INFRASTRUCTURE REVIEW
EXAM CHAPTERS 9-14
Chapter 9:
WINS
WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS
names for computers and groups used on your network. WINS maps NetBIOS names to IP
addresses and was designed to solve the problems arising from NetBIOS name resolution in
routed environments. WINS is the best choice for NetBIOS name resolution in routed networks
that use NetBIOS over TCP/IP.
Computers running Windows 2000 are B-node by default and become H-node when they are
configured with a WINS server. Windows 2000 can also use a local database file called
LMHOSTS to resolve remote NetBIOS names. The LMHOSTS file is stored in the
%systemroot%\System32\Drivers\Etc folder.
The LMHOSTS File
The LMHOSTS file is a static ASCII file used to resolve NetBIOS names to IP addresses
of remote computers running Windows NT and other NetBIOS-based hosts.
Lesson Summary:
WINS uses standard name registration, name renewal, and name release methods. To
continue using the same NetBIOS name, a client must renew its lease before it expires.
When a WINS client is shut down, it notifies the WINS server that it no longer needs its
NetBIOS name.
Troubleshooting WINS
The following conditions can indicate basic problems with WINS:
Administrator cannot connect to a WINS server using the WINS console (stop and restart
the service).
TCP/IP NetBIOS Helper service on the WINS client is down and cannot be restarted.
WINS service is not running and cannot be restarted.
If the WINS server does not respond to a direct ping, the source of the problem is likely to
be a network connectivity problem between the client and the WINS server.
NOTE: You configure a WINS server as a push or pull partner with the WINS
administration tool.
Chapter 10: DHCP
Lesson 1:
Introducing and Installing DHCP
DHCP automatically assigns IP addresses to computers. DHCP overcomes the limitations
of configuring TCP/IP manually.
DHCP is an extension of the Boot Protocol (BOOTP). BOOTP enables diskless clients
(or dumb terminals) to start up and automatically configure TCP/IP. DHCP centralizes and
manages the allocation of TCP/IP configuration information by automatically assigning IP
addresses to computers configured to use DHCP.
You should have static IP addresses for the following:
The advantage of DHCP is that it centralizes IP address allocation and administration and saves time.
DHCP is very hardy (WINS can become corrupted!).
Keep 75% of the address pool on the local DHCP server and 25% on a server on another subnet for fault tolerance.
Ethernet CSMA (Networking Essentials): a station waits until there are no collisions before its data is sent; remember
that. This is collision avoidance, but it can take a long time. Both 10 Mbps and 100 Mbps Ethernet can have problems
when there is too much traffic.
NOTE: It is strongly recommended that you manually configure the DHCP server computer
to use a static IP address. The DHCP server cannot be a DHCP client. It must have a static
IP address, subnet mask, and default gateway address.
DHCP Relay Agent
A relay agent is a small program that relays DHCP/BOOTP messages between clients and
servers on different subnets. The DHCP Relay Agent component provided with the Windows
2000 router is a BOOTP relay agent that relays DHCP messages between DHCP clients
and DHCP servers on different IP networks.
To authorize a computer as a DHCP server in Active Directory:
Log on to the network using either an account that has enterprise administrative privileges or
one that has been delegated authority over DHCP servers for your enterprise.
Install the DHCP service.
Start/Programs/Administrative Tools/DHCP
On the Action menu, click Manage Authorized Servers.
Click Authorize.
Lesson 4:
Using DHCP with Active Directory
Microsoft DHCP provides integration with the Active Directory service and DNS service,
enhanced monitoring and statistical reporting for DHCP servers, vendor specific options and
user-class support, multicast address allocation, and rogue DHCP server detection.
Chapter 11:
RAS
Lesson 1:
Introducing Remote Access Service
The remote access feature of Microsoft Windows 2000 Server enables remote or mobile
workers who use dial-up communication links to access corporate networks as if they were
directly connected. Remote access also provides VPN services so that users can access
corporate networks over the Internet.
Remote Access service is installed by default
Microsoft does not have a RADIUS server; it just means that it’s Remote Authentication.
Address 224.0.0.0 is a multicast address.
Route print at the command prompt displays the routing table.
Layer Two Tunneling Protocol (L2TP)
L2TP was inspired by PPTP. L2TP is an Open Systems Interconnection (OSI) layer 2
(Data-link layer) protocol used to create VPNs.
Examples of Tunneling
PPTP, Point-to-Point Tunneling Protocol. PPTP allows IP, Internetwork Packet Exchange (IPX),
or NetBIOS/NetBEUI traffic to be encrypted and then encapsulated in an IP header to
be sent across a corporate IP internetwork or public internetworks like the Internet.
L2TP. L2TP allows IP to be encrypted and sent over any medium that supports
point-to-point datagram delivery, such as IP, Frame Relay, or asynchronous transfer mode
(ATM).
IP-in-IP Tunneling. Encapsulates an existing IP datagram with an additional IP header.
Integrating VPN in a Routed Environment
In some corporate internetworks the data of a department is so sensitive that the department’s
LAN is physically disconnected from the rest of the corporate internetwork.
VPNs allow the department’s LAN to be physically connected to the corporate internetwork
but separated by a VPN server.
The DHCP blocks the addresses into 10 and stores them in the registry.
Netsh is a command-line and scripting tool for Windows 2000 networking components for
local or remote computers. Netsh is supplied with Windows 2000. Netsh also provides the
ability to save a configuration script in a text file for archival purposes or for configuring other
servers.
AAAA: Accounting, Authentication, Authorization, and Auditing.
Chapter 12:
NAT
Lesson 1:
Introducing NAT
Network address translation (NAT) is a protocol that allows a network with private addresses
to access information on the Internet through an Internet Protocol (IP) translation process.
NAT enables private IP addresses to be translated into public IP addresses for traffic to and
from the Internet. This keeps traffic from passing directly to the internal network, while
saving the small office or home office user the time and expense of getting and maintaining a
public address range.
The following protocols do not work with NAT:
10.0.0.0 – 10.255.255.255. Class A, used within a private organization.
172.16.0.0-172.31.255.255. Class B, used within a private organization.
192.168.0.0-192.168.255.255. Class C, used within a private organization.
By default, a NAT translates IP addresses and TCP/UDP ports.
How to enable ICS
Start/Settings/Network and Dial-up Connections/VPN/Properties/Sharing, then check the box for
Enable Internet Connection Sharing for This Connection.
IP Addressing Issues
You should use the following IP addresses from the InterNIC private IP network IDs:
10.0.0.0 with a subnet mask of 255.0.0.0
172.16.0.0 with a subnet mask of 255.240.0.0
192.168.0.0 with a subnet mask of 255.255.0.0
By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of
255.255.255.0 for the private network.
Chapter 13:
Certificate Services
The enterprise
NOTE: L2TP does not require a NAT editor. However, L2TP with IPSec cannot be
translated by the NAT. There cannot be a NAT editor for IPSec.
Recovery agent. A recovery agent account is used to restore data for all computers
covered by the policy. EFS requires an encrypted data recovery agent policy before it
can be used, and uses a default recovery agent account (the Administrator) if none has
been chosen. In a domain, only members of the Domain Admins group can designate
another account as the recovery agent account.
Chapter 14:
Network Security
CHAP, Challenge Handshake Authentication Protocol. CHAP handles passwords sent
in plaintext.
MS-CHAP. Microsoft Challenge Handshake Authentication Protocol. MS-CHAP is a
variant of CHAP that does not require a plaintext version of the password on the
authenticating server. MS-CHAP passwords are stored more securely at the server but
have the same vulnerabilities to dictionary and brute force attacks as CHAP.
PAP, Password Authentication Protocol. PAP passes a password as a string from the
user’s computer to the NAS device.
SPAP, Shiva Password Authentication Protocol. SPAP is a reversible encryption
mechanism employed by Shiva remote access servers. SPAP is more secure than PAP
but less secure than CHAP or MS-CHAP. SPAP offers no protection against remote
server impersonation.
EAP, Extensible Authentication Protocol. EAP is an extension of PPP that allows for
arbitrary authentication mechanisms to be employed for the validation of a PPP connection.
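An added example (not from these notes) that models the PAP and CHAP exchanges compared above, to show why a CHAP server needs the plaintext secret while PAP exposes the password on the wire. It assumes CHAP as in RFC 1994 (MD5 over identifier, secret and challenge) and PAP as in RFC 1334; the secret, challenge and identifier values are constructed for the demo.

```python
import hashlib
import hmac

# Assumed protocol details (RFC 1334 PAP, RFC 1994 CHAP with MD5); the notes
# only name the protocols. MS-CHAP and SPAP are not modelled here.

def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: length-prefixed peer-id and password.
    The password travels exactly as typed, so any observer on the link sees it."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP: MD5 over the one-byte identifier, the shared secret
    and the server's random challenge. The secret itself is never transmitted."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side of CHAP: the server must hold the plaintext secret to
    recompute the expected response (the storage weakness MS-CHAP removes
    by keeping a hash instead). A different challenge, identifier or secret
    yields a different digest, so a captured response cannot be replayed."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def leaks_password(wire_bytes: bytes, password: bytes) -> bool:
    """Would a passive observer of these bytes see the password verbatim?"""
    return password in wire_bytes

# Constructed demo values, not taken from any real system.
SECRET = b"correct horse battery staple"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 7

if __name__ == "__main__":
    print("PAP leaks password:", leaks_password(pap_request(b"alice", SECRET), SECRET))
    resp = chap_response(IDENT, SECRET, CHALLENGE)
    print("CHAP leaks password:", leaks_password(resp, SECRET))
    print("CHAP verifies with stored secret:", chap_verify(IDENT, SECRET, CHALLENGE, resp))
    print("CHAP verifies with wrong secret:", chap_verify(IDENT, b"guess", CHALLENGE, resp))
    print("Old response against new challenge:", chap_verify(IDENT, SECRET, bytes(16), resp))
```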
System Monitor
System Monitor is a tool that can be used to track system resource usage.
The features of the Windows 2000 security model and other security services are integrated
into several different operating system services.