Test Chapter 6-10

                                             January 23, 2002

 

Chapter 6:

 

Active Directory allows administrators, developers, and end users to gain access to a directory service that is seamlessly integrated with both Internet and intranet environments.

 

By analogy, D:\Data\Report\xyz.doc is a distinguished name: the exact path from the root.  The last component, xyz.doc, corresponds to the relative distinguished name (RDN).  Active Directory names are written the same way, but with LDAP components such as CN=, OU= and DC=, leaf first.

 

Global Catalog

 

When you initially install Windows 2000, the first domain controller is, by default, the global catalog server.  The global catalog is the central repository of information about objects in a domain tree (a collection of domains that form a contiguous domain hierarchy) or forest (a collection of domain trees that belong to different hierarchies but share a common schema, configuration and global catalog).

 

 

Contiguous namespace.  The name of a child domain always contains the name of its parent domain.  A tree is a contiguous namespace.

Disjointed namespace.  The names of a parent object and a child of that parent are not directly related to each other.  A forest is a disjointed namespace.

 

Unlike a distinguished name or a relative distinguished name, a GUID (the objectGUID attribute) never changes, even if you move or rename the object.  References that must survive moves and renames, such as audit records and scripts, should therefore key on the GUID rather than on the DN.
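The following is an added example, not part of the original notes, that models the difference between a DN and a GUID described above.  The directory entries, the DN values and the small Directory class are constructed for illustration; the DN splitting follows the LDAP string-representation rule that a backslash escapes a comma inside a component.

```python
"""Distinguished names versus GUIDs: a small model of an Active Directory naming
context.  Added example; the directory content below is constructed."""
import uuid


def split_dn(dn: str) -> list:
    """Split an LDAP distinguished name into its RDNs, honouring backslash
    escapes so that 'CN=Smith\\, John' stays one component."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def rdn(dn: str) -> str:
    """The relative distinguished name is the leftmost component."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything to the right of the RDN: the container the object lives in."""
    return ",".join(split_dn(dn)[1:])


class Directory:
    """Objects are stored by objectGUID; the DN is just a current attribute."""

    def __init__(self):
        self.by_guid = {}

    def add(self, dn: str) -> uuid.UUID:
        guid = uuid.uuid4()            # objectGUID is assigned once, at creation
        self.by_guid[guid] = dn
        return guid

    def dn_of(self, guid: uuid.UUID) -> str:
        return self.by_guid[guid]

    def find_by_dn(self, dn: str):
        for guid, current in self.by_guid.items():
            if current.lower() == dn.lower():   # DNs compare case-insensitively
                return guid
        return None

    def move(self, guid: uuid.UUID, new_parent: str) -> str:
        """A move keeps the RDN and changes the parent; the GUID is untouched."""
        self.by_guid[guid] = rdn(self.by_guid[guid]) + "," + new_parent
        return self.by_guid[guid]

    def rename(self, guid: uuid.UUID, new_rdn: str) -> str:
        """A rename changes only the RDN; again the GUID is untouched."""
        self.by_guid[guid] = new_rdn + "," + parent_dn(self.by_guid[guid])
        return self.by_guid[guid]


def demo() -> dict:
    """Create a user, move and rename it, then show the old DN no longer
    resolves while the GUID still finds the same object."""
    d = Directory()
    guid = d.add("CN=Smith\\, John,OU=Sales,DC=example,DC=com")   # constructed DN
    before = d.dn_of(guid)
    d.move(guid, "OU=Marketing,DC=example,DC=com")
    d.rename(guid, "CN=Smith\\, J.")
    after = d.dn_of(guid)
    return {
        "before": before,
        "after": after,
        "old_dn_resolves": d.find_by_dn(before) is not None,
        "guid_stable": d.find_by_dn(after) == guid,
    }
```

The escaped comma in the sample CN is the case that naive `dn.split(",")` gets wrong; a tool that builds ACL or audit lookups from DNs must parse them this way.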

 

 

Active Directory Objects (6)

 

Computers

Contact

Group

Printer

User

Shared Folder

 

 

If you add a domain controller to an existing domain, you create a peer domain controller.

 

 

LDAP is Active Directory's core protocol.

 

 

ADSI objects are designed to meet the needs of three main audiences:  developers, system administrators, and users.

 

 

 

Administration Model

 

A user is authorized by a higher authority to perform a specified set of actions on a specified set of object instances and object classes in some identified subtree of the directory.  This is called delegated administration.  Delegated administration allows granular control over who can do what and enables delegation of authority without granting elevated privileges.

 

The DSA (directory system agent) is the process that manages the directory's physical storage.  Clients use one of the supported interfaces to connect to the DSA and then search for, read, and write directory objects and their attributes.

 

NOTE:  Ntdsutil.exe is installed in %systemroot%\system32 when Windows 2000 Server is installed.

 

 

 

Defining a Namespace Architecture

 

You should consider the impact of replication traffic over the WAN.  Additionally, organizations and their structure change constantly.  The goal is to have a namespace architecture that is scalable, can adapt to change, can distinguish between internal and external resources, and can protect company data at the same time.

 

 You should have the system designed in the following manner:

 

Root domain      (The Head Office)

First-layer domain   (Marketing or Sales)

Second-layer domain  (Department London, Department Chatham)

 

This structure provides a granular replication topology and the ability to limit the scope of administrators as necessary.

 

 

Planning a Site

 

Up to this point the notes have revolved around the logical structure.  It is important to consider the physical layout also.  The physical design of a Windows 2000 Server-based network is demarcated by site.  A site is a combination of one or more IP subnets connected by a high-speed link.  Often, a site has the same boundaries as a local area network (LAN) or a very high-bandwidth WAN link such as OC3 SONET (155 Mbps) or T3 (45 Mbps).

 

 

 

The Active Directory database for a domain is the file Ntds.dit; its default location is %systemroot%\NTDS.

 

 

 

Structure of OU Hierarchy:

 

Administration-based or object-based OUs.

Geographical-based OUs.

Business function-based OUs.

Department-based OUs. 

Project-based OUs.

 

 

 

The global catalog stores a partial replica (the most commonly searched attributes) of every object in a domain tree or forest, so users can find information regardless of which domain in the tree or forest contains the data.

 

 

A user's effective permissions are the combination of the permissions assigned to the user account and to every group the user belongs to, with one exception: an explicit Deny entry takes precedence over an Allow entry granted through another membership.

 

 

An ACL is stored for every Active Directory Object.

 

 

Domain Modes

 

There are two domain modes:  mixed mode and native mode.  Mixed mode is the default and allows Windows NT 4.0 backup domain controllers to remain in the domain; native mode requires that every domain controller run Windows 2000, and the change from mixed to native mode is one-way.

 

 

Before you create objects, you should create the OU that the object will go into.

 

Chapter 7:

 

Types of Domain Groups

 

Sometimes you create groups for security, such as assigning permissions.  At other times you use them for reasons unrelated to security, such as sending e-mail messages.  There are two types of groups:  security and distribution.

 

 

 

Types of Local Groups

 

Domain and non-domain

 

 

 

MMCs

 

An MMC console is a set of one or more snap-ins saved in a file with the extension .msc.

 

By default, Windows 2000 saves customized MMC console files in the Administrative Tools folder of the user's profile.  There are two types of snap-ins:  stand-alone and extension.

 

 

 

Account Options

 

By default, Windows 2000 permits access for all hours of the day.

By default, Users can use any computer and log on to the domain, there are no restrictions.

 

 

Properties of Users

 

Personal Properties

Account Tab

Profile Tab, path for network share.

Published Certificates tab.

Member of Tab

Dial-in Tab

Object  Tab

Security Tab, allows or denies permissions.

Terminal services tab.

Using a Mandatory Profile

 

A mandatory profile is a read-only roaming user profile.  You create one by renaming the profile's Ntuser.dat file to Ntuser.man, so that changes the user makes during a session are not saved at logoff.

 

Deleting a Group

 

Each group has a unique, nonreusable identifier called the security ID or SID.

When you delete a group, Windows 2000 does not use the SID again, even if you create a group with the same name as the one you deleted.

Deleting a group does not delete the user accounts associated with it.

 

 

 

Universal Groups

 

Universal groups are most often used to assign permissions to related resources in multiple domains.  They have the following characteristics:

 

Open membership.  You can add members from any domain in the forest.

Access to resources in any domain.  You can use a universal group to assign permission to gain access to resources that are located in any domain.

Available in native mode only.  Universal security groups cannot be created in mixed mode.

 

 

You can make the following changes to a group scope:

 

Change the global group to a universal group.  You can do this only if the global group is not a member of another global group.

Change a domain local group to a universal group.  You can do this only if the domain local group you are converting does not contain another domain local group.

 

Built-in Global Groups

 

By default Windows 2000 automatically adds members to some built-in global groups.  You can add user accounts to these built-in groups to provide additional users with the privileges and permissions that you assign to the built-in group.

 

When you create a domain, Windows 2000 creates built-in global groups in the Active Directory store.  You assign rights by either adding the global groups to domain local groups or explicitly assigning user rights or permissions to the built-in global groups.

 

 

Built-in Global Groups

Global Group        Description

 

Domain Users        Windows 2000 automatically adds Domain Users to the Users built-in local group.  By default, the Administrator account is initially a member, and Windows 2000 automatically makes each new domain user account a member.

Domain Admins       Windows 2000 adds Domain Admins to the Administrators domain local group so that members of Domain Admins can perform administrative tasks on any computer in the domain.  By default, the Administrator account is a member.

Domain Guests       Windows 2000 automatically adds Domain Guests to the Guests domain local group.

Enterprise Admins   Exists only in the forest root domain.  You can add user accounts to Enterprise Admins for users who should have administrative control over the entire forest.  By default, the Enterprise Admins group is a member of the Administrators built-in local group of every domain, and the Administrator account of the root domain is a member of Enterprise Admins.

 

 

 

Note:  Members of a group and groups with which a group is a member are viewable from the Members and Members of tabs in the properties of each group.

 

 

Built-in Domain Local Groups

 

A built-in domain local group functions the same way as a domain local group that you create.  The only difference is that a built-in domain local group cannot be deleted.

 

Built-in local groups in the domain give predefined rights and permissions to user accounts when you add user accounts or global groups as members.

 

Domain Local Group      Description

 

Account Operators       Members can create, delete and modify user accounts and groups, but cannot modify the Administrators group or any of the Operators groups.

Server Operators        Members can share disk resources and back up and restore files on domain controllers.

Print Operators         Members can set up and manage network printers on domain controllers.

Administrators          Members can perform all administrative tasks on all domain controllers and on the domain itself.  By default, the Administrator user account, the Domain Admins global group and the Enterprise Admins group are members.

Guests                  Members can perform only tasks for which you have granted rights and gain access only to resources for which you have assigned permissions; members cannot make permanent changes to the desktop.  By default, the Guest user account and the Domain Guests global group are members.

Backup Operators        Members can back up and restore files on domain controllers, regardless of the permissions set on those files.

Users                   By default, the Domain Users global group, the Authenticated Users special group and the INTERACTIVE special group are members.

 

Built-in Local Groups

 

All stand-alone servers, member servers, and computers running Windows 2000 Professional have built-in local groups.  Built-in local groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.

 

Local Group             Description

 

Users                   Members can perform only tasks for which they have been granted rights or permissions.

Administrators          Full control of the computer.  By default, the Administrator user account for the computer is a member.

Guests                  By default, the built-in Guest account for the computer is a member; that account is disabled at installation.

Backup Operators        Members can use Windows Backup to back up and restore files on the computer.

Power Users             Members can create and modify local user accounts on the computer and share resources.

Replicator              Supports the file replication service; do not add ordinary user accounts to it.

 

 

Built-in System Groups

 

Built-in system groups (special identities) date from Windows NT and exist on all computers running Windows 2000.  System groups do not have memberships you can modify; instead they represent different users at different times, depending on how a user gains access to a computer or resource.

 

System Group            Description

 

Everyone                Includes all users who access the computer, including anonymous logons.  Be careful if you assign permissions to the Everyone group and enable the Guest account: Windows 2000 authenticates a user who does not have a valid user account as Guest, and that user then receives everything granted to Everyone.

Authenticated Users     Includes all users with a valid user account on the computer or in Active Directory.  Use it instead of the Everyone group to ensure that only authenticated users receive the permission.

Creator Owner           Includes the user account for the user who created or took ownership of a resource.

Network                 Includes any user with a current connection from another computer on the network to a shared resource on the computer.

Interactive             Includes any user who logged on at the computer's keyboard; members gain access to resources on the computer at which they are physically located.

Anonymous Logon         Includes any user account that Windows 2000 did not authenticate.

Dialup                  Includes any user who currently has a dial-up connection.
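To show why the Everyone versus Authenticated Users distinction in the table above matters, and how the earlier chapter 6 notes on effective permissions (the user's permissions combined with those of the user's groups) and on the per-object ACL play out, here is an added example that is not part of the original notes.  The account database, the group names and the READ/WRITE/DELETE access bits are constructed; the DACL walk follows the Windows rule that ACEs are read in order with deny entries placed before allow entries.

```python
"""Access tokens and DACL evaluation on Active Directory objects.
Added example: the account database, group names and the READ/WRITE/DELETE
access-mask bits are constructed; real AD rights are a much richer set."""
from dataclasses import dataclass
from typing import Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE

# Special identities (built-in system groups): membership is decided per logon.
EVERYONE = "Everyone"
AUTHENTICATED_USERS = "Authenticated Users"
INTERACTIVE = "INTERACTIVE"
NETWORK = "NETWORK"

# Constructed account database: user -> (password, explicit group memberships)
ACCOUNTS = {
    "alice": ("s3cret", {"Domain Users", "Marketing"}),
    "bob": ("hunter2", {"Domain Users", "Domain Admins"}),
}


@dataclass(frozen=True)
class Ace:
    allow: bool      # False means an access-denied ACE
    trustee: str     # user or group name standing in for a SID
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    sids: frozenset  # every identity the logon session carries


def logon(user: str, password: str, logon_type: str, guest_enabled: bool) -> Optional[Token]:
    """Build the access token for a logon attempt, or None if the logon fails.
    With the Guest account enabled, unknown or wrong credentials still succeed
    as Guest: that token carries Everyone but not Authenticated Users."""
    if user in ACCOUNTS and ACCOUNTS[user][0] == password:
        name, groups, authenticated = user, set(ACCOUNTS[user][1]), True
    elif guest_enabled:
        name, groups, authenticated = "Guest", {"Domain Guests"}, False
    else:
        return None
    sids = {name, EVERYONE} | groups              # Everyone is in every token
    if authenticated:
        sids.add(AUTHENTICATED_USERS)
    sids.add(INTERACTIVE if logon_type == "interactive" else NETWORK)
    return Token(name, frozenset(sids))


def access_check(dacl: Optional[list], token: Token, desired: int) -> bool:
    """Windows-style DACL walk.  ACEs are read in order: a deny ACE for one of
    the token's identities that covers any still-outstanding right ends the
    check with denial; allow ACEs accumulate rights until all desired rights
    are covered.  The DACL must be in canonical order (denies before allows).
    A missing DACL (None) grants everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token.sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def effective_rights(dacl: Optional[list], token: Token) -> int:
    """Effective permissions: the union of what the user and all of the user's
    groups are allowed, minus anything a deny ACE takes away."""
    return sum(bit for bit in (READ, WRITE, DELETE) if access_check(dacl, token, bit))


def demo() -> dict:
    # Default-style printer ACL: Everyone may print (READ here), admins have full control.
    everyone_read = [Ace(True, EVERYONE, READ), Ace(True, "Domain Admins", FULL_CONTROL)]
    # Hardened variant: the same grant to Authenticated Users instead of Everyone.
    auth_read = [Ace(True, AUTHENTICATED_USERS, READ), Ace(True, "Domain Admins", FULL_CONTROL)]
    # Marketing may read and write, but alice is explicitly denied WRITE:
    # the deny ACE wins even though a group she belongs to allows it.
    marketing = [Ace(False, "alice", WRITE), Ace(True, "Marketing", READ | WRITE)]

    stranger = logon("mallory", "guess", "network", guest_enabled=True)
    alice = logon("alice", "s3cret", "interactive", guest_enabled=False)
    return {
        "guest_user": stranger.user,
        "guest_reads_everyone_acl": access_check(everyone_read, stranger, READ),
        "guest_reads_auth_users_acl": access_check(auth_read, stranger, READ),
        "guest_disabled_blocks_stranger": logon("mallory", "guess", "network", False) is None,
        "alice_effective_on_marketing": effective_rights(marketing, alice),
        "alice_read_write": access_check(marketing, alice, READ | WRITE),
    }
```

The interesting results are the two Guest cases: the same stranger who is granted READ through Everyone gets nothing once the ACE names Authenticated Users, and disabling Guest turns the logon itself away.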

 

 

 

 

GPO Group Policy Object

 

GPO contains group policy settings for sites, domains and OUs.

 

 

 

 

 

 

Managing Administrative Templates

 

The Administrative Templates extension in the Group Policy snap-in uses .adm files to specify the registry settings that can be modified through the policy user interface.

 

By default, the folder redirection extension is not included with the Group Policy snap-in.

 

 

 

Chapter 8

 

Printer.  A printer is the software interface between the operating system and the print device.  The printer defines where a document will go to reach the print device, when it will go, and how various other aspects of the printing process will be handled.

Print Device.  A print device is the hardware that produces the printed documents.  Windows 2000 supports the following print devices:

Print Server.  A print server is the computer on which the printers associated with local and network print devices reside.  The print server receives and processes documents from client computers.  You set up and share network printers on print servers.

Printer driver.  A printer driver is one or more files containing the information that Windows 2000 requires to convert print commands into a specific printer language, such as PostScript.  This conversion makes it possible for a print device to print a document.  A printer driver is specific to each print device model.

 

Setting a Separator Page

 

A separator page is a file that contains print device commands.  Separator pages have two functions:

 

To identify and separate printed documents.

To switch between print modes.

 

 

File Name          Function

 

Pcl.sep            Switches the print mode to PCL for HP series print devices and prints a page before each document.

Pscript.sep        Switches the print mode to PostScript for HP print devices, but does not print a page before each document.

Sysprint.sep       Prints a page before each document.

Sysprtj.sep        A version of Sysprint.sep that uses Japanese characters.

 

You can build your own separator page by creating a .sep file that contains legal printer commands.

 

 

Setting up a Printer Pool

 

A printer pool is one printer that is connected to multiple print devices through multiple ports on a print server.  The print devices can be local or network print devices.

 

Print devices should be identical, however you can use print devices that are not identical but use the same printer driver.

 

 

Print Server Properties

 

 

In the Printers folder, choose Server Properties from the File menu and review the settings there when troubleshooting a print server problem.

 

By default, the spool folder points to %systemroot%\System32\spool\PRINTERS

 

By default, Windows 2000 assigns the Print permission on each new printer to the Everyone group, so anyone who can reach the print server can submit jobs until you tighten that ACL.

 

By default, the person who installs the printer owns it.

 

 

 

Pruning Orphans

 

When a printer is deleted from a print server, the corresponding Active Directory object is removed.  A program called the orphan pruner accomplishes this by running on each domain controller and periodically checking for orphaned printer objects.

 

By default, if the orphan pruner cannot contact a printer three times in a row at 8-hour intervals, it assumes the entry is no longer valid and deletes it.

Chapter 9

 

ATM                            *** Important ***

 

The Asynchronous Transfer Mode (ATM) protocol is an advanced implementation of packet switching that is ideal for voice, video and data communications.  ATM is a high-speed networking technology that transmits data in cells of a fixed length.  A cell is a fixed-length packet of 53 bytes (a 5-byte header and 48 bytes of payload).

 

ATM guarantees quality of service (QoS) on a local area network (LAN), a WAN and a public internetwork.

 

 

LANE

 

LANE is a method by which protocols that understand only connectionless media can communicate over ATM.

 

 

 

IP over ATM

 

IP over ATM uses the connection-oriented properties of ATM to overcome the connectionless nature of IP.

 

 

GSNW acts as a redirector for a computer running Windows 2000 Server where it is installed and as a gateway for other client computers.

 

 

NWLink

 

NWLink is Microsoft's implementation of the Novell NetWare IPX/SPX protocol.

It supports Ethernet, Token Ring, and FDDI (Fiber Distributed Data Interface).

 

 

NetBEUI

 

Non-routable, broadcast based

Small memory overhead

 

 

Apple

 

Windows 2000 Server includes support for AppleTalk.

 

 

DLC

 

Data-Link Control, is used to print to Hewlett-Packard printers that are connected directly to networks.

 

 

IrDA

 

Is a group of short-range, high-speed, bi-directional wireless infrared protocols. 

 

 

TCP/IP

 

Routable

Connects dissimilar systems

Cross-platform, is robust

 

 

DHCP

 

Each time a DHCP client starts, it requests IP addressing information from a DHCP server.  This addressing information includes the following:

 

An IP address

A subnet mask

Optional values, such as a default gateway address, a DNS server address, or a WINS server address

 

 

 

 

NOTE:  If a computer has multiple network adapters bound to TCP/IP, the DHCP process occurs separately over each adapter.  The DHCP Service assigns a unique and valid IP address to each adapter in the computer bound to TCP/IP.

 

 

REMEMBER THESE NUMBERS:        (50% and 87.5% of the lease time)

 

At 50% of the lease time (T1) the client sends a unicast DHCPREQUEST to the server that issued the lease in order to renew it.  If the client cannot renew its lease with the original DHCP server, it broadcasts a DHCPREQUEST to contact any available DHCP server when 87.5% of the lease time (T2) has elapsed.

 

If the lease expires or a DHCPNAK message is received, the DHCP client must immediately stop using that IP address.  The DHCP client then begins the DHCP lease process (starting with DHCPDISCOVER) to lease a new IP address.
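An added example, not from the original notes, of the client-side lease timers just described.  The server address, client address and timeline are constructed; the 8-day duration is the Windows 2000 default.

```python
"""DHCP client lease timers: renew with the leasing server at T1 (50%),
rebind by broadcast at T2 (87.5%), restart discovery at expiry.
Added example with a constructed timeline."""
from dataclasses import dataclass
from typing import Optional

DAY = 86400
DEFAULT_LEASE = 8 * DAY    # Windows 2000 default lease duration


@dataclass(frozen=True)
class Lease:
    server: str            # DHCP server that granted the lease
    address: str
    duration: int          # seconds
    granted_at: int        # seconds on a constructed timeline

    @property
    def t1(self) -> int:   # renewal time: 50% of the lease
        return self.granted_at + self.duration // 2

    @property
    def t2(self) -> int:   # rebinding time: 87.5% of the lease
        return self.granted_at + self.duration * 7 // 8

    @property
    def expiry(self) -> int:
        return self.granted_at + self.duration


def client_action(lease: Lease, now: int, renewed_with_server: bool) -> str:
    """What the client does at time 'now' if the leasing server has (not)
    answered the T1 renewal.  Returns one of 'use', 'renew-unicast',
    'rebind-broadcast' or 'discover'."""
    if now >= lease.expiry:
        return "discover"            # address must be dropped; start DHCPDISCOVER
    if now >= lease.t2 and not renewed_with_server:
        return "rebind-broadcast"    # DHCPREQUEST broadcast to any DHCP server
    if now >= lease.t1 and not renewed_with_server:
        return "renew-unicast"       # DHCPREQUEST unicast to the leasing server
    return "use"


def handle_server_reply(lease: Lease, reply: str, now: int) -> Optional[Lease]:
    """DHCPACK restarts the lease clock from now; DHCPNAK means stop using the
    address immediately and go back to discovery, represented by None."""
    if reply == "DHCPACK":
        return Lease(lease.server, lease.address, lease.duration, now)
    if reply == "DHCPNAK":
        return None
    raise ValueError(f"unexpected reply {reply}")


def timeline(duration: int = DEFAULT_LEASE) -> dict:
    """Walk one lease through its lifetime assuming the leasing server never
    answers the renewal attempts."""
    lease = Lease("10.0.0.2", "10.0.5.17", duration, granted_at=0)   # constructed
    return {
        "t1_days": lease.t1 / DAY,
        "t2_days": lease.t2 / DAY,
        "at_day_3": client_action(lease, 3 * DAY, False),
        "at_day_4": client_action(lease, 4 * DAY, False),
        "at_day_7": client_action(lease, 7 * DAY, False),
        "at_day_8": client_action(lease, 8 * DAY, False),
        "after_nak": handle_server_reply(lease, "DHCPNAK", 4 * DAY),
    }
```

With the 8-day default the client first tries to renew on day 4, falls back to broadcasting on day 7, and only gives the address up on day 8 or on a DHCPNAK, whichever comes first.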

 

 

 

Installing and Configuring the DHCP Service

 

To implement DHCP, you must install and configure the DHCP Service on at least one computer running Windows 2000 Server within the TCP/IP network.

 

 

Requirements for a Server Running the DHCP Service

 

Static IP address, subnet mask, default gateway.

DHCP Service

An activated DHCP scope. A scope is a range of IP addresses that are available.

An authorization.  The DHCP server must be authorized with Active Directory services.

 

 

 

REMEMBER: THE DEFAULT LEASE DURATION IS 8 DAYS (so the T1 renewal attempt is at 4 days and the T2 rebind at 7 days).

 

 

Creating a DHCP Scope                **** IMPORTANT ***

 

The scope is a pool of valid IP addresses available for lease to DHCP clients:

 

You must create at least one scope for every DHCP Server.

You must exclude static IP addresses from the scope.

You can create multiple scopes on a DHCP server to centralize administration and to assign IP addresses specific to a subnet.  You can assign only one scope to a specific subnet.

DHCP servers do not share scope information.

 

 

Configuring a DHCP Scope

 

Once you have created the DHCP scope, you can configure options for DHCP clients.  There are three levels of scope options:  server, scope, and client.

 

 

Server Options

 

Available to all DHCP clients of the server.  Use server options when all clients on all subnets require the same configuration information.  To configure server options, select Server Options and then select Configure Options from the Action menu.  The DNS server and WINS server options are entered as IP addresses, so those servers must have static addresses.

 

Scope Options

 

Scope options are available only to clients that lease an address from the specific scope.  For example, if you have a different scope for each subnet, you can define a unique default gateway address for each subnet.

 

 

Client Options

 

Client options are available only to the specific client that holds a reserved DHCP address lease, and they override scope and server options (the order of precedence is client, then scope, then server).

 

 

To determine the number of usable IP addresses in a subnet, use the scientific calculator: 2^n - 2, where n is the number of host bits (the network and broadcast addresses are subtracted).

 

For example, a 16-bit host portion (mask 255.255.0.0) gives 2^16 - 2 = 65,534 usable addresses; a 24-bit host portion (mask 255.0.0.0) gives 2^24 - 2 = 16,777,214.
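An added example, not from the original notes, that turns the scope rules above into a check: it computes 2^n - 2 from a prefix length with Python's ipaddress module and builds the lease pool that remains after excluding the static addresses the earlier requirements call out (the DHCP server's own address, the default gateway and the DNS and WINS servers).  The subnet and the static hosts are constructed.

```python
"""Planning a DHCP scope: usable host count (2^n - 2) and the lease pool left
after excluding statically assigned addresses.  Added example; the subnet,
static hosts and address range below are constructed."""
import ipaddress


def usable_hosts(network: str) -> int:
    """Usable host addresses in a subnet: 2^n - 2 with n = host bits (network
    and broadcast addresses removed).  /31 and /32 yield zero here."""
    net = ipaddress.ip_network(network, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    return max(2 ** host_bits - 2, 0)


def build_scope(network: str, start: str, end: str, static_hosts: dict) -> dict:
    """Return what a DHCP server may lease from [start, end] inside 'network'
    after excluding every static address.  static_hosts maps address -> role;
    a static host outside the subnet or a range outside it is a planning error."""
    net = ipaddress.ip_network(network)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first not in net or last not in net or first > last:
        raise ValueError("scope range must lie inside the subnet")
    exclusions = set()
    for addr, role in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{role} {addr} is not on {network}")
        exclusions.add(ip)
    pool = [ip for ip in net.hosts() if first <= ip <= last and ip not in exclusions]
    return {
        "pool_size": len(pool),
        "first": str(pool[0]) if pool else None,
        "last": str(pool[-1]) if pool else None,
        "excluded": [str(ip) for ip in sorted(exclusions) if first <= ip <= last],
    }


def plan() -> dict:
    """Constructed branch-office subnet; infrastructure hosts keep static addresses."""
    static = {
        "192.168.10.1": "default gateway",
        "192.168.10.2": "DNS server",
        "192.168.10.3": "WINS server",
        "192.168.10.4": "DHCP server itself",
    }
    scope = build_scope("192.168.10.0/24", "192.168.10.1", "192.168.10.200", static)
    return {
        "class_b_hosts": usable_hosts("172.16.0.0/16"),
        "class_a_hosts": usable_hosts("10.0.0.0/8"),
        "scope": scope,
    }
```

The exclusions are the addresses that would otherwise end up handed to a client and collide with the gateway or the name servers, which is exactly the failure the "exclude static IP addresses from the scope" rule above is meant to prevent.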

 

 

When a Zone is created, DNS automatically adds two resource records:

 

Start of Authority (SOA)

Name Server (NS)

 

 

Windows 2000 Server has dynamic DNS.

Every computer running Windows 2000 attempts the registration of its “A” (host) and “PTR” (pointer reverse lookup) records.

 

 

 

Chapter 10

 

Authentication and Authorization

 

There is a difference between the two, and it is important to know the distinction:

 

Authentication.  Authentication is the verification of the credentials of the connection attempt.  This process consists of sending the credentials from the remote access client to the remote access server in either a clear text or encrypted form that uses an authentication protocol.

Authorization.  Authorization is the verification that the connection attempt is allowed.  Authorization occurs after successful authentication.

 

First you must be authenticated, then you are authorized.  Both of these parameters must be met.

 

 

There are two authentication providers:  Windows authentication or RADIUS authentication.

 

 

RADIUS can respond to authentication requests based upon its own database, or it can be a front end to another database server, such as a generic Open Database Connectivity (ODBC) server or a Windows 2000 domain controller.

 

 

FEATURES OF RRAS

 

Unicast.  Two computers establish a two-way, point-to-point connection.

Multicast.  Multicast traffic is sent to a single group address but is processed by every host that listens for that group.

IPX Support.  The Windows 2000 Server router is a fully functional IPX router.

AppleTalk.  Windows 2000 RRAS can operate as an AppleTalk router by forwarding AppleTalk and supporting the use of RTMP.

Demand-Dial Routing.  Allows you to connect to the Internet, to connect to branch offices, or to implement router-to-router VPN connections.

Remote Access.  RRAS enables a computer to be a remote access server.

VPN Server.  RRAS supports PPTP and L2TP over IPSec.

RADIUS Client-Server (AAAA).  Authentication, Authorization, Accounting, and Auditing.

SNMP MIB Support.  RRAS provides Simple Network Management Protocol (SNMP) agent functionality with support for Internet MIB II (mnemonic: MEN IN BLACK).

API Support for Third-Party Components.  RRAS has fully published API sets for unicast and multicast routing protocols and administration utility support.

 

Two ways to configure RRAS:

 

Command Prompt.  Use the netsh utility (NetShell).

Routing and Remote Access snap-in.  Create a snap-in with the Administrative tools.

 

 

 

Dial-up Remote Access Connections

 

 

A number of remote access clients can connect to a Windows 2000 remote access server:

 

Windows 2000

Windows NT 3.51 or later

Windows 98

Windows 95

Windows for Workgroups

MS-DOS

Microsoft LAN Manager

 

 

 

Digital Links and V.90

 

V.90 modems send (upstream) at up to 33.6 Kbps and receive (downstream) at up to 56 Kbps, but the 56 Kbps rate is only possible when the remote access server side has a digital link to the telephone network, so that the client's local loop is the only analog segment along the way.

 

 

IN CLASS NOTES:

 

 

In the encryption process the data being protected is also called the payload.

If end-to-end encryption is needed, use IPSec to create an encrypted end-to-end connection after the remote access connection has been made; remote access link encryption protects only the segment between the remote access client and the RAS server.

Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the remote access client.

Caller ID requires that the caller's telephone line, the phone system, the RAS server's telephone line, and the Windows 2000 driver for the dial-up equipment all support caller ID.

The disadvantage of configuring caller ID is that the user must always dial in from the same telephone line.  Callback configured to a specific telephone number has the same disadvantage.

Remote access policies can be used to impose connection parameters such as maximum session time, idle disconnect time, required secure authentication methods, required encryption, and so on.

Remote access policies are stored on each RAS server, so if you have several servers you must maintain a policy on each one, which can be a lot of work.  If you set up a RADIUS server instead, you maintain one policy there, and that is the one applied for every RAS server that uses it.

 

 

 

Managing Remote Access Account Lockout

 

To enable remote access account lockout, set the MaxDenials value in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout) to 1 or greater on the server that performs the authentication (the RAS server for Windows authentication, the RADIUS server for RADIUS authentication).  This lockout is separate from the domain account lockout policy.  The trade-off is that anyone who knows a user name can lock that user out of remote access by deliberately failing MaxDenials attempts.

 

 

Lesson Summary:

 

Windows 2000 remote access provides two different types of remote access connectivity: dial-up remote access and VPN remote access.

A dial-up remote access connection consists of a remote access client, a remote access server, and a WAN infrastructure.

There are three types of remote access protocols supported by Windows 2000: PPP, SLIP and Asynchronous NetBEUI.

Windows 2000 remote access offers a wide range of security features, including secure user authentication, mutual authentication, data encryption, callback, caller ID and remote access account lockout.

Remote access management includes managing users, addresses, access and authentication.

 

 

 

 

 

 

Tunneling Basics

 

Tunneling, also known as encapsulation, is a method of using an internetwork infrastructure to transfer a payload.

 

 

 

PPTP

 

Point-to-Point Tunneling Protocol (PPTP) is an extension of PPP that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork such as the Internet.

 

PPTP uses a TCP connection (port 1723) for tunnel maintenance and a modified GRE header (IP protocol 47) to encapsulate PPP frames as tunneled data; both must be allowed through any firewall between client and server.  The payloads of the encapsulated PPP frames can be encrypted and compressed.
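An added example, not from the original notes, of the PPTP data-channel framing described above, using the enhanced GRE header layout from RFC 2637: a builder, a parser that rejects anything that is not PPTP's flavour of GRE, and the numbers a firewall administrator needs (TCP 1723 for control, IP protocol 47 for data).  The call ID and the PPP frame bytes are constructed.

```python
"""PPTP data channel framing: the enhanced GRE header (RFC 2637) that carries
each tunneled PPP frame.  Added example; call ID and PPP payload are constructed."""
import struct
from typing import Optional

PPTP_GRE_PROTOCOL = 0x880B   # GRE protocol type for PPP payloads
GRE_VERSION_PPTP = 1         # "enhanced GRE" as used by PPTP
IP_PROTO_GRE = 47            # IP protocol number a firewall must pass for PPTP data
PPTP_CONTROL_PORT = 1723     # TCP port of the tunnel-maintenance connection


def build_gre(call_id: int, payload: bytes,
              seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Wrap one PPP frame in a PPTP GRE header.  K is always set (the key field
    carries the payload length and call ID); S marks a sequence number, A an
    acknowledgment number."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)              # C R K S s Recur
    flags1 = (0x80 if ack is not None else 0) | GRE_VERSION_PPTP  # A Flags Ver
    header = struct.pack("!BBHHH", flags0, flags1, PPTP_GRE_PROTOCOL,
                         len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def _u32(packet: bytes, offset: int) -> int:
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def parse_gre(packet: bytes) -> dict:
    """Parse a PPTP GRE packet, rejecting wrong version or protocol type, a
    missing key field, checksum/routing bits, or a payload length that
    overruns the packet."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if flags1 & 0x07 != GRE_VERSION_PPTP:
        raise ValueError("not enhanced GRE (version != 1)")
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError(f"unexpected protocol type 0x{proto:04x}")
    if not flags0 & 0x20:
        raise ValueError("K bit clear: no call ID / payload length")
    if flags0 & 0xC0:
        raise ValueError("C and R bits must be clear in PPTP GRE")
    offset, seq, ack = 8, None, None
    if flags0 & 0x10:
        seq, offset = _u32(packet, offset), offset + 4
    if flags1 & 0x80:
        ack, offset = _u32(packet, offset), offset + 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length field overruns the packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def is_pptp_gre(packet: bytes) -> bool:
    """Filter-style check: True only for a well-formed PPTP GRE packet."""
    try:
        parse_gre(packet)
        return True
    except ValueError:
        return False


# Constructed PPP frame: address/control FF 03, protocol 00 21 (IP), four filler bytes.
PPP_FRAME = bytes.fromhex("ff030021deadbeef")
```

The parser is deliberately strict: plain GRE (version 0, protocol type 0x0800) as used by IP-in-GRE routers is not PPTP traffic, and a device that only matches on IP protocol 47 cannot tell the two apart.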

 

PPTP versus L2TP

 

Both PPTP and L2TP use PPP to provide an initial envelope for the data and then append additional headers for transport through the transit internetwork.

 

PPTP requires that the transit internetwork be an IP internetwork.  L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity; when L2TP is run over IP it uses UDP (port 1701).

L2TP provides header compression.  When header compression is enabled, L2TP operates with 4 bytes of overhead, compared to 6 bytes for PPTP.

L2TP also provides tunnel authentication, while PPTP does not (when L2TP is run over IPSec, IPSec already authenticates the endpoints).

PPTP uses PPP encryption (MPPE); L2TP does not, and relies on IPSec for encryption instead.

 

 

 

IP-IP

 

IP-in-IP (IP over IP) is a simple OSI layer 3 (network layer) tunneling technique.  A virtual network is created by encapsulating an IP packet inside an additional IP header.  On its own it provides neither authentication nor encryption of the inner packet.

 

 

 

 

 

 

Connection Attempt is Rejected When it Should be Accepted:

 

Verify that the host name or IP address of the VPN server is reachable by using the ping command.

Verify the RRAS is running on the VPN Server.

Verify that all of the PPTP or L2TP ports on the VPN server are not already being used.

Verify that the tunneling protocol of the VPN client is supported by the VPN server.

Remote access VPN clients are set to the Automatic server type by default, which means that they will try to establish a PPTP tunnel first, then try an L2TP over IPSec tunnel.  If the server type is set to either PPTP or L2TP, verify that the selected tunneling protocol is supported by the VPN server.

A Windows 2000 computer running RRAS is a PPTP and L2TP server with five L2TP ports and five PPTP ports  by default.

Verify that the VPN client and the VPN server are enabled to use at least one common authentication method.

For PPTP connections, test whether a PPTP connection can be made without encryption.  If so, check the encryption settings on the VPN client and VPN server.

For L2TP over IPSec connections, test whether an L2TP connection can be made without encryption.  If so, check the L2TP over IPSec encryption settings on the VPN client and VPN server.

Verify that the parameters of the connection have permission through the remote access policies.

Verify the VPN client’s credentials consisting of user name, password, and domain name are correct and can be validated by the VPN server.

For remote access VPN connections, verify that remote access is enabled on the VPN server.