Hands-On Kerberos Tracking

To track logon, you must first prepare and start the tools that will be used. Ensure that auditing of logon events and account logon events is turned on for DCs and domain computers; this should be done in the Default Domain Policy. Make sure the policy has actually been refreshed on the computers involved (for example, by running gpupdate) before you test. Download and install the Resource Kit utilities Kerbtray.exe and Klist.exe, and make sure a copy is available on the logon client. Start Network Monitor and start a capture prior to logon. Optionally, make a folder on the DC to...

Info

As a network administrator, you will obviously need to perform administrative tasks as part of your job. However, you should not use an administrator account to perform nonadministrative, day-to-day job functions. Instead, stay logged on as a user with normal user privileges and use administrative privileges only when necessary. If you need to invoke these administrative privileges only occasionally, you can simply log on as an administrator to perform the administrative task and then log back...

Deploying IAS as a RADIUS Server

For basic RADIUS scenarios in which no RADIUS proxy is implemented, deploying IAS as a RADIUS server requires configuration both at the client running Routing And Remote Access and at the server running IAS. Exam Tip: Pay close attention to this section; you need to know how to configure RADIUS clients and servers on the 70-291 exam. To configure a computer running Routing And Remote Access as a RADIUS client, first open the server properties dialog box in the Routing And Remote Access console,...

Using Service Recovery Options to Diagnose and Resolve Service Related Issues

Most of the services that are installed by Windows Server 2003 run in the Local System security context; that is, they run with the privileges of the built-in Local System account. Services that are loaded afterward (usually by Microsoft or third-party applications) can run under different contexts. Often, when the service is installed, the administrator is asked for the specific credentials under which the service will run. This is also the least-privilege choice: a service that only needs to read a share or connect to a database should run as a dedicated, low-privilege account, not as Local System. This way, instead of providing the service...

Exploring DHCP Audit Logging

By default, the DHCP Server service writes daily audit logs to the folder \WINDOWS\System32\Dhcp. These audit log files are text files named after the day of the week. For example, DhcpSrvLog-Mon.log is the log file that records all DHCP server activity between midnight and 11:59 P.M. on Monday, and DhcpSrvLog-Tue.log is the log file that records all DHCP server activity between midnight and 11:59 P.M. on Tuesday. Audit log files are typically overwritten after seven days, at which time a new log file...
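The DHCP audit log is a plain comma-separated file (an event ID legend, then a header line, then one line per event), so it is easy to process outside the console. The following Python script is added here by the editor and is not part of the training kit; the sample log text is constructed for the example, and the "lease burst" heuristic is the editor's own, not a Microsoft feature. It parses the lines, groups assignments by MAC address, and reports the largest number of new leases granted within a short window, which is the pattern you would look for when the scope empties unexpectedly (address-pool exhaustion, whether from a starvation attack or a misbehaving client).

```python
"""Parse DhcpSrvLog-*.log lines and look for bursts of new leases."""
import re
from collections import defaultdict

# Constructed sample in the DhcpSrvLog layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); not a real log.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,00:00:01,Started,,,
10,03/14/05,08:02:17,Assign,192.168.1.50,PC1.domain1.local,0003FF1A2B3C
11,03/14/05,08:30:44,Renew,192.168.1.50,PC1.domain1.local,0003FF1A2B3C
10,03/14/05,09:00:01,Assign,192.168.1.51,,000C29AA0001
10,03/14/05,09:00:02,Assign,192.168.1.52,,000C29AA0002
10,03/14/05,09:00:02,Assign,192.168.1.53,,000C29AA0003
10,03/14/05,09:00:03,Assign,192.168.1.54,,000C29AA0004
"""

# Event IDs used by the audit log for lease activity.
LEASE_EVENTS = {"10": "Assign", "11": "Renew", "12": "Release"}


def parse_audit_log(text):
    """Return one dict per data line; legend, blank and header lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        # Data lines start with a two-digit event ID and carry seven columns.
        if len(fields) < 7 or not re.fullmatch(r"\d{2}", fields[0]):
            continue
        event_id, date, time, desc, ip, host, mac = fields[:7]
        events.append({"id": event_id, "date": date, "time": time,
                       "desc": desc, "ip": ip, "host": host, "mac": mac.upper()})
    return events


def addresses_per_mac(events):
    """Map each MAC address to the set of addresses it was assigned (event 10)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["id"] == "10" and ev["mac"]:
            seen[ev["mac"]].add(ev["ip"])
    return dict(seen)


def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def max_assign_burst(events, window_seconds=60):
    """Largest number of new leases (event 10) granted within any window of
    the given length. Compare against the site's normal join rate: a spike
    far above it is the signature of address-pool exhaustion."""
    times = sorted(_secs(ev["time"]) for ev in events if ev["id"] == "10")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for mac, ips in addresses_per_mac(evs).items():
        print(mac, sorted(ips))
    print("largest 60-second lease burst:", max_assign_burst(evs))
```

Because the log rotates every seven days, copy the files elsewhere (or raise the retention) if you need them for an investigation.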

Security Configuration Wizard

The Security Configuration Wizard (SCW) is a wizard that guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. After you have installed SP1, the SCW is made available as a new Windows component that you can add through Add Or Remove Programs in Control Panel. After you add this Windows component, you can launch the tool through the Start Menu. The SCW greatly simplifies the process of configuring security on a...

Implementing Managing and Maintaining Routing And Remote Access

Microsoft Windows Server 2003 can be configured as a router, as a dial-up server, as a virtual private network (VPN) server, and as a Network Address Translation (NAT) provider. Two such servers can be configured to send data between two private networks securely over the Internet. The Internet Authentication Service (IAS) on Windows Server 2003 can be configured to provide the Remote Authentication Dial-In User Service (RADIUS) to RAS servers that are RADIUS clients. Where Windows Server 2003...

Understanding DHCP Relay Agent

DHCP Relay Agent allows client computers to obtain an address from a DHCP server on a remote subnet. Typically, DHCP clients broadcast DHCP Discover packets that are then received and answered by a DHCP server on the same subnet. Because routers do not forward broadcasts, DHCP clients and servers must normally be located on the same physical subnet. However, two methods can help you work around this limitation. First, if the routers separating the DHCP server and clients are RFC 1542-compliant, the...

Difference Between NAT and ICS

Like NAT, the ICS feature built into Windows provides Internet connectivity to hosts through a single interface (a dial-up or permanent connection) on a Windows computer. Like NAT, ICS also allows internal clients to keep their private IP addresses while they connect to public external addresses. Finally, NAT includes a component called Basic Firewall that blocks all but response traffic from entering the internal network; this component corresponds to Windows Firewall, which provides a...

Exercise Capturing DHCP Lease Renewal Traffic

In this exercise, you capture traffic from a DHCP lease renewal.

1. If you have not already done so, from Computer1, log on to Domain1 as Administrator.
3. Start a capture by clicking Start Capture.
4. Switch to Computer2. Unlock Computer2 if necessary by reentering the DOMAIN1 administrator credentials.
5. At a command prompt, type ipconfig /renew, and then press Enter. After a few moments, output displays the newly refreshed IP configuration.
7. In Network Monitor, stop the capture by...

Maintaining a Network Infrastructure

This examination domain requires that you know how to maintain and troubleshoot your network. You need to know how to monitor the health of your network and ensure that it can cope with the bandwidth requirements specified by the network design plan. You need to know when a network is operating normally, and how to produce a baseline showing normal traffic patterns. You need to know how to capture network traffic statistics, and how to compare these statistics with your baseline data in order...

Objective Questions

1. The Active Directory domain structure of the fourthcoffee.com forest is shown in the following illustration. DC1 is the first domain controller in domain accounts.denver.fourthcoffee.com. Client1 is a client in the same domain. No changes have been made to the primary or connection-specific DNS suffixes on either computer. What is the FQDN of Client1?
2. Resource1 is a multihomed Windows Server 2003 member server in the design.treyresearch.corp Active Directory domain. One of Resource1's...

Lesson Connecting to a Windows Server Network Infrastructure

In Windows, network connections are logical interfaces between software (such as protocols) and hardware (such as modems or network adapters). To connect to a network infrastructure, you will need to view, configure, and troubleshoot these network connections. After this lesson, you will be able to:

- Bind protocols, services, and clients to a network connection
- Change the binding order of components bound to a connection
- Configure an IP address manually
- Configure an alternate IP address
- Recognize...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. You have configured a subnet with two DHCP servers, DHCP1 and DHCP2. DHCP1 provides addresses within the first 80 percent of the subnet's scope range, and DHCP2 provides addresses for the remaining 20...

Exercise Using Nslookup in Interactive Mode

In this exercise, you use Nslookup in interactive mode to compare the outputs of lookups in Nodebug, D2, and Debug modes. You then perform specialized queries within the default zone.

1. If you have not already done so, from Computer1, log on to Domain1 as Administrator.
2. At a command prompt, type dnscmd /zoneresetsecondaries domain1.local /nonsecure. This command enables zone transfers to any server, which allows you to view the full contents of the domain1.local zone by using Nslookup. Be aware that this genuinely removes the zone-transfer restriction: until you reverse it (for example, dnscmd /zoneresetsecondaries domain1.local /securens, which limits transfers to the servers listed on the Name Servers tab), any host that can reach TCP port 53 on the server can pull the entire zone.
3. At...

Exercise Configuring NAT Through a Demand Dial Interface

In this practice, you configure NAT through a demand-dial interface.

1. Log on to Domain1 from Computer1 as Administrator.
2. Open the Routing And Remote Access console.
3. In the console tree, right-click the COMPUTER1 (Local) node and, from the shortcut menu, select Configure And Enable Routing And Remote Access. The Routing And Remote Access Server Wizard launches.
4. Select Network Address Translation (NAT) and click Next. The NAT Internet Connection page appears.
5. Select Create A New...

Additional Uses for Kerberos Tools

Kerbtray.exe and Klist.exe provide a wealth of information. In addition, you can also use Netdiag to determine how Kerberos is functioning. These tools are all relatively simple to use.

Understanding Kerbtray

If the Kerbtray icon shows only question marks, you know that no Kerberos tickets are in the cache. This situation can occur if a computer is not connected to the network or if no DCs are available. Double-click the Kerbtray icon to see a list of tickets obtained since logon....

Exploring VPN Deployment Scenarios

VPNs are typically deployed either to allow users remote access to a network or to connect two or more private networks. The following section describes the configuration requirements for these scenarios and for a third, mixed scenario in which the VPN server is located behind a firewall. Because all three scenarios involve network access beyond the VPN server, the VPN servers in all cases must be enabled for LAN and demand-dial routing (settings found in the General tab of the server...

Using the Performance Console to Create Alerts

So far in this chapter, you have seen that Task Manager is an easy-to-use tool, and you already know that the Performance console is a powerful tool. How do you know when it's best to use which tool? You might choose the Performance console over Task Manager for two main reasons: access to more performance counters, and the ability to send alert triggers based on specific criteria. You have already seen that dozens of counters are available through the Performance console. Now let's take a look at...

Configuring VPN Types

Windows Server 2003 includes support for two types of VPNs: PPTP and L2TP/IPSec. If you did not originally specify a VPN remote access server role when you ran the Routing And Remote Access Server Setup Wizard, Windows Server 2003 includes only five ports for each VPN type. Because each port enables a single remote access connection, a typical Routing And Remote Access installation by default allows only five simultaneous connections of each type. These ports appear in the Routing And Remote...

Tuning Advanced Server Options

When initialized for service, DNS servers running on Windows Server 2003 apply installation settings taken either from the boot information file, the Registry, or the Active Directory database. You can modify these settings on the Advanced tab of the server properties dialog box in the DNS console, as shown in Figure 5-28.

Figure 5-28 The Advanced tab of the DNS server properties dialog box (server options include Disable Recursion (Also Disables Forwarders); Load Zone Data On Startup is set to From Active Directory And Registry; Enable Automatic...)

Analyzing DHCP Messages

The DHCP messages exchanged in the various stages of a lease process can be seen and analyzed in Network Monitor captures. This section describes the structure of individual DHCP messages so that they can be recognized within a larger pattern of exchanges between DHCP clients and servers. Figure 8-2 illustrates the general structure of a DHCP frame. As shown in the figure, the header is made up of 15 fields, including a variable-length Options field. The DHCP message type is distinguished...
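To make the 15-field layout concrete, and to show what the DHCP Relay Agent described earlier actually changes in a forwarded message, the following Python script builds a minimal DHCPDISCOVER and parses it back. It is added by the editor and is not code from the training kit; the MAC address, transaction ID and relay address are made-up values. The fixed part of the frame is the 14 fields from op through file (236 bytes); the fifteenth field, Options, begins with the magic cookie and carries option 53, the message type. A relay agent puts its own interface address in giaddr and increments hops before forwarding the broadcast as a unicast to the server, and the server uses giaddr to pick the scope it answers from, so the relay is a trusted component: anything that can write giaddr can ask for an offer from any scope.

```python
"""Build and parse a DHCP message (RFC 2131 layout)."""
import socket
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr, sname, file = the 14 fixed fields (236 bytes); options follow.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_discover(mac, xid, relay_ip="0.0.0.0", hops=0):
    """A minimal DHCPDISCOVER from an Ethernet client. When a relay agent
    forwards it, giaddr holds the relay's address and hops is incremented."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    fixed = HEADER.pack(
        1,        # op: 1 = BOOTREQUEST (client -> server)
        1, 6,     # htype 1 = Ethernet, hlen 6
        hops, xid,
        0,        # secs since the client began acquiring an address
        0x8000,   # flags: broadcast bit set, the client has no address yet
        zero4, zero4, zero4, socket.inet_aton(relay_ip),
        chaddr, b"\0" * 64, b"\0" * 128)
    # Option 53 (message type) = 1 (DISCOVER), then option 255 (end).
    options = MAGIC + bytes([53, 1, 1]) + bytes([255])
    return fixed + options


def parse_dhcp(frame):
    """Decode the fixed fields and the option list into a dict."""
    f = HEADER.unpack_from(frame)
    msg = {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4],
           "secs": f[5], "flags": f[6],
           "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    body = frame[HEADER.size:]
    if body[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i = 4
    while i < len(body):
        code = body[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = body[i + 1]
        msg["options"][code] = body[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\0")[0])
    return msg


if __name__ == "__main__":
    relayed = build_discover("00:0c:29:aa:bb:cc", 0x3903F326,
                             relay_ip="192.168.2.1", hops=1)
    for k, v in parse_dhcp(relayed).items():
        print(f"{k:8} {v}")
```

Loading a real capture into Network Monitor, you would see exactly these fields in the DHCP parser pane, with the message type read from option 53 rather than from any fixed field.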

Determining the Host Capacity of a /n Network

To determine the host capacity of a network whose subnet mask is expressed in slash notation as /n, use the following formula: c = 2^(32-n) - 2, where c represents the number of computers that can be accommodated by a given network, and n represents the number of bits in the network ID of that network. The subtraction of 2 removes the network address and the broadcast address, which cannot be assigned to hosts. For example, in a /20 network, n = 20. Therefore, c = 2^(32-20) - 2 = 2^12 - 2 = 4096 - 2 = 4094. So, a /20 network can accommodate 4094 computers. Here is another example: in a /28 network, n = 28. Therefore,...
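The following Python script, added by the editor and not part of the training kit, carries the formula through in code and adds the two checks that the case scenarios below actually test: deriving the dotted mask from /n, and deciding whether a default gateway lies inside the client's subnet (and is not the network or broadcast address). Client A's values from the case scenario (192.168.1.116/28, gateway 192.168.1.126) are used as sample input.

```python
"""Subnet arithmetic behind c = 2^(32-n) - 2."""

# The nine values that can appear in a subnet mask octet:
# 0, 128, 192, 224, 240, 248, 252, 254, 255.
MASK_OCTETS = [256 - 2 ** k for k in range(8, -1, -1)]


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """Subnet mask for /prefix as a 32-bit integer (0 <= prefix <= 32)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_dotted(prefix):
    return int_to_ip(prefix_to_mask(prefix))


def host_capacity(prefix):
    """c = 2^(32 - n) - 2: every host-ID bit pattern minus the network and
    broadcast addresses. Only meaningful up to /30; /31 (point-to-point links)
    and /32 (host routes) have no network/broadcast pair to subtract."""
    if not 0 <= prefix <= 30:
        raise ValueError("formula applies to /0 through /30")
    return 2 ** (32 - prefix) - 2


def same_subnet(ip_a, ip_b, prefix):
    m = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


def gateway_is_valid(client_ip, prefix, gateway):
    """A default gateway must lie in the client's subnet and must be a host
    address, not the network or broadcast address of that subnet."""
    m = prefix_to_mask(prefix)
    net = ip_to_int(client_ip) & m
    bcast = net | (~m & 0xFFFFFFFF)
    g = ip_to_int(gateway)
    return (g & m) == net and g not in (net, bcast)


if __name__ == "__main__":
    print("mask octets:", MASK_OCTETS)
    print("/20 hosts:", host_capacity(20), " /28 hosts:", host_capacity(28))
    print("/28 mask:", mask_dotted(28))
    # Client A from the case scenario: 192.168.1.116/28 with gateway .126
    print(".126 valid:", gateway_is_valid("192.168.1.116", 28, "192.168.1.126"))
    print(".129 valid:", gateway_is_valid("192.168.1.116", 28, "192.168.1.129"))
```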

Case Scenario Exercise

You work as a network consultant, and you have been hired by three companies to solve problems related to network connectivity. While visiting each company, you draw sections of the relevant portions of the network. Use the following drawings to determine the IP configuration error that has led to a disruption of network connectivity at each company. Client C has an incorrectly configured default gateway; the default gateway should be set to 192.168.1.129. Client A: IP address 192.168.1.116/28,...

Objective Answers

A. Incorrect: This configuration seems at first glance to be OK. The subnet mask has been reduced by a single 1 and the addresses are contiguous. However, look at the third octet: 13 is 00001101 and 14 is 00001110 in binary, and a /23 mask keeps the first seven bits of that octet, which differ (0000110 versus 0000111). So the two networks would have different network addresses under a /23 (255.255.254.0) subnet mask. B. Incorrect: This supernetted network is valid (206.10.12.0/22, with a host range of 206.10.12.1 through 206.10.15.254). However, the networks allocated to your organization are 206.10.13.0/24 and 206.10.14.0/24, and an...
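The reasoning in the answer above generalizes: a set of /24 networks can be summarized into a single supernet only if their count is a power of two, they are contiguous, and the lowest network is aligned on the summary block's boundary. The following Python script is added by the editor (not part of the training kit) and checks exactly those three conditions against the addresses from the question, showing why 206.10.13.0 and 206.10.14.0 cannot be joined while 206.10.14.0 and 206.10.15.0 can.

```python
"""Checking whether /24 networks can be summarized into one supernet."""


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def summarize_class_c(networks):
    """Return the single CIDR block covering exactly these /24 networks, or
    None when no exact summary exists. Three conditions must hold: the count
    is a power of two, the networks are contiguous, and the lowest network
    starts on a boundary of the summary block."""
    nets = sorted(ip_to_int(n) for n in networks)
    count = len(nets)
    if count == 0 or count & (count - 1):
        return None                           # not a power of two
    if any(b - a != 256 for a, b in zip(nets, nets[1:])):
        return None                           # not contiguous /24s
    prefix = 24 - (count.bit_length() - 1)    # 2 nets -> /23, 4 nets -> /22
    block = 2 ** (32 - prefix)
    if nets[0] % block:
        return None                           # first network not aligned
    return f"{int_to_ip(nets[0])}/{prefix}"


def host_range(cidr):
    """First and last usable host address of a CIDR block."""
    net, prefix = cidr.split("/")
    base = ip_to_int(net)
    size = 2 ** (32 - int(prefix))
    return int_to_ip(base + 1), int_to_ip(base + size - 2)


if __name__ == "__main__":
    print(summarize_class_c(["206.10.13.0", "206.10.14.0"]))   # None
    print(summarize_class_c(["206.10.14.0", "206.10.15.0"]))   # 206.10.14.0/23
    print(summarize_class_c(["206.10.12.0", "206.10.13.0",
                             "206.10.14.0", "206.10.15.0"]))   # 206.10.12.0/22
    print(host_range("206.10.12.0/22"))
```

The alignment test (nets[0] % block) is the one that fails for 206.10.13.0: a /23 block is 512 addresses, and 206.10.13.0 falls in the middle of the 206.10.12.0/23 block rather than at its start.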

Exploring Remote Access Authorization Scenarios

The following section presents a summary of the remote access authorization process. In each scenario, authorization settings at the remote access server differ when User1, a member of the Telecommuters group, attempts to connect through a dial-up line. Figure 10-20 shows the order of remote access policies defined at the server. Exam Tip: You need to be familiar with the encryption settings for the exam.

Figure 10-20 Remote access policies as listed in the Routing And Remote Access console (Server Status, COMPUTER1 (local), Remote Access Clients, Ports, IP Routing...)

Name Checking

By default, the Name Checking drop-down list box on the Advanced tab of the DNS server properties dialog box is set to Multibyte (UTF8). Thus, the DNS service, by default, verifies that all domain names handled by the DNS service conform to the Unicode Transformation Format (UTF-8). UTF-8 is a variable-length encoding of Unicode that is backward compatible with the traditional 1-byte US-ASCII format and can represent most written languages. Figure 5-29 shows the four name-checking methods you can select from...
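The practical difference between the name-checking modes shows up when clients register names by dynamic update: a name that Strict RFC (ANSI) rejects may be accepted under Multibyte (UTF8) and then stored in the zone, where it is handed to every client that queries it. The following Python function, added by the editor and not part of the training kit or of the Windows DNS code, is an approximation of the four settings (the exact rules Windows applies for the Non RFC and Multibyte modes are an assumption here) that you can use to sanity-check names before allowing them into a zone.

```python
"""Approximate the DNS server's four Name Checking modes."""
import re

# RFC 1123 host label: letters, digits, hyphen; no leading or trailing hyphen.
_STRICT_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_name(name, mode="multibyte"):
    """Return True if `name` would be accepted under the given mode.

    strict    - Strict RFC (ANSI): RFC 1123 host names only
    nonrfc    - Non RFC (ANSI): any printable ASCII label (assumed rule;
                this is what lets underscores through)
    multibyte - Multibyte (UTF8): any label that is well-formed UTF-8
    all       - All Names: anything, including invalid byte sequences
    `name` may be str or raw bytes (as a dynamic update would deliver it)."""
    raw = name if isinstance(name, bytes) else name.encode("utf-8")
    if len(raw) > 253:                       # overall DNS name limit
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return mode == "all"                 # only All Names accepts bad UTF-8
    labels = text.rstrip(".").split(".")
    if any(not lbl or len(lbl.encode("utf-8")) > 63 for lbl in labels):
        return False                         # empty label or label too long
    if mode in ("all", "multibyte"):
        return True
    if mode == "nonrfc":
        return all(lbl.isascii() and lbl.isprintable() and " " not in lbl
                   for lbl in labels)
    if mode == "strict":
        return all(_STRICT_LABEL.fullmatch(lbl) for lbl in labels)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for candidate in ("host-1.domain1.local", "my_host.domain1.local",
                      "büro.domain1.local", b"\xff\xfe.domain1.local"):
        verdicts = {m: check_name(candidate, m)
                    for m in ("strict", "nonrfc", "multibyte", "all")}
        print(candidate, verdicts)
```

The underscore case matters in practice: service records such as _ldap._tcp.domain1.local are legitimate, which is why Microsoft's default is not Strict RFC. The point of the check is to know which names your setting lets in, not to reject every non-RFC label.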

WSUS Deployment Scenarios

You can deploy WSUS in a variety of ways that depend on the size of your network, your administrative structure, and your available bandwidth. Some of these deployment scenarios are described below.

Single WSUS Server (Small or Simple Network)

In a single WSUS server scenario, administrators can set up a server running WSUS inside their corporate firewall, which synchronizes content directly with Microsoft Update and distributes updates to client computers, as shown in Figure 12-35. Note...

DNS Server Performance Counters

The DNS performance object in System Monitor includes 62 counters. You can use these counters to measure and monitor various aspects of server activity, such as the following:

- Overall DNS server performance statistics, such as the number of overall queries and responses processed by a DNS server
- UDP or TCP counters, for measuring DNS queries and responses that are processed using either of these transport protocols
- Dynamic update and secure dynamic update counters, for measuring registration and...

Problem Making Your IPSec Policy Work

In the following exercise, you create and assign an IPSec policy, only to discover that the two computers cannot communicate at all. You can use a number of steps and tools to troubleshoot an IPSec policy, as described in the following list. Note: IKE auditing is turned on by default. If auditing of logon events is turned on, IKE posts negotiation results in the Security event log. Once policies have been assigned and are working, you can turn this feature off by adding the DisableIKEAudits... Consider leaving it on where you want a record of which peers negotiated security associations; those events are often the only trace of a failed or unexpected IPSec peer.

Secure Cache Against Pollution

By default, the Secure Cache Against Pollution option is enabled. This setting allows the DNS server to protect its cache against referrals that are potentially polluting or nonsecure. When the setting is enabled, the server caches only those records whose names fall within the domain for which the original query was made; referrals for names outside that domain that arrive alongside a query response are simply discarded. For example, if a query is originally made for...
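The following Python script, added by the editor and not part of the training kit or of the Windows DNS implementation, shows the filtering rule in a simplified form: the "domain the query was about" is taken to be the queried name minus its first label, and any record in the response whose owner name is not at or beneath that domain is dropped before caching. The response records are constructed for the example. This is the check that stops a server answering for example.com from planting an address for a name in a different domain in your cache.

```python
"""Simplified bailiwick filter behind Secure Cache Against Pollution."""


def _labels(name):
    return name.rstrip(".").lower().split(".")


def in_domain(name, domain):
    """True if `name` equals `domain` or lies beneath it (label-wise, so
    notexample.com is not inside example.com)."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def secure_cache_filter(queried_name, records):
    """Split response records into those safe to cache and those to discard.
    Assumption: the trusted domain is the queried name minus its first label
    (a query for www.example.com trusts example.com and everything below it)."""
    parent = _labels(queried_name)[1:]
    domain = ".".join(parent) if parent else queried_name
    kept, dropped = [], []
    for rec in records:
        (kept if in_domain(rec["name"], domain) else dropped).append(rec)
    return kept, dropped


# Constructed response to "www.example.com A?" as a resolver might receive it
# from example.com's name server; not a real capture.
SAMPLE_RESPONSE = [
    {"section": "answer",     "name": "www.example.com",  "type": "A", "data": "203.0.113.10"},
    {"section": "additional", "name": "ns1.example.com",  "type": "A", "data": "203.0.113.53"},
    {"section": "additional", "name": "www.bank.example", "type": "A", "data": "198.51.100.66"},
]


if __name__ == "__main__":
    kept, dropped = secure_cache_filter("www.example.com", SAMPLE_RESPONSE)
    print("cache:  ", [r["name"] for r in kept])
    print("discard:", [r["name"] for r in dropped])
```

With the option cleared, the third record would be cached and every client of this server would be sent to 198.51.100.66 for www.bank.example until the record expired.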

Reading the IP Routing Table

Routers use routing tables to determine where to send packets. When IP packets are sent to an IP router, the router reads the destination address of the packet and compares that destination address to the entries in the routing table. One of these entries is used to determine which interface to use to send the packet and to which next-hop gateway the packet will be sent. To assist in this process, each routing table entry includes the five columns described in the following sections, as shown...
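The selection rule the paragraph describes is longest-prefix match with the metric as tie-breaker, and the five columns are the ones route print shows: network destination, netmask, gateway, interface and metric. The following Python script is added by the editor and is not part of the training kit; the table is constructed for a host at 192.168.1.10 with two default routes (a dual-homed server), and is not from a real system. It resolves a destination to the matching entry and to the (interface, next hop) pair the packet would actually use.

```python
"""Longest-prefix-match lookup over a route print style table."""
from typing import NamedTuple, Optional


class Route(NamedTuple):
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_length(netmask):
    return bin(ip_to_int(netmask)).count("1")


# Constructed sample table; not from a real server. For a directly connected
# (on-link) network, route print lists the interface's own address as gateway.
TABLE = [
    Route("0.0.0.0",     "0.0.0.0",       "192.168.1.1",   "192.168.1.10", 20),
    Route("0.0.0.0",     "0.0.0.0",       "192.168.2.1",   "192.168.2.10", 30),
    Route("10.0.0.0",    "255.0.0.0",     "192.168.1.254", "192.168.1.10", 30),
    Route("10.1.1.0",    "255.255.255.0", "192.168.1.253", "192.168.1.10", 30),
    Route("127.0.0.0",   "255.0.0.0",     "127.0.0.1",     "127.0.0.1",    1),
    Route("192.168.1.0", "255.255.255.0", "192.168.1.10",  "192.168.1.10", 20),
    Route("192.168.2.0", "255.255.255.0", "192.168.2.10",  "192.168.2.10", 30),
]


def lookup(table, destination) -> Optional[Route]:
    """Most specific matching route wins; among equal prefix lengths the
    lowest metric wins. None means no route (not even a default)."""
    d = ip_to_int(destination)
    best, best_key = None, None
    for r in table:
        m = ip_to_int(r.netmask)
        if (d & m) != (ip_to_int(r.destination) & m):
            continue
        key = (prefix_length(r.netmask), -r.metric)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def next_hop(table, destination):
    """(interface, next hop) for a destination, or None. On an on-link route
    the packet is delivered directly, so the next hop is the destination."""
    r = lookup(table, destination)
    if r is None:
        return None
    on_link = r.gateway == r.interface
    return r.interface, (destination if on_link else r.gateway)


if __name__ == "__main__":
    for dst in ("10.1.1.7", "10.2.3.4", "192.168.1.77", "8.8.8.8"):
        print(dst, "->", lookup(TABLE, dst), next_hop(TABLE, dst))
```

The two default routes are the case worth understanding: a host with two default gateways does not load-balance, it simply uses the lower metric, and the second gateway is only used if the first route disappears.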

Managing Security Through Group Policy

Group Policy holds a unique position with respect to a network's security infrastructure. On the one hand, Group Policy provides a means to deploy and manage a security infrastructure. On the other hand, Group Policy provides the actual substance of that security infrastructure: every GPO contains nodes whose configuration represents many of the most important security considerations for a network. Although basic Group Policy concepts remain beyond the scope of this training kit, it is important...

IP Routing Interface Features

These management features are accessible through the IP Routing node of the Routing And Remote Access console. When you select the General node within the IP Routing node, the interfaces configured for your server appear in the details pane. Right-clicking a demand-dial interface reveals various demand-dial management and troubleshooting commands, as shown in Figure 9-24.

Figure 9-24 Demand-dial interface commands in the Routing And Remote Access console (console tree: Server Status, COMPUTER1 (local), Network Interfaces, IP Routing, General, Static Routes,...)

Network Diagnostics

Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003 interface, that provides detailed information about the local computer's networking configuration. To access the tool, first launch Help And Support from the Start menu. From the Help And Support Center window, click Tools in the Support Tasks area. Finally, expand Help And Support Center Tools from the Tools list, and then select Network Diagnostics. The Network Diagnostics window appears in the right...

Enable Netmask Ordering

The Enable Netmask Ordering option is selected by default. This default setting ensures that, in response to a request to resolve a single computer name matching multiple host A resource records, DNS servers in Windows Server 2003 first return to the client any IP address that is in the same subnet as the client. Note Multihomed computers typically have registered multiple host A resource records for the same host name. When a client attempts to resolve the host name of a multihomed computer by...

Setting the Primary DNS Suffix

You can specify or modify a computer's primary DNS suffix in the DNS Suffix And NetBIOS Computer Name dialog box, as shown in Figure 4-15.

Figure 4-15 Specifying a primary DNS suffix (the dialog box contains the Primary DNS Suffix Of This Computer box, the Change Primary DNS Suffix When Domain Membership Changes check box, and the NetBIOS Computer Name box, whose name is used for interoperability with older computers and services)

To access this dialog box, in the System Properties dialog box, click the Computer Name...

Case Scenario Exercise

You work as a network consultant, and you have been hired by three companies to solve problems related to network connectivity. While visiting each company, you draw sections of the relevant portions of the network. Use the following drawings to determine the IP configuration error that has led to a disruption of network connectivity at each company. Client A: IP address 192.168.1.116/28, default gateway 192.168.1.126. Client B: IP...

Memorizing Subnet Mask Octet Values

To handle IP addressing questions on the 70-291 exam, you will also need to memorize the nine possible values that might appear in a subnet mask octet (0, 128, 192, 224, 240, 248, 252, 254, and 255). Use Table 2-4 below to help you memorize these values. The values in the top and middle rows have been labeled d values and r values, respectively, to provide consistency with references to these values that appear elsewhere in the chapter. Begin by covering the top row of the table. Once you can recite without hesitation the d value associated...

Load Zone Data On Startup

By default, the Load Zone Data On Startup drop-down list box is set to the From Active Directory And Registry option. Thus, by default, DNS servers in Windows Server 2003 initialize with the settings specified in the Active Directory database and the server Registry. However, this setting includes two other options, From Registry and From File, as shown in Figure 5-30.

Figure 5-30 Server initialization options

When you select the From Registry option...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. You are the network administrator for Lucerne Publishing. The Lucerne Publishing network consists of a single domain, lucernepublishing.com, that is protected from the Internet by a firewall. The firewall...

Allow Zone Transfers Server 2008

The Zone Transfers tab, shown in Figure 5-25, allows you to restrict zone transfers from the local master server. For primary zones, zone transfers to secondary servers by default are either completely disabled or limited to the name servers configured on the Name Servers tab. The former restriction applies when the DNS server has been added by using the Manage Your Server window; the latter, when it has been added by using the Windows Components Wizard. Verify which default you got, because a zone that allows transfers to any server hands its complete contents to anyone who can reach it. As an alternative to these default...

Exercise Use Netsh to Manage IPSec

Any task you can perform with the IP Security Policy snap-in and the IP Security Monitor snap-in, you can do with the Netsh command. You can also perform tasks with Netsh that you cannot do from a console, such as the following: instituting computer startup security, performing computer startup traffic exemptions, running diagnostics, performing default traffic exemptions, performing strong certificate revocation list (CRL) checking, performing IKE (Oakley) logging, modifying logging intervals, and...

Verifying the Server Configuration

When verifying the DHCP server configuration, you can begin with the DHCP server address. To provide leases for clients on the local subnet, the DHCP server computer must be assigned an address whose network ID is common to that logical subnet. In addition, the DHCP Server service must be bound to the connection to that subnet. To verify a DHCP server's network bindings, select the Advanced tab in server properties and click the Bindings button. This procedure opens the Bindings dialog box,...

Lesson Review

1. Which of the following actions requires the least amount of administrative effort to enable network users to connect to Internet host names?
   a. Disable recursion on NS2 and NS3.
   b. Enable netmask ordering on NS1.
   c. Configure NS2 and NS3 to use NS1 as a forwarder.
2. What can you do to decrease the network burden of zone transfers between the primary and secondary servers?
   a. Clear the BIND Secondaries check box on Server1.
   b. Configure a boot file on Server1 to initialize BIND-compatible...

Using Netcap to Capture Network Traffic

Netcap.exe is a command-line utility that you can use to capture network traffic to a capture file. You can then load the file in Network Monitor to view the captured traffic. The Network Monitor tool does not have to be installed on the computer running Windows Server 2003 to use Netcap. You can also use Netcap on computers running Windows XP, which makes it an extremely attractive way to capture traffic for later review. The tool is available after the Windows Server 2003 Support Tools have...

Questions and Answers

1. You have configured your remote access server to distribute addresses to remote access clients through a DHCP server. However, you find that your remote access clients assign themselves only APIPA addresses. Name two possible causes of this scenario.
   There is no DHCP server available on the network segment, and a DHCP relay agent has not been configured. Or, the DHCP server did not have 10 free addresses in its scope when the Routing And Remote Access server started up (the server obtains addresses from DHCP in blocks of 10).
2. Which...

Exercise Use Netsh to Monitor IPSec

After you have created and assigned the IPSec policy using Netsh, use Netsh commands to monitor the session.

1. From either computer, start Netsh: netsh
2. Use the Show command and review the active policy to see whether your policy application worked: show policy name=telnet level=verbose
4. Set the diagnostic value to log all events (the default is 0, or no logging) using this command: set config property=ipsecdiagnostics value=7
5. Set the IPsecloginterval value to 60 seconds: set config property=...

Diagnostic level 7 is verbose and writes IKE detail, including peer identities, to the Oakley log; set it back to 0 when you have finished troubleshooting.