These notes reside permanently at http://www.angelfire.com/co2/popeflame
************DHCP************
The lease process consists of four messages, processed in this order:
1. DHCPDISCOVER: initial broadcast sent by the client to obtain an IP address.
2. DHCPOFFER: message from a DHCP server that contains a possible IP address for the client.
3. DHCPREQUEST: message from the client to the DHCP server indicating that the client would like to receive the offered IP address.
4. DHCPACK: final message, server to client; the server acknowledges that the IP address is assigned to the client.
Other messages:
DHCPNAK: a negative acknowledgement from the server to the client indicating that the IP address is not available.
DHCPRELEASE: from the client to the server, requesting that the current IP address lease be cancelled.
DHCPINFORM: a message type new in Windows 2000; it obtains option values for local configuration.
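An added example, not from these notes, that builds a constructed four-message lease exchange and checks that the messages arrive in the order listed above with one transaction ID and a consistent address (a DHCPNAK in place of the DHCPACK is rejected). The header layout and the option 53 codes are from RFC 2131/2132; the builder, validator, sample MAC and transaction ID are assumptions for this example.

```python
import struct
from ipaddress import IPv4Address

# DHCP message-type codes carried in option 53 (RFC 2132); the four lease messages are 1, 2, 3, 5
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP option field
LEASE_SEQUENCE = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]


def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0", op=1, extra_options=b""):
    """Build a minimal BOOTP/DHCP message (used only to construct sample traffic here)."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype Ethernet, broadcast flag
    header += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)       # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\x00") + bytes(192)                 # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_dhcp(packet):
    """Decode the fixed header and the option TLVs into the fields the lease check needs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i + 1 < len(packet) and packet[i] != 255:                  # 255 = end of options
        if packet[i] == 0:                                           # 0 = pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": packet[28:28 + hlen].hex(":"),
            "yiaddr": str(IPv4Address(packet[16:20])),
            "type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0]),
            "requested": str(IPv4Address(options[50])) if 50 in options else None}


def validate_lease(packets):
    """Return the leased address when the messages form one DISCOVER/OFFER/REQUEST/ACK
    exchange; None if the order is wrong, the transaction IDs or client MACs differ, the
    client requested something other than the offered address, or the server sent DHCPNAK."""
    msgs = [parse_dhcp(p) for p in packets]
    if [m["type"] for m in msgs] != LEASE_SEQUENCE:
        return None
    if len({m["xid"] for m in msgs}) != 1 or len({m["chaddr"] for m in msgs}) != 1:
        return None
    offer, request, ack = msgs[1], msgs[2], msgs[3]
    if request["requested"] != offer["yiaddr"] or ack["yiaddr"] != offer["yiaddr"]:
        return None
    return ack["yiaddr"]


# Constructed sample exchange: client MAC 00:11:22:33:44:55, transaction ID 0x1234abcd
MAC, XID = bytes.fromhex("001122334455"), 0x1234ABCD
OFFERED = IPv4Address("192.168.0.50")
GOOD_EXCHANGE = [
    build_dhcp(1, XID, MAC),                                         # DHCPDISCOVER (client broadcast)
    build_dhcp(2, XID, MAC, yiaddr=str(OFFERED), op=2),              # DHCPOFFER (server)
    build_dhcp(3, XID, MAC, extra_options=bytes([50, 4]) + OFFERED.packed),  # DHCPREQUEST, option 50
    build_dhcp(5, XID, MAC, yiaddr=str(OFFERED), op=2),              # DHCPACK (server)
]
NAK_EXCHANGE = GOOD_EXCHANGE[:3] + [build_dhcp(6, XID, MAC, op=2)]   # server refuses with DHCPNAK

if __name__ == "__main__":
    print(validate_lease(GOOD_EXCHANGE))   # 192.168.0.50
    print(validate_lease(NAK_EXCHANGE))    # None
```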
3 types of options:
Server options: effective for all scopes configured on the server
Scope options: applied only to the scope they are configured for
Reservation options: applied only to the specified computer
Windows 2000 DHCP supports:
Superscopes: an administrative container for 2 or more scopes on different network segments
Multicast scopes (MADCAP)
A DHCP server needs to be authorized in Active Directory before it allocates IP addresses, unless it is a standalone server.
A DHCP relay agent is required on every segment that does not contain a DHCP server and whose routers are not all BOOTP-compatible.
Dynamic DNS update of both A and PTR records:
By default, the dynamic update options for a Windows 2000 DHCP client computer are configured so that the Windows 2000 computer registers its own A (host) resource record and requests that the DHCP server register its PTR resource record.
For older clients, use the DHCP MMC console: Server\Scope\Properties\DNS tab\Settings = Automatic update client, Always update, Enable update for clients that can't, so that the server registers their A and PTR records.
By default, when a DHCP client lease expires, the DHCP server automatically removes from DNS any resource records that it originally registered.
Two DHCP servers on the same subnet: the 80/20 rule
DHCP server 1 - 80% of the available IP addresses
DHCP server 2 - 20% of the available IP addresses
The DHCP wizard does not let you set an unlimited lease (only 999); you must use Scope Properties\Advanced tab to set an unlimited lease.
RRAS configured to use DHCP obtains 10 IP addresses from the DHCP server at boot. It keeps one for itself and gives the others to clients; after those 10 are used it requests more in blocks of 10. If you do not use DHCP, you can configure a static address pool on the RRAS server.
To transfer the DHCP database from one DHCP server to another, you must use either the DHCP console or the net stop dhcpserver command to stop the original DHCP server. To ensure that the DHCP service will not start again, then disable the DHCP Server service. Next, copy the %Systemroot%\System32\Dhcp folder to a temporary folder on the new DHCP server. The last necessary action is to copy the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer Registry subkey to a text file.
An IGMP (Internet Group Management Protocol) proxy-mode interface 'points' to the multicast-enabled intranet.
MADCAP: Multicast Address Dynamic Client Allocation Protocol.
Multicast addresses fall within the Class D IP address range from 224.0.0.0 through 239.255.255.255. The Class D range from 239.0.0.0 through 239.254.255.255 is a reserved range that is intended to be administratively scoped, much like the unicast IP address ranges that are reserved for private networks. RFC 2365 highly recommends using the range that begins at 239.192.0.0 with a subnet mask of 255.252.0.0 for an organizational network, so that the earlier addresses remain available for future expansion. The 233.0.0.0 through 233.255.255.255 range is recommended for use with MADCAP for the purpose of global scoping on a public network such as the Internet.
To prevent multicast traffic that is internal to one office from being copied onto the branch-office link, use RRAS to configure appropriate scope-based boundaries on the interface at the hub office.
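An added example, not from these notes, that classifies a group address into the ranges listed above and models the scope-based boundary on the hub-office interface. Two ranges come from outside the notes (the 224.0.0.0/24 link-local block from the IANA registry and the RFC 2365 local scope 239.255.0.0/16), and the boundary function is an illustrative model of the behaviour, not RRAS code.

```python
from ipaddress import IPv4Address, IPv4Network

# Ranges from the notes above (Class D, 239/8 administrative scope, 239.192.0.0/14, 233/8)
# plus two well-known ones not in the notes: 224.0.0.0/24 link-local (IANA) and the
# RFC 2365 IPv4 local scope 239.255.0.0/16.
CLASS_D          = IPv4Network("224.0.0.0/4")       # 224.0.0.0 - 239.255.255.255
LINK_LOCAL       = IPv4Network("224.0.0.0/24")      # never forwarded by routers
GLOBAL_233       = IPv4Network("233.0.0.0/8")       # recommended for MADCAP global scoping
ADMIN_SCOPED     = IPv4Network("239.0.0.0/8")       # RFC 2365 administratively scoped block
ORG_LOCAL        = IPv4Network("239.192.0.0/14")    # 239.192.0.0 mask 255.252.0.0
IPV4_LOCAL_SCOPE = IPv4Network("239.255.0.0/16")    # smallest administrative scope


def multicast_scope(addr):
    """Name the scope a group address belongs to; most specific range first."""
    ip = IPv4Address(addr)
    if ip not in CLASS_D:
        return "not-multicast"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in IPV4_LOCAL_SCOPE:
        return "admin-scoped/local"
    if ip in ORG_LOCAL:
        return "admin-scoped/organization"
    if ip in ADMIN_SCOPED:
        return "admin-scoped/other"
    if ip in GLOBAL_233:
        return "global/233"
    return "global"


def forwards_across_boundary(group, boundaries):
    """Model (an assumption, not RRAS code) of a scope-based boundary on an interface: a
    multicast datagram is not forwarded when its group falls inside any boundary range."""
    ip = IPv4Address(group)
    if ip not in CLASS_D or ip in LINK_LOCAL:
        return False                                # not multicast, or link-local: never routed
    return not any(ip in IPv4Network(b) for b in boundaries)


# Constructed example: boundaries on the hub-office interface facing the branch link keep the
# organization-local and local scopes inside the hub office.
HUB_LINK_BOUNDARIES = ["239.192.0.0/14", "239.255.0.0/16"]

if __name__ == "__main__":
    for g in ["239.193.1.1", "233.5.6.7", "224.0.0.9", "239.255.1.1", "10.1.1.1"]:
        print(g, multicast_scope(g), forwards_across_boundary(g, HUB_LINK_BOUNDARIES))
```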
************NWLink ************
NWLink is the IPX/SPX/NetBIOS-compatible transport protocol. Main components: CSNW (Client Service for NetWare), GSNW (Gateway Service for NetWare).
Gateway Service for NetWare
Directory Service Migration Tool
File and Print Services for NetWare
To ensure that the appropriate users have access to the shared volume on the NetWare server, take the following steps:
Install the IPX/SPX gateway on the NetWare server
Install the Gateway Service for NetWare on a Windows 2000 Server computer
Create NTGATEWAY group on NetWare server
Create user accounts on the NetWare server for the users who need access
Place the new accounts in the NTGATEWAY group
Enable the gateway to the NetWare server on the Windows 2000 Server computer
Create and activate a gateway to the Shared volume
Assign permissions to the gateway share on the Windows 2000 Server computer
Direct users to the share on the Windows 2000 Server computer
Default Ethernet frame types:
NetWare 3.12 and later - 802.2 (Windows 2000 default)
NetWare 3.11 and earlier - 802.3
How to add NetWare 4.x servers to a Windows NT domain:
When you select a NetWare 4.x server in the 'Select NetWare server' dialog box in Directory Manager for NetWare (DSMN), the following message appears: "is a NetWare 4.x server. It cannot be added to the domain".
You need to change the following registry key:
HKLM\System\CurrentControlSet\Services\MSSync\Parameters\Allow4x
************WINS ************
NetBIOS name resolution node types -- resolve order:
B-node: uses a local broadcast
P-node: uses a WINS server
M-node: cache, local broadcast, WINS, Lmhosts, Hosts, DNS
H-node: cache, WINS, local broadcast, Lmhosts, Hosts, DNS
************Lmhosts************
The Lmhosts file is a static file that assists with remote NetBIOS name resolution on computers that cannot respond to NetBIOS name-query broadcasts. Location: systemroot\System32\Drivers\Etc
#PRE: static name-to-address mappings pre-loaded into the NetBIOS name cache, which is used first to resolve a name query
#DOM:<domain>: associates the entry with the specified domain
#INCLUDE <path>: forces the system to seek the specified file and parse it as if it were local
#BEGIN_ALTERNATE and #END_ALTERNATE: allow multiple #INCLUDE statements to be grouped together
#NOFNR
#MH: multiple entries exist for the same name because of multihomed computers
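An added example, not part of these notes, that parses the keywords above (#PRE, #DOM:, #INCLUDE, #BEGIN_ALTERNATE/#END_ALTERNATE, #MH) from a constructed Lmhosts file and shows which names end up pre-loaded in the NetBIOS name cache. The in-memory `files` dictionary standing in for the UNC paths named by #INCLUDE is an assumption so the example runs offline; it is not Microsoft's parser.

```python
MAX_INCLUDE_DEPTH = 8   # guard against #INCLUDE loops between files

def parse_lmhosts(text, files=None, _depth=0):
    """Return [(ip, NAME, flags)] for every mapping. `files` maps the UNC paths named by
    #INCLUDE to file contents so the example runs offline (an assumption for this example)."""
    files, entries, alt_group = files or {}, [], None
    def include(path):                      # pull in another lmhosts file if it is reachable
        if path in files and _depth < MAX_INCLUDE_DEPTH:
            entries.extend(parse_lmhosts(files[path], files, _depth + 1))
            return True
        return False
    for raw in text.splitlines():
        line, upper = raw.strip(), raw.strip().upper()
        if not line:
            continue
        if upper.startswith("#BEGIN_ALTERNATE"):
            alt_group = []                  # collect the #INCLUDE paths of this group
        elif upper.startswith("#END_ALTERNATE"):
            any(include(p) for p in alt_group or [])   # first readable include wins
            alt_group = None
        elif upper.startswith("#INCLUDE"):
            parts = line.split(None, 1)
            path = parts[1].strip() if len(parts) > 1 else ""
            if alt_group is not None:
                alt_group.append(path)
            else:
                include(path)
        elif line.startswith("#"):          # any other '#' line is a plain comment
            continue
        else:
            parts = line.split()
            if len(parts) < 2:
                continue
            flags = {"pre": False, "dom": None, "mh": False}
            for tok in parts[2:]:           # keywords after the name, up to a trailing comment
                t = tok.upper()
                if t.startswith("#DOM:"):
                    flags["dom"] = tok[5:]
                elif t in ("#PRE", "#MH"):
                    flags[t[1:].lower()] = True
                elif t.startswith("#"):
                    break
            entries.append((parts[0], parts[1].strip('"').upper(), flags))
    return entries

def preloaded_cache(entries):
    """Only #PRE entries are loaded into the NetBIOS name cache, which is consulted first."""
    cache = {}
    for ip, name, flags in entries:
        if flags["pre"]:
            cache.setdefault(name, []).append(ip)
    return cache

def resolve(entries, name):
    """All addresses for a name (several when the host is multihomed, #MH)."""
    return [ip for ip, n, _ in entries if n == name.upper()]

# Constructed sample lmhosts file; only the second ALTERNATE include is reachable
LMHOSTS = r"""
10.1.1.5     fileserv1   #PRE
10.1.1.10    dc1         #PRE #DOM:corp      # domain controller
10.1.3.30    multi       #MH
10.1.3.31    multi       #MH
#BEGIN_ALTERNATE
#INCLUDE \\dc1\public\lmhosts
#INCLUDE \\dc2\public\lmhosts
#END_ALTERNATE
"""
SHARED_FILES = {r"\\dc2\public\lmhosts": "10.1.9.9   remotebox   #PRE\n"}
```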
Static mappings: name-to-address mappings added to the WINS server database for computers that do not use WINS directly (such computers might otherwise be resolved by Lmhosts files or DNS servers).
The nbtstat -RR command is used to force WINS clients to release and refresh their NetBIOS names in the WINS database.
WINS pull replication convergence time for a WAN: add together the two longest convergence times between spokes and the hub (hub-and-spoke WINS replication configuration).
Pull replication can only be configured to occur at specified time intervals
Push replication can only be configured to occur after a specified number of
changes in the version ID of the local WINS database.
To back up the WINS database (default: every 3 hours):
Right-click the WINS server, choose 'Back Up Database', browse to a folder on the local server and click OK. This creates a \Wins_Bak\New folder within the designated folder and configures the server to automatically back up its WINS database to the local \Wins_Bak\New folder every three hours.
A WINS proxy must be present on the subnet that includes the Unix servers in order to listen for their B-node broadcasts and either resolve them from its existing cache or query the WINS server in order to update the WINS proxy cache.
To make a computer a proxy agent requires a change to a Registry value --- EnableProxy set to 1.
WINS proxies are used to resolve name resolution requests that are broadcast by non-Windows computers.
Two components that use WINS are My Network Places and the Net.exe command.
WINS server on one subnet with clients on many subnets: configure the WINS server to include its own IP address as a WINS client when configuring the server's TCP/IP properties on the Advanced WINS tab.
When values below 20 are specified for the number of version ID changes, a persistent connection is required in order for replication to occur.
You can use the Jetpack utility to compact and perform minor repairs on the WINS database, but this action does not update outdated NetBIOS name mappings.
***********RRAS ************
Authentication options are:
PAP --- Password Authentication Protocol, plaintext
SPAP --- Shiva Password Authentication Protocol, reversible encryption mechanism
CHAP --- Challenge Handshake Authentication Protocol
MS-CHAP v1, v2 --- Microsoft Challenge Handshake Authentication Protocol versions 1 and 2
EAP --- Extensible Authentication Protocol (EAP-MD5, EAP-TLS); will not work on a stand-alone W2K server, must be Active Directory
************Unauthenticated access************
MS-CHAP v1 cannot be used to establish a 40-bit encrypted connection if the user has a password of more than 14 characters.
To enable CHAP-based authentication, apply all the other settings plus reversible encryption of passwords.
Reversible encryption of passwords does not affect existing passwords; after reversible encryption is selected, a user's password must be reset.
***********Connection Types supported************
PPP, MPPE, PPTP, L2TP
PPP is the basis for the PPTP and L2TP protocols, which are used in secure virtual
private network (VPN) connections
Supported PPP features:
Multilink - more than one connection
BAP - with Multilink, dynamically controls bandwidth utilization
LCP - Callback and Caller ID features
For VPN connections, Windows 2000 uses MPPE with the Point-to-Point Tunneling
Protocol (PPTP) and IP Security (IPSec) encryption with the Layer Two Tunneling
Protocol (L2TP).
For dial-up networking connections, Windows 2000 uses Microsoft Point-to-Point
Encryption (MPPE).
With the basic and strong encryption methods MPPE provides only link encryption,
not end-to-end encryption. If end-to-end encryption is required, IPSec can be
used to encrypt IP traffic from end-to-end after the PPTP tunnel is established.
Data encryption for PPP or PPTP connections is available only if MS-CHAP (v1 or v2) or EAP-TLS is used as the authentication protocol. Data encryption for L2TP connections relies on IPSec, which does not require any specific authentication protocol.
Maximum level of data encryption for Windows NT 4.0 and Windows 98 computers is MS-CHAP v2 for VPN connections.
L2TP enables the use of IPSec for securing the payload
To create an L2TP-only server: set the number of PPTP ports to 1, then clear the 'Remote access connections (inbound only)' and 'Demand-dial routing connections (inbound and outbound)' check boxes for the PPTP ports. On the client computer, change the type of VPN server from Automatic to L2TP.
A remote access server running Windows 2000 does not support SLIP clients. Serial
Line Internet Protocol (SLIP) is an older remote access standard typically used
by UNIX remote access servers. Windows 2000 Network and Dial-up Connections
supports SLIP, and you can make connections to any remote access server by using
the SLIP standard.
***********IPSec************
The Kerberos V5 security protocol is the default authentication technology
IPSec protects integrity, ensures confidentiality, authenticates credentials and protects computers from network attack.
Profiles are for users; filters are for machines. Filters define the types of packets that are allowed to be processed.
Select the 'Session key perfect forward secrecy' check box to guarantee that no master keying material is re-used to generate a session key.
You can monitor and troubleshoot IPSec by using the ipsecmon command to start
IP Security Monitor and by enabling audit policy and viewing IPSec events in
Event Viewer.
When IPSec is tunneled, ESP should be applied first and then the Authentication Header (AH): "layer 3 tunneling".
***********RAS server order of process************
After Authentication
1. Check RRAS Policy
2. Check user dial up property configuration
3. Check policy profile settings
RIP v1 and RIP v2 are distance-vector routing protocols; RIP v1 and RIP v2 routers periodically broadcast the routes contained in their routing tables to the network. However, changes are not broadcast immediately.
RIP v1 vs RIP v2: RIP v2 supports password authentication, CIDR, VLSM and multicast announcements; RIP v1 is chatty.
Split horizon and poison reverse settings prevent RIP routing loops.
Route command: route print --- lists all routes this computer knows; route -f --- clears the routing table.
RIP v2 router terminology:
PEER FILTERING: ability to accept or discard updates or announcements from specific routers identified by IP address
ROUTE FILTERING: ability to accept or discard updates for specific network IDs or from specific routers
RIP NEIGHBOURS: ability to unicast RIP announcements to specific routers, to support non-broadcast technologies like Frame Relay. A RIP neighbour is a RIP router that receives unicast RIP announcements.
CONDITIONS - determine the conditions to match
PERMISSIONS - determine whether to grant or deny remote access permission
USER PROFILE - profile for users who matched the conditions you have specified
The first RAP that matches the conditions of the call attempt is used to determine whether the connection attempt will be accepted or rejected.
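An added example, constructed for these notes and not RRAS or IAS code, that models the evaluation order above: after authentication the first policy whose conditions match is selected, the account's dial-in property (allow, deny, or control through policy) can override the policy's permission, and the matched policy's profile then applies its constraints. The attribute names, the policy set and the sample attempts are assumptions.

```python
# Values of the account's dial-in property, which the notes list as step 2 after authentication
ALLOW, DENY, POLICY = "allow", "deny", "control-through-policy"


def conditions_match(conditions, attempt):
    """Every condition must hold: equality, or membership when the attempt value is a group set."""
    for attr, wanted in conditions.items():
        have = attempt.get(attr)
        if isinstance(have, (set, frozenset, list, tuple)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def profile_allows(profile, attempt):
    """Profile constraints (step 3): permitted authentication protocols and minimum encryption."""
    if "allowed_auth" in profile and attempt["auth"] not in profile["allowed_auth"]:
        return False
    if "min_encryption_bits" in profile and attempt["encryption_bits"] < profile["min_encryption_bits"]:
        return False
    return True


def evaluate(policies, attempt):
    """Return (decision, reason): policies are tried in order and the first match decides."""
    for pol in policies:
        if not conditions_match(pol["conditions"], attempt):     # step 1: policy conditions
            continue
        if attempt["dialin"] == DENY:                             # step 2: dial-in property
            return "reject", f"{pol['name']}: user dial-in property denies access"
        if attempt["dialin"] == POLICY and pol["permission"] != "grant":
            return "reject", f"{pol['name']}: policy permission is deny"
        if not profile_allows(pol["profile"], attempt):           # step 3: profile settings
            return "reject", f"{pol['name']}: profile constraints not met"
        return "accept", f"{pol['name']}: accepted"
    return "reject", "no policy matched"


# Constructed policy set: VPN users must use MS-CHAP v2 or EAP-TLS with 128-bit encryption;
# a final catch-all policy with no conditions denies everything else.
POLICIES = [
    {"name": "VPN-Staff", "conditions": {"port_type": "VPN", "group": "VPN-Users"},
     "permission": "grant",
     "profile": {"allowed_auth": {"MS-CHAPv2", "EAP-TLS"}, "min_encryption_bits": 128}},
    {"name": "Deny-All", "conditions": {}, "permission": "deny", "profile": {}},
]

if __name__ == "__main__":
    attempt = {"port_type": "VPN", "group": {"VPN-Users"}, "auth": "MS-CHAPv2",
               "encryption_bits": 128, "dialin": POLICY}
    print(evaluate(POLICIES, attempt))                  # ('accept', 'VPN-Staff: accepted')
    print(evaluate(POLICIES, dict(attempt, auth="PAP")))
```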
************Ports************
20 FTP server (data channel)
21 FTP server (control channel)
23 Telnet server
53 Domain Name System zone transfers
80 HTTP Internet Access
139 NetBIOS session service
443 HTTPS secure web pages
To duplicate the configuration of the IAS server onto the stand-by server: use the 'netsh aaaa show config' command on the IAS server to create a script file, copy the script file to the stand-by server, and use the 'netsh exec' command on the stand-by server to process the script file.
Windows 2000 doesn't support the use of OSPF on non-persistent demand-dial connections
DVMRP is not available with RRAS; therefore, you cannot install it on the Windows
2000 routers.
In order to enable multicast traffic to pass through an Intranet section that
does not support multicast routing, you must use an IP-in-IP tunnel. In order
to enable each user group to send multicast datagrams to the other group, you
should create an IP-in-IP tunnel interface on each Windows 2000 router.
If you use NetMon in a switched network environment, you see only the traffic
addressed to the computer that is running NetMon
The Identify Network Monitor users… command will not detect instances of Network
Monitor or Network Monitor driver that are running on computers located on remote
subnets unless the routers forward multicast packets
SNMP devices and consoles are grouped into communities by the use of a community
name. SNMP devices and SNMP consoles must share a common community name in order
to interact by using SNMP.
************ICS************
In order for network computers to gain access to the Internet through an ICS
computer, the TCP/IP configuration of the network computers must be changed
to allow them to obtain their IP address automatically. When ICS is enabled
on the LAN interface of Windows 2000 Server computer, the LAN interface is automatically
configured with the IP address 192.168.0.1 and subnet mask 255.255.255.0. If
network computers are configured to obtain their IP address automatically, then
ICS assigns them IP addresses starting from 192.168.0.2 with a subnet mask of
255.255.255.0
************NAT************
NAT editors enable a NAT server to perform network address translation when
protocols such as FTP, ICMP, PPTP and NetBT are used.
A default static route must always have a destination of 0.0.0.0 and a subnet
mask of 0.0.0.0.
In order to ensure the correct translation of traffic that is bound from private hosts to the Internet, you must select the 'Translate TCP/UDP headers (recommended)' option when the number of IP addresses on the private network exceeds the number of IP addresses configured on the public interface of the NAT server.
By selecting the 'Resolve IP addresses for clients using DNS' check box in the RRAS console, you configure the NAT server to forward name resolution requests to DNS servers on the Internet.
Although the NAT computer is not actually a DNS server, the computers on the private network should be configured with the address of the NAT server as their preferred DNS server, because the NAT server functions as a DNS proxy on behalf of the client computers.
************DNS ************
Although the use of AD-integrated primary zones is not required in an AD domain, they are the only zones that allow DNS clients to perform dynamic updates to any DNS server in the domain. With AD-integrated zones, DNS zone data is stored in the AD database, which is replicated to all domain controllers.
Refreshes every 24 hours by default.
With standard primary DNS zones, only one copy of a particular primary zone can exist, and only the DNS server that hosts the primary zone can accept dynamic updates from DNS clients. Thus, if the DNS server that hosts the primary zone is unavailable, DNS clients cannot perform dynamic updates of their resource records.
The ipconfig /registerdns command is used to force a DNS client to register its A (host) record.
Nslookup is used for troubleshooting DNS; it is available only if the TCP/IP protocol has been installed.
A DNS client always checks its resolver cache before querying a DNS server; therefore, you must flush the resolver caches of the network computers. Flushing the caches purges all information obtained through dynamic resolution attempts. Stopping and starting the DNS Client service on each network computer flushes its DNS resolver cache; you can also flush the local resolver cache by running the ipconfig /flushdns command on each network computer.
Only DNS servers that host primary zones or AD-integrated zones have SOA records;
therefore, you cannot increase the value of Refresh Interval setting of the
SOA record on secondary DNS server.
In the simple test, the DNS client resolver on the computer that hosts the DNS server attempts to query the local DNS server. Part of the simple test involves the DNS server attempting to ping its own loopback address of 127.0.0.1. If the simple test fails on the DNS server, then your first troubleshooting step should be to determine whether the server contains the 1.0.0.127.in-addr.arpa zone.
In the recursive test, the local DNS server attempts to resolve a query by querying another DNS server, such as a DNS server on the Internet. If the recursive test fails and there is no firewall between the DNS server and the Internet, then the first troubleshooting step you should take is to determine whether the root hints are correct; your next step should be to run nslookup with the 'server DNS_server_IP_address' and 'set querytype=NS' commands.
************Certification Authorities************
You cannot use an enterprise root CA as an off-line root CA, because enterprise CAs require AD to issue certificates; an enterprise CA that was taken off-line would no longer be able to issue certificates.
An offline Root CA is a root CA that is not connected to the network. However,
you should install the root CA on a member server of an AD domain while the
member server is attached to the network. By installing the root CA on a computer
that is attached to the network, you ensure that the CA updates AD and that
all domain computers and users will trust the certificates that it issues.
You should obtain a Server Gated Cryptography (SGC) server certificate from
a commercial CA in order to assure visitors of your Web site’s identity and
provide 128-bit cryptography for all Web communications. The SGC protocol is
extension of SSL. An SGC server certificate is used to provide added encryption
between a client computer and Web server.
In order to ensure that employees can download the unsigned custom controls
from your company’s intranet Web site, you should use IEAK Profile Manager to
configure a security zone setting of Low for the Local intranet zone in Internet
Explorer.
************Denial of Service************
To drop Internet traffic from spoofed private IP addresses, configure input filters on the Internet interface to accept all packets except those from the following source ranges:
10.0.0.0 with the subnet mask 255.0.0.0
172.16.0.0 with the subnet mask 255.240.0.0
192.168.0.0 with the subnet mask 255.255.0.0
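An added example, not from these notes, that expresses the three input filters above as a check and replays it over a constructed sample of inbound records; the optional extension to loopback, 0.0.0.0/8 and APIPA (169.254.0.0/16) sources goes beyond the page's list but those ranges likewise cannot legitimately arrive from the Internet.

```python
from ipaddress import ip_address, ip_network

# Input filters for the Internet interface, exactly the three ranges listed above: packets
# carrying these source addresses cannot legitimately arrive from the Internet.
PRIVATE_SOURCE_FILTERS = [
    ip_network("10.0.0.0/255.0.0.0"),
    ip_network("172.16.0.0/255.240.0.0"),
    ip_network("192.168.0.0/255.255.0.0"),
]
# Extension beyond the notes (an addition here): loopback, "this" network and APIPA
# link-local sources are likewise never valid from outside.
EXTRA_BOGON_FILTERS = [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8"),
                       ip_network("169.254.0.0/16")]


def spoofed_source(src, filters=PRIVATE_SOURCE_FILTERS):
    """True when the source address falls inside a range the external interface must drop."""
    ip = ip_address(src)
    return any(ip in net for net in filters)


def audit_inbound(log_lines, filters=PRIVATE_SOURCE_FILTERS):
    """Replay 'src dst proto' records against the filter set; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for line in log_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto = line.split()[:3]
        (dropped if spoofed_source(src, filters) else accepted).append((src, dst, proto))
    return accepted, dropped


# Constructed sample of inbound records seen on the Internet interface
INBOUND_LOG = """\
# src            dst            proto
203.0.113.7      198.51.100.10  tcp
10.20.30.40      198.51.100.10  tcp
172.31.255.9     198.51.100.10  udp
172.32.0.1       198.51.100.10  udp
192.168.1.77     198.51.100.10  icmp
127.0.0.1        198.51.100.10  tcp
""".splitlines()

if __name__ == "__main__":
    accepted, dropped = audit_inbound(INBOUND_LOG, PRIVATE_SOURCE_FILTERS + EXTRA_BOGON_FILTERS)
    print(len(accepted), "accepted,", len(dropped), "dropped")   # 2 accepted, 4 dropped
```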
To disable EFS at the OU level without nullifying the recovery policies of all computers within the OUs: configure no recovery policy for each OU.
To disable EFS for all computers within the OUs and not for the OU itself: configure an empty recovery policy for each OU.
Encryption terminology:
Basic encryption:
  40-bit for dial-up connections
  40-bit for PPTP-based VPN connections
  56-bit for L2TP/IPSec-based VPN connections
Strong encryption:
  56-bit for dial-up connections
  56-bit for PPTP-based VPN connections
  56-bit for L2TP/IPSec-based VPN connections
Strongest encryption:
  128-bit for dial-up connections
  128-bit for PPTP-based VPN connections
  3*56-bit for L2TP/IPSec-based VPN connections
You could reduce your company's vulnerability to password-guessing attacks by using smart card authentication and enabling account lockout for remote access in the Registry. Smart card authentication is a token-based authentication method. Token-based authentication requires the user to know something, usually a Personal Identification Number (PIN), and to have something, such as the smart card; without both, a person cannot obtain access.
Account lockout is enabled for remote access by modifying two values located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters subkey of the Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
7 OSI layers--- Application, presentation, session, transport, network, datalink,
physical
************TCP\IP Layers************
Application --- Defines TCP/IP application protocols and how host programs interface with transport layer services to use the network. HTTP, Telnet, FTP, TFTP, SNMP, DNS, SMTP, X Windows, other application protocols
Transport --- Provides communication session management between host computers. Defines the level of service and status of the connection used when transporting data. TCP, UDP, RTP
Internet --- Packages data into IP datagrams, which contain source and destination address information that is used to forward the datagrams between hosts and across networks. Performs routing of IP datagrams. IP, ICMP, ARP, RARP
Network interface --- Specifies details of how data is physically sent through the network, including how bits are electrically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted-pair copper wire. Ethernet, Token Ring, FDDI, X.25, Frame Relay, RS-232, V.35
IP classes:
Class   Address (first octet)   Notes
A       1-127
B       128-191
C       192-223
D       224-239                 Multicast
E       241-Up                  Experimental
APIPA (Automatic Private IP Addressing): 169.254.0.0/16. Available with Windows 98, 2000, XP and later.
Subnet mask segments - 2 = usable segments; the 2 subtracted are the first and the last segments (all 0's or all 1's), which are not allowed.