data host, DNS 121
data modification, DNS 157
data throughput, remote site connectivity 515
decreasing DHCP default lease duration 88
default policy for remote access 500
defining scopes, DHCP
creating scopes 86
exclusion ranges 86
lease duration 87–88
MADCAP scopes 95
multicast scopes 94–95
New Scope Wizard 89
options 88–92
overview 84
removing scopes 95
reservations 92
superscopes 93–94
delegation, DNS 118
demand-dial filters
configuring for remote site-to-site connections 546
on-demand vs. persistent connections 482
Demand-Dial Interface Wizard 530
demand-dial interfaces
configuring for site-to-site connections 527–533
configuring for temporary ISP links 532
matching names 494
static routes for site-to-site connections 502
demilitarized zone (DMZ) See perimeter networks
denial-of-service attacks, DNS 157
deploying Connection Manager
additional resources 466–467
advanced customization 445–447
authentication methods 433
branding clients 444
clients background information 431–434
clients described 432
Connection Manager Administration Kit See CMAK (Connection Manager Administration Kit)
connection methods 432–433
Connection Point Services See CPS (Connection Point Services)
creating phone books 436
custom actions 442–444
customizing Connection Manager 438–447
direct dial 433
distributing certificates 449
distributing service profiles 451
hosting phone books on PBS servers 438
implementation example See Connection Manager implementation example
implementing deployments 448–451
installing PBA 436
Internet enrollments 449
intranet enrollments 450
native connection capabilities and limitations 431
network settings 441
outsourcing phone books 437
overview of remote access clients 429–430
phone book support 434–438
POPs (Points of Presence) 436
process 430
products 432
publishing phone books 436
regions in phone books 436
security education for users 450
security settings 441
service profiles 438–441
testing deployments 449
top-level profile 441
updating phone books 437
deploying DHCP
additional resources 110–111
authorizing servers in Active Directory 84
BOOTP client support 99–101
centralized vs. distributed infrastructure 73
configuring clients 98–101
configuring options 88–92
creating scopes 86
defining scopes 84
dynamic updates 82–83
exporting settings from Windows NT 4.0 or Windows 2000 97
implementation example See DHCP implementation example
implementing deployments 95–101
importing settings to Windows Server 2003 98
improving hardware for performance 74
installing on servers 96
integrating with other services 81–84
IP address lease and renewal 74
MADCAP scopes 95
migrating existing servers 96–98
multicast scopes 94–95
multihoming servers 76
multiple subnets 75–76
Netsh tool 98
New Scope Wizard 89
number of servers 76–77
optimizing availability 77–81
overview 69–70
performance 74–75
process 71
remote access client support 99
removing scopes 95
rogue servers 84
scope exclusion ranges 86
scope lease duration 87–88
scope options 88–92
scope reservations 92
secure dynamic updates 82–83
server design overview 72
server location 73
split-scope configurations 78
standby servers 80
superscopes 93–94
testing deployments 101
unauthorized servers 84
upgrading server hardware 72–73
Windows Clustering 79–80
deploying dial-up networking
additional resources 426–427
compared to VPN 378–381
design overview 382
expenses 379
hardware requirements 383
implementing deployments 423–426
outsourcing options 385
overview 375–376
placing servers 385
process 377
deploying DNS
additional resources 174–175
administrator role 116
application directory partitions 117
authoritative DNS server 118
cache pollution protection 160
client resolver 118
concepts 116–119
conditional forwarding 117–118
configuring clients 154–155
current environment 120–122
data host 121
data modification 157
definitions 118–119
delegation 118
denial-of-service attacks 157
designer role 116
designing DNS namespaces See designing DNS namespaces
designing DNS servers See designing DNS servers
designing DNS zones See designing DNS zones
DHCP integration 165
Dnscmd.exe 117, 173
DNSLint 117
DNSSEC (DNS Security Extensions) 117
domain trees 118
EDNS0 (Extension Mechanisms for DNS) 117
encrypting replication traffic 163
existing infrastructure 122
existing security policies 122
footprinting 157
forward lookup zones 118
FQDN (fully qualified domain name) 118
Group Policy settings for clients 155
high-level security policy 159
implementing deployments See implementing DNS
integrating with Windows Server 2003 services 164–167
internal namespaces 119
internal server security 161
Internet status 121
iterative queries 119
low-level security policy 158
managing clients 154–155
mid-level security policy 159
namespaces See namespaces, DNS
Netdiag.exe 117
network topology 122
Nslookup.exe 117, 173
overview 113–114
primary server 119
process 115
public namespaces 118
recursive queries 119
redirection 157
restricting zone transfers 163
reverse lookup zones 119
roles 116
RR (resource record) 119
secondary server 119
secure dynamic update for zones 162
security overview 155
security policies 158–160
security threats 157
server design See designing DNS servers
server lists for clients 155
server security 160–161
servers described 118
stub zones 119
suffix search lists 155
terms 118–119
tools 117
Windows Server 2003 features 117
WINS integration 166–167
WINS lookup and reverse lookup 166
WINS referral 167
zone design See designing DNS zones
zone file 119
zone replication 162–163
zone transfers 119
zones described 119
deploying IAS
access server vulnerabilities 361
account lockout 360
accounting described 321
additional resources 373–374
architecture 317
auditing described 321
authentication described 321
authentication methods See authentication methods for IAS
authentication protocols 354–357
authorization described 321
client-specific remote access policies 352
common vs. custom remote access policies 349–351
concepts 316–321
conditions for remote access policies 350
configuring remote access policies 347–352
definitions 321
designing IAS See designing IAS
digital signature 360
IAS described 321
implementing deployments See implementing IAS
installing computer certificates for access clients 359
installing computer certificates for IAS servers 359
integrating with certificate infrastructure 357–359
Internet firewalls 360
IPSec traffic security 361
Message-Authenticator attribute 360
Network Access Quarantine Control 348
optimizing IAS See optimizing IAS
overview 313–314
permissions for remote access policies 350
process 315
profile properties for remote access policies 350
Quarantine Remote Access Policy 352
RADIUS client described 321
RADIUS protocol described 321
RADIUS protocol overview 316
RADIUS proxy described 321
RADIUS server described 321
RADIUS shared secrets 359, 361
remote access groups 346
remote access policies for switch access clients 352
remote access policies for users and groups 351
remote access policies for VPN clients 352
remote access policies for wireless access clients 352
remote access policy overview 345
remote access policy restrictions 351
remote client access authorization 346
securing RADIUS servers and proxies 359–361
security overview for remote access 353
signature attribute 360
specifications for common remote access policies 349
specifications for custom remote access policies 349
terms 321
user accounts 347
VPN tunnels 361
Windows Server 2003 features 318–320
deploying IPSec
additional resources 309
AH (Authentication Header) 250
assigning policies See assigning IPSec policies
authentication 250–251, 267
broadcast traffic failures 267
cluster node connectivity loss 267
compatibility 247
concepts 246–251
cryptography 250
decreased throughput 266
decrypting traffic for firewall inspections 263
default exemptions 249
default response 250
definitions 250–251
designing policies See designing IPSec policies
determining needs 252–269
endpoint not supporting IPSec 263
end-to-end security 256–260
ESP (Encapsulating Security Payload) 250
example of corporate network deployment 268–269
example of end-to-end security 259
filter actions 250
filters 248, 251
gateway-to-gateway tunneling 262
GPO (Group Policy object) 251
Group Policy 250
ICMP failures 267
implementing deployments 305–309
multicast traffic failures 267
NAT-T incompatibility 266
NAT-T support 248
Netsh tool 249, 251
network deployments 308
networking inspection technologies 266
overview 243–245
packet filtering 255–256
peer-to-peer communication 257
PFS (perfect forward secrecy) 251
policy described 251
process 245
reduced computing performance 265
RSoP (Resultant Set of Policy) 249, 307
rules 251
securing application servers 258
slower connections 265
solutions 246
terms 250–251
testing in pilot projects 307–308
testing in test labs 306–307
tradeoffs 265–267
transport mode 251, 255
tunnel endpoint 251
tunnel mode 251, 261–264
Windows Server 2003 features 248–249
deploying ISA Server
adding computers 229
additional resources 241
array vs. stand-alone 230
availability overview 225
back-to-back perimeter network 234
cache mode 218–219
capacity planning 226–229
client types 220–221
configuring in arrays 230–231
connecting remote sites 233
DNS round-robin 231
Enterprise Edition vs. Standard Edition 230
extranets 236
firewall clients 220
firewall mode 218
firewall requirements 228
forward cache mode 218, 228
hardware requirements 227
implementation overview 237
implementation steps 238–240
installation modes 217
installing in a domain 224
integrated mode 220
interoperability 222–224
network services 224
overview 213–214
process 215
reverse cache mode 219, 229
roles overview 216
running other services 223
scalability 230
SecureNAT clients 220
securing network perimeters 233–235
security overview 232
three-homed perimeter network 235
Web Proxy clients 220
deploying site-to-site connections See implementing remote site-to-site connections
deploying VPN
additional resources 426–427
availability improvements 404
benefits 380
capacity planning 384
choosing routing approaches 387–388
compared to dial-up networking 378–381
CPU requirements 384
design overview 382
firewalls 385–386
hardware requirements 383–384
implementing deployments See implementing VPN
IP addresses for clients 388
Network Load Balancing 404
optimizing remote access server design 404
outsourcing options 385
overview 375–376
placing servers 385–386
process 377
RAM requirements 384
redundant servers to improve availability 404
routing for clients 387–388
security for split tunneling 388
security planning See planning VPN security
servers behind firewalls 386
servers in front of firewalls 386
split tunneling options 388
testing remote access server design 405
tunneling authentication and encryption 380
deploying WINS
additional resources 211–212
automatic partner configuration 192–193
availability 184–188
branch offices 198
burst handling 189
concentrated user base 199
convergence time 195
conversion files 209
DHCP integration 207
DNS integration 206
evaluating deployments 210
filtering records 181
hardware 183
hub-and-spoke topology 194, 200–202
implementing deployments 207–210
integration overview 205
IPSec tunnels 204
load balancing 190
mapping replication to physical networks 197–202
migrating to Windows Server 2003 208
multiple servers 185
multiple subnets 189
NetBIOS node types 180
Netsh tool 193, 197
new features 181
number of servers 183
overview 177–178
performance 188–190
perimeter networks 204
process 179
redundant databases 190
replication across LANs 196
replication across WANs 195
replication between untrusted domains 197
replication partners 181, 193–194
replication strategy overview 190–192
response times 188
security 203–204
server strategy overview 182
T network topology 194
technology background 180
testing deployments 210
VPN tunnels 204
Windows Clustering 185–188
Windows Server 2003 features 181
deploying wireless LANs
additional resources 592–593
components 555–559
designing wireless network access solutions See designing wireless LANs
example of designing subnets and IP addressing 560
IP addressing 559–561
network infrastructure 555–561
overview 551–552
process 553
single points of failure 559
subnets 559–561
technology background 554
test environments See implementing WLAN test environments
designer role, DNS 116
designing DHCP servers
centralized vs. distributed infrastructure 73
improving hardware for performance 74
IP address lease and renewal 74
location of servers 73
multihoming 76
multiple subnets 75–76
number of servers 76–77
optimizing availability 77–81
overview 72
performance 74–75
split-scope configurations 78
standby servers 80
upgrading hardware 72–73
Windows Clustering 79–80
designing DNS namespaces
creating computer names 133–135
creating domain names 131–133
creating subdomains 137
different internal and external domain names 126
example of merging 137–140
external domains 125–126
integrated infrastructure computer names 134
internal DNS root 127–128
internal domain names 133
internal domains 125–126
internal subdomains 126
Internet domain names 131–132
name resolution for disjointed namespaces 128
NetBIOS names 136–137
overview 122
requirements 124
upgraded infrastructure computer names 135
Windows Server 2003 computer names 134
Windows Server 2003 integration 129–130
designing DNS servers
Active Directory availability 144
availability 143–144
conditional forwarding in off-site domains 144–145
conditional forwarding in other namespaces 146
forwarding 144–146
hardware resources 142
number of servers required 142–143
overview 141
placement of servers 143–144
upgrading to Windows Server 2003 146
designing DNS zones
Active Directory replication 151–153
Active Directory-integrated zones 150–151
conditional forwarding 149
domain-wide application directory partitions 151
file-based zone transfer 151
full zone transfer 151
incremental zone transfer 151
migrating zones to Windows Server 2003 153
overview 147
primary zones 148
propagation methods 151–153
secondary zones 148
stub zones 148–149
zone types 148–151
designing IAS
adding RADIUS or VSA attributes to connection request policy 330
adding RADIUS or VSA attributes to remote access policy 329
client access overview 331
compatibility issues for VPN access 334
compulsory vs. voluntary tunneling for VPN access 332–333
current environment 323
designing as RADIUS proxy 330–331
designing as RADIUS server 327–330
dial-up access 331
installing backup RADIUS proxies 331
installing backup RADIUS servers 330
optimizing IAS See optimizing IAS
overview 322
planning connection request policies for RADIUS proxy 330
planning for failure detection for RADIUS proxy 330
planning for load balancing for RADIUS proxy 330
planning for RADIUS clients 327
RADIUS proxy and server 326
RADIUS proxy as third-party ISP 324
RADIUS proxy for load balancing 325
RADIUS proxy overview 324
RADIUS proxy with multiple forests 324
RADIUS server authentication 328
RADIUS server domain membership 327
RADIUS server overview 323
role of IAS server 323–326
securing switch access 336
security risks with wireless access 335
switch access 336
VPN access 334
wireless access 334–335
designing IP addressing schemes
address allocation methods 23
aggregation 20–21
CIDR (classless interdomain routing) 22–23
classless IP addressing 16–18
classless routing 18–20
overview 14–15
private vs. public addresses 23–25
route summarization 20–21
structured address assignment model 16
supernetting 22–23
VLSM (variable length subnet mask) 21–22
designing IPSec policies
AH (Authentication Header) 283
All ICMP Traffic filter list 276
All IP Traffic filter list 276
assigning policies See assigning IPSec policies
authentication 284
certificate-to-account mappings 293
Client (Respond Only) 275
configuring firewalls 281
CRL (certificate revocation list) 291
default exemptions to filtering 277–280
default policies 275
ESP (Encapsulating Security Payload) 283
excluding CA names from certificate requests 293
filters, filter actions, and filter lists 277–280
general settings 272
IKE (Internet Key Exchange) 287, 294
Kerberos V5 285
overview 270
Permit filter action 276
predefined filter actions 276
predefined filter lists 276
preshared keys 294
protocols 283–284
public key certificates 286
Request Security filter action 276
Require Security filter action 276
rules 274
Secure Server (Require Security) 275
Server (Request Security) 275
designing remote access server solutions
availability 404
hardware requirements 383–384
Network Load Balancing 404
optimization 404
outsourcing options 385
overview 382
placing servers 385–386
planning VPN security See planning VPN security
redundant servers to improve availability 404
routing for VPN clients 387–388
testing 405
tools for testing 405
designing routing for remote site connectivity
adding static routes 502–504
auto-static updates 503
demand-dial interface for local ISP 503
demand-dial interface for remote sites 502
LAN interface at both sites 502
multicast connectivity between sites 506
off-subnet address ranges 503–504
on-subnet address ranges 503–504
overview 502
performance for Internet traffic 506
router user accounts 503
routing protocols 505
security for Internet traffic 505
servicing Internet traffic 505–506
static routes for site-to-site connections 502
designing TCP/IP networks
additional resources 67–68
address allocation methods 23
availability improvements 32–35
configuring DNS for IPv6/IPv4 coexistence 62–63
enabling IPv4 applications for IPv6 using PortProxy 64
IP addressing schemes design overview 14–15
IP configuration strategy 26–28
IP multicasting 35–42
IPv6 addressing 48–55
IPv6 overview 42–43
overview 3–4
planning IP-based infrastructure 7–9
private vs. public addresses 23–25
process 5
routing IPv6 traffic over IPv4 infrastructure 56–61
routing strategies 10–14
security 28–32
structured address assignment model 16–23
testing 64–66
Windows Server 2003 features 6, 44–48
designing WINS
automatic partner configuration 192–193
availability 184–188
convergence time 195
mapping replication to physical networks 197–202
Netsh tool 193, 197
performance 188–190
replication across LANs 196
replication across WANs 195
replication between untrusted domains 197
replication partners 193–194
replication strategy overview 190–192
designing wireless LANs
Active Directory-based wireless network policies 577
autoconfiguration 576
automatic switching between APs during roaming 575
basic security 570
channel frequencies for wireless APs 566–568
closing security risks 570
coverage areas for wireless users 563
distributing certificates through autoenrollment 576
encrypting data 571
enforcing authorization and authentication 571
example of IEEE 802.11b channels 568
example of mounting APs in plenum area 569
example of public space WLAN 574–575
example of wireless AP locations 566
manageability 575–578
number of wireless APs 564
overview 562
planning wireless AP deployments 568–569
public space WLAN 572–575
remote AP management 577
security 570–571
unauthenticated access 572
wireless AP location 563–566
DHCP (Dynamic Host Configuration Protocol)
additional resources 110–111
address allocation 27
authorizing servers in Active Directory 84
BOOTP client support 99–101
centralized vs. distributed infrastructure 73
configuring clients 98–101
configuring for wireless LANs 582
configuring options 88–92
creating scopes 86
defining scopes 84
deployment overview 69–70
deployment process 71
DNS integration 27, 165
dynamic updates 82–83
exporting settings from Windows NT 4.0 or Windows 2000 97
implementation example See DHCP implementation example
implementing deployments 95–101
importing settings to Windows Server 2003 98
improving hardware for performance 74
installing on servers 96
integrating with other services 81–84
IP address lease and renewal 74
leases for wireless clients 557
MADCAP 38, 95
migrating existing servers 96–98
multicast scopes 94–95
multihoming servers 76
multiple subnets 75–76
Netsh tool 98
New Scope Wizard 89
number of servers 76–77
optimizing availability 77–81
performance 74–75
planning IP configuration strategy 26–28
remote access client support 99
removing scopes 95
rogue servers 84
scope exclusion ranges 86
scope lease duration 87–88
scope options 88–92
scope reservations 92
scopes for wireless clients 557
secure dynamic updates 82–83
server design overview 72
server location 73
split-scope configurations 78
standby servers 80
superscopes 93–94
testing deployments 101
unauthorized servers 84
upgrading server hardware 72–73
Windows Clustering 79–80
WINS integration 27, 207
DHCP implementation example
Active Directory domain structure 103
address pools 105
connectivity 102
exclusion ranges 105
installing servers in Active Directory 107
IP addressing 103–106
lease duration 109
message routing 106–110
overview 102
reservations 106
routing 102
scope configuration 107–110
scope options 109
server options 110
subnets 103–106
transmission security between sites 103
dial-in credentials for remote site-to-site connections 531, 533
dial-in hours for remote site-to-site connections 545
dial-in options for router user accounts 497
dial-out credentials for remote site-to-site connections 531, 533
dial-out hours for remote site-to-site connections 482, 545
dial-up connections
See also dial-up networking
connecting remote sites 476
described 433
remote site connectivity overview 474
dial-up networking
See also dial-up connections
additional resources 426–427
availability improvements 404
compared to VPN 378–381
deployment overview 375–376
deployment process 377
described 433
design overview 382
designing IAS 331
expenses 379
hardware requirements 383
implementing deployments 423–426
Network Load Balancing 404
optimizing remote access server design 404
outsourcing options 385
placing servers 385
redundant servers for availability improvements 404
testing remote access server design 405
digital signature, RADIUS 360
direct dial 433
disconnect intervals 537
disjointed DNS namespaces 128
distance vector routing protocols 12–13
distributing certificates, Connection Manager 449
distribution tier 9
Dijkstra algorithm 14
DMZ (demilitarized zone) See perimeter networks
DNS (Domain Name System)
additional resources 174–175
administrator role 116
application directory partitions 117
authoritative DNS server 118
cache pollution protection 160
client resolver 118
concepts 116–119
conditional forwarding 117–118
configuring clients 154–155
configuring for IPv6/IPv4 coexistence 62–63
configuring for wireless LANs 582
current environment 120–122
data host 121
data modification 157
definitions 118–119
delegation 118
denial-of-service attacks 157
deployment overview 113–114
deployment process 115
deployment tools 117
designer role 116
designing namespaces See designing DNS namespaces
designing servers See designing DNS servers
designing zones See designing DNS zones
DHCP integration 27, 165
Dnscmd.exe 117, 173
DNSLint 117
DNSSEC (DNS Security Extensions) 117
domain trees 118
EDNS0 (Extension Mechanisms for DNS) 117
encrypting replication traffic 163
existing infrastructure 122
existing security policies 122
footprinting 157
forward lookup zones 118
FQDN (fully qualified domain name) 118
Group Policy settings for clients 155
high-level security policy 159
implementing deployments See implementing DNS
integrating with Windows Server 2003 services 164–167
internal namespaces 119
internal server security 161
Internet status 121
ISA Server and DNS round-robin 231
iterative queries 119
low-level security policy 158
managing clients 154–155
mid-level security policy 159
namespaces See namespaces, DNS
Netdiag.exe 117
network topology 122
Nslookup.exe 117, 173
primary DNS server 119
public namespaces 118
recursive queries 119
redirection 157
restricting zone transfers 163
reverse lookup zones 119
roles 116
RR (resource record) 119
secondary server 119
secure dynamic update for zones 162
security overview 155
security policies 158–160
security threats 157
server design See designing DNS servers
server lists for clients 155
server security 160–161
servers described 118
stub zones 119
suffix search lists 155
terms 118–119
Windows Server 2003 features 117
WINS integration 166–167, 206
WINS lookup and reverse lookup 166
WINS referral 167
zone design See designing DNS zones
zone file 119
zone replication 162–163
zone transfer 119
zones described 119
zones where wireless clients register 557
DNS Security Extensions (DNSSEC) 117
Dnscmd.exe 117, 173
DNSLint 117
DNSSEC (DNS Security Extensions) 117
domain names, DNS 131–133
domain trees, DNS 118
domain-based IPSec policies 299
DomainDnsZones (domain-wide DNS application directory partition) 151
double dial 432
duplicate IAS server configurations 340
Dynamic Host Configuration Protocol See DHCP (Dynamic Host Configuration Protocol)
dynamic membership 41
dynamic routers 418
dynamic routing protocols 11–14
dynamic updates
DHCP 82–83
DNS 162, 171