Lab 3-1: Designing Authentication for the Network

Lab Objectives

This lab prepares you to design authentication for a Windows 2000 network by meeting the following objectives:

  • Ensure availability of Kerberos authentication mechanisms in a Windows 2000 network
  • Ensure secure authentication for down-level clients
  • Determine placement of network services to optimize authentication in a Windows 2000 network

About This Lab

This lab looks at designing authentication for a Windows 2000 network that contains Windows 2000, Windows NT, Windows 98, and Windows for Workgroups clients. The network consists of multiple sites connected by dedicated WAN links.

Before You Begin

Make sure you've completed reading the chapter material before starting the lab. For hints on how to design authentication security, pay close attention to the sections where the design decisions were applied throughout the chapter.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, wants the strongest available authentication security on its corporate network. You have been asked to design the Windows 2000 network so that security is maintained during the authentication process.

Existing Network Configuration

The network is configured into four native-mode domains, as shown in Figure 3.13.


Figure 3.13 The Contoso Ltd. domain structure

Contoso uses a centralized management approach for Windows 2000 operation masters. The PDC emulator role for each domain is maintained on a domain controller at the London location. This ensures that the forest-wide administrators in London have ready access to the operation masters.

In addition to the corporate offices in London, Seattle, and Lima, there's an East Coast office in Tampa. The Tampa office users authenticate with the seattle.contoso.tld domain. The WAN links between the offices are configured as shown in Figure 3.14.


Figure 3.14 WAN links for the Contoso Ltd. offices

Existing Network Server Placement

The network currently has network servers deployed as shown in the table below.

Location    Network Servers

Seattle     Three DCs for the seattle.contoso.tld domain are located at the Seattle office.
            One of the DCs is configured as a global catalog server for the Seattle site.

Tampa       There are no DCs at the Tampa office.

London      Two DCs for each of the contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld domains are at the London location.
            The PDC emulators for all four domains are at this location.
            Two DCs are configured as global catalog servers for the London site.
            Two DCs in the contoso.tld domain are configured as DNS servers. The DNS servers are authoritative for the contoso.tld domain and all subdomains.

Lima        Two DCs for the lima.contoso.tld domain are located at the Lima office.

Client Computer Details

Within Contoso, each office has a mix of Windows 2000, Windows NT 4.0, and Windows 98 client computers. The Lima office also has 10 Windows for Workgroups 3.11 client computers deployed. Each office has fewer than 1000 users. The Windows NT 4.0 Workstation computers have Windows NT 4.0 Service Pack 3 applied, and the Windows 98 clients don't have any service packs applied.

In all cases, both the computer and user accounts are located in the domain defined for the site in order to reduce authentication over WAN links.

Exercise 1: Designing Windows 2000 Client Authentication

This exercise will look at the design of Windows 2000 client authentication. Each of the Contoso network's four sites has Windows 2000 client computers that will require secure access to the corporate network.

Analyzing Server Placement

To ensure that authentication can take place for Windows 2000 clients, you must determine whether servers are placed on the network so that authentication happens where you want it to, that is, locally at each site without crossing a WAN link. The answers to these questions can be found in the appendix.

  1. Are there any issues for Windows 2000 computers with the PDC emulator for each domain located at the London office?

  2. Are DCs placed correctly on the network to ensure local authentication at each remote office?

  3. Are global catalog servers placed correctly on the network to ensure that cached credentials aren't used at authentication?

  4. When the WAN link between the remote offices and the London office is unavailable, users can't locate resources on the network. What can you do to optimize network locator services for the Contoso network based on the current DNS design?

Analyzing Default Trust Relationships

The Contoso forest currently has four domains: contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld. This section looks at optimizing the trust relationships between the domains. The answers to these questions can be found in the appendix.

  1. Based on the current domain structure, what default trust relationships are established for the contoso.tld forest?

  2. If users in the seattle.contoso.tld domain frequently access resources in the london.contoso.tld domain, what can you do to optimize the Kerberos authentication process?
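The following script is an added illustration, not part of the training kit: it models the forest from the scenario (contoso.tld as the forest root, with seattle, lima and london as child domains joined to the root by two-way transitive trusts) as a graph and walks the shortest trust path a Kerberos client in one domain follows to reach a KDC in another. Every realm on that path hands out a referral TGT for the next hop, so the path length is the number of cross-domain referrals. The shortcut trust the script adds is hypothetical, for comparison only; the code uses no Active Directory cmdlets and runs in any Windows PowerShell version.

```powershell
# Added example, not part of the training kit. Models the Contoso forest's
# default two-way transitive trusts (parent <-> child) as an undirected graph
# and finds the chain of KDC referrals a client must follow.

$DefaultTrusts = @{
    'contoso.tld'         = @('seattle.contoso.tld', 'lima.contoso.tld', 'london.contoso.tld')
    'seattle.contoso.tld' = @('contoso.tld')
    'lima.contoso.tld'    = @('contoso.tld')
    'london.contoso.tld'  = @('contoso.tld')
}

function Get-KerberosReferralPath {
    param(
        [hashtable]$Trusts,
        [string]$ClientRealm,
        [string]$ResourceRealm
    )
    # Breadth-first search: the shortest path through the trust graph is the
    # sequence of realms whose KDCs each issue a referral TGT for the next hop.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@($ClientRealm))
    $visited = @{ $ClientRealm = $true }
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $last = $path[-1]
        if ($last -eq $ResourceRealm) { return $path }
        foreach ($next in @($Trusts[$last])) {
            if (-not $visited.ContainsKey($next)) {
                $visited[$next] = $true
                $queue.Enqueue($path + $next)
            }
        }
    }
    return $null   # no trust path exists between the two realms
}

function Add-ShortcutTrust {
    param([hashtable]$Trusts, [string]$DomainA, [string]$DomainB)
    # Returns a copy of the trust graph with a hypothetical two-way shortcut
    # trust between DomainA and DomainB; the original graph is left untouched.
    $copy = @{}
    foreach ($key in $Trusts.Keys) { $copy[$key] = @($Trusts[$key]) }
    $copy[$DomainA] += $DomainB
    $copy[$DomainB] += $DomainA
    return $copy
}

$client   = 'seattle.contoso.tld'
$resource = 'london.contoso.tld'

# Default forest: the referral climbs to the forest root and back down.
$default = Get-KerberosReferralPath -Trusts $DefaultTrusts -ClientRealm $client -ResourceRealm $resource
"Default trusts:  $($default -join ' -> ')  ($($default.Count - 1) referral hops)"

# Hypothetical shortcut trust between the two domains that exchange the most traffic.
$withShortcut = Add-ShortcutTrust -Trusts $DefaultTrusts -DomainA $client -DomainB $resource
$short = Get-KerberosReferralPath -Trusts $withShortcut -ClientRealm $client -ResourceRealm $resource
"Shortcut trust:  $($short -join ' -> ')  ($($short.Count - 1) referral hops)"
```

With the default trusts the Seattle client's path is seattle.contoso.tld -> contoso.tld -> london.contoso.tld, two referrals, the first of which is answered by a contoso.tld DC; in this scenario those DCs are all in London, so the referral itself crosses the WAN link. With the shortcut trust in place the path drops to a single referral.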


Exercise 2: Designing Down-Level Client Authentication

This exercise looks at the design issues that Contoso will face with the Windows 98, Windows NT 4.0, and Windows for Workgroups clients. The answers to these questions can be found in the appendix.

  1. Based on the current client computer distribution, are there any security risks? Detail all security risks for authentication.

  2. What do you need to do to reduce the security risk for authentication?

  3. How does the deployment of the DSClient software improve performance?

  4. Once you've deployed the DSClient software to all Windows 98 and Windows NT 4.0 clients, what changes must be made at the DCs?
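As an added check, not part of the training kit, the script below reads the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a DC, reports which client responses that level still lets the DC accept, and can raise it. It assumes Windows PowerShell running as an administrator on the DC; Windows 2000 itself has no PowerShell, so there the same value is set with regedit. The level meanings follow Microsoft's documentation for the value, and the point to take from it is the ordering constraint: a DC refuses LM responses only at level 4 or higher, and refuses NTLM only at level 5, so the DCs can be tightened only once every down-level client can answer with NTLMv2 (which Windows NT 4.0 gained in Service Pack 4 and Windows 98 gains with DSClient).

```powershell
# Added example, not from the training kit. Audits and optionally raises the
# LAN Manager authentication level on a Windows 2000 DC. Assumes Windows
# PowerShell running as an administrator on the DC (Windows 2000 itself would
# use regedit on the same value).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel 0-5.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$Path = $LsaKey)
    $props = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }   # value absent: Windows 2000 defaults to level 0
    return [int]$props.LmCompatibilityLevel
}

function Get-DcAuthPosture {
    param([ValidateRange(0,5)][int]$Level)
    # Which client responses a DC at this level still accepts.
    $acceptsLm   = $Level -lt 4
    $acceptsNtlm = $Level -lt 5
    if ($acceptsLm) {
        $risk = 'LM responses accepted: weak LM password hashes can be captured on the wire and cracked'
    } elseif ($acceptsNtlm) {
        $risk = 'NTLM accepted: NTLMv2 is not yet enforced for clients'
    } else {
        $risk = 'NTLMv2 only'
    }
    [pscustomobject]@{
        Level       = $Level
        Meaning     = $LevelMeaning[$Level]
        AcceptsLM   = $acceptsLm
        AcceptsNTLM = $acceptsNtlm
        Risk        = $risk
    }
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0,5)][int]$Level, [string]$Path = $LsaKey)
    # Writes the REG_DWORD value; run only after every client can send NTLMv2.
    Set-ItemProperty -Path $Path -Name LmCompatibilityLevel -Value $Level -Type DWord
}

$current = Get-LmCompatibilityLevel
Get-DcAuthPosture -Level $current | Format-List

# Once all Windows 98 and Windows NT 4.0 clients have been upgraded to NTLMv2:
# Set-LmCompatibilityLevel -Level 5
```

Run the audit part on each DC before changing anything; if any Windows 98 or NT 4.0 SP3 client is still in use, a level of 4 or 5 on the DCs locks those clients out rather than making them safer.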


Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001