Index_D


D

data host, DNS 121

data modification, DNS 157

data throughput, remote site connectivity 515

decreasing DHCP default lease duration 88

default policy for remote access 500

defining scopes, DHCP

creating scopes 86

exclusion ranges 86

lease duration 87–88

MADCAP scopes 95

multicast scopes 94–95

New Scope Wizard 89

options 88–92

overview 84

removing scopes 95

reservations 92

superscopes 93–94

delegation, DNS 118

demand-dial filters

configuring for remote site-to-site connections 546

on-demand vs. persistent connections 482

Demand-Dial Interface Wizard 530

demand-dial interfaces

configuring for site-to-site connections 527–533

configuring for temporary ISP links 532

matching names 494

static routes for site-to-site connections 502

demilitarized zone (DMZ) See perimeter networks

denial-of-service attacks, DNS 157

deploying Connection Manager

additional resources 466–467

advanced customization 445–447

authentication methods 433

branding clients 444

clients background information 431–434

clients described 432

Connection Manager Administration Kit See CMAK (Connection Manager Administration Kit)

connection methods 432–433

Connection Point Services See CPS (Connection Point Services)

creating phone books 436

custom actions 442–444

customizing Connection Manager 438–447

direct dial 433

distributing certificates 449

distributing service profiles 451

hosting phone books on PBS servers 438

implementation example See Connection Manager implementation example

implementing deployments 448–451

installing PBA 436

Internet enrollments 449

intranet enrollments 450

native connection capabilities and limitations 431

network settings 441

outsourcing phone books 437

overview of remote access clients 429–430

phone book support 434–438

POPs (Points of Presence) 436

process 430

products 432

publishing phone books 436

regions in phone books 436

security education for users 450

security settings 441

service profiles 438–441

testing deployments 449

top-level profile 441

updating phone books 437

deploying DHCP

additional resources 110–111

authorizing servers in Active Directory 84

BOOTP client support 99–101

centralized vs. distributed infrastructure 73

configuring clients 98–101

configuring options 88–92

creating scopes 86

defining scopes 84

dynamic updates 82–83

exporting settings from Windows NT 4.0 or Windows 2000 97

implementation example See DHCP implementation example

implementing deployments 95–101

importing settings to Windows Server 2003 98

improving hardware for performance 74

installing on servers 96

integrating with other services 81–84

IP address lease and renewal 74

MADCAP scopes 95

migrating existing servers 96–98

multicast scopes 94–95

multihoming servers 76

multiple subnets 75–76

Netsh tool 98

New Scope Wizard 89

number of servers 76–77

optimizing availability 77–81

overview 69–70

performance 74–75

process 71

remote access client support 99

removing scopes 95

rogue servers 84

scope exclusion ranges 86

scope lease duration 87–88

scope options 88–92

scope reservations 92

secure dynamic updates 82–83

server design overview 72

server location 73

split-scope configurations 78

standby servers 80

superscopes 93–94

testing deployments 101

unauthorized servers 84

upgrading server hardware 72–73

Windows Clustering 79–80

deploying dial-up networking

additional resources 426–427

compared to VPN 378–381

design overview 382

expenses 379

hardware requirements 383

implementing deployments 423–426

outsourcing options 385

overview 375–376

placing servers 385

process 377

deploying DNS

additional resources 174–175

administrator role 116

application directory partitions 117

authoritative DNS server 118

cache pollution protection 160

client resolver 118

concepts 116–119

conditional forwarding 117–118

configuring clients 154–155

current environment 120–122

data host 121

data modification 157

definitions 118–119

delegation 118

denial-of-service attacks 157

designer role 116

designing DNS namespaces See designing DNS namespaces

designing DNS servers See designing DNS servers

designing DNS zones See designing DNS zones

DHCP integration 165

Dnscmd.exe 117, 173

DNSLint 117

DNSSEC (DNS Security Extensions) 117

domain trees 118

EDNS0 (Extension Mechanisms for DNS) 117

encrypting replication traffic 163

existing infrastructure 122

existing security policies 122

footprinting 157

forward lookup zones 118

FQDN (fully qualified domain name) 118

Group Policy settings for clients 155

high-level security policy 159

implementing deployments See implementing DNS

integrating with Windows Server 2003 services 164–167

internal namespaces 119

internal server security 161

Internet status 121

iterative queries 119

low-level security policy 158

managing clients 154–155

mid-level security policy 159

namespaces See namespaces, DNS

Netdiag.exe 117

network topology 122

Nslookup.exe 117, 173

overview 113–114

primary server 119

process 115

public namespaces 118

recursive queries 119

redirection 157

restricting zone transfers 163

reverse lookup zones 119

roles 116

RR (resource record) 119

secondary server 119

secure dynamic update for zones 162

security overview 155

security policies 158–160

security threats 157

server design See designing DNS servers

server lists for clients 155

server security 160–161

servers described 118

stub zones 119

suffix search lists 155

terms 118–119

tools 117

Windows Server 2003 features 117

WINS integration 166–167

WINS lookup and reverse lookup 166

WINS referral 167

zone design See designing DNS zones

zone file 119

zone replication 162–163

zone transfers 119

zones described 119

deploying IAS

access server vulnerabilities 361

account lockout 360

accounting described 321

additional resources 373–374

architecture 317

auditing described 321

authentication described 321

authentication methods See authentication methods for IAS

authentication protocols 354–357

authorization described 321

client-specific remote access policies 352

common vs. custom remote access policies 349–351

concepts 316–321

conditions for remote access policies 350

configuring remote access policies 347–352

definitions 321

designing IAS See designing IAS

digital signature 360

IAS described 321

implementing deployments See implementing IAS

installing computer certificates for access clients 359

installing computer certificates for IAS servers 359

integrating with certificate infrastructure 357–359

Internet firewalls 360

IPSec traffic security 361

Message-Authenticator attribute 360

Network Access Quarantine Control 348

optimizing IAS See optimizing IAS

overview 313–314

permissions for remote access policies 350

process 315

profile properties for remote access policies 350

Quarantine Remote Access Policy 352

RADIUS client described 321

RADIUS protocol described 321

RADIUS protocol overview 316

RADIUS proxy described 321

RADIUS server described 321

RADIUS shared secrets 359, 361

remote access groups 346

remote access policies for switch access clients 352

remote access policies for users and groups 351

remote access policies for VPN clients 352

remote access policies for wireless access clients 352

remote access policy overview 345

remote access policy restrictions 351

remote client access authorization 346

securing RADIUS servers and proxies 359–361

security overview for remote access 353

signature attribute 360

specifications for common remote access policies 349

specifications for custom remote access policies 349

terms 321

user accounts 347

VPN tunnels 361

Windows Server 2003 features 318–320

deploying IPSec

additional resources 309

AH (Authentication Header) 250

assigning policies See assigning IPSec policies

authentication 250–251, 267

broadcast traffic failures 267

cluster node connectivity loss 267

compatibility 247

concepts 246–251

cryptography 250

decreased throughput 266

decrypting traffic for firewall inspections 263

default exemptions 249

default response 250

definitions 250–251

designing policies See designing IPSec policies

determining needs 252–269

endpoint not supporting IPSec 263

end-to-end security 256–260

ESP (Encapsulating Security Payload) 250

example of corporate network deployment 268–269

example of end-to-end security 259

filter actions 250

filters 248, 251

gateway-to-gateway tunneling 262

GPO (Group Policy object) 251

Group Policy 250

ICMP failures 267

implementing deployments 305–309

multicast traffic failures 267

NAT-T incompatibility 266

NAT-T support 248

Netsh tool 249, 251

network deployments 308

networking inspection technologies 266

overview 243–245

packet filtering 255–256

peer-to-peer communication 257

PFS (perfect forward secrecy) 251

policy described 251

process 245

reduced computing performance 265

RSoP (Resultant Set of Policy) 249, 307

rules 251

securing application servers 258

slower connections 265

solutions 246

terms 250–251

testing in pilot projects 307–308

testing in test labs 306–307

tradeoffs 265–267

transport mode 251, 255

tunnel endpoint 251

tunnel mode 251, 261–264

Windows Server 2003 features 248–249

deploying ISA Server

adding computers 229

additional resources 241

array vs. stand-alone 230

availability overview 225

back-to-back perimeter network 234

cache mode 218–219

capacity planning 226–229

client types 220–221

configuring in arrays 230–231

connecting remote sites 233

DNS round-robin 231

Enterprise Edition vs. Standard Edition 230

extranets 236

firewall clients 220

firewall mode 218

firewall requirements 228

forward cache mode 218, 228

hardware requirements 227

implementation overview 237

implementation steps 238–240

installation modes 217

installing in a domain 224

integrated mode 220

interoperability 222–224

network services 224

overview 213–214

process 215

reverse cache mode 219, 229

roles overview 216

running other services 223

scalability 230

SecureNAT clients 220

securing network perimeters 233–235

security overview 232

three-homed perimeter network 235

Web Proxy clients 220

deploying site-to-site connections See implementing remote site-to-site connections

deploying VPN

additional resources 426–427

availability improvements 404

benefits 380

capacity planning 384

choosing routing approaches 387–388

compared to dial-up networking 378–381

CPU requirements 384

design overview 382

firewalls 385–386

hardware requirements 383–384

implementing deployments See implementing VPN

IP addresses for clients 388

Network Load Balancing 404

optimizing remote access server design 404

outsourcing options 385

overview 375–376

placing servers 385–386

process 377

RAM requirements 384

redundant servers to improve availability 404

routing for clients 387–388

security for split tunneling 388

security planning See planning VPN security

servers behind firewalls 386

servers in front of firewalls 386

split tunneling options 388

testing remote access server design 405

tunneling authentication and encryption 380

deploying WINS

additional resources 211–212

automatic partner configuration 192–193

availability 184–188

branch offices 198

burst handling 189

concentrated user base 199

convergence time 195

conversion files 209

DHCP integration 207

DNS integration 206

evaluating deployments 210

filtering records 181

hardware 183

hub-and-spoke topology 194, 200–202

implementing deployments 207–210

integration overview 205

IPSec tunnels 204

load balancing 190

mapping replication to physical networks 197–202

migrating to Windows Server 2003 208

multiple servers 185

multiple subnets 189

NetBIOS node types 180

Netsh tool 193, 197

new features 181

number of servers 183

overview 177–178

performance 188–190

perimeter networks 204

process 179

redundant databases 190

replication across LANs 196

replication across WANs 195

replication between untrusted domains 197

replication partners 181, 193–194

replication strategy overview 190–192

response times 188

security 203–204

server strategy overview 182

T network topology 194

technology background 180

testing deployments 210

VPN tunnels 204

Windows Clustering 185–188

Windows Server 2003 features 181

deploying wireless LANs

additional resources 592–593

components 555–559

designing wireless network access solutions See designing wireless LANs

example of designing subnets and IP addressing 560

IP addressing 559–561

network infrastructure 555–561

overview 551–552

process 553

single points of failure 559

subnets 559–561

technology background 554

test environments See implementing WLAN test environments

designer role, DNS 116

designing DHCP servers

centralized vs. distributed infrastructure 73

improving hardware for performance 74

IP address lease and renewal 74

location of servers 73

multihoming 76

multiple subnets 75–76

number of servers 76–77

optimizing availability 77–81

overview 72

performance 74–75

split-scope configurations 78

standby servers 80

upgrading hardware 72–73

Windows Clustering 79–80

designing DNS namespaces

creating computer names 133–135

creating domain names 131–133

creating subdomains 137

different internal and external domain names 126

example of merging 137–140

external domains 125–126

integrated infrastructure computer names 134

internal DNS root 127–128

internal domain names 133

internal domains 125–126

internal subdomains 126

Internet domain names 131–132

name resolution for disjointed namespaces 128

NetBIOS names 136–137

overview 122

requirements 124

upgraded infrastructure computer names 135

Windows Server 2003 computer names 134

Windows Server 2003 integration 129–130

designing DNS servers

Active Directory availability 144

availability 143–144

conditional forwarding in off-site domains 144–145

conditional forwarding in other namespaces 146

forwarding 144–146

hardware resources 142

number of servers required 142–143

overview 141

placement of servers 143–144

upgrading to Windows Server 2003 146

designing DNS zones

Active Directory replication 151–153

Active Directory-integrated zones 150–151

conditional forwarding 149

domain-wide application directory partitions 151

file-based zone transfer 151

full zone transfer 151

incremental zone transfer 151

migrating zones to Windows Server 2003 153

overview 147

primary zones 148

propagation methods 151–153

secondary zones 148

stub zones 148–149

zone types 148–151

designing IAS

adding RADIUS or VSA attributes to connection request policy 330

adding RADIUS or VSA attributes to remote access policy 329

client access overview 331

compatibility issues for VPN access 334

compulsory vs. voluntary tunneling for VPN access 332–333

current environment 323

designing as RADIUS proxy 330–331

designing as RADIUS server 327–330

dial-up access 331

installing backup RADIUS proxies 331

installing backup RADIUS servers 330

optimizing IAS See optimizing IAS

overview 322

planning connection request policies for RADIUS proxy 330

planning for failure detection for RADIUS proxy 330

planning for load balancing for RADIUS proxy 330

planning for RADIUS clients 327

RADIUS proxy and server 326

RADIUS proxy as third-party ISP 324

RADIUS proxy for load balancing 325

RADIUS proxy overview 324

RADIUS proxy with multiple forests 324

RADIUS server authentication 328

RADIUS server domain membership 327

RADIUS server overview 323

role of IAS server 323–326

securing switch access 336

security risks with wireless access 335

switch access 336

VPN access 334

wireless access 334–335

designing IP addressing schemes

address allocation methods 23

aggregation 20–21

CIDR (classless interdomain routing) 22–23

classless IP addressing 16–18

classless routing 18–20

overview 14–15

private vs. public addresses 23–25

route summarization 20–21

structured address assignment model 16

supernetting 22–23

VLSM (variable length subnet mask) 21–22

designing IPSec policies

AH (Authentication Header) 283

All ICMP Traffic filter list 276

All IP Traffic filter list 276

assigning policies See assigning IPSec policies

authentication 284

certificate-to-account mappings 293

Client (Respond Only) 275

configuring firewalls 281

CRL (certificate revocation list) 291

default exemptions to filtering 277–280

default policies 275

ESP (Encapsulating Security Payload) 283

excluding CA names from certificate requests 293

filters, filter actions, and filter lists 277–280

general settings 272

IKE (Internet Key Exchange) 287, 294

Kerberos V5 285

overview 270

Permit filter action 276

predefined filter actions 276

predefined filter lists 276

preshared keys 294

protocols 283–284

public key certificates 286

Request Security filter action 276

Require Security filter action 276

rules 274

Secure Server (Require Security) 275

Server (Request Security) 275

designing remote access server solutions

availability 404

hardware requirements 383–384

Network Load Balancing 404

optimization 404

outsourcing options 385

overview 382

placing servers 385–386

planning VPN security See planning VPN security

redundant servers to improve availability 404

routing for VPN clients 387–388

testing 405

tools for testing 405

designing routing for remote site connectivity

adding static routes 502–504

auto-static updates 503

demand-dial interface for local ISP 503

demand-dial interface for remote sites 502

LAN interface at both sites 502

multicast connectivity between sites 506

off-subnet address ranges 503–504

on-subnet address ranges 503–504

overview 502

performance for Internet traffic 506

router user accounts 503

routing protocols 505

security for Internet traffic 505

servicing Internet traffic 505–506

static routes for site-to-site connections 502

designing TCP/IP networks

additional resources 67–68

address allocation methods 23

availability improvements 32–35

configuring DNS for IPv6/IPv4 coexistence 62–63

enabling IPv4 applications for IPv6 using PortProxy 64

IP addressing schemes design overview 14–15

IP configuration strategy 26–28

IP multicasting 35–42

IPv6 addressing 48–55

IPv6 overview 42–43

overview 3–4

planning IP-based infrastructure 7–9

private vs. public addresses 23–25

process 5

routing IPv6 traffic over IPv4 infrastructure 56–61

routing strategies 10–14

security 28–32

structured address assignment model 16–23

testing 64–66

Windows Server 2003 features 6, 44–48

designing WINS

automatic partner configuration 192–193

availability 184–188

convergence time 195

mapping replication to physical networks 197–202

Netsh tool 193, 197

performance 188–190

replication across LANs 196

replication across WANs 195

replication between untrusted domains 197

replication partners 193–194

replication strategy overview 190–192

designing wireless LANs

Active Directory-based wireless network policies 577

autoconfiguration 576

automatic switching between APs during roaming 575

basic security 570

channel frequencies for wireless APs 566–568

closing security risks 570

coverage areas for wireless users 563

distributing certificates through autoenrollment 576

encrypting data 571

enforcing authorization and authentication 571

example of IEEE 802.11b channels 568

example of mounting APs in plenum area 569

example of public space WLAN 574–575

example of wireless AP locations 566

manageability 575–578

number of wireless APs 564

overview 562

planning wireless AP deployments 568–569

public space WLAN 572–575

remote AP management 577

security 570–571

unauthenticated access 572

wireless AP location 563–566

DHCP (Dynamic Host Configuration Protocol)

additional resources 110–111

address allocation 27

authorizing servers in Active Directory 84

BOOTP client support 99–101

centralized vs. distributed infrastructure 73

configuring clients 98–101

configuring for wireless LANs 582

configuring options 88–92

creating scopes 86

defining scopes 84

deployment overview 69–70

deployment process 71

DNS integration 27, 165

dynamic updates 82–83

exporting settings from Windows NT 4.0 or Windows 2000 97

implementation example See DHCP implementation example

implementing deployments 95–101

importing settings to Windows Server 2003 98

improving hardware for performance 74

installing on servers 96

integrating with other services 81–84

IP address lease and renewal 74

leases for wireless clients 557

MADCAP 38, 95

migrating existing servers 96–98

multicast scopes 94–95

multihoming servers 76

multiple subnets 75–76

Netsh tool 98

New Scope Wizard 89

number of servers 76–77

optimizing availability 77–81

performance 74–75

planning IP configuration strategy 26–28

remote access client support 99

removing scopes 95

rogue servers 84

scope exclusion ranges 86

scope lease duration 87–88

scope options 88–92

scope reservations 92

scopes for wireless clients 557

secure dynamic updates 82–83

server design overview 72

server location 73

split-scope configurations 78

standby servers 80

superscopes 93–94

testing deployments 101

unauthorized servers 84

upgrading server hardware 72–73

Windows Clustering 79–80

WINS integration 27, 207

DHCP implementation example

Active Directory domain structure 103

address pools 105

connectivity 102

exclusion ranges 105

installing servers in Active Directory 107

IP addressing 103–106

lease duration 109

message routing 106–110

overview 102

reservations 106

routing 102

scope configuration 107–110

scope options 109

server options 110

subnets 103–106

transmission security between sites 103

dial-in credentials for remote site-to-site connections 531, 533

dial-in hours for remote site-to-site connections 545

dial-in options for router user accounts 497

dial-out credentials for remote site-to-site connections 531, 533

dial-out hours for remote site-to-site connections 482, 545

dial-up connections

See also dial-up networking

connecting remote sites 476

described 433

remote site connectivity overview 474

dial-up networking

See also dial-up connections

additional resources 426–427

availability improvements 404

compared to VPN 378–381

deployment overview 375–376

deployment process 377

described 433

design overview 382

designing IAS 331

expenses 379

hardware requirements 383

implementing deployments 423–426

Network Load Balancing 404

optimizing remote access server design 404

outsourcing options 385

placing servers 385

redundant servers for availability improvements 404

testing remote access server design 405

digital signature, RADIUS 360

direct dial 433

disconnect intervals 537

disjointed DNS namespaces 128

distance vector routing protocols 12–13

distributing certificates, Connection Manager 449

distribution tier 9

Dijkstra algorithm 14

DMZ (demilitarized zone) See perimeter networks

DNS (Domain Name System)

additional resources 174–175

administrator role 116

application directory partitions 117

authoritative DNS server 118

cache pollution protection 160

client resolver 118

concepts 116–119

conditional forwarding 117–118

configuring clients 154–155

configuring for IPv6/IPv4 coexistence 62–63

configuring for wireless LANs 582

current environment 120–122

data host 121

data modification 157

definitions 118–119

delegation 118

denial-of-service attacks 157

deployment overview 113–114

deployment process 115

deployment tools 117

designer role 116

designing namespaces See designing DNS namespaces

designing servers See designing DNS servers

designing zones See designing DNS zones

DHCP integration 27, 165

Dnscmd.exe 117, 173

DNSLint 117

DNSSEC (DNS Security Extensions) 117

domain trees 118

EDNS0 (Extension Mechanisms for DNS) 117

encrypting replication traffic 163

existing infrastructure 122

existing security policies 122

footprinting 157

forward lookup zones 118

FQDN (fully qualified domain name) 118

Group Policy settings for clients 155

high-level security policy 159

implementing deployments See implementing DNS

integrating with Windows Server 2003 services 164–167

internal namespaces 119

internal server security 161

Internet status 121

ISA Server and DNS round-robin 231

iterative queries 119

low-level security policy 158

managing clients 154–155

mid-level security policy 159

namespaces See namespaces, DNS

Netdiag.exe 117

network topology 122

Nslookup.exe 117, 173

primary DNS server 119

public namespaces 118

recursive queries 119

redirection 157

restricting zone transfers 163

reverse lookup zones 119

roles 116

RR (resource record) 119

secondary server 119

secure dynamic update for zones 162

security overview 155

security policies 158–160

security threats 157

server design See designing DNS servers

server lists for clients 155

server security 160–161

servers described 118

stub zones 119

suffix search lists 155

terms 118–119

Windows Server 2003 features 117

WINS integration 166–167, 206

WINS lookup and reverse lookup 166

WINS referral 167

zone design See designing DNS zones

zone file 119

zone replication 162–163

zone transfer 119

zones described 119

zones where wireless clients register 557

DNS Security Extensions (DNSSEC) 117

Dnscmd.exe 117, 173

DNSLint 117

DNSSEC (DNS Security Extensions) 117

domain names, DNS 131–133

domain trees, DNS 118

domain-based IPSec policies 299

DomainDnsZones (domain-wide DNS application directory partition) 151

double dial 432

duplicate IAS server configurations 340

Dynamic Host Configuration Protocol See DHCP (Dynamic Host Configuration Protocol)

dynamic membership 41

dynamic routers 418

dynamic routing protocols 11–14

dynamic updates

DHCP 82–83

DNS 162, 171

Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 146
