Section 6.3. Exam 70-291 Highlighters Index

In this section, I've attempted to compile the facts within the exam's subject areas that you are most likely to need another look at; in other words, the areas of study that you might have highlighted while reading the Study Guide. The title of each highlighted element corresponds to the heading title in the Exam 70-291 Study Guide, so if you have a question about a highlight, you can refer back to the corresponding section in the study guide. For the most part, the entries under a heading are organized as term lists, with a Windows Server 2003 feature, component, or administration tool as the term and the key details for that feature, component, or tool listed next to it.

6.3.1. Implementing, Managing, and Maintaining IP Addressing

Summary of highlights from the "Implementing, Managing, and Maintaining IP Addressing" section of the Exam 70-291 Study Guide.


Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite

  • TCP is a connection-oriented protocol for end-to-end communications.

  • IP is an internetworking protocol for routing packets over a network.


Three types of IP addresses

  • Dynamic IP addresses are automatically obtained from a DHCP server.

  • Static IP addresses are those manually assigned to computers.

  • Automatic private IP addresses (APIPA) are used when a computer is configured for DHCP but no DHCP server is available.


Installing TCP/IP

  • TCP/IP is configured if the operating system detects a network adapter.

  • Install TCP/IP manually using the Local Area Connection Properties dialog box.


Configure TCP/IP addressing

  • IP addresses identify computers by their associated network ID and host ID components.

  • Subnet masks identify which parts of the IP address belong to the network ID and which parts belong to the host ID.

  • Default gateways identify the IP address of the router that will act as the computer's gateway.

  • Preferred and alternate DNS servers identify the IP address of the preferred and alternate DNS servers to use for name resolution.


TCP/IP version 4

  • Available IP addresses are divided into network class ranges.

  • Standard unicast IP address classes are Class A, Class B, and Class C.

  • Private IP address classes are summarized in Table 6-1.

Table 6-1. Private network addresses by class

Network class | Network ID  | Subnet mask | Assignable IP address range
--------------|-------------|-------------|----------------------------
Class A       | 10.0.0.0    | 255.0.0.0   | 10.0.0.1-10.255.255.254
Class B       | 172.16.0.0  | 255.240.0.0 | 172.16.0.1-172.31.255.254
Class C       | 192.168.0.0 | 255.255.0.0 | 192.168.0.1-192.168.255.254



Configuring static IP addressing

  • Configure a static IP address by editing the TCP/IP properties.

  • Select the Use The Following IP Address radio button.

  • Type the IP address and network mask.

  • Type the IP address of the default gateway.

  • Type the IP addresses of the preferred and alternate DNS servers.


Configuring dynamic IP addressing

  • Configure a dynamic IP address by editing the TCP/IP properties.

  • Select Obtain An IP Address Automatically.

  • Optionally, select Obtain DNS Server Address Automatically.


Configuring Automatic Private IP Addressing

  • IP addresses in the range 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0.

  • Determine whether a computer is using automatic private addressing by typing ipconfig /all.

  • Configure automatic private addressing by editing the TCP/IP properties.

  • Select the Automatic Private IP Address radio button to use the default alternate configuration.
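To make the network ID, host ID, private class ranges (Table 6-1) and APIPA range concrete, here is an added Python example that is not code from the study guide: it splits an address by its dotted subnet mask, classifies it, and applies two consistency checks (usable host ID, default gateway on the host's subnet) that catch common static-configuration mistakes. The sample addresses are constructed.

```python
import ipaddress

# Private ranges from Table 6-1 and the APIPA range, written in prefix form.
PRIVATE_RANGES = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),       # mask 255.0.0.0
    "Class B": ipaddress.ip_network("172.16.0.0/12"),    # mask 255.240.0.0
    "Class C": ipaddress.ip_network("192.168.0.0/16"),   # mask 255.255.0.0
}
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")     # mask 255.255.0.0


def split_address(ip: str, mask: str) -> dict:
    """Split an address into its network ID and host ID using a dotted subnet mask."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    # Host ID = the address bits that the mask does not cover.
    host_bits = int(iface.ip) & ~int(net.netmask) & 0xFFFFFFFF
    return {
        "network_id": str(net.network_address),
        "host_id": str(ipaddress.ip_address(host_bits)),
        "broadcast": str(net.broadcast_address),
        "prefix_length": net.prefixlen,
    }


def is_usable_host(ip: str, mask: str) -> bool:
    """A host ID of all zeros (the network) or all ones (broadcast) cannot be assigned."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def classify(ip: str) -> str:
    """Report whether an address is APIPA, private (by Table 6-1 class) or public."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA_RANGE:
        return "APIPA"
    for name, net in PRIVATE_RANGES.items():
        if addr in net:
            return f"private {name}"
    return "public"


def gateway_on_subnet(ip: str, mask: str, gateway: str) -> bool:
    """The default gateway must lie inside the host's own subnet to be reachable."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    return ipaddress.ip_address(gateway) in net


def check_static_config(ip: str, mask: str, gateway: str) -> list:
    """Return the problems found in a static configuration; empty means consistent."""
    problems = []
    if classify(ip) == "APIPA":
        problems.append("address is in the APIPA range: no DHCP server answered")
    if not is_usable_host(ip, mask):
        problems.append("address is the network or broadcast address of its subnet")
    if not gateway_on_subnet(ip, mask, gateway):
        problems.append("default gateway is not on the host's subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample: a Class B private host whose gateway was mistyped.
    print(split_address("172.16.5.20", "255.240.0.0"))
    print(check_static_config("172.16.5.20", "255.240.0.0", "172.32.0.1"))
```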


Diagnosing and resolving Automatic Private IP Addressing

  • An active network connection is required for automatic configuration to work properly.

  • The media may be disconnected at either end of the network cable.

  • Attempt to renew the IP address by typing ipconfig /renew at a command prompt.

  • Disable APIPA using the IPAutoconfigurationEnabled DWORD value-entry in the Registry.


Diagnosing and resolving incorrect TCP/IP configuration

  • Check for invalid gateway configuration.

  • Check for invalid IP address.

  • Check for invalid subnet mask.

  • Check for invalid DNS configuration.

  • Check for invalid WINS configuration.

  • Use ping, arp, pathping, tracert, and netdiag for testing.


Diagnosing and resolving DNS caching issues

  • Use ipconfig /displaydns to display the entries in the DNS cache.

  • Use ipconfig /flushdns to purge the entries in the DNS cache.

  • Use ipconfig /registerdns to refresh leased IP addresses and re-register the computer's DNS names.

6.3.2. Installing, Configuring, and Managing DHCP

Summary of highlights from the "Installing, Configuring, and Managing DHCP" section of the Exam 70-291 Study Guide.


Understanding DHCP

  • DHCP servers assign IP addresses to clients for a specific period of time known as the lease duration.

  • Any server that you want to configure as a DHCP server must have a static IP address.

  • Every DHCP server must have at least one active scope to grant leases to clients.

  • A scope is simply a range of IP addresses to be leased to DHCP clients.

  • An exclusion is an IP address or an IP address range that is excluded from a scope and never assigned to clients.

  • A reservation is an IP address that is held for use by a client with a specific hardware MAC address.


Installing and configuring DHCP is accomplished by:

  1. Installing the DHCP server service on your designated DHCP servers.

  2. Authorizing the DHCP servers in Active Directory.

  3. Configuring the DHCP servers so they can assign dynamic configurations to clients.

  4. Activating at least one scope on each DHCP server.


Installing the DHCP Server service

  • Install DHCP Server service on a server assigned a static IP address.

  • Do not install DHCP Server service on a DC (unless necessary).

  • Use Add Or Remove Programs > Windows Components in the Control Panel to install.


Working with and authorizing the DHCP server

  • Manage DHCP using the DHCP console.

  • Click Start > Programs > Administrative Tools > DHCP.

  • DHCP supports three types of scopes:

    • Normal scopes for assigning Class A, B, and C IP addresses and related network settings.

    • Multicast scopes for assigning Class D IP addresses and related network settings.

    • Superscopes used as containers for scopes.


    Creating and activating normal scopes

    • Create a new scope by right-clicking the server's entry and then selecting New Scope.

    • The new scope is created and listed under the DHCP server node in the DHCP console.

    • Activate the scope by right-clicking it and selecting Activate.


    Creating and activating multicast scopes

    • Multicast scopes are used on networks that use TCP/IP multicasting.

    • Class D IP addresses from 224.0.0.0 to 239.255.255.255 are used for multicasting.

    • Create a new multicast scope by right-clicking the server's entry and then selecting New Multicast Scope.

    • Activate the scope by right-clicking it and selecting Activate.


    Creating and using superscopes

    • Superscopes allow you to group scopes for easier management.

    • Verify that you have at least one scope to create the superscope.

    • By activating or deactivating the superscope, you can activate or deactivate all the related scopes.

    • Create a new superscope by right-clicking the server's entry and then selecting New Superscope.

    • To activate or deactivate all scopes within a superscope, right-click the superscope and select Activate or Deactivate.

    • To add a scope to a superscope, right-click the scope and then select Add To Superscope.

    • To remove a scope from a superscope, right-click a scope and then select Remove From Superscope.


    DHCP scope options

    • Predefined options configure preset values and create additional TCP/IP options.

    • Server options configure TCP/IP options that are assigned to all scopes created on a server.

    • Scope options configure TCP/IP options that are assigned to all clients that use a scope.

    • Class options assign TCP/IP options based on membership in a particular class.

    • Reservation options set TCP/IP options for individual computers with reservations.

    • Standard TCP/IP options used with scopes are listed in Table 6-2.


    Overriding TCP/IP options

    • Server options can be overridden by scope, class, and reservation options.

    • Scope options can be overridden by class and reservation options.

    • Class options can be overridden by reservation options.

    • Reservation options can be overridden only by manually assigned TCP/IP settings.

    Table 6-2. Overriding TCP/IP options

    Option name        | Option code | Description
    -------------------|-------------|------------
    DNS Domain Name    | 015         | Sets the DNS domain name to use when resolving unqualified hostnames using DNS.
    DNS Servers        | 006         | Sets the primary and alternate DNS servers in preference order.
    Router             | 003         | Sets the default gateways in preference order.
    WINS/NBNS Servers  | 044         | Sets the primary and alternate WINS servers in preference order.
    WINS/NBT Node Type | 046         | Sets the method to use when resolving NetBIOS names.



    Using dynamic DNS updates with DHCP

    • The options on the DNS tab determine how dynamic DNS updating works.

    • Clients register their A records using a nonsecure method.

    • DHCP servers dynamically update A and PTR records on behalf of clients using secure updates.

    • The DnsUpdateProxy security group members do not have security settings assigned to their records.


    New leases are granted through a four-part process:

    1. Discover. A client sends a DHCP Discover broadcast on the network using its MAC address and NetBIOS name.

    2. Offer. DHCP servers on a network that receive a DHCP Discover message respond with a DHCP Offer message.

    3. Request. Clients accept the first offer received by broadcasting a DHCP Request message for the offered IP address.

    4. Acknowledgment. The server accepts the request by sending the client a DHCP Acknowledgment message.


    Renewing leases

    • Clients attempt to renew their leases:

      At each restart.

      When the ipconfig /renew command is run at the client computer.

      When the client uses the Repair button in the connection status dialog box.

      When 50 percent of the lease time has passed.

      When 87.5 percent of the lease time has expired.

    • On failure, the client falls back to APIPA and then sends DHCP Discover broadcasts every five minutes.
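The four-part lease process and the renewal points above, as an added Python simulation that is not code from the study guide: two constructed servers answer a Discover, the client takes the first Offer, only the server named in the Request commits the address and acknowledges, and the renew (50 percent) and rebind (87.5 percent) times are derived from the lease length. With no server answering, the client falls back to APIPA and schedules its next Discover five minutes later. Server names, address pools and lease lengths are constructed.

```python
from dataclasses import dataclass
from typing import Optional

RENEW_FRACTION = 0.5        # page: renewal attempt at 50 percent of the lease
REBIND_FRACTION = 0.875     # page: renewal attempt at 87.5 percent of the lease
APIPA_RETRY_SECONDS = 300   # page: Discover broadcasts every five minutes on failure


def lease_timers(lease_seconds: int, granted_at: int) -> dict:
    """Absolute times (seconds) at which the client renews, rebinds and expires."""
    return {
        "renew_at": granted_at + int(lease_seconds * RENEW_FRACTION),
        "rebind_at": granted_at + int(lease_seconds * REBIND_FRACTION),
        "expires_at": granted_at + lease_seconds,
    }


def client_phase(now: int, timers: dict) -> str:
    """Which phase of its lease a bound client is in at time `now`."""
    if now < timers["renew_at"]:
        return "BOUND"
    if now < timers["rebind_at"]:
        return "RENEWING"      # unicast Request to the server that granted the lease
    if now < timers["expires_at"]:
        return "REBINDING"     # broadcast Request to any server
    return "EXPIRED"           # back to Discover


@dataclass
class DhcpServer:
    name: str
    pool: list                  # free addresses, offered in order
    lease_seconds: int

    def offer(self, discover: dict) -> Optional[dict]:
        """Step 2 (Offer): answer a Discover if an address is free."""
        if not self.pool:
            return None
        return {"type": "OFFER", "server": self.name, "yiaddr": self.pool[0],
                "lease": self.lease_seconds, "xid": discover["xid"]}

    def handle_request(self, request: dict) -> dict:
        """Step 4 (Acknowledgment): only the server chosen in the Request commits."""
        if request["server"] != self.name:
            return {"type": "IGNORED", "server": self.name}   # withdraws its own offer
        self.pool.remove(request["yiaddr"])
        return {"type": "ACK", "server": self.name,
                "yiaddr": request["yiaddr"], "lease": request["lease"]}


def obtain_lease(mac: str, servers: list, now: int) -> dict:
    """Run Discover/Offer/Request/Acknowledgment; fall back to APIPA if nobody offers."""
    discover = {"type": "DISCOVER", "chaddr": mac, "xid": 0x2A3B}   # step 1 (broadcast)
    offers = [o for o in (s.offer(discover) for s in servers) if o is not None]
    if not offers:
        # A real client picks a random 169.254.x.y and probes for conflicts;
        # the fixed address below is a constructed placeholder.
        return {"source": "APIPA", "address": "169.254.1.1",
                "retry_discover_at": now + APIPA_RETRY_SECONDS}
    chosen = offers[0]                                   # first offer received wins
    request = {**chosen, "type": "REQUEST"}              # step 3 (broadcast)
    replies = [s.handle_request(request) for s in servers]
    ack = next(r for r in replies if r["type"] == "ACK")
    return {"source": ack["server"], "address": ack["yiaddr"],
            **lease_timers(ack["lease"], now)}


def make_servers() -> list:
    """Constructed servers for the example: two pools with different lease lengths."""
    return [DhcpServer("dhcp1", ["10.0.0.10", "10.0.0.11"], 8 * 24 * 3600),
            DhcpServer("dhcp2", ["10.0.0.50"], 3600)]


if __name__ == "__main__":
    servers = make_servers()
    lease = obtain_lease("00-11-22-33-44-55", servers, now=0)
    print(lease, client_phase(400000, lease))
    print(obtain_lease("00-11-22-33-44-66", [], now=0))
```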


    Managing leases

    • Using the DHCP console, you manage lease durations on a per-scope basis.

    • To view or change the current lease duration, right-click the server's entry and then select Properties.

    • On clients, you manage IP addressing using ipconfig.


    Managing reservations and reserved clients

    • Use reservations to create permanent address lease assignments.

    • Reservation definitions must be created on each DHCP server in the subnet.

    • Define a reservation using the MAC address of the computer's network adapter.

    • To create a reservation, right-click the Reservations node and click New Reservation.


    DHCP databases

    • By default, the database is located in the %SystemRoot%\System32\DHCP folder.

    • Automatic backups occur every 60 minutes by default.

    • Set automatic backup using the BackupInterval entry in the Registry.

    • Automatic backups are stored by default in %SystemRoot%\System32\DHCP\backup.


    Manually backing up and restoring the DHCP database

    • Manual backups allow you to manually restore the database.

    • To back up, right-click the server node and click Backup.

    • To restore, right-click the server node and click Restore.


    Migrating a DHCP server

    1. On the current source DHCP server, perform a backup of the DHCP database.

    2. Type net stop dhcpserver at a command prompt.

    3. Copy the backup folder to the destination DHCP server.

    4. On the destination DHCP server, perform a restore of the DHCP database.


    Manually compacting the DHCP database

    1. Open a command prompt.

    2. Change (cd) to the directory containing the DHCP database.

    3. Type net stop dhcpserver.

    4. Type jetpack dhcp.mdb temp.mdb.

    5. Type net start dhcpserver.


    Troubleshooting DHCP

    • A red circle with an X indicates that the DHCP Server service is stopped or the DHCP server cannot be reached.

    • A white circle with a red down arrow indicates that the server is not authorized in Active Directory.

    • A white circle with a red down arrow on the scope node indicates that the scope is deactivated.

    • A white circle with a green up arrow indicates that the DHCP server is authorized and active.


    Understanding the DHCP audit logs

    • By default, all DHCP activity is written to the DHCP audit logs.

    • Audit logs are stored under %SystemRoot%\System32\dhcp.

    • To configure audit logging, right-click the server node and click Properties.

    • Use the audit logs for troubleshooting.

    • Table 6-3 summarizes audit log events related to authorization.

    Table 6-3. Audit log events related to authorization

    Event ID | Event text                                | Description
    ---------|-------------------------------------------|------------
    50       | Unreachable domain                        | The DHCP server cannot locate the domain for which it is configured.
    51       | Authorization succeeded                   | The DHCP server is authorized to start on the network.
    53       | Cached authorization                      | The DHCP server is authorized to start using previously cached information. Active Directory wasn't available at the time the DHCP Server service was started on the network.
    54       | Authorization failed                      | The DHCP server is not authorized to start on the network and has stopped servicing clients. Typically, the DHCP Server service is stopped as a result.
    55       | Authorization (servicing)                 | The DHCP server is successfully authorized to start on the network.
    56       | Authorization failure, stopped servicing  | The DHCP server is not authorized to start on the network and is shut down. You must authorize the server before starting it again.
    57       | Server found in domain                    | Another DHCP server exists and is authorized for the domain.
    58       | Server could not find domain              | The DHCP server cannot locate the domain for which it is configured.
    59       | Network failure                           | A network-related failure prevents the server from determining whether it is authorized.
    60       | No DC is DS-enabled                       | No domain controller is found in the domain. The DHCP server must be able to contact a DC in the domain.
    61       | Server found that belongs to DS domain    | Another DHCP server that belongs to the domain is found.
    62       | Another server found                      | Another DHCP server is found on the network.
    63       | Restarting rogue detection                | The DHCP server is trying to determine whether it's authorized.
    64       | No DHCP-enabled interfaces                | The DHCP server has its service bindings or network connections configured so that the DHCP Server service is not enabled to provide services. The server may be disconnected from the network, have a dynamic IP address, or have all its static IP addresses disabled.
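An added Python example, not code from the study guide, that reads a DHCP audit log and pulls out the authorization events of Table 6-3, so that a stopped-servicing condition or an unexpected "another server found" entry stands out without scrolling the whole log. The comma-separated column layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) is assumed from the Windows Server 2003 audit log format, and the log lines themselves are constructed.

```python
import csv
from io import StringIO

# Event IDs and texts from Table 6-3.
AUTH_EVENTS = {
    50: "Unreachable domain",
    51: "Authorization succeeded",
    53: "Cached authorization",
    54: "Authorization failed",
    55: "Authorization (servicing)",
    56: "Authorization failure, stopped servicing",
    57: "Server found in domain",
    58: "Server could not find domain",
    59: "Network failure",
    60: "No DC is DS-enabled",
    61: "Server found that belongs to DS domain",
    62: "Another server found",
    63: "Restarting rogue detection",
    64: "No DHCP-enabled interfaces",
}
SERVICE_DOWN = {54, 56, 64}        # clients are not being served
OTHER_SERVER_SEEN = {57, 61, 62}   # compare the reported address with the authorized list
AD_UNREACHABLE = {50, 58, 59, 60}  # authorization could not be verified

# Assumed column layout of the audit log; the lines below are constructed sample data.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/12/06,08:00:01,Started,,,
55,09/12/06,08:00:03,Authorization (servicing),,corp.example,
10,09/12/06,08:01:10,Assign,10.0.1.21,ws01.corp.example,00112233AABB
11,09/12/06,08:20:44,Renew,10.0.1.21,ws01.corp.example,00112233AABB
62,09/12/06,09:05:44,Another server found,10.0.1.200,,
63,09/12/06,09:05:45,Restarting rogue detection,,,
56,09/12/06,09:06:01,Authorization failure stopped servicing,,corp.example,
"""


def parse_audit_log(text: str) -> list:
    """Turn the CSV text into dicts, skipping the header and any non-record lines."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        rec["id"] = int(rec["id"])
        records.append(rec)
    return records


def authorization_alerts(records: list) -> list:
    """Keep only Table 6-3 events and grade them by what they mean for service."""
    alerts = []
    for rec in records:
        eid = rec["id"]
        if eid not in AUTH_EVENTS:
            continue
        if eid in SERVICE_DOWN:
            level = "critical"
        elif eid in OTHER_SERVER_SEEN:
            level = "review"
        elif eid in AD_UNREACHABLE:
            level = "warning"
        else:
            level = "info"
        alerts.append({"level": level, "id": eid, "when": f"{rec['date']} {rec['time']}",
                       "meaning": AUTH_EVENTS[eid], "ip": rec.get("ip", "")})
    return alerts


def unknown_servers(alerts: list, authorized: set) -> list:
    """Addresses reported by 'server found' events that are not in the authorized set."""
    return sorted({a["ip"] for a in alerts
                   if a["id"] in OTHER_SERVER_SEEN and a["ip"] and a["ip"] not in authorized})


def summarize(text: str, authorized: set) -> dict:
    """One-glance status: is the server still servicing, and did anything unexpected appear?"""
    alerts = authorization_alerts(parse_audit_log(text))
    last = alerts[-1] if alerts else None
    return {
        "events": len(alerts),
        "critical": sum(1 for a in alerts if a["level"] == "critical"),
        "servicing": (last["id"] not in SERVICE_DOWN) if last else None,
        "unknown_servers": unknown_servers(alerts, authorized),
    }


if __name__ == "__main__":
    # Constructed: only 10.0.1.5 is an authorized DHCP server in this example.
    for alert in authorization_alerts(parse_audit_log(SAMPLE_LOG)):
        print(alert)
    print(summarize(SAMPLE_LOG, {"10.0.1.5"}))
```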



    Verifying leases and DHCP reservation configuration

    • Select a server's Active Leases node in the DHCP console.

    • If a lease expires and is not renewed, the computer might have been moved.

    • If a reservation is inactive, the reservation may be incorrectly configured.


    Verifying the client configuration and examining the System event log

    • View the current TCP/IP configuration by typing ipconfig /all at a command prompt.

    • Warning messages regarding address conflicts are displayed in the system tray on the client computer. The System event log may contain an entry with Event ID 1055 and source Dhcp.


    Diagnosing and resolving issues with DHCP server configuration

    • Use predefined options, which set preset values and can be overridden at any other level.

    • Use server options, which can be overridden by scope, class, and reservation options.

    • Use scope options, which can be overridden by class and reservation options.

    • Use class options, which can be overridden by reservation options.

    • Use reservation options, which can be overridden only by manually assigned TCP/IP settings.
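The five option levels above, and the override rules under "Overriding TCP/IP options" earlier, come down to a single merge order. Here is an added Python example (not code from the study guide) that computes a client's effective options and records which level each value came from, which is what you check when a client reports the wrong gateway or DNS server. Option codes follow Table 6-2; the server, scope, class and reservation values are constructed.

```python
import ipaddress

# Option codes from Table 6-2.
ROUTER, DNS_SERVERS, DNS_DOMAIN, WINS_SERVERS, WINS_NODE_TYPE = 3, 6, 15, 44, 46

# Constructed configuration of one DHCP server, lowest precedence first.
PREDEFINED_OPTIONS = {WINS_NODE_TYPE: 8}          # preset value from the option definition
SERVER_OPTIONS = {                                 # applies to every scope on the server
    ROUTER: ["10.0.0.1"],
    DNS_SERVERS: ["10.0.0.5", "10.0.0.6"],
    DNS_DOMAIN: "corp.example",
}
SCOPES = {                                         # applies to clients leasing from the scope
    "10.0.1.0/24": {ROUTER: ["10.0.1.1"]},
    "10.0.2.0/24": {ROUTER: ["10.0.2.1"], WINS_SERVERS: ["10.0.2.9"]},
}
CLASS_OPTIONS = {                                  # applies to members of a user class
    "Laptops": {DNS_DOMAIN: "mobile.corp.example"},
}
RESERVATIONS = {                                   # applies to one MAC address only
    "00-11-22-33-44-55": {"address": "10.0.1.50",
                          "options": {DNS_SERVERS: ["10.0.1.5"]}},
}


def scope_for(address: str):
    """Find the scope whose range contains the client's address."""
    addr = ipaddress.ip_address(address)
    for prefix, options in SCOPES.items():
        if addr in ipaddress.ip_network(prefix):
            return prefix, options
    return None, {}


def effective_options(mac: str, address: str, user_class=None, manual=None):
    """Merge option layers in precedence order; later layers override earlier ones.

    Returns (options, provenance): the value per option code and the level it came from.
    `manual` stands for settings typed into the client's TCP/IP properties, which
    override everything the server sends."""
    reservation = RESERVATIONS.get(mac)
    if reservation and reservation["address"] != address:
        reservation = None          # a reservation's options apply only to its own address
    scope_name, scope_opts = scope_for(address)
    layers = [
        ("predefined", PREDEFINED_OPTIONS),
        ("server", SERVER_OPTIONS),
        (f"scope {scope_name}", scope_opts),
        (f"class {user_class}", CLASS_OPTIONS.get(user_class, {})),
        ("reservation", reservation["options"] if reservation else {}),
        ("manual", manual or {}),
    ]
    options, provenance = {}, {}
    for level, values in layers:
        for code, value in values.items():
            options[code] = value
            provenance[code] = level
    return options, provenance


if __name__ == "__main__":
    # Constructed client: reserved address, member of the Laptops class.
    opts, src = effective_options("00-11-22-33-44-55", "10.0.1.50", user_class="Laptops")
    for code in sorted(opts):
        print(f"option {code:03d}: {opts[code]!r:28} from {src[code]}")
```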


    Resolve DHCP configuration problems by:

    1. Checking the Internet Protocol (TCP/IP) properties on the client.

    2. Configuring scope options to override other options, as necessary.

    3. Releasing and renewing the client lease to ensure that the client gets the correct settings.

6.3.3. Implementing, Managing, and Maintaining Name Resolution

Summary of highlights from the "Implementing, Managing, and Maintaining Name Resolution" section of the Exam 70-291 Study Guide.


Name resolution

  • Windows Internet Naming Service (WINS) is used to resolve NetBIOS names.

  • Domain Name System (DNS) is used to resolve DNS hostnames.

  • With DNS, computers are grouped by name within domains.

  • Domains establish a hierarchical naming structure.

  • A computer's fully qualified domain name (FQDN) is its hostname combined with its domain name.


Managing DNS clients

  • A computer's name serves as the computer's hostname.

  • A computer's primary DNS suffix determines the domain to which it is assigned for name resolution.

  • A computer gets its primary DNS suffix from the domain in which it is a member by default.

  • Unqualified names that are used on a computer are resolved using the primary DNS suffix.

  • Set the primary DNS suffix using the Computer Name tab of the System utility.

  • Set the way DNS suffixes are used with the Advanced TCP/IP Settings dialog box.


Configuring dynamic DNS updates

  • Set dynamic update options using the Advanced TCP/IP Settings dialog box.

  • By default, computers dynamically update their A and PTR records in DNS.

  • For updates to occur, the client must have a domain suffix that matches a zone name hosted by the preferred DNS server.


DNS queries

  • With a recursive query, the DNS client requests that the DNS server respond directly.

  • With an iterative query, a DNS server attempts to resolve a query or refers the client to another server.


DNS zones

  • A zone is a portion of the DNS database that is being managed.

  • A single zone can contain a single domain, or it can span multiple domains.

  • Authoritative servers for a zone are responsible for the related portion of the DNS database.

  • Nonauthoritative servers for a zone cache information related to the zone.


Types of zones

  • A primary zone file is the master (writable) copy of a zone.

  • A secondary zone is a read-only copy of a primary zone.

  • A stub zone lists authoritative name servers for a zone.


DNS server roles

  • Primary DNS servers maintain one or more primary zone files.

  • Secondary DNS servers maintain one or more secondary copies of zone files.

  • Forwarding-only DNS servers maintain a cache of resolved queries.

  • A single DNS server can have multiple roles.

  • An unconfigured DNS server acts as a caching-only server.


DNS resource records

  • An A record maps a hostname to an IP address.

  • A CNAME record sets an alias or alternate name for a host.

  • An MX record specifies a mail exchange server for the domain.

  • An NS record specifies a name server for a domain.

  • A PTR record creates a pointer that maps an IP address to a hostname for reverse lookups.

  • An SOA record declares the host that's the most authoritative for the zone.


Installing and configuring DNS server service

  1. Install the DNS Server service using Add Or Remove Programs in the Control Panel.

  2. Configure DNS server options.

  3. Configure DNS zone options.

  4. Configure DNS resource records.

  5. Configure DNS forwarding.


Configuring and managing DNS server options

  • Manage the DNS Server service using the DNS Management console.

  • Click Start > Programs > Administrative Tools > DNS.


    Configuring DNS zone options

    • Forward Lookup Zones are used to determine the IP address of a computer from its FQDN.

    • Reverse Lookup Zones are used to determine a computer's FQDN from its IP address.

    • Create a zone by right-clicking the DNS Server entry and clicking New Zone.


    Configuring zone type

    • To configure zone type, right-click the zone and then click Properties.

    • To change the zone type, click the Change button to the right of the Type entry.


    Configuring dynamic updating

    • To configure dynamic updating, right-click the zone, and then click Properties.

    • Use Dynamic Updates list to configure update security.


    Configuring scavenging

    • To configure scavenging, right-click the zone and then click Properties. Click Aging.

    • Aging refers to the process of placing timestamps on dynamically registered records.

    • Scavenging refers to the process of deleting outdated (stale) resource records.

    • The no-refresh interval is the period after the timestamp is set that must elapse before refresh can occur.

    • The refresh interval is the period after the no-refresh interval during which the timestamp can be refreshed.

    • Manually configured resource records have no timestamp.

    • No-refresh interval should be more than or equal to refresh interval.
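The aging rules above, as an added Python model that is not the DNS server's own code: a refresh that carries the same data is suppressed during the no-refresh interval, an update that changes the data is always written, a manually created record has no timestamp and is never scavenged, and a dynamic record becomes scavengeable once both intervals have elapsed since its timestamp. Interval values and record names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]   # None: manually created, no timestamp, never scavenged


@dataclass
class AgingPolicy:
    no_refresh: timedelta           # after the timestamp: refreshes are suppressed
    refresh: timedelta              # after no-refresh: refreshes are accepted


def try_refresh(record: ResourceRecord, policy: AgingPolicy, now: datetime) -> bool:
    """A dynamic update with unchanged data only re-sets the timestamp, and that is
    accepted only once the no-refresh interval has elapsed. Returns True if accepted."""
    if record.timestamp is None:
        return False                # static records carry no timestamp to refresh
    if now < record.timestamp + policy.no_refresh:
        return False                # suppressed; this is what cuts replication traffic
    record.timestamp = now
    return True


def update(record: ResourceRecord, new_data: str, now: datetime) -> None:
    """A dynamic update that changes the data is always written and re-timestamped."""
    record.data = new_data
    if record.timestamp is not None:
        record.timestamp = now


def is_stale(record: ResourceRecord, policy: AgingPolicy, now: datetime) -> bool:
    """Stale once no-refresh + refresh have both elapsed since the timestamp."""
    if record.timestamp is None:
        return False
    return now >= record.timestamp + policy.no_refresh + policy.refresh


def scavenge(records: list, policy: AgingPolicy, now: datetime) -> list:
    """Delete stale dynamic records in place; returns the records that were removed."""
    removed = [r for r in records if is_stale(r, policy, now)]
    records[:] = [r for r in records if not is_stale(r, policy, now)]
    return removed


if __name__ == "__main__":
    # Constructed zone: one dynamic workstation record, one static server record.
    policy = AgingPolicy(no_refresh=timedelta(days=7), refresh=timedelta(days=7))
    t0 = datetime(2006, 9, 1)
    zone = [ResourceRecord("ws01", "A", "10.0.1.21", t0),
            ResourceRecord("srv01", "A", "10.0.1.5", None)]
    print(try_refresh(zone[0], policy, t0 + timedelta(days=3)))    # suppressed
    print(try_refresh(zone[0], policy, t0 + timedelta(days=8)))    # accepted
    print(scavenge(zone, policy, t0 + timedelta(days=30)))          # ws01 removed
```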


    Configuring the Start Of Authority (SOA)

    • This is set using the Start Of Authority (SOA) tab of the zone Properties dialog box.

    • The Serial Number field lists the revision number of the zone file.

    • The Primary Server text box lists the primary server for the zone. The entry must end with a period.

    • The Responsible Person text box lists the person responsible for the zone and ends with a period.


    Configuring name servers for the zone

    • The Name Servers tab of the zone Properties dialog box configures NS records for the zone.

    • The primary name server for the zone is configured automatically.

    • Alternate name servers must be configured manually.

    • To create a NS record, click Add.


    Configuring zone transfers

    • Zone transfers are used to send a copy of a zone to requesting servers.

    • By default, zone transfers are either not allowed or are restricted to the servers listed on the Name Servers tab.

    • The Zone Transfers tab of the zone Properties dialog box configures zone transfers.

    • When the zone file changes, secondary servers can be automatically notified.

    • To configure notification, click the Notify button on the Zone Transfers tab.


    DNS forwarding

    • Forwarding allows DNS servers to forward queries that they cannot resolve to other DNS servers.

    • By default, a DNS server can forward queries to servers in all other DNS domains.

    • A name server designated as the recipient of forwarded queries is known as a forwarder.

    • To use a forwarder, right-click the DNS Server entry and select Properties. Click the Forwarders tab.

    • To limit forwarding, click All Other DNS Domains, enter the forwarder's IP address, and click Add.


    Monitoring DNS

    • DNS Server Options can be used to monitor many aspects of DNS.

    • To configure monitoring, right-click the server entry and click Properties.

    • Use the Monitoring tab options to perform basic tests of name resolution.

    • Use the Event Logging options to configure event logging.

    • Use the Debug Logging tab options for detailed troubleshooting.

    • Use System Monitor and Performance Logging to monitor the overall health of DNS.

6.3.4. Implementing, Managing, and Maintaining Network Security

Summary of highlights from the "Implementing, Managing, and Maintaining Network Security" section of the Exam 70-291 Study Guide.


Secure network administration

  • Authentication is used to prove user and computer identities.

  • With Windows 2000 or later, the primary authentication protocol is Kerberos.

  • Authorization is used to control access to resources.

  • The authority of authenticated users and computers depends primarily on group membership.

  • Both Kerberos and NTLM are used for authorization.

  • IP Security (IPSec) can be used to secure communications using encryption.

  • Encryption can be used to securely store data.


Using security templates

  • Security templates are stored in the %SystemRoot%\Security\Templates folder.

  • Security templates can be imported into GPOs.

  • Security templates contain customized group policy definitions that apply essential security settings.

  • Security templates are used to implement and manage network security.

  • Security templates are created and configured using the Security Templates snap-in.

  • Security templates are applied and analyzed using the Security Configuration And Analysis snap-in.


Creating security templates

  • Use the Security Templates snap-in to create templates.

  • Create a copy of a template by right-clicking the template you want to copy and clicking Save As.

  • Create a new template by right-clicking the C:\Windows\security\templates node and selecting New Template.


Applying security template settings and analyzing security

  • Use the Security Configuration And Analysis snap-in to apply templates and to compare settings.

  • Comparing settings pinpoints any discrepancies between what is implemented currently and what is defined in a security template.


Implementing the Principle of Least Privilege

  • The Principle of Least Privilege is meant to ensure no user has more privileges or access than they need.

  • Includes modifying privileges and access as appropriate when users change jobs.

  • Removes privileges and access when individuals leave the organization.

  • Extends to cover all users including administrators and other IT staff.

  • No one should have more privileges or access than is required to do their job.


Understanding IP Security

  • IPSec is used to authenticate and encrypt traffic between two computers.

  • IPSec is also used to block traffic.

  • With Active Directory domains, IPSec is applied using Group Policy.

  • IPSec policy defines filters that enforce security.

  • Only one IPSec policy is applied at a time.

  • IP Security Policy Management determines whether IPSec policy is applied to a computer.

  • To monitor IPSec, use IP Security Monitor or type netsh ipsec static show all.


Active Directory default IPSec policies

  • With Server (Request Security) policy, servers request but do not require secure communications.

  • With Client (Respond Only) policy, clients normally communicate without IPSec but respond to server requests for secure communications.

  • With Secure Server (Require Security), servers require secure communications. Servers will not respond to clients that do not or cannot use secure communications.


Troubleshooting Kerberos

  • In Active Directory domains, Kerberos is the primary authentication protocol.

  • Kerberos policies are under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.

  • To test Kerberos, type netdiag /test:kerberos /debug.

6.3.5. Implementing, Managing, and Maintaining Routing and Remote Access

Summary of highlights from the "Implementing, Managing, and Maintaining Routing and Remote Access" section of the Exam 70-291 Study Guide.


Routing And Remote Access roles

  • Remote access over wireless, dial-up, or VPN, which enables computers to connect to the server using a dial-up or VPN connection.

  • Network Address Translation (NAT), which allows internal computers to access the Internet using a public IP address from an assigned address pool.

  • VPN and NAT, which allows remote clients to connect to the server through the Internet, and allows local clients to connect to the Internet using a public IP address from an assigned address pool.

  • Secure connections between two private networks, which can be used to connect the network on which the server is located to a remote network.

  • Custom configuration, which allows any combination of the available features.


Routing protocols

  • DHCP Relay Agent routing protocol allows the server to route DHCP broadcast messages between subnets.

  • Routing Information Protocol (RIP) version 2 for Internet Protocol allows dynamic routing between subnets and up to a maximum of 15 hops.

  • Open Shortest Path First (OSPF) allows extended dynamic routing between subnets.


Managing Routing And Remote Access

  • The Routing And Remote Access console is used to manage all aspects of RRAS.

  • To access the console, click Start > Programs > Administrative Tools > Routing And Remote Access.


RRAS setup

  1. Implement the Routing and Remote Access Service.

  2. Add and configure necessary network interfaces.

  3. Configure Routing and Remote Access Service properties.

  4. Add and configure necessary IP routing protocols.


Implementing Routing And Remote Access

  • Use the Services utility to disable the Windows Firewall/Internet Connection Sharing service.

  • In the Routing And Remote Access console, right-click the server entry, and then select Configure And Enable Routing And Remote Access.

  • Start the Routing And Remote Access service.

  • During installation, the RRAS server is made a member of the RAS And IAS Servers security group.


Types of network interfaces

  • Network connections

  • Dial-up connections

  • VPN connections


Adding and configuring interfaces for network connections

  • The RRAS setup process attempts to automatically detect all installed network interfaces.

  • The detected network interfaces are then listed on the Network Interfaces node.

  • To manually add a routing interface, right-click the General node, and then select New Interface.


Adding and configuring interfaces for dial-up connections

  • Preconfigured dial-up connections are not automatically added or configured.

  • To add them as demand-dial interfaces, right-click the Network Interfaces node and then select New Demand-dial Interface.


Adding and configuring interfaces for VPN and PPPoE Connections

  • VPN and Point-to-Point Protocol over Ethernet (PPPoE) are used for secure communications between private networks.

  • VPN and PPPoE connections are configured manually as demand-dial interfaces.

  • To add a demand-dial interface for VPN or PPPoE, right-click the Network Interfaces node and then select New Demand-dial Interface.


Managing remote access security

  • Right-click a server entry in the Routing And Remote Access console and select Properties.

  • Use the Security tab options to configure remote access security.

  • With VPN, you can use IPSec with L2TP to enhance security by using a pre-shared key.


Authentication options

  • Windows Authentication lets you use standard Windows security for authentication.

  • Remote Authentication Dial-in User Service (RADIUS) is used to centralize the authentication of remote access clients and the storage of accounting information.


Accounting options

  • None turns off logging of connection requests and sessions.

  • Windows Accounting logs connection requests and sessions in logfiles stored in the Remote Access Logging folder.

  • RADIUS Accounting sends details about connection requests and sessions to a RADIUS server.


Managing user authentication

  1. Right-click a server entry in the Routing And Remote Access console and select Properties.

  2. Click the Security tab.

  3. Click the Authentication Methods button.


User authentication methods

  • Extensible Authentication Protocol (EAP) extends the authentication methods for PPP connections.

  • Microsoft Encrypted Authentication version 2 (MS-CHAP v2) authenticates remote access and demand-dial connections with mutual authentication and stronger keys than MS-CHAP; prefer it over MS-CHAP wherever clients support it.

  • Microsoft Encrypted Authentication (MS-CHAP) authenticates remote access and demand-dial connections, but it provides one-way authentication only and has known weaknesses.

  • MPPE data encryption on PPP and PPTP connections requires MS-CHAP, MS-CHAP v2, or EAP-TLS, because only these methods generate the keys MPPE needs.

  • Encrypted Authentication (CHAP) uses an MD5 challenge-response exchange, so the password itself is not sent over the link; however, the server must store passwords with reversible encryption to verify the response, and CHAP cannot be used with MPPE encryption.

  • Shiva Password Authentication Protocol (SPAP) sends the password using a reversible (and easily reversed) encryption scheme for compatibility with Shiva LAN Rover and Shiva clients. SPAP is not secure.

  • Unencrypted Password (PAP) uses Password Authentication Protocol (PAP) and sends passwords in plain text during authentication. PAP is the least secure authentication method.

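The difference between these methods is easiest to see on the wire. The following Python example, added here and not part of the study guide, plays both sides of a PAP exchange and a CHAP exchange (RFC 1994, MD5) using a constructed account, password, and challenge. It shows that PAP exposes the password outright, that CHAP keeps the password off the wire but forces the server to hold a reversibly encrypted copy, and that a single captured CHAP exchange still permits offline password guessing.

```python
"""PAP vs. CHAP on a PPP link, as an eavesdropper sees them.

Added example, not code from the study guide. The account, password and
16-byte challenge are constructed; CHAP follows RFC 1994 (MD5 over
Identifier || secret || Challenge).
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample account. A real server reads this from the user
# database; for CHAP it must be stored with reversible encryption.
USER_DB = {"alice": b"correct horse battery"}


def pap_authenticate_request(user: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (Peer-ID-Length, Peer-ID,
    Passwd-Length, Password). The password travels in clear text."""
    return bytes([len(user)]) + user.encode() + bytes([len(password)]) + password


def pap_server_check(payload: bytes) -> bool:
    """Server side of PAP: compare the received clear-text password."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen]
    expected = USER_DB.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(user: str, identifier: int, challenge: bytes,
                       response: bytes) -> bool:
    """Server side of CHAP. Recomputing the response needs the clear-text
    secret, which is why CHAP on Windows requires "Store password using
    reversible encryption" for the account."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What a passive observer can do with one captured CHAP exchange:
    try candidate passwords offline until the response matches."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> dict:
    """Run both exchanges and report what the wire exposed."""
    password = USER_DB["alice"]
    pap_wire = pap_authenticate_request("alice", password)
    challenge = bytes(range(16))   # constructed; real peers use random bytes
    ident = 1
    chap_wire = chap_response(ident, password, challenge)
    return {
        "pap_ok": pap_server_check(pap_wire),
        "pap_password_visible": password in pap_wire,
        "chap_ok": chap_server_verify("alice", ident, challenge, chap_wire),
        "chap_password_visible": password in chap_wire,
        "chap_guessed": offline_guess(ident, challenge, chap_wire,
                                      [b"password", b"letmein", password]),
    }


if __name__ == "__main__":
    print(demo())
```

MS-CHAP v2 replaces the MD5 step with a DES/SHA-1 construction and adds a server response that the client verifies (mutual authentication), but the dictionary-attack exposure of a captured exchange is the same reason EAP-TLS or a strong password policy is recommended.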

Remote access policies

  • Remote access policies, including which EAP types are permitted, are managed using the Remote Access Policies node.

  • Connections To Microsoft Routing And Remote Access Server applies to connections to the currently selected RRAS server.

  • Connections To Other Access Servers applies to connection requests that reach the server from access servers other than RRAS (for example, wireless access points or third-party network access servers that use it as a RADIUS server).

  • New remote access policies can be created by right-clicking the Remote Access Policies node and selecting New Remote Access Policy.

  • Each policy has a dial-in profile that sets constraints for the connections the policy allows: authentication methods, encryption strength, session and idle timeouts, IP filters, and dial-in constraints.

  • Right-click a policy, select Properties, and then click the Edit Profile button to view and modify the profile settings.

  • The remote access permission set on the Dial-in tab of a user account (Allow Access or Deny Access) takes precedence over the permission granted by the policy; only Control Access Through Remote Access Policy defers to the policy.


Managing IP assignment

  • Right-click a server entry in the Routing And Remote Access console and select Properties.

  • Use the IP tab options to configure IP assignment.


IP assignment options

  • You must select the Enable IP Routing checkbox for LAN and demand-dial routing to occur.

  • If you select the Allow IP-based Remote Access And Demand-Dial Connections checkbox, IP-based remote access and demand-dial connections can be established using RRAS.

  • Select Dynamic Host Configuration Protocol (DHCP) to use DHCP to assign client IP addresses.

  • On DHCP servers, use the Default Routing And Remote Access Class user class to define options for remote access clients.

  • Select Static Address Pool to assign remote access clients static IP addresses from the defined IP address pools.

  • Select Enable Broadcast Name Resolution to allow remote access clients to use broadcast messages.

  • Broadcasts are not forwarded to other subnets.


Managing remote access logging

  • Right-click a server entry in the Routing And Remote Access console and select Properties.

  • Use the Logging tab options to configure event logging and debugging.

  • RRAS events are recorded in the System event log.

  • For debugging connections to RRAS, select the Log Additional Routing And Remote Access Information checkbox.

  • When debugging is enabled, PPP connection events are written to Ppp.log in the %SystemRoot%\Tracing folder.


DHCP Relay Agents

  • DHCP clients use broadcast messages to contact DHCP servers.

  • Broadcasts aren't routed between subnets and are limited by the logical boundaries of a subnet.

  • You can work around this restriction by configuring DHCP Relay Agents on subnets.

  • A Relay Agent listens for DHCP broadcasts and forwards the DHCP broadcasts between clients and servers.


Configuring a server as a DHCP Relay Agent

  1. Install the DHCP Relay Agent routing protocol.

  2. Configure the DHCP Relay Agent routing protocol.

  3. Enable the DHCP Relay Agent routing protocol.


Install the DHCP Relay Agent routing protocol

  • Right-click the General node, and then select New Routing Protocol.

  • Click DHCP Relay Agent, and then click OK.


Configure the DHCP Relay Agent routing protocol

  • Right-click DHCP Relay Agent, and then select Properties.

  • Type the IP address of a DHCP server for the network and then click Add.


Enable the DHCP Relay Agent routing protocol

  • Right-click DHCP Relay Agent and then select New Interface.

  • Click the network interface on which you want to enable the routing protocol.
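
To make the relay step concrete, this added Python example (not from the study guide) builds a minimal DHCPDISCOVER, relays it the way the Relay Agent does (stamping giaddr with the address of the relay's interface on the client subnet and incrementing the hop count), and shows how the DHCP server then picks a scope from giaddr rather than from the interface the packet arrived on. The subnets, addresses, and scopes are constructed; the hop-count threshold of 4 matches the RRAS DHCP Relay Agent default.

```python
"""How a DHCP Relay Agent forwards a client broadcast, and how the DHCP
server picks a scope from the relayed packet.

Added example, not code from the study guide. Subnets, relay interface
addresses and the DHCP server address are constructed; the hop-count
threshold of 4 is the RRAS DHCP Relay Agent default.
"""
import ipaddress
import struct

# Fixed-size BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOP_COUNT_THRESHOLD = 4

# Constructed scopes on the DHCP server: subnet -> address range.
SCOPES = {
    ipaddress.ip_network("10.0.0.0/24"): "10.0.0.100-10.0.0.200",
    ipaddress.ip_network("10.1.0.0/24"): "10.1.0.100-10.1.0.200",
}


def build_discover(xid: int, mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST with the broadcast flag set."""
    chaddr = mac.ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    hdr = BOOTP_HDR.pack(1, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4, chaddr,
                         b"\x00" * 64, b"\x00" * 128)
    # Option 53 (DHCP Message Type) = 1 (DHCPDISCOVER), then End.
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def relay(packet: bytes, relay_iface_ip: str, servers: list) -> list:
    """Relay Agent on the client subnet: set giaddr to the address of the
    interface the broadcast arrived on (if not already set), bump hops,
    and unicast a copy to each configured DHCP server.
    Returns [(server_ip, packet), ...]; an empty list means dropped."""
    fields = list(BOOTP_HDR.unpack_from(packet))
    hops, giaddr = fields[3], fields[10]
    if hops >= HOP_COUNT_THRESHOLD:
        return []                       # relayed too many times: drop
    if giaddr == b"\x00" * 4:
        fields[10] = ipaddress.ip_address(relay_iface_ip).packed
    fields[3] = hops + 1
    forwarded = BOOTP_HDR.pack(*fields) + packet[BOOTP_HDR.size:]
    return [(server, forwarded) for server in servers]


def select_scope(packet: bytes, receiving_iface_ip: str):
    """DHCP server: choose the scope by giaddr when the request was
    relayed, otherwise by the interface the broadcast arrived on."""
    fields = BOOTP_HDR.unpack_from(packet)
    giaddr = ipaddress.ip_address(fields[10])
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(receiving_iface_ip)
    for net in SCOPES:
        if key in net:
            return net
    return None


if __name__ == "__main__":
    disc = build_discover(0x1234, bytes.fromhex("0a0b0c0d0e0f"))
    # Client on 10.1.0.0/24; the relay's interface there is 10.1.0.1 and
    # the DHCP server is 10.0.0.10 (constructed addresses).
    for server, pkt in relay(disc, "10.1.0.1", ["10.0.0.10"]):
        print(server, select_scope(pkt, "10.0.0.10"))
```

The practical consequence: the DHCP server must have a scope that contains the relay interface's address (here 10.1.0.0/24 contains 10.1.0.1), or relayed requests get no offer, and a relay that re-forwards its own output is stopped by the hop-count threshold.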


TCP/IP routing

  • When you install Routing And Remote Access and enable IP routing, you can add routing protocols.

  • Routing Information Protocol (RIP) version 2 for Internet Protocol suits small networks; RIP routes are limited to 15 hops.

  • Open Shortest Path First (OSPF) is better for larger networks.


Understanding RIP

  • Initially the only entries in routing tables are for the networks to which the router is physically connected.

  • The router starts sending announcements of its availability.

  • Responses from announcements allow the router to update its routing tables.

  • With periodic update mode, announcements are sent periodically to learn of available routes, and routes are deleted automatically when the router is stopped and restarted.

  • With auto-static update mode, announcements are sent when other routers request updates, learned routes are added as static, and routes remain until they are manually deleted.


Configuring RIP

  1. Install the RIP routing protocol.

  2. Specify the network interface(s) through which RIP will be used.


Installing the RIP routing protocol

  • Right-click the General node, and then select New Routing Protocol.

  • Click Routing Information Protocol (RIP) version 2 for Internet Protocol.


Specifying the RIP network interface

  • Right-click the RIP node, and then select New Interface.

  • Select one of the available network interfaces through which RIP traffic can be routed.


Configuring RIP properties

  • Right-click the RIP node, and then select Properties.

  • The General tab options control triggered update delays and event logging.

  • The Security tab options control how the router processes announcements.


Configuring RIP connection properties

  • Click the RIP node, right-click the network interface, and then select Properties.

  • The General tab options allow you to configure the operation mode, packet protocol, and authentication.

  • The Security tab options allow you to configure RIP route filters.

  • The Neighbors tab options allow you to configure how the router interacts with other RIP routers.

  • The Advanced tab options control periodic announcements, routing expiration, and processing.


Understanding OSPF

  • OSPF uses the Shortest Path First (SPF) algorithm to calculate routes.

  • The route with the lowest cumulative cost is the shortest path, and it is the path used for forwarding.

  • An OSPF router maintains a link-state database that it uses to track the network topology.

  • Data is synchronized with adjacent routers and nonbroadcast multiple access (NBMA) neighbors.

  • When a change is made to the network topology, the first router to identify it sends out a change notification.

  • OSPF divides the network into transit areas, which can be thought of as areas of responsibility.

  • OSPF routers maintain link-state information only for those transit areas for which they've been configured.
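
The SPF calculation itself is short. This added Python example (not from the study guide) runs Dijkstra's algorithm over a constructed four-router link-state database, returns the cost and next hop for every destination, and recomputes after a link is withdrawn, which is what each router does when a change notification reaches its database.

```python
"""Shortest Path First over a link-state database, the calculation an
OSPF router runs after its database changes.

Added example, not code from the study guide. The four-router topology
and its link costs are constructed.
"""
import heapq

# Constructed link-state database: router -> {neighbor: link cost}.
# Costs are symmetric here; OSPF does not require that.
LSDB = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R4": 1},
    "R3": {"R1": 1, "R4": 5},
    "R4": {"R2": 1, "R3": 5},
}


def shortest_paths(lsdb: dict, source: str) -> dict:
    """Dijkstra's SPF. Returns {router: (total cost, next hop)} for every
    router reachable from source; the next hop is the source's directly
    connected neighbor on the lowest-cost path."""
    best = {source: 0}
    result = {}
    heap = [(0, source, None)]            # (cost so far, router, first hop)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in result:
            continue                      # already settled at a lower cost
        result[node] = (cost, first_hop)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                hop = nbr if node == source else first_hop
                heapq.heappush(heap, (new_cost, nbr, hop))
    return result


def withdraw_link(lsdb: dict, a: str, b: str) -> dict:
    """Return a copy of the database with the a<->b link removed, as if a
    router flooded an LSA announcing that the link is down."""
    updated = {r: dict(links) for r, links in lsdb.items()}
    updated[a].pop(b, None)
    updated[b].pop(a, None)
    return updated


if __name__ == "__main__":
    print(shortest_paths(LSDB, "R1"))
    print(shortest_paths(withdraw_link(LSDB, "R3", "R4"), "R1"))
```

With these costs R1 reaches R2 through R3 and R4 (cost 7) rather than over its direct cost-10 link, which is the point of cost-based SPF; once the R3-R4 link is withdrawn, the direct link becomes the best path again.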


Configuring OSPF

  1. Install the OSPF routing protocol.

  2. Specify the network interface(s) through which OSPF will be used.


Installing the OSPF routing protocol

  • Right-click the General node, and then select New Routing Protocol.

  • Click Open Shortest Path First (OSPF).


Specifying the OSPF network interface

  • Right-click the OSPF node, and then select New Interface.

  • Select one of the available network interfaces through which OSPF traffic can be routed.


Configuring OSPF properties

  • Right-click the OSPF node, and then select Properties.

  • The General tab options set the router ID and control event logging.

  • The Areas tab options can be used to subdivide the network into specific transit areas.

  • The Virtual Interfaces tab options allow you to configure virtual interfaces for transit areas.

  • The External Routing tab options allow you to configure Autonomous System Boundary Routing.


Configuring OSPF connection properties

  • Click the OSPF node, right-click the network interface, and then select Properties.

  • The General tab options allow you to configure the area ID, router priority, cost, and password.

  • The NBMA Neighbors tab options allow you to specify IP addresses and priority of NBMA neighbors.

  • The Advanced tab options control transit delays, retransmit intervals, Hello intervals for discovery, Dead intervals for determining down routers, and poll intervals for follow-ups to dead routers.


Static routes

  • Static routes provide a permanent mapping to a specific destination network.

  • Static routes are set according to the network ID, network mask, and relative cost of the route.

  • Routers use this information to determine the gateway to use to forward packets.

  • Static routes are not shared between routers.


Configure static routes using the Routing And Remote Access console

  • You can view and configure existing static routes using the Static Routes node.

  • To add a static route, right-click the Static Routes node, and then select New Static Route.

  • To delete a static route, right-click it, and then select Delete.


Configure static routes using the command line

  • You can view existing static routes by typing route print.

  • You can add a static route by using route add.

  • You can remove a static route by using route delete.
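
The following added Python example (not from the study guide) parses the IPv4 table that route print displays, using a constructed sample in the Windows Server 2003 layout with documentation addresses, and applies the host's selection rule: the most specific matching route wins, with the lowest metric breaking ties. The route_print sample and all addresses are assumptions.

```python
"""Parse the IPv4 table printed by `route print` and pick the route a
Windows host uses for a destination: longest prefix match first, lowest
metric as the tiebreaker.

Added example, not code from the study guide. ROUTE_PRINT_SAMPLE is
constructed output in the Windows Server 2003 layout.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

ROUTE_PRINT_SAMPLE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10      20
         10.0.0.0        255.0.0.0   192.168.1.254    192.168.1.10       1
        10.20.0.0      255.255.0.0   192.168.1.253    192.168.1.10       1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10      20
     192.168.1.10  255.255.255.255       127.0.0.1       127.0.0.1      20
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
        10.20.0.0      255.255.0.0    192.168.1.253       1
"""

# destination, netmask, gateway, interface, metric (five columns only)
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> list:
    """Return the Active Routes rows as Route objects. Header, separator
    and four-column persistent-route lines do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: list, destination: str) -> Optional[Route]:
    """Longest-prefix match, then lowest metric: the host's own forwarding
    decision, made without any knowledge of other routers."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: list, destination: str) -> Optional[str]:
    """Gateway to send to, or 'on-link' when the destination is reached
    directly through the interface (gateway equals the interface address)."""
    r = lookup(routes, destination)
    if r is None:
        return None
    return "on-link" if r.gateway == r.interface else r.gateway


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    for dest in ("10.20.5.5", "10.5.5.5", "8.8.8.8", "192.168.1.77"):
        print(dest, "->", next_hop(table, dest))
```

The persistent row in the sample is what `route -p add 10.20.0.0 mask 255.255.0.0 192.168.1.253 metric 1` produces; without -p the route disappears at the next restart, and `route delete 10.20.0.0` removes it. A more specific static route silently overrides a learned or default route, so check route print when traffic takes an unexpected path.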


Routing ports

  • When you install RRAS, a number of routing ports are created automatically.

  • Routing ports are used for inbound connections to the RRAS server.

  • The types of ports available depend on the configuration of the RRAS server.


Managing routing ports

  • To view ports, click the Ports node.

  • To view a port's status and statistics, double-click the port entry.

  • To reset a port, double-click the port entry, and then click the Reset button.

  • To configure ports, right-click the Ports node, and then select Properties. Use the options available.


Network Address Translation (NAT)

  • Allows multiple client computers to access the public Internet sharing a single public IP address or a pool of public IP addresses.

  • Separates your organization's internal private network from the public network.

  • Allows you to use private IP addresses internally and to use public IP addresses when client computers access the Internet.


Using NAT

  • NAT provides Internet connectivity to internal clients through a single interface.

  • NAT includes the Basic Firewall, which can block external traffic from entering the internal network.


Configuring a server for NAT and the Basic Firewall

  1. Install the NAT/Basic Firewall routing protocol.

  2. Specify the Network Interface to use.

  3. Configure the NAT/Basic Firewall routing protocol.

  4. Optionally, enable basic firewall and configure packet filtering.


Installing the NAT/Basic Firewall routing protocol

  1. Use the Routing And Remote Access console.

  2. Right-click the General node, and then select New Routing Protocol.

  3. Click NAT/Basic Firewall, and then click OK.


Configuring the NAT/Basic Firewall routing protocol

  1. Use the Routing And Remote Access console.

  2. Right-click the NAT/Basic Firewall node, and then select New Interface.

  3. Select the interface that is directly connected to the Internet.


Configuring NAT properties

  • Right-click the NAT/Basic Firewall node, and then select Properties.

  • The NAT/Basic Firewall tab options set the interface type for which NAT/Basic Firewall is being used.

  • The Address Pool tab options are used to configure the public IP addresses to be used.

  • The Services And Ports tab options define firewall exceptions that allow external traffic to enter the internal network.

  • The ICMP tab options configure the permitted incoming and outgoing information requests.


Packet filtering

  • By default, Basic Firewall is not enabled for use with a public interface connected to the Internet.

  • If you enable the Basic Firewall, the Basic Firewall accepts incoming traffic from the Internet only if it has been requested by the network.

  • You can define packet filters to control network traffic.

  • Inbound packet filters control which packets arriving on the interface are accepted (and, on a router, forwarded).

  • Outbound packet filters control which packets are allowed to leave through the interface.


Enabling Basic Firewall and configuring packet filtering

  • Use the Routing And Remote Access console.

  • Click NAT/Basic Firewall, and then double-click the network interface on which you want to configure.

  • On the NAT/Basic Firewall tab, select the Enable A Basic Firewall On This Interface checkbox.

  • Click the Inbound Filters button to specify which packets arriving on the interface are accepted.

  • Click the Outbound Filters button to specify which packets are allowed to leave through the interface.

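This added Python example (not from the study guide) models the NAT/Basic Firewall behaviour described above with constructed addresses: outbound connections create translation entries, replies are accepted only from the host the inside client actually contacted, unsolicited traffic is dropped unless a Services And Ports exception publishes it, and turning the firewall off lets such traffic reach the NAT server itself. It is a simplified port-restricted NAT, not RRAS's exact implementation.

```python
"""NAT with a Basic Firewall, modelled as a simplified port-restricted NAT.

Added example, not code from the study guide. Public and private
addresses are constructed (documentation ranges); the model is not
RRAS's exact implementation.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatBasicFirewall:
    def __init__(self, public_ip: str, firewall_enabled: bool = True,
                 exceptions: Optional[dict] = None):
        self.public_ip = public_ip
        self.firewall_enabled = firewall_enabled
        # Services And Ports exceptions: (proto, public port) -> (private ip, port)
        self.exceptions = exceptions or {}
        # Translations created by outbound traffic:
        # (proto, public port) -> (private ip, private port, remote ip, remote port)
        self.table = {}
        self._next_port = 49152

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: reuse or allocate a public port for this
        flow and rewrite the source to the public address."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), entry in self.table.items():
            if (proto,) + entry == flow:
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.table[(pkt.proto, pub_port)] = flow[1:]
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public interface. Returns the packet as delivered
        on the inside, or None when it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is not None:
            ip, port, remote_ip, remote_port = entry
            # Only the endpoint the inside host contacted may use the mapping.
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return replace(pkt, dst=ip, dport=port)
            return None
        if (pkt.proto, pkt.dport) in self.exceptions:
            ip, port = self.exceptions[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        if self.firewall_enabled:
            return None     # unsolicited and unpublished: Basic Firewall drops it
        return pkt          # firewall off: reaches the NAT server's own stack


if __name__ == "__main__":
    nat = NatBasicFirewall("198.51.100.1",
                           exceptions={("tcp", 80): ("192.168.0.10", 80)})
    out = nat.outbound(Packet("tcp", "192.168.0.5", 40000, "203.0.113.7", 80))
    print(out)
    print(nat.inbound(Packet("tcp", "203.0.113.7", 80, "198.51.100.1", out.sport)))
    print(nat.inbound(Packet("tcp", "203.0.113.9", 5555, "198.51.100.1", 3389)))
```

Each Services And Ports exception is a permanent hole through the Basic Firewall to one internal host, so publish only what must be reachable and keep that host patched; everything else on the inside stays reachable only through mappings its own outbound traffic created.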

Managing remote access clients

  • View connected clients by expanding the server node and clicking the Remote Access Clients node.

  • Clients are listed by connected username, duration, and number of access ports being used.

  • To view a more detailed status, right-click the client entry, and then select Status.

  • To disconnect a client, right-click the client entry, and then select Disconnect.

  • To send a message to a client, right-click the client entry, select Send Message, type the message, and then click OK.

  • To send a message to all clients, right-click the Remote Access Clients node, select Send To All, type the message, and then click OK.

  • Control remote access permissions using remote access policies.


Internet Authentication Service (IAS)

  • RADIUS servers are used to centralize the authentication of remote access clients and the storage of accounting information.

  • Centralizing authentication and accounting reduces the administrative overhead of managing multiple RRAS servers.

  • Registering RADIUS servers with Active Directory makes the server a member of the RAS And IAS Servers group.

  • Members of this group are able to read remote access attributes of user accounts.


Configuring a server for IAS

  1. Install IAS on a designated server.

  2. Register the IAS server in Active Directory.

  3. Configure your RRAS servers as IAS clients.

  4. Configure your RRAS servers to use RADIUS.


Installing IAS

  1. Use Add Or Remove Programs in Control Panel.

  2. Select Internet Authentication Service.


Managing Internet Authentication Service

  • Use the Internet Authentication Service console.

  • Click Start → Programs → Administrative Tools → Internet Authentication Service.


Registering the RADIUS server

  1. Use the Internet Authentication Service console.

  2. Right-click the Internet Authentication Service node.

  3. Select Register Server In Active Directory.


Configuring RRAS servers as clients

  1. Use the Internet Authentication Service console.

  2. Right-click the RADIUS Clients node, select New RADIUS Client, and then supply the RRAS server's address and the shared secret that both sides will use.


Configuring RRAS servers to use RADIUS

  1. Use the Routing And Remote Access console.

  2. Right-click a server entry and select Properties.

  3. Configure the Security tab for RADIUS Authentication and RADIUS Accounting.
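
The shared secret entered when the RRAS server is added as a RADIUS client does all the work in the following added Python example (not from the study guide): it builds the Access-Request that RRAS sends to IAS, hides the User-Password as RFC 2865 specifies, produces the Access-Accept or Access-Reject with its Response Authenticator, and performs the check the RRAS side must make before trusting the answer. The account, the secret, the NAS address, and the fixed Request Authenticator are constructed, and the last function shows why a short secret is dangerous: one captured exchange is enough to test guesses offline.

```python
"""RADIUS between RRAS (the RADIUS client) and IAS (the RADIUS server):
Access-Request with a hidden User-Password, Accept/Reject with a
Response Authenticator, and the client-side verification.

Added example, not code from the study guide. Account, shared secret,
NAS address and the fixed Request Authenticator are constructed;
algorithms follow RFC 2865 sections 3, 5.2 and 7.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value list; Length includes the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain runs over the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(ident: int, user: str, password: bytes, secret: bytes,
                   nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """RADIUS client (RRAS) side. The Request Authenticator must be
    unpredictable; a fixed one is accepted only to keep the demo repeatable."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_reply(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server (IAS) side: recover the password, answer Accept/Reject."""
    _, ident, length = struct.unpack_from("!BBH", request)
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = user_db.get(attrs[USER_NAME].decode())
    ok = stored is not None and hmac.compare_digest(stored, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, request_auth, b"", secret)
    return build_packet(code, ident, auth, b"")


def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check RRAS must make before trusting an Accept: the reply was
    built with the shared secret, for this request's ID and authenticator."""
    code, ident, length = struct.unpack_from("!BBH", response)
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20],
                                      response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(request: bytes, response: bytes,
                 wordlist: Iterable[bytes]) -> Optional[bytes]:
    """One captured request/response pair is enough to test shared secrets
    offline, which is why the secret must be long and random."""
    for candidate in wordlist:
        if client_verify(request, response, candidate):
            return candidate
    return None
```

Nothing in RADIUS protects the packet beyond this MD5 construction, so keep the RRAS-to-IAS path on a trusted network (or inside IPSec), use a long random shared secret per client, and make sure the RRAS server really checks the Response Authenticator; a forged Access-Accept from an attacker who can reach the RRAS server's RADIUS port is otherwise indistinguishable from a real one only by this value.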


Diagnosing and resolving issues related to establishing a remote access dial-up connection

  • On the General tab of the server's Properties dialog box, verify that Remote Access Server is enabled.

  • On the IP tab of the server's Properties dialog box, verify that IP Routing is enabled if clients should have access to the network, and that it is disabled if clients should have access to the RRAS server only.

  • If static IP addresses are used, verify that the address pool configuration is correct and that there are available IP addresses.

  • If dynamic IP addresses are used, verify the configuration of the DHCP server. The IP address scope must be large enough for the RRAS server to request blocks of 10 IP addresses at a time.

  • Using the Ports node, verify that the server has properly configured modem ports and that not all modem ports are in use.

  • Verify that the client, the RRAS server, and the remote access policy have at least one common authentication method configured.

  • Verify the client and the server permissions, credentials, and access policies are configured correctly.


Diagnosing and resolving issues related to remote access VPNs

  • On the General tab of the server's Properties dialog box, verify that Remote Access Server is enabled.

  • Using the Ports node, verify that the server has properly configured ports and that not all ports are assigned.

  • On the Security tab of the server's Properties dialog box, verify that the server is using the appropriate authentication provider and that the appropriate authentication methods are selected for use.

  • Verify the remote access profile settings are correct and do not conflict with the server properties. Right-click a remote access policy, select Properties, and then click the Edit Profile button.

  • Verify that the client, the RRAS server and the remote access policy have at least one common authentication method configured.

  • Verify that the RRAS server's computer account is a member of the RAS And IAS Servers security group in the domain. Membership lets the server read the remote access (dial-in) attributes of user accounts, which it needs in order to evaluate connection requests.

  • Verify the underlying dial-up configuration as discussed in the previous section.


Diagnosing and resolving issues related to resources beyond the Remote Access Server

  • On the General tab of the server's Properties dialog box, verify that Router is enabled.

  • On the General tab of the server's Properties dialog box, verify that LAN And Demand-Dial Routing is selected.

  • On the IP tab of the server's Properties dialog box, verify that Enable IP Routing is selected.

  • If static IP addresses are used, verify that the client's TCP/IP settings are correct.

  • If dynamic IP addresses are used, verify that the client is obtaining the proper TCP/IP settings from the DHCP server.

  • If your remote access clients use NetBIOS for name resolution, verify that Enable Broadcast Name Resolution is selected on the IP tab.


Troubleshooting router-to-router VPNs

  • For the source and destination router, verify on the General tab of the server's Properties dialog box that both Router and LAN And Demand-Dial Routing are selected.

  • For the source and destination router, verify on the IP tab of the server's Properties dialog box that Enable IP Routing is selected.

  • For the source and destination router, verify that the servers have properly configured PPTP or L2TP ports.

  • For the source and destination router, verify that the interface used for routing has Enable IP Router Manager selected on the General tab of the connection properties dialog box so that IP traffic can be routed over the connection.

  • For the source and destination router, verify that the static routes are configured as appropriate to allow traffic over the appropriate interface.

  • For the source and destination router, verify that permissions, credentials, and access policies are configured correctly.


Troubleshooting demand-dial routing

  • Verify that Routing And Remote Access Services is installed.

  • Verify on the General tab of the server's Properties dialog box that both Router and LAN And Demand-Dial Routing are selected.

  • Verify on the IP tab of the server's Properties dialog box that Enable IP Routing is selected.

  • Verify that the demand-dial interfaces are enabled and configured properly.

  • Verify that the static routes are configured properly and that Use This Route To Initiate Demand-Dial Connections is selected in the static route properties.

  • Verify that the Security tab settings of the network interfaces use a common configuration.

  • Verify that the Networking tab settings of the network interfaces use a common VPN type.

  • Verify that the servers use the appropriate authentication providers and that the appropriate authentication methods are selected for use. The servers must have at least one common authentication method.

  • Verify that the servers have properly configured ports for demand-dial use.

  • Verify that packet filters aren't blocking the routing.

6.3.6. Maintaining a Network Infrastructure

Summary of highlights from the "Maintaining a Network Infrastructure" section of the Exam 70-291 Study Guide.


Monitoring network traffic

  • Use Task Manager to monitor network traffic.

  • In the Performance console, use the Network Interface performance object to monitor network traffic.

  • Install the Network Monitor Tools.

  • Use the Network Monitor to analyze network traffic.


Network Interface object

  • Track Packets Outbound Discarded.

  • Track Packets Outbound Errors.

  • Track Packets Received Discarded.

  • Track Packets Received Errors.


Installing Network Monitor

  • Use Add Or Remove Programs in Control Panel.

  • Select Network Monitor Tools.


Network Monitor components

  • Network Monitor Driver captures frames received by and sent to a network adapter.

  • Network Monitor console is used to view and analyze data captured by the Network Monitor Driver.


Using Network Monitor

  • To open, click Start → Programs → Administrative Tools → Network Monitor.

  • To change the monitored network, click Capture → Networks.

  • Capture → Start begins a capture.

  • Capture → Stop And View stops the capture and opens the captured frames for analysis.

  • Capture → Filter restricts which frames are captured.

  • Capture → Trigger stops the capture or runs a command when a pattern match or buffer-space condition is met.


Server services

  • View the currently configured services using the Services console (Control Panel → Administrative Tools → Services).

  • In Computer Management, expand the Services And Applications node, and then select Services.


Service states

  • Services can be in one of three possible states: started, paused, or stopped.

  • If the service is running, the status is listed as Started.

  • If the service is stopped, the status column is blank.

  • If the service is paused, the status is listed as Paused; only services that support pausing can be in this state.


Service startup type

  • Automatic services start automatically with the operating system.

  • Manual services do not start automatically with the operating system, but can be started by an administrator or by another service or process that requires them.

  • Disabled services do not start automatically and cannot be started manually either.


Service dependency

  • Some services depend on other services in order to start.

  • If a service depends on other services, it can only start when those services are running.

  • To view, double-click the service, and then select the Dependencies tab. It lists the services this service depends on and the services that depend on it.


Service recovery

  • Service recovery options allow you to specify the actions that should be taken if a service fails.

  • The operating system can take one of four actions should a service fail. These actions are to:

    Take no action.

    Restart the service.

    Run a program.

    Restart the computer.

  • To configure recovery, double-click the service, and then select the Recovery tab.




MCSE Core Required Exams in a Nutshell
MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))
ISBN: 0596102283
Year: 2006