Saturday, November 18, 2006

DHCP

************DHCP************
The lease process consists of four messages, processed in this order:
1. DHCPDISCOVER: initial broadcast message sent from the client to obtain an IP address.
2. DHCPOFFER: message from the DHCP server that contains a possible IP address for the client.
3. DHCPREQUEST: message from the client to the DHCP server indicating that the client would like to receive the offered IP address.
4. DHCPACK: final message, server to client; the server acknowledges that the IP address is assigned to the client.

Other messages:
- DHCPNAK: a negative acknowledgement from the server to the client indicating that the IP address is not available.
- DHCPRELEASE: from client to server, requesting that the current IP address be cancelled.
- DHCPINFORM: a new message type for Windows 2000; gets options for local configuration.

Three types of options:
- Server options: effective for all scopes configured on the server.
- Scope options: applied to the scope they are configured for.
- Reservation options: applied only to the specified computer.

Windows 2000 DHCP supports:
- Superscopes (an administrative container for two or more scopes of different network segments).
- Multicast scopes (MADCAP).

A DHCP server needs to be authorized in Active Directory before allocating IP addresses, unless it is a standalone server.

A DHCP relay agent is required on all segments that do not contain a DHCP server, or whose routers are not all BOOTP-compatible.

Dynamic DNS update of both A and PTR records: by default, the dynamic update options for a Windows 2000 DHCP client computer are configured so that the Windows 2000 computer registers its own A (host) resource record and requests that the DHCP server register its PTR resource record. For older clients, use mmc - DHCP\Server\Scope\Properties\DNS tab; settings = Automatic update client, Always update, Enable update for clients who can't, so that their A and PTR records get registered. By default, when DHCP client leases expire, the DHCP server automatically removes from DNS any resource records that it originally registered.

Two DHCP servers on the same subnet: the 80/20 rule. DHCP server 1 holds 80% of the available IP addresses; DHCP server 2 holds 20% of the available IP addresses.

The DHCP wizard does not let you set an unlimited lease (999 is the maximum); you must use scope properties\Advanced tab to set an unlimited lease.

RRAS configured to use DHCP obtains 10 IP addresses from the DHCP server on boot-up. It keeps one for itself and gives the others to clients. After the 10 are gone, it requests more in blocks of 10. If you don't use DHCP, you can create a static pool on the RRAS server.

To transfer the DHCP database from one DHCP server to another, you must use either the DHCP console or the net stop dhcpserver command to stop the original DHCP server. To ensure that the DHCP service will not start again, you should then disable the DHCP Server service. Next, copy %Systemroot%\System32\Dhcp to a temporary folder on the new DHCP server. The last necessary action is to copy the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer Registry subkey to a text file.

IGMP (Internet Group Management Protocol): the proxy-mode interface "points" to the multicast-enabled intranet.

Multicast Address Dynamic Client Allocation Protocol (MADCAP): multicast addresses fall within the Class D IP address range from 224.0.0.0 through 239.255.255.255. The Class D range from 239.0.0.0 through 239.254.255.255 is a reserved range that is intended to be administratively scoped, much like the unicast IP address ranges that are reserved for private networks. RFC 2365 highly recommends using the range that begins at 239.192.0.0 with subnet mask 255.252.0.0 for an organizational network, so that the earlier addresses are available for future expansion. The 233.0.0.0 through 233.255.255.255 range is recommended for use with MADCAP for the purpose of global scoping on a public network such as the Internet.

To prevent intra-branch-office multicast traffic from being copied to the branch office link, use RRAS to configure appropriate scope-based boundaries on the interface at the hub office.
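The four-message lease exchange and the other message types listed above can be checked mechanically by reading option 53 (the DHCP message type) out of each packet. The following Python is an added example written for this page, not code from the notes or from Microsoft; the packets it parses are constructed inside the block, and the layout it relies on (236-byte fixed header, magic cookie, then type/length/value options) is the standard RFC 2131/2132 one. The option parser refuses to read past the end of a packet, which is the bug an over-trusting parser of length fields usually has.

```python
"""Parse the DHCP message type (option 53) out of raw DHCP packets and check
that one client's exchange follows the DISCOVER -> OFFER -> REQUEST -> ACK
order.  Added example; the packet bytes are constructed, not captured."""
import struct

# Option 53 values from RFC 2132, with the names used in the notes above.
MESSAGE_TYPES = {
    1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
    5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236  # op .. file fields that precede the magic cookie


def build_packet(msg_type, xid, yiaddr="0.0.0.0"):
    """Build a minimal DHCP packet (constructed test data): fixed header,
    magic cookie, option 53, then the end option (255)."""
    op = 1 if msg_type in (1, 3, 7, 8) else 2   # BOOTREQUEST vs BOOTREPLY
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op..flags
    header += b"\x00" * 4                                      # ciaddr
    header += bytes(int(o) for o in yiaddr.split("."))         # yiaddr
    header += b"\x00" * (FIXED_HEADER_LEN - len(header))       # siaddr..file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_options(packet):
    """Return {option_code: value_bytes}, stopping at the end option and never
    reading past the packet (a bad length byte must not become an overread)."""
    cookie = packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4]
    if len(packet) < FIXED_HEADER_LEN + 4 or cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        if i + 2 + length > len(packet):
            raise ValueError("option length exceeds packet")
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def message_type(packet):
    """Name of the DHCP message carried in option 53, e.g. 'DHCPOFFER'."""
    opts = parse_options(packet)
    if 53 not in opts or len(opts[53]) != 1:
        raise ValueError("no DHCP message type option")
    return MESSAGE_TYPES.get(opts[53][0], "UNKNOWN(%d)" % opts[53][0])


def lease_outcome(packets):
    """Follow the transaction of the first packet (matched by xid) and report
    'bound' after the four-message sequence, 'nak' if the server refused, or
    'incomplete' if the order was broken or the exchange stopped early."""
    expected = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]
    xid = struct.unpack("!I", packets[0][4:8])[0]
    step = 0
    for pkt in packets:
        if struct.unpack("!I", pkt[4:8])[0] != xid:
            continue                      # another client's transaction
        kind = message_type(pkt)
        if kind == "DHCPNAK":
            return "nak"
        if step < len(expected) and kind == expected[step]:
            step += 1
        else:
            return "incomplete"
    return "bound" if step == len(expected) else "incomplete"


# Constructed exchanges: client 0x1234 is bound to 192.168.0.25; client 0x99
# is refused with a DHCPNAK after requesting the offered address.
DORA = [build_packet(1, 0x1234), build_packet(2, 0x1234, "192.168.0.25"),
        build_packet(3, 0x1234), build_packet(5, 0x1234, "192.168.0.25")]
REFUSED = [build_packet(1, 0x99), build_packet(2, 0x99, "192.168.0.30"),
           build_packet(3, 0x99), build_packet(6, 0x99)]

if __name__ == "__main__":
    print([message_type(p) for p in DORA], lease_outcome(DORA), lease_outcome(REFUSED))
```

Packets from a second client (a different xid) interleaved in the same capture are skipped rather than counted against the first client's sequence, which is how a real trace of a busy segment looks.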
************NWLink************
IPX/SPX NetBIOS-compatible transport protocol (NWLink). Main components:
- CSNW
- GSNW (Gateway Service for NetWare)
- Directory service migration tools
- File and Print Services for NetWare

To ensure that the appropriate users have access to the Shared volume on the NetWare server, take the following steps:
1. Install the IPX/SPX gateway on the NetWare server.
2. Install the Gateway Service for NetWare on a Windows 2000 Server computer.
3. Create the NTGATEWAY group on the NetWare server.
4. Create user accounts on the NetWare server for the users who need access.
5. Place the new accounts in the NTGATEWAY group.
6. Enable the gateway to the NetWare server on the Windows 2000 Server computer.
7. Create and activate a gateway to the Shared volume.
8. Assign permissions to the gateway share on the Windows 2000 Server computer.
9. Direct users to the share on the Windows 2000 Server computer.
Default Ethernet frame types:
- NetWare 3.12 and later: 802.2 (the Windows 2000 default)
- NetWare 3.11 and earlier: 802.3

How to add NetWare 4.x servers to a Windows NT domain: when you select a NetWare 4.x server in the 'Select NetWare server' dialog box in Directory Service Manager for NetWare (DSMN), the following message appears: "is a NetWare 4.x server. It cannot be added to the domain". You need to change the following registry key: HKLM\System\CurrentControlSet\Services\MSSync\Parameters\Allow4x
************WINS************
NetBIOS name resolution, resolve order by node type:
- B-node: uses a local broadcast.
- P-node: uses a WINS server.
- M-node: cache, local broadcast, WINS, Lmhosts, Hosts, DNS.
- H-node: cache, WINS, local broadcast, Lmhosts, Hosts, DNS.
************Lmhosts************
The Lmhosts file is a static file that assists with remote NetBIOS name resolution on computers that cannot respond to NetBIOS name-query broadcasts. Location: systemroot\System32\Drivers\Etc.

Lmhosts keywords:
- #PRE: static name-to-address mappings, pre-loaded into the NetBIOS name cache and used first to resolve a name query.
- #DOM: domain tag; associates the entry with the domain specified.
- #INCLUDE: path to a file; forces the computer to seek the specified file and parse it as if it were local.
- #BEGIN_ALTERNATE and #END_ALTERNATE: allow multiple #INCLUDE statements to be grouped together.
- #NOFNR
- #MH: multiple entries exist because of multihomed computers.

Static mappings: name-to-address mappings in the server database for computers that do not directly use WINS (instead of using static mappings, such names might be resolved by Lmhosts files or DNS servers).

The nbtstat -RR command is used to force WINS clients to release and refresh their NetBIOS names in the WINS database.

WINS pull replication convergence time for a WAN (hub-and-spoke WINS replication configuration): add together the two longest convergence times between spokes and the hub.

Pull replication can only be configured to occur at specified time intervals. Push replication can only be configured to occur after a specified number of changes in the version ID of the local WINS database.

To back up the WINS database (default: every 3 hours): right-click the WINS server, choose 'Back Up Database', browse to a folder on the local server and click OK. This series of actions creates a \Wins_Bak\New folder within the designated folder and configures the server to automatically back up its WINS database to the local \Wins_Bak\New folder at an interval of every three hours.

A WINS proxy must be present on the subnet that includes the Unix servers in order to listen for their B-node broadcasts and either resolve them from its existing cache or query the WINS server in order to update the WINS proxy cache. Making a computer a proxy agent requires a change to a Registry key: EnableProxy set to 1. WINS proxies are used to resolve name resolution requests that are broadcast by non-WINS-enabled computers.

Two components that use WINS are My Network Places and the net.exe command.

WINS server on one subnet with clients on many subnets: configure the WINS server to include its own IP address as a WINS client when configuring the server's TCP/IP properties on the Advanced WINS tab.

When values below 20 are specified for the number of version ID changes, a persistent connection is required in order for replication to occur.

You can use the Jetpack utility to compact and perform minor repairs on the WINS database, but this action does not update outdated NetBIOS name mappings.
************RRAS************
Authentication options are:
- PAP: Password Authentication Protocol; plaintext.
- SPAP: Shiva Password Authentication Protocol; reversible encryption mechanism.
- CHAP: Challenge Handshake Authentication Protocol.
- MS-CHAP v1, v2: Microsoft Challenge Handshake Authentication Protocol versions 1 and 2.
- EAP: Extensible Authentication Protocol. EAP-MD5 and EAP-TLS will not work on a stand-alone Windows 2000 server; it must be in Active Directory.

************Unauthenticated access************
MS-CHAP v1 cannot be used to establish a 40-bit encrypted connection if the user has a password of more than 14 characters. To enable CHAP-based authentication, configure all the settings plus reversible encryption of passwords. Reversible encryption of passwords does not affect existing passwords; after reversible encryption is selected, a user's password must be reset.
************Connection Types supported************
PPP, MPPE, PPTP, L2TP. PPP is the basis for the PPTP and L2TP protocols, which are used in secure virtual private network (VPN) connections.

Supported PPP connection features:
- Multilink: more than one connection.
- BAP: with Multilink, dynamically controls bandwidth utilization.
- LCP: Callback and Caller ID features.

For VPN connections, Windows 2000 uses MPPE with the Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec) encryption with the Layer Two Tunneling Protocol (L2TP). For dial-up networking connections, Windows 2000 uses Microsoft Point-to-Point Encryption (MPPE). With the basic and strong encryption methods, MPPE provides only link encryption, not end-to-end encryption. If end-to-end encryption is required, IPSec can be used to encrypt IP traffic end-to-end after the PPTP tunnel is established.

Data encryption for PPP or PPTP connections is available only if MS-CHAP (v1 or v2) or EAP-TLS is used as the authentication protocol. Data encryption for L2TP connections relies on IPSec, which does not require any specific authentication protocol. The maximum level of data encryption for Windows NT 4.0 and Windows 98 computers is MS-CHAP v2 for VPN connections. L2TP enables the use of IPSec for securing the payload.

To create an L2TP-only server: set the number of PPTP ports to 1 and then clear the "Remote access connections (inbound only)" and "Demand-dial routing connections (inbound and outbound)" check boxes; on the client computer, change the type of VPN server from Automatic to L2TP.

A remote access server running Windows 2000 does not support SLIP clients. Serial Line Internet Protocol (SLIP) is an older remote access standard typically used by UNIX remote access servers. Windows 2000 Network and Dial-up Connections supports SLIP, and you can make connections to any remote access server by using the SLIP standard.
************IPSec************
The Kerberos V5 security protocol is the default authentication technology. IPSec protects integrity, ensures confidentiality, authenticates credentials and protects computers from network attack. Profiles are for users; filters are for machines. Filters define the types of packets that are allowed to be processed. Select the "Session key perfect forward secrecy" check box to guarantee that no master keying material will be re-used to generate the session key. You can monitor and troubleshoot IPSec by using the ipsecmon command to start IP Security Monitor, and by enabling audit policy and viewing IPSec events in Event Viewer. When IPSec is tunneled, ESP should be applied first and then the Authentication Header (AH): "layer 3 tunneling".
************RAS server order of processing************
After authentication:
1. Check RRAS policy.
2. Check the user's dial-up property configuration.
3. Check policy profile settings.

RIP v1 and RIP v2 are distance-vector routing protocols; RIP v1 and RIP v2 routers periodically broadcast the routes contained in the routing table to the network. However, changes are not broadcast immediately. RIP v1 vs RIP v2: v2 supports passwords, CIDR, VLSM and multicast; RIP v1 is chatty. Split horizon and poison reverse settings prevent RIP routing loops.

Route command: route print lists all routes this computer knows; route -f clears the table.

RIP v2 router terminology:
- Peer filtering: the ability to accept or discard updates or announcements from specific routers identified by IP address.
- Route filtering: the ability to accept or discard updates for specific network IDs or from specific routers.
- RIP neighbours: the ability to unicast RIP announcements to specific routers, to support RIP on non-broadcast technologies like Frame Relay. A RIP neighbour is a RIP router that receives unicasted RIP announcements.
************RAP (Remote Access Policy) terminology************
- Conditions: determine the conditions to match.
- Permissions: determine whether to grant or deny remote access permission.
- User profile: profile for users who matched the conditions you have specified.

The first RAP that matches the conditions of the connection attempt is used to determine whether the connection attempt will be accepted or rejected.
************Ports************
- 20: FTP server (data channel)
- 21: FTP server (control channel)
- 23: Telnet server
- 53: Domain Name System zone transfers
- 80: HTTP Internet access
- 139: NetBIOS session service
- 443: HTTPS secure web pages

To duplicate the configuration to the IAS server on the stand-by server: use the 'netsh aaaa show config' command on the IAS server to create a script file, copy the script file to the stand-by server, and use the 'netsh exec' command on the stand-by server to process the script file.

Windows 2000 doesn't support the use of OSPF on non-persistent demand-dial connections.

DVMRP is not available with RRAS; therefore, you cannot install it on Windows 2000 routers. In order to enable multicast traffic to pass through an intranet section that does not support multicast routing, you must use an IP-in-IP tunnel. In order to enable each user group to send multicast datagrams to the other group, you should create an IP-in-IP tunnel interface on each Windows 2000 router.

If you use NetMon in a switched network environment, you see only the traffic addressed to the computer that is running NetMon. The "Identify Network Monitor Users..." command will not detect instances of Network Monitor or the Network Monitor driver running on computers located on remote subnets unless the routers forward multicast packets.

SNMP devices and consoles are grouped into communities by the use of a community name. SNMP devices and SNMP consoles must share a common community name in order to interact by using SNMP.
************ICS************
In order for network computers to gain access to the Internet through an ICS computer, the TCP/IP configuration of the network computers must be changed to allow them to obtain their IP address automatically. When ICS is enabled on the LAN interface of a Windows 2000 Server computer, the LAN interface is automatically configured with the IP address 192.168.0.1 and subnet mask 255.255.255.0. If network computers are configured to obtain their IP address automatically, then ICS assigns them IP addresses starting from 192.168.0.2 with a subnet mask of 255.255.255.0.
************NAT************
NAT editors enable a NAT server to perform network address translation when protocols such as FTP, ICMP, PPTP and NetBT are used. A default static route must always have a destination of 0.0.0.0 and a subnet mask of 0.0.0.0. In order to ensure the correct translation of traffic bound from private hosts to the Internet, you must select the "Translate TCP/UDP headers (recommended)" option when the number of IP addresses on the private network exceeds the number of IP addresses configured on the public interface of the NAT server. By using the RRAS console to select the "Resolve IP addresses for clients using DNS" check box, you configure the NAT server to forward name resolution requests to DNS servers on the Internet. Although the NAT computer is not actually a DNS server, the computers on the private network should be configured with the address of the NAT server as their preferred DNS server, because the NAT server functions as a DNS proxy on behalf of the client computers.
************DNS************
Although the use of AD-integrated primary zones is not required in an AD domain, they are the only zones that allow DNS clients to perform dynamic updates to any DNS server in the domain. With AD-integrated zones, DNS zone data is stored in the AD database, which is replicated to all domain controllers; it refreshes every 24 hours by default.

With standard primary DNS zones, only one copy of a particular primary zone can exist, and only the DNS server that hosts the primary zone can accept dynamic updates from DNS clients. Thus, if the DNS server that hosts the primary zone is unavailable, DNS clients cannot perform dynamic updates of their resource records.

The ipconfig /registerdns command is used to force a DNS client to create an A (host) record for itself.

Nslookup is used for troubleshooting DNS. Nslookup is available only if the TCP/IP protocol has been installed.

A DNS client always checks its resolver cache before querying a DNS server; therefore, the user must flush the resolver caches of the network computers. Flushing the caches purges all information obtained through dynamic resolution attempts. Stopping and starting the DNS Client service on each network computer flushes the DNS resolver cache of that computer; you can also flush the local resolver cache by running the ipconfig /flushdns command on each network computer.

Only DNS servers that host primary zones or AD-integrated zones have SOA records; therefore, you cannot increase the value of the Refresh Interval setting of the SOA record on a secondary DNS server.

In the simple test, the DNS client resolver on the computer that hosts the DNS server attempts to query the local DNS server. Part of the simple test involves the DNS server attempting to ping its own loopback address of 127.0.0.1. If the simple test fails on a DNS server, your first troubleshooting step should be to determine whether the server contains the 1.0.0.127.in-addr.arpa zone.

In the recursive test, the local DNS server attempts to resolve a query by querying another DNS server, such as a DNS server on the Internet. If the recursive test fails and there is no firewall between the DNS server and the Internet, the first troubleshooting step is to determine whether the root hints are correct; the next step is to use nslookup with the commands server DNS_server_IP_address and set querytype=NS.
************Certification Authorities************
You cannot use an enterprise root CA as an offline root CA, because enterprise CAs require AD to issue certificates; an enterprise CA that was taken offline would no longer be able to issue certificates. An offline root CA is a root CA that is not connected to the network. However, you should install the root CA on a member server of an AD domain while the member server is attached to the network. By installing the root CA on a computer that is attached to the network, you ensure that the CA updates AD and that all domain computers and users will trust the certificates that it issues.

You should obtain a Server Gated Cryptography (SGC) server certificate from a commercial CA in order to assure visitors of your Web site's identity and provide 128-bit cryptography for all Web communications. The SGC protocol is an extension of SSL. An SGC server certificate is used to provide added encryption between a client computer and a Web server.

In order to ensure that employees can download the unsigned custom controls from your company's intranet Web site, you should use IEAK Profile Manager to configure a security zone setting of Low for the Local intranet zone in Internet Explorer.
************Denial of Service************
To drop Internet traffic from spoofed private IP addresses, configure input filters on the Internet interface to accept all packets except the following:
- 10.0.0.0 with the subnet mask 255.0.0.0
- 172.16.0.0 with the subnet mask 255.240.0.0
- 192.168.0.0 with the subnet mask 255.255.0.0

To disable EFS at the OU level without nullifying the recovery policies of all computers within the OUs, configure no recovery policy for each OU. To disable EFS for all computers within the OUs and not for the OU itself, configure an empty recovery policy for each OU.

Encryption terminology:
- Basic encryption: 40-bit for dial-up connections; 40-bit for PPTP-based VPN connections; 56-bit for L2TP/IPSec-based VPN connections.
- Strong encryption: 56-bit for dial-up connections; 56-bit for PPTP-based VPN connections; 56-bit for L2TP/IPSec-based VPN connections.
- Strongest encryption: 128-bit for dial-up connections; 128-bit for PPTP-based VPN connections; 3*56-bit for L2TP/IPSec-based VPN connections.

You can reduce your company's vulnerability to password-guessing attacks by using smart card authentication and enabling account lockout for remote access in the Registry. Smart card authentication is a token-based authentication method. Token-based authentication requires the user to know something, usually a Personal Identification Number (PIN), and to have something, such as the smart card; without both, a person cannot obtain access. Account lockout is enabled for remote access by modifying two values located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters subkey of the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout.

The 7 OSI layers: application, presentation, session, transport, network, data link, physical.
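As an added example (not part of the notes), the following Python applies the three spoofed-source rules above to a constructed log of packets seen on the Internet interface, with the ranges written as network/mask pairs exactly as they are listed. The log format and all host addresses are made up for the example. Two details matter for a filter like this: the boundary of 172.16.0.0/255.240.0.0 (172.31.x.x is inside, 172.32.x.x is not), and that an unparseable source address is dropped rather than letting the error fail open.

```python
"""Ingress filter for the spoofed-private-source rule: packets arriving on
the Internet interface whose source is in 10/8, 172.16/12 or 192.168/16 are
dropped; everything else is accepted.  Added example with constructed data."""
import ipaddress

# The three ranges from the notes, written network/mask as an RRAS input
# filter would be typed.
SPOOFED_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
]


def verdict(src):
    """'drop' if the source claims a private address, else 'accept'.
    A malformed address is dropped too: raising here would fail open."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    return "drop" if any(addr in net for net in SPOOFED_PRIVATE) else "accept"


def filter_log(lines):
    """Apply verdict() to 'src dst proto/port' log lines (constructed format);
    returns a list of (source, verdict) pairs."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue                      # not a packet line, skip it
        results.append((fields[0], verdict(fields[0])))
    return results


def drop_count(lines):
    """How many of the logged packets the filter would have dropped."""
    return sum(1 for _, v in filter_log(lines) if v == "drop")


# Constructed sample of traffic seen on the Internet interface.
SAMPLE = [
    "10.1.2.3 203.0.113.10 tcp/80",       # spoofed: inside 10/8
    "172.31.255.1 203.0.113.10 udp/53",   # spoofed: inside 172.16/12
    "172.32.0.1 203.0.113.10 tcp/443",    # just outside 172.16/12
    "192.168.200.5 203.0.113.10 tcp/25",  # spoofed: inside 192.168/16
    "198.51.100.7 203.0.113.10 tcp/443",  # ordinary Internet host
    "999.1.1.1 203.0.113.10 tcp/22",      # malformed source address
]

if __name__ == "__main__":
    for src, v in filter_log(SAMPLE):
        print("%-15s %s" % (src, v))
    print("dropped:", drop_count(SAMPLE))
```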
************TCP/IP Layers************
- Application: defines TCP/IP application protocols and how host programs interface with transport layer services to use the network. HTTP, Telnet, FTP, TFTP, SNMP, DNS, SMTP, X Windows and other application protocols.
- Transport: provides communication session management between host computers. Defines the level of service and status of the connection used when transporting data. TCP, UDP, RTP.
- Internet: packages data into IP datagrams, which contain source and destination address information that is used to forward the datagrams between hosts and across networks. Performs routing of IP datagrams. IP, ICMP, ARP, RARP.
- Network interface: specifies details of how data is physically sent through the network, including how bits are electrically signalled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted-pair copper wire. Ethernet, Token Ring, FDDI, X.25, Frame Relay, RS-232, V.35.

IP classes:
Class   Address (first octet)   Use
A       1-127
B       128-191
C       192-223
D       224-239                 Multicast
E       241-up                  Experimental

APIPA (Automatic Private IP Addressing): 169.254.0.0/16. Available with Windows 98, 2000, XP and later.

Subnet masks: segments - 2 = usable segments. The minus 2 is for the first and the last subnet, because all 0s or all 1s are not allowed.
Mask   Segments   Usable
192    4          2
224    8          6
240    16         14
248    32         30
252    64         62
254    128        126
255    256        254
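To show the arithmetic behind the class table, the APIPA range and the subnet-mask table above, and the multicast scopes listed in the DHCP section, the following Python is an added example written for this page, not the notes' own material. It uses the boundaries exactly as the notes state them (Class E starting at 241, administratively scoped multicast ending at 239.254.255.255); the subnet count is 2 to the power of the number of 1 bits in the mask octet, and the usable count is that minus the two excluded subnets.

```python
"""Address classification and subnet-mask arithmetic for the tables in the
notes above.  Added example; range boundaries are taken from the notes."""
import ipaddress


def address_class(addr):
    """Class of an IPv4 address by first octet, with the boundaries used in
    the table above (A 1-127, B 128-191, C 192-223, D 224-239, E above)."""
    first = int(addr.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


APIPA = ipaddress.ip_network("169.254.0.0/16")
# Administratively scoped multicast, 239.0.0.0 through 239.254.255.255 as the
# notes state it (an inclusive range rather than a clean prefix).
ADMIN_LOW = ipaddress.ip_address("239.0.0.0")
ADMIN_HIGH = ipaddress.ip_address("239.254.255.255")
ORG_LOCAL = ipaddress.ip_network("239.192.0.0/255.252.0.0")   # RFC 2365 range
GLOBAL_MADCAP = ipaddress.ip_network("233.0.0.0/8")           # 233.0.0.0-233.255.255.255


def describe(addr):
    """Class plus the special meanings the notes attach to certain ranges."""
    ip = ipaddress.ip_address(addr)
    tags = [address_class(addr)]
    if ip in APIPA:
        tags.append("APIPA")
    if ip in ORG_LOCAL:
        tags.append("organization-local multicast")
    elif ADMIN_LOW <= ip <= ADMIN_HIGH:
        tags.append("administratively scoped multicast")
    elif ip in GLOBAL_MADCAP:
        tags.append("global-scope MADCAP multicast")
    return tags


def subnets_from_mask(last_octet):
    """(segments, usable) for a mask whose last non-zero octet is last_octet,
    e.g. 224 -> (8, 6).  Segments = 2 ** (number of 1 bits in the octet);
    usable = segments - 2 because the all-0s and all-1s subnets are excluded."""
    ones = bin(last_octet).count("1")
    segments = 2 ** ones
    return segments, segments - 2


def mask_table():
    """Rebuild the subnet-mask table above: [(mask, segments, usable), ...]."""
    return [(m,) + subnets_from_mask(m) for m in (192, 224, 240, 248, 252, 254, 255)]


if __name__ == "__main__":
    for a in ("10.1.1.1", "169.254.10.5", "239.192.1.1", "233.1.1.1", "239.255.0.1"):
        print(a, describe(a))
    for row in mask_table():
        print("%-4d %-5d %d" % row)
```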
