
MCSE Windows 2000 Server Personal Study Guide -- 70216

.com

.edu

.org

.net

.gov

.mil

.num – phone #

.arpa – reverse DNS

.us

.cc

Look up host

1. HOSTS

2. DNS cache

3. DNS db

4. NetBIOS

5. WINS

6. Broadcast

7. LMHOSTS

Look up FQDN

1. HOSTS

2. DNS cache

3. DNS db

4. pass up until found

For the host 203.102.101.100 on a /24 network, the reverse DNS zone holding its PTR record is 101.102.203.in-addr.arpa

By default a newly installed DNS server is caching-only: it needs lots of RAM, answers from cache or passes the query to other DNS servers (Root Hints), and has no zone transfer overhead.

ipconfig /displaydns

ipconfig /flushdns

BIND – Berkeley Internet Name Domain

BIND must support SRV records

Root name server acts as Start of Authority (SOA) for the zone and as the top-level server in the domain. It contains the "." domain and thus can't be a forwarder.

SOA is the first record in the DB.

Serial number – versioning

Primary server

Email address – use . symbol instead of @

Secondary server – read-only db, updated via a zone transfer from another DNS server

1 Standard Primary server per zone

1+ Standard Secondary server per zone

AD integrated

Forward Lookup Zone provides an IP address for a queried host name

Reverse Lookup Zone – you must provide a network IP 203.102.101 or reverse lookup zone name 101.102.203.in-addr.arpa instead of a domain name.
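The zone-name derivation in the two notes above (203.102.101.x becomes 101.102.203.in-addr.arpa), as an added example that is not from the original study guide; it generalises to /8 and /16 networks and uses the Python standard library's `ipaddress` module, with `ptr_record` and its `prefixlen` parameter being assumptions of this example:

```python
import ipaddress

def reverse_zone(network):
    """in-addr.arpa zone name for an IPv4 network on an octet boundary (/8, /16 or /24)."""
    net = ipaddress.ip_network(network, strict=False)   # strict=False accepts a host address
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones need RFC 2317 delegation; not covered here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"   # octets reversed, least specific last

def ptr_owner(address):
    """Fully qualified owner name of the PTR record for one host."""
    return ipaddress.ip_address(address).reverse_pointer

def ptr_record(address, fqdn, prefixlen=24):
    """Zone-file line (relative to its reverse zone) for the host's PTR record."""
    zone = reverse_zone(f"{address}/{prefixlen}")
    owner = ptr_owner(address)
    relative = owner[: -(len(zone) + 1)]      # strip ".<zone>" to keep only the in-zone label(s)
    return zone, f"{relative}\tIN\tPTR\t{fqdn}."
```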

Allow dynamic updates

Dynamic DNS – DDNS is simply the integration of DNS and DHCP.

ipconfig /registerdns

Iterative query – the DNS server gets closer to the final answer step by step: .com, abc.com, xyz.abc.com…

Recursive query – client query or mail server query MX

ping /a – resolve IP to hostname

Authoritative query – on the first query, the DNS server gets the answer from the remote DNS server

Nonauthoritative query – subsequent identical queries are answered from cache

Delegated zone domain must be lower than the domain performing the delegation

DNS records

A

CNAME

MX

MG

MB

MINFO

NS – Authoritative name server

PTR

TXT

RT – route through

SRV – used by Win2K for AD and Dynamic DNS.

Monitoring DNS

AXFR and IXFR Counters

Caching Memory

Dynamic Updates

Zone Transfers

DHCP Discover > (can cross routers if routers are configured with BOOTP)

DHCP Offer <

DHCP Request >

DHCP ACK <
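The Discover/Offer/Request/ACK exchange above, built and decoded as RFC 2131 frames; this is an added example, not material from the study guide, and the MAC, addresses and transaction id it uses are constructed sample values:

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
CLIENT_SENT = {1, 3, 4, 7, 8}   # DISCOVER, REQUEST, DECLINE, RELEASE, INFORM go client -> server

def build_dhcp(msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None, broadcast=True):
    """Minimal RFC 2131 frame: 236-byte BOOTP header, magic cookie, options, end marker."""
    op = 1 if msg_type in CLIENT_SENT else 2          # BOOTREQUEST or BOOTREPLY
    flags = 0x8000 if broadcast else 0                # broadcast bit: client has no IP yet
    chaddr = bytes.fromhex(mac.replace(":", ""))      # struct pads it to 16 bytes
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, msg_type])             # option 53: message type
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)   # option 54: server identifier
    return header + options + b"\xff"

def parse_dhcp(frame):
    """Decode the fixed header and walk the TLV options up to the end marker (255)."""
    op, _, hlen, _, xid, _, flags, _, yiaddr, _, _, chaddr = \
        struct.unpack_from("!BBBBIHH4s4s4s4s16s", frame)
    if frame[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP frame: magic cookie missing")
    options, off = {}, 240
    while off < len(frame) and frame[off] != 255:
        if frame[off] == 0:                           # pad option has no length byte
            off += 1
            continue
        code, length = frame[off], frame[off + 1]
        options[code] = frame[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "mac": chaddr[:hlen].hex(":"), "yiaddr": socket.inet_ntoa(yiaddr),
            "type": MSG_TYPES.get(options[53][0], "UNKNOWN"), "options": options}

def dora(client_mac, offered_ip, server_ip, xid=0x3903F326):
    """The four-message exchange; one xid ties all four frames together (values constructed)."""
    frames = [
        build_dhcp(1, xid, client_mac),                             # Discover: client broadcast
        build_dhcp(2, xid, client_mac, offered_ip, server_ip),      # Offer: server proposes yiaddr
        build_dhcp(3, xid, client_mac, server_id=server_ip),        # Request: client picks server
        build_dhcp(5, xid, client_mac, offered_ip, server_ip),      # ACK: lease confirmed
    ]
    return [parse_dhcp(f) for f in frames]
```

A relay agent or a BOOTP-forwarding router only has to carry these same frames across the subnet boundary; the client-side Discover and Request carry op=1, the server-side Offer and ACK op=2.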

Router must forward BOOTP, or set up a DHCP Relay Agent in the RRAS MMC

DHCP server must have a static IP

Scope

Address Pool – to lease and to exclude

Address Leases – current leased

Reservations – specific set

Scope Options

SuperScope

Multicasting

TTL 32 hops

lease 30 days

Exclusions

Routers

Printers

App servers

To get a MAC address, ping the IP, then run arp -g

Configure DHCP server options such as DNS and WINS IP addresses; they apply to all scopes.

In the DHCP server/scope DNS tab, you can enable DDNS. To keep DNS clean, enable discard. To support UNIX or pre-W2K clients, enable support for clients that don't support dynamic update.

You need to authorize the DHCP server in AD. It is checked every 5 mins.

Monitoring DHCP

Discovers/sec

Offers/sec

Requests/sec

Acks/sec

Nacks/sec

Informs/sec indicates heavy DDNS integration traffic

Declines/sec indicates a bogus DHCP server

DHCP supports SNMP and MIB

RRAS is installed by default but not active. It can be configured and enabled as:

Internet connection server for NAT

Remote Access server

VPN server

Networking router

Manually configured server

RRAS supports AppleTalk, TCP/IP, IPX, NetBEUI, SLIP, PPP

Win2000 Pro supports 1 inbound dial-in, Win2000 Server supports 256.

When RADIUS authentication is used, Remote Access Policies and Logging disappear from RRAS. You need to access them from Internet Authentication Service instead.

Default remote access policy is "Allow access if dial-in permission is enabled" – it denies all unless the AD user's dial-in property is set to Allow access

No remote access policy, no remote access, regardless of the user's Dial-In setting.

When you have more restrictive policies, put them first in order.

Remote Access Policy properties > Edit Profile

Dial-in Constraints – idle time, max time, day, times, dial-in #, dial-in media

IP – IP Packet filters

Multilink

o BAP

o before that, you need to have more than one modem, and enable multilink on both ends.

Auth

o Windows Auth

o Internet Auth Services - RADIUS

Encryption

o No encrypt

o Basic

o Strong

Advanced – for RADIUS

VPN

PPTP

L2TP/IPSec

Macintosh users can only use SSL over HTTP

To configure, open RRAS Ports Properties

WAN Miniport PPTP

WAN Miniport L2TP

Direct Parallel

modem, if you have a modem installed

RRAS gets 10 IP addresses at a time from DHCP and hands them out to connecting clients.

RAS Port shows stats for only that port, RAS Total shows total stats for all ports

Internet Auth Services

You need to register the service in AD, and add it to the RAS and IAS Servers security group in AD

Clients

o Friendly Name

o Protocol -- RADIUS

o Client address

o Client vendor

o Client must always send the signature attr in the request

Remote Access Logging

Remote Access Policies

Auth methods:

EAP

o One-time passwords

o Certificates

o Smart Cards

o Access Tokens

MS-CHAP v2

MS-CHAP

CHAP

SPAP

PAP

Encryption protocols

MPPE - PPTP

IPSec – L2TP

RIPv2 and OSPF support CIDR and VLSM, RIPv1 doesn’t.

CSNW

GSNW – if several clients use this method, consider using CSNW to avoid a GSNW bottleneck

File and Print Services for NetWare – FPNW

Frame type

Ethernet 802.2

Ethernet 802.3

SNAP

Ethernet II

Configure GSNW

NTGATEWAY group on NW

Same account on both Windows 2000 and NW

Right assignment on NW Folder

Network binding

Keep the most commonly used protocols first

Remove unnecessary protocols

Network Monitor Tools -> Add/Remove Windows Components -> Management and Monitoring Tools

Network Monitor Driver -> Network -> Install -> Protocol

IPSec uses Kerberos V5 as its default auth, but also supports X.509 certificates (public/private keys)

IPSec secures data by adding an IPSec header to each data packet.

Authentication Header (AH) – uses MD5 or SHA

Encapsulating Security Payload – confidentiality by encrypting data

Encryption keys are handled by the ISAKMP/Oakley protocol

You need to enable IPSec in local security policy or AD domain level group policy

IPSec policies on the local machine are supplied but disabled by default:

o Client

o Secure Server

o Server

You can customize IPSec policy

Connection Type

o All network connections

o LAN

o Remote Access

Tunnel Settings

o This rule does not specify an IPSec tunnel

o The tunnel endpoint is specified by this IP address

Filter Action

o Permit

o Request Security

o Require Security

IP Filter

IPSec in transport mode is the MS version of IPSec, also known as L2TP/IPSec: enable VPN in RRAS with the default settings and it runs in transport mode. IPSec in tunnel mode is the IETF version, pure IPSec.

o Use transport mode if possible

o don't use tunnel mode for remote access clients using VPN

o Tunnel mode does not support protocol- or port-specific tunnels, so make sure the filter is ANY

o netdiag to check active filters

IPSECMON

WINS maps NetBIOS name to IP

WINS Servers

o one WINS for 10,000 users plus one for redundancy

WINS Clients

o connect directly to WINS: Win9x, NT, 2K

Non-WINS Clients

o broadcast to WINS: Win3.1, DOS and non-Windows

WINS Proxies

o intercept broadcasts on their subnet and communicate with WINS Servers

o nbtstat -c to start WINS Proxy

o don't put more than one WINS Proxy in a single segment, to avoid duplicates

NetBIOS Names – 16 chars: 15 chars of name + 1 hex suffix byte

00h – workstation

03h – messenger

20h – file server

To check that WINS is running, look for wins.exe in the Task Manager Processes tab, or check that the WINS snap-in statistics are being updated.

To see which one is the primary WINS server, use ipconfig /all

WINS Replication

Pull – time based

Push – event based; the push partner doesn't actually send data to its partner but informs partners that they should pull data

Immediate

WINS traffic types:

B-node – broadcast

P-node – p2p

H-node – hybrid node – tries P-node, then B-node; the default mode

M-node – modified node – tries B-node, then P-node

To confirm, run ipconfig /all and check Node Type

Order of resolution

local NetBIOS cache > WINS > Broadcast > LMHOSTS > DNS

To make sure a record gets deleted on all WINS servers, manually tombstone the record.

Demand-Dial uses a modem, ISDN or serial connection to back up a main connection or to save cost

A packet is sent in one of 2 ways:

default gateway

ICMP

RIP listener – works with RIPv1, not RIPv2

Need to be a Domain Admin or in the RAS and IAS Servers security group

RIP

distance vector

o simple to maintain/configure

o slow convergence

o count-to-infinity

Split Horizon

Split Horizon with Poison Reverse

Triggered updates

o create more traffic

o larger routing table

hop count – max 15

can send up to 25 routes in a single RIP packet

v1

o broadcast to all

o support silent RIP

v2

o multicast to 224.0.0.9

o support CIDR, VLSM

o prevent rogue RIP routers with auth
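The count-to-infinity problem and the split horizon / poison reverse fixes listed under RIP above, simulated on two routers with the hop limit of 15 (16 = unreachable); this is an added example, not from the study guide, and the topology (network N attached to router A, B learning it via A, then A's link to N failing) is constructed:

```python
INFINITY = 16  # RIP: max hop count is 15, so 16 means "unreachable"

def advertise(table, to_neighbor, mode):
    """Routes a router sends to `to_neighbor`. table maps dest -> (metric, next_hop).
    mode: "none" (no split horizon), "split" (stay silent about routes learned from
    that neighbor) or "poison" (advertise them back with metric 16)."""
    adv = {}
    for dest, (metric, next_hop) in table.items():
        if next_hop == to_neighbor and mode != "none":
            if mode == "poison":
                adv[dest] = INFINITY
            continue
        adv[dest] = metric
    return adv

def learn(table, from_neighbor, adv):
    """Distance-vector update: take a better route, or follow a worse one from the
    neighbor we already route through. Returns True if the table changed."""
    changed = False
    for dest, metric in adv.items():
        new = min(metric + 1, INFINITY)
        cur = table.get(dest)
        if cur is None or new < cur[0] or (cur[1] == from_neighbor and new != cur[0]):
            table[dest] = (new, from_neighbor)
            changed = True
    return changed

def rounds_to_converge(mode):
    """Routers A and B; net N is directly attached to A, then A's link to N fails.
    Returns how many update rounds pass before both tables stop changing."""
    a = {"N": (1, None)}                          # None = directly connected
    b = {}
    learn(b, "A", advertise(a, "B", mode))        # B learns N via A (metric 2)
    a["N"] = (INFINITY, None)                     # link failure
    rounds = 0
    while True:
        changed = learn(a, "B", advertise(b, "A", mode))   # B's stale advert arrives first
        changed |= learn(b, "A", advertise(a, "B", mode))
        if not changed:
            return rounds
        rounds += 1
```

Without split horizon the two routers bounce the dead route between them until the metric reaches 16; with either fix they settle in a single round.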

OSPF

link state

o only send updates when there is a change

o flooding Link State Advertisements – LSAs

router

networks attached to router

networks costs

o loop free

o load balance

o auth

o support CIDR, VLSM, supernetting

o quick convergence

o less bandwidth

AS, Areas (within an AS, each with an Area ID) and the OSPF Backbone (links the areas)

Two routers are needed for Demand-Dial Routing – a calling and an answering router, each with RRAS installed

The following cause a Demand-Dial connection to fail:

breach of dial-out hours

breach of demand-dial filters

wrong dial-out credentials

mismatch of connecting interface

Demand-Dial types

On-demand

o until a demand-dial timeout

o one-way initiated connection

static route

authorized user

o two-way initiated connection

o be careful when pointing the default gateway 0.0.0.0 at the demand-dial interface

Persistent

o requires an X.25, ISDN or leased line connection

Silent RIP – only receives routes but doesn't send out its own.

route

print

add mask metric

delete

change

-f

ICS

NAT

DNS proxy

DHCP

LDAP proxy

H323 proxy

Directplay proxy

NAT can only be installed on Win 2000 Server, not Pro

Public Key Infrastructure PKI

digital signature (certs)

o user name

o user public key

o serial #

o expiration date

o cert info

o issuing CA’s Info

encryption

Don’t install CA on a DC

Windows 2000 CA

Enterprise

o Integrated with AD

o Install before all other CA as a Root CA

o its computer account need to be in Cert Publishers group

Standalone

o for external users

Root CA must be placed in the Trusted Root Certification Authorities store for the certification path chain to work. To protect the Root CA, you should take it offline and let a Subordinate CA issue certs.

When upgrading from NT, you need to import the old style CA database with certutil convertmdb

CRL Distribution Point – where the Certificate Revocation List is located

Authority Info Access – where the certs are located

Use http://servername/certsrv to request a cert from either an Enterprise or a Standalone CA. The MMC snap-in only works with an Enterprise CA.
