Mark's Technical Knowledge Base
Just bunch of useful information I have collected over time.


MCSE Study Notes

Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure

© 2003 Mark Dabrowski, All Rights Reserved

February 9, 2002 – January 5, 2003

Network Protocols in Windows 2000 Environment

·          OSI (Open Systems Interconnection) reference model was designed as a guide for developers to follow when creating or implementing a protocol.

·          Different protocols work at different layers of OSI model

·          OSI consists of 7 layers

1.        Physical – puts data on the medium (hubs, media, repeaters, network interface cards, TCP/IP protocol (Ethernet, Token Ring) work on this layer)

2.        Data Link – defines how data is accessed from the medium and to the medium (switches, bridges work on this layer)

3.        Network – provides addressing so that data can be routed to its destination (routers, IPX protocol, TCP/IP protocol (IP, ICMP, IGMP, ARP) work on this layer)

4.        Transport – error checking and data delivery guarantee (NetBIOS, SPX, and TCP/IP (TCP, UDP) protocols work on this layer)

5.        Session – establishes communication channels between systems

6.        Presentation – formatting of the information

7.        Application – defines how applications interact with the network (TCP/IP protocol (HTTP, FTP, SMTP, etc) works on this layer)

·          Windows 2000 supports the following network protocols:

o    AppleTalk

o    DLC (Data Link Control)

o    NetBEUI (NetBIOS Enhanced User Interface)

o    NWLink (IPX/SPX)

o    TCP/IP (Transmission Control Protocol / Internet Protocol)

·          AppleTalk is used to communicate with Macintosh computers, but they can access files and printers only if File Services for Macintosh and Print Services for Macintosh network services are installed.

·          DLC is used to communicate with IBM mainframes or older HP JetDirect printers (newer ones use TCP/IP)

·          NetBIOS Enhanced User Interface (NetBEUI) in Windows 2000 is at version 3 (known as NetBIOS Frame – or NBF).

o    NetBIOS is not routable, recommended only for networks of 20 computers or less

o    NetBIOS does not support IBM Token-Ring Networks

o    No configuration is necessary – additional settings can be done under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NBF\Parameters registry key.

o    Do not try to bind NetBIOS to more than one NIC on the same computer, because NetBIOS registers the computer name from all NICs and will then error with duplicate names.

o    NetBIOS stands for Network Basic Input/Output System

o    More information on NetBIOS is in the WINS section below.

·          NWLink is Microsoft's implementation of Novell’s IPX/SPX protocol.

o    NWLink is routable

o    When Client Services for Netware or Gateway Services for Netware are installed NWLink is installed automatically.

o    File and Print Service for Netware allows NetWare clients to access Windows 2000 files and printers.

·          TCP/IP is a suite of protocols

o    Microsoft implementation uses a four-layer model:

§   Application (HTTP, FTP, etc)

§   Transport (TCP, UDP)

§   Internet – addressing and routing (IP, ICMP, IGMP, ARP)

§   Network Interface – Ethernet, Token Ring, etc

o    TCP/IP is the default protocol in Windows 2000

o    IP Address is a 32-bit number represented in dotted decimal format; each number between the dots represents eight bits of the address, called an octet. (example: 209.151.129.1)

o    Part of the IP address represents network ID and part the actual host ID

o    A subnet mask applied to the IP address determines which part is the network ID and which part is the host ID.

o    There are 5 classes of IP addresses (A-E), A,B,C are most commonly used, D is reserved for multicast traffic and E is experimental.

o    Class A address uses the first octet to determine network ID.

§   Subnet mask is 255.x.x.x. First octet is between 1 and 126. Network ID 10 is reserved for private addressing and 127 for diagnostic purposes.

o    Class B address uses the first and second octets to determine network ID.

§   Subnet mask is 255.255.x.x. First octet is between 128 and 191

o    Class C address uses the first, second, and third octet to determine network ID.

§   Subnet mask is 255.255.255.x. First octet is between 192 and 223

o    Class D address has the first octet between 224 and 239 (used for multicasting)

o    Class E address has the first octet between 240 and 254 (experimental use)

o    You can configure packet filters for TCP, UDP, and IP. This feature lets you specify what type of traffic to receive and on what ports, and it can be enabled per interface. ICMP packets cannot be filtered.
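The classful addressing rules above, worked through in code. This is an added example, not part of the study notes: `classify` and `split_address` are names chosen here, and the class ranges and default masks are taken from the notes. `split_address` also accepts a non-default mask, which goes beyond the classful case the notes describe.

```python
import ipaddress

# Added example (not part of the study notes): derive the class of an IPv4
# address from its first octet and apply a subnet mask to split the address
# into network ID and host ID, as the notes describe.

# Default (classful) masks as given in the notes; classes D and E have none.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(first_octet: int) -> tuple:
    """Return (class letter, note) for the first octet of an address."""
    if first_octet == 127:
        return "A", "reserved for diagnostics (loopback)"
    if first_octet == 10:
        return "A", "reserved for private addressing"
    if 1 <= first_octet <= 126:
        return "A", ""
    if 128 <= first_octet <= 191:
        return "B", ""
    if 192 <= first_octet <= 223:
        return "C", ""
    if 224 <= first_octet <= 239:
        return "D", "multicast"
    if 240 <= first_octet <= 254:
        return "E", "experimental"
    raise ValueError("first octet %d is not in any address class" % first_octet)


def split_address(address: str, mask: str) -> dict:
    """Apply a subnet mask: network ID keeps the masked bits, host ID the rest."""
    ip = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return {
        "network_id": str(ipaddress.IPv4Address(ip & m)),
        "host_id": str(ipaddress.IPv4Address(ip & (~m & 0xFFFFFFFF))),
    }


def classify(address: str) -> dict:
    """Class, note and (for classes A-C) the classful network/host split."""
    first = ipaddress.IPv4Address(address).packed[0]
    cls, note = ip_class(first)
    result = {"class": cls, "note": note}
    if cls in DEFAULT_MASK:
        result["mask"] = DEFAULT_MASK[cls]
        result.update(split_address(address, DEFAULT_MASK[cls]))
    return result


if __name__ == "__main__":
    for sample in ("209.151.129.1", "10.1.2.3", "172.16.5.130", "224.0.0.9"):
        print(sample, classify(sample))
    # A longer mask (subnetting) moves more bits into the network ID.
    print(split_address("172.16.5.130", "255.255.255.192"))
```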

·          Network protocol security – there are many types of network-based attacks, including eavesdropping (intercepting data on the network), compromise of data integrity, identity spoofing (an unauthorized system pretending to be authorized), denial of service (DoS) attacks (crashing systems), and man-in-the-middle attacks (compromising information as it is exchanged between two systems).

·          IPSec is a security protocol in Windows 2000 for protection of IP packets. It provides the following:

o    ESP (Encapsulating Security Payload) provides encryption of IP packets (data privacy)

o    AH (Authentication Headers) establish trust between communicating systems using shared or cryptography-based keys

o    Cryptography-based keys create digital checksum for each IP packet (data integrity)

o    Packet filtering controls IP communication (different than IPSec policy filter)

o    IPSec does not work with Windows NT4, 98, etc. It only works with Windows 2000 and XP machines

o    Windows group policies or local security policies include “IP Security Policies” that define rules about what specific IP traffic to filter, what authentication to use, and what actions to take for specific traffic type.

§   IP filters can be based on source / destination IP addresses, protocol types, and ports.

§   Filter actions can be configured with following settings:

·          Security Methods

o    Integrity Algorithm - HMAC (Hash Message Authentication Codes) signs packets to validate data integrity; two hashing algorithms are available:

§   MD5 (Message Digest 5) – uses 128-bit key

§   SHA (Secure Hash Algorithm) – uses 160-bit key – more secure

§   Both available with AH and ESP

o    Encryption Algorithm :

§   3DES (Data Encryption Standard) triple pass (default – more secure)

§   DES – Faster but less secure

§   Both available with ESP only

·          Perfect Forward Secrecy option ensures that session keys or keying material are not re-used.

§   Authentication methods can be:

·          Kerberos v5 (default)

·          Certificates (from certificate authority)

·          Secret password

·          IPSec SA (Security Associations)

o    SA is a set of parameters (contract) that defines services and mechanisms for secure communication, including key, security protocol, and SPI (Security Parameter Index).

o    ISAKMP (Internet Security Association and Key Management Protocol) is a standard developed by IETF that centralizes security association management, reducing connection time.

o    SPI is a unique identifier in SA used to distinguish among multiple SAs on the same computer.

o    Oakley generates and manages the authenticated keys used to secure the information.

·          IPSec example

o    Application on Computer A generates IP packet to send to Computer B

o    IPSec driver (inside TCP/IP stack) compares every packet against IPSec filters

o    If it is a match then associated action takes place (no security, optional security, require security, etc)

o    If security required Computer A negotiates security with Computer B using IKE (Internet Key Exchange) protocol

o    Computers exchange security credentials (authentication methods can be Kerberos authentication, public-key certificates, or a shared key (password)) and establish two SAs (Security Associations) between the two computers:

§   Phase 1 IKE SA – how the computers trust each other

§   Phase 2 IPSec SA – how to protect particular communication

o    Computer A signs and encrypts (if required) outgoing packet and sends over network to Computer B

o    The routers and hosts in-between are unaware of the encryption (they cannot see the data), they just forward IP packets

o    Computer B checks for packet integrity and decrypts data (if encrypted)
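A model of the first two steps of the example above (the driver comparing each packet against the policy's IP filters and choosing the filter action). This is an added example, not from the notes: `IPFilter`, `Packet`, `decide` and the sample policy are constructed here, and two details the notes do not state are assumed: when several filters match, the one with the fewest wildcards wins (ties go to the narrower address range), and a packet matching no filter is passed untouched.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not part of the study notes): how the IPSec driver compares
# each outgoing packet against the IP filters of a policy and applies the
# matching filter action. Assumptions not stated in the notes: the most
# specific matching filter wins, and an unmatched packet is sent as-is.

ANY = "any"


@dataclass
class IPFilter:
    src: str          # "any" or a CIDR network such as "10.0.0.0/8"
    dst: str
    protocol: str     # "any", "TCP", "UDP", "ICMP"
    dst_port: object  # "any" or an integer port
    action: str       # "permit" (no security), "block", "optional", "require"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def _in_range(address: str, network: str) -> bool:
    return network == ANY or ipaddress.IPv4Address(address) in ipaddress.IPv4Network(network)


def _matches(flt: IPFilter, pkt: Packet) -> bool:
    return (_in_range(pkt.src, flt.src)
            and _in_range(pkt.dst, flt.dst)
            and (flt.protocol == ANY or flt.protocol == pkt.protocol)
            and (flt.dst_port == ANY or flt.dst_port == pkt.dst_port))


def _specificity(flt: IPFilter) -> tuple:
    """Higher is more specific: number of fixed fields, then total prefix length."""
    fixed = sum(f != ANY for f in (flt.src, flt.dst, flt.protocol, flt.dst_port))
    prefix = sum(ipaddress.IPv4Network(n).prefixlen for n in (flt.src, flt.dst) if n != ANY)
    return (fixed, prefix)


def decide(filters: List[IPFilter], pkt: Packet) -> str:
    """Action the driver applies to pkt: the most specific matching filter's action."""
    matching = [f for f in filters if _matches(f, pkt)]
    if not matching:
        return "permit"  # no filter matched: packet passes untouched (assumption)
    return max(matching, key=_specificity).action


# Constructed sample policy: require IPSec everywhere, make it optional on the
# LAN, permit plain traffic to one legacy NT 4.0 host that cannot do IPSec
# (see the note above), and block Telnet to any destination.
SAMPLE_POLICY = [
    IPFilter(ANY, ANY, ANY, ANY, "require"),
    IPFilter(ANY, "10.0.0.0/8", ANY, ANY, "optional"),
    IPFilter(ANY, "10.0.0.20/32", ANY, ANY, "permit"),
    IPFilter(ANY, ANY, "TCP", 23, "block"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.5", "10.0.0.20", "TCP", 445),
                Packet("10.1.1.5", "10.0.0.20", "TCP", 23),
                Packet("10.1.1.5", "10.7.7.7", "UDP", 53),
                Packet("10.1.1.5", "192.0.2.7", "TCP", 80)):
        print(pkt.dst, pkt.protocol, pkt.dst_port, "->", decide(SAMPLE_POLICY, pkt))
```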

·          Use ipsecmon to check whether IPSec is enabled on the server and to view active IPSec Security Associations

DNS in Windows 2000 Environment

·          DNS (Domain Name System) is a hierarchical, distributed database which, together with a related set of protocols, allows computers to translate DNS names into IP addresses and vice versa. It consists of:

o    Schema (domain namespace) defining database hierarchy of domains and zones

o    Resource Records (RR) contained within this database, which map DNS domain names to different network resources. Most important RRs:

§   A (Hostname) maps DNS name to IP address

§   CNAME (Canonical Name Alias) maps DNS name to another A (Hostname)

§   PTR (Pointer) maps IP address to a DNS name

§   SRV (Service Locator) allows multiple servers providing a similar TCP/IP-based service to be located using a single DNS query operation.

o    Mechanisms for querying and updating the domain database served by

§   DNS servers, which store and answer name queries for resource records.

§   DNS clients (resolvers) which query servers to resolve names to a type of resource record specified in the query

o    Mechanisms for replicating the domain database among multiple servers

§   Full and incremental zone transfers

·          There are different types of domain names in DNS:

o    FQDN (Fully Qualified Domain Name) consists of a domain name stating the absolute location within the hierarchy, ending with a period (for example: www.dabrowski.ca.)

o    Single-label, unqualified domain name contains no periods (for example: www)

o    Multiple-label, unqualified domain name contains one or more periods but is not terminated with a period (for example: www.dabrowski)

·          DNS Resolution Process

Reference: Good explanation of DNS name resolution and how it all works (Title: Windows 2000 DNS): (http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_absq.asp)

o    DNS Client (resolver) receives name to be resolved to IP address (from user, software, web browser, etc)

o    If name is FQDN (terminated by dot) the client forwards directly to DNS server (according to configuration of DNS servers list)

o    If name is Unqualified Multiple-label the client adds ending dot and forwards to DNS server

§   If resolution fails client starts adding various DNS suffixes (followed by ending dot to make it FQDN) and re-forwarding to DNS server according to configuration of the DNS tab in the TCP/IP properties dialog box.

o    If name is Unqualified Single-label the client starts adding various DNS suffixes (same as in case above) and forwarding to DNS server.

o    Note: In every case above, once the FQDN is established and just before sending the request to the DNS server, the client checks the local DNS cache for a match. Entries from the local HOSTS file are pre-loaded into the DNS cache as well, so they take precedence over names held by the DNS server. If no match is found the DNS client forwards the request to the DNS server.

o    Successful resolutions are saved in the local cache for TTL (Time To Live) time specified on the client.

o    How appending of DNS suffixes works (in order to make it FQDN) :

§   Primary DNS suffix configured through System (Control Panel), Computer Name tab.

§   Connection Specific DNS suffix configured through Advanced TCP/IP Settings, DNS tab for each network card / network connection.

§   DNS suffix search list configured through same tab.

§   If Append Primary and Connection Specific DNS Suffixes option is selected client first appends primary DNS suffix, submits to DNS server and if response fails appends each connection specific suffix.

·          If option Append Parent Suffixes of the Primary DNS Suffix enabled, client also tries adding parent suffixes of the primary up to the second level domain. For example, if primary DNS suffix is dev.wcoast.microsoft.com and you type ping xyz at a command prompt, the computer also queries for xyz.wcoast.microsoft.com and xyz.microsoft.com.

§   If Append These DNS Suffixes option is selected the client ignores the primary and connection-specific suffixes and appends each suffix from the list in Advanced TCP/IP Settings.

o    HOSTS file resides in C:\WINNT\system32\drivers\etc (it’s a text file with no extension), each line is new entry, first is IP address followed by host name separated by space.

o    When DNS client receives response for a host (A) that includes multiple IP addresses, the IP address that is on the same subnet as the client takes precedence and is used.
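The resolution steps above as code: building the ordered list of FQDNs the client tries for a given name, then checking the local cache (with HOSTS pre-loaded) before each query. This is an added example, not from the notes: `candidates`, `resolve`, `parent_suffixes` and the sample names are constructed here, and one ordering the notes leave open is assumed, namely that the parent suffixes of the primary suffix are tried right after the primary suffix and before the connection-specific ones.

```python
from typing import Callable, Dict, List, Optional

# Added example (not part of the study notes): the list of fully qualified
# names a Windows 2000 resolver submits for a name, following the suffix rules
# in the notes, and a resolver that consults the local cache first.
# Assumption not stated in the notes: parent suffixes of the primary suffix
# come immediately after the primary suffix, before connection-specific ones.


def parent_suffixes(primary: str) -> List[str]:
    """Parents of the primary suffix down to (and including) the second-level domain."""
    labels = primary.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def candidates(name: str, primary: str, connection_specific: List[str],
               search_list: List[str], append_parent: bool = False,
               use_search_list: bool = False) -> List[str]:
    """FQDNs (with trailing dot) in the order the client submits them."""
    if name.endswith("."):
        return [name]                      # already an FQDN: send as-is
    tried: List[str] = []
    if "." in name:
        tried.append(name + ".")           # multi-label: try it as an FQDN first
    if use_search_list:                    # "Append these DNS suffixes"
        suffixes = list(search_list)
    else:                                  # "Append primary and connection specific"
        suffixes = [primary] if primary else []
        if append_parent and primary:
            suffixes += parent_suffixes(primary)
        suffixes += connection_specific
    for suffix in suffixes:
        fqdn = "%s.%s." % (name, suffix)
        if fqdn not in tried:              # skip duplicates (same suffix twice)
            tried.append(fqdn)
    return tried


def resolve(name: str, cache: Dict[str, str], query: Callable[[str], Optional[str]],
            **settings) -> Optional[str]:
    """Check the local cache (HOSTS entries pre-loaded) before each server query."""
    for fqdn in candidates(name, **settings):
        if fqdn in cache:
            return cache[fqdn]
        answer = query(fqdn)
        if answer:
            cache[fqdn] = answer           # kept until its TTL expires (not modelled)
            return answer
    return None


if __name__ == "__main__":
    # The notes' example: primary suffix dev.wcoast.microsoft.com, "ping xyz".
    print(candidates("xyz", "dev.wcoast.microsoft.com", ["corp.example"], [],
                     append_parent=True))
    hosts_cache = {"intranet.dabrowski.ca.": "10.0.0.5"}        # constructed HOSTS entry
    fake_dns = {"www.dabrowski.ca.": "209.151.129.1"}.get       # stands in for the server
    print(resolve("intranet", hosts_cache, fake_dns, primary="dabrowski.ca",
                  connection_specific=[], search_list=[]))      # answered from cache
    print(resolve("www", hosts_cache, fake_dns, primary="dabrowski.ca",
                  connection_specific=[], search_list=[]))      # answered by the server
```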

·          DNS Servers

o    In Windows 2000 DNS Server is installed through the “Add/Remove Windows Components” applet of Control Panel (under the “Networking Services” section). It is not installed by default.

o    Zone (physically) is a file containing resource records for a particular domain and its sub-domains, (logically) is data represented in zone file(s).

§   Forward lookup zones are standard lookup zones providing name to IP address resolution.

§   Reverse lookup zones provide IP address to name resolution. They contain only PTR records (in addition to the standard SOA and NS records).

§   Typically one forward lookup zone is created for each domain name and one reverse lookup zone is created for each IP subnet or class C.

o    Primary name server is where all changes to the DNS database for a specific zone are made. There is only one primary server per DNS zone (the only exception is an Active Directory Integrated zone).

o    Secondary name servers receive copies of the zone records from primary server via zone transfer

o    Caching-only server is a DNS server with no zones; it forwards queries to other zone-holding servers and caches the results based on TTL.

o    SOA (Start Of Authority) RR specifies primary server and other info related to zone transfer, renewal and expiration.

o    Master server is a server responsible for zone transfer. Master server can be either primary or secondary.

o    DNS server can be configured to store and load zone data from three sources:

§   Files: each zone is stored in separate file and boot data in a boot file on local server

§   Registry: zone data is stored in Windows registry

§   Active Directory and Registry: zone data is stored in both Active Directory and Windows registry.

o    Root Hints are authoritative name servers on the internet used for resolution of domains that are not stored on this server.

§   Root hints are loaded according to the settings above (file, registry, or AD).

·          Zone transfer replicates DNS zone data from one name server to another.

o    Full or Incremental (only Win 2000 supports incremental in addition to full. Earlier versions support Full only)

o    In incremental zone transfer master server maintains version history for the zone including all changes.

o    When incremental zone transfer is attempted an IXFR query instead of standard AXFR query is sent to master server.

o    SOA record for the zone tells secondary servers when to poll master server for zone transfer. (in both incremental and full)

o    Local DNS server configuration of secondary zone tells which server is master and should be contacted for zone transfer.


·          Active Directory Integrated zones are replicated among all domain controllers within Active Directory domain

o    All domain controllers in AD-integrated zone act as primary servers accepting changes

o    Can only be created on servers that are also AD controllers

o    AD-integrated zones are using multimaster replication because multiple master servers can update the zone.

o    In case of update collision the last entry written to database wins.

o    Standard zone transfers to a secondary server can be also done from AD-integrated domain server

o    Zone Conversions:

§   Standard primary and secondary zones can be converted to AD-integrated zones.

§   AD-integrated zones can be converted to standard primary zones

o    When creating a new Active Directory domain an equivalent AD-integrated DNS forward lookup zone can also be created by the wizard. (Reverse lookup zone is not created by the wizard. Has to be created manually afterwards).

o    Reverse lookup zones (containing PTR records) are not required for Active Directory operation.

·          Dynamic DNS Updates are performed by “DHCP Client” service running on Windows 2000 Server or Workstation.

o    Dynamic updates by a client happen when:

§   TCP/IP configuration on the client is changed

§   DHCP address is renewed or new lease obtained by the client

§   Network interface event occurs (ex. Plug & Play event involving plugging a network cable)

§   IP address is added or removed manually on the client

§   Every 24 hours

o    Only Windows 2000 clients can update A (forward lookup) records and PTR (reverse lookup) records. Windows 2000 clients update A record and let DHCP server update PTR record unless instructed otherwise (see DHCP section on DNS integration for more info). Other clients need DHCP server to perform both updates for them.

o    If the DHCP server does not support dynamic updates (or is not configured for them), the Win 2000 client registers both A and PTR records itself.

o    During a dynamic update the client first queries its DNS server to find the primary server for the zone it is updating, then contacts that primary name server directly with the dynamic update request.

o    Dynamic DNS updates are not required for Active Directory operation.

·          Secure Dynamic DNS Updates allow only authorized users or groups to perform dynamic updates (as per ACLs)

o    Available only with AD-integrated zones

o    Default option when creating AD-integrated zone but not enabled when zone converted from standard.

·          WINS integration allows DNS server to be redirected to a WINS server for resolution.

o    To enable this add special WINS resource record to the zone pointing to the WINS server.

o    For reverse lookup zones add WINS-R record.

·          Other non-Microsoft DNS servers can be used with Active Directory, but:

o    DNS server authoritative for the Netlogon service names must support SRV (service) RRs (resource records)

§   Windows 2000, Windows NT 4.0 (with Service Pack 4 or higher), and BIND 4.9.6

o    Reverse lookups and dynamic updates are not required for AD.

o    RFC 1123 allows only a-z, A-Z, and 0-9 characters to be used in DNS. This can be problematic when NetBIOS names are used since they allow other characters to be used.

·          For older secondary BIND unix DNS servers enable “BIND Secondaries” server option in the Advanced tab of DNS server properties.

·          DNS Administration and Troubleshooting

o    DNS MMC snap-in is used for administration of a DNS server

o    Nslookup is used for querying DNS servers and troubleshooting various problems. Nslookup is a DNS client that connects to the server.

o    Ipconfig is used to view IP configuration (including DNS info). The following switches are relevant.

§   /registerdns attempts to register client name and IP address in DNS

§   /flushdns clears DNS cache on the client

§   /displaydns displays DNS cache on the client

o    netdiag (located on original Windows 2000 CD-Rom in D:\Support\tools\support.cab). Allows more extensive testing.

o    Event Viewer and DNS Log to view activity and error messages

DHCP in Windows 2000 Environment

·          DHCP (Dynamic Host Configuration Protocol) allows client computers to obtain their IP addresses and other relevant configuration from centrally managed server.

·          To install DHCP service on Windows 2000 Server use Add / Remove Windows Components (DHCP server is option under Network Components)

·          DHCP “leases” the IP addresses to client computers that are enabled for DHCP. The lease process consists of four steps: request, offer, selection, and acknowledgement.

o    Request – Client computer broadcasts DHCPDISCOVER message (containing MAC address, and NetBIOS name of the computer)

§   If request fails it retries 4 times in 2, 4, 8, 16 second intervals. If all tries fail it assigns (if client is Windows 2000 or Win 98) APIPA address (Automatic Private IP Address) in range 169.254.0.0, and continues to retry sending DHCPDISCOVER every 5 minutes.

o    Offer – DHCP server broadcasts back DHCPOFFER message (containing DHCP MAC address, DHCP IP address, IP address offered to the client (temporarily reserved on the server) with subnet mask, lease time, and the MAC address of the client).

o    Selection – Client sends DHCPREQUEST message requesting the offered IP address (the message includes the DHCP server’s IP address so other servers ignore this message).

o    Acknowledgement - Server sends DHCPACK acknowledging the IP address has been leased to the client. The message includes additional DHCP options.

§   If DHCPNAK is received the client restarts the whole process.
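The four-step exchange above, simulated with two DHCP servers on one segment so the "other servers ignore the DHCPREQUEST" rule and the DHCPNAK restart are visible. This is an added example, not from the notes: `Scope`, `DhcpServer`, `obtain_lease` and the message dicts are constructed here for illustration and are not the real wire format; the scope uses the range, exclusion and reservation settings described in the notes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example (not part of the study notes): simulation of the lease exchange
# (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK/DHCPNAK) with two servers on
# one segment. Classes and message fields are constructed, not the wire format.


@dataclass
class Scope:
    start: str
    end: str
    mask: str = "255.255.255.0"
    exclusions: Set[str] = field(default_factory=set)
    reservations: Dict[str, str] = field(default_factory=dict)   # MAC -> IP
    options: Dict[int, object] = field(default_factory=dict)     # e.g. {3: router}
    lease_seconds: int = 8 * 24 * 3600                           # 8-day default


class DhcpServer:
    def __init__(self, server_ip: str, scope: Scope):
        self.ip, self.scope = server_ip, scope
        self.offered: Dict[str, str] = {}   # MAC -> address temporarily reserved
        self.leases: Dict[str, str] = {}    # MAC -> leased address

    def _pick_address(self, mac: str) -> Optional[str]:
        """Reserved address if one exists, else the first free, non-excluded one."""
        if mac in self.scope.reservations:
            return self.scope.reservations[mac]
        taken = (set(self.scope.reservations.values())
                 | set(self.offered.values()) | set(self.leases.values()))
        lo = int(ipaddress.IPv4Address(self.scope.start))
        hi = int(ipaddress.IPv4Address(self.scope.end))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip not in self.scope.exclusions and ip not in taken:
                return ip
        return None                          # scope exhausted: stay silent

    def handle(self, msg: dict) -> Optional[dict]:
        """Process one broadcast; None means this server does not reply."""
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._pick_address(mac)
            if ip is None:
                return None
            self.offered[mac] = ip
            return {"type": "DHCPOFFER", "server_id": self.ip, "yiaddr": ip,
                    "mask": self.scope.mask, "lease": self.scope.lease_seconds, "mac": mac}
        if msg["type"] == "DHCPREQUEST":
            if msg["server_id"] != self.ip:
                self.offered.pop(mac, None)  # client chose another server: free our offer
                return None
            if self.offered.get(mac) == msg["requested_ip"]:
                self.leases[mac] = self.offered.pop(mac)
                return {"type": "DHCPACK", "server_id": self.ip, "yiaddr": msg["requested_ip"],
                        "lease": self.scope.lease_seconds, "options": dict(self.scope.options)}
            return {"type": "DHCPNAK", "server_id": self.ip}
        return None


def obtain_lease(mac: str, servers: List[DhcpServer], attempts: int = 2) -> Optional[dict]:
    """Client side: broadcast DISCOVER, take the first OFFER, REQUEST it, expect ACK."""
    for _ in range(attempts):
        discover = {"type": "DHCPDISCOVER", "mac": mac, "netbios_name": "WS-" + mac[-5:]}
        offers = [o for o in (s.handle(discover) for s in servers) if o]
        if not offers:
            return None                      # no server answered: client would use APIPA
        chosen = offers[0]
        request = {"type": "DHCPREQUEST", "mac": mac,
                   "server_id": chosen["server_id"], "requested_ip": chosen["yiaddr"]}
        replies = [r for r in (s.handle(request) for s in servers) if r]
        if replies and replies[0]["type"] == "DHCPACK":
            return replies[0]
        # DHCPNAK: restart the whole process from DISCOVER
    return None


if __name__ == "__main__":
    lan = Scope("10.1.0.10", "10.1.0.20", exclusions={"10.1.0.10"},
                reservations={"00-11-22-33-44-55": "10.1.0.15"},
                options={3: "10.1.0.1", 6: ["10.1.0.5"]})
    servers = [DhcpServer("10.1.0.2", lan), DhcpServer("10.1.0.3", Scope("10.1.0.10", "10.1.0.20"))]
    print(obtain_lease("00-11-22-33-44-55", servers))   # gets the reserved 10.1.0.15
    print(obtain_lease("00-aa-bb-cc-dd-ee", servers))   # gets 10.1.0.11 (.10 is excluded)
```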

·          A scope needs to be configured and activated for each subnet on which the DHCP server will be assigning IP addresses. A scope can have the following settings:

o    IP address range – contains range of the IP addresses assigned to clients by this scope

o    Exclusions – part of the IP address range to exclude from being assigned

o    Reservations – IP addresses in the scope reserved for specific computers (assigned by MAC addresses)

§   Only MAC and IP address of the client is required to make reservation (both DHCP and BOOTP)

o    Client types – allows selecting BOOTP or DHCP clients. For BOOTP a BOOTP table needs to be created specifying boot image file name, server path to image, and TFTP file server address.

o    DHCP lease time – specifies how long IP addresses are leased for – 8 days is the default

o    DHCP options – including:

§   Server options – (global options) options specific to all scopes on the server

§   Scope options- options specific to scope

§   Reserved client options – options specific to reserved IP address – most granular

§   All of above options can be overridden by specific user and vendor class options

·          User classes are specific options applied to specific types of users (remote users, local users, etc)

·          Vendor classes are specific options for specific type of the vendor devices

§   Most common DHCP options:

·          003 – Router – IP address of default gateway

·          006 – DNS Servers – IP addresses of DNS servers

·          015 – DNS Domain Name – domain name

·          044 – WINS Servers – IP addresses of WINS Servers

§   Options are applied in the following order:

·          Server options then user and vendor class options for that server

·          Scope options then user and vendor class options for that scope

·          Reserved client options then user and vendor options for that reservation
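The option precedence just listed, applied to a constructed configuration. This is an added example, not from the notes: `effective_options`, `describe` and the sample server/scope/reservation data are constructed here, and one detail the notes do not state is assumed, namely that within a level the user class options are applied before the vendor class options.

```python
from typing import Dict, Optional

# Added example (not part of the study notes): compute the options a DHCP
# client ends up with by applying server, scope and reserved-client options in
# the order the notes give, with user/vendor class options overriding at each
# level. Assumption not stated in the notes: within a level, user class
# options are applied before vendor class options.

OPTION_NAMES = {3: "Router", 6: "DNS Servers", 15: "DNS Domain Name", 44: "WINS Servers"}


def effective_options(server: dict, scope: dict, reservation: Optional[dict],
                      user_class: Optional[str] = None,
                      vendor_class: Optional[str] = None) -> Dict[int, object]:
    """Merge option levels; later assignments override earlier ones.

    Each level is a dict: {"options": {code: value}, "classes": {class: {code: value}}}.
    """
    result: Dict[int, object] = {}
    for level in (server, scope, reservation):
        if not level:
            continue                                   # no reservation for this client
        result.update(level.get("options", {}))        # the level's plain options ...
        for cls in (user_class, vendor_class):         # ... then its class overrides
            if cls:
                result.update(level.get("classes", {}).get(cls, {}))
    return result


def describe(options: Dict[int, object]) -> Dict[str, object]:
    """Readable view keyed by '003 Router' style names."""
    return {"%03d %s" % (code, OPTION_NAMES.get(code, "Unknown")): value
            for code, value in sorted(options.items())}


# Constructed sample configuration.
SERVER = {"options": {6: ["10.0.0.1"], 15: "dabrowski.ca", 44: ["10.0.0.2"]},
          "classes": {"Remote users": {15: "remote.dabrowski.ca"}}}
SCOPE = {"options": {3: "10.1.0.1", 6: ["10.1.0.5"]},
         "classes": {"Remote users": {6: ["10.1.0.9"]}}}
RESERVATION = {"options": {3: "10.1.0.254"}}

if __name__ == "__main__":
    print(describe(effective_options(SERVER, SCOPE, None)))
    print(describe(effective_options(SERVER, SCOPE, RESERVATION, user_class="Remote users")))
```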

·          Superscope is a group of different scopes. Required for multinet (multiple subnets on same network) environments.

o    Superscope allocates IP addresses from either of the member scopes.

·          Multicast scopes – allows assignment of IP addresses to multicast clients (multicast allows one IP to send packets to multiple IPs at the same time – used for broadcasting).

o    IP addresses in multicast scopes must be in range of class D addresses.

o    Multicast scopes do not support any configuration options.

·          DHCP client tries twice to renew the lease (renew = keep the same IP address)

o    At 50% of the lease time sends DHCPREQUEST – (if DHCPACK is received the lease is renewed)

o    At 87.5% of the lease time sends DHCPREQUEST (if there is no response, then at the end of the lease it restarts the lease process from the beginning).

·          Hard-coded IP information on the client always overwrites any options received from the DHCP server.

·          Windows 2000 DHCP server installed on a member server or domain controller needs to be authorized within the Active Directory before it can assign IP addresses.

o    There are security issues when DHCP server is installed on Domain Controller server (see note under DNSUpdateProxy section below)

·          DHCP Relay Agent is used to pass the communication from the client residing on different subnet to the DHCP server.

o    RFC 2131 compliant router can forward DHCP and BOOTP messages between subnets.

o    Windows 2000 or Windows NT server configured as a router can be configured as DHCP Relay Agent. You will need to add DHCP servers to the configuration.

§   In Windows 2000 this is an option in Routing and Remote Access

·          DNS integration – DHCP server can dynamically update DNS servers with the FQDN-to-IP-address mappings of the clients it assigns addresses to.

o    DHCP can update DNS for all client computers that support DHCP (WFW311, Win95, Win 98, NT, 2000, etc)

o    DNS integration is configured per scope.

o    Default configuration is to enable DNS integration. (option: “Automatically update DHCP client information in DNS” is enabled)

§   Sub-option: “Update DNS only if DHCP client requests” allows Windows 2000 client computer to update “A” record directly with DNS server, while “PTR” (reverse lookup) record is updated by DHCP server.

§   Sub-option: “Always update DNS” says that DHCP server will update both “A” and “PTR” for Windows 2000 client.

o    Option “Enable updates for DNS clients that do not support dynamic update” will make DHCP server update DNS for older clients (Win95, 98, etc).

o    Only Win 2000 clients can update “A” records directly. Older clients need DHCP server to update for them.

o    DNSUpdateProxy global group is a special group whose members can update DNS server records, without taking ownership of those records.

§   Typically DHCP server machines belong to this group (so they can make updates in DNS)

§   If DHCP server is domain controller do not place it in this group – because it has full control of all records in DNS, which may contain Active Directory information.

·          DHCP Manager MMC snap-in is used to manage and monitor DHCP server

·          The DHCP Users group provides a way to grant read-only console access to the DHCP server.

·          Use Event Viewer to gather logs containing information relevant to operation of DHCP server

·          Use Network Monitor to “sniff” DHCP related network traffic

·          Use Performance Monitor and specific performance objects related to DHCP to track details related to DHCP operation.

·          Enable DHCP Audit Logging (through DHCP Manager) to log detailed information about DHCP server operation.

·          Use IPCONFIG command with following switches (on the client Windows NT/2000 computers):

o    /ALL to see all IP information as received from DHCP server

o    /RENEW to renew IP address (sends DHCPREQUEST) or obtain new one (sends DHCPDISCOVER), in both cases all DHCP options are also retrieved.

o    /RELEASE to release the IP address

·          Always have at minimum one DHCP server for each network segment (or use Relay Agent)

·          Use the 80/20 design rule for balancing scope distribution of addresses where multiple DHCP servers are deployed to service the same scope. (For explanation of this rule and more information on DHCP best practices see Windows 2000 Server Help – index “DHCP clients” / “best practices”)


Remote Access

·          Remote access services are provided by “Routing and Remote Access Server” (RRAS) function of Windows 2000 Server.

·          To enable remote access use RRAS MMC, select computer name and select “Configure and Enable Routing and Remote Access”.

o    You can configure specific network protocols supported for remote access: TCP/IP(default), NetBEUI, IPX, AppleTalk

o    For dial-in connections specify IP address assignment (from existing DHCP server or manually configured IP pool)

o    If assigning IPs via DHCP a DHCP relay agent has to be configured with the DHCP server’s IP address.

·          Two kinds of remote access connections: Dial-Up and VPN

·          Dial-Up (modem access over telephone or dedicated ISDN / DSL line)

o    Dial-up connections in Windows 2000 can be outgoing or incoming.

o    For incoming connections RADIUS server can be used for central authentication.

o    Two protocols used for dial-up:

·          PPP protocol (Point to Point Protocol) (inbound/outbound) (default)

·          Because it is used by both Dial-Up and VPN it is configured at server level (RRAS server Properties)

·          Multilink option merges multiple physical links into one logical connection to increase bandwidth.

·          BAP or BACP (Bandwidth Allocation Protocol) allows control of multilink connections dynamically through policies (based on the percentage of bandwidth used). Can drop unnecessary multilink connections or establish new ones if more bandwidth required.

·          LCP (Link Control Extensions) – additional PPP packets configuring the physical link (such as time remaining and call-back features).

·          Software Compression – allows MPPC (Microsoft Point to Point Compression) to compress data

·          SLIP protocol (Serial Line Internet Protocol) (outbound dial-up only)

·          VPN (Virtual Private Network) over existing IP connection

o    VPN Server (Win 2000 Server machine receiving incoming VPN connections from the Internet)

·          Usually server receiving VPN connections has 2 network interfaces, one to Internet and one to local network.

·          During setup choose dedicated network interface to receive VPN connections on (this interface will be automatically configured with input / output filters to allow only VPN traffic)

o    VPN Client (Windows client machine connecting to corporate VPN server to gain access to private network)

·          Usually two connections are involved; first one dial-up to local ISP, second VPN to corporate VPN server (tunneled over first one once established)

o    Two protocols used for VPN:

·          PPTP (Point to Point Tunneling Protocol) less secure

·          PPP protocol encapsulated over IP connection

·          Configured through Port properties (in RRAS MMC) – (configure as inbound or inbound and outbound, also configure number of ports – 1 user connection takes one port)

·          L2TP (Layer 2 Tunneling Protocol) usually more secure

·          Combination of PPTP and Layer 2 forwarding encapsulated over IP, X.25, Frame Relay or ATM connections.

·          Configured through Port properties (in RRAS MMC).

·          Authentication of Remote Access connections – the following authentication methods are supported by PPP connections (and because PPTP and L2TP encapsulate PPP they support the same authentication methods).

o    PAP (Password Authentication Protocol) – using clear text authentication

o    SPAP (Shiva Password Authentication Protocol) – used primarily by Shiva in their products – uses some level of encryption during authentication.

o    CHAP (Challenge Handshake Authentication Protocol) a challenge-response with one-way MD5 hashing on the response.

o    MS-CHAP (Microsoft Challenge Handshake Auth. Protocol) a challenge-response with MD4 encryption on response.

o    MS-CHAP2 (version 2) - mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.

o    EAP (Extensible Authentication Protocol) provides support for a wide range of authentication methods, including token cards, one-time passwords, and public key authentication using smart cards.

·          L2TP authentication is done at two levels: computer and user

o    Computer is authenticated first (by IPSec). Requires a computer certificate on the client computer and on the VPN server.

o    User is authenticated second, inside the tunnel, using the PPP authentication protocols above.

·          Encryption of Remote Access data

o    MPPE (Microsoft Point-to-Point Encryption) (only for dial-up PPP and VPN PPTP connections)

§   Configure on Encryption tab / properties of a remote access policy to use 40-bit (Basic), 56-bit (Strong), or 128-bit (Strongest) encryption keys

§   Only EAP-TLS (Transport Layer Security), MS-CHAP, and MS-CHAP2 authentication protocols support MPPE! (MPPE keys are derived from these exchanges; PAP, SPAP and CHAP give the two sides no shared key material.)

o    IPSec encryption only for VPN L2TP protocol.

§   IPSec encryption is configured through IPSec policy (group policy or local machine policy)

§   In addition to encryption of the data, IPSec allows for Data Authentication using:

·          HMAC-MD5 (Hash Message Authentication Code using Message Digest 5)

·          HMAC-SHA1 (HMAC using the Secure Hash Algorithm) – the stronger of the two

·          Remote Access Policies – are conditions that govern which users can connect via Remote Access and what are their configurations.

o    Configured through “Remote Access Policies” section of RRAS MMC.

o    In order for any user to be allowed through Remote Access at least one policy must exist.

o    Each policy contains the following elements Conditions, Permissions, and Profile:

o    Policy Conditions – attributes that are compared with the connection’s properties when a remote user attempts to connect to the remote access server.

·          Each policy can contain multiple conditions.

·          When multiple attributes exist all must match in order for connection to be successful.

·          Most important attributes:

·          Windows-Groups – single or multiple Windows groups

·          Day-And-Time-Restriction – time conditions of the policy

·          Tunnel-Type – connection type (PPTP or L2TP) allowed or disallowed for this policy

·          For example, if a policy’s conditions are the “Toronto” Windows group and L2TP as the Tunnel-Type, the policy applies only to a user who is a member of Toronto and connects via L2TP; a user who fails either condition is evaluated against the next policy instead.

o    Permissions – two configuration areas determine whether user is allowed remote access or not.

·          Dial-In tab permissions in user’s properties (Active Directory Users and Computers MMC) can be set to:

·          Allow access

·          Deny access

·          Control access through Remote Access Policy

NOTE: User property “Control access through Remote Access Policy” is not available when domain is in mixed mode (domain must be in native mode for this option to be enabled)

·          Remote Access Policy conditions and permissions – whether all the conditions in the policy are met or not and whether this policy allows access or denies

·          When user connects via Remote Access the following takes place in this order:

1.        Policies are evaluated in the order listed; the conditions of each Remote Access Policy are checked against the connection’s properties (such as the user’s group membership, tunnel type, dialed number, etc).

§   If no policies exist user is denied access

§   If policy conditions do not match the next policy is checked; if no other policies exist access is denied.

§   The first policy whose conditions all match is used; later policies are never consulted for this connection, so policy order matters.

2.        If policy conditions match the user then user’s Remote Access Permissions (Dial-In tab) are checked

§   If set to Allow access user is allowed access (the policy’s own Grant/Deny setting is ignored; the profile still applies)

§   If set to Deny access user is denied access (Deny access is the default for new accounts in a mixed-mode domain)

3.        If user’s Remote Access Permissions (Dial-In tab) are set to “Control access through Remote Access Policy” (the default for new accounts in a native-mode domain) then the permission setting of that policy is checked.

§   If set to Grant remote access permission user is allowed, otherwise denied access.

4.        Finally the profile of the matching policy is applied; if the connection cannot meet the profile settings it is disconnected.
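Added example, not from these notes: the evaluation order above as a small Python model, run against a constructed policy set and several constructed connection attempts. The attribute semantics are simplified to the three conditions named in the notes (Windows-Groups, Tunnel-Type, Day-And-Time-Restriction) and two profile settings (allowed authentication methods, allowed encryption levels); “member of any listed group” for Windows-Groups is an assumption of the model. The point it makes visible is that the first matching policy decides, that Allow access on the Dial-In tab overrides a Deny in the policy, and that a granted connection can still be dropped by the profile.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Dial-In tab settings on the user account (Active Directory Users and Computers)
ALLOW = "Allow access"
DENY = "Deny access"
CONTROL = "Control access through Remote Access Policy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, object]          # attribute name -> required value
    grant: bool                            # policy permission: True = Grant, False = Deny
    profile: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Attempt:
    user: str
    dial_in: str                           # ALLOW / DENY / CONTROL
    groups: Set[str]
    tunnel_type: str                       # "PPTP", "L2TP" or "Dial-up"
    hour: int                              # local hour of the attempt, 0-23
    auth: Set[str]                         # methods the client can negotiate
    encryption: Set[str]                   # "None", "Basic", "Strong", "Strongest"


def conditions_match(policy: Policy, a: Attempt) -> bool:
    """All conditions of a policy must hold for the policy to apply."""
    for attr, wanted in policy.conditions.items():
        if attr == "Windows-Groups" and not a.groups & set(wanted):
            return False                   # assumption: member of any listed group matches
        if attr == "Tunnel-Type" and a.tunnel_type != wanted:
            return False
        if attr == "Day-And-Time-Restriction":
            start, end = wanted            # simplified to one hour range per day
            if not start <= a.hour < end:
                return False
    return True


def profile_satisfied(policy: Policy, a: Attempt) -> bool:
    """Profile settings the connection cannot meet cause a disconnect."""
    need_auth = policy.profile.get("auth")
    if need_auth and not a.auth & need_auth:
        return False
    need_enc = policy.profile.get("encryption")
    if need_enc and not a.encryption & need_enc:
        return False
    return True


def evaluate(policies: List[Policy], a: Attempt) -> Tuple[str, Optional[str]]:
    """Windows 2000 RRAS order: first policy whose conditions match decides;
    then the account's Dial-In permission; then (only for CONTROL) the policy
    permission; then the profile. Returns (decision, name of policy used)."""
    for p in policies:                     # policies are evaluated in their listed order
        if not conditions_match(p, a):
            continue
        if a.dial_in == DENY:
            return "deny", p.name
        if a.dial_in == CONTROL and not p.grant:
            return "deny", p.name
        if not profile_satisfied(p, a):
            return "deny", p.name          # permitted, but cannot meet the profile
        return "allow", p.name
    return "deny", None                    # no matching policy, or no policies at all


# Constructed policy set, in the order an administrator listed them
POLICIES = [
    Policy("Toronto L2TP only",
           {"Windows-Groups": ["Toronto"], "Tunnel-Type": "L2TP",
            "Day-And-Time-Restriction": (7, 19)},
           grant=True,
           profile={"auth": {"MS-CHAP2", "EAP"}, "encryption": {"Strong", "Strongest"}}),
    Policy("Catch-all deny", {}, grant=False),
]

if __name__ == "__main__":
    alice = Attempt("alice", CONTROL, {"Toronto"}, "L2TP", 10, {"MS-CHAP2"}, {"Strongest"})
    bob = Attempt("bob", CONTROL, {"Toronto"}, "PPTP", 10, {"MS-CHAP2"}, {"Strongest"})
    carol = Attempt("carol", ALLOW, {"Ottawa"}, "PPTP", 23, {"PAP"}, {"None"})
    for who in (alice, bob, carol):
        print(who.user, evaluate(POLICIES, who))
```

carol is the case to notice: her account says Allow access, so the catch-all policy’s Deny permission is skipped and she gets in over PPTP with PAP. A policy-based deny only works for accounts set to Control access through Remote Access Policy.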

o    Policy Profile – is specific configuration to be applied to connection when particular Remote Access policy is in effect.

§   If user’s connection is unable to meet these settings the connection is dropped.

§   The following profile configuration categories exist: Dial-In Constraints, IP, Multilink, Authentication, Encryption, and Advanced.

·          Dial-In Constraints – limits placed on the connection (the phone-number and media restrictions are meaningful only for dial-up; the idle and session limits also apply to VPN connections), such as:

·          Disconnect if idle for number of minutes

·          Restrict session duration to number of minutes

·          Restrict access to specific days and times

·          Restrict access to specific phone number

·          Restrict Dial-In media – such as telephone line, ISDN, T1, etc.

·          IP – specific settings, such as IP address assignment (by server, by client, or as per server’s configuration). Also input and output IP filters can be defined.

·          Multilink – settings for dial-in users: whether multilink is allowed or disabled and, if allowed, the maximum number of ports. BAP is configured here as well (the BAP option is: reduce a multilink connection by one line if the lines fall below (default 50%) of capacity for a period of (default 2) minutes).

·          Authentication – enforces which PPP authentication methods are allowed for dial-in and VPN connections (any combination can be selected; if several are allowed the client and server negotiate one they both support, the server offering the most secure first):

·          EAP (using either MD5 challenge or smartcard/certificate)

·          MS-CHAP 2

·          MS-CHAP

·          CHAP

·          PAP, SPAP (listed together as “Unencrypted authentication”; PAP is clear text, SPAP reversibly encrypted)

·          Do not require any authentication

·          Encryption levels (no encryption, basic, strong, and strongest)

·          Advanced settings allow to assign specific RADIUS attributes if RADIUS (IAS) server is used.

·          Remote Access Management and Monitoring

o    Configure user’s Remote Access permissions using “Active Directory Users and Computers” MMC (User properties, Dial-In tab) and “Routing and Remote Access” MMC (this one is also used for monitoring of connections).

o    Use Event Viewer for RRAS logging.

o    The following are options in User properties Dial-In tab that can be configured per each user:

·          Remote Access Permissions (see section above on Policy Permissions) – this applies to dial-in and VPN users

·          Verify Caller ID – restricts user to always dial from one phone number

·          Callback options – allows user to be called back at specified number for additional security

·          Assign static IP address – allows user to always receive the same IP address

·          Apply static routes – allows specific subnets to be routed to this particular user’s connection

o    Use netsh command line utility for all administration of RRAS and IAS.

·          This is replacement utility for routemon utility from Windows NT 4.0 RRAS.

o    Resource Kit utility Rasmon can be used for per port monitoring and statistics collection.

·          IAS – Internet Authentication Service – is used for centralized Remote Access policy and authentication management.

o    IAS relies on standard RADIUS protocol for communication of authentication and accounting data between multiple Remote Access Servers (Windows 2000 servers configured to accept connections) and other third-party NAS (Network Access Servers).

o    IAS then authenticates the forwarded credentials against Windows 2000 or NT 4 domain accounts.

o    Authorization is still performed by User’s dial-in properties and Remote Access Policy.

o    IAS supports PAP, CHAP, MS-CHAP, and EAP authentication, (including authentication based on called number and callers number)

o    IAS uses RADIUS accounting for auditing of authentication, rejection, lockout, time usage, bandwidth usage, etc data.

o    In order to authenticate users against AD, IAS server needs to belong to domain local “RAS and IAS Servers” group.

o    IAS is configured in consistent way with RRAS. The same Remote Access Policies are reused using same MMC interface.

WINS in Windows 2000 Environment

·          WINS is used to resolve (to IP addresses), register, renew and release NetBIOS host names. (RFC1001 and RFC1002 compatible)

·          Windows 3x, 9x, NT use NetBIOS names to request network services, Windows 2000 only for backward compatibility.

·          A NetBIOS name must be unique on the network; a host registers several names (one per service) that share the first 15 characters and differ in the 16th byte.

·          Name can be up to 16 bytes in length (15 characters plus character to identify service or application registering the name).

·          NetBIOS is configured through registry key             HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

·          Three standard ways to resolve NetBIOS names:

o    Local broadcast – NetBIOS name query sent over UDP (port 137) to the broadcast address, so every host on the local subnet receives it.

§   BcastQueryTimeout – registry entry to control timeout in ms (default is 750 ms)

§   BcastNameQueryCount – registry entry to control number of retries (default is 3 times)

o    NetBIOS Name Cache – contains list of names that have been already resolved.

§   Entries in the list remain there for 10 minutes by default (configured by CacheTimeout registry entry – default 600,000ms)

§   Size/Small/Medium/Large registry entry controls the size of the cache (small [1] is default – 16 entries)

§   nbtstat –c command lists cache contents

o    NetBIOS Name Server – using centralized names database – WINS

·          Computer node type determines order in which name resolution happens

o    B-Node (Broadcast) – resolution using broadcast on the local network

o    P-Node (Peer-to-peer) – resolution using WINS server

o    M-Node (Mixed) – resolution using broadcast first and then WINS server (B-Node and P-Node)

o    H-Node (Hybrid) – resolution using WINS server first and then broadcast (P-Node and B-Node)

·          Regardless of the node, local NetBIOS cache is always checked first

·          In Windows 2000 B-node is enhanced with looking up LMHOSTS file if broadcast is unsuccessful and then resolving to DNS server before giving up.

·          The default Windows 2000 node type is B-Node (if no WINS server is specified in TCP/IP settings) and H-node (if WINS server is specified)

o    Node type can be changed via NodeType parameter (1 for B-node, 2 for P-node, 4 for M-node, 8 for H-node)

·          LMHOSTS file located in the c:\winnt\system32\drivers\etc directory contains mappings of NetBIOS names to IP addresses

o    Entries from this file followed by #PRE are  pre-loaded into NetBIOS name cache every time machine starts

o    The file is parsed sequentially – top to bottom. Put most used entries at the top while #PRE entries at the bottom (since they are already in the name cache).

o    In Windows 2000 LMHOSTS resolution is done by default. Disable through TCP/IP settings (Advanced / WINS tab)
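Added example, not from these notes: the NetBIOS name service packets behind broadcast and WINS resolution, in Python. It builds the 16-byte name (15 characters plus the service suffix), applies the RFC 1001 first-level encoding that turns it into the 32-letter label seen on the wire, builds a NAME QUERY REQUEST as a B-node broadcast or a P/H-node unicast to WINS, and parses a positive response back into addresses and node types. The sample response for SERVER01<20> is constructed here, not captured, and the field layouts follow RFC 1002.

```python
import struct

NBNS_PORT = 137                       # NetBIOS name service, UDP
SUFFIX_WORKSTATION = 0x00
SUFFIX_FILE_SERVER = 0x20


def netbios_name_bytes(name: str, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """16-byte NetBIOS name: at most 15 characters, upper-cased and space-padded,
    followed by the suffix byte that identifies the registering service."""
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])


def first_level_encode(raw16: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble becomes one letter 'A'..'P',
    so the 16 bytes travel as a 32-character label."""
    if len(raw16) != 16:
        raise ValueError("expected a 16-byte NetBIOS name")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw16)


def first_level_decode(encoded: str):
    """Inverse of first_level_encode; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("expected a 32-character encoded label")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(trn_id: int, name: str, suffix: int = SUFFIX_FILE_SERVER,
                     broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST (RFC 1002 4.2.12). broadcast=True is what a B-node sends to
    the subnet broadcast address; a P/H-node sends the same packet unicast to the
    WINS server with the B flag clear."""
    flags = 0x0100 | (0x0010 if broadcast else 0)               # RD=1, B=1 for broadcast
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    label = first_level_encode(netbios_name_bytes(name, suffix)).encode("ascii")
    question = bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def build_positive_name_response(trn_id: int, name: str, suffix: int, ttl: int,
                                 addresses, node_type: str = "B") -> bytes:
    """POSITIVE NAME QUERY RESPONSE; used here to construct a sample WINS reply."""
    ont = {"B": 0, "P": 1, "M": 2, "H": 3}[node_type]           # owner node type bits
    label = first_level_encode(netbios_name_bytes(name, suffix)).encode("ascii")
    rdata = b"".join(struct.pack(">H", ont << 13) + bytes(int(o) for o in ip.split("."))
                     for ip in addresses)
    header = struct.pack(">HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # response, AA, RD, RA
    rr = (bytes([len(label)]) + label + b"\x00"
          + struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata)))
    return header + rr + rdata


def parse_name_response(pkt: bytes) -> dict:
    """Parse a name query response; raises on negative responses (RCODE != 0)."""
    trn_id, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError("negative name query response, RCODE=%d" % (flags & 0x000F))
    off = 12
    length = pkt[off]
    label = pkt[off + 1:off + 1 + length].decode("ascii")
    off += 1 + length + 1                                   # label, then the 0x00 terminator
    _rr_type, _rr_class, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    name, suffix = first_level_decode(label)
    entries = []
    for i in range(0, rdlen, 6):                            # NB_FLAGS (2) + IP (4) per entry
        nb_flags, = struct.unpack(">H", pkt[off + i:off + i + 2])
        entries.append({
            "ip": ".".join(str(b) for b in pkt[off + i + 2:off + i + 6]),
            "group": bool(nb_flags & 0x8000),
            "node_type": "BPMH"[(nb_flags >> 13) & 0x3],
        })
    return {"trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl, "addresses": entries}


# Constructed sample: a unicast query to WINS and the answer for SERVER01<20>
SAMPLE_QUERY = build_name_query(0x1234, "SERVER01", broadcast=False)
SAMPLE_RESPONSE = build_positive_name_response(
    0x1234, "SERVER01", SUFFIX_FILE_SERVER, ttl=300000,
    addresses=["192.168.10.5"], node_type="H")
```

The encoded label is why a name such as SERVER01 shows up in packet captures as FDEFFCFGEFFCDADBCACACACACACACACA, and why a broadcast query reaches every host on the segment: the B flag in the header asks the whole subnet, and any host on it can answer.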

·          Static IP address is required for proper WINS server operation.

·          Install WINS server through Add/Remove Windows Components in Control Panel (under Networking Services)

·          WINS Name Registration – client computer configured to use WINS sends name registration request directly to WINS server

o    WINS server checks for duplicates and if OK sends response back with TTL value.

o    The registration information also includes service type (Workstation, File Server, Messenger, Workgroup,  Domain)

·          WINS Name Renewal  - happens in the mid point of the registration (half time of TTL)

o    If no response client retries every 10 minutes for an hour.

o    After hour client tries secondary name server, every 10 minutes for another hour. Then tries primary again, back and forth until TTL is reached.

o    If WINS server responds name is renewed and new TTL set.

·          WINS Name Release – happens when client is shut down (sends release request) or fails to renew registration.

o    When WINS receives release request marks it for extinction (using extinction interval – time between released and extinct)

o    Extinction timeout period is time between extinct and scavenged (deleted from database).

·          WINS Proxy is a machine forwarding WINS broadcasts from local network to specific WINS server (on another subnet)

o    To enable machine to be WINS proxy add EnableProxy entry to registry with value of 1. (same key as all other NetBIOS config). The machine will listen to local broadcasts and forward to specified WINS server in TCP/IP configuration.

·          Replication of WINS database between servers – configured through MMC.

o    On each WINS server add entry pointing to each other.

o    Replication can be configured as Pull, Push or Pull and Push (default), on per computer basis.

o    For pull replication default interval is 30 minutes

o    For Push replication number of changes before replication is initiates needs to be specified (default 0 – no replication)

o    New feature in Windows 2000 is persistent connections for replication (can be scheduled to start and end at specific time)

o    Manual tombstoning is a new feature that prevents deleted records to be replicated back to other WINS servers.

o    Replication partners can be automatically discovered (new feature)

·          Burst handling is a new feature that improves performance by positively replying to client registration requests before entries are written physically to the database.

·          To compact a WINS database we must stop the WINS server service. Then at the command prompt we must issue the 'jetpack wins.mdb tmp.mdb' command and then restart the WINS server service.

IP Routing in Windows 2000 Environment

·          In TCP/IP environment, computers on the same subnet communicate with each other directly (the sender resolves the destination’s hardware address with an ARP broadcast and delivers the frame itself).

·          If computer needs to communicate with another computer on different subnet it cannot use broadcast because the other subnet may be unreachable directly (not on the same physical network, or separated by WAN (Wide Area Network).

·          To communicate with hosts on remote subnets local computer sends the IP packets to host designated as default gateway.

·          The default gateway computer (most likely a “router”), based on its routing table, routes the original request either to its local network or to its own gateway if the destination is on a farther remote network, and so on.

·          Windows 2000 RRAS (Routing and Remote Access Service) turns a Windows machine into a fully featured IP (Internet Protocol) router

·          Original Windows NT 4.0 had only limited static routing. Addition of RRAS for NT 4.0 added the following routing services:

o    RIP v2, OSPF, Demand-Dial Routing, IP Packet Filters.

·          Windows 2000 RRAS adds the following services:

o    Multicast Routing, ICS, NAT, L2TP over IPSec

·          Static Routing – is when routes are manually entered in local routing table.

o    In Windows routing table is automatically generated based on the information entered into TCP/IP configuration panel

o    Any changes to the routing table need to be added manually using the route add command (route –p add makes the route persistent across reboots; without –p it is lost on restart)

o    Use route print to print contents of routing table.

o    Static routing has very limited fault tolerance and is extremely difficult to administer in large environments

·          Demand-Dial Routing – allows connecting to remote network either on demand or permanently.

o    The connection can be either over dial-up line or VPN tunnel

o    A Demand-Dial interface in RRAS needs to be created for every remote network router (another RAS server or third-party)

§   The user account name on the answering computer must match the demand-dial interface name of the calling computer.

§   This account must have dial-in permissions and Remote Access Policy permissions on the remote server

o    Demand-Dial Routing can be configured for On-Demand and Persistent dialing (configured by an option on the Demand-Dial interface in RRAS MMC)

o    On-Demand Demand-Dial Routing is established only when data needs to be transmitted to the network connected by demand-dial routing interface.

§   Drawback is performance and reliability (if connection is not established it needs to be established first – applications may time out)

o    Persistent Connection in Demand-Dial Routing is when connection to a particular network is established permanently.

§   If connection gets dropped, it is automatically established.

§   Client and server need to be configured for Persistent Connections (no idle timeouts, etc)

o    One-Way Demand-Dial connection is when activity on one network triggers connection to be established to the other network.

o    Two-Way Demand-Dial connection is when activity on either network triggers connection to be established to one another.

o    Once interface is created a new static route for the remote subnet needs to be added in the RRAS MMC using this interface and option “Use this route to initiate Demand-Dial connection” must be enabled.

§   In case remote network contains multiple subnets it is nearly impossible to use static routes since they may change at any time and have to be manually entered.

§   A feature called Auto-Static routes uses RIP for IP to send broadcast across remote connection to discover static routes, and add them to local routing table as persistent routes, even when connection is no longer available. This can be scheduled with Windows scheduler to occur once a day or as needed.

o    Every time a request to remote network (matching the route) is made on the local network the connection is established.

o    Demand-Dial Filters allow to customize under what conditions the connection is initiated.

§   Filters can specify to establish connection based on specific source IP address of the host initiating connection, destination IP address or specific port numbers.

o    Time and day settings can be configured on the Demand-Dial interface to allow connections only during these times.

·          RIP (Routing Information Protocol)

o    Recommended for small to medium networks – maximum usable path is 15 hops; a metric of 16 means unreachable.

o    Uses the hop count as a metric to determine the best route for the data.

o    Supports routing for IP and IPX protocols.

o    RIP v1 does not announce the subnet mask, so it works only with classful networks (no VLSM or CIDR).

§   Uses broadcasting to announce route changes to other RIP routers.

o    RIP v2 supports subnet mask announcing.

§   Uses broadcasting and multicasting to announce route changes

§   Supports password authentication (clear-text passwords) – same password must be configured on every router. Because the password travels in clear text in every announcement it only guards against misconfigured routers, not against an attacker on the segment, who can read it and inject routes.

§   Two operation modes: Auto-static for demand-dial links and periodic update for persistent links

·          Configure per each interface (RIP interface properties)

o    When using both versions ensure that RIP v2 router is configured for broadcast announcements and accepts v1 and v2.

o    To enable RIP right click General section under IP Routing and select “Install New Protocol” in RRAS MMC.

§   Add existing interfaces to use RIP protocol

o    Silent RIP option does not broadcast routing information, only collects routing data from other routers.

§   Windows 2000 Professional supports silent RIP by installing “RIP Listener” network component

§   Windows 2000 Server supports this as option under “Outgoing packet protocol” option in interface properties.

o    Peer security option allows to build a list of IP addresses of the only routers from which this RIP router accepts announcements (announcements from any other source are discarded)

§   This option is per RRAS server configured in properties of RIP protocol.

o    Route filters at each RIP interface determine which networks should be handled by RIP (Security tab, interface properties)

o    RIP neighbors ensure that RIP announcements are sent to specific routers

o    RIP for IPX has same functionality as RIP for IP (above)

o    SAP for IPX is used to advertise IPX services and their locations.
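Added example, not from these notes: a RIP v1/v2 message builder and parser in Python, used on a constructed RIPv2 RESPONSE that carries a simple-password authentication entry and two routes, one of them withdrawn with metric 16. The packet layout (4-byte header, 20-byte entries, AFI 0xFFFF with auth type 2 for the 16-byte password) follows RFC 2453; the router addresses, password and routes are made up. Parsing the packet shows the three points from the notes at once: v1 entries carry no mask, 16 means unreachable, and the “authentication” password is readable by anyone who receives the announcement.

```python
import struct

RIP_PORT = 520                    # UDP
RIPV2_MULTICAST = "224.0.0.9"
RIP_INFINITY = 16                 # metric 16 = unreachable; 15 hops is the usable maximum


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _str(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def build_rip_response(routes, version: int = 2, password: str = None) -> bytes:
    """RIP RESPONSE message. routes: (network, mask, next_hop, metric, tag).
    With password set, the first 20-byte entry is the RIPv2 simple-password
    authentication entry (AFI 0xFFFF, auth type 2, 16-byte null-padded password)."""
    pkt = struct.pack(">BBH", 2, version, 0)         # command 2 = response
    if password is not None:
        if version != 2:
            raise ValueError("RIPv1 has no authentication")
        pw = password.encode("ascii")
        if len(pw) > 16:
            raise ValueError("simple password is at most 16 bytes")
        pkt += struct.pack(">HH", 0xFFFF, 2) + pw.ljust(16, b"\x00")
    for network, mask, next_hop, metric, tag in routes:
        if version == 1:                              # v1 carries no mask, next hop or tag
            mask, next_hop, tag = "0.0.0.0", "0.0.0.0", 0
        pkt += (struct.pack(">HH", 2, tag) + _ip(network) + _ip(mask) + _ip(next_hop)
                + struct.pack(">I", metric))
    return pkt


def parse_rip(pkt: bytes) -> dict:
    """Decode a RIP v1/v2 message into header fields, recovered password and routes."""
    command, version, _ = struct.unpack(">BBH", pkt[:4])
    out = {"command": command, "version": version, "password": None, "routes": []}
    off = 4
    while off + 20 <= len(pkt):
        afi, tag = struct.unpack(">HH", pkt[off:off + 4])
        if afi == 0xFFFF:                             # authentication entry
            if tag == 2:                              # simple password: clear text on the wire
                out["password"] = pkt[off + 4:off + 20].rstrip(b"\x00").decode("ascii", "replace")
            else:
                out["password"] = "<auth type %d>" % tag
        else:
            metric = struct.unpack(">I", pkt[off + 16:off + 20])[0]
            out["routes"].append({
                "network": _str(pkt[off + 4:off + 8]),
                "mask": _str(pkt[off + 8:off + 12]) if version == 2 else None,
                "next_hop": _str(pkt[off + 12:off + 16]),
                "metric": metric,
                "reachable": metric < RIP_INFINITY,
            })
        off += 20
    return out


# Constructed announcement as a RIPv2 router might send it to 224.0.0.9;
# 10.2.0.0/16 is being withdrawn (metric 16 = unreachable).
SAMPLE_RIPV2 = build_rip_response(
    [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1, 0),
     ("10.2.0.0", "255.255.0.0", "0.0.0.0", 16, 0)],
    password="rip2pass")

if __name__ == "__main__":
    decoded = parse_rip(SAMPLE_RIPV2)
    print("password seen on the wire:", decoded["password"])
    for route in decoded["routes"]:
        print(route)
```

Anyone who can receive one announcement can build another with the same password and a better metric, so on shared segments RIP neighbors and peer security (above) are the only real controls, and RIP should not be trusted on an untrusted LAN.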

·          OSPF (Open Shortest Path First)

o    Good for large and very large internal networks with high performance, efficiency and redundancy.

o    Disadvantage is that the LSDB (see below) database can get large and become complex. In general OSPF is very complex to plan for and administer.

o    OSPF uses SPF (Shortest Path First) algorithm to determine the least costly route between the router and all the networks that are part of this internetwork.

o    LSDB (Link State Database) is an internal map of the internal network within the OSPF area, is updated every time this topology changes and synchronized with all OSPF routers.

o    Can coexist with RIP on the same network.

o    OSPF network consists of: Autonomous System (AS), areas, backbone area, border routers, and virtual links.

o    AS (Autonomous System) includes all of the networks that share common administrative authority

§   AS is the boundary of the OSPF network.

§   Is divided into OSPF areas communicating through backbone area.

§   One area is designated as backbone area located on a high-bandwidth network.

o    Areas are collections of contiguous subnets

§   Administrative boundary used for separate sites or domains

§   Each OSPF router is assigned its own router ID, a 32-bit value written in dotted-decimal form (for example 0.0.0.5)

§   Stub areas should be used where possible

·          A stub area does not carry external (non-OSPF) routes; a single default route injected by the ABR summarizes all destinations outside the area, including those outside the AS.

·          Because no external routes enter a stub area, an ASBR cannot be placed inside one and external traffic is never routed through it.

§   Good practice is to keep the communication between areas to minimum. Keep DNS, DHCP, WINS, DC servers within area. If possible have one OSPF area per every Active Directory Site.

o    Backbone Area is a central area connected to all of the other OSPF areas.

§   Area ID of backbone area is always designated as 0.0.0.0

o    OSPF Routers – there are four types:

§   Internal Router – has all interfaces in the same area

§   Area Border Router (ABR) – has interfaces connected to different areas

§   Backbone Router – router with at least one interface connected to backbone area.

·          Backbone area ABRs and internal routers are also backbone routers

§   AS Boundary Router (ASBR) – responsible for exchanging routes with sources outside of the OSPF AS.

·          Responsible for advertising external routes throughout the AS.

·          Communicates with external routers using local static routes, auto-static routes, RIP v2, etc.

·          Can filter certain route sources and subnets

o    Virtual link is a logical link through a non-backbone (transit) area that connects an ABR which has no physical interface on the backbone to a backbone ABR, so that the backbone stays contiguous.

§   Create virtual links by setting both ABRs as neighbors.

§   Avoid use of virtual links if possible as they can cause routing problems.
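Added example, not from these notes: the SPF computation named above, run in Python over a constructed four-router link-state database (router IDs in the dotted-decimal form described earlier, costs invented). It builds the routing table from one router’s point of view, then withdraws one link and recomputes, which is what every OSPF router does when the LSDB changes. The LSDB is a plain dictionary; real OSPF also carries networks, areas and LSA types, which this omits.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed LSDB for one OSPF area: router ID -> {neighbor ID: outgoing link cost}.
# Costs are per outgoing interface, so the map is directed (symmetric here for simplicity).
LSDB: Dict[str, Dict[str, int]] = {
    "0.0.0.1": {"0.0.0.2": 10, "0.0.0.3": 1},
    "0.0.0.2": {"0.0.0.1": 10, "0.0.0.3": 1, "0.0.0.4": 5},
    "0.0.0.3": {"0.0.0.1": 1, "0.0.0.2": 1, "0.0.0.4": 20},
    "0.0.0.4": {"0.0.0.2": 5, "0.0.0.3": 20},
}


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra's shortest path first over the LSDB, rooted at this router.
    Returns destination -> (total cost, path from root)."""
    dist = {root: 0}
    prev: Dict[str, str] = {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))

    def path_to(v: str) -> List[str]:
        p = [v]
        while p[-1] != root:
            p.append(prev[p[-1]])
        return p[::-1]

    return {v: (dist[v], path_to(v)) for v in dist}


def routing_table(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, str]]:
    """Routing table derived from the SPF tree: destination -> (cost, next hop)."""
    return {dest: (cost, path[1])
            for dest, (cost, path) in spf(lsdb, root).items() if dest != root}


def without_link(lsdb: Dict[str, Dict[str, int]], a: str, b: str) -> Dict[str, Dict[str, int]]:
    """LSDB after the a<->b link is withdrawn; a topology change triggers a new SPF run."""
    copy = {r: dict(n) for r, n in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


if __name__ == "__main__":
    print("before:", routing_table(LSDB, "0.0.0.1"))
    print("after 0.0.0.3<->0.0.0.2 fails:",
          routing_table(without_link(LSDB, "0.0.0.3", "0.0.0.2"), "0.0.0.1"))
```

From 0.0.0.1 everything initially goes through 0.0.0.3 (cost 1+1 to 0.0.0.2, 1+1+5 to 0.0.0.4); once the 0.0.0.3 to 0.0.0.2 link is gone the direct cost-10 link becomes the best path and the table changes without any manual route entry, which is the advantage over static routes noted earlier.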

·          Multicast Routing – routes multicast traffic

o    Multicast allows sending data from single source to multiple destinations

o    Windows 2000 RRAS does multicast routing using IGMP router mode and IGMP proxy mode

o    IGMP is installed and configured by default when RRAS service is enabled and proxy and router interfaces are added. New interfaces can be added as routers or proxies.

o    IGMP (Internet Group Management Protocol) is used to register IP clients within multicast environment.

o    Windows 2000, NT 4 SP 4, Windows 98 all support IGMP v2

o    IGMP is not used to initiate IP multicast traffic, it is used to maintain host group membership on local subnet.

o    MBone is the Internet Multicast Backbone, portion of public internet capable of broadcasting multicast traffic (using multicast class IP addresses)

o    IGMP Router interface is used to keep track of the multicast hosts on the network

§   Multiple router interfaces can exist on the same RRAS machine.

§   Router uses promiscuous mode (network card must support it) to catch all traffic on the network wire.

§   Listens for the “Host Membership Report” and “Leave Group” messages.

§   Sends “Host Membership Queries” to keep track of existing hosts.

§   Keeps multicast forwarding table including hosts on the subnet in the group membership.

o    IGMP Proxy interface connects Windows IGMP router to an external multicast IP network (MBone)

§   Proxy interface acts as a single host to a MBone and joins host groups on behalf of hosts on it’s IGMP router interface.

o    Router interface connects to internal network while Proxy interface connects to the Internet MBone

o    Multicast boundary is used to control forwarding of multicast traffic to specific portions of the network.

§   Two types of boundaries: scope-based and TTL-based

§   Scope-based boundaries prevent traffic from being forwarded to specific range of multicast IPs.

·          Addresses from 239.0.0.0 to 239.255.255.255

§   TTL-based boundaries prevent based on the TTL of the packet forwarded

·          Avoid using TTL-based boundaries, they are independent of the multicast group membership. Use scope-based instead.

o    Multicast heartbeat of multicast routing allows IGMP router to listen for multicast notification for specific group address.

o    Internet MBone is divided into individual areas, connected together by tunnels.

o    IP-in-IP tunnels allow forwarding of local multicast traffic from one network to another network through network that does not support multicasting.

o    Management:

§   Command: “netsh routing ip show mfe” displays entries in multicast forwarding table

§   Command: “netsh routing ip igmp set interface” configures IGMP interface settings

§   Use “mrinfo” to display configuration of multicast router.

·          Two technologies in Windows 2000 allow sharing of internet connection with computers on local network based on NAT (Network Address Translation)

·          Internet Connection Sharing (ICS)

o    Simple solution for small office or home networks available in Windows 2000 Professional or Server and Windows 98

o    Does not require RRAS to be enabled

o    Enabled by one option on the interface (dial-up) connecting to the internet, requires another interface (LAN) available for local communication.

o    Supports on-demand dialing

o    Limited flexibility (uses the 192.168.0.0/24 range only; the ICS host takes 192.168.0.1) and basic configuration (only allows certain applications available through the connection).

o    Built-in DHCP server; ICS will not work if another DHCP server on the network.

·          Network Address Translation (NAT)

o    Functionality of RRAS – available only in Windows 2000 Server.

o    More advanced suitable for larger networks

o    Ability to use built in DHCP server and external DHCP network already on the network.

o    Enabled on the interface connecting to the internet.

o    Can use any private IP range on the local network (configurable)

o    To install NAT right click General section under IP Routing and select “Install New Protocol” in RRAS MMC.

§   Add existing interfaces to use NAT, when adding select if it is private or public.

§   Requires one interface connected to internet (public) and one private on the local network

o    NAT Editor allows routing of PPTP from internal network to VPN server on the internet, but does not support routing of PPTP from internet to VPN servers on internal network.

·          Routing Management

o    Use netsh command to perform command line and advanced administration of routing protocols.

o    Routing and Remote Access MMC Snap-In provides all graphical management and monitoring

o    Many RRAS services support logging to Windows Event Viewer


Certificate Services

·          Install Certificate Services using Add/Remove Programs in Control Panel (Add/Remove Windows Components).

·          There are 4 types of CAs (Certificate Authorities) that can be installed in Windows 2000.

·          Enterprise Root CA – is the root of a Windows 2000 based corporate CA hierarchy. In a multi-level hierarchy the root is typically configured to issue certificates only to subordinate CAs. Because its certificate is published in AD, all computers in the forest automatically trust this CA and its subordinates.

·          Enterprise Subordinate CA

o    Allows for independent management of application-specific certificates and provides full integration with Active Directory

o    Requires Enterprise Root CA to be installed on the network

·          Standalone Root CA – for setting up certificate hierarchy for issuing certificates outside of the organization. Standalone Root CA typically issues certificates to subordinate CAs who in turn issue end user certificates

·          Standalone Subordinate CA - for issuing certificates outside of the AD network

Skills Being Measured

This certification exam measures your ability to install, manage, monitor, configure, and troubleshoot DNS, DHCP, Remote Access, Network Protocols, IP Routing, and WINS in a Windows 2000 network infrastructure. In addition, this test measures the skills required to manage, monitor, and troubleshoot Network Address Translation and Certificate Services. Before taking the exam, you should be proficient in the job skills listed below.  (Taken from http://www.microsoft.com/traincert/exams/70-216.asp)

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS in a Windows 2000 Network Infrastructure

o    Install, configure, and troubleshoot DNS.

§   Install the DNS Server service.

§   Configure a root name server.

§   Configure zones.

§   Configure a caching-only server.

§   Configure a DNS client.

§   Configure zones for dynamic updates.

§   Test the DNS Server service.

§   Implement a delegated zone for DNS.

§   Manually create DNS resource records.

o    Manage and monitor DNS.

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting DHCP in a Windows 2000 Network Infrastructure

o    Install, configure, and troubleshoot DHCP.

§   Install the DHCP Server service.

§   Create and manage DHCP scopes, superscopes, and multicast scopes.

§   Configure DHCP for DNS integration.

§   Authorize a DHCP server in Active Directory™.

o    Manage and monitor DHCP.

§   Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure

o    Configure and troubleshoot remote access.

§   Configure inbound connections.

§   Create a remote access policy.

§   Configure a remote access profile.

§   Configure a virtual private network (VPN).

§   Configure multilink connections.

§   Configure Routing and Remote Access for DHCP Integration.

o    Manage and monitor remote access.

o    Configure remote access security.

§   Configure authentication protocols.

§   Configure encryption protocols.

§   Create a remote access policy.

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting Network Protocols in a Windows 2000 Network Infrastructure

o    Install, configure, and troubleshoot network protocols.

§   Install and configure TCP/IP.

§   Install the NWLink protocol.

§   Configure network bindings.

o    Configure TCP/IP packet filters.

o    Configure and troubleshoot network protocol security.

o    Manage and monitor network traffic.

o    Configure and troubleshoot IPSec.

§   Enable IPSec.

§   Configure IPSec for transport mode.

§   Configure IPSec for tunnel mode.

§   Customize IPSec policies and rules.

§   Manage and monitor IPSec.

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting WINS in a Windows 2000 Network Infrastructure

o    Install, configure, and troubleshoot WINS.

o    Configure WINS replication.

o    Configure NetBIOS name resolution.

o    Manage and monitor WINS.

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting IP Routing in a Windows 2000 Network Infrastructure

o    Install, configure, and troubleshoot IP routing protocols.

§   Update a Windows 2000-based routing table by means of static routes.

§   Implement Demand-Dial Routing.

o    Manage and monitor IP routing.

§   Manage and monitor border routing.

§   Manage and monitor internal routing.

§   Manage and monitor IP routing protocols.

§   Installing, Configuring, and Troubleshooting Network Address Translation (NAT)

o    Install Internet Connection Sharing.

o    Install NAT.

o    Configure NAT properties.

o    Configure NAT interfaces.

§   Installing, Configuring, Managing, Monitoring, and Troubleshooting Certificate Services

o    Install and configure Certificate Authority (CA).

o    Issue and revoke certificates.

o    Remove the Encrypting File System (EFS) recovery keys.

(c)1999-2009 Mark Dabrowski, All Rights Reserved.