4. You are designing the NetBIOS name resolution strategy for a multisegment network running Windows Server 2003 but that still includes some Windows NT servers and Windows 95 workstations. You have decided that you don’t want to run a WINS server, but you have a Windows NT 4.0 print server that all users must be able to access. Which of the following strategies would make this possible? (Choose all that apply.)
A. Do nothing. The computers will be able to resolve the name of the server running Windows NT automatically using broadcast name resolution.
B. Create an LMHOSTS file on each computer with an entry containing the NetBIOS name and IP address of the server running Windows NT.
C. Preload the NetBIOS name and IP address of the server running Windows NT into the NetBIOS name cache.
D. It can’t be done. You must run a WINS server for computers to be able to resolve the NetBIOS names of computers on other networks.
Objective 2.8 Plan a NetBIOS Name Resolution Strategy
Objective 2.8 Answers
1. Correct Answers: B
A. Incorrect: The NetBIOS name cache contains all the NetBIOS names that the computer has recently resolved by any means, whether the resolved names are for computers on the local network or another network.
B. Correct: Broadcast transmissions are limited to the local network, so the broadcast method can only resolve the name of a computer on the local network.
C. Incorrect: You can create entries in an LMHOSTS file for the NetBIOS name of any computer on any network. In fact, the primary reason for using LMHOSTS files is to resolve the names of computers on other networks.
D. Incorrect: WINS can resolve the NetBIOS names of any computer on any network.
2. Correct Answers: D
A. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, but it uses LMHOSTS only after broadcast name resolution has failed.
B. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, then uses broadcasts and, failing that, LMHOSTS.
C. Incorrect: Computers running Windows operating systems try to resolve NetBIOS names using broadcast transmissions before they try using LMHOSTS, and they always check the NetBIOS name cache before any other mechanism.
D. Correct: A computer running a Windows operating system that is not a WINS client always checks the NetBIOS name cache first when trying to resolve a NetBIOS name, then tries the broadcast transmission method. If the broadcast method fails, the computer tries to look up the name in the LMHOSTS file.
3. Correct Answers: B
A. Incorrect: This replication topology would result in only the New York WINS servers having complete replicas of the database, because all replication traffic is traveling in one direction.
B. Correct: This solution is called a ring replication topology, because each site is sending its data to the east and receiving data from the west. This enables every server to have a complete replica of the WINS database without creating a large amount of redundant WAN traffic.
C. Incorrect: While this option does provide satisfactory replication performance, it also generates much more WAN traffic than a ring topology.
D. Incorrect: The WINS client enables you to specify multiple WINS server addresses only as fallbacks in case of a server failure. Adding all the WINS server addresses to each client does not cause the client to register its NetBIOS name with all the servers.
4. Correct Answers: B and C
A. Incorrect: Only the client computers on the same local area network as the server running Windows NT would be able to resolve its name using broadcast transmissions.
B. Correct: LMHOSTS functions as a backup to the broadcast name resolution method, because it is able to resolve NetBIOS names of computers on other networks.
C. Correct: Preloading the name of the server running Windows NT into the cache using an LMHOSTS file enables the computer to resolve the name without using the broadcast method.
D. Incorrect: An LMHOSTS file can resolve any NetBIOS name, regardless of whether it is on the local network or not.
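The resolution order and the LMHOSTS behavior described in these answers can be modeled in a short Python sketch. This is an added example, not part of the original book; the host names, addresses, and function names are constructed for illustration, and it assumes the usual LMHOSTS layout (address, name, then optional #PRE and #DOM: keywords).

```python
import ipaddress

# Constructed LMHOSTS content; names and addresses are made up for this example.
SAMPLE_LMHOSTS = """\
# address        name         keywords / comment
192.168.20.5     NTPRINT01    #PRE   # NT 4.0 print server on another segment
192.168.30.9     FILESRV02           # read only after a broadcast fails
not-an-address   BROKEN01     #PRE
"""


def parse_lmhosts(text):
    """Return (preloaded, on_demand): two dicts of NetBIOS name -> IP address."""
    preloaded, on_demand = {}, {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line or comment line
        address, name = fields[0], fields[1].upper()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # skip malformed entries instead of caching them
        if len(name) > 15:
            continue  # NetBIOS names are at most 15 characters
        is_pre = False
        for field in fields[2:]:
            keyword = field.upper()
            if keyword == "#PRE":
                is_pre = True
            elif not keyword.startswith("#DOM:"):
                break  # anything else starts a free-text comment
        (preloaded if is_pre else on_demand)[name] = address
    return preloaded, on_demand


def resolve(name, local_net, cache, all_hosts, lmhosts):
    """Resolve a name as a non-WINS client does: cache, broadcast, LMHOSTS.

    all_hosts maps every host name to its address; only hosts inside
    local_net can answer, because broadcasts do not cross routers.
    """
    name = name.upper()
    if name in cache:
        return cache[name], "cache"
    answer = all_hosts.get(name)
    if answer and ipaddress.ip_address(answer) in ipaddress.ip_network(local_net):
        cache[name] = answer
        return answer, "broadcast"
    if name in lmhosts:
        cache[name] = lmhosts[name]
        return cache[name], "lmhosts"
    return None, "unresolved"


if __name__ == "__main__":
    preloaded, on_demand = parse_lmhosts(SAMPLE_LMHOSTS)
    hosts = {"NTPRINT01": "192.168.20.5", "FILESRV02": "192.168.30.9",
             "WIN95PC07": "192.168.10.44"}
    cache = dict(preloaded)  # #PRE entries are loaded into the name cache
    for target in ("NTPRINT01", "FILESRV02", "WIN95PC07"):
        print(target, resolve(target, "192.168.10.0/24", cache, hosts, on_demand))
    # Option A of question 4: with no LMHOSTS file the remote server stays unresolved
    print(resolve("NTPRINT01", "192.168.10.0/24", {}, hosts, {}))
```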
Objective 2.9 Troubleshoot Host Name Resolution
Name resolution failures can be the result of a problem on the client or on the computer running the DNS server. At the client, the problem is typically an incorrect DNS server address. Either the Preferred DNS Server or the Alternate DNS Server field in the Windows Internet Protocol (TCP/IP) Properties dialog box must contain the IP address of a valid and operating DNS server.
If the client contains valid DNS server addresses, the servers themselves might be malfunctioning. The most obvious problem is that the DNS server is not functioning at all, because it is suffering from its own TCP/IP communications failure. Like any other computer, the DNS server must have the correct TCP/IP configuration parameters, including a valid IP address and subnet mask, plus a default gateway address. Malfunctioning hardware can also inhibit the server’s communications. If you cannot successfully ping a DNS server address, it is suffering from some sort of TCP/IP communications failure.
If you can ping the DNS server computer, you should then check to see if the DNS Server service is running. You might find that someone has shut down the service, or that the service never started when the computer booted, or that the service has stopped. You can check the Event Viewer console for error messages that might explain the stoppage or just try restarting the service yourself.
In some cases, a DNS server might successfully resolve a name, but supply the wrong IP address to the client. This could be due to any one of the following reasons:
■ Incorrect resource records—Administrators frequently type DNS resource records by hand, and typographic errors can result. If a resource record contains an incorrect IP address, the only solution is to correct it manually.
■ Dynamic update failures—If dynamic updates fail for any reason, the DNS server’s resource records could contain incorrect or outdated IP addresses. In this event, you can correct the resource records manually, or trigger a new dynamic update by traveling to the computer whose resource record is wrong and typing IPCONFIG /registerdns at a command prompt. If dynamic updates still fail to occur, check to see whether the server supports them and is configured to accept them.
■ Zone transfer failures—If the DNS server is supplying incorrect IP addresses from a secondary zone, it is possible that a zone transfer has failed to occur, leaving outdated information in the secondary zone database file. Try to manually trigger a zone transfer. If the zone transfer still does not occur, the problem might be due to the incompatibility of different DNS server implementations, such as different compression formats or unsupported resource record types. If this is the case, you might have to update the secondary zone’s resource records manually until you can update one or both servers to compatible DNS software implementations.
B. You are unable to ping the DNS server from the client computer, but you can ping it from other computers.
C. You can successfully ping the DNS server from any computer, but you cannot resolve a name using NSLOOKUP.EXE with that server.
D. You can successfully resolve a name using NSLOOKUP.EXE with the DNS server, but the IP address it supplies is outdated.
2. Which of the following symptoms indicates that a DNS server has incorrect root hints?
A. The server can resolve names of computers on the local network, but it cannot resolve names of computers on other networks.
B. The server can resolve all names, but the IP addresses for computers on the local network are incorrect.
C. The server can resolve names into IP addresses, but it cannot resolve IP addresses into names.
D. The server can resolve names for which it is authoritative, but it cannot resolve any other names.
3. When troubleshooting an Internet connection problem on a client running the Windows operating system, which of the following actions should you try to determine if name resolution failures are the cause of the problem?
A. Connect to an Internet server using its IP address.
B. Ping the client’s preferred DNS server address.
C. Execute the IPCONFIG /registerdns command on the client.
D. Trigger a manual zone transfer on the client’s DNS.
Objective 2.9 Answers
1. Correct Answers: C
A. Incorrect: This symptom is an indication that either the client or the DNS server is suffering from a complete TCP/IP communications failure, not just the failure of the DNS service.
B. Incorrect: Because the server is operational, this symptom indicates that the client computer is experiencing a TCP/IP communications failure.
C. Correct: The fact that the client can ping the DNS server indicates that the server computer is operational, but the failure of the server to resolve names indicates that the DNS Server service is not running or is not functioning properly.
D. Incorrect: A non-functioning DNS Server service would not supply any IP addresses in response to client requests.
2. Correct Answers: D
A. Incorrect: DNS servers do not use broadcast transmissions during the name resolution process, so there is no way that they can be limited to resolving names on the local network only.
B. Incorrect: Incorrect IP addresses could be a symptom of typographical errors in resource records, dynamic update failures, or zone transfer failures. They are not a symptom of incorrect root hints.
C. Incorrect: DNS servers perform reverse name resolutions (from addresses to names) the same way they perform standard name resolutions. Incorrect root hints would affect both of these processes.
D. Correct: The names for which a DNS server is authoritative are those stored in its own zone database files. The inability to resolve other names indicates that the server is having problems sending queries to other servers, which could be caused by incorrect root hints.
3. Correct Answers: A
A. Correct: The ability to connect to an Internet server using its IP address when the client cannot connect to the same server using its name is a definitive indication of a name resolution problem.
B. Incorrect: The fact that the client computer cannot successfully ping the preferred DNS server address does not establish that name resolution is the cause of the client’s Internet connection problem. The client could be using the alternate DNS server to resolve names and could actually be suffering from another problem.
C. Incorrect: This command causes the client computer to reregister its name with the DNS server using dynamic update. While this action does verify that the client can communicate with the DNS server, it does not definitively identify name resolution failure as the source of the Internet connection problem.
D. Incorrect: Triggering a zone transfer initiates a replication process between two DNS servers. This action cannot determine anything about DNS clients.
16 Planning, Implementing, and Maintaining Routing and Remote Access (3.0)
The Routing and Remote Access service in the Microsoft Windows Server 2003 family of operating systems can route traffic in several ways, enabling you to configure a server to route traffic between local area networks (LANs), between a LAN and a wide area network (WAN), or a LAN and remote users who access the network using modems or virtual private network (VPN) connections. Remote access servers present unusual problems because of the potential security hazards they represent. Users connecting to a private network using the Internet or an open dial-up telephone line must be authenticated before they receive access, and in many cases, must have their access limited to specific resources. To create an effective routing and remote access strategy, you must consider the security ramifications of the access you grant to your users and take steps to prevent access by unauthorized users.
Tested Skills and Suggested Practices
The skills that you need to successfully master the Planning, Implementing, and Maintaining Routing and Remote Access objective domain on the 70-293 exam include:
■ Plan a routing strategy
❑ Practice 1: Configure a computer running Windows Server 2003 to function as a router and install the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) routing protocols. Then, examine the configuration parameters available for each protocol and use the online help to determine their functions.
❑ Practice 2: Configure the Routing and Remote Access service on a computer running Windows Server 2003 four times, using the four preset configurations provided by the Routing And Remote Access Server Setup Wizard. For each configuration, list the components that the service installs by default and examine the default configuration settings for each component.
■ Plan security for remote access users
❑ Practice 1: Configure a computer running Windows Server 2003 on a network to function as a VPN remote access server. Then, configure a workstation running Microsoft Windows XP or Microsoft Windows 2000 Professional to function as a VPN client and use it to connect to the server.
❑ Practice 2: Using the Routing And Remote Access console, practice creating remote access policies using various combinations of conditions and remote access profile elements.
■ Implement secure access between private networks
❑ Practice 1: Configure a server running Windows Server 2003 to use the Secure Server (Require Security) IPSec policy and a workstation running Windows XP Professional to use the Client (Respond Only) IPSec policy. Then, connect to the server from the workstation and, using the IP Security Monitor snap-in, examine the statistics of the IPSec connection.
❑ Practice 2: Use the Network Monitor application included with Windows Server 2003 to capture a sample of the traffic between two computers configured to use IPSec and examine the internal structure of the packets.
■ Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.
❑ Practice 1: Open a Command Prompt window on a computer running Windows Server 2003 and examine the online help screens for the ROUTE, TRACERT, PING, PATHPING, and NETSH commands. Then, experiment with the various functions of these tools.
❑ Practice 2: Configure a computer running Windows Server 2003 to function as a router. Then, install Network Monitor on the computer and use it to capture traffic on both network interfaces and examine the changes the router makes to the IP headers in the captured packets.
Further Reading
This section lists supplemental readings by objective. We recommend that you study these sources thoroughly before taking exam 70-293.
Objective 3.1 Review Lesson 2 in Chapter 2, “Planning a TCP/IP Network Infrastructure,” and Lessons 1 and 2 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 1, “Designing a TCP/IP Network.” This volume can also be found on Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
Objective 3.2 Review Lesson 3 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 8, “Deploying Dial-up and VPN Remote Access Servers.” This volume can also be found on Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
Objective 3.3 Review Lessons 2 and 3 in Chapter 12, “Securing Network Communications Using IPSec.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 6, “Deploying IPSec.” This volume can also be found at Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
Objective 3.4 Review Lesson 4 in Chapter 5, “Using Routing and Remote Access.”
Microsoft Corporation. Windows Server 2003 Online Help. Review the “Using the Route Command,” “Using the Tracert Command,” “Using the Ping Command,” “Using the Pathping Command,” and “The Netsh Command-Line Utility” pages in the Windows Server 2003 Help and Support Center.
Objective 3.1
Plan a Routing Strategy
A router is a device that connects two networks, either two local area networks (LANs) or a LAN and a wide area network (WAN), and forwards traffic between the networks. A router can be a dedicated hardware device or a computer with two network interfaces. Windows Server 2003 includes the Routing and Remote Access service (RRAS), which enables the computer to function as a router, using any one of several configurations.
Routers forward packets using information stored in a routing table. The routing table consists of entries for specific network destinations, each entry specifying the interface and the gateway that the router should use to send traffic to that destination. (Gateway is the TCP/IP term for a router.) To reach a particular destination on a large network, a router typically has to send packets to another router, which forwards them in the same way, handing off the packets until they reach their final destinations. On the route from the source to the destination computer, each router that processes a packet is referred to as a hop. For example, a destination can be said to be four hops away from the source.
One of the most important tasks in the operation of a router is adding information to the routing table. Routers must have current and complete information to forward traffic properly. On a large installation, the network configuration can change frequently, and the routing table must keep up with the changes. There are two methods for inserting information into a routing table: static routing and dynamic routing.
Static routing is a manual process in which an administrator creates or modifies routing table entries using a tool like the Windows Server 2003 Routing And Remote Access console or the ROUTE.EXE command-line utility. Although static routing has the advantage of not generating any additional network traffic, it suffers from several disadvantages, including the possibility of typographical errors, and the inability to automatically compensate for changes in the network. Static routing is suitable only for small networks that do not often change.
Dynamic routing uses a specialized routing protocol to gather information from other routers on the network and automatically add it to the routing table. Routers are able to create their own routing table entries for destinations on the networks to which they are directly attached, but they have no direct knowledge of more distant networks. Dynamic routing protocols enable routers to share their routing table information with other routers, enabling each router to build a composite routing table compiled from many sources and containing an overall picture of the network.
Each entry in a routing table contains a value called a metric, which specifies the relative efficiency of the route. When a router is processing a packet and there is more than one route to the packet’s destination, the router always chooses the route with the lowest metric value. Routing protocols determine their metric values in one of two ways. Distance vector routing uses the number of hops between the router and the destination for the metric value, while link state routing uses a more complex (and more accurate) calculation that accounts for additional factors, such as the transmission speeds of the networks involved, and network congestion.
Windows Server 2003 supports two routing protocols: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). RIP is a simple distance vector routing protocol that enables a router to broadcast or multicast the contents of its routing table at regular intervals. RIP is intended for relatively small networks, because it generates large amounts of traffic and because distance vector routing is generally not suitable for large installations with networks running at different speeds. OSPF is a more complex protocol that uses link state routing, does not use broadcast or multicast transmissions, and has the ability to split a network into distinct areas, so that routers only have to share their information with other routers in the immediate vicinity. OSPF has more features and is more efficient than RIP, but it is also more difficult to implement. You must plan an OSPF deployment carefully, while deploying RIP is simply a matter of installing the protocol on a network’s routers.
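How a distance vector router builds a composite table from its neighbors' announcements, and why the lowest hop count wins, can be shown with a small simulation. This Python sketch is an added example, not part of the original book; the router and network names are constructed, directly attached networks are assumed to carry a metric of 1, and the value 16 for "unreachable" comes from the RIP specification rather than from this text.

```python
RIP_INFINITY = 16  # in RIP a metric of 16 means "unreachable"
DIRECT = "direct"  # gateway label used here for directly attached networks


def merge_advert(table, neighbor, advert):
    """Merge routes announced by a neighbor; return the destinations that changed.

    table:  destination -> (gateway, metric)
    advert: destination -> metric as seen by the neighbor
    """
    changed = []
    for dest, metric in advert.items():
        new_metric = min(metric + 1, RIP_INFINITY)  # one more hop via the neighbor
        gateway, current = table.get(dest, (None, RIP_INFINITY))
        if gateway == neighbor:
            accept = new_metric != current  # same gateway: its latest word is final
        else:
            accept = new_metric < current   # other gateway: lowest metric wins
        if accept:
            table[dest] = (neighbor, new_metric)
            changed.append(dest)
    return changed


def converge(tables, links, max_rounds=10):
    """Exchange full tables over every link until nothing changes; return rounds used."""
    for round_no in range(1, max_rounds + 1):
        # Each router announces the table it held at the start of the round.
        snapshot = {r: {d: m for d, (_, m) in t.items()} for r, t in tables.items()}
        changed = False
        for a, b in links:
            changed |= bool(merge_advert(tables[a], b, snapshot[b]))
            changed |= bool(merge_advert(tables[b], a, snapshot[a]))
        if not changed:
            return round_no
    return max_rounds


def build_line_topology():
    """Constructed three-router chain: N1 - R1 - N2 - R2 - N3 - R3 - N4."""
    tables = {
        "R1": {"N1": (DIRECT, 1), "N2": (DIRECT, 1)},
        "R2": {"N2": (DIRECT, 1), "N3": (DIRECT, 1)},
        "R3": {"N3": (DIRECT, 1), "N4": (DIRECT, 1)},
    }
    links = [("R1", "R2"), ("R2", "R3")]
    return tables, links


if __name__ == "__main__":
    tables, links = build_line_topology()
    print("rounds until stable:", converge(tables, links))
    for router, table in tables.items():
        print(router, sorted(table.items()))
    # R2 later reports N4 as unreachable; R1 must believe its current gateway.
    merge_advert(tables["R1"], "R2", {"N4": RIP_INFINITY})
    print("R1 route to N4 after failure:", tables["R1"]["N4"])
```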
Multicasting is a one-to-many communications technique that enables systems to transmit messages to designated groups of recipients. Multicast transmissions use a single destination IP address that identifies a group of systems on the network, called a host group. Multicasts use Class D addresses, as assigned by the Internet Assigned Numbers Authority (IANA), which can range from 224.0.1.0 to 238.255.255.255. For a multicast transmission to reach an entire multicast group with members on different LANs, the routers on the network must know which hosts are members of the group, so that they can forward the messages to them. Computers that are to be members of a particular multicast host group must register themselves with the routers on the local network, using the Internet Group Management Protocol (IGMP). To support multicasting, all the members of the host group and all the routers providing access to the members of the host group must have support for IGMP.
by RIP, but you cannot reduce its functionality, as changes to the network infrastructure are frequent and the routers must be able to keep up with them. You also do not want to increase the current administrative burden of routing table maintenance. Which of the following solutions can achieve all these goals?
A. Upgrade the routers to RIP version 2 and configure them to use multicast transmissions instead of broadcasts.
B. Increase the RIP Periodic Announcement Interval settings on all the routers.
C. Configure all the routers to use OSPF instead of RIP.
D. Stop using RIP on all the routers and use static routing instead.
2. Which of the following are valid reasons for using a link state routing protocol on a computer running Windows Server 2003 instead of a distance vector routing protocol? (Choose all that apply.)
A. Link state routing protocols are easier to implement and configure than distance vector routing protocols.
B. Link state routing protocols generate less network traffic than distance vector routing protocols.
C. Link state routing protocols support multicast transmissions, while distance vector routing protocols do not.
D. Link state protocols use metrics that account for conditions such as network speed and congestion, while distance vector routing protocols do not.
Objective 3.1 Answers
1. Correct Answers: A
A. Correct: RIP version 1 always uses broadcasts to transmit routing table information to other routers. Because all systems on the network must process incoming broadcasts, the amount of traffic generated by the frequent update messages can negatively affect network performance. By upgrading the routers to RIP version 2, you can use multicast transmissions instead of broadcasts. Multicast RIP messages are processed only by other routers.
B. Incorrect: Increasing the Periodic Announcement Interval setting on a RIP router causes the system to transmit its routing table update messages less frequently, reducing the amount of traffic that RIP generates. However, this also reduces the functionality of RIP by causing it to compensate for network configuration changes more slowly.
C. Incorrect: OSPF uses unicast transmissions instead of broadcasts, so it generates less network traffic than RIP. However, OSPF requires more administrative attention than RIP.
D. Incorrect: Static routing generates no network traffic at all, but requires a great deal more administration than RIP.
2. Correct Answers: B and D
A. Incorrect: Implementing OSPF, the link state routing protocol included with Windows Server 2003, requires careful planning and configuration, while RIP, a distance vector routing protocol, requires virtually no planning or configuration.
B. Correct: OSPF uses unicast transmissions to communicate with other routers, while RIP can use only broadcast or multicast transmissions. Unicasts generate less traffic because each packet is processed by only one destination computer.
C. Incorrect: OSPF, a link state routing protocol, uses only unicast transmissions; it does not support multicasting. RIP, a distance vector routing protocol, does support multicasting.
D. Correct: OSPF, a link state routing protocol, computes its metrics based on a variety of factors, while RIP, a distance vector routing protocol, uses only the number of hops for its metrics.
3. Correct Answers: D
A. Incorrect: RIP is a dynamic routing protocol. Although it can use multicast transmissions to send its messages, it does not facilitate multicasting.
B. Incorrect: ICMP is a TCP/IP protocol that routers use to send error messages back to end systems. ICMP has nothing to do with multicasting.
C. Incorrect: OSPF is a dynamic routing protocol that does not provide support for multicasting.
D. Correct: IGMP is the protocol that makes multicasting possible by enabling members of a host group to register themselves with routers.
4. Correct Answers: A, B, and D
A. Correct: RIP version 1 supports only unicast transmissions, while version 2 supports multicasting as well, enabling you to reduce the amount of network traffic that RIP generates.
B. Correct: RIP version 1 cannot supply a Netmask (or subnet mask) value in its routes. The RIP version 2 message format contains a Netmask field.
C. Incorrect: RIP versions 1 and 2 both support the use of broadcast transmissions.
D. Correct: RIP version 1 cannot supply a Gateway value in its routes; RIP routers use the transmitting router’s IP address instead when creating routing table entries from RIP messages. The RIP version 2 message format contains a Gateway field.
Objective 3.2
Plan Security for Remote Access Users
A remote access server enables users at distant locations to connect to a network using a dial-up telephone line or an Internet connection. The remote users establish a connection with the remote access server, which then functions as a router, providing them with access to network resources. The Routing and Remote Access service (RRAS) in Windows Server 2003 is capable of functioning as a remote access server for multiple clients simultaneously. RRAS supports remote access clients using standard dial-up modems and virtual private network (VPN) connections. A VPN connection is a secured conduit through the Internet that connects the remote access client and server. The client dials in to a local Internet service provider (ISP) and establishes a connection to the server using the Internet as a medium.
Having your network accessible through standard telephone lines and the Internet is convenient for your users, but it also opens up your network to any potential intruder with a modem or an Internet connection. Planning security is therefore a major part of implementing a remote access server. Windows Server 2003 RRAS includes a variety of security mechanisms that can protect the server and the network from unauthorized access, including dial-in properties, authentication protocols, and remote access policies.
Dial-in properties are configuration settings that you find on the Dial-In tab of the Properties dialog box for every user object in the Active Directory database. These properties are as follows:
■ Remote Access Permission (Dial-in Or VPN)—Specifies whether the individual user is allowed or denied remote access. You can also specify that remote access be controlled using group memberships, as indicated in remote access policies.
■ Verify Caller ID—Enables you to specify the user’s telephone number, which the system will verify using caller ID during the connection process. If the number the user calls from does not match the number supplied, the system denies the connection.
■ Callback Options—Causes the RRAS server to break the connection after it authenticates a user, then dial the user to reconnect. This mechanism saves on long distance expenses by having the remote access calls originate at the server’s location, but it can also function as a security mechanism if you furnish a specific callback number in this box. The user must be dialing in from the location you specify to connect to the server.
The most basic method for securing a remote access server is to perform an authentication that verifies the user’s identity. In most cases, users authenticate themselves by supplying an account name and password after connecting to the server. The nature of the authentication messages is controlled by an authentication protocol. RRAS supports the following authentication protocol options:
■ Extensible Authentication Protocol (EAP)—An open-ended system that makes it possible for RRAS to use third-party authentication protocols, as well as those supplied with Windows 2000. EAP is the only authentication protocol supported by Windows Server 2003 RRAS that enables you to use mechanisms other than passwords (such as digital certificates stored on smart cards) to verify a user’s identity.
■ Microsoft Encrypted Authentication Version 2 (MS-CHAP v2)—Version 2 of the Microsoft Challenge Handshake Authentication Protocol is a password-based protocol that enables the client and the server to mutually authenticate each other using encrypted passwords. MS-CHAP v2 is the simplest and most secure option to use when your remote access clients are running Microsoft Windows 98 or a later version of the Windows operating system.
■ Microsoft Encrypted Authentication (MS-CHAP)—An earlier version of the MS-CHAP protocol that uses one-way authentication and a single encryption key for transmitted and received messages. The security that MS-CHAP v1 provides is inferior to that of version 2, but RRAS includes it to support remote access clients running Microsoft Windows 95 and Microsoft Windows NT 3.51, which cannot use MS-CHAP v2.
■ Encrypted Authentication (CHAP)—An industry standard authentication protocol that is included in RRAS to support non-Microsoft remote access clients that cannot use MS-CHAP or EAP. CHAP is less secure than either version of MS-CHAP because CHAP requires using a reversibly encrypted password.
■ Shiva Password Authentication Protocol (SPAP)—Shiva Password Authentication Protocol is a relatively insecure authentication protocol designed for use with Shiva remote access products. SPAP uses a reversible encryption mechanism for authentication.
■ Unencrypted Password (PAP)—The Password Authentication Protocol is a password-based authentication protocol that transmits passwords in clear text, leaving them open to interception by packet captures.
■ Allow Remote Systems To Connect Without Authentication—Enables remote access clients to connect to the RRAS server with no authentication at all, enabling anyone to access the network. The use of this option is strongly discouraged.
RRAS also supports the use of Remote Authentication Dial-In User Service (RADIUS), a standard defining a service that provides authentication, authorization, and accounting for remote access installations. A RADIUS server stores the user accounts and passwords for all remote access users, and can provide authentication services for multiple remote access servers.
Remote access policies are sets of conditions that users must meet before RRAS authorizes them to access the server or the network. You can create policies that limit user access based on group memberships, day and time restrictions, and many other criteria. Remote access policies can also specify which authentication protocol and what type of encryption clients must use. Using the Routing And Remote Access console, you can create different policies for different types of connections, such as dial-up, virtual private network (VPN), and wireless connections.
Remote access policies consist of three elements, which are as follows:
■ Conditions—Specific attributes that the policy uses to grant or deny authorization to a user. If there is more than one condition, the user must meet all the conditions before the server can grant access. Some of the conditions that RRAS remote access policies can use include day and time restrictions and the use of a specific authentication protocol, data-link layer protocol, or tunnel type, and membership in a specific group set up using the Windows operating system.
■ Remote access permission—Clients receive permission to access the remote network either by satisfying the conditions of the RRAS server’s remote policies, or by an administrator explicitly granting them the permission on the Dial-in tab of each user’s Properties dialog box.
■ Remote access profile—A set of attributes associated with a remote access policy that the RRAS server applies to a client once it has authenticated and authorized it. The profile can consist of elements such as time limits for the connection or specific IP addresses, authentication protocols, and types of encryption.
Objective 3.2 Plan Security for Remote Access Users
A This solution can accomplish neither of the stated goals: it will neither limit the users’ logon hours nor enable smart card authentication.
B This solution accomplishes only one of the stated goals: it will not limit the users’ logon hours, but it will enable smart card authentication.
C This solution accomplishes only one of the stated goals: it will limit the users’ logon hours, but it will not enable smart card authentication.
D This solution accomplishes both stated goals: it will limit the users’ logon hours and enable smart card authentication.
3 Which of the following Windows Server 2003 remote access configurations would enable an attacker running Network Monitor to read user passwords from captured packets in unencrypted form?
A You configure RRAS to use CHAP for its authentication protocol and enable the Store Password Using Reversible Encryption password policy for all remote access users.
B You configure RRAS to use PAP for its authentication protocol, and issue a smart card to each user.
C You configure the Allow Remote Systems To Connect Without Authentication option on the RRAS server, and create a remote policy with a profile specifying the use of the strongest encryption method available.
D You configure RRAS to use MS-CHAP for its authentication protocol and set up the callback options so the server reconnects to the client at a predetermined telephone number.
4 Which of the following procedures can you use to limit client access to a remote access server based on group membership?
A Modify the properties of the clients’ user objects in the Active Directory Users And Computers console.
B Configure RRAS to use the EAP authentication protocol in the Routing And Remote Access console.
C Configure RRAS to use a RADIUS server to authenticate incoming client connections.
D Use the Routing And Remote Access console to create a remote access policy.
Objective 3.2 Answers
1 Correct Answers: B
A Incorrect: The Password Authentication Protocol transmits passwords in clear text, so it has no encryption requirements.
B Correct: The Challenge Handshake Authentication Protocol requires access to the users’ passwords, and by default, Windows Server 2003 does not store the passwords in a form that CHAP can use. To authenticate users with CHAP, you must open the group policy governing the users and enable the Store Password Using Reversible Encryption password policy mechanism.
C Incorrect: Version 1 of the Microsoft Challenge Handshake Authentication Protocol uses one-way authentication and a single encryption key for transmitted and received messages, but it requires no modification of Active Directory’s password storage method.
D Incorrect: Version 2 of the Microsoft Challenge Handshake Authentication Protocol enables clients and servers to mutually authenticate each other using encrypted passwords, but requires no modification to Active Directory.
2 Correct Answers: C
A Incorrect: You can successfully limit remote access users’ logon hours using a remote access policy, so the solution does accomplish one of the stated goals.
B Incorrect: Remote access policies can limit users’ logon hours, but the MS-CHAP v2 authentication protocol does not support smart cards.
C Correct: The remote access policy can limit users’ logon hours, but to enable smart card authentication, you must use the Extensible Authentication Protocol (EAP).
D Incorrect: While the solution can successfully limit users’ logon hours, you cannot authenticate users with smart cards using MS-CHAP v2.
3 Correct Answers: B
A Incorrect: Storing passwords using a reversible encryption method, as required for the Challenge Handshake Authentication Protocol, does not alter the fact that the passwords are encrypted when the clients transmit them over the remote access connection. An attacker capturing the packets using Network Monitor would not be able to read the encrypted passwords.
B Correct: The Password Authentication Protocol transmits user passwords in clear text, so that anyone capturing the packets with a protocol analyzer such as Network Monitor would be able to read the passwords.
C Incorrect: Although enabling the Allow Remote Systems To Connect Without Authentication option is a grave security risk, there is no danger of passwords being compromised, because the clients do not transmit any passwords at all.
D Incorrect: The Microsoft Challenge Handshake Authentication Protocol always transmits passwords in encrypted form, so there is no danger of passwords being compromised by Network Monitor, regardless of the callback options in effect.
4 Correct Answers: D
A Incorrect: You can grant or deny users remote access and set caller ID and callback options by modifying the properties of user objects, but you cannot limit their access based on group membership.
B Incorrect: Authentication protocols do not limit users’ access based on group memberships or any other criteria. They simply specify the format for the message exchanges that the clients and server will use when authenticating.
C Incorrect: Using RADIUS offloads the authentication process from the RRAS service to an external RADIUS service, but RRAS is still responsible for server access control.
D Correct: Remote access policies enable you to limit user access based on group memberships, day and time restrictions, and various other criteria.
Objective 3.3
Implement Secure Access Between Private Networks
The Routing and Remote Access service in Windows Server 2003 can route traffic between networks at remote locations, using a wide area networking (WAN) link. To do this, you must connect the two sites using any functional WAN technology, such as a dial-up telephone line, leased line, or VPN, and install a router at each site to connect the private network to the WAN. However, one of the problems in implementing a connection between private networks is securing the traffic passing over the WAN link. Depending on the nature of the WAN technology you choose and the sensitivity of your data, you might choose to encrypt the traffic passing between the networks. To do this with routers running Windows Server 2003, you use the IP Security extensions (IPSec).
IPSec is a set of extensions to the Internet Protocol (IP) that enable systems to digitally sign and encrypt data before it is transmitted over the network. With the transmitted data protected in this way, attackers capturing packets cannot read the information inside, nor can they modify the contents of the packet without the modifications being detected by the recipient.
To define when and how computers running Windows Server 2003 use IPSec, you use IPSec policies, which you manage using the IP Security Policies snap-in for Microsoft Management Console (MMC). Windows Server 2003 has three default IPSec policies, which are as follows:
■ Client (Respond Only)—Configures the computer to use IPSec only when another computer requests its use. The computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.
■ Secure Server (Require Security)—Configures the computer to require IPSec security for all communications. If the computer attempts to communicate with another computer and discovers that it does not support IPSec, the computer terminates the connection.
■ Server (Request Security)—Configures the computer to request the use of IPSec when communicating with another computer. If the other computer supports IPSec, the IPSec negotiation begins. If the other computer does not support IPSec, the systems establish a standard, unsecured IP connection.
You can use these policies as they are, modify them, or create your own. An IPSec policy consists of the following elements:
■ Rules—A rule is a combination of an IP filter list and a filter action that specifies when and how the computer should use IPSec. An IPSec policy can consist of multiple rules.
■ IP filter lists—A collection of filters that specifies what traffic the system should secure with IPSec, based on IP addresses, protocols, or port numbers. You can also create filters using a combination of these criteria.
■ Filter actions—Configuration parameters that specify exactly how IPSec should secure the filtered packets. Filter actions specify whether IPSec should use the IP Authentication Header protocol, the IP Encapsulating Security Payload protocol, or both, as well as what data integrity and encryption algorithms the system should use.
To implement an IPSec policy, you can apply it to an individual computer, using local policies, but for network installations, it is more common for administrators to deploy IPSec policies by assigning them to Active Directory objects using group policies. Once you have created IPSec policies in the appropriate places, you must then activate them by selecting Assign from the Action menu in the IP Security Policies snap-in.
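The following added example (a simplified model written for this text, not Windows code and not a Microsoft API) shows how the three policy elements fit together: a rule pairs an IP filter list with a filter action, a tunnel mode rule also names the far tunnel endpoint, and the action decides whether a peer without IPSec is allowed in the clear or refused. All addresses, the database port 1433, the SHA1/3DES choices and every class and policy name are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One entry of an IP filter list; None means 'any'."""
    src_net: str
    dst_net: str
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.protocol in (None, pkt.protocol)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


@dataclass(frozen=True)
class FilterAction:
    protocols: Tuple[str, ...]      # ("AH",), ("ESP",) or ("AH", "ESP")
    integrity: str                  # data integrity algorithm
    encryption: Optional[str]       # None when only AH is used
    allow_clear_fallback: bool      # True = request security, False = require it


@dataclass(frozen=True)
class Rule:
    filter_list: Tuple[Filter, ...]
    action: FilterAction
    tunnel_endpoint: Optional[str] = None   # set only on tunnel mode rules


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]

    def decide(self, pkt: Packet, peer_supports_ipsec: bool = True) -> str:
        """Return what happens to pkt. The sample rules never overlap, so
        precedence between competing filters is deliberately not modelled."""
        for rule in self.rules:
            if any(f.matches(pkt) for f in rule.filter_list):
                if not peer_supports_ipsec:
                    return "clear" if rule.action.allow_clear_fallback else "blocked"
                how = "+".join(rule.action.protocols)
                if rule.tunnel_endpoint:
                    return f"{how} tunnel to {rule.tunnel_endpoint}"
                return f"{how} transport"
        return "clear"   # no filter matched, so IPSec leaves the packet alone


# Constructed sample network: headquarters database server, branch LAN, two routers.
DB_SERVER, DB_PORT = "10.1.0.20/32", 1433
CHICAGO_LAN = "10.2.0.0/16"
NY_ROUTER, CHICAGO_ROUTER = "192.0.2.1", "192.0.2.2"
ANY = "0.0.0.0/0"

ESP_REQUIRE = FilterAction(("ESP",), "SHA1", "3DES", allow_clear_fallback=False)
ESP_REQUEST = FilterAction(("ESP",), "SHA1", "3DES", allow_clear_fallback=True)

# Tunnel mode between the routers, limited to the database port by the filter list.
CHICAGO_ROUTER_POLICY = Policy("database tunnel, Chicago side", (
    Rule((Filter(CHICAGO_LAN, DB_SERVER, "tcp", dst_port=DB_PORT),),
         ESP_REQUIRE, tunnel_endpoint=NY_ROUTER),))
NY_ROUTER_POLICY = Policy("database tunnel, New York side", (
    Rule((Filter(DB_SERVER, CHICAGO_LAN, "tcp", src_port=DB_PORT),),
         ESP_REQUIRE, tunnel_endpoint=CHICAGO_ROUTER),))

# Transport mode policies that differ only in the fallback behaviour.
REQUEST_ALL = Policy("request security for all IP traffic",
                     (Rule((Filter(ANY, ANY),), ESP_REQUEST),))
REQUIRE_ALL = Policy("require security for all IP traffic",
                     (Rule((Filter(ANY, ANY),), ESP_REQUIRE),))

if __name__ == "__main__":
    query = Packet("10.2.3.4", "10.1.0.20", "tcp", 50000, DB_PORT)
    web = Packet("10.2.3.4", "10.1.0.30", "tcp", 50001, 80)
    mail = Packet("10.2.3.4", "10.1.0.25", "tcp", 50002, 25)
    print("database query at Chicago router:", CHICAGO_ROUTER_POLICY.decide(query))
    print("web request at Chicago router:   ", CHICAGO_ROUTER_POLICY.decide(web))
    print("request policy, non-IPSec client:", REQUEST_ALL.decide(mail, False))
    print("require policy, non-IPSec client:", REQUIRE_ALL.decide(mail, False))
```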
Objective 3.3 Questions
1 You are a network administrator for a company with headquarters in New York and a branch office in Chicago. You have installed a T-1 leased line connecting the two offices and you are using computers running Windows Server 2003 as the routers at each end of the WAN connection. There is a database server at headquarters that hosts confidential company information, and users in the Chicago office must be able to access the information on that server. The workstations in the Chicago office are using a variety of operating systems, not all of which support IPSec. You want to use IPSec to encrypt only the database information, and only as it is passing over the T-1 connection. Which of the following solutions can accomplish this goal?
A Configure both routers running Windows Server 2003 to use the Secure Server (Require Security) IPSec policy.
B Configure the database server to use the Secure Server (Require Security) IPSec policy and the clients in the Chicago office to use the Client (Respond Only) policy.
C Create a new IPSec policy for the two routers with a tunnel mode rule and a filter list containing the port numbers used by the database application.
D Modify the Secure Server (Require Security) policy by adding a filter list containing the port numbers used by the database application and configure the database server and the Chicago clients to use it.
2 Which of the following IPSec policies should you use for an e-mail server that you want to use IPSec encryption whenever possible, when some of the clients that must access the server are running operating systems that do not support IPSec?
A Client (Respond Only)
B Server (Request Security)
C Secure Server (Require Security)
D None of the above. You must create a new IPSec policy.
3 When creating IPSec policies using tunnel mode, which of the following configuration elements must the policies contain? (Choose all that apply.)
A The IP addresses of the tunnel endpoints
B The port numbers of all applications that will use the tunnel
C The name of the algorithm that the systems will use to encrypt the traffic passing through the tunnel
D The IP addresses of the clients and servers using the tunnel
4 You are the network administrator for a large corporation in Phoenix that has recently acquired a small company in Albuquerque. Both companies are running networks based on Windows Server 2003, but at this time, the company in Albuquerque is still running a separate network with its own Active Directory installation. Also, neither company has a public key infrastructure (PKI) implementation. You are in the process of creating an IPSec policy that will enable users on the Albuquerque network to access servers in the Phoenix office with complete security. Which of the following authentication methods should you specify in the policy?
Objective 3.3 Answers
1 Correct Answers: C
A Incorrect: Configuring the routers to use the Secure Server (Require Security) policy would encrypt all traffic generated by the routers, but it would not encrypt traffic passing through the routers that is generated by other computers.
B Incorrect: Configuring the database server and clients in this way would protect the traffic generated by the database application, but it would also protect all other application traffic. In addition, the IPSec encryption would not be limited to the T-1 line, but would be in effect for the entire route between the source and destination systems.
C Correct: IPSec in tunnel mode is designed specifically to protect traffic passing between two routers over a WAN link. In tunnel mode, a router receives normal (unencrypted) packets and protects them using IPSec before transmitting them to the router at the other end of the WAN. The other router then decrypts the data and forwards it to its destination. Specifying the port numbers that the database application uses enables the routers to encrypt only the database traffic.
D Incorrect: Even with a filter list that designates only the database server traffic for encryption, this IPSec policy would be in effect over the entire connection between the database server and the clients, not just the T-1 line.
2 Correct Answers: B
A Incorrect: The Client (Respond Only) policy causes a system to use IPSec only when the other system it is communicating with requests it. This policy is not appropriate for a server that you want to use IPSec whenever it can.
B Correct: The Server (Request Security) policy enables the e-mail server to use IPSec whenever the client supports it, but still enables clients that do not support IPSec to access server resources.
C Incorrect: The Secure Server (Require Security) policy would deny clients not supporting IPSec access to the e-mail server.
D Incorrect: There is no need to create a new IPSec policy for this application, because the Server (Request Security) policy satisfies all the stated requirements.
3 Correct Answers: A and C
A Correct: When creating a new IPSec policy, if you elect to use tunnel mode, you must specify the IP address of the system that will function as the endpoint of the tunnel. Typically, this router relays traffic between two private networks using a WAN link.
B Incorrect: The filter list for a tunnel mode IPSec policy is no different from the list for a transport mode policy. You only have to specify port numbers if you want to filter traffic based on the applications generating the traffic.
C Correct: All IPSec policies must specify the algorithm that the system will use to encrypt the protected data.
D Incorrect: IPSec in tunnel mode is an arrangement between the two routers functioning as endpoints for the tunnel. The only requirement for the clients and servers making use of the tunnel is that they have access to the routers.
4 Correct Answers: D
A Incorrect: The Kerberos protocol is the default authentication method for Active Directory networks. However, as these two networks are running completely separate Active Directory installations, clients on one network cannot be authenticated by servers on the other.
B Incorrect: Because neither network has a PKI in place, the use of digital certificates for IPSec authentication would not be practical.
C Incorrect: Smart cards rely on digital certificates, which are stored on the cards. Without a PKI in place, using smart cards for IPSec authentication would not be practical.
D Correct: Using a key that you have supplied to the administrators of the other network beforehand, IPSec systems can authenticate each other without the need for additional infrastructure.
Objective 3.4
Troubleshoot TCP/IP Routing
Windows Server 2003 includes a variety of tools that you can use to troubleshoot TCP/IP routing problems. Most of the following tools are command-line utilities, which you run from a command prompt window. The tools are as follows:
■ ROUTE ROUTE.EXE is a command-line program that you can use to view and manage the routing table on a computer running Windows Server 2003. Whether you are using static or dynamic routing, TCP/IP routing problems are often caused by missing or incorrect information in the routing table, and working directly with the routing table can help you isolate the source of the problem.
■ PING PING is the standard TCP/IP tool for testing connectivity, which takes the form of a command-line program called PING.EXE in Windows Server 2003. By typing ping plus an IP address on the command line, you can test any TCP/IP system’s connectivity with any other system. PING functions by transmitting a series of Echo Request messages containing a sample of random data to the destination you specify, using the Internet Control Message Protocol (ICMP). The system receiving the Echo Request messages must generate an Echo Reply message for each request containing the same data sample, and then return them to the sender. Compared to other tools, PING has relatively limited utility when you are trying to locate a malfunctioning router. You might be able to ping a router’s IP address successfully, even when it is not routing traffic properly. However, as part of your initial troubleshooting efforts, you can use PING to test for routing problems by pinging various computers on different LANs to determine which router is not functioning properly.
■ TRACERT TRACERT.EXE is the Windows Server 2003 command-line implementation of the UNIX traceroute program. TRACERT enables you to view the path that packets take from a computer to a specific destination. When you type tracert and an IP address at the Windows operating system’s command prompt, the program displays a list of the hops to the destination, including the IP address and DNS name (where available) of each router along the way. If the program fails to trace the entire route to the specified destination, you can assume that the problem occurs immediately after the last router listed in the tracing.
■ PATHPING PATHPING.EXE is a Windows Server 2003 command-line tool that is similar to TRACERT in that it traces a path through the network to a particular destination and displays the names and addresses of the routers along the path. PATHPING is different, however, because it is designed to report packet loss rates at each router on the path. After displaying the path to the destination, PATHPING sends 100 packets (by default) to each router on the path and computes the packet loss rate in the form of a percentage. TRACERT is the preferred tool for locating a router failure that completely interrupts communications, while PATHPING is more useful when you can connect to a destination, but you are experiencing data loss or transmission delays.
■ NETSH NETSH.EXE is a Windows Server 2003 command-line utility that enables you to display or modify the network configuration of any computer on the network. NETSH also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. You can use NETSH in a variety of contexts, but for routing purposes, NETSH essentially functions as a command-line equivalent for the Routing And Remote Access console.
■ Network Monitor A graphical utility included with Windows Server 2003 that can capture and analyze packets transmitted to or from any of the network interfaces on the computer where the program is running. Once the program has captured the packets, it uses built-in parsers for the various network protocols to display the packet contents in decoded form. You can use Network Monitor to examine the values of packet header fields, which can help locate and diagnose TCP/IP routing problems.
Objective 3.4 Questions
1 You are the sole network administrator for a small company with an internetwork consisting of five local area networks (LANs) connected by routers. You are currently using static routing, because the network configuration does not often change. You are in the process of adding a sixth LAN to the internetwork, and you must create new static routes to give all the computers on the network access to the new LAN. Which of the following programs can you use to create the new static routes? (Choose all that apply.)
A One of the routers on the way to the destination is not functioning.
B The destination system is not functioning.
C The network interface on the computer you are using is malfunctioning.
D The computer you are using has an incorrect default gateway address.
4 You are able to successfully ping computers on your local network, but you cannot ping computers on other networks. However, when you try to ping the IP address of the computer running Windows Server 2003 that is your default gateway, the test is successful. Based on this information, which of the following statements is definitely not true?
A
B
C The Routing and Remote Access service on the default gateway has shut down.
D The default gateway system is not running.
Objective 3.4 Answers
1 Correct Answers: B and D
A Incorrect: Network Monitor is capable only of capturing and analyzing network traffic; it cannot create static routes.
B Correct: ROUTE.EXE enables you to view a computer’s routing table, as well as create, modify, and delete static routes.
C Incorrect: PATHPING.EXE is a diagnostic tool that can help you to determine whether a router is functioning properly, but you cannot use it to create static routes.
D Correct: NETSH.EXE is a comprehensive configuration and scripting tool that enables you to perform a multitude of network-related functions, including creating static routes on a RRAS server.
2 Correct Answers: A, B, and D
A Correct: You can use PING to test whether a TCP/IP system, including a router, is up and running. Any computer with an operational TCP/IP stack and network interface can receive and return the Internet Control Message Protocol (ICMP) messages generated by the PING program.
B Correct: TRACERT displays the path packets take through an internetwork to reach a particular destination, listing all the routers on the way. If a router appears in the list of hops produced by TRACERT, you know the router is functioning.
C Incorrect: The ROUTE command enables you to manage the routing table on the local computer only. You cannot connect to a router elsewhere on the network and manage it using ROUTE.
D Correct: PATHPING, like TRACERT, displays the path packets take through an internetwork. If a router is listed in the PATHPING output, the router is functioning properly.
3 Correct Answers: A and C
A Correct: When a router is malfunctioning, it does not return the appropriate messages to the TRACERT program, and the path through the network displayed by TRACERT stops at that point.
B Incorrect: When TRACERT fails to create a complete trace through the network, it does not indicate a fault in the destination computer, but rather in one of the routers on the path to that destination.
C Correct: Although unlikely, it is possible for the network interface in the computer running TRACERT to malfunction in the middle of a test, preventing the system from completing the trace.
D Incorrect: If the computer has an incorrect default gateway address, the TRACERT program would not display even one router entry in its output. Because the program does list several router addresses, you know that the default gateway address is correct.
4 Correct Answers: D
A Incorrect: If your computer is configured with an incorrect default gateway address, you might be able to ping the computer using that address successfully, even though the computer is not a router. Therefore, this statement could be true.
B Incorrect: If the default gateway has incorrect routing table entries, it might be unable to forward packets to other networks, even though its TCP/IP stack is functioning properly, enabling it to pass a PING test. Therefore, this statement could be true.
C Incorrect: If RRAS on the default gateway shuts down, the system is unable to route traffic, even though it can still participate on a TCP/IP network. Therefore, this statement could be true.
D Correct: If the default gateway system were not running at all, your attempt to ping it would fail. Therefore, it is not possible for this statement to be true.
Microsoft Windows Server 2003 includes tools and services that you can use to ensure that servers remain available to users. For example, Windows Server 2003 supports clusters, which are groups of connected servers that function as a single resource, sharing the performance load and providing fault tolerance. Regular backups keep servers available by enabling administrators to restore data that is lost due to a drive erasure or failure. Windows Server 2003 includes a Backup program that enables you to protect all your server files, including key elements such as the registry, Active Directory directory service databases, and cluster configuration data.
Keeping servers available is often a matter of anticipating problems that could cause a server failure. Tools such as Network Monitor and the Performance console enable you to track the performance of specific server components, to locate system bottlenecks, and to detect network service failures.
Tested Skills and Suggested Practices
The skills that you need to successfully master the Planning, Implementing, and Maintaining Server Availability objective domain on the 70-293 exam include:
■ Plan services for high availability
❑ Practice 1: Using information from vendors’ World Wide Web sites, catalogs, or manufacturers’ product collateral, research the hardware products currently on the market that you can use to build large Network Load Balancing (NLB) and server clusters.
❑ Practice 2: Design two 10-node clusters: a 10-node server cluster for a database application and a 10-node Web server NLB cluster. Your design should include diagrams of the networks and a list of all the hardware products required to build the clusters.
■ Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks
❑ Practice 1: On a computer running Windows Server 2003, open the Performance console and use System Monitor to examine the performance counters for the system’s various hardware components. Using the explanation that System Monitor provides for each counter, create a list of counters that you think could help you detect performance bottlenecks on a server.
❑ Practice 2: Using the list of counters you created in Practice 1, open the Performance console, create a counter log in the Performance Logs And Alerts snap-in and use it to establish a performance baseline for the computer running Windows Server 2003. Then, create a series of alerts to inform you when system performance parameters reach unacceptable levels.
■ Implement a cluster server
❑ Practice 1: Use the Cluster Administrator application to create a 1-node server cluster on a computer running Windows Server 2003, Enterprise Edition. Study the hardware requirements for creating server clusters and determine what components you would need to add more nodes to the cluster you have created.
❑ Practice 2: On a lab network, install Microsoft Internet Information Services (IIS) on a computer running Windows Server 2003 and use the Network Load Balancing Manager application to create a 1-node NLB cluster.
❑ Practice 3: Study the components that the Windows Server 2003 Backup program protects when you back up the System State element and determine which of these elements can help you restore a cluster node that has suffered a complete hard drive failure.
❑ Practice 4: On a lab network, create a 2-node Web server NLB cluster and monitor the log messages in Network Load Balancing Manager as you disable one of the nodes.
■ Manage Network Load Balancing. Tools might include the Network Load Balancing Manager and the WLBS cluster control utility.
❑ Practice 1: Use Network Load Balancing Manager to add additional nodes to your NLB cluster and monitor the messages displayed in the Manager’s log pane.
❑ Practice 2: Use NLB.EXE or WLBS.EXE to control your NLB cluster, using parameters such as START, STOP, SUSPEND, RESUME, ENABLE, DISABLE, and DRAINSTOP.
Chapter 17 Planning, Implementing, and Maintaining Server Availability
■ Plan a backup and recovery strategy
❑ Practice 1: Using the Windows Server 2003 Backup program, create backup jobs to perform differential or incremental jobs six days a week and a normal job on the seventh day.
❑ Practice 2: Perform a full system backup using the Windows Server 2003 Backup program, then practice restoring individual files, multiple files, and folders, both to their original locations and to an alternate location, using the various file overwrite options.
Further Reading
This section lists supplemental readings by objective. We recommend that you study these sources thoroughly before taking exam 70-293.
Objective 4.1 Review Lessons 1, 2, and 3 in Chapter 7, “Clustering Servers.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit. Volume: Planning Server Deployments. Redmond, Washington: Microsoft Press, 2003. Review Chapter 6, “Planning for High Availability and Scalability.” This volume can also be found on Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
Microsoft Corporation. Microsoft Encyclopedia of Networking, 2d ed. Redmond, Washington: Microsoft Press, 2002. See entries for “clustering.”
Objective 4.2 Review Lesson 2 in Chapter 6, “Maintaining Server Availability.”
Microsoft Corporation. Microsoft Windows 2000 Server Resource Kit. Volume: Windows 2000 Server Operations Guide. Redmond, Washington: Microsoft Press, 2000. Review Chapters 5 to 9. (The performance monitoring principles outlined in these chapters are applicable to Windows Server 2003.)
Objective 4.3 Review Lesson 3 in Chapter 6, “Maintaining Server Availability” and Lessons 1, 2, and 3 in Chapter 7, “Clustering Servers.”
Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit. Volume: Planning Server Deployments. Redmond, Washington: Microsoft Press, 2003. Review Chapter 7, “Designing and Deploying Server Clusters.” This volume can also be found on Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx