Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293
Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.
The Syngress Study Guide & DVD Training System includes:
■ Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
■ Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.
■ Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/certification
Martin Grasdal
Laura E Hunter
Michael Cross
Laura Hunter Technical Reviewer
Debra Littlejohn Shinder Technical Editor
Dr Thomas W Shinder Technical Editor
Planning and Maintaining a Windows Server
2003 Network Infrastructure: Exam 70-293
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293
Study Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-93-0
Technical Editors: Debra Littlejohn Shinder, Dr. Thomas W. Shinder
Technical Reviewer: Laura E. Hunter
Acquisitions Editor: Jonathan Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: John Vickers
Copy Editor: Michelle Melani and Marilyn Smith
Indexer: Nara Wood
DVD Production: Michael Donovan
DVD Presenter: Laura Hunter
Acknowledgments
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.
A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE 2003 guides. Thank you both for all your work.
Another special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan manages our book network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.
Contributors
Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years experience in the computer industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for BrainBuzz.com, where he was also responsible for all study guide and technical content on the CramSession.com Web site. Martin currently works actively as a consultant, author, and editor. His recent consulting experience includes contract work for Microsoft as a Technical Contributor to the MCP Program on projects related to server technologies. Martin lives in Edmonton, Alberta, Canada with his wife Cathy and their two sons. Martin’s past authoring and editing work with Syngress has included the following titles: Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder’s ISA Server & Beyond: Real World Security Solutions for Microsoft Enterprise Networks (ISBN: 1-931836-66-3).
Van Varnell (Master CNE, MCSE, MCDBA) is a Senior Network Analyst for Appleton, Inc. His areas of expertise are development and maintenance of high-availability systems, storage area networks and storage platforms, performance monitoring systems, and data center operations. Van has held high-level positions in the industry over the 15 years of his career including that of Windows Systems Architect for Motorola and Senior Consultant for Integrated Information Systems. Van holds a bachelor’s degree in Computer Information Systems and currently resides in Wisconsin with his wife Lisa and five children (Brennan, Kyle, Katelyn, Kelsey, and Kevin). He wishes to thank his wife and kids for being his wife and kids, and Jon Babcock of Syngress for his patience and assistance.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, and network administration. As part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides computer-related services like Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and has been published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada with his lovely wife Jennifer and his darling daughter Sara.
Paul M. Summitt (MCSE, CCNA, MCP+I, MCP) has a Masters degree in Mass Communication. Currently the IT Director for the Missouri County Employees’ Retirement Fund, Paul has served as network, exchange, and database administrator as well as Web and application developer. Paul has written previously on virtual reality and Web development and has served as technical editor for several books on Microsoft technologies. Paul lives in Columbia, Missouri with his life and writing partner Mary. To the Syngress editorial staff, my thanks for letting me be a part of this project. To my kids, adulthood is just the beginning of all the fun you can have.
Rob Amini (MCSE, MCDBA, MCT) is currently a systems manager for Marriott International in Salt Lake City, Utah. He has a Bachelor’s degree in computer science and has been breaking and fixing machines since the Atari 800 was considered state of the art. In 1993 he began his professional career by fixing IBM mainframes and various unix-flavored boxes. After a long stint as a technician and systems admin, he gained fabled notoriety as a pun-wielding Microsoft trainer. Rob has continued as an instructor for more than three years and although teaching is his first love, he tends to enjoy technical writing more than a well-adjusted person should. When actually not working with and programming a variety of electronic gizmos, Rob enjoys spending every minute he can with his beautiful wife Amy and the rest of his supportive family.
Dan Douglass (MCSE+I, MCDBA, MCSD, MCT) is a software developer and trainer with a cutting edge medical software company in Dallas, Texas. He currently provides software development skills, internal training and integration solutions, as well as peer guidance for technical skills development. His specialties include enterprise application integration and design, HL7, XML, XSL, Visual Basic, database design and administration, Back Office and .NET Server platforms, network design, Microsoft operating systems, and FreeBSD. Dan is a former US Navy Submariner and lives in Plano, TX with his very supportive and understanding wife, Tavish.
Jada Brock-Soldavini is an MCSE and holds a degree in Computer Information Systems. She has worked in the Information Technology Industry for over 7 years. She is working on her Cisco certification track currently and has contributed to over a dozen books and testing software for the Microsoft exam curriculum. She works for the State of Georgia as a Network Services Administrator. When she is not working on her technical skills she enjoys playing the violin. Jada is married and lives in the suburbs of Atlanta with her husband and children.
Michael Moncur is an MCSE and CNE. He is the author of several best-selling books about networking and the Internet, including MCSE In a Nutshell: The Windows 2000 Exams (O’Reilly and Associates). Michael lives in Salt Lake City with his wife, Laura.
Technical Reviewer, DVD Presenter, and Contributor
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of websites.
Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.
Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.
Technical Editors
Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and writer who has authored a number of books on networking, including Scene of the Cybercrime: Computer Forensics Handbook published by Syngress Publishing (ISBN: 1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000 (ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is also a technical editor and contributor to books on subjects such as the Windows 2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP News and is regularly published in TechRepublic’s TechProGuild and Windowsecurity.com. Deb specializes in security issues and Microsoft products. She lives and works in the Dallas-Fort Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation. Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides and is author of the best selling books Configuring ISA Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom Shinder’s ISA Server and Beyond (ISBN: 1-931836-66-3). Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also content editor, contributor, and moderator for the World’s leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom’s leadership in the ISA Server community and awarded him their Most Valued Professional (MVP) award in December of 2001.
Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.
MCSE 70-293 Exam Objectives Map and Table of Contents

All of Microsoft’s published objectives for the MCSE 70-293 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-293 Exam objectives.

Exam Objective Map

Objective Chapter
1 Planning and Implementing Server Roles and Server Security 2
1.1 Configure security for servers that are assigned specific roles 2
1.2 Plan a secure baseline installation 2
1.2.1 Plan a strategy to enforce system default security settings on new systems 2
1.2.2 Identify client operating system default security settings 2
1.2.3 Identify all server operating system default security settings 2
1.3 Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers. 2
1.3.1 Deploy the security configuration for servers that are assigned specific roles 2
1.3.2 Create custom security templates based on server roles 2
1.4 Evaluate and select the operating system to install on computers in an enterprise 2
1.4.1 Identify the minimum configuration to satisfy security requirements 2
2 Planning, Implementing, and Maintaining a Network Infrastructure 3, 4, 5
2.1 Plan a TCP/IP network infrastructure strategy 3
2.1.1 Analyze IP addressing requirements 3
2.1.2 Plan an IP routing solution 3, 4
2.1.3 Create an IP subnet scheme 3
2.2 Plan and modify a network topology 3
2.2.1 Plan the physical placement of network resources 3
2.2.2 Identify network protocols to be used 3
2.3 Plan an Internet connectivity strategy 5
2.4 Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. 3
2.5 Troubleshoot connectivity to the Internet 5
2.5.1 Diagnose and resolve issues related to Network Address Translation (NAT) 5
2.5.2 Diagnose and resolve issues related to name resolution cache information 6
2.5.3 Diagnose and resolve issues related to client configuration 4
2.6 Troubleshoot TCP/IP addressing 3
2.6.1 Diagnose and resolve issues related to client computer configuration 3
2.6.2 Diagnose and resolve issues related to DHCP server address assignment 3
2.7 Plan a host name resolution strategy 6
2.7.1 Plan a DNS namespace design 6
2.7.2 Plan zone replication requirements 6
2.7.3 Plan a forwarding configuration 6
2.7.5 Examine the interoperability of DNS with third-party DNS solutions 6
2.8 Plan a NetBIOS name resolution strategy 6
2.8.1 Plan a WINS replication strategy 6
2.8.2 Plan NetBIOS name resolution by using the 6
3 Planning, Implementing, and Maintaining Routing and Remote Access 4, 7
3.1.1 Identify routing protocols to use in a specified environment 4
3.1.2 Plan routing for IP multicast traffic 4
3.2 Plan security for remote access users 7
3.2.1 Plan remote access policies 7
3.2.2 Analyze protocol security requirements 7
3.2.3 Plan authentication methods for remote 7
4.1.2 Plan a high availability solution that uses Network Load Balancing 9
4.2 Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks 8
4.2.1 Identify system bottlenecks by using System Monitor 8
4.3.1 Recover from cluster node failure 9
4.4 Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. 9
4.5 Plan a backup and recovery strategy 8
4.5.1 Identify appropriate backup types. Methods include full, incremental, and differential. 8
4.5.2 Plan a backup strategy that uses volume shadow copy 8
4.5.3 Plan system recovery that uses Automated System Recovery (ASR) 8
5 Planning and Maintaining Network Security 10, 11
5.1 Configure network protocol security 10
5.1.1 Configure protocol security in a heterogeneous client computer environment 10
5.1.2 Configure protocol security by using IPSec policies 10
5.2 Configure security for data transmission 10
5.2.1 Configure IPSec policy settings 10
5.3 Plan for network protocol security 10
5.3.1 Specify the required ports and protocols for 4
5.4.2 Plan for remote administration by using Terminal Services 7
5.5 Plan security for wireless networks 11
5.6 Plan security for data transmission 10
5.6.1 Secure data transmission between client computers to meet security requirements 10
5.6.2 Secure data transmission by using IPSec 10
5.7 Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. 10
6 Planning, Implementing, and Maintaining 11, 12
6.2.1 Identify the appropriate type of certificate authority to support certificate issuance requirements 12
6.2.2 Plan the enrollment and distribution of 12
framework for security
6.4 Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. 11
Chapter 1 Using Windows Server 2003 Planning Tools
Introduction ………2
Overview of Network Infrastructure Planning ………2
Planning Strategies ………3
Using Planning Tools ………3
Fundamentals of Network Design ………9
Analyzing Organizational Needs ………11
Information Flow Factors ………11
Management Model and Organizational Structure ………12
Centralization versus Decentralization ………13
Management Priorities ………14
Availability/Fault Tolerance ………15
Security ………15
Scalability ………16
Performance ………16
Cost ………16
User Priorities ………17
Electronic Communications ………17
Scheduling/Task Management ………18
Project Collaboration ………19
Data Storage and Retrieval ………21
Internet Research ………23
Application Services ………23
Print Services ………24
Graphics/Audio/Video Services ………26
Reviewing Legal and Regulatory Considerations ………26
Calculating TCO ………27
Planning for Growth ………28
Developing a Test Network Environment ………29
Planning the Test Network ………30
Implementing the Test Network ………34
Documenting the Planning and Network Design Process …………36
Importance of Documentation ………37
Creating the Planning and Design Document ………37
Summary of Exam Objectives ………39
Exam Objectives Fast Track ………40
Exam Objectives Frequently Asked Questions ………41
Self Test ………43
Self Test Quick Answer Key ………51
Chapter 2 Planning Server Roles and Server Security 53
Introduction ………54
1.1.1 Understanding Server Roles ………54
Domain Controllers (Authentication Servers) ………58
Active Directory ………58
Operations Master Roles ………59
File and Print Servers ………62
Print Servers ………62
File Servers ………62
DHCP, DNS, and WINS Servers ………63
DHCP Servers ………63
DNS Servers ………64
WINS Servers ………65
Web Servers ………65
Web Server Protocols ………66
Web Server Configuration ………67
Database Servers ………68
Mail Servers ………68
Certificate Authorities ………69
PKI ………69
Certificates ………70
Certificate Services ………71
Application Servers and Terminal Servers ………75
Application Servers ………75
Terminal Servers ………78
1.1 Planning a Server Security Strategy ………78
1.4 Choosing the Operating System ………79
Security Features ………81
Functional Levels ………83
1.4.1 Identifying Minimum Security Requirements for Your Organization ………91
Identifying Configurations to Satisfy Security Requirements ………93
1/1.2 Planning Baseline Security ………94
Security Templates and Tools ………94
Predefined Templates ………95
Security Configuration and Analysis ………98
Group Policy Object Editor ………99
Secedit ………100
Planning Secure Baseline Installation Parameters ………103
Using Security Configuration and Analysis to Analyze a Computer ………103
1.2.1/1.2.2 Enforcing Default Security Settings on New Computers ……109
1.2.3 Using Security Configuration and Analysis to Apply Templates to a Local Computer ………109
Using Group Policy Object Editor to Apply Templates ……109
1 Customizing Server Security ………113
1.3/1.3.1 Securing Servers According to Server Roles ………113
Security Issues Related to All Server Roles ………113
Securing Domain Controllers ………121
Securing File and Print Servers ………122
Securing DHCP, DNS, and WINS Servers ………125
Securing Web Servers ………126
Securing Database Servers ………127
Securing Mail Servers ………128
Securing CAs ………129
Securing Application and Terminal Servers ………130
1.3.2 Creating Custom Security Templates ………131
Deploying Security Configurations ………134
Summary of Exam Objectives ………137
Exam Objectives Fast Track ………137
Exam Objectives Frequently Asked Questions ………139
Self Test ………140
Self Test Quick Answer Key ………146
Chapter 3 Planning, Implementing, and Maintaining the TCP/IP Infrastructure 147
2/2.1/2.1.2 Introduction ………148
Understanding Windows 2003 Server Network Protocols …………148
2.2.2 Identifying Protocols to Be Used ………149
Advantages of the TCP/IP Protocol Suite ………151
The Multiprotocol Network Environment ………153
Reviewing TCP/IP Basics ………160
What’s New in TCP/IP for Windows Server 2003 ………164
IGMPv3 ………165
IPv6 ………165
Alternate Configuration ………166
Automatic Determination of Interface Metric ………167
2/2.1/2.1.2 Planning an IP Addressing Strategy ………171
2.1.1 Analyzing Addressing Requirements ………171
2.1.3 Creating a Subnetting Scheme ………173
Classful Addressing ………173
Understanding ANDing and Binary Numbering …………175
Subnetting Networks ………177
Classless Inter-Domain Routing (CIDR) ………180
2.6 Troubleshooting IP Addressing ………181
2.6.1 Client Configuration Issues ………181
2.6.2 DHCP Issues ………182
Transitioning to IPv6 ………183
IPv6 Utilities ………184
6to4 Tunneling ………192
IPv6 Helper Service ………192
The 6bone ………193
Teredo (IPv6 with NAT) ………193
2/2.1 Planning the Network Topology ………193
2.1.2/2.2 Analyzing Hardware Requirements ………193
2.2.1 Planning the Placement of Physical Resources ………194
Chapter 4 Planning, Implementing, and Maintaining a
3.1.2 Planning a Routing Strategy for IP Multicast Traffic ………223
Routing Protocols ………225
Using Netsh Commands ………233
Evaluating Routing Options ………236
Selecting Connectivity Devices ………236
Switches ………242
Routers ………245
Windows Server 2003 As a Router ………245
2/2.1.2/3/3.1/5.3.1 Security Considerations for Routing ………257
Analyzing Requirements for Routing Components …………259
Simplifying Network Topology to Provide Fewer Attack Points ………259
Minimizing the Number of Network Interfaces and Routes ………260
Minimizing the Number of Routing Protocols ………260
Router-to-Router VPNs ………263
Packet Filtering and Firewalls ………268
Logging Level ………269
2/2.1.2/3/3.4 Troubleshooting IP Routing ………270
Identifying Troubleshooting Tools ………271
Common Routing Problems ………274
Interface Configuration Problems ………274
RRAS Configuration Problems ………274
Routing Protocol Problems ………275
2.5.3 TCP/IP Configuration Problems ………276
Routing Table Configuration Problems ………276
Summary of Exam Objectives ………277
Exam Objectives Fast Track ………277
Exam Objectives Frequently Asked Questions ………279
Self Test ………280
Self Test Quick Answer Key ………285
Chapter 5 Planning, Implementing, and Maintaining an
Introduction ………288
2/2.3/2.5 Connecting the LAN to the Internet ………289
Routed Connections ………289
Advantages of Routed Connections ………289
Hardware and Software Routers ………289
IP Addressing for Routed Connections ………290
Translated Connections ………290
2.5 Network Address Translation (NAT) ………291
Internet Connection Sharing (ICS) ………297
2/2.3 Implementing Virtual Private Networks (VPNs) ………300
Internet-based VPNs ………301
How Internet-based VPNs Work ………301
Configuring Internet-based VPNs ………302
Router-to-Router VPNs ………303
On Demand/Demand-Dial Connections ………304
One-Way versus Two-Way Initiation ………306
Persistent Connections ………306
Remote-Access Policies ………306
VPN Protocols ………306
PPTP ………307
L2TP ………307
VPN Security ………307
MPPE ………307
IPSec ………307
2/2.3 Using Internet Authentication Service (IAS) ………308
Advantages of IAS ………308
Centralized User Authentication and Authorization ………308
Centralized Auditing and Accounting ………309
RRAS Integration ………309
Control via Remote-Access Policies ………309
Extensibility and Scalability ………309
IAS Management ………309
Activating IAS Authentication ………310
Using the IAS MMC Snap-in ………312
IAS Monitoring ………313
IAS SDK ………313
Authentication Methods ………314
PPP-based Protocols ………314
EAP ………314
Authorization Methods ………317
Dialed Number Identification Service (DNIS) ………317
Automatic Number Identification (ANI) and Calling Line Identification (CLI) ………317
Guest Authorization ………317
Access Server Support ………318
Outsourced Dialing ………318
2/2.3 Using Connection Manager ………318
Using CMAK ………319
Installing and Running CMAK ………319
Service Profiles ………323
Custom Actions ………323
Custom Help ………324
VPN Support ………324
Connection Manager Security Issues ………324
Preventing Editing of Service Profile Files ………324
Client Operating System, File System, and Configuration …324
Preventing Users from Saving Passwords ………325
Secure Distribution of Service Profiles ………325
Summary of Exam Objectives ………326
Exam Objectives Fast Track ………326
Exam Objectives Frequently Asked Questions ………328
Self Test ………330
Self Test Quick Answer Key ………334
Chapter 6 Planning, Implementing, and Maintaining a
Introduction ………336
2.7 Planning for Host Name Resolution ………337
Understanding Host Naming ………337
NetBIOS over TCP/IP ………338
Host Names ………338
Understanding the Hosts File ………339
Understanding DNS ………341
2.7.1 Designing a DNS Namespace ………357
Choosing the Parent Domain Name ………358
Host Naming Conventions and Limitations ………359
DNS and Active Directory (AD) ………361
Supporting Multiple Namespaces ………363
Planning DNS Server Deployment ………369
Planning the Number of DNS Servers ………369
Planning for DNS Server Capacity ………371
Planning DNS Server Placement ………372
Planning DNS Server Roles ………373
2.7.2 Planning for Zone Replication ………377
Active Directory-integrated Zone Replication Scope ………379
Security for Zone Replication ………382
General Guidelines for Planning for Zone Replication ……382
2.7.3 Planning for Forwarding ………383
Conditional Forwarding ………384
General Guidelines for Using Forwarders ………386
DNS/DHCP Interaction ………387
Security Considerations for DDNS and DHCP ………389
Aging and Scavenging of DNS Records ………391
2.7.5 Windows Server 2003 DNS Interoperability ………392
BIND and Other DNS Server Implementations ………393
Zone Transfers with BIND ………395
Supporting AD with BIND ………397
Split DNS Configuration ………398
Interoperability with WINS ………399
2.7.4 DNS Security Issues ………404
Common DNS Threats ………406
Securing DNS Deployment ………407
DNS Security Levels ………408
General DNS Security Guidelines ………410
Monitoring DNS Servers ………412
Testing DNS Server Configuration with the DNS Console Monitoring Tab ………413
Debug Logging ………414
Event Logging ………415
Monitoring DNS Server Using the Performance Console …415
Command-line Tools for Maintaining and Monitoring DNS Servers ………416
2.8 Planning for NetBIOS Name Resolution ………417
Understanding NETBIOS Naming ………418
NetBIOS Name Resolution Process ………418
2.8.2 Understanding the LMHOSTS File ………420
Understanding WINS ………421
What’s New for WINS in Windows Server 2003 …………424
Planning WINS Server Deployment ………424
Server Number and Placement ………424
2.8.1 Planning for WINS Replication ………427
Replication Partnership Configuration ………428
Replication Models ………434
WINS Issues ………437
Static WINS Entries ………438
Multihomed WINS Servers ………439
Client Configuration ………440
Preventing Split WINS Registrations ………444
Performance Issues ………444
Security Issues ………449
Planning for WINS Database Backup and Restoration ……451
2.5.2 Troubleshooting Name Resolution Issues ………452
2.9 Troubleshooting Host Name Resolution ………453
Issues Related to Client Computer Configuration …………454
2.9.1 Issues Related to DNS Services ………455
Troubleshooting NetBIOS Name Resolution ………457Issues Related to Client Computer Configuration …………457Issues Related to WINS Servers ………458Summary of Exam Objectives ………461Exam Objectives Fast Track ………469Exam Objectives Frequently Asked Questions ………472Self Test ………474Self Test Quick Answer Key ………483
Chapter 7 Planning, Implementing, and Maintaining a
Introduction ………486
3 Planning the Remote Access Strategy ………486
Analyzing Organizational Needs ………487
Analyzing User Needs ………487
Selecting Remote Access Types To Allow ………487
Dial-In ………488
VPN ………488
Wireless Remote Access ………489
3 Addressing Dial-In Access Design Considerations ………489
Allocating IP Addresses ………490
Static Address Pools ………490
Using DHCP for Addressing ………490
Using APIPA ………491
Determining Incoming Port Needs ………491
Multilink and BAP ………491
Selecting an Administrative Model ………492
Access by User ………493
Access by Policy ………494
3/3.3 Addressing VPN Design Considerations ………495
Selecting VPN Protocols ………496
Client Support ………496
Data Integrity and Sender Authentication ………496
PKI Requirements ………497
Installing Machine Certificates ………497
Configuring Firewall Filters ………499
Creating Access Policies ………500
3 Addressing Wireless Remote Access Design Considerations ………500
The 802.11 Wireless Standards ………501
Using IAS for Wireless Connections ………501
Configuring Remote Access Policies for Wireless Connections ………502
Multiple Wireless Access Points ………503
Placing CA on VLAN for New Wireless Clients ………503
Configuring WAPs as RADIUS Clients ………503
Wireless Encryption and Security ………504
WEP (Wired Equivalent Privacy) ………504
802.1X ………504
WPA ………505
3.2.2/3/3.2/3.2.1 Planning Remote Access Security ………505
Domain Functional Level ………505
Determining the Functional Level ………506
Raising the Domain Functional Level ………507
3.2.3 Selecting Authentication Methods ………508
Disallowing Password-Based Connections (PAP, SPAP, CHAP, MS-CHAP v1) ………509
Using MS-CHAP v2 ………511
Using EAP ………511
Using RADIUS/IAS vs Windows Authentication ………512
Selecting the Data Encryption Level ………512
Using Callback Security ………513
Managed Connections ………513
Mandating Operating System/File System ………514
Using Smart Cards for Remote Access ………514
3 Creating Remote Access Policies ………515
Policies and Profiles ………515
Authorizing Remote Access ………516
Authorizing Access By User ………516
Authorizing Access By Group ………518
Restricting Remote Access ………520
Restricting by User/Group Membership ………521
Restricting by Type of Connection ………521
Restricting by Time ………523
Restricting by Client Configuration ………524
Restricting Authentication Methods ………524
Restricting by Phone Numbers or MAC Addresses ………525
Controlling Remote Connections ………525
Controlling Idle Timeout ………525
Controlling Maximum Session Time ………525
Controlling Encryption Strength ………527
Controlling IP Packet Filters ………528
Controlling IP Addresses for PPP Connections ………528
3/5.4 Creating a Plan to Offer Remote Assistance to Client Computers ………529
How Remote Assistance Works ………529
Using Remote Assistance ………530
Configuring Remote Assistance for Use ………530
Asking for Assistance ………532
Completing the Connection ………537
Managing Open Invitations ………540
Offering Remote Assistance to your Clients ………542
Remote Assistance Security Issues ………543
3/5.4.2 Planning for Remote Administration by Using Terminal Services ………545
Using Remote Desktop for Administration ………545
Configuring RDA ………545
Setting Up Authentication ………546
Advantages of RDA Over Other Remote Administration Methods ………546
Remote Desktop Security Issues ………547
Summary of Exam Objectives ………549
Exam Objectives Fast Track ………550
Exam Objectives Frequently Asked Questions ………552
Self Test ………553
Self Test Quick Answer Key ………558
Chapter 8 Planning, Implementing, and Maintaining
Introduction ………560
4/4.1/4.2 Understanding Performance Bottlenecks ………560
Identifying System Bottlenecks ………561
Memory ………561
Processor ………563
Disk ………564
Network Components ………568
4.2.1 Using the System Monitor Tool to Monitor Servers ………570
Using Event Viewer to Monitor Servers ………584
Using Service Logs to Monitor Servers ………593
4/4.1/4.5 Planning a Backup and Recovery Strategy ………593
4.5.1 Understanding Windows Backup ………594
Types of Backups ………596
Determining What to Back Up ………600
Using Backup Tools ………602
Using the Windows Backup Utility ………602
Using the Command-Line Tools ………604
Selecting Backup Media ………604
Scheduling Backups ………605
Restoring from Backup ………606
4.5.3/4/4.1 Planning System Recovery with ASR ………612
What Is ASR? ………613
How ASR Works ………613
Alternatives to ASR ………614
Safe Mode Boot ………614
Last Known Good Boot Mode ………614
ASR As a Last Resort ………615
Using the ASR Wizard ………615
Performing an ASR Restore ………617
Planning for Fault Tolerance ………618
Network Fault-Tolerance Solutions ………619
Internet Fault-Tolerance Solutions ………619
Disk Fault-Tolerance Solutions ………620
RAID ………620
Hot Spare Drives ………624
Server Fault-Tolerance Solutions ………624
Summary of Exam Objectives ………626
Exam Objectives Fast Track ………627
Exam Objectives Frequently Asked Questions ………630
Self Test ………631
Self Test Quick Answer Key ………638
Chapter 9 Implementing Windows Cluster Services
Introduction ………640
4.1.1 Making Server Clustering Part of Your High-Availability Plan ………641
Terminology and Concepts ………641
Cluster Nodes ………641
Cluster Groups ………642
Failover and Failback ………643
Cluster Services and Name Resolution ………643
How Clustering Works ………643
Cluster Models ………644
Single Node ………644
Single Quorum Device ………645
Majority Node Set ………646
4.3 Server Cluster Deployment Options ………647
N-Node Failover Pairs ………648
Hot-Standby Server/N+I ………649
Failover Ring ………651
Random ………652
Server Cluster Administration ………653
Using the Cluster Administrator Tool ………653
Using Command-Line Tools ………654
4.3.2 Recovering from Cluster Node Failure ………657
Server Clustering Best Practices ………657
Hardware Issues ………658
4.3 Cluster Network Configuration ………662
Security ………667
4.1.2 Making Network Load Balancing Part of Your High-Availability Plan ………678
Terminology and Concepts ………678
Hosts/Default Host ………678
Load Weight ………679
Traffic Distribution ………679
Convergence and Heartbeats ………680
How NLB Works ………681
Relationship of NLB to Clustering ………681
4.4 Managing NLB Clusters ………682
Using the NLB Manager Tool ………682
Remote Management ………683
Command-Line Tools ………684
NLB Error Detection and Handling ………687
Summary of Exam Objectives ………699
Exam Objectives Fast Track ………699
Exam Objectives Frequently Asked Questions ………701
Self Test ………702
Self Test Quick Answer Key ………708
Chapter 10 Planning, Implementing, and Maintaining Internet Protocol Security ………709
3.3.1/5/5.3/5.6/5.6.1/5.6.2/5.1 Deploying IPSec ………726
Determining Organizational Needs ………727
5.7 Troubleshooting IPSec ………751
Using netdiag for Troubleshooting Windows Server 2003 IPSec ………751
Viewing Policy Assignment Information ………752
Viewing IPSec Statistics ………753
Using Packet Event Logging to Troubleshoot IPSec ………755
Using IKE Detailed Tracing to Troubleshoot IPSec ………757
Using the Network Monitor to Troubleshoot IPSec ………759
Disabling TCP/IP and IPSec Hardware Acceleration to Solve IPSec Problems ………760
3.3.1/5/5.2/5.7 Addressing IPSec Security Considerations ………761
Strong Encryption Algorithm (3DES) ………761
Firewall Packet Filtering ………762
Diffie-Hellman Groups ………762
Pre-shared Keys ………763
Advantages and Disadvantages of Pre-shared Keys ………764
Considerations when Choosing a Pre-shared Key ………764
Soft Associations ………764
3.3.1/5/5.7 Using RSoP for IPSec Planning ………765
Using the RSoP Wizard ………766
Security and RSoP ………766
Selecting the RSoP Mode for IPSec-related Queries ………766
Logging Mode Queries ………767
Planning Mode Queries ………768
Summary ………769
Exam Objectives Fast Track ………770
Exam Objectives Frequently Asked Questions ………772
Self Test ………772
Self Test Quick Answer Key ………779
Chapter 11 Planning, Implementing, and
Introduction ………782
5/5.4/6/6.3 Planning and Implementing Active Directory Security ………782
Understanding Permission Types ………787
Active Directory Permissions ………787
NTFS Permissions ………788
Share Permissions ………789
Physically Securing Domain Controllers ………790
Securing the Schema ………790
Managing Cross-domain and Cross-forest Security Relationships ………791
Cross-domain Relationships ………791
Cross-forest Relationships ………793
Account Security ………795
5/5.4/5.5/6/6.3 Planning and Implementing Wireless Security ………801
Understanding Wireless Networking ………803
Wireless Network Types ………803
EAP Authentication ………804
How Wireless Networking Works ………806
Authentication for Wireless Networks ………806
Authentication Protocols ………810
Wireless Security Issues ………812
Default Settings ………813
WEP Weaknesses ………815
Making Wireless More Secure ………815
5/6/6.3/6.3.1 Monitoring and Optimizing Security ………817
Wireless Monitor ………817
Object-based Access Control ………818
Auditing ………818
Auditing Registry Keys ………821
Auditing Files or Folders ………822
Viewing the Results of Auditing ………823
Security Log Settings ………823
Security Policies ………823
Password Policies ………824
Kerberos Policies ………825
Account Lockout Policies ………826
User Rights ………826
Security Templates ………827
5/6/6.3/6.3.1/5.4 Planning a Change and Configuration Management Framework ………830
5/6/6.3/6.3.1/5.4 Planning a Security Update Infrastructure ………830
Understanding the Importance of Regular Security Updates ………831
Using Microsoft Baseline Security Analyzer (MBSA) ………831
Installing the Microsoft Baseline Security Analyzer ………832
Using Microsoft Software Update Services (SUS) ………837
Summary of Exam Objectives ………848
Exam Objectives Fast Track ………851
Exam Objectives Frequently Asked Questions ………852
Self Test ………853
Self Test Quick Answer Key ………859
Chapter 12 Planning, Implementing, and Maintaining
Introduction ………862
6/6.2 Planning a Windows Server 2003 Certificate-Based PKI ………862
Understanding Public Key Infrastructure ………863
Public Key Cryptography ………864
The Function of the PKI ………867
Components of the PKI ………867
Understanding Digital Certificates ………868
User Certificates ………870
Machine Certificates ………870
Application Certificates ………870
6.2.1 Understanding Certification Authorities ………870
How Microsoft Certificate Services Works ………872
6/6.1/6.2.1 Implementing Certification Authorities ………875
Analyzing Certificate Needs within the Organization ………881
Determining Appropriate CA Type(s) ………881
Enterprise CAs ………882
Stand-Alone CAs ………882
Planning the CA Hierarchy ………883
Planning CA Security ………885
Certificate Revocation ………886
6/6.1/6.2.2 Planning Enrollment and Distribution of Certificates ………887
Certificate Templates ………887
Certificate Requests ………892
Auto-Enrollment Deployment ………895
Role-Based Administration ………896
6/6.2.3 Implementing Smart Card Authentication in the PKI ………897
What Are Smart Cards? ………897
How Smart Card Authentication Works ………898
Deploying Smart Card Logon ………898
Smart Card Readers ………899
Smart Card Enrollment Station ………899
Using Smart Cards To Log On to Windows ………899
Using Smart Cards for Remote Access VPNs ………903
Using Smart Cards To Log On to a Terminal Server ………906
Summary of Exam Objectives ………907
Exam Objectives Fast Track ………908
Exam Objectives Frequently Asked Questions ………910
Self Test ………912
Self Test Quick Answer Key ………918
Foreword

This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number 70-293, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam, and help to prepare them to work in the real world of Microsoft computer networking in an Active Directory domain environment.

What is Exam 70-293?

Exam 70-293 is one of the four core requirements for the Microsoft Certified Systems Engineer (MCSE) certification. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium or large company network. This means a multi-site network with at least three domain controllers, running typical network services such as file and print services, database, firewall services, proxy services, remote access services and Internet connectivity.

However, not everyone who takes Exam 70-293 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.

Exam 70-293 covers the basics of managing and maintaining the network infrastructure in a network environment that is built around Microsoft’s Windows Server 2003. Objectives are task-oriented, and include the following:

■ Planning a secure baseline installation, including planning a strategy to enforce system default security settings on new systems, identifying client operating system default security settings, and identifying all server operating system default security settings.
■ Planning and configuring security for servers that are assigned specific roles, including domain controllers, Web servers, database servers, and mail servers. This includes deploying the security configuration for servers assigned to these specific roles and creating custom security templates based on server roles.

■ Evaluating and selecting the operating system to install on computers in an enterprise, including identifying the minimum configuration to satisfy security requirements.

■ Planning a TCP/IP network infrastructure strategy, including analyzing IP addressing requirements, planning an IP routing solution, and creating an IP subnetting scheme.

■ Planning and modifying a network topology, including planning the physical placement of network resources and identifying network protocols to be used.

■ Planning an Internet connectivity strategy.

■ Planning network traffic monitoring, using tools such as Network Monitor and System Monitor.

■ Troubleshooting connectivity to the Internet, including diagnosing and resolving issues related to Network Address Translation (NAT), name resolution cache information, and client configuration.

■ Troubleshooting TCP/IP addressing, including diagnosing and resolving issues related to client computer configuration and DHCP server address assignment.

■ Planning a host name resolution strategy, including planning the DNS namespace design, planning zone replication requirements, planning a forwarding configuration, planning for DNS security, and examining the interoperability of DNS with third-party DNS solutions.

■ Planning a NetBIOS name resolution strategy, including planning a WINS replication strategy and planning NetBIOS name resolution by using the Lmhosts file.

■ Troubleshooting host name resolution, including diagnosing and resolving issues related to DNS services and client computer configuration.

■ Planning a routing strategy, including identifying routing protocols to use in a specified environment and planning routing for IP multicast traffic.

■ Planning security for remote access users, including planning remote access policies, analyzing protocol security requirements and planning authentication methods for remote access clients, offering remote assistance to client computers, and performing remote administration using terminal services.

■ Implementing a cluster server and recovering from cluster node failure.

■ Monitoring Network Load Balancing, using tools such as the NLB Monitor MMC snap-in and the WLBS cluster control utility.

■ Monitoring servers that provide network services, using tools such as System Monitor, Event Viewer, and service logs.

■ Planning a backup and recovery strategy, including identifying appropriate backup types such as full, incremental and differential, planning a backup strategy that uses volume shadow copies, and planning system recovery that uses Automated System Recovery (ASR).

■ Configuring network protocol security, including configuring protocol security in a heterogeneous client computer environment and configuring protocol security by using IPSec policies.

■ Configuring security for data transmission, including configuring IPSec policy settings.

■ Planning for network protocol security, including specifying the required ports and protocols for specified services and planning an IPSec policy for secure network communications.

■ Planning secure network administration methods, including creating a plan to offer Remote Assistance to client computers and planning for remote administration by using terminal services.

■ Planning security for wireless networks.

■ Planning security for data transmission, including securing data transmissions between client computers to meet security requirements and securing data transmissions by using IPSec.

■ Troubleshooting security for data transmission, using tools such as the IPSec Monitor MMC snap-in and the Resultant Set of Policies (RSoP) MMC snap-in.