MCSE: Windows® 2000 Network Infrastructure Design, Exam Notes™
William Heldman
SYBEX®
San Francisco • Paris • Düsseldorf • Soest • London
Associate Publisher: Neil Edde
Contracts and Licensing Manager: Kristine O’Callaghan
Associate Developmental Editor: Elizabeth Hurley
Editor: Julie Sakaue
Production Editor: Liz Burke
Technical Editor: Joshua Konkle
Book Designer: Bill Gibson
Graphic Illustrator: Tony Jonick
Electronic Publishing Specialist: Judy Fung
Proofreaders: Leslie E.H. Light, Jennifer Campbell, Liz Burke, Laurie O’Connell
Indexer: Nancy Guenther
Cover Designer: Archer Design
Cover Photography: Natural Selection

Copyright © 2001 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

Library of Congress Card Number: 00-107348
ISBN: 0-7821-2767-3

SYBEX and the SYBEX logo are trademarks of SYBEX Inc. in the USA and other countries. Exam Notes is a trademark of SYBEX Inc. Screen reproductions produced with Collage Complete. Collage Complete is a trademark of Inner Media Inc. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America. 10 9 8 7 6 5 4 3 2 1
To KL—thanks for hanging with me.
Acknowledgments With grateful acknowledgment of all those who helped me with these books. I’m especially grateful to the Sybex associate publisher in charge of the study guides, Neil Edde. He was the one who graciously gave me my start in writing computer books—and I feel that I’m privileged to write for the best computer book company on earth. I’d also like to thank the editors of this book: Elizabeth Hurley, associate developmental editor; Julie Sakaue, editor; Liz Burke, production editor; as well as Joshua Konkle, the technical editor who helped with this book. I’d also like to acknowledge the artists and layout people, Tony Jonick and Judy Fung, without whom a book would have no pizzazz. You can’t begin to know the patience of a wife who must put up with someone who comes home from work tired, hungry, and grumpy and who must hit the word processor for a good solid two hours in order to get the next chapter in on time. Thank you so much Kimmie Lou for your loyalty, endurance, and patience with my second career—my first love. Last, but certainly not least, I want to thank God, the giver of gifts and of life.
Contents

Introduction   x

Chapter 1   Analyzing Business Requirements   1
    Analyze the existing and planned business models.   3
    Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.   12
    Analyze factors that influence company strategies.   24
    Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process, and change-management process.   35

Chapter 2   Analyzing Technical Requirements   47
    Evaluate the company's existing and planned technical environment and goals.   49
    Analyze the impact of infrastructure design on the existing and planned technical environment.   66
    Analyze the network requirements for client computer access.   86
    Analyze the existing disaster recovery strategy for client computers, servers, and the network.   93

Chapter 3   Designing a Windows 2000 Network Infrastructure   99
    Modify and design a network topology.   101
    Design a TCP/IP networking strategy.   107
    Design a DHCP strategy.   122
    Design name resolution services.   133
    Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.   149
    Design a Distributed file system (Dfs) strategy.   161

Chapter 4   Designing for Internet Connectivity   171
    Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.   172
    Design a load balancing strategy.   185

Chapter 5   Designing a Wide Area Network Infrastructure   191
    Design an implementation strategy for dial-up remote access.   192
    Design a virtual private network (VPN) strategy.   215
    Design a Routing and Remote Access routing solution to connect locations.   228

Chapter 6   Designing a Management and Implementation Strategy for Windows 2000 Networking   237
    Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs.   238
    Design network services that support application architecture.   255
    Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS.   262
    Design a resource strategy.   266

Index   274
Introduction Microsoft’s new Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the new MCSE certification is a powerful credential for career advancement. This book has been developed, in cooperation with Microsoft Corporation, to give you the critical skills and knowledge you need to prepare for one of the core requirements of the new MCSE certification program, Designing a Microsoft Windows 2000 Network Infrastructure. You will find the information you need to acquire a solid understanding of the design of a Windows 2000 network infrastructure, to prepare for Exam 70-221: Designing a Windows 2000 Network Infrastructure, and to progress toward MCSE certification.
Is This Book for You? The MCSE Exam Notes books were designed to be succinct, portable exam review guides that can be used either in conjunction with a more complete study program (book, CBT courseware, classroom/lab environment) or as an exam review for those who don’t feel the need for more extensive test preparation. It isn’t our goal to give the answers away, but rather to identify those topics on which you can expect to be tested and to provide sufficient coverage of these topics. Perhaps you’re already familiar with the features and functionality of Windows 2000. The thought of paying lots of money for a specialized MCSE exam preparation course probably doesn’t sound too appealing. What can they teach you that you don’t already know, right? Be careful, though. Many experienced network administrators have walked confidently into test centers only to walk sheepishly out of them after failing an MCSE exam. As they discovered, there’s the Microsoft of the real world and the Microsoft of the MCSE exams. It’s our goal with these Exam Notes books to show you where the two converge and where they diverge. After you’ve finished reading through this book, you should have a clear idea of how your understanding of the technologies involved matches up with the expectations of the MCSE test makers in Redmond. Or perhaps you’re relatively new to the world of Microsoft networking, drawn to it by the promise of challenging work and higher salaries. You’ve just waded through an 800-page MCSE Windows 2000 study guide or taken a class at a local training center. Lots of information to keep track of, isn’t it? Well, by organizing the Exam Notes books according to the Microsoft exam objectives, and by breaking up the information into concise manageable pieces, we’ve created what we think is the handiest exam review guide available. Throw it in your briefcase and carry it to work with you. As you read through the book, you’ll be able to identify quickly those areas you know best and those that require more in-depth review.
NOTE The goal of the Exam Notes series is to help MCSE candidates familiarize themselves with the subjects on which they can expect to be tested in the MCSE exams. For complete, in-depth coverage of the technologies and topics involved, we recommend the MCSE Windows 2000 Study Guide series from Sybex.
How Is This Book Organized? As mentioned above, this book is organized according to the official exam objectives list prepared by Microsoft for Exam 70-221. The chapters coincide to the broad objectives groupings, such as Designing a Wide Area Network Infrastructure. These groupings are also reflected in the organization of the MCSE exams themselves.
Within each chapter, the individual exam objectives are addressed in turn. Each objective’s coverage is further divided into the following sections of information:

Critical Information  This section presents the greatest level of detail on information for the objective. This is the place to start if you’re unfamiliar with or uncertain about the objective’s technical issues.

Exam Essentials  In this section, we’ve put together a concise list of the most crucial topics that you’ll need to comprehend fully prior to taking the MCSE exam. These summaries can help you identify subject areas that might require more study on your part.

Key Terms and Concepts  Here you’ll find a mini-glossary of the most important terms and concepts related to the specific objective. This list will help you understand what the technical words mean within the context of the related subject matter.

Sample Questions  For each objective, we’ve included a selection of questions similar to those you’ll encounter on the actual MCSE exam. Answers and explanations are provided so you can gain some insight into the test-taking process.
How Do You Become an MCSE? Attaining MCSE certification has always been a challenge. In the past, people could acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, however, this simply will not be the case. To avoid the “paper-MCSE syndrome” (a devaluation of the MCSE certification because unqualified individuals manage to pass the exams), Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Prospective MCSEs will need to complete a course of study that provides not only detailed knowledge of a wide range of topics, but true skills derived from working with Windows 2000 and related software products. In the new MCSE program, Microsoft is heavily emphasizing hands-on skills. Microsoft has stated that “nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate time and effort to working with Windows 2000, you can prepare for the exams by using the proper tools. If you work through this book and the other books in this series, you should successfully meet the exam requirements.
TIP This book is part of a series of MCSE Study Guides and Exam Notes published by Sybex that covers the five core requirements as well as the electives you need to complete your MCSE track.
Exam Requirements Successful candidates must pass a minimum set of exams that measure technical proficiency and expertise.
Candidates for MCSE certification must pass seven exams, including four core operating system exams, one design exam, and two electives.
Candidates who have already passed three Windows NT 4 exams (70-067, 70-068, and 70-073) may opt to take an “accelerated” exam plus one core design exam and two electives.
NOTE If you do not pass the accelerated exam after one attempt, you must pass the five core requirements and two electives.
The following tables show the exams that a new certification candidate must pass.

All of these exams are required:

Exam #    Title                                                                                        Requirement Met
70-216    Implementing and Administering a Microsoft Windows 2000 Network Infrastructure               Core (Operating System)
70-210    Installing, Configuring, and Administering Microsoft Windows 2000 Professional                Core (Operating System)
70-215    Installing, Configuring, and Administering Microsoft Windows 2000 Server                      Core (Operating System)
70-217    Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure    Core (Operating System)

One of these exams is required:

Exam #    Title                                                                   Requirement Met
70-219    Designing a Microsoft Windows 2000 Directory Services Infrastructure    Core (Design)
70-220    Designing Security for a Microsoft Windows 2000 Network                 Core (Design)
70-221    Designing a Microsoft Windows 2000 Network Infrastructure               Core (Design)

Two of these exams are required:

Exam #                       Title                                                                   Requirement Met
70-219                       Designing a Microsoft Windows 2000 Directory Services Infrastructure    Elective
70-220                       Designing Security for a Microsoft Windows 2000 Network                 Elective
70-221                       Designing a Microsoft Windows 2000 Network Infrastructure               Elective
Any current MCSE elective    Exams cover topics such as Exchange Server, SQL Server, Systems Management Server, Internet Explorer Administrators Kit, and Proxy Server (new exams are added regularly)    Elective
NOTE For a more detailed description of the Microsoft certification programs, including a list of current MCSE electives, check Microsoft’s Training and Services Web site at www.microsoft.com/trainingandservices.
Exam Registration You may take the exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Sylvan Prometric at (800) 755-EXAM (755-3926), or call VUE at (888) 837-8616. Outside the United States and Canada, contact your local Sylvan Prometric or VUE registration center.
You should determine the number of the exam you want to take, and then register with the Sylvan Prometric or VUE registration center nearest to you. At this point, you’ll be asked for advance payment for the exam. The exams are $100 each. Exams must be taken within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.
TIP You may also register for your exams online at www.sylvanprometric.com or www.vue.com.
When you schedule the exam, you’ll be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you’ll receive a registration and payment confirmation letter from Sylvan Prometric or VUE. Microsoft requires certification candidates to accept the terms of a nondisclosure agreement before taking certification exams.
What the Designing a Windows 2000 Network Infrastructure Exam Measures This exam tests your ability to recognize ways that you can provide connectivity to outside users. For example, you’ll be tested on Virtual Private Network (VPN) installations: security, authentication, and the why and how of building a VPN. You’ll also be tested on your understanding of Routing and Remote Access Services (RRAS), Windows 2000’s facility for providing connectivity to telecommuting users. Windows 2000 Server can function as a router, so you’ll be tested on routing protocols and on why and when you’d use Windows 2000 routers.
There are sections in this book on DHCP, WINS, DNS, Dfs, and other Windows 2000 TCP/IP features. You’ll also be tested on TCP/IP subnetting principles. This book delves into network hardware and infrastructures. The goal of the design test is to help the administrator understand the enterprise concept: there is a great deal more to the network than the server farm.
Tips for Taking Your Exam Here are some general tips for taking your exam successfully:
Arrive early at the exam center so you can relax and review your study materials, particularly tables and lists of exam-related information.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
When answering multiple-choice questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This will improve your odds if you need to make an educated guess.
This test has many exhibits (pictures). It can be difficult, if not impossible, to view both the questions and the exhibit simulation on the 14- and 15-inch screens usually found at the testing centers. Call around to each center and see if they have 17-inch monitors available. If they don’t, perhaps you can arrange to bring in your own. Failing this, some have found it useful to quickly draw the diagram on the scratch paper provided by the testing center and use the monitor to view just the question.
You are allowed to use the Windows calculator during your test. However, it may be better to memorize a table of the subnet addresses and to write it down on the scratch paper supplied by the testing center before you start the test.
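As an added illustration (not part of the original book), the following Python script generates the kind of subnet table the tip above suggests writing down before the exam: for a /24 network carved into /25 through /30 subnets, it lists the mask, the number of subnets, the block size and the usable host count, and it also shows how to work out which subnet and broadcast address a given host falls in. The base network 192.168.1.0/24 and the sample host 192.168.1.100 are constructed inputs, not examples from the exam.

```python
import ipaddress


def subnet_table(base="192.168.1.0/24", min_prefix=25, max_prefix=30):
    """Build the subnetting table for carving `base` into equal subnets.

    Returns one row per prefix length:
        (prefix, netmask, number_of_subnets, block_size, usable_hosts)
    Block size is the number of addresses per subnet; usable hosts
    exclude the network and broadcast addresses (so a /30 still has 2).
    """
    net = ipaddress.ip_network(base)
    rows = []
    for prefix in range(min_prefix, max_prefix + 1):
        subnets = list(net.subnets(new_prefix=prefix))
        block = 2 ** (32 - prefix)          # addresses per subnet
        rows.append((prefix, str(subnets[0].netmask), len(subnets), block, block - 2))
    return rows


def locate(host, base="192.168.1.0/24", prefix=27):
    """Return (subnet, broadcast) for the `prefix`-length subnet of `base`
    that contains `host`; raise ValueError if `host` lies outside `base`."""
    net = ipaddress.ip_network(base)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        raise ValueError(f"{host} is not inside {base}")
    # strict=False lets ip_network mask the host bits off for us
    sub = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    return str(sub), str(sub.broadcast_address)


if __name__ == "__main__":
    print("prefix  mask             subnets  block  usable")
    for prefix, mask, count, block, usable in subnet_table():
        print(f"/{prefix:<6} {mask:<16} {count:<8} {block:<6} {usable}")
    # Constructed sample host: which /27 of 192.168.1.0/24 holds it?
    print(locate("192.168.1.100"))
```

The same two functions work for any base network and prefix range, so you can regenerate the table for a /16 or a classless block rather than memorizing only the /24 case.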
Once you’ve completed an exam, you’ll be given immediate, online notification of your pass or fail status. You’ll also receive a printed Examination Score Report indicating your pass or fail status and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Microsoft within five working days after you take the test. You don’t need to send your score to Microsoft. If you pass the exam, you’ll receive confirmation from Microsoft, typically within two to four weeks.
Contact Information To find out more about Microsoft Education and Certification materials and programs, to register with Sylvan Prometric, or to get other useful information, check the following resources. Outside the United States or Canada, contact your local Microsoft office or Sylvan Prometric testing center.

Microsoft Certified Professional Program—(800) 636-7544
Call the MCPP number for information about the Microsoft Certified Professional program and exams, and to order the latest Microsoft Roadmap to Education and Certification.

Sylvan Prometric Testing Centers—(800) 755-EXAM
Contact Sylvan to register to take a Microsoft Certified Professional exam at any of more than 800 Sylvan Prometric testing centers around the world.

Microsoft Certification Development Team—http://www.microsoft.com/trainingandservices
Contact the Microsoft Certification Development Team through their Web site to volunteer for participation in one or more exam development phases or to report a problem with an exam. Address written correspondence to the Certification Development Team, Microsoft Education and Certification, One Microsoft Way, Redmond, WA 98052.

Microsoft TechNet Technical Information Network—(800) 344-2121
TechNet is an excellent resource for support professionals and system administrators. Outside the United States and Canada, call your local Microsoft subsidiary for information.
How to Contact the Publisher Sybex welcomes reader feedback on all of its titles. Visit the Sybex Web site at www.sybex.com for book updates and additional certification information. You’ll also find online forms to submit comments or suggestions regarding this or any other Sybex book.
Chapter 1
Analyzing Business Requirements

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Analyze the existing and planned business models. (pages 3 – 12)
    Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.
    Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.

Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans. (pages 12 – 23)

Analyze factors that influence company strategies. (pages 24 – 35)
    Identify company priorities.
    Identify the projected growth and growth strategy.
    Identify relevant laws and regulations.
    Identify the company's tolerance for risk.
    Identify the total cost of operations.

Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process, and change-management process. (pages 35 – 45)
We’ll start by reviewing the makeup of a company, probably your company. We’ll analyze the company’s management organization, its funding model, tolerance for risk, priorities, and so forth. Looking above, you can see that the exam objectives that revolve around this topic are numerous and yet nontechnical. Why are they important? Because, to get your hands around a Windows 2000 deployment, you need to thoroughly understand the way your company ticks. Windows 2000 has so many new features that you may decide one fits in a given circumstance where another feature would work better in a different place. Recognizing the way that your company works, how it is built, helps you understand how to introduce Windows 2000 into the environment.
Analyze the existing and planned business models.
Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices. Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.
Microsoft, while a software (and hardware) company, is also in the business of making you successful by using their software. People at Microsoft are great project managers, and they realize that in order to make Windows 2000 successful you need to understand how your organization works, so that you can precisely place different Windows 2000 features where needed.
Critical Information In the following exam objectives, we’re interested in taking apart a company’s logical makeup and seeing if we can define the company’s model, its geographic scope, the processes that are in place and are routinely followed, and the existing and planned organizational structures in the company. It will probably be a great help to you to think about your own company in the context of this section. It is important to thoroughly understand the concepts outlined here in order to succeed with a Windows 2000 deployment, our second objective. (Our first, of course, being to pass the test.)
Analyzing the Company Model and the Geographical Scope Let’s take a moment to review the various company models and what they encompass. Notice that the subobjective says, “Models include…”, implying that the list isn’t limited to the models suggested. The point is not to memorize the models, but to recognize the model(s) your company uses. Here are some of the models and geographical scopes that you might encounter:

Local  A local company is only in business within a city or the immediately surrounding area. For example, suppose that you work for a flower company that has retail stores in several suburban towns and cities close to its headquarters. None of the retail stores are out of state, and all are within a few miles of one another. This is a local company.

Regional  A regional company operates in several widely dispersed cities within a state, in several states, or both. Suppose, for example, that you work for a company that operates a chain of restaurants within one large state, with a presence in different cities in that state. This is a regional company.

National  A national company has a presence of some kind throughout its country of origin. In a U.S. example, this does not imply a large office in every state, but it does imply some presence in every state. The most basic and common example is a company that keeps a small office in each state to maintain a sales force local to that state. An office might be comprised of just a few people, but it would, nonetheless, be part of your company and make for very interesting connectivity and computing planning.

International  A company that has offices all over the world is said to have an international presence. Again, these offices don’t have to be very large to influence your evaluation and planning. A company might have a distributed environment with its headquarters in, say, Chicago, another large office in the U.K. (perhaps a “mini-HQ”), and several smaller offices staffed predominantly with salespeople and support personnel in many other countries.

Subsidiary Offices  Some companies specialize in a certain venture and then find that they need something else to make their particular area of expertise more palatable to the public. So, rather than reinventing the wheel, they buy a company that’s already doing whatever they need done. A company that is purchased and yet retains its own identity is a subsidiary. Subsidiaries present unique challenges to network designers and IT people, because typically you inherit a legacy group of administrators who are accustomed to doing things their way and who may not be amenable to re-inventing their lives in order to fit their new parent’s mold.

Branch Offices  Some companies maintain one central headquarters office but also have several branch offices that have some autonomy relative to HQ. A company’s size and the nature of its business will determine how many branch offices it may have.

The geographical scope of a company presents an interesting twist to the whole network design scenario. One must consider several things: the area that your network must traverse, its geographic placement, and the resources and funds it will take to set up communications between sites.
Another thing to consider while using the Windows 2000 design is the concept of a Single Point of Failure (SPOF) and bottlenecks. A SPOF is a place or places where only one connection or part holds up the system. A server with only one hard drive in it has a SPOF—the hard drive. If that hard drive goes out, the server’s down until you get it repaired.
A bottleneck is a place where things slow to a crawl as data crosses that place. Bottlenecks are like chameleons and take on the characteristics of where they’re living. There are some Windows 2000 features such as System Monitor that can help you identify bottlenecks, but it’s pretty apparent that your own instincts are going to be the biggest tool you have in helping you discover and eradicate bottlenecks.
Analyzing Company Processes Some companies do quite a bit of their information interplay by paper or word of mouth, not thinking that computer systems can accomplish the same goal. If your company wants to say something new—to go where no one has gone before—how does it accomplish that? How does your company get information from one point to another? Common corporate processes include using collaborative frameworks in Lotus Notes, public folders on an Exchange server, mainframes, and intranets—or a combination of these things. This is one of the elements you’re looking to discover when you do your network design and diagramming.

Information and Communications Flow

In terms of network design, there are generally two practiced forms of communications. The first is inter-company communication such as e-mail, intranets, and virtual meetings. The second area of information and communications flow is the more abstract communications ethos.

Virtual Communications  This is where you sit down and take a physical inventory of how your company handles its intercommunications. You would be examining areas such as your phone system, for example. The majority of intra-company communications are either voice-based or e-mail-centric. As companies migrate more and more to network-based communications, e-mail has become the central method of communicating.

People Communications  This area is much more nebulous. You must be able to assess areas such as how people interact in their daily business dealings, how management communicates with their direct reports, and how requests for information are handled. As a network designer, you need to understand how interpersonal communication at your company works before you start interrogating people about their technical and business needs. If you don’t adapt your approach to the company culture, your message will never get across.

Product and Service Life Cycles
Products ride a life cycle very similar to the famous bell curve that seems to crop up in most of life. Many products that were leaders just five to ten years ago are either nonexistent or have been incorporated in solutions or packages. Figure 1.1 shows a standard product life cycle. This isn’t quite a fair representation of what really happens, because a company that is dynamically trying to improve and release upgrades to their software actually spawns a lengthening of the bell curve, or, more practically, generates a whole new bell curve. Most users never get to the product decline stage, because they’ve adopted the new software upgrade and the old software version is allowed to die quietly. Nevertheless, software and hardware products go through distinct product life-cycle stages. Service life cycles consist of roughly the same concepts.

Figure 1.1: The product life-cycle curve. The stages labeled on the curve, from left to right, are:
    Product begins to assimilate market share.
    Product gains wide acceptance, moves into the fore of standard software.
    Product is at the apex of its use; for new usage to continue, new developments and improvements must be made.
    Competitors enter in with superior products or the company fails to produce new improvements. Product begins its decline.
Decision-Making Processes
This is probably the most complicated part of your network design segment to try to figure out. You must be able to identify who makes the decisions and how the information generated from those decisions is disseminated. Some companies have an “Emerging Technologies” department that’s charged with the research and recommendation of new technologies. Other companies use the “architect” concept—people who have tons of everyday experience in the industry and are now equipped to make corporate decisions regarding technical direction.
Exam Essentials

Know your company’s overall business model. By identifying which business model your company falls into, you can effectively provide a standardized desktop and overall consistent computing environment.

Understand the geographical scope of your company. This scope will help you determine what kind of economic, geographic, facilitation, and political issues you will face with a given connection.

Know why your company does what it does. Understanding your company’s processes will help you figure out how to do your job better.

Know your company’s virtual and people-to-people communications flow. Good communications will facilitate a Windows 2000 rollout. Bad communications will destroy any chance you have of being successful.

Know what product and service life cycles are. An understanding of the product life cycle of software (these days about one year or less) and the accompanying service life cycles are crucial to integrating your applications into Windows 2000 rollouts. Example: You have an enterprise fax software program in use across the enterprise. You’re on version 6; the company that wrote the software is now at version 7 and about to roll into version 8. You’re out of the product (and probably the service) life cycles.
Know who makes the decisions in your company and why. Getting a Windows 2000 rollout nailed down is all about making sure that the big decisions you need finalized are made, accepted, and not reversible.
Key Terms and Concepts

bottleneck: A place where things slow to a crawl as data crosses that place.

international: A company that has offices and does business in countries that are foreign to its own home headquarters.

local: A company that does business only within a city or region.

national: A company that does business within its home country.

regional: A company that operates in its own city and several geographic regions nearby. The term “regional” might mean operating in several key cities in adjoining states or simply in suburbs of a city, depending on the size of the company.

Single Point of Failure (SPOF): That place or places where the system is held up by only one connection or part.

subsidiary: A part of a company that’s involved in an activity that’s distinct from the parent company.
Sample Questions

1. You have a transoceanic connection between your sites in Madrid and Haifa. Your boss has told you to eliminate all SPOFs on this circuit. How can you make sure that you accomplish this task? Select all that apply.

A. Set up a land-based WAN circuit that acts as a backup to the main circuit.
B. Create a satellite-based connection between the two sites.
C. Set up two Windows 2000 demand-dial routers, one for each site.
D. Set up a dial-up connection in Windows 2000 RRAS.

Answer: A, B, C. Options A, B, and C are all valid, though one may be more expensive than the other. There is some latency associated with the satellite-based solution, but it may still be more cost-effective than nailing up a land-based WAN circuit (since you’d have to traverse the Mediterranean coast to get the circuit going). Probably the most cost-effective and simplest solution would be to simply set up a set of Windows 2000-based demand-dial routers. Transoceanic circuit craters? Start talking to the other site with the Windows 2000 routers instead.

2. You have a database system that has many users utilizing it on a daily basis. There appears to be a bottleneck in the system, and you’ve traced the 100-BaseT infrastructure, client computers, and servers and have not found anything wrong other than the fact that the server that houses the database is heavily overused. How would you fix this problem? Select all that apply.

A. Upgrade the database server’s hardware.
B. Upgrade the network to gigabit ethernet.
C. Set the database server up in a clustered environment.
D. Limit the maximum connections to the server.

Answer: A, D. We’re told in the question that the problem does not lie with the network, so option B isn’t valid, at least in the context of the question. Option C is tricky because databases aren’t ideal candidates for clustered environments. You could opt to upgrade the server’s hardware. Often that fixes stodgy bottlenecks, especially when it comes to RAM. Limiting the maximum connections to the server so as to maintain decent response times based on user expectations isn’t an ideal workaround, but it is nonetheless a workaround.

3. It might be an intrusion to users when network admins have to upgrade the network operating system and associated back office applications from time to time. Why is it important to keep up with updates? Select the best option.

A. Sticking with the latest and greatest software improves productivity.
B. Staying at or near the top of the product life-cycle curve prevents having to go through costly upgrades later on.
C. Changes in the network operating system provide better throughput.
D. As software evolves, business problems are simultaneously solved.

Answer: B. Companies that stubbornly refuse to upgrade their network software slowly drift behind in version releases to the point where it is quite costly to upgrade. The other reasons are good ones as well, but the product life-cycle curve has the most practical ramifications for a business.

4. Why would it be important to spot your company’s acquisition plan? Select all that apply.

A. Your company might have to change to the software the newly acquired company is using.
B. Your company might need to migrate the newly acquired company to the software you’re using.
C. Your company may need to provide a transitional environment while the newly acquired company is brought online.
D. Your company may need to provide translational software for the newly acquired company.

Answer: B, C, D. In most cases, the company that’s being acquired is the one that must buckle under and adapt to their parent’s standards, so A is probably not an accurate answer. The other three may very well come into play.

5. You work as a network architect for a multinational firm with offices all over the world. What would be one of the chief practical considerations you would need to take into account when planning a Windows 2000 upgrade?

A. Geographical scope
B. Language issues
C. Administrative issues
D. WAN circuitry problems

Answer: B. Obtaining and installing Windows 2000 Server in all of the languages that might be in use at your diverse company will be of very practical concern to you. If you have an admin in Brazil who needs to upgrade his server, will you be able to obtain Windows 2000 software in Portuguese?
Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
Wow! Quite the subobjective, isn’t it? It all depends on the size of your company and the extent to which you’re involved with a Windows 2000 rollout, but analyzing existing and planned organizational structures could take up quite a bit of your design time. Nevertheless, this is an all-important, highly non-technical area that will definitely demand your time.
Critical Information

Let’s review a typical management hierarchy from the top down, then segue into the management structures that get adopted as a result of various leadership styles.
Identifying Organizational Structure

Since a publicly held company is obligated to comply with a fiduciary duty—a responsibility to act as the trustee on someone else’s behalf with respect to an organization’s funding; in this case, shareholders—often there’s a board of directors that oversees the company’s operations. A chairperson heads up the board; this is most often not the same person as the president. The board is typically comprised of several stakeholders, often those with a heavy venture capital risk at stake, and various officers, including a secretary, a financial officer, a chief technical officer, and so forth. Under corporate law, the board of directors is responsible for hiring and firing the company’s officers. Board meetings are held to identify the leaders of the company, and then the positions are appointed. Figure 1.2 shows a typical organization’s org chart.

Figure 1.2: A typical organization’s org chart. Boxes shown on the chart: Board of Directors; CEO; Chief General Counsel; President; Technical Advisor; Sr. Vice President; Vice President; Director; Sr. Manager; Manager; Sr. Project Manager; Scientist; Supervisor; Team Leader; You?
Most companies operate with some sort of senior leader, be that a president, a chief executive officer (CEO), or someone who holds the combination of those two roles. In a privately held company, the president is the owner of the company, frequently the person who started the company in the first place. Often, as a company goes from private to publicly held, the role shifts from president to CEO, but owners tend to retain some semblance of the old mixed in with the new. The CEO is usually looked at as the visionary.

Beneath the board of directors/CEO layer are the senior vice presidents and vice presidents. These individuals, the president, CEO, and board, together with an occasional benefactor chair or chief legal counsel, compose senior management. Directors and managers make up mid-management. Depending on the makeup of the company, they may or may not have input into the company’s direction—that is, they have different levels of power.

Supervisors (aka line managers), team leaders, and the regular working folks round out the rest of the company. Some companies equate team leaders with supervisors, but I tend to look at team leaders as supervisors without any power. There are two main differences between a team leader and a supervisor. A supervisor handles budgeting and employee performance reviews. Team leaders are the overseers of a technical endeavor and the chief knowledge-keepers for a given group.

Now, your company may be laid out very differently. It’s up to you to decide exactly how your company is laid out and determine its structure so that you can create and maintain the most effective network design for it. In doing so, you must also consider all of the different types of management styles in your organization and how they might play a role in formulating your Windows 2000 design.
Management Models

The autocratic leader is one who dictates that something should be done a certain way and expects to see it accomplished in that way. An autocratic leader typically allows little give-and-take and tolerates little variance in a project’s timeline or budget.
The French phrase laissez-faire means “to allow to do.” The laissez-faire management style is typical in most computer environments where there are many software developers or administrators. Another word you might use in place of laissez-faire is “professional.” Workers are allowed to come and go as they like.

I’ve never seen this style labeled quite like this in any business book, but some managers live by the loose-bundle system. What I mean is that the manager, as good as his intentions are, cannot quite get all of the loose ends to come together so as to finalize a project.

Hands-on managers are those who aren’t terribly interested in the budgetary and performance evaluation aspects of their jobs, but instead like to get their hands dirty helping you out with a project. As you can imagine, this can have tremendous positive consequences if the manager knows what she’s doing. On the other hand, if the manager is completely incompetent (relative to the project at hand, of course), her interaction will be more of a thorn in your side than a help.

A neutral style of management is one in which your manager really couldn’t care less one way or the other what projects a person is involved in. This might have to do with any one of a number of reasons. For example, suppose that a manager is promoted into a department and, after working there awhile, finds that she doesn’t really care for any of the people in the department. But the people working under her are vital to the department’s continuing function, so she opts for a manager-neutral approach.

The political manager is one who manages for political expedience, not necessarily for the common good of a project or the department as a whole. The goal here is individual promotion, not departmental success. Sometimes a project completion happens to align with the goals of the manager, so things appear on the surface to be motivated by company goals, but this is really not the case.
The project-oriented manager is one who focuses more on projects than on day-to-day activities and is effective with someone who must manage large project deployments. It can be bad when the manager must manage a team of individuals who are involved in the daily operation of a network and are also responsible for implementing various network upgrades. The daily operation will be neglected in favor of the project, or someone on the team must take responsibility for daily operations just to make sure those needs are met.

There are two situations in which an administrator or designer might have unique considerations different from those of a private company: not-for-profit organizations and governmental bodies. Both of these kinds of organizations have budgeting, management, and process differences that can contrast drastically with a private company, whether the private company is public or privately held. Working for a government organization is completely different from working for a private company. There are many reasons for this, such as the following:
The level of red tape and bureaucracy goes up by two to 10 times the amount you’d find in the average private company.
The pay is often less than the corporate average, so you’re either understaffed or else staffed with people who’ve come up through the ranks and who may not have as keen a grasp as you do of networks and networking.
Usually some legislative body (which may or may not understand exactly what the organization does) gives a governmental body its direction, so you may have little direct control over how you accomplish a given objective.
The budgetary cycle is often one in which the money for the year is doled out all at once, and managers have to be careful about how they allot their funding so that they don’t run out too soon.
The public has a great effect on how you do your job, either indirectly through the legislative body or directly on you, primarily generated from a “civilian” complaint.
Business directions can change as elected officials change, even if your job description does not.
Because your executive management is motivated by political concerns, not business or technical concerns, your objectives may be in direct conflict with theirs.
Vendor, Partner, and Customer Relationships

Vendors are those who sell you the equipment, software, and services you need to get your job done. Some companies that manufacture things also act as the vendor for those things. An example would be a company such as Dell or Gateway.

Partners are companies or individuals who are in the business of helping you do business. The most successful model would be that of a company that thrives on partnerships and takes advantage of the additional marketing exposure and presence that partnerships offer. It should be a mutually beneficial relationship in which both parties feed off of one another’s success.

Understanding a company’s customers directly correlates to the kind of enterprise software the company will use in addressing the needs of its customers and hence will reflect on the Windows 2000 choices you make. Example: Your company uses a specific manufacturing package because it is the only manufacturing software that can handle the particular assembly line structure you use. But there’s one problem: the software manufacturer has no plans to upgrade to Windows 2000 compliance. Now your Windows 2000 rollout has a problem.
Spotting Potential Acquisition Plans

Some company CEOs, especially those who head up small businesses, are interested in grooming the company to a state of health where it’s ready for an acquisition of some kind. The company has a product that’s unique, the engineering and marketing forces are in place, and the firm is moving forward strongly.

There are different reasons for acquisitions. Some companies are so huge that, when they need something that fits into the profile that they’ve established for a given product or service, they often buy a company making that very same thing rather than make it themselves. Another reason for acquisition is that a company is doing something that the company looking to acquire wants to get into. Often a company is overwhelmed by its competition. A brutish little firm somehow manages to make a far better product than its oversized competitor, and, in many cases like these, it’s simply bought by the bigger industry leader. Finally, there are also times when a large company will buy a firm that has developed a part, device, service, or software solution that they desperately need.

The flip side of an acquisition is the act of one company purchasing another, called a takeover. There are two kinds of takeovers, hostile and non-hostile. A hostile takeover occurs when the company that wants the goods or services of the target company simply barges in and acquires controlling interest. This can happen, for example, when a company has managed itself so poorly that it’s weakened to the point where it’s a good target for takeover. Provided, that is, that its goods or services are something that are desired in the industry. Non-hostile takeovers happen when a company is amenable to the proposition of being taken over by another company.

Some companies are founded and managed in such a way as to drive the company toward a takeover. There’s huge money in it for the officers of such a company. A person starts the company, preferably with a product or service offering that’s hot, hot, hot, then manages it well until it’s highly attractive to other companies. Then the company introduces an initial public offering (IPO).

So, when designing your network you must bear in mind the following two questions:
Is your company in business-acquisition mode? You may have noted a new trend in business where it’s not necessarily the gargantuan company that winds up buying out the smaller one.
Is your company setting itself up to be acquired by another company? I guess that I can offer no clear indicators of exactly how you would know that your company is in this state, apart from the concepts described above. Is your company small but provides a unique presence in your particular industry, one that others clamor for? Have you had an IPO—are you publicly held? Is your company financially strong and well managed? These are all indicators of a company that’s a sitting duck for an acquisition. Then again, you might be internally aware that your management is the worst there ever was, but the scenario that’s portrayed to the public at large is that they’re geniuses, so it’s all relative.
Exam Essentials

Be able to diagnose the management model of your company. What is the in toto management structure of your company? (When your company management faces you in a unified front, what does their face look like?) What is the management style of each individual stakeholder manager?

Understand your company’s organizational makeup. What does your company do? How does it do it? Is it good at what it does?

Analyze vendor, partner, and customer relationships. This little gem will show up on the test numerous times in the form of Virtual Private Network (VPN) connectivity between your network and a partner relationship network. What are the relationships that your company has with its various vendors, partners, and, most importantly, with its customers?

Spot any acquisition plans. A near-future acquisition could be the project killer for your Windows 2000 deployment.
Key Terms and Concepts

autocratic: A leader who uses the capacity of his office with unlimited power and authority.

fiduciary: A type of responsibility held by company officials who act in a special relation of trust, confidence, or responsibility to others. “Fiduciary” responsibility is normally used in the context of corporate monies or stocks.

hands-on: A manager who likes to get his “hands dirty,” working alongside you when assembling and configuring a computer or figuring out how things work. A hands-on manager likes to participate in the activities his people are involved in.

hostile takeover: A takeover that is resisted by the management of the target company.

Initial Public Offering (IPO): The formal process of a company making itself public by offering stock for sale for the first time.

laissez-faire: Noninterference in the affairs of others. A laissez-faire manager lets his direct reports go about their jobs with minimal input or interference.

loose-bundle: A manager who is inherently disorganized or communicates in a way that makes it hard to understand what’s being said. Loose-bundle managers aren’t stupid or bad communicators; they’re just interested in many other things going on at the same time!

neutral: A “neither hot nor cold,” “neither good nor bad” stance taken by management on a particular topic. Neutrality can be good if there is a holy war going on over a given topic. But neutrality can be a bad thing when an employee needs to know that the stance taken on a particular subject is unshakeable.

non-hostile takeover: A takeover in which both the management of the company and the entity taking over the company agree to the terms.

political: A political manager is one who strives to satisfy upper management’s concern that the projects and decisions handed down are being fulfilled, all the while attempting to make employees happy with these same projects and decisions. It’s a very delicate tightrope that must be walked. Not all managers succeed, but some are brilliant at it.

project-oriented: A manager who views things from a project-management standpoint. All assigned tasks are filtered through a project management system and are handled using project management techniques.

takeover: A new management team begins managing the company, with or without approval of the current management.
Sample Questions

1. Your manager possesses a very laissez-faire management style. What does this mean?

A. She wants to know everything you’re doing.
B. She is very hands-off and lets you run things the way you see fit.
C. She doesn’t understand the things you’re talking about.
D. She is interested only in the things that will get her promoted.

Answer: B. Laissez-faire managers are very prevalent in the IT field. They expect admins to be professional in their work ethic and generally return a hands-off management style as a reward for professionalism.

2. From a Windows 2000 perspective, why do you think it would be important to understand a company’s organizational makeup?

A. To make sure all managers are in agreement with the Windows 2000 design
B. To identify areas that need to be upgraded
C. To understand the breakout of business functions
D. To correctly identify forest, tree, domain, and AD design parameters

Answer: D. All of the options above are fine. But the one that has the most to do with Windows 2000 centers around the fact that you need to understand the organization so you can make intelligent decisions about what the forest(s) will be, the trees and domains in them, and how you’ll roll out Active Directory.

3. You work for a company that has recently converted to Windows 2000 Server. The network is now running AD in native mode. You’ve overheard that the company is planning on acquiring a new manufacturing concern that will help them increase the production of widgets. What will you need to identify so that this acquisition can take place smoothly? Select all that apply.

A. What kind of NOS the company is running
B. What enterprise applications are running
C. What the new company’s name-resolution techniques are
D. What special concerns there are that would prohibit an upgrade of their network to Windows 2000
E. If the acquired company will need to migrate to Windows 2000

Answer: A, B, D, E. You’re definitely going to be interested in the NOS the soon-to-be-acquired company is running. While there are tools that can help you interoperate with non–Windows-2000 NOSs such as NetWare, your ultimate goal will probably be to convert the network to pure Windows 2000. That is, unless, of course, the managers of the company say that this new acquisition will be an autonomous entity, in which case you may not need to care about the NOS. You’ll still care about enterprise applications, especially messaging (e-mail) and how the users in the new acquisition are going to talk to your current users.

4. What effect, if any, might an initial public offering (IPO) have on your plans for a Windows 2000 conversion?

A. Absolutely none
B. Massive
C. Minimal
D. Moderate
E. Depends

Answer: D. IPOs require that the Securities and Exchange Commission (SEC) thoroughly examine the bookwork of the company requesting permission for an IPO. Which means that the corporate financials are going to be heavily scrutinized. In a company as small as a hundred nodes, generally there is some server-based software where the financials are kept and maintained. Therefore, were you to forge ahead with your Windows 2000 rollout plans without bothering to take into consideration what impact the conversion would have on the financials (and associated documents hanging out there on user and hard drives), you’d not get far. Chances are that in the middle of an IPO, your rollout won’t proceed until the IPO is completed anyway, unless some aspect of the IPO predicates that you’ve got the conversion done. When an IPO happens, everybody is focused on making the company public.

5. You’ve just heard that your company is going to be subject to a hostile takeover. You’ve just recently finished converting the DCs to Windows 2000 Advanced Server and you were getting ready to convert the rest of the servers and workstations when you heard this news. What impact will this news have on your rollout plans?

A. Absolutely none
B. Massive
C. Minimal
D. Moderate
E. Depends

Answer: E. It depends on the hostility of the takeover. There are some companies that acquire another company through hostile means and then immediately sell off every component of the business. They do this for a variety of reasons—to get rid of competition, to strip the company of its assets, etc. But other companies that are acquired through hostile means are very much needed by the company doing the acquiring. Chances are that your rollout will stay on hold in its present state until such time as management (whether your old managers or the new managers) tell you to move forward.
Analyze factors that influence company strategies.
Identify company priorities.
Identify the projected growth and growth strategy.
Identify relevant laws and regulations.
Identify the company's tolerance for risk.
Identify the total cost of operations.
Along with understanding a company’s management makeup and its organizational structure, we also need to clearly define intangibles—things such as the company’s priorities, its growth strategies, laws and regulations that affect it, its tolerance for risk, and the cost of operations that it incurs as it does business. These are tough things to define objectively, but they come into play as you make decisions about your Windows 2000 rollout.
Critical Information

By analyzing the factors that influence your company’s strategies, you will be better able to assess its priorities and, in turn, better assess your own as an administrator. Understanding how your company got started and why will help you understand what your network needs in order to support the goals of your company.
Identifying Company Priorities

People who work for governmental and not-for-profit organizations will have a much easier time identifying these priorities than corporate workers will. Nevertheless, the exercise is ours to accomplish, no matter who you work for. Let’s start with some ways that you can begin to identify your company’s priorities. There are lots of places where you can begin to look for clues about your company’s main concerns. Following are a few of them:
Does your company print an annual report? Most publicly held companies will print an annual report, and usually, somewhere near the front, you’ll find the company’s mission statement. If your company has an intranet or newsletter, you’ll probably also find the mission statement posted there.
Did you attend an orientation when you went to work for this company? If so, the presenters undoubtedly gave you a clue about what the company considers important somewhere along the line.
Do you have all-company meetings in which the CEO gets absolutely everybody together to discuss issues? If so, that’s very good! And if you listen closely, you’ll probably hear some priorities coming out.
Are your company’s priorities clearly reflected in the communications that managers send down to their employees? If the company’s big enough, the answer is probably not, but it’s still important to see whether you can hear it in your manager’s communications to you.
What do people stress in team meetings? What consistently comes up as the most crucial part of any project? Often, you get the clearest sense of what a company’s priorities are by listening to employees at the grass-roots level—that’s where the burden of a company’s goals usually falls.
If you work for a not-for-profit organization, do you know the mission of your organization? Here, more than in any other organization, mission statements are important, highly utilized, and fundamental in the organization’s operation.
If you work for a governmental entity, do you know why the legislature spun that entity into motion? Or has the entity spun so far off of its orbit that the initial mission isn’t recognizable anymore?
Think about your company. What are your company’s actual priorities? Certainly making money is the obvious one, but what I mean here is, how do they go about making money? Do your company’s leaders take the market into consideration when they make a decision? Are they fast paced and quick to act, or are they stodgy about the decisions they make? Some companies have gotten into trouble when they stayed with the “tried and true,” only to find that the market was outpacing them.
Identifying the Projected Growth and Growth Strategies The secret is in planning for growth: planning for the capitalization of the growth, training the managers, and settling on one well-defined way in which things are to be done. You must have plenty of capital to pull off such a venture. It’s a risky thing, and you have to plan for the potential for some failure, no matter how minute. Upgrading a network from Windows NT to Windows 2000 implies that you spend money on the server farm, the infrastructure, training the admins, and training the users, and spend lots of time gaining buy-in among the various management players. Then, too, there is the problem of applications that are not Windows 2000 compliant. All of these are relevant growth questions that must be answered completely before pursuing and, more importantly, funding a Windows 2000 rollout. The first thing a good manager should look at when pondering a company’s potential for growth is the risk-management aspect. How much can I grow this company before it’s in a danger zone and I’ve gone too far with it? How little do I want it to grow? When should I stop growing the company so that it stays manageable? The answers to these questions are as far reaching as the managers who are asking them.
Identifying the Company’s Tolerance for Risk So, there’s risk associated with both kinds of endeavors, but the risk for the ambitious entrepreneur is far greater than for the corporation that’s starting up its 1,000th restaurant, you see? Maybe it’s that way where you work. You want to roll out a Windows 2000 solution. You’ve got plenty of managerial backing, the financing is there, and you have people who can help you with the rollout—people who are anxious to get the experience. You’ll prepare a project plan and go slowly. The risks are not that great because, if you fail, you’ll only have failed in one tiny segment of your rollout. You can back it out and see what fix is needed. On the other hand, the administrator who works by himself with a handful of servers—the kind who troubleshoots user problems by day and only has the luxury of configuring Windows 2000 rollouts at night—is in much greater danger of failure. Risk assessment is tricky. Risk is like a chameleon, taking on the shape and form of the project being considered. Risk is at once your nemesis and, managed wisely, in small ways, an asset. You have to know what kind of risk you’re looking at. Below, you’ll find some kinds of risk that I’ve run into over my years in business. I’m sure you’ll think of more. Technology Risk Companies put themselves at risk when they put technology to the stress test, an unpleasant strategy that can be carried out in a couple of different ways. One way is to try to blend two (or more) distinct technologies together in such a way as to form one whole entity. I can’t tell you how often this is done in business… and how often it fails. The managers who make these kinds of decisions wouldn’t dare dream of putting a Chevy water pump in a Ford engine, but they’ll take multimillion-dollar systems and try to tinker with them in the hopes of accomplishing basically the same thing! It doesn’t add up. Don’t get me wrong here. There are ways of getting systems to talk to each other, most often through Application Programming Interfaces (APIs). I’m talking here about combining two technologies in ways that should never be considered. Another way that a company puts itself at technology risk is when it launches out into a totally new, completely unproven technology that almost nobody has a handle on.
Technology risk assessment means asking the question: Are we ready for this technology, and is it ready for us?
Minimal Skill Risk Very often minimal skill risk goes hand-in-hand with technology risk. Minimal skill risk is incurred when the people to whom you’re entrusting a system can’t possibly maintain the system. Often this kind of false trust (hope?) leads to a decision to bring in scads of contractors to help maintain the system and paint some kind of successful face on it. Strategic Overshoot Risk This is a fun one, and easy to spot. You take a company that’s staffed by highly professional, highly qualified people. Put them in a room with lots of money, an ambitious project, and the promise of a wonderful payoff for them if the whole thing succeeds, and you’ve just mixed yourself up a big batch of strategic overshoot risk. The conversation in the meetings starts out pretty realistic. “We need such-and-such,” the CIO says, “The users are demanding it!” “Great,” the senior developer says, “I think we could go about it in this direction.” And then, all of a sudden, somebody stands up in the meeting and has an “I know! We do this…” moment that becomes a turning point in the project—the kind of turning point an interplanetary probe gets when it is slung around the earth to propel it deep into space. Before you know it, the project winds up having many different bells and whistles, most of which don’t meet the actual stated need but are “nice to haves.” Disney’s First Law Risk A hopelessly inept manager, deep into the last days of a multimillion-dollar IT project that would inevitably fail big-time, actually asked her developers, “Can’t you code faster?” Then, not a month later, she fired all 100 of them. She was personally let go just one quarter after that. Some companies actually subscribe to Disney’s first law: wishing will make it so. We wish our payroll system talked to our tax accounting system, so we’ll just hire the expertise to make it happen.
We wish that our fleet’s GPS system could also be used to manage our inventory database. We wish that all types of different disparate systems could be combined into one huge GUI. We wish that our telephony gear could talk to our mainframe and that everything could talk to our video production studio.
Chapter 1: Analyzing Business Requirements
Quite frequently, Disney’s first law risk manifests itself in the form of two totally dissimilar software products being somehow jammed together with the belief that there will be a cohesive fit, a molecular kind of thing will happen, and the business will be healthier and better. No-Pain No-Gain Risk In “no-pain no-gain,” we have a “reverse” risk. There are companies out there that don’t see the sense in strategically investing in technology in such a way as to enhance their future. I’m not talking here about companies that are afraid of running beta software on their network. I’m talking about companies that are still running DOS and Windows 3.1 because they work perfectly fine and, well, this whole Windows 95 thing isn’t proven to their satisfaction yet. Companies like this actually put themselves at a competitive disadvantage, because they’re not taking advantage of the kinds of smart features that updated software can bring to the table to help them get their jobs done more quickly and with less hassle. Managers of these kinds of companies are living in some kind of vague, “it’s good enough” world, thinking they’re saving money, when in reality their risky behavior is costing them money.
Identifying Relevant Laws and Regulations When you create a network design, you have to take into account how governmental regulations affect the way your company does business. You must be able to determine what kinds of legal ramifications a company can face in its decision-making efforts, especially relative to a Windows 2000 rollout. The point here is to get you thinking about what sorts of laws and regulations you work with and how they might impact you in your efforts. Medical Laws and Regulations Entities such as a medical facility, a medical equipment manufacturing firm, a pharmaceutical company, or any other organization that somehow touches the medical community face endless rules and regulations. Interstate Commerce Rules Industries like trucking routinely put GPS systems on their trucks, so they can keep track of their location, their load, and their expected time of arrival. All of these situations are regulated closely and would present some interesting challenges for you in terms of setting up fault-tolerant networks that could support such endeavors. Utilities Frequently, public utility commissions (PUCs) act as oversight committees for their state legislatures. The PUC’s sole purpose in life is to make sure that the utility is doing its level best to satisfy the needs of its customers without raking them over the coals in terms of the rates it charges. Utilities, even though they’re private companies, wind up being looked at as semi-governmental agencies because they’re so strictly regulated. It turns out that the laws and regulations that companies face have serious effects on the technological decisions made by a company’s officers. It’s up to you to familiarize yourself with your company’s purpose in life and the legal necessities it’s forced to adhere to.
Identifying the Total Cost of Operations The total cost of operations—the costs incurred by procuring, installing, and maintaining a specific system—is another factor in how a manager chooses to grow the business. There are many factors in the total cost of operations question, many considerations and details to think about. One of the biggest is identifying what risks there would be in undertaking a new venture. You must be able to weigh purchase-cost considerations, identify the surprises that were not apparent at the time the new system was acquired, and finally take on the challenge of running a cost-effective operation. A company’s return on investment, or ROI as it’s called, measures the benefit a project produces relative to what the company spent on it. ROI is usually expressed as a percentage returned over (an assumed) time frame; it is also, more loosely, thought of as the number of years that elapse before a system pays itself back in time and operations savings (strictly speaking, that second figure is the payback period). Now think about the importance of a smoothly operating network. As the administrator, you must be able to effectively choose and design a network that will benefit the company financially. When thinking about how ROI fits into a network plan, you must take yourself out of the technological picture and ask yourself the questions that the financiers of the project, typically non-technical types, are going to ask you.
Exam Essentials Be able to elucidate your company’s priorities. Knowing what your company does helps you match a Windows 2000 fit to the company’s needs. Understand your company’s growth and growth strategies. Windows 2000 scalability features and associated infrastructure designs, not to mention acquisition of legacy systems, will all come into play with growth plans. Identify relevant laws and regulations. Heavy emphasis on the word “relevant.” Identifying relevant laws and regulations could have great import on how you roll out Windows 2000. Assess your company’s tolerance for risk. Some people love roller coasters. Some get sick just watching people ride a roller coaster. Where does your company fit in the business roller-coaster ride? Pinpoint your company’s total cost of ownership. Know how to choose and design a network that will benefit the company financially.
Key Terms and Concepts Return on Investment (ROI) Generally speaking, the income that an investment returns in one year, relative to its cost. In computing terms, the “income” often isn’t measured only in dollars, but in added bandwidth, faster and smarter applications, a more secure enterprise, and so forth. risk In the business sense, that portion of a project or system that may be prone to failure, extra costs, unpredictability, hazard, or other unknown complications. Risk-takers in business often reap big rewards, but they also often have projects fail because they underestimate the size of the risk.
total cost of operations The total cost of performing a certain function on the network. For example, the total cost of operations would answer this question: What is the cost, in terms of dollars per thousand e-mails sent out, to maintain an Exchange server?
Sample Questions
1. Your company’s management has heard that Windows 2000 Datacenter Server will have the capability of talking to up to 32 processors, far more parallel processing than computer systems running other Network Operating Systems (NOS) in the same price range are capable of. The engineering modeling applications they run can benefit from the parallel processing features of this new OS. They want to move forward with an immediate Windows 2000 Datacenter Server rollout. What things might you advise them of when going forward with this project? Select all that may apply.
A. Windows 2000 Datacenter Server is new and largely untested.
B. You’ll need a lab to test the installation before rolling it out.
C. This is not a practical decision because there is too much risk associated with it.
D. Stabilize the server environment first, then go into experimental areas such as this.
Answer: A, B. The people telling you they want to go to Datacenter Server have evidently played around with other alternatives before, because they’re the ones telling you that it does what they’re looking for. But it’s up to you to tell them they’re venturing where very few have gone before and that you’d like to thoroughly evaluate and test the system before you go forward with a live deployment. A lab environment is always called for in situations such as this before you put a system out into production.
2. You work for a governmental agency that handles the investigation, inspection, and licensing of new medical devices that utilize high-power lasers. You’re interested in deploying Windows 2000, but your managers have some security concerns about this new OS. Specifically, they want to guarantee that the kind of information they’re keeping will not be exposed to prying eyes. You are able to assure them that this new OS has very robust security features. What nuances have you been able to identify in their questioning? Select all that apply.
A. Risk assessment
B. Risk aversion
C. Growth strategies
D. Priorities
Answer: A, D. Risk assessment does not imply risk aversion. Just because a manager is trying to weigh the risks of migrating to a new OS doesn’t mean he is averse to the new platform. On the other hand, managers must make decisions that revolve around what’s working now, what happens if we go forward and it breaks, and what the risks are of it breaking. You need to ask those questions as well. The security question is very legitimate and one you’ll have to quickly and intelligently answer if you want to get anywhere with Windows 2000 in governmental rollouts. The managers in the question are also interested in priorities. Where does this rollout fit into the priorities of testing laser equipment and making sure that medical regulations are being satisfied? These are two highly valid concerns that you would do well to come to the table prepared to answer.
3. You work for a securities company that is highly risk-averse. What are some sound arguments that you could present to management to make your case that a Windows 2000 rollout is not that risky? Select all appropriate options.
A. There are multiple multinational companies that have been running the software in production environments since it was beta.
B. You’ll go through a thorough testing and evaluation stage before you put the software into production.
C. You have several third-party whitepapers that detail the experience that others have had during the transition from NT 4 to Windows 2000.
D. You can improve the Total Cost of Ownership (TCO) by providing a more stable, more secure computing environment.
Answer: B, C, D. It probably wouldn’t be wise to lean on option A: even if it’s true, it doesn’t mean anything to managers who have their own company to run. Would you jump off a cliff just because Johnny did? Options B, C, and D are all viable, though B and C will carry the most weight, especially if you can provide whitepapers from other securities companies stating the issues they’ve experienced and the answers they’ve obtained during their rollout. For companies that are interested in deploying beta code in production environments, there is an entity called the Joint Deployment Program (JDP) that provides a different support mechanism while companies go through this kind of trial.
4. You really believe that Windows 2000 Server would be of great benefit to your company. But you can’t seem to convince your managers. You currently run Windows NT 4 and associated BackOffice products, along with most of the Oracle financials suite. You haven’t had all that many problems, but you think computing technology, throughput, and business readiness might improve if you could only upgrade. What might be your management’s reasoning? Select all that apply.
A. Risk
B. Priorities
C. TCO
D. Laws and regulations
E. Testing of financials
Answer: A, B, D, E. Each of the selected options could qualify. The best single option is probably B, because your management just doesn’t see a Windows 2000 rollout as a priority. As the saying goes, “if it ain’t broke, don’t fix it,” and your network runs just fine. An upgrade is risky, too. Are you personally willing to go through the pain of making sure the upgrade goes smoothly? The disparate financials application presents additional problem scenarios for you as well. This network, even though it might be small, presents some challenges to upgrading to Windows 2000.
5. You work for a large pharmaceutical company. You’re in discussions with your teammates about upgrading your NT 4 network to Windows 2000. What might be the biggest single factor that you’ll have to take into account as you go forward with your project plan?
A. Risk
B. Priorities
C. TCO
D. Testing of financials
Answer: D. Pharmaceutical companies are heavily regulated by the Food and Drug Administration (FDA). Of all the factors that moving a large pharmaceutical company from Windows NT 4 to Windows 2000 entails, the laws and regulations that might affect such a move, and the testing of regulated systems they demand, should certainly be considered first.
Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.
You need to assess what level of centralization (or decentralization) your IT organization uses, what its funding model is like, whether you’re outsourcing certain components, what the decision-making processes are, and whether there are change-management processes in place.
Critical Information Now we will review how IT operations are funded and possibly outsourced, review the decision-making processes, and conclude with change-management processes. This section will recap the way in which IT specifically is structured. You will need to be able to target its funding model so you can decide how to acquire the funds necessary to accomplish a rollout. You need to understand whether outsourcing components are required for a rollout. You will also need to ascertain what decision-making models are in place, so that stakeholders who have a say in the rollout are informed and are able to make solid decisions about how the rollout should go forward. You would be wise to have viable change-management solutions in place as you go forward.
Analyzing IT Funding The word funding has drastically different meanings when we examine it from the perspective of someone in the government versus the private sector or a not-for-profit organization. Governmental Funding Unlike their private-sector counterparts, governmental IT departments are not distinct profit-center entities that have the ability to make major corporate decisions. The government has a fiduciary duty to assure that taxes are spent with the greatest benefit to the taxpayer in mind, and officials must decide whether your IT department’s request is worthy of government spending. If not, then you won’t get approval. That’s how governmental IT departments are funded. Private Sector Funding In the private sector, funding for IT shops is much freer and allows for projects to be implemented more spontaneously. The first thing to establish is whether your IT department constitutes a cost center or a profit center. If your IT department helps to create software that your company is selling, then your contribution is intrinsic to the company’s success, and you are involved in a profit center. You help make a profit for the company. On the other hand, if you are involved with an IT department whose mission is simply to keep things on the straight and narrow on a daily computing basis—meaning that the servers stay up, the databases stay fast, and so forth—then you probably are considered a cost center. You cost the company money to maintain, and you really don’t contribute much toward helping them earn a buck. Funding in Not-for-Profit Organizations Funding for not-for-profits comes from the donors, so it is a really tough one to design for. The goal of a not-for-profit is to provide some service that’s a benevolence to mankind. While computers certainly are bought and networks are installed by not-for-profits, they are nowhere near the size or grand design of business networks. IT managers/administrators must take on the hybrid role of both maintaining their departments and guarding the funds that are acquired to keep them afloat. Many times, the “funding” is in the form of donations of older equipment that somebody else can no longer use but you can. A Windows 2000 rollout in an environment like this is going to take lots of planning, careful consideration, and, most importantly, lots of time to see the project from start to completion.
Outsourcing Risks You must be able to examine the risks associated with an outsourcing maneuver. You must be able to weigh the benefits of reducing overhead costs against the risks of outsourcing IT functions. Here are some key arguments that sum up the mindset you need to apply when examining the risk of outsourcing: “Outsourced entities can’t understand internal functionalities.” Companies that have spent thousands, hundreds of thousands, or millions of dollars developing internal software programs that are specifically customized for their business can’t expect outsource entities to come right in and understand the ramifications of their program.
“Companies don’t typically save money by outsourcing; they lose money.” Outsourcing isn’t cheaper, it’s more expensive. You must be able to confidently say that the entire cost of outsourcing the project would be less expensive than handling the project internally. You must be able to factor in the time it will take for your contractor to become acquainted with the work as well as find an hourly rate that’s equal to or lower than the rate of a salary employee. Often, this is not practical. “Consultants, like trainers, are not geniuses; they’re ordinary Joes.” There’s an old computer joke: “Q: What’s the difference between you and the trainer you’re taking the NT class from? A: About two pages in the manual.” The same is true of consultants. Unless you pay the big dollars for a very specific knowledge category—a highly specialized person who knows all about one specific subject—you’re wasting your time and money. The people you have on staff are as adequately prepared (or can quickly become that way) as the people you bring in. “Outsourcing doesn’t work if you use the consultants as the project managers.” This is often true. Generally speaking, it is the project manager who understands the project from stem to stern. Independent contractors aren’t equipped with any background knowledge of how your business operates, and therefore it’s challenging for them to make effective decisions. “It’s not true that the company isn’t in the IT business.” Regardless of what kind of products your company makes, if it uses computers to track and maintain its business, then you’re automatically in the IT business. There are two distinct situations where you might get involved with outsourcing and you will need to think about yourself and your company’s involvement. They are as follows:
Outsourcing a specific IT project
Outsourcing the entire IT staff
Outsourcing a Specific IT Project When designing a Windows 2000 network, outsourcing a specific IT project is going to be of importance to you. This is because your company is going to bring in contractors who have a given objective in mind, to assess the current environment— probably not asking questions about the future environment—and then design a solution that fits today’s network. That may or may not be tomorrow’s network, so it’s important for you to monitor all aspects of an outsourced job and raise the flag when you need to. Your operating principle should be to tell everybody, all project players including the contractors, what all of your plans are for your environment. Outsourcing the Entire IT Staff What can I say about this? If you’re pretty sure the entire IT operation is going to be outsourced, I’d bag any notion of going forward with a Windows 2000 deployment and hope that in your next job you get to do such a deployment. Stuff happens.
Creating and Managing a Change-Management Process Finally, we want to discuss the change-management process. Mainframers have used change management for decades to make sure that changes are well documented and that there’s a backout methodology in place before a change is implemented. Well-implemented change-management techniques can all but guarantee a much safer and more successful rollout of an application or project. Change-management programs require that you document any change you make to a system by going through a series of steps in your documentation procedure. Figure 1.3 shows a sample change-management document.
F I G U R E 1 . 3 : A sample change-management document
Change Management Document Proposed change (please supply full written details):
Server or servers impacted:
Application or applications impacted:
Network infrastructure changes needed:
Estimated time to make change: Persons involved:
How the change will be tested to assure that it is complete & satisfactory:
Backout procedure if change is unsuccessful:
Date and time change is to take place: Stakeholders involved:
Approvals:
Change-management documents are usually very official documents that are signed off by managers. If the evidence that the change won’t crater something is insufficient, managers will often either refuse to sign off on the change or require that you watch the change and implement backout procedures as soon as you see something going wrong. The owner of the change-management document (the one making the change) is the one who must be with the system (or be immediately available) the entire time the change is being made. With your Windows 2000 upgrade, change management should start with making sure you test things in a lab environment. Having worked through things in the lab, you file a change-management document stipulating what your intentions are, what’s going to happen, what people should observe happening, how you’re going to test the rollout, and what your backout policies are. Get it approved by all of the stakeholders, set a time to deploy it, and follow the letter of the document. Decision-Making
There are two facets of decision-making: a thorough analytical process that takes into consideration all the pros and cons of a new approach or tactic, and then the sheer gutsy act of going forward with that new approach or tactic. Management will have to make the decision to go forward with the Windows 2000 rollout, but they’ll go forward on the evidence and facts that you’ve given them. Management won’t go forward if you don’t make them feel comfortable that you know where things need to go and how you’re going to get them there. This is why this and other Windows 2000 exams are so different from older Microsoft exams. Microsoft is trying to get you to understand the reality that knowing your business is the first step toward a good deployment. Understanding how project management works and how to design and implement is second. Then and only then can you go forward with your project. Decision-making happens when people are sure that there’s a clear-cut need, that the time to go forward is now, and that there’s adequate funding for the project.
Exam Essentials Identify whether your IT makeup is centralized, decentralized, or somewhere in between. Knowing what state of centralization you’re in helps you figure out who the stakeholders are, what sort of autonomy various groups enjoy, how the funding is distributed, and so on.
Identify how IT is funded. Understand how your IT operation is funded. Know how your Windows 2000 rollout will create capital for your company. Will outsourcing be a part of IT? Outsourcing is a big component of today’s IT mechanism. Learn how to balance the need versus the risk of outsourcing in your department. What are the decision-making processes and how are they enacted in your company? Identifying the decision-making processes helps you get things done faster. Understand change management. A change-management ethos is wonderfully viable in any shop.
Key Terms and Concepts backout The proposed sequence of steps to undo a change that you’ve just made. All good change management includes a backout plan (though that backout plan may well say, “We can’t do anything to back this out once it’s implemented.”). change management The process of describing a change to a system, detailing what the change affects, how it will be affected, how long the change will take, what the ramifications are of going through with the change, what they are if it is decided to not go through with the change, and the backout procedure. cost center A group within an organization that costs money to maintain. decentralized When a group of individuals with a common collective mission reports to more than one leader, the group is said to be decentralized. outsourcing The process of permanently hiring an entity to perform work that was once performed by somebody inside the company, or the process of hiring an entity to perform a specific task for the company.
strategic planning The ability to think and plan long-term. Looking down the road several years and creating a long-term plan for your department.
Sample Questions
1. You are rolling out a Windows 2000 deployment. You’ve set up a lab and tested various phases of your rollout before going forward. The next component of your rollout is to notify stakeholders of what you’re doing and present them with a proposed backout plan. What function are you involved in relative to this phase of the deployment?
A. Risk assessment
B. Strategic planning
C. Change management
D. Decision-making assessment
Answer: C. You’re going through a change-management phase. Bully for you! A backout is a portion of a change-management document. The backout says, “OK, if this step craters, here’s how I’m going to revert things back to normal.”
2. Juan works in your Argentina office. He reports to your boss, the operations manager. Nihdi works in the New Delhi office and reports to a network manager who, in turn, reports to your operations manager. Nuk works in the Cairo office and reports to his network manager who, in turn, reports to your operations manager. How is the network management structure organized? Select the best answer.
A. Centralized
B. Decentralized
C. Hybrid of centralized/decentralized
D. Not enough information
Answer: C. A tricky question. Juan reports directly to the operations manager, while Nihdi and Nuk report to local network managers who in turn report to her. One office is managed centrally and two are managed through a delegated layer, so the structure is a hybrid. If all three reported straight to the operations manager (and she could realistically keep in contact with every multinational office), you’d call it centralized; if communications between the operations manager and her network managers broke down so that each office effectively ran itself, you’d be drifting toward decentralized.
3. You work for a securities company that is highly risk-averse but wants to proceed with a Windows 2000 Server rollout on all network servers. As the chief admin for the company, you want to make sure that the rollout happens smoothly. What steps might you take to assure that your design and rollout are faultless? Select all that apply.
A. You’ll outsource the design components that you don’t know anything about.
B. You’ll go through a thorough testing and evaluation stage before you put the software into production.
C. You’ll go through a user evaluation and approval process.
D. You’ll go to formal Windows 2000 training.
Answer: A, B, D. In the case of network operating system upgrades, it’s probably not going to be to your benefit to run through a user evaluation and testing period. You might do that if you were rolling out client software that directly affected the user’s desktop. In this case, however, the user shouldn’t see anything different than before. Options A, B, and D are highly recommended.
4. You work for a small non-profit cable TV station that runs Public Broadcasting System (PBS) programming. Your little network currently runs on NT 4, but you want to upgrade to Windows 2000 because of the multicast enhancements that you can get out of the new network operating system (NOS). What will be the single biggest
obstacle you’ll likely have to overcome when proposing this rollout to the brass?
A. Risk
B. Priorities
C. TCO
D. Laws and regulations
E. Funding
Answer: E. Often in small networks, the question isn’t about what’s nice to have, it’s about what’s necessary to have. While you may reap benefits from the multicasting features that are offered through Windows 2000, funding will be a huge question on the lips of the managers able to OK the project.
5. Your network is out of control! Admins all over the place are applying changes to the servers without notifying anybody. You want to design an intranet-based change management document. What might be some options that you’d include with such a document? Select all that apply.
A. Risk
B. Backout
C. Date/time
D. WAN circuits affected
E. Cost of change
Answer: A, B, C. You’ll want to know what the risk is if you make the change, how to undo the change if it craters things, and the date and time the change will happen. The WAN circuit affected is less important to record, because it will go on running even if the change causes problems on the server. The cost of the change is a budgeting question and is usually left out of a change management document.
Chapter 2
Analyzing Technical Requirements
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Evaluate the company’s existing and planned technical environment and goals. (pages 49 – 66)
Analyze company size and user and resource distribution.
Assess the available connectivity between the geographic location of worksites and remote sites.
Assess net available bandwidth and latency issues.
Analyze performance, availability, and scalability requirements of services.
Analyze data and system access patterns.
Analyze network roles and responsibilities.
Analyze security considerations.
Analyze the impact of infrastructure design on the existing and planned technical environment. (pages 66 – 86)
Assess current applications.
Analyze network infrastructure, protocols, and hosts.
Evaluate network services.
Analyze TCP/IP infrastructure.
Assess current hardware.
Identify existing and planned upgrades and rollouts.
Analyze technical support structure.
Analyze existing and planned network and systems management.
Analyze the network requirements for client computer access. (pages 86 – 93)
Analyze end-user work needs.
Analyze end-user usage patterns.
Analyze the existing disaster recovery strategy for client computers, servers, and the network. (pages 93 – 97)
This objective grouping addresses the business side of a Windows 2000 rollout, but it is also technical in nature. You will be discovering and analyzing your technical environment. You should be able to evaluate your existing technical environment in order to make decisions about how to roll out Windows 2000. You will need to be familiar with areas such as bandwidth, applications, the user environment, the server farm, and so on.
Evaluate the company's existing and planned technical environment and goals.
Analyze company size and user and resource distribution. Assess the available connectivity between the geographic location of worksites and remote sites. Assess net available bandwidth and latency issues. Analyze performance, availability, and scalability requirements of services. Analyze data and system access patterns. Analyze network roles and responsibilities. Analyze security considerations.
We start by reviewing how to examine a company’s existing and planned technical environments and identifying the goals involved in getting the company from the existing to the planned. It’s highly important to recognize within this objective the word planned because it implies that you’ll want to incorporate your Windows 2000 deployment into the existing network in such a way that it is fully capable of absorbing any new changes that may arise further on down the road.
Critical Information This section deals with various components of the technical environment. As you read the following subobjective sections, remember to think about your company and how these things break out there. Bear in mind the people in charge of the various components and what they might have to say about the impact that a Windows 2000 rollout will have on them. If you can think in these terms, you’ll soon have the flavor of what the framework type exams are all about, and you’ll be much better prepared to take them.
Analyzing Company Size and User and Resource Distribution When analyzing your company size against user and resource distribution, you will need to think about and define what the resources are in your technical environment. Resources can be divided into the following six categories:
Servers and associated tie-in gear, such as Redundant Array of Inexpensive Disks (RAID) array controller cards, fax boards, CD-ROM towers, etc.
Routers and associated internetworking gear such as Channel Service Units/Data Service Units (CSU/DSUs)
Network infrastructures, including cable plants, network closets containing the patch panels and switches and hubs, and the actual switches and hubs themselves
Telephony gear not used for internetworking (RAS devices, for example)
Printers and network printing gear (JetDirect cards, etc.), including scanners, plotters, and other miscellaneous peripheral gear used in day-to-day business activities
People
This list is certainly not all-inclusive. For the purpose of studying for the exam, you may add other items to this list.
Servers and Associated Gear
You need to document the location of every server within the scope of your Windows 2000 rollout, its function in life, and how it will play into your upgrade plans. Information that you glean about each server should include the current version of Windows NT it’s running (if, indeed, it’s running NT), as well as information on the processor, memory, hard drives, fault-tolerance gear, brand of computer, network connectivity, drivers, peripherals, installed software, and users working on it. The biggest problem you’ll run into here will be finding Windows 2000 device drivers for peripheral gear you’ve got hanging off of the servers or for RAID array adapters that are already in the box. You may wind up having to go to the vendor to get updated Windows 2000 drivers for these devices.
Routers and Associated Internetworking Gear
The biggest challenges that Windows 2000 network planners are going to run into, in terms of working with in-place internetworking gear, fall into the following two categories:
Replacing older routing equipment with Windows 2000 routers
Using modern routers that are capable of hosting Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
You may opt to replace some of your older routing equipment with a Windows 2000 router (that’s precisely one of the topics covered later in this book). Windows NT 4 Server was capable of acting as a Routing Information Protocol (RIP) router pretty early on in its release period. Windows 2000 Routing and Remote Access can run RIP or Open Shortest Path First (OSPF) for unicast routing and, for multicast traffic, act as an Internet Group Management Protocol (IGMP) router or proxy (IGMP itself is a group membership protocol, not a routing protocol).
Network Infrastructures
Another resource at your disposal, one that you may not think of as a resource, is your actual network infrastructure. You need to take a serious look at all network infrastructures on every campus. Diagram where the switch and hub closets are. Identify the core closets and core switches, then identify your spanning switches. Brand names and model numbers of switches and hubs are necessary, including any updates that have been applied to the firmware. Document all add-on cards in the switches or hubs. As long as you’re budgeting this rollout, you need to budget for the replacement of networking gear that won’t cooperate with Windows 2000, or design around slow, low-intelligence gear.
Non-Internetworking Telephony Gear
You also need to clearly document telephony gear used in the network that will be affected by Windows 2000. I can think of two very specific categories, but you can probably come up with more:
RAS switches, devices specifically designed to function as a RAS interface on your network, that are not servers
Interactive Voice Response (IVR) servers
Administrators often buy boxes that act as RAS devices; these little things have gotten pretty sophisticated. You need to figure out where all of these RAS devices are, what they have on them, what firmware revision they’re at, whether they’re using authentication packages, and what your upgrade path is going to be, if any. Key in this will be the decision about whether to use Remote Authentication Dial-In User Service (RADIUS) with these devices. When using IVR technology, learn to document where your IVR boxes are, what version of server software they’re running, what version of IVR software they have installed, and how they’re going to affect your deployment.
Printers and Network Printing Gear
First, you need to figure out what servers are acting as NT print hosts for your network-connected printers. Some companies have only one or two Windows NT boxes that act as print servers for all of their printers! Next, you need to try to get a handle on where the printers are, what they are, and how they’re connecting. One very good thing that will arise from this work is identifying old and ailing print server boxes or JetDirect cards that need to be updated. You’d probably like to figure out what level of firmware your print boxes (i.e., specialized boxes that you can buy and plug your printers into, so that they run off of the network) and cards are at as well, so that you know which ones need updating. Cards and boxes that can’t be updated to the latest and greatest firmware need to be replaced. Figure out whether your printers are using Line Printer Daemon (LPD) over TCP/IP or Data Link Control (DLC) to talk to the servers. All of this information needs to be mapped out so that you know which printer talks to which print server, using which LPD queue name and IP address. You also need to document the share names and the permissions associated with each printer share.
People
Finally, you need to map out the personnel at each site, their level of responsibility, applications managed, and so forth. Include internetworking personnel, NT server admins, Unix admins, PC techs, and any others that will be affected. Anyone that may come in contact with this Windows 2000 upgrade—not as a user but as a participating technology owner—must be included in the list. It’s up to you to communicate your Windows 2000 plans to the people targeted in this documentation and then keep them updated as you go along. A small desktop intranet page or an Exchange distribution list is an excellent way to maintain communications such as these.
Assessing the Available Connectivity between the Geographic Location of Worksites and Remote Sites These days, of course, the words “network” and “connectivity” can mean many things, and you’ll have to judge their meanings before you can assess the real intent behind the words. When we discuss the phrase “network connectivity assessments,” we find three distinct connotations to it:
You need to assess how disparate networks connect to each other. How do offices in Chicago and Tokyo talk to each other, if at all?
You must determine how telecommuters connect to the network. Do you have RAS servers, VPNs, high-speed telephony interfaces, or some other method of allowing contact with your network?
You must determine how users connect to the network.
The first bullet item is a straightforward one to assess. A simple call to the internetwork WAN people will yield the appropriate information. They might even be able to provide a Visio drawing of the network for you. The second bullet item is probably more difficult to assess, and the second half of this book talks in detail about telecommuters and their special needs. Microsoft has done tremendous work with Windows 2000 to provide enhanced connectivity for telecommuters. Finally, an assessment of how users connect to the network is important. First, find out what kinds of clients are connecting. There is a profusion of connectivity options. Users can connect through NetWare or via a Macintosh. The OS makes a difference in the connection client; OS/2 clients have a client that looks (and acts) different than Windows for Workgroups, and Windows 3.x and 9x clients even differ among themselves. Then, there’s the protocol issue: what protocol are clients connecting with—and for multiple protocols, which one is at the top of the stack?
Assessing Net Available Bandwidth and Latency Issues Internetwork managers and network managers are typically the ones who watch the bandwidth. Bandwidth is defined as the amount of data that can be transmitted in a fixed amount of time. WAN circuits are often measured in some amount of bits per second. A typical T1 line runs at 1.544 million bits per second (Mb/sec). Regular LAN networks are also measured in the amount of bits per second they can transmit, but fortunately you don’t have any Committed Information Rate (CIR) to worry about. When you set up a frame relay circuit with a telephony provider (such as Sprint, AT&T, etc.) you purchase a certain speed on the circuit, say 128 Kb/sec, plus you agree to
a CIR, which is normally lower than the port speed (a 128 Kb/sec port might carry a 64 Kb/sec CIR). Traffic up to the CIR is guaranteed; frames sent above the CIR are marked discard-eligible, meaning that the telephone company can drop them whenever its network is congested. A big problem with corporations today is that they undersize their CIR, thus putting data in jeopardy of being discarded (forcing a retransmit of the data) and actually slowing the network down even more than it already was. Today’s common standard in internal network speed is 100 million bits per second, but a relatively new speed, 1 gigabit per second, is quickly becoming vogue. Oftentimes the closet, sometimes called the Intermediate Distribution Frame (IDF), and the core (Main Distribution Frame [MDF]) switches are connected together at gigabit speeds. This back-end connection is called the backbone. Servers often connect directly to the backbone at the same speed. Users then connect at either 100 Mb/sec or 10 Mb/sec. Internetwork managers also look at the overall latency of the network: the time a packet takes to travel the network from point A to point B, compared with the time expected. It’s all about deltas (differences between expected and observed delay). The longer the packet takes, the more that internetwork managers wonder about incorrectly configured routers or Virtual LANs (VLANs), pointers to invalid VLANs, poor name resolution, cards or switches going bad, even bad wiring. Virtual LANs are created in switches and give you the ability to logically group users, or like entities, together in order to shrink broadcast domains (a switch already gives each port its own collision domain) and to more logically segment your network. If you decide to go through Cisco Certified Network Associate (CCNA) training, you’ll get a healthy dose of VLAN creation and maintenance.
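To make the CIR and discard-eligible mechanics concrete, here is an added example (written for this page, not code from the book) of the policing a frame relay provider applies at its ingress: per measurement interval Tc, frames up to Bc = CIR × Tc bits pass unmarked, the next Be bits are forwarded marked discard-eligible, and anything beyond that is dropped. The port speed, CIR, interval and traffic rates are hypothetical values chosen for the illustration. It shows what the paragraph describes: the same 96 Kb/sec flow either has a third of its frames marked DE on an undersized CIR, or passes clean on a right-sized one.

```python
"""Frame relay CIR policing, simulated.  Added example; not from the book.

Assumed (hypothetical) model: the provider meters bits per measurement
interval Tc.  Up to Bc = CIR * Tc bits pass unmarked, the next Be bits
(here the excess the access port can carry above the CIR in one Tc) are
forwarded with the discard-eligible (DE) bit set, and anything beyond
Bc + Be is dropped at ingress.
"""


class CirPolicer:
    """Classifies each frame as 'ok', 'DE' (discard-eligible) or 'drop'."""

    def __init__(self, cir_bps, port_bps, tc=1.0):
        if cir_bps > port_bps:
            raise ValueError("CIR cannot exceed the access port speed")
        self.tc = tc
        self.bc_bits = int(cir_bps * tc)                 # committed burst per Tc
        self.be_bits = int((port_bps - cir_bps) * tc)    # excess burst per Tc
        self._window = None
        self._bits_in_window = 0

    def classify(self, t, size_bytes):
        window = int(t // self.tc)
        if window != self._window:          # new interval: start metering afresh
            self._window = window
            self._bits_in_window = 0
        self._bits_in_window += size_bytes * 8
        if self._bits_in_window <= self.bc_bits:
            return "ok"
        if self._bits_in_window <= self.bc_bits + self.be_bits:
            return "DE"
        return "drop"


def simulate(cir_bps, port_bps, frames_per_second, seconds, frame_bytes=1500):
    """Send a steady flow of full-size frames through the policer and count outcomes.

    The flow is constructed traffic: frames_per_second evenly spaced frames in
    each second.  Returns a dict with the number of frames in each class.
    """
    policer = CirPolicer(cir_bps, port_bps)
    counts = {"ok": 0, "DE": 0, "drop": 0}
    for s in range(seconds):
        for i in range(frames_per_second):
            counts[policer.classify(s + i / frames_per_second, frame_bytes)] += 1
    return counts


if __name__ == "__main__":
    # 96 Kb/sec of traffic (8 x 1500-byte frames per second) over a 128 Kb/sec port
    print("undersized 64K CIR  :", simulate(64_000, 128_000, 8, 3))
    print("right-sized 128K CIR:", simulate(128_000, 128_000, 8, 3))
    # a one-second burst of 192 Kb/sec exceeds even the port's excess allowance
    print("burst on 64K CIR    :", simulate(64_000, 128_000, 16, 1))
```

Every DE frame that the carrier actually drops costs a TCP retransmit, which is why the undersized case feels slower than the raw numbers suggest: the retransmits themselves compete for the same committed rate.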
Analyzing Performance, Availability, and Scalability Requirements of Services Here you must pause and take a good long hard look at how the network is used. Often, you’ll find it utilized in a totally different way than you might have imagined it to be. When studying, use the following guidelines of network utilization as categories to be aware of.
Messaging Services
Users use the network for e-mail and calendar-sharing purposes. Generally, in a Windows NT environment, there is at least one Exchange server; Exchange clients can use Schedule+, and Outlook users can opt to use Schedule+ or Outlook calendars. Calendars can be shared to schedule meetings, and users can actually view one another’s free and busy times. The concept is that users can virtually share their appointment information and possibly even virtually collaborate on an item using messaging and collaboration components (such as NetMeeting, for example). Virtual collaboration is starting to step up to the plate now that networks are slowly being upgraded to intelligent switched backbones. For example, Oracle developers, DBAs, and so forth use the Web-based collaboration service WebEx to go online and discuss a particular site’s deployment with one another. Microsoft, of course, has had NetMeeting in place for years, allowing for video, audio, and desktop takeover in virtual collaboration settings. Oftentimes, conference-calling for the voice portion of the collaboration comes into play as you set up these network-based collaboration scenarios, simply because the network either cannot transport the telephony data (the routers and switches aren’t equipped for it) or doesn’t have the bandwidth to handle voice transport. Virtual collaboration: a) is very cool and b) has come alive with Exchange 2000 Server.
File Server Services
File serving is a huge part of any user’s network utilization, even though the user may not realize that he is getting files from the network. Many shops provide large RAID arrays with gigs of hard drive space that are made available to users so that they can store all kinds of important documents, which are then subject to routine tape backups. Windows 2000 IntelliMirror (through its Offline Files feature) lets users keep locally cached copies of network-based files, keep working on them after they disconnect from the network, and, when they reconnect, synchronize the files changed while stand-alone with the copies kept on the server.
Print Server Services
Print serving is another widely used feature. You set up one or two NT Server computers and then just set up a bunch of printers through either LPR or DLC connections. (You can also use JetDirect connections.)
Application Server Services
Users access the network for applications, all kinds of applications. They might be using applications you weren’t even aware were loaded on the network. Some of the kinds of applications that can be used on a network can be described as follows:
Server-based applications such as SQL Server or Exchange Server, which typically require some kind of user interface or application.
Internet/intranet-based applications requiring only a browser for access to the application. This is called thin-client computing.
Terminal applications that need terminal emulation software, which then allows users to access a Windows terminal server or Citrix MetaFrame server (or a combination of the two). A Systems Network Architecture (SNA) Server also requires a client that acts as a front end to an NT computer, which in turn communicates with a mainframe host.
n-tier client/server applications that depend on some sort of user application, which talks to the NT computers that talk to a Unix or mainframe back-end host, sometimes using middleware to do so.
Bootstrap Protocol (BootP) devices that, upon bootup, send out a BootP request to find a server that can supply the IP configuration and the boot image they need to participate on the network. Windows 2000 Remote Installation Services (RIS) works in a similar way, allowing PXE-enabled computers to locate a RIS server and obtain an image of the Windows 2000 software.
TCP/IP Configuration Services
You don’t often think of DHCP, DNS, or WINS as applications, but they really are. The user boots up and sends out a DHCP request, a DHCP server answers because it’s running the DHCP application,
and the user is equipped with the proper TCP/IP configuration. DHCP is an application running on the server, providing TCP/IP configuration services to users.
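As an added illustration of DHCP as an application (example code written for this page, not from the book), the following builds the two halves of the exchange just described, the client’s DHCPDISCOVER and the server’s DHCPOFFER, laid out per RFC 2131 on top of the BOOTP header, and parses both back. The MAC address, transaction id and IP addresses are constructed sample values; nothing is put on the wire.

```python
"""BOOTP/DHCP DISCOVER and OFFER messages per RFC 2131.  Added example, not
from the book; MAC, transaction id and addresses are constructed samples."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_CLIENT_ID, OPT_END = 53, 54, 55, 61, 255
ZERO4 = b"\0" * 4


def encode_options(options):
    """Serialise [(code, value_bytes), ...] as TLVs behind the magic cookie."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_discover(mac, xid):
    """Client broadcast: no addresses yet, asks for mask, router and DNS."""
    header = struct.pack(HEADER, BOOTREQUEST, 1, len(mac), 0, xid, 0, 0x8000,
                         ZERO4, ZERO4, ZERO4, ZERO4, mac, b"", b"")
    options = [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
               (OPT_CLIENT_ID, b"\x01" + mac),          # htype 1 = Ethernet
               (OPT_PARAM_LIST, bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS]))]
    return header + encode_options(options)


def build_offer(discover, offered_ip, server_ip, mask, router, dns, lease):
    """Server reply: echoes xid and chaddr, proposes an address and lease."""
    req = parse(discover)
    ip = socket.inet_aton
    header = struct.pack(HEADER, BOOTREPLY, 1, 6, 0, req["xid"], 0, 0x8000,
                         ZERO4, ip(offered_ip), ip(server_ip), ZERO4,
                         bytes.fromhex(req["chaddr"]), b"", b"")
    options = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
               (OPT_SERVER_ID, ip(server_ip)),
               (OPT_LEASE, struct.pack("!I", lease)),
               (OPT_SUBNET, ip(mask)), (OPT_ROUTER, ip(router)), (OPT_DNS, ip(dns))]
    return header + encode_options(options)


def parse(packet):
    """Decode the header and the option TLVs of a DHCP message."""
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, _sname, _file) = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                 # PAD option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen].hex(),
            "yiaddr": socket.inet_ntoa(yiaddr), "siaddr": socket.inet_ntoa(siaddr),
            "options": options}


def sample_exchange():
    """Run DISCOVER -> OFFER with constructed sample values; returns both decoded."""
    mac = bytes.fromhex("0050568a1b2c")              # hypothetical client MAC
    discover = build_discover(mac, xid=0x3903F326)
    offer = build_offer(discover, "10.1.5.23", "10.1.5.1", "255.255.255.0",
                        "10.1.5.1", "10.1.5.2", lease=86400)
    return parse(discover), parse(offer)


if __name__ == "__main__":
    d, o = sample_exchange()
    print("DISCOVER from", d["chaddr"], "xid", hex(d["xid"]))
    print("OFFER", o["yiaddr"], "lease", int.from_bytes(o["options"][OPT_LEASE], "big"), "s")
```

The real exchange continues with DHCPREQUEST and DHCPACK, built the same way with message types 3 and 5; the xid is what ties all four messages of one client’s transaction together.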
Analyzing Data and System Access Patterns It’s not enough to know what user components are accessing the network. You also need to determine the times of the day that users access the network more heavily and which applications or files garner the most access. This has a very practical application; it allows you to determine how the infrastructure handles things when the network is at peak load. Knowing usage patterns also allows you to make scalability decisions about servers that are constantly being hit. You can use NT’s Performance Monitor (now called System Monitor in Windows 2000) for a lot of the usage tracking you need, and several good third-party products can help you get more details. Your network manager can sniff the network and tell you which packets are traversing the LAN at what times. Knowing usage patterns helps you strategically place servers that will handle the most load and beef up infrastructures that are too weak to handle the user onslaught.
Analyzing Network Roles and Responsibilities Although network management appears to be straightforward, by now you’ve learned that there are many areas to manage. Let’s review some of the different concepts. Physical Network Management
The physical management of the network has to do with the people that sit and watch the status of the network infrastructure. In a switched virtual LAN (VLAN) environment on a large network, this activity can be a full-time job for one or more people. Using Hewlett Packard (HP) OpenView, Computer Associates (CA) Unicenter, or another network management system (NMS), network managers watch Simple Network Management Protocol (SNMP) traps for specific events on different pieces of network gear.
Another management technique is network sniffing, where somebody does an actual network protocol capture and thoroughly analyzes what’s happening on the network. Internetwork managers might use software from Network General or Fluke Systems for their network sniffing needs. Network managers are typically internetworking experts who know their way thoroughly around OpenView or other NMSs.
Logical Network Management
Another internetworking bailiwick lies in the fascinating, complicated, and highly evolved world of logical network layout—the internal management of VLANs on switches and routers. You can significantly isolate portions of the network that do the most talking to each other, keeping them from other similar network environments, all through the magic of VLANs.
Managerial Network Management
This is probably the most fascinating aspect of network management, simply because it revolves around how the people are arranged to accomplish solid network management. Become aware of the many ways that a manager can set up staff so that the network is competently managed. Following are just a few:
Segmenting internetworking (router/switch) people, server people, apps people, PC techs, and help-desk personnel all into different camps (you might possibly hear these referred to as technical silos).
Train your server admins to also function as server application admins. The help-desk and PC tech people stay where they are, but the server and application admins are one and the same.
Implement the jack-of-all-trades manager. This person runs help desk, maintains PCs, configures servers, and installs and supports application software. Typically this is seen in very small (500 nodes or fewer) networks.
Utilize the PC techs as the help-desk personnel and vice versa. Note that this person isn’t yet a full-fledged administrator, but is functioning in the dual role of help-desk and PC tech. You’ll see this a lot in very small networks.
Analyzing Security Considerations Network security has some of its own unique ramifications, some of which are completely beyond the scope of this book (security being a career unto itself) and others of which you can manage in your project plans. Use the following considerations as guidelines when reviewing network security.
Protecting the Network from Outside Intruders
Firewalls and proxy servers protect networks from outside intruders, but they’re only as good as the people that program them and the network design. If a hacker can come in from the outside and figure out the IP address of the Web server he’s hitting, and if he can ascertain the port that the Web server’s using, he has a target: every weakness in that Web server’s software and configuration is now reachable, and a compromised Web server is the foothold from which he pokes around the corporation. You should be aware of common security threats such as the SYN flood and the ICMP (ping) flood. A SYN is the first packet of the TCP three-way handshake, sent by a client trying to contact one of your external servers, typically a Web server. The concept here isn’t to hack into your private network, it’s to disrupt you. If someone wrote a program that would send a SYN to a server with a forged source IP address, then forge a different address and send another SYN, and so on thousands of times in a few seconds, the server would answer each one with a SYN-ACK and hold a half-open connection waiting for an acknowledgement that never arrives. Once the table of half-open connections is full, legitimate clients can no longer connect. A SYN flood is one form of denial of service (DoS) attack. The ICMP flood (a ping flood; ping is the utility that sends ICMP echo requests) is simply a hacker pinging the box millions of times, the result of which is to bring the server to its knees.
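An added example (not from the book) of the detection logic a practitioner would run over a packet capture to spot the two attacks just described. The records are a constructed sample in a simple comma-separated form (time, protocol, source, destination, destination port, TCP flags or ICMP type); a real capture would be exported from a sniffer into something like this. A SYN flood shows up as many half-open connections (SYNs never followed by the client’s ACK) from many different forged sources to one port in a short window; a ping flood shows up as an abnormal count of echo requests to one host. The thresholds are hypothetical and would be tuned to the site’s normal traffic.

```python
"""SYN flood and ICMP (ping) flood detection over packet records.
Added example, not from the book.  Sample records are constructed."""
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "t proto src dst dport flags")


def parse_line(line):
    """Parse 'time,proto,src,dst,dport,flags' (a constructed export format)."""
    t, proto, src, dst, dport, flags = line.strip().split(",")
    return Record(float(t), proto, src, dst, int(dport), flags)


def detect(records, window=1.0, syn_threshold=100, icmp_threshold=200):
    """Return alerts for SYN floods and ICMP echo floods seen in `records`.

    Per fixed window of `window` seconds:
      * a SYN from src to dst:dport is half-open unless the same src later
        sends an ACK to dst:dport in that window (handshake completed);
      * an ICMP echo-request is counted per destination host.
    """
    syns = defaultdict(list)   # (window, dst, dport) -> sources that sent SYN
    acks = defaultdict(set)    # (window, dst, dport) -> sources that sent ACK
    echo = defaultdict(int)    # (window, dst) -> echo requests
    for r in records:
        win = int(r.t // window)
        if r.proto == "tcp":
            key = (win, r.dst, r.dport)
            if r.flags == "S":
                syns[key].append(r.src)
            elif "A" in r.flags:
                acks[key].add(r.src)
        elif r.proto == "icmp" and r.flags == "echo-request":
            echo[(win, r.dst)] += 1

    alerts = []
    for (win, dst, dport), sources in syns.items():
        half_open = [s for s in sources if s not in acks[(win, dst, dport)]]
        if len(half_open) >= syn_threshold:
            alerts.append({"type": "syn_flood", "window": win,
                           "target": f"{dst}:{dport}",
                           "half_open": len(half_open),
                           "distinct_sources": len(set(half_open))})
    for (win, dst), n in echo.items():
        if n >= icmp_threshold:
            alerts.append({"type": "icmp_flood", "window": win,
                           "target": dst, "echo_requests": n})
    return alerts


def build_sample():
    """Constructed sample: two legitimate handshakes, then a SYN flood, then a ping flood."""
    lines = [
        "0.00,tcp,192.168.1.10,10.0.0.5,80,S",
        "0.01,tcp,10.0.0.5,192.168.1.10,1025,SA",
        "0.02,tcp,192.168.1.10,10.0.0.5,80,A",
        "0.50,tcp,192.168.1.11,10.0.0.5,80,S",
        "0.51,tcp,10.0.0.5,192.168.1.11,1026,SA",
        "0.52,tcp,192.168.1.11,10.0.0.5,80,A",
    ]
    # 300 SYNs in one second, each from a different forged source, never acknowledged
    lines += [f"{1.0 + i / 1000:.3f},tcp,203.0.{i // 250}.{i % 250 + 1},10.0.0.5,80,S"
              for i in range(300)]
    # 400 echo requests in one second aimed at the same server
    lines += [f"{2.0 + i / 1000:.3f},icmp,198.51.100.7,10.0.0.5,0,echo-request"
              for i in range(400)]
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The distinct-source count is the tell that separates a spoofed SYN flood from a busy but honest server: a thousand half-open connections from a thousand addresses that never speak again is an attack, while a thousand from a handful of addresses is more likely a broken client or a dead return path.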
Every network has a dumping ground where users place their common stuff for other users to be able to see. If the rights on the shared directory aren’t sufficiently examined, a user with Change permission to absolutely everything can simply drag and drop a critical folder somewhere else in the system with one click of a mouse button and not even know it happened. Know how to keep your public folders safe from harm by knowing how to assign security features to them: review which groups hold Change or Full Control on each share and its underlying NTFS folder, and keep broad groups such as Everyone down to Read wherever they don’t need to write.
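As an added example (not from the book) of checking those rights rather than guessing at them: Windows NT and 2000 ship with cacls, a command-line tool that lists a folder’s NTFS ACL one ACE per line as account:(inheritance flags)right, where the right letter is N (none), R (read), W (write), C (change) or F (full control). The listing below is a constructed sample in that format, and the code flags any broad principal (Everyone, Users, Authenticated Users, Domain Users) holding Change or Full Control. It assumes paths without spaces and does not handle the multi-line "(special access:)" form cacls prints for non-standard rights.

```python
"""Audit cacls output for over-broad Change/Full Control grants.
Added example, not from the book.  The listing is a constructed sample in
the output format of the Windows NT/2000 cacls tool (paths without spaces,
basic rights letters only)."""
import re

# Constructed sample, laid out the way cacls prints a listing: the path,
# a space, the first ACE, then one indented ACE per line.
SAMPLE_CACLS = r"""
D:\Shares\Public BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F
                 Everyone:(OI)(CI)C
D:\Shares\Finance BUILTIN\Administrators:(OI)(CI)F
                  CORP\Finance:(OI)(CI)C
                  CORP\Domain Users:(OI)(CI)R
D:\Shares\Drop CORP\Domain Users:(OI)(CI)F
"""

# account:(OI)(CI)R  -> account, inheritance flags, one rights letter
ACE_RE = re.compile(r"^(?P<account>.+?):(?P<inherit>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")
RIGHT_NAMES = {"N": "None", "R": "Read", "W": "Write", "C": "Change", "F": "Full Control"}
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users",
                    "nt authority\\authenticated users"}


def parse_cacls(text):
    """Return {path: [(account, inherit_flags, right_letter), ...]}."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # a new path starts the line
            path, _, ace = line.partition(" ")
            acls[path] = []
        else:
            ace = line
        m = ACE_RE.match(ace.strip())
        if m is None:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        acls[path].append((m["account"], m["inherit"], m["right"]))
    return acls


def is_broad(account):
    """True for the groups that effectively mean 'everybody in the domain'."""
    name = account.lower()
    return name in BROAD_PRINCIPALS or name.endswith("\\domain users")


def risky_grants(acls):
    """List (path, account, right name) where a broad group can modify or delete."""
    return [(path, account, RIGHT_NAMES[right])
            for path, aces in acls.items()
            for account, _inherit, right in aces
            if is_broad(account) and right in ("C", "F")]


if __name__ == "__main__":
    for path, account, right in risky_grants(parse_cacls(SAMPLE_CACLS)):
        print(f"{path}: {account} has {right}; reduce to Read unless they must write")
```

Run the real thing by capturing cacls output for each share root into a file and feeding it to parse_cacls; the Finance share in the sample passes because the only broad group there has Read, while the Drop share is exactly the "Change permission to absolutely everything" case the paragraph warns about.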
Now your coders, engineers, and power users present a whole different kind of threat. They’re (usually) smart enough not to drag an entire shared folder to a different spot on the RAID array. But that’s the problem—they’re smart. They can figure out workarounds for situations you’re trying to guard against. You must be able to plan, relative to a Windows 2000 rollout and internal user security, for a way to identify who has what rights today and to either mimic those rights on the new system or to crack down even further. Documenting all of the users and groups is going to present you with a large challenge, but it should be done.
Protecting the Network from Terminated Employees
Terminated employees, especially network admins or programmers (aka coders) and engineers with tons of rights, need to be observed very closely at termination time. A Windows 2000 designer should confer with the security person who handles the terminations and determine how they’re handled. The designer should insist on either deleting the account or, at a bare minimum, disabling it, and this deleting/disabling activity should happen the day the person is terminated. (Disabling first and deleting later is the safer sequence: a disabled account keeps its SID, its file ownership and its audit trail, all of which you may need if the person’s activity ever has to be investigated.)
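As an added example (not from the book) of the check a designer would want run after every termination: reconcile the HR list of terminated employees against an export of the domain’s accounts, and flag any account that is still enabled on or after its owner’s termination date, or that has been logged on to after that date. The HR list and the account export are constructed sample data; a real run would feed them from HR’s system and from a directory dump (for instance a script around net user). Group names treated as privileged are an assumption for the illustration.

```python
"""Reconcile HR terminations against domain accounts.  Added example, not
from the book; the HR list and account export are constructed samples."""
from datetime import date

# assumed set of groups whose members get the 'high' severity
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed HR feed: username -> termination date
HR_TERMINATIONS = {
    "jdoe": date(2001, 3, 2),
    "asmith": date(2001, 3, 5),
    "bkim": date(2001, 2, 20),
}

# Constructed directory export (what a script around `net user` would collect)
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "last_logon": date(2001, 3, 4),
     "groups": {"Domain Admins", "Domain Users"}},
    {"name": "asmith", "enabled": False, "last_logon": date(2001, 3, 5),
     "groups": {"Domain Users"}},
    {"name": "bkim", "enabled": True, "last_logon": date(2001, 2, 19),
     "groups": {"Domain Users"}},
    {"name": "clee", "enabled": True, "last_logon": date(2001, 3, 6),
     "groups": {"Domain Users"}},
]


def audit_terminations(terminations, accounts, today):
    """Return (user, finding, severity, days) for terminated users whose account
    is still enabled or has been used after the termination date."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct["name"])
        if term is None or today < term:
            continue                              # not terminated (yet)
        if acct["enabled"]:
            # an admin-level account left enabled is the worst case
            severity = "high" if acct["groups"] & PRIVILEGED_GROUPS else "medium"
            findings.append((acct["name"], "still enabled", severity, (today - term).days))
        if acct["last_logon"] > term:
            findings.append((acct["name"], "logon after termination", "high",
                             (acct["last_logon"] - term).days))
    return findings


def audit_sample():
    """Run the audit over the constructed data as of a fixed date."""
    return audit_terminations(HR_TERMINATIONS, ACCOUNTS, today=date(2001, 3, 6))


if __name__ == "__main__":
    for user, finding, severity, days in audit_sample():
        print(f"{severity.upper():6} {user}: {finding} ({days} days)")
```

A logon after the termination date is the finding to chase first: either the disable never happened, or someone else is using the departed person’s credentials.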
Exam Essentials Identify the company’s size and its user and resource distribution. Identify the six categories of resources outlined earlier, noting where they are geographically, how many users are involved with each resource, and how the resources interplay within the environment. Determine the connectivity between geographic locations. Assess the kind of connectivity you have between geographic sites, its speed, its CIR, and its availability. Determine if it is sufficient for Windows 2000 needs. Assess any remote connectivity needs such as RAS. Determine if there are any bandwidth or latency issues. By identifying WAN circuits and LAN backbone speeds, you’ll know the bandwidth. Make a determination as to how fast the network is keeping up with user demand.
Analyze the network services, taking into account how available they are, how effective they are in their performance, and any scalability issues you might encounter in a Windows 2000 rollout. Use the various service categories listed earlier to help identify service issues. Analyze data and system access patterns. Answer the following questions: How do users use the systems? What are the data needs for various systems? How well do systems behave as users access them? Determine network roles and responsibilities. Be able to describe who the players are in the network, what their jobs entail, and their responsibilities. Discover security considerations. Make a determination as to the current state of security on the network, where it needs to go, and how to get it there.
Key Terms and Concepts Bootstrap Protocol (BootP) A TCP/IP protocol that allows a computer to boot up and find a server that can equip it with its IP configuration. Committed Information Rate (CIR) When working with a frame relay service, a specified amount of guaranteed bandwidth (measured in bits per second). When purchasing frame relay service from a provider (typically the telephone company), a company can specify the CIR level they wish. The provider guarantees that packets not exceeding this level will be delivered. It’s possible that additional traffic may also be delivered, but it’s not guaranteed. Packets that are above the CIR are considered to be discard-eligible and could possibly be thrown away. Data Link Control (DLC) A non-routable protocol at layer two of the OSI model (the data link layer) that Windows NT and Windows 2000 can install to talk to older HP JetDirect print servers and, through SNA Server, to IBM mainframes and AS/400s. It addresses nodes by their hardware (MAC) address on the local segment rather than by IP address, so it cannot cross a router. Don’t confuse it with the frame relay Data Link Connection Identifier (DLCI), which identifies a virtual circuit on a frame relay link.
Chapter 2
Analyzing Technical Requirements
63
discard-eligible Frames that are sent above the committed information rate (CIR) may be discarded. These frames are marked discard-eligible (the DE bit in the frame relay header).

ICMP attack A denial of service attack that floods a target with ICMP echo requests (PING), either directly from many hosts or by sending the requests to a network’s broadcast address with the victim’s address forged as the source, so that every host on that network replies to the victim (a “smurf” attack).

Interactive Voice Response (IVR) Telephony systems that provide a series of voice messages that guide a caller through menu selections; e.g., “Press 1 for Sales or 2 for Marketing.”

Internet Group Management Protocol (IGMP) A TCP/IP standard (RFC 1112) by which hosts tell the routers on their segment which multicast groups they want to receive. It manages group membership; the actual routing of multicast traffic between networks is done by multicast routing protocols.

latency There are two acceptable ideas behind the concept of latency. The first is the notion of how long a computer component spends waiting on another component to finish what it’s doing and honor a request. The second has to do with the amount of time that a packet takes to get from one point to another across a network.

Line Print Daemon (LPD) A printer service that runs on Unix computers. Microsoft Print Services for Unix also includes an LPD service.

Open Shortest Path First (OSPF) A link-state routing protocol: each router builds a map of the whole area and computes the shortest paths from it.

Preboot Execution Environment (PXE) An Intel standard that allows a computer to find a boot server. PXE is used with RIS implementations.

Routing Information Protocol (RIP) A small, lightweight distance-vector routing protocol for small- to medium-sized networks. Limited to routes no more than 15 routers (hops) away; a hop count of 16 means unreachable.

Simple Network Management Protocol (SNMP) An early set of protocols designed to facilitate the management of network equipment. Versions 1 and 2c authenticate with plaintext community strings, so SNMP access should be confined to the management network.

SYN attack A denial of service (DoS) attack in which a hacker sends thousands of TCP Synchronize (SYN) requests to a server, usually from forged source addresses, and never completes the handshake. Each SYN ties up an entry in the server’s table of half-open connections until it times out, so the table fills and the server can no longer accept legitimate connections, even though the network itself is still passing packets.
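The two flood definitions above describe symptoms; what follows is an added example (written for this edition, not code from the book) of how a detector recognises them in a packet log. The records, addresses and thresholds are constructed for the illustration; a real sensor keeps per-interval counters on live traffic rather than scanning a list, but the test is the same: a burst of SYNs that never complete the handshake, or of echo requests, aimed at one destination from many sources.

```python
"""Added example, not from the book: recognising the SYN-attack and
ICMP-attack patterns defined above in a packet log.

Each record is (time_s, src, dst, proto, info); for TCP, info is the flag
string ("S" = SYN, "SA" = SYN/ACK, "A" = ACK); for ICMP it is the type name.
The log built below is constructed for the example; it is not a real capture."""
from collections import defaultdict


def build_sample_log():
    log = []
    # Three legitimate clients complete the handshake normally.
    for i, client in enumerate(("10.2.0.11", "10.2.0.12", "10.2.0.13")):
        t = 0.10 * i
        log.append((t, client, "10.1.1.5", "tcp", "S"))
        log.append((t + 0.01, "10.1.1.5", client, "tcp", "SA"))
        log.append((t + 0.02, client, "10.1.1.5", "tcp", "A"))
    # SYN flood: 300 SYNs inside one second from (spoofed) sources that never ACK.
    for i in range(300):
        log.append((1.0 + i / 300, f"198.51.100.{i % 250 + 1}", "10.1.1.5", "tcp", "S"))
    # ICMP flood: 200 echo requests inside one second aimed at the same server.
    for i in range(200):
        log.append((2.0 + i / 200, f"203.0.113.{i % 200 + 1}", "10.1.1.5", "icmp", "echo-request"))
    return sorted(log)


def half_open_syns(records):
    """SYNs from a (src, dst) pair that never sent the final ACK of the handshake.
    A flood of these, not a high SYN count by itself, is what exhausts the
    server's backlog of half-open connections."""
    completed = {(src, dst) for _, src, dst, proto, info in records
                 if proto == "tcp" and info == "A"}
    return [r for r in records
            if r[3] == "tcp" and r[4] == "S" and (r[1], r[2]) not in completed]


def busiest_window(records, window=1.0):
    """Largest number of records aimed at any one destination within a sliding
    time window. Returns (dst, count, distinct_sources); records must be sorted."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r[2]].append(r)
    best = (None, 0, 0)
    for dst, recs in by_dst.items():
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[1]:
                best = (dst, count, len({r[1] for r in recs[start:end + 1]}))
    return best


def detect_floods(records, window=1.0, syn_threshold=100, icmp_threshold=100):
    """Return a list of (kind, dst, count, distinct_sources) alerts.
    The thresholds are assumptions; tune them to the link's normal rates."""
    alerts = []
    dst, n, srcs = busiest_window(half_open_syns(records), window)
    if n >= syn_threshold:
        alerts.append(("SYN flood", dst, n, srcs))
    echoes = [r for r in records if r[3] == "icmp" and r[4] == "echo-request"]
    dst, n, srcs = busiest_window(echoes, window)
    if n >= icmp_threshold:
        alerts.append(("ICMP flood", dst, n, srcs))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print("%s against %s: %d packets from %d sources in 1s" % alert)
```

The distinct-source count is what separates a flood from one misbehaving client: hundreds of half-open connections from a single address is a broken application, the same number from hundreds of addresses is an attack (or, for ICMP, the reflected replies of a smurf attack).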
Sample Questions

1. You have a network at your main site and one at a satellite office several hundred miles away. The sites are connected together with a T1 frame relay circuit with a 512Kbps CIR. There are about 500 users at each site. Recently you’ve implemented a thin-client database system where the client uses a browser to connect to the database in order to retrieve information from it. You’ve noticed that performance has decreased at the satellite site since you implemented this system. What could the nature of the problem be?
A. Bandwidth
B. Latency
C. Poorly normalized databases
D. Poor client computers

Answer: A. There’s not a lot of information to go on here, but you know enough to take a guess that you’ve got a problem with bandwidth, specifically the low CIR. Without a good trace on the network to see how much bandwidth the WAN circuit is actually using, it’s hard to say, but the problem most probably lies with frames being marked discard-eligible because they’ve gone over the CIR and are being tossed by the carrier.

2. You have offices in the United States, Canada, and the United Kingdom. You want to implement Windows 2000 in all offices, but you’ve run into a snag in terms of your connections with the other sites. It seems as though you’re restricted as to the kind of encryption that’s allowed in other countries. What sort of issue are you facing here?
A. Bandwidth
B. Latency
C. Security
D. User environment

Answer: C. You have a security issue. When Windows 2000 shipped, U.S. export controls limited the encryption that could be shipped outside the U.S. and Canada to 40- and 56-bit keys; 128-bit (“strong”) encryption was supplied separately as a high-encryption pack, and some countries restrict the import or use of strong cryptography. Clearly some planning will have to take place on your part to facilitate good quality encryption at all sites.

3. In preparing your Windows 2000 design, you’ve asked that an internetworking expert come in and sniff the network. She is now telling you the amount of time it takes for a packet to get from one server to another is very slow. What problem is she describing?
A. Bandwidth
B. Attenuation
C. Latency
D. Wait state

Answer: C. She’s describing the network’s latency to you. This may be a one-time phenomenon, a recurring thing, or a continuous problem. You’ll have to figure that out and fix the problem before proceeding with the upgrade.

4. In considering scalability issues you might encounter in your rollout, what could potentially be the most costly to fix?
A. Server upgrades
B. Network infrastructure upgrades
C. Both A and B
D. Neither A nor B

Answer: C. Scalability implies that you have reserve capacity that can be used to add processes or processing without stressing a system. If you’re considering clustering for some of your new Windows 2000 processes, the operation could become quite expensive, not only because you’re throwing redundant gear at the problem, but also because you’re probably buying enterprise-class gear that can handle many processes. Infrastructure upgrades are not cheap. Vendors don’t give away switches, routers, and cabling upgrades.

5. You work as a network architect for a multinational firm with offices all over the world. What would be one of the chief physical considerations you would need to take into account when planning a Windows 2000 upgrade?
A. Servers at each site
B. Language issues
C. Administrative issues
D. WAN connections

Answer: D. Your biggest concern should ultimately center around the WAN connectivity between sites. It doesn’t matter how sophisticated the server farm or the network operating system (NOS) is if the computers can’t talk to one another very well.
Analyze the impact of infrastructure design on the existing and planned technical environment.
Assess current applications.
Analyze network infrastructure, protocols, and hosts.
Evaluate network services.
Analyze TCP/IP infrastructure.
Assess current hardware.
Identify existing and planned upgrades and rollouts.
Analyze technical support structure.
Analyze existing and planned network and systems management.
Next, we’ll review network infrastructure. This is a very loosely used phrase, but when we think of network infrastructures, typically we’re thinking of the cable plant, the server farm, the switches, hubs, routers, and WAN connectivity that make it so. Microsoft adds to this list the TCP/IP infrastructure and technical support structure, in addition to how the network is being managed using systems management tools.
Critical Information This is a fun section. We start by recapping current applications running on the network. Next we’ll cover the actual infrastructure itself, including the evaluation of network services, TCP/IP infrastructure and hardware involved. You should be able to identify any planned upgrades or rollouts then take a look at the technical support structure. Finally, we’ll review both network and systems management. Of all of the components you’ve covered, the most critical is probably the identification of the applications on the network. Nothing will bring your rollout to a stop more quickly than a mission-critical app that can’t hang with Windows 2000.
Assessing Current Applications There are two separate distinctions we need to make here: the app’s scope—whether it is enterprise or workgroup—and, regardless of scope, whether the app is client/server or Web-based. Enterprise or Workgroup Scope?
Network applications can be split into two varieties: enterprise and workgroup (local). An enterprise application is one that is used daily by a lot of people. Exchange is an enterprise application, but that’s an obvious one. An intranet app that lives on a Web server and is used with IE is a less obvious case, but its number of users and daily volume of use could be just as vast. Think of enterprise applications as those that have a mission-critical status, are being used by large numbers of people, and are in use almost all of the time during working hours. Workgroup apps live on a server and serve a purpose specifically for one group of people. Financials are probably the most common of several good examples. Not everybody in the company needs to use server-based financial software; typically, only the accountants and payroll people do. Nevertheless, the software is large and expensive, requires tons of training for the admins and end users, and needs a lot of care and feeding. Often a client-based GUI has to be installed and periodically upgraded.
Another good example to use as a guideline might be Visual SourceSafe (VSS) for coders. Few people in the company need VSS, but the software lives on a server and requires a lot of admin maintenance. The scope of an app such as this one is not that it’s an enterprise tool; it’s local in nature and shouldn’t be considered enterprise software. Client/Server or Web-Based?
A second distinction, independent of the scope of the app, is the way that the app is distributed across the environment. Following are some differentiating characteristics that distinguish the various client/server iterations, so you can get a feel for how complicated an app’s distribution can be.

2-Tier Client/Server Typically, this means that a client software piece is installed on several computers and this client component talks directly to the server. A database is usually involved. Exchange Server is a good example of 2-tier client/server: it includes a set of centralized databases and a client such as the Exchange client, the Outlook client, or Outlook Web Access (OWA). Clients can be homegrown with tools such as PowerBuilder or Visual Basic, or they can come with the application (as in the case of Exchange Server).

3-Tier Client/Server A third piece, called middleware, is introduced between the client and the server; middleware usually (but not always) resides on an NT computer. The user makes a request to the middleware box, which in turn passes the request on to the back-end host (a Unix database server, say) and then sends the result set back to the user. Thus, there are three components and a 3-tier client/server model.

n-Tier Client/Server The phrase n-tier client/server is given to systems with many more levels than standard 2-tier or 3-tier systems. The design dictates how many tiers deep you go. Databases that replicate and consolidate with other databases might also qualify as n-tier systems. n-tier systems are highly complicated and require careful attention by server and application admins and DBAs.

Thin-Client Client/Server Thin-client computing is truly client/server computing, called “thin” because very little processing goes on at the client level (and much at the server). Thin clients access server applications via a Web browser, the best example being access to an Exchange server for e-mail. When you access an Exchange server via OWA, you’re accessing a database and using a browser to read it.

Web-Based Web-based apps rely on a browser, but their functionality rises entirely from coding paradigms that center around the Web, things like ASP, HTML, XML, Java, and VBScript. When you use a browser to access an intranet app that talks to a database, you’re using 3-tier client/server, but you’re working in a strictly Web-based environment. Microsoft Transaction Server (MTS) could run as a middle tier, allowing Component Object Model (COM) objects to run within its context in potentially any of the above-mentioned configuration scenarios.

What about the Clients?
When dealing with client/server apps, there are two factors that the Windows 2000 network designers need to keep in mind. The first is to know what the clients are using, and the second is to know the origins of the application. Be able to identify how it was coded and developed and whether the client will continue to use this app in an upgraded environment. With off-the-shelf client software, you have a little bit of a better opportunity to find out what sorts of compatibility issues you’ll run into. The company that wrote the software should be able to give you a good idea of the client component’s capability of working with Windows 2000. You must also be able to anticipate if the server software will behave in the Windows 2000 environment. BackOffice and Off-the-Shelf Server Applications
Some apps are designed to run in a heavy enterprise environment. All of the Microsoft BackOffice suite is, of course, built that way. But there are many other server software programs that reside on NT boxes and provide large user support for a specific function. It’s important to identify these apps and then check with the vendor to make sure they’re going to be able to keep up with the Windows 2000 environment. Test these apps before things get too far down the road just to make sure everything will work.
When working out your Windows 2000 design on paper, part of the activity that you’ll perform—a big part—is describing all of the different apps that are installed on servers throughout your enterprise. You need to determine the type and scope of each app, its use in the company, and whether it’s going to cooperate with Windows 2000. You’ll also need to know how to test apps before they are moved into the Windows environment.
Analyzing Network Infrastructure, Protocols, and Hosts If you’re not the internetworking and/or infrastructure keeper of the knowledge, that person’s going to have to be available when you begin this undertaking. There are three separate issues that you need to review here: infrastructure, protocols, and hosts. Infrastructure
The infrastructure involves the way that the various buildings your company occupies are wired, the health of the various switch closets, the backbone that connects the switch closets, and the switches, hubs, and routers that build the switching matrix of each building. When designing Windows 2000 for your company, select a building for examination. Take a walk through the building, getting a feel for where the wiring closets are and how they’re wired. Figure 2.1 shows an example of what you may see. Here, there are three wiring closets, two of which are “user closets”—that is, users connect from their office to the switches in the closet. Data travels the backbone to the core switch and thence to the server.
F I G U R E 2 . 1 : A typical network infrastructure model. (Figure: client computers connect through patch panels to the closet switches; a fiber optic backbone links the closet switches to the core switch, which connects to the server.)
Infrastructures are complicated little beasts. You have to watch the connections at the patch panel terminators to make sure they’re professionally installed. You want to run plenum-rated Cat5 through ceilings, and it should be solid, not stranded, wire. Don’t run the wire parallel to fluorescent lights or up chases with phone lines (the lights induce electrical noise and the phone lines cause crosstalk); cross lights at right angles instead. The jumper cables and user connection cables should be stranded, not solid, because stranded wire tolerates the repeated flexing that patch cords get without breaking. You should always outsource your fiber optic cable installations, and I would certainly recommend that you outsource all cable installations. Your cable plant is your lifeblood, so have an expert build it. Routers are an entire science unto themselves. You might want to consider outsourcing your router purchase, configuration, and maintenance.
Protocols
There are several kinds of protocols in use on Windows 2000 networks: LAN protocols (those in use on the network itself), WAN protocols (those used by the routers and frame relay gear to get your packets to outlying destinations), connection protocols that manage the connection between a remote user and the network, and encryption protocols and authentication protocols. Routers encapsulate almost any routable LAN protocol for the WAN link transparently, so you don’t have many concerns there. It’s up to you to ascertain what protocols are on the LAN side of the house and make plans to get rid of unsupported protocols. This may involve a server-to-server visit just to find out what’s on each computer and thus what’s running on the LAN.

Supported Windows 2000 Protocols
NetBEUI is still supported, but why do you want that old thing? Sure, it was fast, but it wasn’t routable. IPX/SPX is also supported for backward compatibility with legacy NetWare boxes. NetWare went to native TCP/IP with version 5, and Novell has never gone back to IPX. But there are scads of old NetWare 3.11 boxes still hanging around, running only IPX, with users needing to access them. You’ll use IPX/SPX in a legacy NetWare environment, but only long enough to convert the NetWare boxes to TCP/IP (or to Windows 2000). Windows 2000 supports the IPX/SPX protocol with the Microsoft implementation of IPX/SPX, a protocol called NWLink. An AppleTalk network integration is included for continued support of Macintosh clients. Both Intel-based and Apple clients can share files and printers using this feature. The Point-to-Point Tunneling Protocol (PPTP) is a VPN connection protocol that is supported in Windows 2000. Its single purpose is to assist with the nailing up of virtual private networks (VPNs). PPTP has been around the Microsoft camp for several years now and works well; its security, though, is only as good as the authentication method negotiated on the connection, so require MS-CHAP v2 on PPTP connections and refuse MS-CHAP v1 and PAP.
A second VPN connection protocol, newer than PPTP, is the Layer 2 Tunneling Protocol (L2TP). It, too, is used for VPNs, but it carries no encryption of its own and so doesn’t rely on vendor-specific encryption technology; in Windows 2000 it’s paired with IPSec (L2TP/IPSec), which handles encryption and authentication of the tunnel endpoints. Microsoft expects this combination to wind up being the industry VPN standard.

Microsoft Point-to-Point Encryption (MPPE), used with PPTP, and IP Security (IPSec), used with L2TP or on its own, are the two encryption protocols supported by Windows 2000.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), as well as MS-CHAP, CHAP, SPAP (Shiva PAP), and PAP, are authentication protocols, validating that a remote user is who she says she is. They are not equally strong: PAP sends the password in the clear, and the older challenge/response methods can be attacked offline from a single captured exchange, so prefer MS-CHAP v2 and disable the others wherever every client supports it.

RADIUS (Remote Authentication Dial-In User Service) is not a tunneling protocol but a way for a remote access server to hand authentication, authorization, and accounting off to a central server. It’s predominantly used by third-party RAS devices, and by ISPs, which can check dial-up and tunneled users against the company’s own accounts; in Windows 2000 the Internet Authentication Service (IAS) is the RADIUS server, and Routing and Remote Access can act as a RADIUS client.

PPTP and L2TP both use tunneling. What this means is that the user’s packets are wrapped inside IP packets as they fly along the Internet. At the place where they knock on the door of the network, the user is authenticated, the packets are unbundled and decrypted, and the data is read.

SNMP, a network management protocol, is still supported in Windows 2000. With this protocol, your network monitoring software, such as HP OpenView, can obtain information from network gear and other equipment that has the ability to answer SNMP queries and send SNMP traps.

The DLC protocol, used by Hewlett-Packard JetDirect print servers among others, is also included for backward compatibility with DLC connections to shared printers.

There are other specialized protocols (such as the infrared-device protocols IrDA-FIR and IrDA-SIR), but, for the most part, the above protocols are the ones you’ll be using most often.

Hosts
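As an added example (not from the book or from Microsoft), here is the CHAP exchange described above in code, with both sides’ messages, followed by the offline dictionary attack that a captured exchange allows. The secret, identifier, challenge and wordlist are constructed for the demonstration. MS-CHAP and MS-CHAP v2 follow the same challenge/response pattern (with the NT password hash and DES in place of MD5), and a captured exchange can be attacked offline the same way, which is why password quality still matters even when MPPE or IPSec encrypts the tunnel.

```python
"""Added example, not from the book: a CHAP (RFC 1994) exchange between a RAS
server and a dial-up peer, and the offline dictionary attack that capturing
one exchange allows. All secrets, identifiers and challenge bytes below are
constructed for the demonstration."""
import hashlib
import hmac
import os

# RFC 1994 packet codes
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never goes on the wire, which is CHAP's advantage over PAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap_exchange(secret_on_server, secret_on_peer, identifier=1, challenge=None):
    """Both halves of the exchange. Returns the transcript as a list of
    (sender, code, payload) tuples; the last entry is SUCCESS or FAILURE."""
    if challenge is None:
        # A real server must use a fresh, unpredictable challenge every time;
        # a repeated challenge lets an eavesdropper replay a captured response.
        challenge = os.urandom(16)
    transcript = [("server", CHALLENGE, (identifier, challenge))]
    response = chap_response(identifier, secret_on_peer, challenge)
    transcript.append(("peer", RESPONSE, (identifier, response)))
    ok = chap_verify(identifier, secret_on_server, challenge, response)
    transcript.append(("server", SUCCESS if ok else FAILURE, identifier))
    return transcript


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """What an eavesdropper on the link can do with one captured exchange:
    try candidate secrets until the MD5 matches. No further contact with the
    server is needed, so account lockout and logging never see the guesses."""
    for candidate in wordlist:
        if chap_response(identifier, candidate.encode(), challenge) == response:
            return candidate
    return None


# Constructed values for the demonstration (hypothetical, not real credentials)
DEMO_SECRET = b"summer2000"
DEMO_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_WORDLIST = ["password", "letmein", "welcome1", "summer2000", "Windows2000"]


if __name__ == "__main__":
    transcript = run_chap_exchange(DEMO_SECRET, DEMO_SECRET, 7, DEMO_CHALLENGE)
    for sender, code, payload in transcript:
        print(sender, code, payload)
    _, _, (ident, chal) = transcript[0]
    _, _, (_, resp) = transcript[1]
    print("recovered secret:", offline_dictionary_attack(ident, chal, resp, DEMO_WORDLIST))
```

Note that CHAP obliges the server to hold the secret in a form it can feed to MD5, which on Windows means storing passwords with reversible encryption; that, together with the offline-guessing exposure shown here, is the reason MS-CHAP v2 was preferred for Windows 2000 remote access.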
The word “hosts” is a TCP/IP word. Whenever anyone says the word “host,” you should think of “computer.” A host is simply another computer out in the big bad network world. That’s why the old file that maps host names to IP addresses is called hosts; it lists the hosts on your network. (The hosts file, by the way, was a great idea back in the early ’80s. Today, with so many TCP/IP hosts, it’s a terribly inefficient way to maintain name resolution, though Windows still consults it before DNS, which makes it a favorite place for malicious software to redirect names.)
What’s being asked of you in this particular topic is that you assess the kinds of hosts you have on the network. I would look at that task as assessing what kinds of operating systems are loaded on your computers, because the operating system essentially defines the host.
Evaluating Network Services Microsoft has really broken the infrastructure objective into small pieces, haven’t they? Without some context “Evaluate network services” could mean a lot of things. You must be able to choose services consisting of either software or hardware that will come to the aid of the network in order to formulate a stronger, better-functioning system. Network Monitoring
Network monitoring services typically consist of network monitoring software coupled with a computer that’s designated to handle only the influx of SNMP and RMON traffic from the LAN. (RMON, Remote Monitoring, is an SNMP MIB extension that lets a probe on each segment collect traffic statistics and history locally and report summaries, which scales far better than polling every counter from the center.) The combination of the network monitoring software and hardware is called a network management system (NMS). Some companies have many NMS computers housed in one area strictly for the purpose of monitoring their huge networks. The combination of lots of NMS computers in one location is called a Network Operations Center (NOC). Network devices report their status to the NMS via the SNMP protocol. Management Information Bases (MIBs) are the definitions of the objects a device exposes; the MIB files loaded on the NMS tell it how to decode, prepare, and present the freshly reported data. The most common NMS software around the world is HP OpenView or CA Unicenter TNG, though there are others.

Metrics Monitoring
The concept of metrics centers around ascertaining how much uptime the servers have had the luxury of experiencing. There are two methods of determining uptime, each at opposite ends of the scale. You could opt to manually keep track of every time that a server went down, how long it was down for, and what the cause of the outage was.
The number of outages that occur on a specific server can be quite revealing information. If you know, for example, that a server was down four times in one month, you might find out that an application had been recently loaded on the server and that this was the cause for all the outages. What you’d do to correct that problem is another story, but at least you may have a handle on what’s causing the outages. A more elegant solution is software that handles metrics monitoring. NetIQ, BMC Patrol, and ManageX are all designed to give you super granularity in terms of watching critical servers and services, handling problems with them, and alerting you of the issues. TCP/IP Services
TCP/IP services consist of things like DHCP, WINS, LDAP, and DNS. The most interesting of these are DHCP and DNS. While Unix boxes don’t readily do DHCP (though Unix DHCP server software does exist), they do DNS pretty darn well. And in legacy environments where DNS servers are already running and handling things nicely, you might have a really hard time convincing people that DNS needs to move to Windows 2000. Lucent Technologies offers a replacement DNS/DHCP/WINS application called QIP, which lives on servers and takes the place of the regular NT services. Some switch and router gear can host TCP/IP services. What matters for Windows 2000 is not where DNS lives but what it supports: Active Directory requires SRV records and works best with dynamic updates, which Windows 2000 DNS provides and which switch and router gear (and older DNS servers) generally don’t.

Security Monitoring
Security monitoring, in my mind, has to do with the alerting that goes on with proxy and firewall servers. A firewall product is expected to alert the administrator that some sort of attack is transpiring. Moreover, good firewall software should have some method of ascertaining when it’s being hit by an attack and be able to shut the attack down before it craters the network. Microsoft Proxy Server supports Internet Server API (ISAPI) filters, customized filters that third-party vendors write in order to prevent users who are coming in or going out from performing some specific activity. ISAPI is a Microsoft API that developers can utilize to hook into IIS and, through it, the proxy server.

Fault-Tolerance Monitoring
When you install tools like HP’s TopTools or Compaq’s equivalent, Insight Manager, one of the things you do is monitor the fault-tolerant gear that’s installed on the server. This is fault-tolerance monitoring. SNMP could be said to be acting in a fault-tolerance monitoring capacity when it sends out a trap alerting the administrators that a redundant link (a special port on switches that allows you to set up a second, fall-back link into them) has gone down. When this happens, of course, the switch represents a Single Point of Failure (SPOF) and needs to be addressed quickly. Web Monitoring
A new kind of monitoring activity that administrators have to be cognizant of is monitoring the company’s Web sites, both internal and external. With Web sites, you’re interested in a variety of things: monitoring traffic, front and back load management, capturing visitor information, and most importantly site security.
Analyzing TCP/IP Infrastructure Assessing the TCP/IP infrastructure is probably going to be one of the simpler tasks that you’ll be involved with in your Windows 2000 network design. You need to know where key servers are and what their names and IP addresses are. You need to know the network IDs and subnet masks in use on the network. You need to know what the router, firewall, and proxy server IP addresses are. Here are the kinds of things you’ll be watching out for:
Key servers are the DNS, DHCP, and WINS servers in the environment. Find out these servers’ names (both NetBIOS and FQDN) and IP addresses and where they’re located. While you’re locating this information, also identify the server scopes: where they are, what they’re composed of, and the various global or scope settings that are applied.
Identify all of the network IDs. Also, find out what subnet masks are in use throughout the various parts of your network.
Obtain all of the critical connector server information, such as router addresses (typically the network ID with a .1 address—e.g., 10.1.1.1). You’ll also want to know the NetBIOS and FQDN names and the IP addresses of the various proxy servers and firewalls on the network.
Obtain the IP addresses of the printers and the locations of their LPR, DLC, or HP ports.
List the IP addresses and NetBIOS and FQDN names of the servers.
If a BootP server is in use for thin-client workstations that have no hard drive and use BootP to boot off of the network, identify the server names and IP addresses.
Identify any RAS servers, their names, and IP addresses. While identifying these boxes, it’d be a good idea to jot down the phone numbers that are associated with the servers.
From the Windows 2000 design point of view, the IP addresses of the switches in the closets matter least, since your servers and clients won’t be connecting to them. If they’re managed switches, record their management addresses anyway: their SNMP community strings and telnet or Web consoles are part of the network’s attack surface and should be reachable only from the management network.
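An added example, not part of the book, that turns the checklist above into a consistency check: given the declared network IDs and masks and the hosts you recorded, it reports hosts that fall in no declared subnet, declared subnets that overlap (usually a wrong mask), and subnets whose router is missing or not at the customary .1 address. The subnets and hosts are constructed for the example; substitute your own inventory.

```python
"""Added example, not from the book: sanity-checking a TCP/IP inventory of the
kind described above. The declared subnets and discovered hosts are constructed
for the example (hypothetical names and addresses)."""
import ipaddress
from collections import defaultdict

# Subnets may be written with a prefix length or with a dotted subnet mask,
# as they usually appear in NT documentation; ipaddress accepts both.
DECLARED_SUBNETS = {
    "10.1.1.0/24": "HQ server room",
    "10.1.2.0/255.255.255.0": "HQ users",
    "10.2.0.0/23": "Satellite office",
}

# (name, ip, role) as collected during discovery
DISCOVERED_HOSTS = [
    ("HQDC01", "10.1.1.10", "DNS/DHCP/WINS"),
    ("HQRTR01", "10.1.1.1", "router"),
    ("HQPRN01", "10.1.1.50", "printer"),
    ("HQPROXY", "10.1.2.254", "proxy"),
    ("SATRTR01", "10.2.0.1", "router"),
    ("SATRAS01", "10.2.1.20", "RAS"),
    ("OLDFILE", "192.168.5.7", "file server"),  # nobody declared this network
]


def classify_hosts(subnets, hosts):
    """Place each host in the declared subnet that contains it. Hosts that fit
    nowhere are returned separately: they are either undocumented subnets or
    typos in the inventory, and both need chasing down before a rollout."""
    nets = {ipaddress.ip_network(s): label for s, label in subnets.items()}
    placed, orphans = defaultdict(list), []
    for name, ip, role in hosts:
        addr = ipaddress.ip_address(ip)
        home = next((n for n in nets if addr in n), None)
        if home is None:
            orphans.append((name, ip, role))
        else:
            placed[str(home)].append((name, ip, role))
    return dict(placed), orphans


def find_overlaps(subnets):
    """Pairs of declared subnets that overlap, which almost always means a wrong mask."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def router_gaps(subnets, hosts):
    """Subnets with no router recorded, and routers not at the customary .1 address."""
    placed, _ = classify_hosts(subnets, hosts)
    missing, unconventional = [], []
    for s in subnets:
        net = ipaddress.ip_network(s)
        routers = [h for h in placed.get(str(net), []) if h[2] == "router"]
        if not routers:
            missing.append(str(net))
        for name, ip, _ in routers:
            if ipaddress.ip_address(ip) != net.network_address + 1:
                unconventional.append((name, ip))
    return missing, unconventional


if __name__ == "__main__":
    placed, orphans = classify_hosts(DECLARED_SUBNETS, DISCOVERED_HOSTS)
    for net, members in placed.items():
        print(net, [m[0] for m in members])
    print("orphans:", orphans)
    print("overlaps:", find_overlaps(DECLARED_SUBNETS))
    print("router gaps:", router_gaps(DECLARED_SUBNETS, DISCOVERED_HOSTS))
```

A host with no declared home is worth more attention than the rest of the report: it is either a subnet nobody documented, which will also be missing from your DHCP scopes and site design, or a box that is not where the inventory says it is.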
Assessing Current Hardware Depending on the size of your network (and whether you have Microsoft Systems Management Server [SMS] installed), you might have to spend several weeks getting information about the hardware on your network. SMS, of course, allows you to garner asset and network information and keep it stored in a SQL Server database. You’ll need to diagram several different categories of hardware in order to have a more complete understanding of the hardware on your network. In larger installations, a complete view might be impossible, but it’s at least possible to ascertain what servers are in the domain. Once you know that, the very least that you should do is to find out what hardware the servers are using. You must be able to find weak spots on the network that need to be addressed before you go forward with the design and deployment. Also, be mindful of your department budget. Below are some logical steps you can take in your hardware discovery process:
Figure out which servers are on the network.
Identify networked printers by type, manufacturer, and model.
Ascertain the type of switches and hubs you have on the network.
Repeat the same kind of work for the routers.
Tape backup systems should be revisited at this time.
RAS servers such as those made by Shiva, US Robotics, and 3Com—stand-alone devices that provide telecommuting interfaces for your network—are also going to come into play on the new Windows 2000 network.
Miscellaneous devices that you should know about when considering the Windows 2000 upgrade should appear on the list as well. There are all kinds of devices that come to mind.
Identifying Existing and Planned Upgrades and Rollouts It is highly critical that you identify any existing or planned upgrades or rollouts that might be affected by your Windows 2000 plans. Let us identify the difference between an upgrade and a rollout.

Upgrade An upgrade is something that happens to an already extant system or device, an improvement over a like existing system.

Rollout An entirely new thing (a new hardware device, a new way of doing a business task, or a new software application) is a rollout.
Analyzing Technical Support Structure After you’ve analyzed the equipment and the code, it’s time to find out what people and procedures your company uses to maintain all of that. There are two ways of looking at this exam objective, and I think it’s probably safe to examine both. You need to identify what kind of technical support is in place for the administrators who are going to own the system and for the users who will utilize it.

Network Manager Support Identify the technical support infrastructure that you and your deployment managers will require for the Windows 2000 rollout.

User Support Be sure that the structure you’re implementing is one that your users will expect. Always make them aware of changes you plan to make, putting your users on a knowledge level where they can use the network the way they used it before the rollout.
Analyze Existing and Planned Network and Systems Management Finally, you will need to know how the network is being managed today and how the Windows 2000 change is anticipated to affect the network managers. You’ll also need to consider any network or systems management software that’s in place. Managers of the Network
Depending on the size of your network, you’ll find that network managers fall into several different categories. It’s important that you determine the various layers of network management that are involved at your site, who manages what, and to what depth each person’s knowledge goes when it comes to Windows networks and TCP/IP. A training chart is called for, one that has “Current” and “Windows 2000” as column headers. Write the network manager’s name, the type of management she is responsible for, and the level of knowledge currently possessed. Then you can write in the Windows 2000 column how much training is required for this person and how involved she will probably be in the new network. Use this list of network management tasks as a study tool: Backup Managers These people are responsible for nothing other than the backup of the network. It’s possible that these are Unix people that happen to also back up the NT network, a very feasible paradigm.
Internetwork (Data-Comm) Managers These people are responsible for the routers and WAN connections, though they may not be responsible for the infrastructure. There may be a logical separation of the two camps (internetwork and infrastructure).

Infrastructure Managers These people manage the overall infrastructure of the network. They handle the cable plant, the wiring closets (don’t forget the cool internetworking buzz phrases Intermediate Distribution Facility/Main Distribution Facility [IDF/MDF]), the patch panels, and the hubs and switches.

Applications Managers Someone is responsible for the enterprise applications on the network. Often they have one or, at the most, two separate applications that they manage. There might be several different applications managers.

Print Managers In larger companies, believe it or not, there are people who do nothing but handle print queues all day long. If you’ve ever hassled with JetAdmin software over a new printer on the network, you’ll know how challenging this job can be.

Database Administrators (DBAs) DBAs set up tables, create namespaces, write stored procedures, perform business analysis on new database systems, and so forth. They’re usually very skilled, in terms of the database software, and are wonderful resources for you.

NOS Managers Some companies have people that strictly handle the set up of servers and the installation of the NOS. These people would not be terribly application-aware, but chances are they would be highly aware of the changes coming their way in Windows 2000.

E-mail Managers E-mail systems can grow to be so large and ponderous that dedicated administrators are required. This part of network management would then be relegated to the e-mail managers.

Web Managers For both Internet and intranet sites, dedicated Web administrators are sometimes required.

Telephony Systems Managers Here we have the rare breed of individual who is responsible for the telephony systems (and the associated interfaces that are related to the corporate network). Windows NT 4 was highly CTI-aware, and Windows 2000 will be even more that way.
Chapter 2
Analyzing Technical Requirements
81
Security Managers
These folks create and manage user accounts, groups, NTFS permissions, mainframe logons, Internet usage accounts, and so forth.

More than one of these network management roles could be occupied by the same person. It’s possible that one entity might not even know that another exists. Nevertheless, all of these various management components need to know and be aware of the ramifications of a Windows 2000 network that’s barreling their way.

Network and Systems Management Software
Different kinds of software products are available to help manage the network. Network management software typically looks at SNMP traps and helps the operators evaluate problems on the network. Systems management software, such as Microsoft’s Systems Management Server, allows administrators to gather asset inventory, roll out software packages, remotely control client computers, and perform other management functions.
Exam Essentials

Identify and understand the current applications. Become familiar with enterprise applications that are being used by users. Also be aware of and familiar with workgroup apps that may live on servers.

Determine the network infrastructure, the protocols in use, and the types of hosts on the network. Know how the network is built, its cabling plant, the switches and hubs, the server farm, the WAN connections, what the TCP/IP infrastructure is like, and the protocols in use. Understand the various types of hosts that are using the network.

Understand the services that are in use on the network. Utilizing the above definitions of network services, know and understand what’s in place on your network.

Evaluate and understand the TCP/IP infrastructure. Completely understand how TCP/IP is integrated into your network.
Evaluate the hardware in place on the network. Know the components that make up your network including servers, hubs, switches, routers, and other hardware componentry.

Be aware of any upgrades or rollouts that are planned or currently underway. Know the difference between a rollout and an upgrade. Possess an awareness of any existing or planned rollouts or upgrades.

Evaluate and understand the technical support structure. Know where your technical support will come from, both for the administrative staff who has to manage the new Windows 2000 network and for the users who must utilize it.

Evaluate the existing network and systems management structures and any new plans for such structures. Know who the various managers of the network are. Know what network and systems management components are in place.
Key Terms and Concepts

2-tier client/server A system with a fat client (one which runs a lot of the application code) coupled with a server. A good example might be the Exchange Server system talking to an Outlook client.

3-tier client/server A system that consists of three different computers running three separate processes. The computers can be of different platforms: client computer, middle tier, or database tier.

client/server A computing and network architecture that relies on servers and clients. Servers handle applications, files, print sharing, and other large tasks. Clients use servers. In a client/server environment, the client may be a fat client, meaning that it offloads some of the work from the server, or a thin client, meaning that it does no work at all.

Layer 2 Tunneling Protocol (L2TP) An extension of the PPP protocol that enables the implementation of VPNs through either ISPs or private networks. The protocol is a combination of the best of Microsoft’s PPTP and Cisco’s L2F.
network management system (NMS) A system that allows you to monitor the network for errors and provides alerting if an error takes place.

n-Tier client/server A client/server environment that contains multiple server and/or client layers.

Point-to-Point Tunneling Protocol (PPTP) A protocol invented by Microsoft and several other partners in a collaborative membership known as the PPTP Forum. PPTP is designed to facilitate the setting up of a virtual private connection with a client coming over the Internet to a private network. The data is tunneled inside TCP/IP packets.

Remote Authentication Dial-In User Service (RADIUS) A server that functions both as an authentication and an accounting server. You pass your logon credentials to a RADIUS server, where they are validated and accounted for.

Remote Monitoring (RMON) Similar to SNMP, though much richer in the context of what it can do. Where SNMP could accept one Management Information Base (MIB) from a client such as a router, switch, or hub, RMON can receive ten separate specialized MIBs, thus creating far more granularity in the kind of monitoring that can go on.

rollout The deployment of a new project.

thin client A client that holds very little responsibility for the processing involved in a client/server application. Browsers make great thin clients.

thin-client client/server A client/server model that includes a thin client as its client of choice.

upgrade An updated version of an existing hardware or software component.

workgroup A grouping of computers that is not associated with a domain.
Sample Questions

1. What network component will you not need to consider for your Windows 2000 evaluations?
A. Servers
B. Mainframes
C. Telephony gear
D. Routers

Answer: B. You don’t have to worry about mainframes; they’re handled by somebody else entirely and won’t affect your rollout. The 3270 emulation software, the code that allows PC users to talk to the mainframe, is another story and may require a good hard look from you before a Windows 2000 rollout.

2. In your company of 5,500 employees, about two-thirds of the people use a client/server front-end application that talks to the company’s back-office databases. Select the kind(s) of applications this represents.
A. Client/server
B. Workgroup
C. Enterprise
D. Mainframe

Answer: A, C. An application that uses a client component and a back-office component (I’m speaking generically here when I use the term back-office—meaning that there is some server process running—not necessarily that Microsoft BackOffice is in place) is said to be a client/server. Since so many users are using it, it also qualifies as an enterprise application.

3. You’ve successfully upgraded your Domain Controllers (DCs) to Windows 2000 Server and enabled Active Directory. Now you’re ready to proceed with the upgrade of the rest of your servers. What will be the biggest issue that you face as you upgrade these servers?
A. Enterprise applications running on apps servers may not work on Windows 2000
B. The servers might need a hardware upgrade before proceeding
C. The servers might need to be put on a gigabit network before proceeding
D. The servers will need to be on the Windows 2000 Hardware Compatibility List (HCL)

Answer: A. Option D is especially important, as is Option B. But Option A is the most problematic issue you’ll face—one that could potentially blindside you if you’re not careful. Option C, while a nicety, doesn’t enter into the area of problems with servers, unless, of course, your infrastructure is slow. But hopefully you’ve already taken care of that problem.

4. Halfway through your Windows 2000 upgrade design, you find that the applications team is right in the middle of an Oracle release 8i to release 11 (R11) upgrade. How will this affect your upgrade plans?
A. It won’t affect it at all.
B. Stop everything!
C. Need to gather more information.
D. Who cares?

Answer: C. You’re pretty close to stop everything mode with this news. Oracle is a vast product that requires a lot of attention to detail. An upgrade of this nature (from 8i to R11) means that you’ll have to get involved as well and make sure that the software will reside OK on Windows 2000 servers. If R11 isn’t certifiable on Windows 2000, then those servers will have to remain NT 4 until such time as Oracle is ready. This is part of knowing your applications because a Windows 2000 installation could have a potentially disastrous impact on apps that used to run just fine. Check first!
5. You’ve been retained as a design consultant to work for a large retail outlet that’s currently using NetWare 3.11 as its NOS. You have been given the duty to upgrade the servers to Windows 2000. What will be your first objective?
A. Discover what protocols are running.
B. Discover what apps are running.
C. Determine the hardware capabilities of the current servers.
D. Procure adequate licensing.

Answer: A. TCP/IP is critical to Windows 2000 functionality. You cannot get along without it because name resolution in a Windows 2000 network revolves around DNS, which is a TCP/IP thing. Since the current network is NetWare 3.11, it’s highly likely that the only protocol you’re running is IPX. This discovery has a major impact on your design, especially relative to client software. You or somebody else will have to physically visit each workstation on the network, remove the NetWare client, and install both TCP/IP and the Microsoft Client for Networks before anyone can talk to the new network. This will require exquisite project planning and timing on your part.
Analyze the network requirements for client computer access.
Analyze end-user work needs.
Analyze end-user usage patterns.

Finally, you should know how the users are actually utilizing the network. This may be the most important step of all because it will yield information about how adequately the network is meeting the needs of the users and what steps need to be taken to improve it.
Critical Information
There are two facets to analyzing client computer access: first, understanding how users work and how their work needs are met by the network computing environment, and second, understanding the pattern that users follow as they access the network. Knowing when and how users access the network will go far in your understanding of the enterprise as a dynamic whole.
Analyzing End-User Work Needs
If you stand back and take a good hard look at why and how users access the network, I’m sure that you’ll find yourself putting users into different stereotypes that describe their behavior. Knowing user patterns helps you plan more airtight implementations of future network rollouts. Let’s take a look at a few of the types of users you may encounter.

Power Users
The power user is one who is potentially dangerous. This person knows enough about computers to be able to do things like erase critical files, hack the Registry of the local machine, change .INI files, and so forth. Though you’ll find power users in any department that accesses the network, I’d say that they are predominantly the engineers, software developers, and some financial types. This kind of person is potentially dangerous, but they can also be helpful. This might be the kind of person that offers to help a less knowledgeable user out of a jam when tech support for the network is busy and not quickly available.

3270 Emulation Software Users
These folks don’t use their PC for a whole lot, maybe the Web and e-mail. Typically, they’re either mainframe programmers running 3270 emulation software to access the mainframe in order to do their programming, or they’re order entry or billing folks that use the mainframe to check records and edit data that’s already in the system. There are also operations people who schedule jobs to run, review Job Control Language (JCL), a mainframe language that allows for the scheduling and running of jobs, and so forth, but they’re better categorized as mainframe programmers.

Macintosh, Unix, Linux, OS/2, or VAX Users
These kinds of users have extremely special needs that you’ll have to handle on an OS-by-OS basis. For example, a Linux user might want to mount a Samba NFS share for people on the Windows 2000 network to look at. Or, quite the opposite, the Unix host might need to extract files from a Windows 2000 host by using FTP. Linux users will also want to surf the Web, exchange e-mail, and create documents that are available for non-Linux users. Macintosh users have very specific computing needs, and my experience has been that they typically like to save their large graphics files out to a RAID array on the Windows NT or Windows 2000 network. That’s a perfectly fine use for them and one that you should sanction (because the files are privy to backup at that point). Windows 2000 has visited the whole Macintosh access issue and has, it’s hoped, made it easier (more crash-proof) for administrators to maintain. Mac users will also want to surf the Web and exchange e-mail and documents. Unix users access the Unix servers either via an emulation host on their PC or through a Unix workstation that sits next to their PC. The basic needs are the same, with the exception of Unix admins, who require the ability to modify server files. Though you might not have many dealings with OS/2 users, they’re definitely out there, and the OS is still quite common. Typically, OS/2 requires its own special software for anything that you might want it to do on the Windows 2000 network. OS/2 users are often power users who choose that OS for very special reasons. VAX systems are still in use throughout the world, especially in the manufacturing sector. I find VAX systems to be very complicated and (for me) annoying. Nonetheless, VAX administrators have to be able to find ways to share files and data on the regular network. Those methods are probably already in place, and the VAX admin will typically be aware of them.
Managerial/Professional/Executive Users
These users are usually accustomed to having things move quickly, and they expect you to take every bit of time you need in order to get their computing needs solved, even though the entire network may be burning down around you! It seems as though the higher you go up the food chain, the more demanding they seem to get. That’s not exactly fair, because they’re usually quite nice about the way that they go about getting you to fix the problem, but they’re firm in that managerial kind of way. I, for one, always feel a little tense when I have to work on an executive’s computer.

Cowboys
How does a cowboy user differ from a power user? Both are power users, but I’d say it has to do with the tendency that cowboys have of installing rogue software on their PCs and then calling the help desk for support when things auger.

Ordinary Joe and Jenny Users
These are the ordinary people who just want to log on and get a day’s work done. The standard user e-mails, probably surfs the Web, uses Microsoft Office, and possibly runs some specialized apps that pertain to his area of the company.
Analyzing End-User Usage Patterns
Watching users is one way to analyze user behaviors. Try to spend some time just watching a variety of user types. Watch for the apps they load up in the morning, how long their login takes, and the quality of their login experience. See if you can glean any information about how ordinary users go about their computing lives. It’ll be very informative and time well spent. You can also run performance monitoring on the main servers (such as Exchange and the file and print servers) to get information about the load at specific times. If you run Performance Monitor (System Monitor in Windows 2000) scans periodically over the course of a day, you’ll have good benchmarks as to how the network performs.
Most shops are fairly e-mail-centric now, so it’s a good bet that the server is in heavy use throughout the business day. You can get a good feel for e-mail traffic by watching the Exchange Performance Monitor (System Monitor in Windows 2000) threads and by checking out the Internet Mail Service (IMS) queues. Network managers might be able to sniff the network and give you some idea of usage patterns, though the information will mostly be about broadcasts and the amount of traffic going across the wire. Some metrics software such as NetIQ or ManageX might be helpful to you, too, in your quest for user-behavior information.
Exam Essentials

Know and understand your end-user habits, work needs, and usage patterns. Possess a keen understanding of how, when, and why the network is accessed. Be able to clearly elucidate network usage patterns.
Key Terms and Concepts

cowboy An individual who either feels christened as a super user or is actually a true super user. Cowboys are people who tend to want to play with their computers and can make more trouble for administrators than ordinary users—simply because they can play.

power user A computer operator who has a firm grasp of computing technology and can easily and quickly assimilate the tasks that need to be done in order to effect a computing endeavor. Frequently, power users are given more control over a computer than they might need, sometimes resulting in problems.

VAX A Digital Equipment Corporation (DEC) minicomputer, still in use and still for sale, though now called servers instead of minicomputers.
Sample Questions

1. Which of the following qualify as user work needs? Choose all that are correct.
A. Connectivity to e-mail systems
B. 21-inch monitor
C. Connection to the network
D. Local printing
E. 800MHz processor

Answer: A, C, D. Differentiating between need to have and nice to have is a tough decision that administrators make about end-user support on a daily basis. Where needed, A, C, and D are all valid choices. Option E probably falls within the “nice to have” category; most users could get along nicely with less.

2. You work in a plant that is open 24/7/365. What will be the most fundamental assessment you’ll have to make about your end users?
A. Usage patterns
B. Work needs
C. Network connectivity
D. Growth plans

Answer: A. User usage patterns will be a very important consideration to you with a network like this. Especially important will be considerations such as using the Windows Installer to download packages to end users. If the network is always in use, which shift should be the one that gets the packages?

3. You have several Macintoshes on your network. While the network is running NT 4, these users are fine. Once you convert to Windows 2000, how will these users be affected?
A. They won’t be affected at all.
B. You’ll have to install the Microsoft Macintosh Client for Windows 2000 (MCW2K).
C. Each Mac client will have to have TCP/IP installed on it.
D. Mac clients will have to run third-party emulation software.

Answer: A. If you upgrade a server that has the NT 4 Services for Macintosh (SFM) running on it, the Windows 2000 Server upgrade will take this into account and retain the AppleTalk and SFM services. If you have an NT 4 server that’s currently hosting SFM and you don’t intend to upgrade it until later, the Macs are still OK. It would be best to get the Macs on TCP/IP and get rid of AppleTalk, but you can accomplish that step later.

4. You work for a company that has a mainframe computer. It used to be that users who needed to access the mainframe had an IBM terminal on their desktops. Today, they can access the mainframe from their PC. How is this able to happen?
A. TCP/IP
B. SNA
C. FTP
D. 3270 emulation software

Answer: D. Emulation software written by corporations such as Attachmate allows PC users to access mainframe sessions from their PC. In a Windows 2000 upgrade design, it would be important for you to evaluate the software users are using to get to the mainframe prior to upgrading them to Windows 2000 Professional. Make sure the 3270 emulation software will work with Windows 2000!

5. You want to purchase some software that will give you information about services that go down, outages on computers, reboots that have occurred on servers, and other uptime information. What kind of information are you looking for?
A. Uptime
B. Metrics
C. Response times
D. Usage patterns

Answer: B. Monitoring a network for changes that happen to the servers, then preparing a report that details these changes in an evaluative sort of format is called metrics, or more appropriately, metrics reporting. Windows NT and 2000 can help with some of the metrics information that you need. For example, Uptime.exe is available from the Resource Kit. But your larger concern might be to monitor when a service fails because even though it isn’t construed as an outage, a service failure really does cause users to go without a function.
Analyze the existing disaster recovery strategy for client computers, servers, and the network.
Disaster recovery (DR) is a computing science unto itself. Large enterprises spend millions of dollars each year to maintain DR implementations that can save the company in the event of a catastrophe, such as the company’s headquarters office building burning to the ground. It is highly important that every network, no matter how small, have a DR plan in place, tested, and ready to go.
Critical Information
Where fault tolerance means building in protection against emergencies, disaster recovery (DR) is making and testing a plan for the complete restoration of critical systems in the event of a catastrophe, after the fact. It is not good enough to have a DR plan; it’s vital that you also periodically go through a DR test, so that your plan makes sense and includes recent changes.
Establishing Disaster Recovery for Servers and the Network
You can employ some interesting DR techniques. Real-time data mirroring allows for data to be copied from one server to another, preferably one that’s offsite, in order to protect that data. There are variations on this theme, but it’s a good (and expensive) DR strategy. Tape backup operators, the administrators who maintain the backup system(s), are charged with making sure that the backups are reliable and that they occur on a regular basis. These systems require a plan for backing up the servers and critical workstations on your network; this plan must be revisited frequently as your network changes almost constantly. Many tape backup systems require that you install a software agent on each computer. Redundant routes on network routers and a redundant, yet geographically separate, Web presence should be investigated as a bigger part of the network DR picture.
Establishing Disaster Recovery for Client Computers
Hopefully, you’ve examined your user behaviors, and you know who your power users are—the critical ones who save lots of important files to the local disk. You have to target these individuals first, making sure that you have some fault-tolerance methodologies in place for them. Step two is to communicate strongly. Make sure that all end users understand that company-critical data needs to be saved to file servers, not to the local, unprotected drive.
Exam Essentials

Possess a very clear understanding of how your company has implemented a DR strategy for all of the networking components: servers and network and client computers. If a company’s administrators do not understand the completeness that an enterprise entails, they’ll get the whole DR thing wrong. It’s important that you be able to clearly explain how each component is being protected in the case of a catastrophe.
Key Terms and Concepts

disaster recovery (DR) The process of restoring a network to the condition it was in prior to some sort of disaster, whether natural or caused by humans.
Sample Questions

1. What is the single most important disaster recovery methodology that you can implement?
A. Redundancy
B. Tape backup system
C. UPS
D. RAID

Answer: B. Option A is also awfully good, but it’s critical that you have a backup system in place, back up your network data regularly, and check to make sure that the backups are correctly working. This is by far the most elemental and supreme fault-tolerant procedure that you can implement. Then, after you’re done with that, the others are great ideas as well!

2. Rotating backup tapes offsite is often a very good fault tolerance and DR approach. Why is this?
A. Tapes that are offsite can’t be stolen as easily.
B. Tapes that are offsite can be used to restore computers in the event of a disaster.
C. Tapes that are offsite aren’t as likely to suffer from potential erasure.
D. You won’t be as prone to try to reuse a good tape if it’s offsite.

Answer: B. A set of backup tapes that are stored offsite is an excellent fault tolerance and disaster recovery measure. You’re assured that some sort of data is available for recovery in the event of a catastrophe. Of course, this all depends on the data that is on the tapes being good.

3. Suppose that you’re considering a disaster recovery (DR) strategy for your network. What would be one DR item that you might be likely to overlook?
A. RAID arrays for servers
B. SQL agents for backup software
C. Periodic testing of restoration processes
D. Server room power conditioning

Answer: C. You need to periodically test your backup software’s restoration capabilities. Just because you can prove that you’ve got the data on backup tape doesn’t mean you can guarantee you can restore it!

4. You’re considering a Disaster Recovery (DR) model where you keep your backup tapes for the last seven days in a highly accessible but very quickly available place. Your goal is to provide a restoration capability that, in the event of a disastrous turn of events, could bring the network back to the previous days’ business. What would be the safest of the alternatives to pick from?
A. Take the tapes home
B. Keep the tapes in your car
C. Buy a fireproof safe
D. Retain a service to keep them offsite

Answer: D. You might think the safe’s a pretty good idea and indeed you can buy "data safes." But, these safes are only rated for 125 degrees, and they’re only good for a maximum of two hours! In a hot fire that spreads throughout your building, it’s very possible that your backup tapes, even in a data safe, would melt down. Your safest option is to retain a service that keeps the tapes offsite in a safe area. You might consider the safe option as a second fallback alternative. Answers A and B are not acceptable.

5. Suppose that you have two sites that act as twins to one another. You’d like to come up with a method where you keep your sister site’s Disaster Recovery (DR) data and they keep yours. Of the choices below, what would be the best option you could pick?
A. Real-time data mirroring
B. Exchanging backup tapes
C. Setting up Active Directory between the two sites
D. Windows 2000 Intellimirror

Answer: A. The best answer would be some sort of real-time data mirroring functionality where your sister site copied data to servers at your site and vice versa on a real-time basis. You could potentially utilize Windows 2000 Network Load Balancing (NLB) for such a function. The biggest thing you’ll have to worry about with real-time data mirroring will be to make sure that the network connection between your mirroring servers is very robust. The exchanging of backup tapes is an OK idea, but time intensive. Active Directory between the sites provides redundancy, but not the capability of restoring enterprise apps. Intellimirror is intended for workstation apps, not big enterprise applications.
Chapter 3
Designing a Windows 2000 Network Infrastructure

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Modify and design a network topology. (pages 101 – 106)
Design a TCP/IP networking strategy. (pages 107 – 122)
Analyze IP subnet requirements.
Design a TCP/IP addressing and implementation plan.
Measure and optimize a TCP/IP infrastructure design.
Integrate software routing into existing networks.
Integrate TCP/IP with existing WAN requirements.
Design a DHCP strategy. (pages 122 – 133)
Integrate DHCP into a routed environment.
Integrate DHCP with Windows 2000.
Design a DHCP service for remote locations.
Measure and optimize a DHCP infrastructure design.
Design name resolution services. (pages 133 – 149)
Create an integrated DNS design.
Create a secure DNS design.
Create a highly available DNS design.
Measure and optimize a DNS infrastructure design.
Design a DNS deployment strategy.
Create a WINS design.
Create a secure WINS design.
Measure and optimize a WINS infrastructure design.
Design a WINS deployment strategy.
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA. (pages 149 – 160)
Design a Distributed file system (Dfs) strategy. (pages 161 – 170)
Design the placement of a Dfs root.
Design a Dfs root replica strategy.
With this chapter, we now go totally techno and start getting into the nuts and bolts of a good Windows 2000 infrastructure design. Especially important will be the concepts behind DNS. We assume in this book that you’ve already been through the basic Windows 2000 courses, which should leave you with a fairly comprehensive understanding of DNS (assuming you didn’t have one before you started working with Windows 2000). DNS will probably be the biggest trip-up for most administrators simply because, up till now, DNS has been in the Unix camp and very rarely a part of NT. Now DNS is a big player and something you need to get a handle on.
Modify and design a network topology.
What is a topology? Think of it as the way the network is wired up and the Institute of Electrical and Electronics Engineers (IEEE) standard that it uses. The IEEE is the group responsible for setting network topology standards. A more succinct way of putting it would be that a topology is the set of rules that are made for physically connecting and then going about the business of computing on a given medium. The topology determines how the computers are going to connect to each other (a physical component) and the rules that are going to be used when they talk to each other (a logical component).
Critical Information
As an administrator you are probably familiar with the basic topologies you might find on a network. Nonetheless, let’s briefly review them. We’ll first talk about the physical components of a topology then discuss its logical components.
Physical Components of a Topology
There are three basic physical topologies that are important to us: the bus, star, and ring topologies. The old 10Base-2 network scheme used a bus topology, starting with a string of coaxial cable. In star topologies, each PC or server on the network connected to a central device such as a hub or a switch (preferably a switch). And ring topologies enjoyed a real heyday in the late ’80s and early ’90s, then Ethernet star topologies sort of took over. But, just when it appeared that the battle had totally been won, Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM) surfaced and recaptured the ring concept, this time on a wide area network basis. A ring merely consists of devices arranged in a ring with the cable passing in one side of each device’s network card and out the other. The network has a token (or sometimes two), hence the original name Token Ring network. Fault-tolerant implementations of ring topologies have two tokens counter-rotating on two different rings. If one ring breaks, the other ring is used as a fallback. This is quite common in Synchronous Optical Network (SONET) implementations where extremely reliable WAN connectivity is desired.

All of the various topologies have problems. For example, a ring topology is very fault-tolerant, as long as it’s used on moderately loaded networks, but as soon as the network approaches being heavily loaded, it slows way down. On the other hand, Ethernet networks function well when more heavily loaded, but have a lot of overhead associated with the acknowledging (ACK) and negative-acknowledging (NACK) that goes on when a packet is received or, worse, when it isn’t received. Interestingly, some network designers feel that a Token Ring topology presents an opportunity to find out how the network is going to behave under loaded conditions. Why? Because Token Ring networks are scalable, meaning that you can define how many hosts are allowed on, how long any one system owns the token, and thus you can determine the maximum amount of hosts based upon the maximum latency you’ll allow.
Chapter 3
Designing a Windows 2000 Network Infrastructure
103
Logical Components of a Topology

The Institute of Electrical and Electronics Engineers (IEEE) defines standards specifications for new networking technologies. IEEE 802.5 defines the Token Ring topology; IEEE 802.3, 802.3u, 802.3x, and 802.3z define Ethernet topologies, 10Base-T, 100Base-T, full-duplex Ethernet, and 1000Base-T, respectively. Note that logical topologies define more than just the speed of the network. They define aspects like the type of switching that takes place (circuit, message, or packet), the media that they can run on, and the types of connections that can be made.
The Cable Plant—Backbone and User Connections

Let’s say that the building housing your network is fairly large. Maybe you have two or three different closets where you have network gear, hubs, or switches. Typically these closets have a wiring rack with a patch panel and the network gear. The wires come in from one or more closets and attach to the patch panel. The wire running from closet to closet is called the backbone. Then you run jumper cables from the patch panel to the hubs or switches. In a scenario like this, there is typically a place where all of the cable runs terminate into a central switch, often called a core switch. This switch usually has enough ports in it for the runs from the various closets to plug into, as well as the servers. Most generally, servers home run directly to the core switch for optimum throughput. The wiring that runs between closets could be fiber optic wire, in which case you very likely have a 100Base-T or 1000Base-T (gigabit Ethernet) backbone. These speeds are 100 megabits per second (Mb/sec) and 1000 megabits per second, respectively (not megabytes per second, which would be MBps).

Ethernet is based on a method called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). In other words, when a host is ready to send data out onto the wire, it listens for a carrier—i.e., is there current on the wire? If a carrier is found, packets are allowed out. But because many computers are on the network, multiple packets are allowed out onto the wire at the same time. It’s possible that packets can collide because there’s nothing preventing them from doing so. Thus, there has to be a collision-detection mechanism. The last element provides that if there is a collision (and there will be), the packet is requested to be resent. Because multiple packets can be running around, there are liable to be lots of collisions. As you might imagine, 100Base-T and 1000Base-T consist of fast collision domains.
Exam Essentials

Be able to design and modify a network topology. Understand what network topologies are all about, and be able to design them from the ground up or modify existing topologies.
Key Terms and Concepts

core switch  A network switch that acts as the nexus for a topology. Typically, these switches have enough ports for home runs from closets back to the core and for servers that connect to them.

topology  The physical layout and design of the network.
Sample Questions

1. Your WAN uses SONET. What kind of topology does it use?
A. Bus
B. Star
C. Modified-star
D. Ring

Answer: D. Synchronous Optical Network (SONET) is a form of ring topology.

2. You’re retained as the network designer for a small 500-node network. All nodes reside in one building, but there are 10Base-T hubs in each closet that home run over Cat5 to a central patch panel in the server room. What might be your first two recommendations for this network?
A. Replace the hubs with 10Base-T switches.
B. Replace the hubs with 100Base-T switches.
C. Change the home run cables to fiber optic.
D. Add a core switch in the server room.

Answer: B, D. At a very minimum, it’s advisable to get rid of the hubs and get users onto switches. You’d probably have a hard time finding a new 10Base-T switch these days, so you’ll probably need to go with 100Base-T. Gigabit wouldn’t be a bad option either, but it needs Cat6 to effectively support the bandwidth. Next, add a core switch in the server room, and plug those servers directly into the switch. Just multiplexing (muxing) the data using switching technology makes an incredible difference in throughput.

3. If the backbone of your network is equipped with gigabit switches, which devices will operate at gigabit speeds?
A. Gigabit ports on switches
B. 100Base-T ports on switches
C. Servers
D. Workstations

Answer: A. Neither the servers nor the workstations will operate at gigabit speeds unless they’re equipped with gigabit Ethernet cards, their speed is set for gigabit, and they’re plugged into a gigabit port on the switch. Anything plugged into a 100Base-T port will run at 100Base-T. Of course, once the data leaves the switch and hits the backbone, it is running at or near gig speeds.

4. You’ve got a small network of about 250 users on two floors that you’re going to convert to Windows 2000. In examining the closet connection areas, the Intermediate Distribution Facility (IDF), and the main server area, the Main Distribution Facility (MDF), you notice that all of the connection gear is comprised of hubs, not switches. What benefits could you reap by spending the extra money and upgrading the hubs to switches prior to implementing your Windows 2000 rollout?
A. It will cut down on the number of collision domains.
B. It will cut down on the number of broadcast domains.
C. CPUs in switches provide faster throughput of data.
D. Uplink port provides a faster backbone.

Answer: A, C, D. Collision domains are isolated at the switch level, broadcast domains at the router level. The CPUs in switches set up what is called a "switch fabric" that provides much faster throughput than you’d get with hubs. Instead of sharing the bandwidth, the CPUs are providing equal (or near equal) bandwidth to all users. A fast uplink port creates a fast backbone.

5. What might be an alternative to Ethernet that is higher speed and has no collision domains?
A. Asynchronous Transfer Mode (ATM)
B. Synchronous Optical Network (SONET)
C. Fast Token Ring
D. VGAnyLan

Answer: A. ATM, while not necessarily the most practical choice because of its cost and complexity, is a high-speed non-collision-domain alternative to Ethernet. You can gain much higher speeds with ATM than with Ethernet.
Design a TCP/IP networking strategy.
Analyze IP subnet requirements. Design a TCP/IP addressing and implementation plan. Measure and optimize a TCP/IP infrastructure design. Integrate software routing into existing networks. Integrate TCP/IP with existing WAN requirements.
If you’re not already working with TCP/IP, then you’ve got to get up to speed fast. While Windows 2000 supports other LAN protocols, it was designed with TCP/IP in mind. This section deals with the art of coming up with a high-quality TCP/IP design.
Critical Information

We’ll begin by discussing IP subnets then work our way into an addressing and implementation plan. We’ll talk about how to measure and optimize a TCP/IP infrastructure and how to integrate TCP/IP into existing WANs. We’ll wind up with a discussion on integrating software routing into the network.
Analyzing IP Subnet Requirements

What exactly is a subnet anyway? It seems that you can have awfully large subnets, even though the subnet masks that you sometimes work with only allow a few hosts.

Subnetting Principles
To use TCP/IP, you must understand its various classes. Class A ranges from 1.x.y.z to 126.x.y.z (127 is reserved for loopback diagnostic testing and will never be given out). There are also four private reserved ranges—10.x.y.z, 172.16.0.0-172.31.0.0, 169.254.0.0, and 192.168.0.0-192.168.255.0—that will never be allowed on the Internet and that you can thus use in your private network. Note that there are two reserved private ranges in Class B. You can dole these out as private IP numbers any way you like, as long as they never see the light of the Internet day.
The standard Class A subnet mask is 255.0.0.0. Obtaining a Class A network number from an ISP or Internet authority would provide your company with more than 16 million TCP/IP numbers using this subnet mask! Class B ranges from 128.x.y.z to 191.x.y.z. You can use 172.16.0.0–172.31.0.0 as your private Class B range, because it too will never be allowed out on the Internet. A single Class B network number provides you with 65,534 IP addresses. If you choose to use the entire private range (172.16 through 172.31, along with a standard Class B subnet mask), you’ll have more than 1 million numbers, each of which will be using subnet mask 255.255.0.0.
TIP Remember the special Class B network number, 169.254.0.0, used for Automatic Private IP Addressing (APIPA). Test questions will undoubtedly try to sneak this network number in on you.
Class C ranges from 192.x.y.z to 223.x.y.z. Each Class C network number can fit you with 254 host addresses that you can use for printers, servers, users, and what have you. If you choose to use the entire private suite of Class C numbers (along with a Class C subnet mask), you’ll have 65,534 numbers at your disposal, using subnet mask 255.255.255.0. Table 3.1 lays out the various network numbers in each class.

TABLE 3.1: Available Network Numbers by TCP/IP Class

| Class | Public | Private | Standard Subnet Mask |
|-------|--------|---------|----------------------|
| A | 1.x.y.z–126.x.y.z | 10.x.y.z | 255.0.0.0 |
| B | 128.x.y.z–191.x.y.z | 172.16.0.0–172.31.0.0, 169.254.0.0 | 255.255.0.0 |
| C | 192.x.y.z–223.x.y.z | 192.168.0.0–192.168.255.0 | 255.255.255.0 |
Do you work for a company of, say, 5,000 users? If you were to somehow obtain a regular Class B network number (from either your ISP or an Internet authority), you could use 65,000+ numbers. Maybe you don’t need all of those numbers—they’ll go to waste. On the other hand, at 254 numbers per Class C address, you’d need about 20 of those standard Class C network numbers to give you enough IP addresses to work with for all your users, printers, routers, switches, and other gear.
Designing a TCP/IP Addressing and Implementation Plan

All you really need to put your company on the Internet is to obtain four solitary Class C addresses from your ISP. Your ISP’s router will use these addresses as pointers to you for any requests that are destined for your company. You, in turn, will have a router that has one of the external IP addresses you’ve been given. The router will point to a firewall, which has the second address, and the firewall will point to a proxy server with the third address. The firewall will keep out unwanted hacker traffic, and the proxy server can filter both incoming and outgoing traffic. What about your inside users? Just pick one of the private TCP/IP network number ranges (probably the Class B range, in this company’s case) and begin to use them instead of public IP addresses. The proxy server and firewall will handle the security and network address translation of the users, so you have that covered—then it really gets interesting in terms of subnetting.

Let’s say, just for simplicity’s sake, that you have only one geographic location and no WAN connections to other sites that you have to worry about. You have this huge private network number, 172.16.0.0–172.31.0.0, which gets you 1,048,576 IP addresses that you can use any way you like. There are several ways that you could disperse these numbers in order to logically segment the users. For example, suppose that your Accounting department would get one block of numbers, your sales people another, and so on, as in Table 3.2.
TABLE 3.2: Sample IP Segments

| Group | Network Number |
|-------|----------------|
| Servers & Printers | 172.16.1.z |
| Marketing | 172.17.1.z |
| Sales | 172.17.2.z–172.17.4.z |
| IT | 172.17.5.z–172.17.6.z |
| Accounting | 172.18.1.z–172.18.2.z |
| Assembly/Manufacturing | 172.19.1.z–172.19.4.z |
We’re assuming here that the subnet mask is 255.255.0.0 for all users, making it a nice, flat TCP/IP implementation. In this demonstration, you’ve allocated 254 IP addresses for servers and printers, another 254 for your marketing folks, about 700 for the sales people, about 500 for the IT people, and so on. It doesn’t take much to extrapolate how you’d fit the rest of your company into this design. You’ve done some very basic rudimentary subnetting. If you were to add a second network on the other side of a WAN connection, you’d have to add a second router (all WAN connections require two routers, one on each side), but you’d probably divvy up the network numbers in much the same way as in Table 3.2. Figure 3.1 shows what this network might look like; here you can see that users in Network B have to pass through two routers to Network A, then through the proxy server and the firewall if they need to get out onto the Internet. That sounds like a lot of traveling, but if the WAN connections are OK, it’s really no big deal. Thousands of networks are set up exactly like this.
FIGURE 3.1: A dual network separated by routers

[Figure: Network A, with its router, firewall, and proxy server, connects to the Internet; Network B reaches Network A through a router on each side of the WAN link.]
The problem with both of these setups is that they’re too flat. Everybody’s on one big flat network. There’s a lot of broadcasting going on, and though most internetworking specialists don’t allow routers to forward broadcasts, there’s still a lot going on within both networks. You probably do need to attend to this situation, trying to cut down the number of broadcasts. You can do this by using subnet masks to logically segment your network in a more granular fashion. Suppose that you’re going to use the same Class B private network numbers, but you’re going to apply some unique subnet masks. You settle on 172.20.y.z as the network number of choice. If you choose not to apply the 255.255.0.0 subnet mask and instead opt to apply 255.255.240.0, you’ll get a range of 16 network numbers from your starting point number. Here are the allowed network numbers you could use with this particular subnet mask:
172.20.0.z–172.20.15.z
172.20.16.1–172.20.31.254
172.20.32.1–172.20.47.254
172.20.48.1–172.20.63.254
172.20.64.1–172.20.79.254
and so on, to the last range, 172.20.224.1–172.20.239.254
You could put Network A in the first network range and Network B in the second. You’ve logically segmented your users into categorical groups—subnets. When broadcasting goes on within a subnet, it doesn’t leave that subnet. Because routers don’t forward broadcasts, you’re effectively keeping the network traffic within a specific group isolated from another group. You could apply even more granularity than this—putting servers and printers in the 172.20.0.z–172.20.15.z subnet, marketing in the 172.20.16.z–172.20.31.z subnet, and so on, effectively isolating individual groups from one another’s broadcast traffic. This is true, provided, of course, that you’re using the 255.255.240.0 subnet mask.

You have a problem with all this special subnetting, though. DHCP is broadcast-based. If you have a DHCP server on the 172.20.16.z subnet and a marketing person trying to get a DHCP lease from the 172.20.32.z subnet, it won’t happen! The 255.255.240.0 subnet mask keeps the marketing folks from broadcasting to the servers. You could handle this problem with a DHCP relay agent computer on each subnet that needed to participate in DHCP. Alternatively, you could simply set up a private Class A network, using a separate number for each physical network and a 255.255.0.0 mask. This would also effectively isolate each network from the other. Moreover, it’s easier to set up and much neater to implement.

Remote subnets are somewhat different to design than regular LAN/WAN-based networks. There are three categories of remote subnets to worry about.

Point-to-Point and Multi-Point Connections  Standard 56K and fractional T1 or full T1 frame relay connections each require their own dedicated subnet. Each router connecting the points must, of course, have its own static IP address. These circuits cannot be seen on public networks.

X.25 Networks  X.25 networks, which use packet-switching and multiple points, only require one subnet.

Virtual Private Network (VPN) Connections  VPN connections are not entirely “private,” although one side of the connection is, of course, definitely private. The other side is very public, as it is typically connected to an ISP.
Measuring and Optimizing a TCP/IP Infrastructure Design

In the early days of TCP/IP, a router wouldn’t support an unusual subnet mask like 255.255.240.0. You had to go with standard flat masks. But then came along the advent of Classless Internet Domain Routing (CIDR) and Variable Length Subnet Masks (VLSM) standards for routers. These standards provided ways that you could depart from a 255.0.0.0, 255.255.0.0, or 255.255.255.0 mask and use subnetting principles to break networks into logical segments. Single subnet mask networks, ones that use the masks just listed, are called class-based networks. In a class-based network, you can only run one subnet mask on the network, as in the example earlier in the previous section. But suppose you wanted to use the 255.255.240.0 subnet mask on one network and 255.255.192.0 on the other? Older router protocols would not support multiple subnets. The Routing Information Protocol (RIP) version 1 is an example of an older routing protocol that couldn’t support multiple subnet masks and hence wouldn’t be useful in today’s complex IP environment. Routers that support CIDR or VLSM—those running RIP version 2, Border Gateway Protocol (BGP), or Open Shortest Path First (OSPF)—allow you to run multiple subnet masks on a network.

Look at the “subnet mask ruler,” as shown in Figure 3.2. Each network address has a network portion and a host portion. Class A networks use the first 8 bits, called the first octet, for the network address and then the last three octets for the host address. Class B uses the first two octets for network and the last two for host, and Class C uses the first three octets for the network address and the last octet for the hosts. We have a sliding scale here because if we’re using a Class A network address, we can get many hosts but not very many different network addresses. On the other hand, if we’re using Class C, we can get many networks, but not very many hosts per network.
Using a subnet mask, you “borrow” bits from the host portion of the address. By sliding one bit to the right or left (which makes a profound difference in the decimal subnet mask), you wind up either adding or subtracting hosts and doing the opposite subtraction or addition with the amount of networks you can use.
TIP The CIDR standards help us out with subnet mask nomenclature because they allow us to use “slash” terminology instead of writing out full subnet masks. Since a Class A network with a flat 255.0.0.0 subnet mask has as its network portion up to the 8th bit, we can say that it’s /8 masked. The /8 implies the same thing as a 255.0.0.0 mask. For a Class B mask using 255.255.0.0, we’d just say /16 instead. And for a Class C we’d say /24 for a 255.255.255.0 mask. See http://public.pacbell.net/dedicated/cidr.html for a wonderful overview of CIDR.
FIGURE 3.2: The subnet mask ruler

[Figure: the mask 255.0.0.0 drawn as a ruler; sliding the boundary to the left gives more hosts, sliding it to the right gives more subnets.]
You can see that there is some sort of TCP/IP axiom at work in this illustration. If your network were to use the 10.x.y.z reserved network number (the one that’s not allowed out to the Internet), you’d have a wide variety of choices for subnet masks. The further to the left of the ruler you go, the more hosts you add; the further to the right, the more subnets you create. There are seven unique subnet masks, not including the 255 mask, and you should memorize them. They are: 128, 192, 224, 240, 248, 252, and 254.

Here’s a quick non-binary, ordinary math calculation you can use to figure out how many hosts and how many networks you’re going to get out of a unique subnet mask. We’ll start with a Class C example and then tell you how to make the formulas fit Class B and A. Suppose that you want to break your Class C reserved 192.168 network up into 8 subnets of 30 hosts apiece. How could you quickly calculate this? The math is very simple. Subtract the subnet mask you’d like to try from 256. Let’s pick 224 just for grins. The math works out this way: 256 – 224 = 32. The 32 is the number of addresses that you get with this particular subnet mask for Class C. But you always have to remember to subtract 2 from this number, one for the network and one for broadcast. So you do the math: 32 – 2 = 30. This is the number of hosts you can expect out of this unique Class C mask. But how many subnets can you create using this mask? Simply divide 256 by 32 like so: 256 ÷ 32 = 8, and you’ll wind up with the number of subnets you can generate by using this mask. So, if we wanted to logically break up the 192.168.1 network into departmental units, for example, we’d have the following networks using the 224 mask:
Servers, printers, peripherals, etc.: 192.168.1.0-31
Marketing: 192.168.1.32-63
Sales: 192.168.1.64-95
IT: 192.168.1.96-127
Finance: 192.168.1.128-159
Legal: 192.168.1.160-191
Executive: 192.168.1.192-223
Reserved: 192.168.1.224-255
Remember that for each network you’d lop off two from the host range because you have to reserve a number for the network and a number for broadcast. These numbers would be the first and the last numbers in the range. Got a Class B address instead? When you calculate how many hosts you have per subnet, simply multiply the resulting number by 256. For example, suppose you want to use a Class B address with a 224 mask. Do your math: 256 – 224 = 32, 32 – 2 = 30, 30 × 256 = 7680. This is how many hosts you can expect per subnet using a Class B 224 mask. Notice that we subtracted 2 from every subnet involved. For Class A, you use the same math, but multiply by 512 instead of 256.

Measuring how well you’ve implemented your TCP/IP rollout has mostly to do with routers. Internetworking people are going to be able to tell you if there are too many broadcasts hitting a router or if there are an inordinate amount of errors. This implies that the TCP/IP design needs to be looked at again. The PING command, while very useful on the Internet, isn’t quite as useful on networks. However, a PING time of more than 100 milliseconds (ms) or so implies that there are problems on the network. As a general rule of thumb, well-designed networks usually don’t experience PING times greater than 10 ms. Network Monitor is a useful tool for measuring network performance. Good subnetting techniques using high-quality switch gear (and potentially VLANs) can eliminate lots of TCP/IP issues.
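The subnet arithmetic above, worked through in Python as an added example (this is not code from the book): the 256-minus-mask shortcut for a Class C network, a general version that handles any class and mask (it also enumerates the 172.20.0.0 blocks that the 255.255.240.0 mask yields), the departmental split of 192.168.1 with the 224 mask, and a check that a chosen address sits inside one of the private ranges from Table 3.1. The function names and the department list are my own; the private ranges are those the page lists.

```python
import ipaddress
from typing import Dict, List, Tuple

# Private/reserved ranges from Table 3.1: the three RFC 1918 blocks plus APIPA.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0-172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0-192.168.255.255
    ipaddress.ip_network("169.254.0.0/16"),   # APIPA, never on the Internet
]

# Groups used for the page's 192.168.1 / 224-mask plan, in block order
# (constructed list; the eighth block stays reserved).
DEPARTMENTS = ["Servers/printers", "Marketing", "Sales", "IT",
               "Finance", "Legal", "Executive", "Reserved"]


def address_class(addr: str) -> str:
    """Classful letter (A, B, C) from the first octet, as laid out in Table 3.1."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"   # 0.x.y.z and the Class D/E space are not usable host ranges


def is_private(addr: str) -> bool:
    """True if addr falls in a range that must never be routed on the Internet."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def quick_class_c_math(mask_last_octet: int) -> Tuple[int, int]:
    """The page's non-binary shortcut for a Class C network:
    block = 256 - mask, usable hosts = block - 2, subnets = 256 / block."""
    block = 256 - mask_last_octet
    if block <= 0 or 256 % block:
        raise ValueError("last octet must be one of 128,192,224,240,248,252,254")
    return block - 2, 256 // block


def subnet_plan(parent: str, new_mask: str) -> Tuple[int, List[ipaddress.IPv4Network]]:
    """General version for any class: split parent (e.g. '172.20.0.0/16') with a
    dotted mask (e.g. '255.255.240.0'). Returns (usable hosts per subnet, subnets)."""
    parent_net = ipaddress.ip_network(parent)
    prefix = ipaddress.ip_network(f"0.0.0.0/{new_mask}").prefixlen
    if prefix <= parent_net.prefixlen:
        raise ValueError("the new mask must borrow at least one host bit")
    subnets = list(parent_net.subnets(new_prefix=prefix))
    usable = subnets[0].num_addresses - 2    # drop network and broadcast numbers
    return usable, subnets


def assign_departments(parent: str, new_mask: str,
                       names: List[str]) -> Dict[str, Tuple[str, str, str, str]]:
    """Map each group to (network number, first usable host, last usable host,
    broadcast), i.e. the 'lop off two' rule applied to every block."""
    _, subnets = subnet_plan(parent, new_mask)
    if len(names) > len(subnets):
        raise ValueError(f"only {len(subnets)} subnets for {len(names)} groups")
    plan = {}
    for name, net in zip(names, subnets):
        hosts = list(net.hosts())            # excludes network and broadcast
        plan[name] = (str(net.network_address), str(hosts[0]),
                      str(hosts[-1]), str(net.broadcast_address))
    return plan


if __name__ == "__main__":
    for name, (net, first, last, bcast) in assign_departments(
            "192.168.1.0/24", "255.255.255.224", DEPARTMENTS).items():
        print(f"{name:17} {net:<14} hosts {first}-{last}  broadcast {bcast}")
    usable, subs = subnet_plan("172.20.0.0/16", "255.255.240.0")
    print(f"172.20.0.0 with 255.255.240.0: {len(subs)} subnets, {usable} hosts each")
    print("172.20.1.1 is class", address_class("172.20.1.1"),
          "private:", is_private("172.20.1.1"))
```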
Integrating TCP/IP with Existing WAN Requirements

When we talk about TCP/IP implementations, generally we’re talking about something more than a flat little network with a few hundred users. Typically you’ll run into legacy environments where there are geographic separations and the routers and frame relay circuits are already set up. The chore then comes in when you want to “re-IP” the network. In a situation like that, you could simply use one or two of the reserved Class C network numbers with a vanilla Class C subnet mask. But what about a more complicated little site, something on the order of the site in Figure 3.1, only maybe with one or two more networks connected to it? Take a look at Figure 3.3.

FIGURE 3.3: Networking four geographic regions

[Figure: Site A (2,000 users) connects to the ISP; Site B (500 users), Site C (750 users), and Site D (1,750 users) each connect to Site A.]
Figure 3.3 shows four sites separated by routers. The router at Network A has three ports and accepts input from Networks B, C, and D; the other networks each have a single port router that connects to Network A. Note the number of users on each network. Network A also has a proxy server, firewall, and a link to the company’s ISP. Now suppose that you’re going to use the reserved Class A 10.x.y.z network for your users. What would be the best way to apply subnetting so that your users were logically segmented and yet able to effectively work? Start by making things fairly easy. Select 10.1.y.z for Network A, 10.2.y.z for B, 10.3.y.z for C, and 10.4.y.z for D. The largest network is Network A with 2,000 users. You could opt to use the 255.255.0.0 subnet mask and have enough IP addresses to handle all of Network A. But that’s a flat mask and may not be the best choice for a geographically diverse network. A subnet mask of 255.248.0.0 would still supply ample hosts. Let’s take this a little further. What if Network A consisted of 1,500 office workers—people who were responsible for the care and feeding of the business—and 500 sales people? In a case like that, segmenting Network A even further by supplying a subnet mask of 255.255.248.0 would provide you with eight separate network segments in the 10.1.y.z network, each with 254 hosts. You’d use 10.1.0.z–10.1.6.z for the 1,500 and 10.1.7.z–10.1.8.z for the 500, effectively segmenting one group from another. Alternatively, you could simply enlarge your 10.x.y.z set to include 10.1.y.z–10.2.y.z for Network A, and use a 255.248.0.0 subnet mask to keep the clerical staff separated from the sales people.
Integrating Software Routing into Existing Networks

Were you aware that Windows 2000 can be a router? If you are in an environment where you can’t afford a router, you can easily install Windows 2000 Routing and Remote Access Service (RRAS) on a computer with a couple of Network Interface Cards (NICs) in it, and you’ll have yourself a router.
You can use Windows 2000 RRAS to set up several different kinds of routers that use different routing protocols:
Routing Information Protocol (RIP) is very old and has been in wide use for 20 years.
Border Gateway Protocol (BGP) was designed for use within autonomous systems.
Open Shortest Path First (OSPF), a much more efficient protocol than RIP, was designed by the Internet Engineering Task Force (IETF) for the purpose of routing over the Internet.
Internet Group Management Protocol (IGMP) should be used when you need to do some multicasting, as in setting up NetMeeting connections or Windows Media Viewer applications. IGMP is designed strictly for use with multicasting applications.
Service Advertisement Protocol (SAP) is used on IPX-based networks.
Network Address Translation (NAT) hides internal addresses from external networks by translating internal addresses to public external ones.
TIP Despite all these choices, you’re probably going to need to use only RIP or OSPF, depending on the size of your network.
There are four kinds of routing methods at your disposal with RRAS. They are as follows:

Static Routing  With this method, you actually key in the routes to the other routers on the network. This works fine for routers and routes that aren’t updated very frequently.

Auto-Static Routing  This feature is available to you in RIP for IP, RIP for IPX, and SAP for IPX. You can set up your routers to perform a periodic request for an update to their route tables.

Dynamic Routing  Routers that use dynamic routing have algorithms that detect changes to the network environment and update themselves.

Demand-Dial Routing  Small office/home offices (SOHOs) use this kind of connection for times when they want to send e-mail or connect to the Internet.
Exam Essentials

Understand and be able to analyze subnet requirements. Understand what subnets are and how to bring granularity to them with varying subnet masks. Understand the private (reserved) address ranges and how to use them in the network.

Design a TCP/IP addressing and implementation plan. Utilize subnetting techniques with VLSM to introduce logical segmenting to the network. Be able to illustrate how to deploy such a plan.

Be able to measure and optimize a TCP/IP infrastructure design. Utilize tools and techniques in order to gauge how well the network is segmented.

Implement software routing. Utilize Windows 2000 as a software router.

Discover existing WAN environments and integrate TCP/IP into them. Few designers get to put up brand new networks. Instead you wind up supporting legacy environments. Understand the routers that are involved and how to integrate TCP/IP into the existing systems.
Key Terms and Concepts

Automatic Private IP Addressing (APIPA)  A method by which clients can automatically obtain IP configuration information without requiring manual entries or using a DHCP server. APIPA uses the Class B 169.254 network address with a standard Class B subnet mask.

Border Gateway Protocol (BGP)  An Internet routing protocol that allows groups of routers in autonomous systems to share routing information.

Classless Internet Domain Routing (CIDR)  A new method of IP addressing that replaces the old Class A, B, and C scheme. A single IP address can be used to refer to several IP addresses.

Internet Group Management Protocol (IGMP)  A TCP/IP standard (RFC 1112) that details the routing of multicast traffic over the Internet.

Open Shortest Path First (OSPF)  A routing protocol developed using the link-state algorithm.

Point to Point Protocol (PPP)  A connection protocol that connects remote computers to networks.

Private Reserved Range  A range of IP addresses that are not routed on the Internet.

Routing and Remote Access (RRAS)  The Windows 2000 service that facilitates various remote access services (such as demand-dial and RAS) and routing services (such as RIP, OSPF, and others).

Routing Information Protocol (RIP)  A small, lightweight protocol that allows for routing between small- to medium-sized networks.

Serial Line Internet Protocol (SLIP)  An older predecessor to the PPP protocol. SLIP is a connection protocol that gets clients hooked to remote networks or the Internet.

Service Advertisement Protocol (SAP)  A NetWare protocol that is used to announce the services and addresses of NetWare servers hooked to the network.

small office/home office (SOHO)  A very small network. The standard SOHO has a little hub or switch, a few computers, a shared printer, and maybe some other peripheral devices such as a scanner or CD writer.

Variable Length Subnet Masks (VLSM)  The concept of a variable length subnet mask has to do with changing the bits on the mask to provide more hosts with fewer possible subnets or more subnets with fewer possible hosts.
Sample Questions
1. What two routing protocols are installed by default with Windows 2000 RRAS?
A. IGMP
B. RIP
C. IGRP
D. OSPF
Answer: B, D. Windows 2000 provides support for IGMP, but it is not loaded by default. RIP (version 1) and OSPF are the two default protocols. You’ll have to get third-party support for IGRP.
2. You’re going to use the reserved Class A network address in your new network. What subnet mask will give you a range of 8 networks of 32 subnets and 4,094 hosts per subnet?
A. 255.255.248.0
B. 255.255.224.0
C. 255.248.0.0
D. 255.224.0.0
Answer: D. You’ll have a range of 32 network addresses that you can use. You can have 8 networks consisting of 32 subnets apiece. You’ll have a potential for 16,382 hosts.
3. What is the “slash” terminology you’d use to stipulate a 192.168 network that uses a standard Class C subnet mask?
A. 192.168 /8
B. 192.168 /16
C. 192.168 /24
D. 192.168 /32
Answer: C. The segmentation between the network and host addresses is at the 24th bit.
4. In order to support Variable Length Subnet Masks (VLSM), what do the routers have to be able to support?
A. BGP
B. IGMP
C. OSPF
D. CIDR
Answer: D. Routers must be able to utilize Classless Internet Domain Routing (CIDR) in order to accommodate VLSM.
5. Two autonomous systems (groups) of routers must be connected together using which routing protocol?
A. BGP
B. IGMP
C. OSPF
D. CIDR
Answer: A. A group of routers that share routing tables with one another is an autonomous system. Connecting two autonomous systems of routers together requires BGP.
Design a DHCP strategy.
Integrate DHCP into a routed environment.
Integrate DHCP with Windows 2000.
Design a DHCP service for remote locations.
Measure and optimize a DHCP infrastructure design.
Next, we set our sights on what our Windows 2000 DHCP implementation will be like. Perhaps the biggest problems that new administrators run into revolve around TCP/IP: delivering to client computers the IP configuration information they need and providing name resolution services.
Critical Information
Ah, DHCP. What a wonderful tool for any administrator to use! Think of the time saved not having to manually keep track of every user’s static IP configuration entry. The computer does it for you, and does it well. DHCP has been in use on Microsoft NOS for a long time now. It is well-known and well-understood. New administrators must understand DHCP thoroughly.
Integrating DHCP into a Routed Environment
In networks with WAN links going across routers, you might run into some interesting difficulties when you consider your DHCP design. Both DHCP and BootP have the ability to operate across routers, but the majority of the world’s routers have this capability turned off. DHCP and BootP are broadcast-based, message-oriented protocols. So what do you do with a router that doesn’t pass DHCP and BootP requests? You have two choices. You can either set up multiple DHCP servers or install the DHCP relay agent on Windows 2000 computers in each subnet. Either way will work, and there are pros and cons to both.
Designing a DHCP Service for Remote Locations
The decision between these two ways of handling a router that doesn’t pass DHCP and BootP requests revolves around issues of money, connectivity, and configuration. Look at Figure 3.4. Here you see a site that consists of four geographically separated campuses connected by 128K frame relay circuits. Note that you’ve used the reserved Class A network with Class B subnet masks to effectively segment the subnets within each campus.
Figure 3.4: A simple network configured with DHCP. Four sites connected by 128K frame relay circuits: Site A (HQ) 10.1.0.0, mask 255.255.0.0, 1,500 users; Site B 10.2.0.0, mask 255.255.0.0, 1,200 users; Site C 10.3.0.0, mask 255.255.0.0, 1,750 users; Site D 10.4.0.0, mask 255.255.0.0, 1,300 users. Two of the sites host a DHCP server and the other two host a DHCP relay agent.
Now that you have your sites set up, you will want to begin doing some DHCP service within the network. This is a large network, with 5,750 users and an equal distribution of users across the campuses. So if the routers are configured to pass DHCP requests and even if a well-equipped single DHCP server could handle the load, it may not be realistic to have all of the DHCP requests coming across relatively slow wires to a single point. You have two methods of countering this difficulty: you can set up more than one DHCP server and do some scope-splitting for fault tolerance, or you can set up a DHCP relay agent.
Multiple DHCP Servers and Scope-Splitting
In large networks, it might not be a bad idea to provide a localized DHCP server at each location. You could handle this in a couple of different ways. For example, working from Figure 3.4, you could place a DHCP server at each location and simply make the scope the appropriate subnet for each campus, as shown in Figure 3.5.
Figure 3.5: Multiple DHCP servers in a network. The same four sites as Figure 3.4 (Site A (HQ) 10.1.0.0, 1,500 users; Site B 10.2.0.0, 1,200 users; Site C 10.3.0.0, 1,750 users; Site D 10.4.0.0, 1,300 users; all with mask 255.255.0.0), connected by 128K frame relay circuits, each with its own DHCP server.
DHCP Relay Agents
If you need to avoid placing so many DHCP servers due to costs or manageability, you could install the DHCP relay agent instead. In the sample network above, you could install the DHCP relay agent on Windows 2000 Server computers in Campuses B, C, and D. Figure 3.6 shows this new setup.
Figure 3.6: One DHCP server and three DHCP relay agent computers in a network. The same four sites and 128K frame relay circuits as Figure 3.4; one site hosts the single DHCP server and each of the other three runs a DHCP relay agent.
The DHCP relay agent isn’t a full-blown DHCP server, so it has to be configured with a pointer to its DHCP server. The DHCP relay agent requests a DHCP lease on a client’s behalf by sending a unicast message across a router to a DHCP server on the other side. The concept behind unicast is that a packet is sent directly to the host it’s intended for, as opposed to multicast where packets are sent to multiple hosts. Broadcast, of course, means that packets are put out there for all to hear and respond to.
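To make the relay agent's role concrete, here is an added example (not code from the book): it builds a DHCPDISCOVER in the RFC 2131 layout, applies the relay step from RFC 1542, and shows how the server picks a scope from the giaddr field the relay filled in. The site scopes are constructed from Figure 3.4; the MAC address and transaction ID in the comments are made-up sample values.

```python
"""Added example (not from the book): what a DHCP relay agent changes in a
client's broadcast so that a DHCP server behind a router can answer it from
the right scope. Packet layout per RFC 2131, relay behaviour per RFC 1542.
The scopes below are constructed from the book's Figure 3.4."""
import ipaddress
import struct
from typing import Optional, Tuple

# One scope per campus (constructed to match Figure 3.4).
SCOPES = {
    ipaddress.ip_network("10.1.0.0/16"): "Site A scope",
    ipaddress.ip_network("10.2.0.0/16"): "Site B scope",
    ipaddress.ip_network("10.3.0.0/16"): "Site C scope",
    ipaddress.ip_network("10.4.0.0/16"): "Site D scope",
}

MAX_HOPS = 16                         # RFC 1542: discard if hops exceeds 16
HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # RFC 2131 fixed header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"           # magic cookie that starts the options
ZERO_IP = b"\0\0\0\0"


def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a minimal DHCPDISCOVER as a client broadcasts it to 255.255.255.255:67.

    op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, all four address
    fields zero, broadcast flag set; the options carry only the message type."""
    header = struct.pack(
        HDR, 1, 1, 6, 0, xid, 0, 0x8000,
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,      # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x35\x01\x01" + b"\xff"          # option 53 = DISCOVER, then End
    return header + MAGIC + options


def giaddr_of(packet: bytes) -> bytes:
    """The gateway (relay) address field sits at offset 24 of the fixed header."""
    return packet[24:28]


def relay(packet: bytes, relay_if_ip: str) -> Optional[bytes]:
    """Relay agent step: if giaddr is still 0.0.0.0, stamp it with the address of
    the interface the broadcast arrived on, and increment hops. The returned
    packet is what the agent then sends by unicast to its configured DHCP server.
    Returns None when the request must be dropped because the hop limit is exceeded."""
    hops = packet[3]
    if hops > MAX_HOPS:
        return None
    giaddr = giaddr_of(packet)
    if giaddr == ZERO_IP:
        giaddr = ipaddress.ip_address(relay_if_ip).packed
    return packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr + packet[28:]


def select_scope(packet: bytes, receiving_if_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Server step: a relayed request (giaddr set) is matched against the scope that
    contains giaddr, and the offer is unicast back to that relay; a local broadcast
    (giaddr zero) is matched by the subnet of the interface it arrived on and is
    answered on that segment. Returns (scope name, unicast reply address or None)."""
    giaddr = giaddr_of(packet)
    relayed = giaddr != ZERO_IP
    key = ipaddress.ip_address(giaddr if relayed else receiving_if_ip)
    for net, name in SCOPES.items():
        if key in net:
            return name, (str(key) if relayed else None)
    return None, None     # no scope for this subnet: the server stays silent


if __name__ == "__main__":
    # Sample MAC and transaction ID (constructed values).
    discover = build_discover(bytes.fromhex("00d0b7123456"), 0x12345678)
    forwarded = relay(discover, "10.3.0.1")      # relay agent at Site C
    print(select_scope(forwarded, "10.1.0.1"))   # server at Site A (HQ)
```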
Integrating DHCP with Windows 2000
Microsoft has done lots of work with regard to DHCP security. Doubtless you’ll be asked numerous questions on the test relative to these new features.
Specialized DHCP Groups
We start with groups. A special local group, DHCP Administrators, is created for the purpose of allowing only certain individuals the ability to administer the DHCP scopes. There is also a second group, DHCP Users. The intent of this group is to hold the user accounts of those who need read access to the DHCP scopes, such as your junior administrators or PC technicians and help-desk folks.
Active Directory and DHCP Integration
Working with Active Directory (AD) presents some new challenges with respect to DHCP. Windows 2000 DHCP servers must be authorized in AD to be considered a valid DHCP server. This prevents rogue Windows 2000 DHCP servers from going online and giving out invalid DHCP addresses to users. A rogue Windows NT 4 DHCP server, however, could be brought online, and the Windows 2000 network would not do anything about it! There are two very special rules that need to be followed when setting up Windows 2000 DHCP. They are as follows:
Rule 1—The very first DHCP server you set up must be on a Windows 2000 DC or member server. At least one of the DHCP servers must be able to communicate with AD so it can read the list of authorized DHCP servers. You cannot have NT 4 DHCP servers on the network if you’re going to incorporate DHCP into AD.
Rule 2—All relay agent computers must be Windows 2000–based.
Both of these rules apply whether you’re in mixed or native mode.
High-Availability Scenarios
Unlike WINS, there is no backup server for a DHCP server. Splitting up scopes mandates that you have at least two DHCP servers running in your environment. For example, suppose that you have a large single campus of 2,500 users. You could set up two DHCP servers in this single environment. Then you’d have the choice of setting up two different scopes—one for each server—or, more appropriately, setting up a single scope. On the first DHCP server, you’d put a reservation on half of the scope. Let’s say, for example, that you decided to use 172.20.y.z with a subnet mask of 255.255.0.0. You might go to the first DHCP server and set up the scope with 172.20.1.0–172.20.15.255 and then reserve 172.20.8.0–172.20.15.255. This way, the first DHCP server would only use the first half of the scope. Then you’d go to the second DHCP server and configure exactly the same scope, but this time you’d reserve the first half. If the first DHCP server goes down, the second can then begin picking up the slack.
The tactic of splitting the scopes will work well across WAN links as well, as long as the routers are forwarding broadcasts. But in a situation such as that, Microsoft recommends that you consider not doing a full 50/50 split on the scopes. You might, instead, want to do an 80/20 split, with 80 percent being on the network that’s more heavily loaded. The goal here is to whittle down the number of requests that have to go across a slow WAN link.
The concept behind a Windows 2000 cluster server is fairly straightforward: You provide two servers that are both dedicated to a single server’s function so that if the first server goes away for any reason, the second server sees the fault and performs a failover. Users aren’t supposed to see even a blip on the radar screen when the failover occurs; they can keep working. It’s wonderful that a DHCP server will work with a cluster server. But you’re probably not going to be inclined to set up a cluster server simply for DHCP. More likely, you’ll set up a cluster server for other critical apps that you have running on the network and then decide to add DHCP as well.
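The scope split described above, as an added example (not the book's own code): it computes the lease and exclusion ranges for each of two servers sharing 172.20.1.0–172.20.15.255 under a 50/50 or an 80/20 split, and checks what one server's pool can carry when the other is down. The book calls the withheld half a reservation; in the DHCP console it is configured as an exclusion range.

```python
"""Added example (not from the book): lease and exclusion ranges for two DHCP
servers sharing one scope, plus a check of what survives when one server fails."""
import ipaddress
from typing import Dict, Tuple


def split_scope(first: str, last: str, pct_first: int) -> Tuple[Dict, Dict]:
    """Return the configuration for server 1 and server 2 sharing scope first..last.

    Both servers define the whole scope. Server 1 leases the first pct_first percent
    of the addresses and excludes the rest; server 2 excludes what server 1 leases,
    so no address can ever be offered by both."""
    if not 0 < pct_first < 100:
        raise ValueError("split percentage must be between 1 and 99")
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("scope end precedes scope start")
    total = int(hi) - int(lo) + 1
    cut = lo + total * pct_first // 100        # first address of server 2's share
    server1 = {"scope": (str(lo), str(hi)),
               "exclude": (str(cut), str(hi)),
               "leases": (str(lo), str(cut - 1)),
               "pool_size": int(cut) - int(lo)}
    server2 = {"scope": (str(lo), str(hi)),
               "exclude": (str(lo), str(cut - 1)),
               "leases": (str(cut), str(hi)),
               "pool_size": int(hi) - int(cut) + 1}
    return server1, server2


def consistent(server1: Dict, server2: Dict) -> bool:
    """True when the two lease pools are disjoint and together cover the whole scope."""
    a_lo, a_hi = (int(ipaddress.ip_address(x)) for x in server1["leases"])
    b_lo, b_hi = (int(ipaddress.ip_address(x)) for x in server2["leases"])
    s_lo, s_hi = (int(ipaddress.ip_address(x)) for x in server1["scope"])
    return a_lo == s_lo and a_hi + 1 == b_lo and b_hi == s_hi


def survivor_capacity(server1: Dict, server2: Dict, users: int) -> Dict[str, bool]:
    """When one server is down, only the other server's pool can satisfy clients
    whose leases expire. This is the real cost of splitting a scope: each pool on
    its own must be large enough for every client, or some will end up without a lease."""
    return {"only_server1_up": server1["pool_size"] >= users,
            "only_server2_up": server2["pool_size"] >= users}


if __name__ == "__main__":
    for pct in (50, 80):
        s1, s2 = split_scope("172.20.1.0", "172.20.15.255", pct)
        print(pct, s1["leases"], s2["leases"], survivor_capacity(s1, s2, 2500))
```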
Measuring and Optimizing a DHCP Infrastructure Design
Are there ways that you can optimize and tune your DHCP configuration? There are three different methods, the first of which has to do with tuning a single DHCP server. The other two have to do with steps that you can take across your entire DHCP implementation.
Single-Server Optimization
Slow response from a DHCP server might be the server’s problem or the network’s problem. Since DHCP is message-based and the messages are tiny, there’s a good chance that, unless the network is absolutely saturated, it’s not going to be the slow part of this process. DHCP servers involved with other activities, such as Exchange, SQL Server, or file or print serving, can drastically slow down the response time of the server giving out a lease to a client. Here are some ideas you can use to spruce up your DHCP server’s capabilities:
Offload your DHCP server from any other activities other than providing DHCP.
In multiple-subnet environments, you can multi-home your DHCP server by installing two or more network interface cards (NICs) and pointing each to a different subnet.
Since Windows 2000 DHCP is multithreaded, it can use multiple CPUs: add a second CPU to your DHCP server.
Change out those old 7,500rpm SCSI hard drives for 10,000rpm drives running on a hardware RAID adapter.
If you have a gigabit backbone, add a gigabit-rated NIC to the DHCP server and put it on the backbone.
You can use Network Monitor to monitor DHCP traffic across your network.
Steps like this will greatly increase the efficiency and throughput of your DHCP computer.
Increase Lease Length
Perhaps the biggest thing that administrators neglect to think about when designing DHCP deployments is the lease renewal time. What about that eight-day lease expiration time? In the days of cluttered networks, lease expiration times had to be short. But today, we can set up huge pools of reserved IP addresses for our scopes, and we don’t have to worry so much about the expiration of leases.
Set Up Multiple DHCP Servers
By setting up more than one DHCP server, you do two things: you offload each of your servers so that they don’t have to work so much, and you keep DHCP traffic from crossing slow WAN links. DHCP can and should live on a computer all by itself, dedicated to the process, but you could also have WINS occupy the same server. It’s important in a setting like this to make sure that you provide an ample supply of IP numbers in your scope so that no one is in danger of their lease expiring and not being able to get a new one.
Exam Essentials
Understand how to integrate DHCP into a routed environment. Understand why routers don’t typically forward DHCP and BootP requests and how to work around this.
Know what’s necessary to integrate DHCP with Windows 2000. Understand how to integrate DHCP into Active Directory.
Be able to design a DHCP service for remote locations. Be familiar with DHCP relay agents.
Understand how to measure and optimize a DHCP infrastructure. Understand scope-splitting, DHCP on a cluster server, and lengthened lease times.
Key Terms and Concepts
DHCP relay agent: A routing protocol that forwards, in unicast, DHCP requests from a network that has no DHCP server to a network that does.
Dynamic Host Configuration Protocol (DHCP): A common TCP/IP protocol that is used to automatically and dynamically allocate IP addresses and configuration information among requesting clients.
IPConfig: A TCP/IP test utility for Windows NT or Windows 2000 computers that yields the current TCP/IP configuration information for a given adapter.
multicast: The act of transmitting data in the form of packets to a select group of recipients. Used primarily in video or audio streaming, stock ticker programs, etc.
Multicast Address Dynamic Client Allocation Protocol (MADCAP): A protocol that provides support for DHCP-based TCP/IP configuration of multicast clients.
unicast: Packets that are sent from a source to a single destination are said to be sent in unicast.
WINIPCFG: A Windows 9x utility that allows administrators or users of computers to determine the computer’s current IP configuration.
Sample Questions
1. You’ve been given a requirement to set up some training servers that will have computer-based training (CBT) software on them that streams multimedia content over the intranet to students that request it. What DHCP protocol will the DHCP servers need to be configured with to use a correct delivery method?
A. MADCAP
B. MS-CHAP
C. Unicast
D. ADCAST
Answer: A. The Multicast Address Dynamic Client Authentication Protocol (MADCAP) is used by DHCP servers that are configured to provide multicast support. Remember that this protocol uses a special set of subnets, 239.253.0.0–239.255.255.255, for this work.
2. You have a site that is made up of two campuses separated by a geographic distance. There are two Cisco 1000 routers connecting the WAN circuit. Clients currently use statically entered addresses, but you’ve read about the DHCP server’s conveniences and have decided to set up a server. But when you set up your Windows 2000 DHCP server, clients in the other campus can’t seem to negotiate a new IP lease. What could be the matter? Pick the best answer.
A. You need to add the new DHCP server to LMHOSTS.
B. Clients must be Windows 2000 Professional workstations to participate in Windows 2000 DHCP.
C. Routers are configured to not allow DHCP or BootP requests across their backplanes.
D. The scope is not correctly set up.
Answer: C. While Option D is certainly a possibility and one that you’d check, the most likely answer is C. Routers are generally configured to not allow the passage of DHCP or BootP broadcast requests.
3. By which method does a DHCP client find a DHCP server?
A. Multicast
B. Unicast
C. Broadcast
D. Singlecast
Answer: C. Clients send out broadcasts when requesting DHCP services.
4. Why is it necessary to use a DHCP relay agent when DHCP clients are separated by a router from the DHCP server?
A. Routers cannot provide DHCP services.
B. The DHCP protocol cannot talk to more than one physical LAN segment.
C. Routers cannot forward DHCP requests.
D. Broadcasting across routers is typically shut off.
Answer: D. Internetworking experts typically shut off a router’s ability to forward broadcasts. Some routers can be equipped with a helper address that acts as a pointer to a DHCP server.
5. Pick out two new features within Windows 2000 DHCP.
A. It provides IP configuration information to Macintosh computers.
B. Windows 2000 DHCP servers must be authorized in AD.
C. Support is provided for backup DHCP servers.
D. DHCP can supply IP addresses to multicast clients.
Answer: B, D. Windows 2000 DHCP servers must be authorized within AD. The design goal here is to prevent any rogue DHCP servers from coming on line and passing out IP configuration information that isn’t correct. DHCP can provide IP addressing information to multicast clients.
Design name resolution services.
Create an integrated DNS design.
Create a secure DNS design.
Create a highly available DNS design.
Measure and optimize a DNS infrastructure design.
Design a DNS deployment strategy.
Create a WINS design.
Create a secure WINS design.
Measure and optimize a WINS infrastructure design.
Design a WINS deployment strategy.
Have you ever been in a situation where you had a network problem that you thought was enormously complex, but it turned out that you had a name resolution problem with one of the name servers? Moving into the DNS environment, we add a whole new layer of complexity to the topic of name serving. It’s imperative that you completely understand both DNS and WINS in your Windows 2000 work.
Critical Information
Interestingly, even though a heavily modified version of DNS was incorporated into Windows 2000, WINS won’t (can’t) go away because there are so many applications out there that require NetBIOS name resolution. Yes, if your network was entirely Windows 2000 Professional and Windows 2000 Server equipped and you had no NetBIOS-reliant applications (effectively ruling out minor things like Exchange 5.5), you could dismantle WINS; however, this is rarely the case. So, let’s move on to cover name serving using not only DNS but WINS.
The Two-Fold DNS Design Process
When you sit down to begin a Windows 2000 DNS design, you must think in terms of how it will integrate into your existing network and how you’ll apply the updated Windows 2000 security features to it.
Creating an Integrated DNS Design
Up until now, it’s safe to say that the majority of DNS servers ran on Unix computers. But there are so many advantages to using Windows 2000 DNS that it’s very possible that many administrators will want to move their main DNS server services to their Windows 2000 servers instead. One advantage is the integration with AD. Wherever your AD database winds up getting replicated, there will be your DNS records as well. You can intermix DNS servers using Active Directory–integrated zones and regular DNS servers participating in standard zones. In fact, when you set up DNS on your Windows 2000 server, you can opt to make it a standard primary DNS server, a standard secondary DNS server, or an AD-integrated DNS server. Windows NT 4 DNS servers cannot integrate with AD, but they can participate as a secondary zone to a Windows 2000 DNS server. Make your primary DNS servers the AD-integrated ones and your NT servers the secondary ones.
Creating a Secure DNS Design
Active Directory–integrated zones allow for very fine distinctions to be made among those who are allowed to manage the DNS database.
Certain groups are automatically given administrative authority over the DNS servers, among them domain admins, enterprise admins, DNS admins, and the Administrators group. The Administrators group lacks Full Control and Delete All Child Objects rights, but retains great control over the DNS databases. An important decision is whether to allow dynamic updates to the DNS database. If you’ve enabled a DHCP server to dynamically update DNS, then Windows 2000 clients can update the DNS database, as can the DHCP server.
Secure Zone Transfers
You can set up your DNS zones so that they transfer only to DNS servers that you designate. A screened subnet is one that lies between two firewalls—the private network is on one side of a firewall, the screened subnet is in the middle, and the public (Internet) network is on the other side of the second firewall. You’d encounter this kind of situation if you had a set of Web servers out in a demilitarized zone (DMZ), a semi-public, semi-private zone where Web servers can reside to provide Web services to Internet viewers but prevent access to internal networks.
Creating a Highly Available DNS Design
Active Directory integration creates an environment where you don’t have as much to worry about in terms of DNS availability. But, it’s key that you target weak points in your site that may require a second DNS server and then set up servers at those points. You can then create Active Directory–integrated zones between these servers, or you can set up a primary/secondary zone replication scheme. A technique that might work well for you is the concept of delegated domains. Here’s how the concept works. Suppose that you’re an administrator for a company, LargeCompany, with a couple of different sites; let’s call them SiteA and SiteB. SiteA is pretty large and might very well merit its own domain: SiteA.LargeCompany.com. Ditto for SiteB: SiteB.LargeCompany.com.
What you can do is set up two DNS servers: one at SiteA and one at SiteB. SiteA will have as its primary zone SiteA.LargeCompany.com, while SiteB will have as its primary zone SiteB.LargeCompany.com. Then, each server will have the opposite server as its secondary. In a case like this, you’ve delegated the domain for SiteA to the DNS server at SiteA and vice versa for SiteB.
Measuring and Optimizing a DNS Infrastructure Design
Several key components need to be looked at when considering the correct DNS infrastructure for your design. Perhaps the most important question you’ll have to ask yourself is whether it will be desirable to replace the BIND (Unix) DNS servers running in your Windows 2000 environment. This decision will drive everything else in your project. If it’s not acceptable for Windows 2000 to do the DNS work, that’s no big deal. The BIND servers will be the primary DNS servers, your DNS boxes will be the secondaries, and you can still have an integrated Active Directory server that feeds the DNS data into AD. The chart below shows some common BIND versions and the updated support they provide:
BIND Version      Supplies
4.9.6 or later    Support for SRV records
8.1.2 or later    Support for a dynamically updated DNS zone database
8.2.1 or later    Support for incremental zone updates
8.2.2             Support for AD
If a DNS server is a standard primary server and it is out on the DMZ, then it might be very possible for someone to hack in and update or change the DNS tables, which would subsequently replicate to the secondary servers. You can fight this problem by keeping your primary DNS server in the private network and replicating only certain zones to the secondary DNS server in the DMZ. Since secondary DNS servers have read-only databases, they can’t be messed with.
ZONE-REPLICATION SECURITY
You can handle zone-replication security in a number of ways. Perhaps the most risk will exist when transferring zone information across the Internet from one of your DNS servers to another. Microsoft recommends that you set up a VPN when sending data of this sort over the Internet and that you encrypt the data either through IP Security (IPSec) or VPN technology. On zone replications that take place inside the internal network, the best and easiest way to secure the replication is to set up Active Directory–integrated zones. This data is encrypted as it’s passed along and is highly secure.
HIGH-AVAILABILITY SCENARIOS
Perhaps the easiest and cheapest method for providing highly available DNS is to provide lots of redundancy in your DNS design. This kind of technique requires that you think about your delegated domains, how you’re going to split things out among several DNS servers. A second question is whether you provide a backup DNS server at each site. For really important sites that require very fault-tolerant installations, you’ll want to consider a cluster server for your DNS installations.
OPTIMIZATION AND TUNING OF DNS
The most basic technique you can use for testing how well DNS is doing is to PING a Fully Qualified Domain Name (FQDN) several times to see what kinds of response times you’re getting out of the system. You’ll also want to time reverse name lookups with NSLOOKUP so you have a feel for how fast the DNS box can respond to those kinds of queries as well. You can also use Performance Monitor to evaluate the performance of your DNS servers. A DNS object and several DNS-related counters are provided with Performance Monitor as soon as you install DNS on a Windows 2000 computer. To optimize performance, you can set up Windows 2000 DNS servers for fast replication. You’ll also want to make sure that the overall network infrastructure can handle what’s being asked of it. Routers with
10Mbps uplink ports cannot possibly perform well in 100Base-T networks that deliver the data faster than the routers can take it in. Finally, to speed up DNS requests across slow WAN links, you should consider setting up a DNS server to act strictly as a caching-only server. Caching-only DNS servers do not host any zones of their own, but cache all lookup requests forwarded to DNS servers that do have valid zones.
Designing a DNS Deployment Strategy
Certain key benefits from Windows 2000 DNS are not supported in older versions of BIND. For example, the SRV resource record wasn’t supported until BIND version 4.9.6 or later. Support for dynamically updated BIND databases wasn’t provided until BIND version 8.1.2. A relatively obvious concept, incremental zone updates, wasn’t provided until BIND 8.2.1. A visit with your friendly Unix DNS admin is in order so that you can ascertain exactly where you’re at in terms of BIND versions. Windows NT 4 DNS servers don’t support dynamic DNS updates, period, so in terms of backward compatibility with them, you’ll have to make sure that there is always a secondary server to your Windows 2000 primary DNS server.
Neither BIND nor Windows NT 4 DNS servers support Unicode character sets, only ANSI. This could be a problem with foreign-language DNS implementations that use characters not found in the ANSI character set. If the chances are that you’ll encounter such sets, you’ll have to set your Windows 2000 DNS servers for RFC-compliance (ANSI) and avoid the Unicode issue.
Some vendors supply non-RFC-compliant resource records in DNS. For example, suppose that a manufacturer of a voice card for fax systems decided to include a record such as Digital Synthesis Processor (DSP) in the DNS database. This is not a recognized record type. In BIND and Windows NT 4 implementations, zone replication would cease, stop, go kaput. But, through the magic of Windows 2000 DNS, you can instruct the DNS server to simply ignore strange resource records such as this. If you’re using BIND DNS servers and you decide to set up WINS forward lookup zones, your BIND servers will croak on the WINS and WINS-R records. The decision to use WINS as a forward lookup zone with Windows 2000 or Windows NT 4 DNS automatically indicates that BIND DNS drops out of the picture.
Creating a WINS Design
The whole purpose of WINS is to resolve NetBIOS names to IP addresses by sending unicast messages across routers. When you design WINS servers, there are several things that you need to know:
Pushing and Pulling
Suppose that you have two WINS servers on the network. One of the servers has resolved several names and has dynamically updated its database so that it can continue to resolve these names in the future. Ditto for the other server. In such a situation, you should set up what is called a push/pull partner relationship. If the first server sends its contents to the second, that’s called a push. If the first server obtains the contents of the second server on its own, it’s a pull.
WINS Proxy Agents
Some (non-Microsoft) NetBIOS clients are not able to work with WINS servers, but require the capability of performing NetBIOS name resolution. A good example of such a client is a CD tower that uses NetBIOS but is not a WINS participant.
Windows 2000 Computers Support Multicast WINS Server Discovery
Windows 2000 computers have the capability of discovering new WINS server partners via multicast on 224.0.1.24. The default time delay between multicasts is two hours.
Order of Name Resolution
WINS uses the concept of a node type. These are hexadecimal numbers that you enter in DHCP scopes that tell the WINS client the order of name resolution to use. The most common type, node type H or hybrid node, will check a WINS server first, then check the local LMHOSTS file (discussed in the next section), then broadcast for the name.
H-Node Search Order
NetBIOS cache on client computer
WINS
Broadcast
LMHosts file
Hosts file
DNS
You can check the current listings in your cache, plus obtain the time-to-live (TTL) for cache entries, by simply going to a command prompt and entering the command NBTSTAT -c | more.
LMHOSTS File
In the \Windows directory of Windows 3.x or 9x computers and the \Winnt\System32\Drivers\Etc directory of NT computers, you’ll find a file called LMHOSTS. The file is very easy to use: each line includes the IP address of a server that the client may need to connect to, a tab, then the server’s NetBIOS name. You can install the WINS Server service on Windows 2000 domain controllers. These WINS servers are backward compatible with any Windows NT 4 WINS servers you currently have in your network, including acting as push/pull partners with Windows 2000 servers.
Creating a Secure WINS Design
You can secure WINS servers very much the same way that you secure DNS boxes. If you have WINS traffic crossing the Internet, remember that the data is ASCII text and fully readable—probably not a good thing to have going out over a public network. You can get around this problem by setting up a VPN between your sites or by using IPSec to encrypt the data before sending it out. The internetworking (router) guru might have to do some firewall and router work to allow IPSec messages from one server to the other. In a screened subnet design, where you desire to allow Internet clients to be able to reference names registered with corporate WINS servers, consider making the WINS server in the screened subnet a pull partner with the corporate WINS server on the other side of the firewall. WINS servers can be put on a cluster for fault-tolerance purposes.
Measuring and Optimizing a WINS Infrastructure Design
Microsoft has done you several favors in terms of tuning and optimizing your WINS deployment. There is a need for making sure that adequate performance tuning techniques are available for admins who need to use this system. These techniques are as follows.
SERVER OPTIMIZATION TECHNIQUES
We start with the fact that WINS is now multiprocessor-aware. This means that you can either purchase a dual-processor system for each of your WINS server computers or, if possible, upgrade your current WINS servers to dual-CPU. A dual-CPU computer running symmetric multiprocessing (SMP)-aware apps can improve the performance and throughput of your servers. If you have hundreds or thousands of users hitting your WINS servers daily, consider upgrading the servers to dual-CPU boxes.

Is your WINS box old? Then you’ve probably got some old SCSI drives running at 7,500rpm. You can do your system a big favor by replacing them with 10,000rpm SCSI drives.

If your network infrastructure can support it, set the network card to 100Base-T full duplex. Make sure the switch port is set for 100-Full as well.

Windows 2000 WINS servers support a new concept called burst-mode name recognition. The server counts how many requests the WINS server component is getting, and if the number exceeds 500 right away, the time-to-live (TTL) for the clients making and caching the request is set randomly anywhere between 5 and 50 minutes. Additionally, responses are sent back to the clients prior to actually writing the data to the database, thus slowing things down even more.

Supply enough servers for the network to support all of its users without going overboard on the number of WINS servers you have installed. Too many WINS servers can create as many problems as not having enough.

CLIENT OPTIMIZATION TECHNIQUES
If you extend the client renewal period, you’ll do your network a favor by not hammering it so often with WINS renewals, although Microsoft estimates that only about 1 percent of the traffic on a typical network is taken up by WINS. Lengthening this renewal period will likely not produce noticeable results unless you’re on an already crammed network, in which case you need to review your infrastructure.

You can also provide multiple WINS servers for redundancy. Suppose that WINS server A is down when the client renews. WINS server B will pick up the renewal request and register the client’s name in WINS. Then, when WINS server A comes back online and a push/pull happens, WINS server A will also know about the client computer.

Check the DHCP scope settings to make sure the node type is set to “0x8, h-node.” If it’s set to some other value, change it back.
Measuring WINS Server Name Resolution Performance
First, you should be aware that when WINS is installed on a computer, a Performance Monitor object is added, and there are several counters that you can use to measure the performance of your WINS servers. This is probably the best and most factual way of ascertaining how loaded your WINS boxes are.

You can also do a poor man’s test simply by measuring PING times. PING a NetBIOS name, and time how long it takes to return the reply. The <10ms figure that a typical PING returns is usually fine. You’re looking for exceedingly long PING times—on the order of seconds instead of the expected <10ms. Long PING times imply either host name resolution issues you need to check into or poor infrastructure.

A second important thing to monitor is the convergence time. The WINS convergence time is the time it takes for a new entry in one WINS server to replicate to a second WINS server. Type an entry for a bogus server into the first WINS server. Get a stopwatch going, and see how long it takes to replicate this information to the second WINS server. This is the convergence time. Too long? Adjust down the amount of time between database replications. Too short? Adjust the replication time up.

Designing a WINS Deployment Strategy
WINS implementations are fairly straightforward, even in a setting where you’ve already got some NT 4 WINS servers and you’re going to add some Windows 2000 WINS servers. First, determine the number of clients you have to support. Also determine whether that number is expected to grow appreciably. If it’s not, and you currently have some Windows NT 4 servers that seem to be doing the trick, upgrade them to Windows 2000, being careful to check their performance after they’ve been upgraded.

Always evaluate the placement of the WINS servers—the current ones in a legacy situation, or where you’re going to place your new servers if you’re building a new deployment. Remember that if Windows 3.x, 9x, and NT clients can’t resolve a NetBIOS name, they aren’t going to work very well, so make sure you have redundancy and ample coverage. If you opt to put a WINS server out with the Web servers in a DMZ environment (you’d do this only for applications that required it), make sure that this server is a pull partner, not a push partner, with the other WINS servers on the private network.

Non-WINS NetBIOS clients can make use of a WINS proxy agent on the same subnet for name resolution services should a true WINS server not be readily available. The WINS proxy agent sends a name resolution request to a valid WINS server, then returns the results to the client.

On Windows 2000 servers, adjust the WINS server properties and turn on Database Consistency Checking, so that it runs on a regular basis. The default is once a day.
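The readable-on-the-wire WINS traffic noted under Creating a Secure WINS Design and the stopwatch convergence test under Measuring WINS Server Name Resolution Performance, as an added Python example (not code from the book or from Microsoft): it builds and parses RFC 1002 NetBIOS name query packets, the UDP/137 messages a WINS client sends, against constructed sample replies. The query_wins() and measure_convergence() helpers, the server name FILESRV1 and the address 192.0.2.10 are assumptions made up for the example.

```python
import socket
import struct
import time

NB_RR_TYPE = 0x0020   # NB resource record: NetBIOS name -> IP address
NODE_TYPES = {0: "B-node", 1: "P-node", 2: "M-node", 3: "H-node"}

def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """First-level encoding: pad the name to 15 bytes, append the service suffix
    (0x20 = file server, 0x00 = workstation), then write each nibble as a letter
    A..P. The result is plain ASCII, which is why WINS traffic is readable."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name, suffix=0x20, txid=0x1234, broadcast=False) -> bytes:
    """NAME QUERY REQUEST. RD (0x0100) is always set; the B bit (0x0010) is set
    only for the broadcast step of the h-node search order."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NB_RR_TYPE, 1)

def _read_name(packet: bytes, pos: int) -> tuple:
    """Read the encoded NetBIOS name label at pos; returns ((name, suffix), end)."""
    if packet[pos] != 32:
        raise ValueError("malformed NetBIOS name label")
    name = decode_netbios_name(packet[pos + 1:pos + 33].decode("ascii"))
    end = pos + 33
    while packet[end] != 0:                         # skip any scope labels
        end += 1 + packet[end]
    return name, end + 1

def parse_name_response(packet: bytes) -> dict:
    """Parse a NAME QUERY RESPONSE: rcode 0 with entries means the name is
    registered, rcode 3 (NAM_ERR) means the server does not know it."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a request, not a response")
    result = {"txid": txid, "rcode": flags & 0x000F, "name": None,
              "suffix": None, "ttl": None, "entries": []}
    if result["rcode"] != 0 or ancount == 0:
        return result
    pos = 12
    for _ in range(qdcount):                        # skip any echoed question
        pos = _read_name(packet, pos)[1] + 4
    (name, suffix), pos = _read_name(packet, pos)
    rr_type, _, ttl, rdlength = struct.unpack("!HHIH", packet[pos:pos + 10])
    pos += 10
    if rr_type != NB_RR_TYPE:
        raise ValueError("unexpected resource record type 0x%04x" % rr_type)
    result.update(name=name, suffix=suffix, ttl=ttl)
    for off in range(pos, pos + rdlength, 6):       # 6-byte NB_FLAGS + IP entries
        nb_flags, ip = struct.unpack("!H4s", packet[off:off + 6])
        result["entries"].append({"ip": socket.inet_ntoa(ip),
                                  "group": bool(nb_flags & 0x8000),
                                  "node_type": NODE_TYPES[(nb_flags >> 13) & 0x3]})
    return result

# Constructed sample replies (not captured traffic): a positive answer for
# FILESRV1<20> owned by an h-node at 192.0.2.10, and a NAM_ERR reply.
SAMPLE_POSITIVE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
                   + bytes([32]) + encode_netbios_name("FILESRV1").encode("ascii")
                   + b"\x00" + struct.pack("!HHIH", NB_RR_TYPE, 1, 518400, 6)
                   + struct.pack("!H", 0x6000) + socket.inet_aton("192.0.2.10"))
SAMPLE_NEGATIVE = struct.pack("!HHHHHH", 0x1234, 0x8583, 0, 0, 0, 0)

def query_wins(server: str, name: str, suffix: int = 0x20, timeout: float = 2.0):
    """Unicast one query to a WINS server (assumed reachable on UDP/137) and
    return (parsed reply or None on timeout, round-trip seconds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.monotonic()
        sock.sendto(build_name_query(name, suffix), (server, 137))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None, time.monotonic() - started
        return parse_name_response(data), time.monotonic() - started

def measure_convergence(second_server, test_name, poll_every=5.0, max_wait=1800.0):
    """The stopwatch test from the text: after adding a bogus static entry on the
    first WINS server, poll the second until it answers; None if max_wait passes."""
    started = time.monotonic()
    while time.monotonic() - started < max_wait:
        reply, _ = query_wins(second_server, test_name)
        if reply is not None and reply["rcode"] == 0 and reply["entries"]:
            return time.monotonic() - started
        time.sleep(poll_every)
    return None
```

The round-trip time that query_wins() returns is the same figure the poor man’s PING test above is after, measured against the name service itself rather than ICMP.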
Exam Essentials
Be able to create an integrated DNS design. Understand the ramifications of integrating a Windows 2000 DNS design into a legacy DNS system. Design scenarios might include having to think about BIND-based DNS servers or NT DNS server platforms.

Understand how to secure your DNS design. Understand the Windows 2000 features that will allow you to create a more secure DNS design. Know about encryption capabilities using secure zone transfers.

Create a highly available DNS design. Comprehend what it takes to make sure DNS is highly available. Understand the ramifications of putting DNS on a cluster server or somehow providing redundancy to the DNS databases.

Be able to measure and optimize a DNS infrastructure design. Know how to measure the performance of DNS and optimize it. How well is DNS performing? How long does it take users to receive a name resolution after requesting one?

Be able to design a DNS deployment strategy. Develop the capacity to come up with a solid DNS deployment strategy. Especially in legacy environments, understanding the old DNS implementation and how you’re going to introduce the new one is important.

Know how to create a WINS design. Understand the ramifications of creating a WINS design. WINS has to stay around, at a minimum, for legacy interaction with NetBIOS-based applications.

Be able to create a secure WINS design. Know how to use Windows 2000 features to secure your WINS design. Understand how to authorize WINS servers.

Be able to measure and optimize a WINS infrastructure design. Know how to measure and optimize your WINS infrastructure. Be able to apply measurement techniques to determine how quickly name-resolution requests are being fulfilled.

Be able to design a WINS deployment strategy. Comprehend how to design a WINS deployment strategy. Two key points here are the legacy interaction with NetBIOS applications and the capability of authorizing WINS servers. Also key is the idea of a WINS proxy agent.
Key Terms and Concepts

Active Directory Integrated DNS Zone
A Windows 2000-based DNS zone that is integrated into Active Directory.

Berkeley Internet Name Domain (BIND)
The original DNS implementation used to resolve host names to IP addresses, thus replacing the need for static hosts tables.

burst-mode name recognition
A mode that a WINS server can be configured with, so that the server provides clients with a short time-to-live (TTL) when hit with large numbers of simultaneous client registrations, forcing clients to reregister when the server isn’t as busy. When there are more than 500 client registration attempts at any one time, WINS kicks into burst mode and sets client TTLs to five minutes. For every 100 client registration attempts above 500, the TTL has another five minutes added to it; if 600 clients try to register simultaneously (if a new call center is powered up all at once, for instance), TTLs would be set for 10 minutes. This is new to Windows 2000 WINS.

convergence time
The time it takes for a network service to stabilize after a change in the network. For example, after a WINS update, the time it takes for other WINS servers to update their databases and be in agreement with one another.

delegated domains
A domain for which authority has been delegated to another DNS server.

Demilitarized Zone (DMZ)
A network that a company maintains between the company’s private network and the Internet. Typically, DMZ networks contain Web servers and computers that help support the Web environment (such as proxy servers or firewalls). Also called a screened subnet.
forward lookup zone
A zone that allows one to look up an IP address when a host name (FQDN) is known.

hybrid node (h-node)
A name resolution method wherein the client first queries the listed name servers it has been given, then broadcasts, then checks an LMHOSTS file.

LMHOSTS
A static table of NetBIOS name to IP address mappings.

negative caching
A situation in which a negative response from a DNS server for the IP address of a host is cached. The purpose of the caching is to speed up the query on other DNS client computers.

node type
One of four different name resolution paradigms that a client will use when attempting to resolve computer names to IP addresses on a network.

NSLOOKUP
A command used to query DNS servers with a fully qualified domain name (FQDN) in order to find an IP address, or to query DNS servers with an IP address in order to find the FQDN of a host.

push/pull partner
The term given to the act of one WINS server sending (pushing) the changes to its database to another, while taking (pulling) the database changes from the other to itself.

resource record
A description of the type of host listed in a DNS database. There are many different resource records that can be used to describe different types of hosts.

screened subnet
Microsoft’s term for a demilitarized zone.

service record (SRV)
A type of resource record new to Windows 2000 DNS. The SRV resource record specifies which computers provide which kind of TCP/IP services on the network. Used to find which servers are providing LDAP, Kerberos, and Global Catalog services, for example.

standard primary DNS zone
The zone that is authoritative for the organization and handles the root domain structure.

standard secondary DNS zone
A redundant partner to a standard primary DNS zone; one which receives replicated updates to its database as the standard primary DNS zone is updated.
Unicode
A 16-bit standard that represents characters as integers and is capable of representing 65,000 unique characters. Because of this huge number of possible character values (compared to only 256 in ASCII), almost all the characters from all the languages in the world can be represented with a single character set.

WINS proxy agent
A Windows 2000 component that relays broadcast NetBIOS name resolution requests in unicast mode across a router to a WINS server for name resolution services.

WINS-R
A resource record new to Windows 2000. This is a WINS reverse lookup record. The record says, “Check WINS for an address, then do a reverse lookup on it to retrieve its FQDN.”

zone
A DNS term for a group of records that share a namespace. A zone can contain a few records, a domain, or multiple domains, as long as the namespace for each of the hosts is common.
Sample Questions

1. For what purpose would you use the WINS and WINS-R resource records?
A. For WINS integration into AD-integrated DNS
B. To point to the network’s WINS servers
C. For WINS integration into BIND DNS
D. So Windows 2000 WINS servers act as the DNS servers for the network

Answer: A. Once a Windows 2000 server has been converted to a domain controller and DNS has been installed on it (which happens automatically when using the Wizard associated with DCPROMO), you are in a position to set up DNS so that it forwards name resolution requests that it cannot resolve to the network’s WINS computers. The WINS record is the forward lookup record for the WINS servers; the WINS-R record is the reverse lookup record.
2. What does the burst-mode feature in the Windows 2000 WINS server service do?
A. It keeps WINS servers from being inundated with name resolution requests.
B. It forwards multiple name resolution requests to other WINS servers.
C. It forwards name resolution requests to DNS servers.
D. It shuts down broadcast storms on the network.

Answer: A. This is a fairly tricky concept. If a Windows 2000 WINS server gets hit with more than 500 simultaneous name resolution requests, it kicks into burst mode. This doesn’t help the initial problem, but it prevents it from happening again. The WINS server gives different clients different TTL times, so they don’t all expire at once and go looking for a refreshed name resolution all at the same time.

3. You have two Windows 2000 DNS servers. You’ve got them set up so that one server is authoritative for one domain you’re in and the other is authoritative for a second domain. The servers have the opposite domain’s information keyed in as a backup. What roles are each of these DNS servers playing?
A. Standard primary server
B. Standard secondary server
C. Backup primary server
D. Backup secondary server

Answer: A, B. Both servers are playing the role of standard primary server for the domain they’re authoritative for and standard secondary server for their backup domain.
4. When a Windows 2000 DNS server copies only part of its data to a secondary DNS server, what is this called?
A. Partial zone transfer
B. Incremental zone transfer
C. Secure zone transfer
D. Dynamic zone transfer

Answer: B. An incremental zone transfer reduces the amount of time it takes to update each zone database that is participating in a DNS hierarchy for that zone.

5. You have a slow WAN link that separates two DNS servers. What can you do to speed up DNS requests coming from one side of the slow circuit?
A. Set up one side to have read-only DNS databases.
B. Make one side authoritative for its side of the network and the other side authoritative for its side.
C. Make one DNS server a caching-only server.
D. Set up both servers with round-robin lookups.

Answer: C. Windows 2000 DNS provides you with the ability to make a server on a slow wire a caching-only server. Caching-only servers do not hold any zones of their own but forward requests to DNS servers that have valid zones.
Design a multi-protocol strategy. Protocols include IPX/SPX and SNA.

Not all enterprises are built out of only the TCP/IP protocol. Many different networks have legacy systems that utilize many different protocols. This section is about some of the non-TCP/IP protocols that Windows 2000 supports, which you’ll encounter in your Windows 2000 deployment, and how to include them in your design plans.
Critical Information
If you haven’t already, you’re bound to encounter some Novell NetWare servers in your administrative career. NetWare is a stable, well-behaved Network Operating System (NOS) that has a large foothold in the industry. Legacy NetWare networks running the Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocol will have an impact on your Windows 2000 rollout, as will Macintosh computers running AppleTalk and Unix computers, even though they run TCP/IP. Finally, there’s the issue of mainframe connectivity (both IBM mainframe and AS/400) using Microsoft’s host integration software.
NetWare Systems
Today, many legacy NetWare 3.11 and 3.12 servers are still running in corporations all over the world, and there’s a good deal of NetWare 4.x and now 5.x as well. NetWare servers are highly reliable, though from an applications standpoint, some may argue that they lack the functionality that Windows NT and Windows 2000 servers provide. There are two types of NetWare installations: the older Bindery mode and the newer NetWare Directory Services (NDS) system. You’ll find NDS running on NetWare 4.x and 5.x systems, while Bindery mode systems will center around NetWare 3.x and some 4.x systems.

Early installations of NetWare used a protocol called Internetworking Packet Exchange (IPX). Later renditions of NetWare were TCP/IP-compliant. Microsoft wrote an IPX protocol implementation called NWLink in order to provide connectivity with NetWare servers running the IPX protocol. In the Windows NT environment, three installable services were introduced to help the two server platforms communicate. These services were brought forward into the Windows 2000 platform:

Gateway Service for NetWare (GSNW)
This service, introduced in the Windows NT 3.51 era, is very powerful. It has continued through Windows NT 4 to Windows 2000. It works about the same as it did in the 3.51 days.

Client Services for NetWare (CSNW)
This is the client component that Windows 2000 Professional computers can install in order to act as a NetWare client.

File and Print Services for NetWare (FPNW)
This is an optional purchase for Windows 2000 computers that provides the computer with the ability to provide NetWare file and print services to Windows clients.

All three of the services require that the NWLink protocol be installed on the computer they’re running on. If NWLink isn’t installed at the time the service is installed, Windows 2000 goes ahead and installs it with the service.
Macintosh Systems
In every company, it seems that at least a handful of people require Macintosh computers. These people are typically in the graphic arts areas of the company, such as Marketing departments or Publishing areas; Macs are fine computers for work such as this.

Macintosh computers are designed, out of the box, to work on a network, but the network they were originally designed for is a proprietary one called a LocalTalk network. Macintoshes natively use the AppleTalk protocol when connected to a LocalTalk network. In the last few years, Macintosh experts have modified and improved this design, so today we also have the TokenTalk and EtherTalk topologies in addition to LocalTalk. Macintoshes can use TCP/IP and do so more frequently these days. They burrow their Apple stuff (the files that they’re sharing) in the AppleTalk Control Protocol (ATCP) over TCP/IP. In essence, they’re tunneling the Macintosh data inside TCP/IP frames.

Now, it’s possible for you to run Windows 2000 on a native LocalTalk network. (Windows 2000 is supported over not only LocalTalk, but Token Ring, FDDI, and ATM as well.) However, you probably wouldn’t want to do this. Instead, you should find a way for the Macintosh users to work their way out to the network and thence to a file server. This is done with an Ethernet adapter for the Macintosh computer. Macs plug into a switch or hub in a switch closet (IDF/MDF), just like any other computer on the network.

But how will you support your Mac users when they begin looking for a file server to store their files on? Your Windows 2000 computers won’t recognize Macintosh computers until you prepare them to do so. It’s easy to install the Services for Macintosh (SFM), which installs the AppleTalk protocol if it’s not already on the system; do this through the Network and Dial-Up Connections window.

Macintosh User Authentication Methods
If you’ve installed the Windows NT 4 SFM, you’ve probably wondered what the UAM volume was after you rebooted the machine and began checking out what was new as a result of the installation. UAM stands for User Authentication Module. Installing File Services for Macintosh automatically creates a UAM volume that’s available to Macintosh users. When a Macintosh user logs on, he opens the Chooser, clicks the AppleShare icon, and selects the zone that you configured previously. Macintosh users can log on as one of the following three different users:

Guest
“Guest” allows basic users without proper credentials to log on.

Macintosh Authentication
The user types in a valid username and password, which are both passed across the wire as clear text.

Microsoft UAM Authentication
Windows 2000 provides a more secure authentication method for Macintosh users through its UAM. If a Macintosh client is running the AppleShare Client 3.8 or greater or the MacOS version is 8.5 or greater, the new Microsoft UAM version 5 is used. If the Mac user’s software doesn’t fit these criteria, the older Microsoft UAM version, version 1, is used; both UAM versions are included with Windows 2000. Macintosh users will have to open the Microsoft UAM Installer to install the UAM software for this purpose.

Installing File Services for Macintosh is a different operation than installing the AppleTalk protocol, but it’s still quite easy. Open Control Panel, and double-click the Add/Remove Programs applet. Click the Add/Remove Windows Components button on the left side of the screen. Click the Other Network File and Print Services item, then click the Details button. In the next window, shown in Figure 3.7, check File Services for Macintosh, and click OK.

Figure 3.7: Adding File Services for Macintosh

You will no longer use the File Manager or Explorer to view or modify File Services for Macintosh; instead, you use a new Windows 2000 program called Computer Management. It’s easy to get to: Start > Programs > Administrative Tools > Computer Management. Highlight the Shares node, and you’ll see the Microsoft UAM volume shown in the Details pane.
Unix Systems
Fortunately, Unix computers have used TCP/IP for years. So, as long as you have TCP/IP configured as your main Windows 2000 protocol (hopefully your only Windows 2000 protocol), Unix machines can participate in several aspects of your network.

Printing
Unix computers can print to Windows 2000 printers quite easily. It’s a two-part process. First, you install Print Services for Unix, through Control Panel > Add/Remove Programs. Then you configure a printer that’s on your network with an additional port, a line printer (LPR) port. When Unix computers send a print job to a computer, they contact a line printer port. When they’re set up to receive a print job, they use the Line Printer Daemon (LPD). To create an LPR port, click Start > Settings > Printers. Double-click the Add Printer icon to call up a Wizard. The Add Printer Wizard allows you to define the printer as Local or Network and to select an LPR port and IP address.

File Sharing
Unix users sometimes need to pull files off of Windows servers and vice versa. As was said earlier, Windows computers use Server Message Blocks (SMBs), a Microsoft message format used to share files and folders, to talk to servers, but Unix computers use the Network File System (NFS) method of posting files to computers. So, you need a translation method that allows you to put your files on the other type of computer. Fortunately, lots of third-party work has been done along this line. Samba, an SMB client software program available at samba.anu.edu.au/samba, is available for Unix computers that need to mount Samba volumes for NT (and Windows 2000) computers. Other companies, such as Hummingbird, manufacture NFS software for Windows servers in order to mount an NFS volume that Unix users can post their files to.

Telnet
One of the missing components in Windows environments is a robust Telnet server service. While this service isn’t started automatically in Windows 2000, it is installed and allows you to open a secure Telnet session on Windows 2000 computers. After starting the Telnet service, simply open a command prompt and type Telnet computer_name to connect to the Windows 2000 computer with which you’d like to open a Telnet session.
Remote Execute
Windows 2000 lacks an important Unix tool: Remote Execute. But you can obtain a Remote Execute executable (REXEC) from the Windows 2000 Server Resource Kit, thus rounding out your Unix toolbag.

Remote Access Services
The Internet browser has revolutionized remote access services (RAS) for Unix users. Now they can RAS into Windows servers, open a browser, and grab their Exchange server e-mail. As long as a browser is available and the applications that Unix users need to run on Windows servers are Web-enabled, there is no longer a cross-platform issue.

Perhaps the most important job that an administrator in a platform-disparate shop faces is the interaction between Unix servers and Windows servers. Fortunately, third-party vendors and the advent of Windows 2000 have made this cross-platform work much easier.
TIP Microsoft has done a lot of work developing services that can allow Unix and Windows NT/2000 computers to interoperate with one another. See www.microsoft.com/sfu for more detail on Microsoft Services for Unix (SFU).
What About SNA Support?
If you don’t know what SNA Server does, then you’re likely not working for a company that needs to use it. The Systems Network Architecture (SNA) protocol, invented by IBM in the early 1970s, was used to connect Multiple Virtual Session (MVS) mainframe processors; since then, the protocol has been ported to AS/400 and OS/2 servers. While some mainframes have converted to the mainframe version of TCP/IP (IBM 3270-E), lots of companies are still running native SNA. Since it’s important to be able to fetch data from these servers using SNA, there had to be some sort of methodology for this. Microsoft’s implementation of SNA Server has been around for years. Microsoft has been working feverishly in the background to prepare a brand new SNA Server that is both Windows 2000- and Windows NT 4-compliant. This brand new version of SNA Server, now called Host Integration Server 2000, is ready for prime time. Visit Microsoft’s SNA Server Web site at www.microsoft.com/sna.
Third-Party Protocols
Dozens and dozens of protocols have been written by software developers so that computers, devices, programs, and people can communicate. Most of the protocols are highly proprietary and never see the standardization light of day. Nevertheless, if you’re running a program that requires a strange protocol—one that’s not in the usual administrator dialog—you need it to make your application run correctly. One such protocol that comes to mind is the one that used to run on Banyan Vines servers, the VINES protocol. Microsoft doesn’t provide native support for this in Windows 2000, so if you have to integrate your Windows 2000 servers with VINES, you have to try going to Banyan to see if you can get some support for the protocol there.

The long and short of non-standardized protocols that are somewhat proprietary or specialized is this: Microsoft is depending on the vendor of that protocol to supply updates to Windows 2000. Expect native support for TCP/IP, IPX, and AppleTalk; don’t expect support for exotic protocols that aren’t much in use.
Exam Essentials
Be able to understand and design deployments around multi-protocol installations. Understand when you’re in a multi-protocol environment that’s going to take some special attention when designing and implementing a Windows 2000 rollout.
Key Terms and Concepts

AppleShare
A communication protocol for Apple computers that allows Apple clients to communicate with servers, including Windows 2000 servers, on a network.

AppleTalk
The networking protocol built into every Macintosh computer.

AppleTalk Control Protocol (ATCP)
Used over PPP connections to move AppleTalk packets.

AppleTalk zones
A grouping of Macintosh computers, similar to a Windows workgroup. You can seed a zone with the number of network numbers you want in the range times the maximum number of nodes (253) per network address. (If you have fewer than 253 Macintoshes, you can seed the zone with 1 network number times the 253 maximum nodes.) Windows 2000 servers equipped with AppleTalk have the ability to seed a Macintosh zone.

Chooser
A Macintosh service through which users select and connect to networks and devices, such as drives, shares, and printers.

EtherTalk
A medium that the AppleTalk protocol can use to communicate over Ethernet networks.

host
A computer on a network, whether a server or workstation. The term could loosely extend to printers, routers, or other devices—anything with an IP address—but is typically confined to computers.

Host Integration Server 2000
The new term for Microsoft SNA Server.

Internetworking Packet Exchange (IPX)
A networking protocol once used heavily by Novell NetWare servers and clients. IPX uses datagrams for connectionless communications.

LocalTalk
The cabling scheme used to connect Macintosh computer systems in a network.

Microsoft Directory Synchronization Services (MSDSS)
A service that provides administrators with a way to synchronize Novell NetWare NDS directories or binderies with the Windows 2000 Active Directory.

Network File System (NFS)
An open design for Unix systems that allows all users of a network to access files on a server, regardless of their platform.
Samba
The brand name of a software product that uses Server Message Blocks (SMB) to allow Windows computers to share files and directories with Unix computers. If you wanted to share files and directories from a Unix computer, you’d mount an NFS volume. If you wanted to share Windows files and directories with Unix clients, you’d use Samba.

seed
Typically used with Macintosh zones, the concept is that you broadcast out network addresses for Macintosh computers to use. The process is called “seeding a zone.” You use Windows 2000 routers configured with AppleTalk to seed Macintosh zones.

Service Advertisement Protocol (SAP)
A NetWare protocol used to identify services and the addresses of NetWare servers attached to the network. This protocol is supported by Windows 2000 and used in conjunction with its NetWare compatibility.

Systems Network Architecture (SNA)
Developed by IBM in 1974 as a network protocol that could be used with IBM mainframes. SNA was enhanced so that it could also be used to connect peer-to-peer networks. Today’s client/server work with SNA typically involves retrieving database data from mainframe systems in order to be processed by network servers.

Telnet
A terminal emulation program for TCP/IP that allows you to connect to a server and execute commands on it as though you were actually sitting at its console.

TokenTalk
An AppleTalk media type for use with Token Ring networks.

User Authentication Module (UAM)
A built-in Macintosh module that allows Macintosh computers to log on to servers. Microsoft provides its own UAM for Macintosh clients.
Chapter 3
Designing a Windows 2000 Network Infrastructure
159
Sample Questions

1. You have several Macintoshes that need to access your Windows 2000 file server. What is the most secure authentication method they can use once you get everything set up?
A. Guest
B. MS-CHAP
C. AppleTalk Authentication
D. User Authentication Method

Answer: D. Microsoft’s User Authentication Method (UAM) is the most secure method of authenticating in the Windows 2000 system.

2. You have several legacy NetWare servers that are running file and print services. You’ve set up a new Windows 2000 network, and users are now logging on to it. What feature can you use that will allow your users to see the NetWare services? Select the best answer.
A. Client Service for NetWare
B. Gateway Service for NetWare
C. File and Print Service for NetWare
D. Latest client downloaded from the Novell site

Answer: C. Options A and D will get the job done, but you would have to visit each of your client PCs and set up the CSNW (provided they’re running Windows 2000 Pro) or the latest NetWare client; lots of work involved there. GSNW only supports one NetWare pipe, so you can’t have multiple NetWare servers involved (unless, of course, you have multiple installations of GSNW). GSNW can be throughput-intensive with multiple users. The best answer is C, FPNW.

3. What are some of the non-TCP/IP protocols that Windows 2000 supports?
A. VINES protocol
B. IPX/SPX
C. AppleTalk
D. DLC
160 MCSE: Windows 2000 Network Infrastructure Design Exam Notes
Answer: B, C, D. VINES isn’t supported, but the other protocols are. The IPX/SPX protocol is called NWLink in the Microsoft world. The Data Link Control (DLC) protocol has a couple of different uses, but is used by Windows 2000 to talk to printers.

4. You have a need to provide interconnectivity to an IBM AS/400 computer in your network. The computer is not equipped with TCP/IP. What product will you need to do this?
A. 5250 emulation software
B. 3270 emulation software
C. SNA Server software
D. AS/400 Interchange protocol

Answer: C. Microsoft SNA Server, now called Host Integration Server (HIS), can talk to mainframes or AS/400 computers using the SNA protocol.

5. You have a slow WAN link that separates two DNS servers. What can you do to speed up DNS requests coming from one side of the slow circuit?
A. Set up one side to have read-only DNS databases.
B. Make one side authoritative for its side of the network and the other side authoritative for its side.
C. Make one DNS server a caching-only server.
D. Set up both servers with round-robin lookups.

Answer: C. Windows 2000 DNS provides you with the ability to make a server on a slow wire a caching-only server. Caching-only servers do not hold any zones of their own but forward requests to DNS servers that have valid zones.
Design a Distributed file system (Dfs) strategy.
Design the placement of a Dfs root. Design a Dfs root replica strategy.
Distributed file system (Dfs) is a service that came out late in the Windows NT 4 world as a standalone download and installation. It has now been integrated completely into Windows 2000 and will undoubtedly provide much help to administrators trying to provide a one-stop shopping environment for users looking for directories and files.
Critical Information
The following section discusses Dfs, its implementation, and the strategies behind it.
Designing the Placement of a Dfs Root
Dfs is a very straightforward feature to implement in your site, and it’s going to make your life much easier in terms of having to manage loads of disparate shares. You personally (and your co-admins) will still have to know the physical location of the various files, the sharenames, and how the permissions are set up. But when you point to these shares in Dfs, users think that the server to which they’re pointing is the one that’s doling the files out to them. This means that you can move the files to a different share and not affect the user. You can replicate the files to another share so that you have a backup for load balancing; you can take the sharepoint offline while you work on it (moving the share to a different location); and you can manage files much more effectively. Your “midnight maintenance window” won’t have to always be at midnight anymore, because you won’t be disrupting user access when working on a server hosting some shares.
Creating the Root
The first thing you do when you set up Dfs is create a new Dfs root. The Dfs root is nothing more than a starting point for the share you’re going to point to, called a link. Let me run you verbally through this so you can get a picture of what you’ll do when you go to a server to try to set this up. The first thing you need to know is that Dfs is automatically installed with Windows 2000 Server (all three levels—Server, Advanced, and Datacenter), and it’s ready for you to start setting things up. First, you click Start ➢ Programs ➢ Administrative Tools ➢ Distributed File System; the Dfs MMC comes up. Right-click the Distributed File System icon and select New Dfs Root (or optionally click Action ➢ New Dfs Root…). You’ll be presented with a New Dfs Root Wizard that you can run through. At this point you must decide whether you want a standalone root or a domain root. A standalone root is put on the computer that you specify; a domain root is put into Active Directory and is automatically replicated to all domain controllers participating in AD. Standalone roots do not participate in AD replication, but there are some other load balancing methods you can employ, which I’ll talk about in a second. For a standalone root, you next browse to the server where you’re going to place the root; this server must be Windows 2000 or above. You’re only allowed one root (of either kind) per server. The next step is either to select an existing share that you want to have act as the root or to specify a new share. If you specify a new share and the folder has not yet been created, Windows 2000 will create the folder for you. Creating a domain root is very similar. You again right-click the Distributed File System icon and select New Dfs Root…, but this time you select the domain root button. Next, select the domain that will host this root. If there are more domains than yours, all trusting domains will be shown so you can select the one you want to host the root.
The rest of the steps are exactly the same as the standalone root steps.
Creating Links
At first you might think that the one-root limit is a pretty severe restriction. But within that one root, you can have many pointers to shares on the network. The supposition is that you already have directories out there that you’re going to want to link this new Dfs root to. Suppose, for example, that you have a group of accountants who have shares spread out all over the network and that you want to link into one Dfs root. You create the root on a Windows 2000 server. (You’ll probably opt to create it as a domain root so it’s privy to AD replication and is site aware and fault tolerant.) Now you want to link up those shares so that when users map to \\Computer_Name\ShareName, they see the share they used to see by mapping to a completely different server. Look at Table 3.3 for an example of how you might opt to leverage a Dfs root and many links.

TABLE 3.3: An Example of How Dfs Maps to Corporate Shares

UNC Name                       Maps To               Description
\\CorpServer\Corp              \\CorpServer\Corp     This is the Dfs root.
\\CorpServer\Corp\Intranet     \\WebServ\WWWroot     This mapping points users to the intranet home drive.
\\CorpServer\Corp\Financials   \\OracleNT\Finance    Finance team can use this share.
\\CorpServer\Corp\ArtWork      \\Marketing\ArtWork   Drawings created by the marketing team are kept here.
\\CorpServer\Corp\IT           \\ITServ\Files        This provides mapping to the NT Admins’ important stuff.
Once you’ve created a root, simply right-click it and select New Dfs Link from the resulting menu. Enter a meaningful name for the link (remembering that this is going to show up as a folder name the user will see when mapping to the Dfs root). Next, browse out and select the share you’d like to point to and key in an optional comment. Note that the client cache timeout defaults to 1,800 seconds (30 minutes); you may want to toy with this number. It reflects how long the client caches the list of servers involved in the link. Generally, if a share has files going in and out of it very often—this is one busy share—then you’ll want to shorten the cache so the user is made aware of any new changes. But if you have a relatively static share that seldom changes, say for document templates, then you could increase the cache time to keep client refresh activity to a minimum. Note that if you opt to select a link that’s not on a Windows 2000 NTFS server, the link will not be subject to automatic replication. Only those links that are on Windows 2000 NTFS servers will be replicated. The current maximum number of links per root that can be created is 1,000.

Setting Up Replicas
Replicas provide a way for you to duplicate your Dfs shared data across different servers, for redundancy and fault tolerance. Below, I discuss two methods of leveraging replicas and one method of interlinking with other Dfs shares.

Suppose that you want to set up a second root on a different server that you’ll use to point to exactly the same links as your original root. In other words, you’ll be configuring some redundancy into the system so that if a server that’s hosting an important root goes down, you have another to fall back on. Note that users would have to map to the new servername, but the sharename would be the same. This second root is called a root replica. You create one by right-clicking the newly created primary root and then selecting New Root Replica from the resulting menu. When you’re done creating a root replica, right-click the root again and select Replication Policy in order to adjust the replication settings. Keep in mind that replication only works for domain Dfs roots (Active Directory–integrated roots), using FRS (File Replication Service) as the replication transport mechanism.

Another feature of Dfs is the notion of a link replica. Suppose that you want to load-balance a heavily hit share. You can set up a duplicate folder and files on a separate server (even in a different site) and then create a link replica to that folder. You do this by right-clicking the link you want to duplicate and then selecting New Replica from the resulting menu. If both folders are on Windows 2000 Server NTFS partitions, automatic replication will keep the folders identical to one another.

An interesting alternative to the conventional Dfs methodologies we’ve talked about so far is the idea of inter-Dfs linking. In this scenario, you first set up your root and Dfs link on one server. Then, you go to another server and set up a root and link, but the link points to the first server’s Dfs link. You’ve created a share pointing to a share pointing to a share. This might be a good methodology for getting at files that are hosted by a different entity within a corporation, but which are needed by a user group that you support.
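To make the root, link, link replica and client cache timeout concrete, here is an added Python model (not code from this book or from Microsoft) that builds the namespace of Table 3.3 and resolves user paths against it. The replica server name, the set of unreachable servers and the per-client referral cache are constructed assumptions; the 1,000-link limit and the 1,800-second default come from the text above.

```python
"""Model of Dfs referral resolution (added example; not Microsoft's Dfs code).

Assumptions not taken from the book: link names compare case-insensitively
like UNC paths, replicas are tried in the order they were added, and the
client keeps one cached referral per link.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_LINKS_PER_ROOT = 1000      # limit the book states
DEFAULT_CACHE_TIMEOUT = 1800   # seconds; the book's 30-minute default


def host_of(unc: str) -> str:
    """Server component of a UNC path, lower-cased: \\\\Srv\\Share -> 'srv'."""
    return unc.lstrip("\\").split("\\", 1)[0].lower()


@dataclass
class DfsLink:
    name: str                  # folder name the user sees under the root
    targets: List[str]         # link target first, then any link replicas
    cache_timeout: int = DEFAULT_CACHE_TIMEOUT


@dataclass
class DfsRoot:
    server: str
    share: str
    links: Dict[str, DfsLink] = field(default_factory=dict)
    offline: Set[str] = field(default_factory=set)     # constructed outage state
    # client-side referral cache: link name -> (target chosen, expiry time)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    @property
    def unc(self) -> str:
        return "\\\\%s\\%s" % (self.server, self.share)

    def add_link(self, name: str, target: str,
                 cache_timeout: int = DEFAULT_CACHE_TIMEOUT) -> None:
        if len(self.links) >= MAX_LINKS_PER_ROOT:
            raise ValueError("a root holds at most 1,000 links")
        if name.lower() in self.links:
            raise ValueError("link %r already exists" % name)
        self.links[name.lower()] = DfsLink(name, [target], cache_timeout)

    def add_replica(self, name: str, target: str) -> None:
        """Link replica: a second copy of the same folder on another server."""
        self.links[name.lower()].targets.append(target)

    def retarget(self, name: str, target: str) -> None:
        """Admin moves the files to a different share; users keep the same path."""
        self.links[name.lower()].targets = [target]

    def pick_target(self, link: DfsLink) -> Optional[str]:
        """First reachable target wins; a replica covers an outage."""
        for target in link.targets:
            if host_of(target) not in self.offline:
                return target
        return None

    def resolve(self, unc_path: str, now: float) -> Optional[str]:
        """Translate \\\\root\\share\\link\\rest into the physical UNC path at time now."""
        prefix = self.unc.lower() + "\\"
        if not unc_path.lower().startswith(prefix):
            return None                                  # not under this root
        link_name, _, rest = unc_path[len(prefix):].partition("\\")
        link = self.links.get(link_name.lower())
        if link is None:
            return None
        key = link.name.lower()
        cached = self.cache.get(key)
        if cached and cached[1] > now and host_of(cached[0]) not in self.offline:
            target = cached[0]      # referral still valid: client does not ask again
        else:
            target = self.pick_target(link)
            if target is None:
                return None                              # every replica is down
            self.cache[key] = (target, now + link.cache_timeout)
        return target + ("\\" + rest if rest else "")


def table_3_3_root() -> DfsRoot:
    """The namespace from Table 3.3, built as constructed sample data."""
    root = DfsRoot("CorpServer", "Corp")
    root.add_link("Intranet", "\\\\WebServ\\WWWroot")
    root.add_link("Financials", "\\\\OracleNT\\Finance")
    root.add_link("ArtWork", "\\\\Marketing\\ArtWork")
    root.add_link("IT", "\\\\ITServ\\Files")
    return root


if __name__ == "__main__":
    root = table_3_3_root()
    print(root.resolve("\\\\CorpServer\\Corp\\Intranet\\index.htm", now=0))
    root.retarget("Intranet", "\\\\WebServ2\\WWWroot")      # files moved (assumed server)
    print(root.resolve("\\\\CorpServer\\Corp\\Intranet\\index.htm", now=600))   # still cached
    print(root.resolve("\\\\CorpServer\\Corp\\Intranet\\index.htm", now=1801))  # cache expired
    root.add_replica("Financials", "\\\\FinanceB\\Finance")   # assumed replica server
    root.offline.add("oraclent")            # primary target goes down
    print(root.resolve("\\\\CorpServer\\Corp\\Financials\\q1.xls", now=0))
```

Running it shows the moved Intranet share staying invisible to a client for the full 1,800-second cache, which is the trade-off the text describes between busy and static shares.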
Designing a Dfs Root Replica Strategy
Replication of the Dfs objects takes several forms and depends on whether we’re talking about the root or a replica (shared folder) under the root. You can replicate both, but some rules are applied to each before you can ensure that replication can take place. I’ll talk first about replicating the Dfs root, then the replicas associated with a root.

Replicating the Root
We already know that domain roots can be replicated throughout the Active Directory and consequently be made available to all users on the network. None of this requires configuration by an administrator; it is automatic. Standalone roots are replicated by setting up a second root on a different Windows 2000 server running NTFS; then, using the Replication Policy window of the Distributed File System MMC, you set up replication between the two. Note that the requirements for this kind of replication are that both roots reside on an NTFS partition of a Windows 2000 server. You can set up both from the same MMC console. When you’re done setting up the roots, right-click the first one and select Replication Policy to set up the replication. The root that contains the information to be replicated to the other root is called the initial master.
There is a Windows 2000 service, hidden from both users and, interestingly, administrators, called the File Replication Service (FRS). This service handles the job of replicating roots and links. The FRS service is purposely made difficult to view. However, you can view FRS settings by going to Active Directory Users and Computers ➢ View ➢ Advanced Features. Expand System, then File Replication Service, and finally expand Dfs Volumes. This object will not be created or populated until you’ve set up replication between standalone roots.

Replicating the Links
Replicating the links you set up beneath a root works about the same as replicating a root, except that you can adjust the replication policy as you’re setting up the replicated link. The link that receives the contents of the original link is called a link replica. To create a link replica, go into the Distributed File System MMC console, highlight the link you’d like to replicate, right-click, and select New Replica... from the shortcut menu. Note that you immediately configure the replication for link replicas as you’re creating them. You have one of two choices: manual or automatic replication. This replication uses the same FRS as root replication, and the 15-minute period between replications stays the same. Sharepoint volumes that get a lot of use—in other words, that are heavily written to—present unusual problems with Dfs. FRS uses an algorithm called Last Writer Wins to manage volumes. This means that the last person to write to a file is the “winner” in the sense that their version is replicated and displayed to others. In heavily write-intensive volumes, this could be a big problem. The workaround for this is to use one volume that’s read-only, then replicate to it. While users only have one volume they can write to, you can provide fault tolerance to this volume anyway. First server has a problem? Make the second volume writable and users are on their way, giving you time to fix the first one.
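The data-loss side of Last Writer Wins is easier to see in a small simulation than in prose, so here is an added Python example (not Microsoft's FRS code and not from this book) of two link replicas receiving conflicting writes inside one 15-minute replication interval, followed by the read-only workaround the text recommends. Server names, file names and write times are constructed; the winner-by-newest-write rule and the 900-second period are as the text describes.

```python
"""Simulation of FRS "Last Writer Wins" on two Dfs link replicas (added example;
not Microsoft's FRS code).

Assumptions: each replica holds file -> (content, write time), one replication
pass runs every 15 minutes (900 s) as the book states, and on conflict the
newer write time wins on both replicas.
"""
from typing import Dict, List, Tuple

REPLICATION_PERIOD = 900          # seconds between FRS passes, per the book


class Replica:
    """One copy of a Dfs link's folder on one server."""

    def __init__(self, server: str, read_only: bool = False) -> None:
        self.server = server
        self.read_only = read_only
        self.files: Dict[str, Tuple[str, float]] = {}

    def write(self, path: str, content: str, t: float) -> None:
        if self.read_only:
            raise PermissionError("%s is read-only; write to the master" % self.server)
        self.files[path] = (content, t)


def frs_pass(a: Replica, b: Replica) -> List[Tuple[str, str, str]]:
    """One replication pass between two replicas.

    Returns the writes that were overwritten as (server, path, lost content).
    Nothing in the protocol tells the user whose version lost.
    """
    lost = []
    for path in sorted(set(a.files) | set(b.files)):
        fa, fb = a.files.get(path), b.files.get(path)
        if fa is None:
            a.files[path] = fb                 # new file: just copy it over
        elif fb is None:
            b.files[path] = fa
        elif fa[1] > fb[1]:                    # a's write is newer: it wins on both
            lost.append((b.server, path, fb[0]))
            b.files[path] = fa
        elif fb[1] > fa[1]:
            lost.append((a.server, path, fa[0]))
            a.files[path] = fb
    return lost


def two_writable_replicas() -> List[Tuple[str, str, str]]:
    """Both copies writable: two users edit budget.xls within one 15-minute window."""
    a, b = Replica("FileSrvA"), Replica("FileSrvB")       # constructed server names
    a.write("budget.xls", "Q1 numbers from accounting", t=100)
    b.write("budget.xls", "Q1 numbers with marketing edits", t=700)
    return frs_pass(a, b)        # at t=900 accounting's version is silently replaced


def read_only_replica() -> Tuple[List[Tuple[str, str, str]], bool, str]:
    """The book's workaround: one writable master, one read-only copy for fault tolerance."""
    master = Replica("FileSrvA")
    standby = Replica("FileSrvB", read_only=True)
    master.write("budget.xls", "Q1 numbers from accounting", t=100)
    try:
        standby.write("budget.xls", "Q1 numbers with marketing edits", t=700)
        blocked = False
    except PermissionError:
        blocked = True             # second writer is refused instead of winning later
    lost = frs_pass(master, standby)          # only copies master -> standby
    # Master fails: make the standby writable so users can keep working.
    standby.read_only = False
    standby.write("budget.xls", "Q1 numbers, edited on standby", t=2000)
    return lost, blocked, standby.files["budget.xls"][0]


if __name__ == "__main__":
    print("writable/writable, overwritten:", two_writable_replicas())
    print("master/read-only:", read_only_replica())
```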
TIP: See the Dfs white paper on the Microsoft Web site for more detail about Last Writer Wins.
Not all enterprise tape backup software is Dfs-aware. It’s advisable to ask the vendor of your backup software whether it can see Dfs trees. My guess would be that any tape backup software that’s Windows 2000–compliant will work just fine with Dfs, but why rely on a guess? Check with the vendor before you set up Dfs and find you can’t back up the tree. Keep in mind that even if you can’t back up a Dfs tree, you really haven’t lost anything other than simplicity, because you can still back up the actual folders where the sharepoints reside.
Exam Essentials
Be able to understand and design the placement of a Dfs root. Know the difference between a standalone and a domain-based root. Know how to design and place these various roots accordingly.
Come up with a strategy for designing a Dfs root replica. Be able to develop a solid Dfs root replica design.
Key Terms and Concepts
Dfs Root  The root container that contains the links to shares and files in a Dfs system.
domain root  The topmost part of an organization’s hierarchy. MyCompany.com might be the domain root, while Sales.MyCompany.com and Accounting.MyCompany.com would be child domains subordinate to the root domain.
initial master  The File Replication Service server that is initially responsible for replicating files and folders to other servers.
link  In Dfs, a connector from the Dfs system to a directory or share.
link replica  A copy of a Dfs link on a different computer. The idea is to create redundancy within the Dfs system, either to increase the fault tolerance of the share or for the ability to take down a share for maintenance.
root replica  Dfs term used to denote a root Dfs volume that has been replicated by AD to another Windows 2000 domain controller (DC).
standalone root  A Dfs root that isn’t using Active Directory as its replication methodology.
Sample Questions

1. What service is responsible for the replication of Dfs information?
A. Dfs-Configuration
B. AdminSDHolder
C. WinSockServices
D. File Replication Service

Answer: D. The File Replication Service (FRS) is used for replicating the AD SYSVOL as well as Dfs information. You can view FRS properties by viewing the Advanced System menu of Active Directory Users and Computers.

2. How can you set up two locations for the same Dfs?
A. Create a link replica
B. Create a root replica
C. Create an interlink
D. Set up replication between links
Answer: A. Link replicas are redundant locations for the same share data. In other words, you have a share on server A that contains some files and a share on server B that contains the same files. You can set up a link replica in Dfs that points to the second sharepoint and use this as a redundancy and load-balancing link. Keep in mind that this technique is generally best when the data doesn’t change. There are set rules within Dfs (see the Dfs white paper on the Microsoft Web site for more detail) that determine what gets written over. Best option is not to put frequently written-to data on Dfs link replicas.

3. You’ve got two domain controllers hosting a single fault-tolerant Dfs root. You’ve made a change to the Dfs root on one of the domain controllers, but you don’t see the change you made on the other. What could be the problem?
A. Replication hasn’t occurred yet.
B. You have not yet enabled replication.
C. The domain controllers are in separate domains.
D. You cannot have Dfs roots on more than one domain controller.

Answer: A, B. You can indeed replicate Dfs fault-tolerant root information across AD from one domain controller to another. You could have one of two problems: you have not enabled replication yet, or, more probably, you have not waited long enough for replication to take place. On average, you can expect to see replication happen within five minutes on domain controllers in the same site. With domain controllers in different sites, you can expect to see the replication changes show up in an average of 15 minutes.

4. In order to facilitate replication of a Dfs root across two domain controllers, what are the requirements that you must meet?
A. Must be on an NTFS 5 partition
B. Can be on a FAT, FAT32, NTFS 4, or NTFS 5 partition
C. Can be on a Windows 2000 Professional computer
D. Can be on a Windows 2000 domain controller
E. Can be on a Windows 2000 Member Server
F. Can be put on Windows NT 4 Servers
G. Can be put on Windows NT 4 Workstations

Answer: A, D, E. In order to facilitate fault-tolerant Dfs roots, you need to put the roots on an NTFS 5 partition, and the roots can only be on Windows 2000 domain controllers or member servers.

5. Name the operating systems that can connect to Dfs fault-tolerant roots.
A. Windows 3.x
B. Windows 9.x
C. Windows NT 3.51
D. Windows NT 4
E. Windows 2000

Answer: E. Only Windows 2000 computers can connect to Dfs fault-tolerant roots (roots that are formulated on more than one Windows 2000 computer and that participate in replication between one another).
Chapter 4
Designing for Internet Connectivity

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server. (pages 172 – 185)
Design a load-balancing strategy. (pages 185 – 190)

Windows 2000 was designed to have the capacity to be different things for different people. Probably one of its biggest new uses will be that of Internet, extranet, and RRAS connectivity. This chapter is dedicated to the concepts of designing for Internet connectivity and of load balancing your mission-critical servers to meet your particular needs.
Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.
The first step in designing an Internet or extranet solution is to determine which components should be involved. Components to consider include proxy servers, firewalls, RRAS connectivity, NAT, connection sharing, and Web and e-mail servers.
Critical Information
Part of the 70-221 test revolves around Microsoft Proxy Server, so we begin our discussions with it.
Chapter 4
Designing for Internet Connectivity
173
Designing a Proxy Server Implementation
Microsoft Proxy Server 2 is not included with Windows 2000. It is a separate add-on product that you’ll need to buy, but its importance in large networks that connect to the Internet is very high, making the money spent on the purchase well worth it. What does Proxy Server do? Proxy Server allows you to connect your private network to the Internet. The Proxy Server acts as an Internet go-between for your users; when a network user with an internal IP address points his browser to an Internet site, Proxy Server goes to the URL, grabs the page, and fetches it back to the user. Proxy Server has two network interfaces: one that points to your ISP (which we’ll call the “public network”) and one that points to your private network. So, Proxy Server is acting as a big, grown-up Network Address Translation (NAT). You can restrict who’s allowed onto the Internet on a user-by-user or resource-by-resource basis. But it’s more than that. Proxy Server allows you to ban certain incoming protocols. For example, if you want to avoid ICMP (PING) attacks, you can set up Proxy Server so that it filters any outside PING requests on your server. You can also add third-party software in the form of what are called custom filters, also known as Internet Service API (ISAPI) filters, which allow you to control which users are allowed out onto the Internet and what kind of content they’ll be allowed to surf. With the custom filters, you can turn off the ability to browse sex, gambling, sports, illegal activities, hate speech, and other kinds of sites using these products. Proxy Server works well with third-party hardware firewalls, such as Cisco PIX, and with software firewalls such as Axent’s Raptor firewall. Proxy Server 2 is fully Windows 2000–compliant and can be used in conjunction with the new Microsoft IP Security protocol (IPSec), demand dialing, VPNs, and Active Directory user authentication.
Proxy Server supports a few proxy protocols: Web Proxy, Winsock, and SOCKS.
One of Proxy Server’s biggest features is that it caches Web page requests so that, over slow ISP connections, the Web appears much faster than it actually is. You can configure the cache to your liking. You can also configure and deploy a Proxy Server client component for users, allowing you finer control in categorizing users. Moreover, you can use the Internet Explorer Administration Kit (IEAK) to customize and deploy a Proxy Server Active Server Page (ASP) that provides users with the settings they need to access the Internet through the Proxy Server. Finally, Proxy Server has a unique capability that enables it to be set up in a proxy array, a group of proxy servers that collectively forward their requests to a main proxy server that interfaces with the Internet. If your network has several geographically separated sites but only one ISP connection, you can set up a proxy server at each site (for URL caching), which in turn talks to the main proxy server that has the linkage with the Internet. You need to consider the following items when designing a Microsoft Proxy Server implementation:
Correct sizing of proxy server(s).
Whether the proxy server will be in the Demilitarized Zone (DMZ—known in Microsoft land as a “screened subnet”) or on the edge of the network.
What type of firewall the proxy server will interface with and any integration constraints you might face.
WAN circuitry and its characteristics.
Who will be allowed to use Proxy Server, and who will not.
Whether you’ll integrate third-party software with Proxy Server for more robust Web monitoring and reporting capabilities (highly recommended). NetIQ, for example, has a Proxy Server monitoring plug-in that works with Windows 2000 and IIS 5. See www.microsoft.com/proxy for more third-party vendors of snap-ins to Proxy Server.
Designing Firewalls
A firewall allows you to very explicitly restrict IP addresses, protocols, and ports from entering (or exiting) your network. You can nail things down as tightly as you wish, restricting all but a handful of IP addresses, or you can open the doors wide. Most companies allow firewalls to pass outgoing SMTP (Internet e-mail) traffic to the public network, but that’s about it. SMTP is allowed to come in and go out. Other protocols such as HTTP might be allowed out, maybe in. You might have to allow protocols such as IPSec, L2TP, PPTP, and MPPE out if you’re doing some flavor of a VPN. While the literature for Microsoft Proxy Server says that it is a firewall (due to its ability to restrict incoming and outgoing traffic), in bigger enterprises, Proxy Server alone might not provide the level of control that you require. You should place Proxy Server ahead of your private network but behind a firewall.
Implementing Internet Connection Sharing and NAT
With Network Address Translation (NAT), which is used mostly with small office/home offices (SOHOs), you can meet the following small-office requirements:
You have the ability to connect users on a private network to the Internet.
You can provide a DNS name resolution server.
You have a service that acts like DHCP in the sense that it gives IP addresses to client computers.
NAT is not intended for large enterprises that need the robustness of Proxy Server and other Windows 2000 features. NAT is useful for connecting private networks to public ones, for connecting disparate types of network segments such as Ethernet to ISDN, and for creating a screened subnet (a DMZ) for your Web servers. NAT needs to use the reserved IP address range 192.168.0.0–192.168.24.255, subnet mask 255.255.255.0, and cannot use public IP numbers that are being used on a private network. If you don’t have this kind of setup, you’ll have to go with Microsoft Proxy Server instead.
NAT simply serves as an address-translator protocol: it allows private users onto the Internet by converting private addresses into public ones. There are many limitations to NAT, mostly with respect to the types of protocols that it is not allowed to pass. Among the restrictions are the following:
No Simple Network Management Protocol (SNMP)
No Lightweight Directory Access Protocol (LDAP)
No Component Object Model (COM) and Distributed Component Object Model (DCOM). (Both of these are used extensively by third-party applications such as quota management software and others—COM and DCOM are the Microsoft-based heart and soul of client/server programming.)
No Kerberos v. 5
No Microsoft Remote Procedure Call (RPC). (Unfortunately, Exchange versions earlier than Exchange 2000 heavily use RPC. On top of that, lots of the Microsoft Management Consoles [MMCs] use RPC to communicate in a client/server environment.)
IPSec cannot be used over NAT.
You cannot run any DHCP servers on the network other than NAT.
While you can run other DNS servers on the network, NAT can forward name resolution requests from clients on the private network to DNS servers on the Internet. Use this feature when you don’t have other DNS servers on the network or your private network is a single non-routed subnet.
Knowing When to Use an RRAS Demand-Dial Interface
Using RRAS to get to the Internet is a fruitful endeavor, especially in smaller shops that don’t have the luxury of having a DS-3 Internet connection. As you might imagine, Internet connectivity scenarios can get highly complicated, what with determining redundancy characteristics, planning for disaster recovery, and so much more, but with some networks, the most important objective is simply to get connected in the first place. Windows 2000 RRAS provides many ways for an administrator or designer to use telephony solutions to connect the network’s users to the Internet. One of the design elements that you’ll need to pay some attention to is whether to use a demand-dial connection on the public side of your NAT. Suppose that you’re dealing with a small shop that currently has users that dial in to their respective ISPs using the telephone line on their desks. You want to set up an inexpensive high-speed link to an ISP, then provide connectivity to your users. NAT is perfect for this. Connections that are full-time, such as DSL or asynchronous, are called persistent connections. NAT can use persistent connections as well as demand-dial connections. Suppose you’re charged for each minute that you’re connected with the ISP, as is the case with an ISDN line. If you were connected 24×7, this could cost far more than your use justifies. So, you set up a demand-dial connection through RRAS; then when users access NAT, the connection is dialed and they can do their work. NAT security is generally good, although you can augment it by setting up RRAS IP filters that restrict incoming or outgoing IP address ranges by protocol (e.g., FTP). You can also set up IP address pools. Use a pool when you want to allow Internet or VPN users to be able to access resources on the private network, as you might in a business-partner relationship. You can use VPNs to restrict private-network access by user. Note that since IPSec isn’t allowed through NAT, you can’t use Layer Two Tunneling Protocol (L2TP) for your VPN connection but must rely instead on Point to Point Tunneling Protocol (PPTP) and Point to Point Protocol (PPP) connections.
Internet Connection Sharing
The concept behind NAT is one of providing a “one-stop” server that users can go to for their IP address, name resolution, connectivity to the Internet, and basic firewall services. But what about SOHOs that don’t need all this firepower? Is there a way that they can perform basic NAT services without the full-blown features of NAT? Sure: Internet Connection Sharing (ICS). You still have to provide a Windows 2000 Server in order to enable this feature, but it is much less intense than the services used by NAT. In fact, from the most sophisticated method to the least you’d have the following: Proxy Server (which does not provide its own name-resolution or DHCP services), NAT (which uses DHCP and DNS proxy servers), and then ICS (which also uses DHCP and DNS proxy servers). You enable Internet Connection Sharing by setting up a Windows 2000 Server computer that has a network card that can talk to the private network and a modem (or similar connectivity device) that can talk to the public network. Don’t install DHCP or DNS at this time! Then, when the server is ready, go into Network and Dial-Up Connections by right-clicking My Network Places and selecting Properties from the shortcut menu. (Optionally, you can click Start ➢ Control Panel ➢ Network and Dial-Up Connections.) Create a new dial-up to your ISP, then right-click it and select Properties. Navigate to the Sharing tab, and check Enable Internet Connection Sharing for This Connection. You can also enable on-demand dialing by simply checking the box for this feature. Once this feature is enabled, ICS will use the same DHCP pool that is used by NAT (192.168.0.1 with a subnet mask of 255.255.255.0). Note that you cannot have computers on your internal network that are configured with a static IP address. All addresses, other than the Internet Connection Sharing server itself, must obtain their IP information from DHCP. To configure the client, simply open Internet Explorer or another browser that supports proxy servers, and type the private address of the Internet connection server into the configuration area provided for the proxy server address. You’ll use port 80 for this connectivity. That’s all there is to it.
We need to mention the two other kinds of dial-up connections that you can create: VPN or dial-in. A “VPN dial-up” connection means that you’re setting up a VPN with another network somewhere, one that’s equally equipped to receive VPN calls. Use a VPN when you want a secure, encrypted tunnel from one point to another, typically server to server, or when you want to allow users to connect to your private network using a secure tunnel through the Internet. A “dial-in” connection is much simpler: it merely allows a user to connect to and work on your network using a conventional modem. Suppose that you use Internet Connection Sharing for a VPN that talks to another network, and you’d like to set up a server in that remote network so that it shares applications and you can thus use applications from your SOHO. You can add authentication and encryption to dial-up connections, but the security that a VPN provides, not to mention leveraging the ISP’s bandwidth as opposed to yours or your user’s, is very useful. You can also set up ICS dial-up connections in such a way that users can dial in to your network and run applications. In this case, instead of a VPN dial-up connection, you’d set up an incoming connection.
Designing a Web Server Access Solution

Is there a way that Windows 2000 Server could help a company to create its own Web servers and then put them out on the Internet? Proxy Server 2 can be configured to allow users coming in from the Internet to hit an internal Web server. This technique, called reverse hosting, might not be desirable for larger enterprises that have dozens of Web servers to maintain. Moreover, while the possibility of users coming inside a corporate network to view Web documents exists, it might strike fear in the hearts of security administrators.

So, what about the corporation that doesn’t want anything to do with users coming inside the corporate network? The corporate managers want to keep users out of their internal workings—put them on the fringe of the network where they can view Web pages but where they can’t create too much trouble if they do manage to hack into one of the servers. A screened subnet, also known as a DMZ, is called for in such circumstances. A lot more configuration has to go on in such a situation. For example, what protocols should be allowed from the DMZ into the internal network? Obviously, the Hypertext Transfer Protocol (HTTP) normally used for Web pages is probably off-limits, but what about SMTP for Internet e-mail? There are more questions with a DMZ. How about DNS or WINS? Basically, you’d want to configure a one-way pull scenario in the DMZ so that users cannot modify WINS or DNS entries in the DMZ. This, of course, creates security issues as well, because hackers could potentially obtain NetBIOS or host names that are inside the private firewall. Perhaps the best notion is that of static hosts and lmhosts entries. How about databases? Should they reside on a server inside the network and somehow communicate with the DMZ, or should they be allowed to live outside the network on the DMZ? Your answer probably will be to keep your database servers inside the corporate network where they’re nice and safe, and then poke a hole in the firewall that allows the Web servers sitting out on the DMZ to talk to the database servers on the inside.

There are other considerations with a DMZ as well; for example, what about Windows Load Balancing, a feature incorporated in Windows 2000 and available for Windows NT 4? You want fault tolerance and load balancing on your Web servers so that one can help ease the load when another is being hit exceptionally hard. You might want to consider more formal products such as Site Server and Commerce Server as well.
Designing a Mail Server Access Solution

E-mail servers are not something that you would normally put out on a DMZ. This is because they normally have large databases on them and, because of that, they are awfully tempting for hackers. Most corporate networks keep e-mail servers inside because they allow SMTP traffic through their firewalls and into the e-mail servers—after all, the internal users need to receive e-mail from outside sources. There are work-arounds for getting internal Exchange servers to talk to Proxy Server. This setup works very well, and gives you the kind of control you want over your users’ Internet destinations, but keeps your Exchange servers internal to the business. It is quite possible, using Windows 2000 VPN or dial-in connections, to allow off-site users to access your internal mail servers. You might consider doing this with a business partner entity that needs to use those servers (for things like setting up calendar appointments or running custom forms).

It should be noted here that if you intend to allow your users to send e-mail out to the Internet or receive e-mail from people on the Internet, it’s to your advantage to purchase and apply a good-quality virus scanner to your e-mail system. With this software, e-mail coming in and going out is automatically scanned. You’ll be shocked at how many virus-laden e-mail documents your users can receive from the Internet in a day!
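The DMZ and mail-server placement decisions above can be written down as a rule base and checked against sample traffic. The following is an added example, not code from the book: a first-match, default-deny filter model in which every address, host and port is constructed (the 1433 port is SQL Server's default).

```python
"""Added example (not from the book): a first-match packet-filter model for the
screened subnet (DMZ) and mail-server placement described above.

Every address, host name and port below is constructed for illustration; the
rule set encodes the book's advice: Internet users reach only the DMZ Web
servers over HTTP, the Web servers reach the internal database server through
one narrow hole, inbound SMTP goes to the internal mail server, and everything
else from the DMZ into the private network is denied by default."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed address plan (192.0.2.0/24 and 203.0.113.0/24 are documentation
# ranges, chosen so the example never points at a real network).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")

WEB_SERVERS = frozenset({"192.0.2.10", "192.0.2.11"})   # DMZ Web servers
SQL_SERVER = frozenset({"10.1.1.5"})                    # internal database server
MAIL_SERVER = frozenset({"10.1.1.25"})                  # internal Exchange server
ANY_HOST: FrozenSet[str] = frozenset()                  # empty set = any host in zone


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_hosts: FrozenSet[str]   # empty = any host in the destination zone
    proto: str
    dport: Optional[int]        # None = any port
    action: str                 # "allow" or "deny"
    note: str


def zone_of(ip: str) -> str:
    """Classify an address; anything outside the two private ranges is Internet."""
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


# Ordered rule base; the first matching rule wins, and an unmatched flow is denied.
RULES = [
    Rule("internet", "dmz", WEB_SERVERS, "tcp", 80, "allow", "public Web servers"),
    Rule("internet", "internal", MAIL_SERVER, "tcp", 25, "allow", "inbound Internet mail"),
    # The one hole poked from the DMZ into the private network: Web -> SQL Server
    # (1433 is SQL Server's default TCP port).
    Rule("dmz", "internal", SQL_SERVER, "tcp", 1433, "allow", "Web servers -> database"),
    # Explicit denies that document the design decisions in the text.
    Rule("dmz", "internal", ANY_HOST, "tcp", 80, "deny", "no HTTP from DMZ inward"),
    Rule("dmz", "internal", ANY_HOST, "udp", 53, "deny", "DMZ uses static hosts entries"),
    Rule("dmz", "internal", ANY_HOST, "udp", 137, "deny", "DMZ uses static lmhosts entries"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow under first-match, default-deny semantics."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dst_hosts and flow.dst not in rule.dst_hosts:
            continue
        if rule.proto != flow.proto:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action, rule.note
    return "deny", "default deny (no rule matched)"


def audit(flows):
    """Evaluate a batch of flows; returns a list of (flow, action, reason)."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows, including the ones the text argues about.
    sample = [
        Flow("203.0.113.7", "192.0.2.10", "tcp", 80),     # Internet user -> DMZ Web
        Flow("192.0.2.10", "10.1.1.5", "tcp", 1433),      # Web server -> internal SQL
        Flow("192.0.2.10", "10.1.1.5", "tcp", 445),       # Web server -> SQL host, SMB
        Flow("203.0.113.7", "10.1.1.5", "tcp", 1433),     # Internet -> internal SQL
        Flow("203.0.113.7", "10.1.1.25", "tcp", 25),      # Internet -> internal mail
        Flow("192.0.2.10", "10.1.1.25", "tcp", 80),       # DMZ -> internal over HTTP
    ]
    for flow, action, reason in audit(sample):
        print(f"{flow.src:>14} -> {flow.dst:<10} {flow.proto}/{flow.dport:<5} {action:5} {reason}")
```

Running the script prints one line per sample flow; the SMB attempt from a Web server to the database host falls through every rule and is caught by the default deny.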
Exam Essentials

Be able to design an Internet and extranet access solution that includes a proxy server. Using Microsoft Proxy Server leverages the control you have over Internet usage by both internal users going out to surf the Web and external users trying to come in (to spoof e-mail servers by acting as relay agents or to attempt malicious acts).

Be able to design an Internet and extranet access solution that includes a firewall. No serious organization should be without a firewall.

Be able to design an Internet and extranet access solution that includes routing and remote access. Much of the work done in Windows 2000 revolves around changes to RRAS, especially with respect to VPNs.

Be able to design an Internet and extranet access solution that includes Network Address Translation (NAT). A key tool that really helps facilitate Internet access for smaller companies.

Be able to design an Internet and extranet access solution that includes connection sharing. It used to be that you’d have to use Proxy Server to gain the features that connection sharing now provides SOHOs.

Be able to design an Internet and extranet access solution that includes a Web server. The key concept here is that of the DMZ. Look for many test questions that revolve around DMZ connectivity or features.

Be able to design an Internet and extranet access solution that includes a mail server. Getting Internet mail into the network and allowing Internet users to send out mail quickly is a full-time job for people working in larger enterprises. Many security issues, especially revolving around viruses, pertain to this area.
Key Terms and Concepts

Extranet An intranet that is accessible by outsiders. It typically includes some kind of authentication to verify that the person trying to access the network is actually who they say they are.

Internet Service API (ISAPI) An application programming interface (API) written by Microsoft so that programmers can write code for Internet Information Services computers. Some companies specializing in augmenting the use of Microsoft Proxy Server have developed ISAPI filters that help Proxy Server filter out unwanted traffic.

Network Address Translation (NAT) The process of hiding an entire network behind a single IP address. This process both helps reduce IP address space shortages and hides the internal network addressing scheme from external hackers. Windows 2000 provides the NAT service.

Persistent Connections A connection that is kept up continually during the operation of computing devices and is restored after the restart of those devices.

Proxy Array A grouping of Microsoft Proxy Server computers that are configured hierarchically for upward Internet flow or to provide load balancing for each other.

Reverse Hosting Hosting a Web server on the private network without benefit of a DMZ. Microsoft Proxy Server provides for this kind of hosting.

SOCKS A protocol that can be used with proxy servers. It provides a simple firewall by checking incoming and outgoing packets and hiding the IP addresses of client applications.

Web Proxy A Microsoft Proxy Server proxy protocol.

Winsock Proxy An abbreviation for Windows Sockets; an Application Programming Interface (API) that was written so that developers could write TCP/IP interface code for Windows programs. Also a supported Microsoft Proxy Server protocol.
Sample Questions

1. What three types of dial-up options are you provided with when setting up Internet Connection Sharing?

A. Demand-dial
B. Dial-up
C. VPN
D. Dial-in

Answer: B, C, D. Careful here. You have the ability to create a dial-up, VPN, or dial-in connection. Then, when you’ve created the connection, you also have the ability to tell the system whether it’s a persistent or a demand-dial connection.

2. What are two ways that you can enhance the performance of a NAT server?

A. Add a second NAT server for redundancy.
B. Make sure the Internet connections are persistent connections.
C. Add a router to the public side.
D. Provide multiple Internet connections.

Answer: B, D. The best things you can do to enhance NAT performance, besides dedicating a computer specifically to NAT, are to make sure that the Internet connections are persistent rather than demand-dial and to provide multiple Internet connections if possible. At some point, though, you’ll reach a place where the network has grown to full-blown router, firewall, Proxy Server size.

3. Select all of the items below that correctly identify a feature of NAT.

A. It hides internally managed IP addresses from external networks by translating the private address into a public address.
B. It provides Kerberos v. 5 security.
C. It provides its own version of SNMP.
D. It uses a predefined set of internal IP addresses.

Answer: A, D. NAT cannot provide Kerberos security, nor does it support SNMP. It does utilize a reserved set of IP addresses, 192.168.0.0 – 192.168.24.255/24. NAT won’t work in networks that have routers and multiple physical segments.

4. When would you use Internet Connection Sharing (ICS)?

A. For large offices
B. When you have multiple ISPs and want to combine the bandwidth they offer
C. When you have a small office/home office (SOHO) where a handful of computers need to share a connection to the Internet
D. For large offices where Proxy Server is not enough

Answer: C. There are two network address translation software choices that you have at your disposal with Windows 2000 and Microsoft software. NAT is the weakest choice and is used in very small offices where only a handful of users need to access the network. NAT is used in conjunction with ICS and can be used in more moderately sized networks, as long as the network only consists of one physical segment. Microsoft Proxy Server is the big boy used in large installations.

5. What is a demand-dial connection used for? Select all that apply.

A. To automatically dial a number when requested
B. To save money on costly telephony connections
C. To provide a fallback in the event that a WAN circuit goes
D. To dial a RAS user back to his house as a security measure

Answer: A, B. Demand-dial is used to call a dial-up entry that you consistently use, like that of an ISP. Then whenever a connection to the Internet is requested through ICS, demand-dial automatically dials the entry and connects for you.
Design a load balancing strategy.
Offloading server work is the objective of load balancing. For example, suppose that you have Web servers getting hit hard. Maybe the best way to relieve the servers (and those surfing into them) is to utilize load balancing in such a way that many servers are performing the same task.

Critical Information

Below is the summary information you’ll need to know about Network Load Balancing (NLB) before taking test #70-221.
Network Load Balancing

Clustering has gone through several iterations at Microsoft. In the early stages of Microsoft clustering (the WolfPack days—a code name for a product that ultimately wound up being called Microsoft Cluster Server), the product was a separate add-on to NT Enterprise Server. Then, somewhere along the line, Microsoft purchased a cluster-like load balancing tool and named it Windows Load Balancing (WLB). Today, in Windows 2000, it is called Network Load Balancing. You’ll still find traces of the old Windows Load Balancing terminology; in fact, the executable is still called wlbs.exe. That said, any references to Windows Load Balancing (WLB) or Network Load Balancing (NLB) are referring to one and the same thing.

You should set up NLB so that every server computer in the cluster runs a copy of the application simultaneously, hence balancing the load. However, clusters are not suited to just any old application on the network. They are especially suited for things like Web sites, where you don’t have a lot of data being transferred into a system by users. If you do have a SQL server that gets information posted to it through a Web site, and you have multiple Web sites on a cluster, then all Web sites can post to the same Web server. But the SQL server itself is a stand-alone unit, or it makes use of SQL Server replication; it does not work well in a clustered environment.
TIP Every computer in Microsoft Cluster Server is called a node; in Network Load Balancing every node is called a cluster host.
You have to look for applications that are cluster-aware, meaning that they’ll work on a cluster. The Windows 2000 services—WINS, DHCP, DNS, and others—are cluster-aware, as are some of the BackOffice products such as Exchange 2000. Keep in mind that if an application requires specialized hardware or customized configurations, then for each clustered server you must duplicate that hardware or configuration component. Even though Windows 2000 VPNs are cluster-aware, you must make sure you duplicate the hardware and settings required on each computer so that failover can occur.
Nodes that operate simultaneously with one another in a cluster are said to be members of an active/active cluster. Nodes that are active and fail over to inactive nodes are members of an active/passive cluster. After failover in an active/passive cluster, once the problem is repaired, the application can go through a failback to put it back on the primary node. You should opt for an active/active cluster because you’re wasting perfectly good hardware in an active/passive state—simply waiting for the primary server to fail. Might as well put the passive gear to good use.

You can install NLB from the Local Area Network Properties page just as you would any other network driver component. It installs over TCP/IP and no other protocol and will work on FDDI or Ethernet network segments. You have two choices for NLB installation: unicast mode or multicast mode. Multicast mode is preferred because it’s more efficient. If you’re going to use unicast mode, you must have two Network Interface Cards (NICs) in the cluster computer: one will be used by the client in accessing the cluster computer, the other by the cluster computer talking to the rest of the cluster. Multicast mode doesn’t require two NICs, but it will modify the Media Access Control (MAC) address on the NIC so that it shows up as a multicast NIC. Some NICs do not allow these kinds of modifications; if yours doesn’t, you’ll have to replace the NIC with one that does.

You can use the Cluster Administrator program installed on every Windows 2000 or Windows NT 4 SP3 node in the cluster. Alternatively, you can use the Cluster Administrator from a separate computer to manage the entire cluster. To see a list of commands used in clustering, grab a command prompt and type cluster /?. Use a command prompt with WLBS.EXE /? to manage Network Load Balancing.

Finally, you can use clustering with two different design scenarios. You can choose to use two or more nodes that are hooked to a common shared storage device, such as a RAID tower, or each node in the cluster can have its own disk array. Intuitively, failover on a node that has its own array takes longer than failover on a node that is hooked to a shared storage array.
Exam Essentials

Understand how to implement a load-balancing strategy in your network. Microsoft puts heavy emphasis on clustering and load balancing. Know and understand the concepts.

Key Terms and Concepts

Network Load Balancing Using Windows 2000 Network Load Balancing (NLB), you can set up NLB so that an application runs on more than one computer and provides multiple places for users to access the application, thus taking the load off of a single computer.

Sample Questions

1. There are two ways to configure the method that Network Load Balancing (NLB) will use to communicate with the nodes in the cluster. What are they?

A. Shared storage
B. Separate storage
C. Multicast mode
D. Unicast mode

Answer: C, D. When you configure NLB, you’re asked what mode you’d like to use to communicate with the other nodes. Multicast mode changes the MAC address on the computer’s NIC and then allows it to communicate simultaneously with all the nodes in the cluster. This may be a problem for NICs that don’t allow the updating of their MAC address. Unicast mode requires that each node in the cluster have two NICs, one for client access to the node and one for the cluster computer to be able to talk to the other nodes in the cluster.
2. You have a Web application that uses a back-end SQL Server database. The Web server is now being heavily hit. You want to implement Network Load Balancing (NLB). What hardware methodology would you likely implement in order to facilitate this?

A. Shared storage
B. Separate storage
C. Shared network cards
D. Separate network cards

Answer: A. If you set up a RAID tower that both servers hook up to, you can then set up an NLB scenario where you have one central repository but two application servers talking to the same database. The alternative, a tricky one, would be to have each application talk to its own database (whether on a separate server from the application or not), then to periodically synchronize the databases.

3. From the list below, select some applications that you would use Network Load Balancing (NLB) for.

A. Streaming multimedia
B. E-commerce servers
C. Exchange 5.5 Server databases
D. Exchange 2000 Server databases

Answer: A, B. An ideal use for NLB, which is nothing more than a front-end cluster scalable up to 32 servers, is e-commerce. Exchange 2000 Server can make use of NLB. You can’t use it with Exchange 5.x or lower.

4. What could you use as a "poor-man’s alternative" to NLB?

A. Identically equipped computers with a manual failover
B. Round-robin DNS (RRDNS)
C. Multiple installations of an application on separate servers
D. Dual-homed server
Answer: B. Round-robin DNS (RRDNS) can point a user to a similarly equipped computer so that processing is essentially load-balanced at the name-resolution level. User 1 points to the first IP address for a DNS entry, user 2 points to the second, user 3 points to the first, and so on, alternating back and forth.

5. Why would round-robin DNS (RRDNS) not be as efficient as NLB?

A. Name-resolution speed is much slower than NLB
B. The requestor has to cross the network to get the address of the server
C. If a server in RRDNS fails, RRDNS continues to hand it work
D. NLB can use fibre-channel connections

Answer: C. If a server that’s a part of RRDNS fails, RRDNS will continue to try to feed it work. The client will, of course, fail because the server it’s trying to contact is offline. NLB can compensate for a server failure.
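The difference between RRDNS and NLB in questions 4 and 5 can be put in numbers with a small simulation. This is an added example, not from the book; the addresses, request counts and failure point are constructed, and the health-aware dispatcher is a simplification of NLB, which really decides per packet inside each cluster host rather than at a central dispatcher.

```python
"""Added example (not from the book): a small simulation of why round-robin
DNS (RRDNS) keeps handing work to a failed server while a health-aware
balancer does not. The addresses, request counts and failure point are all
constructed; the health-aware dispatcher is a deliberate simplification of
NLB, which really decides per packet inside each cluster host rather than
at a central dispatcher."""
from typing import Dict, List, Tuple

# Constructed A records for one host name, as an RRDNS zone would hold them.
A_RECORDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


def dispatch(n_requests: int, dies_at: int, dead: str,
             health_aware: bool, detect_delay: int = 5) -> Tuple[int, int, List[str]]:
    """Hand out n_requests to servers in round-robin order.

    The server `dead` stops answering at request index `dies_at`.
    health_aware=False models RRDNS: the name server knows nothing about host
    health, so the rotation never changes.  health_aware=True models an NLB-style
    cluster: after `detect_delay` requests (a stand-in for heartbeat convergence)
    the dead host is dropped from the rotation.
    Returns (served, failed, targets); targets lists the chosen server per request.
    """
    rotation = list(A_RECORDS)
    position = 0
    served = failed = 0
    targets: List[str] = []
    for i in range(n_requests):
        if health_aware and i >= dies_at + detect_delay and dead in rotation:
            rotation.remove(dead)   # convergence complete: stop sending work there
            position = 0
        target = rotation[position % len(rotation)]
        position += 1
        targets.append(target)
        if i >= dies_at and target == dead:
            failed += 1             # client connects to an offline server and fails
        else:
            served += 1
    return served, failed, targets


def compare(n_requests: int = 90, dies_at: int = 30,
            dead: str = "10.0.0.12") -> Dict[str, Tuple[int, int]]:
    """Return {"rrdns": (served, failed), "nlb": (served, failed)} for one scenario."""
    rr = dispatch(n_requests, dies_at, dead, health_aware=False)
    nlb = dispatch(n_requests, dies_at, dead, health_aware=True)
    return {"rrdns": rr[:2], "nlb": nlb[:2]}


if __name__ == "__main__":
    for name, (served, failed) in compare().items():
        print(f"{name:5}: served={served:3} failed={failed:3}")
```

With the default scenario (90 requests, one of three servers dying at request 30) RRDNS keeps failing a third of all later requests, while the health-aware rotation fails only during the detection window.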
Chapter 5

Designing a Wide Area Network Infrastructure

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Design an implementation strategy for dial-up remote access. (pages 192 – 214)
Design a remote access solution that uses Routing and Remote Access.
Integrate authentication with Remote Authentication Dial-In User Service (RADIUS).
Design a virtual private network (VPN) strategy. (pages 215 – 228)
Design a Routing and Remote Access routing solution to connect locations. (pages 228 – 236)
Design a demand-dial routing strategy.
Connectivity with other sites and telecommuting users is a big, big, big exam topic. It’s important to understand all of the new features that Windows 2000 has implemented so that you can understand when to apply a given service to a specific requirement. This chapter is about connecting users through dial-up remote access, through a VPN, or through a demand-dial routing strategy.
Design an implementation strategy for dial-up remote access.
Design a remote access solution that uses Routing and Remote Access. Integrate authentication with Remote Authentication Dial-In User Service (RADIUS).
This section covers the concepts of Routing and Remote Access (RRAS) and Remote Authentication Dial-In User Service (RADIUS). The addition of RADIUS allows you to use key administrative options when working with more than one RRAS implementation. As the level of dial-in user access grows, so does an administrator’s need to understand how to leverage RRAS and RADIUS.
Critical Information

When you design a Routing and Remote Access Service (RRAS) implementation, you begin by asking yourself a very basic question: What is the purpose for this RRAS solution that I’m designing? You have three choices when answering this question. You could say that you’re designing this implementation for a server-to-server connection. Or you could say that you’re designing it for telecommuting usage, where people dial into the system to access resources (more colloquially known as Remote Access Services [RAS]—users are said to be “RAS-ing” into your system when they gain access to corporate resources via phone lines). Finally, you could say that you’re setting up a demand-dial connection so that internal users can access the Internet. Any of these needs could adequately be addressed by RRAS.
Designing a Remote Access Solution That Uses Routing and Remote Access

When you request a data or phone circuit from a carrier, you’re said to be provisioning that circuit. Provisioning a circuit very often lies within the realm of a corporate administrator’s work, though large enterprises have dedicated areas that handle the provisioning and setup of data and telephony circuits. Today’s telephony carriers have a smorgasbord of options that they can present to you to provide just the speed and number of concurrent connections you need for a given RRAS design.

Suppose that you require a simple dial-in solution where users RAS into your servers through conventional phone lines. Suppose that your design calls for 24 total connections; that’s one T1 telephony circuit. So if your company maintains its own PBX gear, maybe your next approach would be to request from the telephony department that a dedicated T1 be provided to you so that you have a total of 24 phone lines for your RRAS solution. Or, optionally, you could provision a dedicated T1 from your carrier and use the circuits that way. In either case, the identification of 24 phone lines precipitates the decision on what sort of provisioning you require.

Suppose that you want to provide a way for users to be able to use their home cable-modem, Digital Subscriber Line (DSL), or Integrated Services Digital Network (ISDN) high-speed connection to the Internet to access corporate servers through a virtual private network (VPN). Does this mean that you’ll have to provide cable, DSL, and ISDN services so that you can support each of the three different kinds of users? It does not. What it really means is that you must have a high-speed connection to your corporate ISP (one that can grow, because VPNs will place some load on the system) and that you must set up a VPN that these users can come in through. You’ll probably need to help configure the clients so they are able to successfully connect to your corporate VPN.

RRAS supports conventional asynchronous (regular telephone line) circuits, ISDN (Basic Rate Interface [BRI], not Primary Rate Interface [PRI]), and X.25 through either a packet assembler/disassembler (PAD) or direct connection. With telecommuting users and demand-dial setups, you have these three choices. VPN connections can work with almost any kind of connection your company has to its ISP, including DSL. VPN telecommuters and VPN server-to-server connections allow you to figure out how you’re going to get from point A to point B. For example, you have a Digital Signal Level-3 (DS-3, which runs at 44Mbps) connection to your ISP. You have a server in Sydney with the same kind of ISP connection. Your provisioning is already done. You have circuitry to the Internet and so does the Sydney office. What you now want to do is set up the VPN circuits, a task that assumes the provisioning part is concluded.

The single most important design question you can ask yourself, from a provisioning perspective, is how many users you think will be on the system once it’s made ready. Then a second question would be how large you think the system will grow.

Remote Access in a Routed Environment
When users telecommute into your network, will they have access to the entire network, including any sites that you have connected by WAN links, or will they only be connecting to the local network and no other? In a routed environment, if a user connects to or requests resources from a segment other than the one the user is connected to, it follows that the data path is through the RAS server’s interface out to the user. While the user may have fairly decent throughput (56K, for example), the fact that the resources were requested from a remote segment may have an impact on the total I/O the user realizes; it may also have an aggregate effect on the total throughput of the RAS interface, possibly making other users wait longer while a resource is requested. You can restrict the places a user can go in one of the three following ways:
By allowing access to only those resources that are on the remote access server. You have to set this option individually on each server you configure, and the option applies to all users connecting to the server (both of which could present problems).
By controlling access to other subnets through router configurations that prohibit the user from going any farther than the local subnet.
By defining static routes to subnets that the user is permitted to go to.
The key to this kind of situation is to put the RRAS servers on the segment where the most activity is likely. In a flat non-routed network where you’re only using switches, place the RRAS servers on the same switch as the other servers where users are likely to try to access resources. This will prevent the switch from having to send data to other switches, keeping the design localized to some extent. The more you can keep the activity within the switch fabric of the switch that the majority of the servers are tied to, the faster your remote users will be able to access resources.

There may be a time when you’d want to position an RRAS server in the Demilitarized Zone (DMZ), or Screened Subnet as it’s called. You might want to do this so that telecommuting clients are authenticated by a firewall or some kind of filtering instead of simply relying on the RRAS security to handle authentication. Another reason you might do this is that the RRAS server also has public files on it. Further, you might choose to go this route if the resources that clients need are on the screened subnet, not on private subnets. In any of these circumstances, consider placing your RRAS server in the DMZ, not in the private network.
Security Scenarios
One argument that managers will put forward for not implementing an RRAS solution is that RRAS servers might not be very secure. You have to be prepared with arguments that stipulate what kind of security is available when setting up and using RRAS and what sorts of “holes” the creation of an RRAS server might make in your network.

Protocol Choices

First of all, let’s note that Windows 2000 RRAS supports four different network protocols: TCP/IP, NWLink (IPX/SPX), NetBEUI, and AppleTalk. The protocols you’ll pick for your RRAS implementation are determined by the clients that will be dialing in and the resources they’ll be connecting to. Since any of these protocols can be enabled by the administrator, part of your RRAS security design should include determining which protocols may run on the system and which ones should not be allowed because they’re not needed. NetBEUI, while fast, isn’t necessary in today’s networks and should be immediately struck. If you don’t have NetWare servers to worry about connecting to, don’t use NWLink. Try to get your protocol list down to the bare minimum needed for users to connect.

Authentication Choices
Far more important than your protocol choice is the method that you use for the authentication of users—how the client and the server are going to agree on a user’s credentials when that user is requesting access to the network. Several different authentication methods are supported in Windows 2000 RRAS, as shown in the list below, which runs from most secure to least:
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2). Same methodology as MS-CHAP, but with enhancements such as two-way authentication.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). Works on PPP or PPTP connections.
Extensible Authentication Protocol-Transport Level Security (EAP-TLS). A certificate-based security environment that is used predominantly by smart card–enabled computers accessing resources via RRAS.
Challenge Handshake Authentication Protocol (CHAP). Similar to MS-CHAP, but it supports non-Microsoft remote access clients; it’s disabled by default.
Shiva Password Authentication Protocol (SPAP). Used with Shiva LAN Rover remote access servers. Windows 2000 computers connecting to Shiva LAN Rovers use SPAP.
Password Authentication Protocol (PAP). This protocol examines only plain text passwords and is only slightly more secure than no authentication method at all.
Unauthenticated Access. You don’t ask for, nor do you receive user validation credentials.
As you configure an RRAS protocol, you also configure authentication choices. Given the seriousness of providing a user with the capability of dialing into corporate servers, you shouldn’t mess around with PAP or Unauthenticated Access. You should start with MS-CHAP v2 (provided RRAS is running on Windows 2000 computers—version 2 isn’t supported in Windows NT 4) and then, if needed, work your way down. L2TP is used in VPN setups with IPSec. L2TP works with CHAP, MS-CHAP, MS-CHAP v2, and EAP-TLS. Because L2TP uses certificates, a public CA (Certificate Authentication) server must be present for it to work.

Encryption Choices
You have two encryption choices at your disposal with RRAS (and RADIUS): Microsoft Point-to-Point Encryption (MPPE) or Internet Protocol Security (IPSec, used with Layer Two Tunneling Protocol [L2TP]). MPPE uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher and works with either PPP or PPTP. You can set it for 40-bit or 128-bit in the U.S. and Canada or just 40-bit in international locations (dependent on the schannel.dll file). MPPE requires MS-CHAP, MS-CHAP v2, or EAP-TLS authentication; it cannot be used with the weaker methods or with Unauthenticated Access. You can force encryption. If the client refuses encryption, it’s dropped!

Third-Party Remote Access Server Integration
RRAS also integrates nicely with third-party remote access servers, such as a Shiva LAN Rover. You would, of course, use SPAP for your authentication protocol when contacting a Shiva product. RRAS integrates with NetWare Connect, Unix-based SLIP or PPP, and any other PPP-based RAS servers that might be out in network-land. Keep in mind that other communications servers might have much less stringent authentication paradigms than what Windows 2000 provides, and you might wind up easing up on the security model if you need to integrate with other RAS boxes.

Active Directory Integration
Perhaps the most secure thing you can do for an RRAS implementation is to integrate it into Active Directory (AD). With AD, you can set up remote access policies that strictly control who is allowed to connect to the network, in whatever method you use (dial-in, VPN, etc.). With AD you not only have the centralized administrative capabilities of the Microsoft Management Console (MMC), but you also have the ability to control permissions through remote access policies.

High Availability Scenarios
As with all things that pertain to networks and servers, the key to high availability is redundancy and fault tolerance. It is highly important to correctly size your computers for the anticipated load you think they’ll undergo, then add 25 percent for a fudge factor. Be sure to design dedicated RRAS servers that have plenty of RAM and CPU. (Disk isn’t so important in a telecommuting server.) What does that mean in terms of available modems (or alternative circuits)? For example, should you install 50 modems for a 1,000-user non-technical shop?
It’s important to keep in mind that users definitely have the ability to wreck your infrastructure’s bandwidth, depending on the kinds of file access that they’re requesting. The speed of the infrastructure backbone is going to seriously impact how you set up your RAS servers. Suppose each user is able to attain a 56K connection to the RRAS servers. This means that you could reasonably provide service to 175 users or so (given a 10Base-T network). Why? Well, divide 10,000,000/56,000 and you come up with about 178 concurrent 56K connections. But you have other things going over the wire, even late at night—backups, Exchange servers chatting with one another, etc. Load calculation, balancing, and anticipation will go a long way in reducing downtime on your telecommuting installation.

Optimization and Tuning of Remote Access
There are some things that you can do to help optimize and tune your remote access servers. Matching up HCL-compliant hardware to your telecommuting servers will go a long way toward providing a more foolproof operation. Also, it will be beneficial to you to dedicate computers to the remote access process and not use them in other network processes. It’s good to create remote access servers that do not participate in the user validation process. They should not be participating as domain controllers validating regular LAN users. You can tune the servers by setting their primary task mode for background operation, not foreground. You can also make sure that you’ve nullified any IRQ conflicts you might have, that you have the OS installed on one partition and the data and apps on another, and that the modems or telephony gear you’re using is Windows 2000-compatible. The modems or telephony gear you’re using should also have the latest and greatest software drivers and be correctly optimized for your operation. By supplying a DHCP Relay Agent service on the RAS computer, you allow users to receive the full extent of DHCP-supplied configuration information. Without the Relay Agent, the users get only the IP address and subnet mask that the DHCP server gives out, plus the WINS and DNS entries that were configured for the RAS server. Windows 2000 RAS servers obtain IP leases from the DHCP server in blocks of 10 (actually, it would be 11 if the RAS server is requesting a lease for itself). When a user is done using an IP number, it is released for use by the next user. If all of the IP addresses are in use, the RAS server requests another block of 10.

Integrating Remote Access into a Windows 2000 Environment
Conventional Windows NT 4 RAS servers will integrate into the Windows 2000 network quite nicely. Keep in mind that, until they’re converted to Windows 2000, they can’t use remote access policies, a shortcoming that you’ll want to rectify in order to get increased security and fault tolerance. Upgrading Windows NT 4 RAS servers isn’t quite as easy as it sounds because you not only have the current server configuration to worry about (making sure it can handle the increased requirements of Windows 2000), but you must also make sure that the current communications gear is compatible with Windows 2000 as well. Before integrating RAS into your Windows 2000 environment, design time would be the opportune time for you to figure out whether you should do the following:
Migrate to VPNs
Obtain dial-up connectivity with other networks
Allow high-speed circuits such as DSL or ISDN into your network
Address current applications and file connections
Integrating Authentication with Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client/server protocol that insists upon a RADIUS client connecting to a RADIUS server in order to provide remote access services. In the Windows 2000 world, the RADIUS client isn’t actually the RAS client; it’s the RAS server. And the RADIUS server isn’t the RAS server; it’s actually a server running the Internet Authentication Service (IAS). Table 5.1 shows the layout for a typical RADIUS arrangement.

TABLE 5.1: The RADIUS Client/Server Model

RADIUS role            Server type                                                        OS and platform
Client                 RRAS Server or other RADIUS Server                                 May not need to know or care about what this is
Server                 IAS Server (realize that RRAS will run on this computer as well)   Windows 2000 Server
Remote Access Client   n/a                                                                Can vary
The basic concept here is that you have one server doing the remote access functions—answering the modems, connecting the users—and a second one actually authenticating the users. There are a variety of uses for such a setup, such as the following:
You’ve outsourced your remote access services, but you want to authenticate users from within your site.
You have a remote access server in the DMZ, but you want to authenticate from within the private network.
Your servers are separated by geographic distances.
The client and server pieces need to be on different platforms and OS architectures.
You want to encrypt your RAS connections by using either IPSec or VPN tunnels.
IAS servers can hold a central RAS policy that will be processed by all RAS servers that are configured (on the RRAS server’s Properties Security tab) to use RADIUS for authentication.
You’ll find that RADIUS usually makes sense for corporate entities that are getting into the business of being ISPs, whether that means hosting extranet sites for corporate users or becoming a full-blown ISP. Regular corporations with a telecommuting need and no heavy-duty Internet activities might not need to go down this road, though you might find that RADIUS central authentication and logging features in a multi-RAS-server environment are a plus.

Assessing Correct Remote Access Client Needs in a RADIUS Environment
Let’s presume that you work for a Network Service Provider (NSP) that’s supposed to be able to provide connectivity to a huge variety of users. What kinds of clients might you expect? Whatever your answer may be, you’ll certainly have OS issues; you’ll want to accommodate customers with Macintosh, Linux, Windows 3x, 9x, NT, or 2000, and possibly even OS/2. These disparate OS types can mean at least one big problem for you: protocols. Some users will have the IPX/SPX protocol because they’re connecting from a NetWare network. Others will use TCP/IP, and you can imagine the various protocol “mixes” that you might encounter if that’s the case, AppleTalk over TCP/IP for instance. In any event, it’s important that you keep in mind that the supported RADIUS protocols are TCP/IP, IPX/SPX, and AppleTalk. Some of your clients may be primitive, others quite sophisticated. So the goal is to provide authentication and encryption; your Macintosh, for instance, doesn’t know anything about the new Windows 2000 Microsoft Point-to-Point Encryption (MPPE) protocol, now does it? Older clients might be able to use Data Encryption Standard (DES) instead, which brings up the whole issue of authentication. Some users can only authenticate with a clear-text password, others can use CHAP, others MS-CHAP. It’s a big variety-filled world. Users will want to connect with DSL (in any of its 31 flavors), ISDN, cable modems, multilink modems, or plain old telephone service (POTS) lines. Some might even want to get in with their broadband Palm VIIs or equivalent.
So, aside from all of the various hardware concerns that an NSP will have, it will also have to be concerned about all of these clients and their associated needs (or lack thereof). Windows 2000 RADIUS clients can be authenticated by remote access policies in Windows 2000 or even by Windows NT 4 domains. RADIUS provides very detailed logging of remote access client activity, including whether the user succeeded or failed in the logon, how long the user was on, and times when the RADIUS server could not validate the client. Windows 2000 RADIUS can integrate with RRAS to supply demand-dial scenarios, and IP filters can be configured to weed out unwanted traffic. Intuitively then, a good RADIUS design includes the following information:
The identity of the connecting remote access clients.
The location of the RADIUS clients and servers.
The Local Area Network (LAN) protocols that will be necessary to support in this environment, such as IPX, AppleTalk, TCP/IP.
The authentication schemes supported.
The encryption technique, such as MPPE or IPSec.
Whether remote access clients will be using a VPN or dial-in connection.
The domain that RADIUS will be using to authenticate users—whether you’ll be connecting to a Windows 2000 native mode, mixed mode, Windows NT 4 domain, or domain accessible through a trust relationship. Note that domains are called realms in RADIUS dialect.
The number of ports (dial-in or VPN) available for the system.
Any restrictions that were set up in the remote access policies.
The user accounts that will be granted permissions.
See Figure 5.1 for an example of a typical RADIUS scenario.
FIGURE 5.1: A typical RADIUS scenario
[Diagram: RAS clients dial into an ISP; the ISP’s RADIUS server (the RADIUS client) forwards across the Internet to the corporate RADIUS server on the corporate network.]
RADIUS in a Heterogeneous Environment
“Why do I need RADIUS when I can just use plain old dial-in connections to get users into my network?” RADIUS goes beyond standard dial-in connections by providing authentication and logging (typically for billing and provisioning purposes). Three computers act as RAS clients that want to connect to your corporate network. Perhaps these clients are quite a distance from your corporate site, many states or even countries away. Your firm negotiates a RADIUS connection with the ISP in that area. This RADIUS server is actually a RADIUS client to the Windows 2000 system. Then, you set up a RADIUS server at your site and get the connections set such that, when these users connect to the ISP, they’re connected by the RADIUS client, then validation work is passed to your RADIUS server, and finally they’re logged on. In a scenario like this, you could use a VPN connection between the RADIUS client and server or a demand-dial connection (if the RADIUS client supports it). Also, you could specify the kind of authentication that you’d support and the protocols that the users would have to connect with. A second use for RADIUS technology might be to use it to temporarily join two different firms together so that they can share some work on a project. Let’s say, for example, that you work with the lead American engineer for a huge dam project in China, and that your Chinese counterparts want to be able to share documents with you as the work progresses. Since it’s a long plane flight to China—especially just to drop off some documents—and since most documents today are digital anyway, you could easily set up a RADIUS connection that would satisfy the need. What is the one design feature that stands out when you consider the two suggested designs above? If you’re saying words like “bandwidth” or “data-rate,” you’re right on target! A RADIUS designer will want to take into consideration the persistence of the RADIUS connections (whether they stay up all the time, time out after a given time of inactivity, or are based strictly on a demand-dial scenario) and the amount of bandwidth that will be required to transfer the requests between the RADIUS client and the RADIUS server. If a remote access client is going to try to run an application upon connection through a set of RADIUS servers, can the network throughput support it? A more basic question would be, can a user be authenticated within a reasonable period of time? The persistence question is about saving money; the bandwidth question is about conserving WAN resources.

RADIUS Security Scenarios
A serious security issue exists when we talk about RADIUS designs. What if you went to your CIO and said, “Look, boss! We can set up this RADIUS client/server model so that we here in Waxahachie can talk to our users in Punxatawny!” Initially, she’s going to laugh you right out of the building. Why? Because there are so many different places where security loopholes could exist that it’s almost laughable to think about.
Let’s first think about the connection that the remote access client will use when connecting to the RADIUS client box. What kind of security should be involved there? Suppose, for example, that you’re setting up a RADIUS client computer that is a Unix computer. What kind of security will the remote access client have? Chances are the ISP has provided a username and password for this client to authenticate with, so you have the security thing somewhat covered. It would be great if the Unix computer at least supported CHAP as an authentication method so that you knew for sure the user connecting was really the user who should connect. Such clients also present an encryption question: Can this host encrypt logons and data from users requesting a RADIUS connection? In a Windows 2000 RADIUS environment, these questions are answered for you. For starters, when the Windows 9x, NT, or 2000 remote access client connects to a RADIUS client by PPP (dial-in) or PPTP (VPN), it will run either MPPE or IPSec as its encryption protocol. MPPE is a very strong, new encryption protocol that allows you to set whether you want a 40-bit key (for faster, not as secure performance) or a 128-bit key (with slower throughput, but much higher security). Remote access clients connecting to Windows 2000 RADIUS clients must be authenticated using MS-CHAP, MS-CHAP v2, or EAP-TLS in order to use MPPE. Consider enabling the strongest authentication possible. IPSec uses certificates to validate who a user is and then encrypts the data. IPSec is primarily used with L2TP VPN tunneling. There is also this bizarre concept of a RADIUS secret. The secret is made up of the user’s password, combined with a 16-byte random number that is passed through a Message Digest 5 (MD5) hash to produce a 16-byte encryption value. This value is kept with the password that was used by the remote user. 
You should always use secrets with your RADIUS implementation, because they work both with user password encryption and with client-to-server mutual authentication. The ideal RADIUS scenario is a Windows 2000 Professional workstation connecting to a RADIUS client running Windows 2000 Server, which then talks to a Windows 2000 Server RADIUS server, with secrets enabled throughout. Then if the client dials in via PPP, MPPE is being used, secrets are in place, and the data is secure and encrypted through the entire path.
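The password hiding and the client-to-server authentication that the two paragraphs above attribute to the RADIUS secret follow RFC 2865: the User-Password attribute is XORed with MD5(secret || 16-byte Request Authenticator), and the server’s reply carries a Response Authenticator computed over the packet and the secret. This added example (not code from the book or from IAS) implements both sides in Python; the user name, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 RADIUS between a RADIUS client (the RRAS/NAS box) and a RADIUS
# server (IAS). The shared secret never crosses the wire: it hides the
# User-Password attribute and authenticates the server's reply.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([kind, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_authenticator   # first block keyed on the Request Authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block                             # later blocks chain on the ciphertext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def access_request(identifier: int, user: bytes, password: bytes, secret: bytes) -> tuple:
    """RADIUS client side: build an Access-Request, return (packet, Request Authenticator)."""
    request_authenticator = os.urandom(16)       # must be unpredictable and never reused
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = bytes([ACCESS_REQUEST, identifier]) + struct.pack(">H", 20 + len(attrs))
    return header + request_authenticator + attrs, request_authenticator


def response_authenticator(code: int, identifier: int, length: int,
                           request_authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    return hashlib.md5(bytes([code, identifier]) + struct.pack(">H", length)
                       + request_authenticator + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """RADIUS server side: Access-Accept/Reject carrying a Response Authenticator."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, identifier, length, request_authenticator, attrs, secret)
    return bytes([code, identifier]) + struct.pack(">H", length) + auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RADIUS client check: only a holder of the secret could have produced this reply."""
    if len(packet) < 20:
        return False
    length = struct.unpack(">H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], length,
                                      request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attrs: bytes) -> dict:
    """Walk the TLV list; stop at the first malformed length."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        kind, ln = attrs[i], attrs[i + 1]
        if ln < 2 or i + ln > len(attrs):
            break
        out[kind] = attrs[i + 2:i + ln]
        i += ln
    return out


def serve_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal IAS-style handling: recover the password, compare, answer authentically."""
    identifier, request_authenticator = packet[1], packet[4:20]
    attrs = parse_attributes(packet[20:])
    user = attrs.get(USER_NAME, b"")
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_authenticator)
    ok = user in users and hmac.compare_digest(users[user], supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_response(code, identifier, b"", request_authenticator, secret)


if __name__ == "__main__":
    # Constructed sample values: a RADIUS client and server sharing one secret.
    SECRET = b"example-shared-secret"
    req, req_auth = access_request(1, b"alice", b"Pa55word!", SECRET)
    reply = serve_access_request(req, SECRET, {b"alice": b"Pa55word!"})
    print("accepted:", reply[0] == ACCESS_ACCEPT,
          "reply authentic:", verify_response(reply, req_auth, SECRET))
```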
RADIUS Client to RADIUS Server Connection
Next, you have a connection between two computers that goes across the Internet or public wires. How can you make sure that the data gets from points A to B, from RADIUS client to server, and back without running the risk of some hacker grabbing some of the data and using it for evil? RADIUS supports three different ways of encrypting and protecting data going from RADIUS client to server. U.S. government restrictions might make it difficult for you to provide anything other than encrypted data. But then again, some governments (France, for example) don’t go along with some of the security standards in use elsewhere, and you won’t be able to encrypt the data. (Did you know, for example, that until recently you couldn’t ship 40-bit DES Windows products into France?)

RADIUS Server to Private Network Server Connection
What about that idea of a partner relationship, where you have an engineer from one company dropping documents onto a server in the private domain of your corporate network? In other words, this engineer has ridden a highly secure line from his Windows 2000 Professional workstation through the RADIUS client to the RADIUS server and is now authenticated to your domain. But what control do you have once the user is inside the private network? You can control things with NTFS permissions and by restricting the usage to only the RRAS servers through dial-up properties.

Remote Access Policies
Probably the most important tools you have in your bag are the remote access policies that you implement in Windows 2000. By setting up robust remote access policies, choosing very specific dial-up properties, and specifying that remote access clients be matched up with remote access policies on the RADIUS server (not the client), you can streamline how much or how little chutzpah the user can assert on the network. You can control the time of day and the day of the week when the user is allowed in. You can specify certain characteristics that pertain to a remote user, things like the phone number and the IP address. A remote access policy will not govern NTFS or share permissions, so go cautiously throughout the entire design, making sure potential holes are plugged.
You can visit the currently installed remote access policies by going to a Windows 2000 domain controller and clicking Start > Programs > Administrative Tools > Routing and Remote Access. Once inside the RRAS Properties window, double-click the Remote Access Policies container to see the policies in place. In new installations, there is only one default remote access policy. Right-click it to view the policy’s properties. The policies appear beneath a server in the RRAS tool. Any server in the AD can be loaded and managed with the correct permissions and policies on a per-server basis. By clicking the Edit Profile button, you bring up a window that allows you great control over remote access sessions. The Dial-In Constraints tab provides you with the ability to disconnect users after a certain idle time, to restrict the days and times they’re allowed on, and, most importantly, to restrict certain connect types from being allowed in. For example, you can restrict faxes from trying to connect to your RAS system. The IP tab allows you to define how the remote access client is going to get its IP address and what kind of IP filtering is going to happen. The Multilink tab allows you to detect multilink clients and to either allow or disallow them. Multilink, as you may recall, is an NT (and now 2000) service that allows an NT computer to use multiple modems to create additional bandwidth. The Authentication tab is the place where you select the kinds of authentication you’re going to allow for this policy. The Encryption tab allows you to select the kind of encryption you’ll allow over this Windows 2000 RRAS server. By default, all three—no encryption, basic, and strong—are checked, meaning that your Macintosh guy could easily get in as long as he matched certain authentication criteria. Default authentication methods selected are MS-CHAP and MS-CHAP v2. Finally, the Advanced tab allows you to specify additional connection attributes that the RRAS server can use.
There’s a whole bevy of preconfigured connection attributes at your disposal.
Once you’ve written your remote access policies, you simply go to Active Directory Users and Computers, double-click a user, click the Dial-In tab, and click the Control Access through Remote Access Policy tab. The remote access policy will go into effect for that user. Now, we’ve covered some how-to material here, but what about the design aspect? First and foremost, you must decide if RADIUS is for you. Large implementations with numerous RRAS servers might benefit from a RADIUS implementation. You can get more carried away than that if you’re outsourcing some telecommuter connectivity and need to interconnect with a foreign RADIUS server, which we alluded to somewhat above. On the other hand, maybe you’ll have only one RRAS server. Is RADIUS necessary at that point? Probably not. A third thing to think about is the possibility that you have a hardware-based RRAS system like a 3Com Total Control System (TCS) RAS server and it too is capable of running RADIUS. Should you set up a RADIUS implementation that acts as a server to its client? These are things to think about when considering RADIUS. Geographic considerations come into play as well. If you’ve got a RRAS server or two in Munich, one in New York, several in Chicago, and so forth, RADIUS will help you with this setup. It won’t help you configure the RRAS servers; it’ll only help you with the authentication and logging of the RRAS users, but this feature is a plus with multiple RRAS users dialing into several RRAS servers spread out over a large geographic area. For normal networks (of which I’d say most fall into this majority), you’ll probably have a central nexus that handles the bulk of your RRAS services and you won’t be real interested in RADIUS. On the other hand, if you’ve got quite a few RRAS servers and you’re attracted to centralized policy and logging administration, you might want to take a second look at RADIUS.

RADIUS Servers inside Screened Subnets (DMZ)
Suppose that you want to put the RADIUS server in the DMZ rather than inside your corporate private network. What does that mean, in terms of added steps? First, RADIUS clients cannot and should not be placed within the DMZ. Your RADIUS server, on the other hand, is already inside the DMZ, which means that you’ll want to connect the two together with a VPN tunnel, probably L2TP and IPSec if you’re dealing with Windows 2000 computers—for the most security. Next, you (actually, your internetworking experts) will poke a hole in the firewall to allow connectivity between the RADIUS server and the internal network by setting up a VPN between the RADIUS server and the internal network. The RADIUS server would be a member server, not a domain controller, so when authentication is requested from a remote access client traveling through this pipe, it would be forwarded to an internal domain controller, validated, and then sent back to the RADIUS server and hence back to the client. This model is highly secure because you don’t expose user accounts or remote access policies to the outside world and everything is done through VPN tunnels, making them encrypted and highly authenticated.

High Availability Scenarios
There are several steps you can take to build fault tolerance and redundancy into your RADIUS configuration. You start with the standard redundancy technique: provide two or more duplicate servers for each phase of the RADIUS design. This means you’d have two or more RADIUS clients and two or more RADIUS servers, all comparably equipped. It goes without saying that these computers would keep their configurations on RAID1 or RAID5 arrays for maximum fault tolerance. With duplicate servers such as these, you can set up round-robin DNS entries so that one computer handles one dial-in request and the second handles the next, and so that if one RRAS computer fails the DNS system references the other. In addition, you’d probably want to provide each computer with at least two phone lines, one to act as a backup in case the first failed. You would register both RADIUS clients with the RADIUS servers so that you are assured correct authentication is going on. All RADIUS servers would use the same user account and authentication domain for redundancy.
Optimization and Tuning of RADIUS
When you consider the optimization and tuning of RADIUS installations, you need to think about three different regions of your network. First, consider your RADIUS client and server environment. If you have a large number of remote access clients trying to access the RADIUS clients, you’ll likely have a bottleneck. The cure for this is obvious: hook up more RADIUS clients. It could also be that the number of RADIUS client servers is adequate for the number of remote access clients, but the client servers themselves are weak and under-engineered. You can cure this problem by either beefing up the hardware or replacing the servers with higher-performance computers. Second, you can also tune RADIUS clients by adding additional modems. If a remote access client gets a busy signal half of the time that it tries to connect, you need more phone lines. Third, you can add additional RADIUS servers for improved authentication. Or, optionally, you can upgrade the hardware or replace a RADIUS server if it is adequately addressing the needs of the RADIUS clients but just not doing it quickly enough.

Integrating RADIUS into a Windows 2000 Environment
Going into a Windows 2000 environment with a legacy RADIUS installation might take some thought and work to accomplish. For example, 3Com Total Control Modules (TCM) support RADIUS. In fact, a TCM box is basically an NT 4 computer with one or many modem modules and a HiPer ARC router module added as well. The RADIUS service runs within the NT services on the TCM box and is stoppable. How will this device integrate with a Windows 2000 RADIUS installation? Remote access clients using older OSs should not have too many issues connecting to a RADIUS client unless there’s a configuration issue on your part.
Exam Essentials

Be able to design a remote access solution that uses Routing and Remote Access. Routing and Remote Access (RRAS) comes automatically installed, but not configured or enabled, with Windows 2000 Server. Understand how to utilize its features for remote access clients.

Understand how to use Remote Authentication Dial-In User Service (RADIUS) to provide remote access client authentication. Know and understand what a RADIUS server and RADIUS client are, why they exist, how connectivity between them works, and the various authentication methods you have at your disposal.
Key Terms and Concepts

Basic Rate Interface (BRI)  An Integrated Services Digital Network (ISDN) phone configuration in which two Bearer (B) channels can each carry up to 64K of voice or data and one Data (D) channel carries synchronization and call-control information.

carrier  A telephone company that delivers signals for your WAN or phone connections.

Microsoft Point-to-Point Encryption (MPPE)  A protocol that uses 40-, 56-, or 128-bit encryption keys using the Rivest-Shamir-Adleman (RSA) RC4 stream cipher; it is useful for all PPP connections except L2TP. It can be used with only EAP-TLS or MS-CHAP v2.

plain old telephone service (POTS)  An ordinary telephone line.

provisioning  The act of setting up a telephony or data circuit with a carrier.
Sample Questions

1. Name the components of a typical RADIUS installation. Choose all that apply.
   A. Remote access client
   B. RADIUS client
   C. RADIUS server
   D. Telephony circuits

   Answer: B, C, D. RADIUS setups require at least one RADIUS client and one RADIUS server plus some form of telephony circuit, whether that circuit is POTS, ISDN, or X.25, for the remote access client to connect to. A remote access client is not a component of the RADIUS installation; it’s a user of the installation. Note that telephony circuits might not be needed at all between the RADIUS client and server if the installation includes a VPN to the Internet. But the remote access client would probably still connect using POTS (although DSL, cable modem, satellite, or ISDN are now also viable options).

2. When would you possibly be required to supply more than one phone line per remote access client?
   A. When a remote access client has multiple locations it might dial from
   B. When a remote access client has two different types of phone service (e.g., ISDN and POTS)
   C. When a remote access client needs to connect to two different networks
   D. When a remote access client is trying to use multilink

   Answer: D. Multilink is a Windows NT 4 and Windows 2000 feature that allows you to take several phone lines and call out over them so that they appear as one big piece of bandwidth. Windows 2000 RRAS supports multilink clients, but this implies that the client is going to use more phone lines than regular clients and that you’ll have to provide for that kind of capacity.

3. What functions does RADIUS bring to a multiple-server RRAS installation? Select all that apply.
   A. Single point for viewing logs
   B. Single point for administering Remote access policies
   C. Accounting
   D. Active Directory integration

   Answer: A, B, C. RADIUS provides you with a place to view all of the RRAS server’s logs and to provide accounting for RRAS. Neither RADIUS nor Remote Access Services integrate into Active Directory. Each RRAS server is its own server; however, you can administer Remote Access Services from RADIUS.

4. From the list below, select the RRAS authentication protocols.
   A. MS-CHAP
   B. MPPE
   C. EAP-TLS
   D. PPP

   Answer: A, C. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and Extensible Authentication Protocol-Transport Level Security (EAP-TLS) are authentication protocols. Microsoft Point to Point Encryption Protocol (MPPE) is an encryption protocol. Point to Point Protocol is a WAN connection protocol.

5. Why would you introduce packet filtering with RRAS clients?
   A. To restrict RRAS to only certain computers
   B. To restrict certain IP protocols
   C. To restrict users to certain servers
   D. To prohibit certain network protocols

   Answer: B. Packet filtering is used to restrict certain IP protocols from being allowed in or out of the network. To enhance RRAS security you can apply packet filtering to your Remote Access Policies.
Chapter 5
Designing a Wide Area Network Infrastructure
215
Design a virtual private network (VPN) strategy.
The biggest question you'll want to ask yourself when considering a VPN is, "Will I be putting my users and their data at risk if I allow VPNs into my network?" It's a security question. After all, you are setting up a connection that links your network and your telecommuters, or your network and another network, over the Internet, where anyone on the path can potentially capture the data crossing the wire. If you correctly configure authentication and encryption on your VPN circuits, you have as much protection for the data in transit as you'd have over RAS circuits, and you can use the same authentication and encryption options as you would with RAS. What you do not get back is the obscurity of a phone number: a VPN server is reachable by anyone on the Internet, so its authentication configuration is the whole defense.
Critical Information So what are the reasons for needing VPNs that you’d offer to a stakeholder? Here are some uses you might have for VPN connections:
Home telecommuters with high-speed lines (ISDN, DSL, cable modem, etc.) need access to your corporate network and intranet.
Business partner relationships need access to corporate files.
Two company networks with no connectivity need to connect to one another.
People need access to your network while traveling to places where it doesn’t reach without them (overseas, for instance).
Use a VPN when you judge the risk low enough to justify it. Working on top-secret weapons for the military? You might not want a VPN at all, even though, with strong encryption and authentication, a properly configured VPN is a hard target; what remains exposed is the server itself, which any host on the Internet can reach and probe.
VPNs use IP tunneling to accomplish their goal, as shown in Figure 5.2. The idea of tunneling is that you use the Internet's IP transport to move your data, but you wrap your own packets (the PPP frames the client would otherwise send over a phone line) inside IP packets and send those across the Internet. It's like transporting a car inside a truck: the truck is the transport mechanism, and the car is the data. In a VPN, if you've correctly set up authentication, you know where the data came from and where it's headed. Joe, the truck driver, knows he came from point A, he knows point B is expecting him, and he has an "ID" that proves it to point B's guards. And if you've correctly set up encryption, you've scrambled the data so that it's not readable by outside parties. Encryption is a second level of defense: the Volkswagen inside the truck is disguised as a refrigerator, which makes no sense to the viewer who is hoping to see a car, not an appliance.

FIGURE 5.2: A typical VPN setup. Telecommuter -> telecommuter's ISP (asynchronous dial-up, DSL, cable modem, etc.) -> Internet -> corporate ISP -> VPN server -> corporate network.
Secure Connectivity over Public Networks

When sending data across the Internet using a VPN, you have the choice of two different tunneling protocols. In addition to the tunneling choice, you also choose the authentication methods and the type of encryption that you'll use with the VPN. In the U.S. you can attain very good encryption levels, up to triple DES (3-DES); the lower limits elsewhere reflected the export rules in force when this was written. But first let's talk about some reasons why you'd want to use a VPN over ordinary RAS circuits.
Reduced Leased Line Costs

Some networks don't even connect to one another because the cost of setting up a WAN link between the sites is prohibitive. If you have a site in London and one in New York, how do you connect the two if not with a WAN link? VPNs provide you with a way to connect two sites in a much less expensive fashion than if you use WAN circuits.
Administration of Remote Networks

VPNs allow administrators to obtain high-speed Internet circuits and connect to their local network for administrative purposes. At the point where they connect using the VPN they're just another user on the network, albeit an administrator-type user. Keep in mind that a couple of administrative VPN clients could chew up virtually all of a corporation's ISP bandwidth. For example, if admin A has a cable modem that routinely provides, say, 1.2Mbps and admin B has a DSL line with 512Kbps, together they approach 1.7Mbps. A company with only a T1 line's worth of bandwidth (1.544Mbps) could have its Internet link completely consumed if both admins get on line at once! Consider looking into Windows 2000 Quality of Service (QoS) in situations like this. Quality of Service is a term that has trickled in from the ATM camp and is now being brought into Ethernet and Windows circles. The idea is that you provide a higher level of service to one data component over another. For example, Internet streaming video requires a steady, dedicated slice of bandwidth to deliver quality video to the client; QoS can be set up to provide this sort of guaranteed throughput. Note that QoS on your own equipment shapes what you send; it cannot by itself stop the ISP's link from filling with inbound traffic.
Privacy for Clients Connecting via Public Networks

Imagine the following possibility. You're at a hotel in Chicago, and you want to connect back to your e-mail server in Denver. So you fire up the laptop, dial into your ISP's toll-free number, and connect using PPTP. From there, you connect to your local network and grab your e-mail safely and securely, all the while using the Internet as your backbone. Clients connecting over public networks can be configured to use several different encryption protocols so that you're assured the data is protected in transit, and you can require the connecting user to authenticate to the VPN server before any of it passes.
Designing a VPN Implementation

So how does one go about designing a solid VPN implementation, one that you won't lose sleep over, one that doesn't get you paged at all hours of the night because it's not working? Two major questions come up when we think about VPNs in a routed environment.

First, what network resources will you allow your VPN users to access? Should you let them access the entire network, or should you restrict them to the computer they've connected to? You can configure RRAS connections (the very same connections used for VPN) so that connecting users can reach nothing beyond the RRAS server itself. When would this be pragmatic? Perhaps when a business partner needs to connect to your network to receive files; you'd keep the files local to the RRAS server.

A second, much more interesting question is whether you'll put the VPN server in the DMZ or bring it into the corporate network. Putting the VPN server in the DMZ has security benefits, because a compromise of the server does not automatically land the attacker on the internal network. On the other hand, VPN users who receive valid internal IP addresses (handed out by the RRAS server) are just like any other users on the network: they can get anywhere they need to and map to any shares, provided the appropriate permissions are there. That includes every segment of the network that requires a router to reach. But suppose you don't want these users going anywhere they want? Suppose that you don't want a user to be able to cross a router to another network segment, because everything that user needs is on the segment he's connected to. Probably the simplest method is to configure the routers so that they do not pass traffic from the RRAS client addresses; this is much easier if you give the VPN clients a dedicated static address pool, so that the router filters have one contiguous range to match instead of whatever DHCP happened to hand out. A second method would be to configure a proxy server on each network segment and disallow the VPN addresses there.

When setting up VPNs, you have to make three decisions:
Will you use PPTP or will you use L2TP?
What type of authentication will you use to validate that the party trying to connect is indeed who he says he is?
What type of encryption will you use to scramble the data that’s being tunneled?
PPTP vs. L2TP
Both PPTP and L2TP use IP tunneling to get the data from one place to the other. The difference lies in whether you're willing to deploy certificates to validate the connecting party. To use L2TP with IPSec you'll need a certificate authority (CA) to issue machine certificates to the VPN server and its clients and to check their validity. Windows 2000 Server can act as a certificate authority. Alternatively, you could use a third-party certificate provider such as VeriSign.

It's important to note that if a Network Address Translation (NAT) device, such as a proxy server, sits between the client and the VPN server, your decision between L2TP/IPSec and PPTP may be somewhat clouded. L2TP runs over UDP port 1701, and with IPSec (ESP) that UDP header and the L2TP payload are encrypted. The NAT can still rewrite the outer IP address, but it cannot see the UDP ports it would need to multiplex several clients behind one public address, and it cannot fix the encrypted UDP checksum, which the client computed over its original, pre-translation address; after decryption the VPN server sees a checksum mismatch and drops the packet. (With AH the outer IP header itself is integrity-protected, so any rewrite is detected outright.) If you have applications that rely on NAT translation of addresses (such as a Web server in the DMZ fetching internal database information), choosing L2TP/IPSec for those paths may leave you in trouble. PPTP fares better, since its GRE tunnel carries a call ID that NAT devices with PPTP support can track, but it doesn't have the per-packet integrity protection and machine authentication that L2TP/IPSec provides.

Picking an Authentication Method

Next, you need to pick the type of authentication you want to use. In order of preference, the safest forms are EAP-TLS, MS-CHAP v2, MS-CHAP, and CHAP; prefer MS-CHAP v2 over MS-CHAP wherever your clients support it, since MS-CHAP's response has known weaknesses that let an eavesdropper attack the password offline. Below those are SPAP, PAP (clear-text password), and no authentication at all, none of which belong on an Internet-facing VPN server.
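The NAT problem described under "PPTP vs. L2TP" above, as an added example (not code from the book): a NAT can patch a plain UDP datagram because it can see the UDP header and recompute the checksum, but an L2TP datagram inside ESP is opaque to it, so the checksum the client computed over its pre-translation address fails at the VPN server. The XOR "cipher" stands in for ESP's encryption, and the addresses and payload are constructed for the example.

```python
"""Why a NAT can fix a plain UDP datagram but not an L2TP/IPSec (ESP) one.

Added example, not code from the book. A NAT rewrites the source address of
every outbound packet. For plain UDP that is harmless: the UDP checksum covers
a pseudo-header containing both IP addresses, and the NAT can see the header
and recompute it. L2TP rides on UDP port 1701, but under IPSec ESP that UDP
header is encrypted, so the NAT can only rewrite the outer IP header. When the
VPN server decrypts the datagram, its checksum (computed over the client's
original address) no longer matches the translated outer address, and the
datagram is discarded. The cipher below is a stand-in for ESP's encryption;
addresses and payload are constructed for the example.
"""
import ipaddress
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """UDP checksum per RFC 768: IPv4 pseudo-header + UDP header (checksum 0) + data."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, length))
    header = struct.pack("!HHHH", sport, dport, length, 0)
    return internet_checksum(pseudo + header + payload) or 0xFFFF  # 0 is sent as all-ones


def nat_plain_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, nat_ip: str):
    """A NAT that can read the UDP header: rewrite the source and recompute the checksum."""
    return nat_ip, udp_checksum(nat_ip, dst, sport, dport, payload)


def receiver_accepts(src: str, dst: str, sport: int, dport: int, payload: bytes, checksum: int) -> bool:
    """The receiving host verifies the checksum against the addresses it actually sees."""
    return udp_checksum(src, dst, sport, dport, payload) == checksum


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR keystream standing in for ESP; the only property used is that the NAT can't read it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def l2tp_over_esp(client_ip: str, server_ip: str, payload: bytes, key: bytes, nat_ip: str = None) -> bool:
    """Client builds UDP/L2TP with the checksum over its real address and ESP-encrypts it;
    the NAT (if any) rewrites only the outer IP header; the server decrypts and checks
    the UDP checksum against the outer source address it received."""
    cksum = udp_checksum(client_ip, server_ip, 1701, 1701, payload)
    inner = struct.pack("!HHHH", 1701, 1701, 8 + len(payload), cksum) + payload
    esp_payload = toy_encrypt(inner, key)          # the NAT sees only this opaque blob
    outer_src = nat_ip if nat_ip else client_ip    # the one field the NAT can touch
    clear = toy_encrypt(esp_payload, key)          # server side, after ESP decryption
    sport, dport, _length, seen_cksum = struct.unpack("!HHHH", clear[:8])
    return receiver_accepts(outer_src, server_ip, sport, dport, clear[8:], seen_cksum)


if __name__ == "__main__":
    client, server, nat = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    data = b"L2TP control message (constructed)"
    src, cksum = nat_plain_udp(client, server, 1701, 1701, data, nat)
    print("plain UDP through NAT accepted:", receiver_accepts(src, server, 1701, 1701, data, cksum))
    print("L2TP/ESP without NAT accepted:", l2tp_over_esp(client, server, data, b"k3y"))
    print("L2TP/ESP through NAT accepted:", l2tp_over_esp(client, server, data, b"k3y", nat_ip=nat))
```

The checksum is only half of the story: ESP also carries no port numbers, so a NAT doing port translation has nothing to multiplex several inside clients on. Later Windows releases added NAT-Traversal, which wraps ESP in a plain UDP header precisely so that a NAT has something it can rewrite; Windows 2000 as shipped did not have it.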
Picking an Encryption Method
If you're using PPTP, you can use MPPE. It works with MS-CHAP, MS-CHAP v2, and EAP-TLS (it derives its keys from the authentication exchange, which is why PAP, SPAP, and CHAP can't be combined with it). Use it when you don't have, or don't want to hassle with, a certificate authority to support IPSec. You can use 40-bit, 56-bit, or 128-bit keys in the U.S. and Canada and the weaker lengths elsewhere, subject to the export rules in force when this was written. (Keep in mind that the stronger the encryption, the more CPU cycles the server spends on encryption and decryption, and the slower the transmission.) If you're using L2TP, go ahead and use IPSec. Realize that you'll need at least one certificate authority to issue the machine certificates that IPSec uses. Windows 2000 IPSec can use 56-bit DES or triple DES (3-DES, with the High Encryption Pack) in the U.S. and Canada, and DES elsewhere. Single DES is a weak choice by now: its 56-bit key was brute-forced in public in 1998, so prefer 3-DES wherever you may.

The real difference between the two methods is where the keys come from. MPPE keys are derived from the user's authentication (the MS-CHAP password hash or the EAP-TLS handshake), so with MS-CHAP the tunnel's key strength is bounded by the strength of the user's password. IPSec keys are negotiated by IKE and authenticated with the machine's certificate, which proves the machine is the machine it says it is and keeps the key independent of any password. IPSec is more difficult to set up, but more secure.

It'd be a good idea to have a little chart of what authentication methods can be used by which platforms so that you're ready for any confusing authentication questions you may see on the test. Table 5.2 can help you remember the characteristics of various authentication protocols.

TABLE 5.2: Authentication Protocols

Protocol           Description                                                                Typical uses
-----------------  -------------------------------------------------------------------------  ---------------------------------------------
EAP-MD5 CHAP       Same challenge/response as CHAP, but carried as EAP messages; one-way,     Password-based EAP clients; no certificates
                   password-based                                                             or smart cards are involved
EAP-TLS            Certificates on both sides, mutual authentication, keys from the TLS       Smart cards and other certificate-based
                   handshake; the strongest option; requires a PKI                            logons
CHAP               Standard MD5 challenge/response (RFC 1994); one-way; server must store     Supported by many platforms, including
                   the password reversibly                                                    Windows NT and 2000 and non-Microsoft clients
MS-CHAP            First version of Microsoft CHAP; one-way; response derived from the        All Windows NT and 2000 platforms; known
                   password hash                                                              weaknesses, prefer v2
MS-CHAP v2         Mutual challenge/response, separate MPPE keys for each direction;          Windows 2000 for dial-up and VPN; Windows NT 4
                   no public-key cryptography                                                 (SP4+) and Windows 98 clients for VPN
SPAP               Shiva Password Authentication Protocol; reversibly encrypted password      Shiva remote access clients and servers
PAP                Password sent in clear text                                                Supported by most platforms; avoid
No authentication  No username or password required                                           Supported by most platforms; never on an
                                                                                              Internet-facing server
Assuring VPN Availability
There are several methods you can employ to provide enhanced availability to your VPN setups. We start with a very unusual, yet also very clever method.

ROUND-ROBIN DNS ENTRIES AND VPNS
Many DNS servers allow you to enter more than one address for a particular name. Each time the name is queried, the server hands back the whole list but rotates its order by one, so the first query gets address 1 first, the next gets address 2 first, and so on; when the rotation reaches the end of the list it wraps back to the first address. Clients generally use the first address they are given. This round-robin DNS feature allows you to set up more than one VPN server under the same DNS name, each with its own IP address. The first user to request a VPN connection reaches the first server, a second user gets the second server, and then usage moves to the third server (or falls back to the first if there are only two). DNS has no idea whether a server is up: a dead VPN server keeps receiving its share of users until you remove its record, so pair this technique with monitoring.

Suppose that you have one VPN server that has more power and can handle more simultaneous users than a second server. In this case, list the stronger server's address two or more times under the same name, followed by the second server's address. With a round-robin setup like this, each listed address is handed out in succession, so you might see the sequence in the following list (all six users query the same FQDN).

User     Address handed out
User 1   10.1.23.4
User 2   10.1.23.4
User 3   10.1.23.4
User 4   10.1.23.4
User 5   10.1.23.5
User 6   10.1.23.5

Using multiple identical DNS entries for the 10.1.23.4 server steers more connections there.

PUTTING VPN SERVERS ON A CLUSTER SERVER
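The round-robin behavior described above, as an added example (not code from the book or from any DNS server): a small resolver that rotates a name's A records one step per query, with clients that take the first address returned. It shows the weighted split you get from duplicate records, what happens to that split when the favored server is down, and it also models the two cross-pointed names described later under "Optimizing and Tuning VPN Performance". The zone names and addresses are constructed.

```python
"""Round-robin DNS as a crude VPN load distributor.

Added example, not code from the book. It models a DNS zone whose A records
are rotated one position on every query, as Windows 2000 DNS and BIND do for
a name with several addresses, and clients that connect to the first address
returned. Duplicate records give a server a larger share, two cross-pointed
names alternate servers, and a dead server still receives its share because
DNS never checks health. All names and addresses are made up.
"""
from collections import Counter


class RoundRobinDns:
    """Minimal zone: name -> list of A records, rotated one step per query."""

    def __init__(self, zone):
        self._zone = {name: list(addrs) for name, addrs in zone.items()}

    def resolve(self, name):
        """Return the records in their current order, then rotate for the next caller."""
        records = self._zone[name]
        answer = list(records)
        records.append(records.pop(0))
        return answer


# Constructed zone data (hypothetical names, private addresses).
ZONE = {
    # Weighted: four records for the bigger server 10.1.23.4, two for 10.1.23.5.
    "vpn.example.com": ["10.1.23.4"] * 4 + ["10.1.23.5"] * 2,
    # Two names that prefer opposite servers, each listing the other second.
    "vpn1.example.com": ["10.1.23.4", "10.1.23.5"],
    "vpn2.example.com": ["10.1.23.5", "10.1.23.4"],
}


def simulate(dns, name, clients, up):
    """Each client connects to the first address it is given and tries nothing else.

    `up` is the set of addresses that actually answer. Returns a Counter of
    successful connections per address and the number of clients that failed.
    """
    load = Counter()
    failed = 0
    for _ in range(clients):
        target = dns.resolve(name)[0]
        if target in up:
            load[target] += 1
        else:
            failed += 1
    return load, failed


def weighted_share(clients=300):
    """Four-to-two record weighting yields a two-thirds / one-third split."""
    dns = RoundRobinDns(ZONE)
    load, _ = simulate(dns, "vpn.example.com", clients, up={"10.1.23.4", "10.1.23.5"})
    return dict(load)


def dead_server(clients=300):
    """Same zone, but 10.1.23.4 is down: DNS keeps sending two thirds of users to it."""
    dns = RoundRobinDns(ZONE)
    load, failed = simulate(dns, "vpn.example.com", clients, up={"10.1.23.5"})
    return dict(load), failed


def cross_pointed(clients_per_name=100):
    """Users of vpn1 and vpn2 each alternate; the combined load is an even split."""
    dns = RoundRobinDns(ZONE)
    total = Counter()
    for name in ("vpn1.example.com", "vpn2.example.com"):
        load, _ = simulate(dns, name, clients_per_name, up={"10.1.23.4", "10.1.23.5"})
        total.update(load)
    return dict(total)


if __name__ == "__main__":
    print("weighted:", weighted_share())
    print("10.1.23.4 dead:", dead_server())
    print("cross-pointed:", cross_pointed())
```

Two caveats when you do this on Windows 2000 DNS: rotation only happens while "Enable round robin" is on in the server's Advanced properties, and "Enable netmask ordering" (on by default) reorders answers to favor addresses on the client's own subnet, which can override the rotation you are counting on.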
You can put multiple VPN servers on a cluster server. If a VPN server dies, failover happens, and users can still get in. Failover is automatic, but it is not invisible: tunnels that were up on the failed node are dropped and must be re-established, and a user who tries to connect while the failover is in progress may see a timeout error.

USING RADIUS TO CENTRALIZE YOUR OPERATION
Don't forget that RADIUS servers allow you to centrally administer many different VPN servers and to read the success/failure audits for each server from a central location. While more work to set up in the beginning, you gain centralized administration from such an approach, and one place to see how your VPN servers are behaving in the real world of telecommuting connectivity.
OPTIMIZING AND TUNING VPN PERFORMANCE
Here's a different DNS round-robin technique. When you have two VPN servers that you'd like to balance, create an FQDN for each one, but in each name's round-robin entries, point to the opposite VPN server as the second address in the list. This kind of DNS entry creates a "poor man's load balancing" situation. You alternate between VPN servers, but DNS isn't smart enough to check how busy the other server is. It's like having two NT admins who work for you: you assign the first task to the first admin, the second to the second, the third back to the first, and so on, regardless of how busy (or not busy) each is. The sequence for one of the two names looks like this:

User     Address handed out
User 1   10.1.23.4
User 2   10.1.23.5
User 3   10.1.23.5
User 4   10.1.23.4

When the first user requests a connection to a specific VPN name, DNS is queried and the user is pointed to the first server. The second user is pointed to the second, and so on, in round-robin fashion. Do the reverse for the opposite VPN name.

Hardware Issues
As you might suspect, VPNs are hardware-intensive little beasts, and there are many ways that you can beef up your VPN servers’ performance. Following are just a couple:
You should always dedicate a server to each VPN installation that you decide to have. Do not put Exchange Server, SQL Server, or any other applications on this computer.
You should upgrade wimpy little servers that are trying their best to act as VPN servers but aren’t quite cutting it. Add RAM, upgrade, or add a second CPU, and make the disk subsystem SCSI and Ultra as well, if possible. If your network infrastructure supports it, make sure the NIC in the computer is running at 100Base-T full-duplex.
VPNs in a Windows 2000 Environment
VPNs are allowed to interoperate with the Windows 2000 network in much the same way as a regular RRAS dial-up connection. Thus, operating a VPN in a Windows 2000 environment means that clients will participate in the same functions your locally connected users are provided, things like DHCP, WINS, etc. Following is an explanation of how a VPN in a Windows 2000 environment interacts with these functions:

DHCP The VPN server obtains a block of ten addresses for VPN clients, plus one for itself, from the DHCP server. As more users come online, the VPN server requests another block of ten. Just as with RRAS dial-up, if a DHCP relay agent is not installed, the client uses whatever WINS and DNS entries the VPN server uses.

WINS Clients that use a VPN circuit to connect to a Windows 2000 network and then receive IP configuration information automatically register themselves with WINS.

DNS DNS is not automatically updated when a VPN client goes online. However, the integration of DHCP with DNS allows for automatic updating of the DNS database: an admin can set the DHCP scope to update DNS with both A and PTR records, or set it so that the scope does not update DNS at all.

AD Integration You cannot administer remote access policies through Active Directory. But you can grant a user dial-in capability through Active Directory Users and Computers, just as you could by adjusting a Windows NT user's dial-in properties. This is called User Administration. You open the Properties sheet for a user, navigate to the Dial-in tab and, in the Remote Access Permission section, select Allow Access or Deny Access, and then adjust the remote user's dial-in settings as needed. The alternative is to use a remote access policy. But the way you use the policies depends on whether you're in native mode or mixed mode.
In native mode, the Dial-in tab of the user's Properties box has a Control Access through Remote Access Policy radio button. When in native mode, if you decide that you want to enable remote access policies (recalling that the policy is established per RRAS server), you check the Control Access through Remote Access Policy radio button for every user. Then you create a Windows group and adjust the remote access policy to either allow or deny dial-in permission to that group. If the policy lives on a RADIUS server (Internet Authentication Service, IAS) rather than on the RRAS server, remember that the IAS server must be registered in Active Directory (added to the RAS and IAS Servers group) or it cannot read group membership and dial-in properties, and group-based policy conditions will fail.

Mixed mode is completely different. In mixed mode, the user Properties Dial-in tab won't have the Control Access through Remote Access Policy radio button, because the remote access servers are members of a mixed-mode domain. In this case, you set Allow Access for every user and you delete the default Allow Access If Dial-In Permission Is Enabled remote access policy. Then you create your Windows group and set up a remote access policy that only grants permission to this group. For further information on these three techniques for granting remote access permissions to users, see the following URL: http://www.microsoft.com/WINDOWS2000/library/operations/management/pgremote.asp.
Exam Essentials Know and understand how to design a VPN strategy. Strategy is the key word in this objective. You have three different ways you can utilize VPNs: server to server, user through ISP to corporate network, corporate network to corporate network. Understand why you’d use a VPN over an RRAS circuit (high-speed Internet connectivity being the prime example). Understand the difference between authentication, tunneling, encryption, and connection protocols.
Key Terms and Concepts

Data Encryption Standard (DES) A symmetric block cipher with a 56-bit key, developed at IBM and adopted as a U.S. federal standard in 1977 by the National Bureau of Standards, now NIST. Triple DES (3-DES) applies it three times for an effective strength of 112 bits; the 40-bit and 128-bit key lengths mentioned in this chapter belong to MPPE's RC4 cipher, not to DES.

National Institute of Standards and Technology (NIST) An office of the U.S. Commerce Department that works with industry to develop and apply technology, measurements, and standards.

round-robin DNS The ability of DNS to hold more than one IP address for a given FQDN. The server rotates the order in which it returns them, one step per query, so successive clients are steered to successive addresses and then back to the first; hence the name.
Sample Questions

1. What feature would a RADIUS server provide to your VPN installation?

A. Centralized management of IP addresses for all VPN servers and clients
B. Centralized management of all VPN servers
C. Centralized management of remote access policies
D. Centralized management of authentication and encryption protocols

Answer: C. Implementing a RADIUS server to augment your VPN deployment allows you to centrally manage all remote access policies, which would include the use of proper authentication and encryption methods for all VPN servers in the network.

2. What components will you need to set up an L2TP- and IPSec-based VPN? Choose all necessary elements.

A. VPN server on your network side
B. NAT server
C. VPN connection on the ISP side
D. CA server
E. Installation of RRAS on the VPN servers
Answer: A, C, D. Installing RRAS on the VPN servers isn't a separate step because it's already installed on Windows 2000 Server; you only enable and configure it. You probably don't care how your ISP gets VPN going for you, as long as you understand the authentication and encryption protocols they can support. You do need a VPN server on your side, a VPN connection on the ISP side (I say "connection" because you don't know whether they're using a server or a hardware device), and a certificate authority (CA). Why the CA? Because L2TP uses IPSec, and IPSec's machine authentication relies on certificates. NAT isn't a required component; if anything, a NAT device in the path is an obstacle to L2TP/IPSec, since it cannot translate the encrypted UDP header.

3. Which of the following protocols are RRAS/VPN encryption protocols?

A. MS-CHAP v2
B. RIP v2
C. MPPE
D. IPSec

Answer: C, D. Both Microsoft Point-to-Point Encryption (MPPE) and Internet Protocol Security (IPSec) are encryption protocols that can be used on VPNs. Typically you'd use MPPE with Point-to-Point Tunneling Protocol (PPTP) and IPSec with Layer Two Tunneling Protocol (L2TP). Of the two encryption protocols, IPSec is stronger.

4. Select three uses for VPNs from the options listed.

A. RAS access for telecommuters with high-speed Internet connections
B. DMZ to internal network secure pipe
C. Corporate network to ISP
D. Corporate network to business partner
Answer: A, B, D. Chances are you won't use a VPN to talk to your ISP. But you can set one up for telecommuters who have high-speed Internet connections and need to access the private network from home. You can also set up VPN tunnels between servers in the Demilitarized Zone (DMZ, a screened subnet) and the private network. It's also useful for connecting corporate networks to business partner networks.

5. You want to be able to centrally administer your remote access policies. How do you accomplish this?

A. Through the AD Users and Computers MMC
B. Through RADIUS
C. Through the RRAS MMC
D. Through the VPN MMC

Answer: B. Remote access policies are not part of Active Directory. They are set on each RRAS server and thus are not normally centrally controllable. So how do you centrally control remote access policies? By installing RADIUS, you gain centralized administration of the policies, along with other features.
Design a Routing and Remote Access routing solution to connect locations.
Design a demand-dial routing strategy.
Smaller networks need to be able to connect to remote sites without expensive routing gear and WAN connectivity. Demand-dialing provides a method whereby a server can dial and connect to a remote location over ordinary phone lines. Demand-dialing is triggered by a request from a user who needs to reach the remote location; the user does not know that this behind-the-scenes dialing is occurring. One very typical use for this feature is connecting small office/home office (SOHO) computers to an ISP when a user requests a URL.
Critical Information Let’s suppose that you work for a small company and that you currently have no routers connecting two of your sites. Your company can’t afford robust WAN connections; after all, a frame relay 128K connection isn’t the cheapest thing in the world, especially going across a Local Access and Transport Area (LATA), a U.S. geographic area where one or more telcos provide local service. You can’t afford the routers and wouldn’t know how to configure them if you could afford them, but you sure do need the two offices connected. Sound familiar? This is the problem that demand-dial routing is setting out to solve.
Designing a Demand-Dial Routing Strategy

The concept behind demand-dial routing is that you use Windows 2000 servers as routers and set up an RRAS or VPN connection between them. Whenever one of the routers sees a packet whose destination matches a route pointing at the demand-dial interface rather than at a local subnet, it dials up the other router and passes the packet across. There are two ways that you can leverage demand-dial routing:
Create connectivity by having two Windows 2000 routers dial one another.
Increase fault tolerance for your current routing scenarios.
Cut Corporate Leased Line Expenses
Demand-dial routing can help cut corporate leased line (frame relay, X.25, or ISDN circuit) expenses. If, for example, you have a 256K frame relay connection between Boston and Chicago, you're likely paying several hundred dollars a month for that connection, not to mention the time it took to set up, the router configurations involved, and the cost of retaining an internetworking specialist who can work on the routers when there's a problem. In a big corporate environment, these arrangements may be no big deal, and if a router goes toes-up, you can often go right to a supply cabinet and get a cold spare. But in a small company, such a setup is costly and very troublesome, and it's unlikely that you'll have a router sitting around unused.

In a demand-dial routing configuration, you can also set up login usernames and passwords that the two sides must negotiate before they can talk to one another, which is authentication. You can set up strong encryption, too, so that you know the data crossing the wire is protected. Demand-dial routing especially makes sense when you want to connect two of your networks over the Internet in a highly secure fashion. Using a VPN allows you to use L2TP and IPSec for authentication and encryption over the Internet, leveraging the Internet backbone to carry data from one router to another. This means that you could have a site in, say, Tokyo, and one in the U.S. Under conventional routing practices, the intercontinental transport cost of a leased line could be enormous. But if you and the Tokyo site both have high-speed, good-quality connections to ISPs, you can route between them over the Internet and save some money too.

Since authentication asks, "Who are you, and what proof do you have that you are who you say?" we'd like routers to authenticate in both directions when one router calls another. This technique, called mutual authentication, means that each router proves its identity to the other before traffic flows. With PAP, CHAP, and MS-CHAP, you only have one-way authentication. Your router calls up and says "Hi! I'm so-and-so from such-and-such. Let me in!" but it never bothers to say, "And, by the way, who are you?" So a router authenticated only one way will happily hand its traffic, and its credentials, to whatever answers at the other end. Fortunately, EAP-TLS and MS-CHAP v2 both support two-way authentication, so you have much stronger security with these two protocols. EAP-TLS requires the presence of a Public Key Infrastructure (PKI). The calling router presents a user certificate (it authenticates against a user account on the answering router), while the answering router presents a machine certificate. If you don't want to go to the trouble of setting up a PKI to handle this scenario, EAP-TLS is not the option for you.
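The one-way versus mutual distinction drawn above (and in the Description column of Table 5.2), as an added example that is not code from the book: CHAP implemented as RFC 1994 specifies it, run first the classic one-way way and then with a second challenge in the opposite direction. The rogue "answering router" and the shared secret are constructed; the mutual flow stands in for what MS-CHAP v2 and EAP-TLS achieve with stronger cryptography and is not their wire format.

```python
"""One-way versus mutual challenge/response authentication.

Added example, not code from the book. It implements CHAP exactly as RFC 1994
specifies it (response = MD5(identifier || secret || challenge)) and runs it
first the classic one-way way, then with a second challenge in the opposite
direction. With one-way CHAP the calling router proves it knows the secret but
learns nothing about who answered, so a rogue answering router that knows no
secret is "connected" to, and walks away with a response it can attack offline.
The mutual variant rejects it. Router names and secrets are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the identifier octet, the secret, and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """A demand-dial router holding the shared secret for its peer (None = rogue, no secret)."""

    def __init__(self, name: str, secret: bytes = None):
        self.name = name
        self.secret = secret

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        if self.secret is None:
            return os.urandom(16)  # a rogue can only guess
        return chap_response(identifier, self.secret, challenge)

    def verify(self, identifier: int, challenge: bytes, response: bytes) -> bool:
        if self.secret is None:
            return True  # a rogue accepts anyone; it wants the response, not the caller
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def one_way_chap(caller: Router, answerer: Router):
    """Classic CHAP: only the answerer challenges.

    Returns (answerer accepts caller, caller accepts answerer). The caller was
    never given anything to check, so its 'acceptance' is unconditional.
    """
    ident = 1
    ch = answerer.challenge()
    resp = caller.respond(ident, ch)
    return answerer.verify(ident, ch, resp), True


def mutual_chap(caller: Router, answerer: Router):
    """Both sides challenge; the caller now has grounds to refuse a rogue answerer."""
    answerer_ok, _ = one_way_chap(caller, answerer)
    ident = 2
    ch = caller.challenge()
    resp = answerer.respond(ident, ch)
    return answerer_ok, caller.verify(ident, ch, resp)


if __name__ == "__main__":
    secret = b"boston-chicago-shared-secret"   # constructed
    boston = Router("Boston", secret)
    chicago = Router("Chicago", secret)
    rogue = Router("Rogue")                    # answered the call, knows nothing
    print("legit one-way:", one_way_chap(boston, chicago))   # (True, True)
    print("rogue one-way:", one_way_chap(boston, rogue))     # (True, True): caller fooled
    print("legit mutual: ", mutual_chap(boston, chicago))    # (True, True)
    print("rogue mutual: ", mutual_chap(boston, rogue))      # (True, False): caller refuses
```

Two further points the code makes visible: the response the rogue harvests is an MD5 of a guessable secret, so it can be attacked offline with a dictionary; and `verify` on the legitimate side needs the secret itself, which is why CHAP against Active Directory requires the account's password to be stored with reversible encryption.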
Fault Tolerance for WAN Links
Do WAN links ever go down? Have you ever had, for example, your 128K frame relay circuit go out for an hour or two? Here are some things you might see if this happens: certain configurations of Systems Management Server (SMS) 2 freak out because they can't find their primary site server; WINS goes in the tank if clients try to reach a WINS server across the broken link; and if you have only one domain controller (DC) for a given set of users and that DC happens to be on the wrong side of the broken WAN circuit, the users can no longer be validated.

Suppose you work for a hospital or another company with a mission-critical operation. You cannot afford to have WAN links out of operation for any duration, however short. So you set up some Windows 2000 routers and a demand-dial connection. If the WAN circuit between two points goes out, your Windows 2000 routers kick in, and users will still be able to connect.

Your Windows 2000 routers shouldn't be doing other things in addition to being routers. You wouldn't take a Cisco router and install Exchange on it, would you? No. Well, it's the same kind of thing with Windows 2000 routers, and the fewer services a box that straddles two networks runs, the less there is to attack on it. If possible, let them do their job independently of any additional software you might be tempted to add. Install Windows 2000 on good computers amply equipped with CPU, disk, and RAM to handle the job. How much of a job is it? Well, truthfully, not much. You're asking the computer to route packets between its NICs, to run RIP or OSPF, and to periodically review the routing tables for routes to destinations other than the local network. You'll need an HCL-rated computer that exceeds the minimum requirements for Windows 2000 Server. Since routing under load is CPU- and RAM-intensive, it's to your benefit to boost the RAM a bit. The computers are going to need either a modem (or ADSL, cable modem, etc.) or an ISDN adapter in order to dial out. Windows 2000 will probably detect any communications devices installed in the computer and install the drivers automatically. New or exotic devices might need a driver supplied by the device vendor before Windows 2000 can work with them. You'll also need a NIC in each router so that it can talk to the private network.

You'll want to install RIP or OSPF on the routers. RIP should probably be preferred because it integrates so well with Windows network operating systems (having been around for a few years now), but OSPF would work well too. Be careful, though: periodic RIP announcements (or OSPF hellos) sent over a demand-dial link will keep dialing it up, or keep it up indefinitely, so on the demand-dial interface itself you rely on static routes and auto-static updates rather than on live routing-protocol traffic.

Installing and Configuring Demand-Dial Routing
Remember that RRAS is pre-installed and ready to configure and enable on any Windows 2000 Server installation. Install the server software on the router as a member server. Once you're sure the server is up and running correctly, click Start > Programs > Administrative Tools > Routing and Remote Access to open the RRAS window. Then right-click the Ports object and select Properties to open the Ports Properties window. Now highlight the modem or ISDN device and click the Configure button. Be sure that you review the properties on the server and verify that the correct radio buttons and checkboxes have been selected (in particular, that the device is enabled for demand-dial routing connections); otherwise, many of the options for VPNs and demand-dial routing will not be available.

Updating Routing Tables in a Demand-Dial Routing Environment
You’ll need to add static routes to the routing tables for each of your routers. In order to accomplish this, the demand-dial part of your router must have a default static route with the IP address of 0.0.0.0 and subnet mask of 0.0.0.0. You can validate that this has been created by navigating to the Routing and Remote Access window, clicking the IP Routing object, then clicking the Static Routes object. Right-click, and choose Route Table. Adding an additional route is easy. Just right-click the Static Routes window from the Routing and Remote Access Properties menu, and select New Static Route from the shortcut menu. Key in the new route.

Suppose that you type static routes into your demand-dial routing table on a periodic basis, and you want to update the other routers in the route table with the new entries. You can accomplish this feat with something called auto-static updates. You can set auto-static updates through the RIP Properties screen. You get to the RIP Properties screen by going to Routing and Remote Access, clicking RIP, right-clicking the demand-dial interface, then clicking Properties. Note that auto-static updating is only useful for very small networks. In a network with hundreds of users spread across many campuses, auto-static updating—which isn’t automatic unless you make it so using the Command Scheduler—can turn into a maintenance chore. Don’t use Windows 2000 routers for demand-dialing in large networks except as a redundant backup to your normal routing methodology. The purpose of static routing is to provide alternate routes for addresses that cannot be resolved locally. The router can’t resolve the address, so it dials up the other router and passes the request along for resolution of the address.

Demand-Dial Routing Considerations
Demand-dial routing implicitly means that you’ll be connecting only periodically to the opposing router(s). But it’s possible to set up a demand-dial connection that’s persistent. An example of this might be a connection where you dial another Windows 2000 router and keep the connection open 24/7. This, of course, probably means that the other router is within the same area code and prefix that the first router’s in; otherwise, the connect charges could get expensive. Establishing a persistent connection does buy you the ability to set up dynamic routing, wherein all routers update each other’s routes, freeing you from the pain of auto-static updating. You can use remote access policies to strengthen the way that your demand-dial connection works. For example, you can restrict anything but Windows 2000 computers from using the demand-dial connection. You can specify the authentication and encryption that will be used with the connection. You can also set up the times and days when the connection is allowed to work and also the idle time-out that will be used by the connection.
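The routing behaviour described in the last two sections, as an added Python example rather than anything from the book: a static route table holding the all-zeros default route bound to a demand-dial interface, longest-prefix-match lookup, a model of dialing on demand and dropping the link on idle time-out, and an auto-static update that stores routes learned from the neighbor as static entries. The interface names, addresses and learned routes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One entry of the static route table, in the dotted form RRAS shows."""
    destination: str  # network address, e.g. "192.168.10.0"
    netmask: str      # e.g. "255.255.255.0"; "0.0.0.0" for the default route
    gateway: str
    interface: str    # "LAN" or the name of a demand-dial interface

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


# Constructed sample table: the local subnet plus the default static route
# (address 0.0.0.0, mask 0.0.0.0) that the demand-dial interface requires.
ROUTES = [
    StaticRoute("192.168.10.0", "255.255.255.0", "0.0.0.0", "LAN"),
    StaticRoute("0.0.0.0", "0.0.0.0", "0.0.0.0", "DD-Branch"),
]


def select_route(routes, dst):
    """Longest-prefix match: the most specific matching route wins.
    The all-zeros default route matches every address, so it is chosen
    only when no more specific entry covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route.network
        if addr in net and (best is None or net.prefixlen > best.network.prefixlen):
            best = route
    return best


class DemandDialRouter:
    """Model of a Windows 2000 router with one demand-dial interface."""

    def __init__(self, routes, dd_interface):
        self.routes = list(routes)
        self.dd_interface = dd_interface
        self.connected = False   # is the demand-dial link currently up?
        self.dial_count = 0      # how many times the link was brought up

    def forward(self, dst):
        """Return the interface a packet to dst leaves on, dialing if needed."""
        route = select_route(self.routes, dst)
        if route is None:
            return "unreachable"
        if route.interface == self.dd_interface and not self.connected:
            self.connected = True      # address not resolvable locally: dial
            self.dial_count += 1
        return route.interface

    def idle_timeout(self):
        """The idle time-out from the remote access policy drops the link."""
        self.connected = False

    def auto_static_update(self, learned):
        """Auto-static update: routes obtained from the neighbor across the
        demand-dial link are stored as static routes out that interface,
        so they survive a restart. Returns the number of routes added."""
        added = 0
        for destination, netmask in learned:
            route = StaticRoute(destination, netmask, "0.0.0.0", self.dd_interface)
            if route not in self.routes:
                self.routes.append(route)
                added += 1
        return added


if __name__ == "__main__":
    router = DemandDialRouter(ROUTES, "DD-Branch")
    print(router.forward("192.168.10.5"), router.dial_count)  # LAN 0
    print(router.forward("10.2.3.4"), router.dial_count)      # DD-Branch 1
    router.auto_static_update([("10.2.0.0", "255.255.0.0")])
    print(select_route(router.routes, "10.2.3.4").network)    # 10.2.0.0/16
```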
Logging
One last point to make here, one that’s not talked about very frequently in the new training materials or in the testing: You should realize that all of these activities—NAT, DHCP, WINS, DNS, routing, and RRAS—are logged in the normal Event Viewer. Troubleshooting should, therefore, start with the Event Viewer logs. Checking the RRAS logs stored either locally or on the RADIUS server will also be of benefit.
Exam Essentials

Be able to design a demand-dial routing strategy. Know how, when, and why you’d use Windows 2000 routers that are set up for demand-dial routing.
Key Terms and Concepts

auto-static updates When a RIP for IP or RIP for IPX router is configured with auto-static updates, the router sends a request to its neighbors and inherits their routes. The beautiful part of auto-static routing is that the routes are saved in the routing table instead of being keyed in for the session; thus they are present even upon restart of the router. Manually entered routes are flushed at restart.

mutual authentication The process of one host verifying the identity of another and vice versa. “I understand that you need to see my credentials, but please don’t be offended if I ask to see yours as well.”

Public Key Infrastructure (PKI) A system that uses certificates and certificate authorities, which can vouch for the authenticity of a client accessing an Internet or network resource.
Sample Questions

1. Which three routing protocols can be configured with auto-static updating?

A. RIP for IP
B. IGMP
C. RIP for IPX
D. SAP for IPX

Answer: A, C, D. While IGMP is indeed a Windows 2000 routing protocol, it cannot be used with auto-static updating. RIP for IP, RIP for IPX, and SAP for IPX can be configured with this feature.

2. What are the default static route address and subnet mask that are set up with a demand-dial routing interface?

A. IP address: 0.0.0.0, subnet mask: 255.255.255.0
B. IP address: 1.1.1.1, subnet mask: 255.255.255.255
C. IP address: 0.0.0.0, subnet mask: 0.0.0.0
D. IP address: 1.1.1.1, subnet mask: 1.1.1.1

Answer: C. The default static route address that’s assigned to your demand-dial interface is an IP address of all zeros and a subnet mask of all zeros. This allows the demand-dial interface to be the default gateway for the network.

3. Select the demand-dial authentication protocols that support two-way authentication.

A. MS-CHAP v2
B. MS-CHAP
C. EAP-TLS
D. CHAP
E. SHIVA
F. PAP

Answer: A, C. Only MS-CHAP v2 and EAP-TLS support two-way demand-dial authentication—“Hi, I’m so-and-so. Let me in! Who are you?” The others only provide one-way authentication—“Hi, I’m so-and-so. Let me in!”

4. When working with authentication protocols that utilize two-way authentication, what else is required to make them work?

A. Adjustment to remote access policies
B. Routing Internet Protocol (RIP) v2
C. Public Key Infrastructure (PKI)
D. Membership in Universal Security Group (USG)

Answer: C. Both two-way authentication protocols (MS-CHAP v2 and EAP-TLS) require a PKI so that digital certificates can be issued to requesting entities.

5. Select the two best reasons for using demand-dial routing.

A. Fault tolerance for WAN links
B. Connection to hardware routers
C. Cut down leased line expenses
D. Intermediate Data Facility (IDF)/Main Data Facility (MDF) connectivity

Answer: A, C. All demand-dial routing really means is that when routing is desired, the connection is automatically made and then taken down when the desired routing operation is concluded. The whole thing is about cutting down leased line expenses or acting as a backup link to remote sites.
Chapter 6

Designing a Management and Implementation Strategy for Windows 2000 Networking

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs. (pages 238 – 255)

Design network services that support application architecture. (pages 255 – 262)

Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS. (pages 262 – 266)

Design a resource strategy. (pages 266 – 273)

Plan for the placement and management of resources.

Plan for growth.

Plan for decentralized resources or centralized resources.
In this chapter, we’re considering Windows 2000 networking and its associated nuances, such as name-servers, remote access strategies, Dfs, and so on. What we’re predominantly interested in with this chapter is not only how the services work, but, more importantly, how you manage them. For this reason, a discussion is also included on the ramifications of the placement and management of resources and the planning for growth and decentralized versus centralized resources.
Design a strategy for monitoring and managing Windows 2000 network services. Services include global catalog, Lightweight Directory Access Protocol (LDAP) services, Certificate Services, DNS, DHCP, WINS, Routing and Remote Access, Proxy Server, and Dfs.
Typical services coming from the server farm include things like DNS, DHCP, and WINS. But with Windows 2000, we add unique new services such as LDAP and Dfs. Whether old or new, you’ll want to be able to monitor and manage Windows 2000 networking services.
Critical Information

This section is about designing a strategy for dealing with various Windows 2000 network services. For example, how does one monitor and manage the global catalog? Or LDAP? You can see the importance of why we would want to monitor such services. If they crater, we need to know why they did and how to bring things back to normal. When we talk about each of the network services and their separate monitoring and managing needs, there are three things you need to keep in mind:

Events and Alert Notification You should know what service events are important enough that you need to be alerted right away when they occur.

Anticipating Design Changes Undoubtedly, some systems will outgrow their initial design, or managers in your company will make a decision that necessitates changes to the design somewhat. It’s possible that business needs might change the use of the network, thus producing a necessary design change on your part. There are numerous conditions that might require a design change; that’s not hard to imagine. Anticipating how to react to a design change, that’s more meaningful—and spotting how the design should be changed can be very difficult.

Verifying Design Compliance Is the design being used the way that you actually planned and anticipated that it would? If not, why not? If not, do you need to correct people on the method used (probably not), or do you need to manage changes to the design so that it complies with its current use (probably)?
Global Catalog

When you began your Windows 2000 deployment, perhaps you started out with a Windows 2000 domain controller in a single domain. After some time, study, and involvement with your one domain, you found a need for additional domains. You came up with two more domains in your Windows 2000 forest, and you enabled Active Directory within each domain. For the sake of simplicity, let’s say that within each domain there is only one domain controller. The very first domain controller installed within your forest has the duty of being the global catalog for the entire forest. Here’s the idea: The domain controller in each domain is responsible for keeping track of changes to the objects in the Active Directory database.
Change or move a username? That’s a replica change, one that must be replicated to the global catalog. The domain controller that does the replication to the global catalog is said to have the function of infrastructure master. This server forwards replica changes to the global catalog. The replicas that are stored from other domains are said to be partial replicas in that not all of the properties for every object are replicated and stored in the global catalog. You can access the location where you set the global catalog by going to the domain controller you want to configure and clicking Start ➢ Programs ➢ Administrative Tools ➢ Active Directory Sites and Services (the icon will show up on the desktop as AD Sites and Services). From there, find the NTDS Settings item, and right-click it. Select Properties, and you’ll find an NTDS Site Settings Properties window where you can enable the global catalog. Following are the planning and design rules for global catalog placement:
There should be at least one domain controller per site.
You can have multiple domain controllers per site.
Each site should have at least one domain controller configured as a global catalog server, especially when the sites are connected by slow links. This way, users will receive current forest information from a local domain controller.
You can adjust the replication of objects across slow links to occur during off-peak hours.
Too many global catalog servers means too much replication, which could potentially create a bottleneck for your network.
Adding replica attributes to the objects that are already being replicated will add time and bandwidth to the network. Better to leave things as configured.

When you think about event notification, can you think of alerts you might like to get when the global catalog has a problem? I’d like to know when a global catalog server goes down. I’d also like to be alerted when too many queries are hitting any one global catalog server, which would imply that it needs a friend to help it out in the domain it’s in and that you’ve identified a need for a design change. Then, too, it could just be that people are trying to get used to the system and are performing frequent queries against it. Also, a new app that’s coming on board and makes use of AD might be making an inordinate amount of queries against the AD database.
Lightweight Directory Access Protocol (LDAP)

Access to the global catalog and the domain controllers running it is accomplished through the Lightweight Directory Access Protocol (LDAP version 3—RFC 2251). Active Directory clients need LDAP because this is how they query and subsequently access shared resources on the network. LDAP is an Internet Engineering Task Force (IETF) communications protocol that defines how directory clients access a directory service and how queries and sharing of directory data are performed. LDAP, which has been in use with Microsoft Server products for several years now, is light, efficient, and preferred over other, more rotund directory service protocols. Because LDAP is a universal standard, Active Directory can work with other directory systems via a programming interface that’s included with AD, called Active Directory Service Interfaces (ADSI). The directory is broken up into objects and their attributes. LDAP uses a hierarchical structure, somewhat similar to what you may have seen in Exchange Server, to uniquely identify each object in the Active Directory. Attributes can be shared among several different objects.

Let’s consider an LDAP example. Suppose that you have a user named Ralph in the domain. Ralph will have an LDAP common name, CN=Ralph. Since Ralph is a member of the Users group, he will also have a group designator (using the same CN designation), CN=Users. Suppose that Ralph is affiliated with the Sales group that is located in the California domain, and the domain root is VeryBigCompany.com. Then, in addition to the common name and distinguished name, you’ll also have an organizational unit (OU) and four domain components (DC), one each for the domain and the tree and two for the domain root. These would be represented as DC=California and DC=VeryBigCompany,DC=com. Thus the entire distinguished name would be CN=Ralph,CN=Users,OU=Sales,DC=California,DC=PaperProducts,DC=VeryBigCompany,DC=com. When considering Ralph’s name within the context of the domain that he’s in, his relative distinguished name (RDN) would simply be Ralph. A different way of representing this name is via a canonical name. Instead of using the distinguished name OU, CN, and DC delimiters, simply put a slash in front of the various components. Also, start with the domain root first, then proceed down the hierarchy. So the canonical equivalent of the distinguished name for the user Ralph would be VeryBigCompany.com/PaperProducts/California/Sales/Users/Ralph. Additionally, Ralph would personally have what is referred to as a user principal name (UPN)—his username followed by the @ sign and the company name (just as an e-mail address might appear). So Ralph’s UPN would be Ralph@VeryBigCompany.com. The UPN is automatically created by AD and isn’t something you need to worry about. Nor should you try appending an @ sign to his username in the hopes of helping to create a UPN. The relative distinguished name is that part of the distinguished name that represents an attribute of an object. In the Ralph example above, CN=Ralph,OU=sales,DC=verybigcompany,DC=com is the relative distinguished name for the parent object Users.
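The naming forms worked through above (distinguished name, RDN, canonical name, UPN), as an added Python example that is not from the book: it parses a DN into its components and derives the other three names from it. It builds the canonical name the way Active Directory itself displays it, joining every DC component with dots into one DNS domain name ahead of the container path, and takes the UPN suffix as a parameter because AD lets you assign an alternative suffix such as the forest root name, which is what Ralph@VeryBigCompany.com uses.

```python
import re


def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) pairs, most
    specific component first. Commas escaped as backslash-comma inside a
    value are kept (RFC 2253 escaping), and whitespace around the separators,
    such as the line-wrapped 'DC= VeryBigCompany' in the text, is ignored."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attribute, _, value = rdn.partition("=")
        pairs.append((attribute.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def relative_distinguished_name(dn):
    """The RDN is the leftmost component of the DN, e.g. 'Ralph' for CN=Ralph."""
    return parse_dn(dn)[0][1]


def domain_dns_name(dn):
    """All DC components, joined with dots, form the domain's DNS name."""
    return ".".join(value for attribute, value in parse_dn(dn) if attribute == "DC")


def canonical_name(dn):
    """Canonical form as Active Directory displays it: the DNS domain name,
    then the containers from the top down, then the object itself."""
    containers = [value for attribute, value in parse_dn(dn) if attribute != "DC"]
    return domain_dns_name(dn) + "/" + "/".join(reversed(containers))


def user_principal_name(dn, upn_suffix=None):
    """UPN: the user's name, '@', and a UPN suffix. The default suffix is the
    DNS name of the user's own domain; an alternative suffix such as the
    forest root name can be supplied instead."""
    return f"{relative_distinguished_name(dn)}@{upn_suffix or domain_dns_name(dn)}"


if __name__ == "__main__":
    # Ralph's DN as given in the text (constructed sample, not a real directory)
    ralph = ("CN=Ralph,CN=Users,OU=Sales,DC=California,DC=PaperProducts,"
             "DC=VeryBigCompany,DC=com")
    print(relative_distinguished_name(ralph))                  # Ralph
    print(canonical_name(ralph))
    print(user_principal_name(ralph, "VeryBigCompany.com"))    # Ralph@VeryBigCompany.com
```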
TIP Most Active Directory tools don’t display the CN, OU, or DC attributes, but do display the common name instead. However, it is quite useful to understand the LDAP naming nomenclature and how it maps to Active Directory.
The cool thing about LDAP is that, if you plan your domain layout right and get the OUs placed correctly, users will be able to access anybody (computer, group, or user) in the catalog quickly, providing access to what could be literally millions of objects grouped according to the logical layout of your network.
There are two caveats to managing an LDAP database. Number one is this: Don’t mess with the database schema. While the schema is extensible, it’s best to leave it alone and not modify it. Some applications might do that (Exchange 2000, for example, might add things to the schema), but you should not. Second, plan, plan, plan the layout of your future Windows 2000 network, making sure that you’ve designed the logical splits correctly, both at the VLAN and at the domain model levels. It would also not be a bad idea to try to anticipate any future changes the managers (or business needs) might want to incorporate that would subtly change the layout. If you can somehow anticipate those changes, you’ll be light years ahead of where you need to be.
Certificate Services

There are two authentication services in Windows 2000: Internet Authentication Services (IAS) and Certificate Services (CS). IAS is used for dial-in users. Certificate Services is a software service used for the authentication of entities that are requesting access to the network. Certificate Services can work with secure e-mail, digital signatures, Web-based authentication, and smart-card authentication. Windows 2000 Certificate Services uses public key encryption as its method for guaranteeing the reliability of the entity that is requesting authentication.

When you use Certificate Services, you create a certification authority (CA). The CA is responsible for vouching for the authenticity of the entity requesting to get onto the network. The CA receives certificate requests, verifies that the one presenting the certificate is the one entitled to use it (via the matching of the public and private keys), revokes certificates, and maintains published lists of revoked certificates (a certification revocation list or CRL). Servers trust what is called a “root authority.” If I have a certificate from a root authority and my certificate is not on the CRL, my certificate is considered trusted.

The CA acts as the holder of the public keys. When a user wishes to request a certificate, she uses either a Web browser or a certificate Microsoft Management Console (MMC) snap-in to connect to the CA and request a certificate. A cryptographic service provider (CSP) software component that runs on her computer generates a public key and a private key. The private key stays at the computer, the public key is forwarded to the CA and, if the criteria for granting a certificate are met, she gets the certificate. If there are criteria set up to make her certificate expire at some time (such as when a contractor will finish working for the company), her certificate would be put on a CRL upon expiration and she’d no longer have access to the network.

Certificates and groupings of CA servers (called a CA hierarchy) can be used in place of a username and password to gain access to the network, as in the case of users gaining access with a smart card. In large enterprises, you can’t get away with just one CA server (nor would it be practical from a security standpoint!), so you must design in several CA servers.

While the reasons for using a CA server are valid, there are many things to think about when considering Certificate Services. First, do you really need to have Certificate Services running on your network? In other words, does your company do work so top secret and important that it’s paramount that you keep track of who’s getting on? If so, then Certificate Services is for you. But what if you’re on an ordinary work-a-day network where that kind of security isn’t needed? Then you need to ask yourself whether it’s possible that somebody from the Internet, or a contractor, or someone in another type of partnership relationship with you could conceivably get on the network and do some damage. If so, it’s still worth your time to consider Certificate Services because, with a public key and a private key (and the certificate), you’re validating that the resource requesting to get onto the network is actually that resource, not somebody spoofing as that resource. Keep in mind, of course, that Kerberos and regular auditing can help with standard security measures.

Another consideration is that of protecting the security of the CA servers. Since they contain keys that could potentially be very valuable to those who surreptitiously gain access to them, it’s highly important that CA servers are strongly secured. What happens if the computer augers in and you lose the keys? How will you restore them? Fault tolerance becomes extremely important when discussing CA servers. Third-party certificate providers (such as VeriSign) can be used in place of Windows 2000 Certificate Services. But is it worth the money, time, and effort of putting a separate CA entity in place? And finally, it’s paramount that the designers and administrators of Certificate Services in Windows 2000 networks completely understand how public key encryption (PK) works and, more importantly, how Windows 2000 uses PK and certificates.
Name-Resolution Services

One of the more popular questions being asked by administrators everywhere is, “What happens to WINS with Windows 2000?” The question requires a dual answer. If you’re migrating a legacy Windows NT 4 network over to Windows 2000, then WINS is available and there is backward-compatibility with other WINS servers. You can maintain some legacy name-serving while performing your cutover. If, on the other hand, you’re starting from scratch, you can use DNS and don’t need WINS at all. Windows 2000 is designed to work with DNS and not WINS. Keep in mind that legacy apps may need to continue to use WINS, so you might be forced to keep a WINS server lying around for this purpose. WINS retains the old ability to use WINS proxy agents (agents that garner a NetBIOS name resolution for a non-Windows host). WINS services can now be secured across public lines by IPSec over a VPN. Also, Windows 2000 WINS can be put on a cluster server for redundancy and fault tolerance. Windows 2000 WINS supports a burst mode capability. You’d use this when you anticipate a large amount of simultaneous requests from the WINS server. The burst mode capability sends short announcements to requesting machines, telling them, in essence, “Wait! I’ll get back with you in a few minutes. Be patient, and I’ll get to you!”
WINS strategies include the judicious placement of WINS servers, creating pull partners across slow WAN links, and setting up push/ pull times after hours for slow links. It will be important to use an alerting method to notify you when WINS has stopped working for whatever reason. You’ll also want to know when replication times are taking longer than expected and if the number of queries or times to resolve queries has gone up. All of these imply a heavily loaded WINS system that needs to be dealt with. You can set up LAN-based WINS servers to provide persistent connections with one another. DNS looks very similar to the way it looked in Windows NT 4 except that, like WINS, it too uses the MMC interface. Several new features of Windows 2000 DNS make it more valuable:
DNS in Windows 2000 has a load-balancing feature, where you can group several computers together that have a common name but different IP addresses under one DNS entry. When a DNS request comes in for that name, the DNS service can answer the request either via a pre-prioritized list or in round-robin fashion. You’d use this primarily with Web or cluster servers that were load-balancing off of one another.
Recursive forward lookups allow a DNS server to forward requests for computer records it does not have, using other WINS or DNS servers to satisfy a client’s name lookup request.
Multiple Windows 2000 DNS servers can be configured to redundantly support one DNS database (for fault tolerance) or to contain separate parts of the database.
Secure zone transfers of encrypted DNS data can be sent over public lines using IPSec over VPN technology.
Incremental zone transfers consisting of just the updated parts of the DNS database can take place. These reduce the bandwidth used by DNS servers that are replicating with one another.
DHCP and WINS incorporate themselves into DNS.
If you like, you can run DNS on Windows clustering for full redundancy and fault tolerance.
Deciding how to implement DNS in the Windows 2000 network is going to be your hardest job. Chances are, unless you’re starting with a brand new installation of Windows 2000, you’ll have to pick up some legacy DNS implementation, probably based on Unix. Your desire will be to cut the entire DNS operation over to Windows 2000. Why? Because dynamic DNS will make your life so much easier by getting rid of the necessity of manually keying in all sorts of different DNS records. If you’ve ever maintained static DNS and reverse lookup tables, you know what a monstrously great achievement this new dynamic DNS thing is. With Windows 2000, DNS can reference the Active Directory and get what it needs from there. Unix hosts still have to be manually keyed in (they’re not a part of AD—you could, optionally, zone transfer to Unix BIND servers), but your job is made much simpler. You can make use of the security and speed of zone transfers and use all of the cool AD reference functions of Windows 2000 DNS. There are several good reasons for going forward with an AD-integrated DNS zone design. They are as follows:
It’s much more difficult for rogue DNS servers to impersonate valid DNS servers in an AD environment.
The DNS replication follows that of the AD replication.
There is no single point of failure in the design (because the DNS zone is a part of AD, the failure of one DNS computer would not compromise the others).
An AD-based DNS server appears to others as a primary DNS server.
A second smaller issue is the actual DNS design. You have two basic models you can draw on: the hierarchical model and the flat design with one or two DNS servers that share the DNS database. You’d use a hierarchical model in a large site with many remote locations. You would set up your first DNS box as the primary box to house all of the records for the site. Then, you would set up other DNS servers in the other areas, making them secondary servers to the primary server back at HQ. As the secondary servers replicate their data upward to the primary, the primary contains a complete listing of all computers on the network, and the secondaries only have information pertaining to their parts of the network. One potential downfall to this design is that you must almost have a DNS administrator on site at each of the secondary locations because of the need to maintain the DNS information at the site. That being said, you don’t need anything more than a basic admin that has the ability to start and stop DNS and to cycle the server if necessary.

You could opt for a flat design with one or two DNS servers that share the DNS database. You’d use this design for smaller networks with fewer users or where the name-resolution services might take place anywhere on the network and not be so geographically separated.

Managing the DNS environment is going to require some serious planning. There are several questions you have to ask yourself. For starters, how will you be notified if a DNS server goes down? Some sort of alerting methodology—such as an Enterprise Management System (EMS) like ManageX, NetIQ, or HP OpenView—might help you with this. You also need to figure out whether the current DNS structure can handle the number of requests coming in. As the system grows and requests start to tax the DNS structure, you’ll need to put extra systems into place to help balance out the load. A heavy load will also affect the amount of time it takes to replicate the database to other computers.
Internet and Remote Access Services

The management of Remote Access Services (RAS) has become very sophisticated in recent years. Not only is the list of network protocols that you might have to support much longer, but you’re also faced with new technologies. RADIUS and VPN technologies are among the new concepts that are being used more and more widely in today’s networks. Planning for and managing these RAS and Internet services are an important design component of Windows 2000 networks.
Your first consideration, one that your users will be asking of you, is whether you’re going to institute conventional dial-up RAS or go with a VPN solution. With conventional dial-up, you’d provide a bank of modems (and possibly a 1-800 number or two) that users could dial to get into the system. Conventional network protocols and authentication methods are available for dial-up users, and if added security is needed, you could institute a call-back methodology where the user must key in his phone number and then the system calls him back. This kind of RAS is widely in use today under Windows NT 4, and it works well. Standard telecommuting type users would benefit from a regular RAS installation. But there are questions. Can you afford to purchase the modems and pay for the additional monthly cost of the phone lines? If so, how many lines do you think you’ll need? Should you purchase an RAS server device that can use RADIUS or some other method, or should you just go with a set of modems that is connected to an RAS server? With VPN connections, a user dials her ISP (through whatever kind of connection she is paying for) and then tunnels into your network over the Internet via a secure VPN protocol. With this method, you have a lot more planning to do. You need a high-speed connection with an ISP. Then, you’re going to have to determine whether you want to try to accomplish this kind of telecommuting connectivity with hardware or with Windows 2000 software. If you select a hardware option, you’ll wind up purchasing special VPN switches and routers that can handle the interaction with the client. Windows 2000 supports NWLink, TCP/IP, and AppleTalk as its network protocols. It accepts a variety of authentication protocols, among them the standard MS-CHAP that has been in use for many years plus an encrypted version specifically made for Windows 2000, MS-CHAP v2. EAP-TLS is an authentication protocol used for smart-card support. 
Shiva Password Authentication Protocol (SPAP) is an authentication method used for Shiva LAN Rovers, and Password Authentication Protocol (PAP) will work for clients who are RASing in and have no other authentication capability.
250 MCSE: Windows 2000 Network Infrastructure Design Exam Notes
You also have a choice of encryption methods such as Microsoft Point-to-Point Encryption (MPPE) for PPP or PPTP protocols, and IPSec, which is used in conjunction with L2TP for VPN connections. Internet connections fall into three categories: keeping users inside and not letting them out onto the Internet, acting as an ISP, and being a “poor man’s ISP” for employees who RAS in and use the Internet. Proxy Server, a standard component in Windows 2000, will allow you to keep users, who should only be using your intranet, off of the Internet. Windows load balancing will help keep Web servers functional. Group policy objects will allow you to control who gets to do what. Event notification in RAS is easy through System Monitor. There are specific counters geared toward this function (RAS Port and RAS Total). With Web servers, you have Index service counters and event log notifications.
Distributed File System

Distributed file system (Dfs) has been in use for many years in the Windows NT 4 environment and has now found a permanent home in Windows 2000. Its idea is, instead of having users memorize tons of different shares spread across many servers, why not have one server host a program that links to the appropriate server and share when the user requests it? For example, suppose you have a server called Fred and a share on it called Files. The Universal Naming Convention (UNC) to get to this share would be \\Fred\Files. Suppose you have another server called Wilma, and it has a share on it called Shared. That UNC would then be \\Wilma\Shared. How many of these specific UNCs does a user have to memorize before she’s completely confused? So, it’s more convenient to appoint one server as the Dfs host server and have links on it pointing to the various shares out on the network. Suppose your host server is named Dino and the Dfs root is called Corp. Now your users would point to \\Dino\Corp\Files and \\Dino\Corp\Shared for their directories, but Dfs would link them to the appropriate servers and shares. This feature spells one-stop shopping for the users, but more complicated maintenance for you.
Chapter 6
Designing a Windows 2000 Networking Strategy
251
You can highly scale Dfs, creating multiple Dfs root volumes, which then replicate with one another. Since the data is published in AD, it’s available immediately after replication for all users enterprisewide. Any one path is limited to 260 characters, the only Dfs link limitation that you’d run into. As far as managing this service, the pre-installation design of Dfs is probably the most important step you can take. Where will you place your Dfs servers, and what are the shares that they’ll link to? This is all done in a common DNS namespace, so management is easy, but it’ll take time to set up.
Exam Essentials

Come up with a strategy for monitoring and managing your Windows 2000 network services. There are many services at play in a Windows 2000 network. Understand what they are and how to manage them.
Key Terms and Concepts

canonical name  The name of a network object in the form defined by the rules of the directory. In Active Directory, the canonical name is in the form domain/container/sub-container/object common name. So, the canonical name of the user bsmith in the OU called sales and in the domain called BigCompany.com would be BigCompany.com/sales/bsmith.

Certificate Services (CS)  Windows 2000 Certificate Services allows you to set up a Certificate Authority (CA) using Public Key Infrastructure (PKI). The CA is responsible for validating the authenticity and identity of the certificates. CS is used with IPSec and other Windows 2000 security services.

common name  The name by which a network object is commonly known.
distinguished name  The distinguished name identifies the domain that the object is in, plus denotes the path through the container hierarchy by which the object can be reached.

domain component (DC)  Used in Active Directory distinguished names to indicate an identifier for a part of the object’s domain. In the example /O=Internet/DC=ORG/DC=Charity/CN=Users/CN=BillyBob, the domain components are ORG and Charity.

global catalog server  The computer that houses a copy of the global catalog, the Active Directory index that contains at least a partial replica of every object in a Windows 2000 forest.

infrastructure master  A domain server role that assures object consistency across the domain.

Internet Authentication Services (IAS)  The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server.

organizational unit (OU)  Used in Active Directory, the container that denotes the organization to which individuals or groups belong. Used to ease administration of Active Directory objects and as a unit to which group policy can be deployed.

partial replicas  A database that contains only a subset of the records found in a full copy of the original database. Used in Active Directory work.

relative distinguished name (RDN)  The name of an object within its current level in the directory. For the user DC=COM/DC=MyCompany/CN=Users/CN=jim.smith, jim.smith would be the user’s relative distinguished name.

user principal name (UPN)  A user’s logon name coupled with the @ sign and the domain that the user is associated with in the forest. [email protected] is an example of a UPN.
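The naming forms defined above (distinguished name, domain component, relative distinguished name, canonical name, UPN) as an added Python example that is not from the book: it parses the slash-separated, root-first distinguished-name form the book uses and derives the other names from it. Accepting the comma-separated, leaf-first LDAP form as well is an assumption of this example, and escaping of special characters in LDAP values is not handled.

```python
"""Derive Active Directory name forms from a distinguished name.

Added example, not from the book. Input may be the book's root-first form
(DC=COM/DC=MyCompany/CN=Users/CN=jim.smith) or, as an added assumption, the
leaf-first LDAP form (CN=jim.smith,CN=Users,DC=MyCompany,DC=COM).
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "jim.smith")


def parse_dn(text: str) -> List[RDN]:
    """Parse either DN form into a root-first list of (attribute, value) pairs."""
    text = text.strip()
    if "/" in text:
        # Book form: root first, components separated by '/' (leading '/' optional)
        parts = text.strip("/").split("/")
    else:
        # LDAP form: leaf first, so reverse to get root first
        parts = list(reversed(text.split(",")))
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            # Reject anything that is not attr=value; a sloppy parser here is
            # how a name ends up resolving to the wrong object
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_components(rdns: List[RDN]) -> List[str]:
    """The DC= values, root first (ORG, Charity in the book's example)."""
    return [value for attr, value in rdns if attr == "DC"]


def dns_domain(rdns: List[RDN]) -> str:
    """Join the DC values leaf first to get the DNS domain name."""
    dcs = domain_components(rdns)
    if not dcs:
        raise ValueError("distinguished name has no domain components")
    return ".".join(reversed(dcs))


def relative_distinguished_name(rdns: List[RDN]) -> str:
    """The object's own name: the value of the last (leaf) component."""
    return rdns[-1][1]


def canonical_name(rdns: List[RDN]) -> str:
    """domain/container/.../common name, as defined in the key terms.

    Components above the domain (such as O=Internet) are not part of the
    canonical name; the container path starts after the last DC component.
    """
    domain = dns_domain(rdns)
    last_dc = max(i for i, (attr, _) in enumerate(rdns) if attr == "DC")
    path = [value for _, value in rdns[last_dc + 1:]]
    return "/".join([domain] + path)


def user_principal_name(rdns: List[RDN]) -> str:
    """Logon name, an @ sign, and the domain: jim.smith@MyCompany.COM."""
    return f"{relative_distinguished_name(rdns)}@{dns_domain(rdns)}"


def to_ldap_dn(rdns: List[RDN]) -> str:
    """Render root-first components in the leaf-first, comma-separated LDAP form."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(rdns))


if __name__ == "__main__":
    # Constructed inputs: the two DNs quoted in the key terms, plus the LDAP
    # form of the canonical-name example (bsmith in OU sales of BigCompany.com)
    for dn in (
        "DC=COM/DC=MyCompany/CN=Users/CN=jim.smith",
        "/O=Internet/DC=ORG/DC=Charity/CN=Users/CN=BillyBob",
        "CN=bsmith,OU=sales,DC=BigCompany,DC=com",
    ):
        parsed = parse_dn(dn)
        print(dn)
        print("  DCs:      ", domain_components(parsed))
        print("  canonical:", canonical_name(parsed))
        print("  RDN:      ", relative_distinguished_name(parsed))
        print("  UPN:      ", user_principal_name(parsed))
        print("  LDAP DN:  ", to_ldap_dn(parsed))
```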
Sample Questions

1. Help! You have so many UNC sharenames on the network distributed over numerous servers that your users are confused as to what to connect to. What Windows 2000 feature will help eliminate this problem?
A. RADIUS
B. Global catalog server
C. L2TP
D. Dfs
Answer: D. The Distributed file system (Dfs) is used for setting up one server that links to different UNC shares across the network. Highly scalable, Dfs will be a major improvement in the way that users access UNC shares.

2. Your three-domain Windows 2000 deployment has a domain controller in each domain. You establish a global catalog server in one of the domains. What function will the other domain controllers serve in terms of updating the global catalog?
A. Infrastructure master
B. Intranet master
C. Extranet master
D. Partial replica
Answer: A. Domain controllers that are not designated as the global catalog server automatically take on the role of infrastructure master. They are responsible for notifying the global catalog server of moves or changes to objects.

3. What Windows 2000 feature will allow users to access Exchange 2000 directory information?
A. DNS
B. LDAP
C. Certificate Services
D. Public Key Infrastructure
Answer: B. The Lightweight Directory Access Protocol allows both users and processes to access the Exchange 2000 directory. LDAP is at the heart of Windows 2000 Active Directory (AD). Since the Exchange directory is an extension of the AD schema, LDAP would be required to access the directory.

4. You have a network that is separated into two buildings. You’ve got the network set up so that each building comprises its own logical segment, but the two are connected together by a fiber optic backbone. Your server farm, including all name resolution and DHCP servers, is housed in Building A. No servers are in Building B. You are planning your Windows 2000 upgrade. In order to accomplish DHCP functionality, what servers or equipment will you need to place in Building B?
A. A DHCP Relay Agent
B. A DHCP Server
C. None
D. A Windows 2000 Router
Answer: C. Upgrading your current network to Windows 2000 will be sufficient. There is no need for introducing any further routing, nor is there a need for a DHCP relay agent. You would need a relay agent if Building B was on a routed network and the routers did not allow broadcasts across them. Since we have enough information from the case study to know that we are currently doing DHCP, there is nothing else that needs to be done apart from upgrading.

5. In a pure Windows 2000 environment, when would you still be required to provide WINS name resolution services?
A. For Windows 9x clients
B. For Macintosh clients
C. For NetBIOS-based applications
D. For non–Windows 2000 applications
Answer: C. We’re told in the question that we have a pure Windows 2000 environment, which I take to mean both clients and servers. Hence options A and B are out. Non–Windows 2000 applications may or may not require WINS, depending on how they’re written. The only option that has no gray area is C, when we need to continue to support NetBIOS-based applications.
Design network services that support application architecture.
Next we need to concern ourselves with the apps that are running on the network. We’re not talking here about somebody who has an Access database running on a file server. When we think of application architecture, we’re talking about heavy-hitter apps such as Oracle, Exchange, SQL Server, and so forth.
Critical Information

As with almost everything else we’ve discussed relative to a Windows 2000 deployment, there are two things you must consider when thinking about how to support application architectures: legacy applications and new Windows 2000 applications. But before we dive into those two things, we need to define what the term architecture might imply. Where you work, are there people who are the architects for the enterprise? That means they’re given a charge by management to find out what software and hardware can meet a company goal. You might have Windows, Unix, network, and Oracle DBA architects. Suppose that one of the mandates is that the architects are to find out what the best high-level videoconferencing system is and then make a determination as to what software and hardware is required to make the system active and viable. Network changes might need to be wrought. New computers might need to be brought in, or training might have to take place so that the stakeholders, the owners of the new system, understand how it works. Likely, several components would be involved in bringing this new system online, not just one. That’s what the framers of the Windows 2000 Infrastructure test are getting at when they put up an objective like “Design network services that support application architecture.” We need to look at the whole picture to figure out how best to support a given application. Some applications are fairly unobtrusive—meaning that they live on one box, they’re used by a handful of users, and they don’t get in the way of the enterprise, so to speak. Others are massive, requiring many hours of planning, conversation, and engineering to make sure they work correctly.
Designing Network Services to Support Legacy Applications

This is most likely going to be the bone of contention for you and your stakeholders that will slow down your Windows 2000 deployment. Suppose that you have an application that’s used daily by hundreds of users. The application runs just fine on a Windows NT 4 Server computer, though it has taken you a bit of fiddling to make sure it works correctly. You’ve gone through a couple of service pack installations and special Registry hacks, but the app has proven to be rather non-error-prone and a very dynamic tool for your enterprise. You couldn’t live without it. But now you want to introduce Windows 2000 to the network. What sort of reaction do you think the owners of the legacy app will have when you tell them about your plans? It’s possible that they’ll want you to set up a test environment and rigorously test the application on the new OS before you even consider putting Windows 2000 into production. Back to the drawing board. First you have to find out whether the company that wrote the software even supports it on Windows 2000, or if your in-house developers wrote it, you need to find out from them whether they think the code will operate on the Windows 2000 OS. There is a much higher chance of having to delay your complete Windows 2000 deployment if you have legacy apps that are complicated and used by lots of people. First, stakeholders are reluctant to migrate to a new OS just because it’s the cool thing to have, especially when the old OS works just fine. Second, there are millions of rabbit trails that you must go down when you’re figuring out how big applications work, and it’ll take some time to get all of the workarounds and special new methods in place before you can proceed.
Designing Network Services to Support New Applications

Supporting new applications is much easier because you’re starting with a known infrastructure framework—the stuff has to run on Windows 2000. Exchange 2000, for example, is designed to run with the AD, and, if you architect the computer, it’s going to live on correctly and shouldn’t give you any problems—at least relative to not being able to run correctly on Windows 2000. But imagine the huge training investment companies will have to make so that developers understand how AD works and how it’s different from the old NT 4 Security Account Master (SAM). Not to mention what Kerberos is all about, how certificate services work, and what role LDAP plays in a Windows 2000 environment. For independent, non-Microsoft coders, it’s going to be a big paradigm shift. Some apps might port just fine; others will need to be completely rewritten. An awareness of the core network services that Windows 2000 provides will help you to determine whether a new application will play nicely in the new OS sandbox. Be very cautious of vendors who maintain that their code will live just fine on a Windows 2000 box when you can read the software package’s label and clearly see that it was written for Windows NT 4. Test this kind of code in a lab environment before putting it into production.

In either of the above two cases, legacy apps or new apps, a determination needs to be made about what service(s) the app requires from the network. Then you need to determine how to adequately provide such services. For example, suppose you had a huge set of Oracle databases living on a Unix server. In the old Windows NT 4 Server days, you had things set up so that Open Database Connectivity (ODBC) with your NT servers was established and worked fine. But now you want to upgrade to Windows 2000 Server. How will you connect to the Oracle databases: ODBC, the new Services for Unix, or another method? What testing paradigm will you put in place so you know that things will work correctly? What will be your fallback plan if they don’t? How will you migrate from the old to the new? What will users experience? All valid questions. Each app that you install on Windows 2000 or move from Windows NT to 2000 needs this kind of in-depth study.
Exam Essentials

Be able to design network services that support application architecture. What are the apps? Are they legacy or to be newly installed? And what are the services associated with them that need consideration?
Key Terms and Concepts

Kerberos  A key-based authentication system developed at the Massachusetts Institute of Technology (MIT). Kerberos is designed to provide users or services, called principals, with unique keys, called tickets, that they can use to identify themselves to other principals on the network. Tickets can also be used by a principal to identify itself to cryptographic services. In Windows 2000, the Kerberos 5 concept provides a “one-stop shopping” element for users logging on to the network. If you are who you say you are when you log in, that is the only logon required for the entire time that you’re on the network.

Open Database Connectivity (ODBC)  A standardized database access method developed by Microsoft. The goal of ODBC is to make access to any data from any application possible, regardless of the relational database management system (RDBMS) handling the data. The way that this is handled is that ODBC inserts a middle layer between an application and the RDBMS. The purpose of this layer is to translate the application’s request for data into SQL commands that the RDBMS understands. For this to work, both the application and the RDBMS must be ODBC-compliant. The application must be capable of using ODBC, and the RDBMS must be capable of responding to the commands issued to it.

Security Account Master (SAM)  The listing of users and groups in a Windows NT domain.
Sample Questions

1. You are the administrator of a large network covering 12 different sites. Your fellow administrators are planning a Windows 2000 rollout. What is one thing that will impact your NetBIOS-based applications installation that you must be cognizant of as you go forward with the rollout?
A. You cannot move the DCs into Active Directory native mode.
B. You cannot do away with WINS, even if the workstations get upgraded to Windows 2000 Professional.
C. You cannot install DNS because NetBIOS-based applications don’t work with DNS.
D. You must upgrade to Exchange Server 2000 to be able to work with Windows 2000.
Answer: B. Options A and C are ludicrous. Most NetBIOS-based apps probably don’t care if you’re running on Windows 2000, especially if only the DCs have been converted to Windows 2000. You have to have DNS to work with Windows 2000. Option D is feasible, but not necessary. Even if you convert all of your computers to Windows 2000, including the workstations, you must provide WINS for name resolution if you keep any NetBIOS-based legacy Windows NT 4 applications running.

2. Why is it beneficial to begin to plan on upgrading your applications to Windows 2000-compliant versions?
A. Because they’ll be Active Directory compatible
B. Because DNS is used with Windows 2000 and is much more reliable than WINS
C. Because Windows 2000 supports much larger amounts of processors in servers, so you can run applications on very high-capacity computers
D. Because Windows 2000 has clustering built in for application fault-tolerance
Answer: A. The most important reason to investigate the possibility of upgrading your legacy apps to Windows 2000 is for the Active Directory support. With AD, application information is propagated to all DCs, providing your users with universal application access. Of course, not all applications will need to utilize AD to function, but this reason might be uppermost in your reasons for upgrading your apps to Windows 2000. Option D is also a good choice, but you’ve got to be careful here. Some apps don’t work well on clustered servers. Option C is also somewhat of a good choice, but Windows NT 4 was scalable as well, so not really. Option B is foolishness. WINS is highly reliable, and DNS takes more configuration effort, but it, too, is reliable once it’s set up correctly.

3. You’re planning a Windows 2000 server upgrade in your network. One of the application environments that you support is a telephony-based call-routing system that intercepts incoming calls, makes a decision about the nature of the call, and routes it to a customer support agent that is able to support that type of call. This system is an autonomous system that is on an independent domain of its own, yet with a two-way trust relationship into your existing network. There are only a handful of users in the call routing domain’s SAM. Unfortunately, in your Windows 2000 planning, you find that the vendor will not support you if you upgrade the computers to Windows 2000 server. How will this affect your rollout?
A. Not at all
B. Can’t move from mixed mode to native mode AD
C. Can’t move forward until this domain can move to Windows 2000
D. Will have to use legacy DNS and WINS
Answer: B. This shortcoming on the call-routing system’s part won’t hinder you from going forward with your Windows 2000 upgrade. But you will not be able to convert from mixed to native mode until all DCs are on Windows 2000. You won’t have to use legacy DNS or WINS—the call-routing servers will work just fine with Windows 2000 name resolution.

4. You’re planning a Windows 2000 upgrade. Your Unix computers, currently on BIND 4.9.3, are performing the DNS lookups for the enterprise. You want to eventually migrate to Windows 2000 DNS and dismantle the Unix DNS. What things will you have to take into consideration when thinking about legacy DNS support during migration?
A. Support for SRV records
B. Support for secure zone transfers
C. Support for AD integration
D. Support for incremental zone transfers
Answer: A. The only critical thing you’ll need when considering a legacy DNS system that’s going to be eventually replaced by your Windows 2000 DNS implementation will be the support for SRV resource records as long as the BIND version currently running on the Unix servers can support SRV resource records (which the above version of BIND cannot). The rest of the options are nice things to have in Windows 2000 DNS but aren’t showstoppers in terms of getting the deployment going.

5. When considering new applications for Windows 2000 networks, what is one critical piece of information that you might want to obtain before deciding to make the purchase?
A. Does the app utilize SRV resource records?
B. Does the app modify the AD schema?
C. Does the app use LDAP?
D. Does the app work in a clustered environment?
Answer: B. The most important question you’ll want to ask yourself is if the application modifies the AD schema. Modifications to the schema are irreversible, which means that you’ll want to carefully consider such a move. Exchange 2000 Server modifies the AD schema, but I’d certainly think it would be OK to go ahead with the installation of that particular program since it was written by the same company that wrote Windows 2000. But with an application purchased from a less well known company—one that modifies the AD schema to boot—I think I’d be careful to find out what other purchasers of the application have to say about it. The other questions are either not important to Windows 2000 (as in option D) or nonsense (as in A and C).
Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS.
We continue our discussion of network services, this time talking about how the various Windows 2000 services will interact with each other. Service interaction has been greatly heightened in Windows 2000.
Critical Information

Name-resolution problems can really wreak havoc on a network. Implementing a set of Windows 2000 networking services requires that you understand how the services interplay with one another and how you can leverage them to your benefit.
Backward Compatibility with NT 4 Networks and Name-Resolution Services

Windows 2000 DHCP servers must be authorized for AD. Windows NT 4 DHCP servers don’t have that kind of capability, but you can monitor their scopes from within the Windows 2000 DHCP program. The same is true of WINS servers. There is some added functionality in Windows 2000 WINS, namely the burst mode feature we spoke of earlier, but getting NT 4 and 2000 WINS servers to talk to each other is a piece of cake. They can act as replication partners with one another and can be manipulated from the same Windows 2000 WINS interface (found in Start > Programs > Administrative Tools).

The Windows 2000 DNS interface will not work with the old Windows NT 4 DNS. If you’re in an environment where other sources do DNS, you can’t go to dynamic Windows 2000 DNS. If your Windows NT 4 boxes were originally doing DNS, perhaps you should either move DNS to Windows 2000 or upgrade the DNS server boxes to Windows 2000 almost before any other boxes are done. That way you can take advantage of the new DNS. If AD is the heart and soul of Windows 2000, DNS is the bread and butter.
Pure Windows 2000 Networks and Name-Resolution Service Interaction

Running name-resolution services, WINS, and DNS in a pure Windows 2000 environment will be easy to set up. But you could run into problems if you decide to implement some of the fault-tolerance or security features, such as encrypted zone transfer, in the new DNS. Probably the best and wisest design scenario is to bring up your new name server services, get them running, and monitor them for incongruencies or weaknesses. Then, when you’re sure you have things nailed, go forward with the security measure that you’d like to implement. Especially with Windows 2000, a phased-in approach to getting name services working correctly is highly recommended.
Exam Essentials

Design for the interaction of Windows 2000 network services. Understand how Windows 2000 services such as WINS, DNS, and DHCP integrate with one another and be able to design network services around this interaction.
Key Terms and Concepts

Domain Name Service (DNS)  A service that maps a Fully Qualified Domain Name (FQDN) to an IP address.

Dynamic Host Configuration Protocol (DHCP)  A common TCP/IP protocol, used to automatically and dynamically allocate IP addresses and configuration information to requesting clients.

Windows Internet Name Service (WINS)  A service that maps a NetBIOS computer name to an IP address.
Sample Questions

1. What key feature allows you to send Windows 2000 DNS data across public environments such as the Internet?
A. Public key encryption
B. Dynamic DNS
C. Secure zone transfers
D. Recursive forward lookup
Answer: C. A secure zone transfer using the new IPSec protocol will make this happen.

2. You have a very small network of just a few users. You want to set them up on the Internet. What one Windows 2000 component will handle name-resolution and NAT services for you so that you don’t need multiple computers for the job?
A. Proxy server
B. Connection sharing
C. Internet authentication services
D. CA Hierarchy
Answer: B. Connection sharing acts as a NAT device and provides elementary name-server services for small networks.

3. You’re considering a phased-in approach to your Windows 2000 upgrade from Windows NT 4. When considering DHCP, what things will be affected if you do not upgrade the DHCP servers immediately to Windows 2000? Neither of your DHCP servers are DCs.
A. NT 4 DHCP cannot support Windows 2000 Professional clients.
B. NT 4 DHCP cannot support multicast clients.
C. NT 4 DHCP servers cannot be authorized in Windows 2000.
D. Nothing will be affected.
Answer: B, C. These are not big issues, though. Chances are you don’t have multicast clients, or if you do, they don’t use DHCP. Also, the authorization of Windows 2000 DHCP servers is a great thing because it keeps rogue DHCP servers from popping up on the network, but only rogue Windows 2000 DHCP servers. You could still set up an NT 4 DHCP server and hand out IP addresses with nary a peep from Windows 2000. So, in reality, there will be very little effect at all.

4. Name some features that are new to Windows 2000 WINS.
A. Support for persistent LAN connections
B. Support for persistent WAN connections
C. Support for burst mode registration
D. Support for forwarding of registration information to Windows 2000 DNS servers
Answer: A, C, D. Windows 2000 WINS supports persistent LAN connections, not WAN, which means that the registration updates get to the respective WINS servers faster than they would if they were simply on a push/pull partner basis. WINS also supports burst mode, and it can forward its registration information to DNS.

5. Suppose that you had a pure Windows 2000 network with all Windows 2000 servers and workstations. Would you still need to keep a WINS server around?
A. You might, depending upon whether the applications you had running used NetBIOS.
B. Once the cutover to pure Windows 2000 is done, you don’t have to worry about WINS.
C. Windows 2000 Professional workstations require WINS.
D. No reason at all to keep WINS lying around.
Answer: A. You still might have a legacy app or two that can play in the sandbox with Windows 2000 but requires WINS. Best to double-check before turning down the WINS servers!
Design a resource strategy.
Plan for the placement and management of resources. Plan for growth. Plan for decentralized resources or centralized resources.
We arrive at the end of this chapter, having thought and talked an awful lot about various network resources: WINS, DHCP, DNS, AD global catalog servers, LDAP, RAS, and Internet services, among others. Does your design plot out the various things you need to know about the resources involved in making these things happen?
Critical Information

We start out with a discussion on planning for the placement and management of resources, then planning for growth, and then planning for centralized versus decentralized resources.
Planning for the Placement and Management of Resources

Here are some examples of questions to think about in designing a resource strategy that will adequately handle the new network:
Are the computers you intend to use for the new purpose on the Windows 2000 Hardware Compatibility List (HCL), and are they able to adequately handle the task?
Do you have enough displacement of computers? In other words, if your enterprise covers large geographic distances, do you have redundant computers to handle things like name server services and AD? You can handle the replication issues over slow links later on at deployment time, but you need to make sure you have the enterprise covered in terms of componentry at all hot spots.
Will geographically separated sites run RAS? If so, will their RAS servers be local to them or to you? If local to you, will you have a toll-free number?
What about the Web servers? Are they on a demilitarized zone (DMZ)? Is there firewall protection for them? Will they participate in Windows 2000? (If there’s a fear about moving to the new OS, perhaps they may not need to since they’re in a separate domain.) What is the firewall protection like? If users need to use the intranet, where and how will they access it?
Will you have to support legacy applications and be backward-compatible with Windows NT 4 servers for a time? If so, do you know how long? What about name server services—can you bring them up on Windows 2000 right away, or do you have to use legacy name server support for a time?
Which sites will have global catalog servers? WINS servers? DNS servers?
Will you use dynamic DNS and the various security methodologies that are supported in the new DNS?
How will you monitor events and provide alerting for yourself and other administrators when a component has a problem? Will you strictly try to use System Monitor? Will you try to implement a third-party EMS (Enterprise Management System)?
How will you handle design changes, both pre- and post-deployment? Do you think you can spot trouble spots before they become big flameouts? If so, what will your design-compliance strategy be?
All of these questions come into play when you begin to consider the placement of network services resources on a Windows 2000 network. Making sure the TCP/IP design works and is solid will go a long way toward helping you get the answers you need to the above questions. Trying to figure out something that you think is a network services problem, when in fact you have a TCP/IP issue, will not be a happy time in your deployment life.

Weak WAN circuits need to somehow be dealt with. In a Windows 2000 design, with all of this network services activity taking place across many different servers in different locations, you might be required to take another look at the WAN connectivity and spruce it up before you go forward with the rollout.

The people resources required in order to manage these various network services servers might present another problem for you. For example, you know that you’re probably going to have to place a second DNS box out in your Johannesburg, South Africa site. But you don’t have any skilled Windows NT or Windows 2000 administrators there who can help troubleshoot the computer if it has a problem. You have some junior people there whom you could work with over the phone, but they’re 18 hours away from you in Kentucky, and you’ll be working in the middle of the night!
Chapter 6
Designing a Windows 2000 Networking Strategy
269
Planning for Growth

Not only do you have to plan for the initial placement of resources, you must also plan for the growth of various sites. Certain sites are probably going to be more prone to growth than others. If you could somehow figure out what those sites might be ahead of time, you could allocate additional resources to those sites in anticipation of that growth.

Growth also comes into play when you think about the server farm. You start out with 10 servers and all of a sudden you’re up to 25! How did that happen? Very often you find that you’re suffering from “urban sprawl” on your servers and some consolidation might be in order.

Lately, a big discussion topic has been whether you should centralize a great deal of your computing resources on one or two mammoth multi-processor computers. The major problem with this approach is that you’ve introduced a Single Point of Failure (SPOF) of vast proportions. If the server dies for any reason, you’ve lost a great deal of your enterprise’s computing power. You’d need to cluster the server to make sure it’s fault-tolerant.
Planning for Decentralized or Centralized Resources

Decentralized resources that are geographically far away from one another present a unique challenge. You might have administrator problems (either by virtue of not having any administrators in the remote site or not being sure of who the administrator is), and you might have connectivity issues with slow or nonexistent WAN circuits. You can use Windows 2000 dial-up connections to provide RAS connectivity between sites. The more subjective problem might be pinpointing and solving the administrator issues.

Centralized resources are easier to plan and manage, but unless you have great WAN connections to outside sites, users will become frustrated with the slowness associated with trying to use the resources. A decentralized model is hard to administer but easier on users, while the opposite is true with a centralized model. This, of course, has everything to do with the speed of the connecting WAN circuits (if any). Windows Terminal Server is a great workaround to some of the problems associated with a centralized methodology, because users RAS in with their own computers and run the applications they need from centralized servers.

You might encounter other issues, such as where to place DHCP and DNS servers. Slow WAN circuits, lack of administrative resources, and the need for redundancy and backups might force you to design in added servers at other sites. Then the question becomes, “who’s going to manage these new resources?” In a centralized environment, you would handle that chore. In a decentralized environment, somebody else might have to.

An interesting topic that comes up when you begin considering the centralization or decentralization of resources centers around name-resolution services. If you have, for example, several WINS servers based all over the country, is it feasible to bring all WINS name-resolution activities into one central area and consolidate them to, say, two servers? Ditto for DNS. The converse could be a question too. If you have only two WINS servers, but you find that you’re experiencing WINS resolution problems in outer areas, should you consider introducing some more WINS servers in these outlying areas? What are the ramifications of doing so?
Exam Essentials

Be able to design a resource strategy that accounts for the placement and management of resources, the growth of resources, and decentralized and centralized resources. Understand how your network’s resources are placed today and cleverly design any changes that you might like to introduce as you move forward with a Windows 2000 rollout.
Key Terms and Concepts

NOTE You should already be familiar with the key terms and concepts that were discussed in this section. They have been introduced and covered in other sections of this chapter, and, in some cases, in other chapters as well.
Sample Questions

1. You work for a company that has offices in New Zealand, Hong Kong, and Los Angeles; you’re based in the L.A. office. The offices are connected by slow WAN links. What would your resource strategy revolve around?

A. Decentralized resources
B. Centralized resources
C. Connection-sharing resources
D. DCOM object resources

Answer: A. Slow WAN links mean only one thing—distributed resources. That may open up a whole can of administrative worms, but name-server services are much better served by drawing local resources than by tying up WAN circuits.

2. You have several outer sites that are comprised of just one server. These sites, called “spoke sites,” have only a few users in each office. Each of the servers is a DC. There are no administrators in these outlying areas. Can you name some methods that you might use to be able to effectively administer these computers?

A. Systems Management Server 2 remote tools
B. No good alternative
C. PC-Anywhere
D. User at each office
E. Terminal Server

Answer: A, C, D, E. This is a complicated situation. Here you have servers out in tiny little user sites. These servers will undoubtedly need administrative assistance from time to time. For example, how are you going to verify that the virus signature files for each server were safely downloaded from the Web and applied on a regular basis? There are good solutions to this problem, the most popular of which is probably Symantec’s PC-Anywhere. But SMS 2 will work equally well and give very robust remote tool access to your servers. Option C is sketchy because it’s difficult to get users who are highly literate and can communicate to you what’s going on. If you see a question similar to this on the test, go with SMS.

3. You’re a network design consultant that has been retained to design a brand new network for a start-up “dot-com” company. This company has several remote geographic locations but only a handful of users at each location. The WAN links have been previously ordered and are robust. What will be one of your biggest resource strategy issues that you face with this rollout?

A. No admins at the remote sites
B. Name-resolution services at each site
C. Not enough money for servers
D. Whether to implement hardware versus software routing

Answer: A. Probably the biggest issue you’ll face with this rollout, in terms of resource strategies, is that you probably won’t have admins at each remote site. This means a centralized approach, including name-resolution services and others. We’re not told if we have money for servers or not. The WAN links are already up, implying that we’re doing hardware routing.

4. In multiple domain sites, how many global catalogs (GCs) do you have to have?

A. One per domain
B. One per organizational unit
C. One per forest
D. One per tree

Answer: C. You have to provide one GC per forest. Typically the first domain controller in the forest serves the function of GC, but you can move the function later on as you add DCs or you can add more GCs.

5. You have a three-site network. All sites are separated by geographic distance but are connected by WAN links. You have a WINS server in each site. How will you make sure that the WINS servers share their information with one another?

A. Active Directory integration
B. Push/pull partnerships
C. Persistent connections
D. Integrate into DNS

Answer: B. WINS doesn’t integrate into Active Directory. It’s included with Windows 2000 for legacy support of NetBIOS name resolution. Persistent connections between WINS servers are a LAN-based thing, not WAN-based. While WINS can talk to DNS, this is not the way to get the three WINS servers in sync with one another. A push/pull partner relationship is needed to accomplish this.
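To make the push/pull mechanism behind the answer to question 5 concrete, here is an added example that is not from the book and is not Microsoft’s WINS code: a simplified Python model of three WINS servers where the two outlying sites partner only with a hub. The server names WINS-A/B/C, the NetBIOS names and addresses, the hub-and-spoke topology, and the push threshold are all constructed for the illustration. The model keeps only the parts of the mechanism that matter for the design question: each server stamps the records its own clients register with an owner-local version ID, a pull partner asks for every record newer than the highest version it already holds per owner, and a push notification simply makes the partner pull.

```python
from __future__ import annotations

from dataclasses import dataclass

# Simplified model of WINS push/pull replication. This is a constructed
# illustration for the design question above, not Microsoft's WINS code:
# it keeps only owner-assigned version IDs, "send me everything newer than
# what I hold per owner" pull requests, and push notifications that make
# the partner pull. Server names, NetBIOS names and addresses are made up.


@dataclass(frozen=True)
class Record:
    name: str      # NetBIOS name
    address: str   # IP address registered for the name
    owner: str     # WINS server that accepted the registration
    version: int   # assigned by the owner, increases with every change


class WinsServer:
    def __init__(self, name: str, push_threshold: int = 1):
        self.name = name
        self.db = {}                 # (owner, name) -> Record
        self.next_version = 1        # owner-local version counter
        self.pull_partners = []
        self.push_partners = []
        self.pending_updates = 0     # local changes since the last push
        self.push_threshold = push_threshold

    def register(self, name: str, address: str) -> Record:
        """A client in this site registers (or re-registers) a name."""
        rec = Record(name, address, self.name, self.next_version)
        self.next_version += 1
        self.db[(self.name, name)] = rec   # a newer version replaces the old
        self.pending_updates += 1
        return rec

    def owner_versions(self) -> dict:
        """Highest version ID held locally for each owning server."""
        highest = {}
        for (owner, _name), rec in self.db.items():
            highest[owner] = max(highest.get(owner, 0), rec.version)
        return highest

    def records_newer_than(self, known: dict) -> list:
        """Answer a partner's pull request: only records it has not seen."""
        return [r for r in self.db.values() if r.version > known.get(r.owner, 0)]

    def pull_from(self, partner: WinsServer) -> int:
        """Pull replication: ask the partner for what we lack and store it."""
        new = partner.records_newer_than(self.owner_versions())
        for rec in new:
            self.db[(rec.owner, rec.name)] = rec
        return len(new)

    def push(self) -> None:
        """Push replication: after enough local changes, notify each push
        partner, which responds by pulling from us."""
        if self.pending_updates >= self.push_threshold:
            for partner in self.push_partners:
                partner.pull_from(self)
            self.pending_updates = 0


def make_partners(x: WinsServer, y: WinsServer) -> None:
    """Configure x and y as mutual push/pull partners."""
    for s, t in ((x, y), (y, x)):
        s.pull_partners.append(t)
        s.push_partners.append(t)


def pull_cycle(servers) -> int:
    """One scheduled pull interval: every server pulls from its partners."""
    return sum(s.pull_from(p) for s in servers for p in s.pull_partners)


def names_held(server: WinsServer) -> dict:
    return {r.name: r.address for r in server.db.values()}


def run_three_site_scenario() -> dict:
    """Three sites; A and C partner only with hub B (constructed topology)."""
    a, b, c = WinsServer("WINS-A"), WinsServer("WINS-B"), WinsServer("WINS-C")
    make_partners(a, b)
    make_partners(b, c)
    a.register("FS-ALPHA", "10.1.0.20")     # constructed registrations
    c.register("FS-GAMMA", "10.3.0.20")
    a.push()
    c.push()
    after_push = {s.name: names_held(s) for s in (a, b, c)}
    pull_cycle([a, b, c])
    after_pull = {s.name: names_held(s) for s in (a, b, c)}
    # FS-ALPHA moves to a new address: its owner issues a higher version ID,
    # so partners replace the stale copy on their next pull.
    a.register("FS-ALPHA", "10.1.0.21")
    a.push()
    stale_at_c = names_held(c)["FS-ALPHA"]
    pull_cycle([a, b, c])
    return {
        "after_push": after_push,
        "after_pull": after_pull,
        "stale_at_c": stale_at_c,
        "final": {s.name: names_held(s) for s in (a, b, c)},
    }


if __name__ == "__main__":
    for stage, value in run_three_site_scenario().items():
        print(stage, value)
```

Running it shows two things the exam answer only names: a spoke site that partners only with the hub sees the other spoke’s registrations one pull interval after the hub does, and a re-registered name replaces the stale copy at every partner rather than coexisting with it, because the partner compares version IDs per owner. In a real WINS design the pull interval and push threshold set that replication lag, which is what an administrator should measure before concluding that an outlying site needs a WINS server of its own.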
Index

Note to Reader: In this index, boldfaced page numbers refer to primary discussions of the topic; italics page numbers refer to figures.
A
ACK, 102 acquisitions, 17–19 active/active cluster, 187 Active Directory Dfs root and, 162 and DHCP, 127 integration, 135 in RRAS, 198 virtual private network and, 224 Active Directory Integrated DNS Zone, 145 Active Directory Service Interfaces (ADSI), 241 active/passive cluster, 187 alerts from network services, 239 annual report, 25 ANSI character set, 138 APIPA (automatic Private IP Addressing), 119 AppleShare, 156 AppleTalk, 72, 151, 157 AppleTalk Control Protocol (ATCP), 151, 157 AppleTalk zones, 157 application server services, 57 application software network services, 255–259 support for legacy applications, 256–257 support for new applications, 257–258 applications managers, 80 architecture, 255–256 ATCP (AppleTalk Control Protocol), 151, 157 ATM (Asynchronous Transfer Mode), 102 authentication mutual, 234 in RRAS, 196–197 in virtual private network, 219 authentication protocols, 220–221 auto-static routing, 118 auto-static updates, 233, 234 autocratic leader, 14, 19 automatic Private IP Addressing (APIPA), 119
B
backbone, 55, 103–104 of Internet, 230 BackOffice, in Windows 2000 environment, 69–70 backout procedures, 40, 42 backup managers, 79 and disaster recovery, 94 backups, and Dfs, 167 backward compatibility, 263 bandwidth assessing net available, 54–55 user impact on, 199 Banyan Vines servers, 156 Basic Rate Interface (BRI), 212 Berkeley Internet Name Domain (BIND), 145 BGP (Border Gateway Protocol), 113, 118, 119 BIND (Berkeley Internet Name Domain), 136, 145 support for Windows 2000 DNS, 138 Bindery mode (NetWare), 150 bits per second, 54 board of directors, 13 Bootstrap Protocol (BootP), 56, 62 Border Gateway Protocol (BGP), 113, 118, 119 bottlenecks, 6, 9 branch offices, 5 BRI (Basic Rate Interface), 212 broadcasts, reducing, 111 burst-mode name recognition, 141, 145 bus topology, 102 business model analysis, 3–9
C cabling, 71, 103–104 caching Web page requests, 174 call-back for dial-up remote access, 249 canonical name, 242, 251
carrier, 212 Carrier Sense Multiple Access with Collision Detection (CSMA/CD), 103 centralized or decentralized resources, 269– 270 certificate authority servers, 219, 220 Certificate Services (CS), 243, 251 monitoring, 243–245 Challenge Handshake Authentication Protocol (CHAP), 197, 221 change-management process, 39–41, 42 documentation, 40 CHAP (Challenge Handshake Authentication Protocol), 197, 221 Chooser, 157 AppleShare, 152 CIDR (Classless Internet Domain Routing), 113, 114, 119 CIR (Committed Information Rate), 54, 62 Class A subnet mask, 108, 113 Class B subnet mask, 108, 113 Class C subnet mask, 108, 113 Classless Internet Domain Routing (CIDR), 113, 114, 119 client-server infrastructure, 82 or web-based infrastructure, 68–69 Client Services for NetWare (CSNW), 151 clients, 69 disaster recovery for, 94 optimization in WINS, 142 privacy for connecting via public networks, 217–218 cluster-aware applications, 186 cluster host, in Network Load Balancing, 186 cluster server in Windows 2000, 128 vpn servers on, 222 clustering, 186 collision of packets, 104 Committed Information Rate (CIR), 54–55, 62 common name, 241, 251 communications flow, 6–7 company influences priorities, 24–26 tolerance of risk, 26–29 company model, 4–6 company processes, analyzing, 6–8 company size, and user and resource distribution, 50–53
Computer Associates Unicenter, 58 Computer Management (Windows 2000), 153 connections. See also demand-dial routing between worksites and remote sites, 53– 54 consultants, 38 convergence time, 142–143, 145 core switch, 103, 104 cost center, 42 IT department as, 36–37 cost of operations, total, 30–31 cowboys, 89, 90 crosstalk, 71 cryptographic service provider, 244 CS (Certificate Services). See Certificate Services (CS) CSMA/CD (Carrier Sense Multiple Access with Collision Detection), 103 CSNW (Client Services for NetWare), 151 customer relationships, 17
D data access patterns, 58 Data Link Control (DLC), 53, 62, 73 database administrators, 80 Database Consistency Checking, 143 databases, location, 180 decentralized, 42 decentralized or centralized resources, 269– 270 decision-making processes, 8, 41 delegated domains, 135, 145 deltas, 55 demand-dial routing, 119, 228–234 fault-tolerance, 231–232 installing and configuring, 232 issues, 233 lease line cost reduction, 229–230 routing table update, 232–233 Demilitarized Zone (DMZ), 135, 145, 179– 180 proxy server in, 174 RADIUS servers inside, 209–210 RRAS server in, 195 VPN server in, 218 WINS server in environment, 143
DES (Digital Encryption Standard), 225 device drivers, Windows 2000, 51 Dfs. See Distributed file system (Dfs) Dfs root, creating, 162 DHCP (Dynamic Host Configuration Protocol), 75, 122–131, 130, 264 Active Directory and, 127 design for remote locations, 123–126 growth strategies, 26 integrating with Windows 2000, 126–128 lease length, 129 measuring and optimizing infrastructure design, 128–130 multiple DHCP servers and, 130 relay agents, 125–126 in routed environment, 123 virtual private network and, 224 DHCP Administrators group, 126 DHCP relay agent, 130 DHCP Users group, 127 dial-up remote access, 249 implementation strategy, 192–212 Digital Encryption Standard (DES), 225 Digital Subscriber Line (DSL), 193 disaster recovery, 93–95 discard-eligible packets, 55, 63 Disney's First Law Risk, 28–29 distinguished name, 242, 252 Distributed file system (Dfs), 161–168 mapping to corporate shares, 163 monitoring, 250–251 placement of root, 161–165 replica setup, 164–165 DLC (Data Link Control), 53, 62, 73 DMZ (Demilitarized Zone), 135, 145, 179– 180 proxy server in, 174 RADIUS servers inside, 209–210 RRAS server in, 195 VPN server in, 218 WINS server in environment, 143 DNS (Domain Name Service), 75, 101, 264 deployment strategy, 138–139 measuring and optimizing infrastructure design, 136–138 optimization and tuning, 137–138 round-robin, 221–222, 226 virtual private network and, 224 in Windows 2000 environment, 246–247, 263
domain component, 241, 252 domain controller, 239 domain root, 162, 167 domains, delegated, 145 DoS attack (denial of service), 60 DSL (Digital Subscriber Line), 193 dual-CPU computer, as WINS server, 141 dynamic DNS, 247 Dynamic Host Configuration Protocol (DHCP). See DHCP (Dynamic Host Configuration Protocol) dynamic routing, 118
E e-mail, 6 monitoring traffic, 90 server access design, 180–181 e-mail managers, 80 EAP-MD5 CHAP, 220 EAP-TLS (Extensible Authentication Protocol-Transport Level Security), 197, 220 public key infrastructure, 230 encryption in RRAS, 197–198, 208 in virtual private network, 220 enterprise infrastructure, or workgroup, 67– 68 Ethernet adapter, for Macintosh computer, 152 EtherTalk, 151, 157 event notification, from global catalog problems, 240–241 Event Viewer, 234 exam essentials, 234 business model analysis, 8–9 business requirements analysis, 31 corporate structure analysis, 19–21 DHCP, 130 disaster recovery strategy, 94 Distributed file system (Dfs), 167 DNS, 144–145 Internet access, 181–182 infrastructure of network, 81–82 IT management structure, 41–42 load balancing, 188 network services to support application architecture, 258 network topology, 104
protocols, 156 resource strategy, 270 RRAS and RADIUS, 212 TCP/IP, 119 technical environment, 61–62 user needs, 90 virtual private network (VPN), 225 Exchange server, 56 executive users, 89 Extensible Authentication Protocol-Transport Level Security (EAP-TLS), 197, 220 public key infrastructure, 230 extranet, 182
F fault-tolerance in RADIUS configuration, 210 in ring networks, 102 for WAN links, 231–232 monitoring, 76 FDDI (Fiber Distributed Data Interface), 102 fiduciary duty, 13, 19 File and Print Services for NetWare (FPNW), 151 File Replication Service (FRS), 166 file server services, 56 File Services for Macintosh, installing, 153, 153 file sharing, in Unix, 154 firewalls, 60, 75 design, 175 IP address for, 109 Proxy Server and, 173 screened subnet between, 135 folders, security for, 60–61 forward lookup zone, 146 FPNW (File and Print Services for NetWare), 151 FRS (File Replication Service), 166 funding, 36–37 Windows 2000 rollout, 26
G Gateway Service for NetWare (GSNW), 150– 151 geographical scope of business, 4–6
global catalog server, 240, 252 monitoring, 239–241 government organization, 16 funding, 36 government restrictions on encryption, 207 growth strategies, 26, 269 GSNW (Gateway Service for NetWare), 150– 151 guest, as Macintosh login, 152
H h-node (hybrid node), 139, 146 hands-on managers, 15, 20 hardware assessment of, 77–78 for demand-dial routing as WAN link fault tolerance, 231–232 for virtual private networks, 223 Hardware Compatibility List, 267 Hewlett Packard OpenView, 58 host, 157 Host Integration Server 2000, 156, 157 hostile takeovers, 18, 20 hosts, 73–74 hosts file, 73 Hummingbird, 154 hybrid node (h-node), 139, 146
I
IAS (Internet Authentication Services), 243–245, 252 IBM Corporation, Systems Network Architecture (SNA), 155–156 ICMP attack, 60, 63 ICS (Internet Connection Sharing), 177–179 IDF (Intermediate Distribution Facility), 55 IEEE (Institute of Electrical and Electronics Engineers), 101, 103 IGMP (Internet Group Management Protocol), 51, 63, 118, 119 information flow, 6–7 infrared-device protocols, 73 infrastructure managers, 80 infrastructure master, 240, 252 infrastructure of network, 66–83 analyzing, 70–71, 71 analyzing TCP/IP, 76–77 BackOffice and server applications, 69–70 client-server or web-based, 68–69 enterprise or workgroup, 67–68 hardware assessment, 77–78 hosts, 73–74 network management and, 79–81 protocols, 72–73 technical support structure analysis, 78–79 upgrades and rollouts, existing and planned, 78 initial master, 165, 167 initial public offering (IPO), 18, 20 installing demand-dial routing, 232 File Services for Macintosh, 153, 153 Network Load Balancing (NLB), 187 Institute of Electrical and Electronics Engineers (IEEE), 101, 103 integrated DNS design, 134 IntelliMirror (Windows 2000), 56 Interactive Voice Response (IVR), 52, 63 Intermediate Distribution Facility (IDF), 55 international company, 5, 9 Internet monitoring services, 248–250 private network connection to, 173 WINS traffic on, 140 Internet access connection sharing, 175–179 firewalls, 175 mail server access, 180–181 NAT (Network Address Translation), 175–176 proxy server implementation design, 173–174 RRAS (Routing and Remote Access Service), 176–177 Web server access solution, 179–180 Internet Authentication Services (IAS), 243–245, 252 Internet Connection Sharing (ICS), 177–179 Internet Explorer Administration Kit, 174 Internet Group Management Protocol (IGMP), 51, 63, 118, 119 Internet Protocol Security, 197 Internet Server API (ISAPI), 75–76, 182 filters, 173 internetwork managers, 80 Internetworking Packet Exchange (IPX), 150, 157 intruders, protecting network against, 60–61 IP address for Internet Connection Sharing, 178 pools, 177 IPConfig, 131 IPO (initial public offering), 18, 20 IPSec (IP Security), 73, 206 certificate authority server for, 220 IPX (Internetworking Packet Exchange), 150, 157 IPX/SPX, 72 ISAPI (Internet Server API), 75–76, 182 filters, 173 ISDN (Integrated Services Digital Networks), 193 IT management structure, 35–43 funding, 36–37 IVR (Interactive Voice Response), 52, 63
K Kerberos, 258
L L2TP (Layer 2 Tunneling Protocol), 73, 82 PPTP vs., 219 laissez-faire management style, 15, 20 Last Writer Wins, 166 LATA (Local Access and Transport Area), 229 latency of network, 55, 63 laws, identifying relevant, 29–30 Layer 2 Tunneling Protocol (L2TP), 73, 82 LDAP (Lightweight Directory Access Protocol), 241–243 lease, length in DHCP, 129 leased lines, costs, 217 legacy applications, network services support, 256–257 Lightweight Directory Access Protocol (LDAP), 241–243 Line Print Daemon (LPD), 53, 63, 154
line printer (LPR) port, 154 link replica, 164–165, 168 creating, 166–167 links in Dfs, 162 creating, 163–164 Linux users, 88 LMHOSTS file, 139–140, 146 load balancing strategy, 185–188 Local Access and Transport Area (LATA), 229 local company, 4, 9 LocalTalk, 151, 157 log in Event Viewer, 234 logical network management, 59 loose-bundle system, 15, 20 LPD (Line Print Daemon), 53, 63, 154 LPR (line printer) port, 154 Lucent Technologies, QIP, 75
M Macintosh systems protocols, 151–153 users, 88 MADCAP (Multicast Address Dynamic Client Allocation Protocol), 131 mail server, access design, 180–181 Main Distribution Facility (MDF), 55 management models, 14–17 managerial network management, 59 managerial users, 89 managers, of the network, 79–81 MDF (Main Distribution Facility), 55 megabits per second, 103 megabytes per second, 103 messaging services, 56 metrics monitoring, 74–75 Microsoft Challenge Authentication Protocol (MS-CHAP), 73, 196, 221 Microsoft Challenge Authentication Protocol (MS-CHAP v2), 196, 221 Microsoft Directory Synchronization Services (MSDSS), 157 Microsoft Point to Point Encryption (MPPE), 73, 197–198, 206, 212 Microsoft Proxy Server implementation design, 173–174 ISAPI filter support, 75–76 mid-management, 14
middleware, 68 minimal skill risk, 28 monitoring Windows 2000 network services, 238–252 certificate services, 243–245 Distributed file system (Dfs), 250–251 global catalog server, 239–241 Internet and remote access services, 248– 250 LDAP (Lightweight Directory Access Protocol), 241–243 name resolution services, 245–248 MPPE (Microsoft Point to Point Encryption), 73, 197–198, 206, 212 in virtual private network, 220 MS-CHAP (Microsoft Challenge Authentication Protocol), 73, 196, 221 MS-CHAP v2 (Microsoft Challenge Authentication Protocol), 196, 221 MSDSS (Microsoft Directory Synchronization Services), 157 multicast, 131 multicast mode, for Network Load Balancing, 187 multiple servers for DHCP, 130 mutual authentication, 230, 234
N n-tier client/server applications, 56, 68, 83 NACK, 102 name resolution services, 133–147 design process, 134–135 monitoring, 245–248 order of, 139 secure zone transfers, 135–142 in Windows 2000 environment, 263 WINS server name resolution performance measurement, 142–143 NAT (Network Address Translation), 118, 175–176, 182 national company, 4–5, 9 National Institute of Standards and Technology (NIST), 226 NDS (NetWare Directory Services), 150 negative caching, 146 NetBEUI, 72 NetBIOS clients, use of WINS proxy agent, 143
NetIQ, 174 NetWare IPX/SPX support for, 72 protocols, 150–151 NetWare Directory Services (NDS), 150 network connectivity assessment, 53–54 disaster recovery for, 94 evaluating services, 74–76 infrastructure, 50, 51–52 load balancing, 186–187 monitoring services, 74 roles and responsibilities, 58–59 Network Address Translation (NAT), 118, 175–176, 182 Network File System (NFS), 154, 157 Network Load Balancing (NLB), 186, 188 installing, 187 network management software, 81 network management system (NMS), 74, 83 Network Operations Center (NOC), 74 network sniffing, 59 neutral style of management, 15, 20 New Dfs Root Wizard, 162 NFS (Network File System), 154, 157 NIST (National Institute of Standards and Technology), 226 NLB (Network Load Balancing), 186, 188 installing, 187 NMS (network management system), 74, 83 no-pain no-gain risk, 29 NOC (Network Operations Center), 74 node, in Microsoft Cluster Server, 186, 187 node type, 139, 146 non-hostile takeovers, 18, 20 NOS managers, 80 not-for-profit organizations, funding, 37 NSLOOKUP, 137, 146
O ODBC (Open Database Connectivity), 258– 259 Open Shortest Path First (OSPF), 51, 63, 113, 118, 119 operating systems, 74 operations, total cost of, 30–31 optimizing DHCP server, 129
Oracle Corporation, Webex, 56 organizational structure analyzing, 12–21 identifying, 13, 13–14 organizational unit, 241, 252 OS/2 users, 88 OSPF (Open Shortest Path First), 51, 63, 113, 118, 119 outsourcing, 42 risk from, 37–39
P packet collision, 104 PAP (Password Authentication Protocol), 197, 221, 249 partial replicas, 240, 252 partners, 17 performance monitor. See System Monitor (Windows 2000) persistent connections, 177, 182 in demand-dial routing, 233 personnel communications, 6–7 distribution, 53 as resource, 268 physical network management, 58–59 PING command, 115–116, 137 to measure WINS server name resolution, 142 PKI (Public Key Infrastructure), 230, 234 plain old telephone service (POTS), 212 political management style, 15, 20 POTS (plain old telephone service), 212 power users, 87, 90 PPP (Point to Point Protocol), 119 PPTP (Point to Point Tunneling Protocol), 72, 83 vs. L2TP, 219 Prebook execution environment (PXE), 63 print managers, 80 print server services, 57 Print Services for Unix, 154 printers distribution, 50, 52–53 information about, 77 printing by Unix computers, 154 priorities of company, 24–26
private key, 244 private network, connection to Internet, 175 Private Reserved Range, 107, 119 private sector funding, 36–37 product life cycle, 7, 7 professional users, 89 profit center, IT department as, 36–37 project manager, 38 project-oriented manager, 15, 20 projected growth strategies, 26 protocols, 72–73, 149–158 authentication, 220–221 Macintosh systems, 151–153 NetWare, 150–151 Proxy Server filters for, 173 RADIUS support, 202 in RRAS, 196 SNA (Systems Network Architecture), 155–156 Unix, 154–155 provisioning, 193, 212 proxy agents, WINS, 139 proxy array, 174, 183 proxy servers, 60 implementation design, 173–174 public key encryption, in Windows 2000 Certificate Services, 243–244 Public Key Infrastructure (PKI), 230, 234 public networks client privacy when connecting, 217–218 secure connectivity over, 216–217 push/pull partner, 139, 146 PXE (Prebook execution environment), 63
Q QIP (Lucent Technologies), 75 Quality of Service, 217
R RADIUS (Remote Authentication Dial-In User Service) protocol, 73, 83, 200–211 client needs assessment, 202–203 client/server model, 201 optimization and tuning, 211 security, 205–206 uses for, 201, 209
and virtual private networks, 222 RAS switches, 52 RDN (relative distinguished name), 252 redundancy in DNS design, 137 in RADIUS configuration, 210 regional company, 4, 9 regulations, identifying relevant, 29–30 relative distinguished name (RDN), 242, 252 relay agents, 130 for DHCP, 125–126 remote access policies, and RADIUS, 207– 209 remote access services, 155. See also dial-up remote access monitoring, 248–250 Remote Execute executable (REXEC), 155 remote monitoring (RMON), 74, 83 remote network administration, VPN for, 217 replicas in Dfs, setting up, 164–165 replication of Dfs root, 165–167 to global catalog, 240 of links, 166–167 reserved IP address, for NAT (Network Address Translation), 175 resource distribution, company size and, 50– 53 resource record, 146 resource strategy, 266–271 decentralized or centralized resources, 269–270 placement and management of resources, 267–268 planning for growth, 269 return on investment (ROI), 30–31 reverse hosting, 179, 183 REXEC (Remote Execute executable), 155 ring topology, 102 RIP (Routing Information Protocol), 51, 63, 113, 118, 120 risk, 31 from outsourcing, 37–39 risk tolerance of company, 26–29 RMON (remote monitoring), 74, 83 ROI (return on investment), 30–31 rollouts, 83 existing and planned, 78
root authority, 243 root replica in Dfs, 164, 168 strategy design, 165–167 round-robin DNS, 221–222, 226 routed environment, remote access in, 194– 195 routers, 71 distribution, 50, 51 information about, 77 Routing Information Protocol (RIP), 51, 63, 113, 118, 120 routing table, updating in demand-dial routing environment, 232–233 RRAS (Routing and Remote Access Service), 117–119, 193–200 Active Directory, 198 authentication, 196–197 demand-dial routing, 228–234 encryption, 197–198 evaluating purpose, 192–193 high-availability scenarios, 198–199 integration into Windows 2000, 200 knowing when to use, 176–177 optimization and tuning, 199–200 properties window, 208 protocols, 196 in routed environment, 194–195 security, 196 third-party server integration, 198
S SAM (Security Account Manager), 257, 259 Samba, 154, 158 SAP (Service Advertisement Protocol), 118, 120, 158 scope-splitting multiple DHCP servers and, 124–125, 125 servers for, 127–128 screened subnet, 135, 140, 146, 174, 179 RADIUS servers inside, 209–210 secret (RADIUS), 206 secure DNS design, 134–135 secure zone transfers, 135–142 security, 60–61 in RADIUS, 205–206 in RRAS, 196 zone replication, 137
Security Account Manager (SAM), 257, 259 security managers, 81 seed, 158 senior management, 14 Serial Line Internet Protocol (SLIP), 120 server applications, in Windows 2000 environment, 69–70 servers disaster recovery for, 94 distribution, 50, 51 information about, 76–77 monitoring load, 89 Service Advertisement Protocol (SAP), 118, 120, 158 service life cycle, 7 Service Message Blocks (SMB), 154 service record (SRV), 146 services application server services, 57 file server services, 56 messaging services, 56 print server services, 57 TCP/IP configuration services, 57–58 Services for Macintosh (SFM), 152 sharing Internet connection, 177–179 Shiva LAN Rover, 198 Shiva Password Authentication Protocol (SPAP), 197, 211, 249 Simple Network Management Protocol (SNMP), 58, 63, 73 Single Point of Failure (SPOF), 5, 9, 269 SLIP (Serial Line Internet Protocol), 120 small office/home office (SOHO), 120 SMB (Service Message Blocks), 154 SNA (Systems Network Architecture), 155– 156, 158 SNMP (Simple Network Management Protocol), 58, 63, 73 SOCKS protocol, 173, 183 SOHO (small office/home office), 120 SONET (Synchronous Optical Network), 102 SPAP (Shiva Password Authentication Protocol), 197, 221, 249 SPOF (Single Point of Failure), 5, 9, 269 SRV (service record), 146 stakeholders, 13 standalone root, 162, 168 standard primary DNS zone, 146
standard secondary DNS zone, 146 star topology, 102 static routing, 118 strategic overshoot risk, 28 strategic planning, 43 subnet masks, unique, 114 subnets, 107–109 broadcasts within, 112 subsidiary offices, 5, 9 supervisors, 14 SYN attack, 60, 63 Synchronous Optical Network (SONET), 102 system access patterns, 58 System Monitor (Windows 2000), 58, 89 Systems Network Architecture (SNA), 158
T T1 line, bandwidth, 54 takeovers, corporate, 18, 21 TCP/IP, 268 addressing and implementation plan, 109–112 analyzing infrastructure, 76–77 configuration services, 57–58 integrating with WAN requirements, 116–117 IP subnet requirements, 107–109 Macintosh system use of, 151 measuring and optimizing infrastructure design, 113–116 services, 75 team leaders, 14 technical environment, 49–63 company size and user and resource distribution, 50–53 connectivity between worksites and remote sites, 53–54 data and system access patterns, 58 net available bandwidth and latency, 54– 55 network roles and responsibilities, 58–59 performance, availability and scalability requirements of services, 55–58 security issues, 60–61 technical silos, 59 technical support, structure analysis, 78–79 technology risk, 27
telecommuters, connectivity, 54 telephony, 50, 52 systems managers, 80 Telnet, 154, 158 terminal applications, 56 terminated employees, protecting network against, 61 thin-client, 83 thin-client computing, 56, 68–69 third-party certificate providers, 245 Token Ring network, 102 TokenTalk, 151, 158 tolerance of risk in company, 26–29 topology, 104 logical components, 103 physical components, 102 what it is, 101 total cost of operations, 30–31, 32 tunneling, 216 two-way authentication, 230
U UAM (User Authentication Module), 152– 153 unicast message, 126 unicast mode, for Network Load Balancing, 187 Unicode character sets, 138, 147 Unix protocols, 154–155 users, 88 upgrades, 83 existing and planned, 78 UPN (user principal name), 252 user and resource distribution, company size and, 50–53 user authentication, Macintosh methods, 152–153 User Authentication Module (UAM), 158 user needs, analyzing, 87–89 user patterns, analyzing, 89–90 user principal name (UPN), 242, 252 users disconnecting after idle time, 208 impact on bandwidth, 199 restricting access in RRAS, 195
V
Variable Length Subnet Masks (VLSM), 113, 120
VAX, 90
VAX users, 88
vendors, relationships, 17
VINES protocol, 156
virtual collaboration, 56
virtual communications, 6
virtual private network (VPN), 112, 193–194, 215–226, 216
    dial-up connection, 178–179
    dial-up remote access, 249
    hardware for, 223
    implementation design, 218–225
        assuring availability, 221–223
        authentication, 219
        encryption, 220
        PPTP vs. L2TP, 219
    optimization and tuning, 223
    privacy for clients connecting via public networks, 217–218
    reduced leased line costs, 217
    remote network administration, 217
    secure connectivity over public networks, 216–217
    and security, 215
    typical setup, 216
    uses for, 215
    in Windows 2000 environment, 224–225
virus scanner, 181
VLSM (Variable Length Subnet Masks), 113, 120
VPN (Virtual Private Network), 112, 193–194
    dial-up connection, 178–179
W
WAN (wide area network)
    connection, 268
    fault-tolerance for links, 231–232
    integrating TCP/IP with, 116–117
    scope-splitting on, 128
web-based infrastructure, client-server infrastructure or, 68–69
web managers, 80
Web monitoring, 76
Web proxy, 173, 183
Web server, access design, 179–180
Windows 2000
    backward compatibility with Windows NT, 263
    funds for upgrade, 26
    integrating DHCP with, 126–128
    IntelliMirror, 56
    network services, 262–264
    Quality of Service, 217
    rollout, decision-making process, 41
    RRAS integration, 200
    supported protocols, 72–73
    virtual private network (VPN) in environment, 224–225
Windows Load Balancing (WLB), 186
Windows NT
    services for NetWare communications, 150
    Windows 2000 backward compatibility, 263
WINS proxy agent, 147
WINS-R, 147
WINS (Windows Internet Name Service), 264
    deployment strategy, 143
    design creation, 139–140
    proxy agents, 139
    secure design, 140–141
    server optimization, 141
    virtual private network and, 224
    in Windows 2000 environment, 245–246, 263
Winsock proxy, 173, 183
wiring closets, 70, 103
WLB (Windows Load Balancing), 186
WolfPack, 186
workgroup, 83
workgroup infrastructure, enterprise infrastructure or, 67–68

X
X.25 networks, 112

Z
zone, 147
zone replication security, 137