About the Authors

J.C. Mackin MCSA, MCSE, MCT is an author, editor, consultant, and trainer who has been working with Microsoft networks since 1997. He holds a master's degree in telecommunications and network management. Ian McLean MCSE, MCDBA, MCT has over 35 years of experience in industry, commerce, and education. He started his career as an electronics engineer before going into distance learning and then education as a university professor. He currently runs his own consultancy company. Ian has written 15...

Determining the Host Capacity of a /n Network

To determine the host capacity of a network whose subnet mask is expressed in slash notation as /n, use the following formula: $c = 2^{32-n} - 2$, where c represents the number of computers that can be accommodated by a given network, and n represents the number of bits in the network ID of that network. For example, in a /20 network, n = 20. Therefore $c = 2^{32-20} - 2$, or $2^{12} - 2$, or 4096 - 2, or 4094. So, a /20 network can accommodate 4094 computers. Here is another example: In a /28 network, n = 28. Therefore,...

Case Scenario Exercise

You work as a network consultant, and you have been hired by three companies to solve problems related to network connectivity. While visiting each company, you draw sections of the relevant portions of the network. Use the following drawings to determine the IP configuration error that has led to a disruption of network connectivity at each company. Client C has an incorrectly configured default gateway. The default gateway should be set to 192.168.1.129. Client A IP address 192.168.1.116/28...

Objective Answers

A. Incorrect: This configuration seems at first glance to be OK. The subnet mask has been reduced by a single 1 and the addresses are contiguous. However, let us look at the third octet So the two networks would have different network addresses given a /23 (255.255.254.0) subnet mask. B. Incorrect: This supernetted network is valid: 206.10.12/22 with a host range 206.10.12.1 through 206.10.15.254. However, the networks allocated to your organization are 206.10.13.0/24 and 206.10.14.0/24, and an...

Configuring RIP

RIP is a dynamic routing protocol that helps routers determine the best path through which to send given data. Routes to destinations are chosen according to lowest cost. By default, this cost is determined by the number of hops or routers between endpoints; however, you can manually adjust the cost of any route as needed. Importantly, RIP discards routes that are determined to have a cost higher than 15. This feature effectively limits the size of the network in which RIP can operate. Another...

Determining Hosts per Subnet

Determining the number of hosts per subnet is no different from determining the number of hosts per network, as covered in Lesson 2 of this chapter. Simply use the formula $c = 2^{32-n} - 2$, where c = number of computers or hosts that can be supported by the address range and n = the number of bits in the new, modified network ID. It is important to remember that when you have subnetted your network, you should use the number of bits that you have allocated to the network ID internally. For example, if...

Exploring Remote Access Authorization Scenarios

The following selection presents a summary of the remote access authorization process. In each scenario, authorization settings at the remote access server differ when User1, a member of the Telecommuters group, attempts to connect through a dial-up line. Figure 10-20 shows the order of remote access policies defined at the server. Exam Tip: You need to be familiar with the encryption settings for the exam...

Exercise Converting Subnet Masks to Slash Notation

Use the steps described above to convert the subnet masks in dotted-decimal notation to slash notation in your head. Write only the final answer in each space provided. Dotted-Decimal Notation Slash Notation

Name Servers Tab

The Name Servers tab, shown in Figure 5-23, allows you to configure NS resource records for a zone. These records cannot be created elsewhere in the DNS console...

Name Checking

By default, the Name Checking drop-down list box on the Advanced tab of the DNS server properties dialog box is set to Multibyte (UTF8). Thus, the DNS service, by default, verifies that all domain names handled by the DNS service conform to the Unicode Transformation Format (UTF). Unicode is a 2-byte encoding scheme, compatible with the traditional 1-byte US-ASCII format, that allows for binary representation of most languages. Figure 5-29 shows the four name-checking methods you can select from...

Using Network Monitor Triggers

Network Monitor's main function is to capture packets as they cross the network. So much occurs at once that trying to find the information you need is often nearly impossible. Therefore, one important skill to master with Network Monitor is the ability to quickly locate what you are looking for when the action happens. Setting Triggers: Network Monitor provides a facility to alert you when certain conditions are met. This facility might be helpful under a variety of circumstances where you set...

Frame Size

By default, Network Monitor captures each frame in its entirety. However, you can reduce the number of bytes of each frame captured by lowering the frame size setting. For example, if you set the frame size to 128, Network Monitor will capture only the first 128 bytes of each frame. The minimum frame size setting is 64 bytes; the maximum setting (aside from the default setting of Full) is 65,535 bytes. You might want to reduce the frame size because, typically, it is only the beginning of a frame...

Objective Questions

1. You are the administrator of an internetwork that consists of two network segments, A and B, connected by a router. The network has been configured so that clients on both network segments obtain their IP configuration automatically from a DHCP server on Subnet B. A new client computer is installed on network segment A. You configure it in the same way as the others. The new client computer cannot communicate with any of the computers on either network. You use the Ipconfig command and...

WSUS Deployment Scenarios

You can deploy WSUS in a variety of ways that depend on the size of your network, your administrative structure, and your available bandwidth. Some of these deployment scenarios are described below. Single WSUS Server (Small-Sized or Simple Network): In a single WSUS server scenario, administrators can set up a server running WSUS inside their corporate firewall, which synchronizes content directly with Microsoft Update and distributes updates to client computers, as shown in Figure 12-35. Note...

Troubleshooting Connections Using Ping and PathPing

Ping is a tool that helps to verify IP-level connectivity; PathPing is a tool that detects packet loss over multiple-hop trips. When troubleshooting, the Ping command is used to send an ICMP echo request to a target host name or IP address. Use Ping whenever you want to verify that a host computer can send IP packets to a destination host. You can also use the Ping tool to locate remote hardware problems and incompatible configurations. When troubleshooting network connectivity, use the Ping...

DNS Server Performance Counters

The DNS performance object in System Monitor includes 62 counters. You can use these counters to measure and monitor various aspects of server activity, such as the following: overall DNS server performance statistics, such as the number of overall queries and responses processed by a DNS server; UDP or TCP counters, for measuring DNS queries and responses that are processed using either of these transport protocols; dynamic update and secure dynamic update counters, for measuring registration and...

Objective Questions

1. ServerA is a server running Windows Server 2003, Enterprise Edition, configured as a router. InterfaceA has an IP address of 10.10.1.1. You want to specify that only Hypertext Transport Protocol (HTTP) traffic on TCP port 80, and Secure Hypertext Transport Protocol (HTTPS) traffic on TCP port 443 will be allowed into the router through that interface. You configure two inbound packet filters on InterfaceA, as shown in the following figure. These filters control which packets are forwarded or...

Problem Making Your IPSec Policy Work

In the following exercise, you create and assign an IPSec policy, only to discover that the two computers cannot communicate at all. You can use a number of steps and tools to troubleshoot an IPSec policy, as described in the following list. Note: IKE auditing is turned on by default. If auditing of logon events is turned on, IKE posts negotiation results in the Security Event log. Once policies have been assigned and are working, you can turn this feature off by adding the DisableIKEAudits...

Secure Cache Against Pollution

By default, the Secure Cache Against Pollution option is enabled. This setting allows the DNS server to protect its cache against referrals that are potentially polluting or nonsecure. When the setting is enabled, the server caches only those records with a name that corresponds to the domain for which the original queried name was made. Any referrals received from another DNS server along with a query response are simply discarded. For example, if a query is originally made for...

Exercise Determining Network Size Requirements in Terms of a Dotted-Decimal

Each of the values in the leftmost column of the table below refers to a number of computers that a given network must support. In the corresponding space in the rightmost column, specify with a subnet mask in dotted-decimal notation the smallest network size that will accommodate those computers. You should attempt to perform these calculations in your head. Use a scratch pad only if necessary. The first row is provided as an example. Number of Network Hosts Subnet Mask w.x.y.z

Reading the IP Routing Table

Routers use routing tables to determine where to send packets. When IP packets are sent to an IP router, the router reads the destination address of the packet and compares that destination address to the entries in the routing table. One of these entries is used to determine which interface to use to send the packet and to which hop gateway the packet will be sent next. To assist in this process, each routing table entry includes the five columns described in the following sections, as shown...

Managing Security Through Group Policy

Group Policy holds a unique position with respect to a network's security infrastructure. On the one hand, Group Policy provides a means to deploy and manage a security infrastructure. On the other hand, Group Policy provides the actual substance of that security infrastructure: every GPO contains nodes whose configuration represents many of the most important security considerations for a network. Although basic Group Policy concepts remain beyond the scope of this training kit, it is important...

Case Scenario Exercise 1

1. A user on your local subnet (Subnet E) cannot connect to any network resources. Ping is best used because you need to perform basic troubleshooting and the computer is local. 2. A user on Subnet C cannot connect to resources on Subnet E. Tracert is best used to begin troubleshooting this problem because in this case, two routers separate the subnets. This utility enables you to determine at which subnet or router the problem occurs. 3. A user on Subnet C can connect to resources on the company...

Objective Questions

1. Your DNS domain seattle.fourthcoffee.com has two mail servers, mail1 and mail2. You want mail1 to be the primary mail server and mail2 to be the secondary mail server. Which DNS resource records should you create? (Choose all that apply.) A. MX 10 mail1.seattle.fourthcoffee.com. B. MB 10 mail1.seattle.fourthcoffee.com. C. MX 20 mail1.seattle.fourthcoffee.com. D. MB 20 mail1.seattle.fourthcoffee.com. E. MX 20 mail2.seattle.fourthcoffee.com. F. MB 20 mail2.seattle.fourthcoffee.com. G. MX 10...

Troubleshoot Client Access to Remote Access Services

Troubleshooting client access to a remote network is not only about solving problems. Good maintenance is preemptive. The process does not merely involve diagnosing and resolving issues related to client access to remote access VPNs and establishing connections to resources beyond the remote access server. The process involves monitoring traffic and trends, predicting when faults are likely to occur, and taking corrective action before the user is aware of the problem. You need to know how to...

Lesson Summary

NAT is a service built into a router that modifies the source address of IP datagrams before sending them on to their destinations. This functionality allows NAT clients to connect to the Internet by sharing one or more publicly registered IP addresses on the computer running the NAT service. In Routing And Remote Access, NAT can also be configured to function as a DHCP allocator, a DNS proxy, or a WINS proxy. NAT can be understood as a fully configurable version of ICS. To function, NAT...

Understanding DHCP Server Log File Format

DHCP server logs are comma-delimited text files with each log entry representing a single line of text. Figure 8-5 shows a sample audit log file.

Figure 8-5 Sample DHCP audit log file

02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied...

IP Routing Interface Features

These management features are accessible through the IP Routing node of the Routing And Remote Access console. When you select the General node within the IP Routing node, the interfaces configured for your server appear in the details pane. Right-clicking a demand-dial interface reveals various demand-dial management and troubleshooting commands, as shown in Figure 9-24...

Troubleshooting DHCP

Monitor network traffic. Tools might include Network Monitor and System Monitor. Diagnose and resolve issues related to DHCP authorization. Verify DHCP reservation configuration. Examine the system event log and DHCP server audit log files to find related events. Diagnose and resolve issues related to configuration of DHCP server and scope options.

Objective Questions

1. You have configured a server running Windows Server 2003 as a VPN server and added 100 PPTP ports and 100 L2TP ports. L2TP tunnels use IPSec encryption. PPTP tunnels use built-in MPPE encryption. You have specified both MS-CHAP and MS-CHAP v2 authentication and strong encryption. Three hundred salespeople in your domestic sales force use laptops running Windows 98, Second Edition. Two hundred salespeople in your international sales force use laptops running Windows XP. Sometimes your...

Network Diagnostics

Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003 interface, that provides detailed information about the local computer's networking configuration. To access the tool, first launch Help And Support from the Start menu. From the Help And Support Center window, click Tools in the Support Tasks area. Finally, expand Help And Support Center Tools from the Tools list, and then select Network Diagnostics. The Network Diagnostics window appears in the right...

Lesson Review

1. You have configured a scope with an address range of 192.168.0.11 through 192.168.0.254. However, your DNS server on the same subnet has already been assigned a static address of 192.168.0.200. With the least administrative effort, how can you allow for compatibility between the DNS server's address and DHCP service on the subnet? By configuring an exclusion for the address 192.168.0.200, you can most easily allow for compatibility between the DNS server and the currently configured DHCP...

Enable Netmask Ordering

The Enable Netmask Ordering option is selected by default. This default setting ensures that, in response to a request to resolve a single computer name matching multiple host (A) resource records, DNS servers in Windows Server 2003 first return to the client any IP address that is in the same subnet as the client. Note: Multihomed computers typically have registered multiple host (A) resource records for the same host name. When a client attempts to resolve the host name of a multihomed computer by...

Q Hve

File or Folder Access: Auditing access to a particular file or folder is a two-step process. First, you must configure the Audit Object Access policy to audit successes or failures (or both, as required). Then, you must configure the properties of the files or folders for which you want to audit access. In the properties of the file or folder, select the Security tab, click the Advanced button, and then select the Auditing tab. In the Auditing tab, configure the desired members of the system...

Setting the Primary DNS Suffix

You can specify or modify a computer's primary DNS suffix in the DNS Suffix And NetBIOS Computer Name dialog box, as shown in Figure 4-15.

Figure 4-15 Specifying a primary DNS suffix

To access this dialog box, in the System Properties dialog box, click the Computer Name...

Exercise Use IP Security Monitor to Monitor an IPSec Connection

In this exercise, you monitor IPSec activity using the IP Security Monitor snap-in. 1. Open IP Security Monitor on both computers by adding the snap-in to an MMC. 2. Check that the active IPSec policy is the one you assigned. 3. Examine the details about the active policy. Are the details what you expected? Select the Main Mode (Figure 11-45) and Quick Mode (Figure 11-46) Security Associations nodes and double-click the SA in the details pane. This step tells you which encryption is being used....

Case Scenario Exercise 1

You work as a network consultant, and you have been hired by three companies to solve problems related to network connectivity. While visiting each company, you draw sections of the relevant portions of the network. Use the following drawings to determine the IP configuration error that has led to a disruption of network connectivity at each company. Client A: IP address 192.168.1.116/28, default gateway 192.168.1.126. Client B IP...

Memorizing Subnet Mask Octet Values

To handle IP addressing questions on the 70-291 exam, you will also need to memorize the nine possible values that might appear in a subnet mask octet. Use Table 2-4 below to help you memorize these values. The values in the top and middle rows have been labeled d values and r values respectively to provide consistency with references to these values that appear elsewhere in the chapter. Begin by covering the top row of the table. Once you can recite without hesitation the d value associated...

Objective Questions

1. Some time ago, your organization was allocated two Class C networks: 206.10.13.0 and 206.10.14.0. You now want to supernet these two networks so that your external router advertises only one network on the Internet. Which allowable configuration enables you to do this? A. Network address 206.10.13.0 and subnet mask 255.255.254.0. B. Network address 206.10.12.0 and subnet mask 255.255.252.0. C. Network address 206.10.13.0 and subnet mask 255.255.253.0. 2. Your organization has leased the Class...

Load Zone Data On Startup

By default, the Load Zone Data On Startup drop-down list box is set to the From Active Directory And Registry option. Thus, by default, DNS servers in Windows Server 2003 initialize with the settings specified in the Active Directory database and the server Registry. However, this setting includes two other options, From Registry and From File, as shown in Figure 5-30.

Figure 5-30 Server initialization options

When you select the From Registry option...

Subnet Masks

The subnet mask is used to determine which part of a 32-bit IP address should be considered its network ID. For example, when we write 192.168.23.245/24, the /24 represents the subnet mask and indicates that the first 24 of the 32 bits in that IP address should be considered its network ID. For the IP address 131.107.16.200 shown in Figure 2-3 above, the first 16 bits according to the picture are used for the network ID. Therefore, the appropriate subnet mask to be used by a host assigned that...

BIND Secondaries

The BIND Secondaries option is enabled by default. As a result, DNS servers running on Windows Server 2003 do not use fast transfer format when performing a zone transfer to secondary DNS servers based on BIND. This restriction allows for zone transfer compatibility with older versions of BIND. Fast transfer format is an efficient means of transferring zone data that provides data compression and allows multiple records to be transferred per individual Transmission Control Protocol (TCP) message....

Objective Answers

A. Correct: Because no gateway exists and the new client cannot connect to any other computers on either subnet, it has likely been configured by APIPA. Because the DHCP server is on the network and the DHCP service is running, the new client probably cannot obtain a configuration through DHCP because all the addresses in the scope have been allocated. If a lease can be deleted because the computer to which it is assigned is no longer on the network, or if the size of the DHCP scope can be...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. You are the network administrator for Lucerne Publishing. The Lucerne Publishing network consists of a single domain, lucernepublishing.com, that is protected from the Internet by a firewall. The firewall...

Zone Transfers Tab

The Zone Transfers tab, shown in Figure 5-25, allows you to restrict zone transfers from the local master server. For primary zones, zone transfers to secondary servers by default are either completely disabled or limited to name servers configured on the Name Servers tab. The former restriction applies when the DNS server has been added by using the Manage Your Server window; the latter, when it has been added by using the Windows Components Wizard. As an alternative to these default...

Exercise Use Netsh to Manage IPSec

Any task you can perform with the IP Security Policy snap-in and the IP Security Monitor snap-in, you can do with the Netsh command. You can also perform tasks with Netsh that you cannot do from a console, such as the following: instituting computer startup security, performing computer startup traffic exemptions, running diagnostics, performing default traffic exemptions, performing strong certificate revocation list (CRL) checking, performing IKE (Oakley) logging, modifying logging intervals, and...

Verifying the Server Configuration

When verifying the DHCP server configuration, you can begin with the DHCP server address. To provide leases for clients on the local subnet, the DHCP server computer must be assigned an address whose network ID is common to that logical subnet. In addition, the DHCP Server service must be bound to the connection to that subnet. To verify a DHCP server's network bindings, select the Advanced tab in server properties and click the Bindings button. This procedure opens the Bindings dialog box,...

Lesson Review

1. Which of the following actions requires the least amount of administrative effort to enable network users to connect to Internet host names? a. Disable recursion on NS2 and NS3. b. Enable netmask ordering on NS1. c. Configure NS2 and NS3 to use NS1 as a forwarder. 2. What can you do to decrease the network burden of zone transfers between the primary and secondary servers? a. Clear the BIND Secondaries check box on Server1. b. Configure a boot file on Server1 to initialize BIND-compatible...

Case Scenario Exercise

You are a network administrator for Proseware, Inc., a book publishing company that operates out of a single building in Kansas City, Missouri. Proseware employs 200 full-time workers, all of whom work on desktop computers, and 100 part-time workers, all of whom work on personal laptops. The part-time employees change docking stations frequently and work on various floors throughout the company building. Part-time employees work in the office at least one day per week. You are responsible for...

Using Netcap to Capture Network Traffic

Netcap.exe is a command-line utility that you can use to capture network traffic to a capture file. You can then load the file in Network Monitor to view the captured traffic. The Network Monitor tool does not have to be installed on the computer running Windows Server 2003 to use Netcap. You can also use Netcap on computers running Windows XP, which makes it an extremely attractive way to capture traffic for later review. The tool is available after the Windows Server 2003 Support Tools have...