Windows 2000 Implementation & Administration
Network Infrastructure

You should enter the subnet mask 255.255.255.192. This subnet mask is used to define the subnets 192.168.10.0, 192.168.10.64, 192.168.10.128, and 192.168.10.192. The host addresses supported on the subnet 192.168.10.128 are 192.168.10.129 through 192.168.10.190. The host addresses supported on subnet 192.168.10.128 with the subnet mask 255.255.255.128 are 192.168.10.129 through 192.168.10.254. The host addresses supported on subnet 192.168.10.128 with the subnet mask 255.255.255.224 are 192.168.10.129 through 192.168.10.158. The host addresses supported on subnet 192.168.10.128 with the subnet mask 255.255.255.240 are 192.168.10.129 through 192.168.10.142.

You should use the registry editor on each DNS client to modify the setting DefaultRegistrationTTL for the TCP/IP service. You could also modify this value by defining the setting in a Group Policy Object (GPO) that is linked to a site, domain, or organizational unit (OU) to which the computers are assigned. You do not need to modify the TTL setting for each network adapter card on the DNS client. You modify the default TTL value in the SOA record for each zone to define the minimum TTL for static records created in the zone. The server options for DHCP do not include an option to define the TTL for a DNS resource record.

You should enable TLS and MS-CHAP as the authentication protocols. Microsoft Point-to-Point Encryption (MPPE) is used to encrypt data with both of these authentication protocols. TLS is an Extensible Authentication Protocol (EAP). CHAP does not support data encryption. PAP does not support data encryption.

You must configure a unique internal network number in the properties of NWLink for SQLSrv1. A service, such as SQL, that runs on a computer running Windows 2000 and advertises its availability using the Service Advertising Protocol (SAP) must advertise a unique internal (or virtual) network number. You configure an external network number to uniquely identify each network segment in a routed IPX network. You install File and Print Services for NetWare on a computer running Windows 2000 Server if NetWare clients need access to files and printers on the Windows 2000 server. It is not needed to allow access to applications on the Windows 2000 server.
File and Print Services for NetWare is not included in Windows 2000 Server, and it must be purchased separately. You should not set the frame type for NWLink to 802.3. The frame type used for NetWare 4.11 communications is 802.2. Frame type 802.2 is the default frame type set by NWLink when it is installed on a computer running Windows 2000 if multiple frame types, only the 802.2 frame type, or no frame types are detected on the network when NWLink is installed.

There are two types of keys that can be configured with Perfect Forward Secrecy, the Master and Session keys. Forcing Perfect Forward Secrecy for the Master key is the most secure option, however it can place an additional load on the network's domain controllers because it requires re-authentication. Session keys are generated from the Master key. Although regeneration of these is not as secure, it is still highly secure and it meets the question's requirements for both security and limiting performance reductions.Windows 2000 Help, Search for the article entitled: Key exchange.

You should add the internal and external interfaces to the NAT routing protocol. You should then configure the properties of the external interface to define any public Internet Protocol (IP) addresses that are to be mapped to computers on the private network. You do not need to configure static routes for NAT. The goal of NAT is to provide shared access to the Internet. Defining static routes to Internet resources is not recommended. You do not need to restart the Routing and Remote Access service. You do not enable support for NAT from the Properties dialog box of the modem. You create a demand-dial interface that uses the modem, add the interface to NAT, and then manage the NAT configuration of the interface from the Properties dialog box of the interface in the NAT node.

You should enable support for the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP, version 1 or 2) to allow data to be encrypted. You should then select the strong encryption option for the dial-in profile associated with the applicable remote access policy to provide 56-bit encryption. The basic encryption option provides 40-bit encryption. The Challenge Handshake Authentication Protocol (known as CHAP and MD5-CHAP) does not support data encryption. The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication method also supports data encryption using MPPE.

You accomplish the goals of backing up the certificate and the private key, but you do not accomplish the goals of removing the recovery agent's certificate and private key. You must restart the computer to complete the removal. The built-in Administrator account is the default recovery agent for a stand-alone computer. The Local Security Policy console is the correct utility to use to export and remove the file recovery certificate and the related private key.

You should enable support for the Link Control Protocol (LCP) extensions. You do this on the PPP tab of the Properties dialog box of a remote access server in the Routing and Remote Access console. You then use the Properties dialog box of the Ports node in the Routing and Remote Access console to configure each port to be used for multilink with a phone number for the link. You enable support for Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) to allow links to be dynamically added and dropped as needed during a multilink session. You enable this option by selecting "Dynamic bandwidth control using BAP or BACP" on the PPP tab of the Properties dialog box of a remote access server in the Routing and Remote Access console. You enable support for the Extensible Authentication Protocol (EAP) if you want to allow the use of smart cards or Transport Layer Security (TLS) for authentication. Support for EAP is configured on the Authentication tab of the Properties dialog box of a remote access profile. You enable the option "Require BAP for dynamic Multilink requests" to allow multilink requests to be honored only from clients that are configured to use BAP. You enable this option on the Multilink tab of the Properties dialog box of a remote access profile.

The netdiag utility can be used to test and fix DNS problems. Netdiag is one of the Windows 2000 support tools that can be installed from the \Support\Tools folder of a Windows 2000 installation CD-ROM. Netdiag runs a series of tests that determine the state of the network client on a computer. One of the tests is the DNS test. This test insures that the DNS cache service is running and determines whether or not resource records for the computers are registered correctly in DNS. If netdiag is run with the /fix option, it will attempt to reregister the resource records if the records are not registered correctly. The netstat utility is used to display information about existing TCP/IP connections and sessions. The nbtstat utility is used to display and manage information in the NetBIOS name cache. The hostname utility is used to display the host name of the computer.

You should ensure that the registry value NegativeTimeCache in the key HKEY_Local_Machine\System\CurrentControlSet\Services\DNSCache\Parameters is set to a value greater than zero. The maximum setting for this value is 900 seconds (15 minutes). This feature is referred to as negative caching. This feature helps to minimize the number of queries submitted to resolve a name that cannot be found. You set the Retry time in the Start of Authority record for a zone to define the number of seconds that a secondary name server will wait before it attempts to retry a zone transfer that has failed. You set the Expire time in the Start of Authority record for a zone to define the number of seconds that a secondary name server will continue to respond to client queries even if it cannot complete a successful zone transfer from its master name server. You use the cache.dns file to define the Internet Protocol (IP) addresses of root name servers.

You should use the Translation tab of the Properties dialog box of NAT. From this tab, you select Applications to display a dialog box from which you can define the specific applications, the related port numbers on the remote servers, and the incoming response ports. You use the Properties dialog box of the interface to the Internet to define it as an external interface, to define a pool of public addresses that can be mapped to computers on the internal network, and to define ports and addresses on the internal network to which incoming sessions should be mapped. You use the Properties dialog box of the interface to the local private network to define it as an internal interface. You use the properties dialog box of the remote access server to define whether it is enabled as a router or a remote access server (or both) and to configure the logging level and parameters for remote connections.

You should enable BAP to provide support for dynamic multilinking. If a remote access client and server are enabled to use BAP, a client can request use of an additional line, as needed, and a server can disconnect a line from one connection and use it for another connection. You should enable EAP to provide support for smart card authentication. L2TP is a protocol used to establish a Virtual Private Network (VPN). Internet Protocol Security (IPSec) is a protocol that is often used with L2TP to encrypt data being sent using L2TP. MS-CHAP can be used as an authentication protocol for a remote access server, but it does not support smart card authentication.

You can choose either the Secure Hash Algorithm (SHA) or Message Digest 5 (MD5). An integrity algorithm defines the method used to provide encrypted authentication between computers using IPSec. Data transferred using IPSec can be encrypted with 56-bit Data Encryption Standard (DES), 40-bit DES, or Triple DES (3DES). 40-bit DES is not RFC-compliant, but is available for use with applications exported to France. MS-CHAP is not supported for IPSec encrypted authentication.

You should define a phone number for each port in the Ports object in Routing and Remote Access on RAS1. When the client is configured to support multilink and BAP, a Callback-Request message is sent to the remote access server when utilization of the current link (or links) exceeds the defined threshold. The remote access server responds with a Call-Response message that contains the phone number of an available port. The client then uses this number to request an additional link. You define a list of alternate phone numbers for each client connection when you want multiple phone numbers to be available for the initial attempt to dial a remote access server. If the first number in the list is not available, Dial-up Networking (DUN) will attempt to use the other numbers. Callback is a feature of Routing and Remote Access that allows the remote access server to disconnect after a client computer makes an initial connection and then call the client computer back.
Round robin is a feature of the Domain Name System (DNS) service that allows multiple IP addresses to be assigned to the same name. When round robin is enabled, the DNS server rotates the order in which it returns the related IP addresses for each request. The DNS client uses the first name in the list, in general, so the clients will alternate among the IP addresses when accessing the requested service (such as a web site).

You should share NWPrt. You can share a printer when using the Add Printer wizard or you can share it after it has been created. You do not need to install NWLink on the user's computer. When you install GSNW on a server, NWLink is also installed on that server. ServerN communicates with the NetWare server using NWLink, but computers running Windows 2000 Professional can use TCP/IP to send print jobs to ServerN. You do not need to add the user to the group NTGATEWAY. The group NTGATEWAY must be created on the NetWare server, and the account you use to create NWPrt must be a member of NTGATEWAY. The group NTGATEWAY or the account you use to create NWPrt must be able to use the printer on the NetWare server. Jobs submitted by users to NWPrt will be sent to the NetWare server using the security context of the account you used to create NWPrt. You change the frame type on a computer running Windows 2000 Professional if the computer is using NWLink to access another computer and the frame types configured on the two computers are different.

You should add the group Everyone to the "Pre-Windows 2000 Compatible Access" group. The Routing and Remote Access Service on the computer running Windows NT 4.0 Server uses the LocalSystem account. This account cannot be used to establish a Null session with a domain controller running Windows 2000 Server when the domain is configured to use permissions compatible with Windows 2000 servers only. The account can be used to establish a Null session to a BDC running Windows NT 4.0 Server.
Therefore, when RAS10 contacts a BDC to authenticate a user, the connection can be established successfully because the BDC can verify the user's dial-in access in its local Security Accounts Manager (SAM) database. When RAS10 contacts a domain controller running Windows 2000, a Null session cannot be established. Since it is RAS10 that must be able to communicate with all domain controllers, adding the computer account for the Sales department's laptops will not provide the support needed. You do not need to configure support for MS-CHAP v2 on RAS10, since Windows NT 4.0 clients can use MS-CHAP v2 only for Virtual Private Network (VPN) connections, not for dial-up connections. You should not add the computer accounts for the BDCs to the "RAS and IAS Servers" group. Members of this group can access user account properties related to remote access.

You should configure one of the computers running Windows 2000 Professional as a WINS proxy. A WINS proxy is a computer that responds to NetBIOS name resolution broadcasts. If the WINS proxy does not have a mapping of the requested name to an IP address in its NetBIOS name cache, it sends a request to the configured WINS server. Once it receives a response from the WINS server, it can reply to the original requester. WINS does not support LAN Manager for OS/2 as a WINS client, so you cannot configure the IP address of the WINS server in the TCP/IP properties of the client. Configuring a static mapping for the OS/2 client in the WINS database will not allow applications on the OS/2 client to resolve NetBIOS names to IP addresses. Configuring a static mapping will allow other computers to determine the IP address of the OS/2 client. You should not create an LMHOSTS file on the computer running OS/2 with an entry for the WINS server. This would not enable the client to send name resolution requests to the WINS server.

You should ensure that the routers between the subnets on which the WINS servers are located are configured for multicasting. When automatic partner configuration is enabled, the WINS servers use the multicast address 224.0.1.24 to discover each other. Once the WINS servers discover each other, each pair of WINS servers is automatically configured as push and pull partners with replication occurring every two hours. You do not have to configure a WINS proxy agent on each subnet on which there is no WINS server to enable the WINS servers to discover each other. You use a WINS proxy agent to respond to name resolution request broadcasts on the subnet on which the WINS proxy agent is installed. The proxy agent forwards the request to its configured WINS server and then returns the reply to the non-WINS client that issued the broadcast.
In the situation described here the client computers are configured as WINS clients, so WINS proxy agents are not needed at all. You do not need to add the other two WINS servers as replication partners from the context menu of the Replication Partners node for each WINS server. Once the servers discover each other via multicasting, they will be automatically configured as partners. You should not create static mappings on each WINS server for the other WINS servers. You create static mappings for computers that use NetBIOS but cannot be configured as WINS clients. The static mappings ensure that applications running on computers configured as WINS clients can locate the computers that are not WINS clients.

You can include the subnets 172.21.128.0/18 and 172.31.192.0/18 in Area1. With the routing protocol Open Shortest Path First (OSPF), an area consists of contiguous subnets that can be represented via route summarization. The network prefix "/18" indicates that the first 18 bits represent the subnet identifiers (IDs). This includes the first two bits of the third octet. The subnets that can be defined in this octet are represented in binary notation as 00000000, 01000000, 10000000, and 11000000. In decimal notation, the value of the subnet ID in the third octet can be 0, 64, 128, or 192. The address 172.31.96.0 represents a host on subnet 172.31.64.0. The address 172.31.160.0 represents a host on subnet 172.31.128.0. The address 172.31.224.0 represents a host on subnet 172.31.192.0.

You should create a new VPN connection and select the option "For all users" in the Network Connection wizard. If you select the option "Only for myself", the connection is stored in your user profile and is not available until you have logged on to the computer. You do not need to enable ICS to enable the ability to log on using a VPN connection. You enable ICS to allow users on other computers connected to the same network as the laptop computer to use the connection once it is established. You do not need to configure the VPN connection to automatically use your Windows domain, logon name and password to enable the ability to log on using a VPN connection. You use this option if you are already logged on with a user account that is valid for the VPN server. You should not choose the dial-up connection that the VPN connection is enabled to use. This will allow you to log on using the dial-up connection but not the VPN connection.

You should define the interfaces on each router that should use RIP. When you install RIP, no interfaces are configured by default to use RIP. You do not have to delete all static routes on each router. You do not have to configure the IP address of other routers connected to a common segment as default gateways. If you have only two computers running Windows 2000 that are configured as routers, you do not need to use RIP. Instead, you can configure the default gateway on the interface on the common segment with the IP address of the other router's interface on the common segment. You do not need to enable router authentication. If you do enable authentication on an interface, you must configure other routers that make announcements to that interface to use authentication and you must configure the same passwords on the routers. Router authentication is used primarily for identification of other RIP-enabled routers. Before you can enable router authentication, you must define the interfaces that should use RIP.

You can use either address (A) records or canonical name (CNAME) records to enable round robin. A DNS server that supports round robin rotates the order in which it returns resource records to each query. Since resolvers generally attempt to use the first record in the returned list before attempting to use the other records, requests are distributed among the servers defined for the host name or alias. Computers running Windows 2000 are not configured by default to use round robin. Instead, both DNS servers and resolvers use a feature called subnet prioritization. This method optimizes the probability that a client will use a computer on its subnet for the service being requested. You use service locator (SRV) records to locate servers that provide a specific service such as domain controllers, global catalog servers, and Lightweight Directory Access Protocol (LDAP) servers. You use pointer (PTR) records to identify the fully qualified domain name of the host given the IP address of the host. Reverse lookup zones contain PTR records. You use host information records (HINFO) to record the hardware type and operating system of a host.

You can define the maximum session length, the use of BAP, and the use of MS-CHAP as the authentication protocol in the remote access profile. You can define the use of only PPP and the use of the policy by members of Sales-Mgrs as conditions of the remote access policy. The conditions defined for a remote access policy are compared to the settings configured for a connection attempt. If the settings match all of the conditions, the settings in the profile for the policy are then applied to the connection if the user's account allows dial-in access.

You should create an IPSec policy that includes a rule configured for transport mode. Configure the rule to use certificates for authentication. You should create a filter list that manages all traffic from the IP address of one domain controller (DC) to the other DC and mirror it for traffic in the other direction. Since you want to encrypt all traffic between the DSs, you should use certificate authentication. Kerberos cannot be protected with IPSec transport filters. You use tunnel mode to protect data traveling between two networks across an unsecured network. Only one tunnel mode connection can be active at a time on a computer.

You should configure DNS1 as a forwarder for DNS5. A forwarder is a DNS server to which a DNS server forwards queries. For example, if DNS1 is configured as a forwarder for DNS5, and DNS5 receives a query that it cannot answer from its own set of records or the information in the DNS server cache, it forwards the query to DNS5 for resolution. You should not configure DNS1 as a master name server for DNS5 because the servers host separate zones. A master name server is either a primary or a secondary name server for a zone from which a secondary name server can receive zone transfers. You should not configure DNS1 in the root hints of DNS5, since DNS1 does not host a root zone. On both servers, the root hints should contain information about the name servers that host the root zone on the Internet. This information is loaded by default from the preconfigured file cache.dns. You should not configure DNS1 as an alternate server for DNS5. You configure an alternate server to allow the DNS resolver to contact a second server if the resolver cannot contact the primary DNS server. The DNS server service does not use this information to locate an alternate server.

You can configure Kerberos, Certificates, or a Pre-shared key for authentication when defining an IPSec policy rule. Kerberos is the default. A rule can be configured to use one or more authentication methods. You can use Basic authentication, Integrated Windows authentication, and Digest authentication to authenticate users attempting to access the Internet Information Service on a computer running Windows 2000 Server.

You should define the NAS-Port-Type condition of the remote access policy as Virtual. You should enable support for Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) for the server and in the remote access profile defined for the remote access policy. MS-CHAP v2 supports both mutual authentication and data encryption. Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP) does not support data encryption or mutual authentication. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) supports data encryption but does not support mutual authentication. Setting the NAS-Port-Type as Ethernet allows a user to connect to the server from the local area network (LAN).

You should use PathPing. PathPing sends packets to the destination and analyzes information returned from each router in the path to determine if packets are being dropped. You use tracert to determine each router that is used to reach a destination. Tracert provides information about the length of time that a packet stays at each router, but it does not report packet loss. You use netstat to display statistics for current TCP/IP connections and protocols in use for an individual computer. You use Network Monitor to capture and display packets that are sent to or from a computer. It is not used to detect if packets are lost while traveling to a remote destination.

You should configure RIP for autostatic update mode on the demand-dial interfaces. Autostatic update mode is the default configuration for demand-dial interfaces. In this mode, the routers exchange routes only when initiated by an administrator. You initiate an update by selecting "Update routes" from the context menu of the demand-dial interface in the General node of the IP Routing node in the Routing and Remote Access console. You can also create a batch file that uses the netsh utility to execute autostatic updates, and then use Task Scheduler to run the batch job periodically. You should not configure RIP for periodic update mode on the demand-dial interfaces. Periodic update mode initiates RIP updates every 30 seconds. This mode generates too much traffic for a demand-dial interface.
In a mixed-mode domain, you cannot configure a static route on a user account. In a native-mode domain, this attribute is available on the Dial-in tab of the Properties dialog box of a user account. This attribute is used to define static routes for a demand-dial connection. You enable ICMP router discovery to allow a computer running Windows 2000 Professional or Server to detect routers on the same subnet as the computer. If a default gateway is not configured for a host or the configured default gateway is not available, the host can send a router solicitation message to discover a router to use as a default gateway.

You should configure the rule in the policy in each OU to use transport mode. This will ensure that data being transferred from any servers in Mgt-Servers to or from any of the client computers in Mgt-Clients is protected. You use tunnel mode if you want to insure that data being transferred between two specific computers is protected, even if these computers are not the final destination for the data. Once the data is received by one of the computers, it may be forwarded to the final destination computer without using IPSec. Tunnel mode is generally used to ensure that data traveling between two networks across an unsecured network, such as the Internet, is protected. The rules that govern communication between two computers must be configured to use the same mode, either transport mode or tunnel mode. A computer can support multiple simultaneous connections in transport mode. In tunnel mode, only one tunnel connection can be active at a time. A rule must be defined for each tunnel connection.

You can use the Route command or the Netsh command to add static routes to a routing table. With the Route command, you use the add option to add a route. You can also use the add option in conjunction with the "-p" option to make the route entry persistent. The "-p" option adds the entry to the HKEY_LOCAL_MACHINE portion of the registry. The Netsh command uses helpers (dynamic link libraries) to execute commands related to various networking contexts such as routing, Dynamic Host Configuration Protocol (DHCP), Remote Access (RAS), and Windows Internet Name Service (WINS). You use Netstat to display information about existing TCP/IP connections and sessions. You use Arp to view and manage the Address Resolution Protocol (ARP) cache. The ARP cache contains a list of the Media Access Control (MAC) addresses that have been identified for related Internet Protocol (IP) addresses. You use Ipconfig to view and manage IP address configuration parameters.

The first step you should take to activate an IPSec policy is to assign the policy in the IP Security Policies node in the Group Policy Editor. If you create a new IPSec policy or want to put a predefined policy into effect, you must first assign the policy. You use the utility Secedit with the refreshpolicy option to propagate changes to the settings of a GPO immediately rather than at the next scheduled update. By default the settings are updated every 90 minutes on a client computer. If the IPSec policy has not been assigned, no changes to settings for the policy would be propagated. You use the IP Security Monitor (ipsecmon.exe) to view IP Security associations and IPSec statistics. You should restart the policy agent on a computer if you want to insure that changes you have made to an IPSec policy are effective. However, the changes will not take effect if the policy has not been applied.

The most likely cause of the timeout errors is that a reverse lookup zone does not exist. When you issue an Nslookup command, Nslookup attempts to contact the DNS server that the computer is configured to use. The first step it takes is to resolve the Internet Protocol (IP) address of the DNS server to a name using the reverse lookup process. If a reverse lookup zone containing a PTR record for the server does not exist, Nslookup will display timeout errors because the DNS server cannot respond to the reverse lookup request. Nslookup will be able to display any resource records from the forward lookup zones even if it cannot display the DNS server's name.
When you install the DNS service on a computer during the installation of Active Directory, a forward lookup zone is created. A reverse lookup zone is not created, though, so you should create that manually if you want to enable the DNS server to respond to reverse lookup requests. The forward lookup zone created during the installation of Active Directory is configured, by default, for dynamic updates. If you create a reverse lookup zone, you should enable it to accept dynamic updates. You do not need to configure a forwarder to use Nslookup. A forwarder is a DNS server to which another DNS server forwards requests. This is often done to minimize the number of computers on a network that contact the root DNS servers for information about external domain names.

The most likely reason that the recursive query fails is that the root zone is not available or has been deleted. The recursive query test attempts to forward a recursive query to the configured servers for the root zone, and the test fails if the root zone is not available. You do not need SRV resource records to do a recursive query. SRV records are used to identify servers that provide specific services such as Lightweight Directory Access Protocol (LDAP) servers, domain controllers, and global catalog servers. You do not need to configure an alternate DNS server to do a recursive query. You configure an alternate DNS server to allow a DNS client to contact the alternate DNS server if the primary DNS server is not available. You do not need to configure a reverse lookup zone to do a recursive query. You create a reverse lookup zone to enable a DNS server to respond to queries to return a domain name for a specific Internet Protocol (IP) address.

The use of TLS for smart card authentication requires that you enable support for EAP. L2TP is a protocol used to establish a Virtual Private Network (VPN). IPSec is a protocol that is often used with L2TP to encrypt data being sent using L2TP. PAP and MS-CHAP can be used as authentication protocols for a remote access server, but they do not support smart card authentication.

You should configure a root zone on DNSSrv1. You should also configure the cache.dns file on DNSSrv2 and DNSSrv3 with name server records for DNSSrv1 instead of the default name server records for computers that maintain the root DNS domain for the Internet. You should also insure that the Root Hints tab in the Properties dialog box of DNSSrv1 in the DNS Manager does not contain entries for the computers that maintain the root DNS domain for the Internet. You can also do this by deleting the default records in the cache.dns file. You should not create root zones on DNSSrv2 or DNSSrv3 nor should you configure the cache.dns file on DNSSrv1 with name server records of the other DNS servers.

When you install DNS at the same time you promote a computer to a domain controller for a Windows 2000 domain, the forward lookup zone for the domain is created automatically and configured to accept dynamic updates. However, the corresponding reverse lookup zone is not created. You must create the reverse lookup zone and enable this zone to accept dynamic updates. You must enable dynamic updates for each zone hosted on a DNS server, not for the DNS server itself. Windows 2000 Professional computers are enabled by default to send updates to a DNS server that accepts dynamic updates, so you do not need to configure this option on the client computers. A zone does not have to be an Active Directory integrated zone to accept dynamic updates. A zone that is integrated with Active Directory can be configured to allow only secure dynamic updates. If a zone is configured to allow only secure dynamic updates, new registrations are allowed only from computers that have a computer account in Active Directory. Updates to DNS entries in a zone that allows only secure dynamic updates can only be done by the computer that originally registered the record being updated.

IPSec in tunnel mode for Windows 2000 supports tunnels defined between IP subnets. Port-specific, protocol-specific, and application-specific tunnels cannot be defined. When a rule for a tunnel is defined, you must specify the IP address of the tunnel endpoint on the destination subnet when defining a filter for the rule. There must be a rule for each endpoint of the tunnel in the IPSec policy.

Since the computer is a member of a Windows 2000 domain, DNS is the primary name resolution service, so the incorrect name is most likely in the host name cache. The command "ipconfig /flushdns" can be used to clear the host name cache (or resolver cache) on a computer. The command "ipconfig /displaydns" can be used to view the contents of the cache. The command "nbtstat -R" is used to clear and reload the NetBIOS name cache on a computer. The nslookup utility is used to issue queries to a DNS server. The netstat utility is used to display information about existing TCP/IP connections and sessions.

You should use the Network Connection wizard to create a dial-up connection on RASA. This will create keys for BAP, IPBOOTP, PPP, and other RRAS-related features such as the authentication protocols. Although tracing (logging) for some features, such as the Point-to-Point Protocol (PPP) can be enabled in the Routing and Remote Access console, tracing for other protocols must be enabled in the registry. As always, you should use caution when using the Registry Editor. In the subkey for each component, you can enable tracing and define the size and location of the log file in which data is to be recorded as well as the level of logging desired. Note that tracing uses system resources and should not be left enabled on a long-term basis. You can use the Registry Editor to create the subkey and its associated values, but mistakes can be made easily in doing this. This is not the recommended method. Phone and Modem Options in the Control Panel can be used to enable logging of all modem communications for a computer.

By default clients will seek to refresh their lease automatically at 50% of the address lease time. To make changes that are made to the options in a lease effective immediately, you must use the ipconfig.exe /renew command. The /renew switch forces the clients to renew their lease. This renewal process will also update the client with any changes made to its address lease, including changes in configured options such as its default router.Windows 2000 Help, Search for the article entitleD. To verify, release, or renew a client address lease.

You can only define one scope of addresses per subnet so, in this case, you should configure a scope that encompasses all potential addresses on the subnet and then exclude all addresses other than those listed in the question. You create a multicast scope to configure a set of addresses to be allocated for use with multicasting. Collaboration applications such as NetMeeting use multicasting. Each user who wants to receive a multicast must configure a subscription to the multicast address assigned to a multicast session. You configure a superscope to allow addresses for multiple logical subnets to be assigned to computers on the same physical network segment. You use this feature when the number of computers on the segment is greater than the number of addresses available in a single logical subnet. You use an option class to distinguish one type of client from another to assign unique configuration parameters based on the client type. For example, you may choose to assign a shorter lease to laptop computers than to desktop computers.

The DNS:Zone Transfer SOA Request Sent counter is the total number of zone transfer SOA requests sent by the Secondary DNS server. The SOA record contains the number that identifies which version of the database is on the Primary DNS server. That number is compared against the local database version on the Secondary server to determine if a zone transfer is needed.To minimize the bandwidth required for this traffic you can do one of two things. First, you can increase the Refresh interval in the SOA record. This governs the amount of time Secondary servers wait before contacting the Primary server to check the database versions and determine if an update is needed. You could also configure the notify list on the Primary server. This will allow the Primary server to notify the Secondary servers when changes are made. If a high Refresh interval is set, it does not matter because the Primary server will directly notify Secondary servers when changes are made to the zone.Windows 2000 Help, Search for the articles entitleD. Understanding zones and zone transfer; and Monitoring server performance.

Windows 2000 uses DNS for name resolution. All computers on the network that clients need to communicate with should have a corresponding resource record in DNS. Windows 2000 computers automatically have their forward DNS records registered by DHCP. By default, DHCP does not register records for downlevel (pre-Windows 2000) computers such as Windows NT or 98.In order for the Windows 2000 computers to access the Windows NT server, it needs to have a resource record in DNS. One can be added manually, or the DHCP server can be configured to register DNS records for clients that do not support dynamic updates, such as Windows NT.This option can be set in the DHCP console. In the DHCP console, right click a server and select Properties. Select the DNS tab and check the box next to Enable updates for DNS clients that do not support dynamic update. The DHCP console is accessed by going to Start => Programs => Administrative Tools => DHCP.Windows 2000 Help, Search for the article entitleD. Using DNS servers with DHCP.

This question refers to the Access by user administrative model for dial in connections. In this model two things must occur in order for users to successfully dial in. First, their user account must be set to Allow access. This is done on the Dial-in tab in the user account's properties.Second, a remote access policy must be in place on the RRAS server that allows them to dial in. Remote access policies are used to set the conditions of a dial up connection. They can be set to allow certain groups access, place time restrictions on remote access, etc. If the conditions do not match the user's dial up attempt, the user is not allowed to establish a connection.Windows 2000 Help, Search for the articles entitleD. Accepting a connection attempt; and Remote access policy administrative models.

Just because a computer is a WINS server does not mean that the server automatically has records for itself placed in its own WINS database. The server must register with its WINS database just like any other client. You must enter the WINS server address on the WINS tab in TCP/IP Properties.Windows 2000 Help, Search for the article entitleD. To configure TCP/IP to use WINS.20

Extensible Authentication Protocol (EAP), was developed to support additional authentication methods including smart cards. Microsoft considers the use of smart cards the highest level of authentication supported for users in Windows 2000. The use of smart cards requires the user's computer to be equipped with a smart card reader. The dial up connection must be configured to use Extensible Authentication Protocol and "Smart Card or other Certificate (encryption enabled)" in the Advanced Security Settings dialog box of the connection's properties. The user is given a smart card that contains his or her logon credentials. When they swipe their card through the reader while at the logon prompt, it is the equivalent of hitting ctrl+alt+del. The user still must supply a password (called a PIN) to logon to the computer.
On the server side, certificates must be in use on the network. The Remote Access Server must have a machine certificate installed and EAP must be enabled. The remote access policy in use should specify smart card logons.Windows 2000 Help, Search for the articles entitled: Extensible Authentication Protocol (EAP); Using smart cards for remote access; To enable smart card or other certificate authentication; and To configure identity authentication and data encryption settings for a dial-up connection.

You must delete the scope, use the New Scope wizard to create a new scope with a subnet mask of 22 bits, and then edit the properties of the new scope to set an unlimited lease. You can then activate the scope. You cannot modify the subnet mask for a scope once the scope has been created. Also, you cannot use the New Scope wizard to define an unlimited lease. You cannot set a default lease length using the Properties dialog box of the DHCP server. You can use this dialog box to configure how the DHCP server updates a DNS server.

You should install IAS on a computer running Windows 2000 Server, copy the remote access policies to the IAS server, and configure the remote access servers as clients of the IAS server. You can use the netsh command-line utility to copy remote access policies to the IAS server. IAS is Microsoft's implementation of the Remote Authentication Dial-In User Service (RADIUS). A RADIUS server provides both authentication and accounting services for remote access servers. You cannot manage remote access policies with a GPO, so you should not create a GPO and link it to the appropriate OUs.
Remote access policies are stored on each remote access server or on an IAS server. You cannot manage remote access policies by using a security template to configure a remote access server. The Security Configuration and Analysis utility allows you to import templates to a security database, compare the current security settings on a computer to the database, and configure the server using the settings in the database. You should not configure all remote access clients to connect to the IAS server. A computer on which IAS is installed may not also be configured as a remote access server. IAS is a service used by remote access servers, not by remote access clients.

Multiple public IP addresses that are assigned for your use can be entered on the Address Pool tab in the Properties of the Internet (public) interface in the Routing and Remote Access console. This console can be called up by going to Start => Programs => Administrative Tools => Routing and Remote Access.Windows 2000 Help, Search for the articles entitled: To configure interface IP address ranges; and Troubleshooting network address translation.15

You should use IP address-specific rules to define the authentication method. This allows the two computers to establish a security association (SA) before any protocol-specific or port-specific traffic is attempted. You should mirror all filters that secure traffic. This ensures that both computers are using the same method to secure traffic. You should not use protocol-specific rules to define the authentication method, since the security association must be set up prior to securing, allowing, or blocking packets for specific protocols. You should not use port-specific rules to define the authentication method, since the security association must be set up prior to securing, allowing, or blocking packets for specific ports. You do not have to mirror all filters that block traffic. You can create one-way filters to block specific traffic. You do not have to mirror all filters that permit traffic. You can create one-way filters to permit specific traffic.

In order to add a protocol parser to Network Monitor you copy the parser .dll file to the %netmon%\Parsers folder. Once completed, open the Parser.ini file from the %netmon% folder and enter the information about the parser you have just added. You must then add the parser within the graphical Network Monitor tool by selecting Default Parsers from the Options menu. Select the name of the new parser you added and click enable.Network Monitor Help, Search for the article entitled: To add a protocol parserTo open Network Monitor and access help go to Start => Programs => Administrative Tools => Network Monitor. Click on the Help menu once the tool open.

On a local subnet, name resolution can be accomplished with broadcasts. Name resolution across subnets and network browsing across subnets relies on non-broadcast methods of name resolution. The two dominant forms of non-broadcast name resolution on Windows networks are LMHOSTS files and WINS.A WINS server maintains a dynamic database that maps IP addresses to NetBIOS names. When a client boots up on a WINS network, it registers its NetBIOS names and IP address with the WINS server. In order to do this, it needs to have been configured with the IP address of at least one WINS server.
A computer will only register with one WINS server. Two or more WINS servers can be configured for the client to use, but they will only be tried if the first WINS server cannot be found.Once they have registered, WINS clients can look up other computers and the resources they have available in WINS. They can also use WINS to resolve NetBIOS names into IP addresses. For example, if a WINS client is trying to communicate with a server named server1, it can look up the IP address of server1 in the WINS database. Once the WINS client has the IP address it can begin direct communication with server1.WINS servers can be configured to replicate their databases. In essence this takes two or more individual WINS databases and ensures that each database contains the information in all of the databases. Because clients only use one WINS server (unless that server becomes unavailable), they only have access to the records in that server. Database replication ensures that each of the WINS servers has all of the records in it that a client may need.Windows 2000 Help, Search for the article entitled: Configuring WINS replication.

Windows 2000 DHCP servers that are installed on an Active Directory network must be authorized in Active Directory. DHCP servers that are not authorized will not hand out addresses. This feature is intended to prevent rogue Windows 2000 DHCP servers from handing out addresses. The feature does not effect non-Windows 2000 DHCP servers. Non-Windows 2000 DHCP servers are able to hand out addresses without being registered.Windows 2000 Help, Search for the article entitled: Authorizing DHCP servers.

You should use the Routing and Remote Access console to add the NAT routing protocol. You modify the properties of an existing connection to enable Internet Connection Sharing. You can also use the Network Connection wizard to enable Internet Connection Sharing. You use Add/Remove Programs to install many of the Windows 2000 networking components, but not to add NAT.

UNIX machines use host names not NetBios names. In addition, UNIX computers do not use WINS. Static mappings are used to allow non-WINS enabled computers to be resolved through WINS. An administrator manually adds an IP to name mapping in the WINS database for these clients. Once added, WINS clients can query the database for the computer's name and successfully retrieve an IP address for the non-WINS enabled computer.Windows 2000 Help, Search for the article entitled: Using static mappings.

A PPTP connection is preferred to an L2TP connection because PPTP supports built in encryption. L2TP must use IPSec or another form of encryption to encrypt traffic. Broadcast traffic should not pass from one network segment to another. Because of this it is important to ensure that it does not cause a demand-dial connection to be established,You can configure the types of protocol traffic that are allowed for a demand dial connection. To do so, open the Routing and Remote Access console by going to Start => Programs => Administrative Tools => Routing and Remote Access. Click routing interfaces, right click the demand dial interface you wish to configure and select Properties. From the Properties menu, select Set IP Demand-dial Filters.Windows 2000 Help, Search for the articles entitled: Demand-dial routing design considerations; and PPTP-based router-to-router VPN.

You should use the command "nslookup -ls -d corp.com" to obtain information about the computers in division3.corp.com. Since there is not a separate zone for division3.corp.com, the nslookup command cannot return information when queried for division3.corp.com instead of corp.com. You should not create an NS record for DNS1 in division3.corp.com because this is a child domain, not a zone. You use the "Append these DNS suffixes (in order)" field of the TCP/IP properties of the Local Area Connection to define suffixes to use when unqualified names are to be resolved with DNS. An unqualified name is a name that does not contain a fully qualified domain name (FQDN). Configuring DNS1 as a slave server will not enable information about the child domain division3.corp.com to be obtained using nslookup with the syntax shown. A slave server is a DNS server that contacts another DNS server to resolve queries for which the slave server cannot provide information either from cache or from its zone data.

Users dialing in to a Windows 2000 domain that is in Native mode can be assigned a unique static IP address at logon. This is done from the Dial-in tab of the user account properties by checking the box next to Assign a Static IP Address and entering in the address they would like the user to receive. The user account properties are accessed by going to Start => Programs => Administrative Tools => Active Directory Users and Computers. In the container that holds the user's account, right click the account and select Properties.Windows 2000 Help, Search for the articles entitled: Dial-in properties of a user account.

All computers on the network that need to communicate with each other must have a frame type in common. As an example, if one computer is configured to use frame type 802.2 and another is using 802.3 the two computers will not be able to communicate with each other.When configuring NWLink you can specify automatic frame type detection or select the frame type manually. By default, NWLink uses automatic frame type detection. Though it may sound like this setting detects and configures all frame types in use, it does not. When it detects multiple frame types, it defaults to 802.2. This means that the server cannot communicate with computers running any other frame type. Most modern servers use the 802.2 frame type. However, some older servers such as NetWare 3.11 and earlier use frame type 802.3. Because the servers do not have a frame type in common, they cannot communicate with each other.
A computer can be assigned more than one frame type to communicate with. In this way it can communicate with servers that use 802.2, in addition to servers that use 802.3. Though normally configured through the NWLink Properties graphical interface, another way to configure a server for more than one frame type is to directly edit the registry. When editing the registry you should enter in the hexadecimal values for the frame types under the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet(number)\Services\NwlnkIpx\Parameters\Adapters\{adapter ID}\PktTypeWindows 2000 Help, Search for the articles entitled: Setting the frame type; and To configure NWLink.

DHCP clients obtain their address leases by using broadcasts. Because broadcasts cannot pass over routers, they do not travel from one network segment to another. A DHCP client cannot obtain an address lease from a DHCP server that is on another network segment unless the routers support DHCP broadcasts or a DHCP relay agent is installed on the client's subnet. DHCP relay agents are configured with the address of a DHCP server. When they detect a client on their network segment that is attempting to obtain a DHCP address lease, they contact the DHCP server on behalf of the client to obtain addressing information. Once the addressing information has been obtained from the DHCP server, it is passed along to the client. The DHCP relay agent must be located on the same network as the client in order for it to hear and respond to DHCP client requests. It is not necessary to have a relay agent on the same network segment as a DHCP server.Windows 2000 Help, Search for the article entitled: DHCP Relay Agent.

TCP/IP filters can be set in Routing and Remote Access (RRAS). There are two types of filters Input and Output. Input filters are applied to incoming traffic and output filters are applied to traffic that is leaving the router. Filters can be applied to block all traffic except for what is specified in the filter, or allow all traffic except what is specified in the filter. In this case, the filter had the wrong setting applied to it. Instead of discarding all packets except the ones configured in the filter it was doing the opposite.Windows 2000 Help, Search for the articles entitled: Packet filtering; and To add a packet filter.

A busy network can generate a lot of information in three hours. The default Buffer Size is 1MB, which will not hold much traffic. This will need to be increased to hold three hours worth of traffic. In addition, the Frame Size setting can also be adjusted. This is the amount of information you want captured from each frame. Because you only need the source IP address, destination IP address, and destination port number you do not need to capture the entire frame. Setting the Frame Size so that it only captures enough of the frame to include this information will greatly reduce the amount of storage space that your capture requires.To set the Buffer and Frame Size settings open Network Monitor by going to Start => Programs => Administrative Tools => Network Monitor. On the Capture menu select Buffer Settings.Network Monitor Help, Search for the articles entitled: Capture Buffer Settings dialog box; and To modify capture buffer size or capture bytes per frameTo access Network Monitor help, open Network Monitor as described above and click on the Help menu once the tool is open.

DHCP clients obtain their address leases by using broadcasts. Because broadcasts cannot pass over routers, they do not travel from one network segment to another. A DHCP client cannot obtain an address lease from a DHCP server that is on another network segment unless the routers support DHCP broadcasts or a DHCP relay agent is installed on the client's subnet. DHCP relay agents are configured with the address of a DHCP server. When they detect a client on their network segment that is attempting to obtain a DHCP address lease, they contact the DHCP server on behalf of the client to obtain addressing information. Once the addressing information has been obtained from the DHCP server, it is passed along to the client. The DHCP relay agent must be located on the same network as the client in order for it to hear and respond to DHCP client requests. It is not necessary to have a relay agent on the same network segment as a DHCP server.Windows 2000 Help, Search for the article entitled: DHCP Relay Agent.40

You should add the computer accounts for both DHCP servers to the group DNSUpdateProxy. When DNS records are created by members of this group, the records have no security. Therefore, neither of the DHCP servers is assigned ownership of the records, and either DHCP server can update DNS records created by the other DHCP server. You should not create a reservation for each of these clients on both DHCP servers. If the servers are not members of the group DNSUpdateProxy, the server that assigns the initial lease to a client will own the DNS record that it creates and the other DHCP server will not be able to update the DNS record. You should not add the computer accounts for both DHCP servers to the group DHCP Administrators because this group does not have the ability to update DNS records.
When you set up two DHCP servers to provide addresses for the same subnet, you create a scope on each DHCP server with the set of addresses to be managed by that server. You can expand this scope later to include additional addresses and then exclude the ones managed by the other DHCP server. However, you cannot create new scopes to define addresses managed by the other DHCP server because the address ranges with the required subnet masks will conflict with your existing scopes. You use a superscope to define multiple address ranges from different subnets in separate scopes that can be assigned to computers on the same physical segment.

You should configure NWLink on WK10 to use both the 802.2 and the 802.3 frame types. When you install NWLink, the default installation enables the "Auto Frame Type Detection" option. If NWLink detects that multiple frame types are being used, it defaults to the 802.2 frame type. NetWare 3.11 uses frame type 802.3, while NetWare 4.11 uses frame type 802.2. You do not need to configure a unique internal network number for WK10. An internal network number must be configured on a computer if it runs a service that advertises its availability using the Service Advertising Protocol (SAP).
You do not need to add the user to the group NTGateway on NWData. If you install the Gateway Service for NetWare on a computer running Windows 2000 Server, you must use an account that is a member of the group NTGateway on the NetWare server to configure a gateway to a resource on the NetWare server. You do not need to move NWLink to the top of the binding order for the network adapter card on WK10. WK10 can use both NWLink and TCP/IP, but it will first try the one that is at the top of the binding order. If the user at WK10 primarily accesses resources on NetWare servers instead of on computers that use TCP/IP, you can improve performance by moving NWLink to the top of the binding order for the Client Services for NetWare.

You should tombstone the record on your WINS server. You do this by deleting the record from the WINS console and selecting the option "Replicate deletion to other servers (tombstone)" from the dialog box that is displayed when you delete the record. You should not delete the record only on your WINS server, since the other WINS servers would then continue to replicate it to each other. You select the option "Delete the record only from this server" when other WINS servers contain the correct information and can then replicate it back to your server. Since your server is the owner of this record, you should tombstone it. You should not restore a database that was backed up before the invalid record was created because the database will not contain records created since that record was created. You can do an authoritative restore of an Active Directory database but not of a WINS database.
The option "Verify Database Consistency" verifies that the local copy of each record obtained from a replication partner is identical to the record stored in the database of the WINS server that owns the record. Choosing this option will not update the invalid information in the database of your WINS server or any of the other WINS servers.

You should install the Network Monitor driver, which is used to collect frames from a network that can be passed to the Network Monitor utility to be viewed and analyzed. Installing the Network Monitor driver also makes the Network Segment object available in System Monitor. The Network Segment object contains counters such as %Network Utilization, Broadcast Frames Received/sec, and Total Frames Received/Sec. You install the SNMP service to provide an SNMP agent that can respond to requests for information from an SNMP management system such as HP Open View. The SNMP agent can also be configured to send a message to a management system when a specific event occurs. The information for SNMP is stored in a Management Information Base (MIB) on the client computer. Default MIBs are available for system data such as fault and configuration analysis information and logon information. You install the Connection Manager Components to help automate the creation of client computer connections for remote access and Virtual Private Networks (VPNs). You install the Simple TCP/IP Services to install such utilities as Character Generator, Daytime, Echo, and Quote of the Day.

You can provide confidentiality with ESP but not with AH. Confidentiality is provided by encryption of the data or payload of an IP packet. Data Encryption Standard (DES) or Triple-DES (3DES) can be used to encrypt data. Authentication is provided by both AH and ESP by guaranteeing the identity of the sending computer. Authentication can be based on Kerberos, certificates, or pre-shared keys. Integrity is provided by support for hashing with both AH and ESP. Authentication encryption can be done with either Message Digest 5 (MD5) or Secure Hash Algorithm (SHA). Antireplay protection is provided by both AH and ESP. Both use sequence numbers in the header of the IP datagram to avoid replay attempts.

You must configure a static IP address on a computer on which the DHCP Server service is installed. A subnet mask is required to identify the subnet ID and host ID portions of the IP address. Since updates to a DNS server on a different subnet are required, you must supply the address of a default gateway. A DHCP server sends updates to the DNS server defined in the properties of TCP/IP in the DHCP server's Local Area Connection, so you must define the address of the DNS server. You do not configure the DNS domain name for a computer in the properties of TCP/IP. You define the DNS domain to which a computer belongs from the Network Identification tab of the System icon in the control panel. You can configure a suffix to be used for the connection in the properties of TCP/IP if the DNS suffix differs from the domain name. An entry consisting of the computer name and this suffix is added to DNS if DNS dynamic updates are enabled.

RADIUS infrastructures use clients and servers. In actuality both types of RADIUS computers are remote access servers. Users dial into RADIUS clients. The RADIUS clients authenticate the user by using a RADIUS server. Because all RADIUS servers are remote access servers, they all use remote access policies to determine who can and cannot attach to the network. Fortunately for administrators, only one remote access policy is needed. This is because the remote access policy specified on the RADIUS server is used by all RADIUS client servers. A 40 bit encryption level is specified in a remote access policy by using the Basic setting.Windows 2000 Help, Search for the articles entitled: Data encryption; and Using RADIUS for multiple remote access servers.30

dding a WINS server to a network does not automatically cause all network clients to use it. You must configure the clients to use WINS either manually or through DHCP. On a network that uses DHCP, this is accomplished by using a DHCP option that specifies the WINS server the clients should attempt to use. The NetBIOS node type should also be set so that the WINS server is used for name resolution before broadcast resolution is attempted.Windows 2000 Help, Search for the article entitled: Assigning options.

If there is no remote access policy, no users will be able to connect, since the connection settings will not match the settings of any policy. If there is no remote access policy defined for a remote access server, the Remote Access Permission for each user account has no effect on whether or not a user can access the server. Thus, neither those with a Remote Access Permission set to "Allow access" or to "Control access through remote access policy" will be able to connect. Remote access policies are stored on each remote access server, and there is no mechanism for defining a default policy for a domain. You could use a Remote Authentication Dial-in User Service (RADIUS) server to centralize remote access policies for a network. You then configure each remote access server to use the RADIUS server for authentication. In Windows 2000, RADIUS is implemented via the Internet Authentication Service (IAS).

If the Remote Access Permission for a user account is set to "Deny access", the setting will be changed to "Control access through Remote Access Policy" when a domain is converted from mixed mode to native mode. If the Remote Access Permission for a user account is set to "Allow access", the setting will be left as "Allow access" when a domain is converted from mixed mode to native mode.

The most likely reason that you do not have this option is that the computer is not a member of a Windows 2000 domain. An enterprise CA uses Active Directory to authenticate users or computers when a user or computer submits a certificate request, so you can only configure a computer as an enterprise CA if the computer is a member of a Windows 2000 domain. You must be a member of the group Enterprise Admins, not just the Administrators group, to configure a computer as an enterprise CA. To create a standalone CA, you must be a member of the Administrators group on the computer on which you install Certificate Services. The computer does not have to be a domain controller to be configured as an enterprise root CA or an enterprise subordinate CA. The computer does need to be a member of an Active Directory domain. The computer does not have to be the schema master to be configured as an enterprise root CA or an enterprise subordinate CA. The computer does need to be a member of an Active Directory domain.

NAT cannot process Kerberos and IPSec traffic because it cannot manipulate the IP address information properly for these protocols. IP information is stored in the encrypted portion of these packets and the IP information cannot be modified, therefore, the packets needed to negotiate security cannot pass through NAT. FTP headers contain IP address information, but a built-in NAT editor is used to modify the information stored outside of IP, TCP, and UPD headers. PPTP packets contain IP-related information that is stored outside of the IP, TCP, and UDP headers, but NAT includes a built-in NAT editor to modify the related information. RPC stores IP-related information outside of the IP, TCP, and UDP headers, but NAT includes proxy software to manage RPC packets.

Before installing the DNS Server service on a computer, you should assign a static IP address to the computer or insure that it has leased a reserved address from a DHCP server. The computer on which the DNS Server service is installed can be a DHCP client. When the computer is a DHCP client, you will be warned that the computer should be configured with a static address when you install DNS. You can assign this address either manually or by configuring a DHCP reservation for the computer. You do not have to configure a static address from the Properties dialog box of the local area connection. You should also configure the name of the DNS domain for which the computer will be responsible. The DNS domain name should be entered in the "DNS suffix for this connection" field of the TCP/IP properties of the Local Area Connection. The dialog box for entering the DNS suffix is displayed by selecting the Advanced button on the General tab of the TCP/IP properties. Once this dialog box is displayed, the DNS tab can be used to define the DNS suffix. You should not enter the address of a DNS root name server in the "DNS server addresses, in order of use" field of the TCP/IP properties of the Local Area Connection. Instead, you should enter the address of the computer on which you are installing the DNS Server service. The "Append these DNS suffixes (in order)" field of the TCP/IP properties of the Local Area Connection is used to define suffixes to be used when unqualified names are to be resolved with DNS. An unqualified name is a name that does not contain a DNS domain name. An example of using an unqualified name is using the ping command with just the name of a computer instead of using the fully qualified domain name of the computer.

You should use the subnet mask 255.255.248.0. This reserves nine bits for the subnet identifier and eleven bits for the host identifier. Nine bits will allow you to define up to 510 subnets. Eleven host bits will allow you to define up to 2046 hosts on each subnet. The subnet mask 255.255.224.0 only supports 126 subnets. The subnet mask 255.255.240.0 only supports 254 subnets. The subnet mask 255.255.252.0 only supports 1022 hosts per subnet. Note: If your routers and hosts support the all-zeros and all-ones subnets, you can define up to 512 subnets with the subnet mask 255.255.248.0, 128 subnets with the subnet mask 255.255.224.0, and 256 subnets with the subnet mask 255.255.240.0. Hosts and routers running Windows 2000 Server or Professional support these special subnets.

The CRLDistributionPoint object for a CA contains the published Certificate Revocation Lists (CRLs) for the CA. This object exists in the configuration partition of Active Directory, so it will be replicated to all domain controllers in the forest. A CRL contains the serial numbers of all certificates that have been revoked by the CA. The domain partition of Active Directory is only replicated to domain controllers in the same domain. User certificates reside in the domain partition, since they are published in the User object. A subset of the information in the domain partition of each domain in a forest is published to each global catalog server in the forest. User certificates are included in the information replicated to global catalog servers. The schema partition of Active Directory is published to all domain controllers in a forest.

You should permit IP protocol number 89 to allow OSPF messages to be received on OSPF-enabled interfaces. The Internet Control Message Protocol (ICMP) is IP protocol number 1. The Exterior Gateway Protocol (EGP) is IP protocol number 8. The MIT Remote Virtual Disk (RVD) is IP protocol number 66.

You should use CorpRt, the name assigned to the demand-dial interface you created on CorpRouter. The user name configured in the dial-out credentials should be the name assigned to the demand-dial interface on the destination router. On the destination router, you can configure a password to be used for remote router connections by defining the password in the dial-in credentials. The group RAS and IAS Servers is a domain local security group that is, by default, given permission to access remote access-related properties of user objects. When you enable Routing and Remote Access on a computer running Windows 2000 Server, the computer account of that server is added to the RAS and IAS Servers group. You should not use the name of the remote router computer, an administrative account, or the name of a user account that belongs to RAS and IAS Servers as the user name for the dial-out credentials.

The DHCP server must be authorized in Active Directory before it can lease addresses to clients. When existing DHCP servers are upgraded to Windows 2000, they are not automatically authorized in Active Directory. You must authorize each of the servers from the DHCP console. Only a member of the group Enterprise Admins can authorize a DHCP server. In both Windows NT 4.0 and Windows 2000, a computer must have a static IP address before you install the DHCP Server service on the computer, so the computer would not have an address assigned through (APIPA). You do not need to have an option class defined for Windows 98 clients to lease an address to a Windows 98 client. DHCP clients do not need access to information from a DNS server to find a DHCP server.

When a WINS proxy agent receives a name resolution request broadcast, the proxy agent first checks its NetBIOS name cache to determine if there is an entry in the cache that maps the name to an Internet Protocol (IP) address. You should increase the size of the name cache on the WINS proxy agent to improve the likelihood that the requested name will be in the cache. The default configuration provides a name cache that can hold 16 entries. You can configure it to hold 128 or 256 entries. You should also increase the length of time that entries are kept in the cache, which is 10 minutes by default. The cache size and timeout values can be configured in the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters. If the name request cannot be resolved using the NetBIOS name cache, the WINS proxy agent will contact its configured WINS server. The WINS proxy agent will not attempt to resolve a name resolution broadcast by searching its local LMHOSTS file. The WINS proxy agent will not attempt to resolve a name resolution broadcast by searching its local HOSTS file.

The only enrollment method supported for a stand-alone CA is the Certificate Services Web Pages option. This is activated by accessing the Uniform Resource Locator (URL) http://certsrv from a web browser. You can request a certificate from an Enterprise CA using either the Certificate Services Web Pages or the Certificates console. Using the Certificates console, you can invoke the Certificate Request wizard to request a certificate. You use the Local Security Policy console to manage IPSec policies, but not to request a certificate for IPSec.

You should implement EAP, which provides support for smart card authentication. PAP, CHAP, and MS-CHAP can be used as authentication protocols for a VPN server, but they do not support smart card authentication.

You should use scope options to configure leases that will force computers to release their addresses at shutdown, rather than keep the address the full length of time defined for the lease. You configure this choice by using a vendor-specific option as one of the scope options. The option described, "Release DHCP Lease on Shutdown", is available for Microsoft clients only. It can be configured from the Advanced tab of the Scope Options dialog box. You use server options to define options that apply to all scopes configured for a DHCP server. You use reservations to ensure that the same IP address is always assigned to a specific Media Access Control (MAC) or hardware address. You configure a lease length in the address lease properties as either unlimited or valid for a specific amount of time. You cannot configure the properties of a lease to have clients release the lease at shutdown.

The most likely reason that you cannot access other servers is that a DHCP server is not available. When a computer has been configured as a DHCP client and a DHCP server is not available, an address for the computer is assigned using Automatic Private Internet Protocol Addressing (APIPA). The range of addresses reserved for APIPA is 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. A NAT server can be configured to use a DHCP server to assign IP addresses or you can configure a range of addresses to be managed by the DHCP allocator feature of NAT. Since the other servers you are trying to access are on the same subnet as the remote access server, you do not need to configure a static route for the subnet. Even if a DNS zone is not configured that includes the IP address of the connection, you should be able to locate servers on the same subnet as the remote access server by using broadcasts to resolve the server names to IP addresses.

You should enable IP forwarding on the firewall for ESP (IP protocol 50) and for IKE (UDP port 500). With IPSec the payload from the application layer protocols, such as CIFS, NetBT, and RPC, is encapsulated in standard IP packets and can be routed as normal IP traffic. An ESP header provides data confidentiality. IKE is an application layer protocol responsible for setting up a security association between two computers. CIFS provides access to NetBIOS-based resources over any TCP/IP network, including the Internet. CIFS is an enhancement to the Server Message Block (SMB) protocol. NetBT is a session layer protocol that manages the network I/O for the NetBIOS presentation layer programming interface. RPC is an interprocess communication (IPC) mechanism used for client-server communication.

The computers will remain configured as replication partners until the WINS server service is stopped properly on one of the partners. If you uninstall the WINS server service from one of the partners, the replication partner will be removed when the service is stopped during the uninstall procedure. The Verification Interval defines the length of time after which a WINS server will determine if records that it does not own are active. Even if two WINS servers cannot communicate due to network problems, they will remain configured as replication partners. If a WINS server runs the scavenge process, it will not drop records that are owned by a WINS server that is not available.

You should create a remote access policy and set the condition Windows-Groups to VPN-Access in the policy. This will allow only those who are members of VPN-Access to use the policy. Since this is the only policy, the connection parameters of other users who attempt to access the VPN will not match the policy and they will be denied access. You cannot control access via permissions on the remote access policy object or by configuring the remote access profile associated with a remote access policy. You do not need to use only EAP-TLS authentication. Other methods of authentication can be used as long as the remote access policy is configured correctly.

You should delete the file cache.dns. If the wizard finds the cache.dns file, it uses the information in the file to configure root hints for the server. If it does not find the file, the wizard creates a root zone. A reverse lookup zone is used to determine the name associated with a given Internet Protocol (IP) address. The file boot.dns is not required but can be used to provide configuration information for a DNS server. A root name server does not use a forwarder, so, when the wizard creates the root zone, it will disable the ability to use a forwarder.

You should define the list of DNS servers in the TCP/IP properties of the DHCP server. If the DNS server that is authoritative for the zone in which the client's resource record is stored is not listed, the DNS servers that are listed will refer the request to the DNS server that is authoritative for the zone. You define DNS servers to be used by the DHCP clients in the DHCP scope options. You use the Properties dialog box of either the DHCP server or the DHCP scope in the DHCP console to configure the interaction between DHCP and DNS. Parameters that you can configure include when to automatically update DHCP client information in DNS and whether or not to update information for DNS clients that do not support dynamic updates.

You can modify the burst handling setting on the WINS server in Dallas to Low. This will allow the server to respond more quickly to registration requests when the demand is high. Burst handling enables a WINS server to issue short leases to clients without registering the names of the clients in the WINS database. When the clients send renewal requests, if the load on the server has decreased, it then issues normal leases and registers the names in the database. By setting the value of burst handling to Low, the burst handling will be triggered once 300 requests are queued. The default setting of Medium triggers burst handling when 500 requests are queued. A setting of High triggers burst handling when 1000 requests are queued. You use the extinction interval to define the period between the time an entry is marked in the WINS database as released and the time it is marked as extinct. When an entry is marked as extinct, it may then be removed from the database after the amount of time configured as the extinction timeout. You define the maximum number of records verified each period to govern the number of records in the database of a WINS server that are compared to the records in the database of the WINS server that owns the records. This setting is used when WINS servers are configured as WINS replication partners. You define the renewal interval to set the amount of time for which a name registration is valid.

The most likely reason that the smart card authentication failed is that a domain controller is not available. A user cannot log on if a domain controller is not available. This is true even if the user has logged on to the computer previously with the smart card. A password is not used during smart card authentication. Instead, the certificate that is stored on the smart card is used for the initial authentication. Therefore, a user will not be required to change his or her password when logging on with a smart card. You do not need a remote access network connection configured to use a smart card for authentication. Smart card authentication can be used for access from a local area network (LAN) or for remote access. To configure support for smart card authentication for remote access, you must enable the Extensible Authentication Protocol.

You should use Public Key Policies to automate the process of requesting, obtaining, and installing computer certificates. Public Key Policies work with autoenrollment objects in Active Directory to insure that certificates are created and issued. You use the Certificates console to request certificates and to import and export certificates. You use the Certificate Request Wizard from the Certificates Console to request a certificate from an enterprise CA. The wizard must be activated for each certificate you need. You use the Certificate Services Web Pages to request a certificate from an enterprise CA or a stand-alone CA.

You use Routing and Remote Access (RRAS) to install and configure the DHCP relay agent. This service is added as a routing protocol in the IP routing node of RRAS. You use the registry editor to configure a computer as a WINS proxy. You use Add/Remove Programs to install the DHCP Server service, but not the DHCP relay agent. You use the Properties dialog box of the Local Area Connection to manage the properties of most networking protocols and services (other than the DHCP relay agent).

When a DHCP client supports dynamic updates for DNS, the client submits the Fully Qualified Domain Name (FQDN) in the DHCPREQUEST message in Option 81. The DHCP server uses this information to register a pointer (PTR) record in DNS for the client. The PTR record defines the reverse-lookup address for a host, so that, if a query is submitted requesting the name affiliated with a specific IP address, the name can be returned in response to the query. When a host leases an IP address from a DHCP server, the host can obtain a DNS domain name from the DHCP server.
The domain name can be defined in either the scope options or the server options. However, the DNS suffix can also be defined via the TCP/IP properties of the Local Area Connection of a host. This suffix would override a domain name issued as part of a DHCP lease if the option "Use this connection's DNS suffix in DNS registration" is enabled in the Advanced TCP/IP settings. Option 81 is not submitted in a DHCPDISCOVER message. The DHCPDISCOVER message is the first packet sent when a host is attempting to lease an address from a DHCP server. A DHCP server that receives this request responds with a DHCPOFFER message. The host responds to a DHCPOFFER message with a DHCPREQUEST message, and then the server responds with a DHCPACK message to confirm that the offered IP address with its associated options has been leased to the host.

After you install the DHCP Server service on a computer, the icon for the computer will display a red arrow until the server has been authorized in Active Directory. You must use the DHCP console to authorize the server before the server can lease addresses to clients. Once the DHCP server has been authorized in Active Directory, you should attempt to restart the service if the icon for the server displays a red arrow after authorization has taken effect. You can restart the service either from Services in Computer Management or from the DHCP console. You can use the New Scope wizard to create a scope or configure the server to update DNS either before or after you authorize the DHCP server in Active Directory. Neither of these steps will change the red arrow to a green arrow, though.

You can use the DNS console to enable collection of the number of DNS requests submitted to a DNS server over TCP or UDP. You configure the collection of this information from the logging tab of the Properties dialog box of the DNS server. The information will be stored in the dns.log file in %systemroot%\system32\dns. You can also use System Monitor to collect and display the number of DNS requests submitted to a DNS server over TCP or UDP. The counters "TCP requests received" and "UDP requests received" can be selected from the DNS object. The collection of this information cannot be enabled by default using either the Group Policy Editor or Local Security Policy. You could create your own template to configure the related registry setting that enables the collection of the information. You could use Network Monitor to collect the packets that are generated, but that would also require you to configure a display filter to determine which packets are generated specifically by DNS requests.

You can install the DNS Server service using either Add/Remove Programs or when you use the Active Directory Installation wizard (dcpromo.exe) to promote a computer running Windows 2000 Server to a domain controller. You use Services in Computer Management to start, pause, stop, and restart services. You also use Services to configure the user account to be used by a service. You use the properties of a Local Area Connection in Network and Dial-up Connections to add networking protocols, client networking services, and file and printer sharing services such as the SAP Agent and Gateway Service for NetWare (GSNW). There is no Network icon in the Control Panel in Windows 2000. Most of the configuration that was done using the Network icon in Windows NT 4.0 is done from Network and Dial-up Connections in Windows 2000.

The most likely reason that a global catalog server cannot be located is that there is no DNS server available. Resource records in the DNS database define where services such as domain controllers and global catalog servers can be found. Since you are able to log on to the computer and ping the address of the global catalog server, you know that both the computer at which the user is trying to log on and the global catalog server have valid IP addresses, either assigned by a DHCP server or manually assigned. An administrator can log in to the network, even if a global catalog server is not available, but a domain user cannot log in if he or she has not logged into the network from that computer before. If the user has logged in before, his or her cached credentials can be used if a global catalog server or domain controller is not available. A user can log in if the PDC emulator is not available or if the global catalog server and the computer being used to log in are in different domains, as long as the global catalog server can be located.

You should use protocol number 2. The numbers associated with each protocol are defined in the file \system32\drivers\etc\protocol. TCP/IP packet filters can be configured to permit only defined Transmission Control Protocol (TCP) ports,User Datagram Protocol (UDP) ports, or Internet Protocol (IP) protocols by selecting the Options tab from the Advanced button in the Properties dialog box of TCP/IP. Protocol number 1 is Internet Control Message Protocol (ICMP). ICMP cannot be filtered using TCP/IP filtering. It can be restricted by using Internet Protocol (IP) packet filters in Routing and Remote Access (RRAS). Protocol number 6 is TCP. Protocol number 17 is UDP.

You should remove and reinstall the TCP/IP protocol, since the IPSec components are installed with TCP/IP. The IPSec Policy Agent runs as a service. You use the IP Security Monitor (ipsecmon.exe) to view IP Security associations and IPSec statistics. You use the "IP Security Policies on Local Machine" node in Computer Management to assign the "Client (Respond Only)" policy, but doing this will not reinstall the IPSec Policy Agent. You do not need to use the Registry Editor to enable the IPSec Policy Agent. You may want to use the Registry Editor to enable logging of policy agent activities or the creation of security associations.

If the IP address of a computer is the same as the IP address of another host, the ipconfig utility will display the subnet mask as 0.0.0.0 on the second host that attempts to use the IP address. When an IP address is assigned to a host, the host sends a gratuitous Address Resolution Protocol (ARP) packet to determine if another host is using the assigned address. If the computer gets a response that the IP address is in use, an error is logged and the subnet mask is set to all zeroes. If the network adapter card is not connected to the network, ipconfig will display an IP address of 0.0.0.0. The Microsoft MediaSense software override feature of Windows 2000 can detect if a network card is not connected to the network. If the computer is assigned an IP address by APIPA, the subnet mask will be 255.255.0.0. If a static route is configured incorrectly on the computer, there will be no impact on the computer's IP address or subnet mask.

You should use protocol number 6. The numbers associated with each protocol are defined in the file \system32\drivers\etc\protocol. TCP/IP packet filters can be configured to permit only defined TCP ports, User Datagram Protocol (UDP) ports, or Internet Protocol (IP) protocols by selecting the Options tab from the Advanced button in the TCP/IP Properties dialog box. Protocol number 1 is Internet Control Message Protocol (ICMP). ICMP cannot be filtered using TCP/IP filtering. It can be restricted by using Internet Protocol (IP) packet filters in Routing and Remote Access (RRAS). Protocol number 2 is Internet Group Management Protocol (IGMP). Protocol number 17 is UDP.

You should enable traffic to pass through TCP port 443 on the firewall. This is the port reserved for Hypertext Transfer Protocol (HHTP) access when SSL is enabled. TCP port 80 is the default port for HTTP without SSL. TCP port 119 is the default port for the Network News Transport Protocol (NNTP). TCP port 563 is the default port for NNTP with SSL.

You use the cache command in the boot file to define the location of the file that contains the addresses of the name servers for the root domain. When you install the DNS Server service, the file cache.dns is created in the \system32\dns folder. The file cache.dns contains the addresses of the name servers that host the root zone for the Internet. If you configure your own root zone, you should update the cache.dns file to reflect the name servers that are authoritative for your root zone. You use the directory command in the boot file to define the location of the folder in which the files defined in the boot file can be found. You use the primary command to define the domain for which the name server is authoritative and the name of the file that contains the resource records for the domain. You use the secondary command to define three configuration parameters: the domain for which the name server is a secondary name server, a list of the Internet Protocol (IP) addresses of the master name servers from which this name server can obtain resource records, and the name of the local file in which to cache records for the domain.

You can use the range of addresses 172.16.32.1 to 172.16.39.254 for hosts on this subnet. The network prefix /21 indicates that the first two octets and five bits in the third octet are reserved for the subnet ID. The lowest order bit of the five bits in the third octet represents an increment of 8 for the subnet IDs. The valid subnet IDs include 8, 16, 24, 32, 40, and 48. The range of addresses from 172.16.32.1 to 172.16.39.254 are valid host IDs for the subnet 172.16.32.0/21. The range of addresses from 172.16.32.1 to 172.16.35.254 are valid host IDs for the subnet 172.16.32.0/22. The range of addresses from 172.16.32.1 to 172.16.47.254 are valid host IDs for the subnet 172.16.32.0/20. The range of addresses from 172.16.32.1 to 172.16.63.254 are valid host IDs for the subnet 172.16.32.0/19.

You define a pool of addresses to be assigned to DHCP clients on the local network on the Address Assignment tab of the Properties dialog box of NAT. The DHCP allocator service of NAT manages the assignment of addresses from this pool. You use the Properties dialog box of the internal NAT interface to define it as an internal interface. You use the Properties dialog box of the RRAS server to define if it is enabled as a router or remote access server (or both), to configure the logging level, and to configure parameters for remote connections. You define the pool of Internet Protocol (IP) addresses to be assigned to remote access clients on the IP tab of the Properties dialog box of the RRAS server. You use the Properties dialog box of the DHCP Relay Agent to define the address of the DHCP server to which requests for IP addresses should be sent.

ICMP traffic cannot be filtered using TCP/IP filtering. You restrict ICMP traffic by defining RRAS packet filters. The IP protocol number for ICMP is 1. You can use TCP/IP filtering to filter IGMP traffic. The IP protocol number for IGMP is 2. You can use TCP/IP filtering to filter all TCP traffic or to filter traffic destined for specific TCP ports. The IP protocol number for TCP is 6. You can use TCP/IP filtering to filter all UDP traffic or to filter traffic destined for specific UDP ports. The IP protocol number for UDP is 17. The numbers associated with each protocol are defined in the file \system32\drivers\etc\protocol. The ports defined for each service are defined in the file \system32\drivers\etc\services.

The route that is learned by the preferred routing protocol is used. You define a preferred routing protocol by configuring a preference level. This is done in the Routing and Remote Access console from the Properties dialog box of the IP Routing\General node on the Preference Levels tab. The path from the source with the lowest value in the rank field on the Preference Levels tab is chosen. If there are multiple routes learned by each routing protocol, the route with the lowest metric for that protocol will be the route that is included in the IP routing table. Since the definition of a metric varies with each routing protocol, the metric is not the determining factor when comparing routes learned from different protocols. The route that was learned from RIP is chosen only if RIP is configured as the preferred routing protocol. The route that was learned from OSPF is chosen only if OSPF is configured as the preferred routing protocol.

You can configure the option to use a DHCP server and specify the local area connection to use for the DHCP requests from the Properties dialog box of the remote access server in the Routing and Remote Access console. This is configured on the IP tab. You can also use this tab to configure a pool of addresses to be managed by the remote access server instead of using DHCP. You cannot configure these choices from the Properties dialog box of the local area connection in Networking and Dial-Up connections. You use this dialog box to configure the settings for services enabled on the local area connection. You use the Configure option for the remote access modem in the Properties dialog box of the Port node in the Routing and Remote Access console to enable the modem for remote access and define a phone number for the modem. You use the IP tab of the Properties dialog box of the remote access profile configured for each remote access policy that you create to designate if the remote access server must supply an address or if the client can request an address.

You should enable support only for IP protocol number 47, which is Generic Routing Encapsulation (GRE), and TCP port 1723, which is reserved for PPTP. The Encapsulating Security Payload (ESP) is IP protocol number 50. The Open Shortest Path First (OSPF) routing protocol is IP protocol number 89. TCP port 1701 is used for Level 2 Tunneling Protocol (L2TP) traffic. UDP port 500 is used for Internet Security Association and Key Management Protocol (ISAKMP).

You should stop the Routing and Remote Access service. When this is done, the addresses obtained from the DHCP server will be released. However, this will also disconnect those who are currently using a remote access connection. The addresses will not be made available if there are no remote access clients connected, so having those who are currently using remote access disconnect will not make the addresses available. Disabling the modem being used for remote access will not make the addresses available. The command "ipconfig /release" can be used to release the current Internet Protocol (IP) address of the remote access server, but it cannot be used to release all addresses currently in use by the Routing and Remote Access service.

Records obtained by a DNS server from a WINS server will be marked as authoritative. These records are stored in the cache of the DNS server, not in a zone. The Time-to-Live (TTL) value of the records obtained from a WINS server is decreased while the records are in cache. Therefore, if a record returned from an nslookup query is marked as authoritative but the TTL decreases on subsequent queries, the information for the record came from a WINS server.

You should use the Advanced Settings option in the Advanced menu in Network and Dial-Up Connections to configure the order in which network providers should be accessed. On the Provider Order tab, you can move the desired Network Provider and Print Provider to the top of each list. You use the Properties dialog box of the network adapter card to enable or disable support for each installed service or protocol. You use the Properties dialog box of NWLink in the Properties dialog box of the network adapter card to define the Internal Network Number and the Frame Type for NWLink. You use the Properties dialog box of the GSNW icon in the Control Panel to create gateways from the Windows 2000 server to NetWare servers and to configure the properties of the Client Services for NetWare component of GSNW.

You should use the WINS console to define a backup path on the General tab in the Properties dialog box of the WINS server. Once you define a path, WINS will automatically back up the database every three hours. You can also select an option on the General tab to back up the database when the server shuts down. You use the jetpack utility to compact the WINS database, not to back it up. The Windows 2000 Backup utility does not include a configuration option to specify that the WINS database should be backed up. You can use it to define a backup set that contains the WINS database file, which is stored by default in \system32\wins\wins.mdb. You configure a WINS replication partner for a WINS server to ensure that entries registered in the database of either partner are available in the database of the other partner. You should not restore the full database from one server to the other server, though.

You should enable the option "Translate TCP/UPD headers (recommended)" in the properties of the router interface for NAT. This enables the router to do TCP port and UDP port translation. You use the properties of the NAT protocol to enable event logging, define how long TCP and UDP mappings should be kept, allow applications on internal computers to communicate with Internet-based applications, and to allow the computer running NAT to offer Dynamic Host Configuration (DHCP) and Domain Name System (DNS) services. You use the Static Routes node to add entries to the Routing Table. You use the properties of the server running NAT to enable the computer as a router or remote access server (or both), to configure the protocols supported for both routing and remote access, to enable the Point-to-Point Protocol (PPP) options, and to set the logging level.

You use the Network Connection wizard to configure inbound connections for computers running Windows 2000 Professional or those running Windows 2000 Server that belong to a workgroup rather than a Windows 2000 domain. You use Routing and Remote Access to configure inbound connections for computers running Windows 2000 Server that belong to Windows 2000 domains. You use Add/Remove Programs to add a number of networking services, but not to add support for remote access. You use Phone and Modem Options in the Control Panel to configure the properties of the modem devices that are used to host inbound and outbound connections.

Even though you export and then delete the certificate and the associated private key for the recovery agent, there is still a recovery policy defined. Therefore, users will be able to encrypt and decrypt files. You will not be able to decrypt files until you import the certificate and key using the Certificates console. If there is an empty recovery policy, that is, there are no recovery agents defined, users will not be able to encrypt or decrypt files.

You should implement Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), since it provides the most secure form of authentication that can be used for dial-up connections from Windows NT 4.0 and Windows 9x clients. It also allows the client and server to encrypt data using Microsoft Point-to-Point Encryption (MPPE). The Password Authentication Protocol (PAP) is the least secure protocol listed due to its use of clear-text passwords. Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP), also known as CHAP, does not support data encryption. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), supports authentication of Windows NT 4.0 and Windows 98 clients for VPN connections, but not for dial-up connections.

You should configure domain passwords to be stored using reversible encryption and then reset passwords for the users who will use CHAP. You can configure the ability to store passwords using reversible encryption either by setting this option in each user's account or by enabling it in the Password Policy of a Group Policy Object (GPO) that is linked to the domain to which the user accounts are assigned. You add the group Everyone to the "Pre-Windows 2000 Compatible Access" domain group to allow computers running Windows NT 4.0 Server to access information in Active Directory. You do not need to take this step to enable support for CHAP. You should not enable the Guest account because this will provide unauthenticated access. Although CHAP is not as secure as the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), it is an authentication protocol and a user must have a valid user account and password to be authenticated. You select the option "Do not require Kerberos preauthentication" if the account object uses a different implementation of Kerberos than Windows 2000 uses.

You should enter the subnet mask 255.255.224.0. This subnet mask is used to define the subnets 10.5.0.0, 10.5.32.0, 10.5.64.0, 10.5.96.0, and so on, in increments of 32. The host addresses supported on the subnet 10.5.64.0 are 10.5.64.1 through 10.5.95.254. The host addresses supported on subnet 10.5.64.0 with the subnet mask 255.255.192.0 are 10.5.64.1 through 10.5.127.254. The host addresses supported on subnet 10.5.64.0 with the subnet mask 255.255.240.0 are 10.5.64.1 through 10.5.79.254. The host addresses supported on subnet 10.5.64.0 with the subnet mask 255.255.248.0 are 10.5.64.1 through 10.5.71.254.

You should configure the address of the preferred DNS server in the TCP/IP properties of the Local Area Connection. A resolver sends DNS queries to a DNS server. The DNS resolver on a computer running Windows 2000 is part of the DNS client service. The DNS client service is installed when TCP/IP is installed. This service uses the System account by default and runs as part of the process services.exe. You do not have to install the DNS Server service on a computer to enable the resolver component. DNSUpdateProxy is a new group used in Windows 2000. If a DHCP server that is a member of this group registers a host record (A record) in DNS for a client, the next authenticated account that is not a member of DNSUpdateProxy that accesses the DNS record object is assigned ownership of the record.

You should use the Address Pool tab of the Properties dialog box of the NAT interface External. On this tab, you first add the public addresses. You then reserve a specific public address for the private address of each computer that has a service that you want to make available from the Internet. You use the Properties dialog box of the interface to the local private network to define it as an internal interface. You use the Properties dialog box of NAT to define the logging level, the length of time to keep TCP and UDP mappings, applications on the Internet that should be available to internal users, and whether or not address assignment and name resolution services should be provided by NAT. You use the properties dialog box of the remote access server to define whether it is enabled as a router or a remote access server (or both) and to configure the logging level and parameters for remote connections.

You should start the IPSec Policy Agent service. When you start this service, the agent will automatically start the ISAKMP/Oakley service. The policy agent is responsible for retrieving the IPSec policy from Active Directory or the registry and sending policy information to the IPSec driver and the ISAKMP/Oakley service. Starting the IPSec driver will not enable you to start the ISAKMP/Oakley service. When you start the IPSec Policy Agent, it will start the IPSec driver automatically. You do not have to create an IPSec policy to start the ISAKMP/Oakley service. The IPSec services can run even if no IPSec policy is assigned. You do not have to install an IPSec certificate on the computer to start the ISAKMP/Oakley service. An IPSec certificate is one of the authentication mechanisms that can be used for authentication by an IPSec policy rule. You can also use Kerberos or a pre-shared key.

The computer Mktg5laptop will use DNSremote as its DNS server. Configuration parameters defined in a client reservation supercede server-level, scope-level, and user-class options. Configuration parameters defined in options for a user-class supercede those defined at a server level or a scope level. Configuration parameters defined in options for a scope supercede those defined at a server level. Configuration options defined at the server level apply to all clients that receive leases from that server unless the options are superceded at the scope, user-class, or client level.

You should set the node type option (option code 46) for the scope to H-node (hybrid - 0x8). If an H-node client does not have an IP address for a NetBIOS name that is referenced by an application, the client first attempts to contact its configured name server to resolve a name. If the name server cannot resolve the name, the client attempts to resolve the name using a broadcast. To insure that WINS clients contact the WINS server before doing a broadcast, you should configure the node type to H-node. You configure the node type as B-node (broadcast - 0x1) if you want clients to use a broadcast but not attempt to contact a name server to resolve a NetBIOS name. You configure the node type as P-node (peer - 0x2) if you want clients to attempt to contact a name server to resolve a NetBIOS name but not to use a broadcast to resolve the name. You configure the node type as M-node (mixed - 0x4) if you want clients to first issue a broadcast to attempt to resolve a NetBIOS name and then attempt to contact a name server if the name is not resolved using a broadcast.

The most likely reason that the policy is still in effect is that you did not unassign the policy before deleting it. If a policy is assigned but the IPSec Policy Agent cannot find the policy, it will use its cached copy of the policy. Restarting the IPSec Policy Agent or using Secedit to refresh the GPO will not change this behavior if the policy is deleted before being unassigned. Once you unassign the policy, the Winlogon service will detect this during its next check for changes to Group Policy. By default, this check is done every 90 minutes. The Winlogon service will then notify the IPSec Policy Agent that the IPSec policy has been unassigned, and the policy agent will discontinue using the policy. You use the IP Security Monitor (ipsecmon.exe) to view IP Security associations and IPSec statistics.