Windows 2000 Network Infrastructure

Only SandraSmith can authorize DHCP and RIS by default. A user account must be a member of the Enterprise Admins group in the forest root domain to authorize both the DHCP and the RIS services in Active Directory. The Enterprise Admins group exists only in the forest root domain. You cannot authorize a DHCP or RIS server in Active Directory if your user account is a member of the Domain Admins group in any domain in the forest if your account is not also a member of the Enterprise Admins group in the forest root domain. You cannot authorize a DHCP or RIS server in Active Directory if your user account is a member of the Administrators group on the DHCP or RIS server if your account is not also a member of the Enterprise Admins group in the forest root domain. A member of the Enterprise Admins group can delegate the authority to authorize DHCP and RIS servers to another group or to a specific user account.

Microsoft SQL server supports full clustering (also called server clusters). Server clustering is only available on Windows 2000 Advanced Server and Windows 2000 Datacenter server. The main task of a server cluster is to preserve access to data at all times. In order to participate in a server cluster, the application must be able to make use of the clustering API. Not all applications have this capability. Computers that participate in server clusters frequently share the same hard drive system. The company's implementation calls for the use of Windows 2000 Advanced Server. Advanced Server can only cluster between two computers.Windows 2000 Help, Search for the articles entitled: Business scenarios; Planning your groups; Windows Clustering; and Choosing applications to run on a server cluster.

The fact that it needs to be upgraded is obvious. However, remember during the test to try to answer questions more specifically. Why does the network need to be upgraded? Two of the most important reasons are that it is virtually impossible to manage and that its performance is poor. In addition, the background information provided by the company makes it very clear that access to information is a matter of life or death. Despite this, currently a doctor working at a satellite center may not have access to the records that they need at the main hospital because the network is not integrated.

Multiple proxy servers can be combined to form a Proxy Array. Proxy Arrays have many advantages over stand alone proxy servers, including increased performance.

You should ensure that the registry value NegativeTimeCache in the key HKEY_Local_Machine\System\CurrentControlSet\Services\DNSCache\Parameters is set to a value greater than zero. The maximum setting for this value is 900 seconds (15 minutes). This feature is referred to as negative caching. This feature helps to minimize the number of queries submitted to resolve a name that cannot be found. You set the Retry time in the Start of Authority record for a zone to define the number of seconds that a secondary name server will wait before it attempts to retry a zone transfer that has failed. You set the Expire time in the Start of Authority record for a zone to define the number of seconds that a secondary name server will continue to respond to client queries even if it cannot complete a successful zone transfer from its master name server. You use the cache.dns file to define the Internet Protocol (IP) addresses of root name servers. This file does not contain a time value.

You should insure that latency is minimized for authentication traffic. Since additional communication cannot occur until the authentication completes, you want to optimize performance for authentication. One way to do this is to ensure that servers providing authentication services, such as domain controllers, communicate with computers requesting authentication services over a local area network (LAN) rather than a wide area network (WAN). One of the key issues that should be addressed when implementing Active Directory is the placement of domain controllers. Other examples of latency sensitive traffic are logons and negotiations required to provide encryption services. Thin client applications, web based applications, and client server applications are examples of traffic that are sensitive to bandwidth issues rather than to latency issues. Communications that are sensitive to bandwidth constraints involve the transfer of large amounts of data, often in one direction, with only acknowledgement traffic flowing in the opposite direction.

You must enable support for Authentication Header (AH) traffic (IP protocol 50), Encapsulating Security Protocol (ESP) traffic (IP protocol 51), and Internet Security Association and Key Management Protocol (ISAKMP) traffic (UDP port 500). AH is used to insure data integrity. ESP is used to provide data encryption. ISAKMP is used to negotiate the keys that are used for a security association. UDP port 139 is needed to support the NetBIOS session service. IP protocol 47 is used for Generic Routing Encapsulation (GRE) traffic. TCP port 389 is used for Lightweight Directory Access Protocol (LDAP) traffic. 2.1.7. Evaluate the company's existing and planned technical environment and goals. Analyze security considerations. 4.1. Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, web server, or mail server.

You could combine WINS and the DHCP relay agent services with a low to medium level of impact on the memory and processor subsystems of a server. Both services have low memory requirements. The WINS server service has a low level of processor utilization. The relay agent has a medium level of processor utilization. Both NAT and IPSec require a high level of processor utilization. NAT also has a high level of memory utilization. DHCP and a remote access server both require a high level of processor utilization. A remote access server also has a high level of memory utilization. IAS and the DNS server service both require a high level of memory utilization.

You should configure the IPSec policies to use Message Digest 5 (MD5), the 56-bit Data Encryption Standard (DES), and Diffie-Hellman Group 1. These settings will provide protection for the data with the least impact on your processors. To minimize processor overhead for authentication, you should use MD5 instead of the Secure Hash Algorithm (SHA). MD5 uses 128-bit key while SHA uses a 160-bit key.

To minimize processor overhead for encryption, you should use 56-bit Data DES instead of Triple DES (3DES). 3DES uses a 128-bit key. To minimize processor overhead for the exchange of keys, you should use Diffie-Hellman Group 1 instead of Group 2. Group 1 uses 768 bits and Group 2 uses 1024 bits.

You should configure External in IGMP proxy mode and Internal in IGMP router mode. An interface in IGMP proxy mode is responsible for forwarding multicast traffic from an interface configured in IGMP router mode to and from a multicast-enabled network. An interface in IGMP router mode listens for IGMP traffic from hosts and sends IGMP queries. Both types of interfaces update the TCP/IP multicast forwarding table. You should not configure both interfaces in IGMP router mode. External, the interface that is connected to the network on which a multicast-enabled router is installed must be in IGMP proxy mode. You should not configure both interfaces in IGMP proxy mode. Internal, the interface that is connected to the internal network must be in IGMP router mode.

You should recommend that they configure the routers between the subnets on which the WINS servers are located to support multicasting. When automatic partner configuration is enabled, the WINS servers use the multicast address 224.0.1.24 to discover each other. Once the WINS servers discover each other, each pair of WINS servers are automatically configured as push and pull partners with replication occurring every two hours. The network administrators do not have to configure a WINS proxy agent on each subnet on which there is no WINS server to enable the WINS servers to discover each other. You use a WINS proxy agent to respond to name resolution request broadcasts on the subnet on which the WINS proxy agent is installed. The proxy agent forwards the request to its configured WINS server and then returns the reply to the non-WINS client that issued the broadcast.
In the situation described here the client computers are configured as WINS clients, so WINS proxy agents are not needed at all. The network administrators do not need to add the other two WINS servers as replication partners from the context menu of the Replication Partners node for each WINS server. Once the servers discover each other via multicasting, they will be automatically configured as partners. The network administrators should not create static mappings on each WINS server for the other WINS servers. You create static mappings for computers that use NetBIOS but cannot be configured as WINS clients. The static mappings ensure that applications running on computers configured as WINS clients can locate the computers that are not WINS clients.

You should implement a certificate-based authentication mechanism using the Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols. You can associate each client certificate with a specific Windows 2000 user account. You can create a security group in Windows 2000, include the appropriate user accounts in the security group, and configure access control entries (ACEs) in the access control list (ACL) that governs access to each resource. The client and server certificates can be granted by a Windows 2000 Certificate Authority (CA) or by an external CA. You should not use Integrated Windows Authentication since it is only supported by Internet Explorer. Integrated Windows Authentication supports both Kerberos and Windows NT Challenge/Response authentication. Kerberos is supported by Internet Explorer 5.0 and above. Kerberos can work across a firewall.
Windows NT Challenge/Response is supported by Internet Explorer 3.01 and above and cannot be used across a firewall. You should not use Digest authentication because it is only supported in InternetExplorer 5.0 and later. It does support authentication across a firewall. You should not use Basic Authentication because it does not protect passwords exchanged during the security negotiation process. With Basic Authentication, a password is encoded but not encrypted. Basic Authentication does work with most web browsers. Basic Authentication does work across firewalls.

You should configure RIP for autostatic update mode on the demand-dial interfaces. Autostatic update mode is the default configuration for demand-dial interfaces. In this mode, the routers exchange routes only when initiated by an administrator. You initiate an update by selecting "Update routes" from the context menu of the demand-dial interface in the General node of the IP Routing node in the Routing and Remote Access console. You can also create a batch file that uses the netsh utility to execute autostatic updates, and then use Task Scheduler to run the batch job periodically. You should not configure RIP for periodic update mode on the demand-dial interfaces. Periodic update mode initiates RIP updates every 30 seconds. This mode generates too much traffic for a demand-dial interface. In a mixed-mode domain, you cannot configure a static route on a user account. In a native-mode domain, this attribute is available on the Dial-in tab of the Properties dialog box of a user account. This attribute is used to define static routes for a demand-dial connection. You enable ICMP router discovery to allow a computer running Windows 2000 Professional or Server to detect routers on the same subnet as the computer. If a default gateway is not configured for a host or the configured default gateway is not available, the host can send a router solicitation message to discover a router to use as a default gateway.

You configure tunnel mode by configuring the properties of a rule defined for an IPSec policy. On the Tunnel Setting tab you enable the option "The tunnel endpoint is specified by this IP address" and designate the address to be used. You use the General tab of the Properties dialog box of an IPSec policy to configure settings for key exchange. IPSec policies are managed in a Local Security Policy or a Group Policy Object (GPO). An IPSec policy must be assigned in the Local Security Policy or the GPO to make it the active policy. You use the Properties dialog box of a filter used by a rule in an IPSec policy to configure addresses, protocols, and ports for which traffic will be allowed. You use the Properties dialog box of an interface defined for demand-dial routing to enable the interface for IP routing, to enable router discovery, to configure input and output filters, and to configure multicast settings. The demand-dial routing interface is managed from the General node of the IP Routing node in the Routing and Remote Access console.

You can use 172.20.32.0/19 and 172.20.128.0/19. The private network identifier (ID) being used in this scenario is 172.16.0.0/12. As implemented in this design, 7 bits are being used to divide the network ID into subnets. Each subnet must be represented by a unique value in those 7 bits. Since all of the proposed answers include the value 20 in the second octet, we need to analyze the third octet. In the third octet, three bits are being used for the subnet ID. The remaining 5 bits in this octet and the 8 bits of the fourth octet are used for the host IDs on each subnet. The three bits in the third octet can be any of the following values: 32, 64, 96, 128, 160, or 192. The value 172.20.40.0/19 is a host ID on the 172.20.32.0 subnet. The value 172.20.88.0/19 is a host ID on the 172.20.64.0 subnet. The value 172.20.144.0/19 is a host ID on the 172.20.128.0 subnet.

The company is moving from a centralized to a decentralized management model. We know from the background information that centralized management proved impractical because of the size and geographic distribution of the network and that these factors made the network very difficult to both manage and monitor. By identifying different levels of network administrators, the company hopes to bring the network under control.

You should recommend that FPNW be installed on the computer running Windows 2000 Server. This product can be purchased as part of Services for NetWare version 5. With FPNW installed, a computer running Windows 2000 Server can emulate a NetWare 3.12 file and print server. No changes are required on the client computers to access the shared resource on the Windows 2000 server. You use GSNW to allow computers running a Windows operating system and a Microsoft network client to access resources on a computer running NetWare via a computer running Windows 2000 Server and GSNW. After installing GSNW on the server, a gateway must be defined to allow access to a shared resource on a NetWare volume. The gateway is then shared to allow access by Microsoft clients, so it appears to the client computers as if they are accessing the resource on the Windows 2000 server. MSDSS is another component of Services for NetWare version 5. You use MSDSS to synchronize information between Active Directory and Novell Directory Services (NDS). You use DSMN to synchronize information between Windows NT Server 4.0 domain controllers and NetWare bindery servers. DSMN can be purchased as part of the Microsoft Services for NetWare Add-on Pack.

Remember that the company does not have a lot of money to spend on servers. Because of this, clusters are out of the question for DHCP. With clusters excluded, the best option is to place a DHCP server on each subnet that has clients located on it. If the local DHCP server does go down for some reason, clients will be able to obtain address leases from another DHCP server on the network. This is possible because every DHCP server has address scopes configured on it for every subnet on the network. In order to obtain addresses from a DHCP server that was not local, the routers connecting the subnets will need to have BOOTP forwarding enabled or DHCP relay agents would need to be in use on the network.Windows 2000 Help, Search for the articles entitled: DHCP servers; DHCP defined; Planning DHCP networks; BOOTP and DHCP; Understanding relay agents; Understanding DHCP; Configuring scopes; To exclude an address from a scope; Cluster support for DHCP servers; and TCP/IP configuration methods.

You should insure that the network administrators define the interfaces on each router that should use RIP. When you install RIP, no interfaces are configured by default to use RIP. You do not have to instruct the network administrators to delete all static routes on each router. You do not have to instruct the network administrators to configure the IP address of other routers connected to a common segment as default gateways. If you have only two computers running Windows 2000 that are configured as routers, you do not need to use RIP. Instead, you can configure the default gateway on the interface on the common segment with the IP address of the other router's interface on the common segment. You do not need to instruct the network administrators to enable router authentication. If you do enable authentication on an interface, you must configure other routers that make announcements to that interface to use authentication and you must configure the same passwords on the routers. Router authentication is used primarily for identification of other RIP-enabled routers. Before you can enable router authentication, you must define the interfaces that should use RIP.

The company mentioned Security and high availability as high priorities. To this end, Active Directory integrated DNS zones have many advantages over standard zones. Once converted, the zone information is stored in Active Directory, not zone files. Transfer of zone information takes place as part of Active Directory replication and is therefore encrypted. Zone information can be updated on any domain controller that is also acting as a DNS server, rather than just the Primary server when using standard zones. In essence, all Active Directory integrated DNS servers function as Primary servers. Finally, a major benefit of Active Directory integrated zones is their support for secure dynamic updates. This ensures that only the system that registered a given resource record in DNS can alter or delete the record. It prevents unauthorized computers or users from altering DNS records.Windows 2000 Help, Search for the articles entitled: Namespace planning for DNS; DNS domain names; Checklist: Deploying DNS for Active Directory; Understanding DNS integration; Interoperability issues; and Dynamic update.

Two items stand out from the list of possible answers. The first is that the company stressed the fact that it had very little money to spend on the project. The second is that everything currently revolves around access to the mainframe. An interruption in access to the data the mainframe contains could seriously affect the business.

A proxy server can cache web content locally. For example, when a client that is configured to access the Internet or a website on an Intranet attempts to access a webpage, the proxy server goes out on behalf of the client and obtains the page. It then caches it and returns the page to the user that requested it. When another user requests the page, it is returned from cache. Because the page was in cache, it did not need to go out and access the Internet again, thus reducing bandwidth. Proxy servers can also be used to control which websites are accessible. It can do this for all users or for specific groups of users.

Remember that the company will require its partners to only dial in from Windows 98 and 2000 clients. Both of these clients support the highest level of Windows security for authentication, MS-CHAP version 2. Because security is critical, no other authentication protocol should be allowed. Due to the sensitive nature of the data, it would also be best to strongly encrypt the data that passes over the wire. This is supported by dial-in clients using MS-CHAP and MS-CHAPv2.The above solution is preferable to a VPN. VPN's are designed to be used over the Internet or other persistent forms of connection. Because the partners will be directly dialing into the network, a VPN is not necessary. In addition, IPSec is supported by Windows 2000, but not Windows 98. If all of the dial in clients were Windows 2000 clients, it would be the strongest method of data encryption available.Windows 2000 Help, Search for the articles entitled: MS-CHAP version 2; MS-CHAP; Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2); Dial-up networking clients; PAP; Password Authentication Protocol (PAP); SPAP; Shiva Password Authentication Protocol (SPAP); Authentication methods and protocols; Authentication methods; EAP; Extensible Authentication Protocol (EAP); Using smart cards for remote access; and Dial-up connection authentication and data encryption.

Resources will be made available from servers, not clients. Therefore, it is not necessary for clients to register with DNS. Because both WINS and DNS will be made available on the network, clients and servers should be configured to use each for name resolution. A client does not need to have registered a DNS record in order to query the DNS database. A client does, however, need to have registered a record in WINS in order to be able to query WINS for the address of server. Although all clients and servers on the network will be running Windows 2000 post implementation, the hospital could use both methods of name resolution to increase its name resolution fault tolerance. In addition, older Windows clients will be connecting from the medical office building that use WINS for name resolution. Servers will need to be configured to register with DNS so that their records will be available for DNS clients on the network.Windows 2000 Help, Search for the articles entitled: Planning WINS networks; WINS defined; When to use WINS; WINS; Checklist: Deploying DNS for Active Directory; Understanding DNS integration; Interoperability issues; and Dynamic update.

You should recommend that the network administrators install TCP/IP and NWLink on the remote access servers. A remote access server acts as a gateway between clients and other servers on a network as long as the remote access server has at least one protocol in common with the client and one protocol in common with the servers. The network protocol that is used to communicate with the client can be a different protocol from the one used to communicate with another server.
A best practice is to minimize the number of protocols installed on each computer, since each protocol on a computer incurs its own overhead. You should not recommend that TCP/IP be installed on all of the servers, since the remote access server can act as a gateway between the protocol on a client and the protocol on a server. You should not recommend that NWLink, in addition to TCP/IP, be installed on all of the laptop computers, since the remote access server can act as a gateway between the protocol on a client and the protocol on a server. You should not recommend that support for multilinking be enabled for the remote access servers to enable access to the other servers on the network. Multilinking provides the ability for a client to use multiple physical connections to the remote access server as a single logical connection. The client uses a network protocol across the logical connection that it has in common with the remote access server.

Because the company has a very small number of routers and segments, there is no reason to use dynamic routing protocols. Such protocols would only introduce unnecessary traffic onto the network. It is a simple matter to configure the routers statically when there are so few of them. Windows 2000 Help, Search for the articles entitled: Routing overview; IP routing protocols; OSPF; OSPF design considerations; The OSPF environment; Deploying OSPF; RIP for IP; RIP-for-IP design considerations; Deploying RIP for IP; The RIP-for-IP environment; The static routed environment; Static routing design considerations; and Deploying static routing.

The company is currently using a Class B address which means that the first 16-bits of the subnet mask are taken. This means that the last two octets are available for further subnetting. A 24-bit subnet mask will provide you with the most subnet and host range flexibility while maintaining consistency with all of the background information provided in the design.Windows 2000 Help, Search for the articles entitled: Numbering your network; Routing overview; Subnet masks; IP addressing and routing; IP addressing; IP routing; Understanding routing; and Routing scenarios.

Records obtained by a DNS server from a WINS server will be marked as authoritative. These records are stored in the cache of the DNS server, not in a zone. The Time-to-Live (TTL) value of the records obtained from a WINS server is decreased while the records are in cache. Therefore, if a record returned from an nslookup query is marked as authoritative but the TTL decreases on subsequent queries, the information for the record came from a WINS server.

The SQL server databases hold all patient information. Interruptions in access to these servers could seriously hamper patient care. For this reason, client/server application access interruptions pose the most significant risk during project implementation.

You can use superscopes to support the existing addresses as well as migrate to the new addresses. A superscope allows you to combine two or more scopes for a physical network segment into a single scope. Typically, you would configure the existing scope, in this case the one that is using addresses from the public range, with a short lease so that these leases expire. You then deactivate the scope. After the clients obtain addresses from the new scope, the original scope can be deleted. Supernetting allows you to consolidate multiple consecutive IP network identifiers into a single entry to be included in a routing table. Variable length subnet masks allow you to implement a subnet addressing scheme that uses a variable number of bits for the host identifiers on different subnets. APIPA is used by a computer when it is configured as a DHCP client but cannot locate a DHCP server. APIPA addresses are in the range 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. Computers using APIPA addresses can only communicate with other computers using APIPA on the same subnet.

You should enable support only for IP protocol number 47, which is Generic Routing Encapsulation (GRE), and TCP port 1723, which is reserved for PPTP. The Encapsulating Security Payload (ESP) is IP protocol number 50. The Open Shortest Path First (OSPF) routing protocol is IP protocol number 89. TCP port 1701 is used for Layer 2 Tunneling Protocol (L2TP) traffic. UDP port 500 is used for Internet Security Association and Key Management Protocol (ISAKMP).

The route that is learned by the preferred routing protocol is used. You define a preferred routing protocol by configuring a preference level. This is done in the Routing and Remote Access console from the Properties dialog box of the IP Routing\General node on the Preference Levels tab. The path from the source with the lowest value in the rank field on the Preference Levels tab is chosen. If there are multiple routes learned by each routing protocol, the route with the lowest metric for that protocol will be the route that is included in the IP routing table. Since the definition of a metric varies with each routing protocol, the metric is not the determining factor when comparing routes learned from different protocols. The route that was learned from RIP is chosen only if RIP is configured as the preferred routing protocol. The route that was learned from OSPF is chosen only if OSPF is configured as the preferred routing protocol.

The company has mandated that their name space be contiguous with their root DNS name. However, their root DNS name is hosted on a BIND server that does not support Active Directory integrated zones. The version of BIND in use by the company does support the use of service (SRV) records. Because of this, it could technically support Active Directory. However, in the background information, the company specifically states that the DNS servers for Active Directory must support multimaster operations. This means that DNS resource records must be able to be updated on any of the DNS servers that support Active Directory. The only zone type that supports this is Active Directory integrated which, again, BIND does not support.Because of this, the root DNS name cannot be used for the forest root and a subdomain (ad) must be used instead. This domain will also double as the domain for headquarters. All other domains will be child domains of the Active Directory root domain, d.Windows 2000 Help, Search for the articles entitled: Namespace planning for DNS; DNS domain names; Checklist: Deploying DNS for Active Directory; Understanding DNS integration; Interoperability issues; and Dynamic update.

DFS is used to make it easier for users to locate files. Rather than having to search through My Network Places and look on several different servers to locate the shared folder that they need, users can access shares in a central location. One benefit of DFS is that it can be used to present a consistent location for client resources access over time. For instance, you may occasionally add and remove servers from the network. As you do so, users will need to be informed of where the resources they use are currently located and locate them.Although this does not seem like a big deal for people with experience in computers, it can be quite difficult for those with less experience. It certainly causes users to have to take time away from their standard work duties to locate the resources. DFS is designed to solve this problem. Using DFS, administrators can create a share that has pointers in it to all of the other shared folders on the network. These pointers appear as folders to clients, and are called child nodes or links. When servers are added and removed from the network, administrators update the pointers. Users still access the information from the same share point that they have always used, so the process is seamless for them.
Child nodes can take advantage of DFS technology to be more fault tolerant. They can also work with Active Directory to produce increased performance. When a child node is first defined, it consists of a pointer to a single share somewhere on the network that contains resources that the network administrator wants to make available using DFS. For fault tolerance purposes, additional locations can also be defined for the client node to point to. These additional locations are referred to as replicas. If the administrators wish, these locations can have their resources synchronized. The proper term for this in DFS is replication. Because DFS is a file system technology, when we talk about resources we are essentially referring to files. Thus when we talk about resource synchronization, we are really referring to a file replication process.In addition, DFS can integrate with Active Directory to examine where the user is attempting to access the resource from, and direct the user to a server that is located near them. In this way, the user may not be required to cross WAN links that can drive up the cost of resource access, and lower performance for the user.For instance, let's say that there are several shares on the network that contain a marketing spreadsheet. Each department is assigned a different server to access the file from. By using DFS, and administrator can create a central share point that all these users will access the resource from. DFS will contain a child node with several replicas that point to the different locations on the network that the file is located. When a user from accounting logs in to examine the file, DFS will examine where the user is coming from and attempt to locate a server near by that contains the file.
For purposes of the example, we will say that one of the replicas is a share in the accounting department, and that the user not only examines the file but also changes some of the data in it and saves it.If a user from marketing next attempts to access the file, that user will also be pointed to a replica that is near them. Again, for example purposes, we will say that there is a server in marketing that has a share with the file in it. The user will be directed to the server located near them to get the resource from. In addition, because the file contains data that is updated by people in several locations, the administrator would need to have set up synchronization so that the version of the file that was just updated on the accounting file server is available on the marketing file server when next requested.The DFS root server is the first server that contains the central share that is accessed on the network. This is the share that all users initially access. It contains the pointers to the other resources. It is possible to have replicas of the root in order to increase fault tolerance and speed up access to this top level share. Because of its importance, the root server should be located at the central hospital building. However, to increase fault tolerance and speed up performance for resource access, a replica server can be placed in each of the medical centers.Windows 2000 Help, Search for the articles entitled: Distributed file system overview; Distributed file system features; Distributed file system topology; Distributed file system topology; Platform compatibility; and Using the Distributed File System (Dfs).

You can use 190.6.32.1 to 190.6.39.254 for the host IDs. A subnet mask of 255.255.248.0 indicates that 21 bits are used for the subnet ID. The five bits of the third octet that can be used to define subnet IDs allow the use of 8, 16, 24, 32, 40, 48, etc., as subnet IDs. The subnet ID of 190.6.32.0 can be used to assign host IDs ranging from 190.6.32.1 to 190.6.39.254. Addresses that are assigned to the interface of the router on the new subnet and to the DHCP server should be excluded from the scope. A subnet ID of 190.6.32.0 with a subnet mask of 255.255.255.0 defines addresses in the range 190.6.32.1 to 190.6.32.254. This allows 24 bits for the subnet ID and 8 bits for the host IDs. A subnet ID of 190.6.32.0 with a subnet mask of 255.255.240.0 defines addresses in the range 190.6.32.1 to 190.6.47.254. This allows 20 bits for the subnet ID and 12 bits for the host IDs. A subnet ID of 190.6.32.0 with a subnet mask of 255.255.224.0 defines addresses in the range 190.6.32.1 to 190.6.63.254. This allows 19 bits for the subnet ID and 13 bits for the host IDs.

You should enable the Affinity feature. This feature is also referred to as the Sticky Sessions feature. This feature ensures that requests from a specific client are directed to the same server for consistency. You enable multicast support if you want the Media Access Control (MAC) address of the cluster to be converted to a multicast address. With this enabled, the Address Resolution Protocol (ARP) can resolve the multicast address correctly. You should configure the load weight to govern the percentage of traffic that a specific host in the NLB cluster should handle for a specific port rule. You should set the filtering mode to single host if you want all traffic defined for a specific port rule to be managed by a single host rather than just the traffic for a specific client session for the port rule.

You should add the computer accounts for both DHCP servers to the group DNSUpdateProxy. When DNS records are created by members of this group, the records have no security. Therefore, neither of the DHCP servers is assigned ownership of the records, and either DHCP server can update DNS records created by the other DHCP server. You should not create a reservation for each of these clients on both DHCP servers. If the servers are not members of the group DNSUpdateProxy, the server that assigns the initial lease to a client will own the DNS record that it creates and the other DHCP server will not be able to update the DNS record. You should not add the computer accounts group does not have the ability to update DNS records.
When you set up two DHCP servers to provide addresses for the same subnet, you create a scope on each DHCP server with the set of addresses to be managed by that server. You can expand this scope later to include additional addresses and then exclude the ones managed by the other DHCP server. However, you cannot create new scopes to define addresses managed by the other DHCP server because the address ranges with the required subnet masks will conflict with your existing scopes. You use a superscope to define multiple address ranges from different subnets in separate scopes that can be assigned to computers on the same physical segment.

Despite its central importance, Seattle has a relatively small amount of network bandwidth available to it. If any changes are going to be made to the amount of bandwidth available on the network, Seattle would be a good place to start. Regional offices don't necessarily have a great deal of bandwidth either, however they are not as critical to the design as Seattle. A mesh network is a costly and ultra high availability solution that the company does not need.

You can include the subnets 172.31.128.0/18 and 172.31.192.0/18 in Area1. With he routing protocol OSPF, an area consists of contiguous subnets that can be represented via route summarization. The network prefix "/18" indicates that the first 18 bits represent the subnet identifiers (IDs). This includes the first two bits of the third octet. The subnets that can be defined in this octet are represented in binary notation as 00000000, 01000000, 10000000, and 11000000. In decimal notation, the value of the subnet ID in the third octet can be 0, 64, 128, or 192. The address 172.31.96.0 represents a host on subnet 172.31.64.0. The address 172.31.160.0 represents a host on subnet 172.31.128.0. The address 172.31.224.0 represents a host on subnet 172.31.192.0.

Remember that the key is high availability. Under this design, the main hospital building would house the DHCP cluster. A cluster is an ultra high availability solution that is often quite costly to implement. The cluster would contain backup scopes for every subnet on the network. Each subnet would get its own DHCP server. These servers would also be configured to hand out addresses for all of the subnets on the network, but would primarily serve as the principle DHCP server for their local subnet. Finally, BOOTP compliant routers would be necessary so that clients on one subnet could successfully communicate with DHCP servers on other subnets in the event their local DHCP server became unavailable.Windows 2000 Help, Search for the articles entitled: DHCP servers; DHCP defined; Planning DHCP networks; BOOTP and DHCP; Understanding relay agents; Understanding DHCP; Configuring scopes; To exclude an address from a scope; Cluster support for DHCP servers; and TCP/IP configuration methods.

To minimize network traffic, you should configure a computer running Windows 2000 Advanced Server as a Dynamic Host Configuration Protocol (DHCP) server and a RIS server and create an image of Windows 2000 Professional and the required applications using the Remote Installation Preparation Wizard. When DHCP and RIS are installed on the same computer, the client computer need only send one DHCPDiscover message and will receive a reply with both an IP address and information about the RIS server. If DHCP and RIS are installed on separate computers, additional network traffic is required. The Remote Installation Preparation Wizard is used to create an RIPrep image of a source computer on which Windows 2000 Professional and applications are installed. The RIPrep image contains only the files and registry keys needed for the defined configuration, so there is less information to copy to a client computer than there is when using a CD-based image.

You must define both an address (A) record and a name server (NS) record for ADDns1. If you define an NS record but not an A record, you will create a broken delegation. The nslookup command can be use to verify the integrity of the zone delegation. The NS record is sometimes referred to as a delegation record, and the A record is sometimes referred to as a glue record. You use a canonical name (CNAME) record to define an alias for a host or for multiple hosts. Each of the CNAME records must refer to an A record that contains the correct IP address for the host. You must define a start of authority (SOA) record on ADDns1 for the delegated zone. You use a service locator (SRV) record to locate servers that provide a specific service such as domain controllers, global catalog servers, and Lightweight Directory Access Protocol (LDAP) servers.

You must enable ports 137/tcp, 137/udp, 138/udp, and 139/tcp. You enable ports 445/tcp and 445/udp to provide support for Common Internet File System (CIFS) communications. You enable port 389/tcp to provide support for the Lightweight Directory Access Protocol (LDAP). You enable port 161/upd to provide support for the Simple Network Management Protocol (SNMP).

Although the medical center doesn't have an excessive amount of subnets, they have strongly indicated that they want as much of the network configuration to be automated as possible. Because this is a smaller environment, RIP version 2 would be appropriate for use and would meet the automation requirements.Windows 2000 Help, Search for the articles entitleD. Routing overview; IP routing protocols; OSPF; OSPF design considerations; The OSPF environment; Deploying OSPF; RIP for IP; RIP-for-IP design considerations; Deploying RIP for IP; The RIP-for-IP environment; The static routed environment; Static routing design considerations; and Deploying static routing.

For fault tolerance purposes, the minimum number of DNS servers is always two. Designs will often require more than the minimum, however. In this case the performance and high availability needs of the network dictate that many more servers be used.

Microsoft Internet Information Server (IIS) supports load balanced clusters. Load balanced clustering is only available on Windows 2000 Advanced Server and Windows 2000 Datacenter server. Under this implementation, more than one server can be grouped together to form a load balanced cluster. If one of the servers fails or goes offline, this is detected and future client requests will be redirected to a server in the load balanced cluster that is still functioning. Any requests that are in the process of being fulfilled will fail and the client will need to resubmit the request, which will then be redirected. Under load balanced clustering, each of the computers that comprise the load balanced cluster access data from their own hard drive which may not contain the same data as hard drives in other computers of the load balanced cluster.
SQL server supports full clustering (also called server clusters). Server clustering is only available on Windows 2000 Advanced Server and Windows 2000 Datacenter server. The main task of a server cluster is to preserve access to data at all times. In order to participate in a server cluster, the application must be able to make use of the clustering API. Not all applications have this capability. Computers that participate in server clusters frequently share the same hard drive system.Windows 2000 Help, Search for the articles entitleD. Business scenarios; Planning your groups; Windows Clustering; and Choosing applications to run on a server cluster.

You should use the "migrate on" feature, which will allow dynamic updates to replace existing static records. By default, this feature is disabled and WINS preserves static entries. You use the manual tombstoning feature to insure that records that are deleted from a WINS server are not replicated back to the WINS server from which the records are deleted. You use the "block records" feature to block replication of records from inactive WINS servers, but this removes the records rather than allowing them to be updated. You use the extinction timeout to define the amount of time between a record being marked as extinct and the record being eliminated from the WINS database.

You should recommend that they configure domain passwords to be stored using reversible encryption and then reset passwords for the users who will use CHAP. You can configure the ability to store passwords using reversible encryption either by setting this option in each user's account or by enabling it in the Password Policy of a Group Policy Object (GPO) that is linked to the domain to which the user accounts are assigned. You add the group Everyone to the "Pre-Windows 2000 Compatible Access" domain group to allow computers running Windows NT 4.0 Server to access information in Active Directory. You do not need to take this step to enable support for CHAP. You should not recommend that they enable the Guest account because this will provide unauthenticated access. Although CHAP is not as secure as the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), it is an authentication protocol and a user must have a valid user account and password to be authenticated. You select the option "Do not require Kerberos preauthentication" if the account object uses a different implementation of Kerberos than Windows 2000 uses.

You should configure each WINS server in Los Angeles as push and pull partners of the other 2 WINS servers in Los Angeles, configure each WINS server in New York as push and pull partners of the other 2 WINS servers in New York, and configure NYWINS1 and LAWINS4 as push and pull partners of each other. This will keep the servers in each site up to date with each other. Allowing just NYWINS1 and LAWINS4 to exchange information will help minimize the wide area network (WAN) traffic. Also, you should configure the value of the pull interval so that replication across the WAN link does not interfere with other WAN traffic. You should not configure NYWINS1 as push and pull partners of NYWINS2, NYWINS3, and LAWINS4 and configure LAWINS4 as push and pull partners of NYWINS1, LAWINS5, and LAWINS6. This solution does not keep NYWINS2 and NYWINS3 (and LAWINS5 and LAWINS6) as up to date with each other as the first solution. You should not configure each WINS server as push and pull partners of the other 5 WINS servers as this would potentially impact the WAN link. You should not configure each WINS server in Los Angeles as a push and pull partner of a WINS server in New York with each server a partner of both other WINS servers in its city. This configuration could negatively impact the WAN link.

The company has stated that a "driving goal" of the project is increasing the manageability of the network. In addition, network downtime is rarely unacceptable. This is especially true in an environment where the company has stressed the need to use redundancy to minimize downtime. Finally, the loss of sensitive company data to network security breaches is also a serious issue.

NAT cannot process Kerberos and IPSec traffic because it cannot manipulate the IP address information properly for these protocols. IP information is stored in the encrypted portion of these packets and the IP information cannot be modified, therefore, the packets needed to negotiate security cannot pass through NAT. FTP headers contain IP address information, but a built-in NAT editor is used to modify the information stored outside of IP, Transmission Control Protocol (TCP), and User Datagram Protocol (UPD) headers. PPTP packets contain IP-related information that is stored outside of the IP, TCP, and UDP headers, but NAT includes a built-in NAT editor to modify the related information. RPC stores IP-related information outside of the IP, TCP, and UDP headers, but NAT includes proxy software to manage RPC packets.

You should install IAS on a computer running Windows 2000 Server, copy the remote access policies to the IAS server, and configure the remote access servers as clients of the IAS server. You can use the netsh command-line utility to copy remote access policies to the IAS server. IAS is Microsoft's implementation of the Remote Authentication Dial-In User Service (RADIUS). A RADIUS server provides both authentication and accounting services for remote access servers. You cannot manage remote access policies with a GPO, so you should not design a GPO and link it to the appropriate OUs. Remote access policies are stored on each remote access server or on an IAS server. You cannot manage remote access policies by using a security template to configure a remote access server. The Security Configuration and Analysis utility allows you to import templates to a security database, compare the current security settings on a computer to the database, and configure the server using the settings in the database. You should not configure all remote access clients to connect to the IAS server. A computer on which IAS is installed may not also be configured as a remote access server. IAS is a service used by remote access servers, not by remote access clients.

Since encrypted data is being transferred to and from France, you can only use the 40-bit Data Encryption Standard (DES). You can use either the Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) authentication protocols. MD5 uses a 128-bit key. SHA uses a 160-bit key. SHA provides a higher level of security but incurs more processing overhead than MD5. 40-bit DES uses a 40-bit key. 56-bit DES uses a 56-bit key. Triple DES (3DES) uses a 128-bit key. The longer the key, the more secure the data is but this data security is at the expense of additional processor overhead. You cannot transfer data into or out of France if the data is encrypted with 56-bit DES or Triple DES.

You should recommend that the administrators create a remote access policy and set the condition Windows-Groups to VPN-Access in the policy. This will allow only those who are members of VPN-Access to use the policy. Since this is the only policy, the connection parameters of other users who attempt to access the VPN will not match the policy and they will be denied access. You cannot control access via permissions on the remote access policy object or by configuring the remote access profile associated with a remote access policy. You do not need to use only EAP-TLS authentication. Other methods of authentication can be used as long as the remote access policy is configured correctly.

The Windows 2000 DHCP server service installs two groups that can be used for DHCP management. The DHCP User group provides its members with the ability to view but not alter DHCP server service configuration data. Membership in the DHCP Administrators group allows users to fully administer the DCHP server service, but not the actual Windows 2000 server that hosts the service. Because Regional administrator teams will be allowed to manage DHCP information, they should be added to the DHCP Administrators group in their region's domain.Windows 2000 Help, Search for the article entitled: New features.

You should recommend Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), since it provides the most secure form of authentication that can be used for dial-up connections from Windows NT 4.0 and Windows 9x clients. It also allows the client and server to encrypt data using Microsoft Point-to-Point Encryption (MPPE). The Password Authentication Protocol (PAP) is the least secure protocol listed due to its use of clear-text passwords. Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP), also known as CHAP, does not support data encryption. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), supports authentication of Windows NT 4.0 and Windows 98 clients for VPN connections, but not for dial-up connections.

You should use an IPSec policy that includes a rule configured for transport mode. Configure the rule to use certificates for authentication. You should create a filter list that manages all traffic from the IP address of one domain controller (DC) to the other DC and mirror it for traffic in the other direction. Since you want to encrypt all traffic between the DCs, you should use certificate authentication. Kerberos cannot be protected with IPSec transport filters. Multiple connections in transport mode can be active simultaneously on a computer. You use tunnel mode to protect data traveling between two networks across an unsecured network. Only one tunnel mode connection can be active at a time on a computer.

You should establish a proxy array. This ensures that the configuration information for the ISA Server, Enterprise Edition is stored in Active Directory. It also positions the server to support expansion as needed by allowing more servers to be added to the array. Including the server in an NLB cluster does not store the configuration information in Active Directory. Defining DNS resource records for the ISA Server in an Active Directory-integrated zone insures that the DNS information is stored in Active Directory. It does not provide storage of ISA Server configuration information in Active Directory. Configuring the ISA Server to use Active Caching allows the server to update the contents of the proxy cache automatically as resources allow.

You should use the subnet mask 255.255.248.0. This reserves nine bits for the subnet identifier and eleven bits for the host identifier. Nine bits will allow you to define up to 510 subnets. Eleven host bits will allow you to define up to 2046 hosts on each subnet. The subnet mask 255.255.224.0 only supports 126 subnets. The subnet mask 255.255.240.0 only supports 254 subnets. The subnet mask 255.255.252.0 only supports 1022 hosts per subnet. Note: If your routers and hosts support the all-zeros and all-ones subnets, you can define up to 512 subnets with the subnet mask 255.255.248.0, 128 subnets with the subnet mask 255.255.224.0, and 256 subnets with the subnet mask 255.255.240.0. Hosts and routers running Windows 2000 Server or Professional support these special subnets.

DNS is not a cluster-aware application, so you must manually enable the DNS server service on another computer in the cluster if the server on which DNS is running fails. You can minimize the time needed to bring the other server online if you store the DNS zone files on the cluster drive. DHCP, WINS, and Proxy Server are all cluster-aware applications. If the primary server for any of these services fails, another server in the cluster provides automatic failover support.

You should enable support for unauthenticated access on the Authentication tab of the remote access profile for the policy. Since a user name and password are not sent when an ANI/CLI connection is made, you must allow unauthenticated access. You also configure the User Identity setting for remote access policies in the registry to direct the remote access server or Internet Authentication Service (IAS) server to use the number from which the user is calling as the user identity. You enable support for unencrypted authentication when you need to support clients that use the Password Authentication Protocol (PAP). Passwords are transmitted in a plaintext or clear-text format with PAP. You enable support for encrypted authentication when you support clients that use either Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
Both of these protocols encrypt passwords. You may enable support for Message Digest 5 (MD5) - Challenge when you enable support for the Extensible Authentication Protocol (EAP). This protocol is used to validate the connection during the connection authentication phase of establishing a connection to a remote access server.

You should create a domain-based Dfs root and create one or more root replicas. When you create a domain-based Dfs root, the Dfs configuration information is stored in Active Directory so it is available from any domain controller. This configuration information includes the Dfs topology. A domain-based Dfs root can be created on a Windows 2000 domain controller or on a computer running Windows 2000 Server or Advanced Server that is a member of a Windows 2000 domain. When you create a root replica, the content of the folder that is used as the root folder of the Dfs hierarchy is replicated to another server. Thus, if the original server becomes unavailable, the content of the root folder is still accessible. You can have up to 32 replicas of the root. You should not create a standalone Dfs root because the configuration information for a standalone Dfs root resides only on that root server.
Also, you cannot create replicas of the root folder for a standalone Dfs root. You should not create a domain-based Dfs root and create replicas of each child node in the hierarchy if you want to provide redundancy for the Dfs root itself. Although this solution stores the topology in Active Directory, this solution does not make a redundant copy of the root folder available.

You should recommend that Proxy Server be implemented both to improve access to external web sites and to support an external FTP server. With Proxy Server caching can be enabled to cache data and improve access to the content of the web and FTP sites that the employees use for research. The Proxy Server can also provide access to the internal FTP server. The client computers should be configured as proxy clients. Proxy Server is not included with Windows 2000, but management has approved the purchase of additional hardware and software. You should not recommend that NAT be implemented. NAT could be used to support an internal FTP server, but it will not serve to improve access to Internet resources. You should not recommend that ICS be implemented since it cannot be used to support an internal FTP server. You should not recommend that Windows Load Balancing be implemented. Windows Load Balancing helps to improve access to content on the servers on which Windows Load Balancing is implemented. It does not improve access to content on external servers.

You should define the list of DNS servers in the TCP/IP properties of the DHCP server. If the DNS server that is authoritative for the zone in which the client's resource record is stored is not listed, the DNS servers that are listed will refer the request to the DNS server that is authoritative for the zone. You define DNS servers to be used by the DHCP clients in the DHCP scope options. You use the Properties dialog box of either the DHCP server or the DHCP scope in the DHCP console to configure the interaction between DHCP and DNS. Parameters that you can configure include when to automatically update DHCP client information in DNS and whether or not to update information for DNS clients that do not support dynamic updates.

You should recommend that the network administrator configure one of the computers running Windows 2000 Professional as a WINS proxy. A WINS proxy is a computer that responds to NetBIOS name resolution broadcasts. If the WINS proxy does not have a mapping of the requested name to an IP address in its NetBIOS name cache, it sends a request to the configured WINS server. Once it receives a response from the WINS server, it can reply to the original requester. WINS does not support LAN Manager for OS/2 as a WINS client, so you cannot configure the IP address of the WINS server in the TCP/IP properties of the client. Configuring a static mapping for the OS/2 client in the WINS database will not allow applications on the OS/2 client to resolve NetBIOS names to IP addresses. Configuring a static mapping will allow other computers to determine the IP address of the OS/2 client. You should not create an LMHOSTS file on the computer running OS/2 with an entry for the WINS server. This would not enable the client to send name resolution requests to the WINS server.

You should recommend that they modify the burst handling setting on the WINS server in Dallas to Low. This will allow the server to respond more quickly to registration requests when the demand is high. Burst handling enables a WINS server to issue short leases to clients without registering the names of the clients in the WINS database. When the clients send renewal requests, if the load on the server has decreased, it then issues normal leases and registers the names in the database. By setting the value of burst handling to Low, the burst handling will be triggered once 300 requests are queued. The default setting of Medium triggers burst handling when 500 requests are queued. A setting of High triggers burst handling when 1000 requests are queued. You use the extinction interval to define the period between the time an entry is marked in the WINS database as released and the time it is marked as extinct. When an entry is marked as extinct, it may then be removed from the database after the amount of time configured as the extinction timeout. You define the maximum number of records verified each period to govern the number of records in the database of a WINS server that are compared to the records in the database of the WINS server that owns the records. This setting is used when WINS servers are configured as WINS replication partners. You define the renewal interval to set the amount of time for which a name registration is valid.

You should configure DC1, DC2, or DC3 as a forwarder for DCEU1. A forwarder is a DNS server to which a DNS server forwards queries. For example, if DC1 is configured as a forwarder for DCEU1, and DCEU1 receives a query that it cannot answer from its own set of records or the information in the DNS server cache, it forwards the query to DC1 for resolution. You should not configure DC1, DC2, or DC3 as a master name server DCEU1 because the servers host separate zones. A master name server is either a primary or a secondary name server for a zone from which a secondary name server can receive zone transfers. You should not configure DC1, DC2, and DC3 in the root hints of DCEU1, since DC1, DC2, and DC3 do not host a root zone. On all the DNS servers, the root hints should contain information about the name servers that host the root zone on the internet. This information is loaded by default from the preconfigured file cache.dns. You should not configure DC1, DC2, and DC3 as alternate servers for DCEU1. You configure an alternate server to allow the DNS resolver to contact a second server if the resolver cannot contact the primary DNS server. The DNS server service does not use this information to locate an alternate server.

You should recommend that WINSA and WINSB be configured as push and pull partners of each other. Each server should be configured to request updates during non-business hours or when traffic across the 256 Kilobit line is lowest. As push and pull partners, each server should be configured to contact its partner for updates or both databases will not stay up to date. You should recommend that the network administrator set the number of changes that will trigger a replication to a value greater than the number of updates the normally occur every twelve hours. This will help to ensure that replication happens primarily at the defined intervals. You should not recommend that WINSA and WINSB be configured as only push partners of each other because you will not be able to manage when replication occurs. Also, one must be a push partner and the other a pull partner to establish replication. You should not recommend that WINSA be configured only as a push partner of WINSB and WINSB as a pull partner of WINSA. In this configuration, changes on WINSA will not be replicated to WINSB. You should not recommend that WINSA be configured only as a pull partner of WINSB and WINSB as a push partner of WINSA. In this configuration, changes on WINSB will not be replicated to WINSA.

When you select the option systemstate, you must use normal or copy as the backup type. An incremental backup only saves data that has been modified since the last normal or incremental backup. A differential backup only saves data that has been modified since the last normal or incremental backup. A daily backup only saves data that has been modified on the day the backup is being done. When backing up system state data, you must back up all of the system state data to insure consistency, so incremental, differential, and daily backup types are not supported.

Since the company is using a proxy server to access the Internet, private Internet Protocol (IP) addresses are used for internal communications. You should configure a root zone on DNSSrv1 since these DNS servers will be used to resolve internal names. You should also configure the cache.dns file on DNSSrv2 and DNSSrv3 with name server records for DNSSrv1 instead of the default name server records for computers that maintain the root DNS domain for the Internet. You should also insure that the Root Hints tab in the Properties dialog box of DNSSrv1 in the DNS Manager does not contain entries for the computers that maintain the root DNS domain for the Internet. You can also do this by deleting the default records in the cache.dns file. You should not create root zones on DNSSrv2 or DNSSrv3 nor should you configure the cache.dns file on DNSSrv1 with name server records of the other DNS servers.

Proxy Server would benefit the most from load balancing. DNS can be configured with a single Internet Protocol (IP) address for the cluster. Once an external client attempts to connect to this IP address, one of the servers in the cluster responds to the request, alternating the load among the servers. DHCP and WINS are cluster-aware services that benefit primarily from the failover services of a cluster rather than from the load balancing services. DNS is not a cluster-aware application, so you must manually enable the DNS server service on another computer in the cluster if the server on which DNS is running fails. You can minimize the time needed to bring the other server online if you store the DNS zone files on the cluster drive.

You should add the group Everyone to the "Pre-Windows 2000 Compatible Access" group. The Routing and Remote Access Service on the computer running Windows NT 4.0 Server uses the LocalSystem account. This account cannot be used to establish a Null session with a domain controller running Windows 2000 Server when the domain is configured to use permissions compatible with Windows 2000 servers only. The account can be used to establish a Null session to a BDC running Windows NT 4.0 Server. Therefore, when RAS10 contacts a BDC to authenticate a user, the connection can be established successfully because the BDC can verify the user's dial-in access in its local Security Accounts Manager (SAM) database. When RAS10 contacts a domain controller running Windows 2000, a Null session cannot be established. Since it is RAS10 that must be able to communicate with all domain controllers, adding the computer account for the Sales department's laptops will not provide the support needed. You do not need to configure support for MS-CHAP v2 on RAS10, since Windows NT 4.0 clients can use MS-CHAP v2 only for Virtual Private Network (VPN) connections, not for dial-up connections. You should not add the computer accounts for the BDCs to the "RAS and IAS Servers" group. Members of this group can access user account properties related to remote access.

The encryption levels to be used would have a greater influence on design decisions for Great Garments than on those for Acme Attire, since Great Garments has facilities in a number of countries. Encryption levels must be addressed when designing Internet Security Protocol (IPSec) policies, remote access policies, and the configuration of virtual private networks (VPNs), among others. The strongest level of encryption that can be exported out of the United States and Canada is 56-bit Data Encryption Standard (DES). Government regulations must be considered in all network designs, no matter what countries are involved. There are often additional regional and local government agency regulations that must be considered. The authentication mechanisms available in Windows 2000 can be used in any country. The placement of servers is more dependent on the network services installed at each location than on the country or countries in which an enterprise operates. The overall goal when placing servers is to minimize the amount of network traffic generated by the services running on each server and to optimize the responsiveness to user requests.

You should configure one of the computers running Win2000 Professional as a WINS proxy. A WINS proxy is a computer that responds to NetBIOS name resolution broadcasts. If the WINS proxy does not have a mapping of the requested name to an IP address in its NetBIOS name cache, it sends a request to the configured WINS server. Once it receives a response from the WINS server, it can reply to the original requester.

The LMHOSTS file is not dynamic, and therefore would require additional work to stay up to date.

The OS/2 client does not have a setting for the address of a WINS server.

Configuring a static mapping for the client will allow other computers to find the OS/2 computer but would not help the OS/2 computer resolve the other computers' names.

OSPF uses IP multicast to send link-state updates as well as offers better convergence than RIP. OSPF allows transfer and tagging of external routes in an Autonomous System. The use of IP multicast to send link-state updates means less processing for routers that are not listening for OSPF packets. OSPF offers better convergence than RIP because routing changes are propagated instantaneously, not periodically as in RIP. OSPF's transfer and tagging of external routes in an Autonomous System keeps track of external routes injected by exterior protocols such as BGP. RIPv1 and RIPv2 are distance vector protocols.

OSPF is more complex than RIPv2 and does not use a hop count metric. OSPF is a link-state protocol.

Your boss, quite simply, is asking the impossible. RIPv1 does not support VLSM because it doesn't track subnet masks.

RIPv1 is a distance-vector protocol, not a link-state protocol, and uses hop counts.

RIPv2 does support VLSM but even then it should not be used if RIPv1 routers are present on the network.

Even RIPv2 cannot be configured to handle hop counts greater than 15. In this case, OSPF would be preferable because it supports up to 255 routers.

RIPv2 does allow you to optimize convergence times through the use of split horizon, poison reverse and triggered updates. However, OSPF would still give you the best convergence time.

RIPv1 uses broadcast announcements, while RIPv2 uses multicast.

One default gateway is the most you can define on the server. Even with three adapters and two different IP routing protocols, you need define only one or no default gateways on the server. Windows 2000 has only one routing table and so there can be only one current default gateway. A hardware router, which may have many different routing tables, would require more than one defined gateway.

In a demand-dial on-demand configuration, you use static routing with no routing protocols. If your demand-dial connection were persistent, then you would use dynamic routing and would use routing protocols.

You should shut down any computers set to obtain an IP address automatically to be sure the IP information assigned by the old DHCP server doesn't interfere with addresses assigned by the ICS server. ICS does not function with unidirectional adapters (Q231648) and requires two network adapters on a host computer, the computer with a connection both to the Internet and the local LAN (Q265728).

Powering on all computers will give those computers the wrong IP addresses.

Unidirectional device adapters are only a problem on the PC running ICS, not its clients. The client network cards can be either unidirectional or bi-directional.

The must be at least 2 adapters present: one to act as an internal interface, and one to act as an external interface. Therefore 1,3,4,5, and 6 are wrong answers.

Common examples are a NIC and a modem adapter. There should be at least one internal network interface card and an external interface. The external interface can be a modem, ISDN adapter or Ethernet adapter.

If you do not have a connection to the LAN as well as to the Internet, you will not be able to install ICS.

ICS does not function with unidirectional adapters (such as the DirectPC system) (Q231648).

A null-modem cable permits two RS-232 "DTE" devices to communicate with each other without modems or other communication devices between them. This will do nothing to assist an ICS install.

The RIP protocol is not needed either.

NAT allows the use of multiple network adapters, Internet ports and IP addresses. ICS is simpler to configure than NAT and is better suited to single segmented private networks of up to 254 workstations.

All the services your boss wants are offered in NAT but can be set up only on a Windows 2000 Server with Routing and Remote Access enabled. ICS can be setup on Windows 2000 professional but it can't use more than one IP address, doesn't offer flexibility in how DNS names are resolved, and doesn't allow for dynamic mapping.

You need to enable the RRAS (Routing and Remote Access) Windows 2000 Server service, not install it. When it is enabled, it will trigger the Routing and Remote Access Server Setup Wizard. One of the wizard's options is to enable NAT. From there, you will be asked whether you want to use ICS or NAT.

RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) are routing protocols.

BGP (Border Gateway Protocol) is an Internet protocol that enables groups of Autonomous Systems (AS) to share routing information.

POTS (Plain Old Telephone Service) is standard telephone service.

A digital certificate from a valid CA provides the necessary authentication. Moreover, since a third party is involved, this maintains the anonymity of the computer that is initiating the connection.

The Kerberos protocol is used between computers in the same domain.

Shared secret protocols are usually used in wireless communications and the secrets are manually entered.

By deleting the data recovery certificate, only a person who has physical access to the data recovery certificate can recover data from that system.

If a Data recovery certificate is deleted, not revoked, only the person who can gain physical access to the data recovery certificate can recover data from that system.

Moving data to a different partition with different NTFS permissions will not insure physical access to the data recovery certificate.

Backing up the files and removing them from the system will make them unavailable.

Designated user accounts, called recovery agent accounts, are issued recovery agent certificates with public keys and private keys that can be used for EFS data recovery operations. Recovery agent accounts are designated by the EFS recovery policy. EFS requires that a data recovery policy be set at the domain level. This recovery policy is set by domain administrators that control the recovery keys for all computers in that domain. After these keys have been backed up, they can be deleted from the recovery agents store for additional security, using the Certificates console of the MMC.

Revoking the policy will not delete the recovery certificate.

Deletion of the recovery certificate is done with the Certificates console in the MMC, not by using the CA.

If Sam's assigned certificate is revoked, he will not be able to access any network resources. Revoked certificates appear on the Revoked Certification list.

Restricting permissions may not effect all permissions.

Revoking a certificate is quicker than forcing a it to expire early.

By creating a CA and issuing users a certificate to be stored within the smart card, only users with valid smart cards will be able to log on to the network.

If you are using a smart card, the certificate can be stored in the smart card, eliminating the need for downloading the certificate each time the user logs in.

Creating a standalone Certificate Authority (CA) will not accomplish all the goals listed.

A certificate must be issued if you are using smart cards.

If a parent CA is unavailable, you can save the request to a file; give the path and filename. You can then obtain the subordinate CA's certificate from the parent when it comes online.

There may be only one CA root authority.

The certificate must be issued by the parent CA to be valid; therefore, installing a sample certificate would not accomplish the task.

You can create a CTL to contain only secure email and apply this to your group policy object so that anyone in the group will use only Mailcall for secure email certificates.

You can pick and chose the types of certificates you use from a CA.

The goal is for the CA to only issue certificates for secure email; therefore, it should not have issued certificates that need to be revoked.

Creating a subordinate CA would be inefficient and unnecessary.

Since you want all of the sites to have the same namespace, it is easiest to set each site up as a second level domain and ensure each site has a DNS server.

Setting up the San Francisco office as the first level domain and setting up the other three sites as second level domains will not insure that intersite DNS queries are kept to a minimum as the second level domains would have to synchronize with the first level domain.

There is no such thing as a DNS child domain.

The DNS server will provide the name resolution, and Active Directory requires it. If a DNS server is not present when Active Directory is installed, the Active Directory will have to install the DNS server.

DHCP servers do not provide for name resolution.

WINS servers with NetBIOS name resolution do provide for name resolution, but not in a way the Active Directory can use. Active Directory requires host names, not NetBIOS names.

LMHOSTS is similar to a host file. It will provide name resolution, but the administrative effort would require touching each machine.

Since you want all of the sites to have the same namespace, it is easiest to set each site up as a second level domain and ensure each site has a DNS server.

Setting up the San Francisco office as the first level domain and setting up the other three sites as second level domains will not insure that intersite DNS queries are kept to a minimum as the second level domains would have to synchronize with the first level domain.

There is no such thing as a DNS child domain.

Configuring a Root Name Server will be authoritative for all Top-Level Domain queries and thus will ensure that all name resolutions occur locally. This DNS structure will control which domains the users can resolve names for.

Setting up the DNS server inside the DMZ may still mean that the DNS servers will need to query other name servers on the Internet.

Setting up the DNS server behind the proxy server may still mean that the DNS servers will need to query other name servers on the Internet.

Setting up a DNS caching server will guarantee that the DNS server will need to query other name servers on the Internet.

Increasing the Refresh Interval for the Start of Authority (SOA) records on the Primary Zone will cause the Secondary Zone to make fewer transfer requests.

Decreasing the refresh interval for the SOA will increase the amount of network traffic, because it will mean less time between zone transfers.

The TTL value determines how long a particular resource record is considered valid. Once the TTL on a record expires, the DNS client must resend a DNS query request for the same host name. DNS clients affected by the TTL include both DNS servers performing recursion and DNS client computers.

With no forward lookup Host record for a system, you will not be able to access that system via its host name. This is one of the reasons why it is an advantage to use a DHCP server to issue IP addresses and to set up Dynamic DNS.

There are no specifications on the number of hosts necessary to use DHCP.

Flushing the DNS cache may be an option, but it does not have the highest probability of solving the problem.

Reverse lookup would not play a part in this scenario. Reverse lookup resolves an IP address to a DNS name.

host will check its resolver cache first before sending a query to the DNS server, so it would still be receiving the wrong answer until the cache is cleared.

Rebooting the DNS server will clear the DNS resolver cache on that computer, but will not affect the cache on each of the client hosts.

FileSvr1 does not have a part in the name resolution scenario. It is the target, and is thus not providing any name resolution.

The release and renew parameters of IPConfig won't help clear the resolver cache but instead will download DHCP options.

The caching-only server will keep a record of the resolved names to the remote sales office and will thus not have to query the DNS server in the main office as much as in the past. Also, it is the least expensive and easiest solution to set up.

Setting up a DNS server at the remote sales office would not meet the criteria of spending too much administrative time on the project.

There is no such thing as a DNS Relay agent.

Setting up a VPN between the main office and remote office will have no effect on name resolution.

The scope is configured at the DHCP server not at the local host.

There is no mention of the administrator attempting to contact the ISP's servers.

The IP address of 169.254.203.111 should be recognized as an Automatic Private IP Address.

If the DHCP server were still functioning, it would renew the IP leases.

If the DHCP server fails, the computers will use Automatic Private IP Addressing (APIPA) to configure themselves so that network communications can occur, but connections to the Internet will not. The APIPA network ID is 169.254.0.0/16. Windows 2000 clients assigned an APIPA address continue to issue DHCPDISCOVER broadcasts every five minutes, in the event the DHCP server comes back online.

According to the Microsoft Windows(r) 2000 Server Resource Kit you should use the 80/20 Rule by assigning 80% of the scope to the main DHCP server and 20% of the scope to the backup DHCP server. This is the most efficient solution.

There is no way to configure DHCP server to "take turns assigning IP addresses". Assignment is done by the first server to respond to the DHCP client.

A DCHP server will respond to any request it receives. It will depend on which response reaches the DHCP client first as to which IP address is accepted.

By placing the IP addresses in the Reserved option and creating ten client reservations, the servers will always have the same IP leased to them.

If you placed the addresses in the Exclusions option, thus creating an excluded address range, these addresses would not be available for lease.

You could manually configure the servers, but that would take more administrative effort.

Creating a separate subscope would not guarantee that the servers would receive the same address.

A DHCP Cluster that is set up as a virtual node will guaranty that the DHCP service will continue to function if any of the nodes fails and will automatically transfer the name space and services to one of the other nodes. Also, the cluster provides load balancing, so all of the objectives are met.

After receiving a DHCPNAK when it tries to renew its lease, the host will send a broadcast discover message, which contains its MAC address, in order to request a new IP address.

There is no record kept of the location of any host. All records are based on the MAC address of the network card in the host.

You will not have to assign a static IP address.

Since there is no router involved, a relay agent is not necessary.

You not only have to configure the DHCP server to "Always update DNS" and "Discard forward (name-to-address) lookups when the lease expires". You also have to configure the DNS server to accept Dynamic DNS updates.

Updating is done by the server. In this scenario, it is implied there is just one scope.

You want all clients to be registered with DNS, so the client should not have the ability to make a request.

In order to install the DHCP service, the server used must have a static IP address and a subnet mask defined, and the network card needs to have TCP/IP set up with a default gateway in a routed network. The DNS server and Active Directory will be needed after the service has been installed. DNS, WINS and Active Directory are not required to install or maintain a DHCP server.

The Bandwidth Allocation Protocol (BAP) is used to manage links based on the bandwidth required for the traffic flowing between two endpoints. BAP defines packets, parameters, and negotiation procedures allowing two endpoints to add or drop links from a multilink bundle as needed. BAP is a part of the overall RAS Access Policies (RAP) in Windows 2000.

Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP) are user authentication methods.

RAS Access Policies (RAP) is the name in Windows 2000 for the set of policies used to control remote access.

You can define the maximum session length, the use of BAP, and the use of MS-CHAP as the authentication protocol in the remote access profile. The use of PPP and limiting the use of the policy to members of Development-Mgrs are conditions of the remote access policy.

RRAS supports multiple authentication protocols that can be used for different purposes.

EAP (Extensible Authentication Protocol) allows requests to the RRAS server to be properly formatted and forwarded to the RADIUS server. EAP supports certificates and smart cards.

MS-CHAP can only be used in a Microsoft environment and does not support the use of smart cards.

Kerberos is used to authenticate Active Directory connections inside a network.

Passwords in PAP authentication are not encrypted and PAP does not support the use of smart cards.

Windows 2000 server can support the following remote access authentication protocols in a VPN environment: Shiva Password Authentication Protocol (SPAP); Versions 1 and 2 of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP); Challenge Handshake Authentication Protocol (CHAP); Password Authentication Protocol (PAP); and Extensible Authentication Protocol (EAP).

Point-to-Point over Ethernet (PPoE) is a common access protocol used in broadband connections and is not an authentication method.

Microsoft Point-to-Point Encryption (MPPE) provides encapsulation and encryption for VPN connections.

The Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol used to create a VPN.

If you want to do this seamlessly, this isn't the way. Without a default remote access policy, no user will be allowed access through the RRAS server. All connection requests are evaluated against the criteria contained in the remote access policy.

You may delete the default profile but if there are no other profiles, all connection attempts will be denied. It is usually best to keep the default policy and modify it to suit your needs.

The RRAS server uses user permission to determine what access rights you have to resources, not whether or not you can connect.

If there is no remote access policy, there are no conditions to compare and all requests are denied.

Enabling CHAP on the server simply tells the server to accept this type of authentication. Additional steps must be taken for CHAP to work properly. One of the drawbacks of CHAP is that client passwords must be stored in the SAM database after CHAP is enabled. This means that all remote access users must change their password after CHAP is enabled on the server for CHAP to work.

Remote access is determined by the permissions assigned to the user and the remote access policy. What device you are using is immaterial as long as it is using the correct authentication method.

A Win2000 server is able to use multiple authentication methods for RRAS. The fact that MS-CHAP v1 and v2 are in use would not have any effect on the Windows CE devices.

The most likely reason Chris cannot connect is that there are no free VPN ports available. By default, 5 PPTP and 5 L2TP ports are installed on the remote access server. It would not be unusual for all of these ports to be in use during business hours.

Since Chris said that connection attempts were unsuccessful, this means that the connection was never accepted in the first place.

The fact that Chris can establish connections at different times of the day and different days of the week rules out a Time and Day policy creating the problem.

Chris did not report any error messages regarding passwords or any problems entering a password so that is a less likely source of trouble.

The default configuration for RRAS supports five PPTP ports and five L2TP ports. Since there are only 10 ports, only 10 users can connect at a time.

Windows 2000 Professional workstations support remote access and VPN connections using a variety of connection types.

MS-CHAP provides encrypted and mutual authentication between the respective RRAS locations. MPPE works with MS-CHAP and provides encryption for all the data between the locations.

PAP, SPAP and CHAP perform one-way authentication. They allow the user to authenticate to the server, but do not provide a mechanism for the server to authenticate back to the user.

Challenge Handshake Authentication Protocol (CHAP) is a standard remote access authentication protocol that provides the use of encrypted passwords and is compatible with both Microsoft and non-Microsoft clients.

Neither version of MS-CHAP supports non-Microsoft clients.

PAP sends passwords in plain text (unencrypted).

TCP/IP is necessary on the server with Gateway Services for NetWare. All the workstations are running TCP/IP and connect to the Win2000 Gateway server through TCP/IP.

NetBEUI is not routable and therefore not appropriate for this type of environment.

Since you are migrating to windows 2000 you will not need to use IPX/SPX, a protocol developed by Novell.

AppleTalk is only needed if there were Apple computers on this network.

You use the Advanced button in the TCP/IP properties dialog box to assign the IP address.

The type of network card is immaterial, as long as it supports the TCP/IP.

A network adapter can only have one IP address assign to it. If a computer needs to have multiple IP's it must have multiple network adapters.

The first step you should take to activate an IPSec policy is to assign the policy in the IP Security Policies node in the Group Policy Editor. If you create a new IPSec policy or want to put a predefined policy into effect, you must first assign the policy.

You use the utility SECEDIT with the refresh policy option to propagate changes to the settings of a GPO immediately rather than at the next scheduled update.

You use the IP Security Monitor (IPSECMON.EXE) to view IP Security associations and IPSec statistics.

You should restart the policy agent on a computer if you want to ensure that changes you have made to an IPSec policy are effective. However, the changes will not take effect if the policy has not been applied.

IPSec in Windows 2000 is designated to protect sensitive data on a TCP/IP network. IPSec is useful when the network between two communicating computers is not secure. It provides confidentiality, integrity and authentication of IP traffic for each packet traversing the network. When using IPSec, the two computers communicating over the network first agree on the highest common security policy, and then each handles the IP Security at its respective end. Before sending data across the network, the computer initiating communication transparently encrypts the data by using IP Security.

Installing TCP/IP on the servers, along with the current NWLink, will allow the clients that have been newly migrated to use server resources, while still permitting all remaining clients to continue accessing the resources on the servers.

Installing WINS will not be necessary since all stations will be serviced by DHCP for their IP addressing needs. WINS instead deals with NetBIOS name to IP address translation.

AD does not support the NWLink protocol.

Ipconfig displays configuration information about the TCP/IP stack of the machine you run it on. Your first step is to run Ipconfig and check the default gateway.

Nslookup would be used to determine the name associated with IP address of a host. Of course, if all attempts to connect to resources are failing this would be useless since you wouldn't be able to connect to the DNS server.

Netstat -a displays active TCP connections, and ports on which the computer is listening, but does not display the default gateway.

Nbtstat displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. It will not tell you the default gateway, however.

Checking the physical connections of a system will save time, and should be among the first things you check.

Continuous broadcasting on the network would flood the network and slow performance but it wouldn't terminate connections.

Network cards don't "wear out", and unless the stations are in a high traffic area or you have some sort construction or maintenance going on, there isn't much chance of damaging a cable.

DNS properties being changed would affect all stations, not just a some of them.

An Allow Unsecured security filter action will always request an IPSec connection before it allows an unsecured request.

"Deny" would not allow any connections.

"Block" is not a valid option.

Allow only Secured will not request an IPSec connection. It will simply deny the unsecured connection.

Either DHCP or manual addressing can be used on the second card.

Since DHCP is running, you can have the TCP/IP configuration downloaded from the server. Install TCP/IP and configure it to obtain an IP address automatically.

The WINS server itself should be a WINS client in order for other network nodes to access it based upon its NetBIOS name.

If you had configured the WINS server to include its own IP address as a WINS client, it would have worked.

The default gateway is a router. The WINS server may or may not fulfill that role.

You would not have to configure the default gateway address as a WINS client.

Configuring both WINS servers as push/pull partners ensures the greatest level of synchronization possible. Both servers should have nearly identical databases at any given time. This method will greatly increase network traffic, however. This is the default WINS replication configuration.

You can also configure one server as a push partner and one as a pull partner, but this won't keep the databases as synchronized as the previous method.

Configuring both servers as pull partners will not ensure the greatest level of synchronization. Pull partners request information from their partners at configured time intervals.

Configuring both servers as push partners will not ensure the greatest level of synchronization. Push partners send update requests to their partner when a designated level of updates occurs.

If Network traffic is a concern, you can also disable persistent replication.

Configuring clients to retrieve WINS information from just one server will not insure an up to date WINS database.

Configuring both servers as pull partners will not ensure the greatest level of synchronization. Pull partners request information from their partners at configured time intervals or when an update occurs on the push partner.

Configuring both servers as push partners will not ensure the greatest level of synchronization. Push partners send update requests to their partner when a designated level of updates occurs or at a specified time interval.

All WINS servers need to have the same name resolution information in each database. By establishing push/pull relationships between all the WINS servers, the information from each database is exchanged with other WINS servers until they all hold the same information.

The LMHOSTS file should include an entry that includes the IP address and NetBIOS name of the server. The PRE tag will ensure that the entry is preloaded into the client's NetBIOS name cache on startup. The DOM tag identifies the server as a domain controller for the ABX domain.

The entry 192.168.4.2 DC1 #PRE #DOM:DC1 is incorrect because the #DOM tag identifies the DOMAIN. In this case the domain is ABX, not DC1.

The entry 192.168.4.2 DC1 #PRE #INCLUDE_ABX is incorrect because it does not identify the domain.

The entry 192.168.4.2 DC1 #PRE #ABX uses improper syntax.