INF314 Journey into the Mysteries of Windows Server 2003 Networking Services

1
INF314 Journey into the Mysteries of Windows Server 2003 Networking Services
  • Erik Rozman
  • Mercury Interactive

2
Agenda
  • The importance of Networking Service
  • DHCP
  • Overview
  • Using scope options
  • Superscopes (usage of multiple scopes)
  • Detecting duplicates (server-side/client-side)
  • The virtues of the DHCP client service
  • DNS
  • Overview
  • Mixing DDNS and DHCP
  • Using DNS as a load balancer
  • Cleaning up the information
  • DNS and the command line
  • IAS
  • Overview
  • Is There a Future for Infrastructure Service?
  • NAP Overview

3
Infrastructure Services: The untold story
  • How do you define a modern network?
  • Infrastructure services provide the foundation
    for all services provided by a computer network.
  • Infrastructure services may be your friend or
    foe; it all depends on how you treat them.

4
Strong Foundations, Strong Structure
Layer diagram (top to bottom), with an "OOPS!! Bye Bye" callout on the client-facing layer:
  • Client Facing Applications: Exchange, File Servers, etc.
  • Networking Services: DHCP, DNS, WINS, IAS, etc.
  • Operating System: Permissions, Registry, etc.
  • Hardware Components: Servers, routers, switches, cabling, etc.
5
DHCP- Basic process
  • DHCP is a protocol that eases the distribution of
    IP addresses.
  • The major advantage of DHCP is that it takes care
    of a relatively tedious chore automatically and
    relatively safely.
  • DHCP can be more than meets the eye, for better
    and for worse.

Basic exchange (all four messages are broadcast):
  • DHCPDiscover
  • DHCPOffer
  • DHCPRequest
  • DHCPAck
6
Providing different options in the same scope
  • In some cases you might need to provide different
    options to different clients that use the same
    scope.
  • This might be useful in the following situations
  • Prevent access to Internal networks for
    unauthorized systems
  • Provide access to different services on the same
    subnet
  • To solve this issue a method that differentiates
    clients has to be established.
  • This can be achieved by using User Class options.

7
User Class
  • Each DHCP client has a User Class.
  • The default User Class is an empty one (none).
  • When a client requests information from a DHCP
    server it presents its User Class.
  • The server will provide only the options defined
    for the User Class presented.

Diagram: a Corporate VLAN and a Conference Room VLAN served from one scope
(Scope 10.0.0.0, Range 10.0.0.10-254, SM 255.255.255.0, DG 10.0.0.3,
DG for the Corporate class 10.0.0.2; router addresses shown: 20.0.0.2,
10.0.0.2, 10.0.0.3, 20.0.0.3). The Corporate Client asks "IP info? Corporate";
the Guest Client asks "IP info?" with no class.
8
Configuring a User Class
  • To be able to use a User Class it has to be
    configured both on the client and the server
  • Server - A user class has to be configured and a
    keyword to be used as the identifier has to be
    set.
  • Client - Has to be configured to provide the User
    Class identifier when requesting DHCP settings.
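The selection step on the server side, as an added Python example that is not code from the presentation: it parses the options field of a DHCP request, reads the User Class (option 77) and picks the default gateway for the scope from slide 7. The raw-string layout of option 77 (the form Windows clients send after ipconfig /setclassid) and the request payloads are assumptions constructed for the example.

```python
# Added example, not from the original presentation: selecting scope options
# by the DHCP User Class (option 77) a client presents.  Values mirror slide 7:
# scope 10.0.0.0 hands out DG 10.0.0.3, the "Corporate" class gets DG 10.0.0.2.
from typing import Dict

OPT_PAD = 0
OPT_ROUTER = 3          # default gateway
OPT_PARAM_REQUEST = 55  # parameter request list
OPT_USER_CLASS = 77     # User Class (RFC 3004)
OPT_END = 255


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field: (code, length, value) triplets until END."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # PAD has no length byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


# Scope-wide options and the per-class overrides layered on top of them.
# Assumption: the class identifier is the raw option-77 payload, which is how
# Windows clients send a class set with "ipconfig /setclassid".
SCOPE_OPTIONS = {OPT_ROUTER: "10.0.0.3"}
CLASS_OPTIONS = {b"Corporate": {OPT_ROUTER: "10.0.0.2"}}


def select_options(client_opts: Dict[int, bytes]) -> Dict[int, str]:
    """Start from the scope defaults, then apply the presented class (if known)."""
    user_class = client_opts.get(OPT_USER_CLASS, b"")   # default class: empty
    result = dict(SCOPE_OPTIONS)
    result.update(CLASS_OPTIONS.get(user_class, {}))
    return result


def gateway_for(request_options: bytes) -> str:
    return select_options(parse_options(request_options))[OPT_ROUTER]


# Constructed request payloads (not captured traffic).
CORPORATE_REQUEST = bytes([OPT_PARAM_REQUEST, 2, 1, 3, OPT_USER_CLASS, 9]) + b"Corporate" + bytes([OPT_END])
GUEST_REQUEST = bytes([OPT_PARAM_REQUEST, 2, 1, 3, OPT_END])

if __name__ == "__main__":
    print(gateway_for(CORPORATE_REQUEST))  # 10.0.0.2
    print(gateway_for(GUEST_REQUEST))      # 10.0.0.3
```

A client presenting an unknown class falls back to the scope defaults, the same as a client with no class at all.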

9
Demo- User Class in Action
  • User Class Configuration (GUI/Scripting)
  • Server-side
  • Client-side
  • Displaying how the settings affect clients

10
One Scope will Rule Them All: Multiple Scopes
  • DHCP provides IP configuration information to
    unconfigured clients.
  • The DHCP protocol does not provide an
    authentication mechanism, so the server has no
    method of identifying a client.
  • What happens when a server has multiple scopes
    configured and it receives a request? Which scope
    does it use?

11
One Scope will Rule Them All
Diagram: a DHCP Server (IP 20.0.0.2, SM 255.255.255.0) serving both the
10.0.0.0 and the 20.0.0.0 network through a DHCP Relay Agent; hosts shown at
20.0.0.5, 10.0.0.5, 20.0.0.11 and 10.0.0.11 asking "IP info?".
Scope 10.0.0.0: Range 10.0.0.10-254, SM 255.255.255.0, DG 10.0.0.3.
Scope 20.0.0.0: Range 20.0.0.10-254, SM 255.255.255.0, DG 20.0.0.3.
12
Demo-Multiple Scopes
  • Demonstrating the process when multiple scopes
    are used
  • Server
  • Client
  • Network trace

13
Superscopes
  • In some cases it is beneficial to override the
    default behavior of the DHCP when multiple scopes
    are used.
  • If addresses from multiple scopes have to be
    assigned a Superscope has to be configured.
  • A Superscope is a container for multiple
    scopes; addresses will be assigned from the first
    scope to the last without discrimination.

14
Demo-SuperScopes
  • Configuration
  • Mode of operation

15
Detecting Duplicates
  • A TCP/IP based network has one cardinal rule: no
    two hosts can use the same IP address.
  • In the case of two hosts that are configured with
    the same IP address, the 2nd host to start up will
    not be able to function in the network (on most
    TCP/IP implementations).
  • Since a DHCP server uses a database to track
    leased addresses it should not encounter such
    issues, yet the world is not perfect.

16
Detecting Duplicates
  • Duplicate IP addresses may appear on a network
    for a myriad of reasons, just to name a few:
  • A user configures a static IP address that is
    used in a scope.
  • An administrator forgets to exclude an address he
    used in a static configuration.
  • A DHCP server has to be replaced with a new one.
  • To avoid this issue the DHCP server has a built
    in mechanism that should identify addresses that
    are already used and prevent them from being
    leased.

17
Detecting Duplicates DHCP Server
  • The DHCP server has a built in mechanism that can
    check if an address that is about to be leased is
    in use.
  • It does so by pinging (ICMP) the address that it
    is about to lease. If the DHCP server receives
    an answer from the address it will not lease it.
  • In addition to that it will mark it as a
    BAD_ADDRESS, rendering the IP address unusable
    until an administrator returns it to the
    scope.
  • The Conflict Detection feature is disabled by
    default.

18
Demo-Conflict Detection
  • Configuration of Conflict Detection on the
    server
  • In action (returning the address to the scope)
  • Network trace (Showing the ICMP messages)

19
Detecting Duplicates: Client Side
  • As stated earlier if two clients were assigned
    the same IP address the 2nd client to start will
    not be able to use the TCP/IP stack to
    communicate.
  • This is achieved by a mechanism that is built into
    the TCP/IP stack.
  • When a client is assigned an IP address (static
    or dynamic), before it starts to use it, the
    client will send out an ARP query for the address.

20
Detecting Duplicates: Client Side
  • If the ARP query is answered the client assumes
    that the address is already being used and it
    relinquishes it.
  • Static Assignment - Client will not be able to
    function.
  • Dynamic Assignment - Client will send a
    DHCPDecline in response to the DHCP server's offer.
    The DHCP server will mark the address as a
    BAD_ADDRESS and the client will start the process
    of obtaining an address from scratch.
  • By default the client will emit three ARP
    requests. This can be controlled by changing the
    following registry key:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpRetryCount
    (REG_DWORD), value range 1-3
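Both checks from slides 15 to 20, as an added Python model that is not code from the presentation: the server pings a candidate address before leasing it and parks responders as BAD_ADDRESS; the client ARP-probes what it is offered and answers a conflict with DHCPDecline, which parks the address the same way. The set of hosts that answer on the wire, the scope range and the client ids are constructed for the example.

```python
# Added example, not from the original presentation: a model of the server-side
# (ICMP ping before lease) and client-side (ARP probe, DHCPDecline) duplicate
# checks.  "on_wire" is a constructed set of addresses that would answer an
# ICMP echo or an ARP probe, standing in for the real network.
from ipaddress import IPv4Address
from typing import Dict, Optional, Set


class DhcpScope:
    def __init__(self, first: str, last: str, conflict_detection: bool):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [IPv4Address(n) for n in range(lo, hi + 1)]
        self.leases: Dict[IPv4Address, str] = {}
        self.bad_addresses: Set[IPv4Address] = set()
        self.conflict_detection = conflict_detection  # off by default on Windows
        self.declines = 0

    def offer(self, client_id: str, on_wire: Set[IPv4Address]) -> Optional[IPv4Address]:
        """Next free address; with conflict detection on, ping it before leasing."""
        for addr in self.pool:
            if addr in self.leases or addr in self.bad_addresses:
                continue
            if self.conflict_detection and addr in on_wire:  # ICMP echo answered
                self.bad_addresses.add(addr)
                continue
            self.leases[addr] = client_id
            return addr
        return None

    def decline(self, addr: IPv4Address) -> None:
        """DHCPDecline: the client's ARP probe was answered, quarantine the address."""
        self.leases.pop(addr, None)
        self.bad_addresses.add(addr)
        self.declines += 1

    def reclaim(self, addr: IPv4Address) -> None:
        self.bad_addresses.discard(addr)  # administrator returns it to the scope


def client_obtain(scope: DhcpScope, client_id: str, on_wire: Set[IPv4Address]) -> Optional[IPv4Address]:
    """Client side: ARP-probe each offer, decline it and start over if answered."""
    while (addr := scope.offer(client_id, on_wire)) is not None:
        if addr not in on_wire:
            return addr
        scope.decline(addr)
    return None


# Constructed scenario from slide 16: two hosts were given static addresses
# inside the range and the administrator forgot to exclude them.
STATIC_HOSTS = {IPv4Address("10.0.0.10"), IPv4Address("10.0.0.11")}


def run_scenario(conflict_detection: bool):
    scope = DhcpScope("10.0.0.10", "10.0.0.254", conflict_detection)
    got = client_obtain(scope, "client-a", STATIC_HOSTS)
    return str(got), sorted(str(a) for a in scope.bad_addresses), scope.declines
```

With conflict detection off the client ends up with 10.0.0.12 after two DHCPDecline round trips; with it on, the server parks both addresses itself and the first offer is already clean.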

21
Demo-Client Conflict Detection
  • In action
  • Network trace (DHCPNack, DHCPDecline)

22
Virtues of the DHCP client (DNS registration)
  • In a DDNS environment clients will update their
    respective resource records.
  • It is somewhat surprising to realize that the
    software responsible for the dynamic update of
    resource records is the DHCP Client Service.
  • Even if the service appears unused because the
    client is configured with a static IP, it still
    has the role of registering resource records.
  • If this service is disabled due to hardening, the
    RRs will not be registered.

23
Demo DHCP Client Service
  • Ipconfig /registerDNS
  • With and without DHCP Client Service UP

24
NETSH Commands for DHCP
  • Using the NETSH interface it is possible to
    configure every facet of the DHCP server.
  • For an extensive overview of NETSH (DHCP)
    commands, please visit the following location:
    http://technet2.microsoft.com/WindowsServer/en/Library/df9ecef3-7d85-49e6-a2aa-ff84a5bd3a391033.mspx

25
Demo - DHCP Backup and Restore
  • Netsh to move the database to another server
  • Copy settings to another server (standardization)
  • http://support.microsoft.com/?id=325473

26
DNS- Overview
  • The Domain Name System (DNS) is the main name
    resolution mechanism used by the TCP/IP protocol.
  • Name resolution is the process of translating a
    user friendly name to an unfriendly IP address.
  • Human beings are comfortable with remembering
    friendly names while they may feel uncomfortable
    when using unfriendly addresses thus a mechanism
    such as DNS is a necessity.

27
Danger: DHCP and DDNS
  • DNS is the map to a network: the records used by
    users point to IP addresses used by the systems.
  • DHCP can be used to update dynamic records in
    DNS.
  • In some cases the DHCP server will update records
    for pre-2000 clients, while in others it will
    update specific records for Windows 2000 or
    higher clients.
  • If records are updated fraudulently, users might
    be forwarded to incorrect resources.
  • To prevent such things DDNS (in AD integrated
    mode) places an ACL on each record and grants
    update privileges exclusively to the record's
    owner.

28
Danger: DHCP and DDNS
  • The ACL solution is perfect in the case of
    post-2000 clients, which register their own
    records.
  • Pre-2000 clients use the DHCP server to register
    their records, thus the owner of the records is
    the DHCP server.
  • Two issues are caused by this:
  • If the client is replaced with a post-2000
    system, it will not be able to update its own
    record.
  • If the client may acquire an IP address from more
    than one DHCP server (including a DHCP cluster),
    the record update process may be problematic.

29
Danger: DHCP and DDNS
  • To solve this issue a special group was provided:
    DNSUpdateProxy.
  • To use this group the DHCP server's computer
    account has to be added as a member of the
    group.
  • This group created one major issue:
  • Records created by a DHCP server that is a member
    of the group are created without an ACL.
  • So the problem was not solved - it was avoided.

30
Danger: DHCP and DDNS - Solution
  • To solve this problem, Windows 2000 SP2 and
    specifically Windows 2003 can be configured to
    use a specific user account to update records.
  • The advantage of using this account is that the
    records will be registered under one account thus
    each server will be able to update the records
    (specifically in a cluster scenario).

31
Demo: DHCP and DDNS
  • Configuring the user account
  • In action

32
Danger: DHCP, DDNS and DC
  • It is very important to understand why it is not
    advisable to install a DHCP server on a DC.
  • If the DHCP server is installed on a DC, the same
    computer account that has permissions on the DC's
    records is the account used by the DHCP server to
    register client records.
  • Thus a client that uses the DHCP server might
    abuse this privilege and attempt to change the
    DC's records.

33
Load Balancing with DNS
  • A load balancing system eases the load on a
    system by balancing out client requests among
    identical systems.
  • A smart load balancing system will also
    identify a failure among the identical systems
    and avoid forwarding requests to the failed one.
  • A DNS server can be used as a relatively simple
    load balancing system.

34
Load Balancing with DNS (Round Robin)
  • By employing Round Robin the DNS server can
    rotate the record it returns, thus creating a
    very primitive (yet functional) load distribution
    mechanism.
  • The load distribution mechanism created will not
    be aware of the failure of one of its members and
    it will keep on handing out the failed member's
    address.

35
Load Balancing with DNS (Round Robin)
Diagram: zone acme.com. with three records for www (10.0.0.1, 10.0.0.2,
10.0.0.3) on the DNS Server, pointing at servers 10.0.0.1, 10.0.0.2 and
10.0.0.3.
36
Demo- Load Balancing with DNS (Round Robin)
  • Configuration
  • Client side

37
DNS - Optimizing Client access to resources
  • If multiple A records match the query sent to a
    DNS server, it can reorder the records by their
    subnet location.
  • By using this method the client will access the
    record that exists on its own subnet.
  • This process will optimize access to servers.
  • If both Round Robin and Netmask Ordering are
    enabled, Netmask Ordering takes precedence.

38
DNS - Optimizing Client access to resources
Diagram: zone acme.com. with three records for www (10.1.0.1, 10.2.0.2,
10.3.0.3) on the DNS Server; the servers sit on 10.1.0.1/16, 10.2.0.2/16 and
10.3.0.3/16, and the querying client is 10.3.0.100/16.
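Round Robin and Netmask Ordering from slides 34 to 38, as an added Python model that is not code from the presentation: the answer for www is rotated on every query, records on the client's own subnet are moved to the front, and when both are on the netmask step is applied last so that it takes precedence. The /24 match width is an assumption (the real server's mask is configurable); the records are the ones on slide 38.

```python
# Added example, not from the original presentation: how a DNS server orders
# the three www.acme.com A records.  Round robin rotates the answer on every
# query; netmask ordering moves records on the client's own subnet to the
# front and, when both are on, runs last so it wins.  Note that neither step
# knows whether a server is actually up: a failed member keeps being returned.
# Assumption: "same subnet" is judged with a /24 mask (prefix is configurable).
from ipaddress import IPv4Address, IPv4Network
from typing import List

WWW_RECORDS = ["10.1.0.1", "10.2.0.2", "10.3.0.3"]   # zone acme.com., name www


class AnswerOrdering:
    def __init__(self, records: List[str], round_robin: bool = True,
                 netmask_ordering: bool = True, prefix: int = 24):
        self.records = list(records)
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.prefix = prefix
        self._rotation = 0

    def answer(self, client_ip: str) -> List[str]:
        """Return the A records in the order the server would send them."""
        order = list(self.records)
        if self.round_robin:
            k = self._rotation % len(order)
            order = order[k:] + order[:k]       # rotate one place per query
            self._rotation += 1
        if self.netmask_ordering:
            net = IPv4Network(f"{client_ip}/{self.prefix}", strict=False)
            local = [r for r in order if IPv4Address(r) in net]
            order = local + [r for r in order if r not in local]
        return order


if __name__ == "__main__":
    server = AnswerOrdering(WWW_RECORDS)
    print(server.answer("10.3.0.100"))   # 10.3.0.3 first, then the rotation
    print(server.answer("10.3.0.100"))   # still 10.3.0.3 first
    print(server.answer("192.168.1.5"))  # no local match: plain round robin
```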
39
Netmask Ordering at the Client Side
  • The Netmask Ordering feature is enabled both on
    the server and the client.
  • To disable it on the client, edit the following
    registry entry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\PrioritizeRecordData
    - set it to 0

40
Demo - Optimizing Client access to resources
  • Configuration
  • Client access
  • Disabling Netmask Ordering on the client side

41
DNS Scavenging
  • Since DNS uses a dynamic mechanism for
    registering resource records, after a while
    resource records might become stale.
  • If a zone is not cleaned the following issues
    might appear:
  • Outdated records are used to answer client
    requests
  • Zone transfers take longer since zones are larger
  • Unneeded disk space is used

42
DNS Scavenging - 3 locations
  • To enable Resource Record scavenging the
    following must be configured
  • Automatic Scavenging for the server should be
    enabled and the interval for the process should
    be specified.
  • Lifetime values for specific zones or the server
    should be set.

43
Demo-DNS Scavenging
  • Configuring DNS scavenging
  • Configuring resource aging

44
DNS and the command line
  • There are several command line tools that can
    be used in conjunction with DNS:
  • NSLOOKUP - In essence this tool is a stripped down
    DNS resolver. It shows the user the information
    the resolver is provided with.
  • DNSCMD - Enables the configuration of the DNS
    service from the command line.
  • DNSLINT - An all-round tool for testing DNS zones
    and the DNS environment.

45
DEMO-DNS Tools
  • DNSCMD
  • DNSLINT
  • http://www.dnsstuff.com/

46
Internet Authentication Service: Overview
  • Currently a large number of connection methods
    (in addition to direct access) to corporate
    networks exist:
  • VPN
  • Wireless Access Points
  • Different vendors provide different Network
    Access Server (NAS) equipment.
  • Since each NAS comes from a different vendor, a
    consolidated manner of implementing the three As
    of security (authentication, authorization and
    accounting) was necessary.

47
Internet Authentication Service: RADIUS
  • The obstacle of diversity has been overcome by
    the adoption of the Remote Authentication Dial-In
    User Service (RADIUS) protocol.
  • The RADIUS protocol provides a standardized way
    of passing authentication data to one centralized
    database.
  • The Internet Authentication Service is the RADIUS
    server implementation by Microsoft.

48
Internet Authentication Service: Mode of Operation
Diagram: the RADIUS server (IAS) sits alongside the DHCP and DNS servers;
the network access servers (Departmental Switch, VPN/Dial-Up, Wireless
Access Point) talk RADIUS to it.
49
The future: NAP!!
  • Network Access Protection (NAP) is a policy
    enforcement platform built into the Microsoft
    Windows Vista and Windows Server "Longhorn"
    operating systems.
  • With Network Access Protection, customized
    health policies can be created to validate
    computer health before allowing access or
    communication on the network.

50
Books, Links, Resources
  • The TCP/IP Guide: A Comprehensive, Illustrated
    Internet Protocols Reference - Charles Kozierok
  • Microsoft Windows Server 2003 TCP/IP Protocols
    and Services Technical Reference - Joseph Davies,
    Thomas Lee
  • Internetworking with TCP/IP Vol. 1: Principles,
    Protocols, and Architecture (4th Edition) -
    Douglas E. Comer

51
Summary
  • Networking services are not dead!
  • Networking services provide the foundation of
    every client facing application.
  • Correct and efficient configuration of the
    services described in this session will guarantee
    a healthy networking environment.

52
  • Thank You!!!

53
The Nomad (Temp Name)
  • One of the benefits of using DHCP is the ability
    to have clients move among networks without a
    need for manual intervention.
  • On the other hand this benefit poses a challenge.
    Considering the fact that IP addresses are leased
    for a period of time, and coupling that with a
    DHCP client's behavior upon startup, we are in for
    a ride as we will see later on.

54
The Nomad- Issues
  • Let's have a closer look at the behavior that may
    cause some issues for nomadic users:
  • Lease - The DHCP server leases IP configuration
    information to its clients for a period of
    time. This period of time is useful in case of a
    DHCP server crash. Clients that have already
    leased an address do not need the server for the
    lease period and they can continue functioning on
    the network even if the DHCP server is down.
  • Startup - When a DHCP client starts up it attempts
    to renew its TCP/IP configuration (directly). If
    the server is unavailable (and the client's lease
    is still valid) the client will keep on using the
    TCP/IP settings it previously used.

55
The Nomad - Issues
Diagram: a DHCP Server serving the 10.0.0.0 and 20.0.0.0 networks (hosts
shown at 10.0.0.2, 10.0.0.5 and 20.0.0.5); a client asking "IP info?" holds
10.0.0.11, DG 10.0.0.5, lease length 8 days.
Scope 10.0.0.0: Range 10.0.0.10-254, SM 255.255.255.0, DG 10.0.0.5,
Lease length 8 days.
56
New York! New York!
