Title: INF314 Journey into the Mysteries of Windows Server 2003 Networking Services
Slide 1: INF314 Journey into the Mysteries of Windows Server 2003 Networking Services
- Erik Rozman
- Mercury Interactive
Slide 2: Agenda
- The importance of Networking Services
- DHCP
  - Overview
  - Using scope options
  - Superscopes (usage of multiple scopes)
  - Detecting duplicates (server-side/client-side)
  - The virtues of the DHCP client service
- DNS
  - Overview
  - Mixing DDNS and DHCP
  - Using DNS as a load balancer
  - Cleaning up the information
  - DNS and the command line
- IAS
  - Overview
- Is There a Future for Infrastructure Services?
  - NAP Overview
Slide 3: Infrastructure Services - The untold story
- How do you define a modern network?
- Infrastructure services provide the foundation for all services provided by a computer network.
- Infrastructure services may be your friend or foe; it all depends on how you treat them.
Slide 4: Strong Foundations - Strong Structure
Figure: the layered stack, top to bottom (the slide's "OOPS!! Bye Bye" annotation marks the client-facing layer failing when a layer beneath it breaks):
- Client Facing Applications: Exchange, File Servers, etc.
- Networking Services: DHCP, DNS, WINS, IAS, etc.
- Operating System: Permissions, Registry, etc.
- Hardware Components: Servers, routers, switches, cabling, etc.
Slide 5: DHCP - Basic process
- DHCP is a protocol that eases the distribution of IP addresses.
- The major advantage of DHCP is that it takes care of a relatively tedious chore automatically and relatively safely.
- DHCP can be more than meets the eye, for better and for worse.
Figure: the four-message exchange, each sent as a broadcast: DHCPDiscover, DHCPOffer, DHCPRequest, DHCPAck.
Slide 6: Providing different options in the same scope
- In some cases you might need to provide different options to different clients that use the same scope.
- This might be useful in the following situations:
  - Preventing access to internal networks for unauthorized systems
  - Providing access to different services on the same subnet
- To solve this issue a method that differentiates clients has to be established.
- This can be achieved by using User Class options.
Slide 7: User Class
- Each DHCP client has a User Class.
- The default User Class is an empty one (none).
- When a client requests information from a DHCP server it presents its User Class.
- The server will provide only the options defined for the User Class presented.
Figure: a single scope, 10.0.0.0 (range 10.0.0.10-254, SM 255.255.255.0), carries DG 10.0.0.3 for the default class and DG 10.0.0.2 for the Corporate User Class. A Corporate client (presenting "Corporate") and a Guest client on the Conference Room VLAN both ask "IP info?"; the Corporate VLAN (20.0.0.2, 20.0.0.3) is shown alongside.
Slide 8: Configuring a User Class
- To be able to use a User Class it has to be configured both on the client and the server.
  - Server: a User Class has to be configured and a keyword to be used as the identifier has to be set.
  - Client: has to be configured to provide the User Class identifier when requesting DHCP settings.
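The matching step behind the two slides above (the client presents an identifier, the server hands back only the options defined for it), as an added example that is not part of the presentation: a parser for the DHCP option field followed by the per-class option lookup. The scope values mirror the User Class figure; `parse_options`, `options_for_client` and `build_request` are hypothetical names, and the example assumes the client sends option 77 as the raw identifier string, as Windows clients configured with ipconfig do.

```python
# Added example, not from the presentation: parse a DHCP client's option field
# and hand back the scope options that match the User Class it presents.
# Option wire format (RFC 2132) is code, length, data; 53 = message type,
# 77 = User Class, 255 = end. Assumption: the client sends option 77 as the
# raw identifier string, as Windows clients configured with ipconfig do.
OPT_PAD, OPT_MSG_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_options(field: bytes) -> dict:
    """Return {option code: raw data} for the option field after the cookie."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, parsed = len(MAGIC_COOKIE), {}
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = field[i + 1]
        parsed[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return parsed

# Constructed scope options keyed by User Class identifier; "" is the default
# (empty) class. Values follow the figure: DG 10.0.0.3 by default, 10.0.0.2
# for clients presenting the "Corporate" class.
SCOPE_OPTIONS = {
    "": {"router": "10.0.0.3", "subnet_mask": "255.255.255.0"},
    "Corporate": {"router": "10.0.0.2", "subnet_mask": "255.255.255.0"},
}

def options_for_client(field: bytes, scope=SCOPE_OPTIONS) -> dict:
    """Pick the option set for the presented User Class. A client that presents
    no class, or an unknown one, gets the default set: the identifier is the
    only thing the server can go by, since DHCP has no authentication."""
    user_class = parse_options(field).get(OPT_USER_CLASS, b"")
    return scope.get(user_class.decode("ascii", "replace"), scope[""])

def build_request(user_class: str = "") -> bytes:
    """Constructed DHCPRequest option field (message type 3) for testing."""
    field = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 3])
    if user_class:
        data = user_class.encode("ascii")
        field += bytes([OPT_USER_CLASS, len(data)]) + data
    return field + bytes([OPT_END])
```

Because the identifier is a plain string any client can set, it separates client populations for convenience, not for access control.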
Slide 9: Demo - User Class in Action
- User Class Configuration (GUI/Scripting)
  - Server-side
  - Client-side
- Displaying how the settings affect clients
Slide 10: One Scope will Rule Them All - Multiple Scopes
- DHCP provides IP configuration information to un-configured clients.
- The DHCP protocol does not provide an authentication mechanism, thus the server has no method of identifying a client.
- What happens when a server has multiple scopes configured and it receives a request? Which scope does it use?
Slide 11: One Scope will Rule Them All
Figure: a DHCP server (IP 20.0.0.2, SM 255.255.255.0) holds two scopes: Scope 10.0.0.0 (range 10.0.0.10-254, SM 255.255.255.0, DG 10.0.0.3) and Scope 20.0.0.0 (range 20.0.0.10-254, SM 255.255.255.0, DG 20.0.0.3). Clients on the 20.0.0.0 and 10.0.0.0 networks (20.0.0.11, 10.0.0.11) each ask "IP info?"; the 10.0.0.0 network reaches the server through a DHCP Relay Agent shown with 10.0.0.5 and 20.0.0.5.
Slide 12: Demo - Multiple Scopes
- Demonstrating the process when multiple scopes are used
  - Server
  - Client
  - Network trace
Slide 13: Superscopes
- In some cases it is beneficial to override the default behavior of DHCP when multiple scopes are used.
- If addresses from multiple scopes have to be assigned, a Superscope has to be configured.
- A Superscope is a container for multiple scopes; addresses will be assigned from the first scope to the last without discrimination.
Slide 14: Demo - Superscopes
- Configuration
- Mode of operation
Slide 15: Detecting Duplicates
- A TCP/IP based network has one cardinal rule: no two hosts can use the same IP address.
- In the case of two hosts that are configured with the same IP address, the 2nd host to start up will not be able to function in the network (on most TCP/IP implementations).
- Since a DHCP server uses a database to track leased addresses it should not encounter such issues, yet the world is not perfect.
Slide 16: Detecting Duplicates
- Duplicate IP addresses may appear on a network for a myriad of reasons, just to name a few:
  - A user configures a static IP address that is used in a scope.
  - An administrator forgets to exclude an address he used in a static configuration.
  - A DHCP server has to be replaced with a new one.
- To avoid this issue the DHCP server has a built-in mechanism that should identify addresses that are already used and prevent them from being leased.
Slide 17: Detecting Duplicates - DHCP Server
- The DHCP server has a built-in mechanism that can check if an address that is about to be leased is in use.
- It does so by pinging (ICMP) the address that it is about to lease. If the DHCP server receives an answer from the address it will not lease it.
- In addition to that it will mark it as a BAD_ADDRESS, rendering the IP address unusable until an administrator returns it to the scope.
- The Conflict Detection feature is disabled by default.
Slide 18: Demo - Conflict Detection
- Configuration of Conflict Detection on the server
- In action (returning the address to the scope)
- Network trace (showing the ICMP messages)
Slide 19: Detecting Duplicates - Client Side
- As stated earlier, if two clients were assigned the same IP address the 2nd client to start will not be able to use the TCP/IP stack to communicate.
- This is achieved by a mechanism that is built into the TCP/IP stack.
- When a client is assigned an IP address (static or dynamic), before it starts to use it, the client will send out an ARP query for the address.
Slide 20: Detecting Duplicates - Client Side
- If the ARP query is answered the client assumes that the address is already being used and it relinquishes it:
  - Static Assignment: the client will not be able to function.
  - Dynamic Assignment: the client will send a DHCPDecline in response to the DHCP server's offer. The DHCP server will mark the address as a BAD_ADDRESS and the client will start the process of obtaining an address from scratch.
- By default the client will emit three ARP requests. This can be controlled by changing the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpRetryCount (REG_DWORD), value range 1-3.
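The server-side ping check and the client-side ARP check from the conflict detection slides above, as an added example that is not part of the presentation: a runnable model of both checks with the network probes injected, so it shows how an address ends up as BAD_ADDRESS, why a DHCPDecline parks it too, and what the administrator's reclaim does. `Scope`, `offer`, `decline`, `reclaim` and `client_probe` are hypothetical names, not Windows APIs; the retry counts model the server's conflict detection attempts (0 = off, the default) and the client's ArpRetryCount.

```python
# Added example, not from the presentation: a runnable model of the two
# duplicate-address checks described above. The ICMP ping and ARP probe are
# injected callables so the model runs offline; `Scope` and `client_probe`
# are hypothetical names, not Windows APIs.
from typing import Callable, Dict, List

BAD_ADDRESS = "BAD_ADDRESS"

class Scope:
    """One DHCP scope: free pool, active leases and parked BAD_ADDRESS entries."""
    def __init__(self, addresses: List[str], detect_conflict_retry: int = 0):
        self.free = list(addresses)          # handed out in pool order
        self.leases: Dict[str, str] = {}     # address -> client id
        self.bad: Dict[str, str] = {}        # address -> BAD_ADDRESS
        # Number of pings before an address is leased; 0 means Conflict
        # Detection is off, which is the default on the server.
        self.retry = detect_conflict_retry

    def offer(self, client: str, ping: Callable[[str], bool]) -> str:
        """Server side: ping the candidate up to `retry` times. Any reply marks
        it BAD_ADDRESS and the next free address is tried instead."""
        while self.free:
            candidate = self.free.pop(0)
            if any(ping(candidate) for _ in range(self.retry)):
                self.bad[candidate] = BAD_ADDRESS
                continue
            self.leases[candidate] = client
            return candidate
        raise RuntimeError("scope exhausted")

    def decline(self, client: str, address: str) -> None:
        """Client side found the address in use and sent DHCPDecline: the
        server parks it as BAD_ADDRESS and the client starts over."""
        if self.leases.get(address) == client:
            del self.leases[address]
            self.bad[address] = BAD_ADDRESS

    def reclaim(self, address: str) -> None:
        """An administrator returns a BAD_ADDRESS to the scope."""
        if self.bad.pop(address, None) is not None:
            self.free.append(address)

def client_probe(address: str, arp_probe: Callable[[str], bool],
                 arp_retry_count: int = 3) -> bool:
    """Client side: send ArpRetryCount (default 3, valid range 1-3) ARP queries
    for the new address before using it. True means no one answered."""
    tries = max(1, min(arp_retry_count, 3))
    return not any(arp_probe(address) for _ in range(tries))
```

Note that with the server default of 0 retries a duplicate is only caught by the client's ARP probe, and that every parked BAD_ADDRESS shrinks the usable pool until someone reclaims it, so the BAD_ADDRESS list is worth monitoring.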
Slide 21: Demo - Client Conflict Detection
- In action
- Network trace (DHCPNack, DHCPDecline)
Slide 22: Virtues of the DHCP client (DNS registration)
- In a DDNS environment clients will update their respective resource records.
- It is somewhat surprising to realize that the software responsible for the dynamic update of resource records is the DHCP Client Service.
- Even if the service is not being used for address assignment, because the client is configured with a static IP, it still has the role of registering resource records.
- If this service is disabled due to hardening, RRs will not be registered.
Slide 23: Demo - DHCP Client Service
- Ipconfig /registerDNS
- With and without the DHCP Client Service up
Slide 24: NETSH Commands for DHCP
- Using the NETSH interface it is possible to configure every facet of the DHCP server.
- For an extensive overview of NETSH (DHCP) commands, please visit the following location: http://technet2.microsoft.com/WindowsServer/en/Library/df9ecef3-7d85-49e6-a2aa-ff84a5bd3a391033.mspx
Slide 25: Demo - DHCP Backup and Restore
- Netsh to move the db to another server
- Copy settings to another server (standardization)
- http://support.microsoft.com/?id=325473
Slide 26: DNS - Overview
- The Domain Name System (DNS) is the main name resolution mechanism used by the TCP/IP protocol suite.
- Name resolution is the process of translating a user-friendly name to an unfriendly IP address.
- Human beings are comfortable remembering friendly names while they may feel uncomfortable using unfriendly addresses, thus a mechanism such as DNS is a necessity.
Slide 27: Danger - DHCP/DDNS
- DNS is the map to a network: the records used by users point to IP addresses used by the systems.
- DHCP can be used to update dynamic records in DNS.
- In some cases the DHCP server will update records for pre-2000 clients, while in others it will update specific records for Windows 2000 or higher clients.
- If records are updated fraudulently, users might be forwarded to incorrect resources.
- To prevent such things DDNS (in AD-integrated mode) places an ACL on each record and allows update privileges exclusively to the record's owner.
Slide 28: Danger - DHCP/DDNS
- The ACL solution is perfect in the case of post-2000 clients, which register their own records.
- Pre-2000 clients use the DHCP server to register their records, thus the owner of the records is the DHCP server.
- Two issues are caused by this:
  - If the client is provided with a new system that is post-2000, it will not be able to update its own record.
  - If the client may be able to acquire an IP address from more than one DHCP server, the record update process may be problematic, including in a DHCP cluster.
Slide 29: Danger - DHCP/DDNS
- To solve this issue a special group was provided: DNSUpdateProxy.
- To use this group the DHCP server's computer account had to be added as a member of the group.
- This group created one major issue:
  - Records created by a DHCP server that is a member of the group are created without an ACL.
- So the problem was not solved, it was avoided.
Slide 30: Danger - DHCP/DDNS - Solution
- To solve this problem, Windows 2000 SP2 and specifically Windows 2003 can be configured to use a specific user account to update records.
- The advantage of using this account is that the records will be registered under one account, thus each server will be able to update the records (specifically in a cluster scenario).
Slide 31: Demo - DHCP/DDNS
- Configuring the user account
- In action
Slide 32: Danger - DHCP/DDNS/DC
- It is very important to understand why it is not advisable to install a DHCP server on a DC.
- If the DHCP server is installed on a DC, the same computer account that has permissions on the DC's record is the account used by the DHCP server.
- Thus a client that uses the DHCP server might abuse this privilege and might attempt to change the DC's records.
Slide 33: Load Balancing with DNS
- A load balancing system eases the load on a system by balancing out client requests among identical systems.
- A smart load balancing system will also identify a failure among the identical systems and avoid forwarding requests to it.
- A DNS server can be used as a relatively simple load balancing system.
Slide 34: Load Balancing with DNS (Round Robin)
- By employing Round Robin the DNS server can rotate the records it returns, thus creating a very primitive (yet functional) load distribution mechanism.
- The load distribution mechanism created will not be aware of the failure of one of its members and it will keep on distributing its address.
Slide 35: Load Balancing with DNS (Round Robin)
Figure: zone acme.com. holds three records, www 10.0.0.1, www 10.0.0.2 and www 10.0.0.3; the DNS server answers for three web servers at 10.0.0.1, 10.0.0.2 and 10.0.0.3.
Slide 36: Demo - Load Balancing with DNS (Round Robin)
- Configuration
- Client side
Slide 37: DNS - Optimizing Client access to resources
- If multiple A records match the query sent to a DNS server, it can reorder the records by their subnet location.
- By using this method the client will access the record that exists on its own subnet.
- This process will optimize access to servers.
- If both Round Robin and Netmask Ordering are enabled, Netmask Ordering takes precedence.
Slide 38: DNS - Optimizing Client access to resources
Figure: zone acme.com. holds www 10.1.0.1, www 10.2.0.2 and www 10.3.0.3; the web servers sit on 10.1.0.1/16, 10.2.0.2/16 and 10.3.0.3/16 and the querying client is 10.3.0.100/16, so the DNS server returns 10.3.0.3 first.
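The ordering rules from the Round Robin and Netmask Ordering slides, as an added example that is not part of the presentation: a small model of how the answer list for a multi-address name is built when either or both features are on, using the zone from the figure. `DnsServer` and `answer` are hypothetical names; the model assumes a /16 netmask for "same subnet" (the figure's networks) and applies one rotation counter per name, which simplifies the real server's behaviour but preserves the rule that Netmask Ordering takes precedence.

```python
# Added example, not from the presentation: how a multi-address answer is
# ordered with Netmask Ordering and Round Robin. Simplified model: records on
# the client's subnet are moved to the front (Netmask Ordering wins), and
# Round Robin rotates each group by the number of queries seen for the name.
import ipaddress
from typing import List

# Constructed zone data mirroring the slide: acme.com. www -> three hosts
ZONE = {"www.acme.com.": ["10.1.0.1", "10.2.0.2", "10.3.0.3"]}

class DnsServer:
    def __init__(self, zone=ZONE, prefixlen: int = 16,
                 round_robin: bool = True, netmask_ordering: bool = True):
        self.zone = zone
        self.prefixlen = prefixlen        # "same subnet" width; /16 assumed here
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.counter = {}                 # per-name rotation state

    def _rotate(self, records: List[str], n: int) -> List[str]:
        """Round Robin: rotate the list by the query count for the name."""
        if not self.round_robin or len(records) < 2:
            return records
        k = n % len(records)
        return records[k:] + records[:k]

    def answer(self, name: str, client_ip: str) -> List[str]:
        """Return the A records in the order the client would receive them."""
        records = list(self.zone.get(name, []))
        n = self.counter.get(name, 0)
        self.counter[name] = n + 1
        if not self.netmask_ordering:
            return self._rotate(records, n)
        client_net = ipaddress.ip_network(f"{client_ip}/{self.prefixlen}",
                                          strict=False)
        local = [r for r in records if ipaddress.ip_address(r) in client_net]
        remote = [r for r in records if r not in local]
        # Netmask Ordering takes precedence: local addresses always come
        # first; Round Robin only rotates inside each group.
        return self._rotate(local, n) + self._rotate(remote, n)
```

Neither mode checks whether a listed host is alive, which is the failure-awareness gap the slides point out; a dead 10.3.0.3 would still be returned first to every 10.3.0.0/16 client.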
Slide 39: Netmask Ordering at the Client Side
- The Netmask Ordering feature is enabled both on the server and the client.
- To disable it on the client, edit the following registry entry:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\PrioritizeRecordData
  - set it to 0
Slide 40: Demo - Optimizing Client access to resources
- Configuration
- Client access
- Disabling Netmask Ordering on the client side
Slide 41: DNS Scavenging
- Since DNS uses a dynamic mechanism for registering resource records, after a while resource records might become stale.
- If a zone is not cleaned the following issues might appear:
  - Outdated records are used to answer client requests
  - Zone transfers are longer since zones are larger
  - Unneeded disk space is used
Slide 42: DNS Scavenging - 3 locations
- To enable Resource Record scavenging the following must be configured:
  - Automatic Scavenging for the server should be enabled and the interval for the process should be specified.
  - Lifetime values for specific zones or the server should be set.
Slide 43: Demo - DNS Scavenging
- Configuring DNS scavenging
- Configuring resource aging
Slide 44: DNS and the command line
- There are several command line tools that can be used in conjunction with DNS:
  - NSLOOKUP: in essence this tool is a stripped-down DNS resolver. It will provide the user with the information the resolver is provided with.
  - DNSCMD: enables the configuration of the DNS service using the command line.
  - DNSLINT: an all-around tool to enable the testing of DNS zones and environment.
Slide 45: Demo - DNS Tools
- DNSCMD
- DNSLINT
- http://www.dnsstuff.com/
Slide 46: Internet Authentication Service - Overview
- Currently a large number of connection methods (in addition to direct access) to corporate networks exist:
  - VPN
  - Wireless Access Points
- Different vendors provide different Network Access Server (NAS) equipment.
- Since each NAS comes from a different vendor, a consolidated manner of implementing the three As of security (authentication, authorization, accounting) was necessary.
Slide 47: Internet Authentication Service - RADIUS
- The obstacle of diversity has been overcome by the adoption of the Remote Authentication Dial-In User Service (RADIUS) protocol.
- The RADIUS protocol provides a standardized way of passing authentication data to one centralized database.
- The Internet Authentication Service is Microsoft's RADIUS server implementation.
Slide 48: Internet Authentication Service - Mode of Operation
Figure: the RADIUS (IAS) server sits beside the DHCP and DNS servers; a Departmental Switch, a VPN/Dial-Up server and a Wireless Access Point are the NAS devices that forward authentication requests to it.
Slide 49: The future - NAP!!
- Network Access Protection (NAP) is a policy enforcement platform built into the Microsoft Windows Vista and Windows Server "Longhorn" operating systems.
- With Network Access Protection, customized health policies can be created to validate computer health before allowing access or communication on the network.
Slide 50: Books, Links, Resources
- The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, Charles Kozierok
- Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference, Joseph Davies, Thomas Lee
- Internetworking with TCP/IP Vol. 1: Principles, Protocols, and Architecture (4th Edition), Douglas E. Comer
Slide 51: Summary
- Networking services are not dead!
- Networking services provide the foundation of every client facing application.
- Correct and efficient configuration of the services described in this session will guarantee a healthy networking environment.
Slide 52: (No Transcript)
Slide 53: The Nomad (Temp Name)
- One of the benefits of using DHCP is the ability to have clients move among networks without a need for manual intervention.
- On the other hand this benefit poses a challenge. Considering the fact that IP addresses are leased for a period of time, and coupling that with a DHCP client's behavior upon startup, we are in for a ride as we will see later on.
Slide 54: The Nomad - Issues
- Let's have a closer look at the behavior that may cause some issues for nomadic users:
  - Lease: the DHCP server leases IP configuration information to its clients for a period of time. This period of time is useful in case of a DHCP server crash. Clients that have already leased an address do not need the server for the lease period and they can continue functioning on the network even if the DHCP server is down.
  - Startup: when a DHCP client starts up it attempts to renew its TCP/IP configuration (directly). If the server is unavailable (and the client's lease is still valid) the client will keep on using the TCP/IP settings it previously used.
Slide 55: The Nomad - Issues
Figure: a DHCP server shown with 10.0.0.5 and 20.0.0.5 serves the 10.0.0.0 and 20.0.0.0 networks from Scope 10.0.0.0 (range 10.0.0.10-254, SM 255.255.255.0, DG 10.0.0.5, lease length 8 days); a client holding 10.0.0.11 (DG 10.0.0.5, lease length 8 days) asks "IP info?", and 10.0.0.2 is also shown.
Slide 56: New York! New York!
Slide 57: (No Transcript)
Slide 58: (No Transcript)