Installing, Configuring and Administering Windows 2000 Professional
120 minutes - 60 Questions - 620 Passing Score
Minimum requirements
Pentium 133 or greater.
64 MB RAM minimum (4GB Max)
650 MB Free disk space on partition that will contain the
system files. (1 GB recommended)
Professional supports up to 2 processors.
Features:
Windows 2000 Professional replaces Windows 95, 98 and NT 4.0 Workstation as the business
desktop. Professional supports upgrades from 95, 98 and NT 4.0,
meaning all applications and settings will be preserved.
Administrative tools can be added by running Adminpak.msi
from the Server CD.
No admin tools are available for NT or 9.x systems.
Increased Hardware Support (Plug and Play) - Windows 2000 brings back Plug and Play
in a more stable version than the one we see in Win9.x.
Dynamic Disks - Windows 2000
introduces dynamic disks. All disks are basic disks on
install. You can upgrade your disks from basic to dynamic
through the MMC. You can't go from dynamic back to basic
disks without repartitioning and losing your data. Dynamic
disks allow you to manage disks and volumes without having to
reboot. Dynamic disks are not readable by any other operating
systems that are installed on the same box.
Lightweight Directory Access Protocol (LDAP)
- Allows you to query objects in Active Directory. This
lets you do things like search for a computer, a
printer or a user.
Kerberos version 5 protocol -
In Kerberos authentication, a client is authenticated by a
Key Distribution Center (KDC) when it logs on to the network.
When the client needs to access a resource, the owner of that
resource contacts the KDC to verify that the client has
permission to access the resource, and the KDC issues a session
ticket. The next time the client accesses the resource, the
owner of the resource is able to authenticate the client
itself using this session ticket instead of going back to the
KDC, which cuts a lot of overhead out of the authentication
process.
Installation - Upon install,
only the partition that will be used to install Windows 2000
should be created. All other partitions should be created
later using the Disk Management Utilities as Windows 2000 has
additional features that will be available to disks created
with this utility.
No start-up floppies are created during the install. If you
wish to have the start-up floppies, you can run makeboot.exe
from the setup CD. This will create 4 setup floppies.
As in NT4.0, both winnt and winnt32.exe are available.
winnt is for straight DOS based machines. winnt32.exe is now
used for win9.x as well as NT systems.
Win9.x and NT will upgrade to Windows 2000 and keep all
settings.
WINNT
Performs an installation of or upgrade to Windows 2000.
winnt [/s:sourcepath] [/t:tempdrive]
[/u:answer file][/udf:id [,UDB_file]]
[/r:folder][/rx:folder][/e:command][/a]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. The
location must be a full path of the form x:\[path] or
\\server\share[\path].
/t:tempdrive
Directs Setup to place temporary files on the specified drive
and to install Windows 2000 on that drive. If you do not
specify a location, Setup attempts to locate a drive for you.
/u:answer file
Performs an unattended Setup using an answer file. The answer
file provides answers to some or all of the prompts that the
end user normally responds to during Setup. You must also use
/s.
/udf:id [,UDB_file]
Indicates an identifier (id) that Setup uses to specify
how a Uniqueness Database (UDB) file modifies an answer file
(see /u). The /udf parameter overrides values in
the answer file, and the identifier determines which values in
the UDB file are used. If no UDB_file is specified,
Setup prompts you to insert a disk that contains the $Unique$.udb
file.
/r:folder
Specifies an optional folder to be installed. The folder
remains after Setup finishes.
/rx:folder
Specifies an optional folder to be copied. The folder is
deleted after Setup finishes.
/e:command
Specifies a command to be executed at the end of GUI-mode
Setup.
/a
Enables accessibility options.
Winnt32
Sets up or upgrades Windows 2000 Server or Windows 2000
Professional. You can run the winnt32 command at a Windows 95,
Windows 98, or Windows NT command prompt.
winnt32 [/s:sourcepath] [/tempdrive:drive_letter]
[/unattend[num]:[answer_file]] [/copydir:folder_name]
[/copysource:folder_name] [/cmd:command_line]
[/debug[level]:[filename]] [/udf:id[,UDF_file]]
[/syspart:drive_letter] [/checkupgradeonly]
[/cmdcons] [/m:folder_name] [/makelocalsource]
[/noreboot]
Parameters
/s:sourcepath
Specifies the source location of the Windows 2000 files. To
simultaneously copy files from multiple servers, specify
multiple /s sources. If you use multiple /s
switches, the first specified server must be available or
Setup will fail.
/tempdrive:drive_letter
Directs Setup to place temporary files on the specified
partition and to install Windows 2000 on that partition.
/unattend
Upgrades your previous version of Windows 2000,
Windows NT 4.0, Windows NT 3.51, Windows 95, or Windows 98 in
unattended Setup mode. All user settings are taken from the
previous installation, so no user intervention is required
during Setup.
Using the /unattend switch to automate Setup affirms
that you have read and accepted the Microsoft License
Agreement for Windows 2000. Before using this switch to
install Windows 2000 on behalf of an organization other than
your own, you must confirm that the end user (whether an
individual, or a single entity) has received, read, and
accepted the terms of the Windows 2000 Microsoft License
Agreement. OEMs may not specify this key on machines being
sold to end users.
/unattend[num]:[answer_file]
Performs a fresh installation in unattended Setup mode. The
answer file provides Setup with your custom specifications.
Num is the number of seconds between the time that
Setup finishes copying the files and when it restarts your
computer. You can use num on any computer running
Windows NT or Windows 2000.
Answer_file is the name of the answer file.
/copydir:folder_name
Creates an additional folder within the folder in which the
Windows 2000 files are installed. For example, if the source
folder contains a folder called Private_drivers that has
modifications just for your site, you can type
/copydir:Private_drivers to have Setup copy that
folder to your installed Windows 2000 folder, making the new
folder location C:\Winnt\Private_drivers. You can use /copydir
to create as many additional folders as you want.
/copysource:folder_name
Creates a temporary additional folder within the folder in
which the Windows 2000 files are installed. For example, if
the source folder contains a folder called Private_drivers
that has modifications just for your site, you can type /copysource:Private_drivers
to have Setup copy that folder to your installed Windows 2000
folder and use its files during Setup, making the temporary
folder location C:\Winnt\Private_drivers. Unlike the folders
/copydir creates, /copysource folders are
deleted after Setup completes.
/cmd:command_line
Instructs Setup to carry out a specific command before the
final phase of Setup. This would occur after your computer has
restarted twice and after Setup has collected the necessary
configuration information, but before Setup is complete.
/debug[level]:[filename]
Creates a debug log at the level specified, for example,
/debug4:C:\Win2000.log. The default log file is C:\%Windir%\Winnt32.log,
with the debug level set to 2. The log levels are as follows:
0-severe errors, 1-errors, 2-warnings, 3-information, and
4-detailed information for debugging. Each level includes the
levels below it.
/udf:id[,UDB_file]
Indicates an identifier (id) that Setup uses to specify
how a Uniqueness Database (UDB) file modifies an answer file
(see the /unattend entry). The /udf parameter
overrides values in the answer file, and the identifier
determines which values in the UDB file are used. For example,
/udf:RAS_user,Our_company.udb overrides settings
specified for the RAS_user identifier in the Our_company.udb
file. If no UDB_file is specified, Setup prompts the
user to insert a disk that contains the $Unique$.udb file.
/syspart:drive_letter
Specifies that you can copy Setup startup files to a hard
disk, mark the disk as active, and then install the disk into
another computer. When you start that computer, it
automatically starts with the next phase of the Setup. You
must always use the /tempdrive parameter with the /syspart
parameter.
/checkupgradeonly
Checks your computer for upgrade compatibility with
Windows 2000. For Windows 95 or Windows 98 upgrades, Setup
creates a report named Upgrade.txt in the Windows installation
folder. For Windows NT 3.51 or 4.0 upgrades, it saves the
report to the Winnt32.log in the installation folder.
/cmdcons
Adds to the operating system selection screen a Recovery
Console option for repairing a failed installation. It is only
used post-Setup.
/m:folder_name
Specifies that Setup copies replacement files from an
alternate location. Instructs Setup to look in the alternate
location first and if files are present, use them instead of
the files from the default location.
/makelocalsource
Instructs Setup to copy all installation source files to your
local hard disk. Use
/makelocalsource when installing from a CD to
provide installation files when the CD is not available later
in the installation.
/noreboot
Instructs Setup to not restart the computer after the file
copy phase of winnt32 is completed so that you can execute
another command.
Unattended Installs - An unattended install can be run using the /unattend
switch, as in NT4.0.
Setup Manager will allow you to create the unattend.txt
file and the UDF file.
Sysdiff is still available for installing applications in an
unattended setup. The same switches are used that were used in
NT4.0.
Sysdiff /snap takes a snapshot of an image.
Sysdiff /diff creates a difference file after installing
applications.
Sysdiff /apply will apply the changes to the system that just
got the unattended install.
Sysprep strips the uniqueness out of a machine (SID,
computer name) so you can create an image. It adds a setup that
runs at the end of deploying the image to put in the specifics, or you
can use Sysprep to create a sysprep.inf file that supplies them. You will still
need identical hardware.
Remote Installation Services (RIS)
- Allows you to do remote installs to systems that support
network boot through the NIC. This is better than imaging
because it allows for Plug and Play, so you don't have the
strict hardware requirements. RIS is limited to installing
Windows 2000 Professional clients. A RIS server will have to
be available, and you must have DNS, DHCP and Active Directory
available. Like DHCP, RIS servers need to be authorized by an
Enterprise Admin to run on the network.
File Systems - Windows 2000
supports FAT16, FAT32, NTFS. Choose NTFS if you are only
running Windows 2000 on your system as it has many security
and performance improvements.
- FAT16 is necessary to dual boot Windows 2000 with DOS,
Win3.x, WIN95 or Win98.
- FAT32 could also be used to dual boot with Win2000 and
Win98.
- If you have an NT4 box that you want to dual boot with
Windows 2000, make sure the NT box has service pack 4 or
later or it will not be able to read an NTFS5 partition.
Windows 2000 NTFS advantages:
Disk Compression - NTFS5 offers disk compression. Windows 2000
Professional cannot read drives compressed with an earlier
operating system, so be sure to uncompress drives before
upgrading.
Disk Quotas - Windows 2000 features built-in disk
quota management. Users can be limited to a certain amount of
disk space on the file server on a volume-by-volume basis.
You can customize how much space each user gets and can configure warnings
when a certain amount is used. You can also prevent the
user from saving any additional data once their limit is reached.
Encrypting File System (EFS) -
allows files to be stored encrypted on the hard disk. This
protects against people booting from a floppy or logging into
a machine locally and gaining access to your files. They will
be denied access to the files as they will not have the proper
encryption key.
- Only files and folders on an NTFS volume can be
encrypted.
- Compressed files or folders cannot be encrypted.
- Encrypted files cannot be shared.
- Encrypted files will become unencrypted if copied or
moved to a non-NTFS volume.
- System files cannot be encrypted.
- Other than the user that encrypted the files, only a
designated recovery agent can unencrypt the files.
Sharing Data:
The main reason we have networks is for the sharing of data
and printers. Let's take a look at data sharing.
When a folder is shared, permissions are given to users that
need to access the folder. The two types of permissions are
Share level and NTFS permissions.
Share Level Permissions:
By default, the Everyone group is given Full Control
permissions when a folder is shared. Share level permissions
are only in effect when a folder is accessed over the
network. If a user logs on locally, share level permissions
have no effect; only NTFS permissions are in effect.
- Full Control - Allows the user to change permissions,
take ownership of NTFS files, and perform all tasks permitted by the
Change permission.
- Change - Create folders and add files, manipulate
data in files, change file attributes, delete folders and
files, and perform all tasks permitted by the Read permission.
- Read - Display names of folders and files,
display data and attributes of files, run program files,
and manipulate subfolders.
- These permissions can either be allowed or denied.
Share level permissions can be applied at the user or at the
group level. When a user attempts to access a shared folder,
all of the permissions for that user are combined. If a user
is in one group with Full Control, one group with Change and
the user himself has Read, the combined permission will be
the least restrictive, Full Control. Any time the user is
explicitly denied access, whether through a user or a group
permission, the denial overrides all other permissions. A user can
be in one group with Full Control, one group which is denied
access, and the user himself can have Change permissions; the
effective permission will be no access, as the denial overrides all
of the other permissions.
Always assign the most restrictive
permissions you can to a user. You don't want them to be able
to do anything more than they need to. The easiest and most
efficient way to assign permissions is to do it on a group
basis. If everyone in your accounting department needs
certain permissions to several folders, assign the permissions
to a group called Accounting; then when a new employee joins
the accounting team, all you have to do is place this
employee's user account in the Accounting group and all of
their permissions will be there.
Windows 2000 shares some folders by default for
administrative purposes. These shares show up with a $
after the name. The dollar sign signifies that the share is
hidden from the browse list, and these default administrative
shares are only accessible by users with administrative
rights. If you want to hide any of the shares that you
create, simply put a $ after the name (i.e. Share$).
NTFS Permissions:
When a volume is formatted with the NTFS file system, NTFS
permissions can be used to secure resources. NTFS permissions
allow you to assign permissions at the folder and file level,
while share permissions are limited to the folder level. NTFS
permissions are also a lot more granular than share level
permissions, allowing you to grant such things as traverse
folder, write attributes and much more.
Applying NTFS Permissions:
Users can be assigned permissions directly or can be put
into groups that have permissions assigned. All individual
permissions and group permissions are combined to find out the
user's effective permissions.
No access overrides all other permissions.
File permissions take precedence over folder permissions.
If you have no access to folder but have full control to a
file in that folder, you can still access the file using the
full UNC path to that file.
Combining Share and NTFS permissions.
When figuring permissions, look at share and NTFS
separately. Take the least restrictive share permission and
the least restrictive NTFS permission. Now take the most
restrictive of the two and that is your effective
permission.
ex.
Joe is in the Accounting group and also in the IT group.
The Accounting group has Full Control on the share 'RedSox'.
The IT group has Read access on the share 'RedSox'.
Joe's cumulative permissions on the share 'RedSox' would be
Full Control.
The Accounting group has Read NTFS permissions on the
directory 'RedSox'.
The IT group has Change NTFS permissions on the directory
'RedSox'.
Joe's cumulative NTFS permissions on the directory 'RedSox'
are Change.
Now we take the most restrictive of the two results, which is
Change; this is the access Joe has when accessing 'RedSox'
over the network.
Keep in mind that if Joe is logged on locally to the machine
holding the 'RedSox' directory, only NTFS permissions are
used and share permissions are disregarded. Share
permissions are only used when coming across the network
share.
Also keep in mind that if Joe is explicitly denied access
anywhere, he automatically gets no access regardless of what
other permissions he has elsewhere, with the exception of no
access to a folder but access to a file within the folder,
which can still be accessed through its UNC path.
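As an added illustration (not part of the original study guide), the combining rules above written out as a small Python calculator. The 'RedSox' sample ACLs, the function names and the numeric Read < Change < Full Control ranking are my own constructions; the rules they encode are the ones the text states.

```python
"""Effective-permission calculator for the share/NTFS model described above.

Constructed example for this study guide, not code from the original page.
Only the rules the text states are encoded: permissions combine to the least
restrictive allow, an explicit Deny overrides everything, the share result
and the NTFS result are then reduced to the more restrictive of the two, and
a local logon is governed by NTFS permissions alone.  Function names and the
sample ACLs are my own.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Least to most permissive, as the page orders the share permissions.
RANK = {"Read": 1, "Change": 2, "Full Control": 3}
NO_ACCESS = "No Access"

# One ACL entry: (permission, allowed). allowed=False is an explicit Deny.
Entry = Tuple[str, bool]
Acl = Dict[str, Entry]          # principal (user or group name) -> entry


def combine(entries: Iterable[Entry]) -> Optional[str]:
    """Combine every entry that applies to one user for ONE permission type.
    The least restrictive allow wins, but a single Deny gives No Access.
    Returns None when nothing applies to the user at all."""
    best: Optional[str] = None
    for perm, allowed in entries:
        if not allowed:
            return NO_ACCESS                      # Deny overrides all allows
        if best is None or RANK[perm] > RANK[best]:
            best = perm                           # keep the least restrictive
    return best


def applicable(acl: Acl, user: str, groups: Iterable[str]) -> List[Entry]:
    """Entries for the user plus every group the user belongs to."""
    return [acl[name] for name in (user, *groups) if name in acl]


def effective(share_acl: Acl, ntfs_acl: Acl, user: str, groups: List[str],
              over_network: bool = True) -> str:
    """Effective permission on a shared NTFS folder.  Over the network it is
    the MORE restrictive of the combined share and combined NTFS results;
    logged on locally, only the NTFS result counts."""
    ntfs = combine(applicable(ntfs_acl, user, groups))
    if not over_network:
        return ntfs or NO_ACCESS
    share = combine(applicable(share_acl, user, groups))
    if share in (None, NO_ACCESS) or ntfs in (None, NO_ACCESS):
        return NO_ACCESS
    return share if RANK[share] < RANK[ntfs] else ntfs   # lower rank = more restrictive


# Constructed sample ACLs reproducing the 'RedSox' example from the text.
SHARE_REDSOX: Acl = {"Accounting": ("Full Control", True), "IT": ("Read", True)}
NTFS_REDSOX: Acl = {"Accounting": ("Read", True), "IT": ("Change", True)}
JOE_GROUPS = ["Accounting", "IT"]

if __name__ == "__main__":
    print(effective(SHARE_REDSOX, NTFS_REDSOX, "Joe", JOE_GROUPS))                      # Change
    print(effective(SHARE_REDSOX, NTFS_REDSOX, "Joe", JOE_GROUPS, over_network=False))  # Change
    # Add an explicit Deny on the share for IT: Joe now gets No Access over the
    # network, but his local (NTFS-only) access is unchanged.
    denied = dict(SHARE_REDSOX, IT=("Read", False))
    print(effective(denied, NTFS_REDSOX, "Joe", JOE_GROUPS))                            # No Access
    print(effective(denied, NTFS_REDSOX, "Joe", JOE_GROUPS, over_network=False))        # Change
```

The last two calls show why the text warns that share permissions alone do not protect a folder: a Deny on the share does nothing for a user who logs on locally.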
By default the everyone group is given full control. This
should be removed or else anyone who is able to log on locally
to a system will have full control.
Permissions and Moving/Copying files on NTFS volumes:
When copying folders or files either from one partition to
another or on the same partition, the permissions will be
inherited from the target folder.
When moving files to another partition, the permissions
will be inherited from the target folder.
When moving files or folders on the same partition, the
permissions will remain intact. This is the only time
permissions are retained and not inherited.
One easy way to remember this is: MRS - Move Retains Same
(partition)
Whenever files are moved or copied to a FAT partition, all
permissions are lost, as FAT does not support NTFS permissions.
Windows Installer - The msiexec program is the client-side
component of the Windows Installer, used to install and upgrade
software. It works in conjunction with an .msi file, which is
the software package to be installed, and .mst files, which are
transform files. The transform file is applied to the .msi file
at publication to make any changes to the package; e.g. you can
use an .mst file to define only a portion of an application.
Transforms are applied to the .msi file at initial assignment;
they cannot be applied to an already installed application.
Authenticated Users need the Read and Apply Group
Policy ACEs (Access Control Entries) to be able to install
from the software distribution point.
Internet Printing - Windows 2000 brings us Internet based
printing. The Print server must be running IIS (Internet
Information Server) if it is a Windows 2000 Server or PWS
(Peer Web Services) if it is running Windows 2000
professional. IPP (Internet Printing Protocol) is used for
Internet printing. IPP is encapsulated within HTTP. Basic
Authentication must be used if you wish to support all
clients. Kerberos Authentication or Challenge/Response are
supported by IE (Internet Explorer). Printers can be managed
by any browser running IE4 or higher.
Recovery and Protection:
Like NT Workstation, Windows 2000 Professional does not
offer fault tolerance; only Windows 2000 Server and higher do.
Recovery Console - Windows 2000 has a recovery
console to help when you have trouble booting. The recovery
console is not installed by default. Install the recovery
console by running winnt32.exe /cmdcons from the I386
directory of the CD. You will now see an option to enter the
Windows 2000 recovery console at boot up. (or it can be run by
booting from the setup floppies or CD and choosing repair)
The recovery console is limited to administrators (you will be
authenticated when entering) and will allow you to do such
things as:
- Use, copy, rename or replace operating system files and
folders.
- Enable or disable services or devices from starting when
you next start your computer.
- Repair the file system boot sector or the Master Boot
Record (MBR).
- Create and format partitions on drives.
You are fairly restricted as to what you are able to do.
You cannot copy files to a floppy or removable media; you can only
copy them from the floppy or removable media to the hard drive.
Emergency Repair Disk (ERD) - Windows 2000 ERD's are
created through the backup program (you will see an option to
create an ERD on the welcome screen). RDISK (from NT4.0) is
no longer available. The repair process will attempt to
repair system files, the partition boot sector on your system
disk, and your startup environment if you have a dual boot
system. To run the repair process, boot either from the
Windows 2000 CD or from the setup floppies. Choose the
'repair or recover' option when prompted. Fast repair will
attempt to repair everything, manual repair will allow you to
choose.
Driver Signing - Microsoft digitally signs all
drivers that are qualified to run with Windows 2000. You have
the option to install only drivers that have been signed, see
a warning when drivers haven't been signed so you can decide
then, or never allow unsigned drivers to be installed. This
can be set from control panel, system on the hardware tab.
System File Checker - System File Checker (sfc.exe)
is a command line utility that scans and verifies the versions
of all protected system files after you restart your computer.
If System File Checker discovers that a protected file has
been overwritten, it retrieves the correct version of the file
from the %systemroot%\system32\dllcache folder,
and then replaces the incorrect file.
Windows File Protection - runs in the background and
watches for applications trying to replace your system files
such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. If an
application attempts to replace a system file with one that is
not signed, Windows file protection replaces it back with one
stored in dllcache and logs the attempt in the Event log.
There are 4 instances where File protection will allow the
files to be replaced:
- Windows 2000 Service Packs using Update.exe
- Hotfix distributions using Hotfix.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
Task Scheduler - allows you to automate running
commands, scripts or programs at a set time. This is accessed
through the scheduled tasks folder in control panel. It
offers the ability to choose a user account for each task.
Offline Files - Windows 2000 offers the ability to
use files offline. Any files that you set up to have
available offline will be there when you disconnect from the
network. Your permissions will be the same as if you were
connected to the network. When you connect back to the
network, the files are synchronized with the network.
Performance Monitor - This chart shows some of
the common counters and their acceptable ranges.
Resource | Object\Counter | Suggested threshold | Comments
Disk | PhysicalDisk\% Disk Time | 90% |
Disk | PhysicalDisk\Disk Reads/sec, PhysicalDisk\Disk Writes/sec | Depends on manufacturer's specifications | Check the specified transfer rate for your disks to verify that this rate doesn't exceed the specifications. In general, Ultra Wide SCSI disks can handle 50 I/O operations per second.
Disk | PhysicalDisk\Current Disk Queue Length | Number of spindles plus 2 | This is an instantaneous counter; observe its value over several intervals. For an average over time, use PhysicalDisk\Avg. Disk Queue Length.
Memory | Memory\Available Bytes | Less than 4 MB | Research memory usage and add memory if needed.
Memory | Memory\Pages/sec | 20 | Research paging activity.
Network | Network Segment\% Net Utilization | Depends on type of network | You must determine the threshold based on the type of network you are running. For Ethernet networks, for example, 30% is the recommended threshold.
Paging File | Paging File\% Usage | 99% | Review this value in conjunction with Available Bytes and Pages/sec to understand paging activity on your computer.
Processor | Processor\% Processor Time | 85% | Find the process that is using a high percentage of processor time. Upgrade to a faster processor or install an additional processor.
Processor | Processor\Interrupts/sec | Depends on processor. | A dramatic increase in this counter value without a corresponding increase in system activity indicates a hardware problem. Identify the network adapter causing the interrupts.
Transmission Control Protocol/Internet Protocol
(TCP/IP) - TCP/IP is the default protocol used with
Windows 2000. In the NT 4.0 world, TCP/IP was a separate
topic and exam. In the Windows 2000 world it has been incorporated
into the core exams, so expect to see it in every exam you sit.
History -
TCP/IP is a protocol suite designed for Wide Area Networks (WANs).
Originally used by the Department of Defense back in the late
60's, TCP/IP is now the common protocol used for the
Internet. All major operating systems offer support for
TCP/IP.
The standards for TCP/IP are published in a series of
documents called Requests for Comments (RFCs).
TCP/IP utilities
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts with one running FTP software.
Telnet - Provides Terminal Emulation to a TCP/IP host running
Telnet server software.
RSH - Remote Shell - runs commands on a UNIX host.
REXEC - Remote Execution - Runs a process on a remote
computer.
LPR - Line Printer Remote - Prints a file to a host running
the LPD Service.
LPQ - Line Printer Queue - Obtain status of a print queue on a
host running the LPD Service.
LPD - Line Printer Daemon - Services LPR requests and submits
print jobs to a printer device.
PING - Packet Internet Groper - Verifies that TCP/IP is
configured correctly and that another host is available.
IPCONFIG - Verifies TCP/IP information; with the /all switch
it will also show DHCP, DNS and WINS addresses. WINIPCFG is the
equivalent in Win9.x.
NSlookup - examines entries in the DNS database pertaining to
a particular host or domain.
Hostname - returns the local computers host name.
Netstat - Displays Protocol statistics and the current state
of TCP/IP connections.
NBTstat - Checks the state of current NetBIOS over TCP/IP
connections, updates LMHOSTS cache, determines registered
name.
Route - views or modifies the local routing table.
Tracert - verifies the route used from the local host to the
remote host.
ARP - Address Resolution Protocol - displays a cache of
locally resolved IP addresses to Media Access Control(MAC)
addresses.
Finger - Retrieves system info from a remote computer that
supports the TCP/IP finger service.
TCP/IP Address Properties.
IP Address - A 32-bit address used to uniquely
identify a TCP/IP host. The address has two parts: the
network ID and the host ID. The network ID identifies all
hosts that are on the same logical network. The host ID
identifies the host. Hosts can be workstations, servers,
routers, etc. A sample IP address is 24.128.102.7.
Let's compare this to the calendar. We have 12 networks:
January, February, March... On each network, we have hosts:
1, 2, 3, 4...
January 1 and January 14 are unique hosts on the same
network. March 4 and June 17 are on different networks.
Subnet Mask - Blocks part of the IP address
to distinguish the network ID from the Host ID. This will
determine if the TCP/IP clients are on the same network or on
a remote network. An example of a subnet mask is
255.255.255.0. An improper Subnet mask can cause
connectivity problems.
Default Gateway - If a packet is determined
not to be on the same network, it is sent to the default
gateway. This is usually a router. An incorrect default
gateway will produce errors when trying to communicate outside
of your network.
A TCP/IP client must at least have an IP address and a subnet
mask for communications to work.
A TCP/IP client must have a minimum of IP address, Subnet mask
and default gateway for TCP/IP to work through a router.
Hosts communicate by Media Access Control (MAC) address. If a
MAC address is not known then an ARP broadcast is sent out.
The destination hardware will respond with its MAC address and
its IP address and these are stored in the ARP cache. The ARP
cache is always checked before doing an ARP broadcast.
IP Addresses dissected.
The 32 bit IP Address is broken down into 4 8-bit fields
called octets separated by a period. Each octet represents a
number between 0 and 255.
To understand the addresses you must look at them in binary
form.
Bit | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1
Decimal (powers of 2) | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Let's look at IP address 24.128.102.7.
In binary form this would translate to:
24 = 00011000 (the bits at 16 + 8 are turned on)
128 = 10000000 (the bit at 128 is turned on)
102 = 01100110 (the bits at 64 + 32 + 4 + 2 are turned on)
7 = 00000111 (the bits at 4 + 2 + 1 are turned on)
00011000 . 10000000 . 01100110 . 00000111
The network portion of the IP address is on the left side. The
host portion is on the right side.
Which part is the Network and which is the
Host?
In the early days things were simple and IP addresses fell
into classes. Let's start with the default classful IP
addresses. Class A or /8(pronounced slash 8) network, Class B
or /16 network, Class C or /24 network.
Class A or /8 network.
The first 8 bits to the left (the first octet) are the
network ID and the next 24 bits (3 octets) are the host ID.
The first bit in a class A address is always set to zero, which
actually leaves us 7 bits to toggle for the network ID.
This leaves our first octet as 00000001 to 01111111, or 1 to
127.
The 127 network is reserved for the loopback addresses,
thus leaving us 1 to 126.
Class B or /16 network.
The first 16 bits (2 octets) to the left are the network ID
and the next 16 bits (2 octets) are the host ID. The first two
bits in a class B address are always set to 1-0, which actually
leaves us 14 bits to toggle for our network ID.
This leaves our first octet as 10000000 to 10111111, or 128
to 191.
Class C or /24 network.
The first 24 bits (3 octets) to the left are the network ID
and the next 8 bits (1 octet) are the host ID. The first three
bits in a class C address are always set to 1-1-0, which
actually leaves us 21 bits to toggle for our network ID.
This leaves our first octet as 11000000 to 11011111, or 192
to 223.
Class D network. Class D addresses are
reserved for multicasting. The first four bits in a class D
address are always set to 1-1-1-0.
This leaves our first octet as 11100000 to 11101111, or 224
to 239.
Class E network. Class E addresses are
reserved for future and experimental use. The first four bits
in a class E address are always set to 1-1-1-1.
This leaves our first octet as 11110000 to 11111111, or 240
to 255.
IP Address Class | Decimal Range | # Networks available 2^x-2 (1) | # Hosts available 2^y-2 (2)
Class A (/8) | 1 to 126 | 126 | 16777214
Class B (/16) | 128 to 191 | 16382 | 65534
Class C (/24) | 192 to 223 | 2097150 | 254
Class D | 224 to 239 | |
Class E | 240 to 255 | |
(1) - The number of available networks is determined by using
powers of 2. There are 2 possible positions for a bit:
on (1) and off (0). Keeping in mind that the first bit is always
set to 0, we have 7 bits left to toggle. This means that
there are 2^7 networks available for a Class A. By rule
(because some older routers can't route them) the all-0s and
all-1s networks are not used, which leaves us with 2^7-2
networks available for Class A. Using this same 2^x-2
formula we can determine the number of networks for Class B
and Class C. Remember that in Class B, the first two bits are
always set to 1-0, giving us 14 bits to toggle for a formula of
2^14-2. Remember that in Class C, the first three bits are
always set to 1-1-0, giving us 21 bits to toggle for a formula
of 2^21-2.
(2) - The number of hosts is derived using the same formula as
the number of networks. A Class A network uses 8 bits for the
network ID, leaving us 24 bits for the host ID. Using our
formula 2^24-2, we get 16777214. We can calculate the hosts
for Class B and Class C the same way.
I have two IP Addresses. Are they on the same
network?
To decide whether or not two IP addresses are on the same
network, we use a subnet mask. This is used to mask the
network portion of the IP Address. The network portion of the
IP address has a 1 in the corresponding bit of the subnet
mask. The host portion of the IP has a 0 in the corresponding
bit of the subnet mask. Let's take a look at the subnet mask
in binary form.
Class A addressing.
01110111 . 00100010 . 00010100 . 00010101 = 119.34.20.21
11111111 . 00000000 . 00000000 . 00000000 = 255.0.0.0 -
This is the default subnet mask for Class A networks.
01110111 . 00111000 . 00101011 . 01000000 = 119.56.43.64
In the above example, 119 is the network ID because it
corresponds with the bits turned on in the subnet mask. Both
of the above IPs are on the same network.
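As an added example (not part of the study guide), the Python below does what the class table and the mask walkthrough above do by hand: it classifies an address from the high-order bits of its first octet, evaluates the 2^x-2 and 2^y-2 counts, and ANDs two addresses with a mask to see whether their network IDs match, using the guide's 119.34.20.21 and 119.56.43.64 addresses. The CLASSES table and function names are constructed for this example.

```python
# Added example, not from the study guide: IPv4 class lookup and a
# same-network test using a subnet mask. Sample addresses are the guide's own.
from ipaddress import IPv4Address

# class -> (fixed leading bits, default mask, network-ID bits, host-ID bits)
CLASSES = {
    "A": ("0",    "255.0.0.0",     8,  24),
    "B": ("10",   "255.255.0.0",   16, 16),
    "C": ("110",  "255.255.255.0", 24, 8),
    "D": ("1110", None, None, None),   # reserved for multicast
    "E": ("1111", None, None, None),   # reserved for experimental use
}

def address_class(ip: str) -> str:
    """Classify by the high-order bits of the first octet (0, 10, 110, ...)."""
    first_octet = format(int(ip.split(".")[0]), "08b")
    for cls, (leading_bits, *_rest) in CLASSES.items():
        if first_octet.startswith(leading_bits):
            return cls
    raise ValueError(f"not a dotted-quad address: {ip}")

def usable_networks(cls: str) -> int:
    """2^x - 2, where x is the network-ID bits minus the fixed leading bits."""
    leading_bits, _mask, net_bits, _host_bits = CLASSES[cls]
    if net_bits is None:
        raise ValueError(f"class {cls} is reserved, no unicast networks")
    return 2 ** (net_bits - len(leading_bits)) - 2

def usable_hosts(cls: str) -> int:
    """2^y - 2, where y is the host-ID bits (all-0s and all-1s are reserved)."""
    host_bits = CLASSES[cls][3]
    if host_bits is None:
        raise ValueError(f"class {cls} is reserved, no unicast hosts")
    return 2 ** host_bits - 2

def default_mask(ip: str) -> str:
    return CLASSES[address_class(ip)][1]

def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """AND each address with the mask; equal results mean the same network ID."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(ip_a)) & m == int(IPv4Address(ip_b)) & m

if __name__ == "__main__":
    a, b = "119.34.20.21", "119.56.43.64"   # the guide's Class A example
    mask = default_mask(a)
    print(f"{a} is class {address_class(a)}, default mask {mask}")
    print(f"same network as {b}: {same_network(a, b, mask)}")
```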
Dynamic Host Configuration Protocol (DHCP)
– automatically assigns TCP/IP addresses and information to
client computers. The client requests an IP from the DHCP
server at startup. The DHCP server chooses an IP from a pool
and offers it to the client, along with the subnet mask,
default gateway, and many other optional items. If the client
accepts the offer the IP will be leased for a specified period
of time. A DHCP server must have a static IP address. Windows
2000 introduces us to authorized DHCP servers in which an
administrator has to give the OK for a DHCP server to run or
it will shut down its services. This prevents anyone from
setting up a DHCP server and handing out addresses that you
don't want. A scope is set up which is a range of valid IP
addresses that a DHCP server can assign. If you have multiple
DHCP servers, they must each have a unique scope to avoid
assigning duplicate IP addresses. You can have multiple scopes
on a DHCP server.
For redundancy, you should share part of
your scope with another DHCP server.
Ex. You have the subnet 222.222.222.x. You
can give a scope of 222.222.222.1 to 222.222.222.200 to your
primary DHCP server and a scope of 222.222.222.201 to
222.222.222.254 to a secondary server. This will allow clients
to obtain a lease if the primary DHCP server is down but will
avoid the leasing of duplicate IPs. Microsoft's
recommendation is to have 80% of the addresses in the primary
and 20% in the secondary. DHCP can also hand out many other
pieces of information including routers, DNS servers, and WINS
servers. These can be configured at a global level, scope
level or client level.
Automatic Private IP addressing (APIPA) - This is a
feature that Windows 2000 offers that is similar to a mini
DHCP server. If a computer is set up to use DHCP and a DHCP
server is not available, Windows 2000 assigns an IP address
from the private range 169.254.0.1 - 169.254.255.254 with a
subnet mask of 255.255.0.0. This can be quite useful in a
home office or small company as there is no need to set up a
DHCP server. It is quite limited, though, in that you don't get
a default gateway, so it is useless in a routed environment.
Another downside is that in a network in which the DHCP server
is unavailable a client will log on and won't get any error
messages, so it might make troubleshooting a bit more difficult
when they can't access network resources.
Windows Internet Name Service (WINS) -
WINS is responsible for resolving NetBIOS names to IP
addresses. When a WINS client boots up it announces itself to
the WINS server. The WINS server stores the name and IP of the
client in the database to hand out on future requests. This
enables you to connect to a server named Appsserver by name
instead of having to remember Appsserver’s IP address. The
WINS database is dynamic.
DNS (Domain Name System)
DNS is used to resolve fully qualified domain names (FQDN) to
IP addresses. i.e. CERTguide.com resolves to 24.128.102.7.
Windows 2000 uses DNS as its primary means of resolution
including locating domain controllers.
Lookup Zone Files
Forward Lookup Zone - resolves hostname to IP address
Reverse Lookup Zone - resolves IP address to hostname.
Hosts file - a manually updated text file that maps IP
addresses to host names. This is how resolution was done
before DNS.
DDNS (Dynamic DNS) - Windows 2000 includes DNS that is
dynamically updated to prevent having to manually keep the DNS
database current. When a Windows 2000 client boots up, it will
send its info straight to the DNS server to be added.
Windows 9.x and NT clients cannot pass their information
directly to the DNS server, so the DHCP server forwards their
information on their behalf to let them take advantage of
Dynamic DNS. Dynamic updates are configured at the zone level,
so you can choose to keep one or more zones manually updated if
you prefer.
RAS (Remote Access Service)
Windows 2000 supports several remote access protocols
including:
PPP (Point to Point Protocol) - most common Remote
Access protocol. Allows for multivendor environments.
SLIP (Serial Line Internet Protocol) - not supported on
the server, only the client. Mostly used for telnet.
Microsoft RAS - Clients must use NetBEUI. Server acts
as gateway to connect to NetBEUI, TCP/IP, or IPX/SPX.
ARAP (AppleTalk Remote Access Protocol) - A Windows
2000 server running ARAP can accept connections from Mac
clients.
Windows 2000 RAS supports several LAN protocols including:
TCP/IP
NetBEUI
NWlink
AppleTalk
Permissions can be set to allow access, deny access or control
through Remote Access Policy. (control through RAS policy only
available in native mode)
Caller ID can be enabled to check for a specific number before
accepting connection. (only available in native mode)
RAS can be configured to call user back at a specific number
to complete connection.
RAS can be set to assign a static IP address if a client
requires a specific IP.
Windows 2000 RAS supports multilink in which several
connections can be combined to increase bandwidth. Both
client and server need to have multilink enabled.
BAP (Bandwidth Allocation Protocol) - works with multilink to
provide bandwidth on demand by adding or dropping links as
needed.
Remote Access Authentication Protocols:
PAP (Password Authentication Protocol) - uses clear-text
passwords and provides little security.
SPAP (Shiva Password Authentication Protocol) - more
secure than PAP; used to connect Shiva LANRover clients to
Windows 2000. Medium security.
CHAP (Challenge Handshake Authentication Protocol) -
uses the industry-standard MD5 one-way hashing scheme to
protect the response. Highly secure.
MS-CHAP (Microsoft Challenge Handshake
Authentication Protocol) - one-way encrypted password. This
is enabled by default on a Windows 2000 server running RAS.
Highly secure.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication
Protocol v2) - strong encryption. Windows 2000 clients use
this by default for dial-up. Windows 2000, NT4 and Win98
clients use this by default for VPN. Highly secure.
EAP (Extensible Authentication Protocol) - client and
server negotiate the authentication method, which can include
MD5 username and password encryption, smart cards, token cards,
retina or fingerprint scanners and other third-party
authentication technologies.
Remote Access Data Encryption Protocols:
MPPE (Microsoft Point to Point Encryption) - Encrypts
data moving between a PPTP connection and a VPN server. Can
use 128-bit, 56-bit or 40-bit encryption.
IPSec (Internet Protocol Security)
- IPSec encrypts data traveling across the network. The
systems communicating via IPSec use keys to decipher data that
has been encrypted using algorithms. The key can be generated
by algorithms on the communicating systems themselves, so that
the key does not have to travel across the network. Key lengths
can be varied depending on how secure the data needs to be.
Keys can also be changed dynamically during a session, so that
if a key is captured and deciphered, the rest of the data is
still encrypted using a different key. IPSec can be forced on
users by using policies. IPSec communication can be assigned on
a group-to-group basis.
IP Addressing - RAS can hand out IP addresses using 3
methods:
Static IP address - IP address is configured on the
client. Not recommended because of the administration.
IP address range - assign a range of addresses to the
RAS server to give out.
DHCP addressing - RAS will get addresses for its
clients from a DHCP server. Highly recommended as there is
only one pool of IP addresses to maintain.
Remote Access Policies - RAS Policies consist of
Conditions, permissions and profile.
Conditions - Conditions include things like time, user
groups, IP addresses, caller ID's that must be matched for
client to connect.
Permissions - RAS policy permissions work in
conjunction with a user's dial-in permissions in Active
Directory. Dial-in permissions override RAS policy
permissions. i.e. The sales group is granted remote access
through a policy from 9:00 to 5:00. John, a member of the
sales group, is given 24-hour access in Active Directory. John
will have 24-hour access.
Profiles - This contains settings such as time limits,
authentication and encryption protocols.
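An added example (not from the study guide) that models the policy evaluation just described: conditions (group, time of day) must all match, and the user's Active Directory dial-in setting overrides the policy permission, as in the guide's sales group and John case. The RasPolicy and User structures, the user names and the policy are constructed for illustration.

```python
# Added example, not from the study guide: decide remote access from RAS
# policy conditions plus the user's Active Directory dial-in permission.
# Data structures, names and the policy are constructed for illustration.
from dataclasses import dataclass

@dataclass
class RasPolicy:
    name: str
    groups: set            # condition: caller must belong to one of these
    hours: range           # condition: hours of the day (24h) the policy covers
    grant: bool            # policy permission when all conditions match

@dataclass
class User:
    name: str
    groups: set
    # AD dial-in permission: "allow", "deny", or "policy" (control through policy)
    dial_in: str = "policy"

def policy_matches(policy: RasPolicy, user: User, hour: int) -> bool:
    """Every condition of a policy must match for the policy to apply."""
    return bool(user.groups & policy.groups) and hour in policy.hours

def remote_access_allowed(user: User, policies: list, hour: int) -> str:
    """Return 'allow' or 'deny' following the guide's rule: an explicit AD
    allow/deny wins over the policy permission; 'policy' defers to the first
    policy whose conditions match, and no matching policy means deny."""
    if user.dial_in in ("allow", "deny"):
        return user.dial_in
    for policy in policies:
        if policy_matches(policy, user, hour):
            return "allow" if policy.grant else "deny"
    return "deny"

# constructed sample data: sales group allowed 9:00 to 5:00 through policy
SALES_HOURS = RasPolicy("Sales business hours", {"sales"}, range(9, 17), True)
john = User("John", {"sales"}, dial_in="allow")   # 24-hour access set in AD
mary = User("Mary", {"sales"})                    # controlled through policy
dave = User("Dave", {"engineering"})              # no policy matches him

if __name__ == "__main__":
    for u in (john, mary, dave):
        print(u.name, "at 22:00 ->", remote_access_allowed(u, [SALES_HOURS], 22))
```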
IAS (Internet Authentication Service) - IAS in
conjunction with Routing and Remote Access Service provide
support for RADIUS (Remote Authentication Dial-in User
Service). RADIUS is used for authentication of users outside
of the internal network. IAS also allows for tracking of
connections for things like usage for billing purposes and
auditing for security purposes.
VPN (Virtual Private Networks)
A VPN is a tunnel between two systems. The data that passes
between the systems is encrypted. This allows for secure
communication across a public network such as the Internet.
VPNs use either PPTP or L2TP tunneling.
PPTP (Point to Point Tunneling Protocol) - only works
on IP networks. Uses built-in PPP encryption (MPPE).
L2TP (Layer 2 Tunneling Protocol) - works on IP, Frame
Relay, X.25 or ATM. Uses IPSec encryption.