Implementing, Managing, and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure
Of the exams in the new track, 70-291 is the one whose objectives
concentrate most on the network services available in Windows
Server 2003. Its objectives are:
Implementing, Managing, and Maintaining IP Addressing
- Configure TCP/IP addressing on a server computer.
- Manage DHCP.
  - Manage DHCP clients and leases.
  - Manage DHCP Relay Agent.
  - Manage DHCP databases.
  - Manage DHCP scope options.
  - Manage reservations and reserved clients.
- Troubleshoot TCP/IP addressing.
  - Diagnose and resolve issues related to Automatic Private IP Addressing (APIPA).
  - Diagnose and resolve issues related to incorrect TCP/IP configuration.
- Troubleshoot DHCP.
  - Diagnose and resolve issues related to DHCP authorization.
  - Verify DHCP reservation configuration.
  - Examine the system event log and DHCP server audit log files to find related events.
  - Diagnose and resolve issues related to configuration of DHCP server and scope options.
  - Verify that the DHCP Relay Agent is working correctly.
  - Verify database integrity.
Implementing, Managing, and Maintaining Name Resolution
- Install and configure the DNS Server service.
  - Configure DNS server options.
  - Configure DNS zone options.
  - Configure DNS forwarding.
- Manage DNS.
  - Manage DNS zone settings.
  - Manage DNS record settings.
  - Manage DNS server options.
- Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs.
Implementing, Managing, and Maintaining Network Security
- Implement secure network administration procedures.
  - Implement security baseline settings and audit security settings by using security templates.
  - Implement the principle of least privilege.
- Monitor network protocol security. Tools might include the IP Security Monitor Microsoft Management Console (MMC) snap-in and Kerberos support tools.
- Troubleshoot network protocol security. Tools might include the IP Security Monitor MMC snap-in, Event Viewer, and Network Monitor.
Implementing, Managing, and Maintaining Routing and Remote Access
- Configure Routing and Remote Access user authentication.
  - Configure remote access authentication protocols.
  - Configure Internet Authentication Service (IAS) to provide authentication for Routing and Remote Access clients.
  - Configure Routing and Remote Access policies to permit or deny access.
- Manage remote access.
  - Manage packet filters.
  - Manage Routing and Remote Access routing interfaces.
  - Manage devices and ports.
  - Manage routing protocols.
  - Manage Routing and Remote Access clients.
- Manage TCP/IP routing.
  - Manage routing protocols.
  - Manage routing tables.
  - Manage routing ports.
- Implement secure access between private networks.
- Troubleshoot user access to remote access services.
  - Diagnose and resolve issues related to remote access VPNs.
  - Diagnose and resolve issues related to establishing a remote access connection.
  - Diagnose and resolve user access to resources beyond the remote access server.
- Troubleshoot Routing and Remote Access routing.
  - Troubleshoot demand-dial routing.
  - Troubleshoot router-to-router VPNs.
Maintaining a Network Infrastructure
- Monitor network traffic. Tools might include Network Monitor and System Monitor.
- Troubleshoot connectivity to the Internet.
- Troubleshoot server services.
  - Diagnose and resolve issues related to service dependency.
  - Use service recovery options to diagnose and resolve service-related issues.
DHCP:
DHCP (Dynamic Host Configuration Protocol) distributes IP addresses
and the associated configuration data dynamically, using an open
standard. A DHCP client receives a lease that defines how long its
address information is valid. When half the lease time has elapsed
(T1) the client unicasts a renewal request to the server that issued
the lease; if that gets no answer it broadcasts a rebinding request
to any server at 87.5 percent of the lease (T2); and if the lease
then expires it stops using the address and starts over with
discovery (a Windows client that gets no answer at all falls back to
an APIPA address). DHCP issues not only addresses from the address
pool (scope) but also the lease time and other IP configuration data
(default gateway, subnet mask, DNS servers, and so on). On Windows
Server 2003 the DHCP service is installed through the Networking
Services subcomponent of Add/Remove Windows Components in the
Add/Remove Programs applet.
A scope is the range of IP addresses that the DHCP server can
issue to clients on a single subnet. Only one scope can be created
for each subnet, and a single DHCP server can manage several scopes.
Scopes are created with the New Scope Wizard, which also lets you
add exclusions, configure the router (default gateway), define the
domain name and DNS server options, and specify WINS settings.
Installing the DHCP service adds the DHCP snap-in, and you must
define at least one scope on the server before it can lease
addresses.
A red arrow on the icon of a DHCP server in the snap-in means the
server is not authorized in Active Directory and will not lease
addresses; once it is authorized, the arrow changes to green.
Authorization is what stops a stray domain-joined Windows DHCP server
from answering clients, so it is the first thing to check when clients
stop getting leases; note that it does nothing against a rogue DHCP
server that is not a domain member or not Windows at all, which only
conflict detection, the audit log, and a packet capture will reveal.
MADCAP (Multicast Address Dynamic Client Allocation Protocol) works
like DHCP but issues only multicast addresses. Multicasting sends a
message to a select group of recipients through a class D IP
address, which conserves bandwidth: to reach 300 of 600 users you
send the packet once, to the class D group address, instead of the
300 times that unicasting would require. Multicast addresses must
fall within the class D range, 224.0.0.0 through 239.255.255.255
(224.0.0.0/4); a class D address identifies a group, never a host
interface.
DHCP servers can be configured to use DDNS (Dynamic DNS) at
the scope level or server level. The DHCP snap-in enables you
to manage and monitor DHCP. For example, you can work with the
database files, remove leases, and modify scopes.
NAT interfaces define the connection properties for network address
translation: which interface is the internal (private) network and
which is the external (public) one. NAT translates between the two,
so you can use a private address scope internally and still
communicate with the Internet. With NAT only one machine (the NAT
computer) needs a valid Internet address; all the internal clients
can use the private ranges reserved by RFC 1918: 10.0.0.0/8
(the former class A block), 172.16.0.0/12 (172.16.0.0 through
172.31.255.255, in class B space), and 192.168.0.0/16 (class C
space).
Windows Server 2003 includes the following NAT editors:
FTP, ICMP, and PPTP. Configuration of NAT (Network Address
Translation) is done through the Routing and Remote Access MMC
snap-in (meaning that RRAS must be activated before NAT can be
employed).
Internet Connection Sharing (ICS) is a simplified NAT for a small
network such as a home office: one computer shares its Internet
connection and also acts as DHCP allocator and DNS proxy for the
internal clients, dialing a dial-up link on demand if that is what
the shared connection is.
DNS:
DNS is a server service consisting of a hierarchical, distributed
database with built-in redundancy and caching capabilities. DNS
translates domain names into IP addresses. When a DNS server cannot
answer a query from its own zones or its cache, it either hands the
query to a configured forwarder or resolves it itself, starting from
the root servers listed in its root hints and working down through
the top-level-domain servers to the servers authoritative for the
zone. A client's query to its own server is normally recursive (the
server does all the work and returns a final answer); the queries the
server then sends to other servers are iterative (each answers with
the best referral it has).
DNS is installed as a service within Windows Server 2003 through the
use of wizards. If you run the Active Directory Installation Wizard
(dcpromo) and it cannot find a DNS server that supports the domain,
the wizard offers to install and configure the DNS service for you.
DNS management is performed with the DNS snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP, and
Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database file; each resource record identifies a particular
resource within the database.
If necessary, you can manually add resource records into
DNS through the DNS snap-in.
Dynamic DNS (DDNS) lets resource records be created and updated at
run time instead of by hand. A Windows client registers its own
A record, and its DHCP server can register the PTR record (or both
records) on its behalf, whenever the client's address changes, for
example at a new lease or a renewal. You can force a client to
re-register with the /registerdns switch of IPCONFIG.EXE.
DNS zone transfers can be full (AXFR) or incremental (IXFR). Restrict
them on the Zone Transfers tab of the zone properties to the servers
listed in the zone's NS records (or a named list); an open AXFR hands
anyone who asks a complete inventory of your hosts. A caching-only
server hosts no zones and merely speeds up client queries by caching
the answers it obtains from other servers. Round robin load-balances
a name across several hosts by rotating the order of its multiple
type A resource records in successive answers.
Configuring a zone for dynamic updates within the zone
properties dialog box (obtainable from the DNS Management
Console) allows DNS clients to update their resource records
dynamically with the server anytime a change occurs. This can
be enabled or disabled on a per-zone basis. With an Active
Directory Integrated zone, you can store DNS resource records
in AD naming contexts to simplify zone replication.
The primary name server of a zone is the one named in the zone's
Start of Authority (SOA) record. The first division of the DNS
namespace is into domains; the top-level domains (com, edu, and so
on) were historically administered by the InterNIC (Internet Network
Information Center) and today by ICANN/IANA. Stub zones contain only
the SOA and NS records of a zone plus the glue A records for its name
servers, which is enough to locate the zone's authoritative servers.
A DNS client is any computer that can query a DNS
server (through a resolver). A resolver is the DNS
client program that is used to query DNS name information. A
DNS server is any computer running the DNS Server
service. DNS servers perform name-to-IP mapping and attempt to
resolve client queries.
FQDNs (fully qualified domain names) specify the host name, the
domain or subdomain to which the host belongs, and every domain above
that in the hierarchy up to the root. An FQDN is read from the most
specific label on the left to the root on the right, with each host
name or domain name separated by a period.
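Recursive versus iterative, authoritative versus cached, and the label form of an FQDN are all visible in the DNS message header and name encoding. The following is an added example, not code from the original page: it builds a query with the RD (recursion desired) bit set or clear, builds a matching reply with the QR, AA and RA bits and a compressed owner name, and parses both. The names and addresses are constructed and nothing is sent on the network.

```python
"""Build and parse DNS messages on the wire to see what "recursive" versus
"iterative" means at the protocol level: the RD (recursion desired) bit in the
query, and the RA/AA bits in the reply. Added example, not from the original
page; the response bytes are constructed by build_response() here, not
captured from a server.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(fqdn):
    """Encode an FQDN as length-prefixed labels ending with the root (zero) label."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (fqdn, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(txid, fqdn, recursion_desired=True):
    """RD=1 asks a server to resolve on the client's behalf (recursive query);
    RD=0 is what a resolving server sends to root/TLD/authoritative servers."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query, addresses, ttl=300, authoritative=False, recursion_available=True):
    """Answer an A query with the given IPv4 strings; the owner name of each
    answer is a pointer (0xC00C) back to the name in the question section."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= 0x8000 | (0x0400 if authoritative else 0) | (0x0080 if recursion_available else 0)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    answers = b""
    for addr in addresses:                       # several A records = round robin material
        rdata = bytes(int(o) for o in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0) + question + answers


def parse_message(msg):
    """Header flags plus the question and answer sections (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "rcode": flags & 0x000F, "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata
        out["answers"].append((name, rtype, ttl, value))
    return out


if __name__ == "__main__":
    q = build_query(0x1234, "www.corp.example")
    print(parse_message(build_response(q, ["192.168.1.10", "192.168.1.11"], authoritative=True)))
```

The AA bit is what tells you whether an answer came from the zone's own server or from somebody's cache, and a reply with RA clear to an RD query is how you spot a server that refuses recursion; both are worth checking with a capture when nslookup results look odd.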
Network Security:
Event Viewer - the primary tool for viewing the event logs. Besides
the three logs that have always existed (Application; System, which
records services and drivers that fail to start; and Security), a
server also has Directory Service, File Replication Service, and DNS
Server logs when those services are installed.
Common TCP ports to allow or deny include:
- FTP data (20)
- FTP control session (21)
- Telnet (23)
- SMTP (25)
- HTTP (80)
- POP3 (110)
- IMAP (143)
TCP/IP filtering can stop unwanted packets from reaching a server.
It is configured through the Advanced button on the TCP/IP protocol
properties (Options tab), applies to all adapters, and lets you
permit either all traffic or only the listed TCP ports, UDP ports,
and IP protocol numbers; anything not listed is dropped. Finer
control (permit, block, or accept only when the peer negotiates
IPSec, with options such as Perfect Forward Secrecy) is provided by
IPSec filter actions rather than by TCP/IP filtering.
IPSec negotiates a secure association between two hosts and, on
Windows Server 2003, encrypts with DES (Data Encryption Standard,
56-bit) or 3DES (Triple DES); DES is obsolete and should not be
selected, so treat 3DES as the floor. IPSec secures packets between
two hosts and cannot be used locally, whereas EFS encrypts files on
the local disk and does not protect data on the network.
Only one IPSec policy can be assigned to a computer at a time. All
policy settings can be made with wizards in the IP Security Policy
Management MMC snap-in: right-click the IP Security Policies folder
and choose the option to create a new policy. Active security
associations and the applied policy are monitored with the IP
Security Monitor MMC snap-in (IPSECMON.EXE was the Windows 2000
tool), and netsh ipsec can script both policy and monitoring.
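The three IPSec filter actions (permit, block, negotiate security) and the port list above come together when you work out what a policy will do to a given packet. The following is an added example, not code from the original page or a Microsoft tool: it evaluates constructed packets against constructed filter rules, defaulting to block when nothing matches. Windows IPSec applies the most specific matching filter; the specificity scoring used here is my own simplification of that rule, not Microsoft's exact precedence, so verify real policies in the snap-in.

```python
"""Evaluate packets against IP filters with the three IPSec filter actions
(permit, block, negotiate). Added example, not from the original page; the
rules and packets are constructed. It follows the Windows IPSec idea that the
most specific matching filter wins (my own scoring: the match that pins down
the most fields, with longer prefixes counting more) and blocks by default.
"""
import ipaddress

# Well-known TCP ports from the page's allow/deny list.
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "pop3": 110, "imap": 143}

ANY = None  # wildcard for a field


def rule(action, proto=ANY, src=ANY, dst=ANY, dport=ANY, **extra):
    """A filter plus its action. extra carries negotiate options such as pfs=True."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src) if src else ANY,
            "dst": ipaddress.ip_network(dst) if dst else ANY,
            "dport": dport, "options": extra}


# Constructed policy for a server on 10.9.9.9
RULES = [
    rule("block", proto="tcp", dport=PORTS["telnet"]),                       # cleartext logins never
    rule("permit", proto="tcp", dport=PORTS["http"]),                        # public web traffic
    rule("negotiate", src="10.0.0.0/8"),                                     # LAN traffic must use IPSec
    rule("negotiate", proto="tcp", src="10.0.0.0/8", dport=445, pfs=True),   # SMB from LAN: IPSec with PFS
    rule("permit", proto="tcp", src="10.0.0.0/8", dport=PORTS["ftp"]),       # FTP from LAN in the clear
]


def matches(r, pkt):
    return ((r["proto"] is ANY or r["proto"] == pkt["proto"])
            and (r["src"] is ANY or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is ANY or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and (r["dport"] is ANY or r["dport"] == pkt.get("dport")))


def specificity(r):
    """Higher means more specific: each pinned field counts one, and an address
    field additionally counts its prefix length (simplification, see lead-in)."""
    score = sum(f is not ANY for f in (r["proto"], r["dport"]))
    for net in (r["src"], r["dst"]):
        if net is not ANY:
            score += 1 + net.prefixlen / 33.0
    return score


def decide(pkt, rules=RULES):
    """Return (action, options) for a packet; block if nothing matches."""
    best = max((r for r in rules if matches(r, pkt)), key=specificity, default=None)
    if best is None:
        return "block", {}
    return best["action"], best["options"]


if __name__ == "__main__":
    for pkt in [{"proto": "tcp", "src": "10.1.1.1", "dst": "10.9.9.9", "dport": 23},
                {"proto": "tcp", "src": "203.0.113.5", "dst": "10.9.9.9", "dport": 80},
                {"proto": "tcp", "src": "10.1.1.1", "dst": "10.9.9.9", "dport": 445},
                {"proto": "udp", "src": "203.0.113.5", "dst": "10.9.9.9", "dport": 53}]:
        print(pkt, "->", decide(pkt))
```

A negotiate action only protects traffic if the peer can actually negotiate; the "fall back to unsecured communication" option on a filter action silently turns negotiate into permit for peers that cannot, so leave it off on anything that matters.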
RRAS:
RRAS routing is installed/configured through the RRAS MMC
snap-in by right-clicking on the server and choosing Configure
and Enable Routing and Remote Access on the popup menu. This
starts the RRAS Setup Wizard.
The three types of remote access permissions available to a
user are:
Allow access
Deny access
Control access through Remote Access Policy
When a user dials in, you can choose to verify caller-ID,
assign a static IP address to the connection, and/or apply
static routes.
RRAS includes support for RIP for IPX and SAP for IPX. RRAS
supports the following protocols: AppleTalk, IPX, NetBEUI, and
TCP/IP.
A host first consults its own routing table: destinations on a
directly attached subnet are delivered straight to the neighbour, and
everything else is sent to the gateway of the matching route. An
individual host can learn where to send a packet in one of three
ways:
- From the default gateway address in its IP configuration, which is the route of last resort
- From Internet Control Message Protocol (ICMP) redirects, by which a router tells the host of a better next hop for a destination (unauthenticated, so a host should accept them only from its current gateway, and they can be turned off)
- By listening to the traffic between routers that use RIP (Routing Information Protocol) or Open Shortest Path First (OSPF), known as dynamic routing
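The table lookup behind those three mechanisms is longest-prefix match with the metric as tie-break and 0.0.0.0/0 as the last resort. The following is an added example, not code from the original page: it runs that lookup over a constructed table shaped like route print output and models what an ICMP redirect does to it, including the two checks a host should make before honouring one.

```python
"""Route selection for an outgoing packet: longest-prefix match over the local
routing table, lowest metric as tie-break, default route (0.0.0.0/0) last, plus
what an ICMP redirect does to the table. Added example, not from the original
page; the table below is constructed to resemble 'route print' output.
"""
import ipaddress


def route(network, gateway, interface, metric):
    return {"net": ipaddress.ip_network(network), "gateway": gateway,
            "interface": interface, "metric": metric}


# Constructed table: one NIC at 192.168.1.50/24, default gateway .1, a static
# route to 10/8 via a second router (for instance pushed by a remote access
# profile), and a more specific route to 10.20/16 via a third.
TABLE = [
    route("0.0.0.0/0", "192.168.1.1", "192.168.1.50", 20),
    route("127.0.0.0/8", "127.0.0.1", "127.0.0.1", 1),
    route("192.168.1.0/24", "on-link", "192.168.1.50", 20),
    route("10.0.0.0/8", "192.168.1.254", "192.168.1.50", 1),
    route("10.20.0.0/16", "192.168.1.253", "192.168.1.50", 1),
]


def lookup(table, destination):
    """Return the route whose prefix is longest (then lowest metric), or None."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in table if ip in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def next_hop(table, destination):
    """The address the packet is actually sent to on the wire."""
    r = lookup(table, destination)
    if r is None:
        return None
    return destination if r["gateway"] == "on-link" else r["gateway"]


def apply_redirect(table, destination, new_gateway, from_gateway):
    """Model an ICMP redirect: add a host route if the stack would accept it.

    A host should only honour a redirect that comes from the gateway it is
    currently using for that destination and that names a gateway on the local
    link. Even then redirects are unauthenticated, which is why Windows lets
    you disable them (the EnableICMPRedirect TCP/IP parameter).
    Returns True if the host route was added.
    """
    current = lookup(table, destination)
    if current is None or current["gateway"] != from_gateway:
        return False
    on_link = [r for r in table if r["gateway"] == "on-link"
               and ipaddress.ip_address(new_gateway) in r["net"]]
    if not on_link:
        return False
    table.append(route(destination + "/32", new_gateway, on_link[0]["interface"], 1))
    return True


if __name__ == "__main__":
    for dst in ("192.168.1.7", "10.5.5.5", "10.20.5.5", "8.8.8.8"):
        print(dst, "->", next_hop(TABLE, dst))
    t = list(TABLE)
    print("redirect accepted:", apply_redirect(t, "8.8.8.8", "192.168.1.2", "192.168.1.1"))
    print("8.8.8.8 ->", next_hop(t, "8.8.8.8"))
```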
Monitoring remote access is done through counters in the
Performance utility; the RRAS MMC console can be used to
configure incoming connections and other features.
Remote Access Dial-in Profiles allow you to define the following:
- Dial-in Constraints (idle timeout, session length, day and time, allowed media)
- IP Address Assignment Policy and input/output packet filters
- Multilink (aggregation of multiple analog phone lines through multiple modems for greater bandwidth)
- Authentication (which protocols the connection may use)
- Encryption (No Encryption, Basic 40-bit, Strong 56-bit, or Strongest 128-bit MPPE)
Remote Access Dial-in Profiles can be configured and govern
security in much the same way group policies do.
A remote access policy defines actions that can be
undertaken for a user or group of users who connect remotely.
They can employ specific authentication and encryption
methods.
IAS (Internet Authentication Service) is Microsoft's RADIUS server.
Through policies it enforces conditions such as which RADIUS clients
(access servers) are allowed, which incoming phone numbers to accept,
the type of media used to establish the connection, the user's
membership in security groups, and the days and hours at which access
is allowed. When RRAS is configured for RADIUS authentication, it
forwards every authentication request it receives to the RADIUS
server for approval or denial; the two trust each other through a
shared secret, so make that secret long and random and list each
access server's address explicitly. RADIUS is an open standard.
IAS provides centralized administration and policy enforcement and
works with PAP, CHAP, MS-CHAP, and EAP. It is useful for centralized
auditing (its log files record every request), scaling to growing
demand, monitoring usage remotely, and administration through a
graphical MMC snap-in.
Remote Access Authentication Protocols:
CHAP (Challenge Handshake Authentication Protocol) - the server sends
a random challenge and the client returns the industry-standard MD5
hash of its identifier, its password, and the challenge, so the
password itself never crosses the link. To check the response the
server must hold the password in cleartext or reversibly encrypted
form, which in Active Directory means enabling "Store password using
reversible encryption" for those accounts. Rated highly secure for
the exam, though a captured exchange can be attacked offline.
EAP (Extensible Authentication Protocol) - client and server
negotiate the authentication method, which can be MD5 username and
password (EAP-MD5), smart cards and certificates (EAP-TLS), token
cards, retina or fingerprint scanners, and other third-party
authentication technologies.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) -
Microsoft's one-way-hashed challenge-response. It is enabled by
default on a Windows Server 2003 server running RAS and differs from
CHAP in that both ends must be Microsoft operating systems. Rated
highly secure for the exam; in practice version 1 is deprecated and
should be disabled in favour of version 2 or EAP.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol
v2) - stronger key derivation and, the main difference from version
1, two-way (mutual) authentication: the server must also prove that
it knows the password. Windows clients use it by default for dial-up
networking (DUN); Windows 2000, NT 4, and Windows 98 clients use it
by default for VPN. Rated highly secure for the exam, but its
DES-based response can now be recovered from a captured exchange,
so prefer EAP-TLS where certificates are available.
PAP (Password Authentication Protocol) - sends cleartext passwords.
Provides little security.
SPAP (Shiva Password Authentication Protocol) - sends a reversibly
encrypted password, somewhat better than PAP; used to connect to
Shiva LANRover devices. Medium security.
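To see why CHAP needs the server to keep a recoverable password and why PAP through IAS is only as safe as the RADIUS shared secret, it helps to compute what each puts on the wire. The following is an added example, not code from the original page or from Windows: it implements the CHAP response of RFC 1994 and the User-Password hiding of RFC 2865 section 5.2 (the form in which RRAS forwards a PAP password to IAS), with constructed secrets and challenges.

```python
"""What CHAP and a RADIUS-forwarded PAP password look like on the wire.
Added example, not from the original page; secrets and challenges are
constructed. CHAP follows RFC 1994 (response = MD5(id || secret || challenge));
the RADIUS User-Password hiding follows RFC 2865 section 5.2, which is how
a PAP password travels from an RRAS server to an IAS/RADIUS server.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side: prove knowledge of the secret without sending it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, stored_secret, challenge, response):
    """Server side. The server needs the secret itself (cleartext or reversibly
    encrypted), not a one-way hash of it: that is the price of CHAP."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password, shared_secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(shared_secret || previous block), where the first 'previous block' is
    the 16-byte Request Authenticator from the packet header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden, shared_secret, request_authenticator):
    """The inverse, which anyone who sniffs the Access-Request and knows (or
    guesses) the shared secret can run; no per-user key is involved."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        out += _xor(cipher_block, hashlib.md5(shared_secret + prev).digest())
        prev = cipher_block
    return out.rstrip(b"\x00")    # drops the padding; passwords cannot end in NUL


def demo():
    """Exercise both mechanisms with constructed values and report the outcome."""
    challenge = os.urandom(16)
    resp = chap_response(7, b"alice-secret", challenge)
    ra = os.urandom(16)
    hidden = radius_hide_password(b"Sup3r-Long-Passphrase!", b"radius-shared", ra)
    return {
        "chap_ok": chap_verify(7, b"alice-secret", challenge, resp),
        "chap_wrong_secret": chap_verify(7, b"guess", challenge, resp),
        "radius_roundtrip": radius_reveal_password(hidden, b"radius-shared", ra),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the RADIUS construction depends on the user, so a weak or reused shared secret exposes every password that crosses that RRAS-to-IAS link; the same applies to the CHAP side, where the reversibly encrypted store on the domain controller is the asset to protect.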
A virtual private network (VPN) is an extension of the physical
network. Rather than restricting the network to local cabling, it
uses a public network (the Internet) as a segment of the backbone.
Windows Server 2003 supports two VPN protocol stacks: PPTP, whose
payload is encrypted with MPPE (RC4, keyed from the MS-CHAP or
EAP-TLS exchange), and L2TP/IPSec, where the L2TP tunnel is carried
inside IPSec ESP, an open protocol suite that protects the user
names, passwords, and data. The choice between PPTP with MPPE and
L2TP with IPSec is made in the connection's properties in Network
Connections.
PPPoE (Point-to-Point Protocol over Ethernet) support is built into
Windows Server 2003, as are a basic host firewall (Internet
Connection Firewall), 802.1X port-based network access control
(used for wireless and switch-port authentication), and IPv6.
Network Infrastructure:
Network Monitor - the version shipped with Windows Server 2003 is a
subset of the fuller version in SMS and captures only traffic to and
from the local machine. It can capture real-time activity, apply
capture and display filters, and view and save data to a file.
System Monitor - an ActiveX tool that can
graphically display performance of various real-time
statistics. Within it, the workstation is divided into a
number of different objects, and each object is divided into
one or more counters. System Monitor appears on the
Performance tool (Start - Programs - Administrative Tools -
Performance) and it is the primary performance tool for the
system. Performance Logs and Alerts enables you to record data
to create and compare with a baseline (to get a long-term look
at how the system is operating) or send administrative alerts
when thresholds are reached.
Optimal performance is the goal: a system is performing optimally
when it is processing and responding as fast as its available
resources allow, and the Performance tool is how you measure whether
it is and where the bottleneck lies when it is not.
TCP/IP utilities to know for network troubleshooting and performance:
ARP - Address Resolution Protocol - displays and edits the cache of
locally resolved IP-to-Media Access Control (MAC) address mappings.
Finger - retrieves user and system information from a remote
computer that runs the TCP/IP finger service.
FTP - File Transfer Protocol - transfers files between TCP/IP hosts,
one of which runs an FTP server.
Hostname - returns the local computer's host name.
IPCONFIG - displays and verifies the TCP/IP configuration; with the
/all switch it also shows the DHCP, DNS, and WINS server addresses
and the lease times. WINIPCFG is the equivalent on Windows 9x
workstations. The /release and /renew switches exercise DHCP, and
/displaydns, /flushdns, and /registerdns act on the local DNS
resolver cache and dynamic registration.
LPD - Line Printer Daemon - the service that accepts LPR requests
and submits print jobs to a printer device.
LPQ - Line Printer Queue - obtains the status of a print queue on a
host running the LPD service.
LPR - Line Printer Remote - prints a file to a host running the LPD
service.
NBTstat - shows the state of current NetBIOS over TCP/IP connections
and the NetBIOS name cache, reloads the cache from LMHOSTS (-R), and
lists the names a host has registered.
Netdiag - runs a battery of network tests and reports the results
(part of the Support Tools).
Netsh - Network Shell - configures and queries network components
(interface, routing, dhcp, dns, ipsec, ras, and others) from the
command line and can run scripts of such commands.
Netstat - displays protocol statistics and the current TCP/IP
connections; -a lists all connections and listening ports, and -o
adds the owning process ID.
NSlookup - queries a DNS server directly for the records of a
particular host or domain, which shows what the server returns
independently of the local resolver cache.
Pathping - combines ping and tracert: it first traces the route,
then sends echo requests to every hop for a period and reports the
latency and packet loss at each, which pinpoints the lossy link.
PING - Packet Internet Groper - verifies that TCP/IP is configured
correctly and that another host is reachable, using ICMP echo.
REXEC - Remote Execution - runs a process on a remote computer that
runs the rexec service.
Route - views or modifies the local routing table (route print,
route add, route delete).
RSH - Remote Shell - runs commands on a UNIX host that runs the rsh
daemon.
Telnet - provides terminal emulation to a TCP/IP host running Telnet
server software; the whole session, password included, travels in
cleartext.
Tracert - shows the route taken from the local host to the remote
host by sending packets with increasing TTL values, which is what
PING cannot tell you.