-DCs can't start up in Safe Mode or Safe Mode with Networking.
-Add the Recovery Console: Start, Run, x:\i386\winnt32.exe /cmdcons (adds it to the startup menu).
-From the Recovery Console you can access %systemroot%, %windir% and %systemroot%\cmdcons (and their subfolders).
-Best way to distribute apps/service packs is through GPOs.
-Domain-wide operations masters are the Domain Naming master and the Schema master.
-The Infrastructure master shouldn't be on the same server as a GC; the Domain Naming master should be on a GC; the Schema master and Domain Naming master should be on the same server.
-Only NT Servers (3.51, 4.0) can be upgraded to W2K Server.
-Syspart is used for clean installs on dissimilar hardware. Sysprep is used when the master PC and the targets are the same. SMS is used for upgrades.
-Separate forests use one-way non-transitive trusts; single-domain sites don't have trusts.
-RIS needs a RIS server (a DC or a member of a W2K domain), AD, DDNS, and RIS-capable clients (PXE). Doesn't need WINS or NAT.
-Creating a UAF (with Setup Manager) and using Sysprep are both ways to automate installs. Create the UAF with Setup Manager and copy the UAF file to the i386 directory on the network share. Sysprep is for cloning identical OEM systems.
-The Sysdiff utility is used for image creation to install apps over the network.
-Winnt32.exe /checkupgradeonly checks whether an NT 4.0 Server is OK to upgrade to 2K.
-Sysprep creates a sysprep.inf file; it asks for user info at boot (duplicate the drive before rebooting).
-Application Compatibility Scripts for Terminal Services make apps run better in multi-user environments.
-The Domain Naming master and Schema master are on the first DC in the network (one server only).
-GCs can be added to domain servers over 56K modem links (searches for a DC for login).
-RIS steps: DHCP assigns IP/DNS info; client locates a DNS server; DNS is used to find a DC; the DC finds a RIS server (LDAP call); the remote boot protocol is used to connect to RIS; the bootstrap image copies files; a script runs to perform the unattended install.
-SMS is used for automated W2K Server upgrades only (for clean installs use Syspart, Sysprep, boot CD, SMS).
-The \i386\$OEM$\textmode folder on the distribution server holds new files for mass storage (OEM HALs).
-winnt32.exe /syspart is for when the master PC and the target don't have the same hardware. Full command: winnt32 /unattend:unattend.txt /s:install_source /syspart:second_drive /tempdrive:second_drive /noreboot
-W2K minimum is 133 MHz, 64 MB RAM, 1 GB HD.
-Three power schemes for mobile computing: Home/Office Desk, Portable/Laptop, Always On.
-Setup Manager can create answer files for unattended installs, Sysprep scripts, and RIS scripts.
-RIS deployment needs: 1. NIC that meets spec 2. PXE ROM 3. Startup disk with drivers loaded. Also needs DNS, DHCP, Active Directory.
-Win2K install with a UAF: create winnt.sif with Setup Manager and copy it to the bootable CD.
-RIS Setup Wizard: installs the RIS software, copies the W2K Professional files to the network, creates *.sif files, and configures the client install setup steps for system startup.
-Verify Caller ID: if the caller's number doesn't match the configured number then access is denied.
-Distinguished name: CN=xxx, DC=yyy (CN=common name, DC=domain component).
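The CN/DC structure above, as an added example that is not part of the original notes: a small DN parser that maps DC components back to a DNS domain name and honours backslash escapes (the sample names and the coffeehouse.com domain are constructed).

```python
"""Parse LDAP distinguished names such as CN=xxx,DC=yyy,DC=zzz.

Added example, not from the original notes. It splits a DN into its
(attribute, value) pairs, maps the DC components back to the DNS domain
name, and honours backslash escapes, which a plain split(',') gets wrong
(a CN such as "Smith, John" contains a comma). Sample DNs and the
coffeehouse.com domain are constructed for illustration.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into ordered (attribute, value) pairs.

    A backslash escapes the next character (RFC 2253 style), so '\\,' is a
    literal comma inside a value rather than an RDN separator.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr = ""
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # keep the escaped char literally
            i += 2
            continue
        if not in_value and ch == "=":
            attr = "".join(buf).strip()
            buf = []
            in_value = True
        elif in_value and ch == ",":
            pairs.append((attr, "".join(buf).strip()))
            buf = []
            in_value = False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        pairs.append((attr, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("RDN without '=': " + "".join(buf))
    if not pairs or any(not a or not v for a, v in pairs):
        raise ValueError("malformed DN: " + dn)
    return pairs


def common_name(dn: str) -> str:
    """The leaf CN value (first CN component), e.g. the account's display name."""
    for attr, value in parse_dn(dn):
        if attr.upper() == "CN":
            return value
    raise ValueError("DN has no CN component: " + dn)


def dns_domain(dn: str) -> str:
    """Join the DC components into the DNS-style domain name."""
    parts = [v for a, v in parse_dn(dn) if a.upper() == "DC"]
    if not parts:
        raise ValueError("DN has no DC components: " + dn)
    return ".".join(parts)


def in_domain(dn: str, expected_domain: str) -> bool:
    """True if the DC components spell the expected domain (case-insensitive).

    Useful when a DN arrives from a log or a remote source and you want to
    confirm it belongs to the domain you manage before acting on it.
    """
    return dns_domain(dn).lower() == expected_domain.strip(".").lower()


if __name__ == "__main__":
    sample = "CN=John Smith,OU=Sales,DC=coffeehouse,DC=com"   # constructed
    print(parse_dn(sample))
    print(common_name(sample), "in", dns_domain(sample))
```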
-Win2K policy templates are system.adm and inetres.adm. NT4 and Win9x use common.adm. Win9x only uses windows.adm. NT4.0 only uses winnt.adm.
-System Policy Editor (from NT4.0): if the user has a personal profile here then group policies don't apply (user profile only).
-Global groups can contain domain users and global groups (from the domain).
-Local groups are used on PCs that are not members of a domain and can only contain local users from this PC.
-Domain local groups: grant permissions anywhere in the domain. Can contain users, global groups, universal groups.
-Universal: anywhere in the forest.
-DFS replicas need to be on a DC (standalone servers can implement DFS with FAT, FAT32, NTFS).
-For users to encrypt files on the server: in AD Users & Computers, open the PC's properties and set "Trust computer for delegation".
-In a standalone DFS the DFS root and topology are stored on the host computer.
-DFS client software is available for W2K Professional, W98 and NT4.
-In domain-based DFS the topology is stored in AD.
-DFS doesn't use unique share/NTFS permissions; it uses what is already set for that share.
-If a DFS link is queried every time a user accesses it, the cache referral is set to 0.
-Each DFS link can have 32 replicas.
-To share folders in a domain you must be a member of Administrators or Server Operators.
-W95 shares can be linked to a DFS root.
-File and Print Services for Unix is installed for printing to an LPD server (Unix).
-Printer share permission so a user can delete their own jobs is "Creator Owner".
-To add a TCP/IP printer: "Create new port - Standard TCP/IP Port".
-To share a printer you need the "Manage Printers" permission.
-If Outlook is configured for multiple languages and printing is slow, install multiple languages on the print server.
-Only Win2K Servers can host DFS roots and replicas (doesn't work on W2K Pro).
-If the local group policy allows 3 login attempts and the domain policy allows 2 login attempts, the user has a cumulative 5 login attempts.
-Power Users group can create shares on the local PC for network users.
-GPOs are W2K only; for W95/98 and NT4 use Poledit.exe (windows.adm and winnt.adm respectively).
-W2K domain networking has 2 group types: Security and Distribution. Groups also have 3 scopes (determining whether the group spans multiple domains): 1. Global = organizes domain users in AD; can be added to Domain Local and Universal groups. 2. Domain Local = grants permissions to resources in the domain in which the group was created. 3. Universal = grants permissions to resources in multiple domains.
-IRQ4=COM1,3 | IRQ3=COM2,4 (tip: 2 3 4 for this one) | IRQ1=keyboard | IRQ2=cascade to IRQ9 | IRQ5=multimedia or 2nd printer port
-"Software Environment" (under System Information) is where you check whether a driver loaded.
-Control Panel > Add/Remove Hardware to add a Plug and Play NIC.
-Driver signing: Control Panel > System > Hardware tab > Device Manager > Driver Signing (options are Ignore, Warn or Block).
-Tools to check driver signatures: Sigverif (view name/date etc.) and SFC (System File Checker) to check digital signatures of files on the system (sfc /scannow).
-BAP (Bandwidth Allocation Protocol) is an enhancement to Multilink; it's a PPP control protocol and works with PPP to provide bandwidth on demand, adding or dropping links as appropriate.
-To check whether there is enough RAM: Paging File % Usage and Memory Pages/sec.
-To improve paging file operations: 1. Move the paging file away from the system files 2. Configure RAID 0 (stripe set) and put the swap file there 3. Increase the initial swap file size.
-Start an app at a higher priority: start appname.exe /high, /realtime or /abovenormal. /separate is used for 16-bit apps; /max runs the app in a maximized window.
-For drive monitoring use: PhysicalDisk Avg. Disk Queue Length and PhysicalDisk % Disk Time.
-To see if the server is being overloaded use: Server Work Queues Total Operations/sec and Server Bytes/sec.
-In Safe Mode you don't have the "Hardware Resources" options.
-Load the Recovery Console by: winnt32 /cmdcons, booting from the CD (Repair), or booting from the boot floppies (press R when prompted).
-NIC counters: if "Output Queue Length" and "Packets Outbound Discarded" are high, network traffic may be very high.
-If sustained "% Processor Time" is 80% then add a processor.
-For an app server running slowly, check the Process object in Perfmon to look for leaky apps.
-Other tools for network problems: Netstat, NBTstat, System Monitor, Network Monitor.
-With dynamic storage you can have an unlimited number of volumes.
-Difference between a simple volume and a partition: a volume doesn't have size restrictions, and a volume can be spanned (if formatted NTFS).
-A spanned volume can contain 32 disks.
-NT4 volume sets are brought over to W2K as basic volume sets (limited because you can't add to a span on basic disks).
-User fills up disk quota; what to do: 1. Delete files 2. Have another user take ownership of some files 3. Have an admin increase the quota (note: compressing doesn't help).
-Quotas aren't recognized by anything other than W2K; on a dual-boot system booted into NT4 the user will be able to exceed the quota limit. When only "disk quota tracking" is enabled no Event Viewer messages alert, but violations are tracked in a log and no action is taken.
-Disk quotas don't prevent an admin from allocating more than the actual space (i.e. 100 users each allocated 100 MB on only a 1 GB drive is OK).
-Quotas are tracked per user, by total disk space per volume.
-Admins are exempt from quotas; an admin can copy files into a user's folder and exceed the limit.
-Quotas are stored on the file system, not the registry. If a drive is moved from one system to another, the quotas stay in place on the drive wherever it is.
-To view changes in Disk Management drive letter assignments do "Refresh".
-To change from basic to dynamic in Disk Management use the "Upgrade to Dynamic Disk" command.
-To go from dynamic to basic: back up data, delete volumes, Disk Management "Revert" command, restore.
-W2K maximum partition size for FAT16 is 4095 MB.
-A volume with fewer than 32,680 sectors (smaller than 16 MB) is formatted FAT12 (yes, 12).
-A basic disk can't be extended, but you can mount the drive to a new folder created on the first drive (map a folder on the drive to the new drive).
-RAID 5 is faster than mirroring; disk striping (RAID 0) is fastest but has no fault tolerance.
-To recover from a failed mirror you need a fault-tolerant boot diskette and a new drive. The boot diskette is for booting to the second drive; then you break the mirror, replace the drive, then re-establish the mirror.
-Mirror sets from NT4 (basic) can be migrated to W2K, and can be repaired, resynced, broken and deleted. Can't create new basic mirrors. Status will change to "Regenerating" then "Healthy"; if Healthy doesn't show then use "Resynchronize Mirror".
-Incremental backups mark files as backed up; differential backups do not. If a restore is needed and the backups are differential, incremental and full, you'll need 3 tapes for the restore.
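The archive-bit rule above decides which tapes a restore needs. Added example, not from the original notes: it walks a constructed backup cycle backwards and returns the tape set, reproducing the 3-tape case for full + incremental + differential.

```python
"""Which backup tapes are needed for a restore?

Added example, not from the original notes. Models the rule the notes
state: an incremental backup clears the archive bit ("marks files as
backed up"), so each incremental holds only changes since the previous
backup; a differential does not clear it, so it holds everything changed
since the last full or incremental. restore_set() works out the tapes to
load, newest first, for a constructed cycle of backups.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Backup:
    day: int      # sequence number within the cycle, 1 = first backup
    kind: str     # "full", "incremental" or "differential"


def restore_set(schedule: List[Backup], restore_to_day: int) -> List[Backup]:
    """Return the tapes needed to rebuild the data as of `restore_to_day`.

    Walking backwards from the restore point:
      - full: always needed, and it ends the walk.
      - incremental: always needed (it holds the changes since the previous
        archive-bit reset that nothing later contains).
      - differential: needed only if it is the newest backup seen so far;
        any later incremental or differential already contains its files.
    """
    tapes: List[Backup] = []
    later_backup_seen = False
    candidates = sorted((b for b in schedule if b.day <= restore_to_day),
                        key=lambda b: b.day, reverse=True)
    for b in candidates:
        if b.kind == "full":
            tapes.append(b)
            break
        if b.kind == "incremental":
            tapes.append(b)
        elif b.kind == "differential":
            if not later_backup_seen:
                tapes.append(b)
        else:
            raise ValueError("unknown backup kind: " + b.kind)
        later_backup_seen = True
    else:
        raise ValueError("no full backup on or before day %d" % restore_to_day)
    return tapes


def tape_days(schedule: List[Backup], restore_to_day: int) -> List[int]:
    """Convenience view: just the day numbers of the tapes, newest first."""
    return [b.day for b in restore_set(schedule, restore_to_day)]


# Constructed cycle: the exam case (full, incremental, differential = 3 tapes).
EXAM_CYCLE = [Backup(1, "full"), Backup(2, "incremental"), Backup(3, "differential")]

if __name__ == "__main__":
    for b in restore_set(EXAM_CYCLE, 3):
        print("load day %d tape (%s)" % (b.day, b.kind))
```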
-Basic disks are used only for primary and extended partitions/logical drives (useful on workstations), no fault tolerance. Dynamic disks are for simple, striped, spanned, mirrored and RAID 5 volumes.
-Need 1 MB free on the disk to convert from basic to dynamic. Converting from dynamic to basic loses data.
-Hardware RAID is better: it's invisible to W2K, faster, and has more features (hot swapping, bus mastering and caching at the SCSI controller level). FTDISK is used for mirroring and gives the ability to write to more than one drive at a time.
-Can't mirror volumes on the same drive (mirroring is for drive fault tolerance!).
-When a mirror is broken, the surviving member can be in one of 3 states: Offline, Missing, Online. The missing member will show "Failed Redundancy".
-Converting file systems: only FAT and FAT32 can be converted to NTFS. Cannot convert FAT to FAT32 and can't convert NTFS to FAT/FAT32. convert.exe c: /fs:ntfs
-Terminal Services "change user" command is used when an app is to be installed and the install doesn't use a setup program (e.g. IE asks for additional software to be installed).
-Apps in a TS environment: 32-bit apps run better than 16-bit; apps that don't run on W2K won't run in TS; 16-bit apps can reduce the number of users by 40% (increases RAM use by up to 50%).
-After creating a new hardware profile you must shut down and restart into that new profile, then make the Device Manager changes to reflect that new profile.
-Terminal Server must have TCP/IP and Remote Desktop Protocol (RDP); clients can be W2K, 95/98, NT, WFW or CE (doesn't support non-Windows platforms).
-For TS with Unix users use Citrix MetaFrame.
-For an internal web site with no default document you can enable "Directory Browsing" so users can view the directory structure (for external clients this usually isn't done because of the hacking risk).
-Web server hosts 5 sites; to have separate identities for all 5: create virtual sites for all, register domain names for your server, then point the DNS records for those sites at your web server.
-Must have SRV records in DNS when adding a DC into another domain tree of the forest. The netlogon.dns file has these entries, but the records have to be added to DNS. DNS is not configured automatically for dynamic updates, so if DDNS is not enabled they have to be added manually into the secondary DNS. The cache.dns file is for querying Internet domain names.
-W2K uses group policies, not system policies. To restore legacy policies for NT and Win95/98: copy config.pol (95/98) and ntconfig.pol (NT) into the %systemroot%\sysvol\sysvol\<domain name>\scripts folder (on a DC). This is the netlogon directory/share.
-Encrypted files can't be compressed.
-If compressed files are copied/moved between partitions, the files inherit new attributes; if moved/copied on the same partition they keep their attributes.
-People who fulfill the role of EFS Recovery Agent must have an EFS Recovery Agent certificate and be designated as EFS Recovery Agent in the GPO.
-GPOs: "No Override" means the policy will be inherited from the container above even if "Block Inheritance" is configured at the lower level. The "Not Configured" setting means no preference has been set at a higher level.
-To begin auditing, select auditing on the folder and also enable "Audit object access" in the Audit Policy for your system.
-To audit printing, enable auditing on the printer and also, as above, enable object access auditing.
-Analyze security on W2K with the "Security Configuration and Analysis" MMC snap-in and the command-line secedit.exe.
-Dr. Watson logs events (exception errors) in the Application Log.
-3 basic security templates are basicwk.inf (W2K Professional), basicsv.inf (W2K Server), basicdc.inf (W2K Domain Controller). Other (incremental) templates are available to use in conjunction with these.
-4 security policy template levels ship with W2K; admins can add, remove or modify these at will. Basic, Compatible, Secure and High (in order of increasing security).
-Account Policies are responsible for password settings, intruder detection, account lockout, and Kerberos V5 control. Local Policies for auditing, user rights etc. Public Key Policies to configure encrypted data recovery, trusted certificates etc. IP Security Policies for configuring IPSec. GPOs for Event Log policies and Restricted Groups policies for built-in groups. System Services policies to configure startup and security for services running on the computer. Registry policies for security on the W2K registry. File System policies for configuring security on specific file paths.
-Auditing on a local PC is via Local Policies.
-Areas for security settings: Local Policies, IPSec Policies, System Policies, Account Policies.
-The GPO setting closest to the DC object is enforced by default and overrides any previous settings. By default the Everyone group is selected for inclusion in the auditing policy, but Full Control is not a default permission tracked by auditing via the default Domain/Domain Controller policy.
-To capture "Audit successful attempts" and "Audit failed attempts" you need to check "Read all properties - Failed" and "Read all properties - Successful" along with enabling object access auditing.
-L2TP offers: you don't have to worry about L2TP support on the part of your ISP, and access to TCP/IP, IPX and NetBEUI resources (tunnels inside an IP packet).
-Order of GPOs/logon scripts (computer settings before user settings): 1. GPO computer settings are applied 2. GPO computer startup scripts run 3. User profile is loaded and user GPO settings applied 4. GPO user logon scripts run 5. Logon scripts assigned on the user account run.
Network Infrastructure section:
-DNS zone database for a standard primary zone is in the winnt\system32\dns folder.
-DNS zone database for an AD-integrated zone is in an AD object.
-The zone type that supports secure dynamic updates is AD-integrated zones.
-New zone replication in W2K is incremental zone transfer (IXFR).
-2 ways to test DNS are nslookup and the DNS console.
-To convert from a standard primary zone to an AD-integrated zone the server must be a DC.
-nslookup has 2 modes, interactive and noninteractive.
-nslookup needs a PTR resource record for the DNS name server in the database.
-NT4 supports full zone transfers only (AXFR).
-The portion of the domain namespace defined by resource records is the zone.
-2 types of lookup zones can be created, forward and reverse.
-4 types of resource records are A, CNAME, SOA and PTR.
-The reverse lookup zone suffix is in-addr.arpa.
-Creating a new zone: 1. Zone type = standard primary or secondary 2. Forward or reverse 3. Specify the master server to coordinate zone transfers (Start of Authority = SOA is the master) 4. Create resource records.
-SOA (Start of Authority): master name server for the zone.
-NS: used for DNS servers in a given domain.
-A: maps hostname to IP address.
-PTR: maps IP address to hostname.
-CNAME: alias for a hostname.
-SRV: locates servers that provide a particular service.
-The SOA controls the zone transfer process.
-For remote networks set up the remote DNS as a caching-only server (no forward or reverse zones); it will attempt to resolve from its cache first, then go to the main DNS for lookup.
-A root DNS zone must be created when 1. your intranet is not connected to the Internet 2. your intranet goes through a proxy.
-A DNS server doesn't have to be on a DC if you're not doing AD-integrated zones; you don't have to reboot after installing DNS.
-NT4 DNS doesn't support dynamic updates.
-If the master DNS server changes IP address, then on your secondary, on the General property page, add the new entry and remove the old one.
-W98 can't update DNS records directly; only through DHCP assignment.
-For DNS to use only secure updates: run DCpromo, change zones to AD-integrated zones, select "Only secure updates".
-A delegated zone can be created for a remote office to manage its own DNS.
-An alias could be created if IIS is installed on an existing server named fp001 and you want to access the web server via www.coffeehouse.com.
-3 tools for checking DNS lookups are nslookup, ping and the "Monitoring" tab on the DNS server. Tools that won't help are NBTstat, ntdsutil (performs DB maintenance on AD), DNScmd (command-line utility to manage DNS, but doesn't help with lookups), ipconfig.
-Use WINS "Server Statistics" for checking NetBIOS name problems.
-View a client's DNS cache with ipconfig /displaydns.
-Check if a BIND DNS server is doing DDNS and supports SRV records: nslookup, then ls -t SRV followed by the name of the domain.
-W2K Professional updates its own DNS records; all others have to be DHCP clients.
-BIND versions: 8.2.2 and above good; below 4.9.6 will have to be replaced.
-DDNS enables DHCP to add records to the DNS server.
-3 types of scopes in DHCP are 1. Scopes 2. Superscopes 3. Multicast scopes.
-Create scopes in DHCP with the "Create Scope Wizard".
-Activate a new scope by right-clicking the new scope, then All Tasks, then Activate.
-DHCP parameters can be scope name, IP address range, WINS server (not the DHCP server IP).
-Create a multicast scope via the "Create Multicast Scope Wizard".
-Settings when creating a superscope: "Name" and "Scopes to Include".
-Setting up a multicast scope: lease duration, IP range, name of scope.
-Two types of option classes in DHCP: "User-defined" and "Vendor-defined".
-If a DHCP server can't be installed in a small LAN then just use APIPA.
-DHCP lease generation process: IP lease request, offer, selection and acknowledgment. At 50% and 87.5% of the lease duration the client will try to renew the lease.
-Common scope options are domain name, DNS/WINS IP, and gateway IP. Less common are NetBIOS over TCP/IP name resolution and NetBIOS scope ID.
-4 levels of scope options: 1. Server level (options apply to all DHCP clients) 2. Scope level (options apply only to a certain scope) 3. Class level (vendor/user-defined classes) 4. Reserved client level (specified clients).
-2 ways to load the DHCP service: 1. Add/Remove Programs in Control Panel 2. Admin Tools > Configure Your Server > Advanced > Optional Components.
-To create a superscope you need to create 2 standard scopes first, then combine them via the superscope.
-Win98 has to update DNS via DHCP (W2K does this automatically). Select the DHCP options "Dynamically update DNS" and "Enable updates for clients".
-A new DHCP server must be authorized in AD before it will work.
-View DHCP stats via "Display Statistics" on the Action menu of the DHCP console.
-Only Enterprise Admins can authorize DHCP servers in AD.
-If a new DHCP server isn't authorized it gets a red down arrow.
-Default DDNS setting in DHCP is "Update according to client request".
-Superscopes are used for managing more than one subnet on the same physical network and when you need more IPs than originally planned for.
Remote access:
-After RRAS is installed the service doesn't start until it is configured and enabled; also 5 L2TP and 5 PPTP ports are added.
-4 conditions can be set in a Remote Access Policy: service type, protocol, client IP, day/time restriction, group membership (not RAS encryption). Permissions consist of: allow/deny access, control access through remote access policy.
-Default RRAS policy setting "Allow access if dial-in permission is enabled" is disabled by default. In mixed mode the remote access policy is not available (allow and deny only).
-RRAS settings are checked in the order described: conditions, then permissions, then profile.
-PPTP and L2TP are used to establish a VPN connection.
-Set up RAS on W2K Pro via the Network Connection Wizard.
-Two ways to specify the W2K server to connect to via VPN: IP address or host name.
-BAP and PPP Multilink are used for combining two lines; BAP allows you to add or drop lines on the fly depending on bandwidth use etc. (controlled through the RRAS profile tab).
-4 authentication protocols supported (from least to most secure): PAP = clear text; SPAP (Shiva) = encrypts the password; MD5-CHAP = challenge/response and encrypts; MS-CHAP = similar to CHAP and also uses MS Point-to-Point Encryption (MPPE) to encrypt. CHAP is most secure for non-MS clients; for MS clients use MS-CHAP.
-RADIUS enables an ISP to perform authentication for the client; the request goes to an IAS server.
-VPN encryption protocols are MS Point-to-Point Encryption (MPPE) and IPSec. MPPE encrypts between a PPTP connection and the VPN server (40- and 128-bit schemes). IPSec is new and has policies included. Data encryption is only available after authenticating via MS-CHAP or EAP.
-Configure IPSec via "IP Security Policy Management".
-RRAS events can be seen in the Application event log. Enable detailed RRAS logs via the RRAS snap-in, under the RRAS server object, in the Remote Access Logging folder.
-Use a NAT server to provide some Internet connectivity for some users.
-RRAS policies are created via the RRAS console and stored locally, not in AD.
-Default settings for the RRAS policy and the dial-in settings on the user account deny remote access. The RRAS profile could also be configured to deny access.
-If VPN clients are timing out then one of your VPN servers could be down.
-Callback security often doesn't work with Multilink (Multilink needs two lines); it will only call back on one line. ISDN works normally because it has only one number.
-For the RRAS server to automatically get IPs from a DHCP server on a different subnet, use a DHCP Relay Agent on the RRAS box.
-RRAS dial-in access is defined via user objects in AD and the RRAS policy; both are needed for access. If one or the other is disabled or not defined then no access is granted.
-Authentication protocols are MS-CHAP v2 and MS-CHAP by default. If EAP is enabled you can use smart cards, MD5-Challenge, PAP, SPAP, unauthenticated.
-A VPN server can use DHCP or a range of IPs for clients. The first time a VPN server starts it creates 128 L2TP and 128 PPTP ports (more can be created later if needed).
-If FTP-only access is wanted: Advanced Options of TCP/IP, enable TCP port 21 only; all others will be denied.
-Security analysis compares the settings in the database to the settings on the target computer; anything changed on the PC that is not defined in the database will not get a red or green checkmark.
-If the PC is not a server or part of a domain then Network Connection Manager can be used to set up incoming calls. If the box is a server or part of a domain then RRAS is needed.
-The RRAS console is installed automatically with W2K Server (console only).
-Tabs available for Remote Access Profiles: RAS Encryption; Dial-in Constraints; Multilink; IP settings; Authentication; Encryption; Advanced (RADIUS).
-To implement NAT: demand-dial connection/RRAS, load NAT and bind it to both interfaces, use private addresses internally. Do not load two IPs on one interface.
-If NAT is installed via ICS the internal LAN NIC is configured as 192.168.0.1. Need to change all workstation IPs to that network number (192.168.x.x). Should not use a DC as a NAT server.
-Encapsulation and encryption used:
-W2K uses RC4 stream cipher encryption, which employs MD4.
-Extensible Authentication Protocol-Transport Level Security (EAP-TLS) is used for VPN certificates.
-Generic Routing Encapsulation (GRE) is used by PPTP to encapsulate PPP frames for the VPN.
-L2TP over IPSec is another VPN protocol.
-W2K PPTP connections support 128-bit RC4 and 40-bit RC4 ciphers.
-If going through NAT and mail isn't being received, you can change your DNS record for the mail server to the NAT's external address.
-UDP port 1701 is used for L2TP over IPSec; 21=FTP, 1723=PPTP, 23=Telnet, 53=DNS, 119=NNTP, 110=POP3, 25=SMTP.
-A DHCP server must be authorized before it will work: Sites & Services > select server > Authorize.
-A DHCP scope conforms to a single subnet; a superscope combines different subnets into a single scope; a multicast scope is for 224.0.0.0 through 239.255.255.255.
-You can configure a DNS server to listen on just one interface (if 2 are installed), e.g. so queries on the other IP subnet are not served. Default is to listen on all IPs.
-If a member server is to be a DNS server: Control Panel, add DNS (reboot not required).
-W2K can be a RADIUS client and server (RRAS).
-L2TP provides tunneling but not encryption (relies on other technology like IPSec for encryption).
-PPTP provides tunneling and encryption by itself. Uses PPP for encryption and doesn't support tunnel authentication (can use PPP and IPSec together for encryption, which would allow it to support tunnel authentication but would be very slow).
-L2TP supports header compression, PPTP doesn't (this makes for smaller overhead: 4 bytes vs. 6 bytes). L2TP supports tunnel authentication, PPTP doesn't.
-PPTP requires an IP-based network; L2TP requires that the tunnel supports packet-oriented, point-to-point connectivity (doesn't have to be IP based).
-High level: the difference between PPTP and L2TP is that L2TP provides tunnel authentication and header compression, PPTP doesn't.
-SLIP transmits authentication passwords in clear text (bad).
-A RAS server in a native-mode domain can have a callback number with unlimited characters; in mixed mode the number of characters is 128.
-Remote access policies cover groups (not individuals), service type, framed protocol, and day/time restrictions.
-When logging in remotely with a vendor-supplied auth tool (smart card etc.) the user should use the preconfigured dial-in connection from the logon box.
-Can't use a smart card when promoting a server to a DC, when configuring a remote access connection, or when joining a computer to a domain.
-Authentication protocols in a domain and between domains are Kerberos v5 (default) and NTLM (default for NT4).
-RRAS Verify Caller-ID is to verify where the call is coming from (someone's house).
-If the RRAS server also has IAS for RADIUS installed (to give more options in remote access policy) then the following are required: "Client-IP-Address", "NAS-IP-Address", and "Client-Friendly-Name".
-RRAS can get IPs from DHCP but doesn't integrate with DHCP. If DHCP is down then RRAS will issue APIPA addresses (169.254.x.x).
-EAP (Extensible Authentication Protocol) allows the client and RRAS server to negotiate which protocol to use for authentication. EAP supports generic token cards, MD5-CHAP, and TLS (Transport Layer Security).
-RRAS requires that the conditions of at least one policy be met; if there is no policy then all users are denied.
-RRAS in mixed mode: the default policy is overridden by dial-in permissions.
-3 types of incoming connections are direct, modem, VPN.
-NT4 doesn't support RRAS policies. Default setting for users in the Dial-in tab is "Control access through Remote Access Policy" (NT4 interprets this as deny access).
Network Protocols:
-IP connectivity: ipconfig; ping loopback; ping default gateway; ping remote host.
-ipconfig to check your IP configuration.
-NetBEUI is self-configuring, uses little memory and has error protection. Is chatty (broadcasts), uses more bandwidth than others. Can't use Active Directory with NetBEUI.
-For NetWare clients to connect to W2K use NWLink and File and Print Services for NetWare.
-The internal network number uniquely identifies NWLink PCs on the network (like an IP address).
-If multiple frame types are detected on the network and the NIC is configured for auto-detect, NWLink will bind with 802.2 only; it's important to set the frame type manually in multi-frame-type networks.
-Command line for checking IPX info is ipxconfig. Another is ipxroute config. This also allows RIP tables or static routes to be set, changed or viewed.
-For 2 nodes to talk on an IPX network the network number and frame type must be the same. The network number is 8 hex digits.
-In a multiprotocol network the W2K server will try to connect with the first protocol bound to the NIC.
-Only bind the protocols you need when multiple NICs are installed.
-The TCP/IP protocol IPSec is used for authentication and encryption.
-When setting up IPSec: select the security level (Client, Server or Secure Server), then select the authentication method.
-To create IPSec policies for the domain use Domain Security Policy.
-Default IPSec mode is transport mode, used for peer-to-peer connections.
-IPSec can also be in tunnel mode (for tunnels between routers, for security between networks). To set tunnel mode, both ends must be specified by pointing at the other computer in the tunnel endpoint setting.
-3 types of authentication in IPSec are: preshared keys, Kerberos V5, certificates.
-To use biometric devices for security use EAP on the RRAS server and EAP in the RAS policy.
-RRAS policy defaults for encryption: Basic, Strong and No Encryption.