DNS
You must set the "allow dynamic updates" for the DNS server when running as a standard primary zone.
To clear the DNS cache on a client computer, use ipconfig /flushdns command
Reverse lookup zones require PTR (pointer) records to be entered for each host that requires the reverse lookup feature.
The SOA (Start Of Authority) reord for a DNS zone contains settings for that zone, such as Refresh interval, TTL
When Server B requests a record form a zone on Server A, the TTL setting in the SOA record on server A effects how long that record will remain on Server B.
A Name Server record must be entered below the Primary zone SOA record for each server participating in replication for that zone
Installing DNS servers at remote locations reduces DNS traffic across slow WAN links. Client computers must be configured to query their local DNS server. (more from 55)
WINS
When a WINS server is added to a network, all clients must update their TCP/IP settings to include the WINS server (either manually, or through DHCP)
When using multiple WINS servers on the same network, the WINS servers must be set to be replication partners of each other.
Any computer not configured as a WINS client will not be automatically added into the WINS database. Windows NT clients use NetBIOS naming to locate domain controllers, and may not be able to log in to the domain unless both the client and the domain controller are WINS clients(if not in broadcast range).
If a client can not contact the first WINS server listed, it will contact the second in the list, and so on…
If a client can contact the WINS server, but the server is unable to resolve the name requested, the client will not continue to the other servers listed, but will begin to broadcast.
When using several WINS servers, the fastest replication occurs by using one WINS server to replicate with all others. This "central server" ensures that all servers are updated within two replications.
To add non-WINS computers to the WINS database mappings, you must use Static Mappings.
For push partners, you set WINS to replicate after a certain number of changes to the database. A setting of one would mean that replication would occur with every update.
For pull partners, you set WINS to replicate after a certain time interval.
The JETPACK command-line utility is used to compact the WINS database, and can only be run when the WINS service is stopped.
DHCP
A DHCP scope of Class D addresses must be established for multicasts
The command IPCONFIG /RENEW will cause a DHCP client to refresh it's DHCP lease.
DCHP relay must be installed to facilitate computers that are not on the same subnet as the DHCP server. DHCP relay agent setup involves installing the service and providing the service with the IP address of the DHCP server.
DHCP servers must be authorized in active directory before they can issue IP configuration to clients.
The DHCP database is located in the \system32\DHCP directory
To have a DHCP server compare scope entries to registry information "choose reconcile all scopes".
DHCP server must contain at least one scope per subnet.
TCP/IP
Sub-netting (refer to quizzes and table)
Port 80 is used for web site traffic, Port 443 for SSL
RIP is used to allow multiple routers in a network to share routing information, and by default does not restrict which routers can exchange information with the router.
When adding new routes, the -p switch makes the route permanent
The default gateway address is the address of your router
IGMP for multicasting? IP in IP #39+40+45,46
NAT
NAT configures with a public (real) IP address on the Internet of the router and a private (fake) IP address on the intranet (your network) side. NAT must be configured to enable network address translation and name resolution through the interface. With multiple public IP addresses, you can map an individual public IP address to a private internal address, allowing external traffic to reach internal resources.
NWLINK
When your network has servers using multiple frame-types (Netware 4.1 and Netware 3.11 servers) on the same network, you must manually configure your client computers to use BOTH frame types.
TOOLS
Network monitor can capture packets traveling across your subnet, as well as identifying others using Network Monitor on your subnet. To capture or monitor on a different subnet, you will have to run Network Monitor on a machine in the distant subnet.
To increase the time-span of Network Monitor's capture, you must increase the capture buffer size to accommodate the amount of data to be collected.
SNMP allows monitoring of TCP/IP statistics across a network. All computers involved must have the same community name. SNMP is non-platform specific, and can be run on any computer using TCP/IP. The computers in a management role have "Trap" software, and the clients send trap messages to the trap.
RRAS
MSCHAP v.2
For non-Windows based computers to authenticate with RAS, Basic Authentication should be enabled.
Multi-link must be enabled before users can connect with multiple devices. Bandwidth Allocation Protocol (BAP) helps multi-link environments adapt to changing bandwidth conditions.
A remote access policy must be configured for each different restriction setting group for clients.
Remote access policies are applied in the order of priority.
If your RAS server does not have DHCP services running, installing DHCP relay agent on the server will assist the clients in receiving an IP address when they connect to the network.
A RADIUS server centralizes administration of multiple RAS servers. Policies applied to the RADIUS server apply to all RAS servers.
Basic encryption is 40-bit, Strong encryption is 128-bit
Demand-Dial interfaces can be restricted by RRAS policy (time usage, filters, etc…)
A VPN connection is required to provide encryption over demand-dial links or other RAS connections.
SECURITY
For non-Windows based computers to authenticate, Basic Authentication should be enabled.
Default Secure Server IPSEC Policy? Encrypt communications between servers, but not communications to the internet.
To Implement an IPSec policy using Kerberos authentication, the IPSec policy must be applied to the domain controller, as well as the server. The client policy must be applied to the clients.
When applying TCP/IP filters, remember that the filters apply to a specific interface. Services that use multiple ports must have those ports allowed in the filter.
Example: HTTP uses port 80, while SSL uses 443. You must allow BOTH ports for secure web communication.
Certificate Services can be streamlined by adding a subordinate certificate authority to your network. This is true even if you are using a Third-Party CA to serve your certificates.
The Pre-Windows 2000 compatible access group exists to enable its members to bypass security measured implemented in Windows 2000 domains. Add users to this group when they log in to the domain through an NT4 based RAS or IIS server.
L2TP requires certificate services. PPTP does not.
|
