INF314 Journey into the Mysteries of Windows Server 2003 Networking Services

Erik Rozman

Mercury Interactive

Transcript posted 19-Dec-2015


Agenda

• The importance of networking services

• DHCP
– Overview
– Using scope options
– Superscopes (using multiple scopes)
– Detecting duplicates (server-side / client-side)
– The virtues of the DHCP Client service

• DNS
– Overview
– Mixing DDNS and DHCP
– Using DNS as a load balancer
– Cleaning up the information
– DNS and the command line

• IAS
– Overview

• Is there a future for infrastructure services?
– NAP overview

Infrastructure Services: The untold story

• How do you define a modern network?

• Infrastructure services provide the foundation for all services provided by a computer network.

• An infrastructure service may be your friend or your foe; it all depends on how you treat it.

Strong Foundations, Strong Structure

Diagram: the network as a stack of layers, top to bottom.

• Client-facing applications: Exchange, file servers, etc.
• Networking services: DHCP, DNS, WINS, IAS, etc.
• Operating system: permissions, registry, etc.
• Hardware components: servers, routers, switches, cabling, etc.

Pull a lower layer out and everything above it falls: OOPS!! Bye bye.

DHCP: Basic process

• DHCP is a protocol that automates the distribution of IP addresses.

• Its major advantage is that it takes care of a relatively tedious chore automatically and relatively safely.

• DHCP can be more than meets the eye, for better and for worse.

The lease exchange, shown on the slide as four broadcasts (a client that does not yet hold an address cannot be reached by unicast; a client that clears the BROADCAST flag may receive the Offer and Ack as unicast to the offered address):

DHCPDiscover (broadcast)

DHCPOffer (broadcast)

DHCPRequest (broadcast)

DHCPAck (broadcast)

User Class

• Each DHCP client has a User Class.

• The default User Class is the empty one (none).

• When a client requests information from a DHCP server it presents its User Class (DHCP option 77).

• The server provides only the options defined for the User Class presented. The class is a string the client chooses to send: it selects a configuration set, it does not authenticate the client.

Diagram: a Conference Room VLAN (network 10.0.0.0) and a Corporate VLAN, joined to each other and to the Internet through two gateways, 10.0.0.2 and 10.0.0.3 (their far-side interfaces appear on the slide as 20.0.0.2 and 20.0.0.3).

Scope 10.0.0.0
Range: 10.0.0.10-254
SM: 255.255.255.0
DG: 10.0.0.3
DG [Corporate]: 10.0.0.2

Guest client: "IP info?" → DG: 10.0.0.3

Corporate client: "IP info? [Corporate]" → DG [Corporate]: 10.0.0.2

Demo: User Class in Action

• User Class configuration (GUI + scripting)
– Server-side
– Client-side

• Displaying how the settings affect clients

One Scope will Rule Them All

Diagram: two networks, 10.0.0.0 and 20.0.0.0, joined by a router (20.0.0.5 / 10.0.0.5). The DHCP server (IP 20.0.0.2, SM 255.255.255.0) sits on 20.0.0.0 and holds a scope for each network; a DHCP Relay Agent (20.0.0.11 and 10.0.0.11 appear on the slide) forwards the "IP info?" broadcasts from the 10.0.0.0 network to it, so clients on both networks are served from the one server.

Scope 10.0.0.0
Range: 10.0.0.10-254
SM: 255.255.255.0
DG: 10.0.0.3

Scope 20.0.0.0
Range: 20.0.0.10-254
SM: 255.255.255.0
DG: 20.0.0.3

Demo: Multiple Scopes

• Demonstrating the process when multiple scopes are used:
– Server
– Client
– Network trace

Superscopes

• In some cases it is beneficial to override the DHCP server's default behaviour when multiple scopes are used (by default a request is served only from the scope whose subnet it arrived on).

• If addresses from multiple scopes have to be assigned on one physical network, a Superscope has to be configured.

• A Superscope is a container for multiple scopes: addresses are assigned from the first member scope to the last, regardless of which member subnet the request matched.

Demo: SuperScopes

• Configuration
• Mode of operation
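The two server-side decisions the last sections describe, which scope a request is served from (relay agent, direct broadcast, superscope) and which option set goes into the offer (user class), worked through in Python. This is an added example written for this transcript, not code from the deck or from the Windows DHCP server. Scope ranges, routers and the "Corporate" class are the slide's values; the relay agent address 10.0.0.11 and the constructed options field are assumptions.

```python
"""Server-side selection in a Windows-style DHCP server: which scope serves a
request and which options go into the offer (added example, not Windows code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

USER_CLASS = 77   # DHCP option carrying the client's user class string


def user_class_from_options(raw):
    """Return the option-77 value from a DHCP options field, b"" if absent."""
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if code == USER_CLASS:
            return value         # opaque bytes; the server only compares them
        i += 2 + length
    return b""


@dataclass
class Scope:
    network: IPv4Network
    first: IPv4Address
    last: IPv4Address
    options: dict                                       # options for the default (empty) class
    class_options: dict = field(default_factory=dict)   # user class -> option overrides
    leased: set = field(default_factory=set)

    def free_address(self):
        a = self.first
        while a <= self.last:
            if a not in self.leased:
                return a
            a += 1
        return None


def select_scopes(scopes, superscopes, giaddr, server_if):
    """Scope(s) a DHCPDISCOVER may be served from (RFC 2131 section 4.3.1).

    A relayed request carries the relay's address in giaddr, which identifies
    the client's subnet; a directly received broadcast is matched against the
    receiving interface. A superscope widens the match to all member scopes,
    tried first to last.
    """
    anchor = server_if if giaddr == IPv4Address("0.0.0.0") else giaddr
    direct = [s for s in scopes if anchor in s.network]
    if not direct:
        return []
    for members in superscopes:
        if direct[0] in members:
            return list(members)
    return direct


def offer(scopes, superscopes, giaddr, server_if, user_class=b""):
    """(address, options) the server would put in its DHCPOFFER, or None if full."""
    for scope in select_scopes(scopes, superscopes, giaddr, server_if):
        addr = scope.free_address()
        if addr is None:
            continue
        scope.leased.add(addr)
        opts = dict(scope.options)
        # The class is whatever the client chose to send: it selects an option
        # set, it does not prove the client is a corporate machine.
        opts.update(scope.class_options.get(user_class, {}))
        return addr, opts
    return None


def slide_scopes():
    s10 = Scope(IPv4Network("10.0.0.0/24"), IPv4Address("10.0.0.10"), IPv4Address("10.0.0.254"),
                options={"subnet_mask": "255.255.255.0", "router": "10.0.0.3"},
                class_options={b"Corporate": {"router": "10.0.0.2"}})
    s20 = Scope(IPv4Network("20.0.0.0/24"), IPv4Address("20.0.0.10"), IPv4Address("20.0.0.254"),
                options={"subnet_mask": "255.255.255.0", "router": "20.0.0.3"})
    return s10, s20


def run_demo():
    s10, s20 = slide_scopes()
    scopes, zero, srv = [s10, s20], IPv4Address("0.0.0.0"), IPv4Address("20.0.0.2")
    relay = IPv4Address("10.0.0.11")      # assumption: relay agent on the 10.0.0.0 side
    r = {}
    r["local_client"] = offer(scopes, [], zero, srv)
    r["relayed_guest"] = offer(scopes, [], relay, srv)
    cls = user_class_from_options(b"\x35\x01\x01\x4d\x09Corporate\xff")  # constructed options field
    r["relayed_corporate"] = offer(scopes, [], relay, srv, cls)
    r["relayed_guest_claiming_corporate"] = offer(scopes, [], relay, srv, b"Corporate")
    # Exhaust 20.0.0.0: without a superscope a local client gets nothing,
    # with superscope [20.0.0.0, 10.0.0.0] it is served from 10.0.0.0.
    s20.leased.update(IPv4Address(int(s20.first) + i) for i in range(int(s20.last) - int(s20.first) + 1))
    r["full_no_superscope"] = offer(scopes, [], zero, srv)
    r["full_with_superscope"] = offer(scopes, [[s20, s10]], zero, srv)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The guest that sends "Corporate" in option 77 gets the corporate gateway just like the real corporate client; user classes are a convenience for handing out different options, not a control. Anything that must separate guests from staff has to be done at the switch or VLAN level, or with 802.1X through IAS.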

Detecting Duplicates

• A TCP/IP network has one cardinal rule: no two hosts may use the same IP address.

• When two hosts are configured with the same IP address, the second host to start up will not be able to function on the network (on most TCP/IP implementations).

• Since a DHCP server uses a database to track leased addresses it should never run into this, yet the world is not perfect: statically configured hosts and stale lease databases still produce duplicates.

Detecting Duplicates – DHCP Server

• The DHCP server has a built-in mechanism that checks whether an address it is about to lease is already in use.

• It does so by pinging (ICMP echo) the address it is about to lease. If the server receives an answer, it does not lease the address.

• In addition it marks the address as BAD_ADDRESS, which keeps it out of the pool until an administrator returns it to the scope.

• Conflict detection is disabled by default (the number of detection attempts is 0). Two caveats when enabling it: each attempt adds delay to every new lease, and only hosts that answer ICMP echo are detected; a host whose firewall drops echo requests (Windows Firewall does so by default from XP SP2 on) stays invisible to the check.

Demo: Conflict Detection

• Configuration of conflict detection on the server

• In action (returning the address to the scope)

• Network trace (showing the ICMP messages)

Detecting Duplicates: Client Side

• As stated earlier, if two clients are assigned the same IP address the second client to start will not be able to use its TCP/IP stack to communicate.

• This is achieved by a mechanism that is built into the TCP/IP stack.

• When a client is assigned an IP address (static or dynamic), before it starts to use it the client sends out an ARP query for that address. An answer means another host already holds it and the client refuses to bind the address; a DHCP client then sends a DHCPDECLINE, which makes the server mark the address bad as well.
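Both halves of duplicate detection, the server's ping before an offer (with the BAD_ADDRESS parking and the administrator's reclaim) and the client's ARP query before binding, modelled in Python. This is an added example for this transcript, not code from the deck or from Windows. The ping is injected as a callable and the "printer" that answers it is constructed, so everything runs offline; addresses are the slide's 10.0.0.0/24 scope and the MAC addresses are made up.

```python
"""Duplicate-address detection on both sides of a lease (added example)."""
import struct
from ipaddress import IPv4Address

BAD_ADDRESS = "BAD_ADDRESS"


class Scope:
    def __init__(self, first, last, conflict_attempts=0):
        self.first, self.last = IPv4Address(first), IPv4Address(last)
        self.attempts = conflict_attempts   # Windows default: 0 (detection off)
        self.leases = {}                    # address -> client id or BAD_ADDRESS

    def lease(self, client_id, ping):
        """Offer the lowest free address, probing it first when detection is on."""
        a = self.first
        while a <= self.last:
            if a in self.leases:
                a += 1
                continue
            if any(ping(a) for _ in range(self.attempts)):
                # Something answered the echo: park the address so it is never
                # offered until an administrator deletes the BAD_ADDRESS entry.
                self.leases[a] = BAD_ADDRESS
                a += 1
                continue
            self.leases[a] = client_id
            return a
        return None

    def reclaim_bad(self):
        """Administrator action: return every BAD_ADDRESS entry to the pool."""
        bad = [a for a, who in self.leases.items() if who == BAD_ADDRESS]
        for a in bad:
            del self.leases[a]
        return bad


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame (42 bytes). op 1 = request, 2 = reply."""
    dst = b"\xff" * 6 if op == 1 else target_mac
    return (dst + sender_mac + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet/IPv4, 6+4 byte addresses
            + sender_mac + IPv4Address(sender_ip).packed
            + target_mac + IPv4Address(target_ip).packed)


def arp_probe(candidate, my_mac):
    """Client side: ask 'who has <candidate>?' before binding it. The sender IP
    is 0.0.0.0 because the client does not own the address yet."""
    return arp_frame(1, my_mac, "0.0.0.0", bytes(6), candidate)


def is_conflict_reply(frame, candidate):
    """True if an ARP reply claims the candidate address (a duplicate exists)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    op = struct.unpack("!H", frame[20:22])[0]
    return op == 2 and IPv4Address(frame[28:32]) == IPv4Address(candidate)


def run_demo():
    printer = IPv4Address("10.0.0.10")           # constructed: statically configured, answers ping
    ping = lambda a: a == printer
    off = Scope("10.0.0.10", "10.0.0.254")       # default configuration
    on = Scope("10.0.0.10", "10.0.0.254", conflict_attempts=2)
    r = {"without_detection": off.lease("client-A", ping),   # 10.0.0.10: collides with the printer
         "with_detection": on.lease("client-A", ping)}       # 10.0.0.11
    r["parked"] = on.leases[printer]
    r["reclaimed"] = on.reclaim_bad()
    # Client side: the host that already owns 10.0.0.10 answers the probe.
    mac_client, mac_printer = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    probe = arp_probe("10.0.0.10", mac_client)
    reply = arp_frame(2, mac_printer, "10.0.0.10", mac_client, "0.0.0.0")
    r["client_sees_conflict"] = is_conflict_reply(reply, "10.0.0.10")
    r["probe_itself_is_not_a_conflict"] = is_conflict_reply(probe, "10.0.0.10")
    return r


if __name__ == "__main__":
    print(run_demo())
```

A printer that drops ICMP echo would pass the server's check and still answer the client's ARP; the two mechanisms cover different gaps, which is why the deck demonstrates both.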

Virtues of the DHCP Client service (DNS registration)

• In a DDNS environment clients update their own resource records.

• It is somewhat surprising to realize that the software responsible for the dynamic update of resource records is the DHCP Client service.

• Even on a machine where DHCP is not used because the client is configured with a static IP address, the service still has the job of registering the machine's A and PTR records.

• If the service is disabled as part of a hardening baseline, the machine's records will no longer be registered or refreshed.

Demo – DHCP Client Service

• ipconfig /registerdns
– With and without the DHCP Client service running

DNS: Overview

• The Domain Name System (DNS) is the main name resolution mechanism used by the TCP/IP protocol suite.

• Name resolution is the process of "translating" a user-friendly name into an unfriendly IP address.

• Human beings are comfortable remembering friendly names but uncomfortable using numeric addresses, so a mechanism such as DNS is a necessity.

Danger: DHCP & DDNS

• DNS is the map of a network: the records users look up point at the IP addresses the systems use.

• DHCP can be used to update dynamic records in DNS on behalf of clients.

• By default the DHCP server registers both the A and PTR records for pre-Windows 2000 clients, which cannot update DNS themselves, while for Windows 2000 or later clients (which register their own A record) it registers only the PTR record, at the client's request.

• If records are updated fraudulently, users are directed to the wrong resources: whoever controls a name controls where its traffic goes.

• To prevent this, DDNS in AD-integrated mode (secure dynamic update) places an ACL on each record and grants update rights exclusively to the record's owner, the security principal that created it.

Danger: DHCP & DDNS

• The ACL solution is perfect for post-2000 clients, which register their own records.

• Pre-2000 clients use the DHCP server to register their records, so the owner of those records is the DHCP server's computer account.

• Two issues follow from this:

– If the client is replaced with a post-2000 system under the same name, it will not be able to update its own record.

– If the client may obtain an IP address from more than one DHCP server (including the nodes of a DHCP cluster), the record update process becomes problematic, since only the server that created the record may change it.

Demo – DHCP & DDNS

• Configuring the user account
• In action

Danger: DHCP & DDNS & DC

• It is very important to understand why it is not advisable to install a DHCP server on a domain controller.

• If the DHCP server is installed on a DC, the computer account it uses for DNS updates is the DC's own account, which has full permissions on the DC's records.

• A client served by that DHCP server can abuse this privilege: by presenting the right host name it can get the DHCP server to overwrite the DC's records with the DC's own credentials. If DHCP must run on a DC, configure the service to perform its DNS updates with a dedicated, low-privilege account (the account configured in the demo) rather than the computer account.
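The ownership rule behind secure dynamic update, and the three situations the last two sections derive from it (a reinstalled client, a second DHCP server, DHCP on a DC), reduced to a small Python model. This is an added example for this transcript, not code from the deck or from the Windows DNS server. An AD-integrated zone is represented as a dictionary of records tagged with the principal that created them; the principal names (CLIENT1$, WS9$, DHCPSRV$, DHCPSRV2$, DC1$, svc-dhcp-dns) and addresses are constructed.

```python
"""Secure dynamic update reduced to its ACL rule: a record may be changed only
by the principal that created it (added example, not Windows code)."""


class UpdateRefused(Exception):
    pass


class SecureZone:
    def __init__(self, name):
        self.name = name
        self.records = {}   # fqdn -> {"owner": principal, "A": address}

    def update(self, principal, host, address):
        fqdn = f"{host}.{self.name}"
        rec = self.records.get(fqdn)
        if rec is None:
            # First registration creates the record; the creator becomes its owner.
            rec = self.records[fqdn] = {"owner": principal, "A": address}
        elif rec["owner"] != principal:
            raise UpdateRefused(f"{principal} may not change {fqdn} (owner {rec['owner']})")
        else:
            rec["A"] = address
        return rec


def try_update(zone, principal, host, address):
    """Return the resulting address, or "refused" when the ACL blocks the update."""
    try:
        return zone.update(principal, host, address)["A"]
    except UpdateRefused:
        return "refused"


def run_demo():
    zone, r = SecureZone("acme.com"), {}
    # Post-2000 client: registers its own A record, so its computer account owns it.
    zone.update("CLIENT1$", "ws1", "10.0.0.20")
    r["client_updates_own_record"] = try_update(zone, "CLIENT1$", "ws1", "10.0.0.21")
    # Pre-2000 client: the DHCP server registers on its behalf and becomes the owner.
    zone.update("DHCPSRV$", "ws9", "10.0.0.30")
    # Issue 1: the same name on a new, post-2000 system cannot take the record over.
    r["reinstalled_client"] = try_update(zone, "WS9$", "ws9", "10.0.0.31")
    # Issue 2: a second DHCP server (cluster node, or another server that leased
    # to the same client) cannot refresh a record the first server created.
    r["second_dhcp_server"] = try_update(zone, "DHCPSRV2$", "ws9", "10.0.0.32")
    # DHCP on a DC: the service registers with the DC's own computer account,
    # which owns the DC's records, so a client host name of "dc1" rewrites the
    # DC's A record instead of being refused.
    zone.update("DC1$", "dc1", "10.0.0.1")
    r["dc_record_via_dhcp_on_dc"] = try_update(zone, "DC1$", "dc1", "10.0.0.99")
    # Fix from the demo: DHCP performs its updates under a dedicated account.
    zone.update("DC1$", "dc1", "10.0.0.1")
    r["dc_record_via_dedicated_account"] = try_update(zone, "svc-dhcp-dns", "dc1", "10.0.0.99")
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Windows offers the DnsUpdateProxy group for the first two issues: records created by a member of that group carry no owner, so the next principal to touch them can take ownership. That removes the protection for those records entirely, so the dedicated-account approach the demo shows is the safer of the two.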

Load Balancing with DNS (Round Robin)

Diagram: three web servers, 10.0.0.1, 10.0.0.2 and 10.0.0.3, behind one DNS server.

Zone: acme.com.
www  10.0.0.1
www  10.0.0.2
www  10.0.0.3

Demo: Load Balancing with DNS (Round Robin)

• Configuration
• Client side

DNS: Optimizing Client access to resources

Diagram: the same www record set spread across three subnets, queried by a client on the third.

Servers: 10.1.0.1/16, 10.2.0.2/16, 10.3.0.3/16

Zone: acme.com.
www  10.1.0.1
www  10.2.0.2
www  10.3.0.3

Client: 10.3.0.100/16

Demo: Optimizing Client access to resources

• Configuration
• Client access
• Disabling netmask ordering (subnet prioritization) on the client side
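Round robin and netmask ordering as the two diagrams draw them, plus the client-side subnet prioritization the demo switches off, worked through in Python. This is an added example for this transcript, not code from the deck or from the Windows DNS server or resolver. The records and the client address 10.3.0.100 are the slide's; the remote client 192.0.2.7 is constructed; the comparison prefix is a parameter because the server's netmask setting is an assumption (the code defaults to /24).

```python
"""Round robin and netmask ordering for www.acme.com (added example)."""
from ipaddress import IPv4Address, IPv4Network

WWW_RECORDS = ["10.1.0.1", "10.2.0.2", "10.3.0.3"]   # www.acme.com A records on the slide


def round_robin(records, query_count):
    """Rotate the answer list by one position per query served."""
    k = query_count % len(records)
    return records[k:] + records[:k]


def netmask_order(records, client_ip, prefix=24):
    """Records on the client's subnet first; relative order otherwise preserved."""
    client = IPv4Address(client_ip)

    def near(r):
        return client in IPv4Network(f"{r}/{prefix}", strict=False)

    return [r for r in records if near(r)] + [r for r in records if not near(r)]


def server_answer(records, client_ip, query_count, round_robin_on=True, netmask_on=True, prefix=24):
    """The answer section the server returns for one query."""
    out = list(records)
    if round_robin_on:
        out = round_robin(out, query_count)
    if netmask_on:
        out = netmask_order(out, client_ip, prefix)
    return out


def client_view(answer, client_ip, prioritize=True, prefix=24):
    """What the application sees after the resolver's own subnet prioritization."""
    return netmask_order(answer, client_ip, prefix) if prioritize else list(answer)


def run_demo():
    remote, local = "192.0.2.7", "10.3.0.100"   # remote client constructed; local client from the slide
    r = {}
    r["rr_remote_q0"] = server_answer(WWW_RECORDS, remote, 0)
    r["rr_remote_q1"] = server_answer(WWW_RECORDS, remote, 1)
    r["rr_remote_q2"] = server_answer(WWW_RECORDS, remote, 2)
    # Local client: round robin rotates, netmask ordering pulls 10.3.0.3 back to the front.
    r["local_q1_netmask_on"] = server_answer(WWW_RECORDS, local, 1)
    r["local_q1_netmask_off"] = server_answer(WWW_RECORDS, local, 1, netmask_on=False)
    # Even with server-side ordering off, a prioritizing resolver reorders it again.
    r["local_q1_client_prioritized"] = client_view(r["local_q1_netmask_off"], local)
    r["local_q1_client_plain"] = client_view(r["local_q1_netmask_off"], local, prioritize=False)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two things the model makes visible: a client on the same subnet as one of the servers never rotates unless both the server's netmask ordering and the resolver's prioritization are off, and round robin has no notion of health, so a server that is down still receives its share of clients until someone removes its record.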

DNS and the command line

There are several command line tools that can be used with DNS:

– NSLOOKUP: in essence a stripped-down DNS resolver. It shows the user the same information a resolver is given.

– DNSCMD: configures the DNS service from the command line.

– DNSLINT: an all-round tool for testing DNS zones and the surrounding environment.

Demo: DNS Tools

• DNSCMD
• DNSLINT
• http://www.dnsstuff.com/

Internet Authentication Service: Overview

• Today a large number of connection methods to corporate networks exist in addition to direct access:
– VPN
– Wireless access points

• Different vendors provide different Network Access Server (NAS) equipment.

• Since each NAS comes from a different vendor, a consolidated way of implementing the three A's of security (authentication, authorization and accounting) was needed.

Internet Authentication Service: RADIUS

• The obstacle of diversity has been overcome by the adoption of the Remote Authentication Dial-In User Service (RADIUS) protocol.

• RADIUS provides a standardized way of passing authentication data from any NAS to one centralized database; with IAS that database is Active Directory, so the NAS itself needs nothing but a shared secret with the RADIUS server.

• The Internet Authentication Service (IAS) is Microsoft's RADIUS server implementation.

Internet Authentication Service: Mode of Operation

Diagram: a VPN/dial-up server, a departmental switch and a wireless access point (the NASs) each forward their authentication requests over RADIUS to the IAS server, shown alongside the DHCP and DNS servers.
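The exchange the diagram draws between a NAS and IAS, an Access-Request and the server's reply, built and verified in Python exactly as RFC 2865 specifies, so that it is clear what the shared secret actually protects. This is an added example for this transcript, not code from the deck or from IAS; the shared secret, user name, password and NAS address are constructed values.

```python
"""A RADIUS Access-Request from a NAS to the RADIUS server and the signed
reply, per RFC 2865 (added example, not IAS code)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server does, and what anyone holding the secret can do."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def attributes(packet):
    """Yield (type, value) pairs from a packet's attribute section."""
    i = 20
    while i + 2 <= len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2:
            break
        yield kind, packet[i + 2:i + length]
        i += length


def access_request(ident, secret, user, password, nas_ip):
    """NAS side: Code, Identifier, Length, Request Authenticator, attributes."""
    authenticator = os.urandom(16)              # fresh random value per request
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(x) for x in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_reply(request, secret, valid_users):
    """Server side: recover the password, decide, sign with the Response Authenticator."""
    fields = dict(attributes(request))
    password = unhide_password(fields[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if valid_users.get(fields[USER_NAME]) == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, request[1], 20)      # no reply attributes in this model
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def verify_reply(request, reply, secret):
    """NAS side: trust the reply only if its authenticator matches this request and the secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected


def run_demo():
    secret, users = b"correct horse battery staple", {b"alice": b"s3cret!"}   # constructed
    req = access_request(7, secret, b"alice", b"s3cret!", "10.0.0.50")
    ok = server_reply(req, secret, users)
    bad = server_reply(access_request(8, secret, b"alice", b"wrong", "10.0.0.50"), secret, users)
    forged = ok[:4] + bytes(16) + ok[20:]            # an Accept nobody signed with the secret
    return {"accept": ok[0] == ACCESS_ACCEPT and verify_reply(req, ok, secret),
            "reject": bad[0] == ACCESS_REJECT,
            "forged": verify_reply(req, forged, secret),
            "other_secret": verify_reply(req, ok, b"different"),
            "password_recovered_with_secret":
                unhide_password(dict(attributes(req))[USER_PASSWORD], secret, req[4:20])}


if __name__ == "__main__":
    print(run_demo())
```

Everything here rests on one MD5-keyed shared secret carried over UDP: the password hiding is an XOR with a secret-derived stream, and the Response Authenticator is the only thing stopping a forged Access-Accept. Use long random secrets, one per NAS, restrict the RADIUS clients IAS accepts by address, and carry the traffic over IPsec where the NAS supports it.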

The future: NAP!!

• Network Access Protection (NAP) is a policy enforcement platform built into Microsoft Windows Vista and Windows Server "Longhorn".

• With Network Access Protection, customized health policies can be created to validate a computer's health before allowing it access to, or communication on, the network.

Books, Links, Resources

• Charles Kozierok, The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference

• Joseph Davies and Thomas Lee, Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference

• Douglas E. Comer, Internetworking with TCP/IP Vol. 1: Principles, Protocols, and Architecture (4th Edition)

Summary

• Networking services are not dead!

• Networking services provide the foundation of every client-facing application.

• Correct and efficient configuration of the services described in this session is the basis of a healthy networking environment.

Thank You!!!

The Nomad (Temp Name)

• One of the benefits of using DHCP is that clients can move among networks without manual intervention.

• On the other hand this benefit poses a challenge. IP addresses are leased for a period of time; couple that with a DHCP client's behaviour on start-up and we are in for a ride, as we will see.

The Nomad: Issues

• Let us have a closer look at the behaviour that may cause issues for nomadic users:

– Lease: the DHCP server leases IP configuration information to its clients for a period of time. The lease period is useful in case of a DHCP server crash: clients that already hold a lease do not need the server until the lease runs out, and they keep functioning on the network even while the DHCP server is down.

– Startup: when a DHCP client starts up it attempts to renew its TCP/IP configuration directly (a DHCPREQUEST for the address it last held). If the server is unavailable and the client's lease is still valid, the client keeps using the TCP/IP settings it used before, whether or not it is still on the network those settings belong to.

The Nomad: Issues

Diagram: networks 10.0.0.0 and 20.0.0.0 joined by a router (10.0.0.5 / 20.0.0.5); a DHCP server at 10.0.0.2 on the 10.0.0.0 network.

Scope 10.0.0.0
Range: 10.0.0.10-254
SM: 255.255.255.0
DG: 10.0.0.5
Lease length: 8 days

The client asks "IP info?" and leases 10.0.0.11, DG 10.0.0.5, lease length 8 days. Then it travels: New York! New York!
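The nomad's start-up behaviour from the last two slides, with the server modelled as a callable so the cases the deck contrasts (a server that answers at home, a server on the wrong subnet in New York, no server at all) run offline. This is an added example for this transcript, not code from the deck or from the Windows DHCP client. The home lease (10.0.0.11, DG 10.0.0.5, 8 days) is the slide's; the New York subnet 30.0.0.0/24 and the timestamps are assumptions. The gateway check in the model is the documented Windows 2000 and later refinement of the slide's rule: when no server answers, the client pings its old default gateway before trusting the stored lease, and autoconfigures if the gateway is gone.

```python
"""The nomad's DHCP client at start-up (added example, not Windows code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

DAY = 86400


@dataclass
class Lease:
    ip: IPv4Address
    router: IPv4Address
    obtained: int          # epoch seconds
    length: int            # seconds

    def valid_at(self, now):
        return now < self.obtained + self.length


def startup(lease, now, request, gateway_reachable=None):
    """Client behaviour on boot (RFC 2131 INIT-REBOOT).

    request(ip) models the broadcast DHCPREQUEST for the previous address and
    returns "ACK", "NAK" or None (nobody answered). gateway_reachable(router)
    is the ping Windows 2000+ clients add; None applies the slide's rule as stated.
    """
    if lease is None or not lease.valid_at(now):
        return "INIT"                       # nothing usable: start with DHCPDISCOVER
    reply = request(lease.ip)
    if reply == "ACK":
        return "BOUND"                      # still on the same network, lease renewed
    if reply == "NAK":
        return "INIT"                       # server says this address is wrong here
    # No server answered and the lease is still valid: keep the old configuration.
    if gateway_reachable is None or gateway_reachable(lease.router):
        return "BOUND_STALE"
    return "AUTOCONF"                       # old gateway gone: assume we moved, autoconfigure


def dhcp_server_for(subnet):
    """RFC 2131 server rule for INIT-REBOOT: NAK a request whose address is not on the client's subnet."""
    net = IPv4Network(subnet)
    return lambda ip: "ACK" if ip in net else "NAK"


def no_server(ip):
    return None


def run_demo():
    lease = Lease(IPv4Address("10.0.0.11"), IPv4Address("10.0.0.5"), obtained=0, length=8 * DAY)
    day3 = 3 * DAY
    home_gw = lambda router: router == IPv4Address("10.0.0.5")
    ny_gw = lambda router: False            # 10.0.0.5 is not reachable from New York
    return {
        "home": startup(lease, day3, dhcp_server_for("10.0.0.0/24"), home_gw),
        "home_dhcp_down": startup(lease, day3, no_server, home_gw),
        "new_york_with_dhcp": startup(lease, day3, dhcp_server_for("30.0.0.0/24"), ny_gw),
        "new_york_no_dhcp_slide_rule": startup(lease, day3, no_server),
        "new_york_no_dhcp_windows": startup(lease, day3, no_server, ny_gw),
        "lease_expired": startup(lease, 9 * DAY, no_server, ny_gw),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The ride the slides promise is the "new_york_no_dhcp_slide_rule" case: a laptop carrying a valid 8-day lease for 10.0.0.11 keeps that address on a network where it is meaningless. A branch office without a reachable DHCP server, or with a broken relay agent, produces exactly this, and the 8-day lease length decides how long the client will insist on it.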

Feedback

How do you submit feedback? At the end of each day, by e-mail and at the Beat Center.

What do you get? A "Feel The Beat" shirt, entry into a raffle for flight tickets (for those who submit feedback every day), i-mate devices and more...