5.1 © 2004 Pearson Education, Inc.

Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure

Lesson 5: Planning Network Services

Goals

Design the DHCP infrastructure

Design the remote access infrastructure

Design remote access policies


Dynamic Host Configuration Protocol (DHCP)

A simple, but critical, service

Functionality

Provides IP addressing information to client computers

Records the addresses leased

Can also be configured to update DNS on behalf of the clients it leases to (registering their A and PTR records) so that a Dynamic DNS (DDNS) zone stays current

Designing the DHCP Infrastructure

(Skill 1)


Number of subnets supported in the design

Helps determine how many scopes are required

Identifies how many addresses will be provided via DHCP

Indicates how many superscopes are required

Identifies the exclusions and reservations that will be required

Designing the DHCP Infrastructure (4)

(Skill 1)


RFC 1542 compliance in routers

To be RFC 1542-compliant, routers themselves must be capable of acting as Bootstrap Protocol (BOOTP) relay agents, forwarding the client broadcasts on UDP ports 67 and 68 to a DHCP server on another subnet

Determines whether you require any DHCP relay agents to create a centralized DHCP design

Number of scopes required

Typically determined once you examine the subnet model

Designing the DHCP Infrastructure (5)

(Skill 1)


Number of superscopes required

A superscope groups two or more scopes so that one DHCP server can lease addresses from more than one logical IP subnet on the same physical network segment (a multinet)

Superscopes are only required when a single physical subnet must be served from multiple non-contiguous IP address ranges, for example a segment that has outgrown its original subnet

Designing the DHCP Infrastructure (6)

(Skill 1)


Reservations and exclusions

Reservations bind a specific client, identified by its MAC address or client identifier, to a fixed address in the scope; use them when clients such as printers or servers must always receive the same IP address but you do not want to configure each of them manually

Exclusions are addresses or ranges within a scope that the DHCP server will never hand out; use them for addresses that are already assigned statically on that subnet so the server does not offer an address that is in use

Designing the DHCP Infrastructure (7)

(Skill 1)


Presence of other DHCP servers / Active Directory integration

Active Directory server authorization

Windows Server 2003 and Windows 2000 Server DHCP servers must be authorized in Active Directory before they will service clients, which is a mechanism for stopping unauthorized (rogue) Windows DHCP servers from leasing addresses

Windows NT, Unix, and NetWare DHCP servers, as well as client systems with Internet Connection Sharing enabled, do not perform this check, so authorization does nothing to stop them

It is therefore important to know where other devices on the network could function as a DHCP server and to make sure that they are not configured to offer IP addresses; a rogue server that supplies its own router and DNS server options can redirect client traffic, so treat one as a security incident rather than an addressing mistake

Designing the DHCP Infrastructure (8)

(Skill 1)
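Because authorization only restrains Windows 2000/2003 servers, the practical check for the rogue-server point above is to look at what is actually answering DHCPDISCOVER on each subnet. The following is an added example written for this page, not code from the course or from Microsoft: it parses DHCP messages (BOOTP fixed header, magic cookie, option list) and flags any OFFER whose server identifier is not on the authorised list or whose router/DNS options differ from the design. The addresses, the client MAC and the two "captured" packets are constructed with build_offer() so the script runs offline; in practice the packets would come from a sniffer listening on UDP port 68.

```python
"""Parse DHCP messages and flag OFFERs from servers that are not on the
authorised list, or that push a router or DNS server the design does not
use. Added example, not from the course slides; the addresses, MAC and the
two captured packets below are constructed with build_offer() so the script
runs offline."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
OFFER = 2                             # option 53 value for DHCPOFFER


def _ip(addr):
    return IPv4Address(addr).packed


def build_offer(xid, yiaddr, server_id, router, dns, mac, lease=86400):
    """Assemble a DHCPOFFER the way a server would: BOOTP fixed fields, the
    magic cookie, then options 53, 54, 51, 1, 3, 6 and the 0xff end marker."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         _ip("0.0.0.0"), _ip(yiaddr), _ip(server_id), _ip("0.0.0.0"),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, OFFER])
    opts += bytes([54, 4]) + _ip(server_id)
    opts += bytes([51, 4]) + struct.pack("!I", lease)
    opts += bytes([1, 4]) + _ip("255.255.255.0")
    opts += bytes([3, 4]) + _ip(router)
    opts += bytes([6, 4 * len(dns)]) + b"".join(_ip(d) for d in dns)
    return header + MAGIC + opts + b"\xff"


def parse_dhcp(packet):
    """Return the fields a rogue-server check needs, or None if this is not DHCP."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        return None
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    addrs = lambda raw: [IPv4Address(raw[k:k + 4]) for k in range(0, len(raw) - 3, 4)]
    return {
        "op": op, "xid": xid, "chaddr": packet[28:28 + hlen],
        "yiaddr": IPv4Address(packet[16:20]),
        "message_type": options.get(53, b"\0")[0],
        "server_id": IPv4Address(options[54]) if 54 in options else None,
        "routers": addrs(options.get(3, b"")),
        "dns": addrs(options.get(6, b"")),
    }


def check_offer(msg, authorized, expected_router, expected_dns):
    """Findings for one OFFER; an empty list means it matches the design."""
    findings = []
    if msg is None or msg["message_type"] != OFFER:
        return findings
    if msg["server_id"] not in authorized:
        findings.append(f"offer from unauthorised server {msg['server_id']}")
    if msg["routers"] != [IPv4Address(expected_router)]:
        findings.append(f"router option {msg['routers']} is not {expected_router}")
    if set(msg["dns"]) != {IPv4Address(d) for d in expected_dns}:
        findings.append(f"DNS option {msg['dns']} differs from the design")
    return findings


# Constructed design for one subnet: two authorised servers, router at .1,
# the domain controllers as DNS. Then two constructed captures: a legitimate
# offer, and one from an unauthorised host at .77 that names itself as both
# router and DNS server for the client.
AUTHORIZED = {IPv4Address("10.1.10.5"), IPv4Address("10.1.10.6")}
ROUTER, DNS = "10.1.10.1", ["10.1.10.5", "10.1.10.6"]
CLIENT_MAC = bytes.fromhex("000c29aabbcc")
CAPTURES = [
    build_offer(0x3903F326, "10.1.10.120", "10.1.10.5", ROUTER, DNS, CLIENT_MAC),
    build_offer(0x3903F326, "10.1.10.200", "10.1.10.77", "10.1.10.77", ["10.1.10.77"], CLIENT_MAC),
]


def scan(captures, authorized=AUTHORIZED, router=ROUTER, dns=DNS):
    """Map each offering server to its findings; legitimate servers map to []."""
    report = {}
    for pkt in captures:
        msg = parse_dhcp(pkt)
        if msg and msg["message_type"] == OFFER:
            report[str(msg["server_id"])] = check_offer(msg, authorized, router, dns)
    return report


if __name__ == "__main__":
    for server, findings in scan(CAPTURES).items():
        print(server, "OK" if not findings else "; ".join(findings))
```

The check keys on option 54 (server identifier) rather than the source address because that is the value the client will use to select a server. Detection of this kind is after the fact; on managed switches the preventive control is DHCP snooping, which drops OFFER and ACK messages arriving on ports not marked as trusted.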


Redundancy requirements

Generally want at least two DHCP servers serving each scope; Windows Server 2003 DHCP has no scope replication or failover, so the scope is defined on both servers and its address range split between them (the 80/20 rule), with each server excluding the other's portion so no address can be offered twice

Servers do not have to be solely dedicated to DHCP

DHCP can be installed on file servers, print servers, and even domain controllers (on a domain controller, give the DHCP service a dedicated account for its dynamic DNS updates, so client records are not registered and owned under the domain controller's own computer account)

Designing the DHCP Infrastructure (9)

(Skill 1)
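The slides on the subnet model, superscopes, reservations and exclusions, and redundancy describe one planning exercise, so here is one added example that carries it through as code. It is written for this page and is not course material or Microsoft tooling: it derives one scope per subnet, detects the segments that need a superscope, validates that exclusions and reservations are leasable addresses, splits each scope 80/20 between two servers, and prints what each server must be configured with. Every subnet, address, MAC and server name is constructed; the convention that the first usable address is the router is an assumption of the example.

```python
"""Plan Windows Server 2003-style DHCP scopes from a subnet model: one scope
per subnet, a superscope wherever several subnets share one physical segment,
exclusions for hand-configured hosts, reservations, and an 80/20 split of each
scope between two servers. Added example, not from the course slides; every
subnet, host address, MAC and server name below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class AddressRange:
    first: IPv4Address
    last: IPv4Address

    def __contains__(self, addr):
        return self.first <= addr <= self.last

    def __len__(self):
        return int(self.last) - int(self.first) + 1


@dataclass
class Scope:
    network: IPv4Network
    segment: str                # physical segment this subnet sits on
    pool: AddressRange          # leasable addresses (router address left out)
    primary: str                # server holding ~80% of the pool
    secondary: str              # server holding the remaining ~20%
    primary_share: AddressRange
    secondary_share: AddressRange
    exclusions: tuple           # AddressRange entries never handed out
    reservations: dict          # client MAC -> fixed IPv4Address


def plan_scope(subnet, segment, primary, secondary, static_hosts=(),
               reservations=None, primary_fraction=0.8):
    """Build the scope for one subnet. static_hosts are addresses assigned by
    hand (printers, servers) and become exclusions; reservations pin a client's
    MAC to an address that must be leasable and not excluded."""
    net = ip_network(subnet)
    hosts = list(net.hosts())
    # Convention assumed here: the first usable address is the router, so the
    # pool starts one above it and runs to the last usable address.
    pool = AddressRange(hosts[1], hosts[-1])
    split = int(len(pool) * primary_fraction)
    primary_share = AddressRange(pool.first, pool.first + (split - 1))
    secondary_share = AddressRange(pool.first + split, pool.last)
    exclusions = []
    for host in static_hosts:
        addr = ip_address(host)
        if addr not in pool:
            raise ValueError(f"static host {addr} is outside the pool of {net}")
        exclusions.append(AddressRange(addr, addr))
    pinned = {}
    for mac, host in (reservations or {}).items():
        addr = ip_address(host)
        if addr not in pool or any(addr in ex for ex in exclusions):
            raise ValueError(f"reservation {mac} -> {addr} is not leasable in {net}")
        pinned[mac.lower()] = addr
    return Scope(net, segment, pool, primary, secondary,
                 primary_share, secondary_share, tuple(exclusions), pinned)


def split_is_sound(scope):
    """The two shares must abut and cover the pool exactly: no address may be
    offered by both servers, and none may be left unserved."""
    p, s = scope.primary_share, scope.secondary_share
    return (p.first == scope.pool.first and s.last == scope.pool.last
            and s.first == p.last + 1)


def server_config(scope, server):
    """What to configure on one server: the whole pool as the scope range, the
    static exclusions, plus an exclusion covering the OTHER server's share.
    That extra exclusion is how the 80/20 split is expressed on Windows Server
    2003, which has no scope replication. Reservations go on both servers,
    because either one may be the first to answer the client."""
    if server == scope.primary:
        other = scope.secondary_share
    elif server == scope.secondary:
        other = scope.primary_share
    else:
        raise ValueError(f"{server} does not serve {scope.network}")
    return {"range": scope.pool,
            "exclusions": list(scope.exclusions) + [other],
            "reservations": dict(scope.reservations)}


def superscopes_required(scopes):
    """A segment carrying more than one subnet (a multinet) needs a superscope
    grouping those scopes; every other segment needs none."""
    by_segment = {}
    for s in scopes:
        by_segment.setdefault(s.segment, []).append(s.network)
    return {seg: nets for seg, nets in by_segment.items() if len(nets) > 1}


# Constructed subnet model: two HQ floors, and a branch whose single segment
# has outgrown one /24 and now carries two.
SCOPES = [
    plan_scope("10.1.10.0/24", "HQ-floor1", "DHCP1", "DHCP2",
               static_hosts=["10.1.10.10", "10.1.10.11"],
               reservations={"00-0C-29-AA-BB-CC": "10.1.10.50"}),
    plan_scope("10.1.20.0/24", "HQ-floor2", "DHCP1", "DHCP2"),
    plan_scope("10.2.0.0/24", "Branch", "DHCP2", "DHCP1"),
    plan_scope("10.2.1.0/24", "Branch", "DHCP2", "DHCP1"),
]

if __name__ == "__main__":
    for scope in SCOPES:
        cfg = server_config(scope, "DHCP2")
        print(scope.network, "split ok:", split_is_sound(scope),
              "DHCP2 excludes:", [f"{r.first}-{r.last}" for r in cfg["exclusions"]])
    print("superscopes needed on:", list(superscopes_required(SCOPES)))
```

For a /24 the pool is .2 to .254 (253 addresses), so the primary share is .2 to .203 and the secondary .204 to .254. Alternating which server is primary across scopes, as the branch entries do, spreads the load; the point of the split is that a failed server leaves the survivor with a smaller but non-overlapping pool until the other is restored.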


Two basic types of DHCP infrastructure designs

Centralized

Decentralized

Designing the DHCP Infrastructure (10)

(Skill 1)


Centralized design

Place two or more DHCP servers in a central hub location and enable BOOTP forwarding on routers for remote DHCP-enabled subnets

Typically easier to administer and less costly

May make meeting redundancy requirements difficult, since every remote subnet depends on its WAN link to the hub to obtain or renew a lease

Designing the DHCP Infrastructure (11)

(Skill 1)


Decentralized design

Place a DHCP server on each DHCP-enabled subnet, with a backup for each scope held on the server of an adjacent subnet and reached through a relay agent

Requires more administrative resources

Requires more server resources

Makes achieving redundancy much easier

Designing the DHCP Infrastructure (12)

(Skill 1)


Figure 5-4 Reservations and exclusions

(Skill 1)


Figure 5-5 Decentralized DHCP model

(Skill 1)


Figure 5-6 Centralized DHCP model

(Skill 1)


Remote access infrastructure design considerations

Type of remote access (dial-up or VPN) required

How many concurrent users must be supported

Availability requirements

Designing the Remote Access Infrastructure

(Skill 2)


Type of remote access (dial-up or VPN) required

Determines the physical considerations of the design

Dial-up (POTS or ISDN): ensure there are enough incoming lines and modem or ISDN ports for the expected number of concurrent callers

VPN

Ensure you have adequate Internet bandwidth

Ensure the encryption load can be supported

Designing the Remote Access Infrastructure (2)

(Skill 2)


Availability requirements

Determines the number of RAS servers required

Determines the configuration of RAS servers

If using VPNs, can use network load balancing (NLB) for maximal availability

If using dial-up, specialized hardware to distribute connections is typically required

Designing the Remote Access Infrastructure (3)

(Skill 2)


Hardware requirements

RAS is a fairly low-impact service

Network connectivity for RAS server is biggest consideration

When using VPNs, make sure server’s processing capability can support the encryption requirements of the connections

Designing the Remote Access Infrastructure (4)

(Skill 2)


Server placement

Place RAS server and RAS connectivity as near as possible to the network resources that remote users will most commonly access

Placement of servers vis-à-vis the firewall is very important: the firewall must pass the tunnel protocol through to the VPN server (for PPTP, TCP port 1723 and GRE, IP protocol 47; for L2TP/IPsec, UDP port 500 for IKE, UDP port 4500 for NAT traversal, and ESP, IP protocol 50), and a VPN server placed in front of the firewall needs packet filters on its Internet interface that allow only that traffic

Designing the Remote Access Infrastructure (5)

(Skill 2)


Authentication, authorization, and accounting (AAA)

RADIUS authentication and accounting (Internet Authentication Service in Windows Server 2003) are generally a better choice than Windows authentication and Windows accounting configured on each RAS server

Provides centralization of remote access policies and accounting information

Designing the Remote Access Infrastructure (6)

(Skill 2)


Auditing and logging options

Enable Internet Authentication Service (IAS) logging to keep a running list of connections made to RAS server

Enable logging of accounting and authentication requests

Audit successful and failed account logon events

Designing the Remote Access Infrastructure (7)

(Skill 2)


Figure 5-10 Placement of a VPN server

(Skill 2)


Remote access policy conditions

Used to match a specific policy to a given connection attempt; policies are evaluated in order and the first policy whose conditions all match is the one applied, so the order of the list matters

Available condition components

Authentication-Type: Matches users based on the type of authentication protocol they are using

Called-Station-ID: Matches users based on the phone number they dialed

Calling-Station-ID: Matches users based on the phone number from which they are calling

Designing Remote Access Policies (2)

(Skill 3)


Available condition components

Client-Friendly-Name: Matches the friendly name of the RADIUS client that is requesting use of the RADIUS server

Client-IP-Address: Matches the IP address of RADIUS client that is requesting access

Client-Vendor: Matches the vendor of the RADIUS client

Day-and-Time-Restrictions: Matches the user based on the day and time they attempt to connect

Designing Remote Access Policies (3)

(Skill 3)


Remote access policy permissions

Used to control access

Set to allow or deny access; the policy's permission applies only when the user account's dial-in property is set to Control access through Remote Access Policy, otherwise the account's own Allow or Deny setting wins

Remote access policy profile

Used to restrict which remote access settings are supported; the profile is applied after access has been granted, and a connection that cannot meet it is rejected

Settings are defined in the Edit Dial-in Profile dialog box

Designing Remote Access Policies (6)

(Skill 3)


Tabs in the Edit Dial-in Profile dialog box

Dial-in Constraints tab: Used to define any needed restrictions for the dial-in properties of the policy

IP tab: Used to define the IP properties associated with the connections to which this profile applies

Multilink tab: Used to define the setting applied to multilink connections for this policy

Designing Remote Access Policies (7)

(Skill 3)


Tabs in the Edit Dial-in Profile dialog box

Authentication tab: Used to define the authentication methods allowed by this policy

Encryption tab: Used to define the MPPE encryption levels (No encryption, Basic 40-bit, Strong 56-bit, Strongest 128-bit) permitted for the connection; for L2TP/IPsec connections the same settings select the IPsec encryption strength

Advanced tab: Used to define special settings to be returned from RADIUS servers to RADIUS clients

Designing Remote Access Policies (8)

(Skill 3)
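The conditions, permission and profile slides above describe the three stages of a remote access policy, and the tab descriptions describe what the profile can constrain. The following added example, written for this page and not taken from the course or from the IAS product, models that evaluation: an ordered policy list, first full match wins, the account's dial-in property overriding the policy's permission unless it defers to policy, and the matched profile's Authentication and Encryption settings rejecting a connection that was otherwise permitted. The policies, users and attempts are constructed; Windows-Groups is used as a condition alongside those the slides list, and an empty condition set stands in for the catch-all policy that in the console is expressed as a Day-And-Time-Restrictions condition covering every hour.

```python
"""Evaluate a remote access connection attempt against an ordered list of
remote access policies the way RRAS/IAS does: first policy whose conditions
all match is applied, the account's dial-in property can override the policy's
permission, and the matched policy's profile can still reject the connection.
Added example, not from the course slides; policies, users and attempts are
constructed, and Windows-Groups is used alongside the conditions the slides list."""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class Attempt:
    user: str
    groups: frozenset          # security groups the account belongs to
    auth_type: str             # Authentication-Type: "MS-CHAP-v2", "EAP", "PAP", ...
    calling_station_id: str    # Calling-Station-ID: caller's number (dial-up) or client IP (VPN)
    client_ip: str             # Client-IP-Address: the RADIUS client (RAS server) forwarding the request
    when: datetime             # checked against Day-And-Time-Restrictions
    encryption_bits: int       # MPPE strength the client can negotiate: 0, 40, 56 or 128
    dialin: str = "policy"     # account's dial-in property: "allow", "deny" or "policy"


@dataclass
class Profile:
    auth_types: frozenset      # Authentication tab: methods the profile allows
    min_encryption_bits: int   # Encryption tab: 0 permits unencrypted, 128 means Strongest only


@dataclass
class Policy:
    name: str
    conditions: dict           # condition attribute -> value; ALL must match
    permission: str            # "allow" or "deny"
    profile: Profile


def _day_and_time(attempt, allowed):
    """allowed: {weekday (0 = Monday): [(start_hour, end_hour), ...]}"""
    windows = allowed.get(attempt.when.weekday(), [])
    return any(start <= attempt.when.hour < end for start, end in windows)


MATCHERS = {
    "Authentication-Type": lambda a, v: a.auth_type in v,
    "Calling-Station-ID": lambda a, v: re.fullmatch(v, a.calling_station_id) is not None,
    "Client-IP-Address": lambda a, v: a.client_ip == v,
    "Day-And-Time-Restrictions": _day_and_time,
    "Windows-Groups": lambda a, v: bool(a.groups & v),
}


def evaluate(attempt, policies):
    """Return (granted, reason). Policies are tried in order; the first one
    whose conditions all match decides, and nothing later is consulted."""
    for policy in policies:
        if not all(MATCHERS[name](attempt, value) for name, value in policy.conditions.items()):
            continue
        # Permission: the account's dial-in property wins unless it defers to policy.
        if attempt.dialin == "deny":
            return False, f"{policy.name}: denied by the account's dial-in property"
        if attempt.dialin == "policy" and policy.permission == "deny":
            return False, f"{policy.name}: policy denies access"
        # Profile: a permitted connection is still rejected if it cannot meet it.
        prof = policy.profile
        if attempt.auth_type not in prof.auth_types:
            return False, f"{policy.name}: {attempt.auth_type} is not an allowed authentication method"
        if attempt.encryption_bits < prof.min_encryption_bits:
            return False, (f"{policy.name}: {attempt.encryption_bits}-bit encryption is below "
                           f"the {prof.min_encryption_bits}-bit minimum")
        return True, f"{policy.name}: access granted"
    return False, "no policy matched: access denied"


# Constructed policy set, most specific first. The last entry mirrors the
# catch-all deny that sits at the bottom of an RRAS/IAS policy list.
STRONG = Profile(auth_types=frozenset({"MS-CHAP-v2", "EAP"}), min_encryption_bits=128)
BUSINESS_HOURS = {d: [(8, 18)] for d in range(5)}      # Monday to Friday, 08:00-18:00
POLICIES = [
    Policy("Contractors, business hours, via the partner RAS server",
           {"Windows-Groups": {"Contractors"},
            "Day-And-Time-Restrictions": BUSINESS_HOURS,
            "Client-IP-Address": "10.1.10.20",
            "Calling-Station-ID": r"203\.0\.113\.\d+"},
           "allow", STRONG),
    Policy("Employees VPN", {"Windows-Groups": {"Employees"}}, "allow", STRONG),
    Policy("Everything else", {}, "deny", STRONG),
]


def attempt(user, groups, auth="MS-CHAP-v2", when="2004-03-15 10:00",
            enc=128, dialin="policy", client_ip="10.1.10.20"):
    """Constructed connection attempt; 2004-03-15 is a Monday."""
    return Attempt(user, frozenset(groups), auth, "203.0.113.9", client_ip,
                   datetime.strptime(when, "%Y-%m-%d %H:%M"), enc, dialin)


if __name__ == "__main__":
    for a in [attempt("pat", ["Contractors"]),
              attempt("pat", ["Contractors"], when="2004-03-20 10:00"),
              attempt("sam", ["Employees"], auth="PAP"),
              attempt("sam", ["Employees"], enc=40),
              attempt("sam", ["Employees"], dialin="deny"),
              attempt("guest", ["Guests"], dialin="allow")]:
        print(a.user, evaluate(a, POLICIES))
```

Two results are worth noting. A contractor connecting on a Saturday does not fall back to "denied by the contractor policy": the contractor policy simply fails to match, and the attempt falls through to the catch-all, which is why the catch-all must be a deny. And an account whose dial-in property is set to Allow passes the catch-all deny, but the profile's authentication and encryption constraints still apply to it, so weak methods cannot be smuggled in through the per-account setting.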


Figure 5-11 Components of a remote access policy

(Skill 3)


Figure 5-12 Dial-in Constraints tab

(Skill 3)


Figure 5-13 IP tab

(Skill 3)


Figure 5-14 Multilink tab

(Skill 3)


Figure 5-15 Authentication tab

(Skill 3)


Figure 5-16 Encryption tab

(Skill 3)


Figure 5-17 Advanced tab

(Skill 3)