5.1 © 2004 Pearson Education, Inc.
Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure
Lesson 5: Planning Network Services
Goals
Design the DHCP infrastructure
Design the remote access infrastructure
Design remote access policies
Dynamic Host Configuration Protocol (DHCP)
A simple, but critical, service
Functionality
Provides IP addressing information to client computers
Records the addresses leased
Can also be configured to notify DNS of address leases to update and maintain a Dynamic DNS (DDNS) zone
Designing the DHCP Infrastructure
(Skill 1)
Number of subnets supported in the design
Helps determine how many scopes are required
Identifies how many addresses will be provided via DHCP
Indicates how many superscopes are required
Identifies the exclusions and reservations that will be required
Designing the DHCP Infrastructure (4)
(Skill 1)
RFC 1542 compliance in routers
To be RFC 1542-compliant, a router must itself be able to act as a Bootstrap Protocol (BOOTP) relay agent: it forwards the client's DHCP broadcast to the configured DHCP server as a unicast, sets the giaddr field to the address of the interface the request arrived on (which is how the server picks the right scope), and increments the hops count
Determines whether you need separate DHCP relay agents (for example, the DHCP Relay Agent component of Routing and Remote Access on a Windows Server 2003 computer in each remote subnet) to build a centralized DHCP design
Number of scopes required
Typically determined once you examine the subnet model
Designing the DHCP Infrastructure (5)
(Skill 1)
Number of superscopes required
A superscope groups two or more scopes (non-contiguous IP address ranges) so that the DHCP server treats them as a single administrative unit for one physical network
Superscopes are only required when more than one logical subnet must be leased on a single physical subnet (a multinet), for example when an existing scope has run out of addresses and a second range is added on the same segment
Designing the DHCP Infrastructure (6)
(Skill 1)
Reservations and exclusions
Reservations tie a client's hardware (MAC) address to a fixed address inside the scope; they are typically used when you do not want to manually configure each client, but you want a specific group of clients (printers, application servers) to always receive the same IP address and options from DHCP
Exclusions are addresses inside a scope's range that the DHCP server will never hand out, typically the addresses of routers, servers and other statically configured hosts
Designing the DHCP Infrastructure (7)
(Skill 1)
Presence of other DHCP servers/Active Directory integration
Active Directory server authorization
Windows Server 2003 and Windows 2000 Server require DHCP servers to be authorized in Active Directory before the DHCP Server service will lease addresses, which is a mechanism to disable rogue DHCP servers
Windows NT, Unix, and NetWare DHCP servers, as well as client systems with Internet Connection Sharing enabled, do not check for authorization, so this control cannot stop them
It is therefore important to know where the other devices are on the network that may potentially function as a DHCP server and to make sure that they are not configured to offer IP addresses; a client accepts the first offer it receives, so an unauthorized server can hand out a bogus default gateway or DNS server address
Designing the DHCP Infrastructure (8)
(Skill 1)
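The two points above, what an RFC 1542 relay agent actually changes in a forwarded request and why an unauthorized server's offer is accepted by the client, can be seen in a small message model. The following is an added example written for this page, not code from Pearson or from Microsoft's DHCP implementation; it builds RFC 951 BOOTP headers with the DHCP magic cookie and the message-type and server-identifier options (53 and 54), relays a DISCOVER the way a router or relay agent does (giaddr and hops), lets a server choose a scope from giaddr, and then checks the OFFER's server identifier against the set of servers that are supposed to be answering. All addresses, MAC addresses and the 4-hop limit are constructed for the example.

```python
"""Added example: BOOTP/DHCP message model for relay (RFC 1542) and
rogue-offer detection.  Addresses and identifiers are made up."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # RFC 951 fixed header, 236 bytes
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
BOOTREQUEST, BOOTREPLY, DHCPDISCOVER, DHCPOFFER = 1, 2, 1, 2


def ip4(a):
    return ipaddress.IPv4Address(a)


def build(op, xid, hops, giaddr, yiaddr, chaddr, options):
    """Serialise one message; options is a list of (code, bytes)."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,   # htype=Ethernet, flags=broadcast
                        b"\0" * 4, ip4(yiaddr).packed, b"\0" * 4, ip4(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Header fields plus a {code: value} map of the options."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": ip4(f[8]),
            "giaddr": ip4(f[10]), "chaddr": f[11][:f[2]], "options": opts}


def relay(pkt, relay_iface_ip, max_hops=4):
    """RFC 1542 relay agent: keep giaddr if an earlier relay already set it,
    otherwise stamp it with the interface the broadcast came in on; bump hops
    and drop anything that has been forwarded too many times (max_hops is the
    example's own limit)."""
    m = parse(pkt)
    if m["hops"] >= max_hops:
        return None
    giaddr = m["giaddr"] if int(m["giaddr"]) else ip4(relay_iface_ip)
    return build(m["op"], m["xid"], m["hops"] + 1, giaddr, m["yiaddr"],
                 m["chaddr"], list(m["options"].items()))


def make_scopes(table):
    """{'cidr': ['free address', ...]} -> {IPv4Network: [IPv4Address, ...]}"""
    return {ipaddress.ip_network(c): [ip4(a) for a in free] for c, free in table.items()}


def server_offer(pkt, server_ip, scopes):
    """Select the scope by giaddr (relayed request) or by the server's own
    address (local broadcast) and answer with an OFFER that carries option 54."""
    m = parse(pkt)
    if m["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    selector = m["giaddr"] if int(m["giaddr"]) else ip4(server_ip)
    for net, free in scopes.items():
        if selector in net and free:
            yiaddr = free.pop(0)
            return build(BOOTREPLY, m["xid"], 0, m["giaddr"], yiaddr, m["chaddr"],
                         [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                          (OPT_SERVER_ID, ip4(server_ip).packed)])
    return None                                      # no scope for that subnet


def audit_offer(pkt, authorized):
    """Is the server identifier in the OFFER one of the servers we expect?"""
    sid = str(ip4(parse(pkt)["options"][OPT_SERVER_ID]))
    return sid, sid in authorized


if __name__ == "__main__":
    pool = make_scopes({"10.20.0.0/24": ["10.20.0.11", "10.20.0.12"]})
    disc = build(BOOTREQUEST, 0x3903F326, 0, "0.0.0.0", "0.0.0.0",
                 bytes.fromhex("000c29aabbcc"), [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    fwd = relay(disc, "10.20.0.1")                   # router on the client's subnet
    offer = server_offer(fwd, "10.0.0.10", pool)     # central, authorized server
    rogue = server_offer(disc, "192.168.0.1", make_scopes({"192.168.0.0/24": ["192.168.0.100"]}))
    print("relayed giaddr:", parse(fwd)["giaddr"], "hops:", parse(fwd)["hops"])
    print("offered:", parse(offer)["yiaddr"], audit_offer(offer, {"10.0.0.10"}))
    print("rogue offer:", parse(rogue)["yiaddr"], audit_offer(rogue, {"10.0.0.10"}))
```

The server identifier check is what a monitoring host on each subnet can do with real captured offers: send a DISCOVER, collect every OFFER, and alert on any option 54 value outside the authorized list. Active Directory authorization only stops Windows 2000/2003 servers from starting; this check catches the ones it cannot.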
Redundancy requirements
Generally want at least two DHCP servers able to serve each scope
Windows Server 2003 DHCP servers do not replicate their lease databases, so two servers must never be configured with the same leasable range; split each scope between them (the 80/20 rule, with the partner's share entered as an exclusion on each server) so both can answer without ever offering the same address
Servers do not have to be solely dedicated to DHCP
DHCP can be installed on file servers, print servers, and even domain controllers
Designing the DHCP Infrastructure (9)
(Skill 1)
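The design inputs from the preceding slides (subnet model, scopes, superscopes, exclusions, reservations and the two-server split for redundancy) can be worked through mechanically. The block below is an added example for this page, not a Pearson or Microsoft tool: it takes a constructed subnet model, derives one scope per subnet with the static block excluded, checks that every reservation lands inside a scope and outside the excluded block (a planning rule of this example, not a DHCP server restriction), flags segments with more than one subnet as needing a superscope, and produces the 80/20 split as per-server exclusion ranges. The Segment/Scope structures and the sample segments are assumptions made up for the example.

```python
"""Added example: derive DHCP scopes, exclusions, reservations and an 80/20
split from a subnet model.  The input model and sample data are hypothetical."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Segment:
    """One physical segment (broadcast domain) from the subnet model."""
    name: str
    subnets: list                                     # CIDR strings routed on this wire
    static_low: int = 10                              # lowest usable addresses kept for routers/servers
    reservations: dict = field(default_factory=dict)  # MAC -> address the client must always get


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    exclusions: list                                  # (first, last) ranges never leased
    reservations: dict                                # MAC -> IPv4Address

    def excluded(self, addr):
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def leasable(self):
        """Number of addresses the server can actually hand out."""
        return sum(1 for a in range(int(self.start), int(self.end) + 1)
                   if not self.excluded(ipaddress.IPv4Address(a)))


def plan_scope(cidr, static_low, reservations, errors):
    """One scope per subnet: the whole usable range, with the static block excluded."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    n_static = min(static_low, len(hosts))
    exclusions = [(hosts[0], hosts[n_static - 1])] if n_static else []
    scope = Scope(net, hosts[0], hosts[-1], exclusions, {})
    for mac, ip in reservations.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            continue                                  # may belong to a sibling subnet
        if scope.excluded(addr):
            errors.append(f"{mac}: {addr} collides with the static (excluded) block")
            continue
        scope.reservations[mac.lower()] = addr
    return scope


def plan_segment(seg):
    """Scopes for every subnet on the segment; more than one means a superscope."""
    errors = []
    scopes = [plan_scope(c, seg.static_low, seg.reservations, errors) for c in seg.subnets]
    placed = set().union(*(s.reservations for s in scopes))
    for mac, ip in seg.reservations.items():
        if mac.lower() not in placed and not any(mac in e for e in errors):
            errors.append(f"{mac}: {ip} is not inside any scope on {seg.name}")
    return {"segment": seg.name, "scopes": scopes,
            "superscope": len(scopes) > 1, "errors": errors}


def split_80_20(scope):
    """Redundancy without lease replication: the primary excludes the top 20 % of
    the range, the secondary excludes the bottom 80 %, so both servers hold the
    scope but can never offer the same address."""
    first, last = int(scope.start), int(scope.end)
    cut = first + int((last - first + 1) * 0.8)       # first address of the 20 % share
    top = (ipaddress.IPv4Address(cut), scope.end)
    bottom = (scope.start, ipaddress.IPv4Address(cut - 1))
    return {"primary": replace(scope, exclusions=scope.exclusions + [top]),
            "secondary": replace(scope, exclusions=scope.exclusions + [bottom])}


# Constructed subnet model: Floor2 is a multinet (two subnets on one wire).
FLOOR2 = Segment("Floor2", ["10.20.0.0/24", "10.20.1.0/24"],
                 reservations={"00-0C-29-AA-BB-CC": "10.20.0.50",
                               "00-0C-29-11-22-33": "10.20.1.200"})
LAB = Segment("Lab", ["10.30.0.0/24"],
              reservations={"00-0C-29-DE-AD-00": "10.30.0.5",     # inside the static block
                            "00-0C-29-DE-AD-01": "10.99.0.7"})    # not on this segment

if __name__ == "__main__":
    for seg in (FLOOR2, LAB):
        plan = plan_segment(seg)
        print(plan["segment"], "superscope" if plan["superscope"] else "single scope")
        for s in plan["scopes"]:
            halves = split_80_20(s)
            print(f"  {s.network}: {s.start}-{s.end} leasable={s.leasable()} "
                  f"primary={halves['primary'].leasable()} secondary={halves['secondary'].leasable()}")
        for e in plan["errors"]:
            print("  ERROR", e)
```

The error list is the point of running this before building scopes: a reservation that falls outside every scope, or on top of an address you also said was static, is exactly the kind of conflict that turns into an address clash or a silent failure once the servers are live.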
Two basic types of DHCP infrastructure designs
Centralized
Decentralized
Designing the DHCP Infrastructure (10)
(Skill 1)
Centralized design
Place two or more DHCP servers in a central hub location and enable BOOTP forwarding on routers for remote DHCP-enabled subnets
Typically easier to administer and less costly
May make meeting redundancy requirements difficult
Designing the DHCP Infrastructure (11)
(Skill 1)
Decentralized design
Place a DHCP server on each DHCP-enabled subnet, with a backup copy of each different scope on an adjacent server
Requires more administrative resources
Requires more server resources
Makes achieving redundancy much easier
Designing the DHCP Infrastructure (12)
(Skill 1)
Figure 5-4 Reservations and exclusions
(Skill 1)
Figure 5-5 Decentralized DHCP model
(Skill 1)
Figure 5-6 Centralized DHCP model
(Skill 1)
Remote access infrastructure design considerations
Type of remote access (dial-up or VPN) required
How many concurrent users must be supported
Availability requirements
Designing the Remote Access Infrastructure
(Skill 2)
Type of remote access (dial-up or VPN) required
Determines the physical considerations of the design
For dial-up (POTS or ISDN), ensure there are enough incoming lines and modem or ISDN ports for the peak number of concurrent users
VPN
Ensure you have adequate Internet bandwidth
Ensure the encryption load can be supported
Designing the Remote Access Infrastructure (2)
(Skill 2)
Availability requirements
Determines the number of RAS servers required
Determines the configuration of RAS servers
If using VPNs, can use network load balancing (NLB) for maximal availability
If using dial-up, specialized hardware to distribute connections is typically required
Designing the Remote Access Infrastructure (3)
(Skill 2)
Hardware requirements
RAS is a fairly low-impact service
Network connectivity for RAS server is biggest consideration
When using VPNs, make sure server’s processing capability can support the encryption requirements of the connections
Designing the Remote Access Infrastructure (4)
(Skill 2)
Server placement
Place RAS server and RAS connectivity as near as possible to the network resources that remote users will most commonly access
Placement of servers relative to the firewall is very important: a VPN server in front of the firewall is itself exposed to the Internet and must be hardened accordingly, while one behind the firewall requires the firewall to pass the tunnel protocol (TCP 1723 plus GRE for PPTP; UDP 500, UDP 4500 and ESP for L2TP/IPSec) and still limits what the remote user can reach only if the internal network is filtered behind the VPN server
Designing the Remote Access Infrastructure (5)
(Skill 2)
Authentication, authorization, and accounting (AAA)
RADIUS (Internet Authentication Service) is generally a better choice than the Windows authentication and Windows accounting providers
Provides centralization of remote access policies and accounting information
Designing the Remote Access Infrastructure (6)
(Skill 2)
Auditing and logging options
Enable Internet Authentication Service (IAS) logging to keep a running list of connections made to the RAS server
Enable logging of accounting and authentication requests
Audit successful and failed account logon events
Designing the Remote Access Infrastructure (7)
(Skill 2)
Figure 5-10 Placement of a VPN server
(Skill 2)
Remote access policy conditions
Used to match a specific policy to a given connection attempt; policies are evaluated in order and the first one whose conditions all match is applied, so ordering matters, and an attempt that matches no policy is rejected
Available condition components
Authentication-Type: Matches users based on the type of authentication protocol they are using
Called-Station-ID: Matches users based on the phone number they dialed
Calling-Station-ID: Matches users based on the phone number from which they are calling
Designing Remote Access Policies (2)
(Skill 3)
Available condition components
Client-Friendly-Name: Matches the friendly name of the RADIUS client (the RAS server) that is requesting use of the RADIUS server
Client-IP-Address: Matches the IP address of RADIUS client that is requesting access
Client-Vendor: Matches the vendor of the RADIUS client
Day-and-Time-Restrictions: Matches the user based on the day and time they attempt to connect
Designing Remote Access Policies (3)
(Skill 3)
Remote access policy permissions
Used to control access
Set to allow or deny access; the policy's permission applies only when the user account's dial-in permission is set to Control access through Remote Access Policy, because an explicit Allow access or Deny access on the account overrides it
Remote access policy profile
Used to restrict which remote access settings are supported; the profile is applied after permission is granted, and a connection that cannot meet it (for example, the wrong media type or an encryption level the client does not support) is rejected
Settings are defined in the Edit Dial-in Profile dialog box
Designing Remote Access Policies (6)
(Skill 3)
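The evaluation order described above (conditions in order, first match wins, account dial-in setting overriding the policy permission, then profile constraints) is easy to get wrong when policies are stacked. The block below is an added example for this page and is not IAS code or a Pearson exercise: it models an ordered policy list with the condition attributes named on these slides, evaluates constructed connection attempts against it, and applies one Dial-in Constraints setting (the allowed media, NAS-Port-Type) from the profile. Policy names, attempt contents, the pattern syntax for Calling-Station-ID (trailing * as a prefix match) and the profile keys are assumptions of the example.

```python
"""Added example: first-match evaluation of remote access policies.
Policies, attempts and profile keys are made up for the example."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Policy:
    name: str
    conditions: dict                                  # attribute -> list of acceptable values
    allow: bool                                       # the policy's remote access permission
    profile: dict = field(default_factory=dict)       # dial-in profile settings


def _matches(attr, wanted, attempt):
    """One condition.  Values inside a condition are OR'd; conditions are AND'd."""
    have = attempt.get(attr)
    if have is None:
        return False
    if attr == "Day-and-Time-Restrictions":           # wanted: (weekday, from_hour, to_hour)
        return any(d == have.weekday() and lo <= have.hour < hi for d, lo, hi in wanted)
    if attr == "Client-IP-Address":                   # wanted: networks the RADIUS client sits in
        return any(ipaddress.ip_address(have) in ipaddress.ip_network(n) for n in wanted)
    if attr in ("Called-Station-ID", "Calling-Station-ID"):  # '*' suffix = prefix match
        return any(have == w or (w.endswith("*") and have.startswith(w[:-1])) for w in wanted)
    return have in wanted


def evaluate(policies, attempt, account_dialin="policy"):
    """First policy whose conditions all match decides; no match means reject.
    account_dialin is the user account's dial-in setting: 'allow', 'deny' or
    'policy' (Control access through Remote Access Policy)."""
    if account_dialin == "deny":
        return ("deny", "account dial-in permission", {})
    for p in policies:
        if not all(_matches(a, w, attempt) for a, w in p.conditions.items()):
            continue
        if not p.allow and account_dialin != "allow":
            return ("deny", p.name, {})
        # permission granted; the profile's constraints still have to be met
        media = p.profile.get("nas_port_types")
        if media and attempt.get("NAS-Port-Type") not in media:
            return ("deny", f"{p.name}: media not allowed by profile", p.profile)
        return ("allow", p.name, p.profile)
    return ("deny", "no matching policy", {})


WEEKDAYS = [0, 1, 2, 3, 4]                            # Monday..Friday as datetime.weekday()

POLICIES = [
    Policy("Reject weak authentication",
           {"Authentication-Type": ["PAP", "CHAP"]}, allow=False),
    Policy("VPN users, business hours",
           {"Client-IP-Address": ["10.0.0.0/24"],          # the VPN servers, as RADIUS clients
            "Authentication-Type": ["MS-CHAPv2", "EAP"],
            "Day-and-Time-Restrictions": [(d, 7, 19) for d in WEEKDAYS]},
           allow=True,
           profile={"nas_port_types": ["Virtual (VPN)"], "encryption": "Strongest",
                    "idle_timeout_min": 30}),
    Policy("Dial-in from office callback numbers",
           {"Calling-Station-ID": ["+1 555 01*"], "Authentication-Type": ["MS-CHAPv2"]},
           allow=True,
           profile={"nas_port_types": ["Async (Modem)"], "callback": "always"}),
]

# Constructed connection attempts (2004-06-01 is a Tuesday, 2004-06-06 a Sunday).
VPN_TUESDAY = {"Client-IP-Address": "10.0.0.5", "Authentication-Type": "MS-CHAPv2",
               "NAS-Port-Type": "Virtual (VPN)",
               "Day-and-Time-Restrictions": datetime(2004, 6, 1, 10, 0)}
VPN_SUNDAY = dict(VPN_TUESDAY, **{"Day-and-Time-Restrictions": datetime(2004, 6, 6, 10, 0)})
VPN_PAP = dict(VPN_TUESDAY, **{"Authentication-Type": "PAP"})
VPN_FROM_MODEM = dict(VPN_TUESDAY, **{"NAS-Port-Type": "Async (Modem)"})
DIALIN = {"Calling-Station-ID": "+1 555 0123", "Authentication-Type": "MS-CHAPv2",
          "NAS-Port-Type": "Async (Modem)",
          "Day-and-Time-Restrictions": datetime(2004, 6, 6, 22, 0)}

if __name__ == "__main__":
    for label, attempt in [("VPN Tuesday", VPN_TUESDAY), ("VPN Sunday", VPN_SUNDAY),
                           ("VPN with PAP", VPN_PAP), ("VPN from a modem port", VPN_FROM_MODEM),
                           ("Dial-in", DIALIN)]:
        print(f"{label}: {evaluate(POLICIES, attempt)}")
    print("VPN with PAP, account set to Allow:", evaluate(POLICIES, VPN_PAP, "allow"))
```

Two results are worth noticing when planning policies: the PAP attempt is refused by the first policy even though the VPN policy further down would otherwise have matched it (ordering), and the same attempt succeeds as soon as the account's dial-in permission is set to Allow access, which is why accounts should normally be left on Control access through Remote Access Policy.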
Tabs in the Edit Dial-in Profile dialog box
Dial-in Constraints tab: Used to define any needed restrictions for the dial-in properties of the policy
IP tab: Used to define the IP properties associated with the connections to which this profile applies
Multilink tab: Used to define the setting applied to multilink connections for this policy
Designing Remote Access Policies (7)
(Skill 3)
Tabs in the Edit Dial-in Profile dialog box
Authentication tab: Used to define the authentication methods allowed by this policy
Encryption tab: Used to define the encryption levels permitted for the connection (Basic, Strong, Strongest, or No encryption), which correspond to MPPE 40-, 56- and 128-bit keys for dial-up and PPTP connections and to the IPSec strength for L2TP/IPSec connections; clear No encryption unless unencrypted connections are genuinely intended
Advanced tab: Used to define special settings to be returned from RADIUS servers to RADIUS clients
Designing Remote Access Policies (8)
(Skill 3)
Figure 5-11 Components of a remote access policy
(Skill 3)
Figure 5-12 Dial-in Constraints tab
(Skill 3)
Figure 5-13 IP tab
(Skill 3)
Figure 5-14 Multilink tab
(Skill 3)
Figure 5-15 Authentication tab
(Skill 3)
Figure 5-16 Encryption tab
(Skill 3)