Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS in a Windows 2000 Network

Install the DNS Server service

DNS Background

The designers at Microsoft decided to use an existing technology, DNS (The Domain Name System/Service –
Microsoft normally calls it “Service” while other users call it “System”), as the method to manage Active
Directory’s namespace. This is in addition to DNS performing its usual role of translating host names to IP
addresses (and vice versa). DNS is a server service consisting of a database that is hierarchical (as opposed
to flat) and distributed, along with having built-in capabilities for redundancy and caching. You can use a non-
Microsoft Windows 2000 DNS to work with Active Directory, assuming certain minimum requirements are
met; however, you may not get all the functionality you want.

Originally HOSTS files were used to translate all host names to IP addresses. These text files, which are both
flat and static, have to exist and be updated on every host connected to the network. As this became
impossible to maintain on an Internet-wide basis as the number of Internet hosts started to grow
exponentially, DNS (Domain Name System/Service) was created as the replacement.

DNS, developed in the 1980s, has these advantages over the HOSTS method:

  1. DNS is faster because it distributes the processing load for name resolution and also caches results. A
       DNS server doesn’t have to host all the name mappings: DNS name servers can host segments of the
       DNS namespace instead of all of the namespace. We will find out more about this when we discuss
  2.   DNS keeps the mapping of hosts to IP addresses more consistent. DNS name servers use replication
       (zone transfers) to stay informed of name mapping changes – HOSTS files have to be manually
       updated and copied to all servers when even just one mapping change occurs.
  3.   DNS, because of its hierarchical nature, allows for non-unique names – the same host name can be
       used in two different portions of the DNS naming tree. Although there can be duplicate host names,
       there cannot be duplicate Fully Qualified Domain Names (FQDN – described below).

To refer to a host in a domain, you use a fully qualified domain name (FQDN), which, in essence, specifies
the actual location of the host in the DNS tree. An FQDN specifies the host name, the domain or subdomain the
host belongs to, and every domain above that in the hierarchy up to the root domain (also known as “.”). The
FQDN is read from left to right, with each host name or domain name label separated by a period. An
example of an FQDN is

Talking about the DNS hierarchy, its first division is into domains. The InterNIC (Internet Network Information
Center) controls top-level domains (TLDs), which are summarized in the following table:

Name     Type of Organization
com      Commercial organizations
edu      Educational institutions
org      Non-profit organizations
net      Networks (the backbone of the Internet)
gov      Non-military government organizations
mil      Military government organizations
num      Phone numbers
arpa     Reverse DNS
xx       Two-letter country code, such as "ca" for Canada, "uk" for United Kingdom, etc.
cc       A newer TLD used for commercial organizations. It was created to help with the overloaded .com TLD

Under these TLDs are domains specific to companies or organizations; e.g.,

Registering A Domain Name

Before installing the first DNS server for your site, ensure that you carefully consider your domain name. Even
if you don’t initially see a need to register this name, do so anyway. If at a later date you decide to register
the domain name that you had previously built your Active Directory namespace upon, and some other
company has since registered the same name, you’ll be in big trouble. You will have to remove and reinstall
Active Directory to use a new domain name. Play it safe. Use a service, such as Network Solutions, to first
verify that your chosen name is available, and then to register it.

CHECK: Understanding Order of Name Resolution

When a client requests a host name (e.g., computer1) on its local network, to be resolved into an IP address,
the following steps are taken.

  1.   The client checks its local HOSTS file. If unsuccessful,
  2.   The client passes the request onto the name server, which checks its DNS cache. If unsuccessful,
  3.   The DNS server checks its database. If unsuccessful,
  4.   The client checks its NetBIOS cache. If unsuccessful,
  5.   The client passes the request onto the WINS server. If unsuccessful,
  6.   The client broadcasts its request. If unsuccessful,
  7.   The client checks its LMHOSTs file.

When a client requests an FQDN (e.g., to be resolved into an IP address, the following
steps occur.

  1.   The client checks its local HOSTS file. If unsuccessful,
  2.   The client passes the request onto the name server, which checks its DNS cache. If unsuccessful,
  3.   The server checks its database. If unsuccessful,
  4.   The DNS server passes the request onto a root name server.
  5.   The root name server passes the request to the appropriate first-level domain name server and so on
       until a name server can resolve the name.
  6.   The name server that can resolve the name passes the corresponding IP address to the requesting

Reverse Lookup

In a reverse lookup, a client knows an IP address but wants to find the corresponding host name. PTR DNS
records provide the answer to the client’s question. Note that Active Directory does not set up reverse lookup
tables by default. Keep this in mind if you’ll need to occasionally perform a reverse lookup.

For an address such as and subnet mask of, its corresponding reverse table
is of the form:

One example of a situation where reverse lookups are useful is in a high security government or military
setting. By means of reverse lookup, you can prevent incoming IP traffic from certain sites from reaching your
web site. In this case, the incoming traffic is in the form of an IP address, yet you want to know what FQDN is
associated with that address in order to prevent unauthorized access.


DNS (see Overview) is installed as a service within Windows 2000 through the use of wizards. If you install
Active Directory (through the Active Directory Installation wizard), and a DNS server cannot be found or is
not specified, the ADI wizard will attempt to install the DNS service for you.

If you wish only to install DNS, you can do so through the Networking Services component via the
Add/Remove Windows Components section beneath the Add/Remove Programs applet of the Control
Panel.

There is a third way to install DNS. You can also trigger the DNS installation wizard by right-clicking on the
My Network Places icon, choosing Properties, clicking Add Network Components in the bottom-left
corner, selecting the Networking Services component, clicking the Details... button and then choosing
Domain Name System (DNS). This latter method requires that you are viewing the “Network and Dial-up
Connections” folder as a Web page.

The easy part is now done. Whichever method you use to install DNS, you won’t have to reboot the server.
The configuration of DNS is performed by selecting the DNS MMC that can be reached from the
Administrative Tools section of Start -> Programs. In fact, if no further configuration is done, you have a
functional caching-only DNS server that is able to do name resolution because it knows about the root DNS
name servers.


A BIND (Berkeley Internet Name Domain) DNS platform may be able to support Active Directory. The
following table lists versions of BIND versus support for Active Directory. At minimum, BIND must support
SRV records or all bets are off. These records allow clients to access services in Active Directory by mapping
an IP address to the name of a server providing a service.

DNS Server                Feature
Microsoft Windows 2000    - Integration with WINS for name resolution. Name resolution queries that fail with
DNS                         DNS are passed to a WINS server. (Enabled via the “Use WINS forward lookup” check
                            box on the WINS tab of the zone file properties page in the DNS MMC.) Note that a
                            side effect of this integration is that a WINS record in a DNS primary zone can cause
                            a DNS zone transfer failure when that transfer is to another version of DNS, such as
                            BIND, which isn’t designed to handle WINS records
                          - Secure DNS updates (the administrator can limit DNS updates to chosen secondary
                            servers)
                          - Ability to integrate zones into Active Directory (Active Directory Integrated Zones).
                            The benefit of this is that zone information management can piggyback on top of
                            built-in Windows 2000 replication and fault tolerance. Even without integrated
                            zones, speed improvements are achieved via master servers notifying secondary ones
                            of changes (notification-driven) as opposed to depending on polling intervals
BIND 8.2.1                IXFR (Incremental Zone transfers in addition to only full zone transfers). IXFR
                          transfers can take place from both Active Directory-integrated servers and Standard
                          Primary servers to Standard Secondary servers
BIND 8.1.1                Dynamic Update DNS support (the integration of DNS and DHCP facilitates the
                          automatic recording of client IP address / host name mappings for Windows 2000
                          clients)
BIND 4.9.7                SRV record support

Naming Restrictions

Category              Regular DNS (includes Windows NT 4.0)         Windows 2000 DNS
Allowed characters    a-z, A-Z, 0-9 and hyphen (-)                  Same as regular DNS plus support for
                                                                    NetBIOS names and Unicode Translation
                                                                    Format
FQDN, label lengths   255 bytes maximum total for FQDN,             Domain Controllers limited to 155 bytes
                      63 bytes per label                            for FQDN
RFC                   1123                                          1123, 2044, 2181

Technet: Active Directory: Set up DNS

Configure a root name server
The root name server of a domain is the name server that acts as the Start of Authority for that zone.
Moreover, it is the top-level server in your domain. As such, it contains the “.” domain and thus cannot be
a forwarder. To resolve queries outside of your domain, you should set up a forwarder, which will eventually
have a cache full of information. When a DNS server cannot resolve a query, it moves (escalates) it up to a
root server that is authoritative for a zone. The Start of Authority (SOA) record is the first record in the
database (KB# Q163971).

Field descriptions:
    - Serial number (i.e., the version number of the database, which controls precedence of zone transfers)
    - Primary server (the DNS server hosting the database)
    - Email address (the responsible person’s email address; the address uses a “.” instead of the “@”)
    - Information that controls zone transfer intervals for secondary servers. Secondary servers contain a
      read-only version of the DNS database and thus must receive zone information updates via a zone
      transfer from another secondary server or a primary server
        - Refresh time (time, in seconds, that passes before a secondary server checks to see if a zone
          transfer should take place)
        - Retry time (time, in seconds, that passes before a secondary server reattempts a failed zone
          transfer)
        - Expiration time (time, in seconds, during which a secondary server attempts a zone transfer. If a
          successful transfer does not occur before the time elapses, the server discards its now old zone
          data)
        - Minimum Time to live (time, in seconds, that a server continues to cache resource records)
        - TTL for this record (time, in seconds, that other DNS servers, and some DNS clients, will cache
          this record)
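As an added Python example (not code from the original guide), the following parses an SOA record in zone-file form into the fields listed above and applies the secondary-server timer rules they drive. The SOA text and the hostmaster address are constructed sample values for the brainbuzz.com zone used elsewhere in these notes, and serial comparison follows RFC 1982 serial-number arithmetic.

```python
"""SOA record fields and the secondary-server timers they drive.

Added example, not code from the original guide. The SOA text below is a
constructed sample for the brainbuzz.com zone used elsewhere in the notes.
"""

SAMPLE_SOA = """
@   IN  SOA  ns1.brainbuzz.com. hostmaster.brainbuzz.com. (
            2003041501  ; serial  (version of the zone database)
            3600        ; refresh (secondary checks for a new serial every hour)
            600         ; retry   (wait 10 minutes after a failed check)
            86400       ; expire  (discard the zone after a day without success)
            3600 )      ; minimum TTL
"""

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)


def parse_soa(text):
    """Extract mname, rname, serial and the four timers from zone-file text.

    Comments after ';' are dropped and parentheses ignored, so both the
    multi-line form above and a single-line SOA are accepted."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
        tokens.extend(line.split())
    i = tokens.index("SOA")
    mname, rname = tokens[i + 1], tokens[i + 2]
    numbers = tokens[i + 3:i + 8]
    if len(numbers) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    # The responsible-person field writes the '@' of the address as its first '.'.
    local, _, domain = rname.rstrip(".").partition(".")
    return {
        "primary": mname,
        "email": f"{local}@{domain}",
        "serial": serial,
        "refresh": refresh,
        "retry": retry,
        "expire": expire,
        "minimum": minimum,
    }


def serial_is_newer(candidate, current):
    """RFC 1982 serial-number arithmetic: True if 'candidate' is a later
    version than 'current', even across the 32-bit wrap-around."""
    candidate %= 1 << SERIAL_BITS
    current %= 1 << SERIAL_BITS
    if candidate == current:
        return False
    return ((candidate > current and candidate - current < HALF)
            or (candidate < current and current - candidate > HALF))


def next_check_delay(soa, last_check_succeeded):
    """Seconds a secondary waits before asking the primary for its SOA again:
    'refresh' after a successful check, 'retry' after a failed one."""
    return soa["refresh"] if last_check_succeeded else soa["retry"]


def zone_expired(soa, now, last_successful_transfer):
    """True once 'expire' seconds have passed without a successful refresh;
    the secondary must then stop answering for the zone."""
    return now - last_successful_transfer >= soa["expire"]


def transfer_needed(soa, primary_serial):
    """A zone transfer is only pulled when the primary's serial is newer
    than the secondary's copy (the precedence rule the serial controls)."""
    return serial_is_newer(primary_serial, soa["serial"])
```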

Configure zones
The core unit of organization for DNS is a zone. A zone is a logical collection of hostnames (sometimes called
“friendly names”) within DNS. This collection forms a subset of the domain. The name server that administers
this zone has “authority” for the zone.

There are three major types of zone storage.

  1.   Standard Primary: zone information is stored on a server that is authoritative for the zone and has a
        writable copy of the text zone database. There can only be one standard primary server per zone.
  2.   Standard Secondary: zone information is stored on a server that gets its zone information from the
        primary master or another secondary and contains a read-only copy of the zone database. These
        servers are normally used as a backup of the primary server and to help with load balancing. There
        can be more than one of these servers per zone.
  3.   Active Directory-Integrated: zone information is stored in the Active Directory and hence cannot be
        read with a text editor. Zone transfers are more secure, as the zone data is encrypted during the
        transfer, and as the zone transfers take place along with other Active Directory updates. A member
        server cannot hold an AD-integrated zone since a member server is not a domain controller and hence
        does not house the Active Directory database. More than one Standard Secondary server may receive
        transfers from AD-integrated servers.

You use the DNS MMC (Microsoft Management Console) snap-in (also available from the Administrative
Tools program folder) to manage DNS and zones.

Forward Lookup Zone

Forward lookup zones provide an IP address for a queried host name. Upon the DNS install completing, the
first zone is created by running the DNS MMC, right-clicking on the server, selecting “Configure the Server”
and completing the wizard. The following items need to be entered during the creation of the zone:

    - Whether or not you want to create a forward lookup zone
    - One of the three major types of zone storage
    - A domain name. The majority of the time you want to use a registered domain name and pick a name
      that you will not have to change. Changing a domain name entails reinstalling Active Directory
    - A new or existing file to house the text file DNS database; e.g., Choose an
      existing file if you plan to import zone information from a non-Windows DNS server
    - Whether or not you want to create a reverse lookup zone. Note that it is possible to set up your DNS
      with only a forward lookup zone and no reverse lookup zone
    - Review the wizard summary and click “Finish”

[Figure: the Forward Lookup zone as displayed in the DNS MMC]

Each of your server’s IP addresses should have a corresponding Host record.

Additional zones can be created by right-clicking on the Forward Lookup Zone folder and selecting New

Reverse Lookup Zone

Reverse lookup zones provide a host name for a supplied IP address and are also necessary for proper
operation of the NSLookup command (described in a subsequent section).

The procedure to create a reverse lookup zone is similar to creating a forward lookup zone, with the major
difference being that you must supply either a network ID (e.g., 203.102.101) or a reverse lookup zone name
(e.g., instead of a domain name. If you enter the network ID, the dialog
automatically fills in the reverse lookup zone name. Also, for a non-Active Directory-Integrated zone you will
choose a new zone file name along the lines of:

Once complete, your Reverse Lookup zone should have an SOA and NS record. To manually create pointer
records (PTR) that correspond to forward lookup records, right-click on the zone and select New Pointer...
and enter the host portion of the host’s IP address and the corresponding FQDN.
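The naming rule behind the network ID, the reverse lookup zone name and the “host portion” entered for a pointer record (and behind the reverse table described under Reverse Lookup above), as an added Python example that is not part of the original guide. It assumes classful, octet-aligned network IDs; the 203.102.101 network and the www.brainbuzz.com host are sample values.

```python
"""Reverse-lookup names for in-addr.arpa zones.

Added example, not from the original guide. It assumes classful, octet-aligned
network IDs (/8, /16, /24), matching the 203.102.101 style used in the text.
"""
import ipaddress


def reverse_zone_name(network_id):
    """'203.102.101' or '203.102.101.0/24' -> '101.102.203.in-addr.arpa'.

    The DNS MMC fills this in automatically from the network ID; this is the
    rule it applies: keep the network octets and reverse their order."""
    if "/" in network_id:
        net = ipaddress.IPv4Network(network_id, strict=True)
        if net.prefixlen % 8 or net.prefixlen == 0:
            raise ValueError("only octet-aligned prefixes (/8, /16, /24) map to one zone")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        octets = network_id.split(".")
        if not 1 <= len(octets) <= 3 or any(not 0 <= int(o) <= 255 for o in octets):
            raise ValueError("network ID must be one to three octets")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip):
    """Full owner name of a host's PTR record: all four octets reversed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # validates the address
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_host_label(ip, zone):
    """The 'host portion' typed into the New Pointer dialog: the part of the
    PTR owner name that is relative to the reverse lookup zone.

    Raises ValueError when the address does not fall inside the zone."""
    owner = ptr_owner_name(ip)
    suffix = "." + zone
    if not owner.endswith(suffix):
        raise ValueError(f"{ip} does not belong to zone {zone}")
    return owner[: -len(suffix)]


def ptr_record(ip, fqdn, zone):
    """Zone-file line for the PTR record that pairs with a host's A record."""
    if not fqdn.endswith("."):
        fqdn += "."          # PTR targets must be fully qualified
    return f"{ptr_host_label(ip, zone)}\tIN\tPTR\t{fqdn}"
```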
Automatically Creating Pointer Records

To automatically have pointer records created, select “Create associated pointer (PTR) record” when creating
a new host record in the Forward Lookup zone.

Configure a caching-only server
Caching-only servers have these characteristics:

    - They speed up name resolution responses to clients by storing the results of recent client DNS queries
    - They do not have a copy of a zone and hence are not authoritative for any zone, nor can they directly
      answer queries that are not contained in their cache. However, a benefit of this is that these servers
      do not have the overhead associated with zone transfers and thus they make a good choice for a
      remote office connected by a slow WAN link to headquarters
    - They should be on a server with plenty of RAM, as this is where their cached information is stored
    - They answer client queries either from their cache or by passing the request on to other DNS servers

With respect to the last point, these other DNS servers are listed on the Root Hints tab and in the New
Resource Record dialog box accessed from the Properties page for a server in the DNS MMC. For the selected
server, you choose which name servers it will query for the lookups it caches. By default, the root domain
servers appear in the Root Hints tab and have names such as “”. Thus, caching servers can initiate
name resolution for FQDNs outside of the domain that the caching-only servers reside in.

To view what is in the cache, call up a command prompt and type:

Ipconfig /displaydns

To flush the cache, type:

Ipconfig /flushdns

The biggest deficiency of this type of server appears when the server restarts. The cache information is lost.
Nonetheless, these servers do come in handy, often in branch offices, where there is no need for a separate
domain at that location but DNS functionality is still required.

To create a Caching-only server, there are only two steps. First, install DNS. Second, run the DNS MMC,
select the DNS menu, click New Server and enter the IP address for the server.

(KB# Q167234)

Configure a DNS client
First, some definitions. A DNS Client is any computer that can query a DNS server through a resolver. A
resolver is the system that actually issues the queries to the name server.

There are two steps to configure a Windows 2000 client to work with DNS. The first requires visiting the
Advanced TCP/IP Settings dialog via the Network and Dial-up Connections window while the second
requires accessing the Network Identification portion of the System Properties dialog.

General DNS Settings

To get to these settings, select Start-> Settings -> Network and Dial-up Connections. Pull up the
Properties of the Local Area Connection, followed by the Properties of the Internet Protocol (TCP/IP). On
the Internet Protocol (TCP/IP) properties page you can provide the IP address of a preferred DNS server
and Alternate one or choose to “Obtain DNS server address automatically”. By clicking on the “Advanced...”
button and selecting the DNS tab, you can add and prioritize the order of use of more DNS server addresses.
Moreover, you can make decisions about how the DNS suffix helps to resolve unqualified names. For
example, you can list several DNS suffixes to append to an unqualified domain name. You can enable
Register this connection’s address in DNS, which allows the client to work with Dynamic DNS. For more
information on these settings, reference: Technet: Active Directory: Set up DNS.

Active Directory Integration DNS Settings

To get to these settings, select Properties after right-clicking on the My Computer icon. Select the Network
Identification tab and then click Properties and More.... In the “DNS Suffix and NetBIOS Computer Name”
dialog, you can choose the primary suffix of the computer. Enabling the Change primary DNS suffix when
domain membership changes ensures the computer’s suffix changes accordingly when domain
membership changes.

Configure zones for dynamic updates
You configure a zone for dynamic updates within the zone properties dialog box from within the DNS MMC by
setting Yes to the field “Allow dynamic updates?”. (For a higher level of security when using an Active
Directory-Integrated zone, you can choose “Only secure updates ”.) Choosing “Yes” or “Only secure updates”
allows DNS clients to update their resource records dynamically with the server anytime a change occurs.
This functionality can be enabled or disabled on a per-zone basis.

Dynamic DNS (DDNS) is simply the integration of DHCP and DNS. Whenever a client interacts with DHCP
(TCP/IP configuration modification, new lease, address renewal, plug and play event, and static adapter IP
address change), the FQDN of the client is registered with DNS through the DHCP server. This registration
can also be done manually using the “registerdns” parameter with the command prompt ipconfig.exe utility
(KB# Q201346). Dynamic DNS is described in RFC 2136. See the section, under DHCP, called “Configure
zones for dynamic updates” for more information.

Here’s how the dynamic update works. The client triggers a forward lookup zone entry in DNS and asks the
DHCP server, via option 81 and its FQDN, to trigger a reverse lookup zone entry for it in DNS. In other
words, the client “owns” the name for the forward lookup zone while the DHCP server “owns” the address for
the reverse lookup zone.

Test the DNS Server service
In order to help you test your DNS server service, it helps to understand the difference between a recursive
and an iterative query.

Recursive Query

When a client performs a recursive query to a DNS server, it wants an answer: either the IP address that
maps to the queried FQDN, or a notification of failure to resolve the name. If the DNS server has the answer
in its cache or zone information, it will send it to the client. Otherwise, the DNS server performs one or more
iterative queries to other DNS servers to get the answer. In addition to clients using recursive queries,
servers use recursive queries when asking a forwarder to help with name resolution. A mail server, when
asked to send a message to a domain it doesn’t know about, may also send a query to a DNS server for help
in resolving where to deliver the message. In this case, the MX resource records stored in the DNS servers
are used to provide the required answers.

Iterative Query

A DNS server that can’t resolve a name will first send an iterative query to root domain servers. It will take
the answer and send another iterative query to the domain listed in the answer. It will continue to do this until
it finds the answer it was looking for and then pass that answer on to the requesting client. Each time the
originating DNS server gets an answer, the answer will be closer to the final answer; e.g., .com,, In order to improve its speed for future queries, the DNS server will store
the results of its iterative queries in its cache.


The simplest yet sometimes most useful TCP/IP command line utility is the ping command. Ping sends an
ICMP message to an IP address or FQDN and receives replies from that host if successful. The “-a” option
resolves addresses to hostnames. “ping –a” can thus be used to see if a given FQDN has an alias or
CNAME. To find out about other interesting options, run “ping /?” or “ping -?”.


NSLookup is another command line utility that is useful in testing and troubleshooting DNS. As mentioned
before, NSLookup requires the presence of reverse lookup zones. NSLookup has two modes. The first,
non-interactive, can be used when you need only a single answer to a query.

The second, interactive, brings you to a “>” prompt and allows the entry of more than one command. To find
out about interactive NSLookup options, run NSLookup and type “?”.

The simplest usage of NSLookup is the non-interactive “nslookup host”; e.g., “nslookup”. This returns the FQDN and IP address of the DNS server responsible for the domain.

In terms of interactive mode, a handy command is “ls –d brainbuzz > file.txt”. The ls says to list records in
the domain (in this case brainbuzz) and the “-d” specifies to list all records (i.e., soa, a, ns, mx, cname, ptr,
etc.). The last portion of the command says to place the results in the file “file.txt” in the directory that the
nslookup command was run from. By leaving out the “-d” option, only host (a) records are listed. In essence,
this is a zone transfer (from the DNS database to the screen or file). Keep in mind that some hosts prevent
sharing the zone information for security or performance reasons.

You can also set options by typing, “set option”; e.g., “set debug” enables debug information (“set d2”
enables exhaustive debug information) to appear for subsequent commands. “set type=soa” will cause
subsequent queries to deal only with the Start of Authority Record. “set all” shows the status of all the
possible options. A side benefit of learning the NSLookup command is that it also works in other operating
systems such as Unix.

Lastly, a command such as “name1 name2” tells NSLookup to use a DNS server specified by name2 (a
name server that can be outside of your domain) to do name resolution for name1.

The difference between an authoritative and nonauthoritative answer is as follows. The initial query for a
remote host name yields an authoritative answer since the local DNS server gets it from a DNS server that is
authoritative for the domain containing the remote host. The local DNS server then stores the result in its
cache, and the next query for the same information is called nonauthoritative since the answer comes directly
from the local DNS server’s cache.
(KB# Q200525)
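The iterative walk from the root hints described under Iterative Query, and the authoritative versus nonauthoritative distinction just described, as one added Python simulation that is not part of the original guide. The root, .com and brainbuzz.com servers, their 192.0.2.x addresses (documentation range) and their records are all constructed sample data.

```python
"""Recursive server resolving a client query by iterative queries, with a cache.

Added example, not code from the original guide. The delegation below is a
constructed sample: a root server, a .com server and the brainbuzz.com server,
all on 192.0.2.x documentation addresses.
"""

ROOT_HINTS = ["192.0.2.1"]          # all a freshly installed (caching-only) server knows

# ip -> the zone a server is authoritative for and the records it holds
# (NS records at a child name are delegations; A records for NS names are glue).
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {
        "com.": [("NS", "a.gtld.test.")],
        "a.gtld.test.": [("A", "192.0.2.2")]}},
    "192.0.2.2": {"zone": "com.", "records": {
        "brainbuzz.com.": [("NS", "ns1.brainbuzz.com.")],
        "ns1.brainbuzz.com.": [("A", "192.0.2.3")]}},
    "192.0.2.3": {"zone": "brainbuzz.com.", "records": {
        "www.brainbuzz.com.": [("A", "192.0.2.80")],
        "ns1.brainbuzz.com.": [("A", "192.0.2.3")]}},
}


def query_server(server_ip, qname):
    """One iterative query: the server answers only from its own data and
    never asks anyone else. Returns ('answer', ip), ('referral', ns_ip)
    or ('nxdomain', None)."""
    server = SERVERS[server_ip]
    records = server["records"]
    addresses = [d for t, d in records.get(qname, []) if t == "A"]
    if addresses:
        return "answer", addresses[0]
    # Otherwise look for the closest delegation below this server's zone.
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor == server["zone"]:
            break                       # we are authoritative: the name does not exist
        ns_names = [d for t, d in records.get(ancestor, []) if t == "NS"]
        if ns_names:
            glue = [d for t, d in records.get(ns_names[0], []) if t == "A"]
            return "referral", glue[0]
    return "nxdomain", None


class RecursiveServer:
    """The client's preferred DNS server: it accepts recursive queries from
    clients and does the iterative work on their behalf."""

    def __init__(self):
        self.cache = {}

    def resolve(self, qname):
        """Return (ip_or_None, authoritative, servers_consulted)."""
        if qname in self.cache:
            return self.cache[qname], False, []      # nonauthoritative: served from cache
        consulted = []
        next_server = ROOT_HINTS[0]
        for _ in range(10):                           # guard against referral loops
            consulted.append(next_server)
            kind, data = query_server(next_server, qname)
            if kind == "answer":
                self.cache[qname] = data              # remembered for later queries
                return data, True, consulted
            if kind == "referral":
                next_server = data                    # each referral is closer to the answer
                continue
            return None, True, consulted              # authoritative "no such name"
        raise RuntimeError("too many referrals for " + qname)
```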

Web Browser

After entering an FQDN into the address or URL box on a browser, check the lower left portion of the browser
for both the IP address of the FQDN and then the FQDN. This is another method to see whether or not your
DNS server is performing name resolution.

DNS Admin Tool

You can also monitor DNS activity by running the DNS MMC, right-clicking on the server, selecting
Properties and clicking on the Monitoring tab. You can choose to perform a simple (iterative) query or
recursive query, followed by the “Test Now” button, or an automatic test of the DNS service based on a time
interval.

Implement a delegated zone for DNS
The first thing to know about delegating a zone is that the delegated domain must be lower in the domain
hierarchy (i.e. closer to the hosts than to the root) than the domain performing the delegation. With that in
mind, it makes sense that a domain higher in the hierarchy will refer DNS requests to the DNS server in the
delegated domain.

To perform the delegation, run the DNS MMC, right-click on the zone you want to delegate, select New
Delegation and complete the New Delegation Wizard.

Manually create DNS resource records

DNS uses resource records to perform its hostname to IP address translations. If necessary, resource
records can be manually added into DNS through the DNS snap-in. With Dynamic DNS, why would you need
to create manual entries? First, you may have non-Windows 2000 clients that require entries. Second, you
may want static entries for certain hosts. Third, you may want an entry that is not supported by Dynamic DNS.
There are several choices on the type of new entry, including: New host, New alias, New mail exchanger
and Other new records. Resource records types include:

Description of Records

Record      Purpose
A           Host address record – for mapping a DNS name to an IP address. Requires name, IP address
            and whether or not to “Create associated pointer (PTR) record”
CNAME       Canonical Name – an alias domain name for a name already specified as another resource
            type in the zone. An example is to assign an alias name “www2” to an FQDN for target
            host “”
MB          Mailbox record
MG          Mail group record
MINFO       Mailbox or mailing list information – usually used to specify a mailbox for error messages
MX          Mail exchanger record – details message routing to a mail exchange host. Entry fields
            include the domain name, the name of the mail server and the priority, which defaults to
            10 (the lower the priority number, the higher the priority of this particular mail server)
NS          Name server record – specifies a server that is authoritative for a certain zone
PTR         Pointer record – used for reverse lookups. Remember that the DNS installation does not
            create a reverse lookup zone by default
TXT         Text record – can hold descriptive text that can be applied to a specific DNS name
RT          Route Through – details intermediate-route-through binding for hosts that do not have
            their own WAN address
SRV         Service Record – used by Windows 2000 for Active Directory and "Dynamic DNS". Active
            Directory can work with non-Windows 2000 DNS servers so long as those DNS servers
            support the use of SRV records.

Manage and Monitor DNS

Managing DNS

The following lists most of the DNS management tasks that are available by selecting a DNS server from the
DNS MMC and choosing the Action menu:

    - Set Aging/Scavenging for All Zones – use this to remove outdated resource records
    - Scavenge Stale Resource Records Manually – use this to scavenge old resource records
    - All Tasks – use this to start, stop, pause, resume and restart the DNS server service
    - Delete – use this to delete a DNS server
    - Refresh – use this to update the status of the display
    - Export List – export DNS server information to a file
    - Properties – includes these tabs
        - Interfaces – limits the server IP addresses on which the DNS server will accept requests
        - Forwarders – use this to forward a request, not to a root server, but to the specified server(s),
          hoping that the server(s) can resolve the request. This configuration can’t be created if the
          server is set up as a root name server; i.e., has a “.” domain. The DNS server acts like a “DNS
          client” to its corresponding forwarder and is called the “forwarding server”. You will probably
          check “Don’t use recursion” since this server likely can’t perform the resolution if its forwarder
          failed in its attempt. Enabling this setting may also open up your internal zone information to
        - Advanced – includes server options such as enabling DNS servers to act in “round robin”
          fashion (this provides a certain amount of load balancing) and forcing a DNS server to perform
          iterative, not recursive, queries. Also has a checkbox to “Enable automatic scavenging of stale
          records”
        - Root Hints – contains the list of DNS servers to forward DNS requests to. Root hints do not exist if
          the DNS server is configured with a “.” domain
        - Logging – contains a list of items that you can log activity for to the file %SystemRoot%
        - Monitoring – (discussed in the Test the DNS Server service section)

Monitoring DNS

Monitoring can be done through the Performance tool (available from Start->Programs->Administrative
Tools). Some counters and types of counters for the DNS object include:

    l   AXFR and IXFR Counters – counters include Requests Received, Requests Sent, Response
        Received, Success Received, Success Sent
    l   Caching Memory – this counter tracks memory usage
    l   Dynamic Updates – various and sundry counters related to Dynamic DNS
    l   Zone Transfers – the Failure counter is an obvious one to check for trouble

Other RFCs worth checking out:

1536, 1739, and 1912

Other resources:

DNS Resource Directory

How DNS Queries Work

DNS Forwarding ...

Defining DNS Server Roles

Installing, Configuring, Managing, Monitoring and
Troubleshooting DHCP in a Windows 2000 Network
DHCP Background

DHCP stands for Dynamic Host Configuration Protocol (see Overview). This protocol was developed to ease
the headaches involved with manually managing client IP addresses, headaches that include problems such
as duplicate IP addresses and other TCP/IP setting inaccuracies. DHCP is based on the BOOTP protocol,
with the added advantage that DHCP is not restricted to handing out client configuration information from a
static table. DHCP enables dynamically distributing IP addresses, and all associated configuration data,
through an open standard defined by RFC 2131 and RFC 2132.

Steps for a client to receive an address (the DORA exchange: Discover, Offer, Request, Acknowledge)

  1. Client broadcasts a DHCP Discover message (the broadcast can cross routers only if the routers are
        configured to forward BOOTP/DHCP broadcasts, i.e., act as RFC 1542 relay agents)
  2.    Every DHCP server that hears the Discover and has an address to give responds with a DHCP Offer
        message
  3.    Client broadcasts a DHCP Request for the first Offer it received; the Request names the chosen server
        (Server Identifier option), so the other servers know their offers were declined and withdraw them
  4.    The chosen server sends a DHCP ACK to the client, giving it a lease on an address from the scope for
        the subnet the client is on (the server identifies that subnet from the relay agent address in the
        request, or from the interface the request arrived on)
  5.    Client uses the IP address to attach to the network, along with any other parameters supplied with
        the lease.
The lease defines how long the client’s address information is valid. Every client automatically tries to
renew the lease with the server that issued it when half the lease time has elapsed (T1); if that fails, it
keeps retrying, and at 87.5% of the lease (T2) it broadcasts a Request that any DHCP server may answer. If
the lease expires without renewal the client must stop using the address and start again with a Discover.
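The exchange above at the byte level, as an added example written for this edit (it is not part of the original Cramsession or of any Microsoft code): a minimal encoder and decoder for RFC 2131 messages and RFC 2132 options in Python, driven through Discover, Offer, Request and ACK entirely in memory. The server address 10.1.1.2, the offered address 10.1.1.50, the router, DNS and WINS addresses, the client MAC and the transaction ID are all constructed. Besides the option encoding and the T1/T2 renewal timers, it shows two checks worth knowing about: the client discards any reply that does not echo its own transaction ID and MAC, and a server stays silent on a Request whose Server Identifier option names a different server.

```python
"""DHCP (RFC 2131/2132) Discover/Offer/Request/Ack, encoded and decoded by hand.
Added example with constructed addresses and MAC; not Microsoft's implementation."""
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")             # cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2                 # op field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # option 53 message types
# RFC 2132 option codes used here; 44/46 are the WINS options the DHCP snap-in shows
O_MASK, O_ROUTER, O_DNS, O_WINS, O_NODE, O_REQ_IP = 1, 3, 6, 44, 46, 50
O_LEASE, O_MSGTYPE, O_SERVER_ID, O_T1, O_T2, O_END = 51, 53, 54, 58, 59, 255
LEASE = 8 * 24 * 3600                         # the New Scope Wizard default of 8 days
# fixed 236-byte header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")

def ip4(text):
    return ipaddress.IPv4Address(text).packed

def encode_options(opts):
    out = bytearray(MAGIC)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value          # type, length, value
    out.append(O_END)
    return bytes(out)

def decode_options(data):
    """TLV walk with bounds checks: a truncated option is a ValueError, not an IndexError."""
    if data[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data) and data[i] != O_END:
        if data[i] == 0:                                  # pad byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % data[i])
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build(op, xid, chaddr, opts, yiaddr="0.0.0.0", giaddr="0.0.0.0", flags=0x8000):
    """flags=0x8000 is the BROADCAST bit: a client with no address yet asks for broadcast replies."""
    hdr = HDR.pack(op, 1, 6, 0, xid, 0, flags, ip4("0.0.0.0"), ip4(yiaddr), ip4("0.0.0.0"),
                   ip4(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + encode_options(opts)

def parse(pkt):
    f = HDR.unpack_from(pkt)
    opts = decode_options(pkt[HDR.size:])
    return {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "msgtype": opts[O_MSGTYPE][0], "options": opts}

def renewal_times(lease):
    """T1 (renew, unicast to the issuing server) at 50%; T2 (rebind, broadcast to any server) at 87.5%."""
    return lease // 2, lease * 7 // 8

def server_reply(req, server_ip, offered_ip, params):
    """Offer for a Discover, ACK for a Request; silence for a Request whose Server Identifier
    names another server (that server won the race in step 3 of the exchange)."""
    if req["msgtype"] == REQUEST and req["options"].get(O_SERVER_ID) != ip4(server_ip):
        return None
    kind = {DISCOVER: OFFER, REQUEST: ACK}[req["msgtype"]]
    t1, t2 = renewal_times(LEASE)
    opts = {O_MSGTYPE: bytes([kind]), O_SERVER_ID: ip4(server_ip), O_LEASE: struct.pack("!I", LEASE),
            O_T1: struct.pack("!I", t1), O_T2: struct.pack("!I", t2), **params}
    return build(BOOTREPLY, req["xid"], req["chaddr"], opts,
                 yiaddr=offered_ip, giaddr=req["giaddr"], flags=req["flags"])

def client_accepts(reply, xid, chaddr):
    """Drop replies that do not echo our xid and MAC. Cheap protection against stray or spoofed
    replies; it does NOT stop a rogue server that saw the Discover and simply answers first."""
    return reply["op"] == BOOTREPLY and reply["xid"] == xid and reply["chaddr"] == chaddr

def dora(server_ip="10.1.1.2", offered_ip="10.1.1.50"):
    """Run the four-message exchange in memory and return what the client ends up with."""
    mac, xid = bytes.fromhex("0050563a1b2c"), 0x3903F326    # constructed client MAC and transaction id
    params = {O_MASK: ip4("255.255.255.0"), O_ROUTER: ip4("10.1.1.1"),
              O_DNS: ip4("10.1.1.2") + ip4("10.1.1.3"),       # two DNS servers, as the wizard text advises
              O_WINS: ip4("10.1.1.4"), O_NODE: b"\x08"}       # 046 WINS/NBT Node Type 0x8 = hybrid
    discover = build(BOOTREQUEST, xid, mac, {O_MSGTYPE: bytes([DISCOVER])})
    offer = parse(server_reply(parse(discover), server_ip, offered_ip, params))
    if not client_accepts(offer, xid, mac):
        raise RuntimeError("offer was not addressed to this client")
    request = build(BOOTREQUEST, xid, mac, {O_MSGTYPE: bytes([REQUEST]), O_REQ_IP: ip4(offer["yiaddr"]),
                                            O_SERVER_ID: offer["options"][O_SERVER_ID]})
    ack = parse(server_reply(parse(request), server_ip, offered_ip, params))
    o, dns = ack["options"], ack["options"][O_DNS]
    return {"ip": ack["yiaddr"], "mask": str(ipaddress.IPv4Address(o[O_MASK])),
            "router": str(ipaddress.IPv4Address(o[O_ROUTER])),
            "dns": [str(ipaddress.IPv4Address(dns[i:i + 4])) for i in range(0, len(dns), 4)],
            "lease": struct.unpack("!I", o[O_LEASE])[0], "t1": struct.unpack("!I", o[O_T1])[0],
            "t2": struct.unpack("!I", o[O_T2])[0],
            "messages": [DISCOVER, offer["msgtype"], REQUEST, ack["msgtype"]]}

if __name__ == "__main__":
    print(dora())
```

Run it to see the final lease (8 days, T1 at 4 days, T2 at 7 days). Note how little the xid/MAC check buys: a rogue server on the same segment sees the broadcast Discover and can answer with a perfectly valid Offer, which is why the Active Directory authorization and the conflict counters described later in this section matter.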

DHCP and Routers

DHCP Discover and Request messages are broadcasts, and routers do not forward broadcasts by default, so a
DHCP server normally hears only the clients on its own segment. Either BOOTP/DHCP forwarding has to be
enabled on the routers (RFC 1542 relay) or DHCP Relay Agents must be set up on the segments without a DHCP
server. A relay agent rewrites the broadcast as a unicast to the server and records its own address in the
message (the giaddr field), which is how the server knows which scope the request belongs to.

In order to set up a DHCP Relay Agent, run the Routing and Remote Access tool, right-click DHCP Relay
Agent (under IP Routing) and choose New Interface.

On the Properties page for the DHCP Relay Agent icon, add the DHCP server’s IP address. On the
Properties page of the Interface (e.g., Local Area Connection) enable the Relay DHCP packets checkbox.

Install, configure, and troubleshoot DHCP

Install the DHCP Server service

Before installing the DHCP server service, ensure that the target computer has a static address: if you forget
to do this, the installation process will prompt you to do so. Note that the target computer need not be a
domain controller.

As with installing DNS, there is more than one way to install DHCP. One way is to use the new Configure
Your Server application which is reached from Start -> Programs -> Administrative Tools. Next, from the
left nav bar, select Networking and DHCP . In the middle of the screen, select Start the Windows
Component Wizard. From this dialog, choose Networking Services, click on the Details button, choose
DHCP and click OK.

Another installation method is via the Network and Dial-up Connections folder. Click the Add Network
Components link in the bottom left. From the Networking Services dialog, follow the same steps as listed
near the end of the previous paragraph.
After installing the DHCP service, you gain the DHCP snap-in and must define at least one scope on the
server before it can start to answer DHCP requests (KB# Q169289).

In the event your DHCP service isn’t running (your server shows up “X”ed out in the DHCP program), run the
Services program (from the Administrative Tools folder) and start the DHCP service.

Create and manage DHCP scopes, superscopes, and multicast scopes


A scope is the range of IP addresses that the DHCP server can lease to clients on one subnet, together
with the lease duration and the configuration options handed out with the address. So a DHCP server does
not only issue addresses from the address pool/scope, but also issues lease information and other IP
configuration data, including:

    l   Default gateway
    l   Subnet mask
    l   DNS server addresses and DNS suffix
    l   WINS server address
    l   WINS Proxy information
    l   NetBIOS scope ID
    l   IP routing

To see what values your client received for these settings, run “ipconfig /all” on a Windows NT or 2000
client or “winipcfg” on a Windows 9X client.

Scopes are created with the New Scope Wizard, described below.


A superscope (KB# Q255999) is used to support a multinetted or supernetted network (multiple logical
subnets running on the same physical segment) with a Windows 2000 DHCP server. A situation where this
works well is a section of an office with more clients than one subnet can address but which, if not for
that restriction, would all reside on one segment: when the first subnet’s scope is exhausted the server
can lease from another scope in the same superscope. Superscopes also aid administration by grouping
related scopes and by providing statistics for all scopes belonging to the same superscope.


Multicasting involves sending a message to a select group of recipients through the use of class D IP
addresses and is analogous to sending an email message to a specific group of users. This is useful for
conserving bandwidth: if a data packet needs to be sent to 300 out of 600 users, you need send it only once
(to the class D address) rather than the 300 times unicasting would require.

MADCAP (Multicast Address Dynamic Client Allocation Protocol – RFC 2730) works like DHCP, but is used to
issue multicast addresses only. To begin the process of issuing multicast addresses, right-click the server
in the DHCP snap-in and choose New Multicast Scope from the popup menu. This, in turn, starts the New
Multicast Scope wizard. Multicast addresses must fall within the Class D range (224.0.0.0 to
239.255.255.255). Understand that a multicast address is not meant for normal web traffic but is solely
meant for multicast-aware applications.

Creating a Scope

To start the DHCP scope creation wizard, from within the DHCP manager, click on the appropriate server,
and choose Action->New Scope.
The following entries can be made in this wizard:

    l   Name (perhaps include the network address in the name) and description of scope (for example, why
        you created the scope)
    l   The start and end IP address for the range of addresses the server will distribute, as well as the
        subnet mask, entered either as a prefix length (the number of network bits) or in dotted form
        (255.X.X.X)
    l   Zero, one or more exclusion ranges, each given as a start and end IP address (a single address can
        be excluded by giving it as both start and end). Excluded addresses are ones we don’t want to give
        to clients
    l   In days, hours and minutes, the lease duration (default is 8 days, maximum is 999 days). Generally,
        the more stable the network, the longer the lease period. If you have more clients than available IP
        addresses, you will want a shorter lease duration
    l   Opportunity to configure DHCP options (skip this and say “No” only for a very simple network). Enter
        options here that are specific to the scope (e.g., default gateway) – place options that are applicable to
        all scopes in the server options (see the “Server Options” section below)
        options here that are specific to the scope (e.g., default gateway) – place options that are applicable to
        all scopes in the server options (see the “Server Options” section below)
    l   Assign an address to the default gateway or router (you can have more than one entry here)
    l   Specify the parent domain name (i.e., DNS suffix) for your DHCP clients as well as one or more DNS
        server names and corresponding IP addresses. At least two DNS servers should be listed because of
        Active Directory’s need for DNS
    l   Optionally supply one or more WINS server names and IP addresses. As stated in the WINS section of
        this Cramsession most networks will still need WINS support for the near future
    l   Decide whether or not to activate the scope (yes is the default dialog setting)

Scope Folders
Folder contents

    l   Address Pool – shows both pools of addresses to lease and to exclude
    l   Address Leases – shows addresses currently in use (information includes the client IP address,
        FQDN and lease expiration)
    l   Reservations – shows IP addresses set aside for specific computers
    l   Scope Options – shows Option Name (e.g. 046 WINS/NBT Node Type), Vendor (e.g. Standard) and
        Value (e.g. 0x8 – represents hybrid mode of NetBIOS name resolution)


Items to exclude from a scope are devices that must keep a fixed address and include:

    l   Routers
    l   Net-connected printers
    l   Application servers

Reserved Vs. Required Addresses

Why use DHCP to hand out an address that is always the same? Why not just use a static IP address?

Here are some benefits:

    l   WINS re-registrations can be quickly accomplished with the ipconfig utility
    l   It’s easier to track all IP addresses on your network
    l   A server such as WINS or DNS, while requiring the same address at all times, can benefit by getting
        this address from DHCP since along with the address they receive scope options

(KB# Q170062)

To set up a reservation, right-click the Reservations folder, choose New Reservation, and supply a name, the
IP address to reserve, and the client’s MAC address.
Note: enter the MAC address without dashes. A quick way to discover a MAC address is to ping the IP address
of a client and then run “arp -a” (or “arp -g”), since this will report the IP address / MAC address mapping
that is temporarily stored in the ARP cache. Remember that a reservation ties the address to whatever device
presents that MAC address; it is a convenience, not an authentication of the device.
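An added example (not the page’s or Microsoft’s code) that models the allocation rules described in the relay agent, scope, superscope, exclusion and reservation passages above: the relay address (giaddr) or the receiving interface selects the subnet, a superscope lets an exhausted scope fall through to a sibling scope on the same segment, excluded addresses are skipped, and a reservation keyed on the dash-less MAC wins over the pool. The scopes, the superscope, the MAC addresses and the “arp -a” output it parses are all constructed; the real server keeps this state in its database and walks its pool in its own order.

```python
"""How a DHCP server chooses a scope and an address: giaddr (or the receiving interface) picks the
subnet, a superscope widens the choice to sibling scopes, reservations win over the pool, exclusions
are skipped. Added example with constructed data; not Microsoft's implementation."""
import ipaddress
import re
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address

@dataclass
class Scope:
    name: str
    network: ipaddress.IPv4Network
    start: IPv4
    end: IPv4
    exclusions: list = field(default_factory=list)     # [(first, last), ...]
    reservations: dict = field(default_factory=dict)   # normalized MAC -> IPv4
    options: dict = field(default_factory=dict)        # scope options, override server options
    leases: dict = field(default_factory=dict)         # IPv4 -> MAC

def normalize_mac(text):
    """00-50-56-3A-1B-2C, 00:50:56:3a:1b:2c and 0050563A1B2C all become the dash-less form
    the reservation dialog wants (lowercased here so comparisons are case-insensitive)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % text)
    return digits.lower()

def mac_from_arp(arp_output, ip):
    """Find the MAC for `ip` in the output of the Windows `arp -a` command."""
    for line in arp_output.splitlines():
        m = re.match(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s", line)
        if m and m.group(1) == ip:
            return normalize_mac(m.group(2))
    return None

def candidate_scopes(scopes, superscopes, giaddr, interface_ip):
    """A relayed request carries the relay's address in giaddr; a request heard directly has
    giaddr 0.0.0.0 and the address of the receiving interface is used instead."""
    anchor = IPv4(giaddr) if giaddr != "0.0.0.0" else IPv4(interface_ip)
    names = {s.name for s in scopes if anchor in s.network}
    for members in superscopes.values():              # a hit on one member opens the whole superscope
        if names & set(members):
            names |= set(members)
    return [s for s in scopes if s.name in names]

def excluded(scope, ip):
    return any(lo <= ip <= hi for lo, hi in scope.exclusions)

def allocate(scopes, superscopes, server_options, giaddr, interface_ip, mac):
    """Return (address, scope name, effective options) or None when nothing can be offered."""
    mac = normalize_mac(mac)
    candidates = candidate_scopes(scopes, superscopes, giaddr, interface_ip)
    for scope in candidates:                           # 1. a reservation always wins, even in a full scope
        if mac in scope.reservations:
            ip = scope.reservations[mac]
            scope.leases[ip] = mac
            return ip, scope.name, {**server_options, **scope.options}
    reserved = {ip for s in candidates for ip in s.reservations.values()}
    for scope in candidates:                           # 2. otherwise the first free, non-excluded address
        for n in range(int(scope.start), int(scope.end) + 1):
            ip = IPv4(n)
            if ip in scope.leases or ip in reserved or excluded(scope, ip):
                continue
            scope.leases[ip] = mac
            return ip, scope.name, {**server_options, **scope.options}
    return None                                        # no scope for this subnet, or all candidates exhausted

# constructed `arp -a` output in the Windows format
ARP_OUTPUT = """Interface: 10.1.1.2 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.1.1.1              00-50-56-e1-00-01     dynamic
  10.1.1.77             00-50-56-3a-1b-2c     dynamic
"""

def demo():
    net = ipaddress.IPv4Network
    floor1a = Scope("Floor1-A", net("10.1.1.0/24"), IPv4("10.1.1.10"), IPv4("10.1.1.12"),
                    exclusions=[(IPv4("10.1.1.11"), IPv4("10.1.1.11"))],         # e.g. a net-connected printer
                    reservations={mac_from_arp(ARP_OUTPUT, "10.1.1.77"): IPv4("10.1.1.20")},
                    options={3: "10.1.1.1"})                                      # 003 Router
    floor1b = Scope("Floor1-B", net("10.1.2.0/24"), IPv4("10.1.2.10"), IPv4("10.1.2.12"), options={3: "10.1.2.1"})
    branch = Scope("Branch", net("10.9.0.0/24"), IPv4("10.9.0.10"), IPv4("10.9.0.50"), options={3: "10.9.0.1"})
    scopes = [floor1a, floor1b, branch]
    superscopes = {"Floor1": ["Floor1-A", "Floor1-B"]}          # two subnets on one segment (multinet)
    server_options = {6: ["10.1.1.2", "10.1.1.3"]}             # 006 DNS Servers, inherited by every scope
    srv = "10.1.1.2"                                           # the interface the server listens on
    return {
        "first": allocate(scopes, superscopes, server_options, "0.0.0.0", srv, "00-50-56-aa-00-01"),
        "second": allocate(scopes, superscopes, server_options, "0.0.0.0", srv, "00-50-56-aa-00-02"),
        "third": allocate(scopes, superscopes, server_options, "0.0.0.0", srv, "00-50-56-aa-00-03"),
        "printer": allocate(scopes, superscopes, server_options, "0.0.0.0", srv, "00:50:56:3A:1B:2C"),
        "relayed": allocate(scopes, superscopes, server_options, "10.9.0.1", srv, "00-50-56-bb-00-01"),
        "unknown": allocate(scopes, superscopes, server_options, "172.16.0.1", srv, "00-50-56-cc-00-01"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The third request shows what the superscope is for: Floor1-A holds only two usable addresses (10.1.1.11 is excluded), so the third client is served from Floor1-B although it is on the same wire. The relayed request is placed in the Branch scope purely because of the giaddr it carries, which is also why a relay agent address you do not recognise in the audit log deserves a look.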

Server Options

Server options act as defaults for all scopes and can be overridden by a scope-specific option of the
same number. To set options, select Action -> Configure Options from the Server Options folder. Likely
candidates for configuration here are DNS server and WINS server IP addresses; i.e., settings that would
apply to all scopes.

Underneath a particular scope folder, scope options have an icon consisting of a yellow gear and blue gear
while options that are “inherited” from server options have a yellow gear and a server icon.

The general tab lists available options. When you click an option, its related fields display.

Vendor and User Classes

Vendor classes provide a way to apply particular scope options to clients that are all of the same vendor type
(e.g., Microsoft Windows 2000 Options). User classes perform a similar function for clients that share non-
vendor-specific characteristics, such as being all dial-in clients.

Creating a Superscope

This is accomplished through the New Superscope command that appears on the popup menu after right-
clicking on a DHCP server within the DHCP snap-in. The following steps ask for a name and the scopes to
include. Remember that a scope must be active before it can be added to a superscope.
Creating a Multicast Scope

The Multicast Scope creation steps ask for a name, description, start and end IP address (in the range
224.X.X.X to 239.X.X.X), time to live (default of 32: the number of router hops a multicast packet may
traverse before it is discarded), exclusion addresses, lease duration (default of 30 days), and whether or
not you want to activate the scope.

Under the new multicast scope item there are two folders: address pool (shows possible addresses to lease)
and address leases (shows addresses presently leased).

Configure DHCP for DNS integration

The DHCP server should also be configured to use DDNS, and this can be done at the scope or server level.
In the Properties dialog of either the scope or the server, choose the DNS tab and check the box to
Automatically update DHCP client information in DNS. If you do not do this (or do not enable dynamic
updates on the DNS zone as well), then you do not have Dynamic DNS for DHCP clients.

To help keep DNS clean, leave enabled the option to discard forward (name-to-address) lookups when the
lease expires, so that records for departed clients do not linger. Check the option to enable updates for
DNS clients that do not support dynamic update (UNIX and pre-Windows 2000 clients) if you have such clients:
the DHCP server then registers both the A and the PTR record on their behalf.

See the “Configure zones for dynamic updates” DNS section of this Cramsessions for more details.

Authorize a DHCP server in Active Directory
In Windows 2000, a DHCP server cannot provide services to clients until it has been authorized in Active
Directory. This is accomplished by adding the IP address of the DHCP server to the list of authorized
servers in Active Directory and requires membership in the Enterprise Admins group. Specifically, right-click
on the server within the DHCP snap-in and choose the Authorize command from the popup menu, or right-click
on the DHCP icon, choose “Manage Authorized Servers... ”, and enter the IP address of the server you wish to
authorize.

This new functionality prevents a “rogue” Windows 2000 DHCP server (for example, one brought up by a
well-meaning administrator on a member server) from assigning IP addresses without your knowledge or
approval. Note the limit of the mechanism: only Windows 2000 DHCP servers look for authorization, so a rogue
running other DHCP software is unaffected and has to be found by other means (see the Declines/Sec counter
in the monitoring section). After a few minutes you’ll know that your server is authorized by seeing that
the scopes associated with the server have a status of “Active”. Even after the server is authorized, it
checks every 5 minutes to ensure it is still authorized.

Should you need to reverse the process, right-clicking the server brings up an Unauthorize option.

Manage and monitor DHCP
The DHCP snap-in is used for managing and monitoring DHCP.

Action Menu

Action->Display Statistics

Action->Reconcile All Scopes compares scope information in the database and the registry and should only
be required if you suspect problems with the DHCP database.
Action->All Tasks includes: start, stop, pause, resume and restart.

Action->Define User Classes is used to apply DHCP options to a set of DHCP clients

Action->Define Vendor Classes is used to supply vendor-specific DHCP settings

Action->Properties has three tabs: General, DNS and Advanced. The DNS tab was discussed in the
“Configure DHCP for DNS integration” section.

Properties General Tab

Audit logging is recorded to files in %SystemRoot%\system32\dhcp (one file per day of the week). As well,
the system records DHCP information to the System Log within the Event Viewer.

Properties Advanced Tab

Adjust the Advanced tab settings only if you really know what you’re doing:
    l   Conflict detection attempts – setting this to 1 or more makes the server ping an address before
        offering it; this catches addresses already in use (e.g., statically assigned inside the scope) at
        the cost of a delay on every new lease
    l   Change server connection bindings... – useful on a DHCP server with more than one NIC, this
        setting allows you to decide which interfaces the DHCP service listens on

DHCP-Related System Monitor Counters

Recall from the “Steps for a client to receive an address” section that there are four main messages sent
between a client and a DHCP server for the client to lease an address: discover, offer, request and ack. In
addition to several other counters, such as Active Queue Length (a high number here could indicate an
overloaded DHCP server), there are counters (all a part of the DHCP Server object) that relate to the above
messages:

    l   Discovers/Sec
    l   Offers/Sec
    l   Requests/Sec
    l   Acks/Sec and Nacks/Sec

A high value for Informs/Sec indicates heavy Dynamic DNS integration traffic, while a high Declines/Sec
means many clients are finding the address they were given already in use: a symptom of overlapping
scopes, statically assigned addresses inside a scope, or a “rogue” DHCP server handing out addresses from
the same range.
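Both the Declines/Sec counter just mentioned and the audit log in %SystemRoot%\system32\dhcp can surface a rogue server or scope trouble. The following is an added example (not the page’s or Microsoft’s code) that runs simple detection logic over constructed audit-log lines laid out in the Windows 2000 shape (ID,Date,Time,Description,IP Address,Host Name,MAC Address). The event-ID meanings it keys on (13 = address conflict, 14 = scope full, 54/56 = authorization failed) are assumptions to verify against the header of your own log files; the host names, MACs and timestamps are made up.

```python
"""Detection over DHCP audit log lines. Added example; the log lines are constructed in the
Windows 2000 audit-log layout and the event-ID meanings are assumptions (check your log header)."""
from collections import deque
from datetime import datetime, timedelta

# assumed audit-log event IDs; the header of DhcpSrvLog-*.log documents the real mapping
CONFLICT, SCOPE_FULL = "13", "14"
AUTH_FAILED, AUTH_STOPPED = "54", "56"

SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,05/14/01,08:02:11,Assign,10.1.1.50,ws12.corp.example,0050563A1B2C
11,05/14/01,08:05:40,Renew,10.1.1.51,ws13.corp.example,0050563A1B2D
13,05/14/01,08:06:02,Conflict,10.1.1.52,ws14.corp.example,0050563A1B2E
13,05/14/01,08:06:09,Conflict,10.1.1.53,ws15.corp.example,0050563A1B2F
13,05/14/01,08:06:15,Conflict,10.1.1.54,ws16.corp.example,0050563A1B30
14,05/14/01,08:07:00,Scope Full,10.1.1.0,,
13,05/14/01,09:30:00,Conflict,10.1.1.55,ws17.corp.example,0050563A1B31
54,05/14/01,10:00:00,Authorization failed,,,
"""

def parse_audit_log(text):
    """Return one dict per data row; the header and anything malformed are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        events.append({"id": parts[0], "desc": parts[3], "ip": parts[4], "host": parts[5], "mac": parts[6],
                       "time": datetime.strptime(parts[1] + " " + parts[2], "%m/%d/%y %H:%M:%S")})
    return events

def analyze(events, window=timedelta(seconds=60), threshold=3):
    """Return alert strings. A burst of conflicts inside `window` is the audit-log counterpart
    of a high Declines/Sec; an authorization failure means the server will stop serving."""
    alerts, recent = [], deque()
    for ev in events:
        if ev["id"] == CONFLICT:
            recent.append(ev)
            while recent and ev["time"] - recent[0]["time"] > window:
                recent.popleft()                      # slide the window
            if len(recent) >= threshold:
                ips = ", ".join(e["ip"] for e in recent)
                alerts.append("%d conflicts in %ds (%s): overlapping scope, static hosts inside the pool, "
                              "or a rogue DHCP server" % (len(recent), window.total_seconds(), ips))
                recent.clear()                        # one alert per burst
        elif ev["id"] == SCOPE_FULL:
            alerts.append("scope %s exhausted at %s: too few addresses for the clients, or address "
                          "starvation by a misbehaving client" % (ev["ip"], ev["time"]))
        elif ev["id"] in (AUTH_FAILED, AUTH_STOPPED):
            alerts.append("server not authorized in Active Directory at %s (event %s): it will stop "
                          "answering clients" % (ev["time"], ev["id"]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(parse_audit_log(SAMPLE_LOG)):
        print(alert)
```

The single conflict at 09:30 deliberately produces no alert: one conflict is routine (a laptop with a static address, for instance), a burst is not. Tune the window and threshold to the size of the scope.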

Support for SNMP and MIB

The DHCP server service supports the Simple Network Management Protocol (SNMP) and the DHCP
Management Information Base (MIB), which enables the DHCP server to deliver alerts and report statistics to
SNMP-enabled management systems (the Windows 2000 SNMP service must be installed for this).
Configuring, Managing, Monitoring, and
Troubleshooting Remote Access in a Windows 2000
Network Infrastructure
Configure and troubleshoot remote access

Remote Access Background

In Windows 2000, the Routing and Remote Access Service (RRAS) is installed automatically, though not
activated. This service includes the RAS (Remote Access Service) functionality available under Windows NT
4.0 as well as VPN (Virtual Private Networking) and other enhancements. Some of these enhancements are:

    l   Fewer reboots required during configuration
    l   L2TP and IPSec support
    l   NAT and ICS
    l   New authentication mechanisms: MS-CHAP v2, EAP, and RADIUS (IAS) as an authentication provider
    l   An integrated management front end: the Routing and Remote Access snap-in assists with the
        configuration and setup of parameters

When working with RRAS, you might find it helpful to keep in mind that all connections, including ones made
via modem, are treated like LAN connections. The advantage of this is that full Windows 2000 network
functionality is available to dial-in clients; the disadvantage is that this same functionality must be carefully
controlled, since a dial-in user who authenticates is, for most purposes, on your LAN.
RRAS supports these networking protocols: AppleTalk, IPX, NetBEUI, TCP/IP

It also supports these line protocols for asynchronous (serial) connections:

    l   SLIP (Serial Line Internet Protocol) – older, limited protocol for use only with legacy servers;
        Windows 2000 can dial out with SLIP but will not accept SLIP connections inbound. SLIP carries only
        IP and has no authentication or encryption of its own
    l   PPP (Point-to-Point Protocol) – enhancements over SLIP include: error detection (frame check
        sequence), compatibility with several authentication protocols, support for more protocols than just
        TCP/IP, and automatic session setup and disconnection. See RFC 1661.

Configure inbound connections


First of all, let’s address a couple of basic questions. How many inbound dial-up connections are permitted?
Windows 2000 Professional supports 1 while Windows 2000 Server supports 256.

What’s the best platform to house RRAS? A member server, not a domain controller. This is to limit the
potential damage a security breach or improper configuration of RRAS can cause on the network.

Remote access policies are used to allow or reject connection attempts. This is in addition to the method of
granting remote access to a single user account that Windows NT 4.0 RAS supported.

Enabling RRAS

Unlike most other Windows 2000 networking products, RRAS comes pre-installed; however, you must enable
it by performing the following:

    l   Run Start->Programs->Administrative Tools->Routing and Remote Access
    l   Right-click the server (or click Action on the menu) and select Configure and Enable Routing and
        Remote Access

You are then presented with these options for how you want RRAS to function:

  1.    Internet connection server – for NAT
  2.    Remote access server – for dial-in connections
  3.    Virtual private network (VPN) server
  4.    Network router
  5.    Manually configured server – allows you to set things up as you wish

The last step is to click Finish and Yes to start RRAS

RRAS Interface

In terms of Remote Access Logging, the system tracks client connection activity and logs it to the file

When you choose RADIUS as the Authentication and Accounting provider, Remote Access Policies and Remote
Access Logging disappear from this console and are then accessed from the Internet Authentication Service
console on the RADIUS server, not on the RAS server (which is then a RADIUS client).
Server Properties

The following tabs appear for a RRAS server’s properties:

    l   General
           ¡ Router
                 n LAN
                 n LAN and demand dial routing – If your clients only need to access the RRAS server, not
                   resources on the network, don’t enable the Router setting at all
           ¡ Remote access server

    l   Security – choose the Authentication Provider and the Accounting Provider (described later); each
        can be either Windows (the RRAS server itself) or RADIUS (an IAS or other RADIUS server)

    l   IP
           ¡ Enable IP routing – lets clients connect not just to this server but also to the attached network
           ¡ Allow IP based remote access and demand dial connections – allows IP based
             connections, and assigns IP addresses either from a static pool or from DHCP

    l   PPP
           ¡ Multilink Connections – used to aggregate modem or ISDN connections
           ¡ Link control protocol (LCP) extensions – enables Time-Remaining and Identification
             packets. See RFC 1570 for more details.
           ¡ Software compression – may provide slightly better performance thanks to compression
             provided by the Microsoft Point-to-Point Compression Protocol (MPPC)

    l   Event Logging
           ¡ Enable PPP Logging – enables/disables the logging of PPP negotiation errors and warnings

Inbound Connection Configuration

To set up an inbound connection, follow these steps:

    l   Open the Network and Dial-up Connections window (we’ve previously discussed different ways to
        get to this window)
    l   Double-click the Make New Connection icon
    l   If you haven’t already done this, you’re prompted to enter telephone location information
    l   From the Network Connection Wizard’s Network Connection Type dialog, choose “Accept incoming
        connections”
    l   Choose whether or not to support virtual private connections (these connections to your server via the
        Internet, or a direct cable connection, are an alternate way to make a connection, in addition to a
        modem)
    l   Choose which users may connect (those with disabled or locked out accounts are not eligible)
    l   Clicking Properties for a user and choosing the Callback tab allows you to choose one of the following:
            ¡ Do not allow callback
            ¡ Allow the caller to set the callback number
            ¡ Always use the following callback number (the most secure selection: the server hangs up and
              calls back only the preset number, so a stolen password alone does not get an attacker in from
              an arbitrary line)
    l   Choose the network components (e.g., Internet Protocol (TCP/IP), File and Printer Sharing for
        Microsoft Networks, Client for Microsoft Networks) that are available to the user after connection
    l   Name the connection
Create a remote access policy
A Remote Access Policy (see Operation Guide) defines a group of actions that can be undertaken for a user
or group of users who connect and who satisfy a list of requirements. Also, it is a good design idea to assign
remote access policies on a group basis. This way, instead of adjusting policies, you set your policies once
and then you just have to add or remove a user to a group in order to change whether or not a policy applies
to that particular user. Lastly, carefully plan your policies before implementing them: as with other technical
fields, the more work you put into the design, the easier the implementation.

Default Policy

The default policy, called Allow access if dial-in permission is enabled, applies to all users at all times and
denies remote access unless a particular user’s Dial-in property in Active Directory Users and Computers
is set to Allow access.

The other settings on the Dial-in tab: if you select Verify Caller-ID, realize that this requires caller-ID
hardware and a line that delivers the number. Apply Static Routes is associated with a user account that
exists on one server for the express purpose of making a demand-dial call to another server; the account’s
Dial-in property stores the static routes the connection needs at the other end of the demand-dial
connection.

Note: If there is no remote access policy, no users are allowed to connect, regardless of their Dial-in property.

Remote Access Policy Configuration
Follow these steps to create and configure a remote access policy:

    l   Run the Routing and Remote Access snap-in from Start ->Programs->Administrative Tools->Routing
        and Remote Access
    l   Double-click the server, right-click Remote Access Policies and click New Remote Access Policy
    l   Enter a friendly (i.e., descriptive) name for the policy. Consider placing the name of the group to which
        this policy applies in this field
    l   Click Add... and, in the Select Attribute dialog, choose a condition (attribute)
    l   Make subsequent selections based on your selected condition
    l   If you add another condition, realize that users must meet both or all conditions (like a logical AND)
    l   In the Add Remote Access Policy dialog, choose to either Grant or Deny remote access permission
    l   Make any necessary changes to the “Edit Dial-in Profile” dialog (these profile settings are discussed
        in the “Configure a remote access profile” section below)
Order that policies take effect

Within one policy, all conditions are ANDed together: the policy applies to a connection only if every
condition matches. If four conditions match and a fifth does not, that policy is skipped and the next policy
in the list is evaluated; if no policy matches at all, the connection is rejected.

When you have more than one policy, order matters because processing stops at the first policy whose
conditions all match: that policy’s Grant or Deny (or the user account’s Dial-in setting, which overrides
it) decides, and later policies are never consulted. Place the more specific policies higher in the list and
the broad ones lower, otherwise a general policy will capture connections a narrower one was meant to handle.
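An added example (not the page’s or Microsoft’s code) that models the evaluation order described above: policies are tried top to bottom, a policy applies only when every condition matches, the first applicable policy decides, the account’s Dial-in setting overrides the policy’s Grant/Deny unless it is set to control access through policy, and an empty policy list rejects everyone. The policies, groups, port types and connection attempts are constructed, and the last two cases show the ordering pitfall (a broad deny policy at the top lets nobody in) and the “no policy” case. Attribute names follow the RRAS condition names, but the matching rules are this example’s simplification and the profile is carried as a plain dictionary.

```python
"""Remote access policy evaluation as Windows 2000 RRAS/IAS does it: first policy whose conditions
ALL match decides; the account's Dial-in permission overrides the policy's Grant/Deny unless it is
'Control access through Remote Access Policy'. Added example with constructed policies and users."""
from dataclasses import dataclass, field
from datetime import datetime

ALLOW, DENY, VIA_POLICY = "Allow access", "Deny access", "Control access through Remote Access Policy"

@dataclass
class Policy:
    name: str
    conditions: dict                                # attribute -> acceptable values (see condition_matches)
    grant: bool                                     # Grant vs Deny remote access permission
    profile: dict = field(default_factory=dict)     # Edit Dial-in Profile settings, applied after a grant

def condition_matches(attr, wanted, request):
    have = request.get(attr)
    if have is None:
        return False
    if attr == "Day-And-Time-Restrictions":         # wanted: [(weekday 0=Mon, first_hour, last_hour+1), ...]
        return any(have.weekday() == d and lo <= have.hour < hi for d, lo, hi in wanted)
    if attr == "Windows-Groups":                    # membership in any one listed group is enough
        return bool(set(have) & set(wanted))
    return have in wanted                           # NAS-Port-Type, Called-Station-Id, ...

def policy_applies(policy, request):
    """All conditions must match (logical AND); a policy with one failing condition is skipped."""
    return all(condition_matches(a, v, request) for a, v in policy.conditions.items())

def evaluate(policies, request, dialin_permission=VIA_POLICY):
    """Return (granted, deciding policy or reason, profile to apply)."""
    if not policies:
        return False, "no remote access policy exists", {}
    for policy in policies:                         # first match wins; later policies are never consulted
        if not policy_applies(policy, request):
            continue
        if dialin_permission == ALLOW:
            granted = True
        elif dialin_permission == DENY:
            granted = False
        else:
            granted = policy.grant
        return granted, policy.name, (policy.profile if granted else {})
    return False, "no policy matched", {}

def demo():
    vpn_admins = Policy("VPN admins",
                        {"Windows-Groups": {"CORP\\RAS-Admins"}, "NAS-Port-Type": {"Virtual (VPN)"}},
                        grant=True, profile={"encryption": "Strong", "idle_timeout_min": 30})
    staff_hours = Policy("Dial-in staff, office hours",
                         {"Windows-Groups": {"CORP\\RAS-Users"}, "NAS-Port-Type": {"Async (Modem)"},
                          "Day-And-Time-Restrictions": [(d, 8, 18) for d in range(5)]},   # Mon-Fri 08-18
                         grant=True, profile={"max_session_min": 120, "idle_timeout_min": 10})
    deny_rest = Policy("Deny everyone else",
                       {"Day-And-Time-Restrictions": [(d, 0, 24) for d in range(7)]}, grant=False)
    ordered = [vpn_admins, staff_hours, deny_rest]
    admin_vpn = {"Windows-Groups": {"CORP\\RAS-Admins", "CORP\\Domain Users"},
                 "NAS-Port-Type": "Virtual (VPN)", "Day-And-Time-Restrictions": datetime(2001, 5, 19, 23, 0)}
    staff_day = {"Windows-Groups": {"CORP\\RAS-Users"}, "NAS-Port-Type": "Async (Modem)",
                 "Day-And-Time-Restrictions": datetime(2001, 5, 15, 10, 0)}            # a Tuesday, 10:00
    staff_night = {**staff_day, "Day-And-Time-Restrictions": datetime(2001, 5, 15, 22, 0)}
    return {
        "admin_vpn": evaluate(ordered, admin_vpn),
        "staff_day": evaluate(ordered, staff_day),
        "staff_night": evaluate(ordered, staff_night),                 # falls through to the deny policy
        "admin_account_denied": evaluate(ordered, admin_vpn, DENY),    # account Deny beats the policy's Grant
        "misordered": evaluate([deny_rest] + ordered[:2], admin_vpn),  # broad deny first: nobody gets in
        "no_policies": evaluate([], admin_vpn, ALLOW),                 # Allow on the account is not enough
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The “misordered” case is the one to remember: the deny policy has a single always-true condition, so placed first it matches every connection and the administrators’ policy below it is never reached.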

Configure a remote access profile

A profile does not trigger until a user meets the profile’s associated policy conditions. The profile controls how
the user’s connection is handled after a policy grants the connection to take place. In fact, Remote Access
Dial-in Profiles can be configured and govern security in much the same way group policies do.
To access the Edit Dial-in Profile page, where you are able to configure a remote access profile, run the
Routing and Remote Access snap-in, right-click the appropriate remote access policy, click Properties and
then click Edit Profile... . You are presented with six tabs that are described below.

A Remote Access Dial-in Profile allows you to define the following, which correspond to the six tabs
mentioned above:

    l   Dial-in Constraints – has settings that specify the number of minutes that can elapse before
        disconnecting an idle session; the maximum number of minutes a connection is allowed; and
        connection restrictions based on days and times, dial-in numbers and dial-in media (e.g., ADSL,
        Ethernet, IDSL)
    l   IP – controls IP address assignment for the connection (server must supply, client may request, or
        server settings decide) and holds the IP packet filters:
            ¡ “From client...” (input) and “To client...” (output) open the filter list for each direction
            ¡ Clicking Add... produces a dialog which lets you permit or deny traffic at a very granular level:
              by source and destination network, protocol (TCP, UDP, ICMP, ...) and source or destination
              port. Filters are the main tool for restricting an authenticated dial-in user to the few servers
              and ports that user actually needs
    l   Multilink – Multilinking is the ability to combine more than one phone line for higher throughput (KB#
            ¡ BAP (Bandwidth Allocation Protocol) is a PPP protocol that allows the automatic releasing of
              a phone line when a predetermined amount of capacity is no longer being used, thus freeing the
              line up for another connection. Settings include the percent of capacity that a connection must
              be under and the number of minutes that this condition must exist for before one of the
              multilink lines is dropped.
    l   Authentication – This tab, described in more detail in the “Configure authentication protocols” section,
        is where you choose the connection’s authentication method and where you can allow PPP clients to
        connect without an authentication method (a low security choice)
    l   Encryption – There are three choices:

  1. No Encryption
  2. Basic
  3. Strong

    l   Advanced – Used to add connection attributes when using RADIUS (Remote Authentication Dial-In
        User Service). With RADIUS, all authentication requests received by the RAS server (acting as a
        RADIUS client) are forwarded to a RADIUS server for approval/denial. RADIUS is an open standard
        defined by RFCs 2138, 2139, and 2548. (See the “Radius Authentication” section.)

Common TCP ports:

    Port    Service
    20      FTP (data)
    21      FTP (control)
    23      Telnet
    25      SMTP
    80      HTTP
    110     POP3
    119     NNTP
    139     NetBIOS session service
    143     IMAP

Common UDP ports:

    Port    Service
    53      DNS (DNS also uses TCP 53 for zone transfers and responses too large for UDP)
    69      TFTP
    137     NetBIOS name service
    161     SNMP
    520     RIP

Common IP protocol numbers:

    Number  Protocol
    1       ICMP
    2       IGMP
    6       TCP
    7       CBT

Configure a virtual private network (VPN)
A Virtual Private Network (VPN) is an extension of the physical network. Rather than restricting the network to
local cabling, it uses the Internet as a segment backbone. The obvious pro is the cost savings of using an
existing, publicly accessible data pipe while two cons are the risk associated with sending private information
over a public medium, and the reliance on a medium that may, at times, be bogged down because of heavy
Internet traffic.

VPN Encryption

Windows 2000 offers two tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling
Protocol (L2TP). PPTP encrypts the tunnelled PPP frames itself with Microsoft Point-to-Point Encryption
(MPPE). L2TP has no encryption of its own; it only sets up the tunnel, and relies on IPSec (IP Security
Protocol, ESP in transport mode) to encrypt and integrity-protect the packets between the two nodes. By
default, Windows 2000 L2TP/IPSec authenticates the two computers to each other with digital (computer)
certificates during the IKE negotiation. (KB# Q240262, Q265112)

The following table compares L2TP/IPSec and PPTP:

    L2TP/IPSec                                           PPTP
    Standards-based (RFCs 2661 and 2401)                 Microsoft-originated (RFC 2637, informational)
    Has header compression                               Has no header compression
    DES / 3DES encryption (IPSec)                        Built-in MPPE encryption (RC4-based, Microsoft)
    Supports Windows 2000, Linux, Solaris and others     Supports Windows and Linux
    Requires only packet-oriented point-to-point         Requires an IP-based internetwork
    connectivity (this includes X.25 and frame relay)
    Computer authentication via IPSec (certificates)     PPP user authentication only; the MPPE keys are
    plus PPP user authentication                         derived from the MS-CHAP exchange
    Not compatible with NAT (ESP hides the ports a       Compatible with NAT (the NAT must understand
    NAT needs to rewrite)                                GRE, IP protocol 47)

Macintosh clients of this era have no built-in IPSec or PPTP client, so the only option for them is to use
Secure Sockets Layer (SSL) over an HTTP connection.

TechNet: Windows 2000-Based Virtual Private Networking: Supporting VPN Interoperability

Setting up a Virtual Private Network

From the Routing and Remote Access snap-in, open the Ports folder. By default, there are five PPTP and
five L2TP ports. This can be adjusted.

Right-click Ports and choose Properties. You should see the possible ports, including:

    l   WAN Miniport (PPTP)
    l   WAN Miniport (L2TP)
    l   Direct Parallel
    l   <vendor> modem (this automatically appears if you had a modem connected to the server when RRAS
        was configured and enabled)

By selecting one of these and clicking “Configure...”, you have the option to configure the device to:

    l   Accept Remote access connections (inbound only)
    l   Accept Demand-dial routing connections (inbound and outbound)
    l   Have a phone number associated with the device (used in concert with a Call-Station-ID condition, and
        not needed when using caller-id hardware)

Configure multilink connections
Before enabling Multilink, there are two prerequisites:

  1. You need more than one modem
  2. You need a configured incoming remote access connection

To enable Multilink, call up the Network and Dial-up Connections window, get the Properties for the
Incoming Connections icon and check Enable multilink. The next time a user connects to your server with
two modems, the user will have access to more bandwidth thanks to an aggregated connection.

Configure Routing and Remote Access for DHCP Integration
RRAS, when integrated with DHCP, obtains 10 IP addresses at a time from the DHCP server (the first one it
keeps for its own Internal interface) and hands the rest to connecting clients. When the latest batch of 10
addresses is used up, another batch of 10 is obtained. The DHCP service can be running on another server or
on the same server that is hosting RRAS.
To configure how RRAS dishes out addresses, run Routing and Remote Access, right-click on the server,
and select Properties. Click on the IP tab. In the IP address assignment section of the dialog choose to
either assign addresses from DHCP or to use a static address pool. If you choose the latter, you must define
your address pool.

The top half of the dialog has two check boxes:

  1. Enable IP Routing
  2. Allow IP-based remote access and demand-dial connections

DHCP Relay Agent

In the case that dial-in clients are on a different network segment than the DHCP server you have to set up a
DHCP Relay Agent so that the clients can find the DHCP server. To do this, from within the Routing and
Remote Access snap-in, right-click the DHCP Relay Agent item under IP Routing and choose New
Interface.... Select Local Area Connection and check the Relay DHCP packets checkbox. Next, again
right-click the DHCP Relay Agent item and choose Properties. Enter the IP address of the DHCP server. The
main reason to set up a DHCP Relay Agent is that it lets DHCP scope options (DNS and WINS servers, for
example) reach RAS clients; without it, RRAS passes the clients only an address. One scope option you will
likely want to set for a dial-up environment is a shorter DHCP lease time: most dial-up connections are brief,
so an excessively long lease only ties up addresses.

Manage and monitor remote access
Monitoring remote access is done through counters of the RAS object in the Performance console. Keep in
mind that selecting a RAS Port shows statistics for just one port while selecting RAS Total shows cumulative
results for all the ports. Some of the counters track bytes and frames received and transmitted per second.
Others track compression percentages and errors.

The Routing and Remote Access program also provides statistical information on a port basis. After running
the program, select Ports in the left pane and then right-click a particular port in the right pane. Click Status.
Configure remote access security
To configure remote access authentication, run the Routing and Remote Access snap-in. Open the
Properties for the server and click on the Security tab. See the next section for possible Authentication

By default, the Authentication provider is Windows Authentication, but it can be changed to RADIUS
authentication; Microsoft's RADIUS server for Windows 2000 is the Internet Authentication Service (IAS). IAS is used for centralized
administration, enforcement, and accounting of access policies. It works with PAP, CHAP, MS-CHAP, and

IAS has these benefits:

    l   Centralized auditing
    l   Ability to scale systems for growing demand
    l   Remote monitoring of usage patterns
    l   A graphical interface, through an MMC snap-in, for configuration

When a RADIUS server is implemented, it can handle the authentication (user names and passwords) and
accounting (user connection activity) for one or more RADIUS clients (e.g., Windows 2000 RRAS servers,
Novell client, Cisco device). This way, authentication and accounting management are centralized.

RADIUS Authentication

To configure RADIUS authentication, click Authentication followed by Configure... and Add... from the
Security tab on the Properties dialog of the Routing and Remote Access snap-in, to access these options:
    l   Secret is the shared secret text string. Both the RADIUS server and RADIUS client must hold the same
        value; it authenticates every RADIUS packet between them and is the only thing hiding user passwords
        in transit, so use a long random string and never reuse it across clients. Initial Score is a relative
        rating for the responsiveness of the server and defaults to 30

RADIUS Accounting

To configure RADIUS accounting, click Accounting followed by Configure... and Add....

The options are the same as those listed for RADIUS Authentication except for Port and the last item. The
Port is 1813 and the checkbox item reads “Send RADIUS Accounting On and Accounting Off messages
from a RAS server”.

Internet Authentication Service

To install IAS, run Add/Remove Programs and select Add/Remove Windows Components -> Networking
Services -> Details -> Internet Authentication Service. This results in the following new shortcut under
Programs -> Administrative Tools -> Internet Authentication Service .

The IAS snap-in has one major item, Internet Authentication Service (local). Before IAS is functional, it must
be registered in Active Directory by right-clicking on the Internet Authentication Service (local) item and
selecting Register Service in Active Directory. This step adds the server's computer account to the RAS and
IAS Servers security group, which grants it read access to users' dial-in properties. There are also three sub-items:

    l   Clients – This is where the RADIUS clients (the RRAS servers and other access devices that forward
        authentication requests to IAS) are recorded. Right-clicking on this and choosing New Client
        allows the entry of these fields:
            ¡ Friendly Name, Protocol (RADIUS), Client address (IP address or FQDN), Client vendor (for
               a Windows 2000 server, replace “RADIUS Standard” with Microsoft), Client must always
               send the signature attribute in the request (requires every request from this client to carry a
               Message-Authenticator, so a request forged from the client's IP address without the secret is
               rejected), and the shared secret, which must match the one entered on the corresponding RRAS server
    l   Remote Access Logging – This defines what is logged. Double-clicking on Local File (Logging
        Method), to the right of the Remote Access Logging, provides these choices:
            ¡ Settings tab:

                   n Accounting requests

                   n Authentication requests
                   n Periodic status
            ¡ Local File tab:
                n Database compatible file format – ODBC compliant
                n IAS format

    l   Remote Access Policies – Already described in the “Remote Access Policy Configuration” section
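To make concrete what the shared secret and the signature (Message-Authenticator) attribute actually do between an RRAS server and IAS, here is an added Python example; it is not part of the original Cramsession and not Microsoft code. It builds a minimal RADIUS Access-Request carrying a Message-Authenticator (RFC 2869), verifies it the way the RADIUS server does, computes and checks the Response Authenticator of the Access-Accept (RFC 2865), and shows how a PAP User-Password is hidden with the shared secret. The secret, user name, packet identifier and Request Authenticator are made-up values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; a real client picks a random Request Authenticator per request.
SHARED_SECRET = b"example-secret"


def build_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLV attributes: Type, Length (incl. 2 header bytes), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def access_request(identifier, request_auth, user_name, secret):
    """Access-Request (Code 1) with User-Name (type 1) and Message-Authenticator (type 80).
    The MAC is HMAC-MD5 over the whole packet with the attribute's value set to 16 zero bytes."""
    body = build_attributes([(1, user_name), (80, bytes(16))])
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute; fill in its value


def verify_message_authenticator(pkt, secret):
    """Server side: locate type 80, recompute the HMAC with that value zeroed, compare in constant time."""
    offset = 20
    while offset + 2 <= len(pkt):
        t, length = pkt[offset], pkt[offset + 1]
        if length < 2:
            return False
        if t == 80:
            if length != 18:
                return False
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[offset + 2:offset + 18])
        offset += length
    return False  # no signature attribute: reject when the client is configured to always send one


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(identifier, request_auth, secret, attrs=b""):
    """Access-Accept (Code 2) echoing the request's identifier, authenticated with the secret."""
    auth = response_authenticator(2, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", 2, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(reply, request_auth, secret):
    """Client side: an Access-Accept forged by someone without the secret fails this check."""
    code, identifier, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def hide_user_password(password, request_auth, secret):
    """RFC 2865 s.5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block),
    using the Request Authenticator for the first block. Anyone holding the secret reverses this."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden, request_auth, secret):
    """What the RADIUS server (or anyone who learned the secret) does to recover the PAP password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, pad)), block
    return out.rstrip(b"\x00")
```

The password hiding is the reason the page's advice on the secret matters: it is not encryption in any modern sense, so a weak or shared-everywhere secret exposes every PAP password that crosses the RADIUS link; MS-CHAP over RADIUS avoids sending the password at all.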

Configure authentication protocols
Authentication can be accomplished through the use of the following, which may be used in conjunction with
one another (KB #Q227815):

    l   EAP - Extensible Authentication Protocol - the client and the server negotiate the authentication
        method that will be used rather than having it fixed in advance. EAP extends PPP (it is not tied to
        PPTP) and is the method used for certificate and smart-card logon (EAP-TLS). Possible choices include:
             ¡ One-time passwords

             ¡ Certificates

             ¡ Smart cards
             ¡ Access tokens

    l   MS-CHAP v2 - Microsoft Challenge Handshake Authentication Protocol version 2 - requires the client to
        be a Microsoft operating system that supports version 2; version 1 is also spoken by a small handful of
        other compatible OSes. Features include:
             ¡ Separate cryptographic keys for sent and received data
             ¡ Mutual authentication (the client verifies the server's answer as well, so a rogue server cannot
               harvest responses)
             ¡ Stronger initial data-encryption keys, derived from the password and both challenges

    l   MS-CHAP - Microsoft Challenge Handshake Authentication Protocol - one step above PAP in that the
        password never crosses the wire; the client answers a challenge with a hash derived from it. This protocol
        was designed specifically for Windows operating systems; prefer MS-CHAP v2 wherever clients support it.
    l   CHAP - Challenge Handshake Authentication Protocol – challenge-response authentication that relies on
        MD5 (Message Digest 5) hashing. The password is not sent, but the server must be able to compute the
        expected response, which is why Windows 2000 requires the account's password to be stored with
        reversible encryption for CHAP clients.
    l   SPAP - Shiva Password Authentication Protocol - a shade above PAP (the password is obscured with a
        reversible scheme, not hashed), it is available for backward compatibility and is not favored for new
        installations. It is meant for environments that have a Shiva client or server and a corresponding
        Windows 2000 server or client.
    l   PAP - Password Authentication Protocol - sends the user name and password as unencrypted plain text
        and should only be used if the clients you support cannot handle anything else.

To configure these click Authentication Methods... from the Properties dialog as described in the above
“Configure remote access security” section.
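The difference between PAP and CHAP is easiest to see on the wire. The following Python example is added here (it is not from the Cramsession or from Windows) and uses a constructed challenge, secret and wordlist. It builds CHAP Challenge and Response packets as RFC 1994 lays them out, verifies the response the way the server does, then shows what an eavesdropper gets from the captured pair compared with what the same eavesdropper gets from a PAP Authenticate-Request. MS-CHAP uses a different hash but has the same challenge/response shape and the same exposure to offline guessing.

```python
import hashlib
import hmac
import struct


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_packet(code, identifier, value, name):
    """CHAP Challenge (code 1) or Response (code 2): Code, ID, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap(pkt):
    """Return (code, identifier, value, name) from a CHAP packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    return code, identifier, pkt[5:5 + size], pkt[5 + size:length]


def server_verify(identifier, challenge, response, stored_secret):
    """The server needs the secret itself (not a one-way hash of it) to recompute the response,
    which is why Windows requires 'store password using reversible encryption' for CHAP accounts."""
    return hmac.compare_digest(chap_response(identifier, stored_secret, challenge), response)


def offline_guess(identifier, challenge, response, wordlist):
    """What an eavesdropper can do with one captured Challenge/Response pair: every guess is checked
    locally, so account lockout never triggers and the only defence is password strength."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def pap_authenticate_request(identifier, peer_id, password):
    """RFC 1334 PAP Authenticate-Request: Code 1, ID, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def pap_credentials(pkt):
    """What a sniffer sees with PAP: both fields in plain text, no guessing required."""
    peer_len = pkt[4]
    peer_id = pkt[5:5 + peer_len]
    pw_len = pkt[5 + peer_len]
    password = pkt[6 + peer_len:6 + peer_len + pw_len]
    return peer_id, password


def capture_and_crack(challenge_pkt, response_pkt, wordlist):
    """Pair a sniffed Challenge with its Response by identifier and run the offline guess."""
    _, cid, challenge, _ = parse_chap(challenge_pkt)
    _, rid, response, _ = parse_chap(response_pkt)
    if cid != rid:
        return None
    return offline_guess(cid, challenge, response, wordlist)
```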

Configure encryption protocols
Windows 2000 has two main encryption protocols that are used with the Virtual Private Network:

    l   MPPE (Microsoft Point-to-Point Encryption) - used with PPTP (Point-to-Point Tunneling Protocol).
        Although Microsoft and other vendors developed MPPE, it has not been widely adopted by most of the
        Internet community. MPPE can use 40-bit, 56-bit, and 128-bit (North America only) RC4 encryption. It is
        available only when using MS-CHAP, MS-CHAP v2 or EAP-TLS authentication, because its session keys
        are derived from those authentication exchanges. This relationship explains why you should use
        MS-CHAP (preferably v2) with PPTP
    l   IPSec - an open protocol suite that works with L2TP, encrypting the whole PPP payload (user names,
        passwords, and data) with ESP.

Installing, Configuring, Managing, Monitoring, and
Troubleshooting Network Protocols in a Windows 2000
Network Infrastructure

In addition to the prevalent TCP/IP networking protocol, Windows 2000 works with and integrates with several
other popular protocols.

Install and configure TCP/IP
Since so many of the features of Windows 2000 are dependent upon TCP/IP, Windows 2000 installs this
protocol by default. In addition to TCP/IP, you can also install other protocols for compatibility with other
operating systems, and other services as needed.

TCP/IP Basics

For resources on TCP/IP basics, such as binary math, IP address definition, IP address classes, default
gateway and other related topics, please refer to these Cramsessions:

    l   Microsoft TCP/IP
    l   Novell Netware TCP/IP
    l   CIW Internetworking Professional
    l   CompTIA I-Net+


A subnet mask is the method TCP/IP uses to divide the network portion of an IP address from the host
portion. A subnet is a portion of a TCP/IP network that reaches other subnets via routers. A shorthand way
to describe a subnet mask is to append a slash (“/”) after the IP address followed by the number of bits of
the address that belong to the network portion. For example, the address
represents an IP address of that has a subnet mask of The “/8” is read as “slash 8”
and this way of writing the mask is called CIDR (“classless”) notation.

Legacy networking hardware and software prevent the use of the all-zeros and all-ones subnets (the first and
last subnet of a subnetted classful network). With recent hardware, whether those two subnets can be used
depends on the routing protocol in use.
Here are links on the basics of IP addressing and subnetting. These, and many other useful articles, are
located in the IT Resources section of,, under Tech Library -
> Articles -> Networking.

    l   Learn to Subnet - Part 1
    l   Learn to Subnet - Part 2
    l   Quick and Dirty Subnetting

Here are some other helpful links:

    l   Understanding IP Addressing: Everything You Ever Wanted To Know - By Chuck Semeria
    l   ITPRC TCP/IP


A Windows 2000 computer needs these three items before it can properly communicate on a TCP/IP network:
IP address, subnet mask and default gateway.

By default, TCP/IP is installed when you install Windows 2000. If it was removed, you can reinstall it by
following these steps:

    l   Run Network and Dial-up Connections from the Control Panel
    l   Double-click Local Area Connection and click Properties
    l   Click Install..., select Protocol and select Internet Protocol (TCP/IP) and click OK

There are two ways to configure TCP/IP: using DHCP, the recommended solution for clients, or manually
assigning TCP/IP settings. The manual option is for a server that runs software such as WINS, DNS, or
DHCP, which requires a static IP address.

To configure TCP/IP, run Network and Dial-up Connections, double-click Local Area Connection, select
Properties, choose the General tab and click Properties for the Internet Protocol (TCP/IP) item. This dialog
allows you to either automatically receive or manually set these items: IP address, subnet mask, default
gateway and preferred and alternate DNS servers.

The Advanced... tab provides access to these items: IP addresses, default gateways and interface metric,
DNS suffix and registration settings, WINS settings and IP Security and TCP/IP filtering options.


Classless Inter-Domain Routing is a method that allows us to use a single IP address and subnet to reference
a group of addresses. The address is called “Classless” because it ignores the “Classful” conventions that
employ three classes of addresses: Class A, B and C, which state that the first 8 bits of a Class A address
reference the network, the first 16 bits of a Class B address reference the network and the first 24 bits of a
Class C address reference the network.

With CIDR, anywhere from 13 to 27 bits of an IP address can refer to the network segment while the remaining
bits refer to the host portion. In the case of 27 bits, 5 bits are left for hosts, which gives a network segment
with 2^(32-27) - 2 = 30 usable hosts (the two subtracted addresses are the network and broadcast addresses).

These are the major benefits to CIDR:

    l   Fewer entries are needed in routing tables since several contiguous network segments can be “rolled
        up” or aggregated into one IP address
    l   CIDR makes more IP addresses available. By ignoring the rigid rules of “classful” addressing, different
        combinations of network segment / host number pairings are possible

A CIDR address uses notation of the form w.x.y.z/s, as in 192.168.0.0/20, where the "/20" indicates the
number of bits that mask off the “network” portion of the address. Note in this example that the subnet
mask is shorter than the /24 of the standard “classful” Class C address, so the single entry covers sixteen
Class C networks (192.168.0.0 through 192.168.15.0). Note also that the network address must have all host
bits zero: 192.168.8.0/20 is not a valid network, because the /20 boundaries fall at 192.168.0.0 and 192.168.16.0.

CIDR is used primarily to optimize routing tables. Let ’s assume that 4 contiguous Class C networks, to, are reachable via a single router. Instead of having 4 routing table entries
to describe the route to these networks, we can use one routing table entry to specify an interface to use to
reach the networks described by a single summarized entry of In large, enterprise-wide
configurations, proper planning of IP address space to allow the use of CIDR blocks can result in significant
savings of resources used to maintain routing tables.

Variable Length Subnet Mask helps large organizations to better allocate the IP address space. VLSM,
which is closely related to CIDR, allows various subnetworks to have different subnet masks. By properly
designing your IP address space, subnet masks with fewer bits assigned to a network address can be used to
summarize or aggregate subnet masks with more bits assigned to the network address. This results in routers
having smaller route tables.

Note: The RIP Version 2 and OSPF routing protocols support both CIDR and VLSM. RIP Version 1 does not.
For an excellent source of further information on CIDR and VLSM, please see “Understanding IP Addressing:
Everything You Always Wanted to Know” by Chuck Semeria.
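Both CIDR aggregation and VLSM allocation come down to a few bit operations that are easy to get wrong by hand. The following Python example is added here (it is not from the Cramsession or from Semeria's paper) and uses only the standard `ipaddress` module: it computes usable hosts for a prefix, checks that a CIDR network is on a valid boundary, finds the smallest summary route for a set of networks and reports whether the summary over-covers, and carves a block into variably sized subnets in the usual largest-first order. The networks and host counts are made-up inputs.

```python
import ipaddress


def hosts_for_prefix(prefix_len):
    """Usable IPv4 hosts on a prefix: 2^(32 - prefix) minus the network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2


def is_valid_network(cidr):
    """True only if every host bit is zero (strict parsing), e.g. 192.168.8.0/20 is not a network."""
    try:
        ipaddress.ip_network(cidr)  # strict=True by default
        return True
    except ValueError:
        return False


def summary_route(networks):
    """Smallest single prefix that covers all the given (non-overlapping) networks.
    Returns (summary, exact); exact is False when the summary also covers space not in the input,
    which is the case to watch for when you advertise the aggregate to other routers."""
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    lo = int(nets[0].network_address)
    hi = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):  # longest prefix first, so the first hit is the tightest cover
        cand = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False)
        if int(cand.broadcast_address) >= hi:
            exact = cand.num_addresses == sum(n.num_addresses for n in nets)
            return str(cand), exact


def prefix_for_hosts(need):
    """Longest prefix whose usable host count is at least `need`."""
    prefix = 30
    while hosts_for_prefix(prefix) < need:
        prefix -= 1
    return prefix


def vlsm_plan(block, host_counts):
    """Carve `block` into one subnet per host requirement, largest first, always taking the lowest
    free space that fits. Returns [(hosts_needed, subnet), ...] in allocation order."""
    free = [ipaddress.ip_network(block)]
    plan = []
    for need in sorted(host_counts, reverse=True):
        prefix = prefix_for_hosts(need)
        for blk in sorted(free):
            if blk.prefixlen <= prefix:  # this free block is big enough to hold a /prefix
                free.remove(blk)
                sub = blk if prefix == blk.prefixlen else next(blk.subnets(new_prefix=prefix))
                if sub != blk:
                    free.extend(blk.address_exclude(sub))  # return the leftovers to the free list
                plan.append((need, sub))
                break
        else:
            raise ValueError(f"no room for {need} hosts in {block}")
    return plan
```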

Install the NWLink protocol


Windows 2000 NetWare integration uses the NWLink protocol (KB# Q203051) for IPX/SPX-compatibility. This
allows Windows 2000 systems to communicate with NetWare servers that do not use TCP/IP. Because
Netware uses the NCP protocol while Windows uses the SMB/CIFS protocol, these two platforms are unable
to share files without special configuration. Although a Windows 2000 system can communicate with a
Netware server running a client/server application and a Netware server can communicate with a Windows
2000 client/server application, compatibility issues crop up when dealing with file and print services.

In addition to NWLink, these services enhance connectivity with NetWare:

    l   Client Services for NetWare (CSNW) – enables Windows 2000 clients to connect directly to NetWare
        shares, without needing a native Netware client
    l   Gateway Services for NetWare (GSNW) – enables Windows 2000 clients to connect to Netware
        shares via a gateway set up on a Windows 2000 server, without needing a native Netware client. If
        several clients use this method to access Netware data, consider using CSNW or adding the native
        NetWare client, Client 32. Otherwise, the GSNW may become a bottleneck
    l   File and Print Services for NetWare (FPNW) – allows NetWare computers to access Windows 2000
        network shares. In addition, the Microsoft Directory Synchronization Services (including the
        Directory Service Manager for Netware and the Directory Service Migration Utility) and the File
        Migration Utility (FMU) help to synchronize Active Directory with NDS as well as migrate from NDS to
        Active Directory and migrate a Netware file system to Windows 2000

The first two products ship with Windows 2000, while FPNW does not.

Installing NWLink

This routable protocol is installed via Network and Dial-up Connections -> Properties of the Local Area
Connection -> Install -> Protocol -> NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
Configuring NWLink

You configure NWLink via Network and Dial-up Connections -> Properties for the relevant connection ->
General tab -> Properties for the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.

Configuration options include the Internal network number and frame type (Auto Detect, or Ethernet 802.2,
802.3, II, or SNAP). If you choose a frame type that does not match that of the NetWare server, your improperly
configured device will not be able to talk to the NetWare server. Auto Detect settles on 802.2 when more than
one frame type is seen on the wire, so set the frame type explicitly on mixed segments.

Installing and Configuring Gateway Services for NetWare

Items required to enable GSNW include, the same account on both Windows 2000 and Netware, rights
assignment on a Netware folder (be careful not to make these rights too tight as the permissions provided by
Windows 2000 to this share will be limited by how restrictive the NetWare rights are), and an NTGATEWAY
group on Netware server (to house the shared account).

You install GSNW via the Properties of the Network and Dial-up Connections. This requires a reboot.

GSNW is configured via the GSNW icon in the Control Panel . Configuration options include, a Preferred
Server (for pre NetWare 4.X servers) or a Default Tree and Context (for NetWare 4.X and higher), whether
or not to Run a Login Script, Print Options and a connection to the Netware shared folder.

Configure network bindings

Network Bindings represent the order in which protocols are tried as clients and servers attempt to
communicate. Communication will be tried in the binding order until a common protocol is found between both
the client and server.

There are two types of objects, or providers, that relate to bindings:

  1. Network – e.g., Microsoft Windows Network, Gateway Services for NetWare
  2. Printer – e.g., LanMan Print Services, HTTP Print Services

For optimization purposes, keep these recommendations in mind:

    l   The binding order should be from the most often used protocol to the least, so that a common
        language can quickly be found
    l   Unneeded protocols should be removed to reduce needless traffic

You set the provider order via Network and Dial-up Connections -> Advanced menu -> Advanced
Settings... -> Provider Order tab.

To set protocol binding ordering, follow the above steps except choose the Adapters and Bindings tab
instead of the Provider Order tab.

Configure and troubleshoot network protocol security
Technologies that provide network protocol security in a Windows 2000 environment include:

    l   IPSec, which protects data communication between devices on a network
    l   PPTP and L2TP which help secure a VPN connection
    l   Proxy servers – see our ISA Server 2000 Cramsession
    l   Devices which stand between dial-in clients and a network, such as RADIUS servers and smart card
    l   Kerberos V5 - (KB# Q217098)

Manage and monitor network traffic


Two of the largest contributors to network traffic are the number of hosts on the network and the number of
services provided by network servers. Other culprits are protocols and network shares. Thus, the easiest way
to reduce traffic is to remove any of the above items that are not necessary. Also, consider segmenting your

Network Monitor

Keep in mind that the Network Monitor product that comes bundled with Windows 2000 is a limited edition
that captures only frames sent to or from the local host (plus broadcasts and multicasts), not all frames
present on the network segment. The full version of Network Monitor comes with Microsoft’s SMS product.
(See SMS 2.0 Cramsession for more information on the full Network Monitor product.)

Network Monitor has two components that enable it to capture and analyze data packets:

    l   Network Monitor – the GUI tool that captures and analyzes the data
    l   Network Monitor Driver – this is installed, along with Network Monitor, on a server. You may want to
        install just this driver on a client so that the SMS version of Network Monitor can monitor the client

Network Monitor Installation

This is installed via Add/Remove Windows Components -> Management and Monitoring Tools ->
Network Monitor Tools.

Network Monitor Driver Installation

To install this select Network and Dial-up Connections -> Properties for the Local Area Connection ->
Install -> Protocol -> Add -> Network Monitor Driver.

Capturing Data

Refer to this Microsoft Knowledge Base article for details on how to capture data. (KB# Q148942)

Being able to capture data, analyze the results, and optionally save the results to a file is important. However,
of even more importance is the discipline to create a baseline of captured data on a regular basis. It is the
comparison of a data capture to the baseline that will likely help you most in troubleshooting a problem.

Configure and troubleshoot IPSec


IPSec (see the Step-by-Step Guide to Internet Protocol Security) secures private data transmissions across
an IP network and does so in such a way as to be transparent to users.

IPSec uses Kerberos V5 as its default method for authentication but also supports pre-shared keys and public
key certificates (X.509). No data exchange is allowed until both communicating computers authenticate with
each other; note that this authenticates the computers, not the logged-on users. IPSec performs the encryption for L2TP.
IPSec Header

IPSec protects each packet with one or both of two protocols, each of which adds its own header:

     l   Authentication Header (AH) – protects the packet, including the IP header fields that do not change in
         transit, with a keyed hash, HMAC-MD5 or HMAC-SHA-1 (SHA-1 produces a longer digest than MD5).
         This provides three functions: authentication of the sender, data integrity (any modification is
         detected) and prevention of replay (a sequence number in the header lets the receiver reject a packet
         it has already seen). AH encrypts nothing.
     l   Encapsulating Security Payload (ESP) – provides confidentiality by encrypting the payload (DES or
         3DES in Windows 2000) and can also provide integrity, authentication and replay protection for the
         payload, though not for the outer IP header.
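To show what the AH integrity check and the replay sequence number buy you, here is an added Python example that is not part of the Cramsession and is not Microsoft's IPSec implementation. It uses a simplified AH-style header (SPI, sequence number and a 96-bit HMAC-SHA-1 ICV, omitting the Next Header, Payload Length and Reserved fields) and implements the receiver's 64-packet sliding anti-replay window in the order the standard prescribes: cheap window check first, then the HMAC, and only then update the window. The key, SPI and payloads are constructed for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)
WINDOW = 64    # receiver's anti-replay window size in packets


def ah_icv(key, spi, seq, payload):
    """ICV over the header and payload with the ICV field itself zeroed (as AH does for mutable fields)."""
    data = struct.pack("!II", spi, seq) + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, payload):
    """Sender: header = SPI (4) | sequence number (4) | ICV (12), followed by the unchanged payload."""
    return struct.pack("!II", spi, seq) + ah_icv(key, spi, seq, payload) + payload


class AHReceiver:
    """One inbound security association: verifies the ICV and enforces the sliding replay window."""

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => packet (highest - i) has already been accepted

    def receive(self, pkt):
        """Return (accepted, reason, payload). Nothing is delivered until the ICV checks out."""
        spi, seq = struct.unpack("!II", pkt[:8])
        icv, payload = pkt[8:8 + ICV_LEN], pkt[8 + ICV_LEN:]
        if spi != self.spi or seq == 0:           # sequence number 0 is never valid
            return False, "bad spi/seq", None
        # 1. replay pre-check on the (cheap) sequence number before doing the MAC
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= WINDOW:
                return False, "too old", None
            if (self.bitmap >> diff) & 1:
                return False, "replay", None
        # 2. integrity and authentication
        if not hmac.compare_digest(ah_icv(self.key, spi, seq, payload), icv):
            return False, "bad icv", None
        # 3. slide or mark the window only for packets that authenticated
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True, "ok", payload
```

Step 3 is the part that is easy to get wrong: if the window were advanced before the ICV check, an attacker could send a forged packet with a huge sequence number and push every legitimate in-flight packet out of the window, a cheap denial of service.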

Handling of Encryption Key

This is accomplished with ISAKMP (Internet Security Association and Key Management Protocol) and the
Oakley key determination protocol, which together make up IKE (Internet Key Exchange). As mentioned in the
Background section, communication between two hosts cannot proceed until the hosts agree upon encryption
keys. This “contract” is called an SA (Security

Enable IPSec
This is done via setting up a policy and assigning it, either for a local computer or for a domain.

Customize IPSec policies and rules
Without a policy, IPSec cannot be configured. You can set a policy in a local computer policy or in an Active
Directory group policy.

Local Computer Policy

To set up a policy for a local computer policy, add the IP Security Policy Management MMC snap-in and
run it or run Start -> Programs -> Administrative Tools -> Local Security Policy.


Supplied, but disabled by default, policies:
    l   Client (Respond Only) – security is used only if requested
    l   Secure Server (Require Security) – security must be used
    l   Server (Request Security) – all sessions request IPSec security, but communications will proceed
        without it

When setting up a policy, you can choose between one of these authentication methods: Windows 2000
default (Kerberos v5), certificate, or preshared key.

Active Directory Group Policy

To set up a policy, or enable existing policies for an Active Directory Domain group policy, select Active
Directory Users and Computers -> domain -> Properties -> Group Policy tab -> Edit for the Default
Domain Policy. Select Computer Configuration -> Windows Settings -> Security Settings -> IP Security
Policies on Active Directory.

Each policy has default rules associated with it. For example the Secure Server policy has these rules:

    l   All IP Traffic
    l   All ICMP Traffic
    l   <Dynamic>


To activate the policy, close the Properties dialog, if it is open, right-click the policy and choose Assign. This
changes the Policy Assigned column status from No to Yes.


There are two tabs to the Policy Properties dialog and these are where you customize an IPSec policy.
The General tab contains fields for the name, description, how often to check for policy changes (default
180 minutes) and Advanced settings for Key Exchange.

On the Rules tab, clicking Edit... allows you to adjust rules, which are essentially elements that control when
security is invoked for the parent policy.
Connection Type choices include, all network connections (the default), LAN, and Remote access.

Tunnel Settings has two choices:

    l   This rule does not specify an IPSec tunnel
    l   The tunnel endpoint is specified by this IP address

Filter Action has three choices: Permit, Request Security (Optional) and Require Security.

Adding an IP Filter

When adding an IP filter, which is accomplished by clicking Add from the above dialog, you are presented
with these fields and options: Name, Description, IP Traffic Source (My IP Address, Any IP Address, etc.),
IP Traffic Destination, IP Protocol Type (TCP, UDP, ICMP, etc.), IP Protocol Port (From any port, From this port,
To any port and To this port). You can optionally choose to use a wizard to aid your configuration.

Configure IPSec for transport mode
IPSec transport mode protects only the payload of each IP packet and leaves the original IP header in place;
it is the mode used between two end hosts. It is also the mode Microsoft's L2TP/IPSec VPN uses (ESP in
transport mode protects the L2TP/PPP payload). Installing Routing and Remote Access, enabling a VPN and
leaving all default settings when creating an IPSec policy will result in transport mode.

Configure IPSec for tunnel mode
IPSec tunnel mode protects the entire original IP packet and wraps it in a new IP header addressed to the
tunnel endpoint; this is the gateway-to-gateway mode sometimes called pure IPSec (IPSec without L2TP).
This mode should be used when interoperating with routers and gateways that do not support

Setting up an IPSec Tunnel

Refer to the following Microsoft Knowledge Base article, How to Configure IPSec Tunneling in Windows 2000,
for details.

(KB# Q252735)

Here are some highlights from the above article:

    l   Use transport mode unless the device you’re attempting to communicate with doesn’t support
        L2TP/IPSec or PPTP – an added benefit is that transport mode is less work to set up
    l   Don’t use tunnel mode for remote access clients using VPN – that’s what transport mode is for
    l   Tunnel mode does not support protocol and port -specific tunnels so ensure that, when adding a filter,
        you select Any protocol type on the Protocol tab
    l   Only traffic explicitly specified in the IPSec filters is secured. Take precautions, as necessary to secure
        traffic that does not go through the tunnel
    l   Two filters are required: one to handle traffic from your host and the other to handle traffic to your host.
        Also, clear the Mirrored checkbox on the IP Filter List tab when building a filter

    l   Ensure you don’t enable these two settings on the above New Filter Action Edit dialog, Security
        Methods tab:
            ¡ Accept unsecured communication, but always respond using IPSec

            ¡ Allow unsecured communication with no IPSec -aware computer
    l   Also, only check Session key Perfect Forward Secrecy (PFS) if the target host also has this selected
    l   You will likely have to use certificates as the Authentication Method unless you have a special
        network setup. When testing, initially use a preshared key, then replace it before production
    l   You can use the command-line netdiag utility (netdiag /test:ipsec) to check active filters

Manage and monitor IPSec

IP Security Monitor

IPSECMON is run from Start -> Run.


The Options button allows you to change the default Refresh Interval from 15 seconds.

Monitoring L2TP Port Connections

By running Routing and Remote Access, selecting the server and the Ports folder and double-clicking on a
relevant L2TP port, you can view port status information. See the “Manage and monitor remote access”
section (under the major “Remote Access section”) earlier in this Cramsession for more details.

Installing, Configuring, Managing, Monitoring, and
Troubleshooting WINS in a Windows 2000 Network
WINS Background

It will likely be some time before we can banish WINS from most networks. In a pure Windows 2000 network,
with all Windows 2000 clients and WinSock applications, DNS and Active Directory handle name resolution
without help from WINS. The Windows Internet Naming Service, which maps NetBIOS (“computer”) names
to IP addresses, is required on any Windows 2000 network which has non-Windows 2000 computers or has
Windows 2000 computers running applications that are written for the NetBIOS interface, not the WinSock
interface. Moreover, the Computer Browser (i.e., Network Neighborhood) service also relies on WINS. The
good news, if you still require WINS in your environment, is that Microsoft has added some enhancements to
the WINS product that eliminate some of the past headaches administrators suffered from when managing it.

For really small networks, just as HOSTS files can be used in place of DNS to map hostnames to IP
addresses, LMHOSTS files (KB# Q101927) can be used in place of WINS to map NetBIOS names to IP
addresses, and the broadcast nature of the NetBIOS protocol can probably be tolerated. However, Windows
2000 WINS makes life easier for all but the smallest networks. If you do need to fiddle with LMHOSTS files,
know that a sample file (LMHOSTS.SAM) resides under \winnt\system32\drivers\etc.

There are four main components to WINS:

  1. WINS Servers – receive directed messages from WINS clients or WINS proxy computers and perform
        NetBIOS name to IP address resolution. At minimum, you should have two WINS servers (for
        load balancing and fault tolerance), but realize that too many WINS servers cause problems of their
        own (replication traffic and inconsistent databases). Moreover, a segment on the far side of a WAN
        link should have its own WINS server so that name resolution survives a link failure. Microsoft
        recommends one WINS server per 10,000 users plus one more for redundancy. When your large
        network justifies several WINS servers, go for a hub and spoke replication design. (KB# Q185786)
  2.    WINS Clients - use directed communication with the WINS servers as opposed to broadcasting across
        the network. Clients can be Windows for Workgroups, Windows 9X, Windows NT and Windows 2000
  3.    Non-WINS Clients - use broadcasts to WINS proxy computers which in turn communicate with WINS
        servers. Windows 3.1, DOS and non-Windows computers fit in this category. These clients aren’t left
        out of the WINS world thanks to WINS proxy servers
  4.    WINS Proxies – these computers intercept broadcasts on their subnet and communicate with a WINS
        server on behalf of a client. This role can be filled by these systems: Windows for Workgroups,
        Windows 9X, Windows NT and Windows 2000 (Server and Professional). Although WINS proxy
        servers can help a client with name resolution, they cannot perform a registration for the client

NetBIOS Names

NetBIOS names are 16 characters long with the first 15 characters used to identify a unique name (for a
single user or computer) or a group name (for a set of users or computers). The last character is a hex value
that identifies the type of resource that is being registered.

For example, these resources are created when a computer registers with WINS:

    l   00h – WorkStation
    l   03h – Messenger
    l   20h – File Server

Several other resources are possible, such as the Domain Name group record, 1Ch, which every domain
controller registers.

Windows 2000 Server Documentation – NetBIOS Names
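To make the 15-character name plus 1-byte suffix concrete, here is an added Python example that is not part of the Cramsession or of Windows. It pads a computer or domain name into the 16-byte NetBIOS form, splits a registered name back into its name and resource type, and, going a step beyond the text, applies the RFC 1001 "first-level" encoding that turns each byte into two letters, which is how these names appear in WINS and NetBIOS name service packets in a Network Monitor capture. The suffix table below lists only the types named on this page plus the browser-service ones.

```python
# Resource suffixes from the page plus the common browser-service ones (hex value -> type).
SUFFIXES = {
    0x00: "Workstation",
    0x03: "Messenger",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",      # group record: every DC registers it
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server",
}


def netbios_name(name, suffix):
    """Build the 16-byte registered form: name upper-cased and space-padded to 15 bytes, then the suffix."""
    raw = name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix is a single byte")
    return raw.ljust(15, b" ") + bytes([suffix])


def parse_netbios_name(raw):
    """Split a 16-byte name into (name, suffix, resource type description)."""
    if len(raw) != 16:
        raise ValueError("expected exactly 16 bytes")
    suffix = raw[15]
    return raw[:15].rstrip(b" ").decode("ascii"), suffix, SUFFIXES.get(suffix, "Unknown")


def first_level_encode(raw16):
    """RFC 1001 s.14.1: each nibble becomes 'A' + nibble, so 16 bytes turn into 32 letters A..P."""
    out = bytearray()
    for b in raw16:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def first_level_decode(encoded32):
    """Reverse of first_level_encode; rejects anything that is not 32 letters in A..P."""
    if len(encoded32) != 32 or any(c < ord("A") or c > ord("P") for c in encoded32):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded32[i] - ord("A")) << 4) | (encoded32[i + 1] - ord("A"))
                 for i in range(0, 32, 2))


def describe_wire_name(encoded32):
    """Convenience for reading a capture: decode the 32-letter form and label its resource type."""
    name, suffix, kind = parse_netbios_name(first_level_decode(encoded32))
    return f"{name}<{suffix:02X}> {kind}"
```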
Install, configure, and troubleshoot WINS


As with other servers, such as DNS, you need your WINS server to have a static IP address. WINS is
installed (see the Overview) on a Windows 2000 server, by selecting the Windows Components section of
the Add/Remove Programs applet in the Control Panel. Next choose Networking Services, Details, and
then Windows Internet Name Service (WINS). A second way to install WINS is to choose Add Network
Components -> Network Services -> Details -> WINS from the Network and Dial -up Connections icon.
Thankfully, no reboot is needed.

There are two quick ways to ensure that your WINS server is functional. The first is to run Task Manager (via
a Ctrl-Alt-Delete) and check for the wins.exe process on the Processes tab. The second is to run the WINS
snap-in, right-click the server and choose WINS Server Statistics. If, after the interval time (set on the server
Properties General tab described below) has elapsed, no statistics have changed, chances are high there is a
WINS problem.

Clients are configured to talk to up to 12 WINS servers on the Advanced tab of the TCP/IP properties dialog box.
Clients can set these server values statically or receive them via DHCP. To check that a client can reach a WINS
server at all, use this command: ping –a <WINS server name>. A reply proves only IP connectivity, not that the
WINS service is answering, so pair it with the statistics check above. To see which WINS server is primary for a
client, run ipconfig /all from the command prompt on the client and check the field Primary WINS Server.



The Active Registrations folder lists Record Name, Type, IP Address, State (e.g., Active). Right-clicking on
this folder allows you to find resources by name and owner. You can also add a New Static Mapping for,
say, a UNIX client. Scope is an optional entry that segments groups of computers.
The Replication Partners folder lists Server Name, IP Address and Type (e.g. Push/Pull – the default for a
new WINS server).

Server Settings in WINS MMC

Several options exist for a WINS server. They are accessed by running the WINS snap-in, right-clicking on
the server and choosing Properties and include these tabs:

    l   General
            ¡ Set the interval at which statistics are updated (default 10 minutes) and choose whether or not
              to backup the database during shutdown and to enter the default backup path. Choosing a
              removable media as a backup destination provides more fault tolerance in case your WINS
              server craters
    l   Intervals
            ¡ Renew Interval – only reduce the default for a network where PCs enter and leave it frequently
              (default 6 days). Every time a computer shuts down, its registered names are released from
            ¡ Extinction Interval – time interval before a record is classified as extinct (default 4 days)
            ¡ Extinction Timeout – time interval before an extinct record is removed from the database.
              Removal is referred to as scavenging (default 6 days)
            ¡ Verification Interval – time period between database records accuracy check (default 24 days).
              This process checks records that are stored on but not owned by the WINS server initiating the
    l   Database Verification
Owner servers is the logical choice, since a server’s copy of the records is then compared with the server that
created them rather than with a random server that may not own them. The default time interval is 24 hours.
This new feature of Windows 2000 WINS goes a long way toward eliminating a common complaint about prior
versions of WINS: an inconsistent WINS database

   l   Advanced
Burst handling settings allow the administrator to decide how many registration or renewal requests the
server should handle at one time before asking clients to try again.

In terms of the Database path, Microsoft recommends that you periodically run JetPack on your WINS
database to compact it. (KB# Q167812)

Starting version ID is an incrementing hex value that identifies this server’s version of the WINS database.
It’s used for replication purposes.

Compatibility with LAN Manager – enabling this provides down-level support for LAN Manager computer
names. LAN Manager TCP/IP does not recognize the hexadecimal format for the 16th character of the
NetBIOS name. (TechNet article on LMHOSTS files)

WINS Proxy Placement

You need to place a WINS proxy agent on network segments containing clients that don’t work with WINS;
i.e., clients such as UNIX machines that are unable to store the IP address of a WINS server. The proxy
agent intercepts a client’s request for NetBIOS name resolution and passes the request, across a router, to a
WINS server. After the proxy receives the answer from the WINS server, it stores it in its NetBIOS name
cache and passes it on to the requesting client. To view the entries in the proxy agent’s cache, which are
stored there for 10 minutes (by default), run this utility from the command prompt: nbtstat –c.

To make a computer a proxy agent requires a change to a Registry key: set the EnableProxy value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters to 1 and restart the computer.

Don’t place more than one proxy agent on a single segment as the agents won’t know about each other and
thus perform duplicate work.

(KB# Q121004)

Configure WINS replication

The main benefits of having more than one WINS server on your network are that by sharing the WINS
database, these servers provide fault tolerance and load balancing.

Replication Types

    l   Pull Replication – this method is time based and occurs as set by the administrator. This is a good
        choice to use for two WINS servers separated by a WAN since the administrator can choose the best
        time of the day to trigger the replication. Settings include:
            ¡ Start time of replication
            ¡ Interval for replication (default: 30 minutes)

            ¡ Whether or not to configure a persistent connection (see next section for more details)

    l   Push Replication – this method is event based and occurs when a pre-determined number of WINS
        database changes have occurred. A version ID tracks each change to records in the WINS database
        and is used as the trigger for a push replication. The push partner does not actually send data to its
        partner, but only reminds the partner that the partner should pull the data. Push partners should
        generally be connected by fast links. Settings include:
            ¡ The number of increments of the version ID before initiating a replication

            ¡ Whether or not to configure a persistent connection (see next section for more details)

    l   Immediate Replication – an administrator can manually force a replication by right-clicking on a
        partner server and choosing to send an immediate trigger

Persistent Connections

This is a new feature to Windows 2000 whereby a WINS server can be permanently connected to one or
more replication partners. This results in faster replication because no time is wasted at the start of each
replication in order to make a connection to a replication partner.

Configuring Replication Partners

WINS servers can use push, pull or both types of replication.

To add a replication partner to a WINS server, run the WINS snap-in, right-click the Replication Partners
and choose New Replication Partner. Enter the name or IP address of this server’s replication partner and
click OK. Right-click on the new partner’s icon and choose Properties. On the Advanced tab make the
selections that are listed in the “Replication Types” section for Push and Pull Replication and click OK.

Configuring Global Options

Administrators can set default options that apply to replication partners added from now on (partners that
have already been configured keep their own settings). To configure these options, right-click on the
Replication Partners folder and choose Properties. The following tabs allow you to:

    l   General – choose to replicate not only with partners but with other servers
    l   Push Replication – enable or disable the starting of push replication at: service startup, and when an
        address changes. Also has a setting for the number of changes in version ID before replication and
        whether or not to use persistent connections
    l   Pull Replication – enable or disable the starting of pull replication at startup, and enable or disable
        persistent connections. Also contains entries for the replication start time and interval and the number
        of retries
    l   Advanced – block certain servers from replicating and a setting, to be used only on small networks
        due to its multicast nature, that enables automatic partner configuration. For automatic
        configuration, every WINS server announces its presence with multicasts, and if a server is found
        without a push/pull partner, this server gets added into the replication list of an existing server.
        Multicast settings include a time interval and time to live (TTL)

Configure NetBIOS name resolution
NetBIOS over TCP/IP clients resolve names with one of several node types, which differ in how they mix
broadcast and directed traffic:

    l   B-node - broadcast node: only broadcast messages compose the communication. This method is
        used by older clients
    l   P-node - point-to-point node: only directed (unicast) messages compose the communication. This
        is used by newer clients and requires a WINS server. P-node clients, upon startup, register their
        name/IP address mapping with the WINS server
    l   H-node - hybrid node: a device first attempts to use P-node resolution and then, on failure, resorts to
        B-node. This is the default mode for Microsoft clients that have a WINS server configured
    l   M-node - mixed node: a device first tries B-node, and then, on failure, resorts to P-node

The two disadvantages with broadcast messages are that broadcasts are wasteful of bandwidth and
broadcasts generally do not cross routers.

How is your client configured? Run ipconfig /all and view the Node Type field.

Order of name resolution

The typical order for NetBIOS resolution (assuming an H -node client) is:

Local NetBIOS name cache -> WINS -> Broadcast -> LMHOSTS file -> HOSTS file -> DNS

See the “Name Resolution” section in the Microsoft TCP/IP Cramsession for more information and a handy
acronym for the above chain of events.

Manage and monitor WINS
The WINS MMC is the main tool to manage and monitor WINS.

WINS server statistics are available from the WINS MMC via right-clicking on the WINS server and selecting
WINS Server Statistics.
Clicking on a WINS server and then opening the Action menu provides a plethora of options, including:

    l   Displaying stats
    l   Scavenging the database (i.e., removing unused database entries)
    l   Verifying database consistency and version ID consistency (both time consuming);
    l   Manually starting either push or pull replications
    l   Backing up (done every 24 hours by default) and restoring the database
    l   Deleting a WINS server
    l   Refreshing displayed information
    l   Exporting the WINS database to a tab- or comma-delimited file

The WINS MMC, in addition to having powerful searching capabilities (including filtering functionality), is
multi-threaded, which means that more than one WINS MMC can be run at once and each MMC produces
snappy results.

Another enhancement in the Windows 2000 release of WINS is that you can delete not just static but also
dynamic records.
The System Monitor has several counters associated with the WINS object, including ones that track failed
and successful queries and releases as well as conflicts, registrations and renewals. These counters are
per-second rates.

Manual Tombstoning to Permanently Remove a Record

To ensure that a record gets deleted, not just on your WINS server, but also on all partner servers, manually
tombstone the record.

Other BrainBuzz IT Resources Reference Material:

The WINS Proxy Agent

WINS Enhancements in W2K

A World Without WINS

Working with WINS Replication Pt. 1

Working with WINS Replication Pt. 2

Installing, Configuring, Managing, Monitoring, and
Troubleshooting IP Routing in a Windows 2000 Network
Routing Background

Routing is a method of transporting a data packet from a source to a destination. Of course, routing is not
needed in cases where messages are destined for the same network segment; i.e., cases where, based on
the subnet mask, the host and destination devices share the same network address.

Windows 2000, by means of built-in utilities and the Routing and Remote Access Service (RRAS –
essentially a multiprotocol router), handles three types of routing:

    l   Static – relies on a static routing table, which is stored in RAM and contains instructions on how to get
        a packet from one network segment to another. A routing table is created when TCP/IP starts up and
        changes when an administrator manually adds, or removes records
    l   Dynamic – relies on either Distance Vector or Link State routing protocols. The main benefit of
        dynamic routing over static is that records are added and changed automatically in the routing table
        (hence the name dynamic). This automatic operation leads to a related benefit: fault tolerance. If one
        network path goes down, the dynamic routing protocol will attempt to find an alternate route. One of the
        key ways to compare dynamic protocols is to see how they rate in terms of convergence : the elapsed
        time for all routers to record a routing information update
    l   Demand-Dial – also known as Dial on Demand (DoD), relies on a modem, ISDN or direct (serial or
        parallel) connection. This type of routing serves two main purposes: to backup a main connection
        (redundancy), and to save on connection costs (costs accrue only while the connection is in

Install, configure, and troubleshoot IP routing protocols

Update a Windows 2000-based Routing Table by Means of Static Routes
A Windows 2000 Professional PC can send a data packet to another network segment in one of three ways:

    l   By sending the data to a router as defined by the default gateway address recorded in its TCP/IP
        settings. The IP address of the default gateway is first translated to a MAC address by means of
        the workstation’s Address Resolution Protocol (ARP) cache, before the packet hits the network
    l   By reading the Internet Control Message Protocol (ICMP) message from the router, which contains
        advice on the best route to the destination address
    l   By listening (eavesdropping) to the routing traffic present on its network segment; i.e., by being a RIP

Windows 2000 Professional as Router

A Windows 2000 Professional workstation can track the same information that’s stored on adjoining routers
by becoming a RIP Listener. This is set up by selecting Control Panel -> Add/Remove Programs ->
Add/Remove Windows Components-> Networking Services -> Details -> RIP Listener.

Microsoft describes the RIP Listener in the Networking Services dialog as follows: “Listens for route updates
sent by routers that use the Routing Information Protocol version 1 (RIPv1)”. Since RIP Listeners don’t
understand multicast announcements, they won’t work properly with RIP Version 2 that is configured to use

Setting up RRAS in Network Router Mode

In order for a server to run RRAS, you either have to run the installation as a Domain Administrator or ensure
that the server’s computer account gets added to the RAS and IAS Servers security group. To enable RRAS
as a network router, perform the following:

    l   Run Start -> Programs -> Administrative Tools -> Routing and Remote Access
    l   Right-click the server and then select Configure and Enable Routing and Remote Access
    l   From the Common Configuration selections, choose Network Router
    l   For the Routed Protocols dialog, accept Yes, all of the available protocols are on the list (TCP/IP
        is listed by default), or select No, I need to add protocols, to add other protocols
    l   Choose whether or not you “want to use demand-dial connections to access remote networks”
        and click Finish

Distance Vector (RIP) Routing

RIP (Routing Information Protocol) routing is a Distance Vector style of routing, which leverages the
information it learns from other routers to build a routing table and which uses a hop count metric (which
normally increments by one as each new network segment is encountered) to count the number of routers
which must be traversed to reach the destination network. RIP is restricted to a maximum of 15 hops and
can send only up to 25 routes in a single RIP packet. To add RIP routing, do this:

    l   Run RRAS
    l   Right-click General under the IP Routing folder
    l   Choose New Routing Protocol
    l   Select RIP Version 2 for Internet Protocol

Next, it’s necessary to assign an interface to the RIP protocol. This is done by right -clicking the RIP item and
choosing New Interface. Select the interface that is attached to a network for which you want to learn more
about routes.

In Distance Vector routing, routers update their record based on these events:

     l   When routers are started
     l   When routers have changes to their routing tables
     l   On a periodic basis

Advantages of Distance-Vector routing:

     l   It is simpler to configure than Link State
     l   It is simpler to maintain

Disadvantages of Distance-Vector routing:

     l   It is slower to converge than Link State
     l   It is susceptible to the count-to-infinity problem
     l   It creates more traffic than Link State since a hop count change must be propagated to all routers,
         which then must all process the change. Moreover, because of its periodic hop count updates, even if
         there are no changes in the network topology, broadcasts still occur thus wasting bandwidth
     l   For larger networks, it results in larger routing tables than Link State since each router must know
         about all other routers. This can also lead to congestion on WAN links

Note: by default RIP does not announce host routes or default routes; both can be enabled per interface on the
Advanced tab of the RIP interface properties.

The count-to-infinity problem arises when one router loses its route to an adjoining network. A second router,
1 hop away from the first, still believes the unreachable network is 2 hops away (it learned that from the first
router) and announces it. The first router, now seeing a route at 2 hops through the second router, records the
network as 3 hops away and announces that; the second router records 4, and so on. The routers keep
incrementing the hop count in turn until the metric reaches 16, which RIP treats as “infinity” (unreachable).
There are three methods to limit this problem: Split Horizon, Split Horizon with Poison Reverse, and Triggered
Updates.

Link State (OSPF) Routing

OSPF (Open Shortest Path First) routing is a Link State style of routing, which only sends out network topology
information when changes have occurred. Routers learn about network topology, and hence build their
routing tables, by sending out “hello” packets to adjoining routers. These packets also notify other routers that
the sending router is still alive.

Also, flooding takes place, in which routers share route change information via Link State Advertisements
(LSAs). Since an LSA is not changed by any router, but forwarded unaltered to all routers, this information is
considered first-hand. Also, an LSA contains information only about the originating router’s neighbors and
thus results in smaller routing tables.

An LSA consists of three elements:

  1. A router
  2. The networks attached to the router
  3. The costs for the networks

OSPF also has these features:

    l   It is essentially loop-free; its metric is a cost (up to 65,535 per link) rather than a hop count
    l   It can load balance network traffic between multiple paths of the same metric value
    l   It supports authentication using passwords and other methods
    l   It converges quicker than RIP since routing updates are sent immediately instead of periodically
    l   It uses less bandwidth since transmission take place only when routing changes occur
    l   It supports the logical grouping of network segments into areas (see the “Autonomous System”
        section below). Moreover, it announces routes outside of an autonomous system within the
        autonomous system so that it can calculate costs to reach outside networks
    l   Thanks to announcing subnet masks, it supports CIDR, VLSM (Variable Length Subnetting),
        Supernetting (used to aggregate Class C networks) and non-contiguous network segments

To add OSPF routing, follow the same steps as to add RIP except choose Open Shortest Path First instead
of RIP.

Implement Demand-Dial Routing
Two routers are needed for Demand-Dial Routing: a calling and an answering router, each of which must
have RRAS installed.

Configuring Demand-Dial Routing

Run RRAS and select server Properties -> Router -> LAN and demand-dial routing on the General tab ->
OK. This adds the Ports folder under the server in the RRAS console (see the section “Setting up a Virtual
Private Network” for more details on the Ports folder).
Right-click Routing Interfaces -> New Demand-Dial Interface -> fill in the Interface name field, connection
type, select the modem or adapter the interface will use, enter the phone number or address of the dial-up
server you’re connecting to and select the protocols and security.

The Add a user account so a remote router can dial in setting allows a remote router to dial-in to this
router and will cause the dial in credentials dialog to appear next.

Enter dial in credentials and dial out credentials.
Assigning Port as Dial-in, Dial-out

To ensure a port is set up properly for dial-out and/or dial-in routing, right-click on the Ports folder, select the
appropriate device (e.g., specific modem), click Configure, and check the appropriate checkboxes:

  1. Remote access connections (inbound only)
  2. Demand-dial routing connections (inbound and outbound)

Setting up a Static Route

If you want to use static routes, from within the RRAS console, right-click Static Routes. Choose New Static

Demand-Dial Routing Activation

Demand-Dial Routing takes place when a router configured for this type of routing receives a packet that it
determines requires a demand-dial route. The RRAS server initiates a PPP connection (physical or VPN
tunnel) with the other end of the route and, in the case of a VPN tunnel, uses either PPTP or L2TP. In the
event a desired connection already exists, it is used.

Reasons Demand-Dial Connections Fail

The following items will prevent a demand-dial connection from taking place:

    l   A breach of the dial-out hours
    l   A breach of demand-dial filters
    l   Improper dial-out credentials (User name, Domain, Password)
    l   A mismatch of connecting interfaces between the calling and answering routers

Demand-Dial Connection Types

There are two connection types:
  1. On-demand – connection is initiated when demand-dial routing is required and stays intact until a
        demand-dial timeout has elapsed after the last data transmission
           ¡ In a one-way initiated connection, there is only one calling router and this router must have
              configured both a user that is authorized on the receiving router for the connection, and static
              routes associated with that user that lists which outbound routes should be handled by the
              demand-dial connection
           ¡ A two-way initiated connection is the same as the one-way connection except that both
              routers are configured like the calling router described above
           ¡ The main disadvantage with an on-demand connection is that some time-based applications
              may not handle the delay required to make the connection and set up the static routes
           ¡ Because of its non-persistent nature, it’s better suited to static routes or autostatic updates (a
              single exchange of a large amount of routing information from one router to another, which must
              be manually triggered the first time and then subsequently scheduled) rather than a dynamic
              routing protocol such as RIP which requires frequent, periodic communication
           ¡ Be careful about pointing the default gateway (the default route) at an address requiring an on-
              demand connection. This may not be appropriate for your environment and may result in the
              initiation of connections which cannot satisfy the routing request
  2.    Persistent – connection is permanent
           ¡ Has no delay to set up a connection since the connection is permanent

           ¡ If the connection gets broken, the calling router can be set up to automatically reconnect
           ¡ Requires an X.25, leased line or ISDN connection

Demand-Dial Security

To ensure that only valid calling and answering routers are involved in a demand-dial connection and that the
data transmitted across that connection is secured, these technologies and measures are used:

    l   An authenticated user account with appropriate permissions to make the connection. Account
        Lockout can also be set up to stop an attacker from repeatedly guessing at a valid
        user/password pairing
    l   See the section “Configure Authentication Protocols” for more information on these Windows 2000
        supported authentication methods: PAP, SPAP, CHAP , MS-CHAP (Versions 1 and 2), and EAP-MD5.
        Certificate based authentication is also supported; namely, EAP-TLS and IPSec/L2TP
    l   Transmitted data can be protected by one of these mechanisms: MPPE and IPSec . See the section
        “Configure Encryption Protocols” for more information
    l   Callback can be used to ensure the proper calling router is connecting. See the “Inbound Connection
        Configuration” section for more information
    l   Caller ID can be used to ensure the incoming call is from the proper phone number. This is a more
        complex and secure protection mechanism than callback (KB# Q279440)

Manage and monitor IP routing

Autonomous System

An autonomous system is a set of networks under one administration that share an interior (or intradomain)
routing protocol, such as RIP or OSPF (collectively called Interior Gateway Protocols, IGPs), for carrying network
topology information within the autonomous system. By grouping a set of network IDs such that they require
only one entry in a routing table, autonomous systems can be divided into routing areas (also known as regions
or domains).

In order to route among autonomous systems, a different set of protocols is used: exterior (or interdomain).
These include:

    l   Exterior Gateway Protocol (EGP)
    l   Border Gateway Protocol (BGP)
By aggregating routes, these exterior protocols can scale to very large networks.

Manage and monitor internal routing


RIP, still common in small internetworks, comes in two flavors: Version 1 and Version 2.

RIP Version 1

To set up RIP Version 1, perform the same steps listed under the section “Distance Vector (RIP) Routing” and
then add these steps before closing RRAS:

    l   Right-click the RIP icon and select New Interface
    l   Choose the Local Area Connection entry associated with the interface you wish to adjust and click

Operation Mode entries include Auto-Static update mode and Periodic update mode (the default).
Outgoing packet protocol includes:

    l   RIP Version 1 Broadcast
    l   RIP Version 2 Broadcast
    l   Multicast
    l   Silent RIP

Incoming packet protocol includes:
    l   RIP Version 1 and 2
    l   RIP Version 1 only
    l   RIP Version 2 only

The Security tab has these settings for incoming and outgoing routes:

    l   Accept all routes
    l   Accept all routes in the ranges listed
    l   Ignore all routes in the ranges listed

The Neighbors tab allows the following settings for neighboring router addresses:

    l   Use broadcast or multicast only
    l   Use neighbors in addition to broadcast or multicast
    l   Use neighbors instead of broadcast or multicast – i.e., unicast

RIP Properties

RIP Properties include these settings (defaults are shown in brackets): Periodic announcement interval (30s);
Time before route expires (180s) and Time before route is removed (120s).

RIP Version 1 Shortcomings

One downfall of RIP Version 1 is that it broadcasts its route updates, so every host on the segment, not just the
routers, receives and has to process the announcements. This disadvantage has one upside: because the
announcements reach every host, a host can be configured as a Silent RIP listener and keep its own routing
table current.

Silent RIP refers to a router that handles RIP announcements, while at the same time not announcing its own

To configure Silent RIP, you would follow the same steps listed in this Cramsession to configure RIP Version
1 but instead set the Outgoing packet protocol to Silent RIP.

RIP Version 1 assumes a class-based addressing scheme. It thus assumes that Class A, B and C addresses
use the default subnet masks (, and An announced address whose host bits are all
zero under its class mask is taken as that class-based network. For addresses that don’t map directly to a
Class A, B or C network, if the network portion of the address matches the network of the interface on which
the announcement is received, the system assumes that interface’s subnet mask; otherwise the
subnet mask (a host route) is assumed. Because of these assumptions, supernetted routes may appear as a
single class-based network address, and a subnet being announced outside of its network segment may
appear as a single host. As a result RIP Version 1 does not support CIDR and VLSM.

Another knock against RIP Version 1 is that it has no authentication, so it cannot stop a rogue RIP router (or
any host able to send broadcasts on the segment) from filling the network with garbage routes.

RIP Version 2

RIP Version 2 addresses some of the Version 1 shortcomings. It does this by:

    l   Using a multicast instead of a broadcast address. Instead of broadcasting RIP announcements,
        routers send to the IP multicast address The disadvantage of this is that a Silent RIP
        router (or a RIP Listener) may not understand the multicast announcement
    l   Sending not just an address but also a subnet mask. This overcomes RIP Version 1’s problem of
        having to assume what the associated subnet mask is. This enhancement enables RIP Version 2 to
        support VLSM and CIDR and to allow for non-contiguous network segments which RIP Version 1
        cannot handle. Also, RIP Version 2 can increase the number of available subnets because it can
        support the all “0”s and all “1”s subnets
    l   Preventing rogue RIP routers by supporting authentication: a simple password, and the keyed
        Message Digest 5 (MD5) scheme of RFC 2082. Note that the simple password travels in clear text
        inside every announcement, so it keeps out misconfigured routers but not an attacker who can sniff
        the segment; use MD5 where both ends support it


OSPF relies on the Shortest Path First (SPF) algorithm (Dijkstra’s algorithm) to compute, from the link-state
database, the shortest path to each remote node. It, like RIP Version 2, supports CIDR and VLSM. It is set up in
a similar fashion to configuring RIP (see the “Distance Vector (RIP) Routing” section).

OSPF Routing Hierarchies

The three main components of a routing hierarchy are:

  1. Autonomous System – networks with the same routing scheme and administration
  2. Areas – grouping of networks within an autonomous system. Areas are identified by an Area ID and
        are used to lessen the size of the Topological Database, which uses LSAs to provide a bird’s eye
        view of the networks and their proximity to routers. Each area forms its own topological database.
        Routers with more than one interface can link areas and are called border routers
  3.    OSPF Backbone – a special type of OSPF area, which links the other areas by carrying routing
        information between them. Each OSPF internetwork has at least one backbone. The area ID for a
        backbone is, which is reserved. Every other area must attach to the backbone (directly or via a
        virtual link), and the backbone consists of:
            ¡ Border routers

            ¡ Networks not assigned to an area
            ¡   Unassigned networks’ routers

A Virtual Link is used to connect an area, which cannot physically interface with an OSPF Backbone, to an
OSPF Backbone. The Virtual Link is the connection between two routers, while the area that hosts those two
routers is called a Transit Area.

Manage and monitor border routing

Border routing is routing between autonomous systems. Protocols you will see named in this context are:

    l   Border Gateway Protocol (BGP), the protocol used between Internet autonomous systems
    l   Interior Gateway Routing Protocol (IGRP), a Cisco-proprietary distance-vector protocol
    l   RIP

Note that IGRP and RIP are interior protocols; in Windows 2000 RRAS, “border routing” refers to an OSPF
autonomous system boundary router importing routes learned from RIP, static entries and other sources, as
described next.

Excessive traffic may result since, by default, all external routes are announced in an autonomous system. To
ignore routing information from certain types of protocols and to enable an Autonomous System Boundary,
run RRAS and select IP Routing -> Properties for OSPF -> Check Enable autonomous system boundary
router on the General tab

Click on the External Routing tab and choose to either accept or ignore routes from all route sources
except those selected:

    l   AutoStatic Routes
    l   Local Routes
    l   RIP Version 2 for Internet Protocol
    l   SNMP Routes
    l   Static Routes

Stub areas are those areas that use a default route to reach addresses outside of the autonomous system.

An adjacency is formed when two adjoining routers are synchronized.

Manage and monitor IP routing protocols
The following tools and methods can be used, not just to manage and monitor IP routing protocols, but also to
help you troubleshoot problems.

Network Monitor

For information on the Network Monitor product, please see the “Manage and Monitor Network Traffic”
section. Network Monitor can help you isolate why routing is not working properly in your environment.

Route Command

In addition to configuring static routes, the route command helps with troubleshooting. Key options include:

    l   print – lists all routes known by the computer running the command
    l   add – adds routes. If used with the –p option, the route is persistent across a system restart. In terms
        of the metric (cost) parameter, the route with the lower cost is chosen first. The full route add
        syntax is:

        route add <destination> mask <mask> <gateway> metric <metric cost>
    l   delete – deletes a route
    l   change – modifies an existing route
    l   -f – clears all gateway entries
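To show what the metric and mask parameters above actually do when a packet is forwarded, here is an added example (not part of the Cramsession or of the Windows route command itself) that models a small routing table in Python. The entries, addresses and gateways are made up for the example; the lookup picks the longest matching mask first and, among equal masks, the lowest metric, which is the behaviour the metric (cost) parameter is meant to control.

```python
import ipaddress

# Constructed routing table, one entry per "route add <destination> mask <mask>
# <gateway> metric <metric>" command. Addresses are made up for this example.
ROUTES = [
    # (destination, mask, gateway, metric, persistent via -p)
    ("0.0.0.0",     "0.0.0.0",       "10.0.0.1",   20, True),   # default route
    ("10.0.0.0",    "255.0.0.0",     "10.0.0.1",   10, False),
    ("10.20.0.0",   "255.255.0.0",   "10.0.0.254", 10, False),  # preferred path
    ("10.20.0.0",   "255.255.0.0",   "10.0.0.253", 30, False),  # backup, higher cost
    ("192.168.5.0", "255.255.255.0", "10.0.0.2",   1,  False),
]


def parse_routes(rows):
    """Turn (destination, mask, gateway, metric, persistent) rows into a table."""
    table = []
    for dest, mask, gateway, metric, persistent in rows:
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        table.append({
            "network": network,
            "gateway": ipaddress.IPv4Address(gateway),
            "metric": metric,
            "persistent": persistent,
        })
    return table


def lookup(table, address):
    """Return (network, gateway, metric) chosen for address, or None if nothing matches.

    The most specific (longest) mask wins; among equal masks the lowest metric
    (cost) is chosen first, which is what the route command's metric parameter is for.
    """
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in table if ip in r["network"]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))
    return (str(best["network"]), str(best["gateway"]), best["metric"])


def persistent_routes(table):
    """Routes that would survive a restart because they were added with -p."""
    return [str(r["network"]) for r in table if r["persistent"]]


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dest in ("10.20.1.5", "10.9.9.9", "8.8.8.8"):
        print(dest, "->", lookup(table, dest))
    print("persistent:", persistent_routes(table))
```

A host in 10.20.0.0/16 is sent via 10.0.0.254 (metric 10) rather than the backup 10.0.0.253 (metric 30), and anything outside the listed networks falls through to the default route; only the default route here would survive a restart.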

Examining Routing Tables

To examine the routing tables associated with a certain protocol, run RRAS, select the server, then IP Routing.
Right-click Static Routes and select Show IP Routing Table.

Here’s an article on routing, by Tom Shinder, from BrainBuzz’s IT Resources site:

The W2K Routing Table

Filtering Traffic

You can configure demand-dial routing to filter what traffic it allows and disallows. You do so as follows:

    l   Run RRAS -> server -> IP Routing -> General
    l   Double click the Interface card and select the General tab

The Input Filters and Add IP Filter dialogs are similar to those displayed in the “Configure a remote access
profile” subsection of the “Remote Access” section.

Constructing Tunnel Between Routers

To construct a tunnel between routers run RRAS and select a server -> right-click on Routing Interface ->
New IP Tunnel and supply a name. Select IP Routing -> right-click on General -> New Interface -> enter
the new IP Tunnel name you previously entered. Enter a Local Address (one end of tunnel), Remote
Address (other end of tunnel), and Time to Live.

Troubleshooting RIP, OSPF

Windows 2000 Resource Kit – Troubleshooting IP Routing

Installing, Configuring, and Troubleshooting Network
Address Translation (NAT)
Network Address Translation Background

Before diving into details on Network Address Translation (NAT) and ICS (Internet Connection Sharing),
know that ICS is meant for small networks that need a quick and simple-to-install shared Internet connection
while NAT is meant for larger networks that need not only an Internet connection, but also one that can be
configured to provide a high level of security. NAT also leverages a network’s allotment of IP address. (ICS

Install Internet Connection Sharing

ICS Background

ICS, installed on a Windows 2000 computer (Professional, Server or Advanced Server) with a dial-up
connection to the Internet, provides the following items to its locally attached network:
    l   Network address translation – via NAT
    l   Name resolution – via DNS proxy
    l   Addressing – via DHCP

(KB# Q237254)

Although ICS has fewer configuration options compared to NAT, it does provide these features that NAT
doesn’t (at least not yet):

    l   Directplay Proxy – allows users to play Directplay games through router connections to the Internet
    l   LDAP Proxy – facilitates working with an Internet Locater Service (ILS), which handles registrations
        for NetMeeting
    l   H.323 Proxy – used with NetMeeting calls

Before installing ICS, ensure that the computer you plan to do this on is not a Domain Controller and is also
not acting as a DNS or DHCP server. The reason is simple: the above servers require a static IP address and
installing ICS will re-assign the computer’s static IP address. Moreover, since this computer will be handling
name resolution and addressing, it should be the only computer on the network set up to do so and should be
the only computer with a connection to the Internet. If you have more than one registered IP address available
for your internal network, keep in mind that ICS can use only one registered IP address.

ICS Installation

To enable ICS do the following:

    l   Run Network and Dial-up Connections and ensure you have both a Local Area Connection and a
        dial-up connection to an Internet Service Provider (ISP)
    l   Choose Properties for the ISP connection, click on the Sharing tab and enable this checkbox “Enable
        Internet Connection Sharing for this connection”. The “Enable on-demand dialing” setting should
        be enabled as well
    l   Click Settings if you want to configure shared applications or services

Adding an application (that you want outside users to be able to access on your local network) requires the
entry of an application name, the remote server port number and whether it is TCP or UDP, and the incoming
TCP or UDP response port number.

To add a service (that you want outside users to be able to access on your local network), select a listed
service (such as POP3), and enter the service port number and whether it is TCP or UDP and the related
Name or address of the server computer on the private network.

Effects of Installing ICS

Once installed, ICS changes the IP address on the target PC to the IP address of Since this is a
private address, it cannot be routed outside of the local network to the Internet. You can change this address
but, for security reasons, it’s best to leave it as a private IP address. The PC also becomes a DNS proxy in
that it passes name resolution requests, on the local network, to the DNS server configured in the PC’s DHCP
settings. The PC also runs the AutoDHCP service so that it can dole out addresses (based on the
network) on the local network. Lastly, the PC becomes a demand-dial router that accesses the
ISP connection.

Install NAT

NAT Background
As its name describes, NAT translates IP addresses for hosts on the local network so they can communicate
on the Internet. There are three pools of private addresses (i.e., ones that cannot route to the Internet) that
are used by NAT:

    l to
    l to
    l to

(RFCs 1597, 1631)

This translating of network addresses provides these benefits:

  1. Security – your local network hosts are protected from the Internet since the addresses they use
        locally are not the same as what they use on the Internet
  2. Thrifty Use of IP Addresses – by allowing several hosts on a local network to share a small number
        of Internet-aware IP addresses, NAT requires fewer registered addresses. If your NAT configuration
        provides only one registered address, all internal hosts use the same registered address but a random
        port number. If your NAT configuration provides several registered addresses, only address translation,
        not port translation, takes place. All translations are stored in the NAT table

NAT Installation

NAT can be installed only on Windows 2000 Server, not Professional. It is set up in a similar fashion to
configuring RIP (see the “Distance Vector (RIP) Routing” subsection of the “IP Routing” section).

Configure NAT properties
To call up properties for NAT, run Routing and Remote Access, right-click Network Address Translation
(which is under the server and IP Routing) and choose Properties.

The following tabs are on the NAT Properties dialog:

    l   General – this allows you to configure logging (logged information resides in the System Event log in
        the Event Viewer). If possible, avoid the Disable event logging setting since logging at least some
        information may help you detect intruders
    l   Translation – this controls timeout settings for TCP mappings (1440 minutes default) and UDP mappings
        (1 minute default)
             ¡ There is an application button which allows you to “make applications on the public network
               available to private network clients”
    l   Address Assignment – this allows you to choose to assign addresses by using DHCP. The default
        private IP address and mask is and You can also exclude addresses
        (such as network connected printers). If you already have a DHCP server, do not check this checkbox.
        However, relying on NAT’s DHCP makes it simple for your clients to use NAT since they will
        automatically use the NAT server’s IP address as their gateway to the Internet
    l   Name Resolution – there are two options here:
            ¡ To resolve IP addresses for clients by using DNS. To quote Dan Charbonneau from his 70-216
               CBT Nuggets, this does not enable an actual DNS server, but a “virtual” one
            ¡ To use a demand-dial interface, where needed, for name resolution. There is also a
               drop-down box to select the demand-dial interface, such as a connection to an ISP
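The two translation modes described under “NAT Background” (one registered address: every host shares it and each session gets its own port; several registered addresses: address translation only) and the idle timeouts on the Translation tab above are easier to see with a small model. The following Python is an added example written for this guide, not Windows 2000 code; the 203.0.113.x registered addresses, the 192.168.0.x hosts and the starting port 1025 are constructed values, and the timeouts are the tab’s defaults (1440 minutes TCP, 1 minute UDP).

```python
import itertools
from dataclasses import dataclass

# Idle timeouts as shown on the NAT Properties Translation tab: TCP 1440 minutes, UDP 1 minute.
TCP_IDLE_SECONDS = 1440 * 60
UDP_IDLE_SECONDS = 1 * 60
FIRST_TRANSLATED_PORT = 1025  # constructed starting port for translated sessions


@dataclass
class Mapping:
    proto: str
    private_addr: str
    private_port: int
    public_addr: str
    public_port: int
    last_seen: float  # seconds on any monotonic clock


class NatTable:
    """Model of the NAT table: one registered address means address+port
    translation; several registered addresses means address translation only."""

    def __init__(self, public_addrs):
        self.public_addrs = list(public_addrs)
        self.mappings = {}    # (proto, private_addr, private_port) -> Mapping
        self.host_addr = {}   # private host -> registered address (multi-address mode)
        self._ports = itertools.count(FIRST_TRANSLATED_PORT)

    def outbound(self, proto, private_addr, private_port, now):
        """Translate a packet leaving the private network; returns (public_addr, public_port)."""
        self.expire(now)
        key = (proto, private_addr, private_port)
        m = self.mappings.get(key)
        if m is None:
            if len(self.public_addrs) == 1:
                # Single registered address: all hosts share it, each session gets its own port.
                public_addr, public_port = self.public_addrs[0], next(self._ports)
            else:
                # Several registered addresses: one per host, the source port is kept.
                public_addr, public_port = self._address_for(private_addr), private_port
            m = Mapping(proto, private_addr, private_port, public_addr, public_port, now)
            self.mappings[key] = m
        m.last_seen = now
        return (m.public_addr, m.public_port)

    def inbound(self, proto, public_addr, public_port, now):
        """Reverse lookup for a reply; None means no live mapping, so the packet is dropped."""
        self.expire(now)
        for m in self.mappings.values():
            if (m.proto, m.public_addr, m.public_port) == (proto, public_addr, public_port):
                m.last_seen = now
                return (m.private_addr, m.private_port)
        return None

    def expire(self, now):
        """Drop mappings idle longer than the TCP or UDP timeout."""
        for key, m in list(self.mappings.items()):
            limit = TCP_IDLE_SECONDS if m.proto == "tcp" else UDP_IDLE_SECONDS
            if now - m.last_seen > limit:
                del self.mappings[key]

    def _address_for(self, private_addr):
        if private_addr not in self.host_addr:
            in_use = set(self.host_addr.values())
            free = [a for a in self.public_addrs if a not in in_use]
            if not free:
                raise RuntimeError("registered address pool exhausted")
            self.host_addr[private_addr] = free[0]
        return self.host_addr[private_addr]


if __name__ == "__main__":
    nat = NatTable(["203.0.113.10"])
    print(nat.outbound("tcp", "192.168.0.5", 40000, 0))   # shared address, new port
    print(nat.outbound("udp", "192.168.0.5", 5000, 0))
    print(nat.inbound("udp", "203.0.113.10", 1026, 120))  # UDP mapping idle > 1 minute: dropped
```

The inbound lookup is the part that matters for the “security” benefit listed earlier: an unsolicited packet from the Internet finds no mapping and is discarded, and a UDP mapping disappears after one idle minute while a TCP one lingers for a day, which is why long TCP idle timeouts deserve a look on a busy NAT server.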

Configure NAT interfaces
NAT refers to two types of interfaces: Public, the connection to the Internet (this requires configuration); and
Private, the local network (this requires no configuration).

To configure NAT interfaces, do the following:

    l   Run Routing and Remote Access, right-click Network Address Translation (NAT) and choose New
    l   Choose the interface (e.g., Local Area Connection)
    l   From the General tab, select Private interface ... to enable the private interface and Public
        interface ... to further configure the Internet connection. Microsoft recommends also enabling the
        translation of TCP/UDP headers even when you have more than one registered IP address. This
        setting is required if you have only one registered IP address
    l   From the Address Pool tab, select the public addresses provided by your ISP as well as make
        reservations for addresses to be used by specific local computers
    l   From the Special Ports tab, if required, map a protocol’s (TCP by default) public ports and addresses
        to private ports and addresses. You could use this, for example, to allow inbound sessions to access a
        web server on your local network

Monitoring NAT Mappings

The right pane of the Network Address Translation (NAT) item of Routing and Remote Access tracks
mappings and inbound and outbound packet counts for both the public and private interfaces.
Right-clicking on the public interface and selecting Show Mappings, lists the mappings present at that given

Installing, Configuring, Managing, Monitoring, and
Troubleshooting Certificate Services
PKI Background

The Public Key Infrastructure (PKI) provides security for conversations between computers. PKI relies on
these components to achieve its purpose:

    l   Digital signature (certificate) – like a person’s cursive signature, this verifies that a message is
        actually from the stated source. In a networking computer environment, users, computers, routers and
        organizations can use digital certificates to certify their identities. Certificates thus provide
    l   Encryption – like the snapping lid on a bottle of Ketchup verifies that the tasty red contents have not
        been tampered with, encryption verifies that the message has not been corrupted or viewed.
        Encryption thus provides privacy as well as integrity to the communicating entities

Install and configure Certificate Authority (CA)

Certificate Authority

A Certificate Authority (CA) issues certificates. In addition to commercial companies such as VeriSign, a
Windows 2000 system can also be configured to issue certificates and to verify that an existing certificate is
legitimate and belongs to the entity it says it is from. Before issuing a certificate, a CA must validate that the
applicant is who she says she is.

Here are some preliminary items to know and iron out before installing a CA in Windows 2000:

    l   Reconsider installing a CA on a Domain Controller as this could result in an overly busy system
    l   Ensure you’re happy with the computer name: it can’t be renamed after loading Certificate Services nor
        can it join or leave a domain
    l   Have a unique CA name handy for each CA in your enterprise


A certificate is an electronic container, which, in a Windows 2000 environment, holds the following:

    l   User’s Name
    l   User’s Public Key
    l   Serial number
    l   Expiration date
    l   Certificate Information
    l   Information on the issuing CA

This information forms a digital identifier for the user it is associated with. Two keys are used: a public key,
which can be obtained from the CA and a private key, which resides with the user. The public key encrypts a
message while the private key decrypts it. Active Directory Group Policy provides the ability to both publish
and revoke certificates to a user’s account.

A certificate has a validity period, by default, 2 years. After this period, the certificate expires and the CA
must then renew the certificate.

Certificates can be used to provide security for various situations such as email transmissions, web-based
SSL financial transactions and smart card authentications.

Windows 2000 CAs

There are two main types of Windows 2000 CAs, each of which can be a Root or Subordinate:

  1. Enterprise –
            ¡Requires a Windows 2000 server for installation
            ¡Integrates with Active Directory – certificates and Certificate Revocation Lists (CRLs) are
             published in AD. Moreover, certificates can be issued only to objects in the Active Directory
             forest. Use a Standalone CA for objects outside of the forest
           ¡ Install an Enterprise Root CA before all other CAs since they rely on the Root CA to certify
             them. Also, the server that is to hold the Enterprise Root CA needs its computer account in the
             Cert Publishers group. The installation has to be done by an administrator in the Enterprise
             Admin group
           ¡ Automatically approves certificates – based on user account and group account information and
             certificate template information
           ¡ Works with smart cards (to accomplish a smart card login, the user must place the card into a
             reader and enter a pin – there is no need to enter a user name and password)
           ¡ Should have some fault tolerance built in such as regularly scheduled backups

           ¡ Its associated server name becomes part of the certificates it manages thus you can’t change
             the server name after installing Certificate Services
           ¡ Doesn’t require the person requesting a certificate to supply all identifying information about her
             since this information is apparent based on the user’s logon account. Moreover, the certificate
             type is based on the certificate template
  2.    Standalone – limit use to providing certificates to external users
           ¡ Doesn’t require Active Directory

           ¡ Supports S/MIME (secure email), Secure Sockets Layer (SSL) and Transport Layer Security
           ¡ Works with external networks (extranets)
           ¡ Holds requests for certificates in a Pending Queue for later (manual) approval by a CA
             administrator and thus does not immediately grant certificates
           ¡ Requires person requesting a certificate to supply all identifying information about herself as
             well as the type of desired certificate
           ¡ Doesn’t use certificate templates

CA Hierarchy

A Root CA is at the top of a hierarchy of CAs and is self-certified. It should be highly secured and, if possible,
taken offline to protect its certificate and keys. This way, if a child CA gets “compromised”, the child can be
disabled and the overall CA hierarchy is still intact; i.e., the Root CA still contains a clean list of certificates. It
communicates with either issuing or intermediate CAs. A Subordinate CA is either an Intermediate or
Issuing CA that must communicate with an intermediate or root CA to obtain information about certificates.
Moreover a parent CA certifies a subordinate (“child”) CA. A Certification Path is the trust chain from the
certificate all the way up to the Root CA. Before the Certification Path works, the certificate of the Root CA
must be placed in the Trusted Root Certification Authorities store. For security reasons, a Subordinate CA
cannot have a certificate expire after a certificate higher up in the hierarchy expires.

The benefits of a Windows 2000 CA hierarchy include:

    l   Ability to work with non-Windows 2000 CAs and other organization’s CA hierarchies
    l   Ability to scale your CA network
    l   Ability to have a CA at both ends of a WAN link
    l   Ability to tightly secure the root CA while being more lenient with the subordinate CAs
    l   Ability to revoke a single CA without revoking other CAs
    l   Ability to assign particular roles to different CAs (e.g., one CA can look after secure email while another
        can handle smart card authentication)
    l   Ability to have different administrators control certificate publication and revocation via group policies

Installing a CA

A CA can be installed by upgrading from Certificate Server 1.0 (KB# Q246535), during Windows 2000
installation (including unattended), and after a Windows 2000 installation.

In terms of a new installation, add Certificate Services via the Add/Remove Programs (Add/Remove
Windows Components) program in the Control Panel.

The following items must be selected to complete the installation wizard:

    l   Certification Authority type

    l   Advanced Options –
           ¡ CSP (Cryptographic Service Provider) – key generation; default: Microsoft Base
              Cryptographic Provider 1.0. Since this default has a relatively short key, avoid using this choice
              for a Root CA
           ¡ Key Length – a longer key means a more secure key
           ¡ Hash Algorithm – default is the 160 bit Secure Hash Algorithm-1 (SHA-1). Others include MD4
              and MD5
           ¡ Use existing keys – options to view and import certificates

    l   CA Identifying Information:
Note: If you make the certificate valid for longer than 2 years, consider using a longer key length as well.
Otherwise, you are giving crackers a longer time to solve a shorter key.

    l   Data Storage Location:
             ¡ Location of database and database log – default: c:\winnt\system32\certlog

             ¡ Shared Folder – shared CA data location for CAs not working with Active Directory

    l   CA Certificate Request – this step applies when setting up an Enterprise Subordinate CA. When
        setting up a Standalone CA, the CA generates its own certificate
             ¡ You can either send a certificate request to a Computer name or Parent CA , or you can save

               the request to a file
    l   Before the configuration completes, you are warned that IIS, if running, will be stopped

When upgrading Windows NT, which is running Certificate Server 1.0, to Windows 2000, Certificate Services
is automatically upgraded; however, you will have to import the old style CA database as follows.

    l   Stop the Certificate Services service via the Services MMC
    l   From a command prompt, run certutil convertmdb
    l   From the Services MMC, start the Certificate Services service

Administrative Tools

The Certification Authority program resides in the Administrative Tools folder.
Renewing a Certificate

You may have to renew a certificate when the “lifetime of your certificate you are currently issuing is reduced”.
To do this, run Certificate Authority, from Administrative Tools, choose the CA, and select Action -> All
Tasks -> Renew CA Certificate from the menu. You can then choose whether or not to generate a new
public and private key pair.

Backing up a CA

There are two ways to back up a CA. The first way is via the regular system backup command (Start ->
Programs -> Accessories -> System Tools -> Backup). By choosing to back up the System State data you
will back up the CA.

The other way is via the Certificate Authority program.

Making CRL Available on Another Server

To protect your root CA, you should plan to take it offline and let its subordinate CAs issue certificates to other
subordinates and to users. Before taking the root CA offline, however, you should take some measures to
ensure that the Certification Revocation List is still available. The CRL is used by entities to see whether or
not a certificate is still valid. As administrator, you can configure how often the CRL is published (default is
one week) and trigger a publication (by right-clicking on the Revoked Certificates folder in Certificate
Authority program, and selecting Publish from All Tasks).

The following dialog shows where the CRL is located physically on the hard drive.

The CRL Distribution Point (CDP) field of a certificate records the location of the CRL while the Authority
Information Access (AIA) field lists where the certificates for a CA are located. You reach the following
dialog from Certification Authority -> Properties of the server -> Policy Module -> Configure.

The following article describes how to make the CRL available while the root CA is offline. (KB# Q271386)
Issue and revoke certificates
Before a CA issues a certificate, a request must first be made. In some cases, this process is automatic (e.g.,
a smart card logon to a domain), while in other cases user interaction is required.

Requesting a Certificate

Here are a couple of methods to manually request a certificate:


Run the Certificates MMC and select Certificates -> Personal -> All Tasks -> Request New Certificate.
You are then presented with a certificate template (i.e. policy) choice.

These templates control the issuing of a certificate and may include additional choices than those shown in
the dialog in the case you’ve added more functionality such as a smart card. Lastly, you assign a friendly
name and description. If the certificate is granted to a user, the user can cancel, install or view the
certificate. This method of requesting a certificate works only with an Enterprise CA.

The other way is via the Certificate Services Web Page, which is accessible through
http://servername/certsrv, where servername is the name of the server hosting Certificate Services. From this
page, you can choose to Request a certificate. This works with a Standalone or Enterprise CA.

Issuing a Certificate

An Enterprise CA will either grant or refuse to grant a certificate request. In the case of a grant, the requesting
user is asked to install the certificate. On the other hand, a Standalone CA will place the request in a pending
state so that an administrator can later deal with it. One advantage of requesting a certificate from an
Enterprise CA is that the user gets an automatic response as to the success of the request. To check for a
pending certificate, load http://servername/certsrv and select Check on a pending certificate. You will be
presented with a list of certificates in one of these states: denied, issued or pending.

Mapping Certificates

For networks with huge numbers of accounts, it may make sense to map certificates to user accounts. Then,
instead of users supplying passwords, the certificate mapped to the user account is used to authenticate the
user. Mapping is accomplished when using an Enterprise CA by including a user’s Active Directory Principal
Name in a new certificate. Generally one-to-one mapping (between certificates and users) is sufficient, but
some situations require many-to-one mappings. For example, a user from another company that just merged
with yours needs a new account plus his account. His two accounts will thus map to one certificate.
Revoking a Certificate

You may have to revoke a certificate in situations where an employee leaves a company, you suspect a
private key has been compromised, or you accidentally issued a certificate when you did not mean to.
Revoked certificates are published in the Certification Revocation List (CRL).

A certificate is revoked from the Certification Authority program by selecting the certificate and choosing
Revoke Certification. You will be asked why you are revoking the certificate (e.g., Superseded, CA
Compromised, etc.). If you revoke a certificate for a subordinate CA, you effectively disable that CA. This is
handy if you want to disable a child CA for some reason.
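The rules in the “CA Hierarchy” section (the certification path must end at a root in the Trusted Root Certification Authorities store, and a subordinate cannot expire after the certificate above it) and the revocation rules in this section (a revoked serial appears in the issuing CA’s CRL; revoking a subordinate CA’s certificate disables that CA) can be checked mechanically. The following Python is an added example, not Windows 2000 or Certificate Services code: the CA names, serial numbers, dates and revocation reasons are constructed, and signatures are modelled only by issuer/subject links, since the point here is the path, expiry and CRL logic rather than the cryptography.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # subject of the signing CA; a self-certified root is its own issuer
    serial: int
    not_after: date  # expiration date


# Constructed hierarchy: an offline root, one issuing (subordinate) CA and three user certificates.
ROOT = Cert("Example Root CA", "Example Root CA", 1, date(2030, 1, 1))
SUB = Cert("Example Issuing CA", "Example Root CA", 2, date(2028, 1, 1))
ALICE = Cert("alice", "Example Issuing CA", 100, date(2026, 6, 1))
BOB = Cert("bob", "Example Issuing CA", 101, date(2029, 1, 1))    # outlives its issuer
CAROL = Cert("carol", "Example Issuing CA", 102, date(2026, 6, 1))

CERTS = {c.subject: c for c in (ROOT, SUB, ALICE, BOB, CAROL)}
TRUSTED_ROOTS = {"Example Root CA"}   # the Trusted Root Certification Authorities store
# CRLs keyed by issuing CA: serial -> revocation reason (constructed)
CRLS = {"Example Issuing CA": {102: "Key Compromise"}, "Example Root CA": {}}


def certification_path(cert, certs):
    """Follow issuer links from cert up to a self-certified root; None if the chain is broken."""
    path = [cert]
    while path[-1].issuer != path[-1].subject:
        parent = certs.get(path[-1].issuer)
        if parent is None or parent in path:
            return None
        path.append(parent)
    return path


def validate(cert, certs, trusted_roots, crls, today):
    """Return (ok, reason) for cert on the given date, checking every link of the path."""
    path = certification_path(cert, certs)
    if path is None:
        return (False, "incomplete certification path")
    if path[-1].subject not in trusted_roots:
        return (False, "root CA not in Trusted Root Certification Authorities store")
    for i, c in enumerate(path):
        if c.not_after < today:
            return (False, f"{c.subject} expired on {c.not_after}")
        # A subordinate may not outlive the certificate above it in the hierarchy.
        if i + 1 < len(path) and c.not_after > path[i + 1].not_after:
            return (False, f"{c.subject} expires after its issuer {path[i + 1].subject}")
        reason = crls.get(c.issuer, {}).get(c.serial)
        if reason is not None:
            return (False, f"{c.subject} revoked: {reason}")
    return (True, "valid")


def revoke(crls, ca_subject, serial, reason):
    """Publish a revocation in the CA's CRL. Revoking a subordinate CA's own
    certificate (held in the parent's CRL) fails every certificate it issued."""
    crls.setdefault(ca_subject, {})[serial] = reason
    return crls


if __name__ == "__main__":
    today = date(2025, 1, 1)
    for c in (ALICE, BOB, CAROL):
        print(c.subject, validate(c, CERTS, TRUSTED_ROOTS, CRLS, today))
    revoke(CRLS, "Example Root CA", SUB.serial, "CA Compromise")
    print("after revoking the issuing CA:", validate(ALICE, CERTS, TRUSTED_ROOTS, CRLS, today))
```

Note that the check fails closed: an unreachable CRL is not modelled here, but a real verifier that cannot fetch the CRL from the CDP should treat the certificate as unverifiable, which is why the earlier section insists on keeping the CRL available before the root CA goes offline.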

Remove the Encrypting File System (EFS) recovery keys
Windows 2000 uses the Encrypting File System (EFS) to protect data that resides on a computer’s hard
drive. For details on EFS, please see the EFS section in the Windows 2000 Professional Cramsession and
see the EFS for Windows 2000 technical overview .

Removing EFS Recovery Keys

In case there is a threat that the user name and password can be guessed, it is a good idea to remove the
EFS key from the computer and store it elsewhere, such as on a floppy disk. This procedure is useful for
traveling salespeople who wish to protect their laptop data when using airports – high risks areas for stolen

To do this, run the Certificates MMC and select Certificates -> Personal -> Certificates. Right -click the
certificate, and choose All Tasks -> Export . The Certificate Export Wizard asks for the following settings:

You will also have to supply a password (don’t forget it or you won’t be able to access your data) to protect
the exported file. As well, you must supply the export file name and location.
(KB# Q223316)

Importing EFS Recovery Keys

When you need to access encrypted files for a system on which you have exported the EFS recovery keys,
you will first have to import the keys. You follow the same steps as listed in the “Removing EFS Recovery
Keys” section but instead choose All Tasks -> Import. You will have to supply the export file, a password and
where you want the certificate to reside (i.e., the certificate store).

Recovery Agent

Recovery agents are specialized accounts that have recovery agent certificates assigned to them. Use these
accounts only in cases where a user is unable to decrypt a file.

(KB# Q230490)

BrainBuzz IT Resources Reference Material:

Windows 2000 Certificate Services (includes descriptions of these three command line utilities: certutil.exe,
certreq.exe and certsrv.exe)

Certificate Services in W2K