The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the
Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and
select Startup.
When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup
function or if it later malfunctions, you must run the compatibility mode function. This is accomplished
by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting
the previously supported operating system.
3. If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server
2003.
Start –> Control Panel –> Network and Internet Connections –> Network Connections.
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
Active Directory is a network-based object store and service that locates and manages resources, and
makes these resources available to authorized users and groups. An underlying principle of the Active
Directory is that everything is considered an object—people, servers, workstations, printers, documents,
and devices. Each object has certain attributes and its own security access control list (ACL).
7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC)
in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
8. How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account
passwords, and modifications to the Local Security Authority (LSA).
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an
existing DC to update the directory and replicate from the DC the required portions of the directory. If
the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix
the problem. In order to be located on a network, every DC must register in DNS DC locator DNS
records. The Active Directory Installation Wizard verifies a proper configuration of the DNS
infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory
Installation Wizard.
Organizations that operate on radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations
merge or are acquired and naming continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately defined tree can enforce more
direct administrative and security restrictions.
11. How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote
access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside
the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user
principal name (UPN) credentials.
1. Describe how the DHCP lease is obtained. It’s a four-step process consisting of (a) IP request, (b) IP
offer, (c) IP selection and (d) acknowledgement.
2. I can’t seem to access the Internet, don’t have any access to the corporate network and on ipconfig
my address is 169.254.*.*. What happened? The 169.254.*.* netmask is assigned to Windows machines
running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA
(Automatic Private Internet Protocol Addressing).
3. We’ve installed a new Windows-based DHCP server, however, the users do not seem to be getting
DHCP leases off of it. The server must be authorized first with the Active Directory.
4. How can you force the client to give up the DHCP lease if you have access to the client PC? ipconfig
/release
5. What authentication options do Windows 2000 Servers have for remote clients? PAP, SPAP, CHAP,
MS-CHAP and EAP.
6. What are the networking protocol options for the Windows clients if for some reason you do not want
to use TCP/IP? NWLink (Novell), NetBEUI, AppleTalk (Apple).
7. What is the data link layer in the OSI reference model responsible for? The data link layer is located
above the physical layer, but below the network layer. It takes raw data bits and packages them into
frames. The network layer will be responsible for addressing the frames, while the physical layer is
responsible for retrieving and sending raw data bits.
8. What is binding order? The order by which the network protocols are used for client-server
communications. The most frequently used protocols should be at the top.
9. How do cryptography-based keys ensure the validity of data transferred across the network? Each IP
packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting
ends, the data was modified or corrupted.
10. Should we deploy IPSEC-based security or certificate-based security? They are really two different
technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets.
Certificate-based security ensures the validity of authenticated clients and servers.
11. What is the LMHOSTS file? It’s a file stored on a host machine that is used to resolve NetBIOS names to
specific IP addresses.
12. What’s the difference between forward lookup and reverse lookup in DNS? Forward lookup is name-
to-address, the reverse lookup is address-to-name.
13. How can you recover a file encrypted using EFS? Use the domain recovery agent.
1. What’s the difference between local, global and universal groups? Domain local groups assign access
permissions to global domain groups for local domain resources. Global groups provide access to
resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in
native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be
promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It’s the group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority
among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has
the highest priority? The computer settings take priority.
9. You want to set up remote installation procedure, but do not want the user to gain access over it.
What do you do? gponame –> User Configuration –> Windows Settings –> Remote Installation Services –>
Choice Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
11. How can you restrict running certain applications on a machine? Via group policy, security settings
for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text
file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer? The former has fewer
privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group
Policy in Windows Server 2003 determines a user’s right to modify network and dial-up TCP/IP
properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block
inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored
in maintained portions of the Registry. If the group policy is removed or changed, the user preference
will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates -
System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for
users, particularly those who move between workstations or those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no
security over locally logged-on users. Only native NTFS provides extensive permission control on both
remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not
inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves
simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My
Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way
to start would be to type the full path of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least
one group has Allow permission for the file/folder, user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least
one group has Deny permission for the file/folder, user will be denied access, regardless of other group
permissions.
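As an added illustration of the two rules in questions 26 and 27 (this is not code from the original post): a small Python model of how Allow entries accumulate across a user's groups while any matching Deny removes the right. It models only the rule as stated here, not the full NTFS ACE ordering, and the groups and ACL below are constructed sample data.

```python
from enum import Flag, auto


class Access(Flag):
    """Subset of NTFS rights used in the model."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    MODIFY = auto()


# Constructed sample ACL: (principal, kind, rights). A real ACL would be
# read from the folder's security descriptor.
SAMPLE_ACL = [
    ("Sales",       "allow", Access.READ),
    ("Engineers",   "allow", Access.READ | Access.WRITE),
    ("Contractors", "deny",  Access.WRITE),
    ("Auditors",    "allow", Access.MODIFY),
]


def effective_access(principals, acl):
    """principals: the user's own name plus every group they belong to.

    Returns (effective rights, explanation lines). Allows from every
    matching entry are unioned (permissive); a Deny from any matching entry
    then strips that right regardless of the Allows (restrictive)."""
    allowed = Access.NONE
    denied = Access.NONE
    notes = []
    for principal, kind, rights in acl:
        if principal not in principals:
            continue  # entry does not apply to this user
        if kind == "allow":
            allowed |= rights
            notes.append(f"{principal} allows {rights}")
        elif kind == "deny":
            denied |= rights
            notes.append(f"{principal} denies {rights}")
        else:
            raise ValueError(f"unknown ACE kind {kind!r}")
    return allowed & ~denied, notes
```

The explanation list is what you want when auditing "why can this account still write here": it names the group entry that granted or denied each right.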
28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON,
print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System)
installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a
shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated
to other domain controllers. Thus, redundant root nodes may include multiple connections to the same
data residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC
path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition
Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file
at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one
file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a
standalone one.
35. Is Kerberos encryption symmetric or asymmetric?
36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp
is attached to the initial client request, encrypted with the shared key.
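The timestamp defence described in question 36, as an added Python example that is not part of the original post: the client binds the current time to its initial request under the key it shares with the server, and the server rejects requests whose timestamp is outside the clock-skew window or has already been seen. HMAC-SHA256 stands in for encryption under the shared key (an assumption of this demo, not Kerberos's actual wire format); the client names and keys are constructed.

```python
import hashlib
import hmac
import struct

MAX_SKEW_SECONDS = 300   # five minutes, the usual Kerberos tolerance


def make_request(shared_key, client_name, now):
    """Client side: bind the current time to the request under the shared key.
    HMAC is used here in place of encryption (demo assumption)."""
    ts = struct.pack("!Q", int(now))
    tag = hmac.new(shared_key, client_name + ts, hashlib.sha256).digest()
    return client_name + ts + tag


class ReplayGuard:
    """Server side: holds the shared keys and a cache of accepted timestamps."""

    def __init__(self, shared_keys):
        self.keys = shared_keys        # {client_name: key}
        self.seen = {}                 # (client, ts) -> ts, the replay cache

    def check(self, request, now):
        """Return 'ok' or the reason the request is rejected."""
        if len(request) <= 40:
            return "malformed"
        client, ts_bytes, tag = request[:-40], request[-40:-32], request[-32:]
        key = self.keys.get(client)
        if key is None:
            return "unknown client"
        expected = hmac.new(key, client + ts_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad key"       # not bound under the key we share with this client
        ts = struct.unpack("!Q", ts_bytes)[0]
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"         # outside the clock-skew window
        self._purge(now)
        if (client, ts) in self.seen:
            return "replay"        # the same request presented a second time
        self.seen[(client, ts)] = ts
        return "ok"

    def _purge(self, now):
        # Entries older than the skew window can never be accepted again,
        # so the cache only has to remember one window's worth of requests.
        expired = [k for k, t in self.seen.items() if now - t > MAX_SKEW_SECONDS]
        for k in expired:
            del self.seen[k]
```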
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5
(MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server
2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange
CA certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited.
Remember, though, that it’s the Administrator account, not any account that’s part of the
Administrators group.
40. If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it
possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a
dictionary attack by hashing every imaginable term used for password and then compare the hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in
Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History
Remembered"? User’s last 6 passwords.
A. General
1. What is DHCP?
DHCP stands for "Dynamic Host Configuration Protocol".
2. What is DHCP's purpose?
DHCP's purpose is to enable individual computers on an IP network to extract their configurations from
a server (the 'DHCP server') or servers, in particular, servers that have no exact information about the
individual computers until they request the information. The overall purpose of this is to reduce the
work necessary to administer a large IP network. The most significant piece of information distributed in
this manner is the IP address.
3. Can DHCP work with Appletalk or IPX?
No, it is too tied to IP. Furthermore, they don't need it since they have always had automated
mechanisms for assigning their own network addresses.
4. Who Created It? How Was It Created?
DHCP was created by the Dynamic Host Configuration Working Group of the Internet Engineering Task
Force (IETF; a volunteer organization which defines protocols for use on the Internet). As such, its
definition is recorded in an Internet RFC and the Internet Activities Board (IAB) is asserting its status as
to Internet Standardization. As of this writing (June 1998), DHCP is an Internet Draft Standard Protocol
and is Elective. BOOTP is an Internet Draft Standard Protocol and is Recommended. For more
information on Internet standardization, see RFC2300 (May 1998)
5. How is it different than BOOTP or RARP?
DHCP is based on BOOTP and maintains some backward compatibility. The main difference is that
BOOTP was designed for manual pre-configuration of the host information in a server database, while
DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts.
Additionally, DHCP allows for recovery and reallocation of network addresses through a leasing
mechanism.
RARP is a protocol used by Sun and other vendors that allows a computer to find out its own IP number,
which is one of the protocol parameters typically passed to the client system by DHCP or BOOTP. RARP
doesn't support other parameters and using it, a server can only serve a single LAN. DHCP and BOOTP
are designed so they can be routed.
6. How is it different than VLANs?
DHCP and VLANs, which are very different in concept, are sometimes cited as different solutions to the
same problem. While they have a goal in common (easing moves of networked computers), VLANs
represent a more revolutionary change to a LAN than DHCP. A DHCP server and forwarding agents can
allow you to set things up so that you can unplug a client computer from one network or subnet and
plug it into another and have it come alive immediately, it having been reconfigured automatically. In
conjunction with Dynamic DNS, it could automatically be given its same name in its new place. VLAN-capable
LAN equipment with dynamic VLAN assignment allows you to configure things so a client
computer can be plugged into any port and have the same IP number (as well as name) and be on the
same subnet. The VLAN-capable network either has its own configuration that lists which MAC
addresses are to belong to each VLAN, or it makes the determination from the source IP address of the
IP packets that the client computer sends. Some differences in the two approaches:
DHCP handles changes by reconfiguring the client while a VLAN-capable network handles it by
reconfiguring the network port the client is moved to.
DHCP dynamic reconfiguration requires a DHCP server, forwarding agent in each router, and DHCP
capability in each client's TCP/IP support. The analogous capability in VLANs requires that all hubs
throughout the network be VLAN-capable, supporting the same VLAN scheme. To this point VLAN
support is proprietary with no vendor interoperability, but standards are being developed.
DHCP can configure a new client computer for you while a VLAN-capable network can't.
DHCP is generally aimed at giving "easy moves" capability to networks that are divided into subnets
on a geographical basis, or on separate networks. VLANs are generally aimed at allowing you to set up
subnets on some basis other than geographical, e.g. instead of putting everyone in one office on the
same subnet, putting each person on a subnet that has access to the servers that that person requires.
There is an issue with trying to use DHCP (or BOOTP) and VLANs at the same time, in particular, with the
scheme by which the VLAN-capable network determines the client's VLAN based upon the client
computer's source IP address. Doing so assumes the client computer is already configured, which
precludes the use of network to get the configuration information from a DHCP or BOOTP server.
7. What protocol and port does DHCP use?
DHCP, like BOOTP runs over UDP, utilizing ports 67 and 68.
8. What is an IP address?
An IP address (also called an IP number) is a number (typically written as four numbers separated by
periods, i.e. 107.4.1.3 or 84.2.1.111) which uniquely identifies a computer that is making use of the
Internet. It is analogous to your telephone number in that the telephone number is used by the
telephone network to direct calls to you. The IP address is used by the Internet to direct data to your
computer, e.g. the data your web browser retrieves and displays when you surf the net. One task of
DHCP is to assist in the problem of getting a functional and unique IP number into the hands of the
computers that make use of the Internet.
9. What is a MAC address?
A MAC address (also called an Ethernet address or an IEEE MAC address) is a number (typically written
as twelve hexadecimal digits, 0 through 9 and A through F, or as six hexadecimal numbers separated by
periods or colons, i.e. 0080002012ef, 0:80:0:2:20:ef) which uniquely identifies a computer that has an
Ethernet interface. Unlike the IP number, it includes no indication of where your computer is located. In
DHCP's typical use, the server uses a requesting computer's MAC address to uniquely identify it.
10. What is a DHCP lease?
A DHCP lease is the amount of time that the DHCP server grants to the DHCP client permission to use a
particular IP address. A typical server allows its administrator to set the lease time.
11. What is a Client ID?
What is termed the Client ID for the purposes of the DHCP protocol is whatever is used by the protocol
to identify the client computer. By default, DHCP implementations typically employ the client's MAC
address for this purpose, but the DHCP protocol allows other options. Some DHCP implementations
have a setup option to specify the client ID you want. One alternative to the MAC address is simply a
character string of your choice. In any case, in order for DHCP to function, you must be certain that no
other client is using the client ID you choose, and you must be sure the DHCP server will accept it.
12. Why shouldn't clients assign IP numbers without the use of a server?
It is theoretically possible to develop software for client-machines that finds an unused address by
picking them out of the blue and broadcasting a request of all the other client machines to see if they
are using them. Appletalk is designed around this idea, and Apple's MacTCP can be configured to do this
for IP. However, this method of IP address assignment has disadvantages.
1. A computer that needs a permanently-assigned IP number might be turned off and lose its number to
a machine coming up. This has problems both for finding services and for security.
2. A network might be temporarily divided into two non-communicating networks while a network
component is not functioning. During this time, two different client-machines might end up claiming the
same IP number. When the network comes back, they start malfunctioning.
3. If such dynamic assignment is to be confined to ranges of IP addresses, then the ranges are configured
in each desktop machine rather than being centrally administered. This can lead both to hidden
configuration errors and to difficulty in changing the range. Another problem with the use of such
ranges is keeping it easy to move a computer from one subnet to another.
13. Can DHCP support statically defined addresses?
Yes. At least there is nothing in the protocol to preclude this and one expects it to be a feature of any
DHCP server. This is really a server matter and the client should work either way. The RFC refers to this
as manual allocation.
14. How does DHCP and BOOTP handle multiple subnets?
For the situations where there is more than one LAN, each with its own subnet number, there are two
ways. First, you can set up a separate server on each subnet. Second, some routers have a feature known
as "BOOTP forwarding" that forwards DHCP or BOOTP requests to a server on another subnet and
forwards the replies back to the client. The part of such a router (or server acting as a router) that does
this is called a "BOOTP forwarding agent". Typically you have to enable it on the interface to the subnet
to be served and have to configure it with the IP address of the DHCP or BOOTP server. On a Cisco
router, the address is known as the "UDP Helper Address".
15. Can a BOOTP client boot from a DHCP server?
Only if the DHCP server is specifically written to also handle BOOTP queries.
16. Can a DHCP client boot from a BOOTP server?
Only if the DHCP client were specifically written to make use of the answer from a BOOTP server. It
would presumably treat a BOOTP reply as an unending lease on the IP address.
In particular, the TCP/IP stack included with Windows 95 does not have this capability.
17. Is a DHCP server "supposed to" be able to support a BOOTP client?
The RFC on such interoperability (1534) is clear: "In summary, a DHCP server: ... MAY support BOOTP
clients," (section 2). The word "MAY" indicates such support, however useful, is left as an option.
A source of confusion on this point is the following statement in section 1.5 of RFC 1541: "DHCP must
provide service to existing BOOTP clients." However, this statement is one in a list of "general design
goals for DHCP", i.e. what the designers of the DHCP protocol set as their own goals. It is not in a list of
requirements for DHCP servers.
18. Is a DHCP client "supposed to" be able to use a BOOTP server?
The RFC on such interoperability (1534) is clear: "A DHCP client MAY use a reply from a BOOTP server if
the configuration returned from the BOOTP server is acceptable to the DHCP client." (section 3). The
word "MAY" indicates such support, however useful, is left as an option.
19. Can a DHCP client or server make a DNS server update the client's DNS entry to match the client's
dynamically assigned address?
RFCs 2136 and 2137 indicate a way in which DNS entries can be updated dynamically. Using this requires
a DNS server that supports this feature and a DHCP server that makes use of it. The RFCs are very recent
(as of 5/97) and implementations are few. In the meantime, there are DNS and DHCP servers that
accomplish this through proprietary means.
20. Can a DHCP server back up another DHCP server?
You can have two or more servers handing out leases for different addresses. If each has a dynamic pool
accessible to the same clients, then even if one server is down, one of those clients can lease an address
from the other server.
However, without communication between the two servers to share their information on current leases,
when one server is down, any client with a lease from it will not be able to renew their lease with the
other server. Such communication is the purpose of the "server to server protocol" (see next question).
It is possible that some server vendors have addressed this issue with their own proprietary server-to-
server communication.
21. When will the server to server protocol be defined?
The DHC WG of the IETF is actively investigating the issues in inter-server communication. The protocol
should be defined "soon".
22. Is there a DHCP mailing list?
There are several:
List                       Purpose
----                       -------
dhcp-v4@bucknell.edu       General discussion: a good list for server administrators.
dhcp-bake@bucknell.edu     DHCP bakeoffs
dhcp-impl@bucknell.edu     Implementations
dhcp-serve@bucknell.edu    Server to server protocol
dhcp-dns@bucknell.edu      DNS-DHCP issues
dhcp-v6@bucknell.edu       DHCP for IPv6
The lists are run by listserv@bucknell.edu which can be used to subscribe and sign off. Archives for the
dhcp-v4 list (which used to be called the host-conf list) are stored at ftp://ftp.bucknell.edu/pub/dhcp/.
23. In a subnetted environment, how does the DHCP server discover what subnet a request has come
from?
DHCP client messages are sent to off-net servers by DHCP relay agents, which are often a part of an IP
router. The DHCP relay agent records the subnet from which the message was received in the DHCP
message header for use by the DHCP server.
Note: a DHCP relay agent is the same thing as a BOOTP relay agent, and technically speaking, the latter
phrase is correct.
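The lease exchange from question 1 of the networking list above and the relay-agent behaviour in question 23 (plus the Client ID discussion in question 11), as an added Python example that is not part of the original FAQ: it builds and parses RFC 2131 messages and shows how a server keys a lease (option 61 if present, else the hardware address) and picks the scope from giaddr when a relay forwarded the request. The MAC address, client ID and 10.x.x.x scopes are constructed sample values.

```python
"""DHCP message builder/parser (RFC 2131 fixed header plus options)."""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes, RFC 2131 figure 1
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option 53 values; 1, 2, 3, 5 are the four steps of a normal lease.
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_discover(xid, mac, client_id=None, giaddr="0.0.0.0"):
    """Build a DHCPDISCOVER as a client (or a relay) would put it on the wire.
    giaddr stays 0.0.0.0 unless a relay agent forwarded the packet."""
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,     # giaddr
        mac, b"\0" * 64, b"\0" * 128)             # chaddr, sname, file
    options = bytes([53, 1, 1])                   # message type = DISCOVER
    if client_id is not None:
        options += bytes([61, len(client_id)]) + client_id
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(packet):
    """Decode the fixed header and the TLV option area into a dict."""
    if len(packet) < HEADER_LEN + 4:
        raise ValueError("packet shorter than a DHCP header")
    f = struct.unpack_from(HEADER_FMT, packet, 0)
    hlen = f[2]
    msg = {
        "op": f[0],
        "xid": f[4],
        "giaddr": ipaddress.IPv4Address(f[10]),
        "chaddr": f[11][:hlen],
        "options": {},
    }
    pos = HEADER_LEN
    if packet[pos:pos + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP request?")
    pos += 4
    while pos < len(packet):
        code = packet[pos]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError(f"option {code} has no length byte")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        msg["options"][code] = value
        pos += 2 + length
    mtype = msg["options"].get(53)
    msg["type"] = MSG_TYPES.get(mtype[0]) if mtype else None
    return msg


def client_identity(msg):
    """Lease key: option 61 (Client ID) if the client sent one, else chaddr."""
    cid = msg["options"].get(61)
    return ("client-id", cid) if cid else ("chaddr", msg["chaddr"])


def select_scope(msg, local_subnet, scopes):
    """Which address pool to allocate from. A relayed request carries the
    relay's interface address in giaddr, which tells the server the client's
    subnet; otherwise the request arrived on the server's own LAN."""
    if int(msg["giaddr"]) == 0:
        return local_subnet
    for net in scopes:
        if msg["giaddr"] in net:
            return net
    raise LookupError(f"no scope covers relay address {msg['giaddr']}")
```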
24. If a single LAN has more than one subnet number, how can addresses be served on subnets other
than the primary one?
A single LAN might have more than one subnet number applicable to the same set of ports (broadcast
domain). Typically, one subnet is designated as primary, the others as secondary. A site may find it
necessary to support addresses on more than one subnet number associated with a single interface.
DHCP's scheme for handling this is that the server has to be configured with the necessary information
and has to support such configuration & allocation. Here are four cases a server might have to handle:
0. Dynamic allocation supported on secondary subnet numbers on the LAN to which the server is
attached.
1. Dynamic allocation supported on secondary subnet numbers on a LAN which is handled through a
DHCP/BOOTP Relay. In this case, the DHCP/BOOTP Relay sends the server a gateway address associated
with the primary subnet and the server must know what to do with it.
The other two cases are the same capabilities during manual allocation. It is possible that a particular
server-implementation can handle some of these cases, but not all of them. See section below listing the
capabilities of some servers.
25. If a physical LAN has more than one logical subnet, how can different groups of clients be allocated
addresses on different subnets?
One way to do this is to preconfigure each client with information about what group it belongs to. A
DHCP feature designed for this is the user class option. To do this, the client software must allow the
user class option to be preconfigured and the server software must support its use to control which pool
a client's address is allocated from.
26. Where is DHCP defined?
In Internet RFCs.
RFC 2131
R. Droms, "Dynamic Host Configuration Protocol", 3/97. Supersedes RFC 1541 and RFC 1531. [Note that
some of the references in this FAQ are to RFC 1541: I'll update them when I get a chance. -- Author]
RFC 1534
R. Droms, "Interoperation Between DHCP and BOOTP", 10/08/1993.
RFC 2132
S. Alexander, R. Droms, "DHCP Options and BOOTP Vendor Extensions", 3/97. Supersedes RFC 1533.
Some websites with copies of RFCs:
http://info.internet.isi.edu/1s/in-notes/rfc/
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
http://www.pmg.lcs.mit.edu/rfc.html
27. What other sources of information are available?
See the dhcp-v4 mailing list mentioned above as well as its archives.
DHCP - Dynamic Host Configuration Protocol
http://www.eg.bucknell.edu/~droms/dhcp/
Problems and Solutions of DHCP: Experiences with DHCP implementation and Operation
A. Tominaga, O. Nakamura, F. Teraoka, J. Murai. http://info.isoc.org/HMP/PAPER/127/html/paper.html
DHCP Resources
Alan Dobkin. http://NWS.CC.Emory.Edu/WebStaff/Alan/Net-Man/Computing/DHCP/
DHCP Reading Room
Eric Hall. http://www.ehsco.com/reading/dhcp.html
Internet Drafts
Internet drafts are works in progress intended to update the current RFCs or specify additional
functionality, and there are sometimes one or more drafts related to DHCP. All Internet Drafts are available
from various sites: the US East Coast site is ftp://ds.internic.net/internet-drafts/; a web site is
http://ds.internic.net/ds/dsintdrafts.html. The DHCP-related drafts currently have filenames of the form
"draft-ietf-dhc-SOMETHING". These DHCP-related drafts are also stored at
ftp://ftp.bucknell.edu/pub/dhcp/, and are available through
http://www.eg.bucknell.edu/~droms/dhcp/. I cannot be more specific about the documents because
they are by their nature temporary.
"DHCP Clients: Do They Really Work?"
Eric Hall. Network Computing, Vol. 7, No. 7, May 1, 1996, pp. 114-120. Reviews DHCP-client-function of
some popular Windows IP stacks. http://www.ehsco.com/reading/19960515ncw2.html
"The Heaven And Hell Of DHCP Servers"
Eric Hall. Network Computing, Vol. 7, No. 8, May 15, 1996, pp. 118-121. Reviews DHCP servers.
http://www.ehsco.com/reading/19960515ncw1.html
28. Can DHCP support remote access?
PPP has its own non-DHCP way, called IPCP (IP Control Protocol), in which communications servers can hand
clients an IP address, but it doesn't have the same flexibility as DHCP or BOOTP in handing out other
parameters. Such a communications server may support the use of DHCP to acquire the IP addresses it
gives out. This is sometimes called doing DHCP by proxy for the client. I know that Windows NT's remote
access support does this.
A feature of DHCP under development (DHCPinform) is a method by which a DHCP server can supply
parameters to a client that already has an IP number. With this, a PPP client could get its IP number
using IPCP, then get the rest of its parameters using this feature of DHCP.
SLIP has no standard way in which a server can hand a client an IP address, but many communications
servers support non-standard ways of doing this that can be utilized by scripts, etc. Thus, like
communications servers supporting PPP, such communications servers could also support the use of
DHCP to acquire the IP addresses they give out.
The DHCP protocol is capable of allocating an IP address to a device without an IEEE-style MAC address,
such as a computer attached through SLIP or PPP, but to do so, it makes use of a feature which may or
may not be supported by the DHCP server: the ability of the server to use something other than the
MAC address to identify the client. Communications servers that acquire IP numbers for their clients via
DHCP run into the same roadblock in that they have just one MAC address, but need to acquire more
than one IP address. One way such a communications server can get around this problem is through the
use of a set of unique pseudo-MAC addresses for the purposes of its communications with the DHCP
server. Another way (used by Shiva) is to use a different "client ID type" for your hardware address.
Client ID type 1 means you're using MAC addresses. However, client ID type 0 means an ASCII string.
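The two DHCP mechanisms discussed above, the user class option (question 25) and the client identifier types used by communications servers (question 28), both live in the options field of the DHCP message. The following is an added example, not code from the FAQ: it parses that field, decodes option 61 (client identifier, RFC 2132) and option 77 (user class, RFC 3004), and picks an address pool from the user class. The option bytes, pool ranges and client ID strings are constructed for the example. Because the user class is asserted by the client itself, the example treats it as a pool selector only, never as proof of who the client is.

```python
"""Parse a DHCP options field and use the client's user class (option 77, RFC 3004)
to choose an address pool, decoding the client identifier (option 61, RFC 2132) along
the way.  Added example; the option bytes and pool ranges below are constructed."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_USER_CLASS = 53, 61, 77


def parse_options(data: bytes) -> dict:
    """Return {code: value} for the TLV options after the magic cookie.
    Length bytes are client-supplied, so every read is bounds-checked."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


def client_identifier(opts: dict) -> tuple:
    """Decode option 61: type 1 is an Ethernet MAC; type 0 is a non-hardware
    identifier, commonly an ASCII string as the FAQ notes.  Returns (kind, text)."""
    raw = opts.get(OPT_CLIENT_ID)
    if not raw:
        return ("none", "")
    kind, body = raw[0], raw[1:]
    if kind == 1 and len(body) == 6:
        return ("mac", ":".join("%02x" % b for b in body))
    if kind == 0:
        return ("string", body.decode("ascii", "replace"))
    return ("other", body.hex())


def user_classes(opts: dict) -> list:
    """Decode option 77 as a sequence of length-prefixed class names (RFC 3004)."""
    raw, classes, i = opts.get(OPT_USER_CLASS, b""), [], 0
    while i < len(raw):
        n = raw[i]
        classes.append(raw[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return classes


# Constructed pool map for one physical LAN with several logical subnets.
POOLS = {"printers": ("192.0.2.200", "192.0.2.250"),
         "staff": ("198.51.100.10", "198.51.100.200")}
DEFAULT_POOL = ("203.0.113.10", "203.0.113.200")


def select_pool(opts: dict) -> tuple:
    """First recognised user class wins; unknown or absent classes get the default.
    The class is asserted by the client, so it selects a pool but proves nothing."""
    for c in user_classes(opts):
        if c in POOLS:
            return POOLS[c]
    return DEFAULT_POOL


def build_options(pairs) -> bytes:
    """Serialise (code, value) pairs into an options field for the constructed messages."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in pairs:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


# Constructed DHCPDISCOVER options from a printer identified by its MAC address.
DISCOVER_PRINTER = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_CLIENT_ID, b"\x01" + bytes.fromhex("0200000a0b0c")),
    (OPT_USER_CLASS, b"\x08printers"),
])
# Constructed DHCPDISCOVER from a communications server requesting on behalf of a
# PPP client, using a type 0 (string) client ID instead of its single MAC address.
DISCOVER_PPP = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_CLIENT_ID, b"\x00" + b"ras1-port07"),
])

if __name__ == "__main__":
    for pkt in (DISCOVER_PRINTER, DISCOVER_PPP):
        o = parse_options(pkt)
        print(client_identifier(o), user_classes(o), select_pool(o))
```

The parser rejects an option whose length byte points past the end of the packet rather than silently returning a short value; a server that trusts client-supplied lengths is the classic source of out-of-bounds reads in DHCP implementations.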
29. Can a client have a home address and still float?
There is nothing in the protocol to keep a client that already has a leased or permanent IP number from
getting a(nother) lease on a temporary basis on another subnet (i.e., for that laptop which is almost
always in one office, but occasionally is plugged in in a conference room or class room). Thus it is left to
the server implementation to support such a feature. I've heard that Microsoft's NT-based server can do
it.
30. How can I relay DHCP if my router does not support it?
A server on a net (subnet) can relay DHCP or BOOTP for that net. Microsoft has software to make
Windows NT do this.
31. How do I migrate my site from BOOTP to DHCP?
I don't have an answer for this, but will offer a little discussion. The answer depends a lot on what
BOOTP server you are using and how you are maintaining it. If you depend heavily on BOOTP server
software to support your existing clients, then the demand to support clients that support DHCP but not
BOOTP presents you with problems. In general, you are faced with the choice:
0. Find a server that is administered like your BOOTP server only that also serves DHCP. For example,
one popular BOOTP server, the CMU server, has been patched so that it will answer DHCP queries.
1. Run both a DHCP and a BOOTP server. It would be good if I could find out the gotchas of such a setup.
Global Catalog:
Domains and forests can also share resources available in Active Directory. These resources are searched
by the Global Catalog across domains and forests, and this search is transparent to the user. For example, if you
search for all of the printers in a forest, the search goes to a global catalog server for its query, and
the global catalog returns the results. Without a global catalog server this query would need to go to every
domain in the forest for its result.
It is important to have a global catalog on at least one domain controller because many applications use
port 3268 for searching. For example, if you do not have any global catalog servers in your network, the
Search command on the Start menu of Windows 2000/2003 cannot locate objects in Active Directory.
The global catalog is a domain controller that contains attributes for every object in the Active Directory.
By default, only members of the Schema Admins group have rights to change which attributes are
stored in the global catalog, according to the organization's requirements.
The global catalog contains:
• The commonly used attributes needed in queries, such as a user's first and last name and logon name.
• All the information or records needed to determine the location of any object in the
directory.
• A default subset of attributes for each object type.
• All the access-related permissions for every object and attribute that is stored in the global catalog.
Without permission you cannot access or view the objects. If you are searching for an object that
you do not have the appropriate permissions to view, the object will not appear in the search results.
These access permissions ensure that users can find only objects to which they have been assigned
access.
A global catalog server is a domain controller that contains a full, writable replica of its own domain
directory and a partial, read-only replica of all other domain directory partitions in the forest. Take
a user object as an example: by default, user objects have many attributes, such as first name, last name,
address, phone number, and more. The Global Catalog stores only the main attributes of user
objects used in search operations, such as a user's first name and last name or login name. This partial set
of attributes is enough for a search for that object to locate
the full replica of the object in Active Directory. A search for objects goes first to the
local global catalog, which reduces network traffic over the WAN.
Domain Controllers always contain the full attribute list for objects belonging to their domain. If the
Domain Controller is also a GC, it will also contain a partial replica of objects from all other domains in
the forest.
It is always recommended to have a global catalog server for every Active Directory site in an enterprise
network.
Microsoft global catalog
The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through
multimaster replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain
directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an
object in a different domain would require the user or application to provide the domain of the
requested object.
The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory partitions
in the forest. The additional domain directory partitions are partial because only a limited set of
attributes is included for each object. By including only the attributes that are most used for searching,
every object in every domain in even the largest forest can be represented in the database of a single
global catalog server.
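To make the difference between a plain domain controller and a global catalog server concrete, the following is an added model of the two sections above (the Global Catalog notes and the Microsoft description); it is example code, not Microsoft's implementation or any product API. It builds a constructed two-domain forest, gives a domain controller a full replica of its own domain and, when it is a global catalog, a partial replica of the other domain holding only a constructed subset of the partial attribute set, and then shows how the same search is answered on LDAP port 389 (referrals to other domains) versus port 3268 (a forest-wide hit carrying only the partial attributes). The domain names, object names and attribute subset are assumptions made for the example.

```python
"""Where an Active Directory search is answered: a domain controller on LDAP port 389
holds a full, writable replica of its own domain only, while a global catalog server
on port 3268 also holds partial, read-only replicas of every other domain in the forest.
Added model with constructed forest data; not Microsoft's implementation."""
from dataclasses import dataclass, field

LDAP_PORT, GC_PORT = 389, 3268

# Constructed subset of the partial attribute set (PAS) replicated to every global
# catalog.  In a real forest the PAS is part of the schema and edited by Schema Admins.
PARTIAL_ATTRIBUTE_SET = {"objectClass", "givenName", "sn", "sAMAccountName"}


@dataclass
class Forest:
    domains: dict = field(default_factory=dict)  # domain DN -> {object DN -> attributes}


@dataclass
class DomainController:
    forest: Forest
    domain: str                     # the one domain this DC holds a full, writable replica of
    is_global_catalog: bool = False

    def replica(self, domain: str) -> dict:
        """Full replica for the home domain; PAS-only replica of other domains on a GC."""
        objects = self.forest.domains[domain]
        if domain == self.domain:
            return objects
        if not self.is_global_catalog:
            raise LookupError(domain)       # a plain DC holds nothing for foreign domains
        return {dn: {k: v for k, v in attrs.items() if k in PARTIAL_ATTRIBUTE_SET}
                for dn, attrs in objects.items()}

    def search(self, port: int, filt: dict) -> tuple:
        """Return (hits, referrals).  hits maps DN -> attributes as this server holds
        them; referrals lists domains the caller would have to query separately."""
        if port == GC_PORT and not self.is_global_catalog:
            raise ConnectionRefusedError("port 3268 is served only by a global catalog")
        hits, referrals = {}, []
        for domain in self.forest.domains:
            if port == LDAP_PORT and domain != self.domain:
                referrals.append(domain)    # plain LDAP: other domains answered by referral
                continue
            for dn, attrs in self.replica(domain).items():
                # A filter on an attribute outside the PAS cannot match foreign objects.
                if all(attrs.get(k) == v for k, v in filt.items()):
                    hits[dn] = dict(attrs)
        return hits, referrals


# Constructed two-domain forest.
FOREST = Forest(domains={
    "DC=corp,DC=example": {
        "CN=Ann Lee,OU=Users,DC=corp,DC=example": {
            "objectClass": "user", "givenName": "Ann", "sn": "Lee", "sAMAccountName": "alee",
            "streetAddress": "1 Main St", "telephoneNumber": "555-0100"}},
    "DC=lab,DC=example": {
        "CN=Bob Ray,OU=Users,DC=lab,DC=example": {
            "objectClass": "user", "givenName": "Bob", "sn": "Ray", "sAMAccountName": "bray",
            "streetAddress": "9 Lab Rd", "telephoneNumber": "555-0199"}},
})
CORP_GC = DomainController(FOREST, "DC=corp,DC=example", is_global_catalog=True)
CORP_DC = DomainController(FOREST, "DC=corp,DC=example")

if __name__ == "__main__":
    print(CORP_GC.search(LDAP_PORT, {"sn": "Ray"}))   # no hit, referral to DC=lab,DC=example
    print(CORP_GC.search(GC_PORT, {"sn": "Ray"}))     # hit carrying PAS attributes only
```

The search for a non-PAS attribute (such as streetAddress) against port 3268 finds nothing for the foreign user, which is the behaviour the text describes: the partial replica is enough to locate the object, but the full attribute list only exists on the domain controllers of the object's own domain.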
What is a VLAN?
Benefits of a VLAN:
1) Provides network security.
2) Provides broadcast control.
3) Efficient usage of bandwidth.
4) Physically you can move a host to any location and it will
remain in the same VLAN.
What is a VPN?
A Virtual Private Network (VPN) is a network technology that creates a secure network connection over
a public network such as the Internet or a private network owned by a service provider. Large
corporations, educational institutions, and government agencies use VPN technology to enable remote
users to securely connect to a private network.
A VPN can connect multiple sites over a large distance just like a Wide Area Network (WAN). VPNs are
often used to extend intranets worldwide to disseminate information and news to a wide user base.
Educational institutions use VPNs to connect campuses that can be distributed across the country or
around the world.
In order to gain access to the private network, a user must be authenticated using a unique
identification and a password. An authentication token is often used to gain access to a private network
through a personal identification number (PIN) that a user must enter. The PIN is a unique
authentication code that changes according to a specific frequency, usually every 30 seconds or so.
Protocols
There are a number of VPN protocols in use that secure the transport of data traffic over a public
network infrastructure. Each protocol varies slightly in the way that data is kept secure.
IP security (IPSec) is used to secure communications over the Internet. IPSec traffic can use either
transport mode or tunnel mode to encrypt data traffic in a VPN. The difference between the two modes is
that transport mode encrypts only the message within the data packet (also known as the payload),
while tunnel mode encrypts the entire data packet. IPSec is often referred to as a "security overlay"
because of its use as a security layer for other protocols.
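The practical consequence of the transport-versus-tunnel distinction is what an eavesdropper on the public network can still read. The following is an added example, not code from the page or any IPsec implementation: it builds a constructed IPv4 packet between two private hosts, wraps it in ESP (protocol 50) in each mode, and reports what the unencrypted outer header exposes. The keystream (HMAC-SHA256 in counter mode) and the truncated-HMAC integrity check are stand-ins for the cipher suite a real security association would negotiate; the addresses, SPIs and key are constructed.

```python
"""What an on-path observer sees when an IPv4 packet is protected by ESP in transport
mode versus tunnel mode.  Added example with constructed packets; the HMAC-SHA256
counter keystream and truncated HMAC ICV stand in for the cipher suite a real IPsec
SA would negotiate and are not a production construction."""
import hashlib
import hmac
import socket
import struct

ESP = 50            # IP protocol number for ESP
IP_IN_IP = 4        # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 over (nonce || counter), truncated to n bytes."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP body: SPI | sequence | enc(inner | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    head = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, head, len(plaintext))))
    icv = hmac.new(key, head + ct, hashlib.sha256).digest()[:12]
    return head + ct + icv


def esp_decapsulate(key: bytes, esp: bytes) -> tuple:
    """Check the ICV first, then decrypt and strip the trailer; returns (inner, next_header)."""
    head, ct, icv = esp[:8], esp[8:-12], esp[-12:]
    if not hmac.compare_digest(hmac.new(key, head + ct, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ESP integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, head, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return pt[:-2 - pad_len], next_header


def transport_mode(key: bytes, spi: int, seq: int, packet: bytes) -> bytes:
    """Keep the original IP header in the clear; protect only the payload behind it."""
    ip, payload = packet[:20], packet[20:]
    esp = esp_encapsulate(key, spi, seq, payload, ip[9])
    return ipv4_header(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                       ESP, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, packet: bytes,
                gw_src: str, gw_dst: str) -> bytes:
    """Protect the whole original packet, header included, behind a new gateway header."""
    esp = esp_encapsulate(key, spi, seq, packet, IP_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def observer_view(packet: bytes) -> dict:
    """Everything an eavesdropper can read from the unencrypted outer header."""
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9]}


KEY = b"constructed-demo-key"                      # constructed; not a real SA key
PAYLOAD = b"constructed application data"
# Constructed inner packet between two private hosts; protocol 253 is reserved for experiments.
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 253, len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    print("transport:", observer_view(transport_mode(KEY, 0x1000, 1, INNER)))
    print("tunnel:   ", observer_view(tunnel_mode(KEY, 0x2000, 1, INNER,
                                                   "192.0.2.1", "198.51.100.1")))
```

In transport mode the observer still learns the two private endpoints talking to each other; in tunnel mode only the two gateway addresses are visible, which is why site-to-site VPNs use tunnel mode. The integrity check runs before decryption so that a modified packet is dropped without feeding attacker-controlled bytes to the decryption and trailer-parsing step.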
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use cryptography to secure
communications over the Internet. Both protocols use a "handshake" method of authentication that
involves a negotiation of network parameters between the client and server machines. To successfully
initiate a connection, an authentication process involving certificates is used. Certificates are
cryptographic keys that are stored on both the server and client.
Point-To-Point Tunneling Protocol (PPTP) is another tunneling protocol used to connect a remote client
to a private server over the Internet. PPTP is one of the most widely used VPN protocols because of its
straightforward configuration and maintenance and also because it is included with the Windows
operating system.
Layer 2 Tunneling Protocol (L2TP) is a protocol used to tunnel data communications traffic between two
sites over the Internet. L2TP is often used in tandem with IPSec (which acts as a security layer) to secure
the transfer of L2TP data packets over the Internet. Unlike PPTP, a VPN implementation using
L2TP/IPSec requires a shared key or the use of certificates.
VPN technology employs sophisticated encryption to ensure security and prevent any unintentional
interception of data between private sites. All traffic over a VPN is encrypted using algorithms to secure
data integrity and privacy. VPN architecture is governed by a strict set of rules and standards to ensure a
private communication channel between sites. Corporate network administrators are responsible for
deciding the scope of a VPN, implementing and deploying a VPN, and ongoing monitoring of network
traffic across the network firewall. A VPN requires administrators to be continually aware of the
overall architecture and scope of the VPN to ensure communications are kept private.
Advantages & Disadvantages
A VPN is an inexpensive and effective way of building a private network. The use of the Internet as the main
communications channel between sites is a cost-effective alternative to expensive leased private lines.
The costs to a corporation include the network authentication hardware and software used to
authenticate users and any additional mechanisms such as authentication tokens or other secure
devices. The relative ease, speed, and flexibility of VPN provisioning in comparison to leased lines make
VPNs an ideal choice for corporations that require flexibility. For example, a company can adjust the
number of sites in the VPN according to changing requirements.
There are several potential disadvantages with VPN use. The lack of Quality of Service (QoS)
management over the Internet can cause packet loss and other performance issues. Adverse network
conditions that occur outside of the private network are beyond the control of the VPN administrator. For
this reason, many large corporations pay for the use of trusted VPNs that use a private network to
guarantee QoS. Vendor interoperability is another potential disadvantage, as VPN technologies from one
vendor may not be compatible with VPN technologies from another vendor. Neither of these
disadvantages has prevented the widespread acceptance and deployment of VPN technology.