70-218 Study Guide

Study Notes for Microsoft exam 70-218

Things To Know

Publishing printers

- By default, a shared printer connected to a Windows 2000 computer that participates in Active Directory is published in the Active Directory catalog.
- Printers connected to legacy clients, such as Windows NT or Windows 95, can be published in Active Directory from the Active Directory Users and Computers console. Select the container in which you want to place the printer object, right-click it and select New | Printer. Enter the UNC path of the printer and click OK.

Publishing file shares

- To publish a file share in Active Directory, open the Active Directory Users and Computers console, select the container in which to place the object, right-click it and select New | File Share. Supply the UNC path to the file share and click OK.

File systems

- Windows 2000 can run on FAT16, FAT32 or NTFS.
- You can convert FAT16 or FAT32 to NTFS with the convert.exe command.
- Existing NTFS 4.0 (Windows NT 4.0) volumes are upgraded to NTFS 5.0 during the installation of Windows 2000. Apply SP4 or higher to the Windows NT 4.0 installation before installing Windows 2000.
- Windows NT 4.0 SP4 and higher can read and write NTFS 5.0 volumes, but cannot use advanced features such as EFS and disk quotas.

File and folder permissions

- Explicit permissions are those assigned directly to an object; implicit permissions are those it has inherited.
- By default, all child objects inherit the permissions assigned to their parent object. Turn off permission inheritance from the Advanced Security Settings window by clearing the "Inherit from parent the permission entries that apply to child objects" checkbox.
- Permissions are cumulative, except for Deny, which overrides all other permissions.
- To determine a user's permissions on a specific object, add all Allow permissions from the volume root down to the object, then subtract all Deny permissions from the volume root down to the object. The result is the cumulative permission the user holds on that object.
- Share permissions apply only when the resource is accessed across the network. NTFS permissions apply to both local and remote access.
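The cumulative-permission rule above (Allow entries add up from the volume root down to the object, any Deny on that path wins, and share permissions only narrow the result over the network) can be modelled in a few lines. This is an added illustration written for this guide, not Windows code or the exam's own material; the folder tree, groups and ACEs below are constructed, and "full" is a shorthand that expands to every right in the model.

```python
"""Model of cumulative NTFS permissions: Allow accumulates, Deny overrides,
inheritance can be broken per object, share permissions apply over the
network only. Illustrative example, not Windows code; all data is constructed."""
from dataclasses import dataclass, field

# A small subset of the NTFS rights; "full" in an ACE expands to all of them.
RIGHTS = frozenset({"read", "write", "execute", "delete"})


@dataclass
class ACE:
    trustee: str          # user or group name
    allow: bool           # False = Deny entry
    rights: frozenset


@dataclass
class Node:
    """A folder or file. inherit=False means 'Inherit from parent the
    permission entries that apply to child objects' was cleared here."""
    name: str
    aces: list = field(default_factory=list)
    inherit: bool = True


def applicable_aces(path, principals):
    """Collect explicit and inherited ACEs that name any of the user's
    principals, walking from the volume root (path[0]) to the object."""
    collected = []
    for node in path:
        if not node.inherit:
            collected = []            # inheritance broken: drop what came from above
        collected.extend(a for a in node.aces if a.trustee in principals)
    return collected


def effective_ntfs(path, principals):
    """Sum of Allow rights minus the sum of Deny rights along the path."""
    allowed, denied = set(), set()
    for ace in applicable_aces(path, principals):
        target = allowed if ace.allow else denied
        target.update(RIGHTS if "full" in ace.rights else ace.rights)
    return frozenset(allowed - denied)   # Deny overrides Allow


def effective_access(path, principals, share_rights=None, over_network=False):
    """Over the network the share permissions further restrict NTFS rights;
    locally the share permissions play no part."""
    ntfs = effective_ntfs(path, principals)
    if over_network and share_rights is not None:
        return ntfs & frozenset(share_rights)  # most restrictive of the two
    return ntfs


def example():
    """Constructed tree D:\\Projects\\{Secret,Private} with a few ACEs."""
    root = Node("D:\\", [ACE("Users", True, frozenset({"read", "execute"}))])
    projects = Node("Projects", [ACE("Engineers", True, frozenset({"write"}))])
    secret = Node("Secret", [ACE("Contractors", False, frozenset({"read"}))])
    private = Node("Private", [ACE("alice", True, frozenset({"full"}))], inherit=False)
    alice = {"alice", "Users", "Engineers"}          # user plus group memberships
    bob = {"bob", "Users", "Contractors"}
    return {
        "alice_secret": effective_ntfs([root, projects, secret], alice),
        "bob_secret": effective_ntfs([root, projects, secret], bob),
        "bob_private": effective_ntfs([root, projects, private], bob),
        "alice_private_local": effective_access([root, projects, private], alice),
        "alice_secret_share": effective_access([root, projects, secret], alice,
                                               {"read"}, over_network=True),
    }


if __name__ == "__main__":
    for case, rights in example().items():
        print(f"{case}: {sorted(rights)}")
```

Note how Bob keeps Execute on Secret even though Read is denied there, and how breaking inheritance on Private leaves him with nothing, because the Users entry from the root no longer reaches that folder.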


Disk Quotas

- Disk quotas can only be implemented per volume; they cannot be applied to a folder directly.
- Disk quotas are based on uncompressed file sizes.
- Disk quotas can be used on both basic and dynamic disks.
- Disk quotas apply automatically only to users whose accounts were created after the quota was implemented; you can manually assign quotas to pre-existing users. (This changed in Windows XP.)

Configuring printer shares

- Printer shares are created by enabling sharing from the printer's Properties page.
- Printer pooling combines multiple print devices so that a job sent to the printer prints on the first available device.
- Printers can be configured with availability times and priorities to control printing. They can also be restricted to specific users or groups.
- TCP/IP printing is supported only for Windows and UNIX clients and requires the printer to be attached to a Windows 2000 Server running IIS or a Windows 2000 Professional computer running PWS.
- Printers can be accessed at http://servername/printers/.

Configuring file shares

- File shares are created from Windows Explorer or the Computer Management snap-in.
- Windows 2000 Professional supports a maximum of ten concurrent connections from other clients, so host file shares on a Windows 2000 Server computer.
- File shares whose names end with the dollar symbol ($) are special shares that are hidden from users browsing the network. They can still be accessed by users who know their path.

Web folders

- Web folders are shortcuts to file locations on web servers. If you have read and write access on that server, you can create a web folder.
- Before you can manage files and folders on a Web server, the Web server must support Web folders, which require either the Web Extender Client (WEC) protocol and FrontPage extensions, or the WebDAV protocol and IIS.
- Web folders can be created from My Network Places or from within Internet Explorer.

Internet Information Services (IIS)

- IIS runs on both Windows 2000 Server and Windows 2000 Professional, although on Windows 2000 Professional it is referred to as Peer Web Services (PWS).
- From within IIS you can create Virtual Servers and Virtual Directories.
- "All Unassigned" refers to IP addresses that are assigned to the computer but not to a specific site. The default Web site uses all of the IP addresses that are not assigned to other sites. Only one site can be set to use unassigned IP addresses.

Virtual Servers

- To create a Virtual Server (Web site, FTP site, SMTP server or NNTP server): in the Internet Services Manager console, select the computer or a site and click the Action button. Click New and then the type of site or server you want, which launches the site wizard. Follow the on-screen directions to assign identification information to the new site. You must provide the port number and the home directory path. If you are adding additional sites to a single IP address by using host headers, you must also assign a host header name.
- From the Performance tab of a virtual server you can set performance tuning (how many connections you expect per day to the Web site), bandwidth throttling and process throttling for the Web site.
- Authentication and access control features, including Directory Service mapping and SSL, are controlled from the Directory Security tab. To use DS mapping, you need a CA enabled and issuing certificates.

Virtual Directories

- To create a Virtual Directory, open the Internet Information Services console and perform the following steps: right-click your default Web site, select New and then Virtual Directory. Dismiss the wizard's opening window by clicking Next. In the Alias text box, enter a descriptive name for the new Virtual Directory. Browse to or enter the directory that contains the content and click Next. Select the access permissions you wish to enable on the Virtual Directory from Read, Run Scripts, Execute, Write and Browse. Click Next and then Finish to complete the wizard.
- Virtual Directories are created for HTTP or FTP Virtual Servers only.
- Virtual Directories are configured in the same way as Virtual Servers.

Troubleshooting client connections

- Determine the computer's network settings with the ipconfig /all command. A healthy configuration looks something like this:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : wxpws001
        Primary Dns Suffix  . . . . . . . : dontpanic.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : dontpanic.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)
        Physical Address. . . . . . . . . : 00-A0-CC-D9-24-85
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.100
        DNS Servers . . . . . . . . . . . : 192.168.0.100
        Primary WINS Server . . . . . . . : 192.168.0.100
        Lease Obtained. . . . . . . . . . : Tuesday, April 02, 2002 10:58:49 AM
        Lease Expires . . . . . . . . . . : Wednesday, April 10, 2002 10:58:49 AM

- If the client machine cannot reach anything, the likely culprit is network hardware. Check that the network cable is attached and not damaged. Try moving the cable to a different port on the hub or switch, as ports can and do die. Ping the loopback address (ping 127.0.0.1) on the client machine to test that the installed network adapter is functioning properly.
- If the local network is not to blame, flush the local DNS cache with the ipconfig /flushdns command.
- The TRACERT tool determines the path taken to a destination by sending ICMP Echo Request messages with increasing Time to Live (TTL) values. Each router along the path must decrement the TTL in an IP packet by at least 1 before forwarding it, so the TTL is effectively a maximum link counter. When the TTL on a packet reaches 0, the router is expected to return an ICMP Time Exceeded message to the source computer. Usage: tracert [-d] [-h MaximumHops] [-j HostList] [-w Timeout] [TargetName]
- The PING tool verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages. The corresponding Echo Reply messages are displayed along with their round-trip times. Ping is the primary TCP/IP command for troubleshooting connectivity, reachability and name resolution. Used without parameters, ping displays help. PING is available only if the Internet Protocol (TCP/IP) protocol is installed on the computer. Usage: ping [-t] [-a] [-n Count] [-l Size] [-f] [-i TTL] [-v TOS] [-r Count] [-s Count] [{-j HostList | -k HostList}] [-w Timeout] [TargetName]
- The IPCONFIG tool displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the IP address, subnet mask and default gateway for all adapters. This command is available only if the Internet Protocol (TCP/IP) protocol is installed on the computer. Usage: ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]
- The NBTSTAT tool is useful for troubleshooting NetBIOS name resolution problems. You can use the nbtstat command to remove or correct preloaded entries. Usage: nbtstat [-a remotename] [-A IP address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
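Reading ipconfig /all output by eye works for one machine; when you are checking many, it helps to parse it and apply the same sanity checks each time. The following is an added example written for this guide (not a Microsoft tool): it parses the "key . . . : value" layout shown above, groups settings by adapter, and flags the symptoms the troubleshooting notes describe (no address, an automatic 169.254.x.x address meaning DHCP was never reached, no gateway, a gateway outside the local subnet, no DNS servers). The HEALTHY sample is the output quoted above; BROKEN is a constructed failing adapter. Continuation lines for multiple DNS servers are not handled.

```python
"""Parser and sanity checks for 'ipconfig /all' output. Added example, not
a Microsoft tool. HEALTHY is the sample from the guide; BROKEN is constructed."""
import ipaddress

HEALTHY = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : wxpws001
        Primary Dns Suffix  . . . . . . . : dontpanic.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : dontpanic.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)
        Physical Address. . . . . . . . . : 00-A0-CC-D9-24-85
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.100
        DNS Servers . . . . . . . . . . . : 192.168.0.100
        Primary WINS Server . . . . . . . : 192.168.0.100
        Lease Obtained. . . . . . . . . . : Tuesday, April 02, 2002 10:58:49 AM
        Lease Expires . . . . . . . . . . : Wednesday, April 10, 2002 10:58:49 AM
"""

# Constructed: a DHCP client that never reached a DHCP server and fell back
# to an automatic private (APIPA) address.
BROKEN = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : wxpws002

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {section name: {setting: value}}. Unindented lines start a
    section (the global block or one adapter); indented 'key . . : value'
    lines belong to the current section."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip().rstrip(":")
            sections[current] = {}
            continue
        key, sep, value = raw.partition(":")
        if sep and current is not None:
            sections[current][key.replace(".", "").strip()] = value.strip()
    return sections


def check_adapter(adapter):
    """List the problems visible in one adapter's settings (empty = healthy)."""
    problems = []
    ip = adapter.get("IP Address", "")
    mask = adapter.get("Subnet Mask", "")
    gw = adapter.get("Default Gateway", "")
    if not ip or ip == "0.0.0.0":
        problems.append("no IP address: check cable, NIC and DHCP")
    elif ip.startswith("169.254."):
        problems.append("APIPA address: DHCP server not reached, try ipconfig /renew")
    if not gw:
        problems.append("no default gateway: only the local subnet is reachable")
    elif ip and mask:
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"gateway {gw} is outside the local subnet {net}")
    if not adapter.get("DNS Servers"):
        problems.append("no DNS servers: name resolution will fail")
    return problems


def report(text):
    """Run the checks over every adapter section in an ipconfig /all dump."""
    sections = parse_ipconfig(text)
    return {name: check_adapter(cfg) for name, cfg in sections.items()
            if " adapter " in name}


if __name__ == "__main__":
    for label, dump in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, report(dump))
```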


Configuring SSL authentication

- To authenticate users who log on to a secure server with a client certificate, you need to create mappings that tie the information contained in a certificate to that contained in a user account.
- You can configure either one-to-one mapping or many-to-one mapping.
- One-to-one mapping maps individual client certificates to accounts. The server compares the copy of the client certificate it holds with the client certificate sent by the browser; the two must be absolutely identical for the mapping to succeed. If a client obtains another certificate containing all of the same user information, it must be mapped again.
- Many-to-one mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject. This mapping does not compare the actual client certificate, but accepts all client certificates that fulfil the criteria. If a client obtains another certificate containing all of the same user information, the existing mapping still works.
- Alternatively, Directory Service (DS) mapping can be enabled. DS certificate mapping uses native Windows 2000 Active Directory features to authenticate users with client certificates. It has advantages (client certificate information is shared across many servers) and disadvantages (wildcard matching is not as advanced). You can enable DS mapping only at the Master Properties level, and only if you are a member of a Windows 2000 domain. Activating DS mapping excludes the use of one-to-one and many-to-one mapping for the entire Web service.
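The practical difference between the two mapping modes is easiest to see with a renewed certificate. The toy model below is an added example written for this guide, not IIS code: certificates are dicts whose "der" field stands in for the encoded certificate bytes that one-to-one mode compares, and the CA names, subjects and accounts are constructed. One-to-one mode stops matching as soon as the user is issued a new certificate, while a many-to-one rule keyed on issuer and subject fields keeps working, and also shows why the rule must check the issuer and not just the subject.

```python
"""Toy model of IIS one-to-one and many-to-one certificate mapping. Added
example, not IIS code; every certificate, CA and account name is constructed."""


def make_cert(der, subject, issuer):
    """'der' stands in for the encoded certificate bytes; subject and issuer
    are the distinguished-name attributes the wildcard rules look at."""
    return {"der": der, "subject": subject, "issuer": issuer}


def one_to_one(mappings, presented):
    """mappings: list of (stored certificate, account). The presented
    certificate must be identical to the stored copy, byte for byte."""
    for stored, account in mappings:
        if stored["der"] == presented["der"]:
            return account
    return None


def many_to_one(rules, presented):
    """rules: list of (criteria, account) where criteria looks like
    {"issuer": {"CN": ...}, "subject": {"OU": ...}}. Every listed attribute
    must match; the certificate bytes themselves are never compared."""
    for criteria, account in rules:
        if all(presented[part].get(attr) == want
               for part, wanted in criteria.items()
               for attr, want in wanted.items()):
            return account
    return None


# Constructed sample data.
ISSUER_CA = {"CN": "Contoso Issuing CA", "O": "Contoso"}
OTHER_CA = {"CN": "Fabrikam CA", "O": "Fabrikam"}
ALICE_SUBJECT = {"CN": "Alice", "O": "Contoso", "OU": "Engineering"}
ALICE_V1 = make_cert(b"cert-bytes-v1", ALICE_SUBJECT, ISSUER_CA)
ALICE_V2 = make_cert(b"cert-bytes-v2", ALICE_SUBJECT, ISSUER_CA)   # renewed, same names
OUTSIDER = make_cert(b"cert-bytes-x",
                     {"CN": "Mallory", "O": "Fabrikam", "OU": "Engineering"}, OTHER_CA)

ONE_TO_ONE = [(ALICE_V1, "CONTOSO\\alice")]
MANY_TO_ONE = [({"issuer": {"CN": "Contoso Issuing CA"},
                 "subject": {"OU": "Engineering"}}, "CONTOSO\\EngineeringWeb")]


if __name__ == "__main__":
    for name, cert in (("alice v1", ALICE_V1), ("alice v2", ALICE_V2), ("outsider", OUTSIDER)):
        print(f"{name}: one-to-one -> {one_to_one(ONE_TO_ONE, cert)}, "
              f"many-to-one -> {many_to_one(MANY_TO_ONE, cert)}")
```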


Auditing

- To understand auditing, you need to understand three terms: Discretionary Access Control List (DACL), System Access Control List (SACL) and Access Control Entry (ACE).
- The Discretionary Access Control List is the part of an object's security descriptor that allows or denies permissions to specific users and groups.
- The System Access Control List is the part of an object's security descriptor that specifies which events are to be audited per user or group.
- An Access Control Entry is an entry in an object's DACL that grants certain permissions to a user or group, or an entry in an object's SACL that specifies the security events to be audited for a user or group.
- Auditing is disabled by default. You can enable auditing on a specific computer or across the entire domain; it's your choice.
- To audit access to objects as part of your audit policy, you must turn on either the Audit directory service access category (for objects on a domain controller) or the Audit object access category (for objects on a member server).
- To audit file access, configure the auditing options for the folders and files of concern; this is done from the Advanced tab of the Properties page.
- When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in one of the ways you are auditing.

Working with DHCP servers

- Before a DHCP server can serve clients, it must be authorized in Active Directory. To authorize a DHCP server, right-click it and select Authorize.
- DHCP options can be configured at the scope level and at the server level. Options are inherited from the server level down to the scope level.
- For networks where DHCP clients are separated from the DHCP server by a router, a DHCP relay agent needs to be installed. Routers do not pass DHCP messages by default because they are broadcasts.

DNS & DNS servers

- If your DNS server must resolve addresses outside the private network, configure it for DNS forwarding. Right-click the DNS server, select Properties and switch to the Forwarders tab.
- When using Active Directory, consider changing DNS zones to Active Directory integrated zones. AD integrated zones are easier to manage and offer better security than standard DNS zones.
- Configure DNS for dynamic update to keep your zones up to date as DHCP leases are obtained and released.
- Non-Microsoft DNS servers can be used with Active Directory so long as they support RFCs 2052 (SRV records) and 2163 (dynamic updates). The DNS server in Windows NT Server 4.0 cannot be used with AD; BIND versions 8.1.2 and later can.
- A records map a FQDN to an IP address.
- The Start Of Authority (SOA) record names the primary DNS server for a domain, provides an e-mail address for the administrator and specifies how long its data may be cached.
- NS records designate which servers are name servers for the domain.
- CNAME (Canonical Name) records, or aliases, provide an alias for the host name of a server.
- MX (Mail Exchange) records let an administrator designate which machines receive mail for a domain, in order of preference (a lower number means higher preference).
- PTR (Pointer) records are also called reverse records or reverse lookups; they allow an IP address to be resolved to a host name.
- SRV records allow DNS to identify server types.
- A Standard Primary zone stores the master copy of the zone in a text file. It is used to exchange DNS data with other servers that use text-based storage.
- A Standard Secondary zone is a copy of an existing zone, used for load balancing and fault tolerance.
- A caching DNS server simply resolves requests and caches the resolved data until its TTL expires.
- Full Zone Transfer (AXFR) is supported by most DNS implementations. When the refresh interval expires on a secondary server, it queries its primary with an AXFR query. If the serial number has changed since the last copy, a new copy of the entire zone database is transferred to the secondary.
- Incremental Zone Transfer (IXFR) also uses serial numbers, but transfers only the information that has changed rather than the entire database. The server transfers the full database only if the sum of the changes is larger than the entire zone, the client's serial number is lower than the serial number of the older version of the zone on the server, or the server responding to the IXFR request does not recognize that type of query.
- The dnscmd.exe command-line utility works with DNS servers, zones and resource records. It can be used to manually modify DNS server properties, create and delete zones and resource records, and force replication between the DNS server's in-memory data and its databases and data files.
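The AXFR/IXFR rules in the two zone-transfer bullets above reduce to a small decision procedure on serial numbers. The model below is an added example written for this guide, not DNS server code: a primary keeps the zone plus a change log keyed by serial, and plan_transfer() returns nothing when the secondary is current, an incremental delta when it can, and a full copy in each of the three fall-back cases the text lists (the client is older than the retained history, the deltas outgrow the zone, or IXFR is not supported). The zone records and serials are constructed, and plain integer comparison stands in for the wrap-around serial arithmetic real servers use.

```python
"""Model of the AXFR / IXFR zone-transfer decision. Added example, not DNS
server code; the zone, its serials and the change log are constructed."""
from dataclasses import dataclass, field


@dataclass
class ZoneServer:
    serial: int                     # current SOA serial number
    records: dict                   # name -> rdata, the whole zone
    supports_ixfr: bool = True
    history: list = field(default_factory=list)   # [(serial, [(op, name, rdata)])]

    def add(self, name, rdata):
        """Every change bumps the serial and is logged for IXFR."""
        self.serial += 1
        self.records[name] = rdata
        self.history.append((self.serial, [("add", name, rdata)]))

    def delete(self, name):
        self.serial += 1
        rdata = self.records.pop(name)
        self.history.append((self.serial, [("del", name, rdata)]))


def plan_transfer(server, client_serial, query="IXFR"):
    """Return (kind, payload): kind is 'none', 'ixfr' or 'axfr'.
    Plain integer comparison stands in for RFC 1982 serial arithmetic."""
    if client_serial >= server.serial:
        return ("none", [])                        # serial unchanged: nothing to do
    if query != "IXFR" or not server.supports_ixfr:
        return ("axfr", dict(server.records))      # plain AXFR, or IXFR not understood
    oldest = server.history[0][0] - 1 if server.history else server.serial
    if client_serial < oldest:
        return ("axfr", dict(server.records))      # client older than retained history
    changes = [c for serial, batch in server.history
               if serial > client_serial for c in batch]
    if len(changes) > len(server.records):
        return ("axfr", dict(server.records))      # deltas bigger than the zone itself
    return ("ixfr", changes)


def apply_transfer(client_records, kind, payload):
    """What the secondary does with the answer."""
    if kind == "axfr":
        return dict(payload)
    for op, name, rdata in payload:
        if op == "add":
            client_records[name] = rdata
        else:
            client_records.pop(name, None)
    return client_records


def fresh_primary():
    """Constructed zone at serial 100 (documentation addresses)."""
    return ZoneServer(100, {"www": "192.0.2.10", "mail": "192.0.2.20", "ns1": "192.0.2.1"})


if __name__ == "__main__":
    primary = fresh_primary()
    primary.add("ftp", "192.0.2.30")
    kind, payload = plan_transfer(primary, client_serial=100)
    print(kind, payload)          # ixfr with the single added record
```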


Working with WINS

- The Windows Internet Name Service (WINS) provides a dynamic, replicated database service that registers and resolves NetBIOS names to IP addresses. It is used mostly in legacy Windows environments and is not required in Windows 2000, although it is supported.
- Avoid static WINS entries as much as possible, as they require further administrative action to ensure they are used as intended. One situation where static entries are appropriate is the WINS registration of names used by servers.
- Avoid limited replication partnerships (Push Only or Pull Only) between WINS servers, except in special cases where replication must occur over slow WAN links.
- To boost performance and minimize fragmentation of the WINS database, regular offline compaction is highly recommended. Use the jetpack utility to compact the WINS database.

Installing and configuring hardware

- You need administrative privileges to install hardware with the Add/Remove Hardware Wizard.
- When installing a Plug and Play printer, administrative permissions are not required if the driver is already installed.
- Driver Signing is new in Windows 2000 and can be used to prevent the installation of unsigned device drivers. If you are logged on with administrative permissions, you can configure Driver Signing for all users of the computer.

Recovering from startup problems

- Use Safe Mode to start a computer that will not boot normally because of errors or system conflicts. Safe Mode starts Windows with only a minimal set of drivers (basic mouse, video, keyboard, monitor and mass storage) to help resolve startup problems.
- Safe Mode with Networking loads the minimal set of device drivers and services needed to start Windows, plus the drivers necessary for networking.
- Last Known Good Configuration starts Windows using the previous good configuration.
- The Recovery Console is a DOS-like command-line tool that can be used to get a computer started when it either will not start at all or starts with errors.
- When starting the Recovery Console, you must log on as the local Administrator.

Parallel installations

- A Parallel Installation is a secondary installation of Windows 2000 in a different directory, on a different partition or, preferably, on a separate physical disk.
- A Parallel Installation gives you full control access to your NTFS-formatted volumes if disaster strikes and you need to reach the files or Registry data of the primary installation.

Monitoring and troubleshooting

- Use System Monitor to collect and view real-time data about memory, disk, processor, network and other activity in graph, histogram or report form. System Monitor is found in the Performance console.
- Using the event logs in Event Viewer, you can gather information about hardware, software and system problems, and monitor Windows 2000 security events.
- Task Manager provides information about computer performance and the programs and processes running on the computer. With Task Manager you can end programs or processes, start programs and view a dynamic display of the computer's performance.

Service Packs and Hot Fixes

- Service Packs are regularly scheduled maintenance releases that correct problems in a product and occasionally add functionality.
- Besides applying a Service Pack to a single computer, you can slipstream it into new OS deployment images for use with RIS, or extract it to a network file share and assign it via Group Policy using the update.msi file.
- Hot Fixes are small, problem-specific executables whose purpose is to correct one specific flaw or security issue in an operating system or other installed application.
- Hot Fixes typically result from the discovery of an attack opportunity or weakness in a product. Timely application of a hot fix is critical to properly secure the system or prevent degraded performance.
- Hot Fixes can be chained for installation on an existing operating system with Qchain.exe, which installs multiple hot fixes sequentially without rebooting between each one. Even for hot fixes that do not require a reboot, chaining them via Qchain.exe helps avoid problems caused by locked files or other issues.

Group management

- Security groups collect users, computers and other groups into manageable units for the purpose of assigning permissions.
- Distribution groups are not security-enabled and can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. If you do not need a group for security purposes, create a distribution group instead of a security group.
- Groups with universal scope can have as members groups and accounts from any Windows 2000 domain in the domain tree or forest, and can be granted permissions in any domain in the domain tree or forest. They are referred to as universal groups.
- Groups with global scope can have as members groups and accounts only from the domain in which the group is defined, and can be granted permissions in any domain in the forest. They are referred to as global groups.
- Groups with domain local scope can have as members groups and accounts from a Windows 2000 or Windows NT domain, and can be used to grant permissions only within their domain. They are referred to as domain local groups.
- By default, a new group is created as a security group with global scope regardless of the current domain mode. Changing a group's scope is not allowed in mixed-mode domains, but the following conversions are allowed in native-mode domains:
  - Global to universal, but only if the group is not a member of another group having global scope.
  - Domain local to universal, but only if the group does not have as a member another group having domain local scope.

Active Directory replication troubleshooting

- The Active Directory Replication Monitor, Replmon.exe, is a graphical tool for viewing the low-level status and performance of replication between Active Directory domain controllers. Replmon can monitor domain controllers from different forests simultaneously.
- Repadmin.exe is a command-line tool that lets you view and change replication status on domain controllers when you need to diagnose and troubleshoot replication between Windows 2000-based domain controllers. You can use Repadmin to view the current replication topology, manually create the replication topology and force replication events.

Group Policy basics

- Group policy settings are processed (inherited) in the following order:
  - Local GPO: there can be only one local GPO, and it is processed first.
  - Site GPOs: processed next; the administrator can specify the order in which they are processed.
  - Domain GPOs: multiple GPOs are processed synchronously in the order specified by the administrator.
  - OU GPOs: GPOs linked to the OU highest in AD are processed first, followed by GPOs linked to any child OUs. Each previous GPO is overwritten by the next in line. When several GPOs are linked to a single OU, they are processed synchronously, in the order specified by the administrator.
- Exceptions to the processing (inheritance) order:
  - Block inheritance: any site, domain or OU can block inheritance of group policy from above, except where an administrator has set No Override on the GPO link. Block inheritance cannot be applied to GPOs or GPO links, only to containers.
  - No override: any GPO linked to a site, domain or OU can be set to No Override so that none of its policies are overridden by a child container.
  - Loopback setting: used only in closely managed environments such as kiosks, labs, classrooms and reception areas. It can be set to merge or replace mode.
- Setting permissions for security groups lets an administrator filter group policy so that it applies only to the users and computers specified.
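The processing order, the two inheritance exceptions and security-group filtering above can be combined into one small resultant-set-of-policy calculator. This is an added example written for this guide, not Windows code: containers are listed in processing order (site, domain, OU, child OU), each with its linked GPOs in the administrator's link order; Block Inheritance on a container discards everything inherited from above except No Override links; No Override GPOs are applied last so nothing below can overwrite them (with the one highest in the hierarchy applied very last); and a GPO with a security filter is skipped for principals outside it. The local GPO is not linked to any container, so this model applies it as the base layer outside the Block Inheritance rule (an assumption of the model). All GPO names and settings are constructed.

```python
"""Resultant Set of Policy model: Local, Site, Domain, OU order, Block
Inheritance, No Override and security-group filtering. Added example, not
Windows code; every container, GPO and setting below is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                          # policy name -> value
    no_override: bool = False               # "No Override" on the link
    apply_to: Optional[frozenset] = None    # security filter; None = everyone


@dataclass
class Container:
    name: str                               # a site, domain or OU
    gpos: list = field(default_factory=list)  # link order set by the admin
    block_inheritance: bool = False


def resultant_settings(local_gpo, hierarchy, principals):
    """Return (settings, source) where source names the GPO that supplied
    each value. hierarchy is ordered site, domain, OU, child OU, ..."""
    normal, enforced = [], []
    for container in hierarchy:
        if container.block_inheritance:
            normal = []          # drop inherited links; No Override links survive
        for gpo in container.gpos:
            if gpo.apply_to is not None and not (gpo.apply_to & principals):
                continue         # filtered out by the GPO's security permissions
            (enforced if gpo.no_override else normal).append(gpo)
    # The local GPO goes first (assumption: it is not subject to Block
    # Inheritance, since it is not linked to a container). Later GPOs
    # overwrite earlier ones, and No Override GPOs are applied after all
    # others, highest container last, so that they win.
    layers = [local_gpo] + normal + list(reversed(enforced))
    result, source = {}, {}
    for gpo in layers:
        for key, value in gpo.settings.items():
            result[key] = value
            source[key] = gpo.name
    return result, source


def example():
    """Constructed hierarchy: a site wallpaper, an enforced domain lockdown,
    an Engineering OU that blocks inheritance, and a Labs child OU."""
    local = GPO("Local", {"wallpaper": "default.bmp", "screensaver": "off"})
    site = Container("HQ-Site", [GPO("SiteWallpaper", {"wallpaper": "site.bmp"})])
    domain = Container("contoso.local", [
        GPO("DomainLockdown", {"screensaver": "on", "timeout": 600}, no_override=True)])
    eng = Container("OU=Engineering", [GPO("EngWallpaper", {"wallpaper": "eng.bmp"})],
                    block_inheritance=True)
    labs = Container("OU=Labs", [
        GPO("LabScreensaver", {"screensaver": "off"}),
        GPO("KioskOnly", {"shell": "kiosk.exe"}, apply_to=frozenset({"Kiosk Computers"}))])
    engineer = {"alice", "Domain Users"}
    return resultant_settings(local, [site, domain, eng, labs], engineer)


if __name__ == "__main__":
    settings, source = example()
    for key, value in settings.items():
        print(f"{key} = {value}  (from {source[key]})")
```

In the constructed case the site wallpaper is blocked at the Engineering OU, the Labs OU's attempt to turn the screensaver off loses to the domain's No Override lockdown, and the kiosk GPO never applies to an ordinary engineer.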

Deploying software via Group Policy

- Software assigned to a user gets a shortcut on the user's Start > Programs menu, but is not installed until the first time they use it. Software assigned to a computer is installed the next time the user logs on, regardless of whether or not they run the software.
- Published applications are not advertised. They are installed only through Add/Remove Programs in Control Panel or through invocation. Published applications lack resiliency (they do not self-repair or reinstall if deleted by the user). Applications can be published only to users, not computers.
- Non-MSI programs are published using .ZAP files. They cannot take advantage of MSI features such as elevated installation privileges, rolling back an unsuccessful installation, installing on first use of the software or a feature, and so on.
- Modifications are created with tools provided by the software manufacturer and produce .MST files that tell the Windows Installer what to modify during installation. .MST files must be assigned to .MSI packages at the time of deployment.
- Patches are deployed as .MSP files.
- If the error message "The feature you are trying to install cannot be found in the source directory" is received, check the network condition and the permissions on the share where the distribution folder is located.
- If the error message "Active Directory will not allow the package to be deployed" or "Cannot prepare package for deployment" is received, check the network status and determine whether the package has been corrupted. Corrupt installation packages must be replaced before they will work.

Subnetting

- Subnetting is the process of dividing a larger network into smaller segments for ease of configuration or management.
- To perform subnetting, you need to be able to convert binary to decimal quickly and accurately. A simple subnetting table is presented below.

Subnetting Table

   128 64  32 16 8  4  2  1
     1  1  1  1  1  1  1  1
        |  |  |  |  |  |  |
   192--'  |  |  |  |  |  |
   224-----'  |  |  |  |  |
   240--------'  |  |  |  |
   248-----------'  |  |  |
   252--------------'  |  |
   254-----------------'  |
   255--------------------'

First Octet (decimal & binary)    Class    Subnet Mask
1 - 126     (0xxxxxxx)            A        255.0.0.0
128 - 191   (10xxxxxx)            B        255.255.0.0
192 - 223   (110xxxxx)            C        255.255.255.0
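The two tables above are all you need to compute masks by hand: a mask octet is a run of leading 1-bits, so its decimal value is the sum of the leftmost entries of the 128-64-32-16-8-4-2-1 row (224 = 128 + 64 + 32), and the first octet decides the class. The helpers below are an added example written for this guide, not from the original; they go slightly beyond the text by also splitting a network into equal subnets and counting usable hosts, and they reject a non-contiguous mask, which the table cannot represent. The sample networks are constructed.

```python
"""Subnetting helpers built on the guide's tables. Added example, not from
the original guide; the sample networks used in the tests are constructed."""
import ipaddress

BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # the top row of the table


def octet_to_binary(value):
    """Decimal octet to 8-bit string, e.g. 224 -> '11100000'."""
    return "".join("1" if value & b else "0" for b in BIT_VALUES)


def prefix_to_mask(prefix):
    """/27 -> 255.255.255.224: three full octets, then 3 bits = 128+64+32."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    octets = []
    for i in range(4):
        bits = max(0, min(8, prefix - 8 * i))      # 1-bits left for this octet
        octets.append(sum(BIT_VALUES[:bits]))
    return ".".join(str(o) for o in octets)


def mask_to_prefix(mask):
    """255.255.248.0 -> 21; rejects non-contiguous masks like 255.0.255.0."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = ~value & 0xFFFFFFFF                 # host bits as a number
    if inverted & (inverted + 1):                  # must be of the form 0...01...1
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bin(value).count("1")


def address_class(ip):
    """Classful lookup from the first-octet table: (class, default mask)."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return ("A", "255.0.0.0")
    if 128 <= first <= 191:
        return ("B", "255.255.0.0")
    if 192 <= first <= 223:
        return ("C", "255.255.255.0")
    return (None, None)            # 127 is loopback; 224 and above are not classful unicast


def split_network(cidr, subnets_needed):
    """Divide a network into at least subnets_needed equal subnets.
    Returns (new mask, usable hosts per subnet, list of subnet CIDRs)."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    net = ipaddress.ip_network(cidr)
    extra_bits = (subnets_needed - 1).bit_length()  # ceil(log2(subnets_needed))
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > 30:
        raise ValueError("not enough address space for usable subnets")
    subnets = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    return (prefix_to_mask(new_prefix), 2 ** (32 - new_prefix) - 2, subnets)


if __name__ == "__main__":
    print(prefix_to_mask(27), octet_to_binary(224))
    print(split_network("192.168.0.0/24", 4))
```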


Troubleshooting Remote Access policy

- In a native-mode domain, the remote-access permission on every user account is set to Control access through Remote-Access Policy, which means that the remote-access permission setting on the remote-access policy controls whether remote access is allowed or denied. You can allow or deny access per group by creating a remote-access policy that uses the Windows Group condition and setting the policy's remote-access permission to either Grant remote-access permission or Deny remote-access permission.
- In a mixed-mode domain, the remote-access permission on every user account is set to Allow access, and the default remote-access policy called "Allow access if dial-in permission is enabled" is deleted. On a remote-access server running Windows 2000 that is a member of a Windows 2000 mixed-mode domain, the Control access through Remote-Access Policy setting on the user account is not available. You can allow or deny access per group by creating a remote-access policy that uses the Windows Group condition. To deny access, however, you must specify in the profile properties a connection constraint that cannot be met: enable the Restrict Dial-in to this number only constraint and type a number that does not correspond to any dial-in number used by the server.

Remote Access tidbits

- NAT and IPSec are incompatible technologies: because IPSec encrypts the headers, the NAT translator cannot examine the packet.
- You can troubleshoot modem commands sent from the Remote Access Server or client by using a modem log file.
- If your remote access clients cannot see the internal network, check the following:
  - For IP-based remote access clients, is IP routing enabled?
  - Is there a static IP address pool configured but no routes back to the remote access clients?
  - Are packet filters in use that prevent the flow of IP traffic?
  - If your clients are IPX, AppleTalk or NetBEUI-based, are those protocols installed and configured on the RRAS server?
- The remote access client and the remote access server, in conjunction with a remote access policy, must be configured with at least one common encryption strength.
- The remote access client and the remote access server, in conjunction with a remote access policy, must have at least one common authentication method.
- If the static IP address pool runs out of addresses, clients cannot connect. Use addresses from the DHCP server when possible.
- You cannot use the built-in local groups of a stand-alone remote access server running Windows 2000 for the Windows Groups attribute.


Things To Do

1. Using a Windows 2000 Server, promote it from a member server to a domain controller.
2. Create a test environment with at least one Windows 2000 Server and one or more client computers. Practice configuring and implementing Group Policy.
3. Create a test environment with at least one Windows 2000 Server and one or more client computers. Practice assigning and publishing software.
4. Using a Windows 2000 Server, practice creating Virtual Servers and Virtual Directories and configuring IIS.
5. On a sheet of paper, write out a subnetting chart; repeat until you can do it from memory.
6. Restart a computer in Safe Mode. Explore a bit and see exactly what options you have.
7. Using a Windows 2000 Server, create and configure DNS, WINS and DHCP servers. Create and configure forward and reverse DNS zones. Create and configure one or more DHCP scopes.
8. Using a Windows 2000 Domain Controller, perform user and group administration for an entire domain. How is this different from performing user and group administration on a stand-alone or workgroup computer?
9. Explore how DHCP and DNS are integrated in Windows 2000.
10. Use the PING, PATHPING and TRACERT commands to determine network connectivity status in your network and beyond. Determine where problems are located by reading the results.
11. Practice setting up WINS replication between PUSH/PULL partners, using as many servers as you can.
12. Using a Windows 2000 Server, set up NAT for a small network.
13. Using a Windows 2000 Server or Windows 2000 Professional computer, set up ICS. How is this different from NAT?
14. Set up a RRAS server on your Windows 2000 Server. Configure it with the appropriate protocols and security levels. Configure policies and profiles to allow and disallow RRAS access. Test it out.
15. Practice with RIP and OSPF on your RRAS server. See how they are configured and what options they have.
16. Install a Certificate Authority on your network. Issue and revoke certificates from the MMC console and from your browser.
17. Create additional DHCP scopes to get the gist of the 80/20 or 70/30 rule. Use two or more DHCP servers if possible.
18. Set up your network with a router between the clients and the server. Configure and manage DHCP to support this situation.
19. Integrate NetWare, Macintosh and Unix clients into your network. Get them all talking, sharing and printing.
20. Configure and share folders and printers across your network. Set share and NTFS permissions. Publish resources in Active Directory. Search for them in Active Directory.

