Study Notes for Microsoft exam 70-218
Page 2 of 4
Troubleshooting client connections
• Determine the computer's network settings by running ipconfig /all from the command line. A healthy configuration might look something like this:
Windows IP Configuration
Host Name . . . . . . . . . . . . : wxpws001
Primary Dns Suffix . . . . . . . : dontpanic.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dontpanic.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)
Physical Address. . . . . . . . . : 00-A0-CC-D9-24-85
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.100
DNS Servers . . . . . . . . . . . : 192.168.0.100
Primary WINS Server . . . . . . . : 192.168.0.100
Lease Obtained. . . . . . . . . . : Tuesday, April 02, 2002 10:58:49 AM
Lease Expires . . . . . . . . . . : Wednesday, April 10, 2002 10:58:49 AM
• If no access at all can be made from the client machine, the likely culprit is network hardware. Check that the network cable is attached and not damaged. Try moving the cable to a different port on the hub or switch it is attached to, as ports can and will die. Ping the loopback address (ping 127.0.0.1) on the network adapter installed in the client machine to test that the NIC is functioning properly.
• If internal network access is not to blame, flush the local computer's DNS cache with ipconfig /flushdns.
• The TRACERT tool determines the path taken to a destination by sending ICMP Echo Request messages with varying Time to Live (TTL) values to the destination. Each router along the path is required to decrement the TTL in an IP packet by at least 1 before forwarding it. Effectively, the TTL is a maximum link counter. When the TTL on a packet reaches 0, the router is expected to return an ICMP Time Exceeded message to the source computer. Usage: tracert [-d] [-h MaximumHops] [-j HostList] [-w Timeout] [TargetName]
• The PING tool verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages. The receipt of the corresponding Echo Reply messages is displayed, along with round-trip times. Ping is the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution. Used without parameters, ping displays help. PING is available only if the Internet Protocol (TCP/IP) protocol is installed on the computer. Usage: ping [-t] [-a] [-n Count] [-l Size] [-f] [-i TTL] [-v TOS] [-r Count] [-s Count] [{-j HostList | -k HostList}] [-w Timeout] [TargetName]
• The IPCONFIG tool displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the IP address, subnet mask, and default gateway for all adapters. This command is available only if the Internet Protocol (TCP/IP) protocol is installed on the computer. Usage: ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]
• The NBTSTAT tool is useful for troubleshooting NetBIOS name resolution problems. You can use the nbtstat command to remove or correct preloaded entries. Usage: nbtstat [-a remotename] [-A IP address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
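As an added example (not part of the original notes), this Python script parses ipconfig /all output of the form shown above and applies the checks a technician would otherwise make by eye: an APIPA (169.254.x.x) address while DHCP is enabled, a default gateway outside the local subnet, and missing DNS servers. The sample text is constructed from the listing above and the health rules are this example's own.

```python
import ipaddress
import re

# Constructed sample, abridged from the ipconfig /all listing on this page.
SAMPLE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : wxpws001
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.100
   DNS Servers . . . . . . . . . . . : 192.168.0.100
"""

# "Field name . . . : value" - the dots are padding, the first colon separates the value.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*:\s*(?P<val>.*)$")
GLOBAL = "Windows IP Configuration"

def parse_ipconfig(text):
    """Return {section: {field: value}}, one section per adapter plus the global header."""
    sections, current = {}, GLOBAL
    for line in text.splitlines():
        if line.rstrip().endswith(":") and " adapter " in line:   # e.g. "Ethernet adapter X:"
            current = line.split(" adapter ", 1)[1].rstrip(": ").strip()
            continue
        m = FIELD.match(line)
        if m and m.group("val").strip():                          # skip empty fields
            sections.setdefault(current, {})[m.group("key").strip()] = m.group("val").strip()
    return sections

def check_adapter(f):
    """Flag the usual signs of a broken client configuration (rules are this example's own)."""
    findings = []
    ip = f.get("IP Address", "0.0.0.0")
    if ip == "0.0.0.0":
        return ["no IP address assigned"]
    if f.get("Dhcp Enabled") == "Yes" and ipaddress.ip_address(ip) in ipaddress.ip_network("169.254.0.0/16"):
        findings.append("APIPA address in use: the DHCP server was not reached")
    if "Default Gateway" not in f:
        findings.append("no default gateway")
    elif ipaddress.ip_address(f["Default Gateway"]) not in ipaddress.ip_interface(
            f"{ip}/{f.get('Subnet Mask', '255.255.255.0')}").network:
        findings.append("default gateway is not on the local subnet")
    if "DNS Servers" not in f:
        findings.append("no DNS servers configured")
    return findings

def check_ipconfig(text):
    """Map each adapter name to its findings; an empty list means the adapter looks healthy."""
    return {name: check_adapter(f) for name, f in parse_ipconfig(text).items() if name != GLOBAL}
```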
Configuring SSL authentication
• If you want to authenticate users who log onto a secure server with a client certificate, you will need to create mappings that tie together the information contained in a certificate to that contained in a user account.
• You can configure either one-to-one mapping or many-to-one mapping.
• One-to-one mapping maps individual client certificates to accounts. The server compares the copy of the client certificate it holds with the client certificate sent by the browser. The two must be absolutely identical for the mapping to proceed. If a client gets another certificate containing all of the same user information, it must be mapped again.
• Many-to-one mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject. This mapping does not compare the actual client certificate, but rather accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all of the same user information, the existing mapping will work.
• Alternatively, Directory Service (DS) mapping can be enabled. Directory Service (DS) certificate mapping uses native Windows 2000 Active Directory features to authenticate users with client certificates. There are both advantages (client certificate information is shared across many servers) and disadvantages (wildcard matching is not as advanced) to using DS mapping. You can enable DS mapping only at the Master properties level, and only if you are a member of a Windows 2000 domain. Activating DS mapping will exclude the use of one-to-one and many-to-one mapping for the entire Web service.
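An added example (not IIS code) modelling the difference between the two mapping styles described above: one-to-one keys on the exact certificate, so a re-issued certificate with the same subject no longer maps, while a many-to-one wildcard rule on issuer and subject still matches it. The certificates are constructed dictionaries standing in for real X.509 data.

```python
import fnmatch
import hashlib

def fingerprint(cert):
    """One-to-one mapping compares the whole certificate; hashing its encoded bytes models that."""
    return hashlib.sha256(cert["der"]).hexdigest()

class OneToOneMapper:
    def __init__(self):
        self.table = {}                       # fingerprint -> account
    def add(self, cert, account):
        self.table[fingerprint(cert)] = account
    def lookup(self, cert):
        return self.table.get(fingerprint(cert))

class ManyToOneMapper:
    def __init__(self):
        self.rules = []                       # ({certificate field: wildcard pattern}, account)
    def add_rule(self, criteria, account):
        self.rules.append((criteria, account))
    def lookup(self, cert):
        # First rule whose every field pattern matches wins; the certificate bytes are never compared.
        for criteria, account in self.rules:
            if all(fnmatch.fnmatchcase(cert.get(k, ""), pat) for k, pat in criteria.items()):
                return account
        return None

# Constructed certificates: ORIGINAL and RENEWED carry identical user information but
# different encodings (new key, new serial); VISITOR was issued by an unrelated CA.
ORIGINAL = {"subject": "CN=jdoe,OU=Sales,O=DontPanic", "issuer": "CN=DontPanic CA", "der": b"cert-serial-0001"}
RENEWED = {"subject": "CN=jdoe,OU=Sales,O=DontPanic", "issuer": "CN=DontPanic CA", "der": b"cert-serial-0002"}
VISITOR = {"subject": "CN=visitor,OU=Sales,O=Elsewhere", "issuer": "CN=Other CA", "der": b"cert-serial-9999"}

def demo():
    one = OneToOneMapper()
    one.add(ORIGINAL, r"DONTPANIC\jdoe")
    many = ManyToOneMapper()
    many.add_rule({"issuer": "CN=DontPanic CA", "subject": "*,OU=Sales,O=DontPanic"}, r"DONTPANIC\SalesUsers")
    return {
        "one_to_one_original": one.lookup(ORIGINAL),
        "one_to_one_renewed": one.lookup(RENEWED),     # None: the renewed certificate must be mapped again
        "many_to_one_renewed": many.lookup(RENEWED),   # still maps: same issuer and subject
        "many_to_one_visitor": many.lookup(VISITOR),   # None: issuer does not match the rule
    }
```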
Auditing
• To understand auditing, you need to understand three terms: Discretionary Access Control List (DACL), System Access Control List (SACL) and Access Control Entry (ACE).
• The Discretionary Access Control List is a list that represents part of an object's security descriptor and allows or denies permissions to specific users and groups.
• The System Access Control List is a list that represents part of an object's security descriptor and specifies which events are to be audited per user or group.
• An Access Control Entry is an entry in an object's DACL that grants certain permissions to a user or a group. An ACE is also an entry in an object's SACL that specifies the security events to be audited for a user or a group.
• Auditing is disabled by default. You can enable auditing on a specific computer or across the entire domain; it is your choice.
• In order to audit access to objects as part of your audit policy, you must turn on either the Audit directory service access category (for auditing objects on a domain controller) or the Audit object access category (for auditing objects on a member server).
• To allow auditing of file access, you will need to configure the auditing options for the folders and files of concern; this is done from the Advanced tab of the Properties page.
• When you audit a file or folder, an entry is written to the Event Viewer security log whenever the file or folder is accessed in a certain way that you are auditing.
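An added example (a simplified model, not Windows code) tying the three terms together: the DACL's ACEs decide whether an access attempt succeeds, and the SACL's ACEs decide whether that attempt, successful or failed, produces a security-log entry. The payroll folder, its trustees and the right bitmask are constructed for this example, and deny ACEs are given precedence over allows regardless of order.

```python
from dataclasses import dataclass, field

READ, WRITE, DELETE = 1, 2, 4           # access rights as a bitmask (constructed)

@dataclass
class ACE:
    """One entry in a DACL (kind "allow"/"deny") or in a SACL (kind "audit")."""
    trustee: str                        # user or group the entry applies to
    access: int                         # rights the entry covers
    kind: str
    on_success: bool = True             # SACL only: log successful access of this kind
    on_failure: bool = True             # SACL only: log failed attempts

@dataclass
class SecurityDescriptor:
    dacl: list = field(default_factory=list)   # who may do what
    sacl: list = field(default_factory=list)   # which attempts are audited

def access_check(sd, principal, groups, wanted):
    """DACL walk: a deny ACE for any of the caller's identities wins; otherwise every
    requested right must be granted by some allow ACE."""
    ids, granted = {principal, *groups}, 0
    for ace in sd.dacl:
        if ace.trustee in ids and ace.kind == "deny" and ace.access & wanted:
            return False
        if ace.trustee in ids and ace.kind == "allow":
            granted |= ace.access
    return wanted & granted == wanted

def audit_events(sd, principal, groups, wanted):
    """Return (access granted?, security-log entries the SACL calls for on this attempt)."""
    ok, ids, events = access_check(sd, principal, groups, wanted), {principal, *groups}, []
    for ace in sd.sacl:
        if ace.trustee in ids and ace.access & wanted and (ace.on_success if ok else ace.on_failure):
            events.append(("Object Access: Success" if ok else "Object Access: Failure", ace.trustee))
    return ok, events

# Constructed payroll folder: Finance may read and write, contractors are explicitly denied
# writes and deletes, everyone may read; writes and deletes by anyone are audited both ways.
PAYROLL = SecurityDescriptor(
    dacl=[ACE("Contractors", WRITE | DELETE, "deny"),
          ACE("Finance", READ | WRITE, "allow"),
          ACE("Everyone", READ, "allow")],
    sacl=[ACE("Everyone", WRITE | DELETE, "audit")],
)
```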
Working with DHCP servers
• Before a DHCP server can serve clients, it must be authorized to do so in Active Directory. To authorize a DHCP server, right-click on it and select Authorize.
• DHCP scopes can have options configured at the scope level and also at the server level. Options are inherited from the server level to the scope level.
• For networks with DHCP clients separated from the DHCP server by a router, the DHCP relay agent will need to be installed. Routers do not pass DHCP messages by default, as they are broadcast messages.
DNS & DNS servers
• If your DNS server must resolve addresses outside of the private network, then you must configure it for DNS forwarding. Right-click the DNS server in question, select Properties and change to the Forwarders tab.
• When using Active Directory, consider changing DNS zones to Active Directory integrated zones. AD integrated zones are easier to manage and offer superb security compared to standard DNS zones.
• Configure DNS for dynamic update to keep your zones up-to-date as DHCP leases are obtained and released.
• Non-Microsoft DNS servers can be used with Active Directory so long as they support RFCs 2052 (SRV records) and 2163 (dynamic updates). The DNS server in Windows NT Server 4.0 cannot be used with AD; however, BIND versions 8.1.2 and later can.
• A records map a FQDN to an IP address.
• The Start Of Authority (SOA) record names the primary DNS server for a domain, provides an e-mail address for the admin, and specifies how long it is okay to cache its data.
• NS records designate which servers are Name Servers in the domain.
• CNAME (Canonical Name) records, or aliases, provide an alias for the hostname of a server.
• MX (Mail Exchange) records allow an admin to designate which machines receive mail in a domain by order of preference (a lower number equals higher preference).
• PTR (Pointer) records are also called reverse records or reverse lookups. They allow an IP address to be resolved to a host name.
• SRV records allow DNS to identify server types.
• A Standard Primary zone stores a master copy of the zone in a text file. It is used to exchange DNS data with other servers that use text-based storage methods.
• A Standard Secondary zone creates a copy of an existing zone; it is used for load balancing and fault tolerance.
• A caching DNS server simply resolves requests and caches data from resolved requests until its TTL expires.
• Full Zone Transfer (AXFR) is supported by most DNS implementations. When the refresh interval expires on a secondary server, it queries its primary using an AXFR query. If the serial number has changed since the last copy, a new copy of the entire zone database is transferred to the secondary.
• Incremental Zone Transfer (IXFR) also uses serial numbers, but only transfers the information that has changed rather than the entire database. The server will only transfer the full database if the sum of the changes is larger than the entire zone, the client's serial number is lower than the serial number of the oldest version of the zone kept on the server, or the server responding to the IXFR request does not recognize that type of query.
• You can use the dnscmd.exe utility from the command line to work with DNS servers, zones and resource records. It can be used to manually modify DNS server properties, to create and delete zones and resource records, and to force replication events between DNS server physical memory and DNS databases and data files.
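An added example (a model, not Microsoft's or BIND's code) of the primary server's decision between the AXFR and IXFR responses described in the two bullets above: unchanged serial means nothing is sent, and the full zone goes out when the server does not support IXFR, when the client's serial is older than any version the server still holds, or when the accumulated changes outweigh the zone itself. The zone history and serial numbers are constructed.

```python
# Constructed zone history on the primary: serial -> full record set (name, type, data) at that version.
HISTORY = {
    2002040201: {("www", "A", "192.168.0.10"), ("mail", "A", "192.168.0.20"), ("@", "MX", "10 mail")},
    2002040202: {("www", "A", "192.168.0.10"), ("mail", "A", "192.168.0.20"), ("@", "MX", "10 mail"),
                 ("ftp", "A", "192.168.0.30")},
    # Whole network renumbered: nearly every record changes.
    2002040203: {("www", "A", "10.0.0.10"), ("mail", "A", "10.0.0.20"), ("@", "MX", "10 mail"),
                 ("ftp", "A", "10.0.0.30")},
    # One host moved.
    2002040204: {("www", "A", "10.0.0.11"), ("mail", "A", "10.0.0.20"), ("@", "MX", "10 mail"),
                 ("ftp", "A", "10.0.0.30")},
}

def changes_between(old, new):
    """Deletions followed by additions, the shape an incremental response carries."""
    return [("delete", r) for r in sorted(old - new)] + [("add", r) for r in sorted(new - old)]

def answer_transfer(client_serial, history=HISTORY, server_supports_ixfr=True):
    """What the primary returns to a secondary whose refresh interval just expired.
    Returns (kind, payload) with kind 'none', 'AXFR' (full zone) or 'IXFR' (changes only)."""
    current = max(history)
    full = sorted(history[current])
    if client_serial >= current:
        return ("none", [])          # serial unchanged: nothing to transfer
    if not server_supports_ixfr:
        return ("AXFR", full)        # server does not recognise IXFR: whole zone
    if client_serial not in history:
        return ("AXFR", full)        # client's version older than any copy the server kept
    delta = changes_between(history[client_serial], history[current])
    if len(delta) > len(full):
        return ("AXFR", full)        # changes add up to more than the zone itself
    return ("IXFR", delta)
```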