Microsoft Press MCSA/MCSE Self-Paced Training Kit, Exam 70-293, Part 9


Chapter 15 Planning, Implementing, and Maintaining a Network Infrastructure (2.0)

4. You are designing the NetBIOS name resolution strategy for a multisegment network running Windows Server 2003 but that still includes some Windows NT servers and Windows 95 workstations. You have decided that you don’t want to run a WINS server, but you have a Windows NT 4.0 print server that all users must be able to access. Which of the following strategies would make this possible? (Choose all that apply.)

A. Do nothing. The computers will be able to resolve the name of the server running Windows NT automatically using broadcast name resolution.
B. Create an LMHOSTS file on each computer with an entry containing the NetBIOS name and IP address of the server running Windows NT.
C. Preload the NetBIOS name and IP address of the server running Windows NT into the NetBIOS name cache.
D. It can’t be done. You must run a WINS server for computers to be able to resolve the NetBIOS names of computers on other networks.

Objective 2.8 Plan a NetBIOS Name Resolution Strategy

Objective 2.8 Answers

1. Correct Answers: B

A. Incorrect: The NetBIOS name cache contains all the NetBIOS names that the computer has recently resolved by any means, whether the resolved names are for computers on the local network or another network.
B. Correct: Broadcast transmissions are limited to the local network, so the broadcast method can only resolve the name of a computer on the local network.
C. Incorrect: You can create entries in an LMHOSTS file for the NetBIOS name of any computer on any network. In fact, the primary reason for using LMHOSTS files is to resolve the names of computers on other networks.
D. Incorrect: WINS can resolve the NetBIOS names of any computer on any network.

2. Correct Answers: D

A. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, but it uses LMHOSTS only after broadcast name resolution has failed.
B. Incorrect: A computer running a Windows operating system always checks the NetBIOS name cache before using any other NetBIOS name resolution method, then uses broadcasts and, failing that, LMHOSTS.
C. Incorrect: Computers running Windows operating systems try to resolve NetBIOS names using broadcast transmissions before they try using LMHOSTS, and they always check the NetBIOS name cache before any other mechanism.
D. Correct: A computer running a Windows operating system that is not a WINS client always checks the NetBIOS name cache first when trying to resolve a NetBIOS name, then tries the broadcast transmission method. If the broadcast method fails, the computer tries to look up the name in the LMHOSTS file.

3. Correct Answers: B

A. Incorrect: This replication topology would result in only the New York WINS servers having complete replicas of the database, because all replication traffic is traveling in one direction.
B. Correct: This solution is called a ring replication topology, because each site is sending its data to the east and receiving data from the west. This enables every server to have a complete replica of the WINS database without creating a large amount of redundant WAN traffic.
C. Incorrect: While this option does provide satisfactory replication performance, it also generates much more WAN traffic than a ring topology.
D. Incorrect: The WINS client enables you to specify multiple WINS server addresses only as fallbacks in case of a server failure. Adding all the WINS server addresses to each client does not cause the client to register its NetBIOS name with all the servers.

4. Correct Answers: B and C

A. Incorrect: Only the client computers on the same local area network as the server running Windows NT would be able to resolve its name using broadcast transmissions.
B. Correct: LMHOSTS functions as a backup to the broadcast name resolution method, because it is able to resolve NetBIOS names of computers on other networks.
C. Correct: Preloading the name of the server running Windows NT into the cache using an LMHOSTS file enables the computer to resolve the name without using the broadcast method.
D. Incorrect: An LMHOSTS file can resolve any NetBIOS name, regardless of whether it is on the local network or not.

Objective 2.9 Troubleshoot Host Name Resolution

Name resolution failures can often appear to users as complete TCP/IP communications failures, but that is not the case. When a client computer is unable to resolve a name, it cannot obtain the IP address it needs to initiate communication with the named computer. However, if you already have the named computer’s IP address, you can connect to it directly by using the address in place of the name. This is the best way to determine if a failure to connect to a TCP/IP system is due to a name resolution problem. Once you have determined that a name resolution problem is causing your communications failure, you can begin to isolate the location of the problem.

Name resolution failures can be the result of a problem on the client or on the computer running the DNS server. At the client, the problem is typically an incorrect DNS server address. Either the Preferred DNS Server or the Alternate DNS Server field in the Windows Internet Protocol (TCP/IP) Properties dialog box must contain the IP address of a valid and operating DNS server.

If the client contains valid DNS server addresses, the servers themselves might be malfunctioning.
The most obvious problem is that the DNS server is not functioning at all, because it is suffering from its own TCP/IP communications failure. Like any other computer, the DNS server must have the correct TCP/IP configuration parameters, including a valid IP address and subnet mask, plus a default gateway address. Malfunctioning hardware can also inhibit the server’s communications. If you cannot successfully ping a DNS server address, it is suffering from some sort of TCP/IP communications failure.

If you can ping the DNS server computer, you should then check to see if the DNS Server service is running. You might find that someone has shut down the service, or that the service never started when the computer booted, or that the service has stopped. You can check the Event Viewer console for error messages that might explain the stoppage or just try restarting the service yourself.

In some cases, a DNS server might successfully resolve a name, but supply the wrong IP address to the client. This could be due to any one of the following reasons:

■ Incorrect resource records—Administrators frequently type DNS resource records by hand, and typographic errors can result. If a resource record contains an incorrect IP address, the only solution is to correct it manually.
■ Dynamic update failures—If dynamic updates fail for any reason, the DNS server’s resource records could contain incorrect or outdated IP addresses. In this event, you can correct the resource records manually, or trigger a new dynamic update by traveling to the computer whose resource record is wrong and typing IPCONFIG /registerdns at a command prompt. If dynamic updates still fail to occur, check to see whether the server supports them and is configured to accept them.
■ Zone transfer failures—If the DNS server is supplying incorrect IP addresses from a secondary zone, it is possible that a zone transfer has failed to occur, leaving outdated information in the secondary zone database file. Try to manually trigger a zone transfer. If the zone transfer still does not occur, the problem might be due to the incompatibility of different DNS server implementations, such as different compression formats or unsupported resource record types. If this is the case, you might have to update the secondary zone’s resource records manually until you can update one or both servers to compatible DNS software implementations.

Objective 2.9 Questions

1. Which of the following sets of symptoms could indicate that the DNS server service has shut down?

A. You are unable to ping the DNS server from the client computer or any other computer.
B. You are unable to ping the DNS server from the client computer, but you can ping it from other computers.
C. You can successfully ping the DNS server from any computer, but you cannot resolve a name using NSLOOKUP.EXE with that server.
D. You can successfully resolve a name using NSLOOKUP.EXE with the DNS server, but the IP address it supplies is outdated.

2. Which of the following symptoms indicates that a DNS server has incorrect root hints?

A. The server can resolve names of computers on the local network, but it cannot resolve names of computers on other networks.
B. The server can resolve all names, but the IP addresses for computers on the local network are incorrect.
C. The server can resolve names into IP addresses, but it cannot resolve IP addresses into names.
D. The server can resolve names for which it is authoritative, but it cannot resolve any other names.

3. When troubleshooting an Internet connection problem on a client running the Windows operating system, which of the following actions should you try to determine if name resolution failures are the cause of the problem?

A. Connect to an Internet server using its IP address.
B. Ping the client’s preferred DNS server address.
C. Execute the IPCONFIG /registerdns command on the client.
D. Trigger a manual zone transfer on the client’s DNS.

Objective 2.9 Answers

1. Correct Answers: C

A. Incorrect: This symptom is an indication that either the client or the DNS server is suffering from a complete TCP/IP communications failure, not just the failure of the DNS service.
B. Incorrect: Because the server is operational, this symptom indicates that the client computer is experiencing a TCP/IP communications failure.
C. Correct: The fact that the client can ping the DNS server indicates that the server computer is operational, but the failure of the server to resolve names indicates that the DNS Server service is not running or is not functioning properly.
D. Incorrect: A non-functioning DNS Server service would not supply any IP addresses in response to client requests.

2. Correct Answers: D

A. Incorrect: DNS servers do not use broadcast transmissions during the name resolution process, so there is no way that they can be limited to resolving names on the local network only.
B. Incorrect: Incorrect IP addresses could be a symptom of typographical errors in resource records, dynamic update failures, or zone transfer failures. They are not a symptom of incorrect root hints.
C. Incorrect: DNS servers perform reverse name resolutions (from addresses to names) the same way they perform standard name resolutions. Incorrect root hints would affect both of these processes.
D. Correct: The names for which a DNS server is authoritative are those stored in its own zone database files. The inability to resolve other names indicates that the server is having problems sending queries to other servers, which could be caused by incorrect root hints.

3. Correct Answers: A

A. Correct: The ability to connect to an Internet server using its IP address when the client cannot connect to the same server using its name is a definitive indication of a name resolution problem.
B. Incorrect: The fact that the client computer cannot successfully ping the preferred DNS server address does not establish that name resolution is the cause of the client’s Internet connection problem. The client could be using the alternate DNS server to resolve names and could actually be suffering from another problem.
C. Incorrect: This command causes the client computer to reregister its name with the DNS server using dynamic update. While this action does verify that the client can communicate with the DNS server, it does not definitively identify name resolution failure as the source of the Internet connection problem.
D. Incorrect: Triggering a zone transfer initiates a replication process between two DNS servers. This action cannot determine anything about DNS clients.

16 Planning, Implementing, and Maintaining Routing and Remote Access (3.0)

The Routing and Remote Access service in the Microsoft Windows Server 2003 family of operating systems can route traffic in several ways, enabling you to configure a server to route traffic between local area networks (LANs), between a LAN and a wide area network (WAN), or a LAN and remote users who access the network using modems or virtual private network (VPN) connections. Remote access servers present unusual problems because of potential security hazards they represent.
Users connecting to a private network using the Internet or an open dial-up telephone line must be authenticated before they receive access, and in many cases, must have their access limited to specific resources. To create an effective routing and remote access strategy, you must consider the security ramifications of the access you grant to your users and take steps to prevent access by unauthorized users.

Tested Skills and Suggested Practices

The skills that you need to successfully master the Planning, Implementing, and Maintaining Routing and Remote Access objective domain on the 70-293 exam include:

■ Plan a routing strategy.
  ❑ Practice 1: Configure a computer running Windows Server 2003 to function as a router and install the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) routing protocols. Then, examine the configuration parameters available for each protocol and use the online help to determine their functions.
  ❑ Practice 2: Configure the Routing and Remote Access service on a computer running Windows Server 2003 four times, using the four preset configurations provided by the Routing And Remote Access Server Setup Wizard. For each configuration, list the components that the service installs by default and examine the default configuration settings for each component.

[...]

... taking exam 70-293

Objective 3.1 Review Lesson 2 in Chapter 2, “Planning a TCP/IP Network Infrastructure,” and Lessons 1 and 2 in Chapter 5, “Using Routing and Remote Access.”

Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 1, “Designing a TCP/IP Network.” This volume can also be found on Microsoft’s ... site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx

Objective 3.2 Review Lesson 3 in Chapter 5, “Using Routing and Remote Access.”

Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review ... Dial-up and VPN Remote Access Servers.” This volume can also be found on Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx

Objective 3.3 Review Lessons 2 and 3 in Chapter 12, “Securing Network Communications Using IPSec.”

Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft ...

... Encrypted Authentication (MS-CHAP)—An earlier version of the MS-CHAP protocol that uses one-way authentication and a single encryption key for transmitted and received messages. The security that MS-CHAP v1 provides is inferior to that of version 2, but RRAS includes it to support remote access clients running Microsoft Windows 95 and Microsoft Windows NT 3.51, which cannot use MS-CHAP v2.

■ Encrypted Authentication ...

... v2)—Version 2 of the Microsoft Challenge Handshake Authentication Protocol is a password-based protocol that enables the client and the server to mutually authenticate each other using encrypted passwords. MS-CHAP v2 is the simplest and most secure option to use when your remote access clients are running Microsoft Windows 98 or a later version of the Windows operating system.

■ Microsoft Encrypted ...

... Deployment Kit Volume: Deploying Network Services. Redmond, Washington: Microsoft Press, 2003. Review Chapter 6, “Deploying IPSec.” This volume can also be found at Microsoft’s Web site at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx

Objective 3.4 Review Lesson 4 in Chapter 5, “Using Routing and Remote Access.”

Microsoft Corporation. Windows Server 2003 Online Help. Review the “Using ...

... the network from unauthorized access, including dial-in properties, authentication protocols, and remote access policies. Dial-in properties are configuration settings that you find on the Dial-In tab of the Properties dialog box for every user object in the Active Directory database. These properties are as follows:

■ Remote Access Permission (Dial-in Or VPN)—Specifies whether the individual user is ...

... open-ended system that makes it possible for RRAS to use third-party authentication protocols, as well as those supplied with Windows 2000. EAP is the only authentication protocol supported by Windows Server 2003 RRAS that enables you to use mechanisms other than passwords (such as digital certificates stored on smart cards) to verify a user’s identity.

■ Microsoft Encrypted Authentication Version 2 (MS-CHAP ...

... which cannot use MS-CHAP v2.

■ Encrypted Authentication (CHAP)—An industry standard authentication protocol that is included in RRAS to support non-Microsoft remote access clients that cannot use MS-CHAP or EAP. CHAP is less secure than either version of MS-CHAP because CHAP requires using a reversibly encrypted password.

■ Shiva Password Authentication Protocol (SPAP)—Shiva Password Authentication Protocol ...

... activate them by selecting Assign from the Action menu in the IP Security Policies snap-in.

Objective 3.3 Implement Secure Access Between Private Networks

Objective 3.3 Questions

1. You are a network administrator for a company with headquarters in New York and a branch office in Chicago. You have installed a T-1 leased line connecting the two offices and you are using computers running Windows ...
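For the zone transfer failure case described under Objective 2.9 above, one way to confirm that a secondary zone holds outdated data is to compare the SOA serial number that the primary and the secondary server each return for the zone. This is an added example, not code from the training kit: it goes beyond the page's text by using the standard DNS SOA serial, and the zone name `example.test` and the serial values in it are constructed.

```python
import socket
import struct

SOA, IN = 6, 1  # DNS record type SOA, class IN

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")) + b"\x00"

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Non-recursive query for the zone's SOA record."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!2H", SOA, IN)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name; a 2-byte compression pointer ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_soa_serial(msg: bytes) -> int:
    """Extract the SOA serial from a DNS response, or raise ValueError."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000 or flags & 0x000F:
            raise ValueError("not a successful response (RCODE %d)" % (flags & 0x000F))
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == SOA:
                p = skip_name(msg, skip_name(msg, off))  # skip MNAME and RNAME
                return struct.unpack("!I", msg[p:p + 4])[0]
            off += rdlen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
    raise ValueError("no SOA record in the answer section")

def query_serial(server: str, zone: str, timeout: float = 3.0) -> int:
    """Ask one DNS server (UDP port 53) for the zone's SOA serial."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, 53))  # only accept replies from this server
        sock.send(build_soa_query(zone))
        return parse_soa_serial(sock.recv(4096))

def secondary_is_stale(primary: int, secondary: int) -> bool:
    """True if the primary's serial is newer (RFC 1982 serial arithmetic)."""
    return 0 < ((primary - secondary) & 0xFFFFFFFF) < 0x80000000

def sample_response(serial: int) -> bytes:
    """Constructed SOA answer for the made-up zone example.test (offline demo)."""
    question = encode_name("example.test") + struct.pack("!2H", SOA, IN)
    rdata = b"\x03ns1\xc0\x0c\x05admin\xc0\x0c" + struct.pack("!5I", serial, 900, 600, 86400, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    print(secondary_is_stale(*(parse_soa_serial(sample_response(s)) for s in (2014080902, 2014080901))))
```

Against live servers, call `query_serial` once with the primary's address and once with the secondary's, then pass both results to `secondary_is_stale`; a true result means the secondary has not yet picked up the primary's latest zone data.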

Date posted: 09/08/2014, 07:21
