Syngress the real MCTS MCITP windows server 2008 configuring network infrastructure exam 70642 prep kit apr 2008 ISBN 1597492469 pdf


Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Brien Posey, Technical Editor
Susan Snedaker
Jeffery Martin
John Karnay
Ira Herman
Dustin Hannifin
Shawn Tooley

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, and Syngress®, are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   BPOQ48722D
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Real MCTS/MCITP Exam 70-642 Prep Kit

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN 13: 978-1-59749-246-1
Publisher: Andrew Williams
Acquisitions Editor: David George
Technical Editor: Brien Posey
Project Manager: Gary Byrne
Page Layout and Art: SPI
Copy Editors: Audrey Doyle, Judy Eby, Adrienne Rebello
Indexer: Nara Wood
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Technical Editor

Brien Posey is a freelance technical writer who has received Microsoft’s MVP award four times. Over the last 12 years, Brien has published more than 4,000 articles and whitepapers, and has written or contributed to more than 30 books. In addition to his technical writing, Brien is the cofounder of Relevant Technologies (www.relevanttechnologies.com) and also serves the IT community through his own Web site at www.brienposey.com.

Prior to becoming a freelance author, Brien served as CIO for a nationwide chain of hospitals and healthcare facilities and as a network administrator for the Department of Defense at Fort Knox. He has also worked as a network administrator for some of the nation’s largest insurance companies.

Brien wishes to thank his wife, Taz, for her love and support throughout his writing career.

Contributing Authors

Susan Snedaker (MCSE, MCT), principal consultant for VirtualTeam Consulting, LLC (www.virtualteam.com), is an accomplished business and technology consultant, speaker, and author. During her career, she has held executive and technical positions with companies such as Microsoft, Honeywell, Keane, and Apta Software. As a consultant, she has worked with small, medium-sized, and large companies, including Canyon Ranch, University of Arizona, National University, Sabino Investment Management, Pyron Solar, University of Phoenix, DDB Ventures, ShopOrganic.com, and the Southern Arizona AIDS Foundation.

Susan’s latest book, Business Continuity and Disaster Recovery for IT Professionals, Syngress (978-1-59749-172-3) was released in the spring of 2007. Additionally, Susan has written four other books and contributed chapters to 11 books. She has also written numerous technical articles on a variety of technology, information security, and wireless technologies. Susan is an experienced trainer, facilitator, and speaker.

Susan holds a Master of Business Administration (MBA) and a Bachelor of Arts in Management (BAM) from the University of Phoenix. In 2006, she received an Executive Certificate in International Management from Thunderbird University’s Garvin School of International Management. Susan also holds a certificate in Advanced Project Management from Stanford University and attained Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Project Management Institute (PMI) and the Information Technology Association of Southern Arizona (ITASA).

Jeffery A. Martin, MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology.

John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora.

Ira Herman (MCSE, CCAI, CCNA, CNA, A+, Network+, i-Net+, CIW Associate) is co-chief executive officer and cofounder of Logic IT Consulting (www.logicitc.com), a consulting firm specializing in business information technology solutions with an emphasis on work-life balance, stress-free productivity, and efficiency training and coaching. Prior to founding Logic IT Consulting, Ira held various technical and executive positions with companies such as Microsoft, Keane, The University of Arizona, Xynetik, and Brand X LLC. Ira has written and delivered technical training for Logic IT Consulting and its clients as well as various organizations, including Pima Community College, JobPath, and SeniorNet.

Ira holds Microsoft Certified Systems Engineer (MCSE and MCSE+I), Cisco Certified Academy Instructor (CCAI), Cisco Certified Network Associate (CCNA), Certified Novell Administrator (CNA), CompTIA A+ Certified Computer Service Technician (A+), CompTIA Network+, CompTIA Internetworking (i-Net+), and ProsoftTraining Certified Internet Webmaster Associate (CIW Associate) certifications as well as Microsoft internal endorsements in Windows NT Fundamentals (Workstation), Windows NT Advanced (Server), Microsoft TCP/IP on Windows NT 4, Windows 2000 Foundational Topics, and Windows 2000 Setup Specialty.

Dustin Hannifin (Microsoft MVP—Office SharePoint Server) is a systems administrator with Crowe Chizek and Company LLC. Crowe (www.crowechizek.com) is one of the nation’s leading public accounting and consulting firms. Under its core purpose of “Building Value with Values®,” Crowe assists both public and private companies in reaching their goals through services ranging from assurance and financial advisory to performance, risk, and tax consulting.

Dustin currently works in Crowe’s Information Services delivery unit, where he plays a key role in maintaining and supporting Crowe’s internal information technology (IT) infrastructure. His expertise resides in various Microsoft products, including Office SharePoint Server, System Center Operations Manager, Active Directory, IIS, and Office Communications Server.

Dustin holds a bachelor’s degree from Tennessee Technological University and is a founding member of the Michiana IT Professionals Users Group. He regularly contributes to technology communities, including his blog (www.technotesblog.com) and Microsoft newsgroups. Dustin, a Tennessee native, currently resides in South Bend, IN.

Shawn Tooley owns a consulting firm, Tooley Consulting Group, LLC, that specializes in Microsoft and Citrix technologies, for which he is the principal consultant and trainer. Shawn also works as network administrator for a hospital in North Eastern Ohio. Shawn’s certifications include Microsoft Certified Trainer (MCT), Microsoft Certified System Engineer (MCSE), Citrix Certified Enterprise Administrator, Citrix Certified Sales Professional, HP Accredited System Engineer, IBM XSeries Server Specialist, Comptia A+, and Comptia Certified Trainer. In his free time he enjoys playing golf.

Contents

Foreword
Chapter IP Addressing and Services
Introduction
Configuring IPv4 and IPv6 Addressing
IPv4 Quick Review
Configuring Local IPv4 Settings
Configuring IPv4 Options
Subnetting
Supernetting
Alternative Configuration
Internet Protocol Version 6 (IPv6)
IPv6 Address Format
IPv6 Address Types
IPv6 Autoconfiguration Options
IPv6 Transition Technologies
Configuring IPv6 Settings
Configuring Dynamic Host Configuration Protocol (DHCP)
Adding the DHCP Server Role
Configuring DHCP Scopes
Configuring IPv4 Scopes and Options
DHCP IPv4 Reservations
Configuring DHCP Scope Options
Server Options
Scope Options
Reservation Options
Setting Scope Options
Configuring IPv6 Scopes
Configuring IPv6 Scope Options
DHCP IPv6 Client Reservation Configuration
Creating New Options
New Options Using the Windows Interface
New Options Using the Command Line
Exclusions
DHCP Relay Agents

Index

filtering (Continued) WFAS inbound/outbound filters, 272–273 firewall AH header and, 57 profiles, 75–76 rules, 71–75 See also Windows Firewall
with Advanced Security flexible host isolation, 481 folder DFS namespace, adding shared folders to, 334–335 DFS replication, 335–336 encrypting with EFS, 327 NTFS permissions, 316–319 Shadow Copy Services, 337–342 Share Permissions, 315–316 shared folders/permissions, configuring, 319–325 sharing, 314–315 forwarders, server-level configuration of, 114–117 creating, 117–118 forwarding, conditional configuration of, 118 domain requests, 219 forwarders, creating, 118–120 forwarders, managing, 121–123 FQDN (fully qualified domain name), 115 FRS (File Replication Service), 312 FSRM (File Server Resource Manager) description of, 311 Disk Quotas, 348–353 full backup, 343 fully qualified domain name (FQDN), 115 G global hostname space, 115 global unicast addresses, 14 www.syngress.com GlobalNames Zone (GNZ) creating, 149–150 description of, 125, 215 domain controllers, enabling to support, 148–149 overview of, 147 GPOs See Group Policy Objects Group Policy IEEE 802.1x configuration in, 50–53 IPSec configuration via, 59, 61 IPSec policy creation in, 61 IPSec settings in, 92–93 for network authentication, 43, 49 RRAs configuration via, 53 WFAS management, 81–82 for Wired Network Policies Group Policy extension, 47–48 wireless group policy creation, 285–286 for WLAN authentication, 46 Group Policy Objects (GPOs) client DNS settings management with, 211–213 DNS client management with, 221 overrides/application order, 395 for WSUS clients, 398–401 groups, WSUS computer, 395–398 H Hard Quotas, 349–350, 372 HCAP (Host Credential Authorization Protocol), 45 Health Policies, NAP configuring, 473–474 Connection Request Policies, 474–475 Health Policies, 476–478 NAP settings, 478–479 Network Policies, 475–476 health policy of NAP, 40 in NAP and DHCP integration policy, 39 Index of NPS/NAP, 249–251 Health Policy Server, NAP, 461 Health Registration Authority (HRA), 45, 460 Health requirement server, NAP, 461 hints, root See root hints Host Credential Authorization Protocol (HCAP), 45 
host ID, host records A vs AAAA, 220 DNS, creating, 159–163 host-based firewalls, 64 hosts files configuring, 191–192 name resolution with, 103 HRA (Health Registration Authority), 45, 460 HTTPS, 262–263 Hyper V role, 266 I IAID (identity association identifier), 31 IAS See Internet Authentication Service IBSS (independent basic service set) network, 283 ICACLS command, 318 ICS (Internet Connection Sharing), 257–260 identity association identifier (IAID), 31 IEEE 802.1x configuration in Windows Server 2008, 50–53 enforcement, 484–485 NAP client authentication methods, 485–487 WLAN authentication with, 46–50 IEEE 802.11 standard weakness of, 46 Windows Server 2008 changes to, 238 for wireless access, 277 wireless group policy and, 285 IEEE 802.3 configuration in Windows Server 2008, 50–53 WLAN authentication with, 46–50 IGP (Interior Gateway Protocol) OSPF, 244–245 RIP, 243–244 import/export, of print queues/printer settings, 359–361 inbound rules, 72–74 inbound/outbound filters, 272–273 incoming traffic, firewall rules for filtering, 71–74 incremental backup, 343 independent basic service set (IBSS) network, 283 Indexing Service, 312 infrastructure network ad hoc network vs., 283–285 wireless network as, 277 inheritance, 319 Integrated Services Digital Network (ISDN), 245 integration policy, 38–40 Interior Gateway Protocol (IGP) OSPF, 244–245 RIP, 243–244 Internet routing protocols, 242–243 top-level domain names, 116–117 Internet Authentication Service (IAS) NPS as replacement, 292 replacement of, 237, 248, 275 Internet Connection Sharing (ICS), 257–260 Internet Security Association and Key Management Protocol (ISAKMP), 58, 261 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 16 www.syngress.com 521 522 Index IP address IPv6 address format, 13–14 IPv6 address types, 14–15 NAT for, 255–257 See also Domain Name Servers (DNS) configuration IP addressing alternative configuration of, 13 DHCP configuration, 18–42 IP Security (IPSec) configuration, 55–64 IPv4 
configuration, 3–13 IPv4/IPv6 comparison, 2–3 IPv6 configuration, 13–18 network authentication configuration, 43–55 overview of, 85–90 Windows Firewall with Advanced Security in Windows Server 2008, 64–84 IP header, 57 IP Security enforcement, 491–492 IP Security (IPSec) authentication header, 57–58 configuration in Windows Server 2008, 59–61 configuration overview, 89 Encapsulating Security Payload, 58–59 firewall rules for filtering traffic, 73 isolation policy, 63–64 overview of, 86 policy, creation of, 61–63 properties of, 55–56 for remote access, 261 settings in Group Policy/WFAS, 92–93 SSTP development and, 262 WFAS integration, 65 WFAS settings, 76–80 IPSec enforcement boundary network, 480 flexible host isolation, 481 overview of, 479–480 www.syngress.com restricted network, 481 secure network, 480 IPSecurity Policy Management, 61 IPv4 alternative configuration, 13 configuration of local settings, 6–7 configuration overview, 87 DHCP reservations, 24 DHCP scope options, configuration of, 24–27 DHCP Server role, adding, 20 DHCP server scopes/options, configuration of, 21–23 exam questions about, 85 host records, 171–173 IPv6 comparison, 2–3 LLMNR and, 221 NAT for translation of, 255–257 overview of, 4–5 subnetting, 7–12 supernetting, 12 IPv6 address format, 13–14 address types, 14–15 autoconfiguration options, 15 CIDR in, 12 configuration of local settings, configuration of settings, 16–18 configuration overview, 87 DHCP client reservation configuration, 30–31 DHCP scopes, configuration of, 21 DHCP Server role, adding, 19–21 enabled by default in Windows Server 2008, exam questions about, 85, 91 host records, 173–175 IPv4 comparison, 2–3 NAP and, 460–461 NAT and, 256 resources on, Index scope options, configuration of, 30 scopes, configuration of, 27–29 transition technologies, 15–16 WFAS support of, 66 IPv6 over IPv4 tunneling, 16 ISAKMP (Internet Security Association and Key Management Protocol), 58, 261 ISATAP (Intra-Site Automatic Tunnel Addressing 
Protocol), 16 ISDN (Integrated Services Digital Network), 245 isolation, server/domain, 69 isolation policy, IPSec, 63–64 K Kerberos authentication, 44–45 key exchange, 76, 77–78 keys of Encrypting File System, 326–330 IPSec properties, 55–56 in SSL, 263, 265 L LANs (Local Area Networks), 242–243 Layer Two Tunneling Protocol (L2TP), 261 Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) changes to, 54–55 for remote authentication, 53, 54 SSTP and, 237 lease duration DHCP lease duration, 18–19 in IPv4 scopes configuration, 23 for IPv6 scopes, 28–29 link state database (LSDB), 244 link state protocol, 243 Link-Local Multicast Name Resolution (LLMNR), 210, 221 LMHOSTS file, 208–210 Local Area Connection Properties dialog box IPv4 settings configuration, 6–7 IPv6 settings configuration, 16–18 Local Area Networks (LANs), 242–243 local link address begin with FE80, 27 in IPv6, 14, 15 location-aware profiles, 66, 68–69 log See event log LSDB (link state database), 244 M mail exchanger (MX) records, 178–179 Main mode, 77–78, 81 master server, DNS, 137 Media Access Control (MAC) address DHCP IPv4 reservations, 24 DHCP IPv6 client reservation configuration, 30–31 Message Digest (MD5), 55 Microsoft, DNS terminology, 119–120 Microsoft Baseline Security Analyzer (MBSA), 438–441, 445 Microsoft TechNet, Microsoft Trustworthy Computing Initiative, 456 Microsoft Virtual Server, 343 Microsoft Web site, 5, 27 monitoring, 80–81 See also network infrastructure management multicast scopes, 21 N name resolution, client computer configuration of, 217–218 DNS server list, configuring, 200–202 HOSTS file configuration, 203–204 LLMNR overview, 210 LMHOSTS file, configuring, 208–210 www.syngress.com 523 524 Index name resolution, client computer (Continued) NetBIOS node type configuration, 204–206 overview of, 197–199 settings management with Group Policy, 211–213 suffix search order, configuring, 202–203 WINS server list, configuring, 207–208 in XP and later, 199–200 
name resolution, private, 117–119 name server records, 184–186 namespace See DFS namespace NAP See Network Access Protection NAP Health Policy Server (NPS), 460, 461 NAS, 273–275 NAT See Network Address Translation NAT–T (Network Address Translation Translation–Traversal), 56 NBP (network boot program), 36–37 NET PRINT command, 355 NET SHARE command, 325 NetBIOS node type, 204–206 netsh advfirewall command, 60, 83 netsh command, 41–42 netsh dhcp command, 32 netsh lan command, 48 netsh wlan command, 280 network access overview of, 287–290 remote access and Windows Servers 2008, 237–238 remote access, configuration of, 245–277 routing, configuration of, 238–245 routing in Windows Server 2008, 236–237 Windows Server 2008 features for, 235 wireless access and Windows Server 2008, 238 wireless access, configuration of, 277–286 Network Access Protection (NAP) 802.1x enforcement, 484–487 www.syngress.com configuration of policies/settings for NAP enforcement, 251–252 DHCP and, 38–40 DHCP enforcement, 463–469 DHCP integration with, 85 health policies, configuring, 473–479 health policy for network with, 249–251 IPsec enforcement, 479–483 network layer protection, 458–463 overview of, 456–458, 488–490 replacement of IAS, 237 VPN enforcement, 469–473 Web site, 492 Network Access Protection Partners, 457 Network Access Quarantine Control description of, 456 NAP and, 457, 491 Network Address Translation (NAT) enabling/configuring, 256–257 for IPv4, popularity, use of, 10 remote access with, 255–256 Network Address Translation Translation–Traversal (NAT–T), 56 network addresses for IPv4, 4–5 subnetting for IPv4 networks, 8–10 network authentication configuration NTLMv2/Kerberos authentication, 44–45 overview of, 43–44, 85–86, 88 Routing and Remote Access Services, 53–55 WLAN authentication with 802.1x/802.3, 46–53 Network Awareness APIs, 281 network boot program (NBP), 36–37 network connections, 67–69 network data, gathering Baseline Security Analyzer, 438–441 Network Monitor, 
441–444 Index overview of, 446 SNMP, 433–437 Network Diagnostics Framework, 279 network ID subnetting for IPv4 networks, 8–10 supernet as range of Class C network IDs, 12 Network Information Service (NIS), 30 Network Information Service Plus (NIS+), 30 network infrastructure management client settings, 394–398 client targeting, 401 Data Collector Sets, 409–419 disconnected networks, 406–408 event logs, monitoring, 426–433 GPOs, 398–401 network data, gathering, 433–444 overview of, 380 performance data, capturing, 409 Performance Monitor, 420–423 Reliability Monitor, 424 software updates, 401–404 System Stability Index, monitoring, 425–426 test/approval, 404–406 type selection, updating, 393–394 WSUS, installing, 381–393 WSUS server settings, configuring, 380–381 network interface card (NIC), network layer protection Active Directory Domain Services, 461 NAP clients, 459–460 NAP enforcement points, 460–461 NAP Health Policy Server, 461 NAP Health Requirement Server, 461 overview of, 458–459 restricted networks, 462–463 software policy validation, 463 Network Location Awareness (NLA), 84 network location-aware host firewall, 67–69 Network Monitor, 441–444 network perimeter firewalls, 64 network policies, 43–44 Network Policy and Access Services for Kerberos authentication configuration, 45 RADIUS function handled by, 43 Network Policy Server (NPS) changes to, 250–251 function of, 43–44 functionality with, 248–249 as IAS replacement, 292 for Kerberos authentication configuration, 45 for NAP and DHCP integration policy, 38–40 NAP enforcement methods, policies/ settings for, 251–252 for RADIUS server configuration, 275–277 replacement of IAS, 237 for WLAN authentication, 46 network printer, 357–358 networks Internet disconnected, WSUS updates on, 406–408 restricted, NAP and, 462–463 New Scope Wizard DHCP exclusions settings in, 32–35 IPv4 scopes/options configuration, 22–24 IPv6 scopes, configuration of, 27–29 NIC (network interface card), NIS (Network Information 
Service), 30 NIS+ (Network Information Service Plus), 30 NLA (Network Location Awareness), 84 non-broadcast network, 281–282 nontemporary addresses, 15, 17–18 normal scopes, 21 not-so-stubby area (NSSA), 245 www.syngress.com 525 526 Index NPS See Network Policy Server NPS (NAP Health Policy Server), 460, 461 NSSA (not-so-stubby area), 245 NT LAN Manager (NTLM), 44–45 NTFS Disk Quotas system quota management by volume/user, 348–350 Resource Manager Disk Quotas vs., 372 NTFS permissions overview of, 316–319 shared folders/permissions, configuring, 320–322 special permissions, 369 NTLMv2/Kerberos authentication, 44–45 O Offline Files description of, 319 disabling, 369 file server, configuration of, 319 Open Shortest Path First (OSPF) areas in OSPF network, 244–245 as popular link state protocol, 243 operational log, 429 outbound rules, 72–74 outgoing traffic, 71–74 P packet switching network, 242–243 packets IPSec AH header and, 57–58 IPSec ESP and, 58–59 routing fundamentals, 239–240 static routing, 242–243 partitions, 169–170 password, 328 PEAP-Microsoft Challenge Handshake Authentication Protocol version (PEAP-MS/CHAPv2) for network access authentication, 49 in Windows Server 2008, 53 www.syngress.com for Windows Server 2008 authentication, 47 PEAP–TLS See Protected Extended Authentication Protocol–Transport Layer Security peer authentication, 55 performance, of ad hoc network, 284 performance data capturing, 446 capturing for WSUS, 409 Data Collector Sets, 409–419 Performance Monitor adding counters to, 361–362 Data Collector Sets vs., 447 overview of, 420–423 permissions NTFS, 316–319 NTFS special permissions, 369 printer, 355–356 Share Permissions, 315–316 shared folders/permissions, configuring, 319–325 PKI See Public Key Infrastructure pointer records creating, 175–177 use for, 220 Point-to-Point Tunneling Protocol (PPTP) changes to, 54–55 description of, 260–261 for remote authentication, 53–54 SSTP and, 237 policies IPSec, creation of, 61–63 IPSec isolation 
policy, 63–64 IPSec policy creation, 61 IPSec via command line, 61–63 with Network Policy Server, 43–44 remote access policies, 253–255 WFAS management with Group Policy, 81–82 wired network policy, 50–53 Index wireless group policy, 285–286 pooling, printer, 363 ports, 82 positive caching, 120 PPP, 237–238 PPTP See Point-to-Point Tunneling Protocol Pre-Boot Execution Environment (PXE Boot), 36–37 primary forward lookup zone, 139–144, 153–154 primary reverse lookup zone, 149–154 primary zone, 164–165 print priority, 364 print queues, export/import of, 359–361 print services counters, adding to Performance Monitor, 361–362 overview of, 366, 368 print priority, 364 print queues/printer settings, export/ import of, 359–361 printer connections, deployment of, 357–358 printer drivers, installation of, 358–359 printer permissions, 355–356 printer pooling, 363 printer sharing, 353–354 publishing printer to Active Directory, 355, 372 security of, 306 printer connections, deployment of, 357–358 printer drivers, installation of, 358–359, 373 Printer Migration Wizard, 359–361 printer permissions, 355–356 printer pooling, 363 printer settings, 359–361 printer sharing, 353–354 priority, print, 364 private IP addresses, 10 private key, 263, 265 private name resolution, 106–107 private profile configuration of, 75–76 function of, 66 in Windows Firewall with Advanced Security, 68–69 Windows Firewall with Advanced Security, configuration of, 70–71 profiles configuration of settings for, 75–76 in WFAS, 66, 68–69 WFAS, configuration of, 70–71 Protected Extended Authentication Protocol–Transport Layer Security (PEAP–TLS) for network access authentication, 49 in Windows Server 2008, 53 Windows Server 2008 authentication, 47 Protected Extensible Authentication Protocol (PEAP), 46 protocols routing protocols excluded from Windows Server 2008, 236–237 routing protocols for packet switching networks, 242–243 in Windows Firewall with Advanced Security, 82 in Windows Server 2008, 92 PTR 
record See pointer records
Public Folder Sharing
  description of, 307–308
  enabling, 314–315
public key, 263, 265
Public Key Infrastructure (PKI)
  network authentication through, 43
  for secure network access authentication, 49
  for Windows Server 2008 authentication, 47
public name resolution, 117–118
public profile
  configuration of, 75–76
  function of, 66
  in Windows Firewall with Advanced Security, 68–71
PXE Boot (Pre-Boot Execution Environment), 36–37

Q
queries, DNS server/client, 119
Quick mode, 79, 81
quotas
  entries, 350–352
  templates, 353
  by volume or by user, 348–350

R
RADIUS See Remote Authentication Dial-In User Service
records, DNS
  CNAME, creating, 183–184
  configuration of, 217
  DDNS overview, 192–197
  host, creating, 171–175
  MX, creating, 178–179
  NS, creating, 184–186
  pointer, creating, 175–177
  SOA record, 166–169
  SRV, creating, 179–183
  types, managing, 171
  WINS/DNS integration, configuring, 186–192
recovery See backup/restore
recursive query, 107
Registry file, Windows, 54–55
relay agents, 19, 36
Reliability Monitor, 424
Reload, 163
Reload from Master, 163
Remediation Server, 39
remote access
  dial-up, 252–253
  in general, 245–246
  inbound/outbound filters, 272–273
  Internet Connection Sharing, 257–260
  Network Address Translation, 255–257
  Network Policy Server, Network Access Protection, 248–252
  overview of, 288–289
  RADIUS server configuration, 273–277
  remote access policy, 253–255
  remote access protocols, 260–267
  RRAS, installation of, 246–248
  RRAS authentication, 53–55
  SSL VPN server, installation/configuration of, 268–272
  virtual private networks, 267
  Windows Server 2008 and, 237–238
remote access policy, 253–255
remote access protocols
  for dial-up networking, 252
  IPSec, 261
  L2TP, 261
  PPTP, 260–261
  SSL development, 262
  SSTP, 261–265
  SSTP configuration on Windows Server 2008, 266–267
  virtual networking, 266
remote access server, 246
Remote Authentication Dial-In User Service (RADIUS)
  server, configuration of, 273–277
  in Windows Server 2008, 43–44
remote management, of backups, 345–346
replication, DFS, 335–336
replication, DNS
  application directory partition, creating, 157–159
  manual initiation with DNS Manager, 151
  overview of, 151
  SOA record, 154–157
  standard, configuring/managing, 217
  zone transfers, DNS server configuration allowing, 152–154
reservations
  configuration of DHCP scope options, 25
  DHCP IPv4, 24
  DHCP IPv6 client reservation configuration, 30–31
  exclusion of, 32
  for nontemporary address, 18
Resource Manager Disk Quotas
  NTFS Disk Quotas system vs., 372
  quota entries, 350–352
  quota management by volume/user, 348–350
  quota templates, 353
restore
  of data, 346–347
  Shadow Copy Services, 337–342
  See also backup/restore
restricted network, 481
reverse lookup zone, 149–154
RIP (Routing Internet Protocol), 243–244
rogue DHCP server, 34
role, DHCP Server role, adding, 19–21
role, DNS server, 120–121, 129–130
Role Services
  DFS, adding, 331–332
  for File Services role, 310–313
roles
  NPS/HRA/CA server, installing, 481–483
  WSUS, installing, 381–391
root hints
  configuration of, 110
  copying from another server, 114
  private DNS server network and, 219
  records, adding, 111–112
  records, editing, 112–113
  records, removing, 113
route command, 242
router, 36
Router Advertisements, 15
Router/default Gateway scope option, 26
routing
  changes in Windows Server 2008, 291
  fundamentals of routing, 238–240
  Open Shortest Path First, 244–245
  overview of, 287–288
  Routing Internet Protocol, 243–244
  routing table in Windows Server 2008, 240–241
  static routing, 242–243
  in Windows Server 2008, 236–237
Routing and Remote Access Services (RRAS)
  authentication configuration, 53–55
  changes to, 236–237
  installation of, 246–248
  Network Policy Server, Network Access Protection, 248–252
  remote access policy, 253–255
  SSL VPN server, installation/configuration of, 268–272
  in Windows Server 2008, 236–237
  in Windows Server 2008 authentication, 43–44
Routing Internet Protocol (RIP), 243–244
routing metric, 239
routing protocols
  excluded from Windows Server 2008, 236–237
  OSPF, 244–245
  in packet switching networks, 242–243
  RIP, 243–244
routing table
  fundamentals of routing, 239–240
  in Windows Server 2008, 240–241
RRAS See Routing and Remote Access Services
rules
  connection security rules, 74–75
  firewall rules for filtering traffic, 71–74
  Windows Firewall with Advanced Security, 66–67, 80–81, 82, 273

S
SA (security association), 58, 81
scavenging, DDNS
  automatic, enabling, 195–196
  configuration of, 193–195
  manual, initiating, 196–197
schedule
  backup, 343–345
  for Shadow Copy Services, 341
scope options
  configuration of, 24–27
  for IPv6, configuration of, 30
  new DHCP options, creation of, 31–32
scopes
  DHCP, configuration of, 21–24
  DHCP configuration via Server Core, 41–42
  DHCP exclusions, 32–35
  IPv6 scope options, configuration of, 30
  IPv6 scopes, configuration of, 27–29
  leased to DHCP clients, 18–19
  in NAP and DHCP integration policy, 39
  options, configuration of, 24–27
screening, file, 313–314, 369
secondary forward lookup zone
  creating, 144–145
  zone transfers and, 166
secondary reverse lookup zone
  standard, creating, 154–155
  zone transfers and, 166
secure network, 480
Secure Socket Tunneling Protocol (SSTP)
  configuration on Windows Server 2008, 266–267
  description of, 261–264
  features of, 237–238
  for remote authentication, 53, 54
  SSTP-based VPN connection flow, 264–265
Secure Sockets Layer (SSL)
  cryptographic system of, 263, 265
  for remote access authentication, 237–238
  SSL VPN, definition of, 292
  SSL VPN server, installation/configuration of, 268–272
  for SSTP development, 262
security
  dial-up networking options, 253
  Encrypting File System, 325–331
  of file/print services, 306
  inbound/outbound filters, 272–273
  of network access, 235
security association (SA), 58, 81
Serial Line Internet Protocol (SLIP), 236
server
  configuration of DHCP scope options, 24–25
  Disk Quotas, 348–353
  RADIUS server configuration, 273–277
  remediation server group, creating, 478–479
  WSUS server settings, configuring, 380–381
Server Core See Windows Server 2008 Core
server isolation, 69
server list, 200–202
Server Manager
  configuration of DHCP scope options, 24–27
  DFS namespace configuration, 332–334
  File Services role, adding, 308–310
  file share publishing, 307–315
  IPv4 scopes/options configuration in, 22–24
  IPv6 scopes, configuration of, 27–29
  new DHCP options in, 32
  shared folders/permissions, configuring, 319–325
  Windows Server Backup schedules, 343–345
Server role, DHCP, 19–21
servers, DNS
  add/remove with DNSCMD, 171
  cache-only, overview of, 122
  configuration of, 120
  DNS Server Role, installing, 120–121
  forwarders, server-level, 126–130
  forwarding, conditional, 130–135
  root hints, configuring, 122–126
  Server Core, 135–136
  zones and, 135–136
server-to-server query, 107
service records, 179–183
Service Set Identifier (SSID), 281–282
Services for Network File System, 311
Session Initiation Protocol (SIP), 30
Shadow Copy Services
  enabling, 337–338
  previous versions, recovery of, 338–341
  schedule, setting, 341
  storage locations, 342
  in Windows 2000/XP, 371
Share Permissions
  NTFS permissions and, 317
  overview of, 315–316
  settings for, 369
sharing
  DFS namespace, adding shared folders to, 334–335
  file share publishing, 307–315
  folder, 314–315
  printer sharing, 353–354
  shared folders/permissions, configuring, 319–325
Simple Network Management Protocol (SNMP), 433–437
Simple Policy Update, 63
SIP (Session Initiation Protocol), 30
site local address, 27
SLIP (Serial Line Internet Protocol), 236
SMB protocol, 314
SNMP (Simple Network Management Protocol), 433–437
SOA (Start of Authority) record, 166–169
Soft Quotas, 349, 372
software, policy validation, 463
software updates, 401–404
special addresses, 14, 15
special permissions, 369
SSID (Service Set Identifier), 281–282
SSL See Secure Sockets Layer
SSL VPN, 292
SSL VPN server, 268–272
SSTP See Secure Socket Tunneling Protocol
stand-alone namespace, 332
Standard (in-place) File Sharing, 307–308, 314
Start of Authority (SOA) record, 166–169
stateful mode, 15, 40
stateless mode, 15, 40
static IP address, 32–33
static routing
  definition of, 291
  description of, 239, 242
  routing protocols, 242–243
  routing table on Windows Server 2008, 240–241
storage
  Disk Quotas for, 348
  for Shadow Copy Services, 342
stub area, 244–245
stub zone
  creating, 158–159
  description of, 137
subnet mask
  for Class C network, 12
  for IPv4, 4–5
  IPv4 configuration,
  IPv4 scopes/options configuration, 22
subnetting, 7–12
subscriptions, event log, 430–433
suffix search order, 202–203
supernetting, 12
superscopes, 21
System Stability Index, 425–426, 447

T
targeting, client, 401
targets, DFS, 334–335
TCP/IP See Transmission Control Protocol/Internet Protocol
templates, quota, 353
Teredo, 16
terminology, DNS, 119–120
test, WSUS, 404–406
TFTP (Trivial File Transfer Protocol), 37
third-party encryption, 331
traffic
  filtering with Windows Firewall with Advanced Security, 71–75
  firewall rules for filtering, 71–74
  IPSec AH header and, 57–58
  IPSec ESP and, 58–59
  IPSec isolation policy, 63–64
  IPSec properties, 55–56
  routing fundamentals, 239–240
  server/domain isolation, 69
  Windows Firewall with Advanced Security, configuration of, 69–70
transition technologies, 15–16
Transmission Control Protocol/Internet Protocol (TCP/IP), 2,
  See also IP addressing
transport mode
  AH in, 57
  ESP header in, 58–59
  IPSec in, 56
Trivial File Transfer Protocol (TFTP), 37
troubleshooting, wireless access in Windows Server 2008, 279
TrueCrypt, 331
tunnel mode
  AH in, 57
  ESP header in, 58–59
  IPSec in, 56
tunneling, 16
type, update, 393–394

U
UDP (User Datagram Protocol), 33
unique local IPv6 unicast address, 14
updates
  dynamic, AD integrated zones and, 147–149
  type selection, 393–394
  WSUS, installing, 381–393
  WSUS client, 394–398
  WSUS server settings, configuring, 380–381
user
  network authentication, 43–44
  policies in WFAS, 81–82
  quota management by, 349–350
User Datagram Protocol (UDP), 33

V
validation, 458
Vendor class options, 26
views, event log custom, 426–429
Virtual Local Area Networks (VLANs)
  network layer protection, 462–463
  recommendation for, 491
virtual networking, 266
Virtual Private Networks (VPNs)
  description of, 267
  ICS configuration and, 258, 259
  NAP enforcement of, 469–473
  RRAS authentication, 53–54
  SSL VPN, definition of, 292
  SSL VPN server, installation/configuration, 268–272
  SSTP for, 261–267
volume
  quota management by, 348–349
  restore with Shadow Copy Services, 340–341
VSSADMIN command, 342

W
WBADMIN command, 347
WDSPXE (Windows Deployment Services PXE Server), 37
WEP (Wired Equivalent Privacy), 46
WFAS See Windows Firewall with Advanced Security
Wide Area Network (WAN), 252
Wi-Fi Protected Access (WPA2), 283
Wi-Fi Protected Access (WPA), 46–47, 282
Windows Deployment Services, 36–37
Windows Deployment Services PXE Server (WDSPXE), 37
Windows Explorer, 370
Windows Firewall with Advanced Security (WFAS)
  command line tools for, 83–84
  configuration of, 69–71
  configuration overview, 89–90
  firewall profiles, 75–76
  Group Policy for management of, 81–82
  host-based firewalls, 64
  improvements with, 292
  inbound/outbound filters, 272–273
  incoming/outgoing traffic filtering, 71–75
  IPSec configuration via, 59–60
  IPSec settings in, 76–80, 92–93
  monitoring, 80–81
  as network location-aware host firewall, 67–69
  network perimeter firewalls, 64
  new features in, 64–67
  overview of, 86–87
  ports/protocols/identification of, 82
  server and domain isolation, 69
Windows Internal Database, 386
Windows Internet Name Service (WINS)
  DNS integration, 186
  on DNS networks, 221
  lookup record, creating, 186–189
  Node Type scope option, 26
  reverse lookup record, creating, 189–192
  server list, 207–208
Windows Registry file, 54–55
Windows Search Service, 311
Windows Server 2003 File Services, 312
Windows Server 2008
  802.1x configuration in, 50–53
  DHCP configuration, 18–42
  file server features in, 306–307
  hands-on experience with, 491
  IP Security (IPSec) configuration, 55–64
  IPSec features in, 60–61
  IPv4 configuration, 3–13
  IPv4/IPv6 comparison, 2–3
  IPv6 and, 175
  IPv6 configuration, 13–18
  network access with, 235
  network authentication configuration, 43–55
  Reliability/Performance Monitors, 447
  remote access and, 237–238, 246
  routing and, 236–237
  routing changes in, 291
  routing table in, 240–241
  RRAS installation, 246–248
  SSTP configuration on, 266–267
  Windows Firewall with Advanced Security, 64–84
  wireless access and, 238
  wireless access features, 278–281
  WSUS role installation, 381–391
Windows Server 2008 Core
  command line questions, 85
  DHCP configuration via, 40–42
  DNS and, 135–136
  exam questions about, 91
Windows Server 2008 DNS Server
  GNZs and, 159, 160–161
  zones hosting, 125
Windows Server Backup
  backup schedules, 343–345
  backup types, 342–343
  differential backup and, 371
  features of, 342
  remote management of backups, 345–346
  restoring data, 346–347
Windows Server Update Services (WSUS)
  installing, 381–393
  overview of, 445
  server settings, configuring, 380–381, 445
WINS See Windows Internet Name Service
wired authentication
  802.1x configuration in Windows Server 2008, 50–53
  in Windows Server 2008, 47–48
Wired Equivalent Privacy (WEP), 46
Wired Network Policies Group Policy extension, 47–48
wireless access, 277–286
  ad hoc vs infrastructure mode, 283–285
  description of wireless access, 277–278
  overview of, 289–290
  Service Set Identifier, 281–282
  Wi-Fi Protected Access, 282
  Wi-Fi Protected Access 2, 283
  Windows Server 2008 and, 238
  Windows Server 2008 features for, 278–281
  wireless group policy, 285–286
Wireless Auto Configuration, 278–279
wireless diagnostics tracing, 279
wireless group policy, 285–286
Wireless Local Area Network (WLAN)
  ad hoc vs infrastructure mode, 283–285
  authentication with 802.1x/802.3, 46–53
  SSID, 281–282
WPA (Wi-Fi Protected Access), 46–47, 282
WPA2 (Wi-Fi Protected Access 2), 283
WSUS See Windows Server Update Services

Z
zones, DNS
  conditional forwarding and, 120
  configuration of, 217
  domains vs., 220
  forward lookup, AD integrated, 134–137
  forward lookup, secondary, 132–133
  forward lookup, standard primary, 127–132, 153–154
  GlobalNames Zone feature, 147–150
  integrated, 220
  overview of, 124–127
  reverse lookup, standard primary, 137–142
  reverse lookup, standard secondary, 142–143
  standard vs AD integrated, 126–129
  stub zone, 146–147
  transfers, DNS server configuration for, 152–153
  zone delegation, 143–146

... in Windows Vista and Windows Server 2008 There are, of course, many other references on IPv6 but these are good to start with prior to the Windows Server 2008 exam Configuring IPv4 Options In Windows. .. Noteworthy These sidebars point out changes in Windows Server 2008 from Windows Server 2003 as they will apply to readers taking the exam These may be elements that users of Windows Server 2003... as of the time of this writing There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator To achieve the Server Administrator MCITP for Windows Server 2008, you

Date posted: 20/03/2019, 11:46
