Syngress The Real MCTS MCITP Windows Server 2008 Configuring Network Infrastructure Exam 70642 Prep Kit Apr 2008 ISBN 1597492469 pdf

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.


Technical Editor

Brien Posey

Susan Snedaker, Ira Herman, Jeffery Martin, Dustin Hannifin, John Karnay, Shawn Tooley

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, and Syngress®, are registered trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc.

Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

The Real MCTS/MCITP Exam 70-642 Prep Kit

Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America.

  

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.


ISBN 13: 978-1-59749-246-1
Publisher: Andrew Williams
Page Layout and Art: SPI
Acquisitions Editor: David George
Copy Editors: Audrey Doyle, Judy Eby, Adrienne Rebello
Technical Editor: Brien Posey
Indexer: Nara Wood
Project Manager: Gary Byrne
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

  Technical Editor

Brien Posey is a freelance technical writer who has received Microsoft’s MVP award four times. Over the last 12 years, Brien has published more than 4,000 articles and whitepapers, and has written or contributed to more than 30 books. In addition to his technical writing, Brien is the cofounder of Relevant Technologies (www.relevanttechnologies.com) and also serves the IT community through his own Web site at www.brienposey.com.

  Prior to becoming a freelance author, Brien served as CIO for a nationwide chain of hospitals and healthcare facilities and as a network administrator for the Department of Defense at Fort Knox. He has also worked as a network administrator for some of the nation’s largest insurance companies.

  Brien wishes to thank his wife, Taz, for her love and support throughout his writing career.


Contributing Authors

Susan Snedaker, (MCSE, MCT) principal consultant for VirtualTeam Consulting, LLC (www.virtualteam.com), is an accomplished business and technology consultant, speaker, and author. During her career, she has held executive and technical positions with companies such as Microsoft, Honeywell, Keane, and Apta Software. As a consultant, she has worked with small, medium-sized, and large companies, including Canyon Ranch, University of Arizona, National University, Sabino Investment Management, Pyron Solar, University of Phoenix, DDB Ventures, ShopOrganic.com, and the Southern Arizona AIDS Foundation.

Susan’s latest book, Business Continuity and Disaster Recovery for IT Professionals, Syngress (978-1-59749-172-3) was released in the spring of 2007. Additionally, Susan has written four other books and contributed chapters to 11 books. She has also written numerous technical articles on a variety of technology, information security, and wireless technologies. Susan is an experienced trainer, facilitator, and speaker.

Susan holds a Master of Business Administration (MBA) and a Bachelor of Arts in Management (BAM) from the University of Phoenix. In 2006, she received an Executive Certificate in International Management from Thunderbird University’s Garvin School of International Management. Susan also holds a certificate in Advanced Project Management from Stanford University and attained Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Project Management Institute (PMI) and the Information Technology Association of Southern Arizona (ITASA).

Jeffery A. Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE:Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for more than 20 years. He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology.

John Karnay is a freelance writer, editor, and book author living in Queens, NY. John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology. John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008. When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora.

  

Ira Herman (MCSE, CCAI, CCNA, CNA, A+, Network+, i-Net+, CIW Associate) is co-chief executive officer and cofounder of Logic IT Consulting (www.logicitc.com), a consulting firm specializing in business information technology solutions with an emphasis on work-life balance, stress-free productivity, and efficiency training and coaching. Prior to founding Logic IT Consulting, Ira held various technical and executive positions with companies such as Microsoft, Keane, The University of Arizona, Xynetik, and Brand X LLC. Ira has written and delivered technical training for Logic IT Consulting and its clients as well as various organizations, including Pima Community College, JobPath, and SeniorNet. Ira holds Microsoft Certified Systems Engineer (MCSE and MCSE+I), Cisco Certified Academy Instructor (CCAI), Cisco Certified Network Associate (CCNA), Certified Novell Administrator (CNA), CompTIA A+ Certified Computer Service Technician (A+), CompTIA Network+, CompTIA Internetworking (i-Net+), and ProsoftTraining Certified Internet Webmaster Associate (CIW Associate) certifications as well as Microsoft internal endorsements in Windows NT 4 Fundamentals (Workstation), Windows NT 4 Advanced (Server), Microsoft TCP/IP on Windows NT 4, Windows 2000 Foundational Topics, and Windows 2000 Setup Specialty.


Dustin Hannifin (Microsoft MVP—Office SharePoint Server) is a systems administrator with Crowe Chizek and Company LLC. Crowe (www.crowechizek.com) is one of the nation’s leading public accounting and consulting firms. Under its core purpose of “Building Value with Values®,” Crowe assists both public and private companies in reaching their goals through services ranging from assurance and financial advisory to performance, risk, and tax consulting. Dustin currently works in Crowe’s Information Services delivery unit, where he plays a key role in maintaining and supporting Crowe’s internal information technology (IT) infrastructure. His expertise resides in various Microsoft products, including Office SharePoint Server, System Center Operations Manager, Active Directory, IIS, and Office Communications Server. Dustin holds a bachelor’s degree from Tennessee Technological University and is a founding member of the Michiana IT Professionals Users Group. He regularly contributes to technology communities, including his blog (www.technotesblog.com) and Microsoft newsgroups. Dustin, a Tennessee native, currently resides in South Bend, IN.

Shawn Tooley owns a consulting firm, Tooley Consulting Group, LLC, that specializes in Microsoft and Citrix technologies, for which he is the principal consultant and trainer. Shawn also works as network administrator for a hospital in North Eastern Ohio. Shawn’s certifications include Microsoft Certified Trainer (MCT), Microsoft Certified System Engineer (MCSE), Citrix Certified Enterprise Administrator, Citrix Certified Sales Professional, HP Accredited System Engineer, IBM XSeries Server Specialist, Comptia A+, and Comptia Certified Trainer. In his free time he enjoys playing golf.


  Contents

Foreword

Chapter 1 IP Addressing and Services
  Introduction
  Configuring IPv4 and IPv6 Addressing
  IPv4 Quick Review
  Configuring Local IPv4 Settings
  Configuring IPv4 Options
  Subnetting
  Supernetting
  Alternative Configuration
  Internet Protocol Version 6 (IPv6)
  IPv6 Address Format
  IPv6 Address Types
  IPv6 Autoconfiguration Options
  IPv6 Transition Technologies
  Configuring IPv6 Settings
  Configuring Dynamic Host Configuration Protocol (DHCP)
  Adding the DHCP Server Role
  Configuring DHCP Scopes
  Configuring IPv4 Scopes and Options
  DHCP IPv4 Reservations
  Configuring DHCP Scope Options
  Server Options
  Scope Options
  Reservation Options
  Setting Scope Options
  Configuring IPv6 Scopes
  Configuring IPv6 Scope Options
  DHCP IPv6 Client Reservation Configuration
  Creating New Options
  New Options Using the Windows Interface
  New Options Using the Command Line
  Exclusions
  DHCP Relay Agents

  PXE Boot
  DHCP and Network Access Protection (NAP)
  DHCP Configuration via Server Core
  Configuring Network Authentication
  NTLMv2 and Kerberos Authentication
  WLAN Authentication Using 802.1x and 802.3
  Wireless and Wired Authentication Technologies
  Implementing Secure Network Access Authentication
  Routing and Remote Access Services (RRAS) Authentication
  Configuring IP Security (IPsec)
  IPSec Authentication Header (AH)
  IPSec Encapsulating Security Payload (ESP)
  Configuring IPSec in Windows Server 2008
  Creating IPSec Policy
  IPSec Using the Command Line
  IPSec Isolation Policy
  Windows Firewall with Advanced Security in Windows Server 2008
  Network Perimeter Firewalls
  Host-based Firewalls
  New Features in Windows Firewall with Advanced Security
  IPSec Integration
  Support for IPv6
  Support for Active Directory User, Computer, and Groups
  Location-Aware Profiles
  Detailed Rules
  Expanded Authenticated Bypass
  Network Location-Aware Host Firewall
  Server and Domain Isolation
  Server Isolation
  Domain Isolation
  Configuring Windows Firewall with Advanced Security
  Incoming and Outgoing Traffic Filtering
  Firewall Rules
  Connection Security Rules
  Firewall Profiles
  IPSec Settings
  Monitoring
  Managing Windows Firewall with Advanced Security via Group Policy
  Identifying Ports and Protocols
  Command Line Tools for Windows Firewall with Advanced Security
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 2 Configuring DNS
  Introduction
  An Introduction to Domain Name System (DNS)
  Understanding Public Name Resolution
  Understanding Private Name Resolution
  Understanding Microsoft’s DNS Terminology
  Configuring a DNS Server
  Installing the DNS Server Role
  Understanding Cache-Only DNS Servers
  Configuring Root Hints
  Adding Root Hint Records
  Editing Root Hints Records
  Removing Root Hints Records
  Copying Root Hints from Another Server
  Configuring Server-Level Forwarders
  Configuring Conditional Forwarding
  Creating Conditional Forwarders
  Managing Conditional Forwarders
  Server Core
  Creating DNS Zones
  Creating a Standard Primary Forward Lookup Zone
  Creating a Secondary Forward Lookup Zone
  Creating an Active Directory Integrated Forward Lookup Zone
  Creating a Standard Primary Reverse Lookup Zone
  Creating a Standard Secondary Reverse Lookup Zone
  Creating a Zone Delegation
  Creating a Stub Zone
  Using the New GlobalNames Zone Feature
  Enabling a Domain Controller to Support GlobalNames Zones
  Creating the GlobalNames Zone
  Configuring and Managing DNS Replication
  Manually Initiating Replication Using DNS Manager
  Configuring DNS Servers to Allow Zone Transfers
  Configuring a Standard Primary Zone for Transfers
  Configuring an AD Integrated or Secondary Zone for Transfers
  Configuring the SOA Record
  Creating an Application Directory Partition
  Creating and Managing DNS Records
  Managing Record Types
  Creating Host Records
  Creating A Records
  Creating AAAA Records
  Creating Pointer Records
  Creating MX Records
  Creating SRV Records
  Creating CNAME Records
  Creating NS Records
  Configuring Windows Internet Name Service (WINS) and DNS Integration
  Creating a WINS Lookup Record
  Creating a WINS Reverse Lookup Record
  Understanding the Dynamic Domain Name System (DDNS)
  Configuring DDNS Aging and Scavenging
  Enabling Automatic Scavenging
  Initiating Manual Scavenging
  Configuring Name Resolution for Client Computers
  How Name Resolution Works in Windows XP and Later
  Configuring the DNS Server List
  Configuring the Suffix Search Order
  Configuring the HOSTS File
  Configuring the NetBIOS Node Type
  Configuring the WINS Server List
  Configuring the LMHOSTS File
  Understanding Link-Local Multicast Name Resolution (LLMNR)
  Managing Client Settings by Using Group Policy
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Answer Key

Chapter 3 Configuring Network Access
  Introduction
  Windows Server 2008 and Routing
  Window Server 2008 and Remote Access
  Windows Server 2008 and Wireless Access
  Configuring Routing
  Routing Fundamentals
  Static Routing
  Routing Internet Protocol (RIP)
  Open Shortest Path First (OSPF)
  Configuring Remote Access
  Routing and Remote Access Services (RRAS)
  Network Policy Server and Network Access Protection
  Dial-Up
  Remote Access Policy
  Network Address Translation (NAT)
  Internet Connection Sharing (ICS)
  Remote Access Protocols
  Virtual Private Networks
  Installing and Configuring a SSL VPN Server
  Inbound/Outbound Filters
  Configuring Remote Authentication Dial-In User Service (RADIUS) Server
  Configuring Wireless Access
  Set Service Identifier (SSID)
  Wi-Fi Protected Access (WPA)
  Wi-Fi Protected Access 2 (WPA2)
  Ad Hoc vs. Infrastructure Mode
  Wireless Group Policy
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 4 Configuring File and Print Services
  Introduction
  Configuring a File Server
  File Share Publishing
  Additional Role Services
  File Screening
  Sharing a Folder
  Share Permissions
  NTFS Permissions
  Offline Files
  Encrypting File System (EFS)
  Working with EFS
  Configuring Distributed File System (DFS)
  DFS Namespaces
  DFS Configuration and Application
  Creating and Configuring Targets
  DFS Replication
  Configuring Shadow Copy Services
  Recovering Previous Versions
  Setting the Schedule
  Setting Storage Locations
  Configuring Backup and Restore
  Backup Types
  Backup Schedules
  Managing Remotely
  Restoring Data
  Managing Disk Quotas
  Quota by Volume or Quota by User
  Quota Entries
  Configuring Quotas Using FSRM
  Quota Templates
  Configuring and Monitoring Print Services
  Printer Share
  Publishing Printers to Active Directory
  Printer Permissions
  Deploying Printer Connections
  Installing Printer Drivers
  Exporting and Importing Print Queues and Printer Settings
  Adding Counters to Reliability and Performance Monitor to Monitor Print Servers
  Printer Pooling
  Print Priority
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 5 Monitoring and Managing a Network Infrastructure
  Introduction
  Configuring Windows Server Update Services Server Settings
  Installing Windows Server Update Services
  Update Type Selection
  Client Settings
  Configuring WSUS Computer Group Assignment Settings
  Group Policy Objects (GPOs)
  Client Targeting
  Software Updates
  Test and Approval
  Disconnected Networks
  Capturing Performance Data
  Data Collector Sets
  Performance Monitor
  Reliability Monitor
  Monitoring the System Stability Index
  Monitoring Event Logs
  Custom Views
  Application and Services Logs
  Admin Logs
  Operational Logs
  Analytic Logs
  Debug Logs
  Subscriptions
  DNS Event Log
  Gathering Network Data
  Simple Network Management Protocol (SNMP)
  Baseline Security Analyzer
  Network Monitor
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 6 Network Access Protection
  Introduction
  Working with NAP
  Network Layer Protection
  NAP Clients
  NAP Enforcement Points
  Active Directory Domain Services
  NAP Health Policy Server
  Health Requirement Server
  Restricted Network
  Software Policy Validation
  DHCP Enforcement
  VPN Enforcement
  Communication Process with VPN Client and NAP
  Configuring NAP Health Policies
  Connection Request Policies
  Network Policies
  Health Policies
  Network Access Protection Settings
  IPsec Enforcement
  Secure Network
  Boundary Network
  Restricted Network
  Flexible Host Isolation
  802.1x Enforcement
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Appendix
Index

  Foreword

  This book’s primary goal is to help you prepare to take and pass Microsoft’s Exam 70-642, Windows Server 2008 Network Infrastructure, Configuring. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam and help to prepare them to work in the real world of Microsoft computer networking.

  What Is MCTS Exam 70-642?

  Microsoft Certified Technology Specialist (MCTS) Exam 70-642 is both a stand-alone test for those wishing to master Active Directory technology and a requirement for those pursuing certification as a Microsoft Certified Information Technology Professional (MCITP) for Windows Server 2008. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium-sized or large company network. This means a multisite network with at least three domain controllers running typical network services such as file and print services, messaging, database, firewall services, proxy services, remote access services, an intranet, and Internet connectivity.

  However, not everyone who takes Exam 70-642 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.

  Exam 70-642 covers the basics of managing and maintaining a network environment that is built around Microsoft’s Windows Server 2008. The following task-oriented objectives are included:

  ■ Configuring IP Addressing and Services: This objective includes configuring IPv4 and IPv6 addressing, configuring Dynamic Host Configuration Protocol (DHCP), configuring routing, and configuring IPsec.

  ■ Configuring Name Resolution: This objective includes configuring a Domain Name System (DNS) server, configuring DNS zones, configuring DNS records, configuring DNS replication, and configuring name resolution for client computers.

  ■ Configuring Network Access: This objective includes configuring remote access, configuring Network Access Protection (NAP), configuring network authentication, configuring wireless access, and configuring firewall settings.

  ■ Configuring File and Print Services: This objective includes configuring a file server, configuring Distributed File System (DFS), configuring shadow copy services, configuring backup and restore, managing disk quotas, and configuring and monitoring print services.

  ■ Monitoring and Managing a Network Infrastructure: This objective includes configuring Windows Server Update Services (WSUS), capturing performance data, monitoring event logs, and gathering network data.

  Path to MCTS/MCITP/MS Certified Architect

  Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved, while the nature of information technology is changing rapidly; consequently, requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training Web site at www.microsoft.com/learning/mcp/default.mspx for the most updated information on each Microsoft exam.

  Microsoft currently offers three basic levels of certification, at the technology level, professional level, and architect level:

  ■ Technology Series: This level of certification is the most basic, and it includes the Microsoft Certified Technology Specialist (MCTS) certification. The MCTS certification is focused on one particular Microsoft technology. There are 19 MCTS exams at the time of this writing. Each MCTS certification consists of one to three exams, does not include job-role skills, and will be retired when the technology is retired. Microsoft Certified Technology Specialists will be proficient in implementing, building, troubleshooting, and debugging a specific Microsoft technology.

  ■ Professional Series: This is the second level of Microsoft certification, and it includes the Microsoft Certified Information Technology Professional (MCITP) and Microsoft Certified Professional Developer (MCPD) certifications. These certifications consist of one to three exams, have prerequisites from the Technology Series, focus on a specific job role, and require an exam refresh to remain current. The MCITP certification offers nine separate tracks as of the time of this writing. There are two Windows Server 2008 tracks, Server Administrator and Enterprise Administrator. To achieve the Server Administrator MCITP for Windows Server 2008, you must successfully complete one Technology Series exam and one Professional Series exam. To achieve the Enterprise Administrator MCITP for Windows Server 2008, you must successfully complete four Technology Series exams and one Professional Series exam.

  ■ Architect Series: This is the highest level of Microsoft certification, and it requires the candidate to have at least 10 years’ industry experience. Candidates must pass a rigorous review by a review board of existing architects, and they must work with an architect mentor for a period of time before taking the exam.

  NOTE

  Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing one upgrade exam and one Professional Series exam. Those who already hold the MCSA or MCSE in Windows 2003 can upgrade their certifications to MCITP Enterprise Administrator by passing one upgrade exam, two Technology Series exams, and one Professional Series exam.