IP Addressing and Services

Upload: bryan-power

Post on 26-Mar-2015


EXAM OBJECTIVES

Configuring IPv4 and IPv6 Addressing
Configuring Dynamic Host Configuration Protocol (DHCP)
Configuring Network Authentication
Configuring IP Security (IPSec)
Configuring Windows Firewall with Advanced Security

Slide 2

Configuring IPv4 and IPv6 Addressing

IPv4 addressing uses 32 bits and a subnet mask to identify the network and host portions of the address.

IPv6 addressing uses 128 bits and the network information is contained in the left-most 64 bits, host information in the right-most 64 bits. IPv6 uses hexadecimal notation.

Supernetting uses the Classless Inter-Domain Routing (CIDR) notation, and this notation is also used in IPv6.

IPv6 address types include local-link, unique local IPv6 unicast, global unicast, multicast, anycast, and special addressing. Local-link maps to IPv4 private addressing, global unicast maps to IPv4 public addressing.

The local loopback address in IPv6 is ::1/128; FF80::/64 is used for local-link addressing.

IPv4 to IPv6 transition technologies include dual IP layer architecture, IPv6 over IPv4 tunneling, Intra-Site Automatic Tunneling Addressing Protocol (ISATAP), 6to4, and Teredo.

Slide 3

Configuring Dynamic Host Configuration Protocol (DHCP)

The DHCP server role in Windows Server 2008 includes native support for IPv6 as DHCPv6.

Scope, reservations, exceptions, and scope options are configured in IPv6 much the same as they are in IPv4.

A DHCP server should have its scope and configuration data set, the scope should be activated, and the server should be authorized in the Active Directory domain in order to bring a new DHCP server online.

DHCP and Network Access Protection (NAP) are integrated in Windows Server 2008, providing the ability to deny or limit access to network resources based on the client computer’s health status. Health status includes having the latest operating system updates and antivirus signatures installed.

DHCP can be configured using command line commands. This is helpful for managing DHCP servers remotely across the network.

Slide 4

Configuring Network Authentication

Network authentication is managed through Active Directory and uses Kerberos as the default authentication protocol. NTLMv2 is supported for backward compatibility and should be used only if needed.

Network Policy and Access Services is a role that can be installed on the Windows Server 2008 computer. It includes NPS, RRAS, RADIUS, RADIUS proxy, and NAP.

WLAN access and authentication follow 802.11, 802.1X, and 802.3 standards. Associated protocols include EAP-TLS, PEAP-TLS, PEAP-MS-CHAPv2, PPTP, and SSTP.

Support for SPAP, EAP-MD5-CHAP, and MS-CHAPv1 has been removed in Windows Server 2008. EAPHost architecture includes new features not supported in earlier operating systems including support for additional EAP methods, network discovery, vendor-specific EAP types, and coexistence of multiple EAP types across vendors.

Routing and remote access supports the use of IPSec through transport and tunnel modes. Point-to-point tunneling protocol (PPTP), Microsoft Point-to-Point Encryption (MPPE), Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec), and Secure Socket Tunneling Protocol (SSTP) are supported for data authentication, integrity, encryption, and confidentiality.

Slide 5

Configuring IP Security (IPSec)

IPSec provides peer authentication, data origin authentication, data integrity, data confidentiality, antireplay, and key management. Due to increasing needs for network security, IPSec is being implemented with greater frequency.

The AH and ESP protocols within IPSec provide different types of security. Data encryption is provided by ESP, not by AH, making it the preferred protocol.

IPSec is integrated with Windows Firewall with Advanced Security and is also managed through Group Policy in the Active Directory context.

IPSec can be configured via command line commands within the netsh ipsec context.

IPSec can be used to provide server and domain isolation to ensure secure IP traffic remains secure.

Slide 6

Configuring Windows Firewall with Advanced Security

New features include IPSec integration, support for IPv6, integration with Active Directory user, computer, and group settings, location-aware profiles (for mobile computers), detailed rules, and expanded authenticated bypass capabilities.

Inbound and outbound rules along with connection security rules provide the network administrator with the ability to create finely tuned rules to protect the network and the host.

Connection security rules can be configured with requirements, authentication methods, and profiles to manage and restrict connections on the network.

IPSec settings can be configured to use a variety of authentication methods.

Customized IPSec data protection settings allow you to configure data protection to use the ESP and AH IPSec protocols. Advanced authentication methods can also be configured within the IPSec settings of Windows Firewall with Advanced Security.

Windows Firewall with Advanced Security can be configured using the snap-in from the Group Policy Management console.

You can use command line options for configuring, managing, and monitoring Windows Firewall with Advanced Security.

Slide 7

FAQ

Q: I’m pretty solid with IP addressing in IPv4 but I’m not really well-versed in IPv6. How much do I need to know for the exam?

A: You will need to be comfortable with IPv6 in order to navigate one or more questions on the exam. You should understand the basics such as the address format; how networks, hosts, and ranges are specified; and where you configure IPv6 settings. Also be clear about the terminology, such as temporary and nontemporary, specific to IPv6 and be sure to be familiar with site local, link local, and other IPv6 formats and naming conventions.

Slide 8

FAQ

Q: I’ve been reading a bit about Windows Server 2008 online and there’s a lot of discussion about the Core version. What do I need to know about this?

A: Expect to see questions about using the command line on the exam. Command line options have always been available, but the release of the Core version of Windows Server 2008 will certainly bring this to the forefront. Don’t expect the exam to test you on syntax necessarily, but do expect to see questions related to using the command line options for frequently used features.

Slide 9

FAQ

Q: DHCP is pretty basic stuff, though the addition of IPv6 makes it a bit different. What should I expect in the way of DHCP questions on the exam?

A: Expect to see questions that test your understanding of DHCP configuration and settings as well as questions that test your understanding and knowledge of new DHCP features. Since IPv6 is just being rolled into organizations, you can expect to see some IPv6-based questions related to DHCP.

Slide 10

FAQ

Q: There are tons of protocols—sometimes it’s like alphabet soup—MS-CHAP, MS-CHAP v2, EAP, PEAP, PPP, Kerberos V5, and the list goes on. I’m having a hard time keeping all these straight and remembering how they’re used (or not) in Windows Server 2008. Any tips you can share?

A: First, divide protocols into those used to authenticate users locally (Kerberos, etc.) and those used to authenticate users remotely (PPP, EAP, PEAP). It can be helpful to divide the protocols according to these areas so you can better keep track of what they do and when they’re used. Also, spend time in the Routing and Remote Access Server segment of Windows Server 2008 as well as in the Windows Firewall with Advanced Security section. The more you see the various protocols being used in the default screens, the more they should sink in. Most of the time, the item will be spelled out the first time you see it. If it’s not, then it’s a pretty common acronym such as AD for Active Directory or IP, IPSec, or DHCP.

Slide 11

FAQ

Q: I’m not sure I’m clear on the difference between IPSec settings in the Windows Firewall with Advanced Security and the IPSec settings in Active Directory Group Policy. I’ve reread the material in this chapter, but I am still a bit confused. Can you provide any additional information that might help?

A: Yes. Group Policy in AD is going to specify how computers, users, and groups must be configured or must interact with the network. If you specify IPSec within Group Policy for a set of computers, you are requiring that all computers to which that policy is applied must use IPSec to communicate with other computers. Windows Firewall with Advanced Security, on the other hand, can be configured to require IPSec for inbound and/or outbound connections. So, the computers to which the IPSec Group Policy has been applied (we’ll call them the GP computers for short here) can communicate with other GP computers or other computers using IPSec all day long and have no interaction with the IPSec rules in the Windows Firewall on the Windows Server 2008.

Slide 12

Test Day Tip

Expect to see a question or two on the exam comparing the features of IPv4 to the features of IPv6. Often you’ll see several answers that are possibly correct and you’ll need to have a solid understanding of the differences between IPv4 and IPv6 in order to determine the correct response.

Slide 13

Test Day Tip

Remember that subnets are assigned to sites via the AD Sites and Services console, whereas subnetting options are set up in the DHCP Server role. Also remember that subnets can easily be moved to different sites within the AD Sites and Services console simply by double-clicking the subnet in the Subnets folder and changing the site association in the Site selection list on the General tab.

Slide 14

Exam Warning

Be familiar with IP notation in both IPv4 and IPv6. You’re likely to see more on IPv6 and transitioning to IPv6 than on standard IPv4 notation. If you’re not up to speed on IPv6, you might want to take some time to thoroughly understand IPv6 and transition technologies before heading into the exam.

Slide 15

Exam Warning

Questions about DHCP on the exam will likely fall into one of three types—DHCP server questions, DHCP relay agent questions, and DHCP lease questions.

Slide 16

Exam Warning

All DHCP traffic uses the User Datagram Protocol (UDP). Messages from the client to the server use UDP port 68 as the source port and port 67 as the destination port. Messages from the server to the client use just the reverse—UDP port 67 as the source and UDP port 68 as the destination. If you see questions using UDP ports 67 or 68, think DHCP.

Slide 17

Test Day Tip

Only Windows-based DHCP servers must be authorized in an Active Directory domain. If someone wanted to install a non-Windows-based DHCP server (such as a Linux-based DHCP server) on the network, they could start it up and start handing out IP configuration data to unsuspecting DHCP clients. Check your answers on DHCP to ensure the server specified is (or is not) Windows-based.
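The two DHCP slides above (UDP ports 67/68, and unauthorized non-Windows servers answering clients) suggest a simple monitoring check. The following is an added example, not part of the original slides: it parses server-to-client DHCP replies and flags any that come from, or name, a server outside an allowlist. The allowlist, the addresses and the sample datagrams are constructed assumptions.

```python
import ipaddress
import struct

SERVER_PORT, CLIENT_PORT = 67, 68          # UDP ports named on the slide
BOOTP_FIXED_LEN = 236                      # fixed BOOTP header before the options
MAGIC_COOKIE = bytes.fromhex("63825363")   # marks the start of the DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}

# Assumption: the sanctioned DHCP servers for this segment (constructed address).
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("192.0.2.10")}


def parse_options(payload):
    """Return {option code: value bytes}, or None if the payload is not valid DHCP."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(payload) < start or payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        return None
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                    # option code with no length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                    # option runs past the end of the packet
        options[code] = value
        i += 2 + length
    return options


def check_datagram(src_ip, src_port, dst_port, payload):
    """Return an alert dict for a server reply tied to an unlisted server, else None."""
    if (src_port, dst_port) != (SERVER_PORT, CLIENT_PORT):
        return None                        # only server-to-client traffic is judged
    options = parse_options(payload)
    if options is None:
        return None
    msg_type = options.get(OPT_MSG_TYPE, b"")
    if len(msg_type) != 1 or msg_type[0] not in SERVER_MESSAGES:
        return None
    source = ipaddress.IPv4Address(src_ip)
    raw_id = options.get(OPT_SERVER_ID, b"")
    claimed = ipaddress.IPv4Address(raw_id) if len(raw_id) == 4 else None
    # Clean only if both the sender and the server identifier (option 54) are
    # listed; a reply with no server identifier is treated as suspect.
    if source in AUTHORIZED_SERVERS and claimed in AUTHORIZED_SERVERS:
        return None
    return {
        "message": SERVER_MESSAGES[msg_type[0]],
        "source": str(source),
        "server_id": str(claimed) if claimed is not None else None,
        "offered": str(ipaddress.IPv4Address(payload[16:20])),  # yiaddr field
    }


def build_message(op, msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP payload; used only for the constructed samples."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
        bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample traffic: (source IP, source port, destination port, payload).
SAMPLE_TRAFFIC = [
    ("0.0.0.0", 68, 67, build_message(1, 1)),                                  # client DISCOVER
    ("192.0.2.10", 67, 68, build_message(2, 2, "192.0.2.100", "192.0.2.10")),  # listed server
    ("192.0.2.66", 67, 68, build_message(2, 2, "192.0.2.150", "192.0.2.66")),  # unlisted server
    ("192.0.2.10", 67, 68, b"not a DHCP payload"),                             # wrong format
]


def scan(traffic):
    """Return the alerts raised by a list of datagram tuples."""
    return [a for a in (check_datagram(*d) for d in traffic) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

In practice the tuples would come from a packet capture on the client segment; the sample list stands in for that.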

Slide 18

Exam Warning

Microsoft exams are notorious for extensive testing on new features. In Windows Server 2008, there are two notable new features related to DHCP. The first is support for Dynamic Host Configuration Protocol for IPv6 (DHCPv6), which is defined by the IETF’s RFC 3315 specification.

The second important change related to DHCP is the addition of Network Access Protection (NAP) enforcement support.

Slide 19

Test Day Tip

Be sure to familiarize yourself with the command line options. Even though you won’t have to memorize every command and all its syntax to pass the exam, you should expect to see a fair amount of emphasis on command line usage. Understanding the basics of how to use the command line window, which is the user interface for the Windows Server 2008 Core installation, will help you answer these types of questions, and they might be the difference between passing and just squeaking by (or not).

Slide 20

Test Day Tip

Numerous authentication and communication-based protocols are no longer supported in Windows Server 2008. For the full list, refer to the Microsoft Web site. Support has been removed for:

· X.25
· SLIP-based connections (automatically updated to PPP-based connections)
· ATM
· NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
· Service for Macintosh
· OSPF
· SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols

Slide 21

Test Day Tip

Group Policy and Network Policy Server are two Windows Server 2008 areas with which you should be familiar. Understand the role of Group Policy versus the role of Network Policy Server in securing the network. Be able to explain in your own words what these two features do in Windows Server 2008. If you can describe them in your own words, there’s a good chance you understand their functionality and will be able to distinguish right and wrong answers on the exam.

Slide 22

Exam Warning

A concept you should be familiar with is defense-in-depth. This refers to a network security strategy that uses layers of security methods to provide security at several different layers of the network.

Slide 23

Exam Warning

Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. You may see an exam question on this topic implying that you can enable only one profile at a time. You can configure these profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane, when the folder is selected. All three profiles should be enabled, but only one will be applied based on the Network Awareness API functionality.

Slide 24

Exam Warning

Here’s a key takeaway for working with Windows Firewall with Advanced Security. When you allow or block unsolicited traffic by creating a TCP or UDP port rule, that action will be taken any time Windows Firewall is running. This differs from creating a rule for a program in which the action is taken only when the program is running. So, if you create a rule to allow UDP 1443 traffic, that rule will be enabled when the firewall is enabled (which should be all the time). Contrast that to a program rule that specifies that it needs UDP 1443 traffic. In that case, the firewall will allow UDP 1443 traffic only when the program is running—a much more secure setting and the recommended method, whenever possible.

Slide 25

Exam Warning

Whenever you run server-type commands from the command line, you must have Administrator-equivalent rights. Depending on the server and its roles, you may need Domain Administrator rights rather than local Administrator rights. That said, keep in mind that best practices suggest you log on to a server using a standard user account and log in using the Administrator account only by using the Run As Administrator option. This helps maintain tight security on your network. If you see questions on the exam that use the Run As option, chances are good it’s a correct answer.