Networking With Windows                   


Networking in a Windows Active Directory Environment

A. DHCP   

Video Tutorials:

1. DHCP 1
2. DHCP 2

DHCP Basics
DHCP is short for “Dynamic Host Configuration Protocol”. It is used by servers to assign dynamic IP addresses to clients when they boot up. It removes the need to add a static IP to a host machine every time it boots up or is moved to a different location. In short, it automates what would otherwise be a manual configuration.

When a host that needs a dynamic IP first boots, it initializes a very limited version of the TCP/IP stack. It then tries to obtain an IP address from a DHCP server using a 4-step handshake process:

1 – DHCP Discover Broadcast = Until appropriate network, host and subnet settings are configured, a host’s only way of communicating is a broadcast to “255” (all bits on). Routers block broadcast traffic by default unless they are RFC 1542 compliant. Therefore, a DHCP server or an RFC 1542 compliant router is required on each subnet. Another option is to configure a “Relay Agent”. A Relay Agent sits on a subnet listening for DHCP Discover broadcasts; when a broadcast exceeds the agent’s configured threshold, the agent forwards it to the address of a DHCP server on another subnet with which it has been statically configured. Relay Agents can also be used for fault tolerance and load balancing.

2 – DHCP Offer = When a DHCP server receives a DHCP Discover broadcast, it searches its database for a free IP in the appropriate range and subnet that it may lease to the MAC address of the broadcasting client. After de-encapsulating the packet and reading the source MAC field at layer 2 of the OSI model, it sends the client an offer of the selected IP lease.

3 – DHCP Request = When the client receives the server’s DHCP Offer, it broadcasts a DHCP Request message to tell the other DHCP servers that it has accepted, and therefore reserved, a particular IP. This prevents an IP conflict, in which two hosts would have the same IP address at layer 3 of the OSI model.

4 – DHCP ACK = When the DHCP server receives the DHCP Request broadcast from the client, it responds with a DHCP ACK containing the lease duration and network configuration information for the dynamically configured host.
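The four-step exchange above, as an added example that is not part of the original page: both sides of the handshake are built and parsed as RFC 2131 messages in memory rather than sent on a network. The address pool, MAC addresses, router and DNS values are constructed samples, and the server’s `authorized` flag is only a stand-in for the Windows DHCP Authorization check described later on this page (an unauthorized server simply stays silent).

```python
"""DHCP four-step handshake (Discover, Offer, Request, ACK) at the byte level.
Added example; messages are RFC 2131 format, exchanged in memory. All
addresses and MACs are constructed sample values."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types (RFC 2132)
OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 50, 51, 53, 54

def ip_bytes(ip):
    return ipaddress.IPv4Address(ip).packed

def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """Assemble a message: 236-byte fixed header, magic cookie, TLV options, 0xff end marker."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype=Ethernet, hlen=6, broadcast flag set
    hdr += bytes(4) + ip_bytes(yiaddr) + bytes(8)    # ciaddr (none yet), yiaddr, siaddr, giaddr
    hdr += mac + bytes(10)                           # chaddr, padded to 16 bytes
    hdr += bytes(64) + bytes(128)                    # sname and file, unused here
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"

def parse(pkt):
    """Decode the fields the handshake needs; rejects anything without the DHCP magic cookie."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                              # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "mac": pkt[28:34], "opts": opts}

class DhcpServer:
    """Hands out the first free address of its pool and remembers which offer went to which MAC."""
    def __init__(self, server_ip, pool, lease_secs, authorized=True):
        self.ip, self.pool, self.lease_secs = server_ip, list(pool), lease_secs
        self.authorized = authorized                 # assumed model: an unauthorized server stays silent
        self.offers, self.leases = {}, {}

    def handle(self, pkt):
        if not self.authorized:
            return None
        msg = parse(pkt)
        mac, kind = msg["mac"], msg["opts"][OPT_MSG_TYPE][0]
        common = [(OPT_SERVER_ID, ip_bytes(self.ip)),
                  (OPT_LEASE_TIME, struct.pack("!I", self.lease_secs)),
                  (OPT_ROUTER, ip_bytes("192.0.2.1")), (OPT_DNS, ip_bytes("192.0.2.10"))]
        if kind == DISCOVER:
            ip = self.offers.get(mac)
            if ip is None:
                if not self.pool:
                    return None                      # scope exhausted: no offer is made
                ip = self.offers[mac] = self.pool.pop(0)
            return build(BOOTREPLY, msg["xid"], mac, ip, [(OPT_MSG_TYPE, bytes([OFFER]))] + common)
        if kind == REQUEST:
            chosen = str(ipaddress.IPv4Address(msg["opts"][OPT_SERVER_ID]))
            wanted = str(ipaddress.IPv4Address(msg["opts"][OPT_REQUESTED_IP]))
            if chosen != self.ip:                    # client took another server's offer: free ours
                if mac in self.offers:
                    self.pool.insert(0, self.offers.pop(mac))
                return None
            if self.offers.get(mac) != wanted:
                return None                          # a real server would answer with a DHCPNAK
            self.leases[mac] = wanted
            return build(BOOTREPLY, msg["xid"], mac, wanted, [(OPT_MSG_TYPE, bytes([ACK]))] + common)
        return None

def run_handshake(server, mac, xid=0x3903F326):
    """Client side of the exchange; returns the configuration carried by the ACK, or None."""
    discover = build(BOOTREQUEST, xid, mac, options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer_pkt = server.handle(discover)
    if offer_pkt is None:
        return None
    offer = parse(offer_pkt)
    request = build(BOOTREQUEST, xid, mac, options=[
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, ip_bytes(offer["yiaddr"])),
        (OPT_SERVER_ID, offer["opts"][OPT_SERVER_ID]),   # names the server whose offer was taken
    ])
    ack_pkt = server.handle(request)
    if ack_pkt is None:
        return None
    ack = parse(ack_pkt)
    return {"ip": ack["yiaddr"],
            "lease_secs": struct.unpack("!I", ack["opts"][OPT_LEASE_TIME])[0],
            "router": str(ipaddress.IPv4Address(ack["opts"][OPT_ROUTER])),
            "dns": str(ipaddress.IPv4Address(ack["opts"][OPT_DNS]))}
```

Calling `run_handshake(DhcpServer("192.0.2.10", ["192.0.2.100"], 8 * 86400), bytes.fromhex("001122334455"))` returns the leased address, the 8-day lease in seconds and the router and DNS options from the ACK. The Request carries option 54 (server identifier) precisely so that every server that answered the broadcast can tell whether its own offer was accepted and release the address otherwise.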

In both Windows and Linux, DHCP servers are configured with a “scope”, which is a range of valid IP addresses for a particular subnet and class of network. A scope can also hand out gateway, router, DNS and service information to the hosts that receive IP addresses from it. Typically, a scope must be activated before it hands out addresses, and it may be deactivated as well. Both Linux and Windows DHCP servers support “Dynamic Update”, a service whereby clients automatically register “A” records with a DNS server, removing the need to manually add host-to-IP mappings in a forward lookup zone.

All DHCP servers “lease” IP addresses from their databases. The default lease in 2000 and 2003 was 8 days. In 2008, the default lease is 6 days when configured by the wizard and 8 days when configured by the node. Lease length may be increased or decreased as desired. Longer leases mean less traffic on the network, because the DHCP 4-way handshake takes place less often. The disadvantage of a long lease is that the server “recycles” IP addresses slowly; it may run out of addresses for a given subnet, preventing new clients from joining the network until earlier leases expire. Shorter leases mitigate this problem by recycling addresses quickly so that the server does not run out of them, at the expense of much more network traffic from frequent DHCP broadcasts.

In addition to leases and scopes configured with subnet, DNS and gateway information, a DHCP server can hold exclusions and reservations. An exclusion is a range of addresses within a server’s activated scope that will not be assigned dynamically. A typical need for this is servers with static IP addresses that fall within the range of the scope; excluding them prevents IP conflicts. A reservation makes the server assign a certain IP address only to a certain MAC address. Again, this may be applied to servers with static IPs that fall within an activated scope.
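The scope, lease-length, exclusion and reservation behaviour described in the last three paragraphs, as an added example that is not part of the original page. The scope range, MAC addresses and clock values are constructed; time is passed in explicitly so that the long-lease versus short-lease trade-off can be shown without waiting for real leases to expire.

```python
"""DHCP scope model: address range, exclusions, reservations, activation and lease recycling.
Added example with constructed addresses and MACs; `now` is a caller-supplied clock in seconds."""
import ipaddress

class Scope:
    def __init__(self, network, start, end, lease_secs):
        self.network = ipaddress.IPv4Network(network)
        self.start, self.end = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if not (ipaddress.IPv4Address(start) in self.network and ipaddress.IPv4Address(end) in self.network):
            raise ValueError("scope range must lie inside its subnet")
        self.lease_secs = lease_secs
        self.active = False               # a scope hands out nothing until it is activated
        self.exclusions = []              # [(first, last)] as ints, never assigned dynamically
        self.reservations = {}            # mac -> ip (int): always the same address for that MAC
        self.leases = {}                  # ip (int) -> (mac, expires_at)

    def exclude(self, first, last):
        self.exclusions.append((int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))))

    def reserve(self, mac, ip):
        ip_int = int(ipaddress.IPv4Address(ip))
        if not self.start <= ip_int <= self.end:
            raise ValueError("reservation must lie inside the scope range")
        self.reservations[mac] = ip_int

    def _excluded(self, ip_int):
        return any(lo <= ip_int <= hi for lo, hi in self.exclusions)

    def _expire(self, now):
        for ip_int in [ip for ip, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[ip_int]       # an expired lease is recycled into the free pool

    def lease(self, mac, now):
        """Address leased to `mac` at time `now`, or None if the scope is inactive or exhausted."""
        if not self.active:
            return None
        self._expire(now)
        if mac in self.reservations:      # a reserved address is only ever given to its own MAC
            ip_int = self.reservations[mac]
            self.leases[ip_int] = (mac, now + self.lease_secs)
            return str(ipaddress.IPv4Address(ip_int))
        for ip_int, (owner, _) in self.leases.items():
            if owner == mac:              # renewal keeps the same address
                self.leases[ip_int] = (mac, now + self.lease_secs)
                return str(ipaddress.IPv4Address(ip_int))
        reserved = set(self.reservations.values())
        for ip_int in range(self.start, self.end + 1):
            if ip_int in self.leases or ip_int in reserved or self._excluded(ip_int):
                continue
            self.leases[ip_int] = (mac, now + self.lease_secs)
            return str(ipaddress.IPv4Address(ip_int))
        return None                       # every dynamically assignable address is leased out

def demo(lease_secs):
    """Four clients on a scope with only two dynamically assignable addresses; returns what each got."""
    s = Scope("192.0.2.0/24", "192.0.2.10", "192.0.2.14", lease_secs)
    s.exclude("192.0.2.10", "192.0.2.11")           # static servers live here; never handed out
    s.reserve("00:00:5e:00:53:aa", "192.0.2.14")    # the printer always gets .14
    s.active = True
    return {
        "printer": s.lease("00:00:5e:00:53:aa", now=0),
        "pc1": s.lease("00:00:5e:00:53:01", now=0),
        "pc2": s.lease("00:00:5e:00:53:02", now=0),
        "pc3_at_1h": s.lease("00:00:5e:00:53:03", now=3600),  # None while pc1/pc2 leases are still valid
    }
```

With an 8-day lease, `demo(8 * 86400)` leaves the fourth client without an address an hour later; with a 30-minute lease, `demo(1800)` has already recycled .12 and .13 by then, which is exactly the traffic-versus-exhaustion trade-off the text describes.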

Microsoft 2008/2003/2000 Active Directory enabled DHCP servers support two unique and proprietary features – “Secure Dynamic Update” and “DHCP Authorization”. Secure Dynamic Update cuts down on host spoofing and man-in-the-middle attacks by preventing a host from dynamically updating its record in DNS unless it has an authorized computer account in Active Directory. One must therefore hold administrative rights and credentials to add a host to the domain before it can dynamically update, which makes it more difficult for a hacker to use Dynamic Update to impersonate another host or poison a DNS server. The second feature, DHCP Authorization, prevents a hacker from setting up rogue DHCP servers on a network, which could also pose major security risks. It does this by requiring a DHCP server to be “authorized” before domain members will accept it, and that authorization requires administrative permission and credentials.


B. FTP and Web Servers in Vista and 2008 (IIS)

Video Tutorials:

1. Setting Up an FTP Server in 2008 and Vista
2. Setting Up IIS Web Server in 2008 and Vista – Part 1
3. Setting Up IIS Web Server in 2008 and Vista – Part 2
4. Setting Up IIS Web Server in 2008 and Vista – Part 3

FTP (File Transfer Protocol) functions through ports 20 and 21. It is a commonly used file transfer service. It is typically employed with "anonymous" access, because passwords are sent unencrypted and are therefore a security risk. Linux and Windows both support the client and server sides of FTP with command line tools and GUI configuration. Windows uses IIS (Internet Information Services) to provide FTP functionality.



C. Setting Up a 2008/Vista NAT and VPN Server

Video Tutorials:

1. 2008 VPN and NAT - 1
2. 2008 VPN and NAT - 2
3. 2008 VPN and NAT - 3

NAT and VPNs are two common services provided by routing and remote access in 2008/2003/2000 Server. Linux also provides these services.

NAT (Network Address Translation) allows many private IP addresses to share a single public IP address. It also hides these addresses from those who access the public IP. Traffic through the public IP address is filtered by a firewall, protecting the private IPs. Requests from hosts on the private IPs pass through the server to the public IP and the internet. The server stores the source and destination IPs and MAC addresses so that it can route the returning traffic back to the original host on the private network. As far as the public network is concerned, it deals only with the NAT server. NAT therefore acts as both a router and a security device. It differs from a proxy server in that it does not disassemble and reassemble each packet as it passes through the server, so it does not protect a network against malformed packets or ACK/SYN flag attacks as a proxy server would. On the other hand, because it does not disassemble and reassemble packets, it has faster throughput than a proxy server.
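The translation table the paragraph describes, as an added example that is not part of the original page. It models the common port-address form of NAT (the table is keyed on IP address and port rather than MAC address, an assumption of this example) with packets as plain dictionaries and constructed sample addresses. Note what the code does not do: the payload is passed through untouched, which is the reason NAT offers no protection against malformed packets.

```python
"""Port-address translation table: outbound rewrite, reply mapping, unsolicited drop.
Added example; packets are dicts and all addresses and ports are constructed samples."""

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.reverse = {}      # (public_port, remote_ip, remote_port) -> (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network and record the mapping for its reply."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        out = dict(pkt)
        out["src"], out["sport"] = self.public_ip, self.table[key]
        return out             # payload untouched: NAT never inspects or reassembles it

    def inbound(self, pkt):
        """Rewrite a packet arriving at the public IP; drop it if no inside host asked for it."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.reverse:
            return None        # unsolicited traffic has no mapping, so it never reaches a private host
        inside = dict(pkt)
        inside["dst"], inside["dport"] = self.reverse[key]
        return inside

def demo():
    """One request from a private host, its reply, and an unsolicited probe from outside."""
    nat = Nat("203.0.113.5")
    req = {"src": "192.168.1.20", "sport": 51000, "dst": "198.51.100.7", "dport": 80,
           "payload": "GET / HTTP/1.0"}
    translated = nat.outbound(req)
    reply = {"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.5",
             "dport": translated["sport"], "payload": "200 OK"}
    delivered = nat.inbound(reply)
    probe = {"src": "198.51.100.9", "sport": 4444, "dst": "203.0.113.5", "dport": 40005,
             "payload": "probe"}
    return translated, delivered, nat.inbound(probe)
```

Two private hosts that happen to use the same source port get distinct public ports, so the reply from the outside can always be steered back to the right inside host, and anything that arrives without a matching entry is discarded.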

VPNs are used to create secure connections over broadband to private LANs. Without them, any connection made over broadband to a private network would be open to millions of prying eyes. VPNs work by creating an encrypted tunnel through which traffic must pass. To accomplish this, four IP addresses are employed: two outer IPs on the public network, and two inner virtual IP addresses that exist within the encrypted tunnel. The outer IPs are provided by the ISP to both the client and the server it connects to. The inner IPs are provided by a DHCP server or an internal database on the VPN server and are hidden from prying eyes inside the encrypted tunnel. There are three basic types of VPN in both Linux and Windows:

1. SSTP = Secure Socket Tunneling Protocol, uses SSL on port 443 for encryption; as such, it is compatible with most firewalls and passes through them as web traffic.

2. L2TP = Layer 2 Tunneling Protocol, uses IPSec for encryption and so supports shared keys and certificates. It offers header compression and encryption for efficiency and security, but as a result it may be less compatible than PPTP when communicating with older routers and servers.

3. PPTP = Point to Point Tunneling Protocol, uses MPPE for encryption. It is more compatible with older routers and servers.


D. DNS

DNS is responsible for Domain Name Resolution. It maps a computer’s host name to its IP address. Remember that IP addressing functions at Layer 3 of the OSI model. On the internet, DNS resolution is broken up into zones over which different servers are delegated authority. A domain name resolves from right to left. At the top level are DNS servers that resolve ".com", ".org", ".gov", ".mil", etc. These servers hold IP addresses for name servers that resolve names like "microsoft", "google", "wikipedia", "yahoo" or "youtube". Those servers in turn hold host-to-IP mappings for hosts like "www", "training", "uploads", etc.

There are several parts to DNS. Below are some videos on setting up DNS and configuring it in 2008 and Vista.

Video Tutorials:

1. Setting Up DNS with DHCP

2. Setting Up DNS within Active Directory:

   1. 2008 Active Directory 1
   2. 2008 Active Directory 2
   3. 2008 Active Directory 3

Important Aspects of DNS:

Forward Lookup Zone = holds A records, maps host names to IP addresses
Reverse Lookup Zone = holds PTR records, maps IP addresses to host names
Stub Zone = holds only the name server records for a zone, pointing to the servers that are authoritative for it
A records = map host names to IP addresses
PTR records = map IP addresses to host names
SRV records = map services in Active Directory, such as the global catalog (gc), to the hosts that provide them
CNAME records = aliases that point to the A record of another server or host

ADI Zone = Active Directory Integrated. It does not depend on zone transfers; DNS information is replicated via Active Directory replication, which is secured by Kerberos encryption, and it supports “Secure Dynamic Update”. It does not integrate with Linux and BIND. Multi-master model: all DNS servers are read/write capable.

Standard Primary Zone = Does not support “Secure Dynamic Update”. Does integrate with Linux and BIND. Depends on zone transfers, either incremental (IXFR) or at scheduled times. Not encrypted. In the standard model, only the Primary Zone is read/write capable; the Secondary zones are read-only.

Standard Secondary Zone = Read-only standard zone that receives updates from the sole primary zone server. Does not support “Secure Dynamic Update”. Does integrate with Linux and BIND.

 

Dynamic Update = Available in both Windows and Linux environments. Allows a client to automatically update its A record in DNS, or a DHCP server to update the record on the client’s behalf.

Secure Dynamic Update = Exclusive feature of 2008, 2003 and 2000, only available within an ADI DNS environment. It tightens security by requiring a computer to have an authorized Active Directory account before it can dynamically update its A record.
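The zone and record types in the glossary above, together with the Dynamic Update and Secure Dynamic Update behaviour, as an added example that is not part of the original page. The zone names, hosts and the set of “authorized computer accounts” are constructed; real Secure Dynamic Update relies on Active Directory authentication, which is modeled here as a simple membership check on the updating account name.

```python
"""Forward and reverse zones, A/PTR/CNAME/SRV records, CNAME chasing and a
secure-dynamic-update gate. Added example; all names and addresses are constructed."""
import ipaddress

class Zone:
    def __init__(self, name, secure_update=False, authorized=()):
        self.name = name.rstrip(".") + "."
        self.records = {}                 # (owner fqdn, type) -> list of rdata
        self.secure_update = secure_update
        self.authorized = set(authorized) # stands in for "has an authorized AD computer account"

    def _fqdn(self, label):
        return label if label.endswith(".") else f"{label}.{self.name}"

    def add(self, label, rtype, rdata):
        self.records.setdefault((self._fqdn(label).lower(), rtype), []).append(rdata)

    def lookup(self, name, rtype):
        return self.records.get((self._fqdn(name).lower(), rtype), [])

    def dynamic_update(self, host, ip, account):
        """Plain Dynamic Update accepts anyone; Secure Dynamic Update only an authorized account."""
        if self.secure_update and account not in self.authorized:
            return False                  # refused: this is what blocks an unauthorized impersonator
        self.records[(self._fqdn(host).lower(), "A")] = [ip]   # replace, so no stale address lingers
        return True

def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def resolve_a(zone, name, max_cnames=8):
    """Follow CNAME aliases until an A record is reached, as a resolver does."""
    for _ in range(max_cnames):
        addresses = zone.lookup(name, "A")
        if addresses:
            return addresses
        alias = zone.lookup(name, "CNAME")
        if not alias:
            return []
        name = alias[0]
    return []                             # alias loop or chain too long

def build_zones():
    """An ADI-style forward zone with secure updates and a matching reverse zone."""
    fwd = Zone("corp.example", secure_update=True, authorized={"PC1$", "PC2$"})
    rev = Zone("2.0.192.in-addr.arpa")
    fwd.add("dc1", "A", "192.0.2.10")
    rev.add(reverse_name("192.0.2.10"), "PTR", "dc1.corp.example.")
    fwd.add("web1", "A", "192.0.2.20")
    fwd.add("www", "CNAME", "web1.corp.example.")            # alias for the web server's A record
    fwd.add("_ldap._tcp.dc._msdcs", "SRV", (0, 100, 389, "dc1.corp.example."))   # (priority, weight, port, target)
    fwd.add("_gc._tcp", "SRV", (0, 100, 3268, "dc1.corp.example."))             # global catalog
    return fwd, rev
```

`resolve_a(fwd, "www")` walks the CNAME to `web1` and returns its address; `rev.lookup(reverse_name("192.0.2.10"), "PTR")` gives the reverse mapping; and `fwd.dynamic_update("pc1", ..., account="ROGUE$")` is refused while the same update from `PC1$` is accepted.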


E. IP Addressing

To understand networking and routing in either Linux or Windows environments, one needs a background in IP addressing, sub-netting and routing. Below are some brief summaries:

IP addressing comes in multiple versions:

1. IPv4, 32 bits, which provides about 4.2 billion addresses

2. IPv6, 128 bits, which provides a million times as many addresses as IPv4. To put this in perspective, if shared among 6.5 billion people, IPv6 would provide approximately 5×10^28 addresses for each individual.

Primarily, we still deal with IPv4. Here are several lectures and breakdowns on IP addressing, sub-netting, routing, CIDR and VLSM. (For those of you who were in the hardware class, this may be a good review):

1. Classful IP addressing and Structure
2. Sub-netting
3. Supernetting
4. CIDR and VLSM
5. Routing, Static Tables and Dynamic Protocols
6. Switches and Layer 2 of the OSI
7. Layer 3 Switching and VLANs
8. WAN Protocols
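The address-space arithmetic from the IP addressing section above, plus the sub-netting, VLSM and supernetting (CIDR aggregation) topics the lecture list names, as an added example that is not part of the original page. It uses Python’s standard `ipaddress` module; the 6.5 billion population figure is the one given on the page, and the example networks are constructed.

```python
"""IPv4/IPv6 address counts, fixed-length subnetting, VLSM and CIDR aggregation.
Added example using the standard ipaddress module; example networks are constructed."""
import ipaddress

def address_counts(population=6_500_000_000):
    """Total addresses per IP version and the IPv6 share per person (population from the page)."""
    v4, v6 = 2 ** 32, 2 ** 128
    return {"ipv4": v4, "ipv6": v6, "ipv6_per_person": v6 // population, "ratio": v6 // v4}

def subnet(network, new_prefix):
    """Classic fixed-length subnetting: split a network into equal subnets of the new prefix."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]

def vlsm(network, host_counts):
    """Variable-length subnetting: give each named group the smallest subnet that fits its hosts.
    Largest requirement first, so blocks stay aligned; returns {name: 'network/prefix'}."""
    free = [ipaddress.ip_network(network)]
    result = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        need = hosts + 2                                  # network and broadcast addresses
        prefix = 32 - (need - 1).bit_length()             # smallest prefix with 2**(32-prefix) >= need
        free.sort(key=lambda n: n.prefixlen, reverse=True)  # prefer the smallest free block that fits
        block = next((n for n in free if n.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"no room left for {name}")
        free.remove(block)
        while block.prefixlen < prefix:                   # halve the block, keep the remainder free
            first, second = block.subnets(prefixlen_diff=1)
            free.append(second)
            block = first
        result[name] = str(block)
    return result

def supernet(networks):
    """Supernetting / CIDR aggregation: merge adjacent networks into the fewest route entries."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks)]
```

`vlsm("192.0.2.0/24", {"sales": 50, "eng": 100, "ptp": 2})` hands engineering a /25, sales a /26 and the point-to-point link a /30, and `supernet(["198.51.100.0/25", "198.51.100.128/25"])` collapses two /25s back into one /24 route, the reverse operation.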

©2008 C. Germany