70-221: Designing a Network Infrastructure

Satya | 10:12 AM | 0 comments


Introduction

Windows 2000 is fast becoming the most widely deployed network operating system in the corporate world, and as computer networks grow in both size and complexity, proven skills are in demand. Microsoft has revised its Microsoft Certified Professional (MCP) program accordingly, so that candidates can demonstrate expertise in the Windows 2000 family of products and services.
Windows 2000 ships in several editions: Windows 2000 Professional for clients, and Windows 2000 Server, Advanced Server and Datacenter Server, chosen according to the size and availability requirements of the client/server environment.
This study guide gives an overview of what you need to pass exam 70-221, Designing a Microsoft Windows 2000 Network Infrastructure. The exam covers the business analysis and the technical requirements for building a functional Windows 2000 network infrastructure, including the administrative tasks involved in running it.


Analysis of Business Infrastructure

The structure of your business (company or organization) largely determines your Windows 2000 network design. Microsoft calls the result an "enterprise": a network, or group of networks, in which disparate computing hosts work together to carry out the organization's daily business, under the control of one or more administrators.

Geographical Boundaries

Whether your business operates locally, regionally or internationally helps determine the overall shape of your Windows 2000 design, for instance whether domains and organizational units are laid out along geographical or business boundaries.

Determination of Company Organization

First determine the management style of your leaders and the logical layout of your management structure. Second, analyze the vendor, partner and customer relationships your company has built. These factors indicate whether your company is likely to be acquired or to acquire other companies, either of which affects your Windows 2000 network plan (for example, the number of domains and the trust relationships between them).

Determination of Company's Growth Chances and Strategies

Although Windows 2000 networks are scalable and amenable to growth, your network design still needs to take the potential for growth into account.

Risk Assessment

Identify the kinds of risk your company faces and how the Windows 2000 network design should address them. For instance, a company involved in e-business exposes services to the Internet and therefore carries security risks that an internal-only network does not.

Total Cost of Operations

Determine what percentage of your company's total cost of operations can be spent on IT, so that every IT cost is carefully planned and justified. Second, estimate the return on investment you expect if you choose Windows 2000 as your network operating system.

Analysis of Company's Resource Distribution

Analyze how the company's resources are distributed, including people, servers, routers, telephony, printers and associated network peripherals, and decide whether these resources are managed centrally or in a decentralized fashion.

In a centralized environment a single leadership governs everything, with several managers administering individual areas beneath it, forming a tree-like chain of command. In a decentralized environment separate groups handle different computing scenarios under different authorities, and may or may not report to a top-level official.

Evaluation of the Current Network Environment

Evaluate the current network environment: its performance, the protocols in use, the TCP/IP hosts, the network services in place (DHCP, DNS, network monitoring, performance monitoring), the network hardware, and the technical support arrangements, which depend heavily on end-user needs. Finally, assess how the current environment responds to failure, from a minor fault to a catastrophic disaster; in other words, its fault-tolerance and disaster-recovery strategies.
After this evaluation, list the shortcomings of the current environment and decide how careful planning of the Windows 2000 design and deployment can minimize them.

Overview of Windows 2000 Network Services

Network Protocols and Services

Protocols

A protocol is a set of rules and conventions for sending information over a network. Windows 2000 relies on TCP/IP for logon, file and print services, replication between domain controllers, and other common functions. The primary network protocols that Windows 2000 supports are:
  • TCP/IP
  • AppleTalk
  • Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), via NWLink
  • Data Link Control (DLC)
  • NetBIOS Extended User Interface (NetBEUI)

TCP/IP Protocol

A routable protocol installed by default in Windows 2000, which can be used to connect heterogeneous networks. Each computer on a TCP/IP network is identified by a 32-bit IP address, which can be entered manually or supplied automatically by a DHCP server.
Because these addresses are numbers and therefore hard to remember, you also provide users with names that are easier to use. Mapping such a name to an IP address is called name resolution; it is performed primarily by the Domain Name System (DNS) and the Windows Internet Name Service (WINS).

Name resolution for TCP/IP

Name resolution lets users refer to servers by easy-to-remember names instead of the numerical IP addresses that identify hosts on a TCP/IP network. Windows 2000 provides two name-resolution services: DNS for host names and WINS for NetBIOS names.

Domain Name System (DNS)

DNS is a hierarchical naming system used to locate computers on the Internet and on private TCP/IP networks. Most installations need one or more DNS servers. DNS is required for Internet e-mail, Web browsing and Active Directory, and in any domain with Windows 2000 clients, which use DNS (specifically SRV resource records) to locate domain controllers. DNS is installed automatically when you create a domain controller (or promote a server to domain controller) unless Setup detects that a DNS server already exists for that domain. Alternatively, you can explicitly select DNS as a component to install during or after Setup.
If you install DNS on a server, give that server a static IP address and configure the DNS clients to use it. A DNS server that is to support Active Directory must support SRV records, and should support dynamic update so that domain controllers can register their own records.

Windows Internet Name Service (WINS)

WINS resolves NetBIOS computer names to IP addresses for clients running Windows NT and earlier Microsoft operating systems, so users can reach servers by name rather than by IP address. If you must support clients running Windows NT or any earlier Microsoft operating system, install WINS on one or more servers in the domain.

Overview of DHCP

Dynamic Host Configuration Protocol is used to assign IP addresses to clients automatically, together with the matching subnet mask, default gateway, and DNS (and WINS) server addresses. In a Windows 2000 domain a DHCP server must be authorized in Active Directory before it will lease addresses, which stops an unauthorized Windows 2000 DHCP server from handing out bogus configurations.

Unix Interoperability

If you install Windows 2000 on a network that already contains UNIX hosts, you will also need the following:
  • TCP/IP - TCP/IP is the common protocol that lets the UNIX computers and the Windows 2000 computers on the network communicate.
  • SNMP Service - the Simple Network Management Protocol agent, so UNIX-based management stations can monitor the Windows 2000 hosts. Windows 2000 supports SNMP v1 and v2c, in which the community name is the only credential and travels in clear text, so configure the service to accept packets only from named management hosts and do not leave the default "public" community in place.
  • Print Services for UNIX - allows Windows computers to print to UNIX-controlled (LPD) printers, and UNIX hosts to print to Windows 2000 print queues.

NWLink (IPX/SPX) and NetWare Interoperability

Gateway Service for NetWare (GSNW) can be installed on a Windows server to let Microsoft client systems reach a NetWare server through that server acting as a gateway. The frame type configured for the NWLink protocol must match the one used by the NetWare computer being contacted; mismatched frame types cause connectivity problems between the two systems. NetWare 3 servers use the bindery (set the Preferred Server in CSNW); NetWare 4.x and later servers use NDS (set the Default Tree and Context). NWLink is Microsoft's IPX/SPX-compatible transport; on its own it carries the traffic but does not, by itself, make Windows resources available to NetWare clients.
To allow file and print access from a Windows system to a NetWare server, Client Service for NetWare (CSNW) must be installed on that system. In a NetWare 5 environment the Microsoft client does not support connecting to a NetWare server over TCP/IP; you must use IPX/SPX or install the Novell NetWare client.
When NWLink is set to auto-detect the frame type it settles on a single type, trying Ethernet 802.2 first, then 802.3, then Ethernet II; on Token Ring media 802.5 framing is used.

AppleTalk

AppleTalk must be installed for Windows 2000 to communicate with AppleTalk printers. File Services for Macintosh and Print Services for Macintosh allow Apple clients to use resources on a Microsoft network.

DLC

It is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard printers.

NetBEUI

It is used solely by Microsoft operating systems and is non-routable.

Remote Access Services

Remote Access Service (RAS) lets remote clients dial in, or connect over a VPN, and use the network as if they were attached locally. A RAS link is considered a Wide Area Network (WAN) connection.

Protocols Supported By RAS

Connection Protocols

  • Point-to-Point Protocol (PPP) - the standard encapsulation for serial links and an improvement over SLIP. PPP negotiates link options (LCP), supports authentication, and can carry several network protocols (IP, IPX, NetBEUI) over the same bi-directional link. Packets are delivered in the order they were sent.
  • Serial Line Internet Protocol (SLIP) - frames IP packets for transport over a serial line. It provides no error correction, addressing, compression or packet identification, and no authentication or negotiation. SLIP carries IP only; Windows 2000 supports it for outbound (client) connections only.
  • Point-to-Point Multilink Protocol - combines the bandwidth of several physical connections into one logical connection.
  • Microsoft RAS protocol (AsyBEUI) - the proprietary protocol used by older Microsoft clients such as Windows NT 3.1, Windows for Workgroups, MS-DOS and LAN Manager; it carries NetBEUI only.

VPN Protocols Support

Overview of Virtual Private Network

A Virtual Private Network allows you to run a private network over a public, untrusted one. You can use a VPN to connect clients to your network across the Internet securely, even though the Internet itself is an untrusted network, because the traffic is authenticated and encrypted inside the tunnel.

VPN protocols

  • Point-to-Point Tunneling Protocol (PPTP) - defined in RFC 2637 and operating at the data link layer, PPTP tunnels PPP frames from a remote client to a network over the Internet, typically at modem speeds. It uses a TCP control connection (port 1723) and carries the tunnelled PPP frames in GRE (IP protocol 47). The PPTP specification itself defines no encryption or key management; Windows 2000 relies on PPP's own mechanisms, MS-CHAP authentication and Microsoft Point-to-Point Encryption (MPPE), whose session keys are derived from the user's credentials. PPTP security is therefore only as strong as the user's password and the MS-CHAP version in use (MS-CHAP v1 has known weaknesses; prefer v2).
  • Layer Two Tunneling Protocol (L2TP) - combines features of Cisco's L2F and PPTP and also works at the data link layer, carrying PPP frames over UDP port 1701. L2TP provides no encryption of its own; Windows 2000 pairs it with IPSec (L2TP/IPSec), which authenticates the two computers with certificates and encrypts the tunnel.
  • IPSec - Internet Protocol Security, developed by the IETF and implemented at layer 3 (IP). It is a collection of security services covering data confidentiality, integrity, authentication and key management (IKE), in addition to tunnelling.

Bandwidth Allocation Protocols

  • BACP - Bandwidth Allocation Control Protocol. Negotiates, during PPP link setup, whether BAP will be used on a Multilink connection.
  • BAP - Bandwidth Allocation Protocol (RFC 2125). Adds and drops links in a Multilink PPP bundle on demand as utilization rises and falls. It is new in Windows 2000 and works together with BACP.

Authentication Protocols Supported

  • CHAP - Challenge Handshake Authentication Protocol (RFC 1994). The server sends a random challenge and the client answers with an MD5 digest of the challenge and the password, so the password itself never crosses the link; session data is not encrypted. Because the server must recompute the digest from the actual password, the Windows 2000 account must be set to store the password using reversible encryption. Works with non-Microsoft clients.
  • EAP - Extensible Authentication Protocol. Allows an arbitrary authentication mechanism to validate a dial-in connection; Windows 2000 ships with generic token card, MD5-CHAP and TLS methods.
  • EAP-TLS - EAP with Transport Layer Security. Used primarily for certificate-based authentication, including smart cards.
  • MS-CHAP (v1 and v2) - Microsoft Challenge Handshake Authentication Protocol. A challenge-response scheme that also derives the MPPE keys used to encrypt the session data. Version 2 adds mutual authentication and separate send and receive keys. V2 is supported in Windows 2000 and, for VPN connections, in NT 4.0 and Windows 95/98 (with the DUN 1.3 upgrade).
  • PAP - Password Authentication Protocol. Sends the username and password in clear text; use it only when no client supports anything else.
  • RADIUS - Remote Authentication Dial-In User Service. Not a link authentication method but a server protocol: the RAS server forwards credentials to a RADIUS server (Internet Authentication Service in Windows 2000) for centralized authentication and accounting across distributed dial-up servers.
  • SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Reversibly encrypts the password, but not the data.
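The difference between PAP and CHAP above is easiest to see on the wire. The following is an added example, not code from the original page or from any Microsoft component: it builds a PAP request and an RFC 1994 CHAP exchange over a constructed credential store (the user "alice" and her secret are invented for the example), and shows that the CHAP response neither contains the password nor survives replay against a fresh challenge.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed credential store for this example (not from the original page).
# CHAP verification needs the authenticator to know the shared secret itself,
# which is why Windows 2000 requires "store password using reversible
# encryption" on accounts that authenticate with CHAP.
USER_DB = {"alice": b"correct horse battery staple"}


def pap_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): peer-id and password in clear."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password


def pap_leaks_password(username: str, password: bytes) -> bool:
    """Anyone sniffing the link reads the password straight out of the PAP frame."""
    return password in pap_request(username, password)


def chap_challenge() -> tuple[int, bytes]:
    """Authenticator side: a one-octet identifier and a fresh random challenge."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the digest from its copy of the secret and compares."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, claimed_secret: bytes) -> tuple[bytes, bool]:
    """One challenge/response round; returns (what crossed the wire, accepted?)."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, claimed_secret, challenge)
    return response, chap_verify(username, identifier, challenge, response)


def chap_response_leaks_secret(username: str, secret: bytes) -> bool:
    response, _ = chap_exchange(username, secret)
    return secret in response


def replay_is_rejected(username: str, secret: bytes) -> bool:
    """A captured response is useless against a later challenge, because the
    authenticator picks a new random challenge every time."""
    identifier, challenge = chap_challenge()
    captured = chap_response(identifier, secret, challenge)
    new_identifier, new_challenge = chap_challenge()
    return not chap_verify(username, new_identifier, new_challenge, captured)


if __name__ == "__main__":
    print("PAP exposes password:", pap_leaks_password("alice", USER_DB["alice"]))
    print("CHAP accepts right secret:", chap_exchange("alice", USER_DB["alice"])[1])
    print("CHAP rejects wrong secret:", chap_exchange("alice", b"guess")[1])
    print("CHAP replay rejected:", replay_is_rejected("alice", USER_DB["alice"]))
```

Note the trade-off the example makes visible: CHAP keeps the password off the wire, but `chap_verify` can only work because `USER_DB` holds the plaintext secret, so a compromise of the authenticator (or of an Active Directory account stored with reversible encryption) hands the attacker every password. MS-CHAP avoids that by deriving its response from the stored NT hash instead.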

Remote Access Policies

With remote access policies you define rules whose conditions the server evaluates to decide whether a particular connection attempt is accepted.
A native-mode Windows 2000 domain can have any number of policies. When a caller connects, the policies are evaluated in the order you specify; all of the conditions in a policy must match for that policy to apply, and the first policy that matches is the only one used. If no policy matches, the connection is rejected. The three components of a remote access policy are its conditions, its permission and its profile:
  • Conditions - a list of attributes (time of day and day of week, Windows group membership, client IP address, caller ID, and so on) that are matched against the attributes of the incoming connection. The first policy whose conditions all match is processed for permission and profile.
  • Permission - the policy's own grant-or-deny setting. It is combined with the dial-in property of the user's account in Active Directory: an account set to Allow or Deny overrides the policy setting, while an account set to "Control access through Remote Access Policy" takes whatever the matching policy says. This combination gives a wide range of flexibility when assigning remote access permissions.
  • Profile - the settings (permitted authentication protocols, required encryption level, idle timeout, IP filters) applied to the connection once it has been permitted. If the connection cannot satisfy the profile, for example because the client negotiated an authentication protocol the profile does not allow, the connection is denied.
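The evaluation order described above (conditions, then permission, then profile) is what decides most "why can't this user dial in" tickets, so it is worth modelling. The code below is an added example written for this guide, not Windows 2000's own policy engine; the policy names, groups, hours and users are constructed for illustration, and the encryption labels "basic" and "strong" stand in for 40-bit and 128-bit MPPE.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


# Attributes of a connection attempt as the RAS server sees them (constructed).
@dataclass(frozen=True)
class Connection:
    user: str
    groups: frozenset
    hour: int              # local hour of the attempt, 0-23
    auth: str              # negotiated authentication protocol, e.g. "MS-CHAPv2"
    encryption: str        # "none", "basic" (40-bit MPPE) or "strong" (128-bit MPPE)
    caller_id: Optional[str] = None


@dataclass(frozen=True)
class Profile:
    allowed_auth: frozenset
    min_encryption: str


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: tuple      # every condition must match; an empty tuple matches everything
    grant: bool            # the policy's own Grant/Deny remote access permission
    profile: Profile


ENC_RANK = {"none": 0, "basic": 1, "strong": 2}


def evaluate(policies: list[Policy], conn: Connection, dial_in: str) -> tuple[bool, str]:
    """dial_in is the account's AD dial-in property: "allow", "deny" or "policy"
    ("Control access through Remote Access Policy")."""
    # 1. Conditions: the first policy whose conditions all match is the one used.
    for policy in policies:
        if all(cond(conn) for cond in policy.conditions):
            break
    else:
        return False, "no policy matched; connection rejected"
    # 2. Permission: an explicit Allow/Deny on the account overrides the policy setting.
    if dial_in == "deny":
        return False, f"{policy.name}: account dial-in permission is Deny"
    if dial_in == "policy" and not policy.grant:
        return False, f"{policy.name}: policy denies remote access"
    # 3. Profile: the connection must satisfy the profile or it is dropped.
    if conn.auth not in policy.profile.allowed_auth:
        return False, f"{policy.name}: {conn.auth} not permitted by profile"
    if ENC_RANK[conn.encryption] < ENC_RANK[policy.profile.min_encryption]:
        return False, f"{policy.name}: encryption {conn.encryption} below profile minimum"
    return True, f"{policy.name}: accepted"


def after_hours(c: Connection) -> bool:
    return c.hour >= 18 or c.hour < 6


def business_hours(c: Connection) -> bool:
    return 8 <= c.hour < 18


def in_group(name: str) -> Callable[[Connection], bool]:
    return lambda c: name in c.groups


STRONG = Profile(frozenset({"MS-CHAPv2", "EAP-TLS"}), "strong")

# Ordered as in the Routing and Remote Access snap-in: most specific first, with a
# catch-all deny at the end so an unmatched connection never slips through.
POLICIES = [
    Policy("Admins any time", (in_group("Domain Admins"),), True, STRONG),
    Policy("Staff business hours", (in_group("Staff"), business_hours), True, STRONG),
    Policy("Default: deny", (), False, Profile(frozenset(), "none")),
]


def decide(user, groups, hour, auth, enc, dial_in="policy"):
    conn = Connection(user, frozenset(groups), hour, auth, enc)
    return evaluate(POLICIES, conn, dial_in)


if __name__ == "__main__":
    print(decide("bob", ["Staff"], 10, "MS-CHAPv2", "strong"))
    print(decide("bob", ["Staff"], 22, "MS-CHAPv2", "strong"))
    print(decide("bob", ["Staff"], 10, "PAP", "none"))
    print(decide("ann", ["Domain Admins"], 3, "EAP-TLS", "strong", dial_in="deny"))
```

Two behaviours worth noticing: a staff member outside business hours falls through to the catch-all and is refused even when the account's dial-in property is Allow, because Allow only overrides the permission step, not the need for a matching policy and profile; and a client that negotiated PAP is refused by the profile even though every condition matched.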

Routing

The Routing and Remote Access administrative tool is used to enable routing on a Windows 2000 Server that is multihomed (has more than one network card). Windows 2000 Professional cannot act as a router. Either the Routing and Remote Access tool or the route command-line utility can be used to configure a static router and populate its routing table. Every router, static or dynamic, forwards packets according to a routing table; the difference is that static routes are entered by hand, whereas with dynamic routing the table is built and kept up to date by a routing protocol (RIP or OSPF) that you must add to the server.

Dynamic Routing

Two Windows 2000 supported Dynamic routing protocols are:

Routing Information Protocol (RIP) version 2 for IP

A RIP-capable router periodically announces its routing table while receiving the announcements of its peers. Through this exchange each router learns which other routers exist on the network and which destination networks each of them can reach.
Each route carries a cost, measured in RIP as a hop count with 16 meaning unreachable (so a path may be at most 15 hops). RIP performs least-cost routing by keeping, for each destination, the route with the lowest cost it has heard. RIP version 2 also carries the subnet mask with each route and supports simple password authentication of announcements, which should be enabled so that a rogue host cannot inject routes.
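To make the announcement exchange concrete, here is an added example (not from the original page or from any Microsoft code) that simulates RIP-style distance-vector convergence over a constructed topology: routers A, B, C and D with one attached network each, a shortcut link between A and C, and an isolated router E that nobody can reach.

```python
from __future__ import annotations

INFINITY = 16  # RIP hop count meaning "unreachable"; usable paths are 1..15 hops


def rip_converge(links: dict[str, list[str]], attached: dict[str, list[str]],
                 max_rounds: int = 50):
    """Distance-vector exchange. Each router starts knowing only its directly
    attached networks (metric 1), then repeatedly processes its neighbours'
    announcements, adopting a route only when neighbour metric + 1 beats what
    it already holds. Returns (tables, rounds) with
    tables[router][network] = (metric, next_hop)."""
    tables = {r: {net: (1, None) for net in attached.get(r, [])} for r in links}
    for rnd in range(1, max_rounds + 1):
        changed = False
        for router, neighbours in links.items():
            for nb in neighbours:
                # Everything nb announces arrives one hop further away.
                for net, (metric, _) in list(tables[nb].items()):
                    advertised = min(metric + 1, INFINITY)
                    if advertised >= INFINITY:
                        continue  # the neighbour cannot really reach it either
                    current = tables[router].get(net)
                    if current is None or advertised < current[0]:
                        tables[router][net] = (advertised, nb)
                        changed = True
        if not changed:          # a full round with no updates: converged
            return tables, rnd
    return tables, max_rounds


# Constructed topology: A-B-C-D chain plus an A-C shortcut, and an isolated router E.
LINKS = {"A": ["B", "C"], "B": ["A", "C"], "C": ["A", "B", "D"], "D": ["C"], "E": []}
ATTACHED = {"A": ["N_A"], "B": ["N_B"], "C": ["N_C"], "D": ["N_D"], "E": ["N_E"]}


def route_from(router: str, network: str):
    """Best route a router holds for a network after convergence, or None."""
    tables, _ = rip_converge(LINKS, ATTACHED)
    return tables[router].get(network)


if __name__ == "__main__":
    tables, rounds = rip_converge(LINKS, ATTACHED)
    print(f"converged after {rounds} rounds")
    for router in sorted(tables):
        print(router, dict(sorted(tables[router].items())))
```

Router A reaches N_D in 3 hops via the C shortcut rather than 4 hops via B, B likewise prefers C for N_D, and no router ever learns N_E. Because every router trusts whatever its neighbours announce, a host that can send RIP announcements on the segment can redirect traffic; that is the reason for the RIP v2 authentication mentioned above.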

OSPF

OSPF is also designed to let routers share routing data dynamically, but it is a link-state protocol: each router floods the state of its own links to all other routers, every router builds the same map of the network topology from those advertisements, and each then computes the shortest path to every destination itself. Because a router sends only the portion describing its own links rather than its entire routing table, OSPF generates less routing traffic and converges faster than RIP on large networks.

CIDR (Classless Inter Domain Routing)

CIDR is an IP addressing scheme that replaces the older system based on classes A, B and C. A CIDR address looks like a normal IP address followed by a slash and a number, the prefix length, which gives the number of leading bits that identify the network:
172.200.0.0/18
Because the network/host boundary can fall on any bit rather than only on octet boundaries, CIDR lets you carve an address block into exactly as many subnets as you need (for example to split a congested network) and lets routers advertise a whole block as one summary route instead of many class-based entries.
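The arithmetic behind a prefix such as 172.200.0.0/18, and the longest-prefix-match rule a router applies to a static routing table, are both shown in the following added example (written for this guide with the standard library `ipaddress` module; it is not code from the original page). The routing table contents, gateways and interface names are constructed for illustration; the `route add` strings it produces follow the Windows 2000 `route` command syntax mentioned above.

```python
from __future__ import annotations

import ipaddress
from typing import Optional


def summarize(cidr: str) -> dict:
    """The values you would otherwise work out by hand for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
    }


def subnet(cidr: str, new_prefix: int) -> list[str]:
    """Carve one block into equal subnets, e.g. a /18 into four /20s."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


class StaticRoutingTable:
    """Longest-prefix-match lookup: the most specific route containing the
    destination wins, and the lower metric breaks ties between equal prefixes."""

    def __init__(self):
        self.routes = []

    def add(self, destination: str, gateway: str, interface: str, metric: int = 1):
        self.routes.append((ipaddress.ip_network(destination), gateway, interface, metric))

    def lookup(self, ip: str) -> Optional[tuple]:
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, gateway, interface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
        return str(net), gateway, interface, metric

    def as_route_add(self) -> list[str]:
        """Equivalent Windows 2000 commands: route add <dest> mask <mask> <gateway> metric <n>."""
        return [
            f"route add {net.network_address} mask {net.netmask} {gw} metric {metric}"
            for net, gw, _iface, metric in self.routes
        ]


def build_example_table() -> StaticRoutingTable:
    # Constructed routes: default route to the ISP, a summary route for the /18,
    # and a more specific /20 inside it that is reached through a different gateway.
    table = StaticRoutingTable()
    table.add("0.0.0.0/0", "192.0.2.1", "External")
    table.add("172.200.0.0/18", "10.0.0.2", "Internal")
    table.add("172.200.16.0/20", "10.0.0.3", "Internal")
    return table


if __name__ == "__main__":
    print(summarize("172.200.0.0/18"))
    print(subnet("172.200.0.0/18", 20))
    table = build_example_table()
    for dest in ("172.200.20.5", "172.200.5.5", "198.51.100.9"):
        print(dest, "->", table.lookup(dest))
    print("\n".join(table.as_route_add()))
```

A destination inside 172.200.16.0/20 is sent to 10.0.0.3 even though it also falls within the /18 summary route, which is the behaviour to check first when a "more specific" route appears in a routing table you did not expect.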

Quality of Service Circuits

Quality of Service (QoS) is the networking term for a guaranteed level of throughput; a provider using it can promise customers that end-to-end latency will not exceed a specified level. Traffic control services in Windows 2000 manage traffic flow for both QoS-aware and non-QoS-aware programs. QoS-aware programs request bandwidth reservations through the Generic QoS API (GQoS); non-QoS-aware programs receive best-effort treatment unless a management application sets up flows on their behalf through the Traffic Control API.

Traffic Control Components

Traffic Control Components include:
  • Packet Scheduler - for traffic policing
  • Packet Classifier - for mapping each incoming packet to a specific priority level
  • Admission Control - for deciding whether a flow can be granted without disrupting any established flows
  • Resource Reservation - for setting up a flow state between end computers and inter-network devices

Queuing Methods

Queuing Methods include:
  • First-In First-Out - the default mechanism used on routers that deploys store and forward method
  • Priority Queuing - traffic is queued as high, normal, medium, or low, with all high-priority traffic being serviced first
  • Weighted Fair Queuing - gives low-volume traffic flows preferential treatment and allows higher-volume traffic flows to obtain equity in the remaining capacity.

Internet Connectivity Issues

Proxy Server Implementation

Microsoft Proxy Server acts as an intermediary between the users on your private network and the Internet. You can control who is allowed out, to which sites, and when. You can set up custom filters and block particular packet types such as ICMP. Third-party products such as SmartFilter and ProxyReporter bundle with Proxy Server to add further control and reporting to your deployment. Exchange servers sitting behind a proxy server require special configuration so they can continue to receive Internet e-mail.

Firewalls

A firewall allows you to restrict very explicitly which IP addresses, protocols and ports may enter (or leave) your network. Start from a deny-all rule and permit only the traffic you have identified a need for.

Screened Subnet or Demilitarized Zone (DMZ)

A screened subnet is one that lies between two firewalls: the private network is behind the first firewall, the screened subnet sits in the middle, and the public network (Internet) is on the far side of the second firewall. Servers that must be reachable from the Internet are placed in the screened subnet so that a compromise there does not give direct access to the private network.

Network Address Translation (NAT)

NAT lets one computer masquerade on one of its interfaces for all the computers on another of its interfaces. It is not a firewall, but it does add some protection: because an external host can only reach an inside host through a mapping the NAT computer has created (a reply to an outbound connection, or a port you have deliberately published), external hosts cannot initiate connections to the inside computers on their own. The only registered address is the one on the NAT computer's outside interface; if that interface is on the Internet, it must have a registered IP address. NAT must be set up on an interface that is enabled for routing. The Routing and Remote Access administrative tool is used to install and configure NAT.
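The following added example (written for this guide, not code from the original page or from Routing and Remote Access) models the translation table that gives NAT the protective behaviour described above. The addresses are constructed: 192.168.0.x for the inside hosts and RFC 5737 documentation ranges for the outside.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """Port-translating NAT: inside hosts share one registered public address.
    Only replies to an existing outbound mapping, or traffic to a deliberately
    published port, are forwarded inside; everything else is dropped."""

    def __init__(self, public_ip: str, first_port: int = 1025):
        self.public_ip = public_ip
        self.outbound_map: dict[tuple, int] = {}     # (inside ip, port, proto) -> public port
        self.inbound_map: dict[tuple, tuple] = {}    # (public port, proto) -> (inside ip, port)
        self.next_port = itertools.count(first_port)
        self.dropped: list[Packet] = []

    def publish(self, public_port: int, inside_ip: str, inside_port: int, proto: str = "tcp"):
        """Static inbound mapping (a special port in RRAS NAT terms). This is the
        one way an outside host can reach an inside host, so every entry here is
        deliberate exposure and should be reviewed like a firewall rule."""
        self.inbound_map[(public_port, proto)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address and remember how to undo it."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        port = self.outbound_map.get(key)
        if port is None:
            port = next(self.next_port)
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward inside only if a mapping exists for the destination port."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        inside = self.inbound_map.get((pkt.dst_port, pkt.proto))
        if inside is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


def demo() -> dict:
    nat = Nat("203.0.113.5")
    # An inside workstation browses a web server on the Internet.
    out = nat.outbound(Packet("192.168.0.10", 3001, "198.51.100.7", 80))
    # The web server's reply comes back to the public address and is mapped inside.
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    # An outsider probing Terminal Services finds no mapping and is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.99", 40000, "203.0.113.5", 3389))
    # Publishing port 80 to an inside web server opens exactly that one path.
    nat.publish(80, "192.168.0.20", 80)
    to_web = nat.inbound(Packet("198.51.100.99", 40001, "203.0.113.5", 80))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "to_web": to_web, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The model makes the limitation plain as well: the moment a port is published, NAT forwards anything sent to it from anyone, so the published inside host needs the same hardening and filtering it would need if it sat directly on the Internet.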

Internet Connection Sharing

Windows 98 introduced Internet Connection Sharing (ICS), which is also supported in Windows 2000. ICS allows several PCs to share a single Internet connection by means of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. When you enable ICS, the adapter connected to the private network is given a fixed static configuration (192.168.0.1 with a 255.255.255.0 mask) and ICS hands out addresses in that range to the other computers; existing TCP/IP connections on the computer are lost and must be re-established.

Understanding Distributed File System (DFS)

The DFS allows files and directories in various places to be combined into one directory tree. Only Windows 2000 Servers can contain DFS root directories and they can have only one.

DFS Characteristics

  • The permissions of shared folders that are part of the DFS are still the same.
  • Shares with important information can be replicated to several servers providing fault tolerance.
  • The DFS root must be created first.

DFS Components

  • DFS root - A shared directory that can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server. Types of DFS roots:
    • Stand alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 Server. This provides no fault tolerance with the DFS topology stored on one computer. A DFS can be accessed using the following syntax:

      \\Server\DFSname
    • Domain DFS root - It is published in Active Directory, can be replicated, and can be on any Windows 2000 Server. Files and directories must be manually replicated to other servers or Windows 2000 must be configured to replicate files and directories. Configure the domain DFS root, then the replicas when configuring automatic replication. Links are automatically replicated. There may be up to 31 replicas. Domain DFS root directories can be accessed using the following syntax:

      \\domain\DFSname
  • DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root.
DFS administration is done on the Administrative Tool, "Distributed File System". This tool is on all Windows 2000 Server computers, and Windows 2000 Professional computers that have the ADMINPAK installed.

Scenario

How do I connect my small office to the Internet?

Existing Environment

  • Windows NT 4.0 Servers,
  • Windows NT 4.0 Workstations, Windows 95/98

Solution

Windows 2000 Connection Sharing
  • Internet Connection Sharing (ICS)
  • Network Address Translation (NAT)

Explanation

  • Both provide address assignment and name-resolution proxying for the private network, together with Network Address Translation.
  • ICS offers a single-click configuration of NAT, address allocation and name-resolution proxying, but its settings are fixed (one private range, one public connection).
  • If you need more than one public IP address, a private range of your own choosing, or inbound mappings to servers on the private network, you need the Routing and Remote Access NAT instead.
  • A proxy server adds what neither provides: increased performance through caching, accounting and logging, and increased security through firewall-style control of who may reach what.
Thus ICS is ideal for a home office connected to the Internet through a cable modem or DSL, while NAT suits a small office that needs more control.

Case Study

MEDICARE HOSPITAL.

Background

Medicare Hospital provides medical services for the small community of North Dallas, Texas. Its facilities include the central hospital building and an outpatient clinic. The central hospital building contains 200 patient rooms, 50 offices, 35 examination rooms, and 10 operating theaters. The central hospital building contains 2000 employees. Of these employees, 1500 require access to resources located on hospital computers. The outpatient clinic is located approximately 20 meters away from the central hospital building. The outpatient clinic contains 150 employees.

IT Environment

Central Hospital Building

The central hospital building contains a 4-Mbps token ring network. The network contains a single ring that consists of multiple interconnected hubs. Servers and token ring hubs are contained in a server room in the basement of the central hospital building. The network uses IBM LAN Server as its network operating system and OS/2 Warp as its client operating system. The network contains 85 client computers that provide user access to network resources. Approximately 15 people share each client computer.

Outpatient Clinic

The outpatient clinic has a small 10-Mbps Ethernet LAN that is not connected to the hospital network. The LAN uses Windows NT Server 3.51 as its network operating system and Windows NT Workstation 3.51 as its client operating system. The LAN contains 75 client computers that provide user access to resources. Approximately 100 of the employees at the facility share these client computers.

Views and Requirements of Hospital Management

Chief Information Officer (CIO)

We are using outdated technology in the central hospital. Our existing equipment and software cannot provide the services that our patients and vendors want. We spend too much money maintaining our network; especially in training our IT personnel to service these outdated systems.
I want a network that reduces our cost of ownership while improving productivity for all users. The hospital wants to ensure that patient information, such as scanned x-rays, can be easily shared between our facilities in real time. We want to explore technology that would allow patients to access their medical records over the Web.
We have allocated funding to completely replace the network infrastructure and to provide links between Central Hospital Building and the outpatient clinic. Our budget also includes enough funds to replace all servers and client computers.
Medicare Hospital wants to place a computer terminal in each patient room, examination room, and operating theater, so patient information will always be available and can be updated immediately by hospital staff.

IT Manager

Our network is hopelessly obsolete and is operating very close to capacity. My department personnel spend so much time implementing fixes and patches on our operating systems that they cannot respond to the needs of our users and patients. We need a flexible, scalable physical network infrastructure that has enough bandwidth to handle expected growth and traffic in our network. We also need complete reliability in our network operating system.
We need a single network topology that can grow with our company, and a single operating system platform that will provide easy access to resources for all users.
We want to establish an Internet presence so we can serve our patients and staff more effectively, but we need to control who has access to the network and to secure patient records and other sensitive information from unauthorized access.

Network Administrator

We need a network that serves the needs of our entire user community. The network needs to be reliable, interoperable, and manageable. Client computer configuration on the network should be automatic and fault tolerant. All network services must be completely fault tolerant and available at all times.

Envisioned IT Environment

General Requirements

The new network design must consider all aspects of client/server networking, including name resolution and resource sharing.
A single protocol should be used in the client/server network. This protocol must be scalable enough to meet anticipated growth.
The new network design must provide for secure outbound Internet connectivity for internal users.

Anticipated Growth

Within a year, hospital management expects to begin construction on a new wing of the central hospital building. This addition will contain 50 additional patient rooms, 15 additional offices, and 10 additional examination rooms. The construction will take approximately 8 months.

Solution

  • LAN environment: the existing token ring and 10-Mbps Ethernet LANs will be replaced with 100-Mbps Ethernet, and the two buildings will be linked.
  • Internet connectivity: the central hospital will connect to the Internet by means of a T1 line.
  • All Internet traffic will be routed through the central hospital, so a single firewall or proxy there can enforce the secure outbound access the requirements call for.
  • Operating system: all server operating systems will be upgraded to Windows 2000 Advanced Server, and all client operating systems will be upgraded to Windows 2000 Professional.
  • Logical network: a single Windows 2000 domain will be used.

Source: http://adminkernel.com


