
Technical Interview Questions – Networking

Q:-What is an IP address?

An Internet Protocol address (IP address) is a numerical label that is assigned to devices participating in a
computer network that uses the Internet Protocol for communication between its nodes.[1] An IP address serves two
principal functions: host or network interface identification and location addressing. Its role has been characterized as
follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."[2]

Q:-What is a subnet mask?

The word subnetwork (usually shortened to subnet) has two related meanings. In the older and more general meaning,
it meant one physical network of an internetwork. In the Internet Protocol (IP), a subnetwork is a division of a
classful network. The rest of this article is about the second meaning. Subnetting an IP network allows a single large
network to be broken down into what appear (logically) to be several smaller ones. It was originally introduced
before the introduction of classful network numbers in IPv4, to allow a single site to have a number of local area
networks. Even after the introduction of classful network numbers, subnetting continued to be useful, as it reduced
the number of entries in the Internet-wide routing table (by hiding information about all the individual subnets inside
a site). As a side benefit, it also resulted in reduced network overhead, by dividing the parts which receive IP

Q:-What is ARP?

The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's link
layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is
critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP
addresses when the next-hop router must be determined. ARP was defined by RFC 826 in 1982.[1] It is Internet
Standard STD 37.

Q:-What is ARP Cache Poisoning?

ARP stands for Address Resolution Protocol. Every computer in a LAN has two identifiers: an IP address and a MAC
address. The IP address is either entered by the user or dynamically allocated by a server, but the MAC address is
unique to each Ethernet card. For example, if you have two Ethernet cards, one wired and the other for WiFi, you have
two MAC addresses on your machine. The MAC address is a hardware code for your Ethernet card.
Communication between computers is done at the IP level, meaning that if you want to send a file to a computer, you
need to know the other computer's IP address.
ARP is the protocol that matches every IP address with a certain MAC address in an ARP table that is saved on your
switch in your LAN.
ARP cache poisoning is changing this ARP table on the switch.
In the normal case, when a machine tries to connect to another machine, the first machine goes to the ARP table with
the other machine's IP address, the ARP table provides the MAC address of the other machine, and the communication
starts. But if someone plays with the table, the first machine goes to it with the IP address and the ARP table will
provide a faulty MAC address belonging to a third machine that wants to intrude on your communication.
This kind of attack is known as "Man in the Middle".
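
As an added defender-side illustration (not part of the original answer), the Python below parses an ARP table, compares it with a known-good baseline and flags a changed MAC for a known address or one MAC claiming several IP addresses; the `arp -a` output, addresses, MACs and the baseline are constructed sample data.

```python
"""Added example: spotting ARP cache poisoning indicators on a host.
All ARP output, addresses and MAC values below are constructed samples."""
import re

# Constructed sample in the layout of Windows `arp -a` output.
ARP_OUTPUT = """
Interface: 192.0.2.50 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
  192.0.2.20            aa-bb-cc-dd-ee-01     dynamic
  192.0.2.30            aa-bb-cc-dd-ee-01     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

# Constructed baseline recorded earlier on a known-good network: the gateway's real MAC.
BASELINE = {"192.0.2.1": "00-11-22-33-44-99"}

# One ARP entry: dotted-quad IP, MAC with '-' or ':' separators, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac}; MACs are normalised to lower case with '-' separators."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, _kind = m.groups()
            table[ip] = mac.lower().replace(":", "-")
    return table


def find_poisoning_indicators(table: dict, baseline: dict) -> list:
    """Return (kind, detail) findings.

    mac_changed: a baselined IP (typically the gateway) now resolves to another MAC.
    shared_mac:  one unicast MAC answers for several IPs, as happens when a poisoner
                 inserts its own MAC for both victims.
    """
    findings = []
    for ip, known_mac in baseline.items():
        seen = table.get(ip)
        if seen and seen != known_mac.lower():
            findings.append(("mac_changed", f"{ip}: expected {known_mac.lower()}, saw {seen}"))

    by_mac = {}
    for ip, mac in table.items():
        # Broadcast and multicast MACs (low bit of first octet set) are not host claims.
        if mac == "ff-ff-ff-ff-ff-ff" or int(mac[:2], 16) & 1:
            continue
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared_mac", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_poisoning_indicators(parse_arp_table(ARP_OUTPUT), BASELINE):
        print(kind, "-", detail)
```

A shared MAC is a lead rather than proof: redundant gateways, NAT devices and virtualization hosts legitimately answer for several addresses, so confirm against the switch's port/MAC table before acting.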
Q) What is the ANDing process?

In order to determine whether a destination host is local or remote, a computer will perform a simple mathematical
computation referred to as an AND operation. While the sending host does this operation internally, understanding
what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host
or to a router.

Q) What is a default gateway? What happens if I don't have one?

A gateway is a routing device that knows how to pass traffic between different subnets and networks. A computer
will know some routes (a route is the address of each node a packet must go through on the Internet to reach a
specific destination), but not the routes to every address on the Internet. It won’t even know all the routes on the
nearest subnets. A gateway will not have this information either, but will at least know the addresses of other
gateways it can hand the traffic off to. Your default gateway is on the same subnet as your computer, and is the
gateway your computer relies on when it doesn’t know how to route traffic. The default gateway is typically very
similar to your IP address, in that many of the numbers may be the same. However, the default gateway is not your IP
address. To see what default gateway you are using, follow the steps below for your operating system.

Q) Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?

If we are using a public IP address, we can browse the internet. If the machine has an intranet address, a gateway (a
router or firewall) is needed to communicate with the internet. Without a default gateway you cannot browse the
internet; it doesn't matter whether you are on a public or private network. A default gateway is required to route your
IP packets from your network to other networks.

Q) What is a subnet? Why do I care?

A subnet specifies a range of IP addresses. The special attribute of a subnet is that all the computers within the subnet
(a "sub-network") can talk directly to each other, and don't need a router to communicate.

When it's time to send a packet, your computer delivers a packet a) directly to the destination computer or b) sends it
to the router for ultimate delivery.

But how does your computer know whether the packet's destination is within its subnet? The answer is that your
computer uses the subnet mask to determine the members of the subnet. If your computer's address and the destination
computer's IP address are in the same subnet address range, then they can send packets directly to each other. If
they're not in the same range, then they must send their data through a router for delivery. The chart below associates
the number of IP addresses in a subnet with the subnet mask. For example, the subnet mask "" represents
254 consecutive IP addresses.

Subnet Mask   # of Addresses          Subnet Mask   # of Addresses

/1            2.1 billion             /17           32,766
/2            1 billion               /18           16,382
/3            536 million             /19           8,190
/4            268 million             /20           4,094
/5            134 million             /21           2,046
/6            67 million              /22           1,022
/7            34 million              /23           510
/8            17 million (Class A)    /24           254 (Class C)
/9            8.4 million             /25           126
/10           4.2 million             /26           62
/11           2.1 million             /27           30
/12           1 million               /28           14
/13           524 thousand            /29           6
/14           262 thousand            /30           2
/15           131 thousand            /31           RFC 3021
/16           65,534 (Class B)        /32           A single address

Q) What is APIPA?

Zero configuration networking (zeroconf) is a set of techniques that automatically creates a usable Internet Protocol
(IP) network without manual operator intervention or special configuration servers. Automatic Private IP Addressing is
a safety mechanism in dynamic host client processing that assigns IP addresses within a given range when the main
DHCP mechanism fails.

APIPA, also known as Automatic Private IP Addressing, is a feature used in Windows operating systems. It comes
into action only when no DHCP (Dynamic Host Configuration Protocol) server is available. When the DHCP client
first comes on, it will try to establish a connection with the DHCP server in order to get an IP address. It is when this
server is (or at a later point becomes) unavailable that APIPA will kick in.

As the client is unable to connect with the server, APIPA will automatically try to configure itself with an IP address
from a specially reserved range. (This reserved IP address range goes from to

Q) What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)

A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be
submitted by anyone. Eventually, if it gains enough interest, it may evolve into an Internet Standard. Each RFC is
designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are
assigned a new RFC number.

Q) What is RFC 1918?

RFC 1918 is Address Allocation for Private Internets. The Internet Assigned Numbers Authority (IANA) has reserved
the following three blocks of the IP address space for private internets: - (10/8 prefix), - (172.16/12 prefix), - (192.168/16
prefix). We will refer to the first block as the "24-bit block", the second as the "20-bit block", and to the third as the
"16-bit block". Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while
the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous
class C network numbers.

Q) What is CIDR?

CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the
Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP)
address classes. As a result, the number of available Internet addresses has been greatly increased. CIDR is now the
routing system used by virtually all gateway hosts on the Internet's backbone network. The Internet's regulating
authorities now expect every Internet service provider (ISP) to use it for routing.

The original Internet Protocol defines IP addresses in four major classes of address structure, Classes A through D.
Each of these classes allocates one portion of the 32-bit Internet address format to a network address and the
remaining portion to the specific host machines within the network specified by the address. One of the most
commonly used classes is (or was) Class B, which allocates space for up to 65,533 host addresses. A company who
needed more than 254 host machines but far fewer than the 65,533 host addresses possible would essentially be
"wasting" most of the block of addresses allocated. For this reason, the Internet was, until the arrival of CIDR,
running out of address space much more quickly than necessary. CIDR effectively solved the problem by providing a
new and more flexible way to specify network addresses in routers. (With a new version of the Internet Protocol -
IPv6 - a 128-bit address is possible, greatly expanding the number of possible addresses on the Internet. However, it
will be some time before IPv6 is in widespread use.)

Using CIDR, each IP address has a network prefix that identifies either an aggregation of network gateways or an
individual gateway. The length of the network prefix is also specified as part of the IP address and varies depending
on the number of bits that are needed (rather than any arbitrary class assignment structure). A destination IP address
or route that describes many possible destinations has a shorter prefix and is said to be less specific. A longer prefix
describes a destination gateway more specifically. Routers are required to use the most specific or longest network
prefix in the routing table when forwarding packets.

A CIDR network address looks like this:
The "" is the network address itself and the "18" says that the first 18 bits are the network part of the
address, leaving the last 14 bits for specific host addresses. CIDR lets one routing table entry represent an aggregation
of networks that exist in the forward path that don't need to be specified on that particular gateway, much as the
public telephone system uses area codes to channel calls toward a certain part of the network. This aggregation of
networks in a single address is sometimes referred to as a supernet.
CIDR is supported by the Border Gateway Protocol, the prevailing exterior (interdomain) gateway protocol. (The
older exterior or interdomain gateway protocols, Exterior Gateway Protocol and Routing Information Protocol, do not
support CIDR.) CIDR is also supported by the OSPF interior or intradomain gateway protocol.
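
As an added example (not from the original Q&A), the Python below shows the two CIDR behaviours described above: a router picking the longest, most specific prefix from a table that contains overlapping entries, and the aggregation of several networks into one supernet entry. The routing table, prefixes and next-hop addresses are constructed sample values.

```python
"""Added example: longest-prefix-match lookup and CIDR aggregation.
The routing table below is constructed sample data."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop). The overlaps are deliberate: several entries match one
# destination and the router must forward on the longest prefix.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),          # default route: the least specific entry
    ("198.51.100.0/22", "203.0.113.2"),    # supernet aggregating four /24 networks
    ("198.51.100.0/24", "203.0.113.3"),    # more specific route inside that aggregate
    ("198.51.100.128/25", "203.0.113.4"),  # still more specific
]


def build_table(routes: List[Tuple[str, str]]):
    """Parse the prefixes once; strict=True rejects a prefix whose host bits are set."""
    return [(ipaddress.ip_network(prefix, strict=True), hop) for prefix, hop in routes]


def lookup(table, dst: str) -> Optional[str]:
    """Next hop of the longest (most specific) prefix that contains dst,
    or None when not even a default route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def host_bits(prefix: str) -> int:
    """Bits left for hosts: a /18 leaves 32 - 18 = 14 host bits, as the text says."""
    return 32 - ipaddress.ip_network(prefix).prefixlen


def aggregate(prefixes: List[str]) -> List[str]:
    """CIDR aggregation: collapse adjacent or nested prefixes into the fewest supernets,
    which is what lets one routing table entry stand for a group of networks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("198.51.100.200", "198.51.100.10", "198.51.102.7", "192.0.2.9"):
        print(dst, "->", lookup(table, dst))
    print(aggregate(["198.51.100.0/24", "198.51.101.0/24",
                     "198.51.102.0/24", "198.51.103.0/24"]))
```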
Q:- You have the following Network ID: What is the IP range for your network?

It ranges from -

But the usable addresses are from - . - is the broadcast address, and - will be the IP address of the next range.

We can use 30 hosts in this network.

Q:- You have the following Network ID: You need at least 500 hosts per network. How many
networks can you create? What subnet mask will you use?

The subnet mask is ; we can create 4 subnets and connect at least 500 hosts per network.
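
As an added example (not from the original Q&A), the Python below works through the ANDing process from the earlier question and the subnet arithmetic behind the chart and the two exercises above: network, broadcast and usable range for a prefix, the prefix that leaves room for a given number of hosts, and how many such subnets fit in a parent block. The addresses, the /27 and the /21 parent block are constructed assumptions, since the exercises' network IDs are not on the page.

```python
"""Added example: the AND operation and subnet arithmetic with plain 32-bit integers.
All addresses are constructed sample values."""
import socket
import struct


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 text -> 32-bit integer (big-endian, as on the wire)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def prefix_to_mask(prefix: int) -> int:
    """/23 -> 0xFFFFFE00: the first `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_local(src_ip: str, dst_ip: str, prefix: int) -> bool:
    """The ANDing process: AND both addresses with the mask and compare the results.
    Equal network parts mean deliver directly; otherwise hand the packet to the router."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(src_ip) & mask) == (ip_to_int(dst_ip) & mask)


def subnet_info(network: str, prefix: int) -> dict:
    """Network, mask, broadcast, usable range, host count and the next block's start.
    /31 (RFC 3021) and /32 have no separate network/broadcast address."""
    mask = prefix_to_mask(prefix)
    net = ip_to_int(network) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    size = 2 ** (32 - prefix)
    if prefix >= 31:
        usable, first, last = size, net, bcast
    else:
        usable, first, last = size - 2, net + 1, bcast - 1  # drop network and broadcast
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(bcast),
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "usable_hosts": usable,
        "next_network": int_to_ip(bcast + 1),
    }


def prefix_for_hosts(hosts_needed: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts_needed` usable addresses."""
    prefix = 30
    while prefix > 0 and (2 ** (32 - prefix)) - 2 < hosts_needed:
        prefix -= 1
    return prefix


def split_count(parent_prefix: int, child_prefix: int) -> int:
    """How many /child subnets fit inside one /parent block."""
    if child_prefix < parent_prefix:
        raise ValueError("child prefix must be at least as long as the parent")
    return 2 ** (child_prefix - parent_prefix)


if __name__ == "__main__":
    # A /27 gives the 30 usable hosts of the first exercise (constructed network ID).
    print(subnet_info("192.0.2.64", 27))
    # 500 hosts per network needs a /23 (510 usable); a /21 parent holds 4 of them (assumption).
    p = prefix_for_hosts(500)
    print(p, int_to_ip(prefix_to_mask(p)), split_count(21, p))
    print(is_local("192.0.2.70", "192.0.2.90", 27), is_local("192.0.2.70", "192.0.2.100", 27))
```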

Q:-You need to view at network traffic. What will you use? Name a few tools

It depends on what type of traffic I want to monitor and on the network design. I really liked using Fluke Networks
OptiView Network Analyzer. For software, though, I would say Wireshark, sitrace, Iris Network Traffic Analyzer,
Airsnare, Packetcapsa. BackTrack (a Linux live CD) has tons of different applications that you can use to monitor
and view network traffic.

Q:-How do I know the path that a packet takes to the destination?

Use the "tracert" command-line tool.

Q:-What is DHCP? What are the benefits and drawbacks of using it?


Benefits:

1. DHCP minimizes configuration errors caused by manual IP address configuration.

2. Reduced network administration.

Drawbacks:

Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is
associated with your IP address and therefore does change. This only presents a problem if other clients try to access
your machine by its DNS name.

Q:-Describe the steps taken by the client and DHCP server in order to obtain an IP address.

At least one DHCP server must exist on a network. Once the DHCP server software is installed, you create a DHCP scope, which is a pool of IP addresses that the server manages. When clients log on,
they request an IP address from the server, and the server provides an IP address from its pool of available addresses. DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol,
October 1993) but the most recent update is RFC 2131 (Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host Configuration (dhc) Working Group is chartered to produce a
protocol for automated allocation, configuration, and management of IP addresses and TCP/IP protocol stack parameters.

Q:-What is the DHCPNACK and when do I get one? Name 2 scenarios.

Recently I saw a lot of queries regarding when the Microsoft DHCP server issues a NAK to DHCP clients.

For simplification purposes, I am listing down the possible scenarios in which the server should NOT issue a NAK.
This should give you a good understanding of DHCP NAK behavior.

When a DHCP server receives a DHCPRequest with a previously assigned address specified, it first checks to see if it
came from the local segment by checking the GIADDR field. If it originated from the local segment, the DHCP
server compares the requested address to the IP address and subnet mask belonging to the local interface that received
the request.

DHCP server will issue a NAK to the client ONLY IF it is sure that the client, "on the local subnet", is asking for an
address that doesn't exist on that subnet.

The server will send a NAK EXCEPT in the following scenarios:-

1. Requested address from possibly the same subnet but not in the address pool of the server:-

This can be the failover scenario in which 2 DHCP servers are serving the same subnet so that when one goes down,
the other should not NAK to clients which got an IP from the first server.

2. Requested address on a different subnet:- If the Address is from the same superscope to which the subnet belongs,
DHCP server will ACK the REQUEST.
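
As an added example (not from the original post), the Python below turns the NAK rule and the two exceptions above into one decision function: NAK only when a client on the local subnet asks for an address that does not exist there, stay silent for a same-subnet address outside this server's pool (failover), and ACK an address from another subnet of the same superscope. The interface, scopes, superscope and request values are constructed; for relayed requests (non-zero GIADDR) the relay agent's address is used to pick the client's subnet, which is an assumption beyond the text.

```python
"""Added example: DHCPNAK decision for a DHCPREQUEST naming a previously assigned address.
Server configuration and request values below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Scope:
    subnet: ipaddress.IPv4Network
    pool: Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # first/last address this server hands out

    def in_pool(self, addr: ipaddress.IPv4Address) -> bool:
        return self.pool[0] <= addr <= self.pool[1]


@dataclass
class Server:
    interface: ipaddress.IPv4Interface  # address/mask of the interface that received the request
    scopes: List[Scope] = field(default_factory=list)
    superscope: List[ipaddress.IPv4Network] = field(default_factory=list)  # subnets on one wire


def scope_for(server: Server, subnet: ipaddress.IPv4Network) -> Optional[Scope]:
    return next((s for s in server.scopes if s.subnet == subnet), None)


def decide(server: Server, requested: str, giaddr: str = "0.0.0.0") -> str:
    """Return 'ACK', 'NAK' or 'SILENT'. GIADDR 0.0.0.0 means the request came from the local segment."""
    req = ipaddress.ip_address(requested)
    if giaddr == "0.0.0.0":
        client_subnet = server.interface.network  # compare against the receiving interface
    else:
        # Relayed request: the relay agent's address selects the client's subnet (assumption).
        ga = ipaddress.ip_address(giaddr)
        client_subnet = next((s.subnet for s in server.scopes if ga in s.subnet), None)
        if client_subnet is None:
            return "SILENT"  # no scope for that relay: nothing to say about the lease

    if req in client_subnet:
        scope = scope_for(server, client_subnet)
        if scope and scope.in_pool(req):
            return "ACK"
        # Scenario 1: right subnet, but not this server's pool, e.g. a lease handed out
        # by the partner server in a failover pair. Do not NAK.
        return "SILENT"

    # Scenario 2: the address belongs to another subnet of the same superscope.
    if client_subnet in server.superscope:
        other = next((n for n in server.superscope if req in n), None)
        if other is not None:
            scope = scope_for(server, other)
            # The text says the server ACKs here; this example additionally requires
            # the lease to come from one of its own pools (assumption).
            return "ACK" if scope and scope.in_pool(req) else "SILENT"

    # Client on the local subnet asking for an address that does not exist there.
    return "NAK"


# Constructed sample configuration: two scopes grouped into one superscope.
SERVER = Server(
    interface=ipaddress.ip_interface("192.0.2.1/24"),
    scopes=[
        Scope(ipaddress.ip_network("192.0.2.0/24"),
              (ipaddress.ip_address("192.0.2.100"), ipaddress.ip_address("192.0.2.150"))),
        Scope(ipaddress.ip_network("198.51.100.0/24"),
              (ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("198.51.100.50"))),
    ],
    superscope=[ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")],
)

if __name__ == "__main__":
    for addr in ("192.0.2.120", "192.0.2.200", "198.51.100.20", "203.0.113.5"):
        print(addr, decide(SERVER, addr))
```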

Q:-What ports are used by DHCP and the DHCP clients?

Requests are on UDP port 68; server replies are on UDP port 67.

Double-check: these are reversed.

Q:-Describe the process of installing a DHCP server in an AD infrastructure.

Terms you'll need to understand:


Lease duration



Multicast scopes

Scope options

Techniques you'll need to master:

Installing DHCP

Understanding the DHCP lease process

Creating scopes, superscopes, and multicast scopes

Configuring the lease duration

Configuring optional IP parameters that can be assigned to DHCP clients

Understanding how DHCP interacts with DNS

Configuring DHCP for DNS integration

Authorizing a DHCP server in Active Directory

Managing a DHCP server

Monitoring a DHCP server


The TCP/IP protocol is an Active Directory operational requirement. This means that all computers on a Windows
2000 network require a unique IP address to communicate with Active Directory. Static IP addresses can
add a lot of administrative overhead. Not only can management of static IP addresses become time consuming,
but such management also increases the chances of misconfigured parameters. Imagine having to manually type
10,000 IP addresses and not make a single error. The Dynamic Host Configuration Protocol (DHCP) can be
implemented to centralize the administration of IP addresses. Through DHCP, many of the tasks associated
with IP addressing can be automated. However, implementing DHCP also introduces some security issues
because anyone with physical access to the network can plug in a laptop and obtain IP information about the
internal network.
In this chapter, you'll learn how to implement a DHCP server, including the installation process, authorization of the
server, and the configuration of DHCP scopes. The chapter ends by looking at how to manage a DHCP server and
monitor its performance.


DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients
do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote
access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a
DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded.

The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote
access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.

Q:-Describe the integration between DHCP and DNS.

Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing
authorization rights for a particular user on a group of devices has meant visiting each one and making configuration
changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's
network services to scale in step with the growth of network users, devices, and policies, while reducing
administrative operations and costs.

This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP
network automatically creates an associated DNS zone, for example, reducing the number of tasks required of
network administrators. And integration of DNS and DHCP in the same database instance provides unmatched
consistency between service and management views of IP address-centric network services data.

Windows Server 2003 DNS supports DHCP by means of the dynamic update of DNS zones. By integrating DHCP
and DNS in a DNS deployment, you can provide your network resources with dynamic addressing information stored
in DNS. To enable this integration, you can use the Windows Server 2003 DHCP service.
The dynamic update standard, specified in RFC 2136: Dynamic Updates in the Domain Name System (DNS
UPDATE), automatically updates DNS records. Both Windows Server 2003 and Windows 2000 support dynamic
update, and both clients and DHCP servers can send dynamic updates when their IP addresses change.
Dynamic update enables a DHCP server to register address (A) and pointer (PTR) resource records on behalf of a
DHCP client by using DHCP Client FQDN option 81. Option 81 enables the DHCP client to provide its FQDN to the
DHCP server. The DHCP client also provides instructions to the DHCP server describing how to process DNS
dynamic updates on behalf of the DHCP client.
The DHCP server can dynamically update DNS A and PTR records on behalf of DHCP clients that are not capable of
sending option 81 to the DHCP server. You can also configure the DHCP server to discard client A and PTR records
when the DHCP client lease is deleted. This reduces the time needed to manage these records manually and provides
support for DHCP clients that cannot perform dynamic updates. In addition, dynamic update simplifies the setup of
Active Directory by enabling domain controllers to dynamically register SRV resource records.
If the DHCP server is configured to perform DNS dynamic updates, it performs one of the following actions:

The DHCP server updates resource records at the request of the client. The client requests the DHCP server to update
the DNS PTR record on behalf of the client, and the client registers A.
The DHCP server updates DNS A and PTR records regardless of whether the client requests this action or not.
By itself, dynamic update is not secure because any client can modify DNS records. To secure dynamic updates, you
can use the secure dynamic update feature provided in Windows Server 2003. To delete outdated records, you can
use the DNS server aging and scavenging feature.

Q:-What options in DHCP do you regularly use for an MS network?

Automatic provisioning of IP addresses

Subnet mask

DNS server

Domain name

Default gateway or router

Q:-What are User Classes and Vendor Classes in DHCP?

Microsoft Vendor Classes

The following list contains pre-defined vendor classes that are available in Windows 2000 DHCP server.

Class Data   Class Name                       Description
MSFT 5.0     Microsoft Windows 2000 options   Class that includes all Windows 2000 DHCP clients.
MSFT 98      Microsoft Windows 98 options     Class that includes all Windows 98 and Microsoft Windows
                                              Millennium Edition (Me) DHCP clients.
MSFT         Microsoft options                Class that includes all Windows 98, Windows Me, and Windows 2000
                                              DHCP clients.

If you have non-Microsoft DHCP clients, you can define other vendor-specific classes on the DHCP server. When
you define such classes, make sure the vendor class identifier that you define matches the identifier used by the


User Classes

The following list contains pre-defined user classes that are available in Windows 2000 DHCP server.

Class ID         Class Type                                Description
Unspecified      Default user class                        All DHCP clients that have no user class specified.
RRAS.Microsoft   Default Routing and Remote Access class   All Dial-Up Networking (DUN) clients.
Bootp            Default Bootp class                       All Bootp clients.
In addition to these pre-defined classes, you can also add custom user classes for Windows 2000 DHCP clients.
When you configure such classes, you must specify a custom identifier that corresponds to the user class defined on
the DHCP server.


Q:-How do I configure a client machine to use a specific User Class?

The command to configure a client machine to use a specific user class is:

ipconfig /setclassid "<name of your network connection>" <name of the class you created on the DHCP server and
want to join (the name is case sensitive)>

For example:

ipconfig /setclassid "Local Area Network" Accounting

Q:-What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?

BootP (RFC 951) provides a unique IP address to the requester (using port 67), similar to the DHCP request on port 68,
AND can provide (where supported) the ability to boot a system without a hard drive (i.e. a diskless client).

Apple OS X 10.* Server supports BootP, albeit renamed as NetBoot. The facility allows the admin to maintain a
selected set of configurations as boot images and then assign sets of client systems to share (or boot from) that image.
For example, the Accounting, Management, and Engineering departments have elements in common but can be
unique from other departments. Performing upgrades and maintenance on three images is far more productive than
working on all client systems individually.

Startup is obviously network intensive, and beyond 40-50 clients the admin needs to carefully subnet the
infrastructure, use gigabit switches, and host the images local to the clients to avoid saturating the network. This will
expand the number of BootP servers and multiply the number of images, but the productivity of 1 BootP server per 50
clients is undeniable :)

Sun Microsystems, Linux, and AIX RS/600 all support BootP.

To date, Windows does not support booting "diskless clients".

Q:-DNS zones – describe the differences between the 4 types.

A DNS zone is the actual file which contains all the records for a specific domain.

i) Forward Lookup Zones :-

This zone is responsible for resolving host names to IP addresses.

ii) Reverse Lookup Zones :-

This zone is responsible for resolving IP addresses to host names.

iii) Stub Zone :-

A stub zone is a read-only copy of a primary zone, but it contains only 3 records, viz.

the SOA for the primary zone, the NS record, and a Host (A) record.

Q:-DNS record types – describe the most important ones.

Type of Record   What it does

A (Host)         Classic resource record. Maps hostname to IP (IPv4).

PTR              Maps IP to hostname (reverse of A (Host)).

AAAA             Maps hostname to IP (IPv6).

CNAME            Canonical name, in plain English an alias, such as Web Server, FTP Server, Chat Server.

NS               Identifies DNS name servers. Important for forwarders.

MX               Mail servers, particularly for other domains. MX records are required to deliver Internet email.

_SRV             Required for Active Directory. A whole family of underscore service records, for example
                 gc = global catalog.

SOA              Make a point of finding the Start of Authority (SOA) tab at the DNS server.

For more knowledge:

SRV records :- A SRV or Service Record is a category of data in the DNS specifying information on available
services. When looking up a service, a client must first look up the SRV record for the service to see which server
actually handles it. Then it looks up the Address record for that server to connect to its IP address.
Authoritative Name Server [NS] Record :- A zone should contain one NS record for each of its own DNS servers
(primary and secondary). This is mostly used for zone transfer purposes (notify). These NS records have the same
name as the zone in which they are located.

SOA :- This record is used while synchronising data between multiple computers. A given zone must have precisely
one SOA record, which contains:
Name of Primary DNS Server.
Mailbox of the Responsible Person.
Serial Number: used by secondary DNS servers to check if the zone has changed. If the serial number is higher than
what the secondary server has, a zone transfer will be initiated.
Refresh Interval: how often secondary DNS servers should check if changes are made to the zone.
Retry Interval: how often a secondary DNS server should retry checking if changes are made, if the first refresh fails.
Expire Interval: how long the zone will be valid after a refresh. Secondary servers will discard the zone if no refresh
could be made within this interval.
Minimum (Default) TTL: used as the default TTL for new records created within the zone. Also used by other DNS
servers to cache negative responses (such as "record does not exist", etc.).
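
As an added example (not from the original Q&A), the Python below parses an SOA record into the fields listed above and applies them the way a secondary server does: the serial comparison that triggers a zone transfer, and the refresh/retry/expire timers that decide whether to check again, wait, or discard the zone. The SOA line is constructed; the serial comparison uses serial number arithmetic modulo 2^32 (RFC 1982), which goes beyond the page's "higher than" wording so that a wrapped serial still counts as newer.

```python
"""Added example: SOA fields and a secondary server's refresh/retry/expire logic.
The SOA record below is a constructed sample."""
from dataclasses import dataclass

SERIAL_MODULUS = 2 ** 32
SERIAL_HALF = 2 ** 31


@dataclass
class SOA:
    mname: str     # name of the primary DNS server
    rname: str     # mailbox of the responsible person (first label is the local part)
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int   # default / negative-caching TTL


def parse_soa(line: str) -> SOA:
    """Parse one presentation-format SOA record, e.g.
    'example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300'."""
    fields = line.split()
    idx = fields.index("SOA")
    mname, rname = fields[idx + 1], fields[idx + 2]
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[idx + 3:idx + 8])
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def responsible_mailbox(rname: str) -> str:
    """hostmaster.example.com. -> hostmaster@example.com (the first label is the local part)."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_is_newer(primary: int, secondary: int) -> bool:
    """Serial number arithmetic (RFC 1982): 'higher' is judged modulo 2^32, so a serial
    that wrapped past 4294967295 is still seen as newer and a transfer is initiated."""
    diff = (primary - secondary) % SERIAL_MODULUS
    return 0 < diff < SERIAL_HALF


def secondary_action(soa: SOA, now: int, last_success: int, last_attempt: int, last_ok: bool) -> str:
    """What the secondary does at time `now` (all values in seconds):
    'discard' once Expire has passed without a successful refresh,
    'check'   when Refresh (after a success) or Retry (after a failure) has elapsed,
    'wait'    otherwise."""
    if now - last_success >= soa.expire:
        return "discard"
    interval = soa.refresh if last_ok else soa.retry
    return "check" if now - last_attempt >= interval else "wait"


if __name__ == "__main__":
    soa = parse_soa("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                    "2024010101 3600 900 1209600 300")
    print(soa, responsible_mailbox(soa.rname))
    print(serial_is_newer(2024010102, soa.serial), serial_is_newer(5, 4294967295))
    print(secondary_action(soa, now=3600, last_success=0, last_attempt=0, last_ok=True))
```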

Q:-Describe the process of working with an external domain name

Serving Sites with External Domain Name Servers

If you host Web sites on this server and have a standalone DNS server acting as a primary (master) name server for
your sites, you may want to set up your control panel's DNS server to function as a secondary (slave) name server:

To make the control panel's DNS server act as a secondary name server:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Click Switch DNS Service Mode.

Specify the IP address of the primary (master) DNS server.

Click Add.

Repeat steps from 1 to 5 for each Web site that needs to have a secondary name server on this machine.

To make the control panel's DNS server act as a primary for a zone:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Click Switch DNS Service Mode. The original resource records for the zone will be restored.

If you host Web sites on this server and rely entirely on other machines to perform the Domain Name Service for
your sites (there are two external name servers - a primary and a secondary), switch off the control panel's DNS
service for each site served by external name servers.

To switch off the control panel's DNS service for a site served by an external name server:

Go to Domains > domain name > DNS Settings (in the Web Site group).
Click Switch Off the DNS Service in the Tools group. Turning the DNS service off for the zone will refresh the
screen, so that only a list of name servers remains.

Note: The listed name server records have no effect on the system. They are only presented on the screen as clickable
links to give you a chance to validate the configuration of the zone maintained on the external authoritative name

Repeat the steps from 1 to 3 to switch off the local domain name service for each site served by external name

If you wish to validate the configuration of a zone maintained on authoritative name servers:

Go to Domains > domain name > DNS Settings (in the Web Site group).

Add to the list the entries pointing to the appropriate name servers that are authoritative for the zone: click Add,
specify a name server, and click OK. Repeat this for each name server you would like to test.

The records will appear in the list.

Click the records that you have just created. Parallels Plesk Panel will retrieve the zone file from a remote name
server and check the resource records to make sure that domain's resources are properly resolved.

The results will be interpreted and displayed on the screen.

Q:-Describe the importance of DNS to AD.

When you install Active Directory on a server, you promote the server to the role of a domain controller for a
specified domain. When completing this process, you are prompted to specify a DNS domain name for the Active
Directory domain which you are joining and for which you are promoting the server. If during this process a DNS
server authoritative for the domain that you specified either cannot be located on the network or does not support the
DNS dynamic update protocol, you are prompted with the option to install a DNS server. This option is provided
because a DNS server is required to locate this server or other domain controllers for members of an Active Directory domain.

Q:-Describe a few methods of finding an MX record for a remote domain on the Internet.

In order to find MX Records for SMTP domains you can use Command-line tools such as NSLOOKUP or DIG. You
can also use online web services that allow you to perform quick searches and display the information in a convenient

Q:-What does "Disable Recursion" in DNS mean?

In the Windows 2000/2003 DNS console (dnsmgmt.msc), under a server's Properties -> Forwarders tab is the
setting Do not use recursion for this domain. On the Advanced tab you will find the confusingly similar option
Disable recursion (also disables forwarders).
Recursion refers to the action of a DNS server querying additional DNS servers (e.g. local ISP DNS or the root DNS
servers) to resolve queries that it cannot resolve from its own database. So what is the difference between these

The DNS server will attempt to resolve the name locally, then will forward requests to any DNS servers specified as
forwarders. If Do not use recursion for this domain is enabled, the DNS server will pass the query on to forwarders,
but will not recursively query any other DNS servers (e.g. external DNS servers) if the forwarders cannot resolve the

If Disable recursion (also disables forwarders) is set, the server will attempt to resolve a query from its own database
only. It will not query any additional servers.

If neither of these options is set, the server will attempt to resolve queries normally:
... the local database is queried
... if an entry is not found, the request is passed to any forwarders that are set
... if no forwarders are set, the server will query servers on the Root Hints tab to resolve queries beginning at the root
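The resolution path described above, as an added example that is not part of the original answer: a toy model of the three sources (local database, forwarders, root hints) and the two switches, plus a check for the open-resolver case. The zone names and addresses are constructed; the model is not the real DNS service.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsServer:
    """Toy model of the three sources a Windows DNS server consults and the two
    recursion switches discussed above. Not the real service: each source is a
    dict of the answers it would give (constructed for this example)."""
    local_zones: dict                                  # zones this server is authoritative for
    forwarders: Optional[dict] = None                  # None means no forwarders are configured
    root_hints: dict = field(default_factory=dict)     # what a full recursion from the roots would find
    no_recursion_for_domain: bool = False  # Forwarders tab: "Do not use recursion for this domain"
    disable_recursion: bool = False        # Advanced tab: "Disable recursion (also disables forwarders)"

    def resolve(self, name: str):
        """Return (answer or None, the sources consulted in order)."""
        path = ["local database"]
        if name in self.local_zones:
            return self.local_zones[name], path
        if self.disable_recursion:            # answer from own database only; nothing else is asked
            return None, path
        if self.forwarders is not None:       # forwarders are set, so they are asked next
            path.append("forwarders")
            if name in self.forwarders:
                return self.forwarders[name], path
            if self.no_recursion_for_domain:  # forward-only: never recurse on our own
                return None, path
        path.append("root hints")             # full recursion, starting from the root servers
        return self.root_hints.get(name), path


def open_resolver_risk(server: DnsServer, authoritative_only: bool) -> Optional[str]:
    """A server that only needs to answer for its own zones should have recursion
    disabled; otherwise it resolves arbitrary names for anyone who can reach it."""
    if authoritative_only and not server.disable_recursion:
        return "recursion enabled on an authoritative-only server: set Disable recursion"
    return None


if __name__ == "__main__":
    srv = DnsServer(local_zones={"dc1.corp.example": "10.0.0.10"},
                    forwarders={"www.example.net": "192.0.2.80"},
                    root_hints={"www.example.net": "192.0.2.80", "mail.example.org": "192.0.2.25"})
    for n in ("dc1.corp.example", "www.example.net", "mail.example.org"):
        print(n, srv.resolve(n))
    srv.no_recursion_for_domain = True
    print("forward-only:", srv.resolve("mail.example.org"))
    srv.disable_recursion = True
    print("local only:", srv.resolve("www.example.net"))
```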

Q:-What could cause the Forwarders and Root Hints to be grayed out?

Win2K configured your DNS server as a private root server

Q:-What is a "Single Label domain name" and what sort of issues can it cause?

Single-label names consist of a single word like "contoso".

• Single-label DNS names cannot be registered by using an Internet registrar.
• Client computers and domain controllers that are joined to single-label domains require additional configuration to
dynamically register DNS records in single-label DNS zones.
• Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label
DNS zones.
• By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows
2000-based domain members do not perform dynamic updates to single-label DNS zones.
• Some server-based applications are incompatible with single-label domain names. Application support may not
exist in the initial release of an application, or support may be dropped in a future release. For example, Microsoft
Exchange Server 2007 is not supported in environments in which single-label DNS is used.
• Some server-based applications are incompatible with the domain rename feature that is supported in Windows
Server 2003 domain controllers and in Windows Server 2008 domain controllers. These incompatibilities either block
or complicate the use of the domain rename feature when you try to rename a single-label DNS name to a fully
qualified domain name.

Q:-What is the "" zone used for?

When creating DNS records for your hosts, A records make sense. After all, how can the world find your mail server
unless the IP address of that server is associated with its hostname within a DNS database? However, PTR records
aren't as easily understood. If you already have a zone file, why does there have to be a separate zone
containing PTR records matching your A records? And who should be making those PTR records--you or your
provider?

Let's start by defining .arpa is actually a TLD like .com or .org. The name of the TLD comes
from Address and Routing Parameter Area and it has been designated by the IANA to be used exclusively for Internet
infrastructure purposes. In other words, it is an important zone and an integral part of the inner workings of DNS. The
RFC for DNS (RFC 1035) has an entire section on the domain. The first two paragraphs in that section
state the purpose of the domain:

"The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes
may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to
perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network in
the Internet. Note that both of these services are similar to functions that could be performed by inverse queries; the
difference is that this part of the domain name space is structured according to address, and hence can guarantee that
the appropriate data can be located without an exhaustive search of the domain space."

In other words, this zone provides a database of all allocated networks and the DNS reachable hosts within those
networks. If your assigned network does not appear in this zone, it appears to be unallocated. And if your hosts don't
have a PTR record in this database, they appear to be unreachable through DNS. Assuming an A record exists for a
host, a missing PTR record may or may not impact the DNS reachability of that host, depending upon the
applications running on that host. For example, a mail server will definitely be impacted as PTR records are used in
mail header checks and by most anti-SPAM mechanisms. Depending upon your web server configuration, it may also
depend upon an existing PTR record. This is why the DNS RFCs recommend that every A record has an associated
PTR record.

But who should make and host those PTR records? Twenty years ago when you could buy a full Class C network
address (i.e. 254 host addresses) the answer was easy: you. Remember, the zone is concerned with delegated
network addresses. In other words, the owner of the network address is authoritative (i.e. responsible) for the host
PTR records associated with that network address space. If you only own one or two host addresses within a network
address space, the provider you purchased those addresses from needs to host your PTR records as the provider is
the owner of (i.e. authoritative for) the network address. Things are a bit more interesting if you have been delegated
a CIDR block of addresses. The zone assumes a classful addressing scheme where a Class A address is one
octet (or /8), a Class B is 2 octets (or /16) and a Class C is 3 octets (or /24). CIDR allows for delegating address
space outside of these boundaries--say a /19 or a /28. RFC 2317 provides a best current practice for maintaining
with these types of network allocations.

Here is a summary regarding PTR records:
• Don't wait until users complain about DNS unreachability--be proactive and ensure there is an associated PTR record
for every A record.
• If your provider hosts your A records, they should also host your PTR records.
• If you only have one or two assigned IP addresses, your provider should host your PTR records as they are
authoritative for the network those hosts belong to.
• If you own an entire network address (e.g. a Class C address ending in 0), you are responsible for hosting your PTR
records.
• If you are configuring an internal DNS server within the private address ranges (e.g. or, you are responsible
for your own internal PTR records.
• Remember: the key to PTR hosting is knowing who is authoritative for the network address for your domain. When
in doubt, it probably is not you.
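The reverse-zone mechanics above (classful /8, /16, /24 zones, the RFC 2317 convention for blocks narrower than a /24, and the "every A record needs a PTR" rule), as an added example that is not part of the original answer. The host names and addresses are constructed from documentation ranges; the reverse tree is the standard in-addr.arpa one.

```python
import ipaddress


def ptr_name(ip: str) -> str:
    """Owner name of an IPv4 address's PTR record: octets reversed under in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def reverse_zones(cidr: str) -> list:
    """Reverse zone(s) covering a block.

    A block on a classful boundary (/8, /16, /24) maps to one in-addr.arpa zone.
    A wider block that is not on an octet boundary (a /19, say) is covered by
    several classful zones. A block narrower than a /24 cannot be cut out of the
    parent zone, so RFC 2317 names a sub-zone '<first host>/<prefix>' under the
    parent /24 and the parent CNAMEs each address into it.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    p = net.prefixlen
    if p in (8, 16, 24):
        octets = str(net.network_address).split(".")[: p // 8]
        return [".".join(reversed(octets)) + ".in-addr.arpa"]
    if p < 24:
        target = 8 if p < 8 else 16 if p < 16 else 24
        return [reverse_zones(str(sub))[0] for sub in net.subnets(new_prefix=target)]
    if p == 32:
        raise ValueError("a single host is a PTR record, not a zone")
    parent = reverse_zones(str(net.supernet(new_prefix=24)))[0]
    first = str(net.network_address).split(".")[3]
    return [f"{first}/{p}.{parent}"]


def rfc2317_cname(ip: str, cidr: str) -> tuple:
    """The CNAME the provider publishes in the parent /24 zone so that the owner of
    a classless block can host the PTR records itself (RFC 2317)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    return ptr_name(ip), f"{str(addr).split('.')[3]}.{reverse_zones(cidr)[0]}"


def audit_ptr(a_records: dict, ptr_records: dict) -> list:
    """Check the advice above: every A record should have a PTR record, and the PTR
    target should resolve back to the same address (forward-confirmed reverse DNS,
    which is what mail anti-spam checks test). PTR records are keyed by their
    classic owner name here; a CNAME chain into an RFC 2317 sub-zone is assumed
    to have been followed already."""
    issues = []
    for host, ip in a_records.items():
        target = ptr_records.get(ptr_name(ip))
        if target is None:
            issues.append((host, ip, "missing PTR"))
        elif a_records.get(target) != ip:
            issues.append((host, ip, f"PTR target {target} does not resolve back to {ip}"))
    return issues


# Constructed forward and reverse data for a /28 delegated to an example organisation.
FORWARD = {"mail.example.net": "192.0.2.17",
           "www.example.net": "192.0.2.18",
           "db.example.net": "192.0.2.19"}
REVERSE = {"17.2.0.192.in-addr.arpa": "mail.example.net",
           "18.2.0.192.in-addr.arpa": "old-www.example.net"}

if __name__ == "__main__":
    print(reverse_zones("192.0.2.16/28"))
    print(rfc2317_cname("192.0.2.17", "192.0.2.16/28"))
    for issue in audit_ptr(FORWARD, REVERSE):
        print(issue)
```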

Q:-DNS requirements for installing Active Directory

When you install Active Directory on a member server, the member server is promoted to a domain controller. Active
Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain
IP addresses of domain controllers.

During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically
registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator).
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of
the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this
context, the SRV and A resource records are referred to as Locator DNS resource records.

When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator
DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic
updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to
advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.

If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server
2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server
does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic
updates, then modification is required to your existing DNS infrastructure.

For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active
Directory Installation Wizard.


• The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to
function. For more information, see Managing resource records.

• It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and
A) before installing Active Directory, but your DNS administrator may add these resource records manually after

After installing Active Directory, these records can be found on the domain controller in the following location:

Q:-How do you manually create SRV records in DNS?

this is on windows server

go to run ---> dnsmgmt.msc

rightclick on the zone you want to add srv record to and choose "other new record"

and choose service location(srv).....

Q:-Name 3 benefits of using AD-integrated zones.

1. You can give easy name resolution to your clients.

2. By creating an AD-integrated zone you can also trace hackers and spammers by creating a reverse zone.

3. AD-integrated zones allow for incremental zone transfers, which only transfer changes and not the entire zone. This
reduces zone transfer traffic.

4. AD-integrated zones support both secure and dynamic updates.

5. AD-integrated zones are stored as part of the Active Directory and support domain-wide or forest-wide replication
through application partitions in AD.

Q:-What are the benefits of using Windows 2003 DNS when using AD-integrated zones?


DNS supports dynamic registration of SRV records registered by an Active Directory server or a domain controller
during promotion. With the help of SRV records client machines can find domain controllers in the network.

1. DNS supports Secure Dynamic updates. Unauthorized access is denied.

2. Exchange server needs internal DNS or AD DNS to locate Global Catalog servers.

3. Active Directory Integrated Zone. If you have more than one domain controller (recommended) you need not
worry about zone replication. Active Directory replication will take care of DNS zone replication also.

4. If your network uses DHCP with Active Directory then no other DHCP server will be able to service client requests
coming from a different network. This is because the DHCP server is authorized in AD and will be the only server to
participate on the network to provide IP address information to client machines.

5. Moreover, you can use NT4 DNS with Service Pack 4 or later. It supports both SRV record registration and
Dynamic Updates.

Using Microsoft DNS gives the following benefits:

If you implement networks that require secure updates.
If you want to take benefit of Active Directory replication.
If you want to integrate DHCP with DNS for Low-level clients to register their Host records in Zone database.

Q:-You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS.
Name a few possible causes.

The DNS client settings on the machine are not configured correctly.

The DNS Server service is not running.

Q:-What are the benefits and scenarios of using Stub zones?

One of the new features introduced in the Windows Server 2003-based implementation of DNS is stub zones. Their
main purpose is to provide name resolution in domains for which a local DNS server is not authoritative. The stub
zone contains only a few records:
- a Start of Authority (SOA) record pointing to a remote DNS server that is considered to be the best source of
information about the target DNS domain,
- one or more Name Server (NS) records (including the entry associated with the SOA record), which are authoritative
for the DNS domain represented by the stub zone,
- corresponding A records for each of the NS entries (providing IP addresses of the servers).
While you can also provide name resolution for a remote domain by either creating a secondary zone (which was a
common approach in the Windows Server 2000 DNS implementation) or delegation (when dealing with a contiguous
namespace), such an approach forces periodic zone transfers, which are not needed when stub zones are used. The
necessity to traverse the network in order to obtain individual records hosted on the remote Name Servers is mitigated
to some extent by the caching process, which keeps them on the local server for the duration of their Time-to-Live
(TTL) parameter. In addition, records residing in a stub zone are periodically validated and refreshed in order to avoid
lame delegations.

Q:-What are the benefits and scenarios of using Conditional Forwarding?

The benefit is faster name resolution in certain scenarios: queries for a specific domain are forwarded directly to the
server responsible for it, and you control where DNS queries for specific namespaces are sent.

Q:-What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and
scenarios for each use?

I will make a few assumptions here: 1) By "Windows Clustering Network Load Balancing" you mean Windows
Network Load Balancing software included in Windows Server software a.k.a NLB., and 2) By Round Robin, you
mean DNS Round Robin meaning the absence of a software or hardware load balancing device, or the concept of the
Round Robin algorithm available in just about every load balancing solution.

Microsoft NLB is designed for a small number (4 - 6) of Windows Servers and a low to moderate number of new
connections per second, to provide distribution of web server requests to multiple servers in a virtual resource pool.
Some would call this a "cluster", but there are subtle differences between a clustered group of devices and a more
loosely configured virtual pool. From the standpoint of scalability and performance, almost all hardware load
balancing solutions are superior to this and other less known software load balancing solutions [e.g. Bright Tiger
circa 1998].

DNS Round Robin is an inherent load balancing method built into DNS. When you resolve an IP address that has
more than one A record, DNS hands out different resolutions to different requesting local DNS servers. Although
there are several factors affecting the exact resulting algorithm (e.g. DNS caching, TTL, multiple DNS servers
[authoritative or cached]), I stress the term "roughly" when I say it roughly results in an even distribution of
resolutions to each of the addresses specified for a particular URL. It does not however, consider availability,
performance, or any other metric and is completely static. The basic RR algorithm is available in many software and
hardware load balancing solutions and simply hands the next request to the next resource and starts back at the first
resource when it hits the last one.

NLB is based on proprietary software, meant for small groups of Windows servers only on private networks, and is
dynamic in nature (takes into account availability of a server, and in some cases performance). "Round Robin", DNS
or otherwise, is more generic, static in nature (does not take into account anything but the resource is a member of the
resource pool and each member is equal), and ranges from DNS to the default static load balancing method on every
hardware device in the market.

Q:-How do I clear the DNS cache on the DNS server?

To clear DNS Cache do the following:

1. Start

2. Run

3. Type "cmd" and press enter

4. In the command window type "ipconfig /flushdns"

5.a If done correctly it should say "Successfully flushed the DNS Resolver Cache."

5.b If you receive an error "Could not flush the DNS Resolver Cache: Function failed during execution.", follow the
Microsoft KB Article 919746 to enable the cache. The cache will be empty however this will allow successful cache-
flush in future.

Q:-What is the address used for?

WINS server group address. Used to support autodiscovery and dynamic configuration of replication for WINS
servers. For more information, see WINS replication overview


Q:-What is WINS and when do we use it?

WINS is the Windows Internet Name Service, which is used to resolve NetBIOS (computer) names to IP addresses. It
is proprietary to Windows and is used on a LAN.
DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names.
DNS is an Internet standard used to resolve host names.

Q:-Can you have a Microsoft-based network without any WINS server on it? What are the "considerations"
regarding not using WINS?

Yes, you can. WINS was designed to speed up information flow about the Windows workstations in a network. It
will work without it, and most networks do not utilize WINS servers anymore because it is based on an old protocol
(NetBEUI) which is no longer in common use.

Q:-Describe the differences between WINS push and pull replications.

To replicate database entries between a pair of WINS servers, you must configure each WINS server as a pull partner,
a push partner, or both with the other WINS server.
A push partner is a WINS server that sends a message to its pull partners, notifying them that it has new WINS
database entries. When a WINS server's pull partner responds to the message with a replication request, the WINS
server sends (pushes) copies of its new WINS database entries (also known as replicas) to the requesting pull partner.

A pull partner is a WINS server that pulls WINS database entries from its push partners by requesting any new WINS
database entries that the push partners have. The pull partner requests the new WINS database entries that have a
higher version number than the last entry the pull partner received during the most recent replication.

Q:-What is the difference between tombstoning a WINS record and simply deleting it?

Simple deletion removes the records that are selected in the WINS console only from the local WINS server you are
currently managing. If the WINS records deleted in this way exist in WINS data replicated to other WINS servers on
your network, these additional records are not fully removed. Also, records that are simply deleted on only one server
can reappear after replication between the WINS server where simple deletion was used and any of its replication

Tombstoning marks the selected records as tombstoned, that is, marked locally as extinct and immediately released
from active use by the local WINS server. This method allows the tombstoned records to remain present in the server
database for purposes of subsequent replication of these records to other servers. When the tombstoned records are
replicated, the tombstone status is updated and applied by other WINS servers that store replicated copies of these
records. Each replicating WINS server then updates and tombstones

Q:-Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.


Q:-What are router interfaces? What types can they be?

Router Interfaces

Routers can have many different types of connectors; from Ethernet, Fast Ethernet, and Token Ring to Serial and
ISDN ports. Some of the available configurable items are logical addresses (IP,IPX), media types, bandwidth, and
administrative commands. Interfaces are configured in interface mode which you get to from global configuration
mode after logging in.

Logging in to the Router

Depending on the port you're using, you might have to press enter to get the prompt to appear (console port). The first
prompt will look like Routername>; the greater-than sign at the prompt tells you that you are in user mode. In user
mode you can only view limited statistics of the router. To change configurations you first need to enter
privileged EXEC mode. This is done by typing enable at the Routername> prompt; the prompt then changes to
Routername#. This mode supports testing commands, debugging commands, and commands to manage the router
configuration files. To go back to user mode, type disable at the Routername# prompt. If you want to leave
completely, type logout at the user mode prompt. You can also exit from the router while in privileged mode by
typing exit or logout at the Routername# prompt.
Global Configuration Mode

Enter this mode from the privileged mode by typing configure terminal or (conf t for short). The prompt will
change to Routername(config)#. Changes made in this mode change the running-config file in DRAM. Use
configure memory to change the startup-config in NVRAM. Using configure network allows you to change the
configuration file on a TFTP server. If you change the memory or network config files, the router has to put them
into memory (DRAM) in order to work with them, so this will change your router's current running-config file.

Interfaces mode
While in global configuration mode you can make changes to individual interfaces with the command
Routername(config)#interface ethernet 0 or Routername(config)#int e0 for short; this enters the interface
configuration mode for Ethernet port 0 and changes the prompt to look like Routername(config-if)#.
Bringing Up Interfaces
If an interface is shown administratively down when the show interface command is given in privileged EXEC
mode, use the command no shutdown to enable the interface while in interface configuration mode.

Setting IP Addresses

In global configuration mode, enter the interface configuration mode (Routername(config)#int e0) and use the
command Routername(config-if)#ip address [ip address] [network mask]. If it is the first time using the
interface, also use the no shutdown command to enable and bring up the interface.

Router_2(config)#int e0
Router_2(config-if)#ip address
Router_2(config-if)#no shutdown
Secondary IP Addresses

You can add another IP address to an interface with the secondary command. The syntax is the same as setting an IP
address except you add secondary to the end of it. Secondary addresses allow you to specify 2 IP addresses
for 1 interface. Use subinterfaces instead, since they allow for more than 2 IP addresses on an interface and
secondaries will probably be replaced soon.


In global configuration mode you can create virtual interfaces (subinterfaces), so at the prompt Routername(config)#
type int e0.1 and the prompt will change to Routername(config-subif)#. For all practical purposes there isn't a limit
to the amount of subinterfaces an interface can have.

Show Interfaces
To view information about an interface, use the command:
Router_2#show interface e0
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
Internet address is
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
614 packets output, 58692 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Interface Problems

When using the command show interface [type #] interface problems can be seen and appropriate action taken.

Message: Ethernet0 is up, line protocol is up
Solution: None needed, interface working properly

Message: Ethernet0 is up, line protocol is down
Solution: Clocking or framing problem, check clock rate and encapsulation type on both routers

Message: Ethernet0 is down, line protocol is down
Solution: Cable or interface problem, check interfaces on both ends to ensure they aren't shutdown

Message: Ethernet0 is administratively down, line protocol is down
Solution: The interface has been shutdown, use the no shutdown command in the interface's configuration mode
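The show interface output and the diagnosis table above, turned into a small parser as an added example (not part of the original text): it reads the status line, maps the interface/line-protocol pair to the table's advice, and flags error counters that should be zero on a healthy link. The sample output is constructed from the format shown above, with a down line protocol and non-zero CRC and reset counters so that the checks fire.

```python
import re

# Constructed sample modelled on the show interface output above; the counter
# values were chosen to exercise the checks and do not come from a real router.
SAMPLE = """\
Ethernet0 is up, line protocol is down
Hardware is Lance, address is 0000.cc34.ec7d (bia 0000.cc34.ec7d)
Internet address is 192.0.2.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
Last clearing of "show interface" counters never
5 minute input rate 0 bits/sec, 0 packets/sec
1200 packets input, 96000 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
13 input errors, 13 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
614 packets output, 58692 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
"""

STATUS_RE = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")
# "<number> <label>" pairs terminated by a comma or end of line, e.g. "13 CRC" or "2 interface resets"
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")

# The diagnosis table from the text, keyed on (interface status, line protocol status).
DIAGNOSIS = {
    ("up", "up"): "None needed, interface working properly",
    ("up", "down"): "Clocking or framing problem, check clock rate and encapsulation type on both routers",
    ("down", "down"): "Cable or interface problem, check interfaces on both ends to ensure they aren't shutdown",
    ("administratively down", "down"):
        "The interface has been shutdown, use the no shutdown command in the interface's configuration mode",
}

# Counters that stay at zero on a healthy link; anything else deserves a look.
WATCHED = ("input errors", "CRC", "frame", "overrun", "output errors", "collisions",
           "late collision", "interface resets", "runts", "giants")


def parse_show_interface(text: str) -> dict:
    """Parse one interface's show interface block into status, diagnosis and alerts."""
    lines = [line.strip() for line in text.strip().splitlines()]
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not a show interface status line")
    name, link, proto = m.groups()
    counters = {}
    for line in lines[1:]:
        for value, label in COUNTER_RE.findall(line):
            counters[label.strip()] = int(value)
    return {
        "interface": name,
        "status": (link, proto),
        "diagnosis": DIAGNOSIS.get((link, proto), "unrecognised state"),
        "alerts": {k: counters[k] for k in WATCHED if counters.get(k, 0) > 0},
    }


if __name__ == "__main__":
    result = parse_show_interface(SAMPLE)
    print(result["interface"], result["status"])
    print("diagnosis:", result["diagnosis"])
    print("alerts:", result["alerts"])
```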

Serial Interfaces

The serial interface is usually attached to a line that is attached to a CSU/DSU that provides clocking rates for the
line. However, if two routers are connected together, one of the serial interfaces must act as the DCE device
and provide clocking. The DCE end of the cable is the side of the cable that has a female connector where it
connects to the other cable. The clocking rate on the DCE device is set in interface configuration mode with
the commands:
Router3(config)#int s0
Router3(config-if)#clock rate ?

Speed (bits per second)


<300-8000000> Choose clockrate from list above

Router3(config-if)#clock rate 56000


Cisco routers ship with T1 (1.544 Mbps) bandwidth rates on their serial interfaces. Some routing protocols use the
bandwidth of links to determine the best route. The bandwidth setting is irrelevant with RIP routing. Bandwidth is
set with the bandwidth command and ranges from 1 - 10000000 kilobits per second.

Router3(config)#int s0
Router3(config-if)#bandwidth ?
<1-10000000> Bandwidth in kilobits

Router3(config-if)#bandwidth 10000000

Saving Changes

Any time you make changes and want them saved over the next reboot, you need to copy the running-config to the
startup-config in NVRAM. Use the command:

Router3#copy run start

You can see either of the files by using the commands:
Router3#show run
Router3#show start
To erase the startup file use the command:
Router3#erase start
Show Controllers

Tells you information about the physical interface itself, it also gives you the cable type and whether it is a DTE or
DCE interface. Syntax is:
Router_2#show controllers s 1

*Note there is a space between the s and the 1.

Q:-What is NAT?

NAT (Network Address Translation) is a technique for preserving scarce Internet IP addresses.

Q:-What is the real difference between NAT and PAT?

NAT is a feature of a router that will translate IP addresses. When a packet comes in, it will be rewritten in order to
forward it to a host that is not the IP destination. A router will keep track of this translation, and when the host sends
a reply, it will translate back the other way.

PAT translates ports, as the name implies, and likewise NAT translates addresses. Sometimes PAT is also called
Overloaded NAT.

Q:-How do you configure NAT on Windows 2003?

To configure the Routing and Remote Access and the Network Address Translation components, your computer must
have at least two network interfaces: one connected to the Internet and the other one connected to the internal
network. You must also configure the network translation computer to use Transmission Control Protocol/Internet
Protocol (TCP/IP).

If you use dial-up devices such as a modem or an Integrated Services Digital Network (ISDN) adapter to connect to
the Internet, install your dial-up device before you configure Routing and Remote Access.

Use the following data to configure the TCP/IP address of the network adapter that connects to the internal network:
TCP/IP address:
Subnet mask:
No default gateway
Domain Name System (DNS) server: provided by your Internet service provider (ISP)
Windows Internet Name Service (WINS) server: provided by your ISP
Use the following data to configure the TCP/IP address of the network adapter that connects to the external network:
TCP/IP address: provided by your ISP
subnet mask: provided by your ISP
default gateway: provided by your ISP
DNS server: provided by your ISP
WINS server: provided by your ISP
Before you continue, verify that all your network cards or all your dial-up adapters are functioning correctly.

Q:-Configure Routing and Remote Access

To activate Routing and Remote Access, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.

Right-click your server, and then click Configure and Enable Routing and Remote Access.

In the Routing and Remote Access Setup Wizard, click Next, click Network address translation (NAT), and then
click Next.

Click Use this public interface to connect to the Internet, and then click the network adapter that is connected to
the Internet. At this stage you have the option to reduce the risk of unauthorized access to your network. To do so,
click to select the Enable security on the selected interface by setting up Basic Firewall check box.

Examine the selected options in the Summary box, and then click Finish.

Q:-Configure dynamic IP address assignment for private network clients

You can configure your Network Address Translation computer to act as a Dynamic Host Configuration Protocol
(DHCP) server for computers on your internal network. To do so, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.

Expand your server node, and then expand IP Routing.

Right-click NAT/Basic Firewall, and then click Properties.

In the NAT/Basic Firewall Properties dialog box, click the Address Assignment tab.

Click to select the Automatically assign IP addresses by using the DHCP allocator check box. Notice that default
private network with the subnet mask of is automatically added in the IP address and the
Mask boxes. You can keep the default values, or you can modify these values to suit your network.

If your internal network requires static IP assignment for some computers -- such as for domain controllers or for
DNS servers -- exclude those IP addresses from the DHCP pool. To do this, follow these steps:
Click Exclude.

In the Exclude Reserved Addresses dialog box, click Add, type the IP address, and then click OK.

Repeat step b for all addresses that you want to exclude.

Click OK.

Q:-Configure name resolution

To configure name resolution, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
Right-click NAT/Basic Firewall, and then click Properties.

In the NAT/Basic Firewall Properties dialog box, click the Name Resolution tab.

Click to select the Clients using Domain Name System (DNS) check box. If you use a demand-dial interface to
connect to an external DNS server, click to select the Connect to the public network when a name needs to be
resolved check box, and then click the appropriate dial-up interface in the list.

Q:-How do you allow inbound traffic for specific hosts on Windows 2003 NAT?

You can use the Windows Server 2003 implementation of IPSec to compensate for the limited protections provided
by applications for network traffic, or as a network-layer foundation of a defense-in-depth strategy. Do not use IPSec
as a replacement for other user and application security controls, because it cannot protect against attacks from within
established and trusted communication paths. Your authentication strategy must be well defined and implemented for
the potential security provided by IPSec to be realized, because authentication verifies the identity and trust of the
computer at the other end of the connection.

Q:-What is VPN? What types of VPN does Windows 2000 and beyond work with natively?

The virtual private network (VPN) technology included in Windows Server 2003 helps enable cost-effective, secure
remote access to private networks. VPN allows administrators to take advantage of the Internet to help provide the
functionality and security of private WAN connections at a lower cost. In Windows Server 2003, VPN is enabled
using the Routing and Remote Access service. VPN is part of a comprehensive network access solution that includes
support for authentication and authorization services, and advanced network security technologies.

There are two main strategies for providing secure connectivity between private networks and for enabling network
access for remote users.

Dial-up or leased line connections

A dial-up or leased line connection creates a physical connection to a port on a remote access server on a private
network. However, using dial-up or leased lines to provide network access is expensive when compared to the cost of
providing network access using a VPN connection.

VPN connections
VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet
Protocol security (L2TP/IPSec) over an intermediate network, such as the Internet. By using the Internet as a
connection medium, VPN saves the cost of long-distance phone service and hardware costs associated with using
dial-up or leased line connections. A VPN solution includes advanced security technologies such as data encryption,
authentication, authorization, and Network Access Quarantine Control.


Network Access Quarantine Control is used to delay remote access to a private network until the configuration of the
remote access computer has been examined and validated.

Using VPN, administrators can connect remote or mobile workers (VPN clients) to private networks. Remote users
can work as if their computers are physically connected to the network. To accomplish this, VPN clients can use a
Connection Manager profile to initiate a connection to a VPN server. The VPN server can communicate with an
Internet Authentication Service (IAS) server to authenticate and authorize a user session and maintain the connection
until it is terminated by the VPN client or by the VPN server. All services typically available to a LAN-connected
client (including file and print sharing, Web server access, and messaging) are enabled by VPN.

VPN clients can use standard tools to access resources. For example, clients can use Windows Explorer to make drive
connections and to connect to printers. Connections are persistent: Users do not need to reconnect to network
resources during their VPN sessions. Because drive letters and universal naming convention (UNC) names are fully
supported by VPN, most commercial and custom applications work without modification.

VPN Scenarios
Virtual private networks are point-to-point connections across a private or public network such as the Internet. A
VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on
a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access
server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data
between the VPN client and the organization’s private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing
information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private
link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network
are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is
known as a VPN connection.

A VPN Connection
There are two types of VPN connections:

Remote access VPN

Site-to-site VPN

Remote Access VPN

Remote access VPN connections enable users working at home or on the road to access a server on a private network
using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a
point-to-point connection between the computer (the VPN client) and an organization’s server. The exact
infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a
dedicated private link.

Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed
connections between separate offices or with other organizations over a public network while helping to maintain
secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link.
When networks are connected over the Internet, as shown in the following figure, a router forwards packets to
another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed
connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates
itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates
itself to the calling router. In a site-to site VPN connection, the packets sent from either router across the VPN
connection typically do not originate at the routers.
VPN Connecting Two Remote Sites Across the Internet

VPN Connection Properties

PPTP-based VPN and L2TP/IPSec-based VPN connection properties are described in the following sections.

VPN technology provides a way of encapsulating private data with a header that allows the data to traverse the

There are three types of authentication for VPN connections:

User authentication
For the VPN connection to be established, the VPN server authenticates the VPN client attempting the connection
and verifies that the VPN client has the appropriate permissions. If mutual authentication is being used, the VPN
client also authenticates the VPN server, providing protection against masquerading VPN servers.

The user attempting the PPTP or L2TP/IPSec connection is authenticated using Point-to-Point Protocol (PPP)-based user
authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Microsoft
Challenge-Handshake Authentication Protocol (MS-CHAP), Microsoft Challenge-Handshake Authentication
Protocol version 2 (MS-CHAP v2), Shiva Password Authentication Protocol (SPAP), and Password Authentication
Protocol (PAP). For PPTP connections, you must use EAP-TLS, MS-CHAP, or MS-CHAP v2, because MPPE derives its
encryption keys from the authentication exchange. Microsoft's guidance at the time recommended EAP-TLS using smart
cards or MS-CHAP v2, as both provide mutual authentication. Today only EAP-TLS should be treated as secure: the
MS-CHAP v2 exchange (and with it PPTP/MPPE) can be reduced to a single DES key search that recovers the user's
NT password hash from a captured challenge and response, and PAP and SPAP send the password in the clear or in a
trivially reversible form.

Computer authentication with L2TP/IPSec

By performing computer-level authentication with IPSec, L2TP/IPSec connections also verify that the remote access
client computer is trusted.

Data authentication and integrity

To verify that the data being sent on an L2TP/IPSec VPN connection originated at the other end of the connection
and was not modified in transit, L2TP/IPSec packets include a cryptographic checksum based on an encryption key
known only to the sender and the receiver.
Data Encryption

Data can be encrypted for protection between the endpoints of the VPN connection. Data encryption should always
be used for VPN connections where private data is sent across a public network such as the Internet. Data that is not
encrypted is vulnerable to unauthorized interception. For VPN connections, Routing and Remote Access uses
Microsoft Point-to-Point Encryption (MPPE) with PPTP and IPSec encryption with L2TP.

Address and Name Server Allocation

When a VPN server is configured, it creates a virtual interface that represents the interface on which all VPN
connections are made. When a VPN client establishes a VPN connection, a virtual interface is created on the VPN
client that represents the interface connected to the VPN server. The virtual interface on the VPN client is connected
to the virtual interface on the VPN server, creating the point-to-point VPN connection.

The virtual interfaces of the VPN client and the VPN server must be assigned IP addresses. The assignment of these
addresses is done by the VPN server. By default, the VPN server obtains IP addresses for itself and VPN clients using
the Dynamic Host Configuration Protocol (DHCP). Otherwise, a static pool of IP addresses can be configured to
define one or more address ranges, with each range defined by an IP network ID and a subnet mask or start and end
IP addresses.

Name server assignment, the assignment of Domain Name System (DNS) and Windows Internet Name Service
(WINS) servers to the VPN connection, also occurs during the process of establishing the VPN connection.

Tunneling Overview
Tunneling is a method of using a network infrastructure to transfer data for one network over another network. The
data (or payload) to be transferred can be the frames (or packets) of another protocol. Instead of sending a frame as it
is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The
additional header provides routing information so that the encapsulated payload can traverse the intermediate

The encapsulated packets are then routed between tunnel endpoints over the network. The logical path through which
the encapsulated packets travel through the network is called a tunnel. After the encapsulated frames reach their
destination on the network, the frame is de-encapsulated (the header is removed) and the payload is forwarded to its
final destination. Tunneling includes this entire process (encapsulation, transmission, and de-encapsulation of

Tunneling Protocols
Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different
protocol. For example, VPN uses PPTP to encapsulate IP packets over a public network such as the Internet. A VPN
solution based on either PPTP or L2TP can be configured.

PPTP and L2TP depend heavily on the features originally specified for PPP. PPP was designed to send data across
dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then
transmits the encapsulated PPP-packets across a point-to-point link. PPP was originally defined as the protocol to use
between a dial-up client and a network access server (NAS).

PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an IP header to be sent across an
organization’s IP network or a public IP network such as the Internet. PPTP encapsulates Point-to-Point Protocol
(PPP) frames in IP datagrams for transmission over the network. PPTP can be used for remote access and site-to-site
VPN connections. PPTP is documented in RFC 2637 in the IETF RFC Database.

PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation
(GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted,
compressed, or both. The following figure shows the structure of a PPTP packet containing an IP datagram.

Structure of a PPTP Packet Containing an IP Datagram

When using the Internet as the public network for VPN, the PPTP server is a PPTP-enabled VPN server with one
interface on the Internet and a second interface on the intranet.

L2TP allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-to-point
datagram delivery, such as IP, X.25, frame relay, or asynchronous transfer mode (ATM). L2TP is a combination of
PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the best
features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM networks.
When configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet.
L2TP is documented in RFC 2661 in the IETF RFC Database.

L2TP over IP networks uses User Datagram Protocol (UDP) and a series of L2TP messages for tunnel management.
L2TP also uses UDP to send L2TP-encapsulated PPP frames as tunneled data. The payloads of encapsulated PPP
frames can be encrypted, compressed, or both, although the Microsoft implementation of L2TP does not use MPPE to
encrypt the PPP payload. The following figure shows the structure of an L2TP packet containing an IP datagram.

Structure of an L2TP Packet Containing an IP Datagram

L2TP with IPSec (L2TP/IPSec)

In the Microsoft implementation of L2TP, IPSec Encapsulating Security Payload (ESP) in transport mode is used to
encrypt L2TP traffic. The combination of L2TP (the tunneling protocol) and IPSec (the method of encryption) is
known as L2TP/IPSec. L2TP/IPSec is described in RFC 3193 in the IETF RFC Database.

The result after applying ESP to an IP packet containing an L2TP message is shown in the following figure.

Encryption of L2TP Traffic with IPSec ESP

Routing for VPN

Routing for remote access and site-to-site VPN connections is described in the following sections.

Routing for Remote Access VPN Connections

Conventional routing occurs between routers over either LAN-based shared access technologies, such as Ethernet or
Token Ring, or WAN-based point-to-point technologies, such as T1 or frame relay.
Default Routing
The preferred method for directing packets to a remote network is to create a default route on the remote access client
that directs packets to the remote network (the default configuration for VPN remote access clients). Any packet that
is not intended for the neighboring LAN segment is sent to the remote network. When a connection is made, the
remote access client, by default, adds a default route to its routing table and increases the metric of the existing
default route to ensure that the newest default route is used. The newest default route points to the new connection,
which ensures that any packets that are not addressed to the local LAN segment are sent to the remote network.

Under this configuration, when a VPN client connects and creates a new default route, Internet sites that have been
accessible are no longer accessible (unless Internet access is available through the organization’s intranet). This poses
no problem for remote VPN clients that require access only to the organization’s network. However, it is not
acceptable for remote clients that need access to the Internet while they are connected to the organization’s network.

Split Tunneling
Split tunneling enables remote access VPN clients to route corporate-based traffic over the VPN connection while
sending Internet-based traffic using the user’s local Internet connection. This prevents the use of corporate bandwidth
for access to Internet sites.

However, a split tunneling implementation can introduce a security issue. If a remote access client has reachability to
both the Internet and a private organization network simultaneously, the possibility exists that the Internet connection
could be exploited to gain access to the private organization network through the remote access client. Security-
sensitive companies can choose to use the default routing model to help ensure that all VPN client communications
are protected by the corporate firewall.
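The two routing models above, as an added example that is not part of the original document: a small Python model of the client's routing table in which the most specific prefix wins and, among equal prefixes, the lowest metric. connect_full_tunnel() does what the text describes for the default configuration (new default route through the VPN interface, metric of the existing default route raised, host route to the VPN server so the tunnel itself stays reachable); connect_split_tunnel() adds only the corporate prefixes and leaves the default route alone. The interface names, the corporate address space 10.0.0.0/8 and the VPN server address 203.0.113.10 are assumptions made for the demonstration.

```python
"""Route selection on a remote access client: full tunnel versus split tunnel.

Added example, not from the original document. Models the behaviour described
in the text: longest prefix match first, then lowest metric. Interface names,
the corporate prefix 10.0.0.0/8 and the VPN server address are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    metric: int


def lookup(table, dst):
    """Route used for dst: most specific prefix wins, ties broken by lowest metric."""
    dst = IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(table, dst):
    return lookup(table, dst).interface


# Before the VPN comes up: one default route through the local ISP link.
BASE_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "Local Area Connection", 20),
    Route(IPv4Network("192.168.1.0/24"), "Local Area Connection", 20),
]


def connect_full_tunnel(table, vpn_server):
    """Default behaviour: a new default route via the VPN interface, the old
    default route's metric raised so the new one wins, and a /32 host route
    to the VPN server so the tunnel packets themselves still leave locally."""
    new = [Route(r.prefix, r.interface, r.metric + 1) if r.prefix.prefixlen == 0 else r
           for r in table]
    new.append(Route(IPv4Network("0.0.0.0/0"), "VPN", 1))
    new.append(Route(IPv4Network(f"{vpn_server}/32"), "Local Area Connection", 20))
    return new


def connect_split_tunnel(table, vpn_server, corp_prefixes):
    """Split tunnelling: only the corporate prefixes are routed into the VPN;
    the existing default route keeps carrying Internet traffic."""
    new = list(table)
    new += [Route(IPv4Network(p), "VPN", 1) for p in corp_prefixes]
    new.append(Route(IPv4Network(f"{vpn_server}/32"), "Local Area Connection", 20))
    return new


if __name__ == "__main__":
    full = connect_full_tunnel(BASE_TABLE, "203.0.113.10")
    split = connect_split_tunnel(BASE_TABLE, "203.0.113.10", ["10.0.0.0/8"])
    for dst in ("10.1.2.3", "198.51.100.7", "203.0.113.10", "192.168.1.50"):
        print(f"{dst:>14}: full={egress(full, dst):<22} split={egress(split, dst)}")
```

Running it shows the Internet host 198.51.100.7 leaving through the VPN in the full-tunnel table, which is why Internet sites stop being reachable unless the intranet provides Internet access, and through the local connection in the split-tunnel table, which is the simultaneous reachability the text warns about.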

Routing for Site-to-Site VPN Connections

With conventional WAN technologies, IP packets are forwarded between two routers over a physical or logical point-
to-point connection. This connection is dedicated to the customer across a private data network that is provided by the
WAN service provider.

With the advent of the Internet, packets can now be routed between routers that are connected to the Internet across a
virtual connection that emulates the properties of a dedicated, private, point-to-point connection. This type of
connection is known as a site-to-site VPN connection. Site-to-site VPN connections can be used to replace expensive
long-haul WAN links with short-haul WAN links to a local Internet service provider (ISP).

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed
connection to the network to which the VPN server is attached. On a site-to-site VPN connection, the packets sent
from either router across the VPN connection typically do not originate at the routers.

To facilitate routing between the sites, each VPN server and the routing infrastructure of its connected site must have
a set of routes that represent the address space of the other site. These routes can be added manually, or routing
protocols can be used to automatically add and maintain a set of routes.

Site-to-Site Routing Protocols

There are two routing protocols that can be used in a site-to-site VPN deployment:

Routing Information Protocol (RIP)

Open Shortest Path First (OSPF)

RIP is designed for exchanging routing information within a small to medium-size network. RIP routers dynamically
exchange routing table entries.

The Windows Server 2003 implementation of RIP has the following features:

The ability to select which RIP version to run on each interface for incoming and outgoing packets.

Split-horizon, poison-reverse, and triggered-update algorithms that are used to avoid routing loops and speed
recovery of the network when topology changes occur.

Route filters for choosing which networks to announce or accept.

Peer filters for choosing which router’s announcements are accepted.

Configurable announcement and route-aging timers.

Simple password authentication support.

The ability to disable subnet summarization.

OSPF is designed for exchanging routing information within a large or very large network. Instead of exchanging
routing table entries like RIP routers, OSPF routers maintain a map of the network that is updated after any change to
the network topology. This map, called the link state database, is synchronized between all the OSPF routers and is
used to compute the routes in the routing table. Neighboring OSPF routers form an adjacency, which is a logical
relationship between routers to synchronize the link state database.

VPN and Firewalls Overview

The routing service supports a variety of inbound and outbound packet-filtering features that block certain types of
traffic. The filtering options include the following: TCP port, UDP port, IP protocol ID, Internet Control Message
Protocol (ICMP) type, ICMP code, source address, and destination address. A VPN server can be placed behind a
firewall or in front of a firewall. These two approaches are described in the following sections.

VPN Server Behind a Firewall

In the most common configuration, the firewall is connected to the Internet, and the VPN server is an intranet
resource that is attached to the perimeter network. The VPN server has an interface on both the perimeter network
and the intranet. In this scenario, the firewall must be configured with input and output filters on its Internet interface
that allow tunnel maintenance traffic and tunneled data to pass to the VPN server. Additional filters can allow traffic
to pass to Web, FTP, and other types of servers on the perimeter network. For an additional layer of security, the
VPN server should also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface.

VPN Server in Front of a Firewall

When the VPN server is in front of the firewall and connected to the Internet, packet filters must be added to the VPN
server’s Internet interface to allow only VPN traffic to and from the IP address of that interface.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall. Through
the use of its filters, the firewall allows the traffic to be forwarded to intranet resources. Because the only traffic that
crosses the VPN server is generated by authenticated VPN clients, in this scenario, firewall filtering can be used to
prevent VPN users from accessing specific intranet resources. Because Internet traffic allowed on the intranet must
pass through the VPN server, this approach also prevents the sharing of FTP or Web intranet resources with non-VPN
Internet users.

Technologies Related to VPN

Integrating VPN with the other network infrastructure components is an important part of VPN design and
implementation. VPN has to be integrated with directory, authentication, and security services, as well as with IP
address assignment and name server assignment services. Without proper design, VPN clients are unable to obtain
proper IP addresses and resolve intranet names, and packets cannot be forwarded between VPN clients and intranet

VPN-related technologies are described in the following sections:

Connection Manager

Name Server Assignment (DNS and WINS)

Connection Manager
Connection Manager is a service profile that can be used to provide customized remote access to a network through a
VPN connection. The advanced features of Connection Manager are a superset of basic dial-up networking.
Connection Manager provides support for local and remote connections by using a network of points of presence
(POPs), such as those available worldwide through ISPs. Windows Server 2003 includes a set of tools that enable a
network manager to deliver pre-configured connections to network users. These tools are:

The Connection Manager Administration Kit (CMAK)

Connection Point Services (CPS)

A network administrator can tailor the appearance and behavior of a connection made with Connection Manager by
using CMAK. With CMAK, an administrator can develop client dialer and connection software that allows users to
connect to the network by using only the connection features that the administrator defines for them. Connection
Manager supports a variety of features that both simplify and enhance implementation of connection support, most of
which can be incorporated using the Connection Manager Administration Kit Wizard.

CMAK enables administrators to build profiles that customize the Connection Manager installation package so that it
reflects an organization’s identity. CMAK allows administrators to determine which functions and features to include
and how Connection Manager appears to end-users. Administrators can do this by using the CMAK wizard to build
custom service profiles.

Connection Point Services (CPS) automatically distributes and updates custom phone books. These phone books
contain one or more Point of Presence (POP) entries, with each POP supplying a telephone number that provides dial-
up access to an Internet access point for VPN connections. The phone books give users complete POP information, so
when they travel they can connect to different Internet POPs rather than being restricted to a single POP.

Without the ability to update phone books (a task CPS handles automatically), users would have to contact their
organization’s technical support staff to be informed of changes in POP information and to reconfigure their client-
dialer software. CPS has two components:

Phone Book Administrator

Phone Book Service

Phone Book Administrator

Phone Book Administrator is a tool used to create and maintain the phone book database and to publish new phone
book information to the Phone Book Service.

Phone Book Service

The Phone Book Service runs on an IIS server and responds to requests from Connection Manager clients to verify
the current version of subscribers’ or corporate employees’ current phone books and, if necessary, downloads a phone
book update to the Connection Manager client.

For both PPTP and L2TP connections, the data being tunneled is a PPP frame. A PPP connection must be established
before data can be sent. The VPN server must have IP addresses available in order to assign them to a VPN server’s
virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase that is part of the process
of establishing a PPP connection. The IP address assigned to a VPN client is also assigned to the virtual interface of
that VPN client.
For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP
by default. A static IP address pool can also be configured. DHCP is also used by remote access VPN clients to
obtain additional configuration settings after the PPP connection is established.

EAP-RADIUS is the passing of EAP messages of any EAP type by an authenticator to a Remote Authentication Dial-
In User Service (RADIUS) server for authentication. For example, for a remote access server that is configured for
RADIUS authentication, the EAP messages sent between the remote access client and remote access server are
encapsulated and formatted as RADIUS messages between the remote access server (the authenticator) and the
RADIUS server (the authentication server).

EAP-RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP-
RADIUS is that EAP types do not need to be installed at each remote access server, only at the RADIUS server. In the
case of an IAS server, the EAP types need to be installed only on the IAS server.

In a typical use of EAP-RADIUS, a server running Routing and Remote Access is configured to use EAP and to use
an IAS server for authentication. When a connection is made, the remote access client negotiates the use of EAP with
the remote access server. When the client sends an EAP message to the remote access server, the remote access
server encapsulates the EAP message as a RADIUS message and sends it to its configured IAS server. The IAS
server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the remote access
server. The remote access server then forwards the EAP message to the remote access client. In this configuration, the
remote access server is only a pass-through device. All processing of EAP messages occurs at the remote access
client and the IAS server.

Routing and Remote Access can be configured to authenticate locally or to a RADIUS server. If Routing and Remote
Access is configured to authenticate locally, all EAP methods will be authenticated locally. If Routing and Remote
Access is configured to authenticate to a RADIUS server, then all EAP messages will be forwarded to the RADIUS
server with EAP-RADIUS.

The VPN server can be configured to use either Windows or RADIUS as an authentication provider. If Windows is
selected as the authentication provider, the user credentials sent by users attempting VPN connections are
authenticated using typical Windows authentication mechanisms, and the connection attempt is authorized using local
remote access policies.

If RADIUS is selected and configured as the authentication provider on the VPN server, user credentials and
parameters of the connection request are sent as RADIUS request messages to a RADIUS server.

The RADIUS server receives a user-connection request from the VPN server and authenticates and authorizes the
connection attempt. In addition to a yes or no response to an authentication request, RADIUS can inform the VPN
server of other applicable connection parameters for this user such as maximum session time, static IP address
assignment, and so on.

RADIUS can respond to authentication requests based on its own user account database, or it can be a front end to
another database server, such as a Structured Query Language (SQL) server or a Windows domain controller (DC).
The DC can be located on the same computer as the RADIUS server, or elsewhere. In addition, a RADIUS proxy can
be used to forward requests to a remote RADIUS server.

IAS is the Windows implementation of a RADIUS server and proxy.
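The EAP-RADIUS encapsulation and the pass-through role of the remote access server described above, as an added example that is not Microsoft's code: the NAS side wraps an EAP message it received over PPP into a RADIUS Access-Request, and the server side verifies the request and unwraps the EAP message. The wire formats follow RFC 2865 (RADIUS) and RFC 3579 (the EAP-Message and Message-Authenticator attributes); the shared secret, NAS address and user identity are constructed values.

```python
"""EAP over RADIUS: how the authenticator (NAS) carries EAP to the RADIUS server.

Added example, not Microsoft's code. Formats follow RFC 2865 and RFC 3579.
The shared secret, NAS address and identity used below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
MAX_ATTR_VALUE = 253  # attribute length byte counts type+length+value, max 255


def eap_identity_response(identifier, identity):
    """EAP Response/Identity exactly as the client sends it inside a PPP frame."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def _attr(atype, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def nas_wrap_eap(eap, secret, identifier, request_authenticator, user_name, nas_ip):
    """NAS side. EAP data longer than 253 bytes is split over consecutive
    EAP-Message attributes. Message-Authenticator (HMAC-MD5 with the shared
    secret over the whole packet, its own value zeroed) is mandatory whenever
    EAP-Message is present; without it anyone could inject EAP into the NAS."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt += request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the placeholder is the final 16 bytes


def parse_attrs(pkt):
    """Return [(type, value, offset_of_value)] for the attributes after the header."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[i], pkt[i + 1]
        out.append((atype, pkt[i + 2:i + alen], i + 2))
        i += alen
    return out


def server_unwrap_eap(pkt, secret):
    """RADIUS server side: check the header, verify Message-Authenticator,
    then reassemble the EAP message. Raises ValueError on any failure."""
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("bad RADIUS header")
    attrs = parse_attrs(pkt)
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        raise ValueError("EAP-Message requires exactly one Message-Authenticator")
    mac, off = macs[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator check failed")
    return b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)


def is_authentic(pkt, secret):
    try:
        server_unwrap_eap(pkt, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    eap = eap_identity_response(1, "alice@corp.example")
    pkt = nas_wrap_eap(eap, secret, 7, os.urandom(16), "alice@corp.example", "192.0.2.10")
    print("server recovered the EAP message:", server_unwrap_eap(pkt, secret) == eap)
    forged = pkt[:22] + b"X" + pkt[23:]  # flip the first byte of User-Name
    print("forged packet accepted:", is_authentic(forged, secret))
```

The remote access server never looks inside the EAP bytes, which is the pass-through behaviour the text describes; what it must do is compute the Message-Authenticator, and what the server must do is refuse any Access-Request carrying EAP-Message whose Message-Authenticator is missing or wrong.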

Name Server Assignment (DNS and WINS)

Name server assignment, the assignment of Domain Name System (DNS) and Windows Internet Name Service
(WINS) servers, occurs during the process of establishing a VPN connection. The VPN client obtains the IP
addresses of the DNS and WINS servers from the VPN server for the intranet to which the VPN server is attached.

The VPN server must be configured with DNS and WINS server addresses to assign to the VPN client during IPCP
negotiation. For NetBIOS name resolution, you do not have to use WINS and can enable the NetBIOS over TCP/IP
(NetBT) proxy on the VPN server.

A network address translator (NAT) translates the IP addresses and Transmission Control Protocol/User Datagram
Protocol (TCP/UDP) port numbers of packets that are forwarded between a private network and the Internet. The
NAT on the private network can also provide IP address configuration information to the other computers on the
private network.

PPTP-based VPN clients can be located behind a NAT if the NAT includes an editor that can translate PPTP packets.
PPTP-based VPN servers can be located behind a NAT if the NAT is configured with static mappings for PPTP
traffic. If the L2TP/IPSec-based VPN clients or servers are positioned behind a NAT, both client and server must
support IPSec NAT traversal (NAT-T).

L2TP (Layer 2 Tunneling Protocol)

The VPN server is also known as an L2TP server in native mode and as a PPTP server in mixed mode.

Q:-What is IAS? In what scenarios do we use it?

Internet Authentication Service (IAS) is the Windows implementation of a RADIUS server and proxy. It centralizes
authentication, authorization and accounting for access servers such as RRAS dial-up and VPN servers and 802.1X
wireless or switch access points, using Active Directory accounts and remote access policies.

IAS is deployed in these common scenarios:
1)Dial-up corporate access.
2)Outsourced corporate access through service providers.
3)Internet access.

Q:-What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?

Mixed mode and native mode are Active Directory domain modes (domain functional levels in Windows Server 2003),
not client types. A Windows 2000 mixed-mode domain can still contain Windows NT 4.0 backup domain controllers; a
native-mode domain contains only Windows 2000 or later domain controllers. The mode matters to RRAS because some
remote access features depend on it: in particular, the Control access through Remote Access Policy option on a user
account's Dial-in tab is available only in a native-mode domain (Windows 2000 native or the Windows Server 2003
domain functional level). In a mixed-mode domain every account must be set explicitly to Allow access or Deny
access, so remote access policies can only further restrict a connection through their conditions and profile settings;
they cannot grant the permission on their own.

Q:-What are Conditions and Profile in RRAS Policies?

Remote access policies are an ordered set of rules that define whether remote access connection attempts are
authorized or rejected. Each rule includes one or more conditions (which identify the criteria the attempt must match), a
set of profile settings (applied to the connection once the rule matches), and a permission setting (grant or deny) for
remote access. Think of the policy set as the brain of the doorkeeper (the VPN server) that decides who may enter your
network from outside. Remote access policy decides who can access what resources, from where, using which tunnel
settings, so configuring a proper set of policies is important.
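The policy evaluation described above, as an added example that is not Microsoft's code. The policy names, groups and attribute names are constructed; the evaluation order (the first policy whose conditions all match is the only one used, no match rejects the attempt, a user account set to Allow or Deny overrides the matched policy's permission, and the profile constraints are applied last) follows the documented RRAS/IAS behaviour.

```python
"""Remote access policy evaluation: ordered rules with conditions, permission, profile.

Added example, not Microsoft's code. Policy names, groups and attributes are
constructed; the evaluation order follows documented RRAS/IAS behaviour.
"""
from dataclasses import dataclass, field

ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"


@dataclass
class Policy:
    name: str
    conditions: dict        # attribute -> required value, or a set meaning "any of"
    permission: str         # ALLOW or DENY
    profile: dict = field(default_factory=dict)  # attribute -> allowed values


def _matches(conditions, attempt):
    for attr, want in conditions.items():
        have = attempt.get(attr)
        if isinstance(want, (set, frozenset)):
            if not (set(have or ()) & want):   # e.g. group membership: any overlap
                return False
        elif have != want:
            return False
    return True


def evaluate(policies, attempt, user_dialin=CONTROL_BY_POLICY):
    """Return (decision, reason). `attempt` carries the connection-request
    attributes (groups, nas_port_type, tunnel_type, auth_method, ...)."""
    for pol in policies:
        if not _matches(pol.conditions, attempt):
            continue
        # Only the first matching policy is evaluated; later ones are ignored.
        if user_dialin == DENY:
            return DENY, f"{pol.name}: user dial-in permission is Deny"
        if user_dialin == CONTROL_BY_POLICY and pol.permission == DENY:
            return DENY, f"{pol.name}: policy permission is Deny"
        # The profile is enforced even when the user account says Allow.
        for attr, allowed in pol.profile.items():
            if attempt.get(attr) not in allowed:
                return DENY, f"{pol.name}: profile rejects {attr}={attempt.get(attr)!r}"
        return ALLOW, f"{pol.name}: granted"
    return DENY, "no policy matched"


# Constructed policy set, evaluated top to bottom; the last rule is a catch-all.
POLICIES = [
    Policy("Block expired contractors", {"groups": {"Contractors-Expired"}}, DENY),
    Policy("VPN users, L2TP/IPSec only",
           {"groups": {"VPN-Users"}, "nas_port_type": "Virtual"},
           ALLOW,
           profile={"tunnel_type": {"L2TP"}, "auth_method": {"EAP-TLS", "MS-CHAPv2"}}),
    Policy("Default: deny everything else", {}, DENY),
]

ATTEMPT = {"groups": ["VPN-Users"], "nas_port_type": "Virtual",
           "tunnel_type": "L2TP", "auth_method": "EAP-TLS"}

if __name__ == "__main__":
    print(evaluate(POLICIES, ATTEMPT))
    print(evaluate(POLICIES, dict(ATTEMPT, tunnel_type="PPTP")))
    print(evaluate(POLICIES, dict(ATTEMPT, groups=["VPN-Users", "Contractors-Expired"])))
    print(evaluate(POLICIES, dict(ATTEMPT, groups=["Staff"])))
```

Note the ordering trap the example exercises: a user who is in both VPN-Users and Contractors-Expired is refused, because the deny rule sits first; swap the two rules and the same user gets in.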

Q:-How does SSL work?

Secure Sockets Layer (today TLS) uses two kinds of keys. During the handshake the server presents an X.509
certificate containing its public key; the client validates the certificate chain and the two sides use public-key
cryptography to agree on a shared symmetric session key. That session key, not the public key, then encrypts and
integrity-protects the application data, because symmetric ciphers are far faster.
When an SSL digital certificate is installed on a web site, users see a padlock icon in the browser for the connection.
When an Extended Validation certificate is installed, older versions of Firefox, Internet Explorer and Opera showed a
green address bar; current browsers no longer give EV certificates a distinct indicator.

Q:-How does IPSec work?

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication,
integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides
data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and
it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard
because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against
possible security exposures by protecting data while in transit.

Q:-How do I deploy IPSec for a large number of computers?

Use Group Policy: assign an IPSec policy to a domain or organizational unit and every computer in scope applies it at
its next policy refresh, so no per-machine configuration is needed. Microsoft's guide Server and Domain Isolation
Using IPsec and Group Policy describes this approach in detail.

Q:-What types of authentication can IPSec use?

Windows IPSec supports three peer authentication methods: Kerberos V5 (the default for computers that are members
of an Active Directory domain), X.509 computer certificates, and a preshared key (simplest to configure, but stored in
plaintext in the policy, so not recommended outside testing). L2TP/IPSec remote access uses computer certificates for
the IPSec authentication (Windows Server 2003 can also use a preshared key, but certificates are the recommended
method), which is why a certificate infrastructure heads the deployment list below.

Deploying L2TP/IPSec-based Remote Access

Deploying L2TP-based remote access VPN connections using Windows Server 2003 consists of the following:

* Deploy certificate infrastructure

* Deploy Internet infrastructure

* Deploy AAA infrastructure

* Deploy VPN servers

* Deploy intranet infrastructure

* Deploy VPN clients

Q:-What is PFS (Perfect Forward Secrecy) in IPSec?

In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is
the property that ensures that a session key derived from a set of long-term public and private keys will not be
compromised if one of the (long-term) private keys is compromised in the future.

Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been
controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward
secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the
same long-term keying material in a subsequent run are compromised.

Q:-How do I monitor IPSec?

To test the IPSec policies, use IPSec Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which
IPSec policy is active and whether a secure channel between computers is established.

Q:-Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?

You can see the packets pass, but you cannot see their contents.

IPSec Packet Types

IPSec packet types include the authentication header (AH) for data integrity and the encapsulating security payload
(ESP) for data confidentiality and integrity.
The authentication header (AH) protocol creates an envelope that provides integrity, data origin identification and
protection against replay attacks. It authenticates every packet as a defense against session-stealing attacks. Although
the IP header itself is outside the AH header, AH also provides limited verification of it by not allowing changes to
the IP header after packet creation (note that this usually precludes the use of AH in NAT environments, which
modify packet headers at the point of NAT). AH packets use IP protocol 51.
The encapsulating security payload (ESP) protocol provides the features of AH (except for IP header authentication),
plus encryption. It can also be used in a null encryption mode that provides the AH protection against replay attacks
and other such attacks, without encryption or IP header authentication. This can allow for achieving some of the
benefits of IPSec in a NAT environment that would not ordinarily work well with IPSec. ESP packets use IP protocol
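What a sniffer can and cannot read from the two packet types described above, as an added example that is not part of the original page: it parses constructed IPv4 packets, pulls the SPI and sequence number out of AH (protocol 51) and ESP (protocol 50, per RFC 4303) headers, shows that only AH leaves the inner data visible, and flags repeated sequence numbers the way an anti-replay check would. Packet contents, SPIs and addresses are constructed sample values.

```python
import struct

# IANA IP protocol numbers: AH is 51 (RFC 4302); ESP is 50 (RFC 4303).
PROTO_ESP = 50
PROTO_AH = 51

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed sample packet: minimal 20-byte IPv4 header (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def classify_ipsec(pkt):
    """Return what a sniffer can read from one IPv4 packet: protocol, SPI, sequence."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_AH:
        next_hdr, ah_len = body[0], body[1]      # ah_len is in 32-bit words minus 2
        spi, seq = struct.unpack("!II", body[4:12])
        icv_len = (ah_len + 2) * 4 - 12          # integrity check value follows seq
        inner = body[12 + icv_len:]              # AH does not encrypt: inner data stays visible
        return {"type": "AH", "spi": spi, "seq": seq, "next_header": next_hdr, "inner": inner}
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])  # only SPI and sequence are in the clear
        return {"type": "ESP", "spi": spi, "seq": seq, "opaque_len": len(body) - 8}
    return {"type": "other", "protocol": proto}

def replay_suspects(packets):
    """Flag packets that repeat or go backwards in sequence for an SPI (a replay sign)."""
    last, suspects = {}, []
    for pkt in packets:
        info = classify_ipsec(pkt)
        if info["type"] == "other":
            continue
        key = (info["type"], info["spi"])
        if info["seq"] <= last.get(key, 0):
            suspects.append((info["type"], info["spi"], info["seq"]))
        last[key] = max(last.get(key, 0), info["seq"])
    return suspects

# Constructed samples: an AH-protected TCP segment (12-byte ICV, as with HMAC-SHA1-96)
# and an ESP packet whose bytes after SPI/seq are ciphertext a sniffer cannot read.
AH_PKT = build_ipv4(PROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x1000, 7) + b"\x00" * 12 + b"TCP-DATA")
ESP_PKT = build_ipv4(PROTO_ESP, struct.pack("!II", 0x2000, 42) + b"\xaa" * 32)

if __name__ == "__main__":
    for p in (AH_PKT, ESP_PKT):
        print(classify_ipsec(p))
    print(replay_suspects([ESP_PKT, ESP_PKT]))   # the repeated ESP packet is flagged
```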

Q:-What can you do with NETSH?

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display, modify or script
the network configuration of a computer that is currently running.

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine]

[Command | -f ScriptFile]

The following commands are available:

Commands in this context:

? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
delete - Deletes a configuration entry from a list of entries.
dump - Displays a configuration script.
exec - Runs a script file.
help - Displays a list of commands.
interface - Changes to the `interface' context.
ras - Changes to the `ras' context.
routing - Changes to the `routing' context.
set - Updates configuration settings.
show - Displays information.

The following subcontexts are available:

routing interface ras

To view help for a command, type the command, followed by a space, and then
type ?.

Q:-How do I look at the open ports on my machine?

Windows: Open a command prompt (Start button -> Run -> type "cmd"), and type:
netstat -a

Linux: Open an SSH session and type:

netstat -an