Microsoft Windows 2000 Server Resource Kit -  Microsoft Corporation

Media combination
7296 pages
2000
Microsoft Press, U.S.
978-1-57231-805-2 (ISBN)
329,95 incl. VAT
Deploy, manage, and optimize Microsoft's next-generation operating system with expertise from those who know the technology best: the Microsoft® Windows® 2000 product team. This RESOURCE KIT packs seven powerhouse references (more than 7000 pages of detailed technical drill-down) and over 200 tools and utilities on CD. It's everything you need to help maximize the productivity of your enterprise server systems and reduce your ownership and support costs!
Get seven volumes of authoritative Windows 2000 Server drill-down, straight from the source:

MICROSOFT WINDOWS 2000 SERVER DEPLOYMENT PLANNING GUIDE
  • Create a deployment plan, including pilot projects and testing
  • Prepare your network infrastructure; determine network connectivity and security strategies
  • Design your Active Directory™ infrastructure and domain migration strategy
  • Automate setup of servers and clients; test applications for compatibility and optimize their availability with Windows Clustering
  • Define client administration and change and configuration management strategies

MICROSOFT WINDOWS 2000 SERVER DISTRIBUTED SYSTEMS GUIDE
  • Use Active Directory services to centrally manage users, groups, security, and network resources
  • Manage Active Directory name resolution, schema, and replication
  • Deploy distributed security: authentication, access control, and encryption services
  • Balance server load and ensure availability with Windows Clustering
  • Manage users' desktop environments with Group Policy

MICROSOFT WINDOWS 2000 SERVER TCP/IP CORE NETWORKING GUIDE
  • Deploy and support Windows 2000 TCP/IP-based networking
  • Manage TCP/IP configuration and name resolution with Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and the Windows Internet Naming Service (WINS)
  • Prioritize network traffic and maximize bandwidth using Quality of Service (QoS)
  • Help ensure privacy and security among your network communications with Internet Protocol Security (IPSec)
  • Use Simple Network Management Protocol (SNMP) to manage network resources

MICROSOFT WINDOWS 2000 SERVER INTERNETWORKING GUIDE
  • Manage routing and remote access technologies to extend Microsoft Windows 2000-based networks across a variety of LAN, WAN, and remote network connections
  • Create virtual private networks that protect your security
  • Integrate Windows 2000 with IBM hosts, UNIX, Novell NetWare, and Macintosh® systems
  • Understand Asynchronous Transfer Mode (ATM) networking
  • Support telephony integration and multimedia conferencing

MICROSOFT WINDOWS 2000 SERVER OPERATIONS GUIDE
  • Administer Windows 2000 disks and file systems
  • Manage removable and remote data storage
  • Monitor server and network performance
  • Implement backup and system-recovery strategies
  • Prevent and troubleshoot common problems

MICROSOFT INTERNET INFORMATION SERVICES 5.0 RESOURCE GUIDE
  • Investigate new features and architecture of IIS 5.0, including enhanced administration, security, and application support capabilities, and plan your installation
  • Migrate settings, content, and applications to IIS 5.0 from other Web servers, including IIS 4.0
  • Optimize and tune your IIS-based Web server
  • Maintain an Internet service provider (ISP) installation
  • Use the Web to access legacy data and applications

MICROSOFT INTERNET EXPLORER 5 RESOURCE KIT
  • Evaluate the new capabilities and components in Internet Explorer 5 browser software
  • Develop a deployment plan, including conducting a pilot program
  • Use the Internet Explorer Administration Kit to customize setup and Internet sign-up
  • Take advantage of timesaving maintenance and troubleshooting strategies
  • Train and support users

PLUS, DEPLOYMENT SCENARIOS POSTER INSIDE!
Depicts Windows 2000 deployment scenarios from the RESOURCE KIT Deployment Lab

INCLUDED ON CD-ROM:
This RESOURCE KIT CD-ROM contains over 200 tools to help you deploy, manage, and support the Windows 2000 operating system, including tools for:

DEPLOYMENT
  • Setup Manager: create unattended files and distribution shares to simplify the deployment of Windows 2000 throughout your organization
  • Microsoft Internet Information Server (IIS) Migration Wizard: simplify the process of migrating Web servers to IIS 5.0 Web servers, including those from IIS 4.0
  • Group Policy Migration Utility: migrate settings from earlier version policy files to the Windows 2000 group policy object structure

ACTIVE DIRECTORY™ SERVICES
  • Microsoft Visual Basic® Scripts: use these rich script examples to manage users, groups, and organizational units

INTERNET INFORMATION SERVICES 5.0
  • Web Application Stress Tool: test your application's performance and stability by simulating multiple browsers requesting pages from your site
  • Supportability Tool Kit: automate the data-gathering process for analyzing and diagnosing IIS-based servers

GROUP POLICY
  • Group Policy Object Utility: check the consistency and replication of the Group Policy objects on domain controllers
  • Group Policy Results: see how Group Policy works on a particular computer and its logged-on users

INTERNET EXPLORER 5
  • Microsoft Internet Explorer Administration Kit (IEAK): find samples and tools, including the IEAK Profile Manager, to help you customize Internet Explorer browser software for automated deployment in your enterprise

Plus, get these additional online resources:
  • MICROSOFT WINDOWS 2000 SERVER RESOURCE KIT Online Books: searchable electronic versions of all seven resource guides help you find what you need fast
  • Help References: Error and Event Messages Help, Technical Reference to the Registry, Performance Counter Reference, and Group Policy Reference
  • Tools Help: documentation for the 200+ tools on the RESOURCE KIT CD-ROM

Contents

About the Deployment Planning Guide; Goals of This Guide; Guide Features; Guide Structure; Chapter Structure; Planning Worksheets; Document Conventions; Artwork Symbols; Resource Kit Compact Disc; Resource Kit Support Policy

Part 1 Planning Overview

Chapter 1 Introducing Windows 2000 Deployment Planning
Starting Your Plan; Effectively Using This Book; How to Begin Planning; Overview of the Windows 2000 Product Family; Windows 2000 Professional; Windows 2000 Server Family; Windows 2000 Server Standard Edition; Windows 2000 Advanced Server; Terminal Services; Using Windows 2000 to Improve the Way You Work; IT Administrator; Department Manager; Sales Representative; Examples of How Business Needs are Satisfied by Windows 2000; Case Study 1: North American Industrial Manufacturer; Existing IT Environment; Goals for Deploying Windows 2000; Case Study 2: Large Multinational Manufacturer; Existing IT Environment; Goals for Deploying Windows 2000; Case Study 3: Multinational Financial Services Corporation; Existing IT Environment; Goals for Deploying Windows 2000; Case Study 4: International Software Development Company; Existing IT Environment; Goals for Deploying Windows 2000; Mapping Windows 2000 Features to Your Business Needs; Management Infrastructure Services; Desktop Management Solutions; Security Features; Information Publishing and Sharing; Component Application Services; Scalability and Availability; Networking and Communications; Storage Management; Planning Task List for Mapping Windows 2000 Features

Chapter 2 Creating a Deployment Roadmap
Creating a Project Plan; Preparing Your Project Planning Process; Determining Goals and Objectives; Feature Design and Development; Windows 2000 Pilot; Production Rollout; Deployment Scenarios; Scenario 1: Multinational Financial Services; Phase 1: Assessment; Phase 2: Design and Engineering; Phase 3: Testing; Phase 4: Migration; Scenario 2: Multinational Consumer and Industrial Manufacturer; Deployment Teams; The Server Deployment Team; The Client Deployment Team; Technology Dependencies; Active Directory and Domain Namespace; Active Directory and Exchange Server; Integrating Exchange Server; Remote OS Installation; Tips for Planning Your Windows 2000 Deployment; Planning Task List

Chapter 3 Planning for Deployment
Detailing Your Project Plan; Project Scope and Objectives; Personnel Requirements; Organizing Your Deployment Teams; Assigning Windows 2000 Team Roles; Current Computing Environment; Establishing Standards and Guidelines; Conducting a Gap Analysis; Testing and Piloting Windows 2000; Creating Project Planning Documents; Administrative Documents; Deployment Documents; Functional Specification; Communications Strategy; Education and Training Plan; Capacity Planning; Risk Assessment; Risk Management; Risk Assessment Matrix; Risk-Driven Schedule; Windows 2000 Deployment; Deployment Planning Task List

Chapter 4 Building a Windows 2000 Test Lab
Getting Started with Your Test Environment; Creating a Test Environment; Using the Lab for Risk Management; Lab Development Process; Testing Process; Setting Up a Preliminary Lab; Determining the Lab Strategy; Considering Return on Investment; Using the Lab During the Project Life Cycle; Planning; Developing; Deploying; Post-deployment; Evaluating Lab Models; Ad Hoc Labs; Change Management Labs; Selecting a Lab Model; Selecting a Lab Location; Testing in a Distributed Lab Environment; Case Study 1: Functional Lab Sites; Case Study 2: Contingency Lab Sites; Designing the Lab; Prerequisites for Designing the Lab; Designing for Test Scenarios; Simulating the Proposed Server Environment; Simulating the Proposed Client Computer Environment; Accommodating Test Processes; Documenting the Lab Configuration; Lab Description; Lab Diagrams; Building the Lab; Managing the Lab; Lab Management Responsibilities; Developing Lab Guidelines; Testing; Defining an Escalation Plan; Creating the Test Plan; Scope and Objectives; Testing Methodology; Resources Required; Features and Functions; Risks; Schedule; Designing Test Cases; Conducting Tests; Documenting Test Results; Testing After Deployment; Using the Lab for Change Management; Defining the Role of the Lab in Change Management; Planning Task Lists for Lab Testing; Lab Preparation Task List; Testing Task List

Chapter 5 Conducting Your Windows 2000 Pilot
Overview of Conducting a Pilot; Pilot Process; Starting with Information Technology; Prerequisites for a Production Pilot; Creating a Pilot Plan; Scope and Objectives; Pilot Scope; Pilot Objectives; Pilot Users and Sites; Pilot Training Plan; Pilot Support Plan; Communication; Pilot Rollback Plan; Schedule; Preparing for the Pilot; Preparing Pilot Sites; Preparing Pilot Users; Establishing Early Communication; Keeping Participants Informed; Developing the Rollout Process; Deploying the Pilot; Evaluating the Pilot; Monitoring the Pilot; Obtaining Feedback; Planning Task List for Conducting a Pilot

Part 2 Network Infrastructure Prerequisites

Chapter 6 Preparing Your Network Infrastructure for Windows 2000
Documenting Your Current Environment; Hardware and Software Inventory; Network Infrastructure; Physical Network Diagram; Logical Network Diagram; Network Configuration; File, Print, and Web Servers; Line-of-Business Applications; Directory Services Architecture; Domain Administration Model; Security; Preparing Your Network Architecture; Preliminary Steps; Stabilizing Your Existing Network; Reviewing Your Network Protocols; Preparing Your Physical Infrastructure; Preparing Your Servers; Preparing Your Domain Controllers; Preparing Your Member Servers; Preparing Your Security Infrastructure; Preparing Your Clients; Windows 2000 Professional Upgrade Considerations; Preparing to Operate with Other Systems; Network Infrastructure Preparation Task List

Chapter 7 Determining Network Connectivity Strategies
Network Connectivity Overview; Sites; Remote Connectivity Methods; Internal Local Area Network Connectivity Within Sites; External Connectivity Within an Organization; Designing the Demilitarized Zone; Site Connectivity for an Organization; Remote Client Connectivity; Windows 2000 TCP/IP; New Features in the Windows 2000 TCP/IP Suite; Automatic Private IP Addressing Configuration; Large Window Support; Selective Acknowledgment; Improved Estimation of Round Trip Time; Planning Considerations for Microsoft TCP/IP; IP Address Classes; Subnet Masks and Custom Subnetting; TCP/IP and Windows Internet Name Service; WINS Design Considerations; Routing and Remote Access; New Features of Windows 2000 Routing and Remote Access Service; Remote Access Policy; Remote Access Design Considerations; VPN Security; Benefits of Virtual Private Networking; Point-to-Point Tunneling Protocol VPNs; L2TP over IPSec VPNs; L2TP Deployment Considerations; L2TP Examples; VPN Security with IPSec; Internet Authentication Service and Centralized Management; Multihoming; IP Routing Infrastructure; Static Routed Networks; RIP-for-IP Network Design; OSPF Network Design; IPX Routing Structure; IPX Network Design; AppleTalk Routing Structure; Multicast Support; Network Address Translation; Windows 2000 DHCP; Benefits of Using DHCP; New Features of Windows 2000 DHCP; Enhanced Server Reporting; Additional Scope Support; DHCP and DNS Integration; Unauthorized DHCP Server Detection; Dynamic Support for Bootstrap Protocol Clients; Read-Only Console Access to the DHCP Manager; Designing DHCP Into Your Network; Network Infrastructure Size; Windows 2000 Asynchronous Transfer Mode; Benefits of Using Windows 2000 ATM; Features of Windows 2000 ATM; ATM User Network Interface Call Manager; Updated NDIS and ATM Hardware Support; ATM LAN Emulation; IP/ATM; Multicast and Address Resolution Service; PPP/ATM; ATM Design Considerations; Quality of Service; Planning Task List for Networking Strategies

Chapter 8 Using Systems Management Server to Analyze Your Network Infrastructure
Analyzing Your Network Infrastructure; Using Systems Management Server; How Systems Management Server Can Expedite Windows 2000 Deployment; Systems Management Server 1.2 Differences; Collecting Inventory; Assessing the Current State of Your Hardware; Hardware Capacity; Hardware Compatibility; Using Systems Management Server Hardware Inventory; Assessing the Current State of Your Software; Using Inventory to Prepare Your Network Infrastructure; Reporting the Collected Data; Sample Systems Management Server Report of Windows 2000 Readiness; Using the Product Compliance Subsystem; Analyzing and Using the Collected Data; Monitoring Your Network; Ensuring Application Compatibility; Network Analysis Planning Task List; Additional Resources

Part 3 Active Directory Infrastructure

Chapter 9 Designing the Active Directory Structure
Overview of Active Directory; Primary Active Directory Features; Providing a Foundation for New Technologies; Planning for Active Directory; General Design Principles; Composing Your Active Directory Structure Plans; Creating a Forest Plan; Forest Planning Process; Determining the Number of Forests for Your Network; Creating a Single Forest Environment; Creating a Multiple-Forest Environment; Incremental Costs for an Additional Forest; Creating a Forest Change Control Policy; Schema Change Policy; Configuration Change Policy; Changing the Forest Plan After Deployment; Creating a Domain Plan; Domain Planning Process; Determining the Number of Domains in Each Forest; How Creating Domains Has Changed; When to Create More Than One Domain; Incremental Costs for an Additional Domain; Choosing a Forest Root Domain; Assigning DNS Names to Create a Domain Hierarchy; Arranging Domains into Trees; Domain Naming Recommendations; Domain Names and Computer Names; Planning DNS Server Deployment; Authority and Delegation in DNS; Domain Controller Locator System; DNS Server Requirements; Locate Authoritative Servers; Optimizing Authentication with Shortcut Trust Relationships; Changing the Domain Plan After Deployment; Adding New Domains and Removing Existing Domains; Merging and Splitting Domains; Renaming Domains; Creating an Organizational Unit Plan; OU Structure and Business Structure; OU Planning Process; Creating OUs to Delegate Administration; Modifying Access Control Lists; Deciding What OUs to Create; Delegation Procedures; Creating OUs to Hide Objects; Creating OUs for Group Policy; Changing the OU Plan After Deployment; Creating a Site Topology Plan; Site Topology Planning Process; Defining Sites and Site Links; Creating Sites; Connecting Sites with Site Links; Placing Servers into Sites; Placing Additional Domain Controllers; Placing Global Catalog Servers; Placing DNS Servers; Changing the Site Topology After Deployment; Planning Task List for Designing the Active Directory Structure

Chapter 10 Determining Domain Migration Strategies
Starting the Migration Planning Process; Planning Process Phases; Determining Your Migration Roadmap; Migration Goals; Migration Concepts; Upgrading Clients and Servers; Domain Migration Considerations; Upgrade Decisions; Restructure Decisions; Application Compatibility; Interoperability Requirements; Disk Storage Requirements for Active Directory Objects; Planning Domain Upgrade; Determining Supported Upgrade Paths; Examining the Existing Domain Structure; Developing a Recovery Plan; Managing the Transition to the Windows 2000 Forest; Considering the Upgrade of Resource Domains; Determining a Strategy for Upgrading Domain Controllers; Windows 2000 Domain Modes; Upgrading the Windows NT PDC; PDC Emulation in Windows 2000; Access Control Components; Determining the Order for Upgrading Domains; Guidelines for Upgrading Account Domains; Guidelines for Upgrading Resource Domains; Child Domains and Trusts; Determining When to Move to Native Mode; Reasons for Continuing in Mixed Mode; Reasons for Moving to Native Mode; Examining Windows 2000 Groups; Local Groups; Domain Local Groups; Global Groups; Universal Groups; Nesting Groups; Group Membership Expansion; Effects of Upgrade on Groups; Using NetBIOS with Windows 2000; Transitioning to File Replication Service; LAN Manager Replication Service Process; The FRS Process; Maintaining LAN Manager Replication Service in a Mixed Environment; Using Routing and Remote Access Service in a Mixed Environment; Planning Domain Restructure; Determining the Reasons to Restructure Domains; Determining When to Restructure Domains; Examining the Implications of Restructuring Domains; Moving Security Principals; Moving Users and Global Groups; Moving Profiles and SIDhistory; Moving Computers; Moving Member Servers; Establishing Trusts; Cloning Security Principals; Domain Restructure Scenarios; Scenario #1: Migrating Users Incrementally from Windows NT to Windows 2000; Scenario #2: Consolidating a Resource Domain into an OU; Domain Migration Tools; ClonePrincipal; Netdom; Migration Planning Task List

Chapter 11 Planning Distributed Security
Developing a Network Security Plan; Security Risks; Security Concepts; Security Model; Domain Model; Trust Management; Security Policy; Security Configuration and Analysis; Symmetric Key Encryption; Public Key Encryption; Authentication; Single Sign-On; Two-Factor Authentication; Access Control; Data Integrity; Data Confidentiality; Nonrepudiation; Code Authentication; Audit Logs; Physical Security; User Education; Distributed Security Strategies; Authenticating All User Access; Planning Considerations; Kerberos Authentication and Trust; How Kerberos Authentication Works; Implementing Kerberos Authentication; Considerations about Kerberos Security; Smart Card Logon; How Smart Cards Work; Prerequisites for Implementing Smart Cards; How to Implement Smart Cards; Considerations about Smart Cards; Remote Access; How Remote Access Works; Remote Access Policies; How to Enable Remote Access; Considerations About Remote Access; Applying Access Control; Access Control Lists; How ACLs Work; Prerequisites for Implementing ACLs; How to Implement ACLs; Security Groups; How Security Groups Work; Security Group Types; Default Permissions of Security Groups; Prerequisites for Implementing Security Groups; Implementing Security Groups; Considerations About Security Groups; Establishing Trust Relationships; Domain Trust; How Trust Relationships Work; Prerequisites for Implementing Trusts; How to Implement Trusts; Considerations About Trusts; Enabling Data Protection; Encrypting File System; How EFS Works; Prerequisites for Implementing EFS; How to Implement EFS; Considerations About EFS; IP Security; How IPSec Works; Prerequisites for Implementing IPSec; How to Implement IPSec; Considerations for IPSec; Setting Uniform Security Policies; Group Policy; How Group Policy Works; Prerequisites for Implementing Group Policy; How to Implement Group Policy; Considerations About Group Policy; Group Policy Security Settings; Account Policies; Local Computer Policies; Event Log Policies; Restricted Groups Policies; Systems Services Policies; Registry Policies; File System Policies; Public Key Policies; IP Security Policies on Active Directory; Security Templates; How Security Templates Work; Prerequisites for Implementing Security Templates; How to Implement Security Templates; Considerations About Security Templates; Deploying Secure Applications; Authenticode and Software Signing; How Authenticode Works; Implementing Authenticode Screening; Considerations for Authenticode and Software Signing; Secure E-mail; How Secure E-mail Works; Considerations for Secure E-mail; Secure Web Sites and Communications; Considerations for Secure Web Sites; Managing Administration; Delegation; Security Groups, Group Policy, and Access Control Lists; Built-in Security Groups; Delegation of Control Wizard; Delegate Administration Wizard; Delegating Control of Group Policy Objects; Auditing; How Auditing Works; Prerequisites for Implementing the Audit Function; How to Implement the Audit Function; Considerations About Auditing; Planning Task List for Distributed Security

Chapter 12 Planning Your Public Key Infrastructure
Overview of Public Key Infrastructure; How PKI Works; Prerequisites for Implementing PKI; How to Implement PKI; Creating a Local Certification Authority; Managing Your Certificates; Using the Certificate Services Web Pages; Setting Public Key Policies in Group Policy Objects; Building Your Public Key Infrastructure; Designing Your Public Key Infrastructure; Identify Your Certificate Requirements; Basic Security Requirements for Certificates; Determining Which Certificate Types to Issue; Define Certificate Policies and Certification Authority Practices; Certificate Policies; Certificate Practices Statements (CPS); Define Certification Authority Trust Strategies; Benefits of Certification Authority Trust Hierarchies; Benefits of Certificate Trust Lists; Additional Considerations for Certification Authority Trust Strategies; Define Security Requirements for Certification Authorities; Define Certificate Life Cycles; Define Certificate Enrollment and Renewal Processes; Define Certificate Revocation Policies; Policies for Revoking Certificates; Policies for Certificate Revocation Lists; Define Maintenance Strategies; Developing Recovery Plans; Failed Certification Authority; Compromised Certification Authority; Developing Optional Custom Applications; Performing Resource Planning; Deploying Your Public Key Infrastructure; Schedule Production Rollout in Stages; Install Certification Authorities; Install and Configure Supporting Systems and Applications; Configure Certificates to Be Issued; Examples of Configurations; Security Access Control Lists for Certificate Templates; Configure Certificate Revocation List Publication; Configure Public Key Group Policy; Configure Certificate Enrollment and Renewal; Start Issuing Certificates; Public Key Infrastructure Planning Task List

Part 4 Windows 2000 Upgrade and Installation

Chapter 13 Automating Server Installation and Upgrade
Determining Whether to Upgrade or Clean Install; Resolving Critical Planning Issues; Choosing Your Installation Method; Preparing for Installation; Creating Distribution Folders; Structuring the Distribution Folder; Installing Mass Storage Devices; Installing Hardware Abstraction Layers; Installing Plug and Play Devices; Converting File Name Size Using $$Rename.txt; Reviewing the Answer File; Creating the Answer File; Using the Answer File to Set Passwords; Extending Hard Disk Partitions; Using the Answer File with the Active Directory Installation Wizard; Reviewing the Windows 2000 Setup Commands; Winnt.exe; Winnt32.exe; Automating the Installation of Server Applications; Using Cmdlines.txt; Using the [GuiRunOnce] Section of the Answer File; Using Application Installation Programs; Using a Batch File to Control How Multiple Applications Are Installed; Automating the Installation of Windows 2000 Server; New Options for Automated Installation; Automated Installation Methods; Using Syspart on Computers with Dissimilar Hardware; Using Sysprep to Duplicate Disks; Overview of the Sysprep Process; Sysprep Files; Running Sysprep Manually; Running Sysprep Automatically After Setup Completes; Using Sysprep to Extend Disk Partitions; Using Systems Management Server; Using a Bootable Compact Disc; Installation Configuration Examples; Existing Servers; Example 1: Windows NT Server with Windows 2000 Compatible Server Applications; Example 2: Computers Running Windows NT Server 3.5 or Earlier, or Servers Running Non-Microsoft Operating Systems; New Servers; Installation Planning Task List

Chapter 14 Using Systems Management Server to Deploy Windows 2000
Using Systems Management Server to Distribute Software; Software Distribution with Systems Management Server 2.0; SMS Packages; Distribution; Advertising; SMS Software Distribution Best Practices; How SMS Can Help with Windows 2000 Deployment; Packaging Windows 2000 for Systems Management Server; Preparing the Windows 2000 Server Upgrade Package; Allowing User Input During the Upgrade; Examining the Windows 2000 Server Package Definition; Preparing the Windows 2000 Professional Upgrade Package; Windows 95 and Windows 98 Upgrades; Windows NT Workstation Upgrade; Distributing the Windows 2000 Packages; Preparing to Distribute the Packages; Check the Status of Site Servers and Distribution Points; Ensure Each Site Has an Adequate Number of Distribution Points; Use Distribution Point Groups; Ensure Sender Controls Are in Place; Ensure Fan-out Distribution Will Work; Select a Test Site; Distributing the Packages to Sites and Distribution Points; Testing the Distribution; Expanding the Distribution; Distributing by Means of the Courier Sender; Monitoring the Distribution; System Status Subsystem; Reporting Package Distribution Status; Troubleshooting the Distributions; Advertising the Windows 2000 Packages; Selecting Computers to Upgrade; Preparing Clients to Receive the Advertisements; Advertising the Packages to Computers; Expanding Security on Distribution Points; Upgrading Computers; Executing the Advertisement at Each Computer; Status of the Upgrade at Each Computer; Monitoring the Advertisements; The System Status Subsystem; Reporting Advertisement Status; Troubleshooting Advertisements; Using Systems Management Server to Ease Domain Consolidation and Migration; Examining Differences Between Systems Management Server 1.2 and Systems Management Server 2.0; Planning Task List for Using Systems Management Server to Deploy Windows 2000; Additional Resources

Chapter 15 Upgrading and Installing Member Servers
Planning for Member Server Upgrade and Installation; Process for Installing or Upgrading to Windows 2000; Creating an Upgrade and Installation Plan; Create a Schedule; Scenario: Minimizing Network Downtime During Server Upgrade; Preparing Member Servers for Upgrade or New Installation; Inventory the Existing Hardware; Determine System Requirements; Determine the Compatibility and Reliability of Existing Software; Determine Third-Party Software Compliance; Perform Pre-installation Tasks; Performing an Upgrade or Installation; Pre-Upgrade Checklist; Upgrading Member Servers; Performing a New Installation; Determining Server Roles for Each Windows 2000 Server; File Servers; Macintosh Volumes; Novell NetWare Volumes; Test File Shares; Print Servers; Print Server Setup; Guidelines for Setting up a Network Printing Environment; Active Directory Integration with Windows 2000 Server Print Services; Testing Printer Shares; Application Servers; Component Services; Terminal Services; Database Server; Web Servers; Proxy Servers; Performing Post-Upgrade and Installation Tasks; Testing Network Connectivity; Tuning Network Servers; Tools for System Administration; Planning Task List for Member Servers

Chapter 16 Deploying Terminal Services
Overview of Terminal Services; Terminal Services Licensing Components; Microsoft Clearinghouse; License Server; Terminal Server; Client Licenses; Required Licenses; Optional Terminal Services Licenses; Third-Party Expansion; Creating Your Terminal Services Deployment Plan; Process for Deploying Terminal Services; Assembling the Terminal Services Team; Identifying Your Terminal Services Requirements; Scenario 1: Terminal Services Remote Administration; Scenario 2: Remote Access; Scenario 3: Line of Business Applications; Scenario 4: Central Desktop Deployment; Deployment Requirements; Preparing Your Computing Environment; Install License Server on Domain Controller; Access Over Wide Area Network; Access to Network Services; Connecting the Terminal Services Client and Server; Assessing the Current Environment; Considerations for Application Deployment; Creating Your Terminal Services Deployment Design; Setting Up a License Server; Enabling a License Server; Activating a License Server; Installing Licenses; Using the Terminal Services Licensing Administrative Tool; Backing Up Your License Server; Designing Your Network for Terminal Server Access; Network Load Balancing and Terminal Services; Designing and Setting Up Your Domain Structure; Using Windows 2000 User Profiles or Roaming User Profiles; Roaming User Profiles; Group Policy; Access to Applications; Using Home Directories; Planning Security; NTFS File System; User Rights; Administrator Rights; Auto-Logon Procedures; Encryption; Additional Security Considerations; Remote Access; Terminal Services Over the Internet; Firewalls; Configuring Servers for Terminal Services Deployment; Preparing for Client Deployment; Deploying to Windows CE Based Terminals; Deploying to Client Computers; Upgrading to Terminal Services; Installing and Configuring Applications; Deploying Applications through Group Policy; Deploying Applications from a Domain Controller; Supporting Multilingual and International Users; Printing from Terminal Services; Printing to Your Local Printer by RDP Protocol; Network Shared Printers; Printing Across a WAN or Dial-up Connection; Best Practices for Client Configuration; Planning for Testing and Piloting; Considerations for the Test Lab; Monitoring Performance; Evaluating CPU Performance; Evaluating Memory Performance; Evaluating Network Performance; Using Help Desk and Administrative Tools; Remote Control; Tools for Administration; Terminal Services Deployment Planning Task List

Part 5 Advanced Management

Chapter 17 Determining Windows 2000 Network Security Strategies
Planning for Network Security; Assessing Network Security Risks; Determining Server Size and Placement; Preparing Your Staff; Developing Security Policies and Procedures; Creating a Plan for Deploying Your Security Technologies; Identifying User Categories and Their Security Needs and Risks; Developing Strategies for Secure Network Connections; Creating Secure Boundaries; Securing Against Everyone; Using Microsoft Proxy Server; Monitoring Your Network Security; Connecting to External Networks; Deploying Network Security Technologies; Preparing for Windows 2000 Network Security Technologies; Routing and Remote Access; Routing and Remote Access Security; Virtual Private Networks; Deploying VPNs; VPN Server Capacity; Internet Authentication Service; Deploying Strategies for Users; Deploying Strategies for Partners; Planning Task List for Determining Network Security Strategies

Chapter 18 Ensuring the Availability of Applications and Services
Making Applications and Services Highly Available; Overview of Windows 2000 Advanced Server; Process for Making Applications and Services Highly Available; Overview of Windows Clustering; Determining Availability Strategies; Assembling the Clustering Planning Team; Identifying High-Availability Needs for Applications and Services; Determining Hardware Compatibility for Advanced Features; Determining Your Clustering Requirements; Planning for Network Load Balancing; Process for Planning Your Network Load Balancing Clusters; Determining Which Applications to Use with Network Load Balancing; Using Network Load Balancing to Deploy Terminal Server Clusters; Configuring Network Load Balancing Clusters for Servers Running IIS/ASP and COM+ Applications; Identifying Network Risks; Planning for Network Load Balancing; Determining Server Capacity Requirements; Optimizing Network Load Balancing Clusters; Requirements for Network Load Balancing; Using a Router; Planning for Cluster Service; Process for Planning Your Server Clusters; Choosing Applications to Run on a Server Cluster; Identifying Network Risks; Determining Failover and Failback Policies for Resource Groups; Choosing a
Server Role 675 Choosing a Server Cluster Model 676 Planning for Cluster Service 684 Tools to Automate the Deployment of Cluster Service 690 Optimizing Your Clusters 691 Planning for Fault-Tolerant Disks 692 Hardware RAID 692 Error Recovery 693 Testing Server Capacity 693 Planning a Cluster Backup and Recovery Strategy 694 Windows 2000 Cluster Planning Task List 695 Additional Resources 696 Chapter 19 Determining Windows 2000 Storage Management Strategies 697 Improving Your Storage Management Functions 699 Creating Your Storage Management Plan 700 Assessing Your Storage Needs 701 Selecting a Data Storage System 702 Managing Disk Resources 704 Disk Management 704 Basic and Dynamic Storage 705 Volume Management 707 Volume Mount Points 707 Disk Defragmentation 708 Considerations for Using Dynamic Storage 708 Removable Storage 709 Remote Storage 710 Relationship of Remote Storage and Removable Storage 711 Considerations for Using Remote Storage 711 Optimizing Data Management 712 Windows Clustering 712 Considerations for Using Clustering in Your Storage Strategy 714 File System Improvements 714 NTFS 714 Quota Management 715 Distributed File System 716 Considerations for Using Dfs in Your Storage Strategy 718 Indexing Service 719 Integration with Windows 2000 Components 720 Considerations for Using Indexing Service in Your Storage Strategy 721 Enhancing Data Protection 722 Fault Tolerance 722 Disk Management 722 Selecting a RAID Strategy 723 Backup 723 A Data Protection Strategy for Enterprise Networks 724 Considerations for Designing a Fault-Tolerant Storage System 724 Improving Your Disaster Recovery Capabilities 724 Creating Backup and Off-Site Storage Policies 725 Backup Policies 725 Considerations for Off-Site Storage 726 Creating a Disaster Recovery Plan 726 Testing System Recovery Strategies 727 Practicing Recovery Procedures 727 Documenting Recovery Procedures 728 Planning Task List for Storage Management 728 Chapter 20 Synchronizing Active Directory with 
Exchange Server Directory Service 729 Overview of Directory Synchronization 731 Process for Synchronizing the Directories 732 Windows 2000 Server Software Components 733 Key Advantages of Using ADC 734 Establishing Relationships Using Connection Agreements 736 Creating the ADC Connection Agreement Plan 737 Forming the Deployment Planning Team 737 Examining Your Domain Structure and Exchange Server Site Topology 738 Preparing Your Network for ADC Deployment 739 Considering Specific Network Requirements 739 Computer Requirements 740 Deployment Recommendations 741 ADC Implementation Strategy 742 ADC Schema and Object Mapping 743 Managing Objects 748 Administering Objects from Active Directory 748 Administering Objects from Exchange Server 5.5 Directory Service 749 Administering Objects from Both Active Directory and Exchange Server 5.5 Directory Service 749 Defining Objects for Directory Synchronization 750 Setting up Connection Agreements 752 Designing Your Connection Agreements 752 Documenting Your ADC Connection Agreement Plan 762 Testing Connection Agreement Configurations 762 Determining a Schedule for Directory Synchronization 763 Protecting Against Accidental Loss of Data 765 Planning Task List for Directory Synchronization 767 Additional Resources 768 Part 6 Windows 2000 Professional/Client Deployment 769 Chapter 21 Testing Applications for Compatibility with Windows 2000 771 Application Testing Overview 773 Business Application Definition 773 Application Testing Process 774 Managing Application Testing 775 Identifying and Prioritizing Business Applications 775 Identifying Your Applications 776 Gathering Application Information 776 Simplifying Your Application Environment 777 Prioritizing Your Applications 778 Preparing an Application Test Plan 779 Establishing Testing Scope 780 Defining the Testing Methodology 780 Case Study 1: Testing Festivals 781 Case Study 2: Preview Program 782 Identifying Resource Requirements 782 Defining Pass-Fail Criteria 783 
Creating a Testing Schedule 783 Testing Applications 784 Developing Testing Strategies 785 Strategies for Commercial Applications 785 Strategies for Custom Applications 786 Testing Tips 786 Common Compatibility Issues 790 Tracking Test Results 791 Choosing a Tracking System 792 Capturing Data 793 Reporting Results 794 Resolving Application Incompatibilities 794 Planning Task List for Application Testing 795 Additional Resources 796 Chapter 22 Defining a Client Connectivity Strategy 797 Client Connectivity Overview 799 Basic Client Connectivity 800 Windows 2000 Services and Protocols 802 TCP/IP Network Clients 802 Active Directory 804 IPX Network Clients 804 Windows Client to Novell Server 806 Windows Client to Mixed Novell NetWare and Windows 2000 Server Environment 806 Printing to NetWare Printers 807 UNIX Network Clients 808 AppleTalk Network Clients 809 Advanced Client Connectivity 809 Asynchronous Transfer Mode 809 Directly Connected ATM 809 IP/ATM 810 Infrared Data Association Protocol Suite 810 Remote Access Client 810 Dial-up to Private Network 811 Virtual Private Networks 811 Remote Network Connection Methods 812 Small Office Networks 812 Small Office/Home Office Connectivity 813 SOHO Examples 815 Medium to Large Networks 817 Routing and Remote Access 817 Dial-up to Private Network 818 Medium to Large Network Example 819 Planning Task List for Client Connectivity 821 Chapter 23 Defining Client Administration and Configuration Standards 823 Making Client Systems Manageable 825 Defining User Types 827 Assessing Requirements for User Types 829 Defining Software Standards 829 Defining Hardware Standards 830 Defining Significant Support Issues 832 Defining an Administration Model and Standards 833 Summarizing Your Administrative and Configuration Goals 835 Using Group Policy to Administer Clients 835 Comparing Windows NT 4.0 System Policy and Windows 2000 Group Policy 835 Applying Windows NT 4.0 Policies to Windows 2000 837 Using Active Directory to Delegate 
Client Management 839 Delegating Administration of Group Policy 840 Special Group Policy Implementation Options 842 Comparing Stand-Alone and Active Directory-Based Management Features 848 Using Group Policy on Stand-alone Computers 850 Configuring Hardware 851 File System Support 852 Hardware Profiles 852 Defining User Interface Standards 853 Using Group Policy for Configuration Control 855 Customizing the Logon and Logoff Processes 855 Restricting Changes to the Desktop 856 Restricting Changes to the Start Menu 857 Configuring Options for Remote Users 858 Adding Multilingual Options 859 Considerations for Choosing the MultiLanguage Version 860 Upgrading to the Windows 2000 MultiLanguage Version 861 Planning a Windows 2000 MultiLanguage Version Installation 862 Making Systems More Accessible 865 Configuring Windows 2000 Features for Accessibility 865 Enabling Third-Party Devices 866 Using Group Policy to Fine-tune Configurations for Accessibility 867 Client Standards Planning Task List 868 Chapter 24 Applying Change and Configuration Management 869 Evaluating Change and Configuration Management 871 Technologies Used to Enable Change and Configuration Management 873 Identifying Change and Configuration Management Needs and Opportunities 874 Key Background Information 874 Using Systems Management Server to Supplement IntelliMirror 876 Planning for Enhanced Client Support with IntelliMirror 878 Enabling Remote OS Installation 879 Defining User Requirements 880 Using Remote OS Installation 881 Configuring the Remote Installation Service 883 Preparing Client Operating System Images 885 Using Group Policy to Improve Software Management 887 Preparing Software for Distribution 889 When Native Authoring Is Not Possible 890 Using Transforms 891 Distributing Software 892 Targeting Software 893 Software Management Options 893 Supporting Roaming Users 895 Supporting Shared Computers 896 Supporting Mobile Workers 896 Maintaining Software Using IntelliMirror 897 Patching 
Existing Software 899 Upgrading Existing Software 899 Software Removal 900 Maintaining User Data and Settings on a Network 901 Enabling Roaming User Profiles 903 Guidelines for Setting Up Roaming User Profiles 903 Redirecting Folders 904 Guidelines for Configuring Folder Redirection 905 Configuring the Synchronization of Offline Files 905 Guidelines for Configuring Offline Files 906 Setting Disk Quotas 907 Guidelines for Setting Disk Quotas 907 Selecting Change and Configuration Management Options for Your Organization 908 An Overview of Basic and Advanced Options 908 Meeting the Needs of Technical Users 910 Meeting the Needs of Stationary Professional Users 911 Meeting the Needs of Roaming Professional Users 911 Meeting the Needs of Mobile Professional Users 912 Meeting the Needs of Task-Based Users 913 Summary 914 Change and Configuration Management Planning Task List 916 Chapter 25 Automating Client Installation and Upgrade 917 Determining Whether to Upgrade or Clean Install 919 Resolving Critical Planning Issues 919 Choosing Your Installation Method 921 Preparing for Installation 921 Creating the Distribution Folders 923 Structuring the Distribution Folder 924 Installing Mass Storage Devices 928 Installing Hardware Abstraction Layers 929 Installing Plug and Play Devices 930 Converting File Name Size Using $$Rename.txt 931 Reviewing the Answer File 932 Creating the Answer File 933 Using the Answer File to Set Passwords 935 Extending Hard Disk Partitions 936 Reviewing the Windows 2000 Setup Commands 937 Winnt.exe 937 Winnt32.exe 938 Automating the Installation of Client Applications 939 Using Cmdlines.txt 939 Using the [GuiRunOnce] Section of the Answer File 940 Using Application Installation Programs 941 Using a Batch File to Control How Multiple Applications Are Installed 942 Using Windows Installer Service 943 Windows Installer Terminology 943 Windows Installer Package File 944 Automating the Installation of Windows 2000 Professional 944 New Options for 
Automated Installation 945 Automated Installation Methods 946 Using Syspart for Computers with Dissimilar Hardware 947 Using Sysprep to Duplicate Disks 949 Overview of the Sysprep Process 950 Sysprep Files 950 Running Sysprep Manually 955 Running Sysprep Automatically After Setup Completes 956 Using Sysprep to Extend Disk Partitions 956 Using Systems Management Server 959 Using a Bootable Compact Disk 959 Using Remote Operating System Installation 960 RIS Server Network Load Implications 961 Optimizing Performance 961 DHCP and DHCP Servers 962 Controlling RIS Server Selection and Balancing Load 963 Working with Routers 966 Installation Configuration Examples 966 Existing Client Computers 966 Example 1: Windows NT Workstation 4.0 with Windows 2000 Compatible Client Applications 967 Example 2: Windows NT Workstation 3.5 or Earlier, and Non-Microsoft Client Computers 969 New Client Computers 970 Installation Task List 971 Part 7 Appendixes 973 Appendix A Sample Planning Worksheets 975 Using This Appendix 976 Introducing Windows 2000 Deployment Planning 978 Management Infrastructure Services 978 Desktop Management Solutions 980 Security Features 982 Information Publishing and Sharing 984 Component Application Services 985 Scalability and Availability 986 Networking and Communications 988 Storage Management 990 Building a Windows 2000 Test Lab 992 Preparing Your Network Infrastructure for Windows 2000 995 Determining Domain Migration Strategies 996 Planning Distributed Security 998 Automating Server Installation and Upgrade 999 Upgrading and Installing Member Servers 1001 Member Server Planning Worksheet 1002 Server Data Backup and Disaster Recovery Plan 1004 Decide New Hardware Requirements 1004 Record Server Specifications 1005 Print Servers 1005 File Servers 1006 Application Servers 1006 Web Servers 1006 Schedule Your Upgrade or Clean Installation 1007 Prioritize Each Member Server for Deployment 1007 Ensuring the Availability of Applications and Services 1007 
Identify Your High-Availability Needs 1008 Application and Service Specifications 1008 Plan Your Network Load Balancing 1012 Making Specific Choices for Network Load Balancing 1012 Synchronizing Active Directory with Exchange Server Directory Service 1014 Create Your Connection Agreements 1014 Identify the Connection Agreement Source and Target Servers 1015 Create Your Directory Synchronization Schedule 1017 Record Your Contacts for Directory Synchronization 1018 Schema Administrators Group 1018 Windows 2000 Domain Administration 1018 Exchange Server 5.5 Site Administration 1018 Testing Applications for Compatibility with Windows 2000 1019 Defining Client Administration and Configuration Standards 1021 Define Your Group Policy Requirements 1023 Applying Change and Configuration Management 1025 Automating Client Installation and Upgrade 1027 Appendix B Setup Commands 1029 Using Setup Commands to Install Windows 2000 1031 Winnt32.exe Command Syntax 1031 Winnt.exe Command Syntax 1035 Appendix C Sample Answer Files for Unattended Setup 1037 Answer File Format 1039 Answer File Keys and Values 1039 Sample Answer Files 1040 Sample 1 Default Unattend.txt. 
1040 Sample 2 Unattended Installation of Windows 2000 Professional from CD-ROM 1042 Sample 3 Install and Configure Windows 2000 and Configure Microsoft Internet Explorer with Proxy Settings 1044 Sample 4 Install and Configure Windows 2000 Server with Two Network Adapters 1048 Sample 5 Install Windows 2000 Advanced Server with Network Load Balancing 1050 Sample 6 Install Windows 2000 Advanced Server with Windows Clustering 1054 Appendix D Deployment Tools 1059 Additional Resources 1069 Appendix E Accessibility for People with Disabilities 1071 Overview of Accessibility in Windows 2000 1073 Accessibility Benefits with Windows 2000 1073 Considerations Before Upgrading to Windows 2000 1075 Deploying Windows 2000 for Accessibility 1076 Microsoft Active Accessibility 1076 Third-Party Products and Services 1076 "Certified for Windows" Logo 1077 Using SerialKeys for Add-on Hardware and Software 1078 Customizing the Computer for Accessibility Options 1078 Remote Installation and Unattended Setup from a CD 1078 Windows Installer 1079 Group Policy 1079 Setting Multiple User Profiles 1079 Administrative Options 1080 Accessibility Reset (Time-out) 1080 Active Desktop 1080 Utility Manager 1081 Configuring Accessibility Features in Windows 2000 1081 Configuring Accessibility Options by Using the Accessibility Wizard 1083 Configuring Accessibility Options by Using Control Panel 1084 Setting Options by Type of Disability 1084 Options for Users with Cognitive Disabilities 1084 Synchronized Accessible Media Interchange 1085 Options for Users with Hearing Impairments 1085 Customizable Sound Schemes 1085 Adjusting the Volume 1086 ShowSounds 1086 SoundSentry 1086 Synchronized Accessible Media Interchange 1086 Options for Users with Physical Disabilities 1087 Keyboard Options 1087 Mouse Options 1090 Options for Users with Seizure Sensitivity 1090 Timing Patterns 1091 Sound Schemes 1091 Color and Contrast Settings 1091 Options for Users with Visual Impairments 1091 Microsoft Narrator 1092 
Keyboard Audio Cues 1092 Microsoft Magnifier 1092 Fonts 1093 Size and Color Schemes 1093 High-Contrast Color Schemes 1094 New Mouse Pointers 1094 Additional Resources 1094 Glossary 1095 Index 1157 Contents Introduction 1 Document Conventions 2 Resource Kit Compact Disc 2 Resource Kit Support Policy 3 Part 1 Routing Chapter 1 Unicast Routing Overview 7 Internetwork Routing 9 Addressing in an Internetwork 10 Routing Concepts 10 Host Routing 11 Host Determination of the First Hop 12 Host Determination of the Entire Path 13 Router Routing 14 Routing Tables 15 Routing Table Structure 16 Locality of the Routing Table 17 Static and Dynamic Routers 18 Routing Problems 19 Routing Loops 19 Black Holes 20 Routers and Broadcast Traffic 21 Tunneling 22 Foundations of Routing Protocols 24 Distance Vector 24 Link State 26 Routing Infrastructure 27 Single Path vs. Multipath 27 Flat vs. Hierarchical 27 Autonomous Systems 28 Interior Gateway Protocols 29 Exterior Gateway Protocols 29 Additional Resources 29 Chapter 2 Routing and Remote Access Service 31 Introduction to the Routing and Remote Access Service 33 Windows 2000 Routing and Remote Access Service 33 Combining Routing and Remote Access 35 Authentication and Authorization 36 Accounting 37 Installation and Configuration 37 Refreshing the Configuration 38 Features of the Routing and Remote Access Service 38 Unicast IP Support 38 IP Multicast Support 39 IPX Support 40 AppleTalk 40 Demand-Dial Routing 40 Remote Access 41 VPN Server 41 RADIUS Client 41 SNMP MIB Support 41 Extensive LAN and WAN Support 42 Graphical and Command-Line Management Utilities 42 API Support for Third-Party Components 42 Architecture of the Routing and Remote Access Service 43 SNMP Agent 43 Management Applications 44 AAAA 44 DIM (Mprdim.dll) 44 Connection Manager 44 TAPI 45 IP Router Manager (Iprtmgr.dll) 45 IPX Router Manager (Ipxrtmgr.dll) 45 Unicast Routing Protocols 46 IP Multicast Protocols 47 Route Table Manager (Rtm.dll) 47 Multicast Group Manager 
47 IP Filtering Driver (Ipfltdrv.sys) 47 IP Unicast Forwarder 48 IP Multicast Forwarder 48 IPX Filtering Driver (Nwlnkflt.sys) 48 IPX Forwarder Driver (Nwlnkfwd.sys) 48 Unicast IP Components and Processes 49 IP Multicast Components and Processes 51 IPX Components and Processes 52 Registry Settings 53 Routing and Remote Access Service Tools and Facilities 54 Routing and Remote Access Snap-In 54 Routing and Remote Access Floating Windows 54 Netsh Command-Line Tool 56 Authentication and Accounting Logging 59 Event Logging 59 Tracing 61 File Tracing 61 Chapter 3 Unicast IP Routing 63 Windows 2000 and IP Routing 65 Windows 2000 Router Features for IP Routing 65 Preference Levels 66 RIP for IP 67 RIP and Large Internetworks 67 Convergence in RIP Internetworks 68 Count-to-Infinity Problem 68 Reducing Convergence Time 71 RIP for IP Operation 74 RIP for IP Version 1 75 RIP v1 Message Format 75 Problems with RIP v1 76 RIP for IP Version 2 78 Features of RIP v2 78 RIP v2 Message Format 79 Authentication in RIP v2 80 Mixed RIP v1 and RIP v2 Environments 81 Windows 2000 as a RIP for IP Router 82 Troubleshooting RIP for IP 82 OSPF 84 OSPF Operation 85 Formation of the LSDB Using Link State Advertisements 85 Calculating the SPF Tree Using Dijkstra's Algorithm 86 Calculating the Routing Table Entries from the SPF Tree 87 Example of OSPF Operation 88 OSPF Network Types 90 Synchronizing the LSDB Through Adjacencies 91 Forming an Adjacency 91 Adjacency Configuration Parameters 93 Adding a Router to a Converged OSPF Internetwork 94 Designated Routers 95 DRs on Broadcast Networks 97 DRs on NBMA Nets 98 Backup Designated Router 98 Interface States 99 OSPF Communication on OSPF Networks 100 OSPF Areas 100 Reducing the Size of the LSDB 101 Reducing the Size of the Routing Table 101 Backbone Area 102 OSPF Router Types 103 Inter-Area Routing 103 Virtual Links 104 Configuring Virtual Links 105 External Routes 106 External Route Filters 107 ASBRs and Default Routes 107 Stub Areas 108 
Troubleshooting OSPF 109 DHCP Relay Agent 112 DHCP Across IP Routers 112 Initial DHCP Configuration 112 Rebooted Renewal 114 Troubleshooting the DHCP Relay Agent 115 Network Address Translator 116 Static and Dynamic Address Mapping 118 Proper Translation of Header Fields 118 NAT Editors 119 NAT Processes in the Windows 2000 Router 119 Outbound Internet Traffic 120 Inbound Internet Traffic 122 Additional NAT Routing Protocol Components 124 DHCP Allocator 124 DNS Proxy 125 Troubleshooting NAT 125 IP Packet Filtering 127 Windows 2000 IP Packet Filtering 128 IP Header 128 TCP Header 129 UDP Header 129 ICMP Header 129 Input Filters 130 Output Filters 131 Configuring a Filter 131 Filtering Scenarios 132 Local Host Filtering 132 Web Traffic Filtering 134 FTP Traffic Filtering 134 PPTP Traffic Filtering 135 L2TP Server Filtering 136 Denying Spoofed Packets from Private IP Addresses 137 Fragmentation Filtering 137 ICMP Router Discovery 138 Router Advertisements 138 Router Solicitations 138 Additional Resources 139 Chapter 4 IP Multicast Support 141 IP Multicasting Overview 143 Mapping IP Multicast to MAC-Layer Multicast 144 IP Multicast Enabled Intranet 146 Hosts 146 Routers 148 Receive All IP Multicast Traffic 148 Forward IP Multicast Traffic 149 Receive and Process IGMP Host Membership Report Messages 150 Query Attached Subnets for Host Membership Status 150 Communicate Group Membership to Other IP Multicast Routers 151 MBone 152 IGMP 153 IGMP v1 153 Host Membership Report 154 Host Membership Query 154 IGMP v2 155 IGMP v2 Host Membership Report 156 Leave Group Message 157 IGMP Group-Specific Query 157 Routing and Remote Access Service IP Multicast Support 158 IGMP Protocol 158 IGMP Router Mode 159 IGMP Router Mode Settings 160 IGMP Proxy Mode 162 Router Mode vs. 
Proxy Mode 164 Multicast Boundaries 164 Scope-Based Boundaries 165 TTL-Based Boundaries 165 Multicast Rate Limiting 166 Multicast Heartbeat 166 IP-in-IP Tunnels 167 IP-in-IP Interfaces 167 Multicast Static Routes 168 Supported Multicast Configurations 169 Single Router Intranet 169 Single Router Intranet Connected to the MBone 170 Peripheral Router in a Multicast-Enabled Intranet 171 Multicast Support for Remote Access Clients 172 MBone Access for ISP Dial-Up Clients 172 Private Intranet Access for Dial-Up or VPN Clients 173 Multicast Support for Office Networks 174 IP Multicast Troubleshooting Tools 176 Routing and Remote Access Snap-In Tables 176 Multicast Forwarding Table 176 Multicast Statistics 177 IGMP Group Table 177 IGMP Interface Group Table 177 Mrinfo Command 178 Mtrace Support 179 Netsh Commands 179 IGMP Event Logging 180 Tracing 180 Additional Resources 180 Chapter 5 IPX Routing 181 Windows 2000 and IPX Routing 183 Windows 2000 Router Features for the IPX Protocol Suite 183 IPX Packet Filtering 184 IPX Header Structure 185 Demultiplexing an IPX Packet 188 The Windows 2000 Router IPX Packet Filtering 189 Configuring an IPX Filter 190 RIP for IPX 192 IPX Routing Tables 193 RIP for IPX Operation 194 RIP for IPX Packet Structure 195 RIP for IPX Route Filters 196 Static IPX Routes 199 SAP for IPX 200 IPX Routers and the Internal Network Number 200 IPX Traffic Before the IPX Internal Network 201 IPX Traffic After the IPX Internal Network 202 Windows 2000 Router and the IPX Internal Network and Internal Adapter 203 SAP Tables 204 SAP Operation for an IPX Router 205 SAP Packet Structure 206 SAP Filters 208 Static Services 209 NetBIOS Broadcasts 210 IPX WAN Broadcast 210 IPX WAN Broadcasts and Microsoft Networking 211 NetBIOS Over IPX Broadcast Packet Structure 212 Static NetBIOS Names 214 Additional Resources 214 Chapter 6 Demand-Dial Routing 215 Introduction to Demand-Dial Routing 217 Demand-Dial Routing and Remote Access 218 Types of Demand-Dial Connections 
218 On-Demand and Persistent Connections 219 Two-Way and One-Way Initiated Connections 220 Components of Demand-Dial Routing 221 Calling Router 222 Answering Router 222 Connection Medium 223 Demand-Dial Routing Process 224 On-Demand Router-to-Router VPN 226 Testing Demand-Dial Connections 229 Manual Test 229 Automatic 229 Monitoring Initiated Demand-Dial Connections with Rasmon 230 Demand-Dial Routing Security 230 Remote Access Permission 231 Authentication 231 One-Way and Mutual Authentication 232 Encryption 233 Demand-Dial Interface Packet Filtering 234 Remote Access Policy Profile Packet Filtering 234 Creating User Accounts with the Demand-Dial Wizard 234 Preventing Demand-Dial Connections 236 Demand-Dial Filters 236 Dial-Out Hours 237 Demand-Dial Routing and Routing Protocols 237 On-Demand Connections 237 Manual Configuration of Static Routes 238 Autostatic Updates 239 Persistent Connections 242 Using Multilink and BAP 243 IPX Demand-Dial Connections 245 Troubleshooting Demand-Dial Routing 246 Troubleshooting Tools 252 Part 2 Remote Access Chapter 7 Remote Access Server 257 Remote Access Overview 259 Remote Access Versus Remote Control 259 Elements of a Dial-Up Remote Access Connection 260 Remote Access Client 260 Remote Access Server 260 Dial-Up Equipment and WAN Infrastructure 260 Remote Access Protocols 265 LAN Protocols 266 Elements of Secure Remote Access 266 Secure User Authentication 266 Mutual Authentication 266 Data Encryption 267 Callback 267 Caller-ID 268 Remote Access Account Lockout 268 Managing Remote Access 270 Managing Users 270 Managing Addresses 270 Managing Access 270 Managing Authentication 273 Managing Accounting 274 Network Management 274 Remote Access Server Architecture 274 IP, IPX, and AppleTalk Router 276 Packets from Remote Access Clients 277 Packets to Remote Access Clients 278 TCP/IP On-Subnet and Off-Subnet Addressing 278 On-Subnet Addressing and Proxy ARP 279 Off-Subnet Addressing and IP Routing 279 NetBIOS Gateway 280 
Point-to-Point Protocol 281 PPP Encapsulation 282 Preventing the Occurrence of the Flag Character 284 PPP Link Negotiation with LCP 285 LCP Packet Structure 285 LCP Options 287 LCP Negotiation Process 289 Callback Negotiation with the Callback Control Protocol 291 Packet Structure 291 Negotiated Options 291 PPP Network Layer Negotiation with NCP 292 IPCP 292 IPXCP 294 ATCP 295 NBFCP 295 Compression Control Protocol 296 ECP 297 PPP Connection Process 298 Phase 1: PPP Configuration 298 Phase 2: Authentication 298 Phase 3: Callback 298 Phase 4: Protocol Configuration 299 A Sample PPP Connection 299 Network Monitor 299 PPP Tracing 304 PPP Connection Termination 306 PPP Authentication Protocols 306 PAP 307 SPAP 308 CHAP 308 MS-CHAP v1 309 MS-CHAP v2 310 EAP 312 EAP-MD5 312 EAP-TLS 313 EAP-RADIUS 314 Unauthenticated Connections 314 Remote Access and TCP/IP and IPX 315 TCP/IP 315 IP Address Allocation 315 DNS and WINS Address Assignment 317 Overriding IPCP-Allocated DNS and WINS Server IP Addresses with DHCPInform 319 Remote Access Server and the DHCP Relay Agent 320 IPX 321 Remote Access Policies 322 Connection Attempt Processing 323 Troubleshooting Remote Access Policies 325 Multilink and Bandwidth Allocation Protocol 325 PPP Multilink Protocol 325 Bandwidth Allocation Protocol (BAP) 327 Bandwidth Allocation Control Protocol (BACP) 329 Remote Access Server and IP Multicast Support 330 Multicast Traffic to Remote Access Clients 331 Multicast Traffic from Remote Access Clients 332 Internet-Based IP Multicast Traffic 332 Organization-Based IP Multicast Traffic 333 Troubleshooting the Remote Access Server 333 Common Remote Access Problems 333 Troubleshooting Tools 338 Chapter 8 Internet Authentication Service 341 IAS Overview 343 IAS Features 344 RADIUS Protocol 348 RADIUS Authentication Operation 348 RADIUS Packet Format 349 General Packet Structure 350 RADIUS Attributes 351 Vendor-Specific Attributes 353 RADIUS Packet Example 355 IAS Authentication 358 IAS Step-by-Step 
Authentication and Authorization 360 Compulsory Tunneling with IAS 367 Voluntary Tunneling 367 Compulsory Tunneling 369 Authentication Methods 371 Password Authentication Protocol 372 Challenge Handshake Authentication Protocol 372 Microsoft Challenge Handshake Authentication Protocol 374 Extensible Authentication Protocol 376 Unauthenticated Access 377 IAS Authorization 381 Remote Access Policies 381 Local vs. Centralized Policy Management 382 Dial-in Properties of a User Object 383 Elements of a Remote Access Policy 385 Vendor Profiles 391 Accepting a Connection Attempt 393 Remote Access Policy Administrative Models 394 IAS Accounting 398 RADIUS Accounting 398 IAS Log File 398 IAS Authentication and Windows Domain Modes 399 Windows 2000 Native-Mode Domains 399 Windows 2000 Mixed-Mode Domains or Windows NT 4.0 Domains 400 Windows 2000 Stand-Alone Servers 401 Behavior Differences Between Windows 2000 and Windows NT 4.0 IAS 402 Windows NT 4.0 IAS Behavior 402 Windows 2000 IAS Behavior 402 Security Considerations 402 RADIUS Proxy Security Issues 402 Firewall Protection 403 Remote Access Account Lockout 403 Performance Tuning and Optimization 403 Monitoring Performance and Health of the IAS Server 404 Troubleshooting 405 Troubleshooting IAS Inst

Publication date (per publisher) 1.1.2000
Place of publication Redmond
Language English
Subject area Computer Science Operating Systems / Servers Windows
Computer Science Operating Systems / Servers Windows Server
ISBN-10 1-57231-805-8 / 1572318058
ISBN-13 978-1-57231-805-2 / 9781572318052
Condition New