Building a Cisco Network for Windows 2000, part 2 (pot)

Chapter 1 • Developing a Windows 2000 and Cisco Internetwork

NOTE

To connect to the Internet, you need a registered (globally routable) IP address for your network. Some organizations, however, require far more addresses than their registered allocation provides. To get around this, Request for Comments (RFC) 1918 sets aside private address ranges that are never routed on the public Internet. To use them and still connect to the Internet, the organization must translate between a registered IP address applied to an interface connected to the Internet and the private IP addresses applied to the hosts on the internal network. This process is called network address translation (NAT). RFC 1918 reserves the following addresses:

Class A: 10.0.0.0 through 10.255.255.255 (10.x.x.x)
Class B: 172.16.0.0 through 172.31.255.255 (172.16.x.x through 172.31.x.x)
Class C: 192.168.0.0 through 192.168.255.255 (the whole 192.168.x.x block, including 192.168.0.x and 192.168.255.x)

RFC 1918 is available at ftp://www.arin.net/rfc/rfc1918.txt.

The remaining first-octet values from 224 through 239 are reserved for class D, or multicasting. From 240 through 255, the addresses are considered class E, or experimental. No matter what address a host is assigned, it must be unique on the internetwork.

IP addressing and routing can also be performed without reference to classes. This is called Classless InterDomain Routing (CIDR). Instead of advertising each distinct route separately, a router advertises a single prefix that aggregates multiple destinations. One benefit of CIDR is a reduction in the size of routing tables.

Each address must carry a way of separating the network portion from the host portion. This is achieved with a mask. The mask is combined with the address by a bitwise AND (the book describes this as "subtracting" the mask): the bits covered by the 1s of the mask are the network portion, and the remaining bits are the host portion. Each class of addresses has its own default mask. A class A address has the default mask 255.0.0.0: the first octet is covered by the mask and identifies the network, and the remaining three octets identify the host. The default mask for class B is 255.255.0.0, and the default mask for class C is 255.255.255.0.

When a network administrator wants to apply one network address to two different network segments, the address must be subnetted. Subnetting is the process of shifting the boundary between the network portion and the host portion further into the host portion. This creates multiple subnets that can be applied to physically distinct network segments.

Subnets are created by adding more 1 bits to the default mask. For instance, a subnet mask for a class A address could be 255.192.0.0 instead of 255.0.0.0; the addition of two 1 bits changed the mask. If you add two 1 bits to a class C mask (255.255.255.192), you create four subnets, each with 62 usable host addresses; if you add three 1 bits (255.255.255.224), you create eight subnets, each with 30 usable hosts. Under the older RFC 950 convention of not using the all-zeros and all-ones subnets, that is two and six usable subnets respectively, which is the count many texts of this era give; Windows 2000 and Cisco IOS with ip subnet-zero configured can use all of them. The two addresses missing from each host count are the subnet's all-zeros network address and all-ones broadcast address, which are never assigned to a host.

For Managers: Dynamic Host Configuration Protocol for IP Address Management

Until Dynamic Host Configuration Protocol (DHCP) arrived, IP address management was the bane of many a network administrator's existence. Each host had to be matched with an IP address that was unique from all other IP addresses. In addition, the IP address is combined with a mask to determine on which network segment the host is located, so all hosts on the same segment had to have the same mask. Errors in IP addressing, such as duplicate IP addresses and wrong subnet masks, were common. Address assignment also tended to be inefficient: if a user went on vacation, his or her workstation's IP address went unused during that time, and if a workstation was replaced, it might be assigned a new IP address while the old one remained assigned to a computer that was no more than a ghost on the network. With a dearth of IP addresses available, network administrators needed to reclaim any unused IP addresses they could.
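The mask arithmetic and subnet counts described above, worked through in code. This is an added example, not code from the book or from Cisco or Microsoft; every address and network it is fed is constructed for illustration. It derives the network and host portions with a bitwise AND (what the text calls "subtracting" the mask), enumerates the subnets created by borrowing host bits and counts their usable hosts both with and without the RFC 950 rule that drops the all-zeros and all-ones subnets, checks an address against the three RFC 1918 blocks, and aggregates contiguous networks into one CIDR prefix, reporting whether the aggregate advertises any address space beyond the networks it was built from. It generalizes the class C case in the text to any classful network.

```python
# Added example (not from the book): classful masks, subnetting, RFC 1918
# membership and CIDR aggregation as 32-bit integer arithmetic. Every address
# and network passed in below is constructed for illustration.

ALL_ONES = 0xFFFFFFFF
RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def to_int(dotted):
    """'103.240.171.19' -> 32-bit integer; rejects malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("not dotted decimal: %r" % dotted)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | n
    return value

def to_dotted(value):
    """32-bit integer -> dotted decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """Prefix length -> mask, e.g. 26 -> 0xFFFFFFC0 (255.255.255.192)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def default_prefix(dotted):
    """Classful default mask length from the first octet (A=8, B=16, C=24)."""
    first = to_int(dotted) >> 24
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError("%s is not a class A, B or C address" % dotted)

def split(dotted, prefix):
    """(network part, host part): AND with the mask, AND with the inverted mask."""
    addr, mask = to_int(dotted), prefix_to_mask(prefix)
    return to_dotted(addr & mask), to_dotted(addr & (~mask & ALL_ONES))

def subnets(network, borrowed, subnet_zero=True):
    """[(subnet/prefix, usable_hosts), ...] after borrowing host bits.
    subnet_zero=False drops the all-zeros and all-ones subnets as RFC 950
    practice did; Windows 2000 and IOS with 'ip subnet-zero' use all of them."""
    base_prefix = default_prefix(network)
    new_prefix = base_prefix + borrowed
    if borrowed < 1 or new_prefix > 30:
        raise ValueError("borrowed bits must be 1..%d" % (30 - base_prefix))
    base = to_int(network) & prefix_to_mask(base_prefix)
    size = 1 << (32 - new_prefix)
    count = 1 << borrowed
    usable = size - 2  # network and broadcast addresses are never assigned
    result = []
    for i in range(count):
        if not subnet_zero and i in (0, count - 1):
            continue
        result.append(("%s/%d" % (to_dotted(base + i * size), new_prefix), usable))
    return result

def is_rfc1918(dotted):
    """True if the address lies in one of the RFC 1918 private blocks."""
    addr = to_int(dotted)
    for block in RFC1918_BLOCKS:
        net, prefix = block.split("/")
        if (addr & prefix_to_mask(int(prefix))) == to_int(net):
            return True
    return False

def aggregate(networks):
    """(supernet, exact): smallest CIDR prefix covering the 'net/prefix' list.
    exact is True only if the networks tile the supernet with no gaps, i.e. the
    single aggregated route advertises no address space beyond them."""
    ranges = []
    for item in networks:
        net, prefix = item.split("/")
        mask = prefix_to_mask(int(prefix))
        start = to_int(net) & mask
        ranges.append((start, start | (~mask & ALL_ONES)))
    ranges.sort()
    lo, hi = ranges[0][0], max(end for _, end in ranges)
    prefix = 32  # shorten the prefix until lo and hi share the same network bits
    while prefix > 0 and (lo & prefix_to_mask(prefix)) != (hi & prefix_to_mask(prefix)):
        prefix -= 1
    mask = prefix_to_mask(prefix)
    sup_lo = lo & mask
    sup_hi = sup_lo | (~mask & ALL_ONES)
    exact = ranges[0][0] == sup_lo and ranges[-1][1] == sup_hi
    for (_, prev_end), (next_start, _) in zip(ranges, ranges[1:]):
        exact = exact and next_start == prev_end + 1
    return "%s/%d" % (to_dotted(sup_lo), prefix), exact

if __name__ == "__main__":
    print(split("172.20.5.9", 16))
    print(subnets("192.168.1.0", 2, subnet_zero=False))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24"]))
```

The exact flag from aggregate is the check worth keeping: a summary route that covers more than the networks behind it attracts traffic for addresses nobody owns, which is a routing black hole at best and a way to draw traffic at worst.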
DHCP was helpful because it allocates an IP address automatically, as it is needed, and the mask is configured once for a whole group of IP addresses. Above all, DHCP assigns IP addresses through a leasing system that reclaims an address after its lease expires.

Case Studies

Throughout this book, various chapters include discussions about implementing the technology for two fictional companies.

ABC Chemical Company

The ABC Chemical Company has the following characteristics. It is a large industrial chemical company involved in the manufacturing of pharmaceuticals, household products, and raw chemical supplies for its clientele. The company is housed in one large area, a campus environment, with the exception of two distribution warehouses: one on the east coast, one on the west coast. The main campus consists of three large complex buildings that house the company's five main departments: Research and Development, Executive Management, Sales and Marketing, Distribution, and IT/e-commerce. There are 1100 employees; the breakdown per department is as follows:

Research and Development: 500
Sales and Marketing: 250
Distribution: 150
Executive Management: 25
IT/e-commerce: 75
Warehouse East: 50
Warehouse West: 50

The ABC Chemical Company currently runs a Windows NT network on the main campus, with each of the warehouses dialing in to report to executive management. The network was originally designated for the Management and Sales divisions only, but over the years it has evolved into a mainstay tool of the company. An immediate upgrade to Windows 2000 and Active Directory is being considered in order to stay within FDA and government requirements for Internet and company security. Secondary objectives are to increase productivity and collaboration between the departments. There is also a desire to gain a strategic advantage over the competition by using video and audio conferencing over the Internet for sales and communication with clients. Finally, the IT department intends to cut the cost of administering the internetwork.

To accommodate the networking needs of the LAN environment on a campus backbone design, the company is investigating whether to deploy a "hub and spoke" switch-intensive design. The three main buildings at the main campus would be linked in a triangular fiber gigabit configuration to allow for redundant backbone functionality while providing the best possible speed between the campus buildings. The switched network is proposed to be configured with two gigabit switches at the core, equipped with dual Route Switch Modules (RSMs) and Supervisor cards. One of the gigabit switches may be configured as an online backup to the other using the Hot Standby Router Protocol (HSRP) to allow for a completely redundant network core. The RSMs will be programmed to route between the department virtual local area networks (VLANs, see later) and outlying company resources. Department switches are proposed to run into the core switches via fiber gigabit links to provide connectivity to the user community. Each set of department switches will be configured with its own VLAN, allowing for better network performance within the departments and for tighter network segmentation of data-sensitive areas such as Human Resources (a subsection of the Executive Management department) and Research and Development. Note that a VLAN separates broadcast domains, not hosts: because the RSMs route between the VLANs, the segmentation restricts access to the sensitive departments only if that inter-VLAN routing is filtered with access lists. The IT department is considering setting up its own VLANs, to be used exclusively for the corporate server farm and server backup systems. The IT department also houses two routers that it intends to keep: one for the Internet and voice communications systems and another for frame relay access to the warehouse facilities.

West Coast Accounting, L.L.C.

West Coast Accounting, Limited Liability Corporation, is a medium-sized accounting firm with offices in key cities up and down the west coast. There are offices in Seattle, Los Angeles, Portland, and Phoenix, with the main headquarters in San Francisco. The San Francisco office has 100 employees, including the Executive Management, Human Resources, Accounting, and IT departments. The IT department handles all connectivity to the Internet, e-commerce, and Web-hosting tasks, as well as thin-client server management and remote dial-in systems. Each of the branch offices houses 50 employees, including accountants and support staff. There are a total of 300 employees.

The company has grown over time through acquisition of smaller companies. As each acquisition was incorporated into the network, IT has had to support multiple network operating systems and configurations, including peer-to-peer Windows sharing, Windows NT server/client architecture, and Novell NetWare. All interoffice collaboration was done via phone, fax, or individual Internet e-mail accounts.

The decision to install a Microsoft Windows 2000 and Cisco environment is being considered because of West Coast's need to consolidate the company onto one cohesive networking system. This would give all offices access to company data and the Internet over one network, reduce overall communications and network administration costs, and integrate the e-mail systems into one MS Exchange system for interoffice collaboration. Secondary objectives are to create an Internet presence for the entire company under one Internet domain and to replace the old analog dial-in systems with a more secure and dynamic virtual private network (VPN) access system. Finally, there is a desire to implement Voice over IP (VoIP) in the future to eliminate the long distance phone bills inherent in the operations of a multicity company.

Under consideration is a new WAN design in which a Cisco-routed architecture will be implemented over Frame Relay connections. The main site will have a switched core for the user community and a central server farm running Windows Terminal Server (for centralized billing and reporting applications), and will be linked to the remote offices using redundant core Cisco 3640 routers connected over Frame Relay to Cisco 2610s at the branch offices. The Internet will be connected at the main site using a 2610 router equipped with the IP Plus feature set to provide NAT and firewall filtering on the router itself (the Cisco IOS Firewall features; a PIX is a separate appliance).

Summary

Directory enabled networking (DEN) is a technology specification that was originally developed by Microsoft and Cisco. The two companies then presented their specification to the Distributed Management Task Force (DMTF) and the Internet Engineering Task Force (IETF) for standardization. DEN specifies a directory service with a common schema. The schema is the list of classes, or types of objects, that can exist within the directory; it also describes the attributes, or values, of the objects. Objects represent the services, resources, or user accounts that can participate on the network. The directory service can specify the policies that manage how these objects relate to each other.

DEN's value lies in becoming a standard. If directory services developed by different vendors all meet the DEN requirements, then different vendors' directories can be integrated. The fewer directory services there are, the less administrative overhead is spent on them. This can free a traditional information technology staff for more interesting projects than managing multiple user accounts in multiple directories.

One of the opportunities for DEN is to enable policy-based networking, such that a user's account can be granted various capabilities on the internetwork through the application of a policy. The alternative to policy-based networking is to micromanage the granting of capabilities whenever necessary, for example by the IP address or host name of the user's computer.

Windows 2000 is the latest operating system released by Microsoft. It comes in four versions:

Windows 2000 Professional: the workstation version, also considered the upgrade for Windows NT Workstation 4.0.
Windows 2000 Server: the workgroup server version, considered the upgrade for Windows NT Server 4.0.
Windows 2000 Advanced Server: the enterprise server version, considered the upgrade for Windows NT Server 4.0 Enterprise Edition.
Windows 2000 Datacenter Server: a special original equipment manufacturer (OEM) release for high-performance server equipment.

Microsoft released Windows 2000 with a new feature called Active Directory. Active Directory is a directory service that provides hierarchical management of the Microsoft network's resources, services, and user accounts. Active Directory is an implementation that closely resembles the DEN specification.

Cisco develops routing and switching equipment. Cisco routers run the Cisco Internetwork Operating System (IOS). IOS scales from small workgroup networks to global wide area networks. Cisco produces not only the equipment and its operating system, but also several applications. Some of the tools available for designing and managing a Cisco internetwork include:

Cisco ConfigMaker: a free design tool that runs on Windows PCs.
Cisco FastStep: a free configuration tool for some of the Cisco routers and access servers, which also runs on Windows PCs.
CiscoWorks: a suite of management applications with versions available for UNIX and for Windows.

Cisco and Microsoft converge their technologies with the Cisco Networking Services for Active Directory (CNS/AD). This technology extends true policy-based networking to the routing and infrastructure equipment on the internetwork.

Networking basics apply to understanding the Microsoft and Cisco technologies. These include the Open Systems Interconnection (OSI) protocol reference model developed by the International Organization for Standardization (ISO). The OSI model encompasses seven layers:

Application layer (Layer 7): provides the user interface and application interface to the network.
Presentation layer (Layer 6): provides data format services such as encryption and compression.
Session layer (Layer 5): establishes, maintains, and terminates end-to-end sessions between two network hosts.
Transport layer (Layer 4): provides data multiplexing, segmentation, and end-to-end reliability services.
Network layer (Layer 3): specifies the logical network segment and logical network node addressing, and provides routing of data between distinct physical segments.
Data-link layer (Layer 2): composed of two sublayers, Media Access Control (MAC) and Logical Link Control (LLC). Provides the physical, or hardware, address, also known as the MAC address.
Physical layer (Layer 1): specifies the data signaling and physical cabling that carry the raw bitstream over the media.

The Department of Defense (DoD) created a model for the TCP/IP protocol stack. This four-layer model consists of the following layers:

Application layer: handles the application interface, data formatting, and end-to-end session services.
Host-to-Host Transport layer: handles data multiplexing and segmentation services; also provides reliability services.
Internetwork layer: specifies the logical network and node addressing, and the routing of data throughout the internetwork.
Network Access layer: specifies the media access, hardware addressing, and the raw bitstream and frame format for data.

In addition to understanding these models, you will need to understand Internet Protocol addressing. IP version 4 addressing is the most commonly used scheme on the Internet. It uses a 32-bit address, commonly written in dotted decimal format: each byte is converted to decimal by adding the place values (128, 64, 32, 16, 8, 4, 2, 1) of the bits that are set to 1, and the four decimal values are separated by dots. The address 01100111111100001010101100010011 is written as 103.240.171.19 in dotted decimal. There are three commonly used classes of IP addresses:

Class A: all networks with a first octet from 1 through 126 (network 127.x.x.x is reserved for loopback). The default subnet mask is 255.0.0.0.
Class B: all networks with a first octet from 128 through 191. The default subnet mask is 255.255.0.0.
Class C: all networks with a first octet from 192 through 223. The default subnet mask is 255.255.255.0.

FAQs

Q: What are the advantages of directory enabled servers?
A: A suite of directory enabled server applications can share information. Another advantage is that network devices don't need to be compatible with multiple schemas; they only need to speak a standard protocol.

Q: Does DEN replace SNMP?
A: No. DEN is not a protocol like SNMP; it is a storage model (a directory with a common schema) that can hold policies.
Chapter 2: A Tour of Windows 2000

Solutions in this chapter:
■ Windows 2000 overview
■ Understanding the changes since Windows NT 4
■ The Active Directory architecture
■ Migrating an NT network to Windows 2000

[...]

Figure 2.9: An example of a forest and domain tree (a forest containing the domain trees root.com, with the child domains sub.root.com and s1.sub.root.com, and tree.com, with the child domain leaf.tree.com).

The Windows 2000 Active Directory domain is a group of domain controllers, much the same as it was in Windows NT. Each Active Directory domain is assigned a domain name, such as DOMAIN.COM, as well as a backward-compatible [...]

[...] least busy. Network load balancing can ensure that a Web site is highly available and provides a high performance level. Both of these are requirements for an Internet Web server, since timeouts and Server Not Found errors can cause a business to lose money and do irreparable damage to its brand name. Windows 2000 [...]

[...] traveling across the wire. For example, if a user connects with L2TP/IPSec and runs an e-mail application, that user's e-mail messages would not be readable if a packet sniffer picked them up (the protection covers the tunnel between the client and the VPN server; beyond the server the traffic is whatever the application sends). The Routing and Remote Access Console is illustrated in Figure 2.4.

Figure 2.4: Routing and Remote Access Console.

Network Load Balancing

Network load balancing is only available for Windows 2000 Advanced Server and [...]

[...]

Figure 2.10: An OU hierarchy.

Figure 2.11: User account.

Groups

Groups are a form of account within the Active Directory that logically arranges a set of accounts into a single unit. An administrator can grant the group rights and privileges to network resources [...]

[...] share a common namespace, schema, configuration, and Global Catalog. Note that namespaces cannot cross outside a domain tree or a forest. An example of a domain tree is the group of root.com domains shown in Figure 2.9 enclosed by an oval. The namespace shared is root.com, while the schema, configuration, and Global Catalog are shared by all domains forest-wide.

[...] replicated to all other domain controllers to synchronize them. The Active Directory is a key differentiator between Windows 2000 and Windows NT. It enables central management of the Windows 2000 network. Even though there still exists a domain architecture for Windows 2000 domain controllers, Active Directory provides the Global Catalog (GC), which holds partial information about all user accounts and network [...]

[...] mode is the default state for a new domain and is backward compatible with Windows NT backup domain controllers. For example, in mixed mode a domain local group can contain only user accounts and global groups from any domain. In native mode, however, a domain local group can also contain universal groups from any domain and domain local groups from the local domain. Therefore, in native mode, groups can be nested [...]

[...] the data he needs to perform his job, which, unfortunately, leads to a form of "productive downtime." Dfs can resolve this dilemma. Dfs is a logical namespace. It enables an administrator to assign other names to shares, names that more closely reflect the contents of the share. Dfs also allows an administrator [...]

[...] Directory files as Server2.root.com, but will not have the same domain information as Host.tree.com. The fact that each domain holds a separate partition of the Active Directory plays a part in how replication of data affects your infrastructure. Balancing network utilization against user-perceived performance will play a part in deciding what the infrastructure looks like, as well as the Active Directory [...]

[...] contained within a domain and is used as a container for accounts and network resources. OUs can be nested within each other and, as such, can create a hierarchical structure. The OU forms the basis for delegation of administration for groups of users within a domain. An example of an OU structure is shown in Figure 2.10.

User Accounts

Users are represented within the Active Directory as user accounts [...]

[...] Introduction: Fasten your seatbelt! We are going to take a [...]

Posted: 07/08/2014, 17:20
