Wednesday, 4 April 2012

Active Directory Authentication Types

The two types of authentication are Mutual Authentication and NTLM. Mutual Authentication requires both the server and the client to identify themselves to each other. NTLM only requires the client to be validated by the server.



Mutual Authentication

Mutual Authentication is a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection. Identity can be proved through a trusted third party that uses shared secrets, as in Kerberos v5, or through cryptographic means, as with a public key infrastructure.

Support for mutual authentication is provided by the security support provider interface (SSPI) and is exposed directly through the SSPI APIs and services that layer upon SSPI, including RPC and COM+.

Not all security packages available to SSPI, or all services running on Windows 2000 or later, support mutual authentication. An application must request mutual authentication, and use a security package that supports it, in order to obtain mutual authentication.

NTLM
NTLM authentication supports three methods of challenge/response authentication:

LAN Manager (LM)
This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 or later can connect in share level security mode to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.
 
NTLM version 1
This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 or later can connect to servers in a Windows NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.

NTLM version 2
This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 or later connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 or later connect to servers running Windows NT in an Active Directory domain.
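The difference between the two flows described above can be seen in a toy challenge/response exchange. The following Python is an added example, not code from the original post and not the NTLM or Kerberos algorithm: it uses HMAC-SHA256 over a directly shared secret as a stand-in for the real response computation, and the party names and secrets are constructed. In the one-way (NTLM-style) flow only the server issues a challenge, so the client never has a step in which a server that lacks the secret could be rejected; in the mutual flow each side must answer the other's challenge before any application traffic would be sent.

```python
import hashlib
import hmac
import secrets

# Constructed secrets for the demonstration; neither is a real credential.
SHARED_SECRET = b"constructed-shared-secret"
WRONG_SECRET = b"constructed-wrong-secret"


def response(secret: bytes, challenge: bytes) -> bytes:
    """Keyed challenge/response: HMAC-SHA256(secret, challenge).
    A stand-in for the NTLM response functions, not the NTLM algorithm itself."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Party:
    """A client or server that holds (what it believes is) the shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def new_challenge(self) -> bytes:
        # A fresh random nonce per exchange, so an old response cannot be replayed.
        return secrets.token_bytes(16)

    def respond(self, challenge: bytes) -> bytes:
        return response(self.secret, challenge)

    def verify(self, challenge: bytes, reply: bytes) -> bool:
        return hmac.compare_digest(response(self.secret, challenge), reply)


def one_way_auth(client: Party, server: Party) -> dict:
    """NTLM-style flow: the server challenges, the client answers, and that is all.
    'client_verified_server' is always None because the client has no step in which
    it could check who it is talking to."""
    challenge = server.new_challenge()
    accepted = server.verify(challenge, client.respond(challenge))
    return {"server_accepted_client": accepted, "client_verified_server": None}


def mutual_auth(client: Party, server: Party) -> dict:
    """Mutual flow: the client first challenges the server and refuses to go on
    unless the server proves it holds the secret; then the server challenges the client."""
    client_challenge = client.new_challenge()
    if not client.verify(client_challenge, server.respond(client_challenge)):
        return {"server_accepted_client": False, "client_verified_server": False}
    server_challenge = server.new_challenge()
    accepted = server.verify(server_challenge, client.respond(server_challenge))
    return {"server_accepted_client": accepted, "client_verified_server": True}


if __name__ == "__main__":
    client = Party("client", SHARED_SECRET)
    genuine = Party("server", SHARED_SECRET)
    impostor = Party("impostor", WRONG_SECRET)
    print("one-way, genuine server: ", one_way_auth(client, genuine))
    print("one-way, impostor server:", one_way_auth(client, impostor))
    print("mutual, genuine server:  ", mutual_auth(client, genuine))
    print("mutual, impostor server: ", mutual_auth(client, impostor))
```

The point to take from the output is the `client_verified_server` field: in the one-way flow it is `None` for both the genuine and the impostor server, because the protocol gives the client nothing to check, whereas the mutual flow stops at the first step when the server cannot answer the client's challenge.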

    WINS (Windows Internet Name Server)

    In the Windows Server family, the primary means for client computers to locate and communicate with other computers on an Internet Protocol (IP) network is by using the Domain Name System (DNS). However, clients that use older versions of Windows, such as Windows NT 4.0, use network basic input/output system (NetBIOS) names for network communication. Some applications that run on Windows Server 2003 may also use NetBIOS names for network communication. Using NetBIOS names requires a method of resolving NetBIOS names to IP addresses.


    One can implement Windows Internet Name Service (WINS) in a Windows Server 2003 network to ensure that clients using the older versions of Windows can locate and communicate with network resources as needed. One can use WINS both to register NetBIOS names and to resolve those names to IP addresses.


    The WINS service resolves NetBIOS names, which reduces broadcast traffic and enables clients to resolve the NetBIOS names of computers that are on different network segments (subnets).

    Components of WINS


    The complete Windows Server 2003 WINS system includes the following components:
    WINS server: a computer that processes name registration requests from WINS clients, registers the clients' names and IP addresses, and responds to NetBIOS name queries that clients submit. The WINS server returns the IP address of a queried name if the name is listed in the server database.
    WINS database: the WINS database stores and replicates the NetBIOS name to IP address mappings for a network.
    WINS clients: computers that are configured to point directly at a WINS server to register their NetBIOS names and to communicate with other computers registered with the same WINS server on that network.
    WINS proxy agents: a computer that listens for broadcast name queries and responds on behalf of names that are not located on the local subnet. The proxy queries the WINS server to resolve such names and then caches them for a set period of time.

      NetBIOS Node Types


      A NetBIOS node type is a method that a computer uses to resolve a NetBIOS name into an IP address. A NetBIOS node type allows an administrator to configure the order and method that a client uses when resolving NetBIOS names to IP addresses.
      Understanding how the various node types function will help users to properly configure their WINS solution. Windows Server supports the following node types:
      • B-node (broadcast): uses broadcasts for name resolution and registration. In a large network, broadcasts increase the network's load. In addition, routers usually do not forward broadcasts, so only computers within the local network will respond.
      • P-node (peer-to-peer): uses a NetBIOS name server such as WINS to resolve NetBIOS names. P-node does not use broadcasts; because it queries the name server directly, computers can resolve NetBIOS names across routers. P-node requires all computers to be configured with the NetBIOS name server's IP address. If the NetBIOS name server is not functioning, computers will not be able to communicate.
      • M-node (mixed): combines B-node and P-node, but functions as B-node by default. If M-node cannot resolve a name using a broadcast, it then queries the NetBIOS name server as P-node does.
      • H-node (hybrid): combines P-node and B-node, but functions as P-node by default. If H-node cannot resolve a name with the NetBIOS name server, it then uses a name broadcast.
      Windows Server 2003 and Windows XP are configured as B-node by default. When Windows XP, Windows Server 2003, or Windows 2000 is configured to use WINS server addresses for name resolution, it automatically changes to H-node, since H-node is the node type used for NetBIOS name registration. However, other operating systems may use other node types.
      Users can use Dynamic Host Configuration Protocol (DHCP) options to assign the node type. To view a computer's node type, type ipconfig /all at a command prompt.
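To make the resolution order above concrete, the following Python (an added example, not code from the original post) simulates how each node type resolves a name. The WINS database contents, subnet membership and host names are constructed sample data, and the DHCP option 46 values it maps to node types are the ones RFC 2132 defines. It also shows the failure modes the list describes: a B-node cannot reach a host on another subnet, and a P-node is stuck when the name server is down.

```python
# DHCP option 46 (NetBIOS over TCP/IP node type) values, as defined in RFC 2132 section 8.7.
NODE_TYPE_BY_OPTION46 = {0x1: "B-node", 0x2: "P-node", 0x4: "M-node", 0x8: "H-node"}

# Resolution order per node type; "broadcast" asks the local subnet, "wins" asks the name server.
RESOLUTION_ORDER = {
    "B-node": ["broadcast"],
    "P-node": ["wins"],
    "M-node": ["broadcast", "wins"],
    "H-node": ["wins", "broadcast"],
}

# Constructed sample data (not from a real network): what the WINS database holds,
# and which hosts would answer a broadcast on each subnet.
WINS_DATABASE = {"FILESRV01": "10.1.2.10", "PRINTSRV": "10.1.3.20"}
HOSTS_ON_SUBNET = {
    "10.1.2.0/24": {"FILESRV01": "10.1.2.10", "LOCALPC": "10.1.2.55"},
    "10.1.3.0/24": {"PRINTSRV": "10.1.3.20"},
}


def node_type_from_option46(value: int) -> str:
    """Translate the DHCP option 46 byte into the node type name ipconfig /all would show."""
    try:
        return NODE_TYPE_BY_OPTION46[value]
    except KeyError:
        raise ValueError(f"unknown NetBIOS node type value {value:#x}") from None


def broadcast_query(name: str, client_subnet: str):
    # Routers do not forward broadcasts, so only hosts on the client's own subnet can answer.
    return HOSTS_ON_SUBNET.get(client_subnet, {}).get(name.upper())


def wins_query(name: str, wins_reachable: bool):
    # P-node behaviour depends entirely on the name server being up.
    if not wins_reachable:
        return None
    return WINS_DATABASE.get(name.upper())


def resolve(name: str, node_type: str, client_subnet: str, wins_reachable: bool = True):
    """Resolve a NetBIOS name the way the given node type would.
    Returns (ip_address, method_that_answered) or (None, None) if every method fails."""
    if node_type not in RESOLUTION_ORDER:
        raise ValueError(f"unknown node type {node_type!r}")
    for method in RESOLUTION_ORDER[node_type]:
        if method == "broadcast":
            ip = broadcast_query(name, client_subnet)
        else:
            ip = wins_query(name, wins_reachable)
        if ip is not None:
            return ip, method
    return None, None


if __name__ == "__main__":
    subnet = "10.1.2.0/24"
    for node_type in RESOLUTION_ORDER:
        print(node_type, "PRINTSRV ->", resolve("PRINTSRV", node_type, subnet))
    print("H-node, WINS down, LOCALPC ->", resolve("LOCALPC", "H-node", subnet, wins_reachable=False))
    print("P-node, WINS down, LOCALPC ->", resolve("LOCALPC", "P-node", subnet, wins_reachable=False))
    print("option 46 value 8 ->", node_type_from_option46(8))
```

Running it from the 10.1.2.0/24 subnet shows PRINTSRV (on the other subnet) resolving only for the node types that consult WINS, and shows the second method of M-node and H-node being used exactly when the first one comes up empty.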

      How to configure DHCP Relay Agents


      The Dynamic Host Configuration Protocol (DHCP) is a service that runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP clients, and to allocate TCP/IP configuration information to DHCP clients. This includes the subnet mask, default gateway IP addresses, DNS server IP addresses, and WINS server IP addresses. DHCP is derived from the Bootstrap Protocol (BOOTP). The DHCP server is configured with a predetermined pool of IP addresses (scopes), from which it allocates IP addresses to DHCP clients. During the boot process, DHCP clients request IP addresses and obtain leases for them from the DHCP server.


      When a DHCP client boots up on the network, the DHCP lease process takes place between the DHCP server and the DHCP client. During the DHCP lease process, the DHCP scopes configured on a DHCP server are used to provide DHCP clients with IP addresses.


      The DHCP lease process consists of four messages sent between the DHCP server and the DHCP client:
      DHCPDISCOVER message: This message is sent by a client when it boots up on the network to request an IP address lease from a DHCP server. The message is sent as a broadcast packet over the network, asking any DHCP server to respond to it.
      DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or more DHCP servers.
      DHCPREQUEST message: The client sends a DHCPREQUEST message to the first DHCP server that responded to it. The message indicates that the client is requesting the offered IP address for lease.
      DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client; this is the step in which the DHCP server assigns the IP address lease to the DHCP client.


      Because the DHCPDISCOVER message is a broadcast message, and broadcasts only cross other segments when they are explicitly routed, you might have to configure a DHCP Relay Agent on the router interface so that all DHCPDISCOVER messages can be forwarded to your DHCP server. Alternatively, you can configure the router to forward DHCP and BOOTP messages. In a routed network, you need DHCP Relay Agents if you plan to implement only one DHCP server.


      For DHCP to operate, all client computers must be able to contact the DHCP server. DHCP relies on the network topology, and is in turn relied on by all TCP/IP-based hosts within your networking environment. Therefore, if your network has multiple segments, you have to do one of the following:
      Place a DHCP server on each segment.
      Place a DHCP Relay Agent on each segment.
      Configure your routers to forward broadcast messages.


      The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent across routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server that is not located on the local subnet. If you have not configured a DHCP Relay Agent, your clients can only obtain IP addresses from a DHCP server on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you have to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can relay DHCP broadcast messages to your DHCP server.


      The systems that can use the DHCP Relay Agent are:
      • Windows NT Server. 
      • Windows 2000 Server. 
      • Windows Server 2003. 


      In routed networks, you need to either enable your routers to forward DHCP broadcast messages or configure a DHCP Relay Agent, for the following reasons:
      The router will drop DHCP broadcast messages if it is not configured to forward them and no DHCP Relay Agent exists.
      The DHCP lease process would then not be able to take place, because the initial message sent by the DHCP client is a broadcast message.
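The following Python (an added example, not code from the original post) walks the four-message lease exchange described above with and without a relay agent. All addresses, scopes and hardware addresses are constructed, and the relay models the two RRAS settings mentioned later on this page, Hop-Count Threshold and Boot Threshold, as simple drop rules. It shows why a client on a remote subnet gets nothing without a relay, how the relay's giaddr field lets the server pick the right scope for that subnet, and what happens when a scope runs out of addresses.

```python
import ipaddress

ZERO_ADDRESS = ipaddress.ip_address("0.0.0.0")

# Constructed sample addressing (not from a real network): the server sits on 10.0.1.0/24
# and holds one scope per subnet, with a tiny pool each so exhaustion is easy to see.
SERVER_IP = "10.0.1.5"
SCOPES = {
    "10.0.1.0/24": ["10.0.1.100", "10.0.1.101"],
    "10.0.2.0/24": ["10.0.2.100", "10.0.2.101"],
}


class DhcpServer:
    def __init__(self, server_ip: str, scopes: dict):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.free = {ipaddress.ip_network(n): list(pool) for n, pool in scopes.items()}
        self.offers = {}   # transaction id -> address offered
        self.leases = {}   # client hardware address -> address leased

    def server_subnet(self):
        return next(net for net in self.free if self.server_ip in net)

    def scope_for(self, msg: dict):
        # A non-zero giaddr means a relay agent forwarded the message: the scope is then chosen
        # for the relay's interface subnet, not for the subnet the server itself sits on.
        anchor = msg["giaddr"] if msg["giaddr"] != ZERO_ADDRESS else self.server_ip
        return next((net for net in self.free if anchor in net), None)

    def handle(self, msg: dict):
        """Return a DHCPOFFER or DHCPACK dict, or None when the message cannot be served."""
        net = self.scope_for(msg)
        if net is None or not self.free[net]:
            return None
        if msg["type"] == "DHCPDISCOVER":
            self.offers[msg["xid"]] = self.free[net][0]
            return self.reply("DHCPOFFER", msg, self.offers[msg["xid"]])
        if msg["type"] == "DHCPREQUEST":
            offered = self.offers.pop(msg["xid"], None)
            if offered is None or offered != msg["requested_ip"]:
                return None   # only the address this server offered can be acknowledged
            self.free[net].remove(offered)
            self.leases[msg["chaddr"]] = offered
            return self.reply("DHCPACK", msg, offered)
        return None

    @staticmethod
    def reply(mtype: str, req: dict, address: str) -> dict:
        # Replies keep the request's giaddr so the relay knows which client subnet to rebroadcast on.
        return {"type": mtype, "xid": req["xid"], "chaddr": req["chaddr"],
                "yiaddr": address, "giaddr": req["giaddr"], "hops": req["hops"]}


class DhcpRelayAgent:
    """Hears client broadcasts on one interface and forwards them as unicasts to the server."""

    def __init__(self, interface_ip: str, server_ip: str, hop_count_threshold: int = 4, boot_threshold: int = 0):
        self.interface_ip = ipaddress.ip_address(interface_ip)
        self.server_ip = ipaddress.ip_address(server_ip)
        self.hop_count_threshold = hop_count_threshold   # RRAS "Hop-Count Threshold"
        self.boot_threshold = boot_threshold             # RRAS "Boot Threshold" (seconds)

    def to_server(self, msg: dict):
        """Return the message as forwarded to the server, or None if the relay discards it."""
        if msg["secs"] < self.boot_threshold:
            return None   # client has not yet waited long enough for a local DHCP server to answer
        forwarded = dict(msg, hops=msg["hops"] + 1)
        if forwarded["hops"] > self.hop_count_threshold:
            return None   # passed through too many relays; treated as a loop and dropped
        if forwarded["giaddr"] == ZERO_ADDRESS:
            forwarded["giaddr"] = self.interface_ip   # the first relay stamps its client-facing address
        return forwarded

    def to_client(self, reply: dict) -> dict:
        # The server unicasts its reply to giaddr; the relay rebroadcasts it on the client subnet.
        return dict(reply)


def dora(server: DhcpServer, client_subnet: str, chaddr: str, xid: int,
         relay: DhcpRelayAgent = None, secs: int = 0, hops: int = 0):
    """Run DISCOVER / OFFER / REQUEST / ACK for one client.
    Returns the leased address as a string, or None if the exchange never completes."""
    client_net = ipaddress.ip_network(client_subnet)

    def send(msg):
        if relay is None:
            # Broadcasts do not cross routers: without a relay only a same-subnet server hears them.
            return server.handle(msg) if client_net == server.server_subnet() else None
        forwarded = relay.to_server(msg)
        reply = server.handle(forwarded) if forwarded is not None else None
        return relay.to_client(reply) if reply is not None else None

    discover = {"type": "DHCPDISCOVER", "xid": xid, "chaddr": chaddr,
                "giaddr": ZERO_ADDRESS, "hops": hops, "secs": secs}
    offer = send(discover)
    if offer is None or offer["type"] != "DHCPOFFER":
        return None
    request = dict(discover, type="DHCPREQUEST", requested_ip=offer["yiaddr"])
    ack = send(request)
    return ack["yiaddr"] if ack is not None and ack["type"] == "DHCPACK" else None


if __name__ == "__main__":
    server = DhcpServer(SERVER_IP, SCOPES)
    relay = DhcpRelayAgent("10.0.2.1", SERVER_IP)
    print("remote client, no relay: ", dora(server, "10.0.2.0/24", "aa:bb:cc:00:00:01", 1))
    print("remote client, via relay:", dora(server, "10.0.2.0/24", "aa:bb:cc:00:00:01", 2, relay=relay))
    print("local client, no relay:  ", dora(server, "10.0.1.0/24", "aa:bb:cc:00:00:02", 3))
    print("hop-count threshold hit: ", dora(server, "10.0.2.0/24", "aa:bb:cc:00:00:03", 4, relay=relay, hops=4))
```

The remote client's first attempt returns nothing because its broadcast never leaves 10.0.2.0/24; through the relay the same client is offered an address from the 10.0.2.0/24 scope even though the server lives on 10.0.1.0/24, which is exactly the giaddr-based selection a real DHCP server performs. Relay statistics of the kind RRAS displays (received and discarded requests) would be the first place to look when a subnet behind a relay stops getting leases.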
      Configuring the DHCP Relay Agent


      The process for configuring the DHCP Relay Agent is outlined below:
      Enable Routing and Remote Access Server (RRAS).
      Install the DHCP Relay Agent routing protocol.
      Configure DHCP Relay Agent properties.
      Configure/enable the DHCP Relay Agent on the router interface to forward DHCP broadcast messages.
      View statistical information on the operation of the DHCP Relay Agent.


      How to enable Routing and Remote Access Server (RRAS):
      Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
      Right-click the node of your server, and then choose Configure And Enable Routing and Remote Access from the shortcut menu.
      The Routing and Remote Access Server Setup Wizard launches.
      Click Next on the initial page of the wizard.
      On the Configuration page, select the Custom Configuration option. Click Next.
      On the Custom Configuration page, enable the LAN Routing checkbox. Click Next.
      Verify your configuration settings on the Summary page.
      Click Finish.
      Click Yes when prompted to start the RRAS service.


      How to install the DHCP Relay Agent routing protocol:
      Open the Routing And Remote Access console.
      Expand the IP Routing node in the console tree.
      Right-click the General node, and then select New Routing Protocol from the shortcut menu.
      The New Routing Protocol dialog box opens.
      Select DHCP Relay Agent.
      Click OK.


      How to configure DHCP Relay Agent properties:
      Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
      Expand the IP Routing node in the console tree.
      Right-click the DHCP Relay Agent node, and then select Properties from the shortcut menu.
      On the General tab, enter the IP address of the DHCP server in the Server Address text box, and click Add.
      Repeat the above step for each DHCP server that you have to add.
      Click OK.


      How to enable the DHCP Relay Agent on a router interface:
      Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
      Expand the IP Routing node in the console tree.
      Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
      Select the interface that is on the same subnet as the DHCP clients.
      Click OK.
      In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
      You can change the Hop-Count Threshold and Boot Threshold values.
      Click OK.


      How to view statistical information on the operation of the DHCP Relay Agent:
      Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
      Select the DHCP Relay Agent node, and view the statistical information that is displayed in the details pane of the Routing And Remote Access console:
      Received requests
      Received replies
      Discarded requests
      Discarded replies

      DHCP Scope


      A DHCP scope is a valid range of IP addresses that are available for assignment or lease to client computers on a particular subnet. On a DHCP server, a scope is configured to determine the pool of IP addresses that the server can provide to DHCP clients.
      Scopes determine which IP addresses are provided to clients. They must be defined and activated before DHCP clients can use the DHCP server for their dynamic IP configuration. Users can configure as many scopes on a DHCP server as the network environment requires.

      DHCP Scope Properties

      Scope property: Description
      Network ID: The network ID for the range of IP addresses.
      Subnet mask: The subnet mask for the network ID.
      Network IP address range: The range of IP addresses that are available to clients.
      Lease duration: The period of time that the DHCP server holds a leased IP address for a client before removing the lease.
      Router: A DHCP option that allows DHCP clients to access remote networks.
      Scope name: An alphanumeric identifier for administrative purposes.
      Exclusion range: The range of IP addresses in the scope that is excluded from being leased.
      Each subnet can have a single DHCP scope that has a single continuous range of IP addresses. Specific addresses or groups of addresses can be excluded from the range that the DHCP scope specifies. Normally, only one scope can be assigned to a subnet. If more than one scope is required on a subnet, the scopes must first be created then combined into a super scope.
      For example, if there are two subnets, then users can create two separate scopes for the separate subnets on one DHCP server. Users create a separate scope because the subnets have different IP addressing schemes.

      Configuring DHCP Scopes in the Microsoft DHCP Server

      1. Open the DHCP console.
      2. In the console tree, click applicable DHCP server.
      3. On the action menu, click applicable DHCP server.
      4. In the new scope wizard, click next.
      5. On the scope name page, configure the name and description.
      6. On the IP address range page, configure the start IP address, end IP address, and subnet mask.
      7. On the add exclusions page, configure the start IP address and end IP address if applicable. If there is a single excluded IP address, configure only that IP address as the start IP address.
      8. On the lease duration page, configure the days, hours, and minutes.
      9. On the configure DHCP option page, select “no, I will configure these options later.”
      10. On the completing new scope wizard page, click finish.
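The scope properties listed in the table above, and the exclusion and lease-duration steps of the wizard, map onto a small data model. The following Python is an added example, not code from the original post or from the Microsoft DHCP server: scope names, addresses and times are constructed, and the Superscope class simply tries its member scopes in order, which is the behaviour the text describes for a subnet that needs more than one scope. It shows the effect of an exclusion range on the available pool, renewal of an existing lease, pool exhaustion, and addresses returning to the pool once their lease duration has passed.

```python
import ipaddress
from datetime import datetime, timedelta


class DhcpScope:
    """One scope: network ID and mask, a start/end address range, exclusions, the router
    option and a lease duration. Addresses and names used with it are constructed samples."""

    def __init__(self, name, network, start, end, lease_duration=timedelta(days=8),
                 router=None, exclusions=()):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        if not (self.start in self.network and self.end in self.network and self.start <= self.end):
            raise ValueError("start/end must lie inside the network ID and be in order")
        self.lease_duration = lease_duration
        self.router = ipaddress.ip_address(router) if router else None
        self.exclusions = []
        for lo, hi in exclusions:
            self.add_exclusion(lo, hi)
        self.leases = {}   # address -> (client id, expiry time)

    def add_exclusion(self, start, end=None):
        # A single excluded address is entered as the start address only, as in the wizard.
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        self.exclusions.append((lo, hi))

    def is_excluded(self, address) -> bool:
        return any(lo <= address <= hi for lo, hi in self.exclusions)

    def available(self, now: datetime):
        """Addresses the scope can still lease: the range minus exclusions and unexpired leases."""
        out = []
        for n in range(int(self.start), int(self.end) + 1):
            address = ipaddress.ip_address(n)
            lease = self.leases.get(address)
            if self.is_excluded(address) or (lease is not None and lease[1] > now):
                continue
            out.append(address)
        return out

    def lease_address(self, client_id: str, now: datetime):
        """Lease an address to client_id, renewing an unexpired lease it already holds."""
        for address, (holder, expiry) in self.leases.items():
            if holder == client_id and expiry > now:
                self.leases[address] = (holder, now + self.lease_duration)
                return address
        free = self.available(now)
        if not free:
            return None
        self.leases[free[0]] = (client_id, now + self.lease_duration)
        return free[0]


class Superscope:
    """Several scopes serving one physical subnet; the first scope with a free address answers."""

    def __init__(self, name, scopes):
        self.name = name
        self.scopes = list(scopes)

    def lease_address(self, client_id: str, now: datetime):
        for scope in self.scopes:
            address = scope.lease_address(client_id, now)
            if address is not None:
                return address
        return None


if __name__ == "__main__":
    floor1 = DhcpScope("Floor1", "192.168.10.0/24", "192.168.10.10", "192.168.10.14",
                       lease_duration=timedelta(hours=8), router="192.168.10.1",
                       exclusions=[("192.168.10.11", "192.168.10.12")])
    t0 = datetime(2012, 4, 4, 9, 0)
    print("available:", [str(a) for a in floor1.available(t0)])
    for pc in ("pc1", "pc2", "pc3", "pc4"):
        print(pc, "->", floor1.lease_address(pc, t0))
    extra = DhcpScope("Floor1-extra", "192.168.11.0/24", "192.168.11.10", "192.168.11.10")
    print("via superscope:", Superscope("Floor1-all", [floor1, extra]).lease_address("pc4", t0))
```

With the exclusion range .11 to .12, a five-address range yields only three leasable addresses, so the fourth client gets nothing from the scope alone and is served by the second scope only when the two are grouped into a superscope.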

      Most of the commands in this appendix are reserved for Technical Support use and are included for your reference only. In a few cases, however, these commands provide the only means of performing a configuration task for the host. Also, if you lose your connection to the host, executing certain of these commands through the command-line interface may be your only recourse, for example if networking becomes nonfunctional and vSphere Client access is therefore unavailable.

      NOTE: If you use the commands in this appendix, you must execute the service mgmt-vmware restart command to restart the vmware-hostd process and alert the vSphere Client and other management tools that the configuration has changed. In general, avoid executing the commands in this appendix if the host is currently under vSphere Client or vCenter Server management.

      The vSphere Client graphical user interface provides the preferred means of performing the configuration tasks described in this topic. You can use this topic to learn which vSphere Client commands to use in place of these commands. This topic provides a summary of the actions you take in vSphere Client, but does not give complete instructions. For details on using commands and performing configuration tasks through vSphere Client, see the online help.


      esxcfg-advcfg: Configures advanced options for ESXi. To configure advanced options in vSphere Client, click Advanced Settings. When the Advanced Settings dialog box opens, use the list on the left to select the device type or activity you want to work with and then enter the appropriate settings.
      esxcfg-dumppart: Configures a diagnostic partition or searches for existing diagnostic partitions. When you install ESXi, a diagnostic partition is created to store debugging information in the event of a system fault. You don't need to create this partition manually unless you determine that there is no diagnostic partition for the host. You can perform the following management activities for diagnostic partitions in vSphere Client:
      • Determine whether there is a diagnostic partition: click Storage > Add Storage and check the first page of the Add Storage Wizard to see whether it includes the Diagnostic option. If Diagnostic is not one of the options, ESXi already has a diagnostic partition.
      • Configure a diagnostic partition: click Storage > Add Storage > Diagnostic and step through the wizard.

      esxcfg-info: Prints information about the state of the VMkernel and various subsystems in the virtual network, and storage resource hardware. vSphere Client doesn't provide a method for printing this information, but you can obtain much of it through different tabs and functions in the user interface. For example, you can check the status of your virtual machines by reviewing the information on the Virtual Machines tab.
      esxcfg-init: Performs internal initialization routines. This command is used for the bootstrap process; you should not use it under any circumstances. Using this command can cause problems for ESXi. There is no vSphere Client equivalent for this command.
      esxcfg-module: Sets driver parameters and modifies which drivers are loaded during startup. This command is used for the bootstrap process and is intended for VMware Technical Support use only. You should not issue this command unless instructed to do so by a VMware Technical Support representative. There is no vSphere Client equivalent for this command.
      esxcfg-mpath: Configures multipath settings for your Fibre Channel or iSCSI disks. To configure multipath settings for your storage in vSphere Client, click Storage. Select a datastore or mapped LUN and click Properties. When the Properties dialog box opens, select the desired extent if necessary. Then click Extent Device > Manage Paths and use the Manage Paths dialog box to configure the paths.

      esxcfg-nas: Manages NFS mounts. You use this command to create or unmount an NFS datastore. To view NFS datastores in vSphere Client, click Storage > Datastores and scroll through the datastores list. You can also perform the following activities from the Storage > Datastores view:
      • Display the attributes of an NFS datastore: click the datastore and review the information under Details.
      • Create an NFS datastore: click Add Storage.
      • Unmount an NFS datastore: click Remove, or right-click the datastore to unmount and select Unmount.
      esxcfg-nics: Prints a list of physical network adapters along with information on the driver, PCI device, and link state of each NIC. You can also use this command to control a physical network adapter's speed and duplexing. To view information on the physical network adapters for the host in vSphere Client, click Network Adapters. To change the speed and duplexing for a physical network adapter in the vSphere Client, click Networking > Properties for any of the virtual switches associated with the physical network adapter. In the Properties dialog box, click Network Adapters > Edit and select the speed and duplex combination.
      esxcfg-resgrp: Restores resource group settings and lets you perform basic resource group management. Select a resource pool from the inventory panel and click Edit Settings on the Summary tab to change the resource group settings.
      esxcfg-route: Sets or retrieves the default VMkernel gateway route and adds, removes, or lists static routes. To view the default VMkernel gateway route in vSphere Client, click DNS and Routing. To change the default routing, click Properties and update the information in both tabs of the DNS and Routing Configuration dialog box.
      esxcfg-swiscsi: Configures your software iSCSI adapter. To configure your software iSCSI system in vSphere Client, click Storage Adapters, select the iSCSI adapter you want to configure, and click Properties. Use the iSCSI Initiator Properties dialog box to configure the adapter.
      esxcfg-scsidevs: Prints a map of VMkernel storage devices. There is no vSphere Client equivalent for this command.
      ESXi Configuration Guide (VMware, Inc.), Table A-1. ESXi Technical Support Commands (Continued)
      Command: Command Purpose and vSphere Client Procedure
      esxcfg-vmknic: Creates and updates VMkernel TCP/IP settings for vMotion, NAS, and iSCSI. To set up vMotion, NFS, or iSCSI network connections in vSphere Client, click Networking > Add Networking. Select VMkernel and step through the Add Network Wizard. Define the IP address, subnet mask and VMkernel default gateway in the Connection Settings step. To review your settings, click the blue icon to the left of the vMotion, iSCSI, or NFS port. To edit any of these settings, click Properties for the switch. Select the port from the list on the switch Properties dialog box and click Edit to open the port Properties dialog box and change the settings for the port.
      esxcfg-vswitch: Creates and updates virtual machine network settings. To set up connections for a virtual machine in vSphere Client, click Networking > Add Networking. Select Virtual Machine and step through the Add Network Wizard. To review your settings, click the speech bubble icon to the left of the virtual machine port group. To edit any of these settings, click Properties for the switch. Select the virtual machine port from the list on the switch Properties dialog box, then click Edit to open the port Properties dialog box and change the settings for the port.
      Appendix: ESXi Technical Support Commands