Kevin Remde's IT Pro Weblog
Hello all!
I’ve created a document containing useful links to related resources for our live-and-in-person TechNet Briefings this quarter. If you attended my event and want the document containing the LIVE links, or even if you’re just curious about resources relating to Windows Server 2003 Service Pack 1 or Microsoft SQL Server 2005, you’ll find this document useful.
CLICK HERE TO DOWNLOAD
Hope you find this helpful!
Kevin
RSS. Really Simple Syndication. “Feeds”. Orange logos…
“What does it all mean, Kevin?”
Well… let me describe a very cool use of this technology as a way of introduction to you…
You want to know when there’s some new resource available of specific importance to you. For example, let’s say you are the SQL DBA or database server administrator for your company. You watch the Microsoft web sites, NNTP news groups, or perhaps you subscribe to some email lists. But you sure would like to be notified whenever there is a new KB article relating to the version of SQL you are managing. And you don’t want to subscribe to any more email lists. You would rather control exactly what you’re getting… only what you care about or need to know.
Enter RSS
Now, using news aggregator software, you can subscribe to and receive just the information you want or need.
Check out this article: RSS: Really Simple Syndication, for a great description of how this works. Also included there is a good list of links to the news aggregator software available. (I happen to like the free SharpReader.)
“Why are you telling me this, Kevin?”
Many groups at Microsoft, including our TechNet team, are beginning to embrace this technology to allow you to control your own connection to us. We’ll make content and information available, and you can select and subscribe to just what you want to know about… so we aren’t invading your privacy by sending you unwanted emails, and you don’t have to keep checking the web sites manually for changes. You are in the driver’s seat!
Great examples of this might be to subscribe to all of or just categories of my blog (“I want to read everything Kevin has to say”, or, “I only care about Kevin’s TechNet Briefing postings.”), or subscribing to a site that has updates and event information for just when we’re coming to your area, just the speaker you want to see, or just on the topics that you specify. How cool is that?
In fact… if you right-click on this orange picture and select “Copy Shortcut”, you can then paste the link into your news aggregator software and subscribe to all of my blog entries!
Another real world, very cool example is what is available now for Microsoft Knowledge Base articles. You can go HERE and select the RSS feeds to get updated lists of new KB articles for just the software you work with.
And another cool example is how sites can be built using aggregations of blog content shared from bloggers all over the place – as in the www.techedbloggers.com site.
So… it’s time to understand and embrace RSS. It’s going to make it really simple to stay up-to-date and informed.
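To make the “subscribe only to what you care about” idea concrete, here is a small added example (not code from this blog or from any Microsoft feed) that does what an aggregator does for the SQL DBA scenario above: it parses an RSS 2.0 document, keeps only the items whose title or category mentions the products you manage, and reports which of those you have not seen yet. The feed content, the example.invalid links and the product names are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real Microsoft KB feed): three items, each
# tagged with a <category>, the way an aggregator would receive them.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example KB feed (constructed)</title>
    <item>
      <title>KB article: SQL Server 2000 SP4 setup notes</title>
      <link>http://example.invalid/kb/1</link>
      <category>SQL Server 2000</category>
    </item>
    <item>
      <title>KB article: Windows Server 2003 SP1 firewall behaviour</title>
      <link>http://example.invalid/kb/2</link>
      <category>Windows Server 2003</category>
    </item>
    <item>
      <title>KB article: SQL Server 2005 replication</title>
      <link>http://example.invalid/kb/3</link>
      <category>SQL Server 2005</category>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Return a list of {'title', 'link', 'categories'} dicts from an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default="").strip(),
            "link": item.findtext("link", default="").strip(),
            "categories": [c.text.strip() for c in item.findall("category") if c.text],
        })
    return items


def items_for_products(feed_xml, products):
    """Keep only items whose title or category mentions one of the given products.

    Matching is case-insensitive substring matching, so "SQL Server" matches
    every SQL Server version while "SQL Server 2005" matches only that one.
    """
    wanted = [p.lower() for p in products]
    hits = []
    for it in parse_items(feed_xml):
        haystack = " ".join([it["title"]] + it["categories"]).lower()
        if any(w in haystack for w in wanted):
            hits.append(it)
    return hits


def new_since(items, seen_links):
    """Return the items whose link is not in seen_links.

    An aggregator keeps seen_links between polls; that is what turns a feed
    into a "tell me only when something new appears" notification.
    """
    return [it for it in items if it["link"] not in seen_links]


if __name__ == "__main__":
    mine = items_for_products(SAMPLE_FEED, ["SQL Server 2005"])
    for it in new_since(mine, seen_links=set()):
        print(it["title"], "->", it["link"])
```

Polling a real feed would replace `SAMPLE_FEED` with the body fetched from the feed URL; the filtering and “seen” bookkeeping stay the same.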
Questions or comments? Hit the feedback link below.
Resource Page for
Wednesday, April 20, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Here are some resources relating to the webcast topic presented. I hope you find them useful.
—
Routing Overview
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch2.asp
Choosing a Replication Topology
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdccc_fsv_ohjv.asp
Common Server Configurations for Remote Access Servers
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ras_common_configuration.asp
Choosing Hardware or Software Routing
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbb_tcp_gdns.asp
Routing Tables
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_rras-ch2-adv_2.asp
Understanding the IP Routing Table
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_rras-ch5_4.asp
Choosing Static or Dynamic Routing
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbb_tcp_rfjd.asp
RIP for IP
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch2-Adv_4a.asp
Setting Up a RIP-for-IP Routed Internetwork
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_03.asp
How NAT Works
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_nat_how.asp
Understanding Network Address Translation
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch2_16.asp
Setting Up Network Address Translation
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_06.asp
Understanding Demand-Dial Routing
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_rras-ch2-adv_12.asp
Setting Up Demand-Dial Routing
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_08.asp
Understanding Router-to-Router VPNs
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS_und_VPN_node.asp
Deploying Router-to-Router VPNs
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch3_09.asp
Routing Tools and Utilities
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_rras-ch5_20.asp
Microsoft TechNet
http://www.microsoft.com/technet
Official Series Content Resource Page
http://www.microsoft.com/technet/tnt4–04
Free Windows Server 2003 Virtual Labs:
http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003.mspx
Windows Server 2003 Evaluation kit:
http://www.microsoft.com/windowsserver2003/evaluation/trial/evalkit.mspx
Windows Server 2003 Training and Events:
http://www.microsoft.com/windowsserver2003/techinfo/training/default.mspx
New and improved Microsoft Events page:
http://www.microsoft.com/events
** UPDATE **
I've recorded a blogcast containing demos of NAT and Demand-Dial VPN from this session.
Click HERE for that blogcast.
Wednesday, April 27, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Tune in for a look at maintenance and updates to Microsoft Windows Server 2003. This webcast will also cover Software Update Services (SUS), patching and service packs. Also, we will discuss patch management, how to use SUS and how to slipstream service packs.
Released: Windows Server Update Services RC
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
Windows Server Update Services Product Overview
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/overview.mspx
Windows Server Update Services Datasheet
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/datasheet.mspx
Windows Server Update Services Frequently Asked Questions
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx
Compare Microsoft Update, Update Services, and SMS
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx
Windows Server Update Services Operations Guide
http://www.microsoft.com/windowsserversystem/updateservices/techinfo/operations.mspx
Windows Server Update Services Deployment Guide
http://www.microsoft.com/windowsserversystem/updateservices/techinfo/deployment.mspx
Wednesday, May 11, 2005, 8:00 A.M.–9:30 A.M. Pacific Time
Tune in for a discussion of the out-of-the-box server management tools, such as the Active Directory command-line tools, trusts and server roles.
Windows Server Administration Webcast Series Homework Assignment #12
1. http://blogs.technet.com/kevinremde
2. A Choice…
Go to the Windows Server Update Services Site and download the Release Candidate. Try it out. Check out the online resources and FAQ document there.
— OR —
Virtual Lab: “Managing Security Updates with SMS”
http://www.microsoft.com/technet/vlab
This virtual lab allows you to:
On that Virtual Lab homepage, click on the Microsoft Systems Management Server (SMS) 2003 section
I may have blogged about this before. And I do think it’s a very useful tool. But it still needs improving…
The Events and Webcasts team responsible for the www.microsoft.com/events site have built a handy search page. You can find out about events by:
The result is a nice list of links to the events matching your wishes.
“Sounds great, Kevin. What could need improving?”
Well, my main suggested improvement for this site would be to give it the ability to generate an RSS link that would automatically populate a list of the results based on these criteria, so that a person could just watch their feed for new events as they become available – kinda like the cool link you can generate if you visit the MSDN Events site’s “Custom RSS Feeds” page, and what we’ll soon have for our TechNet Briefings, too.
Also – let me choose more than one product. Give me a multi-select list where I can check off all of the products I use the first time I hit the site.
If both of those suggestions were implemented, it would mean that I would never have to visit that site again… unless I wanted to add or drop a product from my list of “what’s interesting to me”. That would be cool.
Windows Server Administration Webcast Series Homework Assignment #11
2. Online Documentation Review
Specifically, I think everyone should review the “Routing Overview”
…plus many others as posted in the Resource Page for part 11 of this series.
For Part 11 of the Windows Server 2003 Administration webcast series, I am unable to do all of the demos as written. One hour just isn’t long enough! So what I’ve done is to record the portion of the demo where I create a NAT configuration, and a Demand-Dial VPN connection, as a “blogcast”.
CLICK HERE to view the blogcast.
A blogcast is just a recorded media file – in my case a Windows Media .WMV file captured and recorded using the Windows Media Encoder. The ITEs (IT Evangelists) for Microsoft around the world have been recording these as yet another way to assist you in your learning and your work. (Check out the “Blogcast Queen”, Eileen Brown’s blog for some great blogcasts. As far as I know, she invented the term.)
Another great TechEd Memory… the Jam Sessions!
NetIQ and others over the years have sponsored evening Jam Sessions, which I really enjoy. Yeah, sure, the talent isn’t always the best, but it’s always entertaining and fun.
Are you gonna be there this year?
Then you're reading the wrong blog!
…Or, more correctly… you should ALSO be reading these other folks’ blogs!
Allow me to introduce to you some great blogs for developers. These developers are members of our MSDN Events team:
And for general interest posts and news from the entire team, check out the
MSDN Events are national events structured much like TechNet Briefings, but for developers. Whenever there is a TechNet Briefing in the morning, there is an MSDN Event there in the afternoon as well.
Here are the current MSDN Event topics:
Go ahead and register for their afternoon event. But if you’re also doing any IT Pro work, make sure you register for our morning event as well!
Wednesday, April 6, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
“What is DHCP?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
“DHCP Terminology”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_ovr_Terms.asp
“Configuring Scopes”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_ConfigScopes.asp
“IPv4 Multicasting Technical Reference”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_Mcast_Intro.asp
“Best Practices”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_imp_BestPractices.asp
“DHCP Tools”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_tools.asp
“Security Information for DHCP”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_Security.asp
Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Join us for this presentation where we will investigate setup and configuration of RAS connections, the authorization of these connections, and finally implementing VPNs and IAS.
Resource Page for TechNet Webcast: Windows Server 2003 Administration Series (Part 10 of 12): VPN/RAS (Level 200), Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
“What is Dial-up Remote Access?”
“How Dial-up Remote Access Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dura_How.asp
Remote Access Concepts
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_RASS_concepts.asp
Virtual Private Networks for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
“What is VPN?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_what.asp
“How VPN Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_how.asp
Placing Remote Access Servers
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_zsom.asp
Selecting a VPN Protocol
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_riyr.asp
Concepts for IAS
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_tttg.asp
Determine the Role of the IAS Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_dprk.asp
Integrate IAS with the Certificate Infrastructure
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_xkyp.asp
Secure the IAS RADIUS Server and RADIUS Proxy
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_qnbl.asp
Join this webcast and learn what you need to know about routing, routing protocols and configuring routing on Windows Server 2003.
Windows Server Administration Webcast Series Homework Assignment #10
2. Windows Server 2003 Virtual Lab: “VPN Scenarios with ISA 2004”
http://www.microsoft.com/technet/vlab
On that Virtual Lab homepage, click on the ISA section.
…and we only have to wait until May 12th!
That’s when, according to gameindustry.biz, the official unveiling will be done. And on MTV, of all places!
Sometimes I see or read about really cool things from Microsoft… development tools and resources that really make me wish I were still a software engineer. I’ve always loved the creativity and problem solving that software development affords. Example: the new tools coming in Visual Studio 2005 still make me salivate, quite frankly.
I remember when I was a developer seeing good documentation coming from Microsoft and others, and getting really excited. I was especially pleased whenever Microsoft would release some white-paper about how THEY were doing development (the way I do now when I look at how Microsoft does IT, too.)
What made me think of that was a letter I found in my inbox this morning. Michael Howard sent a letter to the NTBugtraq e-mail listserver membership which was published earlier today. In it he describes a new Microsoft “Security Development Lifecycle” paper.
“The SDL is the process that Microsoft has implemented for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software developed under the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.”
So this is the sort of thing that, as a former developer, gets me excited on behalf of developers everywhere! You can compare your company’s secure development process to the way Microsoft does it, and borrow from our best practices. (Does the phrase, “Don’t reinvent the wheel” mean anything to you?)
And I encourage all of my counterparts on the MSDN team to blog about this paper, too.
My friend and colleague Chris Henley is leading a 12 week Webcast Series all about strategies and tools for the migration to Active Directory.
Chris is an excellent presenter and quite knowledgeable on the subject, so this is going to be a great series. Sign up for all of them! And if you missed some of them live, you can also view the previous session’s recordings on-demand.
(Free training – and a chance to win a Portable Media Center, too!)
The Microsoft Security Response Center has a blog address now. Check it out!
Subscribe to it if you’re interested in good security-related posts and updates.
Here is this week’s “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the bulk of the credit for the information in this document. You guys are the best!
I also want to make sure you have the link to the Session Resources I posted for Part 10, and the homework assignment as well.
Part 10 Questions and Answers:
“Who's serving the popcorn?”
Yum… I don’t know. I can’t smell it on my end.
“I hear a country station, is that normal?”
Um… let’s see… how do I answer this without offending Country Music fans? <chuckle> I think I’ll just not say anything.
“Kevin, out of all the presenters I’ve heard, you provide clear on-point info, and your presenting is top notch!!!! GJ”
I know you can’t see it now, but I’m blushing. Thanks!
“Is the Connection Manager in SBS 2003 basically a VPN connection?”
Connection Manager is the package that allows you to install the client side of a connection - It will help you set up a VPN among many other connectivity options.
“Using ISA 2004 and AD can I restrict what servers a remote client can access?”
Yes you can.
“Can I use IAS authentication without active directory?”
Check out this great resource on IAS: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/d98eb914-258c-4f0b-ad04-dc4db9e4ee63.mspx
“Why does the VPN disconnect after about 3 minutes when connecting from a XP-SP2 machine?”
Do you have the VPN connection setting set to disconnect after three minutes of inactivity? If so, then after 3 minutes of doing nothing on the connection, it would disconnect.
“Well I create an entry in DNS to redirect www to other machine inside the network which has the company website.”
If this server on the internal side of the network is not accessible from the Internet, then users coming from the Internet will fail.
“For the umpteenth time I had problems connecting to these webcasts. I missed the beginning and effectively missed the whole webcast. I have wasted my time again fighting the system. This is getting beyond serious - to being utterly ridiculous!!!”
I agree wholeheartedly. We’re very sorry for the troubles these issues have caused. You are right, it is inexcusable. I encourage you to please visit this link to report these issues and voice your opinions: http://register.microsoft.com/contactus30/contactus.asp?domain=multimedia/webcast
“How much overhead in the protocol is estimated for the Microsoft VPN flavor?”
There is no specific number on this but PPTP has less overhead than L2TP. The reason there is no specific information is because hardware and connections are so varied.
“Has MPPE-128 been cracked?”
Not that I'm aware of.
“Certainly software based solutions generate more overhead than hardware based solutions. I was just curious on the overhead for Microsoft's version. Thanks”
We have always seen great performance and very little overhead. As a previous network engineer for Microsoft, I have never seen a limit hit.
“Is there a step-by-step guide for setup of L2TP with IPSec? Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?”
To use different pre-shared keys for all L2TP over IPSec router-to-router VPN connections, configure the following...see http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/intwork/inbe_vpn_qaax.asp
“The wire server room is used a lot by you guys. Don’t you have other pictures?”
Yes we have a few, but that is by far one of all our favorites because we can relate, as we hope you can too. I guess I’ll use it a little less often now. <sigh>
“Can I save this event for resume later?”
You can download and view the event later.
“Is the following correct: VPN can accept 11 connections? If you need more create another VPN object?”
No, VPN can accept much more than 11 connections. If you have configured it to be limited to 11, then you are more than welcome to increase the limit.
“Is VPN in sbs2003?”
Yes, it is exactly the same as in a regular server. But one drawback is managing the VPN endpoint on a DC. That is a security risk. I would recommend one NIC and a router that allows PPTP (GRE and 1433) or L2TP NAT traversal to the one internal address.
“Where I can download the event?”
You will be receiving an email tomorrow with links to download.
“Is VPN preferable over Terminal Services for remote access?”
Both have a high level of encryption. VPN with RDP would be the most secure.
“Why are there two VPN servers? Is this another office? I thought you just needed one.”
I think what you were seeing there was the use of VPN for a site-to-site connection – so instead of it just being an employee connecting to the office, it’s also used for connecting one office to another, with two VPN servers on either side of the pipe.
“Has PPTP been broken?”
I do believe that was the case back in the Windows 95 / 98 heyday (1999). However, updated DUN components were released for W9x to address this. Windows 2000, XP and 2003 are not susceptible to this (to the best of my knowledge).
“thanks”
Thanks for coming! Any questions are good questions!
“Are there any webcasts coming on ms cluster services?”
There was one done last Friday (April 8, 2005) with Clustering and SQL - Other than that one try searching on Clustering at http://www.microsoft.com/webcasts
“Was presenter referring 11 connections limit to something else or I have misunderstood?”
At that point I was just talking about the demo systems and the configuration implemented.
“I understood that UDP is not as reliable as TCP so, can you use TCP with L2TP?”
Yes L2TP is only the tunneling protocol, whatever packets TCP or UDP are then sent over that.
“Is there a step-by-step guide for setup of L2TP with IPSec? Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server? RE: Step-by-step Guide for L2tP/IPSec - How about using certificates instead of pre-shared keys - can that be done? Is there a step-by-step?”
Might start here - http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/l2tpclientadmin.asp
“If they (hackers, listeners) go to that extent, don’t you think they will find another way to get in (listen). I just find it amusing that anyone would make a VPN on a dial-up connection.”
Well.. consider this scenario: Someone only has dialup for Internet Access (Netscape, Net Zero, EarthLink, whatever) at home, but their employer has only set up Internet VPN access which this person will need to use. So – they’re doing VPN over the Internet, but via their dialup connection. In fact, I was doing this very thing for at least a year before I had highspeed access at home.
“If PPTP is only set on the RRAS server is there any benefit to selecting automatic on type of VPN?”
If you mean the client, then yes, auto is fine. It will try both.
“When you create a VPN connection is there a way to keep a connection to the local network?”
Once you've created your VPN connection, you're still on the local network. You're given a new IP address for the destination network, but you have two IP addresses: one for the local network and one for the VPN network. Now… that doesn’t mean that your default gateway for Internet access hasn’t changed. That’s another issue.
“For VPNs, for which firewall ports do I need to configure an allow policy?”
PPTP is 1723 and the GRE protocol 47. Most routers will not work with L2TP.
“What happens if both local networks have the same local IP configs. ie: both are 192.168.0.x?”
There is no way to route between them if both networks are the same.
“Do you need to put an ACL on your firewall to allow a VPN that you have set up on your DC and workstation?”
You have to allow 1723 and GRE
“Is there a good way to export and import large amount of RADIUS clients?”
How to Add and Remove Radius Clients, see http://www.microsoft.com/technet/security/topics/cryptographyetc/secmod190.mspx
“What does RADIUS stand for?”
Remote Authentication Dial-In User Service (RADIUS)
“What's the RADIUS port(s)?”
RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, IAS supports receiving RADIUS messages destined to both sets of UDP ports. For information about changing the UDP ports that are used by IAS, see Configure IAS port information. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
“Why won't most routers work with L2TP and what can you do, if anything, to work around this? What about PPTP?”
Until 2003 there was no way to get through NAT with IPSec or L2TP. Most companies use NAT to allow them to address their internal network in a way that doesn’t require large numbers of valid external IP addresses to be used internally. These L2TP connections are UDP connections, usually over port 500. You have to make sure you have a router that can perform and allow NAT traversal back to your VPN server. It is in most newer routers.
“How much RAM does the machine hosting the virtual machines have?”
My laptop has a total of 2 GB of physical RAM. The virtual machines I am running for this series are configured to use 512MB, 512MB, and 256MB (two servers and an XP Pro Client).
“Is there information configuring radius for use with a wireless access point?”
A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9ecf38e5-3200-490d-83d8-2c624da94d8b.mspx
“To all you out there configuring an ISA… Unplug your connection to the Internet until your ISA is configured. I was hacked between the time I configured the NIC and the ISA server. This was a timeframe of less than 10 mins.”
Good point. And a good indication of the state of things today. NEVER connect a server or any PC directly to the Internet without first protecting it in some way. In your case, with your new server that is eventually going to be a firewall, you ran into something that is all too common. It takes now on average only 20 minutes for an unprotected machine to become infected. That is EXACTLY why we’re including things like Post Setup Security Update (PSSU) functions in Windows Server 2003 SP1 – installing the Windows Firewall and locking down external access until the machine is configured and up-to-date with the latest security updates.
“Thanks. I think I’ll see the recording. When will this be available? It's 23.00 in Norway. Must get sleep :-)”
Thanks for staying up for us!
“I thought it was not a good practice to run RRAS or IAS on a domain controller.”
Generally speaking, yes. For our demos, we tend to "break" a lot of the best practices rules due to limitations on number of virtual machines we can run effectively in one session.
“OK Thanks. You guys are great.”
Thanks for attending. Always a pleasure to help.
“Can you specify a backup RADIUS server?”
Check out - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/54f4f112-d473-4b18-9501-53e92c5d4467.mspx
“1. Install 2003 server. 2. Configure NIC 3. Get hacked 4. Install ISA Server. Between 3 and 4 you are totally exposed, right?!”
If you are connected to the Internet during this installation process; yes, that is correct. If you were installing Windows 2003 with SP1 (slipstreamed), then the Firewall service would come active immediately to prevent step 3. (See my PSSU comment earlier) However, I would highly recommend that you install your servers without direct connectivity to the Internet until you've fully configured and secured it.
“Will there be a webcast on wireless w/certificate services for windows 2003?”
None currently planned that I’m aware of.
“Can I make this work with a Cisco router?”
As long as your router is up to date, PPTP is easy and L2TP is dependent on you having 2003 server and the ability for the router to pass L2TP.
“Applause!!!”
[bow] Thanks!
“Thank you ....when does this whole series repeat?”
You will be able to view or download the webcasts from this series anytime you want.
“My Cisco router has no firewall, but NAT is enabled. Is this a problem for L2TP?”
You will need to find out if it has the ability to allow l2tp traffic to pass through.
“I received an invitation to attend TechEd Europe in Amsterdam. Is this worth the money?”
TechEd is a very informative conference. And I am one of the biggest fans of TechEd you’re going to meet. One other noteworthy item is that our people in the product groups are GOALED on attending TechED and a couple of conferences. Therefore I do believe it would be worth your time.
“netopia made it sound like I need their router for a vpn, not true?”
Netopia offers a hardware based VPN solution. You can buy that, or you can go with a software solution such as the RRAS that’s already included in Windows Server 2003.
“I may be a little slow here, but what is the advantage of setting up a RADIUS server vs just VPN connections?”
RADIUS is just another way to authenticate users. It is a standard for both authentication and authorization, as well as accounting. Being standard, it can be used by many different hardware and software devices requiring authentication. And if it’s Microsoft’s IAS, it’s also able to use Active Directory accounts for that authentication. And it can be a central authorization point for RAS servers, with common Remote Access policies being managed there.
“I was thinking about choose the RAS client by IP or DNS”
I’m not sure what you were asking, but you may be referring to the demo where I configured the VPN client to connect to the external IP address of the VPN Server. Yes, if you want, you could also have a name defined for that address and as long as DNS is able to resolve it, you can add that in the connection parameters as well.
“Would running remote desktop connections through a VPN be a good practice or is that just a redundant level of security?”
Redundancy is always good - especially in Security. But if you are assured of an encrypted connection for RDP, you are safe.
“Is this correct - A person is using a WiFi and VPN into a network. Is the Internet controlled by VPN network permissions of by the WiFi provider?”
Completely by the VPN. WiFi would only be a concern if it was actually a connection on your internal network, then you would not need VPN.
“Can Kevin share those funny pictures with us?”
Absolutely!
Have a great day!
If you haven’t signed up already, you’d better get signed up soon! I’d love to meet you there!
Make sure you introduce yourself to me. I’ll probably be hanging out by the cabanas and answering questions when I’m not attending the many great IT Pro-related sessions going on.
See you there!
My friend and developer/MSDN presenter colleague Jacob posted about this, and I’m going to steal it from him. <heh>
Hitachi has a fun animation showing off the potential for new hard disk storage technology… a GREAT example of explaining something in simple terms that would otherwise cause most people’s heads to explode if simply described. Fun stuff!
Windows Server Administration Webcast Series Homework
DHCP
Homework Assignment #9
2. Review DHCP Online Documentation
Click on and read through at least the first two from my Session Resource Page:
“What is DHCP?” http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works” http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
This question was asked during my TechNet Briefing event held yesterday (April 5th) in Appleton, Wisconsin.
The Answer: No, and Yes.
I found the answer in the Security Configuration Wizard Documentation, specifically page 10 of the deployment document which states:
“To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters.”
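To show what that looks like in practice, here is a batch file added as an example for this post; it is not from the SCW deployment document or from Microsoft. It assumes a policy saved from the SCW UI as Baseline.xml and a servers.txt with one host name per line, both next to the script. It uses /m: once per server (instead of /i: with a machine list) so that each failure can be logged on its own, and it runs scwcmd analyze first, which only reports differences and changes nothing.

```batch
@echo off
rem Added example (not from the SCW docs or this blog): apply one SCW policy
rem to several servers with scwcmd, analyzing before configuring.
rem Assumptions: servers.txt (one host name per line) and Baseline.xml
rem (a policy saved by the SCW UI) sit next to this script.
setlocal

set POLICY=%~dp0Baseline.xml
set LIST=%~dp0servers.txt
set REPORTS=%~dp0scw-reports

if not exist "%REPORTS%" mkdir "%REPORTS%"

rem Pass 1: dry run. "scwcmd analyze" writes one XML result per server
rem saying which settings differ from the policy; nothing is changed.
for /F "usebackq delims=" %%S in ("%LIST%") do (
    echo Analyzing %%S ...
    scwcmd analyze /m:%%S /p:"%POLICY%" /o:"%REPORTS%"
)

echo.
echo Review the results in "%REPORTS%" (scwcmd view /x:result.xml renders one).
echo Press Ctrl+C to stop here if anything looks wrong, otherwise
pause

rem Pass 2: enforce. Services the policy disables stop being available, so
rem run this in a maintenance window and keep a failure list to follow up on.
for /F "usebackq delims=" %%S in ("%LIST%") do (
    echo Configuring %%S ...
    scwcmd configure /m:%%S /p:"%POLICY%"
    if errorlevel 1 echo FAILED on %%S >> "%REPORTS%\failures.txt"
)
endlocal
```

Run it from an account that is a local administrator on every server in the list; the analyze pass is the check you want before a policy that closes ports and disables services lands on a dozen machines at once.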
Also – a VERY good resource of information is an on-demand webcast by Peter Meister, Lead Product Manager, Windows Server 2003, entitled “Windows Server 2003 Service Pack 1 – Security Configuration and Role-Based Server Deployment”
Enjoy!
Just a comment on what a strange day it’s been. I’m currently staying at a Sheraton in Madison, as tomorrow we’re doing live TechNet and other events at the Alliant Energy Center.
Today, however, in less than one hour, I’ll be doing a webcast from the hotel. Now… typically when I book my rooms I call the hotel to see if they have high-speed Internet. I’m a snob that way, I guess. <sigh> But more so if I’m going to do a webcast, I usually want to make sure that the Internet access is WIRED as opposed to WIRELESS.
Well… having not found any WIRED hotel rooms near the Alliant Energy Center, I decided to stay where the rest of my team were staying here at the Sheraton.
Problem: WiFi here has been up and down all day. Not good for webcasting at all.
Solution: The folks here are going to let me reserve the WIRED connection located in their Business Center here. They even provided me a phone for the audio portion of the webcast. (I’m heading down in just a couple minutes to set things up.)
In the meantime, I happened to see that the wireless from the hotel next door is available, so I’m using a low-signal, 1Mbps connection right now. I guess that’s the punch-line to an already interesting day.
Gotta run! Webcast time!
Yay! No major audio or timing issues this week! It’s so much fun when things go right!
Here, is this week’s “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Wonderful!
Also, I want to make sure you have the link to the Session Resources I posted for Part 9, and the homework assignment as well.
Part 9 Questions and Answers:
“Thanks for the informative webcast every week. Sometimes it would be nice if the webcast were earlier in the morning for you, because it is exhausting to see all the good webcasts late in the evening for us in Europe.”
Yeah… that’s a problem I wish I had considered further when originally scheduling these. Much of my job involves travel. I do these webcasts more often than not in hotels or other Microsoft Offices. During my normal TechNet Event weeks, Wednesdays are usually travel days between Tuesday and Thursday events, so if I can’t get a flight out or drive to the next location on Tuesday night, I’ll be doing it Wednesday morning… which is why I thought later on Wednesday afternoon would be better.
If I get the opportunity to do another series (and I’d LOVE to!), I’ll see if we can do it Monday morning instead.
“Will the past 2 events be available in live meeting format soon?”
The last one [part 8] should be posted. We've had problems with and are still trying to recover part 7.
Keith Combs: “I love DHCP”
Thanks, Keith.
“Can we download any presentation as WMA, not PDF? Thanks.”
The WMV archive will be available 72 hours after the event.
“This is off topic, but our company would like to use this MS Office Live Meeting 7 application format for providing online demos with government Public Health Laboratories. Can you direct me to more information of how to utilize this application for such purposes (purchase, configuration, etc.)? Good class.”
Thanks. Have you looked at http://www.microsoft.com/livemeeting?
“No, that is the kind of thing I was asking about. Thank you. Are there others you know of?”
Yes. You might also check http://www.microsoft.com/office/livecomm/prodinfo/default.mspx
“Would you include addresses that are going to be reserved in an exclusion range?”
Yes, that's another good way to self document those addresses.
“Is it better to use exclusions or a narrow pool range to place static entries for like servers and printers?”
Because of the inflexibility of Pools once you’ve defined them, I would make them large to begin with, and then use exclusions to narrow down what is actually being handed out by individual DHCP servers.
“Followup to the exclusion question - is there any impact to doing it either way?”
Other than the inflexibility of re-configuring pools, no.
“Is there any way to issue out IPv6 IP addresses via DHCP?”
Not aware of any - Great Overview here - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/14_s3ip6.mspx
“If you have an address range for DHCP to give out, but some of those addresses are used in reservations, would DHCP know not to give out those addresses or would it cause conflicts?”
Yes, it will not give that out, but be aware that if it is already in use, it won't force a release on the address.
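Putting the last few answers together (a wide pool, exclusions for the static gear, a reservation inside the pool, and the server not forcing anything off an address that is already in use), here is a batch file added as an example; it is not from the webcast or the Q&A log. The server name DHCP01, the 10.0.1.0/24 subnet and the printer MAC address are all made up for the example.

```batch
@echo off
rem Added example (not from the webcast): build a scope the way the answers
rem above describe, then read the configuration back from the server.
rem Assumptions: DHCP server DHCP01, subnet 10.0.1.0/24, a made-up MAC.
set SRV=\\DHCP01
set SCOPE=10.0.1.0

rem Wide pool first; narrowing a pool later means recreating the scope.
netsh dhcp server %SRV% add scope %SCOPE% 255.255.255.0 "Office LAN" "Main building"
netsh dhcp server %SRV% scope %SCOPE% add iprange 10.0.1.1 10.0.1.254

rem Exclusions carve out the static servers, printers and the router. DHCP
rem never offers these, and the exclusion list documents what is static.
netsh dhcp server %SRV% scope %SCOPE% add excluderange 10.0.1.1 10.0.1.30
netsh dhcp server %SRV% scope %SCOPE% add excluderange 10.0.1.250 10.0.1.254

rem A reservation inside the pool: that lease only ever goes to this MAC.
netsh dhcp server %SRV% scope %SCOPE% add reservedip 10.0.1.40 000c29aabbcc "print1" "Lobby printer" BOTH

rem Have the server ping an address before offering it (two tries). This is
rem the only guard against something already squatting on a pool address;
rem the server will not force that device off the address.
netsh dhcp server %SRV% set detectconflictretry 2

netsh dhcp server %SRV% scope %SCOPE% set state 1

rem Verify: pool, exclusions and reservations as the server actually has them.
netsh dhcp server %SRV% scope %SCOPE% show iprange
netsh dhcp server %SRV% scope %SCOPE% show excluderange
netsh dhcp server %SRV% scope %SCOPE% show reservedip
```

Run it from a DHCP Administrator account. The three show commands at the end are the check worth keeping around, since an exclusion typed into the wrong scope fails silently from the client's point of view until a server gets a duplicate address.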
“We have a number of remote users and I want to assign them an address when they VPN in. Is there a good article describing this when using a domain controller with and a separate RRAS server?”
An address that is the same each time they connect, or just any address from a pool?
“Can be either. Whatever would be the best practice.”
Most people set up a pool for VPN clients. Less maintenance and hassle.
“OK Is there a good KB article for setting up a pool?”
All of the VPN deployment and planning docs will go through this. It is also in the ISA Server 2004 planning documents in case you are using our firewall product.
“Should you confirm that there are no entries in the other tabs in TCP/IP properties before you switch to automatic pickup?”
No need.
“Does the DHCP server have to have a static address or can it obtain a reserved IP address from its own database?”
It should have a static address.
“If you are going from a static IP environment to a DHCP environment, will you have to touch each PC to make that change, or is there another way?”
You could use NETSH - http://support.microsoft.com/default.aspx?scid=kb;en-us;257748
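As an added example (not from the Q&A or from the KB article), here is the netsh sequence that moves a Windows 2000/XP/2003 machine from a static address to DHCP, with a before/after check. It assumes the adapter still carries the default name "Local Area Connection".

```batch
@echo off
rem Added example (not from KB 257748): switch one adapter from a static
rem address to DHCP with netsh, then confirm what it got.
rem Assumption: the adapter is named "Local Area Connection".
set NIC=Local Area Connection

rem Save the static settings first so they can be put back by hand if needed.
netsh interface ip show config name="%NIC%" > "%TEMP%\ip-before.txt"

rem Address, DNS and WINS all move to DHCP. A static DNS entry left behind
rem keeps the box pointed at the old resolver after the address changes.
netsh interface ip set address name="%NIC%" source=dhcp
netsh interface ip set dns name="%NIC%" source=dhcp
netsh interface ip set wins name="%NIC%" source=dhcp

ipconfig /renew "%NIC%"

rem Verify: DHCP enabled, and the lease, DNS and WINS servers it was handed.
netsh interface ip show config name="%NIC%"
```

Run it at the console or from a startup script rather than over a remote session on the same adapter, since the session drops the moment the address changes. Any machine others reach by its old fixed address (a print server, an application box) should get a reservation on the DHCP server before it is switched over.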
“I have a Linux-based computer set up for DHCP now. Can I configure a W2k server for DHCP while it's running on the Linux box, or do I need to shut down the Linux box first before configuring DHCP on the W2k server?”
It’s just another DHCP server on the line, so there shouldn’t be any issues unless they are both being configured to hand out the same or overlapping address ranges.
“Can you delete the bad scope or just leave it alone?”
You can delete it. I just left it in the demo so I could also show how superscopes were configured.
“When configuring a pool with a router, how will the dhcp know which ip address to give out for each subnet?”
Like most things computer related, it will do only what you tell it to – not what you WANT it to. If you’re using your router as a DHCP server, then you have to be aware what addresses it’s responsible for, just as you would if you were configuring more than one DHCP server within the same physical networked area.
“How can we integrate dhcp with DNS?”
Active Directory Integrated with DDNS - http://support.microsoft.com/default.aspx?scid=kb;en-us;816592
“I would like Kevin to settle a debate. When is DHCP best handled by a gateway vs. a server?”
I wasn’t aware there was a debate. Do you mean, “Should I have my router handle addressing for me or should I have a separate server?” ? If you are happy with how your router is working, and if you don’t mind having that single point of failure, and want to limit how much (if any) logging or auditing you have available.. and don’t want flexible configuration options… then by all means, use your router. <grin>
“One DHCP server with multiple subnets, all with different address pools: how can I ensure the right IP address goes to the correct subnet?”
Typically that is the job of the Relay Agent on a particular subnet - http://support.microsoft.com/default.aspx?scid=kb;en-us;120932
“I was trained to use the DORK acronym: discover, offer, release, acknowledge.”
Cool.
“Can the clients still connect to resources on the network if I reboot the DHCP server?”
Yes. A DHCP server will only affect the clients if they go to request an address, and it's down.
Cheers!