Windows 2000 Remote Access

dingdongboom, Networking and Communications

Oct 27, 2013

Remote Access Overview

With Windows 2000 remote access, remote access clients connect to remote access servers and are transparently connected either to the remote access server itself, known as point-to-point remote access connectivity, or to the network to which the remote access server is attached, known as point-to-LAN remote access connectivity. This transparent connection allows remote access clients to dial in from remote locations and access resources as if they were physically attached to the network.

Remote Access Overview

Windows 2000 remote access provides two different types of remote access connectivity:

Dial-up remote access

With dial-up remote access, a remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.

Virtual private network (VPN) remote access

With virtual private network remote access, a VPN client uses an IP internetwork to create a virtual point-to-point connection with a remote access server acting as the VPN server.

VPN Introduction

A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.

Elements of a VPN Connection

VPN server

VPN client


VPN connection

Tunneling protocols

Tunneled data

Transit internetwork

VPN Connections

Creating a VPN is very similar to establishing a point-to-point connection using dial-up networking and demand-dial routing procedures. There are two types of VPN connections:

Remote Access VPN Connection

Router-to-Router VPN Connection

Common Uses of VPNs

Remote User Access Over the Internet

Common Uses of VPNs

Connecting Networks Over the Internet

Using dedicated lines to connect a branch office to a corporate LAN

Using a dial-up line to connect a branch office to a corporate LAN

Common Uses of VPNs

Remote Access over an Intranet

Common Uses of VPNs

Connecting Networks over an Intranet

Basic VPN Requirements

User Authentication

Address Management

Data Encryption

Key Management

Multiprotocol Support



Tunneling

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network.


Tunneling technologies have been in existence for some time. Some examples of mature technologies include:

SNA tunneling over IP internetworks

IPX tunneling for Novell NetWare over IP

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IP Security (IPSec) Tunnel Mode

Tunneling Protocols

Tunneling Protocols and the Basic Tunneling Requirements

User Authentication

Token card support

Dynamic address assignment

Data compression

Data encryption

Key Management

Multiprotocol support

Tunneling Protocols

Point-to-Point Protocol (PPP)

Phase 1: PPP Link Establishment

Phase 2: User Authentication

Password Authentication Protocol (PAP)

Challenge-Handshake Authentication Protocol (CHAP)

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

Phase 3: PPP Callback Control

Phase 4: Invoking Network Layer Protocol(s)

Data-Transfer Phase
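The difference between PAP and CHAP in Phase 2 is easiest to see in code. The following is an added example, not part of the original deck: it implements the MD5-based CHAP response of RFC 1994 (not the MS-CHAP variant), checks it on the server side, and shows why a fresh challenge matters. The shared secret and the fixed challenge are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample values (not from the original deck): the secret shared
# between the dial-in client and the remote access server, and a fixed
# challenge so the exchange below is reproducible.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP: the client sends the password itself across the link, so anyone
    who can observe the PPP frames learns the credential."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret never leaves either side; only the challenge and the hash do."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, server_secret: bytes,
                  challenge: bytes = SAMPLE_CHALLENGE, identifier: int = 1) -> bool:
    """One full Phase 2 exchange: server challenges, client answers, server checks."""
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)


def replay_succeeds(secret: bytes) -> bool:
    """Shows why the challenge must be fresh: a response computed for one
    challenge does not verify against a different, newly chosen challenge."""
    old_response = chap_response(1, secret, SAMPLE_CHALLENGE)
    new_challenge = secrets.token_bytes(16)  # the server picks a new nonce
    return chap_verify(1, secret, new_challenge, old_response)


if __name__ == "__main__":
    print("PAP sends:", pap_authenticate_request("alice", "hunter2"))
    print("CHAP ok:", chap_exchange(SHARED_SECRET, SHARED_SECRET))
    print("CHAP wrong secret:", chap_exchange(b"guess", SHARED_SECRET))
    print("Replay accepted:", replay_succeeds(SHARED_SECRET))
```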

Tunneling Protocols

Point Tunneling Protocol (PPTP)

Layer 2 Forwarding (L2F)

Layer 2 Tunneling Protocol (L2TP)

Active Directory

A core feature of distributed systems in Microsoft Windows 2000

Logical Structure in Active Directory

Active Directory is the directory service used to store information about network objects; it implements services that make that information available within its domain and usable to users, computers and

It is based on the Lightweight Directory Access Protocol (LDAP). LDAP is implemented for several UNIX operating systems and is derived from DAP and the X.500 protocol.

The Domain Name System (DNS) hierarchical naming system and Windows trust relationships provide a consistent, logical structure:

1. Active Directory stores information about objects in one or more domains.

2. Trust Relationship: a logical relationship established between domains that allows pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.

Domain Hierarchy in Active Directory

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.

way hierarchy: not a flat structure as in Windows NT

1. Implicitly transitive.

2. Allows searching multiple domains in one query, because each domain knows the domain immediately below and above it.

Active Directory and DNS

DNS is a naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa.

Similarities: Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Both share an identical domain structure.

Difference: although these domain hierarchies have identical names, they represent separate namespaces. In each namespace, specific rules determine how names can be created and used. DNS stores zones and resource records, and Active Directory stores domains and domain objects. Active Directory stores information about objects in one or more domains.

Domain Controller in Active Directory

A domain controller is a computer that is running Windows 2000 Server and hosts Active Directory. Each domain controller must have a DNS server installed.

A domain controller stores directory partitions. Directory partitions (also known as "naming contexts") correspond to the logically distributed segments of Active Directory.

Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.

In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers.

DNS Hostnames and Windows 2000 Computer Names

In Windows NT 4.0 and earlier, DNS names were not required. A computer is identified primarily by a NetBIOS name, a name that is recognized by WINS (Windows Internet Name Service). WINS maps the name to a static IP address or to an address configured dynamically by the Dynamic Host Configuration Protocol (DHCP).

In Unix, the NIS service provides a similar name resolution service.

For backward compatibility, a Windows 2000 computer's DNS name has two parts:

1. DNS hostname: the computer's account name that is stored in Active Directory, which is the NetBIOS computer name.

2. DNS suffix: the DNS domain name.

Active Directory and DNS

Active Directory and Windows 2000 Architecture

Two processor access modes: kernel and user.

The security subsystem in user mode is the module in which Active Directory runs. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem.

The tight integration of the directory service and security subsystem services is key to the implementation of the Windows 2000 distributed system. For example, access to any directory object first requires proof of identity, which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the

applied to Active Directory objects

Active Directory within the Windows 2000 OS

Directory Service Architecture

Active Directory functionality can be described as a layered architecture in which the layers represent the server processes that provide directory services to client applications.

Active Directory consists of three service layers and several interfaces and protocols.

The three service layers accommodate the different types of information that are required to locate records in the directory database. Above the service layers in this architecture are the protocols and APIs (the APIs exist on the clients only) that enable communication between clients and directory services.

Directory Service Architecture

Active Directory Data Model

The Active Directory data model is derived from the X.500 model of objects and attributes.

An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application.

A container is a structural class of object.

The universe of objects that can be stored in Active Directory is defined in the schema.

The schema defines the objects and specifies the relationships between classes of objects.

Location of the Schema in Active Directory

The objects stored in Active Directory are arranged in a logical hierarchy called the Directory Information Tree (DIT).

Active Directory includes a preconfigured database (commonly referred to as the base DIT) that contains the information that is required to install and run Windows 2000 and Active Directory.

The Directory Information Tree is divided into directory partitions. A directory partition is a tree of directory objects that forms a unit of replication in Active Directory.

All changes made to Active Directory are validated first against the schema.
Active Directory Replication

Replication is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.

Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way.

Replication topology is the set of connections by which domain controllers in a forest synchronize the directory partition replicas that they have in common.

The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers on the basis of the most favorable connections that are available at the time.