Windows 2000 Remote Access

dingdongboom, Networking and Communications

Oct 27, 2013





Remote Access Overview

With Windows 2000 remote access, remote access clients connect to remote access servers and are transparently connected either to the remote access server itself, known as point-to-point remote access connectivity, or to the network to which the remote access server is attached, known as point-to-LAN remote access connectivity. This transparent connection allows remote access clients to dial in from remote locations and access resources as if they were physically attached to the network.



Remote Access Overview

Windows 2000 remote access provides two different types of remote access connectivity:

Dial-up remote access: with dial-up remote access, a remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.

Virtual private network (VPN) remote access: with virtual private network remote access, a VPN client uses an IP internetwork to create a virtual point-to-point connection with a remote access server acting as the VPN server.


VPN Introduction

A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.



Elements of a VPN Connection

VPN server
VPN client
Tunnel
VPN connection
Tunneling protocols
Tunneled data
Transit internetwork




VPN Connections

Creating the VPN is very similar to establishing a point-to-point connection using dial-up networking and demand-dial routing procedures. There are two types of VPN connections:

Remote access VPN connection
Router-to-router VPN connection





Common Uses of VPNs

Remote user access over the Internet

Connecting networks over the Internet:
Using dedicated lines to connect a branch office to a corporate LAN
Using a dial-up line to connect a branch office to a corporate LAN

Remote access over an intranet

Connecting networks over an intranet

Basic VPN Requirements

User authentication
Address management
Data encryption
Key management
Multiprotocol support



Tunneling Basics

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network.


Tunneling Basics

Tunneling technologies have been in existence for some time. Some examples of mature technologies include:

SNA tunneling over IP internetworks
IPX tunneling for Novell NetWare over IP internetworks
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IP Security (IPSec) tunnel mode




Tunneling Protocols

Tunneling protocols and the basic tunneling requirements:

User authentication
Token card support
Dynamic address assignment
Data compression
Data encryption
Key management
Multiprotocol support


Tunneling Protocols

Point-to-Point Protocol (PPP)

Phase 1: PPP Link Establishment
Phase 2: User Authentication
    Password Authentication Protocol (PAP)
    Challenge-Handshake Authentication Protocol (CHAP)
    Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
Phase 3: PPP Callback Control
Phase 4: Invoking Network Layer Protocol(s)
Data-Transfer Phase
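As an added example (not part of the original slides), the CHAP exchange of PPP Phase 2 as defined in RFC 1994, written in Python: the authenticator sends a random challenge, the peer answers with MD5(Identifier || secret || challenge), and the shared secret itself never crosses the link, which is the property PAP lacks. The names ChapAuthenticator, chap_response and run_exchange are hypothetical, and the user and secret are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict

# Hypothetical names (chap_response, ChapAuthenticator, run_exchange), used only for illustration.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side of PPP Phase 2 with CHAP; holds per-peer shared secrets."""

    def __init__(self, secrets: Dict[bytes, bytes]) -> None:
        self.secrets = secrets                       # peer Name -> shared secret
        self.pending: Dict[int, bytes] = {}          # Identifier -> outstanding Challenge Value

    def challenge(self, identifier: int) -> bytes:
        # A fresh random Challenge Value per attempt; only this value and the Name go on the link.
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        # pop(): each challenge is usable exactly once, so a captured Response cannot be replayed.
        value = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange(auth: ChapAuthenticator, name: bytes, peer_secret: bytes,
                 identifier: int = 1) -> bool:
    """Both sides of one exchange: Challenge -> Response -> Success/Failure."""
    value = auth.challenge(identifier)                        # authenticator -> peer
    response = chap_response(identifier, peer_secret, value)  # peer -> authenticator
    return auth.verify(identifier, name, response)            # authenticator decides


if __name__ == "__main__":
    auth = ChapAuthenticator({b"alice": b"constructed-secret"})  # constructed sample peer
    print(run_exchange(auth, b"alice", b"constructed-secret"))  # True
    print(run_exchange(auth, b"alice", b"wrong"))               # False
```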


Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F)
Layer 2 Tunneling Protocol (L2TP)






Active Directory

A core feature of distributed systems in Microsoft Windows 2000


Logical Structure in Active Directory

Active Directory is the directory service used to store information about network objects; it implements services that make that information available within its domain and usable by users, computers and applications.

It is based on the Lightweight Directory Access Protocol (LDAP). LDAP is implemented for several UNIX operating systems and is derived from DAP and the X.500 protocol.

The Domain Name System (DNS) hierarchical naming system and Windows 2000 trust relationships provide a consistent, logical structure:

1. Active Directory stores information about objects in one or more domains.

2. Trust relationship: a logical relationship established between domains that allows pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.


Domain Hierarchy in Active Directory

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.

Two-way hierarchy, not a flat structure as in Windows NT:

1. Implicitly transitive.

2. Allows searching multiple domains in one query, because each domain knows the domain immediately below and above it.


Active Directory and DNS

DNS is a naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa.

Similarities: Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Both share an identical domain structure.

Difference: although these domain hierarchies have identical names, they represent separate namespaces. In each namespace, specific rules determine how names can be created and used. DNS stores zones and resource records, and Active Directory stores domains and domain objects. Active Directory stores information about objects in one or more domains.
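An added example (not from the original slides) that models the two slides above in Python: a domain tree named with DNS labels, where each domain knows only its parent and children, the same labels rendered as the separate LDAP namespace, and the implicitly transitive trust path a pass-through authentication follows up to the nearest common ancestor and back down. It models a single tree only; tree-root trusts between the trees of a forest are not represented, and the names dn_for, DomainTree and trust_path are hypothetical.

```python
from typing import Dict, List, Optional

# Hypothetical helper names (dn_for, DomainTree, trust_path), used only for illustration.


def dn_for(dns_name: str) -> str:
    """LDAP distinguished name of an AD domain: the same DNS labels in the other namespace."""
    return ",".join("DC=" + label for label in dns_name.lower().split("."))


class DomainTree:
    """One Windows 2000 domain tree: each domain knows only the domain directly above and below it."""

    def __init__(self, domains: List[str]) -> None:
        self.domains = {d.lower() for d in domains}
        # A child domain's DNS name is its parent's DNS name with one extra leading label.
        self.parent: Dict[str, Optional[str]] = {d: self._parent_of(d) for d in self.domains}

    def _parent_of(self, domain: str) -> Optional[str]:
        candidate = domain.split(".", 1)[1] if "." in domain else ""
        return candidate if candidate in self.domains else None   # None marks a tree root

    def chain_to_root(self, domain: str) -> List[str]:
        chain = [domain]
        while self.parent.get(chain[-1]) is not None:
            chain.append(self.parent[chain[-1]])
        return chain

    def trust_path(self, trusting: str, trusted: str) -> Optional[List[str]]:
        """Domains a pass-through authentication crosses from the trusting domain to the
        trusted one, following only parent/child links; None when no trust exists."""
        up = self.chain_to_root(trusting.lower())
        down = self.chain_to_root(trusted.lower())
        if up[-1] != down[-1]:
            return None               # no shared tree root in this model: no implicit trust
        common = next(d for d in up if d in down)   # nearest common ancestor
        return up[: up.index(common)] + [common] + down[: down.index(common)][::-1]

    def trusts(self, trusting: str, trusted: str) -> bool:
        return self.trust_path(trusting, trusted) is not None


if __name__ == "__main__":
    # Constructed sample tree; "other.net" is an unrelated root with no trust to it.
    tree = DomainTree(["example.com", "corp.example.com", "sales.corp.example.com",
                       "dev.corp.example.com", "other.net"])
    print(dn_for("corp.example.com"))
    print(tree.trust_path("sales.corp.example.com", "dev.corp.example.com"))
    print(tree.trusts("sales.corp.example.com", "other.net"))
```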





Domain Controller in Active Directory

A domain controller is a computer that is running Windows 2000 Server and hosts Active Directory. Each domain controller must have a DNS server installed.

A domain controller stores directory partitions. Directory partitions (also known as "naming contexts") correspond to the logically distributed segments of Active Directory.

Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.

In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers.




DNS Hostnames and Windows 2000 Computer Names

In Windows NT 4.0 and earlier, DNS names were not required. A computer was identified primarily by a NetBIOS name, a name that is recognized by WINS (Windows Internet Name Service). WINS maps the name to a static IP address or to an address configured dynamically by the Dynamic Host Configuration Protocol (DHCP).

In UNIX, the NIS service provides a similar name resolution service.

For backward compatibility, a Windows 2000 computer's DNS name has two parts:

1. DNS hostname: the computer's account name stored in Active Directory, which is the NetBIOS computer name.

2. DNS suffix: the DNS domain name.


Active Directory and Windows 2000 Architecture

Two processor access modes: kernel and user.

The security subsystem in user mode is the module in which Active Directory runs. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem.

The tight integration of the directory service and security subsystem services is key to the implementation of the Windows 2000 distributed system. For example, access to all directory objects first requires proof of identity (authentication), which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the access control applied to Active Directory objects.

Active Directory within the Windows 2000 OS

Directory Service Architecture

Active Directory functionality can be described as a layered architecture in which the layers represent the server processes that provide directory services to client applications.

Active Directory consists of three service layers and several interfaces and protocols.

The three service layers accommodate the different types of information that are required to locate records in the directory database. Above the service layers in this architecture are the protocols and APIs (APIs are on the clients only) that enable communication between clients and directory services.


Active Directory Data Model

The Active Directory data model is derived from the X.500 model of objects and attributes.

An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application.

Container is a structural class of object.

The universe of objects that can be stored in Active Directory is defined in the schema.

The schema defines the objects and specifies the relationships between classes of objects.

Location of the Schema in Active Directory

The objects stored in Active Directory are arranged in a logical hierarchy called the Directory Information Tree (DIT).

Active Directory includes a preconfigured database (commonly referred to as the base DIT) that contains the information that is required to install and run Windows 2000 and Active Directory.

The Directory Information Tree is divided into directory partitions. A directory partition is a tree of directory objects that forms a unit of replication in Active Directory.

All changes made to Active Directory are validated first against the schema.





Active Directory Replication

Replication is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.

Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way.

Replication topology is the set of connections by which domain controllers in a forest synchronize the directory partition replicas that they have in common.

The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers on the basis of the most favorable connections that are available at the time.