Chapter 1: Configuring IP Addressing and Services

What underlying technology is common to Active Directory Domain Services and the other client-server features included with Windows Server 2008? The basic network protocols that are used for communicating across the Internet and most enterprise networks today: Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv4 is nearly 30 years old, and its structural weaknesses are affecting network design and utilization; its biggest challenge is the exhaustion of available IP addresses. IPv6 was introduced in 1996; its address space is large enough for every human alive to own billions and billions of addresses. What happened to IPv5? It was created, but it was designed as a complement to, not a replacement for, IPv4. IPv5, also known as the Internet Stream Protocol, was designed for transmitting streams of data such as digital audio and video; it was never introduced for public use.

This chapter examines the details of managing both static and dynamic IP addresses, routing, and security technologies built on top of IPv4. Topics that are covered include:

  • Configure IPv4 and IPv6 addressing.
  • Configure Dynamic Host Configuration Protocol (DHCP).
  • Configure routing.
  • Configure IPsec.

Configuring IPv4 and IPv6 addressing

In this section we will examine configuring IP addresses from a client point of view. Other perspectives, such as that of a Dynamic Host Configuration Protocol (DHCP) server or a network device such as a router, are discussed in subsequent sections of this chapter. To manage IP address information using a graphical tool, open Network and Sharing Center in Control Panel and select Manage network connections. The Network Connections folder lists the installed network adapters; right-click on an adapter and select Properties to view and configure the clients, protocols, and services bound to the adapter. Double-click on Internet Protocol Version 4 to change the primary address, and click Advanced to configure multiple addresses and gateways, as shown in figure 1. There are Add, Edit, and Remove buttons for both IP addresses and default gateways.

Figure 1: Configuring Advanced TCP/IP Settings.

Click the DNS tab in the Advanced TCP/IP Settings dialog box, as shown in figure 2. From here you can configure additional DNS servers, modify existing ones, and change the order of preference. You can also configure DNS suffixes and enable or disable Register this connection's addresses in DNS; this option determines whether the DHCP client automatically registers itself with the DNS server via Dynamic DNS.

Figure 2: Configuring Advanced DNS Settings.

Click the WINS tab in the Advanced TCP/IP Settings dialog box, as shown in figure 3, to configure WINS servers and NetBIOS over TCP/IP. Although WINS is not required for a network that includes only current Windows clients, Windows servers, and AD DS, other applications and platforms do require it.

Figure 3: Configuring WINS and NetBIOS over TCP/IP

Normally servers are assigned static IP addresses; in fact certain servers, such as those providing DNS, WINS, and DHCP services, must be. However, it is possible to configure other classes of servers to use dynamic addresses. If you do that, another tab called Alternate Configuration becomes available in the Internet Protocol Version 4 (TCP/IP) Properties dialog box. The settings defined on this tab are used if the DHCP client is unable to contact a DHCP server. The default behavior is for the client to use Automatic Private IP Addressing (APIPA) to select an address between 169.254.0.1 and 169.254.255.254 with a subnet mask of 255.255.0.0. On this tab you can configure the computer to use a static address instead of APIPA.

Figure 4: Configuring the TCP/IP Alternate Configuration

The TCP/IP settings can also be configured from a command prompt using netsh. Netsh is a powerful tool that can be used to manage virtually all TCP/IP settings, the Windows Firewall with Advanced Security, and IPsec. It leverages helpers, Dynamic Link Library (.dll) files that extend its capabilities, and you access different helpers by changing the netsh context. An example might make this easier to understand: open a command prompt and enter netsh. You should now see the netsh prompt; enter interface to switch to the interface context. At any time you can enter ? to see which commands and contexts are available from your current netsh context. An interesting capability of netsh is creating and reading configuration scripts, which makes it easy to copy configurations between computers. Enter dump filename to create a script of the current context's configuration, and enter exec filename to read and apply a script. Here's a more complex example of a command from the ipv4 subcontext of the interface context (enter ipv4 at the netsh interface prompt) that adds the IP address 192.168.1.5 to the network adapter named Local Area Connection:

add address name="Local Area Connection" address=192.168.1.5

Additional examples of using netsh are provided later in this chapter; it's a very powerful tool with a wide range of capabilities. I suggest that you experiment with it and review the articles about netsh noted in the References section at the end of the chapter.

Configuring IPv6 addresses is virtually identical to the IPv4 examples above; the differences are the format of the addresses, the format of the subnet prefixes, and the fact that IPv6 does not support WINS.

Note: When you install the Hyper-V role the installation wizard will automatically configure the primary network adapter to use DHCP even if you had previously configured it with a static IP address.

Configuring Dynamic Host Configuration Protocol Servers

A DHCP server dynamically allocates IP addresses to DHCP clients. When a client boots it sends out a broadcast packet requesting an address from a DHCP server. If a server is on the same broadcast network it assigns an address to the client and then sends the address, subnet mask, DNS server addresses, default gateway addresses, and other TCP/IP configuration information to the client. DHCP relay agents can receive these broadcast requests and forward them to a DHCP server on a different network; the DHCP server then sends the address back to the client via the relay agent.
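The reply described above carries the address, subnet mask, gateway, DNS servers and lease time as DHCP options. The following is an added example, not part of the chapter, written in Python with the standard library only: it builds a DHCPOFFER from constructed sample values and decodes it the way a packet capture tool would, then applies a simple defensive check that flags offers coming from a server identifier you do not operate. Every address, MAC and domain name below is a constructed sample.

```python
# Added example (not from the chapter): encode and decode a DHCPOFFER using
# only the Python standard library. All values are constructed samples.
import ipaddress
import struct
from typing import Dict, List

DHCP_MAGIC = b"\x63\x82\x53\x63"   # "magic cookie" that precedes the options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ip_list(raw: bytes) -> List[str]:
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def build_offer(xid: int, client_mac: str, your_ip: str, mask: str, router: str,
                dns: List[str], lease_seconds: int, server_id: str, domain: str) -> bytes:
    """Encode a DHCPOFFER (op=2) with the options a DHCP server typically sends:
    1 subnet mask, 3 router, 6 DNS servers, 15 domain name, 51 lease time,
    53 message type, 54 server identifier."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)      # op, htype, hlen, hops, xid, secs, flags
    header += _ip("0.0.0.0") + _ip(your_ip) + _ip(server_id) + _ip("0.0.0.0")  # ciaddr, yiaddr, siaddr, giaddr
    header += bytes.fromhex(client_mac.replace(":", "")) + bytes(10)          # chaddr is 16 bytes
    header += bytes(64) + bytes(128)                                           # sname, file
    options = (bytes([53, 1, 2])
               + bytes([1, 4]) + _ip(mask)
               + bytes([3, 4]) + _ip(router)
               + bytes([6, 4 * len(dns)]) + b"".join(_ip(d) for d in dns)
               + bytes([15, len(domain)]) + domain.encode("ascii")
               + bytes([51, 4]) + struct.pack("!I", lease_seconds)
               + bytes([54, 4]) + _ip(server_id)
               + b"\xff")                                                      # end option
    return header + DHCP_MAGIC + options


def parse_dhcp(payload: bytes) -> Dict[str, object]:
    """Decode the fixed header and walk the option TLVs. Raises on anything
    that is not a DHCP message or carries a truncated option."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    msg: Dict[str, object] = {
        "op": op,
        "xid": xid,
        "your_ip": str(ipaddress.IPv4Address(payload[16:20])),
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, one byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        if code == 53:
            msg["message_type"] = MESSAGE_TYPES.get(value[0], f"type {value[0]}")
        elif code == 1:
            msg["subnet_mask"] = _ip_list(value)[0]
        elif code == 3:
            msg["routers"] = _ip_list(value)
        elif code == 6:
            msg["dns_servers"] = _ip_list(value)
        elif code == 15:
            msg["domain"] = value.decode("ascii", "replace")
        elif code == 51:
            msg["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code == 54:
            msg["server_id"] = _ip_list(value)[0]
        i += 2 + length
    return msg


def offer_from_unknown_server(msg: Dict[str, object], authorized: set) -> bool:
    """Defensive check: an OFFER whose server identifier is not one of the DHCP
    servers you operate deserves investigation (misconfigured device or rogue server)."""
    return msg.get("message_type") == "OFFER" and msg.get("server_id") not in authorized
```

Running parse_dhcp over a real capture requires only the UDP payload (port 67/68); the server identifier check is the kind of rule you would wire into a monitoring script on a segment where only AD-authorized servers should ever answer DISCOVER broadcasts.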

Installing the DHCP Server Role

The installation wizard for the DHCP server role asks for initial configuration information such as which network adapters should be used and what ranges of addresses should be assigned to DHCP clients. You can modify all of the information that you provide at any time after installation using the DHCP Manager console. To install the DHCP server role from Server Manager do the following:

  1. Click on Add Roles.
  2. Select DHCP Server and click Next.
  3. Select one or more network adapters and click Next.
  4. Configure IPv4 DNS settings such as the addresses for the preferred and alternate servers and the parent DNS domain, click Next.
  5. If WINS is required on the network configure the preferred and alternate WINS server addresses, click Next.
  6. Enter one or more DHCP scopes. A DHCP scope is a range of IP addresses that will be assigned to DHCP clients on the network to which it is linked; figure 5 illustrates the Add Scope dialog box. When you are finished adding scopes click Next.

Figure 5: Adding a DHCP Scope.


  7. Enable or disable DHCPv6 stateless mode; this must match the configuration of the IPv6 routers on the network.
  8. Configure IPv6 DNS settings such as the addresses for the preferred and alternate servers and the parent DNS domain, then click Next.
  9. Authorize the DHCP server with AD DS if desired, then click Next.
  10. Verify the installation information on the Confirm Installation Selections page, click Install, and complete the wizard.

Configuring DHCP Scopes

Scopes are a contiguous grouping of IP addresses on a subnet that the DHCP server assigns to client computers connected to the physical network to which the scope is linked. A scope includes the following:

  • A scope name.
  • A range of addresses, e.g. 192.168.3.1 to 192.168.3.254.
  • A subnet mask, e.g. 255.255.255.0 (for IPv4 scopes only).
  • A value for lease duration, which determines how frequently clients will ask to renew their IP address lease.
  • Any DHCP options such as WINS and DNS server addresses or the address of the default gateway for the subnet (for IPv4 scopes only).
  • One or more reservations, which can be used to make sure that a client always receives the same address.
  • One or more exclusion ranges for addresses that you do not want the DHCP server to use, e.g. 192.168.3.100 to 192.168.3.131.

To create a scope using the DHCP Manager console, navigate to the IPv4 or IPv6 folder, right-click on it, and select New Scope. The wizards for IPv4 and IPv6 are similar, but there are differences that you should note, such as not specifying a subnet mask for IPv6 scopes. Create a scope of each type for practice purposes. Expand the IPv4 folder, then expand the scope. The Address Pool folder shows you the range of addresses and the exclusions for the scope; to add a new exclusion range, right-click on the Address Pool folder and select New Exclusion Range. The Address Leases folder lists the current DHCP leases for the scope. The Reservations folder lists all of the reserved IP addresses for the scope; right-click on the folder and select New Reservation to add a new one. Note that you must provide the media access control (MAC) address of the network adapter of the client that will use the reserved address.
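To make the interaction between the scope elements listed above concrete, here is an added example, not part of the chapter or of the DHCP Server role's code, that models a scope in Python: an address range, exclusion ranges, MAC-based reservations and a lease duration, with an offer routine that applies them in the order a server would (reservation first, then an existing lease, then the lowest free address). The scope name, addresses and MACs are constructed samples.

```python
# Added example (not from the chapter): a model of how a DHCP scope's range,
# exclusions, reservations and lease duration decide which address a client
# is offered. All sample values are constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple


class Scope:
    def __init__(self, name: str, first: str, last: str, mask: str, lease_seconds: int,
                 options: Optional[Dict[str, object]] = None) -> None:
        self.name = name
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.mask = mask
        self.lease_seconds = lease_seconds
        self.options = dict(options or {})             # scope options, e.g. router, DNS
        self.exclusions: List[Tuple[int, int]] = []    # inclusive address ranges never handed out
        self.reservations: Dict[str, int] = {}         # MAC -> fixed address
        self.leases: Dict[int, Tuple[str, int]] = {}   # address -> (MAC, expiry time)

    def add_exclusion(self, first: str, last: str) -> None:
        self.exclusions.append((int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))))

    def add_reservation(self, mac: str, address: str) -> None:
        addr = int(ipaddress.IPv4Address(address))
        if not self.first <= addr <= self.last:
            raise ValueError("a reservation must lie inside the scope's range")
        self.reservations[mac.lower()] = addr

    def _excluded(self, addr: int) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def _expire(self, now: int) -> None:
        # Leases whose expiry has passed return to the free pool.
        self.leases = {a: lease for a, lease in self.leases.items() if lease[1] > now}

    def offer(self, mac: str, now: int) -> Optional[Dict[str, object]]:
        """Choose the address for a client: its reservation if it has one, its
        current lease if still valid, otherwise the lowest address that is not
        excluded, reserved for someone else, or leased. None means exhausted."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.reservations:
            addr = self.reservations[mac]
        else:
            current = [a for a, (m, _) in self.leases.items() if m == mac]
            if current:
                addr = current[0]                      # renewal keeps the same address
            else:
                reserved = set(self.reservations.values())
                addr = next((a for a in range(self.first, self.last + 1)
                             if not self._excluded(a) and a not in reserved and a not in self.leases),
                            None)
                if addr is None:
                    return None
        self.leases[addr] = (mac, now + self.lease_seconds)
        return {"address": str(ipaddress.IPv4Address(addr)), "mask": self.mask,
                "expires": now + self.lease_seconds, **self.options}
```

The exclusion range is the mechanism for keeping statically addressed hosts (routers, servers) out of the pool without shrinking the scope; the reservation ties an address to a MAC so that, for example, a printer always gets the same address without being configured statically.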

The Scope Options folder lists optional configuration information that will be included with DHCP leases. Right-click on the Scope Options folder and select Configure Options to modify or delete existing options or add new ones. There are a lot of options available on the General tab of the Scope Options dialog box, many of which you may not have heard of before. Dozens of additional options can be configured on the Advanced tab, as shown in figure 6. For the purposes of the exam I do not believe that you need to memorize all of the options, but you should be familiar with how this dialog box works. There are four vendor classes available in the first drop-down list. After selecting a vendor class you specify a user class from the second drop-down list. The list of options visible in the Available Options box varies depending upon which values are specified for vendor class and user class. To configure an option, enable it by clicking the check box on the left and entering the appropriate type of data in the Data entry box below.

Figure 6: Configuring DHCP Scope Options.

You can also configure options at the server level so that they apply to all scopes managed on the server; to do so, right-click on the Server Options folder below either IPv4 or IPv6 and select Configure Options. Options can be configured to support Preboot eXecution Environment (PXE) on the network by specifying the name of the PXE boot server in the Boot Server Host Name option and the name of the executable boot file in the Bootfile Name option. Remote Installation Services (RIS) has been replaced by Windows Deployment Services (WDS) in Windows Server 2008; WDS includes the ability to act as a PXE boot server.

Configuring Additional DHCP Settings

There are other commands available in DHCP Manager; right-click on the DHCP server name in the navigation pane to see the menu of server operations. Windows Server Backup will back up the DHCP database along with everything else on the server, but you can use the Backup and Restore commands on this menu to quickly back up or restore the database and nothing more. Selecting Properties allows you to modify the location where the database and backups are stored.

Right-clicking on IPv4 or IPv6 causes a different menu to appear; from it you can view statistics, create scopes, define user and vendor classes, reconcile information about scopes between the database and the registry, and open the Properties dialog boxes. Compare the versions of these dialog boxes for IPv4 and IPv6, as shown in figures 7 and 8. The IPv6 dialog box is different in several ways: the General tab does not include the option to show the BOOTP table; the DNS tab does include the option to dynamically update DNS records for clients that do not support Dynamic DNS; the Advanced tab does not include the conflict detection value; and the Network Access Protection (NAP) tab is not available because NAP cannot be used to enforce health requirements when IPv6 is used.

Figure 7: Viewing IPv4 Properties.

Figure 8: Viewing IPv6 Properties.

Using DHCP Relay Agents

A DHCP relay agent can forward messages between DHCP servers and clients that are on separate subnets, so relay agents can be used to reduce the number of DHCP servers that must be deployed. Normally they also support the bootstrap protocol (BOOTP), a predecessor of DHCP. The routers between the subnets must support DHCP relay; most business-class routers do. If yours do not, check with the manufacturer to see whether a software or firmware upgrade is available. Many routers can act as the relay agent too; if not, Windows Server 2008 can be configured as a relay agent. You must install Routing and Remote Access Services (RRAS), a component of the Network Policy and Access Services server role. Figure 9 shows the necessary role services in the Add Roles Wizard.

Figure 9: Installing Routing and Remote Access Services

Once RRAS is installed, open the Routing and Remote Access Services console, right-click on the server in the navigation pane, and select Configure and Enable Routing and Remote Access. Configure the server for LAN Routing. When the wizard is complete, expand either IPv4 or IPv6, right-click General, select New Routing Protocol, select DHCP Relay Agent, and click OK. To specify which DHCP servers will be relayed to, right-click DHCP Relay Agent in the navigation pane, select Properties, click the Server tab, enter the DHCP server address, and click Add. Only the DHCPv6 Relay Agent Properties dialog box includes the ability to customize logging settings on the General tab, as shown in figure 10. To specify which subnets will be relayed, select New Routing Protocol, select New Interface, and click OK.

Figure 10: Configuring DHCPv6 Relay Agent Logging.

Subnetting, Supernetting, and Superscoping

You should have a clear understanding of subnet masks: a computer determines whether another host is on the local network by comparing the other host's IP address with its own address and subnet mask. Subnetting is the process of splitting networks into smaller pieces in order to make more efficient use of available IP addresses. For example, if your firm was assigned a class C block of 256 addresses that you needed to use in 4 different offices, you could split it into 4 separate blocks, each with 64 addresses and a subnet mask of 255.255.255.192.

Supernetting is the reverse process, in which multiple adjacent networks of the same class are combined into a single network. For example, two class C networks, 192.168.3/24 and 192.168.4/24, could be combined into a single network with addresses ranging from 192.168.3.1 to 192.168.4.254 and a subnet mask of 255.255.254.0.
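The subnet arithmetic in the two paragraphs above, as an added example in Python that is not part of the chapter: the host's local-or-remote decision, the split of a class C block into four /26 subnets with a 255.255.255.192 mask, and a supernet merge check. The merge check also makes the alignment rule explicit that a practitioner has to watch for: two /24s can only be combined under a 255.255.254.0 mask when they are the two halves of one /23, which means the first network must start on an even third octet (192.168.2.0/24 with 192.168.3.0/24 merges; a pair that begins at an odd octet does not). The addresses are constructed samples.

```python
# Added example (not from the chapter): subnet arithmetic with Python's
# standard-library ipaddress module. Addresses are constructed sample values.
import ipaddress
from typing import List, Optional


def same_local_network(my_ip: str, my_mask: str, other_ip: str) -> bool:
    """Decide whether other_ip is on the local network the way a host does:
    AND both addresses with the local subnet mask and compare the results.
    When they differ the packet has to go to the default gateway."""
    mask = int(ipaddress.IPv4Address(my_mask))
    mine = int(ipaddress.IPv4Address(my_ip)) & mask
    theirs = int(ipaddress.IPv4Address(other_ip)) & mask
    return mine == theirs


def subnet(block: str, pieces: int) -> List[str]:
    """Split a block into `pieces` equal subnets (pieces must be a power of two)
    and return them as 'network/mask' strings with dotted-decimal masks."""
    network = ipaddress.ip_network(block, strict=True)
    extra_bits = pieces.bit_length() - 1
    if pieces < 1 or (1 << extra_bits) != pieces:
        raise ValueError("pieces must be a power of two")
    return [f"{s.network_address}/{s.netmask}" for s in network.subnets(prefixlen_diff=extra_bits)]


def supernet(first: str, second: str) -> Optional[str]:
    """Merge two adjacent networks of the same size into one whose mask is one
    bit shorter. Returns None when they cannot be merged: the pair must be
    exactly the two halves of the larger block, so the first network has to
    start on that block's boundary (for two /24s, an even third octet)."""
    a = ipaddress.ip_network(first, strict=True)
    b = ipaddress.ip_network(second, strict=True)
    if a.prefixlen != b.prefixlen or a == b:
        return None
    merged = a.supernet(prefixlen_diff=1)
    if merged.network_address != a.network_address or not b.subnet_of(merged):
        return None
    return f"{merged.network_address}/{merged.netmask}"
```

The strict=True flag makes ip_network reject a block whose host bits are not zero, which is the quickest way to catch a mistyped network address before it ends up in a scope or a static route.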

Superscoping is a feature of the DHCP Server role used to assign multiple non-supernetted or non-consecutive networks to the same physical network. You assign multiple IP addresses to the DHCP server, one for each network for which it will be assigning addresses, or you assign multiple addresses to a DHCP relay agent.

Configuring Routing

Routers are network devices that forward, or route, traffic between different networks. When configured as a router, RRAS supports both static and dynamic IP routing. In RRAS, static routes are entered manually; IPv4 routing can be automated using the Routing Information Protocol (RIP). You add static routes in the Routing and Remote Access console by right-clicking the Static Routes container under either IPv4 or IPv6 and selecting New Static Route. You must specify the network interface, the destination network address, the subnet mask for IPv4 or the prefix for IPv6, the gateway, and a metric, as shown in figure 11.

Figure 11: Adding a Static Route in RRAS.

RIP is not configured by default; to enable it, right-click on the General container under IPv4, select New Routing Protocol, click RIP Version 2 for Internet Protocol, and click OK. RIP is very easy to deploy and configure: RIP-capable routers automatically find each other and share enough information that each can build and maintain accurate routing tables. When a new router appears on the network, or when a router is no longer available, the routers sense the change within a few minutes and reconfigure their routing tables. Unfortunately RIP does not scale well; routes that involve more than 15 hops are not supported, which means RIP isn't appropriate for large networks.

Two other protocols supported by RRAS are Internet Group Management Protocol (IGMP) and Network Address Translation (NAT). IGMP is used to manage membership of IP multicast groups; NAT is a method of sharing a single public, routable IP address. A router converts the internal, private addresses to the public address before sending each packet to its destination. Conversely, by tracking which internal hosts have established connections with external systems, the router can redirect incoming responses to the correct internal host. Technically speaking, neither IGMP nor NAT is a routing protocol; nevertheless both are enabled via the New Routing Protocol dialog box, just like RIP.

Note: The Open Shortest Path First (OSPF) routing protocol is no longer available in RRAS; RIP is the only routing protocol for automatically configuring routes in dynamic environments that is available in Windows Server 2008. Version 2 of RIP is included with RRAS in Windows Server 2008; it does not support IPv6 routing.

Keep in mind that all hosts use routing. Windows servers and clients that do not have RRAS installed automatically create a short routing table to ensure that the system directs traffic correctly, either to the appropriate gateway or to the local network via one of the network adapters. You can manually add static routes using the route command-prompt tool. Entering route print generates a list of all of the routes on the system; use the add parameter to add a new route to the table. The following command adds a route to the 192.168.6/24 network via the 192.168.3.1 gateway with a metric of 4 on interface 3:

Route add 192.168.6.0 mask 255.255.255.0 192.168.3.1 metric 4 IF 3

Enter route /? to see information about adding, changing, and deleting routes. By default, a static route added with this tool is discarded when the computer shuts down. To make a route persistent, that is, to force Windows to save the route permanently, add the /p switch like this:

Route add 192.168.6.0 mask 255.255.255.0 192.168.3.1 metric 4 IF 3 /p
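The route table that route print displays is consulted for every outbound packet, and it is worth seeing the selection rule itself: the most specific matching entry wins, and among entries with the same prefix length the lowest metric wins. The following is an added example, not part of the chapter: a small Python routine that parses a route print style table (the table text is constructed sample output in the same column order, not captured from a real system, and includes the 192.168.6.0 route the command above would create) and answers where a packet for a given destination goes.

```python
# Added example (not from the chapter): route selection the way a host does it,
# longest prefix match first, then lowest metric. The table below is constructed
# sample text in the column layout `route print` uses, not captured output.
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str          # "On-link" means the destination is directly reachable
    interface: str
    metric: int


SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.10      10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
      192.168.3.0    255.255.255.0         On-link      192.168.3.10     266
     192.168.3.10  255.255.255.255         On-link      192.168.3.10     266
      192.168.6.0    255.255.255.0      192.168.3.1    192.168.3.10       4
      192.168.6.0    255.255.255.0      192.168.3.2    192.168.3.10      20
  255.255.255.255  255.255.255.255         On-link      192.168.3.10     266
"""


def parse_route_print(text: str) -> List[Route]:
    """Keep the five-column data rows; skip the heading and blank lines."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, interface, metric = parts
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                            gateway, interface, int(metric)))
    return routes


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], destination: str) -> Optional[str]:
    """The address the packet is actually handed to: the gateway, or the
    destination itself when the chosen route is on-link."""
    route = best_route(routes, destination)
    if route is None:
        return None
    return destination if route.gateway == "On-link" else route.gateway
```

Two routes for 192.168.6.0/24 are deliberately present with different metrics so the tiebreak is visible; that is exactly the situation the metric argument of route add is for when a subnet is reachable through more than one gateway.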

Configuring IPsec Policies

Why is IPsec important? It allows you to isolate computers from unauthorized computers, such as those of vendor representatives who plug into your network. It's a robust enforcement method for Network Access Protection (NAP), which is discussed in detail in Configuring Network Access. IPsec is also an effective way to encrypt network traffic on your internal network. These capabilities mean that implementing IPsec is one of the most effective ways to increase network security. Since it's built into Windows it's also very cost effective.

Windows Vista combines the management of IPsec and the firewall into a single graphical tool: Windows Firewall with Advanced Security. Both can also be managed via group policy; the location for doing so has changed in Windows Vista and Windows Server 2008, as you can see in figure 12. The new location is Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security. The original location for configuring IPsec policies was Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policies on Active Directory, and the original location for configuring the firewall was Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall. The original locations are still available in the version of group policy included with Windows Server 2008 for backwards compatibility; settings configured in the original locations will be applied to computers running Windows Vista, but you should use the new location if possible. You can also manage IPsec and the firewall from a command prompt using netsh.

Figure 12: Configuring the Windows Firewall Via Group Policy.

The user interfaces for the Windows Firewall with Advanced Security console and the group policy editor are virtually identical; for brevity the remainder of the chapter will focus only on the console. IPsec has been available in Windows since Windows 2000 was released nearly nine years ago, but it developed a reputation for being complex to implement and difficult to manage, so few organizations deployed it. The technology is complex because it's so flexible, and the tools included with earlier versions of Windows exposed much of this flexibility, which made the tools appear very complicated. The tools became somewhat easier to use in Windows XP and Windows Server 2003, and Microsoft started publishing detailed implementation guidance several years ago, but I still was not seeing many organizations take advantage of it. Microsoft decided to greatly simplify IPsec management in Windows Firewall with Advanced Security by hiding many of the options from the New Connection Security Rule Wizard and making many others available as advanced options within the wizard. To see some of these options do the following:

  1. Open Windows Firewall with Advanced Security, right-click on Windows Firewall with Advanced Security in the navigation pane and select Properties.
  2. Select the IPsec Settings tab; you can enable or disable ICMP exemptions using the drop-down list.
  3. Click the Customize button under IPsec defaults.
  4. For most deployments the default settings will suffice, as shown in figure 13.

Figure 13: Customizing IPsec Settings.

You can change them by selecting Advanced and then clicking Customize under any of the three sections. Do this under Key exchange (Main Mode) to open the Customize Advanced Key Exchange Settings dialog box, as shown in figure 14. The default key exchange algorithm, Diffie-Hellman Group 2, is a strong key exchange algorithm; stronger ones are available, but verify that other IPsec clients on the network support them before using them.


Figure 14: Customizing Key Exchange Settings.

Click the Add button under Security methods to add another method; you can specify a different encryption algorithm and integrity algorithm. It's important that you understand the difference between encryption and integrity: encrypting data protects it from eavesdropping and tampering by unauthorized people, while integrity only protects the data from tampering. Close the Customize Advanced Key Exchange Settings dialog box, select Advanced, and then click Customize under Data Protection (Quick Mode) to open the Customize Data Protection Settings dialog box, as shown in figure 15. These settings are used by connection security rules to protect the traffic. Click Add under Data integrity; you can select either ESP or AH. ESP stands for Encapsulating Security Payload, while AH is short for Authentication Header. ESP is capable of encryption, but for the purposes of data integrity it is only used to calculate a digital signature of the packet's payload; no encryption is applied. AH is not capable of encryption and can only be used for data integrity, but it calculates a digital signature for the entire packet, including the header. The drawback of AH is that it's not compatible with most NAT devices. Click Add under Data integrity and encryption; you can specify either ESP alone or ESP and AH together, as well as encryption and integrity algorithms.

Figure 15: Customizing Data Protection Settings.
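The difference between what AH and ESP cover, and why AH fails behind a NAT device, can be shown directly. The following is an added example, not part of the chapter or of Windows' IPsec implementation: a deliberately simplified Python model in which each mode's integrity check value is an HMAC-SHA256 over the bytes that mode protects, a router hop only decrements TTL, and a NAT hop additionally rewrites the source address. Real AH and ESP headers (SPI, sequence numbers, padding, the exact list of mutable IP header fields that AH zeroes) are omitted; the key and packets are constructed samples.

```python
# Added example (not from the chapter): a simplified model of which bytes AH
# and ESP-with-null-encryption integrity protection cover, and how NAT affects
# each. HMAC-SHA256 stands in for the configured integrity algorithm; the key
# and packets are constructed sample values.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes


def _immutable_header(pkt: Packet) -> bytes:
    # AH covers the IP header but treats fields that legitimately change in
    # transit (TTL, header checksum) as zero. Addresses are not mutable, so
    # they are signed as-is.
    return ipaddress.IPv4Address(pkt.src).packed + ipaddress.IPv4Address(pkt.dst).packed + b"\x00"


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """AH integrity check value: header (mutable fields zeroed) plus payload."""
    return hmac.new(key, _immutable_header(pkt) + pkt.payload, hashlib.sha256).digest()


def esp_null_icv(key: bytes, pkt: Packet) -> bytes:
    """ESP with null encryption: only the ESP-encapsulated payload is signed;
    the outer IP header is not covered, and the payload stays readable."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()


def verify(icv_fn, key: bytes, pkt: Packet, icv: bytes) -> bool:
    return hmac.compare_digest(icv_fn(key, pkt), icv)


def router_hop(pkt: Packet) -> Packet:
    """An ordinary router only decrements TTL."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_src: str) -> Packet:
    """A NAT device rewrites the source address on the way out (and decrements TTL)."""
    return replace(router_hop(pkt), src=public_src)


def survives(icv_fn, key: bytes, pkt: Packet, transform) -> bool:
    """Sign the packet as sent, apply the in-transit change, verify as received."""
    return verify(icv_fn, key, transform(pkt), icv_fn(key, pkt))
```

The model reproduces the three statements in the text: both modes reject a modified payload, a plain router hop breaks neither, and a NAT hop breaks AH but not ESP. It also shows the limit of integrity-only protection: with ESP null encryption the payload bytes are exactly as readable on the wire as without IPsec, which is why the chapter distinguishes integrity from encryption.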

Close the Customize Data Protection Settings dialog box, select Advanced, and then click Customize under Authentication Method to open the Customize Advanced Authentication Methods dialog box, as shown in figure 16. The first authentication is the method used for computer authentication during the first phase of IPsec negotiations. The second authentication is the method used for user authentication during the second phase of IPsec negotiations. You can click Add under either first authentication or second authentication to specify an additional type of authentication, and you can mark either as optional too.

Figure 16: Customizing Authentication Methods.

Prior to Windows Vista, IPsec rules were referred to as IPsec policies in the configuration tools; now they are called connection security rules. Right-click Connection Security Rules in the navigation pane and select New Rule to launch the New Connection Security Rule Wizard. The wizard quickly guides you through the process of configuring IPsec rules to isolate computers, establish authentication between computers, allow authentication exemptions for certain computers, and establish a tunnel or virtual private network (VPN) between two hosts, as shown in figure 17.

Figure 17: Starting the New Connection Security Rule Wizard.

You should experiment with the wizard to create several different rules in order to familiarize yourself with the various selections available. After creating a rule, right-click on it; from this menu you can enable, disable, delete, or view the properties of the rule. Click on Properties to change any of the settings you specified in the wizard. Before leaving this topic you should delete or disable all of the IPsec rules you created in order to avoid problems with exercises presented in other chapters.


IPsec in the Real World

The first enterprise-wide deployment of IPsec that I experienced was at Microsoft. Several years ago the Information Technology Group (ITG) started deploying IPsec policies to protect key business data from unauthorized access. I was not part of the teams that designed, deployed, or supported IPsec, so I do not know all of the details that drove the project and its implementation. I learned what I do know because I was trained to talk to customers about the project and I examined the IPsec policies that were being applied to my computers at work. I suspect one of the key motivators was the highly publicized attacks against Microsoft's internal network; I know one of the goals was to reduce the risk of source code leaking out of the company, and I believe that goal has been met in full.

ITG spent plenty of time planning the project, designing the implementation, and testing everything, but once deployment started we were all amazed at how quickly the project concluded. Things went very smoothly; after initially deploying the policies to a few floors of an office building in Redmond, Washington, they quickly applied the policies across the entire headquarters campus. It did not take long before these policies were in effect worldwide. Very few unexpected problems arose; there were problems that had been anticipated, but from a security perspective they were desirable outcomes. For example, visitors to Microsoft offices could no longer plug in their computers and start accessing whatever servers they cared to visit; their computers had to be joined to one of the corporate AD DS domains, or they had to have data forwarded to them by someone who could access it. This made working with partners, consultants, and vendors more complex, but all of those systems were protected from inadvertent and deliberate misuse too.

The details could fill an entire book; I'll try to summarize briefly how the policies work and point you to a couple of documents where you can read about the subject in much more depth. You should not configure IPsec policies on certain types of servers because clients need to be able to access them in order to join the domain in the first place, e.g. domain controllers, DHCP servers, and DNS servers. The servers that host the most sensitive data, such as financial data or source code for software products, will only accept connections from specific groups of users: groups representing the employees, partners, and vendors who actually have a legitimate need to use the data. Most other computers are configured to require IPsec for incoming connections, but they'll accept connections from any host or user. ITG decided to use IPsec ESP with null encryption; this means that the packet payload cannot be tampered with in transit, so the host that requires IPsec can be assured that the other computer does not belong to an attacker attempting to impersonate a legitimate user. The packet payload is not encrypted, though. They also made sure that people could still use their mobile computers while away from the office by only requiring IPsec connections while the domain profile was active.

ITG published a whitepaper in 2004 about their project called Improving Security with Domain Isolation: Microsoft IT Implements IP Security (IPsec). My former teammates created a detailed guide for implementing this solution in 2005; the advice given still applies even though some of the procedures would change when applied to Windows Server 2008 and Windows Vista: Server and Domain Isolation Using IPsec and Group Policy.


Summary

In this chapter you learned how to configure Windows Server 2008 to use both dynamic and static IPv4 and IPv6 addresses. You also learned how to install the DHCP Server role and configure it to support various scenarios, including PXE clients. Installation of RRAS, a role service that is part of the Network Policy and Access Services server role, was covered. Details on configuring RIP and other aspects of RRAS were also discussed. Finally, IPsec was introduced, including both basic and advanced options and the various management tools available for implementing IPsec policies.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine those tools rather than rereading the chapter.

Questions

  1. It is not possible to configure Windows Server 2008 to use dynamic IPv4 addresses.
    1. True.
    2. False.
  2. What happens if a computer running Windows Server 2008 is unable to contact a DHCP server if it is configured to use a dynamic IPv4 address during the boot process?
    1. The last IP address is reused.
    2. The alternate configuration is applied.
    3. No IP address is assigned.
    4. A random address from the last active subnet is selected and applied.
  3. Which netsh command is used to generate a script of the current context’s configuration?
    1. Exec.
    2. Commit.
    3. Set.
    4. Pushd.
    5. Dump.
  4. A small business with a single office has a stable network where client computers are assigned addresses from a DHCP server running Windows Server 2008. The business is expanding to a second location. What options are available for assigning IP addresses to client computers in the new office?
    1. Install an additional DHCP server in the new location.
    2. Configure the computers in the new location with static IP addresses.
    3. Install a DHCP relay agent in the new location and configure it to forward DHCP messages to the DHCP server in the original location.
    4. All of the above.
  5. The DHCP relay agent is available with which server role?
    A. Network Policy and Access Services.
    B. Routing and Remote Access Services.
    C. DHCP Server.
    D. Windows Deployment Services.
    E. Peer Name Resolution Protocol.
  6. Which of the following cannot be part of an IPv4 DHCP scope?
    A. The name of a boot server.
    B. A range of IPv4 addresses to exclude from client assignment.
    C. A time period for lease duration.
    D. The IPv4 address for the primary domain controller emulator.
    E. IPv4 addresses for DNS and WINS servers.
  7. Which of the following cannot be part of an IPv6 DHCP scope?
    A. The name of a boot server.
    B. A range of IPv6 addresses to exclude from client assignment.
    C. A time period for lease duration.
    D. IPv6 addresses for DNS and WINS servers.
    E. IPv6 address reservations.
  8. Which routing protocols are supported by the version of RRAS included with Windows Server 2008?
    A. Open Shortest Path First (OSPF).
    B. Border Gateway Protocol (BGP).
    C. Routing Information Protocol (RIP).
    D. Interior Gateway Routing Protocol (IGRP).
    E. Enhanced Interior Gateway Routing Protocol (EIGRP).
  9. Look at figure 18. Where would you click to adjust the DNS address to be assigned to DHCP clients?

Figure 18: The DHCP Management Console.

    A. The server name, dc1.dillard.test.
    B. The IPv4 object.
    C. The Scope [192.168.3.0] first scope object.
    D. The Address Pool object.
    E. The Scope Options object.
  10. Which of the following commands will manually add a static route to the 192.168.8.0/27 network via the 192.168.4.1 gateway with a metric of 50 on interface 2?
    A. Route add 192.168.8.0 mask 255.255.255.0 192.168.4.1 metric 50 IF 2
    B. Route add 192.168.8.0 mask 255.255.255.192 192.168.4.1 metric 50 IF 2
    C. Route add 192.168.8.0 mask 255.255.255.224 192.168.4.1 metric 50 IF 2
    D. Route change 192.168.8.0 mask 255.255.255.224 192.168.4.1 metric 50 IF 2
  11. Which of the following tools cannot be used to manage IPsec connection rules, also known as IPsec policies?
    A. Ipsecpol.
    B. Group Policy.
    C. Windows Firewall with Advanced Security.
    D. Netsh.
    E. None of the above.
  12. Which of the following IPsec protocols ensure that data is not modified while being transmitted across a network?
    A. Encapsulating Security Payload (ESP).
    B. Authentication Header (AH).
    C. Advanced Encryption Standard 192 (AES-192).
    D. Data Encryption Standard (DES).
    E. Both A and B.
  13. Look at figure 19. Which tab would you click to adjust the IPsec connection rule's NAP enforcement configuration?

Figure 19: Viewing the Properties of an IPsec Connection Rule.

    A. Computers.
    B. Authentication.
    C. Advanced.
    D. None of the above.
  14. Which of the following statements concerning IPsec connection rules is true?
    A. They can require that both the remote host and the user logged onto the host authenticate.
    B. Preshared keys can be used for user authentication.
    C. Health certificates can be used for computer authentication.
    D. Preshared keys can be used for computer authentication in conjunction with either Kerberos v5 or NTLMv2 user authentication.

Answers

  1. B is correct. It's possible to configure Windows Server 2008 to use either static or dynamic addresses; however, some server roles, such as domain controllers and DHCP servers, should only use static ones.
  2. B is correct. The Alternate Configuration tab is only visible on the Internet Protocol Version 4 (TCP/IP) Properties dialog box if the computer is configured to use a dynamic address. The default behavior for the alternate configuration is for the computer to use APIPA to select an address between 169.254.0.1 and 169.254.255.254 with a subnet mask of 255.255.0.0; however, you can specify a static address instead.
  3. E is correct. Exec is the command used to apply a script; commit is the command that applies changes made while in offline mode; set is used to configure settings; and pushd pushes the current context onto the first-in-last-out stack.
  4. D is correct. Which option is best will depend on a variety of factors; however, it's probable that either installing a new DHCP server or a DHCP relay agent would be better than assigning static addresses.
  5. A is correct. B is wrong because, while the DHCP relay agent is part of RRAS, RRAS is not a server role but rather a role service that is part of Network Policy and Access Services. C and D are incorrect because neither includes the agent, regardless of how logical it may seem to you to include it with the DHCP Server role. E is wrong because the Peer Name Resolution Protocol is one of a couple dozen optional features available with Windows Server 2008. The point of this language parsing exercise is not to annoy you but rather to ensure that you remember which features are part of each server role and that you understand the difference between server roles, role services, and features.
  6. D is correct; all of the other settings can be configured for a DHCP scope.
  7. D is correct. While you can configure scope options for recursive DNS servers, WINS is not an available option.
  8. C is correct. Although OSPF is available in older versions of RRAS, it was removed in Windows Server 2008. BGP is the core routing protocol of the Internet; it is much more scalable than OSPF or RIP and is built into most enterprise-class routers, but it is not included with RRAS. IGRP and EIGRP are proprietary routing protocols created by Cisco.
  9. E is correct. While you can adjust the dynamic DNS behavior for the scope by right-clicking the scope object and selecting Properties, you can only adjust the addresses of the DNS servers for a scope by navigating to Scope Options.
  10. C is correct. The subnet masks for A and B are incorrect: the question identifies the network as 192.168.8.0/27, which means the subnet mask must be 255.255.255.224. D is wrong because the change command is used to modify an existing route.
  11. A is correct. Ipsecpol is a command prompt tool for managing IPsec policies in Windows 2000 that is included in the Microsoft Windows 2000 Resource Kit.
  12. E is correct; both AH and ESP can provide data integrity protection. Data integrity is ensured using digital hashing algorithms such as Secure Hash Algorithm 1 (SHA1) and Message Digest algorithm 5 (MD5). AES-192 and DES are both encryption algorithms.
  13. B is correct. Enable Advanced on the Authentication tab, then click Customize and configure a user authentication method under Second authentication on the Customize Advanced Authentication Methods dialog box.
  14. A is correct. B is incorrect because preshared keys can only be used for computer authentication, and when they are used a second authentication cannot be used, making D incorrect. C is incorrect because NAP health certificates are used for user authentication, even though they represent the state of health of the computer where the user is logged in.
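Answer 10 turns on two checks: the /27 prefix must become the mask 255.255.255.224, and only the add verb creates a new route. The following added example (not from the chapter) applies both checks to the four candidate commands from question 10 using Python's standard ipaddress module; the regular expression is a simplified, assumed reading of the Windows route syntax, not the tool's own parser.

```python
import ipaddress
import re

# The four candidate commands from question 10, constructed here as test input.
CANDIDATES = {
    "A": "Route add 192.168.8.0 mask 255.255.255.0 192.168.4.1 metric 50 IF 2",
    "B": "Route add 192.168.8.0 mask 255.255.255.192 192.168.4.1 metric 50 IF 2",
    "C": "Route add 192.168.8.0 mask 255.255.255.224 192.168.4.1 metric 50 IF 2",
    "D": "Route change 192.168.8.0 mask 255.255.255.224 192.168.4.1 metric 50 IF 2",
}

# Assumed, simplified shape of "route <verb> <net> mask <mask> <gw> [metric N] [IF N]".
ROUTE_RE = re.compile(
    r"^route\s+(?P<verb>add|change|delete)\s+(?P<net>\S+)\s+mask\s+(?P<mask>\S+)"
    r"\s+(?P<gw>\S+)(?:\s+metric\s+(?P<metric>\d+))?(?:\s+if\s+(?P<iface>\d+))?\s*$",
    re.IGNORECASE,
)


def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def parse_route_command(cmd: str) -> dict:
    """Split a route command into verb, network (with mask), gateway, metric, interface."""
    m = ROUTE_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a recognised route command: {cmd!r}")
    d = m.groupdict()
    # strict=True rejects a destination that is not aligned to its own mask.
    d["network"] = ipaddress.IPv4Network(f"{d['net']}/{d['mask']}", strict=True)
    d["metric"] = int(d["metric"]) if d["metric"] else None
    d["iface"] = int(d["iface"]) if d["iface"] else None
    return d


def creates_route(cmd: str, target: str, gateway: str, metric: int, iface: int) -> bool:
    """True only when cmd adds exactly the requested static route."""
    p = parse_route_command(cmd)
    want = ipaddress.IPv4Network(target)          # e.g. 192.168.8.0/27
    return (p["verb"].lower() == "add" and p["network"] == want
            and p["gw"] == gateway and p["metric"] == metric and p["iface"] == iface)


def correct_answers(candidates=CANDIDATES, target="192.168.8.0/27",
                    gateway="192.168.4.1", metric=50, iface=2) -> list:
    """Letters of the candidates that add the requested route; expected ['C']."""
    return [k for k, c in candidates.items() if creates_route(c, target, gateway, metric, iface)]
```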
