active directory trainers ppt mod 10

Upload: asuresh54

Post on 09-Apr-2018


8/8/2019 Active Directory Trainers PPT Mod 10

1/27

Design of Physical Network

2006 IIHT Limited

Module: Design of Physical Network

Overview

In this module we study routing and networking: routers and network topologies, registering a domain name, Internet connectivity, and the issues involved in segmenting the intranet from the Internet. There is also considerable discussion of IP addressing schemes, DHCP, the location of routers and the perimeter network.

Lessons covered in the module

1. Routing and Networking
2. Subnetting the Organization
3. Routing and Remote Access Infrastructure Design
4. Availability of Remote Access Infrastructure


Lesson 1 - Routing and Networking

Introduction

In this chapter we discuss the design of a network topology, including routing, router placement, Internet connectivity, addressing and subnetting, and firewall considerations.

Topics covered in this lesson

Networking and Routing
Internet Connectivity
Registration of Domain Name
Segmentation of Internet from the Intranet
Network Topology Definitions


Topic 1 - Networking and Routing

The first thing to consider when building any reliable and scalable network is assessing and designing a network that can support current and any future requirements; that is, the scalability factor must be taken into account.

One important thing to ensure is that you have a supported private internal IP addressing scheme and a registered external IP addressing scheme for your network.

Another factor to consider is how to segment the internal and external networks properly. Consideration must also be given to the placement of the router and to security.


Topic 3 - Registration of Domain Name

Every organization that wants to conduct business over the Internet has to have a domain name.

To acquire an appropriate domain name, you need to deal with companies that specialize in registering these for you. The first thing you need to do is choose a domain name. This will not be easy, because most organizations want a .com and most of these are taken. You will also need to research the chosen domain name to avoid any trademark conflicts. After choosing the domain name, get it registered.

It is also useful to have a registered domain name for internal use with Active Directory. Maintaining a registered name internally helps to resolve any conflicts in the future. A good solution is to select an internal domain name with a suffix that is not a Top Level Domain or any of the country-specific domains.


Topic 4 - Segmentation of Internet from the Intranet

Organizations mostly use two different yet similar methods of separating the intranet from the Internet. Routers are used both as a stand-alone method and in conjunction with a firewall. Some routers have built-in firewall features, which helps avoid having multiple pieces of equipment. Depending on how much work will be required of the router, it may make sense to have a separate firewall to offload the work from the router.

An intranet is an internal Web environment that serves an organization's personnel, and is generally not accessible to the public. An extranet is a means of selectively extending an organization's intranet through the Internet to individuals and organizations who are not physically connected to the organization's network.

Routers route IP traffic in and out of the intranet and the Internet. Firewalls are mostly used to filter what IP traffic can pass from the Internet to the intranet. Proxy servers and authentication servers are used for filtering and monitoring what IP traffic flows from the intranet to the Internet.


Topic 5 - Network Topology Definitions

There are three basic physical topologies, viz. bus, ring and star, and they use the same components.

Bus Topology - In this topology all nodes are connected together by a single bus: an open-ended cable to which all network devices are attached. Both ends of this cable must be terminated. Generally, this topology is best suited for small networks because it does not require the use of a switch or hub.

Ring Topology - In this topology every node has exactly two branches connected to it. Ring topology uses a cable that is connected to all network devices in a ring formation, so there is no termination because there are no open ends.

Star Topology - In this topology peripheral nodes are connected to a central node, which rebroadcasts all transmissions received from any peripheral node to all peripheral nodes on the network, including the originating node. Here each device is connected centrally to a switch or hub. The star topology is physically and logically the same. Each device is independently connected to the media and does not have to concern itself with how the other devices are connected.


Topic 1 - Segmenting the Organization into Subnets

A subnet is simply a way of taking a complete network and dividing it into manageable and optimized chunks. Every organization wants to create a network that will be both fast and secure. Creating subnets helps the organization achieve this goal by reducing the size of each network and thus helping to control network traffic.

At times an organization will need to create subnets to separate groups of devices from one another; it may also want each floor of the building on a different subnet, which is considered the better way of creating subnets.


Topic 2 - IP Addressing and DHCP

The Dynamic Host Configuration Protocol (DHCP) is a message-based service and is used in Windows Server 2003 to provide automatic TCP/IP addressing and management of the addresses.

The information a designer needs to create a strong DHCP design consists of the three management features supported by DHCP: Scopes, Superscopes and TCP/IP options.

Now we will discuss the DHCP server and the DHCP client. DHCP can distribute IP addresses from a scope of addresses, or it can always give a device the same IP address. As networks increase in size and complexity, the management of IP addressing becomes increasingly important. DHCP is a client/server process used to assign and manage IP addresses. Windows Server 2003 can host the DHCP Server service to facilitate the assigning and managing of IP addresses.


Topic 3 - Location of Routers

To control access and bandwidth it is important to place the router appropriately. For this you need to know where to place the routers and how to calculate a subnet with enough available hosts to accommodate the number of nodes in a particular location. When designing a network it is important that you assess the current router placement, or design a new router placement, that will provide a fast and stable network.

Performance
Redundancy
Scalability
Manageability
Cost
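Subnet sizing for a location, as an added Python example that is not part of the IIHT slides: prefix_for_hosts picks the smallest subnet that holds a given host count, plan_subnets carves one aligned subnet per floor out of a private block (serving the earlier subnetting topic about putting each floor on its own subnet as well), and check_plan flags the mistakes a design reviewer would look for. The floor names, host counts and the 10.10.0.0/22 block are constructed assumptions.

```python
import ipaddress
import math

# Constructed input: hosts required per location, one subnet per floor as the
# lesson recommends. Names and counts are assumptions, not from the slides.
FLOOR_HOSTS = {"floor-1": 120, "floor-2": 60, "floor-3": 25, "servers": 10}


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose usable host count covers `hosts`.

    A /p subnet holds 2**(32-p) - 2 usable hosts (network and broadcast
    addresses are removed). Prefixes longer than /30 hold no ordinary LAN
    hosts, so the result is capped at /30.
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def plan_subnets(block, demand):
    """Carve `block` into one aligned subnet per location, largest demand first.

    Free space is kept as a list of CIDR blocks; the smallest block that still
    fits is used (best fit), so large remainders stay intact for future growth.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demand.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        free.sort(key=lambda n: (-n.prefixlen, n))  # smallest free blocks first
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= prefix:
                chosen = next(candidate.subnets(new_prefix=prefix))
                free.pop(i)
                free.extend(candidate.address_exclude(chosen))  # keep the remainder
                plan[name] = chosen
                break
        else:
            raise ValueError(f"{block} has no room for {name} ({hosts} hosts)")
    return plan


def check_plan(plan, demand):
    """Problems a reviewer would flag: public space, undersized or overlapping subnets."""
    problems = []
    items = list(plan.items())
    for name, net in items:
        if not net.is_private:
            problems.append(f"{name}: {net} is not private address space")
        if net.num_addresses - 2 < demand[name]:
            problems.append(f"{name}: {net} is too small for {demand[name]} hosts")
    for i, (a, na) in enumerate(items):
        for b, nb in items[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


if __name__ == "__main__":
    plan = plan_subnets("10.10.0.0/22", FLOOR_HOSTS)
    for name, net in plan.items():
        print(f"{name:9} {net}  usable hosts: {net.num_addresses - 2}")
    print("problems:", check_plan(plan, FLOOR_HOSTS) or "none")
```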


Topic 4 - Perimeter Network

One of the important aspects of a network design is security. Protecting a network from the outside is difficult, so it is necessary to design your network with this protection in mind. The network perimeter consists of a combination of firewalls, routers and remote access equipment.

The router is the first line of defence against the Internet in any network. Using IP filtering to control traffic, and including a firewall in your design, is a must for security. A firewall is designed to handle network perimeter security and should always be used in a network design.

A firewall inspects incoming and outgoing packets and compares them to a set of rules to determine whether they should be denied access, dropped, or permitted to pass through to the connected network.
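A minimal model of the rule-based packet filter described above, added here as a Python example that is not part of the original slides: an ordered rule set where the first match decides permit, deny or drop, plus a check for rules that an earlier rule shadows (a common sign that a policy does not say what its designer intended). The addresses and the policy itself are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "permit", "deny" (refuse, sender is told) or "drop" (discard silently)
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# Constructed perimeter policy (an assumption, not from the slides): the public
# web server is reachable on 443, nothing else may enter the intranet, the
# intranet may initiate outbound sessions, and everything else is dropped.
RULES = [
    Rule("permit", "0.0.0.0/0",  "192.0.2.10/32", "tcp", 443),
    Rule("deny",   "0.0.0.0/0",  "10.0.0.0/8",    "any", None),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0",     "any", None),
    Rule("drop",   "0.0.0.0/0",  "0.0.0.0/0",     "any", None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule decides; with no match the packet is dropped (index -1)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "drop", -1


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "10.1.2.3", "tcp", 445),
                Packet("10.1.2.3", "203.0.113.5", "tcp", 80)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed rules:", shadowed_rules(RULES))
```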


Lesson 3 - Routing and Remote Access Infrastructure Design

Introduction

This chapter discusses the design of the Routing and Remote Access infrastructure.

Topics covered in this lesson

Design Requirements
Perimeter Requirements
Intranet and Extranet
Authentication Requirements of Intranet
Windows 2003 Server Authentication
RADIUS and RADIUS Policies


Topic 1 - Design Requirements

The selection of hardware and software for the remote access solution is decided once it is clear how your remote access solution will be used. You need to collect the data to ensure you are designing a remote access solution that will fit the needs of the current environment and also the future requirements. The organization supplies these users with home workstations that will connect back to the environment. All this information is required to scale the server to meet the demand.

The other question that needs to be answered is whether any partners of the organization will require access to the network environment, as this information will help to properly design the VPN and/or dial-up access that allows partners to get to the necessary information.


Topic 2 - Perimeter Requirements

The perimeter is the point at which all remote access flows into the network environment. All clients or partners access your network through the perimeter.

Windows Server 2003 is a good solution to implement on the perimeter to support the remote access solution and provide security for it; it can support dial-in access and VPN access using Routing and Remote Access Service (RRAS). It can even provide TCP/IP filtering to help protect it from intruders located at the perimeter of the network.


Topic 3 - Intranet and Extranet

An extranet can be supported if you are using a secure remote access solution and those who wish to connect to you are using methods of connecting to your network that are compatible with your remote access solution. The best solution is typically a site-to-site VPN. Windows Server 2003 can provide this with RRAS and dial-on-demand.

The site-to-site VPN works in the following manner: when traffic destined for your network originates from the other network, a VPN connection is initiated over the existing Internet connection from the other network's Windows Server 2003 RRAS, and the VPN connection is established with your Windows Server 2003 RRAS. This takes place with the assistance of dial-on-demand and can occur in either direction.


Topic 4 - Authentication Requirements of Intranet

Only after authentication is established can a secure remote access solution be supported. To support authentication, you will have requirements on your intranet that will be accessed from the perimeter remote access solutions. There are two choices for authentication:

Windows Authentication
Remote Authentication Dial-In User Service (RADIUS)


Topic 5 - Windows 2003 Server Authentication

Using Windows Authentication will suffice if you are planning on one RRAS server. If the Windows Server 2003 running RRAS is a member server, it will use Active Directory for authentication; if it is a stand-alone server, it will use its internal user database.


Topic 6 - RADIUS and RADIUS Policies

To incorporate more than one RRAS server, Windows Server 2003 must be configured to use RADIUS for authentication. This access control protocol, RADIUS, uses a challenge/response method for authentication. Each Windows Server 2003 RRAS server acts as a RADIUS client, and each of these RADIUS clients authenticates via a top-level RADIUS server, which itself can then authenticate to Active Directory.

On the intranet, RRAS policies allow you to control connection security, connection times, user and group access, etc. These policies are beneficial for creating a secure RRAS environment. Policies basically allow you to control how you want clients to connect to your organization's network.


Lesson 4 - Availability of Remote Access Infrastructure

Introduction

In this chapter we discuss the concepts pertaining to availability of remote access infrastructure, covering determining the sizing of remote access infrastructure, availability of the remote access server, placing the components of the RRAS server, and scalability, availability and failover of RRAS.

Topics covered in this lesson

Determining the Sizing of Remote Access Infrastructure
Availability of Remote Access Server
Placing the Components of RRAS Server
Scalability, Availability and Failover of RRAS


Topic 1 - Determining the Sizing of Remote Access Infrastructure

We need to design a remote access solution, so we have to determine how much of it we require. You need to know how many hosts will be using the network; the same goes for remote access. Now we are going to determine what we should place, and where, and also examine the level of scalability and availability we need to design into the solution.

The thing you need to determine is how many users will need to connect remotely via VPN and/or dial-in, apart from any other remote access clients such as site-to-site. This can be called the starting point for sizing. Many network designs today do not want to use dial-in because of its cost and speed, and there is a better choice, i.e. VPN, as it does not require the provisioning of additional analog or ISDN lines within the organization.


Topic 2 - Availability of Remote Access Server

It's important to provide a remote access solution that allows for the scalability of the network in the future. In Windows Server 2003, each server can provide up to 1000 concurrent VPN connections, and the solution should be scalable. Provide the scalability in the hardware to ensure the server can handle more connections than are required. The key here is to monitor the server's system resources to maintain this availability.

Provide the means for failover to ensure availability; the way to do this is to provide multiple remote access servers. You can then either provide users with multiple remote access entries, or with both a dial-in solution and a VPN solution. Another consideration for remote access availability and failover is providing dial-on-demand for backing up routers.


Topic 3 - Placing the Components of RRAS Server

It is important that we place devices where they can function efficiently and securely. Functionality and security are always a constant trade-off. At times security measures can be ignored to provide clients with more freedom to use the network. Designing any system that has a security aspect means getting the right balance between security and operation.

When deploying a Windows Server 2003 server that provides VPN access to the network, it should be placed in a DMZ behind a firewall. This protects the server from attacks, and the DMZ isolates the inside network from that server in the event of a security threat. But if we are dealing with a Windows 2003 Server providing dial-in access to the network, then place this server inside the network perimeter.


Topic 4 - Scalability, Availability and Failover of RRAS

Scalability is an important issue when providing a remote access solution; scalability means keeping future needs in mind. For this it is better to use Windows Server 2003, as each server is capable of providing up to 1000 concurrent VPN connections. You need to provide the scalability in the hardware to ensure that the server can maintain more connections than are required. This availability is maintained by monitoring the server's system resources.

When installing RRAS on a server you are given the choice of creating a pool of IP addresses to give to clients or of using DHCP for IP addressing. The better option of the two is DHCP, as it allows you to manage your organization's IP addressing in a better manner. The RRAS server reserves 10 IP addresses from the DHCP server when the service starts, and when these addresses are used up another 10 IP addresses are reserved.


Conclusion

Summary of the Module

Internet connectivity provides a means of communication that is both cost effective and expedient.

Every organization that wants to conduct business over the Internet has to have a domain name. To acquire an appropriate domain name, you need to deal with companies that specialize in registering these for you.

Proxy servers are very beneficial in separating the intranet from the Internet.

There are three basic physical topologies, viz. bus, ring and star, and they use the same components.

A subnet is simply a way of taking a complete network and dividing it into manageable and optimized chunks.

The Dynamic Host Configuration Protocol (DHCP) is a message-based service and is used in Windows Server 2003 to provide automatic TCP/IP addressing and management of the addresses.


NAT translates private IP addresses to public IP addresses.

To control access and bandwidth it is important to place the router appropriately.

The selection of hardware and software for the remote access solution is decided once it is clear how your remote access solution will be used.

The perimeter is the point at which all remote access flows into the network environment. All clients or partners access your network through the perimeter.

An extranet can be supported if you are using a secure remote access solution and those who wish to connect to you are using methods of connecting to your network that are compatible with your remote access solution.


There are two choices for authentication: Windows Authentication and Remote Authentication Dial-In User Service (RADIUS).

To incorporate more than one RRAS server, Windows Server 2003 must be configured to use RADIUS for authentication.

It is important that we place devices where they can function efficiently and securely. Functionality and security are always a constant trade-off.

Scalability is an important issue when providing a remote access solution; scalability means keeping future needs in mind.