IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in
domain A and create a new domain B using that media.
It's only useful up to the tombstone lifetime, with a default of 60 days. So if you have
an old backup, then you cannot create a new domain controller using it, because
you'll run into the problem of reanimating deleted objects.
Link: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a
toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly
demote a Windows Server 2003 DC, run the following command either at Start, Run, or
at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate
Services before continuing. If you specify the /forceremoval switch on a server that doesn't
have Active Directory installed, the switch is ignored and the wizard pretends that you
want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want
to assign to the local administrator in the SAM database. If you have Windows Server 2003
Service Pack 1 installed on the DC, you'll benefit from a few enhancements. The wizard will
automatically run certain checks and will prompt you to take appropriate actions. For
example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You
will also be prompted to take an action if your DC is hosting any of the operations master
roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is
supported with Service Pack 2 and later. The rest of the procedure is similar to the
procedure I described for Windows Server 2003. Just make sure that while running the
wizard, you clear the "This server is the last domain controller in the domain" check box.
On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003
SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually
promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC: Once you've successfully demoted the DC, your
job is not quite done yet. Now you must clean up the Active Directory metadata. You may
be wondering why you need to clean the metadata manually. The metadata for the demoted
DC is not deleted from the surviving DCs because you forced the demotion. When you force
a demotion, Active Directory basically ignores other DCs and does its own thing. Because
the other DCs are not aware that you removed the demoted DC from the domain, the
references to the demoted DC need to be removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the
biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is
obvious in most cases but, in other cases, you won't know it unless you start digging deep
into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to
clean up metadata on Windows Server 2003 SP1. According to Microsoft, the version of
NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up,
which obviously means that the earlier versions didn't do a very good job. For Windows
2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, "How to
remove data in Active Directory after an unsuccessful domain controller demotion."
Here's the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Log on to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server
you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different
number.
9. Type select domain number, where number is the number associated with the
domain of your server.
10. Type list sites.
11. Type select site number, where number is the number associated with the site of
your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server
you want to remove.
14. Type quit to go to the Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal
completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the
server.
In general, you will have better luck using forced demotion on Windows Server 2003,
because the naming contexts and other objects don't get cleaned as quickly on Windows
2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to
the nature of forced demotion and the fact that it's meant to be used only as a last resort,
there are additional things that you should know about forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional
cleaning manually using ADSIEdit or other such tools. You might want to check out
Microsoft's Knowledge Base article 332199, "Domain controllers do not demote gracefully
when you use the Active Directory Installation Wizard to force demotion in Windows Server
2003 and in Windows 2000 Server," for more information.
Read the original full answer at
http://redmondmag.com/columns/print.asp?EditorialsID=1352
Also worth reading:
http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm
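The checks below are an added example and are not part of the quoted answer or of the linked articles. They wrap the Windows Server 2003 command-line tools (dsquery, dnscmd, repadmin) in a short PowerShell script that confirms, after the ntdsutil cleanup and the manual DNS clean-up described above, that nothing still points at the forcibly demoted DC. The DC name DC02 and the domain cp.com are placeholders; the _msdcs zone is assumed to be a separate zone, as it is in a forest created on Windows Server 2003 (on a forest upgraded from Windows 2000 it is a subdomain of the root zone instead).

```powershell
# Added example (not from the page): verify the metadata cleanup after a forced demotion.
# Assumes the demoted DC was called DC02 and the domain is cp.com (both placeholders).
$stale  = 'DC02'
$domain = 'cp.com'
$domDn  = 'dc=cp,dc=com'

# 1. Server objects in the configuration partition. ntdsutil's "remove selected server"
#    should have deleted CN=DC02,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
#    together with its NTDS Settings object. -limit 0 lifts dsquery's 100-result cap.
$servers = dsquery server -forest -limit 0
$left = $servers | Where-Object { $_ -match "CN=$stale," }
if ($left) { Write-Warning "Server object still present: $left" }
else       { Write-Host "OK: no server object for $stale in the forest" }

# 2. The computer account in the Domain Controllers OU is not always removed by the
#    cleanup; a leftover account must be deleted by hand (ADSIEdit or dsrm).
$account = dsquery computer "ou=Domain Controllers,$domDn" -name $stale
if ($account) { Write-Warning "Computer account still present: $account" }

# 3. DNS: A and SRV records that still name the old DC would send clients to a host
#    that no longer authenticates them. /ZonePrint dumps the whole zone.
foreach ($zone in $domain, "_msdcs.$domain") {
    $hits = dnscmd . /ZonePrint $zone | Select-String -SimpleMatch $stale
    if ($hits) { Write-Warning "Zone $zone still references ${stale}:"; $hits }
}

# 4. Replication summary across the surviving DCs. Errors that still mention the
#    old DC point to a lingering connection object or NTDS Settings object.
repadmin /replsummary
```

Run it on a surviving DC after the ntdsutil steps. Each section only reports; the removal of anything it finds is the manual ADSIEdit or DNS console work the answer above already calls for.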
Can I get user passwords from the AD database?
To my knowledge there is no way to extract the password from the AD database. By the way,
there is a tool called cachedump. Using it we can extract the cached passwords from a
Windows XP machine which is joined to a domain.
What tool would I use to try to grab security related packets from the wire?
Network Monitor, Ethereal or Wireshark.
Name some OU design considerations.
Design OU structure based on Active Directory business requirements
NT Resource domains may fold up into OUs
Create nested OUs to hide objects
Objects easily moved between OUs
Departments, Geographic Region, Job Function, Object Type
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or toWindows2000SP2
(or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent poten
tial domain controller corruption.
For more information about preparing your forest and domain see KB article Q3311
61 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press ENT
ER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
DSmod
Adding objects is great, but there are times in Windows 2003 when you need to change
Active Directory properties.
Scenario: you wish to quickly change a user's password. This is a task you are going to have
to do regularly, and you would like to be able to do it quickly from the command line. Let us
now modify the user's password with DSmod.
Introduction to DSadd
DSadd is the most important member of this DS scripting family. The primary use of DSadd
is to quickly add user accounts to Windows Server 2003 Active Directory. However, you can
also use this method to create OUs, computers, groups, or even contacts.
Note 1: dsadd ou. This command tells Active Directory which object to create, in this case
an OU (not a user).
Note 2: You only really need speech marks if there is a space in any of your names. So
ou=guyds, dc=cp, dc=com would work fine, but ou=GUY Space DS, dc=cp, dc=com fails
because of the spaces in the GUY Space DS name. In this second example you would type:
"ou=GUY Space DS, dc=cp, dc=com"
Example 2 - Employing DSadd to Create a User. (Assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation:
Log on to your domain controller.
Examine the script below. Decide if cn= or ou= or dc= need editing.
Run CMD, then copy your script and paste it into the command window. Alternatively type it
starting with dsadd user .........
Note: DSadd requires the complete distinguished name. Note also that the distinguished
name is encased in double "speech marks". I expect you spotted that the user will be
created in the guyds organizational unit that was created in the first example. Change
"cn=guyt" to a different user name if you wish.
DS Error Messages
DS has its own family of error messages. I found that they are specific and varied, just
remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.
Learning Points
Note 1:dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that you
create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.
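The script below is an added example; it is not the author's Example 1 or Example 2 script, which are not reproduced on this page. It uses the page's own names (domain cp.com, OU guyds, user guyt) and shows DSadd creating the OU and the user and DSmod resetting the password, written as a PowerShell script that calls the same DS tools. The -desc, -display, -fn and -ln values are constructed sample data.

```powershell
# Added example (not the page's own script): create an OU and a user with DSadd,
# then reset the password with DSmod. Names follow the page: domain cp.com,
# OU guyds, user guyt. Description and display names are constructed.

# 1. The OU. Speech marks are optional here because nothing contains a space.
dsadd ou "ou=guyds,dc=cp,dc=com" -desc "DS command-line examples"

# 2. The user. DSadd needs the complete distinguished name of the new object.
#    -pwd * makes DSadd prompt for the password instead of leaving it in the
#    command history and on the process command line, where any local user could
#    read it. -mustchpwd yes forces a change at first logon.
dsadd user "cn=guyt,ou=guyds,dc=cp,dc=com" `
    -samid guyt -upn "guyt@cp.com" -fn Guy -ln Thomas -display "Guy Thomas" `
    -pwd * -mustchpwd yes -disabled no

# 3. DSmod: the password-reset scenario from the DSmod section, again prompting
#    for the new password rather than typing it into the command line.
dsmod user "cn=guyt,ou=guyds,dc=cp,dc=com" -pwd * -mustchpwd yes

# 4. A name with a space must be quoted as a whole DN, as Note 2 above says.
dsadd ou "ou=GUY Space DS,dc=cp,dc=com"

# 5. Check the result (singular 'user', not 'users'); DSGet shows the flags just set.
dsquery user "ou=guyds,dc=cp,dc=com" | dsget user -samid -display -mustchpwd -disabled
```

Run it from a command window on a Windows Server 2003 domain controller (PowerShell is an add-on there, but each line is also valid as a plain CMD command once the backtick continuations are joined). The same -pwd * prompt exists on dsadd user and dsmod user, so a password never has to appear in a script file or shell history.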
Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the users folder and find out who is in that container.
Commands: dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default users' folder is actually a container object called cn=users. My point
is that if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS. Other
objects that you can query are computer (not computers!), group or even contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU.
Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user
Learning Points
Note 1: Amazingly, dsquery server, the simplest command, gets the job done.
Note 2: I thank Jim D for pointing out that what we want here is the singular 'server'.
Learning Points
Note 1: The command is -hasfsmo not ?hasfsmo as in some documents.
Example 5 - DSQuery to find all users whose name begins with smith*
This DSQuery example shows two ways to filter your output and so home in on what you are
looking for. Let us pretend that we know the user's name but have no idea in which OU they
are to be found. Moreover, we are not sure whether their name is spelt Smith, Smithy or
Smithye.
Commands:
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user smith*
Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.
Learning Points
Note 1: o is the letter oh (not a number). In my mind's eye o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular are handy
commands for interrogating Active Directory from the command line. Perhaps the day will
come when you need to find a user, computer or group without calling for the Active Users
and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery returns a list
of objects, DSGet can interrogate those objects for extra properties such as description,
manager or department. Naturally this presupposes you entered the relevant information
in the user's properties sheet!
Introduction to DSGet
My assumption is that you are comfortable with DSQuery; if this is not the case take the
time to have a refresher.
Next, a reminder to pay close attention to DS syntax. In this instance what we need is a
pipe symbol ( | ) to join DSQuery with DSGet. Just to be clear, you type this pipe (|) with
the shift key and the key next to the Z. (A colon : would produce an error).
Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop into
such a server?
Note 2: Feel free to change smith* to one of your users. Better still, create a test account
and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to DSGet.
Learning Points
Note 1: To read the file type, notepad dsget.txt
Note 2: I am impressed by the column format of the output
I would like to leave you with a few more DSGet object that you can interrogate or
experiment with. In addition to user, there are the following DSGet commands :
Computer, also Server - meaning DC, OU, Group, even Site and Subnet.
Note: There are also two commands called partition and quota; however, in the context of
DSGet, partition and quota refer to Active Directory, not disk. For example, the
application partition in Active Directory. To tell the truth, it was a big disappointment that
DSGet did not return the disk information, but on reflection I was expecting the
impossible. DSGet partition means Active Directory partition.
Summary - DSGet
As far as DSGet is concerned, I have come from Philistine to champion. Now I really enjoy
the challenge of DSGet and appreciate the way it works hand in glove with DSQuery. It also
reminds me of that old truism: the more you know, the easier it gets.
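The following is an added example, not one of the author's numbered examples (the page reproduces only their commands and learning points). It shows the DSQuery-to-DSGet pipe that the DSGet introduction describes, the -o switch and -hasfsmo from the learning points, and a few DSQuery filters that are useful for reviewing account hygiene. The domain cp.com, the smith* pattern and the dsget.txt file name are the page's own; everything else is assumed.

```powershell
# Added example (not from the page): DSQuery feeding DSGet through a pipe.
# Assumes the page's domain cp.com; smith* and dsget.txt are the page's sample names.

# Users whose name starts with smith, searched from the domain root, then handed
# to DSGet for extra properties. -c makes DSGet carry on past objects it cannot
# read instead of stopping at the first error.
dsquery user domainroot -name smith* |
    dsget user -samid -display -desc -dept -mgr -disabled -c

# The same query, but asking DSQuery for account names (-o samid) rather than DNs.
dsquery user domainroot -name smith* -o samid

# DSQuery stops at 100 results by default; -limit 0 returns everything. The
# column-formatted DSGet output goes to the file the page's note reads with notepad.
dsquery user "cn=users,dc=cp,dc=com" -limit 0 |
    dsget user -samid -pwdneverexpires -mustchpwd -disabled -c > dsget.txt
notepad dsget.txt

# Filters worth running regularly: disabled accounts, users and computers idle for
# 4 weeks (-inactive needs Windows Server 2003 domain functional level), and users
# whose password is older than 90 days.
dsquery user domainroot -disabled -limit 0
dsquery user domainroot -inactive 4 -limit 0
dsquery computer domainroot -inactive 4 -limit 0
dsquery user domainroot -stalepwd 90 -limit 0

# The singular 'server' from the learning points above; -hasfsmo takes one of
# schema, name, infr, pdc or rid. The second line lists every DC with its site
# and whether it is a Global Catalog.
dsquery server -hasfsmo rid
dsquery server -forest | dsget server -dnsname -site -isgc
```

In PowerShell a line ending in | continues on the next line, so the two long pipelines read as one command each; in CMD type them on one line. The -inactive and -stalepwd filters depend on the lastLogonTimestamp and pwdLastSet attributes, so a freshly raised functional level shows nothing useful until the replicated timestamps have had time to populate.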
What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD into
a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel.
I will not go to length into this powerful command, but I will show you some basic samples
of how to import a large number of users into your AD. Of course, as with the DSADD
command, CSVDE can do more than just import users. Consult your help file for more info.
Like CSVDE, LDIFDE is a command that can be used to import and export objects to and
from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file
easily readable in any text editor; however, it is not readable in programs like Excel. The
major difference between CSVDE and LDIFDE (besides the file format) is the fact that
LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can
only import and export objects.
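The samples the answer promises are not on this page, so the following is an added example rather than the author's own. It writes a small CSV file and imports it with CSVDE, then does the two things CSVDE cannot do, a modify and a delete, through an LDIF file and LDIFDE, and finally exports the OU with both tools. The domain cp.com and OU guyds follow the page; the user names and descriptions are constructed sample data.

```powershell
# Added example (not from the page): CSVDE bulk import, then an LDIFDE modify and
# delete that CSVDE cannot express. Domain cp.com and OU guyds follow the page;
# the users and descriptions are constructed.

# --- CSVDE creates objects only. The header row names the attributes and each
# later row is one object. A DN containing commas is quoted as one field.
# No password can be supplied this way, so the accounts arrive disabled and are
# enabled only after a password is set (for example dsmod user <DN> -pwd * -disabled no).
@"
DN,objectClass,sAMAccountName,userPrincipalName,displayName,description
"cn=Ann Smith,ou=guyds,dc=cp,dc=com",user,asmith,asmith@cp.com,Ann Smith,Imported by CSVDE
"cn=Bob Smithy,ou=guyds,dc=cp,dc=com",user,bsmithy,bsmithy@cp.com,Bob Smithy,Imported by CSVDE
"@ | Set-Content -Path .\newusers.csv -Encoding ASCII

csvde -i -f .\newusers.csv -k     # -i import; -k keep going on 'already exists' errors

# --- LDIFDE: one file may add, modify and delete. A 'changetype: modify' block
# ends with a line holding a single '-', and entries are separated by a blank line.
@"
dn: cn=Ann Smith,ou=guyds,dc=cp,dc=com
changetype: modify
replace: description
description: Updated by LDIFDE
-

dn: cn=Bob Smithy,ou=guyds,dc=cp,dc=com
changetype: delete
"@ | Set-Content -Path .\changes.ldf -Encoding ASCII

ldifde -i -f .\changes.ldf -k

# --- Export for review. Both tools take -d (base DN), -r (LDAP filter) and
# -l (attribute list); userAccountControl shows which accounts are still disabled.
csvde  -f .\guyds.csv -d "ou=guyds,dc=cp,dc=com" -r "(objectClass=user)" -l "sAMAccountName,description,userAccountControl"
ldifde -f .\guyds.ldf -d "ou=guyds,dc=cp,dc=com" -r "(objectClass=user)" -l "sAMAccountName,description,userAccountControl"
```

The disabled-on-import behaviour is a property of the directory, not of the tools: Active Directory accepts a password write (the unicodePwd attribute) only over an encrypted LDAP session, so neither a plain CSVDE nor a plain LDIFDE import can set one, and an account without a password cannot be enabled. Treat an import file that does carry passwords as a secret and delete it once the import has run.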
What are the FSMO roles? Who has them by default? What happens when each one
fails? *****
FSMO Role      | Number of DCs holding this role | Original DC holding the FSMO role
Schema         | One per forest                  | The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming  | One per forest                  |
PDC Emulator   |                                 |
Infrastructure |                                 |
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32
schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.
8. Press the Close button.
I want to look at the RID allocation table for a DC. What do I do?
What's the difference between transferring a FSMO role and seizing one?
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master
FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click
the icon next to Active Directory Users and Computers and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder, the target, and press
OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change
button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Domains and Trusts and press Connect to
Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32
schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the Active Directory Schema icon in the Console Root and press Change
Domain Controller.
8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press
Operation Masters.
10. Press the Change button.
11. Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of
Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and
then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool,
type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the
server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master.
Options are:
7. You will receive a warning window asking if you want to perform the transfer.
Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
Another consideration before performing the seize operation is the administrator's group membership,
as this table lists:
Domain Naming
RID
PDC Emulator
Infrastructure
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
C:\WINDOWS>ntdsutil
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then
press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you want
to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
Server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID
Master role, you would type seize rid master:
Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300,
problem 5002 (UNAVAILABLE)
, data 1722
Source :
http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm
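As an added example that is not part of the petri.co.il answer, the script below performs the graceful transfer described above without walking the ntdsutil menus by hand, and checks the role holders before and after. It relies on ntdsutil accepting its menu commands as command-line arguments and on netdom from the Windows Server 2003 Support Tools; server100 is the page's sample target DC, and the role chosen (RID master) is an assumption.

```powershell
# Added example (not from the page): transfer a FSMO role non-interactively and
# confirm that it moved. server100 is the page's sample DC; RID master is assumed.

# Before: all five role holders in one listing (netdom is in the Support Tools).
netdom query fsmo

# Transfer (graceful: the current holder must be online and replicating). ntdsutil
# takes the same words that the interactive session above types at each prompt;
# each quoted argument is one menu command. Role keywords match the seize options
# listed above: 'schema master', 'domain naming master', 'pdc', 'rid master',
# 'infrastructure master'. The confirmation dialog still appears.
ntdsutil roles connections "connect to server server100" quit "transfer rid master" quit quit

# After: server100 should now be reported for the RID master, and the change should
# have replicated out; a DC that still shows the old holder has not replicated yet.
netdom query fsmo
repadmin /showrepl server100
```

Prefer transfer whenever the current holder can be reached; seizure, as the caution above says, is the last resort for a holder that is gone for good. After a seizure of the schema, domain naming or RID master, the former holder must not be brought back onto the network without being rebuilt, otherwise two DCs believe they own the same role and, for the RID master, may hand out overlapping RID pools.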
What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.
What can be restricted on Windows Server 2003 that wasn't there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and
other network configuration parameters.
Where is secedit?
It's now gpupdate.
You want to create a new group policy but do not wish to inherit. Make sure you check
Block inheritance among the options when creating the policy.
What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.
I have a file to which the user has access, but he has no folder permission to read it. Can he
access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can't drill down the
file/folder tree using My Computer, he can still gain access to the file using the Universal
Naming Convention (UNC). The best way to start would be to type the full path of the file into
the Run window.
We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use
the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant
shares.
How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.
What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7
certificate response to exchange CA certificates with third-party certificate authorities.
What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password
History Remembered"?
Users last 6 passwords.
Active Directory stores and retrieves information from a wide variety of applications and
services.
What is Global Catalog Server?
A global catalog server is a domain controller; it is a master searchable database that contains
information about every object in every domain in a forest. The global catalog contains a
complete replica of all objects in Active Directory for its host domain, and contains a partial
replica of all objects in Active Directory for every other domain in the forest. It has two
important functions:
Provides group membership information during logon and authentication
Helps users locate resources in Active Directory
What is the ntds.dit file default size?
40 MB
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP 389, Global Catalog - 3268
What is IPv6?
Internet Protocol version 6 (IPv6) is a network layer IP standard used by
electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as
the second version of the Internet Protocol to be formally adopted for general use. An IPv6
address is 128 bits in size: a total of 8 groups, each 16 bits, separated with ":", and written
in hexadecimal format. There are 3 types:
1. unicast address
2. multicast address
3. anycast address
The loopback address of IPv6 is ::1
How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To
change the Boot.ini timeout and default settings, use the System option inControlPanelfrom
the Advanced tab and select Startup.
If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows
Server 2003.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain
Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active Directory.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include
account and individual user lockout policies, changes to password policies, changes to
computer account passwords, and modifications to the Local Security Authority (LSA).
If I delete a user and then create a new account with the same username and password,
would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and
password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users?
Credential Management feature of Windows Server 2003 provides a consistent single sign-on
experience for users. This can be useful for roaming users who move between computer
systems. The Credential Management feature provides a secure store of user credentials that
includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User Properties Account Tab
Options, since the Macs only store their passwords that way.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the
system, and, when the user logs off, all changes to the locally stored profile are copied to the
shared server folder. Therefore, the first time a roaming user logs on to a new system the
logon process may take some time, depending on how large his profile folder is.
Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts?
JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
What are the differences between a site-to-site VPN and a VPN client connecting to a
VPN server? What protocols are used for these?
EXPERT RESPONSE
Site-to-site VPNs connect entire networks to each other -- for example, connecting a
branch office network to a company headquarters network. In a site-to-site VPN, hosts do
not have VPN client software; they send and receive normal TCP/IP traffic through a
VPN gateway. The VPN gateway is responsible for encapsulating and encrypting
outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN
gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts
the content, and relays the packet towards the target host inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example,
travelers and teleworkers who need to access their company's network securely over the
Internet. In a remote access VPN, every host must have VPN client software (more on this
in a minute). Whenever the host tries to send any traffic, the VPN client software
encapsulates and encrypts that traffic before sending it over the Internet to the VPN
gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as
described above for site-to-site VPNs. If the target host inside the private network returns
a response, the VPN gateway performs the reverse process to send an encrypted response
back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec
Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by
the Internet and most corporate networks today. Most routers and firewalls now support
IPsec and so can be used as a VPN gateway for the private network behind them. Another
site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS
does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol
(PPTP) has been included in every Windows operating system since Windows 95. The
Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is
more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver
remote access VPN services. All of these approaches require VPN client software on
every host, and a VPN gateway that supports the same protocol and options/extensions for
remote access.
Over the past few years, many vendors have released secure remote access products that
use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These
"SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they
use web browsers as VPN clients, usually in combination with dynamically-downloaded
software (Java applet, ActiveX control, or temporary Win32 program that is removed
when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote
hosts to an entire private network, SSL VPNs tend to connect users to specific
applications protected by the SSL VPN gateway.
To learn more about VPN protocols and topologies, watch my New directions in VPN
searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.
What are