
System Administrator Job Interview Questions - Part 1

Technical Interview Questions: Networking

- What is an IP address?
- What is a subnet mask?
- What is ARP?
- What is ARP Cache Poisoning?
- What is the ANDing process?
- What is a default gateway? What happens if I don't have one?
- Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
- What is a subnet?
- What is APIPA?
- What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them).
- What is RFC 1918?
- What is CIDR?
- You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
- You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
- You need to view network traffic. What will you use? Name a few tools.
- How do I know the path that a packet takes to the destination?
- What does the "ping 192.168.0.1 -l 1000 -n 100" command do?
- What is DHCP? What are the benefits and drawbacks of using it?
- Describe the steps taken by the client and DHCP server in order to obtain an IP address.
- What is the DHCPNACK and when do I get one? Name 2 scenarios.
- What ports are used by DHCP and the DHCP clients?
- Describe the process of installing a DHCP server in an AD infrastructure.
- What is DHCPINFORM?
- Describe the integration between DHCP and DNS.
- What options in DHCP do you regularly use for an MS network?
- What are User Classes and Vendor Classes in DHCP?
- How do I configure a client machine to use a specific User Class?
- What is the BOOTP protocol used for, and where might you find it in a Windows network infrastructure?
- DNS zones: describe the differences between the 4 types.
- DNS record types: describe the most important ones.
- Describe the process of working with an external domain name.
- Describe the importance of DNS to AD.
- Describe a few methods of finding an MX record for a remote domain on the Internet.
- What does "Disable Recursion" in DNS mean?
- What could cause the Forwarders and Root Hints to be grayed out?
- What is a "Single Label domain name" and what sort of issues can it cause?
- What is the "in-addr.arpa" zone used for?
- What are the requirements from DNS to support AD?
- How do you manually create SRV records in DNS?
- Name 3 benefits of using AD-integrated zones.
- What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
- You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
- What are the benefits and scenarios of using Stub zones?
- What are the benefits and scenarios of using Conditional Forwarding?
- What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
- How do I work with the Host name cache on a client computer?
- How do I clear the DNS cache on the DNS server?
- What is the 224.0.1.24 address used for?
- What is WINS and when do we use it?
- Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
- Describe the differences between WINS push and pull replications.

- What is the difference between tombstoning a WINS record and simply deleting it?
- Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
- Describe the role of the routing table on a host and on a router.
- What are routing protocols? Why do we need them? Name a few.
- What are router interfaces? What types can they be?
- In Windows 2003 routing, what are the interface filters?
- What is NAT? What is the real difference between NAT and PAT?
- How do you configure NAT on Windows 2003?
- How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
- What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
- What is IAS? In what scenarios do we use it?
- What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
- What is the "RAS and IAS" group in AD?
- What are Conditions and Profile in RRAS Policies?
- What types of authentication can a Windows 2003 based RRAS work with?
- How does SSL work?
- How does IPSec work?
- How do I deploy IPSec for a large number of computers?
- What types of authentication can IPSec use?
- What is PFS (Perfect Forward Secrecy) in IPSec?
- How do I monitor IPSec?
- Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
- What can you do with NETSH?
- How do I look at the open ports on my machine?

Technical Interview Questions: Active Directory

- What is Active Directory?
- What is LDAP?
- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
- Where is the AD database held? What other folders are related to AD?
- What is the SYSVOL folder?
- Name the AD NCs and replication issues for each NC.
- What are application partitions? When do I use them?
- How do you create a new application partition?
- How do you view replication properties for AD partitions and DCs?
- What is the Global Catalog?
- How do you view all the GCs in the forest?
- Why not make all DCs in a large forest as GCs?
- Trying to look at the Schema, how can I do that?
- What are the Support Tools? Why do I need them?
- What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
- What are sites? What are they used for?
- What's the difference between a site link's schedule and interval?
- What is the KCC?
- What is the ISTG? Who has that role by default?
- What are the requirements for installing AD on a new server?
- What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
- How can you forcibly remove AD from a server, and what do you do later?
- Can I get user passwords from the AD database?
- What tool would I use to try to grab security related packets from the wire?
- Name some OU design considerations.
- What is the tombstone lifetime attribute?
- What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
- What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
- How would you find all users that have not logged on since last month?
- What are the DS* commands?
- What's the difference between LDIFDE and CSVDE? Usage considerations?
- What are the FSMO roles? Who has them by default? What happens when each one fails?

- What FSMO placement considerations do you know of?
- I want to look at the RID allocation table for a DC. What do I do?
- What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
- How do you configure a "stand-by operation master" for any of the roles?
- How do you back up AD?
- How do you restore AD?
- How do you change the DS Restore admin password?
- Why can't you restore a DC that was backed up 4 months ago?
- What are GPOs?
- What is the order in which GPOs are applied?
- Name a few benefits of using GPMC.
- What are the GPC and the GPT? Where can I find them?
- What are GPO links? What special things can I do to them?
- What can I do to prevent inheritance from above?
- How can I override blocking of inheritance?
- How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
- A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
- Name a few differences in Vista GPOs.
- Name some GPO settings in the computer and user parts.
- What are administrative templates?
- What's the difference between software publishing and assigning?
- Can I deploy non-MSI software with GPO?
- You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Technical Interview Questions: Exchange 2003

- Tell me a bit about the capabilities of Exchange Server.
- What are the different Exchange 2003 versions?
- What are the main differences between Exchange 5.5 and Exchange 2000/2003?
- What are the major network infrastructure requirements for installing Exchange 2003?
- What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.
- What are the disk considerations when installing Exchange (RAID types, locations and so on)?
- You got a new HP DL380 (2U) server, dual Xeon, 4GB of RAM, 7 SAS disks, 64-bit. What do you do next to install Exchange 2003? (You have AD in place.)
- Why not install Exchange on the same machine as a DC?
- Are there any other installation considerations?
- How would you prepare the AD Schema in advance before installing Exchange?
- What type of permissions do you need in order to install the first Exchange server in a forest? In a domain?
- How would you verify that the schema was in fact updated?
- What type of memory optimization changes could you do for Exchange 2003?
- How would you check your Exchange configuration settings to see if they're right?
- What are the Exchange management tools? How and where can you install them?
- What types of permissions are configurable for Exchange?
- How can you grant access for an administrator to access all mailboxes on a specific server?
- What is the Send As permission?
- What other management tools are used to manage and control Exchange 2003? Name the tools you'd use.
- What are Exchange Recipient types? Name 5.
- You created a mailbox for a user, yet the mailbox does not appear in ESM. Why?
- You wanted to change mailbox access permissions for a mailbox, yet you see the SELF permission alone on the permissions list. Why?
- What are Query Based Distribution groups?
- What type of groups would you use when configuring distribution groups in a multiple domain forest?
- Name a few configuration options for Exchange recipients.
- What's the difference between Exchange 2003 Std. and Ent. editions when related to storage options and size?

- Name a few configuration options related to mailbox stores.
- What are System Public Folders? Where would you find them?
- How would you plan and configure Public Folder redundancy?
- How can you immediately stop PF replication?
- How can you prevent PF referral across slow WAN links?
- What types of PF management tools might you use?
- What are the differences between administrative permissions and client permissions in PF?
- How can you configure PF replication from the command prompt in Exchange 2003?
- What are the message hygiene options you can use natively in Exchange 2003?
- What are the configuration options in IMF?
- What are virtual servers? When would you use more than one?
- Name some of the SMTP Virtual Server configuration options.
- What is a Mail Relay? Name a few known mail relay software or hardware options.
- What is a Smart Host? Where would you configure it?
- What are Routing Groups? When would you use them?
- What are the types of Connectors you can use in Exchange?
- What is the cost option in Exchange connectors?
- What is the Link State Table? How would you view it?
- How would you configure mail transfer security between 2 routing groups?
- What is the Routing Group Master? Who holds that role?
- Explain the configuration steps required to allow Exchange 2003 to send and receive email from the Internet (consider a one-site multiple server scenario).
- What is DS2MB?
- What is Forms Based Authentication?
- How would you configure OWA's settings on an Exchange server?
- What is DSACCESS?
- What are Recipient Policies?
- How would you work with multiple recipient policies?
- What is the "issue" with trying to remove email addresses added by recipient policies? How would you fix that?
- What is the RUS? When would you need to manually create additional RUS?
- What are Address Lists?
- How would you modify the filter properties of one of the default address lists?
- How can you create multiple GALs and allow the users to only see the one related to them?
- What is a Front End server? In what scenarios would you use one?
- What type of authentication is used on the front end servers?
- When would you use NLB?
- How would you achieve incoming mail redundancy?
- What are the 4 types of Exchange backups?
- What is the Dial-Tone server scenario?
- When would you use offline backup?
- How do you re-install Exchange on a server that has crashed but with AD intact?
- What is the dumpster?
- What are the e00xxxxx.log files?
- What is the e00.chk file?
- What is circular logging? When would you use it?
- What's the difference between online and offline defrag?
- How would you know if it is time to perform an offline defrag of your Exchange stores?
- How would you plan for, and perform, the offline defrag?
- What is the eseutil command?
- What is the isinteg command?
- How would you monitor Exchange's services and performance? Name 2 or 3 options.
- Name all the client connection options in Exchange 2003.
- What is Direct Push? What are the requirements to run it?
- How would you remote wipe a PPC?
- What are the issues with connecting Outlook from a remote computer to your mailbox? How would you solve those issues? Name 2 or 3 methods.
- What is RPC over HTTP? What are the requirements to run it?
- What is Cached Mode in OL2003/2007?
- What are the benefits and "issues" when using cached mode? How would you tackle those issues?

- What is S/MIME? What are the usage scenarios for S/MIME?
- What are the IPSec usage scenarios for Exchange 2003?
- How do you enable SSL on OWA?
- What are the considerations for obtaining a digital certificate for SSL on Exchange? Name a few 3rd-party CAs.
- What do you need to consider when using client-type AV software on an Exchange server?
- What are the different clustering options in Exchange 2003? Which one would you choose and why?

Additional questions:

1. Domain authentication protocol
2. Difference between 2000 and 2003
3. Global catalog server
4. How do you configure mandatory profiles?

1) Assuming you don't have the GPMC installed, where would you edit a copy of the default domain policy on your Win 2000 DC?
2) If your policy is working on some but NOT all of your 2000 clients, what must you do to ensure the policy takes effect immediately?
3) What is the difference between an Incremental and Differential backup?
4) What is circular logging and what is the main advantage of using CL in Exchange?

Differences between Windows 2000 Server and Windows 2003 Server:
1) Windows 2003 Server is more secure than Windows 2000 Server.
2) In Windows 2000 Server the IIS version is 5.0; in Windows 2003 Server the IIS version is 6.0, so it contains some advanced features.
3) In Windows 2003 Server we can apply more Group Policies.
4) In Windows 2003 Server Active Directory also contains more features.
1. In 2k3 we can rename the Domain and Domain Controller name.
2. Stub zones are available.
3. Remote Desktop Connection is there.
4. Automated System Recovery (ASR) is there, but 2k only has the Emergency Repair Disk (ERD).

Explain the Windows XP, 2000 and 2003 Boot Process.
1. POST.
2. The MBR reads the boot sector, which is the first sector of the active partition.
3. Ntldr locates the path of the OS from boot.ini.
4. Ntldr runs ntdetect.com to get information about installed hardware.
5. Ntldr reads the registry files, then selects a hardware profile and control set and loads device drivers.
6. After that Ntoskrnl.exe takes over and starts winlogon.exe, which starts lsass.exe; this is the program that displays the welcome screen.

Address Resolution Protocol (arp)


The address resolution protocol (arp) is a protocol used by the Internet Protocol (IP) [RFC826], specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. The protocol operates below the network layer as a part of the interface between the OSI network and OSI link layer. It is used when IPv4 is used over Ethernet.

The term address resolution refers to the process of finding an address of a computer in a network. The address is "resolved" using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.

An Ethernet network uses two hardware addresses which identify the source and destination of each frame sent by the Ethernet. The destination address (all 1's) may also identify a broadcast packet (to be sent to all connected computers). The hardware address is also known as the Medium Access Control (MAC) address, in reference to the standards which define Ethernet. Each computer network interface card is allocated a globally unique 6 byte link address when the factory manufactures the card (stored in a PROM). This is the normal link source address used by an interface. A computer sends all packets which it creates with its own hardware source link address, and receives all packets which match the same hardware address in the destination field or one (or more) pre-selected broadcast/multicast addresses.

The Ethernet address is a link layer address and is dependent on the interface card which is used. IP operates at the network layer and is not concerned with the link addresses of individual nodes which are to be used. The address resolution protocol (arp) is therefore used to translate between the two types of address. The arp client and server processes operate on all computers using IP over Ethernet.
The processes are normally implemented as part of the software driver that drives the network interface card. There are four types of arp messages that may be sent by the arp protocol. These are identified by four values in the "operation" field of an arp message. The types of message are:

1. ARP request
2. ARP reply
3. RARP request
4. RARP reply

The format of an arp message is shown below:

[Figure: Format of an arp message used to resolve the remote MAC Hardware Address (HA)]

To reduce the number of address resolution requests, a client normally caches resolved addresses for a (short) period of time. The arp cache is of a finite size, and would become full of incomplete and obsolete entries for computers that are not in use if it was allowed to grow without check. The arp cache is therefore periodically flushed of all entries. This deletes unused entries and frees space in the cache. It also removes any unsuccessful attempts to contact computers which are not currently running.
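As an added example (not part of the original page), the Python below encodes and decodes the 28-byte IPv4-over-Ethernet ARP body laid out in RFC 826, using the four opcodes listed above, and pairs it with a minimal resolver cache whose entries expire after a short time, as the paragraph describes. The MAC and IP addresses used in `resolve_exchange` are constructed for the example.

```python
import struct

# ARP body for IPv4 over Ethernet as laid out in RFC 826 (28 bytes):
#   hardware type (2) | protocol type (2) | HA length (1) | PA length (1) | opcode (2)
#   sender HA (6) | sender PA (4) | target HA (6) | target PA (4)
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LENGTH = struct.calcsize(ARP_FORMAT)  # 28

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806  # the Ethernet protocol type that carries ARP

# The four operation values named in the text.
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an ARP body. A request carries an all-zero target MAC."""
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(payload):
    """Decode an ARP body, rejecting anything that is not IPv4-over-Ethernet ARP."""
    if len(payload) < ARP_LENGTH:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, payload[:ARP_LENGTH])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    return {
        "opcode": opcode,
        "operation": OPCODES[opcode],
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
    }


class ArpCache:
    """Minimal resolver cache: an entry is dropped once it is older than `ttl` seconds."""

    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self._entries = {}  # ip -> (mac, time learned)

    def learn(self, ip, mac, now):
        self._entries[ip] = (mac, now)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at > self.ttl:  # stale: forget it so a fresh request is sent
            del self._entries[ip]
            return None
        return mac

    def flush_expired(self, now):
        """The periodic flush from the text; returns how many entries were removed."""
        stale = [ip for ip, (_, t) in self._entries.items() if now - t > self.ttl]
        for ip in stale:
            del self._entries[ip]
        return len(stale)


def resolve_exchange():
    """The request/reply pair from the text: Y.Y.Y.Y asks who has X.X.X.X, X answers."""
    # Constructed addresses: Y.Y.Y.Y = 192.168.0.10, X.X.X.X = 192.168.0.1.
    request = build_arp(1, "aa:bb:cc:00:00:10", "192.168.0.10",
                        "00:00:00:00:00:00", "192.168.0.1")
    reply = build_arp(2, "aa:bb:cc:00:00:01", "192.168.0.1",
                      "aa:bb:cc:00:00:10", "192.168.0.10")
    cache = ArpCache(ttl=60.0)
    answer = parse_arp(reply)
    cache.learn(answer["sender_ip"], answer["sender_mac"], now=0.0)
    return parse_arp(request), answer, cache


if __name__ == "__main__":
    req, rep, cache = resolve_exchange()
    print(req["operation"], "who has", req["target_ip"], "tell", req["sender_ip"])
    print(rep["operation"], rep["sender_ip"], "is at", rep["sender_mac"])
    print("cached at t=30:", cache.lookup("192.168.0.1", now=30.0),
          "| at t=120:", cache.lookup("192.168.0.1", now=120.0))
```

The time value is passed in explicitly rather than read from the system clock so the expiry behaviour is reproducible; a real driver would use its own timer and would also hold "incomplete" entries for requests still awaiting a reply.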

Example of use of the Address Resolution Protocol (arp)


The figure below shows the use of arp when a computer tries to contact a remote computer on the same LAN (known as "sysa") using the "ping" program. It is assumed that no previous IP datagrams have been received from this computer, and therefore arp must first be used to identify the MAC address of the remote computer.

The arp request message ("who is X.X.X.X tell Y.Y.Y.Y", where X.X.X.X and Y.Y.Y.Y are IP addresses) is sent using the Ethernet broadcast address, and an Ethernet protocol type of value 0x806. Since it is broadcast, it is received by all systems in the same collision domain (LAN). This ensures that if the target of the query is connected to the network, it will receive a copy of the query. Only this system responds. The other systems discard the packet silently. The target system forms an arp response ("X.X.X.X is hh:hh:hh:hh:hh:hh", where hh:hh:hh:hh:hh:hh is the Ethernet source address of the computer with the IP address of X.X.X.X). This packet is unicast to the address of the computer sending the query (in this case Y.Y.Y.Y). Since the original request also included the hardware address (Ethernet source address) of the requesting computer, this is already known and doesn't require another arp message to find it out.

By merely injecting two ARP reply packets into a totally trusting LAN, any malicious computer is able to receive all traffic going back and forth between any two computers on the LAN such as any target machine and the LAN's gateway.

In normal operation the computers on the LAN use ARP protocol to acquire and memorize each other's NIC MAC address which they use for sending network data to each other.

But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.

This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.

What does this mean?


ARP Reply spoofing for the purpose of ARP Cache Poisoning allows any computer on the local area network to obtain one of the most dangerous and powerful attack postures in network security: the so-called "Man In The Middle" (MITM). The man in the middle is able to monitor, filter, modify and edit any and all traffic moving between the LAN's unsuspecting and inherently trusting computers. In fact, there is nothing to prevent it from filling every computer's ARP cache with entries pointing to it, thus allowing it to effectively become a master hub for all information moving throughout the network.
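The Python monitor below is an added example, not part of the original text, showing how a defender can spot the reply spoofing described above from a passive capture. It keeps its own view of IP-to-MAC bindings and raises an alert when a binding flips, when one MAC starts answering for several IPs, or when a pinned binding (such as the gateway's) is contradicted. The reply stream and all addresses in SAMPLE_REPLIES are constructed for the example; the class and function names are my own.

```python
from collections import defaultdict

# Constructed ARP reply stream, as a passive monitor on the LAN would see it after decoding:
# (seconds, IP the sender claims, MAC the sender claims). Addresses are made up.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway answers normally
    (2.0, "192.168.1.20", "00:11:22:33:44:20"),   # workstation answers normally
    (3.0, "192.168.1.20", "00:11:22:33:44:20"),   # repeat of a known binding: no alert
    (10.0, "192.168.1.1", "00:11:22:33:44:66"),   # a third NIC now claims the gateway's IP
    (10.0, "192.168.1.20", "00:11:22:33:44:66"),  # ...and the workstation's IP as well
]

# Bindings the operator knows and wants enforced (the gateway is the usual candidate;
# on hosts this is what a static ARP entry for the gateway achieves).
PINNED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


class ArpPoisonMonitor:
    """arpwatch-style detector: learns IP->MAC bindings from replies and flags changes."""

    def __init__(self, pinned=None, max_ips_per_mac=1):
        self.pinned = dict(pinned or {})
        # Routers and hosts with several addresses legitimately answer for more than one
        # IP; raise this threshold to match the LAN rather than alert on them.
        self.max_ips_per_mac = max_ips_per_mac
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []  # (time, kind, ip, mac)

    def observe_reply(self, t, ip, mac):
        """Record one ARP reply and return the alert kinds it triggered (empty if benign)."""
        kinds = []
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            kinds.append("pinned-mismatch")
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kinds.append("ip-mac-change")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            kinds.append("mac-claims-multiple-ips")
        for kind in kinds:
            self.alerts.append((t, kind, ip, mac))
        return kinds


def detect_poisoning(replies, pinned=None):
    """Run the monitor over a decoded reply stream and return every alert raised."""
    monitor = ArpPoisonMonitor(pinned=pinned)
    for t, ip, mac in replies:
        monitor.observe_reply(t, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for t, kind, ip, mac in detect_poisoning(SAMPLE_REPLIES, PINNED_BINDINGS):
        print(f"t={t:5.1f}  {kind:<24}  {ip:<14}  now claimed by {mac}")
```

In practice the reply tuples come from a capture feed (the parsed sender fields of every ARP reply seen on the segment), and the "pinned-mismatch" rule is the one worth paging on: a second MAC answering for the gateway is exactly the symptom of the attack the text describes, and a static ARP entry for the gateway on the host side stops the poisoned reply from being accepted at all.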

Internet "switches" offer no help


As you can see from the diagram above, the use of a standard Internet switch (as compared with a hub), which prevents passive monitoring and sniffing of the LAN's traffic by isolating the traffic of each computer from all others, is of no help in the face of active ARP cache poisoning since the LAN's traffic is being actively sent to the attacking computer.

The harsh reality of today's Ethernet LAN technology carrying IP traffic is that:

Anything can happen if you share a LAN with an untrusted computer.


In situations where only trusted users are connecting to a LAN, the threat to the integrity and privacy of any computer's data is negligible. But the prevalence and popularity of the Internet has spread the use of Ethernet LAN technology into many environments where unknown and inherently untrusted computers and users may be sharing a common local area network. For example, WiFi wireless networking technology uses Ethernet LAN technology for carrying its Internet IP traffic. Since the reception range of WiFi is generally out of the user's control, using WiFi is exactly like running a wire out of your network hub or switch out into the front yard with a big sign inviting any interested hackers to come by and plug in. You should now be able to clearly see just how dangerous this can be. Only if your WiFi network is strongly secured with WPA encryption can you be assured that no one can gain access to your traffic. Since WiFi's Ethernet packets are themselves encrypted by the network's encryption, ARP cache poisoning cannot be accomplished without knowing the encryption key. Another high-risk LAN environment for travelling road warriors is the increasingly common high-speed access offered by hotels. A hotel will typically have a single very large and very active Ethernet LAN. Such LANs will offer incredibly rich opportunities for ARP cache poisoning attackers. Only if your computer's network traffic is securely encrypted through the use of some sort of virtual private network or other encrypted tunneling technology would your use of public LANs be immune from exploitation of ARP cache poisoning.

Is the threat from ARP poisoning just theoretical, or can it be easily accomplished?

The intrinsic weakness of Ethernet LAN security is well known within the hacker community and many easy-to-use "point and click" tools have been developed and are in constant use by malicious hackers. Since many of these tools have recently migrated from the less common Linux and Unix platform to the ubiquitous Windows environment, their use is rapidly becoming more widespread. Here's text from the introductory description of a well known Windows tool set known as Cain & Abel v2.8.1:
"The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms."

Or this bit from the list of features added to Cain & Abel v2.8:
RDPv4 session sniffer for APR: "Cain can now perform man-in-the-middle attacks against the heavy encrypted [Windows] Remote Desktop Protocol (RDP), the one used to connect to the Terminal Server service of a remote Windows computer. The entire session from/to the client/server is decrypted and saved to a text file. Client-side key strokes are also decoded to provide some kind of password interception. The attack can be completely invisible because of the use of APR (Arp Poison Routing) and other protocol weakness."

As a work of reverse engineering and technology hacking, I tip my hat to Cain's author, who is clearly a talented software engineer in his own right. Just LOOK at the complete (and horrifying) Cain & Abel feature list and the online manual (javascript required). Unfortunately, impressive as this work is, the ready availability of these tools to malicious hackers who would never be able to create them for themselves opens up the exploitation of these inherent Ethernet LAN technology weaknesses to a much larger audience. But Cain & Abel is hardly alone in the field of ARP cache poisoning exploitation:

Arpoison: a simple and straightforward command-line utility which generates and sends spoofed ARP replies. The user simply specifies the source and destination IP and MAC addresses and the target's ARP cache will be poisoned with whatever information the user desires.

dsniff: an advanced password sniffing tool set which includes "arpspoof" and "dnsspoof" to allow man-in-the-middle (MITM) attacks against redirected SSH and HTTPS (secure web) sessions.

ettercap: quoting Ettercap's home page: "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis." Check out the Ettercap screen shots showing, among other things, it capturing eMail passwords passing over a LAN.

Parasite: Parasite supports traffic sniffing on switched networks by performing ARP man-in-the-middle spoofing. It supports target selection, denial of service (DOS) and a host of other features.

WinArpSpoofer: from the program's description: "WinArpSpoofer is a program to manipulate the ARP table of another computer on a LAN. Especially, by changing the ARP table of a router, this program can in effect pull all packets on the local area network. After pulling and collecting all packets, this has a function that can forward them to the router (gateway). If you run this program and any sniffer program, you can even get and see all user IDs/passwords on the switch network."

So . . . you get the idea.
The complete lack of Ethernet endpoint authentication, and the ease with which it can be exploited, continues to spawn an already large and growing number of easily written tools for compromising the security and privacy of local area networks. Once upon a time, when every machine on one's own local area network was known and trustworthy, this wasn't a huge problem. But here again the demand for features and convenience has outpaced any serious consideration of security and privacy.

Is there no hope for securing Ethernet LAN networks?

The complete lack of Ethernet LAN endpoint authentication is an obvious, critical, and glaring problem which has not been missed by the people who design and implement new networking standards. The "802.1X" and "802.11X" standards which provide for "Port Based Network Access Control" are emerging but not yet widely supported. Windows XP implements 802.1X for wired LAN environments, but since nothing that Windows is plugged into generally does, this solution is not yet readily available. And huge public LAN environments such as hotels will probably never be able to manage any sort of ad hoc secure authentication. Now and for the foreseeable future, the security and privacy of roaming users will remain their own individual responsibility.

The ANDing Process

We spent time determining the valid ranges of addresses on a given subnet for a reason. Recall from our earlier look at TCP/IP communication that when a host wishes to communicate with another host, it must first determine whether the destination is local (on the same subnet) or remote (on a different subnet). In cases where hosts are local, they can communicate directly. In cases where the destination host is on a different network, the packets must be sent to a router, which will then forward them along on their journey to the destination network. In order to determine whether a destination host is local or remote, a computer will perform a simple mathematical computation referred to as an AND operation. While the sending host does this operation internally, understanding what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host or to a router.

An AND operation is very simple: two binary digits are compared, and based on their combination, a resultant value is formed. It is neither adding nor subtracting, so do not consider it as such. In the simplest terms, there are only three possibilities when ANDing two binary digits (0 AND 1 and 1 AND 0 give the same result). The list below outlines these operations and their results.

0 AND 0 = 0
0 AND 1 = 0
1 AND 1 = 1

Notice that when the binary digits 1 and 1 are ANDed, the result is 1, and that any other combination produces a result of 0. The question now becomes how this is actually used. When a host wishes to figure out whether a destination host is local or remote, it goes through the following steps.

1. The host takes its own IP address and ANDs it with its own subnet mask, producing a result.
2. The host then takes the destination IP address and ANDs it with its own subnet mask, producing another result.
3. Finally, the host compares the two results. In cases where the ANDing results are identical, it means that the hosts reside on the same subnet. In cases where the results are different, it means that the destination host is remote.

Consider this example. Computer A has an IP address of 192.168.62.14 with a subnet mask of 255.255.248.0. It wishes to communicate with host 192.168.65.1. In order to determine whether this destination is local or remote, it will go through the ANDing process. Its IP address and subnet mask are lined up in binary, and then vertically compared to find the AND result. The same is then done for the destination address, again using the subnet mask of the source host. This is illustrated in the figure below.
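Here is the ANDing process in Python as an added worked example, not taken from the original text. It reproduces the figure's binary layout for Computer A's addresses (192.168.62.14, mask 255.255.248.0, destination 192.168.65.1) and generalises the same AND step into subnet-ID, usable-range and broadcast calculation for any address in CIDR form; the function names are this example's own.

```python
def dotted_to_int(addr):
    """'192.168.62.14' -> 32-bit integer, validating each octet."""
    octets = [int(p) for p in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr):
    """Dotted address as four 8-bit groups, the way the figure lines them up."""
    return ".".join(f"{int(p):08b}" for p in addr.split("."))


def and_address(addr, mask):
    """The ANDing step: bitwise AND of an address with a subnet mask (yields the subnet ID)."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def is_local(source_ip, source_mask, destination_ip):
    """Steps 1-3 from the text: AND both addresses with the *source's* mask and compare."""
    return and_address(source_ip, source_mask) == and_address(destination_ip, source_mask)


def prefix_to_mask(prefix):
    """/21 -> 255.255.248.0 (the CIDR form of the same mask)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def subnet_range(cidr):
    """Network ID, usable host range and broadcast for an address written as a.b.c.d/n."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = dotted_to_int(and_address(addr, mask))
    size = 1 << (32 - prefix)
    broadcast = network + size - 1
    if prefix >= 31:  # /31 and /32 have no separate network/broadcast addresses
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return {
        "mask": mask,
        "network": int_to_dotted(network),
        "first_host": int_to_dotted(first),
        "last_host": int_to_dotted(last),
        "broadcast": int_to_dotted(broadcast),
        "usable_hosts": usable,
    }


def show_anding(source_ip, source_mask, destination_ip):
    """Render the figure from the text: address and mask in binary, then the AND result."""
    lines = []
    for label, addr in (("source", source_ip), ("destination", destination_ip)):
        result = and_address(addr, source_mask)
        lines.append(f"{label:>12}: {to_binary(addr)}  ({addr})")
        lines.append(f"{'mask':>12}: {to_binary(source_mask)}  ({source_mask})")
        lines.append(f"{'AND':>12}: {to_binary(result)}  ({result})")
        lines.append("")
    if is_local(source_ip, source_mask, destination_ip):
        lines.append("destination is local (same subnet)")
    else:
        lines.append("destination is remote (send to the router)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Computer A from the text: 192.168.62.14 / 255.255.248.0 talking to 192.168.65.1
    print(show_anding("192.168.62.14", "255.255.248.0", "192.168.65.1"))
    print(subnet_range("192.168.62.14/21"))
```

Running it prints the two AND results 192.168.56.0 and 192.168.64.0 side by side with their binary forms, which is the comparison the host performs before deciding to hand the packet to its router.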

Notice that when the resulting AND values are converted back to decimal, it becomes clear that the two hosts are on different networks. Computer A is on subnet 192.168.56.0, while the destination host is on subnet 192.168.64.0, which means that Computer A will next be sending the data to a router. Without ANDing, determining local and remote hosts can be difficult. Once you're very familiar with subnetting and calculating ranges of addresses, recognizing local and remote hosts will become much more intuitive. Whenever you're in doubt as to whether hosts are local or remote, use the ANDing process. You should also notice that the ANDing process always produces the subnet ID of a given host.

Classless Inter-Domain Routing (CIDR)

What Is CIDR?
CIDR is a new addressing scheme for the Internet which allows for more efficient allocation of IP addresses than the old Class A, B, and C address scheme.

Why Do We Need CIDR?


With a new network being connected to the Internet every 30 minutes the Internet was faced with two critical problems:

- Running out of IP addresses
- Running out of capacity in the global routing tables

Running Out of IP Addresses

There is a maximum number of networks and hosts that can be assigned unique addresses using the Internet's 32-bit addresses. Traditionally, the Internet assigned "classes" of addresses; Class A, Class B and Class C were the most common. Each address had two parts: one part to identify a unique network and the second part to identify a unique host in that network. The class of an address could also be recognised from its first octet (the first 8 bits converted to decimal):

Address Class   Network Bits   Host Bits   First Octet (decimal)
Class A         8 bits         24 bits     1-126
Class B         16 bits        16 bits     128-191
Class C         24 bits        8 bits      192-223

(127 is missing from the Class A range because 127.0.0.0/8 is reserved for loopback.)

Using the old Class A, B, and C addressing scheme the Internet could support the following:

- 126 Class A networks that could include up to 16,777,214 hosts each, plus
- 65,000 Class B networks that could include up to 65,534 hosts each, plus
- over 2 million Class C networks that could include up to 254 hosts each

(Some addresses are reserved for broadcast messages, etc.) Because Internet addresses were generally only assigned in these three sizes, a lot of addresses were wasted. For example, if you needed 100 addresses you would be assigned the smallest block (a Class C), but that still meant 154 unused addresses. The overall result was that while the Internet was running out of unassigned addresses, only 3% of the assigned addresses were actually being used. CIDR was developed to be a much more efficient method of assigning addresses.

Global Routing Tables At Capacity

A related problem was the sheer size of the Internet's global routing tables. As the number of networks on the Internet increased, so did the number of routes. It was forecast that the global backbone Internet routers were fast approaching their limit on the number of routes they could support: with the router technology of the day, the maximum routing table size was approximately 60,000 entries, and if nothing was done the global routing tables would have reached capacity by mid-1994 and all Internet growth would have halted. (These figures date from the early 1990s; the IPv4 global routing table now holds hundreds of thousands of entries, which is why route aggregation still matters.)

How Were These Problems Solved?

Two solutions were developed and adopted by the global Internet community:

- Restructuring IP address assignments to increase efficiency
- Hierarchical routing aggregation to minimize route table entries

Restructuring IP Address Assignments

Classless Inter-Domain Routing (CIDR) replaces the old process of assigning Class A, B and C addresses with a generalized network "prefix". Instead of being limited to network identifiers (prefixes) of 8, 16 or 24 bits, a CIDR prefix can be any length; at the time this was written, allocations used prefixes anywhere from 13 to 27 bits. Thus blocks of addresses can be assigned to networks as small as 32 addresses or as large as over 500,000, so that address assignments much more closely fit an organization's specific needs.

A CIDR address includes the standard 32-bit IP address and also information on how many bits are used for the network prefix. For example, in the CIDR address 206.13.1.48/25, the "/25" indicates that the first 25 bits identify the network, leaving the remaining 7 bits to identify the specific host. The table below gives the block sizes; the address counts include the network and broadcast addresses, so the number of usable hosts is two fewer (30 for a /27, 254 for a /24).

CIDR Block Prefix   Equivalent Class C            # of Addresses
/27                 1/8th of a Class C            32
/26                 1/4th of a Class C            64
/25                 1/2 of a Class C              128
/24                 1 Class C                     256
/23                 2 Class C                     512
/22                 4 Class C                     1,024
/21                 8 Class C                     2,048
/20                 16 Class C                    4,096
/19                 32 Class C                    8,192
/18                 64 Class C                    16,384
/17                 128 Class C                   32,768
/16                 256 Class C (= 1 Class B)     65,536
/15                 512 Class C                   131,072
/14                 1,024 Class C                 262,144
/13                 2,048 Class C                 524,288
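A CIDR calculator as an added example (my code, not from the original page), worked against the two exercises in the question list: the host range of 192.115.103.64/27, and how to carve 131.112.0.0 into networks of at least 500 hosts. It uses only Python's standard ipaddress module; the function names are my own.

```python
"""CIDR / subnet calculator (added example; not from the original page)."""
import ipaddress
import math


def cidr_range(cidr: str) -> dict:
    """Network ID, mask, broadcast and usable host range for a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address too
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no conventional host range")
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,         # minus network and broadcast
    }


def prefix_for_hosts(hosts_needed: int) -> int:
    """Longest prefix whose block still holds hosts_needed usable addresses."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    host_bits = math.ceil(math.log2(hosts_needed + 2))  # +2 for network and broadcast
    if host_bits > 32:
        raise ValueError("more hosts than IPv4 can address")
    return 32 - host_bits


def split_for_hosts(base: str, hosts_needed: int) -> dict:
    """How many equal subnets of the required size fit inside the base network."""
    base_net = ipaddress.ip_network(base, strict=False)
    new_prefix = prefix_for_hosts(hosts_needed)
    if new_prefix < base_net.prefixlen:
        raise ValueError("base network is too small for even one such subnet")
    subnets = list(base_net.subnets(new_prefix=new_prefix))
    return {
        "prefix": new_prefix,
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask),
        "subnet_count": len(subnets),
        "usable_per_subnet": 2 ** (32 - new_prefix) - 2,
        "first_subnet": str(subnets[0]),
        "last_subnet": str(subnets[-1]),
    }


def class_c_equivalent(prefix: int) -> float:
    """The 'equivalent Class C' column of the table: a /24 is one Class C."""
    return 2.0 ** (24 - prefix)


if __name__ == "__main__":
    print(cidr_range("192.115.103.64/27"))
    print(split_for_hosts("131.112.0.0/16", 500))
    for p in range(27, 12, -1):
        print(f"/{p:<3} {class_c_equivalent(p):>8g} Class C  {2 ** (32 - p):>8,} addresses")
```

For the second exercise the answer falls out of prefix_for_hosts: 500 hosts need 9 host bits (2^9 - 2 = 510 usable), so the mask is /23 (255.255.254.0), and a /16 holds 2^(23-16) = 128 such networks.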

Hierarchical Routing Aggregation To Minimize Routing Table Entries

The CIDR addressing scheme also enables "route aggregation", in which a single high-level route entry can represent many lower-level routes in the global routing tables. The scheme is similar to the telephone network, which is set up as a hierarchy. A high-level backbone node only looks at the area code and routes the call to the backbone node responsible for that area code. The receiving node then looks at the phone number prefix and routes the call to its subtending node responsible for that prefix, and so on. The backbone nodes only need routing table entries for area codes, each representing huge blocks of individual telephone numbers, not for every unique telephone number.

Big blocks of addresses are assigned to the large Internet Service Providers (ISPs), who then re-allocate portions of their address blocks to their customers. For example, Pacific Bell Internet was assigned a CIDR address block with a prefix of /15 (equivalent to 512 Class C addresses, or 131,072 host addresses) and typically assigned its customers CIDR addresses with prefixes ranging from /27 to /19. These customers, who may be smaller ISPs themselves, in turn re-allocate portions of their address block to their users and/or customers. However, in the global routing tables all these different networks and hosts can be represented by the single Pacific Bell Internet route entry. In this way, the growth in the number of routing table entries at each level in the network hierarchy has been significantly reduced. At the time this was written, the global routing tables had approximately 35,000 entries.

User Impacts
The Internet is currently a mixture of both "CIDR-ized" addresses and old Class A, B and C addresses. Almost all new routers support CIDR and the Internet authorities strongly encourage all users to implement the CIDR addressing scheme. (We recommend that any new router you purchase should support CIDR.) The conversion to the CIDR addressing scheme and route aggregation has two major user impacts:

- Justifying IP address assignments
- Where to get address assignments

Justifying IP Address Assignments

Even with the introduction of CIDR, the Internet is growing so fast that address assignments must continue to be treated as a scarce resource. As such, customers are required to document, in detail, their projected needs. Users may be required from time to time to document their internal address assignments, particularly when requesting additional addresses. The Internet guideline at the time was to assign addresses based on an organization's projected three-month requirement, with additional addresses assigned as needed.

Where To Get Address Assignments

In the past, you would get a Class A, B or C address assignment directly from the appropriate Internet Registry (i.e., the InterNIC). Under this scenario, you "owned" the address and could take it with you even if you changed Internet Service Providers (ISPs). With the introduction of CIDR address assignments and route aggregation, with a few exceptions, the recommended source for address assignments is your ISP. Under this scenario, you are only "renting" the address, and if you change ISPs it is strongly recommended that you get a new address block from your new ISP and renumber all of your network devices. While this can be a time-consuming task, it is critical for your address block to be aggregated into your ISP's larger block and routed under their network address. There are still significant global routing table issues, and the smaller your network is, the greater your risk of being dropped from the global routing tables: when this was written, networks smaller than 8,192 addresses (a /19) were very likely to be filtered, and today the longest prefix generally accepted into the global table is a /24. Neither the InterNIC nor other ISPs have control over an individual ISP's decisions on how to manage its routing tables. As an alternative to physically renumbering each network device, some organizations use network address translation (NAT) or proxy servers to translate old network addresses to their new ones. Users should be cautioned to carefully consider all the potential impacts before using this type of solution.

Network Monitoring Platforms (NMPs)

- AdventNet Web NMS
- Airwave Management Platform (AMP): wireless network management software that provides centralized control for Wi-Fi networks. Features include access point configuration management, reporting, user tracking, help desk views, and rogue AP discovery.
- akk@da: a simple network monitoring system designed for small and medium-size computer networks. Its purpose is to quickly detect system or network faults and display information about detected problems for administrators. akk@da is designed as a pro-active network monitor: it does not wait for information from agents or systems but collects information every minute (the period can be reduced to 1 second). Almost all services of the monitored hosts are discovered automatically.
- Andrisoft WANGuard Platform: WAN link monitoring, DDoS detection and mitigation, traffic accounting and graphing.
- Axence nVision: monitors network infrastructure (Windows, TCP/IP services, web and mail servers, URLs, applications such as MS Exchange and SQL). It also monitors routers and switches: network traffic, interface status, connected computers. nVision collects network inventory and audits license usage; it can alert on program installation or any configuration change on a remote node. With the agent you can monitor user activity and access computers remotely.
- Castle Rock
- CITTIO WatchTower: an automated network and systems monitoring platform. It automatically discovers, configures, thresholds, and monitors IP-enabled devices from servers and switches to security cameras and HVAC.
- CommandCenter NOC from Raritan: polling, Windows and UNIX/Linux server management, intrusion detection, vulnerability scanning, and traffic analysis in an integrated appliance.
- Cymphonix Network Composer: monitors Internet traffic by user, application, and threat. Includes controls to shape access to Internet resources by user, group, and/or time of day, plus anonymous proxy blocking, policy management, and real-time monitoring.
- David system: lets you manage your resources and services through both intranet and Internet. Provides auto-discovery and network topology building to keep an intuitive view of your IT infrastructure. Real-time monitoring and access to historical data enable reaction to failures. Configured interfaces for monitored devices let you focus on the most important aspects of their work.
- dopplerVUe: network discovery, mapping and a rules system that enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. Can monitor IPv6 devices and services such as DNS, HTTP and email.
- EM7 from ScienceLogic: an NMS integrated with trouble-ticketing, event management, reporting, IP management, DNS and monitoring.
- Fidelia: also has the Helix entry-level tool for small enterprises.
- FreeNATS: an open-source network monitoring, alerting and reporting system available as PHP source and as a virtual appliance.
- Intellipool Network Monitor: monitoring, notification, and reporting, including agentless monitoring of Windows, Unix, Linux, and BSD. It also includes distributed testing, which makes it possible to monitor servers, routers and other network-connected equipment that are behind a firewall or only accessible through a VPN.
- InterMapper: network monitoring and alerting software for Mac, Windows, Linux, and Solaris.
- ipMonitor: lets network administrators, webmasters, and Internet service providers monitor any networked device on the Internet, a corporate intranet, or a TCP/IP LAN and receive alerts immediately via audible alarm, message, e-mail, or third-party software when a connection fails. A personal monitoring product aimed at low cost, simplicity of operation, and round-the-clock coverage.
- Just For Fun Network Monitoring System (JFFNMS): free, designed to maintain an IP SNMP / syslog / TACACS+ network. It can monitor any standards-compliant SNMP device, server, TCP port or custom poller, and has some Cisco-oriented features.
- Klogie: a commercial remote network monitoring system designed for ease of use.
- LANsurveyor: network and desktop management software providing automatic network maps, asset management reports, network monitoring, remote administration and distribution.
- LITHIUM|Core: an integrated device and service monitoring platform with a tightly coupled incident tracking and case management system; it has a web-based interface as well as Windows XP/Vista and Mac OS X monitoring consoles.
- Little:eye: management of enterprise IT infrastructure covering fault, performance, inventory and configuration.
- LogisoftAR: an NMP running under Windows providing device discovery, mapping, fault management (using SNMP traps and syslog) and performance management. Reporting is provided as HTML pages.
- MoniTiL: continuously monitors applications, services, networks and events using WMI, SNMP, web, TCP and ping.
- Monitoring Genie: a large-scale data collection and monitoring platform built for telcos and large service providers, able to monitor multiple parameters on hundreds of thousands of nodes in very short cycles of about a minute using multiple protocols (ICMP, SNMP, SQL, HTTP, Telnet, SSH, WMI, registry, open ports, ...). It can perform actions based on monitoring status changes using conditions and correlation rules. The platform comes with a built-in reporting system and pre-made reports, can be extended to monitor any parameter in the supported protocols, and can work as a stand-alone product or connect to existing management platforms (HP OpenView, Tivoli, Micromuse, Unicenter, etc.).
- Monolith: a commercial syslog, trap and NT event log aggregator.
- Netcool: a suite of five product families that support domain-specific IT management, end-to-end consolidated operations and business service management.
- NetQoS Performance Center: monitors and provides insight into end-to-end performance, traffic analysis, VoIP quality, and device performance.
- N-vision: availability, performance, security and service management for multiple customers from one central web console.
- NetCrunch from AdRem: visualization of physical network topology; flexible performance monitoring, trending and reporting; event filtering and escalation; SNMP management; web access.
- NetMechanica: low-cost network management services.
- Netview
- NimBUS for Network Monitoring: verifies network connectivity to devices (routers, switches, servers, etc.) and application services (FTP, SMTP, HTTP, etc.), revealing accessibility and network latency. Auto-discovers network interfaces, monitors interface traffic and calculates bandwidth utilization. Uses SNMP; where SNMP is not available, syslog can be used.
- Opr Monitor: active monitoring of the IT infrastructure (hardware, traffic and services), including servers, routers and printers and services such as mail, web servers and anti-virus programs. Based on Nagios.
- OpenNMS
- OpenView
- Pandetix MSOware: a web-based service for monitoring, managing, reporting and notification of events for IP-enabled devices. A free trial version is available.
- Pandora FMS (the Free Monitoring System): a free software set of programs under the GPL that monitors network systems using remote tests (ICMP, TCP sweep, network scan, SNMP monitoring, ...) or local agents to gather application/system data (agents for Linux, AIX, HP-UX, Solaris and Windows XP/2000/2003). Pandora FMS can fire alarms, draw graphs and keep an event history for each element using a SQL backend.
- SecureMyCompany: hosted, on-demand network and systems management software for a low monthly fee, with SNMP, WMI, event log and many more monitoring features.
- ServersCheck: a web-based tool for monitoring networks and servers (including environmental readings such as temperature).
- Smarts from EMC: an automated root-cause tool with topology views of the network infrastructure, applications and the business layer.
- SolarWinds Orion Network Performance Monitor: monitors and collects data from routers, switches, servers, and any other SNMP-enabled devices, plus CPU load, memory utilization, and available disk space. Orion NPM is highly scalable, capable of monitoring from 10 to over 10,000 nodes.
- Spectrum (ex Cabletron, then Aprisma, then Concord Communications, then CA): a network tool specialized in fault management with a root-cause analysis engine; helps optimize MTTR and MTBF. The tool is modular and can also monitor/manage QoS, MPLS/VPN, multicast networks and device configurations.
- StableNet PME: a carrier-grade performance management tool built on open standards. Supports active (ping, SAA) and passive (SNMP, RMON, NetFlow, sFlow) measurements, with integrated topology/inventory, SLA/SLM and reporting.
- Sun Solstice
- SwitchMonitor from NetLatency: a network performance monitoring system that runs on Windows and monitors network devices for utilization and errors using SNMP.
- SysOrb: monitors both network equipment and servers/applications via a web interface. Monitoring is done with agents and IP and SNMP polling. SysOrb comes with an embedded database for statistics, an alert notification module, a report generator, etc.
- SysUpTime: a free distributed network/systems management product providing out-of-the-box capabilities to efficiently and proactively manage networks of any size.
- Tembria Server Monitor: an affordable server monitoring platform with deep support for Windows server monitoring plus support for Linux and SNMP devices.
- VitalNet from Lucent: on-demand access to data to track, analyze, manage and predict problems, improve capacity utilization and meet service quality commitments. Provides web-based graphical visibility into wireless or wireline multi-vendor networks for DSL, VPN, IP Centrex, streaming video, GigE and diverse 3G wireless services.
- WhatsUp Gold: a simple network monitoring tool that detects unavailable services, sends alarms to pagers and produces a web page of color-coded alerts.

How can I trace the path?

There is really only one good way to trace the path of a packet, and that is to trick each router on the path into thinking it needs to tell the sender there was an error. The usual method is to send probes to the target host's IP address with an incrementing Time to Live (TTL) value in the IP header. The TTL tells routers how many more times the packet may be forwarded before it must be discarded. Every router is one hop, and every hop decrements the TTL by one. When the TTL reaches 0, the router holding the packet discards it and sends an ICMP Time Exceeded message (ICMP type 11) back to the sender, telling it that the packet timed out and did not reach the destination. Some routers are not courteous enough to respond with the ICMP message, or a firewall on the path drops it; these show up as black holes, because packets go in but nothing comes out, and the trace prints "*" for that hop. To discover every router a packet passes through, and therefore the hop count, you send probes with a TTL of 1, then 2, and so on up to N, the TTL at which the probe finally reaches the target; each expiring probe identifies one router by the source address of its ICMP reply. This process is called a trace route. The Windows tracert.exe that most network administrators know does exactly this, using ICMP Echo Request probes and stopping when the target answers with an Echo Reply; Unix traceroute does the same with UDP probes to a high port by default and stops when the target sends ICMP Port Unreachable. Developers can add this functionality to their programs using an ActiveX control called TraceRoute Wizard.
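The incrementing-TTL algorithm, as an added example (my code, not from the page or from Windows tracert). A real trace needs raw sockets and Administrator/root rights, so this models the mechanism on a constructed path instead: each hop decrements the TTL, the hop that expires it answers with ICMP Time Exceeded, and one hop is a black hole that silently drops expired probes. The router addresses are made up from private and documentation ranges.

```python
"""Traceroute algorithm over a simulated path (added example, not from the page).

Models: TTL decrement per hop, ICMP Time Exceeded from the expiring router,
a black-hole router that never answers, and the target's own reply.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    address: str
    silent: bool = False   # black hole: decrements and discards, but sends no ICMP


# Constructed path from the probing host to the target, in forwarding order.
PATH = [
    Hop("10.0.0.1"),
    Hop("172.16.4.9"),
    Hop("198.51.100.7", silent=True),   # the "*" hop
    Hop("203.0.113.2"),
]
TARGET = "192.0.2.10"


def send_probe(ttl: int, path: List[Hop] = PATH, target: str = TARGET) -> Optional[str]:
    """Forward one probe along the path and return who answered:
    the router whose decrement took the TTL to 0 (ICMP Time Exceeded, type 11),
    the target itself if the probe survived every hop, or None if nobody replied."""
    if ttl < 1:
        raise ValueError("TTL must be at least 1")
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return None if hop.silent else hop.address
    return target


def traceroute(max_hops: int = 30, path: List[Hop] = PATH,
               target: str = TARGET) -> List[Tuple[int, str]]:
    """Probe with TTL 1, 2, 3, ... until the target answers or max_hops is hit.
    A hop with no reply is recorded as '*', exactly as tracert prints it."""
    result = []
    for ttl in range(1, max_hops + 1):
        replier = send_probe(ttl, path, target)
        result.append((ttl, replier if replier is not None else "*"))
        if replier == target:
            break
    return result


if __name__ == "__main__":
    for ttl, who in traceroute():
        print(f"{ttl:>2}  {who}")
```

The same loop is what tracert runs; the only things the simulation leaves out are the three probes per TTL used to measure round-trip time and the timeout that decides when a hop is declared silent.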
DHCP Messaging

DHCP messaging has been covered in many different publications and online documents, so much of the following information may not be new to you. However, we include it for the sake of completeness. For further information, see the Microsoft Windows NT Server Networking Guide.

To obtain, renew, rebind, and release an IP address from a Microsoft DHCP server, a client and server exchange the following messages (the frame sizes quoted are for the NT 4.0 clients and servers the original text describes):

1. DHCP Discover. When the client starts for the first time as a DHCP/TCP/IP client, it broadcasts a dhcpdiscover frame of either 342 or 590 bytes. The frame includes:
- the Ethernet header (destination MAC FF:FF:FF:FF:FF:FF, the link-layer broadcast address)
- the IP header (source address 0.0.0.0 and destination address 255.255.255.255)
- the UDP header (source port 68, the DHCP client port, and destination port 67, the DHCP server port)
- the DHCP discover packet components (Client Identifier, MAC address, and host name), in case the server has a reserved address for the client

The client initially sends four dhcpdiscover messages. If it doesn't receive a response from a DHCP server, it retries every five minutes until it is successful.

2. DHCP Offer. When the server receives the dhcpdiscover message, it responds with a dhcpoffer message of 342 bytes. The frame includes:
- the Ethernet header (the MAC address of the client)
- the IP header (the source address of the DHCP server and destination address 255.255.255.255)
- the UDP header
- the DHCP offer packet components (the proposed client address, proposed lease and renewal periods, and the DHCP server IP address)

The effect of the DHCP offer is to tell the client the proposed address and lease period. Because the client doesn't yet have an IP address, the server has no choice but to broadcast the message at the IP layer, even though it can address the Ethernet frame to the client's MAC.

3. DHCP Request. When the client receives the dhcpoffer message, it examines the parameters and, if they are suitable, sends out a dhcprequest of either 342 or 590 bytes. The frame includes:
- the Ethernet header (broadcast)
- the IP header (source address 0.0.0.0 and destination address 255.255.255.255)
- the UDP header
- the DHCP request packet components (the requested address and the server identifier, that is, the IP address of the server whose offer it is accepting)

The effect of the DHCP request is to ask a specific server for an IP address; because it is broadcast, it also tells all other servers that the client has chosen, so they can withdraw their offers. According to the DHCP standard, the client may accept only part of the offer, for example the IP address but not the renewal time. Our experiments have never demonstrated this capability on Microsoft clients, although some Unix workstations have demonstrated it. Typically, you should consider using Microsoft DHCP servers primarily for Windows clients.

4. DHCP Acknowledgment. After the server receives the dhcprequest, it responds with a dhcpack message of 342 bytes that includes:
- the Ethernet header (the broadcast address)
- the IP header (the source address of the DHCP server and a broadcast destination address)
- the UDP header
- the DHCP acknowledgment packet components (the client IP address, options, the lease time, and the renewal (T1) and rebinding (T2) times)

5. DHCP Decline. After receiving the lease in the dhcpack, NT 4.0 clients with Service Pack 2 or later broadcast an ARP request for the address they were just given, to see whether another host is already using it. If another host answers, the client sends a dhcpdecline message to the server, and the server flags this IP address as bad. The server then offers the next IP address in its scope, and steps 2 to 5 are repeated. The dhcpdecline message may not be recognized by non-Microsoft DHCP servers. See "Errors in DHCP and How to Correct Them" later in this chapter for more information. The server can also be configured to check for conflicts itself before offering an address; to enable conflict detection from the DHCP Manager, select the server, click Properties, and check the selection.

Special Note: The following messages are sent from a DHCP server to a DHCP client:

- dhcpack: DHCP acknowledgment (Yes)
- dhcpnack: DHCP negative acknowledgment (No)
- dhcpoffer: offer of a DHCP address

Typically, you see dhcpnack messages if the DHCP server is asked to provide an IP address that doesn't belong to its scope on that particular interface. This situation occurs most often when a computer is moved to a different subnetwork. If a different DHCP server is providing IP addresses to the client, it issues a dhcpnack when it receives the moved client's request for a renewal, because the IP address requested by the client is outside its scope. The client then starts over with a dhcpdiscover message and finally gets a valid IP address for that network. To see the messages sent from server to client and vice versa, check the System log in the Event Viewer under Administrative Tools for NT 4.0.

DHCP may behave strangely under certain circumstances. Let's say you have a multihomed server with two network cards and two scopes that belong to two different subnetworks. A client may always have used one of the interfaces to get an IP address that belongs to that network. If that client is connected to the network to which the second interface belongs, you will see the server issue dhcpnack messages. The only solution we have found for this problem is to manually reserve an IP address in the second scope and provide it to the client. Once the client has an address that belongs to the second scope, it is possible to release the IP address and get another address by dynamic configuration.

When the client has a valid IP address and half of the lease time has expired (T1), the client enters the renewing state, in which it sends a directed (unicast, not broadcast) dhcprequest message to the server that granted the lease. If the IP address is still valid, the server responds with a dhcpack message as in step 4. If the request fails (the server sends a dhcpnack, a negative acknowledgment), the client makes one more attempt. If unsuccessful, the client sends dhcprequest messages every two minutes until 87.5 percent of the lease time has expired (T2); it then enters the rebinding state and broadcasts dhcprequest messages so that any DHCP server can extend the lease, and keeps doing so until the lease expires. If the lease expires before the client receives a successful acknowledgment, the client releases the IP address and, on NT 4.0, the TCP/IP protocol is disabled. (Windows 98, Windows 2000 and later clients instead fall back to an APIPA address in 169.254.0.0/16 and keep retrying DHCP.)
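The Discover/Offer/Request/Ack exchange from steps 1 to 4, the dhcpnack case for a moved client, and the T1/T2 renewal timers, as one added example (my code, not from the original text and not Microsoft's implementation). The message layout follows RFC 2131: a fixed 236-byte header, the magic cookie, then type-length-value options; only the fields and options discussed above are handled. The addresses, MAC addresses, scope and transaction ID are constructed, and the class and function names are my own.

```python
"""DHCP message encoding and a DORA exchange (added example, not from the page)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 option cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                # op..file: 236 bytes
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK = 1, 2, 3, 4, 5, 6   # option 53 values
BOOTREQUEST, BOOTREPLY = 1, 2                     # the 'op' field


def packed(ip):
    """Dotted-quad string to 4 raw bytes (used for options 50 and 54)."""
    return ipaddress.ip_address(ip).packed


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Serialise one DHCP message. The flags word sets the broadcast bit,
    as a client with no address yet would."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,     # htype 1 = Ethernet, hlen 6
                      b"\0" * 4, packed(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])                          # option 53: message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + b"\xff"                      # option 255: end


def parse(raw):
    """Decode the header fields and options this example needs."""
    f = struct.unpack(HDR, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while raw[i] != 255:
        if raw[i] == 0:                                      # option 0: pad
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.ip_address(f[8])),
            "mac": f[11][:6].hex(":"), "type": opts[53][0], "options": opts}


class Server:
    """A server with a single scope bound to one interface."""
    def __init__(self, ip, scope, lease=86400):
        self.ip, self.scope, self.lease = ip, ipaddress.ip_network(scope), lease
        self.free = [h for h in self.scope.hosts() if str(h) != ip]

    def reply(self, msg, msg_type, yiaddr="0.0.0.0"):
        opts = [(54, packed(self.ip))]                       # option 54: server identifier
        if msg_type != NAK:                                  # a NAK carries no lease time
            opts.append((51, struct.pack("!I", self.lease)))   # option 51: lease seconds
        return build(BOOTREPLY, msg["xid"], msg["mac"], msg_type, yiaddr, opts)

    def handle(self, raw):
        msg = parse(raw)
        if msg["type"] == DISCOVER and self.free:
            return self.reply(msg, OFFER, str(self.free[0]))
        if msg["type"] == REQUEST:
            # Option 50 carries the requested address at initial lease time; a
            # renewing client puts its address in ciaddr instead (not modelled).
            wanted = ipaddress.ip_address(msg["options"][50])
            if wanted not in self.scope:
                # The moved-client case: the address it asks for belongs to some
                # other subnet, so this server answers with a negative acknowledgment.
                return self.reply(msg, NAK)
            if wanted in self.free:
                self.free.remove(wanted)
            return self.reply(msg, ACK, str(wanted))
        return None


def renewal_times(lease_seconds):
    """T1 (renew by unicast) at 50% of the lease, T2 (rebind by broadcast) at 87.5%."""
    return lease_seconds * 0.5, lease_seconds * 0.875


def dora(server, mac, xid=0x3903F326):
    """Client side of Discover/Offer/Request/Ack; returns (ack type, leased address)."""
    offer = parse(server.handle(build(BOOTREQUEST, xid, mac, DISCOVER)))
    request = build(BOOTREQUEST, xid, mac, REQUEST, options=[
        (50, packed(offer["yiaddr"])),          # option 50: requested address
        (54, offer["options"][54]),             # option 54: the server whose offer we take
    ])
    ack = parse(server.handle(request))
    return ack["type"], ack["yiaddr"]


if __name__ == "__main__":
    srv = Server("192.168.1.1", "192.168.1.0/24")
    print("lease:", dora(srv, "00:11:22:33:44:55"))
    moved = build(BOOTREQUEST, 7, "00:11:22:33:44:55", REQUEST, options=[(50, packed("10.0.0.9"))])
    print("moved client gets message type", parse(srv.handle(moved))["type"], "(6 = NAK)")
    print("T1/T2 for a one-day lease:", renewal_times(86400))
```

Nothing here is authenticated: any host on the segment can answer a dhcpdiscover, which is why rogue DHCP servers work and why DHCP snooping on switches exists. The server identifier in option 54 is what lets the other servers recognise that their offer was not chosen.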
Special Note: The Address Resolution Protocol (ARP) is used on IPv4 networks to find the physical (MAC) address of a network card given its IP address. Even though both Unix and NT implement ARP as specified in RFC 826, the two systems differ in what they will answer for. NT answers ARP requests only for its own IP addresses; its ARP cache is for its own use, and it never advertises entries on behalf of other hosts. On Unix systems, it is possible to use a command like arp -s ip-address mac-address pub to publish a static entry, so that the host answers ARP requests for that IP address with the given MAC address (proxy ARP) and other hosts keep it in their caches. NT does not operate this way, so it is not possible to get NT to respond to ARP broadcasts with a MAC address that does not belong to itself. This situation is both good and bad: good because an NT host cannot be turned into a proxy for someone else's address (note that this does nothing to stop another machine on the segment from sending forged ARP replies, which is what ARP cache poisoning is), and bad because if you plan to use NT as a firewall, you can't implement network address translation with proxy ARP without additional software and configuration.
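The difference described above, as an added example (my code, not from the page): an ARP request/reply encoder and parser per RFC 826, and a host that answers for its own address and, if it has published entries in the style of arp -s ... pub, for those too. A host without published entries behaves like the NT case. The MAC and IP addresses are constructed, and the Host class and its method names are my own.

```python
"""ARP request/reply handling with published (proxy) entries (added example)."""
import struct

REQUEST, REPLY = 1, 2
FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_b(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_s(b: bytes) -> str:
    return b.hex(":")


def ip_s(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP body (the Ethernet frame header is not included)."""
    return struct.pack(FMT, 1, 0x0800, 6, 4, oper,
                       mac_b(sha), ip_b(spa), mac_b(tha), ip_b(tpa))


def parse_arp(raw: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper, "sha": mac_s(sha), "spa": ip_s(spa),
            "tha": mac_s(tha), "tpa": ip_s(tpa)}


class Host:
    """A host's ARP responder and cache. 'published' maps IP -> MAC for
    addresses this host will answer for on behalf of others (proxy ARP)."""
    def __init__(self, ip: str, mac: str, published=None):
        self.ip, self.mac = ip, mac
        self.published = dict(published or {})
        self.cache = {}                       # ip -> mac learned from replies

    def on_arp(self, raw: bytes):
        """Returns a reply to send, or None if the host stays silent."""
        msg = parse_arp(raw)
        if msg["oper"] == REPLY:
            # Classic ARP accepts any reply with no check at all; a forged
            # reply overwrites the entry, which is what cache poisoning abuses.
            self.cache[msg["spa"]] = msg["sha"]
            return None
        if msg["tpa"] == self.ip:
            answer_mac = self.mac                           # our own address
        elif msg["tpa"] in self.published:
            answer_mac = self.published[msg["tpa"]]         # proxy ARP (Unix 'pub')
        else:
            return None                                     # NT-style: only itself
        return build_arp(REPLY, answer_mac, msg["tpa"], msg["sha"], msg["spa"])


if __name__ == "__main__":
    unix = Host("10.0.0.5", "aa:bb:cc:dd:ee:05", published={"10.0.0.9": "aa:bb:cc:dd:ee:09"})
    nt = Host("10.0.0.6", "aa:bb:cc:dd:ee:06")
    who_has_9 = build_arp(REQUEST, "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.9")
    print("unix answers:", parse_arp(unix.on_arp(who_has_9)))
    print("nt answers:", nt.on_arp(who_has_9))
```

The on_arp cache update is deliberately the unverified behaviour of plain ARP; static entries (arp -s without pub) or dynamic ARP inspection on the switch are the usual countermeasures.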

Describe the importance of DNS to AD?

When Microsoft began development on Active Directory, full compatibility with the Domain Name System (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that AD cannot function without it: clients locate domain controllers, and the Kerberos and LDAP services on them, through DNS SRV records. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-integrated DNS zones, which greatly ease the administration required for DNS environments (the zone data is replicated with AD itself, and dynamic updates can be restricted to secure, authenticated ones). In addition, Active Directory can adapt to a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher, since it needs support for SRV records and dynamic update (RFC 2136) so that domain controllers can register themselves.
