Friday, February 4, 2011

REVISED CCNA COURSE CONTENTS

INTERCONNECTING CISCO NETWORK DEVICES

INTRODUCTION

Course Acronym: ICND (640-801)
Course Duration: 40 Hours

Course Content:

· Concepts and commands required to configure Cisco switches and multiprotocol internetworks.
· Demonstrations, exercises, and laboratory projects to identify and recommend the best Cisco solutions.
· Basic configuration procedures to build a multirouter, multigroup internetwork that uses LAN and WAN interfaces for the most commonly used routing and routed protocols.
· Installation, configuration, and troubleshooting information that technical support staff require to install and configure Cisco products.

Who Should Attend:

· Network administrators responsible for implementing and managing small and medium business networks.
· Customers or channel sellers new to Cisco products or to the internetworking industry.
· Network support staff who will act as network device installers and first-line support.
· Network technicians new to Cisco products and services.
· CCNA candidates
· CCNP candidates

Content by Module:

· Module 1: Getting Started with Cisco Networks
  Chapter 1: Course Introduction
  Chapter 2: Selecting Cisco Network Devices
  Chapter 3: Assembling and Cabling Cisco Network Devices
  Chapter 4: Operating and Configuring Cisco IOS Devices
  Chapter 5: Managing Your Network Environment
· Module 2: Interconnecting Cisco Switches
  Chapter 6: Catalyst Switch Operations
  Chapter 7: Extending Switch Functionality
· Module 3: Interconnecting Cisco Routers
  Chapter 8: Configuring IP Addressing
  Chapter 9: Adding Basic IP Routing Protocols
  Chapter 10: Basic IP Traffic Management with Access Lists
  Chapter 11: Configuring Novell IPX
· Module 4: Extending the Network to WAN
  Chapter 12: Establishing Serial Point-to-Point Connections
  Chapter 13: Completing an ISDN BRI Call
  Chapter 14: Establishing a Frame Relay PVC Connection
· Module 5: Solving Network Problems
  Chapter 15: Solving Basic Network Problems

REVISED CCNA COURSE CONTENTS

 

NAT: NETWORK ADDRESS TRANSLATION
PAT: PORT ADDRESS TRANSLATION
EIGRP: EXTENDED INTERIOR GATEWAY ROUTING PROTOCOL
OSPF: OPEN SHORTEST PATH FIRST
VLSM: VARIABLE LENGTH SUBNET MASKS

Functional Levels Server 2008

The features available in a Windows Server 2008 domain depend on the functional level. Therefore, you can add additional features to a domain by raising the functional level. Windows Server 2008 supports three different domain functional levels. The three domain functional levels are:

* Windows 2000
* Windows Server 2003
* Windows Server 2008

Windows 2000

When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000. This functional level supports Windows 2000, 2003 and 2008 domain controllers. Other available features include universal groups, group nesting, group conversions and security identifier history.

Windows Server 2003

The second domain functional level is Windows Server 2003. Upgrading to this domain functional level provides support for Windows Server 2003 and 2008 domain controllers. You get all the features under the Windows 2000 functional level and additional ones that include:

* Netdom.exe management tool
* Logon time stamp dates
* Ability to redirect Users and Computers container
* Ability for Authorization Manager to store its authorization policies in AD DS
* Constrained delegation
* Selective delegation

Windows Server 2008

The third domain functional level is Windows Server 2008. This domain functional level only provides support for Windows Server 2008 domain controllers. If you want to take advantage of all the features included with Windows Server 2008, you must implement this functional level. Along with the features introduced at the previous levels, you can also take advantage of the following:

* Distributed File System
* Advanced Encryption Standard support for the Kerberos protocol
* Last Interactive Logon Information
* Fine-grained password policies

Functional levels determine the features that are available and the domain controllers that are supported. In a previous article, you learned about the three domain functional levels that are supported under Windows Server 2008. There are also functional levels at the forest level.

Windows Server 2008 supports the following three forest functional levels:

* Windows 2000 Native
* Windows Server 2003 Interim
* Windows Server 2003

Windows 2000 Native

Windows 2000 Native is the default forest functional level. It provides support for Windows 2000, 2003 and 2008 domain controllers. This functional level supports all of the default AD DS features.

Windows Server 2003

This forest functional level supports Windows Server 2003 and 2008 domain controllers. Along with the default features, the following features are introduced at this level:

* Forest trust
* Domain rename
* Linked-value replication
* Read-only domain controller
* Improved Knowledge Consistency Checker
* Ability to create the dynamic auxiliary class named dynamicObject
* Ability to create instances of new group types to support role-based authorization
* Deactivation and redefinition of attributes and classes in the schema

Windows Server 2008

The third forest functional level is Windows Server 2008. As the name implies, only domain controllers running Windows Server 2008 are supported. No additional features are introduced at this level.
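Because the functional level dictates which domain controller operating systems may remain in the domain, the practical check before raising it is an inventory of every DC's OS. The PowerShell below is an added example, not part of the original post and not Microsoft's code: it assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and the RSAT tools), Windows PowerShell 2.0 or later, and read access to the domain. The mapping from each level to the oldest kernel version it tolerates (5.0 for Windows 2000, 5.2 for Windows Server 2003, 6.0 for Windows Server 2008) is my assumption drawn from the text above; the function only reports and never changes a level.

```powershell
Import-Module ActiveDirectory

# Oldest domain controller kernel each domain functional level tolerates
# (5.0 = Windows 2000, 5.2 = Windows Server 2003, 6.0 = Windows Server 2008).
$script:MinimumDcKernel = @{
    'Windows2000Domain' = [version]'5.0'
    'Windows2003Domain' = [version]'5.2'
    'Windows2008Domain' = [version]'6.0'
}

function Get-DcKernelVersion {
    # AD stores operatingSystemVersion as text such as "6.0 (6002)"; keep major.minor only.
    param([string]$OperatingSystemVersion)
    if ($OperatingSystemVersion -match '^(\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-DomainModeReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Windows2000Domain', 'Windows2003Domain', 'Windows2008Domain')]
        [string]$TargetMode,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $required = $script:MinimumDcKernel[$TargetMode]
    $current  = (Get-ADDomain -Identity $Domain).DomainMode
    $dcs      = Get-ADDomainController -Filter * -Server $Domain

    # Any DC whose OS is older than the target level (or whose version cannot be read) blocks the raise.
    $blocking = foreach ($dc in $dcs) {
        $kernel = Get-DcKernelVersion $dc.OperatingSystemVersion
        if ($null -eq $kernel -or $kernel -lt $required) {
            New-Object PSObject -Property @{
                HostName = $dc.HostName
                Site     = $dc.Site
                OS       = $dc.OperatingSystem
                Kernel   = $kernel
            }
        }
    }
    New-Object PSObject -Property @{
        Domain      = $Domain
        CurrentMode = $current
        TargetMode  = $TargetMode
        Ready       = (@($blocking).Count -eq 0)
        BlockingDCs = @($blocking)
    }
}

# Usage: review the report first; Set-ADDomainMode is the cmdlet that performs the actual raise.
$report = Test-DomainModeReadiness -TargetMode Windows2008Domain
$report | Format-List Domain, CurrentMode, TargetMode, Ready
$report.BlockingDCs | Format-Table HostName, Site, OS, Kernel -AutoSize
```

Raising a functional level is a one-way change, which is why a read-only report like this is worth running (and keeping) before the raise; a DC listed under BlockingDCs has to be upgraded or demoted first.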

Tuesday, January 11, 2011

25. Name some OU design considerations.

Windows admin interview questions (includes Vista)



OU design requires balancing the requirements for delegating administrative rights (independent of Group Policy needs) against the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
· Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
· Delegating administrative authority.
· Depth: usually do not go more than three OU levels deep.

23. Can I get user passwords from the AD database?

The passwords in AD are not stored encrypted, so they cannot be decrypted; they are hashed. The only way to recover a password from a hash is with a cracking tool that guesses candidate passwords and compares their hashes (such tools exist).

22. How can you forcibly remove AD from a server, and what do you do later?

Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.
Another way out:
1. Restart the DC in DSRM mode.
2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
3. In the right pane, double-click ProductType.
4. Type ServerNT in the Value data box, and then click OK.
5. Restart the server in normal mode.
It is a member server now, but the AD entries are still there. Promote the server to a fake domain, say ABC.com, and then remove it gracefully using dcpromo. Alternatively, after the restart you can also use ntdsutil to do the metadata cleanup as described in the earlier post.

21. What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

First available in Windows 2003: create a copy of the system state from an existing DC and copy it to the new remote server. Run "dcpromo /adv". You will be prompted for the location of the system state files.

20. What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250 MB minimum)
· An Administrator's username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
· A network connection (to a hub or to another computer via a crossover cable)
· An operational DNS server (which can be installed on the DC itself)
· A domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

From the Petri IT Knowledge base. For more info, follow this link:

19. What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default, Windows 2003 forest-level functionality has this role.
By default the first server has this role. If that server can no longer perform this role, the next server with the highest GUID takes over the role of ISTG.

Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

18. What is the KCC?

Within a site, a Windows Server 2003 service known as the KCC automatically generates a topology for replication among the domain controllers in the domain using a ring structure. The KCC is a built-in process that runs on all domain controllers.
The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.

KCC is Knowledge Consistency Checker, which creates the connection object that links the DCs into common replication topology and dictates the replication routes between one DC to another in Active Directory forest.

17. What’s the difference between a site link’s schedule and interval?

Any time two networks are separated by links that are heavily used during parts of the day and are idle during other parts of the day, put those networks into separate sites. You can use the ability to schedule replication between sites to prevent replication traffic from competing with other traffic during high-usage hours.
In simple words, the schedule is the time window in which you allow replication to happen.
The interval is also part of the schedule, but it controls the replication polling frequency. In other words, within a schedule of, say, 9:00 AM to 1:00 PM, replication polling should occur every 15 minutes:
Schedule here is 9:00 AM to 1:00 PM.
Interval is every 15 minutes.

Friday, December 24, 2010

16. What are sites? What are they used for?

Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.
Read More: http://technet.microsoft.com/en-us/library/cc782048%28WS.10%29.aspx

15. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.
A directory is a set of objects with attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of persons or organizations) organized alphabetically, with each name having an address and phone number attached.


An LDAP directory tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain name system (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries).
Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force (IETF) Standards Track Requests for Comments (RFCs), as detailed in RFC 4510.
LDAP stands for Lightweight Directory Access Protocol. It determines how an object in Active Directory should be named. LDAP is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses. LDAP directories are designed to support a high volume of queries, but the data stored in the directory does not change very often. It works on port 389. LDAP is sometimes known as X.500 Lite. X.500 is an international standard for directories and is full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not support every capability of X.500.
What is REPLMON?

A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than with its command-line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

For more, go to http://www.techtutorials.net/articles/replmon_howto_a.html
What is ADSIEDIT?

A: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:
• ADSIEDIT.DLL
• ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) are necessary.

What is NETDOM?

A: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
It enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use netdom to:

· Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008, Windows Server 2003, Windows 2000 or Windows NT 4.0 domain, with options to:
  - Specify the organizational unit (OU) for the computer account.
  - Generate a random computer password for an initial join operation.
· Manage computer accounts for domain member workstations and member servers. Management operations include:
  - Add, remove, query.
  - An option to specify the OU for the computer account.
  - An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
· Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
  - From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
  - From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows 2000, Windows Server 2003 or Windows Server 2008 domain in another enterprise.
  - Between two Windows 2000, Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
  - The Windows Server 2008, Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
· Verify or reset the secure channel for the following configurations:
  - Member workstations and servers.
  - Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  - Specific Windows Server 2008, Windows Server 2003 or Windows 2000 replicas.
· Manage trust relationships between domains, including the following operations:
  - Enumerate trust relationships (direct and indirect).
  - View and change some attributes on a trust.

Syntax
Netdom uses the following general syntaxes:

NetDom [] [{/d: | /domain:} ] []
Netdom help: http://technet.microsoft.com/en-us/library/cc772217.aspx

14. What are the Support Tools? Why do I need them?

The Windows 2003 support tools are a collection of resources with the aim of assisting administrators to simplify management tasks. These include: troubleshooting operating systems, configuring networking and security features, managing Active Directory, and automating application deployment. With the use of these tools, the user is able to pin-point problematic issues with the system and will therefore be able to find a solution more easily.


The Windows 2003 Support Tools consist of a number of command-line utilities, Visual Basic scripts, GUI-based applications, and documents, all of which you must install from a separate application. The Support Tools are not automatically installed when you install Windows 2003; their installation isn't an option in the Windows 2003 setup. The installation program is located on the CD-ROM in the \support\tools folder, and the setup file (suptools.msi) must be opened manually to initiate the installation wizard. You can also download the Support Tools from http://www.microsoft.com/downloads/en/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en

13. Trying to look at the Schema, how can I do that?

Active Directory Schema Tools and Settings
When existing class and attribute definitions in the Active Directory schema do not meet the needs of your organization, you can use schema-based administrative tools to modify or add schema objects. You can modify an existing attribute or add a new class or attribute to the schema to store a new type of information in the directory. The process of modifying or updating the schema is often referred to as “extending the schema.” In addition to using schema tools to extend the schema, you can perform most schema extensions by using customized applications or Active Directory Service Interfaces (ADSI) scripts.
The following tools are associated with the Active Directory schema.
Adsiedit.exe: ADSI Edit
ADSI Edit is included when you install Support Tools for Windows Server 2003 and later.
ADSI Edit is a Microsoft Management Console (MMC) snap-in that uses ADSI, which uses the Lightweight Directory Access Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database. You can also use it to view schema directory partition objects and properties. When you open ADSI Edit, the Schema container is displayed by default. You can expand the container to view schema classes and attributes.
Csvde.exe: Csvde
Csvde is a command-line tool that ships with Windows Server 2003.
You can use Csvde.exe to export directory information to an Excel spreadsheet or to import data from a spreadsheet into Active Directory. You can use this format only for additions to the directory. Csvde.exe cannot be used to modify or delete objects.
Ldifde.exe: Ldifde
Ldifde is a command-line tool that ships with Windows Server 2003.
Active Directory supports the use of files that are formatted with the LDAP Data Interchange Format (LDIF) for importing and exporting information in the directory. This includes information that is stored in the schema, such as schema modifications. After an LDIF file is created, a tool such as Ldifde.exe performs the import operation by using the LDIF file for input. You can also use Ldifde.exe to add, modify, and delete directory objects; export Active Directory user and group information to other applications or services; and populate Active Directory with data from other directory services.



Schmmgmt.msc: The Active Directory Schema snap-in
The Active Directory Schema snap-in is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003. However, you must register it manually before you use it for the first time. To register the Active Directory Schema snap-in, run Regsvr32 Schmmgmt.dll from the command prompt or from the Run command on the Start menu. Then open MMC and add the Active Directory Schema snap-in.
ADSI and Visual Basic Scripts
Active Directory provides a set of interfaces that you can use programmatically to gain access to directory objects, including schema objects. ADSI conforms to the Component Object Model (COM), and it supports standard COM features. ADSI defines a directory service model and a set of COM interfaces that you can easily use with a variety of programming languages. With Microsoft Visual Basic, Scripting Edition and ADSI, you can write scripts to modify the directory in various ways, including extending the schema.
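Since Ldifde.exe is the tool that moves LDIF files in and out of the directory (including schema changes), it helps to be able to read such a file before handing it over. The PowerShell below is an added example, my own code rather than part of the original post or of any Microsoft tool: a minimal LDIF reader that follows the RFC 2849 rules for folded lines, comments and base64 "::" values, run over a constructed two-entry file whose DNs and values are made up. Reviewing an import this way shows exactly which DNs and attributes Ldifde would touch.

```powershell
function ConvertFrom-Ldif {
    param([Parameter(Mandatory = $true)][string]$Text)

    # Unfold first: a line beginning with one space continues the previous line (RFC 2849).
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($raw in ($Text -split "`r?`n")) {
        if ($raw.StartsWith(' ') -and $lines.Count -gt 0) {
            $lines[$lines.Count - 1] += $raw.Substring(1)
        } else {
            $lines.Add($raw)
        }
    }

    $entries = @()
    $entry = $null
    foreach ($line in $lines) {
        if ($line -eq '') {                       # a blank line closes the current entry
            if ($entry) { $entries += New-Object PSObject -Property $entry; $entry = $null }
            continue
        }
        # Skip comments, the version header and the "-" separator between modify operations.
        if ($line.StartsWith('#') -or $line -match '^version:' -or $line -eq '-') { continue }
        if ($line -match '^([A-Za-z][\w.;-]*)(::?)\s*(.*)$') {
            $name, $sep, $value = $Matches[1], $Matches[2], $Matches[3]
        } else {
            throw "Malformed LDIF line: $line"
        }
        if ($sep -eq '::') {                      # "::" marks a base64-encoded value
            $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))
        }
        if ($null -eq $entry) {
            $entry = @{ DN = $null; ChangeType = 'add'; Attributes = @{} }
        }
        switch ($name.ToLower()) {
            'dn'         { $entry.DN = $value }
            'changetype' { $entry.ChangeType = $value }
            default {
                # Multi-valued attributes accumulate; in a modify entry the operation lines
                # (add/replace/delete) are kept as attributes too, which is enough for review.
                if ($entry.Attributes.ContainsKey($name)) { $entry.Attributes[$name] += @($value) }
                else { $entry.Attributes[$name] = @($value) }
            }
        }
    }
    if ($entry) { $entries += New-Object PSObject -Property $entry }
    return ,$entries
}

# Constructed sample LDIF (not exported from any real directory).
$sampleLdif = @"
# one new user, then a group membership change
version: 1
dn: CN=Jane Doe,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: Jane Doe
description: A description long enough to be folded
  across two lines
displayName:: SmFuZSBEb2U=

dn: CN=Helpdesk,OU=Groups,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Jane Doe,OU=Staff,DC=contoso,DC=com
-
"@

# Usage: list every DN the file would change and the attributes it sets on each.
foreach ($e in ConvertFrom-Ldif -Text $sampleLdif) {
    "{0,-7} {1}" -f $e.ChangeType, $e.DN
    foreach ($attr in $e.Attributes.Keys) {
        "        {0} = {1}" -f $attr, ($e.Attributes[$attr] -join ' | ')
    }
}
```

The folded description comes back as one value and the base64 displayName decodes to "Jane Doe"; the second entry shows up as a modify against the Helpdesk group, which is the kind of line a reviewer wants to spot before an import runs.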

12. Why not make all DCs in a large forest as GCs?

Unless you have some really bad connections that may not be able to handle the extra traffic, you should make every DC a GC. In ANY single domain forest, it is recommended and beneficial to make all DCs GCs since it has no replication impact and serves to better distribute query load.



11. How do you view all the GCs in the forest?

DSQUERY server can be used to locate global catalogs.
To search the entire forest:
dsquery server -forest -isgc
To locate global catalogs in your current (logon) domain:
dsquery server -isgc
To locate global catalogs in a specific domain:
dsquery server -domain tech.cpandl.com -isgc
Here, you search for global catalog servers in the tech.cpandl.com domain.

You can also search for global catalog servers by site, but to do this you must know the full site name and cannot use wildcards. For example, if you wanted to find all the global catalog servers for Default-First-Site-Name, you would have to type:
dsquery server -site Default-First-Site-Name -isgc
The resulting output is a list of DNs for global catalogs, such as:
"CN=CORPSVR02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cpandl,DC=com"
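The DN strings that dsquery prints are easier to audit (for example, to compare the GC list against what the site design says it should be) once each is split into server and site. The PowerShell below is an added example of mine, not from the original post: it splits a DN into its RDNs, honouring backslash-escaped commas, and reduces each server DN to server, site and forest. The first sample line is the page's own DN; the second, with an escaped comma in the site name, is constructed to show the escaping case the parser has to handle.

```powershell
function Split-DistinguishedName {
    param([Parameter(Mandatory = $true)][string]$Dn)
    # Split on commas that are not escaped with a backslash (RFC 4514 escaping).
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $ch = $Dn[$i]
        if ($ch -eq '\' -and $i + 1 -lt $Dn.Length) {
            [void]$current.Append($Dn[$i + 1]); $i++; continue   # keep the escaped character literally
        }
        if ($ch -eq ',') { $rdns.Add($current.ToString().Trim()); [void]$current.Clear(); continue }
        [void]$current.Append($ch)
    }
    $rdns.Add($current.ToString().Trim())
    foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        New-Object PSObject -Property @{ Type = $type.Trim(); Value = $value }
    }
}

function ConvertFrom-DsqueryServerOutput {
    # Takes the lines printed by "dsquery server ... -isgc" (one quoted DN per line).
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($line in $Lines) {
        $dn = $line.Trim().Trim('"')
        if (-not $dn) { continue }
        $parts = @(Split-DistinguishedName -Dn $dn)
        # Expected shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...
        if ($parts.Count -lt 5 -or $parts[1].Value -ne 'Servers' -or $parts[3].Value -ne 'Sites') {
            Write-Warning "Not a server object DN: $dn"
            continue
        }
        $forest = ($parts | Where-Object { $_.Type -eq 'DC' } | ForEach-Object { $_.Value }) -join '.'
        New-Object PSObject -Property @{
            Server = $parts[0].Value
            Site   = $parts[2].Value
            Forest = $forest
        } | Select-Object Server, Site, Forest
    }
}

# Constructed sample lines standing in for live dsquery output.
$sample = @(
    '"CN=CORPSVR02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cpandl,DC=com"'
    '"CN=TECHSVR01,CN=Servers,CN=Branch\, East,CN=Sites,CN=Configuration,DC=cpandl,DC=com"'
)
ConvertFrom-DsqueryServerOutput -Lines $sample | Format-Table -AutoSize

# Live use on a domain-joined machine (assumed; not run here):
#   ConvertFrom-DsqueryServerOutput -Lines (dsquery server -forest -isgc)
```

The second sample yields the site "Branch, East" rather than two broken RDNs, which is why a naive split on commas is not enough for DN handling.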

10. What is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

9. How do you view replication properties for AD partitions and DCs?

Install Replication Monitor from Support tools, run from command line with "replmon" command, and add DC and it will show you all partitions that DC holds and all replication partners for each partition.

8. How do you create a new application partition

You can create an application directory partition by using the create nc option in the domain management menu (partition management in Windows Server 2008) of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be "Microsoft accounting application". Ntdsutil does not facilitate the creation of a description.
To create or delete an application directory partition
The sample commands below were written for Windows Server 2008. If you are using Windows Server 2003, you do not need to include the ACTIVATE INSTANCE NTDS command, and you would use DOMAIN MANAGEMENT instead of PARTITION MANAGEMENT.
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
Connected to \\server1.contoso.com using credentials of locally logged on user.
server connections: connect to server server1.contoso.com
Disconnecting from \\ server1.contoso.com...
Binding to server1.contoso.com ...
Connected to server1.contoso.com using credentials of locally logged on user.
server connections: quit
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com



partition management: create nc dc=app1,dc=contoso,dc=com
server1.contoso.com
adding object dc=app1,dc=contoso,dc=com
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
5 - DC=app1,DC=contoso,DC=com
Create an application directory partition by using the DnsCmd command
Use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named CustomDNSPartition on a domain controller that is named DC-1, follow these steps:



1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following information appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command completed successfully.
Configure an additional domain controller DNS server to host the application directory partition
Configure an additional domain controller that is acting as a DNS server to host the new application directory partition that you created. To do this, use the following syntax with the DnsCmd command:
DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition
To configure the example domain controller that is named DC-2 to host this custom application directory partition, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command completed successfully.
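Creating and enlisting a partition is only half the job; the other half is confirming which domain controllers actually hold a replica afterwards. The PowerShell below is an added example, my own code and not from the original post or from Microsoft's documentation: it assumes the ActiveDirectory module and read access to the forest, reads the forest's application partition list and each DC's partition list, and flags partitions that exist on a single DC. The wildcard filter matching the CustomDNSPartition name above is my assumption about how the partition DN will appear.

```powershell
Import-Module ActiveDirectory

function Get-ApplicationPartitionReplicas {
    # Wildcard on the partition DN, e.g. 'DC=app1,*' or '*CustomDNSPartition*'.
    param([string]$PartitionFilter = '*')

    $forest = Get-ADForest
    # Collect every DC in every domain of the forest once, so each partition is matched against all of them.
    $dcs = @()
    foreach ($domainName in $forest.Domains) {
        $dcs += Get-ADDomainController -Filter * -Server $domainName
    }

    foreach ($partition in $forest.ApplicationPartitions) {
        if ($partition -notlike $PartitionFilter) { continue }
        # A DC hosts a replica when the partition DN appears in its Partitions list.
        $replicas = @($dcs | Where-Object { $_.Partitions -contains $partition })
        New-Object PSObject -Property @{
            Partition    = $partition
            ReplicaCount = $replicas.Count
            Hosts        = (($replicas | ForEach-Object { $_.HostName }) -join ', ')
            SingleCopy   = ($replicas.Count -lt 2)   # one replica means no redundancy at all
        } | Select-Object Partition, ReplicaCount, SingleCopy, Hosts
    }
}

# Usage: after "dnscmd DC-2 /EnlistDirectoryPartition ..." the second host should appear here.
Get-ApplicationPartitionReplicas -PartitionFilter '*CustomDNSPartition*' | Format-Table -AutoSize
```

A partition that still shows SingleCopy after the enlistment is the signal that the enlist did not replicate yet or was run against the wrong server; running the report without a filter lists every application partition in the forest, including the DomainDnsZones and ForestDnsZones ones shown in the ntdsutil listing above.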

7. What are application partitions? When do I use them

An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data; TAPI is one example. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
Application directory partitions can contain any type of object except security principals. Their data can be replicated to different domain controllers in a forest (for redundancy, availability, or fault tolerance).