Drew Heywood's Windows 2000 Network Services

Paperback

Author: Drew Heywood

ISBN-10: 0672317419

ISBN-13: 9780672317415

Category: Operating Systems - Computer Networks


Drew Heywood's Networking Windows 2000 highlights the crucial aspects of networking - such as hardware configuration and the core Windows 2000 networking issues - so the reader can successfully and efficiently set up and administer a Windows 2000 network. This book is a reference for the networking professional who needs to learn how to anticipate and solve problems before they happen.

A networking professional must understand the inner workings of Windows 2000 and how it relates to and communicates with other products, such as NetWare, UNIX, and Linux as network operating systems. To address these issues, the reader is presented with well-crafted coverage of the most vital networking components of the Windows 2000 family. Its detailed coverage will enable administrators to differentiate the features and technology changes from Windows NT 4.0 to Windows 2000.

This will be one of the first Windows 2000 networking titles that will be tested against the actual shipping product, versus the early books based on beta code and RC3. This allows the author to provide more accurate information based on real-world deployment case studies.

Readers will benefit from the author's expert discussions of topics including: Installation Planning and Execution; TCP/IP Protocols; Domain Name Services (DNS); Active Directory; Managing Domains; Domain Host Configuration Protocol (DHCP); Windows Internet Name Service (WINS); Terminal Services and Thin Clients; Internet Information Services (IIS).

Booknews

Covers many of the network services supported by Windows 2000, providing network administrators with both the procedures for managing services and the theory required to understand their function. The author describes how to design a DNS and active directory domain structure that fits given requirements, manage client configuration with the dynamic host configuration protocol, implement local and demand-dial routing with the routing and remote access service, and plan a public key infrastructure.
Annotation © Book News, Inc., Portland, OR (booknews.com)

Chapter 12: Managing and Monitoring Connections

We have already discussed several Windows 2000 connection-management tools, most particularly the Network and Dial-Up Connections applet in Chapter 1 and IPCONFIG in Chapter 5. We also examined Network Monitor in several chapters, although discussion to this point has been limited to interpreting network traces. This is a catch-all chapter in which we will examine Network Monitor in greater detail as well as a variety of utilities that assist in managing and troubleshooting network connections.

We'll start by discussing the use of Network Monitor and Performance Monitor, after which we will examine command-line utilities from the Windows 2000 Server CD-ROM and the Windows 2000 Server Resource Kit.

Network Monitor

We have encountered Network Monitor in several places, most particularly in Chapter 2, "TCP/IP Protocol Concepts." While we examined some network traces, we didn't discuss the procedures for using Network Monitor in the first place.

Network Monitor extends your network analysis capability by enabling you to capture network frames for detailed examination. After frames are captured, you can look inside them to perform a thorough analysis of the network's operation.

Network Monitor is equipped with a wide variety of protocol parsers, which are modules that examine network frames to decode their contents. The most important ones for the purposes of this book are Ethernet, ARP, IP, TCP, UDP, and a variety of Internet application-layer protocols. Network Monitor also includes parsers for token ring and other network access protocols, IPX, and a variety of other protocols including such Microsoft-specific protocols as Server Message Blocks (SMB).

In this section, we will be focusing on the procedures for using Network Monitor, not on the interpretation of frame contents. See Chapter 2 for more information about the structures of frames carrying IP communication.

Network Monitor and Systems Management Server

As shipped with Windows 2000 Server, Network Monitor has one particularly significant limitation: It can capture only those frames that originate from or are delivered to the computer on which Network Monitor is running, including broadcast and multicast frames that the computer receives or originates. It cannot capture frames that are not sent to or from the server on which it is running.

Microsoft's stated reason for hobbling Network Monitor as it ships with Windows 2000 Server is to prevent unauthorized users from using it to examine network traffic. That explanation seems a bit thin. I'm not sure why a user might go to the expense of obtaining a copy of Windows 2000 Server just to snoop the network when inexpensive analyzers are readily available.

Since several other features of the Windows 2000 Server Network Monitor are unavailable, a more plausible reason for distributing a limited version of Network Monitor is that Microsoft wants to sell you their Systems Management Server (SMS) product. SMS includes a noncrippled version of Network Monitor that can capture all network packets and can obtain network statistics from any Windows computer that is running a Network Monitor Agent, such as the Windows 2000 Network Monitor driver. (Agents are proxy programs that collect data and forward them to another computer for analysis.)

Ordinarily, computers on a network are selective and will only receive frames that are addressed to them. As shipped with Windows 2000, Network Monitor is designed to work with standard network adapter cards, which in part accounts for the restriction that Network Monitor can capture only those frames that originate from or are delivered to the computer on which Network Monitor is running.

The SMS Network Monitor captures network traffic in promiscuous mode, meaning that it can capture all network data regardless of the destination of the frames. This enables SMS to monitor any computer running a Network Monitor Agent. However, capturing data in promiscuous mode is intense work, and performance will suffer on the computer running SMS. Therefore, monitoring the network with SMS Network Monitor is an activity best reserved for a dedicated network management computer. (On some network types, such as token ring, special network adapters are required to support promiscuous mode. Because the Network Monitor included with Windows 2000 Server does not operate in promiscuous mode, special network adapters are not required.)

SMS has other capabilities as well, including hardware inventory management and software management. Unless you require SMS capabilities other than Network Monitor, however, SMS is neither the most powerful nor the most cost-effective way to analyze network traffic. SMS is not an inexpensive product, particularly because it requires Microsoft SQL Server. Also, Network Monitor's capabilities fall short of those offered by third-party network analyzers, particularly regarding analysis of other vendors' protocols.

Most network administrators will be well served by moderately priced software-based protocol analyzers such as Network Associates' Sniffer Basic or Sniffer Pro (www.sniffer.com), or the EtherPeek and TokenPeek products from Wildframes (www.wildpackets.com). Sniffer Basic (about $1,500 for a two-year license with maintenance) and EtherPeek/TokenPeek ($995 without maintenance) are extremely capable and cost-effective products. Other affordable protocol analyzers include LanExplorer ($799; www.intellimax.com), LANtracer ($995 for single license; www.lantracer.com), and LANSleuth ($649-$949; www.lansleuth.com). All of these products are available via download for trial use. I can only endorse Sniffer (Basic and Pro) and EtherPeek, but any of these products equals or exceeds the capabilities of Network Monitor.

Installing Network Monitor

Network Monitor consists of two components:

Network Monitor Driver. Install this component on computers that will be monitored by a server running SMS. The driver can be installed on Windows 2000 Professional or Windows 2000 Server.

Network Monitor Tools. Install this component on Windows 2000 Server computers that will be used to collect and analyze network frames. Installing the Network Monitor Tools component also installs and enables the Network Monitor driver, which captures frames for analysis in Network Monitor.

The Network Monitor driver is installed as a connection component. In the Properties dialog box for the desired connection, click Install, open Protocol, and select Network Monitor Driver. The driver requires no configuration. See "Configuring Local Area Network Connections" in Chapter 1 for further discussion of the procedure. Only members of the Administrators group can install this driver.

Use Add/Remove Programs in the Control Panel to install Network Monitor Tools, which is located under Add/Remove Windows Components in the Management and Monitoring Tools component category. The Network Monitor driver is installed with Network Monitor Tools and is enabled in the properties of all connections. See "Installing Windows 2000 Components" in Chapter 1 for procedural details.

Network Monitor Security

The Network Monitor agent that is included with Windows 2000 Server can be configured with passwords to restrict access to captured data. Passwords are not required for the Windows 2000 Network Monitor driver. Only members of the Administrators group can examine data captured by a Network Monitor driver...

Introduction.

1. Installation: Planning and Execution. Planning for Installation. Planning TCP/IP. Planning the Directory. A Learning and Planning Roadmap. Identifying a Windows 2000 Computer. Windows 2000 Installation and Network Services. Configuring Local Area Network Connections. Using Network and Dial-Up Connections. Configuring the Internet Protocol Component. Configuring the NWLink (IPX/SPX) Protocol Component. Installing Windows 2000 Components. Using the Microsoft Management Console. The Console Tree. The Details Pane. Creating Custom MMC Consoles. Saving Custom Consoles. Starting Consoles. Creating Shortcuts for Consoles. Modifying Consoles Saved in User Mode. Installing the Windows Support Tools. The Windows 2000 Server Resource Kit. Microsoft Knowledge Base. Now On with the Show.

2. TCP/IP Protocol Concepts. Obtaining TCP/IP Documentation. The TCP/IP Protocol Stack. The Internet Protocol Model. The Network Access Layer. SNAP Encapsulation. Packet Delivery. The Internet Layer. The Host-to-Host Layer. The Process/Application Layer. IP Addressing. IP Address Representation. IP Address Classes. Special IP Addresses. Examples of Class-Based Addressing. The Problem with IP Address Classes. Subnetting. Default Subnet Masks. Supernetting. Classless IP Addresses. Obtaining IP Addresses. The Dynamic Host Configuration Protocol. Those Are the Basics.

3. The Domain Name System. DNS Architecture. The Domain Hierarchy. Domain Names. Making DNS Queries. Resource Records. Deploying DNS Servers. Servicing a Zone with Multiple Name Servers. Delegating Authority. Reducing WAN Traffic with Forwarding DNS Servers. Reverse Lookup Zones. Managing DNS in a Small Domain. Installing the DNS Server Service. Managing Remote DNS Servers. Configuring the DNS Server. Creating the Primary Forward Lookup Zone. Creating the Primary Reverse Lookup Zone. Creating a Secondary Forward Lookup Zone. Creating a Secondary Reverse Lookup Zone. Modifying Zone Properties. Managing Resource Records. Supporting Aliases. Scaling DNS for Large Networks. Supporting Round Robin Addressing. Configuring Reverse Lookup Zones to Support Classless IP Addresses. Importing and Exporting BIND Databases. Importing Data from BIND. Exporting Data to BIND. BIND Database File Formats. Reverse Lookup Database Files. The Cache Database File. Integrating DNS Zones with Active Directory. Using NSLOOKUP. Making Noninteractive Queries. Making Interactive Queries. Now, You're the DNS Master.

4. Active Directory Concepts. The Active Directory Architecture. Objects, Attributes, Classes, and Schemas. Security Principles. Domains. Domain Forests. Global Catalogs. Organizational Units. Models for Managing Active Directory and DNS Domains. Active Directory Using a Domain in the Internet Namespace. Active Directory Using a Private DNS Namespace. Active Directory and External DNS Using Separate Domains in the Internet Namespace. Active Directory Using a Private DNS Namespace, External DNS Using the Internet Namespace. Configuring Domain Controllers. Creating the First DC in a New Domain. AD Child Domains and Resource Records in DNS. Adding a DC to a Domain. Creating a Child Domain. Configuring a Private DNS Root Name Server. Creating a New Tree in an Existing Forest. Demoting a Domain Controller. Managing Organizational Units. Creating OUs. Delegating Control in OUs. Managing Object Security. Controlling Inheritance from the Parent Container. Advanced Object Security. Group Policy. Group Policy Inheritance. Overriding Group Policy Inheritance. Managing Group Policy. Managing Sites. Defining Sites. Defining Subnets. Managing Servers. Active Directory Afterthoughts.

5. Dynamic Host Configuration Protocol. DHCP Concepts. DHCP Leases. DHCP Relay Agents. Scopes and Superscopes. Managing the DHCP Service. Managing DHCP Servers. Creating and Managing Scopes. Managing Reservations. Managing DHCP Options. Managing Superscopes. Configuring Windows 2000 DHCP Clients. The IPCONFIG Utility. Building a Fault-Tolerant DHCP Service. Splitting a Subnet Address Range Among Multiple DHCP Servers. DHCP Fault Tolerance Using Address Conflict Detection. DHCP Fault Tolerance Using Server Clusters. DHCP on the Wire. What a Relief!

6. NetBIOS Name Support: LMHOSTS and WINS. NetBIOS Names. The Structure of NetBIOS Names. The NetBIOS Namespace. NetBIOS Name Resolution Modes. Name Resolution with LMHOSTS Files. NetBIOS Naming with WINS. Architecture of WINS. The WINS Name Life Cycle. When Name Resolution Fails. Implementing a WINS Service. Planning for WINS Installation. Installing the WINS Server Service. Configuring a Statically Addressed WINS Client. Renewing a Client Registration. Configuring WINS Proxies. Configuring DHCP Clients as WINS Clients. Naming Versus Browsing. Managing WINS Servers. Maintaining the WINS Database. Backing Up the Database. Managing Remote WINS Servers Through Firewalls. What's in a Name?

7. Routing with Routing and Remote Access Service. Rules of Routing. Routing with Two Networks. Enabling Routing Support on a Windows 2000 Router. Enabling Routing. Testing the IP Routing Configuration. Configuring IP Unicast Routing. Configuring Default Gateways on Internets with Three Networks. Configuring Default Gateways on Internets with More Than Three Networks. Building Static Routing Tables. Effective Use of a Default Router. Routing with Multiple Default Gateways. Managing Routing Tables with route. Testing Routing with tracert. Configuring RIP for IP. Configuring OSPF. Configuring IP Interfaces. Configuring IP Multicast Routing. Adding IGMP Multicast Support to RRAS. Adding and Configuring IGMP Interfaces. IGMP Interface Configuration: The Router Tab. Displaying the Interface Group Table. Configuring Interface Multicast Boundaries. Configuring the DHCP Relay Agent. Adding the DHCP Relay Agent to RRAS. Adding and Configuring DHCP Relay Agent Interfaces. Configuring DHCP Relay Agent Properties. Configuring IPX Routing. Adding and Configuring IPX Interfaces. NetBIOS Broadcast Statistics. Defining IPX Static Routes. Defining IPX Static Services. Defining Static NetBIOS Names. Modifying RIP for IPX Properties. Modifying RIP for IPX Interface Properties. Modifying SAP for IPX Properties. Modifying SAP for IPX Interface Properties. Network Address Translation Firewalls. Configuring Interfaces for NAT. Adding Network Address Translation to RRAS. Adding NAT Interfaces. Building a High-Performance Routing Infrastructure.

8. Supporting Dial-Up Connections with Routing and Remote Access Service. Installing and Configuring Dial-Up Hardware. Installing a Modem. Configuring Communications Ports. Modem Properties. Creating a Dial-Up Connection to the Internet. Reviewing and Modifying Dial-Up Connection Properties. Configuring RRAS Server Properties. RRAS Server Properties: The General Tab. RRAS Server Properties: The Security Tab. RRAS Server Properties: The IP Tab. RRAS Server Properties: The IPX Tab. RRAS Server Properties: The AppleTalk Tab. RRAS Server Properties: The PPP Tab. RRAS Server Properties: The Event Logging Tab. Configuring a RRAS Demand-Dial Interface. Creating a New Demand-Dial Interface. Configuring RRAS Dial-Out Credentials. Configuring RRAS Dial-Up Properties. Testing the Dial-Up Interface. Setting IP Demand-Dial Filters. Setting Dial-Out Hours. Configuring Remote-Access Logging. Enabling NAT Dial-Out Networking. Creating a Demand-Dial Interface to the Internet. Enabling a Demand-Dial NAT Interface. Creating a Default Route to the Demand-Dial Interface. Test the Demand-Dial Interface. RRAS Dial-In. Configuring the Remote Access Server. Dial-In User Authorization Models. RAS Client Authentication Models. Considerations for Remote Access Client and Server Configuration. Using Wizards to Configure the Dial-Up Client and Server. Configuring Dial-Up Router Connections. Configuring RRAS Server Properties for Demand-Dial Routing. Configuring RRAS Ports for Demand-Dial Routing. Creating the Demand-Dial Routing Interface. Testing the Demand-Dial Connection. Configuring Routes for Demand-Dial Connections. Remote Access Properties and Demand-Dial Connections. Testing Automatic Demand-Dial Connections. Persistent Connections. Controlling Demand-Dial Connections. RRAS Support for IPX. Managing the Internet Authentication Service. Installing IAS. Configuring IAS Server Properties. Adding IAS Clients. Registering the IAS Server in Active Directory. Managing IAS Remote Access Policies. Configuring RRAS for IAS Authentication and Accounting. IAS Logging. Onward to VPNs and Encryption.

9. Data Communication Security Concepts. The Tools of Digital Data Security. Message Digests. Secret Key Cryptography. Public Key Cryptography. Authentication. Kerberos. Key Distribution Center Services. Authorizing Client Access to Services. Configuring Kerberos Policy Settings. Configuring Password Policy Settings. Now That You Know the Concepts, Let's Get Busy.

10. Planning and Implementing a Public Key Infrastructure. Certification Authorities. Issuing Public Key Certificates. Validating the Certificate. CA Hierarchies. Cryptographic Service Providers. Policy Modules. Exit Modules. Certificate Templates. Installing and Managing a Certification Authority. Protecting CAs. Enterprise Versus Stand-Alone CAs. Managing Certificate Lifetimes. Planning CA Configuration Parameters. Installing a CA. Managing Certification Authorities. Automating Certificate Requests. Backing Up and Restoring the CA. Requesting Certificates. Requesting Certificates with the Certificate Request Wizard. Requesting Certificates with the Web Enrollment Pages. Managing Certificates. Certificate Stores. Organizing Certificates in the Certificates Console. Examining Certificate Contents. Viewing and Modifying Certificate Properties. Exporting Certificates. Importing Certificates. Renewing Certificates. Concluding Remarks Regarding Certification Services.

11. Securing IP Communication. Secure Sockets Layer/Transport Layer Security. SSL and the Internet Protocol Stack. SSL/TLS Functionality. SSL/TLS Operation. Distinctions Between SSL Version 3.0 and TLS. Enabling Support for SSL/TLS. Conclusions About SSL/TLS. The IP Security Service (IPSec). IPSec Security Protocols. Security Associations and Key Management. The Internet Key Exchange. IPSec Policies. Applying IP Security: A Simple Example. Scaling IPSec. Troubleshooting IPSec. Some Concluding Remarks Regarding IPSec. Configuring IPSec Tunnels and Virtual Private Networks. Protocol Layering and Tunneling Protocols. Tunneling Protocols. IPSec Tunneling. VPN Configuration. Supporting Client-to-Server VPN Connections. We Finally Can Say Goodbye to RRAS.

12. Managing and Monitoring Connections. Network Monitor. Network Monitor and Systems Management Server. Installing Network Monitor. Network Monitor Security. Capturing Network Frames. Creating an Address Database. Selecting the Network to be Monitored. Managing the Capture Buffer. Avoiding Dropped Frames. Using Capture Filters. Using Capture Triggers. Saving Capture Data. Examining Captured Data. Monitoring TCP/IP with System Monitor. The Simple Network Management Protocol. Organization of SNMP Management. The Management Information Base. Network Management Stations. Configuring SNMP Support on Windows 2000. Troubleshooting Utilities. ARP. TRACERT. NETDIAG. NETSTAT. Management. Not Glamorous, but Essential.

13. Interoperating with Non-Windows Environments. Interoperating with UNIX. Services for UNIX 2.0. Services for UNIX Features. Services for UNIX Requirements. Installing Services for UNIX. MKS Demoware. Password Synchronization. Uninstalling Services for UNIX. How Do I Purchase Services for UNIX 2.0? Interoperating with NetWare. Gateway Services for NetWare. Services for NetWare 5.0. Interoperating with Macintosh. File and Print Services for Macintosh. Sharing Folders for Macintosh Clients. Creating Printers for Macintosh Clients. Windows 2000's Interoperating Solutions.

Additional Online Resources.

Index.
