IP Addressing and Subnetting, Including IPv6

91_FP.qx

11/28/00

4:09 PM

Page 1

TROUBLESHOOTING

WINDOWS 2000

T C P/I P

“This book is an important ally in keeping your Windows 2000 TCP/IP network running smoothly.” —Excerpt from Foreword by Ted Rohling, Chief Technical Officer Decision Networks, Inc.

FREE Monthly Technology Updates One-year Vendor Product Upgrade Protection Plan FREE Membership to Access.Globalknowledge

Debra Littlejohn Shinder, MCSE, MCP+I, MCT Thomas W. Shinder, M.D., MCSE, MCP+I, MCT

91_tcpip_FM.qx

2/28/00

10:58 AM

Page i

[email protected] With over 1,000,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created [email protected], a service that includes the following features: ■

A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.

■

Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for [email protected].

■

Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.

■

Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions.

To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.

91_tcpip_FM.qx

2/28/00

10:58 AM

Page ii

91_tcpip_FM.qx

2/28/00

10:58 AM

Page iii

TROUBLESHOOTING

WINDOWS 2000

TCP/IP

91_tcpip_FM.qx

2/28/00

10:58 AM

Page iv

Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™” is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010

SERIAL NUMBER MBN123WER6 BUT432GHPL VTR987EDXA LKN567YTG7 QQWZA2BNM9 183ABC7891 VCRTED1984 CRTY1534XX MNPPP19875 XXCVB98345

PUBLISHED BY Syngress Media, Inc. 800 Hingham Street Rockland, MA 02370 Troubleshooting Windows 2000 TCP/IP Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-11-3 Copy edit by: Beth Roberts Technical edit by: Thomas W. Shinder, M.D. Index by: Robert Saigh Project Editor: Julie Smalley Distributed by Publishers Group West

Proofreading by: James Melkonian Page Layout and Art by: Emily Eagar and Vesna Williams Co-Publisher: Richard Kristof

91_tcpip_FM.qx

2/28/00

10:58 AM

Page v

Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Shelley Everett, Laurie Hedrick, Rhonda Harmon, Lisa Lavallee, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise. Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow, Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson, Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt International for making certain that our vision remains worldwide in scope. Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.

v

91_tcpip_FM.qx

2/28/00

10:58 AM

Page vi

From Global Knowledge At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank your for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards,

Duncan Anderson President and Chief Executive Officer, Global Knowledge

vi

91_tcpip_FM.qx

2/28/00

10:58 AM

Page vii

Contributors Debra Littlejohn Shinder (MCSE, MCP+I, MCT) is an instructor in the AATP program at Eastfield College, Dallas County Community College District, where she has taught since 1992. She is Webmaster for the cities of Seagoville and Sunnyvale, TX, as well as the family Web site at www.shinder.net. She and her husband, Dr. Thomas W. Shinder, provide consulting and technical support services to Dallas area organizations. She is also the proud mother of daughter, Kristen, who is currently serving in the U.S. Navy in Italy, and son, Kris, who is a high school chess champion. Deb has been a writer for most her life, and has published numerous articles in both technical and non-technical fields. She can be contacted at [email protected]. Thomas W. Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. Dr. Shinder has consulted with major firms including Xerox, Lucent Technologies and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Dr. Shinder attended Medical School at the University of Illinois in Chicago, and trained in Neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on Systems Engineering. Tom works passionately with his beloved wife, Deb Shinder, to design elegant and cost-efficient solutions for smalland medium-sized businesses based on Windows NT/2000 platforms.

vii

91_tcpip_FM.qx

2/28/00

10:58 AM

Page viii

Foreword When facing a new operating environment such as Windows 2000, resources such as this book are essential to your success. Here you will find all the information you need to understand the new TCP/IP administration tools available in the Windows 2000 environment. Rather than looking through countless CDs and volumes of documentation, you can look here. You will find the helpful hints you need to locate and troubleshoot the problems you will inevitably face. Experience and knowledge work together to help you do your job. This book is an important ally in keeping your Windows 2000 TCP/IP network running smoothly. Our success as network analysts is often judged by our ability to find and fix problems. In the past, the process was often a hit-or-miss proposition made worse by difficult-to-use vendor documentation. I have spent countless hours with co-workers just trying to find clues to the nature of a problem because not enough good information was available. Hopefully this book will save you from the hit-or-miss approach, immediately increasing your value as a Windows 2000 network analyst. Read, highlight, dog-ear, tab, use sticky notes; in short, make the book yours! —Ted Rohling, MCP, CCNA, CCDA Mr. Rohling is the Chief Technical Officer of Decision Networks, Inc., a computer networks consulting and training company in San Antonio, Texas. Ted has over 33 years of experience in the computer and networking field.

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page ix

Contents Preface Chapter 1: TCP/IP Overview Introduction TCP/IP’s “Net” Worth More Power, More Flexibility—and More Potential for Problems What’s Ahead in This Chapter TCP/IP: Where It Came From, and Where It’s Going History of the TCP/IP Protocols The Role of the U.S. Department of Defense From ARPAnet to the Internet Another Contender for the Title: The OSI Protocol Suite The Future of TCP/IP Looking Ahead to IPv6 Networking Models The Purpose of the Models Why Use Layered Models? The ISO OSI Model Seven Layers of the Networking World Layer 7: The Application Layer Layer 6: The Presentation Layer Layer 5: The Session Layer Layer 4: The Transport Layer Layer 3: The Network Layer Layer 2: The Data Link Layer Layer 1: The Physical Layer The DoD Model The Application/Process Layer The Host-to-Host (Transport) Layer The Internetworking Layer The Network Interface Layer The Microsoft Windows 2000 Networking Model The Application and User Mode Services Component The API Boundary Layer The File System Drivers The TDI Boundary Layer The Network Transport Protocol Component The NDIS Boundary Layer The NDIS Wrapper A Family of Protocols: The TCP/IP Suite Application Layer Protocols FTP SNMP

xxv 1 2 2 4 4 5 5 6 7 8 10 10 14 15 15 16 16 18 19 20 21 24 25 29 33 34 34 34 34 34 35 36 37 37 38 38 38 38 38 39 39

ix

91_TCPIP_TOC.qx

x

2/25/00

6:21 PM

Page x

Troubleshooting Windows 2000 TCP/IP • Contents

Telnet SMTP HTTP NNTP Transport Layer Protocols TCP UDP Network Layer Protocols IP ARP and RARP ICMP IGMP TCP/IP Utilities Basic Network Design Planning as Preventative Medicine Testing and Implementation Prototyping Pilot Programs Rollout Summary FAQs

Chapter 2: Setting Up a Windows 2000 TCP/IP Network Introduction Designing a New Windows 2000 TCP/IP Network The Planning Team Planning the Hardware Configurations Planning the Physical Layout Diagramming the Network Layout Planning for Sites What Is an Active Directory Site? Planning the Namespace Planning the Addressing Scheme Installing and Configuring Windows 2000 TCP/IP Installing TCP/IP on a Windows 2000 Computer The Protocol Installation Process Configuring TCP/IP Upgrading to Windows 2000 from Windows NT 4.0 The Windows NT Domain Models Single Domain Single Master Domain Multiple Master Domains Complete Trust

40 40 41 41 42 42 42 42 42 42 43 43 43 44 44 44 44 45 46 47 48

51 52 52 53 53 54 55 56 56 59 60 61 62 63 66 68 68 69 69 71 72

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xi

Windows 2000 Configuration Wizards • Contents

Which Model Is Easiest to Upgrade? Other Pre-Upgrade Issues Windows 32-Bit Applications DOS Applications Windows 16-Bit Applications OS/2 and POSIX Application Support in Windows 2000 Application Support Summary Common Upgrade Problems Migrating to Windows 2000 from Novell NetWare Understanding the NetWare Implementation of TCP/IP Premigration Issues Using the Directory Services Migration Tool Common Migration Problems Migrating to Windows 2000 from UNIX Understanding the UNIX Implementation of TCP/IP Summoning the Daemons UNIX TCP/IP Utilities Peaceful Coexistence: The Hybrid Network Environment NetWare Interoperability Client Services for NetWare (CSNW) Gateway Services for NetWare (GSNW) NetWare Protocol Support File and Print Services for NetWare Troubleshooter UNIX Interoperability Interoperability with IBM Mainframe Networks Summary FAQs

Chapter 3: General Windows 2000 TCP/IP Troubleshooting Guidelines Introduction The Ten Commandments of Troubleshooting 1: Know Thy Network 2: Use the Tools of the Trade 3: Take It One Change at a Time 4: Isolate the Problem 5: Recreate the Problem 6: Don’t Overlook the Obvious 7: Try the Easy Way First 8: Document What You Do 9: Practice the Art of Patience 10: Seek Help from Others Windows 2000 Troubleshooting Resources Microsoft Documentation

73 75 75 75 76 76 77 78 78 79 80 80 82 82 83 83 83 84 84 85 85 85 85 86 86 86 87 88

91 92 92 92 93 93 94 95 95 96 96 97 98 99 99

xi

91_TCPIP_TOC.qx

xii

2/25/00

6:21 PM

Page xii

Troubleshooting Windows 2000 TCP/IP • Contents

Help Files Resource Kits White Papers TechNet Newsgroups Third-Party Documentation Internet Mailing Lists Usenet Newsgroups Web Resources General Troubleshooting Models Differential Diagnosis Model Examination Diagnosis Treatment Follow-Up SARA Model Scanning Analysis Response Assessment Putting the Models to Work for You The Information-Gathering Phase Questions to Ask Question Format Log Files Application Log System Log Security Log Tools of the Trade The Problem Isolation Phase Organizing and Analyzing the Information Setting Priorities Prioritizing the Problems Prioritizing the Solutions Taking Corrective Measures One Change at a Time Order of Implementation Monitoring Results Using Forms and Check lists Summary FAQs

Chapter 4: Windows 2000 TCP/IP Internals Introduction RFC Compliance Enhancements to the TCP/IP Stack in Windows 2000 RFC 1323: TCP Extensions for High Performance

100 101 102 103 104 105 105 106 106 107 108 108 109 109 109 110 110 111 111 112 112 112 112 113 117 117 117 120 122 122 123 125 126 126 127 127 127 127 128 131 133

135 136 136 138 140

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xiii

Windows 2000 Configuration Wizards • Contents

Scalable TCP Window Size TCP Timestamps RFC 2018: SACK (Selective Acknowledgment) RFC 1577: IP over ATM RFC 2001: TCP Fast Retransmit RFCs 2211 and 2212: Quality of Service RFC 2205: Resource Reservation Protocol IPSec Purpose and Uses of IPSec IP Security Options IPSec Configuration IPSec Troubleshooting NDIS 5.0 Inside the Windows 2000 Internet Protocol (IP) Classless Inter-Domain Routing Multihoming Problems Related to Multihoming IP Multicasting Multicast Address Range Troubleshooting IP Multicasting Duplicate IP Address Detection Inside the Windows 2000 Transport Protocols (TCP and UDP) Transmission Control Protocol Dead Gateway Detection Delayed Acknowledgments TCP Keep-Alives Avoiding the Silly Window Syndrome User Datagram Protocol Understanding TCP/IP Registry Settings Using the Registry Editing Tools Configuring TCP/IP Behavior through the Registry Creating a New Value Editing Common TCP/IP Registry Values Registry Settings that Should Not Be Edited Summary FAQs

Chapter 5: Using Network Monitoring and Troubleshooting Tools in Windows 2000 Introduction Windows 2000 Monitoring Tools Basic Monitoring Guidelines Baselining Documentation Backing Up Analysis

140 150 152 153 155 156 157 158 158 159 160 161 164 165 166 167 168 169 170 171 171 172 172 173 173 174 174 175 175 176 178 179 180 181 182 185

187 188 188 188 188 189 189 189

xiii

91_TCPIP_TOC.qx

xiv

2/25/00

6:21 PM

Page xiv

Troubleshooting Windows 2000 TCP/IP • Contents

Performance Logs and Alerts Counters Log File Format Alerts Network Monitor Filtering Security Issues Installation Using the Program Capture Window Panes Extra Tools Buffers Collecting Data Filtered Captures Event Viewer Using TCP/IP Utilities PING -t Switch -n Switch -r Switch -i Switch -w Switch Using PING nslookup PATHPING tracert ARP Using ARP Static ARP Cache Entries ipconfig netstat and nbtstat netdiag Using netdiag SNMP What SNMP Does Installing the Agent Using IPSec Encryption Network Management Programs Microsoft Systems Management Server NTManage Summary FAQs

Chapter 6: Troubleshooting Windows 2000 NetBIOS Name Resolution Problems Introduction to Name Resolution Services NetBIOS Name Resolution

190 192 196 196 198 199 199 199 199 200 200 202 204 207 216 219 219 220 220 220 221 221 221 223 223 225 227 227 227 228 233 238 239 242 242 244 250 250 250 251 251 252

257 258 258

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xv

Troubleshooting Windows 2000 TCP/IP • Contents

Windows 2000 Methods of NetBIOS Name Resolution NetBIOS Name Cache NetBIOS Name Server Broadcast LMHOSTS HOSTS DNS Server The Order of NetBIOS Resolution B-Node P-Node M-Node H-Node The Windows 2000 Windows Internet Name Service (WINS) NetBIOS Name Registration NetBIOS Name Query Request NetBIOS Name Release Multihomed Computers and WINS WINS Proxy Agents WINS Configuration Issues Static Mappings WINS Replication Partnership Agreements WINS Partner Autodiscovery WINS Network Topologies Spoke and Hub topology Push and Pull Partnerships Backing Up the WINS Database Scavenging the Database Interactions with DNS Servers Pointing WINS Servers to Themselves The Browser Service, WINS and Multihomed Masters Windows 2000 WINS Enhancements Persistent Connections Manual Tombstoning Is WINS Ever Going to Go Away? Troubleshooting Common NetBIOS Communication Problems Summary Don’t Multihome Your WINS Server Use a WINS Proxy Agent on Segments with non-WINS Clients Avoid Static Records in the WINS Database Define Replication Partners Based on Link Factors Avoid Split Registration Use the Hub and Spoke Model in Multisite Environments Configure DNS Servers to Resolve NetBIOS Names Don’t Multihome Master Browsers Use Manual Tombstoning Instead of Deleting Records Consider the Ramifications before Disabling NetBT FAQs

261 261 262 263 263 265 266 266 266 267 267 268 271 271 273 274 274 275 276 276 277 278 281 282 283 283 288 290 290 296 299 302 302 302 305 306 309 309 310 310 310 311 311 311 311 312 312 313

xv

91_TCPIP_TOC.qx

xvi

2/25/00

6:21 PM

Page xvi

Troubleshooting Windows 2000 TCP/IP • Contents

Chapter 7: Troubleshooting Windows 2000 DNS Problems Introduction The Difference between NetBIOS Names and Host Names Flat versus Hierarchical Namespace NetBIOS on a TCP/IP Network Characteristics of Host Names The Need for a Name Resolution Service Domains: The “Family Name” The Domain Name System A Hierarchical Naming System Domain Levels Fully Qualified Domain Names Host Name Resolution Name Resolution Sequence The Caching Resolver Using the HOSTS File for Name Resolution Sending the DNS Query to a DNS Server The Recursion Process UNC Paths and DNS Queries Connecting over the Internet via UNC Qualified versus Unqualified Names Appending DNS Suffixes Host Name Resolution via WINS Lookups Multiple DNS Zones and WINs Naming Conventions and Issues Windows 2000 Support for RFC 2181 The Controversial Underscore Character Integrity Check Extended Character Set and Zone Transfers Lowercase Only Domain Naming Schemes and Implementation Problems Same Intranet and Internet Domain Name Solution: Separate DNS Zone Databases Different Intranet and Internet Domain Names Advantages of Using Different Internal and External Domain Names Proxy Configuration Corporate Mergers and Domain Management The Problem: Corporate Merger Proposed Solution Testing the Solution DNS Zone Design and Troubleshooting Standard Zones Zone Transfer Refresh Interval

317 318 319 319 320 321 321 321 322 322 323 324 329 329 329 331 332 333 335 335 336 338 338 338 339 339 340 340 342 342 342 343 343 345 345 345 345 346 347 348 350 352 358 360

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xvii

Troubleshooting Windows 2000 TCP/IP • Contents xvii

DNS Notify Request for Information Query Fast Transfer Reverse Lookup Zones The in-addr.arpa Domain Pointer Records Active Directory Integrated Zones Common Problems with Integrated DNS Zones Advantages of Active Directory Integration Zone Delegations Troubleshooting Delegation Problems Special Troubleshooting Issues with Windows 2000 DDNS Servers DNS Security and Internet Intruders Tracking Down the Problem The Solution: Forwarders and Slaves Solving WINS Client Ambiguity with WINS Lookup Zones Setting Up a Dedicated Zone for WINS Referrals Interoperability Problems WINS and WINS-R Incompatibility with BIND Servers DHCP and Resource Record Updates Troubleshooting Tools for Windows 2000 DDNS Servers nslookup ipconfig Event Viewer Network Monitor DNS Trace Logs Performance Summary FAQs

Chapter 8: Troubleshooting Windows 2000 IP Addressing Problems Introduction How IP Addressing Works Logical IP Addresses versus Physical MAC Addresses What an IP Address Represents Subnet Masking Determining Address Class How Network IDs Are Assigned How Host IDs Are Assigned within the Network Private versus Public Addresses How IP Addresses Are Used in Network Communications A Map for the Mail Carrier Getting from the Logical to the Physical Putting It All Together IP Communications on a Nonrouted Network (within the Subnet) IP Communications on a Routed Network (to a Remote Subnet)

361 362 362 363 364 364 366 366 367 369 370 371 371 372 372 373 374 376 377 379 380 380 382 382 383 386 387 390 394

397 398 399 399 400 403 405 408 408 413 414 415 415 417 417 418

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xviii

xviii Troubleshooting Windows 2000 TCP/IP • Contents

Overview: IP Addressing Configuration Errors Duplicate IP Addresses Locating the Other Computer that Is Using the Address Address Conflicts with Computers Using DHCP Invalid IP Addresses DHCP Configuration Problems How DHCP Works: Condensed Version Common DHCP Problems Server Configuration Problems Client Configuration Problems Other Common DHCP Problems Automatic Addressing (APIPA) How to Disable APIPA Hardware Address Problems Duplicate MAC Addresses Troubleshooting Subnetting Problems Why Divide the Network? Subnetting Scenario 1 Subnetting Scenario 2 Subnets Subnet Masks ANDing Tricking IP Making the Mask Subnet Masking for a Class A Network Subnet Masking for a Class B Network Subnet Masking for a Class C Network Errors in Subnet Masking Summary FAQs

Chapter 9: Troubleshooting Remote Access in a Windows 2000 TCP/IP Network Introduction Overview of Windows 2000 Remote Access Services Types of Remote Access Distinguishing between Remote Access and Remote Control Establishing a Remote Access Connection Software Needed for a Remote Access Connection The WAN Link The Remote Access Protocols Serial Line Internet Protocol The Point-to-Point Protocol Preventing Problems Related to the WAN Protocol Understanding Encapsulation Tools for Troubleshooting PPP Connections Using Network Monitor for PPP Analysis

420 420 421 422 422 423 423 425 426 443 444 446 447 448 448 448 449 450 450 450 451 451 452 452 452 455 457 459 460 463

465 466 467 467 468 470 470 471 482 484 484 486 486 487 487

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xix

Troubleshooting Windows 2000 TCP/IP • Contents

Enabling PPP Event Logging Enabling PPP Tracing Troubleshooting Remote Access Configuration Problems Remote Access Server Problems Inability to Establish a Remote Access Connection with the Server Inability to Aggregate the Bandwidth of Multiple Telephone Lines Inability to Access the Entire Network Client Configuration Problems Inability to Establish a Remote Connection Troubleshooting Remote Access Policy Problems Determining Which Multiple Policy Is Causing the Problem Troubleshooting NAT and ICS Configuration Problems The Difference between ICS and NAT Common NAT Configuration Problems Incorrect Public Address Range Incompatible Application Programs Other NAT Problems Troubleshooting VPN Connectivity Problems The Tunneling Protocols PPTP: Point-to-Point Tunneling Protocol L2TP: Layer 2 Tunneling Protocol Troubleshooting VPN Connections Inability to Connect to the Remote Access Server Summary FAQs

Chapter 10: Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level Introduction Problems with Network Interface Card Configuration The Role of the NIC Types of NICs Driver Issues Updating Drivers Problems with Cable and Other Network Media Network Cable Specifications Cable Length Issues The Role of Network Connectivity Devices Understanding Layer 1 and 2 Connectivity Devices How and Why Repeaters and Hubs Are Used How and Why Switches Are Used How and Why Bridges Are Used Understanding Upper-Layer Connectivity Devices

487 487 489 489 489 492 494 494 494 496 497 498 498 498 500 500 501 502 502 502 502 502 503 503 505

509 510 510 511 511 512 512 514 514 515 516 517 517 521 523 526

xix

91_TCPIP_TOC.qx

xx

2/25/00

6:21 PM

Page xx

Troubleshooting Windows 2000 TCP/IP • Contents

How Routers Work How and Why Routers Are Used How and Why Brouters Are Used How and Why Layer 3 Switches Are Used How and Why Gateways Are Used Troubleshooting Layer 1 and 2 Connectivity Devices Problems with Repeaters and Hubs The 5-4-3 Rule Passive, Active, and Intelligent Hubs Problems with Passive Hubs Problems with Active Hubs Problems with “Intelligent” Hubs Problems with Bridges Performance Problems Bridge Latency Bridge Looping Network Monitoring Problems Selecting a Connectivity Device Summary FAQs

Chapter 11: Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level Introduction A Routing Example IP Routing Overview Routing Fundamentals Direct Routing Indirect Routing The Default Gateway Routing Interfaces Routing Tables Viewing the Routing Table Understanding the Routing Table Simple Routing Scenario The Windows 2000 Router Routing Protocols How Static Routing Works Characteristics of Static Routing The Dynamic Routing Protocols RIP for IP OSPF Windows 2000 as an IP Router Installing Routing Protocols Windows 2000 Router Management Tools Remote Router Administration Using ICMP Router Discovery

526 528 529 530 530 531 531 531 532 532 532 532 532 533 533 533 536 537 538 539

541 542 543 544 545 545 546 547 549 550 550 552 553 553 555 555 557 558 558 563 570 571 572 572 574

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxi

Troubleshooting Windows 2000 TCP/IP • Contents

Using the Netshell Utility (NETSH) Router Configuration Preconfiguration Check List Configuring Windows 2000 Static IP Routing Troubleshooting Static Routing Configuration Configuring RIP for IP Troubleshooting RIP Configuration Configuring OSPF OSPF Password Protection Windows 2000 Router Logging Using Event Logging Using the Tracing Function Troubleshooting Common Windows 2000 Routing Problems Troubleshooting Static Routing Using PING and TRACERT Using the ROUTE Command Static Routing and Routing Loops Troubleshooting RIP for IP Viewing RIP Neighbors Viewing the Routing Table Summary: Common RIP Problems Troubleshooting OSPF Resetting the Windows 2000 Router Summary FAQs

Chapter 12: Troubleshooting Selected Services on a Windows 2000 TCP/IP Network Introduction Troubleshooting IIS Problems Log Files Enabling Site Logging Log File Formats Logging Problems Troubleshooting Web Server Problems Performance Problems Problems with Site Name Resolution Inaccessible Virtual Directories Problems with Hosting Multiple Sites on a Windows 2000 Server Some Clients Unable to Access Site Changing IIS Properties Troubleshooting FTP Server Problems End-User Problems New Connections Not Being Accepted Users Prompted for Username and Password Connection Limit Exceeded Troubleshooting NNTP Server Problems

574 576 576 577 578 578 580 581 583 583 583 584 586 586 586 586 586 588 588 589 589 590 591 591 595

599 600 600 602 602 604 608 609 609 611 612 613 614 616 617 617 617 619 620 621

xxi

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxii

xxii Troubleshooting Windows 2000 TCP/IP • Contents

Using Event Viewer for NNTP Troubleshooting Common NNTP Problems Summary FAQs

Chapter 13: Windows 2000 TCP/IP Fast Track Introduction TCP/IP: What It Is (and Isn’t) TCP/IP History and Future in a Nutshell Where TCP/IP Fits into the Networking Models The Members of the Suite Network Design and Planning Issues Design and Setup of a Windows 2000 Network Special Considerations for Windows 2000 Networks Active Directory Sites Active Directory Namespace IP Addressing Scheme Network Design Check List Installing and Configuring the TCP/IP Protocol Special Considerations when Upgrading from NT 4.0 Upgrading the Single Domain Model Upgrading the Single Master Domain Model Upgrading the Multiple Master Domain Model Upgrading the Complete Trust Model Upgrade Tools Special Considerations when Migrating from NetWare Migration Problems Special Considerations when Migrating from UNIX Hybrid Networks General Troubleshooting Guidelines Troubleshooting Resources Troubleshooting Models Differential Diagnosis Model SARA Model Information-Gathering Tips Questions to Ask Log Files Organizing Information Forms and Check Lists Inside TCP/IP Windows 2000 Enhancements Inside IP CIDR Support Multihoming IP Multicasting Duplicate Address Detection Inside TCP and UDP

621 622 626 628

631 632 632 632 633 634 635 635 636 636 636 636 637 637 637 637 637 638 638 638 639 639 639 639 640 640 641 641 641 641 641 642 642 642 643 643 643 643 643 644 644 644

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxiii

Troubleshooting Windows 2000 TCP/IP • Contents xxiii

TCP UDP TCP/IP Registry Settings Network Monitoring Tools Monitoring Guidelines Baselining Documentation Performance Logs and Alerts Network Monitor Capture Filters Display Filters Event Viewer TCP/IP Utilities Name Resolution Problems WINS and NetBIOS Name Resolution DNS and Host Name Resolution Resolving Host Names to IP Addresses Planning the DNS Namespace Zones Tools IP Addressing Issues The IP Address How IP Addresses Are Assigned ARP Common IP Addressing Errors DHCP Subnetting Problems Remote Access Connectivity Remote Access versus Remote Control Remote Access Links Remote Access Protocols RRAS Configuration Problems Server Configuration Client Configuration Multilink Network Access Remote Access Policy NAT and ICS NAT Configuration Virtual Private Networking (VPN) The Network Interface Level Connectivity Devices Repeaters Hubs Switches Bridges The 5-4-3 Rule The 80/20 Rule

644 644 645 645 645 645 645 645 646 646 646 647 647 647 648 649 649 649 650 650 650 650 651 651 652 652 653 653 653 654 654 654 654 655 655 655 655 655 656 656 657 657 657 657 657 657 658 658

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxiv

xxiv Troubleshooting Windows 2000 TCP/IP • Contents

Looping The Internetwork Level Routing Tables Features of the Windows 2000 Router Routing Protocols RIP Features OSPF Features Windows 2000 Router Logging Selected Services Site Logging Web Server FTP Server NNTP Server Summary

Appendix A: TCP/IP Troubleshooting Secrets Lesser-Known Shortcuts Finding the Consoles Control the Index Server Windows 2000 Telnet Client and Server Telnet Server Under-Documented Features and Functions The FTP Command Set The nslookup Utility Using ipconfig Switches For Experts Only The Future of IP Communications IP Telephony TAPI 3.0 and H.323 Telephony and Active Directory Planning the Transition to IPv6 How Is IPv6 Different? The Scary Part How to Prepare for the Transition Securing IP: IPSec End-to-End Security IPSec Functions Security Troubleshooting Tunnel Mode IPSec and NAT

Index

658 658 659 659 659 660 660 661 661 662 662 662 663 663

665 666 666 666 667 668 670 670 671 672 674 674 674 675 675 676 676 676 677 677 677 678 678 678 679

681

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxv

Preface and Acknowledgements There are few people today who "don’t do Windows." The Microsoft operating systems – Windows 3.x, Windows 95, Windows 98, Windows NT – have populated the desktops of millions. And over the last several years, Windows NT 4.0 has gained a large and increasing portion of the server market with almost 40 million installations throughout the world. At the same time, the popularity of networking in general and Internet connectivity in particular has increased exponentially. Now, with the release of Windows 2000, networking and internetworking have come into their own. And the default local area network (LAN) protocol for Windows 2000 is TCP/IP, which not coincidentally, is the protocol stack on which the global Internet is built. Many books have been written about TCP/IP, and there will be many written about Windows 2000. We have worked with both for a long time and find them to be a very stable combination. TCP/IP was originally designed with reliability as a first priority, and the Windows 2000 operating system is, by far, the most reliable and robust Microsoft operating system ever released. Even so, the sheer complexity of both means problems will occur from time to time. This book was written for those times. We have not attempted to make this book an all-encompassing guide to Windows 2000 or the TCP/IP protocol suite. What we have attempted to do is provide a foundation of useful information for network administrators and others responsible for setting up and maintaining a Windows 2000 TCP/IP network. That means this book is for you. Virtually all networks will run TCP/IP as their primary transport protocol due to the need to connect to the Internet. We have included some background on how TCP/IP communications work, as well as the specifics of Microsoft’s implementation of the protocols in Windows 2000, but our focus is on what can go wrong, and how to fix it when it does. This book is not a regurgitation of the Microsoft documentation and Internet Requests For Comments (RFCs), although we refer to those resources on occasion. Much of the information is based on our own experiences in working with TCP/IP in Windows 2000, both in the classroom/lab and in the field. We have also drawn on the experiences of fellow consultants and instructors who, like us, have been working with Windows 2000 since the early beta versions. Microsoft has provided a tremendous amount of documentation: comprehensive articles in TechNet, Help Files that (unlike in earlier versions) actually help, and numerous white papers and Knowledge Base entries. Even so, there are a number of “little things,” tips and tricks and required ways of doing things that aren’t fully and/or clearly documented. We have included a liberal sprinkling of notes, tips and warnings throughout the text to advise you of those little stumbling blocks and to document the xxv

91_TCPIP_TOC.qx

2/25/00

6:21 PM

Page xxvi

xxvi Troubleshooting Windows 2000 TCP/IP • Preface

"Eureka!" moments we experienced in learning to work with—and love—the new operating system. Another thing this book is not is a study guide. Although we both teach Microsoft certification classes and have written other books aimed specifically at those seeking their MCP or MCSE, the primary audience for this book is the administrator running Windows 2000 who needs help with TCP/IP-related problems now, not in theory, but in fact. On the other hand, in order to make the material relevant to new administrators as well as those with many years of experience, we have provided a fair amount of explanatory information, analogies, and anecdotes that might be helpful in some aspects of studying for the Windows 2000 exams. Troubleshooting Windows 2000 TCP/IP was not just another tech writing project for us. It started out as a challenge and an opportunity. The challenge was to adequately cover a very complex and technical topic that has been addressed by many before us, some of whom have been recognized experts in the field for decades. The opportunity was to take material that is complex and technical, and present it in a way that is understandable, useful, and maybe even at times enjoyable to read. That became our goal, the one that turned this project into a true labor of love. This book would not have been possible without the help and support of a large number of people, and we would like to recognize them here. First, we both want to thank everyone at Syngress, especially Matt Pedersen, who believed in our ability and gave us this chance, and Julie Smalley, who suffered with us each step of the way. Deb particularly wants to thank Neal Wilson at Eastfield College, who encouraged her to expand her horizons and leave the nest when the time came; her children, Kris and Kristen, who always made it easier to accomplish great things in other areas of life because she could count on her great kids to be there; her mom, Sue Harris; and, posthumously, her dad, Tommie Harris, who she misses every day. Tom especially wants to thank his own mom, Eleanora Shinder, and his brothers Rich and Dee, along with fellow Microsoft professionals Jim Truscott and Doyal Alexander, whose experiences contributed to this book. Both of us want to extend a special thank you to Thomas Lee, our tech writing role model, and to Brian Miller, who made our first time fun instead of painful. Most of all, we want to thank each other. The writing and tech editing of this book was a partnership effort, like our marriage. We argued some of the fine points, nit-picked one another’s wording, questioned each other’s facts and conclusions, and in so doing, made this a better book. We worked together, struggled together to meet the deadlines, shared the frustrations and the profound gratification, and now celebrate together the birth of this "baby." We look forward to doing it again. Debra Littlejohn Shinder Dr. Thomas W. Shinder

91_tcpip_01.qx

2/25/00

12:26 PM

Page 1

Chapter 1

TCP/IP Overview

Solutions in this chapter: ■

History of TCP/IP (ARPAnet); The Future of TCP/IP (IPv6)

■

The TCP/IP Protocol Suite

■

The OSI, DoD, and Windows Networking Models

■

Basic Network Design Issues

1

91_tcpip_01.qx

2

2/25/00

12:26 PM

Page 2

Chapter 1 • TCP/IP Overview

Introduction The Transmission Control Protocol/Internet Protocol (also referred to as the TCP/IP protocol stack, or just plain TCP/IP) is a familiar—if poorly understood—networking component to most modern network administrators and Information Technology (IT) professionals. If you work in any but the smallest networked environment, chances are you’ve encountered TCP/IP. However, it wasn’t always that way. Just a few short years ago, TCP/IP was regarded as a somewhat sluggish, difficult-to-configure protocol used primarily by university or government networks participating in an exotic wide area networking project called ARPAnet. It was considered too slow and complex to be an appropriate choice for most private organizations’ local area networks (LANs). Microsoft and IBM workgroups ran fine on NetBEUI, a fast and simple transport protocol that could be set up easily and quickly by someone without a great deal of expertise. Novell NetWare LANs used the IPX/SPX stack, which was routable and thus could be used with larger serverbased networks. Few business networks had any need for a powerful but high-overhead set of protocols like TCP/IP. Then something happened: the Internet.

NOTE Administrators and users may also be familiar with the higher-level protocols used on the Internet, such as File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Telnet. These, along with other protocols, are often packaged with TCP/IP as part of the “suite.”

TCP/IP’s “Net” Worth The obscure worldwide network of networks had formerly been used by only a handful of elite groups until it was discovered by the corporate world—and then by individual computer users. An online population explosion erupted. Everyone rushed to get connected to the global Net, and TCP/IP, on which it was based, catapulted to the top of the protocol popularity polls. There have been occasional attempts to usurp its position at the top. The Open Systems Interconnection protocol suite, based on the famous (or infamous) seven-layer OSI networking model, was conceived with the idea of unseating the incumbent and replacing TCP/IP as a universal standard for internetworking communications. In fact, in the late 1980s

91_tcpip_01.qx

2/25/00

12:26 PM

Page 3

TCP/IP Overview• Chapter 1

the U.S. government, which had played an important part in creating and developing TCP/IP, made plans to phase it out in favor of the OSI suite. It didn’t quite work out that way. TCP/IP turned out to be the protocol stack that refused to go quietly into that good night.

NOTE Request for Comments (RFC) 1180, available on the Web, provides an authoritative tutorial on the TCP/IP protocol suite.

In fact, TCP/IP has flourished. It is available as a standard protocol included with all Windows operating systems and is installed by default in Windows 2000.

NOTE Although TCP/IP is a “universal” protocol stack, which allows communication between machines running different operating systems or even running on different platforms, be aware that different vendors’ implementations of the protocols may differ slightly. This book focuses on Microsoft’s implementation of TCP/IP in Windows 2000, although we also discuss interoperability with NetWare and UNIX networks.

UNIX machines, the original cornerstones of Internet communication, have been running on TCP/IP since the early days of its development, and TCP/IP support is a part of every popular Linux distribution. Apple Macintosh computers and IBM’s AS/400 machines use TCP/IP. Even NetWare, long a holdout for its Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) stack, has finally come over to the TCP/IP camp; NetWare 5 is the first version designed to run on “pure” IP. On the other hand, as you scroll through the list of protocols that can be installed from the Windows 2000, NT, or 9x CD-ROM, you won’t see “OSI protocol suite” among them. The OSI model is an accepted standard for networking implementation, and the OSI suite mapped to the model more elegantly than other protocol sets already in use, However, TCP/IP was too firmly engrained to be easily dethroned as king of the internetworking world. It was as if someone announced that he had discovered a replacement for dirt and suggested that we uproot all the trees and plants and then “reinstall” them in the new, superior substance. Restructuring the huge,

3

91_tcpip_01.qx

4

2/25/00

12:26 PM

Page 4

Chapter 1 • TCP/IP Overview

sprawling global Internet to plant it in a different protocol environment— regardless of any advantages that new environment might offer—is just too overwhelming an undertaking. TCP/IP may have to adapt as computer communications continue to evolve (the expected transition to IPv6 is one example), but it is likely to be around for some time to come.

More Power, More Flexibility—and More Potential for Problems TCP/IP had to be good to survive the challenges and attain the position it occupies today in computer networking, but that doesn’t mean its implementation is always free of problems. On the contrary, the complexity that makes it so flexible and capable of connecting large, diverse networks also makes it prone to configuration errors and difficult to troubleshoot. Luckily for network administrators, necessity being the mother of invention resulted in the development of many tools and utilities for troubleshooting TCP/IP connectivity problems. Many of these are free, and several are included as part of Windows 2000’s implementation of the TCP/IP protocol suite. Administrators of TCP/IP networks will also find the documentation of the TCP/IP protocol far more extensive than that for any other network/transport protocol. Because it is used on such a widespread basis, books, articles, courses, and Web resources for troubleshooting IP connectivity problems are plentiful.

What’s Ahead in This Chapter In this chapter, we will look at both the history and the future of the TCP/IP suite, to better help us understand what it is and how it works today. We’ll examine in some depth the more generic OSI networking model and TCP/IP’s own model, often referred to as the Department of Defense (DoD) model. We will break down the components of the so-called “suite” of protocols that have taken up residence with the original TCP and IP stack. We’ll also examine how common connectivity devices, such as repeaters, bridges, routers, and switches, are used to expand or segment TCP/IP networks. Finally, we’ll discuss some general guidelines for planning, testing, and implementing a big change such as the setup or migration of a Windows 2000 TCP/IP network. Just as a physician is better able to treat a sick patient if he knows the person’s background, characteristics, and how the patient normally behaves when not ill, network administrators confronted with “sick” dysfunctioning networks will be at a big advantage if they know the network’s “anatomy” or components well. The protocol on

91_tcpip_01.qx

2/25/00

12:26 PM

Page 5

TCP/IP Overview• Chapter 1

which the network depends for communication is one of its most important “body parts.” The objective of this chapter is to give you a detailed patient history and a quick review of TCP/IP physiology that will allow you to recognize symptoms, diagnose its illnesses, and select the most effective treatment. We know that a healthy network makes for a happy network administrator.

TCP/IP: Where It Came From, and Where It’s Going Acronyms abound in the computer industry, and network administrators may think of TCP/IP as just another collection of mysterious letters used to refer to some obscure concept whose name they’ve long forgotten. If pressed, most could tell you that it’s a protocol—and some even know that a protocol is a set of standardized rules for communicating. Maybe one or two could even tell you that the word comes from the Greek word protocollon, which referred to a leaf of paper glued to a manuscript volume that described the volume’s contents. But any basic networking text lists dozens or even hundreds of protocols: hardware protocols, routing protocols, remote access protocols, printing protocols, LAN and WAN protocols, encapsulation protocols. Why should we get all excited about TCP/IP? What makes it so special? For the answer to that question, let’s consider the origins of the TCP/IP protocol suite, and what it’s used for today.

History of the TCP/IP Protocols “The subject of history is the gradual realization of all that is practically necessary.” (Friedrich Schlegel, 1772–1829, German philosopher). Practical necessity is the driving force behind most important inventions and developments, and the need for a reliable set of communications protocols suitable for connecting large networks led to the creation of the TCP/IP stack. In the 1960s, computer networking was in its infancy. The benefits of connecting computers together so they could share resources were only beginning to become apparent. The equipment was expensive, and products from different manufacturers were, for the most part, incompatible. Few business entities had the money or inclination to bother with creating local networks, much less attempt to get their computers to “talk” to distant systems.

5

91_tcpip_01.qx

6

2/25/00

12:26 PM

Page 6

Chapter 1 • TCP/IP Overview

The Role of the U.S. Department of Defense The U.S. Department of Defense recognized the value of establishing electronic communications links between major military installations. (Grim as it may seem, a primary motivation was the desire to maintain communication capabilities in the event of the mass destruction that would come with nuclear war.) Major universities were also involved in networking projects. The DoD funded research sites throughout the United States, and in 1968, the Advanced Research Projects Agency (ARPA) contracted with a company called BNN to build a network based on packet-switching technology.

For IT Professionals

Tech Talk

Many people easily confuse the terms packet switching and circuit switching. Even experienced network administrators, if they haven’t had much exposure to the conceptual and hardware sides of WAN technology, find them a little mysterious. They sound like the same thing, but they’re not. Circuit switching technology is something we use all the time, whether we’re aware of it or not. The public telephone system (which is formally called PSTN, or Public Switched Telephone Network) is the more familiar example of switched-circuit communication. An end-toend communication link is established when you place a telephone call, and that same physical path from one end (your telephone) to the other (Aunt Mary’s telephone in Boise, Idaho, for example) is maintained for the duration of that call. The path is reserved until you break the connection by hanging up. If you call Aunt Mary again next week, the pathway (also called the “circuit”) used may be completely different. That’s where the “switching” comes in, and that explains why sometimes when you talk to Aunt Mary, the connection is clear, while other times there’s so much noise and static on the line that you have to ask her to repeat herself when she tells you whose quilt won first prize at this year’s county fair. Packet switching is different in that there is no dedicated pathway or circuit established. It is known as a “connectionless” technology for that reason. If you send data from your computer to your company’s national headquarters in New York over a packet-switched Continued

91_tcpip_01.qx

2/25/00

12:26 PM

Page 7

TCP/IP Overview• Chapter 1

network, each individual packet, or chunk of data, can take a different physical route to get there. Most traffic sent across the Internet uses packet switching. A type of digital packet switching network called X.25 can also support virtual circuits, in which a logical connection is established for two parties on a dedicated basis for a certain duration (a Permanent Virtual Circuit, or PVC, is an ongoing, dedicated logical connection, but the physical circuit can be shared by more than one logical connection).

In1969 the ARPAnet was born when its first node, or connection point, was installed at the University of California at Los Angeles. Within three years, the network had spread across the United States, and two years after that, to the European continent. Remember that ARPAnet’s original purpose was to provide a network capable of surviving a devastating war. This meant redundancy and reliability took precedence over other considerations (like data transmission speed). Consequently, the first links were slow by today’s standards (56k leased lines).

NOTE An excellent detailed history of the creation of ARPAnet and its evolution into today’s Internet is available at the Web site of the international organization called the Internet Society (ISOC) at www.isoc.org/internet/ history/brief.html.

It was important that the networking protocols be reliable and scalable to accommodate multiple redundant sites and anticipated growth (although no one at that time expected the rate of growth that was to come). Perhaps following the timeworn advice that “if you want it done right, you have to do it yourself,” the developers of the ARPAnet designed a new group of protocols that fit the bill. Their first attempt was the Network Control Protocol, but it proved to be unsuitable as traffic increased. By the mid-1970s, necessity had mothered invention again, and the TCP/IP protocol suite was implemented.

From ARPAnet to the Internet The “network” continued to grow in population and popularity. It eventually split into two parts, with the military calling its part of the

7

91_tcpip_01.qx

8

2/25/00

12:26 PM

Page 8

Chapter 1 • TCP/IP Overview

internetwork Milnet, with ARPAnet still being used to describe the network that connected research and university sites. In the 1980s, ARPAnet was replaced by the Defense Data Network (a separate military network) and NSFNet, a network of scientific and academic sites funded by the National Science Foundation. In the 1990s, the global network (now called the Internet) went commercial in a big way. Corporations realized the advertising and marketing potential of a medium that spanned the whole world. Smaller businesses began to see the light—and the dollar signs—as well. Individuals wanted access to the vast amount of information (and entertainment) available on the World Wide Web. Internet Service Providers (ISPs) sprang up like weeds to satisfy the demand for connectivity.

NOTE Estimates vary, but according to the Internet Software Consortium, by July 1999 there were over 50 million host computers connected to the Internet.

As the year 2000 begins, the impact of the Internet on the computer industry and on lifestyles in general is being felt across the planet. We have, to a large extent, networked the world. The Internet, still running on the TCP/IP protocol suite, has made it possible to do things that could not have been imagined by the average person just a decade ago. School children have the equivalent of large libraries at their fingertips; business executives stay on top of what’s going on at the office from thousands of miles away; telecommuters do a full day’s work without ever leaving home. We can play the stock market via computer, do our banking online, or chat casually with close friends we’ve never met in places we might have never known existed except for the Net. Few of those whose lives have been changed by the rapid development of computer networking technology realize that they owe it all (well, at least a lot of it) to TCP/IP.

Another Contender for the Title: The OSI Protocol Suite The OSI protocol suite was intended to be TCP/IP’s replacement. In fact, a few years ago, it was an accepted “fact” in many parts of the computer industry that the future of networking would be built on the OSI suite. It seemed like a good idea at the time. The OSI suite consisted of a set of protocols that would map directly to the popular OSI networking model, and which would—at least in theory—make for less confusion and easier standardization of networking products among multiple vendors. The TCP/IP stack had been designed on the less finely tuned DoD networking model.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 9

TCP/IP Overview• Chapter 1

The OSI protocol suite was developed under the umbrella of a body called the ISO—making for an interesting conglomeration of initials. As if it weren’t already confusing enough, the full official name of the ISO is the International Organization for Standardization, which would seem to call for an acronym of IOS (which would be further confused with Cisco’s Internetworking Operating System, or IOS, used to command its fleet of routers). The organization is quick to point out that its short name— ISO—is not an acronym but a word, derived from the Greek isos, meaning “equal.” The ISO is, according to its own accounts, a worldwide federation of national standards bodies from 130 countries whose stated mission is the promotion of the development of standardization and related activities throughout the world. The ISO’s role in establishing standards is not confined to the computer industry. For years, photographers have been familiar with the ISO film speed codes used by manufacturers of photographic film. The ISO, headquartered in Geneva, Switzerland, has been instrumental in developing standards for the format of telephone and banking cards, so that the cards can be used in different countries throughout the world. The international country and currency codes are another example of an ISO standard.

NOTE For more information about the organizational structure and mission of the International Organization for Standardization (ISO), visit its Web site at www.iso.ch/.

The idea of a carefully planned and implemented new set of protocols for connecting to the global Internet that could be standardized throughout the world was an attractive proposition. A great deal of work went into development of the OSI protocol suite, hailed as the heir to the Internet protocol crown. But it turned out that the reports of TCP/IP’s death had been greatly exaggerated.

Survival of the Fittest? In the late 1980s, the Department of Defense decreed that by August 1990 all its computer communications would use OSI protocols, and the U.S. federal government formed a set of specifications called GOSIP (Government OSI Profile) that defined standards for these protocols. The federal government had, in effect, planned the death of the TCP/IP suite. TCP/IP was now considered a temporary solution to the problem of providing reliable internetworking protocols. The new proposed Internet standards included X.400 (for e-mail) and X.500 (for directory services).

9

91_tcpip_01.qx

10

2/25/00

12:26 PM

Page 10

Chapter 1 • TCP/IP Overview

The computer industry was gearing up to make the transition, but not everyone welcomed the change. So in 1990, the ISO Development Environment (ISODE) was created. The ISODE software allowed OSI applications to run over TCP/IP. The TCP/IP suite was already in wide use and was not going away as planned, so it was decided that GOSIP would incorporate TCP and IP, loosening its original “only OSI protocols” requirements. The current goals of OSI proponents seem to be less ambitious, now focused on a convergence of TCP and OSI Transport Protocol Class 4, which would support both OSI applications and applications from the Internet Protocol Suite. IPv6 (sometimes called IPng for IP “next generation”) is expected to be the big protocol player at the IP layer.

The Future of TCP/IP Although the TCP/IP suite has proven its endurance and is likely to be with us for a while, it will undoubtedly undergo some changes. For protocols, as for people, a long life usually requires the ability to adapt to changing conditions. As the Internet continues to grow, the most pressing need is a way to overcome the limitations of the current version of IP in terms of the number of IP addresses available. At the time IP’s 32-bit addressing scheme was designed, computers were still expensive devices used primarily by large companies. Many businesses were not yet computerized, and the idea of an individual owning a computer—much less setting up a home network—bordered on absurdity. It must have seemed that there would never be any danger of running out of addresses (and consequently, many usable addresses were “wasted” by the assignment method), but then at that time it was also inconceivable that computers would ever be as powerful and as inexpensive as they are today. When it comes to making predictions about technological progress, the one constant has been a tendency to underestimate. After all, Thomas Watson, former chairman of IBM, is best remembered for the following statement, made in 1949: “I think there is a world market for maybe five computers.”

Looking Ahead to IPv6 IPv6, or IPng (the “ng” stands for “next generation”), is the new version of the Internet Protocol (IP). The Internet Engineering Task Force (IETF) designed it as the next step up from IPv4. It builds on IPv4 and is a natural progression. It is compatible with IPv4, which is currently used on the Internet and other TCP/IP networks. The specific intent of IPv6 is to work efficiently in high-performance networks such as ATM (Asynchronous Transfer Mode), while still working efficiently over low-bandwidth networks (which would include many of the wireless technologies).

91_tcpip_01.qx

2/25/00

12:26 PM

Page 11

TCP/IP Overview• Chapter 1

Next Generation IP: A Luxury or a Necessity? Why do we need a “next generation” of IP? The answer can be summed up in one word: growth. Internet connectivity has exploded, and it shows no sign of slowing anytime soon. Technology gurus predict that in the future, even our household appliances will be wired to the Internet so we can communicate with them from afar. (This conjures up images of typing in a few commands and sending them off to your microwave oven, instructing it to have dinner ready when you get home—an idea that may become reality sooner than you think.) If we are to be prepared to assign an IP address to every refrigerator and toaster, we must think big in planning the next version of the protocol that will be used to accomplish these addressing feats. Perhaps the most important lesson to be learned from our experience with IPv4 is that the addressing and routing capabilities of the next generation’s Internet Protocol must be able to handle scenarios that may currently seem unlikely, based on seemingly exaggerated estimates of future growth.

How Many IP Addresses Are Enough? IPv4 uses IP addresses that are 32-bit binary numbers (usually expressed in dotted decimal for convenience). Each IP address consists of two parts that identify the network ID and the host ID. This provides for approximately 4 billion individual unique addresses—at least, mathematically and theoretically, it works out to that number. If there were actually this many usable addresses, we might not have to worry about running out anytime soon. Unfortunately, that’s not the case. Internet authorities do not assign IP addresses one at a time; rather, they are allocated as class A, B, or C networks, which consist of blocks of addresses of varying sizes. There are 126 usable class A networks, and each can have approximately 16 million hosts. There are far more class B networks: about 16 thousand, but each is limited to fewer hosts, about 65,000. As for class C networks, there can be around 2 million of them; however, they can have a maximum of 254 hosts. In the early days of the Internet, IP addresses were plentiful, and many were handed out with abandon. For instance, the entire Class A Network ID 127.0.0.0 was reserved for use as a “loopback” address (more about that later) used to test the integrity of a computer’s TCP/IP stack. This resulted in 16,777,216 wasted addresses! Class A and B networks were given to organizations that had nowhere near the number of allowed hosts, wasting more addresses. They weren’t missed, because there were plenty more where those came from; the mentality was the same sort that led to current environmental problems, shortages of once-plentiful natural resources and near-extinction of some animal species.

11

91_tcpip_01.qx

12

2/25/00

12:26 PM

Page 12

Chapter 1 • TCP/IP Overview

In 1991, there were a little over 1 million hosts on the global Internet. By 1997, there were over 16 million. Today, according to the Internet Society, there is an estimated 50 million. If growth continues at this rate, the prospect of using up all the available addresses will become very real. One way to solve the problem is to implement a new version of IP that uses a larger address space. IPv6 is based on 128-bit addresses. This provides for a total number of IP addresses which, represented exponentially, is 2 to the 128th power. The actual number would take up an entire line of space; it’s safe to say it definitely adds up to “a lot.” However, IPv6 does more than provide for a greater number of IP addresses. It also adds several improvements to IPv4, which will make routing and network autoconfiguration easier. Another concern in creating the new version of IP is to use a more flexible way of organizing addresses that are not dependent on the class structure. Classless InterDomain Routing (CIDR, pronounced “cider”) can be used to overcome some of the problems encountered with the old method of network/ address assignment.

The Market for IP Today IPv4 today serves what some have called the “computer market.” This market has driven the stupendous growth of the Internet over the last decade. It is based on the enormous number of private and public networks that have come into being, including computers of all types: business workstations and servers, home PCs, traditional mobile (laptop and notebook) computers, mini-mainframes, all the way up to supercomputers. This market has grown at an exponential rate, and continues to do so. However, industry experts predict that it will not necessarily be the driving force behind the next phase of growth, and it is that phase for which the next generation of IP must prepare us.

The IP Marketplace of the Future The computer market described previously is by no means going to disappear. It is logical to assume, however, that it will eventually reach a saturation point, and growth in that sector of the marketplace will stabilize. It is just as likely that other kinds of markets will develop, some of which we might not have imagined a few years ago. These new markets could fall into several categories. The potential offered by new high-speed, low-cost connectivity technologies such as DSL and cable makes it feasible to envision innovations in the near future that were the stuff of science fiction in the recent past. The set-top box, combining television with the Internet, is already a reality. “Smart homes,” with components strategically wired to the Net and capable of being managed from afar, can be built (albeit at a cost too high for the

91_tcpip_01.qx

2/25/00

12:26 PM

Page 13

TCP/IP Overview• Chapter 1

average homebuyer) today. Wireless Internet access via cellular technology is here already. Automobiles that incorporate networked computers are reportedly just around the corner. As impossible as it might seem today, it may be that 20 years from now, we’ll look back at the 1990s as a time when the Internet was small, “only” doubling in number of hosts every year. A new version of IP that will meet this challenge seems more and more of a necessity as we consider the possibilities.

Making the Transition Don’t worry; it’s not likely you’ll wake up one day and suddenly see an announcement that on a particular date, at a particular time, the Internet is switching to IPv6. The new version is expected to replace IPv4 gradually, and the two will coexist for a number of years as the transition occurs. Meanwhile, the groundwork is being laid. All Winsock 2.0-compliant applications will automatically support the IPv6 protocol stack. Microsoft is hard at work developing an implementation of IPv6. Cisco is building routers that will take advantage of the next generation of IP.

NOTE Microsoft Research (MSR) is working on an IPv6 implementation based on the Windows NT/2000 platform. An alpha version of this implementation is publicly available in both source and binary forms. For more information, see www.research.microsoft.com/msripv6/.

For IT Professionals

The 6to4 Protocol The IETF has created a new protocol called 6to4, the purpose of which is to encapsulate IPv6 packets inside IPv4 packets. This will allow networks that migrate to IPv6 early to be able to send their data across the Internet, even if the ISPs they use don’t yet support the new version of IP. Many ISPs are now using Network Address Translation (NAT) to allow for the translation of multiple private IP addresses, which don’t have to be registered, to a lesser number of public assigned addresses. For this reason, those ISPs have not been in a hurry to implement Continued

13

91_tcpip_01.qx

14

2/25/00

12:26 PM

Page 14

Chapter 1 • TCP/IP Overview

IPv6 support. Reconfiguring all of their equipment to use IPv6 addresses would be a big project, requiring a great deal of time and effort. The recent popularity of NAT devices and software implementations of NAT (along with inexpensive proxy software) has taken the edge off the urgency of upgrading, at least for some companies. NAT is built into Windows 2000 Server products, and a simple, “lighter” version of NAT called Internet Connection Sharing (ICS) is included in the Windows 2000 and Windows 98SE operating systems. Using one of these, all of the computers on a network can access the Internet using just one public registered IP address. The new 6to4 protocol will solve the compatibility problem for those corporate networks that do wish to adopt IPv6 sooner rather than later, and may make migration more attractive to others, too. The 6to4 protocol is installed on a router that serves as a gateway from the IPv6 network to the Internet. It works by automatically assigning a prefix to each IPv6 address, which identifies it as a 6to4 address. It then establishes a tunnel over IPv6 network.

Change is inevitable (except perhaps from vending machines), and network administrators may as well get ready to greet IPv6 with open arms. Like any major transition, there is sure to be some pain involved. The IETF has designed a migration strategy that defines IPv4 and IPv6 as two different protocols with two separate protocol stacks, and IPv6 was designed for compatibility with the older version so the upgrade could be done over time. DNS and DHCP servers will require updating, and the management of coexisting 32-bit and 128-bit addresses is expected to produce some problems. Resistance is futile; the next generation is upon us.

Networking Models As a network administrator, you are familiar with the common networking models You may have heard of both the OSI model and the DoD model (at the very least, you’ve seen references to them earlier in this chapter). You may even be able to recite from memory the seven layers of the OSI model, or tell how the four layers of the DoD model correspond to them. But do you really understand what the models represent? And do you know the functions of those layers you named? If not, keep reading. We will briefly visit the hallowed halls of Basic Networking Concepts 101 (or, in Microsoft parlance, Networking Essentials) and look at where the models fit into real-life network administration.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 15

TCP/IP Overview• Chapter 1

The Purpose of the Models A network protocol is a set of rules used by computers to communicate. Protocols had to be developed so that two computers attempting to transfer data back and forth would be able to “understand” one another. Some describe protocols as “languages,” but this isn’t entirely accurate and can cause confusion since computer languages are an entirely different concept. A protocol is more like the syntax of the language (the order in which the words are put together) than the language itself.

NOTE The words "data" and "information” are sometimes used interchangeably, but technically, they are two different things. In computer communications, data is the series of electrical charges arranged in patterns that represent information. The “data" is not the information itself; it is the encoded form of the information. “Information” is the data in usable form, the decoded form of the data that can be displayed as a word processing document or an e-mail message or used to make a calculation in a spreadsheet.

The first networking protocols were proprietary; that is, each vendor of networking products developed its own set of rules. Computers using a specific vendor’s protocol would be able to communicate with each other, but not with computers that were using the networking product of a different vendor. This had the effect of locking a business in; the business would always need to use the same vendor to maintain compatibility. The solution to this problem was the development of protocols based on open standards. Organizations such as the ISO were charged with overseeing the definition and control of these standards and publishing them so they would be available to any vendor that wanted to create products that adhered to them. The advantage to the consumer is that no longer is he forced to patronize a single vendor. The advantage to the vendor is that its products are more widely compatible and thus can be used in networks that started out using a different vendor’s products. A model provides an easy-to-understand description of the networking architecture and serves as the framework for the standards. The OSI model has become a common reference point for discussion of network protocols and connection devices.

Why Use Layered Models? As we look at each of the popular networking models, you’ll see that all use layers to represent areas of functionality. In OSI terms, each of the

15

91_tcpip_01.qx

16

2/25/00

12:26 PM

Page 16

Chapter 1 • TCP/IP Overview

layered specifications uses the services of the layer below to build an “enriched service.” The layered approach provides a logical division of responsibility, where each layer handles prescribed functions. This can be compared to the teamwork exhibited by a good assembly-line crew in building an automobile. One worker may be responsible for fitting a wheel onto the axis, another for inserting and tightening the screws, and so forth. There are several advantages to this type of working model: ■

■

■

■

Each worker only needs to be concerned with his or her own area of responsibility. Each worker becomes extremely proficient, through constant repetition, at his or her particular job. Working together in sequence, the team of workers is able to produce the final product much more quickly and efficiently than one person could, or than a group of people with no assigned responsibilities could. If something goes wrong (for instance, if a particular part was put on incorrectly), the supervisor knows who to blame for the problem.

Likewise, when the networking protocols are divided into layers, communication generally flows more smoothly, and when it doesn’t, troubleshooting is easier because you are better able to narrow down the source of the problem to a specific layer. We will examine three networking models: the ISO’s OSI model, the Department of Defense (DoD) TCP/IP model, and Microsoft’s Windows NT model. We’ll start with the most generic and work our way toward the more specific.

The ISO OSI Model The OSI model is used as a broad guideline for describing the network communications process. Not all protocol implementations map directly to the OSI model, but it serves as a good starting point for gaining a general understanding of how data is transferred across a network.

Seven Layers of the Networking World The OSI model consists of seven layers. The number seven carries many historical connotations; it is thought by some to signify perfect balance, or even divinity. Whether or not this was a factor when the designers of the model decided how to break down the functional layers, it’s safe to say that within the technical community, the Seven Layers of the OSI Model are at least as legendary as the Seven Deadly Sins and the Seven Wonders of the World.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 17

TCP/IP Overview• Chapter 1

The data is passed from one layer to the next lower layer at the sending computer, until the Physical layer finally puts it out onto the network cable. At the receiving end, it travels back up in reverse order. Although the data travels down the layers on one side and up the layers on the other, the logical communication link is between each layer and its matching counterpart, as shown in Figure 1.1. Figure 1.1 Communication takes place between corresponding layers. Sending Computer

Receiving Computer

Application

Application

Presentation

Presentation

Session

Session

Transport

Transport

Network

Network

Data Link

Data Link

Physical

Physical

Network Media

Here’s how it works: As the data goes down through the layers, it is encapsulated, or enclosed within a larger unit as each layer adds its own header information. When it reaches the receiving computer, the process occurs in reverse; the information is passed upward through each layer, and as it does so, the encapsulation information is evaluated and then stripped off one layer at a time. The information added by the Network layer, for example, will be read and processed by the Network layer on the receiving side. After processing, each layer removes the header information that was added by its corresponding layer on the sending side. It is finally presented to the Application layer, and then to the user’s application at the receiving computer. At this point, the data is in the form it was in when sent by the user application at the originating

17

91_tcpip_01.qx

18

2/25/00

12:26 PM

Page 18

Chapter 1 • TCP/IP Overview

machine. Figure 1.2 illustrates how the header information is added to the data as it progresses down through the layers. Note that in the foregoing example, the header information that is added by the Application layer is called a “link header,” as is that added by the Data Link layer. These headers mark the first and last headers to be added. The Data Link layer also adds a Link Trailer. Many books teach the OSI layers “upside down”; that is, starting with the bottom layer. In fact, the Physical layer is often referred to as Layer 1, the Data Link as Layer 2, and so on. Other descriptions start (seemingly logically) at the topmost layer. Which way you look at it depends not on which hemisphere you live in, but on whether you’re addressing the communication process from the viewpoint of the sending or the receiving computer. We will examine the process from the top down, as the data is prepared by the sending computer to go out over the cable or other media. We will, however, stick with the standard numbering convention. Figure 1.2 Each OSI layer except the Physical layer adds header information to the data.

Link Trailer

Data

Link Hdr

Data

Link Hdr

Pres Hdr

Data

Link Hdr

Pres Hdr

Ses Hdr

Data

Link Hdr

Pres Hdr

Ses Hdr

Transp Hdr

Data

Link Hdr

Pres Hdr

Ses Hdr

Transp Hdr

Net Hdr

Data

Link Hdr

Pres Hdr

Ses Hdr

Transp Hdr

Net Hdr

Application

Presentation Session

Transport

Network Link Hdr

Data Link

Layer 7: The Application Layer Keep in mind that the model describes only the networking components. If you remember that, you won’t make the common mistake of thinking the Application layer represents the user application software. What the

91_tcpip_01.qx

2/25/00

12:26 PM

Page 19

TCP/IP Overview• Chapter 1

Application layer really does is provide the interface and govern the interaction between that user application and the network protocols. The Application layer protocols accept user data for network transport. The data is created by the user application, above the networking layers. For instance, if you want to send an e-mail message, your user application might be Microsoft Outlook (the user program is sometimes referred to as the “user agent”). The user sees only the application interface. You type your letter to Cousin Mary, perhaps you attach graphics files containing photos of the grizzly bear who almost ate Uncle Joe from your last family outing to Yellowstone National Park and click SEND. Assuming you typed the correct email address in the “to” field, you have the software configured properly, your hardware is working, your phone lines aren’t down, and your ISP is on the ball (quite a lot of assumptions, to be sure), the message goes through and lands in Mary’s virtual mailbox. Neither you nor Cousin Mary has to know anything about what the networking components of your respective operating systems are doing in order to communicate via e-mail. That’s because the application itself (Outlook) sends the data (the message you typed) to the Application layer, which takes it from there. The Application layer adds header information, which will be used by the Application layer on the receiving end, and passes it down to the next layer.

Layer 6: The Presentation Layer No, the Presentation layer doesn’t turn the data into PowerPoint slides. However, as the name suggests, it is responsible for the way in which the data is presented, or formatted. The Presentation layer handles such things as encryption (presenting the data in such a way as to keep it from being readable by unauthorized persons) and compression (packaging the data in such a way as to get more of it through at a time). On the receiving side, the Presentation layer is responsible for translating the data into a format understandable by the application and presenting it to the Application layer. Since the Presentation layer handles the very important task of protocol translation, this layer is where many gateways operate. Remember how we said earlier that in order to “talk” to one another, computers need to be running the same protocol? Well, a gateway lets you circumvent this rule. It acts as a translator and allows computers using different protocols to communicate with one another. Examples include: E-mail gateway This software translates the messages from diverse, noncompatible e-mail systems into a common Internet format such as the Simple Mail Transfer Protocol (SMTP). Thus,

19

91_tcpip_01.qx

20

2/25/00

12:26 PM

Page 20

Chapter 1 • TCP/IP Overview

Cousin Mary is able to read your letter even though you were using Microsoft Outlook with an Exchange server and she is on a NetWare network using Groupwise mail. SNA gateway Systems Network Architecture (SNA) is a proprietary IBM architecture used in mainframe computer systems such as the AS/400. An SNA gateway allows personal computers on a local area network to access files and applications on the mainframe computer. Gateway Services for NetWare (GSNW) This software is included with Windows 2000 (and Windows NT) Server operating systems to allow the Windows server’s clients to access files on a Novell NetWare server. It translates between the SMB (Server Message Block) file sharing protocol used on Microsoft networks and NCP (NetWare Core Protocol), the file sharing protocol used by the NetWare networks.

NOTE Although many gateways operate in the Presentation layer, different gateways operate at different layers. A gateway can perform functions seen in any layer of the OSI model.

There are almost as many gateway products available as there are different protocol combinations, and more are being developed all the time as interoperability becomes increasingly important in our connectivityobsessed world.

Layer 5: The Session Layer The Session layer handles the task of establishing a one-to-one session between the sending and the receiving computers. The Session layer sets up and tears down application-to-application dialogs, and provides for checkpointing to synchronize the data flow for the applications. The Session layer also controls whether a transmission is established as half or full duplex. Full duplex is bidirectional communication in which both sides can send and receive simultaneously. Half duplex is also bidirectional communication, but the signals can flow in only one direction at a time. To illustrate the difference, think of how a telephone conversation works. Both parties can talk at the same time, and you can still hear the other person’s voice while you’re talking. That’s full duplex. With most two-way radios, when you key the microphone to speak, you can’t hear

91_tcpip_01.qx

2/25/00

12:26 PM

Page 21

TCP/IP Overview• Chapter 1

anything the other person might be saying while you’re speaking. Only one of you can broadcast over the channel at a time. That’s half duplex.

NOTE When the communication can only flow in one direction, and can never flow back the other way (unidirectional), it’s called simplex.

Another important responsibility of the Session layer is to define the rules for data exchange between the applications. In this respect, you might think of the Session layer as a referee or mediator who makes sure both parties (the sending and receiving computers) are aware of and agree to follow the “rules of the game” for that particular session. When two family members are at odds and seek counseling to help them communicate with one another, a good counselor or mediator will start the visit by getting both people to agree to certain rules. These might include who gets to talk first, and for how long, as well as the “format” of the communication (i.e., no yelling, screaming, or name-calling). Although computers aren’t known for getting emotional, before they can communicate effectively they also must negotiate communications guidelines. Otherwise, they may bombard each other with too much data to be processed, or both try to “talk” at the same time. The Session layer controls this flow of conversation so that the message will get through clearly. In this way, the Session layer provides for flow control. This usually works quite well. Family counselors undoubtedly wish their jobs were as easy as that of the Session layer protocols. Other duties of the Session layer include providing for data expedition, class of service, and reporting of problems occurring in the Session layer and those above it.

Layer 4: The Transport Layer The Transport layer’s primary responsibility is reliability. It must verify that the data sent arrives at the intended destination, in good condition. It also must have a way to differentiate between the communications that may be coming to the same network address (the IP address) from or to different applications.

Port Numbers Thanks to the multitasking capabilities of Windows 2000 and other modern operating systems, you can use more than one network application simultaneously. For example, you can use your Web browser to access

21

91_tcpip_01.qx

22

2/25/00

12:26 PM

Page 22

Chapter 1 • TCP/IP Overview

your company’s homepage at the same time your e-mail software is downloading your e-mail. You probably know that TCP/IP uses an IP address to identify your computer on the network, and get the messages to the correct system, but how does it separate the response to your browser’s request from your incoming mail when both arrive at the same IP address? That’s where ports come in. The two parts of an IP address that represent the network identification and the host (individual computer) identification are somewhat like a street name and an individual street number. In this analogy, the port number would identify the specific apartment or suite within the building. TCP and UDP, the Transport layer protocols, assign port numbers to each application so the data intended for the Web browser in Apartment A doesn’t get sent to the e-mail program living in Apartment B.

Connection Service Types Two types of connection services are used at the Transport layer: connection-oriented and connectionless. Which is most appropriate for sending a given message depends on whether reliability or speed is of highest priority.

NOTE In TCP/IP communications, data is sent over the network as a sequence of datagrams. A datagram is a collection of data sent as a single message. Each datagram is sent across the network individually.

A connection-oriented protocol such as TCP offers better error control, but its higher overhead means a loss of performance. A connectionless protocol such as UDP, on the other hand, suffers in the reliability department but, unhampered by error-checking duties, is faster. Connection-Oriented Services. As a provider of connection-oriented services, TCP first establishes a virtual connection between the sending and receiving computers. This is done through the use of acknowledgments and response messages.

NOTE An acknowledgment message is sometimes referred to as an “ACK.”

91_tcpip_01.qx

2/25/00

12:26 PM

Page 23

TCP/IP Overview• Chapter 1

The most commonly used analogy for differentiating between connection-oriented and connectionless communications compares different services available from the post office. If you need to send an important report to the manager of your company’s branch office in El Paso, you could put it in an envelope, affix the required amount of postage, and drop it in the corner mailbox. This would be the easiest, quickest way to take care of the task, but you would have no idea whether or when the report reached its destination. On the other hand, you could go to the post office and fill out a card to send the report via registered, certified mail, with a return receipt requested. It would cost more and it would take more time and effort on your part, but it would be a more reliable form of communication. You would get back an acknowledgment when the package was delivered, showing that it was indeed received by the person to whom it was addressed. Connection-oriented services are more like the second example, although they actually go one step further: They establish the connection before sending the data. This would be as if, before you sent your certified mail, you first got on the telephone with the El Paso manager and let him know the report was coming so he could be on the lookout for its arrival. If you’re really detail-minded (or paranoid), you could even ask that he call you back when it gets there, and let you know that all the pages are there in sequence and it wasn’t damaged along the way. You’ve taken pains to make sure your communication is as reliable as possible, but at a cost in time (and long distance charges) to both you and the intended recipient. Connectionless Services A connectionless transport protocol like the User Datagram Protocol (UDP) doesn’t provide the same acknowledgment of receipt process as the connection-oriented TCP does. Since UDP doesn't sequence the packets that the data arrives in, an application program that uses UDP has to be able to make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange, and thus very little message reassembling to do, may use UDP instead of TCP. For example, DNS hostname lookup messages that will always fit in a single datagram can effectively use UDP. For these very short queries, you don't need all the complexity of TCP; if you don't receive an answer after a few seconds, you can just ask again. UDP doesn't split data into multiple datagrams, as TCP does. It doesn't keep track of what it has sent. Data can be resent if needed, and UDP doesn’t guarantee delivery or protect against duplication. However, it is not completely irresponsible: It does provide for a checksum capability, to

23

91_tcpip_01.qx

24

2/25/00

12:26 PM

Page 24

Chapter 1 • TCP/IP Overview

ensure that data arrives intact, and it provides port numbers to distinguish between the requests sent by different user applications.

NOTE Examples of applications that use UDP for communication include Trivial File Transfer Protocol (TFTP), Routing Information Protocol (RIP), RADIUS accounting, and some implementations of Kerberos authentication. The UDP header is shorter and simpler than the TCP header. It has the source and destination port numbers and a checksum, but it doesn’t include a sequence number, since UDP doesn’t do any sequencing.

Layer 3: The Network Layer Both TCP and UDP, operating at the Transport layer, rely on IP, the Network layer protocol, to actually get the data from the sending to the receiving computer. If you’ve studied the OSI model, you’ve probably heard hundreds of times that routing takes place at the Network layer. Routing is all about recognizing addresses and mapping out the most efficient way to get from one address to another.

The Routing Function You would be performing a function similar to that of the Network layer if you took on the job of navigator on a cross-country automobile trip. Just as TCP and IP, working together, have different responsibilities, you and the driver could divide the duties so that the journey goes more smoothly. It’s the driver’s job to get the car to the destination safely and all in one piece (somewhat like the Transport layer protocols). It’s the job of the navigator to consult a map, determine exactly which highways will take you there, where to turn off one road and onto another, and to consider such factors as the size of each thoroughfare, known areas of congestion, and anything else that might make one route more desirable than another. Likewise, this layer is responsible for finding a path through the network to the destination computer. It is also responsible for translating logical addresses (the IP addresses assigned by an administrator or a DHCP server) and names (like the destination computer’s NetBIOS name “EXCALIBUR”) into physical addresses. The physical, or Media Access Control (MAC), address is burned into a chip on the network interface card by its manufacturer. IP routes messages based on the network number of the destination address. Every computer has a table of network numbers, known as a routing table. If there is a an entry in the routing table for the destination

91_tcpip_01.qx

2/25/00

12:26 PM

Page 25

TCP/IP Overview• Chapter 1

network ID, the computer sends it to a “gateway” address, which represents the first router in the path to the destination. A default gateway address is included in the routing table to send packets to when a specific route to the destination network ID isn’t found in the routing table. The default gateway must be on the same network as the source computer. Each gateway, or router, that the message must go through is called a hop. You might say a journey of a thousand hops begins with a single step: the gateway address listed in the routing table for a particular network number.

Dynamic Routing It’s easy to map out a route to a friend’s house four blocks away. However, if you’re trying to get to the home of a relative who lives in the backwoods in another state, you may need more than a good map. You may need to call ahead and get directions from someone who has traveled there recently. As networks become larger and more complex, it becomes more difficult to manually maintain routing tables. When this happens, you will want to use a dynamic routing protocol. Dynamic routing protocols automatically update routes on all routers on the network. We will discuss various routing protocols, such as RIP and OSPF, in a later chapter. Routers (whether dedicated devices or Windows NT or 2000 servers acting with IP routing enabled) work at the Network layer.

The X.25 Standard Although IP is the best known protocol of the Network layer, another important inhabitant of this layer is the ITU X.25 standard, which specifies the interface for connecting computers on different networks through the use of an intermediate connection made through a packet-switched network. X.25 protocols also correspond to the Data Link and Physical layers of the OSI model.

Layer 2: The Data Link Layer The Data Link layer takes the datagram passed down to it from the Network layer and repackages it into a unit called a frame. The frame includes error-checking information, which is processed by the Data Link layer at the receiving end. This layer is responsible for error-free delivery of the data frames. Figure 1.3 shows how a frame might be structured. The Data Link layer is responsible for maintaining the reliability of the physical link, which is established at Layer One just below it. This is the only layer of the OSI model that is divided into sublayers: the LLC (Logical Link Control) and the MAC sublayers. We will look at each of these individually.

25

91_tcpip_01.qx

26

2/25/00

12:26 PM

Page 26

Chapter 1 • TCP/IP Overview

Figure 1.3 The Data Link layer adds a Cyclic Redundancy Check (CRC) for errorchecking.

Destination Address

Source Address

Control Information

Data

CRC

The Logical Link Control Sublayer The LLC sublayer is charged with ensuring the reliability of the link, or connection. IEEE 802.2 is an LLC standard that operates with the CSMA/CD (Carrier Sense Multiple Access/Collision Detection) and the Token Ring media access standards. Point-to-Point Protocol (PPP) also operates at the LLC level.

The Media Access Control Sublayer The MAC sublayer deals with the logical topology of the network. This may or may not be the same as the physical topology, or layout. For instance, IBM Token Ring networks are physical stars, as all computers connect to a central hub (called an MSAU, or MultiStation Access Unit). However, the logical topology is a ring, because inside the MSAU, the wiring is such that the data travels in a circle. A 10BaseT network connecting to an Ethernet hub, on the other hand, is logically a bus (which is why it is sometimes called a star bus). Access Control Methods MAC-level protocols govern the access control method, or how the data accesses the transmission media. The popular methods are grouped in three categories: contention methods, token passing, and polling methods. Contention methods include CSMA/CD, used in Ethernet networks; and Carrier Sense Multiple Access Collision Avoidance (CSMA/CA), used in AppleTalk networks. In both cases, computers that wish to transmit data on the network must compete for the use of the wire or other media. A collision occurs if two stations attempt to send at the same time. CSMA/CD and CSMA/CA differ in their ways of addressing this collision problem. With CSMA/CD, data collisions are detected and the data is sent again after a random amount of time. With CSMA/CA, an “intent to transmit” message is put out as a “feeler” before the computer transmits the actual data.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 27

TCP/IP Overview• Chapter 1

Token passing methods eliminate the possibility of collision by using a circulating signal called a token to determine which computer can transmit. A computer on a token passing network is more polite. Rather than blurting out its transmission whenever it has something to say, it waits patiently for its turn (when the token gets around to it) and sends data only when it “has the floor.” Polling methods are similar in some ways to token passing, except that instead of the group of computers policing themselves by passing around a token, there is a central unit that acts as a “chairperson.” This “presiding” unit asks members of the “committee” in turn whether they have something to say. Since the computers follow these “rules of parliamentary procedure,” data transmission proceeds in an orderly fashion. MAC Addressing. Although the permanent address burned into the NIC is sometimes called the “physical address,” its proper name is Media Access Control address. The MAC sublayer of the Data Link layer also handles MAC addressing functions.

NOTE MAC addresses on Ethernet cards are expressed as 12-digit hexadecimal numbers, which represent 4- bit (6-byte) binary numbers. The first three bytes contain a manufacturer code, which is assigned by the Institute of Electrical and Electronics Engineers (IEEE). The last three bytes are assigned by the manufacturer and represent that particular card.

Each computer must have a MAC address that is unique on the network. Higher-level protocols translate IP addresses (also called logical addresses) to the MAC address, which can be thought of as the real network location. Lower-level protocols cannot recognize or use IP addresses. Think of it this way: A city or county may assign a street name and house number to a structure, but this is really only a “logical” address. Logical addresses can be more easily changed. A neighborhood group will petition to have a street renamed, or the city council will change the numbering scheme to facilitate emergency response or to accommodate new construction. The location where the building stands also has a “physical” address: its geographic coordinates. When the land is surveyed, it will be identified by degrees of longitude and latitude, and these will

27

91_tcpip_01.qx

28

2/25/00

12:26 PM

Page 28

Chapter 1 • TCP/IP Overview

remain constant regardless of changes to the street name and number. That physical address is like the NIC’s MAC address; it will (almost always) remain the same.

NOTE Some network card manufacturers have made NICs that allow you to change the MAC address by “flashing” the card with a special software program. This is a precaution in case you have duplicate MAC addresses on a network because those manufacturers have begun to “recycle” their addresses.

Data Link Layer Devices There is some confusion among network administrators about the network connectivity devices called bridges that operate at the Data Link layer of the OSI model. Bridges can separate a network into segments, but they don’t subnet the network as routers do. In other words, if you use a bridge to physically separate two areas of the network, it will still appear to be all one network to higher-level protocols. Bridges can cut down on network congestion because they can do some basic filtering of data traffic based on the MAC address of the destination computer. When a transmission reaches the bridge, it will not pass it across to the other side of the network if the MAC address of the destination computer is known to be on the same side of the network as the sending computer. The bridge builds tables indicating which addresses are on which side, and uses them to determine whether to let the transmission across. The confusion comes in because there are different types of bridges. Although all work at the Data Link layer, some operate at the lower MAC sublayer and others at the higher LLC sublayer. There are some important differences. One practical question is whether you can use a bridge to connect network segments that use different media access methods (for instance, an Ethernet segment and a Token Ring segment). The answer is yes or no, depending on which type of bridge you’re referring to. A bridge that operates at the Logical Link Control sublayer, sometimes called a translation bridge, can connect segments using different access methods. However, a lower-level bridge (one that operates at the MAC sublayer) cannot. Either type can connect segments using different physical media (that is, a segment cabled with thin coax and a segment running on unshielded twisted pair).

91_tcpip_01.qx

2/25/00

12:26 PM

Page 29

TCP/IP Overview• Chapter 1

Another device that operates at the Data Link layer is the common switch, or switching hub, which has become very popular on Ethernet networks.

NOTE The switched hub is also called a Layer 2 switch. There are more sophisticated switches made by companies such as Cisco Systems that operate at the Network layer and can perform basic routing functions in addition to the type of switching described here.

Like hubs, these switches are central multiport units into which all the computers are connected. Like bridges, the switch keeps a table of MAC addresses, showing which computer is connected to which port. When data comes in, instead of sending it back out to all the computers as the hub does, the switch examines the destination address in the header, consults the table, and sends it only out the port to which the corresponding computer is attached. This cuts down overall network traffic considerably, and helps to prevent collisions.

Layer 1: The Physical Layer To many, the Physical layer is the easiest to understand because it deals with devices and concepts that are more tangible. The Physical layer deals with such things as the type of signal transmission used, the cable type, and the actual layout or path of the network wiring. These are things we can see, touch, or at least easily represent with a drawing or diagram. The functions of the Physical layer devices (NICs, cables, connectors, hubs, and repeaters) are also relatively easy to understand.

Physical Layer Devices Physical layer devices are the stuff of which a networking equipment catalog is made. The basics are deceptively simple: You insert a network card into an expansion slot on each computer, plug a piece of cable into each network card, and plug the other end of each cable into a hub. But leafing through the catalog will reveal that Physical layer issues are a little more complex. Some cable manufacturers offer literally thousands of different cables, and the variety of available network cards and connectivity

29

91_tcpip_01.qx

30

2/25/00

12:26 PM

Page 30

Chapter 1 • TCP/IP Overview

devices is just as overwhelming. Getting a network up and running at the Physical level requires a good bit of knowledge about what works with what, and which hardware type is best for your particular situation. The Network Interface Card (NIC) is the hardware device most essential to establishing communication between computers. Although there are ways to connect computers without a NIC (by modem over the phone lines, or via a serial “null modem” cable, for instance), in most cases where there is a network, there is a NIC (or more accurately, at least one NIC for each participating computer). Bottom line: The NIC must match the bus type for which you have an open slot in the computer, it must be of the correct media access type, it must have the correct connector for the cable your network uses, and it must be rated to transfer data at the proper speed (Ethernet normally transmits at either 10 or 100 Mbps, and Token Ring runs at 4 or 16 Mbps). The Network Media is the cable or wireless technology on which the signal is sent. Cable types include thin and thick coaxial cable (similar to cable TV cable), twisted pair (such as used for modern telephone lines, available in both shielded and unshielded types), or fiber optic (which sends pulses of light through thin strands of glass or plastic for fast, reliable communication, but is expensive and difficult to work with). Wireless media include radio waves, laser, infrared, and microwave. Hubs and Repeaters are connection devices. Repeaters connect two network segments (usually thin or thick coax) and boost the signal so the distance of the cabling can be extended past the normal limits at which attenuation, or weakening, interferes with the reliable transmission of the data. Hubs are generally used with Ethernet twisted pair cable, and most modern hubs are repeaters with multiple ports. Hubs also strengthen the signal before passing it back out to the computers attached to it. Hubs can be categorized as follows: ■

■

Active hubs are the type just described. They serve as both a connection point and a signal booster. Data that comes in is passed back out on all ports. Passive hubs serve as connection points only; they do not boost the signal. Passive hubs do not require electricity and thus won’t have a power cord as active hubs do.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 31

TCP/IP Overview• Chapter 1 ■

Intelligent or “smart” hubs include a microprocessor chip with diagnostic capabilities, so you can monitor the transmission on individual ports.

Recall that there is another type of hub, a switching hub, but it operates at the Data Link Layer rather than the Physical layer.

NOTE The NIC is responsible for preparing the data to be sent out over the network media. Exactly how that preparation is done depends on what media is being used. A Token Ring NIC is different from an Ethernet NIC, for example. It logically would have to be, since they use different access methods. And even though 10Base2, 10Base5 and 10BaseT Ethernet networks all use CSMA/CD as their access method, they use different cable and connector types; however, it is possible to get a “combo” card that has connectors for all three.

Signal Transmission Computers, at the machine level, are amazingly simple; they “think” only in binary, performing rapid calculations on combinations of 0s and 1s. Transferring these binary digits across network media requires a way of representing these 0s and 1s. Luckily, there are many ways to do this. An electrical signal or a pulse of light can indicate 1 when it’s on and 0 when it’s off. This is known as discrete state technology, and digital signaling works this way. Another consideration at the Physical layer is whether the signaling method will use the entire bandwidth of the cable to transmit the data, or will only use one frequency. When all frequencies are used, the transmission method is called baseband. If only part of the bandwidth is used (thus allowing other signals to share the bandwidth), it is referred to as broadband. Traditionally, baseband transmission has been associated with digital signaling, and broadband with analog, but this does not always hold true. For instance, Digital Subscriber Line (DSL) is a high-speed technology offered by many telephone companies for Internet connectivity. DSL is a broadband technology, because it uses only a part of the wire to transmit data. Voice communication can take place simultaneously on the same cable, using a different frequency than is being used by the data communications. Cable television is another example of broadband transmission, bringing dozens of different channels into your home on just one coax cable.

31

91_tcpip_01.qx

32

2/25/00

12:26 PM

Page 32

Chapter 1 • TCP/IP Overview

NOTE Analog signaling—the type used by common telephone lines—transmits by adding signals of varying frequency or amplitude to carrier waves of a particular frequency of alternating electromagnetic current. Unlike the absolute on/off state, it is represented by a waveform. When data is sent over regular phone lines, a modem must convert the computer’s digital signal to analog and back again at the receiving end.

Physical Topologies Another important Physical layer issue is the layout, or topology, of the network. This refers to whether the cables are arranged in a line going directly from computer to computer (bus), in a circle going from computer to computer with the last connecting back to the first (ring), or in a spoke-like fashion with each connecting directly to a central hub (star). A fourth topology, the mesh, is used when every computer is connected to every other computer, creating redundant data pathways and high fault tolerance, at the cost of increasing complexity as the network grows. Wireless communications can use a cellular topology such as is widely used for wireless telephone networks. In this case, an area is divided into slightly overlapping cells, representing connection points. The physical layout of the network will influence other factors, such as what media access method (and thus what cable type) is used. All the Physical layer factors (cable type, access method, topology, etc.), when considered together, define the architecture of the network. Popular network architectures include Ethernet, ARCnet, Token Ring, and AppleTalk.

The IEEE802 Standards The Institute of Electrical and Electronics Engineers, like the ISO, develops standards. The IEEE 802 specifications address various Physical and Data Link layer issues. Those most pertinent for the average network administrator are: ■

■

■

802.2 Establishes standards for the implementation of the LLC sublayer of the Data Link layer. 802.3 Sets specifications for an Ethernet network using CSMA/CD, a linear or star bus topology, and baseband transmission. 802.5 Sets standards for a token passing network using a physical star/logical ring topology; i.e., Token Ring.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 33

TCP/IP Overview• Chapter 1 ■

■

■

802.7 Establishes criteria for networks using broadband transmission. 802.8 Sets specifications for using fiber optic as a network medium. 802.11 Establishes standards for wireless networking.

The 802 Project was named after the year and month that the original committee met: February 1980.

The DoD Model The Department of Defense networking model is older than the OSI, and was developed in conjunction with TCP/IP itself. It is sometimes called the TCP/IP model, but more often referred to as the DoD model. It consists of only four layers, but they can be roughly mapped to the seven layers of the OSI model. The DoD model is illustrated in Figure 1.4. The various protocols in the TCP/IP suite fit nicely into the layers of the DoD model. Remember that the DoD model was designed in the 1970s. The OSI model came along a decade later, with the goal of more specifically defining the layers of functionality for the network components. Figure 1.4 The four layers of the DoD model map roughly to the seven OSI layers. DOD Model

OSI Model Application Layer

Application/ Process Layer

Presentation Layer Session Layer

Host-to-Host Layer Internetwork Layer

Network Interface Layer

Transport Layer Network Layer

Data Link Layer Physical Layer

33

91_tcpip_01.qx

34

2/25/00

12:26 PM

Page 34

Chapter 1 • TCP/IP Overview

The Application/Process Layer The top layer of the DoD model encompasses all three OSI upper layers: Application, Presentation, and Session. Thus, when referring to TCP/IP, you may read that encryption of data or checkpointing and dialog control take place at the Application layer. Remember that this does not mean the OSI Application layer and you’ll avoid confusion.

The Host-to-Host (Transport) Layer The Host-to-Host layer is sometimes labeled the Transport layer, even on four-layer DoD diagrams, and it maps to the Transport layer on the OSI model. TCP, UDP, and DNS operate here.

The Internetworking Layer This layer corresponds closely to the OSI Network layer. IP, ICMP, and ARP function at this layer. As we discussed earlier, IP deals with routing based on logical IP addresses. ARP (Address Resolution Protocol) translates logical addresses to MAC addresses. This translation is necessary because the lower layers can process only the MAC addresses.

The Network Interface Layer The Network Interface layer maps to OSI’s Data Link and Physical layers. The TCP/IP suite itself has no protocols that operate at these lower layers, but uses the standard Ethernet and Token Ring Data Link and Physical layer protocols.

The Microsoft Windows 2000 Networking Model While it’s easy to show the relationships between the OSI and DoD layers, the Microsoft implementation of the TCP/IP networking model is a bit different. It includes a new type of layer, a boundary layer, which interfaces between the actual networking component layers. The boundary layers are open specifications, while the component layers in between are operating system-specific. Figure 1.5 shows the Windows 2000 Networking Model. As you can see, a boundary layer acts as an interface between each pair of component layers. It’s no coincidence that the name of each boundary layer ends with the word “interface.” The three boundary layers are: Application Programming Interface ■ Transport Driver Interface ■ Network Device Interface Specification Let’s discuss each of the component and boundary layers in a little more detail. ■

91_tcpip_01.qx

2/25/00

12:26 PM

Page 35

TCP/IP Overview• Chapter 1

Figure 1.5 The Microsoft Windows Networking Model uses boundary layers. Applications and User Mode Services NetBIOS RPC Win32 Winsock

API Boundary Layer File System Drivers Named Pipes Mailslots Redirectors

TDI Boundary Layer Network Transport Protocols TCP UDP ICMP IP IGMP ARP

NDIS Boundary Layer NDIS Wrapper NDIS WAN Miniport Wrapper PPTP X.25 Asynch ISDN

X.25

Frame Relay

Token Ring

ATM

Ethernet

FDDI

The Application and User Mode Services Component This layer contains the supported types of user applications and services, including NetBIOS (Network Basic Input Output System), Remote Procedure Calls, Win32 and its subsystems, and Windows Sockets applications.

NetBIOS NetBIOS specifies a group of network function calls that lets applications on different computers communicate with each other within a local area network. It was originally developed by IBM, then adopted by Microsoft, and has been the basis for Microsoft networking. NetBIOS communications use a destination name (called, appropriately enough, a NetBIOS name) and a message location to get the data to the correct destination. NetBIOS supports a session mode for establishing a connection and transfer of large messages, and a datagram mode for connectionless transmissions such as broadcast messages.

35

91_tcpip_01.qx

36

2/25/00

12:26 PM

Page 36

Chapter 1 • TCP/IP Overview

NOTE Windows 2000 is the first Microsoft operating system that allows for disabling of NetBIOS, although this is feasible only on a network that has fully migrated to Windows 2000 and uses no NetBIOS network-enabled applications. A hybrid network containing computers running older Microsoft operating systems or NetBIOS applications will still need to use NetBIOS.

Winsock A Winsock program handles input/output requests for Internet applications in a Windows operating system, using the sockets convention for connecting with and exchanging data between two Application layer processes. Winsock runs as a .dll file (dynamic link library). A .dll file is a collection of small programs, any of which can be loaded when an application needs to use it but isn’t required to be included as part of the application.

NOTE A socket, in TCP/IP communications, is the combination of an IP address and a port number, along with a protocol.

The API Boundary Layer The API boundary layer is where the Application Programming Interface (API) operates. An API is the specific method that is set by a computer operating system or an application, allowing a developer, when writing a program, to make requests of the operating system or application.

RPC Remote Procedure Call is what it sounds like: RPC provides a service to application developers to allow for transparent use of a server to provide some action on behalf of the application. Remote procedure calls provide the programmer with a way of hiding an underlying message passing protocol. The RPC protocol was designed to work with IP, but in a way that’s different from TCP. The TCP protocol is used to transfer large data streams (for example, file downloads). RPC was designed for writing network programs, to allow a program to make a subroutine call on a remote machine.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 37

TCP/IP Overview• Chapter 1

NOTE The RPC protocol is documented in RFC 1831, which can be accessed on the Web at www.freesoft.org/CIE/RFC/1831.

Win32 API The Win32 API is a set of predefined Windows functions that are used to control the appearance and behavior of Windows elements. The API functions are stored as .dll files in the Windows system directory (in Windows 2000, the default system directory is /winnt).

The File System Drivers In the Windows NT architecture, on which Windows 2000 is based, network redirectors are implemented as file system drivers. A redirector is a software component that does what its name implies: redirects a request (in this case, from the local machine out over the network). The Server service and the Workstation service are examples of redirectors. Named pipes and mailslots are also network redirectors. Named pipes is used for connection-oriented communication, and mailslots for connectionless data transfer. The network redirectors allow all file systems to appear the same when accessed across the network, hiding their differences from the user. This is why a Windows 95 machine can read and manipulate files through a network share that are stored on an NTFS partition, even though the Windows 95 operating system does not include an NTFS file system driver and thus cannot itself read an NTFS file.

The TDI Boundary Layer The Transport Driver Interface is another boundary layer. The primary purpose of TDI is to define a standard application programming interface for the transport protocol stacks. That is, the low-level kernel-mode driver implementation of protocols such as TCP/IP and NetBEUI TDI provides for standard methods of protocol addressing, sending and receiving datagrams, and other related actions. TDI is an open specification, and programmers can develop TDI drivers written to the specification, which will make it possible for them to work within the Windows networking architecture.

37

91_tcpip_01.qx

38

2/25/00

12:26 PM

Page 38

Chapter 1 • TCP/IP Overview

The Network Transport Protocol Component The Network Transport Protocol layer is easy to understand and to map to the other networking models. This is similar to a combination of the Network and Transport layers in the OSI model (or the Internetwork and Host-to-Host layers in the DoD model). TCP, UDP, IP, ICMP, IGMP, and ARP operate here.

The NDIS Boundary Layer NDIS (Network Driver Interface Specification) is intended to define a standard API for NICs. All NICs made to be used with the same media access type (such as Ethernet or Token Ring) can be accessed using a common programming interface. The MAC device driver that hides the specifics of the hardware implementation is what makes this possible.

The NDIS Wrapper NDIS includes a library of functions (a wrapper) that can be used by MAC drivers and higher-level protocol drivers (such as TCP/IP). The wrapper functions make it easier to develop MAC and protocol drivers and to hide dependencies on a computer platform. The NDIS wrapper allows the higher-level protocols to work with such Data Link and Physical layer protocols as Ethernet, Token Ring, Frame Relay, FDDI, ATM, and X.25. There is also an NDIS WAN miniport wrapper that interfaces with wide area networking protocols like PPTP and ISDN.

A Family of Protocols: The TCP/IP Suite Although TCP and IP make up the protocol “stack” that gets the messages there, and ensures that they get there reliably, an entire suite of protocols has come to be associated with the name and are included in most vendors’ implementations. Some of these are used to provide additional services, while others are useful primarily as information-gathering or troubleshooting tools. As we address various types of TCP/IP connectivity problems throughout this book, we will be using many of these. The following is just an overview of some additional protocols included with Windows 2000 TCP/IP.

Application Layer Protocols The TCP/IP suite provides several protocols that operate at the Application layer to provide services such as news, mail and file transfer, and monitoring/diagnostics capability.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 39

TCP/IP Overview• Chapter 1

FTP The File Transfer Protocol is used for copying files from one computer to another. Windows 2000 includes both a command-line FTP client program (see Figure 1.6) and the FTP server service that is installed as part of Internet Information Server 5.0. FTP will be available at the command line only if the TCP/IP transport protocol is installed. Figure 1.6 Using the Windows 2000 command-line FTP client program to transfer files.

SNMP The Simple Network Management Protocol provides a way to gather statistical information. An SNMP management system makes requests of an SNMP agent, and the information is stored in a Management Information Base (MIB). The MIB is a database that holds information about a networked computer (for example, how much hard disk space is available).

WARNING You must be logged on as a member of the Administrators group to install the SNMP service.

The SNMP agent software is installed as a Windows Component and runs as a service. SNMP management software is not currently included with Windows 2000.

39

91_tcpip_01.qx

40

2/25/00

12:26 PM

Page 40

Chapter 1 • TCP/IP Overview

Telnet Telnet is a TCP/IP-based service that allows users to log on, run character-mode applications, and view files on a remote computer. Windows 2000 Server includes both Telnet server and Telnet client software. See Figure 1.7 for an example of a Windows 2000 Telnet session. Telnet differs from FTP in that you cannot transfer files from one computer to another (upload or download). Telnet is often used to access a UNIX shell account on an ISP’s server and delete e-mail messages directly from the server without downloading them to the local machine. The Telnet protocol itself is used to establish the initial connection to FTP and SMTP servers from the host’s user agent. Figure 1.7 Using Windows 2000’s Telnet client to connect to the iris.irs.ustreas.gov Telnet server.

SMTP The Simple Mail Transfer Protocol is used for sending e-mail on the Internet. SMTP is a simple ASCII protocol and is not vendor-specific.

NOTE For more information about SMTP, see RFC 821 at www.cis.ohiostate.edu/htbin/rfc/rfc821.html.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 41

TCP/IP Overview• Chapter 1

Because SMTP has limited capability in queuing messages at the receiving end, most e-mail client programs use SMTP for sending e-mail, and either POP3 or IMAP for receiving the messages that come in and are stored on a server.

HTTP The HyperText Transfer Protocol is perhaps the most familiar of the Application layer protocols because it is used on the World Wide Web, the most popular Internet service. HTTP allows computers to exchange files in various format (text, graphic images, sound, video, and other multimedia files) via client software called a Web browser. A computer running a Web server program, such as Microsoft’s Internet Information Server, stores files in HyperText Markup Language (HTML) format that can be accessed by the client browser. These HTML “pages” often contain hyperlinks for quickly and automatically connecting to other files on the Internet, on an intranet, or on the local machine. The current version is HTTP 1.1, which was developed by a committee of the IETF. It contains enhancements that allow for faster transfer of information.

NOTE The specifications for HTTP 1.1 are defined in proposed RFC 2068, which can be accessed on the Web at www.ics.uci.edu/pub/ietf/http/rfc2068.txt.

NNTP Network News Transfer Protocol is used for managing messages posted to private and public newsgroups. NNTP servers provide for storage of newsgroup posts, which can be downloaded by client software called a newsreader. Windows 2000 Server includes an NNTP server with IIS. Outlook Explorer, version 5, which is part of the Internet Explorer software included with Windows 2000, provides both an e-mail client and a newsreader.

41

91_tcpip_01.qx

42

2/25/00

12:26 PM

Page 42

Chapter 1 • TCP/IP Overview

Transport Layer Protocols The TCP/IP suite includes two Transport layer protocols, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

TCP As already discussed, TCP is the connection-oriented protocol that should be used when error control is of high priority. TCP provides highly reliable, full-duplex transport services, and supports sequence numbering so that large messages can be broken down and then reassembled at the receiving end.

UDP UDP performs the same basic function as TCP—transport of datagrams— but does so in a “bare bones” manner. It does not acknowledge receipt of the messages, nor does it sequence the datagrams. UDP should be used when speed is a high priority and assured delivery of the messages is less critical.

Network Layer Protocols The suite includes several protocols that operate at the Network layer of the OSI model, including one of the two “lead singers” of the suite: IP.

IP The Internet Protocol handles addressing and routing at the Network level, relying on logical (IP) addresses. It can use packet-switching methods to route different packets, which are all part of the same message, via different pathways. It can use dynamic routing protocols to determine the most efficient routes on a per-packet basis. IP is a connectionless protocol; it depends on TCP at the Transport layer above it to provide a connection, if necessary. However, it is able to use number sequencing to break down and reassemble messages, and uses a checksum to perform error-checking on the IP header.

ARP and RARP The Address Resolution Protocol (ARP) translates the logical IP addresses to physical MAC addresses. ARP discovers this information by way of broadcasts, and keeps a table of IP-to-MAC entries. This table is referred to as the ARP cache. Reverse Address Resolution Protocol (RARP) is a similar protocol that does just the opposite: Instead of starting with an IP address and finding the matching MAC address, it uses the MAC address to find the IP address, somewhat like a “criss-cross” telephone directory.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 43

TCP/IP Overview• Chapter 1

ICMP The Internet Control Message Protocol is known as a “maintenance” protocol and is required in TCP/IP implementations. It lets two computers on an IP network share IP status and error information. ICMP is used by the Ping utility discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000.”

NOTE The standards for ICMP are defined in RFC 792.

Computers and routers using IP can report errors and exchange control and status information via ICMP.

IGMP The Internet Group Management Protocol (IGMP) allows host computers on the Internet to participate in IP multicasting. A multicast address identifies a transmission session, instead of a particular physical destination. This allows for sending a message to a large number of recipients without the necessity for the source computer to know the addresses of all the recipients. The network routers translate the multicast address into host addresses.

NOTE IGMP was originally defined in RFC 1112. Extensions have been developed and are included in IGMP, version 2, addressed in RFC 2236.

A computer uses IGMP to report its multicast group memberships to multicast routers. IGMPv2 allows group membership terminations to be reported promptly to the routing protocol. IGMP is required to be used in host computers that wish to participate in multicasting.

TCP/IP Utilities In Chapter 4, we will be looking in detail at the following utilities, which are also included in the TCP/IP suite: ■

IPCONFIG

43

91_tcpip_01.qx

44

2/25/00

12:26 PM

Page 44

Chapter 1 • TCP/IP Overview ■ ■ ■ ■ ■ ■

NETSTAT NBTSTAT NSLOOKUP ROUTE TRACERT PING and PATHPING

Basic Network Design This book focuses on troubleshooting issues, and is not meant to be a comprehensive guide to designing a network. However, the best way to deal with trouble is to avoid it in the first place; thus, we will briefly discuss how thoughtful design can make your Windows 2000 TCP/IP network less prone to problems.

Planning as Preventative Medicine Whether you are setting up a brand new network or migrating to Windows 2000 from an earlier Windows NOS or a non-Microsoft NOS, putting some extra time into planning and preparation is likely to pay off in a reduction in time (and frustration) expended on troubleshooting later. Some common problems are specific to particular migration scenarios, and are discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network.” Some general network design issues apply, however, regardless of your situation and individual network characteristics. Let’s take a look at a few of those now.

Testing and Implementation Before you make significant changes to your production network, it is extremely important that you test those changes in a controlled environment. This is true whether you are merely trying out a new TCP/IP-based application or rolling out a whole new Windows 2000 network. Prototyping is also the first step in troubleshooting networking problems. This refers to creating a test environment in which you recreate the problem and can try various solutions without fear that the “cure will be worse than the disease” and cause loss of data or network downtime on your “real” network.

Prototyping Setting up a prototype environment, or test lab, can be your best troubleshooting tool. In this situation, you can test different installation procedures and options before deploying Windows 2000 to your production

91_tcpip_01.qx

2/25/00

12:26 PM

Page 45

TCP/IP Overview• Chapter 1

machines. This will help you to accurately predict any problems that may occur and find solutions to them. The key to the prototype environment is that it should be: ■ ■

Completely independent of your company LAN As identical as possible to the company LAN environment

To create a realistic test environment, you should have a server running the same operating system and other software as your production server(s), and one or more client computers using the same operating system as your network desktop systems, again with all the same software installed. The hardware for the prototype and production machines should also be as identical as possible. Prototyping allows you to uncover problems that might occur in an actual installation scenario, and address them beforehand. This prevents the loss of productivity and inconvenience to employees that would be a result of encountering “surprise” problems during the actual installation. The test lab is useful long after you’ve completed the deployment of Windows 2000. It can be used for troubleshooting problems that occur later, in a controlled and “safe” environment that won’t affect the network’s productivity. It can also be used to plan future upgrades, and as a training ground where administrators can familiarize themselves with the new software

Pilot Programs After you have tested the new operating system in a prototype environment that is isolated from all of your production machines, you may still wish to implement the change on a limited basis first. This will allow you to evaluate the transition in a realistic setting, with actual network users, and uncover problems that may not have manifested themselves in the more controlled test lab. In that case, a pilot program will add another layer of protection before you expose the entire network to potential upgrade problems. It may be best to choose a specific department, or you may find it more beneficial to upgrade the machines of selected users throughout the organization. It is probably best not to do so on a random basis. You will want to consider several factors when deciding which machines to upgrade: ■

One strategy is to choose a department or group that is not involved in mission-critical work, or one that is in a “slow period.” You would not want to select the Tax department for your pilot group if an important filing deadline is just around the corner, or if the company is currently being audited by the IRS.

45

91_tcpip_01.qx

46

2/25/00

12:26 PM

Page 46

Chapter 1 • TCP/IP Overview ■

An alternate method is to compile a pilot group made up of users from different departments who are considered “power users”; that is, those who are more computer-savvy and thus unlikely to panic if problems arise. A group of users with some technical knowledge may also be better able to document problems they encounter and more accurately report them to you.

Rollout Sooner or later, regardless of how little or how much testing you do, you must implement the new operating system throughout the organization. In a large company, you will probably want to do so in phases, and there may even be some users who, by choice or due to budget considerations or other factors, won’t be in the rollout list at all. However you do it, you can anticipate that there will be some problems involved in upgrading any network that has more than a few computers. Things will go more smoothly if you follow a few basic guidelines: Users should be trained prior to the implementation of the new operating system. This can be done through formal sessions in a classroom on-site or by sending them outside the company to classes in using the new operating system. Don’t deploy a brand new operating system that your users have never had an opportunity to use. Plan the rollout to create as little disruption as possible. The actual upgrade could take place on the weekend or during a time when the offices are closed, or when fewer employees are working if the office is occupied around the clock every day. If you can avoid interfering with users’ attempts to get work done, your job will go more smoothly. Always inform users of the upgrade schedule. As a rule, people don’t like suprises. Even those who are looking forward to the upgrade may not be happy to come in to work one Monday morning and find that their operating system has been replaced, without any prior notice or the chance for them to prepare psychologically for the change. Proper planning is always worth the time it requires. By mapping out your installation or upgrade strategy beforehand, and anticipating problems before they happen, you may find that they needn’t occur at all.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 47

TCP/IP Overview• Chapter 1

Summary In the computer industry, time moves at a pace that’s different from the rest of the world. By those standards, the TCP/IP protocol suite has a (relatively) long and venerable history. We can expect it to stay with us for years to come. TCP/IP is the protocol stack of the global Internet. Until that changes, its “job security” is assured. But IP must undergo changes to keep up with the extraordinary growth in the number of computers and networks that has been a hallmark of the 1990s, and is expected to continue well into the next millennium. One problem that must be addressed is the very practical one of providing for enough available IP addresses to ensure that we won’t run out anytime in the near future. IPv6, the “next generation” of the Internet Protocol, was designed with this goal in mind. It is already being implemented in some quarters, and is likely to enjoy a gradual but steady “takeover” until it finally replaces the current implementation, IPv4. TCP/IP as we know it today consists of an entire suite of protocols. To understand how various protocols in the suite work together, we can use one of the popular networking models as a reference point. Models give us a way to graphically represent and better understand the process of communication between computers that share their resources with one another. The Open Systems Interconnection (OSI) model is the current recognized standard. It was developed by the International Organization for Standardization and provides a set of common specifications to which networking components can be designed. Compliance with the standard ensures that products made by different manufacturers will still be able to interoperate. The Department of Defense (DoD) model is the one on which TCP/IP was originally based. It is an older model, and functions are not as finely divided as in the OSI model, but its layers can easily be mapped to those of the OSI model. Microsoft uses a different model, the Windows networking model, which includes a concept that isn’t encountered in the others: boundary layers. Boundary layers are interfaces that are open specifications, and act as “glue” between the component layers of the network operating system software. Understanding the networking models make it easier for administrators to troubleshoot problems with TCP/IP connectivity by helping to narrow down possible sources of the malfunction. The Windows 2000 TCP/IP suite also includes a virtual “toolkit” of utilities, which an administrator can use to gather information and test connections. The first step in troubleshooting is practicing “preventative medicine”; that is, ensuring that the setup of a new network or the migration to a

47

91_tcpip_01.qx

48

2/25/00

12:26 PM

Page 48

Chapter 1 • TCP/IP Overview

new operating system is done in a well-organized fashion. Testing and prototyping, pilot programs, and a thoughtfully-planned rollout strategy will go a long way toward reducing the incidence of troubleshooting that will be required later on.

FAQs Q: Why do some books specify that certain software components, such as redirectors, operate at the Application layer, while others say that redirectors work at the Presentation layer? A: There are a few reasons for the discrepancy. First, there are many different types of network redirectors, some of which are part of the operating system, and others (such as the Novell Client 32 software for connecting a Windows machine to a NetWare network) made by third parties. Additionally, some books reference the OSI networking model, which consists of seven layers, while others are basing their statements on the DoD model, which only has four. A component that operates at the Presentation layer of the OSI model would be operating at the Application (or Application/Process) layer of the DoD model. Q: It’s called TCP/IP. What are all those other protocols, and what are they for? A: TCP and IP are the “core” protocols (sometimes called the “protocol stack”), but an entire suite of useful protocols has grown up around them. Some of these provide for basic functionality in performing such common network tasks as transferring files between two computers (FTP) or running applications on a remote computer (Telnet). Others are used for information gathering (SNMP, NETSTAT, IPCONFIG), and many are troubleshooting tools that also allow you to perform basic configuration tasks (ARP, ROUTE). Q: What is the difference between TCP and UDP if they both operate at the Transport layer? A: Although both TCP and UDP are Transport layer protocols and provide the same basic function, TCP is a connection-oriented protocol, which means a session is established before data is transmitted, and acknowledgments are sent back to the sending computer to verify that the data did arrive and was accurate and complete. UDP is connectionless; no session or one-to-one connection is established prior to data transmission. This makes UDP the faster of the two, and TCP the more reliable.

91_tcpip_01.qx

2/25/00

12:26 PM

Page 49

TCP/IP Overview• Chapter 1

Q: What is the purpose of a networking model? How will knowing this theoretical stuff help me in administering my TCP/IP network? A: The models give us a way to understand the process that takes place when computers communicate with each other across the network, the order in which tasks are processed, and which protocols are responsible for handling which duties. Understanding the models will help you to narrow down the source of your TCP/IP connectivity problems. For example, if you know that the data is being sent but is not arriving at the correct destination, you will know to start troubleshooting by examining what is happening at the Network layer, since that’s where addressing and routing takes place. Q: Why do we need three different networking models? Why can’t everyone use the same one? A: Actually, that was the plan when the ISO developed the Open Systems Interconnection model. It was to be the common standard used by all vendors and software developers in describing the network communication process. The DoD model actually predates the OSI, and the seven-layer OSI model builds on (and further breaks down) the components of the DoD model. However, individual vendors such as Microsoft still use their own models, which map more closely to their software (such as the Windows NT/2000 model), although they also use the OSI model as a guideline. Q: What is a gateway, and why would I need one? A: The word gateway has many different meanings in the IT world. A protocol translating gateway translates between different protocols. Think of it as the United Nations interpreter of the networking world. If the president of the United States needs to exchange information with the president of France, but neither speaks the other’s language, they can call in someone who is fluent in both to help them get their messages across. Similarly, if a mainframe system and a Windows 2000 computer need to communicate with one another—perhaps the mainframe has important files that need to be accessed by the PC— but they don’t know how to “talk” to each other, you can install a gateway to clear up the confusion. The gateway is even more skilled than the interpreter is; it actually fools the mainframe into believing it’s communicating with another mainframe, and makes the PC think it is having a “conversation” with a fellow PC. Gateway is also the term used to refer to the address of a router that connects your network to another, acting as the gateway to the “outside world.”

49

91_tcpip_01.qx

2/25/00

12:26 PM

Page 50

91_tcpip_02.qx

2/25/00

12:30 PM

Page 51

Chapter 2

Setting Up a Windows 2000 TCP/IP Network

Solutions in this chapter: ■

Designing the Network

■

Migrating from Windows NT 4.0

■

Migrating from Novell NetWare

■

Setting Up a Windows 2000 TCP/IP Network from Scratch

51

91_tcpip_02.qx

52

2/25/00

12:30 PM

Page 52

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Introduction The process of setting up a new TCP/IP-based Windows 2000 network can be relatively simple or hopelessly complex. Whether you’re building a brand new network from scratch or migrating to Windows 2000 from another operating system(s), planning is the key. No set formula works in every situation. You may encounter issues in upgrading your NT 4.0 network that will be completely different from those involved in migrating from NetWare or UNIX. If you’re starting at ground zero, constructing a new network where there was none before, you’ll have more options, but that can make your job more challenging instead of less. Fortunately, even though every case is different, there are some general guidelines that are common to all, and design checklists to get you started. Migrating or creating a network is a massive undertaking. A TCP/IP network will usually require more planning than one that runs on IPX or NetBEUI, due to the potential complexity of IP addressing issues. Likewise, planning a Windows 2000 network may require more (or a different type of) planning than one based on NT servers due to the greater complexity of the directory services structure. If a functioning network is already in place and is running a different protocol stack or network operating system, you will face special challenges. Each migration scenario presents its own unique problems and opportunities. In this chapter, we will examine some of the more common situations you may encounter in setting up a new Windows 2000 TCP/IP network, either “from the ground up” or making the switch from another popular network operating system.

Designing a New Windows 2000 TCP/IP Network Good network design is key in preventing later problems. As a network administrator, you may have come to the job too late to have much (or any) input into the design process. If the network infrastructure was already in place when you took on the position, you inherited the problems of your predecessor. Your network may have been carefully and thoughtfully planned, with future upgrades in mind. If so, count yourself lucky. All too often, a network just “grows that way.” As the computing and connectivity needs of the organization expand, a server is added here, a router is installed there, and systems are upgraded in some departments but not in others. The result is a diversity of hardware and software configurations in place

91_tcpip_02.qx

2/25/00

12:30 PM

Page 53

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

throughout the network. This can make for many administrative headaches. In building a new network, you face a lot of hard work, but you have the chance to learn from past mistakes (both yours and those of others who came before you) and do it right. Patience is a virtue, and this is never truer than when planning the design of a new Windows 2000 TCP/IP network.

The Planning Team Two or more heads are often better than one when it comes to putting together an upgrade plan. In all but the smallest organizations, you should first gather a planning team to share the multiplicity of tasks involved and to lend different perspectives in the important early design stages. Your team members should be well versed in the company’s unique needs, the Windows 2000 operating system, and how TCP/IP communication works. In some cases, it may be beneficial to hire outside consultants who are experienced in network design. However, those who will ultimately be responsible for administering the network should be heavily involved in the planning process from the beginning. Some companies make the mistake of asking for a “turn key operation,” thinking this means that no one on staff has to bother with design and setup issues. You pay someone else (usually quite handsomely) to do it all, and a few months later they hand you a complete, ready-to-go-online enterprise-level network. The idea sounds attractive, but it can turn into a nightmare later on. Those who will be working with the hardware and software on a daily basis can give valuable input during the planning stages, which may prevent many common post-deployment problems. Whether you recruit and lead a planning team from within the organization or work closely with an outside group, it’s important that you, the network administrator, be aware of some of the issues involved in establishing a new Windows 2000 network.

Planning the Hardware Configurations One of the strengths of the TCP/IP protocol stack is that it will run on almost any hardware platform. However, the Windows 2000 operating system has minimum hardware requirements that must be considered in planning any new installation, upgrade, or migration. Hardware-related problems can be mistaken for TCP/IP connectivity problems, so in order to reduce the time spent troubleshooting communication problems, start with the proper hardware.

53

91_tcpip_02.qx

54

2/25/00

12:30 PM

Page 54

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

You can avoid many problems by ensuring that your systems and their components meet the minimum requirements. Check the Hardware Compatibility List (HCL) on Microsoft’s Web site before implementing Windows 2000 on your network. Plan to upgrade hardware that does not meet the requirements, or alternately, to run so-called “down-level” operating systems on those computers (Windows NT or Windows 9x) until they can be upgraded or replaced.

NOTE Hardware Compatibility Lists for all current Windows operating systems can be found at www.microsoft.com/hwtest/hcl/.

In general, Microsoft’s published minimum system requirements to run Windows 2000 include: ■ ■

■ ■

Pentium 133 or equivalent processor 64MB RAM for Windows 2000 Professional; 128MB RAM for Windows 2000 Server/Advanced Server Approximately 1GB hard disk space VGA or better display; keyboard (mouse optional)

These should be taken as absolute minimums, not as recommendations. Optimum performance will require more memory and faster processor(s), especially for heavily-used servers. A Windows 2000 server acting as a domain controller (DC), due to the high overhead required for the Active Directory, realistically requires a minimum of 128 to 256MB of RAM for minimally acceptable performance. Disk space requirements vary widely depending on whether you are installing to a clean drive or upgrading a previous operating system, what file system is being used, and other factors. It is important that you assess your needs carefully, in accordance with budgetary and other considerations.

Planning the Physical Layout The physical layout, or topology, of the network will directly or indirectly influence such things as the type of cabling to be used, the media access control method, the limitations on cable distance, number of nodes per segment, and other “rules and regulations” with which you must comply to meet standard specifications for Ethernet, Token Ring, or other network types.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 55

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Numerous excellent resources offer guidance in the implementation of the popular network topologies and architectures. In some cases, the network administrator will be directly involved in selecting cable types and choosing individual pieces of network hardware. In a large network environment, an outside firm may be hired and given an overall “mission,” and granted the authority to make most such decisions. Either way, it is important to ensure that the final implementation complies with ISO, IEEE, and other industry standards, and building codes and other local regulations.

Diagramming the Network Layout One of your most important tasks in planning the physical layout is to diagram the network. There are many excellent software tools, such as Visio, that you can use to visually represent the layout and show the connections of servers, hubs, routers, workstations, and other network devices. See Figure 2.1 for an example of a Visio drawing using the network diagramming templates included with the software. Figure 2.1 A simplified sample network diagram.

Wkst1

Wkst2

Wkst3

Hub tacteam.net dev.tacteam.net Router

Proxy Server

federation.tacteam.net Hub Internet WkstA

WkstB

WkstC

55

91_tcpip_02.qx

56

2/25/00

12:30 PM

Page 56

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Whether you use diagramming software to construct a professionallooking diagram or simply sketch the network layout manually, how you do it is less important than getting it done. You may be tempted to skip this step if you’re on a tight schedule, thinking you can always come back and create this documentation after the fact. However, the network diagram, properly used, is more than just a record of the network’s design. It is also a planning tool. It is much easier to move devices around and reroute cabling on paper (or on the screen) than it is to lug those heavy pieces of equipment from place to place or manipulate lengths of twisted pair through crawlspaces to “try out” different configurations in the corporeal world. You can save much time, effort, and aggravation by considering different options during the diagramming stage. Remember that later changes to the infrastructure will be expensive and time-consuming, and may result in high indirect costs due to downtime. The physical aspects of the network are its foundation, so get that right from the beginning and you will automatically reduce the chances of problems in the future.

TIP Visio 2000 Enterprise edition will even discover and draw out the network for you! For more information, see www.visio.com/visio2000/enterprise/.

Planning for Sites If you built or worked with wide area networks (WANs) based on NT 4.0 servers, you probably thought of each separate geographic location, such as a branch office, as a “site.” In Windows 2000 TCP/IP networking, the term “site” has a new and specific meaning, and site planning has taken on a new importance.

What Is an Active Directory Site? According to Microsoft, in Windows 2000 a site is defined as “one or more well-connected (highly reliable and fast) TCP/IP subnets that allows administrators to configure Active Directory access and replication topology quickly and easily to take advantage of the physical network.” Sites are published to the Active Directory, which uses the site information in performing replication and responding to service requests. The goal is to improve the efficiency and performance of the WAN.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 57

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Note that creating a site is a way of grouping together computers that have a fast connection. A site does not necessarily represent a group of computers that are at the same physical location. The site concept is independent of domain configuration. A site can span multiple domains, or one domain may include computers at different sites. In general, computers in the same TCP/IP subnet will share a fast connection (Microsoft documentation refers to them as “well connected”). Thus when you set up a new Windows 2000 network, subnetting decisions and site planning will go together. Sites are created and configured using the Sites and Services MMC. To access the MMC: Start | Programs | Administrative Tools | Active Directory Sites and Services. Figure 2.2 shows how a new site is created with this tool. Figure 2.2 Using the AD Sites and Services MMC to create a new site.

With this tool, you can establish links between two or more sites, set up replication frequency, configure site link cost, create subnets and associate them with sites, force replication over a connection, and perform many other tasks involved in using Active Directory sites.

57

91_tcpip_02.qx

58

2/25/00

12:30 PM

Page 58

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

NOTE Site link costs are defined by the administrator, using relative numbers. The cost of the replication over the link is based on the speed of the connection, in relation to other links. For example, if two sites A and B are connected with a high-speed T1 connection, and sites A and C are connected by a 56K modem connection, the “cost” value assigned to the AC link would be higher than that assigned to A-B.

How Sites Are Used in Windows 2000 Networks Once sites are set up, Windows 2000 and the Active Directory use them for three primary purposes: ■ ■ ■

To optimize logon authentication To optimize Active Directory replication To optimize Active Directory enabled services

Optimizing Logon Authentication Sites are used during domain logon, to optimize the logon authentication process. When a computer initiates logon to the domain, the global catalog (GC) will be searched for a domain controller that belongs to the same site as the computer that is logging on. This minimizes the possibility of computers using a slow WAN link to log on.

Optimizing Active Directory Replication The Active Directory uses Windows 2000 site information in determining how and when to replicate directory information between domain controllers. In Windows NT 4.0 networks, only the primary domain controller (PDC) has a writable copy of the security accounts database, and readonly copies are replicated to backup domain controllers (BDCs) on a regular basis. In Windows 2000 networks, all domain controllers have a complete read/write copy of the Active Directory partition, which contains the security database and other directory information. Since changes can be made to any of these domain controllers, it is important that those changes be replicated to other domain controllers throughout the network to keep each up to date. Replication traffic can become a problem on a heavily-used network, so Microsoft uses the site concept to attempt to achieve a balance and reduce “traffic jams” caused by frequent replication across low-bandwidth links.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 59

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Windows 2000 allows the administrator to customize the replication schedule between sites by creating site links. Replication between domain controllers within a site (intrasite replication) can take place at shorter intervals, while replication to domain controllers at remote sites can be scheduled less frequently, and/or configured to occur at low-usage times of the day.

Optimizing Active Directory Enabled Services Services that use the Active Directory for distribution of information will also show increased performance when AD sites are properly planned and implemented. In a Windows 2000 network, the Active Directory can be used to publish what Microsoft calls “service-centric” configurations to make a service more accessible and easier to manage. When the service is published to the Active Directory, applications can access the directory for information that they can use to access the servers’ services. The advantage is that the client doesn’t have to know which server a resource resides on in order to access it. The request for services is made to the Active Directory itself, which is always located on a domain controller.

TIP The Services node is not displayed by default in Active Directory Sites and Services. To show it, you must open the Sites and Services administrative tool and choose “Show services node” on the View menu.

What type of service information would you want to publish to the Active Directory? Most commonly, this would include configuration information. This information is then accessed by the client applications so that less manual configuration of applications is required of users and administrators.

Planning the Namespace An integral part of a Windows 2000 TCP/IP network is the Active Directory namespace. Unlike a Windows NT network, the Windows 2000 namespace is hierarchical. That is, domains are structured in trees, which start with a root domain under which subdomains (called “child domains”) exist, with each child domain incorporating the parent domain’s name as part of its own. Separate trees can be combined into forests in which each tree has a unique namespace, but within which the root domains of all the trees share a transitive trust relationship. Figure 2.3 demonstrates the domain relationships in a Windows 2000 network.

59

91_tcpip_02.qx

60

2/25/00

12:30 PM

Page 60

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Figure 2.3 Two domain trees in a Windows 2000 forest. shinder.net tree

tacteam.net tree root domains tacteam. net

dev. tacteam. net

shinder. net

fed. tacteam. net

training. shinder. net

efc. training. shinder.net

You will notice that the hierarchical namespace used by Active Directory is patterned after the Domain Name System (DNS) namespace used on the Internet. In fact, DNS (or Windows 2000’s dynamic implementation, called Dynamic DNS, or DDNS) is a required service on a Windows 2000 network using Microsoft’s new directory services. You will want to plan the namespace carefully, considering such factors as: ■ ■ ■

■

Geographic divisions of the company Divisions of administrative responsibility Special needs requiring different domain policies (language and currency differences, for instance) Potential replication traffic

Creation of the namespace should be done in conjunction with the creation of IP subnets and Active Directory sites.

Planning the Addressing Scheme Another important aspect of planning the new network is giving some thought to your IP addressing scheme. For TCP/IP communication to take place, each network interface (which includes each network card in each computer, and each router interface) must be assigned an IP address that

91_tcpip_02.qx

2/25/00

12:30 PM

Page 61

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

is correct for the network segment to which it is attached. In configuring the TCP/IP protocol, it is mandatory that you either enter an address manually or set up the computer to get an address automatically from a DHCP server. You also must configure each TCP/IP computer with a subnet mask, which is used to determine what portion of its IP address represents the network identification and what part represents the particular host computer on that network. If your class A, B, or C network is divided into subnets, the subnet mask must be calculated based on the desired number of network IDs and the desired number of hosts per subnet. For more detailed information on IP subnetting, see Chapter 8, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems.”

NOTE If your network is not subnetted, you can use the default subnet mask for that network class. In decimal form, the default subnet masks are as follows: Class A: 255.0.0.0 Class B: 255.255.0.0 Class C: 255.255.255.0

In planning your IP addressing scheme, you need to consider whether you will reserve a block of public addresses so that each computer can access the Internet via a registered address, or whether you will use a proxy server or Network Address Translation (NAT) to provide Internet access to multiple computers through one registered address. Will you assign IP addresses manually, via a DHCP server, or a combination of the two? You must decide whether to divide the network into subnets. Unless it is a very small organization, it’s likely that you will need to do so in order to optimize performance. It will also be necessary to consider the best placement of routers, domain controllers, DNS, WINS, and DHCP servers.

Installing and Configuring Windows 2000 TCP/IP The first step in preventing problems with TCP/IP connectivity is to ensure that the protocols are installed and configured properly. Windows 2000 makes it easy; in fact, TCP/IP is the default networking protocol and is normally installed when you install the operating system. If it was not, or if it has been removed, installing the TCP/IP suite is a straightforward process.

61

91_tcpip_02.qx

62

2/25/00

12:30 PM

Page 62

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Network Design Checklist ❏ Put together a planning team of persons who are ■ ■ ■

Knowledgeable about how a TCP/IP network works Knowledgeable about the Windows 2000 operating system Knowledgeable about the company’s unique needs

❏ Assess hardware ■ ■

Check the Hardware Compatibility List Upgrade if necessary

❏ Plan the physical layout of the network ■ ■

■

Select the topology Check requirements for compliance with standards and regulations Diagram the network

❏ Plan Active Directory sites ❏ Plan the Active Directory namespace ❏ Plan the IP addressing scheme

Installing TCP/IP on a Windows 2000 Computer Before beginning the installation process, be sure you have the information that will be needed as you go through the steps. First, you must know whether your network uses a DHCP server or manual IP address assignment. If you are going to assign an address manually, you will need to have the following information: ■

■ ■

■

A valid address for the network segment on which the computer will reside, not currently in use by another computer A valid subnet mask The IP addresses of the DNS and WINS servers that the computer will use for name resolution The IP address of the default gateway (router) for your network segment, if applicable

You should write this information down and keep it with other documentation for the computer, so that if the settings are lost and must be reconfigured at a later time, you will have it at hand.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 63

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

NOTE If your network is not routed, the default gateway parameter is left blank.

When you have all of the required information, you can proceed with installing the protocols. You will need to configure TCP/IP for each network adapter card that will use the protocol.

TIP The easiest way to find the subnet mask, gateway, and name resolution server information is to look at the TCP/IP configuration screen on another computer that is successfully connected on the same network segment.

The Protocol Installation Process Those who are familiar with installing networking components in Windows NT will find that the interface has changed in Windows 2000. To install TCP/IP (or other protocols), open the Network and Dialup Connections applet: Start | Settings | Network and Dialup Connections You can then select the icon for the network connection over which you wish to use TCP/IP (or click the Make New Connection icon to create one). In our example, this is our local area network connection (see Figure 2.4). Double-click the connection’s icon and click PROPERTIES. This will open a screen similar to the one shown in Figure 2.5. The Properties sheet will list those protocols and components already installed, and allow you to install, uninstall, and configure the properties of networking components.

WARNING If you uninstall a protocol, it will be uninstalled for all network connections on your computer that use this adapter, not just the connection associated with the Properties sheet from which you uninstall it. For example, if you uninstall TCP/IP in the VPN connection Properties sheet, it will no longer be available for your local area connection. There is no warning message informing you of this, so be careful when uninstalling protocols.

63

91_tcpip_02.qx

64

2/25/00

12:30 PM

Page 64

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Figure 2.4 Select a network connection for which you wish to install TCP/IP.

To install the TCP/IP protocol, click INSTALL. You will see the screen shown in Figure 2.6. Select Protocol from the list of component types, and click ADD. You will be shown a list of the protocols available for installation, as in Figure 2.7. Click Internet Protocol (TCP/IP), and click OK. The protocol stack will be installed on your computer, and will now show up in the list of protocols on the Properties sheet for the connection.

TIP Unlike Windows NT, Windows 2000 will not display TCP/IP (or other components) in the list of available protocols to be installed if it is already installed, so you cannot install multiple instances of the protocol.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 65

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

65

Figure 2.5 The Properties sheet for the local area connection shows which components and protocols are installed for this network adapter.

Figure 2.6 The Select Network Component Type dialog box allows you to add client software, a network service, or a networking protocol.

91_tcpip_02.qx

66

2/25/00

12:30 PM

Page 66

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Figure 2.7 Select TCP/IP from the list of available networking protocols.

Configuring TCP/IP The next step is to configure TCP/IP’s properties. To do so, select it on the Network Components Properties sheet (the same one shown previously in Figure 2.5) and click PROPERTIES. You will see the TCP/IP Properties sheet shown in Figure 2.8. If there is a DHCP server on your network that this computer will use to obtain an IP address, select the radio button to obtain an IP address automatically. Otherwise, you will need to manually configure the IP address, subnet mask, default gateway, and DNS server address(es).

NOTE Even if your network uses a DHCP server, some computers—because of their roles and functions—may need to be assigned static addresses manually. In general, domain controllers, DNS and WINS servers, and the DHCP server itself should not use dynamic addresses.

By clicking ADVANCED, you can add multiple IP addresses and gateways, fine-tune DNS and WINS settings, and enable and configure IP Security (IPSec) and TCP/IP filtering. These issues will be discussed in later chapters in conjunction with troubleshooting addressing, name resolution, and security problems.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 67

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Figure 2.8 Use the TCP/IP Properties sheet to assign addressing information.

TIP After installing and configuring TCP/IP, you may need to reboot the computer in order to log on to your Windows 2000 domain.

TCP/IP Installation and Configuration Checklist ❏ Gather needed information ■ ■

DHCP server address or IP address to be manually entered, DNS and WINS server addresses, subnet mask, and default gateway (if applicable)

❏ Install the TCP/IP protocol ❏ Configure the TCP/IP protocol

67

91_tcpip_02.qx

68

2/25/00

12:30 PM

Page 68

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Upgrading to Windows 2000 from Windows NT 4.0 Microsoft designed Windows 2000 as the successor to Windows NT 4.0, thus some thought and planning were given to providing a viable upgrade path. You may find, however, that restructuring your NT 4.0 network prior to the upgrade will make the transition to Windows 2000 go more smoothly. There are several NT domain models, and some will be easier to upgrade than others. In particular, you may find it expedient to combine several NT domains into one before the upgrade. A Windows 2000 network generally requires fewer domains than NT networks. This is because in Windows NT networks, the domain was the smallest security entity. If you wished to decentralize administrative authority, you needed to create separate domains. Windows 2000 allows for more granular assignment of administrative privileges. Organizational units (OUs) can be created and control over different OUs given to different persons without making them administrators over the entire domain. Another reason for creating new domains in an NT network was the limitation on the number of security principals (user and group accounts) that could exist in a domain. Since Microsoft recommended that the Security Accounts Database not exceed 40MB in size, for practical purposes an NT domain could only contain about 40,000 accounts, which represented the total of user, computer, global group, and local group accounts. With Windows 2000, security information is kept in the Active Directory, which can hold literally millions of security objects.

NOTE Compaq Corporation has been able to run successful simulations of Windows 2000 Advanced Server with up to 16 million security principles!

The Windows NT Domain Models In Microsoft networking, a domain is a basic security unit, with a unique name, which provides access to the centralized user accounts and group accounts maintained by the administrator of the domain. Each domain has its own security policies and security relationships (called trust relationships) with other domains. Domains can span multiple physical locations.

2/25/00

12:30 PM

Page 69

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Four basic domain models are recognized in NT server-based networking: ■ ■ ■ ■

Single domain Single master domain Multiple master domains Complete trust

Let’s look at each of these in the context of preparing for an upgrade to Windows 2000.

Single Domain The single domain model is simple. As the name implies, the network consists of one domain to which all user accounts and resources belong. See Figure 2.9 for an illustration of a simple single domain network. Figure 2.9 In the single domain model, all users log on to one domain, and all resources are located in the same domain.

User Accounts Single Domain Resources on

Log

Log

on

Logon

91_tcpip_02.qx

User

User

User

Obviously, no combining of domains is necessary in this situation.

Single Master Domain In the single master domain model, the network is structured into two or more domains, with all user accounts placed in one domain, called the master domain. All users log on to the master domain. Other domains,

69

91_tcpip_02.qx

70

2/25/00

12:30 PM

Page 70

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

which can hold computer accounts, shared files, printers, and other network resources, are called resource domains. Figure 2.10 shows the relationships of domains in the single master model. Figure 2.10 In the single master domain model, all user accounts are in the master domain, and resource domains trust the master domain.

User1

Log

on

User2

User3

User4 on

Log

Master Domain

Resource Domain 1

Resource Domain 2

Solid black arrows indicate trust relationships. In this illustration, the resource domains are shown trusting the master domain, which means users in the master domain can access shared files, printers, and so on in the resource domains.

NOTE In NT, the trust relationship is one-way. In a master domain model, resource domains do not have access to shares in the master domain.

The advantage of this model is that user accounts can be managed centrally, while departments or divisions can still manage their own resources.

2/25/00

12:30 PM

Page 71

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Multiple Master Domains The multiple master domain model is an extension of the single master model. In this case, there are two or more master domains into which the user accounts are placed. This is a way of scaling the master domain concept to a large enterprise network, in which there are too many user accounts to fit into a single master domain. An example of the multiple master domain model is shown in Figure 2.11. Figure 2.11 In the multiple master domain model, user accounts reside in master domains, which trust each other, and each resource domain trusts all master domains.

User

User Logon

on

Log

Master Domain 1

Resource Domain 1

User Logon

User

Logon

91_tcpip_02.qx

Master Domain 2

Resource Domain 2

Resource Domain 3

Another reason for creating multiple master domains is to delegate administrative authority over the user accounts to different administrators. For example, a company has two distinct divisions, and each wants to maintain exclusive control over its user accounts. The company also wants all users from both divisions to be able to access resources throughout the parent company. The multiple master domain model would be appropriate in this situation.

71

91_tcpip_02.qx

72

2/25/00

12:30 PM

Page 72

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Complete Trust The complete trust domain model certainly sounds good. After all, trust is the foundation of every good relationship, right? In this case, it turns out to be another one of those things that seems better in theory than in practice. The complete trust domain model usually ends up being an administrative nightmare. This is because, unlike the master and multiple master models, there is no hierarchical organization to the complete trust. Every domain has two one-way trust relationships with every other domain in the network. User accounts can be located in any domain, as can resources. As the number of domains increases, this model becomes more and more unwieldy and difficult to manage. There is no centralized control. Instead, each domain contains its own security groups and administrators. See Figure 2.12 for an illustration of how a complete trust works. Figure 2.12 In the complete trust domain model, all domains can contain both users and resources, and there are two one-way trust relationships between every domain and every other domain.

Users

Users

Domain 1

Domain 2

Resources

Resources

Domain 3

Users

Resources

The complete trust is used less often than the other domain models. As you can see from the illustration, the number of trusts will expand exponentially as additional domains are added to the network. Even with only three domains, six trusts must be created and managed. Adding just one more domain, for a total of four, will increase the required number of trusts to 12.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 73

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

TIP To calculate the number of trusts created based on the number of domains, you can use the equation N2 – N, where N represents the number of domains.

Which Model Is Easiest to Upgrade? In regard to planning for the upgrade of a Windows NT network to Windows 2000, Microsoft’s recommendations focus on the benefits of having fewer (but larger) domains. These domains should also fit into the hierarchical structure of the Active Directory domain tree(s) that you plan to implement. Remember that the AD namespace is based on DNS naming, and in that respect is very different from the NT domain model’s flat namespace. The ideal domain model, then, would correlate exactly to the structure of your DNS and Active Directory design. The single domain network will generally be the easiest to upgrade, but it may not be possible to achieve in a large organization. You can, however, look at the possibility of reducing the number of domains necessary in light of Windows 2000’s new administrative features. If your present network consists of more domains than is ideal for the Windows 2000 network you are planning, there are ways to combine multiple domains into one and restructure the network, either before or after the operating system upgrade.

Combining Domains before the Upgrade In most cases, you will find it easier to wait until after the upgrade to combine domains. However, if you have a very large number of domains to be combined, there may be benefits to starting the project before the new operating system is rolled out. You can expect greatly increased demands on the IT department’s time after the upgrade, so doing some of this work beforehand could offset some of the burden later. Remember that if you choose to combine domains before upgrading, you are still limited by NT’s restrictions on the size of the security accounts database. Be sure the combined domain(s) will not exceed the 40MB recommended maximum. When you combine NT domains, this involves moving the user and group accounts, updating permissions, rights, and group memberships, moving computer accounts and resources, and shutting down and

73

91_tcpip_02.qx

74

2/25/00

12:30 PM

Page 74

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

decommissioning the domain controllers in the abandoned domain. There are NT 4.0 resource kit utilities to help you accomplish these steps: ■

■

■

ADDUSERS.EXE can be used to move user accounts to another domain by speeding the process of creating a new user account in the domain to which the users are moving for each user from the domain to which they originally belonged. This tool can also be used to move global groups and to update the memberships for local groups in the new domain. NETDOM.EXE and SHUTDOWN.EXE can be used to move computer accounts. NTRIGHTS.EXE can be used to update user rights.

The easiest way (which still can’t really be called “easy”) to combine NT domains is to move everything from the domain to be eliminated into the domain that will remain (and absorb the resources of the other). Combining more than two domains into one is more complex. Essentially, it should be handled as a series of two-into-one combinations (that is, if you wish to combine Domains 1, 2, and 3, you would first combine Domains 1 and 2, and then combine the resulting domain with Domain 3).

Combining Domains after the Upgrade If you choose to wait until after the Windows 2000 upgrade to combine domains and restructure your network, your goal will be to fit your new domain structure to your Active Directory namespace. You may wish to create a domain tree, with some of your old domains becoming child domains under the tree’s “root.” Or, you may want to combine resource domains or collapse them into other domains. This can be done by placing their resources into OUs within a single domain, and assigning administrative authority for the OUs. You then have the same administrative delegation that was formerly accomplished by putting resources into separate domains. The Windows 2000 resource kit contains the following tools to help you perform these tasks: ■

■

SHOWACCS.EXE and SIDWALK.EXE can be used to update permissions. Security Migration Editor is a snap-in for the MMC console that works in conjunction with SHOWACCS.EXE and SIDWALK.EXE.

If you want to move a subtree of objects (OUs and their contents) from one Windows 2000 domain to another, you can use the MOVETREE command-line utility to do so. You will need to use NETDOM to join computer accounts to the new domain.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 75

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

NOTE There are third-party utilities available that are designed specifically to help you reconfigure your domains. Fastlane Technologies’ DM/Administrator, Simac Enterprise Suite, and Aelita’s Domain Reconfiguration Wizard are just a few of the many tools available to ease the task of splitting, consolidating, or reconfiguring domains.

Other Pre-Upgrade Issues Another important (and sometimes overlooked) consideration when you upgrade to Windows 2000 is to ensure that all needed applications are compatible with the new operating system. Even if your hardware meets or exceeds all system requirements, and every component is on the Hardware Compatibility List, this only means you will be able to install the operating system itself. However, it’s the application programs that allow you to actually do the work, so the nice new operating system won’t do you much good if the applications your users need won’t run on it.

Windows 32-Bit Applications Most Windows 32-bit applications work on both Windows 9x and Windows NT. However, not all programs that run on Windows 9x will work with NT. Although both use the Win32 API, there are differences in implementation. Don’t assume that just because an application works with Windows NT, it will also work with Windows 2000. Although a large number of such applications will run with no problems, some will not. This is especially likely in the case of proprietary programs that are specific to a particular industry or special purpose. Some popular third-party programs will not recognize Windows 2000 and will refuse to install altogether. Others will go through the installation process but then will not open. Still others will appear to install properly, but will lock up or cause errors.

DOS Applications Many businesses still use DOS applications, often written to serve a very specific purpose. Many DOS applications will work correctly with Windows 2000. However, those that try to access the hardware directly, or that require the FAT file system, may not be usable on Windows 2000 computers. Upgrading the operating system may present a good opportunity to assess the viability of some of these older programs with a look

75

91_tcpip_02.qx

76

2/25/00

12:30 PM

Page 76

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

toward upgrading or replacing them. This is especially true in light of Y2K compliance issues, since many DOS applications use the two-digit date system and may encounter problems with the year 2000.

Windows 16-Bit Applications Since Windows 16-bit applications were designed to run on the Windows 3.x shell on top of the DOS operating system, you may encounter some of the same problems that can be expected with DOS applications. Win 16 applications that require virtual device drivers will not be able to run on Windows 2000. Another problem with 16-bit applications stems from the cooperative multitasking method used by Windows 3.x, in which the applications share a memory space. This can cause lock-ups and other problems if you run several 16-bit programs simultaneously, since by default in Windows 2000, they will all run in one virtual machine. Luckily, Windows 2000 provides a way for you to work around this problem by opening each Win 16 application in its own separate memory space.

OS/2 and POSIX Application Support in Windows 2000 Windows NT included support for both OS/2 version 1.x programs and POSIX-compliant applications. Windows 2000 also provides limited support for these applications; however, in most cases, it would be beneficial to upgrade or replace such programs, since they are not able to take advantage of the Windows 2000 environment.

The Windows 2000 OS/2 Subsystem The OS/2 subsystem can be configured using an OS/2 editor to add config.sys commands to the c:\Config.sys file. These commands only affect the OS/2 subsystem. Remember that Windows 2000’s OS/2 application support, like NT’s, is limited to version 1.x programs only. These are textmode programs. Applications written for OS/2 1.x that require the Presentation Manager graphical user interface are not supported.

The Windows 2000 POSIX Subsystem The Portable Operating System Interface standards (POSIX) were designed to provide a set of criteria that would allow applications developers to build applications that could be easily ported to other systems. The POSIX compliance requirements, such as support for case-sensitive file names and hard links, are based on UNIX. Many government agencies adopted software specifications that required adherence to the POSIX standards, which is the reason Microsoft included the subsystem in its operating systems. As with OS/2 applications and many DOS and Win 16

91_tcpip_02.qx

2/25/00

12:30 PM

Page 77

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

applications, you will probably find it beneficial to upgrade such software or replace it with a more modern application that accomplishes the purpose.

For IT Professionals

What in the Heck Is a Hard Link, Anyway? The concept of “hard links” is a mystery to many network administrators who have studied and worked primarily with Microsoft products. Unless you have UNIX experience, you may wonder what the term means and how these links differ from regular old shortcuts in the Windows operating systems. Hard links are usually associated with UNIX, which also has something called “soft links.” The soft link is also referred to as a symbolic link, or alias, and the Windows shortcut is more like the soft link. A hard link is a real alternate name rather than an alias. If a hard link exists, removing the original directory doesn’t free up the disk space, because it still exists along the alternate path created through the hard link. Every file in UNIX has something called an “inode” identifying it. A directory entry maps a filename to its inode. Creating a hard link to a file adds another directory entry pointing to the file’s inode. A file can have one or more names pointing to it, and there is no difference between earlier or later links. When you delete a file, you are actually only deleting one link to a file. A file is only truly deleted on the system when it has no links to it. On the other hand, if you delete the original file that an NT shortcut points to, the shortcut becomes invalid.

Application Support Summary The only ways to be certain that your mission-critical applications will work with Windows 2000 are: ■ ■

Run only applications that have earned the Microsoft logo, or Test the applications thoroughly and completely in a prototype environment before installing them on Windows 2000 production machines.

77

91_tcpip_02.qx

78

2/25/00

12:30 PM

Page 78

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

It is also a good idea to check out the Web site or call the manufacturer of the software to find out if there are any known compatibility issues. Some vendors may provide update patches and “fixes” that will address these problems.

Common Upgrade Problems There are many benefits to upgrading an existing operating system instead of starting over with a fresh installation. If all goes well, an upgrade will take less time because your original settings will be preserved and you won’t, for instance, have to configure your TCP/IP properties and reinstall and configure your programs. The downside of upgrading is that any problems in the original operating system are likely to be carried over (and maybe magnified) in the new one. If there are compatibility problems, you may find that trying to untangle and fix them results in the upgrade taking far more time than a clean installation and reconfiguration would have taken. Tuning and thoroughly cleaning out extraneous files on the system before the upgrade can prevent many upgrade problems. Address any applications or operating system problems before deploying the upgrade, rather than just hoping the upgrade itself will repair them.

Windows NT to 2000 Upgrade Checklist ❏ Assess the current Windows NT domain model ❏ Determine if any domains can be combined ❏ Combine resource domains prior to the upgrade ❏ Upgrade the operating system ❏ Combine domains after the upgrade ❏ Assess current user applications and upgrade or replace if necessary

Migrating to Windows 2000 from Novell NetWare For many years, Novell NetWare dominated the PC network operating system market, and many current NT networks still have NetWare file and

91_tcpip_02.qx

2/25/00

12:30 PM

Page 79

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

print servers as part of the network. You may find yourself in the position of migrating an entire NetWare network or a number of NetWare servers to Windows 2000. The first step is to determine whether you will migrate all of your NetWare accounts to Windows 2000, or continue to use NetWare servers on the network in a “hybrid” environment. (See the section “Peaceful Coexistence: The Hybrid Network Environment,” later in this chapter for tips on how to accomplish the latter.) If you wish to implement a pure Windows 2000 environment, you can use the Directory Services Migration Tool, included with Windows 2000 Server, to transfer user and group accounts, permissions, and files from a NetWare server to your Active Directory (see Figure 2.13). The Migration Tool includes a wizard to walk you through the process of selecting objects to be migrated. We will look at how the tool is used later in this chapter. Figure 2.13 The Directory Service Migration Tool is used to transfer accounts, permissions, and files from a NetWare Server to the Active Directory.

Understanding the NetWare Implementation of TCP/IP The TCP/IP protocol stack is a standard which works with a large variety of operating systems and platforms. However, each vendor implements the protocols in a slightly different way. Although Novell included limited TCP/IP support in NetWare as early as version 3.0, NetWare networks traditionally ran on the IPX/SPX protocol stack. This had advantages; in many ways, IPX/SPX seems to be the ideal protocol choice. It is faster and more streamlined than TCP/IP, and

79

91_tcpip_02.qx

80

2/25/00

12:30 PM

Page 80

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

considerably easier to configure. Yet, unlike NetBEUI, it can be used in routed networks. Unfortunately for IPX/SPX, it lacks one of TCP/IP’s most important characteristics: Internet connectivity. Novell came to the realization that resistance was futile, and incorporated better support for TCP/IP. NetWare 5 is the first version that allows for a “pure IP” environment; IPX/SPX is not required. The architecture of the typical NetWare LAN maps loosely to the OSI model (remember that TCP/IP is based on the DOD model). TCP/IP is run on a NetWare server via the TCPIP.NLM (NetWare Loadable Module), which must be loaded and configured. NetWare 5 includes Novell’s implementation of the Simple Network Management Protocol (SNMP), and the TCPCON utility for monitoring and managing SNMP agents and gathering TCP/IP information. You may want to copy down the TCP/IP configuration information from your NetWare server, for reference in setting up the new Windows 2000 server. You can use TCPCON and NetWare’s CONFIG command at the server console to obtain information about the NetWare machine’s TCP/IP configuration.

Premigration Issues There is, of course, no “upgrade” path from NetWare to Windows 2000. It would be nice if we could install Windows 2000 over NetWare and retain network settings, applications, and so on, but it’s not (and likely never will be) that easy. If your NetWare servers are only file servers, the task of switching over to a pure Windows 2000 network will be less of a chore. The migration tool will help you in moving your security accounts and files to the new Windows 2000 server.

Using the Directory Services Migration Tool The Directory Services Migration Tool (DSMT) replaces the NetWare conversion utility (NWCONV.EXE) that was used with earlier versions of NT. DSMT is an MMC snap-in that is used to migrate bindery or NDS information, or both, to a Windows 2000 Active Directory. With the DSMT, you can migrate user accounts, group accounts, permissions/rights, files, and container structure. You can perform the migration on a project-by-project basis, so that one department or one object type (such as files) can be migrated now, and another project implemented later. Thus, the migration can be completed in phases. The migration tool gives you several options in moving the accounts or files. For instance, when migrating user accounts, you can choose to have a unique password randomly generated for each user, to have no

91_tcpip_02.qx

2/25/00

12:30 PM

Page 81

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

passwords assigned, to have each user’s logon name set as the password for the account, or to assign each user the same custom password. These choices are easy to make in the Options Property sheet for each project (see Figure 2.14). Figure 2.14 The Directory Services Migration Tool Property sheet lets you select migration options.

Other options include how to handle duplicate directories and files (a directory or file that is being migrated from the NetWare server already exists on the Windows 2000 Server), verification of the NDS tree metrics, and how to merge properties of existing objects. The migration tool works by letting you select the objects to be migrated, then create an offline database, and finally export the offline database into the Active Directory.

NOTE Third-party utilities such as OnePoint EA’s Domain Administrator tool, by Mission Critical Software (MCS) in Houston, TX, are designed to automate the migration from NetWare to Windows 2000. For more information, see www.missioncritical.com.

81

91_tcpip_02.qx

82

2/25/00

12:30 PM

Page 82

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Common Migration Problems In a perfect world, every migration would go smoothly and quickly, and all information would be transferred completely and accurately. The migration tool works well most of the time, but there are a few common problems you may encounter. For example, if naming conventions differ between the NDS and Active Directory trees, you may have to “fine-tune” the data while you’re in the offline mode before you export the database into the Active Directory. In the offline database, you can right-click any of the objects and add, delete, or modify the object’s properties.

NetWare to Windows 2000 Migration Checklist ❏ Determine whether to migrate all NetWare accounts to Windows 2000 or maintain a hybrid network

❏ Use the Directory Services Migration Tool to migrate NDS or bindery information to the Active Directory

❏ Migrate files from the NetWare server to the Windows 2000 server

Migrating to Windows 2000 from UNIX UNIX is a much older operating system than Windows or NetWare. It is considered to be more stable, although somewhat more difficult to learn and use. UNIX has been the operating system of choice for very large networks, as it has been more scalable than the newer network operating systems (NOSs). However, UNIX is not without its disadvantages. Although there are graphical interfaces available, it does not have the sophisticated “pointand-click” ease of operation found in the Windows server family. Cost can be a factor as well. Although some versions, such as Linux and Free BSD, are available at no cost, other implementations, such as Sun Solaris, IBM’s AIX, and Hewlett-Packard’s HP/UX, can be quite expensive to deploy and support. But perhaps the greatest drawback to UNIX is what some consider its biggest strength: open source code. Open source has led to many similar, but different, “flavors” of the operating system, which are not necessarily compatible with one another. Microsoft has positioned Windows 2000 as a more cost-effective and easier-to-use NOS that, with the enhancements that Windows 2000

91_tcpip_02.qx

2/25/00

12:30 PM

Page 83

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

brings to its support of enterprise networking, can be a viable alternative to UNIX for large organizations with complex networks. Migrating from a UNIX to a Windows 2000 environment will present many challenges, and is probably best done in phases for all but the smallest networks.

Understanding the UNIX Implementation of TCP/IP UNIX is the native platform of the TCP/IP protocol suite. When TCP/IP was developed in the 1960s to be the protocol of the ARPAnet, that network was comprised of university and government computers running the UNIX operating system. In fact, the University of California at Berkeley, which developed the BSD version of UNIX, played a big role in the development of TCP/IP. You might say the two grew up together.

Summoning the Daemons In UNIX, daemons are programs that run all the time, and service requests from all computers. A daemon can also forward requests to other programs if necessary. Daemons are comparable to Windows NT/2000 “services.” An example of a daemon is LPD, the line printer daemon that runs on a UNIX print server. The bootpd daemon is the UNIX bootp program, and the bootpgw daemon is used to set up a UNIX computer as a bootp relay agent. UNIX supports BIND-based DNS, and DHCP programs are available for various UNIX versions. The /etc/services file is used by UNIX to map port names to numbers and determine what daemons run on which ports.

UNIX TCP/IP Utilities Each of the different UNIX versions implements the TCP/IP stack in a slightly different way, but in most cases, the commands are the same. Many of the TCP/IP utilities that originated with UNIX have been ported to the Windows and NetWare operating systems’ implementations of the protocol. You will also see some TCP/IP tools and commands in various flavors of UNIX that you may not be familiar with if your only exposure to TCP/IP has been with Microsoft and Novell products. Following are some of the “extras” you’ll find on UNIX systems: ■

snoop This command is found in Sun Solaris, and acts somewhat like a protocol analyzer, allowing you to see information about Internet packets that are going across the network cable in real time.

83

91_tcpip_02.qx

84

2/25/00

12:30 PM

Page 84

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network ■

■ ■

tcpdump Similar to snoop, but found on BSD versions of UNIX and some versions of Linux. dig A tool for troubleshooting DNS problems. ripquery Used to obtain information about RIP packets.

UNIX to Windows 2000 Migration Checklist ❏ Install Windows 2000 domain controller(s) ❏ Gather information from UNIX servers to be used in recreating accounts

❏ Recreate user accounts in Windows 2000 domain(s) ❏ Install user applications ❏ Determine Windows 2000 services to take over functionality of UNIX daemons

❏ Implement Windows 2000 services (DNS servers, DHCP servers)

❏ Migrate files to Windows 2000 servers

Peaceful Coexistence: The Hybrid Network Environment Some people (and companies) find it difficult or impossible to “forsake all others” and make a commitment to a ”one and only”; in this case, to one NOS. It may be a budgetary consideration or there may be special factors, such as an application that runs only on a particular operating system. Whatever the reasons, many networks will continue to be “hybrid environments,” with different server types existing (peacefully or otherwise) on the same network. Microsoft has provided several interoperability tools with Windows 2000 that make it easier to connect to servers running other NOSs, as well as services to allow client machines running “foreign” operating systems to access the Windows 2000 network.

NetWare Interoperability Because Novell NetWare still has a strong presence in many LANs, and because many companies will wish to keep their NetWare file and print

91_tcpip_02.qx

2/25/00

12:30 PM

Page 85

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

servers even when upgrading their NT servers to Windows 2000, Microsoft included a number of features for connectivity with NetWare networks.

Client Services for NetWare (CSNW) Like Windows NT, Windows 2000 includes a network redirector that can be installed on Windows 2000 Professional computers to allow them to connect directly to NetWare versions 2.x, 3.x, 4.x, or 5.x servers. CSNW is 32-bit NetWare client software that can be used in place of Novell’s Client 32 to allow access to NetWare files and printers. A user accessing a NetWare server via CSNW must have a valid user account set up on the NetWare server, with appropriate permissions assigned.

WARNING CSNW and Client32 will not peacefully coexist on the same computer; you must make a choice to use one or the other. If you install CSNW on a Windows 2000 machine, ensure first that any other NetWare clients have been removed.

Gateway Services for NetWare (GSNW) Members of the Windows 2000 Server family include Gateway Services for NetWare (GSNW). When installed on the Windows 2000 Server, GSNW allows the Windows 2000 server’s clients to go through the “gateway” to access a NetWare server without installing any NetWare client software on the client machines. The “catch” is that all the clients going through GSNW will have the same permissions, as they all use the same NetWare user account.

NetWare Protocol Support Windows 2000 includes NWLink, which is Microsoft’s IPX/SPX-compatible transport. IPX/SPX was required for NetWare networking prior to NetWare, version 5. Windows 2000 remote access servers are also capable of IPX routing and can act as SAP (Service Advertising Protocol) agents.

File and Print Services for NetWare Windows 2000 servers can run FPNW (File and Print Services for NetWare) to allow a NetWare server’s clients access to resources on the Windows 2000 Server. No Microsoft client software is required to be installed on the client computers. This software is not included with Windows 2000 Server, but may be purchased separately from Microsoft.

85

91_tcpip_02.qx

86

2/25/00

12:30 PM

Page 86

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

Troubleshooter Windows 2000 includes a CSNW/NetWare connectivity troubleshooting tool that helps you to pinpoint and find solutions to problems involving access to NetWare servers and NDS objects, NetWare printers, and using NetWare login scripts.

NOTE Microsoft Directory Synchronization Services (MDSS) is an add-on product that provides important interoperability technology for hybrid networks. MDSS helps you more easily integrate Windows 2000 Active Directory with Novell’s NDS, and consolidates management of the network’s directory services. It includes two-way synchronization, so administrators can manage shared data from either directory. For more information, see www.microsoft.com/presspass/press/1999/oct99/NewWinPR.htm.

UNIX Interoperability Windows 2000 includes the Microsoft Print Services for UNIX, which includes a Line Printer Remote (LPR) service and a Line Printer Daemon (LPD). The LPR service is used to send a print job to a print server, and the daemon runs on the print server that receives the print job. LPRMON is installed on a Windows 2000 machine and used to send print jobs to LPD services on UNIX print servers. LPDSVC is installed on a Windows 2000 print server, and allows it to receive documents to be printed from LPR utilities running on UNIX client computers.

NOTE Microsoft Windows Services for UNIX is designed to provide interoperability options for integrating Windows 2000 (and Windows NT) into existing UNIX network environments. For more information, see www.microsoft.com/windows/server/Deploy/interoperability/sfu.asp.

Interoperability with IBM Mainframe Networks Windows 2000 can use Microsoft’s SNA (Systems Network Architecture) Server with IBM mainframe and AS/400 computer networks running TCP/IP or SNA protocols. Windows 2000 clients can then access the data and applications on the IBM host from the Windows desktop interface.

91_tcpip_02.qx

2/25/00

12:30 PM

Page 87

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

Summary In this chapter, we looked at the importance of planning the deployment of your Windows 2000 network as a means of preventing TCP/IP connectivity problems. We discussed general planning concepts, such as creating a planning team, hardware considerations, planning and diagramming the physical layout of the network, planning the Active Directory structure and domain namespace, planning the site structure, and planning the most effective IP addressing scheme. We walked through the steps of installing and configuring the TCP/IP protocol stack on Windows 2000 computers, and explored some of the options Microsoft gives us in setting up a system to use TCP/IP communications. Common deployment scenarios were discussed, including: ■ ■ ■ ■ ■

Installation of a new Windows 2000 network from the ground up Upgrade of a Windows NT 4.0 network to Windows 2000 Migration of a NetWare network to Windows 2000 Migration of a UNIX network to Windows 2000 Deploying Windows 2000 in a hybrid environment

We examined in some detail the traditional NT domain models, how they differ from the Windows 2000 domain structure, and factors to be considered in upgrading. You learned about the tools included with Windows 2000 to help you ease the upgrade process and move users, groups, and computers from your NT domains to the new Windows 2000 domains. The chapter also discussed how accounts and files on NetWare servers can be migrated to Windows 2000, and the Directory Services Migration Tool designed for that purpose. We provided a brief overview of how NetWare’s TCP/IP implementation differs from Microsoft’s. We also looked at the UNIX operating system, and how the various “flavors” of UNIX implement TCP/IP. Finally, we talked about the interoperability of Windows 2000 with other operating systems in a hybrid environment, and how it can peacefully coexist with other NOSs on a large, complex TCP/IP-based network. Parts of this chapter may, at first glance, seem to have little to do with troubleshooting TCP/IP problems. However, many of the communications problems that result from poor planning or deployment that is not well thought out can mimic IP connectivity problems. Much time and effort could be wasted if you try to apply the techniques outlined in later chapters, when the real culprit is an incorrect configuration or an unsuccessful migration.

87

91_tcpip_02.qx

88

2/25/00

12:30 PM

Page 88

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

The objective of this chapter, then, is to set up your Windows 2000 network correctly from the beginning, so that when trouble does appear (and it will), it will make a far easier target for you to “shoot.”

FAQs Q: Why would my company’s network require fewer domains in Windows 2000 than we were using in our Windows NT 4.0 network? A: The domain model for Windows 2000 is very different from the NT model(s). In Windows NT networks, the domain was the smallest administrative boundary. You could not give someone administrative privileges with giving them those privileges for the entire domain. In Windows 2000, using Active Directory security, it is possible to create smaller areas of administrative authority called Organizational Units (OUs) and assign administrative privileges to one or more OUs without granting administrative authority throughout the entire domain. This means there is no longer a need to create a separate domain just to separate the administrative responsibilities. Q: Why is the recommended minimum amount of memory so much greater for Windows 2000 Server than for Windows 2000 Professional? A: Windows 2000 Professional will run adequately with Microsoft’s stated minimum of 64MB RAM unless it is used for heavy multitasking or running memory-intensive applications such as 3-D rendering programs. On the other hand, a Windows 2000 server acting as a domain controller (DC) will not generally perform at all satisfactorily with the stated minimum of 128MB RAM. To get acceptable performance from a Windows 2000 domain controller, 256MB RAM is more realistic. This is not due to the Server operating system itself, it is because the Active Directory requires heavy memory usage. In fact, a Windows 2000 member server, which does not participate in authentication and does not have a copy of the Active Directory, will actually perform acceptably (though not optimally) with only 64MB RAM. Q: What is SAP? Is that something I need in my Windows 2000 network? A: SAP is Service Advertising Protocol, used by NWLink to find the closest server at startup. It can also locate services. A Windows 2000 computer with RRAS installed uses SAP to listen for SAP advertisements and to make SAP advertisements on a regular basis. This allows it to maintain a table of available network services. The

91_tcpip_02.qx

2/25/00

12:30 PM

Page 89

Setting Up a Windows 2000 TCP/IP Network • Chapter 2

SAP Agent is the network service that allows a Windows 2000 computer’s services to advertise themselves. You need to install SAP if your network has NetWare clients, or if your Windows computers are running just the NWLink protocol; for instance, if you have configured your internal network to communicate using NWLink in order to protect it from Internet intruders running TCP/IP. Q: Do my Active Directory and DNS namespaces have to be identical? A: No. There are two ways to approach planning of the Active Directory namespace. The first, and in some ways easiest, is to create an Active Directory domain structure that uses as its root domain your registered DNS name. In this case, the internal network namespace and the external namespace, accessible via the Internet, will be the same. However, you can create two different namespaces for internal and external use. For instance, if mycompany.com is your registered domain name, your internal namespace might be myco.com. Having a different namespace will provide a security advantage, but requires that you register two domain names. Q: Can I still use my Windows 95 and Windows 3.1 clients and take advantage of Active Directory? A: Yes and no. Windows 95 and 98 computers can run the Active Directory client software available on the Windows 2000 Server CD in the “Clients” folder. Windows 3.1 computers cannot be Active Directory clients. To computers that are not running Active Directory client software, the directory will appear to be a Windows NT directory. There is a way to still utilize old machines that may be running Windows 3.x because they do not have the processor and memory resources to run Microsoft’s 32-bit operating systems. A Windows 2000 server can be configured as a terminal server, and older Windows operating systems can run terminal services software to allow them to function as “thin clients,” actually running the Windows 2000 desktop on the Windows 3.x operating system. In this way, users running those operating systems can still take advantage of Active Directory’s features. Q: Is there something I can tell my boss that will convince him that everyone needs to be running Windows 2000 machines?

89

91_tcpip_02.qx

90

2/25/00

12:30 PM

Page 90

Chapter 2 • Setting Up a Windows 2000 TCP/IP Network

A: Although Windows 9x and NT Workstation computers can be client computers in a Windows 2000 domain, those downlevel operating systems cannot take full advantage of the features of a Windows 2000 network. For instance, Group Policy, a powerful administrative tool for controlling users’ desktops and configurations, can be used only with Windows 2000 computers. You can tell your boss how Windows 2000 combines the reliability of NT with the plug-and-play ease of use of Windows 9x, and you can explain the security benefits of such Windows 2000 features as EFS (encrypting filesystem) and IPSec. You can talk up the advantages of Intellimirror technology, and you might mention its excellent support for terminal services, virtual private networking using the new L2TP protocol, and ATM connectivity. You might also be able to impress your boss with the increased stability of Windows 2000. The best way to do this is to set him up with a Windows 2000 Professional system of his own, and let him experience the difference.

91_03.qx

2/25/00

10:59 AM

Page 91

Chapter 3

General Windows 2000 TCP/IP Troubleshooting Guidelines

Solutions in this chapter: ■

General Troubleshooting Guidelines and Models

■

Information Gathering

■

Problem Isolation

■

Corrective Measures

■

Monitoring Results

91

91_03.qx

92

2/25/00

10:59 AM

Page 92

Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

Introduction Problems: We’ve all had them, all our lives. It’s the human condition, they say, but problems aren’t confined to people. It seems to be the nature of everything that does anything—humans, animals, mechanical devices, electronic components—to malfunction now and then. Even stars eventually burn out (although we hope it will be a long time before you, the star of your company’s IT department, do the same). The first step in solving a problem is recognizing that one exists. Sometimes, it’s impossible not to notice; some problems explode in our faces. When you come in to work Monday morning and already have 22 voicemail messages all screaming, “My e-mail isn’t working!” you have a problem you can’t overlook or ignore. Other problems manifest themselves in a more subtle way. Maybe network communication is gradually slowing down, and users are beginning to get frustrated but may not say anything about it for quite some time. It’s easy to brush these types of problems aside. After all, it’s still working, it’s just not working quite as efficiently. These problems are more insidious. Like a case of the sniffles that turns into a cold that starts to feel more like flu that ends up being pneumonia, you can find yourself in serious trouble before you know it. It’s usually easier to nip the “little” problems in the bud instead of pretending they don’t exist and hoping they’ll go away.

The Ten Commandments of Troubleshooting Regardless of the nature of your problem, there are some general troubleshooting guidelines that will help you to organize your thoughts and speed up the process.

1: Know Thy Network When trouble hits, you’re already one step ahead of the game if you’ve taken the time—when things were running smoothly—to get acquainted with your network. You should not wait until a network outage or slowdown occurs to start examining your network’s performance. Get out the protocol analyzer, fire up the network monitor, and get to know how your “net” works, while it is working properly. In Chapter 5, “Using Network Monitoring and Troubleshooting Tools,” we’ll show you how to use all those fascinating gadgets and software tools, both in establishing a baseline for a “healthy” network and in diagnosing and planning the treatment of a “sick” one.

91_03.qx

2/25/00

10:59 AM

Page 93

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3

One of the benefits of planning and designing a network from scratch, as discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network,” is having known your network ”all its life.” You’ve watched it grow, seen it through minor and major crises, and learned what was normal and what was not in terms of its operation and performance. Even if you “adopt” a network that’s been around for a while, a good way to get to know it is to do a complete diagram and inventory. This will require that you find out what equipment you have, where it is, and how it works.

2: Use the Tools of the Trade Having access to and knowing how to use the troubleshooting “tools of the trade” are essential elements in successfully resolving TCP/IP problems. Your training and experience are your first, albeit intangible, important pieces of “equipment”—but it’s not always enough. A doctor, despite long years spent studying and practicing medicine, is often unable to diagnose a patient’s illness if he or she doesn’t have access to basic “tools” like a stethoscope, X-ray or other imaging machine, sphygmomanometer (blood pressure cuff), and all those other mysterious instruments used to measure or better observe various bodily functions. In troubleshooting connectivity problems, you too will often require help, in the form of hardware devices or software tools. You will use these to confirm (or negate) your initial suspicions or to give you a starting point in your investigation. At the very least, you should have access to diagnostic utilities, network monitoring and protocol analyzer software, and LAN testing devices for tracking down cable and other physical layer problems. Of course, having the tools is only half the battle; you also need to know how to use them properly. A great deal of information can be gathered using just the utilities built into most vendors’ implementations of the TCP/IP suite, but many network administrators have only a vague idea of what they do and how to use them. In Chapter 5, we will discuss in detail how to make the familiar PING, TRACERT, ARP, and other included utilities work more effectively for you.

3: Take It One Change at a Time Modern computers are good at multitasking. They can have several entirely separate and distinct processes going on simultaneously, because their “brains” (microprocessors) are able to use “time slicing” to allocate time to one problem after another in rapid succession, switching back and forth so quickly that it appears both tasks are being performed continuously.

93

91_03.qx

94

2/25/00

10:59 AM

Page 94

Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

People don’t perform multiple simultaneous activities nearly as well. That’s why it’s important, when troubleshooting network problems, that you make changes one at a time and evaluate the effect before making another. When you have a problem such as an inability to connect to the server from a workstation, the tendency is to try everything you can think of that might fix the problem. An administrator in a hurry might uninstall, reinstall, and reconfigure the protocol, unplug the Ethernet cable and plug it back in, then reboot the computer and try logging on with a different account. If he’s able to connect this time, that’s great—but which action actually caused the difference? By trying only one “fix” at a time, you’re able to pinpoint what works, and what doesn’t.

4: Isolate the Problem Problem isolation is another important step in troubleshooting. More often than you might think, problems hang out in groups. And even if the original problem had a single source, attempts to correct it (by you or by the user who called you) may have created new “companion” problems. When we have multiple problems, we will probably need to address each one separately in order to get the network running smoothly again. Isolating the problem also means defining the specific nature of the problem. You will find it as hard to address a general problem like “I can’t get on the Internet” as a doctor would have in treating a patient who only reported “I don’t feel well.” It’s important to pinpoint the specific problem.

NOTE “Specific” is a relative term. If a user initially reports a problem as “my computer’s not working,” he may think he is being specific when he then tells you that he can’t get on the Internet. Specificity may have to be accomplished in steps.

Users often have as much trouble describing their connection problems with specificity as sick people have in telling their physicians exactly what their physical symptoms are. Good questioning may help overcome this to an extent (we’ll talk about how to get information from your users a little later in this chapter), but you can’t always rely on others’ descriptions to be accurate and complete. You’ll have to use your own observation skills as well, which brings us to the next step.

91_03.qx

2/25/00

10:59 AM

Page 95

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3

5: Recreate the Problem It’s no coincidence that this is listed as the fifth commandment out of 10. When you are able to reliably reproduce the problem, you’re half way home on the road to solving it. If you know that the user is able to send and receive e-mail, but receives a “404: File not found” error every time she tries to access the Web site of your company’s main competitor, you already have a lot of good information that will prevent you from wasting your time checking proxy settings or gateway configuration errors. Once you’ve narrowed down the problem, from “I can’t get on the Internet” to “I can’t access the Web site at www.thoseotherguys.com,” and you’ve verified that the problem can be reproduced by trying again to connect to the URL and getting the same message, you can consider what might cause this particular problem. In this case, there are several possibilities. One way to narrow it down further is to attempt to reproduce the problem again, from a different computer. If you type www.thoseotherguys.com into the browser on another machine, and you get the same error message, you’ve gained a valuable clue: The problem probably is not caused by an incorrect configuration on the first system; it’s more likely the problem is at the server end, or possibly a problem with the DNS server on your network.

6: Don’t Overlook the Obvious In the preceding example, an unaware troubleshooter could have spent hours attempting to “fix” the computer that “can’t get on the Internet,” uninstalling and reinstalling its TCP/IP stack, reconfiguring its DNS settings, or releasing and renewing its DHCP lease, only to overlook the most obvious answer: The file was not found because the file is not there. Sometimes it’s really that simple. On the other hand, if you try to reproduce the problem at another machine and find that you can access the site from there, you know there is most likely a problem with the first machine’s configuration. Then, it’s time to focus your investigation on that particular computer. Perhaps the first thing to check is whether you can access other Web sites or if it’s only this one that’s giving you problems. If our original complainant/user was right and “The Internet isn’t working,” or rather, the Web doesn’t seem to be working—but other Internet applications like e-mail are—our next step would be to determine whether we actually have a connectivity problem or just a name resolution problem. To do that, we can try connecting to a Web site using its IP address.

95

91_03.qx

96

2/25/00

10:59 AM

Page 96

Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

If you type http://www.microsoft.com into the browser’s address box and get nothing, but the Microsoft homepage comes up fine when you type in http://207.46.131.30, you know the “friendly” name is not being translated into the format that the computer understands, the IP address. Since you know DNS is the service that performs this resolution of fully qualified domain names (hierarchical “dotted” names like URLs), at this point we can be fairly certain that there is either a problem with the computer’s DNS settings or (if other computers that use the same DNS server are having the same problem) with the DNS server itself.

7: Try the Easy Way First Most of us have heard it said of someone, usually in a whispered voice accompanied by a frown, “He always has to do things the hard way.” The same critics may then turn their disapproval on someone else with the indictment that “he always takes the easy way out.” Did you ever wonder how both of those philosophies could be wrong? Or was the latter criticism tinged with a hint of jealousy? In troubleshooting connectivity problems, it certainly pays to at least try the easy way first. How many times have you been able to correct a problem simply by rebooting the machine? It may not work every time, but it never hurts to try simple solutions before implementing the more complex ones. In fact, you should make it a practice to always evaluate all the possible solutions to a problem, and then try those that are easiest, quickest, and/or least expensive, leaving the difficult, time-consuming, and costly fixes as last-resort alternatives. If you have two machines that won’t “talk” to one another on the network, you would not be advised to first try rewiring the building just in case it’s a cable problem.

8: Document What You Do It may seem like a lot to ask, after you’ve endured all that blood, sweat, and tears to finally get the problem solved and get the network back up and running, but documenting your troubleshooting activities is vitally important. Putting down on paper the steps you go through, as you perform them, serves several purposes. First, it helps you to stay organized and perform those steps methodically. If you’re writing it down, you’re less likely to skip steps, because it’s all there in front of you, in visual form. You don’t have to wonder, “Did I test that cable segment?” or “Did I check the default gateway setting?” Documenting your actions also provides a valuable record if you end up having to call in an outside consultation or otherwise request someone else’s assistance with the problem. Time, and often money, will be saved if you can provide detailed information about what you tried, how you

91_03.qx

2/25/00

10:59 AM

Page 97

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3

proceeded, and what the results were. Many network administrators lull themselves into a state of complacency about not documenting their behavior, because they see the documentation process as too time-consuming. However, if a mistake occurs because of a failure to document what you’ve done, or what you were planning to do, the amount of time lost far exceeds the time you would have spent actually writing things down in the first place. Unfortunately, in the corporate world, you may also sometimes find your documentation necessary for “CYA” purposes. A network outage that lasts for a significant amount of time can, in some businesses, cause a huge loss of profit, even threaten the company’s position in the industry or—in extreme cases—put a business out of business. Luckily, the consequences aren’t usually that dire, but you’d better believe that many firms are heavily dependent on their network communications. If your job description makes you responsible for the welfare of the network, you’re less likely to get caught in the scapegoat-hunting process if you have detailed documentation of your efforts to address the problem. Finally, you should document the troubleshooting and problem resolution process for a very practical reason: History tends to repeat itself, and human memory is imperfect. As you wipe the perspiration off your brow and breathe a silent sigh of relief at having finally tracked down and solved your connectivity problem, you may think that there is no way you will ever, ever forget what you did to fix it—not after going through all that agony. But a year later, when the same thing occurs again, it’s likely you’ll remember only, “This happened before and I fixed it … somehow.” The details tend to get lost, unless you write them down. One last caveat on documentation: It’s great to have a nice, neatlytyped (and maybe even illustrated) troubleshooting log, but if you do your record-keeping on the computer instead of manually, it’s a good idea not only to back it up to tape, floppy, writable CD, or other media, but also to print out a hard copy. It should be a given, but sometimes folks forget that when the computers go down, computerized documents may be inaccessible.

9: Practice the Art of Patience Patience is a virtue, so hurry up and develop this characteristic! Whether or not you aspire to be virtuous, patience is an asset in any sort of investigative work, and that’s what network troubleshooting is. This means being patient enough to go over each configuration setting in each machine, to test each cable segment, to try one solution and, if it doesn’t work, to keep trying new ideas until one does work. Finding the source of a connectivity problem is often like looking for needles in

97

91_03.qx

98

2/25/00

10:59 AM

Page 98

Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

haystacks; you must have a “system” and you must implement it systematically. This also requires that you be patient with users, even when they seem to be the bane of your existence. Remember, users are also one of the big reasons for your job’s existence—you’re there to support them, as well as the computers to which they’re “attached.” Finally, you must be patient with yourself. It’s easy to get exasperated when the network is down, the pressure is on, and nothing you do seems to help (or your best efforts seem to make the problem worse). If users are one of the reasons your expertise is needed, there’s an even bigger reason: problems. A network that ran smoothly all the time, one in which the server never mysteriously went offline and computers never suddenly stopped “talking” to one another for no apparent reason and communications never got strangely garbled, would be a network with no need for an administrator. So, when you hear about a problem coming your way, take an “attitude of gratitude” and thank your lucky stars that you have one! Trouble is what you live for—or should be! A good network administrator doesn’t see problems as something to fear or curse, but as challenges and learning experiences. Continuous learning is what the job is all about, and you’d better love learning new things if you intend to lead a happy life as an IT professional. There’s one thing that’s a certainty in this business: You can never learn it all. And if you did, there would be a brand new and different technology ready to take the place of the one you’d just mastered.

10: Seek Help from Others Network admin types tend to have some common personal characteristics: they’re bright, they’re self-starters, they’re just a bit (okay, maybe more than just a bit) more comfortable when they’re in control, and they have a lot of pride. Taking pride in doing a good job is an admirable trait, but that pride can also make it hard for you to admit that a problem has you “bumfuzzled,” as my grandmother used to say (meaning you’ve tried everything you can think of and the answer—sometimes even the question—still eludes you). Don’t be so proud that you can’t bring yourself, when necessary, to ask for help. Asking for help after you’ve exhausted all your ideas is not an admission of defeat; it’s just a step in the troubleshooting process. Using your resources is smart, and those resources include product documentation, books, Web sites, newsgroups, mailing lists, and other working professionals in the field.

91_03.qx

2/25/00

10:59 AM

Page 99

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3

Remember that the term “networking” has another meaning: getting acquainted with people in your profession who can be beneficial to your career. Someone you know may have struggled with the very same problem that is vexing you now. Why reinvent the wheel? Ask for help. How do you find knowledgeable, experienced IT pros whose brains you can pick when you have a problem? There are many ways to make contacts: attend seminars, join Internet discussion groups devoted to networking topics, stay in touch with classmates and instructors from the training courses you attend. There is a corollary to this commandment. Be available to share your own expertise with others when they need your help. The best networking methods, after all, are full duplex and use two-way communications.

NOTE Most people are flattered to be asked to share their hard-earned knowledge—as long as you don’t abuse the privilege. Calling good old George every couple of months with a quick question is likely to make him feel that you respect his expertise. Calling him every week with a complicated problem that you need solved “right away” will cause him to feel that you don’t respect his personal space, and will quickly make you “persona non grata” in his book.

Windows 2000 Troubleshooting Resources Even if you’re determined to solve the problem yourself, if you’ve sworn that this time you’re not going to bother George (or he has abandoned you to go off on a month-long vacation to Tahiti and isn’t available), there are still many troubleshooting resources at your disposal. Windows 2000 endured more beta testing—with more users at all levels working with the operating system before it was even released for sale—than any other software product in history. There is a great deal of documentation available, both “official” and not.

Microsoft Documentation Microsoft has published an enormous amount of support documentation for Windows 2000 itself, its networking services in general, and its TCP/IP implementation in particular. Despite the fact that Windows 2000 has only been available to the public for a short time, when it comes to information about the operating system, “It’s out there.”

99

91_03.qx

2/25/00

10:59 AM

Page 100

100 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

This creates a problem in itself; sometimes the sheer volume of documentation available makes it difficult to find what you want. The Microsoft Web site, although full of excellent technical support data, is not particularly easy to navigate, especially for the uninitiated. Let’s look at a few of the resources Microsoft has provided in support of Windows 2000.

Help Files Those who have worked with Windows NT for a long time may be laughing uproariously as they read this. “Help files as a source of actual help?” you may ask. The NT help files are, to be generous, somewhat sparse. However, the Windows 2000 online Help is better—much better. For example, in NT 4.0 if you go to the Help index and type “DNS,” you get the box shown in Figure 3.1. Figure 3.1 A typical Help window in NT 4.0.

On the other hand, if you access the Help index in Windows 2000 and type “DNS,” you’ll see the much more helpful list of specific topics shown in Figure 3.2. Each of the articles listed has links to related topics, “how to” topics list step-by-step procedures, and the search engine operates in a logical and intuitive fashion so that you can find the information you need quickly and easily. If you’ve gotten out of the habit of even bothering to look at the online help, as many NT administrators have, reacquaint yourself with this convenient, free feature in Windows 2000. The Help files will become your first line of defense in troubleshooting situations, and in some cases, the only reference you’ll need to solve your problem.

91_03.qx

2/25/00

10:59 AM

Page 101

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 101

Figure 3.2 The new and improved Windows 2000 Help system.

NOTE Note: If you find it difficult to read long Help files online, you’ll also be pleasantly surprised by the much improved printing capabilities in the Windows 2000 Help files.

Resource Kits Microsoft’s Resource Kits serve as the “official source of technical background information” about their products. There is a wealth of troubleshooting information in the Windows 2000 Resource Kit, much of which comes directly from the product development team. You are, in essence, getting a briefing on how the operating system works straight

91_03.qx

2/25/00

10:59 AM

Page 102

102 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

from “the horses’ mouths,” from the people who wrote the code and worked with the operating system from its earliest stages. The online documentation is only a small part of the Resource Kit. Also included are a variety of software utilities that can be used in troubleshooting and administration (see Figure 3.3). Figure 3.3 The Windows 2000 Resource Kit contains online documentation and utilities.

The CD that comes with the printed Resource Kit includes the books in electronic format, over 200 diagnostic and management tools and documentation for each, and information on error messages, Registry settings, and performance counters.

NOTE Web-based versions of the Microsoft Resource Kits are available to be downloaded by subscription, at the Resource Link Web site located at http://mspress.microsoft.com/reslink/.

White Papers Microsoft’s Web site contains many informative “white papers” that address various aspects of the Windows 2000 operating system and its components.

91_03.qx

2/25/00

10:59 AM

Page 103

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 103

It’s easy to search the site for these topic-specific articles with the search engine provided on the Microsoft “front page” and each subsequent level of the site. A simple search for white papers addressing the TCP protocol yields many articles. You can narrow the search further by using the “Search within results” feature, and you can sort the search results according to different criteria.

TechNet One of the primary benefits of obtaining Microsoft’s MCSE certification has been the free or reduced-price subscription to TechNet. A series of CDs is issued monthly, with updated product information, news releases, and the popular Knowledge Base. The latter contains articles addressing “known issues” and problems encountered by users working with Microsoft products, and the fixes or workarounds. (See Figure 3.4.) Figure 3.4 Microsoft’s TechNet is an invaluable source of troubleshooting information.

Microsoft has made most of the TechNet information, including the Knowledge Base, available free on their support Web site at www.microsoft.com/technet/support/default.htm. There are still benefits to owning the CD version, and it is available by subscription at www.microsoft.com/technet/subscription/about.htm. With the CD version, you get a more powerful search engine that can be customized, you can mark frequently-used articles or annotate them with

91_03.qx

2/25/00

10:59 AM

Page 104

104 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

your own notes, and of course, you aren’t dependent on having an Internet connection to access the information. When you subscribe to TechNet, you initially receive over 20 CDs (including service packs, utilities, and tools, and other documentation in addition to TechNet itself). Each month’s updates include three to five CDs. Microsoft estimates that approximately 2000 pages of new content are added to TechNet each month, and at least 20 percent of the existing content is revised.

NOTE TechNet Plus is a higher subscription level that includes copies of beta software for training/evaluation purposes.

Newsgroups Microsoft also hosts a large number of technical discussion newsgroups on their news servers. The public news server at msnews.microsoft.com includes newsgroups devoted to almost every Microsoft product imaginable, in many different languages, and subtopics such as Windows 2000 networking. (See Figure 3.5.) Figure 3.5 A small sampling of the newsgroups hosted on Microsoft’s public news server.

91_03.qx

2/25/00

10:59 AM

Page 105

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 105

There are over 1000 newsgroups available on the public news server. Microsoft also hosts a large number of private newsgroups, which require a username and password to access. These include groups for certified trainers, groups for participants in the corporate preview programs, groups for MSDN members, and others. The newsgroups are an often-overlooked source of free advice and tips. You can “meet” many fellow IT professionals through the groups, and Microsoft personnel monitor some of the groups and post “official” support information as well.

Third-Party Documentation Although Microsoft has attempted to be comprehensive in documenting Windows 2000, and provides you with some great troubleshooting resources, you are certainly not limited to their materials when problems occur. There are many independent IT professionals who have already encountered some of the same problems you might run up against, and who have shared their experiences in many forums.

NOTE Even if you’re already Microsoft-certified, or not interested in vendor certification, don’t overlook the troubleshooting information that is available in some of the MCSE study guides, such as the Windows 2000 certification series published by Syngress.

There are some excellent books available on various aspects of Windows 2000 networking. Check your local computer stores, larger book stores such as Barnes and Noble, or online booksellers like Amazon. Some monthly publications that can be highly beneficial include NT/Windows 2000 Magazine and for Microsoft certified professionals, MCP Magazine. Both frequently contain articles full of troubleshooting tips.

Internet Mailing Lists Up until a couple of years ago, it was easy to host a mailing list. Anyone who had a machine connected to the Internet that ran list server software could do it. Now it’s much easier—there are numerous free Web-based list-hosting services, such as ONElist at www.onelist.com, that are easy to set up and administer. Because of this, Internet discussion lists have proliferated.

91_03.qx

2/25/00

10:59 AM

Page 106

106 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

There are hundreds of lists devoted to Windows 2000 and/or TCP/IP issues. Some are restricted lists, where membership is by invitation or limited to those who meet certain qualification criteria. Others are public, and open to any and everyone. Some are populated by small groups of highly professional members, and others are huge “melting pots” with high noise-to-bandwidth ratios (a large volume of low-quality messages sprinkled with messages that contain valuable tips and tricks). Some generate perhaps two or three messages per day, while others may flood your inbox with literally hundreds of messages at a time.

TIP Information about Windows NT and Windows 2000 public mailing lists can be found at the following Web sites: www.saluki.com/maillist.htm—the Saluki MCSE lists www.swynk.com—comprehensive system administrators’ site www.tacteam.net—our own MCSEnow and Win2000now lists

The benefits of mailing lists are similar to those of newsgroups.

Usenet Newsgroups Just as Microsoft Corporation hosts newsgroups, other companies and organizations host groups that focus on Microsoft products. Most ISPs run news servers that make some or all of the available public Usenet newsgroups accessible to their users.

Web Resources There are thousands of excellent (and not so excellent) resources available on the Web. If you want to use the Web effectively as a troubleshooting tool, it is important that you use a good search engine, and that you know how to use it for best results. Too many experienced computer pros haven’t taken the time to learn which of the many search engines fit their needs. Nor have they explored all the features of the one(s) they’ve chosen. It’s not enough to go to Yahoo! and type in a couple of keywords that vaguely describe your problem. On many occasions, I’ve been asked about technical issues by students or other network admins who prefaced their question with, “I tried looking it up on the Web but I couldn’t find anything.” I’ve then sat down at the keyboard, pulled up my browser, spent three minutes with Infoseek or Alta Vista, and solved the problem or acquired the information, which I copied, pasted and returned to them.

91_03.qx

2/25/00

10:59 AM

Page 107

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 107

They think I’m really smart (which is okay with me—good PR never hurts), but the truth is: I’ve found a couple of good search sites and more importantly, I’ve practiced using them enough to get good at it. I chose Infoseek because it allows me to do a “search within results” so I can continuously narrow my search criteria, and I know that if I want to search for a whole phrase, I need to put quotation marks around it, and I know that if I choose the “advanced” feature, Alta Vista will let me do a Boolean query using operators like AND and NOT. Try different search engines, pick one that has the features you want and need, read all its online documentation so you’ll know the syntax for proper queries, and you’ll notice a world of difference in the effectiveness (and speed) of your Web searches.

NOTE Check out the following search engines: www.infoseek.com—allows you to “search within these results” www.altavista.com—allows for “advanced” search using Boolean operators www.hotbot.com—allows you to search the full text of pages rather than just keywords, allows advanced filtering of search results

Once you’ve learned the fine art of searching, you’ll find that the Web has numerous sites posted by companies, professional organizations, user groups and hobbyist clubs, and individuals, detailing others’ experiences with Windows 2000, their trials and tribulations, and how they solved the problems they encountered.

General Troubleshooting Models Regardless of the field, most professions exist for the purpose of anticipating, preventing, and/or solving problems. Physicians address medical problems, attorneys deal with legal problems, police officers confront problems involving criminal behavior, and network professionals are faced with connectivity and computer communications problems. Troubleshooting models have been developed and adopted and are used in the formal training in various occupations. These models describe a procedure, or a step-by-step process, that can be applied to most problem-solving situations regardless of the type of problem. Because the networking field is newer, training is less regimented and curricula haven’t been standardized throughout the industry. There is no

91_03.qx

2/25/00

10:59 AM

Page 108

108 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

“official” network-troubleshooting model. However, we can borrow popular problem-solving models that are in widespread use in other professions and apply their principles to the problems IT personnel are likely to come up against.

Differential Diagnosis Model When a medical doctor sees a new patient who complains of symptoms, whether vague (“I don’t feel well.”) or more specific (“I have a sharp pain that comes and goes in my lower-right side.”), the physician follows a step-by-step procedure to ascertain the cause of the problem and attempt to alleviate it. Generally, these steps fit the categories of: Examination, Diagnosis, Treatment, and Follow-up. A network administrator can follow the same steps when confronted by an “unhealthy” network.

Examination The first step involves gathering information. The doctor does this in several ways: Direct observation. He first assesses the patient’s general state of well-being based on things like demeanor, facial expression, skin coloration, whether the person is energetic or lethargic, whether the eyes are bright or dull, whether the person is over or underweight, voice, muscle tone, and so on. A network troubleshooter can also use observation skills, noticing if a cable is pinched or the lights on the NIC or hub are not lit as usual. Asking questions. The doctor will interview the patient, and ask her to fill out a medical history questionnaire. He will want to know such things as when the pain first appeared, what, if any, self-treatments she’s tried, whether there were any changes in her diet or activities, or if she was involved in an accident or otherwise injured just prior to the symptom’s appearance. The network professional asks very similar questions of the network users who are experiencing the problem. You need to know when the “symptom,” such as inability to connect to the network, began. You also will want to know if the user did anything to attempt to fix the problem, and whether anything on the computer or on that network segment was changed just prior to the loss of connectivity. Conducting tests. Even if the physician is able to establish a tentative diagnosis based on his observations and the answers to his questions, he will often order lab tests to provide objective confirmation. A network administrator who is trying to track down

91_03.qx

2/25/00

10:59 AM

Page 109

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 109

the source of a connectivity problem can also perform objective tests using software utilities and monitoring and diagnostic devices.

Diagnosis After the information has been gathered, the doctor puts this specific information about this patient together with the general knowledge acquired through his years of training and experience, to arrive at a diagnosis. This is defined as an opinion as to the nature and cause of the disease or injury based on the evaluation of patient history, examination, and review of laboratory data. The network troubleshooting process requires that you formulate an opinion as to the nature of the connectivity problem based on your evaluation of the history of the network (and the specific computer and user involved), your examination of the physical aspects like cabling, and your review of the data collected via cable testers, network monitors, protocol analyzers, and other tools.

Treatment The patient is usually less interested in having the doctor tell her why she feels lousy than in having him do something to make her feel good again. Likewise, the company’s management and the network’s users may not really care why the network is down—they just want you to get it up and running. The diagnosis is of academic interest, but the treatment is of practical concern. Your training and experience are important in this phase, too. But, like a doctor who isn’t expected to have encountered or memorized the treatments for every possible illness, neither can you be expected to know how to fix every possible connectivity problem, even after you’ve figured out the cause. This is where your research ability comes in; you must have resources that contain information on the “fixes” for common problems and you must know how to use them. You must be able to develop a treatment plan aimed at clearing up the symptom (loss of connectivity) and preventing it from happening again.

Follow-Up In the follow-up phase, the doctor has the patient return for a check-up, even though she may feel fine, to ensure that everything really is functioning normally and that there were no harmful side effects from the treatment he prescribed. You will want to do the same, assessing the results of your treatment, making sure that in fixing the original problem, you didn’t “break” something else.

91_03.qx

2/25/00

10:59 AM

Page 110

110 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

NOTE Another model used in medical circles is known as SOAPR: Subjective, Objective, Assessment, Plan, Review Results. This model uses basically the same steps, breaking the Examination phase into two parts: collection of subjective data (such as the patient’s statement that she feels “out of sorts all the time,” or the doctor’s observation that the patient seems “less responsive than usual”), and objective data (the “numbers” like blood pressure readings or white cell count). Otherwise, the steps are the same, with different names.

SARA Model Let’s look at a completely different profession and see how its model can be adapted to the network-troubleshooting world. SARA is a problem-solving technique widely accepted in the law enforcement community in recent years. The acronym stands for the steps in the problem-solving process: ■ ■ ■ ■

Scan Analyze Respond Assess

Although this model was designed to help the police do their work more effectively, it is equally applicable to tracking down the culprit that’s responsible for your network going down. See Figure 3.6 for an illustration of how the process works. This model can be applied to almost any type of problem solving. If we examine each of the SARA components, we’ll see that it is strikingly similar to the medical profession’s Diagnostic model.

Scanning This means that upon observing or being informed that a problem exists, the first thing you should do is scan, or take in the “big picture.” This is an important step and one that is often ignored, both by eager police officers who rush into a scene focused only on the area that appears to be the source of the trouble, and by network administrators, who likewise make assumptions and fall prey to a similar type of tunnel vision that prevents them from noticing important “clues.”

91_03.qx

2/25/00

10:59 AM

Page 111

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 111

Figure 3.6 The SARA problem-solving process.

S

SCAN Observe, Question, Collect data

A

ANALYZE Sort, Organize, Hypothesize

R

RESPOND Formulate and apply "treatment"

A

ASSESS Monitor results of "treatment"

Analysis After taking a moment to get an overview of the situation, the second step is to analyze the information available. A police officer on the street may have only a split second to perform this analysis. A network troubleshooter, even when under pressure from angry hoards of Internet-addicted users, generally has a bit more time to consider the possibilities and arrive at a logical course of action—which brings us to the next step.

Response In the preceding stage, you may have formulated several educated guesses as to the true source of the problem. Each of these hypotheses may in turn suggest several possible responses. Just as a police officer’s response to a combative subject could range from trying to “talk him down,” to using of physical force, your response to a computer that won’t communicate on the network could range from changing network configuration settings (talking it down), to reinstalling the operating system (shooting it).

91_03.qx

2/25/00

10:59 AM

Page 112

112 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

There are two important points regarding the response phase: ■

■

It is usually best to begin with the less drastic responses and “escalate” from there. Always be prepared for an unexpected response to your response.

Emergency services personnel know the importance of being ready for any contingency. Like them, even when you’ve made your decision as to how to handle the situation, you should have a backup plan.

Assessment After taking action, it’s time to step back and assess the effect of your action. Did it bring about the desired change? Did it make the situation worse? Did it have no effect at all? This assessment will determine what you do next: pack up and go back to your office (and send a bill for your high-dollar rescue operation), or start the whole process all over—once again scanning, perhaps a bit more carefully this time, to catch details you may have missed before.

Putting the Models to Work for You You can use one of these or any other similar problem-solving model to guide you through the troubleshooting process. The important thing is to develop a routine when you go into problem-solving mode, and follow the steps in the same order each time. This will help you to organize your thoughts and keep you from overlooking or discounting vital information. Regardless of which model you use, the steps it proposes will usually fall into the following categories: information gathering, problem isolation, taking corrective measures, and monitoring results.

The Information-Gathering Phase This is the Examination phase in a doctor’s Differential Diagnosis method, or the Scanning phase if you’re following SARA guidelines. In any event, it involves getting all the available data regarding the problem. There are several ways to gather data: we can ask questions of others, we can consult the computer’s log files, or we can bring in the “big guns,” diagnostic devices and software tools.

Questions to Ask The first step in responding to a report of connection problems should be to ask questions of the person reporting the problem, and anyone else who observed the problem. Our objective, in trying to determine what

91_03.qx

2/25/00

10:59 AM

Page 113

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 113

caused the problem, is to determine exactly how the problem manifested itself. The user who experienced the problem is in the best position to give us this information. Unfortunately, he or she may not always know how to tell us what we need to know. Remember the user we discussed earlier, who thought he was being specific when he reported that he “couldn’t get on the Internet?” You’ll find that many of the people who use the network, even those who consider themselves knowledgeable about computers, will suddenly draw a blank when they attempt to describe the problem to you. “I don’t know, it just doesn’t work,” is a common refrain. Police officers know that even when they’re lucky enough to have a perfect eye-witness to a crime, just because the person was there and saw it doesn’t mean he or she will be able to give a logical, chronological report of what happened that contains the information needed to solve the case—at least, not without some help. That’s why, for an investigator in any venue, questioning skills are so important. You are much more likely to get useful answers from your users if you ask the right kinds of questions.

Question Format There are no “good questions” and “bad questions.” There are appropriate and inappropriate questions, given the situation and the personality and knowledge level of the questionee. Open-ended questions, like “What happened?” may be useful as an opening, to get the person talking, or with a technically savvy user who is able to remember and has the vocabulary to describe what prompted him to call you for help. More often, though, open-ended questions will get broad, vague responses that aren’t very helpful. Asking more specific questions will result in more specific (and therefore more useful) answers. Some good questions to ask include: Exactly what task were you trying to perform when the problem occurred? Was he attempting to transfer a file, to access a Web page, to download e-mail, to dial up a remote connection with a modem? Exactly where in the process did the problem occur? For instance, if the user was trying to get his mail and got an error message, did this happen when he tried to connect to the ISP, after establishing the ISP connection when he tried to connect to the mail server, or was he able to download a few messages and then got disconnected? Were you doing anything else in addition to this primary task when the problem occurred? What other programs were open in the background? Was a virus checker or disk defragmenter or

91_03.qx

2/25/00

10:59 AM

Page 114

114 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

other utility running? Was anyone else accessing data on his computer across the network? Was it time for any scheduled tasks to start? What error messages (if any) did the computer display? Error messages can be a great source of information in troubleshooting—if your user can remember what they said. More often, this question will elicit the response, “It gave me some sort of error message, but I don’t remember what it said.” Instead of following your natural impulses and wringing the user’s neck at this point, there are several things you can do. Sometimes you can ask questions that are more specific: Was the error message on a blue screen or was it in a small text box? Did it say anything about a page fault with a bunch of funny numbers and letters? Was there anything in the message about a file not being found? The best thing to do in this situation is to try to recreate the error yourself. If you can’t, try asking the user to do exactly what he did before when the error message appeared, and see if he can reproduce the error. (Watching the user go through the steps without any guidance or directions from you can sometimes produce one of those “Eureka!” moments, when you realize that he’s trying to “browse the local network” using Netscape, or uncover some other equally amusing—if only it hadn’t wasted two hours of your valuable time—misunderstanding). Even if you’re lucky enough to have users who faithfully record every error message, or to see them with your own eyes, it’s a sad fact of life in the IT field that some error messages are more helpful than others. An error message that says “MOST_IMPORTANT_FILE.DLL cannot be found at <systemroot\ system32\important_files\” might be a good starting point for addressing the problem. A message box that says “The operating system will now shut down” doesn’t help much. Nonetheless, even an error message that seems almost completely indecipherable may give you a clue as to whether the problem is network-related, system-related, or both. Is anyone else experiencing the same problem? This is an important question for helping you to determine whether the network is involved. Have the user perform the same task on a different computer, in the same way. Does it work? If he has the

91_03.qx

2/25/00

10:59 AM

Page 115

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 115

same problem, you know it’s not related to the configuration or hardware of the original computer; rather, it has to do with the way he’s performing the steps, or it involves the server or other network equipment. Have you ever been able to perform this task on this computer? Don’t overlook the possibility that the system is not capable of doing what the user is trying to do, either because the hardware doesn’t meet requirements, the necessary software isn’t installed, the operating system or application hasn’t been configured, or the user’s account permissions, or the security policies on the network, don’t allow it. Sometimes, reported “network problems” are not really problems at all—it’s just the security system doing what it’s supposed to do (or what it thought it was supposed to do). You’ll save yourself a lot of time if you remember to ask this question before you spend a lot of time trying to “fix” something that never got broken because it never worked in the first place. If the answer to this question is yes, then you need to question further: When was the last time you were able to perform this task on this computer? Was he able to connect to the server yesterday, but found himself unable to do so when he came in to work this morning? Was she able to surf the Web this morning, but after rebooting the operating system, every URL she typed in returned a “404 error?” Did he have sound prior to installing that new office suite add-on? Try to pinpoint as exactly as possible when the problem first showed itself.

NOTE One way to make the troubleshooting job a little easier in the future is to train your users to write down any error messages they encounter. Take them into the fold, make them a party to the investigation, and impress upon them the vital importance of preserving this piece of “evidence” until you arrive. Some users will always greet you with, “Sorry, I forgot to write it down, and I thought maybe if I restarted the computer that would fix it.” But many of them will be more than happy to help you if you make them feel they’re contributing something valuable.

91_03.qx

2/25/00

10:59 AM

Page 116

116 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

What changes have occurred since the last time you were able to perform this task? Has he deleted any files? “Housecleaning,” or removing “extra, unneeded” files to clear up hard disk space, is a common cause of all sorts of computer malfunctions. Perhaps an important networking component was inadvertently thrown out with the trash. Has she run any utility programs? Some of these, especially third-party products, may attempt to “repair” a system by resetting configurations to the defaults. For instance, I’ve had the experience of installing new application software and finding that my DNS server entries in TCP/IP properties were removed, making it impossible for me to access a Web site using the fully qualified domain name. Has he installed new hardware, or removed any hardware peripherals? New device drivers can conflict with already-existing devices (such as the network card), or the problem may be caused by the operating system “looking” for a piece of hardware that is no longer attached to the computer. Has she opened any Word documents that use macros, or accessed any Web sites that run Active-X or Java scripts? Macros, scripts, and other executables can include intentionally malicious or badly written code or viruses that can affect connectivity, cause general instability, or bring down the entire system. Remember that if you ask the general question (“What changes have occurred?”) you may or may not get a useful answer. Most users will say something like, “Nothing, really.” You must ask about each specific possible change that could have been made to get the real story.

NOTE Don’t assume that just because the computers on your network are running antivirus software, they’re safe. New viruses are being written every day, and your protection is only as good as the latest updates to the virus definition files. Just as some folks get a tetanus shot and then never worry about it again—until they step on a rusty nail 25 years later—some people install Norton or McAfee antivirus programs and then proceed with a false sense of security, even though they haven’t downloaded the update files in months.

91_03.qx

2/25/00

10:59 AM

Page 117

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 117

Log Files Another source of information that you’ll want to consult during the datagathering phase are the Windows 2000 log files. These files are accessed via the Event Viewer, in the Administrative Tools menu. The Windows 2000 Event Viewer, like Windows NT, provides the following log files: ■ ■ ■

Application System Security

NOTE A Windows 2000 Server, depending on its configuration, may also contain additional event logs in Event Viewer, such as the Directory Service log, the DNS Server log, and the File Replication Service log. In addition, many services such as DHCP, RAS, DNS, and WINS maintain text-based log files in their own directories. You can configure these text log files within the Management Console of each respective service.

Application Log The Application log contains errors and events logged by application programs. What events, if any, are logged is determined by the application developer and written into the program code.

NOTE If there is binary data included in the event details, you can save it by saving the log with the .EVT extension. You can also save the logs in text or comma-delimited text format (.TXT or .CSV), but this does not preserve the binary data. The binary data is shown in hexadecimal, and generally will be useful only to a programmer. Some programs don’t generate binary data.

System Log The System log may prove to be more useful, as it contains events logged by the Windows 2000 operating system. If a service fails to initialize during the bootup of the operating system, for instance, Windows 2000 will enter an event in the System log. You will also see a message displayed

91_03.qx

2/25/00

10:59 AM

Page 118

118 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

telling you that one or more services failed to start and advising you to check the System log for more information. See Figure 3.7 for an example of the Windows 2000 System log. Figure 3.7 The Windows 2000 Event Viewer allows you to access log files.

You will note that in the illustration, three types of messages are shown: Information, Warning, and Error messages. ■

■

An Information message announces that an event occurred, such as the message shown in Figure 3.8, informing you that the DHCP service has cleaned up the database for unicast IP addresses and telling you how many leases were recovered and how many records were removed from the database. A Warning message pertains to an event that could indicate the potential for a problem in the future, but is not currently of enough significance to result in an error message. An example of a Warning message is shown in Figure 3.9, advising that the time service has not been able to find a domain controller with which it could synchronize. Warning messages are indicated in the log by a yellow triangular icon with an exclamation point.

91_03.qx

2/25/00

10:59 AM

Page 119

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 119

Figure 3.8 The details of an informational message in the System log.

Figure 3.9 An example of a Warning message in the Windows 2000 System log.

91_03.qx

2/25/00

10:59 AM

Page 120

120 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines ■

Error messages are the most serious of the three message types, and are used to denote significant problems that already have or could result in data loss, performance degradation, or functionality. An example of an error message is shown in Figure 3.10, advising that a remote WINS server aborted the attempt to connect, and replication did not take place. Error messages are represented in the log by red circles with a white “X” through the middle.

Figure 3.10 An example of an Error message in the Windows 2000 System log.

Security Log The Security log is used to record security-related events such as access to resources, successful or failed logon attempts, or exercise of user rights. When an administrator enables auditing (via the Group Policy settings) and specifies the events to be audited, the results will be displayed in the Security log.

NOTE You must be logged on with administrative privileges to access the Group Policy settings and enable auditing.

91_03.qx

2/25/00

10:59 AM

Page 121

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 121

Working with the Log Files in the Event Viewer A handy feature in the Windows 2000 Event Viewer is the ability to copy the contents of the message detail to the clipboard simply by clicking a button (marked by an icon showing two sheets of paper with the corners turned down, the third button in the previous figures). You can archive an event log by selecting the log you wish to save in the Event Viewer console tree, clicking the Action menu, then clicking the Tasks command, and choosing Save As.

TIP Archiving a log does not clear the contents of the log; to do that, you must choose Clear All Events from the Action menu.

You can specify logging options by clicking Properties on the Action menu and choosing the desired options on the General tab, as shown in Figure 3.11 Figure 3.11 Setting logging options in the Log Properties dialog box.

91_03.qx

2/25/00

10:59 AM

Page 122

122 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

This is where you configure the maximum amount of disk space the log can occupy, and what should occur when the limit is reached. You can also clear the log here, with the click of a button. You can also filter the events in a specified log. When you archive the log, however, the entire log will be saved regardless of filtering.

NOTE You must be an administrator in order to set logging options.

Tools of the Trade Chapter 4 will look in detail at some of the tools you can use to assist in your “diagnosis” and plan a “cure” for the problem. Perhaps the most important tool for a network troubleshooter is a good protocol analyzer. To really learn what’s going on with the network, you have to examine the packets themselves. This requires not only that you have a good analyzer, but that you learn how to use it. There are many types available, from stand-alone and handheld devices to software-only solutions. Microsoft’s Network Monitor (often referred to as ”NetMon”) is a good tool for analyzing Windows-based networks. A big advantage is that a basic version of NetMon is included with the Windows 2000 Server operating systems (see Figure 3.12). This free version of NetMon will only capture packets that are sent from or to the server on which it is installed. If you want to capture packets for the entire network, you need the enhanced version of Network Monitor, which is part of Microsoft’s System Management Server. In Chapter 4, we will discuss in detail how to use NetMon and other network analysis tools. When we have finally gathered as much data as possible, we can move on to the next phase in the troubleshooting process.

The Problem Isolation Phase This is the Diagnostic, or Analysis phase. This is where you take the large amount of information gathered from your investigative sources (results of monitoring and analysis equipment, users’ answers to questions, and your own personal observations), determine which bits are relevant and which can be discarded (in any thorough investigation, there will always be much more “data” than useful “information”), and use the rest to put together the pieces of the puzzle and solve the mystery.

91_03.qx

2/25/00

10:59 AM

Page 123

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 123

Figure 3.12 The Microsoft Network Monitor included with Windows 2000 Server.

One of your objectives during this phase is to look for patterns. Has this problem occurred here before? Do the “symptoms” match something you’ve heard about or read about? The first step in analyzing the information is to organize it in a fashion that will allow you to notice trends and pick out the key facts.

Organizing and Analyzing the Information This step may be done on paper, on screen, or in your head, but it is important that you sort through all the random facts and numbers you’ve gathered to determine which facts support which theories (and which would tend to negate which theories, too). In its simplest form, the process would work like this: Your user reports that the network file server, BIGSERVER, is “gone” from the network. (BIGSERVER is a Windows 2000 member server in a mixed-mode domain).

91_03.qx

2/25/00

10:59 AM

Page 124

124 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

Given that information, what are some scenarios that could cause the problem? It’s possible, although unlikely, that BIGSERVER has crashed. Since the machine itself sits a few feet away from your own workstation, you use your visual observation skills to confirm that BIGSERVER is up and running. You’ve eliminated one possibility. Another is that BIGSERVER’s network card has malfunctioned, a cable has loosened, or something else has caused the server to become disconnected from the network. You continue your investigation by trying to access BIGSERVER from your own workstation. You are able to ping the server with no problem using its IP address. You have eliminated another possibility: you now know that BIGSERVER is connected to the network. And since you can ping him successfully, you know his TCP/IP configuration is okay. You now consider the possibility of a name resolution problem. Perhaps the network’s DNS server is down. You try pinging BIGSERVER by name, and get a response. The DNS server is working properly. Could the problem be with the network’s browser service? You check “My Network Places” and find that BIGSERVER is listed in the domain. Perhaps there’s a problem with NetBIOS name resolution. The user didn’t say what application he was using that made BIGSERVER disappear, so maybe its not a host name problem, but a NetBIOS name problem. You double-click BIGSERVER in the My Network Places windows, and you see all of BIGSERVER’s network shares. At this point, you’ve narrowed the problem down considerably, and decided that it must be specific to the complaining user’s workstation. You go to that computer, which is running NT Workstation, and question the user further. What exactly does he mean when he says BIGSERVER is “gone?” The user tells you that he has tried to FTP to BIGSERVER and is unable to do so. He also opens up My Network Places and clicks on BIGSERVER’s name. Nothing happens. At this point you suspect a problem with the workstation’s configurations, but don’t know whether it’s a browse issue, a name resolution issue, or a TCP/IP connectivity issue. You ask if he tried to ping BIGSERVER and he replies that he did, using the server’s IP address, but received “some kind of error message.” Now you’re hot on the trail of the problem! You know it’s not a name resolution problem, since that wouldn’t affect your ability to ping by IP address. You know the server’s IP address is configured and working properly because you were able to ping from your own workstation. Now you open a command prompt, attempting to ping BIGSERVER and reproduce the problem. When you type “ping 192.168.1.2” at the command line, you receive the message shown in Figure 3.13.

91_03.qx

2/25/00

10:59 AM

Page 125

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 125

Figure 3.13 Ping error message.

This error indicates that something is wrong with the TCP/IP stack. You get the same message when you attempt to ping the loopback address, 127.0.0.1. That convinces you that TCP/IP is not working. You open the local area connection’s Properties box and discover that TCP/IP is not installed on the machine. Upon further questioning, the user tells you that he uninstalled the protocol from “another connection.” He points to the connection icon for the VPN, assuring you that he didn’t change anything on the local area connection. You sigh and explain that uninstalling the protocol from one connection removes it from all of them that use that network card, and you reinstall and reconfigure TCP/IP. BIGSERVER magically reappears. The user asks you why he was still able to “see” the other servers, and you show him that the NetBEUI protocol was still installed after he removed TCP/IP. The servers he was still able to connect to were on his local network segment and were running NetBEUI. Since BIGSERVER’s only networking protocol is TCP/IP and the workstation’s only protocol was NetBEUI, they had no common protocol over which they could communicate. You go back to your station to reassess the company’s practice of allowing users to be administrators of their own workstations.

Setting Priorities Since troubles tend to come in threes (or even bigger “gangs”), an important step in troubleshooting is to first prioritize the problems themselves, and then prioritize the factors that affect your efforts to solve them.

91_03.qx

2/25/00

10:59 AM

Page 126

126 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

Prioritizing the Problems In categorizing problems, priorities are usually set based on one of two criteria (or a combination of both): ■ ■

Productivity factors Political factors

The first is easy to understand, and prioritizing problems based on their effect on productivity is fairly easy to do. It’s obvious that, in general: 1. Problems that affect the entire network are higher priority than those that affect only a few users. 2. Problems that affect mission-critical activities (such as on-time delivery of time-sensitive material) are higher priority than those that affect less urgent activities (such as routine archiving of data). 3. Problems that are ongoing and worsen with time are higher priority than those that occur only occasionally and then clear up on their own. The second prioritization factor is a bit subtler, and may not be talked about or even acknowledged. In fact, the “unwritten rules” may be in direct conflict with the company’s stated policies. Every organization has its “pecking order” and its internal politics. It might seem that a problem affecting a whole department of clerks’ ability to access word processing documents is clearly a higher priority than a problem that prevents one user from surfing the Web. However, if that one user happens to be the CEO, who is addicted to his daily dose of online stock market reports and is in the throes of withdrawal, logical methods of prioritizing may not be applicable.

Prioritizing the Solutions When developing possible solutions, you will want to decide what factors are most important to your company in general, and in this particular instance. Factors to consider: Cost. Don’t forget that the immediate monetary outlay to implement the solution doesn’t tell the whole story in terms of total cost. You must also consider ongoing associated costs, and intangibles, just as the time of those who will do the work and the time lost by those who are unable to work while the network is down. Time. This is closely related to cost, and is a potentially high cost due to loss in productivity. Sometimes the (seemingly) more

91_03.qx

2/25/00

10:59 AM

Page 127

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 127

expensive solution, if it fixes the problem more quickly, is more cost-effective in the long run. Longevity. Do you need a long-lasting solution that will solve the problem permanently, or are you planning to reconfigure the entire network and install all new equipment three months from now and you only need a “fix” that will last until then? Performance. If a more expensive solution also improves overall performance at the same time it fixes the problem, it may be well worth the extra expense. Sometimes problems present perfect upgrade opportunities.

Taking Corrective Measures Sometimes there will be several available solutions; which one you implement will depend on many factors, including the priorities you’ve set. In some cases, the decision will be determined by budgetary restrictions. For instance, if too many users log on the domain at the same time when they start work each morning and cause a network slowdown, one solution is to buy additional servers to act as domain controllers. Another, less expensive answer might be to stagger the times at which employees’ workdays begin in 15-minute increments. In other cases, performance or time is the top priority, regardless of cost.

One Change at a Time Remember the third commandment: Only implement one change at a time and assess the effects of that change before trying something else. This will save you much grief in the long run.

Order of Implementation It makes sense to try the easiest solutions, the least time-consuming ones, the less expensive ones, and the least invasive ones first. If a patient complains of a minor headache, a doctor is likely to have him try taking a couple of aspirin to see if that relieves the symptom, rather than starting out with a more drastic treatment, like brain surgery.

Monitoring Results The last official step in troubleshooting is to assess the results of your actions, determine whether your “fix” worked, whether it was

91_03.qx

2/25/00

10:59 AM

Page 128

128 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

only a temporary workaround or actually solved the problem, and what can be done to prevent the problem from recurring in the future. The assessment and follow-up stage should also include developing a succinct summarization of the problem and solution, which may be disseminated to any or all of the following: Superiors within the company: If the problem had significant or ongoing impact on the operation of the network, you may need to submit a report to your supervisors or management personnel. The affected user(s): One way to prevent problems in the future is to make them a learning experience for the users (as well as for you). Educate the users about what happened, inform them of anything they can do to prevent it from happening, or failing that, the best course of action for them to take if it does happen. The hardware or software vendor(s): If the problem indicates a failure of network hardware or a bug in a software component, you may want to notify the vendor. Submitting a formal report makes it more likely the problem and its solutions may be incorporated into the vendor’s own documentation, such as the Microsoft Knowledge Base. Your permanent records: Don’t forget to record the details in your log or journal, so that if the problem arises again—even if you’ve been promoted to a high-level upper-management jet-setting position and are not on hand when it happens—all the information will be there and time won’t be spent researching or engaging in the same trial-and-error experimentation all over again.

Using Forms and Check lists Forms serve a useful purpose by helping you to organize your information at the same time you’re collecting it. A form that incorporates check lists can serve as a guideline for your queries, and helps ensure that you don’t forget something important. It can also speed up the troubleshooting process. Finally, the form itself can serve as the permanent record of what happened and how it was addressed. You can develop your own forms that contain fields specific to your company and its network, using the following sample form as a starting point.

91_03.qx

2/25/00

10:59 AM

Page 129

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 129

Network Troubleshooting Information Form Date:

Time:

Person reporting problem: Name/location of computer displaying problem:

Briefly describe the nature of the problem as specifically as possible:

History–former occurrences of this problem:

Exactly what was being done on the computer when the problem occurred?

What programs and processes were running when the problem occurred?

What error messages (if any) were displayed?

Was the computer restarted? ❏ restarted by operator

❏ automatic restart

If the computer was restarted, did it boot into the operating system normally?

If no, describe any problems, freezes, error messages, or unusual behavior upon reboot.

Operating system: Domain/workgroup:

Version

91_03.qx

2/25/00

10:59 AM

Page 130

130 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

Network Protocols installed (in order of binding):

Network connectivity check: ❏ Network accessible via browse list ❏ Can connect to other computers via UNC path ❏ Can ping loopback ❏ Can ping local host ❏ Can ping another computer on same segment ❏ Can ping near side of router ❏ Can ping far side of router ❏ Can ping host on a remote segment Error messages encountered in PING attempts:

TCP/IP Configuration check list: ❏ DHCP client ❏ IP address ❏ Subnet mask ❏ Default gateway ❏ DNS primary ❏ WINS primary ❏ Advanced TCP/IP settings: ❏ MAC address ❏ Protocol Analysis: Tool Used

Secondary Secondary

Results:

Hardware/Physical environment check list: ❏ NIC ❏ Hub(s) ❏ Router(s) ❏ Cables ❏ Power ❏ Temperature ❏ Humidity ❏ EMI/RFI/ESD

91_03.qx

2/25/00

10:59 AM

Page 131

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 131

Antivirus: Virus check run:

Updated

Event Logs: significant entries:

Narrative (in chronological order, describe your response to the problem):

Diagnosis:

Solution:

Recommended follow-up:

Summary In this chapter, we covered some general principles of troubleshooting and problem-solving and discussed ways of applying them to our jobs as network support professionals. We discussed the Ten Commandments of Troubleshooting: 1. Know thy network. 2. Use the tools of the trade. 3. Take it one change at a time. 4. Isolate the problem. 5. Recreate the problem. 6. Don’t overlook the obvious. 7. Try the easy way first.

91_03.qx

2/25/00

10:59 AM

Page 132

132 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines

8. Document what you do. 9. Practice the art of patience. 10. Seek help from others. We discussed the many sources of troubleshooting documentation available for Windows 2000 administrators, both from Microsoft and from third parties. We looked at the new and vastly improved Help file system, and the printed material, online books, and utilities included in the Microsoft Resource Kits. We talked about MS Press publications, and how to use both the Web-based and the CD versions of TechNet. We also looked at the many newsgroups and mailing lists, hosted by Microsoft and others, that allow Windows 2000 administrators and users to share their experiences and pool their knowledge. Then we talked about how to use the World Wide Web as a troubleshooting resource, including ways of conducting an effective search and how to sort through this huge global repository of information. We examined a couple of widely popular problem-solving models, the Differential Diagnosis model used in medicine and the SARA (Scan, Analyze, Respond, Assess) model that has become a standard in modern law enforcement agencies. We discussed the steps involved in the problem-solving process, and how to apply the principles to network troubleshooting. We broke each step down into its basic components: 1. Information gathering 2. Problem isolation 3. Taking corrective measures 4. Monitoring results. We looked at some of the useful troubleshooting tools built into or included with Windows 2000, such as the System, Application, and Security logs, and the basic Network Monitor software. Finally, we discussed the ways in which forms and check lists can speed up the troubleshooting process and increase our efficiency, and provided a sample form that network administrators can customize for use in their own companies.

91_03.qx

2/25/00

10:59 AM

Page 133

Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 133

FAQs Q: Why is it important to follow a model or set of steps in troubleshooting? A: Adopting a problem-solving model and proceeding through the steps in a methodical manner, in the same order each time, offers several advantages: ■ It forces you to organize your thoughts. ■ It guides you in asking questions and gathering information. ■ It prevents you from forgetting important steps. Q: How and why should I attempt to reproduce the problem? A: You should attempt to reproduce the same problem on the same machine and on a different machine. This will help you determine whether the problem is user-specific, machine-specific, or a networkwide problem. Q: What are some troubleshooting resources provided by Microsoft for Windows 2000 and its components? A: Help files and readme files, online documentation on the Microsoft Web site (white papers, TechNet and the Knowledge Base, Resource Link), the Resource Kits, other MS Press publications, and finally public and private newsgroups. Q: What are the four basic steps common to all problem-solving models? A: Information gathering (also called Scanning or Examination); problem isolation (also referred to as Analysis or Diagnosis); taking corrective measures (also called Response or Treatment); and monitoring results (also known as Assessment or Follow-up). Q: What is a protocol analyzer and why do I need one? A: A protocol analyzer is a software tool or dedicated hardware device that actually examines the contents of the packets that travel over the network. Windows 2000 includes a “light” version of the Network Monitor software. The fully functional version, which can capture packets not only from the machine on which it’s installed but also those sent to and from other machines on the network, is part of Microsoft’s Systems Management Server.

91_03.qx

2/25/00

10:59 AM

Page 134

91_tcpip_04.qx

2/25/00

10:57 AM

Page 135

Chapter 4

Windows 2000 TCP/IP Internals

Solutions in this chapter: ■

Windows 2000 Enhancements to the TCP/IP Stack

■

Windows 2000 TCP/IP Architecture

■

IP in Windows 2000

■

TCP and UDP in Windows 2000

■

IPSec

■

TCP/IP Registry Settings

135

91_tcpip_04.qx

2/25/00

10:57 AM

Page 136

136 Chapter 4 • Windows 2000 TCP/IP Internals

Introduction Microsoft has rewritten and enhanced its TCP/IP stack on several occasions. The protocols that were extensively redesigned for NT 3.5 have evolved with each improvement to the corporate operating system, and many new and exciting features have been added in the Windows 2000 implementation. The focus in Windows 2000 has been on creating a TCP/IP stack that is scalable, in keeping with Windows 2000’s intended use in enterprise networks, and one that is versatile, easy to administer, and performs well. Windows 2000 still supports the features that made the Windows NT TCP/IP stack easy to work with, such as IP routing and Internet Group Management Protocol (IGMP), version 2, which supports IP multicasting. Microsoft has also added new features to make Windows 2000 their most TCP/IP-friendly operating system yet. TCP/IP is the native network/transport protocol for Windows 2000 and is installed by default when you install the operating system.

RFC Compliance The Windows 2000 implementation of Microsoft TCP/IP supports a large number of RFCs (Requests for Comments) that define various aspects of how the protocols work. RFCs are used to describe Internet standards, and go through a formal approval process before being adopted. Microsoft states that Windows 2000 TCP/IP supports the following RFCs: 768 783 791 792 793 816 826 854 862 863 864 865 867 894

User Datagram Protocol (UDP) Trivial File Transfer Protocol (TFTP) Internet Protocol (IP) Internet Control Message Protocol (ICMP) Transmission Control Protocol (TCP) Fault Isolation and Recovery Address Resolution Protocol (ARP) Telnet Protocol (TELNET) Echo Protocol (ECHO) Discard Protocol (DISCARD) Character Generator Protocol (CHARGEN) Quote of the Day Protocol (QUOTE) Daytime Protocol (DAYTIME) IP over Ethernet

91_tcpip_04.qx

2/25/00

10:57 AM

Page 137

Windows 2000 TCP/IP Internals • Chapter 4 137

919, 922 IP Broadcast Datagrams (broadcasting with subnets) 950 Internet Standard Subnetting Procedure 959 File Transfer Protocol (FTP) 1001, 1002 NetBIOS Service Protocols 1009 Requirements for Internet Gateways 1034, 1035 Domain Name System (DNS) 1042 IP over Token Ring 1055 Transmission of IP over Serial Lines (IP-SLIP) 1112 Internet Group Management Protocol (IGMP) 1122, 1123 Host Requirements (communications and applications) 1134 Point-to-Point Protocol (PPP) 1144 Compressing TCP/IP Headers for Low-Speed Serial Links 1157 Simple Network Management Protocol (SNMP) 1179 Line Printer Daemon Protocol 1188 IP over FDDI 1191 Path MTU Discovery 1201 IP over ARCNET 1231 IEEE 802.5 Token Ring MIB (MIB-II) 1256 ICMP Router Discovery Messages 1323 TCP Extensions for High Performance 1332 PPP Internet Protocol Control Protocol (IPCP) 1334 PPP Authentication Protocols 1518 An Architecture for IP Address Allocation with CIDR 1519 Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy 1533 DHCP Options and BOOTP Vendor Extensions 1534 Interoperation Between DHCP and BOOTP 1541 Dynamic Host Configuration Protocol (DHCP) 1542 Clarifications and Extensions for the Bootstrap Protocol 1547 Requirements for Point-to-Point Protocol (PPP) 1548 Point-to-Point Protocol (PPP) 1549 PPP in High-level Data Link Control (HDLC) Framing 1552 PPP Internetwork Packet Exchange Control Protocol (IPXCP)

91_tcpip_04.qx

2/25/00

10:57 AM

Page 138

138 Chapter 4 • Windows 2000 TCP/IP Internals

1825 1826 1827 1828 1829 1851 1852 2014 2085 2136 2205 2236

Security Architecture for the Internet Protocol IP Authentication Header (AH) IP Encapsulating Security Payload (ESP) IP Authentication using Keyed MD5 ESP DES-CBC Transform The ESP Triple DES-CBC Transform IP Authentication using Keyed SHA HMAC: Keyed Hashing for Message Authentication HMAC-MD5 IP Authentication with Replay Prevention Dynamic Updates in the Domain Name System (DNS UPDATE) Resource ReSerVation Protocol (RSVP), Version 1 Functional Specification Internet Group Management Protocol, Version 2

New standards are, of course, being approved on an ongoing basis, and we can expect Microsoft to incorporate new RFC specifications into the TCP/IP stack with subsequent updates. In this chapter, we will examine more closely some of the RFCs listed and how they are implemented in Windows 2000. Of special interest are RFC 1323, TCP Extensions for High Performance, which discusses scalable TCP window sizes; and 1519, which addresses Classless Inter-Domain Routing (CIDR). We will also look at the architecture of the Windows 2000 TCP/IP stack, and how the boundary layers function with the TCP/IP protocols. We will examine the internals of IP, TCP, and UDP, and then we’ll look at one of Windows 2000’s most interesting new features: IP Security. Finally, we’ll talk about how to solve connectivity problems and enhance performance by making changes to Windows 2000 Registry.

Enhancements to the TCP/IP Stack in Windows 2000 The most important enhancements that Microsoft has made to the TCP/IP protocol stack in Windows 2000 have to do with increasing performance. We will look at the operating system’s support for the following, and how you can use these changes to benefit your TCP/IP network: ■

■

RFC 1323 TCP extensions: scalable TCP window size and timestamping Selective Acknowledgments (also called SACK) in accordance with RFC 2018

91_tcpip_04.qx

2/25/00

10:57 AM

Page 139

Windows 2000 TCP/IP Internals • Chapter 4 139 ■

■ ■ ■ ■ ■

Support for IP over ATM (Asynchronous Transfer Mode) as detailed in RFC 1577 TCP Fast Retransmit Quality of Service (QoS) Resource Reservation Protocol (often referred to as RSVP) IPSecurity (IPSec) The Network Driver Interface Specification, version 5.0

For IT Professionals

How an RFC Becomes an Internet Standard RFCs are submitted by any interested party and assigned an RFC number. Not all RFCs describe standards, but if a document is to become a standard, it goes through three stages: Proposed Standard Draft Standard Internet Standard RFC 2226, “Instructions to Authors,” contains information on how to write and format a draft (called an Internet Draft, or I-D). The Internet Engineering Steering Group (IESG) then reviews the document, which is a part of the Internet Engineering Task Force (IETF). The IETF’s working groups (WGs) create a large number of the I-Ds. For more detailed information, see www.ietf.org/home.html. After review and approval, the document is edited and published. The RFC editor, employed by the Internet Society, maintains and publishes a master list of RFCs, and is also responsible for final editing of the documents. The RFC editor’s homepage is located at www.rfceditor.org/. Technical experts and/or an appointed task force classify each RFC as one of the following: Required Status—Must be implemented. Recommended Status—Encouraged. Elective Status—May be implemented, but not required. Limited Use Status—Not intended for general implementation. Not Recommended Status—Implementation is discouraged. Continued

91_tcpip_04.qx

2/25/00

10:57 AM

Page 140

140 Chapter 4 • Windows 2000 TCP/IP Internals

For more information about the RFC submission and approval process, see RFC 2026 at ftp://ftp.isi.edu/in-notes/rfc2026.txt. The RFC editor also provides a search engine at www.rfc-editor.org/rfcsearch.html, where you can search the master RFC database, download the entire collection of RFCs, and vote for your favorite RFC.

RFC 1323: TCP Extensions for High Performance RFC 1323, which is available on the Web for you to view at http://freesoft.org/CIE/RFC/1323/index.htm, discusses the specifications for extensions to TCP, the connection-oriented Transport layer protocol, which will give better performance over high-speed links. Scalable TCP windows, which allow for much larger packets than in the past, and TCP timestamps options are two RFC 1323 features supported by Windows 2000 that we will look at more closely.

TIP You may notice that at this layer, the packets or “chunks” of data are often called segments. TCP doesn’t recognize messages as complete units; it sends a group of bytes, not a complete “message.”

Scalable TCP Window Size NT administrators are familiar with the concept of sliding windows, the method used by the TCP protocol to control the flow of data. The sliding “window,” which is really a buffer, is the amount of data that can be buffered during a TCP communication.

NOTE A buffer is a holding place in memory for data, which allows a device or process to operate at different speeds or with different rules or priorities without one being “held back” by the other.

To really understand how sliding windows work, we must look at the process of establishing a TCP communication with another computer.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 141

Windows 2000 TCP/IP Internals • Chapter 4 141

The Three-Way Handshake Computers using TCP to communicate have both a Send window and a Receive window. At the beginning of a TCP communication, the protocol uses a three-way handshake to establish the session between the two computers. Because TCP (unlike its Transport layer “sibling,” UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to the sending and receiving of data. The client computer initiates the communication with the server (the computer whose resources it wants to access). The “handshake” includes the following steps: 1. Sending of a SYN (synchronization request) segment by the client machine. An initial sequence number, sometimes just referred to as the ISN, is generated by the client and sent to the server along with the port number the client is requesting to connect to on the server. 2. Sending of an ACK message and a SYN message back to the client from the server. The ACK segment is the client’s original ISN plus 1, and the server’s SYN is an unrelated number generated by the server itself. The ACK acknowledges the client’s SYN request, and the server’s SYN indicates the intent to establish a session with the client. The client and server machines must synchronize one another’s sequence numbers. 3. Sending of an ACK from the client back to the server, acknowledging the server’s request for synchronization. This ACK from the client is, as you might have guessed, the server’s ISN plus 1. When both machines have acknowledged each other’s requests by returning ACK messages, the handshake has been successfully completed and a connection is established between the two. See Figure 4.1 for an illustration of how this process works. For example, in Figure 4.1 the client wishes to establish an SMTP session with the server. The client sends a SYN segment that includes an ISN of 8261457 and the port number 25, which is the well-known port for Simple Mail Transfer Protocol (SMTP).

NOTE The SYN segment’s TCP header will also contain the source port to be used by the client, and TCP options such as the maximum segment length.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 142

142 Chapter 4 • Windows 2000 TCP/IP Internals

Figure 4.1 The TCP “three-way handshake” that establishes a communication session.

Step 1

SYN segment Client

Server

ACK message

Step 2

SYN segment Client

Step 3

Server

ACK message Server

Client

Connection Established!

In the second step, the server receives the SYN segment. It sends back an ACK message of 8261458. It also sends its own SYN message, with its own ISN of 2118922. The client receives the ACK and SYN. It increments the server’s ISN by 1 and returns an ACK of 2118923. At that point, the handshake is complete and the two are ready to “talk.” In case the concept is still a little muddy, here’s an analogy to help you understand the process: If you want to establish a one-to-one session (conversation) over the telephone with your best friend to tell him that you just got a big promotion and pay raise, you would not just dial up his number and then announce, “I got the Regional Manager job!” as soon as someone picked up on the other end. Instead, when the telephone was answered with “Hello?” you would ask, “Is this Jeff?” Jeff would then send you an acknowledgment: “Yes,” and a request of his own, “Mutt, is that you?” Once you replied in the affirmative, acknowledging Jeff’s message, the real “session” would be established and you can now send your information (“I got the job!”) over this “reliable connection.”

91_tcpip_04.qx

2/25/00

10:57 AM

Page 143

Windows 2000 TCP/IP Internals • Chapter 4 143

One point to remember is that TCP options are sent only in SYN segments, thus the final step in the handshake (the ACK from the client for the server’s SYN message).

NOTE A similar process occurs when the connection is terminated (sometimes referred to as session “tear down”). However, it actually requires the sending of more packets to end the connection than are required to establish it. Four packets must be sent in order to terminate the connection. This is because it is a two-way (full duplex) connection and it must be terminated for each direction separately. The client and server must each initiate a sequence to close the flow of data originating from its side. The request to close the connection is called a FIN message. The process works like this: (1) The client sends a FIN to the server, (2) the server sends an ACK to the client, (3) the server sends a FIN to the client, and (4) the client responds with an ACK back to the server. This is sometimes called “four-way disconnect.” Unlike the opening of the session, the server’s FIN is a separate transmission that is not part of its ACK of the client’s FIN.

Window Size Negotiation During the handshake, information is also sent to negotiate the size of the TCP window, or buffer. The usual procedure is to set the Send window to the same size as the other computer’s Receive window (the exception is when the Send window is smaller than the other computer’s Receive window). The destination computer first “advertises” a window size, and the sending computer adjusts its window size to match and sends the data. If the receiving computer is not able to process the data as quickly as the other computer sends it, the receiver will acknowledge the data and then reduce its window size, which signals the sender that it still has data in the buffer. Once the receiver “catches up,” it will advertise a larger window size again. Thus the TCP window size is dynamic, changing throughout the session. The size of the TCP Receive window on the destination computer limits how much data the sending computer can transmit before it has to stop and wait for an acknowledgment from the destination computer. In other words, the Receive window size (on the destination computer) refers to the amount of data that is buffered.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 144

144 Chapter 4 • Windows 2000 TCP/IP Internals

One change in Windows 2000 is default window sizes, which have been increased for better performance. Here’s how the process works: 1. A Maximum Segment Size (MSS) is negotiated between the sending and receiving computers during the three-way handshake that establishes the connection. The Maximum Segment Size is the maximum number of bytes that can be sent per TCP transmission (a unit of data that is acknowledged). In general, a larger MSS will result in faster performance—up to the point that fragmentation (breaking up of the segment) occurs. 2. TCP adjusts its Receive window size, instead of using a hardcoded default size. This is based on even increments of the MSS.

NOTE The default segment size is 536 bytes. This is the size used if there is no MSS set in the TCP options in the SYN message. The MSS can only be as large as the Maximum Transfer Unit (MTU) for the sending network interface. If the network is an Ethernet network, the MTU would be up to 1460 bytes. Commonly, the MSS is expressed as a multiple of 512, so it would be 1024 in most Ethernet-based TCP communications.

When a Windows 2000 computer sends a request for a TCP connection to another computer, it advertises a 16K Receive window. Then, when the connection is made, that size gets rounded upward to an even increment of the MSS. This means that on an Ethernet network, the window will ordinarily be 17,520 bytes, because that is 16K rounded upward to 12 1460-byte segments.

NOTE You can adjust the size of the Receive window to a particular value by editing the Windows 2000 Registry.

How the Windows Work In a TCP communication, each packet must be acknowledged. That way, if a packet fails to arrive at its destination (and thus the receiving computer does not send back an acknowledgment for it), it will be sent again. That’s why TCP is considered a reliable communication protocol.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 145

Windows 2000 TCP/IP Internals • Chapter 4 145

TCP must provide some method of controlling the “flow” of data transmission when multiple TCP connections have to share a busy link. Flow control is necessary so that the receiving computer doesn’t get “overwhelmed” by a sending computer that deluges it with data faster than it can be processed, or alternately, so that the receiver doesn’t sit around waiting for the data to “trickle” in. Flow control is the process of matching the outflow of data from the sending computer to the receiving computer’s inflow. This is done by setting a limit on the number of packets that can be sent before acknowledgment is required, which signals the sender to slow down (or stop and wait) if data is “piling up” in the receiver’s buffer. If the buffer overflows, data will be lost and must be retransmitted. Think of flow control as the effective management of the data flow between devices in a network so that the data can be handled at an efficient pace. A real-world example of flow control is the timing of the conveyor belt in a factory that uses an assembly line. It must be adjusted so that the outflow at the beginning of the line corresponds to the amount of time it takes the worker at each station to perform his or her task on each object before it moves on. In the TCP communication process, the “window” is those bytes of data that could be considered active. That is, they’re ready to be sent, or they have been sent and are awaiting acknowledgment. As acknowledgments are received, the window “slides” past those bytes, to send additional bytes. See Figure 4.2 for an illustration of this concept. A sequence number is added to the data in the Send window by TCP. The data is passed “down” the protocol stack to IP in the Internetwork layer, where addressing and routing takes place. There, the TCP segments are encapsulated in IP datagrams. A retransmit timer is added to each segment as it is sent. This indicates how long TCP should wait for an acknowledgment before resending the packet.

NOTE The sliding window protocol determines how much data is being transmitted based on actual bytes, rather than segments. When the packets reach the destination computer and enter its Receive window, they are put back into proper order based on the sequence number. When an acknowledgment is received by the sending computer, the Send window slides past those bytes. If no acknowledgment is received before the time set in the retransmit timer expires, the sending computer will send the unacknowledged bytes again.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 146

146 Chapter 4 • Windows 2000 TCP/IP Internals

Figure 4.2 How the TCP windows “slide” as bytes are sent, received, and acknowledged.

Send Window Acknowledged 1

2

3

4

5

6

7

3

2

1

TCP sliding "window"

Receive Window

7

6

5

4

The Receive window moves as the acknowledgments are received. The bytes within the Send window do not, however, have to be sent immediately A delayed-ACK timer is started when a destination computer gets the packets out of sequence. TCP doesn’t always send an acknowledgment the instant it receives a packet. The ACK can be delayed for up to 200 milliseconds. If the packets that are missing from the sequence aren’t received before the delayed-ACK timer expires, an acknowledgment will be sent for the first packet but not the rest of the packets received. This means that if the retransmit timer is not set to a value greater than the delayed-ACK timer, there will be unnecessary retransmitting of packets. Here is an example of how it works: If packets 1 and 3 are received but packet 2 is missing, TCP will wait, anticipating the arrival of packet 2. If it does not arrive before the timer expires, TCP will send an ACK for packet 1 only. If packet 2 still does not arrive, this may cause both packets 2 and 3 to be retransmitted. As you can see, resending packets adds to the amount of traffic on the network. Larger TCP windows will increase network performance on a fast link. In Windows NT, an acknowledgment is sent after every two sequenced packets are received. With Windows 2000, with RFC 1323 options enabled, the window size is scalable and larger windows can be utilized to increase network performance on a high-bandwidth link. This

91_tcpip_04.qx

2/25/00

10:57 AM

Page 147

Windows 2000 TCP/IP Internals • Chapter 4 147

speeds up the transfer of data on networks that are built on fast media and can take advantage of the feature.

NOTE The delayed ACK timer is set and used by the destination computer. The sending computer uses something called a retransmission timer when it is anticipating an ACK. At the time it sends the TCP segment, the sending computer starts a retransmit timer based on the Roundtrip Time (RTT). This is not a set time, but varies depending on the speed of the connection and other factors. If no ACK is sent back before the retransmit timer expires, the data will be re-sent. With all of these safeguards in place to ensure that every segment sent arrives at the destination computer, you can begin to see why TCP is called a “reliable” protocol.

How Flow Control Works For best performance, a large number of unacknowledged packets would be allowed to remain outstanding—as long as the number is not so large that some packets are dropped by the routers because of the overcrowding. When packets are dropped, they will be re-sent, increasing the overall traffic on the network and resulting in a performance hit. TCP handles this by starting with a smaller window size, then if no packets are lost, increasing the size until there is some loss of packets detected, and “scaling back” the size of the Send window to balance speed of transfer with amount of available bandwidth. At first, the Send window size will be set to equal one Maximum Segment Size. If an acknowledgment is received, the next transmission will be equal to two MSS, and will be increased by one MSS per acknowledged segment, each time the transmission is acknowledged. So, if the two MSS transmission is acknowledged, the next will be four MSS, and so on. As long as the acknowledgments keep coming back and the window does not exceed the maximum allowed window size (set in the Registry’s TcpWindowSize parameter as we will discuss a little later in this chapter), the process will continue. As you can see, the size of the window increases exponentially. This goes on until the maximum window threshold is reached. When that happens, the window will continue to grow as long as acknowledgments are received, but it will grow at a linear rate instead of an exponential one. After the threshold is reached, the window will

91_tcpip_04.qx

2/25/00

10:57 AM

Page 148

148 Chapter 4 • Windows 2000 TCP/IP Internals

increase by one in each RTT for which a whole window’s worth of acknowledgements is received. At some point, the transmission rate becomes so fast that the link becomes congested somewhere along the way and a timeout will finally occur. The sender will not receive the acknowledgment before the timer expires, and when this happens, TCP will adjust the threshold value to one-half the size of the window at that time. The window size itself will be reset to one MSS. The sending computer will start over again with the process of increasing the window size as acknowledgments are received, and the whole process will repeat itself.

Negotiating Scaling Factors Windows 2000 supports scalable TCP windows, in accordance with RFC 1323. By “scalable,” we mean the window size can be larger on networks that use high-speed links; thus, TCP windows can adjust to best fit the particular network’s needs. When this support is implemented, the TCP protocol can negotiate a scaling factor during the three-way handshake. The Window Scale option is sent in the SYN segment, and tells the receiving computer that the sending computer will support scaling. This does not automatically mean window scaling will occur. The receiving computer must also return a Window Scale option in its SYN segment. Window scaling is enabled only if both computers send Window Scale options—scaling is an all-or-nothing proposition (i.e., scaling is either enabled in both directions or not at all).

NOTE The Window Scale option can be sent in the SYN segment sent by a computer that is originating a TCP connection. It can be sent in the acknowledgment segment returned by the receiving computer that includes its own SYN bit, but only if the original SYN segment it is responding to included a Window Scale option.

Finding the Scale Factor To find out what the scale factor is, you can examine the packets that created the connection (the three-way handshake) in Network Monitor or a similar protocol analysis tool. This will appear as “TCP Option Type = Window Scale” with the option length and the scale factor shown after. If the TcpWindowSize value in the Registry, which sets the limit on the maximum TCP Receive window size that will be offered, is specified as

91_tcpip_04.qx

2/25/00

10:57 AM

Page 149

Windows 2000 TCP/IP Internals • Chapter 4 149

more than 64K, Windows 2000 will normally use window scaling (unless you specifically disable it). This setting is found at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interface \

See Figure 4.3 for an illustration of the new Registry value. Figure 4.3 Create a new DWORD type value and set it to the number of bytes to specify the maximum TCP Receive window size.

Remember that this setting should be an even increment of the MSS, as discussed previously. This setting controls only the specific network interface selected. You can also set a global value, for all interfaces, by creating a value called GlobalMaxTcpWindowSize. However, if an interface has a specific setting, it will override the global one. Even if a value of more than 64K is set, it will only be used when connecting to another system that also is capable of and configured to support the RFC 1323 options.

TIP This parameter is not visible by default. You must create it. The value is of the REG_DWORD type, and the value should be entered as a number in bytes.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 150

150 Chapter 4 • Windows 2000 TCP/IP Internals

Disabling Scaling in Windows 2000 To disable scaling, you must create and set the value for another Registry key, Tcp1323Opts. As with the TcpWindowSize key, you must use a Registry Editor such as regedt32 and navigate to the same Tcp\Parameters subkey. Create a new REG_DWORD value called Tcp1323Opts and set the value to 0 or 2, according to the following: 0 1 2 3

= = = =

disables both RFC 1323 options (window scaling and timestamping) enables window scaling only enables timestamping only enables both RFC 1323 options

If you disable window scaling, the maximum TCP window size will be limited to 64K.

TCP Timestamps Timestamping is another RFC 1323 option supported by Windows 2000, and is used for measurement of the RTT. The RTT is defined as the amount of time that it takes for a packet to travel from the client to the server and then for the acknowledgment to arrive back to the client. This does not include the time used for transmission of the packet, but does include delays between the two end systems as well as the time required for processing at the two end systems. Timestamping is especially useful when TCP connections are using large windows, to help TCP determine the RTT. This information is needed so the protocol can adjust timeout times for the retransmission timer, which optimizes. The reason timestamping is more important in communications that use the large window size is because the traditional way of measuring the RTT, which involves sampling of only one packet per window, gives a reasonable approximation when the window size is small, but the more packets there are in the buffer, the larger the margin of error becomes. Consequently, a more accurate method of measurement is needed.

How Timestamping Works Using the RFC 1323 option of timestamping, the sending computer puts a timestamp in the header of the TCP packets. This header is 10 bytes long and includes a 1-byte field designating the “kind,” (that is, showing that this header is a timestamp), a 1-byte field showing length, and two 4-byte timestamp fields: Timestamp Value (which shows the present value indicated by the sending computer’s clock at the time of sending) and

91_tcpip_04.qx

2/25/00

10:57 AM

Page 151

Windows 2000 TCP/IP Internals • Chapter 4 151

Timestamp Echo Reply (the value indicated by the receiving computer’s clock when it sends the acknowledgment). See Figure 4.4 for an illustration of the TCP timestamps option header. Figure 4.4 A TCP header showing the fields used to indicate the timestamp value. Present value shown by sender's clock

Kind = 8

10

TS Value (TSVal)

Present value shown by receiver's clock

TS Echo Reply (TSecr)

Valid only if the TCP segment is an ACK

In Figure 4.4, the first field with the value of 8 tells us this is a timestamp header; the second field shows a value of 10, indicating the total length of the header; and the next two fields show us the values of the sender’s and receiver’s clocks, respectively. The value of the receiver’s clock is shown only in an ACK message. The receiving computer reflects the timestamps back when it sends an acknowledgment. The sending computer can then subtract the value in its original header from the value in the acknowledgment segment, and this provides an accurate RTT for every ACK. The timestamp values are obtained from a virtual clock referred to as the timestamp clock.

TIP RFC 1323 specifies that timestamping should always be used when large window sizes (more than 64K) are used, and timestamps should be sent and echoed in both directions.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 152

152 Chapter 4 • Windows 2000 TCP/IP Internals

If a large window size is used, ensuring that timestamping is enabled will solve TCP instability problems caused by inaccurate RTT estimates, which can lead to a condition called congestion collapse. This occurs when there are a great many undelivered packets on a busy TCP/IP network, and connections timeout. Timestamping is enabled in Windows 2000 by default, although it can be disabled as shown by setting the Registry value Tcp1323Opts to 0 or 1.

RFC 2018: SACK (Selective Acknowledgment) Selective Acknowledgment, also called SACK, is another feature that will enhance performance when large window sizes are used. With Windows 2000, Microsoft introduces support for this feature, which is discussed in RFC 2018. As with timestamping, SACK uses TCP headers, which are sent in a SYN segment. In standard TCP transmission, if several packets are lost from one window’s worth of data, the sending computer only finds out about one lost packet per RTT. This means the lost packets will be slow to be retransmitted. Alternately, if the sender is aggressive about resending, it may resend packets that have actually been received and don’t need to be retransmitted, thus adding unnecessary network traffic. The purpose of the SACK option is to send additional acknowledgment information in a SACK option that is included in a segment from the receiving computer, about dropped packets or out-of-sequence packets. This information tells the sending computer exactly which packets were received and which are missing. When the connection is established, a “SACK permitted” option must be included in the SYN message to enable this feature. The benefit of SACK is that it allows the sending machine to resend only the data that was not received, and avoids congesting the network with unnecessary retransmittal of packets that were already received. If SACK has been enabled in the SYN message, SACK options will be included in all ACKs that don’t acknowledge the highest sequence number that is in the receiving computer’s buffer. This situation indicates that data has been lost or was received out of sequence, and the receiving computer is missing some segments. You will recall that normally, this situation causes both the missing segment and those following it to be retransmitted. SACK is called “Selective” because it allows the sending computer to retransmit only the selected segments that were not received. SACK is enabled by default in Windows 2000. It can, however, be disabled by editing the Tcpip\Parameters\SackOpts value in the Registry.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 153

Windows 2000 TCP/IP Internals • Chapter 4 153

This is a DWORD Boolean value type, which is set to 0 to disable SACK support or 1 to enable it. SACK can be very useful in solving performance slowdowns caused by lost packets or duplicate sending of packets on connections using large TCP windows.

NOTE The SACK header can be sent only on SYN (synchronization) segments. You should never find it on non-SYN segments.

RFC 1577: IP over ATM Another new feature in Windows 2000 is its support for the standards set forth in RFC 1577, which discusses operation of the Internet Protocol (IP) on a network based on Asynchronous Transfer Mode (ATM) technology. ATM has several advantages, including its ability to work well on very high-speed networks, and its flexibility, allowing the client to control the accuracy and speed of the data transfer. Other characteristics of ATM include: ■

■

■

Connection-oriented transmission Ethernet and Token Ring are connectionless technologies that depend on protocols in the higher layers to provide synchronization, acknowledgment, etc. No inherent limits on speed of transmission As speed increases in an Ethernet network, maximum segment length decreases, thereby effectively placing a cap on realistic attainable speeds that may be higher or lower depending on the media used. Quality of service The end points in an ATM communication negotiate a “contract” that specifies a guaranteed quality of service; this is not done in traditional technologies such as Ethernet and Token Ring.

Because of the high bandwidth that is possible using ATM, it is emerging as a popular technology. However, ATM networks differ from more traditional LAN technologies, like Ethernet, in that ATM is a nonbroadcast technology. This presents a challenge in regard to physical address resolution. In a broadcast-based network, clients use ARP broadcasts to resolve IP addresses to the physical addresses (called MAC addresses in Ethernet and Token Ring networks).

91_tcpip_04.qx

2/25/00

10:57 AM

Page 154

154 Chapter 4 • Windows 2000 TCP/IP Internals

When IP is run over ATM technology, there must be some means of resolving those IP addresses to ATM (physical) addresses. The solution is to set up an Address Resolution server (or ARP server) with special ARP server software, to which clients connect by being configured with the ATM address of the server. This works a little like WINS does in resolving IP addresses to NetBIOS names in that when a client computer comes online, it connects to its ARP server and sends its IP address and ATM address to be entered into the server’s database. Then, when the client wants to connect to another ARP client, it can query the ARP server for the other client’s ATM address.

NOTE ATM switching technology provides a dedicated connection, breaking up data into fixed-length packets that are called cells and are always exactly 53 bytes. ATM uses digital signaling and can achieve high transmission speeds (currently 155.520 Mbps or 622.080 Mbps; however up to 10 Gbps is possible). Windows 2000 supports this means of address resolution, and Windows 2000 machines can be configured as ATM ARP clients or ATM ARP servers via the Registry. The ARP client parameters are found in the network interface’s TCP/IP parameters. By editing the values in the AtmArpC subkey, you can specify such settings as the timeout for ATM address resolution, maximum number of resolution attempts, how long the client will wait after a negative response from the ARP server before trying again, and other specifications. To edit this value, use a Registry editing tool to set the parameters in the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters\Interfaces\\AtmArpC. ATM is implemented via hardware, as a replacement for Ethernet or Token Ring, and the components in an ATM network must support ATM. This makes ATM expensive, which is the primary reason it has not yet been implemented more widely.

NOTE ATM can use LANE (LAN emulation) software to provide support for traditional LAN applications and protocols. LANE causes the ATM network to appear as an Ethernet LAN to the higher-level protocols and applications. This is a way to increase performance of TCP/IP, but doesn’t give you the full benefits of ATM, such as Quality of Service guarantees.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 155

Windows 2000 TCP/IP Internals • Chapter 4 155

RFC 2001: TCP Fast Retransmit You will remember that the TCP protocol is connection-oriented and depends on an acknowledgment from the receiving computer to verify that all packets arrived at their destination—if no ACK is received, the computer that originally sent the data will retransmit it. At the time the packet is handed down to the IP protocol at the Network layer, a retransmission timer is started, and when the time expires, if no ACK has come back, TCP resends that packet. However, this can lead to long periods in which no data is transmitted because TCP is waiting for the retransmission timer to expire. Windows 2000 supports a feature called fast retransmit, discussed in RFC 2001, which allows TCP to resend the data before the specified retransmission time has expired. Here’s how and why that happens: If a packet arrives at the destination computer with an out-of-order sequence number (for instance, the next expected packet would be number 7, but the computer receives number 8), the receiver will send an ACK for the missing packet number 7, as well as for the packet number 8 that was received. If number 9 then arrives next, the receiving computer sends another ACK for number 7 as well as for packet 9. This continues as long as higher-sequenced packets arrive and number 7 is still missing, and the acknowledgments are called Duplicate ACKs. Normally, of course, only one ACK is sent per packet. So when the computer that originally sent the data starts receiving multiple acknowledgments for packet number 7, this tells it that packet 7 must have been lost. Then, the sending computer will resend packet number 7, even if the retransmission timer has not yet expired for that packet. See Figure 4.5 for a graphical representation of how this works. Of course, fast retransmit doesn’t replace the use of retransmission timers; it merely supplements them, enhancing TCP performance.

NOTE TCP on the sending side has no way of knowing whether a duplicate ACK was sent because of a lost segment or if the segments just got out of order. To resend in the latter case would add to network congestion, so TCP waits until several duplicate ACKs have been received. In Windows 2000’s implementation of TCP, the maximum number of duplicate acknowledgments is set to 3 by default (as specified in RFC 2001), so whenever a sending computer receives the third ACK for the same sequence number, and that number is lower than the number of the packet it last sent, it will retransmit the packet that is “missing in action.” You can change this value by specifying a different number in the TcpMaxDupAcks value in the Tcpip\parameters Registry key.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 156

156 Chapter 4 • Windows 2000 TCP/IP Internals

Figure 4.5 With fast retransmit, a packet is resent after three duplicate ACKS are received. packet 6 ACK 6

packet 8 ACK 7

ACK 8 Receiver

Sender packet 9 ACK 9

ACK 7

Sender

Sender packet 10 ACK 10

ACK 7

Sender

Receiver

packet 7 Sender

Receiver

It is estimated that on the average network, fast retransmit can improve throughput by up to 20 percent. Remember that in order for it to work, both the sending and receiving computers must support this feature.

RFCs 2211 and 2212: Quality of Service QoS, or Quality of Service, is another feature supported by Windows 2000 that was not supported by NT 4.0. A way that network applications can reserve bandwidth between the client and server is by using an extension to the Winsock API called General Quality of Service, or GQOS. What it does is provide an application interface to the Resource Reservation Protocol (RSVP), which is discussed in the next section. Together, QoS and RSVP are used by the application to deliver a flow of data from client to server, with the assurance that necessary bandwidth will be available. Obviously, this is useful for high-bandwidth applications such as video or high-quality audio. If a certain amount of bandwidth is necessary to maintain quality that is acceptable (for instance, if you need to be able to rely on having 1.5

91_tcpip_04.qx

2/25/00

10:57 AM

Page 157

Windows 2000 TCP/IP Internals • Chapter 4 157

Mbps in order to transmit video that is not jerky or otherwise unsatisfactory), the application can send a “flow specification” both for sending and receiving at the time it is initialized. This can be specified as “guaranteed,” or a lower level of assurance such as “best effort.” The specifications are sent to GQOS, which then works in conjunction with RSVP to make a “reservation.”

NOTE RFC 2211 discusses controlled-load service, and specifications for guaranteed QoS are addressed in RFC 2212. Clients that request controlledload service provide an estimate of the amount of data traffic they will generate. Acceptance of a request for controlled-load service is defined to imply a commitment by the network element to provide the requestor with service closely equivalent to that provided to uncontrolled (best-effort) traffic under lightly-loaded conditions.

RFC 2205: Resource Reservation Protocol After the flow specification parameters, which include latency limits, delay variations, and peak bandwidth, go to GQOS, RSVP is invoked via an API call. It sends special “path messages” to the destination IP address (the one to which the data will be sent). These messages signal the routers along the path, and they assess their available resources and decide whether they can accept the “reservation.” If all routers respond positively, the application is assured of having the needed bandwidth for the connection. RSVP functions as an Internet control protocol (like ICMP). It is also similar to a routing protocol in that it executes in the background. However, it is not a routing protocol itself, but works in conjunction with routing protocols. The routing protocols specify where the packets go, while RSVP only addresses the QoS of the packets. RSVP resides on top of IP, and will work with both IPv4 and IPv6. It also works with both unicast and multicast transmissions.

NOTE An RSVP request reserves bandwidth resources in only one direction.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 158

158 Chapter 4 • Windows 2000 TCP/IP Internals

IPSec The Internet Protocol Security protocol (IPSec) is yet another of Windows 2000’s new features, and one that Microsoft has made a big “selling point” for the new operating system. Security has become a major concern for more and more network professionals, as once-private networks have become joined by their connections to the global Internet. It is beyond the scope of this chapter to fully discuss the intricacies of IPSec, but for more information, see the book Configuring Windows 2000 Server Security, published by Syngress Media.

TIP Microsoft provides a great deal of documentation for the Windows 2000 implementation of IPSec. An excellent general overview is available in the Internet Protocol Security technical notes article published in TechNet. Also see the Windows 2000 Server Resource Kit for further information.

Purpose and Uses of IPSec The purpose of IPSec is to protect an IP-based network from eavesdropping, IP spoofing, denial of service and other “hack attacks.” IPSec offers protection of individual IP packets, and provides a general first line of defense against security breaches. It is especially useful with virtual private networking protocols (Point-to-Point Tunneling Protocol and Layer Two Tunneling Protocol, supported by Windows 2000), allowing for endto-end security.

NOTE End-to-end security methods are those in which it is necessary only for the “endpoint” computers (the machine from which the data originates and the final destination computer) to be aware of and support the IPSec protocols. The assumption is that the link connecting the two is not secure, thus the sender and receiver both handle security at their ends. The advantage of this is that IPSec can be implemented in a variety of scenarios without the requirement that systems along the data path be IPSecenabled.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 159

Windows 2000 TCP/IP Internals • Chapter 4 159

IPSec can provide for security protection at the Internetwork layer so that applications and protocols at higher levels are protected transparently. One major benefit of using IPSec is that, unlike more traditional Application Layer security protocols, it can be implemented without the necessity for making changes to individual client computers or installing extra software.

IP Security Options With IPSec, you have two options: Authentication Header (AH) provides for authentication of the sender of the data, and Encapsulating Security Payload (ESP) both authenticates the sender and encrypts the data itself. IPSec uses a header that follows the IP packet header to convey the information associated with each of these services. You can also select separate key protocols, such as ISAKMP/Oakley. IPSec establishes cryptographic keys for each security relationship. Windows 2000’s implementation of IPSec can also use the popular Data Encryption Standard (DES) for encrypting data.

For IT Professionals

About DES Data Encryption You will recall that IPSec gives you two choices: to only authenticate the sender, or to also encrypt the data. In a network environment where sensitive data is stored (confidential medical or legal records, trade secrets and formulae, and similar information), it becomes important not only to protect the network via authentication of users, but also to add another layer of protection by encrypting the data. Encryption involves translating data into another, encoded form, which is called a cipher. Ciphers work by applying a particular algorithm or formula to the bits (the binary form of the data), which rearranges them so they cannot easily be reassembled by someone who lacks the key (the unlocking algorithm). The decryption key will effectively undo what was done by the encryption key and put the data back into useable form. DES is a widely used encryption algorithm developed in the 1970s by IBM (and known then as “Lucifer”) that uses a 56-bit key— which actually appears at first glance to be 64 bits; however, one bit per byte (or 8 bits total) is used for parity. DES uses a randomization process to generate different key values. There are said to be 72 Continued

91_tcpip_04.qx

2/25/00

10:57 AM

Page 160

160 Chapter 4 • Windows 2000 TCP/IP Internals

quadrillion possible keys. DES is known as a private or secret key algorithm, because the sender and receiver must both know and use the same key to encrypt and then decrypt the data. DES is known as a “strong encryption” method, and the U.S. government restricted the exportation of DES to other countries. An even stronger version is called triple DES because it applies three different keys, one after another. The Advanced Encryption Standard (AES) is expected to replace DES, since the National Institute of Standards and Technology (NIST) has declined to recertify DES. AES is said to be an encryption method that will provide more reliable security. The DES algorithms have been broken, although this required a concerted, exhaustive attack that involves approximately 255 steps. However, there have been many attempts to crack DES, and the Electronic Frontier Foundation (EFF) developed a project called "Deep Crack," which used a specially designed supercomputer together with a worldwide network of nearly 100,000 PCs on the Internet, to crack a DES encryption in a record-breaking 22 hours and 15 minutes. You can read about the AES development effort on the AES homepage at www.nist.gov/aes. RSA Laboratories’ security Web site provides a FAQ with much useful information on DES and other cryptography methods at www.rsasecurity.com/rsalabs/faq/.

IPSec Configuration Windows 2000 lets you configure the AH or ESP services by using IPSec policies, either locally or via Group Policy in the Active Directory. To make it easier for administrators to implement IP Security, Microsoft included with Windows 2000 a group of predefined IPSec policies, which include the following: ■

■

■

Client (Respond Only) For computers such as intranet clients that don’t usually need to use IPSec. The computer will be able to respond to requests for secure communications, but otherwise will not use IP Security. Server (Request Security) For computers that generally will transmit data that should be secured. The computer can accept nonsecured transmissions, but will request security from the sender. Secure Server (Require Security) For computers whose data should always be secured, without exception. Unsecured

91_tcpip_04.qx

2/25/00

10:57 AM

Page 161

Windows 2000 TCP/IP Internals • Chapter 4 161

communications will not be accepted, and outgoing transmissions will always be secured. You can also define custom policies and rules and set IP filtering on inbound or outbound traffic, or both. IP packet filtering will identify transmissions from a particular computer, identified by its IP address, and apply a rule (such as blocking the traffic, negotiating security, or allowing the packets to pass through unsecured).

IPSec Troubleshooting In some cases, what appears to be a connectivity problem may in fact be a matter of misconfigured security policies; thus, it is important that you be familiar with how IPSec and other security features work, and keep this possibility in mind when troubleshooting.

Failure of RAS Secured Communications When secured communications fail but unsecured communications go through without problems on remote access connections, you should check the authentication method selected for the RAS connection. Another possibility is that the RAS server with which you are attempting to communicate does not support the security method.

Failure of Internal (LAN) Secured Communications When you are unable to connect to another computer on your internal network (intranet), and you have verified that the computer is not offline, check your IP filter settings and ascertain that the list of acceptable security methods is correct. Restarting the IPSec policy agent will clear old security associations that could be causing conflicts. To restart the policy agent, from the System Service Management console, double-click the IPSec Policy Agent in the results pane and click Restart (this will restart the IPSec driver as well).

Broken Policy Links When more than one administrator is editing IPSec policies, links between the policy components could become broken due to the fact that the Active Directory assumes that whatever information is saved last is the current information. This is rare, but could occur if two administrators create rules that both use the same filter and then save the changes at the same time. Windows 2000 protects against this problem by providing a way to check the integrity of the IPSec policies. To do so, from the IP Security Management console, click the Action menu, select Task, and then click

91_tcpip_04.qx

2/25/00

10:57 AM

Page 162

162 Chapter 4 • Windows 2000 TCP/IP Internals

“Policy integrity check.” This will verify the validity of filters and settings and display an error message if any are found to be invalid.

Using the IPSec Monitor Windows 2000 includes the IPSec monitoring tool, which displays active security associations on local or remote systems. This will help you to recognize patterns and trends of failed security associations, failed authentications, or other indicators of bad policy settings. To use the IPSec monitor, click Start | Run, and type: ipsecmon

You should see an entry for every security association that is active, showing the policy name, the filter action, and the IP filter details. The tunnel endpoint will be shown, if applicable. Other statistical information that can be provided by IPSec Mon includes: ■ ■ ■ ■

Number of active security associations Types of active security associations Number of master and session keys generated Number of ESP or AH bytes sent and received

Using the IPSec monitor, you can determine whether your secured communications were transmitted successfully.

NOTE By default, the IPSec monitor’s information will be updated every 15 seconds. You can change the refresh rate by clicking OPTIONS. See Figure 4.6.

Using Event Viewer to Troubleshoot IPSec Problems The Windows 2000 Event Viewer can be used to troubleshoot IPSec, since the IPSec policy agent writes to the System log in several instances. For example, you can see in the Event Viewer whether local or Active Directory policy is being used, since the policy source is entered in the Event log. You can also view the Security log for entries pertaining to failures of secured communications or informational messages pertaining to the Oakley protocol. The Application log may also contain messages from ISAKMP/Oakley.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 163

Windows 2000 TCP/IP Internals • Chapter 4 163

Figure 4.6 The IPSec monitor can be accessed from the Windows 2000 command prompt.

Using Network Monitor to Troubleshoot IPSec Problems The Network monitor included with Windows 2000 (or the enhanced version that comes with System Management Server) can be used to view the AH and ESP transmissions. AH-secured packets will be indicated as TCP, UDP, or ICMP packets, but you will see the AH header when you open the packet. ESP packets are easier to spot, as they are marked as ESP packets. Because it is encrypted, however, you won’t be able to read the data itself when you open the ESP packet.

IPSec Files Missing IPSec is installed as part of the installation of TCP/IP. If problems occur due to files that are needed for IPSec being deleted or corrupted, you reinstall IPSec by removing and then reinstalling the TCP/IP protocol (see Chapter 1, “TCP/IP Overview,” for instructions).

Problems with Multihomed Computers If a computer has multiple default routes, as is likely to be the case with a multihomed system, this can cause problems with secured communications. To correct the problem, define a default route as follows: Select Run | Start | cmd

91_tcpip_04.qx

2/25/00

10:57 AM

Page 164

164 Chapter 4 • Windows 2000 TCP/IP Internals

At the prompt, type route print

Press ENTER. You will see a list of routes that make up the computer’s routing table. If one has a destination 0.0.0.0, or if there is more than one with a metric of 1 (or the lowest metric if none are shown as 1), take one of the following actions: ■ ■

Delete one of the default routes Ensure that one of the default routes has a lower metric value than all of the rest

Performance Slowdown When Using IPSec You should also be aware of the fact that implementing IPSec data encryption may slow the network; this is to be expected due to the overhead involved in processing the encryption algorithms. There are ways to alleviate this; for instance, NDIS 5.0 (discussed in the next section) allows for offloading of tasks. This means the encryption duties could be offloaded to the hardware so that the NIC would handle that task. Of course, offloading requires a NIC that is designed to support IPSec hardware offloading.

NDIS 5.0 NT administrators will be familiar with the Network Driver Interface Specification (NDIS), which is Microsoft’s means of allowing communication between the networking protocols and the network interface card (NIC). NDIS is implemented as a boundary layer in the NT/Windows 2000 networking model. Windows 2000 supports NDIS, version 5.0, which includes all the features and functions of NDIS 4.0, as well as the following additional specifications: ■ ■ ■ ■

■ ■ ■

■

Support for NDIS power management Support for Plug and Play Support for Windows Management Instrumentation Support for a new standardized .INF format that will be used by both Windows 9x and Windows 2000 operating systems Improved miniport performance Task offload support Support for ATM, ADSL, and network streaming (connectionoriented NDIS) QoS support

91_tcpip_04.qx

2/25/00

10:57 AM

Page 165

Windows 2000 TCP/IP Internals • Chapter 4 165

Because Windows 2000 is designed to provide better functionality on laptop and notebook computers than Windows NT, power management support is an important factor. NDIS 5.0 supports Network Power Management and Wake On LAN (assuming the NIC also supports these features). An important function of the NDIS interface is the ability to bind multiple protocols to one network card, and/or bind a protocol to multiple NICs. Windows 2000 TCP/IP supports Ethernet, FDDI, Token Ring, ATM, ARCnet, and WAN protocols such as ISDN and X.25. Windows 2000 also supports LAN emulation with ATM adapters that are designed to use LANE.

NOTE Network Power Management is supported only when using the Microsoft TCP/IP protocol stack.

Inside the Windows 2000 Internet Protocol (IP) IP operates at the Internetwork layer of the Department of Defense’s TCP/IP networking model, with responsibility for routing; that is, getting packets to their destination based on their IP addresses. Remember that at the sending computer, the data travels down from the Transport (Host-to-Host) layer to the Internetwork layer, so IP receives the TCP segment (or UDP for connectionless communications such as broadcasts) and then passes it down to the Network Interface layer. Before handing it down, however, IP performs an important function: It looks at the destination IP address on the packet and then consults its local routing table to determine what to do with the packet. It can pass the data to the network card (or if it is a multihomed system, determine which of the attached network cards to pass it to), or it can discard it. When a Windows 2000 computer starts, the routing table is constructed. Certain entries, such as the addresses for the loopback, the local network, and the default gateway (if configured in TCP/IP properties) are added automatically. Other routes can be added by ICMP messages from the gateway, by dynamic routing protocols (RIP or OSPF), or you can manually add routes using the route command at the command prompt. Windows 2000 also includes Routing and Remote Access (RRAS) and can be configured to act as a router for IP or IPX traffic.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 166

166 Chapter 4 • Windows 2000 TCP/IP Internals

NOTE Packets are often referred to as datagrams at this level. These datagrams contain the source and destination IP addresses, which will be translated to MAC (physical) addresses at a lower layer.

Classless Inter-Domain Routing As we’ve discussed, in the early days of IP networking, it was believed that there was a more than adequate number of IP addresses, and address blocks were allocated liberally; those practices resulted in many “wasted” addresses. At that time, networks were divided into class A, B, and C types based on the number of host addresses (along with class D, used for multicasts, and class E, reserved for experimental purposes). Again, because of the lack of planning and the way in which the network IDs were initially distributed, all of the class A addresses and most of the class B addresses were soon taken. However, with the growth and popularity of the Internet, more and more organizations had a need for public IP addresses, and many of these networks were larger than the limits of a class C network, which was the only type left to be assigned. For this reason, in the mid-1990s a new concept was developed to allow for allocation of network numbers without regard to the A, B, and C classifications. This is called Classless Inter-Domain Routing, or CIDR (pronounced like “cider”). Routes are aggregated, and what were once designated as class C networks can be combined through “supernetting” to create larger networks by “stealing bits” from the network portion of the IP address, which is the direct opposite of the way a large network can be subnetted into smaller networks by borrowing bits from the host portion to represent the network ID. Benefits of CIDR include: ■ ■ ■ ■

Smaller Internet routing tables Less updating of external routes required More efficient allocation of address space Increase in number of available Internet addresses

CIDR addresses contain network prefixes which are part of the IP address and vary in length according to how many bits are actually needed, instead of being forced into the class A, B, or C specifications. CIDR addresses also contain a slash followed by the number of bits that represent the network ID, so a CIDR address looks like the following:

91_tcpip_04.qx

2/25/00

10:57 AM

Page 167

Windows 2000 TCP/IP Internals • Chapter 4 167

192.204.76.0/14 The “/14” indicates that the first 14 bits identify the network, and the remaining 18 bits identify the host. RFCs 1517 through 1520 all document aspects of specifications for Classless Inter-Domain Routing. RFC 1817 discusses CIDR and so-called “Classful” (traditional) routing.

NOTE The CIDR FAQ at www.ibm.net.il/~hank/cidr.html is a useful source of questions and answers about Classless Inter-Domain Routing, maintained by Hank Nussbacher of Tel Aviv University and IBM Israel.

Multihoming Microsoft refers to a computer that has multiple IP addresses as a multihomed host. This doesn’t necessarily mean the computer has multiple NICs, although the term is often understood that way.

NOTE You can assign more than one address to the same physical NIC, creating virtual interfaces. To the Internetwork layer and the IP protocol, they are separate interfaces.

Windows 2000 supports both types of multihoming. If there are multiple physical network cards, they can be assigned addresses on the same network (or subnet), or there can be a card assigned to each network. In the latter case, Windows 2000 can act as an IP router, passing transmissions from one subnet to another.

NOTE When TCP/IP is bound to multiple IP addresses on one NIC, NetBIOS over TCP/IP (NetBT) can only be bound to one of the IP addresses. The address listed first in the TCP/IP advanced properties box will be used for NetBIOS name registration.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 168

168 Chapter 4 • Windows 2000 TCP/IP Internals

To assign multiple IP addresses to a NIC, select: Start | Settings | Network and Dialup Connections | Right-click the connection and choose Properties, then highlight TCP/IP, select Properties, and click ADVANCED. Click ADD under IP addresses and enter the new address, as shown in Figure 4.7. DHCP servers and DNS servers can be multihomed machines, although there may be some special configuration considerations. Figure 4.7 Multiple IP addresses assigned to a single NIC.

Problems Related to Multihoming You may encounter some of the following common problems with multihomed computers on a Windows 2000 TCP/IP network.

Networks Linked by RAS If a multihomed computer has IP addresses on two networks that are linked by a remote access connection, because the networks are not aware of one another there may be problems with routing. In this case, the solution is to create static routes. This can be done by manually adding the routes to the routing table.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 169

Windows 2000 TCP/IP Internals • Chapter 4 169

Multiple Default Gateways If a multihomed computer has addresses on two networks that are unaware of one another, and you configure it with different default gateways on the different networks, you may experience an inability to connect or other connectivity problems. The solution is to configure only one default gateway. This should be the one on the larger or primary network. You can then create static routes in the routing table to get to the computers on the smaller network.

NOTE Only one default gateway can be active at a given time, regardless of how many a computer is configured to use.

Multihoming and WINS There is potential for numerous problems when WINS servers or clients are multihomed machines. See Chapter 6, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems,” for more information.

IP Multicasting Multicasting means sending data to multiple destinations on the network at the same time, using a single multicast address. This differs from a broadcast in that computers belong to a multicast group, and only those that are designated as members of the group receive the multicast messages. Messages sent to the broadcast address, on the other hand, are sent to every computer on the subnet. The Internet Group Management Protocol (IGMP) is used for managing multicast membership. Computers can join or leave multicast groups by sending an IGMP message (computers that are not members of the group can still send multicast messages to the group). A computer can also belong to multiple multicast groups simultaneously. When a computer wishes to join a multicast group, it will send a message called an IGMP host membership report. With this message, it declares itself a member of a particular multicast group. The same message is used when a multicast router issues a query requesting group information. There are two types of multicast groups: ■ ■

Permanent multicast group Transient multicast group

91_tcpip_04.qx

2/25/00

10:57 AM

Page 170

170 Chapter 4 • Windows 2000 TCP/IP Internals

NOTE “Permanent” or “transient” refers to the group address. Membership in a permanent group is still dynamic; computers can join and leave at any time. A permanent group has a reserved IP address, and it continues to exist even if all computers leave the group. A transient group ceases to exist if its membership drops to zero, and its address is returned to the pool available for assignment to another group in the future.

A group can have members that belong to different networks as long as the routers between the networks support multicasting.

Multicast Address Range Windows 2000 complies with RFC 1112 level-2 standards for IP multicasting and uses the following class D addresses. The multicast addresses are in the range 224.0.0.0 through 239.255.255.255, shown in Table 4.1. These addresses are reserved for multicast transmissions with the Internet Assigned Name Authority (IANA). Table 4.1 Multicast Addresses Address

Purpose

224.0.0.0

Base address (reserved).

224.0.0.1

The All Hosts multicast group (includes all systems on the same network segment).

224.0.0.2

The All Routers multicast group (includes all routers on the same network segment).

224.0.0.5

The Open Shortest Path First (OSPF) AllSPFRouters address.

224.0.0.6

The OSPF AllDRouters address.

224.0.0.9

The RIP Version 2 group address.

224.0.1.24

WINS server group address.

NOTE For more information on reserved multicast addresses, see www.isi.edu/ in-notes/iana/assignments/multicast-addresses.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 171

Windows 2000 TCP/IP Internals • Chapter 4 171

Troubleshooting IP Multicasting Windows 2000 includes several multicasting utilities that can be useful in troubleshooting problems with multicast transmissions.

Command-Line Utility: mrinfo The command-line utility mrinfo displays the configuration of a multicast router. The information returned by the mrinfo command includes version number, the list of interfaces and the neighbors on each interface, metrics, Time to Live (TTL) thresholds, and flags.

Command-Line Utility: netsh routing ip mib show mfe The command-line utility netsh routing ip mib show mfe can be used to display the entries in the Multicast Forwarding Table. (The Multicast Forwarding Table can also be accessed through the Routing and Remote Access console).

Command-Line Utility: netsh routing ip mib show mfestats The command-line utility netsh routing ip mib show mfestats is used to display packet statistics and input and output interface information for multicast forwarding entries in the Multicast Forwarding Table. (The Multicast Statistics table can also be accessed through the Routing and Remote Access console).

Command-Line Utility: netsh routing ip mib show joins The command-line utility netsh routing ip mib show joins is used to display the list of multicast groups that are locally joined on each interface.

Duplicate IP Address Detection Because IP addresses must be unique on the network, there must be some mechanism in place to detect duplicate addresses. Unlike the MAC addresses, which are hard-coded into the chip on the interface card by the manufacturer, IP addresses are assigned by the network administrator. If addresses are assigned manually instead of by a DHCP server, it is very easy to make the mistake of assigning the same IP address to two machines. Having two machines on the network with the same address can obviously cause problems with delivery of data packets. If you have a common name like John Smith, you may have had the experience of having someone else with the same name at your workplace or in a class at school. You know how confusing it is when the name “John Smith” is called, and neither of you knows for whom the message is intended. You may have

91_tcpip_04.qx

2/25/00

10:57 AM

Page 172

172 Chapter 4 • Windows 2000 TCP/IP Internals

received memos or correspondence that should have gone to the other John Smith. Networks try to avoid this type of “mistaken identity” situation. If a computer is configured with the same IP address as another computer on the network, when it comes online and broadcasts an ARP message for its own address (sometimes called a “gratuitous ARP broadcast”), the computer that is already using that address will reply. This will cause an error message, and the computer that just came online will not be able to use the IP address; IP will be disabled and an entry will be made in the System log. The computer that “got there first” will still be able to communicate via IP, but will also display an error message to notify you that there was an address conflict.

NOTE The computer with the duplicate address may still be able to communicate with other computers on the network if another common protocol is installed (NetBEUI or IPX).

Inside the Windows 2000 Transport Protocols (TCP and UDP) The Transport (host-to-host) layer protocols, TCP and UDP, handle flow control and provide for reliable end-to-end communications. For more information about what takes place at this level and how it fits into the OSI and DOD models, see Chapter 1. We will discuss some of the features included in the Windows 2000 TCP/IP stack’s Transport layer protocols. Knowledge of these features can be useful in unraveling connectivity problems that originate at this level.

Transmission Control Protocol We will first look at TCP, the connection-oriented member of the pair. TCP is used in Microsoft networks to handle important one-to-one communications such as logons, file and printer sharing, and replication between Windows 2000 domain controllers.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 173

Windows 2000 TCP/IP Internals • Chapter 4 173

Dead Gateway Detection The Dead Gateway Detection feature in Windows 2000 makes TCP aware when the IP address configured to be the default gateway fails. This allows for a process called triggered reselection to take place, so that another default gateway can be chosen and implemented, and routed communications can continue. Here’s how it works: TCP attempts to send a packet to its default gateway and does not receive a response. It will keep trying, up to one-half the value set in the Registry key TcpMaxDataRetransmissions. If there is still no response from that gateway, TCP will try the next default gateway. The Route Cache Entry for the destination IP address on that packet will be changed to the new default gateway. If the gateway is dead, the same thing will happen to subsequent communications. If this continues to the point that 25 percent of the TCP connections have given up on the first gateway and moved on to use the second, IP will change the computer’s default gateway setting to the new gateway that the 25 percent are using. If the second gateway should also fail, the same process will occur and the next one on the list will be tried. If all gateways in the list are attempted and the last one fails, TCP will start over with the first default gateway listed. In this way, Windows 2000 maximizes the possibility of finding a gateway through which the packets destined for remote network segments can be routed.

Delayed Acknowledgments TCP is able to maintain reliable communications because it uses acknowledgments (ACKs) to keep the sending computer “in the know” about the packets that have and haven’t arrived at the receiving computer. However, the acknowledgment messages themselves take bandwidth and can slow the communication process and cause congestion on the cable. Microsoft addresses this problem by implementing Delayed ACKs according to the specifications in RFC 1122. This reduces the number of packets on the wire and helps prevent a congested condition. Using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 174

174 Chapter 4 • Windows 2000 TCP/IP Internals

TCP Keep-Alives As discussed earlier, a TCP connection normally stays open until a FIN message is sent and acknowledged to disconnect. Some mechanism is needed, then, to determine whether the computer on the other end is still “there” when no packets have been received for a long period of time. TCP uses keep-alive packets to verify that a computer on the other end of a TCP connection is “still alive and kicking” (that the remote computer is still available). By default, a keep-alive message is sent every two hours (expressed as 7,200,000 milliseconds). This value can be changed by editing the Tcpip\Parameters value KeepAliveTime. A keep-alive message is only sent if no other packets have been sent for the time period. The keep-alive message is actually an acknowledgment, but with a sequence number that is the current sequence number minus one. If the computer on the other end responds to the keep-alive packet, the keep-alive timer will be reset, and if another two hours goes by without communications over the connection, the process will occur again. If the computer on the other end does not respond, 10 attempts will be made. If there is still no response after 10 tries, the connection will be terminated.

NOTE TCP keep-alive messages are not enabled by default. To enable them for Winsock applications, edit the SetSockOpt value. TCP keep-alives generally are not sent on NetBIOS connections.

Avoiding the Silly Window Syndrome The Silly Window Syndrome, discussed in RFCs 813 and 1122, may have a silly name, but it can become a problem in TCP/IP networks, slowing down TCP communications. SWS occurs when the receiving computer slides its TCP window to the right when it has additional space available, and the sending computer uses this very small window to send correspondingly small data segments. In this situation, you end up with tiny segments of data being sent despite the fact that both computers have much more buffer space. The Silly Window Syndrome may be caused by either the client or the server. For example, the client might send data so fast that the server’s buffer fills up, and it then reduces its Receive window size to 1. This causes the client to send data in 1-byte increments, and the server responds by acknowledging only 1 byte at a time. Now, if the client stops

91_tcpip_04.qx

2/25/00

10:57 AM

Page 175

Windows 2000 TCP/IP Internals • Chapter 4 175

sending data, the buffers will clear and the window size will increase, but if the client keeps sending one byte at a time, performance will slow drastically. To avoid this situation, Windows 2000’s implementation of TCP/IP will not send additional segments until the receiving computer advertises a large enough window size to be able to receive a full segment. Additionally, if Windows 2000 is running on the receiving computer, TCP will not open the Receive window except in increments of a full segment. The Silly Window Syndrome can cause such drastic performance hits, so SWS avoidance is an important feature in Windows 2000.

User Datagram Protocol The User Datagram Protocol, UDP, is a connectionless Transport layer protocol that is used for broadcast and multicast transmissions and other situations where guaranteed delivery is not required. UDP works with IP, similarly to TCP, but UDP doesn’t break up the messages into smaller chunks (packets) and then reassemble the packets on the receiving end, as TCP does. There is no sequencing information in the UDP header. It’s up to the application to ensure that all the data arrived and to put it into the correct order. Like TCP, UDP provides for ports to differentiate between multiple connections. Therefore, if two applications are using UDP to communicate, using the same network interface, they will be assigned different port numbers. The advantage of UDP is speed—because it does not send acknowledgments and perform the other functions that make the TCP protocol more reliable, it also doesn’t have as much overhead.

NOTE The specifications for the User Datagram Protocol are discussed in RFC 768.

Understanding TCP/IP Registry Settings TCP/IP gets its information (such as whether to obtain an IP address and other information automatically, or the specific manually, configured information) from the Windows 2000 Registry. The Registry, as you will recall, is the centralized hierarchical database that took the place of multiple initialization (.ini) files in early versions of Windows operating systems. When the protocols initialize, they look to the Registry for their configuration settings.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 176

176 Chapter 4 • Windows 2000 TCP/IP Internals

When you configure the TCP/IP protocol settings in your network connection properties sheet, you are indirectly making changes or additions to the Windows 2000 Registry. The configuration information you enter in the dialog boxes will become values in the Tcpip\Parameters key, which is located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. There are a great many values contained in this subkey that were entered into the Registry at the time TCP/IP was set up on the computer. There are additional values that don’t appear by default, which you can add to optimize or change the behavior of the TCP/IP protocol driver.

NOTE The driver that implements the TCP/IP protocols in Windows 2000 is Tcpip.sys.

It is always better, if possible, to make changes to the Registry through the graphical user interface. For instance, if you wish to change the IP address of your computer, you should make that Registry change by entering the information in the TCP/IP property sheet. However, the GUI contains only a limited number of changes that can be made. There are many more specifications that can be made only by directly editing the Registry keys. We will discuss a few of these changes, and how to make them, in this section.

WARNING Microsoft always stresses the importance of caution in making direct changes to the Windows Registry. If you implement any of these changes, be sure to follow directions exactly. Of course, it’s always a good idea to first back up the Registry before making any changes.

Using the Registry Editing Tools Windows 2000, like NT, provides two Registry editing tools, regedit and regedt32. Regedit.exe is the registry editor that is also included in Windows 95. It is a powerful tool, but has some limitations. For instance, you cannot change security settings in the Registry using this application. Perhaps more importantly, regedit does not include a “read only” mode, as does its

91_tcpip_04.qx

2/25/00

10:57 AM

Page 177

Windows 2000 TCP/IP Internals • Chapter 4 177

cousin, regedt32. This means it is easier to mistakenly make changes that can affect the stability or even the bootability of your system. Why then would you ever use regedit? It does have one advantage over regedt32 in that its search engine is more powerful. If you need to do a detailed search, you might want to choose this tool. Another difference between the two is their appearance. Regedit, shown in Figure 4.8, resembles Windows Explorer. Figure 4.8 The Regedit.exe interface.

Regedt32.exe is the tool you will most commonly use when you already know the key and value you want to edit and don’t need the more sophisticated search features. Regedt32 will allow you to invoke “read only” mode so that you can look at your settings with no fear of accidentally making changes.

NOTE In both Registry editors, there is no “save changes” function. Changes that you make to the values take effect immediately.

Regedt32 also looks a bit different; as you can see in Figure 4.9, its interface shows each Registry hive key in a separate window instead of one hierarchical structure. Either tool can be used for editing the TCP/IP settings. Open the chosen Registry editor by typing either regedit or regedt32 at the command prompt or in the Run box from the Start menu.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 178

178 Chapter 4 • Windows 2000 TCP/IP Internals

Figure 4.9 Regedt32 presents the Registry information as separate windows for each key.

NOTE Notice that the “i” is omitted from “regedt32.” A common mistake is typing the command with the “i,” resulting in a File Not Found message.

Configuring TCP/IP Behavior through the Registry All of the values we will discuss will be found under the same Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters. Remember that TCP/IP can be bound to more than one NIC, and can be configured differently for each NIC to which it is bound. For values that are specific to an adapter, you will find a subkey for each NIC that contains its individual settings. The network interface subkeys are found

91_tcpip_04.qx

2/25/00

10:57 AM

Page 179

Windows 2000 TCP/IP Internals • Chapter 4 179

under “Adapters,” and each interface is represented as a hexadecimal number, as shown in Figure 4.10. Most of the parameters that we will discuss will not already be present in the Registry by default. In order to modify the protocol settings using the parameters that you don’t find already present, you must create the new value. Figure 4.10 Each NIC has a separate subkey for its settings.

Creating a New Value To create a new value in the Registry using the regedt32 tool, from the Edit menu, choose “New value.” You will see a dialog box as shown in Figure 4.11, which allows you to enter a name for the value, and select the data type from a drop-down box. Figure 4.11 You can add a new value to the Registry if it does not already exist.

The value can be one of five data types: ■

■ ■

REG_DWORD Hexadecimal data with a maximum limit of 4 bytes REG_EXPAND_SZ An expandable string REG_MULTI_SZ A multiple string

91_tcpip_04.qx

2/25/00

10:57 AM

Page 180

180 Chapter 4 • Windows 2000 TCP/IP Internals ■

■

REG_SZ A single data string (group of characters handled as one entity) REG_BINARY Zeros and ones (“machine language”)

Be sure you select the correct data type, as given in the instructions, when creating a new value.

Editing Common TCP/IP Registry Values We will discuss only a few of the many Registry settings that can be edited to change TCP/IP behavior. For a complete list, see the Microsoft TechNet article “MS Windows 2000 TCP/IP Implementation Details.”

Changing the Timeout for the ARP Cache You can change the timeout value of the ARP cache from the defaults (2 minutes for unused entries and 10 minutes for those that have been used) by creating a new value in the Tcpip\Parameters subkey called ArpCacheLife. The value type is REG_DWORD, and the value should be set as the number of seconds for timeout, in hexadecimal (0 – 0xffffffff).

Changing the Number of ARP Retries Another configuration setting you might want to change to speed initialization is the number of times the computer will send a “gratuitous” ARP broadcast for its own IP address, to determine if the address is already being used on the network. Once again, you must create a value of REG_DWORD type and enter the number of ARP retries desired. The default is 3, which is also the maximum. You can change this to either 1 or 2.

Changing the Default TTL You can change the number in the outgoing IP headers that represents the maximum amount of time the packet can remain “alive.” If it does not reach its destination by the time set, it will be dropped. What this does is limit how many routers the packet can “hop” through before it “dies.” This will also be a new REG_DWORD value called DefaultTTL, set to the number of seconds/hops, and can be from 1 to 0xff (255 in decimal notation). The default is 128.

Enabling or Disabling Dead Gateway Detection By default, dead gateway detection is enabled. You can disable it (or reenable it after it’s been disabled) by editing the EnableDeadGWDetect value. The value type is REG_DWORD (Boolean), and the only valid settings are 0, which disables dead gateway detection, or 1, which enables it.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 181

Windows 2000 TCP/IP Internals • Chapter 4 181

Enabling Multicast Forwarding In Windows 2000, IP multicast forwarding is not enabled by default. However, it can be enabled by creating a Registry value called EnableMulticastForwarding of the REG_DWORD (Boolean) type, and setting it to 1, for True.

Enabling IP Address Autoconfiguration Automatic configuration of IP address is enabled in Windows 2000 by default. Although this feature is often useful, it can be disabled by setting the IPAutoconfigurationEnabled value for the specific interface to a value of 0. You can reenable it by setting the value to 1.

Changing the Interval between TCP Keep-Alive Transmissions By default, keep-alive messages will be sent every 1000 milliseconds (one second) until a reply is received. You can edit the KeepAliveInterval value to change this to a different time (in milliseconds). This is a REG_DWORD data type.

Changing the Maximum Transmission Unit (MTU) By editing the MTU value for the specific interface, you can set a limit on the packet size (in bytes) that will be transmitted over the network. This value is set as a REG_DWORD type, specifying the number of bytes. This value cannot be less than 68. If you set it to a number that is less than 68, the MTU will be 68.

Registry Settings that Should Not Be Edited Some settings are configured by the services, such as DHCP, and should not be changed via editing the Registry. Others can, and should, be changed via the GUI instead of by editing the Registry directly. Below is a partial list: ■ ■ ■ ■ ■

■

IPAutoconfigurationAddress DHCP Default gateway Can be set in TCP/IP properties box in the GUI EnableDhcp Can be set in TCP/IP properties box in the GUI IPAddress Can be set in TCP/IP properties box in the GUI IPEnableRouter Can be set in TCP/IP properties (Advanced) in the GUI IPEnableRouterBackup Set by setup and should not be changed manually

91_tcpip_04.qx

2/25/00

10:57 AM

Page 182

182 Chapter 4 • Windows 2000 TCP/IP Internals ■

■

DhcpDefaultGateway Written by the DHCP client service and should not be changed DhcpIPAddress Configured by DHCP (Note: None of the DHCP assigned values should be changed manually.)

Summary In this chapter, we discussed how TCP/IP works, its “internals” or the components of its architecture as implemented in Windows 2000. We got an overview of the enhancements that Microsoft has made to its TCP/IP stack. We learned a little about Internet Requests for Comments (RFCs), and discussed in detail some of the RFCs with which Microsoft’s newest operating system complies. In particular, we examined some of the more significant RFCs such as: RFC 1323, which provides for scalable (and larger-sized) TCP windows, a feature that can optimize performance on highbandwidth networks. We explained the purpose and function of sliding windows, how the TCP three-way handshake works and how it establishes the window size, and how sliding windows provide for flow control in TCP communications. We looked at how the scaling factor is negotiated and how you can determine what the current scaling factor is by examining the packets that created the connection. Then we looked at another TCP extension specified in RFC 1323, timestamping, and how it can solve instability problems that are caused by bad estimates of Roundtrip Time (RTT) that result from other methods of measuring RTT. RFC 2018, which deals with TCP selective acknowledgments. We saw how SACK can enhance network performance when large window sizes are being used. We also discussed how to disable SACK by editing the Windows 2000 Registry. RFC 1577, which lays out specifications for running an IP network over ATM. We discussed some of the advantages of Asynchronous Transfer Mode networks, such as their connection orientation, lack of inherent limits on speed, and Quality of Service. We talked about the use of an ARP server in ATM networks for resolution of IP addresses to physical addresses, since ATM is a nonbroadcast network. We also briefly touched on LAN emulation (LANE), which allows you to use traditional LAN software and hardware for an ATM network.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 183

Windows 2000 TCP/IP Internals • Chapter 4 183

RFC 2001, which gives the specs for TCP Fast Retransmit, a feature that provides for faster performance by allowing TCP to resend data before the specified retransmission time has expired. RFCs 2211 and 2212, defining QoS, or Quality of Service, a new feature in Windows 2000 that lets the network reserve bandwidth between client and server to ensure that a high-bandwidth application will have sufficient bandwidth. RFC 2205, which gives specifications for another new feature, the Resource Reservation Protocol, also known as RSVP. We talked about how RSVP works with general Quality of Service (GQoS) to reserve bandwidth, using functioning as a control protocol similarly to ICMP. In this chapter, we also looked at IP Security (IPSec) and how it provides for greater protection of data sent over an IP network. We looked at the two IPSec Security options: AH, or Authentication Header security, and ESP (Encapsulating Security Payload), which encrypts the data itself. We talked about how IPSec is configured and the predefined IPSec policies included with Windows 2000: ■ ■ ■

Client (Respond Only) Server (Request Security) Secure Server (Require Security)

We went a little further, to discuss definitions of custom policies and setting of filtering on inbound and outgoing traffic. Then we looked at several IPSec troubleshooting scenarios, including the failure of RAS secured connections, the failure of LAN secured connections, and broken policy links. We discussed how to use the IPSec monitor to gather statistical information such as: ■ ■ ■ ■

Number of active security associations Types of active security associations Number of master and session keys generated Number of ESP or AH bytes sent and received

We also looked at how to use the Windows 2000 Event Viewer and the Network Monitor to troubleshoot IPSec problems. We talked about what to do when IPSec files are missing or corrupted, how to deal with problems with multihomed machines, and how to address performance slowdowns when using IP Security. Then we turned our attention to NDIS 5, the latest version of the Network Driver Interface Specification, and the changes between NDIS 4 and 5.

91_tcpip_04.qx

2/25/00

10:57 AM

Page 184

184 Chapter 4 • Windows 2000 TCP/IP Internals

Next, we examined IP, the Internet Protocol that operates at the Internetwork layer of the DoD model. We talked about CIDR, Classless Inter-Domain Routing, which is beginning to replace the old and inefficient way of allocating IP addresses in blocks defined as class A, B, and C networks. We discussed multihoming, the practice of assigning more than one IP address to a single computer, either by installing multiple physical network interfaces or by creating virtual interfaces for one network card. We addressed some of the problems that arise with multihomed machines, particularly when networks are linked by Remote Access Services, when multiple default gateways are assigned, and how multihoming and WINS interact. We then moved to IP multicasting, defining a multicast transmission as the sending of data to multiple computers using only one IP address, called a multicast address. We discussed the multicast address range, and how computers can join two kinds of multicast groups: permanent and transient. We looked at some of the problems that can occur with multicasting, and how to troubleshoot those problems using tools like mrinfo, and other command-line utilities included with Windows 2000. We discussed duplicate IP address detection and how Windows 2000 attempts to avoid this situation. We also examined some characteristics of the Transport layer protocols, TCP and UDP. We talked about TCP dead gateway detection and how Windows 2000 maximizes the possibility that the packets destined for a remote network segment will be routed even if a gateway fails. We looked at the delayed acknowledgments feature, and how, using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable. We talked about TCP keep-alive messages, sent every two hours to verify that the remote computer is still available. We also discussed the Silly Window Syndrome (SWS), and how Windows 2000’s TCP/IP stack was designed to avoid this problem. Then we discussed User Datagram Protocol (UDP), the connectionless transport protocol used for broadcasts and other messages that don’t require acknowledgments, sequencing, and the other high-overhead features of TCP. Finally, we looked at how the TCP/IP settings are implemented in the Windows 2000 Registry, which contains all of the protocol’s initialization

91_tcpip_04.qx

2/25/00

10:57 AM

Page 185

Windows 2000 TCP/IP Internals • Chapter 4 185

parameters. We looked at how to edit selected Registry setting to enhance performance, and also listed some Registry settings that should never be edited manually.

FAQs Q: What are the three ways in which TCP/IP information can be configured in Windows 2000? A: 1) Manual configuration, where the administrator enters the IP address, subnet mask, default gateway, and other configuration information directly into the TCP/IP properties box for each NIC on each computer individually; 2) Dynamic configuration, in which the computer is configured to contact a DHCP server to obtain a leased IP address, along with other TCP/IP configuration information; and 3) Automatic configuration, in which the computer that is unable to contact a DHCP server assigns itself an address from the APIPA (Automatic Private IP Addressing) range for temporary use until a DHCP server can be contacted. Q: Can I have more than one default gateway configured on a computer? A: Sort of. If you have two network adapters, you can configure a different default gateway for each, but only the default gateway of the first adapter will be used. The only time the second adapter’s gateway will be used is if the first becomes unavailable. Q: What is a default gateway, anyway? A: The default gateway is the “way out of the network.” In a TCP/IP network, the default gateway serves an important purpose. It is the route that will be used when a host wants to communicate with any other host that is not on its local subnet. The IP address of the default gateway is the IP address of the subnet’s router (which can be a dedicated device or an NT or Windows 2000 machine with IP forwarding enabled, functioning as a router). Q: We know that IANA and InterNIC assign IP addresses. Where do the hardware addresses on the network cards come from?

91_tcpip_04.qx

2/25/00

10:57 AM

Page 186

186 Chapter 4 • Windows 2000 TCP/IP Internals

A: The physical addresses, burned into a chip on the network card, are known as Media Access Control (MAC) addresses in Ethernet and Token Ring network cards. Registration of MAC addresses is overseen by the IEEE, the Institute of Electrical and Electronics Engineers. The IEEE assigns the first three bytes of a MAC address to each company that manufactures network cards, and the manufacturer assigns the last three bytes to individual network adapters. Q: What is the difference between “connectionless” and “unreliable” in the discussion of network protocols? A: The term connectionless refers to a communication in which no session is established prior to the commencement of the transmission of data. Unreliable, on the other hand, means that delivery of the packets is not guaranteed. Unreliable protocols make a “best-effort” attempt to deliver each data packet. If a packet is lost, duplicated, or delayed, the unreliable protocol does not “care.” IP is an “unreliable” protocol, which is why TCP (a reliable protocol) handles acknowledgments and error recovery at the Transport layer. Q: What is the difference between TCP ports and UDP ports? What are some of the “well-known ports?” A: TCP ports are more complex and they operate differently from UDP ports, although both are used for the purpose of identifying a packet’s destination more specifically within an IP address. A UDP port operates as a single message queue. The UDP port is the endpoint for UDP communications. Each TCP port, on the other hand, is identified by dual endpoints (one address/port pairing for each connected host). Well-known ports include TCP ports 20 and 21 (FTP), 23 (Telnet), 53 (DNS zone transfer), 80 (Web server), and 139 (NetBIOS session). Wellknown UDP ports include 69 (TFTP), 137 (NetBIOS name service), 138 (NetBIOS datagram service), 161 (SNMP), and 520 (RIP).

91_tcpip_05.qx

2/25/00

12:49 PM

Page 187

Chapter 5

Using Network Monitoring and Troubleshooting Tools in Windows 2000

Solutions in this chapter: ■

Windows 2000 Monitoring Tools: Performance, NetMon

■

TCP/IP Utilities: SNMP, ping, tracert, ipconfig, nbtstat, netstat

■

Network Management Tools: SMS, NetXray, Tivoli

■

Cable Testers, Protocol Analyzers, Sniffers

187

91_tcpip_05.qx

2/25/00

12:49 PM

Page 188

188 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Introduction In this chapter, we will examine a host of tools and utilities that you can use to monitor, assess, and diagnose your network. One of the great advantages of using TCP/IP as your network protocol of choice is the vast array of tools available for troubleshooting. We’ll first look at some tools that allow you to monitor network activity, such as the Network Monitor, Event Viewer, and the Performance Console. These are all GUI-based tools you can use to gather statistics and information, allowing greater insight into the behavior of the network “under the hood.” After looking at the monitoring tools, we’ll dive into some of the TCP/IP command-line tools such as PING, PATHPING, IPCONFIG, and more. We will see how each tool works, and then apply each to a specific troubleshooting scenario, which will give you some context to see how they work in actual practice.

Windows 2000 Monitoring Tools Microsoft has included two powerful network-monitoring tools with Windows 2000: The Performance Console and the Network Monitor. With these tools, you can monitor the health of your network from a single location, and you can listen in on network activity in real time. Both of these utilities allow you as the administrator to have more control over the health and efficiency of your network. Before diving into the tools, let’s talk first about some basic monitoring guidelines that will help optimize your use of the tools discussed in this chapter.

Basic Monitoring Guidelines When monitoring aspects of your network, you need to have a good idea of what it is that you’re looking for. Are you looking for clues for login validation errors? Are you looking for reasons for complaints of network sluggishness from your users? Are you looking for possible security leaks? Are you just obtaining baseline measures so that you have something to compare to when the network is acting abnormally?

Baselining Baselining is the process of collecting information on a network when everything is working the way you want it to work. It would make no sense to collect baseline information when your network is “acting up,” or is the subject of complaint and ridicule. With this in mind, you definitely do not want to collect baseline information about network performance

91_tcpip_05.qx

2/25/00

12:49 PM

Page 189

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 189

and behavior soon after the implementation of a new network or network segment. There is always a “shakedown” period when you are going to have to “fix” the things that weren’t done correctly the first time, and to fine-tune those aspects of the network implementation that were correctly implemented. After the network has “settled down” for a period of several weeks, and no one is complaining and you are not aware of any problems, then you should start a network baseline collection procedure. You may want to use some or all of the tools discussed in this chapter to obtain your network baseline.

Documentation The key to your success in network monitoring and maintenance is good and organized documentation. You must have a system in place that allows you to quickly and efficiently return to previous measurements, and to measure trends that may be extant in the measurements you have taken. Whether you are using Network Monitor, System Monitor, netdiag, netstat, ipconfig, or whatever, have a location on your hard disk to keep the information that you have collected, and keep all your information in this location.

Backing Up It is important that you back up this information to multiple locations for fault tolerance reasons. If you have multiple backups, it is unlikely that any of them will fail, but if you have a single backup, there is a good chance that it will be corrupt. Think of this as an extension of Murphy’s Law.

Analysis After you have decided on a location to keep your precious data, you need a system to collate it and bring it together so that you can spot trends. Most of the tools that we will work with in the chapter allow you to save data in some kind of delimited text file.

NOTE A delimited text file is a text-based database file format with data that is separated by either commas or tabs. Spreadsheet or database programs such as Microsoft Excel or Microsoft Access allow you to easily import this delimited text information into a database format, which makes it easier to spot trends. Both programs have sophisticated charting and graphing capabilities that allow you to visually depict important information.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 190

190 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

If you work for a larger organization, you may have available more sophisticated programs that perform network analysis for you and provide detailed reporting capabilities. Programs such as Network Associates’ Network Informant, Computer Associates’ Unicenter TNG, and Microsoft Systems Management Server all provide built-in reporting facilities that are both simple to use and extremely sophisticated in their reporting capabilities. Whatever tools you decide to use, keep in mind that your monitoring efforts are done for several reasons: ■ ■ ■

To find network faults To obtain baseline measurement To provide documentation you might need in order to obtain the equipment you desire to improve your network’s functionality

With this in mind, let’s look at some of the tools available to us to monitor and investigate network functionality.

Performance Logs and Alerts The application formerly known as “Performance Monitor” has undergone a name change and a minor overhaul in its appearance in Windows 2000. In fact, it appears to have a couple of different names, depending on the Microsoft documentation you read. It is called either “Performance” or the “System Monitor.” For our purposes, we’ll refer to it as the “Performance Console” or “System Monitor.” You can use the Performance Console to obtain real-time data on network performance parameters such as TCP, Web, FTP, and Proxy server statistics. This information can be saved in a log file for later analysis, and it can even be replayed. To open the Performance Console, go to the Administrative Tools and click Performance, as shown in Figure 5.1. Note that there are two panes in the Performance Console. On the left, you see entries for the System Monitor, and then several options for Performance Logs and Alerts. The System Monitor is the counterpart of the Windows NT 4.0 Performance Monitor. There are three views available in the System Monitor: ■ ■ ■

Chart view Histogram view Report view.

When working with the Chart view, note that it will display up to 100 units of time. You select the unit of time for which measurements are taken by right-clicking anywhere on the chart area itself, and selecting Properties, as seen in Figure 5.2.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 191

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 191

Figure 5.1 The Performance Console.

NOTE The old “Log View” has been moved away from the System Monitor area into its own area under the “Performance Logs and Alerts” section.

Notice where it says “Update automatically every:” and then a number of seconds. You can enter the number of seconds you want the chart updated, and the entire chart will contain data for up to 100 update intervals. If we left this as it is, with the update taking place every 1 second, then we could see up to 100 seconds of activity on the chart, which is equal to 1 minute and 20 seconds.

TIP If you would like to see an entire day’s worth of activity on one chart screen, you could divide the number of seconds in one day by 100, or 86400/100 = 864 seconds. By setting the chart interval to 864 seconds, you’ll be able to see an entire day’s worth of data on a single chart screen.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 192

192 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.2 The Properties dialog box in the Chart view.

Counters There are a great variety of network-related counters you can add to the System Monitor. A noncomprehensive list of these counters includes IP, IIS Global, ICMP Browser, FTP Server, UDP, TCP Redirector, SMTP Server, RAS Port RAS Total, NNTP Server, NNTP Commands, and Network Interface. One of the nice things about the System Monitor application in Windows 2000 is that when you populate the Chart view with a number of counters, you don’t have to repopulate the Report view. For example, let’s say that I want to add all the counters for the Network Interface Performance Object. I click on the “+” sign on the toolbar and the Add Counters dialog box appears, as shown in Figure 5.3. To select all counters from a performance object, all you need to do is select the “All counters” option button, and it adds all the counters to the list. Then click ADD and they all appear in the chart. After the counters are added to the Chart view, you can see statistics gathered from those counters in both the Report and the Histogram views. Figure 5.4 shows all the counters in the Report view.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 193

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 193

Figure 5.3 The Add Counters dialog box.

Notice that all the counters are carried over to the Chart view, which is a real convenience. The same is true for the Histogram view, which you can see in Figure 5.5. Figure 5.4 The Network Interface counters in Report view.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 194

194 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.5 The Histogram view carries over the counters selected in the Chart view.

If you would like to create a log file so that you can come back to the information that you’ve gathered at a later time, click the Counter Logs object and then right-click in the right pane and select New Log Settings. You will first encounter the New Log Settings dialog box where you put in the name of the log. Make it something meaningful and descriptive so you can find the information later. You will then be faced with a three-tabbed dialog box, such as that seen in Figure 5.6. The first tab is the General tab, and this is where you begin to add new counters to the log file. Click ADD and add counters as you did in the Chart view. After adding the counters, they will populate the area labeled “Counters.” When you click the Log Files tab, you will see what appears in Figure 5.7. Note the location and name of the log file.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 195

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 195

Figure 5.6 The Log File dialog box.

Figure 5.7 The Log Files tab in the Log File dialog box.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 196

196 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Log File Format In the “Log file type:” drop-down list box, you can choose what format you want the log file to be saved in. The main choices are binary format and delimited text formats. If you save the logs in delimited text formats, you can import the data into an Excel or Access database. Regardless of the format you choose, you can still bring the information back to the System Monitor Console for later analysis in the same way you were able to open log files for later viewing using the Windows NT 4.0 Performance Monitor.

Alerts To create an alert, you click the Alerts object in the left pane and then right-click in the right pane and select New Alert Settings from the context menu. Enter the name of the alert and click OK. You will see what appears in Figure 5.8. Figure 5.8 The General tab in the Alert dialog box.

You add counters for which you want to be alerted by clicking ADD; in this example, we have selected the Pages/sec counter in the Memory object. After selecting the counter, you need to set parameters that will trigger the alert. In this case, we want to be alerted if the number of pages/sec exceeds 20 per second. The sample interval is every 5 seconds by default. Click the Action tab and you will see what appears in Figure 5.9.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 197

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 197

Figure 5.9 The Action tab in the Alert dialog box.

You set what actions should take place after an alert is triggered. In this case, we have configured the alert to be sent to the Application log and a network message to be sent to the administrator’s workstation. This is a NetBIOS name, and NetBIOS must be enabled on both the machine generating the alert and the machine receiving an alert as a network message in order for this to work. This is something to keep in mind when you feel that your network has reached a point where you can completely disable NetBIOS. If you do reach that point, you must reenable NetBIOS on the source and destination machines, at least temporarily, in order for alerts to be sent via network messages. You also have the choice of starting a log that you have already created after an alert condition has been met. We might want to create a log that tracks other memory-related parameters if the number of pages/sec exceeds 20. In that case, we would choose to “Start performance data log” and select the name of the log from the drop-down list. You could also choose to start a program after the alert condition parameters have been met. Click the Schedule tab and you will see what appears in Figure 5.10. Here you can schedule when you want to the system to look for alert conditions. In this instance, we have selected the date and time when the system should start looking for the alert condition, and set that the system should stop looking after one day. You can see from the dialog box the other options you have when scheduling alerts.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 198

198 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.10 The Schedule tab in the Alert dialog box.

Network Monitor The Microsoft Network Monitor is a software protocol analyzer that allows you to capture and analyze traffic on your network. The version of Network Monitor that comes with the Windows 2000 server family is limited in its scope because it does not allow you to place the network adapter in what is known as “promiscuous mode.” When an adapter is placed in promiscuous mode, it is able to listen to all the traffic on the segment, even if that traffic is not destined for the machine running the Network Monitor software. However, one of the disadvantages of this state of affairs is that promiscuous mode capturing can potentially overtax your computer’s processor. Even with these limitations, the Network Monitor is a very useful tool for assessing the activity on the network. You can use the tool to collect network data and analyze it on the spot, or save your recording activities for a later time. Network Monitor allows you to monitor network activity and set triggers for when certain events or data cross the wire. This could be useful, for instance, if you are looking for certain “key words” in e-mail communications moving through the network (we’ll look at an example of how to do this later in this section).

91_tcpip_05.qx

2/25/00

12:49 PM

Page 199

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 199

NOTE A more full-featured version of Network Monitor that allows for promiscuous mode is included with Microsoft System Management Server (SMS).

Filtering The Network Monitor program allows you to capture only those frames that you are interested in, based on protocol or source or destination computer. You can apply even more detailed and exacting filters to data that you have finished collecting, which allows you to pinpoint the precise elements you might be looking for in the captured data. We’ll discuss how to filter what data you want to capture, and how to fine-tune the captured data after you’ve collected it.

Security Issues The Network Monitor program is a network sniffer. Any person with administrative privileges can install it on a Windows 2000 server family computer and start “listening” to activity on the wire. If you feel this is a cause for concern, you are correct. This easy availability of such a powerful tool should lead to even further consideration of the security implications when you give someone administrative rights. Fortunately, the Network Monitor is able to detect when someone else on the segment is using Network Monitor, and provide you with his or her location. However, don’t stake your career on this working correctly, because we have had very rare success at it actually identifying all computers running Network Monitor on the same segment.

Installation Network Monitor is not installed by default. If it isn’t installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel.

Using the Program After you have installed the program, go to the Administrative Tools menu and click Network Monitor; you will see what appears in Figure 5.11. This Capture Window is the starting point on your adventure of network monitoring. Note that there are four panes to this window.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 200

200 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.11 The Network Monitor Capture Window.

Capture Window Panes The top left pane is in the “gas gauge” type format, which provides information on percent network utilization, broadcasts per second, and other parameters in real time. Just under that is a pane that provides information about individual sessions as they are established, showing who established a session with whom, and how much data was transferred between the two. The right pane is the local machine’s session statistics pane, and provides detailed summary (is that an oxymoron?) information about the current capturing session. The bottom pane provides information about each detected host on the segment, and statistics gathered on the host’s behavior.

Extra Tools Before we get into the details of a capture, let’s look at some of the extra tools available with Network Monitor.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 201

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 201

First, select the Tools menu, and then click Identify Network Monitor Users. You will see the Identify Network Monitor Users dialog box as it appears in Figure 5.12. Figure 5.12 The Identify Network Monitor Users dialog box.

NOTE This dialog box provides you with the username and NetBIOS name of the machine or machines currently running Network Monitor.

As mentioned earlier, you might not always get accurate readings right away when running this utility. The Microsoft documentation regarding how it finds other Network Monitor users is not clear on how the identification process takes place. Machines running either the Network Monitor Application or Agent are supposed to register NetBIOS names with the service identifier of [BFh] and [BEh], respectively, but if you look at the following, you will be led to think otherwise: Local Area Connection: Node IpAddress: [192.168.1.186] Scope Id: [] NetBIOS Local Name Table Name - - - EXETER

Type - - - <00> UNIQUE

Status - - - Registered

91_tcpip_05.qx

2/25/00

12:49 PM

Page 202

202 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 TACTEAM EXETER EXETER TACTEAM INet~Services IS~EXETER ADMINISTRATOR

<00> <03> <20> <1E> <1C> <00> <03>

GROUP UNIQUE UNIQUE GROUP GROUP UNIQUE UNIQUE

Registered Registered Registered Registered Registered Registered Registered

Local Area Connection: Node IpAddress: [192.168.1.3] Scope Id: [] NetBIOS Local Name Table Name - - - DAEDALUS TACTEAM DAEDALUS DAEDALUS TACTEAM TSHINDER INet~Services IS~DAEDALUS DAEDALUS

Type - - - <00> UNIQUE <00> GROUP <03> UNIQUE <20> UNIQUE <1E> GROUP <03> UNIQUE <1C> GROUP <00> UNIQUE <01>

UNIQUE

Status - - - Registered Registered Registered Registered Registered Registered Registered Registered Registered

These are the printouts of the nbtstat –n commands run on two of the Windows 2000 computers identified by Network Monitor as running Network Monitor. Neither of them has registered NetBIOS names indicating that they are running either the Network Monitor Agent or Application. The WINS database on this network also contains no entries to this effect. The moral of this story? Take advantage of this application, but take a couple of precautions: 1) Let it run for an hour or so before concluding that no other Network Monitor users are on the network, and 2) Don’t bet your job on it!

Buffers Now click the Capture command and click Buffer Settings. You’ll see what appears in Figure 5.13. The buffer size, in megabytes, determines the amount of data you can capture in a single recording session.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 203

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 203

Figure 5.13 The Capture Buffer Settings dialog box.

TIP The default value is 1MB, but you can choose up to 1024MB (1GB). However, since this data is stored in memory during the recording phase, your practical limit is the amount of available RAM.

Even if you are running Network Monitor on a machine with a gigabyte of RAM, you still need to be careful because it needs to write this information to disk. You need the equivalent amount of free disk space as well. You can also choose how much of each frame you want to capture. Typically, you’ll choose Full to maximize your ability to find the things you’re looking for. Select the Options menu, and then click the Change Temporary Capture Directory command. You’ll see a scary message like the one in Figure 5.14. Figure 5.14 A scary message about changing the Temporary Capture Directory.

The whole program is for advanced users only! We’re still trying to figure out what the danger is that they want to communicate regarding changing the

91_tcpip_05.qx

2/25/00

12:49 PM

Page 204

204 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

location of the temporary folder, which is the temporary folder location defined in the system environment variable. Click OK and you can then choose another folder to contain the temporary capture files. You might want to do this if you’ve chosen a buffer size that is larger than the amount of disk space you have available on the partition that contains your temp directory.

Collecting Data Now that we’re finished with the preliminaries, let’s get to the job of collecting some data. The first thing you should try out is to start a capture without filters, just to get a feel for how the capture process works.

NOTE There are a couple of ways to get the capture started: You can select the Capture menu, and then click Start, or you can click the little right-pointing arrow in the toolbar. Either one will begin the capture. When it is running, you’ll see the gas gauges moving, and the statistics being collected on the recording session.

After letting the capture run for a little bit, or after the % Buffer Used value is 100, click the button that has the eyeglasses next to a square (the stop and view button). This stops the capturing process and allows you to see the frames that have been captured. You’ll see the Capture Summary window as seen in Figure 5.15. This window provides a list of all the frames that were captured during the session. If you scroll to the bottom of the list, you’ll note that there is a summary frame that contains statistics about the current capture. Take note of the column headers, which all should be self-explanatory. Notice something unusual about the data in Figure 5.15? How about the information that appears in the “Src MAC Addr” and “Dst MAC Addr” fields? Those don’t look like MAC addresses to me. If you did notice this seeming anomaly, congratulations! MAC addresses aren’t much fun to look at, so we took advantage of another utility that translates the MAC addresses to Machine Names. Select the Display menu, and then click the Find All Names command. It will search for names and then inform you of its results, and transform the fields containing MAC addresses to NetBIOS names if it can find this information. Now, double-click one of the frames, and you will see the display transform into a tripane view as seen in Figure 5.16.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 205

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 205

Figure 5.15 The Capture Summary window.

The top pane is just like the one you just saw. The middle pane contains translated information from the captured frame that provides details of the frame headers and protocol information. The bottom pane shows the raw Hex and translations of the collected frame data. At the very bottom of the windows, in the status bar area, there is a description of the frame selected in the top pane (which in this case is Ethernet/802.3 MAC Layer), the frame number out of the total number of frames, and an “offset” value for the selected character in the bottom pane. In the preceding example, we selected frame number 244, which is an ARP broadcast frame. Notice in the middle pane some of the details. It indicates the hardware type and speed, and the source and destination IP and hardware address. Note that the destination hardware address is the Ethernet broadcast address [FFFFFFFFFFFF] because the whole purpose of the ARP broadcast is to resolve the IP address to a hardware address. The capture was taken from EXETER. The ARP broadcast was issued by CONSTELLATION for DAEDALUS, which is the machine with the IP address of 192.168.1.3. Do you think we would find the ARP reply later in the capture? The answer is no. That is because the reply will not be sent

91_tcpip_05.qx

2/25/00

12:49 PM

Page 206

206 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.16 Tripane view in the Capture Summary window.

to the hardware broadcast address, but to CONSTELLATION’s hardware address; therefore, the Network Monitor on EXETER will not be able to capture that conversation. The only reason we were able to see the ARP Request is because it was directed to the hardware broadcast address, which means that every machine on the segment had to evaluate the request to see if it was for them. The bottom pane in this instance isn’t very exciting. It shows the Hex data on the left and an ASCII translation on the right. However, it can get interesting, as shown in Figure 5.17. Looking at the ASCII translation in this case, we see that we have a problem user on the network, perhaps an overly enthusiastic Linux fan. We are able to actively search for text strings in captured data in order to find out about the existence of just this kind of communication. In this case, the offensive text string was found embedded in an SMB packet transmitting a Microsoft Mail message from the e-mail server to the destination computer. Other frames in the capture indicate the source of the message.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 207

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 207

Figure 5.17 Capture file with revealing ASCII data.

Filtered Captures The capture we did earlier was an unfiltered capture. The advantage of doing an unfiltered capture is that you can gather data on every communication into and out of the computer doing the capture, so you can be sure that you’re not missing anything. However, you could end up collecting a whole lot of information that you don’t need, and the extra information only serves to obscure the data that you’re actually looking for. Perhaps you’re only interested in the information exchange taking place between your computer and one other computer, or two other computers. You can limit the frames that are captured by creating a capture filter.

NOTE A capture filter is one of the two types of filters you’ll be working with, the other being the display filter, which we’ll explore in a little bit.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 208

208 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

The purpose of the capture filter is to limit the frames that are actually saved in the capture buffer. This allows you to make better use of your buffer space, because the limited amount of buffer you have can be devoted to looking at the precise targets of interest. It also reduces the amount of “extraneous” information that could cause you to overlook something important during your investigations. To create a capture filter, select the Capture menu, and click Filter. First you’ll see a warning that tells you that for “security” reasons, you can only capture traffic moving to and from the machine running Network Monitor. Click OK to move away from that dialog box, and you’ll see what appears in Figure 5.18. Figure 5.18 The Capture Filter dialog box.

There are two ways you can filter the capture information: ■ ■

By machine address pairs By a specified pattern in the frames that is examined during the capture sequence

Filtering by Address Pairs Let’s first see how we filter via address pairs. We can define up to four address pairs to filter. For example, suppose there are 30 computers on the segment that’s running Network Monitor, and we don’t want to capture information destined to and coming from all 30 of those machines, just four of them. We can do that.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 209

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 209

To start adding address pairs, double-click the [AND] (Address Pairs) statement. You should see what appears in Figure 5.19. Take a close look at the elements of this dialog box. Near the top are two option buttons for Include and Exclude. Any address pair that you select for Include will be included in the capture. Any address pair that you set for Exclude will be excluded from the capture. For example, if you choose to include *Any (which indicates all frames coming to and leaving this computer), you could choose to exclude a pair of computers so that you can ignore messages being sent to and arriving from that machine. Figure 5.19 The Address Expression dialog box.

Under the Include and Exclude options are three panes: Station 1, Direction, and Station 2. Station 1 and Station 2 will define the computers named in the address pairs that will be included or excluded from the filter, with Station 1 always being the machine running the Network Monitor application. The Direction arrows allow you to filter based on the direction of the traffic. The "# symbol represents traffic leaving Station 1 to Station 2 and arriving from Station 2 to Station 1, the # represents traffic leaving Station 1 to Station 2, and the " represents traffic arriving from Station 2 to Station 1.

NOTE If we were using the full version of Network Monitor that comes with Microsoft Systems Management Server, Station 1 could be any computer on the network and not just the local machine.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 210

210 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

The chance is good that the machine you want to designate as Station 2 is not included on the list. To add the machine of interest to the list, click EDIT ADDRESSES. You will see what appears in Figure 5.20. Figure 5.20 The Addresses Database dialog box.

This shows the Addresses Database in its current state on the machine running the Network Monitor. The first column gives the machine’s NetBIOS name, the second column the machine’s addresses, the third column denotes the type of address included in the second column, and the fourth column includes a comment about the entry in the database. What we want to do is add an entry, so therefore we need to click ADD. You will see what appears in Figure 5.21. Figure 5.21 The Add Address Information dialog box.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 211

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 211

In the Add Address Information dialog box you enter the name of the machine, whether this is a permanent name for the machine, the address, the type of address you are entering, and an optional comment.

TIP A hint here is that before you enter the address, you must choose what type of address you wish to enter. The dialog box defaults to a MAC address, and if you try to enter an IP address when it says “ETHERNET” in the type box, it won’t work.

Click OK and the address is entered into the database. These addresses will only stay in the database for the time that you have Network Monitor open. If you find that you’ve created a lot of addresses for machines on your network, you certainly don’t want to have to do that again. To prevent such a waste of time, you can save these addresses. To do so, click SAVE, choose a location and a name for the file, and these addresses will be saved so that you can load them on a subsequent monitoring session. Click CLOSE, which returns you to the Address Expression dialog box that you were at previously. I’m going to select EXETER for Station 1, CONSTELLATION for Station 2, and choose the double arrow for the direction of traffic. After doing so, the screen looks like it does in Figure 5.22. Figure 5.22 The completed Capture Filter.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 212

212 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

With this capture filter in place, only traffic between EXETER and CONSTELLATION will be retained in the capture filter, and all other packets will be rejected. This implies that all packets continue to be examined by the application, and that is true.

TIP The filtering process can be processor-intensive, especially if you have set up complex filters. Keep this in mind before running an extended capture session on a machine that is already heavily taxed.

Now we’re ready to start the capture session. Click OK in the Capture Filter dialog box to remove it from sight. To start the capture, we’ll click the right-pointing arrow in the toolbar. After letting the capture run for a very short period of time, you can click the “stop and view” button on the toolbar. The collected data appear in Figure 5.23. Figure 5.23 The results of a filtered data collection.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 213

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 213

Display Filters Now that we have some captured data, we’ll look at a second type of filter, known as a display filter. The display filter allows us to look for very specific elements of the captured data, and allows for a much more refined filtering than we can accomplish with the capture filter.

NOTE A display filter can be used as a database search tool, where the captured frames are the data in our database.

Imagine that we had captured this data because we wanted to see what types of messages were being passed around the network regarding Windows 2000. First, we’d have to decide what kind of messages we want to look for. In this case, let’s assume that we want to see if users have been using the net send command to exchange ideas or opinions regarding Windows 2000. To get started, select the Display menu, and click Filter. You should see what appears in Figure 5.24. Figure 5.24 The Display Filter dialog box.

What we want to do is filter out everything except the protocol of interest, and then identify a key phrase contained within the protocol of

91_tcpip_05.qx

2/25/00

12:49 PM

Page 214

214 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

interest. Since we’re looking at net send messages being sent between the users, we know that they use the SMB protocol. That’s where we’ll start. Double-click the line that says “Protocol==Any”. You will see the Expression dialog box as it appears in Figure 5.25. Figure 5.25 The Expression dialog box.

Notice that the Protocol tab is where we are located. By default, all protocols are enabled, which means that the filter is letting frames from all protocols appear. Our goal is to allow only frames from the SMB protocol to appear, so we can sift through just those frames to find what our users are saying about Windows 2000. The first step is to disable all the protocols by clicking DISABLE ALL. After clicking DISABLE ALL, all the protocols are moved to the right side, into the Disabled Protocols section. Now, scroll through the list of disabled protocols and find the SMB protocol. Click on the SMB protocol and then click ENABLE. Your screen should appear as it does in Figure 5.26. When the display filter is enabled, we will see only the SMB frames. However, we don’t want to see all the SMB frames, we just want to see those that have the term “Windows 2000” in them. In order to drill down to just those frames, click the Property tab. After clicking the Property tab, scroll down the list of protocols until you find the SMB protocol. Double-click the protocol to see all the SMB frame properties. Then scroll down the list of SMB frame properties until you find the Data property. You should see what appears in Figure 5.27.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 215

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 215

Figure 5.26 The SMB protocol is now the only enabled protocol.

In Figure 5.27, we have selected the “contains” option in the Relation text box, and then entered the value “Windows 2000.” This will filter out any SMB frames that do not contain the text string “Windows 2000.” Note toward the bottom of this dialog box there are two option buttons, Hex and ASCII, and that ASCII is selected. Figure 5.27 The SMB protocol Properties dialog box.

Click OK, then click OK again, and we see a single frame that contains a reference to Windows 2000, as it appears in Figure 5.28.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 216

216 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.28 The result of the display filter.

Apparently, our rollout of Windows 2000 on the network is being well received!

Event Viewer The Event Viewer can be used to check on the status of a number of network services. Windows 2000 systems are configured to report significant fault situations to the Event Viewer. You should make it a regular practice, perhaps the first thing you do every day, to check out the Event Viewer on all of your primary servers to see if any of the Windows 2000 services running on these servers are reporting error conditions (see Figure 5.29). Normal status events are reported with a blue “i”; hence the phrase, “may your Event Viewer always show blue.” Red and white “Xs” indicate an error condition serious enough to warrant investigation. In this example, we can see that two important network services, the DHCPServer and WINS, are both reporting error conditions.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 217

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 217

Figure 5.29 The Windows 2000 Event Viewer.

NOTE We are viewing the System Log in this case. Most of the networking services will report fault conditions to the System Log; however, you should investigate the Application Log as well.

To find out the nature of the problem, double-click one of the errors to see the details of the problem (see Figure 5.30). The Event Viewer reports that the Jet Database returned error number 1032. Now, how do we figure out what Event 1032 might be? The key is the Windows 2000 Resource Kit.

Interpreting Error Messages The Resource Kit contains a section called “Error and Event Messages Help,” which provides a comprehensive list of error messages that you might encounter in the Event Viewer. We can’t guarantee that all the

91_tcpip_05.qx

2/25/00

12:49 PM

Page 218

218 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Figure 5.30 Details of a DHCPServer error.

errors you encounter will be found here, but this one was. When we did a search for this error, we came up with the following: Event Message: The DHCP service encountered the following error when backing up the registry configuration: code Event Source Log Event ID Event Type DhcpServer 1032 Explanation: An internal error occurred in the Dynamic Host Configuration Protocol (DHCP) service. User Action: Look up the indicated error in the event log in Event Viewer, and take appropriate action. If this message appears often, you might want to restore an earlier version of your DHCP database from backup, or reinstall DHCP.

In this case, we have to take a leap of faith, since it recommends that we look in the Event Viewer, which is where we found the error in the first place. However, it does sound like our DHCP database might be damaged, and we are given a couple of options: either restore the DHCP Server database from a backup, or reinstall the DHCP server service—not very encouraging.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 219

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 219

DNS Log The Event Log does contain an added feature in addition to what was not found in Windows NT: the DNS log. Because of the added importance of DNS in the normal functioning of domain-related activity, Microsoft deemed the DNS service important enough to warrant its own log in the Event Viewer. If you are experiencing any DNS-related problems, you should check here first before getting into more involved DNS monitoring (such as DNS trace logs).

Using TCP/IP Utilities The group of command-line TCP/IP utilities included with Windows 2000 is similar to those available in Windows NT 4.0. We have the familiar set of TCP/IP tools such as: ■ ■ ■ ■ ■ ■ ■

PING NSLOOKUP TRACERT ARP IPCONFIG NBTSTAT NETSTAT

These basic TCP/IP command-line tools have either the same or enhanced functionality compared to what they could do in Windows NT 4.0. In addition to these tools, Windows 2000 offers some new commandline TCP/IP tools, including PATHPING and NETDIAG. We will see what each of these tools can do, and then look at some examples of how to apply their functionality to investigate a particular problem.

PING The PING (Packet INternet Groper) command uses ICMP echo messages to communicate with destination computers. The PING command is used most often to test basic TCP/IP connectivity. You can ping a computer by IP address or by host name. The PING command has the following switches: -t

Ping the specified host until stopped. To see statistics and continue - type Control-Break

91_tcpip_05.qx

2/25/00

12:49 PM

Page 220

220 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

-a -n -l -f -i -v -r -s -j -k

count size TTL TOS count count host-list host-list

-w timeout

To stop - type Control-C. Resolve addresses to hostnames. Number of echo requests to send. Send buffer size. Set Don’t Fragment flag in packet. Time To Live. Type Of Service. Record route for count hops. Timestamp for count hops. Loose source route along host-list. Strict source route along host-list. Timeout in milliseconds to wait for each reply.

-t Switch The –t switch is useful when you want to continuously monitor a connection. For example, you want to restart a machine remotely, and then want to know when the machine is up again so you can reestablish your remote connection. Use the ping –t command and watch when the destination computer begins to respond, and then reestablish the connection.

-n Switch If you don’t want to continuously ping a remote host, you can specify the name of echo request messages sent to the destination by using the –n switch. For example, if we want to ping constellation.tacteam.net 10 times, we would type at the command prompt: ping constellation.tacteam.net –n 10

It would then ping 10 times and stop after the tenth attempt.

-r Switch The –r command shows you the routes taken with each ping attempt. For example, if we type: ping shinder.net -n 3 -r 9

we get the following output: Pinging shinder.net [204.215.60.153] with 32 bytes of data: Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 ->

91_tcpip_05.qx

2/25/00

12:49 PM

Page 221

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 221 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.54 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=150ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Ping statistics for 204.215.60.153: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 90ms, Maximum =

150ms, Average =

110ms

Notice how the path changes with each ping? Think of this as a quickand-dirty way to investigate your routing configuration.

-i Switch The default Time To Live (TTL) set on the ICMP echo messages is 252, but you can change that value by setting the –i switch.

-w Switch Use the –w switch to configure a custom time out period on your requests. The default time out is 1000 milliseconds. If you don’t want to wait that long for a time out, change the value using the –w switch.

Using PING Now let’s look at a common situation where we would use PING to investigate a connectivity problem. You are called by your junior assistant regarding a connectivity problem between Computer A with an IP address of 192.168.1.1 and subnet mask of 255.255.255.0, and Computer B with an IP address of 192.168.2.5 and a subnet mask of 255.255.255.0. She tells you that they

91_tcpip_05.qx

2/25/00

12:49 PM

Page 222

222 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

were able to connect to each other yesterday, but since they’ve been “playing with the network,” the machines haven’t been able to connect. The first thing you should do is go to Computer A and check it out for yourself. Ping 192.168.2.5 and confirm that there is indeed no network connectivity. Far too many users and neophyte administrators consider the inability to browse a destination computer as a sign of lost network connectivity. Remember, Microsoft did not put the browser service into place as a network diagnostic tool! If you fail to get a response from Computer B, ping the loopback address, 127.0.0.1, to assess whether TCP/IP was installed correctly. Then trying pinging another machine on the same segment, such as 192.168.1.2. If you get a response from that machine, you know that the problem isn’t related to errors in the local machine’s protocol stack itself. Now, ping the default gateway, which had better be on the same segment as Computer A! You might try pinging the default gateway before pinging another machine on the same segment, if you’re in a hurry. Now ping the far side of the default gateway. In this case, you should know what interface the router table uses to forward packets to the destination network ID 192.168.2.0. Be sure that you ping that interface.

NOTE If you ping an interface on the router that doesn’t route packets to your destination host, you aren’t getting the information you need. If the router has multiple interfaces, the interface you are interested in could be down, while the other ones are up. This means you may need to check out the routing tables on the router itself.

If the far side of the gateway responds, try pinging another host on the same segment as the machine that is failing to respond. If you get a response, you know that there are no problems related to the segment itself, such as excessive traffic that might cause the pings to time-out. In our present case, everything worked fine except pinging the destination host, Computer B. When we went to Computer B, we found that it was a Linux box that had the default gateway misconfigured. We corrected the problem by removing Linux and upgrading the machine to Windows 2000. Another happy ending. (Another solution might have been to correct the configuration of the default gateway on the Linux machine—but why miss a golden opportunity?)

91_tcpip_05.qx

2/25/00

12:49 PM

Page 223

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 223

nslookup The nslookup command is the tool you use to investigate problems with your DNS server and zone databases. You can use the nslookup tool to probe the contents of your zone database files, and investigate problems with host name resolution. We will cover this tool in detail in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”

PATHPING Think of the PATHPING utility as the PING utility on steroids. The PATHPING utility sends ICMP echo request messages to each router along the path to the destination host and calculates how long it takes the roundtrip from request to reply. The default number of hops is 30, period 250 milliseconds, and queries to each router 100.

NOTE The PATHPING tool combines the capabilities of both TRACERT and PING, and gives you additional information that you can’t get easily from using either tool individually. PATHPING will calculate round-trip times, percent of requests that were lost at each router, and percent of requests lost between the routers.

PATHPING provides some interesting statistics because it gives you information regarding where the packet loss is taking place, and the level of stress a particular router may be experiencing. For example, when I type in the command: pathping shinder.net

I get the following output: Tracing route to shinder.net [204.215.60.153] over a maximum of 30 hops: 0 DAEDALUS.tacteam.net [192.168.1.3] 1 stablazer.tacteam.net [192.168.1.16] 2 tnt-dal.dallas.net [209.44.40.10] 3 grf-dal-ge002.dallas.net [209.44.40.9] 4 dal-net70.dallas.net [209.44.40.70] 5 aux153.plano.net [204.215.60.153] Computing statistics for 125 seconds... Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct

Address

91_tcpip_05.qx

2/25/00

12:49 PM

Page 224

224 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 0 1

0ms 0/ 100 =

0

0/ 100 =

0%

2

79ms 0/ 100 =

0% 0/ 100 =

0%

3

78ms 1/ 100 =

1% 0/ 100 =

0%

4

99ms 1/ 100 =

1% 0/ 100 =

0%

5

94ms 2/ 100 =

2% 0/ 100 =

0%

DAEDALUS.tacteam.net [192.168.1.3] 0/ 100 = 0% | starblazer.tacteam.net [192.168.1.16] 0/ 100 = 0% | tnt-dal.dallas.net [209.44.40.10] 1/ 100 = 1% | grf-dal-ge002.dallas.net [209.44.40.9] 0/ 100 = 0% | dal-net70.dallas.net [209.44.40.70] 1/ 100 = 1% | aux153.plano.net [204.215.60.153]

Trace complete.

Note that PATHPING first does a tracert and identifies all the routers in the path to the destination, and provides a list of those routers in the first section. Then, PATHPING provides statistics about each router and each link between routers. From this information, you can assess whether a router is being “overloaded,” or whether there is congestion in the link between the routers. The last two columns provide the most useful information when troubleshooting routers and links. Notice in the last column the name of the router, the IP address, and the percentage to the left of the router. If there is a high number of lost pings to a router, that is an indication that the router itself may be overloaded. Just under the name of the router you see a | character. This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion rather than with the router itself.

NOTE The PATHPING algorithm takes advantage of the fact that there are two paths the ping request can take: the “fast path” and the “slow path.” The fast path is that taken when a router just passes the packet to the next hop, without actually doing any “work” on that packet. This is in contrast to the slow path, where the router is the recipient of the ICMP echo request and must use processing resources to respond to the request by issuing an ICMP echo reply.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 225

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 225

tracert The tracert utility allows you to trace the path of routers to a destination host. You can use the tracert utility to assess whether a router or link on the path to the destination host may be congested. The tracert utility sends a series of ICMP echo requests, with each request having a incrementally higher TTL value. The first echo request has a TTL of 1. When the first router receives the message, it will decrease the TTL by 1. Since the TTL on the request was 1, it now is 0, and the router will return a “Time Exceeded” message to the requesting computer. The tracert utility then increases the TTL to 2 on the ICMP echo request message. When the message hits the first router, the TTL is decreased by 1, and when it hits the second router, it is decreased by 1 again. The second router then sends a “Time Exceeded” message to the source host. The process continues until the all routers have been traversed to the destination host. Figure 5.31 demonstrates how the tracert utility works. Figure 5.31 How the tracert utility works. Tracert Tracert increments the TTL on the ICMP Echo Request with each attempt. When the TTL reaches zero, the destination router returns a "Time Exceeded" message.

TTL=1 Time Exceeded Message

TTL=2

TTL=1

Time Exceeded Message

TTL=3 Time Exceeded Message

TTL=2

TTL=1

91_tcpip_05.qx

2/25/00

12:49 PM

Page 226

226 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

For example, when we type tracert www.digitalthink.com

at the command prompt, we get the following output: C:\>tracert www.digitalthink.com Tracing route to www.digitalthink.com [216.35.144.147] over a maximum of 30 hops: 1 <10 ms <10 ms <10 ms stablazer.tacteam.net [192.168.1.16] 2 70 ms 80 ms 70 ms dal-colo13.dallas.net [209.44.40.13] 3 80 ms 91 ms 110 ms grf-dal-ge002.dallas.net [209.44.40.9] 4 70 ms 120 ms 100 ms atm9-0-04.CR-1.usdlls.savvis.net [209.44.32.9] 5 120 ms 120 ms 170 ms tm9-0-013.CR-1.ussntc.savvis.net [209.83.222.41] 6 120 ms 140 ms 120 ms 209.144.160.142 7 110 ms 131 ms 330 ms bbr01-g6-0.sntc01.exodus.net [216.33.147.35] 8 140 ms 130 ms 120 ms bbr01-p2-0.sntc02.exodus.net [209.185.249.110] 9 170 ms 130 ms 161 ms bbr02-p3-0.sntc04.exodus.net [209.1.169.254] 10 130 ms 141 ms 120 ms dcr01-g2-0.sntc04.exodus.net [216.34.2.33] 11 121 ms 130 ms 170 ms rsm11-vlan920.sntc04.exodus.net [216.34.2.154] 12 131 ms 140 ms 150 ms 216.35.142.250 13 150 ms 140 ms 141 ms www.digitalthink.com [216.35.144.147] Trace complete.

The ping is sent three times to each router, and the round-trip time for each ping is noted. Each router’s name and IP address is also listed. There are a handful of switches you can use to change the tracert output: C:\>tracert Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name Options: -d Do not resolve addresses to hostnames. -h maximum_hops Maximum number of hops to search for target. -j host-list Loose source route along host-list. -w timeout

Wait timeout milliseconds for each reply.

The –d switch prevents tracert from resolving the IP address of the router to a host name, which can speed up your tracerts significantly. The default number of hops is 30, but you can change the number of hops by using the –h switch. The default timeout period is 1000ms, but you can change the timeout period by using the –w switch and specifying the number of milliseconds you want to the timeout to be.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 227

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 227

ARP The ARP utility allows you to view and manipulate entries in the arp cache. The arp cache is a list is MAC addresses for computers that have been recently contacted. The ARP utility is helpful when troubleshooting problems that are related to duplicate IP addresses or duplicate MAC addresses on a segment.

Using ARP For example, suppose that Computer A and Computer B have inadvertently been given the same IP address 192.168.1.10. Computer A is supposed to be 192.168.1.10, and Computer B is supposed to be 192.168.1.11. When machines on the same segment as these two computers try to contact 192.168.1.10, an ARP broadcast is done to resolve the IP address to a MAC address. Depending on which computer responds first, that will be the computer to which the connection will be made. Depending on which computer’s MAC address is in the arp cache, that will be the computer that is contacted. Another ARP broadcast will be done after the entries “age out” of the arp cache, which can lead to the other computer’s MAC address being included in the arp cache. You can see the contents of the arp cache by typing: arp –a

You will then see something like the following: Interface: 192.168.1.3 on Interface 0x1000003 Internet Address 192.168.1.1 192.168.1.2 192.168.1.16

Physical Address 00-00-1c-3a-64-68 00-40-05-37-c6-18 00-40-f6-54-d7-43

Type dynamic dynamic dynamic

192.168.1.185

00-50-da-0d-f5-2d

dynamic

Static ARP Cache Entries The ARP utility allows you to add and delete entries in the arp cache. When you add an entry into the arp cache, you create a static entry. A static entry will appear as static in the type field in the arp cache. You might want to create static arp entries for frequently accessed servers on the segment, or perhaps for the default gateway. When you create static entries, the source machine does not need to issue ARP broadcasts to resolve IP addresses to MAC addresses.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 228

228 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

WARNING Static entries can get you in trouble. We were once consulted to assess why no machines on a particular segment were able to contact a particular server. Each client on the segment was able to connect to any other client on the segment, and the server itself was able to connect to any of the clients. The only problem was that the clients were unable to connect to this server. To reduce ARP broadcast traffic on the network, the administrator had created a batch file that automatically placed static entries for each server on the same segment, and the default gateway for the segment. He then placed the batch file in the startup group, so that when a machine was restarted, the entries would be placed in the arp cache again. The problems with connectivity started after they replaced the NIC on the server. The administrator who created the batch file was no longer at the company, and the new administrator was unaware of the batch file. Only by doing an ipconfig on the server, and then checking the arp caches on the clients did we discover the existence of the batch file, which we updated. The clients were again able to connect to the server.

ipconfig The ipconfig utility included with Windows 2000 has all the functionality of that included with Windows NT 4.0, but with some added features. The ipconfig utility with switches provides you basic IP configuration data for the installed interfaces on your computer, as seen in Figure 5.32.

Figure 5.32 Basic IP configuration information provided by the ipconfig utility.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 229

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 229

The basic ipconfig command gives only the IP address, subnet mask, and default gateway for network interfaces on a particular machine. This can be handy when trying to figure out what IP address and subnet mask has been assigned to a DHCP client computer. You can get detailed information by using the ipconfig /all command, and see output similar to that in Figure 5.33. Figure 5.33 Comprehensive IP configuration information provided by the ipconfig /all command.

TIP By using the /all switch, you get information about the DNS servers, the Primary and Secondary WINS servers, and the MAC address. If you are troubleshooting DNS-related problems, it’s a quick way to ascertain the host name and Primary DNS suffix the machine uses when issuing DNS queries to its DNS servers.

Like previous versions of ipconfig, you can use the /renew and /release switches to renew and release DHCP leases, respectively. However, there are some new switches included with ipconfig that you will find very useful. At the command prompt, type ipconfig /? and you will see what appears in Figure 5.34. The /flushdns switch is used to clear the client DNS cache. This is particularly useful if you’ve made some changes to the DNS zone

91_tcpip_05.qx

2/25/00

12:49 PM

Page 230

230 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

database files, and now find that clients are not able to resolve host names correctly because old entries are included in the DNS cache. Figure 5.34 ipconfig switches included with Windows 2000.

TIP This is also a good way to clear out “negatively cached” entries from the DNS cache.

The /displaydns switch allows you to see the contents of the local DNS cache. After typing the ipconfig /displaydns command at the command prompt, you should see output similar to the following: C:\>ipconfig /displaydns Windows 2000 IP Configuration localhost. - - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : localhost Record Type . . . . . : 1 Time To Live . . . . : 31517057 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 127.0.0.1

91_tcpip_05.qx

2/25/00

12:49 PM

Page 231

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 231 constellation.tacteam.net. - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : constellation.tacteam.net Record Type . . . . . : 1 Time To Live . . . . : 2715 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 192.168.1.185 daedalus.tacteam.net. - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : daedalus.tacteam.net Record Type . . . . . : 1 Time To Live . . . . : 31517057 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 192.168.1.3 3.1.168.192.in-addr.arpa. - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : 3.1.168.192.in-addr.arpa Record Type . . . . . : 12 Time To Live . . . . : 31517057 Data Length . . . . . : 4 Section . . . . . . . : Answer PTR Record . . . . . : daedalus.tacteam.net boris.prognet.com. - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : BORIS.PROGNET.com Record Type . . . . . : 1 Time To Live . . . . : 1632 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 209.66.98.16 dns6.cp.msft.net. - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : DNS6.CP.MSFT.NET Record Type . . . . . : 1 Time To Live . . . . : 1435 Data Length . . . . . : 4 Section . . . . . . . : Answer

-

-

-

-

-

91_tcpip_05.qx

2/25/00

12:49 PM

Page 232

232 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 A (Host) Record . . . : 207.46.138.20 dns.prognet.com. - - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : DNS.PROGNET.com Record Type . . . . . : 1 Time To Live . . . . : 1560 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 205.219.198.34 1.0.0.127.in-addr.arpa. - - - - - - - - - - - - - - - - - - - - - - - - - Record Name . . . . . : 1.0.0.127.in-addr.arpa Record Type . . . . . : 12 Time To Live . . . . : 31517056 Data Length . . . . . : 4 Section . . . . . . . : Answer PTR Record . . . . . : Localhost

The /registerdns switch will refresh DHCP leases for all adapters for the machine, and re-register the machine’s host name and IP address with a Dynamic DNS server. The is a helpful switch to use when you’ve made changes to the local machine’s IP address configuration and want to quickly re-register with the DNS server. After running this switch, you will see the following output: Windows 2000 IP Configuration Registration of the DNS resource records for all adapters of this computer has been initiated. Any errors will be reported in the Event Viewer in 15 minutes.

Two additional DHCP-related switches are /showclassid and /setclassid. You can use these switches to manipulate what classid information a DHCP client sends to a DHCP server to identify it as a member of a particular user class or vendor class.

NOTE For a detailed explanation of DCHP vendor and user classes, you might find Managing Windows 2000 Network Services, published by Syngress Media, very helpful.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 233

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 233

netstat and nbtstat The netstat utility provides a great deal of useful information regarding the current connections of the computer running the utility. It provides you detailed information about each protocol and port that is listening or has established a connection. You should always exercise the netstat utility when beginning your security analysis on a server to assess which ports are open, and which may need to be blocked for security purposes.

NOTE netstat can also provide useful information about network performance.

At the command prompt, type netstat /? and you will see what appears in Figure 5.35.

Figure 5.35 netstat switches available in Windows 2000.

The netstat –s switch gives you detailed statistics regarding protocol performance. You can limit which protocols are reported on by using the –p switch, or if you want performance statistics on all TCP/IP protocols, use only the –s switch. After typing netstat –s at the command prompt, you will see output similar to the following: IP Statistics Packets Received Received Header Errors

= 223516 = 0

91_tcpip_05.qx

2/25/00

12:49 PM

Page 234

234 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 Received Address Errors Datagrams Forwarded Unknown Protocols Received Received Packets Discarded Received Packets Delivered Output Requests Routing Discards Discarded Output Packets Output Packet No Route Reassembly Required Reassembly Successful Reassembly Failures Datagrams Successfully Fragmented Datagrams Failing Fragmentation Fragments Created

= 470 = 0 = 0 = 0 = 223419 = 148039 = 0 = 0 = 0 = 4 = 2 = 0 = 67 = 0 134

ICMP Statistics Messages Errors Destination Unreachable Time Exceeded Parameter Problems Source Quenches Redirects Echos Echo Replies Timestamps Timestamp Replies Address Masks Address Mask Replies

Received 125 0 6 0 0 0 0 0 119 0 0 0 0

TCP Statistics Active Opens Passive Opens Failed Connection Attempts Reset Connections Current Connections Segments Received Segments Sent Segments Retransmitted UDP Statistics

Sent 124 0 5 0

0 119 0 0 0 0 0

= 481 = 16 = 17 = 78 = 27 = 195688 = 146696 = 47

91_tcpip_05.qx

2/25/00

12:49 PM

Page 235

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 235 Datagrams Received No Ports Receive Errors

= 1549 = 26172 = 11

Datagrams Sent

= 1136

These statistics are for the current session only, and are reset when the computer is rebooted.

TIP A couple of things to watch out for in these statistics are the “discards” entries (both “discards in” and discards out”). These should be hanging around zero. If you find a large number of discards, you likely have problems with the network card itself, or the segment is very busy and messages are lost or corrupted in the NIC buffer.

By using a combination of the –a and –n switches, you get a list of open ports on the machines, and the current status of those ports. The –n switch speeds up the screen print process by preventing netstat from translating port numbers to services. Try it with and without the –n switch and you’ll see what I mean. When you issue the netstat –a –n command from the command prompt, you should see something like the following: Active Connections Proto TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP

Local Address 0.0.0.0:21 0.0.0.0:25 0.0.0.0:42 0.0.0.0:53 0.0.0.0:80 0.0.0.0:119 0.0.0.0:135 0.0.0.0:443 0.0.0.0:445 0.0.0.0:563 0.0.0.0:1045 0.0.0.0:1047 0.0.0.0:1056 0.0.0.0:1063 0.0.0.0:1064 0.0.0.0:1066

Foreign Address 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0

State LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING

91_tcpip_05.qx

2/25/00

12:49 PM

Page 236

236 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP

0.0.0.0:1077 0.0.0.0:1104 0.0.0.0:1109 0.0.0.0:1111 0.0.0.0:1113 0.0.0.0:1114 0.0.0.0:1123 0.0.0.0:1124 0.0.0.0:1133 0.0.0.0:1135 0.0.0.0:1139 0.0.0.0:1141 0.0.0.0:1142 0.0.0.0:1154 0.0.0.0:1268 0.0.0.0:1270 0.0.0.0:1503 0.0.0.0:1720 0.0.0.0:1755 0.0.0.0:2057 0.0.0.0:2826 0.0.0.0:3074 0.0.0.0:3372 0.0.0.0:3762 0.0.0.0:3934 0.0.0.0:3937 0.0.0.0:3969 0.0.0.0:6666 0.0.0.0:7007 0.0.0.0:7778 127.0.0.1:15841 192.168.1.3:42 192.168.1.3:135 192.168.1.3:135 192.168.1.3:135 192.168.1.3:139 192.168.1.3:1063 192.168.1.3:1064 192.168.1.3:1109 192.168.1.3:1111 192.168.1.3:1113 192.168.1.3:1114 192.168.1.3:1123

0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 0.0.0.0:0 192.168.1.185:3919 192.168.1.2:1651 192.168.1.2:1653 192.168.1.2:1656 0.0.0.0:0 192.168.1.16:42 192.168.1.185:42 192.168.1.2:135 192.168.1.2:135 192.168.1.2:1089 192.168.1.2:1089 192.168.1.2:1654

LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED LISTENING ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED

91_tcpip_05.qx

2/25/00

12:49 PM

Page 237

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 237 TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP UDP UDP UDP

192.168.1.3:1124 192.168.1.3:1129 192.168.1.3:1129 192.168.1.3:1133 192.168.1.3:1135 192.168.1.3:1139 192.168.1.3:1141 192.168.1.3:1142 192.168.1.3:1154 192.168.1.3:1268 192.168.1.3:1270 192.168.1.3:1448 192.168.1.3:1448 192.168.1.3:1569 192.168.1.3:1569 192.168.1.3:2057 192.168.1.3:2826 192.168.1.3:3762 192.168.1.3:3934 192.168.1.3:3937 192.168.1.3:3968 192.168.1.3:3969 192.168.1.3:3976 0.0.0.0:42 0.0.0.0:135 0.0.0.0:161

192.168.1.2:1089 0.0.0.0:0 192.168.1.16:139 192.168.1.16:1057 192.168.1.16:1057 192.168.1.16:1074 192.168.1.2:135 192.168.1.2:135 192.168.1.16:1074 192.168.1.185:3389 192.168.1.2:5631 0.0.0.0:0 192.168.1.185:139 0.0.0.0:0 192.168.1.1:139 192.168.1.16:5631 192.168.1.2:1089 209.185.128.149:1863 192.168.1.185:389 192.168.1.185:389 192.168.1.186:1002 192.168.1.185:445 192.168.1.185:389 *:* *:* *:*

UDP

0.0.0.0:445

*:*

ESTABLISHED LISTENING ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED LISTENING ESTABLISHED LISTENING ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED TIME_WAIT ESTABLISHED TIME_WAIT

You can see that I have quite a large number of open and listening ports, which would represent a significant security risk if this machine were directly connected to the Internet at any time. The first column lists the protocol, the second column lists the open port on the local machine and the IP address on the local machine with the open port, the third column lists the destination computer’s IP address and port for the connection, and the last column lists the present state of the connection.

NOTE “Listening” means that the port is open, but no active connections have been made to it. “Established” indicates that the connection is active. “Time-Wait” and “Close-Wait” represent connections that have been established, but are in the process of timing out and closing.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 238

238 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

The netstat command can provide you with a wealth of information. Every systems administrator should run this command on a periodic basis to assess the state of the ports on his servers for security reasons, and to obtain quick TCP/IP statistics.

netdiag The netdiag command is new with Windows 2000. It is the “Swiss Army Knife” of network diagnostics for your Windows 2000 installation. When you run this command, it sets forth to test 24 different aspects of the networking subsystem for the machine. When netdiag is run without any switches, it prints the results to the screen. But, you will likely want to save the results of the analysis, and netdiag allows you to save everything it has discovered to a log file, which you can read at your leisure, or send to somebody else so they can figure out what’s wrong. Perhaps the greatest value of the netdiag command is you can easily tell a user or a junior administrator to run this command and not have to worry about walking him or her through 24 different command-line tests and switches, which would in all probability lead to a minor disaster. A list of the tests run when the netdiag command is issued without switches appears in Table 5.1. The netdiag command includes several switches, which you can find by typing netdiag /? at the command prompt. You should see what appears in Figure 5.36. Figure 5.36 Listing of netdiag switches.

The /q switch will only show you the errors that netdiag finds, so your screen doesn’t get too busy with the results from all the tests. If you want the real nitty-gritty details, use the /v switch to get the “verbose” output printed to the screen. If “verbosity” is your middle name, use the /debug switch to wring out every possible bit of information and print that to the screen.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 239

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 239

The /fix switch is said to fix “trivial” problems. These problems are related to entries in the HOSTS file and DNS; however, we have yet to figure out what it actually “fixes.” The most useful switch is the /l switch, which allows saving all the output to a log file. Table 5.1 Tests Run When the netdiag Command Is Issued Test

What the Test Does

Ndis

Tests the NIC

IpConfig

Runs ipconfig

Member

Tests the machine's domain membership

NetBTTransports

Test NetBIOS over TCP/IP Transports

Autonet

Autonet address test

IpLoopBk

Pings the loopback address

DefGw

Pings the default gateway

NbtNm

NetBT name test

WINS

Tests the WINS servers

Winsock

Tests WinSock integrity

DNS

Tests that correct names are entered in DNS

Browser

Tests the workstation services and browser service

DsGetDc

Discovers domain controller availability

DcList

DC list test

Trust

Tests trust relationships

Kerberos

Kerberos test

Ldap

Tests Lightweight Directory Access Protocol

Route

Tests the routing table

Netstat

Runs netstat and records the results

Bindings

Bindings test

WAN

Tests the WAN configuration

Modem

Performs modem diagnostics

Netware

Tests NetWare connectivity

IPX

Tests IPX components

Using NetDiag When you have users at a remote site reporting problems with connectivity, have them run netdiag with the /debug and the /l switches. Then,

91_tcpip_05.qx

2/25/00

12:49 PM

Page 240

240 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

have them e-mail the NetDiag.log file to you as an attachment. This is an excellent way to start troubleshooting without having to ask a lot of questions of someone who might have marginal understanding of the networking subsystems of the machine. If you run the netdiag command without switches, you will see output similar to the following: Computer Name: CONSTELLATION DNS Host Name: CONSTELLATION.tacteam.net System info : NT Server 5.0 (Build 2128) Processor : x86 Family 6 Model 7 Stepping 3, GenuineIntel List of installed hotfixes : Q147222 Netcard queries test . . . . . . . : Passed Per interface results: Adapter : Local Area Connection Netcard queries test . . . : Passed Host Name. . . . . . . . . : CONSTELLATION IP Address . . . . . . . . : 192.168.1.185 Subnet Mask. . . . . . . . : 255.255.255.0 Default Gateway. . . . . . : 192.168.1.16 Primary WINS Server. . . . : 192.168.1.185 Secondary WINS Server. . . : 192.168.1.16 Dns Servers. . . . . . . . : 192.168.1.185 204.215.60.2 AutoConfiguration results. . . . . . : Passed Default gateway test . . . : Passed NetBT name test. . . . . . : Passed WINS service test. . . . . : Passed Ipx configuration Network Number . . . . : 00000000 Node . . . . . . . . . : 0050da0df52d Frame type . . . . . . : 802.2 Adapter : IPX Internal Interface Netcard queries test . . . : Passed Ipx configration Network Number . . . . : 7a542943 Node . . . . . . . . . : 000000000001 Frame type . . . . . . : Ethernet II Adapter : IpxLoopbackAdapter Netcard queries test . . . : Passed Ipx configration Network Number . . . . : 7a542943

91_tcpip_05.qx

2/25/00

12:49 PM

Page 241

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 241 Node . . . . . . . . . : 000000000002 Frame type . . . . . . : 802.2 Adapter : NDISWANIPX Netcard queries test . . . : Passed Ipx configration Network Number . . . . : 00000000 Node . . . . . . . . . : 0a1420524153 Frame type . . . . . . : Ethernet II Global results: Domain membership test . . . . . . : Passed NetBT Transports configuration List of NetBt transports currently configured. NetBT_Tcpip_{70449B09-8401-4CEA-A1CA-7AB134414172} 1 NetBt transport currently configured. Autonet address test . . . . . . . : Passed IP loopback ping test. . . . . . . : Passed Default gateway test . . . . . . . : Passed NetBT name test. . . . . . . . . . : Passed Winsock test . . . . . . . . . . . : Passed DNS test . . . . . . . . . . . . . : Passed PASS - All the DNS entries for DC are registered on DNS server 192.168.1.185 and other DCs also have some of the names registered. [WARNING] The DNS entries for this DC are not registered correctly on DNS se rver 204.215.60.2. Please wait for 30 minutes for DNS server replication. Redir and Browser test . . . . . . : Passed List of NetBt transports currently bound to the Redir NetBT_Tcpip_{70449B09-8401-4CEA-A1CA-7AB134414172} The redir is bound to 1 NetBt transport. List of NetBt transports currently bound to the browser NetBT_Tcpip_{70449B09-8401-4CEA-A1CA-7AB134414172} The browser is bound to 1 NetBt transport. DC discovery test. . . . . . . . . : Passed DC list test . . . . . . . . . . . : Passed Trust relationship test. . . . . . : Skipped Kerberos test. . . . . . . . . . . : Passed LDAP test. . . . . . . . . . . . . : Passed Bindings test. . . . . . . . . . . : Passed WAN configuration test . . . . . . : Skipped No active remote access connections. Modem diagnostics test . . . . . . : Passed

91_tcpip_05.qx

2/25/00

12:49 PM

Page 242

242 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 Netware configuration You are not logged in to Netware User Name. . . . Netware Server Name. . . Netware Tree Name. . . .

your preferred server . . . . : . . . : . . . :

Netware Workstation Context. . :

Make the netdiag utility your first line of offense when troubleshooting connectivity programs. An entire report takes less than a minute to complete, and the information gathered is invaluable.

SNMP The Simple Network Management Protocol is not a utility in and of itself. Rather, it is a protocol used to communicate status messages from devices distributed throughout the network to machines configured to receive these status messages. Machines that report their status run SNMP Agent software, and machines that receive the status messages run SNMP Management software. One way to remember how this works is to think of the agent software as the “secret agent” that gets information about a network device, and then reports the information to his “manager” at headquarters.

What SNMP Does While the name of the protocol itself would lead you to believe that the primary function is to allow you to “manage” objects on the network, management in this context is more related to monitoring rather than actually effecting any changes to the devices themselves. Administrators typically think of managing something as taking an active role in configuring or changing the behavior of a device, so don’t let the name of the protocol fool you. SNMP allows you to audit the activities of servers, workstations, routers, bridges, intelligent hubs, and just about any network-connected device that supports the installation of agent software. The agent software available with the Windows 2000 implementation allows to you monitor Windows 2000 server and professional operating system parameters, the DHCP service, the WINS service, the Internet Information Services, QoS Admission Control Services, the Routing and Remote Access Service (RRAS), and the Internet Authentication Service (IAS). All these Windows 2000 services can be monitored remotely by SNMP Management software. In order for agent software to collect information regarding a particular service, a Management Information Base (MIB) must be created.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 243

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 243

NOTE The MIB is a database and a collection of instructions about how and what information should be gathered from a system. The MIBs included with Windows 2000 allow the agent software to communicate a wide range of information.

The agent is responsible for reporting the information gathered by the MIB. However, agents rarely volunteer information spontaneously. Rather, the agent must be queried by an SNMP management system before it gives up its knowledge. There is an exception to this: a “trap” message. A trap message is sent spontaneously by an agent to the SNMP Management System for which is has been configured to send. For example, we could set a trap message to indicate that the World Wide Web service is hung. We would then configure the agent to send a trap message to the IP address of our computer running the SNMP Management software so that we can quickly handle this catastrophic event. Figure 5.37 shows how the conversation takes place. SNMP messages themselves are sent to UDP Port 161 for typical GET and SET type messages, and UDP Port 162 for trap messages. Figure 5.37 SNMP Management System and agent communications.

SNMP Management Station sends "get" message

SNMP Management Station

SNMP Agent returns requested data to SNMP Management Station

File Server

Enterprise Router running SNMP Agent send Trap Message to SNMP Managment Station

SNMP Management Station

Enterprise Router

91_tcpip_05.qx

2/25/00

12:49 PM

Page 244

244 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

NOTE A GET message is a request that is sent from an SNMP Management System requesting information from an agent. A SET message allows the SNMP Management System to write changes to an MIB, and therefore extend its information-gathering abilities.

Installing the Agent In order for a system to report to the SNMP Management System, you must install the agent software first. To install the agent on Windows 2000 machines, go to the Control Panel, open the Add/Remove Software applet, select Add/Remove Windows Components, scroll down to find Management and Monitoring Tools and select it, then click DETAILS. Place a check mark in the Simple Network Management Protocol check box and click OK, as seen in Figure 5.38. Figure 5.38 Installing the SNMP agent software.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 245

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 245

Once the agent software is installed, we can configure its behavior. In Windows NT 4.0, we configured the agent’s behavior from the Services tab in the Network Properties dialog box. It is not quite so easy to find in Windows 2000. The way we configure the SNMP agent behavior in Windows 2000 is by getting into the Services applet, which is no longer found in the Control Panel. To get to the Services applet, go to Administrative Tools, and then click Services. Then scroll down to the SNMP Service. After you install the service, it should start automatically, and you’ll see that stated on the SNMP Service line. Right-click the SNMP Service entry, click Properties, and click the Agent tab. You should see what appears in Figure 5.39.

Figure 5.39 The Agent tab in the SNMP Service Properties dialog box.

This tab is for descriptive purposes only. SNMP Management Systems can obtain information about a contact person and location from information provided here. Also, information about what type of system the agent is running on is indicated by the selections made in the Service frame area. Click the Traps tab and you see what appears in Figure 5.40. If you want the agent to initiate a trap message, you need to make the agent part of a community that the agent and the SNMP Management software have in common. The community name can be anything you

91_tcpip_05.qx

2/25/00

12:49 PM

Page 246

246 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

like, and it is not related to domain names, usernames, or any other security principle you might think of in Windows 2000. Figure 5.40 The Traps tab in the SNMP Service Properties dialog box.

NOTE The community name does represent a somewhat primitive degree of security, because only machines from the same community can communicate with the agent. Microsoft documentation states that you should make your community name hard to guess. However, since the community name is transmitted in clear text, it really doesn’t make much of a difference how difficult to guess the name of the community might be.

After configuring at least one community membership, you then need to enter the IP addresses or host names of the machines that will receive the trap message. You do so by clicking ADD under the “Trap destinations” text box. Now click the Security tab and see what appears in Figure 5.41. On the Security tab, you can configure some basic security parameters for the SNMP agent. In the “Accepted community names” frame, you can add new communities that the agent can report to, and define the

91_tcpip_05.qx

2/25/00

12:49 PM

Page 247

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 247

level of permissions for Management Station access to the agent and MIBs. Figure 5.41 The Security tab in the SNMP Service Properties dialog box.

In the lower part of Figure 5.41, you see the “SNMP Service Configuration” dialog box, which appears after clicking EDIT in the “Accepted community names” frame. ■ ■

■

■

“None” means no permissions. “Notify” means only traps will be sent to the Management Station, and that the Management Station cannot make SNMP requests. “Read Only” allows the Management Station to read the values of the information provided by the MIBs. “Read Write” and “Read Create” do the same thing, which is to allow a SET command to be sent to the agent.

One really nice addition to the Windows 2000 SNMP agent is a GUI utility that allows you to configure which events will elicit a trap message. By default, no events will send a trap, which isn’t very useful. However, there is a GUI utility that you can access from the Run command. Type

91_tcpip_05.qx

2/25/00

12:49 PM

Page 248

248 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

evntwin.exe at the Run command and click OK. You will see what appears in Figure 5.42. Figure 5.42 The Event to Trap Translator.

This brings up the “Event to Trap Translator,” which allows you to configure which events will elicit trap messages. Notice the DEFAULT option button is selected, and list of events that are configured to send trap messages by default. That’s right, none! In order to configure trap events, click the CUSTOM option button, and then click EDIT>>. In the lower-left pane titled “Event sources,” doubleclick the Security folder. You should see another security folder under that one. Click that security folder, scroll down to Event ID 529, and click that. You should see what appears in Figure 5.43. Note that in the lower-right pane, you are able to select from a number of different security events for which you can elicit trap messages to be sent to a Management Station. After selecting Event ID 529, click ADD. You will see what appears in Figure 5.44. You can decide if the trap will be sent after a certain number of instances take place over a specified time interval. Click OK, and this event will be listed in the top pane of the Translator window. If you prefer a command-line version of this program, type evntcmd.exe at the command prompt and you will receive some help on how to use the command-line version of the program.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 249

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 249

Figure 5.43 Customizing trap events using the Event to Trap Translator.

Figure 5.44 The Trap Event dialog box.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 250

250 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Using IPSec Encryption As mentioned earlier, the SNMP messages are sent over the wire in clear text. One way around this problem is to use IPSec encryption between the SNMP Management Station and the SNMP agent. In this way, the clear text messages are encapsulated in encrypted IPSec packets and are not vulnerable to network “sniffers.” When configuring IPSec, you need to ensure that filters are created for both normal SNMP traffic and trap messages. Remember that nontraprelated messages are send to UDP Port 161, and trap messages are sent to Port 162. You should also include TCP Ports 161 and 162 when creating your filter rules. The procedure for creating these rules is a relatively easy but tedious one.

NOTE For details on how to configure IPSec security for SNMP Management Stations, see Configuring Windows 2000 Server Security, published by Syngress Media.

Network Management Programs There are a number of products on the market that automate the process of network monitoring and management. Two worthy of mention are the Microsoft Systems Management Server 2.0 and a program called NTManage by Lanware systems. Both of these programs provide a greater or lesser degree of network management capabilities.

Microsoft Systems Management Server Microsoft SMS provides a full-service network management solution for the enterprise organization. Systems Management Server contains modules to perform network diagnostics, automate software distribution, and perform hardware inventory for the entire organization. One of the best features of Systems Management Server is its ability to collect information from machines throughout the enterprise, and then create predefined or customized reports using the Crystal Reports reporting engine. These reports are preformatted and can be used to provide compelling presentations when budget time rolls around.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 251

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 251

NOTE For the full details on the services and capabilities available with Microsoft Systems Management Server 2.0, check out www.microsoft.com/smsmgmt/.

NTManage NTManage provides network-monitoring capabilities on a different level than Systems Management Server. Its greatest strength is as an SNMP Management Station. It is able to monitor all SNMP agents for critical faults, and reports those to you. It has an Autodiscovery mode that allows you to find all the machines on the network, and identify those machines running the SNMP service. It then will aid you in creating a network map that allows you to manage and monitor those objects on your network.

NOTE For more details and added capabilities of NTManage, check out Lanware’s Web site at www.lanware.net.

Summary In this chapter, we reviewed some of the tools available to monitor and manage your network. We started with a look at the System Monitor tool (also known as Performance) and its new and improved capabilities. You saw how to create performance logs and how to save those logs in delimited text format that can be imported into other programs, allowing you to store information from multiple monitoring sessions over time. We then examined one of your most powerful tools in investigating network conditions, the Network Monitor. The version of Network Monitor that comes with Windows 2000 Server family products is limited to some extent, because you can only capture information arriving to and leaving the machine running the Network Monitor software. However, it still provides a great deal of functionality. We saw how you can configure which machines you are capturing from, and how to find specific information contained within the capture itself.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 252

252 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

The Windows 2000 operating system includes a suite of TCP/IP command-line utilities that allow you to monitor and assess the current status of network performance and communications. Some of these tools include: ■ ■ ■ ■ ■ ■ ■

netstat nbtstat netdiag ipconfig ping tracert pathping

We saw how these tools can be used to answer specific questions regarding network activities. Devices running an SNMP agent to communicate with machines running SNMP Management Software use the Simple Network Management Protocol. We examined how to configure the SNMP agent software that comes with Windows 2000, and how to configure the limited security available with SNMP. We also discussed how to configure which events would be considered catastrophic enough to warrant a “trap message,” which is the only type of message that is initiated by the SNMP agent itself. Finally, we briefly looked at a couple of enterprise management software packages: the Microsoft Systems Management Server, which includes a full-featured version of Network Monitor capable of capturing packets in promiscuous mode; and Lanware’s NTManage program. You can get more information about these packages from their respective Web sites.

FAQs Q: I am able to ping a machine by using its NetBIOS name, but not its host name. What do you think the problem might be? A: This is an interesting problem, because by the very nature of your question, it sounds like you are creating two different namespaces, one for NetBIOS and one for the host name portion of the Fully Qualified Domain Name. Since you are able to ping the machine by its NetBIOS name, the destination machine must either be on the local segment so that broadcast messages are about to reach it, or your machine is configured with a WINS server that is able to resolve the NetBIOS name to an IP address. If you are not able to PING the

91_tcpip_05.qx

2/25/00

12:49 PM

Page 253

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 253

machine by its host name, it may be that the machine is not registered in DNS, or the DNS entry is misspelled. To get a list of names contained in the zone database, you can use the nslookup command. To do this, enter nslookup in interactive mode, and then use the ls command with the domain name of interest, as in the following: > ls tacteam.net. [constellation.tacteam.net] tacteam.net. tacteam.net tacteam.net tacteam.net gc._msdcs.tacteam.net. AESCULAPIUS.tacteam.net constellation.tacteam.net. daedalus.tacteam.net. defiant.tacteam.net. ds2000.tacteam.net. east.tacteam.net. daedalus.east.tacteam.net. exeter.tacteam.net. falcon-nx.tacteam.net. imserver.tacteam.net. kris.tacteam.net. neuro.tacteam.net. news.tacteam.net. north.tacteam.net. daedalus.north.tacteam.net. prometheus.tacteam.net. starblazer.tacteam.net. starfleet.tacteam.net. stuff.tacteam.net. west.tacteam.net. daedalus.west.tacteam.net. wins.tacteam.net.

A NS NS NS A A A A A A NS A A A A A A A NS A A A A NS NS A

192.168.1.185 server = constellation.tacteam.net server = daedalus.tacteam.net server = mercury.seagoville.net 192.168.1.185 192.168.1.17 192.168.1.185 192.168.1.3 192.168.1.2 192.168.1.201 server = daedalus.east.tacteam.net 192.168.1.3 192.168.1.186 192.168.1.1 192.168.1.185 192.168.1.145 192.168.1.254 192.168.2.55 server = daedalus.north.tacteam.net 192.168.1.3 192.168.1.14 192.168.1.16 192.168.1.1 server = daedalus.tacteam.net server = daedalus.west.tacteam.net 192.168.1.3

NS

server = constellation.tacteam.net

Q: I am having logon validation problems with one of my downlevel (NT) clients. It seems as if it isn’t able to contact any of the Backup Domain Controllers. These downlevel clients are only able to log on when a Primary Domain Controller is online. Can I use any of these tools to investigate the problem?

91_tcpip_05.qx

2/25/00

12:49 PM

Page 254

254 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

A: Yes. To do this, you’ll need the version of Network Monitor that comes with Systems Management Server, or you’ll need to run a monitoring session from every computer that is a domain controller on your network. What you want to do is monitor all traffic coming into and out of the machine that is having problems logging on. After the capture is complete, filter the data so that you see only the netlogon protocol activity. This should give you an indication of what the problem might be. Q: Can you go over PATHPING again, and how I can use it to identify different types of problems? A: PATHPING is a tool similar to tracert in that it sends multiple PING requests to routers along the path to a destination host. What the PATHPING algorithm allows you to do is ascertain whether the problems might be related to a congested router, or a congested link between the routers. Take a look at the following: C:\>pathping www.shinder.net Tracing route to www.shinder.net [209.217.17.13] over a maximum of 30 hops: 0 DAEDALUS.tacteam.net [192.168.1.3] 1 starblazer.tacteam.net [192.168.1.16] 2 tnt-dal.dallas.net [209.44.40.10] 3 grf-dal-ge002.dallas.net [209.44.40.9] 4 dal-net70.dallas.net [209.44.40.70] 5 www.shinder.net [209.217.17.13] Computing statistics for 125 seconds... Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address 0 DAEDALUS.tacteam.net [192.168.1.3] 0/ 100 = 0% | 1 0ms 0/ 100 = 0% 0/ 100 = 0% starblazer.tacteam.net [192.168.1.16] 0/ 100 = 0% | 2 150ms 0/ 100 = 0% 0/ 100 = 0% tnt-dal.dallas.net [209.44.40.10] 0/ 100 = 0% | 3 151ms 1/ 100 = 1% 1/ 100 = 1% grf-dal-ge002.dallas.net [209.44.40.9] 0/ 100 = 0% | 4 166ms 0/ 100 = 0% 0/ 100 = 0% dal-net70.dallas.net [209.44.40.70] 1/ 100 = 1% | 5 140ms 1/ 100 = 1% 0/ 100 = 0% www.shinder.net [209.217.17.13] Trace complete.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 255

Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 255

The lines that include the “hop count” value and the name/IP address of the router contain information regarding the level of “congestion” a router may be experiencing. The higher the percentage of lost packets on these lines, the more likely it is that the router is dropping these packets because it is being overwhelmed. Just underneath the lines that contain the router information are those that have a “pipe” ( | ), which symbolizes the link between the routers. If the percentage of lost pings is higher for these lines, it indicates that there is congestion of the network between the routers, rather than a problem with the routers themselves. Q: Can I obtain information about other machines on my network using the System Monitor? A: Yes. To do this, you have to have the Network Monitor Agent installed on the target machines. You can install the agent from the Add/Remove Programs applet in the Control Panel, and then click Add/Remove Windows Components. After you add the Network Monitor Agent, you will be able to collect performance data from other machines on the network. If you wish to collect information from downlevel clients (NT machines), you must be sure that the Network Monitor Agent from Systems Management Server 2.0 is installed on these clients.

91_tcpip_05.qx

2/25/00

12:49 PM

Page 256

91_tcpip_06.qx

2/25/00

1:00 PM

Page 257

Chapter 6

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Solutions in this chapter: ■

NetBIOS Naming conventions

■

WINS configuration problems

■

Problems with multihomed machines

257

91_tcpip_06.qx

2/25/00

1:00 PM

Page 258

258 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Introduction to Name Resolution Services If we took a survey, we would probably find name resolution problems at the top of the list of things that drive network administrators crazy. On TCP/IP-based networks, the endpoint of communication is the IP address of the hosts and destination computers. However, because IP addresses are difficult to remember, and because programs are not written to be “aware” of IP addresses, there must be a mechanism that will allow users to access network resources via computer or host names, rather than just IP addresses. Names resolution services fall into two broad categories: ■ ■

NetBIOS name resolution Host name resolution

Programs written to the NetBIOS interface must have a mechanism for translating the NetBIOS name to an IP address so that the request can be passed down the TCP/IP stack. Host name resolution allows users to remember and access network resources via friendly names, rather than having to access these resources via an IP address directly. Network access would be fraught with error if everyone had to remember the IP address of every host with which they wanted to communicate! This chapter will address NetBIOS name resolution, and how WINS is implemented in Windows 2000 TCP/IP networks. In the first part of the chapter, we’ll look at the “hows and whys” of NetBIOS name resolution, and we’ll define and analyze the major methods of NetBIOS resolution. After examining how NetBIOS name resolution services are supposed to work, we’ll turn our attention to troubleshooting problems related to the WINS name resolution services.

NetBIOS Name Resolution The history of Microsoft networking is the history of NetBIOS. NetBIOS was developed in 1983 for IBM by a company named Sytek, Inc. The NetBIOS transport protocol was designed to accommodate small LANs located on a single segment.

NOTE In its initial implementation, NetBIOS was created as a monolithic transport protocol. NetBIOS now exists as a Session layer interface that can be utilized by all network protocols. This allows programs written to the NetBIOS interface to function in network environments that do not use NetBIOS natively.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 259

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 259

The NetBEUI transport protocol is an outgrowth of the NetBIOS transport protocol. NetBEUI uses the instruction set provided with the NetBIOS standard and has “extended” it; hence the name “NetBIOS Extended User Interface” (NetBEUI). Windows NT actually used a more advanced version of the NetBIOS protocol called NetBIOS frames, or NBF. Windows 2000 continues in the great tradition of NetBIOS and provides the NetBEUI protocol as one of the optional protocols that can be installed. Programs written to the NetBIOS interface use NetBIOS names as the “endpoint” of communications. Each computer on a NetBIOS network must have a NetBIOS name, which consists of 16 bytes. Only the first 15 bytes of the NetBIOS name are configurable by the user. The 16th byte is used by the operating system to denote the availability of network services. NetBIOS programs must know the name of the destination computer in order to establish a session. For example, imagine that we have two computers and their NetBIOS names are EXETER and DAEDALUS. If EXETER wants to establish a session and access resources on DAEDALUS, EXETER will need to contact DAEDALUS via its NetBIOS name. To do this, EXETER will “yell out” (broadcast) the name of the destination computer, DAEDALUS. All computers on the segment will process this broadcast message to see if it is intended for them. Computers not named DAEDALUS will drop the packet, essentially ignoring it. However, when DAEDALUS gets the packet, it recognizes that the request is for it. DAEDALUS will return its MAC address to EXETER, and at that point, a session can be established. The limitations of NetBIOS become evident with this example. In order to access the destination computer, a broadcast is used. This means that all computers must be on the same physical segment, since normally broadcast messages don’t cross routers. In larger network installations, say more than 40 computers, the volume of broadcast traffic will become so “loud” that no useful information will be communicated. This is comparable to going out to eat at a noisy restaurant. People are always yelling back and forth at each other (for reasons that I hope to someday understand). The total volume of the “yelling” increases with the number of people in the restaurant. When a certain threshold number of people enter the restaurant and start yelling at each other, you will no longer be able to maintain any reliable information exchange with your partner seated on the other side of the table. NetBIOS is broadcast-based, limited to a single segment, and uses NetBIOS names as the endpoint of communications. This presents a significant challenge to NetBIOS programs that want to function on a TCP/IP-based network. The TCP/IP protocol stack was designed to work on large internetworks, with each segment separated by a router. Routers do not forward broadcasts by default. Therefore, NetBIOS applications

91_tcpip_06.qx

2/25/00

1:00 PM

Page 260

260 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

would not be able to access resources on computers located on another segment. Even if we open the NetBIOS ports on the routers, we still have the problem of NetBIOS applications using only NetBIOS names. Before the request can be passed down the TCP/IP protocol stack, the NetBIOS name must be converted, or resolved, to an IP address. The entire process of matching up a NetBIOS name with an IP address is called NetBIOS name resolution. In order to get TCP/IP to “care” about NetBIOS names, and deal with them in an orderly fashion, we need to add something to the TCP/IP protocol stack. This add-on is called NetBIOS over TCP/IP, or NetBT, or NBT. NetBT is implemented in the NetBIOS Session layer interface. When a request for network services is passed from the user application to the Application layer of the TCP/IP stack, NetBT intercepts the request and the NetBIOS name is resolved to an IP address. After the IP address is discovered, the request includes the destination computer’s IP address, and it moves down the stack to the Transport layer, then to the Internet layer, and finally to the Network layer and onto the wire. Figure 6.1 displays the “chain of command.” Figure 6.1 A request for network services moving down the TCP/IP protocol stack. Application (FTP)

APPLICATION LAYER

WINSOCK

NETBIOS

TRANSPORT (HOST-TO-HOST)

INTERNETWORK

NETWORK INTERFACE

Internet

91_tcpip_06.qx

2/25/00

1:00 PM

Page 261

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 261

It is by this process that we take an inherently nonroutable protocol and turn it into a routable one. Once the request is turned into a request for an IP address, it becomes a routable request. Here’s an analogy: Think of a child who writes a letter to his mother. He will address it to “Mom,” the friendly name by which he identifies her. If the child were to leave this letter on the kitchen table, there would be no problem getting it to its destination host (Mom). This is because the kitchen table is on the local segment. However, if the child put the letter in the mailbox, the postman would have a challenge trying to get the letter to the correct destination. “Mom” is like a NetBIOS name in that it is not a routable address. However, if the child’s father took that letter, and put it into another envelope that had both “Mom” and the house address on the front, then the post office would be able to deliver the message. The house address is a routable address, so it will now find its way to the right “Mom.” What Dad did is similar to what NetBT does for NetBIOS names: It converts NetBIOS name requests to IP address requests, so the message or communication will get to the intended host.

Windows 2000 Methods of NetBIOS Name Resolution Microsoft has included several different ways to resolve NetBIOS names to an IP address. This is because it is pivotal for NetBIOS applications to be able to access the IP address of a destination host on a TCP/IP-based network. If the NetBIOS name cannot be resolved, the NetBIOS application will not be able to establish a session with the destination host. NetBIOS names can be resolved by the following mechanisms: ■ ■ ■ ■ ■ ■

NetBIOS Remote Name Cache NetBIOS name servers Broadcasts LMHOSTS file HOSTS file DNS server

Let’s take a closer look at each of these.

NetBIOS Name Cache The NetBIOS Remote Name Cache contains the name and IP address mappings of machines recently accessed. This cache is searched first before any other method of NetBIOS name resolution takes place. On Windows 2000 machines, an entry stays in the NetBIOS name cache for

91_tcpip_06.qx

2/25/00

1:00 PM

Page 262

262 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

600,000 milliseconds (10 minutes). You can edit this value in the Registry by navigating to the key: HKLM\System\CurrentControlSet\Services\NetBT\Parameters\CacheTimeout

The value is in milliseconds and you can change it to another value. The NetBIOS Remote Name Cache is displayed in Figure 6.2. Figure 6.2 The NetBIOS Remote Name Cache.

NetBIOS Name Server A NetBIOS name server keeps track of NetBIOS names and their associated IP addresses. The NetBIOS name server’s function is similar to a DNS server, except that the DNS server maintains mappings for host names and IP addresses.

NOTE Basic design parameters for NetBIOS name servers are delineated in RFCs 1001 and 1002. The NetBIOS name server supplied with Windows 2000 is RFC-compliant, and contains many added features as well.

In reality, NetBIOS is only in widespread use on Microsoft networks, in the form of WINS. It’s unlikely that you’ll ever run into any other implementation of NetBIOS name servers, so from this point forward, we will refer to NetBIOS name servers as WINS servers. WINS servers provide two basic functions. The first is NetBIOS name registration, where the WINS server registers computers’ NetBIOS names

91_tcpip_06.qx

2/25/00

1:00 PM

Page 263

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 263

and IP addresses. A WINS server dynamically and automatically updates WINS clients’ NetBIOS names when WINS clients start up. The second major function of a WINS server is to resolve NetBIOS name queries, when NetBIOS clients query the WINS server for the IP address of a destination NetBIOS host. We will talk about how WINS servers do all this in detail later in this chapter.

Broadcast Even on TCP/IP-based networks, NetBIOS clients can still broadcast for the IP address of the destination host. The effectiveness of the broadcast method is limited because, by default, routers do not pass traffic over UDP Ports 137 and 138 (the NetBIOS Name Service and the NetBIOS datagram services, respectively). Therefore, NetBIOS name resolution via broadcast works only when destination clients are located on the same segment.

LMHOSTS The LMHOSTS file is a static, manually-updated text file that contains NetBIOS name and IP address mappings for NetBIOS hosts. In this respect, the LMHOSTS file is similar to the HOSTS file used for host name resolution for WinSock programs (which we will discuss in the next section). However, the LMHOSTS file has added functionality, because Microsoft has added “tags” that can be placed in an LMHOSTS file to provide extra information other than just NetBIOS names and IP addresses. The LMHOSTS file is a very simple file to create. An example LMHOSTS file, which we use on our small office network, appears in Figure 6.3. Figure 6.3 Example LMHOSTS file.

The LMHOSTS file resolves NetBIOS names by reading the file from top to bottom. This means the most frequently accessed computers

91_tcpip_06.qx

2/25/00

1:00 PM

Page 264

264 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

should have their names placed on top, while less frequently accessed files should have their names placed toward the bottom. There are a number useful “tags” you can place in the LMHOSTS file that provide added value. For example, in Figure 6.3 you see two of the tags, #PRE and #DOM. The #PRE tag causes its associated entry to be placed in the NetBIOS Remote Name Cache during system startup, and it will remain there for the entirety of that machine’s session. The #DOM tag indicates that the machine is a domain controller.

NOTE The entries with the #PRE tag are placed at the bottom of the list. This is because the list is searched from top to bottom. There is no reason to place the entries with the #PRE tag above any of the others, since they have already been searched for during the lookup in the NetBIOS Remote Name Cache.

One of the most common name resolution related errors you will encounter is a misspelled name or an incorrect IP address in the LMHOSTS file. If you have problems with NetBIOS name resolution, and you are using LMHOSTS files, always check the spelling and the IP addresses listed in the LMHOSTS files. Another major faux pas committed by less-experienced administrators occurs when saving the LMHOSTS file. This file has no file extension. However, it is typically edited in Notepad (notepad.exe), which is the default text editor provided with Windows 2000. If you don’t put quotation marks around the filename when saving the file, Notepad will save it as lmhosts.txt. If you save it as lmhosts.txt, Windows 2000 will not read it, and it will not be used for NetBIOS name resolution. The LMHOSTS file is placed in the %system_root%\system32\ drivers\etc folder.

TIP You can get information on the other available tags that can be used in the LMHOSTS file by referring to the LMHOSTS.SAM file that is placed in the “etc” folder during the operating system installation. Do not use this file as your LMHOSTS file by just adding your entries to the end of the file. This will not work properly, because even though the lines that begin with a # are read as “comments” (comparable to the “rem” entry in batch files or the config.sys file), these lines are still parsed to assess whether they contain valid tags.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 265

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 265

For the most part, the LMHOSTS file is of historical interest, because it does not work well in networks that use dynamically-assigned IP addresses, or in large enterprise networks. This is due to the static nature of the LMHOSTS file. Some administrators might find it useful as a backup method of NetBIOS name resolution for key servers and domain controllers for downlevel clients. Just remember that the file must be placed on the hard drives of the machines that are using it for name resolution. There is no mechanism that allows you to just create a central LMHOSTS file on a server, and then point the clients to this file. There are ways, described in the LMHOSTS.SAM file, that you can create central LMHOSTS files, but the NetBIOS name to IP address mapping must exist on client LMHOSTS files too (assuming that alternate methods of NetBIOS name resolution have failed).

HOSTS The HOSTS file is constructed similarly to the LMHOSTS file, except that fully qualified domain names (FQDNs) are mapped to IP addresses instead of NetBIOS names. The HOSTS file is a carryover from the original HOSTS.TXT file that was used for host name resolution in the early days of the ARPAnet. There are no tags used in the HOSTS file to denote any special server role or network services. Whenever a # sign is used in the HOSTS file, anything entered after the symbol will be treated as a comment.

NOTE One of the most common errors we have encountered when consulting on host name resolution problems is the use of LMHOSTS tags in HOSTS files. Remember that the tags used in LMHOSTS files can only be used on those files, and not in HOSTS files.

Although the primary purpose of the HOSTS file is to map FQDNs to IP addresses, NetBIOS names can be resolved from this file if traditional NetBIOS methods have failed. In this case, the first 15 characters to the left of the first period are stripped from the FQDN and treated as a NetBIOS name. This provides just one reason why you might want to use the same naming convention for both your NetBIOS and HOST names on your Windows 2000 network. You can get further information from the HOSTS file included with Windows 2000. Note that a default entry, 127.0.0.1, is included. This is the localhost address.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 266

266 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

DNS Server The Domain Name System (DNS) server provides for host name to IP address resolution. This is similar to the service provided by the WINS server, except that the WINS server provides NetBIOS name to IP address resolution. Networks running operating systems that contain both WINS clients and non-WINS clients can benefits from having a DNS server provide NetBIOS to IP addresses resolution. A non-WINS client will not be able to query a WINS server directly. However, a DNS server can be configured to query a WINS server for a NetBIOS name to IP address resolution. A DNS server can cache successful WINS lookups, which means that it can provide a measure of fault tolerance for WINS clients. In a situation where the WINS clients cannot access their configured WINS servers, they may be able to resolve a NetBIOS name by querying a DNS server. Although the DNS server itself may not be able to query the WINS server (for instance, if the WINS server is offline), the DNS server still contains cached WINS entries. This is another reason to configure DNS servers to provide for NetBIOS name lookups from a WINS server.

The Order of NetBIOS Resolution So, as we’ve seen, there are many different ways a NetBIOS name can be resolved to an IP address. Which of these methods will be applied in a given situation? The answer lies in the NetBIOS Node Type assigned to the WINS client. The NetBIOS Node Type will determine which services will be queried, and in what order, when resolving a NetBIOS name to an IP address. The NetBIOS node types include: ■ ■ ■ ■

b-node p-node m-node h-node

Let’s look at each node type in a little more detail, and examine in which circumstances each node might find its best use.

B-Node A b-node (broadcast node) client uses broadcasts instead of a WINS server. A Windows computer without a configured WINS server is a b-node client. The NetBIOS name resolution order for the b-node client is: 1. NetBIOS Remote Name Cache 2. Broadcast 3. LMHOSTS

91_tcpip_06.qx

2/25/00

1:00 PM

Page 267

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 267

4. HOSTS 5. DNS server

P-Node A p-node (peer node) WINS client uses a WINS server and does not use broadcasts. When a WINS client is configured as a p-node WINS client, it will not broadcast to resolve a NetBIOS name to an IP address. The advantage of configuring WINS clients as p-nodes is that there is no possibility of NetBIOS name resolution broadcast traffic using up valuable network bandwidth. On the other hand, if the p-node client is not able to access a WINS server, it will have to use other alternate methods to resolve the NetBIOS name to an IP address, even if the p-node client needs to access a remote DNS server to resolve a local IP destination client. You might want to consider implementing your WINS clients as p-node clients if you have degree of fault tolerance for name resolution services on the local segment for the p-node clients. Typically, this will include at least two WINS servers, or a WINS server and a DNS server on the same segment. The NetBIOS name resolution order for the p-node client is: 1. NetBIOS Remote Name Cache 2. WINS server 3. LMHOSTS 4. HOSTS 5. DNS server

M-Node M-node (mixed node) WINS clients use both broadcasts and WINS servers to resolve NetBIOS names to IP addresses. The mixed node client preferentially uses broadcasts before seeking the aid of a WINS server. When you first think about this, it might seem self-defeating to use m-node clients. By using broadcasts first, you will increase the amount of NetBIOS name resolution and NetBIOS name registration broadcast traffic. However, there are certain circumstances in which you might want to use m-node WINS clients. Suppose you have a company that has three sites. The main site is located in Dallas, and has 1200 computers. The company also maintains two satellite offices, one in El Paso and another in Phoenix, which have 20 computers each. The satellite offices require very little in terms of network services from the main office, and most communication take place between the machines located within the site. The only WINS server is located in the Dallas office.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 268

268 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

In this situation, you would be better off to configure the computers in the satellite offices as m-node clients, because those computers will all be located on the same segment, and broadcasts will easily resolve the NetBIOS names to IP addresses. This will also prevent the machines from having to query the WINS server for local addresses. Since the WINS queries would have to cross a slow WAN link, broadcast name resolution is faster and more efficient than traversing the WAN. If the client needs to resolve names for machines on remote segments, it can still query the remote WINS server. The NetBIOS name resolution order for the m-node client is: 1. NetBIOS Remote Name Cache 2. Broadcast 3. WINS server 4. LMHOSTS 5. HOSTS 6. DNS server

H-Node H-node (hybrid node) WINS clients are similar to M-node, but use WINS NetBIOS name resolution first, before initiating a NetBIOS broadcast message.

NOTE The H-node setup is the most typical, and is the default NetBIOS node type for WINS clients.

The node type can be changed manually by editing the Registry, or can be automatically assigned when using a DHCP server. The NetBIOS node type setting is stored in the registry at:HKLM\System\CurrentControlSet\ Services\NetBT\Parameters. The entry is of type REG_DWORD and the possible values are: B-node = 0x1 P-node = 0x2 M-node = 0x4 H-node = 0x8 Hybrid node clients are best suited for a multiple segment LAN/WAN environment, where destination NetBIOS clients and resources are located on remote segments. The H-node client will register with and query a WINS server before initiating a NetBIOS broadcast. This minimizes the

91_tcpip_06.qx

2/25/00

1:00 PM

Page 269

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 269

amount of NetBIOS traffic on the local segment, and allows NetBIOS communication throughout the intranet. The NetBIOS name resolution order for the H-node client is: 1. NetBIOS Remote Name Cache 2. WINS server 3. Broadcast 4. LMHOSTS 5. HOSTS 6. DNS server

Enabling LMHOSTS, HOSTS, and DNS Resolution As you’ve read here, and perhaps in other books, the NetBIOS name resolution sequence includes two methods that are usually thought of as being reserved for host name resolution: HOSTS and DNS servers. While these methods are available and will be used by all node types, you may have to make some configuration changes to utilize these host name resolution methods, or to allow the system to use the LMHOSTS file. In order to enable these services, right-click on My Network Places and click Properties. Double-click one of the LAN connections, and click PROPERTIES. This takes you to the Local Area Connection dialog box. Scroll through the list of services, select the “Internet Protocol (TCP/IP)” entry, and click PROPERTIES. This takes you to the Internet Properties dialog box. Click ADVANCED, which takes you to the Advanced TCP/IP Settings dialog box, shown in Figure 6.4. Click the DNS tab. You must have at least one DNS server on this list in order to use a DNS server to resolve NetBIOS names. The Hosts files will also be enabled when you enable DNS. Click the WINS tab. There must be a check mark in the “Enable LMHOSTS lookup” in order for the system to use the LMHOSTS file (see Figure 6.5). Note that unlike in Windows NT 4.0, there is no check mark for “Use DNS for WINS resolution.” This will be done by default when you enter a DNS server in the DNS tab’s list. There is one more thing: Just because you have instructed the client to use a DNS server for NetBIOS name resolution doesn’t mean that the DNS server will be able to resolve the NetBIOS name. You will have to configure the DNS servers to use WINS lookups at the DNS server itself. We’ll cover this issue during our discussion of DNS servers.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 270

270 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Figure 6.4 Configuring Advanced TCP/IP Properties settings.

Figure 6.5 Enabling the use of an LMHOSTS file for NetBIOS name resolution.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 271

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 271

The Windows 2000 Windows Internet Name Service (WINS) The Windows 2000 WINS server is fully RFC-compliant and includes many extra features that optimize its use on Windows networks. The Windows 2000 WINS server is also interoperable with “downlevel” (NT) WINS servers, which allows it to peacefully coexist in hybrid Windows 2000/Windows NT 4.0 networks. In this section, we’ll examine the types of exchanges that take place between the WINS client and WINS server, and look at the WINS Proxy Agent.

NetBIOS Name Registration When a WINS client starts up, it will register its NetBIOS name with a configured WINS server via a “NetBIOS Name Registration Request.” If the WINS client’s name does not already exist in the WINS server’s database, the WINS server will send a “Positive NetBIOS Name Registration Response” to the WINS client. If the WINS client’s name is already in the WINS database, the WINS server returns a WACK (wait for acknowledgement) message to the WINS client. The WINS server then issues a “challenge” (NetBIOS Node Adapter Status message) to the IP address associated with that NetBIOS name in its database. If there is no response from the registered owner of the NetBIOS name, the WINS server will return a “Positive NetBIOS Name Registration Response” to the WINS client, and its name and IP address will be recorded in the WINS database. If the owner does respond to the challenge, the WINS client that is attempting to register the name will receive a “Negative NetBIOS Name Registration Response” and will not be able to initialize its TCP/IP stack.

NOTE If the computer that is registering its name and the IP address is the same as the one in the WINS database, it will be treated as a refresh of the WINS database entry, and the renewal date will be updated for the entry.

A WINS database entry must be renewed periodically. The amount of time that can pass before the WINS client must renew its name is the “renewal interval,” which is configured at the WINS server. The default for the Windows 2000 WINS server is 6 days, or 144 hours. (This is correct.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 272

272 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Six days is 144 hours. If you have read some of the Windows NT 4.0 books on the market, you might have noticed that many of them state the Windows NT 4.0 WINS server’s default renewal interval was “4 days, or 144 hours.” While you might have figured this was just “WINS new math,” it was in fact an error in the Windows NT WINS server help file which was then perpetuated by the authors of several popular books.) Figure 6.6 shows the default settings on a Windows NT 4.0 WINS server. Figure 6.6 Default interval settings on a Windows NT 4.0 WINS server.

NOTE The renewal interval for WINS entries was 96 hours, or 4 days, for the WINS server included with Windows NT 3.5.

Figure 6.7 shows the help file entry for the WINS server. This machine is running Service Pack 5. If a name is not renewed within the renewal interval, the record is marked as “Released” in the WINS database. A released record can be updated without challenge. If the record is not renewed or updated for a period of time called the “extinction interval,” the record will be tombstoned and removed from the WINS database during scavenging. We’ll cover scavenging and tombstoning later in the chapter.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 273

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 273

Figure 6.7 Help file on the Windows NT 4.0 WINS Server renewal intervals.

NetBIOS Name Query Request When a WINS client needs the IP address of a destination host, it will send a NetBIOS Name Query Request to the WINS server. If the WINS server has a mapping for the NetBIOS name sought after, it will return the IP address in a Positive NetBIOS Name Query Response. If it does not have the name ,it will return a Negative NetBIOS Name Query Response. If the first WINS server that is queried does not contain a mapping, the WINS client will move through a list of “Secondary WINS servers” and query each one of those in turn until one of the Secondary WINS servers returns a Positive Name Query Response. The Windows 2000 WINS client services allow you to enter up to 12 Secondary WINS servers. While this leads to a greater degree of fault tolerance for your WINS queries, you should exercise care when assigning multiple WINS servers. If you configure a client to use 10 Secondary WINS servers, and none of them have a mapping for the destination host, you will have to wait for all of these

91_tcpip_06.qx

2/25/00

1:00 PM

Page 274

274 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

WINS servers to be queried before moving to the next step in the NetBIOS name resolution process. Multiple Secondary WINS servers, therefore, should be considered a double-edged sword.

NetBIOS Name Release When a WINS client is shut down “gracefully,” it will issue a NetBIOS Name Release message to the WINS server with which it registered its name. This will mark the NetBIOS name as inactive and will allow other machines to use the name without a challenge. If the WINS client is not shut down gracefully, the release message will not be sent, and another computer will not be able to use the name without first going through the challenge process.

Multihomed Computers and WINS What about multihomed machines? How do they register their name with a WINS server? There are different types of multihomed machines. One type has multiple IP addresses bound to a single network card. In this arrangement, only the first IP address assigned to the machine will be registered with this machine’s NetBIOS name in the WINS database. The second type of multihomed machine is more common: a machine with multiple network adapters, each with a single IP address assigned to it. Each adapter will register its NetBIOS name and IP address with the WINS server, and the WINS server will mark these entries for the multihomed computer as a multihomed name registration. When the WINS server receives a NetBIOS Name Query Request for the NetBIOS name of the multihomed machine, it will send all the IP addresses it has registered to that NetBIOS name. Now that the client has a bunch of IP addresses to choose from, how will it decide which one to use? If one of the IP addresses returned by the WINS server is on the same subnet as the computer that made the request, it will try to connect to that IP address first. If multiple IP addresses are returned that are on the same subnet, it will pick one of those at random. If none of those in the list are on the same subnet, then, again, an IP address will be chosen at random. For multihomed WINS servers, Windows 2000 does not guarantee the binding order for NetBIOS when more than one connection is present and active. A multihomed WINS server should have all installed connections configured as routable interfaces.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 275

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 275

A multihomed WINS server must have its primary IP addresses assigned to each network connection (assuming you’ve configured more than one IP address per connection), and you should configure each primary IP address as Push and Pull partners at other servers that will replicate with the multihomed WINS server. Each IP address should be configured as a replication partner to all other WINS servers that it will be partnering with. When configuring replication partners, you can ensure that a specific network connection is used if you specify an IP address for the remote multihomed server you are adding at a WINS server. If you enter a NetBIOS name instead of IP addresses, when replication partners are specified and resolved by a name entered in the WINS console, it is possible that a packet generated by WINS could use any of the interfaces and their respective IP addresses. This apparently random behavior results from WINS referring to its local IP routing table, which contains all of the installed interfaces, before it sends packets to the remote server.

WINS Proxy Agents A WINS Proxy Agent is a machine configured to listen for NetBIOS Name Query Requests and forward these to a WINS server. WINS Proxy Agents are useful when you have non-WINS-enabled machines on a segment that need NetBIOS name resolution services. When a non-WINS-enabled machine (which includes b-node clients) issues a NetBIOS Name Query Request, the WINS Proxy Agent intercepts the request and forwards it to its configured WINS server. If the WINS server contains a mapping for the NetBIOS name in question, it will send a Positive NetBIOS Name Query Response to the WINS Proxy Agent, which in turn sends the answer to the machine that issued the broadcast. The WINS Proxy Agent also caches the successful query. If a subsequent request for the same NetBIOS name is broadcast again, the WINS Proxy Agent will be able to answer the request from its cache, rather than referring the request to a WINS server. A question that comes up from time to time is how to alter the Proxy’s name cache timeout. The WINS Proxy Agent uses the NetBIOS Remote Name Cache Table for that computer, thus you can configure the CacheTimeout parameter in the Registry, mentioned earlier, to customize the WINS Proxy Agent’s cache settings.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 276

276 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

TIP WINS servers do not respond to NetBIOS Name Query Request Broadcast messages. Several times, we have encountered a “problem” with a WINS server that was not “responding.” In each case, the WINS server was on the same segment as the WINS clients. The administrators felt that since the WINS server was on the same segment as the clients, the WINS server should be able to respond to the Name Query Request. This is not the case. Therefore, if you have non-WINS clients that must resolve NetBIOS names for remote nodes, you should install a WINS Proxy Agent on the subnet with the non-WINS clients, regardless of whether there is a WINS server on that subnet or not.

WINS Configuration Issues After a WINS server is installed, a certain amount of configuration needs to be accomplished. While this book isn’t about installation and configuration of Network Services, some configuration issues are worth mentioning in the context of trouble prevention and troubleshooting. (For complete coverage of installation and configuration of Windows 2000 Network services, we highly recommend “Managing Windows 2000 Networking Services” published by Syngress Media.)

Static Mappings One of the great strengths of WINS is that it is a dynamic database. Unlike an LMHOSTS file that has to be manually updated every time a machine changes its IP address, WINS clients automatically update their records in WINS. This is especially wonderful in an environment that utilizes DHCP, where managing LMHOSTS files would quickly wear down the resolve of even the staunchest of network administrators. However, non-WINS clients are not able to register themselves with the WINS server. If you have non-WINS clients running NetBIOS applications, you may want to include their names in the WINS database so that WINSenabled clients can query the database and find the IP addresses of the non-WINS enabled clients. To do this, you must enter a “static mapping” for each non-WINS client into the WINS database. Static mappings allow WINS clients to find these non-WINS computers’ IP addresses by performing WINS queries. This circumvents the need to create and distribute LMHOSTS file entries for the non-WINS clients.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 277

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 277

For IT Professionals

Problems with Static WINS Entries Static mappings should only be used for non-WINS clients that intend to stay non-WINS clients. Some administrators may import LMHOSTS files and create static mappings for computers that have the capability to be WINS clients. If you do this, you should enable the “Migrate On” setting. By default, static entries are not overwritten by dynamic name registrations. If you decide to WINS-enable clients that were not formerly WINS-enabled, they will not be able to dynamically update their WINS records. However, if you enable Migrate On at the WINS servers, static entries will be overwritten by dynamic name registrations. This is great when it works. However, there are times when the static entries are not overwritten. One example is the <1Ch> entries in the WINS database. These entries represent domain controllers, and this value is used by downlevel WINS clients to find machines with which they can authenticate. That means if you decide to change the IP address of a domain controller, even if you have subsequently enabled it as a WINS client, it will not update its IP address with the WINS database. If a WINS client queries the WINS database for a domain controller, and finds that static entry and attempts to authenticate against the static entry that no longer exists, bad things will happen. This problem is further exacerbated by replication of the static entry. When a static record is replicated, its status as a static record is replicated with it. This means that you must delete the record at all WINS servers, to prevent it from being rereplicated back to a machine from which it had been deleted. In NT 4.0, after the entry was deleted from all the WINS servers, you had to restart the domain controller. However, Windows 2000 allows you to reregister the WINS client by using the nbtstat –RR command.

WINS Replication Networks with more than a single WINS server will need to synchronize the contents of the WINS database among all WINS servers on the network. This process of database synchronization is accomplished via WINS replication.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 278

278 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

The WINS replication process ensures that every WINS server on a network has WINS database records for all the WINS servers on the network. In this way, it shouldn’t matter what WINS server you query, because all WINS servers will contain the same database records. When a computer registers its NetBIOS name and IP address with its Primary WINS server, that server is called the “owner” of that record. The record is also given a “version ID.” The most recent record registered at a WINS server defines the most recent version ID of the WINS database. When a WINS server replicates its records to other WINS servers, only records with higher version IDs than the ones contained on the other WINS servers are replicated, because those are the only ones that have changed since the previous replication. The owner of a WINS record has the highest version ID for each record that it owns. If this is not the case, then something strange is going on, and you need to investigate!

Partnership Agreements WINS servers replicate their information by forming partnerships. There are two types of partnerships you can form between WINS servers: Pull and Push. When a WINS server is a Pull partner of another WINS server, it will send an update trigger to its partner on a periodic basis. This is configured at the WINS server that is the Pull partner. When a WINS server is a Push partner to another WINS server, that WINS server sends an update trigger when a certain number of records or “version IDs” have changed.

NOTE In general, Microsoft recommends that you configure Windows 2000 WINS servers to be both Push and Pull partners of each other. However, there may be times when you prefer to configure WINS servers to be only Pull partners. This would be the case when WINS servers are separated by slow WAN links, and you wish to minimize the traffic on the WAN link during busy times of the workday. In this case, you configure the WINS servers to be Pull partners of each other, and configure the replication trigger to be sent during the quiet times of the evening or early morning.

Each WINS record is about 40 bytes when replicated. If you have 1000 updated WINS records to replicate, that would require about 40,000 bytes, or 40KB. That’s not very much traffic, even for a 56 Kbps WAN link. However, if you had 10,000 WINS updates to send during a replication, that would be about 400,000 bytes, or 400KB. This would make an impact on a 56 Kbps WAN link, since it transfers less than 7 KBps.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 279

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 279

In actual practice, the transfer of 400KB would take about two minutes on a typical analog modem. Depending on the type of responsiveness you expect from your link, this may or may not be acceptable. Remember that it is unlikely that an organization of 10,000 computers will have all of them update their records simultaneously. The only time this might occur is if there was a large-scale power outage, and all the machines updated their WINS records at the same time when coming back online. This is somewhat unlikely, but you should be prepared in case it happens.

NOTE It’s easy to get confused when we start talking about kilobits (abbreviated as “kb”) and kilobytes (abbreviated as “KB”). Just remember that (in most computer systems) a byte equals eight bits. A bit consists of a single binary digit, 0 or 1.

WINS partnerships are configured in the WINS management console, which you can access via the Administrative Tools menu (see Figure 6.8). Note the “Unknown” WINS server names. These WINS servers were added via WINS Autodiscovery, and their NetBIOS names are not included on the Replication Partners list, just the IP addresses. Figure 6.8 The WINS management console.

Right-clicking the Replication Partners node in the left pane of the console and clicking Properties will bring up the Replication Partners Properties dialog box. Click the Push Replication tab and you will see the dialog box shown in Figure 6.9.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 280

280 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Figure 6.9 The Push Replication settings in the Replication Partners Properties dialog box.

Now click the Pull Replication tab and you see something similar to Figure 6.10. Figure 6.10 The Pull Replication settings in the Replication Partner Properties dialog box.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 281

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 281

This all seems pretty straightforward. However, after you have configured Push and Pull partners, right-click on one of the partners in the right pane, and then click Properties. You will see the box shown in Figure 6.11. Figure 6.11 Replication Properties for a specific replication partner.

If you’re thinking the figures appear to be different, you are correct. In this first case, when you right-clicked on the Replication Partners node in the left pane, you were setting defaults for all replication partners for this WINS server. You can get more granular control over replication parameters by setting replication parameters for each WINS server separately. This is something to keep in mind when replication intervals do not appear to be what you thought they should be.

WINS Partner Autodiscovery Do you find the whole process of figuring out what WINS servers to make partners, and then configuring the replication parameters, a little confusing? There may be some help for you. Windows 2000 WINS servers can be configured to find other WINS servers by using an Autodiscovery process. A WINS server configured to find its own replication partners will broadcast IGMP messages to a multicast group with the group address of 224.0.1.24.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 282

282 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

NOTE The 224.0.1.24 group address is reserved for Microsoft WINS servers.

This multicast will take place every 40 minutes by default, but the interval can be configured via the WINS console. Each member of the group will respond to the multicast announcement with its IP address. After the partners are automatically discovered, they will be set up as Push and Pull partners. Then Pull replication triggers will be sent every two hours to discovered partners.

TIP Autodiscovery is best used in small LANs where two WINS servers are located on a single segment. You can use automatic partner configuration in a routed environment by opening up the routers to IGMP multicast traffic to the WINS group address. The amount of broadcast traffic for a network with two or three segments would be minimal. After the partners are discovered, you can then configure replication parameters on an individual basis.

If you choose to take advantage of WINS autoconfiguration on a segmented network, you can control how many hops the multicast message will extend. Go to the Registry and open: HKLM\System\CurrentControlSet\Services\WINS\Parameters

Open the McastTtl entry. The default value is two hops, with a limit of 32. Note that this is different from the default value of six hops seen in Windows NT 4.0. In a larger WINS network with many routed subnets, WINS automatic replication would create more problems than it’s worth, both from the multicast traffic standpoint, and the WINS replication architectural viewpoint.

WINS Network Topologies According to Microsoft recommendations, you only need one Primary WINS server and one Secondary WINS server for every 10,000 computers on your network.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 283

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 283

NOTE Microsoft documentation even goes so far as to recommend that you call Microsoft Consulting Services if your network installation consists of more than 20 WINS servers. In reading this documentation, you almost get a sense of urgency about this issue. Why would Microsoft be so concerned about the number of WINS servers deployed by an organization? Based on our own consulting experiences, here’s a guess: Many organizations employ far too many WINS servers than they actually need, and in the process of deploying these redundant WINS servers, problems in WINS database synchronization “pop up.” Many companies with multiple WINS servers create Push and Pull partner relationships in an almost arbitrary fashion. This does not optimize WINS database consistency throughout the organization. Microsoft may be trying to “head trouble off at the pass” by urging customers to call before getting themselves into this sort of situation. A WINS network topology needs to be defined for any company with more than two WINS servers. The preferred WINS topology is the “Spoke and Hub” arrangement.

Spoke and Hub topology In the Spoke and Hub model, one WINS server is chosen to be a “Hub” WINS server. This Hub collects WINS updates from all the other “Spoke” WINS servers. After collecting all the WINS changes on the network, the Hub WINS server is able to replicate the collective knowledge of all the WINS servers on the network. This model is similar to the relationships between the Domain Master Browser and Master Browser(s) on a multiple segment network. If your organization contains multiple, geographically disparate sites, you will need to put together a WINS replication model for each site, and another model for intersite WINS replication. Intrasite replication should be based on the Spoke and Hub model. A single WINS server at each site is selected as a Hub WINS server. All other WINS servers are Spoke servers, and they are configured to be both Push and Pull partners of the Hub WINS server. By employing the Hub and Spoke model, you can simplify the replication partnerships, and be assured that all WINS servers will receive updates to changes in each WINS server’s database.

Push and Pull Partnerships Microsoft recommends that you always configure machines as Push and Pull partners when they are separated by fast LAN connections. When WINS servers are located across relatively slow WAN links, it is

91_tcpip_06.qx

2/25/00

1:00 PM

Page 284

284 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

sometimes preferred to have them configured as Pull partners only. For example, imagine that your company consists of 7500 computers distributed among three geographically separated sites. The main headquarters is located in Dallas, Texas, where there are 3500 machines. You also have regional headquarters located in Los Angeles, California and Portland, Oregon. Each of the regional offices has 2000 computers. Your network is a Windows-based network, and all computers are capable of being WINS clients. You have been asked to create a WINS network to accommodate two different scenarios. The first scenario has the remote sites connected to the Dallas site, but not to each other. The second scenario has all the sites connected to each other with WAN links of equal speed. In this first scenario, we would select a single WINS server as a site Hub for Dallas, Los Angeles, and Portland. The remaining Spoke WINS servers within each site would be configured as Push and Pull partners of their respective Hub server. This configuration assures full replication of WINS database entries among all WINS servers within each site. To ensure WINS database consistency among all WINS servers in the organization, the Hub servers need to replicate their WINS databases. We will create another Spoke and Hub arrangement among the site Hubs, using the Dallas WINS server as the “Hub of the Hubs.” Dallas is chosen as the Hub-Hub server because each remote site is connected to Dallas via WAN links, but the remote sites are not connected to each other. The remote sites are configured as Pull partners to the Dallas hub to minimize impact on the WAN links. By using this configuration, all changes are pooled at the Dallas WINS server. These changes are then distributed back to the remote Hub servers, which then distribute the changes back to their respective Spoke WINS servers. This design is seen in Figure 6.12. The major drawback of using a single central Hub server for synchronizing all the Hubs across the WAN is that it there is a single point of failure. If the Dallas server becomes unavailable, no WINS database replication takes place across the WAN until it comes back online. This can have a major impact in destabilizing the WINS synchronization scheme, because in order to bring all the WINS servers back into equilibrium, we have to take into account not only the time to bring the downed WINS back online, but also the convergence time for all the sites. We’ll talk about convergence time a little later in this chapter. In the second scenario, we have WAN links of equal speed connecting all three sites. Intrasite replication would be configured in the same fashion as seen in the first scenario, using a central Hub server setup as a Push and Pull replication partner to the remaining Spoke servers. This design is seen in Figure 6.13.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 285

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 285

Figure 6.12 Hub servers replicating with a central server. Spoke Server

Central Hub Remote WINS act as Spokes for Dallas Central Hub WINS

Spoke Server

Spoke Server

Dallas Hub

Spoke Server

Spoke Server

Spoke Server

Los Angeles Hub

Portland Hub

Spoke Server

Figure 6.13 Each site Hub replicates with adjacent Hubs. Spoke Server

Ring Replication Each Hub Server Replicates with its Adjacent Hub Server

Spoke Server

Spoke Server

Dallas Hub

Spoke Server

Spoke Server

Spoke Server

Los Angeles Hub

Portland Hub

Spoke Server

91_tcpip_06.qx

2/25/00

1:00 PM

Page 286

286 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

However, the Hub servers would be configured in a “Ring,” where each adjacent member in the ring is configured as a Pull partner of the other. This arrangement avoids a single point of failure. Also, in this three-site scenario, convergence of the WINS database takes place more quickly.

Convergence Time Convergence time represents the total time it would take for a changed WINS record to be replicated to all the WINS servers on the network. Let’s continue with the scenarios we’ve been working with. In the first scenario, all site Hubs were connected to the central Dallas Hub. If the intrasite Pull interval was 5 minutes, and the intersite Pull interval was 15 minutes, what is the maximum time required to get an updated WINS record from a machine in Portland to a machine in Los Angeles? The answer is 40 minutes. It would take 5 minutes to get the changed record from a Spoke server in Portland to the Portland Hub. Then it would take up to 15 minutes to get the record from the Portland Hub to the Dallas Hub. Then another 15 minutes would pass to get the record from the Dallas Hub to the Los Angeles Hub, and finally another 5 minutes to replicate the record from the Los Angeles Hub to the Los Angeles Spoke. The WINS intersite “hop count” was two: one hop to the Dallas Hub, and a second hop from the Dallas to the Los Angeles Hub. What is the convergence time in the second scenario? All site Hubs are only one hop away from any other site Hub. For a changed WINS record to get to Los Angeles, it would take 5 minutes for the Portland Spoke to get the information to the Portland Hub, then 15 minutes for the Portland Hub to the Los Angeles Hub, and then 5 minutes from the Los Angeles Hub to the Los Angeles Spoke, for a total of 25 minutes. It would appear that the Ring model is more efficient, as well as being fault tolerant. However, the speed of convergence is related to the number of intersite hops (assuming all intrasite hops are always equal to 1, and the Pull interval is the same for all intrasite servers). A ring of four intersite Hubs would have a maximum hop count of 2 and a maximum convergence time of 40 minutes, as seen in Figure 6.14. The same would be true of a five-node intersite setup. So, using the Ring replication model appears to be equal, or superior to the Hub model for networks of up to five sites.

91_tcpip_06.qx

2/25/00

1:00 PM

Page 287

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 287

Figure 6.14 A four-node Ring has a maximum intersite hop count of 2.

5 min

5 min 15 min

15 min

15 min

15 min 5 min

5 min

4-Node Ring Convergence Time in Worst Case Scenario is 40 minutes with a Maximum Hop Count of two.

But what happens in our five-intersite model if one of the sites goes down? The maximum hop count is no longer 2; it is now 3, as shown in Figure 6.15. The convergence time in the five-intersite Hub model with one downed site is now 50 minutes and requires three hops! In the example in Figure 6.15, the convergence time is now 50 minutes. When planning your WINS networks, think about the level of fault tolerance required for NetBIOS name resolution using WINS. As time passes, reliance on WINS and NetBIOS should lessen as applications and network clients are upgraded to Windows 2000. In a pure Windows 2000 environment, WINS can be done away with entirely as the Windows 2000 computers will be able to use DDNS (which, like WINS, is updated dynamically) instead.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 288

288 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Figure 6.15 A five-node Ring with one downed site has a maximum hop count of 3. 5 min

15 min

5 min

15 min

5 min

15 min

15 min 15 min 5 min

5 min

5-Node Ring Convergence Time in Worst Case Scenario is 50 minutes with a Maximum Hop Count of three.

Backing Up the WINS Database The Windows 2000 WINS server automatically backs up the WINS database to a folder of your choice every three hours. The rub here is that you must configure this directory first before the WINS server will automatically back up the WINS database. To configure WINS backup, open the WINS console, right-click on the name of your WINS server in the left pane, and click Properties. You will see the dialog box that appears in Figure 6.16. In Figure 6.16, you can see that a directory named WINSBAK on drive C: is dedicated to the WINS backup files. The WINS server does not create this directory. You must first create the physical directory on the server’s hard drive, and then come to this dialog box and type in the path to the backup directory that you created. For fault tolerance reasons, you might think it would be a good idea to put the backup files on a mapped network drive. In that way, you could quickly access them in case of a hard disk crash. Unfortunately, this won’t work, as the WINS service will not save backup copies of the WINS database to a remote location. Be sure to include your backup directory in your normal tape backup procedure, and all will be well.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 289

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 289

Figure 6.16 The WINS server Properties dialog box.

The best practice is to have the WINS server back up its database, and then you “back up the backup.” You might even consider a special backup schedule for the files in the WINS backup folder that you’ve specified. On more than one occasion, we’ve seen the look of dismay on the face of a network administrator after a server crash when there were no WINS backups on hand. It’s not a pretty sight.

Backing Up the WINS Registry Settings If you have a relatively complex WINS replication scheme, you should also back up the WINS server’s Registry settings. You can do this by opening regedt32 from the run command, and then navigating to: HKLM\System\CurrentControlSet\Service\WINS

NOTE Some people have told me that they don’t think backing up a WINS database is that important. Their reasoning is that all the WINS clients will end up reregistering themselves again with the WINS server, and the rebuilt WINS server will get replicated copies of all other WINS entries as well. While this is all true, be forewarned that you will end up with quite a bit of additional network traffic if you choose this option. Replication partners will have to send all the records that they own, as well as records with version IDs higher than ones that have already been replicated to the rebuilt WINS server. This can take quite some time as the WINS database is reconverged. Also, WINS clients that reregister with the rebuilt WINS server will need to create new WINS records on that server, and these records will need to be replicated as new version ID records with the rebuilt server’s replication partners.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 290

290 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Then click the Registry menu, and click Save Key. Back up the saved key to a safe place. When you need to rebuild the WINS server, open the Registry editor on the new machine, click the Registry menu, and click Restore. This will copy the saved key into the new Registry.

Scavenging the Database The WINS database contains both active and inactive records. Over time, this database can grow very large, with many of the entries no longer being used. In order to clean up the “garbage” in the database, the WINS server goes through a periodic scavenging process. When the database is scavenged, obsolete records are removed; this shrinks the size of the file. The advantage is that smaller WINS databases can be searched more quickly and will improve WINS record registrations and queries. WINS will automatically scavenge and remove tombstoned records based on the intervals set in the WINS server Properties sheet. If a WINS client fails to renew its record during the period of time called the “renewal interval,” the record is marked as inactive. The record will remain in the inactive state for a period called the “extinction interval.” If the record is not updated during the extinction interval, it will be tombstoned. The record remains in the tombstoned state for a period called the “extinction timeout.” After the extinction timeout passes, the record will be automatically scavenged from the database (will be deleted). After the records are removed, you may be surprised to find that the database is still about the same size. This is because empty fields are still represented in the database. You must compact the database to regain disk space and speed database searches. If you choose to manually compact the database, be sure to stop the WINS server first. You can stop the WINS server by opening a command prompt and typing net stop wins, or from the WINS console by rightclicking your WINS server in the left pane, tracing down to All Tasks, and then tracing over and clicking Stop. Then restart the WINS server after compacting by clicking Start at the same location you clicked Stop. Or, from the command prompt, type net start wins.

Interactions with DNS Servers As discussed earlier, you can configure DNS servers to resolve NetBIOS names to IP addresses. Configuring a DNS server to do this is simple.

TIP WINS will automatically compact the database when the WINS server is not in use. If the database size reaches a size of more than about 40MB, you should manually compact the database using the jetpack.exe command from the command prompt.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 291

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 291

TIP Searching the Windows 2000 Help files and TechNet for guidance on how to compact the Windows 2000 WINS database will leave you with an empty feeling inside. To manually compact the Windows 2000 database, do the following: ■ At the command prompt, type net stop wins and press ENTER. ■ Change to the %systemroot%\system32\wins directory. ■ Type jetpack wins.mdb tmp.mdb. ■ The jetpack engine will inform you that the process has completed successfully. ■ Restart the WINS service by typing net start wins at the command prompt.

Configuring the DNS Server to Use WINS Forward Lookup Open the DNS management console, and right-click one of your forward lookup zones. Note here that in order to enable a DNS server to do a WINS forward lookup, you must have at least one forward lookup zone enabled. After right-clicking one of the forward lookup zones, click Properties and then click the WINS tab. You will see a dialog box like the one in Figure 6.17. After you’ve put a check mark in the “Use WINS forward lookup” and entered an IP address in the “IP address” box, the DNS server will search for NetBIOS name and IP address mappings at a WINS server. However, it’s not always quite as simple as that. You might wonder how the DNS server knows that you are searching for a NetBIOS name. And how does it know when it’s time to check the WINS server database Figure 6.17 The WINS tab in the forward lookup zone Properties dialog box.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 292

292 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

to resolve a NetBIOS name? Does the DNS server just strip off everything to the right of the leftmost period in a fully qualified domain name (FQDN), and send what’s left to the WINS server? Does it send every unqualified name to a WINS server directly? Wow, those are good questions. To answer them, we need to get a better idea of how DNS clients send queries to a DNS server, and what kind of information is sent to the DNS server from the DNS client when it sends a DNS query.

Examining DNS Configuration Settings Open the TCP/IP Properties sheet, and click ADVANCED as you did earlier in the chapter. Click the DNS tab. You will see a dialog box like the one that appears in Figure 6.18. Figure 6.18 The DNS tab in the Advanced TCP/IP Settings Properties sheet.

The DNS server addresses section is straightforward: Those are the IP addresses that DNS queries are sent to. The top one is the first DNS server to be queried, and if it returns a “host not found” message, the next DNS server will be queried. Those other settings have been somewhat of a

91_tcpip_06.qx

2/25/00

1:01 PM

Page 293

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 293

mystery to some NT administrators in the past, and for the most part, were usually ignored. However, if you know the meanings of the other options, you will be able to troubleshoot problems with your WINS lookups (and DNS lookups) more easily.

Resolution of Unqualified Names The first option button that says “Append primary and connection specific DNS suffixes” causes a DNS query for an unqualified DNS request to automatically append the machine’s domain membership and a connection-specific domain membership to the request. For example, if my machine belongs to the tacteam.net domain, and I type http://blah in my browser’s address box, this represents an unqualified domain name, because no domain suffix is included in the request. Since DNS servers need to know what zone database to check, you must include a domain name in the request. My machine belongs to the tacteam.net domain, so the request issued to the DNS server is actually for blah.tacteam.net, and the DNS server will attempt to resolve that name first. (If I had included another domain name in the “DNS suffix for this connection:” text box, it would send another query for blah..) Each network interface card (NIC) can be assigned its own domain suffix to send that is independent of the machine’s domain membership.

Determining Domain Membership How do you know your machine’s domain membership? Right-click on My Computer, click Properties, then click the Network Identification tab. You will see something similar to the dialog box shown in Figure 6.19. All right, now that we’ve got all that down, let’s look at another unqualified DNS query. This time, we’ll type http://DAEDALUS into the Web browser’s address box. The DNS query is sent to the Preferred DNS server as daedalus.tacteam.net. The tacteam.net domain does not contain a resource record for a computer named DAEDALUS, so it strips off everything to the right of the leftmost period in the FQDN and only sends the host name portion to the WINS server. The WINS server will check for “DAEDALUS” in its database, and if a NetBIOS mapping exists, it is returned to the DNS server. The DNS server then returns the IP address to my computer, and the http request is made to that IP address.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 294

294 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Figure 6.19 The Network Identification tab in the System Properties dialog box.

Problems with Heterogeneous DNS Environments If you are running a mixed DNS environment that includes both Microsoft and non-Microsoft servers, you might have trouble with zone database replication between a Microsoft Primary DNS server and non-Microsoft Secondary DNS servers if the “Do not replicate this record” check box is not marked. Non-Microsoft DNS servers won’t know what to do with the WINS-enabled zone, and may reject it. So, if you have a mixed DNS environment, you must leave that box checked, and not allow WINS lookups for the zone. The way around this problem is to create a zone dedicated for WINS lookups. For example, if we were running a mixed DNS environment here, I would create a wins.tacteam.net zone, and then I would configure the clients (either manually or using DHCP) to append the wins.tacteam.net domain suffix to their DNS queries by including it in the DNS suffix search order. Here’s how it works: You type the name http://EXETER into your Web browser. The wins.tacteam.net domain suffix is appended to the DNS query. When the DNS server receives the query, it will look for a resource record in the wins.tacteam.net zone database. It won’t find one, because we will not include any host records in that zone.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 295

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 295

Since the wins.tacteam.net server doesn’t have any resource records for that zone, it will then query the WINS server. If the WINS server has a mapping for that NetBIOS name, it will be returned to my computer, and I can establish a connection to the Web server on EXETER. In the domain suffix search order, I would put tacteam.net on top of the list, and then the wins.tacteam.net under it. This ensures that if there is a machine with the name exeter.tactem.net on the network, its host name will be properly resolved. If I had placed wins.tacteam.net on the top of the domain suffix search order, EXETER would have been sent immediately to the WINS server for resolution. This brings up another problem. What if I had two zones, such as: dev.tacteam.net sales.tacteam.net These are in addition to the wins.tacteam.net zone. Now imagine that there is a host record for EXETER in the sales.tacteam.net zone. For computers in the dev.tacteam.net domain, I want the DNS server search order to be: dev.tacteam.net sales.tacteam.net wins.tacteam.net For machines in the sales.tacteam.net domain, I want the DNS server search order to be: sales.tacteam.net dev.tacteam.net wins.tacteam.net All zones are enabled to perform WINS lookups. What happens when I send a DNS query for EXETER from a machine located in the sales.tacteam.net domain? Since all machines in the sales.tacteam.net zone will append sales.tacteam.net to unqualified domain names, it will find a host record for EXETER and send the IP address of EXETER.sales.tacteam.net. But what happens when I send a DNS query for EXETER from a machine in the dev.tacteam.net domain? The request will append dev.tacteam.net to the DNS query, and send a request for EXETER.dev.tacteam.net to the DNS server. Since there is no host record for EXETER.dev.tacteam.net in the dev.tacteam.net zone, it will issue a query to the WINS server. If the WINS server has an entry for a machine that has a NetBIOS name of EXETER, it will send that IP address. But what if the machine with the NetBIOS name of EXETER is not the same machine as EXETER.sales.tacteam.net? Then, you will end up connecting to a different IP address from the one that the computer located in the sales.tacteam.net domain connected to!

91_tcpip_06.qx

2/25/00

1:01 PM

Page 296

296 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Although this is a rare problem that you would only see if you named a computer with different NetBIOS and host names, we can avoid the problem altogether by disabling WINS lookups on all zones but the WINS referral zone.

Enabling WINS Lookups on the Referral Zone Only What happens when we only enable WINS lookups for the WINS referral zone? For the machine located in the sales.tacteam.net domain, the DNS query will be sent as EXETER.sales.tacteam.net. Since there is a host record for that computer, the IP address will be returned to the requesting client. For a machine located in the dev.tacteam.net domain, a query will first be sent for EXETER.dev.tacteam.net, and no record will be found. The machine will issue another query for EXETER.sales.tacteam.net, and will receive the IP address for EXETER.sales.tacteam.net. Now everyone who issues an unqualified DNS query will access the same machine!

TIP Only when there are no host records for a machine in any of the zones will the wins.tacteam.net domain suffix be appended. Only then will the WINS server be queried in response to a client’s DNS request.

Pointing WINS Servers to Themselves When you set up a new WINS server, you will eventually have to configure its TCP/IP properties. One of the configuration options you routinely must set is the Primary and Secondary WINS servers’ addresses. Since you know that it is good practice to set different WINS servers as a Primary and a Secondary, you might configure the WINS server with its own address as a Primary, and then another WINS server as a Secondary. If you have done this, you might have also experienced some unexplained authentication attempts and browser service problems. And, if you’re like most administrators, you’ve probably chalked it up to the vagaries of the NTLM authentication process and the equally unpredictable behavior of the browser service. However, some of the problems might lie in the fact that you didn’t configure the WINS server’s Primary and Secondary WINS server addresses to point to itself. This can lead to problems related to “split registrations” of NetBIOS services. The problems are compounded when these split registrations are replicated to other WINS servers.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 297

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 297

Problems Arising from Split Registrations Let’s look at an example. You are installing a new WINS server, and give it the NetBIOS name NEWWINS. You install the WINS service and then go to the TCP/IP Advanced Properties dialog box on this new WINS server. You configure this new WINS server’s Primary WINS server address to point to itself, say 192.168.1.185. Then, because you want WINS resolution on this server to be fault-tolerant, you configure the Secondary WINS server’s address to be 192.168.1.16, the address of another WINS server on your network. Now, just for laughs, imagine that the machine we’re setting up is also the Primary Domain Controller (PDC) for your organization. When you restart NEWWINS, it will begin to register its NetBIOS names with its Primary WINS server. Since the WINS server service will not have started when the machine begins registering its NetBIOS names, it will switch over to the Secondary WINS server after three failed attempts. But here’s the catch: While the computer is registering its NetBIOS services with the Secondary WINS server, it is still trying to contact its Primary WINS server. When the WINS service initializes on NEWWINS, it will suddenly find that its Primary WINS server is now available and will begin to register its NetBIOS names with itself. As you can see, some of NEWWINS NetBIOS services have been registered with its Secondary WINS server over at 192.168.1.16, and some of its services have been registered with itself (as its Primary WINS server) at 192.168.1.185. So what? Well, imagine that the following NetBIOS names were registered with NEWWINS: WINS Server 192.168.1.185 NEWWINS[20h] DOMAINNAME[1Ch] The following NetBIOS name were registered at NEWWINS Secondary WINS server at 192.168.1.16: WINS Server 192.168.1.16 NEWWINS[00h] NEWWINS[03h] DOMAINNAME[1Bh] On the network, some clients will have their Primary WINS server set to look at NEWWINS at 192.168.1.185, and some clients will be configured to query NEWWINS’s Secondary server at 192.168.1.16. Now, let’s say a machine needs to connect to a network share on NEWWINS, and it queries the WINS server at 192.168.1.16 for the NetBIOS name NEWWINS[20h] to the IP address mapping for its server service. Whoops! There isn’t one! That NetBIOS name was registered over at 192.168.1.185. The client will not be able to connect to any network shares on NEWWINS because it cannot find an entry for its server service.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 298

298 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Now, let’s make it even more exciting. Imagine that a Master Browser on another subnet queries NEWWINS at 192.168.1.185 for the location of the Domain Master Browser. Whoops again! The NetBIOS domain name registration for that service was sent to 192.168.1.16! Now the browse list cannot be synchronized with the Master Browser of that subnet. The problems become even more complex when the WINS servers begin to replicate their databases. Look at Figure 6.20 and examine the replication layout and the locations of NEWWINS and its Secondary WINS server at 192.168.1.16. Figure 6.20 Replication layout for NEWWINS and its Secondary WINS server. WAN Link

Replicate WINS Hub

WINS Hub

Replicate Replicate

NEWWINS WINS Spokes

Replicate

NEWWINS [00h] NEWWINS [03h] DOMAIN [1Bh]

WINS Spokes NEWWINS [20h] DOMAIN [1Ch]

Split Registration

As the figure shows, NEWWINS is a Spoke WINS server, while its Secondary WINS server is a Hub WINS server. When the HUB WINS server replicates its WINS database across the WAN to the other site’s HUB WINS server, its records are replicated to its Spoke WINS servers. Now, no computer at the other site is able to connect to the NEWWINS server service, because the NetBIOS name NEWWINS[20h] was not included. Over time, the entire WINS database for the WINS network will reconcile as all the WINS records for each server are merged, but in the meantime, there can be big problems with authentication and access to network resources.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 299

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 299

While this situation might seem unusual, something that we have not found uncommon is disparate entries for the Primary and Secondary WINS servers on a WINS server. It’s also not unusual to find that organizations are running WINS servers on their PDCs (regardless of the wisdom—or lack thereof—of this action). Keep this possibility in mind the next time you run into “strange” behaviors related to authentication and access to network shares for your downlevel clients.

NOTE Authentication issues related to NetBIOS name registration problems are not an issue for Windows 2000 clients, since they search the DNS server for domain controllers, not WINS servers. Additionally, Windows 2000 clients will still be able to access shared resources that are published in the Directory, even without WINS, since this is a DNS operation as well. However, many organizations will be running at least some Windows 9x and NT client computers on their Windows 2000 networks for many years to come.

The Browser Service, WINS and Multihomed Masters The Browser service is a NetBIOS-based service that provides a “browse list” for the user to access shared network resources via the “My Network Places” application.

How the Browser Service Works When a server on the network starts up, it broadcasts that it is running the server service, and its name is added to the browse list.

NOTE In this context, “server” means any computer that is configured to share its resources over the network. It does not have to be running the Server operating system.

A computer can take on one of several roles in order to make the browser service work. Typically, the PDC Emulator will take on the role of the “Domain Master Browser.” The job of the Domain Master Browser is to collect browse list information gathered from all subnets.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 300

300 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

A Master Browser is a computer designated on each segment to collect information about all servers on that segment. Each segment will have one Master Browser (on the segment where the Domain Master Browser resides, it will act as both Domain Master and Master Browser for its segment). A “Backup Browser” receives the browse list from the Master Browser on its segment. When a client requests the browse list, a broadcast is sent to the segment. This broadcast message is intended for the Master Browser. The Master Browser responds to the request by providing the client with the names of up to three Backup Browsers. The client then requests the browse list from a Backup Browser, which sends the list to the client. All these communications take place via NetBIOS broadcast messages. Because these are NetBIOS broadcasts, they will not usually pass through the network gateways.

Role of the Domain Master Browser In order for all Master Browsers on the network to share the names of all servers on the network, a mechanism must be in place that allows the Master Browsers to share information with each other. This is the function of the Domain Master Browser. The Master Browser on each segment shares the information it has for the servers on its segment with the Domain Master Browser. The Domain Master Browser collates all the information from all the Master Browsers, and shares this synchronized list with all the Master Browsers on the network. In this way, users on any segment will be able to find entries for servers that exist on all segments in their browse lists. When a Domain Master Browser starts up, it registers its NetBIOS domain name with its Primary WINS server using the [1Bh] service identifier. Master Browsers on each subnet will query the WINS server for the [1Bh] to find the Domain Master Browser.

Problems with Multihomed Masters So what happens when the PDC emulator is a multihomed machine? A multihomed machine has multiple network interface cards. Each network interface will register its domain name and IP address with its Primary WINS server. When a remote Master Browser on segment A queries the WINS database, it will receive the IP address for adapter 1, and exchange its browse list with the Domain Master Browser on a connection established with adapter 1 on the Domain Master Browser. When a Master Browser on segment B queries the WINS server for a Domain Master Browser, it receives the IP address for adapter 2 on the Domain Master Browser. It then exchanges its browse list with the Domain Master Browser by establishing a connection with the Domain Master Browser’s adapter 2.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 301

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 301

This would all work very well except for one problem: The browse lists gathered on each interface on the Domain Master Browser are not merged. This leads to a disjointed browse list, and there is no way to bring the information gathered by adapter 1 and adapter 2 together. Unfortunately, there is also no way to point Master Browsers to a specific interface on the Domain Master Browser machine, through which to exchange browse lists. Moral of the story: Do not multihome your PDC emulator if you want the browse list to be complete. In the same fashion, the Master Browser on each subnet cannot be multihomed. When servers on the multihomed Master Browser’s segment start up, they broadcast their server status to the segment. If the Master Browser is multihomed, its first adapter may pick up some of these announcements, and the second adapter will pick up other announcements. When the Domain Master Browser connects to the Master Browser to exchange browse lists, it will connect to it via its NetBIOS name, via a single IP address. The Domain Master Browser therefore will obtain information from only one of the network interfaces on the Master Browser, and thus only the servers registered with that adapter’s IP address. Again, do not multihome Master Browsers. Check out Figure 6.21 for an illustration of how this works. Figure 6.21 Multihomed Domain Master and Master Browsers.

WINS

Router PDC (Multihomed Domain Master)

Multihomed

BDC (Multihomed Master)

91_tcpip_06.qx

2/25/00

1:01 PM

Page 302

302 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Solving the Multihomed Master Problem in Windows 2000 There is a way to make this work in Windows 2000. You can selectively disable NetBIOS on all adapters except one on the PDC emulator and each segment’s Master Browser. The remaining network interface will be the only one to listen to server announcements, and the only one to register with a WINS server. This solves the problem with fragmented browse lists, but if you multihomed your servers to increase throughput for NetBIOS applications, you’ve then lost that benefit, and you might as well just use a single adapter.

Windows 2000 WINS Enhancements Windows 2000 offers several improvements over its predecessor in Windows NT 4.0. Many of these improvements are cosmetic, such as the news WINS Management Console. And some of them provide easier access to configuration changes that in the past required editing the registry directly. There are two improvements worth noting: persistent connections and manual tombstoning.

Persistent Connections Windows 2000 WINS servers can be configured to maintain persistent connections with their configured replication partners. By always maintaining an open channel, the session setup process only needs to be done once. This reduces the amount of overhead involved in creating and tearing down sessions between WINS replication partners on a frequent basis. Microsoft states that this should have a salutary effect on overall server performance with a minimum of network overhead, since no data is being transferred over the open connection the majority of the time.

Manual Tombstoning How many Windows NT administrators have looked into the WINS manager, opened the WINS database of one of the servers, and seen little “crosses” in the status field, and wondered, “What the heck does that mean?” Right now, go survey 10 MCSEs and ask them what those crosses mean. Five of them will say, “What are you talking about?” and four will say, “Dunno.” One might know that they mean that the record was tombstoned. If you ask what “tombstoned” means, you’re likely to get a puzzled look.

The WINS Record Life Cycle To understand tombstoning, we need to understand the WINS record life cycle. When a WINS client registers its NetBIOS names with a WINS server, a WINS database record is created for that client. This record stays active in the WINS database for a period of time determined by the

91_tcpip_06.qx

2/25/00

1:01 PM

Page 303

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 303

“renewal interval.” The WINS client must update its record with the WINS server within the period defined by the renewal interval for it to remain active. If the WINS client does not renew its record before the renewal interval expires, it will be marked Inactive. The main difference between an active and an inactive WINS database record is that when someone else tries to register the same name in the WINS database, if there is an active record, the owner of the record will be challenged. If the record is marked as inactive, then no challenge is issued, and the new computer is able to register its NetBIOS name and IP address. A record will remain in the WINS database for a period known as the “extinction interval.” The extinction interval defines how long the inactive record will remain in the WINS database in the inactive state. After remaining in the inactive state for the period defined by the extinction interval, the record will be marked as “tombstoned.” The record will remain in the tombstoned state for a period defined by the “extinction timeout,” and then it is removed or scavenged by the WINS server that owns it after the extinction timeout period runs out. If a WINS server has a copy of a replicated tombstoned record owned by another WINS server, it will check with the owner WINS server after completion of the “verification interval” to see if the record is valid or absent. If the record is no longer at the owner WINS server, it is then scavenged from the non-owner WINS servers after completion of the verification interval. One question most administrators come up with is, “Why doesn’t the WINS server just delete the record after the extinction interval has passed? Why bother with this tombstoning stuff?” The reason we tombstone a record is to make sure that a record doesn’t “reappear” after it’s been deleted from the WINS database.

The Value of Tombstoning Imagine that we have three WINS servers in our WINS network: WINS-1, WINS-2, and WINS-3. Let’s make WINS-2 the Hub of the WINS network, and make WINS-1 and WINS-3 Spokes. WINS-1 receives a NetBIOS name registration for a computer named VOYAGER. After registering its NetBIOS name, we decide that we’re going to take VOYAGER off the network. Meanwhile, VOYAGER’s record is replicated to WINS-2, and WINS-2 replicates the record to WINS-3. You don’t want extra records in your WINS database, so you open your WINS Management Console and delete the record for VOYAGER, and now you’re done with it. You figure that the deletion will be replicated over to the other WINS servers, and you can bid bye-bye to VOYAGER from your WINS network. When WINS-1 next replicates with WINS-2, it doesn’t replicate VOYAGER’s WINS record. As a matter of fact, it doesn’t replicate anything

91_tcpip_06.qx

2/25/00

1:01 PM

Page 304

304 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

at all about VOYAGER, because the record has been removed from the WINS-1 database. What happens when WINS-2 replicates with WINS-1? Since WINS-2 still has VOYAGER’s record in its database, it replicates it back to WINS-1. And now VOYAGER has arisen from the dead and appears again, marked active, in the WINS-1 database. Eventually, VOYAGER’s record will pass its renewal time, then its extinction interval, then its extinction timeout, and finally will be deleted. But if you just delete records, it can take a lot longer than it should, and they still take up room in the WINS database. While deleting a single record won’t cause you much trouble, if you delete records on a regular basis (for example, hundreds at a time), you are doing yourself a disservice.

Manual Tombstoning The Windows 2000 WINS console allows you to manually tombstone WINS database records, rather than delete them outright. When a record is tombstoned, its tombstoned status is replicated with it. When you tombstone a record, it doesn’t “magically” reappear as an active record on the owner WINS server again. The tombstoned record will be removed from the WINS-1 database after completion of the extinction timeout, and will be removed from WINS-2 and WINS-3 after completion of the verification interval. When we deleted the record outright, it stayed an extra amount of time in the WINS network, equal to the time it had left in its renewal period, and the amount of time in the extinction interval. To tombstone a WINS record, open the WINS Management Console and click Active Registrations. Right-click Active Registrations and select Find by Owner. On the Owners tab, select the option button for All owners, and click Find Now. Right-click one of the records in the right pane and select Delete. You will see a dialog box as shown in Figure 6.22. Figure 6.22 The Delete WINS Record dialog box.

Note that the dialog box offers you the option to “Replicate deletion of the record to other servers (tombstone).” This does a decent job of explaining what tombstoning does for the record.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 305

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 305

Is WINS Ever Going to Go Away? Microsoft makes it clear that NetBIOS is on the way out, and many pages of documentation are dedicated to the “decommissioning” of WINS servers on your Windows 2000 network. The core networking services of Windows 2000 are not NetBIOS-dependent; therefore, you can run a Windows 2000-only network without NetBIOS support. As a matter of fact, you can disable NetBIOS support for any of the adapters attached to the computer. Go into the Advanced TCP/IP Properties dialog box and click the WINS tab. You’ll see the dialog box shown in Figure 6.23. Figure 6.23 The WINS tab in the Advanced TCP/IP Settings Properties box.

WARNING When you disable NetBIOS on an interface, you disable all NetBIOS-based communications going into and out of that interface. Some programs that you might use regularly will no longer work.

The browser service is a NetBIOS-based program, and you will no longer see entries in the browse list after disabling NetBIOS. This should

91_tcpip_06.qx

2/25/00

1:01 PM

Page 306

306 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

be a significant boon to network administrators who have to deal with users not being able to “see” computers over the network. The only shares the users will be able to access via the My Network Places applet are those that you explicitly publish to the Active Directory. This will probably reduce the number of support calls you get from hapless users and junior administrators who believe the network is disconnected because the computer’s name doesn’t show up in the browse list. After you disable NetBIOS, you would expect that popular NetBIOSbased services such as the Workstation, Server, Net Send, and Net Use wouldn’t work anymore. However, you will find that you can still share resources without problems, and you can still access those shared resources without difficulty. After you disable NetBIOS, a connection is made to a share via TCP Port 445. When testing this, you may find that access to shared data is faster with NetBIOS turned off. The Net Send continues to work via the messenger service without problems. However, in our tests, the Alerter service does not seem to function, so if you want to enable alerts based on Performance Monitoring, you’re going to need to enable NetBIOS at least temporarily. While the failure of the Alerter service to work after NetBIOS is disabled is a bit annoying, the workaround isn’t difficult to implement. Where you will find a profound impact from disabling NetBIOS is when you are working in a mixed-mode environment. Mixed-mode environments contain both Windows 2000 and downlevel domain controllers, and clients that authenticate with either a Windows 2000 domain controller or a Windows NT domain controller. Windows 2000 machines that authenticate with a Windows 2000 domain controller will have no problems, since they search DNS for a SRV entry pointing to the Windows 2000 domain controller to authenticate against. However, downlevel clients use a NetBIOS-based Domain Locator mechanism, so if the downlevel client is to authenticate against a Windows 2000 domain controller, the NetBIOS over TCP/IP services must be in place. If they’re not, the downlevel clients will not be able to access the Windows 2000 domain controller for authentication.

Troubleshooting Common NetBIOS Communication Problems When troubleshooting NetBIOS name resolution problems, the first step is to ask: What is the service that is causing the problem? Components of network communications that are involved with NetBIOS communications and name resolution include:

91_tcpip_06.qx

2/25/00

1:01 PM

Page 307

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 307 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

The TCP/IP protocol stack NetBIOS over TCP/IP (NetBT) WINS server Broadcasts LMHOSTS files DNS servers HOSTS files The Browser service The Server service The Workstation (Redirector) service My Network Places The “net” commands: net use, net view, net send. The Alerter service

While this is far from a comprehensive list of NetBIOS programs and interfaces, it’s a good place to start. Let’s look at a common situation where you might have to figure out what’s wrong with a NetBIOS communication.

Troubleshooting Scenario One of your apprentice network administrators comes to you and says that he can’t “see” computers on any subnet other than his own, and tells you that he thinks that the router might be down, and would you come over and take a look at things. You tell him that you’d be glad to help, thinking maybe you can teach him a thing or two in the process. When you get to his office you see that, sure enough, only the computers on his local segment are visible in the My Network Places application. You ask him if he has done anything else toward solving the problem and he tells you that he’s pinged the loopback address (127.0.0.1), his own IP address, and the IP address of another machine on his own segment. Everything turned out to be okay. He tells you that he wants to confirm that it’s a problem with the router because he was able to PING the near side of the router, and that was okay, too. When you ask him if he PINGed the far side of the router, he tells you that he was “going to do that next.” When you PING the far side of the router, you see that the router is functioning correctly, and when you PING a remote host through the same router, you also get a normal response. It’s clear there is no problem with the router. The TCP/IP stack is okay. Maybe there is a problem with NetBIOS name resolution. Thus far, you’ve been PINGing machines by their IP addresses but not by their NetBIOS names. However, when

91_tcpip_06.qx

2/25/00

1:01 PM

Page 308

308 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

you PING a machine on the local segment by its NetBIOS name and then a remote machine by its NetBIOS name, both machines respond with an echo reply. So, we’ve ruled out problems with the TCP/IP protocol stack, the router itself, and NetBIOS name resolution. How about the Browser service? Since the Browser service is responsible for populating the browse list seen in My Network Places, maybe there’s a problem there. Consider what situation would limit browsing to just computers on the local subnet. Think about how computers register their server status with the Master Browser, and how Master Browsers receive information about servers on other segments. Several possibilities come to mind: ■

■

■

■

One possibility is that the Master Browser on the segment is down. However, there should have been a browser election to create another Master Browser for the segment. Perhaps the Master Browser cannot contact the Domain Master Browser. Another possibility is that the Domain Master Browser cannot contact the Master Browser. Perhaps the PDC emulator is down, in which case after further investigation you’ll see that every segment is limited to “seeing” only local machines in the My Network Places application.

Once you’ve come up with some hypotheses, you can start checking them out. Use the browstat.exe utility in the NT Resource Kit to find out which machine is currently the Master Browser. Go to that machine and see if it can ping the Domain Master, by IP address, and NetBIOS name. Go to the Domain Master Browser and see if it can contact the segment’s Master Browser, both by NetBIOS name and IP address. Check out other segments and see if they are having similar difficulties. After completing your investigation, tally the results and come up with a plan for solving the problem. If you still can’t figure it out, consider “weird” problems related to multihomed machines, or PDC emulators running WINS servers that would lead to split registrations and disjointed browse lists. If you still can’t solve the problem, check out TechNet, Microsoft newsgroups, the Help files, mailing lists, and colleagues. One of the things that distinguishes network/computer diagnostics from medical diagnosis is that there is almost always a rational explanation for the networking problem. Operate on the premise that there is an explanation and a solution, and that finding that solution—given enough hard work and a little luck—is inevitable.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 309

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 309

Summary In this chapter we’ve discussed how to troubleshoot problems relating to NetBIOS and NetBIOS name resolution. NetBIOS was originally implemented as a monolithic transport protocol. It is now implemented as a Session layer interface in the TCP/IP protocol stack that allows NetBIOS names to be resolved to IP addresses. Programs written to the NetBIOS interface use NetBIOS names as the endpoint for communication, and NetBIOS names are required for NetBIOS applications to establish a session with a NetBIOS application on a destination computer. Microsoft provides a number of methods to resolve, or match up, NetBIOS names to IP addresses in Windows 2000. These include Broadcasts, WINS servers, NetBIOS Remote Name Cache, LMHOSTS files, HOSTS files, and DNS servers. Depending on the NetBIOS hosts node type, a certain order of services will be used to accomplish NetBIOS name resolution. A NetBIOS name server is a computer that maintains a database containing the NetBIOS names and IP addresses of machines on a TCP/IPbased network. NetBIOS applications can query the NetBIOS name server’s database to find the IP address of a destination host, so that a session can be established over a TCP/IP-based network. The best-known and most widely used NetBIOS name server is the Microsoft Windows Internet Name Service, or WINS. WINS is RFC 1001/1002-compliant, and contains many features over and above those specified in the RFC.

Don’t Multihome Your WINS Server While WINS servers do a lot of different things, their primary duties involve accepting NetBIOS Name Registration Requests and answering NetBIOS Name Query Requests. When a WINS-enabled computer starts up, it registers its NetBIOS name with its configured WINS server. When a computer on the network running a NetBIOS application wants to establish a session with another computer, it will query the WINS server for the IP address of the destination NetBIOS named host. If the Primary WINS server contains an IP address mapping for the requested NetBIOS name, it will return a Positive NetBIOS Query Response, and if it doesn’t have a mapping for the destination computer, it will return a Negative NetBIOS Query Response. If the WINS client receives a Negative NetBIOS Query Response, it will check its Secondary WINS server until it gets a definitive reply. It is not good practice to multihome WINS servers. The WINS service binds to a single IP address, and hosts connect to a WINS server via its NetBIOS name. Name resolution problems will almost always result when you multihome a WINS server.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 310

310 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

Use a WINS Proxy Agent on Segments with nonWINS Clients A WINS Proxy Agent will intercept NetBIOS Name Query Requests broadcasted by both WINS and non-WINS-enabled hosts. A WINS Proxy Agent forwards these requests to a WINS server, and the WINS server sends a response back to the WINS Proxy Agent, who in turn sends the response to the machine that broadcasted the request. WINS Proxy Agents are valuable on segments that contain non-WINS clients. Remember that WINS servers do not respond to broadcasted query requests, even if the WINS or non-WINS client is on the same segment. If you have a nonWINS client on the same segment as a WINS server, you will still need to include a WINS Proxy Agent on that segment.

Avoid Static Records in the WINS Database The WINS server contains all its information in a WINS database. The records in the WINS database can be either dynamic or static. Dynamic records are updated by WINS clients whenever there is a change in the NetBIOS name or IP address of a computer registering with the WINS server. A static record is manually entered by the administrator, and it will not be overwritten by another computer that might try to register the same name unless the “Migrate On” option is enabled. Migrate On allows static records to be overwritten by dynamic records. There are some important exceptions to this, and it is good practice to avoid static records in a WINS database if possible.

Define Replication Partners Based on Link Factors The WINS database, to be useful, represents a distributed database. When you have multiple WINS servers on your network, there must be a mechanism for each server to share the information in its database. WINS servers share information by using the WINS replication process. The replication process is accomplished by forming partnerships between WINS servers. These WINS replication partners can enter into either a Push or Pull (or both) partnership. A Push partner sends a replication trigger to its partner when a certain number of changes in the WINS database have taken place. A Pull partner sends a replication trigger after a set interval of time. Most partnerships are defined by both Push and Pull relationships. In some circumstances, such as replication over slow and expensive WAN links, it may be better to just define Push partnerships.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 311

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 311

Avoid Split Registration WINS servers should point to themselves when configuring their TCP/IP parameters. If you configure a WINS server to point to itself as its Primary WINS server, and point to another WINS server as it Secondary, this can lead to “split registrations.” A split registration is when some of the NetBIOS names of a computer are registered on itself, and some are on another WINS server. This can lead to authentication and Browser service problems.

Use the Hub and Spoke Model in Multisite Environments WINS networks should be designed with the Hub and Spoke model in mind. In a multisite WINS environment, each site should have a Hub WINS server with which all other WINS servers at the site have Push and Pull replication partnerships with. Site Hubs can be configured in a number of different ways, such as a central “Hub of Hubs” or in a Ring relationship. The total amount of time it takes for a new or updated WINS record to be replicated to all WINS server in the organization is called the “convergence” time. The convergence time should represent the “worst-case scenario” for replicating a WINS record between the two WINS servers separated by the largest WINS hop count. Be aware of the hop count when configuring either a “Hub of Hubs” or Ring replication scheme to assess which might be superior for your organization.

Configure DNS Servers to Resolve NetBIOS Names NetBIOS names can be resolved by DNS servers, but the DNS servers must be configured to send name requests to a WINS server before this happens. Unqualified DNS queries are those that do not contain an FQDN. When a DNS resolver formulates a DNS query, it will append a domain name to the unqualified request. If the DNS server is unable to resolve the request, it will strip everything off to the right of the leftmost period, and then send the name included to the left of the first period to the WINS server for NetBIOS name resolution.

Don’t Multihome Master Browsers The Browser service is used to populate the browse list, which is seen when a user opens up the My Network Places application. Servers announce themselves via NetBIOS broadcast messages, and the Master Server on each segment collects the names of the servers on its segment to build its browse list. The Domain Master Browser, which is the PDC

91_tcpip_06.qx

2/25/00

1:01 PM

Page 312

312 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

emulator on a Windows 2000 network, communicates with each segment’s Master Browser, and collects the information each segment’s Master Browser has about servers on its segment. The Domain Master Browser collates this information from all the Master Servers, and then distributes this list to all the Master Servers. Master Browsers should not be multihomed. Multihomed Master Browsers collect browse list information on each adapter that is independent of information collected on its other adapters. When the Domain Master Browser collects the browse list information from a multihomed Master Browser, it contacts only one adapter associated with the Master Browser’s NetBIOS name. This leads to incomplete browse list information on the Domain Master Browser. In the same way, when Master Browsers contact a multihomed Domain Master Browser, they exchange browse list information with only one of the adapters. Different Master Browsers may contact different adapters of browse list exchange. This leads to a disjointed network browse list.

Use Manual Tombstoning Instead of Deleting Records Tombstoning a record marks a WINS record for future deletion. When you tombstone a record, you avoid having a record replicate back to a WINS server that it was deleted on. You should avoid deleting records from a WINS server, and tombstone them instead. In this way, the record’s tombstoned status is replicated to other WINS servers and shortens the life span of that obsolete record on the WINS network.

Consider the Ramifications before Disabling NetBT NetBIOS over TCP/IP (NetBT) can be disabled on any adapter attached to a Windows 2000 computer. Windows 2000 machines are able to locate and authenticate with a domain controller without NetBIOS support because Windows 2000 clients use DNS for locating domain controllers. Downlevel clients use a Domain Locator that is dependent on NetBIOS, and therefore require NetBIOS support for authentication. If no domain controllers exist on the network that support NetBIOS, downlevel clients will not be able to successfully authenticate. If you disable NetBIOS, some network services that you are accustomed to using will no longer function. The Alerter service will no longer be able to locate a username or computer name over the network because it is a NetBIOS-dependent service. The Browser service is also NetBIOSdependent, and disabling NetBIOS will cause My Network Places to be empty. Other services traditionally thought of as NetBIOS services include

91_tcpip_06.qx

2/25/00

1:01 PM

Page 313

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 313

the messenger service and the “net” commands. However, alternate mechanisms are used to provide these services functionality on TCP/IP networks without NetBT. Similarly, the Server service and the Workstation service will continue to function, and at times function more efficiently after disabling NetBIOS.

FAQs Q: When should I turn off NetBIOS on my computers? A: NetBIOS can be removed from your network when you no longer need it for compatibility with downlevel clients and applications. The first step is to upgrade all downlevel clients to Windows 2000. This means removing or upgrading all your DOS, Win9x, and Windows NT servers and workstations to Windows 2000. After upgrading all machines to Windows 2000, they will all be able to authenticate without the aid of NetBIOS. However, before you completely remove NetBIOS over TCP/IP support from all the adapters on your network, you must ensure that no vital network legacy applications exist that will require NetBIOS. There are several ways you can assess whether your applications require NetBIOS support. You can call the vendor, although often you’ll have difficulty contacting someone who is technically adept. A better place to start would be the vendor’s Web site. If the Web site is not helpful, the best thing you can do is check it out for yourself. Set up a test bed and configure the application in question to work properly over the network. Then disable NetBIOS support on all the adapters in the test bed. If the application continues to work normally, it does not require NetBIOS support. Use Network Monitor during this test period to gain further insight about what protocols the application uses. Q: How many WINS servers do I need on my network? A: Microsoft states that you should never need more than 20 WINS servers, regardless of the size of your organization. If you believe that you need more than 20 WINS servers, it’s recommended that you call Microsoft Consulting Services. WINS servers can handle a remarkable number of NetBIOS registrations and NetBIOS query requests per second. A single WINS server can process over 5000 NetBIOS name query requests per second, and well over 1000 NetBIOS name registrations per second. Even more NetBIOS name registrations can be handled via a method known as “burst handling.” When a WINS server goes into “burst

91_tcpip_06.qx

2/25/00

1:01 PM

Page 314

314 Chapter 6 • Troubleshooting Windows 2000 NetBIOS Name Resolution Problems

mode,” it will acknowledge a NetBIOS name registration immediately, and then give a short time-to-live (TTL) for the registration, which allows the WINS server to process more registrations, more quickly, when a flood of them comes in simultaneously. A good general rule of thumb for the number of WINS servers required is one for every 10,000 computers, and a backup WINS server for that one. However, you should also consider the physical topology of your network before deciding how many WINS servers you need. You should have at least one WINS server on each side of a WAN link in order to minimize the amount of WAN traffic dedicated to WINS registrations and queries. Q: Can my DNS servers do the exact same thing as WINS? Can’t I just whack my WINS servers and use DNS only? A: DNS servers can resolve NetBIOS names without the aid of a WINS server. In order to make this work, you should unify your organization’s naming structure so that DNS host names are the same as NetBIOS names. You must use only legal DNS characters in your NetBIOS names for this to work optimally. Set up your domains with host records that will resolve to the IP addresses of the computers that are running the NetBIOS applications that the clients need to connect to. Configure the clients to append the proper domain suffix so the DNS query resolves to the correct IP address. You can also speed up the NetBIOS name resolution for the clients by making them b-node clients. The drawback of using a DNS-only solution is that clients will always use broadcasts first to resolve the NetBIOS name. The negative impact can be ameliorated with strategic placement of bridges or LAN switches. Q: What’s that Hub and Spoke Model thing again? A: The Hub and Spoke model is used to optimize the replication partnerships between WINS servers. This model prevents the often haphazard approach used to configure WINS replication partners. Within each site, a single WINS server acts as a “Hub” server, and every other WINS server at the site is configured to replicate with this Hub WINS server. All other WINS servers at the site are considered “Spoke” servers. The replication relationship between the Spokes and the Hub are both Push and Pull in both directions. If you have a multisite organization, you need to configure each site Hub to replicate with other site Hubs. You can do this by selecting one of the sites to be a central “Hub of Hubs,” and make the other

91_tcpip_06.qx

2/25/00

1:01 PM

Page 315

Troubleshooting Windows 2000 NetBIOS Name Resolution Problems • Chapter 6 315

WINS servers Spokes to that central WINS server. You could also use a “Ring” approach, where other WINS servers are configured to replicate with those adjacent to them. There are other replication models as well. When configuring the intersite replication partnerships, be sure to keep in mind the WINS hop count, to assess the convergence time of the WINS database. Q: My users drive me nuts saying that they can’t “see” computers on the network. You mentioned something about “publishing” shares in the Active Directory. How do I do that? That My Network Places was put there so users could drive me insane! A: After disabling NetBIOS from your network, you can make shared resources easily available to users in the My Network Places applet. To publish a shared resource in the Active Directory, open the Active Directory Users and Computers management console from the Administrative Tools menu. Right-click the domain name, or any of the organizational unit names, and select New and then Shared Folder. Put in a name for the published share, and the UNC path. When the users look in the “Directory” in the My Network Place application, they will see the published share. By publishing shares, you can control where the users will find shared resources, and avoid those irritating questions about not being able to “see” machines on the network.

91_tcpip_06.qx

2/25/00

1:01 PM

Page 316

91_tcpip_07.qx

2/25/00

11:08 AM

Page 317

Chapter 7

Troubleshooting Windows 2000 DNS Problems

Solutions in this chapter: ■

Host Naming Conventions

■

DNS Configuration Problems

■

Windows 2000 Dynamic DNS

317

91_tcpip_07.qx

2/25/00

11:08 AM

Page 318

318 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Introduction The Windows 2000 Domain Name System (DNS) server represents a major overhaul of DNS services available in previous versions of Windows. There was no DNS server included with Windows NT 3.1 and 3.5x; however, a DNS was available with the Windows NT Resource Kit for Windows NT 3.5x. While it wasn’t very functional, it demonstrated that Microsoft was on its way to providing name services for Internet applications. Windows NT 4.0 saw the first fully functional DNS server provided for Microsoft operating systems. This DNS server was RFC-compliant, and reliable and robust. The DNS server that came with Windows NT 4.0 wasn’t used very much. Most Windows NT-based networks were firmly based on the NetBIOS standard; therefore, DNS servers were not an integral part of those networks. The DNS server was more of a curiosity than something administrators depended on to provide fault-tolerant name services for their enterprise. That’s all changed. Windows 2000 has divorced itself from NT’s dependence on NetBIOS for networking services and domain-related activities, such as the logon authentication process. Because Microsoft realizes that the Internet and Internet technologies in general are driving the computer industry to new heights, Windows 2000 uses DNS as its primary name server and resource locator. This brings Windows 2000 closer to the world of UNIX administrators, who have traditionally been the keepers of DNS. In order to troubleshoot DNS, you first must understand how it works. Therefore, in this chapter we’ll start with a basic explanation of the differences between NetBIOS and DNS naming conventions. You’ll see how DNS is organized, learn about DNS naming conventions, and see where you can go wrong in the DNS naming process. The difference between DNS zones and domains will be covered, and we’ll look at some scenarios that will help you avoid making egregious errors during your design process. The Windows 2000 DNS server is a major advance over previous versions of Microsoft’s implementations of DNS, primarily because of two features: integration with the Active Directory and Dynamic Name Registration Services. When Windows 2000 DNS services are integrated with the Active Directory, the DNS servers all become primaries, which significantly improves fault tolerance. The Dynamic Name Registration Services provided with the Windows 2000 DNS server allows DNS host machines on the Windows 2000 network to automatically register and refresh their names in the DNS database (à la the WINS model).

91_tcpip_07.qx

2/25/00

11:08 AM

Page 319

Troubleshooting Windows 2000 DNS Problems • Chapter 7 319

Along with the advantages provided with Active Directory and Dynamic DNS come pitfalls. We will look at some special issues that you need to consider in order to avoid big problems when implementing the Windows 2000 DNS server. Finally, we’ll look at a full bag of troubleshooting tools you can use to investigate and fix problems related to Windows 2000 DNS.

The Difference between NetBIOS Names and Host Names As we discussed in Chapter 6, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems,” NetBIOS is implemented as a Session layer interface in the TCP/IP protocol stack. This interface allows programs that were written for the NetBIOS programming interface to work on TCP/IP networks.

Flat versus Hierarchical Namespace The NetBIOS namespace is “flat.” The most important characteristic of a flat namespace is that no two computers participating on the same network can have the same NetBIOS name. All machines are on the same “level.” It is as if everyone in the world had just a first name, and no middle name or last name. In order to identify one person from the other by name, we would have to ensure that each one had a different first name. If two people had the same first name, messages or communications intended for one person might go to another person.

NOTE Some network administrators we’ve known have toyed with the concept of segmenting the NetBIOS namespace by using NetBIOS Scope IDs. A NetBIOS Scope ID allows you to segment the NetBIOS namespace so that two computers on the same network can have the same name. For example, you can have two computers with the name PROMETHEUS, one that belongs to the STUFF Scope, and another in the BLOBAL Scope. The NetBIOS names of these computers are, respectively, PROMETHEUS.STUFF and PROMETHEUS.BLOBAL. However, machines that belong to different NetBIOS Scopes will not be able to communicate with each other via NetBIOS. Unless you have security concerns related to NetBIOS communications, and need to “wall-off” NetBIOS communications between groups of computers, it is recommended that you do not implement NetBIOS Scopes to segment the namespace.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 320

320 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

For NetBIOS-based programs, the NetBIOS name can be considered the endpoint of communications. NetBIOS programs must know the NetBIOS name of the destination machine. If they do not have access to that name, no communication will take place.

NetBIOS on a TCP/IP Network NetBIOS itself was designed for small, broadcast-based, single-segment networks; it was not designed for use in large, multisegmented internetworks. And NetBIOS definitely wasn’t designed to work on a TCP/IPbased network. NetBIOS applications have a problem when running on TCP/IP-based networks. The TCP/IP protocol stack only cares about the IP address of the destination host, while NetBIOS applications only care about the NetBIOS name of the destination host. In order for information to move from the Application layer down the TCP/IP protocol stack, we have to “translate,” or resolve, the NetBIOS name to an IP address. As we saw in Chapter 6, a NetBIOS name server can be used to provide the most efficient method of NetBIOS name resolution. (See Figure 7.1.) Figure 7.1 NetBIOS application accessing the network protocol stack.

NetBIOS Application (e.g.Web browser, mail client)

Application Layer WinSock Interface

NetBIOS Interface

Host-to-Host Layer (Transport)

Internet Layer

Network Interface Layer

NetBIOS Name Resolution

91_tcpip_07.qx

2/25/00

11:08 AM

Page 321

Troubleshooting Windows 2000 DNS Problems • Chapter 7 321

Characteristics of Host Names Host names are completely different animals. While NetBIOS applications are dependent on the functions of the NetBIOS interface for network communications, applications that use the WinSock interface do not have the same issues. WinSock applications, in this context, can be thought of as a group of programs written specifically for the TCP/IP protocol stack. Examples of Winsock applications include Web browsers and servers, FTP clients and servers, newsgroup clients and servers, e-mail clients and servers, and many others. These Winsock applications all have one thing in common: They do not require computer names of any kind to establish a session with a destination computer. WinSock programs were written to function specifically on TCP/IP networks, and therefore they are only concerned about having the IP address of the destination computer to make contact. Computers don’t have a problem working with numbers, but people have a heck of a time trying to remember a bunch of numbers. Try to recall the IP addresses of all the Web servers you contacted last week when surfing the Net. It’s unlikely that you know any of them, because you didn’t contact those servers via their IP addresses; rather, you used the destination computer’s host name. A host name is a convenience created for the benefit of humans. WinSock applications do not require host names to create a session with another computer, but host names provide a way for us to easily remember how to access another machine on the network without having to commit dozens of IP addresses to memory.

The Need for a Name Resolution Service When we use host names to contact machines on the network, we add another level of complexity. Similar to what happens with NetBIOS applications on a TCP/IP-based network, we must now have some mechanism to translate, or “resolve”, host names to IP addresses. That is the purpose of the DNS server. The DNS Server contains a database of host names and IP addresses, and any machine configured as a DNS client can query this database.

Domains: The “Family Name” Host names do not live in isolation as do their NetBIOS counterparts. While each NetBIOS machine is considered a member of the same “family,” DNS hosts are members of domains. Therefore, multiple DNS hosts can share the same host name, as long as they are members of different domains. More than one person can be named Tom, and we can differentiate each Tom from the others because they belong to different families;

91_tcpip_07.qx

2/25/00

11:08 AM

Page 322

322 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

for example, Tom Shinder, Tom Petty, and Tom Jefferson. This is how we get thousands of machines on the Internet to have the same name, “www.” Each of these machines with the host name “www” belongs to a different domain, such as www.syngress.com, www.microsoft.com, and www.shinder.net. Each host named “www” is differentiated from the others because they all belong to different families or domains. This is a good time to go into more detail about DNS, and how domains are organized on the Internet and on an intranet.

The Domain Name System When the Internet was in its infancy, host names were resolved to IP addresses via a plain text file named “hosts.txt.” This file was located at the Stanford Research Institute’s Network Information Center (SRI-NIC). Whenever a machine was added to the network, or an existing machine’s IP address was changed, the hosts.txt file had to be edited. This hosts.txt file then had to be downloaded from SRI-NIC so that all machines on the network would have an accurate list of host names and IP addresses for host name resolution.

NOTE Microsoft operating systems can still use a HOSTS file for resolution of fully qualified domain names (FQDNs); however, this HOSTS file does not use the .txt (or any) extension. A common mistake in creating a HOSTS file in Notepad or other text editors is that the application saves it with the .txt extension, which means it will not work.

A Hierarchical Naming System There were several problems with using the hosts.txt file. First, it used a flat namespace, like that seen in NetBIOS. The flat namespace required each computer to have a different name. Second, as more and more machines joined the network, traffic at SRI-NIC became a significant bottleneck to network communications. Third, the size of the hosts.txt file got increasingly large, which led to long download times, and reduced performance for lookups. To solve these problems, Paul Mockapetris in 1987 developed and proposed the Domain Naming System. The DNS was designed to be a hierarchical naming system, and responsibility for the DNS database was distributed.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 323

Troubleshooting Windows 2000 DNS Problems • Chapter 7 323

NOTE A distributed database has several benefits: host name lookups are sped up significantly, and it also creates fault tolerance for the DNS. No single location is responsible for maintaining the contents or the integrity of the DNS database.

Domain Levels At the top of the DNS hierarchy is the root domain. The root domain is sometimes represented as a period surrounded by quotation marks (“.”), or as a space surrounded by quotation marks. If you have read many books on TCP/IP, I’m sure you’ve seen it represented as both. Which one is correct? We will come back to that question when we finishing discussing FQDNs.

Top-Level Domains Just underneath the root domain are the top-level domains. The top-level domains consist of a two- or three-letter designation, such as .com, .net, .org (called generic domains), or .au, .us, .de (country codes). The toplevel domains are intended to subdivide the DNS namespace into logical groups based on the nature of the organization participating in a specific top-level domain space hierarchy. For example, organizations participating in the .com hierarchy were originally meant to be commercial, profitmaking entities. Groups in the .org hierarchy were expected to be nonprofit entities. The .net domain was intended for network providers such as ISPs (Internet Service Providers). The two-letter designations are country codes, although some countries use a two-letter designation to denote the type of organization within a specific country code hierarchy; for example, www.bbs.co.uk.

Second-Level Domains The second-level domains lie below the top-level domains. These secondlevel domains are named for the organizations that own the domain names. A second-level domain name can be obtained from a Domain Registrar, such as Network Solutions, Inc. (NSI). NSI was the only registrar for second-level domains in the United States until 1999. There are other domain registrars participating in second-level domain registrations now, but NSI continues to be the primary purveyor.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 324

324 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

NOTE New domain name registrars are being approved on a continuous basis. For an up-to-date listing of authorized registrars, see ICANN’s Web site at www.icann.org/registrars/accredited-list.html.

The second-level domain name places your organization in a unique position in the DNS hierarchy. Examples of second-level domains are microsoft.com, syngress.com, and shinder.net.

Subdomains The root domain, top-level domains, and second-level domains are the only centralized aspects of the Domain Naming System. After you have registered your second-level domain name with a Domain Registrar, you are free to create as many subdomains as you like. For example, Microsoft might want to create subdomains for their marketing and development divisions, so they could create subdomains named marketing.microsoft.com and dev.microsoft.com.

The Domain Tree Each domain in the DNS hierarchy represents a branch in the “tree.” Each branch terminates with a leaf object (an endpoint object that cannot contain other objects), which is a host name for a machine that belongs to a specific domain. The Microsoft subdomain dev.microsoft.com might have machines with the host names like www and vbs. Those host names, then, are leaf objects, or termination points in the DNS tree. Figure 7.2 depicts an example of a DNS tree’s branches and leaf objects. Each leaf object (or host) can be identified by its location in the tree. Remember that only the root, top-level, and second-level domains are centrally managed. It is the responsibility of the DNS administrator to maintain the DNS database of host names and IP addresses for all objects within the subdomain, and any subdomains contained within his subdomain. In this example, the DNS administrator responsible for the dev.microsoft.com subdomain must manage the resources represented by hosts www and vbs, which includes their IP address entries in the DNS database.

Fully Qualified Domain Names In order to identify a host participating in the DNS, you must include more than just the host name. Each computer, or host, belongs to a

91_tcpip_07.qx

2/25/00

11:08 AM

Page 325

Troubleshooting Windows 2000 DNS Problems • Chapter 7 325

Figure 7.2 DNS tree with branches and leaf objects. Root

net

shinder.com

com

org

microsoft.com

syngress.com

dev.microsoft.com

www.dev.microsoft.com

marketing.microsoft.com

vbs.dev.microsoft.com

specific domain, and it is identified by its domain membership. The combination of a host name and its domain name is referred to as its fully qualified domain name (FQDN). All hosts participating in the DNS are identifiable via their FQDNs. The FQDN is comparable to a full path location for a file on a machine’s hard drive. For example, if you have a file called cache.dns located in the dns subdirectory, which is in the system32 subdirectory, which is in the WINNT subdirectory, which is contained on the C: drive, the full path to the cache.dns file would be: C:\WINNT\system32\dns\cache.dns

The location moves from general to specific as you move from left to right in this file path example. When specifying an FQDN, the path moves from specific to general. For example: www.dev.microsoft.com.

The leftmost entry is the host name of the machine. The dev domain is a subdomain of the larger microsoft domain, which in turn is a subdomain of the larger com domain. Each level in the FQDN is separated by a “dot,” or period. The information between the dots is referred to as a label, and each individual

91_tcpip_07.qx

2/25/00

11:08 AM

Page 326

326 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

label can contain up to 63 octets or characters. The entire FQDN is limited to 255 octets. You should be aware that although labels and FQDNs are allowed a defined number of octets, many applications will not accept labels of this length. Domain Registrars have traditionally limited domain names to 22 characters.

NOTE Notice that octets, rather than characters, define labels. This is because the Windows 2000 DNS server supports UTF-8 characters in FQDN labels. Each UTF-8 character can be longer than the typical ASCII single-byte (8 bits, or octet) characters; therefore, a four-character UTF-8 label may contain more than 4 bytes.

In order to be fully qualified, the name must be terminated with a dot. This is an error that many network administrators fail to appreciate when they run into problems. This is typically not a problem when users enter FQDNs into a WinSock application such as a Web browser or e-mail client, but can be a major issue when using DNS diagnostic tools such as nslookup. Look at the following interchange between a DNS client and DNS server when trying to first resolve an unqualified name and then a qualified name. The only difference between the two queries is that a dot was included at the end of the host name. C:\>nslookup -ds deb.stuff.tacteam.net [NO DOT TERMINATES THIS QUERY] —————— Got answer: HEADER: opcode = QUERY, id = 1, rcode = NOERROR header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: 185.1.168.192.in-addr.arpa, type = PTR, class = IN ANSWERS: -> 185.1.168.192.in-addr.arpa name = constellation.tacteam.net ttl = 3600 (1 hour) —————— Server: constellation.tacteam.net Address: 192.168.1.185 ——————

91_tcpip_07.qx

2/25/00

11:08 AM

Page 327

Troubleshooting Windows 2000 DNS Problems • Chapter 7 327 Got answer: HEADER: opcode = QUERY, id = 2, rcode = NXDOMAIN header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 0, authority records = 1, additional = 0 QUESTIONS: deb.stuff.tacteam.net.tacteam.net, type = A, class = IN AUTHORITY RECORDS: -> tacteam.net ttl = 3600 (1 hour) primary name server = constellation.tacteam.net responsible mail addr = debshinder.tacteam.net serial = 1095 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) —————— —————— Got answer: HEADER: opcode = QUERY, id = 3, rcode = NXDOMAIN header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 0, authority records = 1, additional = 0 QUESTIONS: deb.stuff.tacteam.net.wins.tacteam.net, type = A, class = IN AUTHORITY RECORDS: -> wins.tacteam.net ttl = 3600 (1 hour) primary name server = constellation.tacteam.net responsible mail addr = tshinder.tacteam.net serial = 2 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 900 (15 mins) —————— —————— Got answer: HEADER: opcode = QUERY, id = 4, rcode = NOERROR

91_tcpip_07.qx

2/25/00

11:08 AM

Page 328

328 Chapter 7 • Troubleshooting Windows 2000 DNS Problems header flags: response, auth. answer, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: deb.stuff.tacteam.net, type = A, class = IN ANSWERS: -> deb.stuff.tacteam.net internet address = 192.168.1.234 ttl = 3600 (1 hour) —————— Name: deb.stuff.tacteam.net Address: 192.168.1.234 C:\>nslookup -ds deb.stuff.tacteam.net. [THIS QUERY IS DOT TERMINATED] —————— Got answer: HEADER: opcode = QUERY, id = 1, rcode = NOERROR header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: 185.1.168.192.in-addr.arpa, type = PTR, class = IN ANSWERS: -> 185.1.168.192.in-addr.arpa name = constellation.tacteam.net ttl = 3600 (1 hour) —————— Server: constellation.tacteam.net Address: 192.168.1.185 —————— Got answer: HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: deb.stuff.tacteam.net, type = A, class = IN ANSWERS: -> deb.stuff.tacteam.net internet address = 192.168.1.234 ttl = 3526 (58 mins 46 secs)

91_tcpip_07.qx

2/25/00

11:08 AM

Page 329

Troubleshooting Windows 2000 DNS Problems • Chapter 7 329 —————— Name: deb.stuff.tacteam.net Address: 192.168.1.234

Note that the first query was not fully qualified, since there was no period at the end. Because of that, it was processed as an unqualified DNS query, which took a number of steps to resolve. The second query was for the FQDN, and resolution took only a single step. We will examine the details of host name resolution in the next section.

The $64,000 Question Before taking leave of this subject, we have one more issue to resolve. You might still be wondering what the proper representation of the root domain should be. In defining our FQDNs, we saw that each label was separated by a period. When we fully qualify our domain name, we include a period at the end. What lies to right of the rightmost period? Nothing. The root domain lies at the right of the rightmost period! So, if you really wanted to be technically correct, you would represent the root domain as “ ” —an empty space. Now, aren’t you glad you bought this book?

Host Name Resolution Host name resolution is the process a DNS client machine goes through to match up the destination host name with an IP address. Windows 2000 machines can discover the IP address of a destination host using a number of different methods. Collectively, these methods comprise the host name resolution sequence.

Name Resolution Sequence You might remember learning the host name resolution sequence for Windows NT 4.0 machines: “Large Hard Drives? Can We Buy Legally?” or LHDCWBL. Many students of Microsoft networking have used this mnemonic aid to remember the services that resolve host names to IP addresses. Those services or methods were Localhost, HOSTS, DNS, NetBIOS Remote Name Cache, WINS, Broadcast, and LMHOSTS. Note that only the first three methods are DNS-specific; the rest are part of the normal NetBIOS name resolution sequence.

The Caching Resolver The rules change a little with Windows 2000, because Windows 2000 includes a systemwide caching resolver. This caching resolver is responsible for formulating and issuing queries on behalf of the DNS client for

91_tcpip_07.qx

2/25/00

11:08 AM

Page 330

330 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

host name resolution. The caching resolver is implemented as part of the DNS Client Service. The caching resolver is able to cache both positive and negative responses. When a positive response is cached, the time-to-live (TTL) on the record returned to the client is respected by the DNS client receiving the DNS response. For example, if you resolve www.shinder.net to 209.217.17.13, the response from the DNS server resolving the request will include a TTL for that record. If you issue the command: nslookup –ds www.shinder.net.

you will receive the TTL on the record, which is 24 hours. If you issue the command a second time within the TTL period, you will receive an answer of “nonauthoritative answer,” as seen in Figure 7.3. This indicates that the record was retrieved from cache, rather than from the authoritative server itself. Notice that the TTL for the record retrieved from cache has decreased from 24 hours to 23 hours 51 mins 58 seconds. This demonstrates the aging of the cached DNS record. Figure 7.3 Nonauthoritative answer received from cache.

The caching resolver caches queries that have been answered positively, and also caches negative results. When a DNS query fails, this failed result is placed in cache for five minutes, by default. If the machine issues a DNS query for the same object within five minutes, no query will be sent, and a failure message will be retrieved from cache. This can significantly reduce the overall DNS query traffic on a large network. Figure 7.4 shows an example of a negatively-cached DNS query result.

TIP Disabling the DNS Client Service in the Services applet in the Administrative Tools folder can turn off the caching resolver.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 331

Troubleshooting Windows 2000 DNS Problems • Chapter 7 331

Figure 7.4 Query for a failed DNS lookup appears as a negatively cached query.

Using the HOSTS File for Name Resolution Another change to how host names are resolved involves the HOSTS file. Earlier, we discussed the hosts.txt file that was used in the early days of the Internet for host name resolution. The Microsoft DNS client service can use the HOSTS file (no file extension) to resolve host names to IP addresses. In Windows NT 4.0, the HOSTS file was parsed each time a DNS query was sent. In Windows 2000, entries in the HOSTS file are entered into the caching resolver. Therefore, any host name to IP address mapping included in the HOSTS file is entered into cache as soon as the HOSTS file is saved. You do not need to restart the computer or even the DNS Client Service. You can prove it to yourself by trying this: Open Notepad, select the File menu, click Open, and then in the filename box, type: “c:\winnt\system32\drivers\etc\hosts”

WARNING Be sure to include the quotation marks, or else Notepad will look for hosts.txt, and it won’t open the HOSTS file.

Minimize Notepad. Now, open a command prompt and type:

91_tcpip_07.qx

2/25/00

11:08 AM

Page 332

332 Chapter 7 • Troubleshooting Windows 2000 DNS Problems ipconfig /flushdns

This will empty your local DNS cache. At the command prompt, type: ipconfig /displaydns

This will show the contents of your DNS cache after it has been emptied. Return to Notepad and type in the IP address and the FQDN name of a fictitious computer on your network. Save the file, return to the command prompt, and display the DNS cache again. You will see the entry for the fictitious computer in cache. Return to Notepad, delete the fictitious entry, and save the file. Display the DNS cache again from the command prompt, and you’ll see that the computer no longer appears in cache. Considering the effect of the caching resolver and the way the HOSTS file is automatically loaded into the caching resolver, we can come to a conclusion regarding host name resolution sequence. The sequence in Windows 2000 is Localhost, caching resolver, DNS, NetBIOS Remote Name Cache, WINS, LMHOSTS. This is important to remember during your host name troubleshooting adventures, so someone had better come up with a catchy mnemonic for it soon.

Sending the DNS Query to a DNS Server When the DNS client service formulates a DNS query, what is it actually asking for? The question to the DNS server includes the FQDN of the destination computer, the type of records to search for (which is typically an A Host record), and a request for recursion. If the request is entered as an unqualified request in the host application, the DNS Client Service (resolver) will append a domain name to the request based on decisions you made earlier about how to handle unqualified requests. (We will cover unqualified requests later in this section.) Do an nslookup with the –ds switch for www.shinder.net. You will see the question asked for the DNS server in the response: HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: www.shinder.net, type = A, class = IN ANSWERS: -> www.shinder.net internet address = 209.217.17.13 ttl = 44450 (12 hours 20 mins 50 secs)

91_tcpip_07.qx

2/25/00

11:08 AM

Page 333

Troubleshooting Windows 2000 DNS Problems • Chapter 7 333

After the resolver formulates the question, it sends a DNS query requesting recursion to the Preferred DNS server that has been configured on the client machine. When the DNS server receives a request for recursion, it means that the DNS must respond with a definitive response. A definitive response is either “Here’s the IP address of the host name that you’re looking for,” or “Nope, I can’t find it.” When a host requests recursion, that means that it is not interested in referrals to other DNS servers that might know the IP address of the sought-after host. This would be like me asking you, “Who was the 17th President of the United States?” If I request you to perform recursion, that means I want you to answer the question. I am not interested in you telling me the names of other people I can ask who might know the answer. The DNS server receives the query from the DNS client that requests recursion. The DNS server checks its zone files to assess whether it is authoritative for the zone being queried. If the server is authoritative for the zone, and has a resource record for the host in question, it returns the answer to the DNS client. The DNS client now has the IP address, and can now attempt to establish a session with the destination computer.

The Recursion Process If the DNS server is not authoritative for the zone, it will check its cache to see if it has an entry for the destination host. If there is no entry in cache, it will begin the process of recursion. In order to complete recursion, the DNS server will issue iterative queries to other DNS servers. An iterative query does not contain a request for recursion. For example, I’ve asked you the question, “Who was the 17th president of the United States?” and requested recursion. Since I’ve requested recursion, you must supply me with a definitive answer, either the name of the president, or that you don’t know. To complete this recursive request, you will ask other people to help you. You might ask Bob first, and Bob says to you, “I don’t know, but Larry might know.” You then ask Larry, and Larry says, “I don’t know, but Debi might know.” So you ask Debi, and she tells you it was Andrew Johnson. You complete recursion by telling me. “It was Andrew Johnson.” When you queried Bob, Larry, and Debi, you did not request recursion. By not requesting recursion, you were telling Bob, Larry and Debi that you were willing to accept referral answers. A referral is a “helpful hint” or a pointer to another location where the answer to the question might be found. When DNS servers act as DNS clients (to complete the DNS recursive query request from its DNS client), they will issue iterative queries such as this to other DNS servers to resolve a host name to an IP address. Once the client’s DNS server receives a definitive answer,

91_tcpip_07.qx

2/25/00

11:08 AM

Page 334

334 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

it completes recursion by returning either the IP address or the “host not found” result to the DNS client. Let’s look at a simple example of how this process works. Refer to Figure 7.5 while reading the description. Figure 7.5 DNS server issuing iterative queries to complete recursion.

Constellation queries root DNS. Root returns IP address of .com DNS. Root DNS Server Constellation queries .com DNS. The .com DNS refers to the syngress DNS server. Constellation.tacteam.net

.com DNS Server

Exeter.tacteam.net syngress DNS Server

Constellation queries syngress.com DNS. Syngress.com returns IP address of host www.syngress.com.

You are sitting at a client machine named Exeter, which is a member of the tacteam.net domain. You want to visit a Web site at www.syngress.com. You type the URL in the Web browser and the DNS Client Service formulates the DNS query to send to Exeter’s Preferred DNS server. The Preferred DNS server is Constellation.tacteam.net. Constellation is authoritative for only the tacteam.net zone. When Constellation receives the DNS query for www.syngress.com, it first checks to see if it is authoritative for syngress.com. Since it is not, it then checks its DNS cache to see if it has successfully resolved the request recently. If the entry for www.syngress.com is not in cache, it will then attempt to issue a series of iterative queries in order to complete recursion.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 335

Troubleshooting Windows 2000 DNS Problems • Chapter 7 335

Constellation will first contact one of the Internet Root DNS servers and issue a DNS query for www.syngress.com. The Root is not authoritative for this domain, but it does have a NS record for the .com domain DNS server, and returns the IP address for the .com domain’s DNS server to Constellation. Next, Constellation sends the query for www.syngress .com to the .com domain’s DNS server. The .com domain’s DNS server is not authoritative for syngress.com, but it does have an NS record for Syngress’s DNS server, and sends that IP address to Constellation. Armed with this information, Constellation sends the query for www.syngress.com to the syngress.com DNS server. The syngress.com DNS server is authoritative for the zone, and it contains an address record for a host named www. The IP address for www.syngress.com is sent to Constellation. Constellation then sends this IP address to Exeter, and recursion is complete! As you can see just in this single query, Constellation learns quite a bit about the DNS namespace while it is resolving the recursive query for Exeter. It has learned the IP addresses for the DNS servers .com domain and syngress.com domain. This information will be kept in cache for the amount of time configured in the DNS server console. Even a mediumsized organization will benefit from this caching at the DNS server, and will decrease the number of times the DNS server will have to reach out to the Internet in order to resolve host names to IP addresses.

UNC Paths and DNS Queries When you communicate with another machine using a NetBIOS application, you target the destination computer using a UNC (Universal Naming Convention) path such as \\servername\sharename. For example, the “net view” command is a NetBIOS application that allows you to view visible shares on another machine on the network. The Windows 2000 NetBIOS resolver will recognize any computer name that has 15 characters or less and no periods as a NetBIOS name, and will send the computer name through the NetBIOS name resolution sequence. If you use a NetBIOS program and enter a computer name that is longer than 15 characters, or if the computer name contains a “dot” (you can use periods in NetBIOS names legally), name resolution will be sent through the host name resolution sequence.

Connecting over the Internet via UNC For example, let’s say that you want to connect to a share via a UNC path over the Internet. You could type in the UNC path using the computer’s NetBIOS name, such as \\constellation\stuff, but that won’t work if you’re connected to the Internet through a regular dial-up via your ISP.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 336

336 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

There is no mechanism for resolving NetBIOS names on the Internet. However, Constellation is a member of tacteam.net. If you type in \\constellation.tacteam.net\stuff, the computer name will be sent through the host name resolution sequence rather than the NetBIOS name resolution sequence. This is a reminder to disable the server service on Internet connection interfaces.

WARNING If you use periods in your NetBIOS names, those computers will not be able to have the same host names as their NetBIOS names. This is because the period is used as a separator between labels in the FQDN. If you try to enter a host name with a period in the DNS management console, you will find that it won’t be accepted. You thus create a schism between your NetBIOS name and host name conventions.

Qualified versus Unqualified Names What happens when someone types in a URL that is not fully qualified? For example, if users are accustomed to connecting to a departmental Web server by typing http://marketing, how does the DNS Client Service formulate the query to send to the client’s Preferred DNS server? The answer lies in how you configure the Advanced TCP/IP settings in the Network Properties dialog box. Figure 7.6 shows the Advanced TCP/IP Settings properties sheet. By default, if an unqualified request is made, the DNS Client Service will append the primary and connection-specific domain names to the request. If the user’s computer belongs to tacteam.net, and the request was made for marketing, then the DNS Client Service would send a request to the DNS server for marketing.tacteam.net. If you enter another domain suffix in the “DNS suffix for this connection,” a request will be sent for that domain as well. For example, if the query for marketing.tacteam.net was not successful, and a connectionspecific suffix of shinder.net was entered, then another query would be sent, this time for marketing.shinder.net.

NOTE Each network interface card (NIC) in a Windows 2000 machine can be affiliated with its own domain. What is the primary DNS suffix? This is what you see when you rightclick My Computer on the desktop, click Properties, and click the Network Identification tab. To the right of “Domain:” is the primary DNS suffix, as seen in Figure 7.7.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 337

Troubleshooting Windows 2000 DNS Problems • Chapter 7 337

Figure 7.6 The DNS tab of the Advanced TCP/IP Settings properties sheet.

Note the check mark next to “Append parent suffixes of the primary DNS suffix” in Figure 7.6. This will allow the DNS Client Service to append parent suffixes to a DNS query if the primary query fails. What does that mean? For example, let’s say that you’re working at a computer named Excimer, which is a member of the dev.microsoft.com domain. You enter an unqualified name into the Web browser, such as http://accounting. The first query will be for accouting.dev.microsoft.com. If there is no host record for that machine, the DNS Client Service will devolve the query. Pretty good word, eh? When the query is devolved, the leftmost Figure 7.7 The primary DNS suffix appears in the System Properties dialog box.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 338

338 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

portion of the domain name is removed, and the query is resubmitted for accounting.microsoft.com. If there is no host record for accounting in the microsoft.com domain, it will not be further devolved; that is, no query will be sent to resolve accounting.com.

Appending DNS Suffixes There may be occasions when you want to specifically control which DNS suffixes you want to append to unqualified requests. In this case, you select the option “Append these DNS suffixes (in order),” click ADD, and type in the domain names you want appended to unqualified requests. When would you want to do this? You might want add your own customized list of domain suffixes when you have WINS clients that are not registered in the Dynamic DNS (DDNS). If you are managing your Windows 2000 DNS entirely via DDNS, and you are not using a Windows 2000 DHCP server to act as an intermediary between your downlevel clients and the DDNS server, you might want to enable WINS lookups on your DNS servers to resolve WINS clients’ IP addresses via unqualified DNS queries.

Host Name Resolution via WINS Lookups Like the DNS server included with Windows NT 4.0, the Windows 2000 DNS server is able to resolve host names by referring to a WINS server. The DNS server can be configured to look up host names by opening up the DNS management console, and then right-clicking the zone that you want to use WINS lookups. After right-clicking the zone, click Properties, and click the WINS tab. You should see the dialog box shown in Figure 7.8. When a DNS query is made for a host name that is not included in the destination machine’s zone, it will check its cache, and then complete recursion by issuing iterative queries if the client requested recursion. If the DNS server does not receive a positive reply, it can query a WINS server for the IP address of the destination host. The DNS server strips off all characters to the right of the period, and sends the host name portion of the FQDN to the WINS server for name resolution. The DNS server will forward the result, either positive or negative, to the DNS hosts after querying the WINS server.

Multiple DNS Zones and WINs When an organization has multiple zones, and WINS clients on the network that are not registered with DNS, you need to be mindful of which zones are WINS-enabled. This is because WINS lookups can lead to false information regarding the domain membership of these NetBIOS clients. For example, imagine that we have two zones: dev.tacteam.net sales.tacteam.net

91_tcpip_07.qx

2/25/00

11:08 AM

Page 339

Troubleshooting Windows 2000 DNS Problems • Chapter 7 339

Figure 7.8 The WINS tab in the DNS zone Properties dialog box.

Both of these are WINS-enabled. When an unqualified query is sent from a machine belonging to the dev.tacteam.net zone, its domain suffix will be attached to the query. If the dev.tacteam.net zone does not contain an entry for the destination host, and ends up searching the WINS database successfully, it will return the result with the dev.tacteam.net domain suffix appended. The same will happen when a query is issued from the sales.tacteam.net host. So, now we have two successfully resolved DNS queries, which resolve to the same IP address, but different domains. This can pose problems for security and network diagnostic and inventory software. We will see later, when discussing zones, how we can avoid confusion related to WINS lookups by creating special WINS lookup zones.

Naming Conventions and Issues Requests for Comments (RFCs) 952 and 1123 describe the naming conventions for Internet host names. According to these standards, names were limited to upper and lowercase letters (A–Z and a–z), numbers 0–9, and the hyphen (-). The DNS server specifications defined in RFC 1035 maintained the name standards defined in the earlier RFCs.

Windows 2000 Support for RFC 2181 The Windows 2000 DNS server supports name specifications in RFC 2181, which essentially states that any binary string can be included in a

91_tcpip_07.qx

2/25/00

11:08 AM

Page 340

340 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

DNS name. The Windows 2000 DNS server supports a superset of the ASCII character set known as UTF-8. The UTF-8 character set supports the alphabets of all known languages, and therefore allows for true internationalization of the Domain Name System. This is good news to those who included unconventional characters in the NetBIOS names of the downlevel clients they now seek to upgrade to Windows 2000.

The Controversial Underscore Character Perhaps the most glaring issue is the use of the underscore in the NetBIOS names of downlevel clients; for example, DAL_TX_001 and My_Server.

NOTE The underscore is a completely legitimate character in the NetBIOS naming scheme.

If you decide to upgrade these computers, you can continue to use the underscore in the machines’ host names on Windows 2000 networks. The rub is that these machines, for the most part, will be limited to the DNS structure of the Windows 2000 network, since most third-party DNS servers (such as UNIX DNS servers) do not use the RTF-8 format, and will not recognize host records for machines with the extended character set. In fact, if you are interested in interoperability, you should avoid the UTF-8 characters, and stick with the traditional host naming schemes described in the earlier RFCs.

TIP If you do decide to use the extended character set in your host names, be aware that the characters in the name will not comprise 1 byte each, as does the ASCII character set. You will need to be mindful of the number of bytes used by each label, and the total number of bytes used in the entire FQDN, so that they do not exceed the 63 and 255 octet limits, respectively.

Integrity Check The DNS server is able to check the integrity of the names included in the DNS database, and does check them when the zone is loaded. Depending

91_tcpip_07.qx

2/25/00

11:08 AM

Page 341

Troubleshooting Windows 2000 DNS Problems • Chapter 7 341

on how you configure name checking, names will be accepted or invalid. Figure 7.9 show the Advanced tab of the DNS server Properties sheet. You can get there by opening the DNS management console, right-clicking on the DNS server name, clicking Properties, and selecting the Advanced tab. Figure 7.9 The Advanced tab of the DNS server Properties dialog box.

In the “Name checking” drop-down list box, you have three choices: ■ ■ ■

Strict RFC (ANSI) All Names Multibyte (UTF8)

The default is Multibyte character checking.

NOTE You might see references stating otherwise in the documentation, but Multibyte is the default, to allow the greatest tolerance when DNS is loading the zone and checking characters.

If you choose one of the other modes, the DNS server will load names from the zone file that contain either valid ANSI or ASCII characters, but

91_tcpip_07.qx

2/25/00

11:08 AM

Page 342

342 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

will not recognize characters from the Unicode set provided by UTF-8 as valid characters. This doesn’t pose too much of a problem unless you’ve selected “Fail on load if bad zone data.”

WARNING If “Fail on load if bad zone data” is selected and you choose a mode other than Multibyte, the zone will not load and the server will not be able to answer queries for the zone until the error condition is addressed.

Extended Character Set and Zone Transfers Another issue regarding zones that contain names using the extended character set involves zone transfers. If the Windows 2000 DNS server attempts to transfer zone information to another DNS server that does not recognize the extended character set, the zone transfer may fail. Again, use extended characters only when you know that all machines will be using Windows 2000 and that all WinSock applications are able to accommodate the use of the extended character set when URLs are entered for resource locations.

Lowercase Only Although the RFC domain naming specification allows for both upper and lowercase naming, the Windows 2000 DNS server will respect only lowercase domain names. This is done for compatibility reasons, and the server will lowercase names regardless of what character set is used

Domain Naming Schemes and Implementation Problems When designing a domain naming scheme for your organization, you will have to decide whether your company is going to have an Internet presence or not. This might be considered a rhetorical question, since today just about all but the smallest companies do or plan to maintain an Internet presence. If you do have an Internet presence, you will need to decide whether you are going to use the same domain name for your intranet and your Internet resources, or different domain names. Both arrangements have their own advantages and disadvantages. Let’s look at the first situation, where you have the same domain name used for intranet and Internet resources.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 343

Troubleshooting Windows 2000 DNS Problems • Chapter 7 343

Same Intranet and Internet Domain Name If your organization decides to use the same domain name for intranet and Internet resource assignments, you’ll have some special issues to deal with. For example, imagine that we have registered the domain name tacteam.net. We already have an Internet presence using that name, and our employees are familiar with accessing Internet resources using the tacteam.net domain. We didn’t use DNS naming much before, because our NT 4.0 network was doing fine using NetBIOS names only. Now we want to upgrade to Windows 2000 and require that each computer on the intranet has an FQDN. No problem. We assign our internal Web server, mail server, and news server the names www.tacteam.net, mail.tacteam.net, and news.tacteam.net, respectively. We also run a Web, mail, and news server for our channel partners, so we name them www.tacteam.net, news.tacteam.net, and mail.tacteam.net, respectively. Oops. Looks like we have a problem here. Our employees want and need access to the material available on the internal Web server, which contains proprietary information. They also need access to information contained on the Internet-available Web server. We could change the name of the internal server, but we have 17,500 employees who use the computer, and they are very accustomed to accessing the Web servers by typing www.tacteam.net. The same is true for our other servers. The internal network is using private IP addresses and connects to the Internet via a proxy server. Proxy servers are configured to recognize internal and external IP addresses. Any request for an external IP address is sent to the proxy server. Local access can be done directly. How do we configure DNS for both internal and Internet resources?

Solution: Separate DNS Zone Databases One solution to this problem is to maintain two distinct DNS zone databases. One is kept and maintained on the intranet DNS server, and the other is maintained on the Internet DNS server. The intranet DNS server contains resource records for internal hosts only. The Internet DNS server will contain resource records for Internet-available resources. In this way, we protect our internal network’s DNS database. Even though we are using a firewall and a proxy server, a list of our servers and their IP addresses could be very useful for some uninvited guest who might come to “visit” sometime. To make this work, we must “mirror” the contents of the Internet resources internally. This takes a lot of extra work, because you must mirror the newsgroups, Web resources, and perhaps the mail servers internally.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 344

344 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

But it does solve the problem. When an internal user connects to news.tacteam.net, a DNS query is sent to the internal DNS server, and is resolved to the IP address of the internal news server. A user connecting to news.tacteam.net via the Internet contacts the DNS server outside the firewall, and receives the IP address of the Internet-located news server. At no time do your internal resources become threatened or touched by Internet users. Figure 7.10 displays a simplified network layout of this configuration. Note the two DNS servers, one internal and one external. Each of the DNS servers will have different zone databases, and they most definitely will not participate in zone transfer with each other. This is the most common scenario you’ll encounter because most organizations already have a domain name and are wary of change. However, if you are blessed enough to be working with a new network installation, or an unusually flexible company, the second approach is a lot easier, and more flexible. Figure 7.10 Network layout with same internal and external domain name.

Internal Proxy/DNS is located in DMZ internal to the firewall. 'Net Web

Proxy/DNS

Firewall

TACTEAM.NET

'Net Mail

'Net News/DNS TACTEAM.NET Internal Web

Internal Mail

Internal News

External Servers External to the Firewall are directly exposed.

Internet

91_tcpip_07.qx

2/25/00

11:08 AM

Page 345

Troubleshooting Windows 2000 DNS Problems • Chapter 7 345

Different Intranet and Internet Domain Names The best way to go is with different domain names representing your intranet and Internet resources. In this case, we could have two domain names, taccorp.net and tacteam.net. The former is used for internal resources, and the latter for Internet resources. The internal servers would be www.taccorp.net, mail.taccorp.net, and news.taccorp.net. The Internet servers would be www.tacteam.net, news.tacteam.net, and mail.tacteam.net. The DNS server on the intranet is authoritative for the taccorp.net zone so that all DNS requests for internal resources can be answered by the intranet DNS server. All DNS queries for Internet resources are answered by the external DNS server, which is authoritative for the tacteam.net zone.

Advantages of Using Different Internal and External Domain Names While each zone still has to be maintained separately, with this solution you don’t have to keep track of two different IP addresses for servers with the same name. You also won’t have to duplicate external resources on internal servers, since the internal clients can access the Internet servers via the proxy through the firewall, as they would contact any other server on the Internet (See Figure 7.11).

Proxy Configuration The proxy server should be configured to use an internal DNS server that is configured as a slave server. The slave will send the DNS request to its forwarder for Internet host name resolution. The firewall should be configured to allow DNS queries and responses via UDP and TCP Port 53. Normally, DNS queries and responses use UDP Port 53, but if the response won’t fit into a single UDP segment (i.e., the response has been “truncated”), then the DNS server will “fall back” to TCP to accommodate the message.

Corporate Mergers and Domain Management If you read the business section of your local newspapers regularly, you are aware that corporate mergers are a frequent phenomenon. Merging companies are likely to each have its own network, and someone has the job of making them work together as a new integrated intranet. Let’s look at an example that builds on what we’ve done so far to see how we handle the integration of two networks that have both an Internet presence and corporate intranets.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 346

346 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.11 Different internal and external domain names.

Internal Proxy/DNS is located in DMZ internal to the firewall. Resolve internal - forwards external requests 'Net Web

Proxy/DNS

Firewall

TACCORP.NET

'Net Mail

Internet

'Net News/DNS TACTEAM.NET Internal Web

Internal Mail

Internal News

External External DNS Server Resolves Internet ResourcesActs as forwarder for internal DNS

The Problem: Corporate Merger The first company is TACteam, the one that we’ve been working with in the previous sections. TACteam uses different domain names to identify its intranet versus Internet resources. TACteam’s intranet resources use private IP addresses and access Internet resources via a proxy server. The internal domain is taccorp.net, and the Internet domain is tacteam.net. TACteam has merged with Shinder, Inc. Shinder, Inc. maintains a single domain name for both internal and Internet resources. They mirror their Internet resources on their intranet, and maintain separate and distinct shinder.net zones for their intranet and Internet DNS servers. The shinder.net DNS administrators keep track of the different IP addresses for machines with the same name between the intranet and the Internet. Shinder.net is an old company and has been connected to the Internet for several years; therefore, they are using public IP addresses for their

91_tcpip_07.qx

2/25/00

11:08 AM

Page 347

Troubleshooting Windows 2000 DNS Problems • Chapter 7 347

internal network. They do not use a proxy server, but do use a firewall to protect the intranet from Internet intruders. Your job is to redesign the network so that all users from both domains will be able to access both the internal and Internet resources of both companies. The long-term goal is to migrate the shinder.net resources over to tacteam.net and taccorp.net. but long experience dictates that this is going to take a long time. You need to get the two networks interacting as soon as possible.

Proposed Solution Starting at TACteam, you would configure the proxy server to include the public network IDs that are in use at shinder.net so that they are recognized as internal resources. By configuring them as internal addresses, you ensure that DNS requests for these resources will be referred to internal DNS servers at taccorp.net, and not sent to the proxy server for resolution. On the taccorp.net internal DNS server, create a delegation for shinder.net and include a host A resource record for the internal DNS server at shinder.net.

NOTE DNS zone delegation is a way of distributing the responsibility of name resolution to other servers.

When a DNS query arrives at the taccorp.net DNS server for a resource at shinder.net, it will now be referred to the intranet DNS server at shinder.net based on the information included in the delegation record. Since shinder.net is an internal resource, it won’t be going through the proxy server. We do have a problem: How are we are going to get the taccorp.net machines, which use private IP addresses, to communicate with the shinder.net machines that are using public IP addresses? We can completely wall off the intercompany link from the Internet using dedicated leased lines, but that is a very expensive proposition. A much more cost-effective solution is to create a Virtual Private Network (VPN) over the Internet to connect the two companies. We would then install a VPN server at the taccorp.net site and configure the VPN server to use Network Address Translation (NAT). We then configure our routers to direct all traffic destined for the shinder.net network IDs to our VPN server, which will itself route traffic to shinder.net to use the VPN connection. The VPN connection will terminate at the VPN

91_tcpip_07.qx

2/25/00

11:08 AM

Page 348

348 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

server at shinder.net. Since both taccorp.net and shinder.net lie behind firewalls, the firewalls will be configured to pass VPN traffic to and from both companies. Over on the shinder.net side, we configure their intranet DNS server with a delegation for taccorp.net and the IP address of the taccorp.net DNS server. Then, we configure the routers at shinder.net to direct traffic destined for the taccorp.net network IDs to be sent to the VPN server on the shinder.net side. NAT is not required on the shinder.net side and is handled on the other side’s VPN. (See Figure 7.12.)

Testing the Solution Let’s see what happens when some DNS queries are issued.

Scenario 1 A client on the taccorp.net domain wants to access the Web server for the shinder.net domain. A DNS query is issued to the taccorp.net internal DNS server, which contains a referral for the shinder.net domain. The taccorp.net DNS server queries the shinder.net DNS server through the VPN for the IP address of www.shinder.net and receives a reply, which is sent to the DNS client in the taccorp.com. The taccorp.net client then connects to the shinder.net internal Web servers at www.shinder.net via the VPN because the IP address is recognized as internal.

Scenario 2 A DNS client on the shinder.net side wishes to connect to the Internet Web server for tacteam.net. A DNS query is sent to the shinder.net internal DNS server. The shinder.net internal DNS server is not authoritative for the tacteam.net domain, and forwards the request to the external shinder.net DNS server. The external shinder.net DNS is not authoritative, and therefore will complete recursion by issuing iterative requests until the host name is resolved. Once the IP address is received, the external DNS server returns it to the internal DNS server, which in turn returns it to the DNS client on the shinder.net side. The shinder.net DNS client then connects to the tacteam.net via the Internet connection that is not the VPN connection, since tacteam.net is dedicated to Internet resources only. This is only one possible way you could solve this problem, but it does give you the general idea of what the potential problems are, and some ways you can address them.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 349

Troubleshooting Windows 2000 DNS Problems • Chapter 7 349

Figure 7.12 The joys of corporate mergers.

Web Server

Proxy/DNS

Mail Server

News Server

VPN Web Mail Internet News/DNS

Proxy/DNS

VPN

Web

Mail Web Server

Mail Server

News Server News/DNS

91_tcpip_07.qx

2/25/00

11:08 AM

Page 350

350 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

DNS Zone Design and Troubleshooting DNS domains are conceptual entities. They exist in a conceptual framework we know as the Domain Name System, but the actual resource records, such as the IP address to host name mappings, are contained within a “physical” file known as a zone file. A single zone can contain multiple contiguous domains. For example, a single zone can contain microsoft.com, dev.microsoft.com, and west.dev.microsoft.com. These domains are contiguous, meaning they lie next to each other. You could not include msn.com in the same zone, because it is not contiguous with the other domains. Figure 7.13 shows this domain arrangement. Figure 7.13 Example of contiguous and noncontiguous domains.

Root DNS

.com DNS

.net DNS

msn.com zone

microsoft.com zone

west DNS

microsoft DNS

msn DNS

dev DNS

mail

Microsoft Domains are not contiguous with the MSN domains

Zone planning and configuration are especially important when we work with standard DNS zones rather than Active Directory integrated zones. We will talk more about Active Directory integrated zones later, but be aware that the situation we discuss here is a little different with the introduction of the Active Directory integration. The actual management of domain resources is done via adding and updating records in a DNS zone database. This database is created when

91_tcpip_07.qx

2/25/00

11:08 AM

Page 351

Troubleshooting Windows 2000 DNS Problems • Chapter 7 351

you make a new zone in the Windows 2000 DNS server. Creating a new zone is easy with the Windows 2000 DNS server because a wizard guides you through the process. There’s not much of a chance of making a mistake when you use the wizard. The zone database file is a text file that is located at: %systemroot%\system32\dns\.dns

An example of the contents of the zone file appears in Figure 7.14. Figure 7.14 Example zone database file for blah.com.

The zone database file is compatible with BIND (Berkeley Internet Name Domain) zone database files used by many UNIX-based DNS servers. In fact, you can use the DNS management console or directly edit the zone file to manage your DNS zones.

TIP We highly recommend that you use the DNS management console to avoid problems related to “clumsy fingers.”

A zone is named by the topmost domain represented in a particular zone file. For example, if our zone contains the microsoft.com and the

91_tcpip_07.qx

2/25/00

11:08 AM

Page 352

352 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

dev.microsoft.com domains, then the name of the zone is the microsoft.com zone, since microsoft.com is the topmost member of the zone. If we had another zone that consisted of marketing.microsoft.com and west.marketing.microsoft.com, the name of the zone would be the marketing.microsoft.com zone, because marketing.microsoft.com is the topmost member of the zone.

Standard Zones Standard zones are categorized as either Primary or Secondary. When you first create a new zone in the Windows 2000 DNS management console, you will be configuring a Primary zone.

NOTE A Primary zone is the only read/write copy of the zone database. Because there is only one read/write copy of the zone database file, the Primary zone DNS server becomes a single point of failure if updates need to be made to the zone database.

DNS was designed to have at least two DNS servers configured for each zone. This is for fault tolerance reasons. When a copy of a zone is maintained on another DNS server, that server is known as a Secondary DNS server. The Secondary DNS server houses a read-only copy of the zone database file. You cannot directly edit the copy of the zone database file on a Secondary DNS server. You can easily create a new zone by using the New Zone Wizard included with the Windows 2000 DNS server. After installing the DNS service on your computer, open the DNS management console. Right-click on the name of your server, and select New Zone, as seen in Figure 7.15. Just answer the wizard’s questions, and you’ve got yourself a new zone. Zones are populated with resource records. There are a number of different resource record types. The most common resource record is the host, or A, record. This host record supplies the host name and IP address mapping for a computer within the zone. To add a new host, right-click on your new zone, select New Host, and then enter the host name and the IP address as shown in Figure 7.16. Other common resource record types you will encounter include the NS (name server), MX (Mail Exchanger), and CNAME (canonical name) records. The NS record is used to define the host names of the servers that are authoritative for a zone. This can be a Primary or Secondary DNS server

91_tcpip_07.qx

2/25/00

11:08 AM

Page 353

Troubleshooting Windows 2000 DNS Problems • Chapter 7 353

Figure 7.15 Creating a new zone in the DNS management console.

for the zone. The NS record informs machines that send DNS queries to the DNS server that “I know what is true regarding this zone, and the buck stops here.” Figure 7.17 shows the Name Servers tab that appears in the domain’s Properties sheet. You can find this by right-clicking the name of one of your domains, selecting Properties, and then clicking the Name Servers tab. You can add the name and IP address of another DNS server that will be authoritative for the domain by clicking ADD. Be sure that you’ve configured the machine that you’re adding here as a Secondary DNS server for the zone, so that it can act as an authority for the zone. Did you notice that ADD is grayed out in Figure 7.17? That is because we took this screen shot from a machine that is a Secondary for the tacteam.net zone.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 354

354 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.16 Adding a New Host Address record in the newly created domain.

TIP You can only define NS records for Secondary name servers on the Primary DNS server for the zone.

The MX record is used to identify the name of the server that is the intended destination for e-mail for a given zone. For example, mail sent to anyone for tacteam.net, such as [email protected], would be send to the server identified in DNS with an MX record. Figure 7.18 show the New Resource Record MX dialog box. Note that the “Host or domain” text box is empty. This record defines a Mail Exchanger for the tacteam.net domain, and this record is being created in the tacteam.net domain. By leaving this text box empty, it will identify this record as applying to the parent domain, which is listed at the top of the dialog box.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 355

Troubleshooting Windows 2000 DNS Problems • Chapter 7 355

Figure 7.17 The Name Servers tab in the domain Properties sheet.

Enter the name of the mail server that will handle the mail, and then the “Mail server priority.” This is a number from 0 to 65535 that is used to determine an order of “priority” if there are multiple MX records for the domain.

TIP Lower numbers have priority over higher numbers. If two MX records for the same domain have the same priority number, one will be chosen at random. Mail is routed to the machine with the highest priority (lowest priority number). If the machine doesn’t respond, the next highest priority machine is sent the mail.

Notice that we enter the FQDN in the “Mail server” text box. There must be a host record for that machine in order for the MX record to properly route the mail to the destination Mail Exchanger. The CNAME record allows you to create aliases for computers that already have host records in the DNS database. The most common use of the CNAME record is to allow you to use “standard” names for servers offering services on the Internet or intranet. Servers are often named

91_tcpip_07.qx

2/25/00

11:08 AM

Page 356

356 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.18 The New Resource Record MX dialog box.

based on the services they provide, such as “ftp,” “www,” and “mail” for an FTP server, Web server, and Mail server, respectively. Figure 7.19 shows the add CNAME record Properties sheet. In this example, EXETER is a machine on the tacteam.net network. We really don’t want our users to have to remember the host names of all the machines on the network, so we can create a CNAME record for each machine based on the type of service it provides. When a DNS client issues a query for mail.tacteam.net, it will be connected to EXETER. An nslookup reveals the following: C:\>nslookup -ds mail.tacteam.net. —————— Got answer: HEADER: opcode = QUERY, id = 1, rcode = NOERROR header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0 QUESTIONS: 185.1.168.192.in-addr.arpa, type = PTR, class = IN ANSWERS: -> 185.1.168.192.in-addr.arpa name = constellation.tacteam.net

91_tcpip_07.qx

2/25/00

11:08 AM

Page 357

Troubleshooting Windows 2000 DNS Problems • Chapter 7 357 ttl = 3600 (1 hour) —————— Server: constellation.tacteam.net Address: 192.168.1.185 —————— Got answer: HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, auth. answer, want recursion, recursion avail. questions = 1, answers = 2, authority records = 0, additional = 0 QUESTIONS: mail.tacteam.net, type = A, class = IN ANSWERS: -> mail.tacteam.net canonical name = exeter.tacteam.net ttl = 3600 (1 hour) -> exeter.tacteam.net internet address = 192.168.1.186 ttl = 1200 (20 mins) —————— Name: exeter.tacteam.net Address: 192.168.1.186 Aliases: mail.tacteam.net

The nslookup confirms that mail.tacteam.net is indeed EXETER. You can confirm that the alias is functional by pinging the host by its CNAME alias. Be very careful when you enter the “Fully qualified name for target host” in the provided text box. If you include a period at the end of the FQDN to truly fully qualify the record, it will not work. Try it both ways to confirm that this is true.

TIP Ever wonder why they call it a canonical record? Here are some definitions that will explain things: Canonical: Music. Having the form of a canon. Canon: Music. A composition or passage in which the same melody is repeated by one or more voices, overlapping in time in the same or a related key. So, a CNAME record allows multiple host names to “sing” for the same computer!

91_tcpip_07.qx

2/25/00

11:08 AM

Page 358

358 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.19 The add CNAME record Properties sheet.

Zone Transfer How does the information contained in the zone database file on the Primary DNS server find its way to its Secondary DNS servers? This sharing of information is done via a mechanism know as a zone transfer (see Figure 7.20). For standard zones, this is merely copying the zone database resource records from the Primary DNS server to its designated Secondaries.

NOTE A vocabulary lesson is in order here. The Primary DNS server that is transferring the zone database to its Secondary is typically referred to as a “Master” server. The other side of the Master—that is, the machine receiving the zone database entries—is sometimes referred to as a “slave” server, a Secondary, or the DNS server receiving a copy of the zone entries. We prefer to stay away from using the term slave, since “slave DNS server” has a very specific meaning, and its not related to zone transfer. Just keep this in mind when you’re reading various references about zone transfers.

Be aware that a Secondary DNS server can be a Master DNS server to another Secondary DNS server. Confusing, huh? Here’s how it works: A

91_tcpip_07.qx

2/25/00

11:08 AM

Page 359

Troubleshooting Windows 2000 DNS Problems • Chapter 7 359

Secondary DNS server has a copy of a zone database that it received from a Primary DNS server. This Secondary DNS server can transfer the readonly copy that it has to another Secondary DNS server, in which case it becomes a Secondary Master. Also, a Primary DNS server for one zone, such as shinder.net, can become a secondary server DNS server for another zone, such as microsoft.com. Try this: Configure your DNS server at home as a Primary DNS server for your local domain. Then connect to your ISP in the usual way, and see if you can become a Secondary to your ISP’s DNS server (of course, you won’t really be a Secondary because there is no NS record for your computer, although you could make one on your server if you wish). You now have a read-only copy of your ISP’s publicly available DNS records, and your DNS server is both a Primary and a Secondary DNS server. Figure 7.20 Zone transfers between Primary and Secondary DNS servers.

dns1.shinder.net becomes a master DNS server as it transfers the shinder.net zone to the Primary DNS server for the tacteam.net zone, dns.tacteam.net

dns.shinder.net is Primary for shinder.net. Zone transfer takes place between shinder.net Primary (master) and dns1.shinder.net which is Secondary for the shinder.net zone

dns1.shinder.net

dns.shinder.net

Zone Transfer dns.tacteam.net

In this example, the shinder.net zone Primary DNS server is the master server during a zone transfer to its Secondary, dns1.shinder.net. When the shinder.net zone is transferred to the tacteam.net Primary, dns.shinder.netbecomes a master server. This displays how Secondary DNS servers become master servers, and how Primary's can become "slaves"

91_tcpip_07.qx

2/25/00

11:08 AM

Page 360

360 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Several things can trigger a zone transfer from a Primary DNS to a Secondary, including: ■ ■ ■

The refresh interval has expired. The Secondary server has booted up. The Primary DNS server is configured to notify Secondaries when changes take place.

Refresh Interval The refresh interval is the period the Secondary DNS server waits between requests for a zone transfer from the Primary. This value is part of the Start of Authority (SOA) resource record, which is the first record created for a new domain. You can view the values contained in the SOA record for a domain by double-clicking the SOA record in the domain. You will see a dialog box similar to the one in Figure 7.21. Figure 7.21 The Start of Authority record for the tacteam.net domain.

By default, the refresh interval is 15 minutes. If the Primary server does not respond when the Secondary tries to contact it, it will try again based on the value in the “Retry interval” text box. If the Secondary is not able to contact the Primary at all for the period of time defined in the “Expires after” text box, the Secondary will no longer respond to queries for that domain.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 361

Troubleshooting Windows 2000 DNS Problems • Chapter 7 361

Once the Secondary is able to contact the Primary again, it will start to answer queries again for the domain. This is to ensure that invalid and outdated information isn’t passed to DNS clients making queries for that zone.

DNS Notify A Windows 2000 DNS server supports DNS Notify, which allows the Primary DNS server to initiate the zone transfer, rather than the Secondary. In a sense, this is a “push” mechanism for zone transfer. This is a very handy feature to ensure that your servers have an up-to-date copy of the zone information contained on the Primary DNS server. Each time a change is made to the zone database, the Primary will either contact all its Secondary DNS servers, as they are defined on the Name Servers tab, or you can create a customized list of servers to which the updates will be sent. Figure 7.22 shows the Zone Transfers tab on the taccorp.net domain Properties sheet. The Notify dialog box appears after you click NOTIFY on the Zone Transfers tab. Figure 7.22 The Zone Transfers tab and the Notify dialog box.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 362

362 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Request for Information Query When a Secondary DNS server requests a zone transfer, either from initiating the request itself, or after having been “reminded” to make the request after a notify message, it will issue a query for the SOA record on the Primary DNS server. The Secondary DNS server will examine the “serial number” on the Primary DNS server’s SOA record. If the serial number on the Primary is higher than the one on its own SOA record for the zone, it will request, via another query, transfer of zone database information. This request for information query can be either a request for the entire zone database file, or for just those records that have changed since the last time it received a zone transfer. The AXFR query transfers the entire zone database file, and is the only type of transfer mechanism available to downlevel DNS servers, such as Windows NT 4.0. Windows 2000 DNS servers support the IXFR query, where only the records that have changed are sent to the Secondary DNS server. The IXFR query is clearly less bandwidth intensive than the AXFR query.

Fast Transfer Another mechanism that Windows 2000 uses to lessen bandwidth requirements of zone transfers is to use a “compressed” form of resource record transfer sometimes known as a fast transfer.

WARNING If you use BIND DNS servers version 4.x or lower, they will not be able to accept fast transfers, and the zone transfer will fail. If you have problems with zone transfers to BIND Secondaries, you can disable fast transfers.

Be aware that this is a feature that applies to all zones configured on a single server, and suppression of fast transfers cannot be done on a granular basis. Figure 7.23 shows the Advanced tab on the DNS server’s Properties sheet. You can get there by right-clicking the server name itself in the DNS management console, and clicking Properties. Your primary problems related to zone transfers when you implement your Windows 2000 DNS solution will usually be related to compatibility issues with downlevel (all other) DNS servers. Keep this in mind when troubleshooting zone transfer difficulties.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 363

Troubleshooting Windows 2000 DNS Problems • Chapter 7 363

Figure 7.23 The Advanced tab on the DNS server’s Properties sheet.

Reverse Lookup Zones The type of queries we’ve been dealing with up to this point are often referred to as forward lookups. A forward lookup is when you send the name of the destination host in order to obtain the IP address associated with that name. The opposite is known as a reverse lookup. When you do a reverse lookup, you already know the IP address, and you want to obtain the host name associated with that IP address. Reverse lookups are not something that can be easily accomplished using forward lookup zones. Think of forward lookup zones as something similar to a phone book. A phone book is indexed using people’s last names. If you want to find a telephone number quickly, you just go to the letter of the alphabet for the last name, and then go down the alphabetical list until you find the name. The phone number is right next to the person’s name. What if we already knew the phone number, and wanted to find out whose name goes with that phone number? Since the phone book is indexed using names, our only alternative would be to look at every phone number in the book and hope to be lucky and find that it’s one in the front of the book (assuming that we start looking in the front first).

91_tcpip_07.qx

2/25/00

11:08 AM

Page 364

364 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

This clearly isn’t a very efficient method to search the IP address namespace. At one time, inverse lookups were used to trawl the IP addresses namespace, but these were very limited because they searched forward lookup zones. As we have seen, that is very time consuming and inefficient.

The in-addr.arpa Domain To solve the problem, a new domain was created, the in-addr.arpa domain. The in-addr.arpa domain indexes host names based on IP addresses, and makes reverse lookups much more efficient and speedy. You can create reverse lookup zones easily using the Windows 2000 DNS management console. Just right-click your computer name in the console, and select New Zone. That will start the New Zone Wizard that walks you through the process of creating new zones, either forward or reverse lookup. The wizard will ask what type of zone you want to create, and you will select Reverse Lookup Zone rather than forward. The wizard will ask for the network ID and automatically create a zone database file based on your answers. Note the construction of the reverse lookup zone database file. The name of the file is the network ID in reverse, so if you created a reverse lookup zone for 192.168.1.0, the name of the reverse lookup zone would be 1.168.192.in-addr.arpa. This is because queries are examined and executed from right to left, just as they are with forward lookup zones.

Pointer Records A pointer record (PTR) is created for each computer included in the reverse lookup zone. The pointer record can be created when a new host record is entered, or you can create one separately.

TIP Our experience is that the PTR records are not always created when entering a new host address, so you will want to check the PTR records for all hosts you create on the DNS server. One problem that we’ve run into is that the dynamic update information sent to the DNS server doesn’t always update the PTR record reliably. Therefore, if you are having problems with reverse lookups, check to make sure the PTR record is correct.

The following is an example of the contents of a reverse lookup zone database file:

91_tcpip_07.qx

2/25/00

11:08 AM

Page 365

Troubleshooting Windows 2000 DNS Problems • Chapter 7 365 ; ; Database file 1.168.192.in-addr.arpa.dns for 1.168.192.in-addr.arpa zone. ; Zone version: 20 ; @

IN SOA constellation.tacteam.net. tshinder.tacteam.net. ( 20 ; serial number 900 ; refresh 600 ; retry 86400 ; expire 3600 ) ; minimum TTL

; ; Zone NS records ; @ NS constellation.tacteam.net. ; ; WINSR (NBSTAT) lookup record ; @ WINSR L2 C900 (tacteam.net. ) ; ; Zone records ; 1 PTR starfleet.tacteam.net. 9 PTR falcon-nx.tacteam.net. 16 PTR stablazer.tacteam.net. 185 PTR constellation.tacteam.net. 186 PTR exeter.tacteam.net. 19216813 PTR daedalus.tacteam.net. 2 PTR defiant.tacteam.net. 203 PTR NOSTROMO.blah.com. 254 PTR neuro.tacteam.net. 3 PTR daedalus.tacteam.net. 2 PTR defiant.tacteam.net. 55

PTR

neuro.blah.com.

Here’s a very handy tip that will save you a lot of time and grief when you create a new forward lookup zone. You may have noticed that after having created a new forward lookup zone, your nslookup DNS queries either fail or give you timeout error messages. You can fix this quickly by creating a reverse lookup zone for the network ID on which the DNS server is located, and then creating a PTR record for the DNS server itself.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 366

366 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

NOTE Although you are not required to create reverse lookup zones, you might find queries execute faster once you’ve put one in place. If you are running any type of security or IP diagnostic software, reverse lookup zones are a must.

Active Directory Integrated Zones The standard zone file is stored in a dedicated text-based file on the DNS server. Windows 2000 DNS servers allow you the option of “integrating” your zone database files into the Active Directory. There are several advantages to integrating your DNS zones into the Active Directory, including: ■ ■ ■ ■

Taking advantage of the Active Directory Replication Engine Per Property zone transfer mechanism Secure zone transfers and updates Multimaster DNS topology

One of the major design issues and problems you have to deal with relates to where you place your DNS servers. When working with standard DNS zones, you have to consider the optimal placement of both your domain controllers and your DNS servers. When you integrate your DNS zones, they are stored on domain controllers, and you no longer have to plan separate placement and replication topologies for DNS and domain controllers. All DNS servers that use directory integrated zones are Primary DNS servers. This solves the problem wherein the standard Primary DNS zone server is a single point of failure. This is especially important when working with Dynamic DNS update. Standard DNS zones that experience a failure of the Primary DNS server for the zone will not be able to complete dynamic updates, which can lead to disintegration of name services integrity. Therefore, directory integrated DNS zones are multimaster. Each DNS server for a directory integrated zone is a Master DNS server, and replicates its DNS database information to other domain controllers based on your Active Directory replication design.

Common Problems with Integrated DNS Zones You might incur some problems when working with Active Directory integrated DNS zones.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 367

Troubleshooting Windows 2000 DNS Problems • Chapter 7 367

“Loose Consistency” Since every DNS server is a Primary, two different administrators could make changes on the same record. The same machine could have address records pointing to two different IP addresses, or a CNAME record for www could point to two different address records. The zone becomes fractionated at this point, or what Microsoft refers to as “loosely consistent.” The name conflict will resolve itself by accepting the resource record with the most recent timestamp as valid. But until then, you will have some incongruities in your name resolution scheme. The optimal solution is to limit manual updates to the zone to a single administrator. The designated administrator can be located anywhere, because he can open any zone from any location using the DNS management console.

Advantages of Active Directory Integration There are several advantages to integrating the DNS zones with Active Directory.

Reduction of Network Traffic Zone transfer traffic is decreased by using Active Directory integrated zones because the entire record is not replicated during transfer; only the changed properties are sent to other AD integrated zone. If you have large zones, and zone transfer traffic is eating up a significant amount of your bandwidth, consider integrating it with the Active Directory. You do not need to include DNS notify for the Active Directory integrated zones. The DNS server will poll the Active Directory every 15 minutes for changes to the zone.

Enhanced Security Another major advantage of Active Directory enabled zones is improved security. Standard zones allow you to set up a modicum of security by configuring the IP addresses of machines that are allowed to request a zone transfer. Typically, this list includes the machines you have placed in the DNS server list in the zone’s Properties sheet, although you can add other IP addresses if you wish. If you enable the zone to accept dynamic updates, any machine will be allowed to update a host and pointer record in the zone. The Active Directory enabled zone allows for secure dynamic updates. Windows 2000 DNS clients can update their own addresses and pointer records on either a standard Windows 2000 zone or a Directory integrated zone.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 368

368 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

NOTE The resource records are not secure in a standard zone, and any computer claiming a name can update a resource record for a particular DNS client. Active Directory enabled zones employ Kerberos authentication mechanisms to prevent “outlaw” DNS clients from falsely updating a legitimate resource record.

Ownership Disputes With secure DNS zone updates, only the “owner” of the record can update a resource record. This improves overall security, but it can cause some problems you might have to deal with. For example, let’s say that you are using a DHCP server to assign IP addresses to Windows 2000 clients. The default behavior for Windows 2000 DNS clients is to update their own address records and to allow the DHCP server to update the pointer record. The DNS client therefore “owns” the address record, and the DHCP server “owns” the pointer record. Now let’s suppose the DHCP server that you have been using crashes. You have a backup DHCP server, so you might not worry about it too much. However, when the backup DHCP server tries to update the pointer record for the DNS client, it won’t be able to—because it doesn’t own that pointer record! Another situation where you might run into problems is when you are working with downlevel clients. Suppose that you have a Windows NT 4.0 computer that has been receiving its IP addressing information from a Windows 2000 DHCP server. The Windows 2000 DHCP server has been acting as a “proxy” for the downlevel client and has been registering the downlevel DNS client’s address record and pointer record for it. What happens after you upgrade the downlevel client to Windows 2000? The Windows 2000 DNS client is now capable of updating its own DNS information. Unfortunately, when the upgraded client tries to do this, it will not be able to, since the DHCP server that originally registered its address and pointer records owns them. The solution to these problems is to place the DHCP servers into a special group known as the DnsUpdateProxy group. When a DHCP server creates an entry for a machine in DNS that is a member of this group, no security information is attached to the record. For example, let’s say a DHCP server creates an address record and a pointer record for a

91_tcpip_07.qx

2/25/00

11:08 AM

Page 369

Troubleshooting Windows 2000 DNS Problems • Chapter 7 369

machine by the name of daedalus.tacteam.net. Normally, the DHCP server would become the owner of this record, but if the DHCP server is a member of the DnsUpdateProxy group, no one will be registered as the owner of the resource records it records. Now we have another problem: We’ve just eliminated secure dynamic updates for DHCP clients! Any machine can be brought online and claim the name of a machine that has been legitimately registered by a DHCP server. What we really want to do is allow the Windows 2000 DNS client to update both its address and pointer records, and not allow the DCHP server the update the clients’ records.

Domain Controllers in the DnsUpdateProxy Group The most significant issue relating to membership in the DnsUpdateProxy group is that of a domain controller. If the DHCP server is on a domain controller, it will register the domain controller’s information in a nonsecure context. That means that any machine can come around and register itself with the same name as the domain controller in question, and replace the legitimate IP address with a bogus one—all of which represents a tremendous security breech. For this reason, we highly recommend that you not implement DHCP servers on domain controllers.

Zone Delegations Zone Delegations allow you to distribute the responsibility for name resolution to other servers. For example, you are the DNS administrator stationed in Dallas for tacteam.net. A new operation is starting up in San Francisco, and the personnel in San Francisco will be maintaining the zone. You do not want to be responsible for maintaining records for the San Francisco domain, which will be called west.tacteam.net. You do, however, want DNS clients that point to your DNS server in Dallas, constellation.tacteam.net, to be able to resolve host names in the west.tacteam.net domain. Well, here’s how you do it: 1. In Dallas, we go to the DNS server at constellation.tacteam.net and open the DNS management console. (Actually, we could do this from anywhere, as long as we open the host constellation.tacteam.net in the DNS management console.) 2. Right-click the tacteam.net domain, and select New Delegation. 3. When going through the Delegation Wizard, assign the Domain to the delegated DNS server in San Francisco.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 370

370 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

4. In San Francisco, open the DNS server that will be housing the resource records for west.tacteam.net in the management console. Create a New Primary or Directory integrated zone called “west.tacteam.net.” Add resource records.

Troubleshooting Delegation Problems This all seems pretty straightforward, and it is. However, if your delegation doesn’t work, here are some things to check out: 1. Make sure you have configured reverse lookup zones for all network IDs involved on both servers. 2. Make sure there is a host record for the new DNS server on that DNS server. 3. Make sure that there is a pointer record for the new DNS server on both DNS servers. These are the most common reasons for delegation failures.

Learning Zone Delegation Zone delegation has not been traditionally included in Microsoft’s networking training and documentation, and it is certainly not an intuitive process. We recommend you practice by creating a DNS server on your test network, and creating some delegations. To get an idea of how this is done, pretend that you are the DNS administrator for the com. domain. Then do the following: 1. Perform an nslookup –ds for the following domains: syngress.com osborne.com microsoft.com 2. Write down the IP address for each of the authoritative DNS server IP addresses that were returned to you when you did the nslookup. The microsoft.com domain probably gave you about seven addresses—just use the first one. 3. Open the DNS management console and create a new primary zone for the com. domain. 4. After the com domain is created, right-click it and select New Delegation. Add Syngress, Osborne, and Microsoft domains. For the authoritative servers, include the IP addresses of the machines you received when you did your nslookup lookups for the authoritative DNS servers for each domain.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 371

Troubleshooting Windows 2000 DNS Problems • Chapter 7 371

5. To test this, go into your network properties and make your machine its own preferred DNS server. Flush the DNS cache by issuing the ipconfig /flushdns command from the command prompt. Now ping www.microsoft.com, ftp.microsoft.com, www.osborne.com, and www.syngress.com. You should be able to successfully resolve the names of those sites, although Microsoft won’t let you ping them. Now try to ping www.ibm.com. You should not be able to resolve the name, because your machine is now authoritative for the com. domain, and you do not have a delegation for the ibm.com domain. 6. After completing the exercise, go back into the Network Properties sheet and return your Preferred DNS server to what it was. Go back into the DNS management console and delete the com. domain you created. Finally, return to the command prompt and perform another ipconfig /flushdns command. You should be able to resolve domain names correctly again. Congratulations! You are ready to be the DNS administrator for the com. domain (almost). Please write to us if you have problems with this exercise. It should give you a lot of insight into how delegations work, and will allow you to be successful in creating and troubleshooting your own organization’s delegations.

Special Troubleshooting Issues with Windows 2000 DDNS Servers In this section, we’ll examine various issues that can pose some problems for you when implementing your Windows 2000 DNS solutions. We’ll examine problems related to DNS server security, WINS clients that seem to appear in more than one domain, and zone scavenging. We’ll also explore the arcane meanings of the options in the Advanced tab of the DNS server Properties sheet.

DNS Security and Internet Intruders The situation: You’ve had a good weekend, and come into work on Monday in a good mood. Part of your usual routine is to get a cup of coffee, open your e-mail, and see what’s been happening over the weekend. Since not much happens over the weekend, you expect to see the usual amount of spam, and maybe some good e-mails from the [email protected] mailing list you’re subscribed to.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 372

372 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

You almost jump out of your chair when you see a message from Joe Hacker. In the e-mail message, he lists all of the server names and IP addresses that your internal network clients have accessed over the past month, and he also included a complete listing of all the resource records in your DNS zone databases! Right after you check your blood pressure to make sure you’re not having a stroke, you try to figure out what happened. How did Joe Hacker get this information? What might be the security problem with the DNS server, and most importantly, how can you fix it?

Tracking Down the Problem Recall what happens when a DNS client sends a recursive DNS query to its Preferred server. First, the DNS server checks to see if it is authoritative for the zone in the request. If it is not, it checks its cache to see if the information is located there. If the data is not in cache, it will complete recursion by issuing a series of iterative queries to other DNS servers. In the process of completing recursion, it will likely need to contact DNS servers on the Internet. When the internal DNS server makes a request from an Internet DNS server, the IP datagram includes the source and destination IP address, along with the information contained in the DNS query itself. When the Internet DNS servers reply, they include their source and destination IP address and their responses to the DNS queries. So, you suspect that Joe Hacker has been listening in on your DNS queries. “But wait a minute,” you say, “I have a firewall in place!” True, but in order to allow your internal DNS server to contact the Internet DNS servers for name resolution of Internet hosts, the firewall must have, at least, UDP Port 53 open on the outbound side, and a number of ports open on the receive side to allow the internal DNS server (typically 10245000) to send and receive DNS messages. Joe Hacker knew what the open ports were on the receive side because that information was included in the return datagram from the Internet DNS server. How do you fix this problem before he gets even more adventurous? By implementing a combination of DNS forwarders and slaves.

The Solution: Forwarders and Slaves A DNS forwarder is a DNS server that accepts recursive queries from another DNS server, typically a DNS server on the inside of a firewall. The forwarder will complete recursion for the DNS server that sent the request, and then send the results back to the requesting DNS server. The forwarding DNS server then returns the results, sent by the forwarder, to the client that issued the initial DNS query.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 373

Troubleshooting Windows 2000 DNS Problems • Chapter 7 373

A slave DNS server is one that is not able to complete recursion. When recursion is disabled, the computer is only able to answer DNS queries with information contained in its own zone databases. If the slave is not authoritative for the zone in question, it cannot honor the DNS client’s request for recursion, and returns a failure message. However, if you configure the slave server to use forwarders, it can offload the responsibility for recursion to the forwarder. It then becomes the forwarder’s job to complete recursion by issuing a series of iterative queries to Internet DNS servers. A DNS server that is not a slave server can still use forwarders. But, if the forwarder fails to resolve the query successfully, the forwarding computer then will attempt recursion, and issue its own series of iterative queries to Internet DNS servers. This is exactly what we want to prevent. Our security scheme will include an internal DNS server that is configured as a slave server. This internal server can contain our DNS zone data because it no longer has any need to contact servers on the Internet. The slave is configured to use a forwarder located on the outside of the firewall. The forwarder will be a caching-only DNS server. A caching-only DNS server does not contain any zone database files, and uses the root hints file that contains the Internet root servers and its local DNS cache to answer queries for the slave server. The firewall itself will be configured to allow outbound DNS communications only from the slave DNS server, and inbound DNS communication from the forwarder. Now, if Joe Hacker tries to obtain information from the forwarder, he’ll be disappointed because there is no zone information. After implementing this security scheme, you won’t have to worry about getting another DNS hack from Joe Hacker next Monday.

Solving WINS Client Ambiguity with WINS Lookup Zones You may be in the unenviable position of supporting a heterogeneous DNS network that includes Microsoft DNS servers and BIND-based servers. The majority of your network clients are Windows clients. Some of those Windows clients use Windows 2000 DNS servers as their preferred server, and others use the Windows 2000 DNS server as their preferred server. When the DNS clients of the Windows 2000 DNS servers attempt to resolve a NetBIOS name not included in the DNS zone database, the Windows 2000 DNS server can query a WINS server in an attempt to resolve the NetBIOS name. However, the DNS clients of the BIND server cannot resolve a name that is not included in its configured zones, and the query will fail without checking WINS.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 374

374 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.24 DNS slave and forwarder protecting the internal DNS zone information.

root dns

.com dns

microsoft dns

Internet

Forwarding DNS server (Slave)

Forwarder Firewall

Forwarders and Slaves DNS client sends query to forwarding DNS Server. Forwarding server sends DNS request to forwarder on outside of firewall. Forwarder makes direct contact with Internet DNS Servers. Forwarder sends query result to Forwarding DNS server, which sends the result to the DNS Client.

DNS Client

While there are a number of solutions to this problem, such as upgrading the computer running the BIND DNS server, a particularly elegant one is to use a dedicated zone that will be used for WINS server referrals.

Setting Up a Dedicated Zone for WINS Referrals For example, our domain tacteam.net uses Windows 2000 DNS server and BSD DNS servers. The BSD server cannot forward requests to a WINS server for name resolution. What we can do is create a new domain, such as wins.tacteam.net, and configure that domain to be the one that performs all WINS server referrals. On the Windows 2000 DNS server, we create the new zone wins.tacteam.net and enable it to perform WINS lookups as shown in Figure 7.25. On the BIND server, we create the wins.tacteam.net zone and then create a delegation so that the requests for wins.tacteam.net are sent to the Windows 2000 DNS server.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 375

Troubleshooting Windows 2000 DNS Problems • Chapter 7 375

Figure 7.25 Configuring the wins.tacteam.net zone to perform WINS referrals.

To make this work, we need to configure the DNS clients correctly. The procedure is a little different, depending on whether you use Windows 9x, Windows NT, or Windows 2000 DNS clients. The goal here is to configure a list of domain names that are appended to unqualified DNS requests. Figure 7.26 shows how we configure the list in our present situation on a Windows 2000 DNS client. The key is to put the wins.tacteam.net “WINS resolution zone” at the bottom of the list. This allows you to search for clients with a legitimate resource record in a number of domains first before querying a WINS server. When a DNS client in the tacteam.net domain sends an unqualified query to its Preferred DNS server, it will likely append the tacteam.net domain suffix to the end of the request. So, if the request was for Excalibur, the request would be made fully qualified by sending it for Excalibur.tacteam.net. If Excalibur were not in the zone database, the DNS server would send the request to WINS for resolution and return the answers as Excalibur.tacteam.net. If another client in west.tacteam.net sent the same query to its Preferred DNS server, and that server successfully performed a WINS referral, the returned answer would be Excalibur.west.tacteam.net.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 376

376 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.26 DNS client configuration of DNS suffixes appended to unqualified requests.

By disabling WINS lookups from all zones except the wins.tacteam.net zone, all queries that are resolved via a WINS lookup will be resolved as wins.tacteam.net. This eliminates the ambiguity of how the name was resolved, and its domain membership.

NOTE To make this solution work best, you should disable WINS lookups for all other domains. Only the WINS lookup domain should be capable of querying a WINS server.

Interoperability Problems The Windows 2000 DNS Server is a powerful, standards-based DNS server solution both for Windows 2000-only networks and for heterogeneous networks that contain downlevel clients and DNS servers. However, if you are running a mixed environment, you need to be aware of some limitations and issues that can crop up.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 377

Troubleshooting Windows 2000 DNS Problems • Chapter 7 377

WINS and WINS-R Incompatibility with BIND Servers If you have zones that employ WINS and WINS-R resolution, you may have problems with zone transfer to DNS servers that do not support the WINS and WINS-R resource records. BIND DNS servers do not support these resource records and may choke during a zone transfer from a Windows 2000 or Windows NT DNS server. You can prevent problems by configuring the Windows DNS server not to replicate the WINS records, as seen in Figure 7.27. You get to this dialog box by right-clicking the zone of interest, and then clicking the WINS tab. Figure 7.27 Preventing the replication of the WINS resource records.

To prevent the replication of a WINS-R record, you need to know where the WINS-R record is located. That’s right, it is located in the reverse lookup zone. Right-click the reverse lookup that is participating in the zone transfer, click Properties, and click the WINS-R tab, as seen in Figure 7.28 For both the WINS and the WINS-R record, you must place a checkmark in the check box for “Do not replicate this record” to prevent replication of the record during a zone transfer. While we’re here, did you notice something interesting in Figure 7.28? There is a text box that allows you to configure the domain name returned when you issue reverse lookups. If you have a WINS referral domain configured, you should enter the name of that domain in the text box.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 378

378 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Figure 7.28 The WINS-R tab in the reverse lookup zones Properties sheet.

As we mentioned earlier, if you have BIND Secondaries, they will not be able to support the fast transfer method of zone transfer. This can be done via the Advanced tab in the zone’s Properties sheet.

NOTE A DNS server must be able to support SRV records in order to participate in a Windows 2000 DNS solution. This is because the domain locator uses DNS to identify the location of the domain controllers on the network. BIND versions earlier than 8.x do not support SRV records, and therefore should be upgraded to a later version of BIND—or better, upgraded to Windows 2000 DNS servers.

If your DNS server does not support dynamic updates, such as Windows NT 4.0 DNS or BIND 4.x, you must include SRV records that are needed to support the use of Active Directory. You can find these records, which you must manually enter into the downlevel DNS server, at: %system_root%\system32\config\netlogon.dns

91_tcpip_07.qx

2/25/00

11:08 AM

Page 379

Troubleshooting Windows 2000 DNS Problems • Chapter 7 379

This contents of the file look like this: tacteam.net. 600 IN A 192.168.1.185 _ldap._tcp.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. _ldap._tcp.pdc._msdcs.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. _ldap._tcp.a8601abf-4067-4919-8c0b-df02d9f90a6d.domains._msdcs.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. dee92009-f0b8-42a8-9e0d-7b063b6a2e43._msdcs.tacteam.net. 600 IN CNAME CONSTELLATION.tacteam.net. _kerberos._tcp.dc._msdcs.tacteam.net. 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net. _ldap._tcp.dc._msdcs.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. _kerberos._tcp.tacteam.net. 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net. _kerberos._udp.tacteam.net. 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net. _kpasswd._tcp.tacteam.net. 600 IN SRV 0 100 464 CONSTELLATION.tacteam.net. _kpasswd._udp.tacteam.net. 600 IN SRV 0 100 464 CONSTELLATION.tacteam.net. _ldap._tcp.Default-First-Site-Name._sites.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net. 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net. _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tacteam.net. 600 IN SRV 0 100 389 CONSTELLATION.tacteam.net. _kerberos._tcp.Default-First-Site-Name._sites.tacteam.net. 600 IN SRV 0 100 88 CONSTELLATION.tacteam.net. _ldap._tcp.gc._msdcs.tacteam.net. 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net. gc._msdcs.tacteam.net. 600 IN A 192.168.1.185 _gc._tcp.tacteam.net. 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net. _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.tacteam.net. 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net. _gc._tcp.Default-First-Site-Name._sites.tacteam.net. 600 IN SRV 0 100 3268 CONSTELLATION.tacteam.net.

A Windows NT 4.0 DNS server with Service Pack 4 will support SRV records. However, we recommend upgrading to Windows 2000 rather than manually configuring the downlevel DNS server.

DHCP and Resource Record Updates If you are using a mixed environment of Windows 2000 and downlevel DHCP servers, be aware that the non-Windows 2000 DHCP server will not update address records on the Windows 2000 DNS server. If you have a

91_tcpip_07.qx

2/25/00

11:08 AM

Page 380

380 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

mix of Windows 2000 and downlevel DHCP servers, this can create a problem whereby some of the DHCP clients will have their resource records updated for them, while others will not be included in the DNS zone database. The Windows 2000 DNS clients can update their own resource records, but if you have downlevel DNS clients assigned IP addressing information from a downlevel DHCP server, there is no mechanism to allow these clients to update their DNS address information. The only solution to this problem is to update either the DNS clients or DHCP servers to Windows 2000.

Troubleshooting Tools for Windows 2000 DDNS Servers There are plenty of tools available to troubleshoot your Windows 2000 Dynamic DNS installation. In this section, we’ll look at some of these and see how you can use them to investigate DNS troubles.

nslookup The nslookup utility allows you to test and query your DNS server’s zone databases. Nslookup actually works in two modes: interactive and command mode. Command mode is used when you only want to do a single query. For example, if I type the command: nslookup defiant.tacteam.net.

I get the following output: Server: constellation.tacteam.net Address: 192.168.1.185 Name: defiant.tacteam.net Address: 192.168.1.2 C:\>

Notice that we get thrown back to the command prompt following the returned information. If you plan on doing a number of lookups, you would use interactive mode. To enter interactive mode, just type nslookup at the command prompt; your output should look like this: C:\>nslookup Default Server: constellation.tacteam.net Address: 192.168.1.185 >

91_tcpip_07.qx

2/25/00

11:08 AM

Page 381

Troubleshooting Windows 2000 DNS Problems • Chapter 7 381

Notice that you are not returned to the command prompt, but to the nslookup command’s interactive prompt. Once you enter interactive mode, you can use the “set” commands to determine the nature of your queries. Some of the “set” commands are included in Table 7.1. When you’re ready to leave the interactive mode and return to the command prompt, just type exit. Table 7.1 List of Set Commands that Can Be Used in nslookup Interactive Mode Command

Description

all

Prints out a list of current options and server parameters

[no]debug

Prints out detailed information from the lookup

[no]d2

Prints out "exhaustive" debugging information

[no]defname

Appends a specific domain name to each query

[no]recurse

Ask for recursion for the query

[no]search

Uses the domain suffix search list

[no]vc

Always use a virtual circuit

domain=NAME

Allows you to set a default domain name for the lookup

root=NAME

Define the name of the root server to use for lookup

retry=X

Define the number of retries for the lookup

timeout=X

Define the timeout for the lookup

type=X

Defines the query type For example: ANY, CNAME, MX, NS, PTR, SOA, SRV

The d2 option gives you the most information about the query you’re performing. If you don’t want to stay in interactive mode, and you want to perform a single quick lookup and still get the benefits of the debug mode, you can issue an nslookup using the –ds switch. For example, type the command: nslookup –ds www.microsoft.com.

You get detailed information about the query with the –ds switch.

TIP When you do an nslookup, be aware that the most likely reason that you might receive a nonauthoritative answer to a query is because your DNS server is answering from cache.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 382

382 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Throughout this chapter we have been working with nslookup to check on the behavior of our queries and the integrity of the zone database. We highly recommend that you practice doing many nslookups using the –ds switch or the debug/d2 set command in order to get familiar with how the utility works and the information returned to you.

ipconfig You probably have been using the ipconfig command for years if you’re an experienced Windows NT professional. The command has been improved in Windows 2000, and has some new switches that increase its usefulness as a tool for getting IP addressing information about your machines. Three ipconfig command switches are of particular interest when working with our DNS servers: ipconfig /flushdns The flushdns switch allows you to clear the local machine’s DNS cache. When you make zone changes or machine IP address configuration changes and then do an nslookup, you may receive information that doesn’t reflect the changes you thought you made. This is because the information is being retrieved from cache rather than from the DNS server itself. Use the flushdns switch to clear the cache, and then repeat the nslookup you were doing before. ipconfig /displaydns The displaydns switch prints out the local DNS cache. This is particularly helpful to use after you have completed the flushdns command, to confirm that the cache is indeed empty. The displaydns switch allows you to see the entries in the HOSTS file loaded into the cache. ipconfig /registerdns The /registerdns switch will renew a DHCP client’s lease and reregister the DNS client’s address information with a DNS server. This is sometimes helpful in “reminding” the DNS server of the DNS client’s addressing information. The ipconfig command has definitely been “souped up,” and you’ll find yourself using it even more now than you did in Windows NT 4.0.

Event Viewer The Windows 2000 Event Viewer has a dedicated container for DNS information. The Event Viewer can provide information on when zone transfers are taking place, if there was a problem with a zone transfer, when changes have taken place within the zone, or even if too many changes are happening in the zone.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 383

Troubleshooting Windows 2000 DNS Problems • Chapter 7 383

Since the Event Viewer is easy to access and doesn’t require configuration changes on your part, it is often wise to start here first and see if it supplies any clues to what the problem might be.

Network Monitor The Network Monitor supplied with Windows 2000 Server products allows you to analyze packets coming into, and out of, the server running Network Monitor.

NOTE If you want a “full-fledged” version of Network Monitor that allows you to listen to all traffic on the segment, you can purchase Microsoft Systems Management Server 2.0.

Network Monitor will allow you to identify problems with network communications, including malformed packets, jitter causing “garbage” packets, and details of the packets sent and received for DNS queries. Figure 7.29 displays the Network Monitor screen after a capture of DNS packets has been done. Figure 7.29 Capture of DNS packets in Microsoft Network Monitor.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 384

384 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Something to note when analyzing a DNS message is the message identifier, which is the first thing you see on the Description line. For example, look at frames 376 and 377. Each of those has at the beginning of the description line “0x174E,” which is the query identifier. You can use this number to track related queries and responses. If there is a packet of particular interest (for example, a failure message is returned by the server), you can select the frame in the top pane and then click the Edit menu and then Copy. Open Notepad or another text editor and paste the contents of the frame into the application. For example, after copying packet 377, we get this: 377 23.543854 LOCAL 0050DA62684E DNS 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. CONSTELLATION DAEDALUS IP Frame: Base frame properties Frame: Time of capture = 1/1/2000 11:48:18.587 Frame: Time delta from previous physical frame: 0 microseconds Frame: Frame number: 377 Frame: Total frame length: 108 bytes Frame: Capture frame length: 108 bytes Frame: Frame data: Number of data bytes remaining = 108 (0x006C) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 0050DA62684E ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 0050DA0DF52D ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 108 (0x006C) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 94 (0x005E) IP: ID = 0x6A65; Proto = UDP; Len: 94 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Precedence = Routine IP: Type of Service = Normal Service IP: Total Length = 94 (0x5E) IP: Identification = 27237 (0x6A65) IP: Flags Summary = 0 (0x0) IP: .......0 = Last fragment in datagram IP: ......0. = May fragment datagram if necessary IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)

91_tcpip_07.qx

2/25/00

11:08 AM

Page 385

Troubleshooting Windows 2000 DNS Problems • Chapter 7 385 IP: Protocol = UDP - User Datagram IP: Checksum = 0x4C1D IP: Source Address = 192.168.1.185 IP: Destination Address = 192.168.1.3 IP: Data: Number of data bytes remaining = 74 (0x004A) UDP: Src Port: DNS, (53); Dst Port: Unknown (1068); Length = 74 (0x4A) UDP: Source Port = DNS UDP: Destination Port = 0x042C UDP: Total length = 74 (0x4A) bytes UDP: UDP Checksum = 0x23D4 UDP: Data: Number of data bytes remaining = 66 (0x0042) DNS: 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. DNS: Query Identifier = 5966 (0x174E) DNS: DNS Flags = Response, OpCode - Std Qry, RD RA Bits Set, RCode - No error DNS: 1............... = Response DNS: .0000........... = Standard Query DNS: .....0.......... = Server not authority for domain DNS: ......0......... = Message complete DNS: .......1........ = Recursive query desired DNS: ........1....... = Recursive queries supported by server DNS: .........000.... = Reserved DNS: ............0000 = No error DNS: Question Entry Count = 1 (0x1) DNS: Answer Entry Count = 2 (0x2) DNS: Name Server Count = 0 (0x0) DNS: Additional Records Count = 0 (0x0) DNS: Question Section: www.dallasnews.com. of type Host Addr on class INET addr. DNS: Question Name: www.dallasnews.com. DNS: Question Type = Host Address DNS: Question Class = Internet address class DNS: Answer section: www.dallasnews.com. of type Canonical name on class INET addr.(2 records present) DNS: Resource Record: www.dallasnews.com. of type Canonical name on class INET addr. DNS: Resource Name: www.dallasnews.com. DNS: Resource Type = Canonical name for alias DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 2 (0x2) DNS: Owner primary name: dallasnews.com.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 386

386 Chapter 7 • Troubleshooting Windows 2000 DNS Problems DNS: Resource Record: dallasnews.com. of type Host Addr on class INET addr. DNS: Resource Name: dallasnews.com. DNS: Resource Type = Host Address DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 4 (0x4) DNS: IP address = 207.238.232.133 00000: 00 50 DA 62 68 4E 00 50 DA 0D F5 2D 08 00 45 00 .PÚbhN.PÚ.õ-..E. 00010: 00 5E 6A 65 00 00 80 11 4C 1D C0 A8 01 B9 C0 A8 .^je.. .L.À¨.?À¨ 00020: 01 03 00 35 04 2C 00 4A 23 D4 17 4E 81 80 00 01 ...5.,.J#Ô.N∞ .. 00030: 00 02 00 00 00 00 03 77 77 77 0A 64 61 6C 6C 61 .......www.dalla 00040: 73 6E 65 77 73 03 63 6F 6D 00 00 01 00 01 C0 0C snews.com.....À. 00050: 00 05 00 01 00 00 28 FD 00 02 C0 10 C0 30 00 01 ......(?..À.À0.. 00060: 00 01 00 00 28 FD 00 04 CF EE E8 85

....(?..Ïîè…

You get all the details of Ethernet, IP, and UDP protocols, and it allows you to find any anomalies that are present. See Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for more details on how to use Network Monitor and how to create network captures with capture and display filters.

DNS Trace Logs If you want to get really “down and dirty” and know everything the DNS server has been doing, you can enable trace logging on the DNS server. A trace log reports in detail about the queries the server has processed. While you can get similar information from doing nslookup queries, you are only aware of the questions and answers you send when performing those. A trace log will track queries received and answered by the DNS server. To enable trace logging, right-click the server name in the DNS management console and click Properties. Click the Logging tab, and you will see a dialog box similar to that in Figure 7.30.

WARNING Trace logging can be a very processor- and disk-intensive procedure, so be judicious in your use of this feature.

The logs are stored in a plain text file located at: %system_root%\system32\dns\dns.log

91_tcpip_07.qx

2/25/00

11:08 AM

Page 387

Troubleshooting Windows 2000 DNS Problems • Chapter 7 387

Figure 7.30 Configuring trace logging for the DNS server.

We have had some difficulty getting reliable trace logging for the Query, Questions, and Answers options. Hopefully, this bug will be fixed by the time the final release product becomes available.

Performance The Windows 2000 DNS server includes a large number of counters you can use to monitor the behavior and performance of your DNS server. Many new counters have been added to the Windows 2000 DNS Object counter list. Table 7.2 lists these counters and their functions. The Performance Monitoring tool gives you comprehensive monitoring capabilities of you DNS server. For more information on how to use the Performance management console, see Chapter 5. Table 7.2 DNS Performance Counters

Counter

Description

AXFR Request Received

Total full zone transfer requests received by the Master DNS server Total full zone transfer requests sent by the Secondary DNS server

AXFR Request Sent

91_tcpip_07.qx

2/25/00

11:08 AM

Page 388

388 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Counter

Description

AXFR Request Received

Total full zone transfer requests received by the Master DNS server AXFR Request Sent Total full zone transfer requests sent by the Secondary DNS server AXFR Response Total full zone transfer responses received by the Received Secondary DNS server AXFR Success Received Total successful full zone transfers received by the Secondary DNS server AXFR Success Sent Total successful full zone transfers of the Master DNS server Caching Memory Total amount of caching memory used by the DNS server Database Node Memory Total database node memory used by the DNS server Dynamic Update Total number No-operation/empty dynamic update NoOperation requests received by the DNS server Dynamic Update Rate at which No-operation/empty dynamic NoOperation/sec update requests are received by the DNS server Dynamic Update Total dynamic updates that are queued by the Queued DNS server Dynamic Update Received Dynamic Update Received/sec Dynamic Update Rejected Dynamic Update TimeOuts Dynamic Update Written to Database Dynamic Update Written to Database/sec IXFR Request Received IXFR Request Sent IXFR Response Received

Total dynamic update requests that are received by the DNS server Rate at which dynamic update requests are received by the DNS server Total dynamic updates rejected by the DNS server Total dynamic update timeouts of the DNS server Total dynamic updates written to the database by the DNS server Rate at which dynamic updates are written to the database by the DNS server Total of incremental zone transfer requests received by the Master DNS server Total of incremental zone transfer requests sent by the Secondary DNS server. Total incremental zone transfer responses received by the Secondary DNS server Continued

91_tcpip_07.qx

2/25/00

11:08 AM

Page 389

Troubleshooting Windows 2000 DNS Problems • Chapter 7 389

Counter

Description

IXFR Success Received

Total successful incremental zone transfers received by the Secondary DNS server Total successful incremental zone transfers of the Master DNS server Total successful TCP incremental zone transfers received by the Secondary DNS server Total successful UDP incremental zone transfers received by the Secondary DNS server Total Nbstat memory used by the DNS server Total notifies received by the Secondary DNS server

IXFR Success Sent IXFR TCP Success Received IXFR UDP Success Received Nbstat Memory Notify Received Record Flow Memory Recursive Queries Recursive Queries/sec Recursive Query Failure

Total record flow memory used by the DNS server Total recursive queries received by the DNS server Rate at which recursive queries are received by the DNS server Total of recursive query failures

Recursive Query Failure/sec

Rate of recursive query failures

Recursive Send TimeOuts Recursive TimeOut/sec Secure Update Failure Secure Update Received

Total of recursive query sending timeouts

Rate recursive query sending timeouts Total secure update failures of the DNS server Total secure update requests received by the DNS server Secure Update Rate at which secure update requests are received Received/sec by the DNS server TCP Message Memory Total TCP message memory used by the DNS server TCP Query Received Total TCP queries received by the DNS server TCP Query Received/sec Rate TCP queries are received by the DNS server TCP Response Sent Total TCP responses sent by the DNS server TCP Response Sent/sec Rate TCP responses are sent by the DNS server Total Query Received Total queries received by the DNS server Total Query Received/sec Rate at which queries are received by the DNS server Total Response Sent Total Responses sent by the DNS Server Total Response Sent/sec Rate at which responses are sent by the DNS server Continued

91_tcpip_07.qx

2/25/00

11:08 AM

Page 390

390 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

Counter

Description

UDP Message Memory

Total UDP message memory used by the DNS server UDP Query Received Total UDP queries received by the DNS server UDP Query Received/sec Rate UDP queries are received by the DNS server UDP Response Sent Total UDP responses sent by the DNS server UDP Response Sent/sec Rate at which UDP responses are sent by the DNS server WINS Lookup Received Total WINS lookup requests received by the DNS server WINS Lookup Rate at which WINS lookup requests are received Received/sec by the DNS server WINS Response Sent Total WINS lookup responses sent by the DNS server WINS Response Sent/sec Rate at which WINS lookup responses are sent by the server WINS Reverse Lookup Received WINS Reverse Lookup Received/sec

Total WINS reverse lookup requests received by the DNS server Rate at which WINS reverse lookup requests are received by the DNS server

WINS Reverse Response Sent WINS Reverse Response Sent/sec Zone Transfer Failure Zone Transfer Request Received Zone Transfer SOA Request Sent

Total WINS reverse lookup responses sent by the DNS server Rate at which WINS reverse lookup responses are sent by the server Total failed zone transfers of the Master DNS server Total zone transfer requests received by the Master DNS server Total zone transfer Start of Authority (SOA) requests sent by the secondary DNS server

Summary The Microsoft Windows 2000 DNS is a standards-based Domain Name System server that represents a tremendous forward stride over the DNS server provided with Windows NT 4.0. With DNS becoming the mechanism for authentication for Windows 2000 networks, DNS no longer is the “add-on” product it was considered as in Windows NT 4.0 networks. Applications written to the NetBIOS interface use the destination NetBIOS name as the endpoint of network communication. WinSock

91_tcpip_07.qx

2/25/00

11:08 AM

Page 391

Troubleshooting Windows 2000 DNS Problems • Chapter 7 391

applications, which were written specifically for the TCP/IP protocol, are not dependent on computer names, and use the destination IP address as the endpoint of communication. NetBIOS applications require a mechanism to allow NetBIOS names to be translated to IP addresses in order to work on TCP/IP-based networks. NetBIOS name resolution is the process of translating NetBIOS names to IP addresses that can be passed down the TCP/IP protocol stack for network communications between two NetBIOS applications. WinSock applications do not rely on computer names, and only require the destination machine’s IP address to establish a session with the destination host. However, people find it a lot easier to remember names, rather than IP addresses. Therefore, a system of naming machines on a TCP/IP network was developed to aid our failing memories. The Domain Name System was developed in order to accommodate a world-wide network of computers where there was little central authority of the naming of the machines participating on the Internet. The Domain Naming System is a hierarchical name system, which allows a multiplicity of computers throughout the world to have the same computer name, as long as those computers belong to different domains. The Domain concept allowed for distribution of responsibility over who will maintain the world-wide database of host names and IP addresses associated with those host names. The only centralized aspects of the naming system are in the maintenance of the root, top, and second-level domains on the Internet. Maintaining the DNS database below these levels is the responsibility of the administrators for each individual domain. The Windows 2000 DNS server allows you to keep a database of host names and IP addresses. The Windows 2000 DNS also allows for the dynamic update of host names and IP addresses in a manner very similar to how WINS servers function. Dynamic DNS is a new feature in the Windows 2000 DNS server and was not available in the Windows NT 4.0 DNS server. DNS clients can resolve a host name to an IP address in several ways. The DNS client service features a caching resolver, which keeps a list of recently resolved host names and IP addresses. If a sought-after mapping is not in the resolver cache, the DNS clients will query a DNS server. If the DNS cannot resolve the host name, the DNS client will go through the NetBIOS name resolution sequence and attempt to resolve the name by using WINS server, broadcasts, or LMHOSTS files. When a DNS client needs to resolve a host name to an IP address, it will query a DNS server. DNS servers themselves can be DNS clients. There are two basic types of queries: recursive and iterative. When a DNS client requests recursion, it is essentially putting the responsibility on the

91_tcpip_07.qx

2/25/00

11:08 AM

Page 392

392 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

DNS server to take over the job of resolving a host name to an IP address. The DNS client that requests recursion expects a definitive answer, and will not accept referrals to other machines that may help it resolve a query. An iterative query is issued when a DNS server attempts to complete recursion for the DNS client. It will issue iterative queries and accept referrals from other DNS servers that point it to the DNS server that can resolve the request. A fully qualified domain name (FQDN) includes the host name, which lies to the left of the leftmost period in an FQDN, and the host’s domain membership. A fully qualified query must end with a period, although most applications will automatically include the period before sending it out for resolution. If the request is not fully qualified, the DNS request is known as an “unqualified” request. The DNS client service must formulate a query based on an FQDN. By default, the domain membership of the machine issuing the query will be appended to the request. A list of other domain suffixes can be configured to be appended to unqualified requests, if you choose to create one. When an organization has an intranet and a presence on the Internet, you must choose whether you will use the same domain name on both. The advantage of using the same domain name is that it is easier on users in terms of remembering the names of clients, and they don’t have to worry if the corporate resource is on the intranet or the Internet. The drawback is that you will have to mirror your servers internally, and DNS clients will not access external corporate host resources. It is typically easier to use different domain names for intranet and Internet resources. You do not need to mirror servers, and there is no chance for confusion as to what is an internal resource and what is an external resource. The Internet domain name must be registered, but it is optional whether you register the intranet domain name. It is a good idea to register the internal domain name to prevent confusion. You would not want your boss to try to show off some intranet resource from his home (by mistake) using the internal domain name, and have some competitor’s site show up instead! While domains represent a conceptual framework, the actual domains and hosts are contained in files called zone files. Zone files are database files that contain resource records, which track the resources contained in a domain. The Windows 2000 DNS server supports standard and Active Directory integrated zones. Standard zones are characterized by having a single Primary DNS server, and multiple Secondary DNS servers. The Primary DNS server has the only read/write copy of the zone database, and this database is copied to Secondary DNS servers. Secondary DNS servers provide for fault tolerance, load balancing, and faster lookups for local hosts.

91_tcpip_07.qx

2/25/00

11:08 AM

Page 393

Troubleshooting Windows 2000 DNS Problems • Chapter 7 393

Standard zones are copied from Primary to Secondary DNS server via a process called zone transfer. Zone transfer is a pull operation, where the Secondary DNS server requests from the Primary the zone database if there are any updates. The Windows 2000 DNS server supports both the AXFR and the IXFR zone request. Downlevel DNS servers, such as the Windows NT 4.0 DNS server, can only send an AXFR query for zone transfer; therefore, whenever a change takes place in a zone, the entire zone file is sent to the Secondary. The Windows 2000 DNS server supports the IXFR, which allows for incremental zone transfers. The incremental transport only sends records that have changed since the previous zone transfer. A reverse lookup zone allows DNS clients to issue reverse queries. A reverse query is when the IP address is sent to the DNS server for resolution to a host name. The reverse lookup zone is useful when you have security and diagnostic software that depends on reverse lookups. Although the reverse lookup zone is not required, it will help you avoid certain error messages when you create a new zone. Active Directory integrated zones offer several advantages over standard zones. The Active Directory integrated zone has multiple masters, and each domain controller becomes a Primary DNS server. You do not have to worry about maintaining separate Active Directory and DNS replication topologies. Active Directory integrated zones allow for per-property zone transfer, rather than having to send the entire record, which saves bandwidth. Active Directory integrated zones allow for secure dynamic updates. A delegation is a means to assign responsibility or “authority” to a machine for a zone. Secondary DNS server have a copy of the zone database file, and therefore are able to deliver authoritative answers based on the contents of the zone files they contain. You create NS records on DNS servers to indicate to clients the host name of a server that is authoritative for a particular zone. You want your DNS servers to avoid contact with DNS servers over the Internet to prevent hackers from intercepting DNS communications and potentially damaging your network. One popular way to do this is by using a combination of slave and forwarder DNS servers. A slave DNS server does not perform recursion, and sends all DNS queries for zones that it is not authoritative for to another DNS server, called a forwarder. The forwarder is typically a caching-only DNS server and does not contain any zone database files. The forwarder performs recursion for the slave DNS server and returns to the slave the results of its queries, which the slave in turn returns to the DNS client that made the initial request. While the Windows 2000 DNS server is standards based, there are some interoperability issues. If you have existing BIND DNS servers on

91_tcpip_07.qx

2/25/00

11:08 AM

Page 394

394 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

your network, they will not support zone transfer for WINS and WINS-R records. They also do not support the fast transfer method of zone transfer where several records can be included in a single packet. You can easily upgrade your BIND servers to Windows 2000 DNS by transferring the BIND zone over to the Windows 2000 server and then changing it to a Primary zone. There are a number of tools you can use to investigate problems with your DNS server. These tools include nslookup, a new and improve version of ipconfig that allows you to view and clear the local DNS cache, Event Viewer, Network Monitor, trace logging, and a supercharged Performance Monitor that includes many new counters to allow you to get a fine bead on the health and performance of your DNS server.

FAQs Q: Do my NT and Win9x clients have to be upgraded to Windows 2000 to have their address information automatically entered into a Windows 2000 DNS server? A: You do not need to upgrade your downlevel clients—including Windows NT Workstation, Windows NT Servers, and Win 9x clients—in order to have their addresses added automatically to the Dynamic DNS zone database files. However, since these clients cannot update their own records, you will need to make your downlevel clients Windows 2000 DHCP clients. The Windows 2000 DHCP server will act as a “proxy” and update address information for them on the DDNS server. Q: I keep getting error messages when I use the nslookup command on my new DNS installation. Is there anything I can do to fix this? A: The most common reason for receiving this kind of message, after ensuring that you’ve done everything else correctly, is the absence of a reverse lookup zone. Create a reverse lookup zone for the network ID that the DNS server belongs to. Then, create an A Host resource record for that DNS server. Check to see if a pointer record was created for the DNS server after you create the host record. If one was not created, make one manually. This should correct problems you have with error messages related to “DNS server not found.” Q: What is a CNAME record? How can I use it in my organization?

91_tcpip_07.qx

2/25/00

11:08 AM

Page 395

Troubleshooting Windows 2000 DNS Problems • Chapter 7 395

A: The CNAME resource record allows you to create aliases for a machine that already has an A Host resource record in the DNS database. For example, you already have a machine by the name of bigboy .mydomain.com. You want to run Web services and FTP services on that machine, and you want DNS queries for www.mydomain.com and ftp.mydomain.com to resolve to the same IP address that is owned by bigboy in the DNS database. To do this, you create CNAME records for www and ftp that point to bigboy. Be sure that whenever you create a CNAME record, it points to a machine that already has a host addresses record; otherwise, it won’t work. Q: What is that DNSUpdateProxy Group for again? A: You are referring to the DNSUpdateProxy Group. The DNSUpdateProxy Group allows a DHCP server to make entries in the DNS zone database files without becoming the owner of those entries in the zone database. This solves the problems you might encounter if a particular DHCP server registers entries in the zone database and then goes offline. Since the offline DHCP server owns the record, neither a backup DHCP server nor the client itself will be able to update the record if the zone has secure dynamic updates enabled. The solution is to make the DHCP server a member of the DNSUpdateProxy Group, so it will be able to create entries without “security” information attached to them. The next machine to “touch” the record (for example, if the host itself, or another DHCP server that is not a member of the DNSUpdateProxy Group, tries to update the record) will become the owner of the DNS zone database entry. The drawback is that there is no security; therefore, any machine claiming a particular name can update the record after it is created by the DHCP server that is a member of the DNSUpdateProxy Group. Never install DHCP services on a domain controller if you choose this solution. Q: My NT 4.0 DNS server doesn’t let me add SRV records. What’s wrong? A: The Windows NT 4.0 DNS server that comes “out of the box” with NT does not support SRV records. If you want your NT DNS server to able to participate in the domain locator services, you must update it to Service Pack 4 or later, and then manually enter the SRV resource records that are contained in the domain controller’s netlogon.dns file. Q: What’s the cache.dns file for? Where can I get a new one?

91_tcpip_07.qx

2/25/00

11:08 AM

Page 396

396 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

A: The cache.dns file contains what are sometimes called root hints. The file has the names and IP addresses of the root DNS servers, which are used when iterative queries are issued to resolve Internet host names. To get the latest version of this file, go to ftp://ftp.rs.internic.net/domain/named.root. Note that when you check that site out, you’ll find that they don’t update the file very frequently. The last update was August 27, 1997. Q: I want to upgrade my BIND server to Windows 2000, but I don’t want to lose my zone database files. Is there an easy way to do this? A: The easiest way to do this is to create the same zone on an existing Windows 2000 DNS server. Make the zone a secondary zone, and initiate a zone transfer from the BIND DNS server. Change the zone type to a Primary zone by right-clicking the zone and clicking CHANGE beside the word “Type.” Take down the BIND server and upgrade it to Windows 2000. After the upgrade, create the same zone on the new Windows 2000 DNS server, and make it a secondary zone. Initiate a zone transfer from the previous DNS server. Now change the zone type to Primary on the new DNS server, and to Secondary on the old one. Q: I’m running a DNS server using standard zones. My Primary DNS server died about 36 hours ago. My users cannot get answers to their DNS queries! I thought the Secondary DNS servers would add fault tolerance to my host name resolution system. Why didn’t they? A: This is probably because the Secondary DNS servers are no longer answering queries for the zone. If a Secondary DNS server cannot contact a Primary DNS server from which it receives zone transfers, for over the period of time defined in the “Expires by” text box in the SOA Record, it will no longer answer queries for that zone. One solution to this problem is to change the zone type to a Primary zone and configure delegations on the new Primary DNS server for all of your Secondaries.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 397

Chapter 8

Troubleshooting Windows 2000 IP Addressing Problems

Solutions in this chapter: ■

Subnetting Problems

■

DHCP Configuration Problems

■

APIPA

397

91_tcpip_08.qx

2/25/00

11:10 AM

Page 398

398 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Introduction One of TCP/IP’s great strengths, and a primary reason that it has become the standard for large networks, including the Internet, is its scalable addressing scheme that can accommodate networks of all sizes. In Chapter 1, “TCP/IP Overview,” we discussed some of the limitations of the current IP addressing system, called IPv4, which uses 32-bit addresses, unique to every network interface, to specify the network and individual host identification. Although IPv6 is expected to solve the anticipated problem of running out of unique addresses at some point in the near future, it’s safe to say the addressing scheme will be around for some time to come. Many problems with TCP/IP connectivity turn out to be IP addressing problems. Although manually assigning IP addresses to each computer increases the likelihood of human error (mistyping or transposing numbers, forgetting that an address has already been assigned and assigning it to a second machine, etc.), using the Dynamic Host Configuration Protocol (DHCP) or allowing Automatic Private IP Addressing (APIPA) to assign addresses on your network will not absolutely guarantee troublefree address assignment. Configuration problems can cause address conflicts to occur with the automatic addressing services, too. In this chapter, we will briefly recap how IP addressing works and what distinguishes the Internetwork-layer IP address from the physical address (which actually is addressed at the Data Link layer of the OSI model). We will take a look at the practice of assigning addresses manually, and discuss when this is appropriate, as well as common problems that arise. Then we will discuss the automatic addressing services, DHCP and APIPA (the latter is new to Windows 98 and Windows 2000). We’ll examine some of the configuration problems that are commonly encountered when utilizing these services. We will discuss how the IP address is used in the process of network communication, and we’ll look at the differences between private and public addresses and how not knowing when to use which can cause a network administrator a world of headaches. Finally, we will address some specific troubleshooting scenarios, including those involving duplicate IP addresses, those that stem from using invalid addresses, the most common DHCP configuration problems, APIPA and Internet Connection Sharing (ICS), and how to troubleshoot IP subnetting problems.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 399

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 399

How IP Addressing Works Under the current IP addressing system, IPv4, there are “only” a little over 4 billion possible IP addresses (4,294,967,296 or 232 for those who like to be precise). In the beginning (the early 1980s), this seemed to be more than enough for the foreseeable future. At that time, when IP specifications became standardized, a two-level hierarchical addressing structure was imposed, consisting of the network ID (sometimes called the network prefix) and the Host ID. Networks were divided into “classes” A, B, and C (as well as D and E, but these two were not allocated to networks but rather reserved for special purposes). This is referred to as “classful” addressing. A newer method of identifying networks via an “IP prefix” is called Classless Inter-Domain Routing (CIDR), which we discussed briefly in Chapter 4, “Windows 2000 TCP/IP Internals.” Instead of designating networks as class A, B, or C, a network is referred to as a /16, /24, etc. depending on the number of bits used for the network ID portion of the address.

Logical IP Addresses versus Physical MAC Addresses The IP address is a “logical” address, assigned by the network administrator. It bears no direct relation to the network interface card’s (NIC) “physical” address (often referred to as the MAC address because it is used at the Media Access Control sublayer of the OSI’s Data Link layer). Changing a computer’s (or more precisely, an individual NIC’s) IP address is a software function. If you have administrative privileges, it’s as simple as clicking the mouse a few times to open the proper dialog box and typing in a new number (the hardest part is knowing what number to type in). The MAC address, on the other hand, is hard-coded into the chip on the network card in the typical Ethernet network. Some network cards provide for a way to change the MAC address via jumper settings or software configuration, but this is not usual and you are limited to only a few possible settings. An Ethernet MAC address is a 48-bit number represented in hexadecimal, so it will look something like this: 00-80-C8-6A-FA-00. You can find out the physical address of your Ethernet card by typing ipconfig /all at the command line, which will give you the information shown in Figure 8.1.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 400

400 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Figure 8.1 Determining your network card’s physical (MAC) address using the ipconfig command.

As you can see in the screenshot, the IP and MAC addresses are in two very different formats and have no logical relationship to one another. The Address Resolution Protocol (ARP), discussed in Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level,” is responsible for “keeping tabs” on which IP addresses match up with which physical addresses, and relaying that information so computers can communicate at the physical (network interface) level.

What an IP Address Represents In order to communicate over the network using the TCP/IP protocols, a computer must have an IP address that is unique on that network. A network administrator can manually assign the IP address, or it can be automatically assigned by an addressing service such as DHCP, APIPA, or ICS autoaddressing. In any event, there will be no IP communication without an address. If you don’t know what IP address is being used, you can find that information the same way you accessed the physical address, using the ipconfig command. In fact, the /all switch is not necessary to display the IP address, as shown in Figure 8.2. The IP address is usually represented as shown, in “dotted decimal” (also called “dotted quad”) notation with four sections, called octets, separated by dots. This decimal notation is merely a “user friendly” way to express the binary number used by the computers to communicate. The octets are called that because each represents eight binary digits.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 401

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 401

Figure 8.2 Determining the computer’s IP address using the ipconfig command.

The Language of 1s and 0s For a true understanding of IP addressing, subnetting, supernetting, and related topics, it is essential that you learn to work with the underlying binary. Although the base two numbering system, into which all data is converted by the machines, may seem confusing and a little frightening at first, it is actually pretty simple, and it will save you many hours of pulling out your hair as you try to make sense of the decimal representations (which, taken alone, don’t make sense). Let’s look at how IP addresses look at the binary level and maybe we’ll take some of the mystery out of “machine language” while we’re at it. The IP address shown in Figure 8.2 in dotted decimal, 192.168.1.185, really represents the following binary number: 11000000.10101000.00000001.10111001

If you look closely, you’ll see that this number is indeed made up of four groups of eight binary digits. But how do you know that 192 in decimal equals 11000000 in binary? Well, there are a couple of ways to find out. The easy way to convert decimal to binary, or vice versa, is to use the Windows calculator in scientific mode (choose Scientific from the View menu). Just check the “dec” radio button and enter the number in decimal, then click on the “bin” radio button and tada! As if by magic, you have the binary equivalent (see Figure 8.3). That’s the easiest way and the fastest way, but not necessarily the best way. If you don’t really understand how binary is converted to decimal, you may be confused by the calculator’s results. For instance, when you convert the decimal 1 to binary, the result is 1. You know that an octet has eight digits, but the calculator only displays one. Do you put seven 0s before or after the 1? If you know how to do the conversion manually, it’s obvious.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 402

402 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Figure 8.3 Using the Windows calculator in scientific mode to convert decimal to binary.

Here’s how to convert a binary octet to decimal without a calculator: We have eight binary digits, and each of them represents a decimal value, beginning with the rightmost digit and working our way back to the leftmost.

NOTE The rightmost digits are sometimes referred to as the low order bits, and the leftmost as the high order bits.

Each bit that is “turned on” (that is, shows a 1 instead of a 0) represents the value of that bit as shown in Figure 8.4. As you can see, the value increases by a power of 2 as you move from right to left. A bit that is “off” (represented by a 0) counts as 0. All we have to do then is add up the values of the bits that are “on.” Figure 8.4 Calculating the value of each binary digit in an octet.

Bits 1

1

1

128 64 32

1

1

1

1

1

16 8 Values

4

2

1

91_tcpip_08.qx

2/25/00

11:10 AM

Page 403

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 403

Using this simple formula, to convert an octet in binary form, such as 10111001, to decimal, we start at the right and look at which digits are on. We see that the bits represented by 1s have decimal values of 1, 8, 16, 32, and 128. If we add up those values, we get a total of 185 for the octet, which matches the value we get when we use the scientific calculator to convert 10111001 to decimal. Another way of seeing how this is done when you’re first learning how to convert to binary is to “line” up the numbers in three columns like this: 128x1=128 64x0=0 32x1=32 16x1=16 8x1=8 4x0=0 2x0=0 1x1=1 Then add up the number in the last column, which in this case is 185. If all bits in an octet are “off,” the decimal value is 0, and if all are “on,” the value (total of 1, 2, 4, 8, 16, 32, 64, and 128) is 255.

Subnet Masking An IP address is divided into two parts: a designated number of bits on the left represent the network identification, and the bits to the right of that represent the host identification. Most network administrators are familiar with the purpose of the subnet mask, a 32-bit binary number (usually represented in “dotted decimal” like the IP address) that indicates which portion of an IP address identifies the network and which part identifies the individual host computer. Most also know the default subnet masks, shown in Table 8.1. Table 8.1 Default Subnet Masks Address Class

Default Subnet Mask (Decimal)

Default Subnet Mask (Binary)

Class A

255.0.0.0

11111111 00000000 00000000 00000000

Class B

255.255.0.0

11111111 11111111 00000000 00000000

Class C

255.255.255.0

11111111 11111111 11111111 00000000

These are called the default masks because they apply to networks that have not been subnetted (the dividing of one network into additional

91_tcpip_08.qx

2/25/00

11:10 AM

Page 404

404 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

subnetworks) or supernetted (combining of several class C networks into a single logical network). This means the subnet mask of 255.255.0.0 when applied to a class B network indicates an unsubnetted network. However, the same mask of 255.255.0.0, if applied to a class A network, would be a subnetted network. (In the next section, we will show you how to determine the address class).

NOTE It is important to remember that a subnet mask by itself has no class—it must be combined with a network ID to have meaning. That is because of the practices of variable subnetting and supernetting, which will be discussed in some detail in the section Troubleshooting Subnetting Problems.

Understanding the default masks is simple. Those octets designated by 255 (all 1s in binary), represent the network ID, and those that are 0s (also 0 in binary) represent host computers. In binary, a class C default subnet mask would like this: 11111111 11111111 11111111 00000000 Remember that all computers on the same network (subnet) must have the same network ID, and that no two computers on the same network can have the same Host ID. To understand variable length subnet masks, which indicate that the network is divided into subnets, you must once again go to the binary or you will probably end up hopelessly confused. Variable length subnet masks are created by “stealing” (or borrowing, if you don’t like the connotation of the other) bits from the portion of the IP address normally used for the Host ID and using them for the network (or subnet) ID. For instance, if you borrow four bits from the host portion of a class C network address, your subnet mask will look like this: 11111111 11111111 11111111 11110000 or, in decimal: 255 255 255 240 This technique allows us to divide our class C network into 16 subnets with 14 hosts on each subnet, using the following formulae: Number of subnets = 2x, where x = the number of bits borrowed from the Host ID. Number of hosts = 2x – 2, where x = the number of unmasked Host ID bits remaining.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 405

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 405

NOTE The formula given for determining number of subnets assumes that using all 0s and all 1s for the Subnet ID is allowed. RFC 1878 specifications allow for subnets using all 0s and all 1s, although Microsoft generally recommends against it and some routers will not support it. If you wish to follow the more conservative policy of disallowing all 0s and all 1s, the preceding example would result in 14 subnets with 14 hosts each.

Subnetting and using variable length subnet masks will be discussed in detail in the section Troubleshooting Subnetting Problems later in this chapter.

Determining Address Class Never try to use the subnet mask, as networking “rookies” sometimes do, to reliably determine which class of network you’re dealing with. Although 255.255.255.0 is the default class C mask, it could also be used on a subnetted class B network. Instead, the network classes are identified by the “high order” bits, or the leftmost bits in the binary notation. In simple English, this means you can tell the class of a network by its first octet. Let’s look at that idea in relation to each of the network classes.

Class A Addresses: 1–126 If we look at the class A default subnet mask, 255.0.0.0, we see that only one octet is being used to identify the network, and the remaining three are used for hosts. This means there are over 16 million possible Host IDs per class A network, which is a tremendous number of computers. The downside is that this leaves only 128 values left for the network ID (two of which are reserved for other purposes), so the number of class A networks is severely limited. In fact, the class A network IDs were all used up long ago. They are assigned to the largest networks, such as IBM. A class A address, like a huge gorilla lumbering down the street, is easy to recognize. Class A addresses always have the first (leftmost) bit set to 0. When you convert this to decimal notation, it means the first octet in a class A address will fall into the range of 0 to 127. Since 0 is not used as a network ID and 127 is assigned as a “loopback” address (which we will discuss in the section Troubleshooting Subnetting Problems later in this chapter), that leaves only 126 actual network addresses.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 406

406 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

NOTE The address range for class A is 1.0.0.0 to 126.255.255.255.

Class B Addresses: 128–191 Class B addresses are the “middle siblings.” You can see from the default mask of 255.255.0.0 that they use about half the bits for the network ID and the other half for Host IDs. Thus, there are many more possible class B networks than class A, over 16,000. On the other hand, each is limited to far fewer hosts: about 65,000. Class B networks are large, but not of the colossal proportions that mark a class A. Microsoft’s network is an example of a class B network. Class B networks are identified by their two high order bits, which are always “10” in the W octet. Again translating this to decimal, since that’s the way we normally express IP addresses, this puts the first octet of a class B address in the 128 to 191 range.

NOTE The address range for class B is 128.0.0.0 to 191.255.255.255.

Class C Addresses: 192–223 Class C addresses are assigned to the “little guys.” Compared to a class A, these networks seem tiny; each can have only 254 host computers. This is because the first three octets are traditionally used to identify the network, and only the last, lone octet is available for Host IDs. Ah, but that also means there are lots more class C network addresses to go around: more than 2 million. Class C networks are assigned to small companies or, more recently, are assigned to Internet Service Providers (ISPs), who then sell blocks of addresses to other organizations. Class C addresses have the three high-order bits in the “W” octet set to 110 in binary, which is represented as 192 to 223 for the first octet in decimal.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 407

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 407

NOTE The address range for class C is 192.0.0.0 to 223.255.255.255.

Class D Addresses: 224–239 Following the logical progression we started earlier, you would think class D addresses would be for tiny little networks, of which there could be gazillions. But it doesn’t quite work that way, and if you think about it, you’ll see that the only subnet mask left for a class D network would be 255.255.255.255. Hmmm . . . that indicates that all the bits would be used for the network ID, leaving none at all for the host. Thus a class D network could have no computers on it. It would be a little difficult to run a network like that, wouldn’t it? Maybe that’s why the Powers That Be, in designating the address classes, decided to do something different with class D addresses. Class D addresses are used for multicast groups. Earlier in the book, we discussed Windows 2000’s support for multicasting, the sending of a message to multiple computers using only one IP address that represents the entire group. That group address comes from the class D range, in which the four leftmost bits are set to 1110, making for a first octet in the 224 to 239 range.

NOTE See Chapter 4 for more information on how multicasting works.

Class E Addresses: 240–247 And you thought there were only three address classes? If you’ve never heard of class E IP addresses, there’s a good reason: They aren’t generally used for anything. Class E is actually designated as “reserved for future use,” although it’s likely that IPv6 and classless addressing will replace the present system, making the point moot. Class E is also often referred to as an “experimental” address class. This seems sensible; if someone is going to be out there conducting experiments on IP addresses, it certainly

91_tcpip_08.qx

2/25/00

11:10 AM

Page 408

408 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

seems preferable that he or she use an otherwise unused class of addresses rather than those on which the Internet and our private networks run. The class E address range has its five leftmost bits set to (you guessed it!) 11110, and its first octet will range from 240 to 247. And with that, we have covered all of the designated address classes. Now we’ll talk about how the network addresses are assigned, and why all of this “class stuff” will likely mean absolutely nothing in the not-too-distant future.

How Network IDs Are Assigned The network ID designates either a logical or physical network, and that network ID must be unique on any internetwork to which the network is connected. Because most networks today are connected to the global Internet (or expect to be in the future), it is vital that there not be duplicate network numbers. This would result in confusion for the routers responsible for getting data packets to their destinations. This means there must be some world-wide authority given the responsibility for allocating unique network numbers for IP networks and ensuring that those IDs are valid and duplicates do not occur. The Internet Assigned Numbers Authority (IANA) oversees the management of the IP address spaces, which are allocated through NSI (Network Solutions, Inc., formerly referred to as InterNIC) and other authorized registrars.

NOTE A “stand-alone” network, which is not connected to the Internet or any other internetwork, can be configured to use any network ID you choose. However, it is best practice to use the so-called “private” (or nonregistered) network addresses, which are specifically designated by the IANA for that purpose. We discuss private versus public addresses in the section IP Addressing Configuration Errors later in this chapter.

Remember that once you have been assigned a network ID and block of IP addresses, you can also subnet your network to divide it into two or more in order to cut down on broadcast traffic, isolate geographically or politically separate parts of the network, and so forth.

How Host IDs Are Assigned within the Network Within the network, the administrator can assign IP addresses from the appropriate range to individual computers. This can be done on an individual basis (manual address assignment) or by entering a scope of

91_tcpip_08.qx

2/25/00

11:10 AM

Page 409

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 409

addresses into a DHCP server’s configuration. Alternately, Windows 2000 can use APIPA if no DHCP server is available or, if Internet Connection Sharing is being used, addresses can be assigned to the ICS client computers by the ICS host using autoaddressing.

Manual Address Assignment The most straightforward way to assign IP addresses to the computers on your network (but also the method most prone to error) is manual assignment. A specific address is typed directly into the IP address section of the TCP/IP properties box for the particular network connection. See Figure 8.5. Figure 8.5 Manually assigning an IP address in the Windows 2000 TCP/IP Properties box.

When you manually assign an address, you must also enter the correct subnet mask, and if the network is routed, the IP address of the default gateway (router or computer performing routing functions). Although manual addressing is more time consuming if you have more than a few computers, and it is easy to make errors in entering the data which could result in loss of connectivity or odd network behavior, there are sometimes good reasons to manually assign addresses. If there is no DHCP server on the network, then obviously the addresses will need to be assigned manually. There are also certain systems, such as domain controllers and DNS and WINS servers, that need to have static

91_tcpip_08.qx

2/25/00

11:10 AM

Page 410

410 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

addresses. You may wish to assign their addresses manually (although you could alternately assign reserved addresses to them in DHCP configuration). Finally, the DHCP server itself cannot be a DHCP client, so it will require a manually configured IP address.

DHCP The Dynamic Host Configuration Protocol (DHCP) can be a network administrator’s best friend—unless he or she fails to configure it properly, in which case it can be a source of nightmares. DHCP’s purpose is to assign IP addresses dynamically, as computers come onto the network. Each computer only has to be set up in TCP/IP properties to get an IP address (and other TCP/IP configuration information) from a DHCP server, and the service does the rest. This has several advantages: Time saved. Network administrators don’t have to tediously enter the IP address, subnet mask, DNS and WINS server addresses, and other information over and over for every machine on the network. Likewise, if the IP address for the network’s DNS server changes, the change does not have to be made on every machine; the change is made in the DHCP server’s configuration and the new address is automatically disseminated to client computers when they obtain an address. Better accuracy. The possibility of mistyping an address in one of the machines is eliminated. A scope of addresses is defined only once, on the DHCP server, and the server manages the addresses. There is no possibility of the server “forgetting” that a particular address was already assigned to another machine and duplicating the address. More efficient use of addresses. If the number of available addresses is limited, DHCP optimizes their use since it only “leases” the addresses to computers for a predetermined period of time, instead of assigning them permanently as with manual assignment. When a computer goes offline, its address can be released so that it can then be assigned to a different system. In Windows 2000, configuring a computer to obtain an address from a DHCP server is simple. In the TCP/IP properties box, simply check the radio button option to “Obtain an IP address automatically” as shown in Figure 8.6.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 411

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 411

Figure 8.6 Configuring a computer to obtain an IP address from a DHCP server.

As you can see in Figure 8.6, you have several options. You can choose to have all IP addressing information assigned by the DHCP server, including the DNS server addresses, or you can manually assign a DNS server and have the other IP addressing information assigned automatically.

NOTE A new feature in Windows 2000 is the integration of DHCP with DNS. DHCP server and clients can now register with Dynamic DNS for name resolution.

We will further examine how DHCP works in the section Automatic Addressing later in the chapter.

APIPA and ICS Autoaddressing Two new services in Windows 2000, APIPA and ICS, also automatically assign IP addresses to computers under specific circumstances.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 412

412 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Automatic Private IP Addressing APIPA was included in Windows 2000 to make TCP/IP configuration easier and to help ensure that a computer would be able to communicate on a small (unsubnetted) TCP/IP network that does not have a DHCP server. In past versions of Microsoft’s operating systems, prior to the release of Windows 98 and then Windows 2000, if a computer did not have a manually entered address or an expired DHCP IP address lease and was not able to contact a DHCP server when it came online, it would not be able to join the TCP/IP network. With APIPA, the computer will first attempt to reach a DHCP server and negotiate a lease for an IP address. However, if this fails, it will then take the initiative and assign itself an address from the reserved APIPA range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0. This allows it to communicate on the network, using the APIPA address temporarily until a DHCP server can be reached. Internet Connection Sharing ICS is another new feature in Windows 2000. ICS is used to allow multiple computers to access the Internet or another outside connection via a single public IP address. ICS is a part of Windows 2000 Network and Dialup Connections and can be enabled on a Windows 2000 Professional or Server computer that has a dial-up connection to the Internet, thereby allowing other computers on the local area network to share that connection. ICS works by means of Network Address Translation (NAT), which will be discussed in more detail in Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The ICS component that is of interest in the context of this chapter is the ability of the ICS host computer to automatically assign IP addresses to the ICS clients. When you enable ICS, the host machine that is sharing its connection will be configured with an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0. You may recognize this as an address from the range of class C addresses designated as private or nonregistered addresses by IANA. We will discuss private versus public addresses later in this chapter. The ICS computer also becomes a DHCP allocator. This role differs from that of a full-fledged DHCP server in that the computer does not have to be running a server operating system. A Windows 2000 Professional computer can share its connection and act as a DHCP allocator. The DHCP allocator has a predefined scope of IP addresses that it can hand out to the client computers sharing its Internet connection. These addresses fall into the private class C address range, the 192.168.0.0 network.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 413

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 413

Although these services generally function as intended, there are situations in which the automatic addressing can result in problems or conflicts, as we will discuss later in this chapter in the section IP Address Configuration Problems later in this chapter.

NOTE See Chapter 9 for more information on ICS and NAT.

Private versus Public Addresses Public IP addresses are those addresses that are valid for connection to the Internet. These are also sometimes called “registered” addresses because they must be assigned by and registered with IANA/InterNIC. A public IP address, used for a direct connection to the Internet, must not be duplicated anywhere else on the public network. Without a proxy or NAT software, every computer on a LAN that needs to be connected to the Internet must have a separate public IP address. This is one of the reasons for the shortage of available IP addresses, which was a driving force in the development of inexpensive and easy-to-implement NAT solutions. With NAT, only one public IP is necessary (used by the computer with the direct connection to the Internet). However, the other computers on the LAN still must be assigned IP addresses to communicate with each other and with the NAT server via TCP/IP. This creates a need for some method of “recycling” IP addresses. Since local area networks behind the NAT (or proxy) computer will not be visible to the Internet, they don’t have to have unique addresses. In actuality, you could use any IP address range for your LAN. However, this could lead to problems if one of the computers did connect directly to the Internet and was using a public address already allocated to someone else. Thus IANA/InterNIC specified a range of network IDs in each address class that would never be used on the Internet. These addresses can be used safely by anyone on any private network (on computers not directly connected to the Internet). The reserved address ranges are shown in Table 8.2. The private address will not route through the Internet, so even if a computer from the private network had a direct physical link to the Internet, the address would not cause a conflict.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 414

414 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Table 8.2 Private IP Address Ranges Private Address Class or Type

Range of Valid Private Addresses

Class C private network

192.168.0.1 to 192.168.255.254

Class B private network

172.16.0.1 to 172.31.255.254

Class A private network

10.0.0.1 to 10.255.255.254

APIPA reserved addresses

169.254.0.1 to 169.254.255.254

Thousands of different organizations can use the very same addresses from this range on their internal networks. They do not have to be (in fact, cannot be) registered with any name/number authority. Proper use of private addresses can save a corporation a great deal of money, and preserves the diminishing pool of public addresses for assignment to ISPs. Using NAT/proxy services to provide Internet access to internal computers also provides additional security for the local network.

NOTE See RFC 1597 for more information about the assignment of the private network addresses.

How IP Addresses Are Used in Network Communications Once IP addresses have been assigned to all computers on the network, the addresses are used to identify both the network (or subnet) and the individual host, in the same way your home address can be used to identify both the street you live on and the individual house. A computer across the office or across the world can send a packet intended for your computer, just as a friend down the street or in another country can mail a letter intended to reach your post office address. In the latter case, the postal service is responsible for delivering the letter to the correct house. IP, working at the Internetwork layer, is responsible for getting the packet to the right computer interface. When it arrives there, IP’s job is done just as the mail carrier’s duty has been fulfilled when the letter goes into your mailbox. Before the letter can be “processed” or the packet can perform its function, there is another step. In many cases, more than one person resides at the same

91_tcpip_08.qx

2/25/00

11:10 AM

Page 415

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 415

address and more than one application is using TCP/IP communications. Getting the letter to the intended recipient requires another designation, your name. Getting the packet to the right application also requires another designation, in this case a TCP or UDP port number. Just as the mail carrier hands off the responsibility for getting the letter to the right person in the house to whomever checks the mailbox, the Internetwork layer hands off the task of getting the packet to the right port to the Transport (host-to-host) layer. The data is then passed on up the protocol stack to the application (such as an e-mail client) that can use it.

A Map for the Mail Carrier Wait a minute. The preceding scenario sounds good, but there’s still something missing. How does the mail carrier know where “1539 Indigo Road” is physically located? The bad thing about street addresses (at least, from the perspective of the mail carrier) is the fact that they can change. Cities are always renaming a thoroughfare to honor some favorite son, or houses get renumbered to accommodate new construction when large plots of land are subdivided. Even if the addressing scheme in your town remains stable, a new mail carrier won’t necessarily know where Indigo Street is. That’s when it comes in handy to have a map.

Getting from the Logical to the Physical Your street address is a “logical” address, as is an IP address. Using that logical address to arrive physically at the correct location requires some sort of mechanism that will translate the logical address to a physical one. A map does this by providing a “view” of where the property is located, and a very precise map will supply the geographic coordinates (latitude and longitude). You can think of ARP, the Address Resolution Protocol, as a sort of map for IP packets. If you know the IP address, ARP can tell you where to actually go on the network to get there. It does this by maintaining a table of IP addresses matched to physical (MAC) addresses. The physical address could be compared to the geographic coordinates that pinpoint where your house actually sits. Even if your street name or number changes, the physical location will remain the same, and this is also (generally) true of the NIC’s physical address.

How ARP Works ARP is designated as a required specification for TCP/IP by RFC 826. This is because, without some means of resolving IP addresses to physical hardware addresses, packets cannot reach their destinations. ARP uses

91_tcpip_08.qx

2/25/00

11:10 AM

Page 416

416 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

broadcasts to determine which physical addresses match up with which logical (IP) addresses. This information is then cached so that it will remain available. Caching the information reduces network traffic by eliminating redundant broadcasts. The cached information stays in the cache for up to 10 minutes. When an IP/physical address pair is entered into the cache, a timer is started. If two minutes pass and the entry is not used again, ARP removes it from the cache. If it is used within that time, the timer is reset and it gets another two minutes. If it continues to be used, its life will be extended every two minutes, up to 10 minutes. These are called dynamic ARP entries. You can also add static entries to the ARP cache, which will stay in the cache until you shut down or reboot your computer. To add a static entry, at the command line type arp –s followed by the IP address and then the physical address. For example, to add an ARP cache entry that matches IP address 192.168.1.24 with MAC address 00-34-d4-32-c6-27, you would type the following command: arp –s 192.168.1.24 00-34-d4-c6-27

NOTE When adding an ARP entry, the IP address is entered in decimal and the physical address in hexadecimal, with hyphens separating the two-digit bytes.

You can also use the arp command-line utility to view the current ARP cache, as shown in Figure 8.7, by typing arp –a. Figure 8.7 You can view the ARP cache by typing arp –a at the command prompt.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 417

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 417

If you have multiple network interface cards (NICs) on your Windows 2000 computer, there will be a separate ARP cache for each adapter.

NOTE RARP (Reverse Address Resolution Protocol) is a TCP/IP utility that performs somewhat the opposite function of ARP; instead of providing a hardware address when given an IP address, it provides an IP address from a gateway server’s ARP cache, when a RARP client provides its physical address. RARP is not included in Windows 2000.

Putting It All Together We discussed name resolution and the services that perform it (WINS and DNS) in Chapters 6 and 7. When NetBIOS or fully qualified domain names (FQDNs) are used by a client to make a request to a server, the first step in establishing the connection is to resolve the “user-friendly” name to a more computer-friendly number. In TCP/IP communications, this means an IP address that, together with a subnet mask, will identify both the network on which the computer resides and the specific network interface on that network with which we want to communicate. If the destination computer is on the same subnet as the sending system (which we can determine through a procedure called anding, a calculation applied to the IP addresses of the two computers), the process is relatively straightforward.

IP Communications on a Nonrouted Network (within the Subnet) When a computer wishes to communicate with another computer on the same subnet, IP determines, based on the IP addresses of both along with the subnet mask, that the destination computer is on the local subnet. The sending computer checks the ARP cache for a MAC address that matches the destination computer’s IP address. If no match is found in the cache, the sending computer will send an ARP broadcast message to all computers on the local subnet. This message essentially asks, “What is the physical address associated with ?” The sending computer’s own IP and MAC addresses are included in the ARP message. All computers on the local subnet receive the message. Those whose IP addresses don’t match the one in the message ignore it. The computer

91_tcpip_08.qx

2/25/00

11:10 AM

Page 418

418 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

whose IP does match the one in the ARP message first puts the sending computer’s IP/MAC address information in its own ARP cache, then sends a response to the sending computer with the information about its MAC address. When the sending computer gets the response, it adds the destination computer’s IP/MAC address information to its cache, and can now send data to the destination computer.

IP Communications on a Routed Network (to a Remote Subnet) If the destination computer is not on the same local subnet, it works slightly differently. In this case, ARP will resolve the remote IP address to the physical address of the router that can forward the message on to the subnet on which the destination computer resides. The IP protocol again checks the IP addresses and subnet mask and this time determines that the destination computer is not on the local subnet. IP determines the IP address of the default gateway (router), and the sending computer checks the ARP cache for a physical address that matches the router’s IP address.

For IT Professionals

IP Addresses and the Internet As we all know by now, TCP/IP is the protocol suite used for communications over the vast global network of networks that we call the Internet. We also know that in order for communications to take place on a TCP/IP network, every network ID on the internetwork must be unique, and every Host ID must be unique to that network. In theory, this means that of the millions of computers connected to the Internet, there should be no two with the same IP address. In practice, however, this is not strictly true. Due to the shortage of available IP addresses, and also because registering multiple addresses adds to the cost of running a network, many companies and home networks use some method of connecting many computers to the Internet through a single IP address. There are two popular types of software designed to accomplish this: Network Address Translation (NAT) and Proxy Services. Network Address Translation (NAT). This is a means of configuring one computer, which has a dial-up or dedicated connection to Continued

91_tcpip_08.qx

2/25/00

11:10 AM

Page 419

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 419

the Internet through an ISP, to serve as a gateway through which other computers on the LAN can obtain Internet access without being assigned separate “public” addresses. With NAT, these client computers use “internal” addresses from the private address range, which are not visible to systems outside the local network. To the Internet, there appears to be only one computer connected—and indeed, only the “gateway” computer (sometimes called the NAT or ICS host computer) is actually connected to the Internet. There are third-party software implementations of NAT, such as Sygate and NAT32. A new feature in Windows 2000 is built-in support for NAT. Windows 2000 Professional includes Internet Connection Sharing, which is a somewhat limited form of NAT that is simple to configure and administer. Windows 2000 Server includes ICS too, but it also provides for a more flexible form of NAT through RRAS (Routing and Remote Access Service), which allows for changing the IP address range, use of multiple public addresses, and multiple LAN interfaces. ICS does not support these advanced features. Both ICS and NAT include components for address assignment, translation of the private internal addresses to the public external address(es), and name resolution services. Proxy Services. A proxy server is a more sophisticated means of providing a shared connection to the Internet, which provides for greater security through complex filtering. Proxy software, such as Microsoft Proxy Server or Winproxy, requires a higher level of configuration and contains other features in addition to address translation. For example, proxy servers can be set up to cache often-accessed Web sites so that performance will be optimized and less actual access to the Internet is required. Generally, however, proxy servers use the same address translation technique as NAT— requests for Internet access go through the server, which maps each clients’ internal IP address and the application making the request to a port on the server. The proxy then presents the request to the “outside world” as if it came directly from the server itself, and the internal machines’ addresses are hidden from the Internet. The result is that there are many, many more individual computers “on the Net” than it would appear from the number of public IP addresses visible to the outside network. What appears to be one computer, with one IP address, may be a NAT host or proxy server that is forwarding requests and responses for dozens or even hundreds of computers on its local network.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 420

420 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

If it doesn’t find one, it broadcasts an ARP message to find the router’s physical address, using the same process as in the previous example. When the router, which is attached to the local subnet, receives the ARP message and determines the IP matches its own, it responds with its physical address after putting the sender’s IP/MAC information into its cache. The sender updates its own cache with the router’s information, and now will send any messages addressed to the remote destination computer through the router. The router will forward the message to the destination computer (or another router, if it is not directly connection to the destination computer’s subnet) using the same process.

Overview: IP Addressing Configuration Errors A large percentage of TCP/IP connectivity problems can be traced to IP addressing configuration errors. Thus, one of the first things you should check, if your TCP/IP-based computer is not able to communicate on the network, is the TCP/IP Properties sheet. Ensure that if you have manually assigned the IP address, it is a valid address for the subnet. Also check the address of the default gateway, DNS and WINS servers, and the subnet mask. Simply making this quick check can eliminate many problems. Common errors include transposing two digits within an address and switching two addresses between fields (such as entering the computer’s address in the default gateway field, and vice versa). It sounds elementary, but remember one important rule of troubleshooting is to always check the “simple stuff” first.

NOTE Microsoft documentation attributes the majority of TCP/IP connectivity problems to incorrectly entered IP address information. This is one case where typos do count.

Duplicate IP Addresses Duplicate addresses can be a problem in a network where some or all of the IP addresses are manually assigned, especially if there is more than one administrator or other personnel are responsible for configuring TCP/IP properties on computers.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 421

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 421

If this happens, the following situation may occur: When a Windows 2000 computer comes online (or when its IP address is changed), and its TCP/IP stack is initialized, it sends a “gratuitous” ARP message, requesting the hardware address associated with its own IP address. If another computer responds, thus claiming the IP address as its own, the newly initialized computer will stop using IP. If there is another network protocol installed, it may be able to continue communicating on the network using the other protocol. If TCP/IP is the only network protocol installed, it will not be able to communicate on the network. Windows 2000 tries to prevent duplicate address errors in several ways. If you change the TCP/IP settings and enter an IP address that is already in use on the network, you will get a message indicating the address is taken and instructing you to change your settings. If you change the settings while offline and then come back onto the network, you will receive a message informing you that there is an IP address conflict. The computer that is already using the address will also display an error message (see Figure 8.8) indicating that there is an address conflict, although it will be able to continue communicating via TCP/IP using the address. Figure 8.8 Windows 2000 displays an error message when a duplicate address is detected.

One way to track down this problem is by checking the System Log in the Windows 2000 Event Viewer. An error message will appear, indicating that the system detected an IP address conflict.

Locating the Other Computer that Is Using the Address There are several ways to locate which other computer on the network is using the address. If it is a Windows 2000 or NT computer, there will be an event entered in its System Log reporting the conflict, although the computer that “got there first” will be able to go on using the address. You can also use the tracert command on the address to find out the name of the computer using it, or you can use arp –a to find out the physical address of the computer using the IP address, as long as the other computer is on your local subnet.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 422

422 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

TIP There is third-party IP management software that will do sophisticated tracking and auditing of IP address information. One such product that is compatible with Windows 2000 is Meta IP. For more information, see www.metainfo.com/products/metaip.cfm.

Address Conflicts with Computers Using DHCP If you receive a message that you have an IP address conflict at bootup and the machine is using DHCP, you can release the address so the DHCP server will assign a new address. To release the address, use the ipconfig /release command.

Invalid IP Addresses If the computer is given an IP address that is “illegal” or just invalid for use on that particular network, it will not be able to communicate with other computers over TCP/IP. As mentioned earlier, if you are running a private network that has no connection to the “cloud” (as many books and illustrations represent the Internet), you can use any IP addresses you wish, including those that have already been assigned for public use. This will not cause a problem—unless you later decide to connect your network to the Internet without changing the addressing scheme. At that point, your addresses may conflict with those of another organization that has registered that address space. Packets intended for computers on your network will be routed to the “legal” holder of the addresses. An invalid address may not be illegal, but does not “fit” into the local network’s addressing scheme. If the LAN is using the network ID of 192.168.1.0 with a subnet mask of 255.255.255.0, then the computers that are on that network must have IP addresses that use 192.168.1 for the first three octets. If you assign one of the computers an address that is not on that network (or if it is assigned an address with a different network ID by APIPA because a DHCP server could not be contacted), when IP attempts to contact another computer on the same segment it will identify the address as belonging to a remote host and will send the packet to its default gateway. Also remember that Host IDs of all 0s or all 1s are not valid for assignment as a computer’s IP address. A Host ID of all 0s is used to

91_tcpip_08.qx

2/25/00

11:10 AM

Page 423

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 423

identify the network, and a Host ID of all 1s is used as the broadcast address, for messages to be sent to all computers on the network. Thus, on a class B network using the default subnet mask of 255.255.0.0, both the addresses 138.21.0.0 and 138.21.255.255 would be unavailable for Host IDs. On a class C network using the default subnet mask of 255.255.255.0, the same would be true of the addresses 201.45.3.0 and 201.45.3.255.

DHCP Configuration Problems The Dynamic Host Configuration Protocol runs on a Windows 2000 Server and automatically assigns IP addresses to computers configured to be DHCP clients. DHCP originated as a derivative of BOOTP, the Bootstrap Protocol used in earlier networks to assign IP addresses dynamically, usually in the context of booting diskless workstations from the network.

NOTE The specifications for BOOTP are defined in RFCs 951 and 1084.

How DHCP Works: Condensed Version Most network administrators are familiar with DHCP and aware of the four-step process required for a DHCP client to obtain a “lease” on an IP address. We will briefly review those steps to identify the points in the process where things can go wrong.

NOTE DHCP is not a Microsoft-specific feature. UNIX, NetWare, and other network operating systems (server software programs) also use DHCP.

The four steps in the lease process involve the sending of four special messages between the DHCP client and a DHCP server. These messages are called: ■ ■

DHCP Discover DHCP Offer

91_tcpip_08.qx

2/25/00

11:10 AM

Page 424

424 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems ■ ■

DHCP Request DHCP Acknowledgment

The process is relatively simple.

DHCP Discover When a computer that is configured to be a DHCP client comes online and its TCP/IP stack is initialized, it accesses the Registry settings pertaining to TCP/IP parameters and recognizes that it must obtain an IP address from a DHCP server. It does not, however, know how to reach a DHCP server. Unlike DNS and WINS servers addresses, the IP address of a DHCP server is not entered in the TCP/IP configuration properties. That means the computer must broadcast for a DHCP server. The client sends a broadcast message (addressed to the broadcast address 255.255.255.255) called a DHCP Discover message, which essentially asks DHCP to come to its aid and assign it an IP address.

NOTE Since the client does not have an IP address at this point, it uses the address 0.0.0.0 as its source address. The server would not be able to identify the client that sent the request from this address, so the message also includes the client computer’s name and its physical MAC address.

DHCP Offer If there is an authorized DHCP server on the network, it hears the client’s plea for help and responds with a message called a DHCP Offer. This message contains an IP address from its predefined scope of addresses that can be allocated, as well as other information such as duration of the lease. This message is also sent as a broadcast, since the client computer doesn’t yet have an IP address to which the server can send the message directly. The Offer message includes the IP address that is available (and the server temporarily reserves it during the extension of the offer), a subnet mask, a lease duration (which is specified by the administrator in configuring DHCP), and the server’s IP address.

DHCP Request The client will receive “offers” from more than one source if there are multiple DHCP servers on the network that have available addresses. The client will accept the first offer that arrives, and will send back a message

91_tcpip_08.qx

2/25/00

11:10 AM

Page 425

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 425

called a DHCP Request. This is also a broadcast—so the other servers who made offers will know that they’ve been “rejected” and will release the addresses they had temporarily reserved for the client—which we might think of as a formal acceptance of the first server’s offer. It includes the IP address of the server whose offer is being accepted.

DHCP Acknowledgment The final message, the one that “clinches the deal,” comes from the DHCP server. It acknowledges the acceptance of its offer and assigns the IP address to the client for it to use for the duration of the lease period. It also includes other TCP/IP configuration information, such as the default gateway and subnet mask, and the addresses of DNS and WINS servers, if the client is configured to get this information through DHCP. After receiving this message, the client will be able to use the IP address for TCP/IP communications over the network. This last message is called an ACK. If the server is for some reason unable to complete the transaction, it sends instead a NACK, or negative acknowledgment.

NOTE A NACK occurs when a client attempts to lease an IP address it held previously, which has become unavailable, or if the client has relocated to a different subnet and the address it is trying to lease is now invalid.

Common DHCP Problems Next, we will look at some of the problems that can occur as this scenario plays out.

NOTE Windows 2000 Pro cannot be a DHCP server, although it can serve as a DHCP allocator, performing somewhat the same function, when set up to share its Internet connection as an ICS host.

Traditionally, most problems with DHCP fall into a few broad categories: ■ ■

Server configuration problems Client configuration problems

91_tcpip_08.qx

2/25/00

11:10 AM

Page 426

426 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems ■ ■

Unauthorized DHCP servers Unavailable DHCP server

We will discuss each of these, how Windows 2000’s TCP/IP enhancements help to reduce the frequency of these problems, and best practices for optimizing DHCP performance and decreasing the chances of problems.

Server Configuration Problems As might be expected, the majority of DHCP problems stem from incorrect initial configuration or failure to update the configuration on the DHCP server(s).

TIP Remember that the DHCP server itself cannot be a DHCP client; it must be manually configured with a static IP address and other TCP/IP configuration information.

In Windows 2000, Microsoft has incorporated the management of the DHCP server services into the Microsoft Management Console (MMC), providing a new, more standardized look and feel for administrators. See Figure 8.9 for an example of the DHCP management console snap-in. Figure 8.9 The DHCP server is configured from the MMC.

You can access the DHCP MMC via Start | Programs | Administrative Tools | DHCP on the server. If DHCP is not performing as expected across the network, the first thing you should check is the configuration on the DHCP server.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 427

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 427

NOTE If DHCP is not functioning at all, one thing to check is whether the DHCP service has been stopped. Windows NT administrators are used to stopping and starting services from the Services applet in Control Panel, but you won’t find that applet in Windows 2000 Server. Instead, right-click My Computer, choose Manage, and navigate down the tree in the left panel to expand Services and Applications. Select DHCP, right-click (or choose the Action menu), and select All Tasks. Here you can start, stop, pause, resume, or restart the service, as shown in Figure 8.10. Figure 8.10 Starting and stopping the DHCP service via the Computer Management MMC.

As you can see in Figure 8.10, you can perform configuration tasks such as creating new scopes, reconciling scopes, defining classes from the Computer Management snap-in, and starting or stopping the service.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 428

428 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

These tasks can also be performed from the DHCP MMC accessed through Administrative Tools; this can be confusing when you first start working with Windows 2000.

Scopes and Address Pools In the context of DHCP, a scope is a group of consecutive IP addresses that can be allocated to clients on a subnet. For example, a scope might be defined as 192.168.1.140 through 192.168.1.160. Note that these addresses are contiguous. To define a scope, simply click DHCP in Computer Management, and on the Action menu, select New Scope. This will start the New Scope Wizard, which walks you painlessly through the process. A scope must have a name, a range of IP addresses, and a subnet mask. You can also define the lease duration, reserve certain addresses for certain DHCP clients, and define options.

NOTE After you define the scope, you must activate it before it will be used by DHCP.

In some cases, you may want to exclude certain addresses within the scope’s range from being offered to DHCP clients, such as those used by routers or computers with manually configured static addresses. For instance, if you have three DNS servers on the network with manually configured IP addresses that fall within the scope, you would exclude those addresses (another option is to reserve addresses for those computers, so that DHCP will assign them the same addresses each time they request a lease, as we will discuss a little later in the chapter). Suppose the manually assigned IP addresses of the three DNS servers are: 192.168.1.150 192.168.1.151 192.168.1.152 You don’t want DHCP handing out those addresses to its clients, or you will end up with an IP address conflict. You can define an exclusion range of 192.168.1.150 through 192.168.1.152, and those addresses will be excluded from the DHCP scope. You can choose to exclude a range of addresses during the creation of the scope, using the New Scope Wizard. To exclude a range of addresses after the scope has been created, simply expand the Scope object in the left panel of the MMC, and right-click

91_tcpip_08.qx

2/25/00

11:10 AM

Page 429

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 429

Address Pool. Choose New Exclusion Range, as shown in Figure 8.11, and the Exclusion Range dialog box will be displayed. Enter the first and last address in the range of addresses that you wish to exclude, or to exclude just one address, enter it in the Start field (not in both fields). Figure 8.11 You can exclude a range of IP addresses from the DHCP scope.

Common Problems Associated with Scopes and Address Pools Common problems that arise in relation to DHCP scopes include: ■

■ ■

■

Not excluding the addresses within the scope range that have been assigned to routers, network print devices, or computers whose IP addresses were configured manually. Specifying an incorrect subnet mask. Defining too small a scope so that the DHCP server does not have enough IP addresses to assign to all requesting DHCP clients. Not activating the scope after defining it. To activate the scope, right-click the scope you want to activate under DHCP in Computer Management, and select Activate, as shown in Figure 8.12.

91_tcpip_08.qx

2/25/00

11:10 AM

Page 430

430 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Note in Figure 8.12 that Windows 2000 places a warning icon by the scope name to notify you that it has not yet been activated. Figure 8.12 After creating the scope, you must activate it before DHCP can use it.

Superscopes When a single physical network segment consists of more than one logical IP subnet, and when two DHCP servers are tasked with managing separate logical subnets on the same physical network, Microsoft recommends that you implement a superscope. This allows DHCP servers to assign addresses from more than one scope to the same subnet. Without superscopes, this situation may cause DHCP clients to receive NACKS when they come online and attempt to renew their previous leases, and/or when a new address is obtained, it might put the client on a different subnet from the one for which it had been configured before. Superscopes prevent these problems by allowing each of the two DHCP servers to recognize and “respect” addresses assigned by the other. To configure superscopes, all of the DHCP servers on the segment are set up to recognize all subnets on the segment. Exclusion ranges are used on each server to prevent their address ranges from overlapping. In other words, you configure each server so that its superscope includes all the

91_tcpip_08.qx

2/25/00

11:10 AM

Page 431

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 431

subnets, including those whose addresses are allocated by other DHCP servers. You then set up exclusion ranges for the addresses that are allocated by the other servers. This way, each server will recognize all the addresses in the superscope as valid, but will only allocate those addresses that are not excluded in its configuration.

Lease Duration As we already learned, when a DHCP server allocates an IP address to a client, it does not grant permission to use that address permanently. Instead, it “leases” the use of the address for a specified period of time, called the lease duration. During the creation of a new scope, the Windows 2000 New Scope Wizard allows you to change the default lease duration of eight days, as shown in Figure 8.13. Figure 8.13 The New Scope Wizard allows you to change the duration of DHCP leases.

You are not, however, stuck with the lease duration that is set during the scope creation. You can change the duration of leases handed out by the server at any time, by editing the Properties page for the scope. Right-click the name of the scope for which you wish to change the lease duration, and select Properties. You will see the dialog box shown in Figure 8.14. As you can see, the duration can be set to the number of days, hours, and minutes desired, just as could be done during the creation of the

91_tcpip_08.qx

2/25/00

11:10 AM

Page 432

432 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Figure 8.14 You can change the lease duration for DHCP clients through the Scope Properties sheet.

scope. Another option you have, which was not given by the New Scope Wizard, is to choose not to limit the duration of the DHCP leases. In that case, clients will retain their leases until the lease is manually released.

WARNING It is usually not desirable to set the lease duration to unlimited, because this means that even if the computer holding the lease goes offline forever, that IP address cannot be reused until or unless the lease is manually released.

If a DHCP client goes down, the administrator can force the lease to be released by right-clicking Address Leases under the Scope name in the console, selecting the IP address/computer name combination for the lease to be released in the right pane, right-clicking and selecting Delete, as shown in Figure 8.15. This will free the IP address to be allocated to another DHCP client.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 433

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 433

Figure 8.15 You can manually force a DHCP to be released by deleting the lease in the management console.

NOTE If you find that all of the IP addresses in the scope are being used even though you have fewer computers on the network than the number of addresses to be allocated, check the Address Leases to determine if RRAS is assigning multiple DHCP addresses to the same computer(s). In Figure 8.15, those IP address leases that have icons showing a telephone beside the computer are assigned by RRAS.

The Lease Renewal Process If you sign a one-year lease for a house, and you wish continue living on the property, you probably will not wait until the day the lease is up to negotiate a renewal of the lease with the landlord. If you did, you might find yourself out on the streets with no place to live. Similarly, DHCP clients “think ahead” to ensure that they aren’t left high and dry without an IP address when their leases expire.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 434

434 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

When the lease period, as set in the lease duration configuration, is halfway expired, the DHCP client will send a message to the DHCP server requesting a renewal of the lease (as you can see, DHCP clients plan further ahead than do most residential tenants). Normally, the DHCP server then renews the lease. But what if the server from which the lease was obtained has gone down? The client will try again when 87.5 percent of the lease has expired. The first renewal attempt is made by sending a DHCP Request directly to the DHCP server holding the lease. If no response is received, the client tries to obtain a lease from any available DHCP server, broadcasting a DHCP Request. If the client doesn’t get a response from any DHCP server (or if it gets a negative response) before the expiration time is up, it cannot continue to use the address. At that point, it must start all over with the leasing process in order to be assigned a new IP address.

TIP You can force the client to manually request a renewal of its lease at any time by using the ipconfig /renew command.

Common Problems Associated with Lease Duration The network problems commonly associated with lease duration can be solved or reduced by taking advantage of Windows 2000’s option to change the duration as shown in the foregoing section. These problems include: Network slowdown caused by excessive lease renewal traffic. Looking back at the process for obtaining and renewing DHCP leases, you can see how DHCP is capable of adding a lot of network traffic. This is especially true if the network is large, with many DHCP clients. You can alleviate some of the congestion by extending the lease period beyond the default if there are plenty of IP addresses available and the clients are stable. In this case, you might consider increasing lease duration to 21 or even 30 days. Inefficient use of DHCP addresses resulting in server(s) not having enough addresses for all requesting clients. This problem can occur when there is a limited number of IP addresses in the DHCP scope and you have an unstable client situation; that is, computers configured to use DHCP that move on and off the network, as with laptop/notebook systems. DHCP client computers running Microsoft operating systems do not release their leases when they shut down, so if laptops are removed from the network,

91_tcpip_08.qx

2/25/00

11:11 AM

Page 435

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 435

their leases will still be assigned to them for the duration of the lease even though they are not being used. If this happens, you may find it beneficial to decrease the lease duration to a shorter period than the default, so addresses will be more quickly returned to the pool of available addresses to be assigned to other clients.

Reserved Addresses Some computers—primarily servers—need to always have the same IP address. One way to accomplish this is to manually configure their TCP/IP properties, but this means that if other TCP/IP configuration information changes (for instance, the address of the WINS server), they will all have to be manually changed. There’s a way to allow these computers to enjoy the benefits of DHCP, such as the ability to make those changes on the DHCP server and have it automatically disseminated to the clients, and still ensure that the computers that need to always have the same address can. This is accomplished by assigning reserved addresses to those computers. Adding a reserved address is easy in Windows 2000. Right-click Reservations under the Scope in the MMC, and select New Reservation. You will see a dialog box, as shown in Figure 8.16. Figure 8.16 You can make an address reservation for a client that needs to always have the same address.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 436

436 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

1. Type in a name for the reservation, the IP address to be reserved, and the physical (MAC) address of the computer for which you are reserving the address. 2. The Description field is optional. 3. You must choose the allowed client type (DHCP, BOOTP, or both). 4. Click ADD to enter the new reservation into the DHCP database.

WARNING The MAC address must be entered correctly or the DHCP server will not assign the reserved address to the computer. Although the reservation name can be the name of the client computer, the DHCP server uses the hardware address to recognize the computer for which an address reservation is made. Unlike when you enter the MAC address to configure a static arp cache entry, you must NOT put dashes in the MAC address when you configure a client reservation at the DHCP server.

Determining the Physical Address of a Computer To find the hardware address of a computer while sitting at the computer itself, type ipconfig /all at the command line. To find the hardware address of another computer on the network, first ping the computer name if you don’t know its IP address. When you have the IP address, type arp –a at the command line to find its physical address. If you have the Windows 2000 Resource Kit, you can use the getmac utility.

NOTE Although the MAC address is displayed in the ipconfig and arp utilities with dashes between each pair of hexadecimal digits, do not use dashes when you enter the MAC address in the New Reservation dialog box.

DHCP Options There are four types of DHCP scope options, in increasing order of specificity: ■ ■

Server options Scope options

91_tcpip_08.qx

2/25/00

11:11 AM

Page 437

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 437 ■ ■

Client options Class options

Server options. These are the default options that are applied to all scopes configured on a particular DHCP server. You can use them to define configuration information used by all the client computers, such as the address of the WINS or DNS server. Scope options. As the name implies, these apply only to clients whose addresses are leased from the specified scope. This allows you to set information specific to a particular subnet (when there is a separate scope for each subnet) such as the default gateway address. Client options. In some cases, you may need to define options that apply only to a specific client or clients. These are used for clients with reserved addresses. Class options. When you use the Server, Scope, or Client Options dialog boxes, you can use the Advanced tab to configure and enable options for clients that are members of a specified user or vendor class. Only the DHCP clients that identify themselves according to the criteria for the selected class will be given the options data you have set up for that class.

How to Configure Options To configure the Server options, right-click Server Options in the left pane of the console, and select Configure Options. To configure Scope options, right-click Scope Options and do the same. Configuration of client options is a little trickier. First, you must have a client reservation. Expand the Reservations container, select the client reservation for which you wish to configure client options, right-click it, and select Configure Options (shown in Figure 8.17).

NOTE Some Microsoft documentation refers to the Server options as “Global” options. Class options are new to Windows 2000. Microsoft provides three predefined classes: a default user class, the Microsoft Dynamic BOOTP class, and the Microsoft RRAS class, as shown in Figure 8.18. Options are applied in the following order of priority: 1. Specific client options are used before scope or global options. 2. Scope options are used before Server options.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 438

438 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

3. Class options can override values assigned and set at the same context (server, scope, or client options) or the values that are inherited from options at a higher context. Class options are divided into two types: user class and vendor class. The most commonly used options include: Figure 8.17 Client options can only be configured for clients with address reservations.

■ ■ ■ ■ ■

IP addresses of routers. IP addresses of DNS servers. DNS domain name. NetBIOS node type. IP addresses of WINS server.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 439

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 439

Figure 8.18 Class options apply only to members of specified classes.

NOTE Class-based options only apply to DHCP clients that are identified as members of the specified user or vendor class.

Monitoring the DHCP Server Another improvement that Microsoft has made in Windows 2000 includes enhancements to the ability to monitor and provide statistical information for the DHCP server(s). A common DHCP-related problem is the depletion of available IP addresses, so Windows 2000 allows you to set up a predefined point at which an alert will be sent informing you that the specified percentage of available IP addresses has been used (you can also configure a second notice to be sent when the addresses are all gone). The Windows 2000 DHCP management tool supports the Simple Network Management Protocol (SNMP), as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for

91_tcpip_08.qx

2/25/00

11:11 AM

Page 440

440 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

monitoring of DHCP-related statistics. There is a great deal of useful information available via the DHCP manager, including the number of DHCP Discover, Offer, Request, and ACK/NACK messages that have been sent since the server last started (see Figure 8.19). Figure 8.19 The DHCP management administrative tool displays statistical information.

To access the statistical information, go to Start | Programs | Administrative Tools | DHCP. In the DHCP Manager, right-click the DHCP server name, and select Display Statistics. As you can see, the statistical summary provides you with the number of scopes configured, total addresses allocated for assignment, how many of those are in use, and how many are still available.

NOTE Another source of information about DHCP activities is the Event Viewer, which logs informational, warning, and error messages, and DHCP audit logs if you have logging enabled.

The DHCP Database The DHCP database can become corrupt, or data might be accidentally deleted or destroyed due to hardware problems, power problems, viruses, or other reasons.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 441

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 441

The database files are stored in <systemroot>\System32\DHCP and include the following files: ■ ■ ■ ■

Dhcp.mdb Dhcp.tmp J50.log and J50#####.log J50.chk

NOTE Do not remove or alter these files. You may be accustomed to deleting temp files to free disk space; however, the Dhcp.tmp file is used as a swap file, and Microsoft documentation warns that it should not be deleted.

Windows 2000 backs up the DHCP database by default at one-hour intervals. You can edit the Registry to change the backup interval. To do so, use a Registry editor to open the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP \Parameters

WARNING Always back up the Registry before making changes. Editing the Registry should always be done with care, as incorrect entries could cause the system to become unbootable.

Edit the value BackupInterval by entering the number of minutes desired between database backups, as shown in Figure 8.20. By default, the value is shown in hexadecimal, but you can convert it to decimal by selecting the appropriate radio button.

NOTE The DHCP database backup files are stored on the DHCP server in the <systemroot>\System32\DHCP\Backup\Jet directory. A copy of the DCHP\Parameters subkey of the Registry is stored in the Backup directory with the file name DHCPCFG.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 442

442 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Figure 8.20 Edit the Registry to change the interval between DHCP database backups.

If the operating system detects that the DHCP database has become corrupt, it will automatically restore from backup when the service restarts. To manually restore the database from the backup files, you must edit the Registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\DHCPServer\Parameters and set the RestoreFlag value to 1.

NOTE It is not necessary to edit the Registry again to reset the RestoreFlag entry. After the database is restored, the server will automatically return the value to 0.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 443

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 443

If you are unable to edit the Registry entry, another way to restore the database is by copying the <systemroot>\System32\DHCP\Backup\Jet folder to <systemroot>\System32\DHCP. Be sure you stop the DHCP service before copying the files. After you have copied the files, restart the DHCP service to restore the database.

Client Configuration Problems A number of problems can affect a DHCP client’s ability to use the service. If other DHCP clients on the subnet are having no problems obtaining and using IP addresses, and if you have checked and determined that the server’s address allocation has not been depleted, this indicates the problem is related to the configuration or operation of the client computer.

Client Cannot Obtain an IP Address This indicates that the client machine was not able to reach a DHCP server. There could be many causes for this, including a hardware problem. Be sure the client has a network connection to the server by pinging the server from the client computer. If you cannot, check cables, NICs, and other hardware devices. If you can ping the server from other computers on the same subnet, check the client computer’s protocol configuration. Be sure TCP/IP is installed and functioning by pinging the loopback address (127.0.0.1).

TIP If you are using a DHCP Relay Agent, make sure that the machine is functioning and that its IP configuration parameters are correct. A common error is adding the DHCP Relay Agent service and then failing to configure a DHCP server for it to contact.

Client Has an Invalid IP Address If the client is unable to communicate with other computers on the network, and ipconfig indicates that the client is using an address that is invalid for the subnet (from the 169.254.0.1 through 169.254.255.254 range), this indicates that the client was unable to contact a DHCP server and assigned itself an address via APIPA. Try to ping the server. If you are able to do so, try manually renewing the lease. To disable APIPA, see the section Automatic Private IP Addressing earlier in this chapter.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 444

444 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Client Is Missing Configuration Information If the client was assigned an IP address by the DHCP server but did not properly receive additional configuration information, such as the DNS server address, ensure that the client supports the options and that the options have been properly configured at the server.

Multiple Clients Are Suddenly Unable to Obtain IP Addresses If many clients become unable to obtain leases for IP addresses, check the following: ■

■

■

■

Ensure that the DHCP server is up, and that its IP address has not been changed. Ensure that the DHCP server’s IP address is in the same network range as the scope it is servicing. Be sure that you don’t configure multiple DHCP servers on the same subnet with overlapping scopes. If you are using Active Directory domains, be sure that the DHCP server has been authorized in the Active Directory.

NOTE If one of the DHCP servers is running Microsoft Small Business Server, be aware that the DHCP Server service in the SBS will automatically stop if it detects that there is another DHCP server on the local subnet.

Other Common DHCP Problems Most of the time, DHCP works well, saving administrators a lot of time and headaches. However, as with any other service, things can go wrong. Microsoft has attempted to address and prevent potential problems as much as possible in Windows 2000, but you should be aware of some of the common DHCP-related problems that can occur.

Unauthorized (“Rogue”) DHCP Servers Problems can occur on a network when there are unauthorized DHCP servers. Perhaps someone configured a server as a DHCP server by mistake, or in order to practice with the service. The “rogue” server could begin handing out IP addresses—perhaps in a range that is invalid for the subnet—when DHCP clients broadcast a Discover message. This would result in those clients being unable to communicate with other clients on the subnet whose addresses were allocated by the authorized server.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 445

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 445

Windows 2000 attempts to prevent this situation by building in a feature to disallow address allocation by DHCP servers that have not been authorized by an administrator in the Active Directory. No responses will be returned to DHCP inform messages sent by unauthorized servers. When a Windows 2000 DHCP server comes online, it attempts to check the Directory to determine if it is authorized. If not, it does not respond to DHCP client requests.

NOTE Unfortunately, this detection/prevention of “rogue” DHCP servers only works with Windows 2000 servers. A Windows NT 4.0 DHCP server will not be detected as a “rogue.”

DHCP Clients and Server on Different Subnets In order for a DHCP server to provide IP addresses to clients across a router, the router must be able to act as a DHCP relay agent, or there must be a machine that is running the DHCP relay service on the client subnet. A Windows NT 4.0 or Windows 2000 server can be configured to run as a DHCP relay agent. However, most modern routers are able to support DHCP/BOOTP relay.

NOTE DHCP/BOOTP relay agent specifications are described in RFC 1542.

Multiple DHCP Servers The Microsoft documentation suggests that if you have multiple DHCP servers, you should put them on different subnets for fault-tolerance purposes. The servers should not have common IP addresses in their scopes (each server should have a unique pool of addresses). With the routers configured for relay or a DHCP relay agent on each subnet, if the DHCP server on the local subnet goes down, requests will be relayed to a remote subnet. Then, the DHCP server on the remote subnet can respond to DHCP requests—if it contains a scope of IP addresses that are valid for the requesting subnet.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 446

446 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

WARNING If the remote server does not have a scope defined for the requesting subnet, it won’t be able to provide IP addresses to the requesting clients even if it has addresses available for other scopes.

By configuring each DHCP server with a pool of addresses for each subnet, each will be able to provide IP addresses for remote clients whose own DHCP server is offline.

Automatic Addressing (APIPA) The automatic addressing feature in Windows 2000 (first introduced in Windows 98) was designed to solve a common problem with DHCP: In earlier Microsoft operating systems, when a computer that was configured to be a DHCP client came online and no DHCP server was available, it had no way of obtaining an IP address and thus could not communicate using IP. APIPA circumvents this situation by giving DHCP clients a “contingency plan.” When the computer comes online, it will first attempt to reach a DHCP server to obtain an address, but if it fails to do so, using APIPA it can assign itself a temporary IP address to use until the DHCP server is back up. This is all well and good, but not always as useful as it sounds. The problem is that the addresses assigned by APIPA come from a range reserved for that purpose, the class B 169.254.0.0 network with a subnet mask of 255.255.0.0. This means the computer will only be able to communicate with other computers whose addresses were also assigned by APIPA, or that were manually configured to use 169.254.x.x addresses. Assuming your network uses a different network ID, the APIPA computer won’t be able to communicate over IP with the rest of your network, and automatic addressing serves little purpose.

NOTE Use the ipconfig command to determine whether a computer is using an APIPA address. If the IP address being used by the computer is in the 169.254.x.x range, an APIPA-assigned address is being used.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 447

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 447

You may wish to disable APIPA, especially if your network uses routers, and/or the computers on your network are all connected directly to the Internet without going through a proxy server or a NAT gateway. See the following section for instructions.

NOTE APIPA can also be used during the Windows 2000 setup process to automatically assign temporary addresses in order to get the servers up and running quickly. This is an option in the Networking Settings dialog box when you select Typical settings.

How to Disable APIPA To disable automatic address configuration, you have to edit the Registry. 1. Use a Windows 2000 registry editor (Regedt32 or Regedit) to open the Registry. 2. Locate the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ Parameters\Interfaces\adapter_name

3. You must create a new value of the REG_DWORD type. Name the new value as follows: IPAutoconfigurationEnabled

4. Now double-click the new value name when it appears in the right pane, and assign it a value of 0 (“False”) to turn off APIPA. You can reenable APIPA at a later time by editing the key and changing this value to 1, or by deleting the IPAutoconfigurationEnabled entry (if it does not exist, the default value of 1 is in effect).

WARNING You should always back up the Registry before making any changes.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 448

448 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

NOTE If you have more than one network adapter and you wish to disable APIPA on all of them, you don’t have to individually edit each adapter’s parameters. Instead, you do it in one fell swoop by creating the IPAutoconfigurationEnabled entry and setting it to 0 in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Tcpip\Parameters

Hardware Address Problems The ARP command-line utility is your best starting place for troubleshooting problems related to hardware addresses. Use the arp –a command to view the current ARP cache. If IP addresses have been reassigned, it is possible that the cache contains the old IP-to-MAC address mapping. Although dynamic entries are cleared from the cache within 10 minutes, this problem would be more likely to occur if a static entry had been made, since it would then remain in the cache until the computer was rebooted.

TIP If you want to remove a static entry from the arp cache, use the arp –d command.

Duplicate MAC Addresses In theory, this problem should never occur. Each network card manufacturer is allocated a range of hardware addresses to be assigned to the computers it manufactures, and there should be no two NICs in the world with the same hardware address. However, like IP addresses, MAC addresses have become less plentiful, and some manufacturers have started to reuse addresses. Additionally, errors do occur in the manufacturing process, and cards have shipped accidentally with duplicate addresses. This is not a problem if the two NICs with identical addresses end up on separate networks.

Troubleshooting Subnetting Problems Let’s now delve into the subject of subnet masking. We are going to use the principle of reserving or masking bits as we did with the Net ID

91_tcpip_08.qx

2/25/00

11:11 AM

Page 449

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 449

portion of the address earlier, but this is going to be a little more complicated. Subnetting a network means dividing it into two or more smaller networks (called, appropriately enough, subnets). There are several reasons why you might want to subnet your network ID. When you receive a group of IP addresses to use on the Internet, you are assigned a network ID and a subnet mask. Of course, most people get their IP addresses from their ISPs, who have already assigned you a subnet mask for the group. Assignment of public IP addresses to internal network clients isn’t as big an issue for medium to large companies now as it once was, because most of them are using proxy servers and NAT. But whether you are using private or public IP addresses, the principles we discuss in this section will apply; they just are not as stringent when working with private IP address classes.

Why Divide the Network? A network ID is typically subnetted to allow for multiple physical segments. Each physical segment should have its own network ID. If you have 10,000 computers and are given the network ID 12.0.0.0 with a subnet mask of 255.0.0.0, this would work—in theory. However, all the machines would be on the same physical network, and it is likely that the broadcast traffic would be so intense that no communication could take place. If you were given a class B network ID of 169.254.0.0 and a subnet mask of 255.255.0.0, you could likewise put all your hosts on the same network ID, but then again, the amount of broadcast traffic that would be generated makes this a bad idea.. Even if you only have 120 clients and are given the class C network ID of 206.136.88.0 and a subnet mask of 255.255.255.0, you still would end up with all 120 clients on the same network. Because of the nature of Ethernet and Windows networking’s NetBIOS traffic, that is still too many for good performance. The maximum number of clients on a single segment is optimally less than 50. Networks that use private address classes don’t have as much of a problem, since they are free to use whatever private network IDs they want. If you choose to use the private address class 192.168.0.0 with a subnet mask of 255.255.255, you could theoretically create 256 networks with 256 clients each, which would be the same as a single class B network. You just configure your routing tables to accommodate each network. Those using public IP addresses don’t have this luxury, though, and they have to learn how to subnet the network IDs they are provided with by either IANA or their ISP.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 450

450 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Subnetting Scenario 1 Let’s say we were given a class C Net ID. How many Host IDs are available in a class C network? How many bits are used for the Net ID? A class C Net ID uses the first three octets, so it uses 24 bits, leaving only 8 bits for Host IDs. How many Host IDs for each class C Network then? The answer is 28=256, and then subtract two for the all 0s and all 1s, which gives us 254 Host IDs per class C network. We certainly don’t want 256 hosts on a single network for our business. Also, we might want to have some hosts on a network in another state. What we could do is “split” up the Net ID in such a manner that we can have some of our hosts on a different physical network in another state, and some in our local office. Breaking up a Net ID into multiple “subnetworks” is called “subnetting.”

Subnetting Scenario 2 Let’s look at another example: What if we got a class B Net ID? How many Host IDs are there on a class B Network? How many bits are available for a class B Host ID? Well, the Net ID is going to take the first two octets, so that’s 16 we have to take away from the total of 32 available. That leaves us with 16 bits to use for Host IDs. How many Host IDs can we have? 216=65536 and then subtract two for the all 0s and all 1s, which gives us 65,534. Now, if the InterNIC gives us a class B Net ID, do we really want all 65,000 hosts on the same subnet? The broadcast traffic would be so bad that no useful network activity could take place. So, we definitely have to break up those Net IDs into smaller chunks so that we can get a reasonable number of hosts on each physical segment, or subnet.

Subnets Remember that IP determines whether a message is for the local or remote host. If the destination is local, IP will have ARP broadcast for the destination host’s MAC address. If it is remote, IP will ARP broadcast for the default gateway, and then send the message to the default gateway. So, IP is like the post office employee, who first checks the ZIP code to see if it is local before bothering to check the house number and street address. Each subnet is like a different ZIP code within the same city. If the Net ID represents the city, then each neighborhood has its own ZIP code, or subnet.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 451

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 451

Subnet Masks How does IP figure out what your Net ID and Host ID are? Well, IP isn’t as smart as we are, because it doesn’t know about the rules regarding the high order bits and their connection to the IP address class. Rather, IP has to use something called a subnet mask to tell it which part of the IP address is the Net ID and which part is the Host ID. The subnet mask “masks” the Net ID portion of the IP address. It does this by covering up with 1s the Net ID and leaving “open” the Host ID with 0s. The default subnet masks are: Class A: Class B: Class C:

255.0.0.0 255.255.0.0 255.255.255.0

Or in binary: Class A: Class B: Class C:

11111111.00000000.00000000.00000000 11111111.11111111.00000000.00000000 11111111.11111111.11111111.00000000

How does IP use the subnet mask? All IP really cares about is whether the destination IP address is local or remote, so that it will know whether to broadcast or send the request to the default gateway.

ANDing The process that IP uses to determine whether the destination host is local or remote is called bitwise ANDing. In bitwise ANDing, the rules are: 1 AND 1 = 1 1 AND 0 = 0 0 AND 0 = 0 This is how it’s done: IP Address: 192.168.1.1 Subnet Mask: 255.255.255.0 In binary: IP Address: Subnet Mask: ANDed:

11000000.10101000.00000001.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000001.00000000

This will be the ANDed result of the machine originating a message. Let’s suppose this computer wants to send a message to: IP Address: 192.168.3.1 Subnet Mask: 255.255.255.0

91_tcpip_08.qx

2/25/00

11:11 AM

Page 452

452 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

In binary: IP Address: Subnet Mask: ANDed:

11000000.10101000.00000011.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000011.00000000

Now, we compare the ANDed results of the originating and destination hosts: Sender: Destination:

11000000.10101000.00000001.00000000 11000000.10101000.00000011.00000000

If the results are the same, IP will use a local subnet ARP broadcast because the two computers are on the same subnet. If the results are different, it will forward the request to the default gateway. In the preceding example, the ANDed results are different. IP will forward the message to the default gateway.

Tricking IP It is by manipulating the subnet mask that we can “trick” IP into thinking that there are more digits in the Net ID than the default number of digits defined by each class. Remember the default number of binary digits for the Net ID in each IP address class? Class A: 8 Class B: 16 Class C: 24 By manipulating the subnet mask, we can allow for more digits to be used for the Net ID by stealing some digits from the Host ID portion of the IP address. We can use the subnet mask to break up a Net ID into several subnetworks, and in that way trick IP into sending the message to the router so that it can get to the destination subnet. The routers will have the routing information to guide the packet to its correct location.

Making the Mask When we use a subnet mask other than the default subnet mask, it is often called a custom or variable-length subnet mask.

Subnet Masking for a Class A Network Let’s look at the example of a class A network. The Net ID will be 75.0.0.0 and we’ll use the default subnet mask of 255.0.0.0. In binary:

91_tcpip_08.qx

2/25/00

11:11 AM

Page 453

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 453

NetID: Mask:

01001011.00000000.00000000.00000000 11111111.00000000.00000000.00000000

How could we break up this giant network into two separate subnetworks? Well, in binary, the number 2 is represented as 10. Therefore, it takes two bits to get the number 2. What we’ll do in order to get those two subnets we want is “steal” two bits from the Host ID portion of the IP address. So now, the subnet mask will look like this: Mask:

11111111.(11)000000.00000000.00000000

We could use any combination for those two bits we stole from the Host ID. Looking only at the second octet (the subnetted octet) of the IP address, what are the numbers that could comprise the second octet? (The masked bits are in parentheses.) 1. 2. 3. 4.

(01)000000 (10)000000 (11)000000 (00)000000

to to to to

(01)111111 (10)111111 (11)111111 (00)111111

However, we have to view the Subnet ID in isolation. The Subnet ID includes those bits reserved by the subnet mask to be used for the network ID that have been “stolen” from the Host ID. The Subnet ID must comply with the same rules as the Net ID and the Host ID: No all 0s or all 1s. So, we have to cross out the last two ranges because their Subnet ID is all 0s or 1s. So, range 1 in decimal is: 64–127 and range 2 in decimal is: 128–191 For the subnet mask itself, the second octet would be: (11)000000 = 192 indicating that we are taking two bits from the Host ID portion in the second octet. The all 0s or all 1s rule doesn’t apply to the subnet mask, since the 1s in the subnet mask just represent which bits in the IP address will represent the Net ID. We have broken up the entire network into two subnetworks, one with the Subnet ID of 64 and one with the Subnet ID of 128. How many Host IDs can we have on each subnet? How many bits are available for Host IDs after we’ve stolen two of them for the Net ID? Before

91_tcpip_08.qx

2/25/00

11:11 AM

Page 454

454 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

subnetting we had 24, but now we only have 22 after losing two of them to the subnet mask. That would be 222, which is 4,194,304, and then subtract 2 for the all 0s and all 1s, and that gives us 4,194,302 per subnet. Hey! What happened? If I use all the Host IDs for both subnets I created, I’ll have: 4,194,302 x 2 = 8,388,608 Host IDs If I hadn’t subnetted my network, I would have had: 224 = 16,777,216 The moral of the story? The more subnets you create, the more Host IDs you’re going to lose. So, for our class A network with a Net ID of 75.0.0.0 and subnet mask of 255.192.0.0, our two subnet address ranges are: From: To:

01001011.(01)000000.00000000.00000001 (75.64.0.1) 01001011.(01)111111.11111111.11111110 (75.127.255.254)

And the second range: From: To:

01001011.(10)000000.00000000.00000001 (75.128.0.1) 01001011.(10)111111.11111111.11111110 (75.192.255.254)

NOTE Remember that the more subnets you create, the fewer hosts you will be able to have on the networks.

By using the custom subnet mask of 255.192 on the class A network, we see that we stole two bits from the second octet to give to the Net ID, and that those two digits actually represent something called the subnet ID. What is the significance of 192? 192 in binary is 11000000, which indicates that two digits will be used for the Net ID that would have otherwise been used for the Host ID. What if our subnet mask were 224? What is 224 in binary? (111)00000 A subnet mask of 224 would indicate that we would be taking three digits from the Host ID portion and giving them to the Net ID. How many subnets could we create with a subnet mask of 224? What is the number of possible combinations that we can create from three bits?

91_tcpip_08.qx

2/25/00

11:11 AM

Page 455

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 455

000 (0) 001 (32) 010 (64) 011 (96) 100 (128) 101 (160) 110 (192) 111 (224) (the numbers in parentheses represent the Subnet ID in decimal). Did you notice something about the progression of Subnet IDs? In this case, it is 32, which just happens to be the value of the last position in the Subnet ID (for example, Subnet ID 64 is 010xxxxx; that makes it the 6th position from the right in the octet, which has the value of 32). The value is called the block value. Each subnet represents a block of IP addresses. Remember that our Subnet ID can’t be all 0s or all 1s. Therefore, we have to throw out the first and last Subnet IDs listed above. That would give us six subnets that we could use if we have a subnet mask of 224. Another way to figure this out is 23 = 8, and then subtract 2 for the all 0s and all 1s, and that gives us six subnets. What if we stole four digits from the Host ID to give to the Net ID? We can use the formula! 24 = 16, and then subtract 2 for the all 0s and all 1s, and that gives us a total of 14 subnets when we steal four bits from the Host ID. What would that subnet mask octet be? 11110000 = 240. So, if we want to break up a network into 14 useable subnets, we could use the subnet mask of 240. What do you think the block value would be in this case? We are stealing four digits from the Host ID. Therefore, a possible octet value could be 0110xxxx (the xs represent the Host ID portion of the octet). The rightmost digit of the Net ID portion is the 5th digit of the octet, and the 5th digit’s binary value is 16. Thus, the block value is 16 when your subnet mask is 224.

Subnet Masking for a Class B Network Let’s take another example from a class B network address. Our Net ID is 144.17.0.0. Using the information we’ve just learned, how could we create six subnets outs of this class B network? How many binary digits would be required to come up with 6? One won’t be enough, because 21 = 2. Two won’t be enough, because 22 = 4. How about three? 23 = 8, and then remember to subtract 2 for the all 0s and all 1s Subnet IDs. That will give us a total of six subnets if we steal three digits from the Host ID. On a

91_tcpip_08.qx

2/25/00

11:11 AM

Page 456

456 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

class B network, octets y and z are used for the Host ID, so we’ll steal two digits from the y octet in order to create our six subnets. What will the subnet mask be in this case? (111)00000 = 224 These are the valid IP address ranges in this case: Range 1 10010000.00010001.(001)00000.00000001 (144.17.32.1) to 10010000.00010001.(001)11111.11111110 (144.17.63.254) Range 2 10010000.00010001.(010)00000.00000001 (144.17.64.1) to 10010000.00010001.(010)11111.11111110 (144.17.95.254) Range 3 10010000.00010001.(011)00000.00000001 (144.17.96.1) to 10010000.00010001.(011)11111.11111110 (144.17.127.254) Range 4 10010000.00010001.(100)00000.00000001 (144.17.128.1) to 10010000.00010001.(100)11111.11111110 (144.17.159.254) Range 5 10010000.00010001.(101)00000.00000001 (144.17.160.1) to 10010000.00010001.(101)11111.11111110 (144.17.191.254) Range 6 10010000.00010001.(110)00000.00000001 (144.17.192.1) to 10010000.00010001.(110)11111.11111110 (144.17.223.254) (The Subnet ID portion is in parentheses within the binary IP addresses.) What address ranges did we lose here? What Subnet IDs are illegal when we are using three bits for our Subnet ID?

91_tcpip_08.qx

2/25/00

11:11 AM

Page 457

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 457

000 111 Remember, the all 0s and all 1s won’t work! 10010000.00010001.(000)00000.00000001 (141.17.0.1) to 10010000.00010001.(000)11111.11111110 (144.17.31.254) 10010000.00010001.(111)00000.00000001 (144.17.224.1) to 10010000.00010001.(111)11111.11111110 (144.17.255.254) In effect, we lose the first and the last blocks. What is the block size in this example? What is the rightmost digit in the Subnet ID? It is digit 6 in the octet, so that block value is: 32. Thus we see that Subnet IDs 0 (0–31) and 224 (224–255) are lost!

TIP The first and last block values will always be lost when we calculate our ranges of legal IP addresses.

Subnet Masking for a Class C Network The last example is that of a class C address. Let’s say that we have a class C Net ID of 211.40.88.0 and we want to break it into 14 subnets. How many binary digits does it take to create 14 subnets? Three will only create 6 (8–2), so that won’t be enough. If we use four binary digits, that will give us 24 = 16, and then we subtract 2 for the all 0s and all 1s, and we get 14 valid Subnet IDs. 211.40.88.17 to 211.40.88.30 211.40.88.33 to 211.40.88.46 211.40.88.49 to 211.40.88.62 211.40.88.65 to 211.40.88.78 211.40.88.81 to 211.40.88.94 211.40.88.97 to 211.40.88.110 211.40.88.113 to 211.40.88.126 211.40.88.129 to 211.40.88.142 211.40.88.145 to 211.40.88.158

91_tcpip_08.qx

2/25/00

11:11 AM

Page 458

458 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

211.40.88.161 211.40.88.177 211.40.88.193 211.40.88.209 211.40.88.225

to to to to to

211.40.88.174 211.40.88.190 211.40.88.206 211.40.88.222 211.40.88.238

What is the block size in this case? With a 4-bit subnet mask, the rightmost digit in the mask is digit 5 in the octet. The 5th digit in the octet’s binary value is 16, so the block size is 16. That explains why the first and last blocks are missing. 211.40.88.1 to 211.40.88.16 and 211.40.88.239 to 211.40.88.254 But look at the gaps in the other IP address. What happened to 211.40.88.31 and 211.40.88.32? Look at the last octet of those two IP addresses: (0001)1111 (0010)0000

NOTE In both cases, we have an illegal Host ID number, being either all 0s or all 1s. You will find that to be the case for all the missing IP addresses. The Host ID or the Subnet ID will be illegal. Remember, the first and last member of the block is always illegal. So, in this case, with a class C address and a block size of 16, we will only have 14 legal IP addresses per subnet. Note: Be aware that this is the traditional approach to subnet masking as taught in the Microsoft Windows NT 4.0 official training curriculum. In fact, in the field you will see that the Subnet ID portion of the network ID is not restricted to the “no all 0s and 1s” rule, and that the Subnet ID is incorporated into the network ID as a single entity. The same rules apply regarding the Host ID not being all 0s or 1s, and the network ID should not be all 0s or 1s either. Of course, if you are configuring your own routers, you have a lot of latitude regarding what addresses the router should consider legal and illegal.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 459

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 459

Errors in Subnet Masking Let’s look at a common error and see what happens when it occurs. The most common error is when one of the clients on the segment has been configured with the wrong subnet mask. This is most likely done when a machine has a manually configured IP address, and the technician entered a wrong digit in the subnet mask text boxes. For example, a machine is configured with the IP address 192.168.1.33 and a subnet mask of 255.255.255.224. The rest of the machines on the network are configured with IP addresses of 192.168.1.x with a subnet mask of 255.255.255.240, with the default gateway for that network having an IP address of 192.168.1.17. What happens when the client tries to contact another computer on the same segment? If the machine is able to obtain the IP address of another computer on the same segment, it will recognize the other computer’s IP address as being on a different subnet, and will send the message to the default gateway. Why would the client assess that any other computer on the segment would be on a different subnet? Our incorrectly configured client is configured to be on Subnet ID 32, or network ID 192.168.1.32/27. All the clients on the segment are configured on Subnet ID 16, or network ID 192.168.1.16/28. The valid range of IP addresses on the misconfigured client’s subnet is 192.168.1.33 to 192.168.1.62. The valid range of IP addresses for the other machines on the segment is 192.168.1.17 to 192.168.1.30. Let’s look at this in the binary: Miconfigured client’s IP information: 192.168.1.(001)00001 255.255.255.(111)00000 The first and last valid IP addresses on the misconfigured client’s subnet are: 192.168.1.00100001 = 192.168.1.33 192.168.1.00111110 = 192.168.1.62 IP information for all other clients on the subnet: 192.168.1.(xxxx)xxxx 255.255.255.(1111)0000 Since we know that the default gateway is located at 192.168.17, we can figure out the Subnet ID of the segment: 192.168.1.(0001)0001 255.255.255.(1111)0000

91_tcpip_08.qx

2/25/00

11:11 AM

Page 460

460 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Subnet ID = 16 or (0001)0000 or Network ID = 192.168.1.16/28 What is the legal range of IP addresses contained on the default gateway’s subnet? 192.168.1.(0001)0001 = 192.168.1.17 192.168.1.(0001)1110 = 192.168.1.30 Therefore, when the misconfigured client attempts to send a message to any machine whose IP address is in the legal range for the subnet, IP will recognize that other machine’s address as being on a remote network, and will send it to the default gateway. However, we have another problem now: The default gateway is seen as being on another subnet. Therefore, the packet will go nowhere. If you test this out on your own by doing a ping of the out-of-range addresses, you’ll see an error regarding a “bad IP address.”

NOTE RFC 1878 discusses the standards and specifications for variable-length subnet masking.

Summary In this chapter, we have examined how IP addressing works, and how the logical addresses assigned during the TCP/IP configuration/initialization process relate to the network interface card’s (NIC) physical, or hardware address (called the MAC address in Ethernet networks). We learned how to determine a NIC’s IP and hardware address(es) for troubleshooting purposes using common TCP/IP utilities. We then looked at what “all those numbers” in the IP addresses really mean. We dissected the sections or octets that make up an IP address, and delved into how to convert the “easy on the eyes” dotted decimal notation used by humans into the 1s and 0s that the machines actually process. We briefly discussed subnet masking, and the default subnet masks for each IP address class. This led to a discussion of address classification and so-called “classful” addressing and its more modern replacement, Classless Inter-Domain Routing, or CIDR (sometimes just referred to as “classless addressing”). We learned how to determine which class an IP address belongs to based on its high order bits, and how to extrapolate

91_tcpip_08.qx

2/25/00

11:11 AM

Page 461

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 461

the binary into its decimal translation. We also discussed the class D multicast addresses, and the “experimental” class E. Next, we examined how network IDs and Host IDs are assigned, and discussed the pros and cons of manual address assignment and automatic addressing. We identified the characteristics of the Dynamic Host Configuration Protocol (DHCP), Automatic Private IP Addressing (APIPA), and how Internet Connection Sharing’s autoaddressing function works. We defined the differences between public and private addresses, and then looked at how IP addresses are actually used for communication on a network. We talked about the Address Resolution Protocol (ARP), which maps IP addresses to physical (MAC) addresses, and stepped through the IP communication process as it applies to both nonrouted and routed networks. Then we talked about specific IP addressing problems. We discussed how to detect and correct such situations as duplicate IP addresses, “illegal” addresses, and addresses that are invalid for the subnet. We made a detailed study of DHCP: how to configure the client and server, the process used by a DHCP client to obtain an address, and some common DHCP troubleshooting scenarios. We learned about the messages used by the DHCP service: DHCP Discover, DHCP Offer, DHCP Request, and DHCP Acknowledgment (ACK) and Negative Acknowledgment (NACK). After that, we turned to discussion of common DHCP server configuration problems, how and why they occur, and what to do about them. We reviewed some basic settings that should be checked: ■

■ ■

■

■

Ensuring that the DHCP server itself has a static manually configured IP address Making sure that the DHCP service is started Ascertaining that a scope of addresses has been defined and activated Excluding addresses within the scope that have been manually assigned to routers or computers Specifying the correct subnet mask

We discussed using superscopes to allow DHCP servers to assign addresses to more than one logical subnet on the same physical network. Next, we took a close look at how DHCP lease duration can affect network performance, and situations in which changing the duration can solve problems or optimize the speed of network communications. We saw how to set lease duration during the creation of a new scope, and how to change the lease duration after a scope has already been created and activated. We talked about the ramifications of granting clients unlimited lease periods.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 462

462 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Then we discussed how to reserve addresses for computers that need to have the same address all the time but still want to take advantage of the benefits of being a DHCP client. We talked about DHCP Server, scope, Client, and Class options, and how to configure each in the DHCP management console. We learned how to use DHCP monitoring tools to gather statistical information about the performance of the DHCP services, such as the number of Discover, Offer, Request, and ACK/NACK messages sent; length of time the server has been up; how many scopes are configured; how many addresses are allocated to DHCP; how many are assigned and how many are still available. We examined the components of the DHCP database, which is stored in the <systemroot>\System32\DHCP directory on the DHCP server. We talked about the files that make up the database: Dhcp.mdb, Dhcp.tmp, J50.log, and J50.chk. We discussed how to edit the Registry to change the backup interval from the default of 60 minutes, and how to restore the DHCP database from backup in one of two ways: ■ ■

Setting the RestoreFlag value to 1 Copying the <systemroot>\System32\DHCP\Backup\Jet folder to <systemroot>\System32\DHCP and restarting the service

Then we talked about some common client configuration problems, and what to do about them. We discussed DHCP clients’ inability to obtain an IP address due to not being able to reach the server, and clients operating with addresses that are invalid for the subnet due to an APIPA assignment. We talked about what to do if the client can obtain an address but is missing some configuration information, and discussed the possible causes of multiple clients on a network being unable to obtain addresses from the DHCP server. Next we took on the problem of “rogue” (unauthorized) DHCP servers and what Microsoft has done in Windows 2000 to address this potential source of trouble. We discussed how to handle multiple DHCP servers on a network and made recommendations for locating them on separate subnets to increase fault tolerance. We talked about using a DHCP relay agent or router configured to support BOOTP relay so the DHCP server(s) can assign addresses across subnets. We then discussed Automatic Private IP Addressing (APIPA), which uses the reserved address range 169.254.0.0 to 169.254.255.254 with a subnet mask of 255.255.0.0, so that if a DHCP client is unable to contact a DHCP server, it can still communicate via TCP/IP by assigning itself an address from this range. We also learned how to disable APIPA on our computers by editing the Registry.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 463

Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 463

After a brief look at hardware address problems, we discussed how to troubleshoot subnetting problems, and how to use variable-length subnet masking. We then examined the concept of supernetting and how Classless Inter-Domain Routing (CIDR) is used to help alleviate the problems caused by classful addressing. IP addressing is the foundation of TCP/IP communications. It’s a complex subject, and there is much that can go wrong if addresses are configured improperly. This chapter in no way attempts to cover every possible addressing configuration problem, but we have provided an overview of the most common addressing problems and the tools that can be used to diagnose and correct them.

FAQs Q: The DHCP server log shows NACKs being returned to DHCP clients requesting leases, and I have tried to renew the client’s lease manually but am unable to do so. What is the problem, and how do I solve it? A: This situation will occur if the IP address range configured for the DHCP server is conflicting with (overlapping) the range that some other DHCP server on the network is offering. Change the address pool for the scopes on one or both servers so that they do not overlap. Add exclusions if needed. You can also enable address conflict detection on the server by right-clicking it in the management console, selecting Properties | Advanced, and setting the value for Conflict Detection Attempts to a number greater than 0. Q: How can I manually release or renew a DHCP lease? A: At the command prompt, type ipconfig /release to release the address, or ipconfig /renew to renew the lease. Q: When should I deactivate a superscope on a DHCP server? How do I do so? A: Use the Deactivate command only if you want to retire all scopes that are members of the superscope and delete the superscope itself from the server. You should not use this command to merely pause the superscope, and you should not reactivate a superscope after you have deactivated it. If deactivation is still desired, click the superscope in the DHCP management console tree, open the Action menu, and select Deactivate.

91_tcpip_08.qx

2/25/00

11:11 AM

Page 464

464 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems

Q: What is a DHCP scope? A: A scope is a group of computers on a subnet that use DHCP to obtain IP addresses, which defines the parameters used by the clients. A scope includes the IP address range used for DHCP lease offers and any excluded ranges, a subnet mask that signifies the subnet, a name (which is assigned to the scope when it is created), and the lease duration period that applies to leases offered to DHCP clients when they receive IP addresses. Q: What are the similarities and differences between BOOTP and DHCP? A: BOOTP is the predecessor to DHCP, used to automatically assign IP addresses, which was traditionally used for booting diskless workstations over the network. DHCP adds enhancements to BOOTP that make it the automatic address assignment protocol of choice today. Both protocols use the same type of request and reply messages, which consist of UDP datagrams 576 bytes in length. The message headers are almost the same for both protocols; the only difference is that the last field is called the vendor-specific field in BOOTP and can only be 64 octets, whereas in DHCP, the last field is called the options field and can be up to 312 octets in size. Both use UDP port 67 to listen for and receive client messages, and clients use port 68 to accept replies from the server. BOOTP normally reserves an address permanently in its database for each client computer, while DHCP leases the addresses and reserves them temporarily in its database. Q: What are the two types of class options, and what are the differences between them? A: The class options are divided into user classes and vendor classes. User class identifications are configured with the ipconfig command, while the vendor class IDs are set by the vendor (for example, Microsoft). You create user classes in order to identify all the DHCP clients that have something in common for which you wish to assign options. For instance, you could create a user class to identify all the clients in a particular site, or all the clients that are mobile computers. The vendor classes are created to take advantage of vendor-specific functions. Clients using products of other vendors will not receive DHCP options from other vendors.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 465

Chapter 9

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Solutions in this chapter: ■

RAS and RRAS Configuration Problems

■

General Internet Connectivity Problems

■

NAT and ICS Configuration Problems

■

Virtual Private Networking Problems

465

91_tcpip_09.qx

2/25/00

11:13 AM

Page 466

466 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Introduction From one perspective, this could be a very short chapter (but don’t get your hopes up). Windows 2000 TCP/IP networking over a remote access connection is, in most respects, the same as participating on a cabled or wireless LAN. Once properly connected through the telephone lines or VPN and logged on to and authenticated by the domain controller, a RAS client can do virtually anything on the network that a local client can do (provided the appropriate access permissions have been granted). However, there are some special factors to consider when troubleshooting TCP/IP problems involving remote access. Windows 2000 Routing and Remote Access Service (RRAS), combined with dial-up networking, has made it easy to set up a connection over the Public Switched Telephone Network (PSTN) analog lines, ISDN, DSL, X.25, and other remote links. From dialing in to an Internet Service Provider (ISP) or online service with a 56K modem to establishing a dedicated high-speed WAN link, remote access becomes easier and less expensive with each passing year. There are still some challenges involved in getting computers miles or even continents apart to “talk” to each other. In this chapter, we will focus on how Windows 2000 RRAS works, how to configure the service for various connection scenarios, and common configuration problems that can arise. Because such a large number of remote access connections today are for the purpose of accessing the global Internet, we will discuss Internet connectivity. We’ll also look at how your organization can save money and reduce the “hassle factor” of giving multiple computers access to the Internet or another remote network, using Windows 2000’s built-in Internet Connection Services and Network Address Translation. We will talk about virtual private networking, which is growing in popularity due to its ability to provide for a secure connection to a private network by “tunneling” through the Internet. We’ll take some time to examine how VPNs work, how to configure Windows 2000 machines as VPN clients and servers, and the two tunneling protocols supported by Windows 2000: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). We will address VPN security problems, and come back to the subject of IPSec (which was introduced in Chapter 4, “Windows 2000 TCP/IP Internals”), along with Microsoft Point to Point Encryption (MPPE), in the context of virtual private networking.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 467

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 467

Today’s business world is moving toward a time when much of the work will be done offsite, in order to reduce company overhead and increase the flexibility and job satisfaction of workers who can be as productive (maybe more so) when telecommuting from home as when stationed in an office cubicle in corporate headquarters. As the marketplace becomes more international, executives, salespeople, and others spend much of their time traveling, and need to do their networking “on the go.” TCP/IP is still the protocol on which most of this remote connectivity is based, and knowing how to configure and manage remote connections will be even more important to network administrators in the future than it is today.

Overview of Windows 2000 Remote Access Services Remote access is provided by Windows 2000 as part of RRAS.

Types of Remote Access Dial-up and virtual private networking are the two types of remote access supported by Windows 2000 RRAS. Although there are similarities between the two, in terms of TCP/IP communications and connectivity, each has its advantages—and its problems. Dial-up access: Using the telephone lines (either regular analog lines or high-speed digital lines), a remote client creates a temporary link (called a virtual circuit) to a remote access server, over which configuration parameters are negotiated and data packets are exchanged. See Figure 9.1. VPN: A virtual private networking connection is made using an internetwork to which both the client and server are separately connected (such as the global Internet). A point-to-point link is made by creating a “tunnel” through the larger internetwork using a tunneling protocol (PPTP or L2TP). Data packets are encapsulated and encrypted within this tunnel. See Figure 9.2. With both types of remote access, once the connection to the server has been established, the client can communicate with the server (and, with the proper permissions, with other computers connected to the server on the LAN) via any local area network protocol that is used on the private LAN. This means that you are not limited to TCP/IP communications; in the case of virtual private networking, NetBEUI or IPX/SPX (NWLink) packets can actually be encapsulated inside the TCP/IP link that is used to connect to the Internet.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 468

468 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Figure 9.1 A dial-up connection involves dialing directly in to the remote access server.

Remote client Modem

ct Dire k t lin poin t-toines poin ne l pho tele

via

Dial-up Connection

Modem

Remote access server

Distinguishing between Remote Access and Remote Control It is important to understand the difference between a remote access connection and another popular means of connecting computers remotely, called remote control. On the surface, the two appear to be the same: in both cases, you can establish a link over a dial-up or dedicated telephone line or through the Internet. However, there are important differences.

Remote Access: How It Works When you establish a remote access connection by using a modem to dial in to a remote server, or by creating a VPN link, the remote access client becomes a true node on the remote network. From it, you can log on to the domain, access shares on the server and other nodes for which you have permissions, print to shared printers, and do anything you would be able to do as a local node on the network. Other computers with shared resources that are on your subnet will show up in your Network Places window. The only significant difference to the user between participating on the network from a remote node and being cabled to the network as a local node is speed. Telephone lines are inherently much slower than the slowest LAN cable.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 469

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 469

Figure 9.2 A VPN connection involves creating a “tunnel” through the Internet.

Internet Service Provider

Modem

ne Tun ual

Virt

Remote Client

l

Internet

ual

Virt el

n Tun

Internet Service Provider

Dedicated link Remote server

NOTE Windows 2000 includes remote access client and server software. When we discuss remote access servers in this chapter, we will be referring to a Windows 2000 Server computer configured to accept remote connections via RRAS. However, a Windows 2000 Professional workstation can also function as a dial-up server and accept incoming calls.

Remote Control: How It Works Remote control is a different concept and is used for different purposes. Remote control requires special software on the client and server. Thirdparty programs such as PCAnywhere, ControlIT, Remotely Possible, and LapLink can be used to establish a remote control session with another computer. In a remote control session, the remote computer actually takes over the desktop of the host computer and has complete control of

91_tcpip_09.qx

2/25/00

11:13 AM

Page 470

470 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

it. Sitting at the remote computer, you see on your screen an exact replica of the host computer’s display screen. You can make configuration changes, run applications, and so forth on the remote machine (assuming you’re logged on to it with the proper permissions). If someone is sitting in front of the host machine, he will see the cursor move as you move your mouse from the remote location. Remote control doesn’t just allow you to access shares on the host; it’s “the next best thing to being there.” Remote control is useful for troubleshooting or performing administrative duties from home or when on the road, or on a computer that is located offsite. Remote access, then, is used to connect to the network and participate as a node on the network. Remote control is used—generally by administrative personnel—to take control of a server or other computer and operate it from a remote location.

NOTE You can also remotely control a server using Windows 2000 terminal services in remote administration mode.

Establishing a Remote Access Connection In order to anticipate and prevent problems involving remote access, it is important to understand the components of remote access networking and how they work together.

Software Needed for a Remote Access Connection In order to be a remote access client, a Windows 2000 computer must have Routing and Remote Access installed and configured properly. We will look at configuration problems and how to properly set up RRAS a little later in this chapter. In addition to RRAS, Windows 2000 uses the Dial-up Networking component to create a link over the telephone lines. The remote access server uses RRAS components to accept dial-up connections from clients and forward data between the remote clients and other computers on the local network. On a stand-alone Windows 2000 computer, you can configure the computer to accept incoming dial-up connections using the New Connection Wizard that is accessed from the following:

91_tcpip_09.qx

2/25/00

11:13 AM

Page 471

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 471

Start | Settings | Network and Dialup Connections | Make New Connection If the Windows 2000 computer is a server that belongs to or controls a domain (including a member server), you will not be able to configure incoming dial-up services this way. When you attempt to do so, you will see a dialog box as shown in Figure 9.3. Figure 9.3 Incoming connections must be configured through RRAS for Windows 2000 servers that belong to a domain.

It is necessary to use the RRAS management console to configure a server in a domain to accept incoming remote connections. We will look at how RRAS is configured for a remote server in a later section of this chapter.

NOTE The same Windows 2000 computer can function as both a dial-up client and a dial-up server. It can even do both at the same time, provided it has two modems installed with separate phone lines connected to them.

The WAN Link Remote access requires some kind of physical link between the computers. Most commonly, this is a dial-up or dedicated telephone line of some sort. When troubleshooting remote access problems, you must always keep in mind the possibility that the problem is with the line itself (just as many LAN problems can be attributed to damaged, unplugged, or incorrectly installed cable).

NOTE One way to think of a remote access connection is that, logically, it is the same as a local cabled connection, while physically, the modem takes the place of the network interface card (NIC) and the phone line takes the place of the Ethernet cable.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 472

472 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

At the physical level, the starting point for a remote access connection is the wide area networking link over which it is made. This can be the public switched telephone network, a dial-up or dedicated digital line like ISDN, a line using the newer DSL technology, or an X.25 network. See Table 9.1 for a summary of common WAN technologies. Table 9.1 Common Wide Area Networking Technologies WAN Link Type

Speed

Characteristics

PSTN (analog phone system)

56K (53K legal limit in U.S.)

Often unable to reach top speeds due to “noise.”

ISDN

64K (1 channel) 128K (BRI) 1.544M (PRI)

“Clean” digital connection provides fast connect, top speeds attainable in practice.

DSL

256K to 6M (ADSL) Up to 50M (VDSL)

Low cost, high speed. Not available in all areas.

T-carrier

1.544M (T1) 6.312M (T2) 44.736M (T3) 274.176M (T4)

Dedicated leased line; guaranteed bandwidth. Very expensive.

X.25

64K (typical)

Packet switched network; very high reliability.

NOTE Other WAN technologies, such as Frame Relay, ATM, and SONET are used for wide area networking, and are beyond the scope of this chapter, which deals with those links most commonly used with Windows 2000 remote access services. T-carrier lines are dedicated leased lines and are included here for speed comparison purposes.

Understanding PSTN Connections The public switched telephone network is “formally” known as PSTN, but in the telecommunications industry is often referred to as POTS, which stands for “plain old telephone service.” These are the analog telephone lines that are available in almost every part of the United States.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 473

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 473

NOTE In many European countries, ISDN is now used routinely to provide regular telephone service.

The biggest advantage of the public telephone system is its omnipresence—telephone lines reach to even isolated areas, and service can be established relatively easily and quickly. Another advantage is cost; in most cases, a POTS line will be less expensive than digital links.

NOTE With the advent of Digital Subscriber Line (DSL) technology, the cost differential between analog and digital is not as great as it was a few years ago.

Analog modems are cheap, plentiful, and fairly easy to set up and use. Windows 2000 and other modern operating systems support a wide variety of modems, and plug-and-play technology makes installation and configuration straightforward and simple in most cases. To make a dial-up connection, you merely install the modem (or connect an external modem via a serial port), install the drivers, plug in a phone line, and set up dial-up networking to dial the number of a phone line connected to a modem that is installed on the stand-alone computer or network to which you want to connect. The modem translates the digital signaling used by the computer into analog so it can travel along the telephone line, and a modem at the other end converts it back to digital form so it can be “understood” by the receiving computer.

TIP The process of converting from analog to digital signaling and back is called modulation and demodulation; hence the name “modem.”

PSTN has some significant disadvantages when it comes to remote computing, however. The traditional telephone network was designed for voice communication, not as a data link. Performance (speed of transfer) rates that work fine for voice seem slow when we use the lines to transmit

91_tcpip_09.qx

2/25/00

11:13 AM

Page 474

474 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

large data files. Those of us who remember the venerable 900 baud modems of the early days of remote networking have a lot of respect for today’s 56K modems, but the brave new world of Internet communications has made us all impatient. The sad truth is that analog technology is approaching its practical “speed limit.” Even with compression, telecom experts say we are not going to be able to squeeze much higher data transfer rates out of our old phone lines. Yet most travelers on the Information Autobahn—replete with huge software downloads, large graphics, and sound files, streaming audio and video, Java-scripted and Active-X’d Web sites and other highbandwidth demands—need (or think we need) more speed. When our remote network activities are mission-critical, we may also need more reliability than poor old POTS can provide. That’s where digital WAN links come in.

Understanding ISDN Most telephone companies offer, in addition to standard analog service (and usually at a higher cost), Integrated Services Digital Network (ISDN) lines. ISDN uses multiple channel digital lines to provide a connection that is faster, more reliable, and suffers less from noise interference and other problems common to analog connections. ISDN was originally developed with the intent that it would eventually replace PSTN. In some countries this has been achieved, although in the United States—due to tariffs, cost, early installation nightmares, and thus low public demand—ISDN is not universally used in business telephone systems and is still rather uncommon for residential service.

NOTE An ISDN connection requires a special piece of equipment that is sometimes referred to as an ISDN modem. Technically, it is not a modem because there is no modulation and demodulation required since ISDN signaling is digital. However, the device—which is properly called an ISDN terminal adapter— performs basically the same function as an analog modem in terms of dialing and establishing the connection with the computer on the other end.

ISDN does, however, have some important advantages over PSTN, and a substantial, though not overwhelming, number of businesses do use ISDN for their voice communications and their organization’s connection

91_tcpip_09.qx

2/25/00

11:13 AM

Page 475

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 475

to an ISP or to other branch offices within the company network. Some ways in which ISDN is superior to analog service include: Faster connection. ISPs offer both dial-up and dedicated ISDN accounts. With a dedicated account, you essentially dial the ISP when you set up the line and then never have to hang up. The line is always connected so that the computer with the ISDN connection is online 24 hours a day, 7 days a week. There is no need to dial up the ISP each time you want to connect to the Internet, or dial up the remote access server at another site each time you want to connect to the branch office. With a dial-up account, you hang up when you finish accessing the Internet and then dial again when you want to go back online. Even so, because ISDN is digital, there is not the delay of waiting for the phone to ring and be answered that is experienced with analog phone lines and modems. The connection is established so quickly that, in most cases, it is almost indistinguishable from a dedicated connection. Faster data transfer. ISDN service is generally offered by the telephone service in one of two options: Basic Rate ISDN (BRI) and Primary Rate ISDN (PRI). With BRI service, you get one 16 Kbps channel used for control signaling (called a D channel), and two channels over which data can be transferred, (called B channels). Each operates at 64 Kbps and can be multilinked to provide a 128 Kbps connection. In normal practice, each B channel is a separate phone line and is assigned two different telephone numbers (although some phone companies will assign the same phone number to both lines, if you desire). These lines can also be used for voice communications; in fact, with most ISDN adapters, you can plug one or two analog phones into the adapter (which contains a component that converts the digital signal to analog) and hold a voice conversation on one of the channels while you are transferring data on the other. With PRI service, you get 23 64 Kbps B channels and one 64 Kbps D channel, for a total speed of 1.544 Mbps (T1 speed). A “cleaner” connection. Digital lines are less prone to interference and “noise,” which is a problem that often results in analog lines being able to connect at only a fraction of the speed of the modem being used. This means that the 64 Kbps or 128 Kbps speed of a BRI link lets you actually connect at that speed, unlike 56 Kbps analog modems that rarely connect at more than 50 Kbps (and in some areas, may never get above 40 Kbps).

91_tcpip_09.qx

2/25/00

11:13 AM

Page 476

476 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Disadvantages of ISDN include: Higher cost than analog lines. Some telephone companies charge by the minute or by the amount of data transferred. Others that offer flat rate ISDN often charge twice as much for a Basic Rate ISDN line as the rate for a standard analog line—although you should keep in mind that with BRI you are actually getting two telephone lines. Installation difficulties. Traditionally, ISDN “modems” have been more difficult to configure than analog modems, although modern models have gone a long way toward alleviating that problem. In some cases, getting the line itself installed proves to be a major undertaking. Phone company technicians in some areas are not nearly as familiar with ISDN installation, and long waits for installation or difficulties caused by improper installation are not uncommon, although this has improved in recent years in most locations. Less widespread availability. ISDN is not available in all areas where POTS can be had. The telephone CO, or central switching office, must have equipment that can handle digital signaling. Although most COs in urban areas have been updated to include this, some outlying areas still do not have the physical capability to offer ISDN service to customers. ISDN is a viable, medium-cost solution in areas where DSL service has not yet been implemented. However, its popularity has dropped as telephone companies have “rolled out” the newest, fastest, and leastexpensive digital technology.

Tips for Troubleshooting ISDN Connections Connection problems with ISDN, assuming the line itself is in working order, can be due to one of several problems: ■

■

■

Ensure that the ISDN “modem” or adapter has updated and properly installed software drivers. Ensure that the com port being used is configured to support the desired data transfer rate. If you are only able to connect with one channel on a twochannel ISDN line (thus connecting at 64 Kbps instead of 128 Kbps), ensure that your connection is configured to use multilink and that your ISP or remote access server also supports it.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 477

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 477

Understanding DSL In the late 1990s, telephone companies in the United States began to offer a new type of digital service called DSL, or Digital Subscriber Line. DSL comes in several flavors: ■

■

■ ■

■

ADSL (Asymmetric Digital Subscriber Line) Downstream speed is higher than upstream (optimized for most consumer use, where much more data is downloaded from the server than uploaded to the server). SDSL (Symmetric Digital Subscriber Line) Downstream and upstream speed are the same. HDSL (High-speed DSL) Requires two lines. VDSL (Very high-speed DSL [up to 50 Mbps]) Could also be called Very expensive DSL; not in common use. IDSL: DSL technology over ISDN lines.

Currently, most telephone companies offer ADSL. DSL is usually implemented as an “always on” technology; that is, you stay connected all the time. DSL transmission is implemented over regular copper wires, and a “splitter” is installed on the line so that it can be used for both data and voice at the same time. Since two different frequencies are used, you can actually talk over the phone at the same time you are using the line for the data connection. Special equipment is required; a DSL “modem” (actually a ATU-R, which stands for ADSL Terminal Unit – Remote) is plugged into a NIC in the computer. As with ISDN, the telephone company CO that services your location must be equipped to handle DSL. Major advantages of DSL over ISDN include: High Speed. ADSL speeds vary from 256 Kbps up to about 6 Mbps, the typical speed being 1.544, the same as a T1 line. This is considerably faster than Basic Rate ISDN. Low cost. ADSL cost varies with the telephone company, but in most areas is significantly lower than ISDN despite the fact that it is from two to over 10 times faster. “Always on.” A dedicated ISDN connection generally costs several times more than a dial-up connection. All ADSL connections are dedicated (full time). As might be expected, DSL has its drawbacks, too. Some of which are: Availability. DSL only began to be offered by major U.S. phone companies in the mid-to-late 1990s. It is not yet nearly as widely available as ISDN, although many telcos are rolling out DSL in

91_tcpip_09.qx

2/25/00

11:13 AM

Page 478

478 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

metropolitan and suburban areas at a furious pace. It may be a while before DSL is available in more outlying areas. Equipment. DSL modems are not commonly stocked at computer outlets like analog and ISDN equipment. In many cases, you must purchase the equipment from the telephone company, and pay whatever price they set. Distance limitations. Unfortunately, using current technology DSL only works within a specified distance of a CO. The telephone company will not install DSL if your location is beyond that limit, which is usually set at 17,500 feet. Many believe these disadvantages are only temporary, and that DSL and other broadband technology (such as the cable modem) are the future of the Internet. You might wonder, if DSL attains speeds of 1.544 Mbps and beyond, the same speeds as T-carrier lines, why anyone would pay several thousand dollars per month for a T1 line when DSL typically costs less than a hundred dollars per month. The answer is simple: guaranteed bandwidth, also sometimes referred to as CIR or Committed Information Rate (although this term is more frequently associated with Frame Relay technology). With a T1 line, you are assured that you will have the full 1.544 Mbps bandwidth, while a 1.544 DSL line only means that you can get up to that speed; your actual “mileage may vary.” (Some telcos provide a minimum rate, such as 384 Kbps for a connection that tops out at 1.544). Another reason is that, as mentioned, DSL availability is limited due to the newness of the technology and the required proximity to a CO. If you need a guaranteed, reliable high-speed line for mission-critical work, and/or your location doesn’t qualify for DSL, it may be worth it to pay extra for a T1 connection.

Tips for Troubleshooting DSL Connections Problems with DSL connections usually fall into one of two categories: inability to connect, or a slow link. Troubleshoot connection problems in the same way you would troubleshoot any TCP/IP connectivity problem, using PING, IPCONFIG, and the TCP/IP utilities to determine the extent of your ability (or inability) to connect. When performance is the issue, this is often due to packet drops. If there is a bad router on the WAN somewhere that is causing packets to be lost, TCP/IP will assume the loss is due to overloading and will slow down (even if this is not the case). In most cases, these problems will need to be addressed with your telco and/or ISP.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 479

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 479

Understanding X.25 Windows 2000 supports remote access via an X.25 network. X.25 is a Consultative Committee for International Telegraph and Telephone (CCITT) standard that defines a method of transmitting data across a public packet switching network. An X.25 connection uses a PAD (Packet Assembler/Disassembler), which is an asynchronous terminal concentrator that lets several terminals share a single network line. The user calls the X.25 PAD through a modem, and the call is processed by a digital modem and forwarded to the terminal server. The terminal server, using the password that has been designated in the caller’s connection profile, then authenticates the call. When authentication is successful, the session is established. Windows 2000 supports the X.25 protocol in two ways: ■

■

The Windows 2000 RRAS client and server software both allow for the use of X.25 smart cards. The cards connect to the X.25 network, and send and receive data using the X.25 protocol. The Windows 2000 client software allows for use of smart cards and also allows a user to dial in to a PAD.

See Figure 9.4 for an illustration of how an X.25 connection works. Figure 9.4 A remote access client can dial in to a PAD to connect to an X.25 network.

Remote client

Modem

PSTN

PAD

X.25 Smart Card Remote Access Server

X.25

91_tcpip_09.qx

2/25/00

11:13 AM

Page 480

480 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Windows 2000 Remote Access Services don’t differentiate between types of media, so RAS does not “know” whether it is running over an X.25 network or the public phone lines. The only difference in configuring an X.25 connection is that you must specify the PAD type and the X.121 address for the RAS server. Windows 2000 allows you to do this easily by editing the Options tab on the Properties sheet of your dial-up connection. See Figure 9.5. Figure 9.5 On the Options tab of the connection Properties, select the X.25 button.

You can select a PAD type from the drop-down box, and enter an X.121 address in the text box, as shown in Figure 9.6. There is also a provision for entering optional user and/or facilities data.

NOTE “Smart card” in this context does not refer to the smart cards used for secure authentication. An X.25 smart card is an X.25 adapter used to connect to an X.25 network.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 481

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 481

Figure 9.6 You can set X.25 parameters by configuring the properties of a dialup connection.

It is important that these parameters be configured properly for your X.25 connection to work. If you are having problems connecting to an X.25 network, check these settings.

TIP One of the most common problem sources with X.25 is related to the parameter settings on the X.25 provider’s network.

Tips for Troubleshooting X.25 Connection Problems When you are having trouble establishing a remote connection via X.25, first ensure that the RAS client is able to make a PSTN connection with the RAS server, to confirm that the RAS software on the server and client is working properly. If you have problems with the PSTN connection as well, test the modem, and make sure that the serial port and cable are not defective and are configured correctly.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 482

482 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

If you are able to connect with no problems over PSTN, you will know that the problem is with the X.25 network or with the X.25 configuration on the RAS server. Set the X.25 network software to the default settings.

NOTE Eicon is one of the most common providers of X.25 network hardware and software. Others supported by Windows 2000 include SprintNet, InfoNet, and Alascom/Tymnet/MCI.

Try using a terminal program such as Hyperterminal to communicate between the client and server to check their connectivity. If this works but the RAS connection doesn’t, your problem may reside in the parameter settings. Verify that the X.25 provider has properly configured the network according to Microsoft’s specifications.

The Remote Access Protocols Remote access communications use a WAN (wide area network) protocol to establish the link across the phone lines in conjunction with the LAN protocol(s) used for transferring data between the two distant computers. Over a remote link, two computers can communicate using standard local area networking protocols like TCP/IP, IPX/SPX or NetBEUI. However, these protocols are actually wrapped inside the “outer” WAN protocol to make the journey across the WAN link. This wrapping process is called encapsulation. Many network administrators are already familiar with the two popular WAN protocols used for dial-up communications to ISPs or remote access servers: ■ ■

Serial Line Internet Protocol (SLIP) Point-to-Point Protocol (PPP)

The latter is more commonly used today, as it supports encryption and compression (SLIP does not). There are still some UNIX servers, however, that require the connection be established using SLIP. Windows 2000, like Windows NT 4.0, supports both PPP and SLIP as dial-out WAN protocols. The Windows 2000 Remote Access Server services, however, supports only PPP for dial-in connections.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 483

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 483

For IT Professionals

Xs and Oh! Even if your network uses X.25 technology, you may find the literature about it confusing. You’ll see discussions of X.28 PADs, X.21, X.3 standards, X.121 addresses, and X.29 something-or-another. What do all those Xs pertain to, anyway? We’ll try to answer a few of those questions. The “X numbers” are standards or specifications of the International Telecommunications Union, formerly known as the Consultative Committee for International Telegraph and Telephone (CCITT). This organization is the primary international entity devoted to developing and maintaining cooperative standards for telecommunications equipment and systems. X.25 and the others mentioned earlier relate to a particular type of wide area networking packet switching technology. X.25 is actually the Network (or internetwork, in DoD terminology) layer protocol. It uses an addressing scheme called channel addressing, similar to the logical addressing used by IP, except that there is an address maintained for each connection. The addresses are called X.121 addresses. X.21 is a Physical layer interface that is part of the X.25 protocol suite. X.28 and X.29 are PAD specifications. X.28 defines the DTE/DCE interface for start-stop mode DTE accessing the PAD in a public data network, and X.29 defines the procedures for the exchange of PAD control information and user data. X.3 defines the Packet Assembly/Disassembly (PAD) facility in a public data network. In the command mode, a user issues X.3 commands to the PAD. X.25 is generally slower than TCP/IP because it is subject to delays caused by its store-and-forward mechanism, a switching technique where frames, packets, or messages are temporarily received and buffered at intermediate points between the source and destination. However, X.25 provides for error checking from one node to the next, instead of just end-to-end error checking like TCP/IP. In fact, its high reliability and extensive error-checking capabilities are distinguishing characteristics of the X.25 suite.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 484

484 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

NOTE Windows 2000 remote access also supports the AppleTalk Remote Access Protocol (ARAP) for Macintosh clients, and Asynchronous NetBEUI (also referred to as AsyBEUI) for clients that are running older Microsoft operating systems such as Windows for Workgroups, MS-DOS, and Windows NT 3.1.

Let’s take a closer look at the two most common WAN protocols.

Serial Line Internet Protocol The Serial Line Internet Protocol, SLIP, is an older protocol that provides basic connectivity over a serial link, but does not have the advantages of error detection and both synchronous and asynchronous support that PPP offers.

NOTE To use SLIP, your ISP or server administrator must provide you with a static IP address to enter in the configuration box. While PPP supports dynamic assignment of IP addresses, SLIP cannot.

The Point-to-Point Protocol PPP has become the standard WAN link protocol used by most ISPs on their servers, as well as corporate Windows NT and Windows 2000 remote access servers. PPP works at the Data Link layer, and in the context of TCP/IP communications it works in conjunction with IP at the Network layer. PPP encapsulates, or packages, the TCP/IP packets and forwards them to the ISP’s server.

NOTE For more information about PPP, see RFC 1171.

Advantages of PPP over SLIP include:

91_tcpip_09.qx

2/25/00

11:13 AM

Page 485

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 485 ■

■ ■ ■ ■

The ability to encapsulate more than one protocol within a session Supports encryption and compression Uses Link Control Protocol (LCP) to verify line quality Supports dynamic IP address assignment Uses a Cyclical Redundancy Check (CRC) for error checking

The Anatomy of a PPP Connection A PPP connection has four parts, which must occur in sequence: 1. Configuration: During this initial phase, the choice of parameters, multilink options, and negotiation of which authentication protocol will be used take place. 2. Authentication: The authentication method negotiation in step 1 is implemented. 3. Callback: If callback security has been configured, the PPP client and server hang up and the remote server calls back to reestablish the connection. 4. Protocol configuration: LAN protocols are negotiated.

NOTE PPP authentication methods include Password Authentication Protocol (PAP), Shiva (SPAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft’s MS-CHAP (versions 1 and 2), and Extensible Authentication Protocol (EAP), including EAP-RADIUS. PPP can also provide unauthenticated connections.

Troubleshooting Loss of PPP Connection Most commonly, the termination of a PPP connection can be attributed to one of the following causes: ■ ■ ■ ■

Authentication failure Inadequate link/line quality Loss of carrier Timeout

Be sure to verify that the correct authentication method is enabled, as this is a common source of inability to establish a PPP connection. The rest of these problems primarily lie at the carrier’s end, and you should address them with your service provider.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 486

486 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Preventing Problems Related to the WAN Protocol Proper configuration is your primary protection against problems related to PPP or SLIP. When you set up dial-up networking in Windows 2000, you can configure which of the WAN protocols to use in the Networking tab of the Dial-up Connection properties box, as shown in Figure 9.7. Figure 9.7 A PPP or SLIP connection is designated in the Dial-Up Connection properties.

It is very important that, if you are dialing into an NT or Windows 2000 server (or other server using PPP for its dial-in connections), the selection for PPP be checked. If you are unable to connect to your ISP or NT/Windows 2000 Remote Access Server, be sure to check that the server type is properly identified.

Understanding Encapsulation We mentioned that the packets destined for the remote LAN are encapsulated inside the PPP (or SLIP) Data Link layer protocol. Let’s look in a little more detail at how this works. When a message is sent over a remote access connection, after being passed down the stack from the Application layer, the LAN adapter passes

91_tcpip_09.qx

2/25/00

11:13 AM

Page 487

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 487

a frame to the appropriate LAN miniport driver. This is done using the Network Device Interface Specification, or NDIS (see Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on NDIS and Windows 2000 networking architecture). The LAN miniport driver then hands off the IP datagram to the TCP/IP protocol driver. The datagram is sent to the WAN adapter by TCP/IP, using NDISWAN, which adds the PPP header and trailer (this is where the encapsulation or wrapping takes place). Finally, the WAN miniport driver sends the datagram to the WAN adapter through NDIS. When the TCP/IP (or other LAN protocol) packet is encapsulated inside the WAN protocol, it is “invisible” as it travels over the WAN link.

Tools for Troubleshooting PPP Connections Windows 2000 provides two important tools to allow you to gather data about your PPP connections.

Using Network Monitor for PPP Analysis Network Monitor can be used to capture PPP packets. This is useful for troubleshooting the process of connection establishment and for ensuring that encryption and compression are being implemented. To see the data structure inside the PPP encapsulation, you have to disable compression and encryption, since Network Monitor does not interpret compressed/encrypted data. The data captured by Network Monitor can be saved as a file, so that you can examine it later or send it to Microsoft tech support for analysis.

Enabling PPP Event Logging The RRAS components in Windows 2000 provide for logging of PPP events in the System Log. To enable PPP logging, follow these steps: 1. In the RRAS management console snap-in, select the remote access server. 2. Right-click and choose Properties. 3. Select the Event Logging tab, and click Enable Point-to-Point (PPP) Logging (see Figure 9.8).

Enabling PPP Tracing The PPP log in Windows NT 4.0 has been replaced by the tracing function. To duplicate the PPP log, you need to enable file tracing for the PPP key. By default, the PPP log is stored as ppp.log in the <systemroot>\Tracing folder.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 488

488 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Figure 9.8 Enabling PPP logging will cause PPP connection information to be recorded in a log file.

Tracing can be enabled for each routing protocol. To do this, you can configure the following registry value entries for each protocol key:

NOTE Tracing consumes system resources and should be used sparingly to help identify network problems. After the trace is captured or the problem is identified, you should immediately disable tracing.

EnableFileTracing REG_DWORD 1 Enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0. FileDirectory REG_EXPAND_SZ Path You can change the default location of the tracing files by setting FileDirectory to the path you want.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 489

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 489

NOTE You cannot use PPP tracing to view user data.

Troubleshooting Remote Access Configuration Problems Now that we have a general idea of how remote access works, and an understanding of the hardware and software components involved in different wide area networking links, we can discuss the most common source of problems affecting remote connectivity over which administrators can exert some control: configuration of the server and client computers.

Remote Access Server Problems One common cause of remote access connectivity problems is misconfiguration of the Remote Access Server. We will look at how to prevent or resolve problems related to server settings.

Inability to Establish a Remote Access Connection with the Server If a connection with the Remote Access Server cannot be established by any client, check the following: ■

■

Ensure that the server’s modem or ISDN adapter is functioning properly. Ensure that the RRAS service is started on the server.

To check on the status of the RRAS service, open the Routing and Remote Access Administrative tool. In the console tree in the left pane of the RRAS snap-in, double-click Routing and Remote Access, and click Server Status. To start the RRAS service, right-click the name of the remote server in the right pane of the console, select All Tasks, and choose Start, as shown in Figure 9.9. You will note that there is a red warning icon notifying you when the service is stopped. Ensure that the server’s ports are configured for remote access.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 490

490 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Figure 9.9 If remote access connections cannot be established, ensure that RRAS is started.

To configure ports to accept inbound remote connections, open the RRAS console, click the name of the remote server in the left panel, and click Ports in the right panel. Select Properties, and choose Configure. You will see a dialog box, as shown in Figure 9.10. Check the check box for “Remote access connections (inbound only)” to set up the remote server to accept incoming calls, and click OK. Ensure that the Properties for IP (or IPX, NetBEUI, AppleTalk—whatever LAN protocol you wish to use for the connection) are configured to allow remote access. To configure the protocol to allow remote access, right-click the name of the remote server in the left panel of the RRAS console, select Properties, and choose the tab for the protocol you want to configure. You will see a dialog box similar to the one in Figure 9.11. Check the check box to “Allow IP-based remote access and demanddial connections,” and click OK. Check the status of the server’s remote ports to ensure that they are not all in use.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 491

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 491

Figure 9.10 The remote server port must be configured to accept inbound connections.

Figure 9.11 IP-based remote access connections must be enabled on the IP Properties sheet.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 492

492 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

To check the status of the ports, select the remote access server in the right pane of the RRAS console and double-click Ports in the right panel. You will see a display similar to Figure 9.12, informing you which ports are active and which are inactive. Figure 9.12 Check the status of the remote server ports for activity.

Ensure there are sufficient IP addresses in the static address pool of addresses assigned by RRAS to dial-in clients if the server is configured with a static address pool. To add addresses to the static pool, right-click the server name in the left pane of the RRAS console, select Properties, select the IP tab, and click ADD.

Inability to Aggregate the Bandwidth of Multiple Telephone Lines If you have multiple telephone lines (for instance, two ISDN channels) and are unable to aggregate the bandwidth of the two lines, check the following: ■

Ensure that your ISDN adapter supports multiple lines, or that you have two functional modems, each attached to a separate working telephone line.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 493

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 493 ■

Ensure that the Remote Access Server’s PPP options are configured to support multilink.

On the Remote Access Server, PPP configuration options are set in the RRAS console’s Properties sheet for the remote access server, as shown in Figure 9.13. Figure 9.13 Windows 2000 RRAS allows you to configure PPP options on the remote server.

Here, you can select the following PPP options to be used by the server: ■

■

■

■

Select whether multilink connections are allowed. Multilink is a way of aggregating two or more phone lines for greater bandwidth. If multilink is enabled, you can select whether to use the Bandwidth Allocation Protocols (BAP and BACP) to allow multilink to adapt to changing bandwidth demands. Choose to enable the Link Control Protocol (LCP) extensions. For information about LCP options, see RFC 1661. Enable software compression for greater throughput.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 494

494 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Inability to Access the Entire Network If the client is able to establish a remote connection but cannot access the resources of any computer other than the remote server, ensure that IP routing has been enabled on the server. Check the Enable IP Routing check box on the IP Properties sheet for the server (refer back to Figure 9.11 to see this Properties sheet). Also, check to see that packet filtering has not been configured to prevent TCP/IP packets from being sent. If a static address pool has been configured instead of using DHCP, ensure that the routes to the address range(s) of the static IP address pool can be reached by the hosts and routers on the network. You may have to add routes to your routers via a static routing entry, or use a dynamic routing protocol like RIP or OSPF.

NOTE If you have set up the remote access server to use DHCP for IP address allocation, and the DHCP server is not available, APIPA addresses (169.254.0.1 through 169.254.255.254) will be used. Unless your network computers are using addresses from this range, the remote clients will not be able to communicate over IP with them.

Client Configuration Problems Although there is much more that can be misconfigured on the server, if only one client is having connection problems, and there is no physical reason (bad cable, NIC, etc.), chances are good that the client machine is not configured properly to make the remote connection.

Inability to Establish a Remote Connection ■

■

Ensure that the client is configured to use the same authentication method as the remote server. Ensure that the client is configured to use the same encryption strength as the remote server.

To check (and change) the authentication method on the client machine, right-click the connection name after clicking Start | Settings | Network and Dial-up Connections, and select Properties. On the Security tab, choose ADVANCED, and you will see a dialog box similar to the one in Figure 9.14.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 495

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 495

Figure 9.14 The authentication method and encryption are set in Advanced Security settings.

The client and server must both use a common authentication and encryption method. Ensure that the user account is configured to allow dial-in access. To do so, from the Active Directory Users and Computers administrative tool on a domain controller, expand the domain in the left pane of the console and right-click the user’s name in the right pane. Select Properties, and then select the Dial-in tab, shown in Figure 9.15. The Allow Access radio button must be checked for the user account to be able to make a remote connection. ■

NOTE The user Properties Dial-in sheet also allows you to configure callback security requirements, assign a static IP address for remote connections, or apply static routes.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 496

496 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Figure 9.15 Remote access permission must be granted in the user Properties sheet.

Troubleshooting Remote Access Policy Problems Remote access policies consist of conditions and parameters placed on the incoming connection. Windows 2000 allows you to set policies to control client access based on such things as day of the week or time of the day, group membership, connection type (VPN or dial-in), and set limits on duration of connection, idle time after which the connection is disconnected, and security parameters. Figure 9.16 shows some of the limitations that can be placed on dial-in access. When a user attempts to make a remote connection, the characteristics of the connection attempt are compared with the authentication information, user dial-in properties, and remote access policies. When the connection attempt doesn’t match any of the remote access policies, access will be denied. Multiple remote access policies can be in place, but this makes troubleshooting connection denials more complex.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 497

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 497

Figure 9.16 Remote access policies let you place restrictions on dial-in access.

Determining Which Multiple Policy Is Causing the Problem Microsoft recommends that one way to verify which policy is causing the denial is to create a new remote access policy called Troubleshooter and configure it to grant remote access permission for all days/times. Then, move this policy to the top of the list so it will be processed first. If the connection is denied, the problem is either with the Troubleshooter test policy itself, or more likely, with the user account’s dial-in Properties settings. If the connection succeeds, move the test policy down one level and attempt to connect again. If this connection fails, the problem is most likely with the policy just above the Troubleshooter policy. If it succeeds, keep moving the test policy down the hierarchy until a connection is denied, and then examine the properties of the policy that is causing the denial.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 498

498 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Troubleshooting NAT and ICS Configuration Problems Windows 2000 makes it easy to share a single public IP address for access to the Internet by using Internet Connection Sharing (ICS) on a Windows 2000 Professional computer or a choice of ICS or Network Address Translation (NAT) on a Windows 2000 Server.

The Difference between ICS and NAT ICS is available on both Windows 2000 Professional and Server, while NAT is only available on the Server family of operating systems. This statement in itself could be a little confusing, since ICS actually is a form of NAT. You can think of Internet Connection Sharing as NAT Lite—it uses NAT to map internal network IP addresses and ports to a single external IP address, but it is not as flexible and configurable as the fullfledged form of NAT that comes with Windows 2000 Server.

Common NAT Configuration Problems If you are having problems with the NAT computer not properly performing translation, so that packets don’t get delivered to the internal computer (NAT client) for which they are intended, check the configuration of the NAT interfaces. The NAT routing protocol must have both public and private interfaces. To check this, in the RRAS console, under the server name, expand IP Routing and select Network Address Translation. You should see a public and a private interface listed, as shown in Figure 9.17. The public interface connects to the ISP, and the private interface connects to the LAN. Ensure that the public interface is configured for address translation, as shown in Figure 9.18. Right-click the interface name and select Properties. The radio button for “Public interface connected to the Internet” must be selected. You should also check the Translate TCP/UDP headers check box to allow NAT clients to send and receive data through the interface. Now, ensure that the private interface is also properly configured. Right-click the private interface’s name, and select Properties. The same configuration box will appear, only in this case the “Private interface connected to private network” radio button should be checked.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 499

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 499

For Managers

Which Connection Sharing Solution Is Right for My Network? If you have a small network that needs access to the Internet, and only one public IP address, Windows 2000 Server gives you the choice of using ICS or NAT to provide Internet access to the entire network through a single computer’s Internet connection. Either of these solutions will save the cost of additional phone lines, modems, and ISP accounts for connecting additional computers to the Net, as well as the time and work involved in setting them all up for Internet access and the difficulty of maintaining and monitoring their access. Which one, then, should you use to connect your network? ICS and NAT work in a similar fashion, but NAT is the more sophisticated of the two. ICS is configured by right-clicking the connection’s icon in Network and Dial-up Connections and selecting Sharing. It is quick and easy to configure and suitable for many small, simple networks. ICS assumes that this is the only computer on the network that is connected to the Internet, and it sets up all the internal network addresses. By selecting Enable Internet Connection Sharing for this Connection, you make the computer an ICS host. This computer will assign IP addresses to its ICS clients as a DHCP allocator. ICS is appropriate if you don’t have DNS servers, DHCP servers, Windows 2000 domain controllers, or systems using static IP addresses. That limits its use to small peer-to-peer networks. For larger or more complex networks, sharing of an Internet connection can be accomplished via NAT, which is configured as part of RRAS. To use it, you must install and configure the Routing and Remote Access Service (if it is not already installed). NAT requires more configuration by the administrator, but also allows you to specify or change the IP address range assigned to NAT clients, and can be used on Windows 2000 domain networks or those connected to gateways or routers. So, if you have a small peer-to-peer workgroup among which you wish to share an Internet connection, and don’t need control over the IP address range, ICS will be the simplest solution. In most business networks, you will need the more sophisticated features of NAT.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 500

500 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Figure 9.17 NAT requires both a public and a private interface.

Incorrect Public Address Range Another problem that can occur with NAT configuration is incorrect configuration of the public addresses when you have multiple public IP addresses. Ensure that the addresses are entered in the Properties sheet of the public interface, under the Address Pool tab. All addresses entered here should be addresses that were assigned to you by your ISP.

NOTE NAT can provide address translation using multiple public IP addresses; ICS cannot.

Incompatible Application Programs The packets of some programs will not work through NAT. If a program runs from the NAT host computer but you cannot run it from a NAT client, it may be because the program uses a protocol that is not translatable by NAT. Windows 2000 NAT includes NAT editors for the following common protocols: FTP, ICMP, PPTP, and NetBIOS over TCP/IP. Additionally, some protocols such as HTTP do not require a NAT editor.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 501

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 501

Figure 9.18 The public interface must be configured for address translation.

NOTE A related problem, and a major limitation of NAT, is the inability to use it with IPSec for host-to-host security (sometimes called end-to-end). This is because IPSec hides the IP headers required by NAT for translation. You can, however, use NAT if you are using IPSec for a gateway-to-gateway solution.

Other NAT Problems If none of the solutions just discussed uncovers the culprit, ensure that IP packet filtering is not configured to prevent sending and receiving IP traffic. If the problem is related to name resolution, ensure that NAT name resolution has been enabled on the private interface. Troubleshoot Internet name resolution problems as outlined in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”

91_tcpip_09.qx

2/25/00

11:13 AM

Page 502

502 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Troubleshooting VPN Connectivity Problems Virtual Private Networking (VPN) is a popular solution for those who need a secure, yet inexpensive way to connect from a remote computer to a LAN when dialing in directly either isn’t possible or is costly due to long distance charges. Using encapsulation and encryption, a VPN allows you to establish a private “tunnel” through a public network such as the Internet, using the client’s and server’s Internet connections.

NOTE A detailed explanation of how VPN works is beyond the scope of this book, but if you are interested in the basic “how-to’s” of setting up a VPN, see “Managing Windows 2000 Network Services,” published by Syngress.

The Tunneling Protocols Windows 2000 supports VPN connections using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).

PPTP: Point-to-Point Tunneling Protocol PPTP is an industry standard tunneling protocol. It was in Windows NT 4.0 and is also supported in Windows 2000. PPTP is an extension of the Point-to-Point Protocol (PPP) and uses the authentication, compression, and encryption mechanisms of PPP.

L2TP: Layer 2 Tunneling Protocol The Layer Two Tunneling Protocol (L2TP) supports multiprotocol VPNs that allow remote users to access corporate networks securely across the Internet. It is similar to PPTP in that it can be used for tunneled end-toend Internet connections through the Internet or other remote access media. However, unlike PPTP, L2TP doesn’t depend on vendor-specific encryption technologies to establish a fully secured and successful implementation. L2TP utilizes the benefits of IPSec, and will likely eventually replace PPTP as the “tunneling protocol of choice.”

Troubleshooting VPN Connections Troubleshooting a remote VPN connection is similar to troubleshooting other remote access connections, with a bit of added complexity.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 503

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 503

Inability to Connect to the Remote Access Server There are many causes for this problem. As usual, you should begin with the most basic and simplest possibilities: ■ ■ ■

■

■ ■

■

■

Ensure that the RRAS service is started on the VPN server. Ensure that RRAS is installed and enabled on the VPN server. Ensure that PPTP or L2TP ports are enabled for inbound remote access traffic. Ensure that LAN protocol(s) used by the VPN client are enabled on the VPN server. Ensure that all PPTP or L2TP ports are not already in use. Ensure that the VPN client and server are configured with a common authentication method and a common encryption method. Ensure that the user account has the proper dial-in permissions granted. Ensure that remote access policies are not causing a denial of the connection.

As you can see, most of these problems are related to the same configuration considerations we discussed earlier concerning general RRAS troubleshooting.

Summary In this chapter, we have provided some basic information about how Windows 2000’s Routing and Remote Access Services, hand-in-hand with the dial-up networking component, make it easy for users to connect to a remote server and for administrators to provide dial-in access to those on their networks. We looked at the differences between a remote access connection to the company network and participating as a local (cabled) node on the network, and concluded that the only practical difference is the speed of the connection. Data transfer speed is limited to the media over which the connection is made, and we saw that typical wide area networking links provide for speeds from 56 Kbps or less (analog modems) to about 6 Mbps (high-speed ADSL). We examined the differences between remote access and remote control, and learned that the latter is usually used by administrators to take over control of the server from a remote location. This is often done to troubleshoot problems or administer the server services when the administrator is offsite. We saw that remote access is used to connect to the

91_tcpip_09.qx

2/25/00

11:13 AM

Page 504

504 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

network and access shared files, print to shared printers, or otherwise participate as another node on the network. We then discussed the elements of different available wide area networking technologies over which our remote access sessions can be established. We provided an overview of remote networking using the analog phone lines on the Public Switched Telephone Network (PSTN). We then looked at a faster and “cleaner” technology, Integrated Services Digital Network (ISDN). We learned that ISDN is usually provisioned in one of two forms: Basic Rate ISDN (BRI), which provides two 64 Kbps data channels, and Primary Rate ISDN (PRI), which provides for up to 23 64 Kbps data channels for a total throughput of 1.544 Mbps. Next we talked about the newest “kid on the block,” Asymmetric Digital Subscriber Line (ADSL), and how its cost advantage and “always on” technology make it a popular alternative to ISDN—if your location is within 17,500 feet of a telephone company Central Office (CO). After that, we looked at how Windows 2000 supports connection to an X.25 network, which uses a Packet Assembler/Disassembler (PAD) and provides for data transfer over a public packet switched network. Then we discussed the WAN protocols used for remote access networking: SLIP and PPP. We learned that SLIP is used on some UNIX servers, but Windows 2000, like NT 4.0, supports only PPP for dial-in connections. We talked about the four steps involved in making a PPP connection: configuration, authentication, callback (optional), and configuration. Then we moved on to some specific tips for troubleshooting PPP problems, which include authentication failures, inadequate link/line quality, loss of carrier, and timeouts. We looked at how to configure a dial-up connection to use PPP, and we gained an understanding of encapsulation, the method by which TCP/IP or other LAN protocol packets are wrapped inside the PPP or SLIP protocol headers. Next we saw how we could use Network Monitor and PPP trace logging for gathering information about a PPP connection. We then focused on troubleshooting configuration problems. We looked at common configuration problems involving the remote access server, including inability to establish a remote connection, inability to aggregate the bandwidth of multiple phone lines, and the inability to access the rest of the network even though a connection with the server is established. After that, we looked at client configuration problems, and the importance of ensuring that the remote client uses the same authentication and encryption methods as the remote server.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 505

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 505

We talked about remote access policies, and some of the common problems that arise in using them. We also learned a method of determining which of multiple policies is causing a connection denial problem, by creating a test policy and manipulating its position in the order of application. Next we looked at Internet Connection Sharing (ICS) and Network Address Translation (NAT), and discussed common configuration and implementation problems that can occur when you share an Internet connection with a network through one ICS/NAT host. We learned that ICS is configured through Network and Dialup Connections, while NAT is configured via the RRAS console. We also found out that NAT requires both a public interface (connected to the ISP) and a private interface (connected to the LAN), and that each must be configured according to its role. We discussed the ramifications of entering the wrong public IP address range in NAT properties, incompatible application programs whose protocols cannot be translated, and the importance of ensuring that IP packet filtering is not configured to prevent IP traffic from getting through. Finally, we took a brief look at virtual private networking (VPN), the two tunneling protocols supported by Windows 2000 (PPTP and L2TP), and how to troubleshoot VPN connectivity problems. Remote access gets easier to configure with each new Microsoft operating system, but there are still many things that can go wrong with a remote connection. These problems benefit from a methodical, organized approach to troubleshooting—keeping in mind that a remote access connection in many ways is no different from a cabled network connection, except for the added layer of the WAN link used to achieve it.

FAQs Q: How can I use caller ID with RRAS to enhance dial-in security? A: If the phone system(s) used by the caller and the remote access server support the caller ID feature, you can use the caller ID feature when you set dial-in security. You can specify the phone number from which the user must dial in. If the user calls from a different phone number, the connection will not be successful. Be careful in using this feature, because if you do configure dial-in security with a specified caller ID phone number for the user and the system does not support caller ID, the connection will be denied. Note that if the connection is a VPN connection, the caller ID number will be the IP address of the client.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 506

506 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network

Q: Does Windows 2000 work with modem-pooling equipment? A: Yes, as long as the modem-pooling device generates and accepts command strings equivalent to one of the supported modem types listed in the Install New Modem wizard. In that case, you connect the equipment to the COM ports and configure the ports for remote access using RRAS. Microsoft recommends that you configure modem-pooling devices to behave like a Hayes-compatible modem since that is a commonly used standard. Q: Does the Windows 2000 remote access server support callback security on an X.25 network? A: No, Microsoft advises that callback is not currently supported on X.25 connections. Q: In what way is Windows 2000’s remote access component more configurable in terms of security than Windows NT 4.0? A: In NT 4.0, a user’s authorization to dial in to the network was dependent on one simple check box to grant dial-in permission to user, set in User Manager or the Remote Access Administrative Tool. Windows 2000 allows you to grant or deny remote access to a user in the user’s property sheet in Active Directory Users and Computers, and also allows you to further restrict dial-in permissions based on remote access policies, which can be applied to members of specific groups, to specific connection types, and other more broad-based criteria. Q: What is BAP, and how does it work? A: The Bandwidth Allocation Protocol (BAP) is used to increase the efficient use of the network bandwidth by adding or dropping additional links according to changes in traffic flow, on a dynamic basis. To do this, BAP works in conjunction with Multilink PPP in Windows 2000. BAP policies can be set through the remote access policy feature to make it easy for administrators to control connection costs and still provide for optimum bandwidth for users. Q: What are NAT editors, and why might I need one? A: NAT editors are software components that are added to NAT in order to make modifications to the IP packet beyond the translation of the IP address in the IP header, TCP port in the TCP header, and UDP port in

91_tcpip_09.qx

2/25/00

11:13 AM

Page 507

Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 507

the UDP header. This additional translation is required with certain protocols that store the IP address, TCP port, or UDP port in the payload (for instance, FTP). Windows 2000 includes NAT editors already built-in for FTP, ICMP, and PPTP. Windows 2000 doesn’t include editors to translate SNMP, LDAP, Microsoft COM, or RPC.

91_tcpip_09.qx

2/25/00

11:13 AM

Page 508

91_tcpip_10.qx

2/25/00

11:15 AM

Page 509

Chapter 10

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level Solutions in this chapter: ■

NICs

■

Cable

■

Hubs and Repeaters

■

Bridges

509

91_tcpip_10.qx

2/25/00

11:15 AM

Page 510

510 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Introduction Now that we have discussed some of the protocols and services related to TCP/IP, and know how to use the built-in utilities and add-on monitoring and troubleshooting tools, we’ll take a look at connectivity problems from the ground up—or perhaps we should say “from the bottom up.” That’s the bottom of the OSI and DoD networking models we’re referring to, of course. You’ll recall that the Network Interface layer in the DoD model is roughly equivalent to the Physical and Data Link layers of OSI. In this chapter, we will examine some of the things that can go wrong at this level, and how to address them. The Network Interface layer involves physical problems—network interface cards (NICs), cable, and network connectivity devices such as hubs, repeaters, and bridges. The differences between these various Network Interface layer devices, and how they compare to higher layer devices such as Layer 3 switches, routers, and gateways, is sometimes a source of confusion even for IT professionals. For that reason, we will look at how the various connectivity devices work, and some of the reasons they don’t always work properly. Because the DoD Network Interface layer also encompasses the OSI Data Link layer, it also involves software drivers for the hardware. We will discuss the importance of updated and properly configured NIC drivers in making it possible for the TCP/IP protocol suite (or any other) to send data across the network. We will not spend a lot of time discussing the details of how to install and configure networking hardware. In this chapter, we will be pointing out those areas in which Network Interface layer problems, such as those related to physical devices or software drivers, can affect TCP/IP connectivity and even mimic protocol configuration problems.

Problems with Network Interface Card Configuration Configuration of the NIC at the physical level is the first step in achieving a TCP/IP connection. Although an improperly configured card is not a protocol-specific issue, it may be mistaken for one, and much time can be lost in trying to troubleshoot TCP/IP when the problem lies elsewhere. Thus, it is important for an administrator to know how to determine when the connection is failing due to a lower-level problem. One easy way to determine that the problem lies in the lower layers is to attempt to establish a connection using a different protocol. If your computer is unable to communicate with others on the network using TCP/IP, but can make the connection when NetBEUI or NWLink is

91_tcpip_10.qx

2/25/00

11:15 AM

Page 511

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 511

installed on the machines, you know to start troubleshooting the protocol configuration. If you still have no luck in making a connection with other network transport protocols, it is likely that you have a problem with the hardware or the hardware drivers. This simple test can save you much time and effort.

The Role of the NIC The NIC (also sometimes called the network adapter, or just the network card) plays an essential role in TCP/IP and other network communications. The NIC is the device that physically joins the computer and the cable or other network media, but its function is more complex than that. The data cannot just flow through the network card and out onto the cable (or from the cable through the NIC into the computer’s memory) because the form in which the computer processes the data is different from the format necessary to send it out over the cable. The NIC must convert outgoing data from a parallel format, in which bits of information are sent in multiple lines or paths, as takes place inside the computer, to serial format, where the bits move in “single file” on the cable. Network cards also have memory chips, called buffers, in which information is stored so that if the data comes in or goes out too quickly, it can “rest” there while the bottleneck clears and there is room for it to pass onto the cable or up into the computer’s components.

Types of NICs Of course, it is essential that you ensure that the NIC installed in the computer is the proper type for both the media and architecture used by your network. For instance, Ethernet and Token Ring require different types of NICs. This is because of the different ways in which the media access methods function. And, of course, the card must have the proper connector for the cable type being used. These are basic, relatively straightforward issues, but don’t overlook them when troubleshooting connectivity problems.

NOTE Be sure to check the Windows 2000 Hardware Compatibility List (HCL) to ensure that your card is supported. The list can be accessed from the Microsoft Web site at www.microsoft.com/hcl. Although devices not listed may still work with Windows 2000, if your card is on the list you can be confident that it has been tested and is compatible with the operating system.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 512

512 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Driver Issues Like other hardware devices, the NIC requires a software driver to provide the interface between the operating system and the card. Be sure the driver that is designated for your specific model of NIC is installed, and that it is the latest incarnation. Experienced administrators know that simply installing an updated NIC driver can solve countless connection problems.

NOTE Windows 2000 supports a large number of common brands and models of NICs, and the drivers are included on the Windows 2000 CD. However, these may not be the latest versions. Always check the manufacturer’s Web site for a download area where you can obtain the latest drivers.

Since Windows 2000, unlike NT 4.0, is a plug-and-play operating system, supported cards are more likely to be automatically detected and the drivers installed from the Windows 2000 installation files (or you will be prompted to supply the disk or network location). Be cautioned again, however, that the drivers installed by the operating system may be outdated.

NOTE Windows NT did have the capability to detect some network cards with its limited plug-and-play capability.

Updating Drivers NIC drivers (and drivers for other hardware devices) can be updated through the Device Manager. To do so, click Start | Settings | Control Panel | System. Select the Hardware tab and click DEVICE MANAGER. The list of installed devices will be displayed, as shown in Figure 10.1. You can select the card you wish to configure or update and doubleclick it, then select the Driver tab. This interface makes it easy for you to update the files, as shown in Figure 10.2, and also makes available useful information about the resources being used by the device, any conflicts, and troubleshooting tools. A handy feature is the Hardware Troubleshooter, which can be accessed from the General tab.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 513

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 513

Figure 10.1 Use Device Manager to configure and update drivers for the NIC.

Figure 10.2 The properties sheet for the device provides valuable information about the driver.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 514

514 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

WARNING In order to access the Device Manager and install or update device drivers, you must be logged on to an account with the appropriate permissions. Be aware that network policy settings (Group Policy, IPSec, and other security settings) may also prevent you from performing these tasks.

Problems with Cable and Other Network Media Another type of problem that can mimic TCP/IP protocol configuration problems is damaged, defective or improperly installed cable or other network media. Broken or shorted cables can be detected with a cable tester or TDR (time domain reflectometer). Some of the more sophisticated (and more expensive) LAN testers will even pinpoint the exact location of the break. As a network administrator, you may have other personnel who handle hardware and cabling. It is important, however, that you are able to recognize the symptoms of Physical layer problems so that you will know when to call in the technicians, rather than spend your time attempting to “fix what isn’t broken.” Damage to the media is not the only factor when considering Physical layer problems. All network architectures—for example, Ethernet, Token Ring, AppleTalk—include specifications that must be met concerning networking equipment and media. If those rules are ignored, connectivity may be lost completely, or you may experience intermittent problems. Common areas of noncompliance, which can result in difficulties in establishing or maintaining a connection, include cable type and grade, and the limitations on the allowable segment length for various network/cable types.

Network Cable Specifications Be sure that the cabling for your network meets specifications for the particular architecture. For instance, a 10Base2 network requires not just thin coaxial cable, but a particular type of thin coax: RG-58 A/U (the cable grade is usually indicated on the side of the cable itself). Don’t try

91_tcpip_10.qx

2/25/00

11:15 AM

Page 515

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 515

to substitute something else that is “close” or looks similar; you will be setting yourself up for connectivity problems if you do. It is not an unknown occurrence for a cable technician (or perhaps more likely, a net admin with little hardware experience) to attempt to replace a broken or bad length of thin coax cable with RG-58 U or even RG-59 (the cable used for cable TV). Therefore, in checking the Physical layer for the source of a connectivity problem, ascertain not only that the cable is connected and appears to be undamaged, but that the cable type meets specifications. Another example of improper cable type would be substituting category 3 twisted pair for cat 5, when running a 100 Mbps (100BaseT) network.

NOTE Cable type is generally indicated on the cable itself. If it is not, you can identify the cable type by counting the wire pairs or measuring the ohm rating.

Cable Length Issues You undoubtedly are also aware that because of the susceptibility of copper cabling to attenuation, or signal loss over distance, network specifications place limits on the acceptable length of a segment of cable, depending on the architecture and cable type. A cable segment is generally defined as the length of cable between repeaters. A repeater (or other connectivity devices that perform boosting of the signal) allows you to increase the distance of your network. We will discuss these devices in the next section of this chapter. Violating the length specifications may be tempting, especially if you only need to go “a tiny bit further” in order to get the cable to a specific office or other location. You might get away with it—the cable does not just automatically stop working when you exceed the specified distance. But going beyond these limitations can cause you to have connectivity problems that you might easily mistake for software/protocol problems when the real trouble is at the physical level. Table 10.1 shows common network/cable types and the maximum cable segment length for acceptable performance.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 516

516 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Table 10.1 Cable Length Limitations Network Type

Cable Type

Distance Limitation per Segment

10Base2

RG-58 A/U Thin coax

185 meters (607 feet)

10Base5

RG-8 or RG-11 Thick coax

500 meters (1640 feet)

10BaseT 100BaseTX

Category 5 UTP

100 meters (328 feet)

The Role of Network Connectivity Devices We call them “network connectivity devices” for the obvious reason: They are used to connect networks (also called network segments or subnets). But why are there so many different types, and how do we know when to use which on our TCP/IP networks? Let’s first think about the characteristics of the TCP/IP suite. One of its strong suits—in fact, the number-one reason it is the protocol of choice for so many networks today, as well as the protocol of the global Internet—is its routing capability. Routing refers to transferring data from one network or subnetwork to another. Thus, it makes sense that connectivity devices are common in TCP/IP networks. Usually the type of device we associate with an internetwork is the router, which works at the DoD’s Internetwork layer (Network layer in the OSI model). We will briefly discuss routers in this chapter, in the context of how they differ from the Network Interface layer devices, and we will devote an entire chapter (Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level”) to routing problems and other Internetwork layer troubleshooting. But we also should remember that there are other, lower-level devices that can be used for such purposes as: ■ ■

■

Extending the distance limitations of network cable Connecting network segments that use different media types (for instance, thin coax and UTP) Segmenting the network to reduce traffic without dividing the network into separate IP subnets

Although a large percentage of network connectivity problems occur at the Network Interface level, it is often overlooked in the troubleshooting process. That is, until you discover, after spending an entire afternoon completely reconfiguring both your server and your client, that your inability to connect or your loss of data packets was caused by a physical problem with your repeater or bridge.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 517

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 517

Understanding Layer 1 and 2 Connectivity Devices There are three basic types of network connectivity devices that operate at the Network Interface level. In OSI terminology, this means Layers 1 (Physical layer) and 2 (Data Link layer). These are: ■ ■ ■ ■

Repeaters Hubs Switches Bridges

We will discuss each of these device types, its advantages and disadvantages, and how each one behaves in passing TCP/IP packets. Networking hardware technology is constantly advancing, and new devices are appearing on the market all the time. In addition, different manufacturers, perhaps out of a misunderstanding of the terminology or perhaps in the effort to make their own products stand out in a crowd, will sometimes give their equipment a name that confuses the issue further, in terms of exactly what the device does and at which layer of the standard networking models it functions.

NOTE Some books refer to components such as BNC barrel connectors as connectivity devices. Strictly speaking, since they do indeed connect two lengths of cable, this would be correct. In this chapter, when we speak of connectivity devices, we are referring to active devices, not mere connection points. See the discussion of active vs. passive hubs for more information on this.

How and Why Repeaters and Hubs Are Used We will discuss repeaters and hubs together because, in many cases, they are the same thing. In fact, you will hear hubs referred to as “multiport repeaters.” All that means is that the hub does what a repeater does: boosts the signal before passing it on from one segment of cable on which it came in, to another on which it goes out. Hubs are different from basic repeaters, however, in that the latter generally has only two ports. The repeater is used to extend the usable length of a given type of cable. For instance, a 10Base5 Ethernet network, using thick coax cable, has a maximum cable segment length of 500 meters, or 1640 feet. At that distance, attenuation (signal loss due to distance) begins to take place. But when you place a repeater at the end of

91_tcpip_10.qx

2/25/00

11:15 AM

Page 518

518 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

the cable and attach another length to the repeater’s second port, the signal is boosted and the data can travel further without damage or loss. See Figure 10.3. Figure 10.3 A repeater is used to address attenuation problems.

500 meters

500 meters

Repeater

Repeaters extend distance limits

Data loss or complete loss of connectivity may occur if a network is constructed with a segment length greater than that designated in the IEEE specifications for the architecture/cable type, and no connectivity device is used to boost the signal. Remember to always check for physical problems rather than assume software/networking protocol configuration is at fault when packets are lost.

What’s the Difference between Repeaters, Amplifiers, and Hubs? A repeater boosts the signal traveling across an Ethernet cable in much the same way an amplifier boosts the signal input from an old radio tuner. The difference between a repeater and an amplifier lies not in what they do, but in what kind of signals they do it to. While amplifiers boost analog signals (such as those used in the public telephone network or in older home stereo systems), a repeater boosts the digital signals used in most computer communications. The typical Ethernet hub is also a kind of repeater, a multiport repeater that allows for 5, 8, 12, 16, 24 or more connections. While a

91_tcpip_10.qx

2/25/00

11:15 AM

Page 519

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 519

standard repeater is more often associated with 10Base2 and 10Base5 (coax) networks, hubs are used with 10BaseT and other UTP-based networks.

NOTE Repeaters are not very “smart” devices; they simply boost whatever signal they receive—not distinguishing between data and noise—and pass it on. They also aren’t very “polite.” They don’t follow the usual CSMA/CD process that NICs use, listening for traffic on the network before transmitting. A repeater just goes ahead and transmits even if another node is in the middle of a transmission. This, of course, results in a data collision, which means data must be re-sent, and network performance is negatively impacted. This is the reason for the Ethernet (coax) 5-4-3 Rule: The total length of the network cable must be limited so that all computers on the network will be able to monitor all segments before they transmit, since the repeater won’t do it for them.

Using a Repeater in Troubleshooting A repeater can be of use in troubleshooting situations, in that it allows you to isolate a segment when there is a failure or fault condition. You can disconnect one side of a repeater to effectively isolate the associated segment(s) from the rest of the network. You can then perform troubleshooting functions without any impact on the rest of your production network.

NOTE Repeaters do not logically segment or subnet the network and do no filtering of traffic, nor do they divide the network into collision domains. You cannot reduce the traffic load or increase available network bandwidth by using repeaters; you can only amplify the signal and extend the maximum length of the cable. The repeater divides the network into “segments” only in relation to maximum segment length for purposes of avoiding attenuation problems.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 520

520 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Types of Hubs The multiport repeater we are talking about here accepts the incoming signal, boosts it, and then sends it back out over all the ports to the rest of the computers that are attached to the hub (or other hubs that are uplinked to it).

NOTE Many hubs include an uplink port, which is wired so that the transmit and receive pairs in the cable are reversed. This port is used to connect two hubs together. The uplink port of one hub is connected to a regular port on the other (if you connected two uplink ports to each other, you would defeat the purpose, and the hubs would not be able to communicate with one another). If your hubs don’t have uplink ports, you can connect two hubs’ regular ports via a crossover cable to achieve the same result. This is a twisted-pair Ethernet cable with the transmit and receive wires crossed.

This type of hub, which boosts the signal before sending it back out, requires electric power and is also sometimes called an active hub. There are several other types of hubs, as summarized in Table 10.2. Table 10.2 Basic Hub Types Type of Hub

Characteristics

Active hub

Requires electric power; boosts the incoming signal before sending it back out all ports.

Passive hub

Does not require electric power; serves as a connection point, sending the signal back out on all ports without boosting it.

Intelligent hub (also known as "managed hub")

Includes a processor chip with diagnostic features that allow you to troubleshoot individual port problems. This is helpful when you need to troubleshoot ports remotely and cannot just look at the lights on the hub.

Switching hub (also known as "switch")

Sends the signal out the port to which the destination computer is connected only.

Switching hubs, or switches, are becoming more and more popular (and becoming less expensive, which contributes to the popularity). Let’s examine this connectivity device a little more closely.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 521

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 521

NOTE Another type of hub, called a concentrator, is a sophisticated device that offers the ability to provide each client with exclusive access to the full bandwidth of the media. Each workstation plugs into a separate port, and there is no connection. These hubs also allow for buffering and filtering of packets so that unwanted packets are discarded. Another feature of these hubs is support for SNMP (Simple Network Management Protocol) to configure and administer the hub. The term concentrator is most often associated with Token Ring hubs (also called Multistation Access Units, or MAUs). A remote access hub that handles incoming dial-up calls for an Internet (or other network) point-of-presence and performs other services is referred to as a concentrator (or aggregator).

How and Why Switches Are Used Layer 2 switches, or switching hubs, work at the Data Link layer, and they are installed in place of the active hubs that traditionally have been used to connect computers on a UTP-cabled network. Replacing hubs with switches will cost a bit more, but offers several important advantages.

Advantages of Switches over Hubs A switch combines the characteristics of hubs and bridges (we’ll discuss bridges in the next section). Like a bridge, a switch constructs a table of MAC addresses. The switch knows which computer network interface (identified by its physical address) is attached to which of its ports. It can then determine the destination address for a particular packet and route it only to the port to which that NIC is attached. Obviously, this cuts down a great deal on unnecessary bandwidth usage since the packet is not sent out to the other ports, where it will be disregarded when those computers determine that it is not intended for them. See Figure 10.4. Using switches instead of hubs creates individual “collision domains” for each segment. This means a particular computer receives only the packets addressed to it, to a multicast address to which it belongs, or to the broadcast address. You increase potential bandwidth in this way by the number of devices connected to the switch, because each can send and receive at the same time another node is doing so.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 522

522 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Figure 10.4 A switch reduces traffic by sending data only out the port with which the destination MAC address is associated.

B

A

for Pac F's ket MA des C a tine dd d res s

Switch consults table, sends out port connected to Computer F only

Switch

D

C

E

F

Advantage of Switches over Bridges Switches can forward data frames more quickly than bridges, because instead of reading the entire incoming Ethernet frame before forwarding it to the destination segment, the switch typically only reads the destination address in the frame, and then retransmits it to the correct segment. This is why switches can offer fewer and shorter delays throughout the network, resulting in better performance. Bridges normally have only two ports, dividing the network into two parts, while switches have multiple ports, each of which may connect directly to a host computer (or alternately can connect to a hub or another switch).

Switching Modes Switches generally use one of two methods of forwarding data: cutthrough or store-and-forward. Cut-through mode. Switches that use cut-through mode read only the first few bytes of the packet to determine the source and

91_tcpip_10.qx

2/25/00

11:15 AM

Page 523

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 523

destination addresses, and then pass the packets through to the destination segment. The rest of the packet is not checked for errors. This means invalid packets can still be passed on to other segments, but there is the advantage of speed; there is very little delay involved in packet throughput with this mode. Store-and-forward mode. Switches using store-and-forward could be thought of as careful and methodical, but not speedy. They buffer and examine the entire packet, and filter out any bad packets that are detected. The good packets are then forwarded to the correct segment. This results in some delay in throughput, but fewer errors get through to other segments.

When to Switch to a Switch Replacing hubs with switches is a good idea when there is a great deal of point-to-point network traffic. Switches won’t cut down on network congestion problems caused by broadcasts, since broadcast messages will still be sent out all ports. This is another way in which they are similar to bridges. Switches offer the following benefits: ■

■

■

■

Switches eliminate contention (one of the major disadvantages of Ethernet), and therefore allow each port to use the full bandwidth. A switch can be used to divide an overloaded network into segments, creating separate collision domains and increasing performance. Switches offer low latency, which improves the efficiency and performance of the network. Switches can be used to create virtual networks, or VLANs.

How and Why Bridges Are Used A bridge builds a MAC table like a switch, but like the repeater, it is a two-port device rather than a multiport device like a hub or switch. The bridge is used to segment a network to reduce traffic and collisions. It also boosts the signals that it passes across.

How Bridges Reduce Network Traffic A bridge monitors the data frames it receives to construct its MAC address table, using the source addresses on the frames. This is a simple table that tells the bridge on which side a particular address resides. The bridge can then look at the destination address on a frame, and if it is in the table, determine whether to let it cross the bridge (if the address is on

91_tcpip_10.qx

2/25/00

11:15 AM

Page 524

524 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

the other side) or not (if the address is on the side from which it was received). In this way, there is less unnecessary traffic, because when a computer on side A sends a message to another computer that is also on side A, the signal goes only to those computers on side A. Those on side B, on the other side of the bridge, go blithely on with their business and never have to deal with it. See Figure 10.5. Figure 10.5 A bridge segments the network to reduce traffic.

Side A

Bridge recognizes destination MAC address and does not send to Side B

Side B

Bridge

Data is transmitted from a computer on Side A to another computer on Side A

Using a bridge can, in effect, double the available bandwidth since there can be two “conversations” between computers going on simultaneously, on opposite sides of the bridge, without data collision.

What Is a Translation Bridge? Bridges can be used not only to segment a network, but also to connect two network segments that use different types of media. For instance, you can use an AUX/BNC bridge to connect one segment running on thick coax cable (10Base5) to another segment running on thin coax (10Base2).

91_tcpip_10.qx

2/25/00

11:15 AM

Page 525

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 525

A translation bridge is a type of bridge that can go a step further, and not only connect two different media types, but can connect segments using two different media access methods. The translation bridge “translates” between the two access methods, typically Ethernet and Token Ring.

NOTE Translation bridges do not translate between protocols. Bridges are unaware of and not dependent on which network/transport protocols are used for communication. Bridges can use only the MAC addresses. Because bridges do not look at the upper-layer protocols (such as IP), they cannot make decisions about where to send data frames based on the IP address.

In most cases, a better solution for connecting Ethernet and Token Ring, when both are using TCP/IP, is a router, which is capable of complex routing based on protocols and the logical network address.

Advantages and Disadvantages of Bridges Bridges enjoy several advantages over other connectivity devices: ■ ■

■

■

■

Bridges are less expensive than routers and brouters. Bridges allow you to add more computers and segments to the network. Bridges are transparent to higher-level protocols like TCP/IP because they operate at the Data Link layer of the OSI model. Bridges can be used with nonroutable protocols like NETBEUI (which will not cross a router). Bridges localize network traffic and thus can increase network performance.

Some disadvantages of bridges include their propensity to cause broadcast storms because they pass broadcast messages across the bridge, and the fact that the bridge is not “smart” enough to evaluate and use the most efficient path for each transmission as a router does. Bridges are not very efficient for use in large, complex networks. If your network fits that description, you may need to consider a router, which works at a higher layer of the OSI model.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 526

526 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Understanding Upper-Layer Connectivity Devices Like hubs and switches, routers are multiport connectivity devices. Unlike hubs and switches, routers are appropriate for use on large, complex networks because they are able to use the logical IP address to determine where packets need to go.

How Routers Work How does using the IP address help to simplify the routing process? You will recall that an IP address is divided into two parts: the network ID and the Host ID. The network ID is the key here, as it “narrows down” the location of the particular destination computer by acting somewhat like the zip code does for the post office.

Using the Network ID to “Narrow the Search” In a small town, all streets may share the same zip code, so that a letter addressed to 100 Hall Street, Seagoville TX doesn’t really need a zip code. It will reach its destination because there is only one Seagoville post office, and it can easily keep up with where all the streets in town are located. In a big city, however, a letter addressed to 100 Hall Street, Dallas TX will have more difficulty reaching its destination. That’s because there are several post offices in Dallas, each designed to serve only a designated part of the city. The zip code identifies which of these post office stations will handle the delivery of the letter, much as the network ID identifies which subnet, or part of the network, a destination computer is on. In order to use this information, though, the post office must be zip code-aware. That is, the employees there who sort the mail must understand what the zip codes mean. If we had employees performing this task who came from the era before the advent of zip codes, they would see the series of numbers at the end of the address and, not understanding their significance, disregard it. Like those postal employees from a former time, bridges and other lower-layer devices don’t recognize IP addresses or utilize them in making decisions about where to send the data. Routers, however, working at the Network layer where IP operates, can understand and use IP addresses. A router keeps a table, too, but unlike a bridge or switch, which only deals in MAC addresses, the routing table tells the router how to get to other known networks (or subnets) based on the network ID. Then, when a packet reaches the appropriate network, the Host ID is used to get it to the particular computer for which it is destined.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 527

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 527

The Routing Table Where does the router get this information? Routes can be entered into its routing table manually (this is necessary when static routing protocols are used), or the router can “learn” routes from other routers with which it communicates, using dynamic routing protocols (such as RIP and OSPF, both supported by Windows 2000).

The Routing Process A packet is routed across multiple subnets using a complex process of stripping off and replacing the header information as it goes from one network to the next. This is necessary because the source and destination address change for each network it goes through. In other words, the process works something like this: 1. Computer A with IP address 192.168.1.4 sends a message to Computer B with IP address 201.234.1.12. Both have a subnet mask of 255.255.255.0. 2. Because IP recognizes that the destination address is not on the same subnet as the source address, it sends the message to Router 1, which is Computer A’s default gateway. 3. Router 1 is connected to the 192.168.1.0 network and the 210.45.9.0 network. It is not connected to the 201.234.1.0 network, but it has an entry in its routing table telling it that the way to get there is via Router 2. 4. Router 1 replaces the original source address (Computer A’s) with its own, and sends the packet to Router 2. 5. Router 2 is connected to both the 210.45.9.0 network and the 201.234.1.0 network. It replaces the source address with its own and routes the packet to the destination computer (Computer B), which with an address of 201.234.1.12, is on its subnet. 6. Now when Computer B replies, it will send the packet back to Router 2, which will forward it to Router 1, which will return the response to Computer A. See Figure 10.6 for an illustration of this process. Routers must understand the network protocol being used, thus they are called protocol-specific devices. A bridge isn’t concerned with protocols, but a router must support the protocol(s) used by your network.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 528

528 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Figure 10.6 Packets are forwarded from one router to the next across multiple subnets.

Computer A 192.168.1.4 192.168.1.4 Router 210.45.9.1

210.45.9.2 Router 201.234.1.1

Computer B 201.234.1.12

How and Why Routers Are Used Routers are used to handle complex routing tasks. Routers also reduce network congestion by confining broadcast messages to a single subnet.

NOTE A router can either be a dedicated device (such as those made by Cisco) or a computer running an operating system that is capable of acting as a router. Windows 2000, like Windows NT, can function as a router when two network cards are installed and IP forwarding is enabled.

Routers are capable of filtering, so that you can, for instance, block inbound traffic. This allows the router to act as a firewall, creating a barrier that prevents undesirable packets from either entering or leaving a particular designated area of the network.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 529

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 529

WARNING The more filtering a router is configured to do, the slower the performance.

Okay, if routers are so great, is there any reason not to use one? Why bother with any of the other connectivity devices? Routers have a few disadvantages: ■

■

Cost Routers cost significantly more than lower-layer connectivity devices. If you don’t need the router’s sophisticated capabilities, you should use a less expensive bridge or switch to reduce network traffic. Performance All that complexity involved in communicating with other routers and building routing tables and making routing decisions comes with higher overhead than the simpler devices. Thus, a router can slow performance somewhat—although that may be balanced by the reduction of congestion.

How and Why Brouters Are Used Although its name may sound like the weird result of some recombinant DNA experiment, the brouter is a device that attempts to combine the features of bridges and routers into a “best of both worlds” solution. This may be useful when some nodes on the network are running unroutable protocols, such as NetBEUI, while others use protocols that can benefit from routing. The brouter functions like a router, using IP addresses to make routing decisions, when packets are sent using a routable protocol like TCP/IP. If a nonroutable protocol is used, the brouter will use the MAC address to function as a bridge.

NOTE Because it performs the functions of both a router and a bridge, brouters operate at both the Data Link and the Network layers of the OSI model.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 530

530 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

How and Why Layer 3 Switches Are Used Recently, a type of switch that operates at the Network layer, or Layer 3 of the OSI model, has become a popular connectivity option. Layer 3 switches are sometimes referred to as switch routers. Although a Layer 2 switch (switching hub) is unable to distinguish between protocols, a Layer 3 switch actually performs some of the functions of a router. A Layer 3 switch can filter the packets of a particular protocol to allow you to further reduce network traffic. Layer 3 switches perform the same tasks as routers and can be deployed in the same locations that a router would traditionally be used. Yet the Layer 3 switch overcomes the performance disadvantage of routers, layering routing on top of switching technology. The Layer 3 switch, manufactured by such companies as Cisco (one of the most well-known makers of traditional routers), is quickly becoming the solution of choice for enterprise network connectivity.

How and Why Gateways Are Used Gateways are usually not implemented as “devices,” but rather as software programs running on servers. However, because they are also used to connect disparate networks, we will touch briefly on what they are, and why you might implement them in your network. Gateways normally operate at higher levels of the OSI model—typically at the Application layer—and can be used to connect two networks using entirely different protocols. For instance, an SNA (System Network Architecture) gateway will allow personal computers running Windows operating systems to communicate with an IBM mainframe computer, even though the two systems are truly “alien” to one another. Another type of gateway is used to allow Windows NT or 2000 machines, which use the SMB file-sharing protocol, to “talk” to a file server that runs the NetWare NOS and uses NCP, the Netware Core Protocol. There are many other different types of gateways, such as e-mail gateways that translate between different e-mail protocols.

WARNING Don’t confuse these application gateways with the use of the term default gateway, which identifies the IP address of the router on a network that is connected to an internetwork.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 531

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 531

Troubleshooting Layer 1 and 2 Connectivity Devices Because repeaters and hubs operate at the Physical layer, problems affecting these devices will be physical problems, or hardware problems. This layer is not concerned with high-level protocols like TCP and IP, and problems with these devices will interfere with communications regardless of the network transport protocols being used. However, Physical layer device problems can mimic TCP/IP protocol configuration problems. Always consider the Physical layer when troubleshooting connectivity problems. If the hardware doesn’t work, all the software reconfiguration in the world won’t solve the problem.

Problems with Repeaters and Hubs If you are unable to establish a connection between computers, you need to first verify that TCP/IP is properly installed (by pinging the loopback address as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000”), check the configuration and operability of the NIC (as discussed earlier in this chapter), and confirm that there are no shorts, breaks, or other problems with the cable (also discussed in a preceding section of this chapter). If you still are unable to connect, look at your connectivity devices such as repeaters and hubs: ■ ■

■

Ensure that the device has power. Ensure that the computers’ NICs are communicating with the device (by checking status lights). Ensure that devices are installed in accordance with the IEEE specifications for the particular network architecture.

The last includes compliance with any distance limitations for the media being used and, for coax networks, the restrictions imposed by the 5-4-3 Rule.

The 5-4-3 Rule This rule states that on a 10Base2 or 10Base5 network (using coax cable and a bus configuration), you should have no more than five segments, connected by no more than four repeaters, and that only three of those segments should be populated. A populated node is one that has nodes (computers or other network devices) attached to it.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 532

532 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

NOTE In this context, a network “segment” is the length of the cable between repeaters.

Passive, Active, and Intelligent Hubs Troubleshooting the hubs that connect a 10BaseT network will depend in part on the type of hub being used.

Problems with Passive Hubs Passive hubs are simply connection points and give you few clues as to whether they are operating correctly. Fortunately, because it is a simple, nonpowered device, not much can go wrong with a passive hub. The pins and wiring inside the hub or a damaged female RJ-45 jack could create connection problems. This can be prevented by ensuring that the hubs are handled properly, since most such damage is caused by human mistreatment.

Problems with Active Hubs An active hub (multiport repeater) does give you a few clues to help you in troubleshooting connectivity problems. The pretty flashing lights that indicate network communication (or collisions) on each port are a starting point. By observing the status lights, you can ascertain if one port is “dead,” indicating either a problem with the jack or cable at that port, or a problem originating with the computer attached to it.

Problems with “Intelligent” Hubs The intelligent or “smart” hub (also called a managed hub) is a bit more helpful. This type of hub runs software with which you can communicate with the hub from a terminal or across the network. In this case, the software program will provide information about port status, and in some cases will run diagnostic applications to assist you in troubleshooting connectivity problems.

Problems with Bridges Bridges are useful devices for segmenting a network and controlling the amount of traffic. However, bridges introduce an extra layer of complexity and thus the potential for several different types of problems.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 533

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 533

Performance Problems The primary reason for using a bridge to divide your network is to increase network performance. However, it is possible that bridging can have the opposite effect if it is not implemented correctly.

Bridge Latency You will find that bridging the network, while cutting down on overall traffic, will also slightly increase latency for those communications that must cross the bridge. This term refers to delays in transmission of the data in route to the destination computer. The reason for this is the way in which the bridge decides whether to forward traffic across the bridge; it must first analyze the header information in the data frame to find out the destination computer’s MAC address, and then it must look up that address in its routing table. This takes some time, although in most cases the performance hit will not be significant, and will be offset by the overall reduction in network traffic. By adhering to accepted guidelines, you prevent noticeable performance degradation.

The 80/20 Rule One popular networking guideline pertaining to the use of bridges states that 80 percent of network traffic should be “local” (same side of the bridge), and no more than 20 percent should cross the bridge. For best performance, ensure that those computers that communicate with one another most often are on the same side of the bridge. Frequently accessed file or print servers should be placed on the same side of the bridge as those clients that use them most often. Before implementing a bridging solution, carefully analyze the normal flow of network traffic and try to group nodes so that most communication, and especially transfer of large amounts of data, takes place without the need to cross the bridge.

Bridge Looping Bridge looping can occur when there is more than one active bridge on a network. In a bridge loop, when the bridges don’t know the location of a destination computer, they send the data frame across the bridge. This results in multiple copies of the same data frame on the network, causing unnecessary congestion—but it’s worse than that. As each bridge detects the frame sent by the other bridge, it passes the frame back across to the other side. The frames coming from the other bridge cause each bridge to make incorrect entries in its routing table for the destination computer, and this in turn prevents the destina-

91_tcpip_10.qx

2/25/00

11:15 AM

Page 534

534 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

tion computer from receiving data intermittently. The problem is intermittent because the bridges keep resetting the entries in the routing table based on where the data frames are coming from. This can go on forever in an endless loop, hence the name “bridge looping.” See Figure 10.7 for an example of how this can happen. Figure 10.7 When two bridges are connected in parallel, bridging loops can form.

A

B

Hub 1 C

D Bridge 1

E

G

Bridge 2

Hub 2

F

H

In the scenario shown, if Computer B sends a message to Computer A, both bridges would detect the data frame. Neither bridge knows where Computer A is located, so both bridges would transmit the frame to the other segment. They would put an entry in the routing tables identifying Computer B as being off the left-side port. Two copies of the data frame have now been transmitted onto the right-side bridge port. Now each bridge will also detect the copy of the data frame sent by the other bridge on the right-side port. They see the source address and think this is Computer B sending Computer A another frame. They will now pass the frame back to the left-side port. Assuming Computer B is now on the right-side port, they change the table to reflect that status.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 535

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 535

This can go on forever, with both bridges detecting each other’s transmitted frames and passing them across, then changing Computer B’s status in the table from the right- to the left-side port over and over again. When the table is incorrectly set, Computer B will not be able to receive any data. When the table changes again and Computer B is identified as being on the correct bridge port, it will be able to receive data, but only until the tables are changed once more. The problem here is that a bridge looks at the source and destination addresses, but cannot identify duplicate frames. This does not mean that you can’t have two bridges on a network. In fact, redundancy is a good idea, in case one bridge “dies.” So how do you prevent the looping behavior?

The Spanning Tree Algorithm One solution to the problem of bridging loops is the Spanning Tree Protocol. If your bridge supports and is configured to use this protocol, it will be able to communicate with other bridges on the network. The two bridges will then work cooperatively, with one functioning in active mode and the other on standby unless or until it detects a failure of the first bridge. At that point, the second bridge will take over passing data frames. With only a single pathway available at any given time, there is no possibility of a loop.

For IT Professionals

Transparent Bridges and the Spanning Tree Protocol A transparent bridge is generally used on Ethernet networks. Another type of bridge, called the Source Route bridge, is used with Token Ring. The bridge is called “transparent” because the bridge is not visible to the host computers on the network. At the Network layer of the OSI model, IP does not “see” the bridge, and for its purposes, all the networks that are connected by a bridge might as well be physically connected. This type of bridge basically configures itself, constructing its routing table after it automatically initializes. It makes routing decisions based on the information in its routing table. This works fine with a simple network using only one bridge. It gets more complicated if you add bridges to the network. Continued

91_tcpip_10.qx

2/25/00

11:15 AM

Page 536

536 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Multiple bridges on the network normally are unaware of one another’s presence. They operate as separate entities. When there are multiple bridges, redundant paths to a destination exist, and this is what causes looping behavior to occur. The solution defined by IEEE 802.1D is the “Spanning Tree Algorithm.” The objective of the Spanning Tree Algorithm (or Spanning Tree Protocol) is to find these redundant paths and eliminate them. Here’s how it works: One of the bridges on the network is designated as the Root (don’t confuse this with the root account, which is the master administrative account on a UNIX system). The bridge with the lowest bridge ID is selected as the root. If there is duplication in bridge IDs, the bridge with the lowest MAC address will be chosen. On all other bridges on the network, the port with the lowest cost path to the Root bridge will be designated as that bridge’s root port. This port will be used to communicate with the Root bridge. This Root bridge will send a message at regular intervals, which is called a Bridge Protocol Data Unit (BPDU). All of the bridges attached to the Root will receive the message and pass it on, until it reaches the segments of the network that have no more bridges. This creates the “spanning tree.” A designated bridge and port is selected for each LAN. Obviously, if there is only one bridge connected to a LAN, it must be the designated bridge for that LAN. If there is more than one, the bridge with the lowest cost path to the Root bridge will be designated. Now, each port on each bridge will have one of the following as its status: 1. It is the Root port, 2. It is the designated port for one of the LANs, or 3. It is blocked. When you power up the bridge, it will assume it is the Root bridge and will send a configuration BPDU. This message includes the bridge ID. When a bridge receives a configuration BPDU that has a lower bridge ID than the ID of the bridge it assumes is Root, it updates its tables. In this way, the bridges will identify the Root bridge and create the spanning tree.

Network Monitoring Problems Bridges can interfere with your ability to effectively use network monitoring and protocol analysis tools, because the bridge isolates traffic that is

91_tcpip_10.qx

2/25/00

11:15 AM

Page 537

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 537

“local” to one side of the network. This can prevent you from seeing the entire network, because you will typically only be able to monitor the traffic on the side of the bridge on which the monitoring device or software is located. This means you may have to put a protocol analyzer on each side of the bridge in order to monitor all the traffic on the network, unless the bridge incorporates a special port to allow monitoring of both sides.

Selecting a Connectivity Device Because the network connectivity devices perform similar but different functions, it is sometimes difficult to know which is the best choice in a given situation. Table 10.3 will help you in the decision-making process. Table 10.3 Comparison of Connectivity Device Features Repeater

Hub

Bridge

Switch (Layer 2) Router

Use to lengthen the overall distance spanned by the network media.

Use to connect computers in a LAN using UTP cable. Choose an active hub, or multiport repeater, to boost the signal.

Use to reduce network traffic by segmenting the network into two sides, so that data intended for a computer on the same side does not go to those on the other side. Forwards broadcast traffic.

Use to reduce network traffic by creating a two-node collision domain, so that data is only sent out the port attached to the destination computer.

Use to reduce network traffic by separating the network into subnets and isolating broadcast traffic to each individual subnet instead of sending it to the entire network.

Boosts signal and passes it on; doesn't distinguish between types of traffic (data vs. noise).

Sends signal Recognizes MAC back out all address, and ports. either sends data across to the other side or contains it on one side based on the address.

Recognizes MAC address, and sends data only to the computer for which it is destined.

Recognizes IP addresses and routes data based on network ID.

Operates at the OSI Data Link layer.

Operates at the OSI Network layer.

Moderately expensive.

Most expensive.

Operates at Operates at the OSI the OSI Physical layer. Physical layer. Least expensive.

Operates at the OSI Data Link layer.

Relatively Relatively inexpensive. inexpensive.

91_tcpip_10.qx

2/25/00

11:15 AM

Page 538

538 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Summary In this chapter, we have taken a brief look at some of the common connectivity problems that can occur at the Network Interface level. This layer of the DoD model maps to OSI’s Physical and Data Link layers, and includes such issues as compatibility, functionality, and configuration of network interface cards (NICs); cable media; IEEE specifications for popular networking architectures; and network connectivity devices. We discussed the role of the NIC in TCP/IP and other network communications, and the importance of having the correct, properly installed, configured and updated device drivers. We then looked at media issues, and how cable type and length can impact connectivity. Then we examined the roles of the different connectivity devices. We learned the differences between a repeater and a hub, and how to distinguish passive, active, and intelligent hubs. We gave special attention to the so-called switching hub, also commonly referred to as a Layer 2 switch. We talked about bridges and how they can be useful in reducing network traffic by segmenting the network into two parts. We provided a brief overview of routing and routers, and how a dedicated routing device or a Windows NT or 2000 computer configured to enable IP forwarding can be used to reduce network traffic by blocking broadcasts and other selected traffic. We then discussed advantages and disadvantages of each of the connectivity devices, and how to determine which is best for your network. In summary, we concluded that: ■

■

■

■

Repeaters are inexpensive and useful for boosting a signal that has degraded due to distance, thus extending the length of the network. Hubs are central connection points for networks that use unshielded twisted-pair cabling, and active hubs function as multiport repeaters, boosting incoming signals before sending them back out over all ports to all attached computers. Intelligent hubs include small processors and run diagnostic software. Repeaters and hubs pass on all network traffic. Layer 2 switches are a type of hub that can read MAC addresses and build a table matching those addresses to ports, allowing the switch to send a data frame out only on the port attached to the computer whose MAC address is shown as the destination in the frame header. Switches pass specifically addressed traffic only to the destination, but send broadcasts out over all ports. Bridges are used to segment a network into two parts, using the MAC address in a data frame to determine whether to pass the

91_tcpip_10.qx

2/25/00

11:15 AM

Page 539

Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 539

■

■

frame across the bridge to the rest of the network. Bridges pass on broadcast traffic. Routers use the IP address to determine what network (or subnet) the destination computer is on, and then route the data to that subnet by the most efficient path. Routers can use dynamic routing protocols that allow them to communicate with each other and learn the routes to distant networks from one another. Brouters combine the functions of bridges and routers into two devices, acting like a bridge when a nonroutable protocol is used for communication, or like a router when a routable protocol such as TCP/IP is used.

We further examined specific problems that can occur with each of the connectivity device types, such as bridge latency, bridging loops, and monitoring limitations caused by segmentation of the network. In the next chapter, we will build on this discussion by going one layer higher, to the Internetwork layer of the DoD model where routing takes place. We will look at some of the problems that can occur in a routed TCP/IP network, how to prevent them or—failing that—how to deal with them.

FAQs Q: How does a bridge improve network performance if it still passes broadcast traffic? A: In an Ethernet network in particular, a bridge can have a significant impact on performance. By dividing the network into two parts (segments), the bridge creates a situation where computers only have to contend or compete with the other machines on the same segment. This way, two NICs on opposite sides of the bridge can actually be transmitting at the same time, without causing a collision. Q: How does a bridge affect the maximum cable length for an Ethernet network? A: The bridge effectively doubles the length limitation by acting as a node on each segment. That is, before the bridge transmits traffic that it is passing over from the other side, it listens to the cable to ensure that it is clear first (as an Ethernet NIC does).

91_tcpip_10.qx

2/25/00

11:15 AM

Page 540

540 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level

Q: Which network connectivity device offers the best performance? A: In general, switches are faster than either bridges or routers. This is because switches direct the data frames across the different network segments in a both a faster and a more efficient way, by using onboard logic and Application-Specific Integrated Circuits (ASICs). Q: What is the difference between segment switching and port switching? A: A segment switch has an entire network connected to each of its ports. This means you can connect more computers with fewer switches (or a switch with fewer ports). This gives you some flexibility, in that you could place just one machine on a port and have a single node segment so that you can give high-use machines such as servers their own dedicated path. The port switch is what we refer to as a switching hub. In this case, there is one machine or device per port. Port switching is more expensive because it requires more switches and/or ports as well as more cable. Both switch types will increase network performance. Q: What is a VLAN? A: A Virtual Local Area Network, or VLAN, involves establishing multiple logical networks on one larger physical network, using a switch to restrict which computers or network segments will have access to which parts of the network. VLANs are used to increase network performance and also to increase security. The data from selected hosts or segments can be filtered out; for instance, you may wish to filter out packets from the busy parts of the network to avoid slowdowns on a particular virtual LAN. Q: What are some reasons to subnet a network with a router? A: Reasons for dividing the network into subnets include 1) diminishing bandwidth as the network grows, 2) performance slowdowns caused by excess broadcast traffic, 3) need for better manageability of the network, and 4) network security. Creating subnetworks will address all of these issues, while still allowing computers on different subnets to communicate with one another by using a routable protocol such as TCP/IP, which can be forwarded from one subnet to another by a router.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 541

Chapter 11

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Solutions in this chapter: ■

Router Problems

■

Router Configuration

■

Windows 2000 as an IP Router

■

ARP / RARP Problems

541

91_tcpip_11.qx

2/25/00

11:17 AM

Page 542

542 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Introduction The Internetwork layer of the DoD model, where the Internet Protocol (IP) operates, could be thought of as the heart of TCP/IP communications. Without it, computers would be unable to “talk” to one another. After all, this is the layer responsible for routing; in other words, for actually getting the data to its destination. Troubleshooting problems at the Internetwork layer actually involves both IP addressing problems, which we discussed in Chapter 8, “Troubleshooting Windows 2000 IP Addressing Problems,” and routing decisions, which we will look at in this chapter. Networks are growing larger and larger, and most networks today are routed networks. A routed network is generally defined as a network that is connected to other networks, or subnets, via a gateway. The gateway is either a dedicated device called a router or a computer running an operating system (such as Windows NT or Windows 2000) that allows it to function as the router/gateway. In Windows 2000 Server, the Routing and Remote Access Service (RRAS) is a full-featured software router and provides an open platform for routing and internetworking. RRAS is fully integrated with the operating system and can be extended with application programming interfaces (APIs) that allow developers to construct customized networking solutions.

NOTE In this chapter, in the context of troubleshooting TCP/IP problems, we will be discussing routing of IP packets. Windows 2000 is also capable of IPX routing.

Distinguishing characteristics of the gateway device or computer are: ■

■

It must be running software that makes it capable of performing IP forwarding. It must have a network interface to more than one network (sides of the gateway). When a computer is acting as a router, it must have multiple network interface cards (NICs), or a NIC and a wide area network (WAN) interface, such as a modem.

IP routing involves discovering a pathway from the sending computer (or forwarding router) to the destination computer whose address is designated in the IP header. In concept, this is not unlike what you would do when planning a trip from your home to a distant location. To navigate a

91_tcpip_11.qx

2/25/00

11:17 AM

Page 543

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 543

course, you would sit down with a map and plot out the best route based on several factors. Distance, simplicity, and congestion might be some things you would consider when deciding which roads to take.

A Routing Example As an example, let’s envision a road trip from Dallas, Texas to a street address in Memphis, Tennessee. You would focus first not on the specific area of Memphis in which the destination address was located; your initial goal is to get to the correct city. Comparing this to network routing, we can understand that the first concern is to get the packet to the proper network (or subnet); we’ll worry about getting it to the specific host later. Thus, if our data is “traveling” from sending computer 192.168.1.32 to destination computer 201.12.115.7, our “navigator” (IP) will look at the network IDs and concern itself with how best to get from the 192.168.1.0 network (Dallas) to the 201.12.115.0 network (Memphis). Unfortunately, no interstate highway goes directly from Dallas to Memphis. However, we can get there by going through Little Rock, Arkansas. We would drive from our home in Dallas to the Dallas gateway, Interstate 30 North. Our routing table tells us this is the road to take to eventually end up in Memphis, even though it doesn’t go there itself. When we reach Little Rock, we find that the interstate highway system comes together there, providing a connection between the “Dallas” network that we reached via I-30 and the “Memphis” network that we can reach via I-40. The I-30 gateway is like a router that is connected to the 192.168.1.0 network (Dallas) and the 214.40.2.0 network (Little Rock). From Little Rock, we travel the second leg of our trip: to Memphis. The router on the 214.40.2.0 network (Little Rock) is also connected to the 201.12.115.0 network (Memphis). See Figure 11.1 for an illustration of this process. Once we reach Memphis, then we become concerned with the specific street address, and once the packet reaches the destination network, then IP becomes concerned with the Host ID to get the packet to the specific computer. This is a simplistic example, but it serves to illustrate how routing works, whether it’s taking place on the nation’s roadways or across the cables and wireless connections of computer networks. In our example, we took the straightest and presumably the fastest path between cities, the interstate highways. However, if we happened to know that Interstate 30 was shut down or heavily congested at some point between Dallas and Little Rock, we might have diverted our course to take Interstate 20 from Dallas to Jackson, Mississippi, and then take

91_tcpip_11.qx

2/25/00

11:17 AM

Page 544

544 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Interstate 55 from Jackson to Memphis. The distance would be longer, but based on the road conditions this could prove to be a more efficient route. Figure 11.1 The trip from Dallas to Memphis involves two “hops.”

Dallas

Memphis

Little Rock

Hop 2

Hop 1

IP routers are also capable of making such assessments and choosing alternate routes. This is made possible by the use of dynamic routing protocols, which we will discuss a little later in the chapter. In routing parlance, each “leg” of our trip (Dallas to Little Rock, Little Rock to Memphis) is called a hop. The hop count is one of the factors that a routing protocol takes into account when calculating the cost of choosing a particular route to the destination. As we go through this chapter, we will look at how the different routing protocols perform all these tasks, what can go wrong along the way, and what we can do about problems when they arise.

IP Routing Overview IP is the Network layer component of the TCP/IP protocol suite. IP handles Network layer addressing and routing of packets, and can be used across any group of physically connected networks in which the computers are running the IP protocol.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 545

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 545

IP routing refers to the forwarding of packets from the source computer to the destination computer by going through routers that support IP routing. The distance traveled from one router to the next is called a hop, and at each router, the destination IP address on the packet is compared to the routing table, and the best route is used to decide the endpoint of the next hop.

Routing Fundamentals Computers on an internetwork send packets to one another in one of two ways: directly (if the source and destination computers are on the same subnet), or indirectly (if the source and destination computers are on different subnets) by forwarding the packets to a router.

Direct Routing The term direct routing is sometimes used to describe the process of routing data to a destination computer that is on the same network (subnet) as the sending computer. When IP reads the network ID portion of the source and destination addresses and determines that they are the same, the packet can be sent directly to the destination address without going through a gateway. No forwarding is necessary. See Figure 11.2 for an example of direct routing. Figure 11.2 Direct routing is used when the source and destination network IDs are the same.

Source address: 192.168.1.2 Destination address: 192.168.1.6 Da

ta

192.168.1.2

Pa

cke

t

192.168.1.5 192.168.1.3

192.168.1.6 192.168.1.4

91_tcpip_11.qx

2/25/00

11:17 AM

Page 546

546 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

When only direct routing is needed (all computers that share a physical connection have the same network ID), the network may be called an unrouted network.

Indirect Routing When we speak of a routed network, we are really talking about indirect routing. Indirect routing occurs when the network ID portion of the IP address is not the same for the source address as in the destination address. Indirect routing involves forwarding of the IP packet from one network (subnet) to another, through a gateway (the router) that has an entry in its routing table telling it how to reach the destination network. We will talk about how routes are added to the routing table later in this chapter. An illustration of indirect routing is shown in Figure 11.3. Figure 11.3 Indirect routing is used when the source and destination network IDs are different. Source address: 192.168.1.4 Destination address: 201.12.121.8

192.168.1.4 Data Packet

192.168.1.1 Router

201.12.121.1

Data Packet Gateway

201.12.121.8

You can see in Figure 11.3 that the network ID portions of the source and destination computers are different. Therefore, the source computer sends the packet to a gateway (in this case, the router that has an

91_tcpip_11.qx

2/25/00

11:17 AM

Page 547

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 547

interface on the source’s network, 192.168.1.1). The packet is then forwarded across the gateway to its second interface (201.12.121.1), which connects to the destination computer’s network. From there, the packet can be directly routed.

The Default Gateway It would be impossible for a computer’s routing table to contain routes to every possible destination. For that reason, a TCP/IP computer that will be connected to an internetwork is set up with a default gateway. This is the IP address to which all “foreign” packets (those whose destination address is located on a network other than the local subnet) should be sent when no specific route to the destination address exists in the routing table. The default gateway is a very important concept in TCP/IP networking because without it, communications are limited to the local subnet. The router that is designated as the subnet’s default gateway will be configured with routing information for how to reach remote networks that are connected to the internetwork. This improves the efficiency of operation, because instead of requiring all computers to maintain extensive routing tables, the default gateway takes on that chore.

Multiple Gateways Windows 2000 allows you to specify multiple default gateways for a network interface when configuring the TCP/IP protocol. However, only one default gateway can be active at a time. The primary gateway is used unless it fails; then the secondary gateway will be used instead.

NOTE If the computer has two NICs, each configured with a different default gateway, the gateway on the first NIC will be used. The gateway for the second NIC will be a backup, used if the first card’s gateway fails.

Proper Configuration of the Gateway A common problem related to the Internetworking layer is improper configuration of the default gateway (or failure to configure a gateway at all). This will result in the inability of the computer to communicate with computers on remote networks. If the computer is able to send data to computers on its own subnet but cannot successfully send to computers whose network IDs are different from its own, suspect a problem either with configuration of the gateway or a failure of the gateway device itself.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 548

548 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Figure 11.4 shows the TCP/IP Properties sheet where the default gateway setting is configured. Figure 11.4 The default gateway is configured in the TCP/IP Properties sheet.

The TCP/IP Properties sheet is accessed by selecting Start | Settings | Network and Dialup Connections, double-clicking the local area connection, and then clicking PROPERTIES. Next, select Internet Protocol (TCP/IP) in the list and click PROPERTIES. The default gateway address must be the IP address of a router or a computer that has IP forwarding enabled to allow it to function as a router.

TIP The IP address entered for the default gateway must be on the same network as the IP address assigned to the NIC. If the network is subnetted, ensure that according to the subnet mask specified, the IP address setting and the default gateway setting are members of the same subnet.

If you do wish to enter additional gateway addresses, you can do so by clicking ADVANCED, which will display the dialog box shown in Figure 11.5.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 549

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 549

Figure 11.5 Setting multiple gateways in the Advanced TCP/IP Settings box.

When you add or edit a gateway’s settings, you can specify a metric, or “cost,” which is a number representing the number of hops it takes to reach the destination. This can be specified for both the gateway and the network interface. The default metric is 1.

Routing Interfaces Typically, a router is connected to two or more networks or subnets. The router, a dedicated device or a computer acting as a router, is said to have an interface to each network to which it is connected. The router’s interface can connect to a LAN or to a WAN. The WAN interface can be a modem, an ISDN terminal adapter, or other WAN media connection device. The LAN interface is a network adapter card. Each interface must have an IP address with a network ID appropriate for the network to which it is connected. The router functions at the Internetwork layer of the DoD networking model (the Network layer of the OSI model).

91_tcpip_11.qx

2/25/00

11:17 AM

Page 550

550 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Routing Tables Each Windows 2000 computer that functions as a router has a routing table, a database that contains the routes designating the location of network IDs on the internetwork. Host computers (nonrouters) can also have routing tables, which they use to decide upon the best route for sending data. Three types of routes can be entered in the routing table: ■

■

■

Network route This is a route to a particular network based on the network ID in the IP address. Host route This entry has information about the route to a specific computer, based on the network and Host IDs in the IP address. Default route This route is used when there is no other route available for the destination IP address.

Understanding the IP routing table is important for troubleshooting Internetwork layer problems on a routed TCP/IP network. The routing table is the basis for routing decisions made by computers using the TCP/IP protocols, and the information in the routing table can be the starting point for diagnosing routing problems.

Viewing the Routing Table Windows 2000 provides two ways to view the table: you can use the command line, or the graphical interface.

Viewing the Table via the Command Line To view the routing table, use the ROUTE PRINT command, as shown in Figure 11.6. You will note that no persistent routes have been defined in the routing table shown in Figure 11.6. A persistent route is one that remains in the table after the computer is rebooted. Normally, the routes you add are not retained when you restart the system.

Viewing the Table via the GUI Windows 2000 provides a more user-friendly way to view the routing table, using the graphical interface of the Microsoft Management Console (MMC). To access the table this way, open the RRAS MMC by selecting Start | Programs | Administrative Tools | Routing and Remote Access. In the console tree in the left pane, under the RRAS server name, expand IP Routing. Then right-click Static Routes and select Show IP Routing Table, as shown in Figure 11.7.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 551

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 551

Figure 11.6 Use the ROUTE PRINT command to view the static routing table.

Figure 11.7 To view the routing table via the graphical interface, use the RRAS MMC.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 552

552 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Selecting this option will display the routing table as shown in Figure 11.8. Figure 11.8 The routing table as displayed in the graphical interface.

You can also view the multicast forwarding table, if you are using multicast, by right-clicking IP Routing | General, and selecting Show Multicast Forwarding Table.

Understanding the Routing Table Table 11.1 summarizes the information that is provided in the Windows 2000 graphical version of the IP routing table. Table 11.1 Information Contained in the Windows 2000 IP Routing Table Column Heading

Description of Information

Destination

This column shows the destination host, subnet address, or network address. It can also show the default route, which is 0.0.0.0.

Network Mask

The network mask is used along with the destination IP address, to determine the route to be used. If the mask is 255.255.255.255, this means that only an exact match of the destination uses this route. A host route will have a mask of 255.255.255.255. A mask of 0.0.0.0 means the route can be used by any destination; no match is required. A mask between these two indicates how much of the destination address must match in order to use the route. For example, if the mask is 255.255.248.0, and the IP address of the destination is 172.16.8.0, the first two octets and the first five bits of the third octet must match.

Gateway

This column shows the IP address of the next router on the route to which the packet should be forwarded. The gateway must be within direct reach of this router. Continued

91_tcpip_11.qx

2/25/00

11:17 AM

Page 553

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 553

Column Heading

Description of Information

Interface

This column shows the name of the interface, such as the Local Area Connection, that is used to reach the next router.

Metric

This number indicates the "cost" of using this route to reach the destination, shown in hop count (number of routers that must be crossed).

Protocol

The last column shows any routing protocol being used (OSPF, RIP, etc.). Local indicates that no routing protocol is being used.

Simple Routing Scenario In the simplest routing scenario, two LANs (subnets) are joined by an IP router. The router has an interface connected to each subnet, configured as a member of that subnet. The computers on each subnet have the router’s “near side” interface set as their default gateway.

NOTE The “near side of the router” refers to the IP address of the interface that is connected to the local subnet. The interface(s) connected to a remote subnet is called the “far side of the router.”

See Figure 11.9 for a graphical illustration of this simple routing setup. Note that in this situation, it is not necessary to use routing protocols. This is because the router is connected to all subnets to which packets will be routed, and there is no need to propagate routing table information.

The Windows 2000 Router Microsoft refers to a computer that is running RRAS and providing local or wide area networking routing services as a Windows 2000 router. Some of the features of the Windows 2000 router include: ■ ■

■

Multiprotocol routing (IP, IPX, and AppleTalk are supported) Support for standard dynamic routing protocols (OSPF and RIP, versions 1 and 2) Packet filtering

91_tcpip_11.qx

2/25/00

11:17 AM

Page 554

554 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level ■ ■ ■

Router advertisement and discovery (via ICMP) Multicast services (IGMP) Unicast routing

Figure 11.9 A simple scenario with a router connecting two subnets.

192.168.1.23

192.168.1.45

192.168.1.71

Network 192.168.1.0 Subnet mask 255.255.255.0 Default gateway 192.168.1.1 Router Interface A 192.168.1.1 Router Router Interface B 201.212.21.1 Network 201.212.21.0 Subnet mask 255.255.255.0 Default gateway 201.212.21.1

201.212.21.4

201.212.21.18

201.212.21.34

NOTE Unicast routing is defined as forwarding packets addressed to a single destination over an internetwork, using routers to connect subnetworks together based on network IDs. Multicast routing refers to communicating multicast information from one router to another. Multicasting involves sending packets to a group of destination addresses.

Multicast routing requires the use of special multicast routing protocols. Although Windows 2000 does not include any built-in multicast routing protocols, it does include APIs that allow vendors to extend the platform to add multicast protocols.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 555

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 555

Routing Protocols Routing comes in two basic “flavors,” static and dynamic. With static IP routing, the routing table must be constructed manually; an administrator must enter the IP addresses defining the routes to remote networks one by one. Using a dynamic routing protocol, the table is configured and maintained automatically, because the dynamic router can communicate with and “learn” from other routers on the network. This saves the administrator a great deal of time. Dynamic routing requires a separate protocol, such as the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

NOTE Static and dynamic routing can coexist; they are not mutually exclusive. It is possible to place a dynamic router in a network that uses static routing, to allow the static network to communicate with a dynamic one. The static router requires manual configuration as usual. The dynamic router will require that some static routes be entered into its routing table, to allow it to communicate with the static router.

Next we will look at how routing works with a static routing table, and then we’ll discuss the popular dynamic routing protocols.

How Static Routing Works To build a static routing table with Windows 2000, you can use the Route command-line utility. (You can also use the GUI). See Figure 11.10 for the available options. As you can see in Figure 11.10, there are several switches and commands that can be used with the Route command to invoke optional behavior. These are summarized in Table 11.2.

NOTE With the PRINT and DELETE commands, you can use a wildcard (represented by an asterisk) for the destination or gateway value.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 556

556 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Figure 11.10 Options available with the Windows 2000 Route command.

Table 11.2 Windows 2000 Route Command Switches and Commands Switch or Command

Action

-f

Clears all gateway entries Can be used with other from the routing table. commands to clear the table before invoking the action of the other command.

-p

Creates a persistent route.

PRINT

Prints the route.

ADD

Adds a route to the table.

DELETE

Removes a route from the table.

CHANGE

Allows you to modify a route that is already in the table.

Comments

Is used with the ADD command. Causes the entry to stay in the table when the computer is restarted.

Continued

91_tcpip_11.qx

2/25/00

11:17 AM

Page 557

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 557

Switch or Command

Action

destination

Identifies the host computer that is the destination address.

MASK

Signals the netmask value as the next entry.

netmask

Identifies the subnet mask.

gateway

Identifies the IP address of the gateway.

interface

Identifies the interface number for the route.

METRIC

Sets the cost for the destination.

Comments

Default is 255.255.255.255.

By default, cost per hop is 1, but this can be modified.

Characteristics of Static Routing Static routing not only requires that you painstakingly set up the routing table, you also must manually enter every change, addition, and deletion that occurs. This reprogramming of the routers each time a change is made can be time-consuming and tedious. Why would anyone ever use static routing? Actually, most networks don’t, but static routing does have a couple of advantages: ■

■

■

Static routing can be implemented with a minimum of equipment. No dedicated routing device is needed; you can set up a multihomed Windows NT or Windows 2000 computer to be a static router. A multihomed computer is one that has two (or more) network interfaces. The initial cost of implementing static routing is less than dynamic routing, because of the cost of routing devices. You have more specific control over routes used in a static routing situation since you enter the routes into the table manually. You can delete or change routes and ensure that packets use the desired route.

These benefits are not enough, however, to make static routing an attractive solution to most network administrators, due to its many disadvantages: ■

There is no real fault tolerance in a static routing environment. If one of the routers becomes unavailable, others cannot detect

91_tcpip_11.qx

2/25/00

11:17 AM

Page 558

558 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

■

■

its absence. Since a static-routed internetwork will generally be a single-path environment (only one path available between any two endpoints), this can result in the inability of some hosts to communicate with others on the network. A great deal of administrative maintenance is required to keep routing tables updated on a static network if new routes need to be added or removed. Static routing is appropriate only for small internetworks (those having from two to 10 networks). Beyond this, administration becomes unmanageable.

The Dynamic Routing Protocols Routers running dynamic routing protocols can automatically build their routing tables and make modifications when the network changes. These changes are propagated throughout the network as the dynamic routers communicate with one another. Windows 2000 includes built-in support for the two most popular dynamic routing protocols, RIP and OSPF.

RIP for IP The Routing Information Protocol (RIP) has been used for many years and works well with small and medium-sized networks, although it does not scale well to large internetworks. RIP is a distance vector protocol (for more information, see the sidebar For IT Professionals in this chapter) with a maximum hop count of 15. For practical purposes, this means that if it takes more than 15 hops to reach another network (subnet), RIP interprets it as “destination unreachable.” RIP’s usefulness is enhanced by the fact that it is a standard implemented by many vendors. RIP is implemented as an Interior Gateway Protocol (IGP) within individual networks that make up the internetwork. EGP, the Exterior Gateway Protocol, is used to provide communications between these individual, autonomous networks.

NOTE RFC 1058 defines standards for the Routing Information Protocol.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 559

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 559

How RIP Propagates Routing Table Information RIP for IP works by sending an announcement message at regular intervals that contains the information in its routing table. Other RIP routers receive this message and add the information to their own tables. In this way, route information spreads throughout the network. RIP routers also use triggered updates to spread their information. An update is triggered by a change in the network, such as the failure of a gateway. When a router detects the failure, it updates its own table and then sends out the new information immediately instead of waiting for the next scheduled update period.

NOTE Version 1 of RIP sends its announcements via broadcast packets. Version 2 can also send announcements via broadcast packets, but can also use multicast packets.

Windows 2000 RIP Features The Windows 2000 router supports the following features designed to avoid some of RIP’s traditional problems, such as routing loops and slow recovery: Split horizon. This is an algorithm used by routers for learning route information that prohibits advertising messages from going back out on the same port to which the information came in, thus preventing routing loops. The “simple split horizon” scheme omits routes learned from one neighboring router in updates that are sent to that neighbor. Poison reverse. This is an algorithm used in conjunction with split horizon, sometimes called “split horizon with poison reverse,” that improves RIP information convergence by advertising all network IDs. Poison reverse is safer than simple split horizon. If two routers on the network have routes pointing at one another, reverse routes are advertised with a metric of 16. This will break the loop immediately because the route will be marked as unreachable due to RIP’s hop count limit. If the reverse routes were not advertised, the erroneous routes would not be eliminated until a timeout occurred.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 560

560 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Triggered updates. Even though split horizon and poison reverse prevent routing loops when only two routers are involved, it is still possible for looping to occur if there are three or more gateways. Triggered update algorithms invoke a rule that says when a gateway changes the metric for a route, it must send update messages almost immediately, even if it is not yet time for the regular update announcement to be sent. This speeds the convergence of information and corrects more complex looping problems.

NOTE In the best of all possible worlds, the network would be frozen in place while the cascade of triggered updates is happening. If this were possible, bad routes would always be removed immediately, and routing loops could never occur. In the real world, however, regular updates may be happening at the same time the triggered updates are being sent. Routers that haven’t received the triggered update will still send out information based on the bad route that no longer exists. The problem occurs when a router has already received the triggered update, then afterward receives a regular update from a router that hasn’t yet received the triggered update. This would reestablish the bad route. The key is making the triggered updates occur quickly enough to prevent this situation.

RIP Listening (Silent RIP) The Windows 2000 router also supports “RIP listening.” You will find this referred to in RFC 1058 as “silent RIP processes.” The RFC defines a silent process as one that normally does not send out any messages, but listens to messages sent by others. Hosts that do not act as gateways themselves, but wish to keep their internal routing tables up to date, can use silent RIP to do so. This service can also be useful in some dial-up network situations, for instance if the computer is operating as a remote access client over a dial-up connection to a corporate network. Before you can use RIP listening in Windows 2000, it must be enabled. You do this by installing the RIP Listener in the Networking Services properties sheet of Add/Remove Windows Components, accessed through the Add/Remove Programs applet in Control Panel. This is done on a TCP/IP host computer; this component will not be available on a server computer that has RRAS installed. See Figure 11.11.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 561

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 561

Figure 11.11 Enabling RIP listening on a TCP/IP host computer.

NOTE Although Windows 2000 RRAS supports both versions 1 and 2 of RIP, RIP listening only “hears” and updates route information sent by routers using RIP, version 1. When Windows 2000 is configured to unicast routing information to neighboring routers, silent hosts will not be able to receive the announcements.

RIP Implementation Both hosts and gateways may implement RIP. The protocol is used to convey information about routes to destinations. A destination can be an individual host, a network, or a special destination that is used to identify a default route. Note that a host that uses RIP is assumed to have interfaces to one or more networks, and is assumed to have a routing table that contains an entry for every destination that is reachable on the network. The metric is the most important piece of information in each entry, because RIP uses that information to determine the “cost” of the route, or to mark a network unreachable because that cost exceeds the maximum hop count of 15.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 562

562 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

NOTE RIP uses the UDP transport protocol to send and receive announcement and update messages on UDP port 520.

Preventing Trouble by Using Multiphased Implementation Microsoft recommends that you deploy a RIP network in stages in order to make troubleshooting easier. Under this strategy, you would first set up basic RIP (version 1) and ensure that it is working properly. Then, add advanced features one at a time, testing each before adding more.

Advantages and Disadvantages of RIP The biggest advantages of RIP are its history as an industry standard (and thus wide support by routing devices) and its relative simplicity to set up. Its disadvantages include: ■

■

■

■

A hop count limitation of 15, which renders any subnet 16 or more hops away as unreachable. Excessive network traffic caused by RIP announcements, especially as the network grows larger. High convergence time, requiring up to several minutes for changes to propagate throughout the network. Possibility of routing loops while the routers are reconfiguring themselves after changes, which can cause data to be lost.

Common RIP Problems Common problems with RIP routing include convergence problems, routing loops, and the “count to infinity” problem. Convergence problems. Because RIP is a distance vector protocol, it announces routing information without synchronization or acknowledgments, which can lead to convergence problems. It takes a certain amount of time for updates to propagate throughout the network. It is possible to modify the announcement algorithms to reduce the convergence time, although this may not work in all situations. Routing loops. Loops occur when a routing table has inaccurate entries. In this case, a path may be created through the network that loops back on itself. For example, if the routing table on

91_tcpip_11.qx

2/25/00

11:17 AM

Page 563

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 563

Router A says the best route to Network 3 is via Router B, and the routing table on Router B says the best route to Network 3 is via Router C, and the routing table on Router C says the best route to Network 3 is via Router A, you have a routing loop. Count-to-infinity. The “count-to-infinity” problem results from the lack of synchronized convergence. RIP routers add new routes to the tables based on routes advertised by other routers. When they do this, they retain only the lowest-cost route. A low-cost route is normally not updated with a higher-cost one. If a router goes down, unless every other router knows that it is down, count-toinfinity can occur. If a network becomes inaccessible, all the immediately neighboring routers will time out and set the metric to that network to 16 (which is considered “infinity”). All the other routers in the system will converge to new routes that go through one of those routers with a direct but unavailable connection. When convergence takes place, all the routers will have metrics of 16 for the vanished network. Since 16 indicates infinity, all routers then regard the network as unreachable. Rogue RIP routers. When using Windows 2000 RIP, version 1, be aware that there is no protection provided from “rogue” RIP routers. This means that regardless of the source of the RIPv1 announcement, it will be processed. This allows for the RIP routers to be overwhelmed with false or inaccurate routes by someone who wishes to disrupt the network communications.

NOTE RIPv2 supports password authentication so the origin of RIP announcements can be confirmed.

OSPF To overcome some of the limitations imposed by RIP, Windows 2000 offers another choice of dynamic routing protocols: Open Shortest Path First (OSPF). OSPF was designed to handle the types of networks that RIP doesn’t handle well: large, complex internetworks.

NOTE OSPF standards are defined in RFCs 1247 and 1583 (OSPF, version 2).

91_tcpip_11.qx

2/25/00

11:17 AM

Page 564

564 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

OSPF is efficient; it does not require much overhead. This is especially important in the large internetwork environments for which it is designed. Further, OSPF’s Shortest Path First (SPF) algorithm is not vulnerable to routing loops that can plague RIP routes. SPF calculates the shortest path between the router and remote networks by creating and maintaining a map of the internetwork. The map is called a link state database, and OSPF is referred to as a link state protocol.

For IT Professionals

Distance Vector versus Link State Algorithms One of the significant ways in which RIP and OSPF differ is in the algorithms used to calculate routing decisions. RIP is a distance vector protocol, while OSPF is a link state protocol. Distance Vector Algorithms Distance vector algorithms are also called Bellman-Ford or FordFulkerson algorithms. The latter authors were the first to document the distance vector algorithm class, which is based on “Bellman’s equation” that forms the foundation of dynamic programming. The distance vector algorithms are a long-standing standard, used for network routing calculations in global networking’s infancy in the 1960s, in the ARPANET that was the predecessor of today’s Internet. The distance vector algorithms allow gateways (routers) to share and exchange routing table information. This provides a huge benefit over static routing, which require tables to be constructed and maintained manually. RIP descended from the Xerox networking protocols, and the name “Routing Information Protocol” was first used in conjunction with XNS. Another variation is “Berkeley’s Routed.” Distance vector algorithms, although a vast improvement over static routing, suffer from several limitations. The maximum path length is 15 hops, and they are vulnerable to routing loops, caused by a behavior called “count to infinity.” RIP and the other distance vector protocols were designed for use in moderately sized networks, not for an internetwork as vast as the Internet. That’s why they are implemented as Interior Gateway Protocols. Continued

91_tcpip_11.qx

2/25/00

11:17 AM

Page 565

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 565

This brings us to the need for another type of routing protocol that can better handle routing over enormous, disparate networks. Link State Algorithms The link state protocol used by OSPF maps the network and updates the mapping database (called the link state database) whenever any changes are made to the network. Link state protocols are also referred to as Shortest Path First (SPF) or distributed database protocols. The first link state protocol was designed for use in the ARPANET. Later, modifications were made to reduce traffic overhead and add fault tolerance. A link state routing protocol builds a consistent view of the network by mapping the network topology. Each router broadcasts (or multicasts) data about the cost of the path to each of its neighboring routers. This information is disseminated to all nodes on the network. Link state protocols are more efficient but more complex than distance vector protocols. As the link state database grows, memory and processor requirements and the time required to calculate routes increase. In order to address this problem with link state protocols, OSPF divides the internetwork into areas (these are groups of contiguous networks) that are connected to each other through a backbone area. Each router then keeps a link state database only for those areas that are connected to the router. Link state protocols use TCP directed packets to communicate with other routers directly in an area, thus reducing broadcast traffic on the network. With link state protocols, convergence occurs as soon as the databases are updated, avoiding the slow convergence problems of distance vector algorithms. Link state routing protocols also allow for security of the record update messages. The database update packets are transmitted in a secure manner and protected by a checksum. Link state records are also protected by timers that remove them from the database if a refresh packet doesn’t arrive within the timeout specified. For even more security, the messages can be passwordauthenticated.

In an OSPF network, the database is synchronized between the OSPF routers, which use it to calculate routes in the routing table. OSPF supports load balancing and multipath routing, and can be used with both broadcast networks (such as Ethernet) or nonbroadcast

91_tcpip_11.qx

2/25/00

11:17 AM

Page 566

566 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

networks (such as ATM or X.25). OSPF has different protocols for broadcast and multicast network types.

NOTE OSPF uses the Dijkstra algorithm, which comes from the branch of mathematics known as graph theory, to calculate the lowest-cost path to a destination from a given source.

OSPF on a Broadcast Network On a broadcast network, OSPF uses a packet called a Hello protocol message, which is a broadcast message by which routers locate one another. A router is selected to be the Designated Router (DR), and all the other routers exchange routing information with the DR. Then, the DR updates neighboring routers. The DR is elected by an exchange of Hello packets. Each packet includes the current DR, the sending router’s router ID, and its router priority (which can be set during configuration of OSPF). The router with the highest priority is selected to be the DR. If more than one router has the same priority, the one that has the highest router ID will become the DR. A backup DR is also elected for multiaccess networks, so if the DR becomes unavailable, connectivity will not be lost.

WARNING Configuring an OSPF router with a priority of 0 means it cannot become a DR. There must be at least one router on the multiaccess network that has a priority of 1 or above. Otherwise, no router can become DR and the link state database cannot be synchronized, resulting in no traffic being passed across that network.

OSPF on a Nonbroadcast Network On a network using a nonbroadcast architecture, such as ATM, OSPF has to be initially configured manually with the addresses of neighboring routers. A DR is also used, but rather than sending the routing information via broadcast or multicast, it is sent point to point, between the DR and the other routers. This means a greater number of virtual

91_tcpip_11.qx

2/25/00

11:17 AM

Page 567

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 567

connections are required for complete connectivity, making it more complex and more resource-intensive than a broadcast network implementation.

OSPF on a Point-to-Point Network OSPF can also be used on a dedicated point-to-point network such as T-1 leased lines, connecting only two routers. IP multicast addresses are used for the OSPF messages.

OSPF’s Hierarchical Routing Structure The routing tables used by a distance vector protocol like RIP have a flat structure, and every RIP router on the internetwork must contain an entry for every network. The networks are not divided into areas or groups; all are seen as individual entities—thus the “flat” description. Link state protocols like OSPF create a hierarchical structure by dividing the internetwork into areas. Every OSPF router belongs to an area, identified by a 32-bit number, expressed in dotted decimal called the area number. This greatly reduces the size of the routing table for each router, since it only has to keep entries for its area.

NOTE Although the area address is in the same format as an IP address, it is an entirely different number, assigned by the administrator. It has no relationship to the network ID, although if the networks in an area are all in one subnetted network ID, you could, for convenience, use the network ID as the Area ID. Windows 2000 allows you to configure up to 16 areas for an interface.

There is also a backbone area designated as area 0.0.0.0. The router that connects an area to the backbone area is called an Area Border Router (ABR). This router is a member of its area and contains routing information for that area, but also is a member of area 0.0.0.0 and can route between the two areas. See Figure 11.12 for an illustration of this. The ABR has a separate link state database for each area to which it belongs, and SPF calculations are performed independently for each area.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 568

568 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Figure 11.12 The hierarchical structure of OSPF routing architecture. Router

Router

Router

Area 0.0..0.1 Router

Router Area 0.0.1.0

ABR

ABR

Router

ABR

Router

Area 0.0.0.0 (The backbone area)

Router

ABR Area 0.0.1.1

Router

Router

Area 0.1.0.0 Router

Router

OSPF Areas An area can consist of one or more networks or subnets. The advantage of splitting the internetwork into areas is that you reduce the bandwidth used for routing so that it is proportionate to the size of the area rather than the size of the internetwork as a whole. ABRs can summarize the routes within their areas. Route summarization means that each ABR communicates a single route for its area to the backbone router. Thus, the Area 0.0.0.0 routing table contains only the number of routes that correspond to the number of areas, rather than all routes for each area. In Figure 11.12, Area 0.0.0.0’s database would be required to contain only four routes, regardless of how many routers and routes exist within each of the four areas. Route summarization also decreases recalculations of routes. Whenever a network is added or removed, each OSPF router must recalculate the database. By using areas, if a new network is added to Area 0.0.1.1, the routers in other areas will not be required to recalculate since the summarized route is still valid.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 569

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 569

OSPF Router Classifications OSPF routers on the internetwork are designed as one of the following: ■

■ ■ ■

ABR Area Border Router (routes between the area to which it belongs and the backbone area). IR Internal Router (routes within its area). BR Backbone Router (Area 0.0.0.0 router). ASBR Autonomous System Border Router (used on global internetworks, such as the Internet, to add another layer of the hierarchy. An Autonomous System, or AS, represents an entire enterprise network within the global internetwork).

NOTE AS numbers are allocated by the Internet Assigned Numbers Authority (IANA), as they must be globally-unique.

OSPF uses 32-bit router identification numbers (router IDs) rather than the routers’ IP addresses to keep track of individual routers on the internetwork. This is because each router will have more than one IP address.

TIP The administrator assigns the router ID. It is common practice, although in no way required, to use the router’s lowest IP address for its router ID.

The Protocols Used by OSPF The following protocols are used within OSPF: Common header protocol. The common header used for OSPF messages includes the version number, type, packet length, the router ID, Area ID, a checksum, and an authentication field (messages can be sent with password authentication or no authentication). Hello protocol. The Hello protocol is used on broadcast networks to discover the identities and routes of neighboring routers.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 570

570 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Exchange protocol. The Exchange protocol uses database description packets in a master-slave relationship. The master sends the database description packets, and the slave sends an acknowledgment. Flooding protocol. The Flooding protocol is used when a link changes state, as when the link between two routers goes down. The router that is responsible for the changed link issues the new link state information, and the updated information is sent in regular intervals until an acknowledgment is received. Aging Link State Records protocol. The Aging Link State Records protocol is used to remove old, outdated records from the database. When the record is originally issued, its age is set as 0. It is incremented by 1 every second and on each hop, and when its age matches the designated maximum, the router removes it and informs neighboring routers of the change.

Advantages of OSPF Despite the fact that it is much more complex and requires more technical expertise to implement properly, OSPF has many advantages over RIP and other distance vector protocols: ■ ■ ■ ■ ■ ■ ■ ■

More efficient calculation of routes Faster convergence Support for load balancing Low bandwidth utilization No routing loops or count-to-infinity problems Hierarchical structure isolates instability within an area More scalability, appropriate for larger networks Secure password authenticated transmission of update messages

Windows 2000 as an IP Router A Windows 2000 multihomed host computer is configured as an IP router to provide packet forwarding for other TCP/IP computers by enabling the RRAS service and setting up a routed IP network. This can be a static routed network, a RIP for IP routed internetwork, or an OSPF routed internetwork. For more information about installing RRAS, see Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The Windows 2000 router supports both RIP (versions 1 and 2) and OSPF dynamic routing protocols.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 571

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 571

Installing Routing Protocols The Windows 2000 router supports dynamic routing, using RIP or OSPF. To install the RIP or OSPF protocol, open the RRAS management console. In the left console pane, expand the name of the RRAS server, expand IP Routing, and right-click General. Select New Routing Protocol, as shown in Figure 11.13. Figure 11.13 Adding a dynamic routing protocol to the Windows 2000 router.

You will be given a choice to select either RIP or OSPF. Make the appropriate choice, and the protocol will be added. You can now configure it by right-clicking on its name, which will show up in the left console pane under IP Routing.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 572

572 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Windows 2000 Router Management Tools Windows 2000 provides built-in router management tools for the administration of the static, RIP, or OSPF router. A Windows 2000 router can be administered locally or remotely from another Windows 2000 computer running RRAS.

Remote Router Administration Windows 2000 allows you to administer a remote Windows 2000 router via the RRAS management console. To do so, open the RRAS MMC, and in the left pane of the console tree, right-click Server Status, then Add Server. A dialog box as shown in Figure 11.14 will appear. Figure 11.14 Use the Add Server dialog box to select the computer(s) to administer remotely.

As you can see, you can select “The following computer:” and type in the name of the Windows 2000 router computer, you can select to administer all RRAS computers in a designated domain, or you can browse the Active Directory to find the computer to be administered. If you choose to browse the Directory, you will see a dialog box like the one displayed in Figure 11.15. If you elect to administer all RRAS servers in the domain, the names of all Windows 2000 computers in the domain running RRAS will be displayed in the left console of the MMC, as shown in Figure 11.16. You may notice in Figure 11.16 that there are three Windows 2000 computers running RRAS in the tacteam domain. One of them, DS2000, is marked with a red and white “X” to indicate that this computer is not a router or RRAS server and cannot be administered remotely (DS2000 is a Windows 2000 Professional workstation).

91_tcpip_11.qx

2/25/00

11:17 AM

Page 573

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 573

Figure 11.15 You can browse the Directory to find Windows 2000 routers or RAS servers.

You can now add new interfaces and routing protocols, and manage the routing components on the remote Windows 2000 router computer just as you could locally. Figure 11.16 Windows 2000 RRAS computers that can be remotely administered are displayed.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 574

574 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Using ICMP Router Discovery You can use the Internet Control Message Protocol (ICMP), a TCP/IP utility, to configure IP host computers with the IP addresses of local routers (and establish a method for the hosts to detect that a router is down). To do so, implement router solicitation and advertisement.

NOTE ICMP router discovery messages are discussed in RFC 1256.

Here’s how it works: 1. Host computers send router solicitation messages to discover the routers on their networks. 2. Routers send router advertisement messages in response to the solicitations. The routers also send advertisements on a regular basis (unsolicited) to inform the host computers that the routers are still up and available. To enable ICMP router discovery, open the RRAS console, and in the left pane of the console tree, under the Windows 2000 router on which you wish to enable discovery messages, click General under IP Routing. In the right console pane, right-click the name of the router interface you wish to enable for ICMP, then click Properties. Select the General tab, as shown in Figure 11.17, and check the “Enable router discovery advertisements” check box. Here, you can set the lifetime of the advertisement (the time after which a router will be considered to be down or unavailable) in minutes. You can also set the minimum and maximum rates for sending of ICMP advertisements by the router. “Level of preference” refers to the level of preference for this Windows 2000 router to be the default gateway for host computers on the network.

Using the Netshell Utility (NETSH) NETSH is a command-line utility included with Windows 2000, with which you can configure routes, interfaces, and routing protocols on Windows 2000 RRAS routers. The NETSH utility will allow you to display the configuration of routers that are running on Windows 2000 RRAS computers, and supports scripting so that you can run commands as batch files for a particular router.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 575

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 575

Figure 11.17 Enabling router discovery advertisement messages.

NETSH is used for management of other services, such as DHCP and WINS. To change the NETSH context to routing, use the routing command within NETSH, as shown in Figure 11.18. Figure 11.18 Use the NETSH command to display routing information.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 576

576 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Table 11.3 lists some of the commands available in the IP routing context. Table 11.3 Netshell IP Routing Commands Command

Description

add

Adds a configuration entry to a table

delete

Deletes a configuration entry from a table

dump

Dumps a configuration script

igmp

Changes to 'routing ip igmp' context

nat

Changes to 'routing ip nat' context

ospf

Changes to 'routing ip ospf' context

relay

Changes to 'routing ip relay' context

reset

Resets IP routing to clean state

rip

Changes to 'routing ip rip' context

routerdiscovery

Changes to 'routing ip routerdiscovery' context

set

Sets configuration information

show

Displays information

Update

Updates autostatic routes on an interface

?

Displays help

Standard TCP/IP tools, such as PING, TRACERT, and PATHPING, are the common starting point for troubleshooting an IP routing problem. See Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on how to use these command-line utilities.

Router Configuration Proper configuration of the router(s) will prevent many problems. Configuring Windows 2000 as an IP router, for either static routing or using RIP or OSPF, is a relatively painless procedure, but it is important that you follow the steps exactly and don’t change settings unless you know what effect it will have.

Preconfiguration Check List Remember that before installing and configuring IP routing, you must ensure that the following have been done:

91_tcpip_11.qx

2/25/00

11:17 AM

Page 577

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 577 ■

■ ■

■

■

Install the proper hardware (the Windows 2000 computer acting as a router must have two network interfaces) and the drivers for the hardware. Check the Windows 2000 HCL to ensure compatibility of the hardware. TCP/IP must, of course, be installed and configured. The RRAS service must also be enabled and configured (see Chapter 9 for more information on proper installation of RRAS). Determine whether you will set up the Windows 2000 router for static or dynamic routing. Determine which routing protocols will be used on the network.

Configuring Windows 2000 Static IP Routing Deployment of static routing on a Windows 2000 router is relatively simple. You should first analyze the internetwork topology, to determine where each network is and where routers and TCP/IP host computers are located on the networks. Then, a unique network ID is assigned to each IP network, and IP addresses are assigned to each router interface.

TIP Common practice is to give the lowest IP addresses for the network ID to the routers. Thus, for network 192.168.1.0 (a class C network defined by a subnet mask of 255.255.255.0), the router (default gateway) address that would be assigned is 192.168.1.1. This is not required, but is an industry tradition.

Default routes can be configured on peripheral routers, although this is not required. A default route is used for sending packets to a destination for which there is no route available in the routing table. Nonperipheral routers (internal routers) should have routes to remote networks added to their routing tables as static routes. Each route should include the following: ■ ■ ■ ■

■

Destination network ID Subnet mask Gateway address Metric (number of hops required to get to the destination network) Interface that is to be used to send data to the destination network

91_tcpip_11.qx

2/25/00

11:17 AM

Page 578

578 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

These static routes should be entered in the routing tables of each nonperipheral router.

TIP Routes are added using the command-line ROUTE utility. To make a route persistent across system reboots, use the –p option.

Troubleshooting Static Routing Configuration If the router is not forwarding data properly in a static routing environment, you should do the following: 1. First, confirm that IP routing is enabled on the Windows 2000 router, by checking the RRAS management console. 2. Use IPCONFIG at the command line to ensure that the TCP/IP configuration for the interface is correct. Use standard TCP/IP tools such as PING to verify connection to hosts on the network segment. 3. Ensure that the default route is configured correctly. The default route is used for sending packets to destinations that are unknown to the router. Be sure that the route set as the gateway for the route is reachable and is on the same network as the interface.

NOTE Routers should be configured to use a static IP address, instead of getting an IP address via DHCP.

Configuring RIP for IP Remember that RIP is most appropriately used for medium-sized internetworks (those consisting of 10 to 50 networks). RIP can be used with multipath networks, where there is more than one pathway a packet could take between two endpoints on the network. RIP will also work in an environment where the network topology changes, and networks are added and removed.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 579

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 579

In designing the RIP network, keep in mind the maximum hop count limitation of 15. This limits the number of routers through which a packet must go to reach any destination from any source, for practical purposes, to 14 (called the maximum physical router diameter). As in deploying static routing, you should first analyze the internetwork, assign network IDs, and assign IP addresses, following the same basic rules discussed earlier. Then, decide whether to use RIPv1 or RIPv2 on each Windows 2000 computer functioning as a router. Add the appropriate RIP protocol to each Windows 2000 router interface, as shown in Figure 11.19. Figure 11.19 Adding the RIP protocol to a router interface.

Once the protocol has been added, right-click the Interface name in the right console pane of the MMC, and select Properties to configure it (see Figure 11.20). To configure RIPv2, do the following: 1. In Outgoing Packet Protocol on the General tab of the Properties sheet: a) select RIPv2 broadcast if there are version 1 RIP

91_tcpip_11.qx

2/25/00

11:17 AM

Page 580

580 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

routers on this network, or b) select RIPv2 multicast if all RIP routers on the network are version 2 routers. 2. In Incoming Packet Protocol, select RIP, version 1 and 2 if it is a mixed RIP environment, and RIP, version 2 only if there are only RIPv2 routers on this network. Figure 11.20 RIP Properties dialog box.

Troubleshooting RIP Configuration Some of the more common RIP configuration problems include incorrect routes in the mixed RIP (version 1 and 2) environment, silent hosts not getting route updates, auto-static updates not working properly, and host routes and/or default routes not being propagated to other routers.

Problems with Mixed RIP Versions When a network includes some routers running RIPv1 and others running RIPv2, the version 2 routers must be configured to send broadcasts if you want the version 1 routers to receive their announcements. If you have this problem, ensure that your RIPv2 router interfaces are all set to broadcast their announcements, not multicast.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 581

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 581

Problems with Silent Hosts RIP listeners (silent hosts) cannot receive multicast announcements. If you have silent RIP hosts that fail to receive announcements, confirm that the silent hosts are using RIPv1 and that the RIPv2 routers on the network are set to send broadcast, not multicast, announcements.

Problems with Autostatic Updates If you have demand-dial routing interfaces using auto-static updates (see Chapter 9 for more information about RRAS demand dial), the demanddial interfaces need to be set to broadcast announcement messages instead of multicasting. Autostatic updates are used with demand-dial routing over a remote access link. The “auto” in the term refers to the automatic adding of the requested routes as static routes in the routing table upon an explicit request via RRAS or the NETSH utility. The demand-dial link must be connected. If an autostatic request is made, existing autostatic routes that are in the table are deleted. Then, the update is requested from other routers. This can lead to problems: If other routers don’t response to the update request, the router cannot replace the routes it has deleted. This could cause loss of connectivity to remote networks.

Problems with Propagation of Host and Default Routes RIP does not propagate host and default routes by default. You must specifically enable propagation, which can be done by right-clicking the Interface name in the right console pane of the RRAS MMC, selecting Properties, and then selecting Advanced. See Figure 11.21. The RIP Properties box is also used to set Security on the update announcement messages and to specify RIP neighbors and determine the router’s behavior in regard to those neighbors.

Configuring OSPF The OSPF dynamic routing protocol is installed similarly to RIP, via the New Protocol selection, when you right-click the General tab under IP Routing in the RRAS management console. Once the protocol is enabled, configure it by following these steps: 1. Click on OSPF in the left pane console tree. 2. In the right pane, right-click the interface you want to configure, and choose Properties.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 582

582 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Figure 11.21 Setting RIP to propagate host and default routes in the Advanced Properties box.

3. Select the “Enable OSPF for this address” check box on the General tab. Where it says Area ID, click the ID of the area to which this interface belongs. 4. Set the priority of the router over the interface in “Router priority.” 5. Use the scroll arrows to set the cost of sending a packet over the interface under Cost. 6. Type in a password, if password protection is enabled for that area. 7. Select the OSPF interface type under Network type.

TIP If this interface has more than one IP address configured, select the IP Address box on the General tab and configure OSPF for each address.

The OSPF Interface Properties dialog box appears in Figure 11.22.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 583

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 583

Figure 11.22 The OSPF Interface dialog box showing the contents of the General tab.

OSPF Password Protection All OSPF routers in the Area must use the same password. To set the password, click OSPF in the left pane of the console tree, and select Properties. On the General tab, type the correct password in the Password box. Remember that OSPF passwords are case-sensitive.

Windows 2000 Router Logging You can enable router logging for the Windows 2000 router to assist you in troubleshooting routing problems. You can either enable event logging, to log router events in the system log in Event Viewer, or enable trace logging, which will log information to a file (or you can do both).

Using Event Logging You can enable event logging on the Event Logging tab on the Properties sheet of a remote access server. Choose the RRAS server, right-click and select Properties, then select the Event Logging tab, as shown in Figure 11.23.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 584

584 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Figure 11.23 You can select from four levels of event logging in the RRAS server Properties sheet.

You can choose the level of information you wish to be logged to the system log. There are four levels: logging of errors only, logging of errors and warning messages, logging of the maximum possible amount of information, or no logging (disabled).

NOTE The default setting is logging of errors and warning messages.

Remember that logging uses a great deal of system resources and should be used only when necessary and disabled when the problem has been addressed.

Using the Tracing Function The Windows 2000 router supports tracing, a feature that can be used for troubleshooting complex network routing problems. When you enable tracing in Windows 2000 Server, the tracing information will be logged to files.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 585

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 585

To enable the tracing feature, it is necessary to edit the Windows 2000 Registry.

WARNING Editing the Windows 2000 Registry incorrectly can cause serious damage to the operating system, including making your computer unbootable. Always back up important data before you make changes to the Registry.

To enable tracing, open the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

Tracing is enabled separately for each routing protocol, by setting the appropriate Registry values. Each of the routing protocols appears as a subkey in the Registry, under the Tracing key. Select the protocol for which you wish to enable tracing (for example, OSPF).

TIP Tracing can be enabled or disabled while the router is running.

Configure the following Registry value entries for each protocol key to enable tracing for that protocol: ■

■

■

■

EnableFileTracing (value type is REG_DWORD) Set EnableFileTracing to 1 (the default value is 0) to enable logging tracing information to a file. FileDirectory (value type is REG_EXPAND_SZ ) To change the default location of the tracing files, set the FileDirectory value to the desired path. The filename for the log file is the name of the component for which tracing is enabled. Tracomg log files are placed in the systemroot\Tracing folder by default. FileTracingMask (value type is REG_DWORD) This setting indicates how much tracing information is logged to the file. MaxFileSize (value type is REG_DWORD) Set this value to change the size of the log file. The default value is 10000 (64K).

91_tcpip_11.qx

2/25/00

11:17 AM

Page 586

586 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

TIP Tracing uses a significant amount of system resources. Use it sparingly for identification of network problems. After you capture the trace, disable tracing. Never leave tracing enabled on multiprocessor systems.

Troubleshooting Common Windows 2000 Routing Problems Now that we have discussed how IP routing works in a static, RIP, or OSPF environment, let’s look at some of the common problems that arise with Windows 2000 computers configured to perform IP routing.

Troubleshooting Static Routing Because static routing is much less complex than dynamic routing, troubleshooting is in some ways simplified. The standard TCP/IP commandline utilities can be used for many troubleshooting tasks. Remember that static routing is appropriate for small, simple internetworks (no more than 10 subnetworks). For best results, there should be only one path available between any two endpoints, and the internetwork topology should not change often.

Using PING and TRACERT Test connectivity between the host computers using the TCP/IP utilities PING and TRACERT (as discussed in Chapter 4, “Windows 2000 TCP/IP Internals”) to ensure that routing paths are accessible.

Using the ROUTE Command As discussed earlier, static entries are made to the routing table using the ROUTE command and its options. You can also modify or delete routes, and make routes persistent over reboots.

Static Routing and Routing Loops A problem that can occur in a network using static routing happens when you configure two routers with default routes that point to one another. A default route is used for data packets addressed to destinations that reside on remote networks (networks not directly connected to the router). If two neighboring routers have default routes that point to one another,

91_tcpip_11.qx

2/25/00

11:17 AM

Page 587

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 587

this can create a routing loop when packets are sent to unreachable destinations. To prevent this problem, don’t configure neighboring routers with default routes pointing to each other. The following shows what a router loop might look like after doing a tracert: C:\>tracert 199.70.51.234 Tracing route to 199.70.51.234 over a maximum of 30 hops 1 2 3 4 5 ] 6 7

<10 441 180 311 691

ms ms ms ms ms

<10 561 741 711 551

ms ms ms ms ms

<10 330 561 681 331

ms ms ms ms ms

starblazer.tacteam.net [192.168.1.16] tnt-dal.dallas.net [209.44.40.10] grf-dal-ge002.dallas.net [209.44.40.9] atm9-0-04.CR-1.DllsTX.savvis.net [209.44.32.9] sl-gw13-fw-10-0-T3.sprintlink.net [144.228.137.5

471 ms 711 ms 540 ms sl-bb11-fw-2-2.sprintlink.net [144.232.11.65] 691 ms 551 ms 340 ms sl-gw17-fw-4-0-0.sprintlink.net [144.232.11.106]

8 521 ms 391 ms 671 ms sl-att-5-0-0-T3.sprintlink.net [144.232.193.70] 9 721 ms 531 ms 340 ms gbr2-a90s6.dlstx.ip.att.net [12.123.16.22] 10 661 ms 341 ms 701 ms gbr2-p40.attga.ip.att.net [12.122.2.90] 11 481 ms 681 ms 541 ms gbr2-p40.wswdc.ip.att.net [12.122.3.238] 12 351 ms 621 ms 560 ms br2-a340s8.wswdc.ip.att.net [12.127.7.190] 13 370 ms 511 ms 330 ms dc2-h110.mdtva.ip.att.net [12.127.15.5] 14 501 ms 391 ms 671 ms 12.127.11.238 15 501 ms 801 ms 541 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 16 701 ms 801 ms 671 ms 12.127.11.238 17 571 ms 391 ms 550 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 18 581 ms 671 ms 551 ms 12.127.11.238 19 791 ms 541 ms 471 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 20 741 ms 661 ms 390 ms 12.127.11.238 21 711 ms 560 ms 391 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 22 591 ms 380 ms 761 ms 12.127.11.238 23 540 ms 661 ms 571 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 24 721 ms 801 ms 551 ms 12.127.11.238 25 691 ms 842 ms 520 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 26 731 ms 751 ms 791 ms 12.127.11.238 27 561 ms 711 ms 541 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 28 611 ms 781 ms 802 ms 12.127.11.238 29 621 ms 811 ms 841 ms dc2-a350s1.mdtva.ip.att.net [12.127.11.237] 30 580 ms 842 ms 751 ms 12.127.11.238

91_tcpip_11.qx

2/25/00

11:17 AM

Page 588

588 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Troubleshooting RIP for IP Testing and troubleshooting a RIP network can be done using tools that are built into Windows 2000. Proper planning and multiphased deployment that includes testing of each added feature will make problem isolation and solutions easier.

Viewing RIP Neighbors The ability to view the Windows 2000 router’s RIP neighbors is useful for verifying that the router is receiving RIP announcements from all of its neighboring RIP routers. To view RIP neighbors, open the RRAS management console, and in the left pane of the console tree, right-click RIP and select Show Neighbors, as shown in Figure 11.24. Figure 11.24 To view the neighboring RIP routers, right-click RIP and select Show Neighbors.

This will allow you to see the IP address of RIP neighbors, the RIP version each is using, and bad packets and bad routes for each.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 589

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 589

Viewing the Routing Table The Windows 2000 routing table can be viewed either via the commandline utility ROUTE PRINT or through the RRAS graphical interface, as discussed earlier in this chapter. Examine the routing table and confirm that all routes that should be learned from RIP are entered in the table.

Summary: Common RIP Problems Following are some tips for troubleshooting problems that commonly occur when using RIP routing.

RIP Router Does Not Receive Routes Properly If a Windows 2000 router that is using RIP does not receive the expected routes, it can be because of the way in which your network is subnetted. Variable-length subnet masking, or using supernetting in a network where RIP, version 1 is deployed, can result in routes not being propagated properly. This is because RIP, version 1 does not support variablelength subnet masking; however, RIP, version 2 does support it. The solutions to this problem are: ■

■

■

■

■

Don’t use variable-length subnetting or supernetting, or deploy RIP, version 2 only on the network. If you are using authentication, ensure that all network interfaces are using the same password (passwords are casesensitive). Ensure that RIP route filtering, if enabled, is configured properly. If you have configured RIP neighbors, ensure that the correct IP addresses are entered for unicast announcements. Ensure that packet filtering is not filtering out RIP announcements.

WARNING When password protection is enabled on a RIPv2 router, the password is sent in plain text format. This means any user with network sniffer software, such as the Microsoft Network Monitor, can capture the RIPv2 announcements and view the password.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 590

590 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Troubleshooting OSPF OSPF routing problems are often caused by improper configuration preventing adjacencies from forming properly. Adjacencies are the relationships between adjacent OSPF routers. When the protocol is configured properly, all OSPF routers will learn the lowest-cost routes from their adjacent OSPF routers after convergence takes place. If the adjacencies don’t form, the link state database can’t be updated and synchronized. If you find that the databases for the DR and BDR are not synchronized, verify that the adjacencies have formed, as discussed in the next section.

Adjacency Problems Some factors to consider if the proper adjacencies don’t form are: ■

■ ■ ■ ■

■

■

■

Ping the neighboring router to be sure you have an IP connection. Use TRACERT to determine the route to the neighboring router. Ensure that there are no routers between neighboring routers. Enable OSPF logging and check the log file for errors. Ensure that if authentication is enabled, the same password is being used by both routers. Ensure that the Hello interval and Dead interval are set to the same value for both routers. Ensure that the neighboring routers both have the same Area ID. Ensure that packet filtering isn’t set to filter out OSPF messages.

NOTE Windows 2000 routers running OSPF have authentication enabled by default. The default password is 12345678, but can (and should) be changed.

Problems with Bad OSPF Routes or No Routes If no summarized OSPF routes are being received for an area, be sure that the Area Border Router is properly configured, with the correct network ID and subnet mask. Be sure that all ABRs are connected to the backbone area (Area 0.0.0.0) physically or logically through a virtual link. Make sure there are not any routers that connect two areas without going through the backbone area to do so.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 591

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 591

Resetting the Windows 2000 Router To reset the RRAS service to its original defaults, you must have the appropriate permissions. Open the RRAS console and right-click on the name of the RRAS computer you want to reset. Select Disable Routing and Remote Access. Now right-click the computer name again, and choose Configure and Enable Routing and Remote Access. This will invoke the RRAS wizard. Follow the steps of the wizard, and start the RRAS service when prompted. Settings will be returned to the defaults, based on the options you choose in the wizard setup.

WARNING Resetting the RRAS service will delete IP routing protocols and their configuration information.

Summary In this chapter, we began with an overview of IP routing concepts. We looked at how routers work, whether dedicated devices or Windows 2000 computers were functioning as routers. We discussed how routers make routing decisions, and provided an example of simple routing in an IP network. We discussed the difference between direct routing, which involves sending packets to a destination that is on the same subnet as the sending computer, and indirect routing, where the destination address is on a different address and the packet must go through one or more gateways (routers) to reach it. Then we examined the concept of a default gateway—defined as an IP address to which packets whose destination IP address has a different network ID are sent, to begin their journey across the internetwork to the correct subnet and finally, to the correct destination host. We learned that using a default gateway eliminates the need for all hosts to maintain huge, extensive routing tables, since the default gateway takes over that task for all the hosts on its subnet. We also discussed how Windows 2000 allows us to assign multiple default gateways to a network interface, which function as “backup” gateway routes if the first gateway goes down. Next, we discussed routing interfaces. We learned that a Windows 2000 router can be connected to one or more subnets via NICs, modems, ISDN terminal adapters, or other WAN connection devices.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 592

592 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

We then talked about routing tables, and the three types of routes that can be entered into a routing table: ■ ■ ■

Network routes Host routes Default route

We learned two ways to view the IP routing table: by using the ROUTE PRINT command-line utility, and through the graphical interface of the RRAS management console, accessed by right-clicking Static Routes under IP Routing, and then selecting Show IP Routing Table. Then we looked at each column of information contained in the routing table: ■ ■ ■ ■ ■ ■

Destination address Network mask Gateway address Interface name Metric, or “cost” of the route Routing Protocol (if any) being used

Next, we examined in detail the features of the Windows 2000 router, including multiprotocol routing for IP, IPX, and AppleTalk; support for dynamic routing protocols RIP and OSPF; packet filtering; ICMP router discovery and advertisement; IGMP multicast services; and unicast routing. We talked about the difference between static and dynamic routing, and the advantages of using dynamic routing protocols such as OSPF or RIP in simplifying administration and maintenance of the routing table. We talked about how to use the ROUTE utility and its subcommands to add, delete, and change routes, and make other configuration modifications. We discussed the lack of fault tolerance in static routing, and learned that it is really suitable only for small internetworks containing 10 or fewer networks. We then discussed the dynamic routing protocols and their characteristics and configuration. First we talked about RIP for IP, and its implementation as an Interior Gateway Protocol within individual networks that make up the Internet. We talked about how RIP uses announcement messages to propagate routing table information to other RIP routers on the internetwork, and how RIP can also use triggered updates to send information more quickly when a change such as the failure of a router occurs. We examined the features built into the Windows 2000 RIP implementation that help to prevent problems such as routing loops. These include

91_tcpip_11.qx

2/25/00

11:17 AM

Page 593

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 593

the split horizon and poison reverse algorithms, along with the use of triggered updates for situations where three or more gateways are involved (and thus split horizon and poison reverse may not prevent the problem). We also talked about RIP listening, a feature (also referred to as Silent RIP) that allows TCP/IP host computers that aren’t routers to “hear” the RIP announcement messages, although it does not send RIP messages of its own. We learned that both gateways (routers) and TCP/IP hosts can implement RIP, and that a host that uses RIP is assumed to have a routing table. We also talked about the importance of the metric, a number that designates the relative “cost” of using that route to reach that particular destination. Then we discussed some preventative medicine: how to deploy RIP in stages in order to make the transition to RIP routing easier. Finally, we summarized the advantages and disadvantages of RIP. Advantages discussed include its simplicity of setup when compared to OSPF and other link state protocols, and its history as a longtime industry standard. Disadvantages we pointed out include the hop count limit that makes any network requiring 16 or more “hops” unreachable, and the excessive network traffic caused by RIP announcements, along with the possibility of data loss due to slow convergence. Along with slow convergence, we discussed a couple of other problems to which RIP is prone: routing loops and the count-to-infinity problem. We also touched on the issue of rogue RIP routers, from which RIPv1 offers no protection. Next, we discussed the difference between distance vector algorithms used by RIP and link state algorithms. This brought us to the second supported dynamic routing protocol: OSPF. We talked about the advantages of OSPF over RIP, how it supports load balancing and multipath routing and can be used with either broadcast or nonbroadcast network architectures. We learned that when OSPF is used on a broadcast network, it sends Hello messages, which are broadcast messages used by the OSPF routers to locate each other. The Hello packet contains the router’s priority and network ID. The Designated Router (DR) is selected by comparing priorities and router IDs and choosing the router with the highest priority or, if there is a “tie,” based on the highest network ID. We looked at how OSPF works on a nonbroadcast network like ATM, where it must be manually configured with the addresses of neighboring routers. We learned that the routing information is sent point-to-point instead of via broadcast or multicast, making this implementation more complex and costly in terms of resources than a broadcast network implementation.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 594

594 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

Then we discussed the hierarchical routing structure used by OSPF, through the designation of areas, as opposed to the flat routing table structure of RIP. We learned that each area is given a unique Area ID, which is a 32-bit number, and that there must be a “backbone area” with the Area ID of 0 (or 0.0.0.0 as expressed in Microsoft’s OSPF implementation). We also examined the roles that routers can play in an OSPF: ■ ■ ■ ■

ABR (Area Backbone Router) IR (Internal Router) BR (Backbone Router) ASBR (Autonomous System Border Router)

Then we talked about the protocols used within OSPF: the common header protocol, the Hello protocol, and the Exchange protocol, along with the flooding protocol and the aging link state record protocol. This brought us to a discussion of the advantages of OSPF over RIP, which include: ■ ■ ■ ■ ■ ■ ■ ■

More efficient calculation of routes Faster convergence Support for load balancing Low bandwidth utilization No routing loops or count-to-infinity problems Hierarchical structure isolates instability within an area More scalable; appropriate for larger networks Secure password authenticated transmission of update messages

Next, we addressed the installation and configuration of the Windows 2000 IP router. We looked at how to set up static routes, and how to install both RIP and OSPF. We discussed the Windows 2000 router management tools, and learned about remote administration of a router running on another server through RRAS, as well as how to use the Netshell utility at the command line to configure routes, interfaces, and protocols. We took a look at a preconfiguration check list, ensuring that before we attempt to install and configure IP routing on a Windows 2000 server, we have the proper hardware, software drivers, and services installed. We addressed common problems with Silent RIP hosts, as well as the problems that occur in a mixed RIPv1 and RIPv2 environment. Then we talked about problems with autostatic updates on demand-dial remote access routers, and how to enable propagation so that host and default routes (which are not propagated by default) will be propagated on the network.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 595

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 595

We discussed password protection of update information on OSPF routers, learning that all OSPF routers on the internetwork must use the same password, and that it is case-sensitive. Then we looked at how to use Windows 2000 logging features to gather information that is helpful in troubleshooting routing problems. We discussed the two types of logging: ■

■

Event Logging which logs routing events to the System log in Event Viewer and is enabled through the RRAS console. Tracing which logs routing information to a file and must be enabled by editing the Registry.

We discussed use of the common TCP/IP utilities, like TRACERT and PING, to ensure that the routing paths are accessible, and saw what a routing loop looks like in a TRACERT display. Next, we discussed how to set and view RIP neighbors, and what to do when RIP routers do not receive routes properly from other routers. After that, we examined OSPF troubleshooting issues, learning that many OSPF routing problems are due to failure of adjacencies to form, and the steps to take if you suspect an adjacency problem. We talked about bad route information stemming from incorrect configuration of the Area Border Router, and the necessity that all ABRs be connected to the backbone area (Area 0). Then we learned how to reset the Windows 2000 RRAS service to its original default settings, deleting all IP routing protocols and their configurations and allowing us to “start from scratch” if necessary, in rebuilding our routing tables.

FAQs Q: What special factors must be considered when deploying RIP on a nonbroadcast network such as Frame Relay? A: RIP was really designed as a broadcast and multicast-based protocol, so configuration for a nonbroadcast network requires special planning. The configuration method differs according to whether virtual circuits appear as separate adapters on the Windows 2000 computer, or the adapter appears as a single adapter for all virtual circuits. The single adapter model is called NBMA (nonbroadcast multiple access). In this case, the Frame Relay adapter interface should be configured to use unicast for sending RIP announcement messages to RIP neighbors. If the Frame Relay network uses spoke-and-hub

91_tcpip_11.qx

2/25/00

11:17 AM

Page 596

596 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level

topology, you must disable split horizon on the hub router’s interface, or the spoke routers will not receive routes from one another. With the multiple adapter model, each circuit has a separate network ID and appears as a point-to-point link. The endpoints have IP addresses assigned from a designated network ID. In this case, you can use broadcast or multicast announcements. Broadcast should be used if the endpoints are both on the same network ID; use multicast if they are not. Q: When password authentication is enabled on a RIPv2 router, what happens if an announcement message is received with a password that doesn’t match the one set for the interface? A: Any announcement whose password does not match the one set is considered to be from an unauthorized router, and the message is discarded. Q: What types of networks are most likely to use OSPF instead of RIP? A: Large enterprise networks and very large internetworks, such as corporate campuses and global networks. Microsoft documentation generally recommends that OSPF be used for internetworks that include more than 50 networks. OSPF is also appropriate for networks in which the topology changes frequently, and those that include more than one path between pairs of endpoints. Q: How does the RRAS router view the network routing equipment? A: Windows 2000 sees this equipment as a series of interfaces, devices, and ports. An interface can be a LAN interface (typically a network interface card, or NIC); a demand-dial interface, which is a logical interface representing a point-to-point connection; or an IP-in-IP tunnel interface that forwards IP multicast traffic from one area of the intranet to another area of the intranet across a part of the intranet that does not support multicast forwarding or routing. Devices are defined as both physical devices such as modems and ISDN terminal adapters, and virtual devices such as an established VPN. PPTP and L2TP are seen as devices by RRAS. Devices can be multiport or single port. A port is a channel located on a device that represents one pointto-point connection. A modem is a single-port device, so the port and the device will be the seen as one entity. With multiport devices, like a modem bank or a two-channel ISDN terminal adapter, each point-topoint connection occurs over a separate port.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 597

Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 597

Q: How do you prevent invalid routes from external sources (RIP routes or static routes) from being propagated into an OSPF autonomous system? A: The Autonomous System Boundary Routers can be configured to use route filters. To do so, first you must enable Autonomous System Boundary Router on the General tab of OSPF properties for the interface being configured. Then you can configure the external route filters either to limit allowed routes to those specified on a list, or to discard routes that match those on a specified list. External route filters can only be used for filtering of routes that come from nonOSPF sources.

91_tcpip_11.qx

2/25/00

11:17 AM

Page 598

91_tcpip_12.qx

2/25/00

11:19 AM

Page 599

Chapter 12

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Solutions in this chapter: ■

IIS Services

■

FTP Services

599

91_tcpip_12.qx

2/25/00

11:19 AM

Page 600

600 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Introduction In this book, we’ve examined how TCP/IP connectivity works, and addressed some of the problems that can occur with Windows 2000 computers using the TCP/IP protocol. We’ve looked at general network connectivity problems such as IP addressing problems, NetBIOS name resolution problems, and DNS/DDNS problems. We then discussed services such as remote access and routing. In this chapter, we’ll look at troubleshooting issues pertaining to some of the special services included with Windows 2000 Server products that are dependent on the TCP/IP protocols. Internet Information Server 5.0 now comes with Windows 2000 Server, and we will look at the services it includes: Microsoft’s Web server, its companion FTP server, and the NNTP news server. We’ll look at some of the problems that may be encountered when running these server services, what you can do to prevent them, and how to address them when they do occur.

Troubleshooting IIS Problems Internet Information Services (IIS) is Microsoft’s software for creating and managing Web sites. IIS also includes other Internet services, such as File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP). Microsoft has added a number of new features to IIS version 5.0, which is included in Windows 2000 Server family products. IIS 5.0 is fully integrated with the operating system, and includes support for Active Server Pages (ASP), Windows Media Services (WMS), and Distributed Authoring and Versioning. Table 12.1 describes some of the differences between IIS 4.0 and IIS 5.0. Table 12.1 Comparison of Features in IIS, Versions 4 and 5 Feature or Procedure

Changes in IIS 5.0

Running applications

IIS 4: Applications could be run in a separate process or in the same process as IIS. IIS 5: You can group applications together into pooled processes to increase performance. By default, Web services run in a separate process, and other applications run in a pooled process. Continued

91_tcpip_12.qx

2/25/00

11:19 AM

Page 601

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 601

Feature or Procedure

Changes in IIS 5.0

Custom error files

IIS 4: If you created custom error files, they were stored in :\winnt\Help\common. IIS 5: Custom error files have moved to :\winnt\Help\iisHelp\common. They now have the extension .bak

HTML Internet Services Manager

IIS 4: A Web-based administration tool that was available from the Start menu. IIS 5: To start the Web-based administration tool, you must open a Web browser and type the domain name and the assigned port number for the Administration Site.

ASP Buffering

IIS 4: Buffering was turned off by default. IIS 5: Buffering is turned on by default.

ASP File Security

IIS 4: If an include file was located in a virtual root that was mapped to a physical path, ASP did not use the security credentials of the physical path to process that file. IIS 5: ASP does use the physical path's security credentials to process include files.

Configuration information storage

IIS 4: some of the configuration information was stored in IIS keys in the Registry and some of the configuration information was stored in the metabase. IIS 5: More of this configuration information is stored in a new hierarchical database called the metabase.

Security administration

Security administration has been simplified in IIS 5 by the addition of wizards.

Along with this added functionality comes added complexity and the potential for brand new problems that you may not have encountered with previous versions of IIS. We’ll look at some common IIS 5.0 troubleshooting scenarios in this section.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 602

602 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Log Files The Web and FTP servers can be configured to log information about server and user activity, which can be helpful in troubleshooting Web site problems.

NOTE Some IIS events will also be logged to the system log in Event Viewer. IIS site logging is configurable and more extensive.

Enabling Site Logging To enable site activity logging, perform the following steps: 1. Open the Internet Services Manager console from the Administrative Tools menu. 2. Choose a Web or FTP site, as shown in Figure 12.1. Right-click its name and select Properties. Figure 12.1 Open the Properties sheet for a Web or FTP site to enable logging.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 603

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 603

3. This will open the Default Web Site Properties sheet, as shown in Figure 12.2. Check the Enable Logging check box and select one of the four available logging formats: W3C Extended Log File Format (the default), ODBC Logging, NCSA Common Log File Format, or Microsoft IIS Log Format. Figure 12.2 Check the Enable Logging check box and choose a format for the active log.

4. You can also set extended logging options by clicking PROPERTIES. Selecting the W3C format will display the dialog box shown in Figure 12.3. 5. The Extended Logging Properties dialog box will vary depending on the format chosen. For instance, if you select to log to an ODBC database, you will need to set the data source name and table name in the ODBC Logging Properties dialog box shown in Figure 12.4. 6. After making your logging selections, click APPLY on the Web Site tab to apply the changes.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 604

604 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Figure 12.3 Setting extended logging properties.

Figure 12.4 The Extended Properties dialog box for logging to an ODBC database.

Log File Formats You can select from the following log file formats:

91_tcpip_12.qx

2/25/00

11:19 AM

Page 605

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 605 ■ ■ ■ ■

W3C Extended Log File Format Logging to an ODBC database NCSA Common Log File Format Microsoft IIS Log Format

Regardless of which format you select, the IIS log files are ASCII text files. A different format can be chosen for each Web site or FTP site. You can also disable logging for particular directories on a site where logging is enabled (see the Microsoft IIS 5 online documentation for instructions).

W3C Extended Log File Format The W3C Extended Log File Format contains a number of fields; however, you can select which fields are to be included to control the size of the log file. This is done in the Extended Logging Properties sheet, shown in Figure 12.5. Figure 12.5 Selecting the fields to be logged in the W3C Extended Log File Format.

By default, the following fields are logged: ■

Time The time the logged activity occurred (times are shown in Greenwich Mean Time).

91_tcpip_12.qx

2/25/00

11:19 AM

Page 606

606 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network ■

■

■ ■

Client IP address The IP address of the client that accessed the server. Method The action the client was attempting to perform (such as GET or PUT). URI stem The resource that was accessed (such as index.html). HTTP status The status of the action in HTTP terms. (You can also select to log Win32 status, which will give the status of the action in Windows 2000 terms.)

Other useful fields that are not logged by default include number of bytes sent and received, the server port that the client connected to, and the length of time the activity took.

NOTE IIS 5 includes a template for SQL databases that will set up the table for ODBC logging with the appropriate fields. The template file is located in the <systemroot>\system32\inetsrv directory.

ODBC Logging With ODBC logging, you can log information to an ODBC-compliant database, such as Microsoft Access or SQL Server. In this case, you must already have a database set up, and specify the name of the database the data is to be logged to. Then you must set up the ODBC database to receive the data. Before you can use ODBC logging, the following must be done: 1. Set up a database in your database program and create a table that includes the fields for the data to be logged. Certain fields are required (see “Required Fields for ODBC” in this section). 2. Assign a Data Source Name (DSN) to the database. This is the name used by the software to find information. 3. Enter the name of the database and table in the IIS Properties sheet for OBDC. If a username and password are required, also enter these. Required Fields for ODBC Database. The following fields are required. Other fields can be added. ■ ■ ■

ClientHost Username LogTime

91_tcpip_12.qx

2/25/00

11:19 AM

Page 607

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 607 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Service Machine ServerIP ProcessingTime BytesRecvd BytesSent Server Status Win32Status Operation Target Parameters

NOTE In ODBC logging, the time is shown as local time.

NCSA Common Log File Format Unlike W3C Extended and ODBC logging, the NCSA Common Format cannot be customized and can be used only for Web site logging, not for FTP. It creates an ASCII file with the following information: ■ ■ ■ ■ ■ ■

Remote host IP address and name Username Date and time (shown in local time with GMT offset) Request type HTTP status Bytes received

In the NCSA log, the fields are separated by spaces, making the log file a space-delimited database file. An entry would look like the following: 192.168.1.201 DS2000 TACTEAM\dshinder [08/Jan/2000:19:39:04 -0800] "GET/scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401

The preceding log entry indicates that the user dshinder in the TACTEAM domain, with IP address 192.168.1.180 and remote host name DS2000, sent an HTTP GET command to download a file at 19:39:04

91_tcpip_12.qx

2/25/00

11:19 AM

Page 608

608 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

(7:39 P.M.) on January 8, 2000. 3401 bytes of data were returned to the user.

Microsoft IIS Log Format Microsoft IIS Format, like NCSA, is not customizable (called a “fixed file format”). It does, however, include more information fields than NCSA. Along with the same items logged by NCSA and described previously, the Microsoft IIS Log format also logs the following: ■ ■

■ ■ ■

Elapsed time for the activity The action performed (such as a file download), and the command Service (such as W3SVC) and instance (1, 2, etc.) The target file Windows 2000 status code

This format may be easier for you to read, since it separates the fields by commas instead of spaces. The ASCII file can be opened in a text editor such as Notepad. Following is an example of a Microsoft IIS log file: 192.168.1.201, — , 12/20/99, 2:55:20, W3SVC2, CONSTELLATION, 192.168.1.185, 4502, 163, 3223, 200, 0, GET, deb&tom.gif

In this example, an anonymous user (indicated by the hyphen that is in the field for username) at IP address 192.168.1.180 sent an HTTP GET command to the server named CONSTELLATION at IP address 192.168.1.185 at 2:55:20 (2:55 A.M.) on December 20, 1999. The activity required 4502 milliseconds (4.5 seconds) to complete. 3223 bytes of data were sent to the user in response to the request. (0 and 200 are the service status and Windows 2000 status codes.)

Logging Problems If you find that you cannot access a log file, or that logging is not taking place, check the following: ■ ■

You must stop the site before you can access the current log file. IIS logging will shut down if the server runs out of disk space while the service is trying to add a log entry (an event will be logged to Event Viewer when this occurs).

91_tcpip_12.qx

2/25/00

11:19 AM

Page 609

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 609

Troubleshooting Web Server Problems The Web server functionality is the most used and the most complex of the IIS services. Thus, troubleshooting Web site issues is a major concern to IIS administrators. IIS 5 is prone to some of the same problems as IIS 4, plus a few new ones.

Performance Problems IIS can use a great deal of network bandwidth, depending on the Internet server service(s) being run and the amount of access. This can result in performance problems affecting the services and the network as a whole.

Connection Capacity Bottleneck Ensure that you have adequate network bandwidth to handle the amount of data that will be transferred by your server. Network saturation is a common problem when running a moderately busy Web server on a 10 Mbps network interface. One solution is to upgrade the hardware to 100 Mbps Fast Ethernet or FDDI. You can also use multiple 10 Mbps NICs on the server. To monitor connection capacity, use Network Monitor (see Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000”) to measure network utilization. If it is close to 100 percent for either the client or the server, this indicates the network is the bottleneck that is causing slow performance. You can also use System Monitor (Performance) to examine the Bytes Total/sec or the Current Bandwidth counter in the Network Interface object, and compare the numbers with the total bandwidth of your connection. Normal load should be around 50 percent (or lower) to leave a “cushion” for peak usage periods. IIS provides for the option to throttle the bandwidth used by the services. This means limiting the amount of network bandwidth that can be used on a site-by-site basis. To do so, in the IIS MMC console (Internet Service Manager on the Administrative Tools menu), choose the site that you wish to throttle, right-click, and select Properties. Then choose the Performance tab, as shown in Figure 12.6. Check the “Enable bandwidth throttling” check box and set a maximum for network utilization in kilobytes per second.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 610

610 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Figure 12.6 Limiting the amount of network bandwidth to be used by a site.

CPU Utilization Bottlenecks Another common problem with a heavily used Web or FTP server is overutilization of the server machine’s Central Processing Unit (CPU), also just referred to as the processor. The processor does the processing of instructions and, along with the memory (RAM) and hard disk, determines how quickly requests are processed and data is transferred. A server running IIS will benefit from a fast processor or multiple processors. To determine whether the CPU is the bottleneck that is slowing IIS performance, check the System Monitor (Performance) Processor object counters (see Chapter 4 for more information about using the System Monitor). If you find that CPU utilization is high (over 80 percent), you can improve performance by doing one of the following: ■

Upgrade the CPU to a faster processor. Processor clock speeds are expressed in megahertz (333 MHz, 450 MHz, 600 MHz, etc.). However, clock speed is not the only factor affecting actual performance of a processor. You will get better performance from a processor that has a large Level 1 (L1). The bus speed of the motherboard is another important consideration.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 611

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 611 ■

■

Add more processors. Windows 2000 Server supports up to four processors, and Advanced Server supports eight. Multiprocessing will increase performance by spreading the processing load across the processors. Move applications that use a lot of CPU time (such as database applications like SQL Server) to a separate computer so that IIS is not competing with them for processor time.

Another solution is to replicate the site to a second computer, and take advantage of DNS round robin. This will allow for load balancing between the servers, as users will be randomly assigned the IP addresses to the Web servers. Just as you can throttle network bandwidth, IIS also provides a way to throttle CPU usage. To limit the amount of processor time that is used for processing applications such as CGI and ISAPI on each Web site, check the “Enable process throttling” check box on the Web site Properties Performance sheet, and set a maximum percentage of CPU usage for each site. This is especially useful when running multiple Web sites on one computer, to ensure that one site is not hogging all the processor time.

NOTE Pooled-process applications are not affected by process throttling.

Enabling process throttling will cause an event to be written to the system log if total processor usage goes over the limit set. Checking the “Enforce limits” check box will have the following consequences: ■

■

If the processor usage surpasses 150 percent of the set limit, not only is an event written to the system log, but out-of-process applications on the site (ASAPI, CGI) will be set to Idle for CPU priority. If the processor goes over 200 percent of the set limit, all the out-of-process applications on the site will be stopped.

Problems with Site Name Resolution If the name or address of the Web site or FTP site does not display as expected in the description in the site’s property sheet, verify the computer’s IP address and network name.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 612

612 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

1. Use the IPCONFIG command-line utility to confirm that the computer’s IP address is correct (see Chapter 4 for more information on using the IPCONFIG utility). 2. Check the computer’s name in the Network Identification tab of the computer’s System Properties sheet, accessed by rightclicking My Computer, selecting Properties, and choosing the Network Identification tab, as shown in Figure 12.7. Figure 12.7 Verifying the computer name in the Network Identification property sheet.

Note that the property sheet shows the DNS name for the computer (Fully Qualified Domain Name, or FQDN) if the computer is a member of a Windows 2000 domain.

Inaccessible Virtual Directories Creating virtual directories allows you to use files on your Web site that are physically located on a different computer or in a directory other than the service’s root directory. Those who transitioned directly

91_tcpip_12.qx

2/25/00

11:19 AM

Page 613

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 613

from IIS 3 to IIS 5 will notice a difference in the accessibility of virtual directories. In IIS 3, if a virtual directory was not associated with a particular IP address, it was accessible from all Web sites that were hosted on that server. This is no longer true in IIS 4 and IIS 5. Making a virtual directory accessible from multiple Web sites that use multiple IP addresses requires you to add the virtual directory to every individual site.

Problems with Hosting Multiple Sites on a Windows 2000 Server To host multiple sites on the same computer, you must either assign multiple IP addresses to multiple network interface cards (NICs) or, if using only one IP address, you must append port numbers to the end of the IP address. Another option is using host header names with a single IP address.

Appended Port Numbers To reach the site, the client must append the port number, except for the site using the default Web server port, TCP Port 80. If clients are unable to connect to your multiple sites, ensure that they are entering the port number. The port number can be appended to either a “friendly” DNS name or IP address; for example, http://www.shinder.net:12345 or ftp://209.217.17.13:12345.

Multiple IP Addresses If you want clients to be able to use names instead of IP addresses to connect to the sites, you can use multiple IP addresses. You can either assign multiple IP addresses to a single adapter, or install multiple adapters and assign an IP address to each one. You must assign a specific IP address to each Web site hosted on the server. Note that if the sites are made available across the Internet, the IP addresses need to be “legal” addresses allocated by an authorized registrar. If the sites are only being made available on the intranet, you can use private (unregistered) IP addresses.

Host Header Names Another way of hosting multiple sites on one computer is to use host header names to distinguish them from one another. The host name must be entered in DNS for this to work. Be aware that host header names can’t be used with SSL (Secure Sockets Layer). This is because the host

91_tcpip_12.qx

2/25/00

11:19 AM

Page 614

614 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

headers would be encrypted, thus there would be no way to interpret them and route the request to the correct site. Older browsers (including Internet Explorer prior to version 3.0) will have problems with host header names. If clients are using older browsers and cannot access the sites, you can edit the Registry and then redirect the browser to provide them with a way to access the sites. There are detailed instructions for doing this in the IIS 5.0 online documentation that is installed when you install IIS 5.0. To access the documentation, type http://localhost/iisHelp/ in your browser URL box. Of course, a better solution may be to have clients update their browser software.

Some Clients Unable to Access Site If some clients are able to access your Web site and others can’t, and the users whose requests fail receive a “403” message (Access Forbidden), ensure that IIS is not set to deny access to that IP address or domain name. Other reasons for receiving this message include: ■ ■

User does not have a valid user account User does not have Web permissions for the requested resource

NOTE If the user does not have NTFS permissions for the resource, a “401” message (Access Denied) will be returned.

To ascertain if IIS is set to deny access to the IP address or domain name, select the Web site in the IIS management console and select the Directory Security or File Security property sheet (depending on the resource the client is unable to access), as shown in Figure 12.8. When you click EDIT in the second section, “IP address and domain name restrictions,” you will see a dialog box as shown in Figure 12.9. If the client’s IP address or domain name is listed here, and you wish to give the client access, you can remove the restrict or edit the properties of each entry here.

NOTE If a user goes through a proxy server to access your Web site, the IP address of the user will appear to be that of the proxy server, not the client computer.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 615

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 615

Figure 12.8 The Directory Security properties sheet is used to grant or deny access by IP address or domain name.

Figure 12.9 The IP Address and Domain Name Restrictions dialog box.

It is also possible that a group of computers has been denied access based on their network ID and a subnet mask. All computers in a subnet have the same subnet ID, but they have unique Host IDs. Specifying a network ID and a subnet mask allows you to designate a group of computers that are to be denied access.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 616

616 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

For instance, if the IP address of the host computer is 172.16.16.1 and the subnet mask is 255.255.0.0, all of the computers in that subnet will have IP addresses that begin with 172.16. If 172.16.0.0 is entered in the Network ID text box and 255.255.0.0 in the Subnet Mask text box, all computers in the subnet will be denied access.

Changing IIS Properties Many of the properties of IIS can be edited by using the IIS snap-in; this is the method that should be used whenever possible. However, some configuration parameters that are specific to a service, as well as some of those that are global for all IIS services, cannot be configured through the snap-in. If you have used the Registry Editor to make changes to IIS 4 configuration settings, be aware that many of the keys that existed in the previous version of IIS have been moved, in Windows 2000’s IIS 5, to a hierarchical database called the metabase. Although IIS Registry keys still are included for backward compatibility with IIS 4 and prior versions, new information should always be written to the metabase, not to the old Registry keys.

NOTE IIS 4 also used the metabase for storage of configuration information.

The IIS Metabase The metabase is hierarchically structured, similar to the Registry, for storing configuration values for Internet Information Services. Most configuration keys and values that were stored in the Registry for earlier versions of IIS are now stored as properties in the metabase. Some new keys and values have also been added for better and more granular administrative control. The metabase allows you to set the same property differently at different nodes. You can make changes to the metabase by configuring its values using administration tools such as the IIS snap-in and Internet Services Manager (HTML). The metabase can also be modified programmatically by configuring values through the use of the IIS Admin Objects and the IIS Admin Base Object.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 617

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 617

TIP The Internet Information Server 4.0 Resource Kit also contains a tool called “metaedit.exe,” which allows you to directly edit the metabase in the same fashion that the Registry Editor allows you to edit the registry.

Troubleshooting FTP Server Problems IIS 5 also includes the File Transfer Protocol server service, which allows you to publish files to a site to be accessed and downloaded by users. Many of the same troubleshooting tips discussed in regard to Web services are also applicable to problems with FTP servers. In this section, we will briefly look at some common FTP problems and how to address them. Most FTP problems are authentication or permissions problems. Since FTP is simpler than many other services, it is in many ways easier to troubleshoot. FTP commands and arguments are all sent together in the same packet, which it makes it easy to troubleshoot the service with a protocol analysis tool like Sniffer because you don’t have to put the “pieces” back together.

End-User Problems A large number of FTP connection problems result from incorrectly typed username and password information. A protocol analyzer can be used to examine the packets and verify that the user is typing the correct username and password (see Chapter 5 for more information on using protocol analyzers).

New Connections Not Being Accepted If the FTP server is not accepting new connections, but requests are still being processed, it is possible that the site has been paused. Checking the status of a site is simple: In the left pane of the IIS management console, if the site is paused or stopped, it will be indicated in parentheses after the site name, as shown in Figure 12.10.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 618

618 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Figure 12.10 Restarting a paused FTP site.

Although you cannot directly restart a paused site from the command line, you can stop the service and then start it, and it will no longer be paused. To do so, use the commands: net stop msftpsvc net start msftpsvc

See Figure 12.11 to see these commands executed. Note that the same net stop and start commands can be used for other services such as the Web service, NNTP, and SMTP. When using the net start and net stop commands for the World Wide Web service, use w3svc in the command as the service name. For the NNTP service, use nntpsvc; for SMTP, use smtpsvc.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 619

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 619

Figure 12.11 Stopping and starting the FTP service at the command line.

WARNING Pausing the service prevents new users from connecting to the FTP site, but has no effect on those users already connected. Stopping the service will disconnect all users, and cause their downloads to halt.

Users Prompted for Username and Password In order to allow anonymous connections from clients who do not have a specific user account and password, you must ensure that Allow Anonymous Connections has been enabled in the Security Accounts property sheet for the site. See Figure 12.12. To access the properties sheet, right-click the site name, and select Properties and the Security Accounts tab. Note that you must also specify a valid user account through which the anonymous connections will connect. IUSER_<servername> is the default. It is added to the Guests group. Also note that the anonymous account must have the user right to log on locally. Otherwise, IIS will not be able to service any anonymous requests.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 620

620 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Figure 12.12 Allowing anonymous connections to an FTP site.

NOTE The IUSR_<servername> accounts on domain controllers are not assigned the right to log on locally by default. You must allow it the user right to Log On Locally if you want to allow anonymous requests.

Connection Limit Exceeded Another reason that a user might not be able to connect to an FTP site is if the limit on number of connections is exceeded. Check the FTP Site Properties sheet to increase the number of allowed connections or to allow unlimited connections, shown in Figure 12.13. Note that the connection timeout can also be set in this dialog box. If users are being disconnected too quickly after idle time, this value can be increased.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 621

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 621

Figure 12.13 Limits may be set on number of simultaneous connections in the FTP Site Properties sheet.

Troubleshooting NNTP Server Problems The Network News Transfer Protocol is used for managing newsgroups that can be accessed using newsreader software such as Outlook Express. The Microsoft NNTP news service, like the other components of Internet services, is well integrated with Windows 2000 Server and can use the operating system’s monitoring and reporting tools to full advantage. The System Monitor (Performance) can be used to monitor NNTP performance issues, as the installation of NNTP automatically adds the appropriate counters to System Monitor. NNTP status and error messages are written to the system log and can be accessed through the Event Viewer. SNMP supported is also included (see Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for more information about using SNMP).

Using Event Viewer for NNTP Troubleshooting The NNTP service writes error messages to the system log in Event Viewer. If you are having problems with the service, check the log for any messages pertaining to NNTP. If there are a large number of messages in the

91_tcpip_12.qx

2/25/00

11:19 AM

Page 622

622 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

system log, you can use filtering to view only those associated with the NNTP service, by typing NNTPSVC in the Source box when you click Filter Events from the View menu of the Event Viewer.

Common NNTP Problems Problems with the NNTP news server are usually related to one of the following: ■ ■ ■

Network connectivity NNTP service availability Security settings

We will look at each of these areas separately in the next sections.

Network Connectivity Problems When a client is unable to access newsgroups, the first thing to check is network connectivity to the server. Use the PING command to verify that you are able to contact the news server. If you are unable to establish a connection using the server name, try to ping the IP address of the server. If this is successful, the problem lies with name resolution (DNS). See Chapter 7, “Troubleshooting Windows 2000 DNS Problems,” for more information. If you still are unable to establish a connection using the IP address, the problem is with network connectivity. Check the hardware and physical media between the client and server.

NNTP Service Availability Assuming you have confirmed that there is no network connectivity problem, as discussed in the preceding section, the next step is to ensure that the NNTP service is responding properly when you issue NNTP commands. The purpose of this is to narrow down the problem to determine whether it is a client or server issue. Use Telnet to verify the availability of the NNTP service, as follows: 1. Open the Microsoft Telnet program by typing telnet at the command line. Type the following line: open <port number>

where the IP address is the IP address of the NNTP server and the port number is the port being used (the standard port number for the NNTP service is 119). See Figure 12.14.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 623

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 623

Figure 12.14 Using Telnet to verify availability of the NNTP service.

2. If the NNTP service is available and accepting connections, you will receive a message, as shown in Figure 12.15. Figure 12.15 A 200 message indicates that the service is “alive and well.”

3. You can now type list in the telnet window to receive a list of the newsgroups that are available, as shown in Figure 12.16. (Note that the characters are not echoed back to you by default.)

Figure 12.16 Type list to see the list of available newsgroups.

On the other hand, if you get back a message from Telnet that says “Connect Failed,” the service is not accepting connections. This could be because the service is not running. Check the status of the service in the

91_tcpip_12.qx

2/25/00

11:19 AM

Page 624

624 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

IIS management console, as shown in Figure 12.17, and restart the service if necessary. Figure 12.17 A “Connect Failed” message could indicate the service has been stopped.

A 480 message (Logon Required) indicates that anonymous connections are not allowed, and you must supply a username and password. If you are able to list the newsgroups using Telnet, this means the connection problem is probably on the client side. See the documentation for the client newsreader software to ensure that it is properly configured.

Security Settings Newsgroup access problems can also be related to security settings. The Microsoft NNTP service allows you to configure security to restrict access based on the client IP address, or by using Windows 2000 permissions to restrict access to the directories that contain the newsgroups. If one user is unable to access the news service and others can, check the permissions settings on the directories. Also check to see if SSL authentication is required.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 625

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 625

If you want everyone to be able to access the newsgroups with no restrictions, without entering a username or password, be sure anonymous access is enabled. To do so, right-click the NNTP service, select Properties, select the Access tab, and click AUTHENTICATION. You will see a dialog box, as shown in Figure 12.18. Figure 12.18 Allow anonymous access if you want everyone to be able to access newsgroups.

Another possibility is that the client’s IP address is part of a group that is denied access. To check on this, right-click the NNTP virtual server in the IIS management console, and select Properties. Choose the Access tab again, and click Connection under the Connection Control section. Any IP addresses that are restricted will appear in the dialog box shown in Figure 12.19. For more information about using the Microsoft NNTP service, see the online documentation that is installed when you install the NNTP service, in the <systemroot>\help directory in a file named news.chm.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 626

626 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

Figure 12.19 Ensure that the client’s IP address has not been denied access.

Summary In this chapter, we have discussed some common problems that occur with the Internet services (IIS 5.0) that are included with the Windows 2000 Server family operating systems. These include the Web server, the FTP server, and the NNTP news server. All are managed from the Internet Information Services (IIS) management console. We briefly discussed some of the differences between IIS 4.0, which was a separate add-on product used with Windows NT 4.0, and IIS 5.0, which is part of Windows 2000 Server. We learned that changes have been made in the areas of running applications, the location of custom error files, the Web-based HTML Internet Services Manager, Active Server Pages, security, configuration information storage, and others. We talked about how Windows log files can be used in troubleshooting the Internet services, and discussed how to enable site logging. We learned that the following options are available for selecting a log file format: ■ ■ ■ ■

W3C Extended Log File Format Logging to an ODBC database NCSA Common Log File Format Microsoft IIS Log Format

We learned that all log files are ASCII text format, and that W3C and ODBC can be customized, while NCSA and IIS formats are fixed (noncustomizable). Then we looked at each of the specific Internet services: Web services, FTP, and NNTP. We discussed problems with the IIS 5.0 Web server,

91_tcpip_12.qx

2/25/00

11:19 AM

Page 627

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 627

including performance problems such as connection capacity bottlenecks and exceeding CPU utilization limits. We learned how to throttle bandwidth and processes to address these problems. We discussed the change from IIS 3.0: It is now required that virtual directories using multiple IP addresses be added to each site to be accessible. We also discussed problems that arise in hosting multiple sites on a single computer, in regard to each of the different ways in which multiple site hosting can be accomplished: ■ ■ ■

Using appended port numbers Using multiple IP addresses Using host header names

We examined some reasons why a client may be unable to access a Web site, and the differences between common error messages, such as 401 (Access Denied) and 403 (Access Forbidden). We looked at the role of permissions and IP address restrictions, and we discussed the IIS metabase, the database in which configuration information for IIS is stored. Next, we discussed the Microsoft File Transfer Protocol service. We learned that end-user problems, such as an incorrectly typed password, are the most common problems with FTP. We also looked at how to ensure that the FTP service is started, and how to pause, start, and stop the service both through the graphic management console and at the command line. We discussed how to ensure that anonymous FTP access is enabled, and what to do if users are denied access because the connection limit has been exceeded. Finally, we looked at the Network News Transfer Protocol. We discussed common NNTP problems, which generally fall into one of three categories: ■ ■ ■

Network connectivity problems NNTP service availability Security settings

We looked at how to use the PING command to verify network connectivity, and how to use Telnet to determine that the NNTP service is operational and accepting commands. We also discussed how to check security settings and ensure that users have not inadvertently been restricted from accessing the newsgroups, and how to enable anonymous access if we want all users to be able to use the newsgroups without supplying a username and password.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 628

628 Chapter 12 • Troubleshooting Selected Services on a Windows 2000 TCP/IP Network

FAQs Q: My ISP has only given me one external IP address, but I want to host multiple Web sites on my server. Is there a way I can do that? A: Yes. In order to host multiple Web sites with a single IP address, you’ll have to create host headers for each of the Web sites. These Web sites cannot be SSL enabled because the header must not be encrypted during communications. The client Web browsers must also support host headers. Q: I want to host multiple FTP sites for different companies. How can I do that? A: You must create a virtual FTP server for each FTP site, and each FTP site must have a different IP address or port number assigned to it. Unlike Web sites, you cannot assign host headers to your FTP sites, which means you cannot use a single IP address and port number to host multiple FTP servers. Q: I’ve installed Internet Information Server on my Windows 2000 Advanced Server box. I want my users to be able to use it as our corporate mail server, but I’m having problems with the users not being able to get their mail from the server. A: Internet Information Server 5.0, which comes with Windows 2000 Advanced Server, includes an SMTP server. The SMTP server allows you to send mail to it, which can be forwarded to other servers, or have mail left in a subdirectory of the SMTP root folder. IIS does not include a POP3 server from which users can retrieve their mail. There are many POP3 solutions available, including Microsoft’s Exchange 2000, which includes its POP3 server component. Q: I believe that someone has been sniffing the segment that contains my FTP server. My users log on to the FTP server with their usernames and passwords, but it’s coming through as clear text. I want to enable Windows Integrated Authentication. How do I do that? A: Because of the way commands are processed by the FTP server, you cannot enable Windows Integrated Authentication for users logging on to your FTP server. Your best choice is to enable only anonymous access to your FTP server. If that is not an option, you can enable IPSec on the FTP server and the clients to prevent network sniffing of your usernames and passwords.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 629

Troubleshooting Selected Services on a Windows 2000 TCP/IP Network • Chapter 12 629

Q: I have set up a new Web site and put up the home page index.html. However, when users type in the URL for the Web site, http://www.mynewwebsite.com, they get a 404 error. What do you think the problem might be? A: The default “default documents” for Internet Information Server 5.0 are default.asp and default.htm. If users do not type the filename for the folder they are accessing (which in this case is the root folder of www.mynewwebsite.com), they are delivered the contents of one of the default documents. For a user to receive index.html as a default document, you will need to add it in the Documents tab of the Web site’s Properties sheet. Q: How is the port number assigned to the Administrative Web Site? Does it change every time the server is restarted? I’ve heard people say different things about this. A: The port number for the Administrative Web Site is assigned randomly when the Web Server component is installed. Unless you decide to change the number yourself (which you can do), it will remain the same until you reinstall the Web server. If you do change the port number, do not change it to 80, since that is the port number used for the default Web site.

91_tcpip_12.qx

2/25/00

11:19 AM

Page 630

91_tcpip_13.qx

2/25/00

11:21 AM

Page 631

Chapter 13

Windows 2000 TCP/IP Fast Track

Solutions in this chapter: ■

Rapid Review of Chapter Concepts

631

91_tcpip_13.qx

2/25/00

11:21 AM

Page 632

632 Chapter 13 • Windows 2000 TCP/IP Fast Track

Introduction TCP/IP is a very powerful—and thus very complex—suite of protocols. Its complexity is necessary in order to achieve the sort of flexibility and scalability needed in the large networks and huge global internetworks that rely on it for everyday communications. That complexity also makes for more potential problems, more chances for configuration errors, and more opportunities for something to go wrong. This book attempts to address some of the more common problems facing the typical administrator of a TCP/IP network based on the new Windows 2000 operating system. This Fast Track section summarizes the key points of each chapter. We hope it will be useful as a handy “condensed version” quick reference after you’ve read the book, or as an overview of the topics covered if you haven’t yet read the book.

TCP/IP: What It Is (and Isn’t) TCP/IP is a suite of protocols operating together to allow computers to communicate with one another across a network. It was developed in the 1960s by the creators of the ARPAnet, and is the protocol suite used today on the Internet. TCP/IP’s unique addressing scheme makes it appropriate for routing across a global network, and it is supported by computers running on a variety of platforms and operating systems. It is the closest thing in existence to a “universal” protocol, despite attempts to develop replacement protocol suites, such as OSI.

TCP/IP History and Future in a Nutshell The TCP/IP suite is based on the Department of Defense (DoD) networking model as part of the collaboration between the U.S. military and major educational institutions to build a reliable, stable, wide area network. This was the ARPAnet, which eventually evolved into the Internet. TCP/IP and the Internet “grew up” together and are inexorably intertwined. The protocols are still growing and changing to meet the challenges posed by the enormously increased popularity of the Internet as it becomes a part of everyone’s everyday life. The Internet Protocol’s (IP) current 32-bit addressing scheme has been pushed to the limits. Therefore, in order to provide for more IP addresses for all the devices that will need them in the future, the Internet Engineering Task Force (IETF) is hard at work preparing for the transition to IPv6 (also called IPng for IP next generation). The new version of IP will use 128-bit addresses, and is designed to work efficiently with high-performance technologies, such as ATM.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 633

Windows 2000 TCP/IP Fast Track • Chapter 13 633

Where TCP/IP Fits into the Networking Models Networking models are used to graphically represent the network communication process, showing the responsibilities of various components of the networking software and hardware as layers. The DoD networking model is sometimes referred to as the TCP/IP networking model. The protocol suite maps directly to its four-layered structure: ■ ■ ■ ■

Application Host-to-Host (Transport) Internetwork Network Interface

TCP, the Transmission Control Protocol, operates at the Host-to-Host layer. This is where reliability, acknowledgments, and error checking take place. UDP, the suite’s connectionless transport protocol, also operates at this layer. IP works at the Internetwork layer. Logical addressing issues and routing are handled at this layer. The suite includes a variety of additional protocols such as FTP, SNMP, SMTP, Telnet, and others that operate at the Application layer. It is important to keep in mind that the Application layer of the DoD model encompasses much more than the layer by the same name in the standard Open Systems Interconnect (OSI) model taught in most computer networking classes. The OSI model uses a seven-layer structure to represent the same communication process: ■ ■ ■ ■ ■ ■ ■

Application Presentation Session Transport Network Data Link Physical

The Data Link layer of the OSI model is further divided into two sublayers: Logical Link Control (LLC) and Media Access Control (MAC). The DoD and OSI models roughly correspond to one another, as shown in Table 13.1. As you can see, the tasks and responsibilities that are broken up into several layers by OSI may all be encompassed in just one layer of the DoD model.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 634

634 Chapter 13 • Windows 2000 TCP/IP Fast Track

Table 13.1 Comparing the DoD and OSI Networking Models DoD Model

OSI Model

Application

Application Presentation Session

Host-to-Host

Transport

Internetwork

Network

Network Interface

Data Link Physical

Microsoft uses its own networking model in the Windows operating systems, which uses what the company refers to as “boundary layers” between the networking component layers. Boundary layers represent open specifications, and component layers are operating-system specific. The Windows networking model consists of the following layers: ■ ■ ■ ■ ■ ■ ■

Application and User Mode Services (component) Application Programming Interface (boundary) File System Drivers (component) Transport Driver Interface (boundary) Network Transport Protocols (component) Network Driver Interface Specification (boundary) NDIS Wrapper/Physical media

The Members of the Suite TCP and IP form the network/transport “stack” that gets the data packets to their destinations on the network. However, the suite that bears their name actually consists of a larger number of protocols operating on different layers of the networking model to perform specific tasks. The included protocols may vary according to vendors’ implementation, but the Windows 2000 TCP/IP suite includes the following: ■ ■ ■ ■ ■ ■

File Transfer Protocol/FTP (Application layer) Simple Network Management Protocol/SNMP (Application layer) Telnet (Application layer) Simple Mail Transfer Protocol/SMTP (Application layer) HyperText Transfer Protocol/HTTP (Application layer) Network News Transfer Protocol/NNTP (Application layer)

91_tcpip_13.qx

2/25/00

11:21 AM

Page 635

Windows 2000 TCP/IP Fast Track • Chapter 13 635 ■ ■ ■ ■

■

■

Transmission Control Protocol/TCP (Transport layer) User Datagram Protocol/UDP (Transport layer) Internet Protocol/IP (Network or Internetwork layer) Address Resolution Protocol and Reverse Address Resolution Protocol/ARP and RARP (Network or Internetwork layer) Internet Message Control Protocol/ICMP (Network or Internetwork layer) Internet Group Management Protocol/IGMP (Network or Internetwork layer)

Windows 2000’s TCP/IP implementation also includes the following command-line utilities for troubleshooting and information gathering: ■ ■ ■ ■ ■ ■ ■

IPCONFIG NETSTAT NBTSTAT NSLOOKUP ROUTE TRACERT PING and PATHPING

Network Design and Planning Issues Proper planning is the key to preventing problems in the future, and taking time to design the network’s physical structure and logical addressing scheme will make implementation and maintenance of the TCP/IP-based network easier in the long run. One excellent troubleshooting tool, which will pay for itself many times over, is the prototype lab, where solutions can be tested before they’re applied to the production network. Another good tactic for rolling out important changes is the use of pilot programs that allow you to apply solutions to small, selected groups before rolling them out across the network.

Design and Setup of a Windows 2000 Network Good network design is a key factor in preventing problems later. Whether building a new network or upgrading an existing one, you should plan for future needs. Some important elements of good network design and planning include:

91_tcpip_13.qx

2/25/00

11:21 AM

Page 636

636 Chapter 13 • Windows 2000 TCP/IP Fast Track ■

■

■

■

Establishing a planning team consisting of members from IT, administrative, and operational divisions of the company. This is important even if you also hire outside consultants to design the network. Planning the hardware configurations and ensuring that equipment is sufficient or can be upgraded to handle the software you will run and to provide the network bandwidth you will need. Planning the physical layout or topology of the network with future expansion in mind. Diagramming the network layout, either manually or with one of many popular software tools, such as Visio.

Special Considerations for Windows 2000 Networks Windows 2000 introduces some new network concepts that will affect your planning and design.

Active Directory Sites As you plan the physical and logical structure of the network, take into account whether you will be dividing the network into Active Directory sites (one or more IP subnets connected by a fast link, defined for replication and authentication optimization).

Active Directory Namespace Consider how you will divide your network into domains, and whether the domains will be based on geographic location, administrative units, or some other factor. Remember that with Windows 2000, domains that share a contiguous namespace (parent and child domains) can be joined in a domain tree, and separate trees can group domains sharing a noncontiguous namespace into a forest. Windows 2000 domains that belong to the same tree or forest enjoy implicit, two-way transitive trusts. Also consider the placement of domain controllers, global catalog servers, operations masters, and other servers with special roles or functions to fulfill.

IP Addressing Scheme Consider whether and how you will subnet the network, using subnet masking to divide the allocated network ID into separate segments joined by routers, to reduce broadcast traffic and organize the flow of data on a large network.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 637

Windows 2000 TCP/IP Fast Track • Chapter 13 637

Determine whether you will need a large block of registered IP addresses for communicating with the “outside” world over the Internet, or whether you will use a Network Address Translation (NAT) or proxy solution to provide your internal computers with Internet access, all using one or a few registered addressees.

Network Design Check List Use the design and planning check list supplied in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network,” or construct your own to meet the unique needs of your company.

Installing and Configuring the TCP/IP Protocol TCP/IP (and other supported network protocols) is installed through the Network and Dialup Connections screen accessible from the Settings submenu on the Start menu in Windows 2000. Once installed, the protocol is configured through the TCP/IP Properties sheet. Required configuration includes one of the following: ■

■

Specification of an IP address and subnet mask, and for a routed network, a default gateway address. Selection of “obtain an IP address automatically,” which requires a DHCP server on the network with available IP addresses to allocate.

Special Considerations when Upgrading from NT 4.0 The Windows 2000 domain structure is considerably different from the NT domain models, and you will usually need fewer domains in a Windows 2000 network. This is because administrative authority can now be delegated to Organizational Units (OUs), so the domain is no longer the smallest administrative boundary.

Upgrading the Single Domain Model In the single domain model, all users log on to the same domain, and all resources are located in that domain. Upgrading the single domain model to Windows 2000 is often relatively easy, especially since Microsoft recommends that,when possible, a Windows 2000 network should be based on one domain.

Upgrading the Single Master Domain Model In an NT network using the single master domain model, one domain is designated as master domain, and all user accounts are located in that domain. Other domains are resource domains, and all resource domains

91_tcpip_13.qx

2/25/00

11:21 AM

Page 638

638 Chapter 13 • Windows 2000 TCP/IP Fast Track

trust the master domain. This is done so that different divisions, departments, or branches can have administrative control over their resources. In a Windows 2000 network, the same thing can be accomplished by using OUs. When transitioning a single master domain network to Windows 2000, resource domains should usually be combined. This can be done either before or after the upgrade.

Upgrading the Multiple Master Domain Model The multiple master model works like the single master model, except that user accounts have been split into two or more domains. This is usually done because the network has grown so large that the limits of the NT domain’s account database have been exceeded. This is not a problem in Windows 2000 networks, because a single domain can handle millions of objects, as compared to the approximately 40,000 allowed in NT domains. For this reason, you will usually be able to collapse the multiple master domains into one, as well as combine some or all of your resource domains.

Upgrading the Complete Trust Model A complete trust model is one in which the network is divided into domains, any or all of which can contain both user accounts and resources, and all of which trust one another. Because of the administrative nightmare it poses for all but the smallest networks, the complete trust model is not often used. Upgrading a network of this type to Windows 2000 requires careful analysis of the reasons the separate domains were created, and whether the same objective can be attained with fewer domains.

Upgrade Tools There are several tools in the NT Resource Kit that will help you in combining domains prior to the upgrade, including: ■ ■ ■

ADDUSERS.EXE NETDOM.EXE NTRIGHTS.EXE

There are also several tools included in the Windows 2000 Resource Kit that will help you combine domains if you choose to wait until after the upgrade to do so: ■ ■

SHOWACCS.EXE SIDWALK.EXE

91_tcpip_13.qx

2/25/00

11:21 AM

Page 639

Windows 2000 TCP/IP Fast Track • Chapter 13 639 ■ ■

Security Migration Manager MOVETREE

Special Considerations when Migrating from NetWare Microsoft has provided the Directory Services Migration Tool to make it easy to migrate from a Novell NetWare-based network to Windows 2000. This tool allows you to transfer user and group accounts, permissions, and files from a NetWare server to the Active Directory. The DSMT replaces the old NetWare conversion utility (NWCONV.EXE) that was used with earlier versions of NT. DSMT works as an MMC snapin. There are also third party utilities available that will automate the migration from NetWare to Windows 2000.

Migration Problems Naming conventions may differ between the NetWare and Windows networks, in which case the data may need to be “fine-tuned.” The DSMT provides several options in moving files and accounts. Ensure that you consider the ramifications of each before making a selection. Network settings, applications, and other information (other than user and group accounts and files) unfortunately cannot be migrated, and will have to be installed or configured from scratch on the new Windows 2000 server.

Special Considerations when Migrating from UNIX There is no upgrade path, nor even a real migration path, provided from UNIX to Windows 2000. You must install the Windows 2000 domain controllers, gather information from your UNIX servers, to be used to recreate accounts on the Windows 2000 servers, and then manually create the accounts, install applications, and implement services such as DNS, DHCP, and so forth. Finally, you can migrate your files to the Windows 2000 machines. You should back up all the important data on the UNIX machines before starting the migration process.

Hybrid Networks Windows 2000 provides numerous features and tools designed to allow the operating system to peacefully coexist with others, such as NetWare and UNIX, in a hybrid network environment. Some of these include:

91_tcpip_13.qx

2/25/00

11:21 AM

Page 640

640 Chapter 13 • Windows 2000 TCP/IP Fast Track ■ ■ ■ ■ ■

Client Services for NetWare (CSNW) Gateway Services for NetWare (GSNW) NWLink (Microsoft’s implementation of the IPX/SPX protocol) File and Print Services for NetWare (FPNW) Microsoft Print Services for UNIX (LPD and LPR services)

SNA (Systems Network Architecture) is a separate software package from Microsoft that can be used to connect Windows PC networks to IBM mainframe networks.

General Troubleshooting Guidelines Troubleshooting TCP/IP and other network problems is made easier if you follow the Ten Commandments of Troubleshooting: 1. Know thy network. 2. Use the tools of the trade. 3. Take it one change at a time. 4. Isolate the problem. 5. Recreate the problem. 6. Don’t overlook the obvious. 7. Try the easy way first. 8. Document what you do. 9. Practice the art of patience. 10. Seek help from others.

Troubleshooting Resources There is a great deal of troubleshooting information for TCP/IP issues in general and for Windows 2000-specific problems. Be sure to take advantage of the following: ■

■

Microsoft documentation, including Help files, the Resource Kits, white papers, TechNet, official newsgroups, and the Microsoft Web site Third-party documentation, including Internet mailing lists, Usenet public newsgroups, Web resources, local user groups, and books and magazines

91_tcpip_13.qx

2/25/00

11:21 AM

Page 641

Windows 2000 TCP/IP Fast Track • Chapter 13 641

Troubleshooting Models Following a set procedure allows you to organize the troubleshooting process and makes it less likely that you will overlook something important along the way. The problem-solving models used by other professions can be applied to network troubleshooting as well, as discussed in the following sections.

Differential Diagnosis Model This model is used in the medical field and consists of the following steps: 1. Examination 2. Diagnosis 3. Treatment 4. Followup These same steps can be used in solving TCP/IP connectivity problems.

SARA Model This model is popular in the criminal justice world, in use by law enforcement agencies practicing community-oriented policing. It includes the following steps: 1. Scanning 2. Analysis 3. Response 4. Assessment Comparing the models, you see that although the terminology differs, the actual steps involve the same processes. Problem-solving basics are the same regardless of the type of problem.

Information-Gathering Tips Gathering information is always one of the first steps in problem solving. In network troubleshooting, as in most areas, this involves asking questions.

Questions to Ask What questions to ask (and of whom) vary according to the situation, but the following can serve as a guideline to get you started: ■

Exactly what task were you trying to perform when the problem occurred?

91_tcpip_13.qx

2/25/00

11:21 AM

Page 642

642 Chapter 13 • Windows 2000 TCP/IP Fast Track ■

■ ■ ■ ■ ■

Were you doing anything else in addition to this primary task at the time? What error message(s), if any, were displayed? Is anyone else on the network experiencing the same problem? Have you ever been able to perform this task on this computer? When was the last time you were able to do so? What changes have occurred since the last time you were able to do so?

Log Files The Windows 2000 log files provide information that may be helpful in troubleshooting. These files are accessed via the Event Viewer, and include the following logs: ■ ■ ■

System log Application log Security log

Organizing Information In order to make a diagnosis or analysis of the information, you must organize it in a logical manner. This means learning to sift through and discard irrelevant information, and looking for patterns in the data. This also means setting priorities according to such factors as who is affected by the problem, how many are affected by the problem, what production activities are affected by the problem, and how often the problem occurs. Solutions, once formulated, should also be prioritized according to cost, time involved, longevity, and long-term effect on performance.

Forms and Check Lists You can devise forms and check lists to guide you through the troubleshooting process in an organized manner, or you can use the ones supplied in Chapter 3, “General Windows 2000 TCP/IP Troubleshooting Guidelines.” Forms are useful in helping you to gather information, and check lists force you to approach problem solving in a methodical, stepby-step way that is more conducive to success.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 643

Windows 2000 TCP/IP Fast Track • Chapter 13 643

Inside TCP/IP The Windows 2000 implementation of TCP/IP supports a large number of Internet standards as outlined in various RFCs. For a list of those documents, see Chapter 4, “Windows 2000 TCP/IP Internals.”

Windows 2000 Enhancements The following are some of the most exciting enhancements Microsoft has made to the TCP/IP stack: ■ ■ ■ ■ ■ ■ ■ ■

Scalable TCP window size and timestamping (RFC 1323) Selective Acknowledgments (RFC 2018) Support for IP over ATM (RFC 1577) TCP fast retransmit Quality of service (QoS) Resource Reservation Protocol (RSVP) IPSec NDIS 5.0 support

Inside IP IP operates at the Internetwork layer and is responsible for routing packets to their destination addresses.

CIDR Support IP in Windows 2000 supports Classless Interdomain Routing (CIDR), which is a way of aggregating routes once designated as class C networks using “supernetting” to create larger networks by “stealing” bits from the network portion of the IP address to allow for more Host IDs. CIDR is useful for the following purposes: ■ ■ ■ ■

Smaller Internet routing tables Less updating of external routes More efficient allocation of address space Increase in number of available (host) Internet addresses

Multihoming A computer that has multiple IP addresses is called a multihomed host. This can be a computer with more than one NIC, or a computer that has multiple IP addresses assigned to one NIC. Windows 2000 supports both types of multihoming.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 644

644 Chapter 13 • Windows 2000 TCP/IP Fast Track

A multihomed computer with two NICs can act as a router, passing transmissions from one subnet to another.

IP Multicasting Multicasting refers to sending data to multiple destinations on the network at the same time, using a single multicast address. Computers are designated as members of a multicast group, and only group members receive the messages. A computer can belong to multiple multicast groups simultaneously. There are two types of multicast groups: permanent and transient. The Internet Group Management Protocol (IGMP) is used to manage multicast membership. The multicast address range consists of the class D addresses 224.0.0.0 through 239.255.255.255. Windows 2000 includes the following utilities that are useful in troubleshooting multicast transmissions: ■ ■ ■ ■

MRINFO NETSH ROUTING IP MIB SHOW MFE NETSH ROUTING IP MIB SHOW MFESTATS NETSH ROUTING IP MIB SHOW JOINS

Duplicate Address Detection In order for computers to communicate on a TCP/IP network, each network interface must have a unique IP address. Windows 2000 uses a “gratuitous ARP broadcast” when a computer comes online to detect whether another computer is already using the IP address it is configured to use. If there is duplication, the second computer with the IP address will not be allowed to use it.

Inside TCP and UDP TCP and UDP are Host-to-Host (Transport) layer protocols. They handle flow control and provide for reliable end-to-end communications.

TCP TCP is a connection-oriented protocol that handles important one-to-one communications such as logons, file and printer sharing, and replication. Windows 2000 TCP includes dead gateway detection, delayed acknowledgments, TCP keep-alives, and avoidance of the Silly Window Syndrome.

UDP UDP is a connectionless protocol used for broadcast transmissions and other situations where guaranteed delivery is not required. UDP doesn’t

91_tcpip_13.qx

2/25/00

11:21 AM

Page 645

Windows 2000 TCP/IP Fast Track • Chapter 13 645

break messages into smaller chunks and reassemble them on the other end as TCP does. UDP is faster than TCP, but less reliable. Both UDP and TCP provide for ports to differentiate between multiple connections using the same IP address.

TCP/IP Registry Settings TCP/IP gets configuration information from the Windows Registry. You can use a Registry Editor to change the behavior of the Windows 2000 TCP/IP stack, but this should be done with caution. See Chapter 4 for a listing of Registry settings that can be changed, and instructions on how to do so.

Network Monitoring Tools Windows 2000 includes various tools and utilities that can be used to verify connectivity, gather information, monitor performance, and even analyze the packets themselves to assist you in troubleshooting your TCP/IP network. These include graphic tools such as Network Monitor, Event Viewer, and the Performance console (also called System Monitor), as well as command-line utilities standard to the TCP/IP suite.

Monitoring Guidelines Monitoring network activity gives you a chance to gather information over a period of time, detect and analyze patterns, and compare changes.

Baselining The first step in any monitoring program is to establish a baseline; this can be described as the process of collecting information about the “patient” (the network) before it gets sick. Gather your baseline information when the network is working properly, so you can use it for comparison purposes when things go wrong.

Documentation Be sure to document everything you do, and keep your documentation orderly and organized. This will assist you in maintaining the network and allow you to quickly and efficiently return to previous measures.

Performance Logs and Alerts The administrative tool formerly known as Performance Monitor, now called the System Monitor or listed simply as “Performance” in the MMC,

91_tcpip_13.qx

2/25/00

11:21 AM

Page 646

646 Chapter 13 • Windows 2000 TCP/IP Fast Track

can be used to obtain real-time data on network performance parameters. This information can be saved in a file for later analysis. The System Monitor can also be configured to alert you when counters reach a specified limit.

Network Monitor The Microsoft Network Monitor is a software protocol analyzer that allows you to capture and analyze traffic on your network. The Network Monitor is a very useful tool for assessing the activity on the network. You can use the tool to collect network data and analyze it on the spot, or save your recording activities for a later time. It allows you to monitor network activity and set triggers for when certain events or data cross the wire, which could be useful if you are looking for certain “key words” in e-mail communications moving through the network. The Network Monitor program allows you to capture only those frames that you are interested in, based on protocol or source or destination computer. You can apply even more detailed and exacting filters to data that you have finished collecting, which allows you to pinpoint the precise elements you might be looking for in the captured data. Network Monitor is not installed by default. If it isn’t installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel. There are two types of filters used by Network Monitor: capture filters and display filters.

Capture Filters The purpose of the capture filter is to limit the frames that are actually saved in the capture buffer. This allows you to make better use of your buffer space, because the limited amount of buffer you have can be devoted to looking at the precise targets of interest. It also reduces the amount of “extraneous” information that could cause you to overlook something important during your investigations. You can filter the capture information in two ways: by machine address pairs, or by a specified pattern in the frames that are examined during the capture sequence.

Display Filters The display filter allows us to look for very specific elements of the captured data and allows for a much more refined filtering than we can accomplish with the capture filter. A display filter can be used as a database search tool, where the capture frames are the data in our database.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 647

Windows 2000 TCP/IP Fast Track • Chapter 13 647

Event Viewer The Event Viewer can be used to check on the status of a number of network services. Windows 2000 systems are configured to report significant fault situations to the event viewer. You should make it a regular practice, perhaps the first thing you do every day, to check out the Event Viewer on all of your primary servers to see if any of the Windows 2000 services running on these servers are reporting error conditions. The Event Log does contain an added feature over what was found in Windows NT: the DNS log. Because of the added importance of DNS in the normal functioning of domain-related activity, Microsoft deemed the DNS service important enough to warrant its own log in the Event Viewer.

TCP/IP Utilities The group of command-line TCP/IP utilities included with Windows 2000 is similar to those available in Windows NT 4.0. We have the familiar set of TCP/IP tools, such as: ■ ■ ■ ■ ■ ■ ■

PING NSLOOKUP TRACERT ARP IPCONFIG NBTSTAT NETSTAT

Each of these basic TCP/IP command-line tools has either the same or enhanced functionality compared to what it could do in Windows NT 4.0. In addition to these tools, Windows 2000 offers some new commandline TCP/IP tools, including PATHPING and NETDIAG. For detailed information on how to use these command-line utilities in troubleshooting TCP/IP problems, see Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000.”

Name Resolution Problems Name resolution problems are one of the most common causes of the inability to connect to another TCP/IP computer on the network. These problems fall into one of two categories: NetBIOS name resolution and host name resolution. In Windows 2000, as in other Windows operating systems, NetBIOS resolution is handled primarily by WINS, the Windows Internet Name

91_tcpip_13.qx

2/25/00

11:21 AM

Page 648

648 Chapter 13 • Windows 2000 TCP/IP Fast Track

Service; and host name resolution is handled by the Domain Name System service, DNS (or its updated incarnation, Dynamic DNS).

WINS and NetBIOS Name Resolution A NetBIOS name server is a computer that maintains a database of NetBIOS names and matching IP addresses. WINS is the best known and most widely used NetBIOS name server. Windows 2000’s implementation of WINS complies with RFC 1001/1002 and contains new features not included in WINS in NT 4.0. Components of network communications that are involved with NetBIOS name resolution include: ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

The TCP/IP protocol stack NetBIOS over TCP/IP (also called NetBT) WINS and DNS servers Broadcasts LMHOSTS and HOSTS files The Browser service The Server and Workstation services My Network Places The “net” commands (net use, net view, net send) The Alerter service

This list can provide a starting point in troubleshooting NetBIOS name resolution problems. To prevent or solve NetBIOS name resolution problems, follow these guidelines: ■ ■

■ ■ ■ ■ ■ ■ ■ ■

Don’t multihome your WINS server(s). Use a WINS proxy agent on network segments that have nonWINS clients. Avoid static records in the WINS database. Define replication partners based on link factors. Avoid split registration. Use the “hub and spoke” model in multisite environments. Configure your DNS servers to resolve NetBIOS names. Don’t multihome the master browser(s). Use manual tombstoning instead of deleting records. Consider all the ramifications before disabling NetBT.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 649

Windows 2000 TCP/IP Fast Track • Chapter 13 649

DNS and Host Name Resolution The NetBIOS namespace is “flat,” but DNS uses a hierarchical (multilevel) namespace. DNS resolves Fully Qualified Domain Names (FQDNs) to IP addresses. These names are in the format myserver.mydomain.com. The Windows 2000 DNS is standards-based and is now capable of dynamic update (hence the new name, Dynamic DNS, or DDNS). DNS is used for resolution of names on the global Internet, and in Windows 2000 has moved to the forefront as the name resolution method of choice for Microsoft networks as well.

Resolving Host Names to IP Addresses DNS clients can resolve a host name to IP address in several ways. The Windows 2000 DNS client service features a caching resolver, which keeps a list of recently resolved host names and IP addresses. If a soughtafter mapping is not there, the client will query a DNS server. If the DNS server can’t resolve the name, the client will go through NetBIOS name resolution sequence and attempt to resolve the name using the WINS server, broadcasts, or LMHOSTS files. There are two basic types of queries: ■ ■

Recursive Iterative

An FQDN includes the host name and the host’s domain membership. A fully qualified query must end with a period, although most applications will automatically include it before sending the request. If the request is unqualified, by default the domain membership of the machine issuing the query will be appended to the request. A list of other domain suffixes can be configured that will be appended to unqualified requests.

Planning the DNS Namespace If a company has both an internal Windows 2000 network and an Internet presence, it can choose to represent the namespace in one of two ways: ■

■

Use the same domain name for the internal and external namespaces Use different domain names for the internal and external namespaces

The first choice requires registration of only one domain name, and provides for more continuity and consistency. However, servers will have

91_tcpip_13.qx

2/25/00

11:21 AM

Page 650

650 Chapter 13 • Windows 2000 TCP/IP Fast Track

to be mirrored internally, and DNS clients will not access external corporate host resources. The second choice eliminates the need to mirror servers and reduces confusion as to what is an external and what is an internal resource. You should, however, register both domain names (although only the external one is actually required to be registered).

Zones The actual domains and hosts are contained in zone files. These database files contain resource records, which track the resources contained in a domain. The Windows 2000 server supports both standard and Active Directory integrated zones. Active Directory integrated zones offer several advantages, including faster and more efficient replication and secure dynamic updates.

Tools Windows 2000 includes a number of tools for investigating problems with the DNS server, including: ■ ■ ■ ■ ■ ■

NSLOOKUP IPCONFIG Event Viewer Network Monitor Trace logging System Monitor (Performance)

IP Addressing Issues The IP address, a 32-bit binary number usually represented as its dotted decimal equivalent, is the basis for “getting it there” in TCP/IP communications. IP addressing errors, or misconfiguration of important addresses such as that of the default gateway or proxy server, are a common source of connectivity problems. IP addresses are logical addresses, assigned by the administrator, and are not to be confused with the more permanent physical address burned into the NIC, the MAC address.

The IP Address An IP address has two parts: one identifies the network, and the other identifies the host (individual computer) on that network. How many bits represent each depends on the subnet mask.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 651

Windows 2000 TCP/IP Fast Track • Chapter 13 651

IP addresses were originally divided into classes based on the size of the networks, as shown in the Table 13.2. Table 13.2 Address Classes Address Class

Number of Networks

Number of Hosts

Default Subnet Mask

Class A

126

16,777,214

255.0.0.0

Class B

16,384

65,534

255.255.0.0

Class C

2,097,152

254

255.255.255.0

The trend now is toward classless addressing, using variable-length subnet masks.

How IP Addresses Are Assigned In a Windows 2000 TCP/IP network, there are two ways in which IP addresses (host addresses) can be assigned: ■

■

Manual address assignment, where an administrator enters the information in the TCP/IP configuration properties sheet of every interface Automatic addressing, which includes DHCP, APIPA, and ICS autoaddressing

Manual assignment is time-consuming and more prone to errors. DHCP requires that there be a DHCP server on the network configured with a block of addresses to allocate. APIPA “self-assigns” an address from a preset range to a computer that can’t find a DHCP server. An ICS host computer that shares its Internet connection can act as a DHCP “allocator” and assign addresses to other computers for purposes of sharing the connection.

ARP The Address Resolution Protocol is used to resolve IP addresses to physical (MAC) addresses. ARP uses broadcasts, and caches the information. You can also add static entries to the ARP cache. You can view the current ARP cache by typing arp –a at the command prompt. Reverse Address Resolution Protocol (RARP) resolves MAC addresses to IP addresses.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 652

652 Chapter 13 • Windows 2000 TCP/IP Fast Track

Common IP Addressing Errors Some of the most common IP addressing errors that affect TCP/IP communications include: ■ ■ ■

Duplicate IP addresses on the network Use of invalid or “illegal” IP addresses DHCP configuration problems

DHCP The Dynamic Host Configuration Protocol (DHCP) server is configured and managed from the MMC. Most configuration problems are at the server end.

DHCP Server Issues DHCP uses scopes of addresses, which are groups of consecutive IP addresses that can be allocated to client computers. The New Scope Wizard is used to define the scope. A scope must have a name, a range of IP addresses, and a subnet mask. You can also exclude certain addresses within the scope from being offered to clients. Superscopes are used when a single physical network segment consists of more than one logical IP subnet, and there are two DHCP servers managing separate subnets on the same network. DHCP lease duration can be set or changed for a scope. The default is eight days. You can reserve addresses for computers that need to always have the same address, such as server machines. There are three types of DHCP options that can be configured: ■ ■ ■

Scope options Client options Class options

The DHCP database files are stored in <systemroot>\System32\DHCP and include four files: dhcp.mdb, dhcp.tmp, j50.log, and j50.chk. You can edit the backup interval at which Windows 2000 backs up the DHCP database. You also must edit the Registry to manually restore the database from backup. See Chapter 8, “Troubleshooting Windows 2000 IP Addressing Problems,” for explicit instructions. Windows 2000 protects against “rogue” (unauthorized) DHCP servers by requiring that Windows 2000 DHCP servers be registered in the Directory, but this does not prevent rogue NT DHCP servers on the network.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 653

Windows 2000 TCP/IP Fast Track • Chapter 13 653

DHCP Client Issues Most client configuration problems are relatively simple. Ensure that you have TCP/IP connectivity with the DHCP server by using PING. Check to see that the client is configured to obtain an IP address automatically. If the client is unable to communicate with other computers and you find it is using an address from the 169.254.0.0 range, this indicates it was unable to contact a DHCP server and assigned itself an address via APIPA. APIPA can be disabled by editing the Registry.

Subnetting Problems Subnetting means dividing a network into two or more parts (smaller networks). You use a subnet mask to designate which bits in the address represent the network, and which represent the host. IP then uses a process called ANDing to determine whether the destination host is local or remote relative to the source host. Subnetting problems (incorrect subnet mask) are common reasons for the inability of TCP/IP computers to connect. Subnetting is a complex topic; for examples and walk-throughs on how to calculate subnet masks for different network classes, see Chapter 8.

Remote Access Connectivity Windows 2000’s Routing and Remote Access service (RRAS) allows you to establish a TCP/IP connection across a wide area link. In many cases, troubleshooting a remote connection is similar to troubleshooting a local connection. However, there are some special considerations. RRAS supports remote access through the traditional dial-up method, or via Virtual Private Networking (VPN).

Remote Access versus Remote Control Remote access is different from remote control. In the latter, you actually “take over the desktop” of a remote computer, controlling it from another location. With remote access, you become another node on the remote network, able to access network resources as you would if your computer were cabled to the network locally. RRAS provides for a Windows 2000 computer to act as both a remote access client and a remote access server. RRAS must be installed and configured properly, and dial-up networking must also be installed and configured if you wish to dial out as a remote client. You can use the New Connection Wizard to set up a dial-up connection.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 654

654 Chapter 13 • Windows 2000 TCP/IP Fast Track

Remote Access Links Remote access requires a physical link of some sort, commonly a telephone line. WAN links vary in type, speed, and cost. Some common technologies include: ■

■

■ ■ ■

Public Switched Telephone Network/PSTN (regular analog phone lines) Integrated Services Digital Network/ISDN (high-speed digital phone lines) Digital Subscriber Line/DSL (higher-speed digital phone lines) T-Carrier/T-1, T-2, T-3 (dedicated leased line) X.25 (packet-switched network)

Remote Access Protocols Remote access protocols work across the WAN link (and are sometimes called WAN protocols) in conjunction with the LAN protocols used by the network to which you are remotely connecting. The LAN protocol is “wrapped” (encapsulated) inside the WAN protocol. The two popular WAN protocols are: ■ ■

Serial Line Internet Protocol (SLIP) Point-to-Point Protocol (PPP)

PPP is more commonly used, as it supports encryption, compression, and automatic IP address assignment by a DHCP server. SLIP is used primarily by some UNIX servers. Windows 2000 can use either SLIP or PPP to dial out, but uses only PPP for dial-in connections. You can enable PPP event logging and use PPP tracing to gather information useful in troubleshooting PPP connections. For instructions on how to do so, see Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.”

RRAS Configuration Problems Configuration problems can stem from either the RRAS server or the remote client.

Server Configuration The first step in troubleshooting the inability to establish a dial-up connection to the remote server is to ensure that the server’s modem or ISDN adapter is working properly, and that the RRAS service is started on the server. You should ensure that the server’s ports are configured for remote access, and that the properties for the LAN protocol being used

91_tcpip_13.qx

2/25/00

11:21 AM

Page 655

Windows 2000 TCP/IP Fast Track • Chapter 13 655

(IP) are configured to allow remote access. Also be sure there are enough IP addresses in the static address pool assigned by RRAS, if this feature is being used by the RRAS server.

Client Configuration First, check physical connections; then ensure that the client is configured to use the correct authentication method for the remote server, and is set to use the same encryption strength as the remote server. Be sure the user account is enabled to allow dial-in access.

Multilink RRAS allows you to aggregate the bandwidth of multiple telephone lines. If you have trouble doing so, you should ensure that your ISDN adapter supports multiple lines or that you have two functional modems, each attached to a separate working telephone line. Then, ensure that the remote access server’s PPP options are configured to support multilink. You can also elect to use Bandwidth Allocation Protocol (BAP) to allow multilink to adapt to changing bandwidth demands.

Network Access If a remote client can access the server, but not the rest of the network, you should ensure that IP routing has been enabled on the server. Check to see that packet filtering has not been configured to block TCP/IP packets, and ensure that the LAN protocol is configured to allow access to the entire network.

Remote Access Policy You can set policies on the RRAS server governing remote access that place conditions and parameters on incoming connections. Policies can be set to limit dial-in to certain days or time of day, connection types, or group memberships, and limits can be set on the duration of the connection. When a user attempts to make a connection, the characteristics of the connection attempt are compared with the authentication information, user dial-in properties, and remote access policies. Access will be denied if the connection attempt doesn’t match any of the remote access policies.

NAT and ICS Internet Connection Sharing (ICS) and Network Address Translation (NAT) allow you to provide Internet access to many computers using only one dial-up connection and registered IP address. ICS is actually a “light” version of NAT. ICS is available on both Windows 2000 Professional and

91_tcpip_13.qx

2/25/00

11:21 AM

Page 656

656 Chapter 13 • Windows 2000 TCP/IP Fast Track

Server computers, but NAT is available only on server products. NAT is more flexible and configurable.

NAT Configuration NAT must be configured for both public and private interfaces, as NAT “translates” private IP addresses used internally on the LAN to one or more public registered IP addresses that are “seen” on the Internet. The public interface connects to the ISP, and the private one to the local network. Some programs will not work through NAT because they use protocols that are not translatable (due to the way the packet headers are constructed). NAT editors are available and included in Windows 2000 for many common protocols such as FTP, ICMP, PPTP, and NetBT. Some protocols, such as HTTP, don’t require a NAT editor. NAT cannot be used with IPSec for host-to-host security.

Virtual Private Networking (VPN) VPNs are a popular solution for creating a secure yet inexpensive way to connect from a remote computer to a LAN across the Internet. Virtual private networking allows you to establish a “tunnel” in which messages are encapsulated and encrypted. Windows 2000 supports two tunneling protocols: ■ ■

Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP)

Troubleshooting VPN connections is similar to troubleshooting other remote connections, with a bit more complexity. Some guidelines include: ■ ■ ■

■

■ ■

■

■

Ensure that RRAS is installed and enabled on the VPN server. Ensure the RRAS service is started on the VPN server. Ensure that PPTP or L2TP ports are enabled for inbound remote access traffic. Ensure that LAN protocols used by the VPN client are enabled on the server. Ensure that all PPTP or L2TP ports are not already in use. Ensure that the VPN client and server are configured with a common authentication method and a common encryption method. Ensure that the user account has the proper dial-in permissions granted. Ensure that remote access policies are not causing a denial of the connection.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 657

Windows 2000 TCP/IP Fast Track • Chapter 13 657

The Network Interface Level Connectivity problems can occur at any layer of the networking model. The network interface level includes physical and data link issues, such as: ■ ■ ■ ■

The network interface card (NIC) NIC drivers Cable and other media Connectivity devices

Connectivity Devices Layer 1 and 2 connectivity devices include repeaters, hubs, switches, and bridges. Each of these serves a different purpose and works in a different way.

Repeaters Repeaters simply connect two segments of cable and boost the signal to extend the network beyond the cable’s normal distance limitations. Repeaters do no filtering or logical division of the network, and pass everything, including noise, from one side to the other.

Hubs Most hubs are multiport repeaters. They connect computers in a star topology. These active hubs boost the signal and then send it back out all ports to all computers. Hubs actually come in several varieties: ■ ■ ■ ■

Passive Do not boost the signal Active Boost the signal Intelligent Contain diagnostic chips for management Switching (also called a switch; see the next section)

Switches Switches, or switching hubs, increase effective network bandwidth. They are multiport devices like hubs, but they send packets only out the port to which the destination computer is attached, based on the MAC address in the header.

Bridges Bridges segment the network, dividing it into two parts. They reduce network traffic by isolating traffic to one side of the bridge, when possible.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 658

658 Chapter 13 • Windows 2000 TCP/IP Fast Track

Bridges determine whether to forward a packet across based on the MAC address and the bridge’s own routing table, which it builds as it “learns” the locations of computers on the network.

The 5-4-3 Rule A standard guideline is that coax Ethernet networks may have no more than five network segments, connected by no more than four repeaters, and no more than three of those segments may be populated by nodes (computers or other network devices).

The 80/20 Rule With bridges, a popular guideline is that 80 percent of the network traffic should be local (same side of the bridge), and 20 percent (or less) should cross the bridge. For best performance, you should ensure that computers that communicate with each other are most often on the same side of the bridge.

Looping Bridge looping is a common problem that can occur if there is more than one active bridge on the network. The Spanning Tree Algorithm was developed as a solution to bridge looping.

The Internetwork Level The Internetwork layer of the DoD model (equivalent to the Network layer in OSI) is responsible for routing. Windows 2000 allows a computer to function as an IP router (also called a gateway) when two network interfaces are installed and RRAS is properly configured for IP forwarding. IP routing involves finding a pathway from the sending computer or forwarding router to the destination computer, whose address is designated in the IP header. The distance from one router to the next is called a hop. There are two types of routing: direct and indirect. Indirect routing refers to routing data to a computer on the same subnet, while indirect routing refers to sending data through a gateway or gateways to a computer on a different subnet. Each TCP/IP computer on a routed network has a designated default gateway to which packets addressed to a destination with a different network ID are sent. Windows 2000 allows you to configure multiple default gateways, but only one is active at a given time. If the first fails, the second is used. The default gateway must be on the same IP subnet as the IP address assigned to the interface.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 659

Windows 2000 TCP/IP Fast Track • Chapter 13 659

A router’s interface can connect to a LAN or a WAN. Each interface must have an IP address with a network ID appropriate for the network on which it is connected.

Routing Tables Each Windows 2000 computer that functions as a router has a routing table. This is a database that contains the routes, designating the network IDs on the internetwork. Host computers can also have routing tables. Three types of routes can be entered in a routing table: ■ ■ ■

Network route Host route Default route

You can make a route persistent across reboots of the system by using the route –p command. To view the routing table, use the route print command, or you can view the table from the GUI using the RRAS management console. The routing table has the following columns: ■ ■ ■ ■ ■

Destination Gateway Interface Metric Protocol

Features of the Windows 2000 Router A Windows 2000 computer running RRAS and providing routing services supports the following features: ■ ■ ■ ■ ■ ■

Multiprotocol routing (IP, IPX, and AppleTalk) Support for standard dynamic routing protocols (RIP and OSPF) Packet filtering Router advertisement and discovery (ICMP) Multicast services (IGMP) Unicast routing

Routing Protocols Routing can be either static or dynamic. Static routing requires manually entering routes into the routing table. Dynamic routing requires special protocols. Windows 2000 supports the following dynamic routing protocols:

91_tcpip_13.qx

2/25/00

11:21 AM

Page 660

660 Chapter 13 • Windows 2000 TCP/IP Fast Track ■ ■ ■

RIPv1 RIPv2 OSPF

RIP Features Windows 2000’s Routing Information Protocol (RIP) supports split horizon, poison reverse, and triggered updates, which are designed to avoid some of RIP’s problems such as routing loops. RIP listening (Silent RIP) is also supported. With Silent RIP, hosts that are not routers themselves can listen to RIP messages sent by other computers and use them to update their tables. Both hosts and gateways can implement RIP. RIP is relatively easy to set up, but has the following disadvantages and problems: ■ ■ ■ ■ ■ ■

Hop count limit of 15 Excessive network traffic caused by RIP broadcasts High convergence time Possibility of routing loops Count-to-infinity problem Rogue RIP routers

RIPv2 supports password authentication so the origin of RIP announcements can be confirmed. RIP is a distance vector protocol.

OSPF Features Open Shortest Path First (OSPF) is a link state protocol. As such, it is efficient and doesn’t require much overhead. The Shortest Path First algorithm is not vulnerable to routing loops. SPF calculates the shortest path between the router and remote networks by creating and maintaining a map of the network, called the Link State Database (LSDB). Windows 2000’s OSPF can be used on a broadcast network like Ethernet, a nonbroadcast network like ATM, or a point-to-point network using a dedicated leased line. OSPF’s routing table structure is hierarchical, unlike RIP’s flat structure.

Areas and Router Classifications OSPF divides the network into areas, which are assigned an area number. There is always a “backbone” area, called Area 0, to which the Area Border Router (ABR) of every other area is connected. An area can consist of one or more networks or subnets. ABRs can summarize their routes, which decreases the need for OSPF to recalculate routes. OSPF routers are classified as:

91_tcpip_13.qx

2/25/00

11:21 AM

Page 661

Windows 2000 TCP/IP Fast Track • Chapter 13 661 ■ ■ ■ ■

ABRs (Area Border Routers) IRs (Internal Routers) BR (The Backbone Router) ASBR (Autonomous System Border Routers)

OSPF Protocols OSPF uses the following protocols: common header protocol, hello protocol, exchange protocol, flooding protocol, and the aging link state record protocol.

OSPF Advantages Although it is more complex and requires more technical expertise to implement, OSPF enjoys the following advantages over RIP: ■ ■ ■ ■ ■ ■ ■ ■

More efficient calculation of routes Faster convergence times Support for load balancing Low bandwidth utilization No routing loops or count-to-infinity problems Hierarchical structure isolates instability within an area More scalable, appropriate for larger networks Secure password authentication for transmission of update messages

Windows 2000 Router Logging You can enable logging to assist in troubleshooting the Windows 2000 router in one of two ways: ■

■

Enable event logging: Writes events to the system log in Event Viewer Enable tracing: Logs to a file

To enable tracing, you must edit the Windows 2000 Registry. For instructions on how to do so, see Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level.”

Selected Services Windows 2000 includes the Internet Information Services (IIS 5.0): Web server, FTP server, NNTP news server, gopher and SMTP mail server. All of these services depend on the TCP/IP suite and are fully integrated with the operating system.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 662

662 Chapter 13 • Windows 2000 TCP/IP Fast Track

Site Logging You can enable site logging to assist with troubleshooting the Web and FTP services. This is done through the IIS management console. There are four types of logging formats from which to choose: ■ ■ ■ ■

W3C Extended Log File Format Logging to an ODBC database NCSA Common Log File Format Microsoft IIS Log Format

WC3 and ODBC logging can be customized, while NCSA and Microsoft IIS formats are fixed (noncustomizable) file formats.

Web Server The Web server is subject to the following common problems: ■

■

■

■

■

■

Connection capacity bottleneck To solve this, you can throttle network bandwidth. CPU utilization bottleneck To solve this, you can enable processor throttling, upgrade the CPU, add additional CPUs (multiprocessing), or move applications that use a great deal of processor time to another computer. Site name resolution problems You can use IPCONFIG and standard name resolution troubleshooting techniques. Inaccessible virtual directories You must add the virtual directory to every individual site. Problems hosting multiple site You must properly configure appended port numbers, assign multiple IP addresses, or configure host headers. Permissions problems Check NTFS permissions, ensure that IIS is not set to deny access to that IP address or domain, and check the user account.

IIS configuration information is stored in the metabase, which is a hierarchical database similar to the Registry. Changes can be made to the metabase using the IIS snap-in to the MMC or the HTML Web-based Internet Services Manager.

FTP Server Most FTP problems are authentication or permissions problems, or connectivity problems. Troubleshoot general network connectivity using PING.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 663

Windows 2000 TCP/IP Fast Track • Chapter 13 663

FTP commands and arguments are all sent together in the same packet, which makes it easy to troubleshoot the service with a protocol analysis tool like Sniffer because you don’t have to reassemble the packets. Ensure that you know how to restart a paused or stopped FTP site. You can do this within the Internet Services MMC or from the command line.

NNTP Server The NNTP service can be monitored using System Monitor (Performance). You can also use Event Viewer’s system log, to which NNTP error messages are written. Common NNTP problems involve network connectivity, or NNTP service availability. Both of these can be checked using standard TCP/IP command-line utilities. For detailed instructions on how to do so, see Chapter 11. Another common source of problems involves security settings. Always check the permissions on the directories where the newsgroup resides, ensure that the IP address or domain has not been restricted, and check to see if SSL is required.

Summary The TCP/IP protocol suite has been around for—in the context of computer technology—a long time. The Windows 2000 operating system is new. Together, they work effectively to provide reliable network communications over networks of all sizes. They also present some unique troubleshooting challenges (also known as opportunities) to the network administrator. Learning to live with (and love) them is more a job requirement than an option; it looks as if both will be around for some time to come.

91_tcpip_13.qx

2/25/00

11:21 AM

Page 664

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 665

Appendix A

TCP/IP Troubleshooting Secrets

Solutions in this chapter: ■

Lesser-Known Shortcuts

■

Under-Documented Features and Functions

■

For Experts Only

665

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 666

666 Appendix A• TCP/IP Troubleshooting Secrets

Lesser-Known Shortcuts The following are some of the lesser-known shortcuts available with Windows 2000.

Finding the Consoles Windows 2000 has a great many preconfigured Management Consoles that you can use right out of the box. Many of these consoles are available to you directly from the Administrative Tools menu, which you can access from the Start menu. However, if you would like to look at some of the “undocumented” consoles available in Windows 2000, you can use the Find command from the Start menu to help your search. Click the Start menu, go to Search, and then click on Files or Folders. From there, type in the “Search for file or folders named” text box the string: *.msc

This will cause the Find utility to search for all the Microsoft Management Consoles on your machine. The number of handy MMCs that Microsoft has included might pleasantly surprise you. If you find them useful, you can create a shortcut on your desktop to any of these consoles you discovered.

Control the Index Server The Index Server that comes with Windows 2000 can be incredibly resourceintensive. If you find that you have frequent spikes of processor activity attributable to the cisvc.exe or cidaemon.exe processes, you might want to wrestle some control over the amount of system resources dedicated to the Index Server. Luckily, Microsoft gives you a way to do this easily. Open the Computer Management console from the Administrative Tools menu. Then expand the Services and Applications node in the left pane, and click on Indexing Service. First you need to stop the Index Server by rightclicking the Indexing Service node and selecting Stop. After you have stopped the Index Server, right-click it again, trace down to All Tasks, and then over to click Tune Performance. You’ll see the dialog box displayed in Figure A.1. From this dialog box, you can configure how much of the system’s resources you want to dedicate to the Index Server Processes. The default is “Used often, but not dedicated to this service.” If you find that the service is used only occasionally, but you still want to avail yourself of the Index Server services periodically, choose the “Used occasionally” option button.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 667

TCP/IP Troubleshooting Secrets • Appendix A 667

Figure A.1 The Indexing Service Usage properties dialog box.

Windows 2000 Telnet Client and Server In Windows NT 4.0, you could easily access the Telnet Client from the Accessories menu in the Start menu. If you try to find the Telnet Client in the same way in Windows 2000, you’ll be sadly disappointed. In order to access the Telnet Client in Windows 2000, you must type telnet at the Run command or command prompt. You will see a screen similar to Figure A.2. Figure A.2 The Windows 2000 Telnet Client application.

The Telnet Client is now entirely character-based. You no longer have the comfort of the nice GUI interface provided with the Telnet Client that was included with Windows NT 4.0. To configure the Telnet Client’s

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 668

668 Appendix A• TCP/IP Troubleshooting Secrets

behavior, type ? at the Telnet command prompt. You should see output similar to the following: Commands may be abbreviated. Supported commands are: close display open quit set status unset

close current connection display operating parameters connect to a site exit telnet set options (type 'set ?' for a list) print status information unset options (type 'unset ?' for a list)

?/help

print help information

In order to get more control over the appearance of your Telnet windows, you can include some “set” options. To find out what your set options are, type set ? at the Telnet command prompt. You should see something similar to the following: Microsoft Telnet> set ? NTLM LOCAL_ECHO TERM x CRLF

Turn ON NTLM Authentication. Turn ON LOCAL_ECHO. (where x is ANSI, VT100, VT52, or VTNT) Send both CR and LF

By using the “set” options, you can configure such properties as: ■ ■ ■

The terminal emulation type Whether you want to use NTLM authentication Whether the terminal windows should echo the characters that you type.

TIP If you find that you don’t care much for the command-line interface, you can always copy the telnet.exe program from a Windows NT 4.0 computer to your Windows 2000 machine and use the GUI interface.

Telnet Server There was no Telnet Server available “out of the box” for Windows NT 4.0. There was a Telnet Server available with the Windows NT 4.0 Resource Kit, although it was somewhat difficult to implement and was not always very reliable. Windows 2000 includes a Telnet Server right out of the box, which is a tremendous boon to administrators who wish to use command-line processes to execute instructions to remote machines.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 669

TCP/IP Troubleshooting Secrets • Appendix A 669

To access the Windows 2000 Telnet Server, go to the Administrative Tools menu, and click Telnet Server Administration. You should see a screen similar to Figure A.3. Figure A.3 The Telnet Server Administration command window.

From here, you can configure the Telnet Server settings. The ones that you’ll be most concerned with will be related to displaying and changing the Registry settings that determine how the Telnet Server functions. If you select option 3 from this list, you will see a screen similar to Figure A.4. Figure A.4 The Telnet Server Registry settings options.

What do all these options mean? Open the Windows 2000 Help and search for Telnet. You will find the meanings and the configuration options for all settings there.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 670

670 Appendix A• TCP/IP Troubleshooting Secrets

Under-Documented Features and Functions Here are several under-documented features and functions available in Windows 2000.

The FTP Command Set Have you ever wanted to be able to use the command-line FTP program like the pros do, but had no idea what the command set was? Table A.1 shows a list of the most useful commands you can execute from the Windows 2000 command-line FTP program. Table A.1 Command-Line FTP Program Commands Command

Action

!

Run the command on the local computer rather than on the FTP Server.

ASCII

Sets the file transfer type to ASCII, which is the default.

Bell

The computer will make a sound after a file transfer command is completed.

Binary

Sets the file transfer type to binary for binary file transfers such as program files.

Bye

This ends the FTP session.

CD

Changes your directory location on the FTP Server.

Debug

Causes the screen to print detailed information about the commands sent to and from the FTP Server.

Delete

Deletes files on the FTP Server.

Dir

Shows a listing of the Directories on the FTP Server.

Get

Copies a file on the FTP Server to your computer.

Glob

Allows you to GET groups (globs) of files using wildcard characters.

Lcd

Changes the directory where files will be downloaded on the local machine.

Ls

Lists files and directories on the FTP Server.

Mget

GETS multiple files from the FTP Server.

Mput

Copies multiple files from the local machine to the FTP Server.

Open

Connects to a specified FTP Server.

Put

Copies local files to the FTP Server. Continued

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 671

TCP/IP Troubleshooting Secrets • Appendix A 671

Command

Action

Prompt

When multiple files are being transferred, prompt will cause the system to prompt you for your wish to download subsequent files. This is turned on by default.

Status

Informs you of the current status of FTP connections and toggled options.

Type

Sets or displays the file transfer type.

Verbose

Gives you detailed information about all FTP commands executed during the session.

The nslookup Utility One of the most useful utilities you have is the nslookup command. Traditionally, however, Windows NT network administrators have not had very much training in how to use the utility. You can use nslookup to troubleshoot problems with host name resolution, and to investigate problems with the DNS server itself, such as absent records in the zone database file. There may be times when you are not at a machine that has the DNS Console available, but you still need to know the contents of the zone database file to troubleshoot a host name resolution problem. In that case, you can still access the entries in the zone database by using the nslookup command. First, start nslookup in interactive mode. Remember that interactive mode allows you to stay in the nslookup command context until you type exit from the nslookup command prompt. Then type ? to see the available commands. In order to see all the entries in the zone of interest, type the command: ls –d tacteam.net.

Replace the zone name with your own. What you will see is a list of all the entries in the zone of interest. If you want to see only a list of CNAME records for the domain, type: ls –a tacteam.net.

again replacing the zone name with the one that you’re interested in. You can use the –t [Record Type] command to list only those records you are interested in. For example, if you only wanted to see the NS records for the zone, you could type: ls -t NS tacteam.net.

and a list of all the NS records would be returned.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 672

672 Appendix A• TCP/IP Troubleshooting Secrets

Take some time to acquaint yourself with the nslookup command. You will find it a faithful ally in solving many of your DNS-related problems.

Using ipconfig Switches You have undoubtedly run into the ipconfig command and some of its new features. The ipconfig command now allows you to set and show the class IDs available to DHCP clients on your Windows 2000 network. The Windows 2000 DHCP service allows you to use class IDs that the DHCP client sends to the DHCP server to let it know that it is a member of a “class,” either a “user class” or a “vendor class.”

NOTE The user classes are those that you can create yourself, and the vendor classes are implemented by vendors of specific hardware and software.

The trick is, how do you actually implement these class IDs? If you look at the online help for the ipconfig command, you see the following: C:\>ipconfig /? Windows 2000 IP Configuration

USAGE: ipconfig [/? | /all | /release [adapter] | /renew [adapter] | /flushdns | /registerdns | /showclassid adapter | /setclassid adapter [classidtoset] ] adapter

Full name or pattern with '*' and '?' to 'match', * matches any character, ? matches one character.

Options /? /all /release /renew /flushdns /registerdns /displaydns

Display this help message. Display full configuration information. Release the IP address for the specified adapter. Renew the IP address for the specified adapter. Purges the DNS Resolver cache. Refreshes all DHCP leases and re-registers DNS names Display the contents of the DNS Resolver Cache.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 673

TCP/IP Troubleshooting Secrets • Appendix A 673 /showclassid Displays all the dhcp class IDs allowed for adapter. /setclassid Modifies the dhcp class id. The default is to display only the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. For Release and Renew, if no adapter name is specified, then the IP address leases for all adapters bound to TCP/IP will be released or renewed. For SetClassID, if no class id is specified, then the classid is removed.

To see the available class IDs, you can use the showclassid switch. Notice that the command must include the adapter name. Now, how do you know your adapter name? You could use the ipconfig command with the /all switch and see something like the following: C:\>ipconfig /all Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : EXETER Primary DNS Suffix . . . . . . . : tacteam.net Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : Yes WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : blah.com wins.tacteam.net Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-T) Physical Address. . . . . . . . . : 00-50-04-70-EC-D3 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 192.168.1.186 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.16 DNS Servers . . . . . . . . . . . : 192.168.1.185 192.168.1.16 Primary WINS Server . . . . . . . : 192.168.1.185

Looking at this example, what do you think the adapter name is? If you guessed 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-T), you’re wrong! The actual adapter name is Local Area Connection. So, what do you think you would get if you typed ipconfig /showclassid Local Area Connection? You would get an error message! That is because you

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 674

674 Appendix A• TCP/IP Troubleshooting Secrets

need to put the phrase “Local Area Connection” in quotation marks. This is certainly tricky. If that sounds like a big pain to you, one thing you can do to simplify using the adapter name in commands like this is to rename your adapter. To rename your adapter, all you have to do is right-click on My Network Places, click the Properties command, and then right-click the Local Area Connection icon and choose the Rename command. Make it something simple, all one word like “3Com,” and then you won’t have to worry about using quotation marks or remembering and mistyping long character strings. Now, when I type the command ipconfig /showclassid 3Com, we see the following: C:\>ipconfig /showclassid 3Com Windows 2000 IP Configuration DHCP Class ID for Adapter "3Com": DHCP ClassID Name . . . . . . . . : Microsoft Dynamic BOOTP Class DHCP ClassID Description to dynamic BOOTP clients

. . . . : User class for options specific

You can use the new adapter name when setting class IDs for your DHCP clients as well. For more information on how to create and use user and vendor class IDs, check out Managing Windows 2000 Network Services published by Syngress Media.

For Experts Only Here are some of the more advanced features of Windows 2000.

The Future of IP Communications As we enter the twenty-first century, the ways we communicate continue to change. Technologies once dreamed of only by science fiction writers are becoming reality—and many of those technologies are based on IP.

IP Telephony One exciting development is IP telephony, which offers simultaneous voice, video, and data transmission over the Internet or the local network.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 675

TCP/IP Troubleshooting Secrets • Appendix A 675

IP telephony will work over a variety of physical media: analog telephone lines, ISDN, DSL, coax and UTP, T-carrier and satellite. Now, instead of building separate, expensive networks to handle voice, data, and video traffic, all can travel over a common transport: IP. This makes for lower cost, better manageability, and better integration. Applications include distance learning, telecommuting, videoconferencing, and more.

TAPI 3.0 and H.323 Windows 2000 supports the Telephony API (TAPI) version 3.0, which provides for H.323 conferencing and multicast conferencing, and uses Active Directory and QoS support to improve both the transmission quality and administrative functionality. H.323 is an ITU (International Telecommunications Union) standard for multimedia communications over connectionless networks that don’t provide guaranteed QoS (such as the Internet and other IP networks). TAPI 3.0 evolves the features of its predecessor, TAPI 2.1, into the COM model, so that applications can be written in C, C++, VB, or other languages. The TAPI 3.0 API is implemented as a suite of five COM objects: ■

■ ■

■

■

The TAPI object, representing all telephony resources the computer can access An address object, representing the origin or destination of a call A terminal object, representing the hardware (telephone or microphone) or a file or other device capable of receiving input or creating output The call object, representing an address’s connection between the local address and one or more addresses The callhub object, representing a set of related calls

Telephony and Active Directory What’s the role of the Active Directory in all this? Well, a problem with H.323 telephony over dial-up connections has been the fact that a user’s IP address can change between H.323 sessions. But now there’s a solution: TAPI uses the Active Directory to perform user-to-IP address resolution by storing mapping information via the Internet Locator Service (ILS), one of Active Directory’s components. This information is dynamically updated. This is just one way in which Windows 2000 makes high-end communications more feasible than ever before.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 676

676 Appendix A• TCP/IP Troubleshooting Secrets

Planning the Transition to IPv6 IPv6 is the “next generation” of IP; hence, its other moniker, IPng. Version 6 was designed to address some of the problems of the current IPv4 (we can presume that IP, like giving birth to twins, skips a generation) and inherits the role of Internet protocol of choice. The replacement is not occurring as quickly as predicted. This is due to many factors, perhaps in part to the reluctance of old net admins to learn new tricks—or new protocols. Will you have to forget everything you knew about IP to implement this “new fangled” version? Absolutely not! IPv6 builds on the characteristics of IPv4 and retains many of its familiar features. Of course, there will be many changes as well. What can you do to prepare for the inevitable transition?

How Is IPv6 Different? Some of IPv6’s capabilities have been incorporated into IPv4, and others will represent a significant change from “IP as we know it.” A few mandatory functions of the new IP, according to RFC 2460, are: ■ ■ ■ ■ ■ ■

Expanded addressing (from a 32-bit to a 128-bit address space) Auto configuration capability Better security Flow labeling for real-time communications Better support for extensions Simplified header format

IPv6 addresses are categorized as unicast, multicast, or anycast. The first two will be familiar to you; the last identifies a group of hosts, but a packet addressed to an anycast address will be sent to only one of the group (usually the group member nearest the sender).

The Scary Part Now for the scary part: What does an IPv6 address look like? When we speak of a 128-bit address, we may envision a monstrous number. Well, here is a typical IPv6 address: 0243:0000:0000:0001:4323:4355:0022:7667

Pretty scary, right? The address is divided into eight 16-bit integers separated by colons, with each integer having four hexadecimal bits. So, do you have to deal with long, difficult-to-remember addresses like this all the time? (No wonder the world has been slow in adopting IPv6!) Actually, there are some conventions that allow you to shorten the address to a (more) manageable length:

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 677

TCP/IP Troubleshooting Secrets • Appendix A 677 ■

■

Leading zeros can be skipped (so the first and third integers in the preceding example could be expressed as 243 and 1, respectively). Consecutive fields of all zeros can be replaced by a double colon (for instance, the second and third integers in our example).

This means the foregoing address could be expressed as: 243::1:4323:22:7667

That’s a little better—although the nostalgic among us are likely to miss good old 192.168.1.1 for a long time.

How to Prepare for the Transition Because the switch to IPv6 will not happen overnight, it is important that Internet nodes and company networks maintain IPv4 compatibility even while making the transition to IPv6. RFC 1933 lays out transition mechanisms to help accomplish this. These include: ■

■

IPv6/IPv4 nodes These dual nodes are capable of transmitting and receiving both types of packets. IPv6 over IPv4 Tunneling The IPv6 packets are encapsulated inside IPv4 packets in order to be sent across the IPv4 network.

For more information on IPv6, see RFCs 2373 (IPv6 Addressing Architecture), 2460 (IPv6 Specifications), and 1933 (Transition Mechanisms for IPv6 Hosts and Routers).

Securing IP: IPSec IPSec is a new encryption technology included with Windows 2000. One of the great advantages of using IPSec as part of your security solution is that applications do not need to be aware of IPSec for them to work. This sets it apart from encryption technologies and methodologies such as SSL, PCT, or PGP, where the application must be written specifically to take advantage of the security technology. IPSec is considered a Layer 3 encryption technology because it encrypts information as it moves through the Network layer of the OSI model. Because it works directly at the Network layer, its activities are completely transparent to users and user applications.

End-to-End Security Another advantage of IPSec is that it can provide “end-to-end” security for communicating machines. Unlike the type of security provided by Link layer encryption schemes such as MS-CHAP (that only protect the link, but not all the links along the path), IPSec protects data every step of the

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 678

678 Appendix A• TCP/IP Troubleshooting Secrets

way from the source to the destination machine. No device along that path needs to be aware of IPSec in order for it to work.

IPSec Functions IPSec provides three primary functions in the realm of security depending on how you implement it: Authentication, Integrity, and Confidentiality. ■

■

■

Authentication refers to being assured that the source is indeed who it claims to be, and not someone who has intervened in the conversation. Integrity assures that the message that is received at the destination computer is indeed the message that was sent from the source computer. Confidentiality assures that if a communication is intercepted anywhere along the path from source to destination, it will not be readable by the person who intercepted it.

Security Troubleshooting IPSec is particularly useful in the context of TCP/IP security troubleshooting, because many processes are not encrypted when they move across the wire. For example, when you use nslookup to obtain the contents of the zone database file, that information moves through the network in clear text, and is easily captured by anyone who has a protocol analyzer plugged into the network. When users log on to an FTP server, their passwords are sent over the wire unencrypted, and when SNMP Agents and Management Stations interface, their messages are also sent over the wire in clear text. IPSec can offer an elegant solution to provide security for these otherwise insecure processes. The two main implementations of IPSec are either to provide end-toend security within a single site, or to provide highly secure communications between security gateways at both ends of two sites.

Tunnel Mode In the latter situation, IPSec is combined with LT2P and works in what is known as “tunnel mode,” functioning in a fashion similar to that found with PPTP. In this case, the information is not secured until its reaches the security gateway; at that point, IPSec protects it. The information continues to be protected by IPSec as it moves through the Internet. When it reaches the destination security gateway, the IPSec header is removed, and the data is passed to the destination computer’s internal network with IPSec protection.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 679

TCP/IP Troubleshooting Secrets • Appendix A 679

IPSec and NAT A major limitation of IPSec is that it cannot work on networks that depend on Network Address Translation (NAT). Security negotiations required by IPSec cannot pass through a network address translator. This is because there is a phase in the establishment of secure “keys” known as the “Internet Key Exchange” (IKE) that contain IP addresses that cannot be changed by NAT. This is because the addresses themselves are encrypted, or because changing the information en route would break the integrity of the message and therefore would be considered invalid from IPSec’s viewpoint.

91_tcpip_app.A.qx

2/25/00

11:22 AM

Page 680

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 681

INDEX -d switch, 226 -ds switch, 381 -i switch, 221 -n switch, 220, 235 -p switch, 233 -r switch, 220–221 -s switch, 233 -t switch, 220 -w switch, 221, 226 5-4-3 rule, 519, 531–532, 658 6to4 protocol, 13–14 10Base2 network, 519, 531 10Base5 Ethernet network, 517 10Base5 network, 519, 531 10BaseT, 519 80/2 rule, 658 100BaseT network, 515 322Network Interface Card (NIC). See also SRINIC.

A ABR. See Area Border Router. Access control methods, 26–27 Access (Microsoft), 606 ACK. See Acknowledgment request. Acknowledgment request (ACK), 22, 141, 142, 147, 425, 440, 461. See also Delayed ACKs; Duplicate ACKs; Dynamic Host Control Protocol; Negative acknowledgment. message, 151 timer. See Delayed-ACK timer. Acknowledgments. See Delayed acknowledgments.

Active Directory (AD), 73, 89, 444, 675 enabled services, optimization, 59 integrated zones, 366–369, 650 integration, advantages, 367–369 namespace, 636 planning, 62 replication, optimization, 58–59 sites, 57, 636 definition, 56–59 planning, 62 Active Directory Replication Engine, 366 Active hubs, 30, 532, 657 problems, 532 Active Server Page (ASP), 600 ActiveX scripts, 116 AD. See Active Directory. Address Resolution Protocol (ARP), 34, 42, 48, 93, 136, 219, 227–228, 400, 416, 651 broadcast, 172, 452 frame, 205 cache, 418 entries. See Static ARP cache entries. timeout change, 180 clients, 154 entries. See Dynamic ARP entries. function, explanation, 415–417 message, 418 retries, number change, 180 usage, 227, 647 Addresses. See Class A; Class B; Class C; Duplicate MAC addresses; Internet

Protocol addresses; Multiple IP addresses; Reserved addresses. assignment. See Manual address assignment. class, determination, 405–408 detection. See Duplicate address detection. inefficient usage. See Dynamic Host Control Protocol. pairs, filtering, 208–212 pools, 428–429 problems, 429–430 problems. See Hardware. usage, 410 computer location, 421–422 Addressing scheme, planning, 60–61 ADDUSERS.EXE, 74 ADSL. See Asymmetric Digital Subscriber Line. Advanced Encryption Standard (AES), 160 Advanced Research Projects Agency (ARPA), 6 ARPAnet / ARPANET, 7, 564, 565 Advanced Research Projects Agency (ARPAnet), 7–8 AES. See Advanced Encryption Standard. Agent software, installation, 244–249 Aggregator, 521 Aging Link State Records protocol, 570 AH. See Authentication Header. AIX (IBM), 82 Alerter service, 312 681

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 682

682 Index Alerts, 196–198. See also Performance. Amplifiers, difference. See Repeaters. Analog lines, 476 Analog signaling, 32 Analysis, 189–190 ANDing, 451–452 ANSI, 341 API. See Application Programming Interface. APIPA. See Automatic Private IP Addressing. AppleTalk, 32, 514, 553, 659 AppleTalk Remote Access Protocol (ARAP), 484 Application component, 35–36 layer, 18–19, 34 protocols, 38–41 log, 117, 642 programs, incompatibility, 500–501 support, summary, 77–78 Application Programming Interface (API), 34, 542. See also Win32 API. boundary layer, 36–37 Application-to-application dialogs, 20 ARAP. See AppleTalk Remote Access Protocol. ARCnet, 32 Area Border Router (ABR), 568, 569, 590, 660, 661 Area classifications, 660–661 Area ID, 590 ARP. See Address Resolution Protocol. ARPA. See Advanced Research Projects Agency. AS/400, 3 ASAPI, 611

ASBR. See Autonomous System Border Router. ASCII, 215, 326 characters, 341 set, 340 file, 607, 608 protocol, 40 translation, 206 ASP. See Active Server Page. AsyBEUI. See Asynchronous NetBEUI. Asymmetric Digital Subscriber Line (ADSL), 477, 503 Asynchronous NetBEUI (AsyBEUI), 484 Asynchronous Transfer Mode (ATM), 10, 38, 139, 472, 566, 632, 643, 660 addresses, 154 networks, 153 ATM. See Asynchronous Transfer Mode. Attenuation, 30, 515 ATU-R, 477 Authentication, 485, 678 information, 496 Authentication Header (AH), 159, 160, 162, 183 header, 163 Auto configuration capability, 676 Autoaddressing. See Automatic Private IP Addressing; Internet Connection Sharing. Automatic addressing, 446–448 Automatic Private IP Addressing (APIPA), 398, 400, 412, 443, 446–448, 461, 462, 651 addresses, 494 autoaddressing, 411–413 disabling process, 447–448

Autonomous System Border Router (ASBR), 569, 597, 661 AUX/BNC bridge, 524 Availability, 476–478 AXFR query, 362

B B-Node, 266–267 Backbone Router (BR), 569, 661 Backing up, 189. See also Windows Internet Name Service. Backup Domain Controller (BDC), 58, 253 Bandwidth aggregation, inability. See Multiple telephone lines. utilization, 570 Bandwidth Allocation Protocol (BAP), 493, 506, 655 BAP. See Bandwidth Allocation Protocol. Baseband, 31 Baselining, 188–189, 645 Basic Rate ISDN (BRI), 475, 476 BDC. See Backup Domain Controller. BDR, 590 Bellman-Ford algorithm, 564 Berkeley Internet Name Domain (BIND), 362 BIND-based DNS, 83 BIND-based servers, 373 DNS server, 374, 396 Secondaries, 378 servers, 374, 396 WINS/WINS-R incompatibility, 377–379 BIGSERVER, 123–125 Binary language, 401–403

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 683

Index 683 BIND. See Berkeley Internet Name Domain. Bitwise ANDing, 451 BNC barrel connectors, 517 BNC bridge. See AUX/BNC bridge. BOOTP, 436 class, 437 Boundary layer, 34. See also Network Driver Interface Specification. BR. See Backbone Router. BRI. See Basic Rate ISDN. Bridges, 4, 29, 657–658. See also Transparent bridges. advantages/ disadvantages, 525 definition. See Translation bridge. latency, 533 looping, 533–536 performance problems, 533–536 problems, 532–537 switch advantages, 522 usage. See Network. process/reason, 523–525 Broadcast, 263, 268, 307, 329 network, OSPF usage, 566 packets, 559 traffic, 259 Broken policy links, 161–162 Brouters, usage process/reason, 529 Browser service, 299–302 function, explanation, 299–300 Buffers, 143, 202–204, 511

C Cable, 29, 443, 494, 657. See also Local Area Network.

length issues, 515–516 media, problems, 514–516 specifications. See Network. Caching resolver, 329–331 Callback, 485 Canonical NAME (CNAME), 352, 367, 394–395, 671 Capture filters, 207, 212, 646 window panes, 200 Captures. See Filtered captures. Carrier Sense Multiple Access Collision Avoidance (CSMA/CA), 26 Carrier Sense Multiple Access Collision Detection (CSMA/CD), 31, 32 Central Processing Unit (CPU), utilization bottlenecks, 610–611, 662 CGI, 611 Channel addressing, 483 Character-mode applications, 40 Character set. See Extended character set. Check lists, 642 Checklists, usage, 128–131 Checkpointing, 20 CIDR. See Classless InterDomain Routing. Class A addresses, 405–406 network, subnet masking, 452–455 Class B addresses, 406 network, subnet masking, 455–457 Class C addresses, 406–407 networks, 166

subnet masking, 457–458 Class D addresses, 170, 407 Class E addresses, 407–408 Class options, 437, 652 Classless Inter-Domain Routing (CIDR), 12, 137, 138, 166–167, 399, 460 support, 643 Client Services for NetWare (CSNW), 85, 640 Clients. See Internet Protocol addresses. configuration, 655 information, 444 problems, 443–444, 494–496 IP address, 606 options, 437, 652 CNAME. See Canonical NAME. Collision domains, 521 Comma-delimited text format, 117 Command-line utility, 171 Common header protocol, 569 Complete trust, 72–73 model, upgrade, 638 Computer, location. See Addresses. Concentrator, 521 Confidentiality, 678 Congestion collapse, 152 Connection-oriented protocol, 644 Connection-oriented services, 22–23 Connection-oriented transmission, 153 Connectionless communication, 186 Connectionless services, 23–24 Connections. See Persistent connections.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 684

684 Index capacity bottleneck, 609–610, 662 cleanliness, 475 exceeded limit, 620–621 sharing solutions, usage. See Network. speed, increase, 475 time-out, 620 unacceptability, 617–619 Connectivity devices, 517, 529, 540, 657–658 role. See Network. selection, 537 understanding. See Layer 1 connectivity devices; Layer 2 connectivity devices; Upperlayer connectivity devices. problems, 109, 532 troubleshooting. See Virtual Private Networking; Windows 2000. Connectors, 29 Contention methods, 26 Convergence, 570 problems, 562 time, 286–288, 660 Corporate mergers, 345–349 problem, 346–347 solution, 347–348 testing, 348–349 Corrective measures, 127 Count-to-infinity, 563 problems, 570, 660 Counters, 192–195 CPU. See Central Processing Unit. CRC. See Cyclical Redundancy Check. Crystal Reports, 250 CSMA/CA. See Carrier Sense Multiple Access Collision Avoidance. CSMA/CD. See Carrier Sense Multiple Access Collision Detection.

CSNW. See Client Services for NetWare. Cut-through mode, 522–523 CYA, 97 Cyclical Redundancy Check (CRC), 485

D Daemons, 83 Data collection, 204–207 Data Encryption Standard (DES), data encryption, 159–160 Data Link layer, 18, 25–29, 398, 399, 486, 510, 633 devices, 28–29 Data Source Name (DSN), 606 Data transfer, increase, 475 Database. See Windows Internet Name Service (WINS). scavenging, 289–290 searches, 290 synchronization, 277 Datagrams, 22, 166 DC. See Domain Controller. DDNS. See Dynamic DNS. Dead gateway detection, 173 enabling/disabling, 180 Dedicated zone setup. See Windows Internet Name Service. Deep Crack, 160 Default documents, 629 Default gateway, 181, 185, 459, 547–549 Default masks, 403, 404 Default routes, 550, 577 Default subnet mask, 452 Default Time To Live (TTL), change, 180 Delayed-ACK timer, 146 Delayed acknowledgments (ACKs), 173 Delegation learning. See Zones.

problems, troubleshooting, 370–371 Delimited text file, 189 Demand-dial link, 581 Department of Defense (DoD), 4, 48 model, 14, 33–34, 49, 172, 184, 658 Network Interface layer, 510 networking model, 8, 632, 633 role. See Transmission Control Protocol/Internet Protocol. TCP/IP model, 16 DES. See Data Encryption Standard. Designated Router (DR), 566, 590, 593 Destination IP address, 173 Destination network ID, 577 DHCP. See Dynamic Host Control Protocol. DhcpDefaultGateway, 182 DhcpIPAddress, 182 Dial-in connections, 482 Dial-up access, 467 Dial-up connection, 486 Differential diagnosis model, 108–110, 641 dig, 83 Digital Subscriber Line (DSL), 12, 31, 466. See also Asymmetric Digital Subscriber Line; High Digital Subscriber Line; Integrated Services Digital Network; Symmetric Digital Subscriber Line; Veryhigh Digital Subscriber Line. connections, troubleshooting, 478 technology, 472, 473

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 685

Index 685 understanding, 477–478 Direct routing, 545–546 Directory Services Migration Tool (DSMT), 79, 639 usage, 80–82 Directory Synchronization Services (MDSS), 86 Discrete state technology, 31 Display filters, 213–216, 646 Distance, limitations, 478 Distance vector algorithms, link state algorithm difference, 564–565 DLL. See Dynamic Link Library. DNS. See Domain Name System. DnsUpdateProxy group, domain controllers, 369 Documentation, 96–97, 189, 645. See also Microsoft documentation; Thirdparty documentation. DoD. See Department of Defense. Domain Controller (DC), 54. See also Backup Domain Controller; Primary Domain Controller. placement, 61 Domain Master Browser, 299, 308, 312 machine, 301 role, 300 Domain Name System (DNS), 137, 322–329, 600, 649–650. See also Berkeley Internet Name Domain; Dynamic DNS. cache, 229, 230 clients, 321, 326, 334, 348 configuration

errors, 95 settings, examinations, 292–293 DNS-related problems, 229 domain name, 438 entry, 253 environments, problems. See Heterogeneous DNS environments. hostname, 23 log, 219 lookup, 293 namespace, planning, 649–650 Notify, 361 queries, 293, 295, 335–336, 344, 348 sending, 332–335 traffic, 330 resolution, enabling, 269 round robin, 611 security, 371–373 server, 14, 96, 116, 168, 223, 232, 266, 307, 311, 332–335, 648, 649, 671. See also Internal DNS servers; Internet; Intranet; Preferred DNS server; Primary DNS server; Secondary DNS server. configuration, 290–292, 311 interactions, 290–296 settings, 96 suffixes, appending, 337–338 tools, 650 topology. See Multimaster DNS topology. trace logs, 386–387 zones, 350, 366. See also Multiple DNS zones.

databases, separation, 343–344 design/troubleshooti ng, 350–371 problems. See Integrated DNS zones. Domain Name System (DNS) problems, 84 troubleshooting, 317, 372 FAQs, 394–396 implementation problems, 342–350 Domain Registrars, 326 Domain-related activities, 318 Domains, 68, 321–322. See also Collision domains; Multiple master domain; Resource domains; Root domain; Secondlevel domains; Single domain; Single master domain; Subdomains. combination, 73–75 controllers. See DnsUpdateProxy group. levels, 323–324 management, 345–349 membership, determination, 293–294 models. See Windows NT. name, 649. See also Fully Qualified Domain Name; Internet; Intranet domain name. usage advantages. See External domain names; Internal domain names. naming schemes, 342–350 tree, 324

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 686

686 Index DOS applications, 75–76 Dotted decimal, 400, 401 Dotted quad, 400 DR. See Designated Router. Drivers issues. See Network Interface Card. updating, 512–514 DSL. See Digital Subscriber Line. DSMT. See Directory Services Migration Tool. DSN. See Data Source Name. DTE/DCE interface, 483 Duplicate ACKs, 155 Duplicate address detection, 644 Duplicate IP addresses, 420–422 detection, 171–172 Duplicate MAC addresses, 448 Dynamic ARP entries, 416 Dynamic DNS (DDNS), 60, 287, 319, 338, 600 server troubleshooting issues, 371–380 tools, 380–390 Dynamic Host Control Protocol (DHCP), 117, 182, 276, 379–380, 400, 410–411, 652–653 acknowledgment, 425 addresses, inefficient usage, 434–435 allocator, 499 clients, 369, 423, 445 computer, 229 issues, 653 configuration problems, 423–425 database, 218, 440–443, 462 DHCPServer, 216 function, explanation, 423–425

interaction, 137 leases, 229, 232, 432 offer, 424 options, 436–437 configuration process, 437–439 problems, 425–446 programs, 83 queries, 294 request, 424–425 scope, 464 servers, 14, 24, 61, 66, 168, 171, 368, 369, 637, 651. See also Rogue DHCP servers; Unauthorized DHCP servers. address, 67 issues, 652 monitoring, 439–440 service, 218 service, 118, 242 Dynamic Link Library (DLL), 36, 114 Dynamic router, 555 Dynamic routing, 25, 659 protocols, 165, 544, 558–570

E E-mail gateway, 19–20 EFF. See Electronic Frontier Foundation. EGP. See Exterior Gateway Protocol. Electronic Frontier Foundation (EFF), 160 EnableDhcp, 181 EnableFileTracing REG_DWORD 1, 488 Encapsulated data, 17 Encapsulating Security Payload (ESP), 159, 162 packets, 163 transmissions, 163 Encapsulation, 482 understanding, 486–487

Encryption. See Data Encryption Standard; Internet Protocol Security. End-to-end error checking, 483 End-to-end security, 677–678 End-user problems, 617 Enriched service, 16 Error-checking capabilities/duties, 22, 483 Error messages, 114, 421 interpretation, 217–218 ESP. See Encapsulating Security Payload. Ethernet, 30, 32, 38, 153, 514, 523 cable, 94 card, 399 hub, 519 networks, 29, 144, 399, 539, 658. See also 10Base5 Ethernet network. protocols, 386 Event logging, 595 enabling. See Point-toPoint Protocol. Event Viewer, 117, 216–219, 382–383, 421, 440, 608, 642, 647 console tree, 121 log files usage, 121–122 usage. See Internet Protocol Security; Network News Transfer Protocol. evntwin.exe, 248 Exchange protocol, 570 Extended character set, 342 Exterior Gateway Protocol (EGP), 558 External domain names, usage advantages, 345 Extinction Interval, 290, 303

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 687

Index 687

F Family name, 321–322 Fast retransmit. See Transmission Control Protocol. Fast transfer, 362–363 FAT filesystem, 75 FDDI, 38 File and Print Services for NetWare (FPNW), 85, 640 File system drivers, 37, 634 File Transfer Protocol (FTP), 137, 600, 610, 627, 633, 656, 678 hosting, 628 servers, 602 site, 605, 611, 619, 620 File Transport Protocol (FTP), 39, 40, 48, 500 command set, 670–671 problems, troubleshooting, 617–621 Server, 192, 661–663 FileDirectory REG_EXPAND_SZ, 488 Filtered captures, 207–216 Filtering, 199. See also Address pairs. Filters. See Display filters. Flat namespace, hierarchical namespace difference, 319–320 Flooding protocol, 570 Flow control, 21 function explanation, 147–148 Flow labeling, 676 Ford-Fulkerson algorithm, 564 Forms, 642 usage, 128–131 Forward lookup, 363 usage. See Windows Internet Name Service. Forwarders, 372–373

FPNW. See File and Print Services for NetWare. FQDN. See Fully Qualified Domain Name. Frame Relay, 38, 472, 595 FTP. See File Transfer Protocol; File Transport Protocol. Full duplex, 20 Fully Qualified Domain Name (FQDN), 265, 311, 324–329, 336, 339, 343, 392, 417, 612 name, 332 resolution, 649

G Gateway Services for NetWare (GSNW), 20, 85, 640 Gateways, 19, 49, 658. See also Default gateway; Multiple default gateways; Multiple gateways. address, 25, 548, 577 configuration, 547–549 detection. See Dead gateway detection. Gateways, usage process/reason, 530 GC. See Global Catalog. General Quality of Service (GQOS), 156, 157 Global Catalog (GC), 58 Gopher, 661 GOSIP. See Government OSI Profile. Government OSI Profile (GOSIP), 9 GQOS. See General Quality of Service. Graphical User Interface (GUI), 181, 550, 659 interface, 667 utility, 247 Group Policy settings, 120 GSNW. See Gateway Services for NetWare.

GUI. See Graphical User Interface.

H H-Node, 268–270 H.323, 675 Half duplex, 20 Handshake, 141. See also Three-way handshake. Hard link, definition, 77 Hardware address problems, 448 assessment, 62 configurations, planning, 53–54 vendors, 128 Hardware Compatibility List (HCL), 54, 511, 577 HCL. See Hardware Compatibility List. HDLC. See High-level Data link Control. HDSL. See High Digital Symmetric Line. Header format, 676 Header protocol. See Common header protocol. Hello protocol, 569 Help files, 100–101 Heterogeneous DNS environments, problems, 294–296 Hierarchical namespace, difference. See Flat namespace. Hierarchical naming system, 322–324 Hierarchical routing structure. See Open Shortest Path First. High Digital Symmetric Line (HDSL), 477 High-level Data link Control (HDLC), 137 Hop, 544, 593 Hop count, 287 Host header names, 613–614

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 688

688 Index Host IDs, 11, 423, 450–456, 458, 461, 526, 615, 643 assignation process. See Network. Host names characteristics, 321 difference. See Network Basic Input Output System. resolution, 329–339, 649–650 WINS lookups, usage, 338–339 Host route, 550 Host-to-Host layer, 34, 165, 644 Hosting problems. See Multiple sites. HOSTS, 265, 268, 329. See also LMHOSTS. file, 239, 382, 648 usage, 331–332 resolution, enabling, 269–270 HP/UX (Hewlett-Packard), 82 HTML. See HyperText Markup Language. HTTP. See HyperText Transfer Protocol. Hubs, 29, 30, 284, 311, 657. See also Active hubs; Ethernet; Intelligent hubs; Passive hubs; Smart hubs; Switching. difference. See Repeaters. model, 314–315, 648 usage. See Multisite environments. problems, 531 switches, advantages, 521–522 topology, 283 types, 520–521 usage, process/reason, 517–525 WINS server, 283 Hybrid networks, 639–640

environment, 84–86 HyperText Markup Language (HTML), 616, 662 HyperText Transfer Protocol (HTTP), 41, 500 GET command, 607 status, 606

I IANA. See Internet Assigned Numbers Authority. IAS. See Internet Authentication Service. IBM mainframe networks, interoperability, 86 ICMP. See Internet Control Message Protocol. ICS. See Internet Connection Sharing. IDSL. See Integrated Services Digital Network. IEEE. See Institute of Electrical and Electronics Engineers. IETF. See Internet Engineering Task Force. IGMP. See Internet Group Management Protocol. IGP. See Interior Gateway Protocol. IIS. See Internet Information Service. IKE. See Internet Key Exchange. ILS. See Internet Locator Service. IMAP, 41 Implementation. See Network; Rollout. order. See Problem isolation phase. in-addr.arpa domain, 364 Index server, control, 666–667 Indirect routing, 546–547

Information analysis/organization, 123–125 organization, 642 query, request, 362 Information gathering phase, 112–122 questions/question format, 112–116 tips, 641–642 Information Technology (IT) advice, 6–7, 13–14, 77, 159–160, 277, 418–419, 483, 535–536, 564–565 department, 73 Installation, 199 difficulties, 476 Institute of Electrical and Electronics Engineers (IEEE), 55, 531 802 standards, 32–33 802.2, 32 802.3, 32 802.5, 32, 137 802.7, 33 802.8, 33 802.11, 33 Integrated DNS zones, problems, 366–367 Integrated Services Digital Network (ISDN), 38, 466, 472, 473, 654. See also Basic Rate ISDN; Primary Rate ISDN. adapter, 492 advantages, 475 channels, 492 connections, troubleshooting, 476–478 disadvantages, 476 DSL (IDSL), 477 terminal adapter, 474 understanding, 474–476 Integrated zones. See Active Directory. Integrity, 678

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 689

Index 689 check, 340–342 Intelligent hubs, 31, 532, 657 problems, 532 Interfaces. See Routing. layer. See Network. Interior Gateway Protocol (IGP), 558, 564 Internal DNS servers, 372 Internal domain names, usage advantages, 345 Internal Router (IR), 569, 661 Internal secured communications, failure, 161 International Organization for Standardization (ISO), 55 Development Environment (ISODE), 10 OSI model, 16–33 Internet, 7–8, 418–420 connection, UNC usage, 335–336 connectivity, 11 discussion group, 99 DNS servers, 346 domain name, 343–349 intruders, 371–373 mailing lists, 105–106 standards, 139–140 Internet Assigned Numbers Authority (IANA), 185, 408, 412 Internet Authentication Service (IAS), 242 Internet Connection Sharing (ICS), 398, 412–413, 466, 655–656 autoaddressing, 400, 411–413 host, 425 NAT, difference, 498 Internet Control Message Protocol (ICMP), 43, 136, 157, 165, 500, 656, 659 Browser, 192

echo messages, 219, 221, 223 reply, 224 requests, 225 router discovery, usage, 574 Internet Engineering Task Force (IETF), 10, 632 Internet Group Management Protocol (IGMP), 43, 169, 281, 644, 659 Internet Information Service (IIS), 242, 600–626 Global, 192 log format, 605, 608, 662 management console, 625 metabase, 616–617 performance problems, 609–611 properties, changing, 616–617 Internet Key Exchange (IKE), 679 Internet Locator Service (ILS), 675 Internet Packet eXchange (IPX), 52, 553, 659 traffic, 165 Internet Packet eXchange/Sequenced Packet eXchange (IPX/SPX), 79, 80, 467 stack, 2 Internet Protocol (IP), 42, 136, 643–644. See also Routing Information Protocol; Serial Line Internet Protocol; Windows 2000. communications future, 674 usage. See Nonrouted network; Routed network.

forwarding, 528 IP over ATM, 153–154, 643 IP-to-MAC address mapping, 448 market/marketplace, 12–13 multicasting, 169–170; 644 troubleshooting, 171 next generation, 11 packet filtering, 161 router, 167 Windows 2000 usage, 570–576 routing, 544–553 configuration. See Windows 2000. telephony, 674–675 tricking, 452 Internet Protocol (IP) addresses, 167, 246, 418–419, 650–651. See also Destination IP address; Duplicate IP addresses; Invalid IP addresses; Logical IP addresses; Multiple IP addresses; Routers. assignation process, explanation, 651 autoconfiguration, enabling, 181 clients, usage, 443 configuration, 232 detection. See Duplicate IP address detection. entries, 324 mapping, 263, 291 multiple clients, usage, 444 representation, 400–403 resolution, 649 saturation, 11–12 usage process. See Network. Internet Protocol (IP) addressing, 52. See also Automatic private IP addressing.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 690

690 Index configuration errors, 420–448 errors, 650, 652 function, explanation, 399–413 issues, 650–653 problem troubleshooting FAQs, 463–464 problems, 397 scheme, 60, 62, 636–637 Internet Protocol next generation (IPng), 10, 11, 632 Internet Protocol Security (IPSec), 139, 158–164, 183, 501, 643, 656, 677–679 configuration, 160–161 encryption, usage, 250 functions, 678 missing files, 163 monitor, usage, 162 options, 159–160 problem troubleshooting Event Viewer usage, 162–163 Network Monitor, usage, 163 purpose, 158–159 troubleshooting, 161–164 usage, 158–159. See also Performance. Internet Protocol version 4 (IPv4), 157 nodes, 677 Internet Protocol version 6 (IPv6), 4, 10–14, 157 difference, 676 IPv6 over IPv4 tunneling, 677 nodes, 677 transition planning, 676–677 preparation, 677 Internet Service Providers (ISPs), 8, 13, 19, 106, 359, 466, 476, 499

connection, 113 Internet Society (ISOC), 7 Internetnetwork level, troubleshooting. See Windows 2000. Internetwork layer, 414 Internetworking layer, 34 level, 658–661 Internetworking Operating System (IOS), 9 Interoperabilitiy problems, 376 Interoperability. See IBM mainframe networks; NetWare; UNIX. Intranet, 343 DNS server, 346, 347 Intranet domain name, 343–349 Invalid IP addresses, 422–423, 443 Inverse lookups, 364 IOS. See Internetworking Operating System. IP over ATM. See Internet Protocol. IPAddress, 181 IPAutoconfiguration Address, 181 IPCONFIG, 43, 48, 188, 219, 478, 578, 612, 635, 647, 662 ipconfig, 228–232, 252, 382, 398 switches, usage, 672–674 IPEnableRouterBackup, 181 IPng. See Internet Protocol next generation. IPSec. See Internet Protocol Security. IPv6. See Internet Protocol version 6. IPX. See Internet Packet eXchange. IPX/SPX. See Internet Packet eXchange/Sequenced Packet eXchange.

IR. See Internal Router. ISAKMP/Oakley, 159, 162 ISDN. See Integrated Services Digital Network. ISO. See International Organization for Standardization. ISOC. See Internet Society. ISODE. See International Organization for Standardization. ISPs. See Internet Service Providers. IT. See Information Technology. ITU, 25 IXFR query, 362

J Java scripts, 116

K Keep-alives. See Transmission Control Protocol. Knowledge Base, 128 Knowledge level, 113

L L2TP. See Layer 2 Tunneling Protocol. Label, 325 LAN. See Local Area Network. LANE. See Local Area Network. Latency. See Bridges. Layer 1 connectivity devices troubleshooting, 531–532 understanding, 517–525 Layer 2 connectivity devices troubleshooting, 531–532

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 691

Index 691 understanding, 517–525 Layer 2 Tunneling Protocol (L2TP), 158, 466, 467, 502, 656, 678 Layer 3 switches, usage process/reason, 530 Layered models, usage reasons, 15–16 Layout. See Network; Physical layout. LCP. See Link Control Protocol. Leaf object, 324 Lease duration, 431–433, 435 renewal process, 433–435 traffic, increase, 434 Link. See Wide Area Network. factors. See Replication partners. header, 18 state algorithms, difference. See Distance vector algorithms. Link Control Protocol (LCP), 485, 493 Link State Database (LSDB), 660 Linux distribution, 3 LLC. See Logical Link Control. LMHOSTS, 263–265, 268, 276, 329 files, 307, 391, 648, 649 resolution, enabling, 269–270 Load balancing, support, 570 Local Area Network (LAN), 2, 153, 268, 422, 536, 549. See also Private LAN; Virtual Local Area Network. adapter, 486 cable, 468

connections, 269, 283, 553 Emulation (LANE), 154 environment, 45 failure, 161 protocols, 5, 485, 654–656 testers, 514 Log. See Application log; Domain Name System; Security; System log. files, 117–122, 602–608, 642 format, 196, 604–608. See also NCSA; World Wide Web Consortium. usage. See Event Viewer. format. See Internet Information Services. tools, 122 Logging, problems, 608 Logical addresses, 27, 399, 415–417 Logical IP addresses, physical MAC address comparison, 399–400 Logical Link Control (LLC), 25, 32, 633 sublayer, 26, 28 Logon authentication, optimization, 58 Lookup zones. See Reverse lookup zones. Loopback address, 11 Looping, 658. See also Bridges. Loose consistency, 367 Lowercase only, usage, 342 LSDB. See Link State Database.

M M-Node, 267–268 MAC. See Media Access Control.

Mail carrier map, 415–417 Mail eXchanger (MX), 352, 354 Mailing lists. See Internet. Management Information Base (MIB), 39, 137, 242, 244, 644 Manual address assignment, 409–410 Manual tombstoning, 302–304 usage, 312 Mappings. See Static mappings. Masking. See Subnet masking. Masks. See Default masks; Subnets; Variable length subnet masks. making, 452–458 Master Browser, 298, 302, 308. See also Domain Master Browser. multihoming, 311–312 role. See Domains. Master domain, 69. See also Multiple master domain; Single master domain. MAU. See Multistation Access Unit. Maximum physical router diameter, 579 Maximum Segment Size (MSS), 144, 147 Maximum Transmission Unit (MTU), 144, 181 MCSE, 302 MDSS. See Directory Synchronization Services. Media Access Control (MAC), 633 addresses, 204, 211, 227, 229, 259, 415–418, 450, 529, 533, 536, 650. See also Duplicate MAC addresses; Physical MAC addresses.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 692

692 Index comparison. See Logical IP addresses. table, 523 addressing, 27–28 device drivers, 38 sublayer, 25, 26 Metabase, 616, 662. See also Internet Information Services. MIB. See Management Information Base. Microsoft documentation, 99–105 Microsoft Management Console (MMC), 80, 426–428, 435, 579, 609, 645, 663. See also Routing and Remote Access Service. Microsoft Point to Point Encryption (MPPE), 466 Migration. See Windows 2000. problems, 82 Mission-critical work, 45 Mixed-mode domain, 123 MMC. See Microsoft Management Console. Modem-pooling equipment, 506 Monitoring guidelines, 188–190 tools. See Windows 2000. usage. See Network. MOVETREE, 74 MPPE. See Microsoft Point to Point Encryption. mrinfo, 171 MSAU. See Multistation Access Unit. MSS. See Maximum Segment Size. MTU. See Maximum Transmission Unit. Multicast address, 644 range, 170

forwarding, enabling, 181 group. See Permanent multicast group; Transient multicast group. routing, 554 Multicast Forwarding Table, 171 Multicasting. See Internet Protocol. Multihomed computers problems, 163–164 WINS usage, 274–275 Multihomed host, 643 Multihomed masters, 299–302 problem, solving. See Windows 2000. problems, 300–301 Multihomed name registration, 274 Multihoming, 167–169; 643–644. See also Master browsers; Windows Internet Name Service. problems, 168–169 Multilink, 655 Multimaster DNS topology, 366 Multiphase implementation, usage. See Routing Information Protocol. Multiple default gateways, 169 Multiple DHCP servers, 445–446 Multiple DNS zones, 339 Multiple gateways, 547 Multiple IP addresses, 613 Multiple master domain, 71 model, upgrade, 638 Multiple sites, hosting problems, 662 Multiple telephone lines, bandwidth aggregation inability, 492–493 Multiport repeaters, 657

Multisite environments, hub/spoke model usage, 311 Multistation Access Unit (MSAU / MAU), 26, 521 Multitasking, 93–94 MX. See Mail eXchange.

N Name cache. See Network Basic Input Output System. Name resolution, 331–332, 622. See also Network Basic Input Output System; Unqualified names. problems, 647–650 troubleshooting. See Windows 2000. sequence, 329–332 service, 258–271 value, 321 Name Server (NS), 352, 353 Namespace. See Flat namespace. planning, 59–60. See also Active Directory; Domain Name System. Naming conventions, 339–342. See also Universal Naming Convention. issues, 339–342 schemes. See Domains. system. See Hierarchical naming system. NAT. See Network Address Translation. National Institute of Standards and Technology (NIST), 160 National Science Foundation (NSF), 8 NSFnet, 8 NBMA. See Nonbroadcast Multiple Access.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 693

Index 693 NBTSTAT, 44, 219, 635, 647 nbtstat, 233–238, 252 NCP. See Netware Core Protocol. NCP Block, 20 NCSA, common log file format, 603, 607–608, 662 NDIS. See Network Driver Interface Specification. NDS, 80, 82 tree metrics, 81 Negative acknowledgment (NACK), 425, 430, 440, 461, 463 Net ID, 450–455, 457 Net send command, 213 Net view command, 335 NetBEUI, 52, 125, 467, 525, 529 NetBIOS. See Network Basic Input Output System. NetBT, 167, 260, 307, 656 disabling ramifications, 312–313 NETDIAG, 219, 647 netdiag, 238–242, 252 usage, 239–242 NETDOM.EXE, 74 NetMon, 122 NETSH. See Netshell. netsh routing ip mib show joins, 171 netsh routing ip mib show mfe, 171 netsh routing ip mib show mfestats, 171 Netshell (NETSH) utility, usage, 574–576, 581 NETSTAT, 44, 48, 219, 635, 647 netstat, 233–238, 252 NetWare. See Gateway Services for NetWare; Novell NetWare. implementation, understanding. See Transmission

Control Protocol/Internet Protocol. interoperability, 84–86 migration. See Windows 2000. considerations, 639 protocol support, 85 server, 85 Netware Core Protocol (NCP), 530 NetWare Loadable Module (NLM), 80 Network. See Point-topoint network. access, 655 inability, 494 analysis, 111 assessment, 112 cable specifications, 514–515 cards, 29 communications, IP address usage process, 414–420 connection sharing solutions, usage, 499 connectivity devices, role, 516–530 design, 44–46. See also Transmission Control Protocol/Internet Protocol. checklist, 62 design/setup. See Windows 2000. diagnosis, 109 dividing, reasons, 449–450 environment. See Hybrid networks. examination, 108–109 follow-up, 109 host IDs, assignation process, 408–413 IDs, 11, 166, 365, 407, 461, 545–548, 615, 636, 659

assignation process, 408 usage. See Search. knowledge, 92–93 layer, 24–25 protocols, 42–43 layout, diagramming, 55–56 linkage, RAS usage, 168 management programs, 250–251 media, 30 problems, 514–516 monitoring FAQs, 252–255 guidelines, 645 problems, 536–537 tools, 645–647 usage, 187 performance, 233 physical layout plan, 62 pilot programs, 45–46 planning, 44. See also Transmission Control Protocol/Internet Protocol. prototyping, 44–45 response, 111–112 rollout, 46 route, 550 scanning, 110–111 slowdown, 434 testing/implementation, 44 topologies. See Windows Internet Name Service. traffic reduction, 367 bridges, usage, 523–524 treatment, 109 Network Address Translation (NAT), 13, 14, 347, 348, 413, 419, 466, 655–656, 679 configuration, 656 problems, 498–501

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 694

694 Index difference. See Internet Connection Sharing. editors, 506–507 problems, troubleshooting, 498–501 Network Basic Input Output System (NetBIOS), 24, 35–36, 167, 186, 252, 502, 647 communication problems, troubleshooting, 306–308 name, 291, 292 resolution, 264 Name Query Requests, 309 NetBIOS-based program, 305 node type, 438 Remote Name Cache, 329 resolution, order, 266–270 traffic, 449 usage. See Transmission Control Protocol/Internet Protocol. Network Basic Input Output System (NetBIOS) names, 197, 201, 204, 210, 295 cache, 261–263 host names, difference, 319–322 query request, 273–274 registration, 271–273 release, 274–275 resolution, 258–261, 311, 648 FAQs, 313–315 problems, troubleshooting. See Windows 2000.

Windows 2000 methods, 261–266 Network Control Protocol, 7 Network Driver Interface Specification (NDIS), 34, 183, 634, 643 boundary layer, 38 version 5.0, 164–165 wrapper, 38 Network interface layer, 34. See also Department of Defense. level, 657–658 troubleshooting. See Windows 2000. Network Interface Card (NIC), 29, 30, 108, 164, 165, 167, 178, 336, 443, 494, 521, 539, 542, 643 address, 448, 650 configuration, 510–514 driver issues, 512–514, 657 physical address, 415 replacement, 228, 471 role, 511 types, 511 Network Monitor, 188, 198–216, 383–386, 609, 646 Agent, 202, 255 software, 251 tools, 200–202 usage, 199–200. See also Internet Protocol Security; Point-to-Point Protocol. Network News Transfer Protocol (NNTP), 41, 600, 618, 661 Commands, 192 problems, 622–626 security settings, 624–626 Server, 192

server, 663 problems, troubleshooting, 621–626 service availability, 622–624 troubleshooting, event viewer usage, 621–622 virtual server, 625 Network Transport Protocol Component, 38 Networking layers, 16–33 models, 14–38. See also Windows 2000. TCP/IP usage, 633–634 services, 318 subsystems, 240 Newsgroups, 104–105. See also Usenet newsgroups. NIC. See Network Interface Card. NIST. See National Institute of Standards and Technology. NLM. See NetWare Loadable Module. NNTP. See Network News Transfer Protocol. Noise-to-bandwidth ratios, 106 Non-Microsoft DNS servers, 294 Non-WINS clients, 266, 276, 277 segments, WINS proxy agent usage, 310 Non-WINS-enabled machine, 275 Nonbroadcast Multiple Access (NBMA), 595 Nonbroadcast network, 595 OSPF usage, 566–567 Nonperipheral routers, 577, 578

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 695

Index 695 Nonrouted network, IP communications usage, 417–418 NOS, 44 Notify. See Domain Name System. Novell NetWare, 78–82 NS. See Name Server. NSF. See National Science Foundation. NSLOOKUP, 44, 219, 635, 647 nslookup, 223, 380–382 utility, 671–672 NTFS, 37, 662 NTLM authentication, 668 NTManage, 251 NTRIGHTS.EXE, 74 Null modem cable, 30 NWLink, 467, 510, 640

O ODBC-compliant database, 606 ODBC database, 605, 662 required fields, 606 ODBC logging properties, 603 Open Shortest Path First (OSPF), 165, 494, 527, 553, 555, 558, 563–570 advantages, 570, 661 areas, 568 features, 66–661 hierarchical routing structure, 567–568 protocols, 661 usage, 569–570 routers, 572, 590 classifications, 569 routes, problems, 590 troubleshooting, 590 usage. See Broadcast; Nonbroadcast network; Point-topoint network. Open standards, 15 Open Systems Interconnection (OSI), 2, 510, 632. See also

Government OSI Profile. model, 14, 28, 33, 40–42, 172, 398, 516, 525, 535, 633. See also International Organization for Standardization. purpose, 15–16 protocol suite, 3, 8–10 Operating systems, 434, 512 implementation, 46 Organizational Unit (OU), 637 OS/2 application support. See Windows 2000. OSI. See Open Systems Interconnection. OSPF. See Open Shortest Path First. OU. See Organizational Unit. Out-of-range addresses, 460 Ownership disputes, 368–369

P P-Node, 267 Packet Assembly/ Disassembly (PAD), 483 Packet filtering, 655, 659 Packet INternet Groper (PING), 44, 93, 188, 219–222, 252, 307, 478, 576, 578, 622, 635, 662. See also PATHPING. command, 627 usage, 221–222, 586, 647 Packet-switched network, 6–7 PAD. See Packet Assembly/ Disassembly. Parallel format, 511

Partner autodiscovery. See Windows Internet Name Service. Partnerships. See Pull partnership; Push partnership. agreements, 278–281 Passive hubs, 30, 532, 657 problems, 532 PATHPING, 44, 188, 223–224, 252, 254, 576, 635, 647 PCT, 677 PDC. See Primary Domain Controller. Peer-to-peer networks, 499 Performance, 127, 387–390. See also Tasks. alerts, 190–198, 645–646 extensions, 140–152 logs, 190–198, 645–646 problems. See Internet Information Services. slowdown, IPSec usage, 164 Performance Monitor, 190 Permanent multicast group, 169 Permanent Virtual Circuit (PVC), 7 Permissions problems, 662 Persistent connections, 302 PGP. See Pretty Good Privacy. Physical addresses, 399, 415–417 determination, 436 Physical layer, 29–33, 514 devices, 29–31 Physical layout, planning, 54–55. See also Network. Physical MAC addresses, 436, 651 comparison. See Logical IP addresses.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 696

696 Index Physical topologies, 32 PING. See Packet INternet Groper. Plain Old Telephone System (POTS), 472–474, 476 Planning. See Active Directory; Addressing scheme; Hardware configurations; Namespace; Network; Physical layout; Rollout; Sites. team, 53, 62 Point-to-point network, OSPF usage, 567 Point-to-Point Protocol (PPP), 137, 482, 484–485, 654 analysis, Network Monitor usage, 487 connection, 485 configuration, 485 loss, troubleshooting, 485 troubleshooting tools, 487–489 event logging, enabling, 487 tracing, enabling, 487–489 Point-to-Point Tunneling Protocol (PPTP), 38, 158, 466, 467, 500, 502, 656, 678 PoinTer Record (PTR), 364–366 Poison reverse, 559 Policy links. See Broken policy links. Polling methods, 27 POP3, 41, 628 Port numbers, 21–22 appending, 613 Portable Operating System Interface (POSIX) application support. See Windows 2000. POSIX. See Windows 2000.

POTS. See Plain Old Telephone System. PPP. See Point-to-Point Protocol. PPTP. See Point-to-Point Tunneling Protocol. Preferred DNS server, 375 Premigration issues, 80 Presentation layer, 19–20 Pretty Good Privacy (PGP), 677 PRI. See Primary Rate ISDN. Primary DNS server, 359, 361, 362, 371 Primary Domain Controller (PDC), 58, 253, 297 Emulator, 299, 300, 308 Primary WINS server, 282, 296, 297 Private addresses, public address comparison, 413–414 Private LAN, 467 Private network, 413 Problem isolation, 94 phase, 122–127 implementation order, 127 priorities, setting, 125–127 Problems examination, 95–96 experience, 114–115 occurrence, 113 prioritization, 126 re-creation, 95 Process layer, 34 Promiscuous mode, 198 Protocol. See Aging Link State Records protocol; Common header protocol; Exchange protocol; Flooding protocol; Hello protocol. analyzer, 133 configuration, 485

installation process, 63–66 usage. See Open Shortest Path First. Prototyping, 44. See Network. Proxy agents. See Windows Internet Name Service. configuration, 345 server, 343, 466, 614 ProxyUpdate, 395 PSTN. See Public Switched Telephone Network. PTR. See PoinTer Record. Public addresses comparison. See Private addresses. range, 500 Public Switched Telephone Network (PSTN), 6, 466, 654 connections, 472–474, 481 Pull partnerships, 283–288 Push partnerships, 283–288 PVC. See Permanent Virtual Circuit.

Q QoS. See Quality of Service. Qualified names, unqualified name difference, 336–338 Quality of Service (QoS), 139, 153, 156–157, 643, 675. See also General Quality of Service. Admission Control Services, 242 guarantees, 154 support, 675 Query request. See Network Basic Input Output System name.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 697

Index 697

R RARP. See Reverse Address Resolution Protocol. RAS. See Remote Access Service. Record life cycle. See Windows Internet Name Service. Redirector service, 307 Referral answers, 333 Referral zone, 296 Refresh interval, 360–361 REG_BINARY, 180 REG_DWORD, 179, 181, 268 Regedit, 177 REG_EXPAND_SZ, 179 Registry, 442, 585 editing tools, usage, 176–178 entry, 443 new value, creation, 179–180 settings, 669. See also Transmission Control Protocol/Internet Protocol. editing, 181–182 usage. See Transmission Control Protocol/Internet Protocol. values. See Transmission Control Protocol/Internet Protocol. Registry Editor, 616, 617 REG_MULTI_SZ, 179 REG_SZ, 180 Remote access configuration problems, troubleshooting, 489–497 connectivity, 653–656 function, explanation, 468–469

links, 654 protocols, 482–485, 654 remote control, contrast, 468–470, 653 server connection, inability, 503 problems, 489–494 troubleshooting. See Windows 2000 TCP/IP. types, 467–470 Remote access connection establishment, 470–482 inability, 489–492 software needs, 470–471 Remote access policy, 655 problems determination, 497 troubleshooting, 496–497 Remote Access Service (RAS), 117 client, 481 overview, 467–489 Port, 192 secured communications, failure, 161 usage. See Network. Remote connection, establishment inability, 494–496 Remote control contrast. See Remote access. function, explanation, 469–470 Remote Procedure Call (RPC), 35–37 Remote router administration, 572–573 Remote subnet, 418–420 Repeaters, 4, 29–31, 657. See also Multiport repeaters.

amplifiers/hubs, differences, 518–519 problems, 531 usage. See Troubleshooting. process/reason, 517–521 Replication partners, link factor-based definition, 310 Request For Comment (RFC), 136–138, 271, 340. See also Strict RFC. 768, 136, 175 792, 43, 136 952, 339 1001, 137, 262, 648 1002, 137, 262, 648 1035, 137, 339 1112, 43, 137, 170 1123, 137, 339 1171, 484 1180, 3 1247, 563 1256, 137, 574 1323, 137, 138, 140–152, 182, 643 1517, 167 1519, 137, 138 1577, 139, 153–154, 182, 643 1583, 563 1661, 493 1817, 167 1831, 37 1878, 460 1933, 677 2001, 155–156, 183 2018, 138, 152–153, 182, 643 2026, 140 2068, 41 2181, 339–342 2205, 138, 157, 183 2211, 156–157, 183 2212, 156–157, 183 2226, 139 2236, 43, 138 2373, 677

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 698

698 Index compliance, 136–138 domain naming specification, 342 standardization, 139–140 Request security, 160 Reserved addresses, 435–436 Resource domains, 70, 78 Resource kits, 101–102 Resource record updates, 379–380 Resource Reservation Protocol (RSVP), 139, 156, 157, 643 Results, monitoring, 127–131 Retransmit timer, 145 Reverse Address Resolution Protocol (RARP), 42, 651 clients, 417 Reverse lookup zones, 363–366 RFC. See Request For Comment. RIP. See Routing Information Protocol. ripquery, 83 Rogue DHCP servers, 444–445 Rogue RIP routers, 563, 660 Rollout. See Network. planning, 46 Root domain, 323 RoundTrip Time (RTT), 148, 150, 182 ROUTE, 44, 48, 635 command, usage, 586 utility, 592 Routed network, IP communications usage, 418–420 Routers, 4, 25, 420. See also Area Border Router; Autonomous System Border Router; Backbone Router; Dynamic router;

Internal Router; Windows 2000. administration. See Remote router administration. classifications, 660–661. See also Open Shortest Path First. configuration, 576–583 cost, 529 discovery, usage. See Internet Control Message Protocol. function explanation, 526–528 ID, 566, 569 IP addresses, 438 link, 224 logging. See Windows 2000. performance, 529 placement, 61 preconfiguration check list, 576–577 usage, process/reason, 528–529. See also Brouters. Routing. See Direct routing; Dynamic routing; Indirect routing; Internet Protocol; Multicast; Unicast routing. example, 543–544 function, 24–25. See also Static routing. fundamentals, 545–549 interfaces, 549 loops, 562–563, 570, 586–587, 660 process, 527–528 protocols, 555–570, 659–661. See also Dynamic routing. installation, 571 scenario, example, 553 tables, 527, 550–553, 659 command line viewing, 550

GUI viewing, 550–552 understanding, 552–553 viewing, 550–552, 589 Routing and Remote Access Service (RRAS), 165, 242, 433, 466, 467, 469, 542, 560, 594 clients, 479 components, 470 configuration problems, 654–655 console, 490, 492, 498 graphical interface, 589 installation/ configuration, 653 management console, 471, 572, 580, 592, 659 MMC, 550, 572 routers, 574, 596 server, 571, 583 service, 489, 503, 570, 591, 654 support, 561 Routing Information Protocol (RIP), 24, 165, 494, 527, 553, 555, 558. See also Silent RIP. advantages/ disadvantages, 562 configuration, troubleshooting, 580–581 features, 660 implementation, 561–562 listening, 560–561 neighbors, viewing, 588 problems, 562–563, 589 RIP for IP, 558–563 configuration, 578–581 troubleshooting, 588–589

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 699

Index 699 routers, 563, 572, 580. See also Rogue RIP routers. routing, 562, 589 trouble prevention, multiphase implementation usage, 562 Routing structure. See Open Shortest Path First. RPC. See Remote Procedure Call. RRAS. See Routing and Remote Access Service. RSVP. See Resource Reservation Protocol. RTT. See RoundTrip Time.

S SACK. See Selective Acknowledgment. SAP. See Service Advertising Protocol. SARA. See Scan Analyze Respond Assess. Scalable TCP window size, 140–150 Scaling factors finding, 148–150 negotiation, 148 Scan Analyze Respond Assess (SARA) guidelines, 112 model, 110–113, 641 Scanning. See Network. Scopes, 428–429. See also Superscopes. options, 437, 652 problems, 429–430 SDSL. See Symmetric Digital Subscriber Line. Search. See World Wide Web. engines, 100 narrowing, network ID usage, 526

Second-level domains, 323–324 Secondary DNS server, 359, 361, 362 Secondary WINS server, 282, 296, 297 Secure Sockets Layer (SSL), 613, 677 Security, 676. See also Domain Name System. enhancement, 367–368 issues, 199 log, 120–122, 641 settings. See Network News Transfer Protocol. troubleshooting, 678 Selective Acknowledgment (SACK), 138, 152–153, 182, 643 Serial Line Internet Protocol (SLIP), 482, 484, 654 Server Message Block (SMB), 20 file-sharing protocol, 530 frames, 214 protocol, 214 Servers, 489–492. See also Multiple DHCP servers. configuration, 654–655 problems, 426–443 monitoring. See Dynamic Host Control Protocol. options, 437 problems. See World Wide Web. troubleshooting. See Network News Transfer Protocol. usage. See Subnets. Service Advertising Protocol (SAP), 88–89 Session layer, 20–21

Shortest Path First (SPF), 564, 565 SHOWACCS.EXE, 74 SHUTDOWN.EXE, 74 SIDWALK.EXE, 74 Signal transmission, 31–32 Silent RIP, 560–561 Silly Window Syndrome (SWS), 184 avoidance, 174–175 Simple Mail Transfer Protocol (SMTP), 40–41, 141, 618, 628, 633, 661 Server, 192 Simple Network Management Protocol (SNMP), 39, 137, 242–250, 439, 521, 621, 633, 634 agents, 80, 246, 678 function, explanation, 242–244 Simplex, 21 Single domain, 69 model, upgrade, 637 Single master domain, 69–70 model, upgrade, 637–638 Sites accessing, client inability, 614–616 hosting problems. See Multiple sites; Windows 2000. logging, 662 enabling, 602–604 name resolution, problems, 611–612, 662 planning, 56 Slaves, 372–373 SLIP. See Serial Line Internet Protocol. Smart cards. See X.25. Smart hubs, 31 SMB. See Server Message Block.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 700

700 Index SMS. See Systems Management Server. SMTP. See Simple Mail Transfer Protocol. SNA. See Systems Network Architecture. SNMP. See Simple Network Management Protocol. snoop, 83 SOA. See Start Of Authority. SOAPR. See Subjective Objective Assessment Plan Review. Soft links, 77 Software/networking protocol configuration, 518 Software vendors, 128 Solutions, prioritization, 126–127 SONET, 472 Source host, 225 Spanning tree algorithm, 535–536 protocol, 535–536 SPF. See Shortest Path First. Split horizon, 559 Split registration, 648 avoidance, 311 Spoke model, 314–315, 648 usage. See Multisite environments. Spoke topology, 283 SQL Server, 606 SRI-NIC, 322 SRV entry, 306 SRV records, 378, 395 SSL. See Secure Sockets Layer. Stand-alone network, 408 Standard zones, 352–363 Star bus, 26 Start Of Authority (SOA), 360, 362 Static addresses, 428 Static ARP cache entries, 227–228

Static entries, 227, 277 Static IP addresses, 494 Static IP routing, configuration. See Windows 2000. Static mappings, 276–277 Static records, 648 avoidance. See Windows Internet Name Service. Static routing, 586–587 characteristics, 557–558 configuration, troubleshooting, 578 function, 555–558 troubleshooting, 586–587 Static WINS entries, problems, 277 Store-and-forward mode, 523 Strict RFC, 341 Subdomains, 324 Subjective Objective Assessment Plan Review (SOAPR), 110 Subnets, 417–418, 450, 540, 553. See also Remote subnet. ID, 405, 453–459, 615 masking, 403–405. See also Class A; Class B; Class C. errors, 459–460 masks, 403, 417, 451–452, 577. See also Default subnet mask; Variable length subnet masks. servers, usage, 445 Subnetting problems, 653 troubleshooting, 448–460 scenarios, 450 Superscopes, 430–431, 463

Switches, 4, 657 advantages. See Bridges; Hubs. switching, timing, 523 usage. See ipconfig. process/reason, 521–523 Switching, 657 hub, 31 modes, 522–523 SWS. See Silly Window Syndrome. Symmetric Digital Subscriber Line (SDSL), 477 SYN. See Synchronization request. Synchronization request (SYN), 141, 142 message, 152 segment, 148 System log, 117–120, 642 System Monitor, 190, 609, 621 Systems Management Server (SMS), 122, 190, 250–251 Systems Network Architecture (SNA), 86, 640 gateway, 20

T T-carrier lines, 478 T1 connection, 58 T1 line, 478 TAPI. See Telephony API. Tasks. See Multitasking. performance, 115–116 TCP. See Transmission Control Protocol. TCP/IP. See Transmission Control Protocol/Internet Protocol. tcpdump, 83 TDI. See Transport Driver Interface. TDR. See Time Domain Relectometer.

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 701

Index 701 TechNet, 103–104, 640 Telephone lines. See Multiple telephone lines. Telephony, 675. See also Internet Protocol. Telephony API (TAPI), version 3.0, 675 Telnet, 40, 623, 633, 634, 668 protocol, 136 server, 668–669. See also Windows 2000. Tests, conducting, 108–109 TFTP. See Trivial File Transfer Protocol. Third-party documentation, 105–107, 640 Third-party IP management, 422 Three-way handshake, 141–143 Time Domain Reflectometer (TDR), 514 Time-exceeded message, 225 Time To Live (TTL), 221, 225, 330. See also Default Time To Live. Timestamping, 152 Timestamps, 367. See also Transmission Control Protocol. clock, 151 Token passing, 27 Token Ring, 26, 30–32, 38, 153, 514 segment, 28 Tombstoning, 648. See also Manual tombstoning. value, 303–304 Tools, upgrade. See Windows NT. Topologies. See Hub topology; Spoke

topology; Windows Internet Name Service. Trace logs. See Domain Name System. TRACERT, 44, 93, 219, 576, 590, 635, 647 display, 595 usage, 586 tracert, 225–226, 252 Tracing, 595 Transient multicast group, 169 Translation bridge, definition, 524–525 Transmission Control Protocol/Internet Protocol (TCP/IP), 643–645 behavior configuration, registry usage, 178–181 communication, 53, 467 configuration, 63, 66–67, 412, 424, 435 checklist, 67 definition, 632–634 DoD role, 6–7 expert usage, 674–679 FAQs, 48–49 features/functions, 670–674 filtering, 66 future, 5, 10, 632–634 history, 632–634 installation, 67 introduction, 2–5 NetWare implementation, understanding, 79–82 network, 516. See also Windows 2000. design/planning, 635 NetBIOS usage, 320 networking, 547 origins, 5–14 power/flexibility, 4 properties, 409

protocols, 233 history, 5–10 installation/protocol, 637 stack, 259, 260, 320, 648 suite, 544 registry settings, 645 understanding, 175–182 registry values, editing, 180–181 stack, 5, 95, 136, 258 statistics, 238 suite, 38–44, 645 troubleshooting guidelines, 640–642 models, 641 resources, 640 secrets, 665 shortcuts, 666–669 UNIX implementation, understanding, 83 upgrade, 637–639 usage. See Networking. utilities, 43–44, 478, 647. See also UNIX. usage, 219–250 value, 2–4 Transmission Control Protocol (TCP), 22, 42, 172–175, 345, 635, 644–645 communication, 140 connection, 174 fast retransmit, 139, 155–156 header, 498 keep-alives, 174 transmissions, interval change, 181 packet, 150 ports, 250, 306 number, 415 protocol, 103 Redirector, 192 timestamp, 150–152

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 702

702 Index window size. See Scalable TCP window size. Transmission speed, limits, 153 Transparent bridges, 535–536 Transport Driver Interface (TDI), 34, 634 boundary layer, 37 Transport layer, 21–24, 34 protocols, 42 Trees, 59 Triggered updates, 559, 560 Trivial File Transfer Protocol (TFTP), 24, 136 Troubleshooter, 86 Troubleshooting. See Windows 2000; Windows 2000 TCP/IP. models, 107–112 repeaters, usage, 519 Trust relationships, 68 Tunnel mode, 678 Tunneling. See Internet Protocol version 6. protocols, 502

U UDP. See User Datagram Protocol. Unauthorized DHCP servers, 444–445 UNC. See Universal Naming Convention. Underscore character, 340 Unicast routing, 554, 659 Universal Naming Convention (UNC) paths, 335–336 usage. See Internet. Universal protocol stack, 3 UNIX, 52, 77, 340, 423 implementation, understanding. See Transmission Control

Protocol/Internet Protocol. interoperability, 86 migration. See Windows 2000. considerations, 639 networks, 3 print servers, 86 servers, 482, 639 TCP/IP utilities, 83–84 Unqualified names, difference. See Qualified names. Unqualified names, resolution, 293 Update trigger, 278 Upgrade. See Windows 2000; Windows NT. problems, 78 schedule, 46 Upper-layer connectivity devices, understanding, 526–530 URI stem, 606 Usenet newsgroups, 106 User Datagram Protocol (UDP), 22, 23, 42, 48, 136, 165, 172, 175, 184, 633, 644–645 counter, 192 header, 498 ports, 243, 250, 372 number, 415 protocols, 386 Users class, 672 mode services component, 35–36 username/password prompting, 619–620 Utilization bottlenecks. See Central Processing Unit. UTP, 516

V Variable length subnet masks, 404

VDSL. See Very-high Digital Subscriber Line. Vendors. See Hardware. class, 672 Very-high Digital Subscriber Line (VDSL), 477 Virtual directories, inaccessbility, 612–613, 662 Virtual Local Area Network (VLAN), 523, 540 Virtual Private Networking (VPN), 63, 125, 347, 467, 496, 653, 656 clients, 466 connections, 505 troubleshooting, 502–503 connectivity problems, troubleshooting, 502–503 link, 468 VLAN. See Virtual Local Area Network. VPN. See Virtual Private Networking.

W W3C. See World Wide Web Consortium. WACK. See Wait for Acknowledgment. Wait for Acknowledgment (WACK), 271 WAN. See Wide Area Network. Web. See World Wide Web. White papers, 102–103 Wide Area Network (WAN), 56, 268, 478, 482, 542, 548 links, 283, 284, 471–482, 484, 654 protocols, 5, 654 problem prevention, 486 technologies, 472 Win32 API, 37, 75

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 703

Index 703 Windows function, explanation, 144–147 panes. See Capture. size, negotiation, 143–144 Windows 16-bit applications, 76 Windows 32-bit applications, 75 Windows 2000 connectivity problems FAQs, 539–540, 595–597 internetwork level troubleshooting, 541 network interface level troubleshooting, 509 enhancements, 643 Internet Protocol, 165–172 methods. See Network Basic Input Output System name. monitoring tools, 188–219 multihomed master problem, solving, 302 NetBIOS name resolution problems, troubleshooting, 257 NetWare migration, 78–82 checklist, 82 network considerations, 636–637 design/setup, 635–640 networking models, 34–38 OS/2 application support, 76–77

subsystem, 76–77 POSIX application support, 76–77 subsystem, 76–77 pre-upgrade issues, 75–78 router, 553–554 features, 659 logging, 661 management tools, 572–576 resetting, 591 routing problems, troubleshooting, 586–591 selected services, 661–663 server, multiple site hosting problems, 613–614 static IP routing, configuration, 577–578 support, 339–342 Telnet client/server, 667–669 transport protocols, 172–175 troubleshooting FAQs, 252–255 resources, 99–107 tools, 187 UNIX migration, 82–84 checklist, 84 upgrade checklist, 78 NT 4.0 to 2000, 68–78 usage ease, 73–75 usage. See Internet Protocol. Windows 2000 TCP/IP configuration, 61, 66–67 FAQs, 88–90 Fast Track, 631 installation, 61–66 internals, 135 FAQs, 185–186

network, 51 design, 52–61 FAQs, 628–629 remote access troubleshooting, 465 services, troubleshooting, 599 stack, enhancements, 138–165 suite members, 634–635 troubleshooting FAQs, 133, 505–507 guidelines, 91–99 patience, 97–98 tools, 93 Windows Internet Name Service (WINS), 117, 169, 216, 271–276, 299–302, 339, 648 backup folder, 289 clients, 271, 273, 275, 277, 371 ambiguity solutions, WINS lookup zone usage, 373–376 configuration issues, 276–306 console, 282 database, 202, 272, 277, 286, 302 backup, 288–289 records, 304 static record avoidance, 310 disappearance, 305–306 enhancements, 302–304 entries, problems. See Static WINS entries. forward lookup, usage, 290–292 incompatibility. See Berkeley Internet Name Domain. lookups, 293, 296, 339, 374, 376 enabling, 296

71_tcp/ip_index.qx

2/28/00

11:02 AM

Page 704

704 Index usage. See Host name. zones, usage. See Windows Internet Name Service. management console, 279 network topologies, 282–302 partner autodiscovery, 281–282 proxy agents, 275–276 usage. See Non-WINS clients. queries, 273 record life cycle, 302–303 referral, dedicated zone setup, 374–376 registry settings, backing up, 289 replication, 277–281, 283 servers, 61, 62, 120, 229, 262–267, 271–275, 278, 281, 313–314. See also Hubs; Primary WINS server; Secondary WINS server. multihoming, 309 names, 279, 288 pointing, 296–299 service, 242, 288 settings, 66 synchronization, 284 topology, 283 usage. See Multihomed computers. WINS-R incompatibility. See Berkeley Internet Name Domain. Windows Media Service (WMS), 600

Windows NT 4.0, upgrade, 637–639 domain models, 68–75 pre-upgrade issues, 75–78 tools, upgrade, 638–639 upgrade. See Windows 2000. checklist, 78 usage ease, 73–75 WINS. See Windows Internet Name Service. Winsock, 36, 321 applications, 391 Winsock 2.0-compliant applications, 13 Wireless media, 30 WMS. See Windows Media Service. World Wide Web Consortium (W3C), 603, 607, 662 extended log file format, 605–606 World Wide Web (WWW / Web), 8 browser, 41, 334 permissions, 614 resources, 106–107 searches, 107 server, 662 problems, troubleshooting, 609–617 service, 618 sites, 95, 613, 614 surfing, 126 Wrapper. See Network Driver Interface Specification.

X X.25, 7, 38, 466 connection problems, troubleshooting, 481–482

network, 472, 480–482 PAD, 479 protocols, 25 smart cards, 479, 480 standard, 25 technology, 483 understanding, 479–481 X.28, 483 X.29 483 X.121 address, 480, 483 X.400, 10 X.500, 10 XNS, 564

Y Y2K compliance issues, 76

Z Zones, 382, 650. See also Active Directory; Multiple DNS zones; Reverse lookup zones; Standard zones. databases, 223, 344, 352 delegation, 350, 351, 369–371 learning, 370–371 design/troubleshooting. See Domain Name System. files, 350 problems. See Integrated DNS zones. setup. See Windows Internet Name Service. transfers, 342, 361, 366, 393 usage. See Windows Internet Name Service.

91_BM.qx

2/25/00

1:15 PM

Page 1

The Global Knowledge Advantage

Global Knowledge has a global delivery system for its products and services. The company has 28 subsidiaries, and offers its programs through a total of 60+ locations. No other vendor can provide consistent services across a geographic area this large. Global Knowledge is the largest independent information technology education provider, offering programs on a variety of platforms. This enables our multi-platform and multi-national customers to obtain all of their programs from a single vendor. The company has developed the unique CompetusTM Framework software tool and methodology which can quickly reconfigure courseware to the proficiency level of a student on an interactive basis. Combined with self-paced and on-line programs, this technology can reduce the time required for training by prescribing content in only the deficient skills areas. The company has fully automated every aspect of the education process, from registration and follow-up, to "just-in-time" production of courseware. Global Knowledge through its Enterprise Services Consultancy, can customize programs and products to suit the needs of an individual customer.

Global Knowledge Classroom Education Programs

The backbone of our delivery options is classroom-based education. Our modern, well-equipped facilities staffed with the finest instructors offer programs in a wide variety of information technology topics, many of which lead to professional certifications.

Custom Learning Solutions

This delivery option has been created for companies and governments that value customized learning solutions. For them, our consultancy-based approach of developing targeted education solutions is most effective at helping them meet specific objectives.

Self-Paced and Multimedia Products

This delivery option offers self-paced program titles in interactive CD-ROM, videotape and audio tape programs. In addition, we offer custom development of interactive multimedia courseware to customers and partners. Call us at 1-888427-4228.

Electronic Delivery of Training

Our network-based training service delivers efficient competency-based, interactive training via the World Wide Web and organizational intranets. This leading-edge delivery option provides a custom learning path and "just-in-time" training for maximum convenience to students.

91_BM.qx

2/25/00

1:15 PM

Page 2

Global Knowledge Courses Available Microsoft ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Windows 2000 Deployment Strategies Introduction to Directory Services Windows 2000 Client Administration Windows 2000 Server Windows 2000 Update MCSE Bootcamp Microsoft Networking Essentials Windows NT 4.0 Workstation Windows NT 4.0 Server Windows NT Troubleshooting Windows NT 4.0 Security Windows 2000 Security Introduction to Microsoft Web Tools

Web Site Management and Development ■ ■ ■ ■ ■ ■

PERL, UNIX, and Linux ■ ■ ■ ■ ■ ■

Management Skills ■ ■ ■

Project Management for IT Professionals Microsoft Project Workshop Management Skills for IT Professionals

■ ■ ■ ■ ■ ■ ■

Understanding Computer Networks Telecommunications Fundamentals I Telecommunications Fundamentals II Understanding Networking Fundamentals Upgrading and Repairing PCs DOS/Windows A+ Preparation Network Cabling Systems

■ ■

■

■ ■ ■

■ ■ ■ ■

Building Broadband Networks Frame Relay Internetworking Converging Voice and Data Networks Introduction to Voice Over IP Understanding Digital Subscriber Line (xDSL)

Internetworking ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

ATM Essentials ATM Internetworking ATM Troubleshooting Understanding Networking Protocols Internetworking Routers and Switches Network Troubleshooting Internetworking with TCP/IP Troubleshooting TCP/IP Networks Network Management Network Security Administration Virtual Private Networks Storage Area Networks Cisco OSPF Design and Configuration Cisco Border Gateway Protocol (BGP) Configuration

Introduction to Red Hat Linux Red Hat Linux Systems Administration Red Hat Linux Network and Security Administration RHCE Rapid Track Certification

Cisco Systems

WAN Networking and Telephony ■

PERL Scripting PERL with CGI for the Web UNIX Level I UNIX Level II Introduction to Linux for New Users Linux Installation, Configuration, and Maintenance

Authorized Vendor Training Red Hat ■

Network Fundamentals

Advanced Web Site Design Introduction to XML Building a Web Site Introduction to JavaScript Web Development Fundamentals Introduction to Web Databases

■ ■ ■ ■ ■ ■ ■ ■ ■ ■

Interconnecting Cisco Network Devices Advanced Cisco Router Configuration Installation and Maintenance of Cisco Routers Cisco Internetwork Troubleshooting Designing Cisco Networks Cisco Internetwork Design Configuring Cisco Catalyst Switches Cisco Campus ATM Solutions Cisco Voice Over Frame Relay, ATM, and IP Configuring for Selsius IP Phones Building Cisco Remote Access Networks Managing Cisco Network Security Cisco Enterprise Management Solutions

Nortel Networks ■

■ ■ ■ ■ ■ ■ ■

Nortel Networks Accelerated Router Configuration Nortel Networks Advanced IP Routing Nortel Networks WAN Protocols Nortel Networks Frame Switching Nortel Networks Accelar 1000 Comprehensive Configuration Nortel Networks Centillion Switching Network Management with Optivity for Windows

Oracle Training ■ ■

Introduction to Oracle8 and PL/SQL Oracle8 Database Administration

91_BM.qx

2/25/00

1:15 PM

Page 3

Custom Corporate Network Training Train on Cutting Edge Technology We can bring the best in skill-based training to your facility to create a real-world hands-on training experience. Global Knowledge has invested millions of dollars in network hardware and software to train our students on the same equipment they will work with on the job. Our relationships with vendors allow us to incorporate the latest equipment and platforms into your on-site labs.

Maximize Your Training Budget Global Knowledge provides experienced instructors, comprehensive course materials, and all the networking equipment needed to deliver high quality training. You provide the students; we provide the knowledge.

Avoid Travel Expenses On-site courses allow you to schedule technical training at your convenience, saving time, expense, and the opportunity cost of travel away from the workplace.

Discuss Confidential Topics Private on-site training permits the open discussion of sensitive issues such as security, access, and network design. We can work with your existing network’s proprietary files while demonstrating the latest technologies.

Customize Course Content Global Knowledge can tailor your courses to include the technologies and the topics which have the greatest impact on your business. We can complement your internal training efforts or provide a total solution to your training needs.

Corporate Pass The Corporate Pass Discount Program rewards our best network training customers with preferred pricing on public courses, discounts on multimedia training packages, and an array of career planning services.

Global Knowledge Training Lifecycle Supporting the Dynamic and Specialized Training Requirements of Information Technology Professionals ■ ■ ■ ■ ■ ■ ■

Define Profile Assess Skills Design Training Deliver Training Test Knowledge Update Profile Use New Skills

91_BM.qx

2/25/00

1:15 PM

Page 4

Global Knowledge Global Knowledge programs are developed and presented by industry professionals with "real-world" experience. Designed to help professionals meet today’s interconnectivity and interoperability challenges, most of our programs feature hands-on labs that incorporate state-of-the-art communication components and equipment.

ON-SITE TEAM TRAINING Bring Global Knowledge’s powerful training programs to your company. At Global Knowledge, we will custom design courses to meet your specific network requirements. Call (919)-461-8686 for more information.

YOUR GUARANTEE Global Knowledge believes its courses offer the best possible training in this field. If during the first day you are not satisfied and wish to withdraw from the course, simply notify the instructor, return all course materials and receive a 100% refund.

REGISTRATION INFORMATION In the US: call: (888) 762–4442 fax: (919) 469–7070 visit our website: www.globalknowledge.com

91_BM.qx

2/25/00

1:15 PM

Page 5

Get More at access.globalknowledge

The premier online information source for IT professionals You’ve gained access to a Global Knowledge information portal designed to inform, educate and update visitors on issues regarding IT and IT education. Get what you want when you want it at the access.globalknowledge site: Choose personalized technology articles related to your interests. Access a new article, review, or tutorial regularly throughout the week customized to what you want to see. Keep learning in between Global courses by taking advantage of chat sessions with other users or instructors. Get the tips, tricks and advice that you need today! Make your point in the Access.Globalknowledge community with threaded discussion groups related to technologies and certification. Get instant course information at your fingertips. Customized course calendars showing you the courses you want when and where you want them. Get the resources you need with online tools, trivia, skills assessment and more! All this and more is available now on the web at access.globalknowledge. VISIT TODAY!

http://access.globalknowledge.com

91_BM.qx

2/25/00

1:15 PM

Page 6

SYNGRESS SOLUTIONS… AVAILABLE

PROFESSIONAL REFERENCE

Order now at www.syngress.com

MANAGING ACTIVE DIRECTORY FOR WINDOWS 2000 SERVER FREE Monthly Technology Updates

AVAILABLE Order now at www.syngress.com PROFESSIONAL REFERENCE

Windows 2000's Active Directory provides a single uniform interface to all of the network's resources, including printers, documents, e-mail addresses, databases, and users. It also manages naming, querying, registration, and resolution needs. This book covers everything a system administrator needs to know about Active Directory.

One-year Vendor Product Upgrade Protection Plan FREE Membership to Access.Globalknowledge

CONFIGURING WINDOWS 2000 SERVER SECURITY

FREE Monthly Technology Updates One-year Vendor Product Upgrade Protection Plan FREE Membership to Access.Globalknowledge

ISBN: 1-928994-07-5 $49.95

AVAILABLE Order now at

Microsoft has incorporated dra- www.syngress.com matic new security changes in Windows 2000 Server, including Kerberos Server Authentication, Public Key Infrastructure (PKI), IP Security (IPSec), Encrypting File System (EFS), and Active Directory permissions. This book is an indispensable guide for anyone bearing the responsibility for the overall security of a Windows 2000 Server network. ISBN: 1-928994-02-4 $49.95

AVAILABLE Order now at www.syngress.com

WINDOWS 2000 SERVER SYSTEM ADMINISTRATION HANDBOOK As an NT System Administrator, you must quickly master Windows 2000 Server’s new administration tools Don’t be left behind on Microsoft Management Console (MMC), Active Directory, IP routing, Kerberos security, and the many other new features of Windows 2000 Server. This is the one book you’ll need to quickly become proficient in configuring and running a Windows 2000 network. ISBN: 1-928994-09-1 $49.95

IP ADDRESSING AND SUBNETTING INCLUDING IPv6 Internet Protocol (IP) is the chosen protocol for the revolutionary convergence of telephony and data. The impact of a poorly designed addressing architecture on an enterprise wide network can be catastrophic. This book provides you with complete coverage of the latest strategies, configuration scenarios, tips, techniques and warnings to successfully deploy an IP Addressing and Subnetting scheme on your network. ISBN: 1-928994-01-6 $59.95

[email protected]

Document3

4/3/02

4:04 PM

Page 1