242 73 5MB
English Pages 737 Year 2000
TRO U BLESH O O TI N G
W I N DOW S 2 0 0 0
T C P/ I P
“This book is an important ally in keeping your Window s 2000 TCP/IP netw ork running smoothly.” —Excerpt from Foreword by Ted Rohling, Chief Technical Officer Decision Netw orks, Inc.
FREE Monthly Technology Up d ates One-year Vend or Prod uct Up grad e Protection Plan FREE Membership to Access.Globalknowledge
Debra Littlejohn Shinder, M CSE, M CP+ I, M CT Thomas W. Shinder, M .D., M CSE, M CP+ I, M CT
[email protected] With over 1,000,000 cop ies of our MCSE, MCSD, Com p TIA, and Cisco stud y guid es in p rint, we have com e to know m any of you p ersonally. By listening, we've learned what you like and d islike ab out typ ical com p uter b ooks. The m ost req uested item has b een for a web -b ased service that keep s you current on the top ic of the b ook and related technologies. In resp onse, we have created [email protected], a service that includ es the following features: ■
A one-year warranty against content ob solescence that occurs as the result of vend or p rod uct up grad es. We will p rovid e regular web up d ates for affected chap ters.
■
Monthly m ailings that resp ond to custom er FAQs and p rovid e d etailed exp lanations of the m ost d ifficult top ics, written b y content exp erts exclusively for [email protected].
■
Regularly up d ated links to sites that our ed itors have d eterm ined offer valuab le ad d itional inform ation on key top ics.
■
Access to “Ask the Author”™ custom er q uery form s that allow read ers to p ost q uestions to b e ad d ressed b y our authors and ed itors.
Once you've p urchased this b ook, b rowse to www.syngress.com/solutions.
To register, you will need to have the b ook hand y to verify your p urchase. Thank you for giving us the op p ortunity to serve you.
TROUBLESHOOTING
WINDOWS 2 0 0 0
TCP/IP
Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™” is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010
SERIAL NUM BER MBN123WER6 BUT432GHPL VTR987EDXA LKN567YTG7 QQWZA2BNM9 183ABC7891 VCRTED1984 CRTY1534XX MNPPP19875 XXCVB98345
PUBLISHED BY Syngress Media, Inc. 800 Hingham Street Rockland, MA 02370 Troubleshooting Window s 2000 TCP/IP
Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-11-3 Copy edit by: Beth Roberts Technical edit by: Thomas W. Shinder, M.D. Index by: Robert Saigh Project Editor: Julie Smalley Distributed by Publishers Group West
Proofreading by: James Melkonian Page Layout and Art by: Emily Eagar and Vesna Williams Co-Publisher: Richard Kristof
Acknow ledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Shelley Everett, Laurie Hedrick, Rhonda Harmon, Lisa Lavallee, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise. Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow, Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson, Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt International for making certain that our vision remains worldwide in scope. Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
v
From Global Know ledge At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank your for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards,
Duncan Anderson President and Chief Executive Officer, Global Knowledge
vi
Contributors Debra Littlejohn Shinder (MCSE, MCP+I, MCT) is an instructor in the AATP program at Eastfield College, Dallas County Community College District, where she has taught since 1992. She is Webmaster for the cities of Seagoville and Sunnyvale, TX, as well as the family Web site at www.shinder.net. She and her husband, Dr. Thomas W. Shinder, provide consulting and technical support services to Dallas area organizations. She is also the proud mother of daughter, Kristen, who is currently serving in the U.S. Navy in Italy, and son, Kris, who is a high school chess champion. Deb has been a writer for most her life, and has published numerous articles in both technical and non-technical fields. She can be contacted at [email protected]. Thomas W. Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. Dr. Shinder has consulted with major firms including Xerox, Lucent Technologies and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Dr. Shinder attended Medical School at the University of Illinois in Chicago, and trained in Neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on Systems Engineering. Tom works passionately with his beloved wife, Deb Shinder, to design elegant and cost-efficient solutions for smalland medium-sized businesses based on Windows NT/2000 platforms.
vii
Forew ord When facing a new operating environment such as Windows 2000, resources such as this book are essential to your success. Here you will find all the information you need to understand the new TCP/IP administration tools available in the Windows 2000 environment. Rather than looking through countless CDs and volumes of documentation, you can look here. You will find the helpful hints you need to locate and troubleshoot the problems you will inevitably face. Experience and knowledge work together to help you do your job. This book is an important ally in keeping your Windows 2000 TCP/IP network running smoothly. Our success as network analysts is often judged by our ability to find and fix problems. In the past, the process was often a hit-or-miss proposition made worse by difficult-to-use vendor documentation. I have spent countless hours with co-workers just trying to find clues to the nature of a problem because not enough good information was available. Hopefully this book will save you from the hit-or-miss approach, immediately increasing your value as a Windows 2000 network analyst. Read, highlight, dog-ear, tab, use sticky notes; in short, make the book yours! —Ted Rohling, MCP, CCNA, CCDA Mr. Rohling is the Chief Technical Officer of Decision Networks, Inc., a computer networks consulting and training company in San Antonio, Texas. Ted has over 33 years of experience in the computer and networking field.
Contents Preface Chapter 1: TCP/IP Overview Introduction TCP/IP’s “Net” Worth More Power, More Flexibility—and More Potential for Problems What’s Ahead in This Chapter TCP/IP: Where It Came From, and Where It’s Going History of the TCP/IP Protocols The Role of the U.S. Department of Defense From ARPAnet to the Internet Another Contender for the Title: The OSI Protocol Suite The Future of TCP/IP Looking Ahead to IPv6 Networking Models The Purpose of the Models Why Use Layered Models? The ISO OSI Model Seven Layers of the Networking World Layer 7: The Application Layer Layer 6: The Presentation Layer Layer 5: The Session Layer Layer 4: The Transport Layer Layer 3: The Network Layer Layer 2: The Data Link Layer Layer 1: The Physical Layer The DoD Model The Application/Process Layer The Host-to-Host (Transport) Layer The Internetworking Layer The Network Interface Layer The Microsoft Windows 2000 Networking Model The Application and User Mode Services Component The API Boundary Layer The File System Drivers The TDI Boundary Layer The Network Transport Protocol Component The NDIS Boundary Layer The NDIS Wrapper A Family of Protocols: The TCP/IP Suite Application Layer Protocols FTP SNMP
xxv 1 2 2 4 4 5 5 6 7 8 10 10 14 15 15 16 16 18 19 20 21 24 25 29 33 34 34 34 34 34 35 36 37 37 38 38 38 38 38 39 39
ix
x
Troubleshooting Window s 2000 TCP/IP • Contents
Telnet SMTP HTTP NNTP Transport Layer Protocols TCP UDP Network Layer Protocols IP ARP and RARP ICMP IGMP TCP/IP Utilities Basic Network Design Planning as Preventative Medicine Testing and Implementation Prototyping Pilot Programs Rollout Summary FAQs
Chapter 2: Setting Up a Window s 2000 TCP/IP Netw ork Introduction Designing a New Windows 2000 TCP/IP Network The Planning Team Planning the Hardware Configurations Planning the Physical Layout Diagramming the Network Layout Planning for Sites What Is an Active Directory Site? Planning the Namespace Planning the Addressing Scheme Installing and Configuring Windows 2000 TCP/IP Installing TCP/IP on a Windows 2000 Computer The Protocol Installation Process Configuring TCP/IP Upgrading to Windows 2000 from Windows NT 4.0 The Windows NT Domain Models Single Domain Single Master Domain Multiple Master Domains Complete Trust
40 40 41 41 42 42 42 42 42 42 43 43 43 44 44 44 44 45 46 47 48
51 52 52 53 53 54 55 56 56 59 60 61 62 63 66 68 68 69 69 71 72
Window s 2000 Configuration Wizards • Contents
Which Model Is Easiest to Upgrade? Other Pre-Upgrade Issues Windows 32-Bit Applications DOS Applications Windows 16-Bit Applications OS/2 and POSIX Application Support in Windows 2000 Application Support Summary Common Upgrade Problems Migrating to Windows 2000 from Novell NetWare Understanding the NetWare Implementation of TCP/IP Premigration Issues Using the Directory Services Migration Tool Common Migration Problems Migrating to Windows 2000 from UNIX Understanding the UNIX Implementation of TCP/IP Summoning the Daemons UNIX TCP/IP Utilities Peaceful Coexistence: The Hybrid Network Environment NetWare Interoperability Client Services for NetWare (CSNW) Gateway Services for NetWare (GSNW) NetWare Protocol Support File and Print Services for NetWare Troubleshooter UNIX Interoperability Interoperability with IBM Mainframe Networks Summary FAQs
Chapter 3: General Window s 2000 TCP/IP Troubleshooting Guidelines Introduction The Ten Commandments of Troubleshooting 1: Know Thy Network 2: Use the Tools of the Trade 3: Take It One Change at a Time 4: Isolate the Problem 5: Recreate the Problem 6: Don’t Overlook the Obvious 7: Try the Easy Way First 8: Document What You Do 9: Practice the Art of Patience 10: Seek Help from Others Windows 2000 Troubleshooting Resources Microsoft Documentation
73 75 75 75 76 76 77 78 78 79 80 80 82 82 83 83 83 84 84 85 85 85 85 86 86 86 87 88
91 92 92 92 93 93 94 95 95 96 96 97 98 99 99
xi
xii
Troubleshooting Window s 2000 TCP/IP • Contents
Help Files Resource Kits White Papers TechNet Newsgroups Third-Party Documentation Internet Mailing Lists Usenet Newsgroups Web Resources General Troubleshooting Models Differential Diagnosis Model Examination Diagnosis Treatment Follow-Up SARA Model Scanning Analysis Response Assessment Putting the Models to Work for You The Information-Gathering Phase Questions to Ask Question Format Log Files Application Log System Log Security Log Tools of the Trade The Problem Isolation Phase Organizing and Analyzing the Information Setting Priorities Prioritizing the Problems Prioritizing the Solutions Taking Corrective Measures One Change at a Time Order of Implementation Monitoring Results Using Forms and Check lists Summary FAQs
Chapter 4: Window s 2000 TCP/IP Internals Introduction RFC Compliance Enhancements to the TCP/IP Stack in Windows 2000 RFC 1323: TCP Extensions for High Performance
100 101 102 103 104 105 105 106 106 107 108 108 109 109 109 110 110 111 111 112 112 112 112 113 117 117 117 120 122 122 123 125 126 126 127 127 127 127 128 131 133
135 136 136 138 140
Window s 2000 Configuration Wizards • Contents
Scalable TCP Window Size TCP Timestamps RFC 2018: SACK (Selective Acknowledgment) RFC 1577: IP over ATM RFC 2001: TCP Fast Retransmit RFCs 2211 and 2212: Quality of Service RFC 2205: Resource Reservation Protocol IPSec Purpose and Uses of IPSec IP Security Options IPSec Configuration IPSec Troubleshooting NDIS 5.0 Inside the Windows 2000 Internet Protocol (IP) Classless Inter-Domain Routing Multihoming Problems Related to Multihoming IP Multicasting Multicast Address Range Troubleshooting IP Multicasting Duplicate IP Address Detection Inside the Windows 2000 Transport Protocols (TCP and UDP) Transmission Control Protocol Dead Gateway Detection Delayed Acknowledgments TCP Keep-Alives Avoiding the Silly Window Syndrome User Datagram Protocol Understanding TCP/IP Registry Settings Using the Registry Editing Tools Configuring TCP/IP Behavior through the Registry Creating a New Value Editing Common TCP/IP Registry Values Registry Settings that Should Not Be Edited Summary FAQs
Chapter 5: Using Netw ork M onitoring and Troubleshooting Tools in Window s 2000 Introduction Windows 2000 Monitoring Tools Basic Monitoring Guidelines Baselining Documentation Backing Up Analysis
140 150 152 153 155 156 157 158 158 159 160 161 164 165 166 167 168 169 170 171 171 172 172 173 173 174 174 175 175 176 178 179 180 181 182 185
187 188 188 188 188 189 189 189
xiii
xiv
Troubleshooting Window s 2000 TCP/IP • Contents
Performance Logs and Alerts Counters Log File Format Alerts Network Monitor Filtering Security Issues Installation Using the Program Capture Window Panes Extra Tools Buffers Collecting Data Filtered Captures Event Viewer Using TCP/IP Utilities PING -t Switch -n Switch -r Switch -i Switch -w Switch Using PING nslookup PATHPING tracert ARP Using ARP Static ARP Cache Entries ipconfig netstat and nbtstat netdiag Using netdiag SNMP What SNMP Does Installing the Agent Using IPSec Encryption Network Management Programs Microsoft Systems Management Server NTManage Summary FAQs
Chapter 6: Troubleshooting Window s 2000 NetBIOS Name Resolution Problems Introduction to Name Resolution Services NetBIOS Name Resolution
190 192 196 196 198 199 199 199 199 200 200 202 204 207 216 219 219 220 220 220 221 221 221 223 223 225 227 227 227 228 233 238 239 242 242 244 250 250 250 251 251 252
257 258 258
Troubleshooting Window s 2000 TCP/IP • Contents
Windows 2000 Methods of NetBIOS Name Resolution NetBIOS Name Cache NetBIOS Name Server Broadcast LMHOSTS HOSTS DNS Server The Order of NetBIOS Resolution B-Node P-Node M-Node H-Node The Windows 2000 Windows Internet Name Service (WINS) NetBIOS Name Registration NetBIOS Name Query Request NetBIOS Name Release Multihomed Computers and WINS WINS Proxy Agents WINS Configuration Issues Static Mappings WINS Replication Partnership Agreements WINS Partner Autodiscovery WINS Network Topologies Spoke and Hub topology Push and Pull Partnerships Backing Up the WINS Database Scavenging the Database Interactions with DNS Servers Pointing WINS Servers to Themselves The Browser Service, WINS and Multihomed Masters Windows 2000 WINS Enhancements Persistent Connections Manual Tombstoning Is WINS Ever Going to Go Away? Troubleshooting Common NetBIOS Communication Problems Summary Don’t Multihome Your WINS Server Use a WINS Proxy Agent on Segments with non-WINS Clients Avoid Static Records in the WINS Database Define Replication Partners Based on Link Factors Avoid Split Registration Use the Hub and Spoke Model in Multisite Environments Configure DNS Servers to Resolve NetBIOS Names Don’t Multihome Master Browsers Use Manual Tombstoning Instead of Deleting Records Consider the Ramifications before Disabling NetBT FAQs
261 261 262 263 263 265 266 266 266 267 267 268 271 271 273 274 274 275 276 276 277 278 281 282 283 283 288 290 290 296 299 302 302 302 305 306 309 309 310 310 310 311 311 311 311 312 312 313
xv
xvi
Troubleshooting Window s 2000 TCP/IP • Contents
Chapter 7: Troubleshooting Window s 2000 DNS Problems Introduction The Difference between NetBIOS Names and Host Names Flat versus Hierarchical Namespace NetBIOS on a TCP/IP Network Characteristics of Host Names The Need for a Name Resolution Service Domains: The “Family Name” The Domain Name System A Hierarchical Naming System Domain Levels Fully Qualified Domain Names Host Name Resolution Name Resolution Sequence The Caching Resolver Using the HOSTS File for Name Resolution Sending the DNS Query to a DNS Server The Recursion Process UNC Paths and DNS Queries Connecting over the Internet via UNC Qualified versus Unqualified Names Appending DNS Suffixes Host Name Resolution via WINS Lookups Multiple DNS Zones and WINs Naming Conventions and Issues Windows 2000 Support for RFC 2181 The Controversial Underscore Character Integrity Check Extended Character Set and Zone Transfers Lowercase Only Domain Naming Schemes and Implementation Problems Same Intranet and Internet Domain Name Solution: Separate DNS Zone Databases Different Intranet and Internet Domain Names Advantages of Using Different Internal and External Domain Names Proxy Configuration Corporate Mergers and Domain Management The Problem: Corporate Merger Proposed Solution Testing the Solution DNS Zone Design and Troubleshooting Standard Zones Zone Transfer Refresh Interval
317 318 319 319 320 321 321 321 322 322 323 324 329 329 329 331 332 333 335 335 336 338 338 338 339 339 340 340 342 342 342 343 343 345 345 345 345 346 347 348 350 352 358 360
Troubleshooting Window s 2000 TCP/IP • Contents xvii
DNS Notify Request for Information Query Fast Transfer Reverse Lookup Zones The in-addr.arpa Domain Pointer Records Active Directory Integrated Zones Common Problems with Integrated DNS Zones Advantages of Active Directory Integration Zone Delegations Troubleshooting Delegation Problems Special Troubleshooting Issues with Windows 2000 DDNS Servers DNS Security and Internet Intruders Tracking Down the Problem The Solution: Forwarders and Slaves Solving WINS Client Ambiguity with WINS Lookup Zones Setting Up a Dedicated Zone for WINS Referrals Interoperability Problems WINS and WINS-R Incompatibility with BIND Servers DHCP and Resource Record Updates Troubleshooting Tools for Windows 2000 DDNS Servers nslookup ipconfig Event Viewer Network Monitor DNS Trace Logs Performance Summary FAQs
Chapter 8: Troubleshooting Window s 2000 IP Addressing Problems Introduction How IP Addressing Works Logical IP Addresses versus Physical MAC Addresses What an IP Address Represents Subnet Masking Determining Address Class How Network IDs Are Assigned How Host IDs Are Assigned within the Network Private versus Public Addresses How IP Addresses Are Used in Network Communications A Map for the Mail Carrier Getting from the Logical to the Physical Putting It All Together IP Communications on a Nonrouted Network (within the Subnet) IP Communications on a Routed Network (to a Remote Subnet)
361 362 362 363 364 364 366 366 367 369 370 371 371 372 372 373 374 376 377 379 380 380 382 382 383 386 387 390 394
397 398 399 399 400 403 405 408 408 413 414 415 415 417 417 418
xviii Troubleshooting Window s 2000 TCP/IP • Contents
Overview: IP Addressing Configuration Errors Duplicate IP Addresses Locating the Other Computer that Is Using the Address Address Conflicts with Computers Using DHCP Invalid IP Addresses DHCP Configuration Problems How DHCP Works: Condensed Version Common DHCP Problems Server Configuration Problems Client Configuration Problems Other Common DHCP Problems Automatic Addressing (APIPA) How to Disable APIPA Hardware Address Problems Duplicate MAC Addresses Troubleshooting Subnetting Problems Why Divide the Network? Subnetting Scenario 1 Subnetting Scenario 2 Subnets Subnet Masks ANDing Tricking IP Making the Mask Subnet Masking for a Class A Network Subnet Masking for a Class B Network Subnet Masking for a Class C Network Errors in Subnet Masking Summary FAQs
Chapter 9: Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork Introduction Overview of Windows 2000 Remote Access Services Types of Remote Access Distinguishing between Remote Access and Remote Control Establishing a Remote Access Connection Software Needed for a Remote Access Connection The WAN Link The Remote Access Protocols Serial Line Internet Protocol The Point-to-Point Protocol Preventing Problems Related to the WAN Protocol Understanding Encapsulation Tools for Troubleshooting PPP Connections Using Network Monitor for PPP Analysis
420 420 421 422 422 423 423 425 426 443 444 446 447 448 448 448 449 450 450 450 451 451 452 452 452 455 457 459 460 463
465 466 467 467 468 470 470 471 482 484 484 486 486 487 487
Troubleshooting Window s 2000 TCP/IP • Contents
Enabling PPP Event Logging Enabling PPP Tracing Troubleshooting Remote Access Configuration Problems Remote Access Server Problems Inability to Establish a Remote Access Connection with the Server Inability to Aggregate the Bandwidth of Multiple Telephone Lines Inability to Access the Entire Network Client Configuration Problems Inability to Establish a Remote Connection Troubleshooting Remote Access Policy Problems Determining Which Multiple Policy Is Causing the Problem Troubleshooting NAT and ICS Configuration Problems The Difference between ICS and NAT Common NAT Configuration Problems Incorrect Public Address Range Incompatible Application Programs Other NAT Problems Troubleshooting VPN Connectivity Problems The Tunneling Protocols PPTP: Point-to-Point Tunneling Protocol L2TP: Layer 2 Tunneling Protocol Troubleshooting VPN Connections Inability to Connect to the Remote Access Server Summary FAQs
Chapter 10: Troubleshooting Window s 2000 Connectivity Problems at the Netw ork Interface Level Introduction Problems with Network Interface Card Configuration The Role of the NIC Types of NICs Driver Issues Updating Drivers Problems with Cable and Other Network Media Network Cable Specifications Cable Length Issues The Role of Network Connectivity Devices Understanding Layer 1 and 2 Connectivity Devices How and Why Repeaters and Hubs Are Used How and Why Switches Are Used How and Why Bridges Are Used Understanding Upper-Layer Connectivity Devices
487 487 489 489 489 492 494 494 494 496 497 498 498 498 500 500 501 502 502 502 502 502 503 503 505
509 510 510 511 511 512 512 514 514 515 516 517 517 521 523 526
xix
xx
Troubleshooting Window s 2000 TCP/IP • Contents
How Routers Work How and Why Routers Are Used How and Why Brouters Are Used How and Why Layer 3 Switches Are Used How and Why Gateways Are Used Troubleshooting Layer 1 and 2 Connectivity Devices Problems with Repeaters and Hubs The 5-4-3 Rule Passive, Active, and Intelligent Hubs Problems with Passive Hubs Problems with Active Hubs Problems with “Intelligent” Hubs Problems with Bridges Performance Problems Bridge Latency Bridge Looping Network Monitoring Problems Selecting a Connectivity Device Summary FAQs
Chapter 11: Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level Introduction A Routing Example IP Routing Overview Routing Fundamentals Direct Routing Indirect Routing The Default Gateway Routing Interfaces Routing Tables Viewing the Routing Table Understanding the Routing Table Simple Routing Scenario The Windows 2000 Router Routing Protocols How Static Routing Works Characteristics of Static Routing The Dynamic Routing Protocols RIP for IP OSPF Windows 2000 as an IP Router Installing Routing Protocols Windows 2000 Router Management Tools Remote Router Administration Using ICMP Router Discovery
526 528 529 530 530 531 531 531 532 532 532 532 532 533 533 533 536 537 538 539
541 542 543 544 545 545 546 547 549 550 550 552 553 553 555 555 557 558 558 563 570 571 572 572 574
Troubleshooting Window s 2000 TCP/IP • Contents
Using the Netshell Utility (NETSH) Router Configuration Preconfiguration Check List Configuring Windows 2000 Static IP Routing Troubleshooting Static Routing Configuration Configuring RIP for IP Troubleshooting RIP Configuration Configuring OSPF OSPF Password Protection Windows 2000 Router Logging Using Event Logging Using the Tracing Function Troubleshooting Common Windows 2000 Routing Problems Troubleshooting Static Routing Using PING and TRACERT Using the ROUTE Command Static Routing and Routing Loops Troubleshooting RIP for IP Viewing RIP Neighbors Viewing the Routing Table Summary: Common RIP Problems Troubleshooting OSPF Resetting the Windows 2000 Router Summary FAQs
Chapter 12: Troubleshooting Selected Services on a Window s 2000 TCP/IP Netw ork Introduction Troubleshooting IIS Problems Log Files Enabling Site Logging Log File Formats Logging Problems Troubleshooting Web Server Problems Performance Problems Problems with Site Name Resolution Inaccessible Virtual Directories Problems with Hosting Multiple Sites on a Windows 2000 Server Some Clients Unable to Access Site Changing IIS Properties Troubleshooting FTP Server Problems End-User Problems New Connections Not Being Accepted Users Prompted for Username and Password Connection Limit Exceeded Troubleshooting NNTP Server Problems
574 576 576 577 578 578 580 581 583 583 583 584 586 586 586 586 586 588 588 589 589 590 591 591 595
599 600 600 602 602 604 608 609 609 611 612 613 614 616 617 617 617 619 620 621
xxi
xxii Troubleshooting Window s 2000 TCP/IP • Contents
Using Event Viewer for NNTP Troubleshooting Common NNTP Problems Summary FAQs
Chapter 13: Window s 2000 TCP/IP Fast Track Introduction TCP/IP: What It Is (and Isn’t) TCP/IP History and Future in a Nutshell Where TCP/IP Fits into the Networking Models The Members of the Suite Network Design and Planning Issues Design and Setup of a Windows 2000 Network Special Considerations for Windows 2000 Networks Active Directory Sites Active Directory Namespace IP Addressing Scheme Network Design Check List Installing and Configuring the TCP/IP Protocol Special Considerations when Upgrading from NT 4.0 Upgrading the Single Domain Model Upgrading the Single Master Domain Model Upgrading the Multiple Master Domain Model Upgrading the Complete Trust Model Upgrade Tools Special Considerations when Migrating from NetWare Migration Problems Special Considerations when Migrating from UNIX Hybrid Networks General Troubleshooting Guidelines Troubleshooting Resources Troubleshooting Models Differential Diagnosis Model SARA Model Information-Gathering Tips Questions to Ask Log Files Organizing Information Forms and Check Lists Inside TCP/IP Windows 2000 Enhancements Inside IP CIDR Support Multihoming IP Multicasting Duplicate Address Detection Inside TCP and UDP
621 622 626 628
631 632 632 632 633 634 635 635 636 636 636 636 637 637 637 637 637 638 638 638 639 639 639 639 640 640 641 641 641 641 641 642 642 642 643 643 643 643 643 644 644 644
Troubleshooting Window s 2000 TCP/IP • Contents xxiii
TCP UDP TCP/IP Registry Settings Network Monitoring Tools Monitoring Guidelines Baselining Documentation Performance Logs and Alerts Network Monitor Capture Filters Display Filters Event Viewer TCP/IP Utilities Name Resolution Problems WINS and NetBIOS Name Resolution DNS and Host Name Resolution Resolving Host Names to IP Addresses Planning the DNS Namespace Zones Tools IP Addressing Issues The IP Address How IP Addresses Are Assigned ARP Common IP Addressing Errors DHCP Subnetting Problems Remote Access Connectivity Remote Access versus Remote Control Remote Access Links Remote Access Protocols RRAS Configuration Problems Server Configuration Client Configuration Multilink Network Access Remote Access Policy NAT and ICS NAT Configuration Virtual Private Networking (VPN) The Network Interface Level Connectivity Devices Repeaters Hubs Switches Bridges The 5-4-3 Rule The 80/20 Rule
644 644 645 645 645 645 645 645 646 646 646 647 647 647 648 649 649 649 650 650 650 650 651 651 652 652 653 653 653 654 654 654 654 655 655 655 655 655 656 656 657 657 657 657 657 657 658 658
xxiv Troubleshooting Window s 2000 TCP/IP • Contents
Looping The Internetwork Level Routing Tables Features of the Windows 2000 Router Routing Protocols RIP Features OSPF Features Windows 2000 Router Logging Selected Services Site Logging Web Server FTP Server NNTP Server Summary
Appendix A: TCP/IP Troubleshooting Secrets Lesser-Known Shortcuts Finding the Consoles Control the Index Server Windows 2000 Telnet Client and Server Telnet Server Under-Documented Features and Functions The FTP Command Set The nslookup Utility Using ipconfig Switches For Experts Only The Future of IP Communications IP Telephony TAPI 3.0 and H.323 Telephony and Active Directory Planning the Transition to IPv6 How Is IPv6 Different? The Scary Part How to Prepare for the Transition Securing IP: IPSec End-to-End Security IPSec Functions Security Troubleshooting Tunnel Mode IPSec and NAT
Index
658 658 659 659 659 660 660 661 661 662 662 662 663 663
665 666 666 666 667 668 670 670 671 672 674 674 674 675 675 676 676 676 677 677 677 678 678 678 679
681
Preface and Acknow ledgements There are few people today who "don’t do Windows." The Microsoft operating systems – Windows 3.x, Windows 95, Windows 98, Windows NT – have populated the desktops of millions. And over the last several years, Windows NT 4.0 has gained a large and increasing portion of the server market with almost 40 million installations throughout the world. At the same time, the popularity of networking in general and Internet connectivity in particular has increased exponentially. Now, with the release of Windows 2000, networking and internetworking have come into their own. And the default local area network (LAN) protocol for Windows 2000 is TCP/IP, which not coincidentally, is the protocol stack on which the global Internet is built. Many books have been written about TCP/IP, and there will be many written about Windows 2000. We have worked with both for a long time and find them to be a very stable combination. TCP/IP was originally designed with reliability as a first priority, and the Windows 2000 operating system is, by far, the most reliable and robust Microsoft operating system ever released. Even so, the sheer complexity of both means problems will occur from time to time. This book was written for those times. We have not attempted to make this book an all-encompassing guide to Windows 2000 or the TCP/IP protocol suite. What we have attempted to do is provide a foundation of useful information for network administrators and others responsible for setting up and maintaining a Windows 2000 TCP/IP network. That means this book is for you. Virtually all networks will run TCP/IP as their primary transport protocol due to the need to connect to the Internet. We have included some background on how TCP/IP communications work, as well as the specifics of Microsoft’s implementation of the protocols in Windows 2000, but our focus is on what can go wrong, and how to fix it when it does. This book is not a regurgitation of the Microsoft documentation and Internet Requests For Comments (RFCs), although we refer to those resources on occasion. Much of the information is based on our own experiences in working with TCP/IP in Windows 2000, both in the classroom/lab and in the field. We have also drawn on the experiences of fellow consultants and instructors who, like us, have been working with Windows 2000 since the early beta versions. Microsoft has provided a tremendous amount of documentation: comprehensive articles in TechNet, Help Files that (unlike in earlier versions) actually help, and numerous white papers and Knowledge Base entries. Even so, there are a number of “little things,” tips and tricks and required ways of doing things that aren’t fully and/or clearly documented. We have included a liberal sprinkling of notes, tips and warnings throughout the text to advise you of those little stumbling blocks and to document the xxv
xxvi Troubleshooting Window s 2000 TCP/IP • Preface
"Eureka!" moments we experienced in learning to work with—and love—the new operating system. Another thing this book is not is a study guide. Although we both teach Microsoft certification classes and have written other books aimed specifically at those seeking their MCP or MCSE, the primary audience for this book is the administrator running Windows 2000 who needs help with TCP/IP-related problems now, not in theory, but in fact. On the other hand, in order to make the material relevant to new administrators as well as those with many years of experience, we have provided a fair amount of explanatory information, analogies, and anecdotes that might be helpful in some aspects of studying for the Windows 2000 exams. Troubleshooting Windows 2000 TCP/IP was not just another tech writing project for us. It started out as a challenge and an opportunity. The challenge was to adequately cover a very complex and technical topic that has been addressed by many before us, some of whom have been recognized experts in the field for decades. The opportunity was to take material that is complex and technical, and present it in a way that is understandable, useful, and maybe even at times enjoyable to read. That became our goal, the one that turned this project into a true labor of love. This book would not have been possible without the help and support of a large number of people, and we would like to recognize them here. First, we both want to thank everyone at Syngress, especially Matt Pedersen, who believed in our ability and gave us this chance, and Julie Smalley, who suffered with us each step of the way. Deb particularly wants to thank Neal Wilson at Eastfield College, who encouraged her to expand her horizons and leave the nest when the time came; her children, Kris and Kristen, who always made it easier to accomplish great things in other areas of life because she could count on her great kids to be there; her mom, Sue Harris; and, posthumously, her dad, Tommie Harris, who she misses every day. Tom especially wants to thank his own mom, Eleanora Shinder, and his brothers Rich and Dee, along with fellow Microsoft professionals Jim Truscott and Doyal Alexander, whose experiences contributed to this book. Both of us want to extend a special thank you to Thomas Lee, our tech writing role model, and to Brian Miller, who made our first time fun instead of painful. Most of all, we want to thank each other. The writing and tech editing of this book was a partnership effort, like our marriage. We argued some of the fine points, nit-picked one another’s wording, questioned each other’s facts and conclusions, and in so doing, made this a better book. We worked together, struggled together to meet the deadlines, shared the frustrations and the profound gratification, and now celebrate together the birth of this "baby." We look forward to doing it again. Debra Littlejohn Shinder Dr. Thomas W. Shinder
Chapter 1
TCP/IP Overview
Solut ions in t his chap t er: ■
History of TCP/IP (ARPAnet); The Future of TCP/IP (IPv6)
■
The TCP/IP Protocol Suite
■
The OSI, DoD, and Window s Netw orking M odels
■
Basic Netw ork Design Issues
1
2
Chapter 1 • TCP/IP Overview
Introduction The Transmission Control Protocol/Internet Protocol (also referred to as the TCP/IP protocol stack, or just plain TCP/IP) is a familiar—if poorly understood—networking component to most modern network administrators and Information Technology (IT) professionals. If you work in any but the smallest networked environment, chances are you’ve encountered TCP/IP. However, it wasn’t always that way. Just a few short years ago, TCP/IP was regarded as a somewhat sluggish, difficult-to-configure protocol used primarily by university or government networks participating in an exotic wide area networking project called ARPAnet. It was considered too slow and complex to be an appropriate choice for most private organizations’ local area networks (LANs). Microsoft and IBM workgroups ran fine on NetBEUI, a fast and simple transport protocol that could be set up easily and quickly by someone without a great deal of expertise. Novell NetWare LANs used the IPX/SPX stack, which was routable and thus could be used with larger serverbased networks. Few business networks had any need for a powerful but high-overhead set of protocols like TCP/IP. Then something happened: the Internet.
NOTE Ad m inistrators and users m ay also b e fam iliar with the higher-level p rotocols used on the Internet, such as File Transfer Protocol (FTP), Hyp ertext Transfer Protocol (HTTP), and Telnet. These, along with other p rotocols, are often p ackaged with TCP/IP as p art of the “suite.”
TCP/IP’s “Net” Worth The obscure worldwide network of networks had formerly been used by only a handful of elite groups until it was discovered by the corporate world—and then by individual computer users. An online population explosion erupted. Everyone rushed to get connected to the global Net, and TCP/IP, on which it was based, catapulted to the top of the protocol popularity polls. There have been occasional attempts to usurp its position at the top. The Open Systems Interconnection protocol suite, based on the famous (or infamous) seven-layer OSI networking model, was conceived with the idea of unseating the incumbent and replacing TCP/IP as a universal standard for internetworking communications. In fact, in the late 1980s
TCP/IP Overview • Chapter 1
the U.S. government, which had played an important part in creating and developing TCP/IP, made plans to phase it out in favor of the OSI suite. It didn’t quite work out that way. TCP/IP turned out to be the protocol stack that refused to go quietly into that good night.
NOTE Req uest for Com m ents (RFC) 1180, availab le on the Web , p rovid es an authoritative tutorial on the TCP/IP p rotocol suite.
In fact, TCP/IP has flourished. It is available as a standard protocol included with all Windows operating systems and is installed by default in Windows 2000.
NOTE Although TCP/IP is a “universal” p rotocol stack, which allows com m unication b etween m achines running d ifferent op erating system s or even running on d ifferent p latform s, b e aware that d ifferent vend ors’ im p lem entations of the p rotocols m ay d iffer slightly. This b ook focuses on Microsoft’s im p lem entation of TCP/IP in Wind ows 2000, although we also d iscuss interop erab ility with NetWare and UNIX networks.
UNIX machines, the original cornerstones of Internet communication, have been running on TCP/IP since the early days of its development, and TCP/IP support is a part of every popular Linux distribution. Apple Macintosh computers and IBM’s AS/400 machines use TCP/IP. Even NetWare, long a holdout for its Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) stack, has finally come over to the TCP/IP camp; NetWare 5 is the first version designed to run on “pure” IP. On the other hand, as you scroll through the list of protocols that can be installed from the Windows 2000, NT, or 9x CD-ROM, you won’t see “OSI protocol suite” among them. The OSI model is an accepted standard for networking implementation, and the OSI suite mapped to the model more elegantly than other protocol sets already in use, However, TCP/IP was too firmly engrained to be easily dethroned as king of the internetworking world. It was as if someone announced that he had discovered a replacement for dirt and suggested that we uproot all the trees and plants and then “reinstall” them in the new, superior substance. Restructuring the huge,
3
4
Chapter 1 • TCP/IP Overview
sprawling global Internet to plant it in a different protocol environment— regardless of any advantages that new environment might offer—is just too overwhelming an undertaking. TCP/IP may have to adapt as computer communications continue to evolve (the expected transition to IPv6 is one example), but it is likely to be around for some time to come.
More Power, More Flexib ility—and More Potential for Prob lem s TCP/IP had to be good to survive the challenges and attain the position it occupies today in computer networking, but that doesn’t mean its implementation is always free of problems. On the contrary, the complexity that makes it so flexible and capable of connecting large, diverse networks also makes it prone to configuration errors and difficult to troubleshoot. Luckily for network administrators, necessity being the mother of invention resulted in the development of many tools and utilities for troubleshooting TCP/IP connectivity problems. Many of these are free, and several are included as part of Windows 2000’s implementation of the TCP/IP protocol suite. Administrators of TCP/IP networks will also find the documentation of the TCP/IP protocol far more extensive than that for any other network/transport protocol. Because it is used on such a widespread basis, books, articles, courses, and Web resources for troubleshooting IP connectivity problems are plentiful.
What’s Ahead in This Chap ter In this chapter, we will look at both the history and the future of the TCP/IP suite, to better help us understand what it is and how it works today. We’ll examine in some depth the more generic OSI networking model and TCP/IP’s own model, often referred to as the Department of Defense (DoD) model. We will break down the components of the so-called “suite” of protocols that have taken up residence with the original TCP and IP stack. We’ll also examine how common connectivity devices, such as repeaters, bridges, routers, and switches, are used to expand or segment TCP/IP networks. Finally, we’ll discuss some general guidelines for planning, testing, and implementing a big change such as the setup or migration of a Windows 2000 TCP/IP network. Just as a physician is better able to treat a sick patient if he knows the person’s background, characteristics, and how the patient normally behaves when not ill, network administrators confronted with “sick” dysfunctioning networks will be at a big advantage if they know the network’s “anatomy” or components well. The protocol on
TCP/IP Overview • Chapter 1
which the network depends for communication is one of its most important “body parts.” The objective of this chapter is to give you a detailed patient history and a quick review of TCP/IP physiology that will allow you to recognize symptoms, diagnose its illnesses, and select the most effective treatment. We know that a healthy network makes for a happy network administrator.
TCP/IP: Where It Came From, and Where It’s Going Acronyms abound in the computer industry, and network administrators may think of TCP/IP as just another collection of mysterious letters used to refer to some obscure concept whose name they’ve long forgotten. If pressed, most could tell you that it’s a protocol—and some even know that a protocol is a set of standardized rules for communicating. Maybe one or two could even tell you that the word comes from the Greek word protocollon, which referred to a leaf of paper glued to a manuscript volume that described the volume’s contents. But any basic networking text lists dozens or even hundreds of protocols: hardware protocols, routing protocols, remote access protocols, printing protocols, LAN and WAN protocols, encapsulation protocols. Why should we get all excited about TCP/IP? What makes it so special? For the answer to that question, let’s consider the origins of the TCP/IP protocol suite, and what it’s used for today.
History of the TCP/IP Protocols “The subject of history is the gradual realization of all that is practically necessary.” (Friedrich Schlegel, 1772–1829, German philosopher). Practical necessity is the driving force behind most important inventions and developments, and the need for a reliable set of communications protocols suitable for connecting large networks led to the creation of the TCP/IP stack. In the 1960s, computer networking was in its infancy. The benefits of connecting computers together so they could share resources were only beginning to become apparent. The equipment was expensive, and products from different manufacturers were, for the most part, incompatible. Few business entities had the money or inclination to bother with creating local networks, much less attempt to get their computers to “talk” to distant systems.
5
6
Chapter 1 • TCP/IP Overview
The Role of the U.S. Department of Defense The U.S. Department of Defense recognized the value of establishing electronic communications links between major military installations. (Grim as it may seem, a primary motivation was the desire to maintain communication capabilities in the event of the mass destruction that would come with nuclear war.) Major universities were also involved in networking projects. The DoD funded research sites throughout the United States, and in 1968, the Advanced Research Projects Agency (ARPA) contracted with a company called BNN to build a network based on packet-switching technology.
For IT Professionals
Tech Talk Many p eop le easily confuse the term s packet sw itching and circuit sw itching . Even exp erienced network ad m inistrators, if they haven’t had m uch exp osure to the concep tual and hard ware sid es of WAN technology, find them a little m ysterious. They sound like the sam e thing, b ut they’re not. Circuit switching technology is som ething we use all the tim e, whether we’re aware of it or not. The p ub lic telep hone system (which is form ally called PSTN, or Pub lic Switched Telep hone Network) is the m ore fam iliar exam p le of switched -circuit com m unication. An end -toend com m unication link is estab lished when you p lace a telep hone call, and that sam e p hysical p ath from one end (your telep hone) to the other (Aunt Mary’s telep hone in Boise, Id aho, for exam p le) is m aintained for the d uration of that call. The p ath is reserved until you b reak the connection b y hanging up . If you call Aunt Mary again next week, the pathway (also called the “circuit”) used may be completely different. That’s where the “switching” comes in, and that explains why sometimes when you talk to Aunt Mary, the connection is clear, while other times there’s so much noise and static on the line that you have to ask her to repeat herself when she tells you whose quilt won first prize at this year’s county fair. Packet switching is d ifferent in that there is no d ed icated p athway or circuit estab lished . It is known as a “connectionless” technology for that reason. If you send d ata from your com p uter to your com p any’s national head q uarters in New York over a p acket-switched Continued
TCP/IP Overview • Chapter 1
network, each ind ivid ual p acket, or chunk of d ata, can take a d ifferent p hysical route to get there. Most traffic sent across the Internet uses p acket switching. A typ e of d igital p acket switching network called X.25 can also sup p ort virtual circuits, in which a logical connection is estab lished for two p arties on a d ed icated b asis for a certain d uration (a Perm anent Virtual Circuit, or PVC, is an ongoing, d ed icated logical connection, b ut the p hysical circuit can b e shared b y m ore than one logical connection).
In1969 the ARPAnet was born when its first node, or connection point, was installed at the University of California at Los Angeles. Within three years, the network had spread across the United States, and two years after that, to the European continent. Remember that ARPAnet’s original purpose was to provide a network capable of surviving a devastating war. This meant redundancy and reliability took precedence over other considerations (like data transmission speed). Consequently, the first links were slow by today’s standards (56k leased lines).
NOTE An excellent d etailed history of the creation of ARPAnet and its evolution into tod ay’s Internet is availab le at the Web site of the international organization called the Internet Society (ISOC) at www.isoc.org/internet/ history/b rief.htm l.
It was important that the networking protocols be reliable and scalable to accommodate multiple redundant sites and anticipated growth (although no one at that time expected the rate of growth that was to come). Perhaps following the timeworn advice that “if you want it done right, you have to do it yourself,” the developers of the ARPAnet designed a new group of protocols that fit the bill. Their first attempt was the Network Control Protocol, but it proved to be unsuitable as traffic increased. By the mid-1970s, necessity had mothered invention again, and the TCP/IP protocol suite was implemented.
From ARPAnet to the Internet The “network” continued to grow in population and popularity. It eventually split into two parts, with the military calling its part of the
7
8
Chapter 1 • TCP/IP Overview
internetwork Milnet, with ARPAnet still being used to describe the network that connected research and university sites. In the 1980s, ARPAnet was replaced by the Defense Data Network (a separate military network) and NSFNet, a network of scientific and academic sites funded by the National Science Foundation. In the 1990s, the global network (now called the Internet) went commercial in a big way. Corporations realized the advertising and marketing potential of a medium that spanned the whole world. Smaller businesses began to see the light—and the dollar signs—as well. Individuals wanted access to the vast amount of information (and entertainment) available on the World Wide Web. Internet Service Providers (ISPs) sprang up like weeds to satisfy the demand for connectivity.
NOTE Estim ates vary, b ut accord ing to the Internet Software Consortium , b y July 1999 there were over 50 m illion host com p uters connected to the Internet.
As the year 2000 begins, the impact of the Internet on the computer industry and on lifestyles in general is being felt across the planet. We have, to a large extent, networked the world. The Internet, still running on the TCP/IP protocol suite, has made it possible to do things that could not have been imagined by the average person just a decade ago. School children have the equivalent of large libraries at their fingertips; business executives stay on top of what’s going on at the office from thousands of miles away; telecommuters do a full day’s work without ever leaving home. We can play the stock market via computer, do our banking online, or chat casually with close friends we’ve never met in places we might have never known existed except for the Net. Few of those whose lives have been changed by the rapid development of computer networking technology realize that they owe it all (well, at least a lot of it) to TCP/IP.
Another Contender for the Title: The OSI Protocol Suite The OSI protocol suite was intended to be TCP/IP’s replacement. In fact, a few years ago, it was an accepted “fact” in many parts of the computer industry that the future of networking would be built on the OSI suite. It seemed like a good idea at the time. The OSI suite consisted of a set of protocols that would map directly to the popular OSI networking model, and which would—at least in theory—make for less confusion and easier standardization of networking products among multiple vendors. The TCP/IP stack had been designed on the less finely tuned DoD networking model.
TCP/IP Overview • Chapter 1
The OSI protocol suite was developed under the umbrella of a body called the ISO—making for an interesting conglomeration of initials. As if it weren’t already confusing enough, the full official name of the ISO is the International Organization for Standardization, which would seem to call for an acronym of IOS (which would be further confused with Cisco’s Internetworking Operating System, or IOS, used to command its fleet of routers). The organization is quick to point out that its short name— ISO—is not an acronym but a word, derived from the Greek isos, meaning “equal.” The ISO is, according to its own accounts, a worldwide federation of national standards bodies from 130 countries whose stated mission is the promotion of the development of standardization and related activities throughout the world. The ISO’s role in establishing standards is not confined to the computer industry. For years, photographers have been familiar with the ISO film speed codes used by manufacturers of photographic film. The ISO, headquartered in Geneva, Switzerland, has been instrumental in developing standards for the format of telephone and banking cards, so that the cards can be used in different countries throughout the world. The international country and currency codes are another example of an ISO standard.
NOTE For m ore inform ation ab out the organizational structure and m ission of the International Organization for Stand ard ization (ISO), visit its Web site at www.iso.ch/.
The idea of a carefully planned and implemented new set of protocols for connecting to the global Internet that could be standardized throughout the world was an attractive proposition. A great deal of work went into development of the OSI protocol suite, hailed as the heir to the Internet protocol crown. But it turned out that the reports of TCP/IP’s death had been greatly exaggerated.
Survival of the Fittest? In the late 1980s, the Department of Defense decreed that by August 1990 all its computer communications would use OSI protocols, and the U.S. federal government formed a set of specifications called GOSIP (Government OSI Profile) that defined standards for these protocols. The federal government had, in effect, planned the death of the TCP/IP suite. TCP/IP was now considered a temporary solution to the problem of providing reliable internetworking protocols. The new proposed Internet standards included X.400 (for e-mail) and X.500 (for directory services).
9
10
Chapter 1 • TCP/IP Overview
The computer industry was gearing up to make the transition, but not everyone welcomed the change. So in 1990, the ISO Development Environment (ISODE) was created. The ISODE software allowed OSI applications to run over TCP/IP. The TCP/IP suite was already in wide use and was not going away as planned, so it was decided that GOSIP would incorporate TCP and IP, loosening its original “only OSI protocols” requirements. The current goals of OSI proponents seem to be less ambitious, now focused on a convergence of TCP and OSI Transport Protocol Class 4, which would support both OSI applications and applications from the Internet Protocol Suite. IPv6 (sometimes called IPng for IP “next generation”) is expected to be the big protocol player at the IP layer.
The Future of TCP/IP Although the TCP/IP suite has proven its endurance and is likely to be with us for a while, it will undoubtedly undergo some changes. For protocols, as for people, a long life usually requires the ability to adapt to changing conditions. As the Internet continues to grow, the most pressing need is a way to overcome the limitations of the current version of IP in terms of the number of IP addresses available. At the time IP’s 32-bit addressing scheme was designed, computers were still expensive devices used primarily by large companies. Many businesses were not yet computerized, and the idea of an individual owning a computer—much less setting up a home network—bordered on absurdity. It must have seemed that there would never be any danger of running out of addresses (and consequently, many usable addresses were “wasted” by the assignment method), but then at that time it was also inconceivable that computers would ever be as powerful and as inexpensive as they are today. When it comes to making predictions about technological progress, the one constant has been a tendency to underestimate. After all, Thomas Watson, former chairman of IBM, is best remembered for the following statement, made in 1949: “I think there is a world market for maybe five computers.”
Looking Ahead to IPv6 IPv6, or IPng (the “ng” stands for “next generation”), is the new version of the Internet Protocol (IP). The Internet Engineering Task Force (IETF) designed it as the next step up from IPv4. It builds on IPv4 and is a natural progression. It is compatible with IPv4, which is currently used on the Internet and other TCP/IP networks. The specific intent of IPv6 is to work efficiently in high-performance networks such as ATM (Asynchronous Transfer Mode), while still working efficiently over low-bandwidth networks (which would include many of the wireless technologies).
TCP/IP Overview • Chapter 1
Next Generation IP: A Luxury or a Necessity? Why do we need a “next generation” of IP? The answer can be summed up in one word: growth. Internet connectivity has exploded, and it shows no sign of slowing anytime soon. Technology gurus predict that in the future, even our household appliances will be wired to the Internet so we can communicate with them from afar. (This conjures up images of typing in a few commands and sending them off to your microwave oven, instructing it to have dinner ready when you get home—an idea that may become reality sooner than you think.) If we are to be prepared to assign an IP address to every refrigerator and toaster, we must think big in planning the next version of the protocol that will be used to accomplish these addressing feats. Perhaps the most important lesson to be learned from our experience with IPv4 is that the addressing and routing capabilities of the next generation’s Internet Protocol must be able to handle scenarios that may currently seem unlikely, based on seemingly exaggerated estimates of future growth.
How Many IP Ad d resses Are Enough? IPv4 uses IP addresses that are 32-bit binary numbers (usually expressed in dotted decimal for convenience). Each IP address consists of two parts that identify the network ID and the host ID. This provides for approximately 4 billion individual unique addresses—at least, mathematically and theoretically, it works out to that number. If there were actually this many usable addresses, we might not have to worry about running out anytime soon. Unfortunately, that’s not the case. Internet authorities do not assign IP addresses one at a time; rather, they are allocated as class A, B, or C networks, which consist of blocks of addresses of varying sizes. There are 126 usable class A networks, and each can have approximately 16 million hosts. There are far more class B networks: about 16 thousand, but each is limited to fewer hosts, about 65,000. As for class C networks, there can be around 2 million of them; however, they can have a maximum of 254 hosts. In the early days of the Internet, IP addresses were plentiful, and many were handed out with abandon. For instance, the entire Class A Network ID 127.0.0.0 was reserved for use as a “loopback” address (more about that later) used to test the integrity of a computer’s TCP/IP stack. This resulted in 16,777,216 wasted addresses! Class A and B networks were given to organizations that had nowhere near the number of allowed hosts, wasting more addresses. They weren’t missed, because there were plenty more where those came from; the mentality was the same sort that led to current environmental problems, shortages of once-plentiful natural resources and near-extinction of some animal species.
11
12
Chapter 1 • TCP/IP Overview
In 1991, there were a little over 1 million hosts on the global Internet. By 1997, there were over 16 million. Today, according to the Internet Society, there is an estimated 50 million. If growth continues at this rate, the prospect of using up all the available addresses will become very real. One way to solve the problem is to implement a new version of IP that uses a larger address space. IPv6 is based on 128-bit addresses. This provides for a total number of IP addresses which, represented exponentially, is 2 to the 128th power. The actual number would take up an entire line of space; it’s safe to say it definitely adds up to “a lot.” However, IPv6 does more than provide for a greater number of IP addresses. It also adds several improvements to IPv4, which will make routing and network autoconfiguration easier. Another concern in creating the new version of IP is to use a more flexible way of organizing addresses that are not dependent on the class structure. Classless InterDomain Routing (CIDR, pronounced “cider”) can be used to overcome some of the problems encountered with the old method of network/ address assignment.
The Market for IP Tod ay IPv4 today serves what some have called the “computer market.” This market has driven the stupendous growth of the Internet over the last decade. It is based on the enormous number of private and public networks that have come into being, including computers of all types: business workstations and servers, home PCs, traditional mobile (laptop and notebook) computers, mini-mainframes, all the way up to supercomputers. This market has grown at an exponential rate, and continues to do so. However, industry experts predict that it will not necessarily be the driving force behind the next phase of growth, and it is that phase for which the next generation of IP must prepare us.
The IP Marketp lace of the Future The computer market described previously is by no means going to disappear. It is logical to assume, however, that it will eventually reach a saturation point, and growth in that sector of the marketplace will stabilize. It is just as likely that other kinds of markets will develop, some of which we might not have imagined a few years ago. These new markets could fall into several categories. The potential offered by new high-speed, low-cost connectivity technologies such as DSL and cable makes it feasible to envision innovations in the near future that were the stuff of science fiction in the recent past. The set-top box, combining television with the Internet, is already a reality. “Smart homes,” with components strategically wired to the Net and capable of being managed from afar, can be built (albeit at a cost too high for the
TCP/IP Overview • Chapter 1
average homebuyer) today. Wireless Internet access via cellular technology is here already. Automobiles that incorporate networked computers are reportedly just around the corner. As impossible as it might seem today, it may be that 20 years from now, we’ll look back at the 1990s as a time when the Internet was small, “only” doubling in number of hosts every year. A new version of IP that will meet this challenge seems more and more of a necessity as we consider the possibilities.
Making the Transition Don’t worry; it’s not likely you’ll wake up one day and suddenly see an announcement that on a particular date, at a particular time, the Internet is switching to IPv6. The new version is expected to replace IPv4 gradually, and the two will coexist for a number of years as the transition occurs. Meanwhile, the groundwork is being laid. All Winsock 2.0-compliant applications will automatically support the IPv6 protocol stack. Microsoft is hard at work developing an implementation of IPv6. Cisco is building routers that will take advantage of the next generation of IP.
NOTE Microsoft Research (MSR) is working on an IPv6 im p lem entation b ased on the Wind ows NT/2000 p latform . An alp ha version of this im p lem entation is p ub licly availab le in b oth source and b inary form s. For m ore inform ation, see www.research.m icrosoft.com /m srip v6/.
For IT Professionals
The 6to4 Protocol The IETF has created a new p rotocol called 6to4, the p urp ose of which is to encap sulate IPv6 p ackets insid e IPv4 p ackets. This will allow networks that m igrate to IPv6 early to b e ab le to send their d ata across the Internet, even if the ISPs they use d on’t yet sup p ort the new version of IP. Many ISPs are now using Network Ad d ress Translation (NAT) to allow for the translation of m ultip le p rivate IP ad d resses, which d on’t have to b e registered , to a lesser num b er of p ub lic assigned ad d resses. For this reason, those ISPs have not b een in a hurry to im p lem ent Continued
13
14
Chapter 1 • TCP/IP Overview
IPv6 su p p o rt . Reco n fig u rin g a ll o f t h eir eq u ip m en t t o u se IPv6 a d d resses w o u ld b e a b ig p ro ject , req u irin g a g rea t d ea l o f t im e a n d effo rt . The recent p op ularity of NAT d evices and software im p lem entations of NAT (along with inexp ensive p roxy software) has taken the ed ge off the urgency of up grad ing, at least for som e com p anies. NAT is b uilt into Wind ows 2000 Server p rod ucts, and a sim p le, “lighter” version of NAT called Internet Connection Sharing (ICS) is includ ed in the Wind ows 2000 and Wind ows 98SE op erating system s. Using one of these, all of the com p uters on a network can access the Internet using just one p ub lic registered IP ad d ress. The new 6to4 p rotocol will solve the com p atib ility p rob lem for those corp orate networks that d o wish to ad op t IPv6 sooner rather than later, and m ay m ake m igration m ore attractive to others, too. The 6to4 p rotocol is installed on a router that serves as a gateway from the IPv6 network to the Internet. It works b y autom atically assigning a p refix to each IPv6 ad d ress, which id entifies it as a 6to4 ad d ress. It then estab lishes a tunnel over IPv6 network.
Change is inevitable (except perhaps from vending machines), and network administrators may as well get ready to greet IPv6 with open arms. Like any major transition, there is sure to be some pain involved. The IETF has designed a migration strategy that defines IPv4 and IPv6 as two different protocols with two separate protocol stacks, and IPv6 was designed for compatibility with the older version so the upgrade could be done over time. DNS and DHCP servers will require updating, and the management of coexisting 32-bit and 128-bit addresses is expected to produce some problems. Resistance is futile; the next generation is upon us.
Netw orking M odels As a network administrator, you are familiar with the common networking models You may have heard of both the OSI model and the DoD model (at the very least, you’ve seen references to them earlier in this chapter). You may even be able to recite from memory the seven layers of the OSI model, or tell how the four layers of the DoD model correspond to them. But do you really understand what the models represent? And do you know the functions of those layers you named? If not, keep reading. We will briefly visit the hallowed halls of Basic Networking Concepts 101 (or, in Microsoft parlance, Networking Essentials) and look at where the models fit into real-life network administration.
TCP/IP Overview • Chapter 1
The Purp ose of the Mod els A network protocol is a set of rules used by computers to communicate. Protocols had to be developed so that two computers attempting to transfer data back and forth would be able to “understand” one another. Some describe protocols as “languages,” but this isn’t entirely accurate and can cause confusion since computer languages are an entirely different concept. A protocol is more like the syntax of the language (the order in which the words are put together) than the language itself.
NOTE The word s "d ata " and "inform ation” are som etim es used interchangeab ly, b ut technically, they are two d ifferent things. In com p uter com m unications, d ata is the series of electrical charges arranged in p atterns that rep resent inform ation. The “d ata" is not the inform ation itself; it is the encod ed form of the inform ation. “Inform ation” is the d ata in usab le form , the d ecod ed form of the d ata that can b e d isp layed as a word p rocessing d ocum ent or an e-m ail m essage or used to m ake a calculation in a sp read sheet.
The first networking protocols were proprietary; that is, each vendor of networking products developed its own set of rules. Computers using a specific vendor’s protocol would be able to communicate with each other, but not with computers that were using the networking product of a different vendor. This had the effect of locking a business in; the business would always need to use the same vendor to maintain compatibility. The solution to this problem was the development of protocols based on open standards. Organizations such as the ISO were charged with overseeing the definition and control of these standards and publishing them so they would be available to any vendor that wanted to create products that adhered to them. The advantage to the consumer is that no longer is he forced to patronize a single vendor. The advantage to the vendor is that its products are more widely compatible and thus can be used in networks that started out using a different vendor’s products. A model provides an easy-to-understand description of the networking architecture and serves as the framework for the standards. The OSI model has become a common reference point for discussion of network protocols and connection devices.
Why Use Layered M odels? As we look at each of the popular networking models, you’ll see that all use layers to represent areas of functionality. In OSI terms, each of the
15
16
Chapter 1 • TCP/IP Overview
layered specifications uses the services of the layer below to build an “enriched service.” The layered approach provides a logical division of responsibility, where each layer handles prescribed functions. This can be compared to the teamwork exhibited by a good assembly-line crew in building an automobile. One worker may be responsible for fitting a wheel onto the axis, another for inserting and tightening the screws, and so forth. There are several advantages to this type of working model: ■
■
■
■
Each worker only needs to be concerned with his or her own area of responsibility. Each worker becomes extremely proficient, through constant repetition, at his or her particular job. Working together in sequence, the team of workers is able to produce the final product much more quickly and efficiently than one person could, or than a group of people with no assigned responsibilities could. If something goes wrong (for instance, if a particular part was put on incorrectly), the supervisor knows who to blame for the problem.
Likewise, when the networking protocols are divided into layers, communication generally flows more smoothly, and when it doesn’t, troubleshooting is easier because you are better able to narrow down the source of the problem to a specific layer. We will examine three networking models: the ISO’s OSI model, the Department of Defense (DoD) TCP/IP model, and Microsoft’s Windows NT model. We’ll start with the most generic and work our way toward the more specific.
The ISO OSI Mod el The OSI model is used as a broad guideline for describing the network communications process. Not all protocol implementations map directly to the OSI model, but it serves as a good starting point for gaining a general understanding of how data is transferred across a network.
Seven Layers of the Netw orking World The OSI model consists of seven layers. The number seven carries many historical connotations; it is thought by some to signify perfect balance, or even divinity. Whether or not this was a factor when the designers of the model decided how to break down the functional layers, it’s safe to say that within the technical community, the Seven Layers of the OSI Model are at least as legendary as the Seven Deadly Sins and the Seven Wonders of the World.
TCP/IP Overview • Chapter 1
The data is passed from one layer to the next lower layer at the sending computer, until the Physical layer finally puts it out onto the network cable. At the receiving end, it travels back up in reverse order. Although the data travels down the layers on one side and up the layers on the other, the logical communication link is between each layer and its matching counterpart, as shown in Figure 1.1. Figure 1.1 Com m unication takes p lace b etween corresp ond ing layers. Sending Computer
Receiving Computer
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Network
Network
Data Link
Data Link
Physical
Physical
Netw ork M edia
Here’s how it works: As the data goes down through the layers, it is encapsulated, or enclosed within a larger unit as each layer adds its own header information. When it reaches the receiving computer, the process occurs in reverse; the information is passed upward through each layer, and as it does so, the encapsulation information is evaluated and then stripped off one layer at a time. The information added by the Network layer, for example, will be read and processed by the Network layer on the receiving side. After processing, each layer removes the header information that was added by its corresponding layer on the sending side. It is finally presented to the Application layer, and then to the user’s application at the receiving computer. At this point, the data is in the form it was in when sent by the user application at the originating
17
18
Chapter 1 • TCP/IP Overview
machine. Figure 1.2 illustrates how the header information is added to the data as it progresses down through the layers. Note that in the foregoing example, the header information that is added by the Application layer is called a “link header,” as is that added by the Data Link layer. These headers mark the first and last headers to be added. The Data Link layer also adds a Link Trailer. Many books teach the OSI layers “upside down”; that is, starting with the bottom layer. In fact, the Physical layer is often referred to as Layer 1, the Data Link as Layer 2, and so on. Other descriptions start (seemingly logically) at the topmost layer. Which way you look at it depends not on which hemisphere you live in, but on whether you’re addressing the communication process from the viewpoint of the sending or the receiving computer. We will examine the process from the top down, as the data is prepared by the sending computer to go out over the cable or other media. We will, however, stick with the standard numbering convention. Figure 1.2 Each OSI layer excep t the Physical layer ad d s head er inform ation to the d ata.
Link Trailer
Data
Link Hdr
Data
Link Hdr
Pres Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Net Hdr
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Net Hdr
Data
Application
Presentation
Session
Transport
Network
Link Hdr
Data Link
Layer 7: The Application Layer Keep in mind that the model describes only the networking components. If you remember that, you won’t make the common mistake of thinking the Application layer represents the user application software. What the
TCP/IP Overview • Chapter 1
Application layer really does is provide the interface and govern the interaction between that user application and the network protocols. The Application layer protocols accept user data for network transport. The data is created by the user application, above the networking layers. For instance, if you want to send an e-mail message, your user application might be Microsoft Outlook (the user program is sometimes referred to as the “user agent”). The user sees only the application interface. You type your letter to Cousin Mary, perhaps you attach graphics files containing photos of the grizzly bear who almost ate Uncle Joe from your last family outing to Yellowstone National Park and click SEND. Assuming you typed the correct email address in the “to” field, you have the software configured properly, your hardware is working, your phone lines aren’t down, and your ISP is on the ball (quite a lot of assumptions, to be sure), the message goes through and lands in Mary’s virtual mailbox. Neither you nor Cousin Mary has to know anything about what the networking components of your respective operating systems are doing in order to communicate via e-mail. That’s because the application itself (Outlook) sends the data (the message you typed) to the Application layer, which takes it from there. The Application layer adds header information, which will be used by the Application layer on the receiving end, and passes it down to the next layer.
Layer 6: The Presentation Layer No, the Presentation layer doesn’t turn the data into PowerPoint slides. However, as the name suggests, it is responsible for the way in which the data is presented, or formatted. The Presentation layer handles such things as encryption (presenting the data in such a way as to keep it from being readable by unauthorized persons) and compression (packaging the data in such a way as to get more of it through at a time). On the receiving side, the Presentation layer is responsible for translating the data into a format understandable by the application and presenting it to the Application layer. Since the Presentation layer handles the very important task of protocol translation, this layer is where many gateways operate. Remember how we said earlier that in order to “talk” to one another, computers need to be running the same protocol? Well, a gateway lets you circumvent this rule. It acts as a translator and allows computers using different protocols to communicate with one another. Examples include: E-mail gateway This software translates the messages from diverse, noncompatible e-mail systems into a common Internet format such as the Simple Mail Transfer Protocol (SMTP). Thus,
19
20
Chapter 1 • TCP/IP Overview
Cousin Mary is able to read your letter even though you were using Microsoft Outlook with an Exchange server and she is on a NetWare network using Groupwise mail. SNA gateway Systems Network Architecture (SNA) is a proprietary IBM architecture used in mainframe computer systems such as the AS/400. An SNA gateway allows personal computers on a local area network to access files and applications on the mainframe computer. Gateway Services for NetWare (GSNW) This software is included with Windows 2000 (and Windows NT) Server operating systems to allow the Windows server’s clients to access files on a Novell NetWare server. It translates between the SMB (Server Message Block) file sharing protocol used on Microsoft networks and NCP (NetWare Core Protocol), the file sharing protocol used by the NetWare networks.
NOTE Although m any gateways op erate in the Presentation layer, d ifferent gateways op erate at d ifferent layers. A gateway can p erform functions seen in any layer of the OSI m od el.
There are almost as many gateway products available as there are different protocol combinations, and more are being developed all the time as interoperability becomes increasingly important in our connectivityobsessed world.
Layer 5: The Session Layer The Session layer handles the task of establishing a one-to-one session between the sending and the receiving computers. The Session layer sets up and tears down application-to-application dialogs, and provides for checkpointing to synchronize the data flow for the applications. The Session layer also controls whether a transmission is established as half or full duplex. Full duplex is bidirectional communication in which both sides can send and receive simultaneously. Half duplex is also bidirectional communication, but the signals can flow in only one direction at a time. To illustrate the difference, think of how a telephone conversation works. Both parties can talk at the same time, and you can still hear the other person’s voice while you’re talking. That’s full duplex. With most two-way radios, when you key the microphone to speak, you can’t hear
TCP/IP Overview • Chapter 1
anything the other person might be saying while you’re speaking. Only one of you can broadcast over the channel at a time. That’s half duplex.
NOTE When the com m unication can only flow in one d irection, and can never flow b ack the other way (unid irectional), it’s called simplex.
Another important responsibility of the Session layer is to define the rules for data exchange between the applications. In this respect, you might think of the Session layer as a referee or mediator who makes sure both parties (the sending and receiving computers) are aware of and agree to follow the “rules of the game” for that particular session. When two family members are at odds and seek counseling to help them communicate with one another, a good counselor or mediator will start the visit by getting both people to agree to certain rules. These might include who gets to talk first, and for how long, as well as the “format” of the communication (i.e., no yelling, screaming, or name-calling). Although computers aren’t known for getting emotional, before they can communicate effectively they also must negotiate communications guidelines. Otherwise, they may bombard each other with too much data to be processed, or both try to “talk” at the same time. The Session layer controls this flow of conversation so that the message will get through clearly. In this way, the Session layer provides for flow control. This usually works quite well. Family counselors undoubtedly wish their jobs were as easy as that of the Session layer protocols. Other duties of the Session layer include providing for data expedition, class of service, and reporting of problems occurring in the Session layer and those above it.
Layer 4: The Transport Layer The Transport layer’s primary responsibility is reliability. It must verify that the data sent arrives at the intended destination, in good condition. It also must have a way to differentiate between the communications that may be coming to the same network address (the IP address) from or to different applications.
Port Num b ers Thanks to the multitasking capabilities of Windows 2000 and other modern operating systems, you can use more than one network application simultaneously. For example, you can use your Web browser to access
21
22
Chapter 1 • TCP/IP Overview
your company’s homepage at the same time your e-mail software is downloading your e-mail. You probably know that TCP/IP uses an IP address to identify your computer on the network, and get the messages to the correct system, but how does it separate the response to your browser’s request from your incoming mail when both arrive at the same IP address? That’s where ports come in. The two parts of an IP address that represent the network identification and the host (individual computer) identification are somewhat like a street name and an individual street number. In this analogy, the port number would identify the specific apartment or suite within the building. TCP and UDP, the Transport layer protocols, assign port numbers to each application so the data intended for the Web browser in Apartment A doesn’t get sent to the e-mail program living in Apartment B.
Connection Service Typ es Two types of connection services are used at the Transport layer: connection-oriented and connectionless. Which is most appropriate for sending a given message depends on whether reliability or speed is of highest priority.
NOTE In TCP/IP com m unications, d ata is sent over the network as a seq uence of datagrams. A d atagram is a collection of d ata sent as a single m essage. Each d atagram is sent across the network ind ivid ually.
A connection-oriented protocol such as TCP offers better error control, but its higher overhead means a loss of performance. A connectionless protocol such as UDP, on the other hand, suffers in the reliability department but, unhampered by error-checking duties, is faster. Connection-Oriented Services.
As a provider of connection-oriented services, TCP first establishes a virtual connection between the sending and receiving computers. This is done through the use of acknowledgments and response messages.
NOTE An acknowled gm ent m essage is som etim es referred to as an “ACK.”
TCP/IP Overview • Chapter 1
The most commonly used analogy for differentiating between connection-oriented and connectionless communications compares different services available from the post office. If you need to send an important report to the manager of your company’s branch office in El Paso, you could put it in an envelope, affix the required amount of postage, and drop it in the corner mailbox. This would be the easiest, quickest way to take care of the task, but you would have no idea whether or when the report reached its destination. On the other hand, you could go to the post office and fill out a card to send the report via registered, certified mail, with a return receipt requested. It would cost more and it would take more time and effort on your part, but it would be a more reliable form of communication. You would get back an acknowledgment when the package was delivered, showing that it was indeed received by the person to whom it was addressed. Connection-oriented services are more like the second example, although they actually go one step further: They establish the connection before sending the data. This would be as if, before you sent your certified mail, you first got on the telephone with the El Paso manager and let him know the report was coming so he could be on the lookout for its arrival. If you’re really detail-minded (or paranoid), you could even ask that he call you back when it gets there, and let you know that all the pages are there in sequence and it wasn’t damaged along the way. You’ve taken pains to make sure your communication is as reliable as possible, but at a cost in time (and long distance charges) to both you and the intended recipient. Connectionless Services
A connectionless transport protocol like the User Datagram Protocol (UDP) doesn’t provide the same acknowledgment of receipt process as the connection-oriented TCP does. Since UDP doesn't sequence the packets that the data arrives in, an application program that uses UDP has to be able to make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange, and thus very little message reassembling to do, may use UDP instead of TCP. For example, DNS hostname lookup messages that will always fit in a single datagram can effectively use UDP. For these very short queries, you don't need all the complexity of TCP; if you don't receive an answer after a few seconds, you can just ask again. UDP doesn't split data into multiple datagrams, as TCP does. It doesn't keep track of what it has sent. Data can be resent if needed, and UDP doesn’t guarantee delivery or protect against duplication. However, it is not completely irresponsible: It does provide for a checksum capability, to
23
24
Chapter 1 • TCP/IP Overview
ensure that data arrives intact, and it provides port numbers to distinguish between the requests sent by different user applications.
NOTE Exam p les of ap p lications that use UDP for com m unication includ e Trivial File Transfer Protocol (TFTP), Routing Inform ation Protocol (RIP), RADIUS accounting, and som e im p lem entations of Kerb eros authentication.
The UDP header is shorter and simpler than the TCP header. It has the source and destination port numbers and a checksum, but it doesn’t include a sequence number, since UDP doesn’t do any sequencing.
Layer 3: The Netw ork Layer Both TCP and UDP, operating at the Transport layer, rely on IP, the Network layer protocol, to actually get the data from the sending to the receiving computer. If you’ve studied the OSI model, you’ve probably heard hundreds of times that routing takes place at the Network layer. Routing is all about recognizing addresses and mapping out the most efficient way to get from one address to another.
The Routing Function You would be performing a function similar to that of the Network layer if you took on the job of navigator on a cross-country automobile trip. Just as TCP and IP, working together, have different responsibilities, you and the driver could divide the duties so that the journey goes more smoothly. It’s the driver’s job to get the car to the destination safely and all in one piece (somewhat like the Transport layer protocols). It’s the job of the navigator to consult a map, determine exactly which highways will take you there, where to turn off one road and onto another, and to consider such factors as the size of each thoroughfare, known areas of congestion, and anything else that might make one route more desirable than another. Likewise, this layer is responsible for finding a path through the network to the destination computer. It is also responsible for translating logical addresses (the IP addresses assigned by an administrator or a DHCP server) and names (like the destination computer’s NetBIOS name “EXCALIBUR”) into physical addresses. The physical, or Media Access Control (MAC), address is burned into a chip on the network interface card by its manufacturer. IP routes messages based on the network number of the destination address. Every computer has a table of network numbers, known as a routing table. If there is a an entry in the routing table for the destination
TCP/IP Overview • Chapter 1
network ID, the computer sends it to a “gateway” address, which represents the first router in the path to the destination. A default gateway address is included in the routing table to send packets to when a specific route to the destination network ID isn’t found in the routing table. The default gateway must be on the same network as the source computer. Each gateway, or router, that the message must go through is called a hop. You might say a journey of a thousand hops begins with a single step: the gateway address listed in the routing table for a particular network number.
Dynam ic Routing It’s easy to map out a route to a friend’s house four blocks away. However, if you’re trying to get to the home of a relative who lives in the backwoods in another state, you may need more than a good map. You may need to call ahead and get directions from someone who has traveled there recently. As networks become larger and more complex, it becomes more difficult to manually maintain routing tables. When this happens, you will want to use a dynamic routing protocol. Dynamic routing protocols automatically update routes on all routers on the network. We will discuss various routing protocols, such as RIP and OSPF, in a later chapter. Routers (whether dedicated devices or Windows NT or 2000 servers acting with IP routing enabled) work at the Network layer.
The X.25 Stand ard Although IP is the best known protocol of the Network layer, another important inhabitant of this layer is the ITU X.25 standard, which specifies the interface for connecting computers on different networks through the use of an intermediate connection made through a packet-switched network. X.25 protocols also correspond to the Data Link and Physical layers of the OSI model.
Layer 2: The Data Link Layer The Data Link layer takes the datagram passed down to it from the Network layer and repackages it into a unit called a frame. The frame includes error-checking information, which is processed by the Data Link layer at the receiving end. This layer is responsible for error-free delivery of the data frames. Figure 1.3 shows how a frame might be structured. The Data Link layer is responsible for maintaining the reliability of the physical link, which is established at Layer One just below it. This is the only layer of the OSI model that is divided into sublayers: the LLC (Logical Link Control) and the MAC sublayers. We will look at each of these individually.
25
26
Chapter 1 • TCP/IP Overview
Figure 1.3 The Data Link layer ad d s a Cyclic Red und ancy Check (CRC) for errorchecking.
Destination Address
Source Address
Control Information
Data
CRC
The Logical Link Control Sub layer The LLC sublayer is charged with ensuring the reliability of the link, or connection. IEEE 802.2 is an LLC standard that operates with the CSMA/CD (Carrier Sense Multiple Access/Collision Detection) and the Token Ring media access standards. Point-to-Point Protocol (PPP) also operates at the LLC level.
The Med ia Access Control Sub layer The MAC sublayer deals with the logical topology of the network. This may or may not be the same as the physical topology, or layout. For instance, IBM Token Ring networks are physical stars, as all computers connect to a central hub (called an MSAU, or MultiStation Access Unit). However, the logical topology is a ring, because inside the MSAU, the wiring is such that the data travels in a circle. A 10BaseT network connecting to an Ethernet hub, on the other hand, is logically a bus (which is why it is sometimes called a star bus). Access Control M ethods
MAC-level protocols govern the access control method, or how the data accesses the transmission media. The popular methods are grouped in three categories: contention methods, token passing, and polling methods. Contention methods include CSMA/CD, used in Ethernet networks; and Carrier Sense Multiple Access Collision Avoidance (CSMA/CA), used in AppleTalk networks. In both cases, computers that wish to transmit data on the network must compete for the use of the wire or other media. A collision occurs if two stations attempt to send at the same time. CSMA/CD and CSMA/CA differ in their ways of addressing this collision problem. With CSMA/CD, data collisions are detected and the data is sent again after a random amount of time. With CSMA/CA, an “intent to transmit” message is put out as a “feeler” before the computer transmits the actual data.
TCP/IP Overview • Chapter 1
Token passing methods eliminate the possibility of collision by using a circulating signal called a token to determine which computer can transmit. A computer on a token passing network is more polite. Rather than blurting out its transmission whenever it has something to say, it waits patiently for its turn (when the token gets around to it) and sends data only when it “has the floor.” Polling methods are similar in some ways to token passing, except that instead of the group of computers policing themselves by passing around a token, there is a central unit that acts as a “chairperson.” This “presiding” unit asks members of the “committee” in turn whether they have something to say. Since the computers follow these “rules of parliamentary procedure,” data transmission proceeds in an orderly fashion. M AC Addressing.
Although the permanent address burned into the NIC is sometimes called the “physical address,” its proper name is Media Access Control address. The MAC sublayer of the Data Link layer also handles MAC addressing functions.
NOTE MAC ad d resses on Ethernet card s are exp ressed as 12-d igit hexad ecim al num b ers, which rep resent 4- b it (6-b yte) b inary num b ers. The first three b ytes contain a m anufacturer cod e, which is assigned b y the Institute of Electrical and Electronics Engineers (IEEE). The last three b ytes are assigned b y the m anufacturer and rep resent that p articular card .
Each computer must have a MAC address that is unique on the network. Higher-level protocols translate IP addresses (also called logical addresses) to the MAC address, which can be thought of as the real network location. Lower-level protocols cannot recognize or use IP addresses. Think of it this way: A city or county may assign a street name and house number to a structure, but this is really only a “logical” address. Logical addresses can be more easily changed. A neighborhood group will petition to have a street renamed, or the city council will change the numbering scheme to facilitate emergency response or to accommodate new construction. The location where the building stands also has a “physical” address: its geographic coordinates. When the land is surveyed, it will be identified by degrees of longitude and latitude, and these will
27
28
Chapter 1 • TCP/IP Overview
remain constant regardless of changes to the street name and number. That physical address is like the NIC’s MAC address; it will (almost always) remain the same.
NOTE Som e network card m anufacturers have m ade NICs that allow you to change the MAC address by “flashing” the card with a special software program . This is a precaution in case you have duplicate MAC addresses on a network because those m anufacturers have begun to “recycle” their addresses.
Data Link Layer Devices There is some confusion among network administrators about the network connectivity devices called bridges that operate at the Data Link layer of the OSI model. Bridges can separate a network into segments, but they don’t subnet the network as routers do. In other words, if you use a bridge to physically separate two areas of the network, it will still appear to be all one network to higher-level protocols. Bridges can cut down on network congestion because they can do some basic filtering of data traffic based on the MAC address of the destination computer. When a transmission reaches the bridge, it will not pass it across to the other side of the network if the MAC address of the destination computer is known to be on the same side of the network as the sending computer. The bridge builds tables indicating which addresses are on which side, and uses them to determine whether to let the transmission across. The confusion comes in because there are different types of bridges. Although all work at the Data Link layer, some operate at the lower MAC sublayer and others at the higher LLC sublayer. There are some important differences. One practical question is whether you can use a bridge to connect network segments that use different media access methods (for instance, an Ethernet segment and a Token Ring segment). The answer is yes or no, depending on which type of bridge you’re referring to. A bridge that operates at the Logical Link Control sublayer, sometimes called a translation bridge, can connect segments using different access methods. However, a lower-level bridge (one that operates at the MAC sublayer) cannot. Either type can connect segments using different physical media (that is, a segment cabled with thin coax and a segment running on unshielded twisted pair).
TCP/IP Overview • Chapter 1
Another device that operates at the Data Link layer is the common switch, or switching hub, which has become very popular on Ethernet networks.
NOTE The switched hub is also called a Layer 2 switch. There are m ore sop histicated switches m ad e b y com p anies such as Cisco System s that op erate at the Network layer and can p erform b asic routing functions in ad d ition to the typ e of switching d escrib ed here.
Like hubs, these switches are central multiport units into which all the computers are connected. Like bridges, the switch keeps a table of MAC addresses, showing which computer is connected to which port. When data comes in, instead of sending it back out to all the computers as the hub does, the switch examines the destination address in the header, consults the table, and sends it only out the port to which the corresponding computer is attached. This cuts down overall network traffic considerably, and helps to prevent collisions.
Layer 1: The Physical Layer To many, the Physical layer is the easiest to understand because it deals with devices and concepts that are more tangible. The Physical layer deals with such things as the type of signal transmission used, the cable type, and the actual layout or path of the network wiring. These are things we can see, touch, or at least easily represent with a drawing or diagram. The functions of the Physical layer devices (NICs, cables, connectors, hubs, and repeaters) are also relatively easy to understand.
Physical Layer Devices Physical layer devices are the stuff of which a networking equipment catalog is made. The basics are deceptively simple: You insert a network card into an expansion slot on each computer, plug a piece of cable into each network card, and plug the other end of each cable into a hub. But leafing through the catalog will reveal that Physical layer issues are a little more complex. Some cable manufacturers offer literally thousands of different cables, and the variety of available network cards and connectivity
29
30
Chapter 1 • TCP/IP Overview
devices is just as overwhelming. Getting a network up and running at the Physical level requires a good bit of knowledge about what works with what, and which hardware type is best for your particular situation. The Network Interface Card (NIC) is the hardware device most essential to establishing communication between computers. Although there are ways to connect computers without a NIC (by modem over the phone lines, or via a serial “null modem” cable, for instance), in most cases where there is a network, there is a NIC (or more accurately, at least one NIC for each participating computer). Bottom line: The NIC must match the bus type for which you have an open slot in the computer, it must be of the correct media access type, it must have the correct connector for the cable your network uses, and it must be rated to transfer data at the proper speed (Ethernet normally transmits at either 10 or 100 Mbps, and Token Ring runs at 4 or 16 Mbps). The Network Media is the cable or wireless technology on which the signal is sent. Cable types include thin and thick coaxial cable (similar to cable TV cable), twisted pair (such as used for modern telephone lines, available in both shielded and unshielded types), or fiber optic (which sends pulses of light through thin strands of glass or plastic for fast, reliable communication, but is expensive and difficult to work with). Wireless media include radio waves, laser, infrared, and microwave. Hubs and Repeaters are connection devices. Repeaters connect two network segments (usually thin or thick coax) and boost the signal so the distance of the cabling can be extended past the normal limits at which attenuation, or weakening, interferes with the reliable transmission of the data. Hubs are generally used with Ethernet twisted pair cable, and most modern hubs are repeaters with multiple ports. Hubs also strengthen the signal before passing it back out to the computers attached to it. Hubs can be categorized as follows: ■
■
Active hubs are the type just described. They serve as both a connection point and a signal booster. Data that comes in is passed back out on all ports. Passive hubs serve as connection points only; they do not boost the signal. Passive hubs do not require electricity and thus won’t have a power cord as active hubs do.
TCP/IP Overview • Chapter 1 ■
Intelligent or “smart” hubs include a microprocessor chip with diagnostic capabilities, so you can monitor the transmission on individual ports.
Recall that there is another type of hub, a switching hub, but it operates at the Data Link Layer rather than the Physical layer.
NOTE The NIC is resp onsib le for p rep aring the d ata to b e sent out over the network m ed ia. Exactly how that p rep aration is d one d ep end s on what m ed ia is b eing used . A Token Ring NIC is d ifferent from an Ethernet NIC, for exam p le. It logically would have to b e, since they use d ifferent access m ethod s. And even though 10Base2, 10Base5 and 10BaseT Ethernet networks all use CSMA/CD as their access m ethod , they use d ifferent cab le and connector typ es; however, it is p ossib le to get a “com b o” card that has connectors for all three.
Signal Transm ission Computers, at the machine level, are amazingly simple; they “think” only in binary, performing rapid calculations on combinations of 0s and 1s. Transferring these binary digits across network media requires a way of representing these 0s and 1s. Luckily, there are many ways to do this. An electrical signal or a pulse of light can indicate 1 when it’s on and 0 when it’s off. This is known as discrete state technology, and digital signaling works this way. Another consideration at the Physical layer is whether the signaling method will use the entire bandwidth of the cable to transmit the data, or will only use one frequency. When all frequencies are used, the transmission method is called baseband. If only part of the bandwidth is used (thus allowing other signals to share the bandwidth), it is referred to as broadband. Traditionally, baseband transmission has been associated with digital signaling, and broadband with analog, but this does not always hold true. For instance, Digital Subscriber Line (DSL) is a high-speed technology offered by many telephone companies for Internet connectivity. DSL is a broadband technology, because it uses only a part of the wire to transmit data. Voice communication can take place simultaneously on the same cable, using a different frequency than is being used by the data communications. Cable television is another example of broadband transmission, bringing dozens of different channels into your home on just one coax cable.
31
32
Chapter 1 • TCP/IP Overview
NOTE Analog signaling—the typ e used b y com m on telep hone lines—transm its b y ad d ing signals of varying freq uency or am p litud e to carrier waves of a p articular freq uency of alternating electrom agnetic current. Unlike the ab solute on/off state, it is rep resented b y a waveform . When d ata is sent over regular p hone lines, a m od em m ust convert the com p uter’s d igital signal to analog and b ack again at the receiving end .
Physical Top ologies Another important Physical layer issue is the layout, or topology, of the network. This refers to whether the cables are arranged in a line going directly from computer to computer (bus), in a circle going from computer to computer with the last connecting back to the first (ring), or in a spoke-like fashion with each connecting directly to a central hub (star). A fourth topology, the mesh, is used when every computer is connected to every other computer, creating redundant data pathways and high fault tolerance, at the cost of increasing complexity as the network grows. Wireless communications can use a cellular topology such as is widely used for wireless telephone networks. In this case, an area is divided into slightly overlapping cells, representing connection points. The physical layout of the network will influence other factors, such as what media access method (and thus what cable type) is used. All the Physical layer factors (cable type, access method, topology, etc.), when considered together, define the architecture of the network. Popular network architectures include Ethernet, ARCnet, Token Ring, and AppleTalk.
The IEEE802 Stand ard s The Institute of Electrical and Electronics Engineers, like the ISO, develops standards. The IEEE 802 specifications address various Physical and Data Link layer issues. Those most pertinent for the average network administrator are: ■
■
■
802.2 Establishes standards for the implementation of the LLC sublayer of the Data Link layer. 802.3 Sets specifications for an Ethernet network using CSMA/CD, a linear or star bus topology, and baseband transmission. 802.5 Sets standards for a token passing network using a physical star/logical ring topology; i.e., Token Ring.
TCP/IP Overview • Chapter 1 ■
■
■
802.7 Establishes criteria for networks using broadband transmission. 802.8 Sets specifications for using fiber optic as a network medium. 802.11 Establishes standards for wireless networking.
The 802 Project was named after the year and month that the original committee met: February 1980.
The DoD Mod el The Department of Defense networking model is older than the OSI, and was developed in conjunction with TCP/IP itself. It is sometimes called the TCP/IP model, but more often referred to as the DoD model. It consists of only four layers, but they can be roughly mapped to the seven layers of the OSI model. The DoD model is illustrated in Figure 1.4. The various protocols in the TCP/IP suite fit nicely into the layers of the DoD model. Remember that the DoD model was designed in the 1970s. The OSI model came along a decade later, with the goal of more specifically defining the layers of functionality for the network components. Figure 1.4 The four layers of the DoD m od el m ap roughly to the seven OSI layers. DOD Model
OSI Model Application Layer
Application/ Process Layer
Presentation Layer Session Layer
Host-to-Host Layer
Internetwork Layer
Network Interface Layer
Transport Layer
Network Layer
Data Link Layer Physical Layer
33
34
Chapter 1 • TCP/IP Overview
The Application/Process Layer The top layer of the DoD model encompasses all three OSI upper layers: Application, Presentation, and Session. Thus, when referring to TCP/IP, you may read that encryption of data or checkpointing and dialog control take place at the Application layer. Remember that this does not mean the OSI Application layer and you’ll avoid confusion.
The Host-to-Host (Transport) Layer The Host-to-Host layer is sometimes labeled the Transport layer, even on four-layer DoD diagrams, and it maps to the Transport layer on the OSI model. TCP, UDP, and DNS operate here.
The Internetw orking Layer This layer corresponds closely to the OSI Network layer. IP, ICMP, and ARP function at this layer. As we discussed earlier, IP deals with routing based on logical IP addresses. ARP (Address Resolution Protocol) translates logical addresses to MAC addresses. This translation is necessary because the lower layers can process only the MAC addresses.
The Netw ork Interface Layer The Network Interface layer maps to OSI’s Data Link and Physical layers. The TCP/IP suite itself has no protocols that operate at these lower layers, but uses the standard Ethernet and Token Ring Data Link and Physical layer protocols.
The Microsoft Wind ows 2000 Networking Mod el While it’s easy to show the relationships between the OSI and DoD layers, the Microsoft implementation of the TCP/IP networking model is a bit different. It includes a new type of layer, a boundary layer, which interfaces between the actual networking component layers. The boundary layers are open specifications, while the component layers in between are operating system-specific. Figure 1.5 shows the Windows 2000 Networking Model. As you can see, a boundary layer acts as an interface between each pair of component layers. It’s no coincidence that the name of each boundary layer ends with the word “interface.” The three boundary layers are: Application Programming Interface ■ Transport Driver Interface ■ Network Device Interface Specification Let’s discuss each of the component and boundary layers in a little more detail. ■
TCP/IP Overview • Chapter 1
Figure 1.5 The Microsoft Wind ows Networking Mod el uses b ound ary layers. Applications and User M ode Services NetBIOS RPC Win32 Winsock
API Boundary Layer File System Drivers Named Pipes Mailslots Redirectors
TDI Boundary Layer Netw ork Transport Protocols TCP UDP ICMP IP IGMP ARP
NDIS Boundary Layer NDIS Wrapper NDIS WAN M iniport Wrapper PPTP X.25 Asynch ISDN
X.25
Frame Relay
Token Ring
ATM
Ethernet
FDDI
The Application and User M ode Services Component This layer contains the supported types of user applications and services, including NetBIOS (Network Basic Input Output System), Remote Procedure Calls, Win32 and its subsystems, and Windows Sockets applications.
NetBIOS NetBIOS specifies a group of network function calls that lets applications on different computers communicate with each other within a local area network. It was originally developed by IBM, then adopted by Microsoft, and has been the basis for Microsoft networking. NetBIOS communications use a destination name (called, appropriately enough, a NetBIOS name) and a message location to get the data to the correct destination. NetBIOS supports a session mode for establishing a connection and transfer of large messages, and a datagram mode for connectionless transmissions such as broadcast messages.
35
36
Chapter 1 • TCP/IP Overview
NOTE Windows 2000 is the first Microsoft operating system that allows for disabling of NetBIOS, although this is feasible only on a network that has fully m igrated to Windows 2000 and uses no NetBIOS network-enabled applications. A hybrid network containing com puters running older Microsoft operating system s or NetBIOS applications will still need to use NetBIOS.
Winsock A Winsock program handles input/output requests for Internet applications in a Windows operating system, using the sockets convention for connecting with and exchanging data between two Application layer processes. Winsock runs as a .dll file (dynamic link library). A .dll file is a collection of small programs, any of which can be loaded when an application needs to use it but isn’t required to be included as part of the application.
NOTE A socket , in TCP/IP com m unications, is the com b ination of an IP ad d ress and a p ort num b er, along with a p rotocol.
The API Boundary Layer The API boundary layer is where the Application Programming Interface (API) operates. An API is the specific method that is set by a computer operating system or an application, allowing a developer, when writing a program, to make requests of the operating system or application.
RPC Remote Procedure Call is what it sounds like: RPC provides a service to application developers to allow for transparent use of a server to provide some action on behalf of the application. Remote procedure calls provide the programmer with a way of hiding an underlying message passing protocol. The RPC protocol was designed to work with IP, but in a way that’s different from TCP. The TCP protocol is used to transfer large data streams (for example, file downloads). RPC was designed for writing network programs, to allow a program to make a subroutine call on a remote machine.
TCP/IP Overview • Chapter 1
NOTE The RPC p rotocol is d ocum ented in RFC 1831, which can b e accessed on the Web at www.freesoft.org/CIE/RFC/1831.
Win32 API The Win32 API is a set of predefined Windows functions that are used to control the appearance and behavior of Windows elements. The API functions are stored as .dll files in the Windows system directory (in Windows 2000, the default system directory is /winnt).
The File System Drivers In the Windows NT architecture, on which Windows 2000 is based, network redirectors are implemented as file system drivers. A redirector is a software component that does what its name implies: redirects a request (in this case, from the local machine out over the network). The Server service and the Workstation service are examples of redirectors. Named pipes and mailslots are also network redirectors. Named pipes is used for connection-oriented communication, and mailslots for connectionless data transfer. The network redirectors allow all file systems to appear the same when accessed across the network, hiding their differences from the user. This is why a Windows 95 machine can read and manipulate files through a network share that are stored on an NTFS partition, even though the Windows 95 operating system does not include an NTFS file system driver and thus cannot itself read an NTFS file.
The TDI Boundary Layer The Transport Driver Interface is another boundary layer. The primary purpose of TDI is to define a standard application programming interface for the transport protocol stacks. That is, the low-level kernel-mode driver implementation of protocols such as TCP/IP and NetBEUI TDI provides for standard methods of protocol addressing, sending and receiving datagrams, and other related actions. TDI is an open specification, and programmers can develop TDI drivers written to the specification, which will make it possible for them to work within the Windows networking architecture.
37
38
Chapter 1 • TCP/IP Overview
The Netw ork Transport Protocol Component The Network Transport Protocol layer is easy to understand and to map to the other networking models. This is similar to a combination of the Network and Transport layers in the OSI model (or the Internetwork and Host-to-Host layers in the DoD model). TCP, UDP, IP, ICMP, IGMP, and ARP operate here.
The NDIS Boundary Layer NDIS (Network Driver Interface Specification) is intended to define a standard API for NICs. All NICs made to be used with the same media access type (such as Ethernet or Token Ring) can be accessed using a common programming interface. The MAC device driver that hides the specifics of the hardware implementation is what makes this possible.
The NDIS Wrapper NDIS includes a library of functions (a wrapper) that can be used by MAC drivers and higher-level protocol drivers (such as TCP/IP). The wrapper functions make it easier to develop MAC and protocol drivers and to hide dependencies on a computer platform. The NDIS wrapper allows the higher-level protocols to work with such Data Link and Physical layer protocols as Ethernet, Token Ring, Frame Relay, FDDI, ATM, and X.25. There is also an NDIS WAN miniport wrapper that interfaces with wide area networking protocols like PPTP and ISDN.
A Family of Protocols: The TCP/IP Suite Although TCP and IP make up the protocol “stack” that gets the messages there, and ensures that they get there reliably, an entire suite of protocols has come to be associated with the name and are included in most vendors’ implementations. Some of these are used to provide additional services, while others are useful primarily as information-gathering or troubleshooting tools. As we address various types of TCP/IP connectivity problems throughout this book, we will be using many of these. The following is just an overview of some additional protocols included with Windows 2000 TCP/IP.
Ap p lication Layer Protocols The TCP/IP suite provides several protocols that operate at the Application layer to provide services such as news, mail and file transfer, and monitoring/diagnostics capability.
TCP/IP Overview • Chapter 1
FTP The File Transfer Protocol is used for copying files from one computer to another. Windows 2000 includes both a command-line FTP client program (see Figure 1.6) and the FTP server service that is installed as part of Internet Information Server 5.0. FTP will be available at the command line only if the TCP/IP transport protocol is installed. Figure 1.6 Using the Wind ows 2000 com m and -line FTP client p rogram to transfer files.
SNM P The Simple Network Management Protocol provides a way to gather statistical information. An SNMP management system makes requests of an SNMP agent, and the information is stored in a Management Information Base (MIB). The MIB is a database that holds information about a networked computer (for example, how much hard disk space is available).
WARNING You m ust b e logged on as a m em b er of the Ad m inistrators group to install the SNMP service.
The SNMP agent software is installed as a Windows Component and runs as a service. SNMP management software is not currently included with Windows 2000.
39
40
Chapter 1 • TCP/IP Overview
Telnet Telnet is a TCP/IP-based service that allows users to log on, run character-mode applications, and view files on a remote computer. Windows 2000 Server includes both Telnet server and Telnet client software. See Figure 1.7 for an example of a Windows 2000 Telnet session. Telnet differs from FTP in that you cannot transfer files from one computer to another (upload or download). Telnet is often used to access a UNIX shell account on an ISP’s server and delete e-mail messages directly from the server without downloading them to the local machine. The Telnet protocol itself is used to establish the initial connection to FTP and SMTP servers from the host’s user agent. Figure 1.7 Using Wind ows 2000’s Telnet client to connect to the iris.irs.ustreas.gov Telnet server.
SM TP The Simple Mail Transfer Protocol is used for sending e-mail on the Internet. SMTP is a simple ASCII protocol and is not vendor-specific.
NOTE For m ore inform ation ab out SMTP, see RFC 821 at www.cis.ohiostate.ed u/htb in/rfc/rfc821.htm l.
TCP/IP Overview • Chapter 1
Because SMTP has limited capability in queuing messages at the receiving end, most e-mail client programs use SMTP for sending e-mail, and either POP3 or IMAP for receiving the messages that come in and are stored on a server.
HTTP The HyperText Transfer Protocol is perhaps the most familiar of the Application layer protocols because it is used on the World Wide Web, the most popular Internet service. HTTP allows computers to exchange files in various format (text, graphic images, sound, video, and other multimedia files) via client software called a Web browser. A computer running a Web server program, such as Microsoft’s Internet Information Server, stores files in HyperText Markup Language (HTML) format that can be accessed by the client browser. These HTML “pages” often contain hyperlinks for quickly and automatically connecting to other files on the Internet, on an intranet, or on the local machine. The current version is HTTP 1.1, which was developed by a committee of the IETF. It contains enhancements that allow for faster transfer of information.
NOTE The sp ecifications for HTTP 1.1 are d efined in p rop osed RFC 2068, which can b e accessed on the Web at www.ics.uci.ed u/p ub /ietf/http /rfc2068.txt.
NNTP Network News Transfer Protocol is used for managing messages posted to private and public newsgroups. NNTP servers provide for storage of newsgroup posts, which can be downloaded by client software called a newsreader. Windows 2000 Server includes an NNTP server with IIS. Outlook Explorer, version 5, which is part of the Internet Explorer software included with Windows 2000, provides both an e-mail client and a newsreader.
41
42
Chapter 1 • TCP/IP Overview
Transp ort Layer Protocols The TCP/IP suite includes two Transport layer protocols, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP As already discussed, TCP is the connection-oriented protocol that should be used when error control is of high priority. TCP provides highly reliable, full-duplex transport services, and supports sequence numbering so that large messages can be broken down and then reassembled at the receiving end.
UDP UDP performs the same basic function as TCP—transport of datagrams— but does so in a “bare bones” manner. It does not acknowledge receipt of the messages, nor does it sequence the datagrams. UDP should be used when speed is a high priority and assured delivery of the messages is less critical.
Network Layer Protocols The suite includes several protocols that operate at the Network layer of the OSI model, including one of the two “lead singers” of the suite: IP.
IP The Internet Protocol handles addressing and routing at the Network level, relying on logical (IP) addresses. It can use packet-switching methods to route different packets, which are all part of the same message, via different pathways. It can use dynamic routing protocols to determine the most efficient routes on a per-packet basis. IP is a connectionless protocol; it depends on TCP at the Transport layer above it to provide a connection, if necessary. However, it is able to use number sequencing to break down and reassemble messages, and uses a checksum to perform error-checking on the IP header.
ARP and RARP The Address Resolution Protocol (ARP) translates the logical IP addresses to physical MAC addresses. ARP discovers this information by way of broadcasts, and keeps a table of IP-to-MAC entries. This table is referred to as the ARP cache. Reverse Address Resolution Protocol (RARP) is a similar protocol that does just the opposite: Instead of starting with an IP address and finding the matching MAC address, it uses the MAC address to find the IP address, somewhat like a “criss-cross” telephone directory.
TCP/IP Overview • Chapter 1
ICM P The Internet Control Message Protocol is known as a “maintenance” protocol and is required in TCP/IP implementations. It lets two computers on an IP network share IP status and error information. ICMP is used by the Ping utility discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000.”
NOTE The stand ard s for ICMP are d efined in RFC 792.
Computers and routers using IP can report errors and exchange control and status information via ICMP.
IGM P The Internet Group Management Protocol (IGMP) allows host computers on the Internet to participate in IP multicasting. A multicast address identifies a transmission session, instead of a particular physical destination. This allows for sending a message to a large number of recipients without the necessity for the source computer to know the addresses of all the recipients. The network routers translate the multicast address into host addresses.
NOTE IGMP was originally d efined in RFC 1112. Extensions have b een d evelop ed and are includ ed in IGMP, version 2, ad d ressed in RFC 2236.
A computer uses IGMP to report its multicast group memberships to multicast routers. IGMPv2 allows group membership terminations to be reported promptly to the routing protocol. IGMP is required to be used in host computers that wish to participate in multicasting.
TCP/IP Utilities In Chapter 4, we will be looking in detail at the following utilities, which are also included in the TCP/IP suite: ■
IPCONFIG
43
44
Chapter 1 • TCP/IP Overview ■ ■ ■ ■ ■ ■
NETSTAT NBTSTAT NSLOOKUP ROUTE TRACERT PING and PATHPING
Basic Netw ork Design This book focuses on troubleshooting issues, and is not meant to be a comprehensive guide to designing a network. However, the best way to deal with trouble is to avoid it in the first place; thus, we will briefly discuss how thoughtful design can make your Windows 2000 TCP/IP network less prone to problems.
Planning as Preventative Med icine Whether you are setting up a brand new network or migrating to Windows 2000 from an earlier Windows NOS or a non-Microsoft NOS, putting some extra time into planning and preparation is likely to pay off in a reduction in time (and frustration) expended on troubleshooting later. Some common problems are specific to particular migration scenarios, and are discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network.” Some general network design issues apply, however, regardless of your situation and individual network characteristics. Let’s take a look at a few of those now.
Testing and Im p lem entation Before you make significant changes to your production network, it is extremely important that you test those changes in a controlled environment. This is true whether you are merely trying out a new TCP/IP-based application or rolling out a whole new Windows 2000 network. Prototyping is also the first step in troubleshooting networking problems. This refers to creating a test environment in which you recreate the problem and can try various solutions without fear that the “cure will be worse than the disease” and cause loss of data or network downtime on your “real” network.
Prototyping Setting up a prototype environment, or test lab, can be your best troubleshooting tool. In this situation, you can test different installation procedures and options before deploying Windows 2000 to your production
TCP/IP Overview • Chapter 1
machines. This will help you to accurately predict any problems that may occur and find solutions to them. The key to the prototype environment is that it should be: ■ ■
Completely independent of your company LAN As identical as possible to the company LAN environment
To create a realistic test environment, you should have a server running the same operating system and other software as your production server(s), and one or more client computers using the same operating system as your network desktop systems, again with all the same software installed. The hardware for the prototype and production machines should also be as identical as possible. Prototyping allows you to uncover problems that might occur in an actual installation scenario, and address them beforehand. This prevents the loss of productivity and inconvenience to employees that would be a result of encountering “surprise” problems during the actual installation. The test lab is useful long after you’ve completed the deployment of Windows 2000. It can be used for troubleshooting problems that occur later, in a controlled and “safe” environment that won’t affect the network’s productivity. It can also be used to plan future upgrades, and as a training ground where administrators can familiarize themselves with the new software
Pilot Programs After you have tested the new operating system in a prototype environment that is isolated from all of your production machines, you may still wish to implement the change on a limited basis first. This will allow you to evaluate the transition in a realistic setting, with actual network users, and uncover problems that may not have manifested themselves in the more controlled test lab. In that case, a pilot program will add another layer of protection before you expose the entire network to potential upgrade problems. It may be best to choose a specific department, or you may find it more beneficial to upgrade the machines of selected users throughout the organization. It is probably best not to do so on a random basis. You will want to consider several factors when deciding which machines to upgrade: ■
One strategy is to choose a department or group that is not involved in mission-critical work, or one that is in a “slow period.” You would not want to select the Tax department for your pilot group if an important filing deadline is just around the corner, or if the company is currently being audited by the IRS.
45
46
Chapter 1 • TCP/IP Overview ■
An alternate method is to compile a pilot group made up of users from different departments who are considered “power users”; that is, those who are more computer-savvy and thus unlikely to panic if problems arise. A group of users with some technical knowledge may also be better able to document problems they encounter and more accurately report them to you.
Rollout Sooner or later, regardless of how little or how much testing you do, you must implement the new operating system throughout the organization. In a large company, you will probably want to do so in phases, and there may even be some users who, by choice or due to budget considerations or other factors, won’t be in the rollout list at all. However you do it, you can anticipate that there will be some problems involved in upgrading any network that has more than a few computers. Things will go more smoothly if you follow a few basic guidelines: Users should be trained prior to the implementation of the new operating system. This can be done through formal sessions in a classroom on-site or by sending them outside the company to classes in using the new operating system. Don’t deploy a brand new operating system that your users have never had an opportunity to use. Plan the rollout to create as little disruption as possible. The actual upgrade could take place on the weekend or during a time when the offices are closed, or when fewer employees are working if the office is occupied around the clock every day. If you can avoid interfering with users’ attempts to get work done, your job will go more smoothly. Always inform users of the upgrade schedule. As a rule, people don’t like suprises. Even those who are looking forward to the upgrade may not be happy to come in to work one Monday morning and find that their operating system has been replaced, without any prior notice or the chance for them to prepare psychologically for the change. Proper planning is always worth the time it requires. By mapping out your installation or upgrade strategy beforehand, and anticipating problems before they happen, you may find that they needn’t occur at all.
TCP/IP Overview • Chapter 1
Summary In the computer industry, time moves at a pace that’s different from the rest of the world. By those standards, the TCP/IP protocol suite has a (relatively) long and venerable history. We can expect it to stay with us for years to come. TCP/IP is the protocol stack of the global Internet. Until that changes, its “job security” is assured. But IP must undergo changes to keep up with the extraordinary growth in the number of computers and networks that has been a hallmark of the 1990s, and is expected to continue well into the next millennium. One problem that must be addressed is the very practical one of providing for enough available IP addresses to ensure that we won’t run out anytime in the near future. IPv6, the “next generation” of the Internet Protocol, was designed with this goal in mind. It is already being implemented in some quarters, and is likely to enjoy a gradual but steady “takeover” until it finally replaces the current implementation, IPv4. TCP/IP as we know it today consists of an entire suite of protocols. To understand how various protocols in the suite work together, we can use one of the popular networking models as a reference point. Models give us a way to graphically represent and better understand the process of communication between computers that share their resources with one another. The Open Systems Interconnection (OSI) model is the current recognized standard. It was developed by the International Organization for Standardization and provides a set of common specifications to which networking components can be designed. Compliance with the standard ensures that products made by different manufacturers will still be able to interoperate. The Department of Defense (DoD) model is the one on which TCP/IP was originally based. It is an older model, and functions are not as finely divided as in the OSI model, but its layers can easily be mapped to those of the OSI model. Microsoft uses a different model, the Windows networking model, which includes a concept that isn’t encountered in the others: boundary layers. Boundary layers are interfaces that are open specifications, and act as “glue” between the component layers of the network operating system software. Understanding the networking models make it easier for administrators to troubleshoot problems with TCP/IP connectivity by helping to narrow down possible sources of the malfunction. The Windows 2000 TCP/IP suite also includes a virtual “toolkit” of utilities, which an administrator can use to gather information and test connections. The first step in troubleshooting is practicing “preventative medicine”; that is, ensuring that the setup of a new network or the migration to a
47
48
Chapter 1 • TCP/IP Overview
new operating system is done in a well-organized fashion. Testing and prototyping, pilot programs, and a thoughtfully-planned rollout strategy will go a long way toward reducing the incidence of troubleshooting that will be required later on.
FAQs Q: Why do some books specify that certain software components, such as redirectors, operate at the Application layer, while others say that redirectors work at the Presentation layer? A: There are a few reasons for the discrepancy. First, there are many different types of network redirectors, some of which are part of the operating system, and others (such as the Novell Client 32 software for connecting a Windows machine to a NetWare network) made by third parties. Additionally, some books reference the OSI networking model, which consists of seven layers, while others are basing their statements on the DoD model, which only has four. A component that operates at the Presentation layer of the OSI model would be operating at the Application (or Application/Process) layer of the DoD model. Q: It’s called TCP/IP. What are all those other protocols, and what are they for? A: TCP and IP are the “core” protocols (sometimes called the “protocol stack”), but an entire suite of useful protocols has grown up around them. Some of these provide for basic functionality in performing such common network tasks as transferring files between two computers (FTP) or running applications on a remote computer (Telnet). Others are used for information gathering (SNMP, NETSTAT, IPCONFIG), and many are troubleshooting tools that also allow you to perform basic configuration tasks (ARP, ROUTE). Q: What is the difference between TCP and UDP if they both operate at the Transport layer? A: Although both TCP and UDP are Transport layer protocols and provide the same basic function, TCP is a connection-oriented protocol, which means a session is established before data is transmitted, and acknowledgments are sent back to the sending computer to verify that the data did arrive and was accurate and complete. UDP is connectionless; no session or one-to-one connection is established prior to data transmission. This makes UDP the faster of the two, and TCP the more reliable.
TCP/IP Overview • Chapter 1
Q: What is the purpose of a networking model? How will knowing this theoretical stuff help me in administering my TCP/IP network? A: The models give us a way to understand the process that takes place when computers communicate with each other across the network, the order in which tasks are processed, and which protocols are responsible for handling which duties. Understanding the models will help you to narrow down the source of your TCP/IP connectivity problems. For example, if you know that the data is being sent but is not arriving at the correct destination, you will know to start troubleshooting by examining what is happening at the Network layer, since that’s where addressing and routing takes place. Q: Why do we need three different networking models? Why can’t everyone use the same one? A: Actually, that was the plan when the ISO developed the Open Systems Interconnection model. It was to be the common standard used by all vendors and software developers in describing the network communication process. The DoD model actually predates the OSI, and the seven-layer OSI model builds on (and further breaks down) the components of the DoD model. However, individual vendors such as Microsoft still use their own models, which map more closely to their software (such as the Windows NT/2000 model), although they also use the OSI model as a guideline. Q: What is a gateway, and why would I need one? A: The word gateway has many different meanings in the IT world. A protocol translating gateway translates between different protocols. Think of it as the United Nations interpreter of the networking world. If the president of the United States needs to exchange information with the president of France, but neither speaks the other’s language, they can call in someone who is fluent in both to help them get their messages across. Similarly, if a mainframe system and a Windows 2000 computer need to communicate with one another—perhaps the mainframe has important files that need to be accessed by the PC— but they don’t know how to “talk” to each other, you can install a gateway to clear up the confusion. The gateway is even more skilled than the interpreter is; it actually fools the mainframe into believing it’s communicating with another mainframe, and makes the PC think it is having a “conversation” with a fellow PC. Gateway is also the term used to refer to the address of a router that connects your network to another, acting as the gateway to the “outside world.”
49
Chapter 2
Setting Up a Window s 2000 TCP/IP Netw ork
Solut ions in t his chap t er: ■
Designing the Netw ork
■
M igrating from Window s NT 4.0
■
M igrating from Novell NetWare
■
Setting Up a Window s 2000 TCP/IP Netw ork from Scratch
51
52
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Introduction The process of setting up a new TCP/IP-based Windows 2000 network can be relatively simple or hopelessly complex. Whether you’re building a brand new network from scratch or migrating to Windows 2000 from another operating system(s), planning is the key. No set formula works in every situation. You may encounter issues in upgrading your NT 4.0 network that will be completely different from those involved in migrating from NetWare or UNIX. If you’re starting at ground zero, constructing a new network where there was none before, you’ll have more options, but that can make your job more challenging instead of less. Fortunately, even though every case is different, there are some general guidelines that are common to all, and design checklists to get you started. Migrating or creating a network is a massive undertaking. A TCP/IP network will usually require more planning than one that runs on IPX or NetBEUI, due to the potential complexity of IP addressing issues. Likewise, planning a Windows 2000 network may require more (or a different type of) planning than one based on NT servers due to the greater complexity of the directory services structure. If a functioning network is already in place and is running a different protocol stack or network operating system, you will face special challenges. Each migration scenario presents its own unique problems and opportunities. In this chapter, we will examine some of the more common situations you may encounter in setting up a new Windows 2000 TCP/IP network, either “from the ground up” or making the switch from another popular network operating system.
Designing a New Window s 2000 TCP/IP Netw ork Good network design is key in preventing later problems. As a network administrator, you may have come to the job too late to have much (or any) input into the design process. If the network infrastructure was already in place when you took on the position, you inherited the problems of your predecessor. Your network may have been carefully and thoughtfully planned, with future upgrades in mind. If so, count yourself lucky. All too often, a network just “grows that way.” As the computing and connectivity needs of the organization expand, a server is added here, a router is installed there, and systems are upgraded in some departments but not in others. The result is a diversity of hardware and software configurations in place
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
throughout the network. This can make for many administrative headaches. In building a new network, you face a lot of hard work, but you have the chance to learn from past mistakes (both yours and those of others who came before you) and do it right. Patience is a virtue, and this is never truer than when planning the design of a new Windows 2000 TCP/IP network.
The Planning Team Two or more heads are often better than one when it comes to putting together an upgrade plan. In all but the smallest organizations, you should first gather a planning team to share the multiplicity of tasks involved and to lend different perspectives in the important early design stages. Your team members should be well versed in the company’s unique needs, the Windows 2000 operating system, and how TCP/IP communication works. In some cases, it may be beneficial to hire outside consultants who are experienced in network design. However, those who will ultimately be responsible for administering the network should be heavily involved in the planning process from the beginning. Some companies make the mistake of asking for a “turn key operation,” thinking this means that no one on staff has to bother with design and setup issues. You pay someone else (usually quite handsomely) to do it all, and a few months later they hand you a complete, ready-to-go-online enterprise-level network. The idea sounds attractive, but it can turn into a nightmare later on. Those who will be working with the hardware and software on a daily basis can give valuable input during the planning stages, which may prevent many common post-deployment problems. Whether you recruit and lead a planning team from within the organization or work closely with an outside group, it’s important that you, the network administrator, be aware of some of the issues involved in establishing a new Windows 2000 network.
Planning the Hard ware Configurations One of the strengths of the TCP/IP protocol stack is that it will run on almost any hardware platform. However, the Windows 2000 operating system has minimum hardware requirements that must be considered in planning any new installation, upgrade, or migration. Hardware-related problems can be mistaken for TCP/IP connectivity problems, so in order to reduce the time spent troubleshooting communication problems, start with the proper hardware.
53
54
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
You can avoid many problems by ensuring that your systems and their components meet the minimum requirements. Check the Hardware Compatibility List (HCL) on Microsoft’s Web site before implementing Windows 2000 on your network. Plan to upgrade hardware that does not meet the requirements, or alternately, to run so-called “down-level” operating systems on those computers (Windows NT or Windows 9x) until they can be upgraded or replaced.
NOTE Hard ware Com p atib ility Lists for all current Wind ows op erating system s can b e found at www.m icrosoft.com /hwtest/hcl/.
In general, Microsoft’s published minimum system requirements to run Windows 2000 include: ■ ■
■ ■
Pentium 133 or equivalent processor 64MB RAM for Windows 2000 Professional; 128MB RAM for Windows 2000 Server/Advanced Server Approximately 1GB hard disk space VGA or better display; keyboard (mouse optional)
These should be taken as absolute minimums, not as recommendations. Optimum performance will require more memory and faster processor(s), especially for heavily-used servers. A Windows 2000 server acting as a domain controller (DC), due to the high overhead required for the Active Directory, realistically requires a minimum of 128 to 256MB of RAM for minimally acceptable performance. Disk space requirements vary widely depending on whether you are installing to a clean drive or upgrading a previous operating system, what file system is being used, and other factors. It is important that you assess your needs carefully, in accordance with budgetary and other considerations.
Planning the Physical Layout The physical layout, or topology, of the network will directly or indirectly influence such things as the type of cabling to be used, the media access control method, the limitations on cable distance, number of nodes per segment, and other “rules and regulations” with which you must comply to meet standard specifications for Ethernet, Token Ring, or other network types.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Numerous excellent resources offer guidance in the implementation of the popular network topologies and architectures. In some cases, the network administrator will be directly involved in selecting cable types and choosing individual pieces of network hardware. In a large network environment, an outside firm may be hired and given an overall “mission,” and granted the authority to make most such decisions. Either way, it is important to ensure that the final implementation complies with ISO, IEEE, and other industry standards, and building codes and other local regulations.
Diagramming the Netw ork Layout One of your most important tasks in planning the physical layout is to diagram the network. There are many excellent software tools, such as Visio, that you can use to visually represent the layout and show the connections of servers, hubs, routers, workstations, and other network devices. See Figure 2.1 for an example of a Visio drawing using the network diagramming templates included with the software. Figure 2.1 A sim p lified sam p le network d iagram .
Wkst1
Wkst2
Wkst3
Hub tacteam.net dev.tacteam.net
Router
Proxy Server
federation.tacteam.net Hub Internet
WkstA
WkstB
WkstC
55
56
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Whether you use diagramming software to construct a professionallooking diagram or simply sketch the network layout manually, how you do it is less important than getting it done. You may be tempted to skip this step if you’re on a tight schedule, thinking you can always come back and create this documentation after the fact. However, the network diagram, properly used, is more than just a record of the network’s design. It is also a planning tool. It is much easier to move devices around and reroute cabling on paper (or on the screen) than it is to lug those heavy pieces of equipment from place to place or manipulate lengths of twisted pair through crawlspaces to “try out” different configurations in the corporeal world. You can save much time, effort, and aggravation by considering different options during the diagramming stage. Remember that later changes to the infrastructure will be expensive and time-consuming, and may result in high indirect costs due to downtime. The physical aspects of the network are its foundation, so get that right from the beginning and you will automatically reduce the chances of problems in the future.
TIP Visio 2000 Enterp rise ed ition will even d iscover and d raw out the network for you! For m ore inform ation, see www.visio.com /visio2000/enterp rise/.
Planning for Sites If you built or worked with wide area networks (WANs) based on NT 4.0 servers, you probably thought of each separate geographic location, such as a branch office, as a “site.” In Windows 2000 TCP/IP networking, the term “site” has a new and specific meaning, and site planning has taken on a new importance.
What Is an Active Directory Site? According to Microsoft, in Windows 2000 a site is defined as “one or more well-connected (highly reliable and fast) TCP/IP subnets that allows administrators to configure Active Directory access and replication topology quickly and easily to take advantage of the physical network.” Sites are published to the Active Directory, which uses the site information in performing replication and responding to service requests. The goal is to improve the efficiency and performance of the WAN.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Note that creating a site is a way of grouping together computers that have a fast connection. A site does not necessarily represent a group of computers that are at the same physical location. The site concept is independent of domain configuration. A site can span multiple domains, or one domain may include computers at different sites. In general, computers in the same TCP/IP subnet will share a fast connection (Microsoft documentation refers to them as “well connected”). Thus when you set up a new Windows 2000 network, subnetting decisions and site planning will go together. Sites are created and configured using the Sites and Services MMC. To access the MMC: Start | Program s | Ad m inistrative Tools | Active Directory Sites and Services.
Figure 2.2 shows how a new site is created with this tool. Figure 2.2 Using the AD Sites and Services MMC to create a new site.
With this tool, you can establish links between two or more sites, set up replication frequency, configure site link cost, create subnets and associate them with sites, force replication over a connection, and perform many other tasks involved in using Active Directory sites.
57
58
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
NOTE Site link costs are d efined b y the ad m inistrator, using relative num b ers. The cost of the rep lication over the link is b ased on the sp eed of the connection, in relation to other links. For exam p le, if two sites A and B are connected with a high-sp eed T1 connection, and sites A and C are connected b y a 56K m od em connection, the “cost” value assigned to the AC link would b e higher than that assigned to A-B.
How Sites Are Used in Wind ows 2000 Networks Once sites are set up, Windows 2000 and the Active Directory use them for three primary purposes: ■ ■ ■
To optimize logon authentication To optimize Active Directory replication To optimize Active Directory enabled services
Op tim izing Logon Authentication Sites are used during domain logon, to optimize the logon authentication process. When a computer initiates logon to the domain, the global catalog (GC) will be searched for a domain controller that belongs to the same site as the computer that is logging on. This minimizes the possibility of computers using a slow WAN link to log on.
Op tim izing Active Directory Rep lication The Active Directory uses Windows 2000 site information in determining how and when to replicate directory information between domain controllers. In Windows NT 4.0 networks, only the primary domain controller (PDC) has a writable copy of the security accounts database, and readonly copies are replicated to backup domain controllers (BDCs) on a regular basis. In Windows 2000 networks, all domain controllers have a complete read/write copy of the Active Directory partition, which contains the security database and other directory information. Since changes can be made to any of these domain controllers, it is important that those changes be replicated to other domain controllers throughout the network to keep each up to date. Replication traffic can become a problem on a heavily-used network, so Microsoft uses the site concept to attempt to achieve a balance and reduce “traffic jams” caused by frequent replication across low-bandwidth links.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Windows 2000 allows the administrator to customize the replication schedule between sites by creating site links. Replication between domain controllers within a site (intrasite replication) can take place at shorter intervals, while replication to domain controllers at remote sites can be scheduled less frequently, and/or configured to occur at low-usage times of the day.
Op tim izing Active Directory Enab led Services Services that use the Active Directory for distribution of information will also show increased performance when AD sites are properly planned and implemented. In a Windows 2000 network, the Active Directory can be used to publish what Microsoft calls “service-centric” configurations to make a service more accessible and easier to manage. When the service is published to the Active Directory, applications can access the directory for information that they can use to access the servers’ services. The advantage is that the client doesn’t have to know which server a resource resides on in order to access it. The request for services is made to the Active Directory itself, which is always located on a domain controller.
TIP The Services nod e is not d isp layed b y d efault in Active Directory Sites and Services. To show it, you m ust op en the Sites and Services ad m inistrative tool and choose “Show services nod e” on the View m enu.
What type of service information would you want to publish to the Active Directory? Most commonly, this would include configuration information. This information is then accessed by the client applications so that less manual configuration of applications is required of users and administrators.
Planning the Nam esp ace An integral part of a Windows 2000 TCP/IP network is the Active Directory namespace. Unlike a Windows NT network, the Windows 2000 namespace is hierarchical. That is, domains are structured in trees, which start with a root domain under which subdomains (called “child domains”) exist, with each child domain incorporating the parent domain’s name as part of its own. Separate trees can be combined into forests in which each tree has a unique namespace, but within which the root domains of all the trees share a transitive trust relationship. Figure 2.3 demonstrates the domain relationships in a Windows 2000 network.
59
60
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Figure 2.3 Two d om ain trees in a Wind ows 2000 forest. shinder.net tree
tacteam.net tree root domains tacteam. net
dev. tacteam. net
shinder. net
fed. tacteam. net
training. shinder. net
efc. training. shinder.net
You will notice that the hierarchical namespace used by Active Directory is patterned after the Domain Name System (DNS) namespace used on the Internet. In fact, DNS (or Windows 2000’s dynamic implementation, called Dynamic DNS, or DDNS) is a required service on a Windows 2000 network using Microsoft’s new directory services. You will want to plan the namespace carefully, considering such factors as: ■ ■ ■
■
Geographic divisions of the company Divisions of administrative responsibility Special needs requiring different domain policies (language and currency differences, for instance) Potential replication traffic
Creation of the namespace should be done in conjunction with the creation of IP subnets and Active Directory sites.
Planning the Ad d ressing Schem e Another important aspect of planning the new network is giving some thought to your IP addressing scheme. For TCP/IP communication to take place, each network interface (which includes each network card in each computer, and each router interface) must be assigned an IP address that
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
is correct for the network segment to which it is attached. In configuring the TCP/IP protocol, it is mandatory that you either enter an address manually or set up the computer to get an address automatically from a DHCP server. You also must configure each TCP/IP computer with a subnet mask, which is used to determine what portion of its IP address represents the network identification and what part represents the particular host computer on that network. If your class A, B, or C network is divided into subnets, the subnet mask must be calculated based on the desired number of network IDs and the desired number of hosts per subnet. For more detailed information on IP subnetting, see Chapter 8, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems.”
NOTE If your network is not sub netted , you can use the d efault sub net m ask for that network class. In d ecim al form , the d efault sub net m asks are as follows: Class A: 255.0.0.0 Class B: 255.255.0.0 Class C: 255.255.255.0
In planning your IP addressing scheme, you need to consider whether you will reserve a block of public addresses so that each computer can access the Internet via a registered address, or whether you will use a proxy server or Network Address Translation (NAT) to provide Internet access to multiple computers through one registered address. Will you assign IP addresses manually, via a DHCP server, or a combination of the two? You must decide whether to divide the network into subnets. Unless it is a very small organization, it’s likely that you will need to do so in order to optimize performance. It will also be necessary to consider the best placement of routers, domain controllers, DNS, WINS, and DHCP servers.
Installing and Configuring Window s 2000 TCP/IP The first step in preventing problems with TCP/IP connectivity is to ensure that the protocols are installed and configured properly. Windows 2000 makes it easy; in fact, TCP/IP is the default networking protocol and is normally installed when you install the operating system. If it was not, or if it has been removed, installing the TCP/IP suite is a straightforward process.
61
62
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Netw ork Design Checklist ❏ Put together a planning team of persons w ho are ■ ■ ■
Knowled geab le ab out how a TCP/IP network works Knowled geab le ab out the Wind ows 2000 op erating system Knowled geab le ab out the com p any’s uniq ue need s
❏ Assess hardw are ■ ■
Check the Hard ware Com p atib ility List Up grad e if necessary
❏ Plan the physical layout of the netw ork ■ ■
■
Select the top ology Check req uirem ents for com p liance with stand ard s and regulations Diagram the network
❏ Plan Active Directory sites ❏ Plan the Active Directory namespace ❏ Plan the IP addressing scheme
Installing TCP/IP on a Wind ows 2000 Com p uter Before beginning the installation process, be sure you have the information that will be needed as you go through the steps. First, you must know whether your network uses a DHCP server or manual IP address assignment. If you are going to assign an address manually, you will need to have the following information: ■
■ ■
■
A valid address for the network segment on which the computer will reside, not currently in use by another computer A valid subnet mask The IP addresses of the DNS and WINS servers that the computer will use for name resolution The IP address of the default gateway (router) for your network segment, if applicable
You should write this information down and keep it with other documentation for the computer, so that if the settings are lost and must be reconfigured at a later time, you will have it at hand.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
NOTE If your network is not routed , the d efault gateway p aram eter is left b lank.
When you have all of the required information, you can proceed with installing the protocols. You will need to configure TCP/IP for each network adapter card that will use the protocol.
TIP The easiest way to find the sub net m ask, gateway, and nam e resolution server inform ation is to look at the TCP/IP configuration screen on another com p uter that is successfully connected on the sam e network segm ent.
The Protocol Installation Process Those who are familiar with installing networking components in Windows NT will find that the interface has changed in Windows 2000. To install TCP/IP (or other protocols), open the Network and Dialup Connections applet: Start | Settings | Network and Dialup Connections
You can then select the icon for the network connection over which you wish to use TCP/IP (or click the Make New Connection icon to create one). In our example, this is our local area network connection (see Figure 2.4). Double-click the connection’s icon and click PROPERTIES. This will open a screen similar to the one shown in Figure 2.5. The Properties sheet will list those protocols and components already installed, and allow you to install, uninstall, and configure the properties of networking components.
WARNING If you uninstall a p rotocol, it will b e uninstalled for all network connections on your com p uter that use this ad ap ter, not just the connection associated with the Prop erties sheet from which you uninstall it. For exam p le, if you uninstall TCP/IP in the VPN connection Prop erties sheet, it will no longer b e availab le for your local area connection. There is no warning m essage inform ing you of this, so b e careful when uninstalling p rotocols.
63
64
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Figure 2.4 Select a network connection for which you wish to install TCP/IP.
To install the TCP/IP protocol, click INSTALL. You will see the screen shown in Figure 2.6. Select Protocol from the list of component types, and click ADD. You will be shown a list of the protocols available for installation, as in Figure 2.7. Click Internet Protocol (TCP/IP), and click OK. The protocol stack will be installed on your computer, and will now show up in the list of protocols on the Properties sheet for the connection.
TIP Unlike Wind ows NT, Wind ows 2000 will not d isp lay TCP/IP (or other com p onents) in the list of availab le p rotocols to b e installed if it is alread y installed , so you cannot install m ultip le instances of the p rotocol.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
65
Figure 2.5 The Prop erties sheet for the local area connection shows which com p onents and p rotocols are installed for this network ad ap ter.
Figure 2.6 The Select Network Com p onent Typ e d ialog b ox allows you to ad d client software, a network service, or a networking p rotocol.
66
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Figure 2.7 Select TCP/IP from the list of availab le networking p rotocols.
Configuring TCP/IP The next step is to configure TCP/IP’s properties. To do so, select it on the Network Components Properties sheet (the same one shown previously in Figure 2.5) and click PROPERTIES. You will see the TCP/IP Properties sheet shown in Figure 2.8. If there is a DHCP server on your network that this computer will use to obtain an IP address, select the radio button to obtain an IP address automatically. Otherwise, you will need to manually configure the IP address, subnet mask, default gateway, and DNS server address(es).
NOTE Even if your network uses a DHCP server, som e com p uters—b ecause of their roles and functions—m ay need to b e assigned static ad d resses m anually. In general, d om ain controllers, DNS and WINS servers, and the DHCP server itself should not use d ynam ic ad d resses.
By clicking ADVANCED, you can add multiple IP addresses and gateways, fine-tune DNS and WINS settings, and enable and configure IP Security (IPSec) and TCP/IP filtering. These issues will be discussed in later chapters in conjunction with troubleshooting addressing, name resolution, and security problems.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Figure 2.8 Use the TCP/IP Prop erties sheet to assign ad d ressing inform ation.
TIP After installing and configuring TCP/IP, you m ay need to reb oot the com p uter in ord er to log on to your Wind ows 2000 d om ain.
TCP/IP Installation and Configuration Checklist ❏ Gather needed information ■ ■
DHCP server ad d ress or IP ad d ress to b e m anually entered , DNS and WINS server ad d resses, sub net m ask, and d efault gateway (if ap p licab le)
❏ Install the TCP/IP protocol ❏ Configure the TCP/IP protocol
67
68
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Upgrading to Window s 2000 from Window s NT 4.0 Microsoft designed Windows 2000 as the successor to Windows NT 4.0, thus some thought and planning were given to providing a viable upgrade path. You may find, however, that restructuring your NT 4.0 network prior to the upgrade will make the transition to Windows 2000 go more smoothly. There are several NT domain models, and some will be easier to upgrade than others. In particular, you may find it expedient to combine several NT domains into one before the upgrade. A Windows 2000 network generally requires fewer domains than NT networks. This is because in Windows NT networks, the domain was the smallest security entity. If you wished to decentralize administrative authority, you needed to create separate domains. Windows 2000 allows for more granular assignment of administrative privileges. Organizational units (OUs) can be created and control over different OUs given to different persons without making them administrators over the entire domain. Another reason for creating new domains in an NT network was the limitation on the number of security principals (user and group accounts) that could exist in a domain. Since Microsoft recommended that the Security Accounts Database not exceed 40MB in size, for practical purposes an NT domain could only contain about 40,000 accounts, which represented the total of user, computer, global group, and local group accounts. With Windows 2000, security information is kept in the Active Directory, which can hold literally millions of security objects.
NOTE Com p aq Corp oration has b een ab le to run successful sim ulations of Wind ows 2000 Ad vanced Server with up to 16 m illion security p rincip les!
The Wind ows NT Dom ain Mod els In Microsoft networking, a domain is a basic security unit, with a unique name, which provides access to the centralized user accounts and group accounts maintained by the administrator of the domain. Each domain has its own security policies and security relationships (called trust relationships) with other domains. Domains can span multiple physical locations.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Four basic domain models are recognized in NT server-based networking: ■ ■ ■ ■
Single domain Single master domain Multiple master domains Complete trust
Let’s look at each of these in the context of preparing for an upgrade to Windows 2000.
Single Domain The single domain model is simple. As the name implies, the network consists of one domain to which all user accounts and resources belong. See Figure 2.9 for an illustration of a simple single domain network. Figure 2.9 In the single d om ain m od el, all users log on to one d om ain, and all resources are located in the sam e d om ain.
User Accounts
Single Domain Resources on
Log o
n
Logon
g Lo
User
User
User
Obviously, no combining of domains is necessary in this situation.
Single M aster Domain In the single master domain model, the network is structured into two or more domains, with all user accounts placed in one domain, called the master domain. All users log on to the master domain. Other domains,
69
70
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
which can hold computer accounts, shared files, printers, and other network resources, are called resource domains. Figure 2.10 shows the relationships of domains in the single master model. Figure 2.10 In the single m aster d om ain m od el, all user accounts are in the m aster d om ain, and resource d om ains trust the m aster d om ain.
User1
Lo g
User2
User3
on g Lo
User4 on
Master Domain
Resource Domain 1
Resource Domain 2
Solid black arrows indicate trust relationships. In this illustration, the resource domains are shown trusting the master domain, which means users in the master domain can access shared files, printers, and so on in the resource domains.
NOTE In NT, the trust relationship is one-way. In a m aster d om ain m od el, resource d om ains d o not have access to shares in the m aster d om ain.
The advantage of this model is that user accounts can be managed centrally, while departments or divisions can still manage their own resources.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
M ultiple M aster Domains The multiple master domain model is an extension of the single master model. In this case, there are two or more master domains into which the user accounts are placed. This is a way of scaling the master domain concept to a large enterprise network, in which there are too many user accounts to fit into a single master domain. An example of the multiple master domain model is shown in Figure 2.11. Figure 2.11 In the m ultip le m aster d om ain m od el, user accounts resid e in m aster d om ains, which trust each other, and each resource d om ain trusts all m aster d om ains.
User
n
Logon
o Log
Master Domain 1
Resource Domain 1
User Logon
User Logon
User
Master Domain 2
Resource Domain 2
Resource Domain 3
Another reason for creating multiple master domains is to delegate administrative authority over the user accounts to different administrators. For example, a company has two distinct divisions, and each wants to maintain exclusive control over its user accounts. The company also wants all users from both divisions to be able to access resources throughout the parent company. The multiple master domain model would be appropriate in this situation.
71
72
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Complete Trust The complete trust domain model certainly sounds good. After all, trust is the foundation of every good relationship, right? In this case, it turns out to be another one of those things that seems better in theory than in practice. The complete trust domain model usually ends up being an administrative nightmare. This is because, unlike the master and multiple master models, there is no hierarchical organization to the complete trust. Every domain has two one-way trust relationships with every other domain in the network. User accounts can be located in any domain, as can resources. As the number of domains increases, this model becomes more and more unwieldy and difficult to manage. There is no centralized control. Instead, each domain contains its own security groups and administrators. See Figure 2.12 for an illustration of how a complete trust works. Figure 2.12 In the com p lete trust d om ain m od el, all d om ains can contain b oth users and resources, and there are two one-way trust relationship s b etween every d om ain and every other d om ain.
Users
Users
Domain 1
Domain 2
Resources
Resources
Domain 3
Resources Users
The complete trust is used less often than the other domain models. As you can see from the illustration, the number of trusts will expand exponentially as additional domains are added to the network. Even with only three domains, six trusts must be created and managed. Adding just one more domain, for a total of four, will increase the required number of trusts to 12.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
TIP To calculate the num b er of trusts created b ased on the num b er of d om ains, you can use the eq uation N2 – N, where N rep resents the num b er of d om ains.
Which M odel Is Easiest to Upgrade? In regard to planning for the upgrade of a Windows NT network to Windows 2000, Microsoft’s recommendations focus on the benefits of having fewer (but larger) domains. These domains should also fit into the hierarchical structure of the Active Directory domain tree(s) that you plan to implement. Remember that the AD namespace is based on DNS naming, and in that respect is very different from the NT domain model’s flat namespace. The ideal domain model, then, would correlate exactly to the structure of your DNS and Active Directory design. The single domain network will generally be the easiest to upgrade, but it may not be possible to achieve in a large organization. You can, however, look at the possibility of reducing the number of domains necessary in light of Windows 2000’s new administrative features. If your present network consists of more domains than is ideal for the Windows 2000 network you are planning, there are ways to combine multiple domains into one and restructure the network, either before or after the operating system upgrade.
Com b ining Dom ains b efore the Up grad e In most cases, you will find it easier to wait until after the upgrade to combine domains. However, if you have a very large number of domains to be combined, there may be benefits to starting the project before the new operating system is rolled out. You can expect greatly increased demands on the IT department’s time after the upgrade, so doing some of this work beforehand could offset some of the burden later. Remember that if you choose to combine domains before upgrading, you are still limited by NT’s restrictions on the size of the security accounts database. Be sure the combined domain(s) will not exceed the 40MB recommended maximum. When you combine NT domains, this involves moving the user and group accounts, updating permissions, rights, and group memberships, moving computer accounts and resources, and shutting down and
73
74
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
decommissioning the domain controllers in the abandoned domain. There are NT 4.0 resource kit utilities to help you accomplish these steps: ■
■
■
ADDUSERS.EXE can be used to move user accounts to another domain by speeding the process of creating a new user account in the domain to which the users are moving for each user from the domain to which they originally belonged. This tool can also be used to move global groups and to update the memberships for local groups in the new domain. NETDOM.EXE and SHUTDOWN.EXE can be used to move computer accounts. NTRIGHTS.EXE can be used to update user rights.
The easiest way (which still can’t really be called “easy”) to combine NT domains is to move everything from the domain to be eliminated into the domain that will remain (and absorb the resources of the other). Combining more than two domains into one is more complex. Essentially, it should be handled as a series of two-into-one combinations (that is, if you wish to combine Domains 1, 2, and 3, you would first combine Domains 1 and 2, and then combine the resulting domain with Domain 3).
Com b ining Dom ains after the Up grad e If you choose to wait until after the Windows 2000 upgrade to combine domains and restructure your network, your goal will be to fit your new domain structure to your Active Directory namespace. You may wish to create a domain tree, with some of your old domains becoming child domains under the tree’s “root.” Or, you may want to combine resource domains or collapse them into other domains. This can be done by placing their resources into OUs within a single domain, and assigning administrative authority for the OUs. You then have the same administrative delegation that was formerly accomplished by putting resources into separate domains. The Windows 2000 resource kit contains the following tools to help you perform these tasks: ■
■
SHOWACCS.EXE and SIDWALK.EXE can be used to update permissions. Security Migration Editor is a snap-in for the MMC console that works in conjunction with SHOWACCS.EXE and SIDWALK.EXE.
If you want to move a subtree of objects (OUs and their contents) from one Windows 2000 domain to another, you can use the MOVETREE command-line utility to do so. You will need to use NETDOM to join computer accounts to the new domain.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
NOTE There are third -p arty utilities availab le that are d esigned sp ecifically to help you reconfigure your d om ains. Fastlane Technologies’ DM/Ad m inistrator, Sim ac Enterp rise Suite, and Aelita’s Dom ain Reconfiguration Wizard are just a few of the m any tools availab le to ease the task of sp litting, consolid ating, or reconfiguring d om ains.
Other Pre-Up grad e Issues Another important (and sometimes overlooked) consideration when you upgrade to Windows 2000 is to ensure that all needed applications are compatible with the new operating system. Even if your hardware meets or exceeds all system requirements, and every component is on the Hardware Compatibility List, this only means you will be able to install the operating system itself. However, it’s the application programs that allow you to actually do the work, so the nice new operating system won’t do you much good if the applications your users need won’t run on it.
Window s 32-Bit Applications Most Windows 32-bit applications work on both Windows 9x and Windows NT. However, not all programs that run on Windows 9x will work with NT. Although both use the Win32 API, there are differences in implementation. Don’t assume that just because an application works with Windows NT, it will also work with Windows 2000. Although a large number of such applications will run with no problems, some will not. This is especially likely in the case of proprietary programs that are specific to a particular industry or special purpose. Some popular third-party programs will not recognize Windows 2000 and will refuse to install altogether. Others will go through the installation process but then will not open. Still others will appear to install properly, but will lock up or cause errors.
DOS Applications Many businesses still use DOS applications, often written to serve a very specific purpose. Many DOS applications will work correctly with Windows 2000. However, those that try to access the hardware directly, or that require the FAT file system, may not be usable on Windows 2000 computers. Upgrading the operating system may present a good opportunity to assess the viability of some of these older programs with a look
75
76
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
toward upgrading or replacing them. This is especially true in light of Y2K compliance issues, since many DOS applications use the two-digit date system and may encounter problems with the year 2000.
Window s 16-Bit Applications Since Windows 16-bit applications were designed to run on the Windows 3.x shell on top of the DOS operating system, you may encounter some of the same problems that can be expected with DOS applications. Win 16 applications that require virtual device drivers will not be able to run on Windows 2000. Another problem with 16-bit applications stems from the cooperative multitasking method used by Windows 3.x, in which the applications share a memory space. This can cause lock-ups and other problems if you run several 16-bit programs simultaneously, since by default in Windows 2000, they will all run in one virtual machine. Luckily, Windows 2000 provides a way for you to work around this problem by opening each Win 16 application in its own separate memory space.
OS/2 and POSIX Application Support in Window s 2000 Windows NT included support for both OS/2 version 1.x programs and POSIX-compliant applications. Windows 2000 also provides limited support for these applications; however, in most cases, it would be beneficial to upgrade or replace such programs, since they are not able to take advantage of the Windows 2000 environment.
The Wind ows 2000 OS/2 Sub system The OS/2 subsystem can be configured using an OS/2 editor to add config.sys commands to the c:\Config.sys file. These commands only affect the OS/2 subsystem. Remember that Windows 2000’s OS/2 application support, like NT’s, is limited to version 1.x programs only. These are textmode programs. Applications written for OS/2 1.x that require the Presentation Manager graphical user interface are not supported.
The Wind ows 2000 POSIX Sub system The Portable Operating System Interface standards (POSIX) were designed to provide a set of criteria that would allow applications developers to build applications that could be easily ported to other systems. The POSIX compliance requirements, such as support for case-sensitive file names and hard links, are based on UNIX. Many government agencies adopted software specifications that required adherence to the POSIX standards, which is the reason Microsoft included the subsystem in its operating systems. As with OS/2 applications and many DOS and Win 16
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
applications, you will probably find it beneficial to upgrade such software or replace it with a more modern application that accomplishes the purpose.
For IT Professionals
What in the Heck Is a Hard Link, Anyway? The concep t of “hard links” is a m ystery to m any network ad m inistrators who have stud ied and worked p rim arily with Microsoft p rod ucts. Unless you have UNIX exp erience, you m ay wond er what the term m eans and how these links d iffer from regular old shortcuts in the Wind ows op erating system s. Hard links are usually associated with UNIX, which also has som ething called “soft links.” The soft link is also referred to as a sym b olic link, or alias, and the Wind ows shortcut is m ore like the soft link. A hard link is a real alternate nam e rather than an alias. If a hard link exists, rem oving the original d irectory d oesn’t free up the d isk sp ace, b ecause it still exists along the alternate p ath created through the hard link. Every file in UNIX has som ething called an “inod e” id entifying it. A d irectory entry m ap s a filenam e to its inod e. Creating a hard link to a file ad d s another d irectory entry p ointing to the file’s inod e. A file can have one or m ore nam es p ointing to it, and there is no d ifference b etween earlier or later links. When you d elete a file, you are actually only d eleting one link to a file. A file is only truly d eleted on the system when it has no links to it. On the other hand , if you d elete the original file that an NT shortcut p oints to, the shortcut b ecom es invalid .
Application Support Summary The only ways to be certain that your mission-critical applications will work with Windows 2000 are: ■ ■
Run only applications that have earned the Microsoft logo, or Test the applications thoroughly and completely in a prototype environment before installing them on Windows 2000 production machines.
77
78
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
It is also a good idea to check out the Web site or call the manufacturer of the software to find out if there are any known compatibility issues. Some vendors may provide update patches and “fixes” that will address these problems.
Com m on Up grad e Prob lem s There are many benefits to upgrading an existing operating system instead of starting over with a fresh installation. If all goes well, an upgrade will take less time because your original settings will be preserved and you won’t, for instance, have to configure your TCP/IP properties and reinstall and configure your programs. The downside of upgrading is that any problems in the original operating system are likely to be carried over (and maybe magnified) in the new one. If there are compatibility problems, you may find that trying to untangle and fix them results in the upgrade taking far more time than a clean installation and reconfiguration would have taken. Tuning and thoroughly cleaning out extraneous files on the system before the upgrade can prevent many upgrade problems. Address any applications or operating system problems before deploying the upgrade, rather than just hoping the upgrade itself will repair them.
Window s NT to 2000 Upgrade Checklist ❏ Assess the current Window s NT domain model ❏ Determine if any domains can be combined ❏ Combine resource domains prior to the upgrade ❏ Upgrade the operating system ❏ Combine domains after the upgrade ❏ Assess current user applications and upgrade or replace if necessary
M igrating to Window s 2000 from Novell NetWare For many years, Novell NetWare dominated the PC network operating system market, and many current NT networks still have NetWare file and
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
print servers as part of the network. You may find yourself in the position of migrating an entire NetWare network or a number of NetWare servers to Windows 2000. The first step is to determine whether you will migrate all of your NetWare accounts to Windows 2000, or continue to use NetWare servers on the network in a “hybrid” environment. (See the section “Peaceful Coexistence: The Hybrid Network Environment,” later in this chapter for tips on how to accomplish the latter.) If you wish to implement a pure Windows 2000 environment, you can use the Directory Services Migration Tool, included with Windows 2000 Server, to transfer user and group accounts, permissions, and files from a NetWare server to your Active Directory (see Figure 2.13). The Migration Tool includes a wizard to walk you through the process of selecting objects to be migrated. We will look at how the tool is used later in this chapter. Figure 2.13 The Directory Service Migration Tool is used to transfer accounts, p erm issions, and files from a NetWare Server to the Active Directory.
Und erstand ing the NetWare Im p lem entation of TCP/IP The TCP/IP protocol stack is a standard which works with a large variety of operating systems and platforms. However, each vendor implements the protocols in a slightly different way. Although Novell included limited TCP/IP support in NetWare as early as version 3.0, NetWare networks traditionally ran on the IPX/SPX protocol stack. This had advantages; in many ways, IPX/SPX seems to be the ideal protocol choice. It is faster and more streamlined than TCP/IP, and
79
80
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
considerably easier to configure. Yet, unlike NetBEUI, it can be used in routed networks. Unfortunately for IPX/SPX, it lacks one of TCP/IP’s most important characteristics: Internet connectivity. Novell came to the realization that resistance was futile, and incorporated better support for TCP/IP. NetWare 5 is the first version that allows for a “pure IP” environment; IPX/SPX is not required. The architecture of the typical NetWare LAN maps loosely to the OSI model (remember that TCP/IP is based on the DOD model). TCP/IP is run on a NetWare server via the TCPIP.NLM (NetWare Loadable Module), which must be loaded and configured. NetWare 5 includes Novell’s implementation of the Simple Network Management Protocol (SNMP), and the TCPCON utility for monitoring and managing SNMP agents and gathering TCP/IP information. You may want to copy down the TCP/IP configuration information from your NetWare server, for reference in setting up the new Windows 2000 server. You can use TCPCON and NetWare’s CONFIG command at the server console to obtain information about the NetWare machine’s TCP/IP configuration.
Prem igration Issues There is, of course, no “upgrade” path from NetWare to Windows 2000. It would be nice if we could install Windows 2000 over NetWare and retain network settings, applications, and so on, but it’s not (and likely never will be) that easy. If your NetWare servers are only file servers, the task of switching over to a pure Windows 2000 network will be less of a chore. The migration tool will help you in moving your security accounts and files to the new Windows 2000 server.
Using the Directory Services M igration Tool The Directory Services Migration Tool (DSMT) replaces the NetWare conversion utility (NWCONV.EXE) that was used with earlier versions of NT. DSMT is an MMC snap-in that is used to migrate bindery or NDS information, or both, to a Windows 2000 Active Directory. With the DSMT, you can migrate user accounts, group accounts, permissions/rights, files, and container structure. You can perform the migration on a project-by-project basis, so that one department or one object type (such as files) can be migrated now, and another project implemented later. Thus, the migration can be completed in phases. The migration tool gives you several options in moving the accounts or files. For instance, when migrating user accounts, you can choose to have a unique password randomly generated for each user, to have no
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
passwords assigned, to have each user’s logon name set as the password for the account, or to assign each user the same custom password. These choices are easy to make in the Options Property sheet for each project (see Figure 2.14). Figure 2.14 The Directory Services Migration Tool Prop erty sheet lets you select m igration op tions.
Other options include how to handle duplicate directories and files (a directory or file that is being migrated from the NetWare server already exists on the Windows 2000 Server), verification of the NDS tree metrics, and how to merge properties of existing objects. The migration tool works by letting you select the objects to be migrated, then create an offline database, and finally export the offline database into the Active Directory.
NOTE Third -p arty utilities such as OnePoint EA’s Dom ain Ad m inistrator tool, b y Mission Critical Software (MCS) in Houston, TX, are d esigned to autom ate the m igration from NetWare to Wind ows 2000. For m ore inform ation, see www.m issioncritical.com .
81
82
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Com m on Migration Prob lem s In a perfect world, every migration would go smoothly and quickly, and all information would be transferred completely and accurately. The migration tool works well most of the time, but there are a few common problems you may encounter. For example, if naming conventions differ between the NDS and Active Directory trees, you may have to “fine-tune” the data while you’re in the offline mode before you export the database into the Active Directory. In the offline database, you can right-click any of the objects and add, delete, or modify the object’s properties.
NetWare to Window s 2000 M igration Checklist ❏ Determine w hether to migrate all NetWare accounts to Window s 2000 or maintain a hybrid netw ork
❏ Use the Directory Services M igration Tool to migrate NDS or bindery information to the Active Directory
❏ M igrate files from the NetWare server to the Window s 2000 server
M igrating to Window s 2000 from UNIX UNIX is a much older operating system than Windows or NetWare. It is considered to be more stable, although somewhat more difficult to learn and use. UNIX has been the operating system of choice for very large networks, as it has been more scalable than the newer network operating systems (NOSs). However, UNIX is not without its disadvantages. Although there are graphical interfaces available, it does not have the sophisticated “pointand-click” ease of operation found in the Windows server family. Cost can be a factor as well. Although some versions, such as Linux and Free BSD, are available at no cost, other implementations, such as Sun Solaris, IBM’s AIX, and Hewlett-Packard’s HP/UX, can be quite expensive to deploy and support. But perhaps the greatest drawback to UNIX is what some consider its biggest strength: open source code. Open source has led to many similar, but different, “flavors” of the operating system, which are not necessarily compatible with one another. Microsoft has positioned Windows 2000 as a more cost-effective and easier-to-use NOS that, with the enhancements that Windows 2000
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
brings to its support of enterprise networking, can be a viable alternative to UNIX for large organizations with complex networks. Migrating from a UNIX to a Windows 2000 environment will present many challenges, and is probably best done in phases for all but the smallest networks.
Und erstand ing the UNIX Im p lem entation of TCP/IP UNIX is the native platform of the TCP/IP protocol suite. When TCP/IP was developed in the 1960s to be the protocol of the ARPAnet, that network was comprised of university and government computers running the UNIX operating system. In fact, the University of California at Berkeley, which developed the BSD version of UNIX, played a big role in the development of TCP/IP. You might say the two grew up together.
Summoning the Daemons In UNIX, daemons are programs that run all the time, and service requests from all computers. A daemon can also forward requests to other programs if necessary. Daemons are comparable to Windows NT/2000 “services.” An example of a daemon is LPD, the line printer daemon that runs on a UNIX print server. The bootpd daemon is the UNIX bootp program, and the bootpgw daemon is used to set up a UNIX computer as a bootp relay agent. UNIX supports BIND-based DNS, and DHCP programs are available for various UNIX versions. The /etc/services file is used by UNIX to map port names to numbers and determine what daemons run on which ports.
UNIX TCP/IP Utilities Each of the different UNIX versions implements the TCP/IP stack in a slightly different way, but in most cases, the commands are the same. Many of the TCP/IP utilities that originated with UNIX have been ported to the Windows and NetWare operating systems’ implementations of the protocol. You will also see some TCP/IP tools and commands in various flavors of UNIX that you may not be familiar with if your only exposure to TCP/IP has been with Microsoft and Novell products. Following are some of the “extras” you’ll find on UNIX systems: ■
snoop This command is found in Sun Solaris, and acts somewhat like a protocol analyzer, allowing you to see information about Internet packets that are going across the network cable in real time.
83
84
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork ■
■ ■
tcpdump Similar to snoop, but found on BSD versions of UNIX and some versions of Linux. dig A tool for troubleshooting DNS problems. ripquery Used to obtain information about RIP packets.
UNIX to Window s 2000 M igration Checklist ❏ Install Window s 2000 domain controller(s) ❏ Gather information from UNIX servers to be used in recreating accounts
❏ Recreate user accounts in Window s 2000 domain(s) ❏ Install user applications ❏ Determine Window s 2000 services to take over functionality of UNIX daemons
❏ Implement Window s 2000 services (DNS servers, DHCP servers)
❏ M igrate files to Window s 2000 servers
Peaceful Coexistence: The Hybrid Netw ork Environment Some people (and companies) find it difficult or impossible to “forsake all others” and make a commitment to a ”one and only”; in this case, to one NOS. It may be a budgetary consideration or there may be special factors, such as an application that runs only on a particular operating system. Whatever the reasons, many networks will continue to be “hybrid environments,” with different server types existing (peacefully or otherwise) on the same network. Microsoft has provided several interoperability tools with Windows 2000 that make it easier to connect to servers running other NOSs, as well as services to allow client machines running “foreign” operating systems to access the Windows 2000 network.
NetWare Interop erab ility Because Novell NetWare still has a strong presence in many LANs, and because many companies will wish to keep their NetWare file and print
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
servers even when upgrading their NT servers to Windows 2000, Microsoft included a number of features for connectivity with NetWare networks.
Client Services for NetWare (CSNW) Like Windows NT, Windows 2000 includes a network redirector that can be installed on Windows 2000 Professional computers to allow them to connect directly to NetWare versions 2.x, 3.x, 4.x, or 5.x servers. CSNW is 32-bit NetWare client software that can be used in place of Novell’s Client 32 to allow access to NetWare files and printers. A user accessing a NetWare server via CSNW must have a valid user account set up on the NetWare server, with appropriate permissions assigned.
WARNING CSNW and Client32 will not p eacefully coexist on the sam e com p uter; you m ust m ake a choice to use one or the other. If you install CSNW on a Wind ows 2000 m achine, ensure first that any other NetWare clients have b een rem oved .
Gatew ay Services for NetWare (GSNW) Members of the Windows 2000 Server family include Gateway Services for NetWare (GSNW). When installed on the Windows 2000 Server, GSNW allows the Windows 2000 server’s clients to go through the “gateway” to access a NetWare server without installing any NetWare client software on the client machines. The “catch” is that all the clients going through GSNW will have the same permissions, as they all use the same NetWare user account.
NetWare Protocol Support Windows 2000 includes NWLink, which is Microsoft’s IPX/SPX-compatible transport. IPX/SPX was required for NetWare networking prior to NetWare, version 5. Windows 2000 remote access servers are also capable of IPX routing and can act as SAP (Service Advertising Protocol) agents.
File and Print Services for NetWare Windows 2000 servers can run FPNW (File and Print Services for NetWare) to allow a NetWare server’s clients access to resources on the Windows 2000 Server. No Microsoft client software is required to be installed on the client computers. This software is not included with Windows 2000 Server, but may be purchased separately from Microsoft.
85
86
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
Troubleshooter Windows 2000 includes a CSNW/NetWare connectivity troubleshooting tool that helps you to pinpoint and find solutions to problems involving access to NetWare servers and NDS objects, NetWare printers, and using NetWare login scripts.
NOTE Microsoft Directory Synchronization Services (MDSS) is an ad d -on p rod uct that p rovid es im p ortant interop erab ility technology for hyb rid networks. MDSS help s you m ore easily integrate Wind ows 2000 Active Directory with Novell’s NDS, and consolid ates m anagem ent of the network’s d irectory services. It includ es two-way synchronization, so ad m inistrators can m anage shared d ata from either d irectory. For m ore inform ation, see www.m icrosoft.com /p ressp ass/p ress/1999/oct99/NewWinPR.htm .
UNIX Interop erab ility Windows 2000 includes the Microsoft Print Services for UNIX, which includes a Line Printer Remote (LPR) service and a Line Printer Daemon (LPD). The LPR service is used to send a print job to a print server, and the daemon runs on the print server that receives the print job. LPRMON is installed on a Windows 2000 machine and used to send print jobs to LPD services on UNIX print servers. LPDSVC is installed on a Windows 2000 print server, and allows it to receive documents to be printed from LPR utilities running on UNIX client computers.
NOTE Microsoft Wind ows Services for UNIX is d esigned to p rovid e interop erab ility op tions for integrating Wind ows 2000 (and Wind ows NT) into existing UNIX network environm ents. For m ore inform ation, see www.m icrosoft.com /wind ows/server/Dep loy/interop erab ility/sfu.asp .
Interop erab ility with IBM Mainfram e Networks Windows 2000 can use Microsoft’s SNA (Systems Network Architecture) Server with IBM mainframe and AS/400 computer networks running TCP/IP or SNA protocols. Windows 2000 clients can then access the data and applications on the IBM host from the Windows desktop interface.
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
Summary In this chapter, we looked at the importance of planning the deployment of your Windows 2000 network as a means of preventing TCP/IP connectivity problems. We discussed general planning concepts, such as creating a planning team, hardware considerations, planning and diagramming the physical layout of the network, planning the Active Directory structure and domain namespace, planning the site structure, and planning the most effective IP addressing scheme. We walked through the steps of installing and configuring the TCP/IP protocol stack on Windows 2000 computers, and explored some of the options Microsoft gives us in setting up a system to use TCP/IP communications. Common deployment scenarios were discussed, including: ■ ■ ■ ■ ■
Installation of a new Windows 2000 network from the ground up Upgrade of a Windows NT 4.0 network to Windows 2000 Migration of a NetWare network to Windows 2000 Migration of a UNIX network to Windows 2000 Deploying Windows 2000 in a hybrid environment
We examined in some detail the traditional NT domain models, how they differ from the Windows 2000 domain structure, and factors to be considered in upgrading. You learned about the tools included with Windows 2000 to help you ease the upgrade process and move users, groups, and computers from your NT domains to the new Windows 2000 domains. The chapter also discussed how accounts and files on NetWare servers can be migrated to Windows 2000, and the Directory Services Migration Tool designed for that purpose. We provided a brief overview of how NetWare’s TCP/IP implementation differs from Microsoft’s. We also looked at the UNIX operating system, and how the various “flavors” of UNIX implement TCP/IP. Finally, we talked about the interoperability of Windows 2000 with other operating systems in a hybrid environment, and how it can peacefully coexist with other NOSs on a large, complex TCP/IP-based network. Parts of this chapter may, at first glance, seem to have little to do with troubleshooting TCP/IP problems. However, many of the communications problems that result from poor planning or deployment that is not well thought out can mimic IP connectivity problems. Much time and effort could be wasted if you try to apply the techniques outlined in later chapters, when the real culprit is an incorrect configuration or an unsuccessful migration.
87
88
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
The objective of this chapter, then, is to set up your Windows 2000 network correctly from the beginning, so that when trouble does appear (and it will), it will make a far easier target for you to “shoot.”
FAQs Q: Why would my company’s network require fewer domains in Windows 2000 than we were using in our Windows NT 4.0 network? A: The domain model for Windows 2000 is very different from the NT model(s). In Windows NT networks, the domain was the smallest administrative boundary. You could not give someone administrative privileges with giving them those privileges for the entire domain. In Windows 2000, using Active Directory security, it is possible to create smaller areas of administrative authority called Organizational Units (OUs) and assign administrative privileges to one or more OUs without granting administrative authority throughout the entire domain. This means there is no longer a need to create a separate domain just to separate the administrative responsibilities. Q: Why is the recommended minimum amount of memory so much greater for Windows 2000 Server than for Windows 2000 Professional? A: Windows 2000 Professional will run adequately with Microsoft’s stated minimum of 64MB RAM unless it is used for heavy multitasking or running memory-intensive applications such as 3-D rendering programs. On the other hand, a Windows 2000 server acting as a domain controller (DC) will not generally perform at all satisfactorily with the stated minimum of 128MB RAM. To get acceptable performance from a Windows 2000 domain controller, 256MB RAM is more realistic. This is not due to the Server operating system itself, it is because the Active Directory requires heavy memory usage. In fact, a Windows 2000 member server, which does not participate in authentication and does not have a copy of the Active Directory, will actually perform acceptably (though not optimally) with only 64MB RAM. Q: What is SAP? Is that something I need in my Windows 2000 network? A: SAP is Service Advertising Protocol, used by NWLink to find the closest server at startup. It can also locate services. A Windows 2000 computer with RRAS installed uses SAP to listen for SAP advertisements and to make SAP advertisements on a regular basis. This allows it to maintain a table of available network services. The
Setting Up a Window s 2000 TCP/IP Netw ork • Chapter 2
SAP Agent is the network service that allows a Windows 2000 computer’s services to advertise themselves. You need to install SAP if your network has NetWare clients, or if your Windows computers are running just the NWLink protocol; for instance, if you have configured your internal network to communicate using NWLink in order to protect it from Internet intruders running TCP/IP. Q: Do my Active Directory and DNS namespaces have to be identical? A: No. There are two ways to approach planning of the Active Directory namespace. The first, and in some ways easiest, is to create an Active Directory domain structure that uses as its root domain your registered DNS name. In this case, the internal network namespace and the external namespace, accessible via the Internet, will be the same. However, you can create two different namespaces for internal and external use. For instance, if mycompany.com is your registered domain name, your internal namespace might be myco.com. Having a different namespace will provide a security advantage, but requires that you register two domain names. Q: Can I still use my Windows 95 and Windows 3.1 clients and take advantage of Active Directory? A: Yes and no. Windows 95 and 98 computers can run the Active Directory client software available on the Windows 2000 Server CD in the “Clients” folder. Windows 3.1 computers cannot be Active Directory clients. To computers that are not running Active Directory client software, the directory will appear to be a Windows NT directory. There is a way to still utilize old machines that may be running Windows 3.x because they do not have the processor and memory resources to run Microsoft’s 32-bit operating systems. A Windows 2000 server can be configured as a terminal server, and older Windows operating systems can run terminal services software to allow them to function as “thin clients,” actually running the Windows 2000 desktop on the Windows 3.x operating system. In this way, users running those operating systems can still take advantage of Active Directory’s features. Q: Is there something I can tell my boss that will convince him that everyone needs to be running Windows 2000 machines?
89
90
Chapter 2 • Setting Up a Window s 2000 TCP/IP Netw ork
A: Although Windows 9x and NT Workstation computers can be client computers in a Windows 2000 domain, those downlevel operating systems cannot take full advantage of the features of a Windows 2000 network. For instance, Group Policy, a powerful administrative tool for controlling users’ desktops and configurations, can be used only with Windows 2000 computers. You can tell your boss how Windows 2000 combines the reliability of NT with the plug-and-play ease of use of Windows 9x, and you can explain the security benefits of such Windows 2000 features as EFS (encrypting filesystem) and IPSec. You can talk up the advantages of Intellimirror technology, and you might mention its excellent support for terminal services, virtual private networking using the new L2TP protocol, and ATM connectivity. You might also be able to impress your boss with the increased stability of Windows 2000. The best way to do this is to set him up with a Windows 2000 Professional system of his own, and let him experience the difference.
Chapter 3
General Window s 2000 TCP/IP Troubleshooting Guidelines
Solut ions in t his chap t er: ■
General Troubleshooting Guidelines and M odels
■
Information Gathering
■
Problem Isolation
■
Corrective M easures
■
M onitoring Results
91
92
Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
Introduction Problems: We’ve all had them, all our lives. It’s the human condition, they say, but problems aren’t confined to people. It seems to be the nature of everything that does anything—humans, animals, mechanical devices, electronic components—to malfunction now and then. Even stars eventually burn out (although we hope it will be a long time before you, the star of your company’s IT department, do the same). The first step in solving a problem is recognizing that one exists. Sometimes, it’s impossible not to notice; some problems explode in our faces. When you come in to work Monday morning and already have 22 voicemail messages all screaming, “My e-mail isn’t working!” you have a problem you can’t overlook or ignore. Other problems manifest themselves in a more subtle way. Maybe network communication is gradually slowing down, and users are beginning to get frustrated but may not say anything about it for quite some time. It’s easy to brush these types of problems aside. After all, it’s still working, it’s just not working quite as efficiently. These problems are more insidious. Like a case of the sniffles that turns into a cold that starts to feel more like flu that ends up being pneumonia, you can find yourself in serious trouble before you know it. It’s usually easier to nip the “little” problems in the bud instead of pretending they don’t exist and hoping they’ll go away.
The Ten Commandments of Troubleshooting Regardless of the nature of your problem, there are some general troubleshooting guidelines that will help you to organize your thoughts and speed up the process.
1: Know Thy Network When trouble hits, you’re already one step ahead of the game if you’ve taken the time—when things were running smoothly—to get acquainted with your network. You should not wait until a network outage or slowdown occurs to start examining your network’s performance. Get out the protocol analyzer, fire up the network monitor, and get to know how your “net” works, while it is working properly. In Chapter 5, “Using Network Monitoring and Troubleshooting Tools,” we’ll show you how to use all those fascinating gadgets and software tools, both in establishing a baseline for a “healthy” network and in diagnosing and planning the treatment of a “sick” one.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
One of the benefits of planning and designing a network from scratch, as discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network,” is having known your network ”all its life.” You’ve watched it grow, seen it through minor and major crises, and learned what was normal and what was not in terms of its operation and performance. Even if you “adopt” a network that’s been around for a while, a good way to get to know it is to do a complete diagram and inventory. This will require that you find out what equipment you have, where it is, and how it works.
2: Use the Tools of the Trad e Having access to and knowing how to use the troubleshooting “tools of the trade” are essential elements in successfully resolving TCP/IP problems. Your training and experience are your first, albeit intangible, important pieces of “equipment”—but it’s not always enough. A doctor, despite long years spent studying and practicing medicine, is often unable to diagnose a patient’s illness if he or she doesn’t have access to basic “tools” like a stethoscope, X-ray or other imaging machine, sphygmomanometer (blood pressure cuff), and all those other mysterious instruments used to measure or better observe various bodily functions. In troubleshooting connectivity problems, you too will often require help, in the form of hardware devices or software tools. You will use these to confirm (or negate) your initial suspicions or to give you a starting point in your investigation. At the very least, you should have access to diagnostic utilities, network monitoring and protocol analyzer software, and LAN testing devices for tracking down cable and other physical layer problems. Of course, having the tools is only half the battle; you also need to know how to use them properly. A great deal of information can be gathered using just the utilities built into most vendors’ implementations of the TCP/IP suite, but many network administrators have only a vague idea of what they do and how to use them. In Chapter 5, we will discuss in detail how to make the familiar PING, TRACERT, ARP, and other included utilities work more effectively for you.
3: Take It One Change at a Tim e Modern computers are good at multitasking. They can have several entirely separate and distinct processes going on simultaneously, because their “brains” (microprocessors) are able to use “time slicing” to allocate time to one problem after another in rapid succession, switching back and forth so quickly that it appears both tasks are being performed continuously.
93
94
Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
People don’t perform multiple simultaneous activities nearly as well. That’s why it’s important, when troubleshooting network problems, that you make changes one at a time and evaluate the effect before making another. When you have a problem such as an inability to connect to the server from a workstation, the tendency is to try everything you can think of that might fix the problem. An administrator in a hurry might uninstall, reinstall, and reconfigure the protocol, unplug the Ethernet cable and plug it back in, then reboot the computer and try logging on with a different account. If he’s able to connect this time, that’s great—but which action actually caused the difference? By trying only one “fix” at a time, you’re able to pinpoint what works, and what doesn’t.
4: Isolate the Prob lem Problem isolation is another important step in troubleshooting. More often than you might think, problems hang out in groups. And even if the original problem had a single source, attempts to correct it (by you or by the user who called you) may have created new “companion” problems. When we have multiple problems, we will probably need to address each one separately in order to get the network running smoothly again. Isolating the problem also means defining the specific nature of the problem. You will find it as hard to address a general problem like “I can’t get on the Internet” as a doctor would have in treating a patient who only reported “I don’t feel well.” It’s important to pinpoint the specific problem.
NOTE “Sp ecific” is a relative term . If a user initially rep orts a p rob lem as “m y com p uter’s not working,” he m ay think he is b eing sp ecific when he then tells you that he can’t get on the Internet. Sp ecificity m ay have to b e accom p lished in step s.
Users often have as much trouble describing their connection problems with specificity as sick people have in telling their physicians exactly what their physical symptoms are. Good questioning may help overcome this to an extent (we’ll talk about how to get information from your users a little later in this chapter), but you can’t always rely on others’ descriptions to be accurate and complete. You’ll have to use your own observation skills as well, which brings us to the next step.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
5: Recreate the Prob lem It’s no coincidence that this is listed as the fifth commandment out of 10. When you are able to reliably reproduce the problem, you’re half way home on the road to solving it. If you know that the user is able to send and receive e-mail, but receives a “404: File not found” error every time she tries to access the Web site of your company’s main competitor, you already have a lot of good information that will prevent you from wasting your time checking proxy settings or gateway configuration errors. Once you’ve narrowed down the problem, from “I can’t get on the Internet” to “I can’t access the Web site at www.thoseotherguys.com,” and you’ve verified that the problem can be reproduced by trying again to connect to the URL and getting the same message, you can consider what might cause this particular problem. In this case, there are several possibilities. One way to narrow it down further is to attempt to reproduce the problem again, from a different computer. If you type www.thoseotherguys.com into the browser on another machine, and you get the same error message, you’ve gained a valuable clue: The problem probably is not caused by an incorrect configuration on the first system; it’s more likely the problem is at the server end, or possibly a problem with the DNS server on your network.
6: Don’t Overlook the Ob vious In the preceding example, an unaware troubleshooter could have spent hours attempting to “fix” the computer that “can’t get on the Internet,” uninstalling and reinstalling its TCP/IP stack, reconfiguring its DNS settings, or releasing and renewing its DHCP lease, only to overlook the most obvious answer: The file was not found because the file is not there. Sometimes it’s really that simple. On the other hand, if you try to reproduce the problem at another machine and find that you can access the site from there, you know there is most likely a problem with the first machine’s configuration. Then, it’s time to focus your investigation on that particular computer. Perhaps the first thing to check is whether you can access other Web sites or if it’s only this one that’s giving you problems. If our original complainant/user was right and “The Internet isn’t working,” or rather, the Web doesn’t seem to be working—but other Internet applications like e-mail are—our next step would be to determine whether we actually have a connectivity problem or just a name resolution problem. To do that, we can try connecting to a Web site using its IP address.
95
96
Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
If you type http://www.microsoft.com into the browser’s address box and get nothing, but the Microsoft homepage comes up fine when you type in http://207.46.131.30, you know the “friendly” name is not being translated into the format that the computer understands, the IP address. Since you know DNS is the service that performs this resolution of fully qualified domain names (hierarchical “dotted” names like URLs), at this point we can be fairly certain that there is either a problem with the computer’s DNS settings or (if other computers that use the same DNS server are having the same problem) with the DNS server itself.
7: Try the Easy Way First Most of us have heard it said of someone, usually in a whispered voice accompanied by a frown, “He always has to do things the hard way.” The same critics may then turn their disapproval on someone else with the indictment that “he always takes the easy way out.” Did you ever wonder how both of those philosophies could be wrong? Or was the latter criticism tinged with a hint of jealousy? In troubleshooting connectivity problems, it certainly pays to at least try the easy way first. How many times have you been able to correct a problem simply by rebooting the machine? It may not work every time, but it never hurts to try simple solutions before implementing the more complex ones. In fact, you should make it a practice to always evaluate all the possible solutions to a problem, and then try those that are easiest, quickest, and/or least expensive, leaving the difficult, time-consuming, and costly fixes as last-resort alternatives. If you have two machines that won’t “talk” to one another on the network, you would not be advised to first try rewiring the building just in case it’s a cable problem.
8: Docum ent What You Do It may seem like a lot to ask, after you’ve endured all that blood, sweat, and tears to finally get the problem solved and get the network back up and running, but documenting your troubleshooting activities is vitally important. Putting down on paper the steps you go through, as you perform them, serves several purposes. First, it helps you to stay organized and perform those steps methodically. If you’re writing it down, you’re less likely to skip steps, because it’s all there in front of you, in visual form. You don’t have to wonder, “Did I test that cable segment?” or “Did I check the default gateway setting?” Documenting your actions also provides a valuable record if you end up having to call in an outside consultation or otherwise request someone else’s assistance with the problem. Time, and often money, will be saved if you can provide detailed information about what you tried, how you
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
proceeded, and what the results were. Many network administrators lull themselves into a state of complacency about not documenting their behavior, because they see the documentation process as too time-consuming. However, if a mistake occurs because of a failure to document what you’ve done, or what you were planning to do, the amount of time lost far exceeds the time you would have spent actually writing things down in the first place. Unfortunately, in the corporate world, you may also sometimes find your documentation necessary for “CYA” purposes. A network outage that lasts for a significant amount of time can, in some businesses, cause a huge loss of profit, even threaten the company’s position in the industry or—in extreme cases—put a business out of business. Luckily, the consequences aren’t usually that dire, but you’d better believe that many firms are heavily dependent on their network communications. If your job description makes you responsible for the welfare of the network, you’re less likely to get caught in the scapegoat-hunting process if you have detailed documentation of your efforts to address the problem. Finally, you should document the troubleshooting and problem resolution process for a very practical reason: History tends to repeat itself, and human memory is imperfect. As you wipe the perspiration off your brow and breathe a silent sigh of relief at having finally tracked down and solved your connectivity problem, you may think that there is no way you will ever, ever forget what you did to fix it—not after going through all that agony. But a year later, when the same thing occurs again, it’s likely you’ll remember only, “This happened before and I fixed it … somehow.” The details tend to get lost, unless you write them down. One last caveat on documentation: It’s great to have a nice, neatlytyped (and maybe even illustrated) troubleshooting log, but if you do your record-keeping on the computer instead of manually, it’s a good idea not only to back it up to tape, floppy, writable CD, or other media, but also to print out a hard copy. It should be a given, but sometimes folks forget that when the computers go down, computerized documents may be inaccessible.
9: Practice the Art of Patience Patience is a virtue, so hurry up and develop this characteristic! Whether or not you aspire to be virtuous, patience is an asset in any sort of investigative work, and that’s what network troubleshooting is. This means being patient enough to go over each configuration setting in each machine, to test each cable segment, to try one solution and, if it doesn’t work, to keep trying new ideas until one does work. Finding the source of a connectivity problem is often like looking for needles in
97
98
Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
haystacks; you must have a “system” and you must implement it systematically. This also requires that you be patient with users, even when they seem to be the bane of your existence. Remember, users are also one of the big reasons for your job’s existence—you’re there to support them, as well as the computers to which they’re “attached.” Finally, you must be patient with yourself. It’s easy to get exasperated when the network is down, the pressure is on, and nothing you do seems to help (or your best efforts seem to make the problem worse). If users are one of the reasons your expertise is needed, there’s an even bigger reason: problems. A network that ran smoothly all the time, one in which the server never mysteriously went offline and computers never suddenly stopped “talking” to one another for no apparent reason and communications never got strangely garbled, would be a network with no need for an administrator. So, when you hear about a problem coming your way, take an “attitude of gratitude” and thank your lucky stars that you have one! Trouble is what you live for—or should be! A good network administrator doesn’t see problems as something to fear or curse, but as challenges and learning experiences. Continuous learning is what the job is all about, and you’d better love learning new things if you intend to lead a happy life as an IT professional. There’s one thing that’s a certainty in this business: You can never learn it all. And if you did, there would be a brand new and different technology ready to take the place of the one you’d just mastered.
10: Seek Help from Others Network admin types tend to have some common personal characteristics: they’re bright, they’re self-starters, they’re just a bit (okay, maybe more than just a bit) more comfortable when they’re in control, and they have a lot of pride. Taking pride in doing a good job is an admirable trait, but that pride can also make it hard for you to admit that a problem has you “bumfuzzled,” as my grandmother used to say (meaning you’ve tried everything you can think of and the answer—sometimes even the question—still eludes you). Don’t be so proud that you can’t bring yourself, when necessary, to ask for help. Asking for help after you’ve exhausted all your ideas is not an admission of defeat; it’s just a step in the troubleshooting process. Using your resources is smart, and those resources include product documentation, books, Web sites, newsgroups, mailing lists, and other working professionals in the field.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
Remember that the term “networking” has another meaning: getting acquainted with people in your profession who can be beneficial to your career. Someone you know may have struggled with the very same problem that is vexing you now. Why reinvent the wheel? Ask for help. How do you find knowledgeable, experienced IT pros whose brains you can pick when you have a problem? There are many ways to make contacts: attend seminars, join Internet discussion groups devoted to networking topics, stay in touch with classmates and instructors from the training courses you attend. There is a corollary to this commandment. Be available to share your own expertise with others when they need your help. The best networking methods, after all, are full duplex and use two-way communications.
NOTE Most p eop le are flattered to b e asked to share their hard -earned knowled ge—as long as you d on’t ab use the p rivilege. Calling good old George every coup le of m onths with a q uick q uestion is likely to m ake him feel that you resp ect his exp ertise. Calling him every week with a com p licated p rob lem that you need solved “right away” will cause him to feel that you d on’t resp ect his p ersonal sp ace, and will q uickly m ake you “p ersona non grata” in his b ook.
Window s 2000 Troubleshooting Resources Even if you’re determined to solve the problem yourself, if you’ve sworn that this time you’re not going to bother George (or he has abandoned you to go off on a month-long vacation to Tahiti and isn’t available), there are still many troubleshooting resources at your disposal. Windows 2000 endured more beta testing—with more users at all levels working with the operating system before it was even released for sale—than any other software product in history. There is a great deal of documentation available, both “official” and not.
Microsoft Docum entation Microsoft has published an enormous amount of support documentation for Windows 2000 itself, its networking services in general, and its TCP/IP implementation in particular. Despite the fact that Windows 2000 has only been available to the public for a short time, when it comes to information about the operating system, “It’s out there.”
99
100 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
This creates a problem in itself; sometimes the sheer volume of documentation available makes it difficult to find what you want. The Microsoft Web site, although full of excellent technical support data, is not particularly easy to navigate, especially for the uninitiated. Let’s look at a few of the resources Microsoft has provided in support of Windows 2000.
Help Files Those who have worked with Windows NT for a long time may be laughing uproariously as they read this. “Help files as a source of actual help?” you may ask. The NT help files are, to be generous, somewhat sparse. However, the Windows 2000 online Help is better—much better. For example, in NT 4.0 if you go to the Help index and type “DNS,” you get the box shown in Figure 3.1. Figure 3.1 A typ ical Help wind ow in NT 4.0.
On the other hand, if you access the Help index in Windows 2000 and type “DNS,” you’ll see the much more helpful list of specific topics shown in Figure 3.2. Each of the articles listed has links to related topics, “how to” topics list step-by-step procedures, and the search engine operates in a logical and intuitive fashion so that you can find the information you need quickly and easily. If you’ve gotten out of the habit of even bothering to look at the online help, as many NT administrators have, reacquaint yourself with this convenient, free feature in Windows 2000. The Help files will become your first line of defense in troubleshooting situations, and in some cases, the only reference you’ll need to solve your problem.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 101
Figure 3.2 The new and im p roved Wind ows 2000 Help system .
NOTE Note: If you find it d ifficult to read long Help files online, you’ll also b e p leasantly surp rised b y the m uch im p roved p rinting cap ab ilities in the Wind ows 2000 Help files.
Resource Kits Microsoft’s Resource Kits serve as the “official source of technical background information” about their products. There is a wealth of troubleshooting information in the Windows 2000 Resource Kit, much of which comes directly from the product development team. You are, in essence, getting a briefing on how the operating system works straight
102 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
from “the horses’ mouths,” from the people who wrote the code and worked with the operating system from its earliest stages. The online documentation is only a small part of the Resource Kit. Also included are a variety of software utilities that can be used in troubleshooting and administration (see Figure 3.3). Figure 3.3 The Wind ows 2000 Resource Kit contains online d ocum entation and utilities.
The CD that comes with the printed Resource Kit includes the books in electronic format, over 200 diagnostic and management tools and documentation for each, and information on error messages, Registry settings, and performance counters.
NOTE Web -b ased versions of the Microsoft Resource Kits are availab le to b e d ownload ed b y sub scrip tion, at the Resource Link Web site located at http ://m sp ress.m icrosoft.com /reslink/.
White Papers Microsoft’s Web site contains many informative “white papers” that address various aspects of the Windows 2000 operating system and its components.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 103
It’s easy to search the site for these topic-specific articles with the search engine provided on the Microsoft “front page” and each subsequent level of the site. A simple search for white papers addressing the TCP protocol yields many articles. You can narrow the search further by using the “Search within results” feature, and you can sort the search results according to different criteria.
TechNet One of the primary benefits of obtaining Microsoft’s MCSE certification has been the free or reduced-price subscription to TechNet. A series of CDs is issued monthly, with updated product information, news releases, and the popular Knowledge Base. The latter contains articles addressing “known issues” and problems encountered by users working with Microsoft products, and the fixes or workarounds. (See Figure 3.4.) Figure 3.4 Microsoft’s TechNet is an invaluab le source of troub leshooting inform ation.
Microsoft has made most of the TechNet information, including the Knowledge Base, available free on their support Web site at www.microsoft.com/technet/support/default.htm. There are still benefits to owning the CD version, and it is available by subscription at www.microsoft.com/technet/subscription/about.htm. With the CD version, you get a more powerful search engine that can be customized, you can mark frequently-used articles or annotate them with
104 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
your own notes, and of course, you aren’t dependent on having an Internet connection to access the information. When you subscribe to TechNet, you initially receive over 20 CDs (including service packs, utilities, and tools, and other documentation in addition to TechNet itself). Each month’s updates include three to five CDs. Microsoft estimates that approximately 2000 pages of new content are added to TechNet each month, and at least 20 percent of the existing content is revised.
NOTE TechNet Plus is a higher sub scrip tion level that includ es cop ies of b eta software for training/evaluation p urp oses.
New sgroups Microsoft also hosts a large number of technical discussion newsgroups on their news servers. The public news server at msnews.microsoft.com includes newsgroups devoted to almost every Microsoft product imaginable, in many different languages, and subtopics such as Windows 2000 networking. (See Figure 3.5.) Figure 3.5 A sm all sam p ling of the newsgroup s hosted on Microsoft’s p ub lic news server.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 105
There are over 1000 newsgroups available on the public news server. Microsoft also hosts a large number of private newsgroups, which require a username and password to access. These include groups for certified trainers, groups for participants in the corporate preview programs, groups for MSDN members, and others. The newsgroups are an often-overlooked source of free advice and tips. You can “meet” many fellow IT professionals through the groups, and Microsoft personnel monitor some of the groups and post “official” support information as well.
Third -Party Docum entation Although Microsoft has attempted to be comprehensive in documenting Windows 2000, and provides you with some great troubleshooting resources, you are certainly not limited to their materials when problems occur. There are many independent IT professionals who have already encountered some of the same problems you might run up against, and who have shared their experiences in many forums.
NOTE Even if you’re alread y Microsoft-certified , or not interested in vend or certification, d on’t overlook the troub leshooting inform ation that is availab le in som e of the MCSE stud y guid es, such as the Wind ows 2000 certification series p ub lished b y Syngress.
There are some excellent books available on various aspects of Windows 2000 networking. Check your local computer stores, larger book stores such as Barnes and Noble, or online booksellers like Amazon. Some monthly publications that can be highly beneficial include NT/Windows 2000 Magazine and for Microsoft certified professionals, MCP Magazine. Both frequently contain articles full of troubleshooting tips.
Internet M ailing Lists Up until a couple of years ago, it was easy to host a mailing list. Anyone who had a machine connected to the Internet that ran list server software could do it. Now it’s much easier—there are numerous free Web-based list-hosting services, such as ONElist at www.onelist.com, that are easy to set up and administer. Because of this, Internet discussion lists have proliferated.
106 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
There are hundreds of lists devoted to Windows 2000 and/or TCP/IP issues. Some are restricted lists, where membership is by invitation or limited to those who meet certain qualification criteria. Others are public, and open to any and everyone. Some are populated by small groups of highly professional members, and others are huge “melting pots” with high noise-to-bandwidth ratios (a large volume of low-quality messages sprinkled with messages that contain valuable tips and tricks). Some generate perhaps two or three messages per day, while others may flood your inbox with literally hundreds of messages at a time.
TIP Inform ation ab out Wind ows NT and Wind ows 2000 p ub lic m ailing lists can b e found at the following Web sites: www.saluki.com /m aillist.htm —the Saluki MCSE lists www.swynk.com —com p rehensive system ad m inistrators’ site www.tacteam .net—our own MCSEnow and Win2000now lists
The benefits of mailing lists are similar to those of newsgroups.
Usenet New sgroups Just as Microsoft Corporation hosts newsgroups, other companies and organizations host groups that focus on Microsoft products. Most ISPs run news servers that make some or all of the available public Usenet newsgroups accessible to their users.
Web Resources There are thousands of excellent (and not so excellent) resources available on the Web. If you want to use the Web effectively as a troubleshooting tool, it is important that you use a good search engine, and that you know how to use it for best results. Too many experienced computer pros haven’t taken the time to learn which of the many search engines fit their needs. Nor have they explored all the features of the one(s) they’ve chosen. It’s not enough to go to Yahoo! and type in a couple of keywords that vaguely describe your problem. On many occasions, I’ve been asked about technical issues by students or other network admins who prefaced their question with, “I tried looking it up on the Web but I couldn’t find anything.” I’ve then sat down at the keyboard, pulled up my browser, spent three minutes with Infoseek or Alta Vista, and solved the problem or acquired the information, which I copied, pasted and returned to them.
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 107
They think I’m really smart (which is okay with me—good PR never hurts), but the truth is: I’ve found a couple of good search sites and more importantly, I’ve practiced using them enough to get good at it. I chose Infoseek because it allows me to do a “search within results” so I can continuously narrow my search criteria, and I know that if I want to search for a whole phrase, I need to put quotation marks around it, and I know that if I choose the “advanced” feature, Alta Vista will let me do a Boolean query using operators like AND and NOT. Try different search engines, pick one that has the features you want and need, read all its online documentation so you’ll know the syntax for proper queries, and you’ll notice a world of difference in the effectiveness (and speed) of your Web searches.
NOTE Check out the following search engines: www.infoseek.com —allows you to “search within these results” www.altavista.com —allows for “ad vanced ” search using Boolean op erators www.hotb ot.com —allows you to search the full text of p ages rather than just keyword s, allows ad vanced filtering of search results
Once you’ve learned the fine art of searching, you’ll find that the Web has numerous sites posted by companies, professional organizations, user groups and hobbyist clubs, and individuals, detailing others’ experiences with Windows 2000, their trials and tribulations, and how they solved the problems they encountered.
General Troubleshooting M odels Regardless of the field, most professions exist for the purpose of anticipating, preventing, and/or solving problems. Physicians address medical problems, attorneys deal with legal problems, police officers confront problems involving criminal behavior, and network professionals are faced with connectivity and computer communications problems. Troubleshooting models have been developed and adopted and are used in the formal training in various occupations. These models describe a procedure, or a step-by-step process, that can be applied to most problem-solving situations regardless of the type of problem. Because the networking field is newer, training is less regimented and curricula haven’t been standardized throughout the industry. There is no
108 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
“official” network-troubleshooting model. However, we can borrow popular problem-solving models that are in widespread use in other professions and apply their principles to the problems IT personnel are likely to come up against.
Differential Diagnosis Mod el When a medical doctor sees a new patient who complains of symptoms, whether vague (“I don’t feel well.”) or more specific (“I have a sharp pain that comes and goes in my lower-right side.”), the physician follows a step-by-step procedure to ascertain the cause of the problem and attempt to alleviate it. Generally, these steps fit the categories of: Examination, Diagnosis, Treatment, and Follow-up. A network administrator can follow the same steps when confronted by an “unhealthy” network.
Examination The first step involves gathering information. The doctor does this in several ways: Direct observation. He first assesses the patient’s general state of well-being based on things like demeanor, facial expression, skin coloration, whether the person is energetic or lethargic, whether the eyes are bright or dull, whether the person is over or underweight, voice, muscle tone, and so on. A network troubleshooter can also use observation skills, noticing if a cable is pinched or the lights on the NIC or hub are not lit as usual. Asking questions. The doctor will interview the patient, and ask her to fill out a medical history questionnaire. He will want to know such things as when the pain first appeared, what, if any, self-treatments she’s tried, whether there were any changes in her diet or activities, or if she was involved in an accident or otherwise injured just prior to the symptom’s appearance. The network professional asks very similar questions of the network users who are experiencing the problem. You need to know when the “symptom,” such as inability to connect to the network, began. You also will want to know if the user did anything to attempt to fix the problem, and whether anything on the computer or on that network segment was changed just prior to the loss of connectivity. Conducting tests. Even if the physician is able to establish a tentative diagnosis based on his observations and the answers to his questions, he will often order lab tests to provide objective confirmation. A network administrator who is trying to track down
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 109
the source of a connectivity problem can also perform objective tests using software utilities and monitoring and diagnostic devices.
Diagnosis After the information has been gathered, the doctor puts this specific information about this patient together with the general knowledge acquired through his years of training and experience, to arrive at a diagnosis. This is defined as an opinion as to the nature and cause of the disease or injury based on the evaluation of patient history, examination, and review of laboratory data. The network troubleshooting process requires that you formulate an opinion as to the nature of the connectivity problem based on your evaluation of the history of the network (and the specific computer and user involved), your examination of the physical aspects like cabling, and your review of the data collected via cable testers, network monitors, protocol analyzers, and other tools.
Treatment The patient is usually less interested in having the doctor tell her why she feels lousy than in having him do something to make her feel good again. Likewise, the company’s management and the network’s users may not really care why the network is down—they just want you to get it up and running. The diagnosis is of academic interest, but the treatment is of practical concern. Your training and experience are important in this phase, too. But, like a doctor who isn’t expected to have encountered or memorized the treatments for every possible illness, neither can you be expected to know how to fix every possible connectivity problem, even after you’ve figured out the cause. This is where your research ability comes in; you must have resources that contain information on the “fixes” for common problems and you must know how to use them. You must be able to develop a treatment plan aimed at clearing up the symptom (loss of connectivity) and preventing it from happening again.
Follow -Up In the follow-up phase, the doctor has the patient return for a check-up, even though she may feel fine, to ensure that everything really is functioning normally and that there were no harmful side effects from the treatment he prescribed. You will want to do the same, assessing the results of your treatment, making sure that in fixing the original problem, you didn’t “break” something else.
110 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
NOTE Another m od el used in m ed ical circles is known as SOAPR: Sub jective, Ob jective, Assessm ent, Plan, Review Results. This m od el uses b asically the sam e step s, b reaking the Exam ination p hase into two p arts: collection of sub jective d ata (such as the p atient’s statem ent that she feels “out of sorts all the tim e,” or the d octor’s ob servation that the p atient seem s “less resp onsive than usual”), and ob jective d ata (the “num b ers” like b lood p ressure read ings or white cell count). Otherwise, the step s are the sam e, with d ifferent nam es.
SARA Mod el Let’s look at a completely different profession and see how its model can be adapted to the network-troubleshooting world. SARA is a problem-solving technique widely accepted in the law enforcement community in recent years. The acronym stands for the steps in the problem-solving process: ■ ■ ■ ■
Scan Analyze Respond Assess
Although this model was designed to help the police do their work more effectively, it is equally applicable to tracking down the culprit that’s responsible for your network going down. See Figure 3.6 for an illustration of how the process works. This model can be applied to almost any type of problem solving. If we examine each of the SARA components, we’ll see that it is strikingly similar to the medical profession’s Diagnostic model.
Scanning This means that upon observing or being informed that a problem exists, the first thing you should do is scan, or take in the “big picture.” This is an important step and one that is often ignored, both by eager police officers who rush into a scene focused only on the area that appears to be the source of the trouble, and by network administrators, who likewise make assumptions and fall prey to a similar type of tunnel vision that prevents them from noticing important “clues.”
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 111
Figure 3.6 The SARA p rob lem -solving p rocess.
S
SCAN Observe, Question, Collect data
A
ANALYZE Sort, Organize, Hypothesize
R
RESPOND Formulate and apply "treatment"
A
ASSESS M onitor results of "treatment"
Analysis After taking a moment to get an overview of the situation, the second step is to analyze the information available. A police officer on the street may have only a split second to perform this analysis. A network troubleshooter, even when under pressure from angry hoards of Internet-addicted users, generally has a bit more time to consider the possibilities and arrive at a logical course of action—which brings us to the next step.
Response In the preceding stage, you may have formulated several educated guesses as to the true source of the problem. Each of these hypotheses may in turn suggest several possible responses. Just as a police officer’s response to a combative subject could range from trying to “talk him down,” to using of physical force, your response to a computer that won’t communicate on the network could range from changing network configuration settings (talking it down), to reinstalling the operating system (shooting it).
112 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
There are two important points regarding the response phase: ■
■
It is usually best to begin with the less drastic responses and “escalate” from there. Always be prepared for an unexpected response to your response.
Emergency services personnel know the importance of being ready for any contingency. Like them, even when you’ve made your decision as to how to handle the situation, you should have a backup plan.
Assessment After taking action, it’s time to step back and assess the effect of your action. Did it bring about the desired change? Did it make the situation worse? Did it have no effect at all? This assessment will determine what you do next: pack up and go back to your office (and send a bill for your high-dollar rescue operation), or start the whole process all over—once again scanning, perhaps a bit more carefully this time, to catch details you may have missed before.
Putting the Mod els to Work for You You can use one of these or any other similar problem-solving model to guide you through the troubleshooting process. The important thing is to develop a routine when you go into problem-solving mode, and follow the steps in the same order each time. This will help you to organize your thoughts and keep you from overlooking or discounting vital information. Regardless of which model you use, the steps it proposes will usually fall into the following categories: information gathering, problem isolation, taking corrective measures, and monitoring results.
The Information-Gathering Phase This is the Examination phase in a doctor’s Differential Diagnosis method, or the Scanning phase if you’re following SARA guidelines. In any event, it involves getting all the available data regarding the problem. There are several ways to gather data: we can ask questions of others, we can consult the computer’s log files, or we can bring in the “big guns,” diagnostic devices and software tools.
Questions to Ask The first step in responding to a report of connection problems should be to ask questions of the person reporting the problem, and anyone else who observed the problem. Our objective, in trying to determine what
Window s 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 113
caused the problem, is to determine exactly how the problem manifested itself. The user who experienced the problem is in the best position to give us this information. Unfortunately, he or she may not always know how to tell us what we need to know. Remember the user we discussed earlier, who thought he was being specific when he reported that he “couldn’t get on the Internet?” You’ll find that many of the people who use the network, even those who consider themselves knowledgeable about computers, will suddenly draw a blank when they attempt to describe the problem to you. “I don’t know, it just doesn’t work,” is a common refrain. Police officers know that even when they’re lucky enough to have a perfect eye-witness to a crime, just because the person was there and saw it doesn’t mean he or she will be able to give a logical, chronological report of what happened that contains the information needed to solve the case—at least, not without some help. That’s why, for an investigator in any venue, questioning skills are so important. You are much more likely to get useful answers from your users if you ask the right kinds of questions.
Question Format There are no “good questions” and “bad questions.” There are appropriate and inappropriate questions, given the situation and the personality and knowledge level of the questionee. Open-ended questions, like “What happened?” may be useful as an opening, to get the person talking, or with a technically savvy user who is able to remember and has the vocabulary to describe what prompted him to call you for help. More often, though, open-ended questions will get broad, vague responses that aren’t very helpful. Asking more specific questions will result in more specific (and therefore more useful) answers. Some good questions to ask include: Exactly what task were you trying to perform when the problem occurred? Was he attempting to transfer a file, to access a Web page, to download e-mail, to dial up a remote connection with a modem? Exactly where in the process did the problem occur? For instance, if the user was trying to get his mail and got an error message, did this happen when he tried to connect to the ISP, after establishing the ISP connection when he tried to connect to the mail server, or was he able to download a few messages and then got disconnected? Were you doing anything else in addition to this primary task when the problem occurred? What other programs were open in the background? Was a virus checker or disk defragmenter or
114 Chapter 3 • Window s 2000 TCP/IP Troubleshooting Guidelines
other utility running? Was anyone else accessing data on his computer across the network? Was it time for any scheduled tasks to start? What error messages (if any) did the computer display? Error messages can be a great source of information in troubleshooting—if your user can remember what they said. More often, this question will elicit the response, “It gave me some sort of error message, but I don’t remember what it said.” Instead of following your natural impulses and wringing the user’s neck at this point, there are several things you can do. Sometimes you can ask questions that are more specific: Was the error message on a blue screen or was it in a small text box? Did it say anything about a page fault with a bunch of funny numbers and letters? Was there anything in the message about a file not being found? The best thing to do in this situation is to try to recreate the error yourself. If you can’t, try asking the user to do exactly what he did before when the error message appeared, and see if he can reproduce the error. (Watching the user go through the steps without any guidance or directions from you can sometimes produce one of those “Eureka!” moments, when you realize that he’s trying to “browse the local network” using Netscape, or uncover some other equally amusing—if only it hadn’t wasted two hours of your valuable time—misunderstanding). Even if you’re lucky enough to have users who faithfully record every error message, or to see them with your own eyes, it’s a sad fact of life in the IT field that some error messages are more helpful than others. An error message that says “MOST_IMPORTANT_FILE.DLL cannot be found at
Right-click the connection and choose Properties, then highlight TCP/IP, select Properties, and click ADVANCED. Click ADD under IP addresses and enter the new address, as shown in Figure 4.7. DHCP servers and DNS servers can be multihomed machines, although there may be some special configuration considerations. Figure 4.7 Multip le IP ad d resses assigned to a single NIC.
Problems Related to M ultihoming You may encounter some of the following common problems with multihomed computers on a Windows 2000 TCP/IP network.
Networks Linked b y RAS If a multihomed computer has IP addresses on two networks that are linked by a remote access connection, because the networks are not aware of one another there may be problems with routing. In this case, the solution is to create static routes. This can be done by manually adding the routes to the routing table.
Window s 2000 TCP/IP Internals • Chapter 4 169
Multip le Default Gateways If a multihomed computer has addresses on two networks that are unaware of one another, and you configure it with different default gateways on the different networks, you may experience an inability to connect or other connectivity problems. The solution is to configure only one default gateway. This should be the one on the larger or primary network. You can then create static routes in the routing table to get to the computers on the smaller network.
NOTE Only one d efault gateway can b e active at a given tim e, regard less of how m any a com p uter is configured to use.
Multihom ing and WINS There is potential for numerous problems when WINS servers or clients are multihomed machines. See Chapter 6, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems,” for more information.
IP Multicasting Multicasting means sending data to multiple destinations on the network at the same time, using a single multicast address. This differs from a broadcast in that computers belong to a multicast group, and only those that are designated as members of the group receive the multicast messages. Messages sent to the broadcast address, on the other hand, are sent to every computer on the subnet. The Internet Group Management Protocol (IGMP) is used for managing multicast membership. Computers can join or leave multicast groups by sending an IGMP message (computers that are not members of the group can still send multicast messages to the group). A computer can also belong to multiple multicast groups simultaneously. When a computer wishes to join a multicast group, it will send a message called an IGMP host membership report. With this message, it declares itself a member of a particular multicast group. The same message is used when a multicast router issues a query requesting group information. There are two types of multicast groups: ■ ■
Permanent multicast group Transient multicast group
170 Chapter 4 • Window s 2000 TCP/IP Internals
NOTE “Perm anent” or “transient” refers to the group ad d ress. Mem b ership in a p erm anent group is still d ynam ic; com p uters can join and leave at any tim e. A p erm anent group has a reserved IP ad d ress, and it continues to exist even if all com p uters leave the group . A transient group ceases to exist if its m em b ership d rop s to zero, and its ad d ress is returned to the p ool availab le for assignm ent to another group in the future.
A group can have members that belong to different networks as long as the routers between the networks support multicasting.
M ulticast Address Range Windows 2000 complies with RFC 1112 level-2 standards for IP multicasting and uses the following class D addresses. The multicast addresses are in the range 224.0.0.0 through 239.255.255.255, shown in Table 4.1. These addresses are reserved for multicast transmissions with the Internet Assigned Name Authority (IANA). Table 4.1 Multicast Ad d resses Address
Purpose
224.0.0.0
Base ad d ress (reserved ).
224.0.0.1
The All Hosts m ulticast group (includ es all system s on the sam e network segm ent).
224.0.0.2
The All Routers m ulticast group (includ es all routers on the sam e network segm ent).
224.0.0.5
The Op en Shortest Path First (OSPF) AllSPFRouters ad d ress.
224.0.0.6
The OSPF AllDRouters ad d ress.
224.0.0.9
The RIP Version 2 group ad d ress.
224.0.1.24
WINS server group ad d ress.
NOTE For m ore inform ation on reserved m ulticast ad d resses, see www.isi.ed u/ in-notes/iana/assignm ents/m ulticast-ad d resses.
Window s 2000 TCP/IP Internals • Chapter 4 171
Troubleshooting IP M ulticasting Windows 2000 includes several multicasting utilities that can be useful in troubleshooting problems with multicast transmissions.
Com m and -Line Utility: m rinfo The command-line utility mrinfo displays the configuration of a multicast router. The information returned by the mrinfo command includes version number, the list of interfaces and the neighbors on each interface, metrics, Time to Live (TTL) thresholds, and flags.
Com m and -Line Utility: netsh routing ip m ib show m fe The command-line utility netsh routing ip mib show mfe can be used to display the entries in the Multicast Forwarding Table. (The Multicast Forwarding Table can also be accessed through the Routing and Remote Access console).
Com m and -Line Utility: netsh routing ip m ib show m festats The command-line utility netsh routing ip mib show mfestats is used to display packet statistics and input and output interface information for multicast forwarding entries in the Multicast Forwarding Table. (The Multicast Statistics table can also be accessed through the Routing and Remote Access console).
Com m and -Line Utility: netsh routing ip m ib show joins The command-line utility netsh routing ip mib show joins is used to display the list of multicast groups that are locally joined on each interface.
Dup licate IP Ad d ress Detection Because IP addresses must be unique on the network, there must be some mechanism in place to detect duplicate addresses. Unlike the MAC addresses, which are hard-coded into the chip on the interface card by the manufacturer, IP addresses are assigned by the network administrator. If addresses are assigned manually instead of by a DHCP server, it is very easy to make the mistake of assigning the same IP address to two machines. Having two machines on the network with the same address can obviously cause problems with delivery of data packets. If you have a common name like John Smith, you may have had the experience of having someone else with the same name at your workplace or in a class at school. You know how confusing it is when the name “John Smith” is called, and neither of you knows for whom the message is intended. You may have
172 Chapter 4 • Window s 2000 TCP/IP Internals
received memos or correspondence that should have gone to the other John Smith. Networks try to avoid this type of “mistaken identity” situation. If a computer is configured with the same IP address as another computer on the network, when it comes online and broadcasts an ARP message for its own address (sometimes called a “gratuitous ARP broadcast”), the computer that is already using that address will reply. This will cause an error message, and the computer that just came online will not be able to use the IP address; IP will be disabled and an entry will be made in the System log. The computer that “got there first” will still be able to communicate via IP, but will also display an error message to notify you that there was an address conflict.
NOTE The com p uter with the d up licate ad d ress m ay still b e ab le to com m unicate with other com p uters on the network if another com m on p rotocol is installed (NetBEUI or IPX).
Inside the Window s 2000 Transport Protocols (TCP and UDP) The Transport (host-to-host) layer protocols, TCP and UDP, handle flow control and provide for reliable end-to-end communications. For more information about what takes place at this level and how it fits into the OSI and DOD models, see Chapter 1. We will discuss some of the features included in the Windows 2000 TCP/IP stack’s Transport layer protocols. Knowledge of these features can be useful in unraveling connectivity problems that originate at this level.
Transm ission Control Protocol We will first look at TCP, the connection-oriented member of the pair. TCP is used in Microsoft networks to handle important one-to-one communications such as logons, file and printer sharing, and replication between Windows 2000 domain controllers.
Window s 2000 TCP/IP Internals • Chapter 4 173
Dead Gatew ay Detection The Dead Gateway Detection feature in Windows 2000 makes TCP aware when the IP address configured to be the default gateway fails. This allows for a process called triggered reselection to take place, so that another default gateway can be chosen and implemented, and routed communications can continue. Here’s how it works: TCP attempts to send a packet to its default gateway and does not receive a response. It will keep trying, up to one-half the value set in the Registry key TcpMaxDataRetransmissions. If there is still no response from that gateway, TCP will try the next default gateway. The Route Cache Entry for the destination IP address on that packet will be changed to the new default gateway. If the gateway is dead, the same thing will happen to subsequent communications. If this continues to the point that 25 percent of the TCP connections have given up on the first gateway and moved on to use the second, IP will change the computer’s default gateway setting to the new gateway that the 25 percent are using. If the second gateway should also fail, the same process will occur and the next one on the list will be tried. If all gateways in the list are attempted and the last one fails, TCP will start over with the first default gateway listed. In this way, Windows 2000 maximizes the possibility of finding a gateway through which the packets destined for remote network segments can be routed.
Delayed Acknow ledgments TCP is able to maintain reliable communications because it uses acknowledgments (ACKs) to keep the sending computer “in the know” about the packets that have and haven’t arrived at the receiving computer. However, the acknowledgment messages themselves take bandwidth and can slow the communication process and cause congestion on the cable. Microsoft addresses this problem by implementing Delayed ACKs according to the specifications in RFC 1122. This reduces the number of packets on the wire and helps prevent a congested condition. Using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable.
174 Chapter 4 • Window s 2000 TCP/IP Internals
TCP Keep-Alives As discussed earlier, a TCP connection normally stays open until a FIN message is sent and acknowledged to disconnect. Some mechanism is needed, then, to determine whether the computer on the other end is still “there” when no packets have been received for a long period of time. TCP uses keep-alive packets to verify that a computer on the other end of a TCP connection is “still alive and kicking” (that the remote computer is still available). By default, a keep-alive message is sent every two hours (expressed as 7,200,000 milliseconds). This value can be changed by editing the Tcpip\Parameters value KeepAliveTime. A keep-alive message is only sent if no other packets have been sent for the time period. The keep-alive message is actually an acknowledgment, but with a sequence number that is the current sequence number minus one. If the computer on the other end responds to the keep-alive packet, the keep-alive timer will be reset, and if another two hours goes by without communications over the connection, the process will occur again. If the computer on the other end does not respond, 10 attempts will be made. If there is still no response after 10 tries, the connection will be terminated.
NOTE TCP keep -alive m essages are not enab led b y d efault. To enab le them for Winsock ap p lications, ed it the SetSockOp t value. TCP keep -alives generally are not sent on NetBIOS connections.
Avoiding the Silly Window Syndrome The Silly Window Syndrome, discussed in RFCs 813 and 1122, may have a silly name, but it can become a problem in TCP/IP networks, slowing down TCP communications. SWS occurs when the receiving computer slides its TCP window to the right when it has additional space available, and the sending computer uses this very small window to send correspondingly small data segments. In this situation, you end up with tiny segments of data being sent despite the fact that both computers have much more buffer space. The Silly Window Syndrome may be caused by either the client or the server. For example, the client might send data so fast that the server’s buffer fills up, and it then reduces its Receive window size to 1. This causes the client to send data in 1-byte increments, and the server responds by acknowledging only 1 byte at a time. Now, if the client stops
Window s 2000 TCP/IP Internals • Chapter 4 175
sending data, the buffers will clear and the window size will increase, but if the client keeps sending one byte at a time, performance will slow drastically. To avoid this situation, Windows 2000’s implementation of TCP/IP will not send additional segments until the receiving computer advertises a large enough window size to be able to receive a full segment. Additionally, if Windows 2000 is running on the receiving computer, TCP will not open the Receive window except in increments of a full segment. The Silly Window Syndrome can cause such drastic performance hits, so SWS avoidance is an important feature in Windows 2000.
User Datagram Protocol The User Datagram Protocol, UDP, is a connectionless Transport layer protocol that is used for broadcast and multicast transmissions and other situations where guaranteed delivery is not required. UDP works with IP, similarly to TCP, but UDP doesn’t break up the messages into smaller chunks (packets) and then reassemble the packets on the receiving end, as TCP does. There is no sequencing information in the UDP header. It’s up to the application to ensure that all the data arrived and to put it into the correct order. Like TCP, UDP provides for ports to differentiate between multiple connections. Therefore, if two applications are using UDP to communicate, using the same network interface, they will be assigned different port numbers. The advantage of UDP is speed—because it does not send acknowledgments and perform the other functions that make the TCP protocol more reliable, it also doesn’t have as much overhead.
NOTE The sp ecifications for the User Datagram Protocol are d iscussed in RFC 768.
Understanding TCP/IP Registry Settings TCP/IP gets its information (such as whether to obtain an IP address and other information automatically, or the specific manually, configured information) from the Windows 2000 Registry. The Registry, as you will recall, is the centralized hierarchical database that took the place of multiple initialization (.ini) files in early versions of Windows operating systems. When the protocols initialize, they look to the Registry for their configuration settings.
176 Chapter 4 • Window s 2000 TCP/IP Internals
When you configure the TCP/IP protocol settings in your network connection properties sheet, you are indirectly making changes or additions to the Windows 2000 Registry. The configuration information you enter in the dialog boxes will become values in the Tcpip\Parameters key, which is located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. There are a great many values contained in this subkey that were entered into the Registry at the time TCP/IP was set up on the computer. There are additional values that don’t appear by default, which you can add to optimize or change the behavior of the TCP/IP protocol driver.
NOTE The d river that im p lem ents the TCP/IP p rotocols in Wind ows 2000 is Tcp ip .sys.
It is always better, if possible, to make changes to the Registry through the graphical user interface. For instance, if you wish to change the IP address of your computer, you should make that Registry change by entering the information in the TCP/IP property sheet. However, the GUI contains only a limited number of changes that can be made. There are many more specifications that can be made only by directly editing the Registry keys. We will discuss a few of these changes, and how to make them, in this section.
WARNING Microsoft always stresses the im p ortance of caution in m aking d irect changes to the Wind ows Registry. If you im p lem ent any of these changes, b e sure to follow d irections exactly. Of course, it’s always a good id ea to first b ack up the Registry b efore m aking any changes.
Using the Registry Ed iting Tools Windows 2000, like NT, provides two Registry editing tools, regedit and regedt32. Regedit.exe is the registry editor that is also included in Windows 95. It is a powerful tool, but has some limitations. For instance, you cannot change security settings in the Registry using this application. Perhaps more importantly, regedit does not include a “read only” mode, as does its
Window s 2000 TCP/IP Internals • Chapter 4 177
cousin, regedt32. This means it is easier to mistakenly make changes that can affect the stability or even the bootability of your system. Why then would you ever use regedit? It does have one advantage over regedt32 in that its search engine is more powerful. If you need to do a detailed search, you might want to choose this tool. Another difference between the two is their appearance. Regedit, shown in Figure 4.8, resembles Windows Explorer. Figure 4.8 The Reged it.exe interface.
Regedt32.exe is the tool you will most commonly use when you already know the key and value you want to edit and don’t need the more sophisticated search features. Regedt32 will allow you to invoke “read only” mode so that you can look at your settings with no fear of accidentally making changes.
NOTE In b oth Registry ed itors, there is no “save changes” function. Changes that you m ake to the values take effect im m ed iately.
Regedt32 also looks a bit different; as you can see in Figure 4.9, its interface shows each Registry hive key in a separate window instead of one hierarchical structure. Either tool can be used for editing the TCP/IP settings. Open the chosen Registry editor by typing either regedit or regedt32 at the command prompt or in the Run box from the Start menu.
178 Chapter 4 • Window s 2000 TCP/IP Internals
Figure 4.9 Reged t32 p resents the Registry inform ation as sep arate wind ows for each key.
NOTE Notice that the “i” is om itted from “reged t32.” A com m on m istake is typ ing the com m and with the “i,” resulting in a File Not Found m essage.
Configuring TCP/IP Behavior through the Registry All of the values we will discuss will be found under the same Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters. Remember that TCP/IP can be bound to more than one NIC, and can be configured differently for each NIC to which it is bound. For values that are specific to an adapter, you will find a subkey for each NIC that contains its individual settings. The network interface subkeys are found
Window s 2000 TCP/IP Internals • Chapter 4 179
under “Adapters,” and each interface is represented as a hexadecimal number, as shown in Figure 4.10. Most of the parameters that we will discuss will not already be present in the Registry by default. In order to modify the protocol settings using the parameters that you don’t find already present, you must create the new value. Figure 4.10 Each NIC has a sep arate sub key for its settings.
Creating a New Value To create a new value in the Registry using the regedt32 tool, from the Edit menu, choose “New value.” You will see a dialog box as shown in Figure 4.11, which allows you to enter a name for the value, and select the data type from a drop-down box. Figure 4.11 You can ad d a new value to the Registry if it d oes not alread y exist.
The value can be one of five data types: ■
■ ■
REG_DWORD Hexadecimal data with a maximum limit of 4 bytes REG_EXPAND_SZ An expandable string REG_MULTI_SZ A multiple string
180 Chapter 4 • Window s 2000 TCP/IP Internals ■
■
REG_SZ A single data string (group of characters handled as one entity) REG_BINARY Zeros and ones (“machine language”)
Be sure you select the correct data type, as given in the instructions, when creating a new value.
Editing Common TCP/IP Registry Values We will discuss only a few of the many Registry settings that can be edited to change TCP/IP behavior. For a complete list, see the Microsoft TechNet article “MS Windows 2000 TCP/IP Implementation Details.”
Changing the Tim eout for the ARP Cache You can change the timeout value of the ARP cache from the defaults (2 minutes for unused entries and 10 minutes for those that have been used) by creating a new value in the Tcpip\Parameters subkey called ArpCacheLife. The value type is REG_DWORD, and the value should be set as the number of seconds for timeout, in hexadecimal (0 – 0xffffffff).
Changing the Num b er of ARP Retries Another configuration setting you might want to change to speed initialization is the number of times the computer will send a “gratuitous” ARP broadcast for its own IP address, to determine if the address is already being used on the network. Once again, you must create a value of REG_DWORD type and enter the number of ARP retries desired. The default is 3, which is also the maximum. You can change this to either 1 or 2.
Changing the Default TTL You can change the number in the outgoing IP headers that represents the maximum amount of time the packet can remain “alive.” If it does not reach its destination by the time set, it will be dropped. What this does is limit how many routers the packet can “hop” through before it “dies.” This will also be a new REG_DWORD value called DefaultTTL, set to the number of seconds/hops, and can be from 1 to 0xff (255 in decimal notation). The default is 128.
Enab ling or Disab ling Dead Gateway Detection By default, dead gateway detection is enabled. You can disable it (or reenable it after it’s been disabled) by editing the EnableDeadGWDetect value. The value type is REG_DWORD (Boolean), and the only valid settings are 0, which disables dead gateway detection, or 1, which enables it.
Window s 2000 TCP/IP Internals • Chapter 4 181
Enab ling Multicast Forward ing In Windows 2000, IP multicast forwarding is not enabled by default. However, it can be enabled by creating a Registry value called EnableMulticastForwarding of the REG_DWORD (Boolean) type, and setting it to 1, for True.
Enab ling IP Ad d ress Autoconfiguration Automatic configuration of IP address is enabled in Windows 2000 by default. Although this feature is often useful, it can be disabled by setting the IPAutoconfigurationEnabled value for the specific interface to a value of 0. You can reenable it by setting the value to 1.
Changing the Interval b etween TCP Keep -Alive Transm issions By default, keep-alive messages will be sent every 1000 milliseconds (one second) until a reply is received. You can edit the KeepAliveInterval value to change this to a different time (in milliseconds). This is a REG_DWORD data type.
Changing the Maxim um Transm ission Unit (MTU) By editing the MTU value for the specific interface, you can set a limit on the packet size (in bytes) that will be transmitted over the network. This value is set as a REG_DWORD type, specifying the number of bytes. This value cannot be less than 68. If you set it to a number that is less than 68, the MTU will be 68.
Registry Settings that Should Not Be Ed ited Some settings are configured by the services, such as DHCP, and should not be changed via editing the Registry. Others can, and should, be changed via the GUI instead of by editing the Registry directly. Below is a partial list: ■ ■ ■ ■ ■
■
IPAutoconfigurationAddress DHCP Default gateway Can be set in TCP/IP properties box in the GUI EnableDhcp Can be set in TCP/IP properties box in the GUI IPAddress Can be set in TCP/IP properties box in the GUI IPEnableRouter Can be set in TCP/IP properties (Advanced) in the GUI IPEnableRouterBackup Set by setup and should not be changed manually
182 Chapter 4 • Window s 2000 TCP/IP Internals ■
■
DhcpDefaultGateway Written by the DHCP client service and should not be changed DhcpIPAddress Configured by DHCP (Note: None of the DHCP assigned values should be changed manually.)
Summary In this chapter, we discussed how TCP/IP works, its “internals” or the components of its architecture as implemented in Windows 2000. We got an overview of the enhancements that Microsoft has made to its TCP/IP stack. We learned a little about Internet Requests for Comments (RFCs), and discussed in detail some of the RFCs with which Microsoft’s newest operating system complies. In particular, we examined some of the more significant RFCs such as: RFC 1323, which provides for scalable (and larger-sized) TCP windows, a feature that can optimize performance on highbandwidth networks. We explained the purpose and function of sliding windows, how the TCP three-way handshake works and how it establishes the window size, and how sliding windows provide for flow control in TCP communications. We looked at how the scaling factor is negotiated and how you can determine what the current scaling factor is by examining the packets that created the connection. Then we looked at another TCP extension specified in RFC 1323, timestamping, and how it can solve instability problems that are caused by bad estimates of Roundtrip Time (RTT) that result from other methods of measuring RTT. RFC 2018, which deals with TCP selective acknowledgments. We saw how SACK can enhance network performance when large window sizes are being used. We also discussed how to disable SACK by editing the Windows 2000 Registry. RFC 1577, which lays out specifications for running an IP network over ATM. We discussed some of the advantages of Asynchronous Transfer Mode networks, such as their connection orientation, lack of inherent limits on speed, and Quality of Service. We talked about the use of an ARP server in ATM networks for resolution of IP addresses to physical addresses, since ATM is a nonbroadcast network. We also briefly touched on LAN emulation (LANE), which allows you to use traditional LAN software and hardware for an ATM network.
Window s 2000 TCP/IP Internals • Chapter 4 183
RFC 2001, which gives the specs for TCP Fast Retransmit, a feature that provides for faster performance by allowing TCP to resend data before the specified retransmission time has expired. RFCs 2211 and 2212, defining QoS, or Quality of Service, a new feature in Windows 2000 that lets the network reserve bandwidth between client and server to ensure that a high-bandwidth application will have sufficient bandwidth. RFC 2205, which gives specifications for another new feature, the Resource Reservation Protocol, also known as RSVP. We talked about how RSVP works with general Quality of Service (GQoS) to reserve bandwidth, using functioning as a control protocol similarly to ICMP. In this chapter, we also looked at IP Security (IPSec) and how it provides for greater protection of data sent over an IP network. We looked at the two IPSec Security options: AH, or Authentication Header security, and ESP (Encapsulating Security Payload), which encrypts the data itself. We talked about how IPSec is configured and the predefined IPSec policies included with Windows 2000: ■ ■ ■
Client (Respond Only) Server (Request Security) Secure Server (Require Security)
We went a little further, to discuss definitions of custom policies and setting of filtering on inbound and outgoing traffic. Then we looked at several IPSec troubleshooting scenarios, including the failure of RAS secured connections, the failure of LAN secured connections, and broken policy links. We discussed how to use the IPSec monitor to gather statistical information such as: ■ ■ ■ ■
Number of active security associations Types of active security associations Number of master and session keys generated Number of ESP or AH bytes sent and received
We also looked at how to use the Windows 2000 Event Viewer and the Network Monitor to troubleshoot IPSec problems. We talked about what to do when IPSec files are missing or corrupted, how to deal with problems with multihomed machines, and how to address performance slowdowns when using IP Security. Then we turned our attention to NDIS 5, the latest version of the Network Driver Interface Specification, and the changes between NDIS 4 and 5.
184 Chapter 4 • Window s 2000 TCP/IP Internals
Next, we examined IP, the Internet Protocol that operates at the Internetwork layer of the DoD model. We talked about CIDR, Classless Inter-Domain Routing, which is beginning to replace the old and inefficient way of allocating IP addresses in blocks defined as class A, B, and C networks. We discussed multihoming, the practice of assigning more than one IP address to a single computer, either by installing multiple physical network interfaces or by creating virtual interfaces for one network card. We addressed some of the problems that arise with multihomed machines, particularly when networks are linked by Remote Access Services, when multiple default gateways are assigned, and how multihoming and WINS interact. We then moved to IP multicasting, defining a multicast transmission as the sending of data to multiple computers using only one IP address, called a multicast address. We discussed the multicast address range, and how computers can join two kinds of multicast groups: permanent and transient. We looked at some of the problems that can occur with multicasting, and how to troubleshoot those problems using tools like mrinfo, and other command-line utilities included with Windows 2000. We discussed duplicate IP address detection and how Windows 2000 attempts to avoid this situation. We also examined some characteristics of the Transport layer protocols, TCP and UDP. We talked about TCP dead gateway detection and how Windows 2000 maximizes the possibility that the packets destined for a remote network segment will be routed even if a gateway fails. We looked at the delayed acknowledgments feature, and how, using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable. We talked about TCP keep-alive messages, sent every two hours to verify that the remote computer is still available. We also discussed the Silly Window Syndrome (SWS), and how Windows 2000’s TCP/IP stack was designed to avoid this problem. Then we discussed User Datagram Protocol (UDP), the connectionless transport protocol used for broadcasts and other messages that don’t require acknowledgments, sequencing, and the other high-overhead features of TCP. Finally, we looked at how the TCP/IP settings are implemented in the Windows 2000 Registry, which contains all of the protocol’s initialization
Window s 2000 TCP/IP Internals • Chapter 4 185
parameters. We looked at how to edit selected Registry setting to enhance performance, and also listed some Registry settings that should never be edited manually.
FAQs Q: What are the three ways in which TCP/IP information can be configured in Windows 2000? A: 1) Manual configuration, where the administrator enters the IP address, subnet mask, default gateway, and other configuration information directly into the TCP/IP properties box for each NIC on each computer individually; 2) Dynamic configuration, in which the computer is configured to contact a DHCP server to obtain a leased IP address, along with other TCP/IP configuration information; and 3) Automatic configuration, in which the computer that is unable to contact a DHCP server assigns itself an address from the APIPA (Automatic Private IP Addressing) range for temporary use until a DHCP server can be contacted. Q: Can I have more than one default gateway configured on a computer? A: Sort of. If you have two network adapters, you can configure a different default gateway for each, but only the default gateway of the first adapter will be used. The only time the second adapter’s gateway will be used is if the first becomes unavailable. Q: What is a default gateway, anyway? A: The default gateway is the “way out of the network.” In a TCP/IP network, the default gateway serves an important purpose. It is the route that will be used when a host wants to communicate with any other host that is not on its local subnet. The IP address of the default gateway is the IP address of the subnet’s router (which can be a dedicated device or an NT or Windows 2000 machine with IP forwarding enabled, functioning as a router). Q: We know that IANA and InterNIC assign IP addresses. Where do the hardware addresses on the network cards come from?
186 Chapter 4 • Window s 2000 TCP/IP Internals
A: The physical addresses, burned into a chip on the network card, are known as Media Access Control (MAC) addresses in Ethernet and Token Ring network cards. Registration of MAC addresses is overseen by the IEEE, the Institute of Electrical and Electronics Engineers. The IEEE assigns the first three bytes of a MAC address to each company that manufactures network cards, and the manufacturer assigns the last three bytes to individual network adapters. Q: What is the difference between “connectionless” and “unreliable” in the discussion of network protocols? A: The term connectionless refers to a communication in which no session is established prior to the commencement of the transmission of data. Unreliable, on the other hand, means that delivery of the packets is not guaranteed. Unreliable protocols make a “best-effort” attempt to deliver each data packet. If a packet is lost, duplicated, or delayed, the unreliable protocol does not “care.” IP is an “unreliable” protocol, which is why TCP (a reliable protocol) handles acknowledgments and error recovery at the Transport layer. Q: What is the difference between TCP ports and UDP ports? What are some of the “well-known ports?” A: TCP ports are more complex and they operate differently from UDP ports, although both are used for the purpose of identifying a packet’s destination more specifically within an IP address. A UDP port operates as a single message queue. The UDP port is the endpoint for UDP communications. Each TCP port, on the other hand, is identified by dual endpoints (one address/port pairing for each connected host). Well-known ports include TCP ports 20 and 21 (FTP), 23 (Telnet), 53 (DNS zone transfer), 80 (Web server), and 139 (NetBIOS session). Wellknown UDP ports include 69 (TFTP), 137 (NetBIOS name service), 138 (NetBIOS datagram service), 161 (SNMP), and 520 (RIP).
Chapter 5
Using Netw ork M onitoring and Troubleshooting Tools in Window s 2000
Solut ions in t his chap t er: ■
Window s 2000 M onitoring Tools: Performance, NetM on
■
TCP/IP Utilities: SNM P, ping, tracert, ipconfig, nbtstat, netstat
■
Netw ork M anagement Tools: SM S, NetXray, Tivoli
■
Cable Testers, Protocol Analyzers, Sniffers
187
188 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Introduction In this chapter, we will examine a host of tools and utilities that you can use to monitor, assess, and diagnose your network. One of the great advantages of using TCP/IP as your network protocol of choice is the vast array of tools available for troubleshooting. We’ll first look at some tools that allow you to monitor network activity, such as the Network Monitor, Event Viewer, and the Performance Console. These are all GUI-based tools you can use to gather statistics and information, allowing greater insight into the behavior of the network “under the hood.” After looking at the monitoring tools, we’ll dive into some of the TCP/IP command-line tools such as PING, PATHPING, IPCONFIG, and more. We will see how each tool works, and then apply each to a specific troubleshooting scenario, which will give you some context to see how they work in actual practice.
Window s 2000 M onitoring Tools Microsoft has included two powerful network-monitoring tools with Windows 2000: The Performance Console and the Network Monitor. With these tools, you can monitor the health of your network from a single location, and you can listen in on network activity in real time. Both of these utilities allow you as the administrator to have more control over the health and efficiency of your network. Before diving into the tools, let’s talk first about some basic monitoring guidelines that will help optimize your use of the tools discussed in this chapter.
Basic Monitoring Guid elines When monitoring aspects of your network, you need to have a good idea of what it is that you’re looking for. Are you looking for clues for login validation errors? Are you looking for reasons for complaints of network sluggishness from your users? Are you looking for possible security leaks? Are you just obtaining baseline measures so that you have something to compare to when the network is acting abnormally?
Baselining Baselining is the process of collecting information on a network when everything is working the way you want it to work. It would make no sense to collect baseline information when your network is “acting up,” or is the subject of complaint and ridicule. With this in mind, you definitely do not want to collect baseline information about network performance
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 189
and behavior soon after the implementation of a new network or network segment. There is always a “shakedown” period when you are going to have to “fix” the things that weren’t done correctly the first time, and to fine-tune those aspects of the network implementation that were correctly implemented. After the network has “settled down” for a period of several weeks, and no one is complaining and you are not aware of any problems, then you should start a network baseline collection procedure. You may want to use some or all of the tools discussed in this chapter to obtain your network baseline.
Documentation The key to your success in network monitoring and maintenance is good and organized documentation. You must have a system in place that allows you to quickly and efficiently return to previous measurements, and to measure trends that may be extant in the measurements you have taken. Whether you are using Network Monitor, System Monitor, netdiag, netstat, ipconfig, or whatever, have a location on your hard disk to keep the information that you have collected, and keep all your information in this location.
Backing Up It is important that you back up this information to multiple locations for fault tolerance reasons. If you have multiple backups, it is unlikely that any of them will fail, but if you have a single backup, there is a good chance that it will be corrupt. Think of this as an extension of Murphy’s Law.
Analysis After you have decided on a location to keep your precious data, you need a system to collate it and bring it together so that you can spot trends. Most of the tools that we will work with in the chapter allow you to save data in some kind of delimited text file.
NOTE A delimited text file is a text-b ased d atab ase file form at with d ata that is sep arated b y either com m as or tab s. Sp read sheet or d atab ase p rogram s such as Microsoft Excel or Microsoft Access allow you to easily im p ort this d elim ited text inform ation into a d atab ase form at, which m akes it easier to sp ot trend s. Both p rogram s have sop histicated charting and grap hing cap ab ilities that allow you to visually d ep ict im p ortant inform ation.
190 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
If you work for a larger organization, you may have available more sophisticated programs that perform network analysis for you and provide detailed reporting capabilities. Programs such as Network Associates’ Network Informant, Computer Associates’ Unicenter TNG, and Microsoft Systems Management Server all provide built-in reporting facilities that are both simple to use and extremely sophisticated in their reporting capabilities. Whatever tools you decide to use, keep in mind that your monitoring efforts are done for several reasons: ■ ■ ■
To find network faults To obtain baseline measurement To provide documentation you might need in order to obtain the equipment you desire to improve your network’s functionality
With this in mind, let’s look at some of the tools available to us to monitor and investigate network functionality.
Perform ance Logs and Alerts The application formerly known as “Performance Monitor” has undergone a name change and a minor overhaul in its appearance in Windows 2000. In fact, it appears to have a couple of different names, depending on the Microsoft documentation you read. It is called either “Performance” or the “System Monitor.” For our purposes, we’ll refer to it as the “Performance Console” or “System Monitor.” You can use the Performance Console to obtain real-time data on network performance parameters such as TCP, Web, FTP, and Proxy server statistics. This information can be saved in a log file for later analysis, and it can even be replayed. To open the Performance Console, go to the Administrative Tools and click Performance, as shown in Figure 5.1. Note that there are two panes in the Performance Console. On the left, you see entries for the System Monitor, and then several options for Performance Logs and Alerts. The System Monitor is the counterpart of the Windows NT 4.0 Performance Monitor. There are three views available in the System Monitor: ■ ■ ■
Chart view Histogram view Report view.
When working with the Chart view, note that it will display up to 100 units of time. You select the unit of time for which measurements are taken by right-clicking anywhere on the chart area itself, and selecting Properties, as seen in Figure 5.2.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 191
Figure 5.1 The Perform ance Console.
NOTE The old “Log View” has b een m oved away from the System Monitor area into its own area und er the “Perform ance Logs and Alerts” section.
Notice where it says “Update automatically every:” and then a number of seconds. You can enter the number of seconds you want the chart updated, and the entire chart will contain data for up to 100 update intervals. If we left this as it is, with the update taking place every 1 second, then we could see up to 100 seconds of activity on the chart, which is equal to 1 minute and 20 seconds.
TIP If you would like to see an entire d ay’s worth of activity on one chart screen, you could d ivid e the num b er of second s in one d ay b y 100, or 86400/100 = 864 second s. By setting the chart interval to 864 second s, you’ll b e ab le to see an entire d ay’s worth of d ata on a single chart screen.
192 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.2 The Prop erties d ialog b ox in the Chart view.
Counters There are a great variety of network-related counters you can add to the System Monitor. A noncomprehensive list of these counters includes IP, IIS Global, ICMP Browser, FTP Server, UDP, TCP Redirector, SMTP Server, RAS Port RAS Total, NNTP Server, NNTP Commands, and Network Interface. One of the nice things about the System Monitor application in Windows 2000 is that when you populate the Chart view with a number of counters, you don’t have to repopulate the Report view. For example, let’s say that I want to add all the counters for the Network Interface Performance Object. I click on the “+” sign on the toolbar and the Add Counters dialog box appears, as shown in Figure 5.3. To select all counters from a performance object, all you need to do is select the “All counters” option button, and it adds all the counters to the list. Then click ADD and they all appear in the chart. After the counters are added to the Chart view, you can see statistics gathered from those counters in both the Report and the Histogram views. Figure 5.4 shows all the counters in the Report view.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 193
Figure 5.3 The Ad d Counters d ialog b ox.
Notice that all the counters are carried over to the Chart view, which is a real convenience. The same is true for the Histogram view, which you can see in Figure 5.5. Figure 5.4 The Network Interface counters in Rep ort view.
194 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.5 The Histogram view carries over the counters selected in the Chart view.
If you would like to create a log file so that you can come back to the information that you’ve gathered at a later time, click the Counter Logs object and then right-click in the right pane and select New Log Settings. You will first encounter the New Log Settings dialog box where you put in the name of the log. Make it something meaningful and descriptive so you can find the information later. You will then be faced with a three-tabbed dialog box, such as that seen in Figure 5.6. The first tab is the General tab, and this is where you begin to add new counters to the log file. Click ADD and add counters as you did in the Chart view. After adding the counters, they will populate the area labeled “Counters.” When you click the Log Files tab, you will see what appears in Figure 5.7. Note the location and name of the log file.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 195
Figure 5.6 The Log File d ialog b ox.
Figure 5.7 The Log Files tab in the Log File d ialog b ox.
196 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Log File Format In the “Log file type:” drop-down list box, you can choose what format you want the log file to be saved in. The main choices are binary format and delimited text formats. If you save the logs in delimited text formats, you can import the data into an Excel or Access database. Regardless of the format you choose, you can still bring the information back to the System Monitor Console for later analysis in the same way you were able to open log files for later viewing using the Windows NT 4.0 Performance Monitor.
Alerts To create an alert, you click the Alerts object in the left pane and then right-click in the right pane and select New Alert Settings from the context menu. Enter the name of the alert and click OK. You will see what appears in Figure 5.8. Figure 5.8 The General tab in the Alert d ialog b ox.
You add counters for which you want to be alerted by clicking ADD; in this example, we have selected the Pages/sec counter in the Memory object. After selecting the counter, you need to set parameters that will trigger the alert. In this case, we want to be alerted if the number of pages/sec exceeds 20 per second. The sample interval is every 5 seconds by default. Click the Action tab and you will see what appears in Figure 5.9.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 197
Figure 5.9 The Action tab in the Alert d ialog b ox.
You set what actions should take place after an alert is triggered. In this case, we have configured the alert to be sent to the Application log and a network message to be sent to the administrator’s workstation. This is a NetBIOS name, and NetBIOS must be enabled on both the machine generating the alert and the machine receiving an alert as a network message in order for this to work. This is something to keep in mind when you feel that your network has reached a point where you can completely disable NetBIOS. If you do reach that point, you must reenable NetBIOS on the source and destination machines, at least temporarily, in order for alerts to be sent via network messages. You also have the choice of starting a log that you have already created after an alert condition has been met. We might want to create a log that tracks other memory-related parameters if the number of pages/sec exceeds 20. In that case, we would choose to “Start performance data log” and select the name of the log from the drop-down list. You could also choose to start a program after the alert condition parameters have been met. Click the Schedule tab and you will see what appears in Figure 5.10. Here you can schedule when you want to the system to look for alert conditions. In this instance, we have selected the date and time when the system should start looking for the alert condition, and set that the system should stop looking after one day. You can see from the dialog box the other options you have when scheduling alerts.
198 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.10 The Sched ule tab in the Alert d ialog b ox.
Network Monitor The Microsoft Network Monitor is a software protocol analyzer that allows you to capture and analyze traffic on your network. The version of Network Monitor that comes with the Windows 2000 server family is limited in its scope because it does not allow you to place the network adapter in what is known as “promiscuous mode.” When an adapter is placed in promiscuous mode, it is able to listen to all the traffic on the segment, even if that traffic is not destined for the machine running the Network Monitor software. However, one of the disadvantages of this state of affairs is that promiscuous mode capturing can potentially overtax your computer’s processor. Even with these limitations, the Network Monitor is a very useful tool for assessing the activity on the network. You can use the tool to collect network data and analyze it on the spot, or save your recording activities for a later time. Network Monitor allows you to monitor network activity and set triggers for when certain events or data cross the wire. This could be useful, for instance, if you are looking for certain “key words” in e-mail communications moving through the network (we’ll look at an example of how to do this later in this section).
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 199
NOTE A m ore full-featured version of Network Monitor that allows for p rom iscuous m od e is includ ed with Microsoft System Managem ent Server (SMS).
Filtering The Network Monitor program allows you to capture only those frames that you are interested in, based on protocol or source or destination computer. You can apply even more detailed and exacting filters to data that you have finished collecting, which allows you to pinpoint the precise elements you might be looking for in the captured data. We’ll discuss how to filter what data you want to capture, and how to fine-tune the captured data after you’ve collected it.
Security Issues The Network Monitor program is a network sniffer. Any person with administrative privileges can install it on a Windows 2000 server family computer and start “listening” to activity on the wire. If you feel this is a cause for concern, you are correct. This easy availability of such a powerful tool should lead to even further consideration of the security implications when you give someone administrative rights. Fortunately, the Network Monitor is able to detect when someone else on the segment is using Network Monitor, and provide you with his or her location. However, don’t stake your career on this working correctly, because we have had very rare success at it actually identifying all computers running Network Monitor on the same segment.
Installation Network Monitor is not installed by default. If it isn’t installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel.
Using the Program After you have installed the program, go to the Administrative Tools menu and click Network Monitor; you will see what appears in Figure 5.11. This Capture Window is the starting point on your adventure of network monitoring. Note that there are four panes to this window.
200 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.11 The Network Monitor Cap ture Wind ow.
Capture Window Panes The top left pane is in the “gas gauge” type format, which provides information on percent network utilization, broadcasts per second, and other parameters in real time. Just under that is a pane that provides information about individual sessions as they are established, showing who established a session with whom, and how much data was transferred between the two. The right pane is the local machine’s session statistics pane, and provides detailed summary (is that an oxymoron?) information about the current capturing session. The bottom pane provides information about each detected host on the segment, and statistics gathered on the host’s behavior.
Extra Tools Before we get into the details of a capture, let’s look at some of the extra tools available with Network Monitor.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 201
First, select the Tools menu, and then click Identify Network Monitor Users. You will see the Identify Network Monitor Users dialog box as it appears in Figure 5.12. Figure 5.12 The Id entify Network Monitor Users d ialog b ox.
NOTE This d ialog b ox p rovid es you with the usernam e and NetBIOS nam e of the m achine or m achines currently running Network Monitor.
As mentioned earlier, you might not always get accurate readings right away when running this utility. The Microsoft documentation regarding how it finds other Network Monitor users is not clear on how the identification process takes place. Machines running either the Network Monitor Application or Agent are supposed to register NetBIOS names with the service identifier of [BFh] and [BEh], respectively, but if you look at the following, you will be led to think otherwise: Local Area Connection: Node IpAddress: [192.168.1.186] Scope Id: [] NetBIOS Local Name Table Name - - - EXETER
Type - - - UNIQUE
Status - - - Registered
202 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
TACTEAM EXETER EXETER TACTEAM INet~Services IS~EXETER ADMINISTRATOR
GROUP UNIQUE UNIQUE GROUP GROUP UNIQUE UNIQUE
Registered Registered Registered Registered Registered Registered Registered
Local Area Connection: Node IpAddress: [192.168.1.3] Scope Id: [] NetBIOS Local Name Table Name - - - DAEDALUS TACTEAM DAEDALUS DAEDALUS TACTEAM TSHINDER INet~Services IS~DAEDALUS DAEDALUS
Type - - - UNIQUE
GROUP
UNIQUE
UNIQUE
GROUP
UNIQUE
GROUP
UNIQUE
UNIQUE
Status - - - Registered Registered Registered Registered Registered Registered Registered Registered Registered
These are the printouts of the nbtstat –n commands run on two of the Windows 2000 computers identified by Network Monitor as running Network Monitor. Neither of them has registered NetBIOS names indicating that they are running either the Network Monitor Agent or Application. The WINS database on this network also contains no entries to this effect. The moral of this story? Take advantage of this application, but take a couple of precautions: 1) Let it run for an hour or so before concluding that no other Network Monitor users are on the network, and 2) Don’t bet your job on it!
Buffers Now click the Capture command and click Buffer Settings. You’ll see what appears in Figure 5.13. The buffer size, in megabytes, determines the amount of data you can capture in a single recording session.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 203
Figure 5.13 The Cap ture Buffer Settings d ialog b ox.
TIP The d efault value is 1MB, b ut you can choose up to 1024MB (1GB). However, since this d ata is stored in m em ory d uring the record ing p hase, your p ractical lim it is the am ount of availab le RAM.
Even if you are running Network Monitor on a machine with a gigabyte of RAM, you still need to be careful because it needs to write this information to disk. You need the equivalent amount of free disk space as well. You can also choose how much of each frame you want to capture. Typically, you’ll choose Full to maximize your ability to find the things you’re looking for. Select the Options menu, and then click the Change Temporary Capture Directory command. You’ll see a scary message like the one in Figure 5.14. Figure 5.14 A scary m essage ab out changing the Tem p orary Cap ture Directory.
The whole program is for advanced users only! We’re still trying to figure out what the danger is that they want to communicate regarding changing the
204 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
location of the temporary folder, which is the temporary folder location defined in the system environment variable. Click OK and you can then choose another folder to contain the temporary capture files. You might want to do this if you’ve chosen a buffer size that is larger than the amount of disk space you have available on the partition that contains your temp directory.
Collecting Data Now that we’re finished with the preliminaries, let’s get to the job of collecting some data. The first thing you should try out is to start a capture without filters, just to get a feel for how the capture process works.
NOTE There are a coup le of ways to get the cap ture started : You can select the Cap ture m enu, and then click Start, or you can click the little right-p ointing arrow in the toolb ar. Either one will b egin the cap ture. When it is running, you’ll see the gas gauges m oving, and the statistics b eing collected on the record ing session.
After letting the capture run for a little bit, or after the % Buffer Used value is 100, click the button that has the eyeglasses next to a square (the stop and view button). This stops the capturing process and allows you to see the frames that have been captured. You’ll see the Capture Summary window as seen in Figure 5.15. This window provides a list of all the frames that were captured during the session. If you scroll to the bottom of the list, you’ll note that there is a summary frame that contains statistics about the current capture. Take note of the column headers, which all should be self-explanatory. Notice something unusual about the data in Figure 5.15? How about the information that appears in the “Src MAC Addr” and “Dst MAC Addr” fields? Those don’t look like MAC addresses to me. If you did notice this seeming anomaly, congratulations! MAC addresses aren’t much fun to look at, so we took advantage of another utility that translates the MAC addresses to Machine Names. Select the Display menu, and then click the Find All Names command. It will search for names and then inform you of its results, and transform the fields containing MAC addresses to NetBIOS names if it can find this information. Now, double-click one of the frames, and you will see the display transform into a tripane view as seen in Figure 5.16.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 205
Figure 5.15 The Cap ture Sum m ary wind ow.
The top pane is just like the one you just saw. The middle pane contains translated information from the captured frame that provides details of the frame headers and protocol information. The bottom pane shows the raw Hex and translations of the collected frame data. At the very bottom of the windows, in the status bar area, there is a description of the frame selected in the top pane (which in this case is Ethernet/802.3 MAC Layer), the frame number out of the total number of frames, and an “offset” value for the selected character in the bottom pane. In the preceding example, we selected frame number 244, which is an ARP broadcast frame. Notice in the middle pane some of the details. It indicates the hardware type and speed, and the source and destination IP and hardware address. Note that the destination hardware address is the Ethernet broadcast address [FFFFFFFFFFFF] because the whole purpose of the ARP broadcast is to resolve the IP address to a hardware address. The capture was taken from EXETER. The ARP broadcast was issued by CONSTELLATION for DAEDALUS, which is the machine with the IP address of 192.168.1.3. Do you think we would find the ARP reply later in the capture? The answer is no. That is because the reply will not be sent
206 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.16 Trip ane view in the Cap ture Sum m ary wind ow.
to the hardware broadcast address, but to CONSTELLATION’s hardware address; therefore, the Network Monitor on EXETER will not be able to capture that conversation. The only reason we were able to see the ARP Request is because it was directed to the hardware broadcast address, which means that every machine on the segment had to evaluate the request to see if it was for them. The bottom pane in this instance isn’t very exciting. It shows the Hex data on the left and an ASCII translation on the right. However, it can get interesting, as shown in Figure 5.17. Looking at the ASCII translation in this case, we see that we have a problem user on the network, perhaps an overly enthusiastic Linux fan. We are able to actively search for text strings in captured data in order to find out about the existence of just this kind of communication. In this case, the offensive text string was found embedded in an SMB packet transmitting a Microsoft Mail message from the e-mail server to the destination computer. Other frames in the capture indicate the source of the message.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 207
Figure 5.17 Cap ture file with revealing ASCII d ata.
Filtered Captures The capture we did earlier was an unfiltered capture. The advantage of doing an unfiltered capture is that you can gather data on every communication into and out of the computer doing the capture, so you can be sure that you’re not missing anything. However, you could end up collecting a whole lot of information that you don’t need, and the extra information only serves to obscure the data that you’re actually looking for. Perhaps you’re only interested in the information exchange taking place between your computer and one other computer, or two other computers. You can limit the frames that are captured by creating a capture filter.
NOTE A capture filter is one of the two typ es of filters you’ll b e working with, the other b eing the display filter , which we’ll exp lore in a little b it.
208 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
The purpose of the capture filter is to limit the frames that are actually saved in the capture buffer. This allows you to make better use of your buffer space, because the limited amount of buffer you have can be devoted to looking at the precise targets of interest. It also reduces the amount of “extraneous” information that could cause you to overlook something important during your investigations. To create a capture filter, select the Capture menu, and click Filter. First you’ll see a warning that tells you that for “security” reasons, you can only capture traffic moving to and from the machine running Network Monitor. Click OK to move away from that dialog box, and you’ll see what appears in Figure 5.18. Figure 5.18 The Cap ture Filter d ialog b ox.
There are two ways you can filter the capture information: ■ ■
By machine address pairs By a specified pattern in the frames that is examined during the capture sequence
Filtering b y Ad d ress Pairs Let’s first see how we filter via address pairs. We can define up to four address pairs to filter. For example, suppose there are 30 computers on the segment that’s running Network Monitor, and we don’t want to capture information destined to and coming from all 30 of those machines, just four of them. We can do that.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 209
To start adding address pairs, double-click the [AND] (Address Pairs) statement. You should see what appears in Figure 5.19. Take a close look at the elements of this dialog box. Near the top are two option buttons for Include and Exclude. Any address pair that you select for Include will be included in the capture. Any address pair that you set for Exclude will be excluded from the capture. For example, if you choose to include *Any (which indicates all frames coming to and leaving this computer), you could choose to exclude a pair of computers so that you can ignore messages being sent to and arriving from that machine. Figure 5.19 The Ad d ress Exp ression d ialog b ox.
Under the Include and Exclude options are three panes: Station 1, Direction, and Station 2. Station 1 and Station 2 will define the computers named in the address pairs that will be included or excluded from the filter, with Station 1 always being the machine running the Network Monitor application. The Direction arrows allow you to filter based on the direction of the traffic. The "# symbol represents traffic leaving Station 1 to Station 2 and arriving from Station 2 to Station 1, the # represents traffic leaving Station 1 to Station 2, and the " represents traffic arriving from Station 2 to Station 1.
NOTE If we were using the full version of Network Monitor that com es with Microsoft System s Managem ent Server, Station 1 could b e any com p uter on the network and not just the local m achine.
210 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
The chance is good that the machine you want to designate as Station 2 is not included on the list. To add the machine of interest to the list, click EDIT ADDRESSES. You will see what appears in Figure 5.20. Figure 5.20 The Ad d resses Datab ase d ialog b ox.
This shows the Addresses Database in its current state on the machine running the Network Monitor. The first column gives the machine’s NetBIOS name, the second column the machine’s addresses, the third column denotes the type of address included in the second column, and the fourth column includes a comment about the entry in the database. What we want to do is add an entry, so therefore we need to click ADD. You will see what appears in Figure 5.21. Figure 5.21 The Ad d Ad d ress Inform ation d ialog b ox.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 211
In the Add Address Information dialog box you enter the name of the machine, whether this is a permanent name for the machine, the address, the type of address you are entering, and an optional comment.
TIP A hint here is that b efore you enter the ad d ress, you m ust choose what typ e of ad d ress you wish to enter. The d ialog b ox d efaults to a MAC ad d ress, and if you try to enter an IP ad d ress when it says “ETHERNET” in the typ e b ox, it won’t work.
Click OK and the address is entered into the database. These addresses will only stay in the database for the time that you have Network Monitor open. If you find that you’ve created a lot of addresses for machines on your network, you certainly don’t want to have to do that again. To prevent such a waste of time, you can save these addresses. To do so, click SAVE, choose a location and a name for the file, and these addresses will be saved so that you can load them on a subsequent monitoring session. Click CLOSE, which returns you to the Address Expression dialog box that you were at previously. I’m going to select EXETER for Station 1, CONSTELLATION for Station 2, and choose the double arrow for the direction of traffic. After doing so, the screen looks like it does in Figure 5.22. Figure 5.22 The com p leted Cap ture Filter.
212 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
With this capture filter in place, only traffic between EXETER and CONSTELLATION will be retained in the capture filter, and all other packets will be rejected. This implies that all packets continue to be examined by the application, and that is true.
TIP The filtering p rocess can b e p rocessor-intensive, esp ecially if you have set up com p lex filters. Keep this in m ind b efore running an extend ed cap ture session on a m achine that is alread y heavily taxed .
Now we’re ready to start the capture session. Click OK in the Capture Filter dialog box to remove it from sight. To start the capture, we’ll click the right-pointing arrow in the toolbar. After letting the capture run for a very short period of time, you can click the “stop and view” button on the toolbar. The collected data appear in Figure 5.23. Figure 5.23 The results of a filtered d ata collection.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 213
Disp lay Filters Now that we have some captured data, we’ll look at a second type of filter, known as a display filter. The display filter allows us to look for very specific elements of the captured data, and allows for a much more refined filtering than we can accomplish with the capture filter.
NOTE A d isp lay filter can b e used as a d atab ase search tool, where the cap tured fram es are the d ata in our d atab ase.
Imagine that we had captured this data because we wanted to see what types of messages were being passed around the network regarding Windows 2000. First, we’d have to decide what kind of messages we want to look for. In this case, let’s assume that we want to see if users have been using the net send command to exchange ideas or opinions regarding Windows 2000. To get started, select the Display menu, and click Filter. You should see what appears in Figure 5.24. Figure 5.24 The Disp lay Filter d ialog b ox.
What we want to do is filter out everything except the protocol of interest, and then identify a key phrase contained within the protocol of
214 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
interest. Since we’re looking at net send messages being sent between the users, we know that they use the SMB protocol. That’s where we’ll start. Double-click the line that says “Protocol==Any”. You will see the Expression dialog box as it appears in Figure 5.25. Figure 5.25 The Exp ression d ialog b ox.
Notice that the Protocol tab is where we are located. By default, all protocols are enabled, which means that the filter is letting frames from all protocols appear. Our goal is to allow only frames from the SMB protocol to appear, so we can sift through just those frames to find what our users are saying about Windows 2000. The first step is to disable all the protocols by clicking DISABLE ALL. After clicking DISABLE ALL, all the protocols are moved to the right side, into the Disabled Protocols section. Now, scroll through the list of disabled protocols and find the SMB protocol. Click on the SMB protocol and then click ENABLE. Your screen should appear as it does in Figure 5.26. When the display filter is enabled, we will see only the SMB frames. However, we don’t want to see all the SMB frames, we just want to see those that have the term “Windows 2000” in them. In order to drill down to just those frames, click the Property tab. After clicking the Property tab, scroll down the list of protocols until you find the SMB protocol. Double-click the protocol to see all the SMB frame properties. Then scroll down the list of SMB frame properties until you find the Data property. You should see what appears in Figure 5.27.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 215
Figure 5.26 The SMB p rotocol is now the only enab led p rotocol.
In Figure 5.27, we have selected the “contains” option in the Relation text box, and then entered the value “Windows 2000.” This will filter out any SMB frames that do not contain the text string “Windows 2000.” Note toward the bottom of this dialog box there are two option buttons, Hex and ASCII, and that ASCII is selected. Figure 5.27 The SMB p rotocol Prop erties d ialog b ox.
Click OK, then click OK again, and we see a single frame that contains a reference to Windows 2000, as it appears in Figure 5.28.
216 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.28 The result of the d isp lay filter.
Apparently, our rollout of Windows 2000 on the network is being well received!
Event Viewer The Event Viewer can be used to check on the status of a number of network services. Windows 2000 systems are configured to report significant fault situations to the Event Viewer. You should make it a regular practice, perhaps the first thing you do every day, to check out the Event Viewer on all of your primary servers to see if any of the Windows 2000 services running on these servers are reporting error conditions (see Figure 5.29). Normal status events are reported with a blue “i”; hence the phrase, “may your Event Viewer always show blue.” Red and white “Xs” indicate an error condition serious enough to warrant investigation. In this example, we can see that two important network services, the DHCPServer and WINS, are both reporting error conditions.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 217
Figure 5.29 The Wind ows 2000 Event Viewer.
NOTE We are viewing the System Log in this case. Most of the networking services will rep ort fault cond itions to the System Log; however, you should investigate the Ap p lication Log as well.
To find out the nature of the problem, double-click one of the errors to see the details of the problem (see Figure 5.30). The Event Viewer reports that the Jet Database returned error number 1032. Now, how do we figure out what Event 1032 might be? The key is the Windows 2000 Resource Kit.
Interp reting Error Messages The Resource Kit contains a section called “Error and Event Messages Help,” which provides a comprehensive list of error messages that you might encounter in the Event Viewer. We can’t guarantee that all the
218 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
Figure 5.30 Details of a DHCPServer error.
errors you encounter will be found here, but this one was. When we did a search for this error, we came up with the following: Event Message: The DHCP service encountered the following error when backing up the registry configuration: code Event Source Log Event ID Event Type DhcpServer 1032 Explanation: An internal error occurred in the Dynamic Host Configuration Protocol (DHCP) service. User Action: Look up the indicated error in the event log in Event Viewer, and take appropriate action. If this message appears often, you might want to restore an earlier version of your DHCP database from backup, or reinstall DHCP.
In this case, we have to take a leap of faith, since it recommends that we look in the Event Viewer, which is where we found the error in the first place. However, it does sound like our DHCP database might be damaged, and we are given a couple of options: either restore the DHCP Server database from a backup, or reinstall the DHCP server service—not very encouraging.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 219
DNS Log The Event Log does contain an added feature in addition to what was not found in Windows NT: the DNS log. Because of the added importance of DNS in the normal functioning of domain-related activity, Microsoft deemed the DNS service important enough to warrant its own log in the Event Viewer. If you are experiencing any DNS-related problems, you should check here first before getting into more involved DNS monitoring (such as DNS trace logs).
Using TCP/IP Utilities The group of command-line TCP/IP utilities included with Windows 2000 is similar to those available in Windows NT 4.0. We have the familiar set of TCP/IP tools such as: ■ ■ ■ ■ ■ ■ ■
PING NSLOOKUP TRACERT ARP IPCONFIG NBTSTAT NETSTAT
These basic TCP/IP command-line tools have either the same or enhanced functionality compared to what they could do in Windows NT 4.0. In addition to these tools, Windows 2000 offers some new commandline TCP/IP tools, including PATHPING and NETDIAG. We will see what each of these tools can do, and then look at some examples of how to apply their functionality to investigate a particular problem.
PING The PING (Packet INternet Groper) command uses ICMP echo messages to communicate with destination computers. The PING command is used most often to test basic TCP/IP connectivity. You can ping a computer by IP address or by host name. The PING command has the following switches: -t
Ping the specified host until stopped. To see statistics and continue - type Control-Break
220 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
-a -n -l -f -i -v -r -s -j -k
count size TTL TOS count count host-list host-list
-w timeout
To stop - type Control-C. Resolve addresses to hostnames. Number of echo requests to send. Send buffer size. Set Don’t Fragment flag in packet. Time To Live. Type Of Service. Record route for count hops. Timestamp for count hops. Loose source route along host-list. Strict source route along host-list. Timeout in milliseconds to wait for each reply.
-t Sw itch The –t switch is useful when you want to continuously monitor a connection. For example, you want to restart a machine remotely, and then want to know when the machine is up again so you can reestablish your remote connection. Use the ping –t command and watch when the destination computer begins to respond, and then reestablish the connection.
-n Sw itch If you don’t want to continuously ping a remote host, you can specify the name of echo request messages sent to the destination by using the –n switch. For example, if we want to ping constellation.tacteam.net 10 times, we would type at the command prompt: ping constellation.tacteam.net –n 10
It would then ping 10 times and stop after the tenth attempt.
-r Sw itch The –r command shows you the routes taken with each ping attempt. For example, if we type: ping shinder.net -n 3 -r 9
we get the following output: Pinging shinder.net [204.215.60.153] with 32 bytes of data: Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 ->
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 221
209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.54 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=150ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Ping statistics for 204.215.60.153: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 90ms, Maximum =
150ms, Average =
110ms
Notice how the path changes with each ping? Think of this as a quickand-dirty way to investigate your routing configuration.
-i Sw itch The default Time To Live (TTL) set on the ICMP echo messages is 252, but you can change that value by setting the –i switch.
-w Sw itch Use the –w switch to configure a custom time out period on your requests. The default time out is 1000 milliseconds. If you don’t want to wait that long for a time out, change the value using the –w switch.
Using PING Now let’s look at a common situation where we would use PING to investigate a connectivity problem. You are called by your junior assistant regarding a connectivity problem between Computer A with an IP address of 192.168.1.1 and subnet mask of 255.255.255.0, and Computer B with an IP address of 192.168.2.5 and a subnet mask of 255.255.255.0. She tells you that they
222 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
were able to connect to each other yesterday, but since they’ve been “playing with the network,” the machines haven’t been able to connect. The first thing you should do is go to Computer A and check it out for yourself. Ping 192.168.2.5 and confirm that there is indeed no network connectivity. Far too many users and neophyte administrators consider the inability to browse a destination computer as a sign of lost network connectivity. Remember, Microsoft did not put the browser service into place as a network diagnostic tool! If you fail to get a response from Computer B, ping the loopback address, 127.0.0.1, to assess whether TCP/IP was installed correctly. Then trying pinging another machine on the same segment, such as 192.168.1.2. If you get a response from that machine, you know that the problem isn’t related to errors in the local machine’s protocol stack itself. Now, ping the default gateway, which had better be on the same segment as Computer A! You might try pinging the default gateway before pinging another machine on the same segment, if you’re in a hurry. Now ping the far side of the default gateway. In this case, you should know what interface the router table uses to forward packets to the destination network ID 192.168.2.0. Be sure that you ping that interface.
NOTE If you p ing an interface on the router that d oesn’t route p ackets to your d estination host, you aren’t getting the inform ation you need . If the router has m ultip le interfaces, the interface you are interested in could b e d own, while the other ones are up . This m eans you m ay need to check out the routing tab les on the router itself.
If the far side of the gateway responds, try pinging another host on the same segment as the machine that is failing to respond. If you get a response, you know that there are no problems related to the segment itself, such as excessive traffic that might cause the pings to time-out. In our present case, everything worked fine except pinging the destination host, Computer B. When we went to Computer B, we found that it was a Linux box that had the default gateway misconfigured. We corrected the problem by removing Linux and upgrading the machine to Windows 2000. Another happy ending. (Another solution might have been to correct the configuration of the default gateway on the Linux machine—but why miss a golden opportunity?)
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 223
nslookup The nslookup command is the tool you use to investigate problems with your DNS server and zone databases. You can use the nslookup tool to probe the contents of your zone database files, and investigate problems with host name resolution. We will cover this tool in detail in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”
PATHPING Think of the PATHPING utility as the PING utility on steroids. The PATHPING utility sends ICMP echo request messages to each router along the path to the destination host and calculates how long it takes the roundtrip from request to reply. The default number of hops is 30, period 250 milliseconds, and queries to each router 100.
NOTE The PATHPING tool com b ines the cap ab ilities of b oth TRACERT and PING, and gives you ad d itional inform ation that you can’t get easily from using either tool ind ivid ually. PATHPING will calculate round -trip tim es, p ercent of req uests that were lost at each router, and p ercent of req uests lost b etween the routers.
PATHPING provides some interesting statistics because it gives you information regarding where the packet loss is taking place, and the level of stress a particular router may be experiencing. For example, when I type in the command: pathping shinder.net
I get the following output: Tracing route to shinder.net [204.215.60.153] over a maximum of 30 hops: 0 DAEDALUS.tacteam.net [192.168.1.3] 1 stablazer.tacteam.net [192.168.1.16] 2 tnt-dal.dallas.net [209.44.40.10] 3 grf-dal-ge002.dallas.net [209.44.40.9] 4 dal-net70.dallas.net [209.44.40.70] 5 aux153.plano.net [204.215.60.153] Computing statistics for 125 seconds... Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct
Address
224 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
0 1
0ms 0/ 100 =
0
0/ 100 =
0%
2
79ms 0/ 100 =
0% 0/ 100 =
0%
3
78ms 1/ 100 =
1% 0/ 100 =
0%
4
99ms 1/ 100 =
1% 0/ 100 =
0%
5
94ms 2/ 100 =
2% 0/ 100 =
0%
DAEDALUS.tacteam.net [192.168.1.3] 0/ 100 = 0% | starblazer.tacteam.net [192.168.1.16] 0/ 100 = 0% | tnt-dal.dallas.net [209.44.40.10] 1/ 100 = 1% | grf-dal-ge002.dallas.net [209.44.40.9] 0/ 100 = 0% | dal-net70.dallas.net [209.44.40.70] 1/ 100 = 1% | aux153.plano.net [204.215.60.153]
Trace complete.
Note that PATHPING first does a tracert and identifies all the routers in the path to the destination, and provides a list of those routers in the first section. Then, PATHPING provides statistics about each router and each link between routers. From this information, you can assess whether a router is being “overloaded,” or whether there is congestion in the link between the routers. The last two columns provide the most useful information when troubleshooting routers and links. Notice in the last column the name of the router, the IP address, and the percentage to the left of the router. If there is a high number of lost pings to a router, that is an indication that the router itself may be overloaded. Just under the name of the router you see a | character. This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion rather than with the router itself.
NOTE The PATHPING algorithm takes ad vantage of the fact that there are two p aths the p ing req uest can take: the “fast p ath” and the “slow p ath.” The fast p ath is that taken when a router just p asses the p acket to the next hop , without actually d oing any “work” on that p acket. This is in contrast to the slow p ath, where the router is the recip ient of the ICMP echo req uest and m ust use p rocessing resources to resp ond to the req uest b y issuing an ICMP echo rep ly.
Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000 • Chapter 5 225
tracert The tracert utility allows you to trace the path of routers to a destination host. You can use the tracert utility to assess whether a router or link on the path to the destination host may be congested. The tracert utility sends a series of ICMP echo requests, with each request having a incrementally higher TTL value. The first echo request has a TTL of 1. When the first router receives the message, it will decrease the TTL by 1. Since the TTL on the request was 1, it now is 0, and the router will return a “Time Exceeded” message to the requesting computer. The tracert utility then increases the TTL to 2 on the ICMP echo request message. When the message hits the first router, the TTL is decreased by 1, and when it hits the second router, it is decreased by 1 again. The second router then sends a “Time Exceeded” message to the source host. The process continues until the all routers have been traversed to the destination host. Figure 5.31 demonstrates how the tracert utility works. Figure 5.31 How the tracert utility works. Tracert TTL= 1
Tracert increments the TTL on the ICMP Echo Request with each
Time Exceeded
attempt. When the TTL reaches zero, the destination router returns a "Time Exceeded" message.
Message
TTL= 2
TTL= 1
Time Exceeded Message
TTL= 3
Time Exceeded Message
TTL= 2
TTL= 1
226 Chapter 5 • Using Netw ork Monitoring and Troubleshooting Tools in Window s 2000
For example, when we type tracert www.digitalthink.com
at the command prompt, we get the following output: C:\>tracert www.digitalthink.com Tracing route to www.digitalthink.com [216.35.144.147] over a maximum of 30 hops: 1
Notice that we get thrown back to the command prompt following the returned information. If you plan on doing a number of lookups, you would use interactive mode. To enter interactive mode, just type nslookup at the command prompt; your output should look like this: C:\>nslookup Default Server: constellation.tacteam.net Address: 192.168.1.185 >
Troubleshooting Window s 2000 DNS Problems • Chapter 7 381
Notice that you are not returned to the command prompt, but to the nslookup command’s interactive prompt. Once you enter interactive mode, you can use the “set” commands to determine the nature of your queries. Some of the “set” commands are included in Table 7.1. When you’re ready to leave the interactive mode and return to the command prompt, just type exit. Table 7.1 List of Set Com m and s that Can Be Used in nslookup Interactive Mod e Command
Description
all
Prints out a list of current op tions and server p aram eters
[no]d eb ug
Prints out d etailed inform ation from the lookup
[no]d 2
Prints out "exhaustive" d eb ugging inform ation
[no]d efnam e
Ap p end s a sp ecific d om ain nam e to each q uery
[no]recurse
Ask for recursion for the q uery
[no]search
Uses the d om ain suffix search list
[no]vc
Always use a virtual circuit
d om ain= NAME
Allows you to set a d efault d om ain nam e for the lookup
root= NAME
Define the nam e of the root server to use for lookup
retry= X
Define the num b er of retries for the lookup
tim eout= X
Define the tim eout for the lookup
typ e= X
Defines the q uery typ e For exam p le: ANY, CNAME, MX, NS, PTR, SOA, SRV
The d2 option gives you the most information about the query you’re performing. If you don’t want to stay in interactive mode, and you want to perform a single quick lookup and still get the benefits of the debug mode, you can issue an nslookup using the –ds switch. For example, type the command: nslookup –ds www.microsoft.com.
You get detailed information about the query with the –ds switch.
TIP When you d o an nslookup , b e aware that the m ost likely reason that you m ight receive a nonauthoritative answer to a q uery is b ecause your DNS server is answering from cache.
382 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
Throughout this chapter we have been working with nslookup to check on the behavior of our queries and the integrity of the zone database. We highly recommend that you practice doing many nslookups using the –ds switch or the debug/d2 set command in order to get familiar with how the utility works and the information returned to you.
ip config You probably have been using the ipconfig command for years if you’re an experienced Windows NT professional. The command has been improved in Windows 2000, and has some new switches that increase its usefulness as a tool for getting IP addressing information about your machines. Three ipconfig command switches are of particular interest when working with our DNS servers: ipconfig /flushdns The flushdns switch allows you to clear the local machine’s DNS cache. When you make zone changes or machine IP address configuration changes and then do an nslookup, you may receive information that doesn’t reflect the changes you thought you made. This is because the information is being retrieved from cache rather than from the DNS server itself. Use the flushdns switch to clear the cache, and then repeat the nslookup you were doing before. ipconfig /displaydns The displaydns switch prints out the local DNS cache. This is particularly helpful to use after you have completed the flushdns command, to confirm that the cache is indeed empty. The displaydns switch allows you to see the entries in the HOSTS file loaded into the cache. ipconfig /registerdns The /registerdns switch will renew a DHCP client’s lease and reregister the DNS client’s address information with a DNS server. This is sometimes helpful in “reminding” the DNS server of the DNS client’s addressing information. The ipconfig command has definitely been “souped up,” and you’ll find yourself using it even more now than you did in Windows NT 4.0.
Event Viewer The Windows 2000 Event Viewer has a dedicated container for DNS information. The Event Viewer can provide information on when zone transfers are taking place, if there was a problem with a zone transfer, when changes have taken place within the zone, or even if too many changes are happening in the zone.
Troubleshooting Window s 2000 DNS Problems • Chapter 7 383
Since the Event Viewer is easy to access and doesn’t require configuration changes on your part, it is often wise to start here first and see if it supplies any clues to what the problem might be.
Network Monitor The Network Monitor supplied with Windows 2000 Server products allows you to analyze packets coming into, and out of, the server running Network Monitor.
NOTE If you want a “full-fled ged ” version of Network Monitor that allows you to listen to all traffic on the segm ent, you can p urchase Microsoft System s Managem ent Server 2.0.
Network Monitor will allow you to identify problems with network communications, including malformed packets, jitter causing “garbage” packets, and details of the packets sent and received for DNS queries. Figure 7.29 displays the Network Monitor screen after a capture of DNS packets has been done. Figure 7.29 Cap ture of DNS p ackets in Microsoft Network Monitor.
384 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
Something to note when analyzing a DNS message is the message identifier, which is the first thing you see on the Description line. For example, look at frames 376 and 377. Each of those has at the beginning of the description line “0x174E,” which is the query identifier. You can use this number to track related queries and responses. If there is a packet of particular interest (for example, a failure message is returned by the server), you can select the frame in the top pane and then click the Edit menu and then Copy. Open Notepad or another text editor and paste the contents of the frame into the application. For example, after copying packet 377, we get this: 377 23.543854 LOCAL 0050DA62684E DNS 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. CONSTELLATION DAEDALUS IP Frame: Base frame properties Frame: Time of capture = 1/1/2000 11:48:18.587 Frame: Time delta from previous physical frame: 0 microseconds Frame: Frame number: 377 Frame: Total frame length: 108 bytes Frame: Capture frame length: 108 bytes Frame: Frame data: Number of data bytes remaining = 108 (0x006C) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 0050DA62684E ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 0050DA0DF52D ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 108 (0x006C) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 94 (0x005E) IP: ID = 0x6A65; Proto = UDP; Len: 94 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Precedence = Routine IP: Type of Service = Normal Service IP: Total Length = 94 (0x5E) IP: Identification = 27237 (0x6A65) IP: Flags Summary = 0 (0x0) IP: .......0 = Last fragment in datagram IP: ......0. = May fragment datagram if necessary IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
Troubleshooting Window s 2000 DNS Problems • Chapter 7 385
IP: Protocol = UDP - User Datagram IP: Checksum = 0x4C1D IP: Source Address = 192.168.1.185 IP: Destination Address = 192.168.1.3 IP: Data: Number of data bytes remaining = 74 (0x004A) UDP: Src Port: DNS, (53); Dst Port: Unknown (1068); Length = 74 (0x4A) UDP: Source Port = DNS UDP: Destination Port = 0x042C UDP: Total length = 74 (0x4A) bytes UDP: UDP Checksum = 0x23D4 UDP: Data: Number of data bytes remaining = 66 (0x0042) DNS: 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. DNS: Query Identifier = 5966 (0x174E) DNS: DNS Flags = Response, OpCode - Std Qry, RD RA Bits Set, RCode - No error DNS: 1............... = Response DNS: .0000........... = Standard Query DNS: .....0.......... = Server not authority for domain DNS: ......0......... = Message complete DNS: .......1........ = Recursive query desired DNS: ........1....... = Recursive queries supported by server DNS: .........000.... = Reserved DNS: ............0000 = No error DNS: Question Entry Count = 1 (0x1) DNS: Answer Entry Count = 2 (0x2) DNS: Name Server Count = 0 (0x0) DNS: Additional Records Count = 0 (0x0) DNS: Question Section: www.dallasnews.com. of type Host Addr on class INET addr. DNS: Question Name: www.dallasnews.com. DNS: Question Type = Host Address DNS: Question Class = Internet address class DNS: Answer section: www.dallasnews.com. of type Canonical name on class INET addr.(2 records present) DNS: Resource Record: www.dallasnews.com. of type Canonical name on class INET addr. DNS: Resource Name: www.dallasnews.com. DNS: Resource Type = Canonical name for alias DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 2 (0x2) DNS: Owner primary name: dallasnews.com.
386 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
DNS: Resource Record: dallasnews.com. of type Host Addr on class INET addr. DNS: Resource Name: dallasnews.com. DNS: Resource Type = Host Address DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 4 (0x4) DNS: IP address = 207.238.232.133 00000: 00 50 DA 62 68 4E 00 50 DA 0D F5 2D 08 00 45 00 .PÚbhN.PÚ.õ-..E. 00010: 00 5E 6A 65 00 00 80 11 4C 1D C0 A8 01 B9 C0 A8 .^je.. .L.À¨.?À¨ 00020: 01 03 00 35 04 2C 00 4A 23 D4 17 4E 81 80 00 01 ...5.,.J#Ô.N∞ .. 00030: 00 02 00 00 00 00 03 77 77 77 0A 64 61 6C 6C 61 .......www.dalla 00040: 73 6E 65 77 73 03 63 6F 6D 00 00 01 00 01 C0 0C snews.com.....À. 00050: 00 05 00 01 00 00 28 FD 00 02 C0 10 C0 30 00 01 ......(?..À.À0.. 00060: 00 01 00 00 28 FD 00 04 CF EE E8 85
....(?..Ïîè…
You get all the details of Ethernet, IP, and UDP protocols, and it allows you to find any anomalies that are present. See Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for more details on how to use Network Monitor and how to create network captures with capture and display filters.
DNS Trace Logs If you want to get really “down and dirty” and know everything the DNS server has been doing, you can enable trace logging on the DNS server. A trace log reports in detail about the queries the server has processed. While you can get similar information from doing nslookup queries, you are only aware of the questions and answers you send when performing those. A trace log will track queries received and answered by the DNS server. To enable trace logging, right-click the server name in the DNS management console and click Properties. Click the Logging tab, and you will see a dialog box similar to that in Figure 7.30.
WARNING Trace logging can b e a very p rocessor- and d isk-intensive p roced ure, so b e jud icious in your use of this feature.
The logs are stored in a plain text file located at: %system_root%\system32\dns\dns.log
Troubleshooting Window s 2000 DNS Problems • Chapter 7 387
Figure 7.30 Configuring trace logging for the DNS server.
We have had some difficulty getting reliable trace logging for the Query, Questions, and Answers options. Hopefully, this bug will be fixed by the time the final release product becomes available.
Perform ance The Windows 2000 DNS server includes a large number of counters you can use to monitor the behavior and performance of your DNS server. Many new counters have been added to the Windows 2000 DNS Object counter list. Table 7.2 lists these counters and their functions. The Performance Monitoring tool gives you comprehensive monitoring capabilities of you DNS server. For more information on how to use the Performance management console, see Chapter 5. Table 7.2 DNS Perform ance Counters
Counter
Description
AXFR Req uest Received
Total full zone transfer req uests received b y the Master DNS server Total full zone transfer req uests sent b y the Second ary DNS server
AXFR Req uest Sent
388 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
Counter
Description
AXFR Req uest Received
Total full zone transfer req uests received b y the Master DNS server AXFR Req uest Sent Total full zone transfer req uests sent b y the Second ary DNS server AXFR Resp onse Total full zone transfer resp onses received b y the Received Second ary DNS server AXFR Success Received Total successful full zone transfers received b y the Second ary DNS server AXFR Success Sent Total successful full zone transfers of the Master DNS server Caching Mem ory Total am ount of caching m em ory used b y the DNS server Datab ase Nod e Mem ory Total d atab ase nod e m em ory used b y the DNS server Dynam ic Up d ate Total num b er No-op eration/em p ty d ynam ic up d ate NoOp eration req uests received b y the DNS server Dynam ic Up d ate Rate at which No-op eration/em p ty d ynam ic NoOp eration/sec up d ate req uests are received b y the DNS server Dynam ic Up d ate Total d ynam ic up d ates that are q ueued b y the Queued DNS server Dynam ic Up d ate Received Dynam ic Up d ate Received /sec Dynam ic Up d ate Rejected Dynam ic Up d ate Tim eOuts Dynam ic Up d ate Written to Datab ase Dynam ic Up d ate Written to Datab ase/sec IXFR Req uest Received IXFR Req uest Sent IXFR Resp onse Received
Total d ynam ic up d ate req uests that are received b y the DNS server Rate at which d ynam ic up d ate req uests are received b y the DNS server Total dynam ic updates rejected by the DNS server Total dynam ic update tim eouts of the DNS server Total d ynam ic up d ates written to the d atab ase b y the DNS server Rate at which d ynam ic up d ates are written to the d atab ase b y the DNS server Total of increm ental zone transfer req uests received b y the Master DNS server Total of increm ental zone transfer req uests sent b y the Second ary DNS server. Total increm ental zone transfer resp onses received b y the Second ary DNS server Continued
Troubleshooting Window s 2000 DNS Problems • Chapter 7 389
Counter
Description
IXFR Success Received
Total successful increm ental zone transfers received b y the Second ary DNS server Total successful increm ental zone transfers of the Master DNS server Total successful TCP increm ental zone transfers received b y the Second ary DNS server Total successful UDP increm ental zone transfers received b y the Second ary DNS server Total Nb stat m em ory used b y the DNS server Total notifies received b y the Second ary DNS server
IXFR Success Sent IXFR TCP Success Received IXFR UDP Success Received Nb stat Mem ory Notify Received Record Flow Mem ory Recursive Queries Recursive Queries/sec Recursive Query Failure
Total record flow m em ory used by the DNS server Total recursive queries received by the DNS server Rate at which recursive q ueries are received b y the DNS server Total of recursive q uery failures
Recursive Query Failure/sec
Rate of recursive q uery failures
Recursive Send Tim eOuts Recursive Tim eOut/sec Secure Up d ate Failure Secure Up d ate Received
Total of recursive q uery send ing tim eouts
Rate recursive q uery send ing tim eouts Total secure up d ate failures of the DNS server Total secure up d ate req uests received b y the DNS server Secure Up d ate Rate at which secure up d ate req uests are received Received /sec b y the DNS server TCP Message Mem ory Total TCP m essage m em ory used b y the DNS server TCP Query Received Total TCP q ueries received b y the DNS server TCP Query Received /sec Rate TCP q ueries are received b y the DNS server TCP Resp onse Sent Total TCP resp onses sent b y the DNS server TCP Resp onse Sent/sec Rate TCP resp onses are sent b y the DNS server Total Query Received Total q ueries received b y the DNS server Total Query Received /sec Rate at which q ueries are received b y the DNS server Total Resp onse Sent Total Resp onses sent b y the DNS Server Total Resp onse Sent/sec Rate at which responses are sent by the DNS server Continued
390 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
Counter
Description
UDP Message Mem ory
Total UDP m essage m em ory used b y the DNS server UDP Query Received Total UDP q ueries received b y the DNS server UDP Query Received /sec Rate UDP queries are received by the DNS server UDP Resp onse Sent Total UDP resp onses sent b y the DNS server UDP Resp onse Sent/sec Rate at which UDP resp onses are sent b y the DNS server WINS Lookup Received Total WINS lookup req uests received b y the DNS server WINS Lookup Rate at which WINS lookup req uests are received Received /sec b y the DNS server WINS Resp onse Sent Total WINS lookup resp onses sent b y the DNS server WINS Resp onse Sent/sec Rate at which WINS lookup resp onses are sent b y the server WINS Reverse Lookup Received WINS Reverse Lookup Received /sec
Total WINS reverse lookup req uests received b y the DNS server Rate at which WINS reverse lookup req uests are received b y the DNS server
WINS Reverse Sent WINS Reverse Sent/sec Zone Transfer Zone Transfer Received Zone Transfer Req uest Sent
Total WINS reverse lookup resp onses sent b y the DNS server Rate at which WINS reverse lookup resp onses are sent b y the server Total failed zone transfers of the Master DNS server Total zone transfer req uests received b y the Master DNS server Total zone transfer Start of Authority (SOA) req uests sent b y the second ary DNS server
Resp onse Resp onse Failure Req uest SOA
Summary The Microsoft Windows 2000 DNS is a standards-based Domain Name System server that represents a tremendous forward stride over the DNS server provided with Windows NT 4.0. With DNS becoming the mechanism for authentication for Windows 2000 networks, DNS no longer is the “add-on” product it was considered as in Windows NT 4.0 networks. Applications written to the NetBIOS interface use the destination NetBIOS name as the endpoint of network communication. WinSock
Troubleshooting Window s 2000 DNS Problems • Chapter 7 391
applications, which were written specifically for the TCP/IP protocol, are not dependent on computer names, and use the destination IP address as the endpoint of communication. NetBIOS applications require a mechanism to allow NetBIOS names to be translated to IP addresses in order to work on TCP/IP-based networks. NetBIOS name resolution is the process of translating NetBIOS names to IP addresses that can be passed down the TCP/IP protocol stack for network communications between two NetBIOS applications. WinSock applications do not rely on computer names, and only require the destination machine’s IP address to establish a session with the destination host. However, people find it a lot easier to remember names, rather than IP addresses. Therefore, a system of naming machines on a TCP/IP network was developed to aid our failing memories. The Domain Name System was developed in order to accommodate a world-wide network of computers where there was little central authority of the naming of the machines participating on the Internet. The Domain Naming System is a hierarchical name system, which allows a multiplicity of computers throughout the world to have the same computer name, as long as those computers belong to different domains. The Domain concept allowed for distribution of responsibility over who will maintain the world-wide database of host names and IP addresses associated with those host names. The only centralized aspects of the naming system are in the maintenance of the root, top, and second-level domains on the Internet. Maintaining the DNS database below these levels is the responsibility of the administrators for each individual domain. The Windows 2000 DNS server allows you to keep a database of host names and IP addresses. The Windows 2000 DNS also allows for the dynamic update of host names and IP addresses in a manner very similar to how WINS servers function. Dynamic DNS is a new feature in the Windows 2000 DNS server and was not available in the Windows NT 4.0 DNS server. DNS clients can resolve a host name to an IP address in several ways. The DNS client service features a caching resolver, which keeps a list of recently resolved host names and IP addresses. If a sought-after mapping is not in the resolver cache, the DNS clients will query a DNS server. If the DNS cannot resolve the host name, the DNS client will go through the NetBIOS name resolution sequence and attempt to resolve the name by using WINS server, broadcasts, or LMHOSTS files. When a DNS client needs to resolve a host name to an IP address, it will query a DNS server. DNS servers themselves can be DNS clients. There are two basic types of queries: recursive and iterative. When a DNS client requests recursion, it is essentially putting the responsibility on the
392 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
DNS server to take over the job of resolving a host name to an IP address. The DNS client that requests recursion expects a definitive answer, and will not accept referrals to other machines that may help it resolve a query. An iterative query is issued when a DNS server attempts to complete recursion for the DNS client. It will issue iterative queries and accept referrals from other DNS servers that point it to the DNS server that can resolve the request. A fully qualified domain name (FQDN) includes the host name, which lies to the left of the leftmost period in an FQDN, and the host’s domain membership. A fully qualified query must end with a period, although most applications will automatically include the period before sending it out for resolution. If the request is not fully qualified, the DNS request is known as an “unqualified” request. The DNS client service must formulate a query based on an FQDN. By default, the domain membership of the machine issuing the query will be appended to the request. A list of other domain suffixes can be configured to be appended to unqualified requests, if you choose to create one. When an organization has an intranet and a presence on the Internet, you must choose whether you will use the same domain name on both. The advantage of using the same domain name is that it is easier on users in terms of remembering the names of clients, and they don’t have to worry if the corporate resource is on the intranet or the Internet. The drawback is that you will have to mirror your servers internally, and DNS clients will not access external corporate host resources. It is typically easier to use different domain names for intranet and Internet resources. You do not need to mirror servers, and there is no chance for confusion as to what is an internal resource and what is an external resource. The Internet domain name must be registered, but it is optional whether you register the intranet domain name. It is a good idea to register the internal domain name to prevent confusion. You would not want your boss to try to show off some intranet resource from his home (by mistake) using the internal domain name, and have some competitor’s site show up instead! While domains represent a conceptual framework, the actual domains and hosts are contained in files called zone files. Zone files are database files that contain resource records, which track the resources contained in a domain. The Windows 2000 DNS server supports standard and Active Directory integrated zones. Standard zones are characterized by having a single Primary DNS server, and multiple Secondary DNS servers. The Primary DNS server has the only read/write copy of the zone database, and this database is copied to Secondary DNS servers. Secondary DNS servers provide for fault tolerance, load balancing, and faster lookups for local hosts.
Troubleshooting Window s 2000 DNS Problems • Chapter 7 393
Standard zones are copied from Primary to Secondary DNS server via a process called zone transfer. Zone transfer is a pull operation, where the Secondary DNS server requests from the Primary the zone database if there are any updates. The Windows 2000 DNS server supports both the AXFR and the IXFR zone request. Downlevel DNS servers, such as the Windows NT 4.0 DNS server, can only send an AXFR query for zone transfer; therefore, whenever a change takes place in a zone, the entire zone file is sent to the Secondary. The Windows 2000 DNS server supports the IXFR, which allows for incremental zone transfers. The incremental transport only sends records that have changed since the previous zone transfer. A reverse lookup zone allows DNS clients to issue reverse queries. A reverse query is when the IP address is sent to the DNS server for resolution to a host name. The reverse lookup zone is useful when you have security and diagnostic software that depends on reverse lookups. Although the reverse lookup zone is not required, it will help you avoid certain error messages when you create a new zone. Active Directory integrated zones offer several advantages over standard zones. The Active Directory integrated zone has multiple masters, and each domain controller becomes a Primary DNS server. You do not have to worry about maintaining separate Active Directory and DNS replication topologies. Active Directory integrated zones allow for per-property zone transfer, rather than having to send the entire record, which saves bandwidth. Active Directory integrated zones allow for secure dynamic updates. A delegation is a means to assign responsibility or “authority” to a machine for a zone. Secondary DNS server have a copy of the zone database file, and therefore are able to deliver authoritative answers based on the contents of the zone files they contain. You create NS records on DNS servers to indicate to clients the host name of a server that is authoritative for a particular zone. You want your DNS servers to avoid contact with DNS servers over the Internet to prevent hackers from intercepting DNS communications and potentially damaging your network. One popular way to do this is by using a combination of slave and forwarder DNS servers. A slave DNS server does not perform recursion, and sends all DNS queries for zones that it is not authoritative for to another DNS server, called a forwarder. The forwarder is typically a caching-only DNS server and does not contain any zone database files. The forwarder performs recursion for the slave DNS server and returns to the slave the results of its queries, which the slave in turn returns to the DNS client that made the initial request. While the Windows 2000 DNS server is standards based, there are some interoperability issues. If you have existing BIND DNS servers on
394 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
your network, they will not support zone transfer for WINS and WINS-R records. They also do not support the fast transfer method of zone transfer where several records can be included in a single packet. You can easily upgrade your BIND servers to Windows 2000 DNS by transferring the BIND zone over to the Windows 2000 server and then changing it to a Primary zone. There are a number of tools you can use to investigate problems with your DNS server. These tools include nslookup, a new and improve version of ipconfig that allows you to view and clear the local DNS cache, Event Viewer, Network Monitor, trace logging, and a supercharged Performance Monitor that includes many new counters to allow you to get a fine bead on the health and performance of your DNS server.
FAQs Q: Do my NT and Win9x clients have to be upgraded to Windows 2000 to have their address information automatically entered into a Windows 2000 DNS server? A: You do not need to upgrade your downlevel clients—including Windows NT Workstation, Windows NT Servers, and Win 9x clients—in order to have their addresses added automatically to the Dynamic DNS zone database files. However, since these clients cannot update their own records, you will need to make your downlevel clients Windows 2000 DHCP clients. The Windows 2000 DHCP server will act as a “proxy” and update address information for them on the DDNS server. Q: I keep getting error messages when I use the nslookup command on my new DNS installation. Is there anything I can do to fix this? A: The most common reason for receiving this kind of message, after ensuring that you’ve done everything else correctly, is the absence of a reverse lookup zone. Create a reverse lookup zone for the network ID that the DNS server belongs to. Then, create an A Host resource record for that DNS server. Check to see if a pointer record was created for the DNS server after you create the host record. If one was not created, make one manually. This should correct problems you have with error messages related to “DNS server not found.” Q: What is a CNAME record? How can I use it in my organization?
Troubleshooting Window s 2000 DNS Problems • Chapter 7 395
A: The CNAME resource record allows you to create aliases for a machine that already has an A Host resource record in the DNS database. For example, you already have a machine by the name of bigboy .mydomain.com. You want to run Web services and FTP services on that machine, and you want DNS queries for www.mydomain.com and ftp.mydomain.com to resolve to the same IP address that is owned by bigboy in the DNS database. To do this, you create CNAME records for www and ftp that point to bigboy. Be sure that whenever you create a CNAME record, it points to a machine that already has a host addresses record; otherwise, it won’t work. Q: What is that DNSUpdateProxy Group for again? A: You are referring to the DNSUpdateProxy Group. The DNSUpdateProxy Group allows a DHCP server to make entries in the DNS zone database files without becoming the owner of those entries in the zone database. This solves the problems you might encounter if a particular DHCP server registers entries in the zone database and then goes offline. Since the offline DHCP server owns the record, neither a backup DHCP server nor the client itself will be able to update the record if the zone has secure dynamic updates enabled. The solution is to make the DHCP server a member of the DNSUpdateProxy Group, so it will be able to create entries without “security” information attached to them. The next machine to “touch” the record (for example, if the host itself, or another DHCP server that is not a member of the DNSUpdateProxy Group, tries to update the record) will become the owner of the DNS zone database entry. The drawback is that there is no security; therefore, any machine claiming a particular name can update the record after it is created by the DHCP server that is a member of the DNSUpdateProxy Group. Never install DHCP services on a domain controller if you choose this solution. Q: My NT 4.0 DNS server doesn’t let me add SRV records. What’s wrong? A: The Windows NT 4.0 DNS server that comes “out of the box” with NT does not support SRV records. If you want your NT DNS server to able to participate in the domain locator services, you must update it to Service Pack 4 or later, and then manually enter the SRV resource records that are contained in the domain controller’s netlogon.dns file. Q: What’s the cache.dns file for? Where can I get a new one?
396 Chapter 7 • Troubleshooting Window s 2000 DNS Problems
A: The cache.dns file contains what are sometimes called root hints. The file has the names and IP addresses of the root DNS servers, which are used when iterative queries are issued to resolve Internet host names. To get the latest version of this file, go to ftp://ftp.rs.internic.net/domain/named.root. Note that when you check that site out, you’ll find that they don’t update the file very frequently. The last update was August 27, 1997. Q: I want to upgrade my BIND server to Windows 2000, but I don’t want to lose my zone database files. Is there an easy way to do this? A: The easiest way to do this is to create the same zone on an existing Windows 2000 DNS server. Make the zone a secondary zone, and initiate a zone transfer from the BIND DNS server. Change the zone type to a Primary zone by right-clicking the zone and clicking CHANGE beside the word “Type.” Take down the BIND server and upgrade it to Windows 2000. After the upgrade, create the same zone on the new Windows 2000 DNS server, and make it a secondary zone. Initiate a zone transfer from the previous DNS server. Now change the zone type to Primary on the new DNS server, and to Secondary on the old one. Q: I’m running a DNS server using standard zones. My Primary DNS server died about 36 hours ago. My users cannot get answers to their DNS queries! I thought the Secondary DNS servers would add fault tolerance to my host name resolution system. Why didn’t they? A: This is probably because the Secondary DNS servers are no longer answering queries for the zone. If a Secondary DNS server cannot contact a Primary DNS server from which it receives zone transfers, for over the period of time defined in the “Expires by” text box in the SOA Record, it will no longer answer queries for that zone. One solution to this problem is to change the zone type to a Primary zone and configure delegations on the new Primary DNS server for all of your Secondaries.
Chapter 8
Troubleshooting Window s 2000 IP Addressing Problems
Solut ions in t his chap t er: ■
Subnetting Problems
■
DHCP Configuration Problems
■
APIPA
397
398 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Introduction One of TCP/IP’s great strengths, and a primary reason that it has become the standard for large networks, including the Internet, is its scalable addressing scheme that can accommodate networks of all sizes. In Chapter 1, “TCP/IP Overview,” we discussed some of the limitations of the current IP addressing system, called IPv4, which uses 32-bit addresses, unique to every network interface, to specify the network and individual host identification. Although IPv6 is expected to solve the anticipated problem of running out of unique addresses at some point in the near future, it’s safe to say the addressing scheme will be around for some time to come. Many problems with TCP/IP connectivity turn out to be IP addressing problems. Although manually assigning IP addresses to each computer increases the likelihood of human error (mistyping or transposing numbers, forgetting that an address has already been assigned and assigning it to a second machine, etc.), using the Dynamic Host Configuration Protocol (DHCP) or allowing Automatic Private IP Addressing (APIPA) to assign addresses on your network will not absolutely guarantee troublefree address assignment. Configuration problems can cause address conflicts to occur with the automatic addressing services, too. In this chapter, we will briefly recap how IP addressing works and what distinguishes the Internetwork-layer IP address from the physical address (which actually is addressed at the Data Link layer of the OSI model). We will take a look at the practice of assigning addresses manually, and discuss when this is appropriate, as well as common problems that arise. Then we will discuss the automatic addressing services, DHCP and APIPA (the latter is new to Windows 98 and Windows 2000). We’ll examine some of the configuration problems that are commonly encountered when utilizing these services. We will discuss how the IP address is used in the process of network communication, and we’ll look at the differences between private and public addresses and how not knowing when to use which can cause a network administrator a world of headaches. Finally, we will address some specific troubleshooting scenarios, including those involving duplicate IP addresses, those that stem from using invalid addresses, the most common DHCP configuration problems, APIPA and Internet Connection Sharing (ICS), and how to troubleshoot IP subnetting problems.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 399
How IP Ad d ressing Works Under the current IP addressing system, IPv4, there are “only” a little over 4 billion possible IP addresses (4,294,967,296 or 232 for those who like to be precise). In the beginning (the early 1980s), this seemed to be more than enough for the foreseeable future. At that time, when IP specifications became standardized, a two-level hierarchical addressing structure was imposed, consisting of the network ID (sometimes called the network prefix) and the Host ID. Networks were divided into “classes” A, B, and C (as well as D and E, but these two were not allocated to networks but rather reserved for special purposes). This is referred to as “classful” addressing. A newer method of identifying networks via an “IP prefix” is called Classless Inter-Domain Routing (CIDR), which we discussed briefly in Chapter 4, “Windows 2000 TCP/IP Internals.” Instead of designating networks as class A, B, or C, a network is referred to as a /16, /24, etc. depending on the number of bits used for the network ID portion of the address.
Logical IP Addresses versus Physical M AC Addresses The IP address is a “logical” address, assigned by the network administrator. It bears no direct relation to the network interface card’s (NIC) “physical” address (often referred to as the MAC address because it is used at the Media Access Control sublayer of the OSI’s Data Link layer). Changing a computer’s (or more precisely, an individual NIC’s) IP address is a software function. If you have administrative privileges, it’s as simple as clicking the mouse a few times to open the proper dialog box and typing in a new number (the hardest part is knowing what number to type in). The MAC address, on the other hand, is hard-coded into the chip on the network card in the typical Ethernet network. Some network cards provide for a way to change the MAC address via jumper settings or software configuration, but this is not usual and you are limited to only a few possible settings. An Ethernet MAC address is a 48-bit number represented in hexadecimal, so it will look something like this: 00-80-C8-6A-FA-00. You can find out the physical address of your Ethernet card by typing ipconfig /all at the command line, which will give you the information shown in Figure 8.1.
400 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Figure 8.1 Determ ining your network card ’s p hysical (MAC) ad d ress using the ip config com m and .
As you can see in the screenshot, the IP and MAC addresses are in two very different formats and have no logical relationship to one another. The Address Resolution Protocol (ARP), discussed in Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level,” is responsible for “keeping tabs” on which IP addresses match up with which physical addresses, and relaying that information so computers can communicate at the physical (network interface) level.
What an IP Address Represents In order to communicate over the network using the TCP/IP protocols, a computer must have an IP address that is unique on that network. A network administrator can manually assign the IP address, or it can be automatically assigned by an addressing service such as DHCP, APIPA, or ICS autoaddressing. In any event, there will be no IP communication without an address. If you don’t know what IP address is being used, you can find that information the same way you accessed the physical address, using the ipconfig command. In fact, the /all switch is not necessary to display the IP address, as shown in Figure 8.2. The IP address is usually represented as shown, in “dotted decimal” (also called “dotted quad”) notation with four sections, called octets, separated by dots. This decimal notation is merely a “user friendly” way to express the binary number used by the computers to communicate. The octets are called that because each represents eight binary digits.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 401
Figure 8.2 Determ ining the com p uter’s IP ad d ress using the ip config com m and .
The Language of 1s and 0s For a true understanding of IP addressing, subnetting, supernetting, and related topics, it is essential that you learn to work with the underlying binary. Although the base two numbering system, into which all data is converted by the machines, may seem confusing and a little frightening at first, it is actually pretty simple, and it will save you many hours of pulling out your hair as you try to make sense of the decimal representations (which, taken alone, don’t make sense). Let’s look at how IP addresses look at the binary level and maybe we’ll take some of the mystery out of “machine language” while we’re at it. The IP address shown in Figure 8.2 in dotted decimal, 192.168.1.185, really represents the following binary number: 11000000.10101000.00000001.10111001
If you look closely, you’ll see that this number is indeed made up of four groups of eight binary digits. But how do you know that 192 in decimal equals 11000000 in binary? Well, there are a couple of ways to find out. The easy way to convert decimal to binary, or vice versa, is to use the Windows calculator in scientific mode (choose Scientific from the View menu). Just check the “dec” radio button and enter the number in decimal, then click on the “bin” radio button and tada! As if by magic, you have the binary equivalent (see Figure 8.3). That’s the easiest way and the fastest way, but not necessarily the best way. If you don’t really understand how binary is converted to decimal, you may be confused by the calculator’s results. For instance, when you convert the decimal 1 to binary, the result is 1. You know that an octet has eight digits, but the calculator only displays one. Do you put seven 0s before or after the 1? If you know how to do the conversion manually, it’s obvious.
402 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Figure 8.3 Using the Wind ows calculator in scientific m od e to convert d ecim al to b inary.
Here’s how to convert a binary octet to decimal without a calculator: We have eight binary digits, and each of them represents a decimal value, beginning with the rightmost digit and working our way back to the leftmost.
NOTE The rightm ost d igits are som etim es referred to as the low ord er b its, and the leftm ost as the high ord er b its.
Each bit that is “turned on” (that is, shows a 1 instead of a 0) represents the value of that bit as shown in Figure 8.4. As you can see, the value increases by a power of 2 as you move from right to left. A bit that is “off” (represented by a 0) counts as 0. All we have to do then is add up the values of the bits that are “on.” Figure 8.4 Calculating the value of each b inary d igit in an octet. Bits
1
1
1
1
1
128
64
32
16
8
Values
1 4
1 2
1 1
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 403
Using this simple formula, to convert an octet in binary form, such as 10111001, to decimal, we start at the right and look at which digits are on. We see that the bits represented by 1s have decimal values of 1, 8, 16, 32, and 128. If we add up those values, we get a total of 185 for the octet, which matches the value we get when we use the scientific calculator to convert 10111001 to decimal. Another way of seeing how this is done when you’re first learning how to convert to binary is to “line” up the numbers in three columns like this: 128x1= 128 64x0= 0 32x1= 32 16x1= 16 8x1= 8 4x0= 0 2x0= 0 1x1= 1
Then add up the number in the last column, which in this case is 185. If all bits in an octet are “off,” the decimal value is 0, and if all are “on,” the value (total of 1, 2, 4, 8, 16, 32, 64, and 128) is 255.
Subnet M asking An IP address is divided into two parts: a designated number of bits on the left represent the network identification, and the bits to the right of that represent the host identification. Most network administrators are familiar with the purpose of the subnet mask, a 32-bit binary number (usually represented in “dotted decimal” like the IP address) that indicates which portion of an IP address identifies the network and which part identifies the individual host computer. Most also know the default subnet masks, shown in Table 8.1. Table 8.1 Default Sub net Masks Address Class
Default Subnet M ask (Decimal)
Default Subnet M ask (Binary)
Class A
255.0.0.0
11111111 00000000 00000000 00000000
Class B
255.255.0.0
11111111 11111111 00000000 00000000
Class C
255.255.255.0
11111111 11111111 11111111 00000000
These are called the default masks because they apply to networks that have not been subnetted (the dividing of one network into additional
404 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
subnetworks) or supernetted (combining of several class C networks into a single logical network). This means the subnet mask of 255.255.0.0 when applied to a class B network indicates an unsubnetted network. However, the same mask of 255.255.0.0, if applied to a class A network, would be a subnetted network. (In the next section, we will show you how to determine the address class).
NOTE It is im p ortant to rem em b er that a sub net m ask b y itself has no class—it m ust b e com b ined with a network ID to have m eaning. That is b ecause of the p ractices of variab le sub netting and sup ernetting, which will b e d iscussed in som e d etail in the section Troubleshooting Subnetting Problems.
Understanding the default masks is simple. Those octets designated by 255 (all 1s in binary), represent the network ID, and those that are 0s (also 0 in binary) represent host computers. In binary, a class C default subnet mask would like this: 11111111 11111111 11111111 00000000
Remember that all computers on the same network (subnet) must have the same network ID, and that no two computers on the same network can have the same Host ID. To understand variable length subnet masks, which indicate that the network is divided into subnets, you must once again go to the binary or you will probably end up hopelessly confused. Variable length subnet masks are created by “stealing” (or borrowing, if you don’t like the connotation of the other) bits from the portion of the IP address normally used for the Host ID and using them for the network (or subnet) ID. For instance, if you borrow four bits from the host portion of a class C network address, your subnet mask will look like this: 11111111 11111111 11111111 11110000 or, in d ecim al: 255 255 255 240
This technique allows us to divide our class C network into 16 subnets with 14 hosts on each subnet, using the following formulae: Number of subnets = 2x, where x = the number of bits borrowed from the Host ID. Number of hosts = 2x – 2, where x = the number of unmasked Host ID bits remaining.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 405
NOTE The form ula given for d eterm ining num b er of sub nets assum es that using all 0s and all 1s for the Sub net ID is allowed . RFC 1878 sp ecifications allow for sub nets using all 0s and all 1s, although Microsoft generally recom m end s against it and som e routers will not sup p ort it. If you wish to follow the m ore conservative p olicy of d isallowing all 0s and all 1s, the p reced ing exam p le would result in 14 sub nets with 14 hosts each.
Subnetting and using variable length subnet masks will be discussed in detail in the section Troubleshooting Subnetting Problems later in this chapter.
Determining Address Class Never try to use the subnet mask, as networking “rookies” sometimes do, to reliably determine which class of network you’re dealing with. Although 255.255.255.0 is the default class C mask, it could also be used on a subnetted class B network. Instead, the network classes are identified by the “high order” bits, or the leftmost bits in the binary notation. In simple English, this means you can tell the class of a network by its first octet. Let’s look at that idea in relation to each of the network classes.
Class A Ad d resses: 1–126 If we look at the class A default subnet mask, 255.0.0.0, we see that only one octet is being used to identify the network, and the remaining three are used for hosts. This means there are over 16 million possible Host IDs per class A network, which is a tremendous number of computers. The downside is that this leaves only 128 values left for the network ID (two of which are reserved for other purposes), so the number of class A networks is severely limited. In fact, the class A network IDs were all used up long ago. They are assigned to the largest networks, such as IBM. A class A address, like a huge gorilla lumbering down the street, is easy to recognize. Class A addresses always have the first (leftmost) bit set to 0. When you convert this to decimal notation, it means the first octet in a class A address will fall into the range of 0 to 127. Since 0 is not used as a network ID and 127 is assigned as a “loopback” address (which we will discuss in the section Troubleshooting Subnetting Problems later in this chapter), that leaves only 126 actual network addresses.
406 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
NOTE The ad d ress range for class A is 1.0.0.0 to 126.255.255.255.
Class B Ad d resses: 128–191 Class B addresses are the “middle siblings.” You can see from the default mask of 255.255.0.0 that they use about half the bits for the network ID and the other half for Host IDs. Thus, there are many more possible class B networks than class A, over 16,000. On the other hand, each is limited to far fewer hosts: about 65,000. Class B networks are large, but not of the colossal proportions that mark a class A. Microsoft’s network is an example of a class B network. Class B networks are identified by their two high order bits, which are always “10” in the W octet. Again translating this to decimal, since that’s the way we normally express IP addresses, this puts the first octet of a class B address in the 128 to 191 range.
NOTE The ad d ress range for class B is 128.0.0.0 to 191.255.255.255.
Class C Ad d resses: 192–223 Class C addresses are assigned to the “little guys.” Compared to a class A, these networks seem tiny; each can have only 254 host computers. This is because the first three octets are traditionally used to identify the network, and only the last, lone octet is available for Host IDs. Ah, but that also means there are lots more class C network addresses to go around: more than 2 million. Class C networks are assigned to small companies or, more recently, are assigned to Internet Service Providers (ISPs), who then sell blocks of addresses to other organizations. Class C addresses have the three high-order bits in the “W” octet set to 110 in binary, which is represented as 192 to 223 for the first octet in decimal.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 407
NOTE The ad d ress range for class C is 192.0.0.0 to 223.255.255.255.
Class D Ad d resses: 224–239 Following the logical progression we started earlier, you would think class D addresses would be for tiny little networks, of which there could be gazillions. But it doesn’t quite work that way, and if you think about it, you’ll see that the only subnet mask left for a class D network would be 255.255.255.255. Hmmm . . . that indicates that all the bits would be used for the network ID, leaving none at all for the host. Thus a class D network could have no computers on it. It would be a little difficult to run a network like that, wouldn’t it? Maybe that’s why the Powers That Be, in designating the address classes, decided to do something different with class D addresses. Class D addresses are used for multicast groups. Earlier in the book, we discussed Windows 2000’s support for multicasting, the sending of a message to multiple computers using only one IP address that represents the entire group. That group address comes from the class D range, in which the four leftmost bits are set to 1110, making for a first octet in the 224 to 239 range.
NOTE See Chap ter 4 for m ore inform ation on how m ulticasting works.
Class E Ad d resses: 240–247 And you thought there were only three address classes? If you’ve never heard of class E IP addresses, there’s a good reason: They aren’t generally used for anything. Class E is actually designated as “reserved for future use,” although it’s likely that IPv6 and classless addressing will replace the present system, making the point moot. Class E is also often referred to as an “experimental” address class. This seems sensible; if someone is going to be out there conducting experiments on IP addresses, it certainly
408 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
seems preferable that he or she use an otherwise unused class of addresses rather than those on which the Internet and our private networks run. The class E address range has its five leftmost bits set to (you guessed it!) 11110, and its first octet will range from 240 to 247. And with that, we have covered all of the designated address classes. Now we’ll talk about how the network addresses are assigned, and why all of this “class stuff” will likely mean absolutely nothing in the not-too-distant future.
How Netw ork IDs Are Assigned The network ID designates either a logical or physical network, and that network ID must be unique on any internetwork to which the network is connected. Because most networks today are connected to the global Internet (or expect to be in the future), it is vital that there not be duplicate network numbers. This would result in confusion for the routers responsible for getting data packets to their destinations. This means there must be some world-wide authority given the responsibility for allocating unique network numbers for IP networks and ensuring that those IDs are valid and duplicates do not occur. The Internet Assigned Numbers Authority (IANA) oversees the management of the IP address spaces, which are allocated through NSI (Network Solutions, Inc., formerly referred to as InterNIC) and other authorized registrars.
NOTE A “stand -alone” network, which is not connected to the Internet or any other internetwork, can b e configured to use any network ID you choose. However, it is b est p ractice to use the so-called “p rivate” (or nonregistered ) network ad d resses, which are sp ecifically d esignated b y the IANA for that p urp ose. We d iscuss p rivate versus p ub lic ad d resses in the section IP Addressing Configuration Errors later in this chap ter.
Remember that once you have been assigned a network ID and block of IP addresses, you can also subnet your network to divide it into two or more in order to cut down on broadcast traffic, isolate geographically or politically separate parts of the network, and so forth.
How Host IDs Are Assigned w ithin the Netw ork Within the network, the administrator can assign IP addresses from the appropriate range to individual computers. This can be done on an individual basis (manual address assignment) or by entering a scope of
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 409
addresses into a DHCP server’s configuration. Alternately, Windows 2000 can use APIPA if no DHCP server is available or, if Internet Connection Sharing is being used, addresses can be assigned to the ICS client computers by the ICS host using autoaddressing.
Manual Ad d ress Assignm ent The most straightforward way to assign IP addresses to the computers on your network (but also the method most prone to error) is manual assignment. A specific address is typed directly into the IP address section of the TCP/IP properties box for the particular network connection. See Figure 8.5. Figure 8.5 Manually assigning an IP ad d ress in the Wind ows 2000 TCP/IP Prop erties b ox.
When you manually assign an address, you must also enter the correct subnet mask, and if the network is routed, the IP address of the default gateway (router or computer performing routing functions). Although manual addressing is more time consuming if you have more than a few computers, and it is easy to make errors in entering the data which could result in loss of connectivity or odd network behavior, there are sometimes good reasons to manually assign addresses. If there is no DHCP server on the network, then obviously the addresses will need to be assigned manually. There are also certain systems, such as domain controllers and DNS and WINS servers, that need to have static
410 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
addresses. You may wish to assign their addresses manually (although you could alternately assign reserved addresses to them in DHCP configuration). Finally, the DHCP server itself cannot be a DHCP client, so it will require a manually configured IP address.
DHCP The Dynamic Host Configuration Protocol (DHCP) can be a network administrator’s best friend—unless he or she fails to configure it properly, in which case it can be a source of nightmares. DHCP’s purpose is to assign IP addresses dynamically, as computers come onto the network. Each computer only has to be set up in TCP/IP properties to get an IP address (and other TCP/IP configuration information) from a DHCP server, and the service does the rest. This has several advantages: Time saved. Network administrators don’t have to tediously enter the IP address, subnet mask, DNS and WINS server addresses, and other information over and over for every machine on the network. Likewise, if the IP address for the network’s DNS server changes, the change does not have to be made on every machine; the change is made in the DHCP server’s configuration and the new address is automatically disseminated to client computers when they obtain an address. Better accuracy. The possibility of mistyping an address in one of the machines is eliminated. A scope of addresses is defined only once, on the DHCP server, and the server manages the addresses. There is no possibility of the server “forgetting” that a particular address was already assigned to another machine and duplicating the address. More efficient use of addresses. If the number of available addresses is limited, DHCP optimizes their use since it only “leases” the addresses to computers for a predetermined period of time, instead of assigning them permanently as with manual assignment. When a computer goes offline, its address can be released so that it can then be assigned to a different system. In Windows 2000, configuring a computer to obtain an address from a DHCP server is simple. In the TCP/IP properties box, simply check the radio button option to “Obtain an IP address automatically” as shown in Figure 8.6.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 411
Figure 8.6 Configuring a com p uter to ob tain an IP ad d ress from a DHCP server.
As you can see in Figure 8.6, you have several options. You can choose to have all IP addressing information assigned by the DHCP server, including the DNS server addresses, or you can manually assign a DNS server and have the other IP addressing information assigned automatically.
NOTE A new feature in Wind ows 2000 is the integration of DHCP with DNS. DHCP server and clients can now register with Dynam ic DNS for nam e resolution.
We will further examine how DHCP works in the section Automatic Addressing later in the chapter.
APIPA and ICS Autoad d ressing Two new services in Windows 2000, APIPA and ICS, also automatically assign IP addresses to computers under specific circumstances.
412 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Automatic Private IP Addressing
APIPA was included in Windows 2000 to make TCP/IP configuration easier and to help ensure that a computer would be able to communicate on a small (unsubnetted) TCP/IP network that does not have a DHCP server. In past versions of Microsoft’s operating systems, prior to the release of Windows 98 and then Windows 2000, if a computer did not have a manually entered address or an expired DHCP IP address lease and was not able to contact a DHCP server when it came online, it would not be able to join the TCP/IP network. With APIPA, the computer will first attempt to reach a DHCP server and negotiate a lease for an IP address. However, if this fails, it will then take the initiative and assign itself an address from the reserved APIPA range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0. This allows it to communicate on the network, using the APIPA address temporarily until a DHCP server can be reached. Internet Connection Sharing
ICS is another new feature in Windows 2000. ICS is used to allow multiple computers to access the Internet or another outside connection via a single public IP address. ICS is a part of Windows 2000 Network and Dialup Connections and can be enabled on a Windows 2000 Professional or Server computer that has a dial-up connection to the Internet, thereby allowing other computers on the local area network to share that connection. ICS works by means of Network Address Translation (NAT), which will be discussed in more detail in Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The ICS component that is of interest in the context of this chapter is the ability of the ICS host computer to automatically assign IP addresses to the ICS clients. When you enable ICS, the host machine that is sharing its connection will be configured with an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0. You may recognize this as an address from the range of class C addresses designated as private or nonregistered addresses by IANA. We will discuss private versus public addresses later in this chapter. The ICS computer also becomes a DHCP allocator. This role differs from that of a full-fledged DHCP server in that the computer does not have to be running a server operating system. A Windows 2000 Professional computer can share its connection and act as a DHCP allocator. The DHCP allocator has a predefined scope of IP addresses that it can hand out to the client computers sharing its Internet connection. These addresses fall into the private class C address range, the 192.168.0.0 network.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 413
Although these services generally function as intended, there are situations in which the automatic addressing can result in problems or conflicts, as we will discuss later in this chapter in the section IP Address Configuration Problems later in this chapter.
NOTE See Chap ter 9 for m ore inform ation on ICS and NAT.
Private versus Pub lic Ad d resses Public IP addresses are those addresses that are valid for connection to the Internet. These are also sometimes called “registered” addresses because they must be assigned by and registered with IANA/InterNIC. A public IP address, used for a direct connection to the Internet, must not be duplicated anywhere else on the public network. Without a proxy or NAT software, every computer on a LAN that needs to be connected to the Internet must have a separate public IP address. This is one of the reasons for the shortage of available IP addresses, which was a driving force in the development of inexpensive and easy-to-implement NAT solutions. With NAT, only one public IP is necessary (used by the computer with the direct connection to the Internet). However, the other computers on the LAN still must be assigned IP addresses to communicate with each other and with the NAT server via TCP/IP. This creates a need for some method of “recycling” IP addresses. Since local area networks behind the NAT (or proxy) computer will not be visible to the Internet, they don’t have to have unique addresses. In actuality, you could use any IP address range for your LAN. However, this could lead to problems if one of the computers did connect directly to the Internet and was using a public address already allocated to someone else. Thus IANA/InterNIC specified a range of network IDs in each address class that would never be used on the Internet. These addresses can be used safely by anyone on any private network (on computers not directly connected to the Internet). The reserved address ranges are shown in Table 8.2. The private address will not route through the Internet, so even if a computer from the private network had a direct physical link to the Internet, the address would not cause a conflict.
414 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Table 8.2 Private IP Ad d ress Ranges Private Address Class or Type
Range of Valid Private Addresses
Class C p rivate network
192.168.0.1 to 192.168.255.254
Class B p rivate network
172.16.0.1 to 172.31.255.254
Class A p rivate network
10.0.0.1 to 10.255.255.254
APIPA reserved ad d resses
169.254.0.1 to 169.254.255.254
Thousands of different organizations can use the very same addresses from this range on their internal networks. They do not have to be (in fact, cannot be) registered with any name/number authority. Proper use of private addresses can save a corporation a great deal of money, and preserves the diminishing pool of public addresses for assignment to ISPs. Using NAT/proxy services to provide Internet access to internal computers also provides additional security for the local network.
NOTE See RFC 1597 for m ore inform ation ab out the assignm ent of the p rivate network ad d resses.
How IP Addresses Are Used in Netw ork Communications Once IP addresses have been assigned to all computers on the network, the addresses are used to identify both the network (or subnet) and the individual host, in the same way your home address can be used to identify both the street you live on and the individual house. A computer across the office or across the world can send a packet intended for your computer, just as a friend down the street or in another country can mail a letter intended to reach your post office address. In the latter case, the postal service is responsible for delivering the letter to the correct house. IP, working at the Internetwork layer, is responsible for getting the packet to the right computer interface. When it arrives there, IP’s job is done just as the mail carrier’s duty has been fulfilled when the letter goes into your mailbox. Before the letter can be “processed” or the packet can perform its function, there is another step. In many cases, more than one person resides at the same
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 415
address and more than one application is using TCP/IP communications. Getting the letter to the intended recipient requires another designation, your name. Getting the packet to the right application also requires another designation, in this case a TCP or UDP port number. Just as the mail carrier hands off the responsibility for getting the letter to the right person in the house to whomever checks the mailbox, the Internetwork layer hands off the task of getting the packet to the right port to the Transport (host-to-host) layer. The data is then passed on up the protocol stack to the application (such as an e-mail client) that can use it.
A Map for the Mail Carrier Wait a minute. The preceding scenario sounds good, but there’s still something missing. How does the mail carrier know where “1539 Indigo Road” is physically located? The bad thing about street addresses (at least, from the perspective of the mail carrier) is the fact that they can change. Cities are always renaming a thoroughfare to honor some favorite son, or houses get renumbered to accommodate new construction when large plots of land are subdivided. Even if the addressing scheme in your town remains stable, a new mail carrier won’t necessarily know where Indigo Street is. That’s when it comes in handy to have a map.
Getting from the Logical to the Physical Your street address is a “logical” address, as is an IP address. Using that logical address to arrive physically at the correct location requires some sort of mechanism that will translate the logical address to a physical one. A map does this by providing a “view” of where the property is located, and a very precise map will supply the geographic coordinates (latitude and longitude). You can think of ARP, the Address Resolution Protocol, as a sort of map for IP packets. If you know the IP address, ARP can tell you where to actually go on the network to get there. It does this by maintaining a table of IP addresses matched to physical (MAC) addresses. The physical address could be compared to the geographic coordinates that pinpoint where your house actually sits. Even if your street name or number changes, the physical location will remain the same, and this is also (generally) true of the NIC’s physical address.
How ARP Works ARP is designated as a required specification for TCP/IP by RFC 826. This is because, without some means of resolving IP addresses to physical hardware addresses, packets cannot reach their destinations. ARP uses
416 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
broadcasts to determine which physical addresses match up with which logical (IP) addresses. This information is then cached so that it will remain available. Caching the information reduces network traffic by eliminating redundant broadcasts. The cached information stays in the cache for up to 10 minutes. When an IP/physical address pair is entered into the cache, a timer is started. If two minutes pass and the entry is not used again, ARP removes it from the cache. If it is used within that time, the timer is reset and it gets another two minutes. If it continues to be used, its life will be extended every two minutes, up to 10 minutes. These are called dynamic ARP entries. You can also add static entries to the ARP cache, which will stay in the cache until you shut down or reboot your computer. To add a static entry, at the command line type arp –s followed by the IP address and then the physical address. For example, to add an ARP cache entry that matches IP address 192.168.1.24 with MAC address 00-34-d4-32-c6-27, you would type the following command: arp –s 192.168.1.24 00-34-d4-c6-27
NOTE When ad d ing an ARP entry, the IP ad d ress is entered in d ecim al and the p hysical ad d ress in hexad ecim al, with hyp hens sep arating the two-d igit b ytes.
You can also use the arp command-line utility to view the current ARP cache, as shown in Figure 8.7, by typing arp –a. Figure 8.7 You can view the ARP cache b y typ ing arp –a at the com m and p rom p t.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 417
If you have multiple network interface cards (NICs) on your Windows 2000 computer, there will be a separate ARP cache for each adapter.
NOTE RARP (Reverse Ad d ress Resolution Protocol) is a TCP/IP utility that p erform s som ewhat the op p osite function of ARP; instead of p rovid ing a hard ware ad d ress when given an IP ad d ress, it p rovid es an IP ad d ress from a gateway server’s ARP cache, when a RARP client p rovid es its p hysical ad d ress. RARP is not includ ed in Wind ows 2000.
Putting It All Together We discussed name resolution and the services that perform it (WINS and DNS) in Chapters 6 and 7. When NetBIOS or fully qualified domain names (FQDNs) are used by a client to make a request to a server, the first step in establishing the connection is to resolve the “user-friendly” name to a more computer-friendly number. In TCP/IP communications, this means an IP address that, together with a subnet mask, will identify both the network on which the computer resides and the specific network interface on that network with which we want to communicate. If the destination computer is on the same subnet as the sending system (which we can determine through a procedure called anding, a calculation applied to the IP addresses of the two computers), the process is relatively straightforward.
IP Communications on a Nonrouted Netw ork (w ithin the Subnet) When a computer wishes to communicate with another computer on the same subnet, IP determines, based on the IP addresses of both along with the subnet mask, that the destination computer is on the local subnet. The sending computer checks the ARP cache for a MAC address that matches the destination computer’s IP address. If no match is found in the cache, the sending computer will send an ARP broadcast message to all computers on the local subnet. This message essentially asks, “What is the physical address associated with ?” The sending computer’s own IP and MAC addresses are included in the ARP message. All computers on the local subnet receive the message. Those whose IP addresses don’t match the one in the message ignore it. The computer
418 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
whose IP does match the one in the ARP message first puts the sending computer’s IP/MAC address information in its own ARP cache, then sends a response to the sending computer with the information about its MAC address. When the sending computer gets the response, it adds the destination computer’s IP/MAC address information to its cache, and can now send data to the destination computer.
IP Communications on a Routed Netw ork (to a Remote Subnet) If the destination computer is not on the same local subnet, it works slightly differently. In this case, ARP will resolve the remote IP address to the physical address of the router that can forward the message on to the subnet on which the destination computer resides. The IP protocol again checks the IP addresses and subnet mask and this time determines that the destination computer is not on the local subnet. IP determines the IP address of the default gateway (router), and the sending computer checks the ARP cache for a physical address that matches the router’s IP address.
For IT Professionals
IP Ad d resses and the Internet As we all know b y now, TCP/IP is the p rotocol suite used for com m unications over the vast glob al network of networks that we call the Internet. We also know that in ord er for com m unications to take p lace on a TCP/IP network, every network ID on the internetwork m ust b e uniq ue, and every Host ID m ust b e uniq ue to that network. In theory, this m eans that of the m illions of com p uters connected to the Internet, there should b e no two with the sam e IP ad d ress. In p ractice, however, this is not strictly true. Due to the shortage of availab le IP ad d resses, and also b ecause registering m ultip le ad d resses ad d s to the cost of running a network, m any com p anies and hom e networks use som e m ethod of connecting m any com p uters to the Internet through a single IP ad d ress. There are two p op ular typ es of software d esigned to accom p lish this: Network Ad d ress Translation (NAT) and Proxy Services. Netw ork Address Translation (NAT). This is a m eans of configuring one com p uter, which has a d ial-up or d ed icated connection to Continued
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 419
the Internet through an ISP, to serve as a gateway through which other com p uters on the LAN can ob tain Internet access without b eing assigned sep arate “p ub lic” ad d resses. With NAT, these client com p uters use “internal” ad d resses from the p rivate ad d ress range, which are not visib le to system s outsid e the local network. To the Internet, there ap p ears to b e only one com p uter connected —and ind eed , only the “gateway” com p uter (som etim es called the NAT or ICS host com p uter) is actually connected to the Internet. There are third -p arty software im p lem entations of NAT, such as Sygate and NAT32. A new feature in Wind ows 2000 is b uilt-in sup p ort for NAT. Wind ows 2000 Professional includ es Internet Connection Sharing, which is a som ewhat lim ited form of NAT that is sim p le to configure and ad m inister. Wind ows 2000 Server includ es ICS too, b ut it also p rovid es for a m ore flexib le form of NAT through RRAS (Routing and Rem ote Access Service), which allows for changing the IP ad d ress range, use of m ultip le p ub lic ad d resses, and m ultip le LAN interfaces. ICS d oes not sup p ort these ad vanced features. Both ICS and NAT includ e com p onents for ad d ress assignm ent, translation of the p rivate internal ad d resses to the p ub lic external ad d ress(es), and nam e resolution services. Proxy Services. A p roxy server is a m ore sop histicated m eans of p rovid ing a shared connection to the Internet, which p rovid es for greater security through com p lex filtering. Proxy software, such as Microsoft Proxy Server or Winp roxy, req uires a higher level of configuration and contains other features in ad d ition to ad d ress translat io n . Fo r exa m p le, p ro xy servers ca n b e set u p t o ca ch e often-accessed Web sites so that p erform ance will b e op tim ized and less actual access to the Internet is req uired . Generally, however, p roxy servers use the sam e ad d ress translation techniq ue as NAT— req uests for Internet access go through the server, which m ap s each clients’ internal IP ad d ress and the ap p lication m aking the req uest to a p ort on the server. The p roxy then p resents the req uest to the “outsid e world ” as if it cam e d irectly from the server itself, and the internal m achines’ ad d resses are hid d en from the Internet. The result is that there are m any, m any m ore ind ivid ual com p uters “on the Net” than it would ap p ear from the num b er of p ub lic IP ad d resses visib le to the outsid e network. What ap p ears to b e one com p uter, with one IP ad d ress, m ay b e a NAT host or p roxy server that is forward ing req uests and resp onses for d ozens or even hund red s of com p uters on its local network.
420 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
If it doesn’t find one, it broadcasts an ARP message to find the router’s physical address, using the same process as in the previous example. When the router, which is attached to the local subnet, receives the ARP message and determines the IP matches its own, it responds with its physical address after putting the sender’s IP/MAC information into its cache. The sender updates its own cache with the router’s information, and now will send any messages addressed to the remote destination computer through the router. The router will forward the message to the destination computer (or another router, if it is not directly connection to the destination computer’s subnet) using the same process.
Overview : IP Addressing Configuration Errors A large percentage of TCP/IP connectivity problems can be traced to IP addressing configuration errors. Thus, one of the first things you should check, if your TCP/IP-based computer is not able to communicate on the network, is the TCP/IP Properties sheet. Ensure that if you have manually assigned the IP address, it is a valid address for the subnet. Also check the address of the default gateway, DNS and WINS servers, and the subnet mask. Simply making this quick check can eliminate many problems. Common errors include transposing two digits within an address and switching two addresses between fields (such as entering the computer’s address in the default gateway field, and vice versa). It sounds elementary, but remember one important rule of troubleshooting is to always check the “simple stuff” first.
NOTE Microsoft d ocum entation attrib utes the m ajority of TCP/IP connectivity p rob lem s to incorrectly entered IP ad d ress inform ation. This is one case where typ os do count.
Dup licate IP Ad d resses Duplicate addresses can be a problem in a network where some or all of the IP addresses are manually assigned, especially if there is more than one administrator or other personnel are responsible for configuring TCP/IP properties on computers.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 421
If this happens, the following situation may occur: When a Windows 2000 computer comes online (or when its IP address is changed), and its TCP/IP stack is initialized, it sends a “gratuitous” ARP message, requesting the hardware address associated with its own IP address. If another computer responds, thus claiming the IP address as its own, the newly initialized computer will stop using IP. If there is another network protocol installed, it may be able to continue communicating on the network using the other protocol. If TCP/IP is the only network protocol installed, it will not be able to communicate on the network. Windows 2000 tries to prevent duplicate address errors in several ways. If you change the TCP/IP settings and enter an IP address that is already in use on the network, you will get a message indicating the address is taken and instructing you to change your settings. If you change the settings while offline and then come back onto the network, you will receive a message informing you that there is an IP address conflict. The computer that is already using the address will also display an error message (see Figure 8.8) indicating that there is an address conflict, although it will be able to continue communicating via TCP/IP using the address. Figure 8.8 Wind ows 2000 d isp lays an error m essage when a d up licate ad d ress is d etected .
One way to track down this problem is by checking the System Log in the Windows 2000 Event Viewer. An error message will appear, indicating that the system detected an IP address conflict.
Locating the Other Computer that Is Using the Address There are several ways to locate which other computer on the network is using the address. If it is a Windows 2000 or NT computer, there will be an event entered in its System Log reporting the conflict, although the computer that “got there first” will be able to go on using the address. You can also use the tracert command on the address to find out the name of the computer using it, or you can use arp –a to find out the physical address of the computer using the IP address, as long as the other computer is on your local subnet.
422 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
TIP There is third -p arty IP m anagem ent software that will d o sop histicated tracking and aud iting of IP ad d ress inform ation. One such p rod uct that is com p atib le with Wind ows 2000 is Meta IP. For m ore inform ation, see www.m etainfo.com /p rod ucts/m etaip .cfm .
Address Conflicts w ith Computers Using DHCP If you receive a message that you have an IP address conflict at bootup and the machine is using DHCP, you can release the address so the DHCP server will assign a new address. To release the address, use the ipconfig /release command.
Invalid IP Ad d resses If the computer is given an IP address that is “illegal” or just invalid for use on that particular network, it will not be able to communicate with other computers over TCP/IP. As mentioned earlier, if you are running a private network that has no connection to the “cloud” (as many books and illustrations represent the Internet), you can use any IP addresses you wish, including those that have already been assigned for public use. This will not cause a problem—unless you later decide to connect your network to the Internet without changing the addressing scheme. At that point, your addresses may conflict with those of another organization that has registered that address space. Packets intended for computers on your network will be routed to the “legal” holder of the addresses. An invalid address may not be illegal, but does not “fit” into the local network’s addressing scheme. If the LAN is using the network ID of 192.168.1.0 with a subnet mask of 255.255.255.0, then the computers that are on that network must have IP addresses that use 192.168.1 for the first three octets. If you assign one of the computers an address that is not on that network (or if it is assigned an address with a different network ID by APIPA because a DHCP server could not be contacted), when IP attempts to contact another computer on the same segment it will identify the address as belonging to a remote host and will send the packet to its default gateway. Also remember that Host IDs of all 0s or all 1s are not valid for assignment as a computer’s IP address. A Host ID of all 0s is used to
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 423
identify the network, and a Host ID of all 1s is used as the broadcast address, for messages to be sent to all computers on the network. Thus, on a class B network using the default subnet mask of 255.255.0.0, both the addresses 138.21.0.0 and 138.21.255.255 would be unavailable for Host IDs. On a class C network using the default subnet mask of 255.255.255.0, the same would be true of the addresses 201.45.3.0 and 201.45.3.255.
DHCP Configuration Prob lem s The Dynamic Host Configuration Protocol runs on a Windows 2000 Server and automatically assigns IP addresses to computers configured to be DHCP clients. DHCP originated as a derivative of BOOTP, the Bootstrap Protocol used in earlier networks to assign IP addresses dynamically, usually in the context of booting diskless workstations from the network.
NOTE The sp ecifications for BOOTP are d efined in RFCs 951 and 1084.
How DHCP Works: Condensed Version Most network administrators are familiar with DHCP and aware of the four-step process required for a DHCP client to obtain a “lease” on an IP address. We will briefly review those steps to identify the points in the process where things can go wrong.
NOTE DHCP is not a Microsoft-sp ecific feature. UNIX, NetWare, and other network op erating system s (server software p rogram s) also use DHCP.
The four steps in the lease process involve the sending of four special messages between the DHCP client and a DHCP server. These messages are called: ■ ■
DHCP Discover DHCP Offer
424 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems ■ ■
DHCP Request DHCP Acknowledgment
The process is relatively simple.
DHCP Discover When a computer that is configured to be a DHCP client comes online and its TCP/IP stack is initialized, it accesses the Registry settings pertaining to TCP/IP parameters and recognizes that it must obtain an IP address from a DHCP server. It does not, however, know how to reach a DHCP server. Unlike DNS and WINS servers addresses, the IP address of a DHCP server is not entered in the TCP/IP configuration properties. That means the computer must broadcast for a DHCP server. The client sends a broadcast message (addressed to the broadcast address 255.255.255.255) called a DHCP Discover message, which essentially asks DHCP to come to its aid and assign it an IP address.
NOTE Since the client d oes not have an IP ad d ress at this p oint, it uses the ad d ress 0.0.0.0 as its source ad d ress. The server would not b e ab le to id entify the client that sent the req uest from this ad d ress, so the m essage also includ es the client com p uter’s nam e and its p hysical MAC ad d ress.
DHCP Offer If there is an authorized DHCP server on the network, it hears the client’s plea for help and responds with a message called a DHCP Offer. This message contains an IP address from its predefined scope of addresses that can be allocated, as well as other information such as duration of the lease. This message is also sent as a broadcast, since the client computer doesn’t yet have an IP address to which the server can send the message directly. The Offer message includes the IP address that is available (and the server temporarily reserves it during the extension of the offer), a subnet mask, a lease duration (which is specified by the administrator in configuring DHCP), and the server’s IP address.
DHCP Req uest The client will receive “offers” from more than one source if there are multiple DHCP servers on the network that have available addresses. The client will accept the first offer that arrives, and will send back a message
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 425
called a DHCP Request. This is also a broadcast—so the other servers who made offers will know that they’ve been “rejected” and will release the addresses they had temporarily reserved for the client—which we might think of as a formal acceptance of the first server’s offer. It includes the IP address of the server whose offer is being accepted.
DHCP Acknowled gm ent The final message, the one that “clinches the deal,” comes from the DHCP server. It acknowledges the acceptance of its offer and assigns the IP address to the client for it to use for the duration of the lease period. It also includes other TCP/IP configuration information, such as the default gateway and subnet mask, and the addresses of DNS and WINS servers, if the client is configured to get this information through DHCP. After receiving this message, the client will be able to use the IP address for TCP/IP communications over the network. This last message is called an ACK. If the server is for some reason unable to complete the transaction, it sends instead a NACK, or negative acknowledgment.
NOTE A NACK occurs when a client attem p ts to lease an IP ad d ress it held p reviously, which has b ecom e unavailab le, or if the client has relocated to a d ifferent sub net and the ad d ress it is trying to lease is now invalid .
Com m on DHCP Prob lem s Next, we will look at some of the problems that can occur as this scenario plays out.
NOTE Wind ows 2000 Pro cannot b e a DHCP server, although it can serve as a DHCP allocator, p erform ing som ewhat the sam e function, when set up to share its Internet connection as an ICS host.
Traditionally, most problems with DHCP fall into a few broad categories: ■ ■
Server configuration problems Client configuration problems
426 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems ■ ■
Unauthorized DHCP servers Unavailable DHCP server
We will discuss each of these, how Windows 2000’s TCP/IP enhancements help to reduce the frequency of these problems, and best practices for optimizing DHCP performance and decreasing the chances of problems.
Server Configuration Problems As might be expected, the majority of DHCP problems stem from incorrect initial configuration or failure to update the configuration on the DHCP server(s).
TIP Rem em b er that the DHCP server itself cannot b e a DHCP client; it m ust b e m anually configured with a static IP ad d ress and other TCP/IP configuration inform ation.
In Windows 2000, Microsoft has incorporated the management of the DHCP server services into the Microsoft Management Console (MMC), providing a new, more standardized look and feel for administrators. See Figure 8.9 for an example of the DHCP management console snap-in. Figure 8.9 The DHCP server is configured from the MMC.
You can access the DHCP MMC via Start | Programs | Administrative Tools | DHCP on the server. If DHCP is not performing as expected across the network, the first thing you should check is the configuration on the DHCP server.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 427
NOTE If DHCP is not functioning at all, one thing to check is whether the DHCP service has b een stop p ed . Wind ows NT ad m inistrators are used to stop p ing and starting services from the Services ap p let in Control Panel, b ut you won’t find that ap p let in Wind ows 2000 Server. Instead , right-click My Com p uter, choose Manage, and navigate d own the tree in the left p anel to exp and Services and Ap p lications. Select DHCP, right-click (or choose the Action m enu), and select All Tasks. Here you can start, stop , p ause, resum e, or restart the service, as shown in Figure 8.10. Figure 8.10 Starting and stop p ing the DHCP service via the Com p uter Managem ent MMC.
As you can see in Figure 8.10, you can perform configuration tasks such as creating new scopes, reconciling scopes, defining classes from the Computer Management snap-in, and starting or stopping the service.
428 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
These tasks can also be performed from the DHCP MMC accessed through Administrative Tools; this can be confusing when you first start working with Windows 2000.
Scop es and Ad d ress Pools In the context of DHCP, a scope is a group of consecutive IP addresses that can be allocated to clients on a subnet. For example, a scope might be defined as 192.168.1.140 through 192.168.1.160. Note that these addresses are contiguous. To define a scope, simply click DHCP in Computer Management, and on the Action menu, select New Scope. This will start the New Scope Wizard, which walks you painlessly through the process. A scope must have a name, a range of IP addresses, and a subnet mask. You can also define the lease duration, reserve certain addresses for certain DHCP clients, and define options.
NOTE After you d efine the scop e, you m ust activate it b efore it will b e used b y DHCP.
In some cases, you may want to exclude certain addresses within the scope’s range from being offered to DHCP clients, such as those used by routers or computers with manually configured static addresses. For instance, if you have three DNS servers on the network with manually configured IP addresses that fall within the scope, you would exclude those addresses (another option is to reserve addresses for those computers, so that DHCP will assign them the same addresses each time they request a lease, as we will discuss a little later in the chapter). Suppose the manually assigned IP addresses of the three DNS servers are: 192.168.1.150 192.168.1.151 192.168.1.152
You don’t want DHCP handing out those addresses to its clients, or you will end up with an IP address conflict. You can define an exclusion range of 192.168.1.150 through 192.168.1.152, and those addresses will be excluded from the DHCP scope. You can choose to exclude a range of addresses during the creation of the scope, using the New Scope Wizard. To exclude a range of addresses after the scope has been created, simply expand the Scope object in the left panel of the MMC, and right-click
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 429
Address Pool. Choose New Exclusion Range, as shown in Figure 8.11, and the Exclusion Range dialog box will be displayed. Enter the first and last address in the range of addresses that you wish to exclude, or to exclude just one address, enter it in the Start field (not in both fields). Figure 8.11 You can exclud e a range of IP ad d resses from the DHCP scop e.
Com m on Prob lem s Associated with Scop es and Ad d ress Pools Common problems that arise in relation to DHCP scopes include: ■
■ ■
■
Not excluding the addresses within the scope range that have been assigned to routers, network print devices, or computers whose IP addresses were configured manually. Specifying an incorrect subnet mask. Defining too small a scope so that the DHCP server does not have enough IP addresses to assign to all requesting DHCP clients. Not activating the scope after defining it. To activate the scope, right-click the scope you want to activate under DHCP in Computer Management, and select Activate, as shown in Figure 8.12.
430 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Note in Figure 8.12 that Windows 2000 places a warning icon by the scope name to notify you that it has not yet been activated. Figure 8.12 After creating the scope, you m ust activate it before DHCP can use it.
Sup erscop es When a single physical network segment consists of more than one logical IP subnet, and when two DHCP servers are tasked with managing separate logical subnets on the same physical network, Microsoft recommends that you implement a superscope. This allows DHCP servers to assign addresses from more than one scope to the same subnet. Without superscopes, this situation may cause DHCP clients to receive NACKS when they come online and attempt to renew their previous leases, and/or when a new address is obtained, it might put the client on a different subnet from the one for which it had been configured before. Superscopes prevent these problems by allowing each of the two DHCP servers to recognize and “respect” addresses assigned by the other. To configure superscopes, all of the DHCP servers on the segment are set up to recognize all subnets on the segment. Exclusion ranges are used on each server to prevent their address ranges from overlapping. In other words, you configure each server so that its superscope includes all the
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 431
subnets, including those whose addresses are allocated by other DHCP servers. You then set up exclusion ranges for the addresses that are allocated by the other servers. This way, each server will recognize all the addresses in the superscope as valid, but will only allocate those addresses that are not excluded in its configuration.
Lease Duration As we already learned, when a DHCP server allocates an IP address to a client, it does not grant permission to use that address permanently. Instead, it “leases” the use of the address for a specified period of time, called the lease duration. During the creation of a new scope, the Windows 2000 New Scope Wizard allows you to change the default lease duration of eight days, as shown in Figure 8.13. Figure 8.13 The New Scop e Wizard allows you to change the d uration of DHCP leases.
You are not, however, stuck with the lease duration that is set during the scope creation. You can change the duration of leases handed out by the server at any time, by editing the Properties page for the scope. Right-click the name of the scope for which you wish to change the lease duration, and select Properties. You will see the dialog box shown in Figure 8.14. As you can see, the duration can be set to the number of days, hours, and minutes desired, just as could be done during the creation of the
432 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Figure 8.14 You can change the lease d uration for DHCP clients through the Scop e Prop erties sheet.
scope. Another option you have, which was not given by the New Scope Wizard, is to choose not to limit the duration of the DHCP leases. In that case, clients will retain their leases until the lease is manually released.
WARNING It is usually not d esirab le to set the lease d uration to unlim ited , b ecause this m eans that even if the com p uter hold ing the lease goes offline forever, that IP ad d ress cannot b e reused until or unless the lease is m anually released .
If a DHCP client goes down, the administrator can force the lease to be released by right-clicking Address Leases under the Scope name in the console, selecting the IP address/computer name combination for the lease to be released in the right pane, right-clicking and selecting Delete, as shown in Figure 8.15. This will free the IP address to be allocated to another DHCP client.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 433
Figure 8.15 You can m anually force a DHCP to b e released b y d eleting the lease in the m anagem ent console.
NOTE If you find that all of the IP ad d resses in the scop e are b eing used even though you have fewer com p uters on the network than the num b er of ad d resses to b e allocated , check the Ad d ress Leases to d eterm ine if RRAS is assigning m ultip le DHCP ad d resses to the sam e com p uter(s). In Figure 8.15, those IP ad d ress leases that have icons showing a telep hone b esid e the com p uter are assigned b y RRAS.
The Lease Renewal Process If you sign a one-year lease for a house, and you wish continue living on the property, you probably will not wait until the day the lease is up to negotiate a renewal of the lease with the landlord. If you did, you might find yourself out on the streets with no place to live. Similarly, DHCP clients “think ahead” to ensure that they aren’t left high and dry without an IP address when their leases expire.
434 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
When the lease period, as set in the lease duration configuration, is halfway expired, the DHCP client will send a message to the DHCP server requesting a renewal of the lease (as you can see, DHCP clients plan further ahead than do most residential tenants). Normally, the DHCP server then renews the lease. But what if the server from which the lease was obtained has gone down? The client will try again when 87.5 percent of the lease has expired. The first renewal attempt is made by sending a DHCP Request directly to the DHCP server holding the lease. If no response is received, the client tries to obtain a lease from any available DHCP server, broadcasting a DHCP Request. If the client doesn’t get a response from any DHCP server (or if it gets a negative response) before the expiration time is up, it cannot continue to use the address. At that point, it must start all over with the leasing process in order to be assigned a new IP address.
TIP You can force the client to m anually req uest a renewal of its lease at any tim e b y using the ip config /renew com m and .
Com m on Prob lem s Associated with Lease Duration The network problems commonly associated with lease duration can be solved or reduced by taking advantage of Windows 2000’s option to change the duration as shown in the foregoing section. These problems include: Network slowdown caused by excessive lease renewal traffic. Looking back at the process for obtaining and renewing DHCP leases, you can see how DHCP is capable of adding a lot of network traffic. This is especially true if the network is large, with many DHCP clients. You can alleviate some of the congestion by extending the lease period beyond the default if there are plenty of IP addresses available and the clients are stable. In this case, you might consider increasing lease duration to 21 or even 30 days. Inefficient use of DHCP addresses resulting in server(s) not having enough addresses for all requesting clients. This problem can occur when there is a limited number of IP addresses in the DHCP scope and you have an unstable client situation; that is, computers configured to use DHCP that move on and off the network, as with laptop/notebook systems. DHCP client computers running Microsoft operating systems do not release their leases when they shut down, so if laptops are removed from the network,
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 435
their leases will still be assigned to them for the duration of the lease even though they are not being used. If this happens, you may find it beneficial to decrease the lease duration to a shorter period than the default, so addresses will be more quickly returned to the pool of available addresses to be assigned to other clients.
Reserved Ad d resses Some computers—primarily servers—need to always have the same IP address. One way to accomplish this is to manually configure their TCP/IP properties, but this means that if other TCP/IP configuration information changes (for instance, the address of the WINS server), they will all have to be manually changed. There’s a way to allow these computers to enjoy the benefits of DHCP, such as the ability to make those changes on the DHCP server and have it automatically disseminated to the clients, and still ensure that the computers that need to always have the same address can. This is accomplished by assigning reserved addresses to those computers. Adding a reserved address is easy in Windows 2000. Right-click Reservations under the Scope in the MMC, and select New Reservation. You will see a dialog box, as shown in Figure 8.16. Figure 8.16 You can m ake an ad d ress reservation for a client that need s to always have the sam e ad d ress.
436 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
1. Type in a name for the reservation, the IP address to be reserved, and the physical (MAC) address of the computer for which you are reserving the address. 2. The Description field is optional. 3. You must choose the allowed client type (DHCP, BOOTP, or both). 4. Click ADD to enter the new reservation into the DHCP database.
WARNING The MAC ad d ress m ust b e entered correctly or the DHCP server will not assign the reserved ad d ress to the com p uter. Although the reservation nam e can b e the nam e of the client com p uter, the DHCP server uses the hard ware ad d ress to recognize the com p uter for which an ad d ress reservation is m ad e. Unlike when you enter the MAC ad d ress to configure a static arp cache entry, you m ust NOT p ut d ashes in the MAC ad d ress when you configure a client reservation at the DHCP server.
Determ ining the Physical Ad d ress of a Com p uter To find the hardware address of a computer while sitting at the computer itself, type ipconfig /all at the command line. To find the hardware address of another computer on the network, first ping the computer name if you don’t know its IP address. When you have the IP address, type arp –a at the command line to find its physical address. If you have the Windows 2000 Resource Kit, you can use the getmac utility.
NOTE Although the MAC ad d ress is d isp layed in the ip config and arp utilities with d ashes b etween each p air of hexad ecim al d igits, d o not use d ashes when you enter the MAC ad d ress in the New Reservation d ialog b ox.
DHCP Op tions There are four types of DHCP scope options, in increasing order of specificity: ■ ■
Server options Scope options
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 437 ■ ■
Client options Class options
Server options. These are the default options that are applied to all scopes configured on a particular DHCP server. You can use them to define configuration information used by all the client computers, such as the address of the WINS or DNS server. Scope options. As the name implies, these apply only to clients whose addresses are leased from the specified scope. This allows you to set information specific to a particular subnet (when there is a separate scope for each subnet) such as the default gateway address. Client options. In some cases, you may need to define options that apply only to a specific client or clients. These are used for clients with reserved addresses. Class options. When you use the Server, Scope, or Client Options dialog boxes, you can use the Advanced tab to configure and enable options for clients that are members of a specified user or vendor class. Only the DHCP clients that identify themselves according to the criteria for the selected class will be given the options data you have set up for that class.
How to Configure Op tions To configure the Server options, right-click Server Options in the left pane of the console, and select Configure Options. To configure Scope options, right-click Scope Options and do the same. Configuration of client options is a little trickier. First, you must have a client reservation. Expand the Reservations container, select the client reservation for which you wish to configure client options, right-click it, and select Configure Options (shown in Figure 8.17).
NOTE Som e Microsoft d ocum entation refers to the Server op tions as “Glob al” op tions.
Class options are new to Windows 2000. Microsoft provides three predefined classes: a default user class, the Microsoft Dynamic BOOTP class, and the Microsoft RRAS class, as shown in Figure 8.18. Options are applied in the following order of priority: 1. Specific client options are used before scope or global options. 2. Scope options are used before Server options.
438 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
3. Class options can override values assigned and set at the same context (server, scope, or client options) or the values that are inherited from options at a higher context. Class options are divided into two types: user class and vendor class. The most commonly used options include: Figure 8.17 Client op tions can only b e configured for clients with ad d ress reservations.
■ ■ ■ ■ ■
IP addresses of routers. IP addresses of DNS servers. DNS domain name. NetBIOS node type. IP addresses of WINS server.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 439
Figure 8.18 Class op tions ap p ly only to m em b ers of sp ecified classes.
NOTE Class-b ased op tions only ap p ly to DHCP clients that are id entified as m em b ers of the sp ecified user or vend or class.
Monitoring the DHCP Server Another improvement that Microsoft has made in Windows 2000 includes enhancements to the ability to monitor and provide statistical information for the DHCP server(s). A common DHCP-related problem is the depletion of available IP addresses, so Windows 2000 allows you to set up a predefined point at which an alert will be sent informing you that the specified percentage of available IP addresses has been used (you can also configure a second notice to be sent when the addresses are all gone). The Windows 2000 DHCP management tool supports the Simple Network Management Protocol (SNMP), as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for
440 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
monitoring of DHCP-related statistics. There is a great deal of useful information available via the DHCP manager, including the number of DHCP Discover, Offer, Request, and ACK/NACK messages that have been sent since the server last started (see Figure 8.19). Figure 8.19 The DHCP m anagem ent ad m inistrative tool d isp lays statistical inform ation.
To access the statistical information, go to Start | Programs | Administrative Tools | DHCP. In the DHCP Manager, right-click the DHCP server name, and select Display Statistics. As you can see, the statistical summary provides you with the number of scopes configured, total addresses allocated for assignment, how many of those are in use, and how many are still available.
NOTE Another source of inform ation ab out DHCP activities is the Event Viewer, which logs inform ational, warning, and error m essages, and DHCP aud it logs if you have logging enab led .
The DHCP Datab ase The DHCP database can become corrupt, or data might be accidentally deleted or destroyed due to hardware problems, power problems, viruses, or other reasons.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 441
The database files are stored in \System32\DHCP and include the following files: ■ ■ ■ ■
Dhcp.mdb Dhcp.tmp J50.log and J50#####.log J50.chk
NOTE Do not rem ove or alter these files. You m ay b e accustom ed to d eleting tem p files to free d isk sp ace; however, the Dhcp .tm p file is used as a swap file, and Microsoft d ocum entation warns that it should not b e d eleted .
Windows 2000 backs up the DHCP database by default at one-hour intervals. You can edit the Registry to change the backup interval. To do so, use a Registry editor to open the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP \Parameters
WARNING Always b ack up the Registry b efore m aking changes. Ed iting the Registry should always b e d one with care, as incorrect entries could cause the system to b ecom e unb ootab le.
Edit the value BackupInterval by entering the number of minutes desired between database backups, as shown in Figure 8.20. By default, the value is shown in hexadecimal, but you can convert it to decimal by selecting the appropriate radio button.
NOTE The DHCP d atab ase b ackup files are stored on the DHCP server in the < system root> \System 32\DHCP\Backup \Jet d irectory. A cop y of the DCHP\Param eters sub key of the Registry is stored in the Backup d irectory with the file nam e DHCPCFG.
442 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Figure 8.20 Ed it the Registry to change the interval b etween DHCP d atab ase b ackup s.
If the operating system detects that the DHCP database has become corrupt, it will automatically restore from backup when the service restarts. To manually restore the database from the backup files, you must edit the Registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\DHCPServer\Parameters and set the RestoreFlag value to 1.
NOTE It is not necessary to ed it the Registry again to reset the RestoreFlag entry. After the d atab ase is restored , the server will autom atically return the value to 0.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 443
If you are unable to edit the Registry entry, another way to restore the database is by copying the \System32\DHCP\Backup\Jet folder to \System32\DHCP. Be sure you stop the DHCP service before copying the files. After you have copied the files, restart the DHCP service to restore the database.
Client Configuration Problems A number of problems can affect a DHCP client’s ability to use the service. If other DHCP clients on the subnet are having no problems obtaining and using IP addresses, and if you have checked and determined that the server’s address allocation has not been depleted, this indicates the problem is related to the configuration or operation of the client computer.
Client Cannot Ob tain an IP Ad d ress This indicates that the client machine was not able to reach a DHCP server. There could be many causes for this, including a hardware problem. Be sure the client has a network connection to the server by pinging the server from the client computer. If you cannot, check cables, NICs, and other hardware devices. If you can ping the server from other computers on the same subnet, check the client computer’s protocol configuration. Be sure TCP/IP is installed and functioning by pinging the loopback address (127.0.0.1).
TIP If you are using a DHCP Relay Agent, m ake sure that the m achine is functioning and that its IP configuration p aram eters are correct. A com m on error is ad d ing the DHCP Relay Agent service and then failing to configure a DHCP server for it to contact.
Client Has an Invalid IP Ad d ress If the client is unable to communicate with other computers on the network, and ipconfig indicates that the client is using an address that is invalid for the subnet (from the 169.254.0.1 through 169.254.255.254 range), this indicates that the client was unable to contact a DHCP server and assigned itself an address via APIPA. Try to ping the server. If you are able to do so, try manually renewing the lease. To disable APIPA, see the section Automatic Private IP Addressing earlier in this chapter.
444 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Client Is Missing Configuration Inform ation If the client was assigned an IP address by the DHCP server but did not properly receive additional configuration information, such as the DNS server address, ensure that the client supports the options and that the options have been properly configured at the server.
Multip le Clients Are Sud d enly Unab le to Ob tain IP Ad d resses If many clients become unable to obtain leases for IP addresses, check the following: ■
■
■
■
Ensure that the DHCP server is up, and that its IP address has not been changed. Ensure that the DHCP server’s IP address is in the same network range as the scope it is servicing. Be sure that you don’t configure multiple DHCP servers on the same subnet with overlapping scopes. If you are using Active Directory domains, be sure that the DHCP server has been authorized in the Active Directory.
NOTE If one of the DHCP servers is running Microsoft Sm all Business Server, b e aware that the DHCP Server service in the SBS will autom atically stop if it d etects that there is another DHCP server on the local sub net.
Other Common DHCP Problems Most of the time, DHCP works well, saving administrators a lot of time and headaches. However, as with any other service, things can go wrong. Microsoft has attempted to address and prevent potential problems as much as possible in Windows 2000, but you should be aware of some of the common DHCP-related problems that can occur.
Unauthorized (“Rogue”) DHCP Servers Problems can occur on a network when there are unauthorized DHCP servers. Perhaps someone configured a server as a DHCP server by mistake, or in order to practice with the service. The “rogue” server could begin handing out IP addresses—perhaps in a range that is invalid for the subnet—when DHCP clients broadcast a Discover message. This would result in those clients being unable to communicate with other clients on the subnet whose addresses were allocated by the authorized server.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 445
Windows 2000 attempts to prevent this situation by building in a feature to disallow address allocation by DHCP servers that have not been authorized by an administrator in the Active Directory. No responses will be returned to DHCP inform messages sent by unauthorized servers. When a Windows 2000 DHCP server comes online, it attempts to check the Directory to determine if it is authorized. If not, it does not respond to DHCP client requests.
NOTE Unfortunately, this d etection/p revention of “rogue” DHCP servers only works with Wind ows 2000 servers. A Wind ows NT 4.0 DHCP server will not b e d etected as a “rogue.”
DHCP Clients and Server on Different Sub nets In order for a DHCP server to provide IP addresses to clients across a router, the router must be able to act as a DHCP relay agent, or there must be a machine that is running the DHCP relay service on the client subnet. A Windows NT 4.0 or Windows 2000 server can be configured to run as a DHCP relay agent. However, most modern routers are able to support DHCP/BOOTP relay.
NOTE DHCP/BOOTP relay agent sp ecifications are d escrib ed in RFC 1542.
Multip le DHCP Servers The Microsoft documentation suggests that if you have multiple DHCP servers, you should put them on different subnets for fault-tolerance purposes. The servers should not have common IP addresses in their scopes (each server should have a unique pool of addresses). With the routers configured for relay or a DHCP relay agent on each subnet, if the DHCP server on the local subnet goes down, requests will be relayed to a remote subnet. Then, the DHCP server on the remote subnet can respond to DHCP requests—if it contains a scope of IP addresses that are valid for the requesting subnet.
446 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
WARNING If the rem ote server d oes not have a scop e d efined for the req uesting sub net, it won’t b e ab le to p rovid e IP ad d resses to the req uesting clients even if it has ad d resses availab le for other scop es.
By configuring each DHCP server with a pool of addresses for each subnet, each will be able to provide IP addresses for remote clients whose own DHCP server is offline.
Autom atic Ad d ressing (APIPA) The automatic addressing feature in Windows 2000 (first introduced in Windows 98) was designed to solve a common problem with DHCP: In earlier Microsoft operating systems, when a computer that was configured to be a DHCP client came online and no DHCP server was available, it had no way of obtaining an IP address and thus could not communicate using IP. APIPA circumvents this situation by giving DHCP clients a “contingency plan.” When the computer comes online, it will first attempt to reach a DHCP server to obtain an address, but if it fails to do so, using APIPA it can assign itself a temporary IP address to use until the DHCP server is back up. This is all well and good, but not always as useful as it sounds. The problem is that the addresses assigned by APIPA come from a range reserved for that purpose, the class B 169.254.0.0 network with a subnet mask of 255.255.0.0. This means the computer will only be able to communicate with other computers whose addresses were also assigned by APIPA, or that were manually configured to use 169.254.x.x addresses. Assuming your network uses a different network ID, the APIPA computer won’t be able to communicate over IP with the rest of your network, and automatic addressing serves little purpose.
NOTE Use the ip config com m and to d eterm ine whether a com p uter is using an APIPA ad d ress. If the IP ad d ress b eing used b y the com p uter is in the 169.254.x.x range, an APIPA-assigned ad d ress is b eing used .
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 447
You may wish to disable APIPA, especially if your network uses routers, and/or the computers on your network are all connected directly to the Internet without going through a proxy server or a NAT gateway. See the following section for instructions.
NOTE APIPA can also b e used d uring the Wind ows 2000 setup p rocess to autom atically assign tem p orary ad d resses in ord er to get the servers up and running q uickly. This is an op tion in the Networking Settings d ialog b ox when you select Typ ical settings.
How to Disable APIPA To disable automatic address configuration, you have to edit the Registry. 1. Use a Windows 2000 registry editor (Regedt32 or Regedit) to open the Registry. 2. Locate the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ Parameters\Interfaces\adapter_name
3. You must create a new value of the REG_DWORD type. Name the new value as follows: IPAutoconfigurationEnabled
4. Now double-click the new value name when it appears in the right pane, and assign it a value of 0 (“False”) to turn off APIPA. You can reenable APIPA at a later time by editing the key and changing this value to 1, or by deleting the IPAutoconfigurationEnabled entry (if it does not exist, the default value of 1 is in effect).
WARNING You should always b ack up the Registry b efore m aking any changes.
448 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
NOTE If you have m ore than one network ad ap ter and you wish to d isab le APIPA on all of them , you d on’t have to ind ivid ually ed it each ad ap ter’s p aram eters. Instead , you d o it in one fell swoop b y creating the IPAutoconfigurationEnab led entry and setting it to 0 in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Tcp ip \Param eters
Hard ware Ad d ress Prob lem s The ARP command-line utility is your best starting place for troubleshooting problems related to hardware addresses. Use the arp –a command to view the current ARP cache. If IP addresses have been reassigned, it is possible that the cache contains the old IP-to-MAC address mapping. Although dynamic entries are cleared from the cache within 10 minutes, this problem would be more likely to occur if a static entry had been made, since it would then remain in the cache until the computer was rebooted.
TIP If you want to rem ove a static entry from the arp cache, use the arp –d < ip _ad d ress> com m and .
Duplicate M AC Addresses In theory, this problem should never occur. Each network card manufacturer is allocated a range of hardware addresses to be assigned to the computers it manufactures, and there should be no two NICs in the world with the same hardware address. However, like IP addresses, MAC addresses have become less plentiful, and some manufacturers have started to reuse addresses. Additionally, errors do occur in the manufacturing process, and cards have shipped accidentally with duplicate addresses. This is not a problem if the two NICs with identical addresses end up on separate networks.
Troubleshooting Subnetting Problems Let’s now delve into the subject of subnet masking. We are going to use the principle of reserving or masking bits as we did with the Net ID
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 449
portion of the address earlier, but this is going to be a little more complicated. Subnetting a network means dividing it into two or more smaller networks (called, appropriately enough, subnets). There are several reasons why you might want to subnet your network ID. When you receive a group of IP addresses to use on the Internet, you are assigned a network ID and a subnet mask. Of course, most people get their IP addresses from their ISPs, who have already assigned you a subnet mask for the group. Assignment of public IP addresses to internal network clients isn’t as big an issue for medium to large companies now as it once was, because most of them are using proxy servers and NAT. But whether you are using private or public IP addresses, the principles we discuss in this section will apply; they just are not as stringent when working with private IP address classes.
Why Divid e the Network? A network ID is typically subnetted to allow for multiple physical segments. Each physical segment should have its own network ID. If you have 10,000 computers and are given the network ID 12.0.0.0 with a subnet mask of 255.0.0.0, this would work—in theory. However, all the machines would be on the same physical network, and it is likely that the broadcast traffic would be so intense that no communication could take place. If you were given a class B network ID of 169.254.0.0 and a subnet mask of 255.255.0.0, you could likewise put all your hosts on the same network ID, but then again, the amount of broadcast traffic that would be generated makes this a bad idea.. Even if you only have 120 clients and are given the class C network ID of 206.136.88.0 and a subnet mask of 255.255.255.0, you still would end up with all 120 clients on the same network. Because of the nature of Ethernet and Windows networking’s NetBIOS traffic, that is still too many for good performance. The maximum number of clients on a single segment is optimally less than 50. Networks that use private address classes don’t have as much of a problem, since they are free to use whatever private network IDs they want. If you choose to use the private address class 192.168.0.0 with a subnet mask of 255.255.255, you could theoretically create 256 networks with 256 clients each, which would be the same as a single class B network. You just configure your routing tables to accommodate each network. Those using public IP addresses don’t have this luxury, though, and they have to learn how to subnet the network IDs they are provided with by either IANA or their ISP.
450 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Subnetting Scenario 1 Let’s say we were given a class C Net ID. How many Host IDs are available in a class C network? How many bits are used for the Net ID? A class C Net ID uses the first three octets, so it uses 24 bits, leaving only 8 bits for Host IDs. How many Host IDs for each class C Network then? The answer is 28=256, and then subtract two for the all 0s and all 1s, which gives us 254 Host IDs per class C network. We certainly don’t want 256 hosts on a single network for our business. Also, we might want to have some hosts on a network in another state. What we could do is “split” up the Net ID in such a manner that we can have some of our hosts on a different physical network in another state, and some in our local office. Breaking up a Net ID into multiple “subnetworks” is called “subnetting.”
Subnetting Scenario 2 Let’s look at another example: What if we got a class B Net ID? How many Host IDs are there on a class B Network? How many bits are available for a class B Host ID? Well, the Net ID is going to take the first two octets, so that’s 16 we have to take away from the total of 32 available. That leaves us with 16 bits to use for Host IDs. How many Host IDs can we have? 216=65536 and then subtract two for the all 0s and all 1s, which gives us 65,534. Now, if the InterNIC gives us a class B Net ID, do we really want all 65,000 hosts on the same subnet? The broadcast traffic would be so bad that no useful network activity could take place. So, we definitely have to break up those Net IDs into smaller chunks so that we can get a reasonable number of hosts on each physical segment, or subnet.
Sub nets Remember that IP determines whether a message is for the local or remote host. If the destination is local, IP will have ARP broadcast for the destination host’s MAC address. If it is remote, IP will ARP broadcast for the default gateway, and then send the message to the default gateway. So, IP is like the post office employee, who first checks the ZIP code to see if it is local before bothering to check the house number and street address. Each subnet is like a different ZIP code within the same city. If the Net ID represents the city, then each neighborhood has its own ZIP code, or subnet.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 451
Sub net Masks How does IP figure out what your Net ID and Host ID are? Well, IP isn’t as smart as we are, because it doesn’t know about the rules regarding the high order bits and their connection to the IP address class. Rather, IP has to use something called a subnet mask to tell it which part of the IP address is the Net ID and which part is the Host ID. The subnet mask “masks” the Net ID portion of the IP address. It does this by covering up with 1s the Net ID and leaving “open” the Host ID with 0s. The default subnet masks are: Class A: Class B: Class C:
255.0.0.0 255.255.0.0 255.255.255.0
Or in binary: Class A: Class B: Class C:
11111111.00000000.00000000.00000000 11111111.11111111.00000000.00000000 11111111.11111111.11111111.00000000
How does IP use the subnet mask? All IP really cares about is whether the destination IP address is local or remote, so that it will know whether to broadcast or send the request to the default gateway.
ANDing The process that IP uses to determine whether the destination host is local or remote is called bitwise ANDing. In bitwise ANDing, the rules are: 1 AND 1 = 1 1 AND 0 = 0 0 AND 0 = 0
This is how it’s done: IP Ad d ress: 192.168.1.1 Subnet Mask: 255.255.255.0
In binary: IP Ad d ress: Sub net Mask: ANDed :
11000000.10101000.00000001.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000001.00000000
This will be the ANDed result of the machine originating a message. Let’s suppose this computer wants to send a message to: IP Ad d ress: 192.168.3.1 Sub net Mask: 255.255.255.0
452 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
In binary: IP Ad d ress: Sub net Mask: ANDed :
11000000.10101000.00000011.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000011.00000000
Now, we compare the ANDed results of the originating and destination hosts: Send er: Destination:
11000000.10101000.00000001.00000000 11000000.10101000.00000011.00000000
If the results are the same, IP will use a local subnet ARP broadcast because the two computers are on the same subnet. If the results are different, it will forward the request to the default gateway. In the preceding example, the ANDed results are different. IP will forward the message to the default gateway.
Tricking IP It is by manipulating the subnet mask that we can “trick” IP into thinking that there are more digits in the Net ID than the default number of digits defined by each class. Remember the default number of binary digits for the Net ID in each IP address class? Class A: 8 Class B: 16 Class C: 24
By manipulating the subnet mask, we can allow for more digits to be used for the Net ID by stealing some digits from the Host ID portion of the IP address. We can use the subnet mask to break up a Net ID into several subnetworks, and in that way trick IP into sending the message to the router so that it can get to the destination subnet. The routers will have the routing information to guide the packet to its correct location.
Making the Mask When we use a subnet mask other than the default subnet mask, it is often called a custom or variable-length subnet mask.
Subnet M asking for a Class A Netw ork Let’s look at the example of a class A network. The Net ID will be 75.0.0.0 and we’ll use the default subnet mask of 255.0.0.0. In binary:
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 453
NetID: Mask:
01001011.00000000.00000000.00000000 11111111.00000000.00000000.00000000
How could we break up this giant network into two separate subnetworks? Well, in binary, the number 2 is represented as 10. Therefore, it takes two bits to get the number 2. What we’ll do in order to get those two subnets we want is “steal” two bits from the Host ID portion of the IP address. So now, the subnet mask will look like this: Mask:
11111111.(11)000000.00000000.00000000
We could use any combination for those two bits we stole from the Host ID. Looking only at the second octet (the subnetted octet) of the IP address, what are the numbers that could comprise the second octet? (The masked bits are in parentheses.) 1. 2. 3. 4.
(01)000000 (10)000000 (11)000000 (00)000000
to to to to
(01)111111 (10)111111 (11)111111 (00)111111
However, we have to view the Subnet ID in isolation. The Subnet ID includes those bits reserved by the subnet mask to be used for the network ID that have been “stolen” from the Host ID. The Subnet ID must comply with the same rules as the Net ID and the Host ID: No all 0s or all 1s. So, we have to cross out the last two ranges because their Subnet ID is all 0s or 1s. So, range 1 in decimal is: 64 –127
and range 2 in decimal is: 128 –191
For the subnet mask itself, the second octet would be: (11)000000 = 192
indicating that we are taking two bits from the Host ID portion in the second octet. The all 0s or all 1s rule doesn’t apply to the subnet mask, since the 1s in the subnet mask just represent which bits in the IP address will represent the Net ID. We have broken up the entire network into two subnetworks, one with the Subnet ID of 64 and one with the Subnet ID of 128. How many Host IDs can we have on each subnet? How many bits are available for Host IDs after we’ve stolen two of them for the Net ID? Before
454 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
subnetting we had 24, but now we only have 22 after losing two of them to the subnet mask. That would be 222, which is 4,194,304, and then subtract 2 for the all 0s and all 1s, and that gives us 4,194,302 per subnet. Hey! What happened? If I use all the Host IDs for both subnets I created, I’ll have: 4,194,302 x 2 = 8,388,608 Host IDs
If I hadn’t subnetted my network, I would have had: 2 24 = 16,777,216
The moral of the story? The more subnets you create, the more Host IDs you’re going to lose. So, for our class A network with a Net ID of 75.0.0.0 and subnet mask of 255.192.0.0, our two subnet address ranges are: From : To:
01001011.(01)000000.00000000.00000001 (75.64.0.1) 01001011.(01)111111.11111111.11111110 (75.127.255.254)
And the second range: From : To:
01001011.(10)000000.00000000.00000001 (75.128.0.1) 01001011.(10)111111.11111111.11111110 (75.192.255.254)
NOTE Rem em b er that the m ore sub nets you create, the fewer hosts you will b e ab le to have on the networks.
By using the custom subnet mask of 255.192 on the class A network, we see that we stole two bits from the second octet to give to the Net ID, and that those two digits actually represent something called the subnet ID. What is the significance of 192? 192 in binary is 11000000, which indicates that two digits will be used for the Net ID that would have otherwise been used for the Host ID. What if our subnet mask were 224? What is 224 in binary? (111)00000
A subnet mask of 224 would indicate that we would be taking three digits from the Host ID portion and giving them to the Net ID. How many subnets could we create with a subnet mask of 224? What is the number of possible combinations that we can create from three bits?
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 455
000 001 010 011 100 101 110 111 (the
(0) (32) (64) (96) (128) (160) (192) (224) num b ers in p arentheses rep resent the Sub net ID in d ecim al).
Did you notice something about the progression of Subnet IDs? In this case, it is 32, which just happens to be the value of the last position in the Subnet ID (for example, Subnet ID 64 is 010xxxxx; that makes it the 6th position from the right in the octet, which has the value of 32). The value is called the block value. Each subnet represents a block of IP addresses. Remember that our Subnet ID can’t be all 0s or all 1s. Therefore, we have to throw out the first and last Subnet IDs listed above. That would give us six subnets that we could use if we have a subnet mask of 224. Another way to figure this out is 23 = 8, and then subtract 2 for the all 0s and all 1s, and that gives us six subnets. What if we stole four digits from the Host ID to give to the Net ID? We can use the formula! 24 = 16, and then subtract 2 for the all 0s and all 1s, and that gives us a total of 14 subnets when we steal four bits from the Host ID. What would that subnet mask octet be? 11110000 = 240. So, if we want to break up a network into 14 useable subnets, we could use the subnet mask of 240. What do you think the block value would be in this case? We are stealing four digits from the Host ID. Therefore, a possible octet value could be 0110xxxx (the xs represent the Host ID portion of the octet). The rightmost digit of the Net ID portion is the 5th digit of the octet, and the 5th digit’s binary value is 16. Thus, the block value is 16 when your subnet mask is 224.
Subnet M asking for a Class B Netw ork Let’s take another example from a class B network address. Our Net ID is 144.17.0.0. Using the information we’ve just learned, how could we create six subnets outs of this class B network? How many binary digits would be required to come up with 6? One won’t be enough, because 21 = 2. Two won’t be enough, because 22 = 4. How about three? 23 = 8, and then remember to subtract 2 for the all 0s and all 1s Subnet IDs. That will give us a total of six subnets if we steal three digits from the Host ID. On a
456 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
class B network, octets y and z are used for the Host ID, so we’ll steal two digits from the y octet in order to create our six subnets. What will the subnet mask be in this case? (111)00000 = 224 These are the valid IP address ranges in this case: Range 1 10010000.00010001.(001)00000.00000001 (144.17.32.1)
to 10010000.00010001.(001)11111.11111110 (144.17.63.254)
Range 2 10010000.00010001.(010)00000.00000001 (144.17.64.1)
to 10010000.00010001.(010)11111.11111110 (144.17.95.254)
Range 3 10010000.00010001.(011)00000.00000001 (144.17.96.1)
to 10010000.00010001.(011)11111.11111110 (144.17.127.254)
Range 4 10010000.00010001.(100)00000.00000001 (144.17.128.1)
to 10010000.00010001.(100)11111.11111110 (144.17.159.254)
Range 5 10010000.00010001.(101)00000.00000001 (144.17.160.1)
to 10010000.00010001.(101)11111.11111110 (144.17.191.254)
Range 6 10010000.00010001.(110)00000.00000001 (144.17.192.1)
to 10010000.00010001.(110)11111.11111110 (144.17.223.254)
(The Subnet ID portion is in parentheses within the binary IP addresses.) What address ranges did we lose here? What Subnet IDs are illegal when we are using three bits for our Subnet ID?
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 457
000 111
Remember, the all 0s and all 1s won’t work! 10010000.00010001.(000)00000.00000001 (141.17.0.1)
to 10010000.00010001.(000)11111.11111110 (144.17.31.254)
10010000.00010001.(111)00000.00000001 (144.17.224.1)
to 10010000.00010001.(111)11111.11111110 (144.17.255.254)
In effect, we lose the first and the last blocks. What is the block size in this example? What is the rightmost digit in the Subnet ID? It is digit 6 in the octet, so that block value is: 32. Thus we see that Subnet IDs 0 (0–31) and 224 (224–255) are lost!
TIP The first and last b lock values will always b e lost when we calculate our ranges of legal IP ad d resses.
Subnet M asking for a Class C Netw ork The last example is that of a class C address. Let’s say that we have a class C Net ID of 211.40.88.0 and we want to break it into 14 subnets. How many binary digits does it take to create 14 subnets? Three will only create 6 (8–2), so that won’t be enough. If we use four binary digits, that will give us 24 = 16, and then we subtract 2 for the all 0s and all 1s, and we get 14 valid Subnet IDs. 211.40.88.17 to 211.40.88.30 211.40.88.33 to 211.40.88.46 211.40.88.49 to 211.40.88.62 211.40.88.65 to 211.40.88.78 211.40.88.81 to 211.40.88.94 211.40.88.97 to 211.40.88.110 211.40.88.113 to 211.40.88.126 211.40.88.129 to 211.40.88.142 211.40.88.145 to 211.40.88.158
458 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
211.40.88.161 211.40.88.177 211.40.88.193 211.40.88.209 211.40.88.225
to to to to to
211.40.88.174 211.40.88.190 211.40.88.206 211.40.88.222 211.40.88.238
What is the block size in this case? With a 4-bit subnet mask, the rightmost digit in the mask is digit 5 in the octet. The 5th digit in the octet’s binary value is 16, so the block size is 16. That explains why the first and last blocks are missing. 211.40.88.1 to 211.40.88.16
and 211.40.88.239 to 211.40.88.254
But look at the gaps in the other IP address. What happened to 211.40.88.31 and 211.40.88.32? Look at the last octet of those two IP addresses: (0001)1111 (0010)0000
NOTE In b oth cases, we have an illegal Host ID num b er, b eing either all 0s or all 1s. You will find that to b e the case for all the m issing IP ad d resses. The Host ID or the Sub net ID will b e illegal. Rem em b er, the first and last m em b er of the b lock is always illegal. So, in this case, with a class C ad d ress and a b lock size of 16, we will only have 14 legal IP ad d resses p er sub net. Note: Be aware that this is the trad itional ap p roach to sub net m asking as taught in the Microsoft Wind ows NT 4.0 official training curriculum . In fact, in the field you will see that the Sub net ID p ortion of the network ID is not restricted to the “no all 0s and 1s” rule, and that the Sub net ID is incorp orated into the network ID as a single entity. The sam e rules ap p ly regard ing the Host ID not b eing all 0s or 1s, and the network ID should not b e all 0s or 1s either. Of course, if you are configuring your own routers, you have a lot of latitud e regard ing what ad d resses the router should consid er legal and illegal.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 459
Errors in Sub net Masking Let’s look at a common error and see what happens when it occurs. The most common error is when one of the clients on the segment has been configured with the wrong subnet mask. This is most likely done when a machine has a manually configured IP address, and the technician entered a wrong digit in the subnet mask text boxes. For example, a machine is configured with the IP address 192.168.1.33 and a subnet mask of 255.255.255.224. The rest of the machines on the network are configured with IP addresses of 192.168.1.x with a subnet mask of 255.255.255.240, with the default gateway for that network having an IP address of 192.168.1.17. What happens when the client tries to contact another computer on the same segment? If the machine is able to obtain the IP address of another computer on the same segment, it will recognize the other computer’s IP address as being on a different subnet, and will send the message to the default gateway. Why would the client assess that any other computer on the segment would be on a different subnet? Our incorrectly configured client is configured to be on Subnet ID 32, or network ID 192.168.1.32/27. All the clients on the segment are configured on Subnet ID 16, or network ID 192.168.1.16/28. The valid range of IP addresses on the misconfigured client’s subnet is 192.168.1.33 to 192.168.1.62. The valid range of IP addresses for the other machines on the segment is 192.168.1.17 to 192.168.1.30. Let’s look at this in the binary: Miconfigured client’s IP information: 192.168.1.(001)00001 255.255.255.(111)00000
The first and last valid IP addresses on the misconfigured client’s subnet are: 192.168.1.00100001 = 192.168.1.33 192.168.1.00111110 = 192.168.1.62
IP information for all other clients on the subnet: 192.168.1.(xxxx)xxxx 255.255.255.(1111)0000
Since we know that the default gateway is located at 192.168.17, we can figure out the Subnet ID of the segment: 192.168.1.(0001)0001 255.255.255.(1111)0000
460 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Sub net ID = 16 or (0001)0000 or Network ID = 192.168.1.16/28
What is the legal range of IP addresses contained on the default gateway’s subnet? 192.168.1.(0001)0001 = 192.168.1.17 192.168.1.(0001)1110 = 192.168.1.30
Therefore, when the misconfigured client attempts to send a message to any machine whose IP address is in the legal range for the subnet, IP will recognize that other machine’s address as being on a remote network, and will send it to the default gateway. However, we have another problem now: The default gateway is seen as being on another subnet. Therefore, the packet will go nowhere. If you test this out on your own by doing a ping of the out-of-range addresses, you’ll see an error regarding a “bad IP address.”
NOTE RFC 1878 d iscusses the stand ard s and sp ecifications for variab le-length sub net m asking.
Summary In this chapter, we have examined how IP addressing works, and how the logical addresses assigned during the TCP/IP configuration/initialization process relate to the network interface card’s (NIC) physical, or hardware address (called the MAC address in Ethernet networks). We learned how to determine a NIC’s IP and hardware address(es) for troubleshooting purposes using common TCP/IP utilities. We then looked at what “all those numbers” in the IP addresses really mean. We dissected the sections or octets that make up an IP address, and delved into how to convert the “easy on the eyes” dotted decimal notation used by humans into the 1s and 0s that the machines actually process. We briefly discussed subnet masking, and the default subnet masks for each IP address class. This led to a discussion of address classification and so-called “classful” addressing and its more modern replacement, Classless Inter-Domain Routing, or CIDR (sometimes just referred to as “classless addressing”). We learned how to determine which class an IP address belongs to based on its high order bits, and how to extrapolate
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 461
the binary into its decimal translation. We also discussed the class D multicast addresses, and the “experimental” class E. Next, we examined how network IDs and Host IDs are assigned, and discussed the pros and cons of manual address assignment and automatic addressing. We identified the characteristics of the Dynamic Host Configuration Protocol (DHCP), Automatic Private IP Addressing (APIPA), and how Internet Connection Sharing’s autoaddressing function works. We defined the differences between public and private addresses, and then looked at how IP addresses are actually used for communication on a network. We talked about the Address Resolution Protocol (ARP), which maps IP addresses to physical (MAC) addresses, and stepped through the IP communication process as it applies to both nonrouted and routed networks. Then we talked about specific IP addressing problems. We discussed how to detect and correct such situations as duplicate IP addresses, “illegal” addresses, and addresses that are invalid for the subnet. We made a detailed study of DHCP: how to configure the client and server, the process used by a DHCP client to obtain an address, and some common DHCP troubleshooting scenarios. We learned about the messages used by the DHCP service: DHCP Discover, DHCP Offer, DHCP Request, and DHCP Acknowledgment (ACK) and Negative Acknowledgment (NACK). After that, we turned to discussion of common DHCP server configuration problems, how and why they occur, and what to do about them. We reviewed some basic settings that should be checked: ■
■ ■
■
■
Ensuring that the DHCP server itself has a static manually configured IP address Making sure that the DHCP service is started Ascertaining that a scope of addresses has been defined and activated Excluding addresses within the scope that have been manually assigned to routers or computers Specifying the correct subnet mask
We discussed using superscopes to allow DHCP servers to assign addresses to more than one logical subnet on the same physical network. Next, we took a close look at how DHCP lease duration can affect network performance, and situations in which changing the duration can solve problems or optimize the speed of network communications. We saw how to set lease duration during the creation of a new scope, and how to change the lease duration after a scope has already been created and activated. We talked about the ramifications of granting clients unlimited lease periods.
462 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Then we discussed how to reserve addresses for computers that need to have the same address all the time but still want to take advantage of the benefits of being a DHCP client. We talked about DHCP Server, scope, Client, and Class options, and how to configure each in the DHCP management console. We learned how to use DHCP monitoring tools to gather statistical information about the performance of the DHCP services, such as the number of Discover, Offer, Request, and ACK/NACK messages sent; length of time the server has been up; how many scopes are configured; how many addresses are allocated to DHCP; how many are assigned and how many are still available. We examined the components of the DHCP database, which is stored in the \System32\DHCP directory on the DHCP server. We talked about the files that make up the database: Dhcp.mdb, Dhcp.tmp, J50.log, and J50.chk. We discussed how to edit the Registry to change the backup interval from the default of 60 minutes, and how to restore the DHCP database from backup in one of two ways: ■ ■
Setting the RestoreFlag value to 1 Copying the \System32\DHCP\Backup\Jet folder to \System32\DHCP and restarting the service
Then we talked about some common client configuration problems, and what to do about them. We discussed DHCP clients’ inability to obtain an IP address due to not being able to reach the server, and clients operating with addresses that are invalid for the subnet due to an APIPA assignment. We talked about what to do if the client can obtain an address but is missing some configuration information, and discussed the possible causes of multiple clients on a network being unable to obtain addresses from the DHCP server. Next we took on the problem of “rogue” (unauthorized) DHCP servers and what Microsoft has done in Windows 2000 to address this potential source of trouble. We discussed how to handle multiple DHCP servers on a network and made recommendations for locating them on separate subnets to increase fault tolerance. We talked about using a DHCP relay agent or router configured to support BOOTP relay so the DHCP server(s) can assign addresses across subnets. We then discussed Automatic Private IP Addressing (APIPA), which uses the reserved address range 169.254.0.0 to 169.254.255.254 with a subnet mask of 255.255.0.0, so that if a DHCP client is unable to contact a DHCP server, it can still communicate via TCP/IP by assigning itself an address from this range. We also learned how to disable APIPA on our computers by editing the Registry.
Troubleshooting Window s 2000 IP Addressing Problems • Chapter 8 463
After a brief look at hardware address problems, we discussed how to troubleshoot subnetting problems, and how to use variable-length subnet masking. We then examined the concept of supernetting and how Classless Inter-Domain Routing (CIDR) is used to help alleviate the problems caused by classful addressing. IP addressing is the foundation of TCP/IP communications. It’s a complex subject, and there is much that can go wrong if addresses are configured improperly. This chapter in no way attempts to cover every possible addressing configuration problem, but we have provided an overview of the most common addressing problems and the tools that can be used to diagnose and correct them.
FAQs Q: The DHCP server log shows NACKs being returned to DHCP clients requesting leases, and I have tried to renew the client’s lease manually but am unable to do so. What is the problem, and how do I solve it? A: This situation will occur if the IP address range configured for the DHCP server is conflicting with (overlapping) the range that some other DHCP server on the network is offering. Change the address pool for the scopes on one or both servers so that they do not overlap. Add exclusions if needed. You can also enable address conflict detection on the server by right-clicking it in the management console, selecting Properties | Advanced, and setting the value for Conflict Detection Attempts to a number greater than 0. Q: How can I manually release or renew a DHCP lease? A: At the command prompt, type ipconfig /release to release the address, or ipconfig /renew to renew the lease. Q: When should I deactivate a superscope on a DHCP server? How do I do so? A: Use the Deactivate command only if you want to retire all scopes that are members of the superscope and delete the superscope itself from the server. You should not use this command to merely pause the superscope, and you should not reactivate a superscope after you have deactivated it. If deactivation is still desired, click the superscope in the DHCP management console tree, open the Action menu, and select Deactivate.
464 Chapter 8 • Troubleshooting Window s 2000 IP Addressing Problems
Q: What is a DHCP scope? A: A scope is a group of computers on a subnet that use DHCP to obtain IP addresses, which defines the parameters used by the clients. A scope includes the IP address range used for DHCP lease offers and any excluded ranges, a subnet mask that signifies the subnet, a name (which is assigned to the scope when it is created), and the lease duration period that applies to leases offered to DHCP clients when they receive IP addresses. Q: What are the similarities and differences between BOOTP and DHCP? A: BOOTP is the predecessor to DHCP, used to automatically assign IP addresses, which was traditionally used for booting diskless workstations over the network. DHCP adds enhancements to BOOTP that make it the automatic address assignment protocol of choice today. Both protocols use the same type of request and reply messages, which consist of UDP datagrams 576 bytes in length. The message headers are almost the same for both protocols; the only difference is that the last field is called the vendor-specific field in BOOTP and can only be 64 octets, whereas in DHCP, the last field is called the options field and can be up to 312 octets in size. Both use UDP port 67 to listen for and receive client messages, and clients use port 68 to accept replies from the server. BOOTP normally reserves an address permanently in its database for each client computer, while DHCP leases the addresses and reserves them temporarily in its database. Q: What are the two types of class options, and what are the differences between them? A: The class options are divided into user classes and vendor classes. User class identifications are configured with the ipconfig command, while the vendor class IDs are set by the vendor (for example, Microsoft). You create user classes in order to identify all the DHCP clients that have something in common for which you wish to assign options. For instance, you could create a user class to identify all the clients in a particular site, or all the clients that are mobile computers. The vendor classes are created to take advantage of vendor-specific functions. Clients using products of other vendors will not receive DHCP options from other vendors.
Chapter 9
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Solut ions in t his chap t er: ■
RAS and RRAS Configuration Problems
■
General Internet Connectivity Problems
■
NAT and ICS Configuration Problems
■
Virtual Private Netw orking Problems
465
466 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Introduction From one perspective, this could be a very short chapter (but don’t get your hopes up). Windows 2000 TCP/IP networking over a remote access connection is, in most respects, the same as participating on a cabled or wireless LAN. Once properly connected through the telephone lines or VPN and logged on to and authenticated by the domain controller, a RAS client can do virtually anything on the network that a local client can do (provided the appropriate access permissions have been granted). However, there are some special factors to consider when troubleshooting TCP/IP problems involving remote access. Windows 2000 Routing and Remote Access Service (RRAS), combined with dial-up networking, has made it easy to set up a connection over the Public Switched Telephone Network (PSTN) analog lines, ISDN, DSL, X.25, and other remote links. From dialing in to an Internet Service Provider (ISP) or online service with a 56K modem to establishing a dedicated high-speed WAN link, remote access becomes easier and less expensive with each passing year. There are still some challenges involved in getting computers miles or even continents apart to “talk” to each other. In this chapter, we will focus on how Windows 2000 RRAS works, how to configure the service for various connection scenarios, and common configuration problems that can arise. Because such a large number of remote access connections today are for the purpose of accessing the global Internet, we will discuss Internet connectivity. We’ll also look at how your organization can save money and reduce the “hassle factor” of giving multiple computers access to the Internet or another remote network, using Windows 2000’s built-in Internet Connection Services and Network Address Translation. We will talk about virtual private networking, which is growing in popularity due to its ability to provide for a secure connection to a private network by “tunneling” through the Internet. We’ll take some time to examine how VPNs work, how to configure Windows 2000 machines as VPN clients and servers, and the two tunneling protocols supported by Windows 2000: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). We will address VPN security problems, and come back to the subject of IPSec (which was introduced in Chapter 4, “Windows 2000 TCP/IP Internals”), along with Microsoft Point to Point Encryption (MPPE), in the context of virtual private networking.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 467
Today’s business world is moving toward a time when much of the work will be done offsite, in order to reduce company overhead and increase the flexibility and job satisfaction of workers who can be as productive (maybe more so) when telecommuting from home as when stationed in an office cubicle in corporate headquarters. As the marketplace becomes more international, executives, salespeople, and others spend much of their time traveling, and need to do their networking “on the go.” TCP/IP is still the protocol on which most of this remote connectivity is based, and knowing how to configure and manage remote connections will be even more important to network administrators in the future than it is today.
Overview of Window s 2000 Remote Access Services Remote access is provided by Windows 2000 as part of RRAS.
Typ es of Rem ote Access Dial-up and virtual private networking are the two types of remote access supported by Windows 2000 RRAS. Although there are similarities between the two, in terms of TCP/IP communications and connectivity, each has its advantages—and its problems. Dial-up access: Using the telephone lines (either regular analog lines or high-speed digital lines), a remote client creates a temporary link (called a virtual circuit) to a remote access server, over which configuration parameters are negotiated and data packets are exchanged. See Figure 9.1. VPN: A virtual private networking connection is made using an internetwork to which both the client and server are separately connected (such as the global Internet). A point-to-point link is made by creating a “tunnel” through the larger internetwork using a tunneling protocol (PPTP or L2TP). Data packets are encapsulated and encrypted within this tunnel. See Figure 9.2. With both types of remote access, once the connection to the server has been established, the client can communicate with the server (and, with the proper permissions, with other computers connected to the server on the LAN) via any local area network protocol that is used on the private LAN. This means that you are not limited to TCP/IP communications; in the case of virtual private networking, NetBEUI or IPX/SPX (NWLink) packets can actually be encapsulated inside the TCP/IP link that is used to connect to the Internet.
468 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Figure 9.1 A d ial-up connection involves d ialing d irectly in to the rem ote access server.
Remote client Modem
k t lin oi n o- p s nt -t p oi line ne ect Di r ph o t el e via
Dial-up Connection Modem
Remote access server
Distinguishing betw een Remote Access and Remote Control It is important to understand the difference between a remote access connection and another popular means of connecting computers remotely, called remote control. On the surface, the two appear to be the same: in both cases, you can establish a link over a dial-up or dedicated telephone line or through the Internet. However, there are important differences.
Rem ote Access: How It Works When you establish a remote access connection by using a modem to dial in to a remote server, or by creating a VPN link, the remote access client becomes a true node on the remote network. From it, you can log on to the domain, access shares on the server and other nodes for which you have permissions, print to shared printers, and do anything you would be able to do as a local node on the network. Other computers with shared resources that are on your subnet will show up in your Network Places window. The only significant difference to the user between participating on the network from a remote node and being cabled to the network as a local node is speed. Telephone lines are inherently much slower than the slowest LAN cable.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 469
Figure 9.2 A VPN connection involves creating a “tunnel” through the Internet.
Internet Service Provider
Modem
t Vi r
Remote Client
ua l Tu nn el
Internet
t Vi r ua l Tu nn el
Internet Service Provider Dedicated link Remote server
NOTE Wind ows 2000 includ es rem ote access client and server software. When we d iscuss rem ote access servers in this chap ter, we will b e referring to a Wind ows 2000 Server com p uter configured to accep t rem ote connections via RRAS. However, a Wind ows 2000 Professional workstation can also function as a d ial-up server and accep t incom ing calls.
Rem ote Control: How It Works Remote control is a different concept and is used for different purposes. Remote control requires special software on the client and server. Thirdparty programs such as PCAnywhere, ControlIT, Remotely Possible, and LapLink can be used to establish a remote control session with another computer. In a remote control session, the remote computer actually takes over the desktop of the host computer and has complete control of
470 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
it. Sitting at the remote computer, you see on your screen an exact replica of the host computer’s display screen. You can make configuration changes, run applications, and so forth on the remote machine (assuming you’re logged on to it with the proper permissions). If someone is sitting in front of the host machine, he will see the cursor move as you move your mouse from the remote location. Remote control doesn’t just allow you to access shares on the host; it’s “the next best thing to being there.” Remote control is useful for troubleshooting or performing administrative duties from home or when on the road, or on a computer that is located offsite. Remote access, then, is used to connect to the network and participate as a node on the network. Remote control is used—generally by administrative personnel—to take control of a server or other computer and operate it from a remote location.
NOTE You can also rem otely control a server using Wind ows 2000 term inal services in rem ote ad m inistration m od e.
Estab lishing a Rem ote Access Connection In order to anticipate and prevent problems involving remote access, it is important to understand the components of remote access networking and how they work together.
Softw are Needed for a Remote Access Connection In order to be a remote access client, a Windows 2000 computer must have Routing and Remote Access installed and configured properly. We will look at configuration problems and how to properly set up RRAS a little later in this chapter. In addition to RRAS, Windows 2000 uses the Dial-up Networking component to create a link over the telephone lines. The remote access server uses RRAS components to accept dial-up connections from clients and forward data between the remote clients and other computers on the local network. On a stand-alone Windows 2000 computer, you can configure the computer to accept incoming dial-up connections using the New Connection Wizard that is accessed from the following:
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 471
Start | Settings | Network and Dialup Connections | Make New Connection
If the Windows 2000 computer is a server that belongs to or controls a domain (including a member server), you will not be able to configure incoming dial-up services this way. When you attempt to do so, you will see a dialog box as shown in Figure 9.3. Figure 9.3 Incom ing connections m ust b e configured through RRAS for Wind ows 2000 servers that b elong to a d om ain.
It is necessary to use the RRAS management console to configure a server in a domain to accept incoming remote connections. We will look at how RRAS is configured for a remote server in a later section of this chapter.
NOTE The sam e Wind ows 2000 com p uter can function as b oth a d ial-up client and a d ial-up server. It can even d o b oth at the sam e tim e, p rovid ed it has two m od em s installed with sep arate p hone lines connected to them .
The WAN Link Remote access requires some kind of physical link between the computers. Most commonly, this is a dial-up or dedicated telephone line of some sort. When troubleshooting remote access problems, you must always keep in mind the possibility that the problem is with the line itself (just as many LAN problems can be attributed to damaged, unplugged, or incorrectly installed cable).
NOTE One way to think of a rem ote access connection is that, logically, it is the sam e as a local cab led connection, while p hysically, the m od em takes the p lace of the network interface card (NIC) and the p hone line takes the p lace of the Ethernet cab le.
472 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
At the physical level, the starting point for a remote access connection is the wide area networking link over which it is made. This can be the public switched telephone network, a dial-up or dedicated digital line like ISDN, a line using the newer DSL technology, or an X.25 network. See Table 9.1 for a summary of common WAN technologies. Table 9.1 Com m on Wid e Area Networking Technologies WAN Link Type
Speed
Characteristics
PSTN (analog p hone system )
56K (53K legal lim it in U.S.)
Often unab le to reach top sp eed s d ue to “noise.”
ISDN
64K (1 channel) 128K (BRI) 1.544M (PRI)
“Clean” d igital connection p rovid es fast connect, top sp eed s attainab le in p ractice.
DSL
256K to 6M (ADSL) Up to 50M (VDSL)
Low cost, high sp eed . Not availab le in all areas.
T-carrier
1.544M (T1) 6.312M (T2) 44.736M (T3) 274.176M (T4)
Ded icated leased line; guaranteed b and wid th. Very exp ensive.
X.25
64K (typ ical)
Packet switched network; very high reliab ility.
NOTE Other WAN technologies, such as Fram e Relay, ATM, and SONET are used for wid e area networking, and are b eyond the scop e of this chap ter, which d eals with those links m ost com m only used with Wind ows 2000 rem ote access services. T-carrier lines are d ed icated leased lines and are includ ed here for sp eed com p arison p urp oses.
Und erstand ing PSTN Connections The public switched telephone network is “formally” known as PSTN, but in the telecommunications industry is often referred to as POTS, which stands for “plain old telephone service.” These are the analog telephone lines that are available in almost every part of the United States.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 473
NOTE In m any Europ ean countries, ISDN is now used routinely to p rovid e regular telep hone service.
The biggest advantage of the public telephone system is its omnipresence—telephone lines reach to even isolated areas, and service can be established relatively easily and quickly. Another advantage is cost; in most cases, a POTS line will be less expensive than digital links.
NOTE With the ad vent of Digital Sub scrib er Line (DSL) technology, the cost d ifferential b etween analog and d igital is not as great as it was a few years ago.
Analog modems are cheap, plentiful, and fairly easy to set up and use. Windows 2000 and other modern operating systems support a wide variety of modems, and plug-and-play technology makes installation and configuration straightforward and simple in most cases. To make a dial-up connection, you merely install the modem (or connect an external modem via a serial port), install the drivers, plug in a phone line, and set up dial-up networking to dial the number of a phone line connected to a modem that is installed on the stand-alone computer or network to which you want to connect. The modem translates the digital signaling used by the computer into analog so it can travel along the telephone line, and a modem at the other end converts it back to digital form so it can be “understood” by the receiving computer.
TIP The p rocess of converting from analog to d igital signaling and b ack is called mod ulation and dem od ulation; hence the nam e “m od em .”
PSTN has some significant disadvantages when it comes to remote computing, however. The traditional telephone network was designed for voice communication, not as a data link. Performance (speed of transfer) rates that work fine for voice seem slow when we use the lines to transmit
474 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
large data files. Those of us who remember the venerable 900 baud modems of the early days of remote networking have a lot of respect for today’s 56K modems, but the brave new world of Internet communications has made us all impatient. The sad truth is that analog technology is approaching its practical “speed limit.” Even with compression, telecom experts say we are not going to be able to squeeze much higher data transfer rates out of our old phone lines. Yet most travelers on the Information Autobahn—replete with huge software downloads, large graphics, and sound files, streaming audio and video, Java-scripted and Active-X’d Web sites and other highbandwidth demands—need (or think we need) more speed. When our remote network activities are mission-critical, we may also need more reliability than poor old POTS can provide. That’s where digital WAN links come in.
Und erstand ing ISDN Most telephone companies offer, in addition to standard analog service (and usually at a higher cost), Integrated Services Digital Network (ISDN) lines. ISDN uses multiple channel digital lines to provide a connection that is faster, more reliable, and suffers less from noise interference and other problems common to analog connections. ISDN was originally developed with the intent that it would eventually replace PSTN. In some countries this has been achieved, although in the United States—due to tariffs, cost, early installation nightmares, and thus low public demand—ISDN is not universally used in business telephone systems and is still rather uncommon for residential service.
NOTE An ISDN connection req uires a sp ecial p iece of eq uip m ent that is som etim es referred to as an ISDN m od em . Technically, it is not a m od em b ecause there is no m od ulation and d em od ulation req uired since ISDN signaling is d igital. However, the d evice—which is p rop erly called an ISDN term inal ad ap ter— p erform s b asically the sam e function as an analog m od em in term s of d ialing and estab lishing the connection with the com p uter on the other end .
ISDN does, however, have some important advantages over PSTN, and a substantial, though not overwhelming, number of businesses do use ISDN for their voice communications and their organization’s connection
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 475
to an ISP or to other branch offices within the company network. Some ways in which ISDN is superior to analog service include: Faster connection. ISPs offer both dial-up and dedicated ISDN accounts. With a dedicated account, you essentially dial the ISP when you set up the line and then never have to hang up. The line is always connected so that the computer with the ISDN connection is online 24 hours a day, 7 days a week. There is no need to dial up the ISP each time you want to connect to the Internet, or dial up the remote access server at another site each time you want to connect to the branch office. With a dial-up account, you hang up when you finish accessing the Internet and then dial again when you want to go back online. Even so, because ISDN is digital, there is not the delay of waiting for the phone to ring and be answered that is experienced with analog phone lines and modems. The connection is established so quickly that, in most cases, it is almost indistinguishable from a dedicated connection. Faster data transfer. ISDN service is generally offered by the telephone service in one of two options: Basic Rate ISDN (BRI) and Primary Rate ISDN (PRI). With BRI service, you get one 16 Kbps channel used for control signaling (called a D channel), and two channels over which data can be transferred, (called B channels). Each operates at 64 Kbps and can be multilinked to provide a 128 Kbps connection. In normal practice, each B channel is a separate phone line and is assigned two different telephone numbers (although some phone companies will assign the same phone number to both lines, if you desire). These lines can also be used for voice communications; in fact, with most ISDN adapters, you can plug one or two analog phones into the adapter (which contains a component that converts the digital signal to analog) and hold a voice conversation on one of the channels while you are transferring data on the other. With PRI service, you get 23 64 Kbps B channels and one 64 Kbps D channel, for a total speed of 1.544 Mbps (T1 speed). A “cleaner” connection. Digital lines are less prone to interference and “noise,” which is a problem that often results in analog lines being able to connect at only a fraction of the speed of the modem being used. This means that the 64 Kbps or 128 Kbps speed of a BRI link lets you actually connect at that speed, unlike 56 Kbps analog modems that rarely connect at more than 50 Kbps (and in some areas, may never get above 40 Kbps).
476 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Disadvantages of ISDN include: Higher cost than analog lines. Some telephone companies charge by the minute or by the amount of data transferred. Others that offer flat rate ISDN often charge twice as much for a Basic Rate ISDN line as the rate for a standard analog line—although you should keep in mind that with BRI you are actually getting two telephone lines. Installation difficulties. Traditionally, ISDN “modems” have been more difficult to configure than analog modems, although modern models have gone a long way toward alleviating that problem. In some cases, getting the line itself installed proves to be a major undertaking. Phone company technicians in some areas are not nearly as familiar with ISDN installation, and long waits for installation or difficulties caused by improper installation are not uncommon, although this has improved in recent years in most locations. Less widespread availability. ISDN is not available in all areas where POTS can be had. The telephone CO, or central switching office, must have equipment that can handle digital signaling. Although most COs in urban areas have been updated to include this, some outlying areas still do not have the physical capability to offer ISDN service to customers. ISDN is a viable, medium-cost solution in areas where DSL service has not yet been implemented. However, its popularity has dropped as telephone companies have “rolled out” the newest, fastest, and leastexpensive digital technology.
Tip s for Troub leshooting ISDN Connections Connection problems with ISDN, assuming the line itself is in working order, can be due to one of several problems: ■
■
■
Ensure that the ISDN “modem” or adapter has updated and properly installed software drivers. Ensure that the com port being used is configured to support the desired data transfer rate. If you are only able to connect with one channel on a twochannel ISDN line (thus connecting at 64 Kbps instead of 128 Kbps), ensure that your connection is configured to use multilink and that your ISP or remote access server also supports it.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 477
Und erstand ing DSL In the late 1990s, telephone companies in the United States began to offer a new type of digital service called DSL, or Digital Subscriber Line. DSL comes in several flavors: ■
■
■ ■
■
ADSL (Asymmetric Digital Subscriber Line) Downstream speed is higher than upstream (optimized for most consumer use, where much more data is downloaded from the server than uploaded to the server). SDSL (Symmetric Digital Subscriber Line) Downstream and upstream speed are the same. HDSL (High-speed DSL) Requires two lines. VDSL (Very high-speed DSL [up to 50 Mbps]) Could also be called Very expensive DSL; not in common use. IDSL: DSL technology over ISDN lines.
Currently, most telephone companies offer ADSL. DSL is usually implemented as an “always on” technology; that is, you stay connected all the time. DSL transmission is implemented over regular copper wires, and a “splitter” is installed on the line so that it can be used for both data and voice at the same time. Since two different frequencies are used, you can actually talk over the phone at the same time you are using the line for the data connection. Special equipment is required; a DSL “modem” (actually a ATU-R, which stands for ADSL Terminal Unit – Remote) is plugged into a NIC in the computer. As with ISDN, the telephone company CO that services your location must be equipped to handle DSL. Major advantages of DSL over ISDN include: High Speed. ADSL speeds vary from 256 Kbps up to about 6 Mbps, the typical speed being 1.544, the same as a T1 line. This is considerably faster than Basic Rate ISDN. Low cost. ADSL cost varies with the telephone company, but in most areas is significantly lower than ISDN despite the fact that it is from two to over 10 times faster. “Always on.” A dedicated ISDN connection generally costs several times more than a dial-up connection. All ADSL connections are dedicated (full time). As might be expected, DSL has its drawbacks, too. Some of which are: Availability. DSL only began to be offered by major U.S. phone companies in the mid-to-late 1990s. It is not yet nearly as widely available as ISDN, although many telcos are rolling out DSL in
478 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
metropolitan and suburban areas at a furious pace. It may be a while before DSL is available in more outlying areas. Equipment. DSL modems are not commonly stocked at computer outlets like analog and ISDN equipment. In many cases, you must purchase the equipment from the telephone company, and pay whatever price they set. Distance limitations. Unfortunately, using current technology DSL only works within a specified distance of a CO. The telephone company will not install DSL if your location is beyond that limit, which is usually set at 17,500 feet. Many believe these disadvantages are only temporary, and that DSL and other broadband technology (such as the cable modem) are the future of the Internet. You might wonder, if DSL attains speeds of 1.544 Mbps and beyond, the same speeds as T-carrier lines, why anyone would pay several thousand dollars per month for a T1 line when DSL typically costs less than a hundred dollars per month. The answer is simple: guaranteed bandwidth, also sometimes referred to as CIR or Committed Information Rate (although this term is more frequently associated with Frame Relay technology). With a T1 line, you are assured that you will have the full 1.544 Mbps bandwidth, while a 1.544 DSL line only means that you can get up to that speed; your actual “mileage may vary.” (Some telcos provide a minimum rate, such as 384 Kbps for a connection that tops out at 1.544). Another reason is that, as mentioned, DSL availability is limited due to the newness of the technology and the required proximity to a CO. If you need a guaranteed, reliable high-speed line for mission-critical work, and/or your location doesn’t qualify for DSL, it may be worth it to pay extra for a T1 connection.
Tip s for Troub leshooting DSL Connections Problems with DSL connections usually fall into one of two categories: inability to connect, or a slow link. Troubleshoot connection problems in the same way you would troubleshoot any TCP/IP connectivity problem, using PING, IPCONFIG, and the TCP/IP utilities to determine the extent of your ability (or inability) to connect. When performance is the issue, this is often due to packet drops. If there is a bad router on the WAN somewhere that is causing packets to be lost, TCP/IP will assume the loss is due to overloading and will slow down (even if this is not the case). In most cases, these problems will need to be addressed with your telco and/or ISP.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 479
Und erstand ing X.25 Windows 2000 supports remote access via an X.25 network. X.25 is a Consultative Committee for International Telegraph and Telephone (CCITT) standard that defines a method of transmitting data across a public packet switching network. An X.25 connection uses a PAD (Packet Assembler/Disassembler), which is an asynchronous terminal concentrator that lets several terminals share a single network line. The user calls the X.25 PAD through a modem, and the call is processed by a digital modem and forwarded to the terminal server. The terminal server, using the password that has been designated in the caller’s connection profile, then authenticates the call. When authentication is successful, the session is established. Windows 2000 supports the X.25 protocol in two ways: ■
■
The Windows 2000 RRAS client and server software both allow for the use of X.25 smart cards. The cards connect to the X.25 network, and send and receive data using the X.25 protocol. The Windows 2000 client software allows for use of smart cards and also allows a user to dial in to a PAD.
See Figure 9.4 for an illustration of how an X.25 connection works. Figure 9.4 A rem ote access client can d ial in to a PAD to connect to an X.25 network.
Modem Remote client
PST N
PAD
X.25 Smart Card Remote Access Server
X.25
480 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Windows 2000 Remote Access Services don’t differentiate between types of media, so RAS does not “know” whether it is running over an X.25 network or the public phone lines. The only difference in configuring an X.25 connection is that you must specify the PAD type and the X.121 address for the RAS server. Windows 2000 allows you to do this easily by editing the Options tab on the Properties sheet of your dial-up connection. See Figure 9.5. Figure 9.5 On the Op tions tab of the connection Prop erties, select the X.25 b utton.
You can select a PAD type from the drop-down box, and enter an X.121 address in the text box, as shown in Figure 9.6. There is also a provision for entering optional user and/or facilities data.
NOTE “Sm art card ” in this context d oes not refer to the sm art card s used for secure authentication. An X.25 sm art card is an X.25 ad ap ter used to connect to an X.25 network.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 481
Figure 9.6 You can set X.25 p aram eters b y configuring the p rop erties of a d ialup connection.
It is important that these parameters be configured properly for your X.25 connection to work. If you are having problems connecting to an X.25 network, check these settings.
TIP One of the m ost com m on p rob lem sources with X.25 is related to the p aram eter settings on the X.25 p rovid er’s network.
Tip s for Troub leshooting X.25 Connection Prob lem s When you are having trouble establishing a remote connection via X.25, first ensure that the RAS client is able to make a PSTN connection with the RAS server, to confirm that the RAS software on the server and client is working properly. If you have problems with the PSTN connection as well, test the modem, and make sure that the serial port and cable are not defective and are configured correctly.
482 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
If you are able to connect with no problems over PSTN, you will know that the problem is with the X.25 network or with the X.25 configuration on the RAS server. Set the X.25 network software to the default settings.
NOTE Eicon is one of the m ost com m on p rovid ers of X.25 network hard ware and software. Others sup p orted b y Wind ows 2000 includ e Sp rintNet, InfoNet, and Alascom /Tym net/MCI.
Try using a terminal program such as Hyperterminal to communicate between the client and server to check their connectivity. If this works but the RAS connection doesn’t, your problem may reside in the parameter settings. Verify that the X.25 provider has properly configured the network according to Microsoft’s specifications.
The Rem ote Access Protocols Remote access communications use a WAN (wide area network) protocol to establish the link across the phone lines in conjunction with the LAN protocol(s) used for transferring data between the two distant computers. Over a remote link, two computers can communicate using standard local area networking protocols like TCP/IP, IPX/SPX or NetBEUI. However, these protocols are actually wrapped inside the “outer” WAN protocol to make the journey across the WAN link. This wrapping process is called encapsulation. Many network administrators are already familiar with the two popular WAN protocols used for dial-up communications to ISPs or remote access servers: ■ ■
Serial Line Internet Protocol (SLIP) Point-to-Point Protocol (PPP)
The latter is more commonly used today, as it supports encryption and compression (SLIP does not). There are still some UNIX servers, however, that require the connection be established using SLIP. Windows 2000, like Windows NT 4.0, supports both PPP and SLIP as dial-out WAN protocols. The Windows 2000 Remote Access Server services, however, supports only PPP for dial-in connections.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 483
For IT Professionals
Xs and Oh! Even if your network uses X.25 technology, you m ay find the literature ab out it confusing. You’ll see d iscussions of X.28 PADs, X.21, X.3 stand ard s, X.121 ad d resses, and X.29 som ething-or-another. What d o all those Xs p ertain to, anyway? We’ll try to answer a few of those q uestions. Th e “X n u m b ers” a re st a n d a rd s o r sp ecifica t io n s o f t h e International Telecom m unications Union, form erly known as the Consultative Com m ittee for International Telegrap h and Telep hone (CCITT). This organization is the p rim ary international entity d evoted to d evelop ing and m aintaining coop erative stand ard s for telecom m unications eq uip m ent and system s. X.25 and the others m entioned earlier relate to a p articular typ e of wid e area networking p acket switching technology. X.25 is actually the Network (or internetwork, in DoD term inology) layer p rotocol. It uses an ad d ressing schem e called channel addressing , sim ilar to the logical ad d ressing used b y IP, excep t that there is an ad d ress m aintained for each connection. The ad d resses are called X.121 addresses. X.21 is a Physical layer interface that is p art of the X.25 p rotocol suite. X.28 and X.29 are PAD sp ecifications. X.28 d efines the DTE/DCE interface for start-stop m od e DTE accessing the PAD in a p ub lic d ata network, and X.29 d efines the p roced ures for the exchange of PAD co n t ro l in fo rm a t io n a n d u ser d a t a . X.3 d efin es t h e Pa cket Assem b ly/Disassem b ly (PAD) facility in a p ub lic d ata network. In the com m and m od e, a user issues X.3 com m and s to the PAD. X.25 is generally slower than TCP/IP b ecause it is sub ject to d elays caused b y its store-and -forward m echanism , a switching techniq ue where fram es, p ackets, or m essages are tem p orarily received and b uffered at interm ed iate p oints b etween the source and d estination. However, X.25 p rovid es for error checking from one nod e to the next, instead of just end -to-end error checking like TCP/IP. In fact, its high reliab ility and extensive error-checking cap ab ilities are d istinguishing characteristics of the X.25 suite.
484 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
NOTE Wind ows 2000 rem ote access also sup p orts the Ap p leTalk Rem ote Access Protocol (ARAP) for Macintosh clients, and Asynchronous NetBEUI (also referred to as AsyBEUI) for clients that are running old er Microsoft op erating system s such as Wind ows for Workgroup s, MS-DOS, and Wind ows NT 3.1.
Let’s take a closer look at the two most common WAN protocols.
Serial Line Internet Protocol The Serial Line Internet Protocol, SLIP, is an older protocol that provides basic connectivity over a serial link, but does not have the advantages of error detection and both synchronous and asynchronous support that PPP offers.
NOTE To use SLIP, your ISP or server ad m inistrator m ust p rovid e you with a static IP ad d ress to enter in the configuration b ox. While PPP sup p orts d ynam ic assignm ent of IP ad d resses, SLIP cannot.
The Point-to-Point Protocol PPP has become the standard WAN link protocol used by most ISPs on their servers, as well as corporate Windows NT and Windows 2000 remote access servers. PPP works at the Data Link layer, and in the context of TCP/IP communications it works in conjunction with IP at the Network layer. PPP encapsulates, or packages, the TCP/IP packets and forwards them to the ISP’s server.
NOTE For m ore inform ation ab out PPP, see RFC 1171.
Advantages of PPP over SLIP include:
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 485 ■
■ ■ ■ ■
The ability to encapsulate more than one protocol within a session Supports encryption and compression Uses Link Control Protocol (LCP) to verify line quality Supports dynamic IP address assignment Uses a Cyclical Redundancy Check (CRC) for error checking
The Anatom y of a PPP Connection A PPP connection has four parts, which must occur in sequence: 1. Configuration: During this initial phase, the choice of parameters, multilink options, and negotiation of which authentication protocol will be used take place. 2. Authentication: The authentication method negotiation in step 1 is implemented. 3. Callback: If callback security has been configured, the PPP client and server hang up and the remote server calls back to reestablish the connection. 4. Protocol configuration: LAN protocols are negotiated.
NOTE PPP authentication methods include Password Authentication Protocol (PAP), Shiva (SPAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft’s MS-CHAP (versions 1 and 2), and Extensible Authentication Protocol (EAP), including EAP-RADIUS. PPP can also provide unauthenticated connections.
Troub leshooting Loss of PPP Connection Most commonly, the termination of a PPP connection can be attributed to one of the following causes: ■ ■ ■ ■
Authentication failure Inadequate link/line quality Loss of carrier Timeout
Be sure to verify that the correct authentication method is enabled, as this is a common source of inability to establish a PPP connection. The rest of these problems primarily lie at the carrier’s end, and you should address them with your service provider.
486 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Preventing Prob lem s Related to the WAN Protocol Proper configuration is your primary protection against problems related to PPP or SLIP. When you set up dial-up networking in Windows 2000, you can configure which of the WAN protocols to use in the Networking tab of the Dial-up Connection properties box, as shown in Figure 9.7. Figure 9.7 A PPP or SLIP connection is d esignated in the Dial-Up Connection p rop erties.
It is very important that, if you are dialing into an NT or Windows 2000 server (or other server using PPP for its dial-in connections), the selection for PPP be checked. If you are unable to connect to your ISP or NT/Windows 2000 Remote Access Server, be sure to check that the server type is properly identified.
Und erstand ing Encap sulation We mentioned that the packets destined for the remote LAN are encapsulated inside the PPP (or SLIP) Data Link layer protocol. Let’s look in a little more detail at how this works. When a message is sent over a remote access connection, after being passed down the stack from the Application layer, the LAN adapter passes
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 487
a frame to the appropriate LAN miniport driver. This is done using the Network Device Interface Specification, or NDIS (see Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on NDIS and Windows 2000 networking architecture). The LAN miniport driver then hands off the IP datagram to the TCP/IP protocol driver. The datagram is sent to the WAN adapter by TCP/IP, using NDISWAN, which adds the PPP header and trailer (this is where the encapsulation or wrapping takes place). Finally, the WAN miniport driver sends the datagram to the WAN adapter through NDIS. When the TCP/IP (or other LAN protocol) packet is encapsulated inside the WAN protocol, it is “invisible” as it travels over the WAN link.
Tools for Troub leshooting PPP Connections Windows 2000 provides two important tools to allow you to gather data about your PPP connections.
Using Netw ork M onitor for PPP Analysis Network Monitor can be used to capture PPP packets. This is useful for troubleshooting the process of connection establishment and for ensuring that encryption and compression are being implemented. To see the data structure inside the PPP encapsulation, you have to disable compression and encryption, since Network Monitor does not interpret compressed/encrypted data. The data captured by Network Monitor can be saved as a file, so that you can examine it later or send it to Microsoft tech support for analysis.
Enabling PPP Event Logging The RRAS components in Windows 2000 provide for logging of PPP events in the System Log. To enable PPP logging, follow these steps: 1. In the RRAS management console snap-in, select the remote access server. 2. Right-click and choose Properties. 3. Select the Event Logging tab, and click Enable Point-to-Point (PPP) Logging (see Figure 9.8).
Enabling PPP Tracing The PPP log in Windows NT 4.0 has been replaced by the tracing function. To duplicate the PPP log, you need to enable file tracing for the PPP key. By default, the PPP log is stored as ppp.log in the \Tracing folder.
488 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Figure 9.8 Enab ling PPP logging will cause PPP connection inform ation to b e record ed in a log file.
Tracing can be enabled for each routing protocol. To do this, you can configure the following registry value entries for each protocol key:
NOTE Tracing consum es system resources and should b e used sp aringly to help id entify network p rob lem s. After the trace is cap tured or the p rob lem is id entified , you should im m ed iately d isab le tracing.
EnableFileTracing REG_DWORD 1 Enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0. FileDirectory REG_EXPAND_SZ Path You can change the default location of the tracing files by setting FileDirectory to the path you want.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 489
NOTE You cannot use PPP tracing to view user d ata.
Troubleshooting Remote Access Configuration Problems Now that we have a general idea of how remote access works, and an understanding of the hardware and software components involved in different wide area networking links, we can discuss the most common source of problems affecting remote connectivity over which administrators can exert some control: configuration of the server and client computers.
Rem ote Access Server Prob lem s One common cause of remote access connectivity problems is misconfiguration of the Remote Access Server. We will look at how to prevent or resolve problems related to server settings.
Inability to Establish a Remote Access Connection w ith the Server If a connection with the Remote Access Server cannot be established by any client, check the following: ■
■
Ensure that the server’s modem or ISDN adapter is functioning properly. Ensure that the RRAS service is started on the server.
To check on the status of the RRAS service, open the Routing and Remote Access Administrative tool. In the console tree in the left pane of the RRAS snap-in, double-click Routing and Remote Access, and click Server Status. To start the RRAS service, right-click the name of the remote server in the right pane of the console, select All Tasks, and choose Start, as shown in Figure 9.9. You will note that there is a red warning icon notifying you when the service is stopped. Ensure that the server’s ports are configured for remote access.
490 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Figure 9.9 If rem ote access connections cannot b e estab lished , ensure that RRAS is started .
To configure ports to accept inbound remote connections, open the RRAS console, click the name of the remote server in the left panel, and click Ports in the right panel. Select Properties, and choose Configure. You will see a dialog box, as shown in Figure 9.10. Check the check box for “Remote access connections (inbound only)” to set up the remote server to accept incoming calls, and click OK. Ensure that the Properties for IP (or IPX, NetBEUI, AppleTalk—whatever LAN protocol you wish to use for the connection) are configured to allow remote access. To configure the protocol to allow remote access, right-click the name of the remote server in the left panel of the RRAS console, select Properties, and choose the tab for the protocol you want to configure. You will see a dialog box similar to the one in Figure 9.11. Check the check box to “Allow IP-based remote access and demanddial connections,” and click OK. Check the status of the server’s remote ports to ensure that they are not all in use.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 491
Figure 9.10 The rem ote server p ort m ust b e configured to accep t inb ound connections.
Figure 9.11 IP-b ased rem ote access connections m ust b e enab led on the IP Prop erties sheet.
492 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
To check the status of the ports, select the remote access server in the right pane of the RRAS console and double-click Ports in the right panel. You will see a display similar to Figure 9.12, informing you which ports are active and which are inactive. Figure 9.12 Check the status of the rem ote server p orts for activity.
Ensure there are sufficient IP addresses in the static address pool of addresses assigned by RRAS to dial-in clients if the server is configured with a static address pool. To add addresses to the static pool, right-click the server name in the left pane of the RRAS console, select Properties, select the IP tab, and click ADD.
Inability to Aggregate the Bandw idth of M ultiple Telephone Lines If you have multiple telephone lines (for instance, two ISDN channels) and are unable to aggregate the bandwidth of the two lines, check the following: ■
Ensure that your ISDN adapter supports multiple lines, or that you have two functional modems, each attached to a separate working telephone line.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 493 ■
Ensure that the Remote Access Server’s PPP options are configured to support multilink.
On the Remote Access Server, PPP configuration options are set in the RRAS console’s Properties sheet for the remote access server, as shown in Figure 9.13. Figure 9.13 Wind ows 2000 RRAS allows you to configure PPP op tions on the rem ote server.
Here, you can select the following PPP options to be used by the server: ■
■
■
■
Select whether multilink connections are allowed. Multilink is a way of aggregating two or more phone lines for greater bandwidth. If multilink is enabled, you can select whether to use the Bandwidth Allocation Protocols (BAP and BACP) to allow multilink to adapt to changing bandwidth demands. Choose to enable the Link Control Protocol (LCP) extensions. For information about LCP options, see RFC 1661. Enable software compression for greater throughput.
494 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Inability to Access the Entire Netw ork If the client is able to establish a remote connection but cannot access the resources of any computer other than the remote server, ensure that IP routing has been enabled on the server. Check the Enable IP Routing check box on the IP Properties sheet for the server (refer back to Figure 9.11 to see this Properties sheet). Also, check to see that packet filtering has not been configured to prevent TCP/IP packets from being sent. If a static address pool has been configured instead of using DHCP, ensure that the routes to the address range(s) of the static IP address pool can be reached by the hosts and routers on the network. You may have to add routes to your routers via a static routing entry, or use a dynamic routing protocol like RIP or OSPF.
NOTE If you have set up the rem ote access server to use DHCP for IP ad d ress allocation, and the DHCP server is not availab le, APIPA ad d resses (169.254.0.1 through 169.254.255.254) will b e used . Unless your network com p uters are using ad d resses from this range, the rem ote clients will not b e ab le to com m unicate over IP with them .
Client Configuration Prob lem s Although there is much more that can be misconfigured on the server, if only one client is having connection problems, and there is no physical reason (bad cable, NIC, etc.), chances are good that the client machine is not configured properly to make the remote connection.
Inability to Establish a Remote Connection ■
■
Ensure that the client is configured to use the same authentication method as the remote server. Ensure that the client is configured to use the same encryption strength as the remote server.
To check (and change) the authentication method on the client machine, right-click the connection name after clicking Start | Settings | Network and Dial-up Connections, and select Properties. On the Security tab, choose ADVANCED, and you will see a dialog box similar to the one in Figure 9.14.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 495
Figure 9.14 The authentication m ethod and encryp tion are set in Ad vanced Security settings.
The client and server must both use a common authentication and encryption method. Ensure that the user account is configured to allow dial-in access. To do so, from the Active Directory Users and Computers administrative tool on a domain controller, expand the domain in the left pane of the console and right-click the user’s name in the right pane. Select Properties, and then select the Dial-in tab, shown in Figure 9.15. The Allow Access radio button must be checked for the user account to be able to make a remote connection. ■
NOTE The user Prop erties Dial-in sheet also allows you to configure callb ack security req uirem ents, assign a static IP ad d ress for rem ote connections, or ap p ly static routes.
496 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Figure 9.15 Rem ote access p erm ission m ust b e granted in the user Prop erties sheet.
Troub leshooting Rem ote Access Policy Prob lem s Remote access policies consist of conditions and parameters placed on the incoming connection. Windows 2000 allows you to set policies to control client access based on such things as day of the week or time of the day, group membership, connection type (VPN or dial-in), and set limits on duration of connection, idle time after which the connection is disconnected, and security parameters. Figure 9.16 shows some of the limitations that can be placed on dial-in access. When a user attempts to make a remote connection, the characteristics of the connection attempt are compared with the authentication information, user dial-in properties, and remote access policies. When the connection attempt doesn’t match any of the remote access policies, access will be denied. Multiple remote access policies can be in place, but this makes troubleshooting connection denials more complex.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 497
Figure 9.16 Rem ote access p olicies let you p lace restrictions on d ial-in access.
Determining Which M ultiple Policy Is Causing the Problem Microsoft recommends that one way to verify which policy is causing the denial is to create a new remote access policy called Troubleshooter and configure it to grant remote access permission for all days/times. Then, move this policy to the top of the list so it will be processed first. If the connection is denied, the problem is either with the Troubleshooter test policy itself, or more likely, with the user account’s dial-in Properties settings. If the connection succeeds, move the test policy down one level and attempt to connect again. If this connection fails, the problem is most likely with the policy just above the Troubleshooter policy. If it succeeds, keep moving the test policy down the hierarchy until a connection is denied, and then examine the properties of the policy that is causing the denial.
498 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Troubleshooting NAT and ICS Configuration Problems Windows 2000 makes it easy to share a single public IP address for access to the Internet by using Internet Connection Sharing (ICS) on a Windows 2000 Professional computer or a choice of ICS or Network Address Translation (NAT) on a Windows 2000 Server.
The Difference b etween ICS and NAT ICS is available on both Windows 2000 Professional and Server, while NAT is only available on the Server family of operating systems. This statement in itself could be a little confusing, since ICS actually is a form of NAT. You can think of Internet Connection Sharing as NAT Lite—it uses NAT to map internal network IP addresses and ports to a single external IP address, but it is not as flexible and configurable as the fullfledged form of NAT that comes with Windows 2000 Server.
Com m on NAT Configuration Prob lem s If you are having problems with the NAT computer not properly performing translation, so that packets don’t get delivered to the internal computer (NAT client) for which they are intended, check the configuration of the NAT interfaces. The NAT routing protocol must have both public and private interfaces. To check this, in the RRAS console, under the server name, expand IP Routing and select Network Address Translation. You should see a public and a private interface listed, as shown in Figure 9.17. The public interface connects to the ISP, and the private interface connects to the LAN. Ensure that the public interface is configured for address translation, as shown in Figure 9.18. Right-click the interface name and select Properties. The radio button for “Public interface connected to the Internet” must be selected. You should also check the Translate TCP/UDP headers check box to allow NAT clients to send and receive data through the interface. Now, ensure that the private interface is also properly configured. Right-click the private interface’s name, and select Properties. The same configuration box will appear, only in this case the “Private interface connected to private network” radio button should be checked.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 499
For M anagers
Which Connection Sharing Solution Is Right for My Network? If you have a sm all network that need s access to the Internet, and only one p ub lic IP ad d ress, Wind ows 2000 Server gives you the choice of using ICS or NAT to p rovid e Internet access to the entire network through a single com p uter’s Internet connection. Either of these solutions will save the cost of ad d itional p hone lines, m od em s, and ISP accounts for connecting ad d itional com p uters to the Net, as well as the tim e and work involved in setting them all up for Internet access and the d ifficulty of m aintaining and m onitoring their access. Which one, then, should you use to connect your network? ICS and NAT work in a sim ilar fashion, b ut NAT is the m ore sop histicated of the two. ICS is configured b y right-clicking the connection’s icon in Network and Dial-up Connections and selecting Sharing. It is q uick and easy to configure and suitab le for m any sm all, sim p le networks. ICS assum es that this is the only com p uter on the network that is connected to the Internet, and it sets up all the internal network ad d resses. By selecting Enab le Internet Connection Sharing for this Connection, you m ake the com p uter an ICS host. This com p uter will assign IP ad d resses to its ICS clients as a DHCP allocator. ICS is ap p rop riate if you d on’t have DNS servers, DHCP servers, Wind ows 2000 d om ain controllers, or system s using static IP ad d resses. That lim its its use to sm all p eer-to-p eer networks. For larger or m ore com p lex networks, sharing of an Internet connection can b e accom p lished via NAT, which is configured as p art of RRAS. To use it, you m ust install and configure the Routing and Rem ote Access Service (if it is not alread y installed ). NAT req uires m ore configuration b y the ad m inistrator, b ut also allows you to sp ecify or change the IP ad d ress range assigned to NAT clients, and can b e used on Wind ows 2000 d om ain networks or those connected to gateways or routers. So, if you have a sm all p eer-to-p eer workgroup am ong which you wish to share an Internet connection, and d on’t need control over the IP ad d ress range, ICS will b e the sim p lest solution. In m ost b usiness networks, you will need the m ore sop histicated features of NAT.
500 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Figure 9.17 NAT req uires b oth a p ub lic and a p rivate interface.
Incorrect Public Address Range Another problem that can occur with NAT configuration is incorrect configuration of the public addresses when you have multiple public IP addresses. Ensure that the addresses are entered in the Properties sheet of the public interface, under the Address Pool tab. All addresses entered here should be addresses that were assigned to you by your ISP.
NOTE NAT can p rovid e ad d ress translation using m ultip le p ub lic IP ad d resses; ICS cannot.
Incompatible Application Programs The packets of some programs will not work through NAT. If a program runs from the NAT host computer but you cannot run it from a NAT client, it may be because the program uses a protocol that is not translatable by NAT. Windows 2000 NAT includes NAT editors for the following common protocols: FTP, ICMP, PPTP, and NetBIOS over TCP/IP. Additionally, some protocols such as HTTP do not require a NAT editor.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 501
Figure 9.18 The p ub lic interface m ust b e configured for ad d ress translation.
NOTE A related p rob lem , and a m ajor lim itation of NAT, is the inab ility to use it with IPSec for host-to-host security (som etim es called end -to-end ). This is b ecause IPSec hid es the IP head ers req uired b y NAT for translation. You can, however, use NAT if you are using IPSec for a gateway-to-gateway solution.
Other NAT Problems If none of the solutions just discussed uncovers the culprit, ensure that IP packet filtering is not configured to prevent sending and receiving IP traffic. If the problem is related to name resolution, ensure that NAT name resolution has been enabled on the private interface. Troubleshoot Internet name resolution problems as outlined in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”
502 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Troubleshooting VPN Connectivity Problems Virtual Private Networking (VPN) is a popular solution for those who need a secure, yet inexpensive way to connect from a remote computer to a LAN when dialing in directly either isn’t possible or is costly due to long distance charges. Using encapsulation and encryption, a VPN allows you to establish a private “tunnel” through a public network such as the Internet, using the client’s and server’s Internet connections.
NOTE A d etailed exp lanation of how VPN works is b eyond the scop e of this b ook, b ut if you are interested in the b asic “how-to’s” of setting up a VPN, see “Managing Wind ows 2000 Network Services,” p ub lished b y Syngress.
The Tunneling Protocols Windows 2000 supports VPN connections using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).
PPTP: Point-to-Point Tunneling Protocol PPTP is an industry standard tunneling protocol. It was in Windows NT 4.0 and is also supported in Windows 2000. PPTP is an extension of the Point-to-Point Protocol (PPP) and uses the authentication, compression, and encryption mechanisms of PPP.
L2TP: Layer 2 Tunneling Protocol The Layer Two Tunneling Protocol (L2TP) supports multiprotocol VPNs that allow remote users to access corporate networks securely across the Internet. It is similar to PPTP in that it can be used for tunneled end-toend Internet connections through the Internet or other remote access media. However, unlike PPTP, L2TP doesn’t depend on vendor-specific encryption technologies to establish a fully secured and successful implementation. L2TP utilizes the benefits of IPSec, and will likely eventually replace PPTP as the “tunneling protocol of choice.”
Troub leshooting VPN Connections Troubleshooting a remote VPN connection is similar to troubleshooting other remote access connections, with a bit of added complexity.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 503
Inability to Connect to the Remote Access Server There are many causes for this problem. As usual, you should begin with the most basic and simplest possibilities: ■ ■ ■
■
■ ■
■
■
Ensure that the RRAS service is started on the VPN server. Ensure that RRAS is installed and enabled on the VPN server. Ensure that PPTP or L2TP ports are enabled for inbound remote access traffic. Ensure that LAN protocol(s) used by the VPN client are enabled on the VPN server. Ensure that all PPTP or L2TP ports are not already in use. Ensure that the VPN client and server are configured with a common authentication method and a common encryption method. Ensure that the user account has the proper dial-in permissions granted. Ensure that remote access policies are not causing a denial of the connection.
As you can see, most of these problems are related to the same configuration considerations we discussed earlier concerning general RRAS troubleshooting.
Summary In this chapter, we have provided some basic information about how Windows 2000’s Routing and Remote Access Services, hand-in-hand with the dial-up networking component, make it easy for users to connect to a remote server and for administrators to provide dial-in access to those on their networks. We looked at the differences between a remote access connection to the company network and participating as a local (cabled) node on the network, and concluded that the only practical difference is the speed of the connection. Data transfer speed is limited to the media over which the connection is made, and we saw that typical wide area networking links provide for speeds from 56 Kbps or less (analog modems) to about 6 Mbps (high-speed ADSL). We examined the differences between remote access and remote control, and learned that the latter is usually used by administrators to take over control of the server from a remote location. This is often done to troubleshoot problems or administer the server services when the administrator is offsite. We saw that remote access is used to connect to the
504 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
network and access shared files, print to shared printers, or otherwise participate as another node on the network. We then discussed the elements of different available wide area networking technologies over which our remote access sessions can be established. We provided an overview of remote networking using the analog phone lines on the Public Switched Telephone Network (PSTN). We then looked at a faster and “cleaner” technology, Integrated Services Digital Network (ISDN). We learned that ISDN is usually provisioned in one of two forms: Basic Rate ISDN (BRI), which provides two 64 Kbps data channels, and Primary Rate ISDN (PRI), which provides for up to 23 64 Kbps data channels for a total throughput of 1.544 Mbps. Next we talked about the newest “kid on the block,” Asymmetric Digital Subscriber Line (ADSL), and how its cost advantage and “always on” technology make it a popular alternative to ISDN—if your location is within 17,500 feet of a telephone company Central Office (CO). After that, we looked at how Windows 2000 supports connection to an X.25 network, which uses a Packet Assembler/Disassembler (PAD) and provides for data transfer over a public packet switched network. Then we discussed the WAN protocols used for remote access networking: SLIP and PPP. We learned that SLIP is used on some UNIX servers, but Windows 2000, like NT 4.0, supports only PPP for dial-in connections. We talked about the four steps involved in making a PPP connection: configuration, authentication, callback (optional), and configuration. Then we moved on to some specific tips for troubleshooting PPP problems, which include authentication failures, inadequate link/line quality, loss of carrier, and timeouts. We looked at how to configure a dial-up connection to use PPP, and we gained an understanding of encapsulation, the method by which TCP/IP or other LAN protocol packets are wrapped inside the PPP or SLIP protocol headers. Next we saw how we could use Network Monitor and PPP trace logging for gathering information about a PPP connection. We then focused on troubleshooting configuration problems. We looked at common configuration problems involving the remote access server, including inability to establish a remote connection, inability to aggregate the bandwidth of multiple phone lines, and the inability to access the rest of the network even though a connection with the server is established. After that, we looked at client configuration problems, and the importance of ensuring that the remote client uses the same authentication and encryption methods as the remote server.
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 505
We talked about remote access policies, and some of the common problems that arise in using them. We also learned a method of determining which of multiple policies is causing a connection denial problem, by creating a test policy and manipulating its position in the order of application. Next we looked at Internet Connection Sharing (ICS) and Network Address Translation (NAT), and discussed common configuration and implementation problems that can occur when you share an Internet connection with a network through one ICS/NAT host. We learned that ICS is configured through Network and Dialup Connections, while NAT is configured via the RRAS console. We also found out that NAT requires both a public interface (connected to the ISP) and a private interface (connected to the LAN), and that each must be configured according to its role. We discussed the ramifications of entering the wrong public IP address range in NAT properties, incompatible application programs whose protocols cannot be translated, and the importance of ensuring that IP packet filtering is not configured to prevent IP traffic from getting through. Finally, we took a brief look at virtual private networking (VPN), the two tunneling protocols supported by Windows 2000 (PPTP and L2TP), and how to troubleshoot VPN connectivity problems. Remote access gets easier to configure with each new Microsoft operating system, but there are still many things that can go wrong with a remote connection. These problems benefit from a methodical, organized approach to troubleshooting—keeping in mind that a remote access connection in many ways is no different from a cabled network connection, except for the added layer of the WAN link used to achieve it.
FAQs Q: How can I use caller ID with RRAS to enhance dial-in security? A: If the phone system(s) used by the caller and the remote access server support the caller ID feature, you can use the caller ID feature when you set dial-in security. You can specify the phone number from which the user must dial in. If the user calls from a different phone number, the connection will not be successful. Be careful in using this feature, because if you do configure dial-in security with a specified caller ID phone number for the user and the system does not support caller ID, the connection will be denied. Note that if the connection is a VPN connection, the caller ID number will be the IP address of the client.
506 Chapter 9 • Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork
Q: Does Windows 2000 work with modem-pooling equipment? A: Yes, as long as the modem-pooling device generates and accepts command strings equivalent to one of the supported modem types listed in the Install New Modem wizard. In that case, you connect the equipment to the COM ports and configure the ports for remote access using RRAS. Microsoft recommends that you configure modem-pooling devices to behave like a Hayes-compatible modem since that is a commonly used standard. Q: Does the Windows 2000 remote access server support callback security on an X.25 network? A: No, Microsoft advises that callback is not currently supported on X.25 connections. Q: In what way is Windows 2000’s remote access component more configurable in terms of security than Windows NT 4.0? A: In NT 4.0, a user’s authorization to dial in to the network was dependent on one simple check box to grant dial-in permission to user, set in User Manager or the Remote Access Administrative Tool. Windows 2000 allows you to grant or deny remote access to a user in the user’s property sheet in Active Directory Users and Computers, and also allows you to further restrict dial-in permissions based on remote access policies, which can be applied to members of specific groups, to specific connection types, and other more broad-based criteria. Q: What is BAP, and how does it work? A: The Bandwidth Allocation Protocol (BAP) is used to increase the efficient use of the network bandwidth by adding or dropping additional links according to changes in traffic flow, on a dynamic basis. To do this, BAP works in conjunction with Multilink PPP in Windows 2000. BAP policies can be set through the remote access policy feature to make it easy for administrators to control connection costs and still provide for optimum bandwidth for users. Q: What are NAT editors, and why might I need one? A: NAT editors are software components that are added to NAT in order to make modifications to the IP packet beyond the translation of the IP address in the IP header, TCP port in the TCP header, and UDP port in
Troubleshooting Remote Access in a Window s 2000 TCP/IP Netw ork • Chapter 9 507
the UDP header. This additional translation is required with certain protocols that store the IP address, TCP port, or UDP port in the payload (for instance, FTP). Windows 2000 includes NAT editors already built-in for FTP, ICMP, and PPTP. Windows 2000 doesn’t include editors to translate SNMP, LDAP, Microsoft COM, or RPC.
Chapter 10
Troubleshooting Window s 2000 Connectivity Problems at the Netw ork Interface Level
Solut ions in t his chap t er: ■
NICs
■
Cable
■
Hubs and Repeaters
■
Bridges
509
510 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Introduction Now that we have discussed some of the protocols and services related to TCP/IP, and know how to use the built-in utilities and add-on monitoring and troubleshooting tools, we’ll take a look at connectivity problems from the ground up—or perhaps we should say “from the bottom up.” That’s the bottom of the OSI and DoD networking models we’re referring to, of course. You’ll recall that the Network Interface layer in the DoD model is roughly equivalent to the Physical and Data Link layers of OSI. In this chapter, we will examine some of the things that can go wrong at this level, and how to address them. The Network Interface layer involves physical problems—network interface cards (NICs), cable, and network connectivity devices such as hubs, repeaters, and bridges. The differences between these various Network Interface layer devices, and how they compare to higher layer devices such as Layer 3 switches, routers, and gateways, is sometimes a source of confusion even for IT professionals. For that reason, we will look at how the various connectivity devices work, and some of the reasons they don’t always work properly. Because the DoD Network Interface layer also encompasses the OSI Data Link layer, it also involves software drivers for the hardware. We will discuss the importance of updated and properly configured NIC drivers in making it possible for the TCP/IP protocol suite (or any other) to send data across the network. We will not spend a lot of time discussing the details of how to install and configure networking hardware. In this chapter, we will be pointing out those areas in which Network Interface layer problems, such as those related to physical devices or software drivers, can affect TCP/IP connectivity and even mimic protocol configuration problems.
Problems w ith Netw ork Interface Card Configuration Configuration of the NIC at the physical level is the first step in achieving a TCP/IP connection. Although an improperly configured card is not a protocol-specific issue, it may be mistaken for one, and much time can be lost in trying to troubleshoot TCP/IP when the problem lies elsewhere. Thus, it is important for an administrator to know how to determine when the connection is failing due to a lower-level problem. One easy way to determine that the problem lies in the lower layers is to attempt to establish a connection using a different protocol. If your computer is unable to communicate with others on the network using TCP/IP, but can make the connection when NetBEUI or NWLink is
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 511
installed on the machines, you know to start troubleshooting the protocol configuration. If you still have no luck in making a connection with other network transport protocols, it is likely that you have a problem with the hardware or the hardware drivers. This simple test can save you much time and effort.
The Role of the NIC The NIC (also sometimes called the network adapter, or just the network card) plays an essential role in TCP/IP and other network communications. The NIC is the device that physically joins the computer and the cable or other network media, but its function is more complex than that. The data cannot just flow through the network card and out onto the cable (or from the cable through the NIC into the computer’s memory) because the form in which the computer processes the data is different from the format necessary to send it out over the cable. The NIC must convert outgoing data from a parallel format, in which bits of information are sent in multiple lines or paths, as takes place inside the computer, to serial format, where the bits move in “single file” on the cable. Network cards also have memory chips, called buffers, in which information is stored so that if the data comes in or goes out too quickly, it can “rest” there while the bottleneck clears and there is room for it to pass onto the cable or up into the computer’s components.
Typ es of NICs Of course, it is essential that you ensure that the NIC installed in the computer is the proper type for both the media and architecture used by your network. For instance, Ethernet and Token Ring require different types of NICs. This is because of the different ways in which the media access methods function. And, of course, the card must have the proper connector for the cable type being used. These are basic, relatively straightforward issues, but don’t overlook them when troubleshooting connectivity problems.
NOTE Be sure to check the Wind ows 2000 Hard ware Com p atib ility List (HCL) to ensure that your card is sup p orted . The list can b e accessed from the Microsoft Web site at www.m icrosoft.com /hcl. Although d evices not listed m ay still work with Wind ows 2000, if your card is on the list you can b e confid ent that it has b een tested and is com p atib le with the op erating system .
512 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Driver Issues Like other hardware devices, the NIC requires a software driver to provide the interface between the operating system and the card. Be sure the driver that is designated for your specific model of NIC is installed, and that it is the latest incarnation. Experienced administrators know that simply installing an updated NIC driver can solve countless connection problems.
NOTE Wind ows 2000 sup p orts a large num b er of com m on b rand s and m od els of NICs, and the d rivers are includ ed on the Wind ows 2000 CD. However, these m ay not b e the latest versions. Always check the m anufacturer’s Web site for a d ownload area where you can ob tain the latest d rivers.
Since Windows 2000, unlike NT 4.0, is a plug-and-play operating system, supported cards are more likely to be automatically detected and the drivers installed from the Windows 2000 installation files (or you will be prompted to supply the disk or network location). Be cautioned again, however, that the drivers installed by the operating system may be outdated.
NOTE Wind ows NT d id have the cap ab ility to d etect som e network card s with its lim ited p lug-and -p lay cap ab ility.
Updating Drivers NIC drivers (and drivers for other hardware devices) can be updated through the Device Manager. To do so, click Start | Settings | Control Panel | System. Select the Hardware tab and click DEVICE MANAGER. The list of installed devices will be displayed, as shown in Figure 10.1. You can select the card you wish to configure or update and doubleclick it, then select the Driver tab. This interface makes it easy for you to update the files, as shown in Figure 10.2, and also makes available useful information about the resources being used by the device, any conflicts, and troubleshooting tools. A handy feature is the Hardware Troubleshooter, which can be accessed from the General tab.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 513
Figure 10.1 Use Device Manager to configure and up d ate d rivers for the NIC.
Figure 10.2 The p rop erties sheet for the d evice p rovid es valuab le inform ation ab out the d river.
514 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
WARNING In ord er to access the Device Manager and install or up d ate d evice d rivers, you m ust b e logged on to an account with the ap p rop riate p erm issions. Be aware that network p olicy settings (Group Policy, IPSec, and other security settings) m ay also p revent you from p erform ing these tasks.
Problems w ith Cable and Other Netw ork M edia Another type of problem that can mimic TCP/IP protocol configuration problems is damaged, defective or improperly installed cable or other network media. Broken or shorted cables can be detected with a cable tester or TDR (time domain reflectometer). Some of the more sophisticated (and more expensive) LAN testers will even pinpoint the exact location of the break. As a network administrator, you may have other personnel who handle hardware and cabling. It is important, however, that you are able to recognize the symptoms of Physical layer problems so that you will know when to call in the technicians, rather than spend your time attempting to “fix what isn’t broken.” Damage to the media is not the only factor when considering Physical layer problems. All network architectures—for example, Ethernet, Token Ring, AppleTalk—include specifications that must be met concerning networking equipment and media. If those rules are ignored, connectivity may be lost completely, or you may experience intermittent problems. Common areas of noncompliance, which can result in difficulties in establishing or maintaining a connection, include cable type and grade, and the limitations on the allowable segment length for various network/cable types.
Network Cab le Sp ecifications Be sure that the cabling for your network meets specifications for the particular architecture. For instance, a 10Base2 network requires not just thin coaxial cable, but a particular type of thin coax: RG-58 A/U (the cable grade is usually indicated on the side of the cable itself). Don’t try
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 515
to substitute something else that is “close” or looks similar; you will be setting yourself up for connectivity problems if you do. It is not an unknown occurrence for a cable technician (or perhaps more likely, a net admin with little hardware experience) to attempt to replace a broken or bad length of thin coax cable with RG-58 U or even RG-59 (the cable used for cable TV). Therefore, in checking the Physical layer for the source of a connectivity problem, ascertain not only that the cable is connected and appears to be undamaged, but that the cable type meets specifications. Another example of improper cable type would be substituting category 3 twisted pair for cat 5, when running a 100 Mbps (100BaseT) network.
NOTE Cab le typ e is generally ind icated on the cab le itself. If it is not, you can id entify the cab le typ e b y counting the wire p airs or m easuring the ohm rating.
Cab le Length Issues You undoubtedly are also aware that because of the susceptibility of copper cabling to attenuation, or signal loss over distance, network specifications place limits on the acceptable length of a segment of cable, depending on the architecture and cable type. A cable segment is generally defined as the length of cable between repeaters. A repeater (or other connectivity devices that perform boosting of the signal) allows you to increase the distance of your network. We will discuss these devices in the next section of this chapter. Violating the length specifications may be tempting, especially if you only need to go “a tiny bit further” in order to get the cable to a specific office or other location. You might get away with it—the cable does not just automatically stop working when you exceed the specified distance. But going beyond these limitations can cause you to have connectivity problems that you might easily mistake for software/protocol problems when the real trouble is at the physical level. Table 10.1 shows common network/cable types and the maximum cable segment length for acceptable performance.
516 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Ta b l e 1 0 . 1 Cab le Length Lim itations Netw ork Type
Cable Type
Distance Limitation per Segment
10Base2
RG-58 A/U Thin coax
185 m eters (607 feet)
10Base5
RG-8 or RG-11 Thick coax
500 m eters (1640 feet)
10BaseT 100BaseTX
Category 5 UTP
100 m eters (328 feet)
The Role of Netw ork Connectivity Devices We call them “network connectivity devices” for the obvious reason: They are used to connect networks (also called network segments or subnets). But why are there so many different types, and how do we know when to use which on our TCP/IP networks? Let’s first think about the characteristics of the TCP/IP suite. One of its strong suits—in fact, the number-one reason it is the protocol of choice for so many networks today, as well as the protocol of the global Internet—is its routing capability. Routing refers to transferring data from one network or subnetwork to another. Thus, it makes sense that connectivity devices are common in TCP/IP networks. Usually the type of device we associate with an internetwork is the router, which works at the DoD’s Internetwork layer (Network layer in the OSI model). We will briefly discuss routers in this chapter, in the context of how they differ from the Network Interface layer devices, and we will devote an entire chapter (Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level”) to routing problems and other Internetwork layer troubleshooting. But we also should remember that there are other, lower-level devices that can be used for such purposes as: ■ ■
■
Extending the distance limitations of network cable Connecting network segments that use different media types (for instance, thin coax and UTP) Segmenting the network to reduce traffic without dividing the network into separate IP subnets
Although a large percentage of network connectivity problems occur at the Network Interface level, it is often overlooked in the troubleshooting process. That is, until you discover, after spending an entire afternoon completely reconfiguring both your server and your client, that your inability to connect or your loss of data packets was caused by a physical problem with your repeater or bridge.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 517
Und erstand ing Layer 1 and 2 Connectivity Devices There are three basic types of network connectivity devices that operate at the Network Interface level. In OSI terminology, this means Layers 1 (Physical layer) and 2 (Data Link layer). These are: ■ ■ ■ ■
Repeaters Hubs Switches Bridges
We will discuss each of these device types, its advantages and disadvantages, and how each one behaves in passing TCP/IP packets. Networking hardware technology is constantly advancing, and new devices are appearing on the market all the time. In addition, different manufacturers, perhaps out of a misunderstanding of the terminology or perhaps in the effort to make their own products stand out in a crowd, will sometimes give their equipment a name that confuses the issue further, in terms of exactly what the device does and at which layer of the standard networking models it functions.
NOTE Som e b ooks refer to com p onents such as BNC b arrel connectors as connectivity d evices. Strictly sp eaking, since they d o ind eed connect two lengths of cab le, this would b e correct. In this chap ter, when we sp eak of connectivity d evices, we are referring to active d evices, not m ere connection p oints. See the d iscussion of active vs. p assive hub s for m ore inform ation on this.
How and Why Repeaters and Hubs Are Used We will discuss repeaters and hubs together because, in many cases, they are the same thing. In fact, you will hear hubs referred to as “multiport repeaters.” All that means is that the hub does what a repeater does: boosts the signal before passing it on from one segment of cable on which it came in, to another on which it goes out. Hubs are different from basic repeaters, however, in that the latter generally has only two ports. The repeater is used to extend the usable length of a given type of cable. For instance, a 10Base5 Ethernet network, using thick coax cable, has a maximum cable segment length of 500 meters, or 1640 feet. At that distance, attenuation (signal loss due to distance) begins to take place. But when you place a repeater at the end of
518 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
the cable and attach another length to the repeater’s second port, the signal is boosted and the data can travel further without damage or loss. See Figure 10.3. Figure 10.3 A rep eater is used to ad d ress attenuation p rob lem s.
500 meters
500 meters
Repeater
Repeaters extend distance limits
Data loss or complete loss of connectivity may occur if a network is constructed with a segment length greater than that designated in the IEEE specifications for the architecture/cable type, and no connectivity device is used to boost the signal. Remember to always check for physical problems rather than assume software/networking protocol configuration is at fault when packets are lost.
What’s the Difference b etween Rep eaters, Am p lifiers, and Hub s? A repeater boosts the signal traveling across an Ethernet cable in much the same way an amplifier boosts the signal input from an old radio tuner. The difference between a repeater and an amplifier lies not in what they do, but in what kind of signals they do it to. While amplifiers boost analog signals (such as those used in the public telephone network or in older home stereo systems), a repeater boosts the digital signals used in most computer communications. The typical Ethernet hub is also a kind of repeater, a multiport repeater that allows for 5, 8, 12, 16, 24 or more connections. While a
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 519
standard repeater is more often associated with 10Base2 and 10Base5 (coax) networks, hubs are used with 10BaseT and other UTP-based networks.
NOTE Rep eaters are not very “sm art” d evices; they sim p ly b oost whatever signal they receive—not d istinguishing b etween d ata and noise—and p ass it on. They also aren’t very “p olite.” They d on’t follow the usual CSMA/CD p rocess that NICs use, listening for traffic on the network b efore transm itting. A rep eater just goes ahead and transm its even if another nod e is in the m id d le of a transm ission. This, of course, results in a d ata collision, which m eans d ata m ust b e re-sent, and network p erform ance is negatively im p acted . This is the reason for the Ethernet (coax) 5-4-3 Rule: The total length of the network cab le m ust b e lim ited so that all com p uters on the network will b e ab le to m onitor all segm ents b efore they transm it, since the rep eater won’t d o it for them .
Using a Rep eater in Troub leshooting A repeater can be of use in troubleshooting situations, in that it allows you to isolate a segment when there is a failure or fault condition. You can disconnect one side of a repeater to effectively isolate the associated segment(s) from the rest of the network. You can then perform troubleshooting functions without any impact on the rest of your production network.
NOTE Rep eaters d o not logically segm ent or sub net the network and d o no filtering of traffic, nor d o they d ivid e the network into collision d om ains. You cannot red uce the traffic load or increase availab le network b and wid th b y using rep eaters; you can only am p lify the signal and extend the m axim um length of the cab le. The rep eater d ivid es the network into “segm ents” only in relation to m axim um segm ent length for p urp oses of avoid ing attenuation p rob lem s.
520 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Typ es of Hub s The multiport repeater we are talking about here accepts the incoming signal, boosts it, and then sends it back out over all the ports to the rest of the computers that are attached to the hub (or other hubs that are uplinked to it).
NOTE Many hub s includ e an up link p ort, which is wired so that the transm it and receive p airs in the cab le are reversed . This p ort is used to connect two hub s together. The up link p ort of one hub is connected to a regular p ort on the other (if you connected two up link p orts to each other, you would d efeat the p urp ose, and the hub s would not b e ab le to com m unicate with one another). If your hub s d on’t have up link p orts, you can connect two hub s’ regular p orts via a crossover cab le to achieve the sam e result. This is a twisted -p air Ethernet cab le with the transm it and receive wires crossed .
This type of hub, which boosts the signal before sending it back out, requires electric power and is also sometimes called an active hub. There are several other types of hubs, as summarized in Table 10.2. Table 10.2 Basic Hub Typ es Type of Hub
Characteristics
Active hub
Req uires electric p ower; b oosts the incom ing signal b efore send ing it b ack out all p orts.
Passive hub
Does not req uire electric p ower; serves as a connection p oint, send ing the signal b ack out on all p orts without b oosting it.
Intelligent hub (also known as "m anaged hub ")
Includ es a p rocessor chip with d iagnostic features that allow you to troub leshoot ind ivid ual p ort p rob lem s. This is help ful when you need to troub leshoot p orts rem otely and cannot just look at the lights on the hub .
Switching hub (also known as "switch")
Send s the signal out the p ort to which the d estination com p uter is connected only.
Switching hubs, or switches, are becoming more and more popular (and becoming less expensive, which contributes to the popularity). Let’s examine this connectivity device a little more closely.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 521
NOTE Another typ e of hub , called a concentrator , is a sop histicated d evice that offers the ab ility to p rovid e each client with exclusive access to the full b and wid th of the m ed ia. Each workstation p lugs into a sep arate p ort, and there is no connection. These hub s also allow for b uffering and filtering of p ackets so that unwanted p ackets are d iscard ed . Another feature of these hub s is sup p ort for SNMP (Sim p le Network Managem ent Protocol) to configure and ad m inister the hub . The term concentrator is m ost often associated with Token Ring hub s (also called Multistation Access Units, or MAUs). A rem ote access hub that hand les incom ing d ial-up calls for an Internet (or other network) p oint-of-p resence and p erform s other services is referred to as a concentrator (or aggregator ).
How and Why Sw itches Are Used Layer 2 switches, or switching hubs, work at the Data Link layer, and they are installed in place of the active hubs that traditionally have been used to connect computers on a UTP-cabled network. Replacing hubs with switches will cost a bit more, but offers several important advantages.
Ad vantages of Switches over Hub s A switch combines the characteristics of hubs and bridges (we’ll discuss bridges in the next section). Like a bridge, a switch constructs a table of MAC addresses. The switch knows which computer network interface (identified by its physical address) is attached to which of its ports. It can then determine the destination address for a particular packet and route it only to the port to which that NIC is attached. Obviously, this cuts down a great deal on unnecessary bandwidth usage since the packet is not sent out to the other ports, where it will be disregarded when those computers determine that it is not intended for them. See Figure 10.4. Using switches instead of hubs creates individual “collision domains” for each segment. This means a particular computer receives only the packets addressed to it, to a multicast address to which it belongs, or to the broadcast address. You increase potential bandwidth in this way by the number of devices connected to the switch, because each can send and receive at the same time another node is doing so.
522 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Figure 10.4 A switch red uces traffic b y send ing d ata only out the p ort with which the d estination MAC ad d ress is associated .
B
A
fo
P r F ack ' s et d M AC est i a d n ed dr es s
C
Switch consults table, sends out port connected
Sw itch
D
to Computer F only
E
F
Ad vantage of Switches over Brid ges Switches can forward data frames more quickly than bridges, because instead of reading the entire incoming Ethernet frame before forwarding it to the destination segment, the switch typically only reads the destination address in the frame, and then retransmits it to the correct segment. This is why switches can offer fewer and shorter delays throughout the network, resulting in better performance. Bridges normally have only two ports, dividing the network into two parts, while switches have multiple ports, each of which may connect directly to a host computer (or alternately can connect to a hub or another switch).
Switching Mod es Switches generally use one of two methods of forwarding data: cutthrough or store-and-forward. Cut-through mode. Switches that use cut-through mode read only the first few bytes of the packet to determine the source and
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 523
destination addresses, and then pass the packets through to the destination segment. The rest of the packet is not checked for errors. This means invalid packets can still be passed on to other segments, but there is the advantage of speed; there is very little delay involved in packet throughput with this mode. Store-and-forward mode. Switches using store-and-forward could be thought of as careful and methodical, but not speedy. They buffer and examine the entire packet, and filter out any bad packets that are detected. The good packets are then forwarded to the correct segment. This results in some delay in throughput, but fewer errors get through to other segments.
When to Switch to a Switch Replacing hubs with switches is a good idea when there is a great deal of point-to-point network traffic. Switches won’t cut down on network congestion problems caused by broadcasts, since broadcast messages will still be sent out all ports. This is another way in which they are similar to bridges. Switches offer the following benefits: ■
■
■
■
Switches eliminate contention (one of the major disadvantages of Ethernet), and therefore allow each port to use the full bandwidth. A switch can be used to divide an overloaded network into segments, creating separate collision domains and increasing performance. Switches offer low latency, which improves the efficiency and performance of the network. Switches can be used to create virtual networks, or VLANs.
How and Why Bridges Are Used A bridge builds a MAC table like a switch, but like the repeater, it is a two-port device rather than a multiport device like a hub or switch. The bridge is used to segment a network to reduce traffic and collisions. It also boosts the signals that it passes across.
How Brid ges Red uce Network Traffic A bridge monitors the data frames it receives to construct its MAC address table, using the source addresses on the frames. This is a simple table that tells the bridge on which side a particular address resides. The bridge can then look at the destination address on a frame, and if it is in the table, determine whether to let it cross the bridge (if the address is on
524 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
the other side) or not (if the address is on the side from which it was received). In this way, there is less unnecessary traffic, because when a computer on side A sends a message to another computer that is also on side A, the signal goes only to those computers on side A. Those on side B, on the other side of the bridge, go blithely on with their business and never have to deal with it. See Figure 10.5. Figure 10.5 A b rid ge segm ents the network to red uce traffic.
Side A
Bridge recognizes destination MAC address and does not send to Side B
Side B
Bridge
Data is transmitted from a computer on Side A to another computer on Side A
Using a bridge can, in effect, double the available bandwidth since there can be two “conversations” between computers going on simultaneously, on opposite sides of the bridge, without data collision.
What Is a Translation Brid ge? Bridges can be used not only to segment a network, but also to connect two network segments that use different types of media. For instance, you can use an AUX/BNC bridge to connect one segment running on thick coax cable (10Base5) to another segment running on thin coax (10Base2).
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 525
A translation bridge is a type of bridge that can go a step further, and not only connect two different media types, but can connect segments using two different media access methods. The translation bridge “translates” between the two access methods, typically Ethernet and Token Ring.
NOTE Translation b rid ges d o not translate b etween p rotocols. Brid ges are unaware of and not d ep end ent on which network/transp ort p rotocols are used for com m unication. Brid ges can use only the MAC ad d resses. Because b rid ges d o not look at the up p er-layer p rotocols (such as IP), they cannot m ake d ecisions ab out where to send d ata fram es b ased on the IP ad d ress.
In most cases, a better solution for connecting Ethernet and Token Ring, when both are using TCP/IP, is a router, which is capable of complex routing based on protocols and the logical network address.
Ad vantages and Disad vantages of Brid ges Bridges enjoy several advantages over other connectivity devices: ■ ■
■
■
■
Bridges are less expensive than routers and brouters. Bridges allow you to add more computers and segments to the network. Bridges are transparent to higher-level protocols like TCP/IP because they operate at the Data Link layer of the OSI model. Bridges can be used with nonroutable protocols like NETBEUI (which will not cross a router). Bridges localize network traffic and thus can increase network performance.
Some disadvantages of bridges include their propensity to cause broadcast storms because they pass broadcast messages across the bridge, and the fact that the bridge is not “smart” enough to evaluate and use the most efficient path for each transmission as a router does. Bridges are not very efficient for use in large, complex networks. If your network fits that description, you may need to consider a router, which works at a higher layer of the OSI model.
526 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Und erstand ing Up p er-Layer Connectivity Devices Like hubs and switches, routers are multiport connectivity devices. Unlike hubs and switches, routers are appropriate for use on large, complex networks because they are able to use the logical IP address to determine where packets need to go.
How Routers Work How does using the IP address help to simplify the routing process? You will recall that an IP address is divided into two parts: the network ID and the Host ID. The network ID is the key here, as it “narrows down” the location of the particular destination computer by acting somewhat like the zip code does for the post office.
Using the Network ID to “Narrow the Search” In a small town, all streets may share the same zip code, so that a letter addressed to 100 Hall Street, Seagoville TX doesn’t really need a zip code. It will reach its destination because there is only one Seagoville post office, and it can easily keep up with where all the streets in town are located. In a big city, however, a letter addressed to 100 Hall Street, Dallas TX will have more difficulty reaching its destination. That’s because there are several post offices in Dallas, each designed to serve only a designated part of the city. The zip code identifies which of these post office stations will handle the delivery of the letter, much as the network ID identifies which subnet, or part of the network, a destination computer is on. In order to use this information, though, the post office must be zip code-aware. That is, the employees there who sort the mail must understand what the zip codes mean. If we had employees performing this task who came from the era before the advent of zip codes, they would see the series of numbers at the end of the address and, not understanding their significance, disregard it. Like those postal employees from a former time, bridges and other lower-layer devices don’t recognize IP addresses or utilize them in making decisions about where to send the data. Routers, however, working at the Network layer where IP operates, can understand and use IP addresses. A router keeps a table, too, but unlike a bridge or switch, which only deals in MAC addresses, the routing table tells the router how to get to other known networks (or subnets) based on the network ID. Then, when a packet reaches the appropriate network, the Host ID is used to get it to the particular computer for which it is destined.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 527
The Routing Tab le Where does the router get this information? Routes can be entered into its routing table manually (this is necessary when static routing protocols are used), or the router can “learn” routes from other routers with which it communicates, using dynamic routing protocols (such as RIP and OSPF, both supported by Windows 2000).
The Routing Process A packet is routed across multiple subnets using a complex process of stripping off and replacing the header information as it goes from one network to the next. This is necessary because the source and destination address change for each network it goes through. In other words, the process works something like this: 1. Computer A with IP address 192.168.1.4 sends a message to Computer B with IP address 201.234.1.12. Both have a subnet mask of 255.255.255.0. 2. Because IP recognizes that the destination address is not on the same subnet as the source address, it sends the message to Router 1, which is Computer A’s default gateway. 3. Router 1 is connected to the 192.168.1.0 network and the 210.45.9.0 network. It is not connected to the 201.234.1.0 network, but it has an entry in its routing table telling it that the way to get there is via Router 2. 4. Router 1 replaces the original source address (Computer A’s) with its own, and sends the packet to Router 2. 5. Router 2 is connected to both the 210.45.9.0 network and the 201.234.1.0 network. It replaces the source address with its own and routes the packet to the destination computer (Computer B), which with an address of 201.234.1.12, is on its subnet. 6. Now when Computer B replies, it will send the packet back to Router 2, which will forward it to Router 1, which will return the response to Computer A. See Figure 10.6 for an illustration of this process. Routers must understand the network protocol being used, thus they are called protocol-specific devices. A bridge isn’t concerned with protocols, but a router must support the protocol(s) used by your network.
528 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Figure 10.6 Packets are forward ed from one router to the next across m ultip le sub nets.
Computer A 192.168.1.4 192.168.1.4 Router 210.45.9.1
210.45.9.2 Router 201.234.1.1
Computer B 201.234.1.12
How and Why Routers Are Used Routers are used to handle complex routing tasks. Routers also reduce network congestion by confining broadcast messages to a single subnet.
NOTE A router can either b e a d ed icated d evice (such as those m ad e b y Cisco) or a com p uter running an op erating system that is cap ab le of acting as a router. Wind ows 2000, like Wind ows NT, can function as a router when two network card s are installed and IP forward ing is enab led .
Routers are capable of filtering, so that you can, for instance, block inbound traffic. This allows the router to act as a firewall, creating a barrier that prevents undesirable packets from either entering or leaving a particular designated area of the network.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 529
WARNING The m ore filtering a router is configured to d o, the slower the p erform ance.
Okay, if routers are so great, is there any reason not to use one? Why bother with any of the other connectivity devices? Routers have a few disadvantages: ■
■
Cost Routers cost significantly more than lower-layer connectivity devices. If you don’t need the router’s sophisticated capabilities, you should use a less expensive bridge or switch to reduce network traffic. Performance All that complexity involved in communicating with other routers and building routing tables and making routing decisions comes with higher overhead than the simpler devices. Thus, a router can slow performance somewhat—although that may be balanced by the reduction of congestion.
How and Why Brouters Are Used Although its name may sound like the weird result of some recombinant DNA experiment, the brouter is a device that attempts to combine the features of bridges and routers into a “best of both worlds” solution. This may be useful when some nodes on the network are running unroutable protocols, such as NetBEUI, while others use protocols that can benefit from routing. The brouter functions like a router, using IP addresses to make routing decisions, when packets are sent using a routable protocol like TCP/IP. If a nonroutable protocol is used, the brouter will use the MAC address to function as a bridge.
NOTE Because it p erform s the functions of b oth a router and a b rid ge, b routers op erate at b oth the Data Link and the Network layers of the OSI m od el.
530 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
How and Why Layer 3 Sw itches Are Used Recently, a type of switch that operates at the Network layer, or Layer 3 of the OSI model, has become a popular connectivity option. Layer 3 switches are sometimes referred to as switch routers. Although a Layer 2 switch (switching hub) is unable to distinguish between protocols, a Layer 3 switch actually performs some of the functions of a router. A Layer 3 switch can filter the packets of a particular protocol to allow you to further reduce network traffic. Layer 3 switches perform the same tasks as routers and can be deployed in the same locations that a router would traditionally be used. Yet the Layer 3 switch overcomes the performance disadvantage of routers, layering routing on top of switching technology. The Layer 3 switch, manufactured by such companies as Cisco (one of the most well-known makers of traditional routers), is quickly becoming the solution of choice for enterprise network connectivity.
How and Why Gatew ays Are Used Gateways are usually not implemented as “devices,” but rather as software programs running on servers. However, because they are also used to connect disparate networks, we will touch briefly on what they are, and why you might implement them in your network. Gateways normally operate at higher levels of the OSI model—typically at the Application layer—and can be used to connect two networks using entirely different protocols. For instance, an SNA (System Network Architecture) gateway will allow personal computers running Windows operating systems to communicate with an IBM mainframe computer, even though the two systems are truly “alien” to one another. Another type of gateway is used to allow Windows NT or 2000 machines, which use the SMB file-sharing protocol, to “talk” to a file server that runs the NetWare NOS and uses NCP, the Netware Core Protocol. There are many other different types of gateways, such as e-mail gateways that translate between different e-mail protocols.
WARNING Don’t confuse these ap p lication gateways with the use of the term default gatew ay, which id entifies the IP ad d ress of the router on a network that is connected to an internetwork.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 531
Troubleshooting Layer 1 and 2 Connectivity Devices Because repeaters and hubs operate at the Physical layer, problems affecting these devices will be physical problems, or hardware problems. This layer is not concerned with high-level protocols like TCP and IP, and problems with these devices will interfere with communications regardless of the network transport protocols being used. However, Physical layer device problems can mimic TCP/IP protocol configuration problems. Always consider the Physical layer when troubleshooting connectivity problems. If the hardware doesn’t work, all the software reconfiguration in the world won’t solve the problem.
Prob lem s with Rep eaters and Hub s If you are unable to establish a connection between computers, you need to first verify that TCP/IP is properly installed (by pinging the loopback address as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000”), check the configuration and operability of the NIC (as discussed earlier in this chapter), and confirm that there are no shorts, breaks, or other problems with the cable (also discussed in a preceding section of this chapter). If you still are unable to connect, look at your connectivity devices such as repeaters and hubs: ■ ■
■
Ensure that the device has power. Ensure that the computers’ NICs are communicating with the device (by checking status lights). Ensure that devices are installed in accordance with the IEEE specifications for the particular network architecture.
The last includes compliance with any distance limitations for the media being used and, for coax networks, the restrictions imposed by the 5-4-3 Rule.
The 5-4-3 Rule This rule states that on a 10Base2 or 10Base5 network (using coax cable and a bus configuration), you should have no more than five segments, connected by no more than four repeaters, and that only three of those segments should be populated. A populated node is one that has nodes (computers or other network devices) attached to it.
532 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
NOTE In this context, a network “segm ent” is the length of the cab le b etween rep eaters.
Passive, Active, and Intelligent Hub s Troubleshooting the hubs that connect a 10BaseT network will depend in part on the type of hub being used.
Problems w ith Passive Hubs Passive hubs are simply connection points and give you few clues as to whether they are operating correctly. Fortunately, because it is a simple, nonpowered device, not much can go wrong with a passive hub. The pins and wiring inside the hub or a damaged female RJ-45 jack could create connection problems. This can be prevented by ensuring that the hubs are handled properly, since most such damage is caused by human mistreatment.
Problems w ith Active Hubs An active hub (multiport repeater) does give you a few clues to help you in troubleshooting connectivity problems. The pretty flashing lights that indicate network communication (or collisions) on each port are a starting point. By observing the status lights, you can ascertain if one port is “dead,” indicating either a problem with the jack or cable at that port, or a problem originating with the computer attached to it.
Problems w ith “Intelligent” Hubs The intelligent or “smart” hub (also called a managed hub) is a bit more helpful. This type of hub runs software with which you can communicate with the hub from a terminal or across the network. In this case, the software program will provide information about port status, and in some cases will run diagnostic applications to assist you in troubleshooting connectivity problems.
Problems w ith Bridges Bridges are useful devices for segmenting a network and controlling the amount of traffic. However, bridges introduce an extra layer of complexity and thus the potential for several different types of problems.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 533
Perform ance Prob lem s The primary reason for using a bridge to divide your network is to increase network performance. However, it is possible that bridging can have the opposite effect if it is not implemented correctly.
Bridge Latency You will find that bridging the network, while cutting down on overall traffic, will also slightly increase latency for those communications that must cross the bridge. This term refers to delays in transmission of the data in route to the destination computer. The reason for this is the way in which the bridge decides whether to forward traffic across the bridge; it must first analyze the header information in the data frame to find out the destination computer’s MAC address, and then it must look up that address in its routing table. This takes some time, although in most cases the performance hit will not be significant, and will be offset by the overall reduction in network traffic. By adhering to accepted guidelines, you prevent noticeable performance degradation.
The 80/20 Rule One popular networking guideline pertaining to the use of bridges states that 80 percent of network traffic should be “local” (same side of the bridge), and no more than 20 percent should cross the bridge. For best performance, ensure that those computers that communicate with one another most often are on the same side of the bridge. Frequently accessed file or print servers should be placed on the same side of the bridge as those clients that use them most often. Before implementing a bridging solution, carefully analyze the normal flow of network traffic and try to group nodes so that most communication, and especially transfer of large amounts of data, takes place without the need to cross the bridge.
Bridge Looping Bridge looping can occur when there is more than one active bridge on a network. In a bridge loop, when the bridges don’t know the location of a destination computer, they send the data frame across the bridge. This results in multiple copies of the same data frame on the network, causing unnecessary congestion—but it’s worse than that. As each bridge detects the frame sent by the other bridge, it passes the frame back across to the other side. The frames coming from the other bridge cause each bridge to make incorrect entries in its routing table for the destination computer, and this in turn prevents the destina-
534 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
tion computer from receiving data intermittently. The problem is intermittent because the bridges keep resetting the entries in the routing table based on where the data frames are coming from. This can go on forever in an endless loop, hence the name “bridge looping.” See Figure 10.7 for an example of how this can happen. Figure 10.7 When two b rid ges are connected in p arallel, b rid ging loop s can form .
A
B
Hub 1 C
D Bridge 1
E
G
Bridge 2
Hub 2
F
H
In the scenario shown, if Computer B sends a message to Computer A, both bridges would detect the data frame. Neither bridge knows where Computer A is located, so both bridges would transmit the frame to the other segment. They would put an entry in the routing tables identifying Computer B as being off the left-side port. Two copies of the data frame have now been transmitted onto the right-side bridge port. Now each bridge will also detect the copy of the data frame sent by the other bridge on the right-side port. They see the source address and think this is Computer B sending Computer A another frame. They will now pass the frame back to the left-side port. Assuming Computer B is now on the right-side port, they change the table to reflect that status.
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 535
This can go on forever, with both bridges detecting each other’s transmitted frames and passing them across, then changing Computer B’s status in the table from the right- to the left-side port over and over again. When the table is incorrectly set, Computer B will not be able to receive any data. When the table changes again and Computer B is identified as being on the correct bridge port, it will be able to receive data, but only until the tables are changed once more. The problem here is that a bridge looks at the source and destination addresses, but cannot identify duplicate frames. This does not mean that you can’t have two bridges on a network. In fact, redundancy is a good idea, in case one bridge “dies.” So how do you prevent the looping behavior?
The Sp anning Tree Algorithm One solution to the problem of bridging loops is the Spanning Tree Protocol. If your bridge supports and is configured to use this protocol, it will be able to communicate with other bridges on the network. The two bridges will then work cooperatively, with one functioning in active mode and the other on standby unless or until it detects a failure of the first bridge. At that point, the second bridge will take over passing data frames. With only a single pathway available at any given time, there is no possibility of a loop.
For IT Professionals
Transp arent Brid ges and the Sp anning Tree Protocol A transp arent b rid ge is generally used on Ethernet networks. Another typ e of b rid ge, called the Source Route b rid ge, is used with Token Ring. The b rid ge is called “transp arent” b ecause the b rid ge is not visib le to the host com p uters on the network. At the Network layer of the OSI m od el, IP d oes not “see” the b rid ge, and for its p urp oses, all the networks that are connected b y a b rid ge m ight as well b e p hysically connected . This typ e of b rid ge b asically configures itself, constructing its routing tab le after it autom atically initializes. It m akes routing d ecisions b ased on the inform ation in its routing tab le. This works fine with a sim p le network using only one b rid ge. It gets m ore com p licated if you ad d b rid ges to the network. Continued
536 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Multip le b rid ges on the network norm ally are unaware of one another’s p resence. They op erate as sep arate entities. When there are m ultip le b rid ges, red und ant p aths to a d estination exist, and this is what causes loop ing b ehavior to occur. The solution d efined b y IEEE 802.1D is the “Sp anning Tree Algorithm .” The ob jective of the Sp anning Tree Algorithm (or Sp anning Tree Protocol) is to find these red und ant p aths and elim inate them . Here’s how it works: One of the b rid ges on the network is d esignated as the Root (d on’t confuse this with the root account, which is the m aster ad m inistrative account on a UNIX system ). The b rid ge with the lowest b rid ge ID is selected as the root. If there is d up lication in b rid ge IDs, the b rid ge with the lowest MAC ad d ress will b e chosen. On all other b rid ges on the network, the p ort with the lowest cost p ath to the Root b rid ge will b e d esignated as that b rid ge’s root p ort. This p ort will b e used to com m unicate with the Root b rid ge. This Root b rid ge will send a m essage at regular intervals, which is called a Brid ge Protocol Data Unit (BPDU). All of the b rid ges attached to the Root will receive the m essage and p ass it on, until it reaches the segm ents of the network that have no m ore b rid ges. This creates the “sp anning tree.” A d esignated b rid ge and p ort is selected for each LAN. Ob viously, if there is only one b rid ge connected to a LAN, it m ust b e the d esignated b rid ge for that LAN. If there is m ore than one, the b rid ge with the lowest cost p ath to the Root b rid ge will b e d esignated . Now, each p ort on each b rid ge will have one of the following as its status: 1. It is the Root p ort, 2. It is the d esignated p ort for one of the LANs, or 3. It is b locked . When you p ower up the b rid ge, it will assum e it is the Root b rid ge and will send a configuration BPDU. This m essage includ es the b rid ge ID. When a b rid ge receives a configuration BPDU that has a lower b rid ge ID than the ID of the b rid ge it assum es is Root, it up d ates its tab les. In this way, the b rid ges will id entify the Root b rid ge and create the sp anning tree.
Network Monitoring Prob lem s Bridges can interfere with your ability to effectively use network monitoring and protocol analysis tools, because the bridge isolates traffic that is
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 537
“local” to one side of the network. This can prevent you from seeing the entire network, because you will typically only be able to monitor the traffic on the side of the bridge on which the monitoring device or software is located. This means you may have to put a protocol analyzer on each side of the bridge in order to monitor all the traffic on the network, unless the bridge incorporates a special port to allow monitoring of both sides.
Selecting a Connectivity Device Because the network connectivity devices perform similar but different functions, it is sometimes difficult to know which is the best choice in a given situation. Table 10.3 will help you in the decision-making process. Table 10.3 Com p arison of Connectivity Device Features Repeater
Hub
Bridge
Sw itch (Layer 2) Router
Use to lengthen the overall d istance sp anned b y the network m ed ia.
Use to connect com p uters in a LAN using UTP cab le. Choose an active hub , or m ultip ort rep eater, to b oost the signal.
Use to red uce network traffic b y segm enting the network into two sid es, so that d ata intend ed for a com p uter on the sam e sid e d oes not go to those on the other sid e. Forward s b road cast traffic.
Use to red uce network traffic b y creating a two-nod e collision d om ain, so that d ata is only sent out the p ort attached to the d estination com p uter.
Use to red uce network traffic b y sep arating the network into sub nets and isolating b road cast traffic to each ind ivid ual sub net instead of send ing it to the entire network.
Boosts signal and p asses it on; d oesn't d istinguish b etween typ es of traffic (d ata vs. noise).
Send s signal Recognizes MAC b ack out all ad d ress, and p orts. either send s d ata across to the other sid e or contains it on one sid e b ased on the ad d ress.
Recognizes MAC ad d ress, and send s d ata only to the com p uter for which it is d estined .
Recognizes IP ad d resses and routes d ata b ased on network ID.
Op erates at Op erates at the OSI the OSI Physical layer. Physical layer.
Op erates at the OSI Data Link layer.
Op erates at the OSI Data Link layer.
Op erates at the OSI Network layer.
Least exp ensive.
Relatively inexp ensive.
Mod erately exp ensive.
Most exp ensive.
Relatively inexp ensive.
538 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Summary In this chapter, we have taken a brief look at some of the common connectivity problems that can occur at the Network Interface level. This layer of the DoD model maps to OSI’s Physical and Data Link layers, and includes such issues as compatibility, functionality, and configuration of network interface cards (NICs); cable media; IEEE specifications for popular networking architectures; and network connectivity devices. We discussed the role of the NIC in TCP/IP and other network communications, and the importance of having the correct, properly installed, configured and updated device drivers. We then looked at media issues, and how cable type and length can impact connectivity. Then we examined the roles of the different connectivity devices. We learned the differences between a repeater and a hub, and how to distinguish passive, active, and intelligent hubs. We gave special attention to the so-called switching hub, also commonly referred to as a Layer 2 switch. We talked about bridges and how they can be useful in reducing network traffic by segmenting the network into two parts. We provided a brief overview of routing and routers, and how a dedicated routing device or a Windows NT or 2000 computer configured to enable IP forwarding can be used to reduce network traffic by blocking broadcasts and other selected traffic. We then discussed advantages and disadvantages of each of the connectivity devices, and how to determine which is best for your network. In summary, we concluded that: ■
■
■
■
Repeaters are inexpensive and useful for boosting a signal that has degraded due to distance, thus extending the length of the network. Hubs are central connection points for networks that use unshielded twisted-pair cabling, and active hubs function as multiport repeaters, boosting incoming signals before sending them back out over all ports to all attached computers. Intelligent hubs include small processors and run diagnostic software. Repeaters and hubs pass on all network traffic. Layer 2 switches are a type of hub that can read MAC addresses and build a table matching those addresses to ports, allowing the switch to send a data frame out only on the port attached to the computer whose MAC address is shown as the destination in the frame header. Switches pass specifically addressed traffic only to the destination, but send broadcasts out over all ports. Bridges are used to segment a network into two parts, using the MAC address in a data frame to determine whether to pass the
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 539
■
■
frame across the bridge to the rest of the network. Bridges pass on broadcast traffic. Routers use the IP address to determine what network (or subnet) the destination computer is on, and then route the data to that subnet by the most efficient path. Routers can use dynamic routing protocols that allow them to communicate with each other and learn the routes to distant networks from one another. Brouters combine the functions of bridges and routers into two devices, acting like a bridge when a nonroutable protocol is used for communication, or like a router when a routable protocol such as TCP/IP is used.
We further examined specific problems that can occur with each of the connectivity device types, such as bridge latency, bridging loops, and monitoring limitations caused by segmentation of the network. In the next chapter, we will build on this discussion by going one layer higher, to the Internetwork layer of the DoD model where routing takes place. We will look at some of the problems that can occur in a routed TCP/IP network, how to prevent them or—failing that—how to deal with them.
FAQs Q: How does a bridge improve network performance if it still passes broadcast traffic? A: In an Ethernet network in particular, a bridge can have a significant impact on performance. By dividing the network into two parts (segments), the bridge creates a situation where computers only have to contend or compete with the other machines on the same segment. This way, two NICs on opposite sides of the bridge can actually be transmitting at the same time, without causing a collision. Q: How does a bridge affect the maximum cable length for an Ethernet network? A: The bridge effectively doubles the length limitation by acting as a node on each segment. That is, before the bridge transmits traffic that it is passing over from the other side, it listens to the cable to ensure that it is clear first (as an Ethernet NIC does).
540 Chapter 10 • Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Q: Which network connectivity device offers the best performance? A: In general, switches are faster than either bridges or routers. This is because switches direct the data frames across the different network segments in a both a faster and a more efficient way, by using onboard logic and Application-Specific Integrated Circuits (ASICs). Q: What is the difference between segment switching and port switching? A: A segment switch has an entire network connected to each of its ports. This means you can connect more computers with fewer switches (or a switch with fewer ports). This gives you some flexibility, in that you could place just one machine on a port and have a single node segment so that you can give high-use machines such as servers their own dedicated path. The port switch is what we refer to as a switching hub. In this case, there is one machine or device per port. Port switching is more expensive because it requires more switches and/or ports as well as more cable. Both switch types will increase network performance. Q: What is a VLAN? A: A Virtual Local Area Network, or VLAN, involves establishing multiple logical networks on one larger physical network, using a switch to restrict which computers or network segments will have access to which parts of the network. VLANs are used to increase network performance and also to increase security. The data from selected hosts or segments can be filtered out; for instance, you may wish to filter out packets from the busy parts of the network to avoid slowdowns on a particular virtual LAN. Q: What are some reasons to subnet a network with a router? A: Reasons for dividing the network into subnets include 1) diminishing bandwidth as the network grows, 2) performance slowdowns caused by excess broadcast traffic, 3) need for better manageability of the network, and 4) network security. Creating subnetworks will address all of these issues, while still allowing computers on different subnets to communicate with one another by using a routable protocol such as TCP/IP, which can be forwarded from one subnet to another by a router.
Chapter 11
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Solut ions in t his chap t er: ■
Router Problems
■
Router Configuration
■
Window s 2000 as an IP Router
■
ARP / RARP Problems
541
542 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Introduction The Internetwork layer of the DoD model, where the Internet Protocol (IP) operates, could be thought of as the heart of TCP/IP communications. Without it, computers would be unable to “talk” to one another. After all, this is the layer responsible for routing; in other words, for actually getting the data to its destination. Troubleshooting problems at the Internetwork layer actually involves both IP addressing problems, which we discussed in Chapter 8, “Troubleshooting Windows 2000 IP Addressing Problems,” and routing decisions, which we will look at in this chapter. Networks are growing larger and larger, and most networks today are routed networks. A routed network is generally defined as a network that is connected to other networks, or subnets, via a gateway. The gateway is either a dedicated device called a router or a computer running an operating system (such as Windows NT or Windows 2000) that allows it to function as the router/gateway. In Windows 2000 Server, the Routing and Remote Access Service (RRAS) is a full-featured software router and provides an open platform for routing and internetworking. RRAS is fully integrated with the operating system and can be extended with application programming interfaces (APIs) that allow developers to construct customized networking solutions.
NOTE In this chap ter, in the context of troub leshooting TCP/IP p rob lem s, we will b e d iscussing routing of IP p ackets. Wind ows 2000 is also cap ab le of IPX routing.
Distinguishing characteristics of the gateway device or computer are: ■
■
It must be running software that makes it capable of performing IP forwarding. It must have a network interface to more than one network (sides of the gateway). When a computer is acting as a router, it must have multiple network interface cards (NICs), or a NIC and a wide area network (WAN) interface, such as a modem.
IP routing involves discovering a pathway from the sending computer (or forwarding router) to the destination computer whose address is designated in the IP header. In concept, this is not unlike what you would do when planning a trip from your home to a distant location. To navigate a
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 543
course, you would sit down with a map and plot out the best route based on several factors. Distance, simplicity, and congestion might be some things you would consider when deciding which roads to take.
A Routing Exam p le As an example, let’s envision a road trip from Dallas, Texas to a street address in Memphis, Tennessee. You would focus first not on the specific area of Memphis in which the destination address was located; your initial goal is to get to the correct city. Comparing this to network routing, we can understand that the first concern is to get the packet to the proper network (or subnet); we’ll worry about getting it to the specific host later. Thus, if our data is “traveling” from sending computer 192.168.1.32 to destination computer 201.12.115.7, our “navigator” (IP) will look at the network IDs and concern itself with how best to get from the 192.168.1.0 network (Dallas) to the 201.12.115.0 network (Memphis). Unfortunately, no interstate highway goes directly from Dallas to Memphis. However, we can get there by going through Little Rock, Arkansas. We would drive from our home in Dallas to the Dallas gateway, Interstate 30 North. Our routing table tells us this is the road to take to eventually end up in Memphis, even though it doesn’t go there itself. When we reach Little Rock, we find that the interstate highway system comes together there, providing a connection between the “Dallas” network that we reached via I-30 and the “Memphis” network that we can reach via I-40. The I-30 gateway is like a router that is connected to the 192.168.1.0 network (Dallas) and the 214.40.2.0 network (Little Rock). From Little Rock, we travel the second leg of our trip: to Memphis. The router on the 214.40.2.0 network (Little Rock) is also connected to the 201.12.115.0 network (Memphis). See Figure 11.1 for an illustration of this process. Once we reach Memphis, then we become concerned with the specific street address, and once the packet reaches the destination network, then IP becomes concerned with the Host ID to get the packet to the specific computer. This is a simplistic example, but it serves to illustrate how routing works, whether it’s taking place on the nation’s roadways or across the cables and wireless connections of computer networks. In our example, we took the straightest and presumably the fastest path between cities, the interstate highways. However, if we happened to know that Interstate 30 was shut down or heavily congested at some point between Dallas and Little Rock, we might have diverted our course to take Interstate 20 from Dallas to Jackson, Mississippi, and then take
544 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Interstate 55 from Jackson to Memphis. The distance would be longer, but based on the road conditions this could prove to be a more efficient route. Figure 11.1 The trip from Dallas to Mem p his involves two “hop s.”
Dallas
M emphis
Little Rock
Hop 2
Hop 1
IP routers are also capable of making such assessments and choosing alternate routes. This is made possible by the use of dynamic routing protocols, which we will discuss a little later in the chapter. In routing parlance, each “leg” of our trip (Dallas to Little Rock, Little Rock to Memphis) is called a hop. The hop count is one of the factors that a routing protocol takes into account when calculating the cost of choosing a particular route to the destination. As we go through this chapter, we will look at how the different routing protocols perform all these tasks, what can go wrong along the way, and what we can do about problems when they arise.
IP Routing Overview IP is the Network layer component of the TCP/IP protocol suite. IP handles Network layer addressing and routing of packets, and can be used across any group of physically connected networks in which the computers are running the IP protocol.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 545
IP routing refers to the forwarding of packets from the source computer to the destination computer by going through routers that support IP routing. The distance traveled from one router to the next is called a hop, and at each router, the destination IP address on the packet is compared to the routing table, and the best route is used to decide the endpoint of the next hop.
Routing Fund am entals Computers on an internetwork send packets to one another in one of two ways: directly (if the source and destination computers are on the same subnet), or indirectly (if the source and destination computers are on different subnets) by forwarding the packets to a router.
Direct Routing The term direct routing is sometimes used to describe the process of routing data to a destination computer that is on the same network (subnet) as the sending computer. When IP reads the network ID portion of the source and destination addresses and determines that they are the same, the packet can be sent directly to the destination address without going through a gateway. No forwarding is necessary. See Figure 11.2 for an example of direct routing. Figure 11.2 Direct routing is used when the source and d estination network IDs are the sam e.
Source address: 192.168.1.2 Destination address: 192.168.1.6 Da t
192.168.1.2
aP ac ke
t
192.168.1.5 192.168.1.3
192.168.1.6 192.168.1.4
546 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
When only direct routing is needed (all computers that share a physical connection have the same network ID), the network may be called an unrouted network.
Indirect Routing When we speak of a routed network, we are really talking about indirect routing. Indirect routing occurs when the network ID portion of the IP address is not the same for the source address as in the destination address. Indirect routing involves forwarding of the IP packet from one network (subnet) to another, through a gateway (the router) that has an entry in its routing table telling it how to reach the destination network. We will talk about how routes are added to the routing table later in this chapter. An illustration of indirect routing is shown in Figure 11.3. Figure 11.3 Ind irect routing is used when the source and d estination network IDs are d ifferent.
Source address: 192.168.1.4 Destination address: 201.12.121.8 192.168.1.4 Data Packet
192.168.1.1 Router
201.12.121.1
Data Packet Gateway
201.12.121.8
You can see in Figure 11.3 that the network ID portions of the source and destination computers are different. Therefore, the source computer sends the packet to a gateway (in this case, the router that has an
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 547
interface on the source’s network, 192.168.1.1). The packet is then forwarded across the gateway to its second interface (201.12.121.1), which connects to the destination computer’s network. From there, the packet can be directly routed.
The Default Gatew ay It would be impossible for a computer’s routing table to contain routes to every possible destination. For that reason, a TCP/IP computer that will be connected to an internetwork is set up with a default gateway. This is the IP address to which all “foreign” packets (those whose destination address is located on a network other than the local subnet) should be sent when no specific route to the destination address exists in the routing table. The default gateway is a very important concept in TCP/IP networking because without it, communications are limited to the local subnet. The router that is designated as the subnet’s default gateway will be configured with routing information for how to reach remote networks that are connected to the internetwork. This improves the efficiency of operation, because instead of requiring all computers to maintain extensive routing tables, the default gateway takes on that chore.
Multip le Gateways Windows 2000 allows you to specify multiple default gateways for a network interface when configuring the TCP/IP protocol. However, only one default gateway can be active at a time. The primary gateway is used unless it fails; then the secondary gateway will be used instead.
NOTE If the com p uter has two NICs, each configured with a d ifferent d efault gateway, the gateway on the first NIC will b e used . The gateway for the second NIC will b e a b ackup , used if the first card ’s gateway fails.
Prop er Configuration of the Gateway A common problem related to the Internetworking layer is improper configuration of the default gateway (or failure to configure a gateway at all). This will result in the inability of the computer to communicate with computers on remote networks. If the computer is able to send data to computers on its own subnet but cannot successfully send to computers whose network IDs are different from its own, suspect a problem either with configuration of the gateway or a failure of the gateway device itself.
548 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Figure 11.4 shows the TCP/IP Properties sheet where the default gateway setting is configured. Figure 11.4 The d efault gateway is configured in the TCP/IP Prop erties sheet.
The TCP/IP Properties sheet is accessed by selecting Start | Settings | Network and Dialup Connections, double-clicking the local area connection, and then clicking PROPERTIES. Next, select Internet Protocol (TCP/IP) in the list and click PROPERTIES. The default gateway address must be the IP address of a router or a computer that has IP forwarding enabled to allow it to function as a router.
TIP The IP ad d ress entered for the d efault gateway m ust b e on the sam e network as the IP ad d ress assigned to the NIC. If the network is sub netted , ensure that accord ing to the sub net m ask sp ecified , the IP ad d ress setting and the d efault gateway setting are m em b ers of the sam e sub net.
If you do wish to enter additional gateway addresses, you can do so by clicking ADVANCED, which will display the dialog box shown in Figure 11.5.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 549
Figure 11.5 Setting m ultip le gateways in the Ad vanced TCP/IP Settings b ox.
When you add or edit a gateway’s settings, you can specify a metric, or “cost,” which is a number representing the number of hops it takes to reach the destination. This can be specified for both the gateway and the network interface. The default metric is 1.
Routing Interfaces Typically, a router is connected to two or more networks or subnets. The router, a dedicated device or a computer acting as a router, is said to have an interface to each network to which it is connected. The router’s interface can connect to a LAN or to a WAN. The WAN interface can be a modem, an ISDN terminal adapter, or other WAN media connection device. The LAN interface is a network adapter card. Each interface must have an IP address with a network ID appropriate for the network to which it is connected. The router functions at the Internetwork layer of the DoD networking model (the Network layer of the OSI model).
550 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Routing Tab les Each Windows 2000 computer that functions as a router has a routing table, a database that contains the routes designating the location of network IDs on the internetwork. Host computers (nonrouters) can also have routing tables, which they use to decide upon the best route for sending data. Three types of routes can be entered in the routing table: ■
■
■
Network route This is a route to a particular network based on the network ID in the IP address. Host route This entry has information about the route to a specific computer, based on the network and Host IDs in the IP address. Default route This route is used when there is no other route available for the destination IP address.
Understanding the IP routing table is important for troubleshooting Internetwork layer problems on a routed TCP/IP network. The routing table is the basis for routing decisions made by computers using the TCP/IP protocols, and the information in the routing table can be the starting point for diagnosing routing problems.
View ing the Routing Table Windows 2000 provides two ways to view the table: you can use the command line, or the graphical interface.
Viewing the Tab le via the Com m and Line To view the routing table, use the ROUTE PRINT command, as shown in Figure 11.6. You will note that no persistent routes have been defined in the routing table shown in Figure 11.6. A persistent route is one that remains in the table after the computer is rebooted. Normally, the routes you add are not retained when you restart the system.
Viewing the Tab le via the GUI Windows 2000 provides a more user-friendly way to view the routing table, using the graphical interface of the Microsoft Management Console (MMC). To access the table this way, open the RRAS MMC by selecting Start | Programs | Administrative Tools | Routing and Remote Access. In the console tree in the left pane, under the RRAS server name, expand IP Routing. Then right-click Static Routes and select Show IP Routing Table, as shown in Figure 11.7.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 551
Figure 11.6 Use the ROUTE PRINT com m and to view the static routing tab le.
Figure 11.7 To view the routing tab le via the grap hical interface, use the RRAS MMC.
552 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Selecting this option will display the routing table as shown in Figure 11.8. Figure 11.8 The routing tab le as d isp layed in the grap hical interface.
You can also view the multicast forwarding table, if you are using multicast, by right-clicking IP Routing | General, and selecting Show Multicast Forwarding Table.
Understanding the Routing Table Table 11.1 summarizes the information that is provided in the Windows 2000 graphical version of the IP routing table. Table 11.1 Inform ation Contained in the Wind ows 2000 IP Routing Tab le Column Heading
Description of Information
Destination
This colum n shows the d estination host, sub net ad d ress, or network ad d ress. It can also show the d efault route, which is 0.0.0.0.
Network Mask
The network m ask is used along with the d estination IP ad d ress, to d eterm ine the route to b e used . If the m ask is 255.255.255.255, this m eans that only an exact m atch of the d estination uses this route. A host route will have a m ask of 255.255.255.255. A m ask of 0.0.0.0 m eans the route can b e used b y any d estination; no m atch is req uired . A m ask b etween these two ind icates how m uch of the d estination ad d ress m ust m atch in ord er to use the route. For exam p le, if the m ask is 255.255.248.0, and the IP ad d ress of the d estination is 172.16.8.0, the first two octets and the first five b its of the third octet m ust m atch.
Gateway
This colum n shows the IP ad d ress of the next router on the route to which the p acket should b e forward ed . The gateway m ust b e within d irect reach of this router. Continued
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 553
Column Heading
Description of Information
Interface
This colum n shows the nam e of the interface, such as the Local Area Connection, that is used to reach the next router.
Metric
This num b er ind icates the "cost" of using this route to reach the d estination, shown in hop count (num b er of routers that m ust b e crossed ).
Protocol
The last colum n shows any routing p rotocol b eing used (OSPF, RIP, etc.). Local ind icates that no routing p rotocol is b eing used .
Sim p le Routing Scenario In the simplest routing scenario, two LANs (subnets) are joined by an IP router. The router has an interface connected to each subnet, configured as a member of that subnet. The computers on each subnet have the router’s “near side” interface set as their default gateway.
NOTE The “near sid e of the router” refers to the IP ad d ress of the interface that is connected to the local sub net. The interface(s) connected to a rem ote sub net is called the “far sid e of the router.”
See Figure 11.9 for a graphical illustration of this simple routing setup. Note that in this situation, it is not necessary to use routing protocols. This is because the router is connected to all subnets to which packets will be routed, and there is no need to propagate routing table information.
The Window s 2000 Router Microsoft refers to a computer that is running RRAS and providing local or wide area networking routing services as a Windows 2000 router. Some of the features of the Windows 2000 router include: ■ ■
■
Multiprotocol routing (IP, IPX, and AppleTalk are supported) Support for standard dynamic routing protocols (OSPF and RIP, versions 1 and 2) Packet filtering
554 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level ■ ■ ■
Router advertisement and discovery (via ICMP) Multicast services (IGMP) Unicast routing
Figure 11.9 A sim p le scenario with a router connecting two sub nets.
192.168.1.23
192.168.1.45
192.168.1.71
Network 192.168.1.0 Subnet mask 255.255.255.0 Default gateway 192.168.1.1 Router Interface A 192.168.1.1 Router Router Interface B 201.212.21.1 Network 201.212.21.0 Subnet mask 255.255.255.0 Default gateway 201.212.21.1
201.212.21.4
201.212.21.18
201.212.21.34
NOTE Unicast routing is d efined as forward ing p ackets ad d ressed to a single d estination over an internetwork, using routers to connect sub networks together b ased on network IDs. Multicast routing refers to com m unicating m ulticast inform ation from one router to another. Multicasting involves send ing p ackets to a group of d estination ad d resses.
Multicast routing requires the use of special multicast routing protocols. Although Windows 2000 does not include any built-in multicast routing protocols, it does include APIs that allow vendors to extend the platform to add multicast protocols.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 555
Routing Protocols Routing comes in two basic “flavors,” static and dynamic. With static IP routing, the routing table must be constructed manually; an administrator must enter the IP addresses defining the routes to remote networks one by one. Using a dynamic routing protocol, the table is configured and maintained automatically, because the dynamic router can communicate with and “learn” from other routers on the network. This saves the administrator a great deal of time. Dynamic routing requires a separate protocol, such as the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).
NOTE Static and d ynam ic routing can coexist; they are not m utually exclusive. It is p ossib le to p lace a d ynam ic router in a network that uses static routing, to allow the static network to com m unicate with a d ynam ic one. The static router req uires m anual configuration as usual. The d ynam ic router will req uire that som e static routes b e entered into its routing tab le, to allow it to com m unicate with the static router.
Next we will look at how routing works with a static routing table, and then we’ll discuss the popular dynamic routing protocols.
How Static Routing Works To build a static routing table with Windows 2000, you can use the Route command-line utility. (You can also use the GUI). See Figure 11.10 for the available options. As you can see in Figure 11.10, there are several switches and commands that can be used with the Route command to invoke optional behavior. These are summarized in Table 11.2.
NOTE With the PRINT and DELETE com m and s, you can use a wild card (rep resented b y an asterisk) for the d estination or gateway value.
556 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Figure 11.10 Op tions availab le with the Wind ows 2000 Route com m and .
Table 11.2 Wind ows 2000 Route Com m and Switches and Com m and s Sw itch or Command
Action
-f
Clears all gateway entries Can b e used with other from the routing tab le. com m and s to clear the tab le b efore invoking the action of the other com m and .
-p
Creates a p ersistent route.
PRINT
Prints the route.
ADD
Ad d s a route to the tab le.
DELETE
Rem oves a route from the tab le.
CHANGE
Allows you to m od ify a route that is alread y in the tab le.
Comments
Is used with the ADD com m and . Causes the entry to stay in the tab le when the com p uter is restarted .
Continued
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 557
Sw itch or Command
Action
d estination
Id entifies the host com p uter that is the d estination ad d ress.
MASK
Signals the netm ask value as the next entry.
netm ask
Id entifies the sub net m ask.
gateway
Id entifies the IP ad d ress of the gateway.
interface
Id entifies the interface num b er for the route.
METRIC
Sets the cost for the d estination.
Comments
Default is 255.255.255.255.
By d efault, cost p er hop is 1, b ut this can b e m od ified .
Characteristics of Static Routing Static routing not only requires that you painstakingly set up the routing table, you also must manually enter every change, addition, and deletion that occurs. This reprogramming of the routers each time a change is made can be time-consuming and tedious. Why would anyone ever use static routing? Actually, most networks don’t, but static routing does have a couple of advantages: ■
■
■
Static routing can be implemented with a minimum of equipment. No dedicated routing device is needed; you can set up a multihomed Windows NT or Windows 2000 computer to be a static router. A multihomed computer is one that has two (or more) network interfaces. The initial cost of implementing static routing is less than dynamic routing, because of the cost of routing devices. You have more specific control over routes used in a static routing situation since you enter the routes into the table manually. You can delete or change routes and ensure that packets use the desired route.
These benefits are not enough, however, to make static routing an attractive solution to most network administrators, due to its many disadvantages: ■
There is no real fault tolerance in a static routing environment. If one of the routers becomes unavailable, others cannot detect
558 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
■
■
its absence. Since a static-routed internetwork will generally be a single-path environment (only one path available between any two endpoints), this can result in the inability of some hosts to communicate with others on the network. A great deal of administrative maintenance is required to keep routing tables updated on a static network if new routes need to be added or removed. Static routing is appropriate only for small internetworks (those having from two to 10 networks). Beyond this, administration becomes unmanageable.
The Dynam ic Routing Protocols Routers running dynamic routing protocols can automatically build their routing tables and make modifications when the network changes. These changes are propagated throughout the network as the dynamic routers communicate with one another. Windows 2000 includes built-in support for the two most popular dynamic routing protocols, RIP and OSPF.
RIP for IP The Routing Information Protocol (RIP) has been used for many years and works well with small and medium-sized networks, although it does not scale well to large internetworks. RIP is a distance vector protocol (for more information, see the sidebar For IT Professionals in this chapter) with a maximum hop count of 15. For practical purposes, this means that if it takes more than 15 hops to reach another network (subnet), RIP interprets it as “destination unreachable.” RIP’s usefulness is enhanced by the fact that it is a standard implemented by many vendors. RIP is implemented as an Interior Gateway Protocol (IGP) within individual networks that make up the internetwork. EGP, the Exterior Gateway Protocol, is used to provide communications between these individual, autonomous networks.
NOTE RFC 1058 d efines stand ard s for the Routing Inform ation Protocol.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 559
How RIP Prop agates Routing Tab le Inform ation RIP for IP works by sending an announcement message at regular intervals that contains the information in its routing table. Other RIP routers receive this message and add the information to their own tables. In this way, route information spreads throughout the network. RIP routers also use triggered updates to spread their information. An update is triggered by a change in the network, such as the failure of a gateway. When a router detects the failure, it updates its own table and then sends out the new information immediately instead of waiting for the next scheduled update period.
NOTE Version 1 of RIP send s its announcem ents via b road cast p ackets. Version 2 can also send announcem ents via b road cast p ackets, b ut can also use m ulticast p ackets.
Wind ows 2000 RIP Features The Windows 2000 router supports the following features designed to avoid some of RIP’s traditional problems, such as routing loops and slow recovery: Split horizon. This is an algorithm used by routers for learning route information that prohibits advertising messages from going back out on the same port to which the information came in, thus preventing routing loops. The “simple split horizon” scheme omits routes learned from one neighboring router in updates that are sent to that neighbor. Poison reverse. This is an algorithm used in conjunction with split horizon, sometimes called “split horizon with poison reverse,” that improves RIP information convergence by advertising all network IDs. Poison reverse is safer than simple split horizon. If two routers on the network have routes pointing at one another, reverse routes are advertised with a metric of 16. This will break the loop immediately because the route will be marked as unreachable due to RIP’s hop count limit. If the reverse routes were not advertised, the erroneous routes would not be eliminated until a timeout occurred.
560 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Triggered updates. Even though split horizon and poison reverse prevent routing loops when only two routers are involved, it is still possible for looping to occur if there are three or more gateways. Triggered update algorithms invoke a rule that says when a gateway changes the metric for a route, it must send update messages almost immediately, even if it is not yet time for the regular update announcement to be sent. This speeds the convergence of information and corrects more complex looping problems.
NOTE In the b est of all p ossib le world s, the network would b e frozen in p lace while the cascad e of triggered up d ates is hap p ening. If this were p ossib le, b ad routes would always b e rem oved im m ed iately, and routing loop s could never occur. In the real world , however, regular up d ates m ay b e hap p ening at the sam e tim e the triggered up d ates are b eing sent. Routers that haven’t received the triggered up d ate will still send out inform ation b ased on the b ad route that no longer exists. The p rob lem occurs when a router has alread y received the triggered up d ate, then afterward receives a regular up d ate from a router that hasn’t yet received the triggered up d ate. This would reestab lish the b ad route. The key is m aking the triggered up d ates occur q uickly enough to p revent this situation.
RIP Listening (Silent RIP) The Windows 2000 router also supports “RIP listening.” You will find this referred to in RFC 1058 as “silent RIP processes.” The RFC defines a silent process as one that normally does not send out any messages, but listens to messages sent by others. Hosts that do not act as gateways themselves, but wish to keep their internal routing tables up to date, can use silent RIP to do so. This service can also be useful in some dial-up network situations, for instance if the computer is operating as a remote access client over a dial-up connection to a corporate network. Before you can use RIP listening in Windows 2000, it must be enabled. You do this by installing the RIP Listener in the Networking Services properties sheet of Add/Remove Windows Components, accessed through the Add/Remove Programs applet in Control Panel. This is done on a TCP/IP host computer; this component will not be available on a server computer that has RRAS installed. See Figure 11.11.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 561
Figure 11.11 Enab ling RIP listening on a TCP/IP host com p uter.
NOTE Although Wind ows 2000 RRAS sup p orts b oth versions 1 and 2 of RIP, RIP listening only “hears” and up d ates route inform ation sent b y routers using RIP, version 1. When Wind ows 2000 is configured to unicast routing inform ation to neighb oring routers, silent hosts will not b e ab le to receive the announcem ents.
RIP Im p lem entation Both hosts and gateways may implement RIP. The protocol is used to convey information about routes to destinations. A destination can be an individual host, a network, or a special destination that is used to identify a default route. Note that a host that uses RIP is assumed to have interfaces to one or more networks, and is assumed to have a routing table that contains an entry for every destination that is reachable on the network. The metric is the most important piece of information in each entry, because RIP uses that information to determine the “cost” of the route, or to mark a network unreachable because that cost exceeds the maximum hop count of 15.
562 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
NOTE RIP uses the UDP transp ort p rotocol to send and receive announcem ent and up d ate m essages on UDP p ort 520.
Preventing Troub le b y Using Multip hased Im p lem entation Microsoft recommends that you deploy a RIP network in stages in order to make troubleshooting easier. Under this strategy, you would first set up basic RIP (version 1) and ensure that it is working properly. Then, add advanced features one at a time, testing each before adding more.
Ad vantages and Disad vantages of RIP The biggest advantages of RIP are its history as an industry standard (and thus wide support by routing devices) and its relative simplicity to set up. Its disadvantages include: ■
■
■
■
A hop count limitation of 15, which renders any subnet 16 or more hops away as unreachable. Excessive network traffic caused by RIP announcements, especially as the network grows larger. High convergence time, requiring up to several minutes for changes to propagate throughout the network. Possibility of routing loops while the routers are reconfiguring themselves after changes, which can cause data to be lost.
Com m on RIP Prob lem s Common problems with RIP routing include convergence problems, routing loops, and the “count to infinity” problem. Convergence problems. Because RIP is a distance vector protocol, it announces routing information without synchronization or acknowledgments, which can lead to convergence problems. It takes a certain amount of time for updates to propagate throughout the network. It is possible to modify the announcement algorithms to reduce the convergence time, although this may not work in all situations. Routing loops. Loops occur when a routing table has inaccurate entries. In this case, a path may be created through the network that loops back on itself. For example, if the routing table on
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 563
Router A says the best route to Network 3 is via Router B, and the routing table on Router B says the best route to Network 3 is via Router C, and the routing table on Router C says the best route to Network 3 is via Router A, you have a routing loop. Count-to-infinity. The “count-to-infinity” problem results from the lack of synchronized convergence. RIP routers add new routes to the tables based on routes advertised by other routers. When they do this, they retain only the lowest-cost route. A low-cost route is normally not updated with a higher-cost one. If a router goes down, unless every other router knows that it is down, count-toinfinity can occur. If a network becomes inaccessible, all the immediately neighboring routers will time out and set the metric to that network to 16 (which is considered “infinity”). All the other routers in the system will converge to new routes that go through one of those routers with a direct but unavailable connection. When convergence takes place, all the routers will have metrics of 16 for the vanished network. Since 16 indicates infinity, all routers then regard the network as unreachable. Rogue RIP routers. When using Windows 2000 RIP, version 1, be aware that there is no protection provided from “rogue” RIP routers. This means that regardless of the source of the RIPv1 announcement, it will be processed. This allows for the RIP routers to be overwhelmed with false or inaccurate routes by someone who wishes to disrupt the network communications.
NOTE RIPv2 sup p orts p assword authentication so the origin of RIP announcem ents can b e confirm ed .
OSPF To overcome some of the limitations imposed by RIP, Windows 2000 offers another choice of dynamic routing protocols: Open Shortest Path First (OSPF). OSPF was designed to handle the types of networks that RIP doesn’t handle well: large, complex internetworks.
NOTE OSPF stand ard s are d efined in RFCs 1247 and 1583 (OSPF, version 2).
564 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
OSPF is efficient; it does not require much overhead. This is especially important in the large internetwork environments for which it is designed. Further, OSPF’s Shortest Path First (SPF) algorithm is not vulnerable to routing loops that can plague RIP routes. SPF calculates the shortest path between the router and remote networks by creating and maintaining a map of the internetwork. The map is called a link state database, and OSPF is referred to as a link state protocol.
For IT Professionals
Distance Vector versus Link State Algorithm s One of the significant ways in which RIP and OSPF d iffer is in the algorithm s used to calculate routing d ecisions. RIP is a distance vector protocol , while OSPF is a link state protocol . Distance Vector Algorithms Distance vector algorithm s are also called Bellm an-Ford or Ford Fulkerson algorithm s. The latter authors were the first to d ocum ent the d istance vector algorithm class, which is b ased on “Bellm an’s eq uation” that form s the found ation of d ynam ic p rogram m ing. The d istance vector algorithm s are a long-stand ing stand ard , used for network routing calculations in glob al networking’s infancy in the 1960s, in the ARPANET that was the p red ecessor of tod ay’s Internet. The d istance vector algorithm s allow gateways (routers) to share and exchange routing tab le inform ation. This p rovid es a huge b enefit over static routing, which req uire tab les to b e constructed and m aintained m anually. RIP d escend ed from the Xerox networking p rotocols, and the nam e “Routing Inform ation Protocol” was first used in conjunction with XNS. Another variation is “Berkeley’s Routed .” Distance vector algorithm s, although a vast im p rovem ent over static routing, suffer from several lim itations. The m axim um p ath length is 15 hop s, and they are vulnerab le to routing loop s, caused b y a b ehavior called “count to infinity.” RIP and the other d istance vector p rotocols were d esigned for use in m od erately sized networks, not for an internetwork as vast as the Internet. That’s why they are im p lem ented as Interior Gateway Protocols. Continued
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 565
This b rings us to the need for another typ e of routing p rotocol that can b etter hand le routing over enorm ous, d isp arate networks. Link State Algorithms The link state p rotocol used b y OSPF m ap s the network and up d ates the m ap p ing d atab ase (called the link state database) whenever any changes are m ad e to the network. Link state p rotocols are also referred to as Shortest Path First (SPF) or d istrib uted d atab ase p rotocols. The first link state p rotocol was d esigned for use in the ARPANET. Later, m od ifications were m ad e to red uce traffic overhead and ad d fault tolerance. A link state routing p rotocol b uild s a consistent view of the network b y m ap p ing the network top ology. Each router b road casts (or m ulticasts) d ata ab out the cost of the p ath to each of its neighb oring routers. This inform ation is d issem inated to all nod es on the network. Link state p rotocols are m ore efficient b ut m ore com p lex than d istance vector p rotocols. As the link state d atab ase grows, m em ory and p rocessor req uirem ents and the tim e req uired to calculate routes increase. In ord er to ad d ress this p rob lem with link state p rotocols, OSPF d ivid es the internetwork into areas (these are group s of contiguous networks) that are connected to each other through a b ackb one area. Each router then keep s a link state d atab ase only for those areas that are connected to the router. Link state p rotocols use TCP d irected p ackets to com m unicate with other routers d irectly in an area, thus red ucing b road cast traffic on the network. With link state p rotocols, convergence occurs as soon as the d atab ases are up d ated , avoid ing the slow convergence p rob lem s of d istance vector algorithm s. Link state routing p rotocols also allow for security of the record up d ate m essages. The d atab ase up d ate p ackets are transm itted in a secure m anner and p rotected b y a checksum . Link state record s are also p rotected b y tim ers that rem ove them from the d atab ase if a refresh p acket d oesn’t arrive within the tim eout sp ecified . For even m ore security, the m essages can b e p assword authenticated .
In an OSPF network, the database is synchronized between the OSPF routers, which use it to calculate routes in the routing table. OSPF supports load balancing and multipath routing, and can be used with both broadcast networks (such as Ethernet) or nonbroadcast
566 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
networks (such as ATM or X.25). OSPF has different protocols for broadcast and multicast network types.
NOTE OSPF uses the Dijkstra algorithm , which com es from the b ranch of m athem atics known as grap h theory, to calculate the lowest-cost p ath to a d estination from a given source.
OSPF on a Broad cast Network On a broadcast network, OSPF uses a packet called a Hello protocol message, which is a broadcast message by which routers locate one another. A router is selected to be the Designated Router (DR), and all the other routers exchange routing information with the DR. Then, the DR updates neighboring routers. The DR is elected by an exchange of Hello packets. Each packet includes the current DR, the sending router’s router ID, and its router priority (which can be set during configuration of OSPF). The router with the highest priority is selected to be the DR. If more than one router has the same priority, the one that has the highest router ID will become the DR. A backup DR is also elected for multiaccess networks, so if the DR becomes unavailable, connectivity will not be lost.
WARNING Configuring an OSPF router with a p riority of 0 m eans it cannot b ecom e a DR. There m ust b e at least one router on the m ultiaccess network that has a p riority of 1 or ab ove. Otherwise, no router can b ecom e DR and the link state d atab ase cannot b e synchronized , resulting in no traffic b eing p assed across that network.
OSPF on a Nonb road cast Network On a network using a nonbroadcast architecture, such as ATM, OSPF has to be initially configured manually with the addresses of neighboring routers. A DR is also used, but rather than sending the routing information via broadcast or multicast, it is sent point to point, between the DR and the other routers. This means a greater number of virtual
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 567
connections are required for complete connectivity, making it more complex and more resource-intensive than a broadcast network implementation.
OSPF on a Point-to-Point Network OSPF can also be used on a dedicated point-to-point network such as T-1 leased lines, connecting only two routers. IP multicast addresses are used for the OSPF messages.
OSPF’s Hierarchical Routing Structure The routing tables used by a distance vector protocol like RIP have a flat structure, and every RIP router on the internetwork must contain an entry for every network. The networks are not divided into areas or groups; all are seen as individual entities—thus the “flat” description. Link state protocols like OSPF create a hierarchical structure by dividing the internetwork into areas. Every OSPF router belongs to an area, identified by a 32-bit number, expressed in dotted decimal called the area number. This greatly reduces the size of the routing table for each router, since it only has to keep entries for its area.
NOTE Although the area ad d ress is in the sam e form at as an IP ad d ress, it is an entirely d ifferent num b er, assigned b y the ad m inistrator. It has no relationship to the network ID, although if the networks in an area are all in one sub netted network ID, you could , for convenience, use the network ID as the Area ID. Wind ows 2000 allows you to configure up to 16 areas for an interface.
There is also a backbone area designated as area 0.0.0.0. The router that connects an area to the backbone area is called an Area Border Router (ABR). This router is a member of its area and contains routing information for that area, but also is a member of area 0.0.0.0 and can route between the two areas. See Figure 11.12 for an illustration of this. The ABR has a separate link state database for each area to which it belongs, and SPF calculations are performed independently for each area.
568 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Figure 11.12 The hierarchical structure of OSPF routing architecture.
Router
Router
Router
Area 0.0..0.1
Router
Router
Area 0.0.1.0
ABR
ABR
Router
ABR
Router
Area 0.0.0.0 (The backbone area)
Router
ABR
Area 0.0.1.1
Router
Router
Area 0.1.0.0
Router
Router
OSPF Areas An area can consist of one or more networks or subnets. The advantage of splitting the internetwork into areas is that you reduce the bandwidth used for routing so that it is proportionate to the size of the area rather than the size of the internetwork as a whole. ABRs can summarize the routes within their areas. Route summarization means that each ABR communicates a single route for its area to the backbone router. Thus, the Area 0.0.0.0 routing table contains only the number of routes that correspond to the number of areas, rather than all routes for each area. In Figure 11.12, Area 0.0.0.0’s database would be required to contain only four routes, regardless of how many routers and routes exist within each of the four areas. Route summarization also decreases recalculations of routes. Whenever a network is added or removed, each OSPF router must recalculate the database. By using areas, if a new network is added to Area 0.0.1.1, the routers in other areas will not be required to recalculate since the summarized route is still valid.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 569
OSPF Router Classifications OSPF routers on the internetwork are designed as one of the following: ■
■ ■ ■
ABR Area Border Router (routes between the area to which it belongs and the backbone area). IR Internal Router (routes within its area). BR Backbone Router (Area 0.0.0.0 router). ASBR Autonomous System Border Router (used on global internetworks, such as the Internet, to add another layer of the hierarchy. An Autonomous System, or AS, represents an entire enterprise network within the global internetwork).
NOTE AS num b ers are allocated b y the Internet Assigned Num b ers Authority (IANA), as they m ust b e glob ally-uniq ue.
OSPF uses 32-bit router identification numbers (router IDs) rather than the routers’ IP addresses to keep track of individual routers on the internetwork. This is because each router will have more than one IP address.
TIP The ad m inistrator assigns the router ID. It is com m on p ractice, although in no way req uired , to use the router’s lowest IP ad d ress for its router ID.
The Protocols Used b y OSPF The following protocols are used within OSPF: Common header protocol. The common header used for OSPF messages includes the version number, type, packet length, the router ID, Area ID, a checksum, and an authentication field (messages can be sent with password authentication or no authentication). Hello protocol. The Hello protocol is used on broadcast networks to discover the identities and routes of neighboring routers.
570 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Exchange protocol. The Exchange protocol uses database description packets in a master-slave relationship. The master sends the database description packets, and the slave sends an acknowledgment. Flooding protocol. The Flooding protocol is used when a link changes state, as when the link between two routers goes down. The router that is responsible for the changed link issues the new link state information, and the updated information is sent in regular intervals until an acknowledgment is received. Aging Link State Records protocol. The Aging Link State Records protocol is used to remove old, outdated records from the database. When the record is originally issued, its age is set as 0. It is incremented by 1 every second and on each hop, and when its age matches the designated maximum, the router removes it and informs neighboring routers of the change.
Ad vantages of OSPF Despite the fact that it is much more complex and requires more technical expertise to implement properly, OSPF has many advantages over RIP and other distance vector protocols: ■ ■ ■ ■ ■ ■ ■ ■
More efficient calculation of routes Faster convergence Support for load balancing Low bandwidth utilization No routing loops or count-to-infinity problems Hierarchical structure isolates instability within an area More scalability, appropriate for larger networks Secure password authenticated transmission of update messages
Window s 2000 as an IP Router A Windows 2000 multihomed host computer is configured as an IP router to provide packet forwarding for other TCP/IP computers by enabling the RRAS service and setting up a routed IP network. This can be a static routed network, a RIP for IP routed internetwork, or an OSPF routed internetwork. For more information about installing RRAS, see Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The Windows 2000 router supports both RIP (versions 1 and 2) and OSPF dynamic routing protocols.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 571
Installing Routing Protocols The Windows 2000 router supports dynamic routing, using RIP or OSPF. To install the RIP or OSPF protocol, open the RRAS management console. In the left console pane, expand the name of the RRAS server, expand IP Routing, and right-click General. Select New Routing Protocol, as shown in Figure 11.13. Figure 11.13 Ad d ing a d ynam ic routing p rotocol to the Wind ows 2000 router.
You will be given a choice to select either RIP or OSPF. Make the appropriate choice, and the protocol will be added. You can now configure it by right-clicking on its name, which will show up in the left console pane under IP Routing.
572 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Wind ows 2000 Router Managem ent Tools Windows 2000 provides built-in router management tools for the administration of the static, RIP, or OSPF router. A Windows 2000 router can be administered locally or remotely from another Windows 2000 computer running RRAS.
Remote Router Administration Windows 2000 allows you to administer a remote Windows 2000 router via the RRAS management console. To do so, open the RRAS MMC, and in the left pane of the console tree, right-click Server Status, then Add Server. A dialog box as shown in Figure 11.14 will appear. Figure 11.14 Use the Ad d Server d ialog b ox to select the com p uter(s) to ad m inister rem otely.
As you can see, you can select “The following computer:” and type in the name of the Windows 2000 router computer, you can select to administer all RRAS computers in a designated domain, or you can browse the Active Directory to find the computer to be administered. If you choose to browse the Directory, you will see a dialog box like the one displayed in Figure 11.15. If you elect to administer all RRAS servers in the domain, the names of all Windows 2000 computers in the domain running RRAS will be displayed in the left console of the MMC, as shown in Figure 11.16. You may notice in Figure 11.16 that there are three Windows 2000 computers running RRAS in the tacteam domain. One of them, DS2000, is marked with a red and white “X” to indicate that this computer is not a router or RRAS server and cannot be administered remotely (DS2000 is a Windows 2000 Professional workstation).
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 573
Figure 11.15 You can b rowse the Directory to find Wind ows 2000 routers or RAS servers.
You can now add new interfaces and routing protocols, and manage the routing components on the remote Windows 2000 router computer just as you could locally. Figure 11.16 Wind ows 2000 RRAS com p uters that can b e rem otely ad m inistered are d isp layed .
574 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Using ICM P Router Discovery You can use the Internet Control Message Protocol (ICMP), a TCP/IP utility, to configure IP host computers with the IP addresses of local routers (and establish a method for the hosts to detect that a router is down). To do so, implement router solicitation and advertisement.
NOTE ICMP router d iscovery m essages are d iscussed in RFC 1256.
Here’s how it works: 1. Host computers send router solicitation messages to discover the routers on their networks. 2. Routers send router advertisement messages in response to the solicitations. The routers also send advertisements on a regular basis (unsolicited) to inform the host computers that the routers are still up and available. To enable ICMP router discovery, open the RRAS console, and in the left pane of the console tree, under the Windows 2000 router on which you wish to enable discovery messages, click General under IP Routing. In the right console pane, right-click the name of the router interface you wish to enable for ICMP, then click Properties. Select the General tab, as shown in Figure 11.17, and check the “Enable router discovery advertisements” check box. Here, you can set the lifetime of the advertisement (the time after which a router will be considered to be down or unavailable) in minutes. You can also set the minimum and maximum rates for sending of ICMP advertisements by the router. “Level of preference” refers to the level of preference for this Windows 2000 router to be the default gateway for host computers on the network.
Using the Netshell Utility (NETSH) NETSH is a command-line utility included with Windows 2000, with which you can configure routes, interfaces, and routing protocols on Windows 2000 RRAS routers. The NETSH utility will allow you to display the configuration of routers that are running on Windows 2000 RRAS computers, and supports scripting so that you can run commands as batch files for a particular router.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 575
Figure 11.17 Enab ling router d iscovery ad vertisem ent m essages.
NETSH is used for management of other services, such as DHCP and WINS. To change the NETSH context to routing, use the routing command within NETSH, as shown in Figure 11.18. Figure 11.18 Use the NETSH com m and to d isp lay routing inform ation.
576 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Table 11.3 lists some of the commands available in the IP routing context. Table 11.3 Netshell IP Routing Com m and s Command
Description
ad d
Ad d s a configuration entry to a tab le
d elete
Deletes a configuration entry from a tab le
d um p
Dum p s a configuration scrip t
igm p
Changes to 'routing ip igm p ' context
nat
Changes to 'routing ip nat' context
osp f
Changes to 'routing ip osp f' context
relay
Changes to 'routing ip relay' context
reset
Resets IP routing to clean state
rip
Changes to 'routing ip rip ' context
routerd iscovery
Changes to 'routing ip routerd iscovery' context
set
Sets configuration inform ation
show
Disp lays inform ation
Up d ate
Up d ates autostatic routes on an interface
?
Disp lays help
Standard TCP/IP tools, such as PING, TRACERT, and PATHPING, are the common starting point for troubleshooting an IP routing problem. See Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on how to use these command-line utilities.
Router Configuration Proper configuration of the router(s) will prevent many problems. Configuring Windows 2000 as an IP router, for either static routing or using RIP or OSPF, is a relatively painless procedure, but it is important that you follow the steps exactly and don’t change settings unless you know what effect it will have.
Preconfiguration Check List Remember that before installing and configuring IP routing, you must ensure that the following have been done:
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 577 ■
■ ■
■
■
Install the proper hardware (the Windows 2000 computer acting as a router must have two network interfaces) and the drivers for the hardware. Check the Windows 2000 HCL to ensure compatibility of the hardware. TCP/IP must, of course, be installed and configured. The RRAS service must also be enabled and configured (see Chapter 9 for more information on proper installation of RRAS). Determine whether you will set up the Windows 2000 router for static or dynamic routing. Determine which routing protocols will be used on the network.
Configuring Wind ows 2000 Static IP Routing Deployment of static routing on a Windows 2000 router is relatively simple. You should first analyze the internetwork topology, to determine where each network is and where routers and TCP/IP host computers are located on the networks. Then, a unique network ID is assigned to each IP network, and IP addresses are assigned to each router interface.
TIP Com m on p ractice is to give the lowest IP ad d resses for the network ID to the routers. Thus, for network 192.168.1.0 (a class C network d efined b y a sub net m ask of 255.255.255.0), the router (d efault gateway) ad d ress that would b e assigned is 192.168.1.1. This is not req uired , b ut is an ind ustry trad ition.
Default routes can be configured on peripheral routers, although this is not required. A default route is used for sending packets to a destination for which there is no route available in the routing table. Nonperipheral routers (internal routers) should have routes to remote networks added to their routing tables as static routes. Each route should include the following: ■ ■ ■ ■
■
Destination network ID Subnet mask Gateway address Metric (number of hops required to get to the destination network) Interface that is to be used to send data to the destination network
578 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
These static routes should be entered in the routing tables of each nonperipheral router.
TIP Routes are ad d ed using the com m and -line ROUTE utility. To m ake a route p ersistent across system reb oots, use the –p op tion.
Troubleshooting Static Routing Configuration If the router is not forwarding data properly in a static routing environment, you should do the following: 1. First, confirm that IP routing is enabled on the Windows 2000 router, by checking the RRAS management console. 2. Use IPCONFIG at the command line to ensure that the TCP/IP configuration for the interface is correct. Use standard TCP/IP tools such as PING to verify connection to hosts on the network segment. 3. Ensure that the default route is configured correctly. The default route is used for sending packets to destinations that are unknown to the router. Be sure that the route set as the gateway for the route is reachable and is on the same network as the interface.
NOTE Routers should b e configured to use a static IP ad d ress, instead of getting an IP ad d ress via DHCP.
Configuring RIP for IP Remember that RIP is most appropriately used for medium-sized internetworks (those consisting of 10 to 50 networks). RIP can be used with multipath networks, where there is more than one pathway a packet could take between two endpoints on the network. RIP will also work in an environment where the network topology changes, and networks are added and removed.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 579
In designing the RIP network, keep in mind the maximum hop count limitation of 15. This limits the number of routers through which a packet must go to reach any destination from any source, for practical purposes, to 14 (called the maximum physical router diameter). As in deploying static routing, you should first analyze the internetwork, assign network IDs, and assign IP addresses, following the same basic rules discussed earlier. Then, decide whether to use RIPv1 or RIPv2 on each Windows 2000 computer functioning as a router. Add the appropriate RIP protocol to each Windows 2000 router interface, as shown in Figure 11.19. Figure 11.19 Ad d ing the RIP p rotocol to a router interface.
Once the protocol has been added, right-click the Interface name in the right console pane of the MMC, and select Properties to configure it (see Figure 11.20). To configure RIPv2, do the following: 1. In Outgoing Packet Protocol on the General tab of the Properties sheet: a) select RIPv2 broadcast if there are version 1 RIP
580 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
routers on this network, or b) select RIPv2 multicast if all RIP routers on the network are version 2 routers. 2. In Incoming Packet Protocol, select RIP, version 1 and 2 if it is a mixed RIP environment, and RIP, version 2 only if there are only RIPv2 routers on this network. Figure 11.20 RIP Prop erties d ialog b ox.
Troubleshooting RIP Configuration Some of the more common RIP configuration problems include incorrect routes in the mixed RIP (version 1 and 2) environment, silent hosts not getting route updates, auto-static updates not working properly, and host routes and/or default routes not being propagated to other routers.
Prob lem s with Mixed RIP Versions When a network includes some routers running RIPv1 and others running RIPv2, the version 2 routers must be configured to send broadcasts if you want the version 1 routers to receive their announcements. If you have this problem, ensure that your RIPv2 router interfaces are all set to broadcast their announcements, not multicast.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 581
Prob lem s with Silent Hosts RIP listeners (silent hosts) cannot receive multicast announcements. If you have silent RIP hosts that fail to receive announcements, confirm that the silent hosts are using RIPv1 and that the RIPv2 routers on the network are set to send broadcast, not multicast, announcements.
Prob lem s with Autostatic Up d ates If you have demand-dial routing interfaces using auto-static updates (see Chapter 9 for more information about RRAS demand dial), the demanddial interfaces need to be set to broadcast announcement messages instead of multicasting. Autostatic updates are used with demand-dial routing over a remote access link. The “auto” in the term refers to the automatic adding of the requested routes as static routes in the routing table upon an explicit request via RRAS or the NETSH utility. The demand-dial link must be connected. If an autostatic request is made, existing autostatic routes that are in the table are deleted. Then, the update is requested from other routers. This can lead to problems: If other routers don’t response to the update request, the router cannot replace the routes it has deleted. This could cause loss of connectivity to remote networks.
Prob lem s with Prop agation of Host and Default Routes RIP does not propagate host and default routes by default. You must specifically enable propagation, which can be done by right-clicking the Interface name in the right console pane of the RRAS MMC, selecting Properties, and then selecting Advanced. See Figure 11.21. The RIP Properties box is also used to set Security on the update announcement messages and to specify RIP neighbors and determine the router’s behavior in regard to those neighbors.
Configuring OSPF The OSPF dynamic routing protocol is installed similarly to RIP, via the New Protocol selection, when you right-click the General tab under IP Routing in the RRAS management console. Once the protocol is enabled, configure it by following these steps: 1. Click on OSPF in the left pane console tree. 2. In the right pane, right-click the interface you want to configure, and choose Properties.
582 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Figure 11.21 Setting RIP to p rop agate host and d efault routes in the Ad vanced Prop erties b ox.
3. Select the “Enable OSPF for this address” check box on the General tab. Where it says Area ID, click the ID of the area to which this interface belongs. 4. Set the priority of the router over the interface in “Router priority.” 5. Use the scroll arrows to set the cost of sending a packet over the interface under Cost. 6. Type in a password, if password protection is enabled for that area. 7. Select the OSPF interface type under Network type.
TIP If this interface has m ore than one IP ad d ress configured , select the IP Ad d ress b ox on the General tab and configure OSPF for each ad d ress.
The OSPF Interface Properties dialog box appears in Figure 11.22.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 583
Figure 11.22 The OSPF Interface d ialog b ox showing the contents of the General tab .
OSPF Passw ord Protection All OSPF routers in the Area must use the same password. To set the password, click OSPF in the left pane of the console tree, and select Properties. On the General tab, type the correct password in the Password box. Remember that OSPF passwords are case-sensitive.
Window s 2000 Router Logging You can enable router logging for the Windows 2000 router to assist you in troubleshooting routing problems. You can either enable event logging, to log router events in the system log in Event Viewer, or enable trace logging, which will log information to a file (or you can do both).
Using Event Logging You can enable event logging on the Event Logging tab on the Properties sheet of a remote access server. Choose the RRAS server, right-click and select Properties, then select the Event Logging tab, as shown in Figure 11.23.
584 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
Figure 11.23 You can select from four levels of event logging in the RRAS server Prop erties sheet.
You can choose the level of information you wish to be logged to the system log. There are four levels: logging of errors only, logging of errors and warning messages, logging of the maximum possible amount of information, or no logging (disabled).
NOTE The d efault setting is logging of errors and warning m essages.
Remember that logging uses a great deal of system resources and should be used only when necessary and disabled when the problem has been addressed.
Using the Tracing Function The Windows 2000 router supports tracing, a feature that can be used for troubleshooting complex network routing problems. When you enable tracing in Windows 2000 Server, the tracing information will be logged to files.
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 585
To enable the tracing feature, it is necessary to edit the Windows 2000 Registry.
WARNING Ed iting the Wind ows 2000 Registry incorrectly can cause serious d am age to the op erating system , includ ing m aking your com p uter unb ootab le. Always b ack up im p ortant d ata b efore you m ake changes to the Registry.
To enable tracing, open the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
Tracing is enabled separately for each routing protocol, by setting the appropriate Registry values. Each of the routing protocols appears as a subkey in the Registry, under the Tracing key. Select the protocol for which you wish to enable tracing (for example, OSPF).
TIP Tracing can b e enab led or d isab led while the router is running.
Configure the following Registry value entries for each protocol key to enable tracing for that protocol: ■
■
■
■
EnableFileTracing (value type is REG_DWORD) Set EnableFileTracing to 1 (the default value is 0) to enable logging tracing information to a file. FileDirectory (value type is REG_EXPAND_SZ ) To change the default location of the tracing files, set the FileDirectory value to the desired path. The filename for the log file is the name of the component for which tracing is enabled. Tracomg log files are placed in the systemroot\Tracing folder by default. FileTracingMask (value type is REG_DWORD) This setting indicates how much tracing information is logged to the file. MaxFileSize (value type is REG_DWORD) Set this value to change the size of the log file. The default value is 10000 (64K).
586 Chapter 11 • Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level
TIP Tracing uses a significant am ount of system resources. Use it sp aringly for id entification of network p rob lem s. After you cap ture the trace, d isab le tracing. Never leave tracing enab led on m ultip rocessor system s.
Troubleshooting Common Window s 2000 Routing Problems Now that we have discussed how IP routing works in a static, RIP, or OSPF environment, let’s look at some of the common problems that arise with Windows 2000 computers configured to perform IP routing.
Troub leshooting Static Routing Because static routing is much less complex than dynamic routing, troubleshooting is in some ways simplified. The standard TCP/IP commandline utilities can be used for many troubleshooting tasks. Remember that static routing is appropriate for small, simple internetworks (no more than 10 subnetworks). For best results, there should be only one path available between any two endpoints, and the internetwork topology should not change often.
Using PING and TRACERT Test connectivity between the host computers using the TCP/IP utilities PING and TRACERT (as discussed in Chapter 4, “Windows 2000 TCP/IP Internals”) to ensure that routing paths are accessible.
Using the ROUTE Command As discussed earlier, static entries are made to the routing table using the ROUTE command and its options. You can also modify or delete routes, and make routes persistent over reboots.
Static Routing and Routing Loops A problem that can occur in a network using static routing happens when you configure two routers with default routes that point to one another. A default route is used for data packets addressed to destinations that reside on remote networks (networks not directly connected to the router). If two neighboring routers have default routes that point to one another,
Troubleshooting Window s 2000 Connectivity Problems at the Internetw ork Level • Chapter 11 587
this can create a routing loop when packets are sent to unreachable destinations. To prevent this problem, don’t configure neighboring routers with default routes pointing to each other. The following shows what a router loop might look like after doing a tracert: C:\>tracert 199.70.51.234 Tracing route to 199.70.51.234 over a maximum of 30 hops 1 2 3 4 5 ] 6 7