91_FP.qx
11/28/00
4:09 PM
Page 1
TROUBLESHOOTING
WINDOWS 2000
T C P/I P
“This book is an important ally in keeping your Windows 2000 TCP/IP network running smoothly.” —Excerpt from Foreword by Ted Rohling, Chief Technical Officer Decision Networks, Inc.
FREE Monthly Technology Updates One-year Vendor Product Upgrade Protection Plan FREE Membership to Access.Globalknowledge
Debra Littlejohn Shinder, MCSE, MCP+I, MCT Thomas W. Shinder, M.D., MCSE, MCP+I, MCT
91_tcpip_FM.qx
2/28/00
10:58 AM
Page i
[email protected] With over 1,000,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created
[email protected], a service that includes the following features: ■
A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■
Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for
[email protected].
■
Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■
Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.
Once you've purchased this book, browse to www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
91_tcpip_FM.qx
2/28/00
10:58 AM
Page ii
91_tcpip_FM.qx
2/28/00
10:58 AM
Page iii
TROUBLESHOOTING
WINDOWS 2000
TCP/IP
91_tcpip_FM.qx
2/28/00
10:58 AM
Page iv
Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™” is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010
SERIAL NUMBER MBN123WER6 BUT432GHPL VTR987EDXA LKN567YTG7 QQWZA2BNM9 183ABC7891 VCRTED1984 CRTY1534XX MNPPP19875 XXCVB98345
PUBLISHED BY Syngress Media, Inc. 800 Hingham Street Rockland, MA 02370 Troubleshooting Windows 2000 TCP/IP Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-11-3 Copy edit by: Beth Roberts Technical edit by: Thomas W. Shinder, M.D. Index by: Robert Saigh Project Editor: Julie Smalley Distributed by Publishers Group West
Proofreading by: James Melkonian Page Layout and Art by: Emily Eagar and Vesna Williams Co-Publisher: Richard Kristof
91_tcpip_FM.qx
2/28/00
10:58 AM
Page v
Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Shelley Everett, Laurie Hedrick, Rhonda Harmon, Lisa Lavallee, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise. Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow, Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson, Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt International for making certain that our vision remains worldwide in scope. Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
v
91_tcpip_FM.qx
2/28/00
10:58 AM
Page vi
From Global Knowledge At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank your for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards,
Duncan Anderson President and Chief Executive Officer, Global Knowledge
vi
91_tcpip_FM.qx
2/28/00
10:58 AM
Page vii
Contributors Debra Littlejohn Shinder (MCSE, MCP+I, MCT) is an instructor in the AATP program at Eastfield College, Dallas County Community College District, where she has taught since 1992. She is Webmaster for the cities of Seagoville and Sunnyvale, TX, as well as the family Web site at www.shinder.net. She and her husband, Dr. Thomas W. Shinder, provide consulting and technical support services to Dallas area organizations. She is also the proud mother of daughter, Kristen, who is currently serving in the U.S. Navy in Italy, and son, Kris, who is a high school chess champion. Deb has been a writer for most her life, and has published numerous articles in both technical and non-technical fields. She can be contacted at
[email protected]. Thomas W. Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. Dr. Shinder has consulted with major firms including Xerox, Lucent Technologies and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Dr. Shinder attended Medical School at the University of Illinois in Chicago, and trained in Neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on Systems Engineering. Tom works passionately with his beloved wife, Deb Shinder, to design elegant and cost-efficient solutions for smalland medium-sized businesses based on Windows NT/2000 platforms.
vii
91_tcpip_FM.qx
2/28/00
10:58 AM
Page viii
Foreword When facing a new operating environment such as Windows 2000, resources such as this book are essential to your success. Here you will find all the information you need to understand the new TCP/IP administration tools available in the Windows 2000 environment. Rather than looking through countless CDs and volumes of documentation, you can look here. You will find the helpful hints you need to locate and troubleshoot the problems you will inevitably face. Experience and knowledge work together to help you do your job. This book is an important ally in keeping your Windows 2000 TCP/IP network running smoothly. Our success as network analysts is often judged by our ability to find and fix problems. In the past, the process was often a hit-or-miss proposition made worse by difficult-to-use vendor documentation. I have spent countless hours with co-workers just trying to find clues to the nature of a problem because not enough good information was available. Hopefully this book will save you from the hit-or-miss approach, immediately increasing your value as a Windows 2000 network analyst. Read, highlight, dog-ear, tab, use sticky notes; in short, make the book yours! —Ted Rohling, MCP, CCNA, CCDA Mr. Rohling is the Chief Technical Officer of Decision Networks, Inc., a computer networks consulting and training company in San Antonio, Texas. Ted has over 33 years of experience in the computer and networking field.
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page ix
Contents Preface Chapter 1: TCP/IP Overview Introduction TCP/IP’s “Net” Worth More Power, More Flexibility—and More Potential for Problems What’s Ahead in This Chapter TCP/IP: Where It Came From, and Where It’s Going History of the TCP/IP Protocols The Role of the U.S. Department of Defense From ARPAnet to the Internet Another Contender for the Title: The OSI Protocol Suite The Future of TCP/IP Looking Ahead to IPv6 Networking Models The Purpose of the Models Why Use Layered Models? The ISO OSI Model Seven Layers of the Networking World Layer 7: The Application Layer Layer 6: The Presentation Layer Layer 5: The Session Layer Layer 4: The Transport Layer Layer 3: The Network Layer Layer 2: The Data Link Layer Layer 1: The Physical Layer The DoD Model The Application/Process Layer The Host-to-Host (Transport) Layer The Internetworking Layer The Network Interface Layer The Microsoft Windows 2000 Networking Model The Application and User Mode Services Component The API Boundary Layer The File System Drivers The TDI Boundary Layer The Network Transport Protocol Component The NDIS Boundary Layer The NDIS Wrapper A Family of Protocols: The TCP/IP Suite Application Layer Protocols FTP SNMP
xxv 1 2 2 4 4 5 5 6 7 8 10 10 14 15 15 16 16 18 19 20 21 24 25 29 33 34 34 34 34 34 35 36 37 37 38 38 38 38 38 39 39
ix
91_TCPIP_TOC.qx
x
2/25/00
6:21 PM
Page x
Troubleshooting Windows 2000 TCP/IP • Contents
Telnet SMTP HTTP NNTP Transport Layer Protocols TCP UDP Network Layer Protocols IP ARP and RARP ICMP IGMP TCP/IP Utilities Basic Network Design Planning as Preventative Medicine Testing and Implementation Prototyping Pilot Programs Rollout Summary FAQs
Chapter 2: Setting Up a Windows 2000 TCP/IP Network Introduction Designing a New Windows 2000 TCP/IP Network The Planning Team Planning the Hardware Configurations Planning the Physical Layout Diagramming the Network Layout Planning for Sites What Is an Active Directory Site? Planning the Namespace Planning the Addressing Scheme Installing and Configuring Windows 2000 TCP/IP Installing TCP/IP on a Windows 2000 Computer The Protocol Installation Process Configuring TCP/IP Upgrading to Windows 2000 from Windows NT 4.0 The Windows NT Domain Models Single Domain Single Master Domain Multiple Master Domains Complete Trust
40 40 41 41 42 42 42 42 42 42 43 43 43 44 44 44 44 45 46 47 48
51 52 52 53 53 54 55 56 56 59 60 61 62 63 66 68 68 69 69 71 72
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xi
Windows 2000 Configuration Wizards • Contents
Which Model Is Easiest to Upgrade? Other Pre-Upgrade Issues Windows 32-Bit Applications DOS Applications Windows 16-Bit Applications OS/2 and POSIX Application Support in Windows 2000 Application Support Summary Common Upgrade Problems Migrating to Windows 2000 from Novell NetWare Understanding the NetWare Implementation of TCP/IP Premigration Issues Using the Directory Services Migration Tool Common Migration Problems Migrating to Windows 2000 from UNIX Understanding the UNIX Implementation of TCP/IP Summoning the Daemons UNIX TCP/IP Utilities Peaceful Coexistence: The Hybrid Network Environment NetWare Interoperability Client Services for NetWare (CSNW) Gateway Services for NetWare (GSNW) NetWare Protocol Support File and Print Services for NetWare Troubleshooter UNIX Interoperability Interoperability with IBM Mainframe Networks Summary FAQs
Chapter 3: General Windows 2000 TCP/IP Troubleshooting Guidelines Introduction The Ten Commandments of Troubleshooting 1: Know Thy Network 2: Use the Tools of the Trade 3: Take It One Change at a Time 4: Isolate the Problem 5: Recreate the Problem 6: Don’t Overlook the Obvious 7: Try the Easy Way First 8: Document What You Do 9: Practice the Art of Patience 10: Seek Help from Others Windows 2000 Troubleshooting Resources Microsoft Documentation
73 75 75 75 76 76 77 78 78 79 80 80 82 82 83 83 83 84 84 85 85 85 85 86 86 86 87 88
91 92 92 92 93 93 94 95 95 96 96 97 98 99 99
xi
91_TCPIP_TOC.qx
xii
2/25/00
6:21 PM
Page xii
Troubleshooting Windows 2000 TCP/IP • Contents
Help Files Resource Kits White Papers TechNet Newsgroups Third-Party Documentation Internet Mailing Lists Usenet Newsgroups Web Resources General Troubleshooting Models Differential Diagnosis Model Examination Diagnosis Treatment Follow-Up SARA Model Scanning Analysis Response Assessment Putting the Models to Work for You The Information-Gathering Phase Questions to Ask Question Format Log Files Application Log System Log Security Log Tools of the Trade The Problem Isolation Phase Organizing and Analyzing the Information Setting Priorities Prioritizing the Problems Prioritizing the Solutions Taking Corrective Measures One Change at a Time Order of Implementation Monitoring Results Using Forms and Check lists Summary FAQs
Chapter 4: Windows 2000 TCP/IP Internals Introduction RFC Compliance Enhancements to the TCP/IP Stack in Windows 2000 RFC 1323: TCP Extensions for High Performance
100 101 102 103 104 105 105 106 106 107 108 108 109 109 109 110 110 111 111 112 112 112 112 113 117 117 117 120 122 122 123 125 126 126 127 127 127 127 128 131 133
135 136 136 138 140
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xiii
Windows 2000 Configuration Wizards • Contents
Scalable TCP Window Size TCP Timestamps RFC 2018: SACK (Selective Acknowledgment) RFC 1577: IP over ATM RFC 2001: TCP Fast Retransmit RFCs 2211 and 2212: Quality of Service RFC 2205: Resource Reservation Protocol IPSec Purpose and Uses of IPSec IP Security Options IPSec Configuration IPSec Troubleshooting NDIS 5.0 Inside the Windows 2000 Internet Protocol (IP) Classless Inter-Domain Routing Multihoming Problems Related to Multihoming IP Multicasting Multicast Address Range Troubleshooting IP Multicasting Duplicate IP Address Detection Inside the Windows 2000 Transport Protocols (TCP and UDP) Transmission Control Protocol Dead Gateway Detection Delayed Acknowledgments TCP Keep-Alives Avoiding the Silly Window Syndrome User Datagram Protocol Understanding TCP/IP Registry Settings Using the Registry Editing Tools Configuring TCP/IP Behavior through the Registry Creating a New Value Editing Common TCP/IP Registry Values Registry Settings that Should Not Be Edited Summary FAQs
Chapter 5: Using Network Monitoring and Troubleshooting Tools in Windows 2000 Introduction Windows 2000 Monitoring Tools Basic Monitoring Guidelines Baselining Documentation Backing Up Analysis
140 150 152 153 155 156 157 158 158 159 160 161 164 165 166 167 168 169 170 171 171 172 172 173 173 174 174 175 175 176 178 179 180 181 182 185
187 188 188 188 188 189 189 189
xiii
91_TCPIP_TOC.qx
xiv
2/25/00
6:21 PM
Page xiv
Troubleshooting Windows 2000 TCP/IP • Contents
Performance Logs and Alerts Counters Log File Format Alerts Network Monitor Filtering Security Issues Installation Using the Program Capture Window Panes Extra Tools Buffers Collecting Data Filtered Captures Event Viewer Using TCP/IP Utilities PING -t Switch -n Switch -r Switch -i Switch -w Switch Using PING nslookup PATHPING tracert ARP Using ARP Static ARP Cache Entries ipconfig netstat and nbtstat netdiag Using netdiag SNMP What SNMP Does Installing the Agent Using IPSec Encryption Network Management Programs Microsoft Systems Management Server NTManage Summary FAQs
Chapter 6: Troubleshooting Windows 2000 NetBIOS Name Resolution Problems Introduction to Name Resolution Services NetBIOS Name Resolution
190 192 196 196 198 199 199 199 199 200 200 202 204 207 216 219 219 220 220 220 221 221 221 223 223 225 227 227 227 228 233 238 239 242 242 244 250 250 250 251 251 252
257 258 258
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xv
Troubleshooting Windows 2000 TCP/IP • Contents
Windows 2000 Methods of NetBIOS Name Resolution NetBIOS Name Cache NetBIOS Name Server Broadcast LMHOSTS HOSTS DNS Server The Order of NetBIOS Resolution B-Node P-Node M-Node H-Node The Windows 2000 Windows Internet Name Service (WINS) NetBIOS Name Registration NetBIOS Name Query Request NetBIOS Name Release Multihomed Computers and WINS WINS Proxy Agents WINS Configuration Issues Static Mappings WINS Replication Partnership Agreements WINS Partner Autodiscovery WINS Network Topologies Spoke and Hub topology Push and Pull Partnerships Backing Up the WINS Database Scavenging the Database Interactions with DNS Servers Pointing WINS Servers to Themselves The Browser Service, WINS and Multihomed Masters Windows 2000 WINS Enhancements Persistent Connections Manual Tombstoning Is WINS Ever Going to Go Away? Troubleshooting Common NetBIOS Communication Problems Summary Don’t Multihome Your WINS Server Use a WINS Proxy Agent on Segments with non-WINS Clients Avoid Static Records in the WINS Database Define Replication Partners Based on Link Factors Avoid Split Registration Use the Hub and Spoke Model in Multisite Environments Configure DNS Servers to Resolve NetBIOS Names Don’t Multihome Master Browsers Use Manual Tombstoning Instead of Deleting Records Consider the Ramifications before Disabling NetBT FAQs
261 261 262 263 263 265 266 266 266 267 267 268 271 271 273 274 274 275 276 276 277 278 281 282 283 283 288 290 290 296 299 302 302 302 305 306 309 309 310 310 310 311 311 311 311 312 312 313
xv
91_TCPIP_TOC.qx
xvi
2/25/00
6:21 PM
Page xvi
Troubleshooting Windows 2000 TCP/IP • Contents
Chapter 7: Troubleshooting Windows 2000 DNS Problems Introduction The Difference between NetBIOS Names and Host Names Flat versus Hierarchical Namespace NetBIOS on a TCP/IP Network Characteristics of Host Names The Need for a Name Resolution Service Domains: The “Family Name” The Domain Name System A Hierarchical Naming System Domain Levels Fully Qualified Domain Names Host Name Resolution Name Resolution Sequence The Caching Resolver Using the HOSTS File for Name Resolution Sending the DNS Query to a DNS Server The Recursion Process UNC Paths and DNS Queries Connecting over the Internet via UNC Qualified versus Unqualified Names Appending DNS Suffixes Host Name Resolution via WINS Lookups Multiple DNS Zones and WINs Naming Conventions and Issues Windows 2000 Support for RFC 2181 The Controversial Underscore Character Integrity Check Extended Character Set and Zone Transfers Lowercase Only Domain Naming Schemes and Implementation Problems Same Intranet and Internet Domain Name Solution: Separate DNS Zone Databases Different Intranet and Internet Domain Names Advantages of Using Different Internal and External Domain Names Proxy Configuration Corporate Mergers and Domain Management The Problem: Corporate Merger Proposed Solution Testing the Solution DNS Zone Design and Troubleshooting Standard Zones Zone Transfer Refresh Interval
317 318 319 319 320 321 321 321 322 322 323 324 329 329 329 331 332 333 335 335 336 338 338 338 339 339 340 340 342 342 342 343 343 345 345 345 345 346 347 348 350 352 358 360
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xvii
Troubleshooting Windows 2000 TCP/IP • Contents xvii
DNS Notify Request for Information Query Fast Transfer Reverse Lookup Zones The in-addr.arpa Domain Pointer Records Active Directory Integrated Zones Common Problems with Integrated DNS Zones Advantages of Active Directory Integration Zone Delegations Troubleshooting Delegation Problems Special Troubleshooting Issues with Windows 2000 DDNS Servers DNS Security and Internet Intruders Tracking Down the Problem The Solution: Forwarders and Slaves Solving WINS Client Ambiguity with WINS Lookup Zones Setting Up a Dedicated Zone for WINS Referrals Interoperability Problems WINS and WINS-R Incompatibility with BIND Servers DHCP and Resource Record Updates Troubleshooting Tools for Windows 2000 DDNS Servers nslookup ipconfig Event Viewer Network Monitor DNS Trace Logs Performance Summary FAQs
Chapter 8: Troubleshooting Windows 2000 IP Addressing Problems Introduction How IP Addressing Works Logical IP Addresses versus Physical MAC Addresses What an IP Address Represents Subnet Masking Determining Address Class How Network IDs Are Assigned How Host IDs Are Assigned within the Network Private versus Public Addresses How IP Addresses Are Used in Network Communications A Map for the Mail Carrier Getting from the Logical to the Physical Putting It All Together IP Communications on a Nonrouted Network (within the Subnet) IP Communications on a Routed Network (to a Remote Subnet)
361 362 362 363 364 364 366 366 367 369 370 371 371 372 372 373 374 376 377 379 380 380 382 382 383 386 387 390 394
397 398 399 399 400 403 405 408 408 413 414 415 415 417 417 418
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xviii
xviii Troubleshooting Windows 2000 TCP/IP • Contents
Overview: IP Addressing Configuration Errors Duplicate IP Addresses Locating the Other Computer that Is Using the Address Address Conflicts with Computers Using DHCP Invalid IP Addresses DHCP Configuration Problems How DHCP Works: Condensed Version Common DHCP Problems Server Configuration Problems Client Configuration Problems Other Common DHCP Problems Automatic Addressing (APIPA) How to Disable APIPA Hardware Address Problems Duplicate MAC Addresses Troubleshooting Subnetting Problems Why Divide the Network? Subnetting Scenario 1 Subnetting Scenario 2 Subnets Subnet Masks ANDing Tricking IP Making the Mask Subnet Masking for a Class A Network Subnet Masking for a Class B Network Subnet Masking for a Class C Network Errors in Subnet Masking Summary FAQs
Chapter 9: Troubleshooting Remote Access in a Windows 2000 TCP/IP Network Introduction Overview of Windows 2000 Remote Access Services Types of Remote Access Distinguishing between Remote Access and Remote Control Establishing a Remote Access Connection Software Needed for a Remote Access Connection The WAN Link The Remote Access Protocols Serial Line Internet Protocol The Point-to-Point Protocol Preventing Problems Related to the WAN Protocol Understanding Encapsulation Tools for Troubleshooting PPP Connections Using Network Monitor for PPP Analysis
420 420 421 422 422 423 423 425 426 443 444 446 447 448 448 448 449 450 450 450 451 451 452 452 452 455 457 459 460 463
465 466 467 467 468 470 470 471 482 484 484 486 486 487 487
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xix
Troubleshooting Windows 2000 TCP/IP • Contents
Enabling PPP Event Logging Enabling PPP Tracing Troubleshooting Remote Access Configuration Problems Remote Access Server Problems Inability to Establish a Remote Access Connection with the Server Inability to Aggregate the Bandwidth of Multiple Telephone Lines Inability to Access the Entire Network Client Configuration Problems Inability to Establish a Remote Connection Troubleshooting Remote Access Policy Problems Determining Which Multiple Policy Is Causing the Problem Troubleshooting NAT and ICS Configuration Problems The Difference between ICS and NAT Common NAT Configuration Problems Incorrect Public Address Range Incompatible Application Programs Other NAT Problems Troubleshooting VPN Connectivity Problems The Tunneling Protocols PPTP: Point-to-Point Tunneling Protocol L2TP: Layer 2 Tunneling Protocol Troubleshooting VPN Connections Inability to Connect to the Remote Access Server Summary FAQs
Chapter 10: Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level Introduction Problems with Network Interface Card Configuration The Role of the NIC Types of NICs Driver Issues Updating Drivers Problems with Cable and Other Network Media Network Cable Specifications Cable Length Issues The Role of Network Connectivity Devices Understanding Layer 1 and 2 Connectivity Devices How and Why Repeaters and Hubs Are Used How and Why Switches Are Used How and Why Bridges Are Used Understanding Upper-Layer Connectivity Devices
487 487 489 489 489 492 494 494 494 496 497 498 498 498 500 500 501 502 502 502 502 502 503 503 505
509 510 510 511 511 512 512 514 514 515 516 517 517 521 523 526
xix
91_TCPIP_TOC.qx
xx
2/25/00
6:21 PM
Page xx
Troubleshooting Windows 2000 TCP/IP • Contents
How Routers Work How and Why Routers Are Used How and Why Brouters Are Used How and Why Layer 3 Switches Are Used How and Why Gateways Are Used Troubleshooting Layer 1 and 2 Connectivity Devices Problems with Repeaters and Hubs The 5-4-3 Rule Passive, Active, and Intelligent Hubs Problems with Passive Hubs Problems with Active Hubs Problems with “Intelligent” Hubs Problems with Bridges Performance Problems Bridge Latency Bridge Looping Network Monitoring Problems Selecting a Connectivity Device Summary FAQs
Chapter 11: Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level Introduction A Routing Example IP Routing Overview Routing Fundamentals Direct Routing Indirect Routing The Default Gateway Routing Interfaces Routing Tables Viewing the Routing Table Understanding the Routing Table Simple Routing Scenario The Windows 2000 Router Routing Protocols How Static Routing Works Characteristics of Static Routing The Dynamic Routing Protocols RIP for IP OSPF Windows 2000 as an IP Router Installing Routing Protocols Windows 2000 Router Management Tools Remote Router Administration Using ICMP Router Discovery
526 528 529 530 530 531 531 531 532 532 532 532 532 533 533 533 536 537 538 539
541 542 543 544 545 545 546 547 549 550 550 552 553 553 555 555 557 558 558 563 570 571 572 572 574
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxi
Troubleshooting Windows 2000 TCP/IP • Contents
Using the Netshell Utility (NETSH) Router Configuration Preconfiguration Check List Configuring Windows 2000 Static IP Routing Troubleshooting Static Routing Configuration Configuring RIP for IP Troubleshooting RIP Configuration Configuring OSPF OSPF Password Protection Windows 2000 Router Logging Using Event Logging Using the Tracing Function Troubleshooting Common Windows 2000 Routing Problems Troubleshooting Static Routing Using PING and TRACERT Using the ROUTE Command Static Routing and Routing Loops Troubleshooting RIP for IP Viewing RIP Neighbors Viewing the Routing Table Summary: Common RIP Problems Troubleshooting OSPF Resetting the Windows 2000 Router Summary FAQs
Chapter 12: Troubleshooting Selected Services on a Windows 2000 TCP/IP Network Introduction Troubleshooting IIS Problems Log Files Enabling Site Logging Log File Formats Logging Problems Troubleshooting Web Server Problems Performance Problems Problems with Site Name Resolution Inaccessible Virtual Directories Problems with Hosting Multiple Sites on a Windows 2000 Server Some Clients Unable to Access Site Changing IIS Properties Troubleshooting FTP Server Problems End-User Problems New Connections Not Being Accepted Users Prompted for Username and Password Connection Limit Exceeded Troubleshooting NNTP Server Problems
574 576 576 577 578 578 580 581 583 583 583 584 586 586 586 586 586 588 588 589 589 590 591 591 595
599 600 600 602 602 604 608 609 609 611 612 613 614 616 617 617 617 619 620 621
xxi
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxii
xxii Troubleshooting Windows 2000 TCP/IP • Contents
Using Event Viewer for NNTP Troubleshooting Common NNTP Problems Summary FAQs
Chapter 13: Windows 2000 TCP/IP Fast Track Introduction TCP/IP: What It Is (and Isn’t) TCP/IP History and Future in a Nutshell Where TCP/IP Fits into the Networking Models The Members of the Suite Network Design and Planning Issues Design and Setup of a Windows 2000 Network Special Considerations for Windows 2000 Networks Active Directory Sites Active Directory Namespace IP Addressing Scheme Network Design Check List Installing and Configuring the TCP/IP Protocol Special Considerations when Upgrading from NT 4.0 Upgrading the Single Domain Model Upgrading the Single Master Domain Model Upgrading the Multiple Master Domain Model Upgrading the Complete Trust Model Upgrade Tools Special Considerations when Migrating from NetWare Migration Problems Special Considerations when Migrating from UNIX Hybrid Networks General Troubleshooting Guidelines Troubleshooting Resources Troubleshooting Models Differential Diagnosis Model SARA Model Information-Gathering Tips Questions to Ask Log Files Organizing Information Forms and Check Lists Inside TCP/IP Windows 2000 Enhancements Inside IP CIDR Support Multihoming IP Multicasting Duplicate Address Detection Inside TCP and UDP
621 622 626 628
631 632 632 632 633 634 635 635 636 636 636 636 637 637 637 637 637 638 638 638 639 639 639 639 640 640 641 641 641 641 641 642 642 642 643 643 643 643 643 644 644 644
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxiii
Troubleshooting Windows 2000 TCP/IP • Contents xxiii
TCP UDP TCP/IP Registry Settings Network Monitoring Tools Monitoring Guidelines Baselining Documentation Performance Logs and Alerts Network Monitor Capture Filters Display Filters Event Viewer TCP/IP Utilities Name Resolution Problems WINS and NetBIOS Name Resolution DNS and Host Name Resolution Resolving Host Names to IP Addresses Planning the DNS Namespace Zones Tools IP Addressing Issues The IP Address How IP Addresses Are Assigned ARP Common IP Addressing Errors DHCP Subnetting Problems Remote Access Connectivity Remote Access versus Remote Control Remote Access Links Remote Access Protocols RRAS Configuration Problems Server Configuration Client Configuration Multilink Network Access Remote Access Policy NAT and ICS NAT Configuration Virtual Private Networking (VPN) The Network Interface Level Connectivity Devices Repeaters Hubs Switches Bridges The 5-4-3 Rule The 80/20 Rule
644 644 645 645 645 645 645 645 646 646 646 647 647 647 648 649 649 649 650 650 650 650 651 651 652 652 653 653 653 654 654 654 654 655 655 655 655 655 656 656 657 657 657 657 657 657 658 658
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxiv
xxiv Troubleshooting Windows 2000 TCP/IP • Contents
Looping The Internetwork Level Routing Tables Features of the Windows 2000 Router Routing Protocols RIP Features OSPF Features Windows 2000 Router Logging Selected Services Site Logging Web Server FTP Server NNTP Server Summary
Appendix A: TCP/IP Troubleshooting Secrets Lesser-Known Shortcuts Finding the Consoles Control the Index Server Windows 2000 Telnet Client and Server Telnet Server Under-Documented Features and Functions The FTP Command Set The nslookup Utility Using ipconfig Switches For Experts Only The Future of IP Communications IP Telephony TAPI 3.0 and H.323 Telephony and Active Directory Planning the Transition to IPv6 How Is IPv6 Different? The Scary Part How to Prepare for the Transition Securing IP: IPSec End-to-End Security IPSec Functions Security Troubleshooting Tunnel Mode IPSec and NAT
Index
658 658 659 659 659 660 660 661 661 662 662 662 663 663
665 666 666 666 667 668 670 670 671 672 674 674 674 675 675 676 676 676 677 677 677 678 678 678 679
681
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxv
Preface and Acknowledgements There are few people today who "don’t do Windows." The Microsoft operating systems – Windows 3.x, Windows 95, Windows 98, Windows NT – have populated the desktops of millions. And over the last several years, Windows NT 4.0 has gained a large and increasing portion of the server market with almost 40 million installations throughout the world. At the same time, the popularity of networking in general and Internet connectivity in particular has increased exponentially. Now, with the release of Windows 2000, networking and internetworking have come into their own. And the default local area network (LAN) protocol for Windows 2000 is TCP/IP, which not coincidentally, is the protocol stack on which the global Internet is built. Many books have been written about TCP/IP, and there will be many written about Windows 2000. We have worked with both for a long time and find them to be a very stable combination. TCP/IP was originally designed with reliability as a first priority, and the Windows 2000 operating system is, by far, the most reliable and robust Microsoft operating system ever released. Even so, the sheer complexity of both means problems will occur from time to time. This book was written for those times. We have not attempted to make this book an all-encompassing guide to Windows 2000 or the TCP/IP protocol suite. What we have attempted to do is provide a foundation of useful information for network administrators and others responsible for setting up and maintaining a Windows 2000 TCP/IP network. That means this book is for you. Virtually all networks will run TCP/IP as their primary transport protocol due to the need to connect to the Internet. We have included some background on how TCP/IP communications work, as well as the specifics of Microsoft’s implementation of the protocols in Windows 2000, but our focus is on what can go wrong, and how to fix it when it does. This book is not a regurgitation of the Microsoft documentation and Internet Requests For Comments (RFCs), although we refer to those resources on occasion. Much of the information is based on our own experiences in working with TCP/IP in Windows 2000, both in the classroom/lab and in the field. We have also drawn on the experiences of fellow consultants and instructors who, like us, have been working with Windows 2000 since the early beta versions. Microsoft has provided a tremendous amount of documentation: comprehensive articles in TechNet, Help Files that (unlike in earlier versions) actually help, and numerous white papers and Knowledge Base entries. Even so, there are a number of “little things,” tips and tricks and required ways of doing things that aren’t fully and/or clearly documented. We have included a liberal sprinkling of notes, tips and warnings throughout the text to advise you of those little stumbling blocks and to document the xxv
91_TCPIP_TOC.qx
2/25/00
6:21 PM
Page xxvi
xxvi Troubleshooting Windows 2000 TCP/IP • Preface
"Eureka!" moments we experienced in learning to work with—and love—the new operating system. Another thing this book is not is a study guide. Although we both teach Microsoft certification classes and have written other books aimed specifically at those seeking their MCP or MCSE, the primary audience for this book is the administrator running Windows 2000 who needs help with TCP/IP-related problems now, not in theory, but in fact. On the other hand, in order to make the material relevant to new administrators as well as those with many years of experience, we have provided a fair amount of explanatory information, analogies, and anecdotes that might be helpful in some aspects of studying for the Windows 2000 exams. Troubleshooting Windows 2000 TCP/IP was not just another tech writing project for us. It started out as a challenge and an opportunity. The challenge was to adequately cover a very complex and technical topic that has been addressed by many before us, some of whom have been recognized experts in the field for decades. The opportunity was to take material that is complex and technical, and present it in a way that is understandable, useful, and maybe even at times enjoyable to read. That became our goal, the one that turned this project into a true labor of love. This book would not have been possible without the help and support of a large number of people, and we would like to recognize them here. First, we both want to thank everyone at Syngress, especially Matt Pedersen, who believed in our ability and gave us this chance, and Julie Smalley, who suffered with us each step of the way. Deb particularly wants to thank Neal Wilson at Eastfield College, who encouraged her to expand her horizons and leave the nest when the time came; her children, Kris and Kristen, who always made it easier to accomplish great things in other areas of life because she could count on her great kids to be there; her mom, Sue Harris; and, posthumously, her dad, Tommie Harris, who she misses every day. Tom especially wants to thank his own mom, Eleanora Shinder, and his brothers Rich and Dee, along with fellow Microsoft professionals Jim Truscott and Doyal Alexander, whose experiences contributed to this book. Both of us want to extend a special thank you to Thomas Lee, our tech writing role model, and to Brian Miller, who made our first time fun instead of painful. Most of all, we want to thank each other. The writing and tech editing of this book was a partnership effort, like our marriage. We argued some of the fine points, nit-picked one another’s wording, questioned each other’s facts and conclusions, and in so doing, made this a better book. We worked together, struggled together to meet the deadlines, shared the frustrations and the profound gratification, and now celebrate together the birth of this "baby." We look forward to doing it again. Debra Littlejohn Shinder Dr. Thomas W. Shinder
91_tcpip_01.qx
2/25/00
12:26 PM
Page 1
Chapter 1
TCP/IP Overview
Solutions in this chapter: ■
History of TCP/IP (ARPAnet); The Future of TCP/IP (IPv6)
■
The TCP/IP Protocol Suite
■
The OSI, DoD, and Windows Networking Models
■
Basic Network Design Issues
1
91_tcpip_01.qx
2
2/25/00
12:26 PM
Page 2
Chapter 1 • TCP/IP Overview
Introduction The Transmission Control Protocol/Internet Protocol (also referred to as the TCP/IP protocol stack, or just plain TCP/IP) is a familiar—if poorly understood—networking component to most modern network administrators and Information Technology (IT) professionals. If you work in any but the smallest networked environment, chances are you’ve encountered TCP/IP. However, it wasn’t always that way. Just a few short years ago, TCP/IP was regarded as a somewhat sluggish, difficult-to-configure protocol used primarily by university or government networks participating in an exotic wide area networking project called ARPAnet. It was considered too slow and complex to be an appropriate choice for most private organizations’ local area networks (LANs). Microsoft and IBM workgroups ran fine on NetBEUI, a fast and simple transport protocol that could be set up easily and quickly by someone without a great deal of expertise. Novell NetWare LANs used the IPX/SPX stack, which was routable and thus could be used with larger serverbased networks. Few business networks had any need for a powerful but high-overhead set of protocols like TCP/IP. Then something happened: the Internet.
NOTE Administrators and users may also be familiar with the higher-level protocols used on the Internet, such as File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Telnet. These, along with other protocols, are often packaged with TCP/IP as part of the “suite.”
TCP/IP’s “Net” Worth The obscure worldwide network of networks had formerly been used by only a handful of elite groups until it was discovered by the corporate world—and then by individual computer users. An online population explosion erupted. Everyone rushed to get connected to the global Net, and TCP/IP, on which it was based, catapulted to the top of the protocol popularity polls. There have been occasional attempts to usurp its position at the top. The Open Systems Interconnection protocol suite, based on the famous (or infamous) seven-layer OSI networking model, was conceived with the idea of unseating the incumbent and replacing TCP/IP as a universal standard for internetworking communications. In fact, in the late 1980s
91_tcpip_01.qx
2/25/00
12:26 PM
Page 3
TCP/IP Overview• Chapter 1
the U.S. government, which had played an important part in creating and developing TCP/IP, made plans to phase it out in favor of the OSI suite. It didn’t quite work out that way. TCP/IP turned out to be the protocol stack that refused to go quietly into that good night.
NOTE Request for Comments (RFC) 1180, available on the Web, provides an authoritative tutorial on the TCP/IP protocol suite.
In fact, TCP/IP has flourished. It is available as a standard protocol included with all Windows operating systems and is installed by default in Windows 2000.
NOTE Although TCP/IP is a “universal” protocol stack, which allows communication between machines running different operating systems or even running on different platforms, be aware that different vendors’ implementations of the protocols may differ slightly. This book focuses on Microsoft’s implementation of TCP/IP in Windows 2000, although we also discuss interoperability with NetWare and UNIX networks.
UNIX machines, the original cornerstones of Internet communication, have been running on TCP/IP since the early days of its development, and TCP/IP support is a part of every popular Linux distribution. Apple Macintosh computers and IBM’s AS/400 machines use TCP/IP. Even NetWare, long a holdout for its Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) stack, has finally come over to the TCP/IP camp; NetWare 5 is the first version designed to run on “pure” IP. On the other hand, as you scroll through the list of protocols that can be installed from the Windows 2000, NT, or 9x CD-ROM, you won’t see “OSI protocol suite” among them. The OSI model is an accepted standard for networking implementation, and the OSI suite mapped to the model more elegantly than other protocol sets already in use, However, TCP/IP was too firmly engrained to be easily dethroned as king of the internetworking world. It was as if someone announced that he had discovered a replacement for dirt and suggested that we uproot all the trees and plants and then “reinstall” them in the new, superior substance. Restructuring the huge,
3
91_tcpip_01.qx
4
2/25/00
12:26 PM
Page 4
Chapter 1 • TCP/IP Overview
sprawling global Internet to plant it in a different protocol environment— regardless of any advantages that new environment might offer—is just too overwhelming an undertaking. TCP/IP may have to adapt as computer communications continue to evolve (the expected transition to IPv6 is one example), but it is likely to be around for some time to come.
More Power, More Flexibility—and More Potential for Problems TCP/IP had to be good to survive the challenges and attain the position it occupies today in computer networking, but that doesn’t mean its implementation is always free of problems. On the contrary, the complexity that makes it so flexible and capable of connecting large, diverse networks also makes it prone to configuration errors and difficult to troubleshoot. Luckily for network administrators, necessity being the mother of invention resulted in the development of many tools and utilities for troubleshooting TCP/IP connectivity problems. Many of these are free, and several are included as part of Windows 2000’s implementation of the TCP/IP protocol suite. Administrators of TCP/IP networks will also find the documentation of the TCP/IP protocol far more extensive than that for any other network/transport protocol. Because it is used on such a widespread basis, books, articles, courses, and Web resources for troubleshooting IP connectivity problems are plentiful.
What’s Ahead in This Chapter In this chapter, we will look at both the history and the future of the TCP/IP suite, to better help us understand what it is and how it works today. We’ll examine in some depth the more generic OSI networking model and TCP/IP’s own model, often referred to as the Department of Defense (DoD) model. We will break down the components of the so-called “suite” of protocols that have taken up residence with the original TCP and IP stack. We’ll also examine how common connectivity devices, such as repeaters, bridges, routers, and switches, are used to expand or segment TCP/IP networks. Finally, we’ll discuss some general guidelines for planning, testing, and implementing a big change such as the setup or migration of a Windows 2000 TCP/IP network. Just as a physician is better able to treat a sick patient if he knows the person’s background, characteristics, and how the patient normally behaves when not ill, network administrators confronted with “sick” dysfunctioning networks will be at a big advantage if they know the network’s “anatomy” or components well. The protocol on
91_tcpip_01.qx
2/25/00
12:26 PM
Page 5
TCP/IP Overview• Chapter 1
which the network depends for communication is one of its most important “body parts.” The objective of this chapter is to give you a detailed patient history and a quick review of TCP/IP physiology that will allow you to recognize symptoms, diagnose its illnesses, and select the most effective treatment. We know that a healthy network makes for a happy network administrator.
TCP/IP: Where It Came From, and Where It’s Going Acronyms abound in the computer industry, and network administrators may think of TCP/IP as just another collection of mysterious letters used to refer to some obscure concept whose name they’ve long forgotten. If pressed, most could tell you that it’s a protocol—and some even know that a protocol is a set of standardized rules for communicating. Maybe one or two could even tell you that the word comes from the Greek word protocollon, which referred to a leaf of paper glued to a manuscript volume that described the volume’s contents. But any basic networking text lists dozens or even hundreds of protocols: hardware protocols, routing protocols, remote access protocols, printing protocols, LAN and WAN protocols, encapsulation protocols. Why should we get all excited about TCP/IP? What makes it so special? For the answer to that question, let’s consider the origins of the TCP/IP protocol suite, and what it’s used for today.
History of the TCP/IP Protocols “The subject of history is the gradual realization of all that is practically necessary.” (Friedrich Schlegel, 1772–1829, German philosopher). Practical necessity is the driving force behind most important inventions and developments, and the need for a reliable set of communications protocols suitable for connecting large networks led to the creation of the TCP/IP stack. In the 1960s, computer networking was in its infancy. The benefits of connecting computers together so they could share resources were only beginning to become apparent. The equipment was expensive, and products from different manufacturers were, for the most part, incompatible. Few business entities had the money or inclination to bother with creating local networks, much less attempt to get their computers to “talk” to distant systems.
5
91_tcpip_01.qx
6
2/25/00
12:26 PM
Page 6
Chapter 1 • TCP/IP Overview
The Role of the U.S. Department of Defense The U.S. Department of Defense recognized the value of establishing electronic communications links between major military installations. (Grim as it may seem, a primary motivation was the desire to maintain communication capabilities in the event of the mass destruction that would come with nuclear war.) Major universities were also involved in networking projects. The DoD funded research sites throughout the United States, and in 1968, the Advanced Research Projects Agency (ARPA) contracted with a company called BNN to build a network based on packet-switching technology.
For IT Professionals
Tech Talk
Many people easily confuse the terms packet switching and circuit switching. Even experienced network administrators, if they haven’t had much exposure to the conceptual and hardware sides of WAN technology, find them a little mysterious. They sound like the same thing, but they’re not. Circuit switching technology is something we use all the time, whether we’re aware of it or not. The public telephone system (which is formally called PSTN, or Public Switched Telephone Network) is the more familiar example of switched-circuit communication. An end-toend communication link is established when you place a telephone call, and that same physical path from one end (your telephone) to the other (Aunt Mary’s telephone in Boise, Idaho, for example) is maintained for the duration of that call. The path is reserved until you break the connection by hanging up. If you call Aunt Mary again next week, the pathway (also called the “circuit”) used may be completely different. That’s where the “switching” comes in, and that explains why sometimes when you talk to Aunt Mary, the connection is clear, while other times there’s so much noise and static on the line that you have to ask her to repeat herself when she tells you whose quilt won first prize at this year’s county fair. Packet switching is different in that there is no dedicated pathway or circuit established. It is known as a “connectionless” technology for that reason. If you send data from your computer to your company’s national headquarters in New York over a packet-switched Continued
91_tcpip_01.qx
2/25/00
12:26 PM
Page 7
TCP/IP Overview• Chapter 1
network, each individual packet, or chunk of data, can take a different physical route to get there. Most traffic sent across the Internet uses packet switching. A type of digital packet switching network called X.25 can also support virtual circuits, in which a logical connection is established for two parties on a dedicated basis for a certain duration (a Permanent Virtual Circuit, or PVC, is an ongoing, dedicated logical connection, but the physical circuit can be shared by more than one logical connection).
In1969 the ARPAnet was born when its first node, or connection point, was installed at the University of California at Los Angeles. Within three years, the network had spread across the United States, and two years after that, to the European continent. Remember that ARPAnet’s original purpose was to provide a network capable of surviving a devastating war. This meant redundancy and reliability took precedence over other considerations (like data transmission speed). Consequently, the first links were slow by today’s standards (56k leased lines).
NOTE An excellent detailed history of the creation of ARPAnet and its evolution into today’s Internet is available at the Web site of the international organization called the Internet Society (ISOC) at www.isoc.org/internet/ history/brief.html.
It was important that the networking protocols be reliable and scalable to accommodate multiple redundant sites and anticipated growth (although no one at that time expected the rate of growth that was to come). Perhaps following the timeworn advice that “if you want it done right, you have to do it yourself,” the developers of the ARPAnet designed a new group of protocols that fit the bill. Their first attempt was the Network Control Protocol, but it proved to be unsuitable as traffic increased. By the mid-1970s, necessity had mothered invention again, and the TCP/IP protocol suite was implemented.
From ARPAnet to the Internet The “network” continued to grow in population and popularity. It eventually split into two parts, with the military calling its part of the
7
91_tcpip_01.qx
8
2/25/00
12:26 PM
Page 8
Chapter 1 • TCP/IP Overview
internetwork Milnet, with ARPAnet still being used to describe the network that connected research and university sites. In the 1980s, ARPAnet was replaced by the Defense Data Network (a separate military network) and NSFNet, a network of scientific and academic sites funded by the National Science Foundation. In the 1990s, the global network (now called the Internet) went commercial in a big way. Corporations realized the advertising and marketing potential of a medium that spanned the whole world. Smaller businesses began to see the light—and the dollar signs—as well. Individuals wanted access to the vast amount of information (and entertainment) available on the World Wide Web. Internet Service Providers (ISPs) sprang up like weeds to satisfy the demand for connectivity.
NOTE Estimates vary, but according to the Internet Software Consortium, by July 1999 there were over 50 million host computers connected to the Internet.
As the year 2000 begins, the impact of the Internet on the computer industry and on lifestyles in general is being felt across the planet. We have, to a large extent, networked the world. The Internet, still running on the TCP/IP protocol suite, has made it possible to do things that could not have been imagined by the average person just a decade ago. School children have the equivalent of large libraries at their fingertips; business executives stay on top of what’s going on at the office from thousands of miles away; telecommuters do a full day’s work without ever leaving home. We can play the stock market via computer, do our banking online, or chat casually with close friends we’ve never met in places we might have never known existed except for the Net. Few of those whose lives have been changed by the rapid development of computer networking technology realize that they owe it all (well, at least a lot of it) to TCP/IP.
Another Contender for the Title: The OSI Protocol Suite The OSI protocol suite was intended to be TCP/IP’s replacement. In fact, a few years ago, it was an accepted “fact” in many parts of the computer industry that the future of networking would be built on the OSI suite. It seemed like a good idea at the time. The OSI suite consisted of a set of protocols that would map directly to the popular OSI networking model, and which would—at least in theory—make for less confusion and easier standardization of networking products among multiple vendors. The TCP/IP stack had been designed on the less finely tuned DoD networking model.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 9
TCP/IP Overview• Chapter 1
The OSI protocol suite was developed under the umbrella of a body called the ISO—making for an interesting conglomeration of initials. As if it weren’t already confusing enough, the full official name of the ISO is the International Organization for Standardization, which would seem to call for an acronym of IOS (which would be further confused with Cisco’s Internetworking Operating System, or IOS, used to command its fleet of routers). The organization is quick to point out that its short name— ISO—is not an acronym but a word, derived from the Greek isos, meaning “equal.” The ISO is, according to its own accounts, a worldwide federation of national standards bodies from 130 countries whose stated mission is the promotion of the development of standardization and related activities throughout the world. The ISO’s role in establishing standards is not confined to the computer industry. For years, photographers have been familiar with the ISO film speed codes used by manufacturers of photographic film. The ISO, headquartered in Geneva, Switzerland, has been instrumental in developing standards for the format of telephone and banking cards, so that the cards can be used in different countries throughout the world. The international country and currency codes are another example of an ISO standard.
NOTE For more information about the organizational structure and mission of the International Organization for Standardization (ISO), visit its Web site at www.iso.ch/.
The idea of a carefully planned and implemented new set of protocols for connecting to the global Internet that could be standardized throughout the world was an attractive proposition. A great deal of work went into development of the OSI protocol suite, hailed as the heir to the Internet protocol crown. But it turned out that the reports of TCP/IP’s death had been greatly exaggerated.
Survival of the Fittest? In the late 1980s, the Department of Defense decreed that by August 1990 all its computer communications would use OSI protocols, and the U.S. federal government formed a set of specifications called GOSIP (Government OSI Profile) that defined standards for these protocols. The federal government had, in effect, planned the death of the TCP/IP suite. TCP/IP was now considered a temporary solution to the problem of providing reliable internetworking protocols. The new proposed Internet standards included X.400 (for e-mail) and X.500 (for directory services).
9
91_tcpip_01.qx
10
2/25/00
12:26 PM
Page 10
Chapter 1 • TCP/IP Overview
The computer industry was gearing up to make the transition, but not everyone welcomed the change. So in 1990, the ISO Development Environment (ISODE) was created. The ISODE software allowed OSI applications to run over TCP/IP. The TCP/IP suite was already in wide use and was not going away as planned, so it was decided that GOSIP would incorporate TCP and IP, loosening its original “only OSI protocols” requirements. The current goals of OSI proponents seem to be less ambitious, now focused on a convergence of TCP and OSI Transport Protocol Class 4, which would support both OSI applications and applications from the Internet Protocol Suite. IPv6 (sometimes called IPng for IP “next generation”) is expected to be the big protocol player at the IP layer.
The Future of TCP/IP Although the TCP/IP suite has proven its endurance and is likely to be with us for a while, it will undoubtedly undergo some changes. For protocols, as for people, a long life usually requires the ability to adapt to changing conditions. As the Internet continues to grow, the most pressing need is a way to overcome the limitations of the current version of IP in terms of the number of IP addresses available. At the time IP’s 32-bit addressing scheme was designed, computers were still expensive devices used primarily by large companies. Many businesses were not yet computerized, and the idea of an individual owning a computer—much less setting up a home network—bordered on absurdity. It must have seemed that there would never be any danger of running out of addresses (and consequently, many usable addresses were “wasted” by the assignment method), but then at that time it was also inconceivable that computers would ever be as powerful and as inexpensive as they are today. When it comes to making predictions about technological progress, the one constant has been a tendency to underestimate. After all, Thomas Watson, former chairman of IBM, is best remembered for the following statement, made in 1949: “I think there is a world market for maybe five computers.”
Looking Ahead to IPv6 IPv6, or IPng (the “ng” stands for “next generation”), is the new version of the Internet Protocol (IP). The Internet Engineering Task Force (IETF) designed it as the next step up from IPv4. It builds on IPv4 and is a natural progression. It is compatible with IPv4, which is currently used on the Internet and other TCP/IP networks. The specific intent of IPv6 is to work efficiently in high-performance networks such as ATM (Asynchronous Transfer Mode), while still working efficiently over low-bandwidth networks (which would include many of the wireless technologies).
91_tcpip_01.qx
2/25/00
12:26 PM
Page 11
TCP/IP Overview• Chapter 1
Next Generation IP: A Luxury or a Necessity? Why do we need a “next generation” of IP? The answer can be summed up in one word: growth. Internet connectivity has exploded, and it shows no sign of slowing anytime soon. Technology gurus predict that in the future, even our household appliances will be wired to the Internet so we can communicate with them from afar. (This conjures up images of typing in a few commands and sending them off to your microwave oven, instructing it to have dinner ready when you get home—an idea that may become reality sooner than you think.) If we are to be prepared to assign an IP address to every refrigerator and toaster, we must think big in planning the next version of the protocol that will be used to accomplish these addressing feats. Perhaps the most important lesson to be learned from our experience with IPv4 is that the addressing and routing capabilities of the next generation’s Internet Protocol must be able to handle scenarios that may currently seem unlikely, based on seemingly exaggerated estimates of future growth.
How Many IP Addresses Are Enough? IPv4 uses IP addresses that are 32-bit binary numbers (usually expressed in dotted decimal for convenience). Each IP address consists of two parts that identify the network ID and the host ID. This provides for approximately 4 billion individual unique addresses—at least, mathematically and theoretically, it works out to that number. If there were actually this many usable addresses, we might not have to worry about running out anytime soon. Unfortunately, that’s not the case. Internet authorities do not assign IP addresses one at a time; rather, they are allocated as class A, B, or C networks, which consist of blocks of addresses of varying sizes. There are 126 usable class A networks, and each can have approximately 16 million hosts. There are far more class B networks: about 16 thousand, but each is limited to fewer hosts, about 65,000. As for class C networks, there can be around 2 million of them; however, they can have a maximum of 254 hosts. In the early days of the Internet, IP addresses were plentiful, and many were handed out with abandon. For instance, the entire Class A Network ID 127.0.0.0 was reserved for use as a “loopback” address (more about that later) used to test the integrity of a computer’s TCP/IP stack. This resulted in 16,777,216 wasted addresses! Class A and B networks were given to organizations that had nowhere near the number of allowed hosts, wasting more addresses. They weren’t missed, because there were plenty more where those came from; the mentality was the same sort that led to current environmental problems, shortages of once-plentiful natural resources and near-extinction of some animal species.
11
91_tcpip_01.qx
12
2/25/00
12:26 PM
Page 12
Chapter 1 • TCP/IP Overview
In 1991, there were a little over 1 million hosts on the global Internet. By 1997, there were over 16 million. Today, according to the Internet Society, there is an estimated 50 million. If growth continues at this rate, the prospect of using up all the available addresses will become very real. One way to solve the problem is to implement a new version of IP that uses a larger address space. IPv6 is based on 128-bit addresses. This provides for a total number of IP addresses which, represented exponentially, is 2 to the 128th power. The actual number would take up an entire line of space; it’s safe to say it definitely adds up to “a lot.” However, IPv6 does more than provide for a greater number of IP addresses. It also adds several improvements to IPv4, which will make routing and network autoconfiguration easier. Another concern in creating the new version of IP is to use a more flexible way of organizing addresses that are not dependent on the class structure. Classless InterDomain Routing (CIDR, pronounced “cider”) can be used to overcome some of the problems encountered with the old method of network/ address assignment.
The Market for IP Today IPv4 today serves what some have called the “computer market.” This market has driven the stupendous growth of the Internet over the last decade. It is based on the enormous number of private and public networks that have come into being, including computers of all types: business workstations and servers, home PCs, traditional mobile (laptop and notebook) computers, mini-mainframes, all the way up to supercomputers. This market has grown at an exponential rate, and continues to do so. However, industry experts predict that it will not necessarily be the driving force behind the next phase of growth, and it is that phase for which the next generation of IP must prepare us.
The IP Marketplace of the Future The computer market described previously is by no means going to disappear. It is logical to assume, however, that it will eventually reach a saturation point, and growth in that sector of the marketplace will stabilize. It is just as likely that other kinds of markets will develop, some of which we might not have imagined a few years ago. These new markets could fall into several categories. The potential offered by new high-speed, low-cost connectivity technologies such as DSL and cable makes it feasible to envision innovations in the near future that were the stuff of science fiction in the recent past. The set-top box, combining television with the Internet, is already a reality. “Smart homes,” with components strategically wired to the Net and capable of being managed from afar, can be built (albeit at a cost too high for the
91_tcpip_01.qx
2/25/00
12:26 PM
Page 13
TCP/IP Overview• Chapter 1
average homebuyer) today. Wireless Internet access via cellular technology is here already. Automobiles that incorporate networked computers are reportedly just around the corner. As impossible as it might seem today, it may be that 20 years from now, we’ll look back at the 1990s as a time when the Internet was small, “only” doubling in number of hosts every year. A new version of IP that will meet this challenge seems more and more of a necessity as we consider the possibilities.
Making the Transition Don’t worry; it’s not likely you’ll wake up one day and suddenly see an announcement that on a particular date, at a particular time, the Internet is switching to IPv6. The new version is expected to replace IPv4 gradually, and the two will coexist for a number of years as the transition occurs. Meanwhile, the groundwork is being laid. All Winsock 2.0-compliant applications will automatically support the IPv6 protocol stack. Microsoft is hard at work developing an implementation of IPv6. Cisco is building routers that will take advantage of the next generation of IP.
NOTE Microsoft Research (MSR) is working on an IPv6 implementation based on the Windows NT/2000 platform. An alpha version of this implementation is publicly available in both source and binary forms. For more information, see www.research.microsoft.com/msripv6/.
For IT Professionals
The 6to4 Protocol The IETF has created a new protocol called 6to4, the purpose of which is to encapsulate IPv6 packets inside IPv4 packets. This will allow networks that migrate to IPv6 early to be able to send their data across the Internet, even if the ISPs they use don’t yet support the new version of IP. Many ISPs are now using Network Address Translation (NAT) to allow for the translation of multiple private IP addresses, which don’t have to be registered, to a lesser number of public assigned addresses. For this reason, those ISPs have not been in a hurry to implement Continued
13
91_tcpip_01.qx
14
2/25/00
12:26 PM
Page 14
Chapter 1 • TCP/IP Overview
IPv6 support. Reconfiguring all of their equipment to use IPv6 addresses would be a big project, requiring a great deal of time and effort. The recent popularity of NAT devices and software implementations of NAT (along with inexpensive proxy software) has taken the edge off the urgency of upgrading, at least for some companies. NAT is built into Windows 2000 Server products, and a simple, “lighter” version of NAT called Internet Connection Sharing (ICS) is included in the Windows 2000 and Windows 98SE operating systems. Using one of these, all of the computers on a network can access the Internet using just one public registered IP address. The new 6to4 protocol will solve the compatibility problem for those corporate networks that do wish to adopt IPv6 sooner rather than later, and may make migration more attractive to others, too. The 6to4 protocol is installed on a router that serves as a gateway from the IPv6 network to the Internet. It works by automatically assigning a prefix to each IPv6 address, which identifies it as a 6to4 address. It then establishes a tunnel over IPv6 network.
Change is inevitable (except perhaps from vending machines), and network administrators may as well get ready to greet IPv6 with open arms. Like any major transition, there is sure to be some pain involved. The IETF has designed a migration strategy that defines IPv4 and IPv6 as two different protocols with two separate protocol stacks, and IPv6 was designed for compatibility with the older version so the upgrade could be done over time. DNS and DHCP servers will require updating, and the management of coexisting 32-bit and 128-bit addresses is expected to produce some problems. Resistance is futile; the next generation is upon us.
Networking Models As a network administrator, you are familiar with the common networking models You may have heard of both the OSI model and the DoD model (at the very least, you’ve seen references to them earlier in this chapter). You may even be able to recite from memory the seven layers of the OSI model, or tell how the four layers of the DoD model correspond to them. But do you really understand what the models represent? And do you know the functions of those layers you named? If not, keep reading. We will briefly visit the hallowed halls of Basic Networking Concepts 101 (or, in Microsoft parlance, Networking Essentials) and look at where the models fit into real-life network administration.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 15
TCP/IP Overview• Chapter 1
The Purpose of the Models A network protocol is a set of rules used by computers to communicate. Protocols had to be developed so that two computers attempting to transfer data back and forth would be able to “understand” one another. Some describe protocols as “languages,” but this isn’t entirely accurate and can cause confusion since computer languages are an entirely different concept. A protocol is more like the syntax of the language (the order in which the words are put together) than the language itself.
NOTE The words "data" and "information” are sometimes used interchangeably, but technically, they are two different things. In computer communications, data is the series of electrical charges arranged in patterns that represent information. The “data" is not the information itself; it is the encoded form of the information. “Information” is the data in usable form, the decoded form of the data that can be displayed as a word processing document or an e-mail message or used to make a calculation in a spreadsheet.
The first networking protocols were proprietary; that is, each vendor of networking products developed its own set of rules. Computers using a specific vendor’s protocol would be able to communicate with each other, but not with computers that were using the networking product of a different vendor. This had the effect of locking a business in; the business would always need to use the same vendor to maintain compatibility. The solution to this problem was the development of protocols based on open standards. Organizations such as the ISO were charged with overseeing the definition and control of these standards and publishing them so they would be available to any vendor that wanted to create products that adhered to them. The advantage to the consumer is that no longer is he forced to patronize a single vendor. The advantage to the vendor is that its products are more widely compatible and thus can be used in networks that started out using a different vendor’s products. A model provides an easy-to-understand description of the networking architecture and serves as the framework for the standards. The OSI model has become a common reference point for discussion of network protocols and connection devices.
Why Use Layered Models? As we look at each of the popular networking models, you’ll see that all use layers to represent areas of functionality. In OSI terms, each of the
15
91_tcpip_01.qx
16
2/25/00
12:26 PM
Page 16
Chapter 1 • TCP/IP Overview
layered specifications uses the services of the layer below to build an “enriched service.” The layered approach provides a logical division of responsibility, where each layer handles prescribed functions. This can be compared to the teamwork exhibited by a good assembly-line crew in building an automobile. One worker may be responsible for fitting a wheel onto the axis, another for inserting and tightening the screws, and so forth. There are several advantages to this type of working model: ■
■
■
■
Each worker only needs to be concerned with his or her own area of responsibility. Each worker becomes extremely proficient, through constant repetition, at his or her particular job. Working together in sequence, the team of workers is able to produce the final product much more quickly and efficiently than one person could, or than a group of people with no assigned responsibilities could. If something goes wrong (for instance, if a particular part was put on incorrectly), the supervisor knows who to blame for the problem.
Likewise, when the networking protocols are divided into layers, communication generally flows more smoothly, and when it doesn’t, troubleshooting is easier because you are better able to narrow down the source of the problem to a specific layer. We will examine three networking models: the ISO’s OSI model, the Department of Defense (DoD) TCP/IP model, and Microsoft’s Windows NT model. We’ll start with the most generic and work our way toward the more specific.
The ISO OSI Model The OSI model is used as a broad guideline for describing the network communications process. Not all protocol implementations map directly to the OSI model, but it serves as a good starting point for gaining a general understanding of how data is transferred across a network.
Seven Layers of the Networking World The OSI model consists of seven layers. The number seven carries many historical connotations; it is thought by some to signify perfect balance, or even divinity. Whether or not this was a factor when the designers of the model decided how to break down the functional layers, it’s safe to say that within the technical community, the Seven Layers of the OSI Model are at least as legendary as the Seven Deadly Sins and the Seven Wonders of the World.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 17
TCP/IP Overview• Chapter 1
The data is passed from one layer to the next lower layer at the sending computer, until the Physical layer finally puts it out onto the network cable. At the receiving end, it travels back up in reverse order. Although the data travels down the layers on one side and up the layers on the other, the logical communication link is between each layer and its matching counterpart, as shown in Figure 1.1. Figure 1.1 Communication takes place between corresponding layers. Sending Computer
Receiving Computer
Application
Application
Presentation
Presentation
Session
Session
Transport
Transport
Network
Network
Data Link
Data Link
Physical
Physical
Network Media
Here’s how it works: As the data goes down through the layers, it is encapsulated, or enclosed within a larger unit as each layer adds its own header information. When it reaches the receiving computer, the process occurs in reverse; the information is passed upward through each layer, and as it does so, the encapsulation information is evaluated and then stripped off one layer at a time. The information added by the Network layer, for example, will be read and processed by the Network layer on the receiving side. After processing, each layer removes the header information that was added by its corresponding layer on the sending side. It is finally presented to the Application layer, and then to the user’s application at the receiving computer. At this point, the data is in the form it was in when sent by the user application at the originating
17
91_tcpip_01.qx
18
2/25/00
12:26 PM
Page 18
Chapter 1 • TCP/IP Overview
machine. Figure 1.2 illustrates how the header information is added to the data as it progresses down through the layers. Note that in the foregoing example, the header information that is added by the Application layer is called a “link header,” as is that added by the Data Link layer. These headers mark the first and last headers to be added. The Data Link layer also adds a Link Trailer. Many books teach the OSI layers “upside down”; that is, starting with the bottom layer. In fact, the Physical layer is often referred to as Layer 1, the Data Link as Layer 2, and so on. Other descriptions start (seemingly logically) at the topmost layer. Which way you look at it depends not on which hemisphere you live in, but on whether you’re addressing the communication process from the viewpoint of the sending or the receiving computer. We will examine the process from the top down, as the data is prepared by the sending computer to go out over the cable or other media. We will, however, stick with the standard numbering convention. Figure 1.2 Each OSI layer except the Physical layer adds header information to the data.
Link Trailer
Data
Link Hdr
Data
Link Hdr
Pres Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Net Hdr
Data
Link Hdr
Pres Hdr
Ses Hdr
Transp Hdr
Net Hdr
Application
Presentation Session
Transport
Network Link Hdr
Data Link
Layer 7: The Application Layer Keep in mind that the model describes only the networking components. If you remember that, you won’t make the common mistake of thinking the Application layer represents the user application software. What the
91_tcpip_01.qx
2/25/00
12:26 PM
Page 19
TCP/IP Overview• Chapter 1
Application layer really does is provide the interface and govern the interaction between that user application and the network protocols. The Application layer protocols accept user data for network transport. The data is created by the user application, above the networking layers. For instance, if you want to send an e-mail message, your user application might be Microsoft Outlook (the user program is sometimes referred to as the “user agent”). The user sees only the application interface. You type your letter to Cousin Mary, perhaps you attach graphics files containing photos of the grizzly bear who almost ate Uncle Joe from your last family outing to Yellowstone National Park and click SEND. Assuming you typed the correct email address in the “to” field, you have the software configured properly, your hardware is working, your phone lines aren’t down, and your ISP is on the ball (quite a lot of assumptions, to be sure), the message goes through and lands in Mary’s virtual mailbox. Neither you nor Cousin Mary has to know anything about what the networking components of your respective operating systems are doing in order to communicate via e-mail. That’s because the application itself (Outlook) sends the data (the message you typed) to the Application layer, which takes it from there. The Application layer adds header information, which will be used by the Application layer on the receiving end, and passes it down to the next layer.
Layer 6: The Presentation Layer No, the Presentation layer doesn’t turn the data into PowerPoint slides. However, as the name suggests, it is responsible for the way in which the data is presented, or formatted. The Presentation layer handles such things as encryption (presenting the data in such a way as to keep it from being readable by unauthorized persons) and compression (packaging the data in such a way as to get more of it through at a time). On the receiving side, the Presentation layer is responsible for translating the data into a format understandable by the application and presenting it to the Application layer. Since the Presentation layer handles the very important task of protocol translation, this layer is where many gateways operate. Remember how we said earlier that in order to “talk” to one another, computers need to be running the same protocol? Well, a gateway lets you circumvent this rule. It acts as a translator and allows computers using different protocols to communicate with one another. Examples include: E-mail gateway This software translates the messages from diverse, noncompatible e-mail systems into a common Internet format such as the Simple Mail Transfer Protocol (SMTP). Thus,
19
91_tcpip_01.qx
20
2/25/00
12:26 PM
Page 20
Chapter 1 • TCP/IP Overview
Cousin Mary is able to read your letter even though you were using Microsoft Outlook with an Exchange server and she is on a NetWare network using Groupwise mail. SNA gateway Systems Network Architecture (SNA) is a proprietary IBM architecture used in mainframe computer systems such as the AS/400. An SNA gateway allows personal computers on a local area network to access files and applications on the mainframe computer. Gateway Services for NetWare (GSNW) This software is included with Windows 2000 (and Windows NT) Server operating systems to allow the Windows server’s clients to access files on a Novell NetWare server. It translates between the SMB (Server Message Block) file sharing protocol used on Microsoft networks and NCP (NetWare Core Protocol), the file sharing protocol used by the NetWare networks.
NOTE Although many gateways operate in the Presentation layer, different gateways operate at different layers. A gateway can perform functions seen in any layer of the OSI model.
There are almost as many gateway products available as there are different protocol combinations, and more are being developed all the time as interoperability becomes increasingly important in our connectivityobsessed world.
Layer 5: The Session Layer The Session layer handles the task of establishing a one-to-one session between the sending and the receiving computers. The Session layer sets up and tears down application-to-application dialogs, and provides for checkpointing to synchronize the data flow for the applications. The Session layer also controls whether a transmission is established as half or full duplex. Full duplex is bidirectional communication in which both sides can send and receive simultaneously. Half duplex is also bidirectional communication, but the signals can flow in only one direction at a time. To illustrate the difference, think of how a telephone conversation works. Both parties can talk at the same time, and you can still hear the other person’s voice while you’re talking. That’s full duplex. With most two-way radios, when you key the microphone to speak, you can’t hear
91_tcpip_01.qx
2/25/00
12:26 PM
Page 21
TCP/IP Overview• Chapter 1
anything the other person might be saying while you’re speaking. Only one of you can broadcast over the channel at a time. That’s half duplex.
NOTE When the communication can only flow in one direction, and can never flow back the other way (unidirectional), it’s called simplex.
Another important responsibility of the Session layer is to define the rules for data exchange between the applications. In this respect, you might think of the Session layer as a referee or mediator who makes sure both parties (the sending and receiving computers) are aware of and agree to follow the “rules of the game” for that particular session. When two family members are at odds and seek counseling to help them communicate with one another, a good counselor or mediator will start the visit by getting both people to agree to certain rules. These might include who gets to talk first, and for how long, as well as the “format” of the communication (i.e., no yelling, screaming, or name-calling). Although computers aren’t known for getting emotional, before they can communicate effectively they also must negotiate communications guidelines. Otherwise, they may bombard each other with too much data to be processed, or both try to “talk” at the same time. The Session layer controls this flow of conversation so that the message will get through clearly. In this way, the Session layer provides for flow control. This usually works quite well. Family counselors undoubtedly wish their jobs were as easy as that of the Session layer protocols. Other duties of the Session layer include providing for data expedition, class of service, and reporting of problems occurring in the Session layer and those above it.
Layer 4: The Transport Layer The Transport layer’s primary responsibility is reliability. It must verify that the data sent arrives at the intended destination, in good condition. It also must have a way to differentiate between the communications that may be coming to the same network address (the IP address) from or to different applications.
Port Numbers Thanks to the multitasking capabilities of Windows 2000 and other modern operating systems, you can use more than one network application simultaneously. For example, you can use your Web browser to access
21
91_tcpip_01.qx
22
2/25/00
12:26 PM
Page 22
Chapter 1 • TCP/IP Overview
your company’s homepage at the same time your e-mail software is downloading your e-mail. You probably know that TCP/IP uses an IP address to identify your computer on the network, and get the messages to the correct system, but how does it separate the response to your browser’s request from your incoming mail when both arrive at the same IP address? That’s where ports come in. The two parts of an IP address that represent the network identification and the host (individual computer) identification are somewhat like a street name and an individual street number. In this analogy, the port number would identify the specific apartment or suite within the building. TCP and UDP, the Transport layer protocols, assign port numbers to each application so the data intended for the Web browser in Apartment A doesn’t get sent to the e-mail program living in Apartment B.
Connection Service Types Two types of connection services are used at the Transport layer: connection-oriented and connectionless. Which is most appropriate for sending a given message depends on whether reliability or speed is of highest priority.
NOTE In TCP/IP communications, data is sent over the network as a sequence of datagrams. A datagram is a collection of data sent as a single message. Each datagram is sent across the network individually.
A connection-oriented protocol such as TCP offers better error control, but its higher overhead means a loss of performance. A connectionless protocol such as UDP, on the other hand, suffers in the reliability department but, unhampered by error-checking duties, is faster. Connection-Oriented Services. As a provider of connection-oriented services, TCP first establishes a virtual connection between the sending and receiving computers. This is done through the use of acknowledgments and response messages.
NOTE An acknowledgment message is sometimes referred to as an “ACK.”
91_tcpip_01.qx
2/25/00
12:26 PM
Page 23
TCP/IP Overview• Chapter 1
The most commonly used analogy for differentiating between connection-oriented and connectionless communications compares different services available from the post office. If you need to send an important report to the manager of your company’s branch office in El Paso, you could put it in an envelope, affix the required amount of postage, and drop it in the corner mailbox. This would be the easiest, quickest way to take care of the task, but you would have no idea whether or when the report reached its destination. On the other hand, you could go to the post office and fill out a card to send the report via registered, certified mail, with a return receipt requested. It would cost more and it would take more time and effort on your part, but it would be a more reliable form of communication. You would get back an acknowledgment when the package was delivered, showing that it was indeed received by the person to whom it was addressed. Connection-oriented services are more like the second example, although they actually go one step further: They establish the connection before sending the data. This would be as if, before you sent your certified mail, you first got on the telephone with the El Paso manager and let him know the report was coming so he could be on the lookout for its arrival. If you’re really detail-minded (or paranoid), you could even ask that he call you back when it gets there, and let you know that all the pages are there in sequence and it wasn’t damaged along the way. You’ve taken pains to make sure your communication is as reliable as possible, but at a cost in time (and long distance charges) to both you and the intended recipient. Connectionless Services A connectionless transport protocol like the User Datagram Protocol (UDP) doesn’t provide the same acknowledgment of receipt process as the connection-oriented TCP does. Since UDP doesn't sequence the packets that the data arrives in, an application program that uses UDP has to be able to make sure that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange, and thus very little message reassembling to do, may use UDP instead of TCP. For example, DNS hostname lookup messages that will always fit in a single datagram can effectively use UDP. For these very short queries, you don't need all the complexity of TCP; if you don't receive an answer after a few seconds, you can just ask again. UDP doesn't split data into multiple datagrams, as TCP does. It doesn't keep track of what it has sent. Data can be resent if needed, and UDP doesn’t guarantee delivery or protect against duplication. However, it is not completely irresponsible: It does provide for a checksum capability, to
23
91_tcpip_01.qx
24
2/25/00
12:26 PM
Page 24
Chapter 1 • TCP/IP Overview
ensure that data arrives intact, and it provides port numbers to distinguish between the requests sent by different user applications.
NOTE Examples of applications that use UDP for communication include Trivial File Transfer Protocol (TFTP), Routing Information Protocol (RIP), RADIUS accounting, and some implementations of Kerberos authentication. The UDP header is shorter and simpler than the TCP header. It has the source and destination port numbers and a checksum, but it doesn’t include a sequence number, since UDP doesn’t do any sequencing.
Layer 3: The Network Layer Both TCP and UDP, operating at the Transport layer, rely on IP, the Network layer protocol, to actually get the data from the sending to the receiving computer. If you’ve studied the OSI model, you’ve probably heard hundreds of times that routing takes place at the Network layer. Routing is all about recognizing addresses and mapping out the most efficient way to get from one address to another.
The Routing Function You would be performing a function similar to that of the Network layer if you took on the job of navigator on a cross-country automobile trip. Just as TCP and IP, working together, have different responsibilities, you and the driver could divide the duties so that the journey goes more smoothly. It’s the driver’s job to get the car to the destination safely and all in one piece (somewhat like the Transport layer protocols). It’s the job of the navigator to consult a map, determine exactly which highways will take you there, where to turn off one road and onto another, and to consider such factors as the size of each thoroughfare, known areas of congestion, and anything else that might make one route more desirable than another. Likewise, this layer is responsible for finding a path through the network to the destination computer. It is also responsible for translating logical addresses (the IP addresses assigned by an administrator or a DHCP server) and names (like the destination computer’s NetBIOS name “EXCALIBUR”) into physical addresses. The physical, or Media Access Control (MAC), address is burned into a chip on the network interface card by its manufacturer. IP routes messages based on the network number of the destination address. Every computer has a table of network numbers, known as a routing table. If there is a an entry in the routing table for the destination
91_tcpip_01.qx
2/25/00
12:26 PM
Page 25
TCP/IP Overview• Chapter 1
network ID, the computer sends it to a “gateway” address, which represents the first router in the path to the destination. A default gateway address is included in the routing table to send packets to when a specific route to the destination network ID isn’t found in the routing table. The default gateway must be on the same network as the source computer. Each gateway, or router, that the message must go through is called a hop. You might say a journey of a thousand hops begins with a single step: the gateway address listed in the routing table for a particular network number.
Dynamic Routing It’s easy to map out a route to a friend’s house four blocks away. However, if you’re trying to get to the home of a relative who lives in the backwoods in another state, you may need more than a good map. You may need to call ahead and get directions from someone who has traveled there recently. As networks become larger and more complex, it becomes more difficult to manually maintain routing tables. When this happens, you will want to use a dynamic routing protocol. Dynamic routing protocols automatically update routes on all routers on the network. We will discuss various routing protocols, such as RIP and OSPF, in a later chapter. Routers (whether dedicated devices or Windows NT or 2000 servers acting with IP routing enabled) work at the Network layer.
The X.25 Standard Although IP is the best known protocol of the Network layer, another important inhabitant of this layer is the ITU X.25 standard, which specifies the interface for connecting computers on different networks through the use of an intermediate connection made through a packet-switched network. X.25 protocols also correspond to the Data Link and Physical layers of the OSI model.
Layer 2: The Data Link Layer The Data Link layer takes the datagram passed down to it from the Network layer and repackages it into a unit called a frame. The frame includes error-checking information, which is processed by the Data Link layer at the receiving end. This layer is responsible for error-free delivery of the data frames. Figure 1.3 shows how a frame might be structured. The Data Link layer is responsible for maintaining the reliability of the physical link, which is established at Layer One just below it. This is the only layer of the OSI model that is divided into sublayers: the LLC (Logical Link Control) and the MAC sublayers. We will look at each of these individually.
25
91_tcpip_01.qx
26
2/25/00
12:26 PM
Page 26
Chapter 1 • TCP/IP Overview
Figure 1.3 The Data Link layer adds a Cyclic Redundancy Check (CRC) for errorchecking.
Destination Address
Source Address
Control Information
Data
CRC
The Logical Link Control Sublayer The LLC sublayer is charged with ensuring the reliability of the link, or connection. IEEE 802.2 is an LLC standard that operates with the CSMA/CD (Carrier Sense Multiple Access/Collision Detection) and the Token Ring media access standards. Point-to-Point Protocol (PPP) also operates at the LLC level.
The Media Access Control Sublayer The MAC sublayer deals with the logical topology of the network. This may or may not be the same as the physical topology, or layout. For instance, IBM Token Ring networks are physical stars, as all computers connect to a central hub (called an MSAU, or MultiStation Access Unit). However, the logical topology is a ring, because inside the MSAU, the wiring is such that the data travels in a circle. A 10BaseT network connecting to an Ethernet hub, on the other hand, is logically a bus (which is why it is sometimes called a star bus). Access Control Methods MAC-level protocols govern the access control method, or how the data accesses the transmission media. The popular methods are grouped in three categories: contention methods, token passing, and polling methods. Contention methods include CSMA/CD, used in Ethernet networks; and Carrier Sense Multiple Access Collision Avoidance (CSMA/CA), used in AppleTalk networks. In both cases, computers that wish to transmit data on the network must compete for the use of the wire or other media. A collision occurs if two stations attempt to send at the same time. CSMA/CD and CSMA/CA differ in their ways of addressing this collision problem. With CSMA/CD, data collisions are detected and the data is sent again after a random amount of time. With CSMA/CA, an “intent to transmit” message is put out as a “feeler” before the computer transmits the actual data.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 27
TCP/IP Overview• Chapter 1
Token passing methods eliminate the possibility of collision by using a circulating signal called a token to determine which computer can transmit. A computer on a token passing network is more polite. Rather than blurting out its transmission whenever it has something to say, it waits patiently for its turn (when the token gets around to it) and sends data only when it “has the floor.” Polling methods are similar in some ways to token passing, except that instead of the group of computers policing themselves by passing around a token, there is a central unit that acts as a “chairperson.” This “presiding” unit asks members of the “committee” in turn whether they have something to say. Since the computers follow these “rules of parliamentary procedure,” data transmission proceeds in an orderly fashion. MAC Addressing. Although the permanent address burned into the NIC is sometimes called the “physical address,” its proper name is Media Access Control address. The MAC sublayer of the Data Link layer also handles MAC addressing functions.
NOTE MAC addresses on Ethernet cards are expressed as 12-digit hexadecimal numbers, which represent 4- bit (6-byte) binary numbers. The first three bytes contain a manufacturer code, which is assigned by the Institute of Electrical and Electronics Engineers (IEEE). The last three bytes are assigned by the manufacturer and represent that particular card.
Each computer must have a MAC address that is unique on the network. Higher-level protocols translate IP addresses (also called logical addresses) to the MAC address, which can be thought of as the real network location. Lower-level protocols cannot recognize or use IP addresses. Think of it this way: A city or county may assign a street name and house number to a structure, but this is really only a “logical” address. Logical addresses can be more easily changed. A neighborhood group will petition to have a street renamed, or the city council will change the numbering scheme to facilitate emergency response or to accommodate new construction. The location where the building stands also has a “physical” address: its geographic coordinates. When the land is surveyed, it will be identified by degrees of longitude and latitude, and these will
27
91_tcpip_01.qx
28
2/25/00
12:26 PM
Page 28
Chapter 1 • TCP/IP Overview
remain constant regardless of changes to the street name and number. That physical address is like the NIC’s MAC address; it will (almost always) remain the same.
NOTE Some network card manufacturers have made NICs that allow you to change the MAC address by “flashing” the card with a special software program. This is a precaution in case you have duplicate MAC addresses on a network because those manufacturers have begun to “recycle” their addresses.
Data Link Layer Devices There is some confusion among network administrators about the network connectivity devices called bridges that operate at the Data Link layer of the OSI model. Bridges can separate a network into segments, but they don’t subnet the network as routers do. In other words, if you use a bridge to physically separate two areas of the network, it will still appear to be all one network to higher-level protocols. Bridges can cut down on network congestion because they can do some basic filtering of data traffic based on the MAC address of the destination computer. When a transmission reaches the bridge, it will not pass it across to the other side of the network if the MAC address of the destination computer is known to be on the same side of the network as the sending computer. The bridge builds tables indicating which addresses are on which side, and uses them to determine whether to let the transmission across. The confusion comes in because there are different types of bridges. Although all work at the Data Link layer, some operate at the lower MAC sublayer and others at the higher LLC sublayer. There are some important differences. One practical question is whether you can use a bridge to connect network segments that use different media access methods (for instance, an Ethernet segment and a Token Ring segment). The answer is yes or no, depending on which type of bridge you’re referring to. A bridge that operates at the Logical Link Control sublayer, sometimes called a translation bridge, can connect segments using different access methods. However, a lower-level bridge (one that operates at the MAC sublayer) cannot. Either type can connect segments using different physical media (that is, a segment cabled with thin coax and a segment running on unshielded twisted pair).
91_tcpip_01.qx
2/25/00
12:26 PM
Page 29
TCP/IP Overview• Chapter 1
Another device that operates at the Data Link layer is the common switch, or switching hub, which has become very popular on Ethernet networks.
NOTE The switched hub is also called a Layer 2 switch. There are more sophisticated switches made by companies such as Cisco Systems that operate at the Network layer and can perform basic routing functions in addition to the type of switching described here.
Like hubs, these switches are central multiport units into which all the computers are connected. Like bridges, the switch keeps a table of MAC addresses, showing which computer is connected to which port. When data comes in, instead of sending it back out to all the computers as the hub does, the switch examines the destination address in the header, consults the table, and sends it only out the port to which the corresponding computer is attached. This cuts down overall network traffic considerably, and helps to prevent collisions.
Layer 1: The Physical Layer To many, the Physical layer is the easiest to understand because it deals with devices and concepts that are more tangible. The Physical layer deals with such things as the type of signal transmission used, the cable type, and the actual layout or path of the network wiring. These are things we can see, touch, or at least easily represent with a drawing or diagram. The functions of the Physical layer devices (NICs, cables, connectors, hubs, and repeaters) are also relatively easy to understand.
Physical Layer Devices Physical layer devices are the stuff of which a networking equipment catalog is made. The basics are deceptively simple: You insert a network card into an expansion slot on each computer, plug a piece of cable into each network card, and plug the other end of each cable into a hub. But leafing through the catalog will reveal that Physical layer issues are a little more complex. Some cable manufacturers offer literally thousands of different cables, and the variety of available network cards and connectivity
29
91_tcpip_01.qx
30
2/25/00
12:26 PM
Page 30
Chapter 1 • TCP/IP Overview
devices is just as overwhelming. Getting a network up and running at the Physical level requires a good bit of knowledge about what works with what, and which hardware type is best for your particular situation. The Network Interface Card (NIC) is the hardware device most essential to establishing communication between computers. Although there are ways to connect computers without a NIC (by modem over the phone lines, or via a serial “null modem” cable, for instance), in most cases where there is a network, there is a NIC (or more accurately, at least one NIC for each participating computer). Bottom line: The NIC must match the bus type for which you have an open slot in the computer, it must be of the correct media access type, it must have the correct connector for the cable your network uses, and it must be rated to transfer data at the proper speed (Ethernet normally transmits at either 10 or 100 Mbps, and Token Ring runs at 4 or 16 Mbps). The Network Media is the cable or wireless technology on which the signal is sent. Cable types include thin and thick coaxial cable (similar to cable TV cable), twisted pair (such as used for modern telephone lines, available in both shielded and unshielded types), or fiber optic (which sends pulses of light through thin strands of glass or plastic for fast, reliable communication, but is expensive and difficult to work with). Wireless media include radio waves, laser, infrared, and microwave. Hubs and Repeaters are connection devices. Repeaters connect two network segments (usually thin or thick coax) and boost the signal so the distance of the cabling can be extended past the normal limits at which attenuation, or weakening, interferes with the reliable transmission of the data. Hubs are generally used with Ethernet twisted pair cable, and most modern hubs are repeaters with multiple ports. Hubs also strengthen the signal before passing it back out to the computers attached to it. Hubs can be categorized as follows: ■
■
Active hubs are the type just described. They serve as both a connection point and a signal booster. Data that comes in is passed back out on all ports. Passive hubs serve as connection points only; they do not boost the signal. Passive hubs do not require electricity and thus won’t have a power cord as active hubs do.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 31
TCP/IP Overview• Chapter 1 ■
Intelligent or “smart” hubs include a microprocessor chip with diagnostic capabilities, so you can monitor the transmission on individual ports.
Recall that there is another type of hub, a switching hub, but it operates at the Data Link Layer rather than the Physical layer.
NOTE The NIC is responsible for preparing the data to be sent out over the network media. Exactly how that preparation is done depends on what media is being used. A Token Ring NIC is different from an Ethernet NIC, for example. It logically would have to be, since they use different access methods. And even though 10Base2, 10Base5 and 10BaseT Ethernet networks all use CSMA/CD as their access method, they use different cable and connector types; however, it is possible to get a “combo” card that has connectors for all three.
Signal Transmission Computers, at the machine level, are amazingly simple; they “think” only in binary, performing rapid calculations on combinations of 0s and 1s. Transferring these binary digits across network media requires a way of representing these 0s and 1s. Luckily, there are many ways to do this. An electrical signal or a pulse of light can indicate 1 when it’s on and 0 when it’s off. This is known as discrete state technology, and digital signaling works this way. Another consideration at the Physical layer is whether the signaling method will use the entire bandwidth of the cable to transmit the data, or will only use one frequency. When all frequencies are used, the transmission method is called baseband. If only part of the bandwidth is used (thus allowing other signals to share the bandwidth), it is referred to as broadband. Traditionally, baseband transmission has been associated with digital signaling, and broadband with analog, but this does not always hold true. For instance, Digital Subscriber Line (DSL) is a high-speed technology offered by many telephone companies for Internet connectivity. DSL is a broadband technology, because it uses only a part of the wire to transmit data. Voice communication can take place simultaneously on the same cable, using a different frequency than is being used by the data communications. Cable television is another example of broadband transmission, bringing dozens of different channels into your home on just one coax cable.
31
91_tcpip_01.qx
32
2/25/00
12:26 PM
Page 32
Chapter 1 • TCP/IP Overview
NOTE Analog signaling—the type used by common telephone lines—transmits by adding signals of varying frequency or amplitude to carrier waves of a particular frequency of alternating electromagnetic current. Unlike the absolute on/off state, it is represented by a waveform. When data is sent over regular phone lines, a modem must convert the computer’s digital signal to analog and back again at the receiving end.
Physical Topologies Another important Physical layer issue is the layout, or topology, of the network. This refers to whether the cables are arranged in a line going directly from computer to computer (bus), in a circle going from computer to computer with the last connecting back to the first (ring), or in a spoke-like fashion with each connecting directly to a central hub (star). A fourth topology, the mesh, is used when every computer is connected to every other computer, creating redundant data pathways and high fault tolerance, at the cost of increasing complexity as the network grows. Wireless communications can use a cellular topology such as is widely used for wireless telephone networks. In this case, an area is divided into slightly overlapping cells, representing connection points. The physical layout of the network will influence other factors, such as what media access method (and thus what cable type) is used. All the Physical layer factors (cable type, access method, topology, etc.), when considered together, define the architecture of the network. Popular network architectures include Ethernet, ARCnet, Token Ring, and AppleTalk.
The IEEE802 Standards The Institute of Electrical and Electronics Engineers, like the ISO, develops standards. The IEEE 802 specifications address various Physical and Data Link layer issues. Those most pertinent for the average network administrator are: ■
■
■
802.2 Establishes standards for the implementation of the LLC sublayer of the Data Link layer. 802.3 Sets specifications for an Ethernet network using CSMA/CD, a linear or star bus topology, and baseband transmission. 802.5 Sets standards for a token passing network using a physical star/logical ring topology; i.e., Token Ring.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 33
TCP/IP Overview• Chapter 1 ■
■
■
802.7 Establishes criteria for networks using broadband transmission. 802.8 Sets specifications for using fiber optic as a network medium. 802.11 Establishes standards for wireless networking.
The 802 Project was named after the year and month that the original committee met: February 1980.
The DoD Model The Department of Defense networking model is older than the OSI, and was developed in conjunction with TCP/IP itself. It is sometimes called the TCP/IP model, but more often referred to as the DoD model. It consists of only four layers, but they can be roughly mapped to the seven layers of the OSI model. The DoD model is illustrated in Figure 1.4. The various protocols in the TCP/IP suite fit nicely into the layers of the DoD model. Remember that the DoD model was designed in the 1970s. The OSI model came along a decade later, with the goal of more specifically defining the layers of functionality for the network components. Figure 1.4 The four layers of the DoD model map roughly to the seven OSI layers. DOD Model
OSI Model Application Layer
Application/ Process Layer
Presentation Layer Session Layer
Host-to-Host Layer Internetwork Layer
Network Interface Layer
Transport Layer Network Layer
Data Link Layer Physical Layer
33
91_tcpip_01.qx
34
2/25/00
12:26 PM
Page 34
Chapter 1 • TCP/IP Overview
The Application/Process Layer The top layer of the DoD model encompasses all three OSI upper layers: Application, Presentation, and Session. Thus, when referring to TCP/IP, you may read that encryption of data or checkpointing and dialog control take place at the Application layer. Remember that this does not mean the OSI Application layer and you’ll avoid confusion.
The Host-to-Host (Transport) Layer The Host-to-Host layer is sometimes labeled the Transport layer, even on four-layer DoD diagrams, and it maps to the Transport layer on the OSI model. TCP, UDP, and DNS operate here.
The Internetworking Layer This layer corresponds closely to the OSI Network layer. IP, ICMP, and ARP function at this layer. As we discussed earlier, IP deals with routing based on logical IP addresses. ARP (Address Resolution Protocol) translates logical addresses to MAC addresses. This translation is necessary because the lower layers can process only the MAC addresses.
The Network Interface Layer The Network Interface layer maps to OSI’s Data Link and Physical layers. The TCP/IP suite itself has no protocols that operate at these lower layers, but uses the standard Ethernet and Token Ring Data Link and Physical layer protocols.
The Microsoft Windows 2000 Networking Model While it’s easy to show the relationships between the OSI and DoD layers, the Microsoft implementation of the TCP/IP networking model is a bit different. It includes a new type of layer, a boundary layer, which interfaces between the actual networking component layers. The boundary layers are open specifications, while the component layers in between are operating system-specific. Figure 1.5 shows the Windows 2000 Networking Model. As you can see, a boundary layer acts as an interface between each pair of component layers. It’s no coincidence that the name of each boundary layer ends with the word “interface.” The three boundary layers are: Application Programming Interface ■ Transport Driver Interface ■ Network Device Interface Specification Let’s discuss each of the component and boundary layers in a little more detail. ■
91_tcpip_01.qx
2/25/00
12:26 PM
Page 35
TCP/IP Overview• Chapter 1
Figure 1.5 The Microsoft Windows Networking Model uses boundary layers. Applications and User Mode Services NetBIOS RPC Win32 Winsock
API Boundary Layer File System Drivers Named Pipes Mailslots Redirectors
TDI Boundary Layer Network Transport Protocols TCP UDP ICMP IP IGMP ARP
NDIS Boundary Layer NDIS Wrapper NDIS WAN Miniport Wrapper PPTP X.25 Asynch ISDN
X.25
Frame Relay
Token Ring
ATM
Ethernet
FDDI
The Application and User Mode Services Component This layer contains the supported types of user applications and services, including NetBIOS (Network Basic Input Output System), Remote Procedure Calls, Win32 and its subsystems, and Windows Sockets applications.
NetBIOS NetBIOS specifies a group of network function calls that lets applications on different computers communicate with each other within a local area network. It was originally developed by IBM, then adopted by Microsoft, and has been the basis for Microsoft networking. NetBIOS communications use a destination name (called, appropriately enough, a NetBIOS name) and a message location to get the data to the correct destination. NetBIOS supports a session mode for establishing a connection and transfer of large messages, and a datagram mode for connectionless transmissions such as broadcast messages.
35
91_tcpip_01.qx
36
2/25/00
12:26 PM
Page 36
Chapter 1 • TCP/IP Overview
NOTE Windows 2000 is the first Microsoft operating system that allows for disabling of NetBIOS, although this is feasible only on a network that has fully migrated to Windows 2000 and uses no NetBIOS network-enabled applications. A hybrid network containing computers running older Microsoft operating systems or NetBIOS applications will still need to use NetBIOS.
Winsock A Winsock program handles input/output requests for Internet applications in a Windows operating system, using the sockets convention for connecting with and exchanging data between two Application layer processes. Winsock runs as a .dll file (dynamic link library). A .dll file is a collection of small programs, any of which can be loaded when an application needs to use it but isn’t required to be included as part of the application.
NOTE A socket, in TCP/IP communications, is the combination of an IP address and a port number, along with a protocol.
The API Boundary Layer The API boundary layer is where the Application Programming Interface (API) operates. An API is the specific method that is set by a computer operating system or an application, allowing a developer, when writing a program, to make requests of the operating system or application.
RPC Remote Procedure Call is what it sounds like: RPC provides a service to application developers to allow for transparent use of a server to provide some action on behalf of the application. Remote procedure calls provide the programmer with a way of hiding an underlying message passing protocol. The RPC protocol was designed to work with IP, but in a way that’s different from TCP. The TCP protocol is used to transfer large data streams (for example, file downloads). RPC was designed for writing network programs, to allow a program to make a subroutine call on a remote machine.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 37
TCP/IP Overview• Chapter 1
NOTE The RPC protocol is documented in RFC 1831, which can be accessed on the Web at www.freesoft.org/CIE/RFC/1831.
Win32 API The Win32 API is a set of predefined Windows functions that are used to control the appearance and behavior of Windows elements. The API functions are stored as .dll files in the Windows system directory (in Windows 2000, the default system directory is /winnt).
The File System Drivers In the Windows NT architecture, on which Windows 2000 is based, network redirectors are implemented as file system drivers. A redirector is a software component that does what its name implies: redirects a request (in this case, from the local machine out over the network). The Server service and the Workstation service are examples of redirectors. Named pipes and mailslots are also network redirectors. Named pipes is used for connection-oriented communication, and mailslots for connectionless data transfer. The network redirectors allow all file systems to appear the same when accessed across the network, hiding their differences from the user. This is why a Windows 95 machine can read and manipulate files through a network share that are stored on an NTFS partition, even though the Windows 95 operating system does not include an NTFS file system driver and thus cannot itself read an NTFS file.
The TDI Boundary Layer The Transport Driver Interface is another boundary layer. The primary purpose of TDI is to define a standard application programming interface for the transport protocol stacks. That is, the low-level kernel-mode driver implementation of protocols such as TCP/IP and NetBEUI TDI provides for standard methods of protocol addressing, sending and receiving datagrams, and other related actions. TDI is an open specification, and programmers can develop TDI drivers written to the specification, which will make it possible for them to work within the Windows networking architecture.
37
91_tcpip_01.qx
38
2/25/00
12:26 PM
Page 38
Chapter 1 • TCP/IP Overview
The Network Transport Protocol Component The Network Transport Protocol layer is easy to understand and to map to the other networking models. This is similar to a combination of the Network and Transport layers in the OSI model (or the Internetwork and Host-to-Host layers in the DoD model). TCP, UDP, IP, ICMP, IGMP, and ARP operate here.
The NDIS Boundary Layer NDIS (Network Driver Interface Specification) is intended to define a standard API for NICs. All NICs made to be used with the same media access type (such as Ethernet or Token Ring) can be accessed using a common programming interface. The MAC device driver that hides the specifics of the hardware implementation is what makes this possible.
The NDIS Wrapper NDIS includes a library of functions (a wrapper) that can be used by MAC drivers and higher-level protocol drivers (such as TCP/IP). The wrapper functions make it easier to develop MAC and protocol drivers and to hide dependencies on a computer platform. The NDIS wrapper allows the higher-level protocols to work with such Data Link and Physical layer protocols as Ethernet, Token Ring, Frame Relay, FDDI, ATM, and X.25. There is also an NDIS WAN miniport wrapper that interfaces with wide area networking protocols like PPTP and ISDN.
A Family of Protocols: The TCP/IP Suite Although TCP and IP make up the protocol “stack” that gets the messages there, and ensures that they get there reliably, an entire suite of protocols has come to be associated with the name and are included in most vendors’ implementations. Some of these are used to provide additional services, while others are useful primarily as information-gathering or troubleshooting tools. As we address various types of TCP/IP connectivity problems throughout this book, we will be using many of these. The following is just an overview of some additional protocols included with Windows 2000 TCP/IP.
Application Layer Protocols The TCP/IP suite provides several protocols that operate at the Application layer to provide services such as news, mail and file transfer, and monitoring/diagnostics capability.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 39
TCP/IP Overview• Chapter 1
FTP The File Transfer Protocol is used for copying files from one computer to another. Windows 2000 includes both a command-line FTP client program (see Figure 1.6) and the FTP server service that is installed as part of Internet Information Server 5.0. FTP will be available at the command line only if the TCP/IP transport protocol is installed. Figure 1.6 Using the Windows 2000 command-line FTP client program to transfer files.
SNMP The Simple Network Management Protocol provides a way to gather statistical information. An SNMP management system makes requests of an SNMP agent, and the information is stored in a Management Information Base (MIB). The MIB is a database that holds information about a networked computer (for example, how much hard disk space is available).
WARNING You must be logged on as a member of the Administrators group to install the SNMP service.
The SNMP agent software is installed as a Windows Component and runs as a service. SNMP management software is not currently included with Windows 2000.
39
91_tcpip_01.qx
40
2/25/00
12:26 PM
Page 40
Chapter 1 • TCP/IP Overview
Telnet Telnet is a TCP/IP-based service that allows users to log on, run character-mode applications, and view files on a remote computer. Windows 2000 Server includes both Telnet server and Telnet client software. See Figure 1.7 for an example of a Windows 2000 Telnet session. Telnet differs from FTP in that you cannot transfer files from one computer to another (upload or download). Telnet is often used to access a UNIX shell account on an ISP’s server and delete e-mail messages directly from the server without downloading them to the local machine. The Telnet protocol itself is used to establish the initial connection to FTP and SMTP servers from the host’s user agent. Figure 1.7 Using Windows 2000’s Telnet client to connect to the iris.irs.ustreas.gov Telnet server.
SMTP The Simple Mail Transfer Protocol is used for sending e-mail on the Internet. SMTP is a simple ASCII protocol and is not vendor-specific.
NOTE For more information about SMTP, see RFC 821 at www.cis.ohiostate.edu/htbin/rfc/rfc821.html.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 41
TCP/IP Overview• Chapter 1
Because SMTP has limited capability in queuing messages at the receiving end, most e-mail client programs use SMTP for sending e-mail, and either POP3 or IMAP for receiving the messages that come in and are stored on a server.
HTTP The HyperText Transfer Protocol is perhaps the most familiar of the Application layer protocols because it is used on the World Wide Web, the most popular Internet service. HTTP allows computers to exchange files in various format (text, graphic images, sound, video, and other multimedia files) via client software called a Web browser. A computer running a Web server program, such as Microsoft’s Internet Information Server, stores files in HyperText Markup Language (HTML) format that can be accessed by the client browser. These HTML “pages” often contain hyperlinks for quickly and automatically connecting to other files on the Internet, on an intranet, or on the local machine. The current version is HTTP 1.1, which was developed by a committee of the IETF. It contains enhancements that allow for faster transfer of information.
NOTE The specifications for HTTP 1.1 are defined in proposed RFC 2068, which can be accessed on the Web at www.ics.uci.edu/pub/ietf/http/rfc2068.txt.
NNTP Network News Transfer Protocol is used for managing messages posted to private and public newsgroups. NNTP servers provide for storage of newsgroup posts, which can be downloaded by client software called a newsreader. Windows 2000 Server includes an NNTP server with IIS. Outlook Explorer, version 5, which is part of the Internet Explorer software included with Windows 2000, provides both an e-mail client and a newsreader.
41
91_tcpip_01.qx
42
2/25/00
12:26 PM
Page 42
Chapter 1 • TCP/IP Overview
Transport Layer Protocols The TCP/IP suite includes two Transport layer protocols, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP As already discussed, TCP is the connection-oriented protocol that should be used when error control is of high priority. TCP provides highly reliable, full-duplex transport services, and supports sequence numbering so that large messages can be broken down and then reassembled at the receiving end.
UDP UDP performs the same basic function as TCP—transport of datagrams— but does so in a “bare bones” manner. It does not acknowledge receipt of the messages, nor does it sequence the datagrams. UDP should be used when speed is a high priority and assured delivery of the messages is less critical.
Network Layer Protocols The suite includes several protocols that operate at the Network layer of the OSI model, including one of the two “lead singers” of the suite: IP.
IP The Internet Protocol handles addressing and routing at the Network level, relying on logical (IP) addresses. It can use packet-switching methods to route different packets, which are all part of the same message, via different pathways. It can use dynamic routing protocols to determine the most efficient routes on a per-packet basis. IP is a connectionless protocol; it depends on TCP at the Transport layer above it to provide a connection, if necessary. However, it is able to use number sequencing to break down and reassemble messages, and uses a checksum to perform error-checking on the IP header.
ARP and RARP The Address Resolution Protocol (ARP) translates the logical IP addresses to physical MAC addresses. ARP discovers this information by way of broadcasts, and keeps a table of IP-to-MAC entries. This table is referred to as the ARP cache. Reverse Address Resolution Protocol (RARP) is a similar protocol that does just the opposite: Instead of starting with an IP address and finding the matching MAC address, it uses the MAC address to find the IP address, somewhat like a “criss-cross” telephone directory.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 43
TCP/IP Overview• Chapter 1
ICMP The Internet Control Message Protocol is known as a “maintenance” protocol and is required in TCP/IP implementations. It lets two computers on an IP network share IP status and error information. ICMP is used by the Ping utility discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000.”
NOTE The standards for ICMP are defined in RFC 792.
Computers and routers using IP can report errors and exchange control and status information via ICMP.
IGMP The Internet Group Management Protocol (IGMP) allows host computers on the Internet to participate in IP multicasting. A multicast address identifies a transmission session, instead of a particular physical destination. This allows for sending a message to a large number of recipients without the necessity for the source computer to know the addresses of all the recipients. The network routers translate the multicast address into host addresses.
NOTE IGMP was originally defined in RFC 1112. Extensions have been developed and are included in IGMP, version 2, addressed in RFC 2236.
A computer uses IGMP to report its multicast group memberships to multicast routers. IGMPv2 allows group membership terminations to be reported promptly to the routing protocol. IGMP is required to be used in host computers that wish to participate in multicasting.
TCP/IP Utilities In Chapter 4, we will be looking in detail at the following utilities, which are also included in the TCP/IP suite: ■
IPCONFIG
43
91_tcpip_01.qx
44
2/25/00
12:26 PM
Page 44
Chapter 1 • TCP/IP Overview ■ ■ ■ ■ ■ ■
NETSTAT NBTSTAT NSLOOKUP ROUTE TRACERT PING and PATHPING
Basic Network Design This book focuses on troubleshooting issues, and is not meant to be a comprehensive guide to designing a network. However, the best way to deal with trouble is to avoid it in the first place; thus, we will briefly discuss how thoughtful design can make your Windows 2000 TCP/IP network less prone to problems.
Planning as Preventative Medicine Whether you are setting up a brand new network or migrating to Windows 2000 from an earlier Windows NOS or a non-Microsoft NOS, putting some extra time into planning and preparation is likely to pay off in a reduction in time (and frustration) expended on troubleshooting later. Some common problems are specific to particular migration scenarios, and are discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network.” Some general network design issues apply, however, regardless of your situation and individual network characteristics. Let’s take a look at a few of those now.
Testing and Implementation Before you make significant changes to your production network, it is extremely important that you test those changes in a controlled environment. This is true whether you are merely trying out a new TCP/IP-based application or rolling out a whole new Windows 2000 network. Prototyping is also the first step in troubleshooting networking problems. This refers to creating a test environment in which you recreate the problem and can try various solutions without fear that the “cure will be worse than the disease” and cause loss of data or network downtime on your “real” network.
Prototyping Setting up a prototype environment, or test lab, can be your best troubleshooting tool. In this situation, you can test different installation procedures and options before deploying Windows 2000 to your production
91_tcpip_01.qx
2/25/00
12:26 PM
Page 45
TCP/IP Overview• Chapter 1
machines. This will help you to accurately predict any problems that may occur and find solutions to them. The key to the prototype environment is that it should be: ■ ■
Completely independent of your company LAN As identical as possible to the company LAN environment
To create a realistic test environment, you should have a server running the same operating system and other software as your production server(s), and one or more client computers using the same operating system as your network desktop systems, again with all the same software installed. The hardware for the prototype and production machines should also be as identical as possible. Prototyping allows you to uncover problems that might occur in an actual installation scenario, and address them beforehand. This prevents the loss of productivity and inconvenience to employees that would be a result of encountering “surprise” problems during the actual installation. The test lab is useful long after you’ve completed the deployment of Windows 2000. It can be used for troubleshooting problems that occur later, in a controlled and “safe” environment that won’t affect the network’s productivity. It can also be used to plan future upgrades, and as a training ground where administrators can familiarize themselves with the new software
Pilot Programs After you have tested the new operating system in a prototype environment that is isolated from all of your production machines, you may still wish to implement the change on a limited basis first. This will allow you to evaluate the transition in a realistic setting, with actual network users, and uncover problems that may not have manifested themselves in the more controlled test lab. In that case, a pilot program will add another layer of protection before you expose the entire network to potential upgrade problems. It may be best to choose a specific department, or you may find it more beneficial to upgrade the machines of selected users throughout the organization. It is probably best not to do so on a random basis. You will want to consider several factors when deciding which machines to upgrade: ■
One strategy is to choose a department or group that is not involved in mission-critical work, or one that is in a “slow period.” You would not want to select the Tax department for your pilot group if an important filing deadline is just around the corner, or if the company is currently being audited by the IRS.
45
91_tcpip_01.qx
46
2/25/00
12:26 PM
Page 46
Chapter 1 • TCP/IP Overview ■
An alternate method is to compile a pilot group made up of users from different departments who are considered “power users”; that is, those who are more computer-savvy and thus unlikely to panic if problems arise. A group of users with some technical knowledge may also be better able to document problems they encounter and more accurately report them to you.
Rollout Sooner or later, regardless of how little or how much testing you do, you must implement the new operating system throughout the organization. In a large company, you will probably want to do so in phases, and there may even be some users who, by choice or due to budget considerations or other factors, won’t be in the rollout list at all. However you do it, you can anticipate that there will be some problems involved in upgrading any network that has more than a few computers. Things will go more smoothly if you follow a few basic guidelines: Users should be trained prior to the implementation of the new operating system. This can be done through formal sessions in a classroom on-site or by sending them outside the company to classes in using the new operating system. Don’t deploy a brand new operating system that your users have never had an opportunity to use. Plan the rollout to create as little disruption as possible. The actual upgrade could take place on the weekend or during a time when the offices are closed, or when fewer employees are working if the office is occupied around the clock every day. If you can avoid interfering with users’ attempts to get work done, your job will go more smoothly. Always inform users of the upgrade schedule. As a rule, people don’t like suprises. Even those who are looking forward to the upgrade may not be happy to come in to work one Monday morning and find that their operating system has been replaced, without any prior notice or the chance for them to prepare psychologically for the change. Proper planning is always worth the time it requires. By mapping out your installation or upgrade strategy beforehand, and anticipating problems before they happen, you may find that they needn’t occur at all.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 47
TCP/IP Overview• Chapter 1
Summary In the computer industry, time moves at a pace that’s different from the rest of the world. By those standards, the TCP/IP protocol suite has a (relatively) long and venerable history. We can expect it to stay with us for years to come. TCP/IP is the protocol stack of the global Internet. Until that changes, its “job security” is assured. But IP must undergo changes to keep up with the extraordinary growth in the number of computers and networks that has been a hallmark of the 1990s, and is expected to continue well into the next millennium. One problem that must be addressed is the very practical one of providing for enough available IP addresses to ensure that we won’t run out anytime in the near future. IPv6, the “next generation” of the Internet Protocol, was designed with this goal in mind. It is already being implemented in some quarters, and is likely to enjoy a gradual but steady “takeover” until it finally replaces the current implementation, IPv4. TCP/IP as we know it today consists of an entire suite of protocols. To understand how various protocols in the suite work together, we can use one of the popular networking models as a reference point. Models give us a way to graphically represent and better understand the process of communication between computers that share their resources with one another. The Open Systems Interconnection (OSI) model is the current recognized standard. It was developed by the International Organization for Standardization and provides a set of common specifications to which networking components can be designed. Compliance with the standard ensures that products made by different manufacturers will still be able to interoperate. The Department of Defense (DoD) model is the one on which TCP/IP was originally based. It is an older model, and functions are not as finely divided as in the OSI model, but its layers can easily be mapped to those of the OSI model. Microsoft uses a different model, the Windows networking model, which includes a concept that isn’t encountered in the others: boundary layers. Boundary layers are interfaces that are open specifications, and act as “glue” between the component layers of the network operating system software. Understanding the networking models make it easier for administrators to troubleshoot problems with TCP/IP connectivity by helping to narrow down possible sources of the malfunction. The Windows 2000 TCP/IP suite also includes a virtual “toolkit” of utilities, which an administrator can use to gather information and test connections. The first step in troubleshooting is practicing “preventative medicine”; that is, ensuring that the setup of a new network or the migration to a
47
91_tcpip_01.qx
48
2/25/00
12:26 PM
Page 48
Chapter 1 • TCP/IP Overview
new operating system is done in a well-organized fashion. Testing and prototyping, pilot programs, and a thoughtfully-planned rollout strategy will go a long way toward reducing the incidence of troubleshooting that will be required later on.
FAQs Q: Why do some books specify that certain software components, such as redirectors, operate at the Application layer, while others say that redirectors work at the Presentation layer? A: There are a few reasons for the discrepancy. First, there are many different types of network redirectors, some of which are part of the operating system, and others (such as the Novell Client 32 software for connecting a Windows machine to a NetWare network) made by third parties. Additionally, some books reference the OSI networking model, which consists of seven layers, while others are basing their statements on the DoD model, which only has four. A component that operates at the Presentation layer of the OSI model would be operating at the Application (or Application/Process) layer of the DoD model. Q: It’s called TCP/IP. What are all those other protocols, and what are they for? A: TCP and IP are the “core” protocols (sometimes called the “protocol stack”), but an entire suite of useful protocols has grown up around them. Some of these provide for basic functionality in performing such common network tasks as transferring files between two computers (FTP) or running applications on a remote computer (Telnet). Others are used for information gathering (SNMP, NETSTAT, IPCONFIG), and many are troubleshooting tools that also allow you to perform basic configuration tasks (ARP, ROUTE). Q: What is the difference between TCP and UDP if they both operate at the Transport layer? A: Although both TCP and UDP are Transport layer protocols and provide the same basic function, TCP is a connection-oriented protocol, which means a session is established before data is transmitted, and acknowledgments are sent back to the sending computer to verify that the data did arrive and was accurate and complete. UDP is connectionless; no session or one-to-one connection is established prior to data transmission. This makes UDP the faster of the two, and TCP the more reliable.
91_tcpip_01.qx
2/25/00
12:26 PM
Page 49
TCP/IP Overview• Chapter 1
Q: What is the purpose of a networking model? How will knowing this theoretical stuff help me in administering my TCP/IP network? A: The models give us a way to understand the process that takes place when computers communicate with each other across the network, the order in which tasks are processed, and which protocols are responsible for handling which duties. Understanding the models will help you to narrow down the source of your TCP/IP connectivity problems. For example, if you know that the data is being sent but is not arriving at the correct destination, you will know to start troubleshooting by examining what is happening at the Network layer, since that’s where addressing and routing takes place. Q: Why do we need three different networking models? Why can’t everyone use the same one? A: Actually, that was the plan when the ISO developed the Open Systems Interconnection model. It was to be the common standard used by all vendors and software developers in describing the network communication process. The DoD model actually predates the OSI, and the seven-layer OSI model builds on (and further breaks down) the components of the DoD model. However, individual vendors such as Microsoft still use their own models, which map more closely to their software (such as the Windows NT/2000 model), although they also use the OSI model as a guideline. Q: What is a gateway, and why would I need one? A: The word gateway has many different meanings in the IT world. A protocol translating gateway translates between different protocols. Think of it as the United Nations interpreter of the networking world. If the president of the United States needs to exchange information with the president of France, but neither speaks the other’s language, they can call in someone who is fluent in both to help them get their messages across. Similarly, if a mainframe system and a Windows 2000 computer need to communicate with one another—perhaps the mainframe has important files that need to be accessed by the PC— but they don’t know how to “talk” to each other, you can install a gateway to clear up the confusion. The gateway is even more skilled than the interpreter is; it actually fools the mainframe into believing it’s communicating with another mainframe, and makes the PC think it is having a “conversation” with a fellow PC. Gateway is also the term used to refer to the address of a router that connects your network to another, acting as the gateway to the “outside world.”
49
91_tcpip_01.qx
2/25/00
12:26 PM
Page 50
91_tcpip_02.qx
2/25/00
12:30 PM
Page 51
Chapter 2
Setting Up a Windows 2000 TCP/IP Network
Solutions in this chapter: ■
Designing the Network
■
Migrating from Windows NT 4.0
■
Migrating from Novell NetWare
■
Setting Up a Windows 2000 TCP/IP Network from Scratch
51
91_tcpip_02.qx
52
2/25/00
12:30 PM
Page 52
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Introduction The process of setting up a new TCP/IP-based Windows 2000 network can be relatively simple or hopelessly complex. Whether you’re building a brand new network from scratch or migrating to Windows 2000 from another operating system(s), planning is the key. No set formula works in every situation. You may encounter issues in upgrading your NT 4.0 network that will be completely different from those involved in migrating from NetWare or UNIX. If you’re starting at ground zero, constructing a new network where there was none before, you’ll have more options, but that can make your job more challenging instead of less. Fortunately, even though every case is different, there are some general guidelines that are common to all, and design checklists to get you started. Migrating or creating a network is a massive undertaking. A TCP/IP network will usually require more planning than one that runs on IPX or NetBEUI, due to the potential complexity of IP addressing issues. Likewise, planning a Windows 2000 network may require more (or a different type of) planning than one based on NT servers due to the greater complexity of the directory services structure. If a functioning network is already in place and is running a different protocol stack or network operating system, you will face special challenges. Each migration scenario presents its own unique problems and opportunities. In this chapter, we will examine some of the more common situations you may encounter in setting up a new Windows 2000 TCP/IP network, either “from the ground up” or making the switch from another popular network operating system.
Designing a New Windows 2000 TCP/IP Network Good network design is key in preventing later problems. As a network administrator, you may have come to the job too late to have much (or any) input into the design process. If the network infrastructure was already in place when you took on the position, you inherited the problems of your predecessor. Your network may have been carefully and thoughtfully planned, with future upgrades in mind. If so, count yourself lucky. All too often, a network just “grows that way.” As the computing and connectivity needs of the organization expand, a server is added here, a router is installed there, and systems are upgraded in some departments but not in others. The result is a diversity of hardware and software configurations in place
91_tcpip_02.qx
2/25/00
12:30 PM
Page 53
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
throughout the network. This can make for many administrative headaches. In building a new network, you face a lot of hard work, but you have the chance to learn from past mistakes (both yours and those of others who came before you) and do it right. Patience is a virtue, and this is never truer than when planning the design of a new Windows 2000 TCP/IP network.
The Planning Team Two or more heads are often better than one when it comes to putting together an upgrade plan. In all but the smallest organizations, you should first gather a planning team to share the multiplicity of tasks involved and to lend different perspectives in the important early design stages. Your team members should be well versed in the company’s unique needs, the Windows 2000 operating system, and how TCP/IP communication works. In some cases, it may be beneficial to hire outside consultants who are experienced in network design. However, those who will ultimately be responsible for administering the network should be heavily involved in the planning process from the beginning. Some companies make the mistake of asking for a “turn key operation,” thinking this means that no one on staff has to bother with design and setup issues. You pay someone else (usually quite handsomely) to do it all, and a few months later they hand you a complete, ready-to-go-online enterprise-level network. The idea sounds attractive, but it can turn into a nightmare later on. Those who will be working with the hardware and software on a daily basis can give valuable input during the planning stages, which may prevent many common post-deployment problems. Whether you recruit and lead a planning team from within the organization or work closely with an outside group, it’s important that you, the network administrator, be aware of some of the issues involved in establishing a new Windows 2000 network.
Planning the Hardware Configurations One of the strengths of the TCP/IP protocol stack is that it will run on almost any hardware platform. However, the Windows 2000 operating system has minimum hardware requirements that must be considered in planning any new installation, upgrade, or migration. Hardware-related problems can be mistaken for TCP/IP connectivity problems, so in order to reduce the time spent troubleshooting communication problems, start with the proper hardware.
53
91_tcpip_02.qx
54
2/25/00
12:30 PM
Page 54
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
You can avoid many problems by ensuring that your systems and their components meet the minimum requirements. Check the Hardware Compatibility List (HCL) on Microsoft’s Web site before implementing Windows 2000 on your network. Plan to upgrade hardware that does not meet the requirements, or alternately, to run so-called “down-level” operating systems on those computers (Windows NT or Windows 9x) until they can be upgraded or replaced.
NOTE Hardware Compatibility Lists for all current Windows operating systems can be found at www.microsoft.com/hwtest/hcl/.
In general, Microsoft’s published minimum system requirements to run Windows 2000 include: ■ ■
■ ■
Pentium 133 or equivalent processor 64MB RAM for Windows 2000 Professional; 128MB RAM for Windows 2000 Server/Advanced Server Approximately 1GB hard disk space VGA or better display; keyboard (mouse optional)
These should be taken as absolute minimums, not as recommendations. Optimum performance will require more memory and faster processor(s), especially for heavily-used servers. A Windows 2000 server acting as a domain controller (DC), due to the high overhead required for the Active Directory, realistically requires a minimum of 128 to 256MB of RAM for minimally acceptable performance. Disk space requirements vary widely depending on whether you are installing to a clean drive or upgrading a previous operating system, what file system is being used, and other factors. It is important that you assess your needs carefully, in accordance with budgetary and other considerations.
Planning the Physical Layout The physical layout, or topology, of the network will directly or indirectly influence such things as the type of cabling to be used, the media access control method, the limitations on cable distance, number of nodes per segment, and other “rules and regulations” with which you must comply to meet standard specifications for Ethernet, Token Ring, or other network types.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 55
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Numerous excellent resources offer guidance in the implementation of the popular network topologies and architectures. In some cases, the network administrator will be directly involved in selecting cable types and choosing individual pieces of network hardware. In a large network environment, an outside firm may be hired and given an overall “mission,” and granted the authority to make most such decisions. Either way, it is important to ensure that the final implementation complies with ISO, IEEE, and other industry standards, and building codes and other local regulations.
Diagramming the Network Layout One of your most important tasks in planning the physical layout is to diagram the network. There are many excellent software tools, such as Visio, that you can use to visually represent the layout and show the connections of servers, hubs, routers, workstations, and other network devices. See Figure 2.1 for an example of a Visio drawing using the network diagramming templates included with the software. Figure 2.1 A simplified sample network diagram.
Wkst1
Wkst2
Wkst3
Hub tacteam.net dev.tacteam.net Router
Proxy Server
federation.tacteam.net Hub Internet WkstA
WkstB
WkstC
55
91_tcpip_02.qx
56
2/25/00
12:30 PM
Page 56
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Whether you use diagramming software to construct a professionallooking diagram or simply sketch the network layout manually, how you do it is less important than getting it done. You may be tempted to skip this step if you’re on a tight schedule, thinking you can always come back and create this documentation after the fact. However, the network diagram, properly used, is more than just a record of the network’s design. It is also a planning tool. It is much easier to move devices around and reroute cabling on paper (or on the screen) than it is to lug those heavy pieces of equipment from place to place or manipulate lengths of twisted pair through crawlspaces to “try out” different configurations in the corporeal world. You can save much time, effort, and aggravation by considering different options during the diagramming stage. Remember that later changes to the infrastructure will be expensive and time-consuming, and may result in high indirect costs due to downtime. The physical aspects of the network are its foundation, so get that right from the beginning and you will automatically reduce the chances of problems in the future.
TIP Visio 2000 Enterprise edition will even discover and draw out the network for you! For more information, see www.visio.com/visio2000/enterprise/.
Planning for Sites If you built or worked with wide area networks (WANs) based on NT 4.0 servers, you probably thought of each separate geographic location, such as a branch office, as a “site.” In Windows 2000 TCP/IP networking, the term “site” has a new and specific meaning, and site planning has taken on a new importance.
What Is an Active Directory Site? According to Microsoft, in Windows 2000 a site is defined as “one or more well-connected (highly reliable and fast) TCP/IP subnets that allows administrators to configure Active Directory access and replication topology quickly and easily to take advantage of the physical network.” Sites are published to the Active Directory, which uses the site information in performing replication and responding to service requests. The goal is to improve the efficiency and performance of the WAN.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 57
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Note that creating a site is a way of grouping together computers that have a fast connection. A site does not necessarily represent a group of computers that are at the same physical location. The site concept is independent of domain configuration. A site can span multiple domains, or one domain may include computers at different sites. In general, computers in the same TCP/IP subnet will share a fast connection (Microsoft documentation refers to them as “well connected”). Thus when you set up a new Windows 2000 network, subnetting decisions and site planning will go together. Sites are created and configured using the Sites and Services MMC. To access the MMC: Start | Programs | Administrative Tools | Active Directory Sites and Services. Figure 2.2 shows how a new site is created with this tool. Figure 2.2 Using the AD Sites and Services MMC to create a new site.
With this tool, you can establish links between two or more sites, set up replication frequency, configure site link cost, create subnets and associate them with sites, force replication over a connection, and perform many other tasks involved in using Active Directory sites.
57
91_tcpip_02.qx
58
2/25/00
12:30 PM
Page 58
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
NOTE Site link costs are defined by the administrator, using relative numbers. The cost of the replication over the link is based on the speed of the connection, in relation to other links. For example, if two sites A and B are connected with a high-speed T1 connection, and sites A and C are connected by a 56K modem connection, the “cost” value assigned to the AC link would be higher than that assigned to A-B.
How Sites Are Used in Windows 2000 Networks Once sites are set up, Windows 2000 and the Active Directory use them for three primary purposes: ■ ■ ■
To optimize logon authentication To optimize Active Directory replication To optimize Active Directory enabled services
Optimizing Logon Authentication Sites are used during domain logon, to optimize the logon authentication process. When a computer initiates logon to the domain, the global catalog (GC) will be searched for a domain controller that belongs to the same site as the computer that is logging on. This minimizes the possibility of computers using a slow WAN link to log on.
Optimizing Active Directory Replication The Active Directory uses Windows 2000 site information in determining how and when to replicate directory information between domain controllers. In Windows NT 4.0 networks, only the primary domain controller (PDC) has a writable copy of the security accounts database, and readonly copies are replicated to backup domain controllers (BDCs) on a regular basis. In Windows 2000 networks, all domain controllers have a complete read/write copy of the Active Directory partition, which contains the security database and other directory information. Since changes can be made to any of these domain controllers, it is important that those changes be replicated to other domain controllers throughout the network to keep each up to date. Replication traffic can become a problem on a heavily-used network, so Microsoft uses the site concept to attempt to achieve a balance and reduce “traffic jams” caused by frequent replication across low-bandwidth links.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 59
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Windows 2000 allows the administrator to customize the replication schedule between sites by creating site links. Replication between domain controllers within a site (intrasite replication) can take place at shorter intervals, while replication to domain controllers at remote sites can be scheduled less frequently, and/or configured to occur at low-usage times of the day.
Optimizing Active Directory Enabled Services Services that use the Active Directory for distribution of information will also show increased performance when AD sites are properly planned and implemented. In a Windows 2000 network, the Active Directory can be used to publish what Microsoft calls “service-centric” configurations to make a service more accessible and easier to manage. When the service is published to the Active Directory, applications can access the directory for information that they can use to access the servers’ services. The advantage is that the client doesn’t have to know which server a resource resides on in order to access it. The request for services is made to the Active Directory itself, which is always located on a domain controller.
TIP The Services node is not displayed by default in Active Directory Sites and Services. To show it, you must open the Sites and Services administrative tool and choose “Show services node” on the View menu.
What type of service information would you want to publish to the Active Directory? Most commonly, this would include configuration information. This information is then accessed by the client applications so that less manual configuration of applications is required of users and administrators.
Planning the Namespace An integral part of a Windows 2000 TCP/IP network is the Active Directory namespace. Unlike a Windows NT network, the Windows 2000 namespace is hierarchical. That is, domains are structured in trees, which start with a root domain under which subdomains (called “child domains”) exist, with each child domain incorporating the parent domain’s name as part of its own. Separate trees can be combined into forests in which each tree has a unique namespace, but within which the root domains of all the trees share a transitive trust relationship. Figure 2.3 demonstrates the domain relationships in a Windows 2000 network.
59
91_tcpip_02.qx
60
2/25/00
12:30 PM
Page 60
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Figure 2.3 Two domain trees in a Windows 2000 forest. shinder.net tree
tacteam.net tree root domains tacteam. net
dev. tacteam. net
shinder. net
fed. tacteam. net
training. shinder. net
efc. training. shinder.net
You will notice that the hierarchical namespace used by Active Directory is patterned after the Domain Name System (DNS) namespace used on the Internet. In fact, DNS (or Windows 2000’s dynamic implementation, called Dynamic DNS, or DDNS) is a required service on a Windows 2000 network using Microsoft’s new directory services. You will want to plan the namespace carefully, considering such factors as: ■ ■ ■
■
Geographic divisions of the company Divisions of administrative responsibility Special needs requiring different domain policies (language and currency differences, for instance) Potential replication traffic
Creation of the namespace should be done in conjunction with the creation of IP subnets and Active Directory sites.
Planning the Addressing Scheme Another important aspect of planning the new network is giving some thought to your IP addressing scheme. For TCP/IP communication to take place, each network interface (which includes each network card in each computer, and each router interface) must be assigned an IP address that
91_tcpip_02.qx
2/25/00
12:30 PM
Page 61
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
is correct for the network segment to which it is attached. In configuring the TCP/IP protocol, it is mandatory that you either enter an address manually or set up the computer to get an address automatically from a DHCP server. You also must configure each TCP/IP computer with a subnet mask, which is used to determine what portion of its IP address represents the network identification and what part represents the particular host computer on that network. If your class A, B, or C network is divided into subnets, the subnet mask must be calculated based on the desired number of network IDs and the desired number of hosts per subnet. For more detailed information on IP subnetting, see Chapter 8, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems.”
NOTE If your network is not subnetted, you can use the default subnet mask for that network class. In decimal form, the default subnet masks are as follows: Class A: 255.0.0.0 Class B: 255.255.0.0 Class C: 255.255.255.0
In planning your IP addressing scheme, you need to consider whether you will reserve a block of public addresses so that each computer can access the Internet via a registered address, or whether you will use a proxy server or Network Address Translation (NAT) to provide Internet access to multiple computers through one registered address. Will you assign IP addresses manually, via a DHCP server, or a combination of the two? You must decide whether to divide the network into subnets. Unless it is a very small organization, it’s likely that you will need to do so in order to optimize performance. It will also be necessary to consider the best placement of routers, domain controllers, DNS, WINS, and DHCP servers.
Installing and Configuring Windows 2000 TCP/IP The first step in preventing problems with TCP/IP connectivity is to ensure that the protocols are installed and configured properly. Windows 2000 makes it easy; in fact, TCP/IP is the default networking protocol and is normally installed when you install the operating system. If it was not, or if it has been removed, installing the TCP/IP suite is a straightforward process.
61
91_tcpip_02.qx
62
2/25/00
12:30 PM
Page 62
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Network Design Checklist ❏ Put together a planning team of persons who are ■ ■ ■
Knowledgeable about how a TCP/IP network works Knowledgeable about the Windows 2000 operating system Knowledgeable about the company’s unique needs
❏ Assess hardware ■ ■
Check the Hardware Compatibility List Upgrade if necessary
❏ Plan the physical layout of the network ■ ■
■
Select the topology Check requirements for compliance with standards and regulations Diagram the network
❏ Plan Active Directory sites ❏ Plan the Active Directory namespace ❏ Plan the IP addressing scheme
Installing TCP/IP on a Windows 2000 Computer Before beginning the installation process, be sure you have the information that will be needed as you go through the steps. First, you must know whether your network uses a DHCP server or manual IP address assignment. If you are going to assign an address manually, you will need to have the following information: ■
■ ■
■
A valid address for the network segment on which the computer will reside, not currently in use by another computer A valid subnet mask The IP addresses of the DNS and WINS servers that the computer will use for name resolution The IP address of the default gateway (router) for your network segment, if applicable
You should write this information down and keep it with other documentation for the computer, so that if the settings are lost and must be reconfigured at a later time, you will have it at hand.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 63
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
NOTE If your network is not routed, the default gateway parameter is left blank.
When you have all of the required information, you can proceed with installing the protocols. You will need to configure TCP/IP for each network adapter card that will use the protocol.
TIP The easiest way to find the subnet mask, gateway, and name resolution server information is to look at the TCP/IP configuration screen on another computer that is successfully connected on the same network segment.
The Protocol Installation Process Those who are familiar with installing networking components in Windows NT will find that the interface has changed in Windows 2000. To install TCP/IP (or other protocols), open the Network and Dialup Connections applet: Start | Settings | Network and Dialup Connections You can then select the icon for the network connection over which you wish to use TCP/IP (or click the Make New Connection icon to create one). In our example, this is our local area network connection (see Figure 2.4). Double-click the connection’s icon and click PROPERTIES. This will open a screen similar to the one shown in Figure 2.5. The Properties sheet will list those protocols and components already installed, and allow you to install, uninstall, and configure the properties of networking components.
WARNING If you uninstall a protocol, it will be uninstalled for all network connections on your computer that use this adapter, not just the connection associated with the Properties sheet from which you uninstall it. For example, if you uninstall TCP/IP in the VPN connection Properties sheet, it will no longer be available for your local area connection. There is no warning message informing you of this, so be careful when uninstalling protocols.
63
91_tcpip_02.qx
64
2/25/00
12:30 PM
Page 64
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Figure 2.4 Select a network connection for which you wish to install TCP/IP.
To install the TCP/IP protocol, click INSTALL. You will see the screen shown in Figure 2.6. Select Protocol from the list of component types, and click ADD. You will be shown a list of the protocols available for installation, as in Figure 2.7. Click Internet Protocol (TCP/IP), and click OK. The protocol stack will be installed on your computer, and will now show up in the list of protocols on the Properties sheet for the connection.
TIP Unlike Windows NT, Windows 2000 will not display TCP/IP (or other components) in the list of available protocols to be installed if it is already installed, so you cannot install multiple instances of the protocol.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 65
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
65
Figure 2.5 The Properties sheet for the local area connection shows which components and protocols are installed for this network adapter.
Figure 2.6 The Select Network Component Type dialog box allows you to add client software, a network service, or a networking protocol.
91_tcpip_02.qx
66
2/25/00
12:30 PM
Page 66
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Figure 2.7 Select TCP/IP from the list of available networking protocols.
Configuring TCP/IP The next step is to configure TCP/IP’s properties. To do so, select it on the Network Components Properties sheet (the same one shown previously in Figure 2.5) and click PROPERTIES. You will see the TCP/IP Properties sheet shown in Figure 2.8. If there is a DHCP server on your network that this computer will use to obtain an IP address, select the radio button to obtain an IP address automatically. Otherwise, you will need to manually configure the IP address, subnet mask, default gateway, and DNS server address(es).
NOTE Even if your network uses a DHCP server, some computers—because of their roles and functions—may need to be assigned static addresses manually. In general, domain controllers, DNS and WINS servers, and the DHCP server itself should not use dynamic addresses.
By clicking ADVANCED, you can add multiple IP addresses and gateways, fine-tune DNS and WINS settings, and enable and configure IP Security (IPSec) and TCP/IP filtering. These issues will be discussed in later chapters in conjunction with troubleshooting addressing, name resolution, and security problems.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 67
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Figure 2.8 Use the TCP/IP Properties sheet to assign addressing information.
TIP After installing and configuring TCP/IP, you may need to reboot the computer in order to log on to your Windows 2000 domain.
TCP/IP Installation and Configuration Checklist ❏ Gather needed information ■ ■
DHCP server address or IP address to be manually entered, DNS and WINS server addresses, subnet mask, and default gateway (if applicable)
❏ Install the TCP/IP protocol ❏ Configure the TCP/IP protocol
67
91_tcpip_02.qx
68
2/25/00
12:30 PM
Page 68
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Upgrading to Windows 2000 from Windows NT 4.0 Microsoft designed Windows 2000 as the successor to Windows NT 4.0, thus some thought and planning were given to providing a viable upgrade path. You may find, however, that restructuring your NT 4.0 network prior to the upgrade will make the transition to Windows 2000 go more smoothly. There are several NT domain models, and some will be easier to upgrade than others. In particular, you may find it expedient to combine several NT domains into one before the upgrade. A Windows 2000 network generally requires fewer domains than NT networks. This is because in Windows NT networks, the domain was the smallest security entity. If you wished to decentralize administrative authority, you needed to create separate domains. Windows 2000 allows for more granular assignment of administrative privileges. Organizational units (OUs) can be created and control over different OUs given to different persons without making them administrators over the entire domain. Another reason for creating new domains in an NT network was the limitation on the number of security principals (user and group accounts) that could exist in a domain. Since Microsoft recommended that the Security Accounts Database not exceed 40MB in size, for practical purposes an NT domain could only contain about 40,000 accounts, which represented the total of user, computer, global group, and local group accounts. With Windows 2000, security information is kept in the Active Directory, which can hold literally millions of security objects.
NOTE Compaq Corporation has been able to run successful simulations of Windows 2000 Advanced Server with up to 16 million security principles!
The Windows NT Domain Models In Microsoft networking, a domain is a basic security unit, with a unique name, which provides access to the centralized user accounts and group accounts maintained by the administrator of the domain. Each domain has its own security policies and security relationships (called trust relationships) with other domains. Domains can span multiple physical locations.
2/25/00
12:30 PM
Page 69
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Four basic domain models are recognized in NT server-based networking: ■ ■ ■ ■
Single domain Single master domain Multiple master domains Complete trust
Let’s look at each of these in the context of preparing for an upgrade to Windows 2000.
Single Domain The single domain model is simple. As the name implies, the network consists of one domain to which all user accounts and resources belong. See Figure 2.9 for an illustration of a simple single domain network. Figure 2.9 In the single domain model, all users log on to one domain, and all resources are located in the same domain.
User Accounts Single Domain Resources on
Log
Log
on
Logon
91_tcpip_02.qx
User
User
User
Obviously, no combining of domains is necessary in this situation.
Single Master Domain In the single master domain model, the network is structured into two or more domains, with all user accounts placed in one domain, called the master domain. All users log on to the master domain. Other domains,
69
91_tcpip_02.qx
70
2/25/00
12:30 PM
Page 70
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
which can hold computer accounts, shared files, printers, and other network resources, are called resource domains. Figure 2.10 shows the relationships of domains in the single master model. Figure 2.10 In the single master domain model, all user accounts are in the master domain, and resource domains trust the master domain.
User1
Log
on
User2
User3
User4 on
Log
Master Domain
Resource Domain 1
Resource Domain 2
Solid black arrows indicate trust relationships. In this illustration, the resource domains are shown trusting the master domain, which means users in the master domain can access shared files, printers, and so on in the resource domains.
NOTE In NT, the trust relationship is one-way. In a master domain model, resource domains do not have access to shares in the master domain.
The advantage of this model is that user accounts can be managed centrally, while departments or divisions can still manage their own resources.
2/25/00
12:30 PM
Page 71
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Multiple Master Domains The multiple master domain model is an extension of the single master model. In this case, there are two or more master domains into which the user accounts are placed. This is a way of scaling the master domain concept to a large enterprise network, in which there are too many user accounts to fit into a single master domain. An example of the multiple master domain model is shown in Figure 2.11. Figure 2.11 In the multiple master domain model, user accounts reside in master domains, which trust each other, and each resource domain trusts all master domains.
User
User Logon
on
Log
Master Domain 1
Resource Domain 1
User Logon
User
Logon
91_tcpip_02.qx
Master Domain 2
Resource Domain 2
Resource Domain 3
Another reason for creating multiple master domains is to delegate administrative authority over the user accounts to different administrators. For example, a company has two distinct divisions, and each wants to maintain exclusive control over its user accounts. The company also wants all users from both divisions to be able to access resources throughout the parent company. The multiple master domain model would be appropriate in this situation.
71
91_tcpip_02.qx
72
2/25/00
12:30 PM
Page 72
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Complete Trust The complete trust domain model certainly sounds good. After all, trust is the foundation of every good relationship, right? In this case, it turns out to be another one of those things that seems better in theory than in practice. The complete trust domain model usually ends up being an administrative nightmare. This is because, unlike the master and multiple master models, there is no hierarchical organization to the complete trust. Every domain has two one-way trust relationships with every other domain in the network. User accounts can be located in any domain, as can resources. As the number of domains increases, this model becomes more and more unwieldy and difficult to manage. There is no centralized control. Instead, each domain contains its own security groups and administrators. See Figure 2.12 for an illustration of how a complete trust works. Figure 2.12 In the complete trust domain model, all domains can contain both users and resources, and there are two one-way trust relationships between every domain and every other domain.
Users
Users
Domain 1
Domain 2
Resources
Resources
Domain 3
Users
Resources
The complete trust is used less often than the other domain models. As you can see from the illustration, the number of trusts will expand exponentially as additional domains are added to the network. Even with only three domains, six trusts must be created and managed. Adding just one more domain, for a total of four, will increase the required number of trusts to 12.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 73
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
TIP To calculate the number of trusts created based on the number of domains, you can use the equation N2 – N, where N represents the number of domains.
Which Model Is Easiest to Upgrade? In regard to planning for the upgrade of a Windows NT network to Windows 2000, Microsoft’s recommendations focus on the benefits of having fewer (but larger) domains. These domains should also fit into the hierarchical structure of the Active Directory domain tree(s) that you plan to implement. Remember that the AD namespace is based on DNS naming, and in that respect is very different from the NT domain model’s flat namespace. The ideal domain model, then, would correlate exactly to the structure of your DNS and Active Directory design. The single domain network will generally be the easiest to upgrade, but it may not be possible to achieve in a large organization. You can, however, look at the possibility of reducing the number of domains necessary in light of Windows 2000’s new administrative features. If your present network consists of more domains than is ideal for the Windows 2000 network you are planning, there are ways to combine multiple domains into one and restructure the network, either before or after the operating system upgrade.
Combining Domains before the Upgrade In most cases, you will find it easier to wait until after the upgrade to combine domains. However, if you have a very large number of domains to be combined, there may be benefits to starting the project before the new operating system is rolled out. You can expect greatly increased demands on the IT department’s time after the upgrade, so doing some of this work beforehand could offset some of the burden later. Remember that if you choose to combine domains before upgrading, you are still limited by NT’s restrictions on the size of the security accounts database. Be sure the combined domain(s) will not exceed the 40MB recommended maximum. When you combine NT domains, this involves moving the user and group accounts, updating permissions, rights, and group memberships, moving computer accounts and resources, and shutting down and
73
91_tcpip_02.qx
74
2/25/00
12:30 PM
Page 74
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
decommissioning the domain controllers in the abandoned domain. There are NT 4.0 resource kit utilities to help you accomplish these steps: ■
■
■
ADDUSERS.EXE can be used to move user accounts to another domain by speeding the process of creating a new user account in the domain to which the users are moving for each user from the domain to which they originally belonged. This tool can also be used to move global groups and to update the memberships for local groups in the new domain. NETDOM.EXE and SHUTDOWN.EXE can be used to move computer accounts. NTRIGHTS.EXE can be used to update user rights.
The easiest way (which still can’t really be called “easy”) to combine NT domains is to move everything from the domain to be eliminated into the domain that will remain (and absorb the resources of the other). Combining more than two domains into one is more complex. Essentially, it should be handled as a series of two-into-one combinations (that is, if you wish to combine Domains 1, 2, and 3, you would first combine Domains 1 and 2, and then combine the resulting domain with Domain 3).
Combining Domains after the Upgrade If you choose to wait until after the Windows 2000 upgrade to combine domains and restructure your network, your goal will be to fit your new domain structure to your Active Directory namespace. You may wish to create a domain tree, with some of your old domains becoming child domains under the tree’s “root.” Or, you may want to combine resource domains or collapse them into other domains. This can be done by placing their resources into OUs within a single domain, and assigning administrative authority for the OUs. You then have the same administrative delegation that was formerly accomplished by putting resources into separate domains. The Windows 2000 resource kit contains the following tools to help you perform these tasks: ■
■
SHOWACCS.EXE and SIDWALK.EXE can be used to update permissions. Security Migration Editor is a snap-in for the MMC console that works in conjunction with SHOWACCS.EXE and SIDWALK.EXE.
If you want to move a subtree of objects (OUs and their contents) from one Windows 2000 domain to another, you can use the MOVETREE command-line utility to do so. You will need to use NETDOM to join computer accounts to the new domain.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 75
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
NOTE There are third-party utilities available that are designed specifically to help you reconfigure your domains. Fastlane Technologies’ DM/Administrator, Simac Enterprise Suite, and Aelita’s Domain Reconfiguration Wizard are just a few of the many tools available to ease the task of splitting, consolidating, or reconfiguring domains.
Other Pre-Upgrade Issues Another important (and sometimes overlooked) consideration when you upgrade to Windows 2000 is to ensure that all needed applications are compatible with the new operating system. Even if your hardware meets or exceeds all system requirements, and every component is on the Hardware Compatibility List, this only means you will be able to install the operating system itself. However, it’s the application programs that allow you to actually do the work, so the nice new operating system won’t do you much good if the applications your users need won’t run on it.
Windows 32-Bit Applications Most Windows 32-bit applications work on both Windows 9x and Windows NT. However, not all programs that run on Windows 9x will work with NT. Although both use the Win32 API, there are differences in implementation. Don’t assume that just because an application works with Windows NT, it will also work with Windows 2000. Although a large number of such applications will run with no problems, some will not. This is especially likely in the case of proprietary programs that are specific to a particular industry or special purpose. Some popular third-party programs will not recognize Windows 2000 and will refuse to install altogether. Others will go through the installation process but then will not open. Still others will appear to install properly, but will lock up or cause errors.
DOS Applications Many businesses still use DOS applications, often written to serve a very specific purpose. Many DOS applications will work correctly with Windows 2000. However, those that try to access the hardware directly, or that require the FAT file system, may not be usable on Windows 2000 computers. Upgrading the operating system may present a good opportunity to assess the viability of some of these older programs with a look
75
91_tcpip_02.qx
76
2/25/00
12:30 PM
Page 76
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
toward upgrading or replacing them. This is especially true in light of Y2K compliance issues, since many DOS applications use the two-digit date system and may encounter problems with the year 2000.
Windows 16-Bit Applications Since Windows 16-bit applications were designed to run on the Windows 3.x shell on top of the DOS operating system, you may encounter some of the same problems that can be expected with DOS applications. Win 16 applications that require virtual device drivers will not be able to run on Windows 2000. Another problem with 16-bit applications stems from the cooperative multitasking method used by Windows 3.x, in which the applications share a memory space. This can cause lock-ups and other problems if you run several 16-bit programs simultaneously, since by default in Windows 2000, they will all run in one virtual machine. Luckily, Windows 2000 provides a way for you to work around this problem by opening each Win 16 application in its own separate memory space.
OS/2 and POSIX Application Support in Windows 2000 Windows NT included support for both OS/2 version 1.x programs and POSIX-compliant applications. Windows 2000 also provides limited support for these applications; however, in most cases, it would be beneficial to upgrade or replace such programs, since they are not able to take advantage of the Windows 2000 environment.
The Windows 2000 OS/2 Subsystem The OS/2 subsystem can be configured using an OS/2 editor to add config.sys commands to the c:\Config.sys file. These commands only affect the OS/2 subsystem. Remember that Windows 2000’s OS/2 application support, like NT’s, is limited to version 1.x programs only. These are textmode programs. Applications written for OS/2 1.x that require the Presentation Manager graphical user interface are not supported.
The Windows 2000 POSIX Subsystem The Portable Operating System Interface standards (POSIX) were designed to provide a set of criteria that would allow applications developers to build applications that could be easily ported to other systems. The POSIX compliance requirements, such as support for case-sensitive file names and hard links, are based on UNIX. Many government agencies adopted software specifications that required adherence to the POSIX standards, which is the reason Microsoft included the subsystem in its operating systems. As with OS/2 applications and many DOS and Win 16
91_tcpip_02.qx
2/25/00
12:30 PM
Page 77
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
applications, you will probably find it beneficial to upgrade such software or replace it with a more modern application that accomplishes the purpose.
For IT Professionals
What in the Heck Is a Hard Link, Anyway? The concept of “hard links” is a mystery to many network administrators who have studied and worked primarily with Microsoft products. Unless you have UNIX experience, you may wonder what the term means and how these links differ from regular old shortcuts in the Windows operating systems. Hard links are usually associated with UNIX, which also has something called “soft links.” The soft link is also referred to as a symbolic link, or alias, and the Windows shortcut is more like the soft link. A hard link is a real alternate name rather than an alias. If a hard link exists, removing the original directory doesn’t free up the disk space, because it still exists along the alternate path created through the hard link. Every file in UNIX has something called an “inode” identifying it. A directory entry maps a filename to its inode. Creating a hard link to a file adds another directory entry pointing to the file’s inode. A file can have one or more names pointing to it, and there is no difference between earlier or later links. When you delete a file, you are actually only deleting one link to a file. A file is only truly deleted on the system when it has no links to it. On the other hand, if you delete the original file that an NT shortcut points to, the shortcut becomes invalid.
Application Support Summary The only ways to be certain that your mission-critical applications will work with Windows 2000 are: ■ ■
Run only applications that have earned the Microsoft logo, or Test the applications thoroughly and completely in a prototype environment before installing them on Windows 2000 production machines.
77
91_tcpip_02.qx
78
2/25/00
12:30 PM
Page 78
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
It is also a good idea to check out the Web site or call the manufacturer of the software to find out if there are any known compatibility issues. Some vendors may provide update patches and “fixes” that will address these problems.
Common Upgrade Problems There are many benefits to upgrading an existing operating system instead of starting over with a fresh installation. If all goes well, an upgrade will take less time because your original settings will be preserved and you won’t, for instance, have to configure your TCP/IP properties and reinstall and configure your programs. The downside of upgrading is that any problems in the original operating system are likely to be carried over (and maybe magnified) in the new one. If there are compatibility problems, you may find that trying to untangle and fix them results in the upgrade taking far more time than a clean installation and reconfiguration would have taken. Tuning and thoroughly cleaning out extraneous files on the system before the upgrade can prevent many upgrade problems. Address any applications or operating system problems before deploying the upgrade, rather than just hoping the upgrade itself will repair them.
Windows NT to 2000 Upgrade Checklist ❏ Assess the current Windows NT domain model ❏ Determine if any domains can be combined ❏ Combine resource domains prior to the upgrade ❏ Upgrade the operating system ❏ Combine domains after the upgrade ❏ Assess current user applications and upgrade or replace if necessary
Migrating to Windows 2000 from Novell NetWare For many years, Novell NetWare dominated the PC network operating system market, and many current NT networks still have NetWare file and
91_tcpip_02.qx
2/25/00
12:30 PM
Page 79
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
print servers as part of the network. You may find yourself in the position of migrating an entire NetWare network or a number of NetWare servers to Windows 2000. The first step is to determine whether you will migrate all of your NetWare accounts to Windows 2000, or continue to use NetWare servers on the network in a “hybrid” environment. (See the section “Peaceful Coexistence: The Hybrid Network Environment,” later in this chapter for tips on how to accomplish the latter.) If you wish to implement a pure Windows 2000 environment, you can use the Directory Services Migration Tool, included with Windows 2000 Server, to transfer user and group accounts, permissions, and files from a NetWare server to your Active Directory (see Figure 2.13). The Migration Tool includes a wizard to walk you through the process of selecting objects to be migrated. We will look at how the tool is used later in this chapter. Figure 2.13 The Directory Service Migration Tool is used to transfer accounts, permissions, and files from a NetWare Server to the Active Directory.
Understanding the NetWare Implementation of TCP/IP The TCP/IP protocol stack is a standard which works with a large variety of operating systems and platforms. However, each vendor implements the protocols in a slightly different way. Although Novell included limited TCP/IP support in NetWare as early as version 3.0, NetWare networks traditionally ran on the IPX/SPX protocol stack. This had advantages; in many ways, IPX/SPX seems to be the ideal protocol choice. It is faster and more streamlined than TCP/IP, and
79
91_tcpip_02.qx
80
2/25/00
12:30 PM
Page 80
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
considerably easier to configure. Yet, unlike NetBEUI, it can be used in routed networks. Unfortunately for IPX/SPX, it lacks one of TCP/IP’s most important characteristics: Internet connectivity. Novell came to the realization that resistance was futile, and incorporated better support for TCP/IP. NetWare 5 is the first version that allows for a “pure IP” environment; IPX/SPX is not required. The architecture of the typical NetWare LAN maps loosely to the OSI model (remember that TCP/IP is based on the DOD model). TCP/IP is run on a NetWare server via the TCPIP.NLM (NetWare Loadable Module), which must be loaded and configured. NetWare 5 includes Novell’s implementation of the Simple Network Management Protocol (SNMP), and the TCPCON utility for monitoring and managing SNMP agents and gathering TCP/IP information. You may want to copy down the TCP/IP configuration information from your NetWare server, for reference in setting up the new Windows 2000 server. You can use TCPCON and NetWare’s CONFIG command at the server console to obtain information about the NetWare machine’s TCP/IP configuration.
Premigration Issues There is, of course, no “upgrade” path from NetWare to Windows 2000. It would be nice if we could install Windows 2000 over NetWare and retain network settings, applications, and so on, but it’s not (and likely never will be) that easy. If your NetWare servers are only file servers, the task of switching over to a pure Windows 2000 network will be less of a chore. The migration tool will help you in moving your security accounts and files to the new Windows 2000 server.
Using the Directory Services Migration Tool The Directory Services Migration Tool (DSMT) replaces the NetWare conversion utility (NWCONV.EXE) that was used with earlier versions of NT. DSMT is an MMC snap-in that is used to migrate bindery or NDS information, or both, to a Windows 2000 Active Directory. With the DSMT, you can migrate user accounts, group accounts, permissions/rights, files, and container structure. You can perform the migration on a project-by-project basis, so that one department or one object type (such as files) can be migrated now, and another project implemented later. Thus, the migration can be completed in phases. The migration tool gives you several options in moving the accounts or files. For instance, when migrating user accounts, you can choose to have a unique password randomly generated for each user, to have no
91_tcpip_02.qx
2/25/00
12:30 PM
Page 81
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
passwords assigned, to have each user’s logon name set as the password for the account, or to assign each user the same custom password. These choices are easy to make in the Options Property sheet for each project (see Figure 2.14). Figure 2.14 The Directory Services Migration Tool Property sheet lets you select migration options.
Other options include how to handle duplicate directories and files (a directory or file that is being migrated from the NetWare server already exists on the Windows 2000 Server), verification of the NDS tree metrics, and how to merge properties of existing objects. The migration tool works by letting you select the objects to be migrated, then create an offline database, and finally export the offline database into the Active Directory.
NOTE Third-party utilities such as OnePoint EA’s Domain Administrator tool, by Mission Critical Software (MCS) in Houston, TX, are designed to automate the migration from NetWare to Windows 2000. For more information, see www.missioncritical.com.
81
91_tcpip_02.qx
82
2/25/00
12:30 PM
Page 82
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Common Migration Problems In a perfect world, every migration would go smoothly and quickly, and all information would be transferred completely and accurately. The migration tool works well most of the time, but there are a few common problems you may encounter. For example, if naming conventions differ between the NDS and Active Directory trees, you may have to “fine-tune” the data while you’re in the offline mode before you export the database into the Active Directory. In the offline database, you can right-click any of the objects and add, delete, or modify the object’s properties.
NetWare to Windows 2000 Migration Checklist ❏ Determine whether to migrate all NetWare accounts to Windows 2000 or maintain a hybrid network
❏ Use the Directory Services Migration Tool to migrate NDS or bindery information to the Active Directory
❏ Migrate files from the NetWare server to the Windows 2000 server
Migrating to Windows 2000 from UNIX UNIX is a much older operating system than Windows or NetWare. It is considered to be more stable, although somewhat more difficult to learn and use. UNIX has been the operating system of choice for very large networks, as it has been more scalable than the newer network operating systems (NOSs). However, UNIX is not without its disadvantages. Although there are graphical interfaces available, it does not have the sophisticated “pointand-click” ease of operation found in the Windows server family. Cost can be a factor as well. Although some versions, such as Linux and Free BSD, are available at no cost, other implementations, such as Sun Solaris, IBM’s AIX, and Hewlett-Packard’s HP/UX, can be quite expensive to deploy and support. But perhaps the greatest drawback to UNIX is what some consider its biggest strength: open source code. Open source has led to many similar, but different, “flavors” of the operating system, which are not necessarily compatible with one another. Microsoft has positioned Windows 2000 as a more cost-effective and easier-to-use NOS that, with the enhancements that Windows 2000
91_tcpip_02.qx
2/25/00
12:30 PM
Page 83
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
brings to its support of enterprise networking, can be a viable alternative to UNIX for large organizations with complex networks. Migrating from a UNIX to a Windows 2000 environment will present many challenges, and is probably best done in phases for all but the smallest networks.
Understanding the UNIX Implementation of TCP/IP UNIX is the native platform of the TCP/IP protocol suite. When TCP/IP was developed in the 1960s to be the protocol of the ARPAnet, that network was comprised of university and government computers running the UNIX operating system. In fact, the University of California at Berkeley, which developed the BSD version of UNIX, played a big role in the development of TCP/IP. You might say the two grew up together.
Summoning the Daemons In UNIX, daemons are programs that run all the time, and service requests from all computers. A daemon can also forward requests to other programs if necessary. Daemons are comparable to Windows NT/2000 “services.” An example of a daemon is LPD, the line printer daemon that runs on a UNIX print server. The bootpd daemon is the UNIX bootp program, and the bootpgw daemon is used to set up a UNIX computer as a bootp relay agent. UNIX supports BIND-based DNS, and DHCP programs are available for various UNIX versions. The /etc/services file is used by UNIX to map port names to numbers and determine what daemons run on which ports.
UNIX TCP/IP Utilities Each of the different UNIX versions implements the TCP/IP stack in a slightly different way, but in most cases, the commands are the same. Many of the TCP/IP utilities that originated with UNIX have been ported to the Windows and NetWare operating systems’ implementations of the protocol. You will also see some TCP/IP tools and commands in various flavors of UNIX that you may not be familiar with if your only exposure to TCP/IP has been with Microsoft and Novell products. Following are some of the “extras” you’ll find on UNIX systems: ■
snoop This command is found in Sun Solaris, and acts somewhat like a protocol analyzer, allowing you to see information about Internet packets that are going across the network cable in real time.
83
91_tcpip_02.qx
84
2/25/00
12:30 PM
Page 84
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network ■
■ ■
tcpdump Similar to snoop, but found on BSD versions of UNIX and some versions of Linux. dig A tool for troubleshooting DNS problems. ripquery Used to obtain information about RIP packets.
UNIX to Windows 2000 Migration Checklist ❏ Install Windows 2000 domain controller(s) ❏ Gather information from UNIX servers to be used in recreating accounts
❏ Recreate user accounts in Windows 2000 domain(s) ❏ Install user applications ❏ Determine Windows 2000 services to take over functionality of UNIX daemons
❏ Implement Windows 2000 services (DNS servers, DHCP servers)
❏ Migrate files to Windows 2000 servers
Peaceful Coexistence: The Hybrid Network Environment Some people (and companies) find it difficult or impossible to “forsake all others” and make a commitment to a ”one and only”; in this case, to one NOS. It may be a budgetary consideration or there may be special factors, such as an application that runs only on a particular operating system. Whatever the reasons, many networks will continue to be “hybrid environments,” with different server types existing (peacefully or otherwise) on the same network. Microsoft has provided several interoperability tools with Windows 2000 that make it easier to connect to servers running other NOSs, as well as services to allow client machines running “foreign” operating systems to access the Windows 2000 network.
NetWare Interoperability Because Novell NetWare still has a strong presence in many LANs, and because many companies will wish to keep their NetWare file and print
91_tcpip_02.qx
2/25/00
12:30 PM
Page 85
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
servers even when upgrading their NT servers to Windows 2000, Microsoft included a number of features for connectivity with NetWare networks.
Client Services for NetWare (CSNW) Like Windows NT, Windows 2000 includes a network redirector that can be installed on Windows 2000 Professional computers to allow them to connect directly to NetWare versions 2.x, 3.x, 4.x, or 5.x servers. CSNW is 32-bit NetWare client software that can be used in place of Novell’s Client 32 to allow access to NetWare files and printers. A user accessing a NetWare server via CSNW must have a valid user account set up on the NetWare server, with appropriate permissions assigned.
WARNING CSNW and Client32 will not peacefully coexist on the same computer; you must make a choice to use one or the other. If you install CSNW on a Windows 2000 machine, ensure first that any other NetWare clients have been removed.
Gateway Services for NetWare (GSNW) Members of the Windows 2000 Server family include Gateway Services for NetWare (GSNW). When installed on the Windows 2000 Server, GSNW allows the Windows 2000 server’s clients to go through the “gateway” to access a NetWare server without installing any NetWare client software on the client machines. The “catch” is that all the clients going through GSNW will have the same permissions, as they all use the same NetWare user account.
NetWare Protocol Support Windows 2000 includes NWLink, which is Microsoft’s IPX/SPX-compatible transport. IPX/SPX was required for NetWare networking prior to NetWare, version 5. Windows 2000 remote access servers are also capable of IPX routing and can act as SAP (Service Advertising Protocol) agents.
File and Print Services for NetWare Windows 2000 servers can run FPNW (File and Print Services for NetWare) to allow a NetWare server’s clients access to resources on the Windows 2000 Server. No Microsoft client software is required to be installed on the client computers. This software is not included with Windows 2000 Server, but may be purchased separately from Microsoft.
85
91_tcpip_02.qx
86
2/25/00
12:30 PM
Page 86
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
Troubleshooter Windows 2000 includes a CSNW/NetWare connectivity troubleshooting tool that helps you to pinpoint and find solutions to problems involving access to NetWare servers and NDS objects, NetWare printers, and using NetWare login scripts.
NOTE Microsoft Directory Synchronization Services (MDSS) is an add-on product that provides important interoperability technology for hybrid networks. MDSS helps you more easily integrate Windows 2000 Active Directory with Novell’s NDS, and consolidates management of the network’s directory services. It includes two-way synchronization, so administrators can manage shared data from either directory. For more information, see www.microsoft.com/presspass/press/1999/oct99/NewWinPR.htm.
UNIX Interoperability Windows 2000 includes the Microsoft Print Services for UNIX, which includes a Line Printer Remote (LPR) service and a Line Printer Daemon (LPD). The LPR service is used to send a print job to a print server, and the daemon runs on the print server that receives the print job. LPRMON is installed on a Windows 2000 machine and used to send print jobs to LPD services on UNIX print servers. LPDSVC is installed on a Windows 2000 print server, and allows it to receive documents to be printed from LPR utilities running on UNIX client computers.
NOTE Microsoft Windows Services for UNIX is designed to provide interoperability options for integrating Windows 2000 (and Windows NT) into existing UNIX network environments. For more information, see www.microsoft.com/windows/server/Deploy/interoperability/sfu.asp.
Interoperability with IBM Mainframe Networks Windows 2000 can use Microsoft’s SNA (Systems Network Architecture) Server with IBM mainframe and AS/400 computer networks running TCP/IP or SNA protocols. Windows 2000 clients can then access the data and applications on the IBM host from the Windows desktop interface.
91_tcpip_02.qx
2/25/00
12:30 PM
Page 87
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
Summary In this chapter, we looked at the importance of planning the deployment of your Windows 2000 network as a means of preventing TCP/IP connectivity problems. We discussed general planning concepts, such as creating a planning team, hardware considerations, planning and diagramming the physical layout of the network, planning the Active Directory structure and domain namespace, planning the site structure, and planning the most effective IP addressing scheme. We walked through the steps of installing and configuring the TCP/IP protocol stack on Windows 2000 computers, and explored some of the options Microsoft gives us in setting up a system to use TCP/IP communications. Common deployment scenarios were discussed, including: ■ ■ ■ ■ ■
Installation of a new Windows 2000 network from the ground up Upgrade of a Windows NT 4.0 network to Windows 2000 Migration of a NetWare network to Windows 2000 Migration of a UNIX network to Windows 2000 Deploying Windows 2000 in a hybrid environment
We examined in some detail the traditional NT domain models, how they differ from the Windows 2000 domain structure, and factors to be considered in upgrading. You learned about the tools included with Windows 2000 to help you ease the upgrade process and move users, groups, and computers from your NT domains to the new Windows 2000 domains. The chapter also discussed how accounts and files on NetWare servers can be migrated to Windows 2000, and the Directory Services Migration Tool designed for that purpose. We provided a brief overview of how NetWare’s TCP/IP implementation differs from Microsoft’s. We also looked at the UNIX operating system, and how the various “flavors” of UNIX implement TCP/IP. Finally, we talked about the interoperability of Windows 2000 with other operating systems in a hybrid environment, and how it can peacefully coexist with other NOSs on a large, complex TCP/IP-based network. Parts of this chapter may, at first glance, seem to have little to do with troubleshooting TCP/IP problems. However, many of the communications problems that result from poor planning or deployment that is not well thought out can mimic IP connectivity problems. Much time and effort could be wasted if you try to apply the techniques outlined in later chapters, when the real culprit is an incorrect configuration or an unsuccessful migration.
87
91_tcpip_02.qx
88
2/25/00
12:30 PM
Page 88
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
The objective of this chapter, then, is to set up your Windows 2000 network correctly from the beginning, so that when trouble does appear (and it will), it will make a far easier target for you to “shoot.”
FAQs Q: Why would my company’s network require fewer domains in Windows 2000 than we were using in our Windows NT 4.0 network? A: The domain model for Windows 2000 is very different from the NT model(s). In Windows NT networks, the domain was the smallest administrative boundary. You could not give someone administrative privileges with giving them those privileges for the entire domain. In Windows 2000, using Active Directory security, it is possible to create smaller areas of administrative authority called Organizational Units (OUs) and assign administrative privileges to one or more OUs without granting administrative authority throughout the entire domain. This means there is no longer a need to create a separate domain just to separate the administrative responsibilities. Q: Why is the recommended minimum amount of memory so much greater for Windows 2000 Server than for Windows 2000 Professional? A: Windows 2000 Professional will run adequately with Microsoft’s stated minimum of 64MB RAM unless it is used for heavy multitasking or running memory-intensive applications such as 3-D rendering programs. On the other hand, a Windows 2000 server acting as a domain controller (DC) will not generally perform at all satisfactorily with the stated minimum of 128MB RAM. To get acceptable performance from a Windows 2000 domain controller, 256MB RAM is more realistic. This is not due to the Server operating system itself, it is because the Active Directory requires heavy memory usage. In fact, a Windows 2000 member server, which does not participate in authentication and does not have a copy of the Active Directory, will actually perform acceptably (though not optimally) with only 64MB RAM. Q: What is SAP? Is that something I need in my Windows 2000 network? A: SAP is Service Advertising Protocol, used by NWLink to find the closest server at startup. It can also locate services. A Windows 2000 computer with RRAS installed uses SAP to listen for SAP advertisements and to make SAP advertisements on a regular basis. This allows it to maintain a table of available network services. The
91_tcpip_02.qx
2/25/00
12:30 PM
Page 89
Setting Up a Windows 2000 TCP/IP Network • Chapter 2
SAP Agent is the network service that allows a Windows 2000 computer’s services to advertise themselves. You need to install SAP if your network has NetWare clients, or if your Windows computers are running just the NWLink protocol; for instance, if you have configured your internal network to communicate using NWLink in order to protect it from Internet intruders running TCP/IP. Q: Do my Active Directory and DNS namespaces have to be identical? A: No. There are two ways to approach planning of the Active Directory namespace. The first, and in some ways easiest, is to create an Active Directory domain structure that uses as its root domain your registered DNS name. In this case, the internal network namespace and the external namespace, accessible via the Internet, will be the same. However, you can create two different namespaces for internal and external use. For instance, if mycompany.com is your registered domain name, your internal namespace might be myco.com. Having a different namespace will provide a security advantage, but requires that you register two domain names. Q: Can I still use my Windows 95 and Windows 3.1 clients and take advantage of Active Directory? A: Yes and no. Windows 95 and 98 computers can run the Active Directory client software available on the Windows 2000 Server CD in the “Clients” folder. Windows 3.1 computers cannot be Active Directory clients. To computers that are not running Active Directory client software, the directory will appear to be a Windows NT directory. There is a way to still utilize old machines that may be running Windows 3.x because they do not have the processor and memory resources to run Microsoft’s 32-bit operating systems. A Windows 2000 server can be configured as a terminal server, and older Windows operating systems can run terminal services software to allow them to function as “thin clients,” actually running the Windows 2000 desktop on the Windows 3.x operating system. In this way, users running those operating systems can still take advantage of Active Directory’s features. Q: Is there something I can tell my boss that will convince him that everyone needs to be running Windows 2000 machines?
89
91_tcpip_02.qx
90
2/25/00
12:30 PM
Page 90
Chapter 2 • Setting Up a Windows 2000 TCP/IP Network
A: Although Windows 9x and NT Workstation computers can be client computers in a Windows 2000 domain, those downlevel operating systems cannot take full advantage of the features of a Windows 2000 network. For instance, Group Policy, a powerful administrative tool for controlling users’ desktops and configurations, can be used only with Windows 2000 computers. You can tell your boss how Windows 2000 combines the reliability of NT with the plug-and-play ease of use of Windows 9x, and you can explain the security benefits of such Windows 2000 features as EFS (encrypting filesystem) and IPSec. You can talk up the advantages of Intellimirror technology, and you might mention its excellent support for terminal services, virtual private networking using the new L2TP protocol, and ATM connectivity. You might also be able to impress your boss with the increased stability of Windows 2000. The best way to do this is to set him up with a Windows 2000 Professional system of his own, and let him experience the difference.
91_03.qx
2/25/00
10:59 AM
Page 91
Chapter 3
General Windows 2000 TCP/IP Troubleshooting Guidelines
Solutions in this chapter: ■
General Troubleshooting Guidelines and Models
■
Information Gathering
■
Problem Isolation
■
Corrective Measures
■
Monitoring Results
91
91_03.qx
92
2/25/00
10:59 AM
Page 92
Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
Introduction Problems: We’ve all had them, all our lives. It’s the human condition, they say, but problems aren’t confined to people. It seems to be the nature of everything that does anything—humans, animals, mechanical devices, electronic components—to malfunction now and then. Even stars eventually burn out (although we hope it will be a long time before you, the star of your company’s IT department, do the same). The first step in solving a problem is recognizing that one exists. Sometimes, it’s impossible not to notice; some problems explode in our faces. When you come in to work Monday morning and already have 22 voicemail messages all screaming, “My e-mail isn’t working!” you have a problem you can’t overlook or ignore. Other problems manifest themselves in a more subtle way. Maybe network communication is gradually slowing down, and users are beginning to get frustrated but may not say anything about it for quite some time. It’s easy to brush these types of problems aside. After all, it’s still working, it’s just not working quite as efficiently. These problems are more insidious. Like a case of the sniffles that turns into a cold that starts to feel more like flu that ends up being pneumonia, you can find yourself in serious trouble before you know it. It’s usually easier to nip the “little” problems in the bud instead of pretending they don’t exist and hoping they’ll go away.
The Ten Commandments of Troubleshooting Regardless of the nature of your problem, there are some general troubleshooting guidelines that will help you to organize your thoughts and speed up the process.
1: Know Thy Network When trouble hits, you’re already one step ahead of the game if you’ve taken the time—when things were running smoothly—to get acquainted with your network. You should not wait until a network outage or slowdown occurs to start examining your network’s performance. Get out the protocol analyzer, fire up the network monitor, and get to know how your “net” works, while it is working properly. In Chapter 5, “Using Network Monitoring and Troubleshooting Tools,” we’ll show you how to use all those fascinating gadgets and software tools, both in establishing a baseline for a “healthy” network and in diagnosing and planning the treatment of a “sick” one.
91_03.qx
2/25/00
10:59 AM
Page 93
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
One of the benefits of planning and designing a network from scratch, as discussed in Chapter 2, “Setting Up a Windows 2000 TCP/IP Network,” is having known your network ”all its life.” You’ve watched it grow, seen it through minor and major crises, and learned what was normal and what was not in terms of its operation and performance. Even if you “adopt” a network that’s been around for a while, a good way to get to know it is to do a complete diagram and inventory. This will require that you find out what equipment you have, where it is, and how it works.
2: Use the Tools of the Trade Having access to and knowing how to use the troubleshooting “tools of the trade” are essential elements in successfully resolving TCP/IP problems. Your training and experience are your first, albeit intangible, important pieces of “equipment”—but it’s not always enough. A doctor, despite long years spent studying and practicing medicine, is often unable to diagnose a patient’s illness if he or she doesn’t have access to basic “tools” like a stethoscope, X-ray or other imaging machine, sphygmomanometer (blood pressure cuff), and all those other mysterious instruments used to measure or better observe various bodily functions. In troubleshooting connectivity problems, you too will often require help, in the form of hardware devices or software tools. You will use these to confirm (or negate) your initial suspicions or to give you a starting point in your investigation. At the very least, you should have access to diagnostic utilities, network monitoring and protocol analyzer software, and LAN testing devices for tracking down cable and other physical layer problems. Of course, having the tools is only half the battle; you also need to know how to use them properly. A great deal of information can be gathered using just the utilities built into most vendors’ implementations of the TCP/IP suite, but many network administrators have only a vague idea of what they do and how to use them. In Chapter 5, we will discuss in detail how to make the familiar PING, TRACERT, ARP, and other included utilities work more effectively for you.
3: Take It One Change at a Time Modern computers are good at multitasking. They can have several entirely separate and distinct processes going on simultaneously, because their “brains” (microprocessors) are able to use “time slicing” to allocate time to one problem after another in rapid succession, switching back and forth so quickly that it appears both tasks are being performed continuously.
93
91_03.qx
94
2/25/00
10:59 AM
Page 94
Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
People don’t perform multiple simultaneous activities nearly as well. That’s why it’s important, when troubleshooting network problems, that you make changes one at a time and evaluate the effect before making another. When you have a problem such as an inability to connect to the server from a workstation, the tendency is to try everything you can think of that might fix the problem. An administrator in a hurry might uninstall, reinstall, and reconfigure the protocol, unplug the Ethernet cable and plug it back in, then reboot the computer and try logging on with a different account. If he’s able to connect this time, that’s great—but which action actually caused the difference? By trying only one “fix” at a time, you’re able to pinpoint what works, and what doesn’t.
4: Isolate the Problem Problem isolation is another important step in troubleshooting. More often than you might think, problems hang out in groups. And even if the original problem had a single source, attempts to correct it (by you or by the user who called you) may have created new “companion” problems. When we have multiple problems, we will probably need to address each one separately in order to get the network running smoothly again. Isolating the problem also means defining the specific nature of the problem. You will find it as hard to address a general problem like “I can’t get on the Internet” as a doctor would have in treating a patient who only reported “I don’t feel well.” It’s important to pinpoint the specific problem.
NOTE “Specific” is a relative term. If a user initially reports a problem as “my computer’s not working,” he may think he is being specific when he then tells you that he can’t get on the Internet. Specificity may have to be accomplished in steps.
Users often have as much trouble describing their connection problems with specificity as sick people have in telling their physicians exactly what their physical symptoms are. Good questioning may help overcome this to an extent (we’ll talk about how to get information from your users a little later in this chapter), but you can’t always rely on others’ descriptions to be accurate and complete. You’ll have to use your own observation skills as well, which brings us to the next step.
91_03.qx
2/25/00
10:59 AM
Page 95
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
5: Recreate the Problem It’s no coincidence that this is listed as the fifth commandment out of 10. When you are able to reliably reproduce the problem, you’re half way home on the road to solving it. If you know that the user is able to send and receive e-mail, but receives a “404: File not found” error every time she tries to access the Web site of your company’s main competitor, you already have a lot of good information that will prevent you from wasting your time checking proxy settings or gateway configuration errors. Once you’ve narrowed down the problem, from “I can’t get on the Internet” to “I can’t access the Web site at www.thoseotherguys.com,” and you’ve verified that the problem can be reproduced by trying again to connect to the URL and getting the same message, you can consider what might cause this particular problem. In this case, there are several possibilities. One way to narrow it down further is to attempt to reproduce the problem again, from a different computer. If you type www.thoseotherguys.com into the browser on another machine, and you get the same error message, you’ve gained a valuable clue: The problem probably is not caused by an incorrect configuration on the first system; it’s more likely the problem is at the server end, or possibly a problem with the DNS server on your network.
6: Don’t Overlook the Obvious In the preceding example, an unaware troubleshooter could have spent hours attempting to “fix” the computer that “can’t get on the Internet,” uninstalling and reinstalling its TCP/IP stack, reconfiguring its DNS settings, or releasing and renewing its DHCP lease, only to overlook the most obvious answer: The file was not found because the file is not there. Sometimes it’s really that simple. On the other hand, if you try to reproduce the problem at another machine and find that you can access the site from there, you know there is most likely a problem with the first machine’s configuration. Then, it’s time to focus your investigation on that particular computer. Perhaps the first thing to check is whether you can access other Web sites or if it’s only this one that’s giving you problems. If our original complainant/user was right and “The Internet isn’t working,” or rather, the Web doesn’t seem to be working—but other Internet applications like e-mail are—our next step would be to determine whether we actually have a connectivity problem or just a name resolution problem. To do that, we can try connecting to a Web site using its IP address.
95
91_03.qx
96
2/25/00
10:59 AM
Page 96
Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
If you type http://www.microsoft.com into the browser’s address box and get nothing, but the Microsoft homepage comes up fine when you type in http://207.46.131.30, you know the “friendly” name is not being translated into the format that the computer understands, the IP address. Since you know DNS is the service that performs this resolution of fully qualified domain names (hierarchical “dotted” names like URLs), at this point we can be fairly certain that there is either a problem with the computer’s DNS settings or (if other computers that use the same DNS server are having the same problem) with the DNS server itself.
7: Try the Easy Way First Most of us have heard it said of someone, usually in a whispered voice accompanied by a frown, “He always has to do things the hard way.” The same critics may then turn their disapproval on someone else with the indictment that “he always takes the easy way out.” Did you ever wonder how both of those philosophies could be wrong? Or was the latter criticism tinged with a hint of jealousy? In troubleshooting connectivity problems, it certainly pays to at least try the easy way first. How many times have you been able to correct a problem simply by rebooting the machine? It may not work every time, but it never hurts to try simple solutions before implementing the more complex ones. In fact, you should make it a practice to always evaluate all the possible solutions to a problem, and then try those that are easiest, quickest, and/or least expensive, leaving the difficult, time-consuming, and costly fixes as last-resort alternatives. If you have two machines that won’t “talk” to one another on the network, you would not be advised to first try rewiring the building just in case it’s a cable problem.
8: Document What You Do It may seem like a lot to ask, after you’ve endured all that blood, sweat, and tears to finally get the problem solved and get the network back up and running, but documenting your troubleshooting activities is vitally important. Putting down on paper the steps you go through, as you perform them, serves several purposes. First, it helps you to stay organized and perform those steps methodically. If you’re writing it down, you’re less likely to skip steps, because it’s all there in front of you, in visual form. You don’t have to wonder, “Did I test that cable segment?” or “Did I check the default gateway setting?” Documenting your actions also provides a valuable record if you end up having to call in an outside consultation or otherwise request someone else’s assistance with the problem. Time, and often money, will be saved if you can provide detailed information about what you tried, how you
91_03.qx
2/25/00
10:59 AM
Page 97
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
proceeded, and what the results were. Many network administrators lull themselves into a state of complacency about not documenting their behavior, because they see the documentation process as too time-consuming. However, if a mistake occurs because of a failure to document what you’ve done, or what you were planning to do, the amount of time lost far exceeds the time you would have spent actually writing things down in the first place. Unfortunately, in the corporate world, you may also sometimes find your documentation necessary for “CYA” purposes. A network outage that lasts for a significant amount of time can, in some businesses, cause a huge loss of profit, even threaten the company’s position in the industry or—in extreme cases—put a business out of business. Luckily, the consequences aren’t usually that dire, but you’d better believe that many firms are heavily dependent on their network communications. If your job description makes you responsible for the welfare of the network, you’re less likely to get caught in the scapegoat-hunting process if you have detailed documentation of your efforts to address the problem. Finally, you should document the troubleshooting and problem resolution process for a very practical reason: History tends to repeat itself, and human memory is imperfect. As you wipe the perspiration off your brow and breathe a silent sigh of relief at having finally tracked down and solved your connectivity problem, you may think that there is no way you will ever, ever forget what you did to fix it—not after going through all that agony. But a year later, when the same thing occurs again, it’s likely you’ll remember only, “This happened before and I fixed it … somehow.” The details tend to get lost, unless you write them down. One last caveat on documentation: It’s great to have a nice, neatlytyped (and maybe even illustrated) troubleshooting log, but if you do your record-keeping on the computer instead of manually, it’s a good idea not only to back it up to tape, floppy, writable CD, or other media, but also to print out a hard copy. It should be a given, but sometimes folks forget that when the computers go down, computerized documents may be inaccessible.
9: Practice the Art of Patience Patience is a virtue, so hurry up and develop this characteristic! Whether or not you aspire to be virtuous, patience is an asset in any sort of investigative work, and that’s what network troubleshooting is. This means being patient enough to go over each configuration setting in each machine, to test each cable segment, to try one solution and, if it doesn’t work, to keep trying new ideas until one does work. Finding the source of a connectivity problem is often like looking for needles in
97
91_03.qx
98
2/25/00
10:59 AM
Page 98
Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
haystacks; you must have a “system” and you must implement it systematically. This also requires that you be patient with users, even when they seem to be the bane of your existence. Remember, users are also one of the big reasons for your job’s existence—you’re there to support them, as well as the computers to which they’re “attached.” Finally, you must be patient with yourself. It’s easy to get exasperated when the network is down, the pressure is on, and nothing you do seems to help (or your best efforts seem to make the problem worse). If users are one of the reasons your expertise is needed, there’s an even bigger reason: problems. A network that ran smoothly all the time, one in which the server never mysteriously went offline and computers never suddenly stopped “talking” to one another for no apparent reason and communications never got strangely garbled, would be a network with no need for an administrator. So, when you hear about a problem coming your way, take an “attitude of gratitude” and thank your lucky stars that you have one! Trouble is what you live for—or should be! A good network administrator doesn’t see problems as something to fear or curse, but as challenges and learning experiences. Continuous learning is what the job is all about, and you’d better love learning new things if you intend to lead a happy life as an IT professional. There’s one thing that’s a certainty in this business: You can never learn it all. And if you did, there would be a brand new and different technology ready to take the place of the one you’d just mastered.
10: Seek Help from Others Network admin types tend to have some common personal characteristics: they’re bright, they’re self-starters, they’re just a bit (okay, maybe more than just a bit) more comfortable when they’re in control, and they have a lot of pride. Taking pride in doing a good job is an admirable trait, but that pride can also make it hard for you to admit that a problem has you “bumfuzzled,” as my grandmother used to say (meaning you’ve tried everything you can think of and the answer—sometimes even the question—still eludes you). Don’t be so proud that you can’t bring yourself, when necessary, to ask for help. Asking for help after you’ve exhausted all your ideas is not an admission of defeat; it’s just a step in the troubleshooting process. Using your resources is smart, and those resources include product documentation, books, Web sites, newsgroups, mailing lists, and other working professionals in the field.
91_03.qx
2/25/00
10:59 AM
Page 99
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3
Remember that the term “networking” has another meaning: getting acquainted with people in your profession who can be beneficial to your career. Someone you know may have struggled with the very same problem that is vexing you now. Why reinvent the wheel? Ask for help. How do you find knowledgeable, experienced IT pros whose brains you can pick when you have a problem? There are many ways to make contacts: attend seminars, join Internet discussion groups devoted to networking topics, stay in touch with classmates and instructors from the training courses you attend. There is a corollary to this commandment. Be available to share your own expertise with others when they need your help. The best networking methods, after all, are full duplex and use two-way communications.
NOTE Most people are flattered to be asked to share their hard-earned knowledge—as long as you don’t abuse the privilege. Calling good old George every couple of months with a quick question is likely to make him feel that you respect his expertise. Calling him every week with a complicated problem that you need solved “right away” will cause him to feel that you don’t respect his personal space, and will quickly make you “persona non grata” in his book.
Windows 2000 Troubleshooting Resources Even if you’re determined to solve the problem yourself, if you’ve sworn that this time you’re not going to bother George (or he has abandoned you to go off on a month-long vacation to Tahiti and isn’t available), there are still many troubleshooting resources at your disposal. Windows 2000 endured more beta testing—with more users at all levels working with the operating system before it was even released for sale—than any other software product in history. There is a great deal of documentation available, both “official” and not.
Microsoft Documentation Microsoft has published an enormous amount of support documentation for Windows 2000 itself, its networking services in general, and its TCP/IP implementation in particular. Despite the fact that Windows 2000 has only been available to the public for a short time, when it comes to information about the operating system, “It’s out there.”
99
91_03.qx
2/25/00
10:59 AM
Page 100
100 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
This creates a problem in itself; sometimes the sheer volume of documentation available makes it difficult to find what you want. The Microsoft Web site, although full of excellent technical support data, is not particularly easy to navigate, especially for the uninitiated. Let’s look at a few of the resources Microsoft has provided in support of Windows 2000.
Help Files Those who have worked with Windows NT for a long time may be laughing uproariously as they read this. “Help files as a source of actual help?” you may ask. The NT help files are, to be generous, somewhat sparse. However, the Windows 2000 online Help is better—much better. For example, in NT 4.0 if you go to the Help index and type “DNS,” you get the box shown in Figure 3.1. Figure 3.1 A typical Help window in NT 4.0.
On the other hand, if you access the Help index in Windows 2000 and type “DNS,” you’ll see the much more helpful list of specific topics shown in Figure 3.2. Each of the articles listed has links to related topics, “how to” topics list step-by-step procedures, and the search engine operates in a logical and intuitive fashion so that you can find the information you need quickly and easily. If you’ve gotten out of the habit of even bothering to look at the online help, as many NT administrators have, reacquaint yourself with this convenient, free feature in Windows 2000. The Help files will become your first line of defense in troubleshooting situations, and in some cases, the only reference you’ll need to solve your problem.
91_03.qx
2/25/00
10:59 AM
Page 101
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 101
Figure 3.2 The new and improved Windows 2000 Help system.
NOTE Note: If you find it difficult to read long Help files online, you’ll also be pleasantly surprised by the much improved printing capabilities in the Windows 2000 Help files.
Resource Kits Microsoft’s Resource Kits serve as the “official source of technical background information” about their products. There is a wealth of troubleshooting information in the Windows 2000 Resource Kit, much of which comes directly from the product development team. You are, in essence, getting a briefing on how the operating system works straight
91_03.qx
2/25/00
10:59 AM
Page 102
102 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
from “the horses’ mouths,” from the people who wrote the code and worked with the operating system from its earliest stages. The online documentation is only a small part of the Resource Kit. Also included are a variety of software utilities that can be used in troubleshooting and administration (see Figure 3.3). Figure 3.3 The Windows 2000 Resource Kit contains online documentation and utilities.
The CD that comes with the printed Resource Kit includes the books in electronic format, over 200 diagnostic and management tools and documentation for each, and information on error messages, Registry settings, and performance counters.
NOTE Web-based versions of the Microsoft Resource Kits are available to be downloaded by subscription, at the Resource Link Web site located at http://mspress.microsoft.com/reslink/.
White Papers Microsoft’s Web site contains many informative “white papers” that address various aspects of the Windows 2000 operating system and its components.
91_03.qx
2/25/00
10:59 AM
Page 103
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 103
It’s easy to search the site for these topic-specific articles with the search engine provided on the Microsoft “front page” and each subsequent level of the site. A simple search for white papers addressing the TCP protocol yields many articles. You can narrow the search further by using the “Search within results” feature, and you can sort the search results according to different criteria.
TechNet One of the primary benefits of obtaining Microsoft’s MCSE certification has been the free or reduced-price subscription to TechNet. A series of CDs is issued monthly, with updated product information, news releases, and the popular Knowledge Base. The latter contains articles addressing “known issues” and problems encountered by users working with Microsoft products, and the fixes or workarounds. (See Figure 3.4.) Figure 3.4 Microsoft’s TechNet is an invaluable source of troubleshooting information.
Microsoft has made most of the TechNet information, including the Knowledge Base, available free on their support Web site at www.microsoft.com/technet/support/default.htm. There are still benefits to owning the CD version, and it is available by subscription at www.microsoft.com/technet/subscription/about.htm. With the CD version, you get a more powerful search engine that can be customized, you can mark frequently-used articles or annotate them with
91_03.qx
2/25/00
10:59 AM
Page 104
104 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
your own notes, and of course, you aren’t dependent on having an Internet connection to access the information. When you subscribe to TechNet, you initially receive over 20 CDs (including service packs, utilities, and tools, and other documentation in addition to TechNet itself). Each month’s updates include three to five CDs. Microsoft estimates that approximately 2000 pages of new content are added to TechNet each month, and at least 20 percent of the existing content is revised.
NOTE TechNet Plus is a higher subscription level that includes copies of beta software for training/evaluation purposes.
Newsgroups Microsoft also hosts a large number of technical discussion newsgroups on their news servers. The public news server at msnews.microsoft.com includes newsgroups devoted to almost every Microsoft product imaginable, in many different languages, and subtopics such as Windows 2000 networking. (See Figure 3.5.) Figure 3.5 A small sampling of the newsgroups hosted on Microsoft’s public news server.
91_03.qx
2/25/00
10:59 AM
Page 105
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 105
There are over 1000 newsgroups available on the public news server. Microsoft also hosts a large number of private newsgroups, which require a username and password to access. These include groups for certified trainers, groups for participants in the corporate preview programs, groups for MSDN members, and others. The newsgroups are an often-overlooked source of free advice and tips. You can “meet” many fellow IT professionals through the groups, and Microsoft personnel monitor some of the groups and post “official” support information as well.
Third-Party Documentation Although Microsoft has attempted to be comprehensive in documenting Windows 2000, and provides you with some great troubleshooting resources, you are certainly not limited to their materials when problems occur. There are many independent IT professionals who have already encountered some of the same problems you might run up against, and who have shared their experiences in many forums.
NOTE Even if you’re already Microsoft-certified, or not interested in vendor certification, don’t overlook the troubleshooting information that is available in some of the MCSE study guides, such as the Windows 2000 certification series published by Syngress.
There are some excellent books available on various aspects of Windows 2000 networking. Check your local computer stores, larger book stores such as Barnes and Noble, or online booksellers like Amazon. Some monthly publications that can be highly beneficial include NT/Windows 2000 Magazine and for Microsoft certified professionals, MCP Magazine. Both frequently contain articles full of troubleshooting tips.
Internet Mailing Lists Up until a couple of years ago, it was easy to host a mailing list. Anyone who had a machine connected to the Internet that ran list server software could do it. Now it’s much easier—there are numerous free Web-based list-hosting services, such as ONElist at www.onelist.com, that are easy to set up and administer. Because of this, Internet discussion lists have proliferated.
91_03.qx
2/25/00
10:59 AM
Page 106
106 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
There are hundreds of lists devoted to Windows 2000 and/or TCP/IP issues. Some are restricted lists, where membership is by invitation or limited to those who meet certain qualification criteria. Others are public, and open to any and everyone. Some are populated by small groups of highly professional members, and others are huge “melting pots” with high noise-to-bandwidth ratios (a large volume of low-quality messages sprinkled with messages that contain valuable tips and tricks). Some generate perhaps two or three messages per day, while others may flood your inbox with literally hundreds of messages at a time.
TIP Information about Windows NT and Windows 2000 public mailing lists can be found at the following Web sites: www.saluki.com/maillist.htm—the Saluki MCSE lists www.swynk.com—comprehensive system administrators’ site www.tacteam.net—our own MCSEnow and Win2000now lists
The benefits of mailing lists are similar to those of newsgroups.
Usenet Newsgroups Just as Microsoft Corporation hosts newsgroups, other companies and organizations host groups that focus on Microsoft products. Most ISPs run news servers that make some or all of the available public Usenet newsgroups accessible to their users.
Web Resources There are thousands of excellent (and not so excellent) resources available on the Web. If you want to use the Web effectively as a troubleshooting tool, it is important that you use a good search engine, and that you know how to use it for best results. Too many experienced computer pros haven’t taken the time to learn which of the many search engines fit their needs. Nor have they explored all the features of the one(s) they’ve chosen. It’s not enough to go to Yahoo! and type in a couple of keywords that vaguely describe your problem. On many occasions, I’ve been asked about technical issues by students or other network admins who prefaced their question with, “I tried looking it up on the Web but I couldn’t find anything.” I’ve then sat down at the keyboard, pulled up my browser, spent three minutes with Infoseek or Alta Vista, and solved the problem or acquired the information, which I copied, pasted and returned to them.
91_03.qx
2/25/00
10:59 AM
Page 107
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 107
They think I’m really smart (which is okay with me—good PR never hurts), but the truth is: I’ve found a couple of good search sites and more importantly, I’ve practiced using them enough to get good at it. I chose Infoseek because it allows me to do a “search within results” so I can continuously narrow my search criteria, and I know that if I want to search for a whole phrase, I need to put quotation marks around it, and I know that if I choose the “advanced” feature, Alta Vista will let me do a Boolean query using operators like AND and NOT. Try different search engines, pick one that has the features you want and need, read all its online documentation so you’ll know the syntax for proper queries, and you’ll notice a world of difference in the effectiveness (and speed) of your Web searches.
NOTE Check out the following search engines: www.infoseek.com—allows you to “search within these results” www.altavista.com—allows for “advanced” search using Boolean operators www.hotbot.com—allows you to search the full text of pages rather than just keywords, allows advanced filtering of search results
Once you’ve learned the fine art of searching, you’ll find that the Web has numerous sites posted by companies, professional organizations, user groups and hobbyist clubs, and individuals, detailing others’ experiences with Windows 2000, their trials and tribulations, and how they solved the problems they encountered.
General Troubleshooting Models Regardless of the field, most professions exist for the purpose of anticipating, preventing, and/or solving problems. Physicians address medical problems, attorneys deal with legal problems, police officers confront problems involving criminal behavior, and network professionals are faced with connectivity and computer communications problems. Troubleshooting models have been developed and adopted and are used in the formal training in various occupations. These models describe a procedure, or a step-by-step process, that can be applied to most problem-solving situations regardless of the type of problem. Because the networking field is newer, training is less regimented and curricula haven’t been standardized throughout the industry. There is no
91_03.qx
2/25/00
10:59 AM
Page 108
108 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
“official” network-troubleshooting model. However, we can borrow popular problem-solving models that are in widespread use in other professions and apply their principles to the problems IT personnel are likely to come up against.
Differential Diagnosis Model When a medical doctor sees a new patient who complains of symptoms, whether vague (“I don’t feel well.”) or more specific (“I have a sharp pain that comes and goes in my lower-right side.”), the physician follows a step-by-step procedure to ascertain the cause of the problem and attempt to alleviate it. Generally, these steps fit the categories of: Examination, Diagnosis, Treatment, and Follow-up. A network administrator can follow the same steps when confronted by an “unhealthy” network.
Examination The first step involves gathering information. The doctor does this in several ways: Direct observation. He first assesses the patient’s general state of well-being based on things like demeanor, facial expression, skin coloration, whether the person is energetic or lethargic, whether the eyes are bright or dull, whether the person is over or underweight, voice, muscle tone, and so on. A network troubleshooter can also use observation skills, noticing if a cable is pinched or the lights on the NIC or hub are not lit as usual. Asking questions. The doctor will interview the patient, and ask her to fill out a medical history questionnaire. He will want to know such things as when the pain first appeared, what, if any, self-treatments she’s tried, whether there were any changes in her diet or activities, or if she was involved in an accident or otherwise injured just prior to the symptom’s appearance. The network professional asks very similar questions of the network users who are experiencing the problem. You need to know when the “symptom,” such as inability to connect to the network, began. You also will want to know if the user did anything to attempt to fix the problem, and whether anything on the computer or on that network segment was changed just prior to the loss of connectivity. Conducting tests. Even if the physician is able to establish a tentative diagnosis based on his observations and the answers to his questions, he will often order lab tests to provide objective confirmation. A network administrator who is trying to track down
91_03.qx
2/25/00
10:59 AM
Page 109
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 109
the source of a connectivity problem can also perform objective tests using software utilities and monitoring and diagnostic devices.
Diagnosis After the information has been gathered, the doctor puts this specific information about this patient together with the general knowledge acquired through his years of training and experience, to arrive at a diagnosis. This is defined as an opinion as to the nature and cause of the disease or injury based on the evaluation of patient history, examination, and review of laboratory data. The network troubleshooting process requires that you formulate an opinion as to the nature of the connectivity problem based on your evaluation of the history of the network (and the specific computer and user involved), your examination of the physical aspects like cabling, and your review of the data collected via cable testers, network monitors, protocol analyzers, and other tools.
Treatment The patient is usually less interested in having the doctor tell her why she feels lousy than in having him do something to make her feel good again. Likewise, the company’s management and the network’s users may not really care why the network is down—they just want you to get it up and running. The diagnosis is of academic interest, but the treatment is of practical concern. Your training and experience are important in this phase, too. But, like a doctor who isn’t expected to have encountered or memorized the treatments for every possible illness, neither can you be expected to know how to fix every possible connectivity problem, even after you’ve figured out the cause. This is where your research ability comes in; you must have resources that contain information on the “fixes” for common problems and you must know how to use them. You must be able to develop a treatment plan aimed at clearing up the symptom (loss of connectivity) and preventing it from happening again.
Follow-Up In the follow-up phase, the doctor has the patient return for a check-up, even though she may feel fine, to ensure that everything really is functioning normally and that there were no harmful side effects from the treatment he prescribed. You will want to do the same, assessing the results of your treatment, making sure that in fixing the original problem, you didn’t “break” something else.
91_03.qx
2/25/00
10:59 AM
Page 110
110 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
NOTE Another model used in medical circles is known as SOAPR: Subjective, Objective, Assessment, Plan, Review Results. This model uses basically the same steps, breaking the Examination phase into two parts: collection of subjective data (such as the patient’s statement that she feels “out of sorts all the time,” or the doctor’s observation that the patient seems “less responsive than usual”), and objective data (the “numbers” like blood pressure readings or white cell count). Otherwise, the steps are the same, with different names.
SARA Model Let’s look at a completely different profession and see how its model can be adapted to the network-troubleshooting world. SARA is a problem-solving technique widely accepted in the law enforcement community in recent years. The acronym stands for the steps in the problem-solving process: ■ ■ ■ ■
Scan Analyze Respond Assess
Although this model was designed to help the police do their work more effectively, it is equally applicable to tracking down the culprit that’s responsible for your network going down. See Figure 3.6 for an illustration of how the process works. This model can be applied to almost any type of problem solving. If we examine each of the SARA components, we’ll see that it is strikingly similar to the medical profession’s Diagnostic model.
Scanning This means that upon observing or being informed that a problem exists, the first thing you should do is scan, or take in the “big picture.” This is an important step and one that is often ignored, both by eager police officers who rush into a scene focused only on the area that appears to be the source of the trouble, and by network administrators, who likewise make assumptions and fall prey to a similar type of tunnel vision that prevents them from noticing important “clues.”
91_03.qx
2/25/00
10:59 AM
Page 111
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 111
Figure 3.6 The SARA problem-solving process.
S
SCAN Observe, Question, Collect data
A
ANALYZE Sort, Organize, Hypothesize
R
RESPOND Formulate and apply "treatment"
A
ASSESS Monitor results of "treatment"
Analysis After taking a moment to get an overview of the situation, the second step is to analyze the information available. A police officer on the street may have only a split second to perform this analysis. A network troubleshooter, even when under pressure from angry hoards of Internet-addicted users, generally has a bit more time to consider the possibilities and arrive at a logical course of action—which brings us to the next step.
Response In the preceding stage, you may have formulated several educated guesses as to the true source of the problem. Each of these hypotheses may in turn suggest several possible responses. Just as a police officer’s response to a combative subject could range from trying to “talk him down,” to using of physical force, your response to a computer that won’t communicate on the network could range from changing network configuration settings (talking it down), to reinstalling the operating system (shooting it).
91_03.qx
2/25/00
10:59 AM
Page 112
112 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
There are two important points regarding the response phase: ■
■
It is usually best to begin with the less drastic responses and “escalate” from there. Always be prepared for an unexpected response to your response.
Emergency services personnel know the importance of being ready for any contingency. Like them, even when you’ve made your decision as to how to handle the situation, you should have a backup plan.
Assessment After taking action, it’s time to step back and assess the effect of your action. Did it bring about the desired change? Did it make the situation worse? Did it have no effect at all? This assessment will determine what you do next: pack up and go back to your office (and send a bill for your high-dollar rescue operation), or start the whole process all over—once again scanning, perhaps a bit more carefully this time, to catch details you may have missed before.
Putting the Models to Work for You You can use one of these or any other similar problem-solving model to guide you through the troubleshooting process. The important thing is to develop a routine when you go into problem-solving mode, and follow the steps in the same order each time. This will help you to organize your thoughts and keep you from overlooking or discounting vital information. Regardless of which model you use, the steps it proposes will usually fall into the following categories: information gathering, problem isolation, taking corrective measures, and monitoring results.
The Information-Gathering Phase This is the Examination phase in a doctor’s Differential Diagnosis method, or the Scanning phase if you’re following SARA guidelines. In any event, it involves getting all the available data regarding the problem. There are several ways to gather data: we can ask questions of others, we can consult the computer’s log files, or we can bring in the “big guns,” diagnostic devices and software tools.
Questions to Ask The first step in responding to a report of connection problems should be to ask questions of the person reporting the problem, and anyone else who observed the problem. Our objective, in trying to determine what
91_03.qx
2/25/00
10:59 AM
Page 113
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 113
caused the problem, is to determine exactly how the problem manifested itself. The user who experienced the problem is in the best position to give us this information. Unfortunately, he or she may not always know how to tell us what we need to know. Remember the user we discussed earlier, who thought he was being specific when he reported that he “couldn’t get on the Internet?” You’ll find that many of the people who use the network, even those who consider themselves knowledgeable about computers, will suddenly draw a blank when they attempt to describe the problem to you. “I don’t know, it just doesn’t work,” is a common refrain. Police officers know that even when they’re lucky enough to have a perfect eye-witness to a crime, just because the person was there and saw it doesn’t mean he or she will be able to give a logical, chronological report of what happened that contains the information needed to solve the case—at least, not without some help. That’s why, for an investigator in any venue, questioning skills are so important. You are much more likely to get useful answers from your users if you ask the right kinds of questions.
Question Format There are no “good questions” and “bad questions.” There are appropriate and inappropriate questions, given the situation and the personality and knowledge level of the questionee. Open-ended questions, like “What happened?” may be useful as an opening, to get the person talking, or with a technically savvy user who is able to remember and has the vocabulary to describe what prompted him to call you for help. More often, though, open-ended questions will get broad, vague responses that aren’t very helpful. Asking more specific questions will result in more specific (and therefore more useful) answers. Some good questions to ask include: Exactly what task were you trying to perform when the problem occurred? Was he attempting to transfer a file, to access a Web page, to download e-mail, to dial up a remote connection with a modem? Exactly where in the process did the problem occur? For instance, if the user was trying to get his mail and got an error message, did this happen when he tried to connect to the ISP, after establishing the ISP connection when he tried to connect to the mail server, or was he able to download a few messages and then got disconnected? Were you doing anything else in addition to this primary task when the problem occurred? What other programs were open in the background? Was a virus checker or disk defragmenter or
91_03.qx
2/25/00
10:59 AM
Page 114
114 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
other utility running? Was anyone else accessing data on his computer across the network? Was it time for any scheduled tasks to start? What error messages (if any) did the computer display? Error messages can be a great source of information in troubleshooting—if your user can remember what they said. More often, this question will elicit the response, “It gave me some sort of error message, but I don’t remember what it said.” Instead of following your natural impulses and wringing the user’s neck at this point, there are several things you can do. Sometimes you can ask questions that are more specific: Was the error message on a blue screen or was it in a small text box? Did it say anything about a page fault with a bunch of funny numbers and letters? Was there anything in the message about a file not being found? The best thing to do in this situation is to try to recreate the error yourself. If you can’t, try asking the user to do exactly what he did before when the error message appeared, and see if he can reproduce the error. (Watching the user go through the steps without any guidance or directions from you can sometimes produce one of those “Eureka!” moments, when you realize that he’s trying to “browse the local network” using Netscape, or uncover some other equally amusing—if only it hadn’t wasted two hours of your valuable time—misunderstanding). Even if you’re lucky enough to have users who faithfully record every error message, or to see them with your own eyes, it’s a sad fact of life in the IT field that some error messages are more helpful than others. An error message that says “MOST_IMPORTANT_FILE.DLL cannot be found at <systemroot\ system32\important_files\” might be a good starting point for addressing the problem. A message box that says “The operating system will now shut down” doesn’t help much. Nonetheless, even an error message that seems almost completely indecipherable may give you a clue as to whether the problem is network-related, system-related, or both. Is anyone else experiencing the same problem? This is an important question for helping you to determine whether the network is involved. Have the user perform the same task on a different computer, in the same way. Does it work? If he has the
91_03.qx
2/25/00
10:59 AM
Page 115
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 115
same problem, you know it’s not related to the configuration or hardware of the original computer; rather, it has to do with the way he’s performing the steps, or it involves the server or other network equipment. Have you ever been able to perform this task on this computer? Don’t overlook the possibility that the system is not capable of doing what the user is trying to do, either because the hardware doesn’t meet requirements, the necessary software isn’t installed, the operating system or application hasn’t been configured, or the user’s account permissions, or the security policies on the network, don’t allow it. Sometimes, reported “network problems” are not really problems at all—it’s just the security system doing what it’s supposed to do (or what it thought it was supposed to do). You’ll save yourself a lot of time if you remember to ask this question before you spend a lot of time trying to “fix” something that never got broken because it never worked in the first place. If the answer to this question is yes, then you need to question further: When was the last time you were able to perform this task on this computer? Was he able to connect to the server yesterday, but found himself unable to do so when he came in to work this morning? Was she able to surf the Web this morning, but after rebooting the operating system, every URL she typed in returned a “404 error?” Did he have sound prior to installing that new office suite add-on? Try to pinpoint as exactly as possible when the problem first showed itself.
NOTE One way to make the troubleshooting job a little easier in the future is to train your users to write down any error messages they encounter. Take them into the fold, make them a party to the investigation, and impress upon them the vital importance of preserving this piece of “evidence” until you arrive. Some users will always greet you with, “Sorry, I forgot to write it down, and I thought maybe if I restarted the computer that would fix it.” But many of them will be more than happy to help you if you make them feel they’re contributing something valuable.
91_03.qx
2/25/00
10:59 AM
Page 116
116 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
What changes have occurred since the last time you were able to perform this task? Has he deleted any files? “Housecleaning,” or removing “extra, unneeded” files to clear up hard disk space, is a common cause of all sorts of computer malfunctions. Perhaps an important networking component was inadvertently thrown out with the trash. Has she run any utility programs? Some of these, especially third-party products, may attempt to “repair” a system by resetting configurations to the defaults. For instance, I’ve had the experience of installing new application software and finding that my DNS server entries in TCP/IP properties were removed, making it impossible for me to access a Web site using the fully qualified domain name. Has he installed new hardware, or removed any hardware peripherals? New device drivers can conflict with already-existing devices (such as the network card), or the problem may be caused by the operating system “looking” for a piece of hardware that is no longer attached to the computer. Has she opened any Word documents that use macros, or accessed any Web sites that run Active-X or Java scripts? Macros, scripts, and other executables can include intentionally malicious or badly written code or viruses that can affect connectivity, cause general instability, or bring down the entire system. Remember that if you ask the general question (“What changes have occurred?”) you may or may not get a useful answer. Most users will say something like, “Nothing, really.” You must ask about each specific possible change that could have been made to get the real story.
NOTE Don’t assume that just because the computers on your network are running antivirus software, they’re safe. New viruses are being written every day, and your protection is only as good as the latest updates to the virus definition files. Just as some folks get a tetanus shot and then never worry about it again—until they step on a rusty nail 25 years later—some people install Norton or McAfee antivirus programs and then proceed with a false sense of security, even though they haven’t downloaded the update files in months.
91_03.qx
2/25/00
10:59 AM
Page 117
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 117
Log Files Another source of information that you’ll want to consult during the datagathering phase are the Windows 2000 log files. These files are accessed via the Event Viewer, in the Administrative Tools menu. The Windows 2000 Event Viewer, like Windows NT, provides the following log files: ■ ■ ■
Application System Security
NOTE A Windows 2000 Server, depending on its configuration, may also contain additional event logs in Event Viewer, such as the Directory Service log, the DNS Server log, and the File Replication Service log. In addition, many services such as DHCP, RAS, DNS, and WINS maintain text-based log files in their own directories. You can configure these text log files within the Management Console of each respective service.
Application Log The Application log contains errors and events logged by application programs. What events, if any, are logged is determined by the application developer and written into the program code.
NOTE If there is binary data included in the event details, you can save it by saving the log with the .EVT extension. You can also save the logs in text or comma-delimited text format (.TXT or .CSV), but this does not preserve the binary data. The binary data is shown in hexadecimal, and generally will be useful only to a programmer. Some programs don’t generate binary data.
System Log The System log may prove to be more useful, as it contains events logged by the Windows 2000 operating system. If a service fails to initialize during the bootup of the operating system, for instance, Windows 2000 will enter an event in the System log. You will also see a message displayed
91_03.qx
2/25/00
10:59 AM
Page 118
118 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
telling you that one or more services failed to start and advising you to check the System log for more information. See Figure 3.7 for an example of the Windows 2000 System log. Figure 3.7 The Windows 2000 Event Viewer allows you to access log files.
You will note that in the illustration, three types of messages are shown: Information, Warning, and Error messages. ■
■
An Information message announces that an event occurred, such as the message shown in Figure 3.8, informing you that the DHCP service has cleaned up the database for unicast IP addresses and telling you how many leases were recovered and how many records were removed from the database. A Warning message pertains to an event that could indicate the potential for a problem in the future, but is not currently of enough significance to result in an error message. An example of a Warning message is shown in Figure 3.9, advising that the time service has not been able to find a domain controller with which it could synchronize. Warning messages are indicated in the log by a yellow triangular icon with an exclamation point.
91_03.qx
2/25/00
10:59 AM
Page 119
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 119
Figure 3.8 The details of an informational message in the System log.
Figure 3.9 An example of a Warning message in the Windows 2000 System log.
91_03.qx
2/25/00
10:59 AM
Page 120
120 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines ■
Error messages are the most serious of the three message types, and are used to denote significant problems that already have or could result in data loss, performance degradation, or functionality. An example of an error message is shown in Figure 3.10, advising that a remote WINS server aborted the attempt to connect, and replication did not take place. Error messages are represented in the log by red circles with a white “X” through the middle.
Figure 3.10 An example of an Error message in the Windows 2000 System log.
Security Log The Security log is used to record security-related events such as access to resources, successful or failed logon attempts, or exercise of user rights. When an administrator enables auditing (via the Group Policy settings) and specifies the events to be audited, the results will be displayed in the Security log.
NOTE You must be logged on with administrative privileges to access the Group Policy settings and enable auditing.
91_03.qx
2/25/00
10:59 AM
Page 121
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 121
Working with the Log Files in the Event Viewer A handy feature in the Windows 2000 Event Viewer is the ability to copy the contents of the message detail to the clipboard simply by clicking a button (marked by an icon showing two sheets of paper with the corners turned down, the third button in the previous figures). You can archive an event log by selecting the log you wish to save in the Event Viewer console tree, clicking the Action menu, then clicking the Tasks command, and choosing Save As.
TIP Archiving a log does not clear the contents of the log; to do that, you must choose Clear All Events from the Action menu.
You can specify logging options by clicking Properties on the Action menu and choosing the desired options on the General tab, as shown in Figure 3.11 Figure 3.11 Setting logging options in the Log Properties dialog box.
91_03.qx
2/25/00
10:59 AM
Page 122
122 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
This is where you configure the maximum amount of disk space the log can occupy, and what should occur when the limit is reached. You can also clear the log here, with the click of a button. You can also filter the events in a specified log. When you archive the log, however, the entire log will be saved regardless of filtering.
NOTE You must be an administrator in order to set logging options.
Tools of the Trade Chapter 4 will look in detail at some of the tools you can use to assist in your “diagnosis” and plan a “cure” for the problem. Perhaps the most important tool for a network troubleshooter is a good protocol analyzer. To really learn what’s going on with the network, you have to examine the packets themselves. This requires not only that you have a good analyzer, but that you learn how to use it. There are many types available, from stand-alone and handheld devices to software-only solutions. Microsoft’s Network Monitor (often referred to as ”NetMon”) is a good tool for analyzing Windows-based networks. A big advantage is that a basic version of NetMon is included with the Windows 2000 Server operating systems (see Figure 3.12). This free version of NetMon will only capture packets that are sent from or to the server on which it is installed. If you want to capture packets for the entire network, you need the enhanced version of Network Monitor, which is part of Microsoft’s System Management Server. In Chapter 4, we will discuss in detail how to use NetMon and other network analysis tools. When we have finally gathered as much data as possible, we can move on to the next phase in the troubleshooting process.
The Problem Isolation Phase This is the Diagnostic, or Analysis phase. This is where you take the large amount of information gathered from your investigative sources (results of monitoring and analysis equipment, users’ answers to questions, and your own personal observations), determine which bits are relevant and which can be discarded (in any thorough investigation, there will always be much more “data” than useful “information”), and use the rest to put together the pieces of the puzzle and solve the mystery.
91_03.qx
2/25/00
10:59 AM
Page 123
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 123
Figure 3.12 The Microsoft Network Monitor included with Windows 2000 Server.
One of your objectives during this phase is to look for patterns. Has this problem occurred here before? Do the “symptoms” match something you’ve heard about or read about? The first step in analyzing the information is to organize it in a fashion that will allow you to notice trends and pick out the key facts.
Organizing and Analyzing the Information This step may be done on paper, on screen, or in your head, but it is important that you sort through all the random facts and numbers you’ve gathered to determine which facts support which theories (and which would tend to negate which theories, too). In its simplest form, the process would work like this: Your user reports that the network file server, BIGSERVER, is “gone” from the network. (BIGSERVER is a Windows 2000 member server in a mixed-mode domain).
91_03.qx
2/25/00
10:59 AM
Page 124
124 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
Given that information, what are some scenarios that could cause the problem? It’s possible, although unlikely, that BIGSERVER has crashed. Since the machine itself sits a few feet away from your own workstation, you use your visual observation skills to confirm that BIGSERVER is up and running. You’ve eliminated one possibility. Another is that BIGSERVER’s network card has malfunctioned, a cable has loosened, or something else has caused the server to become disconnected from the network. You continue your investigation by trying to access BIGSERVER from your own workstation. You are able to ping the server with no problem using its IP address. You have eliminated another possibility: you now know that BIGSERVER is connected to the network. And since you can ping him successfully, you know his TCP/IP configuration is okay. You now consider the possibility of a name resolution problem. Perhaps the network’s DNS server is down. You try pinging BIGSERVER by name, and get a response. The DNS server is working properly. Could the problem be with the network’s browser service? You check “My Network Places” and find that BIGSERVER is listed in the domain. Perhaps there’s a problem with NetBIOS name resolution. The user didn’t say what application he was using that made BIGSERVER disappear, so maybe its not a host name problem, but a NetBIOS name problem. You double-click BIGSERVER in the My Network Places windows, and you see all of BIGSERVER’s network shares. At this point, you’ve narrowed the problem down considerably, and decided that it must be specific to the complaining user’s workstation. You go to that computer, which is running NT Workstation, and question the user further. What exactly does he mean when he says BIGSERVER is “gone?” The user tells you that he has tried to FTP to BIGSERVER and is unable to do so. He also opens up My Network Places and clicks on BIGSERVER’s name. Nothing happens. At this point you suspect a problem with the workstation’s configurations, but don’t know whether it’s a browse issue, a name resolution issue, or a TCP/IP connectivity issue. You ask if he tried to ping BIGSERVER and he replies that he did, using the server’s IP address, but received “some kind of error message.” Now you’re hot on the trail of the problem! You know it’s not a name resolution problem, since that wouldn’t affect your ability to ping by IP address. You know the server’s IP address is configured and working properly because you were able to ping from your own workstation. Now you open a command prompt, attempting to ping BIGSERVER and reproduce the problem. When you type “ping 192.168.1.2” at the command line, you receive the message shown in Figure 3.13.
91_03.qx
2/25/00
10:59 AM
Page 125
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 125
Figure 3.13 Ping error message.
This error indicates that something is wrong with the TCP/IP stack. You get the same message when you attempt to ping the loopback address, 127.0.0.1. That convinces you that TCP/IP is not working. You open the local area connection’s Properties box and discover that TCP/IP is not installed on the machine. Upon further questioning, the user tells you that he uninstalled the protocol from “another connection.” He points to the connection icon for the VPN, assuring you that he didn’t change anything on the local area connection. You sigh and explain that uninstalling the protocol from one connection removes it from all of them that use that network card, and you reinstall and reconfigure TCP/IP. BIGSERVER magically reappears. The user asks you why he was still able to “see” the other servers, and you show him that the NetBEUI protocol was still installed after he removed TCP/IP. The servers he was still able to connect to were on his local network segment and were running NetBEUI. Since BIGSERVER’s only networking protocol is TCP/IP and the workstation’s only protocol was NetBEUI, they had no common protocol over which they could communicate. You go back to your station to reassess the company’s practice of allowing users to be administrators of their own workstations.
Setting Priorities Since troubles tend to come in threes (or even bigger “gangs”), an important step in troubleshooting is to first prioritize the problems themselves, and then prioritize the factors that affect your efforts to solve them.
91_03.qx
2/25/00
10:59 AM
Page 126
126 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
Prioritizing the Problems In categorizing problems, priorities are usually set based on one of two criteria (or a combination of both): ■ ■
Productivity factors Political factors
The first is easy to understand, and prioritizing problems based on their effect on productivity is fairly easy to do. It’s obvious that, in general: 1. Problems that affect the entire network are higher priority than those that affect only a few users. 2. Problems that affect mission-critical activities (such as on-time delivery of time-sensitive material) are higher priority than those that affect less urgent activities (such as routine archiving of data). 3. Problems that are ongoing and worsen with time are higher priority than those that occur only occasionally and then clear up on their own. The second prioritization factor is a bit subtler, and may not be talked about or even acknowledged. In fact, the “unwritten rules” may be in direct conflict with the company’s stated policies. Every organization has its “pecking order” and its internal politics. It might seem that a problem affecting a whole department of clerks’ ability to access word processing documents is clearly a higher priority than a problem that prevents one user from surfing the Web. However, if that one user happens to be the CEO, who is addicted to his daily dose of online stock market reports and is in the throes of withdrawal, logical methods of prioritizing may not be applicable.
Prioritizing the Solutions When developing possible solutions, you will want to decide what factors are most important to your company in general, and in this particular instance. Factors to consider: Cost. Don’t forget that the immediate monetary outlay to implement the solution doesn’t tell the whole story in terms of total cost. You must also consider ongoing associated costs, and intangibles, just as the time of those who will do the work and the time lost by those who are unable to work while the network is down. Time. This is closely related to cost, and is a potentially high cost due to loss in productivity. Sometimes the (seemingly) more
91_03.qx
2/25/00
10:59 AM
Page 127
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 127
expensive solution, if it fixes the problem more quickly, is more cost-effective in the long run. Longevity. Do you need a long-lasting solution that will solve the problem permanently, or are you planning to reconfigure the entire network and install all new equipment three months from now and you only need a “fix” that will last until then? Performance. If a more expensive solution also improves overall performance at the same time it fixes the problem, it may be well worth the extra expense. Sometimes problems present perfect upgrade opportunities.
Taking Corrective Measures Sometimes there will be several available solutions; which one you implement will depend on many factors, including the priorities you’ve set. In some cases, the decision will be determined by budgetary restrictions. For instance, if too many users log on the domain at the same time when they start work each morning and cause a network slowdown, one solution is to buy additional servers to act as domain controllers. Another, less expensive answer might be to stagger the times at which employees’ workdays begin in 15-minute increments. In other cases, performance or time is the top priority, regardless of cost.
One Change at a Time Remember the third commandment: Only implement one change at a time and assess the effects of that change before trying something else. This will save you much grief in the long run.
Order of Implementation It makes sense to try the easiest solutions, the least time-consuming ones, the less expensive ones, and the least invasive ones first. If a patient complains of a minor headache, a doctor is likely to have him try taking a couple of aspirin to see if that relieves the symptom, rather than starting out with a more drastic treatment, like brain surgery.
Monitoring Results The last official step in troubleshooting is to assess the results of your actions, determine whether your “fix” worked, whether it was
91_03.qx
2/25/00
10:59 AM
Page 128
128 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
only a temporary workaround or actually solved the problem, and what can be done to prevent the problem from recurring in the future. The assessment and follow-up stage should also include developing a succinct summarization of the problem and solution, which may be disseminated to any or all of the following: Superiors within the company: If the problem had significant or ongoing impact on the operation of the network, you may need to submit a report to your supervisors or management personnel. The affected user(s): One way to prevent problems in the future is to make them a learning experience for the users (as well as for you). Educate the users about what happened, inform them of anything they can do to prevent it from happening, or failing that, the best course of action for them to take if it does happen. The hardware or software vendor(s): If the problem indicates a failure of network hardware or a bug in a software component, you may want to notify the vendor. Submitting a formal report makes it more likely the problem and its solutions may be incorporated into the vendor’s own documentation, such as the Microsoft Knowledge Base. Your permanent records: Don’t forget to record the details in your log or journal, so that if the problem arises again—even if you’ve been promoted to a high-level upper-management jet-setting position and are not on hand when it happens—all the information will be there and time won’t be spent researching or engaging in the same trial-and-error experimentation all over again.
Using Forms and Check lists Forms serve a useful purpose by helping you to organize your information at the same time you’re collecting it. A form that incorporates check lists can serve as a guideline for your queries, and helps ensure that you don’t forget something important. It can also speed up the troubleshooting process. Finally, the form itself can serve as the permanent record of what happened and how it was addressed. You can develop your own forms that contain fields specific to your company and its network, using the following sample form as a starting point.
91_03.qx
2/25/00
10:59 AM
Page 129
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 129
Network Troubleshooting Information Form Date:
Time:
Person reporting problem: Name/location of computer displaying problem:
Briefly describe the nature of the problem as specifically as possible:
History–former occurrences of this problem:
Exactly what was being done on the computer when the problem occurred?
What programs and processes were running when the problem occurred?
What error messages (if any) were displayed?
Was the computer restarted? ❏ restarted by operator
❏ automatic restart
If the computer was restarted, did it boot into the operating system normally?
If no, describe any problems, freezes, error messages, or unusual behavior upon reboot.
Operating system: Domain/workgroup:
Version
91_03.qx
2/25/00
10:59 AM
Page 130
130 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
Network Protocols installed (in order of binding):
Network connectivity check: ❏ Network accessible via browse list ❏ Can connect to other computers via UNC path ❏ Can ping loopback ❏ Can ping local host ❏ Can ping another computer on same segment ❏ Can ping near side of router ❏ Can ping far side of router ❏ Can ping host on a remote segment Error messages encountered in PING attempts:
TCP/IP Configuration check list: ❏ DHCP client ❏ IP address ❏ Subnet mask ❏ Default gateway ❏ DNS primary ❏ WINS primary ❏ Advanced TCP/IP settings: ❏ MAC address ❏ Protocol Analysis: Tool Used
Secondary Secondary
Results:
Hardware/Physical environment check list: ❏ NIC ❏ Hub(s) ❏ Router(s) ❏ Cables ❏ Power ❏ Temperature ❏ Humidity ❏ EMI/RFI/ESD
91_03.qx
2/25/00
10:59 AM
Page 131
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 131
Antivirus: Virus check run:
Updated
Event Logs: significant entries:
Narrative (in chronological order, describe your response to the problem):
Diagnosis:
Solution:
Recommended follow-up:
Summary In this chapter, we covered some general principles of troubleshooting and problem-solving and discussed ways of applying them to our jobs as network support professionals. We discussed the Ten Commandments of Troubleshooting: 1. Know thy network. 2. Use the tools of the trade. 3. Take it one change at a time. 4. Isolate the problem. 5. Recreate the problem. 6. Don’t overlook the obvious. 7. Try the easy way first.
91_03.qx
2/25/00
10:59 AM
Page 132
132 Chapter 3 • Windows 2000 TCP/IP Troubleshooting Guidelines
8. Document what you do. 9. Practice the art of patience. 10. Seek help from others. We discussed the many sources of troubleshooting documentation available for Windows 2000 administrators, both from Microsoft and from third parties. We looked at the new and vastly improved Help file system, and the printed material, online books, and utilities included in the Microsoft Resource Kits. We talked about MS Press publications, and how to use both the Web-based and the CD versions of TechNet. We also looked at the many newsgroups and mailing lists, hosted by Microsoft and others, that allow Windows 2000 administrators and users to share their experiences and pool their knowledge. Then we talked about how to use the World Wide Web as a troubleshooting resource, including ways of conducting an effective search and how to sort through this huge global repository of information. We examined a couple of widely popular problem-solving models, the Differential Diagnosis model used in medicine and the SARA (Scan, Analyze, Respond, Assess) model that has become a standard in modern law enforcement agencies. We discussed the steps involved in the problem-solving process, and how to apply the principles to network troubleshooting. We broke each step down into its basic components: 1. Information gathering 2. Problem isolation 3. Taking corrective measures 4. Monitoring results. We looked at some of the useful troubleshooting tools built into or included with Windows 2000, such as the System, Application, and Security logs, and the basic Network Monitor software. Finally, we discussed the ways in which forms and check lists can speed up the troubleshooting process and increase our efficiency, and provided a sample form that network administrators can customize for use in their own companies.
91_03.qx
2/25/00
10:59 AM
Page 133
Windows 2000 TCP/IP Troubleshooting Guidelines • Chapter 3 133
FAQs Q: Why is it important to follow a model or set of steps in troubleshooting? A: Adopting a problem-solving model and proceeding through the steps in a methodical manner, in the same order each time, offers several advantages: ■ It forces you to organize your thoughts. ■ It guides you in asking questions and gathering information. ■ It prevents you from forgetting important steps. Q: How and why should I attempt to reproduce the problem? A: You should attempt to reproduce the same problem on the same machine and on a different machine. This will help you determine whether the problem is user-specific, machine-specific, or a networkwide problem. Q: What are some troubleshooting resources provided by Microsoft for Windows 2000 and its components? A: Help files and readme files, online documentation on the Microsoft Web site (white papers, TechNet and the Knowledge Base, Resource Link), the Resource Kits, other MS Press publications, and finally public and private newsgroups. Q: What are the four basic steps common to all problem-solving models? A: Information gathering (also called Scanning or Examination); problem isolation (also referred to as Analysis or Diagnosis); taking corrective measures (also called Response or Treatment); and monitoring results (also known as Assessment or Follow-up). Q: What is a protocol analyzer and why do I need one? A: A protocol analyzer is a software tool or dedicated hardware device that actually examines the contents of the packets that travel over the network. Windows 2000 includes a “light” version of the Network Monitor software. The fully functional version, which can capture packets not only from the machine on which it’s installed but also those sent to and from other machines on the network, is part of Microsoft’s Systems Management Server.
91_03.qx
2/25/00
10:59 AM
Page 134
91_tcpip_04.qx
2/25/00
10:57 AM
Page 135
Chapter 4
Windows 2000 TCP/IP Internals
Solutions in this chapter: ■
Windows 2000 Enhancements to the TCP/IP Stack
■
Windows 2000 TCP/IP Architecture
■
IP in Windows 2000
■
TCP and UDP in Windows 2000
■
IPSec
■
TCP/IP Registry Settings
135
91_tcpip_04.qx
2/25/00
10:57 AM
Page 136
136 Chapter 4 • Windows 2000 TCP/IP Internals
Introduction Microsoft has rewritten and enhanced its TCP/IP stack on several occasions. The protocols that were extensively redesigned for NT 3.5 have evolved with each improvement to the corporate operating system, and many new and exciting features have been added in the Windows 2000 implementation. The focus in Windows 2000 has been on creating a TCP/IP stack that is scalable, in keeping with Windows 2000’s intended use in enterprise networks, and one that is versatile, easy to administer, and performs well. Windows 2000 still supports the features that made the Windows NT TCP/IP stack easy to work with, such as IP routing and Internet Group Management Protocol (IGMP), version 2, which supports IP multicasting. Microsoft has also added new features to make Windows 2000 their most TCP/IP-friendly operating system yet. TCP/IP is the native network/transport protocol for Windows 2000 and is installed by default when you install the operating system.
RFC Compliance The Windows 2000 implementation of Microsoft TCP/IP supports a large number of RFCs (Requests for Comments) that define various aspects of how the protocols work. RFCs are used to describe Internet standards, and go through a formal approval process before being adopted. Microsoft states that Windows 2000 TCP/IP supports the following RFCs: 768 783 791 792 793 816 826 854 862 863 864 865 867 894
User Datagram Protocol (UDP) Trivial File Transfer Protocol (TFTP) Internet Protocol (IP) Internet Control Message Protocol (ICMP) Transmission Control Protocol (TCP) Fault Isolation and Recovery Address Resolution Protocol (ARP) Telnet Protocol (TELNET) Echo Protocol (ECHO) Discard Protocol (DISCARD) Character Generator Protocol (CHARGEN) Quote of the Day Protocol (QUOTE) Daytime Protocol (DAYTIME) IP over Ethernet
91_tcpip_04.qx
2/25/00
10:57 AM
Page 137
Windows 2000 TCP/IP Internals • Chapter 4 137
919, 922 IP Broadcast Datagrams (broadcasting with subnets) 950 Internet Standard Subnetting Procedure 959 File Transfer Protocol (FTP) 1001, 1002 NetBIOS Service Protocols 1009 Requirements for Internet Gateways 1034, 1035 Domain Name System (DNS) 1042 IP over Token Ring 1055 Transmission of IP over Serial Lines (IP-SLIP) 1112 Internet Group Management Protocol (IGMP) 1122, 1123 Host Requirements (communications and applications) 1134 Point-to-Point Protocol (PPP) 1144 Compressing TCP/IP Headers for Low-Speed Serial Links 1157 Simple Network Management Protocol (SNMP) 1179 Line Printer Daemon Protocol 1188 IP over FDDI 1191 Path MTU Discovery 1201 IP over ARCNET 1231 IEEE 802.5 Token Ring MIB (MIB-II) 1256 ICMP Router Discovery Messages 1323 TCP Extensions for High Performance 1332 PPP Internet Protocol Control Protocol (IPCP) 1334 PPP Authentication Protocols 1518 An Architecture for IP Address Allocation with CIDR 1519 Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy 1533 DHCP Options and BOOTP Vendor Extensions 1534 Interoperation Between DHCP and BOOTP 1541 Dynamic Host Configuration Protocol (DHCP) 1542 Clarifications and Extensions for the Bootstrap Protocol 1547 Requirements for Point-to-Point Protocol (PPP) 1548 Point-to-Point Protocol (PPP) 1549 PPP in High-level Data Link Control (HDLC) Framing 1552 PPP Internetwork Packet Exchange Control Protocol (IPXCP)
91_tcpip_04.qx
2/25/00
10:57 AM
Page 138
138 Chapter 4 • Windows 2000 TCP/IP Internals
1825 1826 1827 1828 1829 1851 1852 2014 2085 2136 2205 2236
Security Architecture for the Internet Protocol IP Authentication Header (AH) IP Encapsulating Security Payload (ESP) IP Authentication using Keyed MD5 ESP DES-CBC Transform The ESP Triple DES-CBC Transform IP Authentication using Keyed SHA HMAC: Keyed Hashing for Message Authentication HMAC-MD5 IP Authentication with Replay Prevention Dynamic Updates in the Domain Name System (DNS UPDATE) Resource ReSerVation Protocol (RSVP), Version 1 Functional Specification Internet Group Management Protocol, Version 2
New standards are, of course, being approved on an ongoing basis, and we can expect Microsoft to incorporate new RFC specifications into the TCP/IP stack with subsequent updates. In this chapter, we will examine more closely some of the RFCs listed and how they are implemented in Windows 2000. Of special interest are RFC 1323, TCP Extensions for High Performance, which discusses scalable TCP window sizes; and 1519, which addresses Classless Inter-Domain Routing (CIDR). We will also look at the architecture of the Windows 2000 TCP/IP stack, and how the boundary layers function with the TCP/IP protocols. We will examine the internals of IP, TCP, and UDP, and then we’ll look at one of Windows 2000’s most interesting new features: IP Security. Finally, we’ll talk about how to solve connectivity problems and enhance performance by making changes to Windows 2000 Registry.
Enhancements to the TCP/IP Stack in Windows 2000 The most important enhancements that Microsoft has made to the TCP/IP protocol stack in Windows 2000 have to do with increasing performance. We will look at the operating system’s support for the following, and how you can use these changes to benefit your TCP/IP network: ■
■
RFC 1323 TCP extensions: scalable TCP window size and timestamping Selective Acknowledgments (also called SACK) in accordance with RFC 2018
91_tcpip_04.qx
2/25/00
10:57 AM
Page 139
Windows 2000 TCP/IP Internals • Chapter 4 139 ■
■ ■ ■ ■ ■
Support for IP over ATM (Asynchronous Transfer Mode) as detailed in RFC 1577 TCP Fast Retransmit Quality of Service (QoS) Resource Reservation Protocol (often referred to as RSVP) IPSecurity (IPSec) The Network Driver Interface Specification, version 5.0
For IT Professionals
How an RFC Becomes an Internet Standard RFCs are submitted by any interested party and assigned an RFC number. Not all RFCs describe standards, but if a document is to become a standard, it goes through three stages: Proposed Standard Draft Standard Internet Standard RFC 2226, “Instructions to Authors,” contains information on how to write and format a draft (called an Internet Draft, or I-D). The Internet Engineering Steering Group (IESG) then reviews the document, which is a part of the Internet Engineering Task Force (IETF). The IETF’s working groups (WGs) create a large number of the I-Ds. For more detailed information, see www.ietf.org/home.html. After review and approval, the document is edited and published. The RFC editor, employed by the Internet Society, maintains and publishes a master list of RFCs, and is also responsible for final editing of the documents. The RFC editor’s homepage is located at www.rfceditor.org/. Technical experts and/or an appointed task force classify each RFC as one of the following: Required Status—Must be implemented. Recommended Status—Encouraged. Elective Status—May be implemented, but not required. Limited Use Status—Not intended for general implementation. Not Recommended Status—Implementation is discouraged. Continued
91_tcpip_04.qx
2/25/00
10:57 AM
Page 140
140 Chapter 4 • Windows 2000 TCP/IP Internals
For more information about the RFC submission and approval process, see RFC 2026 at ftp://ftp.isi.edu/in-notes/rfc2026.txt. The RFC editor also provides a search engine at www.rfc-editor.org/rfcsearch.html, where you can search the master RFC database, download the entire collection of RFCs, and vote for your favorite RFC.
RFC 1323: TCP Extensions for High Performance RFC 1323, which is available on the Web for you to view at http://freesoft.org/CIE/RFC/1323/index.htm, discusses the specifications for extensions to TCP, the connection-oriented Transport layer protocol, which will give better performance over high-speed links. Scalable TCP windows, which allow for much larger packets than in the past, and TCP timestamps options are two RFC 1323 features supported by Windows 2000 that we will look at more closely.
TIP You may notice that at this layer, the packets or “chunks” of data are often called segments. TCP doesn’t recognize messages as complete units; it sends a group of bytes, not a complete “message.”
Scalable TCP Window Size NT administrators are familiar with the concept of sliding windows, the method used by the TCP protocol to control the flow of data. The sliding “window,” which is really a buffer, is the amount of data that can be buffered during a TCP communication.
NOTE A buffer is a holding place in memory for data, which allows a device or process to operate at different speeds or with different rules or priorities without one being “held back” by the other.
To really understand how sliding windows work, we must look at the process of establishing a TCP communication with another computer.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 141
Windows 2000 TCP/IP Internals • Chapter 4 141
The Three-Way Handshake Computers using TCP to communicate have both a Send window and a Receive window. At the beginning of a TCP communication, the protocol uses a three-way handshake to establish the session between the two computers. Because TCP (unlike its Transport layer “sibling,” UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to the sending and receiving of data. The client computer initiates the communication with the server (the computer whose resources it wants to access). The “handshake” includes the following steps: 1. Sending of a SYN (synchronization request) segment by the client machine. An initial sequence number, sometimes just referred to as the ISN, is generated by the client and sent to the server along with the port number the client is requesting to connect to on the server. 2. Sending of an ACK message and a SYN message back to the client from the server. The ACK segment is the client’s original ISN plus 1, and the server’s SYN is an unrelated number generated by the server itself. The ACK acknowledges the client’s SYN request, and the server’s SYN indicates the intent to establish a session with the client. The client and server machines must synchronize one another’s sequence numbers. 3. Sending of an ACK from the client back to the server, acknowledging the server’s request for synchronization. This ACK from the client is, as you might have guessed, the server’s ISN plus 1. When both machines have acknowledged each other’s requests by returning ACK messages, the handshake has been successfully completed and a connection is established between the two. See Figure 4.1 for an illustration of how this process works. For example, in Figure 4.1 the client wishes to establish an SMTP session with the server. The client sends a SYN segment that includes an ISN of 8261457 and the port number 25, which is the well-known port for Simple Mail Transfer Protocol (SMTP).
NOTE The SYN segment’s TCP header will also contain the source port to be used by the client, and TCP options such as the maximum segment length.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 142
142 Chapter 4 • Windows 2000 TCP/IP Internals
Figure 4.1 The TCP “three-way handshake” that establishes a communication session.
Step 1
SYN segment Client
Server
ACK message
Step 2
SYN segment Client
Step 3
Server
ACK message Server
Client
Connection Established!
In the second step, the server receives the SYN segment. It sends back an ACK message of 8261458. It also sends its own SYN message, with its own ISN of 2118922. The client receives the ACK and SYN. It increments the server’s ISN by 1 and returns an ACK of 2118923. At that point, the handshake is complete and the two are ready to “talk.” In case the concept is still a little muddy, here’s an analogy to help you understand the process: If you want to establish a one-to-one session (conversation) over the telephone with your best friend to tell him that you just got a big promotion and pay raise, you would not just dial up his number and then announce, “I got the Regional Manager job!” as soon as someone picked up on the other end. Instead, when the telephone was answered with “Hello?” you would ask, “Is this Jeff?” Jeff would then send you an acknowledgment: “Yes,” and a request of his own, “Mutt, is that you?” Once you replied in the affirmative, acknowledging Jeff’s message, the real “session” would be established and you can now send your information (“I got the job!”) over this “reliable connection.”
91_tcpip_04.qx
2/25/00
10:57 AM
Page 143
Windows 2000 TCP/IP Internals • Chapter 4 143
One point to remember is that TCP options are sent only in SYN segments, thus the final step in the handshake (the ACK from the client for the server’s SYN message).
NOTE A similar process occurs when the connection is terminated (sometimes referred to as session “tear down”). However, it actually requires the sending of more packets to end the connection than are required to establish it. Four packets must be sent in order to terminate the connection. This is because it is a two-way (full duplex) connection and it must be terminated for each direction separately. The client and server must each initiate a sequence to close the flow of data originating from its side. The request to close the connection is called a FIN message. The process works like this: (1) The client sends a FIN to the server, (2) the server sends an ACK to the client, (3) the server sends a FIN to the client, and (4) the client responds with an ACK back to the server. This is sometimes called “four-way disconnect.” Unlike the opening of the session, the server’s FIN is a separate transmission that is not part of its ACK of the client’s FIN.
Window Size Negotiation During the handshake, information is also sent to negotiate the size of the TCP window, or buffer. The usual procedure is to set the Send window to the same size as the other computer’s Receive window (the exception is when the Send window is smaller than the other computer’s Receive window). The destination computer first “advertises” a window size, and the sending computer adjusts its window size to match and sends the data. If the receiving computer is not able to process the data as quickly as the other computer sends it, the receiver will acknowledge the data and then reduce its window size, which signals the sender that it still has data in the buffer. Once the receiver “catches up,” it will advertise a larger window size again. Thus the TCP window size is dynamic, changing throughout the session. The size of the TCP Receive window on the destination computer limits how much data the sending computer can transmit before it has to stop and wait for an acknowledgment from the destination computer. In other words, the Receive window size (on the destination computer) refers to the amount of data that is buffered.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 144
144 Chapter 4 • Windows 2000 TCP/IP Internals
One change in Windows 2000 is default window sizes, which have been increased for better performance. Here’s how the process works: 1. A Maximum Segment Size (MSS) is negotiated between the sending and receiving computers during the three-way handshake that establishes the connection. The Maximum Segment Size is the maximum number of bytes that can be sent per TCP transmission (a unit of data that is acknowledged). In general, a larger MSS will result in faster performance—up to the point that fragmentation (breaking up of the segment) occurs. 2. TCP adjusts its Receive window size, instead of using a hardcoded default size. This is based on even increments of the MSS.
NOTE The default segment size is 536 bytes. This is the size used if there is no MSS set in the TCP options in the SYN message. The MSS can only be as large as the Maximum Transfer Unit (MTU) for the sending network interface. If the network is an Ethernet network, the MTU would be up to 1460 bytes. Commonly, the MSS is expressed as a multiple of 512, so it would be 1024 in most Ethernet-based TCP communications.
When a Windows 2000 computer sends a request for a TCP connection to another computer, it advertises a 16K Receive window. Then, when the connection is made, that size gets rounded upward to an even increment of the MSS. This means that on an Ethernet network, the window will ordinarily be 17,520 bytes, because that is 16K rounded upward to 12 1460-byte segments.
NOTE You can adjust the size of the Receive window to a particular value by editing the Windows 2000 Registry.
How the Windows Work In a TCP communication, each packet must be acknowledged. That way, if a packet fails to arrive at its destination (and thus the receiving computer does not send back an acknowledgment for it), it will be sent again. That’s why TCP is considered a reliable communication protocol.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 145
Windows 2000 TCP/IP Internals • Chapter 4 145
TCP must provide some method of controlling the “flow” of data transmission when multiple TCP connections have to share a busy link. Flow control is necessary so that the receiving computer doesn’t get “overwhelmed” by a sending computer that deluges it with data faster than it can be processed, or alternately, so that the receiver doesn’t sit around waiting for the data to “trickle” in. Flow control is the process of matching the outflow of data from the sending computer to the receiving computer’s inflow. This is done by setting a limit on the number of packets that can be sent before acknowledgment is required, which signals the sender to slow down (or stop and wait) if data is “piling up” in the receiver’s buffer. If the buffer overflows, data will be lost and must be retransmitted. Think of flow control as the effective management of the data flow between devices in a network so that the data can be handled at an efficient pace. A real-world example of flow control is the timing of the conveyor belt in a factory that uses an assembly line. It must be adjusted so that the outflow at the beginning of the line corresponds to the amount of time it takes the worker at each station to perform his or her task on each object before it moves on. In the TCP communication process, the “window” is those bytes of data that could be considered active. That is, they’re ready to be sent, or they have been sent and are awaiting acknowledgment. As acknowledgments are received, the window “slides” past those bytes, to send additional bytes. See Figure 4.2 for an illustration of this concept. A sequence number is added to the data in the Send window by TCP. The data is passed “down” the protocol stack to IP in the Internetwork layer, where addressing and routing takes place. There, the TCP segments are encapsulated in IP datagrams. A retransmit timer is added to each segment as it is sent. This indicates how long TCP should wait for an acknowledgment before resending the packet.
NOTE The sliding window protocol determines how much data is being transmitted based on actual bytes, rather than segments. When the packets reach the destination computer and enter its Receive window, they are put back into proper order based on the sequence number. When an acknowledgment is received by the sending computer, the Send window slides past those bytes. If no acknowledgment is received before the time set in the retransmit timer expires, the sending computer will send the unacknowledged bytes again.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 146
146 Chapter 4 • Windows 2000 TCP/IP Internals
Figure 4.2 How the TCP windows “slide” as bytes are sent, received, and acknowledged.
Send Window Acknowledged 1
2
3
4
5
6
7
3
2
1
TCP sliding "window"
Receive Window
7
6
5
4
The Receive window moves as the acknowledgments are received. The bytes within the Send window do not, however, have to be sent immediately A delayed-ACK timer is started when a destination computer gets the packets out of sequence. TCP doesn’t always send an acknowledgment the instant it receives a packet. The ACK can be delayed for up to 200 milliseconds. If the packets that are missing from the sequence aren’t received before the delayed-ACK timer expires, an acknowledgment will be sent for the first packet but not the rest of the packets received. This means that if the retransmit timer is not set to a value greater than the delayed-ACK timer, there will be unnecessary retransmitting of packets. Here is an example of how it works: If packets 1 and 3 are received but packet 2 is missing, TCP will wait, anticipating the arrival of packet 2. If it does not arrive before the timer expires, TCP will send an ACK for packet 1 only. If packet 2 still does not arrive, this may cause both packets 2 and 3 to be retransmitted. As you can see, resending packets adds to the amount of traffic on the network. Larger TCP windows will increase network performance on a fast link. In Windows NT, an acknowledgment is sent after every two sequenced packets are received. With Windows 2000, with RFC 1323 options enabled, the window size is scalable and larger windows can be utilized to increase network performance on a high-bandwidth link. This
91_tcpip_04.qx
2/25/00
10:57 AM
Page 147
Windows 2000 TCP/IP Internals • Chapter 4 147
speeds up the transfer of data on networks that are built on fast media and can take advantage of the feature.
NOTE The delayed ACK timer is set and used by the destination computer. The sending computer uses something called a retransmission timer when it is anticipating an ACK. At the time it sends the TCP segment, the sending computer starts a retransmit timer based on the Roundtrip Time (RTT). This is not a set time, but varies depending on the speed of the connection and other factors. If no ACK is sent back before the retransmit timer expires, the data will be re-sent. With all of these safeguards in place to ensure that every segment sent arrives at the destination computer, you can begin to see why TCP is called a “reliable” protocol.
How Flow Control Works For best performance, a large number of unacknowledged packets would be allowed to remain outstanding—as long as the number is not so large that some packets are dropped by the routers because of the overcrowding. When packets are dropped, they will be re-sent, increasing the overall traffic on the network and resulting in a performance hit. TCP handles this by starting with a smaller window size, then if no packets are lost, increasing the size until there is some loss of packets detected, and “scaling back” the size of the Send window to balance speed of transfer with amount of available bandwidth. At first, the Send window size will be set to equal one Maximum Segment Size. If an acknowledgment is received, the next transmission will be equal to two MSS, and will be increased by one MSS per acknowledged segment, each time the transmission is acknowledged. So, if the two MSS transmission is acknowledged, the next will be four MSS, and so on. As long as the acknowledgments keep coming back and the window does not exceed the maximum allowed window size (set in the Registry’s TcpWindowSize parameter as we will discuss a little later in this chapter), the process will continue. As you can see, the size of the window increases exponentially. This goes on until the maximum window threshold is reached. When that happens, the window will continue to grow as long as acknowledgments are received, but it will grow at a linear rate instead of an exponential one. After the threshold is reached, the window will
91_tcpip_04.qx
2/25/00
10:57 AM
Page 148
148 Chapter 4 • Windows 2000 TCP/IP Internals
increase by one in each RTT for which a whole window’s worth of acknowledgements is received. At some point, the transmission rate becomes so fast that the link becomes congested somewhere along the way and a timeout will finally occur. The sender will not receive the acknowledgment before the timer expires, and when this happens, TCP will adjust the threshold value to one-half the size of the window at that time. The window size itself will be reset to one MSS. The sending computer will start over again with the process of increasing the window size as acknowledgments are received, and the whole process will repeat itself.
Negotiating Scaling Factors Windows 2000 supports scalable TCP windows, in accordance with RFC 1323. By “scalable,” we mean the window size can be larger on networks that use high-speed links; thus, TCP windows can adjust to best fit the particular network’s needs. When this support is implemented, the TCP protocol can negotiate a scaling factor during the three-way handshake. The Window Scale option is sent in the SYN segment, and tells the receiving computer that the sending computer will support scaling. This does not automatically mean window scaling will occur. The receiving computer must also return a Window Scale option in its SYN segment. Window scaling is enabled only if both computers send Window Scale options—scaling is an all-or-nothing proposition (i.e., scaling is either enabled in both directions or not at all).
NOTE The Window Scale option can be sent in the SYN segment sent by a computer that is originating a TCP connection. It can be sent in the acknowledgment segment returned by the receiving computer that includes its own SYN bit, but only if the original SYN segment it is responding to included a Window Scale option.
Finding the Scale Factor To find out what the scale factor is, you can examine the packets that created the connection (the three-way handshake) in Network Monitor or a similar protocol analysis tool. This will appear as “TCP Option Type = Window Scale” with the option length and the scale factor shown after. If the TcpWindowSize value in the Registry, which sets the limit on the maximum TCP Receive window size that will be offered, is specified as
91_tcpip_04.qx
2/25/00
10:57 AM
Page 149
Windows 2000 TCP/IP Internals • Chapter 4 149
more than 64K, Windows 2000 will normally use window scaling (unless you specifically disable it). This setting is found at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interface \
See Figure 4.3 for an illustration of the new Registry value. Figure 4.3 Create a new DWORD type value and set it to the number of bytes to specify the maximum TCP Receive window size.
Remember that this setting should be an even increment of the MSS, as discussed previously. This setting controls only the specific network interface selected. You can also set a global value, for all interfaces, by creating a value called GlobalMaxTcpWindowSize. However, if an interface has a specific setting, it will override the global one. Even if a value of more than 64K is set, it will only be used when connecting to another system that also is capable of and configured to support the RFC 1323 options.
TIP This parameter is not visible by default. You must create it. The value is of the REG_DWORD type, and the value should be entered as a number in bytes.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 150
150 Chapter 4 • Windows 2000 TCP/IP Internals
Disabling Scaling in Windows 2000 To disable scaling, you must create and set the value for another Registry key, Tcp1323Opts. As with the TcpWindowSize key, you must use a Registry Editor such as regedt32 and navigate to the same Tcp\Parameters subkey. Create a new REG_DWORD value called Tcp1323Opts and set the value to 0 or 2, according to the following: 0 1 2 3
= = = =
disables both RFC 1323 options (window scaling and timestamping) enables window scaling only enables timestamping only enables both RFC 1323 options
If you disable window scaling, the maximum TCP window size will be limited to 64K.
TCP Timestamps Timestamping is another RFC 1323 option supported by Windows 2000, and is used for measurement of the RTT. The RTT is defined as the amount of time that it takes for a packet to travel from the client to the server and then for the acknowledgment to arrive back to the client. This does not include the time used for transmission of the packet, but does include delays between the two end systems as well as the time required for processing at the two end systems. Timestamping is especially useful when TCP connections are using large windows, to help TCP determine the RTT. This information is needed so the protocol can adjust timeout times for the retransmission timer, which optimizes. The reason timestamping is more important in communications that use the large window size is because the traditional way of measuring the RTT, which involves sampling of only one packet per window, gives a reasonable approximation when the window size is small, but the more packets there are in the buffer, the larger the margin of error becomes. Consequently, a more accurate method of measurement is needed.
How Timestamping Works Using the RFC 1323 option of timestamping, the sending computer puts a timestamp in the header of the TCP packets. This header is 10 bytes long and includes a 1-byte field designating the “kind,” (that is, showing that this header is a timestamp), a 1-byte field showing length, and two 4-byte timestamp fields: Timestamp Value (which shows the present value indicated by the sending computer’s clock at the time of sending) and
91_tcpip_04.qx
2/25/00
10:57 AM
Page 151
Windows 2000 TCP/IP Internals • Chapter 4 151
Timestamp Echo Reply (the value indicated by the receiving computer’s clock when it sends the acknowledgment). See Figure 4.4 for an illustration of the TCP timestamps option header. Figure 4.4 A TCP header showing the fields used to indicate the timestamp value. Present value shown by sender's clock
Kind = 8
10
TS Value (TSVal)
Present value shown by receiver's clock
TS Echo Reply (TSecr)
Valid only if the TCP segment is an ACK
In Figure 4.4, the first field with the value of 8 tells us this is a timestamp header; the second field shows a value of 10, indicating the total length of the header; and the next two fields show us the values of the sender’s and receiver’s clocks, respectively. The value of the receiver’s clock is shown only in an ACK message. The receiving computer reflects the timestamps back when it sends an acknowledgment. The sending computer can then subtract the value in its original header from the value in the acknowledgment segment, and this provides an accurate RTT for every ACK. The timestamp values are obtained from a virtual clock referred to as the timestamp clock.
TIP RFC 1323 specifies that timestamping should always be used when large window sizes (more than 64K) are used, and timestamps should be sent and echoed in both directions.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 152
152 Chapter 4 • Windows 2000 TCP/IP Internals
If a large window size is used, ensuring that timestamping is enabled will solve TCP instability problems caused by inaccurate RTT estimates, which can lead to a condition called congestion collapse. This occurs when there are a great many undelivered packets on a busy TCP/IP network, and connections timeout. Timestamping is enabled in Windows 2000 by default, although it can be disabled as shown by setting the Registry value Tcp1323Opts to 0 or 1.
RFC 2018: SACK (Selective Acknowledgment) Selective Acknowledgment, also called SACK, is another feature that will enhance performance when large window sizes are used. With Windows 2000, Microsoft introduces support for this feature, which is discussed in RFC 2018. As with timestamping, SACK uses TCP headers, which are sent in a SYN segment. In standard TCP transmission, if several packets are lost from one window’s worth of data, the sending computer only finds out about one lost packet per RTT. This means the lost packets will be slow to be retransmitted. Alternately, if the sender is aggressive about resending, it may resend packets that have actually been received and don’t need to be retransmitted, thus adding unnecessary network traffic. The purpose of the SACK option is to send additional acknowledgment information in a SACK option that is included in a segment from the receiving computer, about dropped packets or out-of-sequence packets. This information tells the sending computer exactly which packets were received and which are missing. When the connection is established, a “SACK permitted” option must be included in the SYN message to enable this feature. The benefit of SACK is that it allows the sending machine to resend only the data that was not received, and avoids congesting the network with unnecessary retransmittal of packets that were already received. If SACK has been enabled in the SYN message, SACK options will be included in all ACKs that don’t acknowledge the highest sequence number that is in the receiving computer’s buffer. This situation indicates that data has been lost or was received out of sequence, and the receiving computer is missing some segments. You will recall that normally, this situation causes both the missing segment and those following it to be retransmitted. SACK is called “Selective” because it allows the sending computer to retransmit only the selected segments that were not received. SACK is enabled by default in Windows 2000. It can, however, be disabled by editing the Tcpip\Parameters\SackOpts value in the Registry.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 153
Windows 2000 TCP/IP Internals • Chapter 4 153
This is a DWORD Boolean value type, which is set to 0 to disable SACK support or 1 to enable it. SACK can be very useful in solving performance slowdowns caused by lost packets or duplicate sending of packets on connections using large TCP windows.
NOTE The SACK header can be sent only on SYN (synchronization) segments. You should never find it on non-SYN segments.
RFC 1577: IP over ATM Another new feature in Windows 2000 is its support for the standards set forth in RFC 1577, which discusses operation of the Internet Protocol (IP) on a network based on Asynchronous Transfer Mode (ATM) technology. ATM has several advantages, including its ability to work well on very high-speed networks, and its flexibility, allowing the client to control the accuracy and speed of the data transfer. Other characteristics of ATM include: ■
■
■
Connection-oriented transmission Ethernet and Token Ring are connectionless technologies that depend on protocols in the higher layers to provide synchronization, acknowledgment, etc. No inherent limits on speed of transmission As speed increases in an Ethernet network, maximum segment length decreases, thereby effectively placing a cap on realistic attainable speeds that may be higher or lower depending on the media used. Quality of service The end points in an ATM communication negotiate a “contract” that specifies a guaranteed quality of service; this is not done in traditional technologies such as Ethernet and Token Ring.
Because of the high bandwidth that is possible using ATM, it is emerging as a popular technology. However, ATM networks differ from more traditional LAN technologies, like Ethernet, in that ATM is a nonbroadcast technology. This presents a challenge in regard to physical address resolution. In a broadcast-based network, clients use ARP broadcasts to resolve IP addresses to the physical addresses (called MAC addresses in Ethernet and Token Ring networks).
91_tcpip_04.qx
2/25/00
10:57 AM
Page 154
154 Chapter 4 • Windows 2000 TCP/IP Internals
When IP is run over ATM technology, there must be some means of resolving those IP addresses to ATM (physical) addresses. The solution is to set up an Address Resolution server (or ARP server) with special ARP server software, to which clients connect by being configured with the ATM address of the server. This works a little like WINS does in resolving IP addresses to NetBIOS names in that when a client computer comes online, it connects to its ARP server and sends its IP address and ATM address to be entered into the server’s database. Then, when the client wants to connect to another ARP client, it can query the ARP server for the other client’s ATM address.
NOTE ATM switching technology provides a dedicated connection, breaking up data into fixed-length packets that are called cells and are always exactly 53 bytes. ATM uses digital signaling and can achieve high transmission speeds (currently 155.520 Mbps or 622.080 Mbps; however up to 10 Gbps is possible). Windows 2000 supports this means of address resolution, and Windows 2000 machines can be configured as ATM ARP clients or ATM ARP servers via the Registry. The ARP client parameters are found in the network interface’s TCP/IP parameters. By editing the values in the AtmArpC subkey, you can specify such settings as the timeout for ATM address resolution, maximum number of resolution attempts, how long the client will wait after a negative response from the ARP server before trying again, and other specifications. To edit this value, use a Registry editing tool to set the parameters in the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters\Interfaces\\AtmArpC. ATM is implemented via hardware, as a replacement for Ethernet or Token Ring, and the components in an ATM network must support ATM. This makes ATM expensive, which is the primary reason it has not yet been implemented more widely.
NOTE ATM can use LANE (LAN emulation) software to provide support for traditional LAN applications and protocols. LANE causes the ATM network to appear as an Ethernet LAN to the higher-level protocols and applications. This is a way to increase performance of TCP/IP, but doesn’t give you the full benefits of ATM, such as Quality of Service guarantees.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 155
Windows 2000 TCP/IP Internals • Chapter 4 155
RFC 2001: TCP Fast Retransmit You will remember that the TCP protocol is connection-oriented and depends on an acknowledgment from the receiving computer to verify that all packets arrived at their destination—if no ACK is received, the computer that originally sent the data will retransmit it. At the time the packet is handed down to the IP protocol at the Network layer, a retransmission timer is started, and when the time expires, if no ACK has come back, TCP resends that packet. However, this can lead to long periods in which no data is transmitted because TCP is waiting for the retransmission timer to expire. Windows 2000 supports a feature called fast retransmit, discussed in RFC 2001, which allows TCP to resend the data before the specified retransmission time has expired. Here’s how and why that happens: If a packet arrives at the destination computer with an out-of-order sequence number (for instance, the next expected packet would be number 7, but the computer receives number 8), the receiver will send an ACK for the missing packet number 7, as well as for the packet number 8 that was received. If number 9 then arrives next, the receiving computer sends another ACK for number 7 as well as for packet 9. This continues as long as higher-sequenced packets arrive and number 7 is still missing, and the acknowledgments are called Duplicate ACKs. Normally, of course, only one ACK is sent per packet. So when the computer that originally sent the data starts receiving multiple acknowledgments for packet number 7, this tells it that packet 7 must have been lost. Then, the sending computer will resend packet number 7, even if the retransmission timer has not yet expired for that packet. See Figure 4.5 for a graphical representation of how this works. Of course, fast retransmit doesn’t replace the use of retransmission timers; it merely supplements them, enhancing TCP performance.
NOTE TCP on the sending side has no way of knowing whether a duplicate ACK was sent because of a lost segment or if the segments just got out of order. To resend in the latter case would add to network congestion, so TCP waits until several duplicate ACKs have been received. In Windows 2000’s implementation of TCP, the maximum number of duplicate acknowledgments is set to 3 by default (as specified in RFC 2001), so whenever a sending computer receives the third ACK for the same sequence number, and that number is lower than the number of the packet it last sent, it will retransmit the packet that is “missing in action.” You can change this value by specifying a different number in the TcpMaxDupAcks value in the Tcpip\parameters Registry key.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 156
156 Chapter 4 • Windows 2000 TCP/IP Internals
Figure 4.5 With fast retransmit, a packet is resent after three duplicate ACKS are received. packet 6 ACK 6
packet 8 ACK 7
ACK 8 Receiver
Sender packet 9 ACK 9
ACK 7
Sender
Sender packet 10 ACK 10
ACK 7
Sender
Receiver
packet 7 Sender
Receiver
It is estimated that on the average network, fast retransmit can improve throughput by up to 20 percent. Remember that in order for it to work, both the sending and receiving computers must support this feature.
RFCs 2211 and 2212: Quality of Service QoS, or Quality of Service, is another feature supported by Windows 2000 that was not supported by NT 4.0. A way that network applications can reserve bandwidth between the client and server is by using an extension to the Winsock API called General Quality of Service, or GQOS. What it does is provide an application interface to the Resource Reservation Protocol (RSVP), which is discussed in the next section. Together, QoS and RSVP are used by the application to deliver a flow of data from client to server, with the assurance that necessary bandwidth will be available. Obviously, this is useful for high-bandwidth applications such as video or high-quality audio. If a certain amount of bandwidth is necessary to maintain quality that is acceptable (for instance, if you need to be able to rely on having 1.5
91_tcpip_04.qx
2/25/00
10:57 AM
Page 157
Windows 2000 TCP/IP Internals • Chapter 4 157
Mbps in order to transmit video that is not jerky or otherwise unsatisfactory), the application can send a “flow specification” both for sending and receiving at the time it is initialized. This can be specified as “guaranteed,” or a lower level of assurance such as “best effort.” The specifications are sent to GQOS, which then works in conjunction with RSVP to make a “reservation.”
NOTE RFC 2211 discusses controlled-load service, and specifications for guaranteed QoS are addressed in RFC 2212. Clients that request controlledload service provide an estimate of the amount of data traffic they will generate. Acceptance of a request for controlled-load service is defined to imply a commitment by the network element to provide the requestor with service closely equivalent to that provided to uncontrolled (best-effort) traffic under lightly-loaded conditions.
RFC 2205: Resource Reservation Protocol After the flow specification parameters, which include latency limits, delay variations, and peak bandwidth, go to GQOS, RSVP is invoked via an API call. It sends special “path messages” to the destination IP address (the one to which the data will be sent). These messages signal the routers along the path, and they assess their available resources and decide whether they can accept the “reservation.” If all routers respond positively, the application is assured of having the needed bandwidth for the connection. RSVP functions as an Internet control protocol (like ICMP). It is also similar to a routing protocol in that it executes in the background. However, it is not a routing protocol itself, but works in conjunction with routing protocols. The routing protocols specify where the packets go, while RSVP only addresses the QoS of the packets. RSVP resides on top of IP, and will work with both IPv4 and IPv6. It also works with both unicast and multicast transmissions.
NOTE An RSVP request reserves bandwidth resources in only one direction.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 158
158 Chapter 4 • Windows 2000 TCP/IP Internals
IPSec The Internet Protocol Security protocol (IPSec) is yet another of Windows 2000’s new features, and one that Microsoft has made a big “selling point” for the new operating system. Security has become a major concern for more and more network professionals, as once-private networks have become joined by their connections to the global Internet. It is beyond the scope of this chapter to fully discuss the intricacies of IPSec, but for more information, see the book Configuring Windows 2000 Server Security, published by Syngress Media.
TIP Microsoft provides a great deal of documentation for the Windows 2000 implementation of IPSec. An excellent general overview is available in the Internet Protocol Security technical notes article published in TechNet. Also see the Windows 2000 Server Resource Kit for further information.
Purpose and Uses of IPSec The purpose of IPSec is to protect an IP-based network from eavesdropping, IP spoofing, denial of service and other “hack attacks.” IPSec offers protection of individual IP packets, and provides a general first line of defense against security breaches. It is especially useful with virtual private networking protocols (Point-to-Point Tunneling Protocol and Layer Two Tunneling Protocol, supported by Windows 2000), allowing for endto-end security.
NOTE End-to-end security methods are those in which it is necessary only for the “endpoint” computers (the machine from which the data originates and the final destination computer) to be aware of and support the IPSec protocols. The assumption is that the link connecting the two is not secure, thus the sender and receiver both handle security at their ends. The advantage of this is that IPSec can be implemented in a variety of scenarios without the requirement that systems along the data path be IPSecenabled.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 159
Windows 2000 TCP/IP Internals • Chapter 4 159
IPSec can provide for security protection at the Internetwork layer so that applications and protocols at higher levels are protected transparently. One major benefit of using IPSec is that, unlike more traditional Application Layer security protocols, it can be implemented without the necessity for making changes to individual client computers or installing extra software.
IP Security Options With IPSec, you have two options: Authentication Header (AH) provides for authentication of the sender of the data, and Encapsulating Security Payload (ESP) both authenticates the sender and encrypts the data itself. IPSec uses a header that follows the IP packet header to convey the information associated with each of these services. You can also select separate key protocols, such as ISAKMP/Oakley. IPSec establishes cryptographic keys for each security relationship. Windows 2000’s implementation of IPSec can also use the popular Data Encryption Standard (DES) for encrypting data.
For IT Professionals
About DES Data Encryption You will recall that IPSec gives you two choices: to only authenticate the sender, or to also encrypt the data. In a network environment where sensitive data is stored (confidential medical or legal records, trade secrets and formulae, and similar information), it becomes important not only to protect the network via authentication of users, but also to add another layer of protection by encrypting the data. Encryption involves translating data into another, encoded form, which is called a cipher. Ciphers work by applying a particular algorithm or formula to the bits (the binary form of the data), which rearranges them so they cannot easily be reassembled by someone who lacks the key (the unlocking algorithm). The decryption key will effectively undo what was done by the encryption key and put the data back into useable form. DES is a widely used encryption algorithm developed in the 1970s by IBM (and known then as “Lucifer”) that uses a 56-bit key— which actually appears at first glance to be 64 bits; however, one bit per byte (or 8 bits total) is used for parity. DES uses a randomization process to generate different key values. There are said to be 72 Continued
91_tcpip_04.qx
2/25/00
10:57 AM
Page 160
160 Chapter 4 • Windows 2000 TCP/IP Internals
quadrillion possible keys. DES is known as a private or secret key algorithm, because the sender and receiver must both know and use the same key to encrypt and then decrypt the data. DES is known as a “strong encryption” method, and the U.S. government restricted the exportation of DES to other countries. An even stronger version is called triple DES because it applies three different keys, one after another. The Advanced Encryption Standard (AES) is expected to replace DES, since the National Institute of Standards and Technology (NIST) has declined to recertify DES. AES is said to be an encryption method that will provide more reliable security. The DES algorithms have been broken, although this required a concerted, exhaustive attack that involves approximately 255 steps. However, there have been many attempts to crack DES, and the Electronic Frontier Foundation (EFF) developed a project called "Deep Crack," which used a specially designed supercomputer together with a worldwide network of nearly 100,000 PCs on the Internet, to crack a DES encryption in a record-breaking 22 hours and 15 minutes. You can read about the AES development effort on the AES homepage at www.nist.gov/aes. RSA Laboratories’ security Web site provides a FAQ with much useful information on DES and other cryptography methods at www.rsasecurity.com/rsalabs/faq/.
IPSec Configuration Windows 2000 lets you configure the AH or ESP services by using IPSec policies, either locally or via Group Policy in the Active Directory. To make it easier for administrators to implement IP Security, Microsoft included with Windows 2000 a group of predefined IPSec policies, which include the following: ■
■
■
Client (Respond Only) For computers such as intranet clients that don’t usually need to use IPSec. The computer will be able to respond to requests for secure communications, but otherwise will not use IP Security. Server (Request Security) For computers that generally will transmit data that should be secured. The computer can accept nonsecured transmissions, but will request security from the sender. Secure Server (Require Security) For computers whose data should always be secured, without exception. Unsecured
91_tcpip_04.qx
2/25/00
10:57 AM
Page 161
Windows 2000 TCP/IP Internals • Chapter 4 161
communications will not be accepted, and outgoing transmissions will always be secured. You can also define custom policies and rules and set IP filtering on inbound or outbound traffic, or both. IP packet filtering will identify transmissions from a particular computer, identified by its IP address, and apply a rule (such as blocking the traffic, negotiating security, or allowing the packets to pass through unsecured).
IPSec Troubleshooting In some cases, what appears to be a connectivity problem may in fact be a matter of misconfigured security policies; thus, it is important that you be familiar with how IPSec and other security features work, and keep this possibility in mind when troubleshooting.
Failure of RAS Secured Communications When secured communications fail but unsecured communications go through without problems on remote access connections, you should check the authentication method selected for the RAS connection. Another possibility is that the RAS server with which you are attempting to communicate does not support the security method.
Failure of Internal (LAN) Secured Communications When you are unable to connect to another computer on your internal network (intranet), and you have verified that the computer is not offline, check your IP filter settings and ascertain that the list of acceptable security methods is correct. Restarting the IPSec policy agent will clear old security associations that could be causing conflicts. To restart the policy agent, from the System Service Management console, double-click the IPSec Policy Agent in the results pane and click Restart (this will restart the IPSec driver as well).
Broken Policy Links When more than one administrator is editing IPSec policies, links between the policy components could become broken due to the fact that the Active Directory assumes that whatever information is saved last is the current information. This is rare, but could occur if two administrators create rules that both use the same filter and then save the changes at the same time. Windows 2000 protects against this problem by providing a way to check the integrity of the IPSec policies. To do so, from the IP Security Management console, click the Action menu, select Task, and then click
91_tcpip_04.qx
2/25/00
10:57 AM
Page 162
162 Chapter 4 • Windows 2000 TCP/IP Internals
“Policy integrity check.” This will verify the validity of filters and settings and display an error message if any are found to be invalid.
Using the IPSec Monitor Windows 2000 includes the IPSec monitoring tool, which displays active security associations on local or remote systems. This will help you to recognize patterns and trends of failed security associations, failed authentications, or other indicators of bad policy settings. To use the IPSec monitor, click Start | Run, and type: ipsecmon
You should see an entry for every security association that is active, showing the policy name, the filter action, and the IP filter details. The tunnel endpoint will be shown, if applicable. Other statistical information that can be provided by IPSec Mon includes: ■ ■ ■ ■
Number of active security associations Types of active security associations Number of master and session keys generated Number of ESP or AH bytes sent and received
Using the IPSec monitor, you can determine whether your secured communications were transmitted successfully.
NOTE By default, the IPSec monitor’s information will be updated every 15 seconds. You can change the refresh rate by clicking OPTIONS. See Figure 4.6.
Using Event Viewer to Troubleshoot IPSec Problems The Windows 2000 Event Viewer can be used to troubleshoot IPSec, since the IPSec policy agent writes to the System log in several instances. For example, you can see in the Event Viewer whether local or Active Directory policy is being used, since the policy source is entered in the Event log. You can also view the Security log for entries pertaining to failures of secured communications or informational messages pertaining to the Oakley protocol. The Application log may also contain messages from ISAKMP/Oakley.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 163
Windows 2000 TCP/IP Internals • Chapter 4 163
Figure 4.6 The IPSec monitor can be accessed from the Windows 2000 command prompt.
Using Network Monitor to Troubleshoot IPSec Problems The Network monitor included with Windows 2000 (or the enhanced version that comes with System Management Server) can be used to view the AH and ESP transmissions. AH-secured packets will be indicated as TCP, UDP, or ICMP packets, but you will see the AH header when you open the packet. ESP packets are easier to spot, as they are marked as ESP packets. Because it is encrypted, however, you won’t be able to read the data itself when you open the ESP packet.
IPSec Files Missing IPSec is installed as part of the installation of TCP/IP. If problems occur due to files that are needed for IPSec being deleted or corrupted, you reinstall IPSec by removing and then reinstalling the TCP/IP protocol (see Chapter 1, “TCP/IP Overview,” for instructions).
Problems with Multihomed Computers If a computer has multiple default routes, as is likely to be the case with a multihomed system, this can cause problems with secured communications. To correct the problem, define a default route as follows: Select Run | Start | cmd
91_tcpip_04.qx
2/25/00
10:57 AM
Page 164
164 Chapter 4 • Windows 2000 TCP/IP Internals
At the prompt, type route print
Press ENTER. You will see a list of routes that make up the computer’s routing table. If one has a destination 0.0.0.0, or if there is more than one with a metric of 1 (or the lowest metric if none are shown as 1), take one of the following actions: ■ ■
Delete one of the default routes Ensure that one of the default routes has a lower metric value than all of the rest
Performance Slowdown When Using IPSec You should also be aware of the fact that implementing IPSec data encryption may slow the network; this is to be expected due to the overhead involved in processing the encryption algorithms. There are ways to alleviate this; for instance, NDIS 5.0 (discussed in the next section) allows for offloading of tasks. This means the encryption duties could be offloaded to the hardware so that the NIC would handle that task. Of course, offloading requires a NIC that is designed to support IPSec hardware offloading.
NDIS 5.0 NT administrators will be familiar with the Network Driver Interface Specification (NDIS), which is Microsoft’s means of allowing communication between the networking protocols and the network interface card (NIC). NDIS is implemented as a boundary layer in the NT/Windows 2000 networking model. Windows 2000 supports NDIS, version 5.0, which includes all the features and functions of NDIS 4.0, as well as the following additional specifications: ■ ■ ■ ■
■ ■ ■
■
Support for NDIS power management Support for Plug and Play Support for Windows Management Instrumentation Support for a new standardized .INF format that will be used by both Windows 9x and Windows 2000 operating systems Improved miniport performance Task offload support Support for ATM, ADSL, and network streaming (connectionoriented NDIS) QoS support
91_tcpip_04.qx
2/25/00
10:57 AM
Page 165
Windows 2000 TCP/IP Internals • Chapter 4 165
Because Windows 2000 is designed to provide better functionality on laptop and notebook computers than Windows NT, power management support is an important factor. NDIS 5.0 supports Network Power Management and Wake On LAN (assuming the NIC also supports these features). An important function of the NDIS interface is the ability to bind multiple protocols to one network card, and/or bind a protocol to multiple NICs. Windows 2000 TCP/IP supports Ethernet, FDDI, Token Ring, ATM, ARCnet, and WAN protocols such as ISDN and X.25. Windows 2000 also supports LAN emulation with ATM adapters that are designed to use LANE.
NOTE Network Power Management is supported only when using the Microsoft TCP/IP protocol stack.
Inside the Windows 2000 Internet Protocol (IP) IP operates at the Internetwork layer of the Department of Defense’s TCP/IP networking model, with responsibility for routing; that is, getting packets to their destination based on their IP addresses. Remember that at the sending computer, the data travels down from the Transport (Host-to-Host) layer to the Internetwork layer, so IP receives the TCP segment (or UDP for connectionless communications such as broadcasts) and then passes it down to the Network Interface layer. Before handing it down, however, IP performs an important function: It looks at the destination IP address on the packet and then consults its local routing table to determine what to do with the packet. It can pass the data to the network card (or if it is a multihomed system, determine which of the attached network cards to pass it to), or it can discard it. When a Windows 2000 computer starts, the routing table is constructed. Certain entries, such as the addresses for the loopback, the local network, and the default gateway (if configured in TCP/IP properties) are added automatically. Other routes can be added by ICMP messages from the gateway, by dynamic routing protocols (RIP or OSPF), or you can manually add routes using the route command at the command prompt. Windows 2000 also includes Routing and Remote Access (RRAS) and can be configured to act as a router for IP or IPX traffic.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 166
166 Chapter 4 • Windows 2000 TCP/IP Internals
NOTE Packets are often referred to as datagrams at this level. These datagrams contain the source and destination IP addresses, which will be translated to MAC (physical) addresses at a lower layer.
Classless Inter-Domain Routing As we’ve discussed, in the early days of IP networking, it was believed that there was a more than adequate number of IP addresses, and address blocks were allocated liberally; those practices resulted in many “wasted” addresses. At that time, networks were divided into class A, B, and C types based on the number of host addresses (along with class D, used for multicasts, and class E, reserved for experimental purposes). Again, because of the lack of planning and the way in which the network IDs were initially distributed, all of the class A addresses and most of the class B addresses were soon taken. However, with the growth and popularity of the Internet, more and more organizations had a need for public IP addresses, and many of these networks were larger than the limits of a class C network, which was the only type left to be assigned. For this reason, in the mid-1990s a new concept was developed to allow for allocation of network numbers without regard to the A, B, and C classifications. This is called Classless Inter-Domain Routing, or CIDR (pronounced like “cider”). Routes are aggregated, and what were once designated as class C networks can be combined through “supernetting” to create larger networks by “stealing bits” from the network portion of the IP address, which is the direct opposite of the way a large network can be subnetted into smaller networks by borrowing bits from the host portion to represent the network ID. Benefits of CIDR include: ■ ■ ■ ■
Smaller Internet routing tables Less updating of external routes required More efficient allocation of address space Increase in number of available Internet addresses
CIDR addresses contain network prefixes which are part of the IP address and vary in length according to how many bits are actually needed, instead of being forced into the class A, B, or C specifications. CIDR addresses also contain a slash followed by the number of bits that represent the network ID, so a CIDR address looks like the following:
91_tcpip_04.qx
2/25/00
10:57 AM
Page 167
Windows 2000 TCP/IP Internals • Chapter 4 167
192.204.76.0/14 The “/14” indicates that the first 14 bits identify the network, and the remaining 18 bits identify the host. RFCs 1517 through 1520 all document aspects of specifications for Classless Inter-Domain Routing. RFC 1817 discusses CIDR and so-called “Classful” (traditional) routing.
NOTE The CIDR FAQ at www.ibm.net.il/~hank/cidr.html is a useful source of questions and answers about Classless Inter-Domain Routing, maintained by Hank Nussbacher of Tel Aviv University and IBM Israel.
Multihoming Microsoft refers to a computer that has multiple IP addresses as a multihomed host. This doesn’t necessarily mean the computer has multiple NICs, although the term is often understood that way.
NOTE You can assign more than one address to the same physical NIC, creating virtual interfaces. To the Internetwork layer and the IP protocol, they are separate interfaces.
Windows 2000 supports both types of multihoming. If there are multiple physical network cards, they can be assigned addresses on the same network (or subnet), or there can be a card assigned to each network. In the latter case, Windows 2000 can act as an IP router, passing transmissions from one subnet to another.
NOTE When TCP/IP is bound to multiple IP addresses on one NIC, NetBIOS over TCP/IP (NetBT) can only be bound to one of the IP addresses. The address listed first in the TCP/IP advanced properties box will be used for NetBIOS name registration.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 168
168 Chapter 4 • Windows 2000 TCP/IP Internals
To assign multiple IP addresses to a NIC, select: Start | Settings | Network and Dialup Connections | Right-click the connection and choose Properties, then highlight TCP/IP, select Properties, and click ADVANCED. Click ADD under IP addresses and enter the new address, as shown in Figure 4.7. DHCP servers and DNS servers can be multihomed machines, although there may be some special configuration considerations. Figure 4.7 Multiple IP addresses assigned to a single NIC.
Problems Related to Multihoming You may encounter some of the following common problems with multihomed computers on a Windows 2000 TCP/IP network.
Networks Linked by RAS If a multihomed computer has IP addresses on two networks that are linked by a remote access connection, because the networks are not aware of one another there may be problems with routing. In this case, the solution is to create static routes. This can be done by manually adding the routes to the routing table.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 169
Windows 2000 TCP/IP Internals • Chapter 4 169
Multiple Default Gateways If a multihomed computer has addresses on two networks that are unaware of one another, and you configure it with different default gateways on the different networks, you may experience an inability to connect or other connectivity problems. The solution is to configure only one default gateway. This should be the one on the larger or primary network. You can then create static routes in the routing table to get to the computers on the smaller network.
NOTE Only one default gateway can be active at a given time, regardless of how many a computer is configured to use.
Multihoming and WINS There is potential for numerous problems when WINS servers or clients are multihomed machines. See Chapter 6, “Troubleshooting Windows 2000 NetBIOS Name Resolution Problems,” for more information.
IP Multicasting Multicasting means sending data to multiple destinations on the network at the same time, using a single multicast address. This differs from a broadcast in that computers belong to a multicast group, and only those that are designated as members of the group receive the multicast messages. Messages sent to the broadcast address, on the other hand, are sent to every computer on the subnet. The Internet Group Management Protocol (IGMP) is used for managing multicast membership. Computers can join or leave multicast groups by sending an IGMP message (computers that are not members of the group can still send multicast messages to the group). A computer can also belong to multiple multicast groups simultaneously. When a computer wishes to join a multicast group, it will send a message called an IGMP host membership report. With this message, it declares itself a member of a particular multicast group. The same message is used when a multicast router issues a query requesting group information. There are two types of multicast groups: ■ ■
Permanent multicast group Transient multicast group
91_tcpip_04.qx
2/25/00
10:57 AM
Page 170
170 Chapter 4 • Windows 2000 TCP/IP Internals
NOTE “Permanent” or “transient” refers to the group address. Membership in a permanent group is still dynamic; computers can join and leave at any time. A permanent group has a reserved IP address, and it continues to exist even if all computers leave the group. A transient group ceases to exist if its membership drops to zero, and its address is returned to the pool available for assignment to another group in the future.
A group can have members that belong to different networks as long as the routers between the networks support multicasting.
Multicast Address Range Windows 2000 complies with RFC 1112 level-2 standards for IP multicasting and uses the following class D addresses. The multicast addresses are in the range 224.0.0.0 through 239.255.255.255, shown in Table 4.1. These addresses are reserved for multicast transmissions with the Internet Assigned Name Authority (IANA). Table 4.1 Multicast Addresses Address
Purpose
224.0.0.0
Base address (reserved).
224.0.0.1
The All Hosts multicast group (includes all systems on the same network segment).
224.0.0.2
The All Routers multicast group (includes all routers on the same network segment).
224.0.0.5
The Open Shortest Path First (OSPF) AllSPFRouters address.
224.0.0.6
The OSPF AllDRouters address.
224.0.0.9
The RIP Version 2 group address.
224.0.1.24
WINS server group address.
NOTE For more information on reserved multicast addresses, see www.isi.edu/ in-notes/iana/assignments/multicast-addresses.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 171
Windows 2000 TCP/IP Internals • Chapter 4 171
Troubleshooting IP Multicasting Windows 2000 includes several multicasting utilities that can be useful in troubleshooting problems with multicast transmissions.
Command-Line Utility: mrinfo The command-line utility mrinfo displays the configuration of a multicast router. The information returned by the mrinfo command includes version number, the list of interfaces and the neighbors on each interface, metrics, Time to Live (TTL) thresholds, and flags.
Command-Line Utility: netsh routing ip mib show mfe The command-line utility netsh routing ip mib show mfe can be used to display the entries in the Multicast Forwarding Table. (The Multicast Forwarding Table can also be accessed through the Routing and Remote Access console).
Command-Line Utility: netsh routing ip mib show mfestats The command-line utility netsh routing ip mib show mfestats is used to display packet statistics and input and output interface information for multicast forwarding entries in the Multicast Forwarding Table. (The Multicast Statistics table can also be accessed through the Routing and Remote Access console).
Command-Line Utility: netsh routing ip mib show joins The command-line utility netsh routing ip mib show joins is used to display the list of multicast groups that are locally joined on each interface.
Duplicate IP Address Detection Because IP addresses must be unique on the network, there must be some mechanism in place to detect duplicate addresses. Unlike the MAC addresses, which are hard-coded into the chip on the interface card by the manufacturer, IP addresses are assigned by the network administrator. If addresses are assigned manually instead of by a DHCP server, it is very easy to make the mistake of assigning the same IP address to two machines. Having two machines on the network with the same address can obviously cause problems with delivery of data packets. If you have a common name like John Smith, you may have had the experience of having someone else with the same name at your workplace or in a class at school. You know how confusing it is when the name “John Smith” is called, and neither of you knows for whom the message is intended. You may have
91_tcpip_04.qx
2/25/00
10:57 AM
Page 172
172 Chapter 4 • Windows 2000 TCP/IP Internals
received memos or correspondence that should have gone to the other John Smith. Networks try to avoid this type of “mistaken identity” situation. If a computer is configured with the same IP address as another computer on the network, when it comes online and broadcasts an ARP message for its own address (sometimes called a “gratuitous ARP broadcast”), the computer that is already using that address will reply. This will cause an error message, and the computer that just came online will not be able to use the IP address; IP will be disabled and an entry will be made in the System log. The computer that “got there first” will still be able to communicate via IP, but will also display an error message to notify you that there was an address conflict.
NOTE The computer with the duplicate address may still be able to communicate with other computers on the network if another common protocol is installed (NetBEUI or IPX).
Inside the Windows 2000 Transport Protocols (TCP and UDP) The Transport (host-to-host) layer protocols, TCP and UDP, handle flow control and provide for reliable end-to-end communications. For more information about what takes place at this level and how it fits into the OSI and DOD models, see Chapter 1. We will discuss some of the features included in the Windows 2000 TCP/IP stack’s Transport layer protocols. Knowledge of these features can be useful in unraveling connectivity problems that originate at this level.
Transmission Control Protocol We will first look at TCP, the connection-oriented member of the pair. TCP is used in Microsoft networks to handle important one-to-one communications such as logons, file and printer sharing, and replication between Windows 2000 domain controllers.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 173
Windows 2000 TCP/IP Internals • Chapter 4 173
Dead Gateway Detection The Dead Gateway Detection feature in Windows 2000 makes TCP aware when the IP address configured to be the default gateway fails. This allows for a process called triggered reselection to take place, so that another default gateway can be chosen and implemented, and routed communications can continue. Here’s how it works: TCP attempts to send a packet to its default gateway and does not receive a response. It will keep trying, up to one-half the value set in the Registry key TcpMaxDataRetransmissions. If there is still no response from that gateway, TCP will try the next default gateway. The Route Cache Entry for the destination IP address on that packet will be changed to the new default gateway. If the gateway is dead, the same thing will happen to subsequent communications. If this continues to the point that 25 percent of the TCP connections have given up on the first gateway and moved on to use the second, IP will change the computer’s default gateway setting to the new gateway that the 25 percent are using. If the second gateway should also fail, the same process will occur and the next one on the list will be tried. If all gateways in the list are attempted and the last one fails, TCP will start over with the first default gateway listed. In this way, Windows 2000 maximizes the possibility of finding a gateway through which the packets destined for remote network segments can be routed.
Delayed Acknowledgments TCP is able to maintain reliable communications because it uses acknowledgments (ACKs) to keep the sending computer “in the know” about the packets that have and haven’t arrived at the receiving computer. However, the acknowledgment messages themselves take bandwidth and can slow the communication process and cause congestion on the cable. Microsoft addresses this problem by implementing Delayed ACKs according to the specifications in RFC 1122. This reduces the number of packets on the wire and helps prevent a congested condition. Using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 174
174 Chapter 4 • Windows 2000 TCP/IP Internals
TCP Keep-Alives As discussed earlier, a TCP connection normally stays open until a FIN message is sent and acknowledged to disconnect. Some mechanism is needed, then, to determine whether the computer on the other end is still “there” when no packets have been received for a long period of time. TCP uses keep-alive packets to verify that a computer on the other end of a TCP connection is “still alive and kicking” (that the remote computer is still available). By default, a keep-alive message is sent every two hours (expressed as 7,200,000 milliseconds). This value can be changed by editing the Tcpip\Parameters value KeepAliveTime. A keep-alive message is only sent if no other packets have been sent for the time period. The keep-alive message is actually an acknowledgment, but with a sequence number that is the current sequence number minus one. If the computer on the other end responds to the keep-alive packet, the keep-alive timer will be reset, and if another two hours goes by without communications over the connection, the process will occur again. If the computer on the other end does not respond, 10 attempts will be made. If there is still no response after 10 tries, the connection will be terminated.
NOTE TCP keep-alive messages are not enabled by default. To enable them for Winsock applications, edit the SetSockOpt value. TCP keep-alives generally are not sent on NetBIOS connections.
Avoiding the Silly Window Syndrome The Silly Window Syndrome, discussed in RFCs 813 and 1122, may have a silly name, but it can become a problem in TCP/IP networks, slowing down TCP communications. SWS occurs when the receiving computer slides its TCP window to the right when it has additional space available, and the sending computer uses this very small window to send correspondingly small data segments. In this situation, you end up with tiny segments of data being sent despite the fact that both computers have much more buffer space. The Silly Window Syndrome may be caused by either the client or the server. For example, the client might send data so fast that the server’s buffer fills up, and it then reduces its Receive window size to 1. This causes the client to send data in 1-byte increments, and the server responds by acknowledging only 1 byte at a time. Now, if the client stops
91_tcpip_04.qx
2/25/00
10:57 AM
Page 175
Windows 2000 TCP/IP Internals • Chapter 4 175
sending data, the buffers will clear and the window size will increase, but if the client keeps sending one byte at a time, performance will slow drastically. To avoid this situation, Windows 2000’s implementation of TCP/IP will not send additional segments until the receiving computer advertises a large enough window size to be able to receive a full segment. Additionally, if Windows 2000 is running on the receiving computer, TCP will not open the Receive window except in increments of a full segment. The Silly Window Syndrome can cause such drastic performance hits, so SWS avoidance is an important feature in Windows 2000.
User Datagram Protocol The User Datagram Protocol, UDP, is a connectionless Transport layer protocol that is used for broadcast and multicast transmissions and other situations where guaranteed delivery is not required. UDP works with IP, similarly to TCP, but UDP doesn’t break up the messages into smaller chunks (packets) and then reassemble the packets on the receiving end, as TCP does. There is no sequencing information in the UDP header. It’s up to the application to ensure that all the data arrived and to put it into the correct order. Like TCP, UDP provides for ports to differentiate between multiple connections. Therefore, if two applications are using UDP to communicate, using the same network interface, they will be assigned different port numbers. The advantage of UDP is speed—because it does not send acknowledgments and perform the other functions that make the TCP protocol more reliable, it also doesn’t have as much overhead.
NOTE The specifications for the User Datagram Protocol are discussed in RFC 768.
Understanding TCP/IP Registry Settings TCP/IP gets its information (such as whether to obtain an IP address and other information automatically, or the specific manually, configured information) from the Windows 2000 Registry. The Registry, as you will recall, is the centralized hierarchical database that took the place of multiple initialization (.ini) files in early versions of Windows operating systems. When the protocols initialize, they look to the Registry for their configuration settings.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 176
176 Chapter 4 • Windows 2000 TCP/IP Internals
When you configure the TCP/IP protocol settings in your network connection properties sheet, you are indirectly making changes or additions to the Windows 2000 Registry. The configuration information you enter in the dialog boxes will become values in the Tcpip\Parameters key, which is located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. There are a great many values contained in this subkey that were entered into the Registry at the time TCP/IP was set up on the computer. There are additional values that don’t appear by default, which you can add to optimize or change the behavior of the TCP/IP protocol driver.
NOTE The driver that implements the TCP/IP protocols in Windows 2000 is Tcpip.sys.
It is always better, if possible, to make changes to the Registry through the graphical user interface. For instance, if you wish to change the IP address of your computer, you should make that Registry change by entering the information in the TCP/IP property sheet. However, the GUI contains only a limited number of changes that can be made. There are many more specifications that can be made only by directly editing the Registry keys. We will discuss a few of these changes, and how to make them, in this section.
WARNING Microsoft always stresses the importance of caution in making direct changes to the Windows Registry. If you implement any of these changes, be sure to follow directions exactly. Of course, it’s always a good idea to first back up the Registry before making any changes.
Using the Registry Editing Tools Windows 2000, like NT, provides two Registry editing tools, regedit and regedt32. Regedit.exe is the registry editor that is also included in Windows 95. It is a powerful tool, but has some limitations. For instance, you cannot change security settings in the Registry using this application. Perhaps more importantly, regedit does not include a “read only” mode, as does its
91_tcpip_04.qx
2/25/00
10:57 AM
Page 177
Windows 2000 TCP/IP Internals • Chapter 4 177
cousin, regedt32. This means it is easier to mistakenly make changes that can affect the stability or even the bootability of your system. Why then would you ever use regedit? It does have one advantage over regedt32 in that its search engine is more powerful. If you need to do a detailed search, you might want to choose this tool. Another difference between the two is their appearance. Regedit, shown in Figure 4.8, resembles Windows Explorer. Figure 4.8 The Regedit.exe interface.
Regedt32.exe is the tool you will most commonly use when you already know the key and value you want to edit and don’t need the more sophisticated search features. Regedt32 will allow you to invoke “read only” mode so that you can look at your settings with no fear of accidentally making changes.
NOTE In both Registry editors, there is no “save changes” function. Changes that you make to the values take effect immediately.
Regedt32 also looks a bit different; as you can see in Figure 4.9, its interface shows each Registry hive key in a separate window instead of one hierarchical structure. Either tool can be used for editing the TCP/IP settings. Open the chosen Registry editor by typing either regedit or regedt32 at the command prompt or in the Run box from the Start menu.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 178
178 Chapter 4 • Windows 2000 TCP/IP Internals
Figure 4.9 Regedt32 presents the Registry information as separate windows for each key.
NOTE Notice that the “i” is omitted from “regedt32.” A common mistake is typing the command with the “i,” resulting in a File Not Found message.
Configuring TCP/IP Behavior through the Registry All of the values we will discuss will be found under the same Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters. Remember that TCP/IP can be bound to more than one NIC, and can be configured differently for each NIC to which it is bound. For values that are specific to an adapter, you will find a subkey for each NIC that contains its individual settings. The network interface subkeys are found
91_tcpip_04.qx
2/25/00
10:57 AM
Page 179
Windows 2000 TCP/IP Internals • Chapter 4 179
under “Adapters,” and each interface is represented as a hexadecimal number, as shown in Figure 4.10. Most of the parameters that we will discuss will not already be present in the Registry by default. In order to modify the protocol settings using the parameters that you don’t find already present, you must create the new value. Figure 4.10 Each NIC has a separate subkey for its settings.
Creating a New Value To create a new value in the Registry using the regedt32 tool, from the Edit menu, choose “New value.” You will see a dialog box as shown in Figure 4.11, which allows you to enter a name for the value, and select the data type from a drop-down box. Figure 4.11 You can add a new value to the Registry if it does not already exist.
The value can be one of five data types: ■
■ ■
REG_DWORD Hexadecimal data with a maximum limit of 4 bytes REG_EXPAND_SZ An expandable string REG_MULTI_SZ A multiple string
91_tcpip_04.qx
2/25/00
10:57 AM
Page 180
180 Chapter 4 • Windows 2000 TCP/IP Internals ■
■
REG_SZ A single data string (group of characters handled as one entity) REG_BINARY Zeros and ones (“machine language”)
Be sure you select the correct data type, as given in the instructions, when creating a new value.
Editing Common TCP/IP Registry Values We will discuss only a few of the many Registry settings that can be edited to change TCP/IP behavior. For a complete list, see the Microsoft TechNet article “MS Windows 2000 TCP/IP Implementation Details.”
Changing the Timeout for the ARP Cache You can change the timeout value of the ARP cache from the defaults (2 minutes for unused entries and 10 minutes for those that have been used) by creating a new value in the Tcpip\Parameters subkey called ArpCacheLife. The value type is REG_DWORD, and the value should be set as the number of seconds for timeout, in hexadecimal (0 – 0xffffffff).
Changing the Number of ARP Retries Another configuration setting you might want to change to speed initialization is the number of times the computer will send a “gratuitous” ARP broadcast for its own IP address, to determine if the address is already being used on the network. Once again, you must create a value of REG_DWORD type and enter the number of ARP retries desired. The default is 3, which is also the maximum. You can change this to either 1 or 2.
Changing the Default TTL You can change the number in the outgoing IP headers that represents the maximum amount of time the packet can remain “alive.” If it does not reach its destination by the time set, it will be dropped. What this does is limit how many routers the packet can “hop” through before it “dies.” This will also be a new REG_DWORD value called DefaultTTL, set to the number of seconds/hops, and can be from 1 to 0xff (255 in decimal notation). The default is 128.
Enabling or Disabling Dead Gateway Detection By default, dead gateway detection is enabled. You can disable it (or reenable it after it’s been disabled) by editing the EnableDeadGWDetect value. The value type is REG_DWORD (Boolean), and the only valid settings are 0, which disables dead gateway detection, or 1, which enables it.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 181
Windows 2000 TCP/IP Internals • Chapter 4 181
Enabling Multicast Forwarding In Windows 2000, IP multicast forwarding is not enabled by default. However, it can be enabled by creating a Registry value called EnableMulticastForwarding of the REG_DWORD (Boolean) type, and setting it to 1, for True.
Enabling IP Address Autoconfiguration Automatic configuration of IP address is enabled in Windows 2000 by default. Although this feature is often useful, it can be disabled by setting the IPAutoconfigurationEnabled value for the specific interface to a value of 0. You can reenable it by setting the value to 1.
Changing the Interval between TCP Keep-Alive Transmissions By default, keep-alive messages will be sent every 1000 milliseconds (one second) until a reply is received. You can edit the KeepAliveInterval value to change this to a different time (in milliseconds). This is a REG_DWORD data type.
Changing the Maximum Transmission Unit (MTU) By editing the MTU value for the specific interface, you can set a limit on the packet size (in bytes) that will be transmitted over the network. This value is set as a REG_DWORD type, specifying the number of bytes. This value cannot be less than 68. If you set it to a number that is less than 68, the MTU will be 68.
Registry Settings that Should Not Be Edited Some settings are configured by the services, such as DHCP, and should not be changed via editing the Registry. Others can, and should, be changed via the GUI instead of by editing the Registry directly. Below is a partial list: ■ ■ ■ ■ ■
■
IPAutoconfigurationAddress DHCP Default gateway Can be set in TCP/IP properties box in the GUI EnableDhcp Can be set in TCP/IP properties box in the GUI IPAddress Can be set in TCP/IP properties box in the GUI IPEnableRouter Can be set in TCP/IP properties (Advanced) in the GUI IPEnableRouterBackup Set by setup and should not be changed manually
91_tcpip_04.qx
2/25/00
10:57 AM
Page 182
182 Chapter 4 • Windows 2000 TCP/IP Internals ■
■
DhcpDefaultGateway Written by the DHCP client service and should not be changed DhcpIPAddress Configured by DHCP (Note: None of the DHCP assigned values should be changed manually.)
Summary In this chapter, we discussed how TCP/IP works, its “internals” or the components of its architecture as implemented in Windows 2000. We got an overview of the enhancements that Microsoft has made to its TCP/IP stack. We learned a little about Internet Requests for Comments (RFCs), and discussed in detail some of the RFCs with which Microsoft’s newest operating system complies. In particular, we examined some of the more significant RFCs such as: RFC 1323, which provides for scalable (and larger-sized) TCP windows, a feature that can optimize performance on highbandwidth networks. We explained the purpose and function of sliding windows, how the TCP three-way handshake works and how it establishes the window size, and how sliding windows provide for flow control in TCP communications. We looked at how the scaling factor is negotiated and how you can determine what the current scaling factor is by examining the packets that created the connection. Then we looked at another TCP extension specified in RFC 1323, timestamping, and how it can solve instability problems that are caused by bad estimates of Roundtrip Time (RTT) that result from other methods of measuring RTT. RFC 2018, which deals with TCP selective acknowledgments. We saw how SACK can enhance network performance when large window sizes are being used. We also discussed how to disable SACK by editing the Windows 2000 Registry. RFC 1577, which lays out specifications for running an IP network over ATM. We discussed some of the advantages of Asynchronous Transfer Mode networks, such as their connection orientation, lack of inherent limits on speed, and Quality of Service. We talked about the use of an ARP server in ATM networks for resolution of IP addresses to physical addresses, since ATM is a nonbroadcast network. We also briefly touched on LAN emulation (LANE), which allows you to use traditional LAN software and hardware for an ATM network.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 183
Windows 2000 TCP/IP Internals • Chapter 4 183
RFC 2001, which gives the specs for TCP Fast Retransmit, a feature that provides for faster performance by allowing TCP to resend data before the specified retransmission time has expired. RFCs 2211 and 2212, defining QoS, or Quality of Service, a new feature in Windows 2000 that lets the network reserve bandwidth between client and server to ensure that a high-bandwidth application will have sufficient bandwidth. RFC 2205, which gives specifications for another new feature, the Resource Reservation Protocol, also known as RSVP. We talked about how RSVP works with general Quality of Service (GQoS) to reserve bandwidth, using functioning as a control protocol similarly to ICMP. In this chapter, we also looked at IP Security (IPSec) and how it provides for greater protection of data sent over an IP network. We looked at the two IPSec Security options: AH, or Authentication Header security, and ESP (Encapsulating Security Payload), which encrypts the data itself. We talked about how IPSec is configured and the predefined IPSec policies included with Windows 2000: ■ ■ ■
Client (Respond Only) Server (Request Security) Secure Server (Require Security)
We went a little further, to discuss definitions of custom policies and setting of filtering on inbound and outgoing traffic. Then we looked at several IPSec troubleshooting scenarios, including the failure of RAS secured connections, the failure of LAN secured connections, and broken policy links. We discussed how to use the IPSec monitor to gather statistical information such as: ■ ■ ■ ■
Number of active security associations Types of active security associations Number of master and session keys generated Number of ESP or AH bytes sent and received
We also looked at how to use the Windows 2000 Event Viewer and the Network Monitor to troubleshoot IPSec problems. We talked about what to do when IPSec files are missing or corrupted, how to deal with problems with multihomed machines, and how to address performance slowdowns when using IP Security. Then we turned our attention to NDIS 5, the latest version of the Network Driver Interface Specification, and the changes between NDIS 4 and 5.
91_tcpip_04.qx
2/25/00
10:57 AM
Page 184
184 Chapter 4 • Windows 2000 TCP/IP Internals
Next, we examined IP, the Internet Protocol that operates at the Internetwork layer of the DoD model. We talked about CIDR, Classless Inter-Domain Routing, which is beginning to replace the old and inefficient way of allocating IP addresses in blocks defined as class A, B, and C networks. We discussed multihoming, the practice of assigning more than one IP address to a single computer, either by installing multiple physical network interfaces or by creating virtual interfaces for one network card. We addressed some of the problems that arise with multihomed machines, particularly when networks are linked by Remote Access Services, when multiple default gateways are assigned, and how multihoming and WINS interact. We then moved to IP multicasting, defining a multicast transmission as the sending of data to multiple computers using only one IP address, called a multicast address. We discussed the multicast address range, and how computers can join two kinds of multicast groups: permanent and transient. We looked at some of the problems that can occur with multicasting, and how to troubleshoot those problems using tools like mrinfo, and other command-line utilities included with Windows 2000. We discussed duplicate IP address detection and how Windows 2000 attempts to avoid this situation. We also examined some characteristics of the Transport layer protocols, TCP and UDP. We talked about TCP dead gateway detection and how Windows 2000 maximizes the possibility that the packets destined for a remote network segment will be routed even if a gateway fails. We looked at the delayed acknowledgments feature, and how, using Delayed ACKs, TCP will send back an acknowledgment if one of two circumstances exists: 1) if there was no acknowledgment sent for the previous packet that was received, or 2) if another packet doesn’t arrive within 200 milliseconds after a packet arrives. This results in an ACK being sent for every other received packet instead of one ACK for every packet, thereby effectively cutting in half the number of ACK messages sent back over the cable. We talked about TCP keep-alive messages, sent every two hours to verify that the remote computer is still available. We also discussed the Silly Window Syndrome (SWS), and how Windows 2000’s TCP/IP stack was designed to avoid this problem. Then we discussed User Datagram Protocol (UDP), the connectionless transport protocol used for broadcasts and other messages that don’t require acknowledgments, sequencing, and the other high-overhead features of TCP. Finally, we looked at how the TCP/IP settings are implemented in the Windows 2000 Registry, which contains all of the protocol’s initialization
91_tcpip_04.qx
2/25/00
10:57 AM
Page 185
Windows 2000 TCP/IP Internals • Chapter 4 185
parameters. We looked at how to edit selected Registry setting to enhance performance, and also listed some Registry settings that should never be edited manually.
FAQs Q: What are the three ways in which TCP/IP information can be configured in Windows 2000? A: 1) Manual configuration, where the administrator enters the IP address, subnet mask, default gateway, and other configuration information directly into the TCP/IP properties box for each NIC on each computer individually; 2) Dynamic configuration, in which the computer is configured to contact a DHCP server to obtain a leased IP address, along with other TCP/IP configuration information; and 3) Automatic configuration, in which the computer that is unable to contact a DHCP server assigns itself an address from the APIPA (Automatic Private IP Addressing) range for temporary use until a DHCP server can be contacted. Q: Can I have more than one default gateway configured on a computer? A: Sort of. If you have two network adapters, you can configure a different default gateway for each, but only the default gateway of the first adapter will be used. The only time the second adapter’s gateway will be used is if the first becomes unavailable. Q: What is a default gateway, anyway? A: The default gateway is the “way out of the network.” In a TCP/IP network, the default gateway serves an important purpose. It is the route that will be used when a host wants to communicate with any other host that is not on its local subnet. The IP address of the default gateway is the IP address of the subnet’s router (which can be a dedicated device or an NT or Windows 2000 machine with IP forwarding enabled, functioning as a router). Q: We know that IANA and InterNIC assign IP addresses. Where do the hardware addresses on the network cards come from?
91_tcpip_04.qx
2/25/00
10:57 AM
Page 186
186 Chapter 4 • Windows 2000 TCP/IP Internals
A: The physical addresses, burned into a chip on the network card, are known as Media Access Control (MAC) addresses in Ethernet and Token Ring network cards. Registration of MAC addresses is overseen by the IEEE, the Institute of Electrical and Electronics Engineers. The IEEE assigns the first three bytes of a MAC address to each company that manufactures network cards, and the manufacturer assigns the last three bytes to individual network adapters. Q: What is the difference between “connectionless” and “unreliable” in the discussion of network protocols? A: The term connectionless refers to a communication in which no session is established prior to the commencement of the transmission of data. Unreliable, on the other hand, means that delivery of the packets is not guaranteed. Unreliable protocols make a “best-effort” attempt to deliver each data packet. If a packet is lost, duplicated, or delayed, the unreliable protocol does not “care.” IP is an “unreliable” protocol, which is why TCP (a reliable protocol) handles acknowledgments and error recovery at the Transport layer. Q: What is the difference between TCP ports and UDP ports? What are some of the “well-known ports?” A: TCP ports are more complex and they operate differently from UDP ports, although both are used for the purpose of identifying a packet’s destination more specifically within an IP address. A UDP port operates as a single message queue. The UDP port is the endpoint for UDP communications. Each TCP port, on the other hand, is identified by dual endpoints (one address/port pairing for each connected host). Well-known ports include TCP ports 20 and 21 (FTP), 23 (Telnet), 53 (DNS zone transfer), 80 (Web server), and 139 (NetBIOS session). Wellknown UDP ports include 69 (TFTP), 137 (NetBIOS name service), 138 (NetBIOS datagram service), 161 (SNMP), and 520 (RIP).
91_tcpip_05.qx
2/25/00
12:49 PM
Page 187
Chapter 5
Using Network Monitoring and Troubleshooting Tools in Windows 2000
Solutions in this chapter: ■
Windows 2000 Monitoring Tools: Performance, NetMon
■
TCP/IP Utilities: SNMP, ping, tracert, ipconfig, nbtstat, netstat
■
Network Management Tools: SMS, NetXray, Tivoli
■
Cable Testers, Protocol Analyzers, Sniffers
187
91_tcpip_05.qx
2/25/00
12:49 PM
Page 188
188 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Introduction In this chapter, we will examine a host of tools and utilities that you can use to monitor, assess, and diagnose your network. One of the great advantages of using TCP/IP as your network protocol of choice is the vast array of tools available for troubleshooting. We’ll first look at some tools that allow you to monitor network activity, such as the Network Monitor, Event Viewer, and the Performance Console. These are all GUI-based tools you can use to gather statistics and information, allowing greater insight into the behavior of the network “under the hood.” After looking at the monitoring tools, we’ll dive into some of the TCP/IP command-line tools such as PING, PATHPING, IPCONFIG, and more. We will see how each tool works, and then apply each to a specific troubleshooting scenario, which will give you some context to see how they work in actual practice.
Windows 2000 Monitoring Tools Microsoft has included two powerful network-monitoring tools with Windows 2000: The Performance Console and the Network Monitor. With these tools, you can monitor the health of your network from a single location, and you can listen in on network activity in real time. Both of these utilities allow you as the administrator to have more control over the health and efficiency of your network. Before diving into the tools, let’s talk first about some basic monitoring guidelines that will help optimize your use of the tools discussed in this chapter.
Basic Monitoring Guidelines When monitoring aspects of your network, you need to have a good idea of what it is that you’re looking for. Are you looking for clues for login validation errors? Are you looking for reasons for complaints of network sluggishness from your users? Are you looking for possible security leaks? Are you just obtaining baseline measures so that you have something to compare to when the network is acting abnormally?
Baselining Baselining is the process of collecting information on a network when everything is working the way you want it to work. It would make no sense to collect baseline information when your network is “acting up,” or is the subject of complaint and ridicule. With this in mind, you definitely do not want to collect baseline information about network performance
91_tcpip_05.qx
2/25/00
12:49 PM
Page 189
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 189
and behavior soon after the implementation of a new network or network segment. There is always a “shakedown” period when you are going to have to “fix” the things that weren’t done correctly the first time, and to fine-tune those aspects of the network implementation that were correctly implemented. After the network has “settled down” for a period of several weeks, and no one is complaining and you are not aware of any problems, then you should start a network baseline collection procedure. You may want to use some or all of the tools discussed in this chapter to obtain your network baseline.
Documentation The key to your success in network monitoring and maintenance is good and organized documentation. You must have a system in place that allows you to quickly and efficiently return to previous measurements, and to measure trends that may be extant in the measurements you have taken. Whether you are using Network Monitor, System Monitor, netdiag, netstat, ipconfig, or whatever, have a location on your hard disk to keep the information that you have collected, and keep all your information in this location.
Backing Up It is important that you back up this information to multiple locations for fault tolerance reasons. If you have multiple backups, it is unlikely that any of them will fail, but if you have a single backup, there is a good chance that it will be corrupt. Think of this as an extension of Murphy’s Law.
Analysis After you have decided on a location to keep your precious data, you need a system to collate it and bring it together so that you can spot trends. Most of the tools that we will work with in the chapter allow you to save data in some kind of delimited text file.
NOTE A delimited text file is a text-based database file format with data that is separated by either commas or tabs. Spreadsheet or database programs such as Microsoft Excel or Microsoft Access allow you to easily import this delimited text information into a database format, which makes it easier to spot trends. Both programs have sophisticated charting and graphing capabilities that allow you to visually depict important information.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 190
190 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
If you work for a larger organization, you may have available more sophisticated programs that perform network analysis for you and provide detailed reporting capabilities. Programs such as Network Associates’ Network Informant, Computer Associates’ Unicenter TNG, and Microsoft Systems Management Server all provide built-in reporting facilities that are both simple to use and extremely sophisticated in their reporting capabilities. Whatever tools you decide to use, keep in mind that your monitoring efforts are done for several reasons: ■ ■ ■
To find network faults To obtain baseline measurement To provide documentation you might need in order to obtain the equipment you desire to improve your network’s functionality
With this in mind, let’s look at some of the tools available to us to monitor and investigate network functionality.
Performance Logs and Alerts The application formerly known as “Performance Monitor” has undergone a name change and a minor overhaul in its appearance in Windows 2000. In fact, it appears to have a couple of different names, depending on the Microsoft documentation you read. It is called either “Performance” or the “System Monitor.” For our purposes, we’ll refer to it as the “Performance Console” or “System Monitor.” You can use the Performance Console to obtain real-time data on network performance parameters such as TCP, Web, FTP, and Proxy server statistics. This information can be saved in a log file for later analysis, and it can even be replayed. To open the Performance Console, go to the Administrative Tools and click Performance, as shown in Figure 5.1. Note that there are two panes in the Performance Console. On the left, you see entries for the System Monitor, and then several options for Performance Logs and Alerts. The System Monitor is the counterpart of the Windows NT 4.0 Performance Monitor. There are three views available in the System Monitor: ■ ■ ■
Chart view Histogram view Report view.
When working with the Chart view, note that it will display up to 100 units of time. You select the unit of time for which measurements are taken by right-clicking anywhere on the chart area itself, and selecting Properties, as seen in Figure 5.2.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 191
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 191
Figure 5.1 The Performance Console.
NOTE The old “Log View” has been moved away from the System Monitor area into its own area under the “Performance Logs and Alerts” section.
Notice where it says “Update automatically every:” and then a number of seconds. You can enter the number of seconds you want the chart updated, and the entire chart will contain data for up to 100 update intervals. If we left this as it is, with the update taking place every 1 second, then we could see up to 100 seconds of activity on the chart, which is equal to 1 minute and 20 seconds.
TIP If you would like to see an entire day’s worth of activity on one chart screen, you could divide the number of seconds in one day by 100, or 86400/100 = 864 seconds. By setting the chart interval to 864 seconds, you’ll be able to see an entire day’s worth of data on a single chart screen.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 192
192 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.2 The Properties dialog box in the Chart view.
Counters There are a great variety of network-related counters you can add to the System Monitor. A noncomprehensive list of these counters includes IP, IIS Global, ICMP Browser, FTP Server, UDP, TCP Redirector, SMTP Server, RAS Port RAS Total, NNTP Server, NNTP Commands, and Network Interface. One of the nice things about the System Monitor application in Windows 2000 is that when you populate the Chart view with a number of counters, you don’t have to repopulate the Report view. For example, let’s say that I want to add all the counters for the Network Interface Performance Object. I click on the “+” sign on the toolbar and the Add Counters dialog box appears, as shown in Figure 5.3. To select all counters from a performance object, all you need to do is select the “All counters” option button, and it adds all the counters to the list. Then click ADD and they all appear in the chart. After the counters are added to the Chart view, you can see statistics gathered from those counters in both the Report and the Histogram views. Figure 5.4 shows all the counters in the Report view.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 193
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 193
Figure 5.3 The Add Counters dialog box.
Notice that all the counters are carried over to the Chart view, which is a real convenience. The same is true for the Histogram view, which you can see in Figure 5.5. Figure 5.4 The Network Interface counters in Report view.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 194
194 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.5 The Histogram view carries over the counters selected in the Chart view.
If you would like to create a log file so that you can come back to the information that you’ve gathered at a later time, click the Counter Logs object and then right-click in the right pane and select New Log Settings. You will first encounter the New Log Settings dialog box where you put in the name of the log. Make it something meaningful and descriptive so you can find the information later. You will then be faced with a three-tabbed dialog box, such as that seen in Figure 5.6. The first tab is the General tab, and this is where you begin to add new counters to the log file. Click ADD and add counters as you did in the Chart view. After adding the counters, they will populate the area labeled “Counters.” When you click the Log Files tab, you will see what appears in Figure 5.7. Note the location and name of the log file.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 195
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 195
Figure 5.6 The Log File dialog box.
Figure 5.7 The Log Files tab in the Log File dialog box.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 196
196 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Log File Format In the “Log file type:” drop-down list box, you can choose what format you want the log file to be saved in. The main choices are binary format and delimited text formats. If you save the logs in delimited text formats, you can import the data into an Excel or Access database. Regardless of the format you choose, you can still bring the information back to the System Monitor Console for later analysis in the same way you were able to open log files for later viewing using the Windows NT 4.0 Performance Monitor.
Alerts To create an alert, you click the Alerts object in the left pane and then right-click in the right pane and select New Alert Settings from the context menu. Enter the name of the alert and click OK. You will see what appears in Figure 5.8. Figure 5.8 The General tab in the Alert dialog box.
You add counters for which you want to be alerted by clicking ADD; in this example, we have selected the Pages/sec counter in the Memory object. After selecting the counter, you need to set parameters that will trigger the alert. In this case, we want to be alerted if the number of pages/sec exceeds 20 per second. The sample interval is every 5 seconds by default. Click the Action tab and you will see what appears in Figure 5.9.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 197
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 197
Figure 5.9 The Action tab in the Alert dialog box.
You set what actions should take place after an alert is triggered. In this case, we have configured the alert to be sent to the Application log and a network message to be sent to the administrator’s workstation. This is a NetBIOS name, and NetBIOS must be enabled on both the machine generating the alert and the machine receiving an alert as a network message in order for this to work. This is something to keep in mind when you feel that your network has reached a point where you can completely disable NetBIOS. If you do reach that point, you must reenable NetBIOS on the source and destination machines, at least temporarily, in order for alerts to be sent via network messages. You also have the choice of starting a log that you have already created after an alert condition has been met. We might want to create a log that tracks other memory-related parameters if the number of pages/sec exceeds 20. In that case, we would choose to “Start performance data log” and select the name of the log from the drop-down list. You could also choose to start a program after the alert condition parameters have been met. Click the Schedule tab and you will see what appears in Figure 5.10. Here you can schedule when you want to the system to look for alert conditions. In this instance, we have selected the date and time when the system should start looking for the alert condition, and set that the system should stop looking after one day. You can see from the dialog box the other options you have when scheduling alerts.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 198
198 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.10 The Schedule tab in the Alert dialog box.
Network Monitor The Microsoft Network Monitor is a software protocol analyzer that allows you to capture and analyze traffic on your network. The version of Network Monitor that comes with the Windows 2000 server family is limited in its scope because it does not allow you to place the network adapter in what is known as “promiscuous mode.” When an adapter is placed in promiscuous mode, it is able to listen to all the traffic on the segment, even if that traffic is not destined for the machine running the Network Monitor software. However, one of the disadvantages of this state of affairs is that promiscuous mode capturing can potentially overtax your computer’s processor. Even with these limitations, the Network Monitor is a very useful tool for assessing the activity on the network. You can use the tool to collect network data and analyze it on the spot, or save your recording activities for a later time. Network Monitor allows you to monitor network activity and set triggers for when certain events or data cross the wire. This could be useful, for instance, if you are looking for certain “key words” in e-mail communications moving through the network (we’ll look at an example of how to do this later in this section).
91_tcpip_05.qx
2/25/00
12:49 PM
Page 199
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 199
NOTE A more full-featured version of Network Monitor that allows for promiscuous mode is included with Microsoft System Management Server (SMS).
Filtering The Network Monitor program allows you to capture only those frames that you are interested in, based on protocol or source or destination computer. You can apply even more detailed and exacting filters to data that you have finished collecting, which allows you to pinpoint the precise elements you might be looking for in the captured data. We’ll discuss how to filter what data you want to capture, and how to fine-tune the captured data after you’ve collected it.
Security Issues The Network Monitor program is a network sniffer. Any person with administrative privileges can install it on a Windows 2000 server family computer and start “listening” to activity on the wire. If you feel this is a cause for concern, you are correct. This easy availability of such a powerful tool should lead to even further consideration of the security implications when you give someone administrative rights. Fortunately, the Network Monitor is able to detect when someone else on the segment is using Network Monitor, and provide you with his or her location. However, don’t stake your career on this working correctly, because we have had very rare success at it actually identifying all computers running Network Monitor on the same segment.
Installation Network Monitor is not installed by default. If it isn’t installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel.
Using the Program After you have installed the program, go to the Administrative Tools menu and click Network Monitor; you will see what appears in Figure 5.11. This Capture Window is the starting point on your adventure of network monitoring. Note that there are four panes to this window.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 200
200 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.11 The Network Monitor Capture Window.
Capture Window Panes The top left pane is in the “gas gauge” type format, which provides information on percent network utilization, broadcasts per second, and other parameters in real time. Just under that is a pane that provides information about individual sessions as they are established, showing who established a session with whom, and how much data was transferred between the two. The right pane is the local machine’s session statistics pane, and provides detailed summary (is that an oxymoron?) information about the current capturing session. The bottom pane provides information about each detected host on the segment, and statistics gathered on the host’s behavior.
Extra Tools Before we get into the details of a capture, let’s look at some of the extra tools available with Network Monitor.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 201
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 201
First, select the Tools menu, and then click Identify Network Monitor Users. You will see the Identify Network Monitor Users dialog box as it appears in Figure 5.12. Figure 5.12 The Identify Network Monitor Users dialog box.
NOTE This dialog box provides you with the username and NetBIOS name of the machine or machines currently running Network Monitor.
As mentioned earlier, you might not always get accurate readings right away when running this utility. The Microsoft documentation regarding how it finds other Network Monitor users is not clear on how the identification process takes place. Machines running either the Network Monitor Application or Agent are supposed to register NetBIOS names with the service identifier of [BFh] and [BEh], respectively, but if you look at the following, you will be led to think otherwise: Local Area Connection: Node IpAddress: [192.168.1.186] Scope Id: [] NetBIOS Local Name Table Name - - - EXETER
Type - - - UNIQUE
Status - - - Registered
91_tcpip_05.qx
2/25/00
12:49 PM
Page 202
202 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 TACTEAM EXETER EXETER TACTEAM INet~Services IS~EXETER ADMINISTRATOR
GROUP UNIQUE UNIQUE GROUP GROUP UNIQUE UNIQUE
Registered Registered Registered Registered Registered Registered Registered
Local Area Connection: Node IpAddress: [192.168.1.3] Scope Id: [] NetBIOS Local Name Table Name - - - DAEDALUS TACTEAM DAEDALUS DAEDALUS TACTEAM TSHINDER INet~Services IS~DAEDALUS DAEDALUS
Type - - - UNIQUE GROUP UNIQUE UNIQUE GROUP UNIQUE GROUP UNIQUE
UNIQUE
Status - - - Registered Registered Registered Registered Registered Registered Registered Registered Registered
These are the printouts of the nbtstat –n commands run on two of the Windows 2000 computers identified by Network Monitor as running Network Monitor. Neither of them has registered NetBIOS names indicating that they are running either the Network Monitor Agent or Application. The WINS database on this network also contains no entries to this effect. The moral of this story? Take advantage of this application, but take a couple of precautions: 1) Let it run for an hour or so before concluding that no other Network Monitor users are on the network, and 2) Don’t bet your job on it!
Buffers Now click the Capture command and click Buffer Settings. You’ll see what appears in Figure 5.13. The buffer size, in megabytes, determines the amount of data you can capture in a single recording session.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 203
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 203
Figure 5.13 The Capture Buffer Settings dialog box.
TIP The default value is 1MB, but you can choose up to 1024MB (1GB). However, since this data is stored in memory during the recording phase, your practical limit is the amount of available RAM.
Even if you are running Network Monitor on a machine with a gigabyte of RAM, you still need to be careful because it needs to write this information to disk. You need the equivalent amount of free disk space as well. You can also choose how much of each frame you want to capture. Typically, you’ll choose Full to maximize your ability to find the things you’re looking for. Select the Options menu, and then click the Change Temporary Capture Directory command. You’ll see a scary message like the one in Figure 5.14. Figure 5.14 A scary message about changing the Temporary Capture Directory.
The whole program is for advanced users only! We’re still trying to figure out what the danger is that they want to communicate regarding changing the
91_tcpip_05.qx
2/25/00
12:49 PM
Page 204
204 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
location of the temporary folder, which is the temporary folder location defined in the system environment variable. Click OK and you can then choose another folder to contain the temporary capture files. You might want to do this if you’ve chosen a buffer size that is larger than the amount of disk space you have available on the partition that contains your temp directory.
Collecting Data Now that we’re finished with the preliminaries, let’s get to the job of collecting some data. The first thing you should try out is to start a capture without filters, just to get a feel for how the capture process works.
NOTE There are a couple of ways to get the capture started: You can select the Capture menu, and then click Start, or you can click the little right-pointing arrow in the toolbar. Either one will begin the capture. When it is running, you’ll see the gas gauges moving, and the statistics being collected on the recording session.
After letting the capture run for a little bit, or after the % Buffer Used value is 100, click the button that has the eyeglasses next to a square (the stop and view button). This stops the capturing process and allows you to see the frames that have been captured. You’ll see the Capture Summary window as seen in Figure 5.15. This window provides a list of all the frames that were captured during the session. If you scroll to the bottom of the list, you’ll note that there is a summary frame that contains statistics about the current capture. Take note of the column headers, which all should be self-explanatory. Notice something unusual about the data in Figure 5.15? How about the information that appears in the “Src MAC Addr” and “Dst MAC Addr” fields? Those don’t look like MAC addresses to me. If you did notice this seeming anomaly, congratulations! MAC addresses aren’t much fun to look at, so we took advantage of another utility that translates the MAC addresses to Machine Names. Select the Display menu, and then click the Find All Names command. It will search for names and then inform you of its results, and transform the fields containing MAC addresses to NetBIOS names if it can find this information. Now, double-click one of the frames, and you will see the display transform into a tripane view as seen in Figure 5.16.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 205
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 205
Figure 5.15 The Capture Summary window.
The top pane is just like the one you just saw. The middle pane contains translated information from the captured frame that provides details of the frame headers and protocol information. The bottom pane shows the raw Hex and translations of the collected frame data. At the very bottom of the windows, in the status bar area, there is a description of the frame selected in the top pane (which in this case is Ethernet/802.3 MAC Layer), the frame number out of the total number of frames, and an “offset” value for the selected character in the bottom pane. In the preceding example, we selected frame number 244, which is an ARP broadcast frame. Notice in the middle pane some of the details. It indicates the hardware type and speed, and the source and destination IP and hardware address. Note that the destination hardware address is the Ethernet broadcast address [FFFFFFFFFFFF] because the whole purpose of the ARP broadcast is to resolve the IP address to a hardware address. The capture was taken from EXETER. The ARP broadcast was issued by CONSTELLATION for DAEDALUS, which is the machine with the IP address of 192.168.1.3. Do you think we would find the ARP reply later in the capture? The answer is no. That is because the reply will not be sent
91_tcpip_05.qx
2/25/00
12:49 PM
Page 206
206 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.16 Tripane view in the Capture Summary window.
to the hardware broadcast address, but to CONSTELLATION’s hardware address; therefore, the Network Monitor on EXETER will not be able to capture that conversation. The only reason we were able to see the ARP Request is because it was directed to the hardware broadcast address, which means that every machine on the segment had to evaluate the request to see if it was for them. The bottom pane in this instance isn’t very exciting. It shows the Hex data on the left and an ASCII translation on the right. However, it can get interesting, as shown in Figure 5.17. Looking at the ASCII translation in this case, we see that we have a problem user on the network, perhaps an overly enthusiastic Linux fan. We are able to actively search for text strings in captured data in order to find out about the existence of just this kind of communication. In this case, the offensive text string was found embedded in an SMB packet transmitting a Microsoft Mail message from the e-mail server to the destination computer. Other frames in the capture indicate the source of the message.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 207
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 207
Figure 5.17 Capture file with revealing ASCII data.
Filtered Captures The capture we did earlier was an unfiltered capture. The advantage of doing an unfiltered capture is that you can gather data on every communication into and out of the computer doing the capture, so you can be sure that you’re not missing anything. However, you could end up collecting a whole lot of information that you don’t need, and the extra information only serves to obscure the data that you’re actually looking for. Perhaps you’re only interested in the information exchange taking place between your computer and one other computer, or two other computers. You can limit the frames that are captured by creating a capture filter.
NOTE A capture filter is one of the two types of filters you’ll be working with, the other being the display filter, which we’ll explore in a little bit.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 208
208 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
The purpose of the capture filter is to limit the frames that are actually saved in the capture buffer. This allows you to make better use of your buffer space, because the limited amount of buffer you have can be devoted to looking at the precise targets of interest. It also reduces the amount of “extraneous” information that could cause you to overlook something important during your investigations. To create a capture filter, select the Capture menu, and click Filter. First you’ll see a warning that tells you that for “security” reasons, you can only capture traffic moving to and from the machine running Network Monitor. Click OK to move away from that dialog box, and you’ll see what appears in Figure 5.18. Figure 5.18 The Capture Filter dialog box.
There are two ways you can filter the capture information: ■ ■
By machine address pairs By a specified pattern in the frames that is examined during the capture sequence
Filtering by Address Pairs Let’s first see how we filter via address pairs. We can define up to four address pairs to filter. For example, suppose there are 30 computers on the segment that’s running Network Monitor, and we don’t want to capture information destined to and coming from all 30 of those machines, just four of them. We can do that.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 209
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 209
To start adding address pairs, double-click the [AND] (Address Pairs) statement. You should see what appears in Figure 5.19. Take a close look at the elements of this dialog box. Near the top are two option buttons for Include and Exclude. Any address pair that you select for Include will be included in the capture. Any address pair that you set for Exclude will be excluded from the capture. For example, if you choose to include *Any (which indicates all frames coming to and leaving this computer), you could choose to exclude a pair of computers so that you can ignore messages being sent to and arriving from that machine. Figure 5.19 The Address Expression dialog box.
Under the Include and Exclude options are three panes: Station 1, Direction, and Station 2. Station 1 and Station 2 will define the computers named in the address pairs that will be included or excluded from the filter, with Station 1 always being the machine running the Network Monitor application. The Direction arrows allow you to filter based on the direction of the traffic. The "# symbol represents traffic leaving Station 1 to Station 2 and arriving from Station 2 to Station 1, the # represents traffic leaving Station 1 to Station 2, and the " represents traffic arriving from Station 2 to Station 1.
NOTE If we were using the full version of Network Monitor that comes with Microsoft Systems Management Server, Station 1 could be any computer on the network and not just the local machine.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 210
210 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
The chance is good that the machine you want to designate as Station 2 is not included on the list. To add the machine of interest to the list, click EDIT ADDRESSES. You will see what appears in Figure 5.20. Figure 5.20 The Addresses Database dialog box.
This shows the Addresses Database in its current state on the machine running the Network Monitor. The first column gives the machine’s NetBIOS name, the second column the machine’s addresses, the third column denotes the type of address included in the second column, and the fourth column includes a comment about the entry in the database. What we want to do is add an entry, so therefore we need to click ADD. You will see what appears in Figure 5.21. Figure 5.21 The Add Address Information dialog box.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 211
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 211
In the Add Address Information dialog box you enter the name of the machine, whether this is a permanent name for the machine, the address, the type of address you are entering, and an optional comment.
TIP A hint here is that before you enter the address, you must choose what type of address you wish to enter. The dialog box defaults to a MAC address, and if you try to enter an IP address when it says “ETHERNET” in the type box, it won’t work.
Click OK and the address is entered into the database. These addresses will only stay in the database for the time that you have Network Monitor open. If you find that you’ve created a lot of addresses for machines on your network, you certainly don’t want to have to do that again. To prevent such a waste of time, you can save these addresses. To do so, click SAVE, choose a location and a name for the file, and these addresses will be saved so that you can load them on a subsequent monitoring session. Click CLOSE, which returns you to the Address Expression dialog box that you were at previously. I’m going to select EXETER for Station 1, CONSTELLATION for Station 2, and choose the double arrow for the direction of traffic. After doing so, the screen looks like it does in Figure 5.22. Figure 5.22 The completed Capture Filter.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 212
212 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
With this capture filter in place, only traffic between EXETER and CONSTELLATION will be retained in the capture filter, and all other packets will be rejected. This implies that all packets continue to be examined by the application, and that is true.
TIP The filtering process can be processor-intensive, especially if you have set up complex filters. Keep this in mind before running an extended capture session on a machine that is already heavily taxed.
Now we’re ready to start the capture session. Click OK in the Capture Filter dialog box to remove it from sight. To start the capture, we’ll click the right-pointing arrow in the toolbar. After letting the capture run for a very short period of time, you can click the “stop and view” button on the toolbar. The collected data appear in Figure 5.23. Figure 5.23 The results of a filtered data collection.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 213
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 213
Display Filters Now that we have some captured data, we’ll look at a second type of filter, known as a display filter. The display filter allows us to look for very specific elements of the captured data, and allows for a much more refined filtering than we can accomplish with the capture filter.
NOTE A display filter can be used as a database search tool, where the captured frames are the data in our database.
Imagine that we had captured this data because we wanted to see what types of messages were being passed around the network regarding Windows 2000. First, we’d have to decide what kind of messages we want to look for. In this case, let’s assume that we want to see if users have been using the net send command to exchange ideas or opinions regarding Windows 2000. To get started, select the Display menu, and click Filter. You should see what appears in Figure 5.24. Figure 5.24 The Display Filter dialog box.
What we want to do is filter out everything except the protocol of interest, and then identify a key phrase contained within the protocol of
91_tcpip_05.qx
2/25/00
12:49 PM
Page 214
214 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
interest. Since we’re looking at net send messages being sent between the users, we know that they use the SMB protocol. That’s where we’ll start. Double-click the line that says “Protocol==Any”. You will see the Expression dialog box as it appears in Figure 5.25. Figure 5.25 The Expression dialog box.
Notice that the Protocol tab is where we are located. By default, all protocols are enabled, which means that the filter is letting frames from all protocols appear. Our goal is to allow only frames from the SMB protocol to appear, so we can sift through just those frames to find what our users are saying about Windows 2000. The first step is to disable all the protocols by clicking DISABLE ALL. After clicking DISABLE ALL, all the protocols are moved to the right side, into the Disabled Protocols section. Now, scroll through the list of disabled protocols and find the SMB protocol. Click on the SMB protocol and then click ENABLE. Your screen should appear as it does in Figure 5.26. When the display filter is enabled, we will see only the SMB frames. However, we don’t want to see all the SMB frames, we just want to see those that have the term “Windows 2000” in them. In order to drill down to just those frames, click the Property tab. After clicking the Property tab, scroll down the list of protocols until you find the SMB protocol. Double-click the protocol to see all the SMB frame properties. Then scroll down the list of SMB frame properties until you find the Data property. You should see what appears in Figure 5.27.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 215
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 215
Figure 5.26 The SMB protocol is now the only enabled protocol.
In Figure 5.27, we have selected the “contains” option in the Relation text box, and then entered the value “Windows 2000.” This will filter out any SMB frames that do not contain the text string “Windows 2000.” Note toward the bottom of this dialog box there are two option buttons, Hex and ASCII, and that ASCII is selected. Figure 5.27 The SMB protocol Properties dialog box.
Click OK, then click OK again, and we see a single frame that contains a reference to Windows 2000, as it appears in Figure 5.28.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 216
216 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.28 The result of the display filter.
Apparently, our rollout of Windows 2000 on the network is being well received!
Event Viewer The Event Viewer can be used to check on the status of a number of network services. Windows 2000 systems are configured to report significant fault situations to the Event Viewer. You should make it a regular practice, perhaps the first thing you do every day, to check out the Event Viewer on all of your primary servers to see if any of the Windows 2000 services running on these servers are reporting error conditions (see Figure 5.29). Normal status events are reported with a blue “i”; hence the phrase, “may your Event Viewer always show blue.” Red and white “Xs” indicate an error condition serious enough to warrant investigation. In this example, we can see that two important network services, the DHCPServer and WINS, are both reporting error conditions.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 217
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 217
Figure 5.29 The Windows 2000 Event Viewer.
NOTE We are viewing the System Log in this case. Most of the networking services will report fault conditions to the System Log; however, you should investigate the Application Log as well.
To find out the nature of the problem, double-click one of the errors to see the details of the problem (see Figure 5.30). The Event Viewer reports that the Jet Database returned error number 1032. Now, how do we figure out what Event 1032 might be? The key is the Windows 2000 Resource Kit.
Interpreting Error Messages The Resource Kit contains a section called “Error and Event Messages Help,” which provides a comprehensive list of error messages that you might encounter in the Event Viewer. We can’t guarantee that all the
91_tcpip_05.qx
2/25/00
12:49 PM
Page 218
218 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
Figure 5.30 Details of a DHCPServer error.
errors you encounter will be found here, but this one was. When we did a search for this error, we came up with the following: Event Message: The DHCP service encountered the following error when backing up the registry configuration: code Event Source Log Event ID Event Type DhcpServer 1032 Explanation: An internal error occurred in the Dynamic Host Configuration Protocol (DHCP) service. User Action: Look up the indicated error in the event log in Event Viewer, and take appropriate action. If this message appears often, you might want to restore an earlier version of your DHCP database from backup, or reinstall DHCP.
In this case, we have to take a leap of faith, since it recommends that we look in the Event Viewer, which is where we found the error in the first place. However, it does sound like our DHCP database might be damaged, and we are given a couple of options: either restore the DHCP Server database from a backup, or reinstall the DHCP server service—not very encouraging.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 219
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 219
DNS Log The Event Log does contain an added feature in addition to what was not found in Windows NT: the DNS log. Because of the added importance of DNS in the normal functioning of domain-related activity, Microsoft deemed the DNS service important enough to warrant its own log in the Event Viewer. If you are experiencing any DNS-related problems, you should check here first before getting into more involved DNS monitoring (such as DNS trace logs).
Using TCP/IP Utilities The group of command-line TCP/IP utilities included with Windows 2000 is similar to those available in Windows NT 4.0. We have the familiar set of TCP/IP tools such as: ■ ■ ■ ■ ■ ■ ■
PING NSLOOKUP TRACERT ARP IPCONFIG NBTSTAT NETSTAT
These basic TCP/IP command-line tools have either the same or enhanced functionality compared to what they could do in Windows NT 4.0. In addition to these tools, Windows 2000 offers some new commandline TCP/IP tools, including PATHPING and NETDIAG. We will see what each of these tools can do, and then look at some examples of how to apply their functionality to investigate a particular problem.
PING The PING (Packet INternet Groper) command uses ICMP echo messages to communicate with destination computers. The PING command is used most often to test basic TCP/IP connectivity. You can ping a computer by IP address or by host name. The PING command has the following switches: -t
Ping the specified host until stopped. To see statistics and continue - type Control-Break
91_tcpip_05.qx
2/25/00
12:49 PM
Page 220
220 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
-a -n -l -f -i -v -r -s -j -k
count size TTL TOS count count host-list host-list
-w timeout
To stop - type Control-C. Resolve addresses to hostnames. Number of echo requests to send. Send buffer size. Set Don’t Fragment flag in packet. Time To Live. Type Of Service. Record route for count hops. Timestamp for count hops. Loose source route along host-list. Strict source route along host-list. Timeout in milliseconds to wait for each reply.
-t Switch The –t switch is useful when you want to continuously monitor a connection. For example, you want to restart a machine remotely, and then want to know when the machine is up again so you can reestablish your remote connection. Use the ping –t command and watch when the destination computer begins to respond, and then reestablish the connection.
-n Switch If you don’t want to continuously ping a remote host, you can specify the name of echo request messages sent to the destination by using the –n switch. For example, if we want to ping constellation.tacteam.net 10 times, we would type at the command prompt: ping constellation.tacteam.net –n 10
It would then ping 10 times and stop after the tenth attempt.
-r Switch The –r command shows you the routes taken with each ping attempt. For example, if we type: ping shinder.net -n 3 -r 9
we get the following output: Pinging shinder.net [204.215.60.153] with 32 bytes of data: Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 ->
91_tcpip_05.qx
2/25/00
12:49 PM
Page 221
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 221 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=100ms TTL=252 Route: 209.44.40.54 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Reply from 204.215.60.153: bytes=32 time=150ms TTL=252 Route: 209.44.40.10 -> 209.44.40.69 -> 204.215.60.1 -> 204.215.60.153 -> 209.44.40.70 -> 209.44.40.9 -> 209.44.40.10 Ping statistics for 204.215.60.153: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 90ms, Maximum =
150ms, Average =
110ms
Notice how the path changes with each ping? Think of this as a quickand-dirty way to investigate your routing configuration.
-i Switch The default Time To Live (TTL) set on the ICMP echo messages is 252, but you can change that value by setting the –i switch.
-w Switch Use the –w switch to configure a custom time out period on your requests. The default time out is 1000 milliseconds. If you don’t want to wait that long for a time out, change the value using the –w switch.
Using PING Now let’s look at a common situation where we would use PING to investigate a connectivity problem. You are called by your junior assistant regarding a connectivity problem between Computer A with an IP address of 192.168.1.1 and subnet mask of 255.255.255.0, and Computer B with an IP address of 192.168.2.5 and a subnet mask of 255.255.255.0. She tells you that they
91_tcpip_05.qx
2/25/00
12:49 PM
Page 222
222 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
were able to connect to each other yesterday, but since they’ve been “playing with the network,” the machines haven’t been able to connect. The first thing you should do is go to Computer A and check it out for yourself. Ping 192.168.2.5 and confirm that there is indeed no network connectivity. Far too many users and neophyte administrators consider the inability to browse a destination computer as a sign of lost network connectivity. Remember, Microsoft did not put the browser service into place as a network diagnostic tool! If you fail to get a response from Computer B, ping the loopback address, 127.0.0.1, to assess whether TCP/IP was installed correctly. Then trying pinging another machine on the same segment, such as 192.168.1.2. If you get a response from that machine, you know that the problem isn’t related to errors in the local machine’s protocol stack itself. Now, ping the default gateway, which had better be on the same segment as Computer A! You might try pinging the default gateway before pinging another machine on the same segment, if you’re in a hurry. Now ping the far side of the default gateway. In this case, you should know what interface the router table uses to forward packets to the destination network ID 192.168.2.0. Be sure that you ping that interface.
NOTE If you ping an interface on the router that doesn’t route packets to your destination host, you aren’t getting the information you need. If the router has multiple interfaces, the interface you are interested in could be down, while the other ones are up. This means you may need to check out the routing tables on the router itself.
If the far side of the gateway responds, try pinging another host on the same segment as the machine that is failing to respond. If you get a response, you know that there are no problems related to the segment itself, such as excessive traffic that might cause the pings to time-out. In our present case, everything worked fine except pinging the destination host, Computer B. When we went to Computer B, we found that it was a Linux box that had the default gateway misconfigured. We corrected the problem by removing Linux and upgrading the machine to Windows 2000. Another happy ending. (Another solution might have been to correct the configuration of the default gateway on the Linux machine—but why miss a golden opportunity?)
91_tcpip_05.qx
2/25/00
12:49 PM
Page 223
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 223
nslookup The nslookup command is the tool you use to investigate problems with your DNS server and zone databases. You can use the nslookup tool to probe the contents of your zone database files, and investigate problems with host name resolution. We will cover this tool in detail in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”
PATHPING Think of the PATHPING utility as the PING utility on steroids. The PATHPING utility sends ICMP echo request messages to each router along the path to the destination host and calculates how long it takes the roundtrip from request to reply. The default number of hops is 30, period 250 milliseconds, and queries to each router 100.
NOTE The PATHPING tool combines the capabilities of both TRACERT and PING, and gives you additional information that you can’t get easily from using either tool individually. PATHPING will calculate round-trip times, percent of requests that were lost at each router, and percent of requests lost between the routers.
PATHPING provides some interesting statistics because it gives you information regarding where the packet loss is taking place, and the level of stress a particular router may be experiencing. For example, when I type in the command: pathping shinder.net
I get the following output: Tracing route to shinder.net [204.215.60.153] over a maximum of 30 hops: 0 DAEDALUS.tacteam.net [192.168.1.3] 1 stablazer.tacteam.net [192.168.1.16] 2 tnt-dal.dallas.net [209.44.40.10] 3 grf-dal-ge002.dallas.net [209.44.40.9] 4 dal-net70.dallas.net [209.44.40.70] 5 aux153.plano.net [204.215.60.153] Computing statistics for 125 seconds... Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct
Address
91_tcpip_05.qx
2/25/00
12:49 PM
Page 224
224 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000 0 1
0ms 0/ 100 =
0
0/ 100 =
0%
2
79ms 0/ 100 =
0% 0/ 100 =
0%
3
78ms 1/ 100 =
1% 0/ 100 =
0%
4
99ms 1/ 100 =
1% 0/ 100 =
0%
5
94ms 2/ 100 =
2% 0/ 100 =
0%
DAEDALUS.tacteam.net [192.168.1.3] 0/ 100 = 0% | starblazer.tacteam.net [192.168.1.16] 0/ 100 = 0% | tnt-dal.dallas.net [209.44.40.10] 1/ 100 = 1% | grf-dal-ge002.dallas.net [209.44.40.9] 0/ 100 = 0% | dal-net70.dallas.net [209.44.40.70] 1/ 100 = 1% | aux153.plano.net [204.215.60.153]
Trace complete.
Note that PATHPING first does a tracert and identifies all the routers in the path to the destination, and provides a list of those routers in the first section. Then, PATHPING provides statistics about each router and each link between routers. From this information, you can assess whether a router is being “overloaded,” or whether there is congestion in the link between the routers. The last two columns provide the most useful information when troubleshooting routers and links. Notice in the last column the name of the router, the IP address, and the percentage to the left of the router. If there is a high number of lost pings to a router, that is an indication that the router itself may be overloaded. Just under the name of the router you see a | character. This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion rather than with the router itself.
NOTE The PATHPING algorithm takes advantage of the fact that there are two paths the ping request can take: the “fast path” and the “slow path.” The fast path is that taken when a router just passes the packet to the next hop, without actually doing any “work” on that packet. This is in contrast to the slow path, where the router is the recipient of the ICMP echo request and must use processing resources to respond to the request by issuing an ICMP echo reply.
91_tcpip_05.qx
2/25/00
12:49 PM
Page 225
Using Network Monitoring and Troubleshooting Tools in Windows 2000 • Chapter 5 225
tracert The tracert utility allows you to trace the path of routers to a destination host. You can use the tracert utility to assess whether a router or link on the path to the destination host may be congested. The tracert utility sends a series of ICMP echo requests, with each request having a incrementally higher TTL value. The first echo request has a TTL of 1. When the first router receives the message, it will decrease the TTL by 1. Since the TTL on the request was 1, it now is 0, and the router will return a “Time Exceeded” message to the requesting computer. The tracert utility then increases the TTL to 2 on the ICMP echo request message. When the message hits the first router, the TTL is decreased by 1, and when it hits the second router, it is decreased by 1 again. The second router then sends a “Time Exceeded” message to the source host. The process continues until the all routers have been traversed to the destination host. Figure 5.31 demonstrates how the tracert utility works. Figure 5.31 How the tracert utility works. Tracert Tracert increments the TTL on the ICMP Echo Request with each attempt. When the TTL reaches zero, the destination router returns a "Time Exceeded" message.
TTL=1 Time Exceeded Message
TTL=2
TTL=1
Time Exceeded Message
TTL=3 Time Exceeded Message
TTL=2
TTL=1
91_tcpip_05.qx
2/25/00
12:49 PM
Page 226
226 Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000
For example, when we type tracert www.digitalthink.com
at the command prompt, we get the following output: C:\>tracert www.digitalthink.com Tracing route to www.digitalthink.com [216.35.144.147] over a maximum of 30 hops: 1
Notice that we get thrown back to the command prompt following the returned information. If you plan on doing a number of lookups, you would use interactive mode. To enter interactive mode, just type nslookup at the command prompt; your output should look like this: C:\>nslookup Default Server: constellation.tacteam.net Address: 192.168.1.185 >
91_tcpip_07.qx
2/25/00
11:08 AM
Page 381
Troubleshooting Windows 2000 DNS Problems • Chapter 7 381
Notice that you are not returned to the command prompt, but to the nslookup command’s interactive prompt. Once you enter interactive mode, you can use the “set” commands to determine the nature of your queries. Some of the “set” commands are included in Table 7.1. When you’re ready to leave the interactive mode and return to the command prompt, just type exit. Table 7.1 List of Set Commands that Can Be Used in nslookup Interactive Mode Command
Description
all
Prints out a list of current options and server parameters
[no]debug
Prints out detailed information from the lookup
[no]d2
Prints out "exhaustive" debugging information
[no]defname
Appends a specific domain name to each query
[no]recurse
Ask for recursion for the query
[no]search
Uses the domain suffix search list
[no]vc
Always use a virtual circuit
domain=NAME
Allows you to set a default domain name for the lookup
root=NAME
Define the name of the root server to use for lookup
retry=X
Define the number of retries for the lookup
timeout=X
Define the timeout for the lookup
type=X
Defines the query type For example: ANY, CNAME, MX, NS, PTR, SOA, SRV
The d2 option gives you the most information about the query you’re performing. If you don’t want to stay in interactive mode, and you want to perform a single quick lookup and still get the benefits of the debug mode, you can issue an nslookup using the –ds switch. For example, type the command: nslookup –ds www.microsoft.com.
You get detailed information about the query with the –ds switch.
TIP When you do an nslookup, be aware that the most likely reason that you might receive a nonauthoritative answer to a query is because your DNS server is answering from cache.
91_tcpip_07.qx
2/25/00
11:08 AM
Page 382
382 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
Throughout this chapter we have been working with nslookup to check on the behavior of our queries and the integrity of the zone database. We highly recommend that you practice doing many nslookups using the –ds switch or the debug/d2 set command in order to get familiar with how the utility works and the information returned to you.
ipconfig You probably have been using the ipconfig command for years if you’re an experienced Windows NT professional. The command has been improved in Windows 2000, and has some new switches that increase its usefulness as a tool for getting IP addressing information about your machines. Three ipconfig command switches are of particular interest when working with our DNS servers: ipconfig /flushdns The flushdns switch allows you to clear the local machine’s DNS cache. When you make zone changes or machine IP address configuration changes and then do an nslookup, you may receive information that doesn’t reflect the changes you thought you made. This is because the information is being retrieved from cache rather than from the DNS server itself. Use the flushdns switch to clear the cache, and then repeat the nslookup you were doing before. ipconfig /displaydns The displaydns switch prints out the local DNS cache. This is particularly helpful to use after you have completed the flushdns command, to confirm that the cache is indeed empty. The displaydns switch allows you to see the entries in the HOSTS file loaded into the cache. ipconfig /registerdns The /registerdns switch will renew a DHCP client’s lease and reregister the DNS client’s address information with a DNS server. This is sometimes helpful in “reminding” the DNS server of the DNS client’s addressing information. The ipconfig command has definitely been “souped up,” and you’ll find yourself using it even more now than you did in Windows NT 4.0.
Event Viewer The Windows 2000 Event Viewer has a dedicated container for DNS information. The Event Viewer can provide information on when zone transfers are taking place, if there was a problem with a zone transfer, when changes have taken place within the zone, or even if too many changes are happening in the zone.
91_tcpip_07.qx
2/25/00
11:08 AM
Page 383
Troubleshooting Windows 2000 DNS Problems • Chapter 7 383
Since the Event Viewer is easy to access and doesn’t require configuration changes on your part, it is often wise to start here first and see if it supplies any clues to what the problem might be.
Network Monitor The Network Monitor supplied with Windows 2000 Server products allows you to analyze packets coming into, and out of, the server running Network Monitor.
NOTE If you want a “full-fledged” version of Network Monitor that allows you to listen to all traffic on the segment, you can purchase Microsoft Systems Management Server 2.0.
Network Monitor will allow you to identify problems with network communications, including malformed packets, jitter causing “garbage” packets, and details of the packets sent and received for DNS queries. Figure 7.29 displays the Network Monitor screen after a capture of DNS packets has been done. Figure 7.29 Capture of DNS packets in Microsoft Network Monitor.
91_tcpip_07.qx
2/25/00
11:08 AM
Page 384
384 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
Something to note when analyzing a DNS message is the message identifier, which is the first thing you see on the Description line. For example, look at frames 376 and 377. Each of those has at the beginning of the description line “0x174E,” which is the query identifier. You can use this number to track related queries and responses. If there is a packet of particular interest (for example, a failure message is returned by the server), you can select the frame in the top pane and then click the Edit menu and then Copy. Open Notepad or another text editor and paste the contents of the frame into the application. For example, after copying packet 377, we get this: 377 23.543854 LOCAL 0050DA62684E DNS 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. CONSTELLATION DAEDALUS IP Frame: Base frame properties Frame: Time of capture = 1/1/2000 11:48:18.587 Frame: Time delta from previous physical frame: 0 microseconds Frame: Frame number: 377 Frame: Total frame length: 108 bytes Frame: Capture frame length: 108 bytes Frame: Frame data: Number of data bytes remaining = 108 (0x006C) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 0050DA62684E ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 0050DA0DF52D ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 108 (0x006C) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 94 (0x005E) IP: ID = 0x6A65; Proto = UDP; Len: 94 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Precedence = Routine IP: Type of Service = Normal Service IP: Total Length = 94 (0x5E) IP: Identification = 27237 (0x6A65) IP: Flags Summary = 0 (0x0) IP: .......0 = Last fragment in datagram IP: ......0. = May fragment datagram if necessary IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
91_tcpip_07.qx
2/25/00
11:08 AM
Page 385
Troubleshooting Windows 2000 DNS Problems • Chapter 7 385 IP: Protocol = UDP - User Datagram IP: Checksum = 0x4C1D IP: Source Address = 192.168.1.185 IP: Destination Address = 192.168.1.3 IP: Data: Number of data bytes remaining = 74 (0x004A) UDP: Src Port: DNS, (53); Dst Port: Unknown (1068); Length = 74 (0x4A) UDP: Source Port = DNS UDP: Destination Port = 0x042C UDP: Total length = 74 (0x4A) bytes UDP: UDP Checksum = 0x23D4 UDP: Data: Number of data bytes remaining = 66 (0x0042) DNS: 0x174E:Std Qry Resp. for www.dallasnews.com. of type Canonical name on class INET addr. DNS: Query Identifier = 5966 (0x174E) DNS: DNS Flags = Response, OpCode - Std Qry, RD RA Bits Set, RCode - No error DNS: 1............... = Response DNS: .0000........... = Standard Query DNS: .....0.......... = Server not authority for domain DNS: ......0......... = Message complete DNS: .......1........ = Recursive query desired DNS: ........1....... = Recursive queries supported by server DNS: .........000.... = Reserved DNS: ............0000 = No error DNS: Question Entry Count = 1 (0x1) DNS: Answer Entry Count = 2 (0x2) DNS: Name Server Count = 0 (0x0) DNS: Additional Records Count = 0 (0x0) DNS: Question Section: www.dallasnews.com. of type Host Addr on class INET addr. DNS: Question Name: www.dallasnews.com. DNS: Question Type = Host Address DNS: Question Class = Internet address class DNS: Answer section: www.dallasnews.com. of type Canonical name on class INET addr.(2 records present) DNS: Resource Record: www.dallasnews.com. of type Canonical name on class INET addr. DNS: Resource Name: www.dallasnews.com. DNS: Resource Type = Canonical name for alias DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 2 (0x2) DNS: Owner primary name: dallasnews.com.
91_tcpip_07.qx
2/25/00
11:08 AM
Page 386
386 Chapter 7 • Troubleshooting Windows 2000 DNS Problems DNS: Resource Record: dallasnews.com. of type Host Addr on class INET addr. DNS: Resource Name: dallasnews.com. DNS: Resource Type = Host Address DNS: Resource Class = Internet address class DNS: Time To Live = 10493 (0x28FD) DNS: Resource Data Length = 4 (0x4) DNS: IP address = 207.238.232.133 00000: 00 50 DA 62 68 4E 00 50 DA 0D F5 2D 08 00 45 00 .PÚbhN.PÚ.õ-..E. 00010: 00 5E 6A 65 00 00 80 11 4C 1D C0 A8 01 B9 C0 A8 .^je.. .L.À¨.?À¨ 00020: 01 03 00 35 04 2C 00 4A 23 D4 17 4E 81 80 00 01 ...5.,.J#Ô.N∞ .. 00030: 00 02 00 00 00 00 03 77 77 77 0A 64 61 6C 6C 61 .......www.dalla 00040: 73 6E 65 77 73 03 63 6F 6D 00 00 01 00 01 C0 0C snews.com.....À. 00050: 00 05 00 01 00 00 28 FD 00 02 C0 10 C0 30 00 01 ......(?..À.À0.. 00060: 00 01 00 00 28 FD 00 04 CF EE E8 85
....(?..Ïîè…
You get all the details of Ethernet, IP, and UDP protocols, and it allows you to find any anomalies that are present. See Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for more details on how to use Network Monitor and how to create network captures with capture and display filters.
DNS Trace Logs If you want to get really “down and dirty” and know everything the DNS server has been doing, you can enable trace logging on the DNS server. A trace log reports in detail about the queries the server has processed. While you can get similar information from doing nslookup queries, you are only aware of the questions and answers you send when performing those. A trace log will track queries received and answered by the DNS server. To enable trace logging, right-click the server name in the DNS management console and click Properties. Click the Logging tab, and you will see a dialog box similar to that in Figure 7.30.
WARNING Trace logging can be a very processor- and disk-intensive procedure, so be judicious in your use of this feature.
The logs are stored in a plain text file located at: %system_root%\system32\dns\dns.log
91_tcpip_07.qx
2/25/00
11:08 AM
Page 387
Troubleshooting Windows 2000 DNS Problems • Chapter 7 387
Figure 7.30 Configuring trace logging for the DNS server.
We have had some difficulty getting reliable trace logging for the Query, Questions, and Answers options. Hopefully, this bug will be fixed by the time the final release product becomes available.
Performance The Windows 2000 DNS server includes a large number of counters you can use to monitor the behavior and performance of your DNS server. Many new counters have been added to the Windows 2000 DNS Object counter list. Table 7.2 lists these counters and their functions. The Performance Monitoring tool gives you comprehensive monitoring capabilities of you DNS server. For more information on how to use the Performance management console, see Chapter 5. Table 7.2 DNS Performance Counters
Counter
Description
AXFR Request Received
Total full zone transfer requests received by the Master DNS server Total full zone transfer requests sent by the Secondary DNS server
AXFR Request Sent
91_tcpip_07.qx
2/25/00
11:08 AM
Page 388
388 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
Counter
Description
AXFR Request Received
Total full zone transfer requests received by the Master DNS server AXFR Request Sent Total full zone transfer requests sent by the Secondary DNS server AXFR Response Total full zone transfer responses received by the Received Secondary DNS server AXFR Success Received Total successful full zone transfers received by the Secondary DNS server AXFR Success Sent Total successful full zone transfers of the Master DNS server Caching Memory Total amount of caching memory used by the DNS server Database Node Memory Total database node memory used by the DNS server Dynamic Update Total number No-operation/empty dynamic update NoOperation requests received by the DNS server Dynamic Update Rate at which No-operation/empty dynamic NoOperation/sec update requests are received by the DNS server Dynamic Update Total dynamic updates that are queued by the Queued DNS server Dynamic Update Received Dynamic Update Received/sec Dynamic Update Rejected Dynamic Update TimeOuts Dynamic Update Written to Database Dynamic Update Written to Database/sec IXFR Request Received IXFR Request Sent IXFR Response Received
Total dynamic update requests that are received by the DNS server Rate at which dynamic update requests are received by the DNS server Total dynamic updates rejected by the DNS server Total dynamic update timeouts of the DNS server Total dynamic updates written to the database by the DNS server Rate at which dynamic updates are written to the database by the DNS server Total of incremental zone transfer requests received by the Master DNS server Total of incremental zone transfer requests sent by the Secondary DNS server. Total incremental zone transfer responses received by the Secondary DNS server Continued
91_tcpip_07.qx
2/25/00
11:08 AM
Page 389
Troubleshooting Windows 2000 DNS Problems • Chapter 7 389
Counter
Description
IXFR Success Received
Total successful incremental zone transfers received by the Secondary DNS server Total successful incremental zone transfers of the Master DNS server Total successful TCP incremental zone transfers received by the Secondary DNS server Total successful UDP incremental zone transfers received by the Secondary DNS server Total Nbstat memory used by the DNS server Total notifies received by the Secondary DNS server
IXFR Success Sent IXFR TCP Success Received IXFR UDP Success Received Nbstat Memory Notify Received Record Flow Memory Recursive Queries Recursive Queries/sec Recursive Query Failure
Total record flow memory used by the DNS server Total recursive queries received by the DNS server Rate at which recursive queries are received by the DNS server Total of recursive query failures
Recursive Query Failure/sec
Rate of recursive query failures
Recursive Send TimeOuts Recursive TimeOut/sec Secure Update Failure Secure Update Received
Total of recursive query sending timeouts
Rate recursive query sending timeouts Total secure update failures of the DNS server Total secure update requests received by the DNS server Secure Update Rate at which secure update requests are received Received/sec by the DNS server TCP Message Memory Total TCP message memory used by the DNS server TCP Query Received Total TCP queries received by the DNS server TCP Query Received/sec Rate TCP queries are received by the DNS server TCP Response Sent Total TCP responses sent by the DNS server TCP Response Sent/sec Rate TCP responses are sent by the DNS server Total Query Received Total queries received by the DNS server Total Query Received/sec Rate at which queries are received by the DNS server Total Response Sent Total Responses sent by the DNS Server Total Response Sent/sec Rate at which responses are sent by the DNS server Continued
91_tcpip_07.qx
2/25/00
11:08 AM
Page 390
390 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
Counter
Description
UDP Message Memory
Total UDP message memory used by the DNS server UDP Query Received Total UDP queries received by the DNS server UDP Query Received/sec Rate UDP queries are received by the DNS server UDP Response Sent Total UDP responses sent by the DNS server UDP Response Sent/sec Rate at which UDP responses are sent by the DNS server WINS Lookup Received Total WINS lookup requests received by the DNS server WINS Lookup Rate at which WINS lookup requests are received Received/sec by the DNS server WINS Response Sent Total WINS lookup responses sent by the DNS server WINS Response Sent/sec Rate at which WINS lookup responses are sent by the server WINS Reverse Lookup Received WINS Reverse Lookup Received/sec
Total WINS reverse lookup requests received by the DNS server Rate at which WINS reverse lookup requests are received by the DNS server
WINS Reverse Response Sent WINS Reverse Response Sent/sec Zone Transfer Failure Zone Transfer Request Received Zone Transfer SOA Request Sent
Total WINS reverse lookup responses sent by the DNS server Rate at which WINS reverse lookup responses are sent by the server Total failed zone transfers of the Master DNS server Total zone transfer requests received by the Master DNS server Total zone transfer Start of Authority (SOA) requests sent by the secondary DNS server
Summary The Microsoft Windows 2000 DNS is a standards-based Domain Name System server that represents a tremendous forward stride over the DNS server provided with Windows NT 4.0. With DNS becoming the mechanism for authentication for Windows 2000 networks, DNS no longer is the “add-on” product it was considered as in Windows NT 4.0 networks. Applications written to the NetBIOS interface use the destination NetBIOS name as the endpoint of network communication. WinSock
91_tcpip_07.qx
2/25/00
11:08 AM
Page 391
Troubleshooting Windows 2000 DNS Problems • Chapter 7 391
applications, which were written specifically for the TCP/IP protocol, are not dependent on computer names, and use the destination IP address as the endpoint of communication. NetBIOS applications require a mechanism to allow NetBIOS names to be translated to IP addresses in order to work on TCP/IP-based networks. NetBIOS name resolution is the process of translating NetBIOS names to IP addresses that can be passed down the TCP/IP protocol stack for network communications between two NetBIOS applications. WinSock applications do not rely on computer names, and only require the destination machine’s IP address to establish a session with the destination host. However, people find it a lot easier to remember names, rather than IP addresses. Therefore, a system of naming machines on a TCP/IP network was developed to aid our failing memories. The Domain Name System was developed in order to accommodate a world-wide network of computers where there was little central authority of the naming of the machines participating on the Internet. The Domain Naming System is a hierarchical name system, which allows a multiplicity of computers throughout the world to have the same computer name, as long as those computers belong to different domains. The Domain concept allowed for distribution of responsibility over who will maintain the world-wide database of host names and IP addresses associated with those host names. The only centralized aspects of the naming system are in the maintenance of the root, top, and second-level domains on the Internet. Maintaining the DNS database below these levels is the responsibility of the administrators for each individual domain. The Windows 2000 DNS server allows you to keep a database of host names and IP addresses. The Windows 2000 DNS also allows for the dynamic update of host names and IP addresses in a manner very similar to how WINS servers function. Dynamic DNS is a new feature in the Windows 2000 DNS server and was not available in the Windows NT 4.0 DNS server. DNS clients can resolve a host name to an IP address in several ways. The DNS client service features a caching resolver, which keeps a list of recently resolved host names and IP addresses. If a sought-after mapping is not in the resolver cache, the DNS clients will query a DNS server. If the DNS cannot resolve the host name, the DNS client will go through the NetBIOS name resolution sequence and attempt to resolve the name by using WINS server, broadcasts, or LMHOSTS files. When a DNS client needs to resolve a host name to an IP address, it will query a DNS server. DNS servers themselves can be DNS clients. There are two basic types of queries: recursive and iterative. When a DNS client requests recursion, it is essentially putting the responsibility on the
91_tcpip_07.qx
2/25/00
11:08 AM
Page 392
392 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
DNS server to take over the job of resolving a host name to an IP address. The DNS client that requests recursion expects a definitive answer, and will not accept referrals to other machines that may help it resolve a query. An iterative query is issued when a DNS server attempts to complete recursion for the DNS client. It will issue iterative queries and accept referrals from other DNS servers that point it to the DNS server that can resolve the request. A fully qualified domain name (FQDN) includes the host name, which lies to the left of the leftmost period in an FQDN, and the host’s domain membership. A fully qualified query must end with a period, although most applications will automatically include the period before sending it out for resolution. If the request is not fully qualified, the DNS request is known as an “unqualified” request. The DNS client service must formulate a query based on an FQDN. By default, the domain membership of the machine issuing the query will be appended to the request. A list of other domain suffixes can be configured to be appended to unqualified requests, if you choose to create one. When an organization has an intranet and a presence on the Internet, you must choose whether you will use the same domain name on both. The advantage of using the same domain name is that it is easier on users in terms of remembering the names of clients, and they don’t have to worry if the corporate resource is on the intranet or the Internet. The drawback is that you will have to mirror your servers internally, and DNS clients will not access external corporate host resources. It is typically easier to use different domain names for intranet and Internet resources. You do not need to mirror servers, and there is no chance for confusion as to what is an internal resource and what is an external resource. The Internet domain name must be registered, but it is optional whether you register the intranet domain name. It is a good idea to register the internal domain name to prevent confusion. You would not want your boss to try to show off some intranet resource from his home (by mistake) using the internal domain name, and have some competitor’s site show up instead! While domains represent a conceptual framework, the actual domains and hosts are contained in files called zone files. Zone files are database files that contain resource records, which track the resources contained in a domain. The Windows 2000 DNS server supports standard and Active Directory integrated zones. Standard zones are characterized by having a single Primary DNS server, and multiple Secondary DNS servers. The Primary DNS server has the only read/write copy of the zone database, and this database is copied to Secondary DNS servers. Secondary DNS servers provide for fault tolerance, load balancing, and faster lookups for local hosts.
91_tcpip_07.qx
2/25/00
11:08 AM
Page 393
Troubleshooting Windows 2000 DNS Problems • Chapter 7 393
Standard zones are copied from Primary to Secondary DNS server via a process called zone transfer. Zone transfer is a pull operation, where the Secondary DNS server requests from the Primary the zone database if there are any updates. The Windows 2000 DNS server supports both the AXFR and the IXFR zone request. Downlevel DNS servers, such as the Windows NT 4.0 DNS server, can only send an AXFR query for zone transfer; therefore, whenever a change takes place in a zone, the entire zone file is sent to the Secondary. The Windows 2000 DNS server supports the IXFR, which allows for incremental zone transfers. The incremental transport only sends records that have changed since the previous zone transfer. A reverse lookup zone allows DNS clients to issue reverse queries. A reverse query is when the IP address is sent to the DNS server for resolution to a host name. The reverse lookup zone is useful when you have security and diagnostic software that depends on reverse lookups. Although the reverse lookup zone is not required, it will help you avoid certain error messages when you create a new zone. Active Directory integrated zones offer several advantages over standard zones. The Active Directory integrated zone has multiple masters, and each domain controller becomes a Primary DNS server. You do not have to worry about maintaining separate Active Directory and DNS replication topologies. Active Directory integrated zones allow for per-property zone transfer, rather than having to send the entire record, which saves bandwidth. Active Directory integrated zones allow for secure dynamic updates. A delegation is a means to assign responsibility or “authority” to a machine for a zone. Secondary DNS server have a copy of the zone database file, and therefore are able to deliver authoritative answers based on the contents of the zone files they contain. You create NS records on DNS servers to indicate to clients the host name of a server that is authoritative for a particular zone. You want your DNS servers to avoid contact with DNS servers over the Internet to prevent hackers from intercepting DNS communications and potentially damaging your network. One popular way to do this is by using a combination of slave and forwarder DNS servers. A slave DNS server does not perform recursion, and sends all DNS queries for zones that it is not authoritative for to another DNS server, called a forwarder. The forwarder is typically a caching-only DNS server and does not contain any zone database files. The forwarder performs recursion for the slave DNS server and returns to the slave the results of its queries, which the slave in turn returns to the DNS client that made the initial request. While the Windows 2000 DNS server is standards based, there are some interoperability issues. If you have existing BIND DNS servers on
91_tcpip_07.qx
2/25/00
11:08 AM
Page 394
394 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
your network, they will not support zone transfer for WINS and WINS-R records. They also do not support the fast transfer method of zone transfer where several records can be included in a single packet. You can easily upgrade your BIND servers to Windows 2000 DNS by transferring the BIND zone over to the Windows 2000 server and then changing it to a Primary zone. There are a number of tools you can use to investigate problems with your DNS server. These tools include nslookup, a new and improve version of ipconfig that allows you to view and clear the local DNS cache, Event Viewer, Network Monitor, trace logging, and a supercharged Performance Monitor that includes many new counters to allow you to get a fine bead on the health and performance of your DNS server.
FAQs Q: Do my NT and Win9x clients have to be upgraded to Windows 2000 to have their address information automatically entered into a Windows 2000 DNS server? A: You do not need to upgrade your downlevel clients—including Windows NT Workstation, Windows NT Servers, and Win 9x clients—in order to have their addresses added automatically to the Dynamic DNS zone database files. However, since these clients cannot update their own records, you will need to make your downlevel clients Windows 2000 DHCP clients. The Windows 2000 DHCP server will act as a “proxy” and update address information for them on the DDNS server. Q: I keep getting error messages when I use the nslookup command on my new DNS installation. Is there anything I can do to fix this? A: The most common reason for receiving this kind of message, after ensuring that you’ve done everything else correctly, is the absence of a reverse lookup zone. Create a reverse lookup zone for the network ID that the DNS server belongs to. Then, create an A Host resource record for that DNS server. Check to see if a pointer record was created for the DNS server after you create the host record. If one was not created, make one manually. This should correct problems you have with error messages related to “DNS server not found.” Q: What is a CNAME record? How can I use it in my organization?
91_tcpip_07.qx
2/25/00
11:08 AM
Page 395
Troubleshooting Windows 2000 DNS Problems • Chapter 7 395
A: The CNAME resource record allows you to create aliases for a machine that already has an A Host resource record in the DNS database. For example, you already have a machine by the name of bigboy .mydomain.com. You want to run Web services and FTP services on that machine, and you want DNS queries for www.mydomain.com and ftp.mydomain.com to resolve to the same IP address that is owned by bigboy in the DNS database. To do this, you create CNAME records for www and ftp that point to bigboy. Be sure that whenever you create a CNAME record, it points to a machine that already has a host addresses record; otherwise, it won’t work. Q: What is that DNSUpdateProxy Group for again? A: You are referring to the DNSUpdateProxy Group. The DNSUpdateProxy Group allows a DHCP server to make entries in the DNS zone database files without becoming the owner of those entries in the zone database. This solves the problems you might encounter if a particular DHCP server registers entries in the zone database and then goes offline. Since the offline DHCP server owns the record, neither a backup DHCP server nor the client itself will be able to update the record if the zone has secure dynamic updates enabled. The solution is to make the DHCP server a member of the DNSUpdateProxy Group, so it will be able to create entries without “security” information attached to them. The next machine to “touch” the record (for example, if the host itself, or another DHCP server that is not a member of the DNSUpdateProxy Group, tries to update the record) will become the owner of the DNS zone database entry. The drawback is that there is no security; therefore, any machine claiming a particular name can update the record after it is created by the DHCP server that is a member of the DNSUpdateProxy Group. Never install DHCP services on a domain controller if you choose this solution. Q: My NT 4.0 DNS server doesn’t let me add SRV records. What’s wrong? A: The Windows NT 4.0 DNS server that comes “out of the box” with NT does not support SRV records. If you want your NT DNS server to able to participate in the domain locator services, you must update it to Service Pack 4 or later, and then manually enter the SRV resource records that are contained in the domain controller’s netlogon.dns file. Q: What’s the cache.dns file for? Where can I get a new one?
91_tcpip_07.qx
2/25/00
11:08 AM
Page 396
396 Chapter 7 • Troubleshooting Windows 2000 DNS Problems
A: The cache.dns file contains what are sometimes called root hints. The file has the names and IP addresses of the root DNS servers, which are used when iterative queries are issued to resolve Internet host names. To get the latest version of this file, go to ftp://ftp.rs.internic.net/domain/named.root. Note that when you check that site out, you’ll find that they don’t update the file very frequently. The last update was August 27, 1997. Q: I want to upgrade my BIND server to Windows 2000, but I don’t want to lose my zone database files. Is there an easy way to do this? A: The easiest way to do this is to create the same zone on an existing Windows 2000 DNS server. Make the zone a secondary zone, and initiate a zone transfer from the BIND DNS server. Change the zone type to a Primary zone by right-clicking the zone and clicking CHANGE beside the word “Type.” Take down the BIND server and upgrade it to Windows 2000. After the upgrade, create the same zone on the new Windows 2000 DNS server, and make it a secondary zone. Initiate a zone transfer from the previous DNS server. Now change the zone type to Primary on the new DNS server, and to Secondary on the old one. Q: I’m running a DNS server using standard zones. My Primary DNS server died about 36 hours ago. My users cannot get answers to their DNS queries! I thought the Secondary DNS servers would add fault tolerance to my host name resolution system. Why didn’t they? A: This is probably because the Secondary DNS servers are no longer answering queries for the zone. If a Secondary DNS server cannot contact a Primary DNS server from which it receives zone transfers, for over the period of time defined in the “Expires by” text box in the SOA Record, it will no longer answer queries for that zone. One solution to this problem is to change the zone type to a Primary zone and configure delegations on the new Primary DNS server for all of your Secondaries.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 397
Chapter 8
Troubleshooting Windows 2000 IP Addressing Problems
Solutions in this chapter: ■
Subnetting Problems
■
DHCP Configuration Problems
■
APIPA
397
91_tcpip_08.qx
2/25/00
11:10 AM
Page 398
398 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Introduction One of TCP/IP’s great strengths, and a primary reason that it has become the standard for large networks, including the Internet, is its scalable addressing scheme that can accommodate networks of all sizes. In Chapter 1, “TCP/IP Overview,” we discussed some of the limitations of the current IP addressing system, called IPv4, which uses 32-bit addresses, unique to every network interface, to specify the network and individual host identification. Although IPv6 is expected to solve the anticipated problem of running out of unique addresses at some point in the near future, it’s safe to say the addressing scheme will be around for some time to come. Many problems with TCP/IP connectivity turn out to be IP addressing problems. Although manually assigning IP addresses to each computer increases the likelihood of human error (mistyping or transposing numbers, forgetting that an address has already been assigned and assigning it to a second machine, etc.), using the Dynamic Host Configuration Protocol (DHCP) or allowing Automatic Private IP Addressing (APIPA) to assign addresses on your network will not absolutely guarantee troublefree address assignment. Configuration problems can cause address conflicts to occur with the automatic addressing services, too. In this chapter, we will briefly recap how IP addressing works and what distinguishes the Internetwork-layer IP address from the physical address (which actually is addressed at the Data Link layer of the OSI model). We will take a look at the practice of assigning addresses manually, and discuss when this is appropriate, as well as common problems that arise. Then we will discuss the automatic addressing services, DHCP and APIPA (the latter is new to Windows 98 and Windows 2000). We’ll examine some of the configuration problems that are commonly encountered when utilizing these services. We will discuss how the IP address is used in the process of network communication, and we’ll look at the differences between private and public addresses and how not knowing when to use which can cause a network administrator a world of headaches. Finally, we will address some specific troubleshooting scenarios, including those involving duplicate IP addresses, those that stem from using invalid addresses, the most common DHCP configuration problems, APIPA and Internet Connection Sharing (ICS), and how to troubleshoot IP subnetting problems.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 399
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 399
How IP Addressing Works Under the current IP addressing system, IPv4, there are “only” a little over 4 billion possible IP addresses (4,294,967,296 or 232 for those who like to be precise). In the beginning (the early 1980s), this seemed to be more than enough for the foreseeable future. At that time, when IP specifications became standardized, a two-level hierarchical addressing structure was imposed, consisting of the network ID (sometimes called the network prefix) and the Host ID. Networks were divided into “classes” A, B, and C (as well as D and E, but these two were not allocated to networks but rather reserved for special purposes). This is referred to as “classful” addressing. A newer method of identifying networks via an “IP prefix” is called Classless Inter-Domain Routing (CIDR), which we discussed briefly in Chapter 4, “Windows 2000 TCP/IP Internals.” Instead of designating networks as class A, B, or C, a network is referred to as a /16, /24, etc. depending on the number of bits used for the network ID portion of the address.
Logical IP Addresses versus Physical MAC Addresses The IP address is a “logical” address, assigned by the network administrator. It bears no direct relation to the network interface card’s (NIC) “physical” address (often referred to as the MAC address because it is used at the Media Access Control sublayer of the OSI’s Data Link layer). Changing a computer’s (or more precisely, an individual NIC’s) IP address is a software function. If you have administrative privileges, it’s as simple as clicking the mouse a few times to open the proper dialog box and typing in a new number (the hardest part is knowing what number to type in). The MAC address, on the other hand, is hard-coded into the chip on the network card in the typical Ethernet network. Some network cards provide for a way to change the MAC address via jumper settings or software configuration, but this is not usual and you are limited to only a few possible settings. An Ethernet MAC address is a 48-bit number represented in hexadecimal, so it will look something like this: 00-80-C8-6A-FA-00. You can find out the physical address of your Ethernet card by typing ipconfig /all at the command line, which will give you the information shown in Figure 8.1.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 400
400 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Figure 8.1 Determining your network card’s physical (MAC) address using the ipconfig command.
As you can see in the screenshot, the IP and MAC addresses are in two very different formats and have no logical relationship to one another. The Address Resolution Protocol (ARP), discussed in Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level,” is responsible for “keeping tabs” on which IP addresses match up with which physical addresses, and relaying that information so computers can communicate at the physical (network interface) level.
What an IP Address Represents In order to communicate over the network using the TCP/IP protocols, a computer must have an IP address that is unique on that network. A network administrator can manually assign the IP address, or it can be automatically assigned by an addressing service such as DHCP, APIPA, or ICS autoaddressing. In any event, there will be no IP communication without an address. If you don’t know what IP address is being used, you can find that information the same way you accessed the physical address, using the ipconfig command. In fact, the /all switch is not necessary to display the IP address, as shown in Figure 8.2. The IP address is usually represented as shown, in “dotted decimal” (also called “dotted quad”) notation with four sections, called octets, separated by dots. This decimal notation is merely a “user friendly” way to express the binary number used by the computers to communicate. The octets are called that because each represents eight binary digits.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 401
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 401
Figure 8.2 Determining the computer’s IP address using the ipconfig command.
The Language of 1s and 0s For a true understanding of IP addressing, subnetting, supernetting, and related topics, it is essential that you learn to work with the underlying binary. Although the base two numbering system, into which all data is converted by the machines, may seem confusing and a little frightening at first, it is actually pretty simple, and it will save you many hours of pulling out your hair as you try to make sense of the decimal representations (which, taken alone, don’t make sense). Let’s look at how IP addresses look at the binary level and maybe we’ll take some of the mystery out of “machine language” while we’re at it. The IP address shown in Figure 8.2 in dotted decimal, 192.168.1.185, really represents the following binary number: 11000000.10101000.00000001.10111001
If you look closely, you’ll see that this number is indeed made up of four groups of eight binary digits. But how do you know that 192 in decimal equals 11000000 in binary? Well, there are a couple of ways to find out. The easy way to convert decimal to binary, or vice versa, is to use the Windows calculator in scientific mode (choose Scientific from the View menu). Just check the “dec” radio button and enter the number in decimal, then click on the “bin” radio button and tada! As if by magic, you have the binary equivalent (see Figure 8.3). That’s the easiest way and the fastest way, but not necessarily the best way. If you don’t really understand how binary is converted to decimal, you may be confused by the calculator’s results. For instance, when you convert the decimal 1 to binary, the result is 1. You know that an octet has eight digits, but the calculator only displays one. Do you put seven 0s before or after the 1? If you know how to do the conversion manually, it’s obvious.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 402
402 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Figure 8.3 Using the Windows calculator in scientific mode to convert decimal to binary.
Here’s how to convert a binary octet to decimal without a calculator: We have eight binary digits, and each of them represents a decimal value, beginning with the rightmost digit and working our way back to the leftmost.
NOTE The rightmost digits are sometimes referred to as the low order bits, and the leftmost as the high order bits.
Each bit that is “turned on” (that is, shows a 1 instead of a 0) represents the value of that bit as shown in Figure 8.4. As you can see, the value increases by a power of 2 as you move from right to left. A bit that is “off” (represented by a 0) counts as 0. All we have to do then is add up the values of the bits that are “on.” Figure 8.4 Calculating the value of each binary digit in an octet.
Bits 1
1
1
128 64 32
1
1
1
1
1
16 8 Values
4
2
1
91_tcpip_08.qx
2/25/00
11:10 AM
Page 403
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 403
Using this simple formula, to convert an octet in binary form, such as 10111001, to decimal, we start at the right and look at which digits are on. We see that the bits represented by 1s have decimal values of 1, 8, 16, 32, and 128. If we add up those values, we get a total of 185 for the octet, which matches the value we get when we use the scientific calculator to convert 10111001 to decimal. Another way of seeing how this is done when you’re first learning how to convert to binary is to “line” up the numbers in three columns like this: 128x1=128 64x0=0 32x1=32 16x1=16 8x1=8 4x0=0 2x0=0 1x1=1 Then add up the number in the last column, which in this case is 185. If all bits in an octet are “off,” the decimal value is 0, and if all are “on,” the value (total of 1, 2, 4, 8, 16, 32, 64, and 128) is 255.
Subnet Masking An IP address is divided into two parts: a designated number of bits on the left represent the network identification, and the bits to the right of that represent the host identification. Most network administrators are familiar with the purpose of the subnet mask, a 32-bit binary number (usually represented in “dotted decimal” like the IP address) that indicates which portion of an IP address identifies the network and which part identifies the individual host computer. Most also know the default subnet masks, shown in Table 8.1. Table 8.1 Default Subnet Masks Address Class
Default Subnet Mask (Decimal)
Default Subnet Mask (Binary)
Class A
255.0.0.0
11111111 00000000 00000000 00000000
Class B
255.255.0.0
11111111 11111111 00000000 00000000
Class C
255.255.255.0
11111111 11111111 11111111 00000000
These are called the default masks because they apply to networks that have not been subnetted (the dividing of one network into additional
91_tcpip_08.qx
2/25/00
11:10 AM
Page 404
404 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
subnetworks) or supernetted (combining of several class C networks into a single logical network). This means the subnet mask of 255.255.0.0 when applied to a class B network indicates an unsubnetted network. However, the same mask of 255.255.0.0, if applied to a class A network, would be a subnetted network. (In the next section, we will show you how to determine the address class).
NOTE It is important to remember that a subnet mask by itself has no class—it must be combined with a network ID to have meaning. That is because of the practices of variable subnetting and supernetting, which will be discussed in some detail in the section Troubleshooting Subnetting Problems.
Understanding the default masks is simple. Those octets designated by 255 (all 1s in binary), represent the network ID, and those that are 0s (also 0 in binary) represent host computers. In binary, a class C default subnet mask would like this: 11111111 11111111 11111111 00000000 Remember that all computers on the same network (subnet) must have the same network ID, and that no two computers on the same network can have the same Host ID. To understand variable length subnet masks, which indicate that the network is divided into subnets, you must once again go to the binary or you will probably end up hopelessly confused. Variable length subnet masks are created by “stealing” (or borrowing, if you don’t like the connotation of the other) bits from the portion of the IP address normally used for the Host ID and using them for the network (or subnet) ID. For instance, if you borrow four bits from the host portion of a class C network address, your subnet mask will look like this: 11111111 11111111 11111111 11110000 or, in decimal: 255 255 255 240 This technique allows us to divide our class C network into 16 subnets with 14 hosts on each subnet, using the following formulae: Number of subnets = 2x, where x = the number of bits borrowed from the Host ID. Number of hosts = 2x – 2, where x = the number of unmasked Host ID bits remaining.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 405
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 405
NOTE The formula given for determining number of subnets assumes that using all 0s and all 1s for the Subnet ID is allowed. RFC 1878 specifications allow for subnets using all 0s and all 1s, although Microsoft generally recommends against it and some routers will not support it. If you wish to follow the more conservative policy of disallowing all 0s and all 1s, the preceding example would result in 14 subnets with 14 hosts each.
Subnetting and using variable length subnet masks will be discussed in detail in the section Troubleshooting Subnetting Problems later in this chapter.
Determining Address Class Never try to use the subnet mask, as networking “rookies” sometimes do, to reliably determine which class of network you’re dealing with. Although 255.255.255.0 is the default class C mask, it could also be used on a subnetted class B network. Instead, the network classes are identified by the “high order” bits, or the leftmost bits in the binary notation. In simple English, this means you can tell the class of a network by its first octet. Let’s look at that idea in relation to each of the network classes.
Class A Addresses: 1–126 If we look at the class A default subnet mask, 255.0.0.0, we see that only one octet is being used to identify the network, and the remaining three are used for hosts. This means there are over 16 million possible Host IDs per class A network, which is a tremendous number of computers. The downside is that this leaves only 128 values left for the network ID (two of which are reserved for other purposes), so the number of class A networks is severely limited. In fact, the class A network IDs were all used up long ago. They are assigned to the largest networks, such as IBM. A class A address, like a huge gorilla lumbering down the street, is easy to recognize. Class A addresses always have the first (leftmost) bit set to 0. When you convert this to decimal notation, it means the first octet in a class A address will fall into the range of 0 to 127. Since 0 is not used as a network ID and 127 is assigned as a “loopback” address (which we will discuss in the section Troubleshooting Subnetting Problems later in this chapter), that leaves only 126 actual network addresses.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 406
406 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
NOTE The address range for class A is 1.0.0.0 to 126.255.255.255.
Class B Addresses: 128–191 Class B addresses are the “middle siblings.” You can see from the default mask of 255.255.0.0 that they use about half the bits for the network ID and the other half for Host IDs. Thus, there are many more possible class B networks than class A, over 16,000. On the other hand, each is limited to far fewer hosts: about 65,000. Class B networks are large, but not of the colossal proportions that mark a class A. Microsoft’s network is an example of a class B network. Class B networks are identified by their two high order bits, which are always “10” in the W octet. Again translating this to decimal, since that’s the way we normally express IP addresses, this puts the first octet of a class B address in the 128 to 191 range.
NOTE The address range for class B is 128.0.0.0 to 191.255.255.255.
Class C Addresses: 192–223 Class C addresses are assigned to the “little guys.” Compared to a class A, these networks seem tiny; each can have only 254 host computers. This is because the first three octets are traditionally used to identify the network, and only the last, lone octet is available for Host IDs. Ah, but that also means there are lots more class C network addresses to go around: more than 2 million. Class C networks are assigned to small companies or, more recently, are assigned to Internet Service Providers (ISPs), who then sell blocks of addresses to other organizations. Class C addresses have the three high-order bits in the “W” octet set to 110 in binary, which is represented as 192 to 223 for the first octet in decimal.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 407
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 407
NOTE The address range for class C is 192.0.0.0 to 223.255.255.255.
Class D Addresses: 224–239 Following the logical progression we started earlier, you would think class D addresses would be for tiny little networks, of which there could be gazillions. But it doesn’t quite work that way, and if you think about it, you’ll see that the only subnet mask left for a class D network would be 255.255.255.255. Hmmm . . . that indicates that all the bits would be used for the network ID, leaving none at all for the host. Thus a class D network could have no computers on it. It would be a little difficult to run a network like that, wouldn’t it? Maybe that’s why the Powers That Be, in designating the address classes, decided to do something different with class D addresses. Class D addresses are used for multicast groups. Earlier in the book, we discussed Windows 2000’s support for multicasting, the sending of a message to multiple computers using only one IP address that represents the entire group. That group address comes from the class D range, in which the four leftmost bits are set to 1110, making for a first octet in the 224 to 239 range.
NOTE See Chapter 4 for more information on how multicasting works.
Class E Addresses: 240–247 And you thought there were only three address classes? If you’ve never heard of class E IP addresses, there’s a good reason: They aren’t generally used for anything. Class E is actually designated as “reserved for future use,” although it’s likely that IPv6 and classless addressing will replace the present system, making the point moot. Class E is also often referred to as an “experimental” address class. This seems sensible; if someone is going to be out there conducting experiments on IP addresses, it certainly
91_tcpip_08.qx
2/25/00
11:10 AM
Page 408
408 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
seems preferable that he or she use an otherwise unused class of addresses rather than those on which the Internet and our private networks run. The class E address range has its five leftmost bits set to (you guessed it!) 11110, and its first octet will range from 240 to 247. And with that, we have covered all of the designated address classes. Now we’ll talk about how the network addresses are assigned, and why all of this “class stuff” will likely mean absolutely nothing in the not-too-distant future.
How Network IDs Are Assigned The network ID designates either a logical or physical network, and that network ID must be unique on any internetwork to which the network is connected. Because most networks today are connected to the global Internet (or expect to be in the future), it is vital that there not be duplicate network numbers. This would result in confusion for the routers responsible for getting data packets to their destinations. This means there must be some world-wide authority given the responsibility for allocating unique network numbers for IP networks and ensuring that those IDs are valid and duplicates do not occur. The Internet Assigned Numbers Authority (IANA) oversees the management of the IP address spaces, which are allocated through NSI (Network Solutions, Inc., formerly referred to as InterNIC) and other authorized registrars.
NOTE A “stand-alone” network, which is not connected to the Internet or any other internetwork, can be configured to use any network ID you choose. However, it is best practice to use the so-called “private” (or nonregistered) network addresses, which are specifically designated by the IANA for that purpose. We discuss private versus public addresses in the section IP Addressing Configuration Errors later in this chapter.
Remember that once you have been assigned a network ID and block of IP addresses, you can also subnet your network to divide it into two or more in order to cut down on broadcast traffic, isolate geographically or politically separate parts of the network, and so forth.
How Host IDs Are Assigned within the Network Within the network, the administrator can assign IP addresses from the appropriate range to individual computers. This can be done on an individual basis (manual address assignment) or by entering a scope of
91_tcpip_08.qx
2/25/00
11:10 AM
Page 409
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 409
addresses into a DHCP server’s configuration. Alternately, Windows 2000 can use APIPA if no DHCP server is available or, if Internet Connection Sharing is being used, addresses can be assigned to the ICS client computers by the ICS host using autoaddressing.
Manual Address Assignment The most straightforward way to assign IP addresses to the computers on your network (but also the method most prone to error) is manual assignment. A specific address is typed directly into the IP address section of the TCP/IP properties box for the particular network connection. See Figure 8.5. Figure 8.5 Manually assigning an IP address in the Windows 2000 TCP/IP Properties box.
When you manually assign an address, you must also enter the correct subnet mask, and if the network is routed, the IP address of the default gateway (router or computer performing routing functions). Although manual addressing is more time consuming if you have more than a few computers, and it is easy to make errors in entering the data which could result in loss of connectivity or odd network behavior, there are sometimes good reasons to manually assign addresses. If there is no DHCP server on the network, then obviously the addresses will need to be assigned manually. There are also certain systems, such as domain controllers and DNS and WINS servers, that need to have static
91_tcpip_08.qx
2/25/00
11:10 AM
Page 410
410 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
addresses. You may wish to assign their addresses manually (although you could alternately assign reserved addresses to them in DHCP configuration). Finally, the DHCP server itself cannot be a DHCP client, so it will require a manually configured IP address.
DHCP The Dynamic Host Configuration Protocol (DHCP) can be a network administrator’s best friend—unless he or she fails to configure it properly, in which case it can be a source of nightmares. DHCP’s purpose is to assign IP addresses dynamically, as computers come onto the network. Each computer only has to be set up in TCP/IP properties to get an IP address (and other TCP/IP configuration information) from a DHCP server, and the service does the rest. This has several advantages: Time saved. Network administrators don’t have to tediously enter the IP address, subnet mask, DNS and WINS server addresses, and other information over and over for every machine on the network. Likewise, if the IP address for the network’s DNS server changes, the change does not have to be made on every machine; the change is made in the DHCP server’s configuration and the new address is automatically disseminated to client computers when they obtain an address. Better accuracy. The possibility of mistyping an address in one of the machines is eliminated. A scope of addresses is defined only once, on the DHCP server, and the server manages the addresses. There is no possibility of the server “forgetting” that a particular address was already assigned to another machine and duplicating the address. More efficient use of addresses. If the number of available addresses is limited, DHCP optimizes their use since it only “leases” the addresses to computers for a predetermined period of time, instead of assigning them permanently as with manual assignment. When a computer goes offline, its address can be released so that it can then be assigned to a different system. In Windows 2000, configuring a computer to obtain an address from a DHCP server is simple. In the TCP/IP properties box, simply check the radio button option to “Obtain an IP address automatically” as shown in Figure 8.6.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 411
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 411
Figure 8.6 Configuring a computer to obtain an IP address from a DHCP server.
As you can see in Figure 8.6, you have several options. You can choose to have all IP addressing information assigned by the DHCP server, including the DNS server addresses, or you can manually assign a DNS server and have the other IP addressing information assigned automatically.
NOTE A new feature in Windows 2000 is the integration of DHCP with DNS. DHCP server and clients can now register with Dynamic DNS for name resolution.
We will further examine how DHCP works in the section Automatic Addressing later in the chapter.
APIPA and ICS Autoaddressing Two new services in Windows 2000, APIPA and ICS, also automatically assign IP addresses to computers under specific circumstances.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 412
412 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Automatic Private IP Addressing APIPA was included in Windows 2000 to make TCP/IP configuration easier and to help ensure that a computer would be able to communicate on a small (unsubnetted) TCP/IP network that does not have a DHCP server. In past versions of Microsoft’s operating systems, prior to the release of Windows 98 and then Windows 2000, if a computer did not have a manually entered address or an expired DHCP IP address lease and was not able to contact a DHCP server when it came online, it would not be able to join the TCP/IP network. With APIPA, the computer will first attempt to reach a DHCP server and negotiate a lease for an IP address. However, if this fails, it will then take the initiative and assign itself an address from the reserved APIPA range of 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0. This allows it to communicate on the network, using the APIPA address temporarily until a DHCP server can be reached. Internet Connection Sharing ICS is another new feature in Windows 2000. ICS is used to allow multiple computers to access the Internet or another outside connection via a single public IP address. ICS is a part of Windows 2000 Network and Dialup Connections and can be enabled on a Windows 2000 Professional or Server computer that has a dial-up connection to the Internet, thereby allowing other computers on the local area network to share that connection. ICS works by means of Network Address Translation (NAT), which will be discussed in more detail in Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The ICS component that is of interest in the context of this chapter is the ability of the ICS host computer to automatically assign IP addresses to the ICS clients. When you enable ICS, the host machine that is sharing its connection will be configured with an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0. You may recognize this as an address from the range of class C addresses designated as private or nonregistered addresses by IANA. We will discuss private versus public addresses later in this chapter. The ICS computer also becomes a DHCP allocator. This role differs from that of a full-fledged DHCP server in that the computer does not have to be running a server operating system. A Windows 2000 Professional computer can share its connection and act as a DHCP allocator. The DHCP allocator has a predefined scope of IP addresses that it can hand out to the client computers sharing its Internet connection. These addresses fall into the private class C address range, the 192.168.0.0 network.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 413
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 413
Although these services generally function as intended, there are situations in which the automatic addressing can result in problems or conflicts, as we will discuss later in this chapter in the section IP Address Configuration Problems later in this chapter.
NOTE See Chapter 9 for more information on ICS and NAT.
Private versus Public Addresses Public IP addresses are those addresses that are valid for connection to the Internet. These are also sometimes called “registered” addresses because they must be assigned by and registered with IANA/InterNIC. A public IP address, used for a direct connection to the Internet, must not be duplicated anywhere else on the public network. Without a proxy or NAT software, every computer on a LAN that needs to be connected to the Internet must have a separate public IP address. This is one of the reasons for the shortage of available IP addresses, which was a driving force in the development of inexpensive and easy-to-implement NAT solutions. With NAT, only one public IP is necessary (used by the computer with the direct connection to the Internet). However, the other computers on the LAN still must be assigned IP addresses to communicate with each other and with the NAT server via TCP/IP. This creates a need for some method of “recycling” IP addresses. Since local area networks behind the NAT (or proxy) computer will not be visible to the Internet, they don’t have to have unique addresses. In actuality, you could use any IP address range for your LAN. However, this could lead to problems if one of the computers did connect directly to the Internet and was using a public address already allocated to someone else. Thus IANA/InterNIC specified a range of network IDs in each address class that would never be used on the Internet. These addresses can be used safely by anyone on any private network (on computers not directly connected to the Internet). The reserved address ranges are shown in Table 8.2. The private address will not route through the Internet, so even if a computer from the private network had a direct physical link to the Internet, the address would not cause a conflict.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 414
414 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Table 8.2 Private IP Address Ranges Private Address Class or Type
Range of Valid Private Addresses
Class C private network
192.168.0.1 to 192.168.255.254
Class B private network
172.16.0.1 to 172.31.255.254
Class A private network
10.0.0.1 to 10.255.255.254
APIPA reserved addresses
169.254.0.1 to 169.254.255.254
Thousands of different organizations can use the very same addresses from this range on their internal networks. They do not have to be (in fact, cannot be) registered with any name/number authority. Proper use of private addresses can save a corporation a great deal of money, and preserves the diminishing pool of public addresses for assignment to ISPs. Using NAT/proxy services to provide Internet access to internal computers also provides additional security for the local network.
NOTE See RFC 1597 for more information about the assignment of the private network addresses.
How IP Addresses Are Used in Network Communications Once IP addresses have been assigned to all computers on the network, the addresses are used to identify both the network (or subnet) and the individual host, in the same way your home address can be used to identify both the street you live on and the individual house. A computer across the office or across the world can send a packet intended for your computer, just as a friend down the street or in another country can mail a letter intended to reach your post office address. In the latter case, the postal service is responsible for delivering the letter to the correct house. IP, working at the Internetwork layer, is responsible for getting the packet to the right computer interface. When it arrives there, IP’s job is done just as the mail carrier’s duty has been fulfilled when the letter goes into your mailbox. Before the letter can be “processed” or the packet can perform its function, there is another step. In many cases, more than one person resides at the same
91_tcpip_08.qx
2/25/00
11:10 AM
Page 415
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 415
address and more than one application is using TCP/IP communications. Getting the letter to the intended recipient requires another designation, your name. Getting the packet to the right application also requires another designation, in this case a TCP or UDP port number. Just as the mail carrier hands off the responsibility for getting the letter to the right person in the house to whomever checks the mailbox, the Internetwork layer hands off the task of getting the packet to the right port to the Transport (host-to-host) layer. The data is then passed on up the protocol stack to the application (such as an e-mail client) that can use it.
A Map for the Mail Carrier Wait a minute. The preceding scenario sounds good, but there’s still something missing. How does the mail carrier know where “1539 Indigo Road” is physically located? The bad thing about street addresses (at least, from the perspective of the mail carrier) is the fact that they can change. Cities are always renaming a thoroughfare to honor some favorite son, or houses get renumbered to accommodate new construction when large plots of land are subdivided. Even if the addressing scheme in your town remains stable, a new mail carrier won’t necessarily know where Indigo Street is. That’s when it comes in handy to have a map.
Getting from the Logical to the Physical Your street address is a “logical” address, as is an IP address. Using that logical address to arrive physically at the correct location requires some sort of mechanism that will translate the logical address to a physical one. A map does this by providing a “view” of where the property is located, and a very precise map will supply the geographic coordinates (latitude and longitude). You can think of ARP, the Address Resolution Protocol, as a sort of map for IP packets. If you know the IP address, ARP can tell you where to actually go on the network to get there. It does this by maintaining a table of IP addresses matched to physical (MAC) addresses. The physical address could be compared to the geographic coordinates that pinpoint where your house actually sits. Even if your street name or number changes, the physical location will remain the same, and this is also (generally) true of the NIC’s physical address.
How ARP Works ARP is designated as a required specification for TCP/IP by RFC 826. This is because, without some means of resolving IP addresses to physical hardware addresses, packets cannot reach their destinations. ARP uses
91_tcpip_08.qx
2/25/00
11:10 AM
Page 416
416 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
broadcasts to determine which physical addresses match up with which logical (IP) addresses. This information is then cached so that it will remain available. Caching the information reduces network traffic by eliminating redundant broadcasts. The cached information stays in the cache for up to 10 minutes. When an IP/physical address pair is entered into the cache, a timer is started. If two minutes pass and the entry is not used again, ARP removes it from the cache. If it is used within that time, the timer is reset and it gets another two minutes. If it continues to be used, its life will be extended every two minutes, up to 10 minutes. These are called dynamic ARP entries. You can also add static entries to the ARP cache, which will stay in the cache until you shut down or reboot your computer. To add a static entry, at the command line type arp –s followed by the IP address and then the physical address. For example, to add an ARP cache entry that matches IP address 192.168.1.24 with MAC address 00-34-d4-32-c6-27, you would type the following command: arp –s 192.168.1.24 00-34-d4-c6-27
NOTE When adding an ARP entry, the IP address is entered in decimal and the physical address in hexadecimal, with hyphens separating the two-digit bytes.
You can also use the arp command-line utility to view the current ARP cache, as shown in Figure 8.7, by typing arp –a. Figure 8.7 You can view the ARP cache by typing arp –a at the command prompt.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 417
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 417
If you have multiple network interface cards (NICs) on your Windows 2000 computer, there will be a separate ARP cache for each adapter.
NOTE RARP (Reverse Address Resolution Protocol) is a TCP/IP utility that performs somewhat the opposite function of ARP; instead of providing a hardware address when given an IP address, it provides an IP address from a gateway server’s ARP cache, when a RARP client provides its physical address. RARP is not included in Windows 2000.
Putting It All Together We discussed name resolution and the services that perform it (WINS and DNS) in Chapters 6 and 7. When NetBIOS or fully qualified domain names (FQDNs) are used by a client to make a request to a server, the first step in establishing the connection is to resolve the “user-friendly” name to a more computer-friendly number. In TCP/IP communications, this means an IP address that, together with a subnet mask, will identify both the network on which the computer resides and the specific network interface on that network with which we want to communicate. If the destination computer is on the same subnet as the sending system (which we can determine through a procedure called anding, a calculation applied to the IP addresses of the two computers), the process is relatively straightforward.
IP Communications on a Nonrouted Network (within the Subnet) When a computer wishes to communicate with another computer on the same subnet, IP determines, based on the IP addresses of both along with the subnet mask, that the destination computer is on the local subnet. The sending computer checks the ARP cache for a MAC address that matches the destination computer’s IP address. If no match is found in the cache, the sending computer will send an ARP broadcast message to all computers on the local subnet. This message essentially asks, “What is the physical address associated with ?” The sending computer’s own IP and MAC addresses are included in the ARP message. All computers on the local subnet receive the message. Those whose IP addresses don’t match the one in the message ignore it. The computer
91_tcpip_08.qx
2/25/00
11:10 AM
Page 418
418 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
whose IP does match the one in the ARP message first puts the sending computer’s IP/MAC address information in its own ARP cache, then sends a response to the sending computer with the information about its MAC address. When the sending computer gets the response, it adds the destination computer’s IP/MAC address information to its cache, and can now send data to the destination computer.
IP Communications on a Routed Network (to a Remote Subnet) If the destination computer is not on the same local subnet, it works slightly differently. In this case, ARP will resolve the remote IP address to the physical address of the router that can forward the message on to the subnet on which the destination computer resides. The IP protocol again checks the IP addresses and subnet mask and this time determines that the destination computer is not on the local subnet. IP determines the IP address of the default gateway (router), and the sending computer checks the ARP cache for a physical address that matches the router’s IP address.
For IT Professionals
IP Addresses and the Internet As we all know by now, TCP/IP is the protocol suite used for communications over the vast global network of networks that we call the Internet. We also know that in order for communications to take place on a TCP/IP network, every network ID on the internetwork must be unique, and every Host ID must be unique to that network. In theory, this means that of the millions of computers connected to the Internet, there should be no two with the same IP address. In practice, however, this is not strictly true. Due to the shortage of available IP addresses, and also because registering multiple addresses adds to the cost of running a network, many companies and home networks use some method of connecting many computers to the Internet through a single IP address. There are two popular types of software designed to accomplish this: Network Address Translation (NAT) and Proxy Services. Network Address Translation (NAT). This is a means of configuring one computer, which has a dial-up or dedicated connection to Continued
91_tcpip_08.qx
2/25/00
11:10 AM
Page 419
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 419
the Internet through an ISP, to serve as a gateway through which other computers on the LAN can obtain Internet access without being assigned separate “public” addresses. With NAT, these client computers use “internal” addresses from the private address range, which are not visible to systems outside the local network. To the Internet, there appears to be only one computer connected—and indeed, only the “gateway” computer (sometimes called the NAT or ICS host computer) is actually connected to the Internet. There are third-party software implementations of NAT, such as Sygate and NAT32. A new feature in Windows 2000 is built-in support for NAT. Windows 2000 Professional includes Internet Connection Sharing, which is a somewhat limited form of NAT that is simple to configure and administer. Windows 2000 Server includes ICS too, but it also provides for a more flexible form of NAT through RRAS (Routing and Remote Access Service), which allows for changing the IP address range, use of multiple public addresses, and multiple LAN interfaces. ICS does not support these advanced features. Both ICS and NAT include components for address assignment, translation of the private internal addresses to the public external address(es), and name resolution services. Proxy Services. A proxy server is a more sophisticated means of providing a shared connection to the Internet, which provides for greater security through complex filtering. Proxy software, such as Microsoft Proxy Server or Winproxy, requires a higher level of configuration and contains other features in addition to address translation. For example, proxy servers can be set up to cache often-accessed Web sites so that performance will be optimized and less actual access to the Internet is required. Generally, however, proxy servers use the same address translation technique as NAT— requests for Internet access go through the server, which maps each clients’ internal IP address and the application making the request to a port on the server. The proxy then presents the request to the “outside world” as if it came directly from the server itself, and the internal machines’ addresses are hidden from the Internet. The result is that there are many, many more individual computers “on the Net” than it would appear from the number of public IP addresses visible to the outside network. What appears to be one computer, with one IP address, may be a NAT host or proxy server that is forwarding requests and responses for dozens or even hundreds of computers on its local network.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 420
420 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
If it doesn’t find one, it broadcasts an ARP message to find the router’s physical address, using the same process as in the previous example. When the router, which is attached to the local subnet, receives the ARP message and determines the IP matches its own, it responds with its physical address after putting the sender’s IP/MAC information into its cache. The sender updates its own cache with the router’s information, and now will send any messages addressed to the remote destination computer through the router. The router will forward the message to the destination computer (or another router, if it is not directly connection to the destination computer’s subnet) using the same process.
Overview: IP Addressing Configuration Errors A large percentage of TCP/IP connectivity problems can be traced to IP addressing configuration errors. Thus, one of the first things you should check, if your TCP/IP-based computer is not able to communicate on the network, is the TCP/IP Properties sheet. Ensure that if you have manually assigned the IP address, it is a valid address for the subnet. Also check the address of the default gateway, DNS and WINS servers, and the subnet mask. Simply making this quick check can eliminate many problems. Common errors include transposing two digits within an address and switching two addresses between fields (such as entering the computer’s address in the default gateway field, and vice versa). It sounds elementary, but remember one important rule of troubleshooting is to always check the “simple stuff” first.
NOTE Microsoft documentation attributes the majority of TCP/IP connectivity problems to incorrectly entered IP address information. This is one case where typos do count.
Duplicate IP Addresses Duplicate addresses can be a problem in a network where some or all of the IP addresses are manually assigned, especially if there is more than one administrator or other personnel are responsible for configuring TCP/IP properties on computers.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 421
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 421
If this happens, the following situation may occur: When a Windows 2000 computer comes online (or when its IP address is changed), and its TCP/IP stack is initialized, it sends a “gratuitous” ARP message, requesting the hardware address associated with its own IP address. If another computer responds, thus claiming the IP address as its own, the newly initialized computer will stop using IP. If there is another network protocol installed, it may be able to continue communicating on the network using the other protocol. If TCP/IP is the only network protocol installed, it will not be able to communicate on the network. Windows 2000 tries to prevent duplicate address errors in several ways. If you change the TCP/IP settings and enter an IP address that is already in use on the network, you will get a message indicating the address is taken and instructing you to change your settings. If you change the settings while offline and then come back onto the network, you will receive a message informing you that there is an IP address conflict. The computer that is already using the address will also display an error message (see Figure 8.8) indicating that there is an address conflict, although it will be able to continue communicating via TCP/IP using the address. Figure 8.8 Windows 2000 displays an error message when a duplicate address is detected.
One way to track down this problem is by checking the System Log in the Windows 2000 Event Viewer. An error message will appear, indicating that the system detected an IP address conflict.
Locating the Other Computer that Is Using the Address There are several ways to locate which other computer on the network is using the address. If it is a Windows 2000 or NT computer, there will be an event entered in its System Log reporting the conflict, although the computer that “got there first” will be able to go on using the address. You can also use the tracert command on the address to find out the name of the computer using it, or you can use arp –a to find out the physical address of the computer using the IP address, as long as the other computer is on your local subnet.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 422
422 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
TIP There is third-party IP management software that will do sophisticated tracking and auditing of IP address information. One such product that is compatible with Windows 2000 is Meta IP. For more information, see www.metainfo.com/products/metaip.cfm.
Address Conflicts with Computers Using DHCP If you receive a message that you have an IP address conflict at bootup and the machine is using DHCP, you can release the address so the DHCP server will assign a new address. To release the address, use the ipconfig /release command.
Invalid IP Addresses If the computer is given an IP address that is “illegal” or just invalid for use on that particular network, it will not be able to communicate with other computers over TCP/IP. As mentioned earlier, if you are running a private network that has no connection to the “cloud” (as many books and illustrations represent the Internet), you can use any IP addresses you wish, including those that have already been assigned for public use. This will not cause a problem—unless you later decide to connect your network to the Internet without changing the addressing scheme. At that point, your addresses may conflict with those of another organization that has registered that address space. Packets intended for computers on your network will be routed to the “legal” holder of the addresses. An invalid address may not be illegal, but does not “fit” into the local network’s addressing scheme. If the LAN is using the network ID of 192.168.1.0 with a subnet mask of 255.255.255.0, then the computers that are on that network must have IP addresses that use 192.168.1 for the first three octets. If you assign one of the computers an address that is not on that network (or if it is assigned an address with a different network ID by APIPA because a DHCP server could not be contacted), when IP attempts to contact another computer on the same segment it will identify the address as belonging to a remote host and will send the packet to its default gateway. Also remember that Host IDs of all 0s or all 1s are not valid for assignment as a computer’s IP address. A Host ID of all 0s is used to
91_tcpip_08.qx
2/25/00
11:10 AM
Page 423
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 423
identify the network, and a Host ID of all 1s is used as the broadcast address, for messages to be sent to all computers on the network. Thus, on a class B network using the default subnet mask of 255.255.0.0, both the addresses 138.21.0.0 and 138.21.255.255 would be unavailable for Host IDs. On a class C network using the default subnet mask of 255.255.255.0, the same would be true of the addresses 201.45.3.0 and 201.45.3.255.
DHCP Configuration Problems The Dynamic Host Configuration Protocol runs on a Windows 2000 Server and automatically assigns IP addresses to computers configured to be DHCP clients. DHCP originated as a derivative of BOOTP, the Bootstrap Protocol used in earlier networks to assign IP addresses dynamically, usually in the context of booting diskless workstations from the network.
NOTE The specifications for BOOTP are defined in RFCs 951 and 1084.
How DHCP Works: Condensed Version Most network administrators are familiar with DHCP and aware of the four-step process required for a DHCP client to obtain a “lease” on an IP address. We will briefly review those steps to identify the points in the process where things can go wrong.
NOTE DHCP is not a Microsoft-specific feature. UNIX, NetWare, and other network operating systems (server software programs) also use DHCP.
The four steps in the lease process involve the sending of four special messages between the DHCP client and a DHCP server. These messages are called: ■ ■
DHCP Discover DHCP Offer
91_tcpip_08.qx
2/25/00
11:10 AM
Page 424
424 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems ■ ■
DHCP Request DHCP Acknowledgment
The process is relatively simple.
DHCP Discover When a computer that is configured to be a DHCP client comes online and its TCP/IP stack is initialized, it accesses the Registry settings pertaining to TCP/IP parameters and recognizes that it must obtain an IP address from a DHCP server. It does not, however, know how to reach a DHCP server. Unlike DNS and WINS servers addresses, the IP address of a DHCP server is not entered in the TCP/IP configuration properties. That means the computer must broadcast for a DHCP server. The client sends a broadcast message (addressed to the broadcast address 255.255.255.255) called a DHCP Discover message, which essentially asks DHCP to come to its aid and assign it an IP address.
NOTE Since the client does not have an IP address at this point, it uses the address 0.0.0.0 as its source address. The server would not be able to identify the client that sent the request from this address, so the message also includes the client computer’s name and its physical MAC address.
DHCP Offer If there is an authorized DHCP server on the network, it hears the client’s plea for help and responds with a message called a DHCP Offer. This message contains an IP address from its predefined scope of addresses that can be allocated, as well as other information such as duration of the lease. This message is also sent as a broadcast, since the client computer doesn’t yet have an IP address to which the server can send the message directly. The Offer message includes the IP address that is available (and the server temporarily reserves it during the extension of the offer), a subnet mask, a lease duration (which is specified by the administrator in configuring DHCP), and the server’s IP address.
DHCP Request The client will receive “offers” from more than one source if there are multiple DHCP servers on the network that have available addresses. The client will accept the first offer that arrives, and will send back a message
91_tcpip_08.qx
2/25/00
11:10 AM
Page 425
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 425
called a DHCP Request. This is also a broadcast—so the other servers who made offers will know that they’ve been “rejected” and will release the addresses they had temporarily reserved for the client—which we might think of as a formal acceptance of the first server’s offer. It includes the IP address of the server whose offer is being accepted.
DHCP Acknowledgment The final message, the one that “clinches the deal,” comes from the DHCP server. It acknowledges the acceptance of its offer and assigns the IP address to the client for it to use for the duration of the lease period. It also includes other TCP/IP configuration information, such as the default gateway and subnet mask, and the addresses of DNS and WINS servers, if the client is configured to get this information through DHCP. After receiving this message, the client will be able to use the IP address for TCP/IP communications over the network. This last message is called an ACK. If the server is for some reason unable to complete the transaction, it sends instead a NACK, or negative acknowledgment.
NOTE A NACK occurs when a client attempts to lease an IP address it held previously, which has become unavailable, or if the client has relocated to a different subnet and the address it is trying to lease is now invalid.
Common DHCP Problems Next, we will look at some of the problems that can occur as this scenario plays out.
NOTE Windows 2000 Pro cannot be a DHCP server, although it can serve as a DHCP allocator, performing somewhat the same function, when set up to share its Internet connection as an ICS host.
Traditionally, most problems with DHCP fall into a few broad categories: ■ ■
Server configuration problems Client configuration problems
91_tcpip_08.qx
2/25/00
11:10 AM
Page 426
426 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems ■ ■
Unauthorized DHCP servers Unavailable DHCP server
We will discuss each of these, how Windows 2000’s TCP/IP enhancements help to reduce the frequency of these problems, and best practices for optimizing DHCP performance and decreasing the chances of problems.
Server Configuration Problems As might be expected, the majority of DHCP problems stem from incorrect initial configuration or failure to update the configuration on the DHCP server(s).
TIP Remember that the DHCP server itself cannot be a DHCP client; it must be manually configured with a static IP address and other TCP/IP configuration information.
In Windows 2000, Microsoft has incorporated the management of the DHCP server services into the Microsoft Management Console (MMC), providing a new, more standardized look and feel for administrators. See Figure 8.9 for an example of the DHCP management console snap-in. Figure 8.9 The DHCP server is configured from the MMC.
You can access the DHCP MMC via Start | Programs | Administrative Tools | DHCP on the server. If DHCP is not performing as expected across the network, the first thing you should check is the configuration on the DHCP server.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 427
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 427
NOTE If DHCP is not functioning at all, one thing to check is whether the DHCP service has been stopped. Windows NT administrators are used to stopping and starting services from the Services applet in Control Panel, but you won’t find that applet in Windows 2000 Server. Instead, right-click My Computer, choose Manage, and navigate down the tree in the left panel to expand Services and Applications. Select DHCP, right-click (or choose the Action menu), and select All Tasks. Here you can start, stop, pause, resume, or restart the service, as shown in Figure 8.10. Figure 8.10 Starting and stopping the DHCP service via the Computer Management MMC.
As you can see in Figure 8.10, you can perform configuration tasks such as creating new scopes, reconciling scopes, defining classes from the Computer Management snap-in, and starting or stopping the service.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 428
428 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
These tasks can also be performed from the DHCP MMC accessed through Administrative Tools; this can be confusing when you first start working with Windows 2000.
Scopes and Address Pools In the context of DHCP, a scope is a group of consecutive IP addresses that can be allocated to clients on a subnet. For example, a scope might be defined as 192.168.1.140 through 192.168.1.160. Note that these addresses are contiguous. To define a scope, simply click DHCP in Computer Management, and on the Action menu, select New Scope. This will start the New Scope Wizard, which walks you painlessly through the process. A scope must have a name, a range of IP addresses, and a subnet mask. You can also define the lease duration, reserve certain addresses for certain DHCP clients, and define options.
NOTE After you define the scope, you must activate it before it will be used by DHCP.
In some cases, you may want to exclude certain addresses within the scope’s range from being offered to DHCP clients, such as those used by routers or computers with manually configured static addresses. For instance, if you have three DNS servers on the network with manually configured IP addresses that fall within the scope, you would exclude those addresses (another option is to reserve addresses for those computers, so that DHCP will assign them the same addresses each time they request a lease, as we will discuss a little later in the chapter). Suppose the manually assigned IP addresses of the three DNS servers are: 192.168.1.150 192.168.1.151 192.168.1.152 You don’t want DHCP handing out those addresses to its clients, or you will end up with an IP address conflict. You can define an exclusion range of 192.168.1.150 through 192.168.1.152, and those addresses will be excluded from the DHCP scope. You can choose to exclude a range of addresses during the creation of the scope, using the New Scope Wizard. To exclude a range of addresses after the scope has been created, simply expand the Scope object in the left panel of the MMC, and right-click
91_tcpip_08.qx
2/25/00
11:10 AM
Page 429
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 429
Address Pool. Choose New Exclusion Range, as shown in Figure 8.11, and the Exclusion Range dialog box will be displayed. Enter the first and last address in the range of addresses that you wish to exclude, or to exclude just one address, enter it in the Start field (not in both fields). Figure 8.11 You can exclude a range of IP addresses from the DHCP scope.
Common Problems Associated with Scopes and Address Pools Common problems that arise in relation to DHCP scopes include: ■
■ ■
■
Not excluding the addresses within the scope range that have been assigned to routers, network print devices, or computers whose IP addresses were configured manually. Specifying an incorrect subnet mask. Defining too small a scope so that the DHCP server does not have enough IP addresses to assign to all requesting DHCP clients. Not activating the scope after defining it. To activate the scope, right-click the scope you want to activate under DHCP in Computer Management, and select Activate, as shown in Figure 8.12.
91_tcpip_08.qx
2/25/00
11:10 AM
Page 430
430 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Note in Figure 8.12 that Windows 2000 places a warning icon by the scope name to notify you that it has not yet been activated. Figure 8.12 After creating the scope, you must activate it before DHCP can use it.
Superscopes When a single physical network segment consists of more than one logical IP subnet, and when two DHCP servers are tasked with managing separate logical subnets on the same physical network, Microsoft recommends that you implement a superscope. This allows DHCP servers to assign addresses from more than one scope to the same subnet. Without superscopes, this situation may cause DHCP clients to receive NACKS when they come online and attempt to renew their previous leases, and/or when a new address is obtained, it might put the client on a different subnet from the one for which it had been configured before. Superscopes prevent these problems by allowing each of the two DHCP servers to recognize and “respect” addresses assigned by the other. To configure superscopes, all of the DHCP servers on the segment are set up to recognize all subnets on the segment. Exclusion ranges are used on each server to prevent their address ranges from overlapping. In other words, you configure each server so that its superscope includes all the
91_tcpip_08.qx
2/25/00
11:10 AM
Page 431
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 431
subnets, including those whose addresses are allocated by other DHCP servers. You then set up exclusion ranges for the addresses that are allocated by the other servers. This way, each server will recognize all the addresses in the superscope as valid, but will only allocate those addresses that are not excluded in its configuration.
Lease Duration As we already learned, when a DHCP server allocates an IP address to a client, it does not grant permission to use that address permanently. Instead, it “leases” the use of the address for a specified period of time, called the lease duration. During the creation of a new scope, the Windows 2000 New Scope Wizard allows you to change the default lease duration of eight days, as shown in Figure 8.13. Figure 8.13 The New Scope Wizard allows you to change the duration of DHCP leases.
You are not, however, stuck with the lease duration that is set during the scope creation. You can change the duration of leases handed out by the server at any time, by editing the Properties page for the scope. Right-click the name of the scope for which you wish to change the lease duration, and select Properties. You will see the dialog box shown in Figure 8.14. As you can see, the duration can be set to the number of days, hours, and minutes desired, just as could be done during the creation of the
91_tcpip_08.qx
2/25/00
11:10 AM
Page 432
432 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Figure 8.14 You can change the lease duration for DHCP clients through the Scope Properties sheet.
scope. Another option you have, which was not given by the New Scope Wizard, is to choose not to limit the duration of the DHCP leases. In that case, clients will retain their leases until the lease is manually released.
WARNING It is usually not desirable to set the lease duration to unlimited, because this means that even if the computer holding the lease goes offline forever, that IP address cannot be reused until or unless the lease is manually released.
If a DHCP client goes down, the administrator can force the lease to be released by right-clicking Address Leases under the Scope name in the console, selecting the IP address/computer name combination for the lease to be released in the right pane, right-clicking and selecting Delete, as shown in Figure 8.15. This will free the IP address to be allocated to another DHCP client.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 433
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 433
Figure 8.15 You can manually force a DHCP to be released by deleting the lease in the management console.
NOTE If you find that all of the IP addresses in the scope are being used even though you have fewer computers on the network than the number of addresses to be allocated, check the Address Leases to determine if RRAS is assigning multiple DHCP addresses to the same computer(s). In Figure 8.15, those IP address leases that have icons showing a telephone beside the computer are assigned by RRAS.
The Lease Renewal Process If you sign a one-year lease for a house, and you wish continue living on the property, you probably will not wait until the day the lease is up to negotiate a renewal of the lease with the landlord. If you did, you might find yourself out on the streets with no place to live. Similarly, DHCP clients “think ahead” to ensure that they aren’t left high and dry without an IP address when their leases expire.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 434
434 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
When the lease period, as set in the lease duration configuration, is halfway expired, the DHCP client will send a message to the DHCP server requesting a renewal of the lease (as you can see, DHCP clients plan further ahead than do most residential tenants). Normally, the DHCP server then renews the lease. But what if the server from which the lease was obtained has gone down? The client will try again when 87.5 percent of the lease has expired. The first renewal attempt is made by sending a DHCP Request directly to the DHCP server holding the lease. If no response is received, the client tries to obtain a lease from any available DHCP server, broadcasting a DHCP Request. If the client doesn’t get a response from any DHCP server (or if it gets a negative response) before the expiration time is up, it cannot continue to use the address. At that point, it must start all over with the leasing process in order to be assigned a new IP address.
TIP You can force the client to manually request a renewal of its lease at any time by using the ipconfig /renew command.
Common Problems Associated with Lease Duration The network problems commonly associated with lease duration can be solved or reduced by taking advantage of Windows 2000’s option to change the duration as shown in the foregoing section. These problems include: Network slowdown caused by excessive lease renewal traffic. Looking back at the process for obtaining and renewing DHCP leases, you can see how DHCP is capable of adding a lot of network traffic. This is especially true if the network is large, with many DHCP clients. You can alleviate some of the congestion by extending the lease period beyond the default if there are plenty of IP addresses available and the clients are stable. In this case, you might consider increasing lease duration to 21 or even 30 days. Inefficient use of DHCP addresses resulting in server(s) not having enough addresses for all requesting clients. This problem can occur when there is a limited number of IP addresses in the DHCP scope and you have an unstable client situation; that is, computers configured to use DHCP that move on and off the network, as with laptop/notebook systems. DHCP client computers running Microsoft operating systems do not release their leases when they shut down, so if laptops are removed from the network,
91_tcpip_08.qx
2/25/00
11:11 AM
Page 435
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 435
their leases will still be assigned to them for the duration of the lease even though they are not being used. If this happens, you may find it beneficial to decrease the lease duration to a shorter period than the default, so addresses will be more quickly returned to the pool of available addresses to be assigned to other clients.
Reserved Addresses Some computers—primarily servers—need to always have the same IP address. One way to accomplish this is to manually configure their TCP/IP properties, but this means that if other TCP/IP configuration information changes (for instance, the address of the WINS server), they will all have to be manually changed. There’s a way to allow these computers to enjoy the benefits of DHCP, such as the ability to make those changes on the DHCP server and have it automatically disseminated to the clients, and still ensure that the computers that need to always have the same address can. This is accomplished by assigning reserved addresses to those computers. Adding a reserved address is easy in Windows 2000. Right-click Reservations under the Scope in the MMC, and select New Reservation. You will see a dialog box, as shown in Figure 8.16. Figure 8.16 You can make an address reservation for a client that needs to always have the same address.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 436
436 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
1. Type in a name for the reservation, the IP address to be reserved, and the physical (MAC) address of the computer for which you are reserving the address. 2. The Description field is optional. 3. You must choose the allowed client type (DHCP, BOOTP, or both). 4. Click ADD to enter the new reservation into the DHCP database.
WARNING The MAC address must be entered correctly or the DHCP server will not assign the reserved address to the computer. Although the reservation name can be the name of the client computer, the DHCP server uses the hardware address to recognize the computer for which an address reservation is made. Unlike when you enter the MAC address to configure a static arp cache entry, you must NOT put dashes in the MAC address when you configure a client reservation at the DHCP server.
Determining the Physical Address of a Computer To find the hardware address of a computer while sitting at the computer itself, type ipconfig /all at the command line. To find the hardware address of another computer on the network, first ping the computer name if you don’t know its IP address. When you have the IP address, type arp –a at the command line to find its physical address. If you have the Windows 2000 Resource Kit, you can use the getmac utility.
NOTE Although the MAC address is displayed in the ipconfig and arp utilities with dashes between each pair of hexadecimal digits, do not use dashes when you enter the MAC address in the New Reservation dialog box.
DHCP Options There are four types of DHCP scope options, in increasing order of specificity: ■ ■
Server options Scope options
91_tcpip_08.qx
2/25/00
11:11 AM
Page 437
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 437 ■ ■
Client options Class options
Server options. These are the default options that are applied to all scopes configured on a particular DHCP server. You can use them to define configuration information used by all the client computers, such as the address of the WINS or DNS server. Scope options. As the name implies, these apply only to clients whose addresses are leased from the specified scope. This allows you to set information specific to a particular subnet (when there is a separate scope for each subnet) such as the default gateway address. Client options. In some cases, you may need to define options that apply only to a specific client or clients. These are used for clients with reserved addresses. Class options. When you use the Server, Scope, or Client Options dialog boxes, you can use the Advanced tab to configure and enable options for clients that are members of a specified user or vendor class. Only the DHCP clients that identify themselves according to the criteria for the selected class will be given the options data you have set up for that class.
How to Configure Options To configure the Server options, right-click Server Options in the left pane of the console, and select Configure Options. To configure Scope options, right-click Scope Options and do the same. Configuration of client options is a little trickier. First, you must have a client reservation. Expand the Reservations container, select the client reservation for which you wish to configure client options, right-click it, and select Configure Options (shown in Figure 8.17).
NOTE Some Microsoft documentation refers to the Server options as “Global” options. Class options are new to Windows 2000. Microsoft provides three predefined classes: a default user class, the Microsoft Dynamic BOOTP class, and the Microsoft RRAS class, as shown in Figure 8.18. Options are applied in the following order of priority: 1. Specific client options are used before scope or global options. 2. Scope options are used before Server options.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 438
438 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
3. Class options can override values assigned and set at the same context (server, scope, or client options) or the values that are inherited from options at a higher context. Class options are divided into two types: user class and vendor class. The most commonly used options include: Figure 8.17 Client options can only be configured for clients with address reservations.
■ ■ ■ ■ ■
IP addresses of routers. IP addresses of DNS servers. DNS domain name. NetBIOS node type. IP addresses of WINS server.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 439
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 439
Figure 8.18 Class options apply only to members of specified classes.
NOTE Class-based options only apply to DHCP clients that are identified as members of the specified user or vendor class.
Monitoring the DHCP Server Another improvement that Microsoft has made in Windows 2000 includes enhancements to the ability to monitor and provide statistical information for the DHCP server(s). A common DHCP-related problem is the depletion of available IP addresses, so Windows 2000 allows you to set up a predefined point at which an alert will be sent informing you that the specified percentage of available IP addresses has been used (you can also configure a second notice to be sent when the addresses are all gone). The Windows 2000 DHCP management tool supports the Simple Network Management Protocol (SNMP), as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000,” for
91_tcpip_08.qx
2/25/00
11:11 AM
Page 440
440 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
monitoring of DHCP-related statistics. There is a great deal of useful information available via the DHCP manager, including the number of DHCP Discover, Offer, Request, and ACK/NACK messages that have been sent since the server last started (see Figure 8.19). Figure 8.19 The DHCP management administrative tool displays statistical information.
To access the statistical information, go to Start | Programs | Administrative Tools | DHCP. In the DHCP Manager, right-click the DHCP server name, and select Display Statistics. As you can see, the statistical summary provides you with the number of scopes configured, total addresses allocated for assignment, how many of those are in use, and how many are still available.
NOTE Another source of information about DHCP activities is the Event Viewer, which logs informational, warning, and error messages, and DHCP audit logs if you have logging enabled.
The DHCP Database The DHCP database can become corrupt, or data might be accidentally deleted or destroyed due to hardware problems, power problems, viruses, or other reasons.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 441
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 441
The database files are stored in <systemroot>\System32\DHCP and include the following files: ■ ■ ■ ■
Dhcp.mdb Dhcp.tmp J50.log and J50#####.log J50.chk
NOTE Do not remove or alter these files. You may be accustomed to deleting temp files to free disk space; however, the Dhcp.tmp file is used as a swap file, and Microsoft documentation warns that it should not be deleted.
Windows 2000 backs up the DHCP database by default at one-hour intervals. You can edit the Registry to change the backup interval. To do so, use a Registry editor to open the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP \Parameters
WARNING Always back up the Registry before making changes. Editing the Registry should always be done with care, as incorrect entries could cause the system to become unbootable.
Edit the value BackupInterval by entering the number of minutes desired between database backups, as shown in Figure 8.20. By default, the value is shown in hexadecimal, but you can convert it to decimal by selecting the appropriate radio button.
NOTE The DHCP database backup files are stored on the DHCP server in the <systemroot>\System32\DHCP\Backup\Jet directory. A copy of the DCHP\Parameters subkey of the Registry is stored in the Backup directory with the file name DHCPCFG.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 442
442 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Figure 8.20 Edit the Registry to change the interval between DHCP database backups.
If the operating system detects that the DHCP database has become corrupt, it will automatically restore from backup when the service restarts. To manually restore the database from the backup files, you must edit the Registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\DHCPServer\Parameters and set the RestoreFlag value to 1.
NOTE It is not necessary to edit the Registry again to reset the RestoreFlag entry. After the database is restored, the server will automatically return the value to 0.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 443
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 443
If you are unable to edit the Registry entry, another way to restore the database is by copying the <systemroot>\System32\DHCP\Backup\Jet folder to <systemroot>\System32\DHCP. Be sure you stop the DHCP service before copying the files. After you have copied the files, restart the DHCP service to restore the database.
Client Configuration Problems A number of problems can affect a DHCP client’s ability to use the service. If other DHCP clients on the subnet are having no problems obtaining and using IP addresses, and if you have checked and determined that the server’s address allocation has not been depleted, this indicates the problem is related to the configuration or operation of the client computer.
Client Cannot Obtain an IP Address This indicates that the client machine was not able to reach a DHCP server. There could be many causes for this, including a hardware problem. Be sure the client has a network connection to the server by pinging the server from the client computer. If you cannot, check cables, NICs, and other hardware devices. If you can ping the server from other computers on the same subnet, check the client computer’s protocol configuration. Be sure TCP/IP is installed and functioning by pinging the loopback address (127.0.0.1).
TIP If you are using a DHCP Relay Agent, make sure that the machine is functioning and that its IP configuration parameters are correct. A common error is adding the DHCP Relay Agent service and then failing to configure a DHCP server for it to contact.
Client Has an Invalid IP Address If the client is unable to communicate with other computers on the network, and ipconfig indicates that the client is using an address that is invalid for the subnet (from the 169.254.0.1 through 169.254.255.254 range), this indicates that the client was unable to contact a DHCP server and assigned itself an address via APIPA. Try to ping the server. If you are able to do so, try manually renewing the lease. To disable APIPA, see the section Automatic Private IP Addressing earlier in this chapter.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 444
444 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Client Is Missing Configuration Information If the client was assigned an IP address by the DHCP server but did not properly receive additional configuration information, such as the DNS server address, ensure that the client supports the options and that the options have been properly configured at the server.
Multiple Clients Are Suddenly Unable to Obtain IP Addresses If many clients become unable to obtain leases for IP addresses, check the following: ■
■
■
■
Ensure that the DHCP server is up, and that its IP address has not been changed. Ensure that the DHCP server’s IP address is in the same network range as the scope it is servicing. Be sure that you don’t configure multiple DHCP servers on the same subnet with overlapping scopes. If you are using Active Directory domains, be sure that the DHCP server has been authorized in the Active Directory.
NOTE If one of the DHCP servers is running Microsoft Small Business Server, be aware that the DHCP Server service in the SBS will automatically stop if it detects that there is another DHCP server on the local subnet.
Other Common DHCP Problems Most of the time, DHCP works well, saving administrators a lot of time and headaches. However, as with any other service, things can go wrong. Microsoft has attempted to address and prevent potential problems as much as possible in Windows 2000, but you should be aware of some of the common DHCP-related problems that can occur.
Unauthorized (“Rogue”) DHCP Servers Problems can occur on a network when there are unauthorized DHCP servers. Perhaps someone configured a server as a DHCP server by mistake, or in order to practice with the service. The “rogue” server could begin handing out IP addresses—perhaps in a range that is invalid for the subnet—when DHCP clients broadcast a Discover message. This would result in those clients being unable to communicate with other clients on the subnet whose addresses were allocated by the authorized server.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 445
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 445
Windows 2000 attempts to prevent this situation by building in a feature to disallow address allocation by DHCP servers that have not been authorized by an administrator in the Active Directory. No responses will be returned to DHCP inform messages sent by unauthorized servers. When a Windows 2000 DHCP server comes online, it attempts to check the Directory to determine if it is authorized. If not, it does not respond to DHCP client requests.
NOTE Unfortunately, this detection/prevention of “rogue” DHCP servers only works with Windows 2000 servers. A Windows NT 4.0 DHCP server will not be detected as a “rogue.”
DHCP Clients and Server on Different Subnets In order for a DHCP server to provide IP addresses to clients across a router, the router must be able to act as a DHCP relay agent, or there must be a machine that is running the DHCP relay service on the client subnet. A Windows NT 4.0 or Windows 2000 server can be configured to run as a DHCP relay agent. However, most modern routers are able to support DHCP/BOOTP relay.
NOTE DHCP/BOOTP relay agent specifications are described in RFC 1542.
Multiple DHCP Servers The Microsoft documentation suggests that if you have multiple DHCP servers, you should put them on different subnets for fault-tolerance purposes. The servers should not have common IP addresses in their scopes (each server should have a unique pool of addresses). With the routers configured for relay or a DHCP relay agent on each subnet, if the DHCP server on the local subnet goes down, requests will be relayed to a remote subnet. Then, the DHCP server on the remote subnet can respond to DHCP requests—if it contains a scope of IP addresses that are valid for the requesting subnet.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 446
446 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
WARNING If the remote server does not have a scope defined for the requesting subnet, it won’t be able to provide IP addresses to the requesting clients even if it has addresses available for other scopes.
By configuring each DHCP server with a pool of addresses for each subnet, each will be able to provide IP addresses for remote clients whose own DHCP server is offline.
Automatic Addressing (APIPA) The automatic addressing feature in Windows 2000 (first introduced in Windows 98) was designed to solve a common problem with DHCP: In earlier Microsoft operating systems, when a computer that was configured to be a DHCP client came online and no DHCP server was available, it had no way of obtaining an IP address and thus could not communicate using IP. APIPA circumvents this situation by giving DHCP clients a “contingency plan.” When the computer comes online, it will first attempt to reach a DHCP server to obtain an address, but if it fails to do so, using APIPA it can assign itself a temporary IP address to use until the DHCP server is back up. This is all well and good, but not always as useful as it sounds. The problem is that the addresses assigned by APIPA come from a range reserved for that purpose, the class B 169.254.0.0 network with a subnet mask of 255.255.0.0. This means the computer will only be able to communicate with other computers whose addresses were also assigned by APIPA, or that were manually configured to use 169.254.x.x addresses. Assuming your network uses a different network ID, the APIPA computer won’t be able to communicate over IP with the rest of your network, and automatic addressing serves little purpose.
NOTE Use the ipconfig command to determine whether a computer is using an APIPA address. If the IP address being used by the computer is in the 169.254.x.x range, an APIPA-assigned address is being used.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 447
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 447
You may wish to disable APIPA, especially if your network uses routers, and/or the computers on your network are all connected directly to the Internet without going through a proxy server or a NAT gateway. See the following section for instructions.
NOTE APIPA can also be used during the Windows 2000 setup process to automatically assign temporary addresses in order to get the servers up and running quickly. This is an option in the Networking Settings dialog box when you select Typical settings.
How to Disable APIPA To disable automatic address configuration, you have to edit the Registry. 1. Use a Windows 2000 registry editor (Regedt32 or Regedit) to open the Registry. 2. Locate the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ Parameters\Interfaces\adapter_name
3. You must create a new value of the REG_DWORD type. Name the new value as follows: IPAutoconfigurationEnabled
4. Now double-click the new value name when it appears in the right pane, and assign it a value of 0 (“False”) to turn off APIPA. You can reenable APIPA at a later time by editing the key and changing this value to 1, or by deleting the IPAutoconfigurationEnabled entry (if it does not exist, the default value of 1 is in effect).
WARNING You should always back up the Registry before making any changes.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 448
448 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
NOTE If you have more than one network adapter and you wish to disable APIPA on all of them, you don’t have to individually edit each adapter’s parameters. Instead, you do it in one fell swoop by creating the IPAutoconfigurationEnabled entry and setting it to 0 in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Tcpip\Parameters
Hardware Address Problems The ARP command-line utility is your best starting place for troubleshooting problems related to hardware addresses. Use the arp –a command to view the current ARP cache. If IP addresses have been reassigned, it is possible that the cache contains the old IP-to-MAC address mapping. Although dynamic entries are cleared from the cache within 10 minutes, this problem would be more likely to occur if a static entry had been made, since it would then remain in the cache until the computer was rebooted.
TIP If you want to remove a static entry from the arp cache, use the arp –d command.
Duplicate MAC Addresses In theory, this problem should never occur. Each network card manufacturer is allocated a range of hardware addresses to be assigned to the computers it manufactures, and there should be no two NICs in the world with the same hardware address. However, like IP addresses, MAC addresses have become less plentiful, and some manufacturers have started to reuse addresses. Additionally, errors do occur in the manufacturing process, and cards have shipped accidentally with duplicate addresses. This is not a problem if the two NICs with identical addresses end up on separate networks.
Troubleshooting Subnetting Problems Let’s now delve into the subject of subnet masking. We are going to use the principle of reserving or masking bits as we did with the Net ID
91_tcpip_08.qx
2/25/00
11:11 AM
Page 449
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 449
portion of the address earlier, but this is going to be a little more complicated. Subnetting a network means dividing it into two or more smaller networks (called, appropriately enough, subnets). There are several reasons why you might want to subnet your network ID. When you receive a group of IP addresses to use on the Internet, you are assigned a network ID and a subnet mask. Of course, most people get their IP addresses from their ISPs, who have already assigned you a subnet mask for the group. Assignment of public IP addresses to internal network clients isn’t as big an issue for medium to large companies now as it once was, because most of them are using proxy servers and NAT. But whether you are using private or public IP addresses, the principles we discuss in this section will apply; they just are not as stringent when working with private IP address classes.
Why Divide the Network? A network ID is typically subnetted to allow for multiple physical segments. Each physical segment should have its own network ID. If you have 10,000 computers and are given the network ID 12.0.0.0 with a subnet mask of 255.0.0.0, this would work—in theory. However, all the machines would be on the same physical network, and it is likely that the broadcast traffic would be so intense that no communication could take place. If you were given a class B network ID of 169.254.0.0 and a subnet mask of 255.255.0.0, you could likewise put all your hosts on the same network ID, but then again, the amount of broadcast traffic that would be generated makes this a bad idea.. Even if you only have 120 clients and are given the class C network ID of 206.136.88.0 and a subnet mask of 255.255.255.0, you still would end up with all 120 clients on the same network. Because of the nature of Ethernet and Windows networking’s NetBIOS traffic, that is still too many for good performance. The maximum number of clients on a single segment is optimally less than 50. Networks that use private address classes don’t have as much of a problem, since they are free to use whatever private network IDs they want. If you choose to use the private address class 192.168.0.0 with a subnet mask of 255.255.255, you could theoretically create 256 networks with 256 clients each, which would be the same as a single class B network. You just configure your routing tables to accommodate each network. Those using public IP addresses don’t have this luxury, though, and they have to learn how to subnet the network IDs they are provided with by either IANA or their ISP.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 450
450 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Subnetting Scenario 1 Let’s say we were given a class C Net ID. How many Host IDs are available in a class C network? How many bits are used for the Net ID? A class C Net ID uses the first three octets, so it uses 24 bits, leaving only 8 bits for Host IDs. How many Host IDs for each class C Network then? The answer is 28=256, and then subtract two for the all 0s and all 1s, which gives us 254 Host IDs per class C network. We certainly don’t want 256 hosts on a single network for our business. Also, we might want to have some hosts on a network in another state. What we could do is “split” up the Net ID in such a manner that we can have some of our hosts on a different physical network in another state, and some in our local office. Breaking up a Net ID into multiple “subnetworks” is called “subnetting.”
Subnetting Scenario 2 Let’s look at another example: What if we got a class B Net ID? How many Host IDs are there on a class B Network? How many bits are available for a class B Host ID? Well, the Net ID is going to take the first two octets, so that’s 16 we have to take away from the total of 32 available. That leaves us with 16 bits to use for Host IDs. How many Host IDs can we have? 216=65536 and then subtract two for the all 0s and all 1s, which gives us 65,534. Now, if the InterNIC gives us a class B Net ID, do we really want all 65,000 hosts on the same subnet? The broadcast traffic would be so bad that no useful network activity could take place. So, we definitely have to break up those Net IDs into smaller chunks so that we can get a reasonable number of hosts on each physical segment, or subnet.
Subnets Remember that IP determines whether a message is for the local or remote host. If the destination is local, IP will have ARP broadcast for the destination host’s MAC address. If it is remote, IP will ARP broadcast for the default gateway, and then send the message to the default gateway. So, IP is like the post office employee, who first checks the ZIP code to see if it is local before bothering to check the house number and street address. Each subnet is like a different ZIP code within the same city. If the Net ID represents the city, then each neighborhood has its own ZIP code, or subnet.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 451
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 451
Subnet Masks How does IP figure out what your Net ID and Host ID are? Well, IP isn’t as smart as we are, because it doesn’t know about the rules regarding the high order bits and their connection to the IP address class. Rather, IP has to use something called a subnet mask to tell it which part of the IP address is the Net ID and which part is the Host ID. The subnet mask “masks” the Net ID portion of the IP address. It does this by covering up with 1s the Net ID and leaving “open” the Host ID with 0s. The default subnet masks are: Class A: Class B: Class C:
255.0.0.0 255.255.0.0 255.255.255.0
Or in binary: Class A: Class B: Class C:
11111111.00000000.00000000.00000000 11111111.11111111.00000000.00000000 11111111.11111111.11111111.00000000
How does IP use the subnet mask? All IP really cares about is whether the destination IP address is local or remote, so that it will know whether to broadcast or send the request to the default gateway.
ANDing The process that IP uses to determine whether the destination host is local or remote is called bitwise ANDing. In bitwise ANDing, the rules are: 1 AND 1 = 1 1 AND 0 = 0 0 AND 0 = 0 This is how it’s done: IP Address: 192.168.1.1 Subnet Mask: 255.255.255.0 In binary: IP Address: Subnet Mask: ANDed:
11000000.10101000.00000001.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000001.00000000
This will be the ANDed result of the machine originating a message. Let’s suppose this computer wants to send a message to: IP Address: 192.168.3.1 Subnet Mask: 255.255.255.0
91_tcpip_08.qx
2/25/00
11:11 AM
Page 452
452 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
In binary: IP Address: Subnet Mask: ANDed:
11000000.10101000.00000011.00000001 11111111.11111111.11111111.00000000 11000000.10101000.00000011.00000000
Now, we compare the ANDed results of the originating and destination hosts: Sender: Destination:
11000000.10101000.00000001.00000000 11000000.10101000.00000011.00000000
If the results are the same, IP will use a local subnet ARP broadcast because the two computers are on the same subnet. If the results are different, it will forward the request to the default gateway. In the preceding example, the ANDed results are different. IP will forward the message to the default gateway.
Tricking IP It is by manipulating the subnet mask that we can “trick” IP into thinking that there are more digits in the Net ID than the default number of digits defined by each class. Remember the default number of binary digits for the Net ID in each IP address class? Class A: 8 Class B: 16 Class C: 24 By manipulating the subnet mask, we can allow for more digits to be used for the Net ID by stealing some digits from the Host ID portion of the IP address. We can use the subnet mask to break up a Net ID into several subnetworks, and in that way trick IP into sending the message to the router so that it can get to the destination subnet. The routers will have the routing information to guide the packet to its correct location.
Making the Mask When we use a subnet mask other than the default subnet mask, it is often called a custom or variable-length subnet mask.
Subnet Masking for a Class A Network Let’s look at the example of a class A network. The Net ID will be 75.0.0.0 and we’ll use the default subnet mask of 255.0.0.0. In binary:
91_tcpip_08.qx
2/25/00
11:11 AM
Page 453
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 453
NetID: Mask:
01001011.00000000.00000000.00000000 11111111.00000000.00000000.00000000
How could we break up this giant network into two separate subnetworks? Well, in binary, the number 2 is represented as 10. Therefore, it takes two bits to get the number 2. What we’ll do in order to get those two subnets we want is “steal” two bits from the Host ID portion of the IP address. So now, the subnet mask will look like this: Mask:
11111111.(11)000000.00000000.00000000
We could use any combination for those two bits we stole from the Host ID. Looking only at the second octet (the subnetted octet) of the IP address, what are the numbers that could comprise the second octet? (The masked bits are in parentheses.) 1. 2. 3. 4.
(01)000000 (10)000000 (11)000000 (00)000000
to to to to
(01)111111 (10)111111 (11)111111 (00)111111
However, we have to view the Subnet ID in isolation. The Subnet ID includes those bits reserved by the subnet mask to be used for the network ID that have been “stolen” from the Host ID. The Subnet ID must comply with the same rules as the Net ID and the Host ID: No all 0s or all 1s. So, we have to cross out the last two ranges because their Subnet ID is all 0s or 1s. So, range 1 in decimal is: 64–127 and range 2 in decimal is: 128–191 For the subnet mask itself, the second octet would be: (11)000000 = 192 indicating that we are taking two bits from the Host ID portion in the second octet. The all 0s or all 1s rule doesn’t apply to the subnet mask, since the 1s in the subnet mask just represent which bits in the IP address will represent the Net ID. We have broken up the entire network into two subnetworks, one with the Subnet ID of 64 and one with the Subnet ID of 128. How many Host IDs can we have on each subnet? How many bits are available for Host IDs after we’ve stolen two of them for the Net ID? Before
91_tcpip_08.qx
2/25/00
11:11 AM
Page 454
454 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
subnetting we had 24, but now we only have 22 after losing two of them to the subnet mask. That would be 222, which is 4,194,304, and then subtract 2 for the all 0s and all 1s, and that gives us 4,194,302 per subnet. Hey! What happened? If I use all the Host IDs for both subnets I created, I’ll have: 4,194,302 x 2 = 8,388,608 Host IDs If I hadn’t subnetted my network, I would have had: 224 = 16,777,216 The moral of the story? The more subnets you create, the more Host IDs you’re going to lose. So, for our class A network with a Net ID of 75.0.0.0 and subnet mask of 255.192.0.0, our two subnet address ranges are: From: To:
01001011.(01)000000.00000000.00000001 (75.64.0.1) 01001011.(01)111111.11111111.11111110 (75.127.255.254)
And the second range: From: To:
01001011.(10)000000.00000000.00000001 (75.128.0.1) 01001011.(10)111111.11111111.11111110 (75.192.255.254)
NOTE Remember that the more subnets you create, the fewer hosts you will be able to have on the networks.
By using the custom subnet mask of 255.192 on the class A network, we see that we stole two bits from the second octet to give to the Net ID, and that those two digits actually represent something called the subnet ID. What is the significance of 192? 192 in binary is 11000000, which indicates that two digits will be used for the Net ID that would have otherwise been used for the Host ID. What if our subnet mask were 224? What is 224 in binary? (111)00000 A subnet mask of 224 would indicate that we would be taking three digits from the Host ID portion and giving them to the Net ID. How many subnets could we create with a subnet mask of 224? What is the number of possible combinations that we can create from three bits?
91_tcpip_08.qx
2/25/00
11:11 AM
Page 455
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 455
000 (0) 001 (32) 010 (64) 011 (96) 100 (128) 101 (160) 110 (192) 111 (224) (the numbers in parentheses represent the Subnet ID in decimal). Did you notice something about the progression of Subnet IDs? In this case, it is 32, which just happens to be the value of the last position in the Subnet ID (for example, Subnet ID 64 is 010xxxxx; that makes it the 6th position from the right in the octet, which has the value of 32). The value is called the block value. Each subnet represents a block of IP addresses. Remember that our Subnet ID can’t be all 0s or all 1s. Therefore, we have to throw out the first and last Subnet IDs listed above. That would give us six subnets that we could use if we have a subnet mask of 224. Another way to figure this out is 23 = 8, and then subtract 2 for the all 0s and all 1s, and that gives us six subnets. What if we stole four digits from the Host ID to give to the Net ID? We can use the formula! 24 = 16, and then subtract 2 for the all 0s and all 1s, and that gives us a total of 14 subnets when we steal four bits from the Host ID. What would that subnet mask octet be? 11110000 = 240. So, if we want to break up a network into 14 useable subnets, we could use the subnet mask of 240. What do you think the block value would be in this case? We are stealing four digits from the Host ID. Therefore, a possible octet value could be 0110xxxx (the xs represent the Host ID portion of the octet). The rightmost digit of the Net ID portion is the 5th digit of the octet, and the 5th digit’s binary value is 16. Thus, the block value is 16 when your subnet mask is 224.
Subnet Masking for a Class B Network Let’s take another example from a class B network address. Our Net ID is 144.17.0.0. Using the information we’ve just learned, how could we create six subnets outs of this class B network? How many binary digits would be required to come up with 6? One won’t be enough, because 21 = 2. Two won’t be enough, because 22 = 4. How about three? 23 = 8, and then remember to subtract 2 for the all 0s and all 1s Subnet IDs. That will give us a total of six subnets if we steal three digits from the Host ID. On a
91_tcpip_08.qx
2/25/00
11:11 AM
Page 456
456 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
class B network, octets y and z are used for the Host ID, so we’ll steal two digits from the y octet in order to create our six subnets. What will the subnet mask be in this case? (111)00000 = 224 These are the valid IP address ranges in this case: Range 1 10010000.00010001.(001)00000.00000001 (144.17.32.1) to 10010000.00010001.(001)11111.11111110 (144.17.63.254) Range 2 10010000.00010001.(010)00000.00000001 (144.17.64.1) to 10010000.00010001.(010)11111.11111110 (144.17.95.254) Range 3 10010000.00010001.(011)00000.00000001 (144.17.96.1) to 10010000.00010001.(011)11111.11111110 (144.17.127.254) Range 4 10010000.00010001.(100)00000.00000001 (144.17.128.1) to 10010000.00010001.(100)11111.11111110 (144.17.159.254) Range 5 10010000.00010001.(101)00000.00000001 (144.17.160.1) to 10010000.00010001.(101)11111.11111110 (144.17.191.254) Range 6 10010000.00010001.(110)00000.00000001 (144.17.192.1) to 10010000.00010001.(110)11111.11111110 (144.17.223.254) (The Subnet ID portion is in parentheses within the binary IP addresses.) What address ranges did we lose here? What Subnet IDs are illegal when we are using three bits for our Subnet ID?
91_tcpip_08.qx
2/25/00
11:11 AM
Page 457
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 457
000 111 Remember, the all 0s and all 1s won’t work! 10010000.00010001.(000)00000.00000001 (141.17.0.1) to 10010000.00010001.(000)11111.11111110 (144.17.31.254) 10010000.00010001.(111)00000.00000001 (144.17.224.1) to 10010000.00010001.(111)11111.11111110 (144.17.255.254) In effect, we lose the first and the last blocks. What is the block size in this example? What is the rightmost digit in the Subnet ID? It is digit 6 in the octet, so that block value is: 32. Thus we see that Subnet IDs 0 (0–31) and 224 (224–255) are lost!
TIP The first and last block values will always be lost when we calculate our ranges of legal IP addresses.
Subnet Masking for a Class C Network The last example is that of a class C address. Let’s say that we have a class C Net ID of 211.40.88.0 and we want to break it into 14 subnets. How many binary digits does it take to create 14 subnets? Three will only create 6 (8–2), so that won’t be enough. If we use four binary digits, that will give us 24 = 16, and then we subtract 2 for the all 0s and all 1s, and we get 14 valid Subnet IDs. 211.40.88.17 to 211.40.88.30 211.40.88.33 to 211.40.88.46 211.40.88.49 to 211.40.88.62 211.40.88.65 to 211.40.88.78 211.40.88.81 to 211.40.88.94 211.40.88.97 to 211.40.88.110 211.40.88.113 to 211.40.88.126 211.40.88.129 to 211.40.88.142 211.40.88.145 to 211.40.88.158
91_tcpip_08.qx
2/25/00
11:11 AM
Page 458
458 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
211.40.88.161 211.40.88.177 211.40.88.193 211.40.88.209 211.40.88.225
to to to to to
211.40.88.174 211.40.88.190 211.40.88.206 211.40.88.222 211.40.88.238
What is the block size in this case? With a 4-bit subnet mask, the rightmost digit in the mask is digit 5 in the octet. The 5th digit in the octet’s binary value is 16, so the block size is 16. That explains why the first and last blocks are missing. 211.40.88.1 to 211.40.88.16 and 211.40.88.239 to 211.40.88.254 But look at the gaps in the other IP address. What happened to 211.40.88.31 and 211.40.88.32? Look at the last octet of those two IP addresses: (0001)1111 (0010)0000
NOTE In both cases, we have an illegal Host ID number, being either all 0s or all 1s. You will find that to be the case for all the missing IP addresses. The Host ID or the Subnet ID will be illegal. Remember, the first and last member of the block is always illegal. So, in this case, with a class C address and a block size of 16, we will only have 14 legal IP addresses per subnet. Note: Be aware that this is the traditional approach to subnet masking as taught in the Microsoft Windows NT 4.0 official training curriculum. In fact, in the field you will see that the Subnet ID portion of the network ID is not restricted to the “no all 0s and 1s” rule, and that the Subnet ID is incorporated into the network ID as a single entity. The same rules apply regarding the Host ID not being all 0s or 1s, and the network ID should not be all 0s or 1s either. Of course, if you are configuring your own routers, you have a lot of latitude regarding what addresses the router should consider legal and illegal.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 459
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 459
Errors in Subnet Masking Let’s look at a common error and see what happens when it occurs. The most common error is when one of the clients on the segment has been configured with the wrong subnet mask. This is most likely done when a machine has a manually configured IP address, and the technician entered a wrong digit in the subnet mask text boxes. For example, a machine is configured with the IP address 192.168.1.33 and a subnet mask of 255.255.255.224. The rest of the machines on the network are configured with IP addresses of 192.168.1.x with a subnet mask of 255.255.255.240, with the default gateway for that network having an IP address of 192.168.1.17. What happens when the client tries to contact another computer on the same segment? If the machine is able to obtain the IP address of another computer on the same segment, it will recognize the other computer’s IP address as being on a different subnet, and will send the message to the default gateway. Why would the client assess that any other computer on the segment would be on a different subnet? Our incorrectly configured client is configured to be on Subnet ID 32, or network ID 192.168.1.32/27. All the clients on the segment are configured on Subnet ID 16, or network ID 192.168.1.16/28. The valid range of IP addresses on the misconfigured client’s subnet is 192.168.1.33 to 192.168.1.62. The valid range of IP addresses for the other machines on the segment is 192.168.1.17 to 192.168.1.30. Let’s look at this in the binary: Miconfigured client’s IP information: 192.168.1.(001)00001 255.255.255.(111)00000 The first and last valid IP addresses on the misconfigured client’s subnet are: 192.168.1.00100001 = 192.168.1.33 192.168.1.00111110 = 192.168.1.62 IP information for all other clients on the subnet: 192.168.1.(xxxx)xxxx 255.255.255.(1111)0000 Since we know that the default gateway is located at 192.168.17, we can figure out the Subnet ID of the segment: 192.168.1.(0001)0001 255.255.255.(1111)0000
91_tcpip_08.qx
2/25/00
11:11 AM
Page 460
460 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Subnet ID = 16 or (0001)0000 or Network ID = 192.168.1.16/28 What is the legal range of IP addresses contained on the default gateway’s subnet? 192.168.1.(0001)0001 = 192.168.1.17 192.168.1.(0001)1110 = 192.168.1.30 Therefore, when the misconfigured client attempts to send a message to any machine whose IP address is in the legal range for the subnet, IP will recognize that other machine’s address as being on a remote network, and will send it to the default gateway. However, we have another problem now: The default gateway is seen as being on another subnet. Therefore, the packet will go nowhere. If you test this out on your own by doing a ping of the out-of-range addresses, you’ll see an error regarding a “bad IP address.”
NOTE RFC 1878 discusses the standards and specifications for variable-length subnet masking.
Summary In this chapter, we have examined how IP addressing works, and how the logical addresses assigned during the TCP/IP configuration/initialization process relate to the network interface card’s (NIC) physical, or hardware address (called the MAC address in Ethernet networks). We learned how to determine a NIC’s IP and hardware address(es) for troubleshooting purposes using common TCP/IP utilities. We then looked at what “all those numbers” in the IP addresses really mean. We dissected the sections or octets that make up an IP address, and delved into how to convert the “easy on the eyes” dotted decimal notation used by humans into the 1s and 0s that the machines actually process. We briefly discussed subnet masking, and the default subnet masks for each IP address class. This led to a discussion of address classification and so-called “classful” addressing and its more modern replacement, Classless Inter-Domain Routing, or CIDR (sometimes just referred to as “classless addressing”). We learned how to determine which class an IP address belongs to based on its high order bits, and how to extrapolate
91_tcpip_08.qx
2/25/00
11:11 AM
Page 461
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 461
the binary into its decimal translation. We also discussed the class D multicast addresses, and the “experimental” class E. Next, we examined how network IDs and Host IDs are assigned, and discussed the pros and cons of manual address assignment and automatic addressing. We identified the characteristics of the Dynamic Host Configuration Protocol (DHCP), Automatic Private IP Addressing (APIPA), and how Internet Connection Sharing’s autoaddressing function works. We defined the differences between public and private addresses, and then looked at how IP addresses are actually used for communication on a network. We talked about the Address Resolution Protocol (ARP), which maps IP addresses to physical (MAC) addresses, and stepped through the IP communication process as it applies to both nonrouted and routed networks. Then we talked about specific IP addressing problems. We discussed how to detect and correct such situations as duplicate IP addresses, “illegal” addresses, and addresses that are invalid for the subnet. We made a detailed study of DHCP: how to configure the client and server, the process used by a DHCP client to obtain an address, and some common DHCP troubleshooting scenarios. We learned about the messages used by the DHCP service: DHCP Discover, DHCP Offer, DHCP Request, and DHCP Acknowledgment (ACK) and Negative Acknowledgment (NACK). After that, we turned to discussion of common DHCP server configuration problems, how and why they occur, and what to do about them. We reviewed some basic settings that should be checked: ■
■ ■
■
■
Ensuring that the DHCP server itself has a static manually configured IP address Making sure that the DHCP service is started Ascertaining that a scope of addresses has been defined and activated Excluding addresses within the scope that have been manually assigned to routers or computers Specifying the correct subnet mask
We discussed using superscopes to allow DHCP servers to assign addresses to more than one logical subnet on the same physical network. Next, we took a close look at how DHCP lease duration can affect network performance, and situations in which changing the duration can solve problems or optimize the speed of network communications. We saw how to set lease duration during the creation of a new scope, and how to change the lease duration after a scope has already been created and activated. We talked about the ramifications of granting clients unlimited lease periods.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 462
462 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Then we discussed how to reserve addresses for computers that need to have the same address all the time but still want to take advantage of the benefits of being a DHCP client. We talked about DHCP Server, scope, Client, and Class options, and how to configure each in the DHCP management console. We learned how to use DHCP monitoring tools to gather statistical information about the performance of the DHCP services, such as the number of Discover, Offer, Request, and ACK/NACK messages sent; length of time the server has been up; how many scopes are configured; how many addresses are allocated to DHCP; how many are assigned and how many are still available. We examined the components of the DHCP database, which is stored in the <systemroot>\System32\DHCP directory on the DHCP server. We talked about the files that make up the database: Dhcp.mdb, Dhcp.tmp, J50.log, and J50.chk. We discussed how to edit the Registry to change the backup interval from the default of 60 minutes, and how to restore the DHCP database from backup in one of two ways: ■ ■
Setting the RestoreFlag value to 1 Copying the <systemroot>\System32\DHCP\Backup\Jet folder to <systemroot>\System32\DHCP and restarting the service
Then we talked about some common client configuration problems, and what to do about them. We discussed DHCP clients’ inability to obtain an IP address due to not being able to reach the server, and clients operating with addresses that are invalid for the subnet due to an APIPA assignment. We talked about what to do if the client can obtain an address but is missing some configuration information, and discussed the possible causes of multiple clients on a network being unable to obtain addresses from the DHCP server. Next we took on the problem of “rogue” (unauthorized) DHCP servers and what Microsoft has done in Windows 2000 to address this potential source of trouble. We discussed how to handle multiple DHCP servers on a network and made recommendations for locating them on separate subnets to increase fault tolerance. We talked about using a DHCP relay agent or router configured to support BOOTP relay so the DHCP server(s) can assign addresses across subnets. We then discussed Automatic Private IP Addressing (APIPA), which uses the reserved address range 169.254.0.0 to 169.254.255.254 with a subnet mask of 255.255.0.0, so that if a DHCP client is unable to contact a DHCP server, it can still communicate via TCP/IP by assigning itself an address from this range. We also learned how to disable APIPA on our computers by editing the Registry.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 463
Troubleshooting Windows 2000 IP Addressing Problems • Chapter 8 463
After a brief look at hardware address problems, we discussed how to troubleshoot subnetting problems, and how to use variable-length subnet masking. We then examined the concept of supernetting and how Classless Inter-Domain Routing (CIDR) is used to help alleviate the problems caused by classful addressing. IP addressing is the foundation of TCP/IP communications. It’s a complex subject, and there is much that can go wrong if addresses are configured improperly. This chapter in no way attempts to cover every possible addressing configuration problem, but we have provided an overview of the most common addressing problems and the tools that can be used to diagnose and correct them.
FAQs Q: The DHCP server log shows NACKs being returned to DHCP clients requesting leases, and I have tried to renew the client’s lease manually but am unable to do so. What is the problem, and how do I solve it? A: This situation will occur if the IP address range configured for the DHCP server is conflicting with (overlapping) the range that some other DHCP server on the network is offering. Change the address pool for the scopes on one or both servers so that they do not overlap. Add exclusions if needed. You can also enable address conflict detection on the server by right-clicking it in the management console, selecting Properties | Advanced, and setting the value for Conflict Detection Attempts to a number greater than 0. Q: How can I manually release or renew a DHCP lease? A: At the command prompt, type ipconfig /release to release the address, or ipconfig /renew to renew the lease. Q: When should I deactivate a superscope on a DHCP server? How do I do so? A: Use the Deactivate command only if you want to retire all scopes that are members of the superscope and delete the superscope itself from the server. You should not use this command to merely pause the superscope, and you should not reactivate a superscope after you have deactivated it. If deactivation is still desired, click the superscope in the DHCP management console tree, open the Action menu, and select Deactivate.
91_tcpip_08.qx
2/25/00
11:11 AM
Page 464
464 Chapter 8 • Troubleshooting Windows 2000 IP Addressing Problems
Q: What is a DHCP scope? A: A scope is a group of computers on a subnet that use DHCP to obtain IP addresses, which defines the parameters used by the clients. A scope includes the IP address range used for DHCP lease offers and any excluded ranges, a subnet mask that signifies the subnet, a name (which is assigned to the scope when it is created), and the lease duration period that applies to leases offered to DHCP clients when they receive IP addresses. Q: What are the similarities and differences between BOOTP and DHCP? A: BOOTP is the predecessor to DHCP, used to automatically assign IP addresses, which was traditionally used for booting diskless workstations over the network. DHCP adds enhancements to BOOTP that make it the automatic address assignment protocol of choice today. Both protocols use the same type of request and reply messages, which consist of UDP datagrams 576 bytes in length. The message headers are almost the same for both protocols; the only difference is that the last field is called the vendor-specific field in BOOTP and can only be 64 octets, whereas in DHCP, the last field is called the options field and can be up to 312 octets in size. Both use UDP port 67 to listen for and receive client messages, and clients use port 68 to accept replies from the server. BOOTP normally reserves an address permanently in its database for each client computer, while DHCP leases the addresses and reserves them temporarily in its database. Q: What are the two types of class options, and what are the differences between them? A: The class options are divided into user classes and vendor classes. User class identifications are configured with the ipconfig command, while the vendor class IDs are set by the vendor (for example, Microsoft). You create user classes in order to identify all the DHCP clients that have something in common for which you wish to assign options. For instance, you could create a user class to identify all the clients in a particular site, or all the clients that are mobile computers. The vendor classes are created to take advantage of vendor-specific functions. Clients using products of other vendors will not receive DHCP options from other vendors.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 465
Chapter 9
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Solutions in this chapter: ■
RAS and RRAS Configuration Problems
■
General Internet Connectivity Problems
■
NAT and ICS Configuration Problems
■
Virtual Private Networking Problems
465
91_tcpip_09.qx
2/25/00
11:13 AM
Page 466
466 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Introduction From one perspective, this could be a very short chapter (but don’t get your hopes up). Windows 2000 TCP/IP networking over a remote access connection is, in most respects, the same as participating on a cabled or wireless LAN. Once properly connected through the telephone lines or VPN and logged on to and authenticated by the domain controller, a RAS client can do virtually anything on the network that a local client can do (provided the appropriate access permissions have been granted). However, there are some special factors to consider when troubleshooting TCP/IP problems involving remote access. Windows 2000 Routing and Remote Access Service (RRAS), combined with dial-up networking, has made it easy to set up a connection over the Public Switched Telephone Network (PSTN) analog lines, ISDN, DSL, X.25, and other remote links. From dialing in to an Internet Service Provider (ISP) or online service with a 56K modem to establishing a dedicated high-speed WAN link, remote access becomes easier and less expensive with each passing year. There are still some challenges involved in getting computers miles or even continents apart to “talk” to each other. In this chapter, we will focus on how Windows 2000 RRAS works, how to configure the service for various connection scenarios, and common configuration problems that can arise. Because such a large number of remote access connections today are for the purpose of accessing the global Internet, we will discuss Internet connectivity. We’ll also look at how your organization can save money and reduce the “hassle factor” of giving multiple computers access to the Internet or another remote network, using Windows 2000’s built-in Internet Connection Services and Network Address Translation. We will talk about virtual private networking, which is growing in popularity due to its ability to provide for a secure connection to a private network by “tunneling” through the Internet. We’ll take some time to examine how VPNs work, how to configure Windows 2000 machines as VPN clients and servers, and the two tunneling protocols supported by Windows 2000: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). We will address VPN security problems, and come back to the subject of IPSec (which was introduced in Chapter 4, “Windows 2000 TCP/IP Internals”), along with Microsoft Point to Point Encryption (MPPE), in the context of virtual private networking.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 467
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 467
Today’s business world is moving toward a time when much of the work will be done offsite, in order to reduce company overhead and increase the flexibility and job satisfaction of workers who can be as productive (maybe more so) when telecommuting from home as when stationed in an office cubicle in corporate headquarters. As the marketplace becomes more international, executives, salespeople, and others spend much of their time traveling, and need to do their networking “on the go.” TCP/IP is still the protocol on which most of this remote connectivity is based, and knowing how to configure and manage remote connections will be even more important to network administrators in the future than it is today.
Overview of Windows 2000 Remote Access Services Remote access is provided by Windows 2000 as part of RRAS.
Types of Remote Access Dial-up and virtual private networking are the two types of remote access supported by Windows 2000 RRAS. Although there are similarities between the two, in terms of TCP/IP communications and connectivity, each has its advantages—and its problems. Dial-up access: Using the telephone lines (either regular analog lines or high-speed digital lines), a remote client creates a temporary link (called a virtual circuit) to a remote access server, over which configuration parameters are negotiated and data packets are exchanged. See Figure 9.1. VPN: A virtual private networking connection is made using an internetwork to which both the client and server are separately connected (such as the global Internet). A point-to-point link is made by creating a “tunnel” through the larger internetwork using a tunneling protocol (PPTP or L2TP). Data packets are encapsulated and encrypted within this tunnel. See Figure 9.2. With both types of remote access, once the connection to the server has been established, the client can communicate with the server (and, with the proper permissions, with other computers connected to the server on the LAN) via any local area network protocol that is used on the private LAN. This means that you are not limited to TCP/IP communications; in the case of virtual private networking, NetBEUI or IPX/SPX (NWLink) packets can actually be encapsulated inside the TCP/IP link that is used to connect to the Internet.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 468
468 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Figure 9.1 A dial-up connection involves dialing directly in to the remote access server.
Remote client Modem
ct Dire k t lin poin t-toines poin ne l pho tele
via
Dial-up Connection
Modem
Remote access server
Distinguishing between Remote Access and Remote Control It is important to understand the difference between a remote access connection and another popular means of connecting computers remotely, called remote control. On the surface, the two appear to be the same: in both cases, you can establish a link over a dial-up or dedicated telephone line or through the Internet. However, there are important differences.
Remote Access: How It Works When you establish a remote access connection by using a modem to dial in to a remote server, or by creating a VPN link, the remote access client becomes a true node on the remote network. From it, you can log on to the domain, access shares on the server and other nodes for which you have permissions, print to shared printers, and do anything you would be able to do as a local node on the network. Other computers with shared resources that are on your subnet will show up in your Network Places window. The only significant difference to the user between participating on the network from a remote node and being cabled to the network as a local node is speed. Telephone lines are inherently much slower than the slowest LAN cable.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 469
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 469
Figure 9.2 A VPN connection involves creating a “tunnel” through the Internet.
Internet Service Provider
Modem
ne Tun ual
Virt
Remote Client
l
Internet
ual
Virt el
n Tun
Internet Service Provider
Dedicated link Remote server
NOTE Windows 2000 includes remote access client and server software. When we discuss remote access servers in this chapter, we will be referring to a Windows 2000 Server computer configured to accept remote connections via RRAS. However, a Windows 2000 Professional workstation can also function as a dial-up server and accept incoming calls.
Remote Control: How It Works Remote control is a different concept and is used for different purposes. Remote control requires special software on the client and server. Thirdparty programs such as PCAnywhere, ControlIT, Remotely Possible, and LapLink can be used to establish a remote control session with another computer. In a remote control session, the remote computer actually takes over the desktop of the host computer and has complete control of
91_tcpip_09.qx
2/25/00
11:13 AM
Page 470
470 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
it. Sitting at the remote computer, you see on your screen an exact replica of the host computer’s display screen. You can make configuration changes, run applications, and so forth on the remote machine (assuming you’re logged on to it with the proper permissions). If someone is sitting in front of the host machine, he will see the cursor move as you move your mouse from the remote location. Remote control doesn’t just allow you to access shares on the host; it’s “the next best thing to being there.” Remote control is useful for troubleshooting or performing administrative duties from home or when on the road, or on a computer that is located offsite. Remote access, then, is used to connect to the network and participate as a node on the network. Remote control is used—generally by administrative personnel—to take control of a server or other computer and operate it from a remote location.
NOTE You can also remotely control a server using Windows 2000 terminal services in remote administration mode.
Establishing a Remote Access Connection In order to anticipate and prevent problems involving remote access, it is important to understand the components of remote access networking and how they work together.
Software Needed for a Remote Access Connection In order to be a remote access client, a Windows 2000 computer must have Routing and Remote Access installed and configured properly. We will look at configuration problems and how to properly set up RRAS a little later in this chapter. In addition to RRAS, Windows 2000 uses the Dial-up Networking component to create a link over the telephone lines. The remote access server uses RRAS components to accept dial-up connections from clients and forward data between the remote clients and other computers on the local network. On a stand-alone Windows 2000 computer, you can configure the computer to accept incoming dial-up connections using the New Connection Wizard that is accessed from the following:
91_tcpip_09.qx
2/25/00
11:13 AM
Page 471
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 471
Start | Settings | Network and Dialup Connections | Make New Connection If the Windows 2000 computer is a server that belongs to or controls a domain (including a member server), you will not be able to configure incoming dial-up services this way. When you attempt to do so, you will see a dialog box as shown in Figure 9.3. Figure 9.3 Incoming connections must be configured through RRAS for Windows 2000 servers that belong to a domain.
It is necessary to use the RRAS management console to configure a server in a domain to accept incoming remote connections. We will look at how RRAS is configured for a remote server in a later section of this chapter.
NOTE The same Windows 2000 computer can function as both a dial-up client and a dial-up server. It can even do both at the same time, provided it has two modems installed with separate phone lines connected to them.
The WAN Link Remote access requires some kind of physical link between the computers. Most commonly, this is a dial-up or dedicated telephone line of some sort. When troubleshooting remote access problems, you must always keep in mind the possibility that the problem is with the line itself (just as many LAN problems can be attributed to damaged, unplugged, or incorrectly installed cable).
NOTE One way to think of a remote access connection is that, logically, it is the same as a local cabled connection, while physically, the modem takes the place of the network interface card (NIC) and the phone line takes the place of the Ethernet cable.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 472
472 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
At the physical level, the starting point for a remote access connection is the wide area networking link over which it is made. This can be the public switched telephone network, a dial-up or dedicated digital line like ISDN, a line using the newer DSL technology, or an X.25 network. See Table 9.1 for a summary of common WAN technologies. Table 9.1 Common Wide Area Networking Technologies WAN Link Type
Speed
Characteristics
PSTN (analog phone system)
56K (53K legal limit in U.S.)
Often unable to reach top speeds due to “noise.”
ISDN
64K (1 channel) 128K (BRI) 1.544M (PRI)
“Clean” digital connection provides fast connect, top speeds attainable in practice.
DSL
256K to 6M (ADSL) Up to 50M (VDSL)
Low cost, high speed. Not available in all areas.
T-carrier
1.544M (T1) 6.312M (T2) 44.736M (T3) 274.176M (T4)
Dedicated leased line; guaranteed bandwidth. Very expensive.
X.25
64K (typical)
Packet switched network; very high reliability.
NOTE Other WAN technologies, such as Frame Relay, ATM, and SONET are used for wide area networking, and are beyond the scope of this chapter, which deals with those links most commonly used with Windows 2000 remote access services. T-carrier lines are dedicated leased lines and are included here for speed comparison purposes.
Understanding PSTN Connections The public switched telephone network is “formally” known as PSTN, but in the telecommunications industry is often referred to as POTS, which stands for “plain old telephone service.” These are the analog telephone lines that are available in almost every part of the United States.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 473
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 473
NOTE In many European countries, ISDN is now used routinely to provide regular telephone service.
The biggest advantage of the public telephone system is its omnipresence—telephone lines reach to even isolated areas, and service can be established relatively easily and quickly. Another advantage is cost; in most cases, a POTS line will be less expensive than digital links.
NOTE With the advent of Digital Subscriber Line (DSL) technology, the cost differential between analog and digital is not as great as it was a few years ago.
Analog modems are cheap, plentiful, and fairly easy to set up and use. Windows 2000 and other modern operating systems support a wide variety of modems, and plug-and-play technology makes installation and configuration straightforward and simple in most cases. To make a dial-up connection, you merely install the modem (or connect an external modem via a serial port), install the drivers, plug in a phone line, and set up dial-up networking to dial the number of a phone line connected to a modem that is installed on the stand-alone computer or network to which you want to connect. The modem translates the digital signaling used by the computer into analog so it can travel along the telephone line, and a modem at the other end converts it back to digital form so it can be “understood” by the receiving computer.
TIP The process of converting from analog to digital signaling and back is called modulation and demodulation; hence the name “modem.”
PSTN has some significant disadvantages when it comes to remote computing, however. The traditional telephone network was designed for voice communication, not as a data link. Performance (speed of transfer) rates that work fine for voice seem slow when we use the lines to transmit
91_tcpip_09.qx
2/25/00
11:13 AM
Page 474
474 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
large data files. Those of us who remember the venerable 900 baud modems of the early days of remote networking have a lot of respect for today’s 56K modems, but the brave new world of Internet communications has made us all impatient. The sad truth is that analog technology is approaching its practical “speed limit.” Even with compression, telecom experts say we are not going to be able to squeeze much higher data transfer rates out of our old phone lines. Yet most travelers on the Information Autobahn—replete with huge software downloads, large graphics, and sound files, streaming audio and video, Java-scripted and Active-X’d Web sites and other highbandwidth demands—need (or think we need) more speed. When our remote network activities are mission-critical, we may also need more reliability than poor old POTS can provide. That’s where digital WAN links come in.
Understanding ISDN Most telephone companies offer, in addition to standard analog service (and usually at a higher cost), Integrated Services Digital Network (ISDN) lines. ISDN uses multiple channel digital lines to provide a connection that is faster, more reliable, and suffers less from noise interference and other problems common to analog connections. ISDN was originally developed with the intent that it would eventually replace PSTN. In some countries this has been achieved, although in the United States—due to tariffs, cost, early installation nightmares, and thus low public demand—ISDN is not universally used in business telephone systems and is still rather uncommon for residential service.
NOTE An ISDN connection requires a special piece of equipment that is sometimes referred to as an ISDN modem. Technically, it is not a modem because there is no modulation and demodulation required since ISDN signaling is digital. However, the device—which is properly called an ISDN terminal adapter— performs basically the same function as an analog modem in terms of dialing and establishing the connection with the computer on the other end.
ISDN does, however, have some important advantages over PSTN, and a substantial, though not overwhelming, number of businesses do use ISDN for their voice communications and their organization’s connection
91_tcpip_09.qx
2/25/00
11:13 AM
Page 475
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 475
to an ISP or to other branch offices within the company network. Some ways in which ISDN is superior to analog service include: Faster connection. ISPs offer both dial-up and dedicated ISDN accounts. With a dedicated account, you essentially dial the ISP when you set up the line and then never have to hang up. The line is always connected so that the computer with the ISDN connection is online 24 hours a day, 7 days a week. There is no need to dial up the ISP each time you want to connect to the Internet, or dial up the remote access server at another site each time you want to connect to the branch office. With a dial-up account, you hang up when you finish accessing the Internet and then dial again when you want to go back online. Even so, because ISDN is digital, there is not the delay of waiting for the phone to ring and be answered that is experienced with analog phone lines and modems. The connection is established so quickly that, in most cases, it is almost indistinguishable from a dedicated connection. Faster data transfer. ISDN service is generally offered by the telephone service in one of two options: Basic Rate ISDN (BRI) and Primary Rate ISDN (PRI). With BRI service, you get one 16 Kbps channel used for control signaling (called a D channel), and two channels over which data can be transferred, (called B channels). Each operates at 64 Kbps and can be multilinked to provide a 128 Kbps connection. In normal practice, each B channel is a separate phone line and is assigned two different telephone numbers (although some phone companies will assign the same phone number to both lines, if you desire). These lines can also be used for voice communications; in fact, with most ISDN adapters, you can plug one or two analog phones into the adapter (which contains a component that converts the digital signal to analog) and hold a voice conversation on one of the channels while you are transferring data on the other. With PRI service, you get 23 64 Kbps B channels and one 64 Kbps D channel, for a total speed of 1.544 Mbps (T1 speed). A “cleaner” connection. Digital lines are less prone to interference and “noise,” which is a problem that often results in analog lines being able to connect at only a fraction of the speed of the modem being used. This means that the 64 Kbps or 128 Kbps speed of a BRI link lets you actually connect at that speed, unlike 56 Kbps analog modems that rarely connect at more than 50 Kbps (and in some areas, may never get above 40 Kbps).
91_tcpip_09.qx
2/25/00
11:13 AM
Page 476
476 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Disadvantages of ISDN include: Higher cost than analog lines. Some telephone companies charge by the minute or by the amount of data transferred. Others that offer flat rate ISDN often charge twice as much for a Basic Rate ISDN line as the rate for a standard analog line—although you should keep in mind that with BRI you are actually getting two telephone lines. Installation difficulties. Traditionally, ISDN “modems” have been more difficult to configure than analog modems, although modern models have gone a long way toward alleviating that problem. In some cases, getting the line itself installed proves to be a major undertaking. Phone company technicians in some areas are not nearly as familiar with ISDN installation, and long waits for installation or difficulties caused by improper installation are not uncommon, although this has improved in recent years in most locations. Less widespread availability. ISDN is not available in all areas where POTS can be had. The telephone CO, or central switching office, must have equipment that can handle digital signaling. Although most COs in urban areas have been updated to include this, some outlying areas still do not have the physical capability to offer ISDN service to customers. ISDN is a viable, medium-cost solution in areas where DSL service has not yet been implemented. However, its popularity has dropped as telephone companies have “rolled out” the newest, fastest, and leastexpensive digital technology.
Tips for Troubleshooting ISDN Connections Connection problems with ISDN, assuming the line itself is in working order, can be due to one of several problems: ■
■
■
Ensure that the ISDN “modem” or adapter has updated and properly installed software drivers. Ensure that the com port being used is configured to support the desired data transfer rate. If you are only able to connect with one channel on a twochannel ISDN line (thus connecting at 64 Kbps instead of 128 Kbps), ensure that your connection is configured to use multilink and that your ISP or remote access server also supports it.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 477
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 477
Understanding DSL In the late 1990s, telephone companies in the United States began to offer a new type of digital service called DSL, or Digital Subscriber Line. DSL comes in several flavors: ■
■
■ ■
■
ADSL (Asymmetric Digital Subscriber Line) Downstream speed is higher than upstream (optimized for most consumer use, where much more data is downloaded from the server than uploaded to the server). SDSL (Symmetric Digital Subscriber Line) Downstream and upstream speed are the same. HDSL (High-speed DSL) Requires two lines. VDSL (Very high-speed DSL [up to 50 Mbps]) Could also be called Very expensive DSL; not in common use. IDSL: DSL technology over ISDN lines.
Currently, most telephone companies offer ADSL. DSL is usually implemented as an “always on” technology; that is, you stay connected all the time. DSL transmission is implemented over regular copper wires, and a “splitter” is installed on the line so that it can be used for both data and voice at the same time. Since two different frequencies are used, you can actually talk over the phone at the same time you are using the line for the data connection. Special equipment is required; a DSL “modem” (actually a ATU-R, which stands for ADSL Terminal Unit – Remote) is plugged into a NIC in the computer. As with ISDN, the telephone company CO that services your location must be equipped to handle DSL. Major advantages of DSL over ISDN include: High Speed. ADSL speeds vary from 256 Kbps up to about 6 Mbps, the typical speed being 1.544, the same as a T1 line. This is considerably faster than Basic Rate ISDN. Low cost. ADSL cost varies with the telephone company, but in most areas is significantly lower than ISDN despite the fact that it is from two to over 10 times faster. “Always on.” A dedicated ISDN connection generally costs several times more than a dial-up connection. All ADSL connections are dedicated (full time). As might be expected, DSL has its drawbacks, too. Some of which are: Availability. DSL only began to be offered by major U.S. phone companies in the mid-to-late 1990s. It is not yet nearly as widely available as ISDN, although many telcos are rolling out DSL in
91_tcpip_09.qx
2/25/00
11:13 AM
Page 478
478 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
metropolitan and suburban areas at a furious pace. It may be a while before DSL is available in more outlying areas. Equipment. DSL modems are not commonly stocked at computer outlets like analog and ISDN equipment. In many cases, you must purchase the equipment from the telephone company, and pay whatever price they set. Distance limitations. Unfortunately, using current technology DSL only works within a specified distance of a CO. The telephone company will not install DSL if your location is beyond that limit, which is usually set at 17,500 feet. Many believe these disadvantages are only temporary, and that DSL and other broadband technology (such as the cable modem) are the future of the Internet. You might wonder, if DSL attains speeds of 1.544 Mbps and beyond, the same speeds as T-carrier lines, why anyone would pay several thousand dollars per month for a T1 line when DSL typically costs less than a hundred dollars per month. The answer is simple: guaranteed bandwidth, also sometimes referred to as CIR or Committed Information Rate (although this term is more frequently associated with Frame Relay technology). With a T1 line, you are assured that you will have the full 1.544 Mbps bandwidth, while a 1.544 DSL line only means that you can get up to that speed; your actual “mileage may vary.” (Some telcos provide a minimum rate, such as 384 Kbps for a connection that tops out at 1.544). Another reason is that, as mentioned, DSL availability is limited due to the newness of the technology and the required proximity to a CO. If you need a guaranteed, reliable high-speed line for mission-critical work, and/or your location doesn’t qualify for DSL, it may be worth it to pay extra for a T1 connection.
Tips for Troubleshooting DSL Connections Problems with DSL connections usually fall into one of two categories: inability to connect, or a slow link. Troubleshoot connection problems in the same way you would troubleshoot any TCP/IP connectivity problem, using PING, IPCONFIG, and the TCP/IP utilities to determine the extent of your ability (or inability) to connect. When performance is the issue, this is often due to packet drops. If there is a bad router on the WAN somewhere that is causing packets to be lost, TCP/IP will assume the loss is due to overloading and will slow down (even if this is not the case). In most cases, these problems will need to be addressed with your telco and/or ISP.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 479
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 479
Understanding X.25 Windows 2000 supports remote access via an X.25 network. X.25 is a Consultative Committee for International Telegraph and Telephone (CCITT) standard that defines a method of transmitting data across a public packet switching network. An X.25 connection uses a PAD (Packet Assembler/Disassembler), which is an asynchronous terminal concentrator that lets several terminals share a single network line. The user calls the X.25 PAD through a modem, and the call is processed by a digital modem and forwarded to the terminal server. The terminal server, using the password that has been designated in the caller’s connection profile, then authenticates the call. When authentication is successful, the session is established. Windows 2000 supports the X.25 protocol in two ways: ■
■
The Windows 2000 RRAS client and server software both allow for the use of X.25 smart cards. The cards connect to the X.25 network, and send and receive data using the X.25 protocol. The Windows 2000 client software allows for use of smart cards and also allows a user to dial in to a PAD.
See Figure 9.4 for an illustration of how an X.25 connection works. Figure 9.4 A remote access client can dial in to a PAD to connect to an X.25 network.
Remote client
Modem
PSTN
PAD
X.25 Smart Card Remote Access Server
X.25
91_tcpip_09.qx
2/25/00
11:13 AM
Page 480
480 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Windows 2000 Remote Access Services don’t differentiate between types of media, so RAS does not “know” whether it is running over an X.25 network or the public phone lines. The only difference in configuring an X.25 connection is that you must specify the PAD type and the X.121 address for the RAS server. Windows 2000 allows you to do this easily by editing the Options tab on the Properties sheet of your dial-up connection. See Figure 9.5. Figure 9.5 On the Options tab of the connection Properties, select the X.25 button.
You can select a PAD type from the drop-down box, and enter an X.121 address in the text box, as shown in Figure 9.6. There is also a provision for entering optional user and/or facilities data.
NOTE “Smart card” in this context does not refer to the smart cards used for secure authentication. An X.25 smart card is an X.25 adapter used to connect to an X.25 network.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 481
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 481
Figure 9.6 You can set X.25 parameters by configuring the properties of a dialup connection.
It is important that these parameters be configured properly for your X.25 connection to work. If you are having problems connecting to an X.25 network, check these settings.
TIP One of the most common problem sources with X.25 is related to the parameter settings on the X.25 provider’s network.
Tips for Troubleshooting X.25 Connection Problems When you are having trouble establishing a remote connection via X.25, first ensure that the RAS client is able to make a PSTN connection with the RAS server, to confirm that the RAS software on the server and client is working properly. If you have problems with the PSTN connection as well, test the modem, and make sure that the serial port and cable are not defective and are configured correctly.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 482
482 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
If you are able to connect with no problems over PSTN, you will know that the problem is with the X.25 network or with the X.25 configuration on the RAS server. Set the X.25 network software to the default settings.
NOTE Eicon is one of the most common providers of X.25 network hardware and software. Others supported by Windows 2000 include SprintNet, InfoNet, and Alascom/Tymnet/MCI.
Try using a terminal program such as Hyperterminal to communicate between the client and server to check their connectivity. If this works but the RAS connection doesn’t, your problem may reside in the parameter settings. Verify that the X.25 provider has properly configured the network according to Microsoft’s specifications.
The Remote Access Protocols Remote access communications use a WAN (wide area network) protocol to establish the link across the phone lines in conjunction with the LAN protocol(s) used for transferring data between the two distant computers. Over a remote link, two computers can communicate using standard local area networking protocols like TCP/IP, IPX/SPX or NetBEUI. However, these protocols are actually wrapped inside the “outer” WAN protocol to make the journey across the WAN link. This wrapping process is called encapsulation. Many network administrators are already familiar with the two popular WAN protocols used for dial-up communications to ISPs or remote access servers: ■ ■
Serial Line Internet Protocol (SLIP) Point-to-Point Protocol (PPP)
The latter is more commonly used today, as it supports encryption and compression (SLIP does not). There are still some UNIX servers, however, that require the connection be established using SLIP. Windows 2000, like Windows NT 4.0, supports both PPP and SLIP as dial-out WAN protocols. The Windows 2000 Remote Access Server services, however, supports only PPP for dial-in connections.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 483
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 483
For IT Professionals
Xs and Oh! Even if your network uses X.25 technology, you may find the literature about it confusing. You’ll see discussions of X.28 PADs, X.21, X.3 standards, X.121 addresses, and X.29 something-or-another. What do all those Xs pertain to, anyway? We’ll try to answer a few of those questions. The “X numbers” are standards or specifications of the International Telecommunications Union, formerly known as the Consultative Committee for International Telegraph and Telephone (CCITT). This organization is the primary international entity devoted to developing and maintaining cooperative standards for telecommunications equipment and systems. X.25 and the others mentioned earlier relate to a particular type of wide area networking packet switching technology. X.25 is actually the Network (or internetwork, in DoD terminology) layer protocol. It uses an addressing scheme called channel addressing, similar to the logical addressing used by IP, except that there is an address maintained for each connection. The addresses are called X.121 addresses. X.21 is a Physical layer interface that is part of the X.25 protocol suite. X.28 and X.29 are PAD specifications. X.28 defines the DTE/DCE interface for start-stop mode DTE accessing the PAD in a public data network, and X.29 defines the procedures for the exchange of PAD control information and user data. X.3 defines the Packet Assembly/Disassembly (PAD) facility in a public data network. In the command mode, a user issues X.3 commands to the PAD. X.25 is generally slower than TCP/IP because it is subject to delays caused by its store-and-forward mechanism, a switching technique where frames, packets, or messages are temporarily received and buffered at intermediate points between the source and destination. However, X.25 provides for error checking from one node to the next, instead of just end-to-end error checking like TCP/IP. In fact, its high reliability and extensive error-checking capabilities are distinguishing characteristics of the X.25 suite.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 484
484 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
NOTE Windows 2000 remote access also supports the AppleTalk Remote Access Protocol (ARAP) for Macintosh clients, and Asynchronous NetBEUI (also referred to as AsyBEUI) for clients that are running older Microsoft operating systems such as Windows for Workgroups, MS-DOS, and Windows NT 3.1.
Let’s take a closer look at the two most common WAN protocols.
Serial Line Internet Protocol The Serial Line Internet Protocol, SLIP, is an older protocol that provides basic connectivity over a serial link, but does not have the advantages of error detection and both synchronous and asynchronous support that PPP offers.
NOTE To use SLIP, your ISP or server administrator must provide you with a static IP address to enter in the configuration box. While PPP supports dynamic assignment of IP addresses, SLIP cannot.
The Point-to-Point Protocol PPP has become the standard WAN link protocol used by most ISPs on their servers, as well as corporate Windows NT and Windows 2000 remote access servers. PPP works at the Data Link layer, and in the context of TCP/IP communications it works in conjunction with IP at the Network layer. PPP encapsulates, or packages, the TCP/IP packets and forwards them to the ISP’s server.
NOTE For more information about PPP, see RFC 1171.
Advantages of PPP over SLIP include:
91_tcpip_09.qx
2/25/00
11:13 AM
Page 485
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 485 ■
■ ■ ■ ■
The ability to encapsulate more than one protocol within a session Supports encryption and compression Uses Link Control Protocol (LCP) to verify line quality Supports dynamic IP address assignment Uses a Cyclical Redundancy Check (CRC) for error checking
The Anatomy of a PPP Connection A PPP connection has four parts, which must occur in sequence: 1. Configuration: During this initial phase, the choice of parameters, multilink options, and negotiation of which authentication protocol will be used take place. 2. Authentication: The authentication method negotiation in step 1 is implemented. 3. Callback: If callback security has been configured, the PPP client and server hang up and the remote server calls back to reestablish the connection. 4. Protocol configuration: LAN protocols are negotiated.
NOTE PPP authentication methods include Password Authentication Protocol (PAP), Shiva (SPAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft’s MS-CHAP (versions 1 and 2), and Extensible Authentication Protocol (EAP), including EAP-RADIUS. PPP can also provide unauthenticated connections.
Troubleshooting Loss of PPP Connection Most commonly, the termination of a PPP connection can be attributed to one of the following causes: ■ ■ ■ ■
Authentication failure Inadequate link/line quality Loss of carrier Timeout
Be sure to verify that the correct authentication method is enabled, as this is a common source of inability to establish a PPP connection. The rest of these problems primarily lie at the carrier’s end, and you should address them with your service provider.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 486
486 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Preventing Problems Related to the WAN Protocol Proper configuration is your primary protection against problems related to PPP or SLIP. When you set up dial-up networking in Windows 2000, you can configure which of the WAN protocols to use in the Networking tab of the Dial-up Connection properties box, as shown in Figure 9.7. Figure 9.7 A PPP or SLIP connection is designated in the Dial-Up Connection properties.
It is very important that, if you are dialing into an NT or Windows 2000 server (or other server using PPP for its dial-in connections), the selection for PPP be checked. If you are unable to connect to your ISP or NT/Windows 2000 Remote Access Server, be sure to check that the server type is properly identified.
Understanding Encapsulation We mentioned that the packets destined for the remote LAN are encapsulated inside the PPP (or SLIP) Data Link layer protocol. Let’s look in a little more detail at how this works. When a message is sent over a remote access connection, after being passed down the stack from the Application layer, the LAN adapter passes
91_tcpip_09.qx
2/25/00
11:13 AM
Page 487
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 487
a frame to the appropriate LAN miniport driver. This is done using the Network Device Interface Specification, or NDIS (see Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on NDIS and Windows 2000 networking architecture). The LAN miniport driver then hands off the IP datagram to the TCP/IP protocol driver. The datagram is sent to the WAN adapter by TCP/IP, using NDISWAN, which adds the PPP header and trailer (this is where the encapsulation or wrapping takes place). Finally, the WAN miniport driver sends the datagram to the WAN adapter through NDIS. When the TCP/IP (or other LAN protocol) packet is encapsulated inside the WAN protocol, it is “invisible” as it travels over the WAN link.
Tools for Troubleshooting PPP Connections Windows 2000 provides two important tools to allow you to gather data about your PPP connections.
Using Network Monitor for PPP Analysis Network Monitor can be used to capture PPP packets. This is useful for troubleshooting the process of connection establishment and for ensuring that encryption and compression are being implemented. To see the data structure inside the PPP encapsulation, you have to disable compression and encryption, since Network Monitor does not interpret compressed/encrypted data. The data captured by Network Monitor can be saved as a file, so that you can examine it later or send it to Microsoft tech support for analysis.
Enabling PPP Event Logging The RRAS components in Windows 2000 provide for logging of PPP events in the System Log. To enable PPP logging, follow these steps: 1. In the RRAS management console snap-in, select the remote access server. 2. Right-click and choose Properties. 3. Select the Event Logging tab, and click Enable Point-to-Point (PPP) Logging (see Figure 9.8).
Enabling PPP Tracing The PPP log in Windows NT 4.0 has been replaced by the tracing function. To duplicate the PPP log, you need to enable file tracing for the PPP key. By default, the PPP log is stored as ppp.log in the <systemroot>\Tracing folder.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 488
488 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Figure 9.8 Enabling PPP logging will cause PPP connection information to be recorded in a log file.
Tracing can be enabled for each routing protocol. To do this, you can configure the following registry value entries for each protocol key:
NOTE Tracing consumes system resources and should be used sparingly to help identify network problems. After the trace is captured or the problem is identified, you should immediately disable tracing.
EnableFileTracing REG_DWORD 1 Enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0. FileDirectory REG_EXPAND_SZ Path You can change the default location of the tracing files by setting FileDirectory to the path you want.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 489
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 489
NOTE You cannot use PPP tracing to view user data.
Troubleshooting Remote Access Configuration Problems Now that we have a general idea of how remote access works, and an understanding of the hardware and software components involved in different wide area networking links, we can discuss the most common source of problems affecting remote connectivity over which administrators can exert some control: configuration of the server and client computers.
Remote Access Server Problems One common cause of remote access connectivity problems is misconfiguration of the Remote Access Server. We will look at how to prevent or resolve problems related to server settings.
Inability to Establish a Remote Access Connection with the Server If a connection with the Remote Access Server cannot be established by any client, check the following: ■
■
Ensure that the server’s modem or ISDN adapter is functioning properly. Ensure that the RRAS service is started on the server.
To check on the status of the RRAS service, open the Routing and Remote Access Administrative tool. In the console tree in the left pane of the RRAS snap-in, double-click Routing and Remote Access, and click Server Status. To start the RRAS service, right-click the name of the remote server in the right pane of the console, select All Tasks, and choose Start, as shown in Figure 9.9. You will note that there is a red warning icon notifying you when the service is stopped. Ensure that the server’s ports are configured for remote access.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 490
490 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Figure 9.9 If remote access connections cannot be established, ensure that RRAS is started.
To configure ports to accept inbound remote connections, open the RRAS console, click the name of the remote server in the left panel, and click Ports in the right panel. Select Properties, and choose Configure. You will see a dialog box, as shown in Figure 9.10. Check the check box for “Remote access connections (inbound only)” to set up the remote server to accept incoming calls, and click OK. Ensure that the Properties for IP (or IPX, NetBEUI, AppleTalk—whatever LAN protocol you wish to use for the connection) are configured to allow remote access. To configure the protocol to allow remote access, right-click the name of the remote server in the left panel of the RRAS console, select Properties, and choose the tab for the protocol you want to configure. You will see a dialog box similar to the one in Figure 9.11. Check the check box to “Allow IP-based remote access and demanddial connections,” and click OK. Check the status of the server’s remote ports to ensure that they are not all in use.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 491
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 491
Figure 9.10 The remote server port must be configured to accept inbound connections.
Figure 9.11 IP-based remote access connections must be enabled on the IP Properties sheet.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 492
492 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
To check the status of the ports, select the remote access server in the right pane of the RRAS console and double-click Ports in the right panel. You will see a display similar to Figure 9.12, informing you which ports are active and which are inactive. Figure 9.12 Check the status of the remote server ports for activity.
Ensure there are sufficient IP addresses in the static address pool of addresses assigned by RRAS to dial-in clients if the server is configured with a static address pool. To add addresses to the static pool, right-click the server name in the left pane of the RRAS console, select Properties, select the IP tab, and click ADD.
Inability to Aggregate the Bandwidth of Multiple Telephone Lines If you have multiple telephone lines (for instance, two ISDN channels) and are unable to aggregate the bandwidth of the two lines, check the following: ■
Ensure that your ISDN adapter supports multiple lines, or that you have two functional modems, each attached to a separate working telephone line.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 493
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 493 ■
Ensure that the Remote Access Server’s PPP options are configured to support multilink.
On the Remote Access Server, PPP configuration options are set in the RRAS console’s Properties sheet for the remote access server, as shown in Figure 9.13. Figure 9.13 Windows 2000 RRAS allows you to configure PPP options on the remote server.
Here, you can select the following PPP options to be used by the server: ■
■
■
■
Select whether multilink connections are allowed. Multilink is a way of aggregating two or more phone lines for greater bandwidth. If multilink is enabled, you can select whether to use the Bandwidth Allocation Protocols (BAP and BACP) to allow multilink to adapt to changing bandwidth demands. Choose to enable the Link Control Protocol (LCP) extensions. For information about LCP options, see RFC 1661. Enable software compression for greater throughput.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 494
494 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Inability to Access the Entire Network If the client is able to establish a remote connection but cannot access the resources of any computer other than the remote server, ensure that IP routing has been enabled on the server. Check the Enable IP Routing check box on the IP Properties sheet for the server (refer back to Figure 9.11 to see this Properties sheet). Also, check to see that packet filtering has not been configured to prevent TCP/IP packets from being sent. If a static address pool has been configured instead of using DHCP, ensure that the routes to the address range(s) of the static IP address pool can be reached by the hosts and routers on the network. You may have to add routes to your routers via a static routing entry, or use a dynamic routing protocol like RIP or OSPF.
NOTE If you have set up the remote access server to use DHCP for IP address allocation, and the DHCP server is not available, APIPA addresses (169.254.0.1 through 169.254.255.254) will be used. Unless your network computers are using addresses from this range, the remote clients will not be able to communicate over IP with them.
Client Configuration Problems Although there is much more that can be misconfigured on the server, if only one client is having connection problems, and there is no physical reason (bad cable, NIC, etc.), chances are good that the client machine is not configured properly to make the remote connection.
Inability to Establish a Remote Connection ■
■
Ensure that the client is configured to use the same authentication method as the remote server. Ensure that the client is configured to use the same encryption strength as the remote server.
To check (and change) the authentication method on the client machine, right-click the connection name after clicking Start | Settings | Network and Dial-up Connections, and select Properties. On the Security tab, choose ADVANCED, and you will see a dialog box similar to the one in Figure 9.14.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 495
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 495
Figure 9.14 The authentication method and encryption are set in Advanced Security settings.
The client and server must both use a common authentication and encryption method. Ensure that the user account is configured to allow dial-in access. To do so, from the Active Directory Users and Computers administrative tool on a domain controller, expand the domain in the left pane of the console and right-click the user’s name in the right pane. Select Properties, and then select the Dial-in tab, shown in Figure 9.15. The Allow Access radio button must be checked for the user account to be able to make a remote connection. ■
NOTE The user Properties Dial-in sheet also allows you to configure callback security requirements, assign a static IP address for remote connections, or apply static routes.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 496
496 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Figure 9.15 Remote access permission must be granted in the user Properties sheet.
Troubleshooting Remote Access Policy Problems Remote access policies consist of conditions and parameters placed on the incoming connection. Windows 2000 allows you to set policies to control client access based on such things as day of the week or time of the day, group membership, connection type (VPN or dial-in), and set limits on duration of connection, idle time after which the connection is disconnected, and security parameters. Figure 9.16 shows some of the limitations that can be placed on dial-in access. When a user attempts to make a remote connection, the characteristics of the connection attempt are compared with the authentication information, user dial-in properties, and remote access policies. When the connection attempt doesn’t match any of the remote access policies, access will be denied. Multiple remote access policies can be in place, but this makes troubleshooting connection denials more complex.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 497
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 497
Figure 9.16 Remote access policies let you place restrictions on dial-in access.
Determining Which Multiple Policy Is Causing the Problem Microsoft recommends that one way to verify which policy is causing the denial is to create a new remote access policy called Troubleshooter and configure it to grant remote access permission for all days/times. Then, move this policy to the top of the list so it will be processed first. If the connection is denied, the problem is either with the Troubleshooter test policy itself, or more likely, with the user account’s dial-in Properties settings. If the connection succeeds, move the test policy down one level and attempt to connect again. If this connection fails, the problem is most likely with the policy just above the Troubleshooter policy. If it succeeds, keep moving the test policy down the hierarchy until a connection is denied, and then examine the properties of the policy that is causing the denial.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 498
498 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Troubleshooting NAT and ICS Configuration Problems Windows 2000 makes it easy to share a single public IP address for access to the Internet by using Internet Connection Sharing (ICS) on a Windows 2000 Professional computer or a choice of ICS or Network Address Translation (NAT) on a Windows 2000 Server.
The Difference between ICS and NAT ICS is available on both Windows 2000 Professional and Server, while NAT is only available on the Server family of operating systems. This statement in itself could be a little confusing, since ICS actually is a form of NAT. You can think of Internet Connection Sharing as NAT Lite—it uses NAT to map internal network IP addresses and ports to a single external IP address, but it is not as flexible and configurable as the fullfledged form of NAT that comes with Windows 2000 Server.
Common NAT Configuration Problems If you are having problems with the NAT computer not properly performing translation, so that packets don’t get delivered to the internal computer (NAT client) for which they are intended, check the configuration of the NAT interfaces. The NAT routing protocol must have both public and private interfaces. To check this, in the RRAS console, under the server name, expand IP Routing and select Network Address Translation. You should see a public and a private interface listed, as shown in Figure 9.17. The public interface connects to the ISP, and the private interface connects to the LAN. Ensure that the public interface is configured for address translation, as shown in Figure 9.18. Right-click the interface name and select Properties. The radio button for “Public interface connected to the Internet” must be selected. You should also check the Translate TCP/UDP headers check box to allow NAT clients to send and receive data through the interface. Now, ensure that the private interface is also properly configured. Right-click the private interface’s name, and select Properties. The same configuration box will appear, only in this case the “Private interface connected to private network” radio button should be checked.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 499
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 499
For Managers
Which Connection Sharing Solution Is Right for My Network? If you have a small network that needs access to the Internet, and only one public IP address, Windows 2000 Server gives you the choice of using ICS or NAT to provide Internet access to the entire network through a single computer’s Internet connection. Either of these solutions will save the cost of additional phone lines, modems, and ISP accounts for connecting additional computers to the Net, as well as the time and work involved in setting them all up for Internet access and the difficulty of maintaining and monitoring their access. Which one, then, should you use to connect your network? ICS and NAT work in a similar fashion, but NAT is the more sophisticated of the two. ICS is configured by right-clicking the connection’s icon in Network and Dial-up Connections and selecting Sharing. It is quick and easy to configure and suitable for many small, simple networks. ICS assumes that this is the only computer on the network that is connected to the Internet, and it sets up all the internal network addresses. By selecting Enable Internet Connection Sharing for this Connection, you make the computer an ICS host. This computer will assign IP addresses to its ICS clients as a DHCP allocator. ICS is appropriate if you don’t have DNS servers, DHCP servers, Windows 2000 domain controllers, or systems using static IP addresses. That limits its use to small peer-to-peer networks. For larger or more complex networks, sharing of an Internet connection can be accomplished via NAT, which is configured as part of RRAS. To use it, you must install and configure the Routing and Remote Access Service (if it is not already installed). NAT requires more configuration by the administrator, but also allows you to specify or change the IP address range assigned to NAT clients, and can be used on Windows 2000 domain networks or those connected to gateways or routers. So, if you have a small peer-to-peer workgroup among which you wish to share an Internet connection, and don’t need control over the IP address range, ICS will be the simplest solution. In most business networks, you will need the more sophisticated features of NAT.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 500
500 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Figure 9.17 NAT requires both a public and a private interface.
Incorrect Public Address Range Another problem that can occur with NAT configuration is incorrect configuration of the public addresses when you have multiple public IP addresses. Ensure that the addresses are entered in the Properties sheet of the public interface, under the Address Pool tab. All addresses entered here should be addresses that were assigned to you by your ISP.
NOTE NAT can provide address translation using multiple public IP addresses; ICS cannot.
Incompatible Application Programs The packets of some programs will not work through NAT. If a program runs from the NAT host computer but you cannot run it from a NAT client, it may be because the program uses a protocol that is not translatable by NAT. Windows 2000 NAT includes NAT editors for the following common protocols: FTP, ICMP, PPTP, and NetBIOS over TCP/IP. Additionally, some protocols such as HTTP do not require a NAT editor.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 501
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 501
Figure 9.18 The public interface must be configured for address translation.
NOTE A related problem, and a major limitation of NAT, is the inability to use it with IPSec for host-to-host security (sometimes called end-to-end). This is because IPSec hides the IP headers required by NAT for translation. You can, however, use NAT if you are using IPSec for a gateway-to-gateway solution.
Other NAT Problems If none of the solutions just discussed uncovers the culprit, ensure that IP packet filtering is not configured to prevent sending and receiving IP traffic. If the problem is related to name resolution, ensure that NAT name resolution has been enabled on the private interface. Troubleshoot Internet name resolution problems as outlined in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”
91_tcpip_09.qx
2/25/00
11:13 AM
Page 502
502 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Troubleshooting VPN Connectivity Problems Virtual Private Networking (VPN) is a popular solution for those who need a secure, yet inexpensive way to connect from a remote computer to a LAN when dialing in directly either isn’t possible or is costly due to long distance charges. Using encapsulation and encryption, a VPN allows you to establish a private “tunnel” through a public network such as the Internet, using the client’s and server’s Internet connections.
NOTE A detailed explanation of how VPN works is beyond the scope of this book, but if you are interested in the basic “how-to’s” of setting up a VPN, see “Managing Windows 2000 Network Services,” published by Syngress.
The Tunneling Protocols Windows 2000 supports VPN connections using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP).
PPTP: Point-to-Point Tunneling Protocol PPTP is an industry standard tunneling protocol. It was in Windows NT 4.0 and is also supported in Windows 2000. PPTP is an extension of the Point-to-Point Protocol (PPP) and uses the authentication, compression, and encryption mechanisms of PPP.
L2TP: Layer 2 Tunneling Protocol The Layer Two Tunneling Protocol (L2TP) supports multiprotocol VPNs that allow remote users to access corporate networks securely across the Internet. It is similar to PPTP in that it can be used for tunneled end-toend Internet connections through the Internet or other remote access media. However, unlike PPTP, L2TP doesn’t depend on vendor-specific encryption technologies to establish a fully secured and successful implementation. L2TP utilizes the benefits of IPSec, and will likely eventually replace PPTP as the “tunneling protocol of choice.”
Troubleshooting VPN Connections Troubleshooting a remote VPN connection is similar to troubleshooting other remote access connections, with a bit of added complexity.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 503
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 503
Inability to Connect to the Remote Access Server There are many causes for this problem. As usual, you should begin with the most basic and simplest possibilities: ■ ■ ■
■
■ ■
■
■
Ensure that the RRAS service is started on the VPN server. Ensure that RRAS is installed and enabled on the VPN server. Ensure that PPTP or L2TP ports are enabled for inbound remote access traffic. Ensure that LAN protocol(s) used by the VPN client are enabled on the VPN server. Ensure that all PPTP or L2TP ports are not already in use. Ensure that the VPN client and server are configured with a common authentication method and a common encryption method. Ensure that the user account has the proper dial-in permissions granted. Ensure that remote access policies are not causing a denial of the connection.
As you can see, most of these problems are related to the same configuration considerations we discussed earlier concerning general RRAS troubleshooting.
Summary In this chapter, we have provided some basic information about how Windows 2000’s Routing and Remote Access Services, hand-in-hand with the dial-up networking component, make it easy for users to connect to a remote server and for administrators to provide dial-in access to those on their networks. We looked at the differences between a remote access connection to the company network and participating as a local (cabled) node on the network, and concluded that the only practical difference is the speed of the connection. Data transfer speed is limited to the media over which the connection is made, and we saw that typical wide area networking links provide for speeds from 56 Kbps or less (analog modems) to about 6 Mbps (high-speed ADSL). We examined the differences between remote access and remote control, and learned that the latter is usually used by administrators to take over control of the server from a remote location. This is often done to troubleshoot problems or administer the server services when the administrator is offsite. We saw that remote access is used to connect to the
91_tcpip_09.qx
2/25/00
11:13 AM
Page 504
504 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
network and access shared files, print to shared printers, or otherwise participate as another node on the network. We then discussed the elements of different available wide area networking technologies over which our remote access sessions can be established. We provided an overview of remote networking using the analog phone lines on the Public Switched Telephone Network (PSTN). We then looked at a faster and “cleaner” technology, Integrated Services Digital Network (ISDN). We learned that ISDN is usually provisioned in one of two forms: Basic Rate ISDN (BRI), which provides two 64 Kbps data channels, and Primary Rate ISDN (PRI), which provides for up to 23 64 Kbps data channels for a total throughput of 1.544 Mbps. Next we talked about the newest “kid on the block,” Asymmetric Digital Subscriber Line (ADSL), and how its cost advantage and “always on” technology make it a popular alternative to ISDN—if your location is within 17,500 feet of a telephone company Central Office (CO). After that, we looked at how Windows 2000 supports connection to an X.25 network, which uses a Packet Assembler/Disassembler (PAD) and provides for data transfer over a public packet switched network. Then we discussed the WAN protocols used for remote access networking: SLIP and PPP. We learned that SLIP is used on some UNIX servers, but Windows 2000, like NT 4.0, supports only PPP for dial-in connections. We talked about the four steps involved in making a PPP connection: configuration, authentication, callback (optional), and configuration. Then we moved on to some specific tips for troubleshooting PPP problems, which include authentication failures, inadequate link/line quality, loss of carrier, and timeouts. We looked at how to configure a dial-up connection to use PPP, and we gained an understanding of encapsulation, the method by which TCP/IP or other LAN protocol packets are wrapped inside the PPP or SLIP protocol headers. Next we saw how we could use Network Monitor and PPP trace logging for gathering information about a PPP connection. We then focused on troubleshooting configuration problems. We looked at common configuration problems involving the remote access server, including inability to establish a remote connection, inability to aggregate the bandwidth of multiple phone lines, and the inability to access the rest of the network even though a connection with the server is established. After that, we looked at client configuration problems, and the importance of ensuring that the remote client uses the same authentication and encryption methods as the remote server.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 505
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 505
We talked about remote access policies, and some of the common problems that arise in using them. We also learned a method of determining which of multiple policies is causing a connection denial problem, by creating a test policy and manipulating its position in the order of application. Next we looked at Internet Connection Sharing (ICS) and Network Address Translation (NAT), and discussed common configuration and implementation problems that can occur when you share an Internet connection with a network through one ICS/NAT host. We learned that ICS is configured through Network and Dialup Connections, while NAT is configured via the RRAS console. We also found out that NAT requires both a public interface (connected to the ISP) and a private interface (connected to the LAN), and that each must be configured according to its role. We discussed the ramifications of entering the wrong public IP address range in NAT properties, incompatible application programs whose protocols cannot be translated, and the importance of ensuring that IP packet filtering is not configured to prevent IP traffic from getting through. Finally, we took a brief look at virtual private networking (VPN), the two tunneling protocols supported by Windows 2000 (PPTP and L2TP), and how to troubleshoot VPN connectivity problems. Remote access gets easier to configure with each new Microsoft operating system, but there are still many things that can go wrong with a remote connection. These problems benefit from a methodical, organized approach to troubleshooting—keeping in mind that a remote access connection in many ways is no different from a cabled network connection, except for the added layer of the WAN link used to achieve it.
FAQs Q: How can I use caller ID with RRAS to enhance dial-in security? A: If the phone system(s) used by the caller and the remote access server support the caller ID feature, you can use the caller ID feature when you set dial-in security. You can specify the phone number from which the user must dial in. If the user calls from a different phone number, the connection will not be successful. Be careful in using this feature, because if you do configure dial-in security with a specified caller ID phone number for the user and the system does not support caller ID, the connection will be denied. Note that if the connection is a VPN connection, the caller ID number will be the IP address of the client.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 506
506 Chapter 9 • Troubleshooting Remote Access in a Windows 2000 TCP/IP Network
Q: Does Windows 2000 work with modem-pooling equipment? A: Yes, as long as the modem-pooling device generates and accepts command strings equivalent to one of the supported modem types listed in the Install New Modem wizard. In that case, you connect the equipment to the COM ports and configure the ports for remote access using RRAS. Microsoft recommends that you configure modem-pooling devices to behave like a Hayes-compatible modem since that is a commonly used standard. Q: Does the Windows 2000 remote access server support callback security on an X.25 network? A: No, Microsoft advises that callback is not currently supported on X.25 connections. Q: In what way is Windows 2000’s remote access component more configurable in terms of security than Windows NT 4.0? A: In NT 4.0, a user’s authorization to dial in to the network was dependent on one simple check box to grant dial-in permission to user, set in User Manager or the Remote Access Administrative Tool. Windows 2000 allows you to grant or deny remote access to a user in the user’s property sheet in Active Directory Users and Computers, and also allows you to further restrict dial-in permissions based on remote access policies, which can be applied to members of specific groups, to specific connection types, and other more broad-based criteria. Q: What is BAP, and how does it work? A: The Bandwidth Allocation Protocol (BAP) is used to increase the efficient use of the network bandwidth by adding or dropping additional links according to changes in traffic flow, on a dynamic basis. To do this, BAP works in conjunction with Multilink PPP in Windows 2000. BAP policies can be set through the remote access policy feature to make it easy for administrators to control connection costs and still provide for optimum bandwidth for users. Q: What are NAT editors, and why might I need one? A: NAT editors are software components that are added to NAT in order to make modifications to the IP packet beyond the translation of the IP address in the IP header, TCP port in the TCP header, and UDP port in
91_tcpip_09.qx
2/25/00
11:13 AM
Page 507
Troubleshooting Remote Access in a Windows 2000 TCP/IP Network • Chapter 9 507
the UDP header. This additional translation is required with certain protocols that store the IP address, TCP port, or UDP port in the payload (for instance, FTP). Windows 2000 includes NAT editors already built-in for FTP, ICMP, and PPTP. Windows 2000 doesn’t include editors to translate SNMP, LDAP, Microsoft COM, or RPC.
91_tcpip_09.qx
2/25/00
11:13 AM
Page 508
91_tcpip_10.qx
2/25/00
11:15 AM
Page 509
Chapter 10
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level Solutions in this chapter: ■
NICs
■
Cable
■
Hubs and Repeaters
■
Bridges
509
91_tcpip_10.qx
2/25/00
11:15 AM
Page 510
510 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Introduction Now that we have discussed some of the protocols and services related to TCP/IP, and know how to use the built-in utilities and add-on monitoring and troubleshooting tools, we’ll take a look at connectivity problems from the ground up—or perhaps we should say “from the bottom up.” That’s the bottom of the OSI and DoD networking models we’re referring to, of course. You’ll recall that the Network Interface layer in the DoD model is roughly equivalent to the Physical and Data Link layers of OSI. In this chapter, we will examine some of the things that can go wrong at this level, and how to address them. The Network Interface layer involves physical problems—network interface cards (NICs), cable, and network connectivity devices such as hubs, repeaters, and bridges. The differences between these various Network Interface layer devices, and how they compare to higher layer devices such as Layer 3 switches, routers, and gateways, is sometimes a source of confusion even for IT professionals. For that reason, we will look at how the various connectivity devices work, and some of the reasons they don’t always work properly. Because the DoD Network Interface layer also encompasses the OSI Data Link layer, it also involves software drivers for the hardware. We will discuss the importance of updated and properly configured NIC drivers in making it possible for the TCP/IP protocol suite (or any other) to send data across the network. We will not spend a lot of time discussing the details of how to install and configure networking hardware. In this chapter, we will be pointing out those areas in which Network Interface layer problems, such as those related to physical devices or software drivers, can affect TCP/IP connectivity and even mimic protocol configuration problems.
Problems with Network Interface Card Configuration Configuration of the NIC at the physical level is the first step in achieving a TCP/IP connection. Although an improperly configured card is not a protocol-specific issue, it may be mistaken for one, and much time can be lost in trying to troubleshoot TCP/IP when the problem lies elsewhere. Thus, it is important for an administrator to know how to determine when the connection is failing due to a lower-level problem. One easy way to determine that the problem lies in the lower layers is to attempt to establish a connection using a different protocol. If your computer is unable to communicate with others on the network using TCP/IP, but can make the connection when NetBEUI or NWLink is
91_tcpip_10.qx
2/25/00
11:15 AM
Page 511
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 511
installed on the machines, you know to start troubleshooting the protocol configuration. If you still have no luck in making a connection with other network transport protocols, it is likely that you have a problem with the hardware or the hardware drivers. This simple test can save you much time and effort.
The Role of the NIC The NIC (also sometimes called the network adapter, or just the network card) plays an essential role in TCP/IP and other network communications. The NIC is the device that physically joins the computer and the cable or other network media, but its function is more complex than that. The data cannot just flow through the network card and out onto the cable (or from the cable through the NIC into the computer’s memory) because the form in which the computer processes the data is different from the format necessary to send it out over the cable. The NIC must convert outgoing data from a parallel format, in which bits of information are sent in multiple lines or paths, as takes place inside the computer, to serial format, where the bits move in “single file” on the cable. Network cards also have memory chips, called buffers, in which information is stored so that if the data comes in or goes out too quickly, it can “rest” there while the bottleneck clears and there is room for it to pass onto the cable or up into the computer’s components.
Types of NICs Of course, it is essential that you ensure that the NIC installed in the computer is the proper type for both the media and architecture used by your network. For instance, Ethernet and Token Ring require different types of NICs. This is because of the different ways in which the media access methods function. And, of course, the card must have the proper connector for the cable type being used. These are basic, relatively straightforward issues, but don’t overlook them when troubleshooting connectivity problems.
NOTE Be sure to check the Windows 2000 Hardware Compatibility List (HCL) to ensure that your card is supported. The list can be accessed from the Microsoft Web site at www.microsoft.com/hcl. Although devices not listed may still work with Windows 2000, if your card is on the list you can be confident that it has been tested and is compatible with the operating system.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 512
512 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Driver Issues Like other hardware devices, the NIC requires a software driver to provide the interface between the operating system and the card. Be sure the driver that is designated for your specific model of NIC is installed, and that it is the latest incarnation. Experienced administrators know that simply installing an updated NIC driver can solve countless connection problems.
NOTE Windows 2000 supports a large number of common brands and models of NICs, and the drivers are included on the Windows 2000 CD. However, these may not be the latest versions. Always check the manufacturer’s Web site for a download area where you can obtain the latest drivers.
Since Windows 2000, unlike NT 4.0, is a plug-and-play operating system, supported cards are more likely to be automatically detected and the drivers installed from the Windows 2000 installation files (or you will be prompted to supply the disk or network location). Be cautioned again, however, that the drivers installed by the operating system may be outdated.
NOTE Windows NT did have the capability to detect some network cards with its limited plug-and-play capability.
Updating Drivers NIC drivers (and drivers for other hardware devices) can be updated through the Device Manager. To do so, click Start | Settings | Control Panel | System. Select the Hardware tab and click DEVICE MANAGER. The list of installed devices will be displayed, as shown in Figure 10.1. You can select the card you wish to configure or update and doubleclick it, then select the Driver tab. This interface makes it easy for you to update the files, as shown in Figure 10.2, and also makes available useful information about the resources being used by the device, any conflicts, and troubleshooting tools. A handy feature is the Hardware Troubleshooter, which can be accessed from the General tab.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 513
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 513
Figure 10.1 Use Device Manager to configure and update drivers for the NIC.
Figure 10.2 The properties sheet for the device provides valuable information about the driver.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 514
514 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
WARNING In order to access the Device Manager and install or update device drivers, you must be logged on to an account with the appropriate permissions. Be aware that network policy settings (Group Policy, IPSec, and other security settings) may also prevent you from performing these tasks.
Problems with Cable and Other Network Media Another type of problem that can mimic TCP/IP protocol configuration problems is damaged, defective or improperly installed cable or other network media. Broken or shorted cables can be detected with a cable tester or TDR (time domain reflectometer). Some of the more sophisticated (and more expensive) LAN testers will even pinpoint the exact location of the break. As a network administrator, you may have other personnel who handle hardware and cabling. It is important, however, that you are able to recognize the symptoms of Physical layer problems so that you will know when to call in the technicians, rather than spend your time attempting to “fix what isn’t broken.” Damage to the media is not the only factor when considering Physical layer problems. All network architectures—for example, Ethernet, Token Ring, AppleTalk—include specifications that must be met concerning networking equipment and media. If those rules are ignored, connectivity may be lost completely, or you may experience intermittent problems. Common areas of noncompliance, which can result in difficulties in establishing or maintaining a connection, include cable type and grade, and the limitations on the allowable segment length for various network/cable types.
Network Cable Specifications Be sure that the cabling for your network meets specifications for the particular architecture. For instance, a 10Base2 network requires not just thin coaxial cable, but a particular type of thin coax: RG-58 A/U (the cable grade is usually indicated on the side of the cable itself). Don’t try
91_tcpip_10.qx
2/25/00
11:15 AM
Page 515
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 515
to substitute something else that is “close” or looks similar; you will be setting yourself up for connectivity problems if you do. It is not an unknown occurrence for a cable technician (or perhaps more likely, a net admin with little hardware experience) to attempt to replace a broken or bad length of thin coax cable with RG-58 U or even RG-59 (the cable used for cable TV). Therefore, in checking the Physical layer for the source of a connectivity problem, ascertain not only that the cable is connected and appears to be undamaged, but that the cable type meets specifications. Another example of improper cable type would be substituting category 3 twisted pair for cat 5, when running a 100 Mbps (100BaseT) network.
NOTE Cable type is generally indicated on the cable itself. If it is not, you can identify the cable type by counting the wire pairs or measuring the ohm rating.
Cable Length Issues You undoubtedly are also aware that because of the susceptibility of copper cabling to attenuation, or signal loss over distance, network specifications place limits on the acceptable length of a segment of cable, depending on the architecture and cable type. A cable segment is generally defined as the length of cable between repeaters. A repeater (or other connectivity devices that perform boosting of the signal) allows you to increase the distance of your network. We will discuss these devices in the next section of this chapter. Violating the length specifications may be tempting, especially if you only need to go “a tiny bit further” in order to get the cable to a specific office or other location. You might get away with it—the cable does not just automatically stop working when you exceed the specified distance. But going beyond these limitations can cause you to have connectivity problems that you might easily mistake for software/protocol problems when the real trouble is at the physical level. Table 10.1 shows common network/cable types and the maximum cable segment length for acceptable performance.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 516
516 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Table 10.1 Cable Length Limitations Network Type
Cable Type
Distance Limitation per Segment
10Base2
RG-58 A/U Thin coax
185 meters (607 feet)
10Base5
RG-8 or RG-11 Thick coax
500 meters (1640 feet)
10BaseT 100BaseTX
Category 5 UTP
100 meters (328 feet)
The Role of Network Connectivity Devices We call them “network connectivity devices” for the obvious reason: They are used to connect networks (also called network segments or subnets). But why are there so many different types, and how do we know when to use which on our TCP/IP networks? Let’s first think about the characteristics of the TCP/IP suite. One of its strong suits—in fact, the number-one reason it is the protocol of choice for so many networks today, as well as the protocol of the global Internet—is its routing capability. Routing refers to transferring data from one network or subnetwork to another. Thus, it makes sense that connectivity devices are common in TCP/IP networks. Usually the type of device we associate with an internetwork is the router, which works at the DoD’s Internetwork layer (Network layer in the OSI model). We will briefly discuss routers in this chapter, in the context of how they differ from the Network Interface layer devices, and we will devote an entire chapter (Chapter 11, “Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level”) to routing problems and other Internetwork layer troubleshooting. But we also should remember that there are other, lower-level devices that can be used for such purposes as: ■ ■
■
Extending the distance limitations of network cable Connecting network segments that use different media types (for instance, thin coax and UTP) Segmenting the network to reduce traffic without dividing the network into separate IP subnets
Although a large percentage of network connectivity problems occur at the Network Interface level, it is often overlooked in the troubleshooting process. That is, until you discover, after spending an entire afternoon completely reconfiguring both your server and your client, that your inability to connect or your loss of data packets was caused by a physical problem with your repeater or bridge.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 517
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 517
Understanding Layer 1 and 2 Connectivity Devices There are three basic types of network connectivity devices that operate at the Network Interface level. In OSI terminology, this means Layers 1 (Physical layer) and 2 (Data Link layer). These are: ■ ■ ■ ■
Repeaters Hubs Switches Bridges
We will discuss each of these device types, its advantages and disadvantages, and how each one behaves in passing TCP/IP packets. Networking hardware technology is constantly advancing, and new devices are appearing on the market all the time. In addition, different manufacturers, perhaps out of a misunderstanding of the terminology or perhaps in the effort to make their own products stand out in a crowd, will sometimes give their equipment a name that confuses the issue further, in terms of exactly what the device does and at which layer of the standard networking models it functions.
NOTE Some books refer to components such as BNC barrel connectors as connectivity devices. Strictly speaking, since they do indeed connect two lengths of cable, this would be correct. In this chapter, when we speak of connectivity devices, we are referring to active devices, not mere connection points. See the discussion of active vs. passive hubs for more information on this.
How and Why Repeaters and Hubs Are Used We will discuss repeaters and hubs together because, in many cases, they are the same thing. In fact, you will hear hubs referred to as “multiport repeaters.” All that means is that the hub does what a repeater does: boosts the signal before passing it on from one segment of cable on which it came in, to another on which it goes out. Hubs are different from basic repeaters, however, in that the latter generally has only two ports. The repeater is used to extend the usable length of a given type of cable. For instance, a 10Base5 Ethernet network, using thick coax cable, has a maximum cable segment length of 500 meters, or 1640 feet. At that distance, attenuation (signal loss due to distance) begins to take place. But when you place a repeater at the end of
91_tcpip_10.qx
2/25/00
11:15 AM
Page 518
518 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
the cable and attach another length to the repeater’s second port, the signal is boosted and the data can travel further without damage or loss. See Figure 10.3. Figure 10.3 A repeater is used to address attenuation problems.
500 meters
500 meters
Repeater
Repeaters extend distance limits
Data loss or complete loss of connectivity may occur if a network is constructed with a segment length greater than that designated in the IEEE specifications for the architecture/cable type, and no connectivity device is used to boost the signal. Remember to always check for physical problems rather than assume software/networking protocol configuration is at fault when packets are lost.
What’s the Difference between Repeaters, Amplifiers, and Hubs? A repeater boosts the signal traveling across an Ethernet cable in much the same way an amplifier boosts the signal input from an old radio tuner. The difference between a repeater and an amplifier lies not in what they do, but in what kind of signals they do it to. While amplifiers boost analog signals (such as those used in the public telephone network or in older home stereo systems), a repeater boosts the digital signals used in most computer communications. The typical Ethernet hub is also a kind of repeater, a multiport repeater that allows for 5, 8, 12, 16, 24 or more connections. While a
91_tcpip_10.qx
2/25/00
11:15 AM
Page 519
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 519
standard repeater is more often associated with 10Base2 and 10Base5 (coax) networks, hubs are used with 10BaseT and other UTP-based networks.
NOTE Repeaters are not very “smart” devices; they simply boost whatever signal they receive—not distinguishing between data and noise—and pass it on. They also aren’t very “polite.” They don’t follow the usual CSMA/CD process that NICs use, listening for traffic on the network before transmitting. A repeater just goes ahead and transmits even if another node is in the middle of a transmission. This, of course, results in a data collision, which means data must be re-sent, and network performance is negatively impacted. This is the reason for the Ethernet (coax) 5-4-3 Rule: The total length of the network cable must be limited so that all computers on the network will be able to monitor all segments before they transmit, since the repeater won’t do it for them.
Using a Repeater in Troubleshooting A repeater can be of use in troubleshooting situations, in that it allows you to isolate a segment when there is a failure or fault condition. You can disconnect one side of a repeater to effectively isolate the associated segment(s) from the rest of the network. You can then perform troubleshooting functions without any impact on the rest of your production network.
NOTE Repeaters do not logically segment or subnet the network and do no filtering of traffic, nor do they divide the network into collision domains. You cannot reduce the traffic load or increase available network bandwidth by using repeaters; you can only amplify the signal and extend the maximum length of the cable. The repeater divides the network into “segments” only in relation to maximum segment length for purposes of avoiding attenuation problems.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 520
520 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Types of Hubs The multiport repeater we are talking about here accepts the incoming signal, boosts it, and then sends it back out over all the ports to the rest of the computers that are attached to the hub (or other hubs that are uplinked to it).
NOTE Many hubs include an uplink port, which is wired so that the transmit and receive pairs in the cable are reversed. This port is used to connect two hubs together. The uplink port of one hub is connected to a regular port on the other (if you connected two uplink ports to each other, you would defeat the purpose, and the hubs would not be able to communicate with one another). If your hubs don’t have uplink ports, you can connect two hubs’ regular ports via a crossover cable to achieve the same result. This is a twisted-pair Ethernet cable with the transmit and receive wires crossed.
This type of hub, which boosts the signal before sending it back out, requires electric power and is also sometimes called an active hub. There are several other types of hubs, as summarized in Table 10.2. Table 10.2 Basic Hub Types Type of Hub
Characteristics
Active hub
Requires electric power; boosts the incoming signal before sending it back out all ports.
Passive hub
Does not require electric power; serves as a connection point, sending the signal back out on all ports without boosting it.
Intelligent hub (also known as "managed hub")
Includes a processor chip with diagnostic features that allow you to troubleshoot individual port problems. This is helpful when you need to troubleshoot ports remotely and cannot just look at the lights on the hub.
Switching hub (also known as "switch")
Sends the signal out the port to which the destination computer is connected only.
Switching hubs, or switches, are becoming more and more popular (and becoming less expensive, which contributes to the popularity). Let’s examine this connectivity device a little more closely.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 521
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 521
NOTE Another type of hub, called a concentrator, is a sophisticated device that offers the ability to provide each client with exclusive access to the full bandwidth of the media. Each workstation plugs into a separate port, and there is no connection. These hubs also allow for buffering and filtering of packets so that unwanted packets are discarded. Another feature of these hubs is support for SNMP (Simple Network Management Protocol) to configure and administer the hub. The term concentrator is most often associated with Token Ring hubs (also called Multistation Access Units, or MAUs). A remote access hub that handles incoming dial-up calls for an Internet (or other network) point-of-presence and performs other services is referred to as a concentrator (or aggregator).
How and Why Switches Are Used Layer 2 switches, or switching hubs, work at the Data Link layer, and they are installed in place of the active hubs that traditionally have been used to connect computers on a UTP-cabled network. Replacing hubs with switches will cost a bit more, but offers several important advantages.
Advantages of Switches over Hubs A switch combines the characteristics of hubs and bridges (we’ll discuss bridges in the next section). Like a bridge, a switch constructs a table of MAC addresses. The switch knows which computer network interface (identified by its physical address) is attached to which of its ports. It can then determine the destination address for a particular packet and route it only to the port to which that NIC is attached. Obviously, this cuts down a great deal on unnecessary bandwidth usage since the packet is not sent out to the other ports, where it will be disregarded when those computers determine that it is not intended for them. See Figure 10.4. Using switches instead of hubs creates individual “collision domains” for each segment. This means a particular computer receives only the packets addressed to it, to a multicast address to which it belongs, or to the broadcast address. You increase potential bandwidth in this way by the number of devices connected to the switch, because each can send and receive at the same time another node is doing so.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 522
522 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Figure 10.4 A switch reduces traffic by sending data only out the port with which the destination MAC address is associated.
B
A
for Pac F's ket MA des C a tine dd d res s
Switch consults table, sends out port connected to Computer F only
Switch
D
C
E
F
Advantage of Switches over Bridges Switches can forward data frames more quickly than bridges, because instead of reading the entire incoming Ethernet frame before forwarding it to the destination segment, the switch typically only reads the destination address in the frame, and then retransmits it to the correct segment. This is why switches can offer fewer and shorter delays throughout the network, resulting in better performance. Bridges normally have only two ports, dividing the network into two parts, while switches have multiple ports, each of which may connect directly to a host computer (or alternately can connect to a hub or another switch).
Switching Modes Switches generally use one of two methods of forwarding data: cutthrough or store-and-forward. Cut-through mode. Switches that use cut-through mode read only the first few bytes of the packet to determine the source and
91_tcpip_10.qx
2/25/00
11:15 AM
Page 523
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 523
destination addresses, and then pass the packets through to the destination segment. The rest of the packet is not checked for errors. This means invalid packets can still be passed on to other segments, but there is the advantage of speed; there is very little delay involved in packet throughput with this mode. Store-and-forward mode. Switches using store-and-forward could be thought of as careful and methodical, but not speedy. They buffer and examine the entire packet, and filter out any bad packets that are detected. The good packets are then forwarded to the correct segment. This results in some delay in throughput, but fewer errors get through to other segments.
When to Switch to a Switch Replacing hubs with switches is a good idea when there is a great deal of point-to-point network traffic. Switches won’t cut down on network congestion problems caused by broadcasts, since broadcast messages will still be sent out all ports. This is another way in which they are similar to bridges. Switches offer the following benefits: ■
■
■
■
Switches eliminate contention (one of the major disadvantages of Ethernet), and therefore allow each port to use the full bandwidth. A switch can be used to divide an overloaded network into segments, creating separate collision domains and increasing performance. Switches offer low latency, which improves the efficiency and performance of the network. Switches can be used to create virtual networks, or VLANs.
How and Why Bridges Are Used A bridge builds a MAC table like a switch, but like the repeater, it is a two-port device rather than a multiport device like a hub or switch. The bridge is used to segment a network to reduce traffic and collisions. It also boosts the signals that it passes across.
How Bridges Reduce Network Traffic A bridge monitors the data frames it receives to construct its MAC address table, using the source addresses on the frames. This is a simple table that tells the bridge on which side a particular address resides. The bridge can then look at the destination address on a frame, and if it is in the table, determine whether to let it cross the bridge (if the address is on
91_tcpip_10.qx
2/25/00
11:15 AM
Page 524
524 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
the other side) or not (if the address is on the side from which it was received). In this way, there is less unnecessary traffic, because when a computer on side A sends a message to another computer that is also on side A, the signal goes only to those computers on side A. Those on side B, on the other side of the bridge, go blithely on with their business and never have to deal with it. See Figure 10.5. Figure 10.5 A bridge segments the network to reduce traffic.
Side A
Bridge recognizes destination MAC address and does not send to Side B
Side B
Bridge
Data is transmitted from a computer on Side A to another computer on Side A
Using a bridge can, in effect, double the available bandwidth since there can be two “conversations” between computers going on simultaneously, on opposite sides of the bridge, without data collision.
What Is a Translation Bridge? Bridges can be used not only to segment a network, but also to connect two network segments that use different types of media. For instance, you can use an AUX/BNC bridge to connect one segment running on thick coax cable (10Base5) to another segment running on thin coax (10Base2).
91_tcpip_10.qx
2/25/00
11:15 AM
Page 525
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 525
A translation bridge is a type of bridge that can go a step further, and not only connect two different media types, but can connect segments using two different media access methods. The translation bridge “translates” between the two access methods, typically Ethernet and Token Ring.
NOTE Translation bridges do not translate between protocols. Bridges are unaware of and not dependent on which network/transport protocols are used for communication. Bridges can use only the MAC addresses. Because bridges do not look at the upper-layer protocols (such as IP), they cannot make decisions about where to send data frames based on the IP address.
In most cases, a better solution for connecting Ethernet and Token Ring, when both are using TCP/IP, is a router, which is capable of complex routing based on protocols and the logical network address.
Advantages and Disadvantages of Bridges Bridges enjoy several advantages over other connectivity devices: ■ ■
■
■
■
Bridges are less expensive than routers and brouters. Bridges allow you to add more computers and segments to the network. Bridges are transparent to higher-level protocols like TCP/IP because they operate at the Data Link layer of the OSI model. Bridges can be used with nonroutable protocols like NETBEUI (which will not cross a router). Bridges localize network traffic and thus can increase network performance.
Some disadvantages of bridges include their propensity to cause broadcast storms because they pass broadcast messages across the bridge, and the fact that the bridge is not “smart” enough to evaluate and use the most efficient path for each transmission as a router does. Bridges are not very efficient for use in large, complex networks. If your network fits that description, you may need to consider a router, which works at a higher layer of the OSI model.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 526
526 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Understanding Upper-Layer Connectivity Devices Like hubs and switches, routers are multiport connectivity devices. Unlike hubs and switches, routers are appropriate for use on large, complex networks because they are able to use the logical IP address to determine where packets need to go.
How Routers Work How does using the IP address help to simplify the routing process? You will recall that an IP address is divided into two parts: the network ID and the Host ID. The network ID is the key here, as it “narrows down” the location of the particular destination computer by acting somewhat like the zip code does for the post office.
Using the Network ID to “Narrow the Search” In a small town, all streets may share the same zip code, so that a letter addressed to 100 Hall Street, Seagoville TX doesn’t really need a zip code. It will reach its destination because there is only one Seagoville post office, and it can easily keep up with where all the streets in town are located. In a big city, however, a letter addressed to 100 Hall Street, Dallas TX will have more difficulty reaching its destination. That’s because there are several post offices in Dallas, each designed to serve only a designated part of the city. The zip code identifies which of these post office stations will handle the delivery of the letter, much as the network ID identifies which subnet, or part of the network, a destination computer is on. In order to use this information, though, the post office must be zip code-aware. That is, the employees there who sort the mail must understand what the zip codes mean. If we had employees performing this task who came from the era before the advent of zip codes, they would see the series of numbers at the end of the address and, not understanding their significance, disregard it. Like those postal employees from a former time, bridges and other lower-layer devices don’t recognize IP addresses or utilize them in making decisions about where to send the data. Routers, however, working at the Network layer where IP operates, can understand and use IP addresses. A router keeps a table, too, but unlike a bridge or switch, which only deals in MAC addresses, the routing table tells the router how to get to other known networks (or subnets) based on the network ID. Then, when a packet reaches the appropriate network, the Host ID is used to get it to the particular computer for which it is destined.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 527
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 527
The Routing Table Where does the router get this information? Routes can be entered into its routing table manually (this is necessary when static routing protocols are used), or the router can “learn” routes from other routers with which it communicates, using dynamic routing protocols (such as RIP and OSPF, both supported by Windows 2000).
The Routing Process A packet is routed across multiple subnets using a complex process of stripping off and replacing the header information as it goes from one network to the next. This is necessary because the source and destination address change for each network it goes through. In other words, the process works something like this: 1. Computer A with IP address 192.168.1.4 sends a message to Computer B with IP address 201.234.1.12. Both have a subnet mask of 255.255.255.0. 2. Because IP recognizes that the destination address is not on the same subnet as the source address, it sends the message to Router 1, which is Computer A’s default gateway. 3. Router 1 is connected to the 192.168.1.0 network and the 210.45.9.0 network. It is not connected to the 201.234.1.0 network, but it has an entry in its routing table telling it that the way to get there is via Router 2. 4. Router 1 replaces the original source address (Computer A’s) with its own, and sends the packet to Router 2. 5. Router 2 is connected to both the 210.45.9.0 network and the 201.234.1.0 network. It replaces the source address with its own and routes the packet to the destination computer (Computer B), which with an address of 201.234.1.12, is on its subnet. 6. Now when Computer B replies, it will send the packet back to Router 2, which will forward it to Router 1, which will return the response to Computer A. See Figure 10.6 for an illustration of this process. Routers must understand the network protocol being used, thus they are called protocol-specific devices. A bridge isn’t concerned with protocols, but a router must support the protocol(s) used by your network.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 528
528 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Figure 10.6 Packets are forwarded from one router to the next across multiple subnets.
Computer A 192.168.1.4 192.168.1.4 Router 210.45.9.1
210.45.9.2 Router 201.234.1.1
Computer B 201.234.1.12
How and Why Routers Are Used Routers are used to handle complex routing tasks. Routers also reduce network congestion by confining broadcast messages to a single subnet.
NOTE A router can either be a dedicated device (such as those made by Cisco) or a computer running an operating system that is capable of acting as a router. Windows 2000, like Windows NT, can function as a router when two network cards are installed and IP forwarding is enabled.
Routers are capable of filtering, so that you can, for instance, block inbound traffic. This allows the router to act as a firewall, creating a barrier that prevents undesirable packets from either entering or leaving a particular designated area of the network.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 529
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 529
WARNING The more filtering a router is configured to do, the slower the performance.
Okay, if routers are so great, is there any reason not to use one? Why bother with any of the other connectivity devices? Routers have a few disadvantages: ■
■
Cost Routers cost significantly more than lower-layer connectivity devices. If you don’t need the router’s sophisticated capabilities, you should use a less expensive bridge or switch to reduce network traffic. Performance All that complexity involved in communicating with other routers and building routing tables and making routing decisions comes with higher overhead than the simpler devices. Thus, a router can slow performance somewhat—although that may be balanced by the reduction of congestion.
How and Why Brouters Are Used Although its name may sound like the weird result of some recombinant DNA experiment, the brouter is a device that attempts to combine the features of bridges and routers into a “best of both worlds” solution. This may be useful when some nodes on the network are running unroutable protocols, such as NetBEUI, while others use protocols that can benefit from routing. The brouter functions like a router, using IP addresses to make routing decisions, when packets are sent using a routable protocol like TCP/IP. If a nonroutable protocol is used, the brouter will use the MAC address to function as a bridge.
NOTE Because it performs the functions of both a router and a bridge, brouters operate at both the Data Link and the Network layers of the OSI model.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 530
530 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
How and Why Layer 3 Switches Are Used Recently, a type of switch that operates at the Network layer, or Layer 3 of the OSI model, has become a popular connectivity option. Layer 3 switches are sometimes referred to as switch routers. Although a Layer 2 switch (switching hub) is unable to distinguish between protocols, a Layer 3 switch actually performs some of the functions of a router. A Layer 3 switch can filter the packets of a particular protocol to allow you to further reduce network traffic. Layer 3 switches perform the same tasks as routers and can be deployed in the same locations that a router would traditionally be used. Yet the Layer 3 switch overcomes the performance disadvantage of routers, layering routing on top of switching technology. The Layer 3 switch, manufactured by such companies as Cisco (one of the most well-known makers of traditional routers), is quickly becoming the solution of choice for enterprise network connectivity.
How and Why Gateways Are Used Gateways are usually not implemented as “devices,” but rather as software programs running on servers. However, because they are also used to connect disparate networks, we will touch briefly on what they are, and why you might implement them in your network. Gateways normally operate at higher levels of the OSI model—typically at the Application layer—and can be used to connect two networks using entirely different protocols. For instance, an SNA (System Network Architecture) gateway will allow personal computers running Windows operating systems to communicate with an IBM mainframe computer, even though the two systems are truly “alien” to one another. Another type of gateway is used to allow Windows NT or 2000 machines, which use the SMB file-sharing protocol, to “talk” to a file server that runs the NetWare NOS and uses NCP, the Netware Core Protocol. There are many other different types of gateways, such as e-mail gateways that translate between different e-mail protocols.
WARNING Don’t confuse these application gateways with the use of the term default gateway, which identifies the IP address of the router on a network that is connected to an internetwork.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 531
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 531
Troubleshooting Layer 1 and 2 Connectivity Devices Because repeaters and hubs operate at the Physical layer, problems affecting these devices will be physical problems, or hardware problems. This layer is not concerned with high-level protocols like TCP and IP, and problems with these devices will interfere with communications regardless of the network transport protocols being used. However, Physical layer device problems can mimic TCP/IP protocol configuration problems. Always consider the Physical layer when troubleshooting connectivity problems. If the hardware doesn’t work, all the software reconfiguration in the world won’t solve the problem.
Problems with Repeaters and Hubs If you are unable to establish a connection between computers, you need to first verify that TCP/IP is properly installed (by pinging the loopback address as discussed in Chapter 5, “Using Network Monitoring and Troubleshooting Tools in Windows 2000”), check the configuration and operability of the NIC (as discussed earlier in this chapter), and confirm that there are no shorts, breaks, or other problems with the cable (also discussed in a preceding section of this chapter). If you still are unable to connect, look at your connectivity devices such as repeaters and hubs: ■ ■
■
Ensure that the device has power. Ensure that the computers’ NICs are communicating with the device (by checking status lights). Ensure that devices are installed in accordance with the IEEE specifications for the particular network architecture.
The last includes compliance with any distance limitations for the media being used and, for coax networks, the restrictions imposed by the 5-4-3 Rule.
The 5-4-3 Rule This rule states that on a 10Base2 or 10Base5 network (using coax cable and a bus configuration), you should have no more than five segments, connected by no more than four repeaters, and that only three of those segments should be populated. A populated node is one that has nodes (computers or other network devices) attached to it.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 532
532 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
NOTE In this context, a network “segment” is the length of the cable between repeaters.
Passive, Active, and Intelligent Hubs Troubleshooting the hubs that connect a 10BaseT network will depend in part on the type of hub being used.
Problems with Passive Hubs Passive hubs are simply connection points and give you few clues as to whether they are operating correctly. Fortunately, because it is a simple, nonpowered device, not much can go wrong with a passive hub. The pins and wiring inside the hub or a damaged female RJ-45 jack could create connection problems. This can be prevented by ensuring that the hubs are handled properly, since most such damage is caused by human mistreatment.
Problems with Active Hubs An active hub (multiport repeater) does give you a few clues to help you in troubleshooting connectivity problems. The pretty flashing lights that indicate network communication (or collisions) on each port are a starting point. By observing the status lights, you can ascertain if one port is “dead,” indicating either a problem with the jack or cable at that port, or a problem originating with the computer attached to it.
Problems with “Intelligent” Hubs The intelligent or “smart” hub (also called a managed hub) is a bit more helpful. This type of hub runs software with which you can communicate with the hub from a terminal or across the network. In this case, the software program will provide information about port status, and in some cases will run diagnostic applications to assist you in troubleshooting connectivity problems.
Problems with Bridges Bridges are useful devices for segmenting a network and controlling the amount of traffic. However, bridges introduce an extra layer of complexity and thus the potential for several different types of problems.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 533
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 533
Performance Problems The primary reason for using a bridge to divide your network is to increase network performance. However, it is possible that bridging can have the opposite effect if it is not implemented correctly.
Bridge Latency You will find that bridging the network, while cutting down on overall traffic, will also slightly increase latency for those communications that must cross the bridge. This term refers to delays in transmission of the data in route to the destination computer. The reason for this is the way in which the bridge decides whether to forward traffic across the bridge; it must first analyze the header information in the data frame to find out the destination computer’s MAC address, and then it must look up that address in its routing table. This takes some time, although in most cases the performance hit will not be significant, and will be offset by the overall reduction in network traffic. By adhering to accepted guidelines, you prevent noticeable performance degradation.
The 80/20 Rule One popular networking guideline pertaining to the use of bridges states that 80 percent of network traffic should be “local” (same side of the bridge), and no more than 20 percent should cross the bridge. For best performance, ensure that those computers that communicate with one another most often are on the same side of the bridge. Frequently accessed file or print servers should be placed on the same side of the bridge as those clients that use them most often. Before implementing a bridging solution, carefully analyze the normal flow of network traffic and try to group nodes so that most communication, and especially transfer of large amounts of data, takes place without the need to cross the bridge.
Bridge Looping Bridge looping can occur when there is more than one active bridge on a network. In a bridge loop, when the bridges don’t know the location of a destination computer, they send the data frame across the bridge. This results in multiple copies of the same data frame on the network, causing unnecessary congestion—but it’s worse than that. As each bridge detects the frame sent by the other bridge, it passes the frame back across to the other side. The frames coming from the other bridge cause each bridge to make incorrect entries in its routing table for the destination computer, and this in turn prevents the destina-
91_tcpip_10.qx
2/25/00
11:15 AM
Page 534
534 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
tion computer from receiving data intermittently. The problem is intermittent because the bridges keep resetting the entries in the routing table based on where the data frames are coming from. This can go on forever in an endless loop, hence the name “bridge looping.” See Figure 10.7 for an example of how this can happen. Figure 10.7 When two bridges are connected in parallel, bridging loops can form.
A
B
Hub 1 C
D Bridge 1
E
G
Bridge 2
Hub 2
F
H
In the scenario shown, if Computer B sends a message to Computer A, both bridges would detect the data frame. Neither bridge knows where Computer A is located, so both bridges would transmit the frame to the other segment. They would put an entry in the routing tables identifying Computer B as being off the left-side port. Two copies of the data frame have now been transmitted onto the right-side bridge port. Now each bridge will also detect the copy of the data frame sent by the other bridge on the right-side port. They see the source address and think this is Computer B sending Computer A another frame. They will now pass the frame back to the left-side port. Assuming Computer B is now on the right-side port, they change the table to reflect that status.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 535
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 535
This can go on forever, with both bridges detecting each other’s transmitted frames and passing them across, then changing Computer B’s status in the table from the right- to the left-side port over and over again. When the table is incorrectly set, Computer B will not be able to receive any data. When the table changes again and Computer B is identified as being on the correct bridge port, it will be able to receive data, but only until the tables are changed once more. The problem here is that a bridge looks at the source and destination addresses, but cannot identify duplicate frames. This does not mean that you can’t have two bridges on a network. In fact, redundancy is a good idea, in case one bridge “dies.” So how do you prevent the looping behavior?
The Spanning Tree Algorithm One solution to the problem of bridging loops is the Spanning Tree Protocol. If your bridge supports and is configured to use this protocol, it will be able to communicate with other bridges on the network. The two bridges will then work cooperatively, with one functioning in active mode and the other on standby unless or until it detects a failure of the first bridge. At that point, the second bridge will take over passing data frames. With only a single pathway available at any given time, there is no possibility of a loop.
For IT Professionals
Transparent Bridges and the Spanning Tree Protocol A transparent bridge is generally used on Ethernet networks. Another type of bridge, called the Source Route bridge, is used with Token Ring. The bridge is called “transparent” because the bridge is not visible to the host computers on the network. At the Network layer of the OSI model, IP does not “see” the bridge, and for its purposes, all the networks that are connected by a bridge might as well be physically connected. This type of bridge basically configures itself, constructing its routing table after it automatically initializes. It makes routing decisions based on the information in its routing table. This works fine with a simple network using only one bridge. It gets more complicated if you add bridges to the network. Continued
91_tcpip_10.qx
2/25/00
11:15 AM
Page 536
536 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Multiple bridges on the network normally are unaware of one another’s presence. They operate as separate entities. When there are multiple bridges, redundant paths to a destination exist, and this is what causes looping behavior to occur. The solution defined by IEEE 802.1D is the “Spanning Tree Algorithm.” The objective of the Spanning Tree Algorithm (or Spanning Tree Protocol) is to find these redundant paths and eliminate them. Here’s how it works: One of the bridges on the network is designated as the Root (don’t confuse this with the root account, which is the master administrative account on a UNIX system). The bridge with the lowest bridge ID is selected as the root. If there is duplication in bridge IDs, the bridge with the lowest MAC address will be chosen. On all other bridges on the network, the port with the lowest cost path to the Root bridge will be designated as that bridge’s root port. This port will be used to communicate with the Root bridge. This Root bridge will send a message at regular intervals, which is called a Bridge Protocol Data Unit (BPDU). All of the bridges attached to the Root will receive the message and pass it on, until it reaches the segments of the network that have no more bridges. This creates the “spanning tree.” A designated bridge and port is selected for each LAN. Obviously, if there is only one bridge connected to a LAN, it must be the designated bridge for that LAN. If there is more than one, the bridge with the lowest cost path to the Root bridge will be designated. Now, each port on each bridge will have one of the following as its status: 1. It is the Root port, 2. It is the designated port for one of the LANs, or 3. It is blocked. When you power up the bridge, it will assume it is the Root bridge and will send a configuration BPDU. This message includes the bridge ID. When a bridge receives a configuration BPDU that has a lower bridge ID than the ID of the bridge it assumes is Root, it updates its tables. In this way, the bridges will identify the Root bridge and create the spanning tree.
Network Monitoring Problems Bridges can interfere with your ability to effectively use network monitoring and protocol analysis tools, because the bridge isolates traffic that is
91_tcpip_10.qx
2/25/00
11:15 AM
Page 537
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 537
“local” to one side of the network. This can prevent you from seeing the entire network, because you will typically only be able to monitor the traffic on the side of the bridge on which the monitoring device or software is located. This means you may have to put a protocol analyzer on each side of the bridge in order to monitor all the traffic on the network, unless the bridge incorporates a special port to allow monitoring of both sides.
Selecting a Connectivity Device Because the network connectivity devices perform similar but different functions, it is sometimes difficult to know which is the best choice in a given situation. Table 10.3 will help you in the decision-making process. Table 10.3 Comparison of Connectivity Device Features Repeater
Hub
Bridge
Switch (Layer 2) Router
Use to lengthen the overall distance spanned by the network media.
Use to connect computers in a LAN using UTP cable. Choose an active hub, or multiport repeater, to boost the signal.
Use to reduce network traffic by segmenting the network into two sides, so that data intended for a computer on the same side does not go to those on the other side. Forwards broadcast traffic.
Use to reduce network traffic by creating a two-node collision domain, so that data is only sent out the port attached to the destination computer.
Use to reduce network traffic by separating the network into subnets and isolating broadcast traffic to each individual subnet instead of sending it to the entire network.
Boosts signal and passes it on; doesn't distinguish between types of traffic (data vs. noise).
Sends signal Recognizes MAC back out all address, and ports. either sends data across to the other side or contains it on one side based on the address.
Recognizes MAC address, and sends data only to the computer for which it is destined.
Recognizes IP addresses and routes data based on network ID.
Operates at the OSI Data Link layer.
Operates at the OSI Network layer.
Moderately expensive.
Most expensive.
Operates at Operates at the OSI the OSI Physical layer. Physical layer. Least expensive.
Operates at the OSI Data Link layer.
Relatively Relatively inexpensive. inexpensive.
91_tcpip_10.qx
2/25/00
11:15 AM
Page 538
538 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Summary In this chapter, we have taken a brief look at some of the common connectivity problems that can occur at the Network Interface level. This layer of the DoD model maps to OSI’s Physical and Data Link layers, and includes such issues as compatibility, functionality, and configuration of network interface cards (NICs); cable media; IEEE specifications for popular networking architectures; and network connectivity devices. We discussed the role of the NIC in TCP/IP and other network communications, and the importance of having the correct, properly installed, configured and updated device drivers. We then looked at media issues, and how cable type and length can impact connectivity. Then we examined the roles of the different connectivity devices. We learned the differences between a repeater and a hub, and how to distinguish passive, active, and intelligent hubs. We gave special attention to the so-called switching hub, also commonly referred to as a Layer 2 switch. We talked about bridges and how they can be useful in reducing network traffic by segmenting the network into two parts. We provided a brief overview of routing and routers, and how a dedicated routing device or a Windows NT or 2000 computer configured to enable IP forwarding can be used to reduce network traffic by blocking broadcasts and other selected traffic. We then discussed advantages and disadvantages of each of the connectivity devices, and how to determine which is best for your network. In summary, we concluded that: ■
■
■
■
Repeaters are inexpensive and useful for boosting a signal that has degraded due to distance, thus extending the length of the network. Hubs are central connection points for networks that use unshielded twisted-pair cabling, and active hubs function as multiport repeaters, boosting incoming signals before sending them back out over all ports to all attached computers. Intelligent hubs include small processors and run diagnostic software. Repeaters and hubs pass on all network traffic. Layer 2 switches are a type of hub that can read MAC addresses and build a table matching those addresses to ports, allowing the switch to send a data frame out only on the port attached to the computer whose MAC address is shown as the destination in the frame header. Switches pass specifically addressed traffic only to the destination, but send broadcasts out over all ports. Bridges are used to segment a network into two parts, using the MAC address in a data frame to determine whether to pass the
91_tcpip_10.qx
2/25/00
11:15 AM
Page 539
Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level • Chapter 10 539
■
■
frame across the bridge to the rest of the network. Bridges pass on broadcast traffic. Routers use the IP address to determine what network (or subnet) the destination computer is on, and then route the data to that subnet by the most efficient path. Routers can use dynamic routing protocols that allow them to communicate with each other and learn the routes to distant networks from one another. Brouters combine the functions of bridges and routers into two devices, acting like a bridge when a nonroutable protocol is used for communication, or like a router when a routable protocol such as TCP/IP is used.
We further examined specific problems that can occur with each of the connectivity device types, such as bridge latency, bridging loops, and monitoring limitations caused by segmentation of the network. In the next chapter, we will build on this discussion by going one layer higher, to the Internetwork layer of the DoD model where routing takes place. We will look at some of the problems that can occur in a routed TCP/IP network, how to prevent them or—failing that—how to deal with them.
FAQs Q: How does a bridge improve network performance if it still passes broadcast traffic? A: In an Ethernet network in particular, a bridge can have a significant impact on performance. By dividing the network into two parts (segments), the bridge creates a situation where computers only have to contend or compete with the other machines on the same segment. This way, two NICs on opposite sides of the bridge can actually be transmitting at the same time, without causing a collision. Q: How does a bridge affect the maximum cable length for an Ethernet network? A: The bridge effectively doubles the length limitation by acting as a node on each segment. That is, before the bridge transmits traffic that it is passing over from the other side, it listens to the cable to ensure that it is clear first (as an Ethernet NIC does).
91_tcpip_10.qx
2/25/00
11:15 AM
Page 540
540 Chapter 10 •Troubleshooting Windows 2000 Connectivity Problems at the Network Interface Level
Q: Which network connectivity device offers the best performance? A: In general, switches are faster than either bridges or routers. This is because switches direct the data frames across the different network segments in a both a faster and a more efficient way, by using onboard logic and Application-Specific Integrated Circuits (ASICs). Q: What is the difference between segment switching and port switching? A: A segment switch has an entire network connected to each of its ports. This means you can connect more computers with fewer switches (or a switch with fewer ports). This gives you some flexibility, in that you could place just one machine on a port and have a single node segment so that you can give high-use machines such as servers their own dedicated path. The port switch is what we refer to as a switching hub. In this case, there is one machine or device per port. Port switching is more expensive because it requires more switches and/or ports as well as more cable. Both switch types will increase network performance. Q: What is a VLAN? A: A Virtual Local Area Network, or VLAN, involves establishing multiple logical networks on one larger physical network, using a switch to restrict which computers or network segments will have access to which parts of the network. VLANs are used to increase network performance and also to increase security. The data from selected hosts or segments can be filtered out; for instance, you may wish to filter out packets from the busy parts of the network to avoid slowdowns on a particular virtual LAN. Q: What are some reasons to subnet a network with a router? A: Reasons for dividing the network into subnets include 1) diminishing bandwidth as the network grows, 2) performance slowdowns caused by excess broadcast traffic, 3) need for better manageability of the network, and 4) network security. Creating subnetworks will address all of these issues, while still allowing computers on different subnets to communicate with one another by using a routable protocol such as TCP/IP, which can be forwarded from one subnet to another by a router.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 541
Chapter 11
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Solutions in this chapter: ■
Router Problems
■
Router Configuration
■
Windows 2000 as an IP Router
■
ARP / RARP Problems
541
91_tcpip_11.qx
2/25/00
11:17 AM
Page 542
542 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Introduction The Internetwork layer of the DoD model, where the Internet Protocol (IP) operates, could be thought of as the heart of TCP/IP communications. Without it, computers would be unable to “talk” to one another. After all, this is the layer responsible for routing; in other words, for actually getting the data to its destination. Troubleshooting problems at the Internetwork layer actually involves both IP addressing problems, which we discussed in Chapter 8, “Troubleshooting Windows 2000 IP Addressing Problems,” and routing decisions, which we will look at in this chapter. Networks are growing larger and larger, and most networks today are routed networks. A routed network is generally defined as a network that is connected to other networks, or subnets, via a gateway. The gateway is either a dedicated device called a router or a computer running an operating system (such as Windows NT or Windows 2000) that allows it to function as the router/gateway. In Windows 2000 Server, the Routing and Remote Access Service (RRAS) is a full-featured software router and provides an open platform for routing and internetworking. RRAS is fully integrated with the operating system and can be extended with application programming interfaces (APIs) that allow developers to construct customized networking solutions.
NOTE In this chapter, in the context of troubleshooting TCP/IP problems, we will be discussing routing of IP packets. Windows 2000 is also capable of IPX routing.
Distinguishing characteristics of the gateway device or computer are: ■
■
It must be running software that makes it capable of performing IP forwarding. It must have a network interface to more than one network (sides of the gateway). When a computer is acting as a router, it must have multiple network interface cards (NICs), or a NIC and a wide area network (WAN) interface, such as a modem.
IP routing involves discovering a pathway from the sending computer (or forwarding router) to the destination computer whose address is designated in the IP header. In concept, this is not unlike what you would do when planning a trip from your home to a distant location. To navigate a
91_tcpip_11.qx
2/25/00
11:17 AM
Page 543
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 543
course, you would sit down with a map and plot out the best route based on several factors. Distance, simplicity, and congestion might be some things you would consider when deciding which roads to take.
A Routing Example As an example, let’s envision a road trip from Dallas, Texas to a street address in Memphis, Tennessee. You would focus first not on the specific area of Memphis in which the destination address was located; your initial goal is to get to the correct city. Comparing this to network routing, we can understand that the first concern is to get the packet to the proper network (or subnet); we’ll worry about getting it to the specific host later. Thus, if our data is “traveling” from sending computer 192.168.1.32 to destination computer 201.12.115.7, our “navigator” (IP) will look at the network IDs and concern itself with how best to get from the 192.168.1.0 network (Dallas) to the 201.12.115.0 network (Memphis). Unfortunately, no interstate highway goes directly from Dallas to Memphis. However, we can get there by going through Little Rock, Arkansas. We would drive from our home in Dallas to the Dallas gateway, Interstate 30 North. Our routing table tells us this is the road to take to eventually end up in Memphis, even though it doesn’t go there itself. When we reach Little Rock, we find that the interstate highway system comes together there, providing a connection between the “Dallas” network that we reached via I-30 and the “Memphis” network that we can reach via I-40. The I-30 gateway is like a router that is connected to the 192.168.1.0 network (Dallas) and the 214.40.2.0 network (Little Rock). From Little Rock, we travel the second leg of our trip: to Memphis. The router on the 214.40.2.0 network (Little Rock) is also connected to the 201.12.115.0 network (Memphis). See Figure 11.1 for an illustration of this process. Once we reach Memphis, then we become concerned with the specific street address, and once the packet reaches the destination network, then IP becomes concerned with the Host ID to get the packet to the specific computer. This is a simplistic example, but it serves to illustrate how routing works, whether it’s taking place on the nation’s roadways or across the cables and wireless connections of computer networks. In our example, we took the straightest and presumably the fastest path between cities, the interstate highways. However, if we happened to know that Interstate 30 was shut down or heavily congested at some point between Dallas and Little Rock, we might have diverted our course to take Interstate 20 from Dallas to Jackson, Mississippi, and then take
91_tcpip_11.qx
2/25/00
11:17 AM
Page 544
544 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Interstate 55 from Jackson to Memphis. The distance would be longer, but based on the road conditions this could prove to be a more efficient route. Figure 11.1 The trip from Dallas to Memphis involves two “hops.”
Dallas
Memphis
Little Rock
Hop 2
Hop 1
IP routers are also capable of making such assessments and choosing alternate routes. This is made possible by the use of dynamic routing protocols, which we will discuss a little later in the chapter. In routing parlance, each “leg” of our trip (Dallas to Little Rock, Little Rock to Memphis) is called a hop. The hop count is one of the factors that a routing protocol takes into account when calculating the cost of choosing a particular route to the destination. As we go through this chapter, we will look at how the different routing protocols perform all these tasks, what can go wrong along the way, and what we can do about problems when they arise.
IP Routing Overview IP is the Network layer component of the TCP/IP protocol suite. IP handles Network layer addressing and routing of packets, and can be used across any group of physically connected networks in which the computers are running the IP protocol.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 545
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 545
IP routing refers to the forwarding of packets from the source computer to the destination computer by going through routers that support IP routing. The distance traveled from one router to the next is called a hop, and at each router, the destination IP address on the packet is compared to the routing table, and the best route is used to decide the endpoint of the next hop.
Routing Fundamentals Computers on an internetwork send packets to one another in one of two ways: directly (if the source and destination computers are on the same subnet), or indirectly (if the source and destination computers are on different subnets) by forwarding the packets to a router.
Direct Routing The term direct routing is sometimes used to describe the process of routing data to a destination computer that is on the same network (subnet) as the sending computer. When IP reads the network ID portion of the source and destination addresses and determines that they are the same, the packet can be sent directly to the destination address without going through a gateway. No forwarding is necessary. See Figure 11.2 for an example of direct routing. Figure 11.2 Direct routing is used when the source and destination network IDs are the same.
Source address: 192.168.1.2 Destination address: 192.168.1.6 Da
ta
192.168.1.2
Pa
cke
t
192.168.1.5 192.168.1.3
192.168.1.6 192.168.1.4
91_tcpip_11.qx
2/25/00
11:17 AM
Page 546
546 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
When only direct routing is needed (all computers that share a physical connection have the same network ID), the network may be called an unrouted network.
Indirect Routing When we speak of a routed network, we are really talking about indirect routing. Indirect routing occurs when the network ID portion of the IP address is not the same for the source address as in the destination address. Indirect routing involves forwarding of the IP packet from one network (subnet) to another, through a gateway (the router) that has an entry in its routing table telling it how to reach the destination network. We will talk about how routes are added to the routing table later in this chapter. An illustration of indirect routing is shown in Figure 11.3. Figure 11.3 Indirect routing is used when the source and destination network IDs are different. Source address: 192.168.1.4 Destination address: 201.12.121.8
192.168.1.4 Data Packet
192.168.1.1 Router
201.12.121.1
Data Packet Gateway
201.12.121.8
You can see in Figure 11.3 that the network ID portions of the source and destination computers are different. Therefore, the source computer sends the packet to a gateway (in this case, the router that has an
91_tcpip_11.qx
2/25/00
11:17 AM
Page 547
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 547
interface on the source’s network, 192.168.1.1). The packet is then forwarded across the gateway to its second interface (201.12.121.1), which connects to the destination computer’s network. From there, the packet can be directly routed.
The Default Gateway It would be impossible for a computer’s routing table to contain routes to every possible destination. For that reason, a TCP/IP computer that will be connected to an internetwork is set up with a default gateway. This is the IP address to which all “foreign” packets (those whose destination address is located on a network other than the local subnet) should be sent when no specific route to the destination address exists in the routing table. The default gateway is a very important concept in TCP/IP networking because without it, communications are limited to the local subnet. The router that is designated as the subnet’s default gateway will be configured with routing information for how to reach remote networks that are connected to the internetwork. This improves the efficiency of operation, because instead of requiring all computers to maintain extensive routing tables, the default gateway takes on that chore.
Multiple Gateways Windows 2000 allows you to specify multiple default gateways for a network interface when configuring the TCP/IP protocol. However, only one default gateway can be active at a time. The primary gateway is used unless it fails; then the secondary gateway will be used instead.
NOTE If the computer has two NICs, each configured with a different default gateway, the gateway on the first NIC will be used. The gateway for the second NIC will be a backup, used if the first card’s gateway fails.
Proper Configuration of the Gateway A common problem related to the Internetworking layer is improper configuration of the default gateway (or failure to configure a gateway at all). This will result in the inability of the computer to communicate with computers on remote networks. If the computer is able to send data to computers on its own subnet but cannot successfully send to computers whose network IDs are different from its own, suspect a problem either with configuration of the gateway or a failure of the gateway device itself.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 548
548 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Figure 11.4 shows the TCP/IP Properties sheet where the default gateway setting is configured. Figure 11.4 The default gateway is configured in the TCP/IP Properties sheet.
The TCP/IP Properties sheet is accessed by selecting Start | Settings | Network and Dialup Connections, double-clicking the local area connection, and then clicking PROPERTIES. Next, select Internet Protocol (TCP/IP) in the list and click PROPERTIES. The default gateway address must be the IP address of a router or a computer that has IP forwarding enabled to allow it to function as a router.
TIP The IP address entered for the default gateway must be on the same network as the IP address assigned to the NIC. If the network is subnetted, ensure that according to the subnet mask specified, the IP address setting and the default gateway setting are members of the same subnet.
If you do wish to enter additional gateway addresses, you can do so by clicking ADVANCED, which will display the dialog box shown in Figure 11.5.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 549
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 549
Figure 11.5 Setting multiple gateways in the Advanced TCP/IP Settings box.
When you add or edit a gateway’s settings, you can specify a metric, or “cost,” which is a number representing the number of hops it takes to reach the destination. This can be specified for both the gateway and the network interface. The default metric is 1.
Routing Interfaces Typically, a router is connected to two or more networks or subnets. The router, a dedicated device or a computer acting as a router, is said to have an interface to each network to which it is connected. The router’s interface can connect to a LAN or to a WAN. The WAN interface can be a modem, an ISDN terminal adapter, or other WAN media connection device. The LAN interface is a network adapter card. Each interface must have an IP address with a network ID appropriate for the network to which it is connected. The router functions at the Internetwork layer of the DoD networking model (the Network layer of the OSI model).
91_tcpip_11.qx
2/25/00
11:17 AM
Page 550
550 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Routing Tables Each Windows 2000 computer that functions as a router has a routing table, a database that contains the routes designating the location of network IDs on the internetwork. Host computers (nonrouters) can also have routing tables, which they use to decide upon the best route for sending data. Three types of routes can be entered in the routing table: ■
■
■
Network route This is a route to a particular network based on the network ID in the IP address. Host route This entry has information about the route to a specific computer, based on the network and Host IDs in the IP address. Default route This route is used when there is no other route available for the destination IP address.
Understanding the IP routing table is important for troubleshooting Internetwork layer problems on a routed TCP/IP network. The routing table is the basis for routing decisions made by computers using the TCP/IP protocols, and the information in the routing table can be the starting point for diagnosing routing problems.
Viewing the Routing Table Windows 2000 provides two ways to view the table: you can use the command line, or the graphical interface.
Viewing the Table via the Command Line To view the routing table, use the ROUTE PRINT command, as shown in Figure 11.6. You will note that no persistent routes have been defined in the routing table shown in Figure 11.6. A persistent route is one that remains in the table after the computer is rebooted. Normally, the routes you add are not retained when you restart the system.
Viewing the Table via the GUI Windows 2000 provides a more user-friendly way to view the routing table, using the graphical interface of the Microsoft Management Console (MMC). To access the table this way, open the RRAS MMC by selecting Start | Programs | Administrative Tools | Routing and Remote Access. In the console tree in the left pane, under the RRAS server name, expand IP Routing. Then right-click Static Routes and select Show IP Routing Table, as shown in Figure 11.7.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 551
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 551
Figure 11.6 Use the ROUTE PRINT command to view the static routing table.
Figure 11.7 To view the routing table via the graphical interface, use the RRAS MMC.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 552
552 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Selecting this option will display the routing table as shown in Figure 11.8. Figure 11.8 The routing table as displayed in the graphical interface.
You can also view the multicast forwarding table, if you are using multicast, by right-clicking IP Routing | General, and selecting Show Multicast Forwarding Table.
Understanding the Routing Table Table 11.1 summarizes the information that is provided in the Windows 2000 graphical version of the IP routing table. Table 11.1 Information Contained in the Windows 2000 IP Routing Table Column Heading
Description of Information
Destination
This column shows the destination host, subnet address, or network address. It can also show the default route, which is 0.0.0.0.
Network Mask
The network mask is used along with the destination IP address, to determine the route to be used. If the mask is 255.255.255.255, this means that only an exact match of the destination uses this route. A host route will have a mask of 255.255.255.255. A mask of 0.0.0.0 means the route can be used by any destination; no match is required. A mask between these two indicates how much of the destination address must match in order to use the route. For example, if the mask is 255.255.248.0, and the IP address of the destination is 172.16.8.0, the first two octets and the first five bits of the third octet must match.
Gateway
This column shows the IP address of the next router on the route to which the packet should be forwarded. The gateway must be within direct reach of this router. Continued
91_tcpip_11.qx
2/25/00
11:17 AM
Page 553
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 553
Column Heading
Description of Information
Interface
This column shows the name of the interface, such as the Local Area Connection, that is used to reach the next router.
Metric
This number indicates the "cost" of using this route to reach the destination, shown in hop count (number of routers that must be crossed).
Protocol
The last column shows any routing protocol being used (OSPF, RIP, etc.). Local indicates that no routing protocol is being used.
Simple Routing Scenario In the simplest routing scenario, two LANs (subnets) are joined by an IP router. The router has an interface connected to each subnet, configured as a member of that subnet. The computers on each subnet have the router’s “near side” interface set as their default gateway.
NOTE The “near side of the router” refers to the IP address of the interface that is connected to the local subnet. The interface(s) connected to a remote subnet is called the “far side of the router.”
See Figure 11.9 for a graphical illustration of this simple routing setup. Note that in this situation, it is not necessary to use routing protocols. This is because the router is connected to all subnets to which packets will be routed, and there is no need to propagate routing table information.
The Windows 2000 Router Microsoft refers to a computer that is running RRAS and providing local or wide area networking routing services as a Windows 2000 router. Some of the features of the Windows 2000 router include: ■ ■
■
Multiprotocol routing (IP, IPX, and AppleTalk are supported) Support for standard dynamic routing protocols (OSPF and RIP, versions 1 and 2) Packet filtering
91_tcpip_11.qx
2/25/00
11:17 AM
Page 554
554 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level ■ ■ ■
Router advertisement and discovery (via ICMP) Multicast services (IGMP) Unicast routing
Figure 11.9 A simple scenario with a router connecting two subnets.
192.168.1.23
192.168.1.45
192.168.1.71
Network 192.168.1.0 Subnet mask 255.255.255.0 Default gateway 192.168.1.1 Router Interface A 192.168.1.1 Router Router Interface B 201.212.21.1 Network 201.212.21.0 Subnet mask 255.255.255.0 Default gateway 201.212.21.1
201.212.21.4
201.212.21.18
201.212.21.34
NOTE Unicast routing is defined as forwarding packets addressed to a single destination over an internetwork, using routers to connect subnetworks together based on network IDs. Multicast routing refers to communicating multicast information from one router to another. Multicasting involves sending packets to a group of destination addresses.
Multicast routing requires the use of special multicast routing protocols. Although Windows 2000 does not include any built-in multicast routing protocols, it does include APIs that allow vendors to extend the platform to add multicast protocols.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 555
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 555
Routing Protocols Routing comes in two basic “flavors,” static and dynamic. With static IP routing, the routing table must be constructed manually; an administrator must enter the IP addresses defining the routes to remote networks one by one. Using a dynamic routing protocol, the table is configured and maintained automatically, because the dynamic router can communicate with and “learn” from other routers on the network. This saves the administrator a great deal of time. Dynamic routing requires a separate protocol, such as the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).
NOTE Static and dynamic routing can coexist; they are not mutually exclusive. It is possible to place a dynamic router in a network that uses static routing, to allow the static network to communicate with a dynamic one. The static router requires manual configuration as usual. The dynamic router will require that some static routes be entered into its routing table, to allow it to communicate with the static router.
Next we will look at how routing works with a static routing table, and then we’ll discuss the popular dynamic routing protocols.
How Static Routing Works To build a static routing table with Windows 2000, you can use the Route command-line utility. (You can also use the GUI). See Figure 11.10 for the available options. As you can see in Figure 11.10, there are several switches and commands that can be used with the Route command to invoke optional behavior. These are summarized in Table 11.2.
NOTE With the PRINT and DELETE commands, you can use a wildcard (represented by an asterisk) for the destination or gateway value.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 556
556 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Figure 11.10 Options available with the Windows 2000 Route command.
Table 11.2 Windows 2000 Route Command Switches and Commands Switch or Command
Action
-f
Clears all gateway entries Can be used with other from the routing table. commands to clear the table before invoking the action of the other command.
-p
Creates a persistent route.
PRINT
Prints the route.
ADD
Adds a route to the table.
DELETE
Removes a route from the table.
CHANGE
Allows you to modify a route that is already in the table.
Comments
Is used with the ADD command. Causes the entry to stay in the table when the computer is restarted.
Continued
91_tcpip_11.qx
2/25/00
11:17 AM
Page 557
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 557
Switch or Command
Action
destination
Identifies the host computer that is the destination address.
MASK
Signals the netmask value as the next entry.
netmask
Identifies the subnet mask.
gateway
Identifies the IP address of the gateway.
interface
Identifies the interface number for the route.
METRIC
Sets the cost for the destination.
Comments
Default is 255.255.255.255.
By default, cost per hop is 1, but this can be modified.
Characteristics of Static Routing Static routing not only requires that you painstakingly set up the routing table, you also must manually enter every change, addition, and deletion that occurs. This reprogramming of the routers each time a change is made can be time-consuming and tedious. Why would anyone ever use static routing? Actually, most networks don’t, but static routing does have a couple of advantages: ■
■
■
Static routing can be implemented with a minimum of equipment. No dedicated routing device is needed; you can set up a multihomed Windows NT or Windows 2000 computer to be a static router. A multihomed computer is one that has two (or more) network interfaces. The initial cost of implementing static routing is less than dynamic routing, because of the cost of routing devices. You have more specific control over routes used in a static routing situation since you enter the routes into the table manually. You can delete or change routes and ensure that packets use the desired route.
These benefits are not enough, however, to make static routing an attractive solution to most network administrators, due to its many disadvantages: ■
There is no real fault tolerance in a static routing environment. If one of the routers becomes unavailable, others cannot detect
91_tcpip_11.qx
2/25/00
11:17 AM
Page 558
558 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
■
■
its absence. Since a static-routed internetwork will generally be a single-path environment (only one path available between any two endpoints), this can result in the inability of some hosts to communicate with others on the network. A great deal of administrative maintenance is required to keep routing tables updated on a static network if new routes need to be added or removed. Static routing is appropriate only for small internetworks (those having from two to 10 networks). Beyond this, administration becomes unmanageable.
The Dynamic Routing Protocols Routers running dynamic routing protocols can automatically build their routing tables and make modifications when the network changes. These changes are propagated throughout the network as the dynamic routers communicate with one another. Windows 2000 includes built-in support for the two most popular dynamic routing protocols, RIP and OSPF.
RIP for IP The Routing Information Protocol (RIP) has been used for many years and works well with small and medium-sized networks, although it does not scale well to large internetworks. RIP is a distance vector protocol (for more information, see the sidebar For IT Professionals in this chapter) with a maximum hop count of 15. For practical purposes, this means that if it takes more than 15 hops to reach another network (subnet), RIP interprets it as “destination unreachable.” RIP’s usefulness is enhanced by the fact that it is a standard implemented by many vendors. RIP is implemented as an Interior Gateway Protocol (IGP) within individual networks that make up the internetwork. EGP, the Exterior Gateway Protocol, is used to provide communications between these individual, autonomous networks.
NOTE RFC 1058 defines standards for the Routing Information Protocol.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 559
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 559
How RIP Propagates Routing Table Information RIP for IP works by sending an announcement message at regular intervals that contains the information in its routing table. Other RIP routers receive this message and add the information to their own tables. In this way, route information spreads throughout the network. RIP routers also use triggered updates to spread their information. An update is triggered by a change in the network, such as the failure of a gateway. When a router detects the failure, it updates its own table and then sends out the new information immediately instead of waiting for the next scheduled update period.
NOTE Version 1 of RIP sends its announcements via broadcast packets. Version 2 can also send announcements via broadcast packets, but can also use multicast packets.
Windows 2000 RIP Features The Windows 2000 router supports the following features designed to avoid some of RIP’s traditional problems, such as routing loops and slow recovery: Split horizon. This is an algorithm used by routers for learning route information that prohibits advertising messages from going back out on the same port to which the information came in, thus preventing routing loops. The “simple split horizon” scheme omits routes learned from one neighboring router in updates that are sent to that neighbor. Poison reverse. This is an algorithm used in conjunction with split horizon, sometimes called “split horizon with poison reverse,” that improves RIP information convergence by advertising all network IDs. Poison reverse is safer than simple split horizon. If two routers on the network have routes pointing at one another, reverse routes are advertised with a metric of 16. This will break the loop immediately because the route will be marked as unreachable due to RIP’s hop count limit. If the reverse routes were not advertised, the erroneous routes would not be eliminated until a timeout occurred.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 560
560 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Triggered updates. Even though split horizon and poison reverse prevent routing loops when only two routers are involved, it is still possible for looping to occur if there are three or more gateways. Triggered update algorithms invoke a rule that says when a gateway changes the metric for a route, it must send update messages almost immediately, even if it is not yet time for the regular update announcement to be sent. This speeds the convergence of information and corrects more complex looping problems.
NOTE In the best of all possible worlds, the network would be frozen in place while the cascade of triggered updates is happening. If this were possible, bad routes would always be removed immediately, and routing loops could never occur. In the real world, however, regular updates may be happening at the same time the triggered updates are being sent. Routers that haven’t received the triggered update will still send out information based on the bad route that no longer exists. The problem occurs when a router has already received the triggered update, then afterward receives a regular update from a router that hasn’t yet received the triggered update. This would reestablish the bad route. The key is making the triggered updates occur quickly enough to prevent this situation.
RIP Listening (Silent RIP) The Windows 2000 router also supports “RIP listening.” You will find this referred to in RFC 1058 as “silent RIP processes.” The RFC defines a silent process as one that normally does not send out any messages, but listens to messages sent by others. Hosts that do not act as gateways themselves, but wish to keep their internal routing tables up to date, can use silent RIP to do so. This service can also be useful in some dial-up network situations, for instance if the computer is operating as a remote access client over a dial-up connection to a corporate network. Before you can use RIP listening in Windows 2000, it must be enabled. You do this by installing the RIP Listener in the Networking Services properties sheet of Add/Remove Windows Components, accessed through the Add/Remove Programs applet in Control Panel. This is done on a TCP/IP host computer; this component will not be available on a server computer that has RRAS installed. See Figure 11.11.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 561
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 561
Figure 11.11 Enabling RIP listening on a TCP/IP host computer.
NOTE Although Windows 2000 RRAS supports both versions 1 and 2 of RIP, RIP listening only “hears” and updates route information sent by routers using RIP, version 1. When Windows 2000 is configured to unicast routing information to neighboring routers, silent hosts will not be able to receive the announcements.
RIP Implementation Both hosts and gateways may implement RIP. The protocol is used to convey information about routes to destinations. A destination can be an individual host, a network, or a special destination that is used to identify a default route. Note that a host that uses RIP is assumed to have interfaces to one or more networks, and is assumed to have a routing table that contains an entry for every destination that is reachable on the network. The metric is the most important piece of information in each entry, because RIP uses that information to determine the “cost” of the route, or to mark a network unreachable because that cost exceeds the maximum hop count of 15.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 562
562 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
NOTE RIP uses the UDP transport protocol to send and receive announcement and update messages on UDP port 520.
Preventing Trouble by Using Multiphased Implementation Microsoft recommends that you deploy a RIP network in stages in order to make troubleshooting easier. Under this strategy, you would first set up basic RIP (version 1) and ensure that it is working properly. Then, add advanced features one at a time, testing each before adding more.
Advantages and Disadvantages of RIP The biggest advantages of RIP are its history as an industry standard (and thus wide support by routing devices) and its relative simplicity to set up. Its disadvantages include: ■
■
■
■
A hop count limitation of 15, which renders any subnet 16 or more hops away as unreachable. Excessive network traffic caused by RIP announcements, especially as the network grows larger. High convergence time, requiring up to several minutes for changes to propagate throughout the network. Possibility of routing loops while the routers are reconfiguring themselves after changes, which can cause data to be lost.
Common RIP Problems Common problems with RIP routing include convergence problems, routing loops, and the “count to infinity” problem. Convergence problems. Because RIP is a distance vector protocol, it announces routing information without synchronization or acknowledgments, which can lead to convergence problems. It takes a certain amount of time for updates to propagate throughout the network. It is possible to modify the announcement algorithms to reduce the convergence time, although this may not work in all situations. Routing loops. Loops occur when a routing table has inaccurate entries. In this case, a path may be created through the network that loops back on itself. For example, if the routing table on
91_tcpip_11.qx
2/25/00
11:17 AM
Page 563
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 563
Router A says the best route to Network 3 is via Router B, and the routing table on Router B says the best route to Network 3 is via Router C, and the routing table on Router C says the best route to Network 3 is via Router A, you have a routing loop. Count-to-infinity. The “count-to-infinity” problem results from the lack of synchronized convergence. RIP routers add new routes to the tables based on routes advertised by other routers. When they do this, they retain only the lowest-cost route. A low-cost route is normally not updated with a higher-cost one. If a router goes down, unless every other router knows that it is down, count-toinfinity can occur. If a network becomes inaccessible, all the immediately neighboring routers will time out and set the metric to that network to 16 (which is considered “infinity”). All the other routers in the system will converge to new routes that go through one of those routers with a direct but unavailable connection. When convergence takes place, all the routers will have metrics of 16 for the vanished network. Since 16 indicates infinity, all routers then regard the network as unreachable. Rogue RIP routers. When using Windows 2000 RIP, version 1, be aware that there is no protection provided from “rogue” RIP routers. This means that regardless of the source of the RIPv1 announcement, it will be processed. This allows for the RIP routers to be overwhelmed with false or inaccurate routes by someone who wishes to disrupt the network communications.
NOTE RIPv2 supports password authentication so the origin of RIP announcements can be confirmed.
OSPF To overcome some of the limitations imposed by RIP, Windows 2000 offers another choice of dynamic routing protocols: Open Shortest Path First (OSPF). OSPF was designed to handle the types of networks that RIP doesn’t handle well: large, complex internetworks.
NOTE OSPF standards are defined in RFCs 1247 and 1583 (OSPF, version 2).
91_tcpip_11.qx
2/25/00
11:17 AM
Page 564
564 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
OSPF is efficient; it does not require much overhead. This is especially important in the large internetwork environments for which it is designed. Further, OSPF’s Shortest Path First (SPF) algorithm is not vulnerable to routing loops that can plague RIP routes. SPF calculates the shortest path between the router and remote networks by creating and maintaining a map of the internetwork. The map is called a link state database, and OSPF is referred to as a link state protocol.
For IT Professionals
Distance Vector versus Link State Algorithms One of the significant ways in which RIP and OSPF differ is in the algorithms used to calculate routing decisions. RIP is a distance vector protocol, while OSPF is a link state protocol. Distance Vector Algorithms Distance vector algorithms are also called Bellman-Ford or FordFulkerson algorithms. The latter authors were the first to document the distance vector algorithm class, which is based on “Bellman’s equation” that forms the foundation of dynamic programming. The distance vector algorithms are a long-standing standard, used for network routing calculations in global networking’s infancy in the 1960s, in the ARPANET that was the predecessor of today’s Internet. The distance vector algorithms allow gateways (routers) to share and exchange routing table information. This provides a huge benefit over static routing, which require tables to be constructed and maintained manually. RIP descended from the Xerox networking protocols, and the name “Routing Information Protocol” was first used in conjunction with XNS. Another variation is “Berkeley’s Routed.” Distance vector algorithms, although a vast improvement over static routing, suffer from several limitations. The maximum path length is 15 hops, and they are vulnerable to routing loops, caused by a behavior called “count to infinity.” RIP and the other distance vector protocols were designed for use in moderately sized networks, not for an internetwork as vast as the Internet. That’s why they are implemented as Interior Gateway Protocols. Continued
91_tcpip_11.qx
2/25/00
11:17 AM
Page 565
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 565
This brings us to the need for another type of routing protocol that can better handle routing over enormous, disparate networks. Link State Algorithms The link state protocol used by OSPF maps the network and updates the mapping database (called the link state database) whenever any changes are made to the network. Link state protocols are also referred to as Shortest Path First (SPF) or distributed database protocols. The first link state protocol was designed for use in the ARPANET. Later, modifications were made to reduce traffic overhead and add fault tolerance. A link state routing protocol builds a consistent view of the network by mapping the network topology. Each router broadcasts (or multicasts) data about the cost of the path to each of its neighboring routers. This information is disseminated to all nodes on the network. Link state protocols are more efficient but more complex than distance vector protocols. As the link state database grows, memory and processor requirements and the time required to calculate routes increase. In order to address this problem with link state protocols, OSPF divides the internetwork into areas (these are groups of contiguous networks) that are connected to each other through a backbone area. Each router then keeps a link state database only for those areas that are connected to the router. Link state protocols use TCP directed packets to communicate with other routers directly in an area, thus reducing broadcast traffic on the network. With link state protocols, convergence occurs as soon as the databases are updated, avoiding the slow convergence problems of distance vector algorithms. Link state routing protocols also allow for security of the record update messages. The database update packets are transmitted in a secure manner and protected by a checksum. Link state records are also protected by timers that remove them from the database if a refresh packet doesn’t arrive within the timeout specified. For even more security, the messages can be passwordauthenticated.
In an OSPF network, the database is synchronized between the OSPF routers, which use it to calculate routes in the routing table. OSPF supports load balancing and multipath routing, and can be used with both broadcast networks (such as Ethernet) or nonbroadcast
91_tcpip_11.qx
2/25/00
11:17 AM
Page 566
566 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
networks (such as ATM or X.25). OSPF has different protocols for broadcast and multicast network types.
NOTE OSPF uses the Dijkstra algorithm, which comes from the branch of mathematics known as graph theory, to calculate the lowest-cost path to a destination from a given source.
OSPF on a Broadcast Network On a broadcast network, OSPF uses a packet called a Hello protocol message, which is a broadcast message by which routers locate one another. A router is selected to be the Designated Router (DR), and all the other routers exchange routing information with the DR. Then, the DR updates neighboring routers. The DR is elected by an exchange of Hello packets. Each packet includes the current DR, the sending router’s router ID, and its router priority (which can be set during configuration of OSPF). The router with the highest priority is selected to be the DR. If more than one router has the same priority, the one that has the highest router ID will become the DR. A backup DR is also elected for multiaccess networks, so if the DR becomes unavailable, connectivity will not be lost.
WARNING Configuring an OSPF router with a priority of 0 means it cannot become a DR. There must be at least one router on the multiaccess network that has a priority of 1 or above. Otherwise, no router can become DR and the link state database cannot be synchronized, resulting in no traffic being passed across that network.
OSPF on a Nonbroadcast Network On a network using a nonbroadcast architecture, such as ATM, OSPF has to be initially configured manually with the addresses of neighboring routers. A DR is also used, but rather than sending the routing information via broadcast or multicast, it is sent point to point, between the DR and the other routers. This means a greater number of virtual
91_tcpip_11.qx
2/25/00
11:17 AM
Page 567
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 567
connections are required for complete connectivity, making it more complex and more resource-intensive than a broadcast network implementation.
OSPF on a Point-to-Point Network OSPF can also be used on a dedicated point-to-point network such as T-1 leased lines, connecting only two routers. IP multicast addresses are used for the OSPF messages.
OSPF’s Hierarchical Routing Structure The routing tables used by a distance vector protocol like RIP have a flat structure, and every RIP router on the internetwork must contain an entry for every network. The networks are not divided into areas or groups; all are seen as individual entities—thus the “flat” description. Link state protocols like OSPF create a hierarchical structure by dividing the internetwork into areas. Every OSPF router belongs to an area, identified by a 32-bit number, expressed in dotted decimal called the area number. This greatly reduces the size of the routing table for each router, since it only has to keep entries for its area.
NOTE Although the area address is in the same format as an IP address, it is an entirely different number, assigned by the administrator. It has no relationship to the network ID, although if the networks in an area are all in one subnetted network ID, you could, for convenience, use the network ID as the Area ID. Windows 2000 allows you to configure up to 16 areas for an interface.
There is also a backbone area designated as area 0.0.0.0. The router that connects an area to the backbone area is called an Area Border Router (ABR). This router is a member of its area and contains routing information for that area, but also is a member of area 0.0.0.0 and can route between the two areas. See Figure 11.12 for an illustration of this. The ABR has a separate link state database for each area to which it belongs, and SPF calculations are performed independently for each area.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 568
568 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Figure 11.12 The hierarchical structure of OSPF routing architecture. Router
Router
Router
Area 0.0..0.1 Router
Router Area 0.0.1.0
ABR
ABR
Router
ABR
Router
Area 0.0.0.0 (The backbone area)
Router
ABR Area 0.0.1.1
Router
Router
Area 0.1.0.0 Router
Router
OSPF Areas An area can consist of one or more networks or subnets. The advantage of splitting the internetwork into areas is that you reduce the bandwidth used for routing so that it is proportionate to the size of the area rather than the size of the internetwork as a whole. ABRs can summarize the routes within their areas. Route summarization means that each ABR communicates a single route for its area to the backbone router. Thus, the Area 0.0.0.0 routing table contains only the number of routes that correspond to the number of areas, rather than all routes for each area. In Figure 11.12, Area 0.0.0.0’s database would be required to contain only four routes, regardless of how many routers and routes exist within each of the four areas. Route summarization also decreases recalculations of routes. Whenever a network is added or removed, each OSPF router must recalculate the database. By using areas, if a new network is added to Area 0.0.1.1, the routers in other areas will not be required to recalculate since the summarized route is still valid.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 569
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 569
OSPF Router Classifications OSPF routers on the internetwork are designed as one of the following: ■
■ ■ ■
ABR Area Border Router (routes between the area to which it belongs and the backbone area). IR Internal Router (routes within its area). BR Backbone Router (Area 0.0.0.0 router). ASBR Autonomous System Border Router (used on global internetworks, such as the Internet, to add another layer of the hierarchy. An Autonomous System, or AS, represents an entire enterprise network within the global internetwork).
NOTE AS numbers are allocated by the Internet Assigned Numbers Authority (IANA), as they must be globally-unique.
OSPF uses 32-bit router identification numbers (router IDs) rather than the routers’ IP addresses to keep track of individual routers on the internetwork. This is because each router will have more than one IP address.
TIP The administrator assigns the router ID. It is common practice, although in no way required, to use the router’s lowest IP address for its router ID.
The Protocols Used by OSPF The following protocols are used within OSPF: Common header protocol. The common header used for OSPF messages includes the version number, type, packet length, the router ID, Area ID, a checksum, and an authentication field (messages can be sent with password authentication or no authentication). Hello protocol. The Hello protocol is used on broadcast networks to discover the identities and routes of neighboring routers.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 570
570 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Exchange protocol. The Exchange protocol uses database description packets in a master-slave relationship. The master sends the database description packets, and the slave sends an acknowledgment. Flooding protocol. The Flooding protocol is used when a link changes state, as when the link between two routers goes down. The router that is responsible for the changed link issues the new link state information, and the updated information is sent in regular intervals until an acknowledgment is received. Aging Link State Records protocol. The Aging Link State Records protocol is used to remove old, outdated records from the database. When the record is originally issued, its age is set as 0. It is incremented by 1 every second and on each hop, and when its age matches the designated maximum, the router removes it and informs neighboring routers of the change.
Advantages of OSPF Despite the fact that it is much more complex and requires more technical expertise to implement properly, OSPF has many advantages over RIP and other distance vector protocols: ■ ■ ■ ■ ■ ■ ■ ■
More efficient calculation of routes Faster convergence Support for load balancing Low bandwidth utilization No routing loops or count-to-infinity problems Hierarchical structure isolates instability within an area More scalability, appropriate for larger networks Secure password authenticated transmission of update messages
Windows 2000 as an IP Router A Windows 2000 multihomed host computer is configured as an IP router to provide packet forwarding for other TCP/IP computers by enabling the RRAS service and setting up a routed IP network. This can be a static routed network, a RIP for IP routed internetwork, or an OSPF routed internetwork. For more information about installing RRAS, see Chapter 9, “Troubleshooting Remote Access in a Windows 2000 TCP/IP Network.” The Windows 2000 router supports both RIP (versions 1 and 2) and OSPF dynamic routing protocols.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 571
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 571
Installing Routing Protocols The Windows 2000 router supports dynamic routing, using RIP or OSPF. To install the RIP or OSPF protocol, open the RRAS management console. In the left console pane, expand the name of the RRAS server, expand IP Routing, and right-click General. Select New Routing Protocol, as shown in Figure 11.13. Figure 11.13 Adding a dynamic routing protocol to the Windows 2000 router.
You will be given a choice to select either RIP or OSPF. Make the appropriate choice, and the protocol will be added. You can now configure it by right-clicking on its name, which will show up in the left console pane under IP Routing.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 572
572 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Windows 2000 Router Management Tools Windows 2000 provides built-in router management tools for the administration of the static, RIP, or OSPF router. A Windows 2000 router can be administered locally or remotely from another Windows 2000 computer running RRAS.
Remote Router Administration Windows 2000 allows you to administer a remote Windows 2000 router via the RRAS management console. To do so, open the RRAS MMC, and in the left pane of the console tree, right-click Server Status, then Add Server. A dialog box as shown in Figure 11.14 will appear. Figure 11.14 Use the Add Server dialog box to select the computer(s) to administer remotely.
As you can see, you can select “The following computer:” and type in the name of the Windows 2000 router computer, you can select to administer all RRAS computers in a designated domain, or you can browse the Active Directory to find the computer to be administered. If you choose to browse the Directory, you will see a dialog box like the one displayed in Figure 11.15. If you elect to administer all RRAS servers in the domain, the names of all Windows 2000 computers in the domain running RRAS will be displayed in the left console of the MMC, as shown in Figure 11.16. You may notice in Figure 11.16 that there are three Windows 2000 computers running RRAS in the tacteam domain. One of them, DS2000, is marked with a red and white “X” to indicate that this computer is not a router or RRAS server and cannot be administered remotely (DS2000 is a Windows 2000 Professional workstation).
91_tcpip_11.qx
2/25/00
11:17 AM
Page 573
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 573
Figure 11.15 You can browse the Directory to find Windows 2000 routers or RAS servers.
You can now add new interfaces and routing protocols, and manage the routing components on the remote Windows 2000 router computer just as you could locally. Figure 11.16 Windows 2000 RRAS computers that can be remotely administered are displayed.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 574
574 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Using ICMP Router Discovery You can use the Internet Control Message Protocol (ICMP), a TCP/IP utility, to configure IP host computers with the IP addresses of local routers (and establish a method for the hosts to detect that a router is down). To do so, implement router solicitation and advertisement.
NOTE ICMP router discovery messages are discussed in RFC 1256.
Here’s how it works: 1. Host computers send router solicitation messages to discover the routers on their networks. 2. Routers send router advertisement messages in response to the solicitations. The routers also send advertisements on a regular basis (unsolicited) to inform the host computers that the routers are still up and available. To enable ICMP router discovery, open the RRAS console, and in the left pane of the console tree, under the Windows 2000 router on which you wish to enable discovery messages, click General under IP Routing. In the right console pane, right-click the name of the router interface you wish to enable for ICMP, then click Properties. Select the General tab, as shown in Figure 11.17, and check the “Enable router discovery advertisements” check box. Here, you can set the lifetime of the advertisement (the time after which a router will be considered to be down or unavailable) in minutes. You can also set the minimum and maximum rates for sending of ICMP advertisements by the router. “Level of preference” refers to the level of preference for this Windows 2000 router to be the default gateway for host computers on the network.
Using the Netshell Utility (NETSH) NETSH is a command-line utility included with Windows 2000, with which you can configure routes, interfaces, and routing protocols on Windows 2000 RRAS routers. The NETSH utility will allow you to display the configuration of routers that are running on Windows 2000 RRAS computers, and supports scripting so that you can run commands as batch files for a particular router.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 575
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 575
Figure 11.17 Enabling router discovery advertisement messages.
NETSH is used for management of other services, such as DHCP and WINS. To change the NETSH context to routing, use the routing command within NETSH, as shown in Figure 11.18. Figure 11.18 Use the NETSH command to display routing information.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 576
576 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Table 11.3 lists some of the commands available in the IP routing context. Table 11.3 Netshell IP Routing Commands Command
Description
add
Adds a configuration entry to a table
delete
Deletes a configuration entry from a table
dump
Dumps a configuration script
igmp
Changes to 'routing ip igmp' context
nat
Changes to 'routing ip nat' context
ospf
Changes to 'routing ip ospf' context
relay
Changes to 'routing ip relay' context
reset
Resets IP routing to clean state
rip
Changes to 'routing ip rip' context
routerdiscovery
Changes to 'routing ip routerdiscovery' context
set
Sets configuration information
show
Displays information
Update
Updates autostatic routes on an interface
?
Displays help
Standard TCP/IP tools, such as PING, TRACERT, and PATHPING, are the common starting point for troubleshooting an IP routing problem. See Chapter 4, “Windows 2000 TCP/IP Internals,” for more information on how to use these command-line utilities.
Router Configuration Proper configuration of the router(s) will prevent many problems. Configuring Windows 2000 as an IP router, for either static routing or using RIP or OSPF, is a relatively painless procedure, but it is important that you follow the steps exactly and don’t change settings unless you know what effect it will have.
Preconfiguration Check List Remember that before installing and configuring IP routing, you must ensure that the following have been done:
91_tcpip_11.qx
2/25/00
11:17 AM
Page 577
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 577 ■
■ ■
■
■
Install the proper hardware (the Windows 2000 computer acting as a router must have two network interfaces) and the drivers for the hardware. Check the Windows 2000 HCL to ensure compatibility of the hardware. TCP/IP must, of course, be installed and configured. The RRAS service must also be enabled and configured (see Chapter 9 for more information on proper installation of RRAS). Determine whether you will set up the Windows 2000 router for static or dynamic routing. Determine which routing protocols will be used on the network.
Configuring Windows 2000 Static IP Routing Deployment of static routing on a Windows 2000 router is relatively simple. You should first analyze the internetwork topology, to determine where each network is and where routers and TCP/IP host computers are located on the networks. Then, a unique network ID is assigned to each IP network, and IP addresses are assigned to each router interface.
TIP Common practice is to give the lowest IP addresses for the network ID to the routers. Thus, for network 192.168.1.0 (a class C network defined by a subnet mask of 255.255.255.0), the router (default gateway) address that would be assigned is 192.168.1.1. This is not required, but is an industry tradition.
Default routes can be configured on peripheral routers, although this is not required. A default route is used for sending packets to a destination for which there is no route available in the routing table. Nonperipheral routers (internal routers) should have routes to remote networks added to their routing tables as static routes. Each route should include the following: ■ ■ ■ ■
■
Destination network ID Subnet mask Gateway address Metric (number of hops required to get to the destination network) Interface that is to be used to send data to the destination network
91_tcpip_11.qx
2/25/00
11:17 AM
Page 578
578 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
These static routes should be entered in the routing tables of each nonperipheral router.
TIP Routes are added using the command-line ROUTE utility. To make a route persistent across system reboots, use the –p option.
Troubleshooting Static Routing Configuration If the router is not forwarding data properly in a static routing environment, you should do the following: 1. First, confirm that IP routing is enabled on the Windows 2000 router, by checking the RRAS management console. 2. Use IPCONFIG at the command line to ensure that the TCP/IP configuration for the interface is correct. Use standard TCP/IP tools such as PING to verify connection to hosts on the network segment. 3. Ensure that the default route is configured correctly. The default route is used for sending packets to destinations that are unknown to the router. Be sure that the route set as the gateway for the route is reachable and is on the same network as the interface.
NOTE Routers should be configured to use a static IP address, instead of getting an IP address via DHCP.
Configuring RIP for IP Remember that RIP is most appropriately used for medium-sized internetworks (those consisting of 10 to 50 networks). RIP can be used with multipath networks, where there is more than one pathway a packet could take between two endpoints on the network. RIP will also work in an environment where the network topology changes, and networks are added and removed.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 579
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 579
In designing the RIP network, keep in mind the maximum hop count limitation of 15. This limits the number of routers through which a packet must go to reach any destination from any source, for practical purposes, to 14 (called the maximum physical router diameter). As in deploying static routing, you should first analyze the internetwork, assign network IDs, and assign IP addresses, following the same basic rules discussed earlier. Then, decide whether to use RIPv1 or RIPv2 on each Windows 2000 computer functioning as a router. Add the appropriate RIP protocol to each Windows 2000 router interface, as shown in Figure 11.19. Figure 11.19 Adding the RIP protocol to a router interface.
Once the protocol has been added, right-click the Interface name in the right console pane of the MMC, and select Properties to configure it (see Figure 11.20). To configure RIPv2, do the following: 1. In Outgoing Packet Protocol on the General tab of the Properties sheet: a) select RIPv2 broadcast if there are version 1 RIP
91_tcpip_11.qx
2/25/00
11:17 AM
Page 580
580 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
routers on this network, or b) select RIPv2 multicast if all RIP routers on the network are version 2 routers. 2. In Incoming Packet Protocol, select RIP, version 1 and 2 if it is a mixed RIP environment, and RIP, version 2 only if there are only RIPv2 routers on this network. Figure 11.20 RIP Properties dialog box.
Troubleshooting RIP Configuration Some of the more common RIP configuration problems include incorrect routes in the mixed RIP (version 1 and 2) environment, silent hosts not getting route updates, auto-static updates not working properly, and host routes and/or default routes not being propagated to other routers.
Problems with Mixed RIP Versions When a network includes some routers running RIPv1 and others running RIPv2, the version 2 routers must be configured to send broadcasts if you want the version 1 routers to receive their announcements. If you have this problem, ensure that your RIPv2 router interfaces are all set to broadcast their announcements, not multicast.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 581
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 581
Problems with Silent Hosts RIP listeners (silent hosts) cannot receive multicast announcements. If you have silent RIP hosts that fail to receive announcements, confirm that the silent hosts are using RIPv1 and that the RIPv2 routers on the network are set to send broadcast, not multicast, announcements.
Problems with Autostatic Updates If you have demand-dial routing interfaces using auto-static updates (see Chapter 9 for more information about RRAS demand dial), the demanddial interfaces need to be set to broadcast announcement messages instead of multicasting. Autostatic updates are used with demand-dial routing over a remote access link. The “auto” in the term refers to the automatic adding of the requested routes as static routes in the routing table upon an explicit request via RRAS or the NETSH utility. The demand-dial link must be connected. If an autostatic request is made, existing autostatic routes that are in the table are deleted. Then, the update is requested from other routers. This can lead to problems: If other routers don’t response to the update request, the router cannot replace the routes it has deleted. This could cause loss of connectivity to remote networks.
Problems with Propagation of Host and Default Routes RIP does not propagate host and default routes by default. You must specifically enable propagation, which can be done by right-clicking the Interface name in the right console pane of the RRAS MMC, selecting Properties, and then selecting Advanced. See Figure 11.21. The RIP Properties box is also used to set Security on the update announcement messages and to specify RIP neighbors and determine the router’s behavior in regard to those neighbors.
Configuring OSPF The OSPF dynamic routing protocol is installed similarly to RIP, via the New Protocol selection, when you right-click the General tab under IP Routing in the RRAS management console. Once the protocol is enabled, configure it by following these steps: 1. Click on OSPF in the left pane console tree. 2. In the right pane, right-click the interface you want to configure, and choose Properties.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 582
582 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Figure 11.21 Setting RIP to propagate host and default routes in the Advanced Properties box.
3. Select the “Enable OSPF for this address” check box on the General tab. Where it says Area ID, click the ID of the area to which this interface belongs. 4. Set the priority of the router over the interface in “Router priority.” 5. Use the scroll arrows to set the cost of sending a packet over the interface under Cost. 6. Type in a password, if password protection is enabled for that area. 7. Select the OSPF interface type under Network type.
TIP If this interface has more than one IP address configured, select the IP Address box on the General tab and configure OSPF for each address.
The OSPF Interface Properties dialog box appears in Figure 11.22.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 583
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 583
Figure 11.22 The OSPF Interface dialog box showing the contents of the General tab.
OSPF Password Protection All OSPF routers in the Area must use the same password. To set the password, click OSPF in the left pane of the console tree, and select Properties. On the General tab, type the correct password in the Password box. Remember that OSPF passwords are case-sensitive.
Windows 2000 Router Logging You can enable router logging for the Windows 2000 router to assist you in troubleshooting routing problems. You can either enable event logging, to log router events in the system log in Event Viewer, or enable trace logging, which will log information to a file (or you can do both).
Using Event Logging You can enable event logging on the Event Logging tab on the Properties sheet of a remote access server. Choose the RRAS server, right-click and select Properties, then select the Event Logging tab, as shown in Figure 11.23.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 584
584 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
Figure 11.23 You can select from four levels of event logging in the RRAS server Properties sheet.
You can choose the level of information you wish to be logged to the system log. There are four levels: logging of errors only, logging of errors and warning messages, logging of the maximum possible amount of information, or no logging (disabled).
NOTE The default setting is logging of errors and warning messages.
Remember that logging uses a great deal of system resources and should be used only when necessary and disabled when the problem has been addressed.
Using the Tracing Function The Windows 2000 router supports tracing, a feature that can be used for troubleshooting complex network routing problems. When you enable tracing in Windows 2000 Server, the tracing information will be logged to files.
91_tcpip_11.qx
2/25/00
11:17 AM
Page 585
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 585
To enable the tracing feature, it is necessary to edit the Windows 2000 Registry.
WARNING Editing the Windows 2000 Registry incorrectly can cause serious damage to the operating system, including making your computer unbootable. Always back up important data before you make changes to the Registry.
To enable tracing, open the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
Tracing is enabled separately for each routing protocol, by setting the appropriate Registry values. Each of the routing protocols appears as a subkey in the Registry, under the Tracing key. Select the protocol for which you wish to enable tracing (for example, OSPF).
TIP Tracing can be enabled or disabled while the router is running.
Configure the following Registry value entries for each protocol key to enable tracing for that protocol: ■
■
■
■
EnableFileTracing (value type is REG_DWORD) Set EnableFileTracing to 1 (the default value is 0) to enable logging tracing information to a file. FileDirectory (value type is REG_EXPAND_SZ ) To change the default location of the tracing files, set the FileDirectory value to the desired path. The filename for the log file is the name of the component for which tracing is enabled. Tracomg log files are placed in the systemroot\Tracing folder by default. FileTracingMask (value type is REG_DWORD) This setting indicates how much tracing information is logged to the file. MaxFileSize (value type is REG_DWORD) Set this value to change the size of the log file. The default value is 10000 (64K).
91_tcpip_11.qx
2/25/00
11:17 AM
Page 586
586 Chapter 11 • Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level
TIP Tracing uses a significant amount of system resources. Use it sparingly for identification of network problems. After you capture the trace, disable tracing. Never leave tracing enabled on multiprocessor systems.
Troubleshooting Common Windows 2000 Routing Problems Now that we have discussed how IP routing works in a static, RIP, or OSPF environment, let’s look at some of the common problems that arise with Windows 2000 computers configured to perform IP routing.
Troubleshooting Static Routing Because static routing is much less complex than dynamic routing, troubleshooting is in some ways simplified. The standard TCP/IP commandline utilities can be used for many troubleshooting tasks. Remember that static routing is appropriate for small, simple internetworks (no more than 10 subnetworks). For best results, there should be only one path available between any two endpoints, and the internetwork topology should not change often.
Using PING and TRACERT Test connectivity between the host computers using the TCP/IP utilities PING and TRACERT (as discussed in Chapter 4, “Windows 2000 TCP/IP Internals”) to ensure that routing paths are accessible.
Using the ROUTE Command As discussed earlier, static entries are made to the routing table using the ROUTE command and its options. You can also modify or delete routes, and make routes persistent over reboots.
Static Routing and Routing Loops A problem that can occur in a network using static routing happens when you configure two routers with default routes that point to one another. A default route is used for data packets addressed to destinations that reside on remote networks (networks not directly connected to the router). If two neighboring routers have default routes that point to one another,
91_tcpip_11.qx
2/25/00
11:17 AM
Page 587
Troubleshooting Windows 2000 Connectivity Problems at the Internetwork Level • Chapter 11 587
this can create a routing loop when packets are sent to unreachable destinations. To prevent this problem, don’t configure neighboring routers with default routes pointing to each other. The following shows what a router loop might look like after doing a tracert: C:\>tracert 199.70.51.234 Tracing route to 199.70.51.234 over a maximum of 30 hops 1 2 3 4 5 ] 6 7