Date posted: 07-Jan-2016
C4 CD: Networking with Windows 98 and Windows NT

Rakesh Ranjan

Contents

Chapter 1. Introduction ........ 1
1.1. History ........ 1
1.2. Architecture Independence ........ 1
1.3. Multiple Processor Support ........ 1
1.4. Multi-Threaded Multitasking ........ 2
1.5. Massive Memory Space ........ 2
1.6. Internet and TCP/IP Compatibility ........ 2
1.7. Event and Account Logging ........ 3
1.8. Remote Access Service ........ 3
1.9. Domains ........ 3
1.10. Fault Tolerance and RAID Support ........ 3
1.11. Graphical User Interface ........ 4

Chapter 2. NT Server Installation ........ 5
2.1. Planning the NT Installation ........ 5
2.2. Primary Domain Controller ........ 6
2.3. Starting NT Install Program ........ 6
2.4. Creating NT Boot Disk ........ 9

Chapter 3. NT Domains ........ 10
3.1. Understanding Domain Model ........ 10
3.2. Trust Relationship ........ 11
3.3. Creating Trust Relationship ........ 11
3.3.1. Setting up a Domain to Trust Another ........ 11
3.3.2. Completing the Trust Relationship ........ 12
3.4. Removing a Trust Relationship ........ 13

Chapter 4. Managing User Accounts ........ 14
4.1. User Accounts ........ 14
4.1.1. Administrator Account ........ 14
4.1.2. Guest Account ........ 15
4.2. Creating User Accounts ........ 15
4.3. Creating Groups ........ 17
4.3.1. Using Local Groups ........ 18
4.3.2. Using Global Groups ........ 19
4.3.3. Special Groups ........ 19

Chapter 5. Directory Shares ........ 21
5.1. FAT and NTFS ........ 21
5.2. Creating Directory Share ........ 22
5.3. Sharing of folders using Windows NT Explorer ........ 22
5.4. Hidden Share ........ 22
5.5. File and Directory permissions ........ 23
5.6. Taking Ownership of Files ........ 23
5.7. Permissions ........ 24
5.8. Assigning File Permissions ........ 25

Chapter 6. TCP/IP on WinNT ........ 26
6.1. What is TCP/IP? ........ 26
6.2. Installing TCP/IP on Windows NT Server ........ 26
6.3. TCP/IP Diagnostic and Connectivity Utilities ........ 28
6.3.1. IPCONFIG ........ 28
6.3.2. NETSTAT ........ 29
6.3.3. PING ........ 29
6.4. DNS ........ 29
6.4.1. Configuring NT for Existing DNS Servers ........ 30
6.5. DHCP ........ 30
6.5.1. How DHCP Works ........ 31
6.5.2. Leasing an IP address ........ 31
6.5.3. Renewing IP Address Leases ........ 31
6.5.4. Installing DHCP Server ........ 32
6.5.5. Understanding DHCP Scopes ........ 32
6.5.6. Configuring DHCP Options ........ 34

Index ........ 36

List of Figures

3.1. The Trust Relationship Dialog Box. ........ 12
4.1. User Manager for Domains. ........ 16
4.2. New User Dialog Box. ........ 16
6.1. The Network Dialog Box. ........ 26
6.2. All the available network protocols. ........ 27
6.3. TCP/IP appears in the protocol list. ........ 27
6.4. The TCP/IP configuration dialog box. ........ 28
6.5. Using the ipconfig command. ........ 28
6.6. The DNS configuration option dialog box. ........ 30
6.7. The Select Network Service dialog box. ........ 32
6.8. The Create Scope dialog box. ........ 33

List of Tables

4.1. The NET USER Parameter. ........ 17
4.2. The NET USER Command options. ........ 17
4.3. New User Options ........ 18
4.4. Domain Global groups on Windows NT Server ........ 19
4.5. Predefined Local Groups. ........ 20
4.6. Domain Global groups on Windows NT Server ........ 20
5.1. File and Directory permission types. ........ 24

Chapter 1. Introduction

Objectives

This chapter introduces Windows NT and its main features.

Windows NT Server is the network OS adopted in Railnet. It has its strengths and its weaknesses. Here we look at a few of the strengths of NT Server.

    1.1. History

Early on, Bill Gates saw networking as the key to capturing the computer business. Microsoft introduced MS-NET on April 15, 1985 along with DOS 3.10. This was a simple DOS-based product that allowed basic resource sharing such as files and printers. From 1985 to 1988 Microsoft worked on the next generation of networking software; LAN Manager was produced during this time.

In 1988, work started in earnest on Windows NT. In July 1993, Windows NT 3.1 was released. No, there were no previous versions: Microsoft's marketing chose the version number so that it looked like the next release of LAN Manager, although the two have little in common. Windows NT 3.5 was released in September 1994 and Windows NT 4.0 in 1996.

    1.2. Architecture Independence

Operating system designers tend to target a particular microprocessor, which ties the OS to the underlying hardware in terms of word size, page size, byte order (big-endian or little-endian) and so on. When NT was written, Microsoft first built it for the MIPS R4000, a RISC processor from MIPS, and only then ported it to the x86 platform. The result is that the machine-dependent parts of NT are segregated into a relatively small piece of the system (compared with the overall size of NT): the HAL (Hardware Abstraction Layer), the kernel, and the network and device drivers.

Thus a large part of NT is architecture independent, which makes it portable across a large number of platforms.

    1.3. Multiple Processor Support

NT supports a maximum of 32 processors: if a computer has 32 processors, NT can use all of them to improve performance. The version normally shipped, however, supports two or four processors. If support for more processors is wanted, an appropriate HAL is required; NT can then use all of those processors and speed up the system as a whole.

A multiprocessing computer is said to be either symmetric or asymmetric. An asymmetric multiprocessor system has more than one processor, but each has a different, specially defined job. In a symmetric multiprocessor system the processors can take over for one another without skipping a beat; each processor has complete access to all hardware, the bus, memory and so on. NT servers must have a symmetric multiprocessor system in order to use multiprocessor capabilities.

NT can split its work among the processors and thus increase the throughput of the system.

    1.4. Multi-Threaded Multitasking

Multitasking means that a single computer can run several different programs simultaneously. These programs use different data spaces in memory and hence do not interfere with each other. A program is normally single-tasking within itself: it is a single unit and does all its work as a single process.

A program may instead be multi-threaded, meaning it is divided into smaller units of execution that cooperate to produce the desired result. This is advantageous when there is more than one processor, because each of these smaller units, called a thread, can execute on a different processor. NT is multi-threaded and so supports multi-threaded applications.

This does not mean that a multi-threaded application runs only on a computer with multiple processors. NT provides an abstraction: if there are multiple processors they are used; otherwise NT schedules the threads on the single processor. The software developer need not be concerned with the underlying architecture, because NT guarantees that the multi-threaded application will run.

The difference between a task and a thread is that the threads of a program share the same data space: if one thread changes a data item, the change is seen by all the other threads. Tasks (processes) always use separate data spaces, so each task has a private copy of its data and changes made by one are not seen by another. That is also why the process, not the thread, is the unit of isolation that NT's security enforces: a faulty thread can corrupt its siblings' data, but not another process's.

    1.5. Massive Memory Space

The 32-bit NT architecture supports up to 4 GB of RAM (Random Access Memory) and gives each process a 4 GB virtual address space, of which 2 GB is available to the application and 2 GB is reserved for the system. NT applications therefore need not worry about memory in the way DOS programs did; the amount that can actually be resident at once is limited only by the physical memory of the computer.

1.6. Internet and TCP/IP Compatibility

Nowadays most networks speak the language of the Internet, the protocol suite called TCP/IP (Transmission Control Protocol/Internet Protocol). NT supports most of the Internet protocols, so it is possible to build our own enterprise intranet on Windows NT.

1.7. Event and Account Logging

NT Server can log a wide range of events, which helps the administrator sort out what has been happening on the system. NT can also audit user activity (logons, file access, use of rights and so on), which helps the administrator find out what a user has been doing when there are problems. Note that on NT 4 this auditing is not turned on by default: it must be enabled through Policies | Audit in User Manager for Domains, and auditing of file and directory access additionally requires an NTFS volume. The logging facility is one of the most useful features when it comes to administration.

1.8. Remote Access Service

NT Server has remote access capability built in. This allows a person to use network and NT Server resources from home over a modem. The RAS (Remote Access Service) shipped with NT is the server end of the software.

Also included in RAS are two TCP/IP protocols: the Point to Point Tunneling Protocol (PPTP) and Multilink PPP. The first lets you use the whole Internet as the path, so to speak, to your office network. Multilink PPP lets you take several slower communication links and combine them into one, increasing the speed of communication. Bear in mind that the PPTP authentication and encryption shipped with NT 4 (MS-CHAP and password-derived MPPE keys) were later shown to be weak, so a PPTP link across the Internet should not be treated as strong protection for the traffic it carries.

    1.9. Domains

Domains are groups of machines. NT allows a group of machines to use a central location, a single server, for user authentication. That NT Server holds the central Security Accounts Manager (SAM) database, and in this role it is called the Primary Domain Controller (PDC). The PDC's main job is to log people onto the domain, that is, to authenticate them so that network resources can then be made available to them.

Domains offer better manageability and security. A network user on Windows 95/98/Me can use the PDC as an authentication server to gain access to network resources. The domain controller model of Microsoft networking offers a lot of flexibility; we discuss it in detail later.

1.10. Fault Tolerance and RAID Support

Security normally means keeping people away from data they are not supposed to have access to. An equally important part of security is keeping safe the data that people have entrusted to the network. NT has several features that support fault tolerance:

Directory Replication makes it possible to designate a directory on a particular server and then create a backup server whose job it is to match, on a minute-to-minute basis, the contents of that directory.

Hot Fixes are a feature of any NT server whose disk has been formatted with the NTFS file system. NTFS monitors the disk areas it is using and, if it finds that one has become damaged, takes the bad area out of service and automatically moves the data there to another, safer area.

RAID (Redundant Array of Independent Disks) is a family of six levels for combining several disk drives into what appears to the system as a single drive. RAID improves on a single disk drive by offering better speed and data redundancy.

Level 0, or disk striping, improves only speed. It creates what appears to be one disk out of several separate physical drives: areas that appear to be a cylinder or a track on the logical drive are actually spread across two or more physical drives. The benefit is realised when accessing data, since reading a block can become several simultaneous reads from several physical disks. The price is that the failure of any one drive loses the whole volume.

Level 1 is straightforward disk mirroring. You take two disk drives and tell NT to make one a mirror image of the other. It is fast and fault tolerant.

Levels 2, 3 and 4 are not supported by NT Server.

Level 5 is very much like level 0 in that data is striped across several separate physical drives. It differs in that it adds redundant information, called parity, that allows damaged data to be reconstructed; the volume survives the loss of any one drive.

The RAID levels do not get better as the number rises; they are just different options. NT Server has software RAID support, so there is no need to invest in costly RAID hardware.
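The striping and parity behaviour described above, modelled in Python as an added example (this is not code from the course material or from NT's fault-tolerant disk driver): chunks are dealt round-robin across "disks", RAID 5 adds one XOR parity chunk per stripe, and the rebuild routine shows why any single disk can be lost and recovered while RAID 0 cannot survive any loss. The parity rotation, chunk size and the sample data are assumptions of the model, not NT's actual on-disk layout.

```python
# RAID 0 / RAID 5 striping and parity, modelled in pure Python (added example).
# Each "disk" is a list of fixed-size chunks (stripe units); None models a
# failed drive. Parity rotating one disk to the left per stripe is an assumed
# layout for illustration, not NT's own.
from typing import List, Optional


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length chunks: this is all RAID 5 parity is."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid0_write(data: bytes, ndisks: int, chunk: int) -> List[Optional[List[bytes]]]:
    """RAID 0: deal consecutive chunks round-robin across the disks. No redundancy."""
    padded = data + b"\x00" * (-len(data) % (chunk * ndisks))
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for i in range(0, len(padded), chunk):
        disks[(i // chunk) % ndisks].append(padded[i:i + chunk])
    return list(disks)


def raid0_read(disks: List[Optional[List[bytes]]], length: int) -> Optional[bytes]:
    """Reassemble a RAID 0 set. With any disk missing the data is unrecoverable."""
    if any(d is None for d in disks):
        return None
    out = bytearray()
    for s in range(len(disks[0])):
        for d in disks:
            out += d[s]
    return bytes(out[:length])


def parity_disk_for(stripe: int, ndisks: int) -> int:
    """Which disk holds the parity chunk of a given stripe (rotates every stripe)."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int, chunk: int) -> List[Optional[List[bytes]]]:
    """RAID 5: per stripe, ndisks-1 data chunks plus one parity chunk (their XOR)."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    ndata = ndisks - 1
    stripe_bytes = chunk * ndata
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        stripe = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndata)]
        pdisk = parity_disk_for(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_chunks(chunks) if d == pdisk else next(it))
    return list(disks)


def raid5_rebuild(disks: List[Optional[List[bytes]]], failed: int) -> List[Optional[List[bytes]]]:
    """Rebuild one lost disk: each of its chunks is the XOR of the surviving chunks
    in the same stripe, whether the lost chunk held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("RAID 5 tolerates only a single disk failure")
    rebuilt = [xor_chunks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [rebuilt if i == failed else d for i, d in enumerate(disks)]


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read the data back, skipping the parity chunk of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


def survives_single_failure(data: bytes, ndisks: int = 4, chunk: int = 8) -> bool:
    """Fail each disk in turn and check the volume still returns the original data."""
    disks = raid5_write(data, ndisks, chunk)
    for failed in range(ndisks):
        degraded = [None if i == failed else d for i, d in enumerate(disks)]
        if raid5_read(raid5_rebuild(degraded, failed), len(data)) != data:
            return False
    return True


if __name__ == "__main__":
    sample = b"Railnet NT Server: RAID 5 keeps serving after one drive dies."  # constructed
    broken = raid0_write(sample, 4, 8)[:3] + [None]
    print("RAID 0 after losing a disk:", raid0_read(broken, len(sample)))
    print("RAID 5 survives any single failure:", survives_single_failure(sample))
```

The same XOR that produces the parity chunk also reconstructs a missing chunk, which is why the rebuild function does not need to know whether the lost disk held data or parity for a given stripe; a second simultaneous failure leaves two unknowns per stripe and cannot be solved, hence the explicit error.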

    1.11. Graphical User Interface

Windows NT has a simple GUI (Graphical User Interface) that is easy to use and resembles the Windows 95 GUI, which makes learning easier. All administration functionality is available through this GUI.

Chapter 2. NT Server Installation

Objectives

This chapter explains how to install Windows NT on a computer and introduces the Primary Domain Controller role that is chosen at installation.

    2.1. Planning the NT Installation

Before starting the NT installation it is necessary to plan. A hardware survey of the server has to be done, covering among other things:

What kind of network you have.

What kind of disk adapter you have.

How much disk drive capacity you have, etc.

This survey is important in case NT refuses to recognise a hardware device; the information then comes in handy when setting the device up. The list may be as exhaustive as you like; there is no harm in learning as much about the hardware as possible.

NT Server can be installed as a primary domain controller, a backup domain controller or as an ordinary file/application server. This planning is necessary because once the role is chosen during installation it cannot be changed without a reinstall.

NT Server should be installed as a primary domain controller only if you are creating a new domain.

If an NT Server is installed as a backup domain controller, a PDC must already be set up, and the machine you are installing NT on must be on the same network as the PDC. NT will refuse to install as a backup domain controller if it cannot see the primary domain controller on the network.

The name of the NT Server must be decided now. Choose a name that looks appropriate; avoid names like pc1, pc2, etc. One must also know or decide the following before starting an install on a TCP/IP network (Railnet runs TCP/IP):

IP address

Subnet mask

Default gateway(s)

DNS server(s)

Domain name

    2.2. Primary Domain Controller

A Windows NT machine can be installed as a primary domain controller, a backup domain controller or a server-only machine. Let us see what these are. NT places a lot of emphasis on security; it was one of its design goals. One of the main building blocks of this security is the authentication of users. In a Windows NT network the master copy of the account database is held by one machine that controls the domain. In this role the machine is called the Primary Domain Controller (PDC). It maintains the database of users and their rights and authenticates a user who wants to use the resources of the network.

This means that in an NT network the PDC is of primary importance: without its permission no one is allowed to use the network, so it is essential to keep the service available. To cover the times the PDC is not available, we install another Windows NT Server configured as a Backup Domain Controller (BDC). To install a BDC, a PDC must already exist on the network and be working. The BDC keeps in touch with the PDC and receives from it a read-only copy of the account database, so it authenticates users alongside the PDC and continues to do so if the PDC goes down. Only the PDC can accept changes to accounts, however, and the BDC does not take over that role by itself: if the PDC will be down for long, an administrator promotes the BDC to PDC in Server Manager, and when the original PDC returns it must be demoted to a BDC (its Netlogon service will not start while another PDC exists in the domain).

At times we may not want the domain setup at all; maybe we are only interested in hosting a web site on NT. For such cases Microsoft provides the server-only installation of Windows NT. This works like any other server and takes no part in domain activity.

    2.3. Starting NT Install Program

Windows NT comes with three install floppy disks, and we will describe the install that uses them. The disks are labeled "Windows NT Setup Boot Disk", "NT Disk 2" and "NT Disk 3". These floppies do not contain all of NT; they contain just enough to kick off the installation so that the NT installation CD can take over.

Put the Setup Boot Disk in the A: drive and reboot the machine. NT then runs NTDETECT.COM, which works out what hardware is in the system. You see a message that says "Windows NT Setup / Setup is inspecting your computer's hardware configuration."

Next you see a blue screen with white letters headed "Windows NT Setup" and, at the bottom of the screen, "Setup is loading files (Windows NT Executive)".

NT next loads the HAL (Hardware Abstraction Layer), after which you are prompted to insert Setup disk #2 and press Enter. You see messages at the bottom of the screen about what is loading, including:

NT config data

Fonts

Locale-specific database

Windows NT Setup

PCMCIA support

SCSI port drivers

Video drivers

Floppy disk drivers

Keyboard driver

FAT (File Allocation Table) file system

The next screen is a welcome screen with the following choices:

To learn more, press F1.

To set up Windows NT now, press Enter.

To repair a damaged installation, press R.

To quit, press F3.

Press Enter, insert Setup disk #3, and press Enter again. Setup goes into device detection.

Setup auto-detects any SCSI adapters in your system. If an adapter was not recognised, you can tell NT to use a device support disk.

Next NT asks whether you want to upgrade or do a fresh install. If NT was already loaded on the hard disk you get an upgrade option; on a newly formatted hard disk the upgrade option is not offered.

NT Setup then tells you what it thinks you have in terms of:

Basic PC type

Video system

Keyboard

Country layout for keyboard

Mouse

The list is usually correct. At times a powerful video card may be detected as a less capable VGA card; nothing to worry about, it can be reconfigured to its full capability after the basic NT install.

Next, NT Setup shows you the partitions on your system and asks which one you want to install NT on. Select the partition and press Enter. You next choose how you want to format the partition, if you want to format it at all. Your choices are:

Wipe the disk, formatting it as FAT.

Wipe the disk, formatting it as NTFS.

Convert an existing FAT file system to NTFS.

Leave the current file system and data alone.

It is recommended that on an NT Server you use NTFS on the data drives unless you have very good reasons not to. FAT has no file permissions at all: a user logged on locally has unrestricted access to every file on a FAT volume, share-level permissions are the only control left for network users, and none of the per-file permissions discussed in Chapter 5 can be set. An existing FAT partition can also be converted later, without losing data, with the command CONVERT C: /FS:NTFS.

The main features NTFS offers include:

Directories that are automatically sorted.

Support for upper- and lowercase letters in names.

Support for Unicode in file names.

Permissions can be set on directories and files.

Faster access to large sequential-access files.

Faster access to random-access files.

File and directory names up to 255 characters.

Long names are automatically converted to the 8+3 format when accessed by a DOS workstation.

NTFS also uses disk space more sparingly than FAT. Under FAT the minimum space a file occupies on disk is one cluster, 2048 bytes on a small partition, and as partitions get larger the cluster size grows with them: on a 1700 MB disk the minimum is 32768 bytes. NTFS clusters can be as small as 512 bytes, so on the same disk a small file need occupy no more than 512 bytes.

Now choose an install directory. Normally \WINNT is chosen; this is also the default shown.

    NT reboots itself and enters the graphical setup.

Now NT asks you to personalise your software by entering your name and the company name. Enter them and click Continue.

Now you have to make the licensing choice. There are two options:

Per Seat: you need a licence for every workstation that will ever log on to the domain. Per-seat licensing has the advantage that, if you count the number of people that log on to the domain, you have the number of licences you need.

Per Server: you need a licence for every simultaneous connection to this NT server. If a user logs on to the server, he uses one licence; everyone logging in or using a service consumes one. If this option is chosen, the number of client licences obtained must be entered. It must be at least one, or the File and Print services will refuse to start.

NT now lets you choose the name of the computer.

Now specify whether this NT machine is to be a domain controller or a server.

NT then prompts you to create an emergency repair disk. Please make it. It is not a bootable disk; it holds the data needed to reconstruct the configuration if the NT system can no longer boot. Note that the repair information includes compressed copies of the registry hives, among them the SAM account database (the same data is kept in %SystemRoot%\repair), so treat the disk as sensitive and keep it physically secure.

NT then goes on to actually set up the system: copying files from the CD to the hard disk, configuring the workspace, and so on.

Windows NT is now installed on the computer.

    2.4. Creating NT Boot Disk

At times you may need to start NT from a floppy. Here we outline the procedure for creating a generic NT boot floppy.

Format a floppy under NT, either from Explorer or from the command line. Do not use a DOS-formatted floppy, or this will not work: a DOS-formatted floppy looks for the DOS boot files IO.SYS and MSDOS.SYS, whereas an NT-formatted floppy looks for the NT boot loader NTLDR. (From Explorer, right-click on the drive and choose Format.)

You are going to copy a few files from the root directory of your server to the floppy in the A: drive. The files are hidden, so you have to tell Explorer to show hidden files: choose View | Options, select the View tab and pick the "Show all files" radio button.

Looking in your server's root directory, copy the following files from there to the floppy:

NTLDR

NTDETECT.COM

BOOT.INI

NTBOOTDD.SYS (present only if your server boots from a SCSI disk through the scsi() ARC path, that is, with the adapter BIOS disabled; otherwise this file will not be there.)

When you are finished, you have a floppy that essentially "jump starts" your system. It contains only the boot loader and its configuration; the kernel and everything else are still loaded from the \WINNT directory on the hard disk named in BOOT.INI.

Chapter 3. NT Domains

Objectives

This chapter explains NT domains. We look at the various domain models, the NT trust model, and the way trust relationships are established and removed.

Domains are groups of NT machines, which must be NT Workstations or NT Servers. No other client operating system, such as Windows 95 or 98, can join a domain, although all of these machines can log in and access its resources. A domain provides a single entity to manage, and a single place to sign in, regardless of the number of machines in it.

NT helps by enabling you to set up domains, that is, groups of machines. Once a domain is established, users sign on once to obtain the services of any machine in the domain that they are authorised to use. The domain delegates certain functions to certain servers, which tell the other servers when it is acceptable to allow access.

A domain takes on that function within NT only when one or more of its machines are in control; NT calls such a machine a domain controller. Each domain needs a machine called the Primary Domain Controller, which maintains the central database containing all the accounts, hashed passwords and access control information that make up NT security.

    3.1. Understanding Domain Model

Microsoft allows four basic ways of combining servers and workstations into domains:

1. The single domain model.

2. The master domain model.

3. The multiple master domain model.

4. The complete trust model.

The single domain model is the simplest. If there are only a few servers and a few users, this is the model to go for. It contains just one domain, and all resources are managed through it.

In the master domain model there are several domains. One domain is set up as the master domain and holds all the user accounts; any number of resource domains hold the servers and NT Workstation machine accounts but no users. These resource domains can contain print servers, file servers and application servers. Each resource domain is set up to trust the master domain, completing the arrangement. No trust relationship is needed between the resource domains.

If there are a very large number of users, a single master domain may not be appropriate, hence Microsoft created the multiple master domain model. Several master domains are created and all of them trust each other; every resource domain must then trust each of the master domains.

As the size of the network grows, so does the complexity. Maintaining these trust relationships is time consuming, and working out all the permutations can be frustrating, because NT trusts are one-way and not transitive: with n master domains, n(n-1) one-way trusts are needed among them alone, plus one from each resource domain to each master. The good news is that this disappears with Windows 2000 Server, where the domains of a forest share transitive two-way trusts, and multiple-machine management is greatly enhanced.

    3.2. Trust Relationship

What is a trust relationship? In NT, security is a major component of the system, and one domain cannot talk to another domain in any fashion unless both domains have been told that doing so is acceptable. This extends to the workstation level: if Rakesh tries to use an NT Workstation in domain B, where he has no account and whose domain does not trust the domain that holds his account, he gets nowhere. The manner in which a domain is told to acknowledge another domain is called a trust relationship.

Trust relationships can be one-way or two-way. Domain A might trust domain B in a one-way relationship. Users in domain B can then access resources in domain A using the accounts and passwords set up for them in their home domain (in this example, B). Users in domain A cannot use the resources of domain B, however, because the relationship goes in only one direction. A two-way trust is simply two one-way trusts, one in each direction. Trusts are also not transitive: if C trusts B and B trusts A, C does not thereby trust A.

    3.3. Creating Trust Relationship

NT is very security conscious. Before a trust can be established, both domains must allow it to occur: the domain that is to be trusted, say A, must first approve the possibility, and then the domain that wants to trust it, say B, must act to complete the trust.

3.3.1. Setting up a Domain to Trust Another

Let us say that we have two domains, A and B. To establish a trust relationship in which B trusts A, follow these steps:

1. Log on to domain A using an account with administrative privileges.

2. Open User Manager for Domains by choosing Start | Programs | Administrative Tools (Common) | User Manager for Domains.

3. Choose Policies | Trust Relationships. Figure 3.1 shows the dialog box that appears. It lists the domains that are currently trusted or permitted to trust this one, in two lists called Trusted Domains and Trusting Domains.

4. Click the Add button beside the Trusting Domains list.

5. In the box that appears, type the name of the domain that you want to allow to trust A. In our example you type B here.

6. You can set a password in the space provided. The password applies only to the time between A permitting the trust and B completing it (the next procedure), so it is not strictly necessary if you finish the process promptly; setting one ensures that only an administrator of B who knows it can complete the trust.

Figure 3.1. The Trust Relationship Dialog Box.

7. Click OK when you are ready to continue. You will see B appear in the Trusting Domains list.

8. Click the Close button in the upper-right corner of the dialog box to complete the task.

By setting up the trusting side of the relationship we are halfway to establishing a one-way trust.

    3.3.2. Completing the Trust Relationship

Here we actually allow domain B to start trusting A; A is already prepared to let B trust it, as we saw in Section 3.3.1. Follow these steps:

1. Log on to domain B using an account with administrative privileges. Obtain the trust password that the domain A administrator used when the trust relationship was started (if one was used).

2. Open User Manager for Domains by choosing Start | Programs | Administrative Tools (Common) | User Manager for Domains.

3. Choose Policies | Trust Relationships. You see the two lists, Trusted Domains and Trusting Domains.

4. Click the Add button beside the Trusted Domains list.

5. In the Add Trusted Domain dialog box, type the name of the domain that you want to trust, in this example A. Then enter the password supplied by the domain A administrator; if no password was used, leave the field blank.

6. Click OK when you are ready to continue. After some activity, domain A appears in the Trusted Domains list. B now trusts A.

7. Click the Close button in the upper-right corner to complete the task.

    3.4. Removing a Trust Relationship

    Having established a trust relationship, let us see how we can remove one. For this follow these steps.

    1. Log on to domain B using an account with Administrative privileges.

    2. Open the User Manager for Domains by choosing Start | Programs | Administrative Tools (Common) | User Manager for Domains.

    3. Choose Policies | Trust Relationships. You see the two main windows called Trusted Domains and Trusting Domains.

    4. Select the domain A from the Trusted Domains window, and then click Remove. Click Yes when asked for confirmation.

    5. Click the Close button in the upper-right corner of the dialog box to complete the task.

    6. Log on to domain A using an account with Administrative privileges.

    7. Open the User Manager for Domains by choosing Start | Programs | Administrative Tools (Common) | User Manager for Domains.

    8. Choose Policies | Trust Relationships. You see the two main windows called Trusted Domains and Trusting Domains.

    9. Select the domain A from the Trusting Domains window, and then click Remove. Click Yes when asked for confirmation.

    10. Click the Close button in the upper-right corner of the dialog box to complete the task.

    Chapter 4. Managing User Accounts

    Objectives

    This chapter explains the user management of Windows NT. It introduces the user account and the group account. You will learn how to create a user and a group, and how to allot a group to a user. Also explained is the concept of Local and Global groups.

    4.1. User Accounts

    User accounts are the building blocks of NT security. In any system, identification and authentication of the people using the system is of primary importance; this is the role of user accounts. A username is simply a method of referring to a user account. You assign usernames and passwords for each domain. In addition, you can specify the times the user can log on, and control where the user can log on. You can also set a minimum character limit for the password length and a limit on the amount of time that a password can be kept. These controls reduce the chances that an unauthorized user can guess the password.

    Usernames can be anywhere between 1 and 20 characters in length. You can use upper- or lowercase characters, numbers and underscores for making a username. The characters =, >,


    Assign operators.

    Create and modify logon scripts.

    Set default account policies.

    Set and change passwords.

    Manage auditing and security logs.

    Not be deleted.

    The Administrator account is omnipotent. You need to control its use tightly.

    4.1.2. Guest Account

    This is also created when you install Windows NT. A Guest is anyone that the domain doesn't recognize. By default the Guest account remains disabled and must be left so.

    4.2. Creating User Accounts

    We will explore two methods of creating user accounts. The first is by using the "User Manager for Domains", and the other is to use the NET command. The User Manager for Domains can be used to perform the following tasks:

    Create, modify and delete user accounts.

    Assign logon scripts to user accounts.

    Create and manage groups.

    Manage the domain's security policies.

    Establish trust relationships.

    Let us see how to create a user account. For this follow these steps:

    1. Log on to the Windows NT Server as Administrator.

    2. Choose Start | Programs | Administrative Tools (Common) | User Manager for Domains. You will see the window shown in Figure 4.1.

    3. Choose User | New User. The New User dialog box appears as shown in Figure 4.2.

    4. Type the new user account name, say iriset, in the Username box. Press Tab to move to the next field.

    5. Type the user's full name in the Full Name box. Press Tab to move to the next field.

    6. Enter a comment in the User Description box. Press Tab to move to the next field.

    7. Enter a password from 1 to 14 characters in length for the user. Press Tab to move to the next field.


    Figure 4.1. User Manager for Domains.

    Figure 4.2. New User Dialog Box.

    Windows NT Server displays the password that you entered as asterisks to protect its confidentiality as you enter it.


    8. Confirm the password by retyping the password.

    9. Click the Add button.

    10. Click Close button.

    In the New User dialog shown in Figure 4.2, there are a few more options at the bottom to control and set other properties of the account. Table 4.3 lists the various options and their descriptions.

    We can also add a user with the NET command. To add a user account, enter the following:

    NET USER username [password | *] [/ADD] [options] [/DOMAIN]

    To modify an existing user, enter the following:

    NET USER username [password | *] [options] [/DOMAIN]

    To delete an existing user, enter the following:

    NET USER username [password | *] [/DELETE] [options] [/DOMAIN]

    The various parameters of this command are shown in Table 4.1. The command has many options, but the most used ones have been listed in Table 4.2.

    Parameter   Description
    Username    Specifies the name of the account that you want to create, change or delete.
    Password    Specifies the password for the username. Alternatively, you can use *; the system prompts you for the password and masks the characters that you enter.
    /DOMAIN     Specifies that the action applies to the Primary Domain Controller.
    Options     Specifies one or more options as shown in Table 4.2. You must separate your options with at least one space.

    Table 4.1. The NET USER Parameters.

    Option                         Description
    /ACTIVE:{YES | NO}             Enables or disables the account. The default is to enable the account.
    /COMMENT:"User description"    Provides a descriptive comment about the user (maximum length 48 characters).
    /PASSWORDCHG:{YES | NO}        Specifies whether the user can change the password.

    Table 4.2. The NET USER Command Options.

    4.3. Creating Groups

    You can create groups and then add users to them. Groups simplify administration because they allow you to assign rights at the group level. A group is a name, similar to the username of a user account, that can be used to refer to one or more users. Using groups provides a convenient way to give and control access to users who perform similar tasks.


    Option                                     Default   Description
    User Must Change Password at Next Logon    ON        Selecting this option forces users to change the password when they log on the first time. Selecting this option is a good idea so that the administrator doesn't continue to know the user's password (because they are forced to change it).
    User Cannot Change Password                OFF       Selecting this option prevents users from changing the password. Selecting it is not a good idea, especially when the users have access to confidential and critical data.
    Password Never Expires                     OFF       Selecting this option bypasses the Maximum Password Age account policy. Again, selecting it is not a good idea because the password does not change and becomes easier to guess with time.
    Account Disabled                           OFF       Selecting this option creates an inactive account. You can use this feature when you are creating accounts for future use, or when you think that the account is being used by some intruders.

    Table 4.3. New User Options.

    Two types of groups exist in the NT environment: local groups and global groups. The terms local group and global group do not refer to the contents of the group, but to the scope of the group's accessibility. Local groups are local to the security system where they were created. Domain local groups have rights and permissions on a single domain.

    A local group is available only on the domain controllers within the domain where you create the group, whereas a global group is available within its own domain and trusting domains. Microsoft likes calling local groups import groups and global groups export groups. A few things that should be kept in mind are itemized below.

    Local groups on domain controllers have rights only on the domain on which they were created.

    Local groups on Windows NT Workstation and member servers (non Domain Controllers) have rights only on the computer on which they were created.

    Local groups cannot contain other local groups; they can contain only user accounts or global groups from the same domain or another domain.

    4.3.1. Using Local Groups

    Local groups define permissions to resources only within the domain where the local group exists. Hence, the term local defines the scope of the resource permission granted to users within the group. Windows NT automatically creates several default local and global groups during installation.

    A few of them are listed in Table 4.5.

    4.3.2. Using Global Groups

    A global group, available on Windows NT Server domains, contains only individual user accounts (no groups) from the domain where it was created. After you create a global group, you can assign it permissions and rights, either in its own domain or in any trusting domain.

    Using a global group is a good way to export a group of users as a single unit to another domain. In a trusting domain, for example, you can grant identical permissions to a particular file to a global group; these permissions then pertain to all individual members of that group. Global groups defined in a domain can be exported to Windows NT workstations because domain Windows NT workstations support local groups; they can, therefore, make use of global groups defined in either the workstation's own domain or another domain.

    In fact, this is how NT sets up control so that the Administrator can control all NT servers and workstations in a domain. By placing the Domain Admins group into the machine's local Administrators group, the Domain Administrators can own that machine.

    By using trust relationships, users within a global group can access resources outside their locally defined domain.
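    The trust rules of Section 3.3 and the group scoping rules of this section can be checked mechanically. The Python model below is an added example, not code from the original notes; the domain names A, B and C, the user and group names are constructed, and it assumes that "another domain" in the local-group rule means a domain trusted by the local group's own domain.

```python
"""Model of NT one-way trusts and local/global group scoping (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    domain: str
    name: str


@dataclass(frozen=True)
class Group:
    kind: str      # 'local' or 'global'
    domain: str
    name: str


class NtDirectory:
    """Enforces the trust and group-membership rules from Sections 3.3 and 4.3."""

    def __init__(self):
        self._trusts = set()   # (trusting, trusted) pairs; one-way, never transitive
        self._members = {}     # Group -> set of User or Group
        self._rights = {}      # (resource_domain, Group) -> set of right names

    def add_trust(self, trusting, trusted):
        """'trusting' trusts 'trusted': accounts from 'trusted' may get rights in 'trusting'."""
        self._trusts.add((trusting, trusted))

    def is_trusted(self, trusting, trusted):
        # A domain always trusts itself; otherwise only an explicit one-way trust counts.
        return trusting == trusted or (trusting, trusted) in self._trusts

    def create_group(self, kind, domain, name):
        if kind not in ('local', 'global'):
            raise ValueError('kind must be local or global')
        group = Group(kind, domain, name)
        self._members.setdefault(group, set())
        return group

    def add_member(self, group, member):
        if group not in self._members:
            raise KeyError(group)
        if group.kind == 'global':
            # Global groups hold only individual user accounts from their own domain.
            if not isinstance(member, User) or member.domain != group.domain:
                raise ValueError('global group may contain only users of its own domain')
        else:
            # Local groups never contain local groups; users or global groups may come
            # from the group's own domain or (assumption) from a domain it trusts.
            if isinstance(member, Group) and member.kind == 'local':
                raise ValueError('local group cannot contain another local group')
            if not self.is_trusted(group.domain, member.domain):
                raise ValueError('%s does not trust %s' % (group.domain, member.domain))
        self._members[group].add(member)

    def grant(self, resource_domain, group, right):
        """Give a group a right in resource_domain, respecting each group kind's scope."""
        if group.kind == 'local' and group.domain != resource_domain:
            raise ValueError('local groups have rights only in their own domain')
        if group.kind == 'global' and not self.is_trusted(resource_domain, group.domain):
            raise ValueError('a global group is exported only to domains that trust its domain')
        self._rights.setdefault((resource_domain, group), set()).add(right)

    def groups_of(self, user):
        """Direct memberships plus local groups that contain one of the user's global groups."""
        direct = {g for g, members in self._members.items() if user in members}
        nested = {g for g, members in self._members.items()
                  if g.kind == 'local' and direct & members}
        return direct | nested

    def effective_rights(self, user, resource_domain):
        rights = set()
        for group in self.groups_of(user):
            rights |= self._rights.get((resource_domain, group), set())
        return rights


def demo():
    """B trusts A (Section 3.3); A's Domain Users are exported into a local group in B."""
    d = NtDirectory()
    d.add_trust('B', 'A')                       # trusting = B, trusted = A
    alice = User('A', 'alice')
    a_users = d.create_group('global', 'A', 'Domain Users')
    d.add_member(a_users, alice)
    b_readers = d.create_group('local', 'B', 'Report Readers')
    d.add_member(b_readers, a_users)            # import the global group into B
    d.grant('B', b_readers, 'Read')
    rejected = []
    try:                                        # C trusts nobody, so A's group cannot enter
        d.add_member(d.create_group('local', 'C', 'Staff'), a_users)
    except ValueError as exc:
        rejected.append(str(exc))
    return {
        'alice_in_B': d.effective_rights(alice, 'B'),
        'alice_in_A': d.effective_rights(alice, 'A'),
        'A_trusts_B': d.is_trusted('A', 'B'),   # trust is one-way
        'rejected': rejected,
    }
```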

    A local group and a global group can share the same name. They are still different. Table 4.4 shows the default global groups created by Windows NT.

    Name            Description
    Domain Admins   Members can fully administer the home domain, the workstations of the domain, and any other trusted domains that added this group to the local Administrators group. These members are added automatically to the local Administrators group.
    Domain Guests   Members can access the guest account, and can potentially access resources across domains. Members are added automatically to the local Guests group.
    Domain Users    Members have normal access to the domain and any NT workstation in the domain. The group contains all domain users, and its members are added automatically to the local Users group.

    Table 4.4. Domain Global Groups on Windows NT Server.

    4.3.3. Special Groups

    Besides the local and global groups, Windows NT has a few special groups with no members. The name special does not refer to the privilege level of users but rather to access to computer resources. These groups have no members because they apply to any account using the computer in a specified way. You do not see these groups listed in the User Manager for Domains window; however, they might appear when you are assigning permissions to directories, files, shared directories, or printers.

    Table 4.6 shows some of the special groups of Windows NT Server.


    Name                Description
    Administrators      Members can fully administer the local computer and any domain resources. The group is the most powerful. Within the Administrators group is a built-in account that you cannot delete. Because you cannot disable the Administrator account, you might want to create a backup Administrator account for emergencies.
    Account Operators   Members can use User Manager for Domains to manage domain user and group accounts. An Account Operator cannot change or delete the Domain Admins, Account Operators, Backup Operators, Print Operators, or Server Operators groups. Also, an Account Operator cannot change or delete administrator user accounts or administer security policies.
    Backup Operators    Members can perform backups and restores, and can bypass the security restrictions on directories and files to back them up.
    Guests              Members can access the server from the network but cannot log on locally. The built-in Guest account is automatically a member of this group.
    Print Operators     Members can administer the domain printers. They can create, manage, and delete printer shares.
    Power Users         Members can do everything that members of the Users group can do. In addition, these members can create user accounts, modify the user accounts they created, put any user accounts on the computer into the Power Users, Users, and Guests built-in groups, share and stop sharing files, directories and printers located at the computer, and set the computer's internal clock.
    Replicator          Members can manage replication services. They are granted appropriate privileges to replicate files in the domain. Use this group only to support the Directory Replication Service.
    Server Operators    Members can manage the servers in the domain. Tasks include logging on locally, restarting the server, and shutting down the server.
    Users               Members can access the server from the network but cannot log on locally. They are normal users of the domain and have limited access to the domain and their computers. They can make some configuration changes to their environment but have limited functionality. They cannot create new shared directories, for example, or start and stop services.

    Table 4.5. Predefined Local Groups.

    Name                Description
    Interactive Users   Users who log on to the local computer. Interactive users access resources on the machine at which they are sitting.
    Network Users       Users who log on to a network or remote computer using their account or an enabled Guest account.
    Everyone            All users who access a computer, whether locally or remotely. This group includes both interactive and network users.

    Table 4.6. Special Groups on Windows NT Server.

    Chapter 5. Directory Shares

    Objectives

    This chapter will explain how to share a folder to make it available to all network users. We will also discuss the various permissions that can be set on files and folders.

    5.1. FAT and NTFS

    FAT[1] was the file system that was being used in DOS and the Windows 95/98 OS[2]. As this is supported by DOS-based systems, it should be used if backward compatibility is required. If you want to boot from a boot floppy and read the hard disk, FAT should be used. If there is no such requirement, NTFS[3] should be used.

    The main features that NTFS offers include :

    Directories that are automatically sorted.

    Support for upper- and lowercase letters in names.

    Allows permissions to be set on directories and files.

    Faster access to large (over 0.5 MB) sequential files. Faster access to all random access files.

    File and directory names up to 254 characters.

    Long names are automatically converted to 8+3 naming convention when accessed by aDOS based workstation.

    NTFS uses disk space more sparingly than does FAT. Under FAT the minimum size that a file actually uses on a disk is 2048 bytes, and as disk partitions get larger, that minimum size also gets larger. On a 1700 MB disk, this minimum size would be a whopping 32768 bytes. Under NTFS the same hard disk - and any hard disk in fact - supports files so that no file actually takes more than 512 bytes of space.[4]

    [1] File Allocation Table
    [2] Operating System
    [3] NT File System
    [4] The hard disk space is allocated to files in chunks of a fixed size in bytes. For the FAT file system this fixed-size chunk becomes larger as the hard disk size increases. So for a 1700 MB hard disk, even if the file contains only 1 byte, the disk space allocated to it will be 32768 bytes. This means that to save any information of less than 32768 bytes, FAT will allocate 32768 bytes and no less. This wastes a lot of space and hence the disk space utilization is very poor. NTFS, on the other hand, uses 512-byte chunks for any size of hard disk. This file system thus offers better disk space utilization.


    5.2. Creating Directory Share

    Most servers on a network function as repositories for files and directories that must be accessible to the network users. Files and directories on a server running NT Server must first be shared before network users can access them. Merely setting up a server will not do, as the server will just announce itself by saying, "Hi, I am a server, but I am not sharing anything."

    To share a directory, you must log on as a member of the Administrators or Server Operators group. Creating a share is easiest if you are physically logged on to the server. This is the recommended method.

    NT can only share directories, not files; it is not possible to pick just one file and ask NT to share it. A whole directory must be shared.[1]

    5.3. Sharing of folders using Windows NT Explorer

    To share a folder using Windows NT Explorer the following may be done.

    1. Log on to your system using an Administrative account.

    2. Go to Start, Programs, Windows NT Explorer.

    3. Select the folder you want to share and then right-click on the folder to see the drop-down menu.

    4. Select the Sharing option. NT Server shows you the Properties window with sharing options. The window's default is Not Shared.

    5. Click the Shared As button and fill in the details as needed to set up a share. For example, type the new share name you want users to see, and type a description of the files in the share. Set up the maximum number of users as needed.

    6. Click the Permissions button. You then see the permissions dialog box. Add and remove access as needed by using the Add and Remove buttons. These allow you to select users and the type of access you want them to have. Double-click on the groups you want, and select the type of access. Click OK. Return to this screen a few times as needed to add any number of groups and access levels. Click OK on the Access Through Share Permissions window when you are finished.

    7. Click OK to complete the sharing task.

    5.4. Hidden Share

    NT allows you to set up shares and hide them so that casual browsers cannot find them. You do this by adding a $ character to the end of the share name. These shares are then not displayed. The purpose of this facility is to allow administrators to hide certain shares to minimise the clutter when users browse the server.[2]

    [1] Of course, one can always put a file in a folder and share it, in effect achieving sharing of a single file.
    [2] It should not be misunderstood that hiding is a security feature. One can access the shares if one knows the names. Moreover, it is only to reduce the clutter in the browser. The NET program will show it directly.

    How does sharing work with file and directory permissions? Sharing never allows more than file and directory permissions do. Sharing can reduce the level of access provided by file and directory permissions. Share restrictions apply even to members of the Administrators group. If you restrict access to a directory to read-only, you will not be able to add or remove any files, even if you are an administrator.

    5.5. File and Directory permissions

    One of the main strengths of NTFS is that it provides access-level restrictions down to the file level. It means that access can be restricted for a file. Before we delve into the various types of permissions let us see what File Ownership is.

    Every file in NT is owned by some account.[1] NT assigns ownership of a file to the account that creates the file. By default, ownership is granted to the creator of the file, and it cannot be given away. It can be taken away, however, and there is a distinction between the two terms.

    File ownership is important because the creator of the file is provided with the ability to do anything to the file, even delete it. The creator has full control. In NT, full control means the ability to read, modify, and delete the file, as well as change the access to grant someone else full control rights.

    Let us summarise. If you create a new file, you own it and gain full control access to the file. If you copy a file, you become the owner of the copy, with the same rights. As the file owner, you can remove everyone's ability, even administrators', to access the file.

    Ensuring that files are appropriately owned and managed is one of the keys to effective security with NT Server 4.

    5.6. Taking Ownership of Files

    To take the ownership of a file the following should be done.

    1. Log on to your system by using an Administrator account.

    2. Choose Start, Programs, Windows NT Explorer. Open the directory the file resides in.

    3. Select the file you want to reassign by left-clicking once on the file name.

    4. Using the right mouse button, click on the file to see the drop-down menu.

    5. Select Properties.

    6. Select the Security tab to see three options:

    Permissions.

    Auditing.

    Ownership.

    7. Select Permissions. Grant the user account that needs ownership full control over the file by using the Add button. Click OK when finished.

    [1] The user


    8. Log off. Log on again with the user account that needs to take over the ownership.

    9. Open Explorer and find the file. Select it, then right-click and select Properties. Select Security. Note that this tab is shown only when you are accessing a file on an NTFS partition.

    10. Select the Ownership option near the bottom of the screen.

    11. You see a small dialog box offering the next option, Take Ownership. Click the Take Ownership button. Click OK to finish the task.

    12. Log off. The user account now owns the file.

    Being an owner does not automatically grant you the permission to use the file. Of course, being the owner, you can give permissions to yourself. Only, it does not happen automatically. You can also set up permissions that deny you access to the file.[1]

    5.7. Permissions

    What are the various permissions that you can set for a file in NTFS? Table 5.1 gives the details of the various permissions and their meaning when applied to a file or a directory.

    Individual Permission   When applied to a Directory/File
    Change Permission       To a directory: Allows changes to the directory's permissions.
                            To a file: Allows changes to the file's permissions.
    Delete                  To a directory: Allows deletion of the directory.
                            To a file: Allows deletion of the file.
    Execute                 To a directory: Allows display of attributes, permissions and owner; allows changing to subdirectories.
                            To a file: Allows running of program files and display of attributes, permissions, and owner. (Note that it does not include Read permission.)
    Read                    To a directory: Allows display of filenames within the directory and their attributes, permissions and owner of the directory.
                            To a file: Allows display of the file's data, permissions, attributes, and owner.
    Take Ownership          To a directory: Allows changes to the directory's ownership.
                            To a file: Allows changes to the file's ownership.
    Write                   To a directory: Read permission; plus allows creation of subdirectories and files within the directory, and changes to attributes.
                            To a file: Read permission; plus allows changes to file data and attributes.

    Table 5.1. File and Directory Permission Types.

    [1] I use it only when a file is very important and I think I may accidentally delete it. I deny permission to myself.
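    The rule of Section 5.4 (a share never grants more than NTFS does, even to administrators) and the inclusions of Table 5.1 (Write carries Read, Execute does not) can be combined into one effective-access calculation. The Python below is an added example, not code from the original notes; the mapping of the NT 4 share levels Read, Change and Full Control to individual permissions is an assumption stated in the code.

```python
"""Effective access on an NTFS file reached through a share (constructed example)."""

# Individual NTFS permissions from Table 5.1, abbreviated to one letter each.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = 'R', 'W', 'X', 'D', 'P', 'O'
ALL_PERMS = frozenset('RWXDPO')

# Assumption: the NT 4 share permission levels mapped to the individual
# permissions they allow over the network.
SHARE_LEVELS = {
    'No Access': frozenset(),
    'Read': frozenset('RX'),
    'Change': frozenset('RWXD'),
    'Full Control': ALL_PERMS,
}

# What a user must hold to perform each action on a file (derived from Table 5.1).
ACTIONS = {
    'view data': READ,
    'run program': EXECUTE,
    'modify data': WRITE,
    'delete file': DELETE,
    'change permissions': CHANGE_PERMS,
    'take ownership': TAKE_OWNERSHIP,
}


def expand(perms):
    """Apply Table 5.1's inclusions: Write includes Read, Execute does not."""
    expanded = set(perms)
    if WRITE in expanded:
        expanded.add(READ)
    unknown = expanded - ALL_PERMS
    if unknown:
        raise ValueError('unknown permission(s): %s' % sorted(unknown))
    return frozenset(expanded)


def effective_access(ntfs_perms, share_level=None):
    """Permissions a user actually gets on a file.

    share_level None models a local logon, where share permissions do not apply.
    Over a share the result is the intersection: the share never adds to what NTFS
    grants and can only take away, and that holds for administrators as well.
    """
    ntfs = expand(ntfs_perms)
    if share_level is None:
        return ntfs
    if share_level not in SHARE_LEVELS:
        raise ValueError('unknown share level: %r' % share_level)
    return ntfs & SHARE_LEVELS[share_level]


def allowed_actions(ntfs_perms, share_level=None):
    """Sorted, human-readable list of what the effective permissions let the user do."""
    perms = effective_access(ntfs_perms, share_level)
    return sorted(action for action, needed in ACTIONS.items() if needed in perms)


def demo():
    """Administrator with full NTFS control reached through a read-only share."""
    return {
        'admin_via_read_share': allowed_actions(ALL_PERMS, 'Read'),
        'admin_locally': allowed_actions(ALL_PERMS),
        'execute_only': allowed_actions({EXECUTE}),   # cannot view the data
        'write_only': allowed_actions({WRITE}),       # Write carries Read with it
        'full_share_cannot_add': allowed_actions({READ}, 'Full Control'),
    }
```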


    5.8. Assigning File Permissions

    Here we will see how file permissions may be assigned.

    1. Log on to your system using an Administrative account.

    2. Go to Start, Programs, Windows NT Explorer. Open the directory containing the files.

    3. Select the file or files you want to reassign by left-clicking once on the file name. If you hold the Shift key while dragging the cursor over the list of files, you can select a group of files.

    4. Using the right mouse button, click on the file(s) to see the drop-down menu.

    5. Select Properties.

    6. Select the Security tab.

    7. Select Permissions. If some groups are already showing (the Everyone group is probably showing), select those groups and click the Remove button. This action removes all unneeded users from the list. Be careful not to leave the list blank or no one will have access. Click the Add button to add new groups or user accounts for which you want to provide access from the list provided, and double-click to select them. Set the desired access at the bottom of the screen, and when you are ready click OK.

    8. Click OK on the File Permissions window to complete the task.

    The permissions can be set using the command line program CACLS as well.

    Chapter 6. TCP/IP on WinNT

    Objectives

    This chapter will show you the TCP/IP configuration of a Windows NT Server. We will also discuss a few services, viz. DNS, DHCP etc.

    6.1. What is TCP/IP?

    TCP/IP stands for Transmission Control Protocol/Internet Protocol. You can think of it as a collection of tools used originally by the US Department of Defence (DoD) to facilitate communication among the many kinds of computer the DoD had in use.

    A protocol is a set of rules and formalities used by various computers to pass messages to each other. One set of protocols may not be sufficient and you often find various protocols in use, layered on top of each other. TCP/IP actually consists of two protocols: the Transmission Control Protocol and the Internet Protocol.

    The original goal of TCP/IP consisted of providing solid failure recovery, a capability to handle high error rates, and machine and vendor independence. It was, after all, designed primarily by the military as a defence network.

    For more information about TCP/IP networks kindly see the IRISET note C4AE.

    6.2. Installing TCP/IP on Windows NT Server

    Here we will see how to install TCP/IP on NT Server.

    1. Log in to your server as an Administrator. Next, open the Control Panel and double-click the Network icon. The Network dialog box appears as shown in Figure 6.1.

    Figure 6.1. The Network Dialog Box.



    2. Click the Protocols tab. Any protocol that you have already installed will be shown in the list.

    3. Click the Add button to add a new protocol. NT builds a list of all the protocols it supports and provides this to you. The dialog presented is shown in Figure 6.2.

    Figure 6.2. All the available network protocols.

    4. Select the TCP/IP protocol from the list, and click the OK button. NT asks whether there is a DHCP server on your network and whether you want to use that server to obtain your address. For the time being say no.

    5. You might be asked to provide the address of your installation files. Place the NT Install CD-ROM in the drive, and enter its path. Click OK when you are ready. NT copies a bunch of files to the local NT system directory. If RAS[1] is installed, the installation asks you whether you want RAS configured to use TCP/IP. Choose an appropriate answer to continue. This will mostly be Yes.

    6. When the installation finishes, you will see the TCP/IP protocol displayed in the Protocols tab of your Network Protocols dialog box. You can see it in Figure 6.3.

    Figure 6.3. TCP/IP appears in the protocol list.

    [1] Remote Access Server


    7. Click the Close button. NT goes through various binding processes before displaying the Microsoft TCP/IP dialog box (Figure 6.4).

    Figure 6.4. The TCP/IP configuration dialog box.

    TCP/IP offers various setup options. The first option enables you to specify that IP addresses will come from the DHCP server. The next option enables you to predefine a static IP address, subnet mask and default gateway.

    8. Enter the necessary IP address for your network. Click OK when you are finished. NT completes the process and tells you to reboot the server, after which the TCP/IP services are available.

    6.3. TCP/IP Diagnostic and Connectivity Utilities

    NT provides several utilities that are common to UNIX systems. These are all automatically installed when you install TCP/IP. Given below is a brief description of a few of them.

    6.3.1. IPCONFIG

    The ipconfig command provides you with a system's TCP/IP configuration data. Figure 6.5 shows this command in action. Following is the syntax for this command.

    Figure 6.5. Using the ipconfig command.


    ipconfig [/all]

    /all: This switch causes the command to return additional IP information for all network adapters running TCP/IP. This includes the hostname, all the DNS servers, the node type, the state of IP routing on your system etc. You also get the physical address of all adapters using TCP/IP, the IP address of the adapter and its subnet mask as well as the default gateway.

    6.3.2. NETSTAT

    The netstat command displays the statistics for all TCP, UDP and IP connections. The syntax consists of

    netstat switches

    Here switches can be any of the following options:

    -a            Displays all current connections and listening ports.
    -e            Displays all Ethernet statistics. Can be combined with the -s switch.
    -n            Displays addresses and port numbers numerically.
    -p protocol   Displays the connections for the protocol specified. The protocol can be TCP, UDP, or IP used with the -s switch.
    -s            Displays all protocol statistics.
    interval      Redisplays the selected statistics using the number of seconds indicated by the interval parameter as the intervening pause. Ctrl+C stops the display.
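    What an administrator does with the -a -n output is compare it against what the server is supposed to be listening on. The Python below is an added example, not code from the original notes; the sample output is constructed in the layout netstat prints on NT, and the baseline of expected ports (RPC endpoint mapper and the NetBIOS ports) is an assumption for a plain NT server.

```python
"""Parse netstat -a -n output as printed on NT and check the listening ports (constructed example)."""
import re
from collections import namedtuple

Conn = namedtuple('Conn', 'proto local_addr local_port remote_addr remote_port state')

# Constructed sample in the layout netstat -a -n prints: an NT server with
# one inbound SMB session and one outbound HTTP connection.
SAMPLE_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.10.5:139       192.168.10.7:1034      ESTABLISHED
  TCP    192.168.10.5:1025      210.212.217.130:80     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
_ROW = re.compile(r'^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$')

# Assumed baseline for a plain NT server: RPC endpoint mapper plus the NetBIOS ports.
NT_SERVER_BASELINE = {('TCP', 135), ('TCP', 139), ('UDP', 137), ('UDP', 138)}


def _port(text):
    return None if text == '*' else int(text)


def parse_netstat(text):
    """Return one Conn per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append(Conn(proto, laddr, _port(lport), raddr, _port(rport), state or ''))
    return rows


def listening_ports(conns):
    """(proto, port) pairs that accept traffic: TCP in LISTENING state, any bound UDP port."""
    ports = set()
    for c in conns:
        if c.proto == 'TCP' and c.state == 'LISTENING':
            ports.add(('TCP', c.local_port))
        elif c.proto == 'UDP':
            ports.add(('UDP', c.local_port))
    return sorted(ports)


def unexpected_listeners(conns, baseline):
    """Listening ports absent from a known-good baseline, for a quick drift check."""
    return [p for p in listening_ports(conns) if p not in baseline]


def established_peers(conns):
    """Remote endpoints of established TCP sessions, for reviewing who the server talks to."""
    return sorted((c.remote_addr, c.remote_port) for c in conns if c.state == 'ESTABLISHED')
```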

    6.3.3. PING

    The ping command sends small packets to a host to verify whether the host is active. It is a very common troubleshooting command. The syntax consists of

    ping switches

    In this case, the most common values for the switches are listed below.

    -n number   Specifies the number of packets to be sent.
    -l size     Specifies the length of the packet. The default is 64 bytes and the maximum is 8192 bytes.
    -t          Ping the host until interrupted.

    6.4. DNS

    DNS[1] is a service that takes a website address like www.iriset.ac.in and translates it into the actual IP address. DNS is really only a list of IP addresses and an associated name for each address. You might think of it as a table with two entries in the form IP address - name. For example, you might see an entry such as this:

    210.212.217.130 - www.iriset.ac.in

    [1] Domain Name Service


    So who controls all these names and addresses? The central authority for DNS is the InterNIC Registration Services. This organisation ensures that your name is unique and that a current IP address is associated with it.

    6.4.1. Configuring NT for Existing DNS Servers

    What will the NT server do when it has to translate an address like www.iriset.ac.in into an IP address? It will take help from another machine that is running the Domain Name Server. So, whenever NT has to get the IP address corresponding to the name www.iriset.ac.in, a process called resolving the name, it will query the Domain Name Server. The Domain Name Server will then return the IP address for the name.

    Let us see how to set up NT to use an existing Domain Name Server.

1. Log on to the server using an Administrator account. Open the NT Control Panel and double-click the Network icon. Click the Protocols tab, and then double-click the TCP/IP protocol.

    2. Next, Click the DNS tab. This tab displays the configuration options as shown in Figure 6.6.

    Figure 6.6. The DNS configuration option dialog box.

3. Enter the DNS domain name in the box titled Domain. By default, your computer's NT-registered name is shown in the Host Name box.

4. Click the Add button to add a DNS server that already exists on your network. You can specify up to three servers and change the order in which they are tried by using the up and down arrows. If the first server cannot be reached, NT tries the next server and then the third.

5. Finally, assign default domain suffixes in the box called Domain Suffix Search Order by using the Add button. NT allows up to six additional domain suffixes. Again, use the up and down arrows to tell NT in what order they are to be searched.

    6. Click OK to finish the setup. Your NT machine is now set to use the DNS specified.
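As an added example (not from the chapter), the following Python model shows what the steps above actually configure: the order in which an NT client tries its DNS servers, and how the client's own domain and the Domain Suffix Search Order are appended to an unqualified name. The server addresses, the zone data and the unreachable first server are all constructed for illustration, and the resolver is a simplification of the real one. Two things are worth noticing when you run it: the second and third servers are fallbacks for a server that does not answer, not a union of zones, so a reachable server replying "no such name" ends the lookup for that candidate; and a bare host name is tried against every suffix in the configured order, so whichever listed domain holds a matching record first is the one that answers.

```python
"""Model of how an NT client walks the DNS settings from the DNS tab.

Added example, not part of the original chapter.  The servers, their zone
data and the unreachable first server are constructed for illustration; the
resolver is a simplification of the real one.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: server address -> {fully qualified name: IP}.
# A value of None stands for a server that does not answer at all.
SERVERS: Dict[str, Optional[Dict[str, str]]] = {
    "10.0.0.1": None,                                   # listed first, but down
    "10.0.0.2": {"www.iriset.ac.in": "210.212.217.130",
                 "mail.iriset.ac.in": "210.212.217.131"},
    "10.0.0.3": {"www.corp.example": "192.0.2.10"},
}


def query(server: str, fqdn: str) -> Tuple[str, Optional[str]]:
    """Ask one server for one name: ('down' | 'nxdomain' | 'ok', ip)."""
    zone = SERVERS.get(server)
    if zone is None:
        return "down", None
    ip = zone.get(fqdn)
    return ("ok", ip) if ip else ("nxdomain", None)


def candidates(name: str, domain: str, suffixes: List[str]) -> List[str]:
    """Names tried, in order.  A trailing dot marks an absolute name; a dotted
    name is tried as typed first; then the client's own domain and each entry
    of the Domain Suffix Search Order are appended in the configured order."""
    if name.endswith("."):
        return [name.rstrip(".")]
    out = [name] if "." in name else []
    return out + [f"{name}.{suffix}" for suffix in [domain] + suffixes]


def resolve(name: str, domain: str, suffixes: List[str], servers: List[str]):
    """Return (ip, fqdn_that_answered, trace).  For each candidate name the
    servers are tried in configured order; the next server is consulted only
    when the current one is unreachable.  A reachable server saying 'no such
    name' settles that candidate and the resolver moves to the next suffix."""
    trace = []
    for fqdn in candidates(name, domain, suffixes):
        for server in servers:
            status, ip = query(server, fqdn)
            trace.append((server, fqdn, status))
            if status == "down":
                continue
            if status == "ok":
                return ip, fqdn, trace
            break
    return None, None, trace


if __name__ == "__main__":
    order = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for host, dom, sfx in [("www", "iriset.ac.in", ["corp.example"]),
                           ("www", "corp.example", ["iriset.ac.in"]),
                           ("www.corp.example.", "iriset.ac.in", [])]:
        ip, fqdn, trace = resolve(host, dom, sfx, order)
        print(f"{host:20} -> {fqdn} = {ip}")
        for step in trace:
            print("   ", step)
```

The third lookup in the usage block is the instructive one: www.corp.example is only known to the third server, but the second server is reachable and says the name does not exist, so the third server is never asked and the lookup fails.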

6.5. DHCP

Every computer running TCP/IP needs specific configuration information to identify itself on the network. DHCP (the Dynamic Host Configuration Protocol) was designed to configure computers dynamically with IP addresses and the related TCP/IP settings; the DHCP server takes on the task of assigning unique IP addresses.

DHCP is a boon for administrators. It relieves them of keeping a record of every IP address in use in order to avoid an IP clash (two machines being assigned the same IP address): the DHCP server hands out unique addresses and supplies the full TCP/IP configuration for each system. When the configuration has to change, it is changed once on the server and the clients pick up the new settings when they renew their leases.

6.5.1. How DHCP Works

DHCP was designed as an extension of the Bootstrap Protocol (BOOTP), originally used to boot and configure diskless workstations across the network. BOOTP's ability to hand out IP addresses from a central location is useful, but it is not dynamic: the network administrator must know beforehand the MAC address of every Ethernet card on the network. That information is not impossible to obtain, but collecting it is tedious. Furthermore, there is no provision for handing out temporary IP addresses, such as an address for a visiting consultant's laptop.

DHCP improves on BOOTP because you give it a range of IP addresses that it is allowed to hand out, and it gives them out first-come, first-served to whatever computers request them. If you want to keep full BOOTP-like behaviour, you can: DHCP also lets you pre-assign (reserve) an address for a particular MAC address, as with BOOTP.

    6.5.2. Leasing an IP address

A DHCP client gets an IP address from a DHCP server in four steps.

1. Initializing State  The client broadcasts a DHCPDISCOVER message to all DHCP servers on the subnet, requesting an IP address.

2. Selecting State  Each server that can serve the client responds with a DHCPOFFER containing an IP address and a lease time.

3. Requesting State  The client chooses one of the offers (in practice, usually the first one received) and broadcasts a DHCPREQUEST naming the selected server and address, which also tells the other servers to withdraw their offers.

4. Bound State  The server that made the selected offer finishes the procedure with a DHCPACK acknowledging the request; the client then configures itself with the address and the options in the acknowledgement.

    6.5.3. Renewing IP Address Leases

DHCP clients lease their IP addresses from a DHCP server. When that lease expires, they can no longer use the address. Therefore, a DHCP client must renew its lease, preferably well before the lease expires. During renewal the client passes through the stages listed below.

1. Renewing State  By default, a DHCP client first tries to renew its lease when 50% of the lease time has elapsed. To renew, the client sends a directed (unicast) DHCPREQUEST to the DHCP server from which it obtained the lease.

When permitted, the server renews the lease by responding with a DHCPACK. This DHCPACK carries the new lease time together with the current configuration parameters, so the client can update its settings in case the administrator changed any options on the server. After renewing, the client returns to the bound state.

2. Rebinding State  If the client cannot contact the server that issued the lease, it keeps trying; when 87.5% of the lease time has elapsed it broadcasts a DHCPREQUEST so that any DHCP server can renew the lease. If the lease expires without being renewed, the client must stop using the address and start again from the initializing state.

Note on BOOTP: BOOTP was originally defined in RFC 951. The latest BOOTP RFC is RFC 1542, which includes support for DHCP. The major advantage of DHCP using the same message format as BOOTP is that an existing router can act as an RFC 1542 (BOOTP) relay agent and relay DHCP messages between subnets. Therefore, with a router acting as an RFC 1542 relay agent between two subnets, a single DHCP server can provide IP addresses and configuration information for systems on both subnets.

    6.5.4. Installing DHCP Server

You can install the DHCP server during the NT installation, or add it afterwards as a network service. Here is how to add it.

1. Log on as an Administrator. Double-click the Network icon in the Control Panel. When the Network dialog box appears, click the Services tab, and then click Add to display the Select Network Service dialog box. (See Figure 6.7.)

Figure 6.7. The Select Network Service dialog box.

2. From the Network Service list, highlight Microsoft DHCP Server, and then click OK.

3. Windows NT Setup displays a message asking for the full path to the Windows NT Server distribution files. Provide the location and click the Continue button. All necessary files are copied to your hard disk.

4. Complete all the required procedures for manually configuring TCP/IP as described in Section 6.2. A DHCP server must itself have a statically configured IP address; it cannot be a DHCP client.

    6.5.5. Understanding DHCP Scopes

For DHCP to give out IP addresses, it must know the range of IP addresses it is allowed to give out. How does it find out? You tell it with a scope. A scope is simply a range of IP addresses, or pool of addresses, to draw on. You create one scope for each subnet on the network to define the parameters for that subnet.

When the DHCP server is installed, the DHCP Manager icon is added to the Administrative Tools group under Programs in the Start menu. You use DHCP Manager for the following:

- Create one or more scopes to begin providing DHCP services.
- Define properties for the scope, including the lease duration and the IP address ranges for distribution to potential DHCP clients in the scope.
- Define default values for options (such as the default gateway and DNS servers) to be assigned together with an IP address.
- Add any custom options.

    Let us see how we create DHCP scopes.

    1. In the DHCP Servers list in the DHCP Manager window, select the server where you wantto create a scope.

2. Choose Scope|Create. The Create Scope dialog box is displayed as shown in Figure 6.8.

    Figure 6.8. The Create Scope dialog box.

3. To define the available range of IP addresses for this scope, type the beginning and the ending IP addresses of the range in the Start Address and End Address boxes. The range includes both the Start and End values. You must supply this information for the system to be able to activate the scope.

4. In the Subnet Mask box, DHCP Manager proposes a subnet mask based on the Start and End addresses. Accept the proposed value unless you know that a different one is required.

5. To define excluded addresses within the IP address pool range, use the Exclusion Range controls as detailed here:

Type the first IP address of the excluded range in the Start Address box and the last in the End Address box, then click the Add button. Define any other excluded ranges in the same way.

To exclude a single IP address, type it in the Start Address box, leave the End Address box empty, and then click the Add button.

To remove an IP address or range from the exclusions, select it in the Excluded Addresses box and then click the Remove button.

6. To specify the lease duration for IP addresses in this scope, select Limited To and type the number of days, hours, and minutes for the length of the address lease. If you do not want IP address leases in this scope to expire, select the Unlimited option (this is not recommended, because the addresses of machines that leave the network are then never reclaimed).

7. In the Name box, type a scope name. Although this is optional, it is a good idea to name each scope for later reference; use a name that describes the subnet. The name can include any combination of letters, numbers, and hyphens; blank spaces and underscore characters are also allowed.

8. Optionally, in the Comment box, type a string describing this scope, and then click OK.

9. When you finish creating the scope, a message reminds you that the scope has not been activated and lets you choose Yes to activate it immediately. Do not activate a new scope, however, until you have defined the DHCP options for it.
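The following Python model is an added example, not code from the chapter, that ties together the lease exchange and renewal of Sections 6.5.2 and 6.5.3 with the scope just created: an inclusive address range with exclusion ranges, a single excluded address, a BOOTP-style reservation for one MAC address, a lease duration, scope options (default gateway and DNS server) returned with every DHCPACK, and a scope that answers nothing until it is activated. The addresses, MAC addresses and lease lengths are constructed, the messages are Python dicts rather than wire-format packets, and "now" is a seconds counter supplied by the caller. Note how the client simply takes the first offer and nothing in the exchange authenticates the offering server; that is a property of the protocol, not of NT, and it is why any machine that can broadcast on the subnet can also hand out a gateway and DNS server of its own choosing.

```python
"""Model of a DHCP scope (6.5.5) and of the lease exchange and renewal
(6.5.2, 6.5.3).  Added example, not from the chapter: addresses, MACs and
lease lengths are constructed, messages are dicts rather than real packets,
and 'now' is a seconds counter supplied by the caller."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address


class Scope:
    """Inclusive address range minus exclusions, plus reservations, lease length, options."""

    def __init__(self, start: str, end: str, lease_secs: int, options: Dict[str, str],
                 exclusions=(), reservations: Optional[Dict[str, str]] = None):
        self.pool = [IP(i) for i in range(int(IP(start)), int(IP(end)) + 1)]
        self.lease_secs, self.options = lease_secs, options
        self.reservations = {mac: IP(a) for mac, a in (reservations or {}).items()}
        self.excluded = set()
        for first, last in exclusions:            # (first, "") excludes a single address
            self.excluded.update(IP(i) for i in range(int(IP(first)), int(IP(last or first)) + 1))
        self.active = False                       # step 9: hand out nothing until activated
        self.leases: Dict[IP, Tuple[str, int]] = {}   # ip -> (mac, expiry)

    def address_for(self, mac: str, now: int) -> Optional[IP]:
        """Reserved address, else the client's existing address, else the first free one."""
        if mac in self.reservations:
            return self.reservations[mac]
        taken = set(self.reservations.values()) | self.excluded
        for ip, (owner, expiry) in self.leases.items():
            if owner == mac:
                return ip
            if expiry > now:
                taken.add(ip)
        return next((ip for ip in self.pool if ip not in taken), None)


class Server:
    def __init__(self, ident: str, scope: Scope):
        self.ident, self.scope = ident, scope

    def handle(self, msg: dict, now: int) -> Optional[dict]:
        s = self.scope
        if not s.active:
            return None
        if msg["type"] == "DHCPDISCOVER":
            ip = s.address_for(msg["mac"], now)
            return {"type": "DHCPOFFER", "server": self.ident, "ip": ip, "lease": s.lease_secs} if ip else None
        if msg["type"] == "DHCPREQUEST":
            ip = msg["ip"]
            if msg.get("server", self.ident) != self.ident or (ip not in s.pool and ip not in s.reservations.values()):
                return None                       # another server was selected, or not our address
            if ip != s.address_for(msg["mac"], now):
                return {"type": "DHCPNAK", "server": self.ident}   # taken meanwhile, or not this client's
            s.leases[ip] = (msg["mac"], now + s.lease_secs)
            return {"type": "DHCPACK", "server": self.ident, "ip": ip, "lease": s.lease_secs,
                    "options": dict(s.options)}   # options are resent on every renewal
        return None


class Client:
    def __init__(self, mac: str):
        self.mac, self.state, self.ip, self.server = mac, "INIT", None, None
        self.t1 = self.t2 = self.expires = 0
        self.config: Dict[str, str] = {}

    def _bind(self, reply: Optional[dict], now: int) -> bool:
        if not reply or reply["type"] != "DHCPACK":
            return False
        self.ip, self.server, self.config = reply["ip"], reply["server"], reply["options"]
        self.t1, self.t2 = now + reply["lease"] // 2, now + reply["lease"] * 7 // 8
        self.expires, self.state = now + reply["lease"], "BOUND"
        return True

    def _request(self, servers: List[Server], now: int, server: Optional[str] = None) -> bool:
        req = {"type": "DHCPREQUEST", "mac": self.mac, "ip": self.ip}
        if server:
            req["server"] = server                # selected server; the others withdraw their offers
        replies = [r for r in (s.handle(req, now) for s in servers) if r]
        return self._bind(replies[0] if replies else None, now)

    def obtain(self, servers: List[Server], now: int) -> bool:
        """INIT -> SELECTING -> REQUESTING -> BOUND."""
        discover = {"type": "DHCPDISCOVER", "mac": self.mac}            # broadcast
        offers = [o for o in (s.handle(discover, now) for s in servers) if o]
        if not offers:
            return False
        self.state, offer = "SELECTING", offers[0]   # first offer wins; nothing authenticates it
        self.state, self.ip = "REQUESTING", offer["ip"]
        if self._request(servers, now, offer["server"]):
            return True
        self.state, self.ip = "INIT", None
        return False

    def tick(self, servers: List[Server], now: int) -> str:
        """Unicast renewal at T1 (50%), broadcast rebinding at T2 (87.5%), give up at expiry."""
        if self.state == "BOUND" and now >= self.t1:
            self.state = "RENEWING"
            self._request([s for s in servers if s.ident == self.server], now, self.server)
        if self.state == "RENEWING" and now >= self.t2:
            self.state = "REBINDING"
            self._request(servers, now)
        if self.state in ("RENEWING", "REBINDING") and now >= self.expires:
            self.state, self.ip, self.config = "INIT", None, {}
        return self.state
```

To exercise it, build a Scope("192.168.1.10", "192.168.1.20", 3600, {...}) with an exclusion of .10 to .12, a single excluded .15 and a reservation for .20, wrap it in a Server, and call obtain() before and after setting scope.active; then call tick() with the server present at 1800 seconds (renewal succeeds, expiry moves out) and with an empty server list afterwards (the client drops through RENEWING and REBINDING to INIT at expiry, and its address becomes free for the next DHCPDISCOVER).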

    6.5.6. Configuring DHCP Options

Besides the IP addressing information, you must configure the other DHCP options that apply to the clients of each scope. Here is how.

    1. In the DHCP Servers list in the DHCP Manager window, select the scope that you wantto configure.

    2. From the DHCP Options menu, choose the Global or Scope command, depending onwhether you want to define options for all scopes on the currently selected server or for thescope currently selected in the DHCP Manager window. The DHCP Options: Scope dialogbox appears.

3. In the Unused Options list of the DHCP Options: Scope dialog box, select the name of the DHCP option you want to apply and click the Add button to move it to the Active Options list. This list shows predefined options and any custom options you have added.

    4. To define the value for an active option, select its name in the Active Options box and clickthe Values button. Then click the Edit button and edit the information in the Current Valuebox, depending on the data type for the options, as described here:

    For an IP address, type the assigned address for the selected option.

    For a number, type an appropriate decimal or hexadecimal value for the option.

    For a string, type an appropriate ASCII string containing letters and numbers forthe options.


Index

Abstraction, 2
Multi-Threaded, 2
Multitasking, 2
Operating System, 1
Single Tasking, 2
symmetric processor system, 2
Task, 2
Thread, 2


