Chapter 16. Managing TCP/IP Networking

As an administrator, you enable networked computers to communicate by using the basic networking protocols built into Microsoft Windows Server 2003. The key protocol you’ll use is Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is actually a collection of protocols and services used for communicating over a network. It’s the primary protocol used for internetwork communications. Compared to configuring other networking protocols, configuring TCP/IP communications is fairly complicated, but TCP/IP is the most versatile protocol available.

In this chapter, you’ll learn about configuring and managing TCP/IP networking. Whenever you work with TCP/IP networking, you must tell the computer about the network. You do this by telling the computer how to route information on the network and how to access other computers. After you configure TCP/IP, you also need to make the computer a member of the network so it can access network resources.

Note

Group policy settings can affect your ability to install and manage TCP/IP networking. Key policies you’ll want to examine are those in User Configuration\Administrative Templates\Network\Network Connections and Computer Configuration\Administrative Templates\System\Group Policy. Group policy is discussed in Chapter 4.

Installing TCP/IP Networking

TCP/IP networking relies on network adapters and the TCP/IP protocol. To access the network using TCP/IP, you need to install one or more network adapters on the computer and then set up the TCP/IP protocol.

Installing Network Interface Cards

Network interface cards (NICs), also known as network adapters, are hardware devices that are used to communicate on networks. You can install and configure NICs by completing the following steps:

  1. Configure the NIC following the manufacturer’s instructions. For example, you might need to modify the card’s Interrupt setting or Port setting by using the software provided by the manufacturer.

  2. Disconnect the computer from the network, turn it off, unplug it, and then install the adapter in the appropriate slot on the computer. When you’re finished, boot the system.

  3. Windows Server 2003 should detect the new adapter during startup. If you have a separate driver disk for the adapter, you should insert it now. Otherwise, you might be prompted to insert a driver disk.

  4. If Windows Server 2003 doesn’t detect the adapter automatically, follow the installation instructions in the section entitled "Managing Hardware Devices and Drivers" in Chapter 2.

  5. If networking services aren’t installed on the system, install them as described in the next section.

Installing the TCP/IP Protocol

TCP/IP networking is normally installed during Windows Server 2003 installation. You can also install TCP/IP networking through Network Connections. If you’re installing TCP/IP after installing Windows Server 2003, log on to the computer using an account with Administrator privileges and then follow these steps:

  1. Access Network Connections in Control Panel.

  2. Select or double-click the connection you want to work with.

    Note

    Local area network (LAN) connections are created automatically if the computer has a network adapter and is connected to a network. If a computer has multiple adapter cards and is connected to a network, you’ll see one LAN connection for each adapter card. If no network connection is available, you should connect the computer to the network or create a different type of connection, as explained in the section of this chapter entitled "Managing Network Connections."

  3. In the Status dialog box, click Properties. This displays the Local Area Connection Properties dialog box shown in Figure 16-1. If Internet Protocol (TCP/IP) isn’t shown in the list of installed components, you’ll need to install it. Click Install, select Protocol, and then click Add. In the Select Network Protocol dialog box, select Internet Protocol (TCP/IP), and then click OK.

    Figure 16-1. Use the Local Area Connection Properties dialog box to install and configure TCP/IP.

  4. In the Local Area Connection Properties dialog box, make sure that the Internet Protocol (TCP/IP) check box is selected, and then click OK.

  5. As necessary, follow the instructions in the next section for configuring TCP/IP for the computer.

Configuring TCP/IP Networking

Computers use IP addresses to communicate over TCP/IP. Windows Server 2003 provides several ways to configure IP addressing:

  • Manually. IP addresses that are assigned manually are called static IP addresses. Static IP addresses are fixed and don’t change unless you change them. You’ll usually assign static IP addresses to servers running Windows Server 2003, and when you do this, you’ll need to configure additional information to help the server navigate the network.

  • Dynamically. A Dynamic Host Configuration Protocol (DHCP) server (if one is installed on the network) assigns dynamic IP addresses at startup, and the addresses might change over time. Dynamic IP addressing is the default configuration and in most cases is set up automatically on Windows workstations.

  • Alternatively. When a computer is configured to use DHCP and no DHCP server is available, Windows Server 2003 assigns an alternate private IP address automatically. This alternate IP address is referred to as an Automatic Private IP Address (APIPA). By default, this address is in the range from 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. You can also specify a user-configured alternate IP address, which is particularly useful for laptop users who need one IP configuration in the office and another at home.

Configuring Static IP Addresses

When you assign a static IP address, you need to tell the computer the IP address you want to use, the subnet mask for this IP address, and, if necessary, the default gateway to use for internetwork communications. An IP address is a numeric identifier for a computer. IP addressing schemes vary according to how your network is configured, but they’re normally assigned from a range of addresses for a particular network segment. For example, if you’re working with a computer on the network segment 192.168.10.0, the address range you have available for computers is usually from 192.168.10.1 to 192.168.10.254. The address 192.168.10.255 normally is reserved for network broadcasts.

If the network is connected directly to the Internet and you’ve reserved a range of IP addresses, you can use the IP addresses you’ve been assigned. If you’re on a private network that’s indirectly connected to the Internet, you should use private IP addresses. Private network addresses are summarized in Table 16-1.

Table 16-1. Private Network Addresses

| Private Network ID | Subnet Mask | IP Address Range |
|---|---|---|
| 10.0.0.0 | 255.0.0.0 | 10.0.0.1 – 10.255.255.254 |
| 172.16.0.0 | 255.240.0.0 | 172.16.0.1 – 172.31.255.254 |
| 192.168.0.0 | 255.255.0.0 | 192.168.0.1 – 192.168.255.254 |

All other network addresses are public and must be leased or purchased.

Using Ping to Check an Address

Before you assign a static IP address, you should make sure that the address isn’t already in use or reserved for use with DHCP. You can use the Ping utility to find out if an address is in use. Open a command prompt and type ping, followed by the IP address you want to check. To test the IP address 192.168.10.12, you would use the following command:

ping 192.168.10.12

If you receive a successful reply from the ping test, the IP address is in use and you should try another IP address. If the request times out for all ping attempts, the IP address isn’t active on the network at this time and probably isn’t in use. Your company’s network administrator would be able to confirm this for you as well.

Assigning a Static IP Address

You assign a static IP address by doing the following:

  1. Access Network Connections in Control Panel.

  2. Select or double-click the connection with which you want to work.

  3. Click Properties and then open the Internet Protocol (TCP/IP) Properties dialog box shown in Figure 16-2 by double-clicking Internet Protocol (TCP/IP). Or select Internet Protocol (TCP/IP) and then click Properties.

    Figure 16-2. Use the Internet Protocol (TCP/IP) Properties dialog box to configure dynamic and static IP addressing.

    Note

    LAN connections are created automatically when you start a computer that’s attached to a network; you don’t need to create a connection. One LAN connection is shown for each network adapter installed. If you use a dial-up or other type of connection, you must create the connection as described in the "Managing Network Connections" section of this chapter.

  4. Select Use The Following IP Address, and then type the IP address in the IP Address field. The IP address you assign to the computer must not be used anywhere else on the network.

  5. The Subnet Mask field ensures that the computer communicates over the network properly. Windows Server 2003 should insert a default value for the subnet mask into the Subnet Mask field. If the network doesn’t use subnets, the default value should suffice. But if it does use subnets, you’ll need to change this value as appropriate for your network.

  6. If the computer needs to access other TCP/IP networks, the Internet, or other subnets, you must specify a default gateway. Type the IP address of the network’s default router in the Default Gateway field.

  7. Domain name services are needed for domain name resolution. Type a preferred and alternate Domain Name System (DNS) server address in the fields provided.

  8. When you’re finished, click OK. Repeat this process for other network adapters you want to configure. Keep in mind that each network adapter must have a unique IP address.

  9. Configure Windows Internet Name Service (WINS) as necessary. You might also need to set advanced options for DNS.
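
The checks this section asks you to make before committing a static address can be run over an address plan in one pass. The following is an added example, not part of the original chapter: the function name, the message strings, and the sample DHCP scope are assumptions made for illustration, and the private ranges are the ones in Table 16-1.

```python
import ipaddress

# Private ranges exactly as listed in Table 16-1, plus the APIPA range.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def check_static_plan(address, mask, gateway=None, dhcp_scope=None, in_use=()):
    """Return a list of problems found in a proposed static configuration.

    address, mask, gateway: dotted-decimal strings.
    dhcp_scope: optional (first, last) pair describing the DHCP server's range.
    in_use: addresses already known to be taken, for example ping replies.
    An empty list means none of the checks failed.
    """
    problems = []
    ip = ipaddress.ip_address(address)
    # strict=False lets us derive the segment from a host address and mask.
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)

    if ip == net.network_address:
        problems.append("address is the network ID of the segment")
    if ip == net.broadcast_address:
        problems.append("address is the broadcast address of the segment")

    if ip in APIPA_NET:
        problems.append("address is in the APIPA range 169.254.0.0/16")
    elif not any(ip in n for n in PRIVATE_NETS):
        problems.append("address is public; confirm it was assigned to you")

    if dhcp_scope:
        first, last = (ipaddress.ip_address(a) for a in dhcp_scope)
        if first <= ip <= last:
            problems.append("address falls inside the DHCP scope")

    if ip in {ipaddress.ip_address(a) for a in in_use}:
        problems.append("address is already in use")

    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append("default gateway is not on the same subnet")
        elif gw == ip:
            problems.append("default gateway equals the host address")
    return problems


if __name__ == "__main__":
    # Constructed sample plan for the 192.168.10.0 segment used in the text.
    scope = ("192.168.10.100", "192.168.10.200")   # assumed DHCP scope
    seen = ["192.168.10.12"]                       # assumed ping replies
    plan = [
        ("192.168.10.12", "255.255.255.0", "192.168.10.1"),
        ("192.168.10.20", "255.255.255.0", "192.168.10.1"),
        ("192.168.10.150", "255.255.255.0", "192.168.10.1"),
        ("192.168.10.255", "255.255.255.0", "192.168.10.1"),
        ("192.168.10.30", "255.255.255.0", "192.168.11.1"),
    ]
    for addr, mask, gw in plan:
        result = check_static_plan(addr, mask, gw, scope, seen)
        print(addr, "->", result or "ok")
```

A host that does not answer ping requests will not appear in the in-use list, so treat an empty result as a candidate to confirm against the network administrator's records.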

Configuring Dynamic IP Addresses

DHCP gives you centralized control over IP addressing and TCP/IP default settings. If the network has a DHCP server, you can assign a dynamic IP address to any of the network adapter cards on a computer. Afterward, you rely on the DHCP server to supply the basic information necessary for TCP/IP networking. Because the dynamic IP address can change, you shouldn’t use a dynamic IP address for servers running Windows Server 2003. You configure dynamic IP addressing by completing the following steps:

  1. Access Network Connections in Control Panel, and then select or double-click the connection with which you want to work.

    Note

    One LAN connection is shown for each network adapter installed. These connections are created automatically.

  2. Click Properties and then open the Internet Protocol (TCP/IP) Properties dialog box by double-clicking Internet Protocol (TCP/IP). Or you could select Internet Protocol (TCP/IP) and then click Properties.

  3. Select Obtain An IP Address Automatically. If desired, select Obtain DNS Server Address Automatically. Or select Use The Following DNS Server Addresses and then type a preferred and alternate DNS server address in the text boxes provided.

  4. When you’re finished, click OK. Afterward, configure alternate private IP addresses, DNS, and WINS as necessary.

Configuring Alternate Private IP Addresses

When you use DHCP, don’t forget that Windows Server 2003 automatically assigns an alternate IP address when it can’t reach the DHCP server during startup or when the current IP address lease expires. By default, the alternate IP address is in the range from 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. Because the automatic private IP address configuration doesn’t include default gateway, DNS, or WINS server settings, a computer using the alternate IP addressing is essentially isolated on its own network segment.

If you want to ensure that a computer uses a specific IP address when no DHCP server is available, you need to specify an alternate configuration manually. One of the key reasons for setting an alternate configuration is to accommodate portable computer users who take their computers home. In this way, the user’s portable computer could be configured to use a dynamically assigned IP address at work and an alternate IP address configuration at home.

You can specify an alternate private IP address by completing the following steps:

  1. Access Network Connections in Control Panel and then select or double-click the connection with which you want to work.

  2. Click Properties and then open the Internet Protocol (TCP/IP) Properties dialog box by double-clicking Internet Protocol (TCP/IP). Or you could select Internet Protocol (TCP/IP) and then click Properties.

  3. Provided that you’ve already configured the adapter to obtain an IP address automatically, you should be able to click the Alternate Configuration tab shown in Figure 16-3.

    Figure 16-3. Use the Alternate Configuration tab to configure a private IP address for the computer.

  4. Select User Configured in the Alternate Configuration tab and then type the IP address you want to use in the IP Address text box. The IP address you assign to the computer should be a private IP address as shown in Table 16-1, and it must not be in use anywhere else at the time the settings are applied.

  5. The Subnet Mask text box ensures that the computer communicates over the network properly. Windows Server 2003 should insert a default value for the subnet mask into the Subnet Mask text box. If the network doesn’t use subnets, the default value should suffice. But if it does use subnets, you’ll need to change this value as appropriate for your network.

  6. If the computer needs to access other TCP/IP networks, the Internet, or other subnets, you must specify a default gateway address. Type the IP address of the network’s default router in the Default Gateway text box.

  7. Domain name services are needed for domain name resolution. Type a preferred and alternate DNS server address in the text boxes provided.

  8. If you use WINS on the network for backward compatibility with previous versions of Windows, configure a preferred and alternate WINS server using the text boxes provided. When you’re finished, click OK.

Configuring Multiple IP Addresses and Gateways

Computers running Windows Server 2003 can have multiple IP addresses, even if the computers have only a single network adapter card. Multiple IP addresses are useful in several situations:

  • You want a single computer to appear to be several computers. For example, if you’re installing an intranet server, you might also want the server to provide Web, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) services. You can use a different IP address for each service, and you can use different IP addresses for the intranet and the FTP services.

  • If your network is divided into multiple logical IP networks (subnets), and the computer needs access to these subnets to route information or provide other internetworking services, you might want a single network adapter card to have multiple IP addresses. For example, the address 192.168.10.8 could be used for workstations accessing a server from the 192.168.10.0 subnet, and the address 192.168.11.8 could be used for workstations accessing a server from the 192.168.11.0 subnet.

When you use a single network adapter, IP addresses must be assigned to the same network segment or segments that are part of a single logical network. If your network is divided into multiple physical networks, you must use multiple network adapters, with each network adapter being assigned an IP address in a different physical network segment.

Real World

If you’re looking for a simple cost-effective solution for connecting multiple networks, you might want to take advantage of the IP routing or network bridging features of Windows Server 2003. With IP routing, you configure a server with two adapters (one configured for one network and another configured for another network) to route traffic between the networks. You use Routing And Remote Access Services to configure routing using an appropriate routing protocol, such as RIP Version 2 for Internet Protocol. IP routing is designed for medium and large enterprises and is fairly complex to configure. With network bridging, you create a logical bridge between two networks that’s managed by Windows. Bridges are designed for small enterprises and are available only on Windows Server 2003. You won’t find this feature in the Windows Server 2003 Advanced Server or Datacenter Server editions.

Assigning Addresses and Gateways

If you’ve configured a computer with a static IP address, each network adapter installed on the computer can have one or more IP addresses. You can associate both static and dynamic IP addresses with one or more default gateways. You assign multiple IP addresses and gateways to a single network adapter card by doing the following:

  1. Access Network Connections in Control Panel and then select or double-click the connection you want to work with.

  2. Click Properties and then open the Internet Protocol (TCP/IP) Properties dialog box by double-clicking Internet Protocol (TCP/IP). Or you could select Internet Protocol (TCP/IP) and then click Properties.

  3. Click Advanced to open the dialog box shown in Figure 16-4.

    Figure 16-4. Use the Advanced TCP/IP Settings dialog box to configure multiple IP addresses and gateways.

  4. In the IP Settings tab, click Add in the IP Addresses area, and then type the IP address in the IP Address text box and the subnet mask in the Subnet Mask text box. Repeat this step for each IP address you want to add to the network adapter card.

  5. You can enter additional default gateways, as necessary. Click Add and then type the gateway address in the Gateway text box.

  6. The gateway metric indicates the relative cost of using a gateway. If multiple default routes are available for a particular IP address, Windows Server 2003 uses the gateway with the lowest cost first. If the computer can’t communicate with the initial gateway, Windows Server 2003 tries to use the gateway with the next lowest metric. By default, Windows Server 2003 automatically assigns a metric to the gateway. You can assign the metric manually, however. To do this, clear the Automatic Metric check box and then enter a metric in the text box provided.

  7. Click Add and then repeat Steps 5–6 for each gateway you want to add.

Configuring DNS Resolution

DNS is a host name resolution service. You use DNS to determine a computer’s IP address from its host name. This allows users to work with host names, such as www.msn.com or www.microsoft.com, rather than an IP address, such as 192.168.5.102 or 192.168.12.68. DNS is the primary name service for Windows Server 2003 and the Internet.

Tip

In order for DNS to function properly, a DNS server must be installed on the network (or be available to the network). Managing DNS servers is covered in Chapter 20.

Basic DNS Settings

You can configure basic DNS settings by completing the following steps:

  1. Access Network Connections in Control Panel. Afterward, select or double-click the connection with which you want to work.

  2. Click Properties and then open the Internet Protocol (TCP/IP) Properties dialog box by double-clicking Internet Protocol (TCP/IP). Or you could select Internet Protocol (TCP/IP) and then click Properties.

  3. If the computer is using DHCP and you want DHCP to specify the DNS server address, select Obtain DNS Server Address Automatically. Otherwise, select Use The Following DNS Server Addresses and then type a primary and alternate DNS server address in the text boxes provided.

Advanced DNS Settings

You configure advanced DNS settings by using the DNS tab in the Advanced TCP/IP Settings dialog box shown in Figure 16-5. You use the fields of the DNS tab as follows:

  • DNS Server Addresses, In Order Of Use. Use this area to specify the IP address of the DNS servers that are used for domain name resolution. Use the Add button to add a server IP address to the list. Use the Remove button to remove a server from the list. Use the Edit button to edit the selected entry. You can specify multiple servers to use for DNS resolution. These servers are used in priority order. If the first server isn’t available to respond to a host name resolution request, the next DNS server on the list is accessed, and so on. It’s important to note that TCP/IP doesn’t go to the next server if the first server can’t resolve the name, only if the first server doesn’t respond. To change the position of a server in the list box, click it and then use the Up or Down arrow button.

  • Append Primary And Connection Specific DNS Suffixes. Select this option to resolve unqualified computer names in the primary domain. For example, if the computer name "Rage" were used and the parent domain were microsoft.com, the computer name would resolve to rage.microsoft.com. If the fully qualified computer name doesn’t exist in the parent domain, the query fails. The parent domain used is the one set in the Network Identification tab of the System Properties dialog box. Normally, this option is selected by default.

  • Append Parent Suffixes Of The Primary DNS Suffix. Select this option to resolve unqualified computer names using the parent-child domain hierarchy. If a query fails in the immediate parent domain, the suffix for the parent of the parent domain is used to try to resolve the query. This process continues until the top of the DNS domain hierarchy is reached. For example, if the computer name "Rage" were used in the dev.microsoft.com domain, DNS would attempt to resolve the computer name to rage.dev.microsoft.com. If this didn’t work, DNS would attempt to resolve the computer name to rage.microsoft.com. Normally, this option is selected by default.

  • Append These DNS Suffixes (In Order). Select this option to set specific DNS suffixes to use rather than resolving through the parent domain. Use the Add button to add a domain suffix to the list. Use the Remove button to remove a domain suffix from the list. Use the Edit button to edit the selected entry. You can specify multiple domain suffixes. These suffixes are used in priority order. If the first suffix doesn’t resolve properly, DNS attempts to use the next suffix in the list. If this fails, the next suffix is used, and so on. To change the order of the domain suffixes, select the suffix, and then use the Up or Down arrow buttons to change its position.

  • DNS Suffix For This Connection. Sets a specific DNS suffix for the connection that overrides DNS names already configured for use on this connection. You’ll usually want to set the DNS domain name through the Network Identification tab in the System Properties dialog box instead.

  • Register This Connection’s Addresses In DNS. Select this option if you want all IP addresses for this connection to be registered in DNS under the computer’s fully qualified domain name. This option is selected by default.

  • Use This Connection’s DNS Suffix In DNS Registration. Select this option if you want all IP addresses for this connection to be registered in DNS under the parent domain.

Figure 16-5. Use the DNS tab of the Advanced TCP/IP Settings dialog box to configure advanced DNS settings.
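
The suffix options above determine which fully qualified names the resolver actually queries for an unqualified name, and therefore which DNS zones see those queries. The following is an added example, not part of the original chapter, that lists the candidate names for a given combination of settings and flags any that fall outside the zones you administer. The function names are hypothetical; the order in which the connection-specific suffix is tried and the rule that parent-suffix lookups stop at a two-label suffix are assumptions chosen to match the "Rage" example in the text.

```python
def candidate_fqdns(name, primary_suffix, connection_suffix=None,
                    append_parent_suffixes=True, explicit_suffixes=None):
    """List the names tried for an unqualified name, in order.

    explicit_suffixes models "Append These DNS Suffixes (In Order)" and,
    when given, replaces the primary and parent suffixes entirely.
    """
    name = name.strip().lower()
    if "." in name:
        # Assumption: a name that already contains a dot is treated as
        # qualified and is queried as given.
        return [name.rstrip(".")]

    if explicit_suffixes:
        suffixes = [s.lower() for s in explicit_suffixes]
    else:
        # "Append Primary And Connection Specific DNS Suffixes"
        suffixes = [primary_suffix.lower()]
        if connection_suffix:
            suffixes.append(connection_suffix.lower())
        # "Append Parent Suffixes Of The Primary DNS Suffix": drop the
        # leftmost label each time; assumed to stop at two labels.
        if append_parent_suffixes:
            labels = primary_suffix.lower().split(".")
            while len(labels) > 2:
                labels = labels[1:]
                suffixes.append(".".join(labels))

    ordered = []
    for suffix in suffixes:          # remove duplicates, keep priority order
        if suffix not in ordered:
            ordered.append(suffix)
    return [f"{name}.{suffix}" for suffix in ordered]


def outside_zones(candidates, managed_zones):
    """Return the candidate names that are not under any managed zone."""
    zones = [z.lower().rstrip(".") for z in managed_zones]
    flagged = []
    for fqdn in candidates:
        if not any(fqdn == z or fqdn.endswith("." + z) for z in zones):
            flagged.append(fqdn)
    return flagged


if __name__ == "__main__":
    # The example from the text: "Rage" in the dev.microsoft.com domain.
    print(candidate_fqdns("Rage", "dev.microsoft.com"))

    # Constructed case: the organization administers corp.example.com only,
    # but the primary suffix is three levels below example.com.
    tried = candidate_fqdns("fileserver", "dev.corp.example.com")
    print(tried)
    print("outside managed zones:", outside_zones(tried, ["corp.example.com"]))

    # An explicit suffix list keeps every query inside the managed zone.
    fixed = candidate_fqdns("fileserver", "dev.corp.example.com",
                            explicit_suffixes=["dev.corp.example.com",
                                               "corp.example.com"])
    print("outside managed zones:", outside_zones(fixed, ["corp.example.com"]))
```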

Configuring WINS Resolution

You use WINS to resolve NetBIOS computer names to IP addresses. You can use WINS to help computers on a network determine the addresses of other computers on the network. If a WINS server is installed on the network, you can use the server to resolve computer names. Although WINS is supported on all versions of Windows, Windows Server 2003 uses WINS primarily for backward compatibility.

You can also configure computers running Windows Server 2003 to use the local file LMHOSTS to resolve NetBIOS computer names. However, LMHOSTS is consulted only if normal name resolution methods fail. In a properly configured network, these files are rarely used. Thus, the preferred method of NetBIOS computer name resolution is WINS in conjunction with a WINS server.

You can configure WINS by completing the following steps:

  1. Access the Advanced TCP/IP Settings dialog box, and then click the WINS tab. This displays the dialog box shown in Figure 16-6.

    Figure 16-6. Use the WINS tab of the Advanced TCP/IP Settings dialog box to configure WINS resolution for NetBIOS computer names.

  2. The box named WINS Addresses, In Order Of Use allows you to specify the IP address of the WINS servers that are used for NetBIOS name resolution. Use the Add button to add a server IP address to the list. Use the Remove button to remove a server from the list. Use the Edit button to edit the selected entry.

  3. You can specify multiple servers to use for WINS resolution. These servers are used in priority order. If the first server isn’t available to respond to a NetBIOS name resolution request, the computer accesses the next WINS server on the list, and so on. It’s important to note that TCP/IP doesn’t go to the next server if the first server can’t resolve the name, only if the first server doesn’t respond. To change the position of a server in the list box, select it and then use the Up or Down arrow button to move the server in this list.

  4. To enable LMHOSTS lookups, select the Enable LMHOSTS Lookup check box. If you want the computer to use an existing LMHOSTS file defined somewhere on the network, retrieve this file with the Import LMHOSTS button. You generally use LMHOSTS only when other name resolution methods fail.

    Best Practices

    LMHOSTS files are maintained locally on a computer-by-computer basis, which can eventually make them unreliable. Rather than relying on LMHOSTS, ensure that your DNS and WINS servers are configured properly and are accessible to the network. This way, you can ensure centralized administration of name resolution services.

  5. NetBIOS Over TCP/IP services are required for WINS name resolution. Choose one of the following options to configure WINS name resolution using NetBIOS:

    1. If you use DHCP and dynamic addressing, you can get the NetBIOS setting from the DHCP server. Select Default, Use NetBIOS Setting From The DHCP Server.

    2. If you use static IP addressing or the DHCP server doesn’t provide NetBIOS settings, select Enable NetBIOS Over TCP/IP.

    3. If WINS and NetBIOS aren’t used on the network, select Disable NetBIOS Over TCP/IP. This eliminates the NetBIOS broadcasts that the computer would otherwise send.

  6. Repeat this process for other network adapters, as necessary.

Configuring Additional Networking Components

You can configure Windows Server 2003 systems to use additional networking clients, services, and protocols. You install these networking components through the Network Connection Properties dialog box or through the Windows Optional Networking Components Wizard. Each one offers different components.

Installing and Uninstalling Networking Components

You use the Network Connection Properties dialog box to install networking clients, services, and protocols. Table 16-2 provides a brief overview of the various network components you can install using this dialog box.

Table 16-2. Network Components Available on Windows Server 2003

| Component | Description |
|---|---|
| AppleTalk Protocol | Allows other computers to communicate with the computer through the AppleTalk protocol. Allows servers running Windows Server 2003 to be AppleTalk routers. |
| Client For Microsoft Networks | Allows the computer to access resources on Windows networks. |
| Client Service For NetWare | Allows the computer to access NetWare networks. |
| File And Printer Sharing For Microsoft Networks | Allows other computers to access resources on the computer. |
| Microsoft TCP/IP V6 | Provides network layer protocols that support IP version 6 (IPv6). IPv6 provides a 128-bit address space and is the next generation of IP addressing. You should have a thorough understanding of IPv6 before trying to install or use this protocol. |
| Network Load Balancing | Provides TCP/IP load balancing functions for the server. |
| Network Monitor Driver | Driver that allows Netmon to capture network packets. Netmon is the network monitor utility. |
| NWLink IPX/SPX/NetBIOS Compatible Transport Protocol | Enables the computer to communicate with NetWare servers running Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX). |
| QoS Packet Scheduler | Quality of Service packet scheduler, which provides network traffic control services. |
| Reliable Multicast Protocol | Allows the computer to be configured for multicast broadcasting. With multicasting, transmissions are broadcast to multiple clients in a single data stream. For example, QoS Admission Control hosts send multicast broadcasts notifying clients that the host is active and ready to receive requests. |
| Service Advertising Protocol | Installs Service Advertising Protocol Agent, which advertises servers and addresses on the network. NetWare servers running IPX/SPX use this protocol to locate servers and services. |

You install and uninstall these network components by completing the following steps:

  1. Access Network Connections in Control Panel. Afterward, select or double-click the connection with which you want to work.

  2. Click Properties.

  3. The Local Area Connection Properties dialog box shows a list of components currently installed. You can perform the following actions:

    • Disable Component. To disable a component, clear its related check box.

    • Uninstall Component. To uninstall a component, select it, and then click Uninstall. Confirm the action by clicking Yes when prompted.

    • Install Component. To install additional components, click Install. This displays the Select Network Component Type dialog box. Select the type of network component by choosing Client, Protocol, or Service and then clicking Add. Select the component to add.

Installing Optional Networking Components

You can install additional networking components through the Windows Optional Networking Components Wizard. When you install these components, Windows Server 2003 might also install utilities that the components need in order to operate. These utilities are installed in the Administrative Tools (Common) folder.

Table 16-3 provides a brief overview of optional network components you can install. The component package is the name of the component shown in the Windows Components dialog box. The individual component names are the components you can select individually through the Details button.

Table 16-3. Optional Network Components Available on Windows Server 2003

| Component Package | Individual Component Name | Description |
|---|---|---|
| Management and Monitoring Tools | Connection Manager Administration Kit | Installs tool for creating custom remote access connections that can be distributed to users |
| | Connection Point Services | Installs the Phone Book Service, which allows you to distribute phone books |
| | Network Monitor Tools | Installs network monitoring tools for analyzing network traffic |
| | Simple Network Management Protocol (SNMP) | Installs SNMP and SNMP agents |
| | WMI Providers And Components | Components used to access Windows Management Instrumentation (WMI) |
| Networking Services | Domain Name System (DNS) | Allows the computer to be configured as a DNS server |
| | Dynamic Host Configuration Protocol (DHCP) | Allows the computer to be configured as a DHCP server |
| | Internet Authentication Service | Allows authentication, authorization, and accounting of dial-up and virtual private network (VPN) users |
| | Remote Procedure Call (RPC) Over HTTP Proxy | Allows distributed COM objects to travel over Hypertext Transfer Protocol (HTTP) |
| | Simple TCP/IP Services | Installs the basic TCP/IP services Character Generator, Daytime, Discard, Echo, and Quote of the Day |
| | Windows Internet Name Service (WINS) | Allows the computer to be configured as a WINS server |
| Other Network File and Print Services | File Services For Macintosh | Enables Macintosh users to work with files on a server running Windows Server 2003 |
| | Print Services For Macintosh | Enables Macintosh users to send print jobs to a print spooler on a server running Windows Server 2003 |
| | Print Services For Unix | Enables Unix users to send print jobs to a print spooler on a server running Windows Server 2003 |

To install optional networking components, complete the following steps:

  1. Select or double-click Add Or Remove Programs in Control Panel.

  2. Click Add/Remove Windows Components. This starts the Windows Components Wizard.

  3. As shown in Figure 16-7, you can now select component packages to install. The networking components with which you might want to work are found within Management And Monitoring Tools, Networking Services, or Other Network File And Print Services.

    Figure 16-7. Use the Windows Components page to select the components to add. Click Details to select individual components.

  4. To select or cancel individual components, select a component category and then click Details. Then, select or clear the check boxes for the individual components you want to install or remove from the computer.

  5. Click OK and then click Next. The selected components are then installed.

Managing Network Connections

Network connections make it possible for computers to access remote resources. This section examines techniques you can use to create and manage network connections. Keep in mind that local area connections are created automatically when you start a computer that’s attached to a network; you don’t need to create this type of connection.

Creating Network Connections

You can configure many types of network connections. You create connections by completing the following steps:

  1. Access Network Connections in Control Panel. Afterward, click New Connection Wizard or select New Connection from the File menu.

  2. Click Next and then select the type of connection you want to make (see Figure 16-8). The available options are:

    • Connect To The Internet. Enables a computer to connect to the Internet over a dial-up or high-speed connection. After you set up a connection to an Internet service provider (ISP), you can share the connection, which allows one computer to provide access for other computers.

    • Connect To The Network At My Workplace. Enables a computer to connect to a corporate network over the Internet. The connection can be a standard dial-up connection or a VPN connection. The advantage of a VPN connection over a standard connection is that the data transferred over the connection is encrypted.

    • Set Up An Advanced Connection. Enables a computer to connect directly to another computer through a serial, parallel, or infrared port. This type of link is commonly used to synchronize a handheld computer with a PC. It can also enable a computer to access incoming calls through remote access services. If a computer accepts VPN, direct, or dial-up connections, you need to configure incoming connections as well.

    Figure 16-8. Use the Network Connection Type page to select the type of connection and then create it.

  3. The dialog boxes you see depend on the type of connection you select. Follow the onscreen prompts. When you’re done, click Finish and the connection is created.

Managing Security for Remote Access Connections

Sometimes you’ll need to configure servers so that they can access networks at branch offices or other distant locations. Any time you configure a server for this type of access, you’ll want to ensure that the identities used are validated using a secure authentication technique. Secure authentication ensures that the logon password and other vital information aren’t passed as clear text and are instead encrypted using public key encryption or another technique. With remote access connections, you can validate the logon information for connections using the following options:

  • Allow Unsecured Password. Allows the logon information to be passed in clear text over the connection. You can think of this as basic authentication.

  • Require Secured Password. Forces Windows Server 2003 to attempt to pass logon information using a secure technique, such as Windows Authentication, rather than clear text.

  • Use Smart Card. Tells Windows Server 2003 to validate the logon using a smart card.

With dial-up and broadband connections you can use any of these options. With VPN connections, you can use only the secure techniques. When you require a secured password, you can also automatically pass the Windows logon name, password, and domain specified in the configuration. Passing the Windows logon information automatically is useful when users connect to the office and must be authenticated in the Windows domain.

With both secure validation techniques you can also require data encryption and force Windows Server 2003 to disconnect if data encryption can’t be used. This setting protects the data sent over the remote connection so that it can’t be monitored.

To configure security for remote connections, follow these steps:

  1. Access Network Connections in Control Panel. Afterward, right-click the icon for the remote connection you want to work with and then select Properties. This displays a properties dialog box.

  2. Click the Security tab.

  3. In the Security Options panel, you can select typical or advanced validation options. The typical options are Allow Unsecured Password (excluding VPN connections), Require Secured Password, and Use Smart Card.

  4. If you require secure passwords, you can also set automatic logon and require data encryption. Both options are useful when logging on to a Windows domain. However, the settings must be supported. If they aren’t, users won’t be able to validate their logons and connections will fail.

If you use smart cards, you should require data encryption. Data encryption is essential to ensuring the integrity and security of the data passed between the smart card and the authenticating computer.

Checking the Status, Speed, and Activity of Local Area Connections

To check the status of a local area connection, access Network Connections in Control Panel, right-click the connection, and then select Status. This displays the Local Area Connection Status dialog box. If the connection is disabled or the media is unplugged, you won’t be able to access this dialog box. Enable the connection or connect the network cable to resolve the problem and then try to display the status dialog box again.

The General tab of this dialog box, shown in Figure 16-9, provides useful information regarding the following:

  • Status. The current connection state. You’ll typically see the status as Connected because if the state should change, Windows Server 2003 usually closes the status dialog box.

  • Duration. The amount of time the connection has been established. If the duration is fairly short, the user either recently connected to the network or the connection was recently reset.

  • Speed. The speed of the connection. This should read 10.0 Mbps for 10-Mbps connections and 100.0 Mbps for 100-Mbps connections. An incorrect setting can affect the user’s performance.

  • Packets. The number of TCP/IP packets sent and received by the connection. As the computer sends or receives packets, you’ll see the computer icons light up to indicate the flow of traffic.

Figure 16-9. The General tab of the Local Area Connection Status dialog box provides access to summary information regarding connections, properties, and support.

Viewing Network Configuration Information

In Windows Server 2003, you can view the current configuration for network adapters in several ways. To view configuration settings using the Local Area Connection Status dialog box, follow these steps:

  1. Access Network Connections in Control Panel. Afterward, right-click the connection you want to examine and then select Status.

  2. Click the Support tab, shown in Figure 16-10. The fields of the Internet Protocol (TCP/IP) panel provide basic information about the connection, including address type (Manually Configured, Assigned By DHCP, or Autoconfigured), IP address, subnet mask, and default gateway.

    Figure 16-10. Use the Support tab to obtain information on the current configuration of a local area connection.

  3. For more detailed information, click Details. This displays the Network Connection Details dialog box in which you’ll find the basic information fields and the following information:

    • Physical Address. The machine or Media Access Control (MAC) address of the network adapter. This address is unique for each network adapter.

    • DHCP Server. The IP address of the DHCP server from which the current lease was obtained.

    • DNS Servers. The DNS server IP addresses.

    • Primary WINS Server. The IP address for the primary WINS server.

    • Secondary WINS Server. The IP address for the secondary WINS server.

    • Lease Obtained. A date and time stamp for when the DHCP lease was obtained.

    • Lease Expires. A date and time stamp for when the DHCP lease expires.

You can also use the Ipconfig command-line utility to view detailed configuration settings. To do so, follow these steps:

  1. Click Start and select Run. In the Run dialog box, type cmd in the Open text box and then click OK. This starts a command prompt.

  2. At the command line, type ipconfig /all to see detailed configuration information for all network adapters configured on the computer.

Duplicating Network Connections

Before you make changes that might invalidate a connection, you might want to create a copy of the existing connection. Right-click the connection and then select Create Copy. You can create copies only of connections you create and not LAN connections.

Enabling and Disabling Network Connections

Windows Server 2003 creates and connects LAN connections automatically. If you want to disconnect from the network or start another connection, you can complete the following steps:

  1. Access Network Connections in Control Panel.

  2. Right-click the connection you want to disable and then select Disconnect or Disable to deactivate the connection.

  3. Later, if you want to activate the connection, you can right-click it and then select Connect or Enable.

Deleting Network Connections

If they aren’t needed anymore, you can delete network connections that you created. To do that, follow these steps:

  1. Access Network Connections in Control Panel.

  2. Right-click the connection you want to remove and then select Delete. When prompted, confirm the action by clicking Yes.

Note

You can’t delete a LAN connection. Windows Server 2003 manages this connection.

Renaming Local Area Connections

Windows Server 2003 assigns default names for local area connections initially. You can rename the connections at any time by right-clicking the connection, selecting Rename, and then typing a new connection name in the Rename text box. If a computer has multiple local area connections, proper naming can help users better understand the purpose of a particular connection.

Repairing Local Area Connections

Occasionally, network cables can get unplugged or the network adapter might experience a problem that temporarily prevents it from working. After you plug the cable back in or solve the adapter problem, the connection should automatically reconnect. If it doesn’t, right-click the connection and select Repair. Repairing the connection can sometimes resolve connection problems.

Note

If the repair operation doesn’t work, see the next section of this chapter, "Troubleshooting and Testing Network Settings."

Troubleshooting and Testing Network Settings

Windows Server 2003 includes many tools for troubleshooting and testing TCP/IP connectivity. This section looks at a few basic tests that you should perform every time you install or modify a computer’s network settings. It then goes on to examine techniques for performing more thorough troubleshooting.

Performing Basic Network Tests

Whenever you install a new computer or make configuration changes to the computer’s network settings, you should test the configuration. The most basic TCP/IP test is to use the Ping utility to test the computer’s connection to the network. Ping is a command-line utility and is used as follows:

ping host

where host is the host computer you’re trying to reach.

On Windows Server 2003, there are several ways to test the configuration using Ping:

  • Try to ping IP addresses. If the computer is configured correctly and the host you’re trying to reach is accessible to the network, Ping should receive a reply. If it can’t reach the host, Ping will time out.

  • On domains that use WINS, try to ping NetBIOS computer names. If NetBIOS computer names are resolved correctly, the NetBIOS facilities, such as WINS, are correctly configured for the computer.

  • On domains that use DNS, try to ping DNS host names. If fully qualified DNS host names are resolved correctly, DNS name resolution is configured properly.

You might also want to test network browsing for the computer. If the computer is a member of a Windows Server 2003 domain and computer browsing is enabled throughout the domain, log on to the computer and then use Windows Explorer or My Network Places to browse other computers in the domain. Afterward, log on to a different computer in the domain and try to browse the computer you just configured. These tests tell you if the DNS resolution is being handled properly in the local environment. If you can’t browse, check the configuration of the DNS services and protocols.

Releasing and Renewing DHCP Settings

DHCP servers can assign many network configuration settings automatically. These include IP addresses, default gateways, primary and secondary DNS servers, primary and secondary WINS servers, and more. When computers use dynamic addressing, they’re assigned a lease on a specific IP address. This lease is good for a specific time period and must be renewed periodically. When the lease needs to be renewed, the computer contacts the DHCP server that provided the lease. If the server is available, the lease is renewed and a new lease period is granted. You can also renew leases manually as necessary on individual computers or using the DHCP server itself.

Problems can occur during the lease assignment and renewal process that prevent network communications. If the server isn’t available and can’t be reached before a lease expires, the IP address can become invalid. If this happens, the computer might use the alternate IP address configuration to set an alternate address, which usually has settings that are inappropriate and prevent proper communications. To resolve this problem, you’ll need to release and then renew the DHCP lease.

Another type of problem occurs when users move around to various offices and subnets within the organization. While moving from location to location, their computers might obtain DHCP settings from the wrong server. When the users return to their offices, the computer might seem sluggish or might perform incorrectly due to the settings assigned by the DHCP server at another location. If this happens, you’ll need to release and then renew the DHCP lease.

You can use the Ipconfig command-line utility to renew and release settings by following these steps:

  1. Click Start and select Run. Type cmd in the Open text box of the Run dialog box and then click OK. This starts a command prompt.

  2. To release the current settings, type ipconfig /release at the command line. Then renew the lease by typing ipconfig /renew.

  3. To renew a DHCP lease, type ipconfig /renew at the command line.

  4. You can check the updated settings by typing ipconfig /all at the command line.
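The check in step 4 can be automated when many computers need review. The following Python script is an added example, not part of the original chapter: it parses saved ipconfig /all output and flags adapters that took a lease from a DHCP server outside an approved list, were handed DNS servers outside that list, or fell back to an autoconfigured 169.254.x.x address. The sample output, host names, and approved server addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG_ALL = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : corpserver01
   Primary Dns Suffix  . . . . . . . : example.test

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Fast Ethernet Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.10.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.20.5
   DNS Servers . . . . . . . . . . . : 192.168.20.5
                                       192.168.20.6

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.17.203
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# "Label . . . . : value" lines; the label itself never contains '.' or ':'.
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")
# Automatic private addressing range used when no DHCP lease is available.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig_all(text):
    """Return {adapter name: {field label: [values]}} for each adapter section."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line ending in ':' opens an adapter section.
            if line.rstrip().endswith(":"):
                current = sections.setdefault(line.rstrip()[:-1], {})
            last = None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last = current.setdefault(m.group(1).strip(), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif last is not None:
            # Indented line without a label: extra value for the previous field.
            last.append(line.strip())
    return sections


def is_autoconfigured(addr):
    try:
        return ipaddress.ip_address(addr) in LINK_LOCAL
    except ValueError:
        return False


def audit(text, approved_dhcp, approved_dns):
    """Return (adapter, finding) tuples; approved_* are site-specific sets."""
    findings = []
    for adapter, fields in parse_ipconfig_all(text).items():
        for server in fields.get("DHCP Server", []):
            if server not in approved_dhcp:
                findings.append((adapter, "unapproved DHCP server " + server))
        for server in fields.get("DNS Servers", []):
            if server not in approved_dns:
                findings.append((adapter, "unapproved DNS server " + server))
        addrs = fields.get("IP Address", []) + fields.get("Autoconfiguration IP Address", [])
        for addr in addrs:
            if is_autoconfigured(addr):
                findings.append((adapter, "autoconfigured address " + addr))
    return findings


if __name__ == "__main__":
    # Hypothetical approved servers for the subnet this computer belongs to.
    for adapter, finding in audit(SAMPLE_IPCONFIG_ALL,
                                  {"192.168.10.5"},
                                  {"192.168.10.5", "192.168.10.6"}):
        print(adapter + ": " + finding)
```

Any adapter the script reports is a candidate for ipconfig /release followed by ipconfig /renew.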

Registering and Flushing DNS

The DNS resolver cache maintains a history of DNS lookups that have been performed when a user accesses network resources using TCP/IP. This cache contains forward lookups, which provide host name to IP address resolution, and reverse lookups, which provide IP address to host name resolution. Once a DNS entry is stored in the resolver cache for a particular DNS host, the local computer no longer has to query external servers for DNS information on that host. This allows the computer to resolve DNS requests locally, which provides a quicker response.

How long entries are stored in the resolver cache depends on the Time to Live (TTL) value assigned to the record by the originating server. To view current records and see the remaining TTL value for each record, type ipconfig /displaydns at the command line. These values are given as the number of seconds that a particular record can remain in the cache before it expires. The local computer is continually counting down these values. When the TTL value reaches zero, the record expires and is removed from the resolver cache.

Occasionally, you’ll find that the resolver cache needs to be cleared out to remove old entries and allow computers to check for updated DNS entries before the normal expiration and purging process takes place. Typically, this happens because server IP addresses have changed and the current entries in the resolver cache point to the old addresses rather than the new ones. Sometimes the resolver cache itself can get out of sync, particularly when DHCP has been misconfigured.

Real World

Skilled administrators know that they should start to decrease the TTL values for DNS records that are going to be changed several weeks in advance of the actual change. Typically, this means reducing the TTL from a number of days (or weeks) to a number of hours, which allows for quicker propagation of the changes to computers that have cached the related DNS records. Once the change is completed, administrators should restore the original TTL value to reduce renewal requests.

You can usually resolve problems with the DNS resolver cache by either flushing the cache or reregistering DNS. When you flush the resolver cache, all DNS entries are cleared out of the cache and new entries aren’t created until the next time the computer performs a DNS lookup on a particular host or IP address. When you reregister DNS, Windows Server 2003 attempts to refresh all current DHCP leases and then performs a lookup on each DNS entry in the resolver cache. By looking up each host or IP address again, the entries are renewed and reregistered in the resolver cache. You’ll generally want to flush the cache completely and allow the computer to perform lookups as needed. Reregister DNS only when you suspect that there are problems with DHCP and the DNS resolver cache.

To flush or register DNS entries using Ipconfig, complete the following tasks:

  1. Click Start and select Run. Type cmd in the Open text box of the Run dialog box and then click OK. This starts a command prompt.

  2. To clear out the resolver cache, type ipconfig /flushdns at the command line.

  3. To renew DHCP leases and reregister entries, type ipconfig /registerdns at the command line.

  4. When the tasks are complete, you can check your work by typing ipconfig /displaydns at the command line.
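To decide whether a flush is needed after server addresses change, you can compare the cache against the addresses you expect. The following Python script is an added example, not part of the original chapter: it parses saved ipconfig /displaydns output and lists cached host records that still point to an old address, along with the seconds remaining before each would expire on its own. The sample output, host names, and expected addresses are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /displaydns` output (not from a real host).
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

         intranet.example.test
         ----------------------------------------
         Record Name . . . . . : intranet.example.test
         Record Type . . . . . : 1
         Time To Live  . . . . : 85012
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 192.168.10.20

         mail.example.test
         ----------------------------------------
         Record Name . . . . . : mail.example.test
         Record Type . . . . . : 1
         Time To Live  . . . . : 240
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 192.168.10.30

         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 586304
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost
"""

# "Label . . . : value" lines; entry headers and dashed rules have no ':'.
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")
TYPE_A = 1  # DNS record type number for a host (A) record


def parse_displaydns(text):
    """Return one dict per cached record: name, type, ttl (seconds), data."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Record Name":
            # Each "Record Name" line starts a new cached record.
            records.append({"name": value.rstrip(".").lower()})
        elif records:
            rec = records[-1]
            if key == "Record Type":
                rec["type"] = int(value)
            elif key == "Time To Live":
                rec["ttl"] = int(value)
            elif key.endswith("Record"):
                # "A (Host) Record", "PTR Record", and similar data lines.
                rec["data"] = value
    return records


def stale_entries(text, expected):
    """Return (name, cached, expected, ttl) for A records that disagree with
    `expected`, a hypothetical {host name: current address} change list."""
    stale = []
    for rec in parse_displaydns(text):
        want = expected.get(rec["name"])
        if rec.get("type") == TYPE_A and want and rec.get("data") != want:
            stale.append((rec["name"], rec["data"], want, rec.get("ttl")))
    return stale


if __name__ == "__main__":
    changes = {"intranet.example.test": "192.168.10.25",
               "mail.example.test": "192.168.10.30"}
    for name, cached, want, ttl in stale_entries(SAMPLE_DISPLAYDNS, changes):
        print("%s cached as %s, expected %s, expires in %s s"
              % (name, cached, want, ttl))
```

A stale entry with a large remaining TTL is the case where ipconfig /flushdns is worth running rather than waiting for the record to expire.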

Performing Detailed Network Diagnostics

Few things are more complicated than trying to troubleshoot network problems. Because there are so many interdependencies between services, protocols, and configuration settings, finding the problem area can be difficult. Fortunately, Windows Server 2003 includes a powerful network diagnostics toolkit for pinpointing network problems that relate to the following:

  • General network connectivity problems

  • Internet service settings for e-mail, newsgroups, and proxies

  • Settings for modems, network clients, and network adapters

  • DNS, DHCP, and WINS configuration

  • Default gateways and IP addresses

You can, for example, use the network diagnostics toolkit to find out quickly that a network adapter has failed or that another computer is using the IP address you’ve configured for the current system. To run the diagnostics tests using the default setup, follow these steps:

  1. Click Start and then select Help And Support. This starts the Help And Support Center.

  2. Under Support Tasks, click Tools. Afterward, in the left pane, expand the Help And Support Center Tools node and then select Network Diagnostics.

  3. Click Scan Your System to start the testing.

During testing, the Help And Support Services console is displayed with a progress bar showing the progress and status of the diagnostics tests. Default tests that are conducted include:

  • Ping tests to determine if the network is reachable

  • Connectivity tests over the configured modems and network adapters

  • Internet service tests for e-mail, newsgroups, and proxies

The tests also return information about the computer system, operating system configuration, and operating system version.

When complete, you’ll see the results of the testing, as shown in Figure 16-11. As you examine the results, look for items that are labeled Not Configured or Failed, as these might point to problem areas. If you see items with these or other labels that indicate problems, click the plus sign (+) to the left of the entry to examine the related diagnostics information.

Figure 16-11. Use network diagnostics to pinpoint network configuration problems.

Continue to navigate through the information provided until you find the problem area. For example, on a test system, the DNS server entries were misconfigured and the servers were unreachable. The failure to ping the DNS servers showed up as a failure of the primary network adapter. When I expanded the adapter entry, the DNSServerSearchOrder entry was flagged as Failed. By continuing to expand the entries, I found that the computer was unable to send packets to the DNS servers because the primary and secondary DNS server IP addresses were set incorrectly on the DHCP server. After updating the settings on the DHCP server and renewing the DHCP lease, the computer was again able to resolve DNS properly.

If you want to conduct more extensive testing, click Set Scanning Options and then select the check boxes for additional test actions and categories, such as Domain Name System, Dynamic Host Configuration Protocol, and Default Gateways. Then rerun the diagnostics tests by clicking Start. Note any problems and resolve them as necessary. At a command line, you can use NETSH DIAG to get detailed diagnostic output of the networking configuration as well. Be sure to use the /V parameter and redirect the output to a file for easy review as shown here:

netsh diag show all /v > netconfig.txt

When troubleshooting networking configurations of domain controllers, I also recommend running DCDIAG, a tool for diagnosing a variety of common problems on domain controllers. This tool is available when you install the Windows Support Tools on a computer. To run this tool from a command prompt while logged on to the domain controller you are troubleshooting, simply type dcdiag.
