MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, part 2 (docx)


255_70_293_ch02.qxd 9/10/03 10:58 AM Page 59 Planning Server Roles and Server Security • Chapter 2
www.syngress.com

EXAM WARNING

A server without AD installed on it can still deliver a variety of services, file storage, and access to other resources. However, until AD is installed, the server cannot authenticate domain users or provide the other functions of a domain controller. Once AD is installed, the member server ceases to be a member server and becomes a domain controller.

A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a tool that promotes a member server to domain controller status. During the installation, a writable copy of the AD database is placed on the server's hard disk. The file used to store directory information is called NTDS.dit and, by default, is located in %systemroot%\NTDS. When changes are made to the directory, they are saved to this file. Because this file holds the password hashes of every account in the domain, anyone who obtains it (through physical access to the server, or from an unprotected backup) effectively controls the domain, so plan the physical and backup security of domain controllers accordingly.

Each domain controller retains its own copy of the directory, containing information about the domain in which it is located. If one domain controller becomes unavailable, users and computers can still access the AD data store on another domain controller in that domain. This allows users to continue logging on to the network, even though the domain controller that is normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down.

Because a domain can have more than one domain controller, changes made to the directory on one domain controller must be updated on the others. The process of copying these updates is called replication, which is used to synchronize information in the directory. Without replication, features in AD would fail to function properly. For example, if you added a user on one domain controller, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still could not log on through other domain controllers until the account was replicated. When a change is made on one domain controller, it needs to be replicated so that every domain controller continues to have an accurate copy of AD. This type of replication is called multi-master, because each domain controller contains a full read/write copy of the AD database.

Operations Master Roles

By default, all domain controllers are relatively equal. However, there are still some operations that need to be performed by a single domain controller in the domain or forest. To address these, Microsoft created the concept of operations masters. Operations masters serve many purposes. Some control where components of AD can be modified; others store specific information that is key to the healthy function of AD at the domain level. Because only one domain controller in a domain or forest fulfills a given role, these roles are also referred to as Flexible Single Master Operations (FSMO) roles.

Some FSMO roles are unique to each domain; others are unique to the forest. A forest is one or more domain trees that share a common schema, Global Catalog, and configuration information. The schema is used to define which types of objects (classes) and attributes can be used in AD. Without it, AD would have no way of knowing what objects can exist in the directory or what attributes apply to each object. The Global Catalog is a subset of information from AD. It stores a copy of all objects in its host domain, as well as a partial copy of objects in all of the other domains in the forest.

There are five different types of master roles, each serving a specific purpose. Two of these master roles are applied at the forest level (forest-wide roles), and the others are applied at the domain level (domain-wide roles). The following are the forest-wide operations master roles:

- Schema master: A domain controller that is in charge of all changes to the AD schema. As mentioned, the schema determines which object classes and attributes are used within the forest. If additional object classes or attributes need to be added, the schema is modified to accommodate these changes. The schema master is used to write to the directory's schema, which is then replicated to other domain controllers in the forest. Updates to the schema can be performed only on the domain controller acting in this role.

- Domain naming master: A domain controller that is in charge of adding new domains to the forest and removing unneeded ones from it. It is responsible for any changes to the domain namespace. This role prevents naming conflicts, because such changes can be performed only if the domain naming master is online.

In addition to the two forest-wide master roles, there are three domain-wide master roles: relative ID (RID) master, primary domain controller (PDC) emulator, and infrastructure master. These roles are described in the following sections.

Relative ID Master

The relative ID master is responsible for allocating sequences of numbers (called relative IDs, or RIDs) that are used in creating new security principals in the domain. Security principals are user, group, and computer accounts. These numbers are issued to all domain controllers in the domain. When an object is created, a number that uniquely identifies the object is assigned to it. This number consists of two parts: a domain security ID (or the computer's SID, if a local user or group account is being created) and a RID. Together, the domain SID and the RID combine to form the object's unique SID. The domain SID is the same for all objects in that domain; the RID is unique to each object. Instead of using the name of a user, computer, or group, Windows uses the SID to identify and reference security principals. Because permissions are granted to SIDs rather than to names, an account that is deleted and re-created with the same name receives a new SID and none of the old account's access. To avoid the possibility of two domain controllers issuing the same number to different objects, only one RID master exists in a domain. It controls the allocation of blocks of RIDs to each domain controller, and each domain controller then assigns RIDs from its block to objects as they are created.

PDC Emulator

The primary domain controller (PDC) emulator is designed to act like a Windows NT PDC when the domain is in Windows 2000 mixed mode. This is necessary if Windows NT backup domain controllers (BDCs) still exist on the network. Clients earlier than Windows 2000 also use the PDC emulator for processing password changes, though installation of the AD client software on these systems enables them to change their password on any domain controller in the domain to which they authenticate. The PDC emulator also synchronizes the time on all domain controllers in the domain. For replication accuracy, and for Kerberos authentication, which rejects requests whose timestamps fall outside the permitted clock skew, it is critical for all domain controllers to have synchronized time.

Even if you do not have any servers running as BDCs on the network, the PDC emulator still serves a critical purpose in each domain. The PDC emulator receives preferred replication of all password changes performed on other domain controllers within the domain. When a password is changed on a domain controller, it is sent to the PDC emulator. If a user changes his or her password on one domain controller, and then attempts to log on to another, the second domain controller may still have the old password information. Because this domain controller considers it a bad password, it forwards the authentication request to the PDC emulator to determine whether the password is actually valid. In addition, the PDC emulator initiates urgent replication so that the password change can propagate as soon as possible. Urgent replication is also used for other security-sensitive replication traffic, such as account lockouts. This operations master is by far the most critical at the domain level.
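The way a domain SID and a RID combine into a principal's SID, as described under Relative ID Master above, shown as an added Python example. This is not code from the book: the domain SID is constructed for illustration, and the well-known RIDs listed are the documented Windows values (500 Administrator, 512 Domain Admins, and so on).

```python
"""Added example (not from the book): domain SID + RID -> object SID,
in both the string form shown by tools and the binary form stored in
security descriptors and access tokens."""
import struct

# Constructed, not a real domain. A domain SID has the form
# S-1-5-21-<three 32-bit sub-authorities>; every object in the domain shares it.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

# Well-known RIDs that every domain has (documented Windows values).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}
FIRST_NON_BUILTIN_RID = 1000  # RIDs from here up are handed out by the RID master


def parse_sid(sid):
    """Split 'S-<rev>-<authority>-<sub>-<sub>-...' into its numeric parts."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2], 0)       # decimal, or 0x... for authorities > 2**32
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauths) > 15:
        raise ValueError("invalid SID: %r" % sid)
    return revision, authority, subauths


def make_sid(domain_sid, rid):
    """Domain SID + RID -> object SID: the RID becomes one more sub-authority."""
    rev, auth, subs = parse_sid(domain_sid)
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("RID must be an unsigned 32-bit value")
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs + [rid]))


def split_sid(sid):
    """Object SID -> (domain SID, RID): the RID is the last sub-authority."""
    rev, auth, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID has no domain part: %r" % sid)
    domain = "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def sid_to_bytes(sid):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as a little-endian 32-bit integer."""
    rev, auth, subs = parse_sid(sid)
    head = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data):
    """Inverse of sid_to_bytes, with a length check against truncated input."""
    rev, count = struct.unpack_from("<BB", data, 0)
    auth = int.from_bytes(data[2:8], "big")
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated binary SID")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))


def describe(sid):
    """(domain SID, RID, what the RID tells you about the account)."""
    domain, rid = split_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        kind = WELL_KNOWN_RIDS[rid]
    elif rid >= FIRST_NON_BUILTIN_RID:
        kind = "allocated by the RID master"
    else:
        kind = "reserved"
    return domain, rid, kind


if __name__ == "__main__":
    for rid in (500, 512, 1104):
        s = make_sid(DOMAIN_SID, rid)
        print(s, describe(s), sid_to_bytes(s).hex())
```

Two things worth noticing when you run it: every SID printed shares the same domain prefix and differs only in the final sub-authority, which is exactly why the RID master must be the single source of RID blocks; and the built-in Administrator is recognisable by RID 500 whatever it has been renamed to, which is why renaming that account does not hide it.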
For this reason, the PDC emulator should be placed carefully on your network and housed on a high-availability, high-capacity server.

Infrastructure Master

The infrastructure master is in charge of keeping references to objects in other domains up to date. When a user from another domain is a member of a group in this domain, and that user is renamed or moved, it may take time for the change to be reflected in the group's membership list. To remedy this, the infrastructure master compares its cross-domain references to the Global Catalog, which is a subset of directory information for all domains in the forest and contains information on groups. The Global Catalog stores information on universal group memberships, in which users from any domain can be added and allowed access to any domain, and maps the memberships users have to specific groups. When the infrastructure master finds a reference that is out of date, it updates its group-to-user references and replicates these changes to other domain controllers in the domain. One placement rule to remember: the infrastructure master stops doing this work if it is hosted on a domain controller that is also a Global Catalog server, unless every domain controller in the domain is a Global Catalog server (in which case the role has nothing left to correct).

TEST DAY TIP

FSMO roles are an important part of a domain controller's function on a network. FSMO roles that are unique to a forest affect all domains within that forest. FSMO roles that are unique to a domain apply only to that domain. There is only one schema master and one domain naming master in a forest. There is only one RID master, PDC emulator, and infrastructure master in a domain.

File and Print Servers

Two of the basic functions in a network are saving files in a central location on the network and printing the contents of files to shared printers. Each of these functions is vital to most environments. Most organizations require users to be able to save their work to a shared location on the network and to print hard copies of it for others to review and/or retain. When file server or print server roles are configured in Windows Server 2003, additional functions become available that make using and managing the server more effective.

Print Servers

Print servers are used to provide access to printers across the network. A benefit of print servers for administrators is that they provide an added level of manageability for network printing. Print servers allow you to control when print devices can be used by allowing you to schedule the availability of printers, set priority for print jobs, and configure printer properties. Using a browser, an administrator can also view, pause, resume, and/or delete print jobs.

By configuring Windows Server 2003 in the role of a print server, you can manage printers remotely through the GUI and by using Windows Management Instrumentation (WMI). WMI is a management application programming interface (API) that allows you to monitor and control printing. Using WMI, an administrator can manage components like print servers and print devices from a command line.

Print servers also provide alternative methods of printing to specific print devices. Users working at machines running Windows XP can print to specific printers by using a Uniform Resource Locator (URL). If you've used the Internet, you're probably already familiar with URLs. A URL is the address that is entered to access a Web site. Using URLs, other resources can also be accessed from remote locations, such as printers offered by Windows Server 2003 print servers.

File Servers

File servers are used to provide access to files that are stored on the server's hard disks. Users are able to store files in a centralized location, rather than on their local hard disks, and share them with other users. When a file is saved to a volume on a file server, clients who have access to the directory in which the file was saved can access it remotely from the server. This type of server is also important when multiple employees use network-accessible applications. In such cases, data may need to be saved from the application to a shared database, spreadsheet, or other type of file.

Administrators benefit from file servers by being able to manage disk space, control access, and limit the amount of space that is made available to individual users. If NTFS volumes are used, disk quotas can be set to limit the amount of space available to each user. This prevents users from filling the hard disk with superfluous data or older information that may no longer be needed.

In addition to these features, a file server also provides other functionality that offers security and availability of data. File servers with NTFS volumes have the Encrypting File System (EFS) available, so that data can be encrypted using a public-key system. This makes it difficult for unauthorized users to read the data, while remaining transparent to authorized users. Keep in mind that EFS protects files at rest on the NTFS volume only: the data is decrypted before it crosses the network to a client, and a file copied to a FAT volume is written in the clear. To make it easier for users to access shared files, the Distributed File System (DFS) can be used, which allows data that is located on servers throughout the enterprise to be accessible from a single shared folder. When DFS is used, files stored on different volumes, shares, or servers appear as if they reside in the same location. This makes it easier for users to find the data they need, because they do not need to search through multiple locations to access the files they are permitted to use.

DHCP, DNS, and WINS Servers

The roles of DHCP, DNS, and WINS servers are used for uniquely identifying computers and finding them on the network. A DHCP server issues a unique number called an IP address to a computer. DNS and WINS servers resolve this number to and from user-friendly names that are easier for users to deal with. With Windows Server 2003 acting as a DHCP, DNS, and/or WINS server, clients can be automatically issued a number that distinguishes them on the network, and find other machines and devices more effectively.

DHCP Servers

DHCP is the Dynamic Host Configuration Protocol, and it is used to issue IP addresses to clients on networks using the Transmission Control Protocol/Internet Protocol (TCP/IP). An IP address is a number that uniquely identifies a client when sending or receiving packets of data. When information is sent across the network, the data is broken up into smaller packets, which are reassembled by the receiver. Each packet contains the IP address of the sender and the IP address of the intended receiver. This is similar to a letter with an address of who should receive the message and a return address of who sent it. Because no two computers on a network can have the same IP address at the same time, assigning these addresses to clients is an important responsibility.

IP addresses can be assigned statically, so that each computer always uses the same IP address. Allocating addresses in this way can result in mistakes and is difficult to track consistently. Many enterprises use static IP addresses only for their servers and network infrastructure equipment (switches, routers, and so on). Dynamic addresses are used for all clients.

Dynamic addresses are assigned using DHCP. When an IP address is dynamically assigned, the client contacts the DHCP server for an IP address. The DHCP server responds by issuing an IP address from a pool of available addresses stored in a database, as well as any configuration information (such as the IP addresses of the default gateway, DNS server, and WINS server) that is needed by the client. Because a client accepts whichever DHCP server answers it first, a rogue DHCP server on the same subnet can hand out a malicious default gateway or DNS server. In an AD domain, a Windows Server 2003 DHCP server must be authorized in AD before it will serve addresses, which stops an accidental Windows DHCP server but does not stop a non-Windows one.

When a DHCP server allocates an IP address to the client, it is for a limited amount of time, called a lease. Because there are only so many IP addresses available in a pool, they are often recycled between computers. This can happen if a client is shut off for an extended period of time, or if it is a laptop that is assigned to a user who is typically on the road and away from the office. For this reason, when a DHCP lease expires, the DHCP server is free to issue the IP address to other clients.

DNS Servers

Because remembering a series of numbers can be difficult, methods have been created to resolve IP addresses to user-friendly names and vice versa. Imagine trying to remember what Web site or computer the IP address 192.168.10.250 represented on a network, in addition to all the other IP addresses you would need to remember for other sites and computers. To remedy this situation, name resolution is used, so users can enter a name that is translated to a corresponding IP address.

The Domain Name System (DNS) is a popular method of name resolution that is used on the Internet and other TCP/IP networks. AD is integrated with DNS, and it uses DNS servers to allow users, computers, applications, and other elements of the network to easily find domain controllers and other resources on the network. DNS is a hierarchical, distributed database that maps user-friendly domain names (like syngress.com) to IP addresses. When a user enters a DNS name into a browser or other application, it is sent to a DNS server, which looks up the IP address for that domain. This IP address is sent back to the client, which uses the numeric address to locate and communicate with the computer at this address.

Figure 2.4 illustrates name resolution using DNS. In this example, a user wants to connect with the syngress.com domain. As shown in step 1 of this figure, because machines use IP addresses to locate and communicate with each other on a TCP/IP network, the client contacts the DNS server and requests the IP address of syngress.com. In step 2, the DNS server checks its database to find the IP address that maps to this particular domain name. After finding it, step 3 is performed, and the DNS server sends the information back to the client, informing it that the IP address of syngress.com is 209.164.15.58. Now that the client has this information, the client performs step 4, by connecting to syngress.com using the numeric address.

Figure 2.4 Name Resolution Using DNS
Step 1: Client requests the IP address of syngress.com from the DNS server.
Step 2: DNS server checks its database of IP addresses and finds an address that maps to syngress.com.
Step 3: DNS server returns that syngress.com = 209.164.15.58.
Step 4: Client establishes communication with the IP address 209.164.15.58.

WINS Servers

The Windows Internet Name Service (WINS) is another method of name resolution that resolves IP addresses to NetBIOS names, and vice versa. NetBIOS names are used by pre-Windows 2000 servers and clients, and they allow users of those operating systems to log on to Windows Server 2003 domains. They are supported in Windows Server 2003 for backward compatibility with these older systems. By implementing a WINS server, you allow clients to search for computers and other resources by computer name, rather than by IP address.

WINS is similar to DNS in that user-friendly names are mapped to IP addresses within a database. When clients attempt to connect to a computer or resource using its NetBIOS name, they can send a request to a WINS server to provide the IP address of that resource. The WINS server searches its database for the name-to-address mapping and returns the IP address to the requesting client. Once the client has this address, it can connect to and communicate with the computer or resource.

Web Servers

Web servers allow organizations to host their own Web sites on the Internet or a local intranet. An intranet is a local area network (LAN) that uses the same technologies that are used on the Internet, so that users can access Web pages and other resources using Web browsers and other Web-enabled applications.
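Before leaving name resolution, here is the DNS exchange from Figure 2.4 at the wire level (RFC 1035 message format), as an added Python example that is not code from the book. The client side builds the step 1 query and validates the step 3 reply; the reply itself is constructed locally so the example runs offline. The name and the answer 209.164.15.58 come from the figure; the transaction ID, TTL and header flags are assumptions.

```python
"""Added example, not code from the book: the Figure 2.4 exchange as DNS
messages. The response is constructed here so the code runs offline."""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'syngress.com' -> length-prefixed labels: 8 'syngress' 3 'com' 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, txid=None):
    """Step 1: header (ID, RD=1, one question) followed by the question section."""
    if txid is None:
        txid = secrets.randbelow(0x10000)     # unpredictable ID resists blind spoofing
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def parse_response(msg, expected_id, expected_name):
    """Step 3 on the client: accept addresses only if the reply matches our question."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack_from(">HH", msg, off)
    off += 4
    if qd != 1 or qname.lower() != expected_name.lower() or (qtype, qclass) != (TYPE_A, CLASS_IN):
        raise ValueError("question section does not match what we asked")
    addrs = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4) and rname.lower() == expected_name.lower():
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(txid, name, ip):
    """Steps 2 and 3 on the server side: the reply a DNS server would send (constructed here)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1, one answer
    question = encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 3600, 4) + rdata
    return header + question + answer


def resolve_offline(name, ip):
    """The whole exchange: query -> (constructed) reply -> validated list of addresses."""
    txid, _query = build_query(name)
    return parse_response(constructed_response(txid, name, ip), txid, name)


if __name__ == "__main__":
    print(resolve_offline("syngress.com", "209.164.15.58"))   # step 4 would connect to this address
```

The checks in parse_response are the point of the example: a resolver that skips the transaction-ID and question-section comparison will accept any UDP datagram that arrives on its port as the answer, which is the basis of DNS response spoofing. Real resolvers also randomize the UDP source port, which the example leaves to the operating system.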
Implementing a Web server in an organization allows users to benefit by accessing information, downloading files, and using Webbased applications Web Server Protocols Microsoft’s Windows Server 2003 Web server product is Internet Information Services (IIS) 6.0, which is included with Windows Server 2003 IIS allows users to access information using a number of protocols that are part of the TCP/IP suite, including the following: I Hypertext Transfer Protocol (HTTP) Used by the World Wide Web Publishing service in IIS Allows users to access Web pages using a Web browser like Internet Explorer or other Web-enabled applications By connecting to sites created on your Web server, users can view and work with Web pages written in the Hypertext Markup Language (HTML), Active Server Pages (ASP), and Extensible Markup Language (XML).This allows users to not only view static information, but also to benefit from Web-based programs I File Transfer Protocol (FTP) Used for transferring files between clients and servers Using this service, clients can copy files to and from FTP sites using a Web browser like Internet Explorer or other FTP client software By using such software, clients can browse through any folders they have access to on the FTP site, and they can access any files they have permissions to use I Network News Transfer Protocol (NNTP) Used for newsgroups, which are also called discussion groups.The NNTP service in IIS allows users to post news messages Other users can browse through messages stored on the server, respond to existing messages, and post new ones using a newsreader program For example, a group of users could have a discussion group that deals with a certain project, so that members of the team can exchange ideas and discuss problems in a forum that can be viewed by all members of the group Another group could also be created that allows employees to post messages regarding items for sale, charitable events, or other things that you might see on a 
typical bulletin board NNTP allows organizations to incorporate such message groups into the way that employees exchange information with one another I Simple Mail Transfer Protocol (SMTP) Used to provides e-mail capabilities (as described in the discussion of the mail server role later in this chapter).The SMTP service that is installed with IIS isn’t a full e-mail service, but provides limited services for transferring e-mail messages Using this service,Web developers can collect information from users of a Web site, such as having them fill out a form online Rather than storing the results of the form locally in a file, the information can be e-mailed using this service www.syngress.com 255_70_293_ch02.qxd 9/10/03 10:58 AM Page 67 Planning Server Roles and Server Security • Chapter Web Server Configuration Although a Web server can facilitate a company’s ability to disseminate information, it isn’t an actual role that is configured using the Configure Your Server Wizard It is installed as part of the application server role, which we’ll discuss later in this chapter.The Configure Your Server Wizard provides an easy, step-by-step method of configuring Web servers through the application server role; however, it isn’t the only way to install IIS.You can also install IIS through the Add or Remove Programs applet in the Windows Control Panel Using Add or Remove Programs to install IIS takes a few extra steps, but it allows you to perform the installation without installing other services and features available through the application server role.To use Add or Remove Programs to install IIS, follow these steps: Select Start | Control Panel | Add or Remove Programs Click the Add/Remove Windows Components icon to display the Windows Components Wizard, which provides a listing of available components to install In the list, select Application Server and click the Details button to view the Application Server dialog box, shown in Figure 2.5 Figure 2.5 Installing IIS 
through the Application Server Dialog Box in the Windows Components Wizard The Application Server dialog box contains a number of subcomponents.To install IIS, select the check box for Internet Information Services (IIS), and either click OK to install the default components or click Details to view even more subcomponents that can be installed within IIS When you’ve made your selections, click OK to return to the Windows Components Wizard www.syngress.com 67 255_70_293_ch02.qxd 68 9/10/03 10:58 AM Page 68 Chapter • Planning Server Roles and Server Security Click Next to have Windows make the configuration changes you requested from your selection Once the Wizard has finished copying the necessary files and changing system settings, click Finish to complete the installation process and exit the Wizard Database Servers Database servers are used to store and manage databases that are stored on the server and to provide data access for authorized users.This type of server keeps the data in a central location that can be regularly backed up It also allows users and applications to centrally access the data across the network A large number of the databases used in your organization can be kept on one server or a group of servers that are specifically configured to protect data and service client requests The Configure Your Server Wizard does not include a configurable role for database servers A database server is any server that runs a network database application and maintains database files, such as Microsoft SQL Server or Oracle SQL Server is a high-performance database management system It is used for data storage and analysis, and it provides users with the ability to access vast amounts of data quickly over the network Because SQL Server provides additional measures of security that would not otherwise be available (as discussed in the “Securing Database Servers” section later in this chapter) and processing occurs on the server, transactions can occur securely 
and rapidly Data stored in database management systems is generally accessed through user interfaces that are developed by an organization or third parties For example, a company might create custom applications in Visual Basic (or some other programming language), or use ASP on the Web server to display information that is stored in a database.While the user interacts with the data through the user interface, the data is actually stored in the SQL Server or Oracle database located on a database server Mail Servers Mail servers enable users to send and receive e-mail messages Users send e-mail to other users through at least one mail server.When the message arrives, the destination mail server stores the message until it is retrieved by the user If the mail server does not handle the email account for an intended recipient, it will transfer the message to a mail server that does In this way, mail servers will work together to ensure a message reaches its intended audience When a server is configured to be a mail server, two protocols are enabled: SMTP and Post Office Protocol (POP3) As shown in Figure 2.6, SMTP is used by clients and mail servers to send e-mail POP3 is used by clients when retrieving e-mail from their mail server Each of these protocols is part of the TCP/IP protocol suite and installed when TCP/IP is installed on a computer However, even if TCP/IP is installed on Windows www.syngress.com 255_70_293_ch03.qxd 9/10/03 11:56 AM Page 157 Planning, Implementing, and Maintaining the TCP/IP Infrastructure • Chapter Figure 3.2 Local Area Connection Properties Click Internet Protocol (TCP/IP), and then click Properties to open the Internet Protocol (TCP/IP) Properties dialog box, shown in Figure 3.3 Figure 3.3 Internet Protocol (TCP/IP) Properties www.syngress.com 157 255_70_293_ch03.qxd 158 9/10/03 11:56 AM Page 158 Chapter • Planning, Implementing, and Maintaining the TCP/IP Infrastructure Click the Use the following IP address radio button and provide 
the IP address, Subnet mask, and Default gateway, as shown in Figure 3.4 Figure 3.4 Internet Protocol (TCP/IP) Properties after Manual Configuration Click the Use the following DNS server addresses radio button in the Internet Protocol (TCP/IP) Properties dialog box and provide at least one DNS server IP address (see Figure 3.4) Click Advanced to open the Advanced TCP/IP Settings dialog box, as shown in Figure 3.5 Notice the new Automatic metric option Note that it is the default for all Default gateways Click OK www.syngress.com 255_70_293_ch03.qxd 9/10/03 11:56 AM Page 159 Planning, Implementing, and Maintaining the TCP/IP Infrastructure • Chapter New & Noteworthy Figure 3.5 Advanced TCP/IP Settings Internet Control Message Protocol (ICMP) Router Discovery ICMP is a maintenance protocol that is part of the IP layer in the Microsoft TCP/IP stack Its functions include providing diagnostics, leveraging the use of the PING utility, and managing flow control of data to prevent traffic from saturating network links or routers It also provides the facility that builds and maintains the routing tables, as well as determines the size of the packets that will be sent to a destination RRAS on Windows Server 2003 supports a new feature called ICMP router discovery ICMP router discovery uses ICMP messages to “discover” the routers on the current subnet and select one to act as the default gateway This allows DHCP clients to find a default gateway when one is not specified by the DHCP server This feature is disabled by default on Windows Server 2003 and Windows XP machines In order to enable a DHCP client to perform router discovery, the client must receive a “perform router discovery” option from a DHCP server This will enable the host to broadcast the request to all available routers You must also set the option to Enable router discovery announcements on the General tab of the Windows Server 2003 RRAS Properties dialog box in order for the router to send the router 
advertisements www.syngress.com 159 255_70_293_ch03.qxd 160 9/10/03 11:56 AM Page 160 Chapter • Planning, Implementing, and Maintaining the TCP/IP Infrastructure To view your current IP configuration, you can run ipconfig from the command line For more detailed information, use ipconfig /all If you want to release your DHCPassigned IP addresses from all adapters, use ipconfig /release You can obtain a new lease with ipconfig /renew For the release and renew commands, you can also specify the name of a specific adapter Reviewing TCP/IP Basics TCP/IP on Windows Server 2003 provides a scalable, robust client/server platform that is built on industry-standard, routable, and full-featured protocols.Virtually every network operating system supports the TCP/IP protocol stack, and this allows Windows Server 2003 to integrate dissimilar systems on the network.The various protocols that make up the TCP/IP stack work together to provide network communications.These network communications provide the architecture that the Windows Server 2003 TCP/IP suite uses to leverage services such name resolution, file transfers, and Internet access Every implementation of TCP/IP must follow the guidelines that are governed and managed by several agencies such as the Internet Architecture Board (IAB) and the Internet Engineering Task Force (IETF).The IAB is also responsible for managing several other groups, such as the Internet Society (ISOC), Internet Assigned Numbers Authority (IANA), and Internet Corporation for Assigned Names and Numbers (ICANN).These agencies work together to maintain an open standard using a process known as Request for Comments (RFCs) and provide the maintenance, distribution, and administrative handling of the RFCs For information on RFCs, access the IETF Web site at www.ietf.org Virtually all network protocols can be mapped to the ISO’s OSI reference model.The OSI model is intended to provide a general direction for developers for designing network drivers and 
protocols. The design intends for different components involved with network communication to be managed in a series of layers, with each layer built on top of another, having a specific set of functionality, and communicating with the adjacent layers. The layers allow a hardware manufacturer to design a network card without regard to the operating system or applications that will be using the network card to communicate. A developer can design a client/server network application without concern for the protocols used to communicate with other machines.

EXAM WARNING
ISO is the organization that defines the standards for the OSI model. The IAB is responsible for facilitating the rules and the processes for the standards that define the Internet. The standards for the Internet are maintained by the IETF and are called RFCs.

TCP/IP uses a slightly less complex networking model that was developed by DARPA. Since the model is less complex than the OSI model, it is easier to implement and has better performance characteristics. The DARPA model and the TCP/IP suite of protocols were designed by DARPA before the development of the OSI model. The Windows implementation of the TCP/IP protocol stack relates to the seven layers of the OSI model. The layers in the TCP/IP model span several layers of the OSI model. As shown in Figure 3.6, the Application, Presentation, and Session layers of the OSI model are incorporated into the Application layer of the TCP/IP model. Some of the components of the TCP/IP protocol suite that operate in this layer are FTP, Telnet, HTTP, and DNS. The Application layer provides the access to the network for many applications, such as Microsoft Internet Explorer. At this layer, presentation issues such as compression and encryption are handled, and sessions are established (if applicable). Then the sending computer passes the data down to the next layer, the Transport layer.

Figure 3.6 OSI Model versus TCP/IP Model (OSI Model: Application, Presentation, Session, Transport, Network, Data Link, Physical; TCP/IP Model: Application, Transport, Internet, Network Interface)

The Transport layer coordinates the applications’ communication sessions with other interconnected machines. The key protocols that operate at this layer are TCP and User Datagram Protocol (UDP). TCP differs from UDP in two key ways. The first distinguishing difference is that TCP is connection-oriented and UDP is connectionless. TCP expects acknowledgment from the other host for each packet of data transmitted. This is ideal for large data transfers over very large networks. FTP uses TCP ports 20 and 21 to transfer data. Because UDP is connectionless, it doesn’t guarantee the delivery of the data; it just makes its best effort to deliver the packets intact. This type of data transfer is ideal for lightweight, small data transfers on a well-connected network. Trivial File Transfer Protocol (TFTP) uses UDP port 69 to initiate a connection, and the server will then dynamically select a port number to return data from. Then the two machines continue to communicate using the new port numbers. Since TFTP uses UDP, it is well-suited for small files, such as short text files, and is faster than using FTP over TCP, since there is less overhead.

TEST DAY TIP
UDP and TCP both use the IP protocol. TCP is directed to the destination and ensures the delivery of packets by receiving acknowledgments of data delivery. UDP attempts a best-effort delivery of the datagram and does not guarantee delivery. UDP has less overhead, so it is much faster, but it is not as reliable as TCP.

Both TCP and UDP use ports to differentiate between communications to and from different applications. On a sending computer, the Transport layer passes
the data down to the Internet layer.

The Internet layer, which maps to the OSI model’s Network layer, is responsible for addressing and routing communications over the network. IP operates here, and it is responsible for determining whether the address of the destination computer is on the same subnet as the address of the sending computer. In order to physically locate another host on the network, Address Resolution Protocol (ARP) is used for IP address-to-Media Access Control (MAC) address resolution. Other protocols that operate at this layer are ICMP, IGMP, and IPSec. The Internet layer continues the communication process by passing data to the Network Interface layer.

EXAM WARNING
ICMP provides diagnostics and error reporting. The PING utility uses ICMP to send and receive a standard packet to determine if the data delivery was timely and successful. ARP determines the physical address, or MAC address, of the destination host. IP determines whether the address is local or remote. If the address is local, it will direct ARP either to refer to its local cache or broadcast on the local subnet to resolve the MAC address. If it is determined by IP that the address is not local, ARP will resolve the MAC address of the default gateway to allow the traffic to be routed to the appropriate network. If you are using Internet Connection Firewall (ICF) or any other firewall software, you may prevent PING from functioning if you have defined any settings or filters that block ICMP traffic. By default, ICMP traffic is disabled when you enable ICF.

The last layer (when data is being sent) is the Network Interface layer. This layer maps to the Physical and Data Link layers of the OSI model. It is responsible for the software driver-to-hardware translation and complying with the hardware communication standards such as Ethernet, ATM, and Token Ring. The Network Interface layer is isolated from the hardware on Windows 2003 Servers by NDIS, which is a boundary layer implemented in the Microsoft networking model. This allows the protocols to function independently of the network hardware. The MAC address is part of this layer.

The Microsoft networking model corresponds to different services in the Windows architecture, to provide similar ways to access data independently of the mechanism. For instance, using Windows Explorer to access files using IPX/SPX does not seem any different to the user than accessing files using TCP/IP. Network-aware applications and network service providers operate as User mode services at the Application layer and the top of the Presentation layer. The Presentation layer transitions data back and forth from User mode to Kernel mode. The Executive services provide Session support and transition data to the I/O Manager. The Server and Redirector (Workstation) services operate at the Session layer and are separated from the transport protocols by the Transport Driver Interface (TDI) boundary layer, which traverses the Session and Transport layers. The transport protocols, such as TCP/IP and IPX/SPX, transition from the Transport layer, over the Network layer and down to the Network Interface or Data Link layer. The Data Link layer is where NDIS accesses the network adapter drivers before passing the data to the Physical layer, which allows the different protocols to be bound to different network adapters, using different physical connections. Figure 3.7 illustrates the TCP/IP protocol suite in the TCP/IP model.

NOTE
Although we started “at the top” in describing the layers of the TCP/IP (DoD) model, it is important to remember that when they are numbered, they are referred to in reverse order (as in the OSI model). The Network Interface layer is layer 1, the Internetwork layer is layer 2, and so forth.

Figure 3.7 TCP/IP Protocol Suite and the TCP/IP Network Model (Application Layer: DNS, FTP, HTTP, RIP, SNMP, SMTP, Telnet; Transport Layer: TCP, UDP; Internet Layer: IP, ARP, ICMP, IGMP, IPSEC; Network Interface Layer: Ethernet, Token Ring, FDDI, X.25, Frame Relay)

Each layer in the protocol stack provides a translation or some form of communication with the next layer. As data is passed down through the stack, each layer adds its necessary headers and protocol-specific data, and encapsulates the data from the previous layer. In some instances, the layer will establish a session with the destination host at the same layer. Once the data reaches the destination, each layer in the protocol stack will validate the header that was added by its corresponding layer, and then strip the protocol-specific information from the packet and pass it up to the next layer until it reaches the destination application.

What’s New in TCP/IP for Windows Server 2003

There are many enhancements to the networking and communications components of Windows Server 2003. The TCP/IP protocol suite has been enhanced with some of the latest technologies, as well as improvements on existing functionality. For more information about other networking and communication feature enhancements, see the white paper titled “Microsoft Windows Server 2003 - Technical Overview of Networking and Communication” (www.microsoft.com/windowsserver2003/techinfo/overview/netcomm.mspx).

IGMPv3

Typical communications over an IP-based network are directed unicast communications. Unicast is basically a single, direct request sent from one host to another, and only the two hosts interact over the established route. For example, when you click a hyperlink in a Web browser, you are requesting HTTP data from the host defined in the link, which, in turn, delivers the
data to your browser. This is useful in the Web-browsing environments we have grown accustomed to, where there is a demand for a personal, user-controlled experience. Unicast is not useful for delivering streams of audio or video to large audiences, since a single stream of audio/video data is very costly for only one user. This is where multicast communications are effective. Multicast provides a single stream for multiple hosts. The hosts select the data by requesting the local routers to forward those packets of data from the host providing the multicast data to the subnet of the listening host. When the host decides to stop listening to the multicast traffic, IGMP is responsible for notifying the router that the host is no longer participating.

TEST DAY TIP
It is not necessary to know the differences between different versions of IGMP. It is important to be familiar with the purpose of IGMP, what its functions are, and where it fits in the OSI model.

A set of listening hosts is called a multicast group. IGMP is responsible for providing the functionality necessary for hosts to join and leave those groups that receive IP multicast traffic. Each of the versions of IGMP (versions 1, 2, and 3) is automatically supported by Windows Server 2003. IGMPv3 adds functionality to distribute multiple multicast sources regionally and allow the host to select the multicast source that is located closest to the host. An example of this would be a situation in which you send a video stream broadcasting a speech from the president of your company and have several machines scattered across the United States providing the feed. Then IGMPv3 allows the hosts to provide an include list or an exclude list of those servers. The multicast routers would be responsible for forwarding the multicast traffic from the include list of servers and for preventing the forwarding of traffic from the excluded sources. As you can see, this feature can be very useful to help reduce network bandwidth utilization.

IPv6

The next generation of TCP/IP is here! Previously, it was possible to experiment with IPv6, but under the covers, the protocol stack was still dependent on IPv4 calls for WinSock functions. With the release of Windows Server 2003, the IPv6 protocol stack is designed for production use.

IPv4 has a limited number of host addresses available (2^32, or about billion hosts). That might sound like a lot, but over the past 30 years, the pool of available addresses has been exhausted due to the popularity and growth of the Internet. With IPv6, the host address is 128 bits instead of 32, which means that we will have 2^128 (about 340,000,000,000,000,000,000,000,000,000,000,000,000) host addresses available. That means we could have about 2^96 (about 75 trillion trillion, or 75,000,000,000,000,000,000,000,000,000) addresses of our very own. That should last for at least a couple of years. We will discuss transitioning to IPv6 and its features in more detail in the “Transitioning to IPv6” section later in this chapter.

Alternate Configuration

Automatic alternate configuration is an enhancement to TCP/IP that allows for a valid static IP address configuration on a DHCP-configured machine. Without an alternate configuration defined, a computer that is unable to obtain an IP address lease from a DHCP server will automatically receive an Automatic Private IP Addressing (APIPA) address from the 169.254.0.0/16 pool.

Configuring & Implementing: Using APIPA to Your Advantage

APIPA can be a valuable aid in assisting you with network configuration. With no effort at all, you can provide IP addressing for a TCP/IP network of Windows Server 2003 and Windows 98/2000/XP computers. APIPA is a service that uses a reserved class B IP address pool (169.254.0.0/16, or a subnet mask of 255.255.0.0) to automatically provide valid IP addresses to DHCP clients in the event the computer cannot obtain a DHCP lease. This scheme is intended for smaller networks where there is no DHCP server deployed, but think of the potential use this has, not only as a way to assist your LAN users, but also to help you troubleshoot network problems and configure new servers.

One way you can help LAN users is to provide an intranet Web server that has been assigned an APIPA address. That way, if a client is unable to obtain an IP address, the user will be able to connect to this Web server. The Web server’s default home page should contain a series of simple troubleshooting procedures that the client could use, such as the following:

- Did you receive an error message on startup? Provide a list of common errors and probable solutions.
- Wait minutes to see if the next DHCP request is acknowledged.
- Contact technical support at extension 5555.

Additionally, you could provide users with some basic information about what is happening or maintain a server status page to let them know that you are aware of the problem and what actions they should take. It might also be beneficial to the Information Technology (IT) staff to maintain documentation on the Web server to aid in configuring new servers, maintaining static address pools, or initiating service requests to add new equipment to the network.

Automatic Determination of Interface Metric

As noted in Exercise 3.01, “Configuring the TCP/IP Protocol Manually,” and shown earlier in Figure 3.5, the automatic metric feature is enabled by default. The purpose of the automatic metric feature is to determine the speed of the interface for each default gateway and to assign the metric, which is the cost of using a particular route. The metric is weighted by the number of hops to the destination. The number of hops to any host on the local subnet is one. Every router that must
be used to reach the destination is another hop. When it is determined that there are multiple routes to the same destination, the metric is evaluated to determine which is the lowest metric and thus the fastest route to the destination.

EXERCISE 3.02 DETERMINING THE METRIC FOR THE DEFAULT GATEWAY

In the following exercise, you will learn how to use the route print command to determine the metric for the default gateway on your network.

1. Open a command prompt window.
2. Type route print. You will see a route table, as shown in Figure 3.8.

Figure 3.8 Results of the route print Command

3. Examine the route table. Notice the Network Destination list. The destinations are described in Table 3.1. The metric for the loopback adapter and the limited broadcast is always 1. The other addresses have a metric based on the cost of using that route for that network adapter. With multiple network adapters (a multihomed computer), the route table would indicate a different metric for each default route, but only one would be used. Table 3.2 shows a configuration with identical network adapters: one adapter on the 192.168.69.0/24 network and the other on the 192.168.70.0/24 network.

Table 3.1 Description of Routes in the Route Table

Description        Network Destination  Netmask          Gateway         Interface       Metric
Default route      0.0.0.0              0.0.0.0          192.168.69.111  192.168.69.111  20
Loopback network   127.0.0.1            255.0.0.0        127.0.0.1       127.0.0.1       1
Local network      192.168.69.0         255.255.255.0    192.168.69.111  192.168.69.111  20
Local IP address   192.168.69.111       255.255.255.255  127.0.0.1       127.0.0.1       20
Subnet broadcast   192.168.69.255       255.255.255.255  192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.69.111  192.168.69.111  20
Limited broadcast  255.255.255.255      255.255.255.255  192.168.69.111  192.168.69.111  1

Table 3.2 Description of Routes with a Multihomed Computer

Description        Network Destination  Netmask          Gateway         Interface       Metric
Default route      0.0.0.0              0.0.0.0          192.168.69.111  192.168.69.111  20
Default route      0.0.0.0              0.0.0.0          192.168.70.100  192.168.70.100  30
Loopback network   127.0.0.1            255.0.0.0        127.0.0.1       127.0.0.1       1
Local network      192.168.69.0         255.255.255.0    192.168.69.111  192.168.69.111  20
Local IP address   192.168.69.111       255.255.255.255  127.0.0.1       127.0.0.1       20
Local network      192.168.70.0         255.255.255.0    192.168.70.100  192.168.70.100  30
Local IP address   192.168.70.111       255.255.255.255  127.0.0.1       127.0.0.1       30
Subnet broadcast   192.168.69.255       255.255.255.255  192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.70.100  192.168.70.100  20
Limited broadcast  255.255.255.255      255.255.255.255  192.168.69.111  192.168.69.111  1
Limited broadcast  255.255.255.255      255.255.255.255  192.168.70.100  192.168.70.100  1

Note that the metric for the default route for the second network, on the adapter for the 192.168.70.100 interface, is higher than the metric for the default route on the 192.168.69.111 interface. This indicates that the 192.168.69.111 network adapter is first in the binding order. Since the metric for the default gateway for the second adapter is higher than the first network adapter, the second gateway is never used and is not necessary.

You can use the route command to add routes and change metrics. The command is route add –p Destination Mask Gateway IF Metric, where:

- Destination is the network destination address.
- Mask is the appropriate subnet mask defined for the destination network.
- Gateway is the address of the router interface used to interface with the network.
- IF is the interface you want to associate this route to.
- Metric is the metric for this gateway.

The –p parameter specifies that you want to make this route persistent, so that it will be there if you reset the adapter or restart the machine. If you do not specify –p, the route is temporary and will not be saved. If you want to delete a route, use the route delete Destination command to remove the destination route from the route table.

You can disable the automatic metric feature by accessing the properties for the desired connection, as follows:

1. Select Internet Protocol (TCP/IP) and click Properties.
2. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
3. Uncheck Automatic metric.
4. Provide an Interface metric. The minimum value is
5. Click OK.
6. Run the route print command. What changed? You will notice that all of the metric values are now

You can change the values manually, which can allow you to redirect traffic over a slower interface that would normally have a higher metric.

TEST DAY TIP
You should be familiar with the route table, know how to use the route print command, and understand how to use the information in this table to troubleshoot TCP/IP connectivity problems. More details are provided in the “Creating a Subnetting Scheme” and “Troubleshooting IP Addressing” sections later in this chapter.

EXAM 70-293 OBJECTIVE 2.1, 2.1.2

Planning an IP Addressing Strategy

Before you can implement an IP network infrastructure, there are many details that you must consider. Here, we will take a look at how to plan your network by identifying the appropriate addressing requirements and limitations that will shape the network. Understanding subnetting is a requirement to implement your addressing scheme. You will need to identify hardware requirements, decide what class of address you will need, and determine if access to the Internet is necessary for all or just some of your hosts. Subnetting will allow you to create logical
segments on your network that will overlay the physical topology. By using a well-planned subnetting scheme, you can handle your current needs and plan for expansion for future needs. You can also make use of these segments to isolate and distribute heavy traffic, without having a major impact on other segments of your network.

EXAM 70-293 OBJECTIVE 2.1.1

Analyzing Addressing Requirements

Every device on a TCP/IP-based network that has a network interface is referred to as a host. Each host must have a unique IP address. The most common analogy used to describe an IP addressing scheme is that of a street (subnetwork) with many houses (hosts). Each house (host) must have a unique address (IP address) on its street. Visualize a situation in which you are a city planner. In this analogy, the city is the entire corporate network, each street is a subnetwork, and each house is a host. Our city, illustrated in Figure 3.9, needs streets for all of the houses for the current residents. Additionally, we might require more houses to be built for new residents. We must design the streets in such a way that will allow for traffic flow to be regulated and to minimize congestion. Also, we do not want to have so many streets that we can build only a few houses on each street before we run out of room in our city. We know that it might not be an effective use of our resources if we build a major thoroughfare and a lot of apartments in an area of the city that will have only a few residents. Some parts of our city need access to the “super highway” (the Internet or WAN) so the residents can get to other cities. We can use this example to get a concept of how to design and plan for a TCP/IP network.
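The encapsulation described with Figure 3.7 (each layer adds its header on the way down, and the receiver validates and strips one header per layer on the way up), as an added Python example that is not from the book: one build function per layer of the TCP/IP model, and a decapsulate() that reverses them while checking the IPv4 and UDP checksums. Addresses, ports and MACs are constructed sample values; only the TFTP port 69 comes from the chapter.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the ones' complement sum
    of the 16-bit big-endian words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Transport layer: UDP header (RFC 768). The checksum also covers a
    pseudo-header with both IP addresses, so a datagram that reaches the
    wrong host is rejected by the transport layer."""
    length = 8 + len(payload)
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo + header + payload) or 0xFFFF   # 0 on the wire means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4(src_ip, dst_ip, proto, payload: bytes, ttl=128, ident=0x1234) -> bytes:
    """Internet layer: 20-byte IPv4 header; its checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ethernet(src_mac, dst_mac, payload: bytes) -> bytes:
    """Network Interface layer: Ethernet II frame, EtherType 0x0800 = IPv4."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800) + payload


def _fmt_mac(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def decapsulate(frame: bytes) -> dict:
    """Receiving side: strip one header per layer, validating each checksum,
    until the application payload is reached."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:total_len]
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, length)
    if csum and inet_checksum(pseudo + segment[:length]) != 0:
        raise ValueError("UDP checksum mismatch")
    return {"dst_mac": _fmt_mac(frame[:6]), "src_mac": _fmt_mac(frame[6:12]),
            "src_ip": ".".join(map(str, packet[12:16])),
            "dst_ip": ".".join(map(str, packet[16:20])),
            "sport": sport, "dport": dport, "payload": segment[8:length]}


def example_frame() -> bytes:
    """Constructed sample: a TFTP request (UDP port 69) from 192.168.69.111 to
    its gateway. The gateway address and both MAC addresses are made up."""
    udp = build_udp("192.168.69.111", "192.168.69.1", 40000, 69, b"hello")
    ip = build_ipv4("192.168.69.111", "192.168.69.1", 17, udp)
    return build_ethernet("00:0c:29:aa:bb:cc", "00:0c:29:dd:ee:ff", ip)


if __name__ == "__main__":
    print(decapsulate(example_frame()))
```

A frame whose payload was altered in transit fails at the transport layer (the UDP checksum no longer verifies) before the application ever sees it, which is the per-layer validation the text describes.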
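The include and exclude lists from the IGMPv3 section, as an added Python model that is not part of the book: it merges the reports of the hosts on one subnet the way a multicast router does (the state-merging rules of RFC 3376 section 3.2, simplified) and then decides, per source, whether a packet for the group is forwarded. The group and the three feed servers are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupFilter:
    """Filter a multicast router keeps per (interface, group) after merging the
    IGMPv3 reports of its listeners: INCLUDE(sources) or EXCLUDE(sources)."""
    mode: str
    sources: frozenset


def merge_reports(reports):
    """Combine the hosts' reports for one group (RFC 3376 section 3.2):
    INCLUDE(A)+INCLUDE(B) = INCLUDE(A+B); INCLUDE(A)+EXCLUDE(B) = EXCLUDE(B-A);
    EXCLUDE(A)+EXCLUDE(B) = EXCLUDE(A*B)."""
    included, excluded_sets = set(), []
    for mode, sources in reports:
        if mode == "INCLUDE":
            included |= set(sources)
        elif mode == "EXCLUDE":
            excluded_sets.append(set(sources))
        else:
            raise ValueError("unknown filter mode %r" % mode)
    if excluded_sets:
        return GroupFilter("EXCLUDE", frozenset(set.intersection(*excluded_sets) - included))
    return GroupFilter("INCLUDE", frozenset(included))


def build_filters(reports_by_group):
    """Merged filter state for every group reported on this subnet."""
    return {group: merge_reports(reports) for group, reports in reports_by_group.items()}


def should_forward(filters, group, source):
    """Router forwarding decision for one multicast packet onto this subnet."""
    state = filters.get(group)
    if state is None:                      # nobody on this subnet joined the group
        return False
    if state.mode == "INCLUDE":
        return source in state.sources
    return source not in state.sources


# Constructed scenario: the company speech on group 239.1.1.1 is fed by three
# servers; the addresses below are made up.
SPEECH_GROUP = "239.1.1.1"
EAST, CENTRAL, WEST = "10.1.0.10", "10.2.0.10", "10.3.0.10"
SAMPLE_REPORTS = {
    SPEECH_GROUP: [
        ("INCLUDE", [EAST]),            # host A wants only the nearest feed
        ("EXCLUDE", [WEST]),            # host B wants anything except the west feed
    ],
    "239.2.2.2": [("INCLUDE", [])],     # a leave: INCLUDE with an empty source list
}


if __name__ == "__main__":
    filters = build_filters(SAMPLE_REPORTS)
    for src in (EAST, CENTRAL, WEST):
        print(src, "->", should_forward(filters, SPEECH_GROUP, src))
```

With the two sample reports the merged state is EXCLUDE({west}), so the router forwards the east and central feeds onto the subnet and drops the west one; had both hosts sent include lists, only the union of those lists would be forwarded.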
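Exercise 3.02 and the route add discussion, together with the EXAM WARNING on how IP and ARP split local from remote delivery, as an added Python example that is not from the book: it parses a table in the layout of the route print output, applies the longest-matching-prefix then lowest-metric selection, and reports which address ARP would have to resolve. The table is constructed after Table 3.2 (two adapters, two default routes); the gateway addresses 192.168.69.1 and 192.168.70.1 are assumptions, and set_metric() only models the effect of a manual metric change on the table.

```python
import ipaddress

# Constructed sample in the layout of route print, modelled on Table 3.2.
# The router addresses 192.168.69.1 and 192.168.70.1 are assumed.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.69.1   192.168.69.111     20
          0.0.0.0          0.0.0.0     192.168.70.1   192.168.70.100     30
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.69.0    255.255.255.0   192.168.69.111   192.168.69.111     20
   192.168.69.111  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.69.255  255.255.255.255   192.168.69.111   192.168.69.111     20
     192.168.70.0    255.255.255.0   192.168.70.100   192.168.70.100     30
   192.168.70.100  255.255.255.255        127.0.0.1        127.0.0.1     30
        224.0.0.0        240.0.0.0   192.168.69.111   192.168.69.111     20
  255.255.255.255  255.255.255.255   192.168.69.111   192.168.69.111      1
"""


def parse_route_table(text):
    """Return [(network, gateway, interface, metric)] from route print style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue                                   # header or blank line
        dest, mask, gateway, iface, metric = parts
        network = ipaddress.IPv4Network("%s/%s" % (dest, mask), strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Longest matching prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def next_hop(routes, destination):
    """Decide, as IP does, whether the packet is delivered locally, sent on-link
    (ARP resolves the destination itself) or routed (ARP resolves the gateway)."""
    route = select_route(routes, destination)
    if route is None:
        return None
    network, gateway, iface, metric = route
    if gateway == "127.0.0.1":
        arp_target = None                              # one of our own addresses
    elif gateway == iface:
        arp_target = destination                       # on-link: ARP for the host itself
    else:
        arp_target = gateway                           # remote: ARP for the router
    return {"destination": destination, "network": str(network), "gateway": gateway,
            "interface": iface, "metric": metric, "arp_target": arp_target}


def set_metric(routes, network, iface, metric):
    """Return a copy of the table with one entry's metric changed, as a manual
    interface metric or a route change would do."""
    return [(n, g, i, metric if (str(n) == network and i == iface) else m)
            for n, g, i, m in routes]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for dst in ("192.168.69.50", "192.168.70.7", "8.8.8.8", "192.168.69.111"):
        print(next_hop(table, dst))
    # Lowering the second adapter's default-route metric makes it the one that is used.
    print(next_hop(set_metric(table, "0.0.0.0/0", "192.168.70.100", 10), "8.8.8.8"))
```

With the metrics as in Table 3.2 every remote destination leaves through 192.168.69.111, and the default route on 192.168.70.100 is never selected; once its metric is set below 20 the selection flips, which is the manual redirection the text describes after Exercise 3.02.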
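The city-planner analogy from Analyzing Addressing Requirements and the APIPA fallback from the Alternate Configuration section, as an added Python example that is not from the book: it carves variable-length subnets out of one address block, largest segment first so the streets are sized to the number of houses, reports the usable range of each, and flags an address that came from the 169.254.0.0/16 APIPA pool. The block 192.168.0.0/22 and the segment sizes are constructed.

```python
import ipaddress

APIPA_POOL = ipaddress.IPv4Network("169.254.0.0/16")


def is_apipa(address):
    """True when a host fell back to Automatic Private IP Addressing, i.e. it got
    no DHCP lease and has no alternate configuration to use instead."""
    return ipaddress.IPv4Address(address) in APIPA_POOL


def prefix_for_hosts(hosts):
    """Longest prefix whose usable host count (2^(32-p) - 2) covers the need."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 prefix can hold %d hosts" % hosts)


def plan_subnets(block, requirements):
    """Variable-length subnetting: carve one subnet per segment out of 'block',
    largest segment first so no space is wasted. Returns {name: IPv4Network}."""
    free = [ipaddress.IPv4Network(block)]
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        for idx, candidate in enumerate(free):
            if candidate.prefixlen > prefix:
                continue                                  # too small for this segment
            if candidate.prefixlen == prefix:
                chosen = candidate
            else:
                chosen = next(candidate.subnets(new_prefix=prefix))   # lowest /prefix inside
            del free[idx]
            if chosen != candidate:
                free.extend(candidate.address_exclude(chosen))        # hand back the leftovers
            free.sort(key=lambda n: int(n.network_address))
            plan[name] = chosen
            break
        else:
            raise ValueError("block %s exhausted at segment %r" % (block, name))
    return plan


def describe(plan):
    """Per segment: network, first and last usable host, broadcast, usable host count."""
    out = {}
    for name, net in plan.items():
        hosts = list(net.hosts())
        out[name] = {"network": str(net), "first": str(hosts[0]), "last": str(hosts[-1]),
                     "broadcast": str(net.broadcast_address), "usable": len(hosts)}
    return out


# Constructed example: the 'city' is a /22; each 'street' lists its house count.
REQUIREMENTS = {"HQ floor 1": 100, "HQ floor 2": 50, "Branch": 20, "Servers": 10, "WAN link": 2}


if __name__ == "__main__":
    for name, info in describe(plan_subnets("192.168.0.0/22", REQUIREMENTS)).items():
        print(name, info)
    print(is_apipa("169.254.10.20"), is_apipa("192.168.0.5"))
```

Allocating largest first keeps the smaller subnets from fragmenting the block, so the remaining free ranges stay contiguous for the growth the section asks you to plan for.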

Posted: 13/08/2014, 15:21

