Planning Network Traffic Management


EXAM 70-293 OBJECTIVE 2, 2.1, 2.1.1

After you decide where to place your physical equipment, users will begin accessing the services supplied by DHCP, DNS, and WINS. Other traffic comes from accessing the Internet, file sharing, and the many other network resources that will be used. You can estimate the amount of traffic at peak times by using some of the utilities provided with the operating system. The tools can be used to create baselines, identify the peak network usage areas, and identify the traffic sources.

You will also need to monitor network traffic and analyze the usage. You might be able to identify illicit network access from external sites, find Trojan horse viruses that generate broadcast storms, or just discover who is actually hogging all that Internet bandwidth. You can also determine whether your server-to-server traffic is managed well, or if it is necessary to modify the physical location of equipment.

Monitoring Network Traffic and Network Devices

EXAM 70-293 OBJECTIVE 2.4

Every network administrator should be familiar with two key utilities:

  • Network Monitor: Allows you to capture data, identify the source, and analyze the content and format of the message.

  • System Monitor: Allows you to monitor other resources and determine the performance of those resources.

Using Network Monitor

There are two versions of Network Monitor: one is part of the Windows Server 2003 operating system, and the other is part of Microsoft Systems Management Server (SMS). The version that ships with Windows Server 2003 can monitor only traffic inbound and outbound to the machine on which the utility is being run. The SMS version can monitor most network traffic from any machine to any other machine on the network, by placing the network card on the machine where it is running in promiscuous mode to capture all traffic.

Network Monitor is not installed by default. You can install it by following these steps:

  1. From Control Panel, select Add/Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Click Management and Monitoring Tools.

  4. Click Details.

  5. Click the check box next to Network Monitor Tools.

  6. Click OK.

  7. Click Finish.

After Network Monitor is installed, you can use the interface to monitor traffic, as shown in Figure 3.19. When you want to view the results, you can view each frame of captured data. You can save the trace to a file, or you can start the trace over. You could then use the traces to find and filter traffic in order to analyze the data. You can also capture fragments into files for later analysis. You can even see some of the unencrypted data being transmitted on your network.

Figure 3.19: Network Monitor

Network Monitor should be run during low-usage times or for short intervals to minimize the impact on performance of capturing all that data on your machine. It is also useful to identify the type of traffic you are concerned with and use the filters to capture only the data you need.

Using System Monitor

System Monitor is a Microsoft Management Console (MMC) snap-in tool that allows you to use counters to monitor the performance of hardware, applications, and operating system components on Windows Server 2003 machines.

A counter is basically a hook into a driver or application component that allows System Monitor to gather statistics. System Monitor can capture these statistics and display them in a graph, as shown in Figure 3.20, or in a report. It can also send administrative alerts when specified conditions are met, and even launch an application to allow you to correct the situation or send an e-mail or a page to an administrator. You can save the logs to different file formats to allow you to analyze them in other applications or tools.

Figure 3.20: System Monitor

Note

Windows Server 2003 includes command-line tools to help control the scheduling of performance counter and event trace logs. System Monitor is no longer required to gather performance data from remote computers (although it can still be used for that purpose). Typeperf allows you to write performance counter data directly to the command window.

System Monitor also allows you to view more than one log file at the same time, so that you can compare baseline logs with the current data. The Performance Logs and Alerts service can gather data and store it in a Microsoft SQL Server database that can be viewed by System Monitor. You can also save portions of log files or SQL Server data to a new file. This can help save space, simplify comparisons of data, and reduce analysis time.
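The baseline comparison described above can also be done offline on counter logs saved as CSV. The following is an added example, not part of the original text: it parses the PDH-CSV layout that typeperf writes and flags samples in a current log that exceed the baseline mean by a chosen number of standard deviations. The server name, interface instance, sample values, and the three-sigma threshold are constructed assumptions.

```python
import csv
import io
import statistics

COUNTER = r"\Bytes Total/sec"  # Network Interface counter used in this example

# Constructed samples in the PDH-CSV layout typeperf writes (not real captures).
BASELINE = r'''"(PDH-CSV 4.0)","\\SRV01\Network Interface(NIC1)\Bytes Total/sec"
"03/01/2004 09:00:00.000","410000.0"
"03/01/2004 09:00:15.000","395000.0"
"03/01/2004 09:00:30.000","402500.0"
"03/01/2004 09:00:45.000","420000.0"
"03/01/2004 09:01:00.000","398000.0"
'''
CURRENT = r'''"(PDH-CSV 4.0)","\\SRV01\Network Interface(NIC1)\Bytes Total/sec"
"03/08/2004 09:00:00.000"," "
"03/08/2004 09:00:15.000","405000.0"
"03/08/2004 09:00:30.000","9800000.0"
"03/08/2004 09:00:45.000","412000.0"
'''

def load_counter(text, counter_suffix):
    """Return [(timestamp, value)] for the column whose path ends with counter_suffix."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    col = next(i for i, name in enumerate(header) if name.endswith(counter_suffix))
    samples = []
    for row in rows:
        if len(row) <= col:
            continue  # truncated line
        try:
            samples.append((row[0], float(row[col])))
        except ValueError:
            continue  # blank sample, e.g. the first interval of a rate counter
    return samples

def flag_deviations(baseline, current, k=3.0):
    """Return (limit, samples above it), where limit = baseline mean + k * stdev."""
    values = [v for _, v in baseline]
    limit = statistics.mean(values) + k * statistics.stdev(values)
    return limit, [(ts, v) for ts, v in current if v > limit]

if __name__ == "__main__":
    base = load_counter(BASELINE, COUNTER)
    limit, hits = flag_deviations(base, load_counter(CURRENT, COUNTER))
    print(f"limit={limit:.0f} bytes/sec")
    for ts, v in hits:
        print(f"{ts}  {v:.0f} bytes/sec exceeds baseline")
```

A flagged interval is a starting point for a Network Monitor capture filtered to that host and time window, which is where the traffic source can actually be identified.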

Determining Bandwidth Requirements

When you have captured performance statistics and viewed the network traffic during various times of the day, you can identify the different sources of traffic on your network. You will need to analyze how name resolution occurs, where the requests for name resolution initiate, and the server-to-server traffic when replicating the information.

You will need to identify the following:

  • Any slow connections and the quantity of data transmitted over those connections. This will help you to identify how often servers transmit replicated data to other servers.

  • The cost of one client obtaining information from these servers. You can then use that information to calculate the cost of many users.

  • Broadcast traffic, so that you can isolate that to certain networks. You will be able to identify areas where clients communicate heavily with other clients, such as file servers, and locate those resources on the same segment as the heavy users.

Optimizing Network Performance

TCP traffic uses a sliding window method of transmitting data. As data is successfully transmitted to the destination, the window slides over the remaining data and transmits the next packets of data. Window size is basically the maximum number of packets that can be sent without waiting for positive acknowledgment. If you transmit large amounts of TCP data, then larger TCP windows will improve TCP/IP performance. The maximum window size is limited to 64 kilobytes by default and is determined by the window size setting of the destination host machine. It is possible to increase the size of the TCP window dynamically on Windows Server 2003 to accommodate this by enabling large TCP window support. Client computers can be set to request large windows by editing their Registries. These are then called TCP1323Opts-enabled computers. The window size is negotiated during the TCP three-way handshake process. TCP1323 is a TCP extension defined in RFC 1323.
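To see when the 64 KB default becomes the bottleneck, the following added example (not from the original text) computes the window a link needs to stay full, the throughput ceiling an unscaled window imposes, and the smallest RFC 1323 scale shift that covers the need. The link speeds and round-trip times are constructed assumptions.

```python
MAX_UNSCALED_WINDOW = 65535  # the TCP header's 16-bit window field counts bytes
MAX_SHIFT = 14               # largest window scale shift RFC 1323 permits

def required_window_bytes(link_bps, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to keep the link full."""
    return -(-link_bps * rtt_ms // 8000)  # integer ceiling of bps * ms / 8000

def throughput_ceiling_bps(window_bytes, rtt_ms):
    """At most one window can be unacknowledged per round trip."""
    return window_bytes * 8000 // rtt_ms

def scale_shift_for(window_bytes):
    """Smallest RFC 1323 shift count whose scaled window covers window_bytes."""
    for shift in range(MAX_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    raise ValueError("window exceeds what RFC 1323 scaling can express")

def plan(link_bps, rtt_ms):
    """Summarize whether large-window support is needed on this path."""
    need = required_window_bytes(link_bps, rtt_ms)
    return {
        "needed_window_bytes": need,
        "scale_shift": scale_shift_for(need),
        "ceiling_without_scaling_bps": throughput_ceiling_bps(MAX_UNSCALED_WINDOW, rtt_ms),
    }

if __name__ == "__main__":
    # Constructed paths: a 100 Mbps LAN at 1 ms and a 45 Mbps WAN link at 80 ms.
    for name, bps, rtt in [("LAN", 100_000_000, 1), ("WAN", 45_000_000, 80)]:
        print(name, plan(bps, rtt))
```

On the constructed WAN path the unscaled window caps a single connection at about 6.5 Mbps regardless of link speed, while the LAN path never needs scaling.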

With Windows Server 2003, it is possible to disable NetBIOS encapsulation over TCP/IP (disable NetBT). This can significantly reduce the overhead of data transfer and eliminate the need for WINS and any other NetBIOS name resolution. It will also reduce the browser master traffic. The drawback to disabling NetBIOS encapsulation is that you can no longer browse network resources. In addition, some applications depend on NetBIOS and will not work without it. If you are using NetBIOS name resolution, you should have WINS servers to allow for directed send requests for name resolution, rather than broadcasting for that information. WINS servers share data with each other at regular intervals. You might wish to reduce that traffic by modifying the replication intervals to increase the time between synchronizations. You should minimize the number of WINS servers used on your network. It is not necessary to have a WINS server on every LAN. The more WINS servers you implement, the more network traffic is generated by WINS database replication.

The placement of other servers that provide network services is also important. DHCP servers must have an interface on the same segment as the clients that will use the DHCP server, or you must provide a means for DHCP requests to cross routers (such as a DHCP relay or using routers that allow DHCP and BOOTP requests). Place DNS servers on each LAN to minimize the amount of traffic generated when performing host name resolution. You can also designate which DNS servers can act as forwarders to control which machines can perform iterative DNS queries over the Internet.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
