Configuring TCP/IP

Objective: Configure TCP/IP addressing on a server computer.

Several important changes and improvements have been made to TCP/IP in Windows Server 2003:
Exam Alert: netsh and TCP/IP
Perhaps the most likely item to appear on your exam is the fact that you use the netsh command to reset TCP/IP back to its defaults, instead of removing and reinstalling TCP/IP as was done for troubleshooting in versions of Windows prior to Windows Server 2003.

Introducing IPv6

It's no secret that we're running out of IP addresses under the current IPv4 addressing system. Under IPv4, an IP address is a 32-bit number that consists of four binary octets separated from each other by periods, such as 11000000.10101000.00000000.10011010, which is 192.168.0.154 in dotted-decimal notation. This scheme provides for 2^32 (that is, 4,294,967,296) possible addresses, of which a small number is reserved for private networks and cannot be routed on the Internet.

The IPv6 addressing system aims to solve this problem by using a 128-bit number to represent a unique IP address. Using 128 bits gives you 2^128 (that is, 340,282,366,920,938,463,463,374,607,431,768,211,456, or 3.4 × 10^38) possible addresses. That is enough IP addresses to provide 655,570,793,348,866,943,898,599 (that is, 6.5 × 10^23) addresses for every square meter of the earth's surface. That should help solve the shortage of available public IP addresses. Of course, the true power of the IPv6 addressing system is that it allows multiple hierarchical levels of organization and flexibility in design. Both are currently lacking from the IPv4 Internet of today.

A 128-bit IPv6 address, as you might suspect, looks different from what you are used to seeing in IPv4. An IPv6 address in binary form looks like this: 0010000111011010 0000000011010011 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010. This translates into 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A in hexadecimal format. Looks confusing, doesn't it? Well, it certainly can be if you're not accustomed to looking at IPv6 addresses.
The IPv6 protocol and addressing system should all but put an end to memorizing IP addresses! Using the IPv6 protocol, IP classes and classless interdomain routing (CIDR) will be things of the past. The three commonly used private IP ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) will be replaced by one site-local address range (FEC0::/48). The familiar loopback address of 127.0.0.1 will be replaced by ::1.

So what's up with the :: in IPv6? In the interest of making things easier, you can use a double colon (::) to represent contiguous strings of zero values. Therefore, the loopback address 0:0:0:0:0:0:0:1 can become simply ::1. Of course, you can use a double colon only once in an IPv6 address, for obvious reasons. In addition, you can use leading zero suppression to remove the leading zeros within an individual 16-bit string. Thus, 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A becomes 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A. Of course, the drivers within the operating system and the infrastructure hardware devices (routers, switches, and so on) will handle all these conversions automatically, and they will be invisible to you.

For more information on IPv6, you can visit the official IPv6 site, located at www.ietf.org/html.charters/ipv6-charter.html, or visit the Microsoft Web site about IPv6, located at www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx.

Exam Alert: No IPv6
Don't expect to be tested on IPv6 on your exam, as it is still quite some time from broad mainstream adoption.

With knowledge in hand of how IP addressing works, you can now proceed to configuring a computer's network adapter with the required TCP/IP information. You can configure a Windows Server 2003 computer with an IP address in two ways. The first is through DHCP, as discussed in Chapter 2, "Implementing, Managing, and Troubleshooting DHCP." Using DHCP has many advantages, including the following:
Caution: What IP Address Should I Use?
If you're working in a large network, there's probably a group of people responsible for adding and removing the IP addresses assigned to the network. You should check with these gurus before you arbitrarily add an IP address to the network. A wrong IP address on your end could mean big headaches on theirs. If you're isolated from a production environment, however, you can use whatever IP address you want.

The second way to configure a Windows Server 2003 computer with an IP address is to manually assign the IP address and other TCP/IP properties on the computer. For workstations, this method is not often chosen because of the complexity and difficulty of maintaining a large number of statically assigned IP addresses. For servers, however, the situation is much different. Any server that offers a service to the network should have a static IP address. The following list contains some of the more common server types that offer services to clients and thus require statically assigned IP addresses:
Note: Know Your Connections
The term connection refers to a network component that represents how one host connects to another host. Examples of connections include Local Area Network (LAN), Wide Area Network (WAN), or Dial-Up Networking (DUN).

Step by Step 1.1 describes the process of configuring the TCP/IP properties for a Windows Server 2003 computer's network adapter.

Step By Step 1.1. Configuring TCP/IP
Note: DNS Servers
DNS servers provide a crucial network service for networks of all sizes. DNS servers provide forward (domain name-to-IP address) and reverse (IP address-to-domain name) lookups to network clients. Using DNS allows you to remember an easy domain name, such as www.microsoft.com, instead of an IP address, such as 207.46.134.190. When you enter www.microsoft.com into a browser, one or more Internet DNS servers provide name resolution services for you, allowing you to make a connection to the Microsoft Web site. The same concept applies to private networks. DNS is discussed in more detail in Chapter 3, "Implementing and Managing DNS."

Exam Alert: Configuring a Gateway
The discussion about whether the default gateway is a required portion of a valid IP address is an ongoing one in many circles. If you recall the fact that a default gateway is required only when a computer must route packets off its own subnet, you can say that it is not always a required portion of the TCP/IP configuration information. In some cases, you might have a very good reason not to configure a default gateway, as in the example of a server that you do not want to be able to communicate with clients outside its own subnet; not having a default gateway adds a small bit of extra security in this case. However, when you take your exam, you should always assume that a default gateway is required and should be configured on a server unless specifically told otherwise.

The following section describes how to make additional configuration settings, if required.

Advanced TCP/IP Configuration

After you've performed the initial configuration of TCP/IP, you might still need to configure some additional settings on the protocol. On the TCP/IP Properties dialog box, you can access these settings by clicking the Advanced button, which causes the Advanced TCP/IP Settings dialog box, shown in Figure 1.6, to appear.

Figure 1.6. The Advanced TCP/IP Settings dialog box is used to configure additional, advanced TCP/IP settings for a network connection.
As you can see in Figure 1.6, the IP Settings tab displays the currently configured IP address and default gateway. From this tab, you can add additional IP addresses to the network adapter. This option is rarely used for most servers; however, it might be used if the computer hosts one or more Web sites. You can assign two IP addresses to one adapter. Each IP address represents a different domain name hosted on the server.

You can also specify additional default gateways, including the option to manually configure the route metric associated with each gateway. The route metric can be thought of as the "cost" of using a specific route: Each hop along the route has a specific cost that is dependent on several factors, including the actual monetary cost of the link and the speed of the link. Lower metrics typically equal faster routes and thus are preferred. Recall that Windows Server 2003 automatically assigns metrics based on the speed of the network interface. As mentioned earlier in this chapter, interfaces with a speed of 10Mbps get a metric of 30, and interfaces with a speed of 100Mbps get a metric of 20. The lower the number, the more preferred the route is.

The DNS tab of the Advanced TCP/IP Settings dialog box, shown in Figure 1.7, allows you to configure multiple additional DNS servers that the network connection should use and the order in which they should be contacted. In addition, you can modify the behavior of Windows in relationship to domain name suffixes.

Figure 1.7. You can specify granular configuration information on the DNS tab of the Advanced TCP/IP Settings dialog box.
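
The default-gateway and route-metric behaviour described in this section (on-subnet delivery, lowest metric preferred, no off-subnet reach without a gateway) can be modelled in a few lines. This is an added example, not code from the book or from Windows; the function names, the sample addresses and the rule that a gateway outside the adapter's subnet is ignored are assumptions of this simplified model.

```python
import ipaddress

# Automatic interface metrics quoted in the chapter (link speed in Mbps -> metric).
AUTO_METRIC = {10: 30, 100: 20}


def usable_gateways(interface, gateways):
    """Keep only gateways on the adapter's own subnet (model assumption).

    interface -- adapter address in CIDR form, e.g. "192.168.0.154/24"
    gateways  -- list of (gateway_ip, metric); metric None means automatic
    """
    net = ipaddress.ip_interface(interface).network
    return [(gw, m) for gw, m in gateways if ipaddress.ip_address(gw) in net]


def next_hop(interface, gateways, destination, link_mbps=100):
    """Decide how a packet to `destination` leaves the adapter.

    Returns ("on-link", destination), ("gateway", gateway_ip), or
    ("unreachable", None) when the destination is off-subnet and no
    usable default gateway is configured.
    """
    dest = ipaddress.ip_address(destination)
    if dest in ipaddress.ip_interface(interface).network:
        return ("on-link", str(dest))
    candidates = usable_gateways(interface, gateways)
    if not candidates:
        return ("unreachable", None)
    auto = AUTO_METRIC[link_mbps]
    # Lowest metric wins; min() keeps the first entry on a tie.
    gw, _ = min(candidates, key=lambda g: auto if g[1] is None else g[1])
    return ("gateway", gw)


# Constructed sample configuration; all addresses are illustrative.
SERVER = "192.168.0.154/24"
GATEWAYS = [("192.168.0.1", None), ("192.168.0.2", 10), ("10.0.0.1", 1)]

if __name__ == "__main__":
    for target in ("192.168.0.20", "172.16.5.9"):
        print(target, next_hop(SERVER, GATEWAYS, target))
    # Same server with no default gateway: it cannot answer off-subnet hosts.
    print("172.16.5.9", next_hop(SERVER, [], "172.16.5.9"))
```

The 10.0.0.1 entry carries the lowest metric but is never chosen because it is not on the adapter's subnet, which makes the model useful for reviewing a server that is meant to stay subnet-local.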
Selecting the Append Primary and Connection Specific DNS Suffixes option specifies that name resolution for unqualified names that are queried on the computer is to be limited to the domain suffixes of the primary and connection-specific suffixes. For example, suppose that your primary DNS suffix is corp.quepublishing.com and you attempt to ping a computer by issuing the following command:

ping filesvr042

In this case, your server will query the DNS servers for filesvr042.corp.quepublishing.com. If you have a connection-specific suffix domain name configured on an adapter, such as indianapolis.corp.quepublishing.com, your computer will also query for filesvr042.indianapolis.corp.quepublishing.com.

Alternatively, you can manually specify DNS suffixes that the computer should query by selecting Append These DNS Suffixes (in Order) and adding them as appropriate. For example, suppose you have selected this option and configured the DNS suffixes sales.quepublishing.com and production.quepublishing.com. Now if you attempt to ping filesvr042, the computer will attempt to query for filesvr042.sales.quepublishing.com and filesvr042.production.quepublishing.com only.

You can specify the connection-specific DNS suffix in the DNS Suffix for This Connection box. Selecting the Register This Connection's Address in DNS option specifies that the computer is to register the fully qualified domain name (FQDN) of the computer in DNS via dynamic DNS (DDNS). If you select the Use This Connection's DNS Suffix in DNS Registration option, an additional update will be made to DNS with the connection-specific information.

Before DNS was king in Microsoft Windows-based networks, WINS was used to resolve NetBIOS hostnames to IP addresses on a network. Although it is no longer required in networks running all Windows 2000 or better computers, WINS still exists to support legacy systems on networks.
To specify WINS servers that are to be used, you need only click the Add button seen in Figure 1.8, which opens the TCP/IP WINS Server input box shown in Figure 1.9. You can use the arrows to move them up and down as required to set them in the preferred order of usage. Windows Server 2003 follows in the footsteps of Windows 2000 Server by allowing you to add as many as 12 different WINS servers.

Figure 1.8. The WINS tab of the Advanced TCP/IP Settings dialog box allows you to specify how the network adapter behaves in relationship to WINS and NetBIOS.
Figure 1.9. You can add any WINS servers, if required, by using the TCP/IP WINS Server input box.
The lmhosts file is the WINS equivalent of the DNS hosts file: It contains static mappings of NetBIOS hostnames to IP addresses. If you still have an lmhosts file in use, you can specify to have it used. In addition, you can opt to import the lmhosts file to the local computer.

The last item you can configure on the WINS tab is whether you will allow NetBIOS over TCP/IP (NetBT). You can opt to use the DHCP server setting, to enable NetBT support, or to disable NetBT support. If you are operating in an environment where no legacy WINS clients exist, you can safely disable NetBT support.

The Options tab of the Advanced TCP/IP Settings dialog box, shown in Figure 1.10, contains only one item in Windows Server 2003: TCP/IP Filtering. Windows Server 2003 allows you to control the type of TCP/IP information that is sent to a computer. You can configure a universal rule for the type of data that reaches all network connections in the server, or you can configure each connection individually.

Figure 1.10. The Options tab of the Advanced TCP/IP Settings dialog box contains few options in Windows Server 2003; it allows you to configure only TCP/IP filtering.
Common TCP/IP Ports

TCP provides guaranteed packet delivery. Table 1.5 lists the common TCP ports to which you can allow or deny access.
Exam Alert: Know Your Ports
The list of TCP ports in Table 1.5 is a good start to those ports that you should memorize before exam day. This information will also come into play during your daily administrative tasks after you've passed your exam.

User Datagram Protocol (UDP) does not provide guaranteed packet delivery; rather, it makes a best-effort attempt for delivery. Table 1.6 lists common UDP ports to which you can allow or deny access.
Note: IP Port Numbers
You can get a full list of all the IP port numbers at www.iana.org/assignments/port-numbers.

Common TCP/IP Protocols

IP is composed of several different protocols. Table 1.7 lists common Internet protocol numbers to which you can allow or deny access.
Note: Internet Protocol Numbers
You can get a full list of all the Internet protocol numbers at http://support.microsoft.com/default.aspx?scid=KB;en-us;289892.

TCP/IP Packet Filtering

TCP/IP packet filtering allows you to determine the type of TCP ports that can be accessed, the UDP ports that are accessed, and more directly, which Internet protocols can access a computer. For example, you can filter port 80, which is used by HTTP. By filtering this port, you can deny access to all Web servers. Step by Step 1.2 guides you through the process of creating an IP packet filter.

Step By Step 1.2. Configuring IP Filtering
Caution: Don't Rely Solely on TCP/IP Filters
The TCP/IP filters provided in Windows can't ever replace a full-featured network protective device such as a firewall. Microsoft never intended TCP/IP filters to fulfill this role, and you should not either. In addition, you need to be aware that the TCP/IP filtering in Windows Server 2003 does not make any differentiation between outgoing and incoming requests, so you might get unexpected results.