
Configuring TCP/IP

Objective:

Configure TCP/IP addressing on a server computer.

Several important changes and improvements have been made to TCP/IP in Windows Server 2003:

  • netsh can be used to reset TCP/IP. A new netsh command has been added that allows you to reset TCP/IP back to its defaults. This takes the place of being able to remove and reinstall TCP/IP for troubleshooting in versions of Windows prior to Windows Server 2003.

  • netstat can display PIDs. A new option has been added to the netstat command that displays the process identifier (PID) of the process that is holding the active connection. You can use the Task Manager to associate a PID with a specific application. This ability can be extremely useful in determining what applications are putting data on the network on your servers, especially in a troubleshooting situation.

  • Internet Group Management Protocol version 3 (IGMPv3) is supported. Because Windows Server 2003 has built-in IGMPv3 support, hosts can request to receive multicast traffic from a specific source or from all sources except a specific source. In addition, source-specific routing allows multicast-capable routers to prevent delivery of multicast traffic to subnets with no multicast clients.

  • TCP/IP can determine the interface speed route metric. TCP/IP can now automatically determine the metric of a route, based on the speed of its interface. Interfaces with a speed of 10Mbps get a metric of 30, and interfaces with a speed of 100Mbps get a metric of 20. This allows the server to automatically treat an interface with a greater speed as preferred over one with a lower speed.

  • IPv6 is supported. Support for the forthcoming IPv6 is provided in Windows Server 2003 for future compatibility and growth options.

Exam Alert: netsh and TCP/IP

Perhaps the most likely item to appear on your exam is the fact that you will use the netsh command to reset TCP/IP back to its defaults instead of removing and reinstalling TCP/IP for troubleshooting in versions of Windows prior to Windows Server 2003.


Introducing IPv6

It's no secret that we're running out of IP addresses under the current IPv4 addressing system. Under IPv4, an IP address is a 32-bit number that consists of four binary octets separated from each other by periods, such as 11000000.10101000.00000000.10011010, which is 192.168.0.154 in dotted-decimal notation. This way of providing IP addresses provides for 2^32 (that is, 4,294,967,296) possible addresses, of which a small number is reserved for private networks and cannot be routed in the Internet.

The IPv6 addressing system aims to solve this problem by making use of a 128-bit number to represent a unique IP address. Using 128 bits gives you 2^128 (that is, 340,282,366,920,938,463,463,374,607,431,768,211,456, or 3.4 × 10^38) possible addresses. That is enough IP addresses to provide 655,570,793,348,866,943,898,599 (that is, 6.5 × 10^23) addresses for every square meter of the earth's surface. That should help solve the shortage of available public IP addresses. Of course, the true power of the IPv6 addressing system is that it allows multiple hierarchical levels of organization and flexibility in design. Both are currently lacking from the IPv4 Internet of today.

A 128-bit IPv6 address, as you might suspect, looks different from what you are used to seeing in IPv4. An IPv6 address in binary form looks like this: 0010000111011010 0000000011010011 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010. This translates into 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A in hexadecimal format.

Looks confusing, doesn't it? Well, it certainly can be if you're not accustomed to looking at IPv6 addresses. The IPv6 protocol and addressing system should all but put an end to memorizing IP addresses!

Using the IPv6 protocol, IP classes and classless interdomain routing (CIDR) will be things of the past. The three commonly used private IP ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) will be replaced by one site-local address range (FEC0::/48). The familiar loopback address of 127.0.0.1 will be replaced by ::1.

So what's up with the :: in IPv6? In the interest of making things easier, you can use a double colon (::) to represent contiguous strings of zero values. Therefore, the loopback address 0:0:0:0:0:0:0:1 can become simply ::1. Of course, you can use a double colon only once in an IPv6 address, for obvious reasons.

In addition, you can use leading zero suppression to remove the leading zeros within an individual 16-bit string. Thus, 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A becomes 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A. Of course, the drivers within the operating system and the infrastructure hardware devices (routers, switches, and so on) will handle all these conversions automatically, and they will be invisible to you.
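The two shorthand rules just described (leading zero suppression and a single ::) are shown below as an added Python example; it is not part of the original text, and the function names are hypothetical. Because one address can be written several ways, allow lists and log searches should compare addresses after normalizing them to one form.

```python
import string

def _groups(address):
    """Split a full (uncompressed) IPv6 address into eight 16-bit integers."""
    parts = address.split(":")
    ok = len(parts) == 8 and all(
        1 <= len(p) <= 4 and all(c in string.hexdigits for c in p) for p in parts
    )
    if not ok:
        raise ValueError(f"expected eight 16-bit hexadecimal groups: {address!r}")
    return [int(p, 16) for p in parts]

def compress(address):
    """Apply leading zero suppression, then replace the longest zero run with '::'."""
    groups = [format(g, "X") for g in _groups(address)]  # 00D3 -> D3, 0000 -> 0
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:
        # A lone zero group stays "0", as in the 21DA:D3:0:2F3B:... example above.
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail

def expand(address):
    """Undo both shorthands and return eight four-digit groups."""
    if address.count("::") > 1:
        # With two '::' there is no way to tell how many zero groups each one hides.
        raise ValueError("'::' may appear only once in an address")
    if "::" in address:
        head, tail = (side.split(":") if side else [] for side in address.split("::"))
        zeros = 8 - len(head) - len(tail)
        if zeros < 1:
            raise ValueError(f"too many groups: {address!r}")
        address = ":".join(head + ["0"] * zeros + tail)
    return ":".join(format(g, "04X") for g in _groups(address))

if __name__ == "__main__":
    for full in ("21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A", "0:0:0:0:0:0:0:1"):
        short = compress(full)
        print(f"{full} -> {short} -> {expand(short)}")
```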

For more information on IPv6, you can visit the official IPv6 site, located at www.ietf.org/html.charters/ipv6-charter.html, or visit the Microsoft Web site about IPv6, located at www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx.

Exam Alert: No IPv6

Don't expect to be tested on IPv6 on your exam as it is still quite some time from broad mainstream adoption.


With knowledge in hand of how IP addressing works, you can now proceed to configuring a computer's network adapter with the required TCP/IP information. You can configure a Windows Server 2003 computer with an IP address in two ways. The first is through DHCP, as discussed in Chapter 2, "Implementing, Managing, and Troubleshooting DHCP." Using DHCP has many advantages, including the following:

  • Allows for centralized management

  • Enables you to make changes at the server rather than on each computer

  • Resolves conflicts of IP addresses

  • Resolves problems when hosts move from subnet to subnet

  • Saves time because you no longer need to visit each computer to set the IP properties

Caution: What IP Address Should I Use?

If you're working in a large network, there's probably a group of people responsible for adding and removing the IP addresses assigned to the network. You should check with these gurus before you arbitrarily add an IP address to the network. A wrong IP address on your end could mean big headaches on theirs.

If you're isolated from a production environment, however, you can use whatever IP address you want.


The second way to configure a Windows Server 2003 computer with an IP address is to manually assign the IP address and other TCP/IP properties on the computer. For workstations, this method is not often chosen due to the complexity and difficulty of maintaining a large number of statically assigned IP addresses. For servers, however, the situation is much different. Any server that offers a service to the network should have a static IP address. The following list contains some of the more common server types that offer services to clients and thus require statically assigned IP addresses:

  • Domain Controllers

  • DNS, DHCP or WINS servers

  • File or print servers

  • Database or Web servers

  • Exchange servers

Note: Know Your Connections

The term connection refers to a network component that represents how one host connects to another host. Examples of connections include Local Area Network (LAN), Wide Area Network (WAN), or Dial-Up Networking (DUN).


Step by Step 1.1 describes the process of configuring the TCP/IP properties for a Windows Server 2003 computer's network adapter.

Step by Step 1.1. Configuring TCP/IP

1. Open the Network Connections window by selecting Start, Settings, Network Connections. The Network Connections window, shown in Figure 1.2, displays all configured connections on the computer.

Figure 1.2. The Network Connections window displays all configured network connections for a computer.

2. Double-click the Local Area Connection icon to bring up the Local Area Connection Status dialog box, as shown in Figure 1.3.

Figure 1.3. The Local Area Connection Status dialog box displays general statistics about the network connection.

3. Click the Properties button to open the Local Area Connection Properties dialog box, as shown in Figure 1.4.

Figure 1.4. The Local Area Connection Properties dialog box allows you to configure network connection properties.

4. On the General tab, select Internet Protocol (TCP/IP) and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box opens, as shown in Figure 1.5.

Figure 1.5. The Internet Protocol (TCP/IP) Properties dialog box is used to configure TCP/IP settings for a network connection.

5. As you can see in Figure 1.5, the IP address, subnet mask, default gateway, and DNS servers are statically assigned. The server in this example is providing network services, including DNS and DHCP, to network clients and thus requires a static IP address. If you want to have the network adapter acquire its IP address information from a DHCP server, select the options Obtain an IP Address Automatically and Obtain DNS Server Address Automatically. You can also have the IP address information provided by DHCP and manually specify the DNS server addresses if you choose. After you make your selections, click OK to accept them.

6. Click Close to close the Local Area Connection Properties dialog box.

Note: DNS Servers

DNS servers provide a crucial network service for networks of all sizes. DNS servers provide forward (domain name-to-IP address) and reverse (IP address-to-domain name) lookups to network clients. Using DNS allows you to remember an easy domain name, such as www.microsoft.com, instead of an IP address, such as 207.46.134.190. When you enter www.microsoft.com into a browser, one or more Internet DNS servers provide name resolution services for you, allowing you to make a connection to the Microsoft Web site. The same concept applies to private networks. DNS is discussed in more detail in Chapter 3, "Implementing and Managing DNS."


Exam Alert: Configuring a Gateway

The discussion about whether the default gateway is a required portion of a valid IP address is an ongoing one in many circles. If you recall the fact that a default gateway is required only when a computer must route packets off its own subnet, you can say that it is not always a required portion of the TCP/IP configuration information. In some cases, you might have a very good reason not to configure a default gateway, as in the example of a server that you do not want to be able to communicate with clients outside its own subnet; not having a default gateway adds a small bit of extra security in this case. However, when you take your exam, you should always assume that a default gateway is required and should be configured on a server unless specifically told otherwise.


The following section describes how to make additional configuration settings, if required.

Advanced TCP/IP Configuration

After you've performed the initial configuration of TCP/IP, you might still need to configure some additional settings on the protocol. On the TCP/IP Properties dialog box, you can access these settings by clicking the Advanced button, which causes the Advanced TCP/IP Settings dialog box, shown in Figure 1.6, to appear.

Figure 1.6. The Advanced TCP/IP Settings dialog box is used to configure additional, advanced TCP/IP settings for a network connection.


As you can see in Figure 1.6, the IP Settings tab displays the currently configured IP address and default gateway. From this tab, you can add additional IP addresses to the network adapter. This option is rarely used for most servers; however, it might be used if the computer hosts one or more Web sites. You can assign two IP addresses to one adapter. Each IP address represents a different domain name hosted on the server.

You can also specify additional default gateways, including the option to manually configure the route metric associated with each gateway. The route metric can be thought of as the "cost" of using a specific route: Each hop along the route has a specific cost that is dependent on several factors, including the actual monetary cost of the link and the speed of the link. Lower metrics typically equal faster routes and thus are preferred. Recall that Windows Server 2003 automatically assigns metrics based on the speed of the network interface. As mentioned earlier in this chapter, interfaces with a speed of 10Mbps get a metric of 30, and interfaces with a speed of 100Mbps get a metric of 20. The lower the number, the more preferred the route is.

The DNS tab of the Advanced TCP/IP Settings dialog box, shown in Figure 1.7, allows you to configure additional DNS servers that the network connection should use and the order in which they should be contacted. In addition, you can modify the behavior of Windows in relationship to domain name suffixes.

Figure 1.7. You can specify granular configuration information on the DNS tab of the Advanced TCP/IP Settings dialog box.


Selecting the Append Primary and Connection Specific DNS Suffixes option specifies that name resolution for unqualified names that are queried on the computer is to be limited to the domain suffixes of the primary and connection-specific suffixes. For example, suppose that your primary DNS suffix is corp.quepublishing.com and you attempt to ping a computer by issuing the following command:

ping filesvr042


In this case, your server will query the DNS servers for filesvr042.corp.quepublishing.com. If you have a connection-specific suffix domain name configured on an adapter, such as indianapolis.corp.quepublishing.com, your computer will also query for filesvr042.indianapolis.corp.quepublishing.com.

Alternatively, you can manually specify DNS suffixes that the computer should query by selecting Append These DNS Suffixes (in Order) and adding them as appropriate. For example, suppose you have selected this option and configured the DNS suffixes sales.quepublishing.com and production.quepublishing.com. Now if you attempt to ping filesvr042, the computer will attempt to query for filesvr042.sales.quepublishing.com and filesvr042.production.quepublishing.com only.

You can specify the connection-specific DNS suffix in the DNS Suffix for This Connection box. Selecting the Register This Connection's Address in DNS option specifies that the computer is to register the fully qualified domain name (FQDN) of the computer in DNS via dynamic DNS (DDNS). If you select the Use This Connection's DNS Suffix in DNS Registration option, an additional update will be made to DNS with the connection-specific information.

Before DNS was king in Microsoft Windows-based networks, WINS was used to resolve NetBIOS hostnames to IP addresses on a network. Although it is no longer required in networks running all Windows 2000 or better computers, WINS still exists to support legacy systems on networks.

To specify WINS servers that are to be used, you need only click the Add button seen in Figure 1.8, which opens the TCP/IP WINS Server input box shown in Figure 1.9. You can use the arrows to move them up and down as required to set them in the preferred order of usage. Windows Server 2003 follows in the footsteps of Windows 2000 Server by allowing you to add as many as 12 different WINS servers.

Figure 1.8. The WINS tab of the Advanced TCP/IP Settings dialog box allows you to specify how the network adapter behaves in relationship to WINS and NetBIOS.


Figure 1.9. You can add any WINS servers, if required, by using the TCP/IP WINS Server input box.


The lmhosts file is the WINS equivalent of the DNS hosts file: It contains static mappings of NetBIOS hostnames-to-IP addresses. If you still have an lmhosts file in use, you can specify to have it used. In addition, you can opt to import the lmhosts file to the local computer.

The last item you can configure on the WINS tab is whether you will allow NetBIOS over TCP/IP (NetBT). You can opt to use the DHCP server setting, to enable NetBT support, or to disable NetBT support. If you are operating in an environment where no legacy WINS clients exist, you can safely disable NetBT support.

The Options tab of the Advanced TCP/IP Settings dialog box, shown in Figure 1.10, contains only one item in Windows Server 2003: TCP/IP Filtering. Windows Server 2003 allows you to control the type of TCP/IP information that is sent to a computer. You can configure a universal rule for the type of data that reaches all network connections in the server, or you can configure each connection individually.

Figure 1.10. The Options tab of the Advanced TCP/IP Settings dialog box contains few options in Windows Server 2003; it allows you to configure only TCP/IP filtering.


Common TCP/IP Ports

TCP provides guaranteed packet delivery. Table 1.5 lists the common TCP ports to which you can allow or deny access.

Table 1.5. Common TCP Port Numbers

TCP Port Number   Description
20                FTP data channel
21                FTP control channel
22                SSH Remote Login Protocol
23                Telnet
25                Simple Mail Transfer Protocol (SMTP)
53                Domain Name System (DNS)
69                Trivial File Transfer Protocol (TFTP)
80                Hypertext Transfer Protocol (HTTP)
110               Post Office Protocol version 3 (POP3)
137               NetBIOS Name Service (NBNS)
138               NetBIOS Datagram Service
139               NetBIOS Session Service
161               Simple Network Management Protocol (SNMP)
389               Lightweight Directory Access Protocol (LDAP)
443               Secure HTTP using SSL/TLS (HTTPS)


Exam Alert: Know Your Ports

The list of TCP ports in Table 1.5 is a good start to those ports that you should memorize before exam day. This information will also come into play during your daily administrative tasks after you've passed your exam.


User Datagram Protocol (UDP) does not provide guaranteed packet delivery; rather, it makes a best-effort attempt for delivery. Table 1.6 lists common UDP ports to which you can allow or deny access.

Table 1.6. Common UDP Port Numbers

UDP Port Number   Description
20                FTP data channel
21                FTP control channel
22                SSH Remote Login Protocol
23                Telnet
25                SMTP
53                DNS
69                TFTP
80                HTTP
110               POP3
137               NBNS
138               NetBIOS Datagram Service
139               NetBIOS Session Service
161               SNMP
389               LDAP
443               HTTPS
520               Routing Information Protocol (RIP)


Note: IP Port Numbers

You can get a full list of all the IP port numbers at www.iana.org/assignments/port-numbers.


Common TCP/IP Protocols

IP is composed of several different protocols. Table 1.7 lists common Internet protocol numbers to which you can allow or deny access.

Table 1.7. Common Internet Protocol Numbers

Protocol Number   Protocol
1                 Internet Control Message Protocol (ICMP)
2                 Internet Group Management Protocol (IGMP)
3                 Gateway-to-Gateway Protocol (GGP)
4                 IP in IP (encapsulation)
5                 Stream (ST)
6                 TCP
7                 Computer-base training (CBT)
8                 Exterior Gateway Protocol (EGP)


Note: Internet Protocol Numbers

You can get a full list of all the Internet protocol numbers at http://support.microsoft.com/default.aspx?scid=KB;en-us;289892.


TCP/IP Packet Filtering

TCP/IP packet filtering allows you to determine which TCP ports can be accessed, which UDP ports can be accessed, and, more directly, which Internet protocols can access a computer. For example, you can filter port 80, which is used by HTTP. By filtering this port, you can deny access to all Web servers.

Step by Step 1.2 guides you through the process of creating an IP packet filter.

Step by Step 1.2. Configuring IP Filtering

1. Open the Network Connections window by selecting Start, Settings, Network Connections.

2. Double-click the Local Area Connection icon to bring up the Local Area Connection Status dialog box.

3. Click the Properties button to open the Local Area Connection Properties dialog box.

4. On the General tab, select Internet Protocol (TCP/IP) and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box opens.

5. From this General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button. The Advanced TCP/IP Settings dialog box opens.

6. Click the Options tab (refer to Figure 1.9) and click the Properties button to open the TCP/IP Filtering dialog box, as shown in Figure 1.11.

Figure 1.11. You configure TCP/IP filters for a network connection from the TCP/IP Filtering dialog box.

7. Select the Enable TCP/IP Filtering (All Adapters) option to enable TCP/IP filters.

8. Above TCP Ports, select the Permit Only option and then click the Add button. The Add Filter dialog box opens.

9. Specify port number 23 for Telnet sessions, and then click OK.

10. Click Add and enter port number 80 for Web access, and then click OK.

11. Select the Permit Only option for UDP ports and then click the Add button.

12. Enter port number 69 for TFTP sessions, and then click OK.

13. Click Add and enter port number 161 for SNMP, and then click OK.

14. Click OK to approve these settings, which allow only TCP ports 23 and 80 and UDP ports 69 and 161 to be accessed on the server.

Caution: Don't Rely Solely on TCP/IP Filters

The TCP/IP filters provided in Windows can't ever replace a full-featured network protective device such as a firewall. Microsoft never intended TCP/IP filters to fulfill this role, and you should not either. In addition, you need to be aware that the TCP/IP filtering in Windows Server 2003 does not make any differentiation between outgoing and incoming requests, so you might get unexpected results.
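Before enabling the Permit Only lists from Step by Step 1.2, it helps to know which services the server actually exposes, and the PID column that netstat can now display ties each listener to a process you can look up in Task Manager. The Python sketch below is an added example, not part of the original text: it parses a constructed sample of `netstat -ano` output and compares the listeners with the permit lists. The sample output, PIDs, and function names are assumptions.

```python
import re

# Permit Only lists configured in Step by Step 1.2.
PERMIT_ONLY = {"TCP": {23, 80}, "UDP": {69, 161}}

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1584
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2040
  TCP    192.168.0.154:80       192.168.0.77:1067      ESTABLISHED     1584
  UDP    0.0.0.0:161            *:*                                    1320
  UDP    192.168.0.154:137      *:*                                    4
"""

# Proto, local address:port, foreign address, optional state (UDP has none), PID.
LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

def listeners(netstat_text):
    """Return {(proto, port): set of PIDs} for sockets that accept new traffic."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, column header, or blank line
        proto, _local, port, _foreign, state, pid = m.groups()
        # Only LISTENING TCP sockets accept new connections; every bound UDP
        # socket can receive datagrams, so all UDP rows count.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.setdefault((proto, int(port)), set()).add(int(pid))
    return found

def audit(netstat_text, permit=PERMIT_ONLY):
    """Compare listeners with the Permit Only lists.

    Returns (blocked, unused): listeners whose port is not permitted, with
    their PIDs, and permitted ports on which nothing is listening.
    """
    found = listeners(netstat_text)
    blocked = {k: sorted(v) for k, v in found.items() if k[1] not in permit[k[0]]}
    unused = sorted(
        (proto, port)
        for proto, ports in permit.items()
        for port in ports
        if (proto, port) not in found
    )
    return blocked, unused

if __name__ == "__main__":
    blocked, unused = audit(SAMPLE_NETSTAT)
    for (proto, port), pids in sorted(blocked.items()):
        print(f"{proto} {port} is listening (PID {pids}) but not in Permit Only")
    for proto, port in unused:
        print(f"{proto} {port} is permitted but nothing is listening on it")
```

Listeners reported as not permitted are services the filter would make unreachable; permitted ports with no listener are candidates for removal from the list.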





MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
