The System Administrator login ID for administering a computer running Microsoft SQL Server version 6 and configured for standard security. The SA account is the main administrator for the SQL Server environment and can be used to
Install new computers running SQL Server
Create new devices and databases
Configure servers and clients running SQL Server
Grant permissions to SQL Server users
Monitor disk space, memory, and connections
Back up and restore SQL Server databases
Move data in and out of SQL Server databases
Manage data replication
Schedule unattended operations
The SA account can access any application or database on the SQL Server system. If the server running SQL Server is configured for standard security, a password should be assigned to the SA by using the SQL Server Enterprise Manager. There are no restrictions on what the SA can do in SQL Server.
TIP
Anyone who has SA access to a server running SQL Server can also use the xp_cmdshell command to run almost any Microsoft Windows NT or Windows 2000 shell commands and change the configuration of your Windows-based server. So be careful who you grant SA access to.
TIP
In SQL Server 7, user accounts that are members of the Sysadmin fixed server role have the rights and privileges of the SA account. The SA account is provided in SQL Server 7 only for backward compatibility with earlier versions of SQL Server. Although SA can be used as a kind of back door to the system if you’re having problems with other administrator accounts, it should not be used for general-purpose administration of the server running SQL Server.
See also SQL Security Manager
See system access control list (SACL)
A mode of starting Microsoft Windows 95, Windows 98, and Windows 2000 that bypasses startup files and runs a basic set of files and drivers including mouse, keyboard, video, mass storage, and basic system services. Safe mode is used for troubleshooting Windows 95, Windows 98, and Windows 2000 when your system fails to boot properly—for example, due to a corrupt device driver or after you make an erroneous change to the registry. Safe mode bypasses the system startup files to allow you to start with a “clean” configuration.
To access safe mode while booting Windows 95 and Windows 98, press the F5 key when the screen shows the message “Starting Windows 95…” or “Starting Windows 98…”. You can also start safe mode from the command prompt by typing win /d:m, or press F6 instead of F5 to access safe mode with networking support. When you are in safe mode, you are informed of this by text displayed in all four corners of the screen.
To access safe mode while booting Windows 2000, press the F8 key when you see the message “Please select the operating system to start.” You will then be presented with a list of options that includes three safe mode options: standard, networking-enabled, and safe mode with command prompt. Use the arrow keys to navigate the list. Press the Enter key to make your selection.
Graphic S-1. Safe mode.
See Security Account Manager (SAM) database
See storage area network (SAN)
See Service Advertising Protocol (SAP)
See secure attention sequence (SAS)
See Security Administrator Tool for Analyzing Networks (SATAN)
Part of the indexing process used by the Microsoft Indexing Service, an optional component of Microsoft Windows 2000 Server. In Microsoft Windows NT, scanning is made available through Microsoft Index Server. Scanning is the process of inventorying virtual directories on the server that have been configured for indexing to determine whether any new documents have been added that need to be indexed.
How It Works
Scanning can take two forms:
Full scans: Scan all documents located in the directory
Incremental scans: Scan only the documents that have been modified since the last scan
If either type of scan finds documents that need to be indexed, the documents are passed to content filters that extract indexing information to form volatile indexes called word lists. This process is called filtering.
Various conditions can trigger a scan of a virtual directory:
When a new virtual directory is created and marked for indexing, a full scan is made of the directory.
When the NTFS file system determines that a document has been added to a directory marked for indexing, an incremental scan is made of the directory.
If documents in a virtual directory are physically located on a non-Windows server such as a NetWare server, Indexing Service periodically polls the server for changes to the contents of the directory; if changes are detected, an incremental scan is triggered.
When the system reboots or when the Content Index Service is restarted, incremental scans are initiated for all directories marked to be indexed.
You can manually initiate a full scan of a directory by using the Indexing Service snap-in for Microsoft Management Console (MMC).
A utility for locating, reporting, and correcting file system errors (such as lost file fragments and cross-linked files) on disks. Scandisk was originally included in version 6.2 of the MS-DOS operating system, but there are also versions for Microsoft Windows 95 and Windows 98. Scandisk is generally preferable to chkdsk because it has better error recovery features and can perform a more exhaustive surface scan if needed.
Two versions of scandisk are included with Windows 95 and Windows 98:
Scandisk.exe: The real-mode MS-DOS version, which runs at boot time if the computer was not properly shut down. This version is included on the emergency startup disk and can also be used to repair compressed volume files.
Scandskw.exe: The Windows version, which can repair long filename corruption and can be run in the background by using the /n switch.
TIP
It is a good idea to run scandisk regularly on your system because it is easier to prevent data loss due to hard drive problems than to fix it afterwards. Scandisk creates a log called scandisk.log, which you can view to find out what problems were found and what corrective actions were performed.
Connector types that are generally used for connecting fiber-optic cabling to networking devices. Both are recognized by the Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA) 568A standard.
SC stands for subscriber connector and is a standard-duplex fiber-optic connector with a square molded plastic body and push-pull locking features. SC connectors are typically used in data communication, CATV, and telephony environments.
ST stands for straight tip, a high-performance fiber-optic connector with round ceramic ferrules and bayonet locking features. ST connectors are more common than SC connectors.
You can generally use SC and ST connectors with either single-mode or multimode fiber-optic cabling. Coupling receptacles for these connectors come in either panel-mount or free-hanging designs. For narrow space installations, you can get 90-degree boot versions instead of straight versions. SC and ST connectors come in both simplex and duplex form.
Graphic S-2. SC and ST connectors.
NOTE
A third type of fiber-optic connector is the SMA connector, which has a threaded-nut locking feature. Subtypes include SMA905 and SMA906 connectors.
TIP
The best fiber-optic connectors are military-grade connectors. These connectors satisfy the MIL-C-83522 (ST) specifications and are corrosion-proof; have isolated relief boots to reduce cable strain; and are heat, shock, vibration, fungus, and salt-spray resistant.
See also fiber-optic cabling
A service in Microsoft Windows NT 4 that allows batch scripts to be scheduled and executed using the at command. The Schedule service provides the security context in which the at command can execute the batch files. If you configure the Schedule service to start up using a particular account as a security context, be sure that account is part of the Backup Operators group because the at command is typically used for scheduling backups.
In Microsoft Windows 2000, the Schedule service has been replaced by the Task Scheduler service.
TIP
You must start the Schedule service before using the at command. You can start the service by using the Services utility in Control Panel or by using the Net Start Schedule command at the command prompt. The Schedule service is dependent on the Workstation and Server services.
A set of rules for Active Directory in Microsoft Windows 2000 that defines which objects can be contained in the directory and what attributes those objects can have. The schema can be considered a formal definition of Active Directory.
Active Directory comes with a default schema that is sufficient in most instances and that defines common network objects in the directory such as users, groups, domains, and computers. You can modify the schema by using the Active Directory Schema, a snap-in for Microsoft Management Console (MMC). The schema is extensible in that new object classes and attribute types can be added to it. Members of the Schema Admins group have the necessary rights for modifying and extending the schema. The built-in Administrator account is included in this group. You can make the following types of modifications to the schema:
Create new classes and attributes
Modify existing classes and attributes
Deactivate existing classes and attributes
NOTE
Key attributes within the Active Directory schema that are prefixed with “System-” cannot be modified. This ensures consistency of the schema.
The schema is actually stored in Active Directory itself in a container under the RootDSE object.
TIP
If you modify the schema, you should wait five minutes for the modifications to be written to the system, whereupon the changes are updated in Active Directory and replicated to all domain controllers. Therefore, if you modify the schema, you should wait until the changes have replicated throughout your entire enterprise before you create new objects that use these modifications.
As a safety measure, domain controllers by default have read-only permissions on the schema. If you want to write changes to the schema, you must first modify a registry setting on the domain controller on which you plan to make modifications. (Make modifications to the schema from only one domain controller at a time.) The Schema Manager MMC snap-in offers a check box that you can use to set or clear the key. To modify the registry manually, you add the parameter Schema Update Allowed with data type REG_DWORD and a nonzero value to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
See DHCP scope
See Small Computer System Interface (SCSI)
See Synchronous Data Link Control (SDLC)
See Symmetric Digital Subscriber Line (SDSL)
A name server that downloads its Domain Name System (DNS) database of resource records from a master name server. The master name server can be either a primary name server or another secondary name server. Primary name servers get their resource records from local files called zone files. Secondary name servers do not maintain local zone files—they obtain their resource files over the network from master name servers via a zone transfer, which occurs when a secondary name server polls a master name server and determines that there are updates to the DNS database that need to be downloaded. This means that the DNS administrator has to maintain only a single set of DNS resource records (on the primary name server), which simplifies DNS administration.
Secondary name servers are used in the DNS to provide redundancy and load balancing for name resolution. On BIND implementations of DNS, secondary name servers are often referred to as slave name servers.
NOTE
A name server can be a primary name server for one zone and a secondary name server for a different zone. In other words, name servers are defined as primary or secondary on a per-zone basis.
TIP
On a corporate TCP/IP internetwork that uses DNS as its name resolution method, it is a good idea to have at least two name servers—a primary master name server, and a secondary name server for backup. Otherwise, if the primary goes down, users won’t be able to resolve server names on the network and therefore won’t be able to find and access any network resources.
BIND makes it possible for slave name servers to keep backup copies of zone files in case the master name server goes down. It is generally a good practice to keep such backup copies. You can also implement a list of up to 10 master name servers that can be tried successively by each slave name server in a very large DNS implementation. BIND v8 includes a feature whereby the primary notifies the slave when changes have been made to the primary’s DNS database. This notification process causes BIND v8 name servers to be more up to date with each other than with the polling procedure of earlier BIND implementations.
See also name server
One of the two rings used in Fiber Distributed Data Interface (FDDI) networks to interconnect stations on the network. FDDI is a dual-ring topology networking architecture based on a token-passing access method. The secondary ring usually sits dark (unused), except when a fault occurs on the primary ring, in which case the network reconfigures itself to make use of the secondary ring to wrap around the fault. Because data on the secondary ring travels in the opposite direction from data on the primary ring, the secondary ring, when put to use, reroutes data back the way it came, thus avoiding the problem spot. The dual-ring configuration provides FDDI with a degree of fault tolerance—if a computer or cable on the primary ring goes down, the secondary ring is put to use, working in conjunction with the portion of the primary ring that isn’t broken. This feature is known as a self-healing capability: the stations on both sides of the link concentrator reconfigure themselves when a failure (a cable break, a loose connector, or a device failure) occurs in the link.
NOTE
The FDDI specification allows the length of the two rings to reach up to 200 kilometers, with up to 1000 attached stations. However, since the secondary ring is usually used for redundancy purposes, a maximum of 500 stations is allowed on an FDDI network. Repeaters are needed every 2 kilometers around the rings.
TIP
Run the FDDI primary ring and secondary ring along different physical paths to make your FDDI network even more redundant. If an accident or disaster affects one of the rings, it might not affect the other.
See also Fiber Distributed Data Interface (FDDI), primary ring
The Ctrl+Alt+Delete keystroke combination in Microsoft Windows NT and Windows 2000, which displays the Windows Security dialog box. (Note that in Windows NT the dialog box is called Windows NT Security.) Users can press this key combination to do the following:
Log on to or log off of a Windows workstation
Lock the console or unlock a locked workstation
Change their passwords
Invoke Task Manager
Shut down, log off, or restart their systems
TIP
The secure attention sequence (SAS) offers protection against Trojan horse programs that masquerade as common system applications. For example, it is impossible to write a Trojan horse program that presents the user with a phony Windows Security dialog box in an attempt to steal a user’s credentials, because this program cannot be activated by the SAS. The most that a hacker can do is write a Trojan horse program that displays a Windows Security dialog box at random times while the user is already logged on. To guard against such an event, you should educate users to always use the SAS keystroke sequence even if the computer they are using already displays what appears to be the Windows Security dialog box.
The SAS also kills any logon scripts that are running and can be used to terminate scripts that have stopped responding.
An Internet protocol for encryption of Hypertext Transfer Protocol (HTTP) traffic. Secure Hypertext Transfer Protocol (S-HTTP) is an application-level protocol that extends the HTTP protocol by adding encryption to Web pages. It also provides mechanisms for authentication and signatures of messages. S-HTTP provides broad support for implementing different types of cryptographic algorithms and key management systems. Although S-HTTP systems can make use of digital certificates and public keys, messages can also be encrypted on a per-transaction basis using symmetric session keys. S-HTTP was proposed as a draft standard in 1996 and is still under development.
NOTE
S-HTTP is not as widely implemented as Secure Sockets Layer (SSL), which is independent of protocol and works with HTTP, Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and other Internet protocols.
S-HTTP is also the name given to World Wide Web (WWW) server software that implements the S-HTTP protocol. This software was developed by Enterprise Integrations Technologies (EIT), the National Center for Supercomputing Applications (NCSA), and RSA Security.
A protocol for the secure exchange of e-mail and attached documents originally developed by RSA Security. Secure/Multipurpose Internet Mail Extensions (S/MIME) adds security to Internet e-mail based on the Simple Mail Transfer Protocol (SMTP) method and adds support for digital signatures and encryption to SMTP mail to support authentication of the sender and privacy of the communication. Note that because HTTP messages can transport MIME data, they can also use S/MIME.
How It Works
S/MIME is an extension of the widely implemented Multipurpose Internet Mail Extensions (MIME) encoding standard, which defines how the body portion of an SMTP message is structured and formatted. S/MIME uses the RSA public key cryptography algorithm along with the Data Encryption Standard (DES) or Rivest-Shamir-Adleman (RSA) encryption algorithm. In an S/MIME message, the MIME body section consists of a message in PKCS #7 format that contains an encrypted form of the MIME body parts. The MIME content type for the encrypted data is application/pkcs7-mime.
NOTE
S/MIME is gaining in popularity in the enterprise because its key management facilities are implemented as a hierarchical public key infrastructure (PKI) scheme. Version 2 of S/MIME has gained some support and is defined by Request for Comments (RFC) 2311 through 2315. An Internet Engineering Task Force (IETF) working group is currently working on version 3, which is expected to become an Internet standard when it is completed.
On the Web
IETF S/MIME Working Group: http://www.imc.org/ietf-smime
A handshaking protocol for communication over the Internet that provides secure authentication and data encryption. Secure Sockets Layer (SSL) was developed by Netscape Communications for the secure transmission of information over the Internet.
How It Works
SSL works between the application and transport layers on a TCP/IP host to provide encryption of data for data security and encryption of user credentials for secure authentication. SSL uses the Rivest-Shamir-Adleman (RSA) public key cryptography method and is dependent on the implementation of digital certificates and a supporting public key infrastructure (PKI). Both the client and the server must support SSL. Because SSL is application independent, it can be used to encrypt data transmission for many application-layer Internet protocols, including Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).
An SSL handshake begins when an SSL-enabled client requests a connection with an SSL-enabled server. The server sends the client its digital certificate and public key. The client and server then negotiate a mutually acceptable level of encryption (usually 40-bit, 56-bit, or 128-bit strength, depending on legal restrictions and availability). The client then generates a session key, encrypts it with the server’s public key, and sends the encrypted session key to the server, which decrypts the session key using its private key. From that point on, the session key is used to encrypt all data exchanged between the client and server, providing secure, private communication.
TIP
A Web site that uses SSL has a Uniform Resource Locator (URL) that begins with https:// instead of http://.
The database of user and group account information stored on a domain controller in a Microsoft Windows NT–based network. The Security Account Manager (SAM) database is also known as the domain directory database, or sometimes simply the directory database.
The SAM database occupies a portion of the Windows NT registry. All user accounts, group accounts, and resource definitions such as shares and printers have their security principals defined in the SAM database. Because the entire SAM database must reside in a domain controller’s RAM, it cannot exceed about 40 MB in Windows NT, which works out to about 40,000 user accounts, or 26,000 users and Windows NT workstations combined. (The following table lists the size of common objects in a SAM database.)
The master copy of the SAM database is stored on the primary domain controller (PDC). Periodic directory synchronization ensures that backup domain controllers (BDCs) have an accurate replica of this master database, so BDCs can also be used for logons and for pass-through authentication of users attempting to access network resources.
Object Sizes in a SAM Database
Object | Size in SAM Database
User account | 1.0 KB
Computer account | 0.5 KB
Global group account | 0.5 KB plus 12 bytes per user
Local group account | 0.5 KB plus 36 bytes per user
NOTE
In Microsoft Windows 2000, the functions of the SAM database have been migrated to the more powerful and scalable Active Directory.
A free tool developed by Dan Farmer and Wietse Venema in 1995 for remotely analyzing the security of networks. Security Administrator Tool for Analyzing Networks (SATAN) consists of a variety of routines that probe a network for security holes in a similar way that hackers do. SATAN tests the vulnerabilities of TCP/IP hosts using common TCP/IP protocols, such as File Transfer Protocol (FTP), Network File System (NFS), and Network Information System (NIS), and analyzes how the host responds to requests based on these protocols. The results are stored in a database and can be displayed using a Web browser.
SATAN runs on machines running UNIX and needs the Perl interpreter to operate. Typically, SATAN identifies weaknesses in the setup and configuration of network software; network administrators can use it to check the configuration of their network software. SATAN can also identify the network services that are running and provide information about the types of hardware and software and the topology of the network.
TIP
Because SATAN is free and can be downloaded from numerous places on the Internet, it can be used both by network administrators and by hackers. If you are concerned about the possible misuse of SATAN against your network, you can obtain various types of free anti-SATAN software on the Internet that alert you to a SATAN attack so that you can take remedial action.
A unique header for an object stored in Active Directory of Microsoft Windows 2000. A security descriptor contains security identifiers (SIDs) together with a discretionary access control list (DACL) and a system access control list (SACL) that specify the access permissions for the object. Specifically, the security descriptor for an object contains the following:
The owner SID: Identifies the security principal (the owner of the object)
The group SID: Used only by Services for Macintosh and the POSIX subsystem
The DACL: Contains the access permissions and rights for the object and its attributes, along with the SIDs of the security principals who can access the object
The SACL: Contains system-wide security policies such as the auditing policy
One of two types of groups in Microsoft Windows 2000 that are created and stored in Active Directory; the other is distribution groups. Security groups are used for grouping accounts and for controlling access to resources, much in the same way that global groups and local groups are used in Microsoft Windows NT–based networks. (In other words, all groups in Windows NT are security groups.) Security groups are security principals that can contain other security principals such as user, group, and computer objects from Active Directory.
Security groups come in three types:
Domain local groups: Provide users with permissions to access resources; used only within the specific domain in which they are created
Global groups: Logically group users for administrative purposes and have visibility in the current domain and trusted domains
Universal groups: Similar to global groups but reduce global catalog replication traffic when they are used
See also distribution group
An internal number in the Security Account Manager (SAM) database of a domain controller in Microsoft Windows NT or Windows 2000 that uniquely identifies a user, group, or computer account within a domain. Security identifiers (SIDs) are used internally by Windows NT and Windows 2000 to provide user accounts with access to network resources.
How It Works
SIDs are guaranteed to be unique because they are created using a combination of user information, domain information, and time and date of account creation. The general format of a SID is a series of decimal numbers separated by dashes in the following form:
S-1-X-Y1-Y2-…
X is the value of the identifier authority, and Y1, Y2, and so on are values of subauthorities. The prefix S-1 means “SID revision 1.”
NOTE
Changing the name of a user, computer, or domain does not change the underlying SID for that account. Administrators cannot modify the SID for an account in Windows NT, and there is generally no need to know the SID assigned to a particular account. SIDs are primarily intended to be used internally by the operating system to ensure that accounts are uniquely identified to the system.
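The S-1-X-Y1-Y2-… form above, worked through as an added Python example that is not part of the original entry: a parser that validates a SID string, splits out the domain portion and the relative identifier (the last subauthority), and converts to and from the binary layout Windows uses for SIDs (revision byte, subauthority count, 48-bit big-endian identifier authority, 32-bit little-endian subauthorities). The sample SIDs are constructed except S-1-1-0, the well-known Everyone SID.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Binary SID layout (from the Windows SID structure, not from the glossary text):
#   byte 0      revision (1)
#   byte 1      number of subauthorities (at most 15)
#   bytes 2-7   identifier authority, 48-bit big-endian
#   then        each subauthority as a 32-bit little-endian integer
MAX_SUBAUTHORITIES = 15


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int        # the X in S-1-X-Y1-Y2-...
    subauthorities: Tuple[int, ...]  # Y1, Y2, ...

    def __str__(self) -> str:
        parts = ["S", str(self.revision), str(self.identifier_authority)]
        parts += [str(y) for y in self.subauthorities]
        return "-".join(parts)

    @property
    def rid(self):
        """Relative identifier: the last subauthority, which distinguishes one
        account from another within the same domain."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_sid(self) -> "Sid":
        """Everything except the RID, i.e. the part shared by every account
        issued by the same domain."""
        return Sid(self.revision, self.identifier_authority, self.subauthorities[:-1])


def parse_sid(text: str) -> Sid:
    """Parse the dashed decimal form and reject anything that cannot be a real
    SID (wrong prefix, non-numeric fields, out-of-range values)."""
    fields = text.strip().split("-")
    if len(fields) < 3 or fields[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        revision = int(fields[1])
        authority = int(fields[2])
        subs = tuple(int(f) for f in fields[3:])
    except ValueError:
        raise ValueError(f"non-numeric field in SID: {text!r}") from None
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > MAX_SUBAUTHORITIES:
        raise ValueError(f"more than {MAX_SUBAUTHORITIES} subauthorities")
    if any(not 0 <= y < (1 << 32) for y in subs):
        raise ValueError("each subauthority must fit in 32 bits")
    return Sid(revision, authority, subs)


def sid_to_bytes(sid: Sid) -> bytes:
    """Encode in the binary layout described at the top."""
    header = bytes([sid.revision, len(sid.subauthorities)])
    authority = sid.identifier_authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", y) for y in sid.subauthorities)
    return header + authority + subs


def sid_from_bytes(data: bytes) -> Sid:
    """Decode the binary layout, checking the length against the count byte so
    that a truncated or padded buffer is rejected rather than misread."""
    if len(data) < 8:
        raise ValueError("SID buffer too short for a header")
    revision, count = data[0], data[1]
    if revision != 1 or count > MAX_SUBAUTHORITIES:
        raise ValueError("malformed SID header")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match subauthority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return Sid(revision, authority, tuple(subs))
```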
A Microsoft Windows NT and Windows 2000 log that records auditing events. You can view and manage the security log by using the administrative tool Event Viewer. Entries in the security log are either success entries, which are identified by a key symbol, or failure entries, which are identified by a padlock symbol.
You can view additional details by opening the property sheet for the particular event. You can also select events by filtering the security log. You can export the security log as a .csv file and import it into a spreadsheet or database program for further analysis.
TIP
In a high-security environment, you can enable a registry parameter named CrashOnAuditFail, which causes the system to display a Stop screen when the security log is full. This prevents unaudited system access on your server. When you restart the system, you must archive the current contents of the security log before continuing. See the Microsoft Windows NT Server Resource Kit or the Microsoft Windows 2000 Server Resource Kit (both from Microsoft Press) for more information.
See also application log, system log
An object in Active Directory of Microsoft Windows 2000 that can be assigned permissions and rights.
How It Works
Three types of security principals are used in Windows 2000 networks:
User objects: Represent individual user accounts
Group objects: Can be used to group other security principals for assigning permissions and to ease administration
Computer objects: Represent individual computers running Windows 2000 on the network
Security principals are uniquely identified by security identifiers (SIDs), which provide a unique, internal, alphanumeric identifier for the security principal.
A server or device on a network that authenticates users trying to log on or access network resources. In a Microsoft Windows NT–based or Windows 2000–based network, special servers called domain controllers act as security providers and handle tasks such as user logons and control of resource access. If all domain controllers are temporarily offline, users can still log on to their local computers and use local computer resources but cannot be authenticated for accessing resources elsewhere on the network.
Microsoft Windows 95 and Windows 98 can operate as stand-alone computing environments or as part of a Windows NT or Windows 2000 domain. If files on a computer running Windows 95 or Windows 98 will be shared by users on a Windows NT–based or Windows 2000–based network, be sure that you have configured Windows 95 or Windows 98 networking to use user-level security instead of the more common share-level security used in workgroup environments.
A component of the Microsoft Windows NT executive running in kernel mode that acts like a security watchdog, enforcing security when applications try to access system resources. The Security Reference Monitor decides whether a given process should be granted access rights to an object. It does this by comparing the access token attached to the process to the discretionary access control list (DACL) attached to the object that the process is trying to access. It compares the security identifiers (SIDs) in the DACL entry by entry to the SIDs in the access token to see what level of access the process should be granted. If any of the DACL SIDs denies the requested access, the process is denied access to the object. The Security Reference Monitor also ensures that auditing takes place if auditing is configured in the local security policy.
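The owner SID, group SID, DACL and SACL of a security descriptor (see the security descriptor entry) and the entry-by-entry comparison the Security Reference Monitor performs, as an added Python example that is not from the original text: a simplified access check over constructed SIDs and constructed access-right bits (not the Win32 constants) that also returns the audit records a SACL would request. Only S-1-1-0 (Everyone) is a real well-known SID; the domain and account SIDs are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access-right bits for this example. Constructed for illustration; they are
# not the Win32 ACCESS_MASK constants.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

# SIDs used in the sample data. S-1-1-0 is the well-known Everyone SID; the
# domain SID and the account RIDs under it are constructed.
EVERYONE = "S-1-1-0"
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ALICE = DOMAIN + "-1104"
BOB = DOMAIN + "-1105"
CAROL = DOMAIN + "-1106"
DOMAIN_ADMINS = DOMAIN + "-512"


@dataclass(frozen=True)
class Ace:
    """One DACL entry: which SID, which rights, and whether it allows or denies."""
    sid: str
    mask: int
    deny: bool = False


@dataclass(frozen=True)
class AuditAce:
    """One SACL entry: which accesses by which SID are to be audited."""
    sid: str
    mask: int
    on_success: bool = True
    on_failure: bool = True


@dataclass
class SecurityDescriptor:
    """Owner SID, group SID, DACL and SACL, as listed in the glossary entry."""
    owner_sid: str
    group_sid: str
    dacl: Optional[List[Ace]]   # None: no DACL, everyone gets everything; []: nobody gets anything
    sacl: List[AuditAce] = field(default_factory=list)


@dataclass
class AccessToken:
    """The SIDs a process carries: its user SID plus the groups it belongs to."""
    user_sid: str
    group_sids: Set[str]


def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int,
                 auditing_enabled: bool = True) -> Tuple[bool, List[Tuple[str, str, int]]]:
    """Simplified reference-monitor decision: walk the DACL in order, comparing
    each ACE's SID with the SIDs in the token. A matching deny ACE that covers
    any right not yet granted ends the check with a denial; matching allow ACEs
    accumulate rights until every desired bit is granted. Audit records are then
    produced from the SACL for the outcome. Returns (granted, audit_records)."""
    token_sids = {token.user_sid} | set(token.group_sids)
    if sd.dacl is None:
        granted = True
    else:
        remaining, denied = desired, False
        for ace in sd.dacl:
            if ace.sid not in token_sids:
                continue                  # this ACE does not apply to the token
            if ace.deny:
                if ace.mask & remaining:
                    denied = True         # a still-wanted right is explicitly denied
                    break
            else:
                remaining &= ~ace.mask    # these rights are now granted
                if remaining == 0:
                    break                 # nothing left to ask for
        granted = not denied and remaining == 0
    audits = []
    if auditing_enabled:
        outcome = "success" if granted else "failure"
        for entry in sd.sacl:
            wanted = entry.on_success if granted else entry.on_failure
            if wanted and entry.sid in token_sids and entry.mask & desired:
                audits.append((outcome, token.user_sid, desired))
    return granted, audits


def sample_descriptor() -> SecurityDescriptor:
    """Constructed descriptor for a file: Alice owns it, Domain Admins have full
    control, Everyone may read and execute, Alice may also write, and Bob is
    explicitly denied write and delete. The deny ACE is listed first, which is
    the canonical DACL order. The SACL audits failed write or delete attempts."""
    return SecurityDescriptor(
        owner_sid=ALICE, group_sid=DOMAIN_ADMINS,
        dacl=[
            Ace(BOB, WRITE | DELETE, deny=True),
            Ace(DOMAIN_ADMINS, FULL),
            Ace(EVERYONE, READ | EXECUTE),
            Ace(ALICE, WRITE),
        ],
        sacl=[AuditAce(EVERYONE, WRITE | DELETE, on_success=False)],
    )
```

The last assertion in a test of this code is the instructive one: an allow ACE placed ahead of a deny ACE lets the deny go unseen, which is why deny entries are ordered first.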
The component of the Microsoft Windows NT and Windows 2000 operating systems that validates logons and authenticates access to network resources. Portions of the security subsystem run in kernel mode and portions run in user mode, as shown in the following diagram. The components that work together to provide security in Windows NT and Windows 2000 include the following:
Local Security Authority (LSA): Checks to see whether users have permission to access the system itself. The LSA manages the local security policy, generates access tokens, supports interactive logons, and manages auditing.
Logon processes: Display the Windows NT and Windows 2000 Security dialog boxes, in which a user can log on to the system interactively. Windows NT and Windows 2000 also include remote logon processes for pass-through authentication by remote users who want to access network resources.
Security Account Manager (SAM) database: The database in the registry that contains the user and group account credentials. The LSA uses the SAM database to determine whether to allow a user to log on to the network.
Security Reference Monitor: Checks to see whether users have permission to access a particular object, such as a file on an NTFS volume. The Security Reference Monitor enforces the access validation functions of the LSA and generates audit messages (if this feature is enabled).
Graphic S-3. Security subsystem.
A feature of Microsoft Internet Explorer that allows users to designate which intranets and portions of the Internet are trusted or distrusted. The more trusted a zone is, the broader the permissions it grants for executing scripts, Microsoft ActiveX controls, and Java applets, and for executing other potentially hazardous actions. Security settings for a zone can be high, medium, low, or custom.
Here are the zones you can configure and their default security settings:
Internet zone (medium): For sites on the Internet that are considered unsafe and for which access is restricted
Local intranet zone (medium): For internal sites that are connected to the local network
Trusted sites zone (low): For Internet sites that are considered safe for unrestricted access
Restricted sites zone (high): For sites on the Internet that have not been determined either safe or unsafe and are thus considered extremely dangerous
A fifth zone, which is defined as trusted but which cannot be configured, is the My Computer zone, which consists of the local system’s resources.
Graphic S-4. The Security tab in the Internet Options dialog box.
The process of dividing a large network into smaller, connected networks. Segmentation improves the performance of Ethernet networks by reducing the size of collision domains. Because stations on an Ethernet network use contention to try to use the networking media, fewer stations in a given network segment means less contention and better network performance. Bridges or routers are generally used to segment an Ethernet network into smaller collision domains.
The term “segmentation” also refers to the process by which routers break down oversized frames into smaller portions that are sequenced, forwarded, and then reassembled at the receiving station. Segmentation is usually a sign that the network is misconfigured because segmentation eats valuable CPU cycles on routers and produces greater latency in network communication.
A page that is printed between print jobs. In the old days, separator pages indicated when one print job finished and the next one began. In Microsoft Windows NT and Windows 2000, separator pages can have two functions:
Separating printed output in a multiuser environment so that users can more easily retrieve their print jobs
Switching a print device between different print modes (if the device has this capability)—for example, switching between Printer Control Language (PCL) mode and Postscript mode
Windows NT and Windows 2000 include three separator pages, which are located in the \Winnt\System32 directory:
Pcl.sep: Switches the printing mode to PCL printing, typically for printers made by Hewlett-Packard. A separator page is also printed.
Pscript.sep: Switches the printing mode to Postscript for supported printers. No separator page is printed.
Sysprint.sep: Functions like pscript.sep but also prints a separator page.
Windows 2000 includes a fourth separator page, sysprtj.sep, which is similar to sysprint.sep.
You can use Notepad to edit any default separator page file to create a custom separator file. You can add new lines by using printer escape codes such as those shown in the following table.
Escape Codes for Custom Separator Pages
Code | Function |
@D | Prints the date that the job was submitted. (Use Regional Settings in Control Panel to specify the format.) |
@E | Ejects the page. (Use at the end of a separator page.) |
@Fpathname | Prints the contents of the file specified by “pathname” without performing any processing of the file. |
@Hnn | Sends escape code nn to the printer (device-specific functionality). |
@I | Prints the job number. |
@L | Prints the following characters as is until the next escape code is encountered. |
@N | Prints the name of the user who submitted the job. |
@T | Prints the time that the job was submitted. |
@n | Skips n lines. |
@0 | Skips to the next line. |
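As an added example (not code from the page or from Microsoft), here is a small Python renderer for the escape codes in the table above. It assumes the stock .sep convention that the first line of the file holds only the escape character, that template line breaks are not printed (only @n and @0 are), reads @n as n+1 line feeds, and resolves @F paths only beneath a given directory; the template, job values and banner file are constructed.

```python
"""Renderer for the Windows NT/2000 separator-page escape codes listed above.

Added example, not Microsoft's code. Assumptions: as in the stock .sep files,
the first line of a template holds only the escape character (here "@");
line breaks in the template itself are not printed, only @n and @0 are;
@n is read as n+1 line feeds; @F paths are resolved beneath base_dir only.
"""
from __future__ import annotations

from datetime import datetime
from pathlib import Path


def render_separator(template: str, job: dict, base_dir: Path) -> str:
    """Expand a separator-page template into the text sent to the printer.

    job carries 'user', 'job_id' and 'submitted' (a datetime). Restricting
    @F to base_dir is a defensive choice of this example, not a documented
    spooler behaviour: a template can then include only files placed there.
    """
    first_line, _, body = template.partition("\n")
    if len(first_line) != 1:
        raise ValueError("first line must contain only the escape character")
    esc = first_line
    base = base_dir.resolve()
    out: list[str] = []
    literal = False  # set by @L: copy characters until the next escape code
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != esc:
            if literal and ch not in "\r\n":
                out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling escape character at end of template")
        code = body[i + 1]
        i += 2
        literal = False  # any escape code ends @L mode
        if code == "D":                       # date the job was submitted
            out.append(job["submitted"].strftime("%Y-%m-%d"))  # ISO form assumed
        elif code == "T":                     # time the job was submitted
            out.append(job["submitted"].strftime("%H:%M"))
        elif code == "I":                     # job number
            out.append(str(job["job_id"]))
        elif code == "N":                     # user who submitted the job
            out.append(job["user"])
        elif code == "E":                     # eject the page (form feed)
            out.append("\f")
        elif code == "L":                     # literal text follows
            literal = True
        elif code == "H":                     # @Hnn: raw device byte, nn in hex
            nn = body[i:i + 2]
            if len(nn) != 2 or not all(c in "0123456789abcdefABCDEF" for c in nn):
                raise ValueError("@H needs two hexadecimal digits")
            out.append(chr(int(nn, 16)))
            i += 2
        elif code == "F":                     # @Fpathname: copy a file verbatim
            end = len(body)
            for stop in (body.find("\n", i), body.find(esc, i)):
                if stop != -1:
                    end = min(end, stop)
            rel = body[i:end].strip()
            i = end
            target = (base / rel).resolve()
            if base not in target.parents:
                raise PermissionError(f"@F path leaves {base}: {rel}")
            out.append(target.read_text())
        elif code.isdigit():                  # @n: skip n lines; @0 = next line
            out.append("\n" * (int(code) + 1))
        else:
            raise ValueError(f"unknown separator code {esc}{code}")
    return "".join(out)


# Constructed sample template: a PCL control byte via @H, a labelled header,
# then a banner file and a page eject.
SAMPLE_TEMPLATE = (
    "@\n"
    "@H1B@L&l1T@0\n"
    "@LUser: @N@0\n"
    "@LJob : @I@0\n"
    "@LDate: @D@L @T@0\n"
    "@FBANNER.TXT\n"
    "@E\n"
)


def render_sample(base_dir: Path) -> str:
    """Write a constructed BANNER.TXT into base_dir and render SAMPLE_TEMPLATE."""
    (base_dir / "BANNER.TXT").write_text("--- constructed banner ---\n")
    job = {"user": "alice", "job_id": 17, "submitted": datetime(2000, 5, 1, 9, 30)}
    return render_separator(SAMPLE_TEMPLATE, job, base_dir)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print(repr(render_sample(Path(tmp))))
```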
TIP
If a printer can auto-switch between printing modes (by identifying the type of the rendered file sent to it), you do not need to specify a separator page.
See serial transmission
An industry standard protocol developed in 1984 for UNIX environments that supports TCP/IP networking over serial transmission lines. These serial lines are typically dial-up connections using a modem. Serial Line Internet Protocol (SLIP) can provide TCP/IP hosts with dial-up access to the Internet by using SLIP servers located at Internet service providers (ISPs).
NOTE
SLIP is an older serial line protocol that doesn’t support automatic negotiation of network configurations. It has been largely replaced by the Point-to-Point Protocol (PPP) for the following reasons:
SLIP supports only TCP/IP, while PPP is a multiprotocol encapsulation protocol that can also support Internetwork Packet Exchange (IPX) and AppleTalk. This is not an issue, however, if you are connecting to the Internet, which is strictly TCP/IP-based.
SLIP generally requires that the host’s TCP/IP parameters be configured manually, while PPP can negotiate the parameters during session establishment. These parameters include the IP address of the host, the window size, and compression.
SLIP might require the user to write a script for automating the logon process, while PPP supports both the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP), which let you automatically forward your credentials to the PPP server for authentication.
Microsoft Windows NT and Windows 2000 can function as SLIP clients but not as SLIP servers. Windows NT Remote Access Service (RAS) and Windows 2000 Routing and Remote Access servers cannot accept connections from SLIP clients.
A form of signal transmission that sends information one bit at a time over a single data channel. Serial interfaces are generally used to connect data communications equipment (DCE) such as modems to data terminal equipment (DTE) such as computers and terminals and for connecting a DCE to a DTE. The term “interface” indicates that these specifications describe how to establish an electrical (pinning) and mechanical (connector) shared boundary between devices. An interface specifies a series of protocols, an arrangement of pins, special control signals, and other functions that enable devices to communicate with each other.
The common specifications for serial interfaces include the following:
RS-232: The most commonly used serial interface in ordinary network communication, which supports transmission over a range of 0 to 20 Kbps at distances of up to 50 feet (15.24 meters). RS-232 can use either DB9 or DB25 connectors.
RS-422: Specifies a balanced electrical interface but no specific mechanical interface for point-to-point serial communication. RS-422 typically uses either DB9 or DB37 connectors.
RS-423: Similar to RS-422, except that unbalanced lines are used instead of balanced ones.
RS-449: Specifies the mechanical interface for RS-422 and RS-423 and is used with these interfaces for high-speed serial communication with Channel Service Unit/Data Service Units (CSU/DSUs) and routers.
RS-485: Defines a balanced, multipoint interface using tristate drivers to reduce noise. The combined interface RS-422/485 allows you to daisy-chain up to 31 serial devices to a single serial port and is typically used for interfacing industrial sensors and measuring equipment to a computer.
RS-530: A successor to RS-232 and RS-449 that provides high-speed synchronous and asynchronous serial communication of up to 2 Mbps.
V.35: An International Telecommunication Union (ITU) standard for data transmission at 48 Kbps that is typically used for connecting CSU/DSUs and routers for wide area network (WAN) communication over digital data service (DDS) lines. V.35 uses a block-shaped 34-pin connector.
X.21: An ITU standard for synchronous communication between DTEs and DCEs on public X.25 packet-switched networks. X.21 typically uses a DB15 connector.
NOTE
Serial interfaces such as RS-232 are the most commonly used protocol for devices called line drivers, which enable terminals and hosts to be connected over phone lines and extend the distance over which the serial interface can function by regenerating the signal.
Related terminology includes
Serial cable: A cable used to connect pieces of DCE to pieces of DTE by using a serial interface
Serial port: A plug or connector on pieces of DTE that can use serial transmission to send and receive data
See also parallel transmission, RS-232, V.35
See Q-series protocols
A computer whose role in a network is to provide services and resources to users. Servers usually have one or more specific roles in a network:
Application servers are used as the back end in a client/server environment. An example of an application server is Microsoft Exchange Server, which functions as the back end of a client/server messaging system that includes Microsoft Outlook as the front-end user interface.
File and print servers provide users with centralized locations for storing files and accessing print devices. Microsoft Windows 2000 member servers and Windows 2000 servers running Internet Information Services (IIS) are examples of file servers.
Authentication servers or security servers validate users for logging on and accessing network resources. An example is a Windows 2000 domain controller.
Web servers can be used to host anything from static Hypertext Markup Language (HTML) pages to commercial Web applications such as online storefronts. IIS is an ideal platform for developing Web-based applications using Active Server Pages (ASP) technology.
A network in which network security and storage are managed centrally by one or more servers.
How It Works
In a server-based network, special computers called servers handle network tasks such as authenticating users, storing files, managing printers, and running applications such as database and e-mail programs. Security is generally centralized in a security provider, which allows users to have one user account for logging on to any computer in the network. Because files are stored centrally, they can be easily secured and backed up.
Server-based networks are more costly and complex to set up and administer than peer-to-peer networks, and they often require the services of a full-time network administrator. They are ideal for businesses that are concerned about security and file integrity and have more than 10 computers.
Microsoft Windows NT and Windows 2000 are ideal operating systems for server-based networks. They offer centralized network administration, networking that is easy to set up and configure, NTFS file system security, file and print sharing, user profiles that allow multiple users to share one computer or allow one user to log on to many computers, Routing and Remote Access for supporting mobile users, and Internet Information Services (IIS) for establishing an intranet or Internet presence.
See also peer-to-peer network
A digital certificate obtained for a server application such as Microsoft Internet Information Services (IIS) that the server can use to digitally sign data that it transmits. The server certificate contains the server’s identification information and public key. The client (a Web browser, for example) that communicates with the server validates the identity of the server using the CA certificate of the certificate authority (CA) issuing digital certificates for the enterprise.
NOTE
Use server certificates when it is important for clients to validate the identity of your servers—for example, when you are running an online store built around a Web server and using the Secure Sockets Layer (SSL) protocol. You must obtain your server certificate from a public, third-party certificate authority that is already recognized by the client, such as VeriSign, Inc., or have the client first install the CA certificate of your own CA server, such as Microsoft Certificate Server.
See also CA certificate, client certificate
A Microsoft Windows NT administrative tool for managing Windows NT domains and servers. You can use Server Manager to
Add a computer to a domain or remove it from a domain
View users connected to a server and disconnect them
Configure directory replication between servers
Start, stop, and pause services on servers
Synchronize domain controllers within a domain
Specify recipients of administrative alerts
View and manage directories that are shared
Graphic S-5. Server Manager.
NOTE
The administrative functions of Server Manager in Windows NT are divided among several administrative consoles in Microsoft Windows 2000. For example,
To create a computer account or add a computer to a domain, use Active Directory Users and Computers.
To remotely manage services, shares, sessions, and open files, use Computer Management.
TIP
To use Server Manager to create a new share on a remote server, you must know the exact path to the folder you want to share. To determine the exact path, map a drive to the root administrative share on the appropriate drive of the remote server (for example, \\REMOTE_SERVER\C$) and browse the folder structure or create a new folder. Return to Server Manager and choose Shared Directories from the Computer menu, click the New Share button, and enter the share name and path.
A high-level file-sharing protocol jointly developed by Microsoft, IBM, and Intel for passing data between computers on a network. Microsoft Windows and OS/2 use Server Message Block (SMB). Many UNIX operating systems also support it.
How It Works
SMB is used between clients and servers to do the following:
Open and close connections between client redirectors and shared network resources
Locate, read, and write to files shared on a server
Locate and print to print queues that are shared on a server
SMB uses four types of messages:
Session control messages: Open or close a redirector connection to a shared resource on the server. The SMB redirector packages the requests sent to remote servers in an SMB-enabled network.
File messages: Used by the redirector to gain access to files on the server.
Printer messages: Used by the redirector to send data to a print queue and get status information about the queue.
Message messages: Let applications exchange messages with another computer.
A component of Microsoft Exchange Server that you can use to verify that specific Microsoft Windows NT or Windows 2000 services are running on an Exchange server and to resynchronize clock times on the servers. If a server monitor detects a problem with a Windows NT or Windows 2000 service, it can send an alert, send an e-mail notification, or attempt to restart the service or reboot the server. One server monitor can monitor multiple servers, and you can define an escalation sequence of multiple actions when problems occur. Typical problems that trigger a server monitor to generate an alert include the following:
A downed server or one that rebooted for some reason
A service stopping unexpectedly on the Exchange server
A server whose network connectivity has failed
A server whose clock is off by a certain threshold amount
Graphic S-6. Server monitor.
TIP
Once you create a new server monitor, you must start it using the Start Monitor command on the Tools menu of the Exchange Administrator program. You can also run it from the command prompt and configure it to start when the monitoring machine is rebooted.
See network operating system (NOS)
A built-in group in Microsoft Windows NT and Windows 2000 whose members have the rights to administer servers on the network. In Windows NT, Server Operators is a local group that exists on both domain controllers and member servers. In Windows 2000, Server Operators is a domain local group. The initial membership of the group is empty.
The Server Operators group has the following preassigned rights:
Log on locally to the server console
Change the system time
Back up files and directories
Restore files and directories
Shut down the system
Force shutdown from a remote system
Server Operators can also share and manage disk resources and printers on the network and lock the server.
See also built-in group, built-in local group
A feature supported by Microsoft Proxy Server that complements and supports reverse proxying. The proxy server uses server proxying to listen for incoming packets that are destined for computers connected to the internal network behind the proxy server. When the packets are received, the proxy server forwards them to the appropriate servers. This allows Microsoft Exchange Server, for example, to sit securely on an internal network behind a computer running Proxy Server. Server proxying is a circuit layer proxy service that supports a wide variety of protocols.
Also known as LanmanServer, a component of the Microsoft Windows NT and Windows 2000 operating systems that allows a server to share file and print resources with clients over the network. When a redirector on a client requests a shared resource from a server, the Server service on the server responds and routes the resource to the client.
How It Works
The Server service is implemented as a file system driver and resides above the transport driver interface (TDI) layer, which allows it to interact independently with any installed network transport protocols on the system. The Server service responds to requests just as any other file system driver does, allowing users to read and write data to and from remote network shares.
The Server service consists of two files:
Server (or SRV): A service that runs within the general Service Control Manager (services.exe) process
Srv.sys: A file system driver that operates in kernel mode and handles all low-level functions of the Server service, such as file reads and writes
If a remote network client makes a request to the Server service on the local computer, asking to read a file from the local file system, the request is received by the network interface card (NIC) driver and passed up the protocol stack to srv.sys, which forwards the read request to the appropriate local file system driver. The file system driver calls the disk subsystem driver to read the file, and the disk subsystem driver returns the file contents to the file system driver, which passes it back to srv.sys. Srv.sys passes the information back down the protocol stack to the NIC driver, which forwards it over the network to the requesting client.
Graphic S-7. Server service.
TIP
If you cannot see a server’s shared folders and printers in Network Neighborhood, check to see whether the Server service is still running. Try stopping and starting the service by using the Windows 2000 Services snap-in or the Windows NT Services utility in Control Panel.
See also Workstation service
A background process in an operating system that provides some specific functionality. Examples include the Server service in Microsoft Windows NT and Windows 2000 and File and Printer Sharing for Microsoft Networks in Microsoft Windows 95 and Windows 98, both of which enable sharing of resources over the network.
Services for Windows NT and Windows 2000 are RPC-enabled and can be called from remote computers over the network. In Windows NT, users can add and remove services by using the Network utility in Control Panel, and they can control and configure services by using the Services utility. In Windows 2000, users can add and remove services by using the Add/Remove Windows Components option in Add/Remove Programs. They can control and configure services by using the Services snap-in, accessible from Administrative Tools. The following tables list the default services available for typical Windows 2000 Server and Windows NT 4.0 Server installations and indicate which services are normally installed and started automatically.
Common Windows 2000 Services
Service | Normally Installed | Automatically Started |
Alerter | x | x |
Application Management | x | |
Boot Information Negotiation Layer | | |
Certificate Services | x | |
ClipBook | x | |
COM+ Event System | x | |
Computer Browser | x | x |
DHCP Client | x | |
DHCP Server | x | |
Distributed File System | x | x |
Distributed Link Tracking Client | x | x |
Distributed Link Tracking Server | x | |
Distributed Transaction Coordinator | x | x |
DNS Client | x | x |
DNS Server | x | |
Event Log | x | x |
Fax Service | x | |
File Replication | x | |
File Server for Macintosh | x | |
FTP Publishing Service | x | |
IIS Admin Service | x | x |
Indexing Service | x | |
Internet Authentication Service | x | |
Internet Connection Sharing | x | |
Intersite Messaging | x | |
IPSEC Policy Agent | x | x |
Kerberos Key Distribution Center | x | |
License Logging Service | x | x |
Logical Disk Manager | x | x |
Logical Disk Manager Administrative Service | x | |
Message Queuing | x | |
Messenger | x | x |
Net Logon | x | x |
NetMeeting Remote Desktop Sharing | x | |
Network Connections | x | |
Network DDE | x | |
Network DDE DSDM | x | |
Network News Transport Protocol (NNTP) | x | |
NT LM Security Support Provider | x | |
On-line Presentation Broadcast | | |
Performance Logs and Alerts | x | |
Plug and Play | x | x |
Print Server for Macintosh | x | |
Print Spooler | x | x |
Protected Storage | x | x |
QoS Admission Control (RSVP) | x | |
QoS RSVP | x | |
Remote Access Auto Connection Manager | x | |
Remote Access Connection Manager | x | |
Remote Procedure Call (RPC) | x | x |
Remote Procedure Call (RPC) Locator | x | |
Remote Registry Service | x | x |
Remote Storage Engine | x | |
Remote Storage File | x | |
Remote Storage Media | x | |
Remote Storage Notification | | |
Removable Storage | x | x |
Routing and Remote Access | x | |
RunAs Service | x | x |
Security Accounts Manager | x | x |
Server | x | x |
Simple Mail Transport Protocol (SMTP) | x | x |
Simple TCP/IP Services | x | |
Single Instance Storage Groveler | | |
SiteServer ILS Service | x | |
Smart Card | x | |
Smart Card Helper | x | |
SNMP Service | x | |
SNMP Trap Service | | |
System Event Notification | x | x |
Task Scheduler | x | x |
TCP/IP NetBIOS Helper Service | x | x |
TCP/IP Print Server | x | |
Telephony | x | |
Telnet | | |
Terminal Services | x | |
Terminal Services Licensing | x | |
Trivial FTP Daemon | | |
Uninterruptible Power Supply | x | |
Utility Manager | x | |
Windows Installer | x | |
Windows Internet Name Service (WINS) | x | |
Windows Management Instrumentation | x | |
Windows Management Instrumentation Driver Extensions | x | |
Windows Media Monitor Service | x | |
Windows Media Program Service | x | |
Windows Media Station Service | x | |
Windows Media Unicast Service | x | |
Windows Time | x | x |
Workstation | x | x |
World Wide Web Publishing Service | x | x |
Common Windows NT Services
Service | Normally Installed | Automatically Started |
Alerter | x | x |
ClipBook Server | x | |
Computer Browser | x | x |
DHCP Client | x | |
Directory Replicator | x | |
EventLog | x | x |
File Server for Macintosh | x | |
FTP Publishing Service | x | |
Gateway Service for NetWare | x | |
Gopher Publishing Service | x | |
License Logging Service | x | x |
Messenger | x | x |
Microsoft DHCP Server | x | |
Microsoft DNS Server | x | |
Net Logon | x | x |
Network DDE | x | |
Network DDE DSDM | x | |
Network Monitor Agent | | |
NT LM Security Support Provider | x | x |
Plug and Play | x | x |
Print Server for Macintosh | x | |
Protected Storage | x | x |
Remote Access Autodial Manager | | |
Remote Access Connection Manager | | |
Remote Access Server | x | |
Remoteboot Service | | |
RIP for Internet Protocol | x | |
Remote Procedure Call (RPC) Locator | x | |
Remote Procedure Call (RPC) Service | x | x |
SAP Agent | x | |
Schedule | x | |
Server | x | x |
Simple TCP/IP Services | x | |
SNMP | x | |
SNMP Trap Service | | |
Spooler | x | x |
TCP/IP NetBIOS Helper | | |
TCP/IP Print Server | | |
Telephony Service | x | |
UPS | x | |
Windows Internet Name Service | x | |
Workstation | x | x |
World Wide Web Publishing | x |
See also daemon
A Microsoft Windows NT or Windows 2000 user account that an application uses as a security context in which to run services. Service accounts are used by products such as Microsoft Exchange Server, Microsoft SQL Server, Microsoft Systems Management Server, and Microsoft SNA Server.
To illustrate a service account, let’s consider the Exchange service account in Exchange Server 5.5. All Exchange servers in a given Exchange site must use the same service account. The servers use the service account to determine which other Exchange servers are part of the same site and have the right to use the messaging services on the server.
You should create the Exchange service account before you install the first Exchange server in a site. You can give it any name. You should not use it as an account for a user to log on to the network; instead, reserve it for use by Exchange and assign it a complex password for security reasons. Specify the service account during the installation process, and grant it the Service Account Admin role on the site object and its Configuration container within the Exchange Administrator directory hierarchy.
The Exchange service account is also granted the following system rights:
Act as part of the operating system
Log on as a service
Restore files and directories
TIP
You can change the password for an Exchange Server 5.5 service account in two places: the configuration container for the site object in the Exchange directory hierarchy (using the Exchange Administrator program) and in the Security Account Manager (SAM) database (using the administrative tool User Manager for Domains in Windows NT 4.0 or Computer Management in Windows 2000).
A Novell NetWare protocol that is used with Internetwork Packet Exchange (IPX) to enable file and print servers to advertise their availability to clients on a network.
How It Works
Service Advertising Protocol (SAP) periodically advertises the address of the server and the types of services it can provide to clients. It sends its advertisements by making frequent broadcasts to all machines on the local network. Routers generally forward the advertisements so that network services can be made available to machines throughout an IPX internetwork.
TIP
The use of SAP broadcasts on IPX internetworks creates effective limits on the size of a usable IPX internetwork. However, you can configure routers to reduce unnecessary SAP traffic by
Filtering unnecessary SAP broadcasts using access lists on routers
Using Cisco Systems IPX routers that allow SAP broadcasts to contain update information only, instead of the entire SAP table, and to forward SAP updates only when a change to the SAP table has occurred
See also NetWare protocols
A Microsoft Windows 98 networking component for interoperability with Novell NetWare 4 servers running Novell Directory Services (NDS). If a computer running Windows 98 is running Client for NetWare Networks only, in Network Neighborhood the computer can recognize only bindery-based NetWare servers on the network, such as NetWare 3 and earlier servers and NetWare 4 servers running in bindery-emulation mode. Computers running Microsoft Windows 95 and Windows 98 that are running File and Printer Sharing for NetWare Networks are also visible. If you install Service for NetWare Directory Services, the Windows 98 client can also view NDS objects in the current context in Network Neighborhood.
Service for NetWare Directory Services includes additional capabilities, including support for logon scripts on NDS servers. Administrators can also use the computer running Windows 98 to run NetWare 4 utilities that require NDS (such as the nwadmin tool or netadmin).
Use the Network utility in Control Panel to install Service for NetWare Directory Services on a computer running Windows 98.
A contractual agreement between a customer and a service provider that outlines what services will be provided and defines the acceptable range of performance and availability of those services. Service-level agreements (SLAs) also indicate the costs and penalties that will be incurred when performance and availability fall below acceptable levels. SLAs are typically used in contracts with telecommunications service providers who provide WAN links for wide area networks (WANs).
A collection of patches, fixes, and minor upgrades for a specific version of a product such as a Microsoft Windows operating system or a Microsoft BackOffice server product. A service pack is not the same as a decimal release, such as an upgrade from version 4.0 to version 4.01.
Service packs are typically identified with a number, such as Service Pack 2. Occasionally, interim releases of service packs are also issued, such as Service Pack 2a (SP2a) for Microsoft Transaction Server (MTS).
Service packs for each product are generally cumulative. For example, if you apply Service Pack 3 to a product, you normally don’t have to apply Service Packs 1 and 2 first, because Service Pack 3 includes the fixes and upgrades in Service Packs 1 and 2.
Service packs are included in Microsoft Developer Network (MSDN) TechNet subscriptions; they are also often available for download from the Microsoft Web site.
NOTE
Microsoft Office service packs are known as service releases and are numbered SR-n.
TIP
Check MSDN and TechNet for a list of current service packs and what they do for each product. Before you apply a service pack, read its documentation to determine whether you need to apply it. Occasionally, service packs must be applied in a specific order on a system that is running more than one BackOffice product. Check MSDN, TechNet, or the Microsoft Knowledge Base for information on this kind of situation.
Service packs often include new features or additional optional components for the product, in addition to bug fixes and patches. A common misconception arises here: service packs are cumulative with respect to bug fixes and patches, but they might not be cumulative with respect to new features or components. For example, Service Pack 4 for Windows NT 4.0 includes Microsoft Windows Media Player, but Service Pack 5 for Windows NT 4.0 does not include this new utility. So if you simply want to patch your product against bugs, you need only apply the most recent service pack for the product. But if you want to make use of product enhancements and new features, you might need to apply each of the service packs for the product in succession.
A text file that assigns Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers to TCP/IP protocols and services for a computer on a TCP/IP network. The entries in the services file are used for well-known service (WKS) records in Domain Name System (DNS) servers and other Windows Sockets applications. You can also use the file to quickly determine which well-known TCP or UDP port number is assigned to a specific network service or protocol.
How It Works
You will find the services file at the following location on a computer running Microsoft Windows:
Windows NT and Windows 2000: %SystemRoot%\System32\drivers\etc\services
Windows 95 and Windows 98: %WinDir%\Services
Each line in the services file contains the standard name for the service followed by the well-known port number as defined in Request for Comments (RFC) 1060, an alias, and an optional comment prefixed with a pound sign (#). The following example is a portion from the sample services file included with Windows:
    # Format:
    # <service name> <port number>/<protocol> [aliases...] [#<comment>]
    ...
    ftp-data 20/tcp # FTP, data
    ftp 21/tcp # FTP. control
    telnet 23/tcp
    smtp 25/tcp mail # Simple Mail Transfer Protocol
    time 37/tcp timeserver
    time 37/udp timeserver
TIP
You can change the default port number for a TCP/IP service by editing the services file—for example, if you need to run multiple Simple Network Management Protocol (SNMP) agents or if you want to change the default File Transfer Protocol (FTP) control port to make access more private.
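As an added example (not code from the page or from Windows), a Python parser for this file format with a lookup by service name or alias, plus a check that flags two names mapped to the same port/protocol, which is the kind of mistake that an edit like the one the tip describes can introduce. The sample text extends the excerpt above with constructed SNMP lines.

```python
"""Parser and checks for the services file format described above.

Added example, not Microsoft's code. Each entry is
'<name> <port>/<protocol> [aliases...] [#comment]'; the sample text is
constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    port: int
    protocol: str
    aliases: tuple[str, ...]
    comment: str


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse services-file text, skipping blank and comment-only lines."""
    entries: list[ServiceEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line, _, comment = raw.partition("#")   # text after '#' is a comment
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"line {lineno}: expected '<name> <port>/<protocol>'")
        port_text, protocol = fields[1].split("/", 1)
        if not port_text.isdigit() or not 0 <= int(port_text) <= 65535:
            raise ValueError(f"line {lineno}: bad port {port_text!r}")
        entries.append(ServiceEntry(fields[0], int(port_text), protocol.lower(),
                                    tuple(fields[2:]), comment.strip()))
    return entries


def port_for(entries: list[ServiceEntry], service: str, protocol: str) -> int | None:
    """Resolve a service name or alias to its well-known port for one protocol."""
    for e in entries:
        if e.protocol == protocol and (e.name == service or service in e.aliases):
            return e.port
    return None


def conflicting_ports(entries: list[ServiceEntry]) -> dict[tuple[int, str], list[str]]:
    """Return port/protocol pairs claimed by more than one service name.

    The same port under different protocols (time 37/tcp and 37/udp) is
    normal; two names on one port/protocol is usually an editing mistake.
    """
    claims: dict[tuple[int, str], list[str]] = defaultdict(list)
    for e in entries:
        claims[(e.port, e.protocol)].append(e.name)
    return {key: names for key, names in claims.items() if len(names) > 1}


# Constructed sample: the excerpt above plus two SNMP lines, the second of
# which has been edited onto the port the first one already uses.
SAMPLE_SERVICES = """\
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
ftp-data 20/tcp # FTP, data
ftp 21/tcp # FTP. control
telnet 23/tcp
smtp 25/tcp mail # Simple Mail Transfer Protocol
time 37/tcp timeserver
time 37/udp timeserver
snmp 161/udp
snmp-agent2 161/udp # constructed second agent on the same port
"""

if __name__ == "__main__":
    entries = parse_services(SAMPLE_SERVICES)
    print("mail/tcp ->", port_for(entries, "mail", "tcp"))
    print("conflicts:", conflicting_ports(entries))
```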
See also hosts file, lmhosts file, networks file, protocol file
An optional set of services and protocols in Microsoft Windows NT and Windows 2000 that enables file and print resources to be shared between Macintosh computers and computers running Windows NT or Windows 2000. This simplifies the administration of resources on heterogeneous networks containing a mix of Macintosh and Windows servers and clients. On the Windows 2000 platform, these services and protocols are collectively known under the umbrella name AppleTalk network integration.
How It Works
Services for Macintosh (or AppleTalk network integration) consists of three optional components in Windows NT or Windows 2000:
The AppleTalk protocol: Apple’s proprietary network protocol for Macintosh computers.
File Server for Macintosh (MacFile): Lets you specify which volumes on your Windows NT–based or Windows 2000–based server you want to make available to Macintosh clients as Macintosh-accessible volumes, manages differences in permissions between the two platforms, and makes sure that Macintosh file names are legal NTFS file system names.
Print Server for Macintosh (MacPrint): Enables Macintosh clients to spool their print jobs to a Windows NT or Windows 2000 print server.
Macintosh client machines can access Windows NT servers running Services for Macintosh (or Windows 2000 servers with AppleTalk network integration installed) in the same way that they access file and print resources on an AppleShare server. Services for Macintosh supports an unlimited number of client connections using the AppleTalk Filing Protocol (AFP), Apple’s presentation-layer protocol for sharing files and applications over an AppleTalk network.
You can install Services for Macintosh on a server running Windows NT by using the Network utility in Control Panel. On servers running Windows 2000, you can install File Server for Macintosh or Print Server for Macintosh by using the Windows Components Wizard from Add/Remove Programs in Control Panel, which automatically installs the AppleTalk protocol as well. You can also separately install the AppleTalk protocol by using Network and Dial-Up Connections. Services for Macintosh requires an NTFS-formatted volume in order to operate. When Services for Macintosh is first installed, a Macintosh-accessible volume called Public Files is created on the server running Windows NT or Windows 2000. You can create other Macintosh-accessible volumes later using My Computer.
Layer 5 of the Open Systems Interconnection (OSI) reference model, which enables sessions between computers on a network to be established and terminated. The session layer does not concern itself with issues such as the reliability and efficiency of data transfer between stations because these functions are provided by the first four layers of the OSI reference model. The session layer is responsible for synchronizing data exchange between computers, structuring communication sessions, and other issues directly related to conversations between networked computers. The session layer is also responsible for name recognition functions at the level of logical network names and for assigning communication ports. For example, the NetBIOS protocol is considered to run at the session level.
The session layer of the OSI reference model is not widely implemented in common local area network (LAN) protocol suites such as TCP/IP and IPX/SPX. Instead, the top three layers of the OSI model—the application layer, presentation layer, and session layer—are often best thought of as a single whole subsumed within a generalized application layer.
A tool included with Microsoft BackOffice Small Business Server that automates the job of configuring Microsoft Windows–based client computers running in a Small Business Server network. The Set Up Computer Wizard creates a setup floppy disk that allows a user with a client computer to easily connect to the server. Once a user is connected to the server, the client computer can be configured and software can be installed. This frees the user from having to configure network settings, figure out how to join a domain, find out where the server is located, install client applications, configure the e-mail client, and so on.
How It Works
Setting up and configuring client computers involves two components:
Set Up Computer Wizard, which runs on the server
Client Installation Wizard, which runs on the client
To add a new client computer to the network, an administrator runs the Set Up Computer Wizard on the server. The administrator must perform the following functions when using the Set Up Computer Wizard:
Select the user who will be using the client computer. (The user must be set up to use a logon script.)
Specify a client computer name. (The Set Up Computer Wizard provides a suggested computer name.)
Specify the operating system for the client (Windows 95, Windows 98, or Windows NT Workstation 4.0).
Specify the applications to install on the client, which might include Microsoft Fax client, Microsoft Internet Explorer, Microsoft Modem Sharing client, Microsoft Proxy client, Microsoft Office 2000 (including Microsoft Outlook), and Outlook.
When the Set Up Computer Wizard completes, it creates the following items:
A user-specific floppy disk containing the user’s client configuration information
A logon script on the server for the specified user
A set of client configuration files on the server for the specified computer
A machine account on the server for the computer
To configure the client computer, the user inserts the disk in the computer and runs the setup program, and the following client network setup occurs:
Configuration of the client’s network settings, including installing TCP/IP
Configuration of the client so that the user can connect to the Small Business Server domain
Once the client network setup has been performed, the client computer will need to be restarted. After restarting, the user should be able to log on to the Small Business Server. When the user logs on to the server, the Client Installation Wizard starts automatically. The Client Installation Wizard will install and configure the selected client applications.
TIP
The Set Up Computer Wizard can be modified to support other client applications.
In many small businesses, a single computer might have more than one user. The Set Up Computer Wizard lets administrators easily configure a single computer for multiple users.
As a verb, to make resources on a computer available to other users on the network who have suitable permissions. Resources that can be shared include disk volumes, directories, and printers.
As a noun, a share is typically another name for a folder or directory that allows users on the network who have suitable permissions to access its contents. The name of a share does not have to be the same as the local name of the object. A share usually contains such items as public data, network applications, and users’ home folders.
In Microsoft Windows 95 and Windows 98, share access can take two forms:
Share-level security: Controls access to a share using a password that is the same for all users. For example, a user who wants to connect to a share on a peer server running Windows 95 or Windows 98 that uses share-level security must know only the password for the share in order to access it. Share-level security is commonly used in small workgroups.
User-level security: Controls access to a share via user credentials and group membership. For example, one group of users can be assigned read-only access to the share, another group can be assigned full access, and a third group can be assigned custom access. In order for user-level security to work, the network must have a security provider (such as a Microsoft Windows NT or Windows 2000 domain controller).
In Windows NT and Windows 2000, shares are always based on user-level security. A network user’s access to a shared folder on an NTFS volume is governed by a combination of NTFS permissions and shared folder permissions.
TIP
Share names that do not conform to the MS-DOS 8.3 naming convention cannot be accessed by MS-DOS-based workstations.
See share
In Microsoft Windows, a set of permissions that can be assigned to a shared folder to control access by users and groups on the network. Shared folder permissions can be applied only to the entire shared folder, not to its files and subfolders. If you want to control access to individual files and subfolders within a network share, you can use the more granular NTFS permissions on Windows NT and Windows 2000. In addition, shared folder permissions are effective only when a user accesses the folder over the network. If a user can log on locally to the console of the computer where the share is located, that user can always access the contents of the shared folder regardless of the shared folder permissions set (unless the folder is on an NTFS volume and the NTFS permissions restrict the user from accessing the resource). Finally, shared folder permissions are the only way to secure network resources that are stored on FAT volumes.
If a user belongs to two or more groups, and these groups have different permissions on a given share, the user’s ability to access the folder over the network is determined by two rules:
The effective permission is the least restrictive (most permissive) permission, as in this example:
read + change = change permission
No access or deny access overrides all other permissions, as in this example:
read + no access = no access
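An added example, not from the original entry: resolving a user's effective shared folder permission from group memberships by applying the two rules above, using the Windows NT 4.0 permission names from the tables in this entry. The ACLs and group memberships are constructed for illustration.

```python
# Added example (not from the original page): apply the two combination rules
# (least restrictive wins; No Access overrides) to a share's permission list.
from typing import Dict, Iterable, List, Set, Tuple

NO_ACCESS = "No Access"
# Ranked from most to least restrictive; No Access is handled separately
# because rule 2 makes it override everything else.
RANK = {"Read": 1, "Change": 2, "Full Control": 3}


def effective_share_permission(principals: Iterable[str],
                               share_acl: Dict[str, str]) -> str:
    """`principals` are the user's own name plus every group it belongs to;
    `share_acl` maps a principal to the one permission assigned to it.
    Rule 2: any No Access entry that applies to the user wins.
    Rule 1: otherwise the least restrictive (most permissive) entry wins."""
    granted = [share_acl[p] for p in principals if p in share_acl]
    if NO_ACCESS in granted:
        return NO_ACCESS
    unknown = [g for g in granted if g not in RANK]
    if unknown:
        raise ValueError(f"unknown permission(s): {unknown}")
    # No matching entry at all: the share grants this user nothing.
    return max(granted, key=RANK.__getitem__) if granted else NO_ACCESS


def audit_share(share_acl: Dict[str, str],
                memberships: Dict[str, Set[str]]
                ) -> Tuple[Dict[str, str], List[str]]:
    """Resolve every user's effective permission and flag the default the TIP
    in this entry says to remove: Full Control for Everyone. Every user is
    treated as a member of Everyone in addition to the listed groups."""
    report = {
        user: effective_share_permission(groups | {user, "Everyone"}, share_acl)
        for user, groups in memberships.items()
    }
    warnings = []
    if share_acl.get("Everyone") == "Full Control":
        warnings.append("Everyone has Full Control: replace with least privilege")
    return report, warnings
```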
How It Works
Windows 95, Windows 98, Windows NT, and Windows 2000 each have different mechanisms for assigning shared folder permissions for users and groups. The following tables show the permissions for each of these operating systems and list what the permissions allow users to do.
Windows 95 and Windows 98 Shared Folder Permissions
Permission | What It Allows Users to Do |
Read-Only Access Rights | List names of folders and files; browse hierarchies of folders; display the contents of folders and files; run executable files |
Full Access Rights | Create and delete folders; add files to folders; create, modify, and delete files; change file attributes (includes read permissions) |
Custom Access Rights | Depending on the options specified, allows users to perform the following actions: read files; write to files; create files and folders; delete files; change file attributes; list files; change access control |
Graphic S-8. The Change Access Rights dialog box in Windows 95 and Windows 98.
Windows NT 4.0 Shared Folder Permissions
Permission | What It Allows Users to Do |
No Access | Connect to a share without viewing its contents |
Read | List names of folders and files; browse hierarchies of folders; display the contents of folders and files; run executable files |
Change | Create and delete folders; create, modify, and delete files; change file attributes (includes read permissions) |
Full Control | Take ownership of files on NTFS volumes; change file permissions on NTFS volumes (includes read and change permissions) |
Graphic S-9. The Access Through Share Permissions dialog box in Windows NT 4.0.
Windows 2000 Shared Folder Permissions
Permission | What It Allows Users to Do |
Read | List names of folders and files; browse hierarchies of folders; display the contents of folders and files; run executable files |
Change | Create and delete folders; add files to folders; create, modify, and delete files; change file attributes (includes read permissions) |
Full Control | Take ownership of files on NTFS volumes; change file permissions (includes read and change permissions) |
Graphic S-10. The Permissions dialog box in Windows 2000.
TIP
When you first share a folder in Windows NT and Windows 2000, the default permissions are Full Control for the Everyone group. You should remove this default permission and assign more appropriate permissions to the share, such as change permission for Domain Users and full control for Administrators.
When you assign permissions to shared folders, use group accounts instead of user accounts in order to simplify administration. Give users the most restrictive permissions that still enable them to perform the necessary tasks on the files in the share.
See also NTFS permissions (Windows 2000), NTFS permissions (Windows NT), share
An administrative snap-in for Microsoft Windows 2000 that lets you monitor and manage access to resources on the network. Shared Folders can be installed in a new console or accessed from the System Tools node in the Computer Management administrative tool.
How It Works
The function of Shared Folders is similar to that of the Server Manager administrative tool in Microsoft Windows NT. You can use Shared Folders to perform the following actions on either the local server or remote servers on the network:
View users currently connected to network resources and disconnect them from these resources
Send administrative messages to users before you disconnect them from network resources
View files currently opened by remote users and close them
Share folders on remote computers
Create, view, and configure permissions on network shares
Configure a Macintosh-accessible volume
Graphic S-11. Shared Folders.
NOTE
To use Shared Folders to manage all computers in a given domain, you must be a member of the Administrators or Server Operators group for that domain. If you want to manage only a specific member server, you must be a member of the Administrators or Power Users group for that member server.
TIP
Monitoring access to network resources with the Shared Folders administrative snap-in can help you do the following:
Plan for future system growth to satisfy current trends in resource usage
Monitor access to resources for security reasons
Notify users who will be disconnected from resources during scheduled or unscheduled system maintenance operations
There are several reasons why you might want to disconnect users from resources on the network:
The server needs to be shut down for maintenance or rebooted for some reason (such as a hardware or software upgrade).
Idle connections to the resource are preventing access by other users because the maximum number of connections to the resource has been reached.
Shared folder or NTFS permissions have been changed on the resource, and users must be disconnected so that the new permissions will apply to them.
Unauthorized users are accessing resources for which they have been accidentally granted permission.
In Microsoft Cluster Services (MSCS), a shared storage bus that attaches one or more Small Computer System Interface (SCSI) disk drives containing data that can be used by applications running on the cluster. The shared SCSI bus logically represents the total interconnection between the cluster and the shared storage devices, but in practice this consists of a number of electrically separate SCSI bus segments. Each disk on a shared SCSI bus is owned by only one of the cluster’s nodes. If the disk group fails over, ownership of the disk switches from the failed node to the other node.
TIP
Remove the internal termination of the SCSI bus and use Y-cables or trilink connectors for terminating the external bus. In this way, you can remove the device if maintenance is required without affecting other devices on the bus.
A mode of security on computers running Microsoft Windows 95 and Windows 98 that protects shared folders and printers using a password. All users use the same password to access the resource, and any user who knows the password has permission to use the resource.
How It Works
Security options for protecting a shared folder using share-level security include
Allowing read-only access, with or without a password
Allowing full access, with or without a password
Specifying one password for read-only access and another for full access
Share-level security is often used in peer-to-peer networks with computers running Windows 95 or Windows 98. Use the Network utility in Control Panel to enable share-level security.
Graphic S-12. The Sharing tab of a folder’s Properties dialog box.
See also user-level security
Another name for a user interface of an operating system. The term “shell” usually refers to the command-line interface (called the command interpreter) used by various flavors of the UNIX operating system, but on Microsoft Windows platforms the desktop graphical user interface (GUI) element can also be considered a type of shell.
How It Works
In a UNIX command-line shell, when a user types a command such as ls (list directory contents), the shell executes the associated program called ls. When the shell executes the command, it typically starts a new process for the command and goes into a sleep state until the command finishes executing, at which time the shell wakes up and issues a prompt to indicate that it is ready to receive another command. The output of shell commands is directed by default to Standard Output, which is the screen, but you can redirect command outputs to files and other applications. One advantage of using a command-line shell is that shell scripts can be written for batch execution of a series of shell commands.
Various shells are available for different UNIX platforms, each tailored to a different administration and programming environment. One commonly used shell is the Bourne Shell, which functions as both a command interpreter and a high-level programming language in which shell scripts can be used to automate groups of processes. Other UNIX shells include the C Shell of System V UNIX, which includes job control and command history mechanisms, and the Korn shell, which supports command-line editing.
NOTE
The command prompt in Windows provides similar functionality to UNIX shells, although scripting capabilities are more limited because they are based on the MS-DOS command language. The Windows Script Host (WSH) overcomes these limitations by supporting higher-level scripting languages such as Microsoft Visual Basic, Scripting Edition (VBScript), and JScript.
The term “shell” refers to the external user-accessible portion of an operating system, while the term “kernel” refers to the stuff under the hood that is normally hidden from the user.
UNIX shell scripts are called batch files in Windows programming environments. In an IBM mainframe environment, they are called EXECs.
Twisted-pair cabling with additional shielding to reduce crosstalk and other forms of electromagnetic interference (EMI). The outer insulating jacket contains an inner braided copper mesh to shield the pairs of twisted cables, which themselves are wrapped in foil. Shielded twisted-pair (STP) cabling is more expensive than unshielded twisted-pair (UTP) cabling. It has an impedance of 150 ohms, has a maximum length of 90 meters, and is used primarily in networking environments with a high amount of EMI due to motors, air conditioners, power lines, or other noisy electrical components. STP cabling is the default type of cabling for IBM Token Ring networks.
STP cabling comes in various grades or categories defined by the EIA/TIA wiring standards, as shown in the following table.
STP Cabling Categories
Category | Description |
IBM Type 1 | Token Ring transmissions on AWG #22 wire up to 20 Mbps |
IBM Type 1A | Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), and Asynchronous Transfer Mode (ATM) transmission up to 300 Mbps |
IBM Type 2A | Hybrid combination of STP data cable and CAT3 voice cable in one jacket |
IBM Type 6A | AWG #26 patch cables |
See also unshielded twisted-pair (UTP) cabling
Metallic material added to cabling to reduce susceptibility to noise due to electromagnetic interference (EMI). Shielding usually takes one of two forms:
A braided copper or aluminum mesh enclosing the signal-carrying wires. This type of shielding offers superior performance and should be used in industrial areas where heavy machinery generates a lot of EMI.
An aluminum foil sleeve that encloses individual wires or the entire wire bundle. This kind of shielding is more suitable for office environments to shield against noise due to air conditioners, fans, and other motors.
For best performance, you can combine both kinds of shielding. An additional uninsulated drain wire is sometimes used to terminate the shield; it runs the length of the wire in contact with the foil sleeve or mesh. Shielded cabling is generally more expensive than unshielded cabling.
See also coaxial cabling, shielded twisted-pair (STP) cabling
A condition that occurs when signal-carrying conductors make contact. The effect of a short is similar to having a break in the cable—network communication ceases. To find or isolate a short, use a cable tester or time domain reflectometer. Cable shorts can occur only in copper cables, not fiber-optic cables, although breaks can occur in fiber-optic cables.
Also called the Dijkstra algorithm, a routing algorithm in which a router computes the shortest path between each pair of nodes in the network. The Open Shortest Path First (OSPF) Protocol is based on the Shortest Path First (SPF) algorithm.
How It Works
When an OSPF router is initialized, it sends a Hello message to determine whether it has any neighbors (routers that have an interface on the same network). Neighbors respond to the initiating router by using the same Hello packets. In fact, these Hello packets also serve to tell other routers that the transmitting router is still alive (keep-alive function). If more than two OSPF routers are on the internetwork, the Hello protocol causes one of the routers to be designated as the one to send out link state advertisements (LSAs) to all other routers on the network.
Neighbors then synchronize their topological databases with each other to become “adjacent” routers. Each router periodically floods the network with cost information for its adjacent nodes in the form of LSAs, allowing them to compile complete tables of network connections and calculate the path of least cost between any two nodes. Finally, each router analyzes its own database of network topology information and uses it to determine a shortest-path tree using itself as the root; from this tree, it derives a routing table for itself.
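An added example, not from the original entry: the Shortest Path First (Dijkstra) computation each OSPF router runs over its link-state database with itself as the root, and the routing table derived from that tree. The four-router topology and its link costs are constructed for illustration; a helper also models a link failure so the recomputation after new LSAs can be seen.

```python
# Added example (not from the original page): Dijkstra over a link-state
# database, then a routing table (next hop, cost) derived from the tree.
import heapq
from typing import Dict, Optional, Tuple

# Constructed link-state database: router -> {neighbor: cost of link toward it}.
# Each direction is listed explicitly, as OSPF costs can differ per direction.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 10, "R3": 5},
    "R2": {"R1": 10, "R3": 2, "R4": 1},
    "R3": {"R1": 5, "R2": 2, "R4": 9},
    "R4": {"R2": 1, "R3": 9},
}


def shortest_path_tree(lsdb: Dict[str, Dict[str, int]], root: str
                       ) -> Tuple[Dict[str, int], Dict[str, Optional[str]]]:
    """Dijkstra: return (cost to each reachable node, parent of each node in
    the tree rooted at `root`). The parent links form the shortest-path tree."""
    cost = {root: 0}
    parent: Dict[str, Optional[str]] = {root: None}
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue                      # stale entry, already superseded
        for nbr, w in lsdb.get(node, {}).items():
            if c + w < cost.get(nbr, float("inf")):
                cost[nbr] = c + w
                parent[nbr] = node
                heapq.heappush(heap, (c + w, nbr))
    return cost, parent


def routing_table(lsdb: Dict[str, Dict[str, int]], root: str
                  ) -> Dict[str, Tuple[str, int]]:
    """Destination -> (next hop, total cost). The next hop is the tree node
    directly below the root on the path to the destination."""
    cost, parent = shortest_path_tree(lsdb, root)
    table = {}
    for dest in cost:
        if dest == root:
            continue
        hop = dest
        while parent[hop] != root:        # walk up until just below the root
            hop = parent[hop]
        table[dest] = (hop, cost[dest])
    return table


def withdraw_link(lsdb: Dict[str, Dict[str, int]], a: str, b: str
                  ) -> Dict[str, Dict[str, int]]:
    """Model a link failure announced by new LSAs: return a copy of the
    database without the a<->b link so the tree can be recomputed."""
    new = {router: dict(links) for router, links in lsdb.items()}
    new.get(a, {}).pop(b, None)
    new.get(b, {}).pop(a, None)
    return new
```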
See also Open Shortest Path First (OSPF) Protocol
A service for sending short text messages using the Global System for Mobile Communications (GSM) cellular telephone system. Short Message Service (SMS) can send short messages of up to 160 alphanumeric characters.
How It Works
SMS works as a store-and-forward service in which messages that are sent are stored at an SMS messaging center until the recipient can connect and receive them. SMS offers an advantage over paging systems in that it notifies the sender when the recipient has received the message. SMS allows messages to be sent or received simultaneously with voice, fax, or data transmission over GSM systems because it uses a separate signaling path instead of a dedicated channel. SMS thus works reliably even during peak usage periods of cellular systems.
Some SMS systems support compression to increase the amount of information that can be included in a message. You can also concatenate messages to create one message from several message fragments.
To use SMS, the user needs a subscription to a GSM bearer that supports SMS and a cell phone that supports SMS. The SMS function must be enabled for that user. (A subscription charge usually covers this.) SMS services are most widely deployed in Europe; more than 1 billion messages per month were sent in 1999.
See Secure Hypertext Transfer Protocol (S-HTTP)
To close a program or operating system in a way that ensures that no data is lost and that the system is not corrupted. To properly shut down a computer running Microsoft Windows 2000, choose Shut Down from the Start menu. Windows 2000 then performs the following actions:
Closes all open files
Saves operating system data
Prepares the system to be powered off
NOTE
If Windows 2000 is shut down improperly (through a power failure, for example), a utility called autochk.exe runs upon reboot to check and repair any volumes that are marked as dirty.
See security identifier (SID)
An electrical transmission of alternating current (AC) on network cabling that is generated by a networking component such as a network interface card (NIC). Signals are purposeful transmissions, as opposed to noise, which is an undesirable transmission from other components or the environment.
In the networking environment, all electrical signals are digital except when the following devices are used:
Modems: Convert the digital signal from the serial port of a computer to an analog signal for transmission as audible sound waves over a phone line
Digital cellular phones: Convert the analog signal of sound waves produced by human speech into digital electrical pulses by sampling the sound wave at discrete intervals
Digital signals are essentially square waves, but they must also be encoded using line code, which represents binary information using discrete voltages.
In wide area network (WAN) technologies, the process of the components at either end of the WAN link communicating with each other to establish common timing and signal-flow settings. Signaling occurs before a communication session is established and before data is actually sent over the link. Signaling also refers to the period in which control information is exchanged during an established communication session.
Session-establishment signaling between telecommunications devices generally has a certain degree of latency. That is, it takes time for sessions to be negotiated and established before data can be sent. For example, analog modems typically take 15–30 seconds from dial-up until the connection is established, whereas Integrated Services Digital Network (ISDN) dial-up services sometimes take only 1–2 seconds to establish a connection.
Signaling between telecommunications devices generally takes place by one of two methods:
In-band signaling: The signaling information is sent in the same communication channel as the data itself.
Out-of-band signaling: The signaling happens on a separate channel, usually a separate pair of wires.
The loss of strength of a signal as it propagates over a medium. Generally, the term refers to loss of signal strength in guided media such as copper cabling and fiber-optic cabling. Unguided media such as wireless networking technologies have signals that decrease in power per unit area primarily because of the inverse square law.
How It Works
A number of mechanisms can cause signal loss in a wire or cable:
Attenuation: Caused by resistive losses in the cable and affects only copper cabling
Absorption: Causes signal loss in fiber cabling because the glass core material is not perfectly transparent
Fractures: Can result in both attenuation and absorption of signal strength
Splices, connectors, and couplings: Involve dissimilar materials joined together and generally produce some loss
Signal loss is generally expressed in units of decibels (dB) per source of the loss. The following table shows typical signal loss values for fiber-optic cabling. These rough values are useful for estimating total signal loss, which you calculate by simply adding the loss for each element in the light path.
Signal Loss Values for Fiber-Optic Cabling
Source of Loss | Approximate Signal Loss |
Connector loss | 3 dB/termination |
Coupling loss | 2 dB/coupler |
Intrinsic loss | 6 dB/1000 meters |
Microbending loss | Increases with decreasing bend radius |
Splice loss | 4 dB/splice |
TIP
The total end-to-end signal loss of a light path through a fiber-optic cabling system is known as the optical power budget. If this value is greater than the power launch rating of your line driver, your system won’t work.
A standard application-layer protocol for delivery of e-mail over a TCP/IP internetwork such as the Internet. The basics of Simple Mail Transfer Protocol (SMTP) are defined in Request for Comments (RFC) 821 and 822.
How It Works
SMTP defines the format for messages sent between TCP/IP hosts on the Internet. SMTP uses plain 7-bit ASCII text to send e-mail messages and to issue SMTP commands to receiving hosts. Multipurpose Internet Mail Extensions (MIME) is typically used to encode multipart binary files including attachments into a form that SMTP can handle.
SMTP provides a mechanism for forwarding e-mail from one TCP/IP host to another over the Internet. SMTP services running on a TCP/IP host first establish a connection to a remote host using Transmission Control Protocol (TCP) port 25. An SMTP session is then initiated by sending a helo command and receiving an OK response. The sending computer then uses the following commands to send messages:
Mail from: Identifies the sending host to the receiving host
Rcpt to: Identifies the targeted message recipient to the receiving host by using the Domain Name System (DNS) format user@DNSdomain
Data: Initiates the sending of the message body as a series of lines of ASCII text, ending with a single period (.) alone on a line
Quit: Closes the SMTP connection
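An added example, not from the original entry: an in-memory model of the SMTP exchange described above, with the receiving side enforcing the command order (HELO, MAIL FROM, RCPT TO, DATA ending in a lone period, QUIT) and the sending side driving it and recording both sides of the conversation. Host names, addresses and the message text are constructed for illustration.

```python
# Added example (not from the original page): both halves of an SMTP session
# exchanging the commands listed above, with out-of-order commands rejected.
from typing import List, Tuple


class MiniSmtpServer:
    """Receiving host. Keeps enough session state to reject commands that
    arrive out of order (503) instead of silently accepting them."""

    def __init__(self, hostname: str):
        self.hostname = hostname
        self.delivered = []            # (sender, recipients, body) per message
        self.greeted = False
        self._reset_transaction()

    def _reset_transaction(self):
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body_lines = []

    def greeting(self) -> str:
        return f"220 {self.hostname} SMTP service ready"

    def handle(self, line: str):
        """Process one client line; return the reply, or None while in DATA."""
        if self.in_data:
            if line == ".":                       # lone period ends the body
                self.delivered.append((self.sender, list(self.recipients),
                                       "\n".join(self.body_lines)))
                self._reset_transaction()
                return "250 OK message accepted for delivery"
            # undo dot-stuffing: the sender doubles a leading '.' in body text
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return f"250 {self.hostname} Hello {arg}"
        if not self.greeted:
            return "503 send HELO first"
        if verb == "MAIL":                        # MAIL FROM:<sender>
            self.sender = arg.partition(":")[2].strip().strip("<>")
            self.recipients = []
            return "250 OK"
        if verb == "RCPT":                        # RCPT TO:<user@DNSdomain>
            if self.sender is None:
                return "503 need MAIL command first"
            self.recipients.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 need RCPT command first"
            self.in_data = True
            return "354 start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 command not recognized"


def send_message(server: MiniSmtpServer, client_host: str, sender: str,
                 recipients: List[str], body: str) -> Tuple[list, bool]:
    """Sending host: issues the commands in order and records both sides of
    the exchange as ("C", line) / ("S", reply) pairs."""
    transcript = [("S", server.greeting())]

    def cmd(line: str) -> str:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply or ""

    steps = [f"HELO {client_host}", f"MAIL FROM:<{sender}>"]
    steps += [f"RCPT TO:<{r}>" for r in recipients]
    for step in steps:
        if not cmd(step).startswith("250"):
            cmd("QUIT")
            return transcript, False
    if not cmd("DATA").startswith("354"):
        cmd("QUIT")
        return transcript, False
    for line in body.splitlines():
        cmd("." + line if line.startswith(".") else line)   # dot-stuffing
    accepted = cmd(".").startswith("250")
    cmd("QUIT")
    return transcript, accepted
```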
NOTE
SMTP provides message transport only from one SMTP host to another. Support for storing messages in mailboxes is provided by Post Office Protocol version 3 (POP3) and Internet Mail Access Protocol version 4 (IMAP4).
TIP
To implement SMTP on a Microsoft Exchange Server messaging network, install and configure the Internet Mail Service. To troubleshoot problems with remote SMTP servers, use Telnet to connect to port 25, try issuing various SMTP commands (such as the ones described in this entry), and examine the results. The SMTP service on Internet Information Server (IIS) version 4 functions only as an SMTP mail delivery agent (SMTP host) and does not have any provision for creating user mailboxes.
An Internet-standard application layer (layer 7) protocol for exchanging device management information between network devices on a TCP/IP network. Simple Network Management Protocol (SNMP) is most often used for collecting statistical and configuration information about network devices such as computers, hubs, switches, routers, and even network printers. The statistical information includes the number of packets or frames sent or received per second, the number of errors per second, and so on. The configuration information includes the IP address of an interface on the device, the version of the operating system running on the device, and so on. Management systems are used to monitor network health, trap errors, perform diagnostics, and generate reports. SNMP is the most popular network management protocol in use.
How It Works
A network configured to use SNMP version 1 essentially consists of two components that work together:
SNMP agents, which are programs that run on the network devices to be managed (called managed devices) and that collect TCP/IP-related configuration information and statistics about the operation of the device. Agents do not require heavy CPU usage to run. The types of information that an agent can collect are defined in a local database called a Management Information Base (MIB). MIB databases are hierarchical and contain managed objects that have uniquely assigned identifiers issued by the International Organization for Standardization (ISO). SNMP variables are specific instances of managed objects in MIBs. Agents running on managed devices monitor specific sets of SNMP variables and temporarily store this information until the agent is polled by a management system, whereupon the agent reports the values of the stored information to the management system. Most network devices have built-in SNMP agent software and associated MIBs.
SNMP Management Systems software (also called Network Management System, or NMS, software), which runs on an administrator workstation and can display data gathered from managed devices in a user-friendly form through a graphical user interface (GUI). SNMP Management Systems software can notify the administrator when certain conditions (such as errors) occur. Most SNMP management systems can also automatically determine the topology and components of a network with SNMP-enabled computers, routers, hubs, and switches and can display network topology, traffic, and conditions in graphical format. SNMP management systems regularly poll managed devices using SNMP messages for statistical and configuration information and then store this information in a central database, which can be used to present the information in a friendly way to users.
SNMP messages contain a header and a payload called the Protocol Data Unit (PDU). The header contains information about the community being referenced. A community is a subset of agents that will be monitored using a specific management system and institutes a primitive level of security. A community name is used for purposes of authentication, and SNMP communication is performed using User Datagram Protocol (UDP) port number 161.
SNMP messages come in four types, three of which are issued by management stations and one of which is issued by agents:
Get message: Issued by the management system to an agent on a managed device to read the value of a specific variable on the device.
Getnext message: Issued by the management system to determine which SNMP variables are supported by an agent running on a managed device and to traverse a series of variables to read their values sequentially.
Set message: Issued by the management system to an agent on a managed device to write a value for a specific variable on the device.
Trap message: Issued by an agent running on a managed device when an error or alert condition occurs. The trap message is sent to the management system to alert administrators of the situation.
The management station regularly sends get, getnext, and set messages to the SNMP agent on the managed device, in effect periodically polling the agent for the status of the device. The agent verifies the community name in the message, verifies the IP address or host name of the SNMP management system, processes the request, and sends the results to the management system.
Graphic S-13. Simple Network Management Protocol (SNMP).
NOTE
SNMP version 2 adds security features, can be applied to network architectures other than TCP/IP, and supports additional data types. It is only partially backward compatible with SNMP 1. SNMP 2 also defines two additional types of messages:
Getbulk message: Similar to getnext but allows the retrieval of greater amounts of information in one data block
Inform message: Allows management systems to send information to other management systems using a trap-like message
Microsoft’s implementation of TCP/IP on Microsoft Windows NT and Windows 2000 includes agents and MIBs for collecting information on TCP/IP conditions and statistics.
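To make the message layout concrete, here is an added example (not from the encyclopedia and not Microsoft's agent code) that builds and parses SNMPv1 messages by hand in Python, using the BER tags from RFC 1157. It shows the two things the entry says an agent checks before answering, the community name and the manager's address, and why the community name is only a primitive control: it travels in cleartext in every datagram, so anyone who can see UDP port 161 traffic can read it. The manager address 10.0.0.5 used in the checks, and the "public"/"private" default names it flags, are assumptions for the example.

```python
"""Build and parse SNMPv1 messages (BER-encoded) to show what a management
station sends on UDP port 161 and what an agent checks before it answers.
Added example; tag values are the standard BER/SNMPv1 ones from RFC 1157."""
import hmac

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
PDU_TAG = {name: tag for tag, name in PDU_TYPES.items()}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth flagging (assumption)


def _ber_len(n):
    """BER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_int(value):
    """Minimal two's-complement INTEGER (a non-negative value gets a leading 0x00 if its top bit is set)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def build_request(community, oid, request_id, pdu="GetRequest"):
    """SNMPv1 message: SEQUENCE { version(0), community, PDU { id, err, errIdx, varbinds } }.
    The varbind value is NULL, which is what Get/GetNext send; a real Set carries the new value."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    body = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, varbind)
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + tlv(PDU_TAG[pdu], body))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(msg):
    """What the agent (or a sensor on the wire) sees: the community name is in cleartext."""
    _, body, _ = _read_tlv(msg, 0)
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)        # error-status, unused here
    _, _, pos = _read_tlv(pdu, pos)        # error-index, unused here
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    name = community.decode(errors="replace")
    return {"version": int.from_bytes(version, "big", signed=True),   # 0 = SNMPv1, 1 = SNMPv2c
            "community": name, "pdu": PDU_TYPES.get(pdu_tag, "unknown"),
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids, "default_community": name in DEFAULT_COMMUNITIES}


def agent_accepts(msg, community, allowed_managers, source_ip, read_only=True):
    """The checks the entry describes: community name and manager address; a Set also needs write access."""
    parsed = parse_message(msg)
    if parsed["version"] != 0 or not hmac.compare_digest(parsed["community"], community):
        return False
    if source_ip not in allowed_managers:
        return False
    if parsed["pdu"] == "SetRequest" and read_only:
        return False
    return True
```

The `default_community` flag is the kind of check a network scan or packet capture review would make: a device still answering to "public" or "private" is readable by anyone who can reach port 161.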
See also Management Information Base (MIB)
In Microsoft Windows 2000, a volume created using the Disk Management portion of the Computer Management tool that is made up of one or more contiguous blocks of free disk space on a single physical disk. You can extend simple volumes to include additional free disk space from the initial drive or from other drives, forming a spanned volume. You can create simple volumes only on dynamic volumes created using Disk Management. Simple volumes have no fault tolerance but can be mirrored to form mirrored volumes.
A form of communication in which signals are sent in only one direction. This is different from duplex transmission, in which signals can simultaneously be sent and received by a station, and from half-duplex transmission, in which signals can be sent or received but not both at the same time. Simplex transmission occurs in many common communication applications, the most obvious being broadcast and cable television. It is not used in true network communication because stations on a network generally need to communicate both ways. Some forms of network communication might seem to be simplex in nature, such as streaming audio or video, but the communication actually takes place using bidirectional network traffic, usually Transmission Control Protocol (TCP) traffic. Simplex communication is not included in the V series recommendations of the International Telecommunication Union (ITU).
See also duplex, half-duplex
A domain model used in small to mid-sized Microsoft Windows NT–based networks. In the single domain model, all global users and group accounts reside in a single domain and all network resources reside in the same domain. The single domain model is simple to implement and offers centralized administration of accounts and resources. The model works for as many as 40,000 accounts, although it performs poorly with large numbers of accounts.
TIP
When you upgrade a Windows NT–based network based on the single domain model to a Microsoft Windows 2000–based network, you usually end up with a single domain in Active Directory. You can then use Active Directory to create organizational units (OUs) to organize your network and assign administrative rights and permissions.
See also complete trust model, master domain, multiple master domain model
A domain model used in enterprise-level Microsoft Windows NT–based networks. In the single master domain model, all global users and group accounts reside in a single Windows NT domain called the accounts domain. Network resources reside in other domains called resource domains. Each resource domain must have a trust relationship with the accounts domain. Users who log on to their accounts in the accounts domain can access shared network resources in any resource domain if they have the appropriate permissions. The advantages and disadvantages of using this model are shown in the following table.
Pros and Cons of the Single Master Domain Model
| Pros | Cons |
|---|---|
| Not difficult to implement—one trust per resource domain | Poor performance when the number of accounts is large |
| Centralized administration of accounts | Local groups must be created in each resource domain |
| Resource domains manage their own resources | |
| Works for up to 40,000 accounts | |
Graphic S-14. Single master domain model.
TIP
When you upgrade a Windows NT–based network based on the single master domain model to a Microsoft Windows 2000–based network, you usually perform the upgrade from the top down. You first upgrade the master domain to a Windows 2000 domain based on Active Directory. Then you upgrade resource domains to child domains within a directory tree whose root domain is the former master domain. You can move user accounts from the master domain to the domains where users actually work, because two-way transitive trusts enable users in any domain within the domain tree to access resources in any other domain.
Alternatively, companies with a centralized IT department can upgrade both the master domain and the resource domains to a single Windows 2000 domain. Organizational units (OUs) can then be created within Active Directory to mirror the administrative structure of the former master domain model. Administrative rights and permissions can be assigned to users and groups based on the new OUs. Here are the advantages of using this approach:
One domain to manage
No trust relationships to create or manage
Faster searching because all directory objects reside in a single domain
See also complete trust model, multiple master domain model, single domain model
A type of fiber-optic cabling that can carry only one signal at a time. Single-mode fiber-optic cabling uses light generated by a laser-emitting diode to carry signals. Laser light is extremely stable and uniform and can be accurately focused, making it perfect for long-distance transmission. Single-mode fiber has extremely low signal attenuation and is typically used for long cable runs because it can generally carry signals up to 50 times farther than multimode fiber, which can carry many different signals simultaneously. Single-mode fiber typically has a core that is only 5 or 10 micrometers in diameter—much smaller than the core of multimode fiber, which needs room to carry many different light signals simultaneously.
TIP
Use single-mode fiber-optic cabling for long cable runs or where extra bandwidth is required. The bandwidth of single-mode fiber is typically double that of multimode fiber. Be aware, however, that installing single-mode fiber requires more care and expertise to avoid signal loss, especially if you terminate the cable with connectors. Single-mode fiber is also more expensive than multimode because multimode systems use transmitters that have cheaper light-emitting diodes, while single-mode systems use more expensive laser-emitting diodes in their transmitters. Also, when you use single-mode fiber-optic cabling, the ancillary devices such as line drivers cost more.
See also fiber-optic cabling, multimode fiber-optic cabling
In Microsoft Site Server, a user who is responsible for building and managing the Web site infrastructure and administering the overall Web publishing process. Site administrators ensure that content has been properly submitted by content authors and approved by site editors before it is deployed to destination Web servers.
Site administrators usually stage content on one or more staging servers so that it can be thoroughly tested before final deployment to one or many destination Web servers on the corporate intranet or the Internet.
A connector in Microsoft Exchange Server that is the simplest and most efficient way to connect Exchange sites and swap messages. The Site Connector enables Exchange servers in different sites to exchange e-mail messages in their native Exchange message format. No message conversion takes place, which saves time and processing power. Messages are sent using remote procedure calls (RPCs), and no connection schedule needs to be specified. Because Site Connectors use RPCs, sites must be connected with a dedicated connection that is always on, such as a local area network (LAN) connection or leased-line wide area network (WAN) link. The Site Connector also includes automatic features for enabling load balancing and fault tolerance.
Administrators who have the Permissions Admin role can configure Site Connectors at both ends of a LAN or WAN link. When you install a Site Connector, you can specify the following:
A bridgehead server in one or both sites that acts as a fixed endpoint of the messaging link between the sites and maintains connectivity between the sites
A list of target servers that specify which servers in the remote site can have messages routed to them by the Site Connector
In Microsoft Systems Management Server (SMS), an alias for a set of sites. You use site groups to limit jobs to a specific set of sites. For example, if you want to distribute software to servers at all your sales sites, you can create a site group that contains all sales sites in your company and then use this group to limit the scope of the job to servers at only those sites. You can also use site groups to limit the scope of a query or an alert.
Two or more computers running Microsoft Exchange Server linked together by local area network (LAN) or high-speed wide area network (WAN) connections. The servers share the same directory information and work together to provide message routing and delivery services for all users in the site. Exchange sites are usually geographically determined by city, state, country, or continent, depending on the scope of the enterprise. In the Exchange directory hierarchy, the Site container contains the site Configuration container and the site Recipients container.
NOTE
The following conditions are necessary for Exchange servers to exist in the same site:
Servers in the same site must have permanent network connections between them with remote procedure call (RPC) connectivity.
Servers in the same site must run under the same service account. (They must have a common security context.)
Available network bandwidth must be sufficient for messaging and directory synchronization.
A collection of domains and computers that are managed together. A Microsoft Systems Management Server (SMS) system has one central site and a hierarchy of subsites under it. The central site can be used to manage all other sites.
There are six kinds of SMS sites in an SMS system:
Central site: A primary site at the top of the site hierarchy
Primary site: A site that locally stores system data for itself and for its subsites in a Microsoft SQL Server database
Secondary site: A site without a database that reports its information to a primary site
Parent site: Any site that includes other sites beneath it in the site hierarchy
Child site: Any site that reports its information to another site in the hierarchy
Subsite: Any site beneath another site in the site hierarchy, regardless of whether it has a parent/child relationship with that site
The central site for an SMS system is always a primary site. If you log on to an SMS database for any site to which you have network access and the appropriate permissions, you can administer that site and all its subsites. If you log on to the central site, you can administer your entire network using SMS.
A collection of computers that are grouped together to optimize the performance of domain controllers. Sites are typically defined by geographical location and are connected by slower wide area network (WAN) links. At least one domain controller must be located at each site, thus ensuring that Active Directory runs at each site. Sites generally belong to one or more Internet Protocol (IP) subnets, and computers within a site are joined by high-speed networking connections.
How It Works
You define sites to manage and reduce Active Directory logon and directory replication traffic on the network. For example, when a user tries to log on to a Microsoft Windows 2000–based network, authentication is automatically attempted first by domain controllers in the site where the user is located. To optimize logon and replication traffic, sites should be groupings of servers connected by local area network (LAN) or high-speed permanent WAN links. You can create sites to control which domain controllers a group of workstations will use for network logons.
Sites contain two types of Active Directory objects: servers and connections. These objects are used to configure Active Directory replication. You can schedule replication traffic between sites to occur at off-hours to reduce network congestion. Replication traffic within a site (intrasite replication) uses remote procedure calls (RPCs) with dynamically assigned port numbers. Replication between sites (intersite replication) can use either TCP/IP or Simple Mail Transfer Protocol (SMTP) messages.
The topology of each site is stored in Active Directory. A site can contain domain controllers from several domains, and domain controllers from a particular domain might be located in several different sites. You can create sites by using Active Directory Sites and Services, a snap-in for Microsoft Management Console (MMC). A default site is created the first time the Active Directory Installation Wizard is run to create the first (root) domain controller of your enterprise.
To create additional sites, take the following steps:
Create a new site by using Active Directory Sites and Services.
Create a subnet (or use an existing one) and associate it with the site to indicate which portion of your network is associated with the site.
Create a site link (or use an existing one) that represents a connection between your new site and existing sites. Configure the transport, sites, cost, and schedule attributes of the site link as desired.
If desired, create a site link bridge to reduce the number of site links that you need to create for your new site.
Create a connection object using the Knowledge Consistency Checker (KCC) across each site link between domain controllers in your new site and in linked sites.
Place domain controllers and global catalog servers in your new site as desired.
NOTE
Sites are not part of the Domain Name System (DNS) namespace for an Active Directory implementation.
TIP
Try to limit the number of sites you use in your enterprise. Geographically separate locations of your company that do not need domain controllers should be part of larger sites instead of separate sites. There is no real advantage to defining multiple sites at a single physical location, and there are disadvantages to doing so. For example, if all domain controllers in one site become temporarily unavailable, workstations in that site will try to be authenticated from any other domain controller in the domain, even if the domain controller is in a remote site. Once a workstation finds a domain controller that responds to it, it will continue using that domain controller for all subsequent logons. This can cause unwanted WAN traffic because Windows 2000 does not keep track of which sites are “near” a given site in regard to network connectivity and speed.
Planning a site topology for your enterprise generally involves balancing good logon traffic with good replication traffic. Be sure to take into account the available bandwidth of physical network links between locations when you plan sites.
See Microsoft Site Server Express
See service-level agreement (SLA)
See Serial Line Internet Protocol (SLIP)
See Microsoft BackOffice Small Business Server
The primary administration tool for Microsoft BackOffice Small Business Server. The Small Business Server Console provides a consistent and unified wizard-based administration interface for integrated, day-to-day management of Small Business Server users, services, and resources. Because the console deliberately hides advanced Microsoft Windows NT concepts such as permissions and rights, the Small Business Server administrator can focus on day-to-day administration of server resources and doesn’t need to learn those concepts.
The Small Business Server Console facilitates task-based administration that doesn’t rely on the use of applications. For example, to create a distribution list, you simply click the console button labeled Create New Distribution List instead of using the Exchange Administrator program. You use the Task page for frequently used management tasks; you use the More Tasks page for less commonly used tasks. Some tasks are also accessible from multiple pages in the console, with hyperlinks between related tasks. This eliminates flipping between console pages and speeds common administration tasks.
Wizards throughout the console guide you through the steps required to complete a selected task. For example, if you want to add a new user, a wizard leads you through the steps of creating and configuring the new account so that you do not have to use the User Manager for Domains administrative tool. By default, new users are granted access to common shared resources such as company folders, printers, faxes, the Internet, and dial-up networking.
A hardware bus specification for connecting peripherals to a computer using a parallel transmission interface. The Small Computer System Interface (SCSI) was developed by Apple and is widely used in the PC world for high-end storage solutions. Microsoft Cluster Server (MSCS) uses a shared SCSI bus to provide failover support for two computers on which Microsoft Windows NT Server, Enterprise Edition is installed.
How It Works
To implement SCSI on a system, you use a SCSI adapter to interface with the system bus, suitable SCSI devices such as SCSI hard drives, SCSI cables to daisy-chain the devices, and SCSI terminators for the ends of the bus. Each device on a SCSI bus must have a SCSI device ID number assigned to it, allowing SCSI to be used for daisy-chaining a number of devices together on a single parallel bus. You can change SCSI IDs by using dip switches or jumpers, or by using configuration software.
SCSI devices come in two basic types:
Single-ended devices: Use one data lead and one ground lead to establish single-ended signal transmission over the bus. This type of device is more prone to the effects of noise and is less forgiving of cable lengths beyond specifications.
Differential devices: Use two data leads, neither of which is at ground potential. These devices are generally more expensive but are resistant to the effects of noise and can often function over distances that exceed the SCSI specifications.
The SCSI interface comes in several varieties, including the following:
SCSI-1: The original 1986 SCSI standard that supports transmission rates of 5 Mbps over an 8-bit bus for up to seven daisy-chained devices. SCSI-1 cables typically use Centronics 50 or Telco 50 connectors. The chained bus length must not exceed 6 meters (20 feet).
SCSI-2: Sometimes referred to as Plain SCSI; a common SCSI standard that supports transmission rates of 5 Mbps over an 8-bit bus for up to seven daisy-chained devices. SCSI-2 cables typically use Micro DB50 connectors. Fast SCSI is a variant that supports 10-Mbps transmission rates, while Fast Wide SCSI uses a 16-bit bus and supports 20-Mbps rates. The chained bus length must not exceed 6 meters (20 feet) for regular SCSI-2, and 3 meters (10 feet) for Fast SCSI.
SCSI-3: Also called Ultra SCSI; a SCSI standard that supports transmission rates of 20 to 40 Mbps over an 8-bit or 16-bit bus for up to 15 daisy-chained devices. SCSI-3 cables typically use MicroD 68-pin or Mini 68 connectors.
SCSI-5: Also called Very High Density Connector Interface (VHDCI); a SCSI standard similar to SCSI-3 but with a smaller 0.8-millimeter connector.
Graphic S-15. Four varieties of SCSI interface.
NOTE
Eight-bit SCSI data paths are referred to as “narrow” paths, and 16-bit data paths are called “wide” paths.
TIP
SCSI cables must always be properly terminated in order for devices to be properly recognized; they should also use high-quality active terminators. Diagnostic terminators that help identify problems in signal quality are also available.
Always use the shortest cable possible for SCSI connections, because longer cables cause signals to weaken and are more affected by noise due to electromagnetic interference (EMI). When you calculate the total length of the SCSI bus, add the lengths of all the SCSI cable segments plus any internal SCSI cabling.
Be sure that all devices on a SCSI bus are configured for either single-ended or differential transmission—do not mix these methods on a single bus. You can connect single-ended devices to differential transmission devices only by using a signal converter. If you don’t use a signal converter, your SCSI devices might be damaged by unexpected voltages.
A Simple Mail Transfer Protocol (SMTP) host through which a company routes all its outgoing messages. The SMTP service of Internet Information Services (IIS) on Microsoft Windows 2000 can forward all outbound messages to a specified smart host. You can also configure the Internet Mail Service on Microsoft Exchange Server to forward all outgoing SMTP mail to a specific SMTP host on the Internet. Exchange Server itself can also function as a smart host for other SMTP mail servers. By using a smart host, you can offload some of the SMTP mail processing functions of your corporate SMTP mail server.
See Server Message Block (SMB)
See Switched Multimegabit Data Services (SMDS)
See Secure/Multipurpose Internet Mail Extensions (S/MIME)
See Microsoft Systems Management Server (SMS), Short Message Service (SMS)
See Systems Management Server Service Manager
See Simple Mail Transfer Protocol (SMTP)
A service installed when Internet Information Services (IIS) is installed on a computer running Microsoft Windows NT Server or Windows 2000 Server. The SMTP service is managed through a snap-in extension for the Microsoft Management Console (MMC) and is dedicated to the delivery of SMTP mail using the Simple Mail Transfer Protocol (SMTP). The SMTP service has no facility for creating user mailboxes, so it cannot function as a stand-alone mail server. One common use for this service is to enable Active Server Pages (ASP) applications to send SMTP mail in response to a form submission.
See Systems Network Architecture (SNA)
Stands for SNA Distribution Services, the e-mail messaging transport protocol for IBM’s Systems Network Architecture (SNA). SNADS is a mainframe host-based messaging system that is commonly used in SNA networking environments. Microsoft Exchange Server includes a connector for enabling messaging connectivity between SNADS mail systems and Exchange servers. You can use Microsoft SNA Server to provide the underlying network connectivity for this connector to function. The SNADS connector allows Exchange Server to leverage the functionality of existing host-based messaging systems such as AS/400 and System 3x during migration to a distributed client/server-based environment.
A component that can be loaded into the Microsoft Management Console (MMC) to provide a specific management capability in Microsoft Windows 2000 or in a Microsoft BackOffice server application. Many snap-ins are available for administering computers running Windows 2000; these include third-party snap-ins for managing installable third-party applications and services. The following table shows some of the snap-ins that come with Windows 2000. Not all of them appear in the administrative tools program group that you access from the Start menu.
Windows 2000 Snap-Ins
| Snap-In | Function |
|---|---|
| Active Directory Users and Computers | Configuring Active Directory, organizing a domain, creating user and group accounts, and configuring security for networking components |
| Active Directory Schema | Modifying the schema |
| Active Directory Sites and Services | Creating and managing sites |
| Active Directory Domains and Trusts | Administering a domain within a domain tree |
| Admission Control Services Manager | Configuring Admission Control Services |
| Certificate Manager | Managing digital certificates and keys |
| Computer Management | Managing a computer and creating access to other useful snap-ins such as Disk Management and Event Viewer |
| Device Manager | Managing resources used by system devices |
| DHCP Manager | Creating and configuring Dynamic Host Configuration Protocol (DHCP) servers |
| Disk Defragmenter | Defragmenting disks |
| Disk Management | Configuring disks and volumes |
| DFS Manager | Configuring the Distributed file system (Dfs) for centralized management of network resources |
| DNS Manager | Creating and configuring Domain Name System (DNS) servers |
| Event Viewer | Viewing system, application, security, and other logs on local and remote computers |
| File Service Management | Creating shares on local and remote computers and monitoring and configuring network connections |
| Group Policy Editor | Creating group policy objects (GPOs) for configuring groups of computers centrally |
| Index Manager | Configuring indexing of directories |
| Internet Authentication Service | Configuring the Internet Authentication Service (IAS) and its clients |
| Internet Information Services (IIS) | Creating and configuring World Wide Web (WWW) and File Transfer Protocol (FTP) sites |
| IP Security Policy Management | Configuring Internet Protocol Security (IPSec) |
| Local User Manager | Managing user accounts in a workgroup |
| Microsoft System Information | Viewing system component details |
| Microsoft Transaction Server | Configuring Microsoft Transaction Server (MTS) |
| Network Management | Managing network services and policies |
| Removable Storage Management | Managing removable storage devices |
| Routing and Remote Access Management | Configuring Routing and Remote Access Service (RRAS) |
| Security Configuration Editor | Creating and modifying security policies |
| Security Configuration Manager | Managing security policies |
| System Monitor Log Manager | Managing System Monitor logs |
| System Service Management | Monitoring, starting, and stopping services |
| Telephony Manager | Managing Telephony API (TAPI) applications |
Snap-ins come in two types:
Stand-alone snap-ins (or simply “snap-ins”), which provide an associated set of administrative functions
Extensions, which provide additional functionality to stand-alone snap-ins
See Simple Network Management Protocol (SNMP)
The service that enables Simple Network Management Protocol (SNMP) on a computer running Microsoft Windows NT Server or Windows 2000 Server. Features of the SNMP service include the following:
Support for the Windows Sockets application programming interface (API)
Extensibility (You can add Management Information Bases through third-party dynamic-link libraries.)
Use of standard User Datagram Protocol (UDP) port 161
NOTE
An additional service called the SNMP Trap Service enables Windows NT to trap SNMP events such as error conditions.
See also Simple Network Management Protocol (SNMP)
See start of authority (SOA) record
A logical endpoint for communication between two hosts on a TCP/IP network. A socket is also an application programming interface (API) for establishing, maintaining, and tearing down communication between TCP/IP hosts. Sockets were first developed for the Berkeley UNIX platform as a way of providing support for creating virtual connections between different processes.
How It Works
Sockets provide a mechanism for building distributed network applications such as client/server applications. Two sockets form a complete bidirectional communication path between processes on two different TCP/IP hosts. Network-aware applications and services can create and destroy sockets as needed.
As an endpoint for network communication between hosts, a socket is uniquely identified by three attributes:
The host’s IP address
The type of service needed—for example, a connectionless protocol such as User Datagram Protocol (UDP) or a connection-oriented protocol such as Transmission Control Protocol (TCP)
The port number used by the application or service running on the host
For example, the following identifier would represent a socket for the Simple Mail Transfer Protocol (SMTP) mail service running on a host with the specified IP address. (Port 25 is the well-known port number for the SMTP service on a TCP/IP host.)
172.16.8.55 (TCP port 25)
NOTE
In the Win32 programming environment, sockets are implemented using a programming interface called Windows Sockets. Windows Sockets on Microsoft Windows platforms supports most Internet protocols and services, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telnet.
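The three attributes that identify a socket can be observed directly from Python's socket API, which follows the Berkeley model the entry describes. The following added example (not from the encyclopedia) opens a listening TCP socket on the loopback address with port 0 so the kernel picks a free port, connects a second socket to it, exchanges a message in each direction over the resulting bidirectional path, and then binds a UDP socket to the same port number to show that the type of service is part of the identity: TCP port N and UDP port N are two different sockets. The "EHLO"/"250 OK" strings are constructed sample data, not a real SMTP session.

```python
"""Two TCP sockets forming a bidirectional path on the loopback interface,
plus a UDP socket on the same port number to show that the protocol is part
of a socket's identity. Added example; sample payloads are constructed."""
import socket


def describe(sock):
    """Render an endpoint in the entry's notation, e.g. '127.0.0.1 (TCP port 25)'."""
    proto = "TCP" if sock.type == socket.SOCK_STREAM else "UDP"
    ip, port = sock.getsockname()[:2]
    return f"{ip} ({proto} port {port})"


def socket_pair_demo(payload=b"EHLO client.example"):
    """Return the identities of both ends of a loopback TCP connection and the data each received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the kernel choose a free port
    server.listen(1)

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(server.getsockname())   # handshake completes against the listen backlog
    conn, peer = server.accept()           # conn: the server-side socket of this connection

    client.sendall(payload)                # one direction ...
    received = conn.recv(1024)
    conn.sendall(b"250 OK")                # ... and the other, over the same pair of sockets
    reply = client.recv(1024)

    # Same address and port number, different protocol: a distinct socket, so the bind succeeds.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", server.getsockname()[1]))

    result = {
        "server_socket": describe(conn),
        "client_socket": describe(client),
        "client_peer_as_seen_by_server": f"{peer[0]} (TCP port {peer[1]})",
        "udp_socket": describe(udp),
        "received": received,
        "reply": reply,
        "same_port_two_sockets": udp.getsockname()[1] == conn.getsockname()[1],
    }
    for s in (udp, conn, client, server):
        s.close()
    return result


if __name__ == "__main__":
    for key, value in socket_pair_demo().items():
        print(f"{key}: {value}")
```

The client's own `getsockname()` and the address the server saw in `accept()` are the same triple, which is exactly the identifier a firewall or connection log records for the session.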
See also Windows Sockets
A circuit-layer proxy protocol used in client/server networking environments. SOCKS lets hosts on each side of a proxy server communicate with each other by establishing a relay connection between the internal and external networks.
SOCKS also provides authentication functions for controlling access between networks. SOCKS is widely implemented in both proxy server and firewall software, especially for allowing hosts on a private network to access the Internet while preventing distrusted hosts on the Internet from accessing the private network. SOCKS v5 is defined in Request for Comments (RFC) 1928, 1929, and 1961.
How It Works
When a host on one side of a proxy server wants to connect to a host on the other side to access network resources, SOCKS server software running on the proxy server authenticates the host’s request, creates a circuit-level proxy connection to the target host, requests the necessary data, and relays the information back to the requesting host.
Graphic S-16. SOCKS v5.
The SOCKS client on the requesting host first negotiates an authentication method with the SOCKS server, and then sends the user’s credentials to the SOCKS server for authentication.
SOCKS v5 supports a number of authentication methods, including Challenge Handshake Authentication Protocol (CHAP) and digital certificates. Once the user is authenticated, the SOCKS client sends a request message using the SOCKS protocol to the SOCKS server (the daemon or SOCKS service running on the proxy server). This request message contains the address of the target host, such as a Web server on a corporate intranet. The SOCKS server then establishes a Transmission Control Protocol (TCP) connection with the target host that functions as a proxy circuit between the requesting and target hosts. Once this “virtual circuit” is established, the SOCKS server notifies the SOCKS client and communication can begin between the two hosts, with the SOCKS server relaying each packet sent between them.
SOCKS also supports public-key encryption for secure, encrypted transmission of data.
The previous version of the protocol, SOCKS v4, was more difficult to configure on the client side and had no support for authentication of users or encryption of data. It also did not support User Datagram Protocol (UDP) traffic. SOCKS v5 is easier to configure, supports various authentication methods and encryption algorithms, and supports connectionless UDP traffic.
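The negotiation described above can be followed message by message. The following is an added example (not from the encyclopedia and not any vendor's SOCKS implementation) that builds both the client's and the server's messages from RFC 1928 and RFC 1929 in memory: the method greeting, the username/password sub-negotiation, the CONNECT request, and the server's reply. The server side refuses a client that does not offer the configured authentication method rather than falling back to no authentication, compares the password in constant time, and applies a ruleset before answering. The user "alice", her password, the allowed ports 80 and 443, the target names, and the bound address 192.0.2.10:1080 are all constructed for the example; no TCP circuit is actually opened.

```python
"""SOCKS v5 exchange (RFC 1928 with RFC 1929 username/password) with both the
client's and the server's messages built and checked in memory.
Added example; the credential store and ruleset below are constructed."""
import hmac
import socket
import struct

VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_FAIL, REP_RULESET, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x01, 0x02, 0x07, 0x08


# ---- client side ---------------------------------------------------------
def client_greeting(methods):
    """VER, NMETHODS, METHODS: the client lists the authentication methods it supports."""
    return bytes([VER, len(methods)]) + bytes(methods)


def client_auth(username, password):
    """RFC 1929 sub-negotiation request: VER(1), ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host, port):
    """CONNECT request naming the target; a dotted quad goes as IPv4, anything else as a domain name."""
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        dst = bytes([ATYP_DOMAIN, len(host)]) + host.encode()
    return bytes([VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_reply(reply):
    return reply[1]          # REP field: 0x00 succeeded, otherwise a failure code


# ---- server side (the SOCKS daemon on the proxy) -------------------------
def server_select_method(greeting, required=USER_PASS):
    """Pick the configured method or refuse; never downgrade to NO_AUTH because the client asked."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return bytes([VER, NO_ACCEPTABLE])
    chosen = required if required in greeting[2:] else NO_ACCEPTABLE
    return bytes([VER, chosen])


def server_check_auth(msg, credentials):
    """Verify the RFC 1929 credentials with a constant-time comparison; reply VER(1), STATUS."""
    if not msg or msg[0] != 0x01:
        return bytes([0x01, 0x01])
    ulen = msg[1]
    user = msg[2:2 + ulen].decode(errors="replace")
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    ok = user in credentials and hmac.compare_digest(credentials[user], password)
    return bytes([0x01, 0x00 if ok else 0x01])


def server_handle_request(req, allowed_ports, bound=("192.0.2.10", 1080)):
    """Apply the ruleset and build the reply; a real server would open the TCP circuit here."""
    if len(req) < 4 or req[0] != VER:
        rep, target = REP_FAIL, None
    elif req[1] != CMD_CONNECT:
        rep, target = REP_BAD_CMD, None
    elif req[3] == ATYP_IPV4:
        target = (socket.inet_ntoa(req[4:8]), struct.unpack("!H", req[8:10])[0])
        rep = REP_OK if target[1] in allowed_ports else REP_RULESET
    elif req[3] == ATYP_DOMAIN:
        n = req[4]
        target = (req[5:5 + n].decode(), struct.unpack("!H", req[5 + n:7 + n])[0])
        rep = REP_OK if target[1] in allowed_ports else REP_RULESET
    else:
        rep, target = REP_BAD_ATYP, None
    reply = bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bound[0]) + struct.pack("!H", bound[1])
    return reply, target


# ---- the exchange the entry describes, end to end -------------------------
CREDENTIALS = {"alice": b"correct horse"}     # constructed sample user (store hashes in practice)
ALLOWED_PORTS = {80, 443}                     # constructed ruleset: web traffic only


def run_exchange(username, password, host, port, offer=(NO_AUTH, USER_PASS)):
    """Drive client and server through greeting, auth, and CONNECT; return what each step decided."""
    transcript = {}
    transcript["method"] = server_select_method(client_greeting(offer))[1]
    if transcript["method"] == NO_ACCEPTABLE:
        return transcript                     # client must close the connection
    transcript["auth_status"] = server_check_auth(client_auth(username, password), CREDENTIALS)[1]
    if transcript["auth_status"] != 0x00:
        return transcript                     # server closes the connection
    reply, target = server_handle_request(client_connect(host, port), ALLOWED_PORTS)
    transcript["rep"] = parse_reply(reply)
    transcript["target"] = target
    return transcript
```

Each refusal happens at the earliest possible step, so the proxy's log shows whether a session failed at method selection, at authentication, or at the ruleset, which is what the logging the NOTE below mentions is for.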
NOTE
To use SOCKS, you must have SOCKS-enabled client software installed on the hosts that will be communicating over the proxy server. Using SOCKS, virtual circuits are set up and torn down between the two hosts on a session-by-session basis. SOCKS servers usually include comprehensive logging functionality to analyze the flow of traffic between the trusted and distrusted networks.
TIP
To access Microsoft NetShow servers through a firewall, you must upgrade from SOCKS v4 to SOCKS v5 because NetShow uses UDP connectionless communication. Microsoft Proxy Server supports the SOCKS protocol and can act as a secure circuit-level gateway between a private network and a distrusted public network such as the Internet.
Wire that has a single solid copper core surrounded by insulation, as opposed to stranded conductor wire, which consists of many fine strands of wire woven into a conducting bundle. Unshielded twisted-pair (UTP) cabling commonly comes in both solid and stranded forms. The following table compares the advantages of these types of wire.
Solid Conductor Wire vs. Stranded Conductor Wire
| Solid Conductor | Stranded Conductor |
|---|---|
| Less attenuation | More flexible |
| Better conductivity | Less likely to break or fracture |
| Easier to terminate | Longer lasting |
| Cheaper | |
Solid conductor wire is generally used for vertical backbone cabling between wiring closets on different floors and for horizontal runs from wiring closets to wall plates in work areas on each floor. Solid cabling is also used for permanently installed long cable runs inside and between buildings because it has less attenuation than stranded conductor wire and signals can travel farther without losing strength.
See also stranded conductor wire
See Synchronous Optical Network (SONET)
The address from which a frame or packet of data originates on a network. The source address identifies the sending host to the receiving host and is used by the receiving host as a destination address for a response packet (such as an acknowledgment). Bridges also use the source address in building their internal routing tables of media access control (MAC) addresses for determining which packets should be forwarded to other network segments.
The source address refers to one of the following:
The physical address, such as the MAC address of an Ethernet frame
The logical address, such as the IP address of an Internet Protocol (IP) packet
Source addresses always identify the specific host that transmitted the packet or frame onto the network. This is in contrast to destination addresses, which sometimes direct packets to all hosts or to a specific group of hosts on the network.
TIP
You can see the source address of a packet or frame by using a network sniffer such as Network Monitor, a tool included with Microsoft Systems Management Server (SMS). Network Monitor displays source addresses in both ASCII and hexadecimal form.
See also destination address
Files that are needed to install software and are usually on the CD supplied by the software vendor. For example, the source files for Microsoft Windows NT on an x86-based system are on the Windows NT CD in the \I386 folder, the source files for Microsoft Windows 98 are on the Windows 98 CD in the \Win98 folder, and the source files for Microsoft Windows 2000 are on the Windows 2000 CD in the \I386 folder.
TIP
By copying source files from a CD to a folder on a network server and then sharing that folder, you can create a distribution server. A network client can then connect to the distribution server and install the application or operating system without having to use a local CD-ROM drive.
Unsolicited e-mail such as chain letters and advertising for services or products. To avoid getting spam, you can do the following:
Avoid posting messages to Usenet newsgroups.
Never reply to junk mail.
Configure filters on your mail client to filter out mail containing certain keywords.
Ask your Internet service provider (ISP) to configure its mail servers to reject spam.
Spam is sometimes politely referred to as unsolicited commercial e-mail (UCE).
NOTE
To prevent abuse by spammers, the SMTP service of Internet Information Server (IIS) version 4 by default does not allow Simple Mail Transfer Protocol (SMTP) mail to be relayed through it to an outside e-mail address.
TIP
If your e-mail address somehow gets on the mailing lists of spammers, you can usually configure rules on your e-mail program’s Inbox to discard mail that comes from a specific address, uses words such as “sale” or “buy” in the subject header, or has specific words or phrases in the body of the message, but this is usually a tedious and losing game. A better solution is to use the Delete key. If the situation gets really bad, see whether your mail administrator or ISP can filter out spam.
In Microsoft Windows 2000, a volume created using the Disk Management portion of the Computer Management tool that is made up of free space from more than one physical disk. You can extend spanned volumes by adding additional free space from other physical disks. Spanned volumes must be created on dynamic disks. They are not fault tolerant and cannot be mirrored.
NOTE
The equivalent to spanned volumes in Microsoft Windows NT is volume sets.
See also dynamic volume
An algorithm implemented on bridges and some Ethernet switches that detects redundant paths in an Ethernet network and prevents traffic from endlessly looping around the network. The spanning tree algorithm (STA) allows redundant paths to be used for backup links between bridged networks to provide fault tolerance in an internetwork.
TIP
Implementing the STA on Ethernet switches can sometimes prevent clients from renewing their Dynamic Host Configuration Protocol (DHCP) lease with a DHCP server. It might take 10 or 15 seconds for the STA to check the ports on the switch for loops, and if a computer running Microsoft Windows tries to obtain a DHCP lease during this time interval, the DHCPREQUEST packet is lost. You can work around this by disabling the STA on the switch or manually releasing and renewing the computer’s IP address using ipconfig (on Windows NT and Windows 2000) or winipcfg (on Windows 95 and Windows 98).
Also sometimes known as a system group, a special group account on a computer running Microsoft Windows NT or Windows 2000 that you can use to control security and access to NTFS volumes.
How It Works
Special identities are groups whose membership is controlled by the operating system itself, not by administrators or individual users. User accounts become “members” of these special groups based on the type of system activity they participate in; you cannot modify the “membership” of these groups directly.
Special identities on Windows NT systems include the following:
Creator Owner: Consists of users who will create files or subdirectories within the current directory on an NTFS volume.
Everyone: Consists of all network users, including guests and users from distrusted domains. Granting NTFS permissions to Everyone allows anyone to access the file or directory.
Interactive: Consists of all users who log on interactively to the console of the machine or who access the NTFS file system on the machine from a local console.
Network: Consists of all users who log on to the machine from over the network or who access the NTFS file system on the machine from over the network.
System: Consists of the local operating system. System is not normally used when assigning permissions to files and directories on NTFS volumes.
Additional special identities in Windows 2000 include the following:
Authenticated Users: Consists of all users with a valid user account in the local directory database or in Active Directory. The Authenticated Users identity was also added to Windows NT 4 in Service Pack 3.
Anonymous Logon: Consists of any user accounts that Windows 2000 did not authenticate.
Dialup: Consists of any users who currently have a dial-up connection.
See Shortest Path First (SPF)
The process of attempting to breach a network’s security by altering the source addresses of packets, making them appear as though they came from a trusted user within the network rather than from a distrusted outside user. Spoofing is one of the methods by which hackers attempt to compromise a network’s security and is of particular concern when a network is connected to the Internet.
Because of limitations in the design of the current Internet Protocol (IP) standard, IPv4, spoofing of IP packets cannot be prevented, only protected against. One way to protect your network against IP address spoofing is to use the packet-filtering features of a router or firewall. Configure your packet-filtering router so that the input filter on the external router interface discards any packet coming from the external network whose source address makes it look like it originated from your own internal network. Similarly, configure the output filter on your internal router interface to discard any outgoing packets that have a source address different from that of your internal network to protect against spoofing attacks from within your own network.
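The two filter rules described above, as an added Python example that is not part of the original entry; the internal prefix 192.168.0.0/16, the interface names and the sample packets are constructed, and each rule is keyed on the interface a packet arrives on (external facing the Internet, internal facing the private network).

```python
"""Anti-spoofing ingress and egress filters for a border router.

Added example, not from the original entry. Site prefix, interface names
and sample traffic are constructed for illustration.
"""
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "arrived_on src dst")

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")   # constructed site prefix


def decide(pkt, internal_net=INTERNAL_NET):
    """Return ("accept" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.arrived_on == "external" and src in internal_net:
        # Input filter on the external interface: nothing arriving from the
        # Internet may claim an address inside our own network.
        return "drop", "ingress spoof: internal source %s from outside" % src
    if pkt.arrived_on == "internal" and src not in internal_net:
        # Output filter for traffic leaving the site: our hosts may only send
        # with our own addresses, so an inside host cannot spoof someone else.
        return "drop", "egress spoof: foreign source %s leaving site" % src
    return "accept", ""


def apply_filters(packets, internal_net=INTERNAL_NET):
    """Evaluate every packet; returns (verdicts, drop_reasons, counts)."""
    verdicts, reasons = [], []
    for pkt in packets:
        verdict, why = decide(pkt, internal_net)
        verdicts.append(verdict)
        if verdict == "drop":
            reasons.append(why)
    return verdicts, reasons, Counter(verdicts)


# Constructed sample traffic: two legitimate flows and two spoofing attempts.
SAMPLE_PACKETS = [
    Packet("external", "203.0.113.10", "192.168.1.20"),   # normal inbound
    Packet("external", "192.168.1.5", "192.168.1.20"),    # claims to be inside
    Packet("internal", "192.168.1.20", "203.0.113.10"),   # normal outbound
    Packet("internal", "198.51.100.7", "203.0.113.10"),   # inside host spoofing
]

if __name__ == "__main__":
    verdicts, reasons, counts = apply_filters(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(verdict, pkt)
    print(dict(counts), reasons)
```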
See also packet filtering
The process of temporarily storing documents sent for printing on a hard disk and then sending them to the print device when it is ready (or when some other criterion has been met). The application software that performs this task is called a spooler. The spooler accepts and temporarily stores documents to be printed and then sends them to the printer according to predefined conditions such as print priority and schedule. Spooling of print jobs allows control to be returned more quickly to the application that generated the job. Spooling also allows jobs to be queued when the printer is unavailable so that the application doesn’t have to generate the jobs again.
NOTE
The term “spool” is actually an acronym for Simultaneous Peripheral Operation On Line.
A wireless networking technology originally developed by the U.S. military for secure wireless communication.
How It Works
Unlike other forms of wireless communication, spread spectrum technologies take advantage of a large portion of the electromagnetic spectrum, making it difficult for distrusted users to “listen in” on private conversations. Two basic mechanisms can be used to implement spread spectrum wireless communication: direct sequence technology and frequency-hopping technology.
Direct sequence technology takes an individual binary bit from the transmission signal and converts it to a binary string. This string is then transmitted as a single wideband signal over an adjacent set of frequencies, with each bit in the string transmitted at a different frequency. The receiving station examines the bit pattern of the binary string and determines which single bit was originally transmitted by the sending station. This technology has built-in fault tolerance because electromagnetic interference (EMI) might degrade a portion of the binary string, but if the receiving station can recognize a different portion of the string, communication is assured. A typical example of direct sequencing technology might be to assign the string 10011011 to bit 1 and its inverse 01100100 to bit 0. Transmission of the bit sequence 110 would then consist of three transmitted strings: 10011011, 10011011, and 01100100.
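The spreading scheme from the example above, as an added Python example that is not code from the original entry: bit 1 is sent as 10011011 and bit 0 as its inverse 01100100, and the receiver picks whichever pattern is nearer in Hamming distance, which is why up to three corrupted chips per bit can be repaired (a four-chip tie is reported as an erasure).

```python
"""Direct-sequence spreading with the 8-chip strings from the entry.

Added example, not from the original. Shows how the receiver recovers the
transmitted bit when interference has flipped part of the chip string.
"""
CHIP_ONE = "10011011"    # pattern assigned to bit 1 in the entry
CHIP_ZERO = "01100100"   # its bitwise inverse, assigned to bit 0


def spread(bits):
    """Expand a data bit string into the list of chip strings to transmit."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bits must be a string of 0s and 1s")
    return [CHIP_ONE if b == "1" else CHIP_ZERO for b in bits]


def hamming(a, b):
    """Number of chip positions in which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


def despread(chips):
    """Recover data bits from received chip strings.

    Returns (bits, corrected): corrected is the total number of chip errors
    repaired. A chip string equally close to both patterns (4 errors) is
    ambiguous and decodes as '?'.
    """
    bits, corrected = [], 0
    for chip in chips:
        if len(chip) != len(CHIP_ONE):
            raise ValueError("chip string of wrong length: %r" % chip)
        d_one, d_zero = hamming(chip, CHIP_ONE), hamming(chip, CHIP_ZERO)
        if d_one == d_zero:
            bits.append("?")
        elif d_one < d_zero:
            bits.append("1")
            corrected += d_one
        else:
            bits.append("0")
            corrected += d_zero
    return "".join(bits), corrected


def corrupt(chip, positions):
    """Model EMI by flipping the chips at the given positions."""
    out = list(chip)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


if __name__ == "__main__":
    sent = spread("110")                       # the entry's example
    noisy = [corrupt(c, [0, 3]) for c in sent]  # two flipped chips per bit
    print(sent, noisy, despread(noisy))
```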
Frequency-hopping technology uses a continually changing carrier frequency. The pattern by which the carrier frequency is changed is programmed according to an algorithm known to both the sending and receiving stations. For communication to take place, the two stations must remain synchronized throughout the session. One station is designated the master station and the other the slave station. If particular frequencies within the spread spectrum communication band contain interference from other radio sources, frequency-hopping technology can avoid these frequencies by using adaptive techniques. To further enhance security, either station can also dynamically change the pattern of frequency hopping.
Spread spectrum technologies can have a variety of uses in networking, including point-to-point links between networks, wireless local area networks (LANs), and cellular-based roving network communication. One common use in networking environments is for connecting stations to a LAN when it is impractical or impossible to lay cabling. Communication is currently limited to speeds of about 2 Mbps. Spread spectrum networking systems generally use very low power signals in the high radio or low microwave portion of the electromagnetic spectrum.
Spread spectrum communication can take place in three portions of the electromagnetic spectrum allocated by the Federal Communications Commission (FCC) without special licensing for wireless devices:
Industrial band: 902 to 928 MHz
Scientific band: 2400 to 2483.5 MHz
Medical band: 5725 to 5850 MHz
TIP
You can also use spread spectrum wireless bridge technologies to establish point-to-point or multipoint communication between buildings on a campus. These devices usually support line-of-sight connections that function to distances of 30 kilometers or more, with speed decreasing as the distance increases. Spread spectrum devices for wireless LAN stations generally have a much shorter range, usually no more than about 200 meters.
See Structured Query Language (SQL)
A tool in Microsoft SQL Server 7 for configuring clients for connectivity to a server running SQL Server. In version 6 of SQL Server, this tool is called Client Configuration utility. Clients in this context are applications that act as front ends for accessing the back-end services of a server running SQL Server.
You use SQL Client Network utility to
Define server alias names
Manage client Net-Libraries
Configure default options for DB-Library applications
NOTE
Client Network utility is rarely needed in SQL Server 7. Usually, a client needs to specify only the network name of the server running SQL Server in order to connect to the server.
See also SQL Server tools
See SQL Enterprise Manager
See SQL Server Agent
A utility in Microsoft SQL Server 6 that can send messages through the built-in Messaging Application Programming Interface (MAPI) of Microsoft Windows NT.
SQL Mail messages can be
Short strings of text
The output of a query
An attached file
By using SQL Mail extended stored procedures, you can send messages in response to events such as the following:
SQL Server generates an alert.
A performance monitor threshold is exceeded.
A scheduled task succeeds or fails.
NOTE
SQL Server 7 uses two services for sending mail:
MSSQLServer Service: Processes mail for mail stored procedures
SQLServerAgent Service: Has its own mail capabilities that are separate from SQL Mail
A tool in Microsoft SQL Server 6 for managing SQL Server user accounts when you run Integrated Security. You can use SQL Security Manager to automatically copy Microsoft Windows NT user accounts to a server running SQL Server—a simple, one-step process for implementing integrated security on the server running SQL Server. By using this tool, an administrator can grant or revoke SQL Server rights to Windows NT users and groups.
How It Works
SQL Server can validate connection attempts by using three different security modes:
Integrated security: Lets SQL Server use Windows NT authentication methods for validating all network connections. Connections made using integrated security are called trusted connections. Authentication information is stored in the Security Account Manager (SAM) database on Windows NT domain controllers.
Standard security: Lets SQL Server use its own logon validation process to validate all network connections. Connections made using standard security are called distrusted connections. Authentication information is stored in the syslogins table on the server running SQL Server.
Mixed security: Lets SQL Server use either integrated security or standard security.
See also SQL Server tools
A collection of managers for Microsoft SQL Server 7. Called SQL Executive in version 6 of SQL Server, SQL Server Agent handles repetitive tasks and exception conditions.
SQL Server Agent allows you to
Schedule and automate administrative tasks to run at specific times or time intervals.
Send alerts to administrators when error conditions arise, such as a database running out of space. You can use e-mail or pagers for alerting purposes, or you can trigger a job to run.
Perform replication tasks that have been specified by administrators.
See also SQL Server tools
A tool for administering Microsoft SQL Server 7. Called SQL Enterprise Manager in version 6 of SQL Server, SQL Server Enterprise Manager simplifies the task of managing SQL Server and SQL Server objects across an enterprise.
You can use this tool to
Manage logons, users, and permissions
Create and manage databases and database objects such as tables, views, indexes, rules, stored procedures, and triggers
Create full-text indexes
Import and export data to files or other database management systems
Back up and restore SQL databases and their associated transaction logs
Configure alerts and e-mail notifications for events
Create scripts for automating tasks
Perform Web administration tasks
NOTE
SQL Server Enterprise Manager is installed with SQL Server by default as a server tool on computers running Microsoft Windows NT Server and Windows 2000 Server, and as a client tool on computers running Microsoft Windows 2000 Professional, Windows NT Workstation, Windows 98, and Windows 95. SQL Server Enterprise Manager is implemented as a snap-in for Microsoft Management Console (MMC).
See also SQL Server tools
An administrative tool in Microsoft SQL Server 7. Called SQL Trace in version 6 of SQL Server, SQL Server Profiler can be used to track activity on a server running SQL Server. SQL Server Profiler captures information in the form of engine events that are saved in a trace file. You can then analyze the trace file or use it to replay a series of steps that led to a problem in order to troubleshoot the exact cause of the problem. You can save the trace data to a file or to a database table for further analysis.
You typically use SQL Server Profiler to do the following:
Troubleshoot a series of Structured Query Language (SQL) statements by replaying them on a test server
Diagnose what is causing a query to execute slowly
Debug stored procedures by stepping through them
Monitor SQL Server to tune workloads
See also SQL Server tools
A graphical user interface (GUI) for creating and testing Structured Query Language (SQL) statements and scripts in Microsoft SQL Server 7. This tool corresponds to the ISQL_w tool in version 6 of SQL Server.
How It Works
SQL Server Query Analyzer includes a free-form text editor that you can use to create SQL statements and scripts, with syntax-dependent color-coding to improve readability. You can display the results of executing a SQL query in a window as free-form text or as a grid. SQL Query Analyzer can also use SHOWPLAN to graphically display the flow of logic in a query. You can use the Index Tuning Wizard to determine whether adding more indexes will improve query performance. You can start SQL Server Query Analyzer from SQL Server Enterprise Manager.
See also SQL Server tools
An administrative tool in Microsoft SQL Server 7 that lets you start, stop, and pause the various components of a server running SQL Server. These components are implemented as Microsoft Windows NT or Windows 2000 services on a server running SQL Server. Called SQL Service Manager in version 6 of SQL Server, this tool manages several services.
Microsoft Search Service, a full-text search engine
MSDTC Service, which is used to manage distributed transactions
MSSQLServer Service, the database server for SQL Server
SQLServerAgent Service, which runs scheduled administrative tasks
TIP
SQL Server Service Manager runs as a taskbar application and displays an icon in the system tray. Double-click this icon to maximize the program. Clicking the Close button does not terminate the program—it returns it minimized to the system tray. To exit the program, right-click the icon in the system tray and choose Exit from the File menu.
See also SQL Server tools
Tools in Microsoft SQL Server for administering SQL servers and databases. SQL Server 7 has replaced, renamed, or dropped some of the tools in previous versions and added new ones. The following table shows some of the most commonly used SQL Server 6 tools and their new names or replacement utilities in SQL Server 7.
SQL Server Tools
| SQL Server 6 | SQL Server 7 |
|---|---|
| ISQL_w | SQL Server Query Analyzer |
| MS Query | N/A |
| SQL Client Configuration | SQL Client Network utility |
| SQL Enterprise Manager | SQL Server Enterprise Manager |
| SQL Security Manager | N/A |
| SQL Trace | SQL Server Profiler |
| SQL Performance Monitor | Performance Monitor |
| SQL Service Manager | SQL Server Service Manager |
| SQL Setup | SQL Server Setup |
NOTE
SQL Server 7 includes the same command-line tools as those in SQL Server 6. In addition, version 7 includes a large number of wizards that simplify common SQL Server and database administration tasks. Version 7 also uses the Microsoft Management Console (MMC), while version 6 does not. The console for SQL Server 7 is SQL Server Enterprise Manager.
See SQL Server Service Manager
See SQL Server Profiler
See Secure Sockets Layer (SSL)
See spanning tree algorithm (STA)
Hubs that can be placed above one another on a rack and connected using special short cables to effectively form a single hub with a number of ports. Other devices, such as Ethernet switches, can also be stackable. Different vendors use different methods of stacking hubs, but they generally use some form of ribbon cable. This is superior to the older way of cascading hubs together using the uplink port, which tends to produce crosstalk.
TIP
If you stack several hubs, the top and bottom hubs usually have a free connection that must be terminated in order to function properly.
Graphic S-17. Stackable hubs.
See member server
See 10Base5
A networking topology in which hubs for workgroups or departmental local area networks (LANs) are connected by using a network bus to form a single network. Star bus topology is a combination of star topology superimposed on a backbone bus topology.
Graphic S-18. Star bus topology.
You can connect hubs by using one of the following:
Regular 10Base2 or 10BaseT cables with uplink ports on the hubs
Crossover cables for regular (host) ports on the hub
Special cables for stackable hubs
TIP
When you use this topology with standard Ethernet hubs, do not create an excessively large collision domain by adding too many stations. This will degrade network performance unless you segment the network by using bridges or routers.
See also bus topology, star topology
The first record in a zone file, which defines the general properties of the zone for a name server.
Here is an example of a start of authority (SOA) record:
@ IN SOA nameserver.place.dom. postmaster.place.dom. (
    1       ; serial number
    3600    ; refresh [1h]
    600     ; retry [10m]
    86400   ; expire [1d]
    3600 )  ; min TTL [1h]
This SOA record contains the following information:
The name of the subdomain over which a particular name server has authority (nameserver.place.dom)
The name of the host on which this zone file resides
The e-mail address of the person responsible for administering the subdomain (postmaster@nameserver.place.dom)
A serial number, which increases when the zone data is updated and which is used in zone transfers to determine whether the secondary name server needs a new version of the zone file
A refresh interval, in seconds, that informs the secondary name server how frequently it should check with the master name server to see whether its zone information is current
A retry interval, in seconds, that tells the secondary name server how often to contact the master name server if the initial contact is unsuccessful
An expiry interval, in seconds, that informs the secondary name server how long to keep trying to contact the master name server for a refresh of the zone data before the data expires and the secondary name server no longer responds to name queries
The Time to Live (TTL), which is a value returned by the name server to resolvers when a name is resolved, informing the resolver how long it can cache the resolved name and IP address
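A parser for the record format shown above, as an added Python example that is not code from the original entry. It strips the comments and continuation parentheses, names the seven RDATA fields, converts the responsible-person name to a mailbox using the RFC 1035 rule that its first unescaped dot stands for "@", and compares serial numbers with the wraparound arithmetic of RFC 1982; BIND-style time suffixes (s, m, h, d, w) are accepted as a generalization of the plain seconds used in the entry.

```python
"""Start of authority (SOA) record parsing and serial comparison.

Added example, not from the original entry. The sample record reproduces
the one shown in the entry.
"""
import re

EXAMPLE_SOA = """@ IN SOA nameserver.place.dom. postmaster.place.dom. (
    1       ; serial number
    3600    ; refresh [1h]
    600     ; retry [10m]
    86400   ; expire [1d]
    3600 )  ; min TTL [1h]
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIMERS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_ttl(value):
    """'3600' -> 3600; BIND-style '1h' -> 3600, '1d12h' -> 129600."""
    if value.isdigit():
        return int(value)
    total, consumed = 0, 0
    for num, unit in re.findall(r"(\d+)([smhdw])", value.lower()):
        total += int(num) * _UNITS[unit]
        consumed += len(num) + 1
    if consumed != len(value):
        raise ValueError("bad time value %r" % value)
    return total


def rname_to_email(rname):
    """'postmaster.place.dom.' -> 'postmaster@place.dom' (RFC 1035 3.3.13)."""
    name = rname.rstrip(".")
    m = re.search(r"(?<!\\)\.", name)      # first dot that is not escaped
    if not m:
        raise ValueError("RNAME has no domain part: %r" % rname)
    local, domain = name[:m.start()], name[m.end():]
    return local.replace("\\.", ".") + "@" + domain


def parse_soa(text):
    """Return owner, mname, rname, contact mailbox and the five timers."""
    # Drop ';' comments, then treat the parentheses as plain whitespace so
    # the record can span several lines.
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    rdata = tokens[tokens.index("SOA") + 1:]
    if len(rdata) != 7:
        raise ValueError("SOA needs 7 RDATA fields, found %d" % len(rdata))
    rec = {"owner": tokens[0], "mname": rdata[0], "rname": rdata[1],
           "contact": rname_to_email(rdata[1])}
    for field, value in zip(_TIMERS, rdata[2:]):
        rec[field] = parse_ttl(value)
    if not 0 <= rec["serial"] < 2 ** 32:
        raise ValueError("serial must fit in 32 bits")
    return rec


def serial_is_newer(master_serial, local_serial):
    """True when the master's serial is ahead of the secondary's copy under
    RFC 1982 serial-number arithmetic, i.e. a zone transfer is needed.
    A difference of exactly 2**31 is undefined and treated as not newer."""
    diff = (master_serial - local_serial) % 2 ** 32
    return 0 < diff < 2 ** 31


if __name__ == "__main__":
    record = parse_soa(EXAMPLE_SOA)
    print(record)
    print("transfer needed:", serial_is_newer(2, record["serial"]))
```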
See also Domain Name System (DNS), resource record
A networking topology in which the components are connected by individual cables to a central unit, usually a hub. When a computer or other networking component transmits a signal to the network, the signal travels to the hub, which forwards the signal simultaneously to all other components connected to the hub.
Star topology is used to
Connect computers in a workgroup or departmental local area network (LAN) using a hub.
Connect workgroup or departmental hubs using a master hub or switch. This is a special star topology called either cascading hubs or star-wired topology.
Star topology is the most popular way to connect computers in a workgroup or departmental LAN, but it is slightly more expensive than using bus topology. One advantage of star topology is that the failure of a single computer or cable doesn’t bring down the entire LAN. This topology also centralizes networking equipment, which can reduce costs in the long run by making network management much easier.
Graphic S-19. Star topology.
TIP
If no one on a star network can access network resources, the hub might be down or overloaded. Try resetting the hub by using the reset switch, or try powering it off and then on. If a hub frequently needs to be reset, you might have a hardware malfunction or network bandwidth might be reaching capacity (which means that you should upgrade your components).
See also bus topology, mesh topology, ring topology, star bus topology
A boot menu that appears in Microsoft Windows 95 when you press the F8 function key while the screen displays the message “Starting Windows 95…” and in Microsoft Windows 98 when you hold down the Ctrl key while the system starts. The options on this menu are generally used for troubleshooting the Windows 95 or Windows 98 boot process.
The Startup menu usually offers the following options:
Normal start: Performs a normal startup of Windows.
Logged start: Creates a bootlog.txt file that logs the steps in the boot process.
Safe Mode: Bypasses the startup files and starts the system with generic mouse, keyboard, and VGA video drivers and no network support.
Safe Mode With Network Support: The same as Safe Mode but also includes network drivers and protocols.
Step-by-Step Confirmation: Allows you to confirm each step in the boot process before it is executed. This is useful if you have a problem in your configuration and want to step around that problem to test whether the system can still boot.
Command Prompt Only: Starts Windows 95 or Windows 98 but displays only a command prompt as the shell. The user can then start Windows manually by using the win.com command.
Safe Mode Command Prompt Only: Starts the system in Safe Mode but displays the command prompt as the shell.
Previous Version Of MS-DOS: Allows the user to boot to the previously installed operating system. (This option is visible only if a previously installed operating system exists.)
NOTE
A similar boot menu called the Advanced Options menu appears in Microsoft Windows 2000 when you press the F8 key at the boot prompt, “Please select the operating system to start.”
An IP address that is manually assigned to a host on a TCP/IP internetwork. Computers running Microsoft Windows support both static Internet Protocol (IP) addressing and dynamic IP addressing through the Dynamic Host Configuration Protocol (DHCP).
Static IP addresses are usually used for
Small workgroups whose machine configurations will not change often. Peer-to-peer networks that use Windows 95 or Windows 98 don’t have a DHCP server to assign IP addresses to stations on the network.
Servers on a network, which should have an IP address that does not change. An alternative is to assign a DHCP reservation to these servers so that they receive their IP addresses automatically from a DHCP server but always receive the same reserved address.
Windows NT–based and Windows 2000–based servers that are running certain services, such as DHCP, Windows Internet Name Service (WINS), or Domain Name System (DNS). Servers running these services normally require static IP addresses.
On a WINS server, a manually entered NetBIOS name to IP address mapping stored in the WINS database. WINS servers normally create mappings dynamically when a WINS client performs NetBIOS name registration upon client initialization. Non-WINS clients do not register their names, so administrators must manually create WINS database entries. Once they do this, other hosts on the network can perform NetBIOS name discovery queries to resolve the NetBIOS name of non-WINS clients into their IP addresses.
See also Windows Internet Name Service (WINS)
A routing mechanism that is handled by the Internet Protocol (IP) and that depends on manually configured routing tables. Routers that use static routing are called static routers. Static routers are generally used in smaller networks that contain only a couple of routers or when security is an issue. Each static router must be configured and maintained separately because static routers do not exchange routing information with each other.
How It Works
For a static router to function properly, the routing table must contain a route for every network in the internetwork. Hosts on a network are configured so that their default gateway address matches the IP address of the local router interface. When a host needs to send a packet to another network, it forwards the packet to the local router, which checks its routing table and determines which route to use to forward the packet.
Static routers are more difficult to administer than dynamic routers, but they can be more secure because the administrator controls the configuration of the router. Static routers are generally immune from any attempt by hackers to spoof dynamic routing protocol packets to reconfigure the router and hijack network traffic.
NOTE
You can configure a multihomed server as a static router in Microsoft Windows NT and Windows 2000. In Windows NT, select Enable IP Forwarding on the Routing tab of the TCP/IP property sheet. In Windows 2000, click the Advanced button on the TCP/IP property sheet, select the Options tab, select TCP/IP Filtering and click Properties, then select Enable TCP/IP Filtering. You can then add static routes for each remote network by using the route command.
See also dynamic routing, routing table
A multiplexing technique that allows information from a number of channels to be combined for transmission over a single channel.
How It Works
Statistical multiplexing dynamically allocates bandwidth to each channel on an as-needed basis. This is in contrast to time-division multiplexing (TDM) techniques, in which quiet devices use up a portion of the multiplexed data stream, filling it with empty packets. Statistical multiplexing allocates bandwidth only to channels that are currently transmitting. It packages the data from the active channels into packets and dynamically feeds them into the output channel, usually on a FIFO (first in, first out) basis, but it’s also able to allocate extra bandwidth to specific input channels.
Statistical multiplexing devices usually support other features, such as the following:
Store-and-forward error detection and correction capability: Identifies which channel sent each packet of data and corrects errors that occur
Data compression: Increases the amount of data that can be sent per packet
Statistical multiplexing is sometimes referred to as statistical time-division multiplexing (STDM) or statistical packet multiplexing (SPM), but the shorter term is used more often.
NOTE
A multiplexer that is capable of statistically multiplexing several data streams together is sometimes called a statmux. If you have a statmux at each end of a digital line, the receiving statmux can identify the channel of each packet sent by the sending statmux and demultiplex the data stream into its original data channels.
See SC and ST connectors
A blue screen that appears when the Microsoft Windows NT or Windows 2000 operating system experiences a fatal problem and terminates itself. The most important part of a Stop screen is the bugcheck information in the first few lines, which gives a Stop code and parameters that can help identify the source of the problem to Microsoft support technicians.
A Stop screen includes the following information:
The top of the screen shows the bugcheck information—the error code and a list of up to four developer-defined parameters.
The middle portion of the screen lists all modules that have been successfully loaded and initialized by the operating system. This information is listed in three columns: preferred memory location, link time stamp, and driver name.
The bottom portion shows the build number of the kernel and a stack dump that indicates the address range in which the driver might have failed.
The following table shows some common bugcheck codes and how to interpret them.
Common Bugcheck Codes
Code | Description |
0x9 | IRQL_NOT_GREATER_OR_EQUAL: An attempt was made to touch pageable memory at a process interrupt request level (IRQL) that was too high. This usually indicates that a driver is using improper addresses. A stack trace is usually helpful in debugging the problem. |
0xA | IRQL_NOT_LESS_OR_EQUAL: Usually indicates a bad or corrupt pointer. |
0x1E | KMODE_EXCEPTION_NOT_HANDLED: An exception (error) occurred with a driver or function. This is one of the most common bugcheck codes; you can often use the exception address to identify the driver or function involved. |
0x20 | KERNEL_APC_PENDING_DURING_EXIT: This usually indicates a problem with a third-party file system driver, such as a third-party redirector. Check with the manufacturer for an updated redirector. |
0x2E | DATA_BUS_ERROR: This usually indicates a parity error in system memory. Try installing new RAM. It can also be caused by a driver accessing an address that does not exist; if swapping memory does not solve the problem, try swapping other hardware cards or install updated drivers for them. |
0x3E | MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED: This indicates mismatched CPUs in a symmetric multiprocessing (SMP) system. |
0x4C | FATAL_UNHANDLED_HARD_ERROR: An error prevented the Windows NT operating system from booting properly. Common causes are missing or corrupt registry hives, a corrupt system dynamic-link library (DLL), a corrupt device driver, or an I/O problem with the disk subsystem. |
0x51 | REGISTRY_ERROR: This could mean corruption in the registry or an I/O problem with the disk subsystem that prevents it from properly reading registry information. This error might also occur on a domain controller in which no more allocated space is available for storing the registry files. |
0x69 | IO1_INITIALIZATION_FAILED: This indicates a failure in initializing the disk subsystem and usually means that you made an incorrect configuration decision during setup or have reconfigured the disk system incorrectly. |
0x73 | CONFIG_LIST_FAILED: This indicates corruption in the SAM, SOFTWARE, or SECURITY hive. |
0x74 | BAD_SYSTEM_CONFIG_INFO: This might indicate a corrupt SYSTEM hive in the registry, or it might mean that some critical registry keys in the hive are not present. Try LastKnownGood; if that fails, try the emergency repair disk (ERD). |
0x75 | CANNOT_WRITE_CONFIGURATION: This usually indicates that there are 0 bytes of free space on the system drive, so the SYSTEM hive of the registry cannot grow in size. |
0x77 | KERNEL_STACK_INPAGE_ERROR: This is usually caused by a bad block in the paging file or a disk controller error. If the paging file is on a Small Computer System Interface (SCSI) drive, check the cabling and termination. |
0x7B | INACCESSIBLE_BOOT_DEVICE: If this occurs right after setup, it might mean that your disk controller is not supported by Windows NT. You might have to check the Windows Driver Library for a new device driver and do a custom installation. This error can also occur when you repartition the disk that contains the system partition. The solution is to edit the ARC paths in the boot.ini file. Another reason for this error is a Master Boot Record (MBR) or boot sector virus. |
0x8B | MBR_CHECKSUM_MISMATCH: This usually indicates the presence of a Master Boot Record virus. |
0x98 | END_OF_NT_EVALUATION_PERIOD: Your evaluation copy of Windows NT has expired. |
TIP
Sometimes you can compare the addresses of the parameters in the top portion of the Stop screen with the addresses of drivers in the stack dump at the bottom and identify which driver might have caused the crash, but this will not always work. For more information on bugcheck codes and how to interpret them, check Microsoft TechNet.
A general term for an architecture that uses external storage devices to provide network storage for applications running on an enterprise-level network. Typical applications that use a storage area network (SAN) are enterprise data warehousing and data mining applications, mail servers, and other high-availability applications. Using a SAN allows you to locate the mission-critical data externally and administer it separately from the applications that process that data. This type of architecture originated in mainframe computing environments.
How It Works
SANs are typically hardware/software storage arrays running on dedicated subnets that combine a variety of disk technologies, including magnetic and optical disk storage, RAID technologies such as disk mirroring and disk striping, and tape backup resources. SANs generally use high-speed Fibre Channel technologies for interconnections between the SAN and a group of computers running an application. Fibre Channel is a high-speed direct connection technology that supports data transfer rates of up to 1 Gbps. Data I/O is performed using block transfer methods and involves directly attaching the application to the storage system.
SANs are typically used to centralize storage of data in an enterprise, which simplifies administration and backup of the data. SANs are often located near legacy mainframe computing environments but are gaining importance in distributed client/server environments as well. SANs are also used as remote storage and archival facilities connected to networks by high-speed Synchronous Optical Network (SONET) or OC-3 connections.
Graphic S-20. Storage area network (SAN).
NOTE
It is easy to get confused by the various buzzwords relating to external enterprise-level storage devices because standards in this area have not been developed and ratified by standards bodies. Here are two other related storage system concepts:
Network-attached storage (NAS): Involves data storage devices connected to computers using a standard network connection such as Ethernet. This is in contrast to SAN, in which a group of computers uses multipoint Fibre Channel technology. Another difference between NAS and SAN is that NAS involves the use of file servers similar to the Network File System (NFS) used in UNIX environments (from which the concept of NAS evolved), while SAN uses block-mode I/O for applications such as clustering and database access.
Direct-attached storage (DAS): Involves a storage system connected to only a single computer using either Small Computer System Interface (SCSI) or Fibre Channel technology. DAS is usually the only solution if your servers are at different geographical locations around your enterprise or if the application that uses them can support only this form of storage—for example, Windows Clustering, which requires a shared SCSI bus.
Growth of SAN technology in the enterprise has been driven by demand but is limited by the lack of agreed-upon standards. The main body pushing for standards in this area is the Storage Networking Industry Association (SNIA), which has submitted its Simple Network Management Protocol (SNMP) Management Information Base (MIB) for SAN to the Internet Engineering Task Force (IETF) for consideration. Other groups pushing their own management interface solutions for SAN technology include Microsoft, with its Common Information Model (CIM) standard, and Sun Microsystems, with its StoreX initiative.
TIP
Use a SAN if your data can be centrally located within your enterprise and if your application needs to access data directly using block transfers instead of using shared files. Use NAS if your data needs to be shared between different operating system platforms or for file-based applications such as Web servers.
On the Web
• SNIA: http://www.snia.org
A precompiled set of Structured Query Language (SQL) statements that can be executed on demand by Microsoft SQL Server. Stored procedures are stored in a database. They support features such as user-declared variables and conditional execution and can be run with a single call. They can accept parameters, and they can return parameters and status values. They can also call other stored procedures. You can create permanent stored procedures for global administrative tasks or temporary ones for a specific task.
How It Works
You create a stored procedure by using a series of SQL statements. SQL Server parses and analyzes the stored procedure and stores it in various system tables. When you execute it for the first time, it is loaded into memory and compiled, storing the execution plan in the procedure cache. By preparsing and prenormalizing a stored procedure, you can achieve significant performance gains compared to using a simple SQL query.
You can use stored procedures with SQL Server to
Create devices and databases
Access or update information in database tables
Perform other administrative or user actions
A trigger is a special type of stored procedure that you can use to enforce referential integrity in a database. Other types of stored procedures supported by SQL Server include the following:
Extended stored procedures: Dynamic-link libraries (DLLs) that can be loaded and run like stored procedures
Remote stored procedures: Run from a remote client
System stored procedures: Included with SQL Server to simplify common administrative tasks and to obtain information from system tables
User-defined stored procedures: Created by users for a specific database
User-defined system stored procedures: Created by users and runnable in any database
See also Structured Query Language (SQL)
See shielded twisted-pair (STP) cabling
See SC and ST connectors
Wire that has a core composed of many thin copper strands woven together and surrounded by insulation. Stranded conductor wire is generally used for drop cables between computers and wall plates and for patch cables connecting patch panels with hubs and switches. Stranded conductor wire has more attenuation than solid conductor wire and should be used only for short cable runs. Stranded conductor wire is more durable and reliable than solid conductor wire because it can be bent numerous times without fracturing or breaking, and because damage to the wire has less impact on the surface area of the wire and hence on its capacity to carry alternating current.
Stranded wire comes in two basic configuration types:
Bunch-stranded wire: Uses a number of thin wires with the same diameter and twists them together in one direction.
Concentric-stranded wire: Uses several layers of thin wires wrapped in alternating directions. These wires are generally easier to splice and terminate than bunch-stranded wires.
A technology for receiving multimedia (audio and video) content as a steady continuous data flow called a stream.
How It Works
Streaming media can be used over corporate TCP/IP networks or the Internet to provide users with low-latency audio and video information. In contrast to the traditional method of downloading audio or video files and then playing them locally, streaming media needs only a short time to buffer the initial transmission, and then it plays continuously, depending on data flow. Data is streamed across the network to clients that render the data as they receive it. For example, if audio data is streamed over a network, clients receiving it can play the content as it arrives instead of storing it in a file and playing it after receiving the entire file.
In Microsoft NetShow terminology, a stream is any multimedia or file data stream transmitted using unicasting or multicasting methods over a network. NetShow supports several types of streams:
Advanced Streaming Format (ASF): Supports video, audio, images, Uniform Resource Locators (URLs), and scripts
Real-Time Transport Protocol (RTP) Live Audio: Streams audio fed into the server’s sound card
RTP WAV Audio: Streams audio recorded as .wav files
NOTE
NetShow also supports a file transfer method called streaming file transfer, which can be used to transfer directories and files over a network. The File Transfer Service (FTS) is the NetShow component that is used to transmit files over a network using multicasting. A NetShow FTS server transmits files over a network to a Microsoft ActiveX control on a client computer.
In Microsoft Windows 2000, a volume created using the Disk Management portion of the Computer Management tool that stores its data across two or more physical disks in stripes. Striping allocates data alternately and evenly across multiple physical disks. Striped volumes must be created on dynamic disks. They are not fault tolerant and cannot be mirrored or extended. Stripe sets are the equivalent of striped volumes in Microsoft Windows NT.
See also dynamic volume
A single volume created using discontiguous free areas on two or more hard disks. Stripe sets are similar to volume sets but can give much faster read/write performance if segments reside on separately controlled drives. Use the Microsoft Windows NT administrative tool Disk Administrator to create stripe sets by combining 2–32 free areas on two or more disk drives.
NOTE
The Windows NT system partition and boot partition cannot be volume sets. Stripe sets also cannot be extended the way volume sets can.
A fault tolerance technology, whereby data is written simultaneously to two or more different disks. Parity information is distributed across the various disks so that if one disk drive fails, the lost data can be regenerated from the parity information. You can use the Microsoft Windows NT administrative tool Disk Administrator to create, delete, and regenerate stripe sets with parity. Stripe sets with parity are often used to provide fault tolerance for application and data volumes in Windows NT. In Microsoft Windows 2000, a stripe set with parity is known as a RAID-5 volume.
See also RAID
A standards-based language used by relational database management programs primarily for constructing queries. Structured Query Language (SQL) was originally developed by IBM for mainframe computing environments and is widely used in relational database management systems. The standard version of SQL is defined by the American National Standards Institute (ANSI), but many vendors have made enhancements to its syntax and command functions. The latest SQL standard is called SQL-92 but is more properly known as ANSI standard SQL X3.135-1992 or International Organization for Standardization (ISO) standard ISO/IEC 9075:1992.
How It Works
SQL includes a number of statements that can be used to perform different types of relational operations on the contents of a database, including creating databases and database objects, modifying these objects, and querying databases for information. The most basic SQL statement is the SELECT statement, which you can use to retrieve rows and columns of data from database tables and format the results set. The typical format of a SELECT statement is
SELECT <columns> FROM <tables> WHERE <rows>
where a group of columns is retrieved from a table or tables, restricted to the row or rows whose data values satisfy the condition. To return all the columns from a table, you can use a wildcard (but this is generally inefficient and should be avoided):
SELECT * FROM <tables>
NOTE
Microsoft SQL Server conforms to the ANSI SQL-92 standard and enhances this standard with additional statements for certain types of applications, such as data warehousing and Internet/intranet applications.
TIP
If possible, include a WHERE clause in a SELECT statement to restrict the scope of your query and avoid unnecessary expenditure of system resources. The WHERE clause can include various comparison and logical operators, such as =, >, LIKE, BETWEEN, AND, and IS NULL.
See subnetting
A 32-bit number that is used to partition IP addresses into a network ID and a host ID. Subnet masks are used by TCP/IP services and applications to determine whether a given IP address on an internetwork is a local network address or a remote network address.
How It Works
Subnet masks are represented as four-octet dotted-decimal numbers, just as IP addresses are, except that the most common values for an octet in a subnet mask are 0 and 255. In binary notation, decimal 0 represents the octet 00000000, and decimal 255 represents 11111111. A subnet mask consists of 32 binary digits, the first n of which are 1s and the remaining of which are 0s. When the subnet mask is logically ANDed with the 32-bit IP address of a TCP/IP host, the result is the network ID of the host—the portion of the host’s IP address that identifies which network the host is on. When the inverse of the subnet mask (that is, NOT mask) is logically ANDed with the IP address of the host, the result is the host ID of the host—the portion of the host’s IP address that uniquely identifies the host on its network.
For example, consider the IP address 207.61.16.119 and the subnet mask 255.255.255.0. Converting these two numbers to binary and ANDing them gives the host’s network ID:
Host     = 11001111 00111101 00010000 01110111
Mask     = 11111111 11111111 11111111 00000000
AND      = 11001111 00111101 00010000 00000000 = 207.61.16.0 = network ID
Taking the logical NOT of the subnet mask and ANDing it with the host’s IP address gives the host’s host ID:
Host     = 11001111 00111101 00010000 01110111
NOT Mask = 00000000 00000000 00000000 11111111
AND      = 00000000 00000000 00000000 01110111 = 0.0.0.119 = host ID
Two types of subnet masks are used in TCP/IP networking:
Default subnet masks: Partition IP addresses into their network ID and host ID portions
Custom subnet masks: Further partition the network ID into a number of separate subnets by using a process called subnetting
NOTE
The default subnet masks for IP address classes A, B, and C are shown in the following table. The table also shows how these subnet masks would partition an IP address such as w.x.y.z into a network ID and a host ID portion.
Default Subnet Masks for IP Addresses
Class | Default Subnet Mask | Network ID | Host ID |
A | 255.0.0.0 | w | x.y.z |
B | 255.255.0.0 | w.x | y.z |
C | 255.255.255.0 | w.x.y | z |
TIP
Some TCP/IP configuration programs, such as those for Ascend routers, use a different notation for specifying subnet masks. They append a suffix of the form /n to the host’s IP address to indicate the subnet mask, in which n equals the number of binary 1s in the subnet mask. Thus, for example, 207.61.16.119/24 signifies 207.61.16.119/255.255.255.0.
The process of partitioning a single TCP/IP network into a number of separate networks called subnets. These subnets are then joined using routers. Advantages of subnetting a network include the following:
Reducing network congestion by limiting the range of broadcasts using routers
Enabling different networking architectures to be joined
How It Works
To subnet a TCP/IP network, you take the assigned network ID and borrow bits from the host ID to establish a group of subnet IDs, one for each subnet. The more bits you borrow, the more subnets you produce, but the fewer the number of possible hosts for each subnet. The borrowing process also defines a unique custom subnet mask for the network.
For example, consider a class B network that uses the network ID 172.16.0.0. If this network needs to be subnetted into six subnets, you can accomplish this using a custom subnet mask of 255.255.224.0. Each subnet can be shown to support a maximum of 8190 hosts. The IP address blocks for the six subnets are as follows:
172.16.32.1 to 172.16.63.254
172.16.64.1 to 172.16.95.254
172.16.96.1 to 172.16.127.254
172.16.128.1 to 172.16.159.254
172.16.160.1 to 172.16.191.254
172.16.192.1 to 172.16.223.254
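The AND / AND NOT arithmetic from the subnet mask entry and the borrowing of host bits described above, as an added example that is not part of the original entry. It uses the addresses from the text (207.61.16.119 with 255.255.255.0, and 172.16.0.0 with the custom mask 255.255.224.0); the function names are this example’s own, and it follows the entry’s convention of not counting the all-zeros and all-ones subnet IDs.

```python
"""Subnet-mask arithmetic and classful subnetting (added example)."""


def to_int(dotted):
    """Convert a dotted-decimal IPv4 address or mask to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 value: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Render a 32-bit value as four space-separated octets, as the entry does."""
    bits = format(value, "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_length(mask):
    """Number of leading 1 bits in a mask (the /n notation).

    A valid mask is n ones followed by 32-n zeros; anything else is rejected,
    because a mask with scattered 1 bits silently breaks the AND arithmetic.
    """
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask bits are not contiguous: %s" % mask)
    return ones


def network_id(host, mask):
    """Network ID = host AND mask."""
    return to_dotted(to_int(host) & to_int(mask))


def host_id(host, mask):
    """Host ID = host AND (NOT mask); the NOT is truncated to 32 bits."""
    return to_dotted(to_int(host) & (~to_int(mask) & 0xFFFFFFFF))


def hosts_per_subnet(custom_mask):
    """Maximum hosts per subnet: 2**(host bits) minus network and broadcast addresses."""
    return (1 << (32 - prefix_length(custom_mask))) - 2


def subnets(network, default_mask, custom_mask):
    """Usable subnets produced by borrowing host bits from a classful network ID.

    Each subnet is returned as (first assignable host, last assignable host).
    The all-zeros and all-ones subnet IDs are skipped, so three borrowed bits
    give 2**3 - 2 = 6 subnets, matching the six ranges listed in the entry.
    """
    net = to_int(network)
    borrowed = prefix_length(custom_mask) - prefix_length(default_mask)
    if borrowed < 1:
        raise ValueError("custom mask must borrow at least one host bit")
    block = 1 << (32 - prefix_length(custom_mask))  # addresses per subnet
    ranges = []
    for index in range(1, (1 << borrowed) - 1):    # skip index 0 and all-ones
        first = net + index * block
        ranges.append((to_dotted(first + 1), to_dotted(first + block - 2)))
    return ranges


if __name__ == "__main__":
    host, mask = "207.61.16.119", "255.255.255.0"
    print("Host    =", to_binary(to_int(host)))
    print("Mask    =", to_binary(to_int(mask)))
    print("Network ID:", network_id(host, mask), " Host ID:", host_id(host, mask))
    print("Hosts per subnet with 255.255.224.0:", hosts_per_subnet("255.255.224.0"))
    for first, last in subnets("172.16.0.0", "255.255.0.0", "255.255.224.0"):
        print(first, "to", last)
```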
TIP
Manual calculation of custom subnet masks and subnet IDs is tedious. You can download numerous subnetting calculators from the Internet, some of them for free. To use these calculators to subnet your network, you must first determine how many subnets you need and the maximum number of hosts on each subnet.
See SC and ST connectors
A major logical section of the registry. Subtrees are the root keys of the registry, and all other registry keys are subkeys of these root keys. The following table summarizes the functions of the five subtrees of the Microsoft Windows NT and Windows 2000 registries.
Subtrees of the Windows NT and Windows 2000 Registries
Subtree | Function |
HKEY_LOCAL_MACHINE | Contains configuration information for the local machine, including all hardware and software settings |
HKEY_CLASSES_ROOT | Provides compatibility with Windows 3.x and points to the Classes subkey of HKEY_LOCAL_MACHINE |
HKEY_CURRENT_CONFIG | Provides information about the active hardware profile |
HKEY_CURRENT_USER | Contains the settings of the user who is currently logged on interactively and points to the SID_# of HKEY_USERS, in which SID_# is the security ID string of the current user |
HKEY_USERS | Contains default system settings and the settings of the user who is currently logged on interactively, plus all previously logged on users |
NOTE
In Microsoft Windows 95 and Windows 98, a sixth subtree called HKEY_DYN_DATA is generated dynamically and is used for performance measuring via System Monitor and plug and play configuration of devices. This subtree is also called the hardware tree.
TIP
Most Windows NT and Windows 2000 registry troubleshooting takes place in the HKEY_LOCAL_MACHINE\System\CurrentControlSet subkey.
The process of combining multiple consecutive network IDs of the same IP address class into a single block. Supernetting, also known as classless interdomain routing (CIDR), is the reverse of subnetting.
How It Works
Supernetting is typically used to conserve class B addresses by combining contiguous groups of class C addresses. The class C addresses must have the same high-order bits, and the subnet mask is shortened by borrowing bits from the network ID and assigning them to the host ID portion to create a custom subnet mask. For example, if a company has 2000 hosts on its TCP/IP network, it can assign IP addresses by
Using a single class B address. This approach is wasteful.
Using eight different class C addresses, which can support 8 x 254 = 2032 hosts. This means poorer routing performance because each router needs eight routing table entries, one for each of the eight networks to which frames can be forwarded.
Using supernetting to collapse a block of eight class C addresses into a single routing table entry. The router must support CIDR for this to work.
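The aggregation described above, as an added example that is not part of the original entry: it collapses eight contiguous class C network IDs into one CIDR block, and refuses blocks that a router could not express as a single routing table entry (not contiguous, not a power-of-two count, or not sharing the same high-order bits). The network IDs 192.168.8.0 through 192.168.15.0 are constructed for illustration, and the function names are this example’s own.

```python
"""Supernetting (CIDR aggregation) of class C network IDs (added example)."""


def to_int(dotted):
    """Dotted-decimal IPv4 value to a 32-bit integer."""
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    """32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """Mask with `prefix` leading 1 bits, e.g. 21 -> 255.255.248.0."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def supernet(class_c_networks):
    """Collapse contiguous class C network IDs into one (network, prefix, mask).

    Borrowing k bits from the network ID shortens the mask from /24 to /(24-k)
    and covers 2**k class C networks. Raises ValueError when the list cannot be
    summarised by a single routing table entry.
    """
    nets = sorted(to_int(n) for n in class_c_networks)
    count = len(nets)
    if count == 0 or count & (count - 1):
        raise ValueError("number of networks must be a power of two")
    for i, n in enumerate(nets):
        if n & 0xFF:
            raise ValueError("%s is not a class C network ID" % to_dotted(n))
        if n != nets[0] + (i << 8):          # consecutive /24 blocks differ by 256
            raise ValueError("networks are not contiguous")
    borrowed = count.bit_length() - 1        # log2(count) bits move to the host ID
    prefix = 24 - borrowed
    mask = mask_from_prefix(prefix)
    # Same high-order bits: the first network must sit on the aggregate boundary.
    if nets[0] & (~mask & 0xFFFFFFFF):
        raise ValueError("first network is not aligned on a /%d boundary" % prefix)
    return to_dotted(nets[0]), prefix, to_dotted(mask)


def usable_hosts_classful(class_c_networks):
    """Hosts addressable when each class C keeps its own network/broadcast: 254 each."""
    return 254 * len(class_c_networks)


if __name__ == "__main__":
    block = ["192.168.%d.0" % third for third in range(8, 16)]   # constructed sample
    net, prefix, mask = supernet(block)
    print("%d routing entries collapse to %s/%d (mask %s)" % (len(block), net, prefix, mask))
    print("hosts as eight class C networks:", usable_hosts_classful(block))
    try:
        supernet(["192.168.%d.0" % third for third in range(9, 17)])
    except ValueError as err:
        print("rejected:", err)
```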
Also known as a surge suppressor, a device that protects sensitive data communications equipment (DCE) and data terminal equipment (DTE) from sudden rises in power line voltages called surges or spikes.
How It Works
Surges occur only with copper cabling such as twisted-pair cabling or coaxial cabling—they do not occur with fiber-optic cabling, which is one advantage of using this more expensive type of cabling for networking applications. Surge protectors use various technologies for absorbing or deflecting unwanted electrical current, including avalanche diodes, metal oxide varistors, and chokes or filters. One of the best electrical protection methods, especially for copper wiring runs between different buildings, is to use opto isolators, which convert electrical signals to light and then back again, thus providing true electrical isolation between the connected buildings. However, opto isolation in itself does not provide surge protection; this is the responsibility of the other components described, the most common component being the various types of diodes.
Surge protectors for computer networking come in two main types:
Data-line surge protectors: Connected to network cabling to prevent power surges from damaging networking components.
Alternating current (AC) outlet surge protectors: Connected to AC outlets that provide power for networking components. These surge protectors prevent AC power spikes from damaging networking components.
See switched virtual circuit (SVC)
Any device that can control the flow of electrical signals. A number of special-purpose switches are used in networking. For example, the following types of switches are used to control access to computers by printers, keyboards, and monitors:
Matrix switches: Have a keypad for mapping input ports to output ports and are typically used to connect several printers to several workstations
Code-operated switches: Use a data string sent by the PC to select the printer port to be used
Port-contention or scanning switches: Use several input ports but only one output port and monitor the input ports continually for data to route to the output port
KVM switches: Allow one keyboard/video-monitor/mouse to be used for several servers
NOTE
In the context of controlling data flow within a network, the term “switch” is also used to describe a data-link layer device that routes frames between connected networks. Data flow switches include
Local area network (LAN) switches: Used to route Ethernet frames over a TCP/IP internetwork; also called Ethernet switches
Asynchronous Transfer Mode (ATM) switches: Used to switch ATM cells at high speeds over an ATM network
In the context of high-speed Ethernet networks, the term “switch” usually refers to an Ethernet switch. Thus, the phrase “routers and switches” is understood to mean “routers and Ethernet switches.”
The term “switch” can also refer to a device used at a telco central office (CO) for establishing connections in circuit-switched services or for forwarding packets in packet-switched services.
A digital switched-data communication technology that provides full-duplex dial-up connections at a speed of 56 Kbps. Switched 56 is essentially the dial-up version of digital data service (DDS) and is generally cheaper than leased-line services.
How It Works
A device called a data set, which is a type of Data Service Unit (DSU), provides switched 56 services to customer premises. For a typical local area network (LAN) connection, a router on the LAN is attached to the data set by using a V.35 serial interface. The data set is then connected over the customer’s local loop twisted-pair wiring to access equipment located at the telco’s central office (CO).
Switched 56 uses the same communication channels as DS0. You can establish circuits by manually entering the destination number on a numeric keypad or (more typically) by using in-band signaling when connecting bridges or routers to the service. Depending on the wiring at the customer premises and the equipment at the CO, you can use one of three configurations for this service:
Type I service: Uses a two-pair (4-wire) connection and is supported up to 5500 meters from the CO over standard 26-gauge copper twisted-pair wiring.
Type II service: Uses a one-pair (2-wire) connection with in-band signaling. This type is not widely implemented.
Type III service: Uses a one-pair (2-wire) connection with out-of-band signaling and is supported up to 5500 meters from the CO on 22-gauge or 24-gauge copper twisted-pair wiring. It includes forward error correction for enhanced data transmission. Although Type III service appears to be full-duplex, in reality time-compression multiplexing (TCM) rapidly switches half-duplex communication at 160 Kbps to simulate full-duplex at 56 Kbps.
Graphic S-21. Switched 56.
NOTE
Some carriers offer other higher-speed versions of switched 56. For example, some carriers offer switched 56 as a 64-Kbps service under the name switched 64. Other higher-speed dial-up services include switched 384 and switched 1536, although these are not widely offered anymore.
TIP
Switched 56 is a data-only service that is often available where Integrated Services Digital Network (ISDN) is not available. However, switched 56 does not support advanced ISDN features such as caller ID and has greater latency for establishing a connection. The cost is typically billed in the same way that ordinary telephone calls are—that is, local calls are free and long distance is billed by the minute.
Dial-up switched 56 can be a good service to use as a backup wide area network (WAN) link between two networks connected by expensive T1 lines. It is being phased out in most places in favor of ISDN.
See also telecommunications services
A connectionless, packet-switched telecommunications service with speeds ranging from 56 Kbps to 34 Mbps. Switched Multimegabit Data Services (SMDS) was designed by Bellcore in the 1980s for high-speed wide area network (WAN) communication. It was the first high-speed broadband networking technology offered to subscribers and was a precursor to Asynchronous Transfer Mode (ATM) networking. Most carriers are now phasing out SMDS.
How It Works
SMDS is based on a packet-switching technology similar to that of frame relay networks. A subscriber’s local area network (LAN) typically connects to the SMDS service through a router using an RS-449 interface and a Channel Service Unit/Data Service Unit (CSU/DSU), over a copper DS1 connection (1.544 Mbps) for low-speed access or a fiber DS3 connection (44.736 Mbps) to achieve the highest possible transmission speeds. This point of connection between the subscriber’s LAN and the telco’s central office (CO) is called the Subscriber Network Interface (SNI). The CO provides a gateway to the SMDS packet-switching network, which consists of high-speed switches joined by trunk lines connecting different telco COs.
Graphic S-22. Switched Multimegabit Data Services (SMDS).
An SMDS packet consists of a header containing the source and destination addresses, followed by a payload of up to 9188 bytes. The SMDS payload is large so that SMDS can easily encapsulate Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI) frames for WAN transmission. The E.164 addressing scheme uses decimal numbers up to 15 digits long and includes a country code, area code, and subscriber ID number (similar to ordinary telephone numbers). Different address classes support different data transfer speeds. The serial protocol used for communication between the customer premises equipment and SMDS equipment at the telco’s CO is called the SMDS Interface Protocol (SIP), which is based on the IEEE 802.6 standard for metropolitan area networks (MANs). The primary function of SIP is to provide encapsulation of the LAN protocol. (Internet Protocol, Internetwork Packet Exchange, AppleTalk, and just about anything else is supported.) Higher-layer protocols support processes such as address resolution and source address screening.
NOTE
SMDS supports ATM communication and is suitable for use in high-capacity mesh topology WANs. SMDS is offered by long-distance carriers such as AT&T and by some Regional Bell Operating Companies (RBOCs). SMDS is not as widely supported as frame relay even though it uses similar packet-switching technology.
A form of telecommunications service that provides a path between two nodes in a packet-switched network. The path is set up and configured at the beginning of a session and is dismantled at the end. Each new session requires a switching path to be established, and this path differs during each session depending on the available switches.
A switched virtual circuit (SVC) provides a temporary, point-to-point connection between the two nodes. SVCs offer the advantage of bandwidth on demand but suffer from some latency in establishing a connection. They are cheaper than permanent virtual circuits (PVCs) because they use whatever telco resources are available at a given time; after the session, these resources are released for other purposes. Because the actual switching path varies with each session, SVCs also suffer from inconsistent connection quality.
TIP
SVCs are best used for WAN links that have low or irregular network traffic.
A type of Digital Subscriber Line (DSL) technology in which upstream and downstream speeds are equal. Symmetric Digital Subscriber Line (SDSL) technology can provide subscribers with permanent, high-speed data connections for Internet access and other uses much more cheaply than T1 lines can. SDSL is sometimes interpreted to stand for “Single-line DSL” instead of “Symmetric DSL” because it uses a single twisted-pair copper wire.
How It Works
SDSL is based on the same DSL technology that is used in High-bit-rate Digital Subscriber Line (HDSL) and Asymmetric Digital Subscriber Line (ADSL) implementations of DSL. SDSL can deliver data at speeds of up to 2 Mbps, which is comparable to speeds achieved by HDSL circuits, although typical SDSL speeds are equal to those of a T1 line (1.544 Mbps). While HDSL needs two pairs of copper wires (four wires), SDSL requires only one pair (two wires). And unlike ADSL technology, where downstream speed greatly exceeds upstream speed, SDSL transmission speeds are the same in both directions. However, this is true only if the length of the local loop connection does not exceed 3000 meters and the quality of the phone circuit is good. Also, while ADSL allows subscribers to connect both voice (phone) and data (computers) at their customer premises, SDSL allows only a data connection over a given pair of wires.
NOTE
SDSL uses the same line coding algorithm (2B1Q) that is used in HDSL and in Integrated Services Digital Network (ISDN) circuits.
Also called SYN flooding, a form of denial of service attack directed at TCP/IP networks connected to the Internet. A SYN attack is a protocol-level attack that can make a computer’s network services unavailable to other users.
How It Works
A malicious user initiates a SYN attack by sending a Transmission Control Protocol (TCP) connection request (SYN packet) to a targeted server in a network, usually a Web server. The attacker uses spoofing to alter the source IP address in the SYN packet. When the server receives the connection request, it allocates resources for handling and tracking the new connection and responds by sending a SYN-ACK packet to the nonexistent source address. Because there is no response to the SYN-ACK packet, the server continues to retransmit SYN-ACK several times (five times in Microsoft Windows NT) at increasingly longer time intervals. Finally, after the last retransmission, the server gives up and deallocates the resources previously allocated for the connection. For servers running Windows NT, the default time for this entire process is 189 seconds. The attacker configures software to automatically send large numbers of TCP SYNs in an attempt to tie up the server’s TCP resources and prevent other users from connecting to the server.
TIP
If you are running a Web server and your Web clients are receiving messages such as “The connection has been reset by the remote host,” you might be the target of a SYN attack. If you are running Internet Information Services (IIS) as your Web server, type netstat -n -p tcp at the command prompt to examine the number of TCP connections in a SYN_RECEIVED state. A large number of SYN_RECEIVED connections might indicate that your server is under attack.
SYN attacks against private networks are simple to prevent: you configure a firewall with access lists that accept incoming packets only from known source IP addresses. However, if you are running a Web server that needs to be accessible to anyone on the Internet, it is usually more difficult to defend the server against a SYN attack, because if you configure an input filter, the attacker can simply modify the source IP address in the SYN packets. Ways to defend Web servers against SYN attacks include decreasing the time-out period for the TCP three-way handshake mechanism, increasing the size of the SYN-ACK queue, and applying various vendor-supplied patches to your Web server. For more information on configuring IIS servers to withstand SYN attacks, see the Microsoft Internet Information Server Resource Kit from Microsoft Press.
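The netstat check in the tip above, and the reason a shorter handshake time-out helps, as an added example that is not part of the original entry. It parses constructed Windows-style netstat -n -p tcp output (documentation addresses, not real hosts), flags a local port with many SYN_RECEIVED entries, and estimates how long one spoofed SYN occupies a half-open slot; the 3-second initial SYN-ACK timer that doubles on each retransmission is an assumption, chosen because it reproduces the 189-second figure the entry cites.

```python
"""Added example: detect a possible SYN flood from `netstat -n -p tcp` output
and estimate half-open connection exposure. Not from the original entry.

Assumptions (not stated in the entry): the netstat rows use the Windows layout
"Proto  Local Address  Foreign Address  State", and the server's SYN-ACK timer
starts at 3 seconds and doubles on every retransmission.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of `netstat -n -p tcp` output from a web server under
# suspected attack; addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:1034      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.41:2201      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.42:2202      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.43:2203      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.44:2204      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.45:2205      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.46:2206      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.47:2207      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.48:2208      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.9:1040      ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.9:1041      SYN_RECEIVED
  TCP    192.0.2.10:139         198.51.100.12:1388     ESTABLISHED
"""


@dataclass(frozen=True)
class TcpConn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text):
    """Parse Windows-style `netstat -n -p tcp` output into TcpConn records.
    Header, title and blank lines are skipped; only TCP rows are returned."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        conns.append(TcpConn(lip, int(lport), rip, int(rport), parts[3]))
    return conns


def syn_recv_by_port(conns):
    """Count SYN_RECEIVED (half-open) connections per local port."""
    return Counter(c.local_port for c in conns if c.state == "SYN_RECEIVED")


def assess(conns, threshold=5):
    """Return (suspicious, details). A local port with at least `threshold`
    half-open connections is flagged; the number of established connections
    on that port is reported alongside as supporting evidence."""
    half_open = syn_recv_by_port(conns)
    established = Counter(c.local_port for c in conns if c.state == "ESTABLISHED")
    details = {}
    for port, n in half_open.items():
        if n >= threshold:
            details[port] = {"syn_received": n, "established": established[port]}
    return bool(details), details


def half_open_hold_seconds(initial_timer=3, retransmissions=5):
    """Seconds a spoofed SYN keeps a half-open slot: the initial SYN-ACK timer
    plus each doubled retransmission timer (doubling is an assumption).
    With a 3-second base and 5 retransmissions: 3+6+12+24+48+96 = 189,
    the figure the entry cites for Windows NT."""
    return sum(initial_timer * 2 ** i for i in range(retransmissions + 1))


def half_open_capacity_needed(syn_rate_per_second, hold_seconds):
    """Steady-state half-open slots consumed at a given spoofed-SYN rate
    (Little's law: occupancy = arrival rate x hold time). Shrinking the hold
    time or growing the queue raises the rate an attacker must sustain."""
    return syn_rate_per_second * hold_seconds


if __name__ == "__main__":
    connections = parse_netstat(SAMPLE_NETSTAT)
    flagged, info = assess(connections)
    print("suspicious:", flagged, info)
    hold = half_open_hold_seconds()
    print(f"each spoofed SYN holds a slot for {hold}s; 100 SYN/s -> "
          f"{half_open_capacity_needed(100, hold)} half-open entries")
```

Feeding the script real netstat output (for example, piped through standard input instead of the constructed sample) turns it into a quick triage check on a live server.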
See also TCP three-way handshake
See synchronous transmission
A data-link layer protocol developed in the 1970s by IBM for its Systems Network Architecture (SNA) networking environment. Synchronous Data Link Control (SDLC) is primarily used in wide area networks (WANs) that use leased lines to connect mainframe SNA hosts and remote terminals.
How It Works
SDLC was the first bit-oriented synchronous transmission protocol developed by IBM. It quickly displaced the older, less efficient, character-oriented synchronous protocols such as Bisync and DDCMP. In a serial SDLC link, data is sent as a synchronous bit stream divided into frames that contain addressing and control information in addition to the payload of data.
SDLC uses a master/slave architecture in which one station is designated as primary (master) and the remaining stations are secondary (slaves). The primary station establishes and tears down SDLC connections, manages these connections, and polls each secondary station in a specific order to determine whether any secondary station wants to transmit data. You can use SDLC in a variety of connection topologies, including direct point-to-point connections between a primary and a secondary station and multipoint connections between a primary and a group of secondary stations. Ring topologies are also possible in which a primary controls a ring of secondary stations and is itself part of the ring.
Graphic S-23. Synchronous Data Link Control (SDLC).
NOTE
A number of popular protocols have been derived from the SDLC protocol and standardized by various standards bodies. These include the following:
High-level Data Link Control (HDLC): Developed by the International Organization for Standardization (ISO) and used by Cisco Systems routers for serial communication over leased lines as an alternative to the Point-to-Point Protocol (PPP)
Link Access Procedure Balanced (LAPB): Part of the X.25 protocol stack
Logical Link Control (LLC) or IEEE 802.2: The most popular data link protocol for local area networks (LANs)
A physical layer specification for broadband synchronous transmission of voice, video, and data over long distances of fiber-optic cabling at speeds of more than 1 Gbps. Synchronous Optical Network (SONET) networks can carry voice, video, and data simultaneously and are often used by telecommunications providers to provide the underlying transport mechanism for Asynchronous Transfer Mode (ATM) networking in internal telco and long-distance carrier networks. SONET can also be used as the underlying transport for Fiber Distributed Data Interface (FDDI), Integrated Services Digital Network (ISDN), and Switched Multimegabit Data Services (SMDS) communication. SONET was developed by Bellcore in the mid-1980s and has been standardized by the American National Standards Institute (ANSI). A European version called Synchronous Digital Hierarchy (SDH), which has been standardized by the International Telecommunication Union (ITU), is essentially equivalent to SONET.
How It Works
SONET is built from multiplexed DS0, DS1, or DS3 digital signal channels using optical time-division multiplexing (TDM) to form a single Synchronous Transport Signal (STS) link for communication. The basic SONET transmission rate is 810 bytes transmitted every 125 microseconds, and frames are transmitted whether or not a payload (data) is present. A standard STS-1 SONET data path thus consists of 810 DS0 channels, of which 783 are used for data transmission and 27 are used for framing, error correction, format identification, and other forms of overhead.
SONET is usually implemented as a dual-ring topology to provide redundancy and fault tolerance. These rings are usually self-healing within 50 milliseconds of a break. SONET speeds are classified by one of the following:
Electrical signal speeds called Synchronous Transport Signal (STS)
Optical carrier line speeds called optical carrier (OC)
The following table shows the currently defined SONET speeds.
SONET Speeds
| Electrical Signal | Optical Carrier | Speed |
| --- | --- | --- |
| STS-1 | OC-1 | 51.48 Mbps |
| STS-3 | OC-3 | 155.52 Mbps |
| STS-12 | OC-12 | 622.08 Mbps |
| STS-24 | OC-24 | 1.24 Gbps |
| STS-48 | OC-48 | 2.48 Gbps |
| STS-192 | OC-192 | 9.95 Gbps |
A mode of serial transmission for digital modems, ISDN terminal adapters, Channel Service Unit/Data Service Units (CSU/DSUs), and other telecommunications devices.
How It Works
Synchronous transmission uses clocking circuitry at both the transmitting station and the receiving station to ensure that communication is synchronized. This is in contrast to asynchronous transmission, in which start and stop bits are added to the beginning and end of each frame.
Devices that communicate with each other synchronously use either separate clocking channels to ensure synchronization between them or some kind of special signal code embedded in the signal for self-clocking purposes. Separate clocking lines are generally used when the distance between the data terminal equipment (DTE) and data communications equipment (DCE) is fairly short. Typically, the receiving station (such as a modem, a common form of DCE) provides the clocking signal to the transmitting station (usually a computer or a terminal).
The alternative is to use signal preamble, a special group of bytes (usually 8 bytes) called a SYNC signal that alerts the receiver that data is coming, synchronizes the clocks at the two devices, and starts the transmission. Special predefined voltage transition patterns familiar to both the transmitting and receiving stations are contained within the signal and are used to maintain synchronization between the devices. The receiver must extract this embedded information from the signal and use it to maintain synchronization between it and the transmitting station.
Synchronous transmission interfaces are generally about 20 percent faster and somewhat more reliable than comparable asynchronous interfaces.
See also asynchronous transmission
A form of access control list (ACL) used by the Microsoft Windows 2000 and Windows NT operating systems for security control purposes. System access control lists (SACLs) are not to be confused with the more familiar discretionary access control lists (DACLs) used by Windows 2000 and Windows NT to control access to Active Directory and NTFS file system objects by users and groups. SACLs are used for establishing system-wide security policies for actions such as logging or auditing resource access. The SACL attached to a system, directory, or file object specifies
Which security principals (users, groups, computers) should be audited when accessing the object
Which access events should be audited for these principals
Whether a Success or Failure attribute is generated for an access event, depending on the permissions granted in the DACL for the object
TIP
In the Windows NT operating system, be sure to use the emergency repair disk (ERD) instead of the Restore utility if any system files are lost or damaged, since the Backup and Restore utilities do not copy the SACLs, but the ERD does.
See also access control, access control list (ACL), discretionary access control list (DACL)
One of the four core components of Microsoft Exchange Server. You can use the System Attendant to do the following:
Collect information about all Exchange servers in a site
Maintain the Exchange routing table (GWART)
Create and maintain message-tracking log files for services and connectors
Automatically generate e-mail addresses for new recipients
Monitor links between sites
Perform diagnostic functions
The System Attendant is implemented as a Microsoft Windows NT or Windows 2000 service; it must be running for other Exchange services to run.
TIP
To stop all Exchange services on a computer, stop the System Attendant by using Services in Control Panel. To restart the services, you must restart each service individually, starting with the System Attendant.
A Microsoft Windows 98 utility that automates routine Windows troubleshooting tasks. The System Configuration utility (msconfig.exe) replaces the sysedit.exe program in earlier versions of Windows and has the added feature of allowing you to make backups of key system files. You can use the System Configuration utility to modify startup and initialization settings in files such as system.ini and config.sys by using Windows controls instead of a text editor such as Notepad.
The System Configuration utility lets you create a clean startup environment for troubleshooting purposes and determine the source of a boot problem by the process of elimination. You can select the items in your Startup group and in the Run and RunServices keys of your registry that you want to enable or disable. You can access the System Configuration utility from the Tools menu of the System Information utility in your System Tools program group.
A Microsoft Windows 98 utility for restoring missing, corrupt, or modified operating system files. The System File Checker (sfc.exe) tracks all modifications to Windows 98 operating system files. You can also configure it to monitor the files of other applications for changes. If the System File Checker determines that a file is missing, changed, or corrupt, it prompts you to insert the Windows 98 CD to restore these files to their correct state.
The System File Checker is useful because third-party applications occasionally replace original Windows 98 shared system files with versions that are incompatible with other installed applications. You can use the System File Checker to restore your Windows 98 operating system files to their original condition. You can start the System File Checker via the Tools menu of the System Information utility in your System Tools program group.
See special identity
A Microsoft Windows 98 utility that helps technical support personnel troubleshoot the system by gathering system configuration information on the installed hardware and software.
Graphic S-24. System Information utility.
How It Works
The System Information utility gathers information from the registry, from initialization files, and from the operating system modules that are currently running. It displays the information in a hierarchical view, organized in three major categories:
Hardware Resources: Includes information about IRQ settings, I/O ports, and memory address ranges
Components: Includes information about the status of device drivers and networking and multimedia software
Software Environment: Shows a snapshot of all software currently loaded into memory, including drivers, operating system modules, running tasks, system hooks, and OLE registration information
A Microsoft Windows NT and Windows 2000 log that records events generated by the operating system. Events logged in the system log mainly consist of information about services starting, stopping, or failing and about system device drivers that fail. Administrators cannot alter the type of information logged in the system log. You can view and manage the system log by using the administrative tool Event Viewer.
The following are three types of events that can be logged to the system log:
Errors: Identified by a white “X” in a red circle; indicates a significant problem that might have caused data loss or the loss of some aspect of system functionality (for example, a service failing to start properly)
Warnings: Identified by an exclamation mark in a yellow triangle; indicates a problem that might not be critical but might have an impact later (such as low disk space)
Information: Identified by a blue letter “i” in a speech balloon; indicates a significant but harmless event such as a service starting or device driver initializing
See also application log, security log
A system tool in Microsoft Windows 95 and Windows 98 for monitoring the real-time performance of the Windows 95 or Windows 98 processor, memory, disk, and networking subsystems. System Monitor (sysmon.exe) can display information as a graph, a bar chart, or numeric values and can update information using a range of time intervals. The categories of information that you can monitor depend on which networking services are installed on your system, but they always include File System, Kernel, and Memory Manager. Other possible categories include Microsoft Network Client, Microsoft Network Server, and protocol categories. The following table shows some common troubleshooting uses for System Monitor.
Troubleshooting with System Monitor
| Symptom or Problem | Category to Check |
| --- | --- |
| Memory leaks by applications | Kernel: Threads will increase steadily. |
| Excessive disk access | Memory Manager: Page Faults is large. This usually means that you should add more RAM. |
| Slow response | Kernel: Processor Usage (%) is high, which might indicate that a runaway application needs to be terminated with Ctrl+Alt+Delete. |
NOTE
Microsoft Windows NT and Windows 2000 have a similar but more powerful tool. This is called System Monitor in Windows 2000 and Performance Monitor in Windows NT. For a fuller description, see the Performance Monitor entry elsewhere in this work.
TIP
You can use System Monitor to connect to and monitor a remote computer running Windows 95 or Windows 98 if the remote computer has the remote registry service installed, which itself requires that user-level security be enabled on the machine. This also means that a security provider such as a Windows NT domain controller must be available. Choose Connect from the File menu and type the name of the remote computer you want to monitor.
See also Performance Monitor
The partition on which Microsoft Windows NT or Windows 2000 installs hardware-specific files that are needed to start the operating system. These files include the boot loader file (ntldr), the hardware detector file (ntdetect.com), and the boot.ini file. The system partition is different from the boot partition, which contains the actual Windows NT or Windows 2000 operating system files and supporting files. During the boot process, the code in the Master Boot Record (MBR) locates the system partition by scanning the partition table.
On x86-based computers, the system partition must be on the first physical hard disk of the machine and must be an active partition (and hence a primary partition). You can format the system partition by using the file allocation table (FAT) system of MS-DOS or the NTFS file system. On a RISC system, you must format the system partition using FAT, and the system partition can be on any physical disk. In a default Windows NT or Windows 2000 installation, both the system partition and boot partition are on the C drive.
See also boot partition
A file that applies a set of rules to a computer or set of computers to restrict what users or groups of users can see and do on their workstations. System policies are included as an administrative feature on the Microsoft Windows NT operating system platform for helping administrators lock down the desktop configuration of Microsoft Windows NT Workstation, Windows 98, and Windows 95 clients. On the Microsoft Windows 2000 platform, a more advanced feature called Group Policy is implemented, which is integrated with Active Directory.
How It Works
System policies work by overwriting specific registry keys on the computers they are applied to. To apply a system policy to computers in a Windows NT domain, put the ntconfig.pol file in the NetLogon Share on the primary domain controller (PDC) and use the Directory Replicator Service to replicate the file to other domain controllers. When users log on to the network, the system policy file is downloaded and applied to their Windows NT workstations.
You can create system policy files for Windows NT Workstation clients by using the administrative tool System Policy Editor. A system policy file created this way is usually named ntconfig.pol.
NOTE
If users have Windows 95 or Windows 98 clients, use poledit.exe to create a config.pol file and place this in the NetLogon Share, as just described. System policy files created for Windows 95 and Windows 98 clients are usually named config.pol. If you have a mix of Windows NT, Windows 95, and Windows 98 clients on the network, you must create both an ntconfig.pol file and a config.pol file and store them in the NetLogon Share on the PDC.
See also group policy, Group Policy
A Microsoft Windows NT administrative tool for creating and configuring system policies for Windows NT Workstation clients.
How It Works
System Policy Editor runs in two modes:
Policy mode: Creates system policies that can be saved in the NetLogon Share of domain controllers and applied to client computers when users log on. This is the normal way of using System Policy Editor.
Registry mode: Allows direct manipulation of a subset of entries in the Windows NT registry.
NOTE
Microsoft Windows 95 and Windows 98 also include a version of System Policy Editor called poledit.exe for configuring Windows 95 and Windows 98 system policy files.
TIP
System policies have been replaced with group policies on the Microsoft Windows 2000 platform, but System Policy Editor (poledit.exe) is still included on Windows 2000 Server as an optional tool for certain downlevel administration uses such as the following:
Creating and configuring ntconfig.pol files to lock down servers and workstations running Windows NT 4
Creating and configuring config.pol files to lock down client computers running Windows 98 and Windows 95
Locking down stand-alone computers running Windows 2000, since these exist outside of Active Directory and therefore cannot be managed by using group policies
Graphic S-25. System Policy Editor.
See also system policy
See Microsoft Systems Management Server (SMS)
The main tool for administering a deployment of Microsoft Systems Management Server (SMS) in an enterprise. The SMS Administrator program provides access to the Microsoft SQL Server database that stores SMS information such as packages, jobs, and events for different sites, servers, and clients. The program also lets you create, view, or modify these objects. Specifically, you can use the SMS Administrator program to
View a list of all computers in your site and sites beneath it in the SMS hierarchy and view the inventory for each individual computer
Provide direct support to computers using the remote troubleshooting utilities
Create, modify, and delete packages and program groups
Define inventory rules for packages to enable SMS to scan for these packages and report them to the inventory database
Configure site properties for your site and sites beneath it in the SMS hierarchy
Use Network Monitor to capture network traffic from a computer in the inventory
Configure SMS to receive Simple Network Management Protocol (SNMP) traps and store these traps in the database
Use Microsoft Windows NT administrative tools to manage Windows NT–based computers in the inventory
How It Works
You can install the SMS Administrator on any computer running Windows NT. You can use the SMS Administrator to log on to the SMS hierarchy and administer the objects and properties for your site and other sites beneath it in the hierarchy. You can access the Structured Query Language (SQL) database for any SMS system in which you have appropriate permissions. If you log on to the central SMS site, you can administer the entire SMS system.
The SMS Administrator program uses multiple windows for managing objects in the SMS database. Some of the more important windows include the following:
Sites window: Displays a complete view of all domains and computers for your current site and its subsites. The site that you log on to is the top site in your Sites window, regardless of whether any parent sites are above it. Use the Sites window to view the detailed hardware and software inventory of any computer that is displayed in the window and to launch the remote management and troubleshooting utilities for that computer.
Jobs window: Lets you create, modify, cancel, and delete jobs to manage the distribution, installation, and removal of software on your network. Jobs are stored in the SMS database. SMS automatically creates system jobs for maintaining the system. Before you create a job, first create a package and any machine groups, site groups, or queries you might need if you want to limit which computers receive the package.
Packages window: Lets you create, configure, and manage packages. Packages store information about software so that the software can be identified, distributed, installed on clients, or shared from servers.
Program Groups window: Lets you create SMS network applications that are delivered to users as program items within program groups.
Queries window: Lets you search for objects in the database. You use queries to select target computers for software distribution.
Event, Alert, and SNMP Trap windows: Provide information and tools for managing network assets.
TIP
The SMS Administrator windows are not automatically refreshed. Refresh the display for each Sites window to see changes to your system.
A tool in Microsoft Systems Management Server (SMS) for managing and maintaining the SMS database. You can use the SMS Database Manager to
Delete duplicate, obsolete, or unused data from the database
Delete Group Classes, Collected Files, and Unused Records to reclaim wasted database space
Set preferences for groups shown in the Personal Computers Properties window
A tool in Microsoft Systems Management Server (SMS) for creating Management Information Format (MIF) forms for collecting custom data about computers in an SMS system. These MIF forms can be distributed to SMS client users, who can enter information about their computer by using the MIF Entry client tool. Information in the completed forms is returned to the SMS database.
A tool in Microsoft Systems Management Server (SMS) for viewing and configuring access rights to specific features in the Systems Management Server Administrator program. When a user logs on to an SMS database using the SMS Administrator program, access is granted to sites, packages, queries, and jobs based on the rights previously configured for that user by the Systems Management Server Security Manager. When SMS is first installed, only the database owner (DBO) account possesses all rights to the SMS Administrator program. You use the SMS Security Manager to assign other users rights to the SMS Administrator program.
NOTE
Dependencies between security objects might restrict the sets of rights you can assign to them. For example, a user must have rights to Queries before you can assign any rights to Alerts for that user. The templates included with the SMS Security Manager, which consist of predefined sets of rights, make it easier to assign rights to SMS users.
TIP
Access permissions for objects affect how they appear in the SMS Administrator program. For example, if you have no access to the Packages window, this window will not even appear in the SMS Administrator program.
A tool in Microsoft Systems Management Server (SMS) for managing the properties of the SMS senders. You can use the Systems Management Server Sender Manager to control the following:
Sending bandwidth (maximum transfer rate per hour)
Number of threads and concurrent sessions for each sender
Sender retry interval
Sender address properties
A tool in Microsoft Systems Management Server (SMS) for managing the SMS services and service components in an SMS site. You can use the Systems Management Server Service Manager to
Start and stop SMS services and components on the site server or on another server
Manage and configure tracing on SMS services and components of the SMS Executive
View the current run status and tracing status of components
A set of IBM mainframe networking standards and protocols introduced in 1974. Systems Network Architecture (SNA) originally defined a centralized architecture with mainframe hosts controlling terminals, but it has also been adapted for peer-to-peer communication and distributed client/server computing environments. SNA includes services for configuring and managing system resources within an IBM mainframe networking environment.
How It Works
SNA has seven protocol layers and is similar but not identical to the Open Systems Interconnection (OSI) reference model, whose development it influenced. The SNA protocol suite includes the following:
Synchronous Data Link Control (SDLC) protocol: For data-link layer control of the flow of frames within an SNA network. SNA also supports IEEE 802.5 and 802.2 token passing with Logical Link Control (LLC).
Network Control Program (NCP): For routing, segmentation, and framing functions. NCP usually runs on the host or on the front-end processor.
Virtual Telecommunications Access Method (VTAM): For sequencing, flow control, error recovery, and session management functions. You use VTAM to implement Network Accessible Units (NAUs), which control the flow of data, in an SNA network.
Advanced Peer-to-Peer Networking (APPN): Enables SNA connections between two hosts, such as a PC host accessing an application running on a mainframe host using Advanced Program-to-Program Communications (APPC) sessions. You use APPN to implement Physical Units (PUs) and Logical Units (LUs), which are forms of NAUs that control communication processes for hosts and terminals. LUs represent SNA end nodes such as connections by users or applications, and two LUs communicate by using associated PUs, which are hardware devices or terminals. A number of types of LUs and PUs are used in an SNA networking environment.
NetView: A network management program for configuring, controlling, troubleshooting, and usage accounting of SNA networks.
Before data can be transferred over SNA, a session must be established between an LU on the client and an LU on the host. For example, a Microsoft Windows NT–based or Windows 2000–based server running Microsoft SNA Server can connect to a mainframe host by using SNA. SNA Server provides connectivity between Windows and SNA environments by providing an SNA gateway running on a Windows NT–based or Windows 2000–based server. Windows clients can then connect to the SNA mainframe host by going through the SNA Server gateway. By using LU 6.2, which is a peer-to-peer protocol, the Windows NT–based server running SNA Server or the mainframe host can initiate the user session. Clients on a Windows NT–based or Windows 2000–based network can then access data stored on the host, including data stored in structured or unstructured AS/400 or Virtual Storage Access Method (VSAM) files, DB2 database tables, and transaction processing monitors.
NOTE
Non-SNA architectures such as Token Ring networks can interface with SNA networks using Service Points (SPs).
A shared directory on a domain controller on Microsoft Windows 2000–based networks that contains the server’s copy of the domain public files, such as group policy objects and scripts for the current domain and the entire enterprise. The contents of this share are replicated to all domain controllers in the Windows 2000 domain. The default path for the SYSVOL share is \%System_Root%\Sysvol\SYSVOL.
NOTE
The SYSVOL share must be on an NTFS 5 volume because Active Directory uses the journaling function of NTFS 5 to track replication updates.