Implementing, Managing, and Troubleshooting Network Protocols and Services:

TCP/IP protocol:

Miscellaneous:

  • Is an industry-standard suite of protocols
  • It is routable and works over most network topologies
  • It is the protocol that forms the foundation of the Internet
  • Installed by default in Windows 2000
  • Can be used to connect dissimilar systems
  • Uses Microsoft Windows Sockets interface (Winsock)
  • IP addresses can be entered manually or provided automatically by a DHCP server
  • DNS is used to resolve computer hostnames to IP addresses
  • WINS is used to resolve a NetBIOS name to an IP address
  • Subnet mask - A value used to distinguish the network ID portion of an IP address from the host ID portion.
  • Default gateway - The TCP/IP address of the host (typically a router) to which you send packets destined for other networks so that they can be routed there.

Automatic Private IP Addressing:

Windows 98 and Windows 2000 support this new feature. When "Obtain An IP Address Automatically" is enabled but the client cannot obtain an IP address, Automatic Private IP Addressing takes over:

  • IP address is generated in the form of 169.254.x.y (where x.y is the computer's identifier) and a 16-bit subnet mask (255.255.0.0)
  • The computer broadcasts this address to its local subnet
  • If no other computer responds to the address, the first system assigns this address to itself
  • A computer using an Automatic Private IP address can only communicate with other computers on the same subnet that also use the 169.254.x.y range with a 16-bit mask.
  • The 169.254.0.0 - 169.254.255.255 range has been set aside for this purpose by the Internet Assigned Numbers Authority
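The subnet mask, default gateway and APIPA points above boil down to one decision a host makes for every packet: does the destination share my network ID (deliver directly) or not (hand it to the default gateway)? The following Python is an added example written for this guide, not code from the original page; it uses the standard ipaddress module and constructed sample addresses. It also shows why an APIPA host (no gateway) can only reach other 169.254.x.y hosts, and checks for the mismatched-subnet-mask fault named in the Troubleshooting section later on.

```python
import ipaddress

# Link-local range reserved by the IANA for Automatic Private IP Addressing.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def is_apipa(addr):
    """True if addr is in the 169.254.x.y range a client self-assigns when no DHCP server answers."""
    return ipaddress.ip_address(addr) in APIPA_NET


def network_id(addr, mask):
    """Apply the subnet mask to a host address to obtain its network ID (e.g. 192.168.1.0/24)."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def next_hop(addr, mask, gateway, dest):
    """Decide how a host configured with addr/mask/gateway delivers a packet to dest.

    Returns "direct" when dest shares the host's network ID, the gateway address when the
    packet has to be routed, or "unreachable" when it has to be routed but no gateway is
    configured (the situation every APIPA host is in, since APIPA assigns no default gateway).
    """
    if ipaddress.ip_address(dest) in network_id(addr, mask):
        return "direct"
    if gateway is None:
        return "unreachable"
    return str(ipaddress.ip_address(gateway))


def mask_mismatch(addr_a, mask_a, addr_b, mask_b):
    """True when two hosts disagree about whether they share a subnet.

    This is the classic wrong-subnet-mask fault: one side delivers directly while the other
    sends via its gateway, so traffic works in one direction only (or not at all).
    """
    a_sees_b_local = ipaddress.ip_address(addr_b) in network_id(addr_a, mask_a)
    b_sees_a_local = ipaddress.ip_address(addr_a) in network_id(addr_b, mask_b)
    return a_sees_b_local != b_sees_a_local


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real network.
    print(network_id("192.168.1.10", "255.255.255.0"))
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5"))
    print(is_apipa("169.254.12.34"), next_hop("169.254.12.34", "255.255.0.0", None, "10.0.0.5"))
    # Host A has a 16-bit mask, host B a 24-bit mask, on the same 10.1.x.x network.
    print(mask_mismatch("10.1.1.5", "255.255.0.0", "10.1.2.5", "255.255.255.0"))
```

Run it directly to see the four cases; the APIPA host reports "unreachable" for 10.0.0.5 because, with no gateway, a packet that is not local has nowhere to go.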

TCP/IP Server Utilities:

  • Telnet server - Windows 2000 includes a telnet server service (net start tlntsvr) which is limited to a command line text interface and two concurrent users. Set security on your telnet server by running the admin tool, tlntadmn. (KB# Q225233)
  • Web Server - stripped version of IIS5 Web server. Limited to 10 connections. Must be installed and service started before sharing your printers using Web printing or Internet printing. Can be managed using IIS snap-in or Personal Web Manager, a "dumbed-down" GUI for novice users.
  • FTP Server - stripped version of the Internet Information Server 5 (IIS5) FTP server. Limited to 10 connections but is administered just like the server version using the IIS snap-in or the Personal Web Manager.
  • FrontPage 2000 Server Extensions - extends the functionality of the Web server and included in W2K Pro for developing and testing Web sites before deploying them to a production server.
  • SMTP Server - does not appear to have limitations on connections but this is most likely due to its integration with LDAP and Active Directory replication. Also works with the form handlers in FrontPage Server Extensions.

TCP/IP Client Utilities:

  • Telnet client - Can be used to open a text based console on UNIX, Linux and Windows 2000 systems (run telnet servername)
  • FTP client - Command line based - simple and powerful (run ftp servername)
  • Internet Explorer 5 - Microsoft's powerful and thoroughly integrated Web browser (see IE5 Cramsession for details)
  • Outlook Express 5 - SMTP, POP3, IMAP4, NNTP, HTTP, and LDAP compliant E-mail package.

Services for UNIX 2.0:

Miscellaneous:

  • TCP/IP protocol is required for communicating with UNIX hosts
  • Windows 2000 uses CIFS (Common Internet File System) which is an enhanced version of the SMB (Server Message Block) protocol
  • UNIX uses NFS (Network File System)
  • FTP support has been added to Windows Explorer and to Internet Explorer 5.0 allowing users to browse FTP directories as if they were a local resource.
  • Install SNMP for network management (HP OpenView, Tivoli and SMS).
  • Print Services for UNIX allows connectivity to UNIX controlled Printers (LPR)
  • Simple TCP/IP Services provides Echo, Quote of the Day, Discard, Daytime and Character Generator.

Client for NFS:

  • Installs a full Network File System (NFS) client that integrates with Windows Explorer. Available for both W2K Professional and Server.
  • Places a second, more powerful Telnet client on your system in the %windir%\system32\%sfudir% directory. This new client has been optimized for Windows NT Telnet server and can use NTLM authentication instead of clear text. (KB# Q250879)
  • Users can browse and map drives to NFS volumes and access NFS resources through My Network Places. Microsoft recommends this over installing Samba (SMB file services for Windows clients) on your UNIX server.
  • NFS shares can be accessed using standard NFS syntax (servername:/pathname) or standard UNC syntax (\\servername\pathname)
  • If users' UNIX username/password differ from Windows username/password, click "Connect Using A Different User Name" option and provide new credentials.
  • The following popular UNIX utilities are installed along with the Client for NFS (not a complete list):
      Utility   Description
      grep      Searches files for patterns and displays the lines containing that pattern
      ps        Lists processes and their status
      sed       Copies the named files to standard output, editing them according to a script of commands
      sh        Invokes the Korn shell
      tar       Creates tape archives or adds/extracts files from archives
      vi        Invokes the vi text editor
  • The nfsadmin command-line utility is used for configuration and administration of the Client for NFS. Its options are:
      Option      Description
      fileaccess  UNIX file permissions for reading, writing, and executing
      mapsvr      Computer name of the mapping server
      mtype       Mount type, HARD or SOFT
      perf        Method for determining performance parameters (MANUAL or DEFAULT)
      preferTCP   Whether to use TCP (YES or NO)
      retry       Number of retries for a soft mount (default is 5)
      rsize       Size of the read buffer in KB
      timeout     Timeout in seconds for an RPC call
      wsize       Size of the write buffer in KB
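The two share syntaxes listed above (servername:/pathname and \\servername\pathname) name the same export, and tooling that logs or audits NFS access usually has to normalise both forms to one server/path pair. The following Python parser is an added example written for this guide, not code from Services for UNIX; the server name and path it uses are constructed samples.

```python
import re

# Constructed sample: the same export written in NFS syntax and in UNC syntax.
NFS_SYNTAX = "fileserver:/export/home/alice"
UNC_SYNTAX = r"\\fileserver\export\home\alice"


def parse_share_path(path):
    """Split either NFS syntax (servername:/pathname) or UNC syntax (\\\\servername\\pathname)
    into (servername, tuple_of_path_components). Raises ValueError for anything else."""
    unc = re.fullmatch(r"\\\\([^\\/]+)\\(.+)", path)
    if unc:
        server, rest = unc.groups()
        # UNC paths are sometimes typed with forward slashes; accept both separators.
        return server, tuple(p for p in re.split(r"[\\/]", rest) if p)
    nfs = re.fullmatch(r"([^:\\/]+):/(.*)", path)
    if nfs:
        server, rest = nfs.groups()
        return server, tuple(p for p in rest.split("/") if p)
    raise ValueError(f"not an NFS or UNC share path: {path!r}")


def to_nfs(server, parts):
    """Render a parsed share path in NFS syntax."""
    return f"{server}:/" + "/".join(parts)


def to_unc(server, parts):
    """Render a parsed share path in UNC syntax."""
    return "\\\\" + server + "\\" + "\\".join(parts)


if __name__ == "__main__":
    server, parts = parse_share_path(UNC_SYNTAX)
    print(server, parts)
    print(to_nfs(server, parts))
    print(to_unc(*parse_share_path(NFS_SYNTAX)))
```

Both renderers round-trip through the parser, so an audit log can store the canonical (server, components) pair and print it in whichever syntax the reader expects.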

Server for NFS:

  • Allows NFS clients (think UNIX/Linux here) to access files on a Windows 2000 Professional or Server computer.
  • Integrates with Server for PCNFS or Server for NIS to provide user authentication
  • Managed using the UNIX Admin Snap-in (sfumgmt.msc)

Gateway for NFS:

  • Allows non-NFS Windows clients to access NFS resources by connecting through an NFS-enabled Windows Server.
  • Acts as a gateway/translator between the NFS protocol used by UNIX/Linux and the CIFS protocol used by Windows 2000.
  • Not available on W2K Professional - Server only.

Server for PCNFS:

  • Can be installed on either W2K Professional or Server
  • Provides authentication services for NFS clients (UNIX) needing to access NFS files. Works with the mapping server.

Server for NIS:

  • Must be installed on a Windows 2000 Server that is configured as a Domain Controller.
  • Allows server to act as the NIS master for a particular UNIX domain.
  • Can authenticate requests for NFS shares.

Troubleshooting: (KB# Q102908)

  • Ipconfig and Ipconfig /all - displays current TCP/IP configuration
  • Nbtstat - displays statistics for connections using NetBIOS over TCP/IP
  • Netstat - displays statistics and connections for TCP/IP protocol
  • Ping - tests connections and verifies configurations
  • Tracert - check a route to a remote system
  • Common TCP/IP problems are caused by incorrect subnet masks and gateways
  • If an IP address works but a hostname won't, check DNS settings

NWLink (IPX/SPX) and NetWare Interoperability: (KB# Q220872)

  • NWLink (MS's version of the IPX/SPX protocol) is the protocol used by NT to allow Netware systems to access its resources. (KB# Q203051)
  • NWLink is all that you need to run in order to allow an NT system to run client/server applications from a NetWare server.
  • To allow file and print sharing between NT and a NetWare server, CSNW (Client Services for NetWare) must be installed on the NT system. In a Netware 5 environment, the Microsoft client does not support connection to a Netware Server over TCP/IP. You will have to use IPX/SPX or install the Novell NetWare client. (KB# Q235225)
  • W2K Setup upgrades all Intel x86 based computers running version 4.7 or earlier of a Novell client to version 4.51. (KB# Q218158)
  • Gateway Services for NetWare can be implemented on your NT Server to allow MS client systems to access your NetWare server by using the NT Server as a gateway. (KB# Q121394 & Q220872)
  • Frame types for the NWLink protocol must match those of the computer that the NT system is trying to connect with. Mismatched frame types will cause connectivity problems between the two systems.
  • When NWLink is set to autodetect the frame type, it will only detect one type and will go in this order: 802.2, 802.3, ETHERNET_II and 802.5 (Token Ring).
  • Netware 3 servers use Bindery Emulation (Preferred Server in CSNW). Netware 4.x and higher servers use NDS (Default Tree and Context).
  • There are two ways to change a password on a Netware server - SETPASS.EXE and the Change Password option (from the CTRL-ALT-DEL dialog box). The Change Password option is only available for Netware 4.x and higher servers using NDS.

Other protocols:

  • DLC is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard printers.
  • AppleTalk must be installed to allow Windows 2000 Professional to communicate with Apple printers. Do not confuse this with File and Print Services for Macintosh, which allow Apple clients to use resources on a Microsoft network (only available on Server).
  • NetBEUI is used solely by Microsoft operating systems and is non-routable (it is broadcast-based)

Remote Access Services (RAS):

Authentication protocols:

  • EAP - Extensible Authentication Protocol. A set of APIs in Windows for developing new security protocols as needed to accommodate new technologies. MD5-CHAP and EAP-TLS are two examples of EAP
  • EAP-TLS - Transport Level Security. Primarily used for digital certificates and smart cards
  • MD5-CHAP - Message Digest 5 Challenge Handshake Authentication Protocol. Encrypts usernames and passwords with an MD5 algorithm
  • RADIUS - Remote Authentication Dial-in User Service. Specification for vendor-independent remote user authentication. Windows 2000 Professional can act as a RADIUS client only.
  • MS-CHAP (v1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. v2 is supported in Windows 2000 and NT4 and Win 95/98 (with DUN 1.3 upgrade) for VPN connections. MS-CHAP cannot be used with non-Microsoft clients
  • SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data
  • CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients
  • PAP - Password Authentication Protocol. Sends username and password in clear text

Virtual Private Networks (VPNs):

  • PPTP - Point to Point Tunneling Protocol. Creates an encrypted tunnel through an untrusted network.
  • L2TP - Layer Two Tunneling Protocol. Works like PPTP as it creates a tunnel, but it does not provide data encryption. Security is provided by using an encryption technology like IPSec
      Feature                                        PPTP   L2TP
      Header compression                             No     Yes
      Tunnel authentication                          No     Yes
      Built-in encryption                            Yes    No
      Transmits over an IP-based internetwork        Yes    Yes
      Transmits over UDP, Frame Relay, X.25 or ATM   No     Yes

Multilink Support: (KB# Q235610)

  • Multilinking allows you to combine two or more modems or ISDN adapters into one logical link with increased bandwidth. (KB# Q233171)
  • BAP (Bandwidth Allocation Protocol) and BACP (Bandwidth Allocation Control Protocol) enhance multilinking by dynamically adding or dropping links on demand. Settings are configured through RAS policies. (KB# Q244071)
  • Enabled from the PPP tab of a RAS server's Properties dialog box. (KB# Q233151)

Setting Callback Security:

  • With callback, the RAS server hangs up and calls the user back, so the call is billed to the server's phone number instead of the number of the user calling in. It is also used to increase security
  • For roving users like a sales force, choose "Allow Caller to Set The Callback Number" (less secure)

Dial-up networking:

  • Microsoft technical documentation generally refers to dial-up networking when describing outbound connections. Inbound connections are usually associated with Remote Access Services (RAS).
  • All new connections are added using the "Make New Connection" wizard.
  • To create a VPN connection, choose Dial-Up To A Private Network Through The Internet, specify whether you need to establish a connection with an ISP first, enter the host name or IP address of the computer/network you are connecting to, and select whether connection is for yourself or all users.
  • Dial-up networking entries can be created for modem connections, LAN connections, direct cable connections and Infrared connections.
  • PPP is generally preferred because it supports multiple protocols, encryption, and dynamic assignment of IP addresses (KB# Q124036). SLIP is an older protocol that only supports TCP/IP and is used for dialing into legacy UNIX systems.
  • All network connections, inbound and outbound, are represented by separate icons under Dial-up Networking, and the properties, protocols, addresses and services can be configured individually for each.

Using shared resources on a Microsoft Network:

The Administrators and Power Users groups can create shared folders on a Windows 2000 Professional workstation.

Windows 2000 automatically creates a set of administrative shared folders. Their share names end in a dollar sign ($), which hides the share from users browsing the computer. The system folder (Admin$), the location of the printer drivers (Print$) and the root of each volume (C$, D$, etc.) are all hidden shared folders.

Shared folder permissions apply only when the folder is accessed via the network. By default, the Everyone group is assigned Full Control for all new shared folders. Share level permissions can be applied to FAT, FAT32 and NTFS file systems.

Security levels for network access to shared folders:

Full Control
  • Is assigned to the Everyone group by default.
  • Allows user to take ownership of files and folders.
  • Users can change file access rights.
  • Grants user all permissions assigned by the Change and Read levels.
Change
  • User can add and create files.
  • Grants ability to modify files.
  • User can change the attributes of the file.
  • User can delete files.
  • Grants user all permissions assigned by the Read level.
Read
  • User can display and open files.
  • User can display the attributes of the file.
  • User can execute program files.
No Access
  • User cannot display, access, or modify files.

When a resource is protected by both file-level (NTFS) and share-level permissions, first work out the user's effective permission at each level separately (the most permissive of the permissions granted to the user's groups, unless one of them is No Access, which overrides the rest), then apply the more restrictive of the two effective permissions.
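The combining rule is easy to get wrong under exam pressure (most permissive within a level, most restrictive across levels, No Access trumps everything), so the following Python puts it in executable form. It is an added example written for this guide, not code from Windows 2000 or the original page, and it makes one simplifying assumption: the guide's four share levels (No Access, Read, Change, Full Control) are used as a common scale for NTFS permissions as well, with NTFS Modify treated as Change. The group memberships are constructed samples.

```python
# Share-level access levels from the guide, least to most permissive. No Access is special:
# it overrides anything else granted to the same user at that level.
LEVELS = ("No Access", "Read", "Change", "Full Control")
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_at_one_level(grants):
    """Combine the permissions a user collects at ONE level (share or NTFS) through all of
    their group memberships: the most permissive entry wins, unless any entry is No Access.
    An empty list (no entry applies to the user at all) yields No Access."""
    if not grants or "No Access" in grants:
        return "No Access"
    return max(grants, key=RANK.get)


def effective_network_access(share_grants, ntfs_grants):
    """Access when the folder is reached over the network: compute the effective share and
    NTFS permissions separately, then take the more restrictive of the two."""
    share = effective_at_one_level(share_grants)
    ntfs = effective_at_one_level(ntfs_grants)
    return min(share, ntfs, key=RANK.get)


def effective_local_access(ntfs_grants):
    """Share permissions apply only over the network, so a local logon sees NTFS alone."""
    return effective_at_one_level(ntfs_grants)


def is_hidden_share(share_name):
    """Administrative shares such as Admin$, C$ and Print$ end in '$' and are hidden from browsing."""
    return share_name.endswith("$")


if __name__ == "__main__":
    # Constructed scenario: a new share keeps the default Everyone = Full Control, while NTFS
    # grants the user's groups Read (Users) and Change (Accounting).
    share = ["Full Control"]
    ntfs = ["Read", "Change"]
    print(effective_network_access(share, ntfs))                       # Change
    print(effective_local_access(ntfs))                                # Change
    print(effective_network_access(["Read"], ntfs))                    # Read
    print(effective_network_access(share, ["Change", "No Access"]))    # No Access
    print(is_hidden_share("C$"), is_hidden_share("Public"))
```

The first two calls show why the default Everyone = Full Control share permission is not, by itself, a problem on an NTFS volume: the NTFS permissions still cap what a network user gets. On a FAT or FAT32 volume there is no NTFS level, and the share permission is the only control.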

Windows 2000 Professional is limited to 10 concurrent connections for file and print services.