
Postal Information Technology Center (Peshawar Campus)

BASIC NETWORK CONCEPTS


Networks are an interconnection of computers. These computers can be linked together using a wide variety of different cabling types, and for a wide variety of different purposes. The basic reasons why computers are networked are

- to share resources (files, printers, modems, fax machines)
- to share application software (MS Office)
- to increase productivity (make it easier to share data amongst users)

Take for example a typical office scenario where a number of users in a small business require access to common information. As long as all user computers are connected via a network, they can share their files, exchange mail, schedule meetings, send faxes and print documents, all from any point of the network.

It would not be necessary for users to transfer files via electronic mail or floppy disk, rather, each user could access all the information they require, thus leading to less wasted time and hence greater productivity. Imagine the benefits of a user being able to directly fax the Word document they are working on, rather than print it out, then feed it into the fax machine, dial the number etc. Small networks are often called Local Area Networks [LAN]. A LAN is a network allowing easy access to other computers or peripherals. The typical characteristics of a LAN are,

- physically limited (< 2 km)
- high bandwidth (> 1 Mbps)
- inexpensive cable media (coax or twisted pair)
- data and hardware sharing between users
- owned by the user

Instructor : Arshad Zia Siddiqui


BASIC NETWORK COMPONENTS


There are a number of components which are used to build networks. An understanding of these is essential in order to support networks. This is a discussion on some of the elements which make up a network [LAN].

Network Adapter Cards


A network adapter card plugs into the workstation, providing the connection to the network. Adapter cards come from many different manufacturers, and support a wide variety of cable media and bus types [ISA, MCA, EISA, PCI, PCMCIA]. Newer cards are software configurable, using a program to set the resources used by the card. Other cards are PNP [Plug and Play], which automatically configure their resources when installed in the computer, simplifying installation. With an operating system like Windows 95, auto-detection of new hardware makes network connections simple and quick. On power-up, the computer detects the new network card, assigns the correct resources to it, and then installs the networking software required for connection to the network. All the user need do is assign the network details like the computer name. For Ethernet or 10BaseT cards, each card is identified by a twelve-digit hexadecimal number (48 bits), its MAC address. This number uniquely identifies the card, and hence the computer it is fitted to. These card addresses are used at the Medium Access Control [MAC] sublayer to identify the destination for the data. When talking to another computer, the data you send is prefixed with the address of the card you are sending the data to. This allows intermediate devices in the network to decide in which direction the data should go, in order to transport the data to its correct destination. A typical adapter card looks like,

A PCMCIA adapter card, suitable for connecting a portable laptop computer to a network, looks like,

Peripheral cards associated with EISA and MCA are normally self-configuring. The major problem arises with cards for the ISA bus (found in the majority of AT type computers and clones). This is because the cards are configured by the user (using either jumpers or a software program). Users make mistakes, and often configure cards so that they conflict with other cards already present in the system. This causes intermittent or immediate non-operation of the computer system. For instance, a networking card that is allocated the same resources as a serial port may function perfectly, except when the user is logged into the network and then tries to use the serial port, at which time the machine will crash.

Resources Used By Peripheral Cards

We have already mentioned that resources used by ISA peripheral cards must not be shared (two cards cannot use the same one). So what are the resources used by peripheral cards? Essentially, there are FOUR resources which are user configurable for peripheral cards. Some cards may only use one (a port location), others may require all four. The FOUR resources are

1. Input/Output Port Address
In the PC, the port numbers used by peripheral cards range from 200h to 3FFh. The I/O port address is used by the PC to communicate with the peripheral card (issue commands, read responses, and perform data transfer).

2. Interrupt Request Line
The interrupt request line is used by the card to signal the processor that the card requires the processor's attention. ISA peripherals cannot share the same interrupt request line, and IRQ2 in AT/386/486 computers should not be used (there are others which must also not be used). IRQ2 to IRQ15 appear on the ISA bus.

3. Direct Memory Access (DMA) Request Line
The DMA request line is used to transfer data between the peripheral card and the computer's memory at high speed. DMA channel 0 cannot be used, as it is reserved for system use.

4. Buffer Memory Address
Some peripheral cards prefer to use memory space rather than an I/O port address to transfer data to the processor. This memory space occupied by the peripheral card appears in the main system memory area available to the processor (usually between C0000h and EFFFFh). Care must be taken to ensure this space is not being used for other purposes (like shadow RAM, EMS for Windows, or the VGA BIOS). This space is also sometimes used by a remote boot EPROM, which is used by diskless workstations to download the operating system from the server at boot time.

So How Do Peripheral Cards Work?

Peripheral cards require a software driver to function. This software driver provides the interface between the card and the operating system, making the services provided by the card available to the user. The software driver is normally configured to match the resource settings of the card. This is done by a configuration utility, and stored either in the executable file or in a separate file (like .ini or .cfg). It is obviously important for the configuration settings in the software driver to match those configured on the peripheral card. The resources used by the card are set either by jumpers (or slide switches) or, on newer cards, by a software program rather than by manually setting jumpers on the card.
Where cards are software configurable, the cards retain their configuration when the power is turned off.

The software driver provides the following functions

- initialization routine
- interrupt service routine
- procedures to transmit and receive data
- procedures for status, configuration and control

The basic operation looks something like,


- card receives data
- card generates an interrupt by asserting the interrupt request line
- processor responds to the interrupt request and jumps to the service routine
- service routine instructs the processor to read the data from the port location
- interrupt service routine releases the processor to continue its previous work

The major problem is assigning values for these resources which are already being used by either the system or another peripheral card. It is therefore handy to know which resources are used by common peripheral devices. The following tables identify these.

Common I/O Port Addresses

Port Address    Peripheral
200-207h        Game I/O Adaptor
210-217h        XT Expansion Unit
220h            SoundBlaster
278-27Fh        LPT2
2E8-2EFh        COM4
2F8-2FFh        COM2
300-30Fh        Color Video Adaptor
320-32Fh        XT Hard Disk
330h            SoundBlaster MIDI
378-37Fh        LPT1
3A0-3A9h        IBM Synchronous Adaptor
3B0-3BFh        Monochrome Video
3E8-3EFh        COM3
3F0-3F7h        Floppy Disk
3F8-3FFh        COM1

Common Interrupts

IRQ Line    Peripheral
2           EGA/VGA
3           COM2
4           COM1
5           LPT2, Bus mouse, Network
6           Floppy Disk
7           LPT1
13          Co-Processor
14          AT Disk Controller

Common Memory Addresses

Address          Peripheral
A0000-BFFFFh     EGA/VGA
B0000-B7FFFh     Monochrome
B8000-BFFFFh     CGA
C8000-CFFFFh     XT Disk
F4000-FFFFFh     AT ROM BIOS
F8000-FFFFFh     PC/XT ROM BIOS

Common DMA Lines

DMA Line    Peripheral
0           Memory Circuitry
1           Spare
2           Floppy Drive

Installing A Peripheral Card


This section discusses basic techniques for installing peripheral cards. Following standardized procedures helps to minimize damage to the system or peripheral card, and reduces the possibility of incorrect installation.

1. Determine the resources used by the computer
Use the previous tables to determine the interrupts, memory and port addresses used by the current hardware in the computer.

2. Read the install manual
Check the disk for a read.me file (and read it). Read the manual and take note of the jumper switches used by the card. Identify where these are located on the card.

3. Determine resources to be used by the card
Allocate resources to the card which do not conflict with existing hardware.

4. Observe electrostatic protection in handling the card
Use a wrist strap and ground yourself properly before handling the card. Handle the card by the edges. Do not touch the components or edge connector. Use electrostatic bags or an electrostatic mat.

5. Configure the card jumpers
Set the jumpers on the card.

6. Insert the card
Remove the system base unit cover and insert the card into a spare peripheral bus slot. Observe electrostatic precautions.

7. Load the software driver
If the card was provided with a software driver, install it. This might involve running an INSTALL program, or copying the drivers to the hard disk. It might also mean adding the driver name to the config.sys file (DEVICE=xxxxx.sys).

8. Configure the driver software
If the driver software needs to be configured (specify which resources the card is using), this information might be stored in a separate file (.ini or .cfg). Often, when installing the software, it will ask for configuration details. These must be the same as the hardware jumper settings used by the card.

9. Test card (run diagnostics where provided)
If the card was provided with diagnostic software, run that now to test the card and driver. This is a good way to test if the installation was done correctly.

10. Test the machine
Test some of the other software packages on the system (like networking, serial communications and printing) to see if they still work. If they don't, this indicates a probable conflict of resources. In Windows 95 or NT, run the diagnostic program to check for interrupt and resource conflicts (MSD or WINMSD).

Summary of Installing Network Cards in Servers and Workstations

- ISA cards are a problem
- check what resources are already being used
- do not share resources between two cards
- interrupts can only be shared on EISA and MCA cards
- run the diagnostics software after installation
- if the computer hangs, remove one board at a time until the problem disappears
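Steps 1 and 3 of the procedure above (list what is already in use, then choose non-conflicting settings) can be done mechanically. The following Python script is an added example for these notes, not part of the original course material: it encodes the rules stated on this page (adapter I/O ports live in 200h-3FFh, card buffer memory in C0000h-EFFFFh, IRQ2 and DMA 0 are reserved, and ISA resources can never be shared) and checks a proposed card configuration against a constructed subset of the "Common ..." tables. On a real machine the in-use table would be filled from MSD/WINMSD output or the manuals of the cards already fitted.

```python
"""Pre-installation check: does a proposed ISA card configuration clash with
resources already in use?  Added example, not part of the course notes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last)


@dataclass
class Resources:
    """The four user-configurable resources of a peripheral card."""
    name: str
    io: Optional[Range] = None    # I/O port address range
    irq: Optional[int] = None     # interrupt request line
    dma: Optional[int] = None     # DMA request line
    mem: Optional[Range] = None   # buffer memory address range


# Constructed subset of the page's 'Common ...' tables.  On a real machine,
# take this from MSD/WINMSD or the manuals of the cards already fitted.
IN_USE: List[Resources] = [
    Resources("COM1", io=(0x3F8, 0x3FF), irq=4),
    Resources("COM2", io=(0x2F8, 0x2FF), irq=3),
    Resources("LPT1", io=(0x378, 0x37F), irq=7),
    Resources("LPT2", io=(0x278, 0x27F), irq=5),
    Resources("Floppy Disk", io=(0x3F0, 0x3F7), irq=6, dma=2),
    Resources("AT Disk Controller", irq=14),
    Resources("EGA/VGA", irq=2, mem=(0xA0000, 0xBFFFF)),
    Resources("AT ROM BIOS", mem=(0xF4000, 0xFFFFF)),
]

ADAPTER_IO = (0x200, 0x3FF)       # port numbers used by peripheral cards
ADAPTER_MEM = (0xC0000, 0xEFFFF)  # usual window for card buffer memory
RESERVED_IRQS = {2}               # IRQ2 must not be used on AT-class machines
RESERVED_DMAS = {0}               # DMA channel 0 is reserved for the system


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def inside(inner: Range, outer: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def find_conflicts(card: Resources, in_use: List[Resources] = IN_USE) -> List[str]:
    """Return a list of problems; an empty list means the settings are safe."""
    problems: List[str] = []

    # Sanity checks that do not depend on other cards.
    if card.io is not None and not inside(card.io, ADAPTER_IO):
        problems.append(f"I/O {card.io[0]:03X}-{card.io[1]:03X}h is outside "
                        f"the 200h-3FFh adapter range")
    if card.irq in RESERVED_IRQS:
        problems.append(f"IRQ {card.irq} is reserved and must not be used")
    if card.dma in RESERVED_DMAS:
        problems.append(f"DMA {card.dma} is reserved for system use")
    if card.mem is not None and not inside(card.mem, ADAPTER_MEM):
        problems.append(f"memory {card.mem[0]:05X}-{card.mem[1]:05X}h is outside "
                        f"the C0000h-EFFFFh window")

    # ISA resources cannot be shared: every overlap with an existing device
    # is a conflict, even if it only shows up when both devices are busy.
    for other in in_use:
        if card.io and other.io and overlaps(card.io, other.io):
            problems.append(f"I/O ports clash with {other.name}")
        if card.irq is not None and card.irq == other.irq:
            problems.append(f"IRQ {card.irq} is already used by {other.name} "
                            f"(ISA cards cannot share interrupts)")
        if card.dma is not None and card.dma == other.dma:
            problems.append(f"DMA {card.dma} is already used by {other.name}")
        if card.mem and other.mem and overlaps(card.mem, other.mem):
            problems.append(f"buffer memory clashes with {other.name}")
    return problems


if __name__ == "__main__":
    # Hypothetical network card settings, chosen to stay clear of the table,
    # followed by one that collides with COM2 on both port and interrupt.
    safe = Resources("network card", io=(0x340, 0x35F), irq=10,
                     mem=(0xD0000, 0xD3FFF))
    clash = Resources("network card", io=(0x2F8, 0x2FF), irq=3)
    for card in (safe, clash):
        print(card.name, card.io, card.irq, "->",
              find_conflicts(card) or "no conflicts")
```

The check deliberately reports an IRQ clash even when the other device is idle most of the time: that is exactly the intermittent failure described above, where the network card works until the serial port is used.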

Brief Guide to BUILDING WIRING


The following is a very brief overview of the components that make up the wiring standards for commercial buildings. The objectives of such standards are to

- define a generic voice and data wiring system that is multi-purpose and multi-vendor
- help minimize the cost of administration
- simplify network maintenance and changes

A building wiring system covers a number of different elements

- horizontal wiring
- backbone wiring

Horizontal Wiring
The horizontal wiring extends from the wall outlet to the system center (telecommunications closet). It includes

- the wall outlet
- the horizontal cable
- cables used to interconnect components [cross-connects or patch cables] in the telecommunications closet (TC)

Some general features of the horizontal wiring scheme are

- uses a star topology
- limit of 90 meters (295') from TC to wall outlet
- limit of 3 meters (10') to connect from wall outlet to PC
- patch cords and cross-connect leads are limited to 6 meters (20')
- minimum of two outlets per user (phone + data)
- standardized media: Outlet A = 4-pair 100-ohm UTP, Outlet B = the same or 2-pair 150-ohm STP

Backbone Wiring

The backbone wiring system interconnects telecommunication closets, equipment rooms and entrance facilities (i.e., the outside world). Some general features are

- star topology
- maximum of two hierarchical levels
- interconnections between any two TCs must not go through more than 3 cross-connects
- use of recognized media
- adherence to distance limitations

EIA/TIA-568 WIRING STANDARD


This standard, defined in July of 1991, specifies a cabling system which is vendor independent (does not care what is attached to it) and capable of lasting ten years. The latest version is 568B, which contains some enhancements to the original standard. The standard specifies SIX subsystem components of the cable system.

1. Entrance Facility
This is the area where outside cabling interfaces with the building's cabling system. This is typically a secure room. Often this area is considered a demarcation area, where the Internet Service Provider (ISP) or telecommunications provider's responsibility ends and the building owner's begins.

2. Equipment Room
This room houses the Private Automatic Branch Exchange (PABX, a system which implements a local internal telephone system for a company) unit, modems, routers, network hubs and sometimes servers. It can also provide the facilities of a telecommunications closet, and may be located in the Entrance Facility. It should be secured, and have adequate ventilation, power and space for equipment racks.

3. Backbone Cabling
The backbone cable connects the telecommunications closets to the equipment room and entrance facility. This is wired in a star topology. The four media options for backbone cabling are

- 100-ohm unshielded twisted pair (not exceeding 800 meters)
- 150-ohm shielded twisted pair (not exceeding 700 meters)
- 50-ohm coaxial cable (not exceeding 500 meters)
- 62.5/125um multi-mode fiber (not exceeding 2,000 meters)

4. Telecommunications Closet (TC)
This is a room which houses only telecommunications cabling system equipment, such as cross-connect patch panels for the horizontal and backbone wiring system. It may also contain hubs or switches. There is often one or more TCs per floor.

5. Horizontal Cabling
The horizontal cable extends from the TC to the wall outlet in the user's work area. There are FOUR media options for horizontal wiring

- four-pair 100-ohm UTP
- two-pair 150-ohm STP
- 50-ohm coaxial cable
- two-fiber 62.5/125um fiber

All horizontal cabling is implemented using a star topology, and must not exceed 90 meters from the TC to the wall outlet. A minimum of TWO outlets are required per work area, one of which must be wired with four-pair 100-ohm UTP cable. The color coding of the UTP cable is

- pair 1: white-blue and blue
- pair 2: white-orange and orange
- pair 3: white-green and green
- pair 4: white-brown and brown

6. Work Area
This is where the user is located. Patch cables connect the user's equipment (such as phone, fax, computer) to the wall outlet. The standard also specifies the use of an eight-pin modular RJ-45 jack for wall outlets using Unshielded Twisted Pair (UTP).

Categories of UTP Cabling

The EIA/TIA standard specifies FIVE categories of UTP cabling

Category 1
uses 22 or 24 AWG (American Wire Gauge standard) solid wire and is not suitable for data transmission

Category 2
uses 22 or 24 AWG solid wire, used for PABX and alarm systems, and has a maximum bandwidth of 1 MHz

Category 3
uses 24 AWG solid wire having an impedance of 100 ohms with a maximum bandwidth of 16 MHz

Category 4
same as Category 3 but rated to 20 MHz

Category 5
uses 22 or 24 AWG pair wire having an impedance of 100 ohms with a maximum bandwidth of 100 MHz, typically using an RJ-45 connector and used to implement 10BaseT and 100BaseTX

EIA/TIA-568A Connector Specifications

This is gradually being phased out in favour of EIA/TIA-568B.

Label   Color Code     Pin Number
T3      White/Green    1
R3      Green/White    2
T2      White/Orange   3
R1      Blue/White     4
T1      White/Blue     5
R2      Orange/White   6
T4      White/Brown    7
R4      Brown/White    8

EIA/TIA-568B and AT&T 258A Connector Specifications

Recommended by the IEEE for 100Base-TX and T4 operation.

Label   Color Code     Pin Number
T2      White/Orange   1
R2      Orange/White   2
T3      White/Green    3
R1      Blue/White     4
T1      White/Blue     5
R3      Green/White    6
T4      White/Brown    7
R4      Brown/White    8

IEEE 10Base-T Connector Specifications

Only pins 1, 2, 3 and 6 carry signals; the remaining pins are left unused.

Label   Color Code     Pin Number
T2      White/Orange   1
R2      Orange/White   2
T3      White/Green    3
R1      (unused)       4
T1      (unused)       5
R3      Green/White    6
T4      (unused)       7
R4      (unused)       8

EIA/TIA-568 UTP Wiring Standard Specifications


- Desktop to Wall Outlet: 5 Meters
- Wall Outlet to Wiring Closet: 90 Meters
- Patch Cable in Wiring Closet: 5 Meters
- Fiber Optic Link between Wiring Closets: 2000 Meters
- UTP Backbone between Wiring Closets: 800 Meters

100Base-T Wiring Standard Specifications

Fast Ethernet for Category 5 UTP (100Base-TX). This standard is based on CDDI (FDDI over copper).

- Segment Lengths: Two pairs of UTP cable with a maximum length of 100 Meters.
- Cable Types: Category 5 UTP. (The Category 3 variant of Fast Ethernet is 100Base-T4, described below, which uses all four pairs to keep the signalling frequency low enough for Category 3 cable.)
- Connector Types: Category 5 type RJ-45 connectors.

100Base-FX Wiring Standard Specifications

Fast Ethernet over Fiber Optic Cable

- Cable Types: Twin strands of multimode fiber.
- Connector Types: SC, MIC and ST.
- Segment Lengths: Full-duplex links are 2000 Meters; a half-duplex link between two switches, or between a switch and an adapter, is 412 Meters. Repeater segment lengths can be a maximum of 320 Meters (typically less).

100Base-T4 Wiring Standard Specifications

Fast Ethernet for Category 3 UTP Cable

- Cable Types: Category 3 UTP (all four pairs).
- Connector Types: RJ-45.
- Segment Lengths: 100 Meters maximum.

Cabling
Cable is used to interconnect computers and network components together. There are THREE main cable types used today [twisted pair, coax and fiber optic]. The choice of cable depends upon a number of factors, like

- cost
- distance
- number of computers involved
- speed requirements [called bandwidth], i.e., how fast data is to be transferred

Twisted Pair (Shielded Twisted Pair and Unshielded Twisted Pair)


Becoming the cable of choice for new installations, twisted pair cable is readily accepted as the preferred solution to cabling. It provides support for a range of speeds and configurations, and is widely supported by different vendors. Shielded twisted pair uses a special braided wire which surrounds all the other wires, which helps to reduce unwanted interference. The features of twisted pair cable are,

- used in token ring (4 or 16 Mbps), 10BaseT (Ethernet 10 Mbps), 100BaseT (100 Mbps)
- reasonably cheap
- reasonably easy to terminate [special crimp connector tools are necessary for reliable operation]
- UTP often already installed in buildings
- UTP is prone to interference, which limits speed and distances
- low to medium capacity
- medium to high loss
- category 2 = up to 1 Mbps (telephone wiring)
- category 3 = up to 10 Mbps (Ethernet and 10BaseT)
- category 5 = 100 Mbps (supports 10BaseT and 100BaseT)

Category 5 cable uses 8 wires. The various jack connectors used in the wiring closet look like,

The patch cord which connects the workstation to the wall jack looks like,

Distance limitations exist when cabling. For category 5 cabling at 100 Mbps, the limitations effectively limit the workstation to wall outlet run to 3 meters, and the wall outlet to wiring closet run to 90 meters. All workstations are wired back to a central wiring closet, where they are then patched accordingly. Within an organization, the IT department either performs this work or subcontracts it to a third party.

In 10BaseT, each PC is wired back to a central hub using its own cable. There are limits imposed on the length of drop cable from the PC network card to the wall outlet, the length of the horizontal wiring, and from the wall outlet to the wiring closet.

Patch Cables

Patch cables come in two varieties, straight through or reversed. One application of patch cables is for patching between modular patch panels in system centers. These are the straight through variety. Another application is to connect workstation equipment to the wall jack, and these could be either straight through or reversed depending upon the manufacturer. Reversed cables are normally used for voice systems.

How to determine the type of patch cable

Align the ends of the cable side by side so that the contacts are facing you, then compare the colors from left to right. If the colors are in the same order on both plugs, the cable is straight through. If the colors appear in the reverse order, the cable is reversed.
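The side-by-side test above, together with the 568A, 568B and 10Base-T pin tables earlier on this page, can be written down as a small classifier. The following Python script is an added example for these notes, not part of the original course material: it reproduces the page's straight-through and reversed tests, adds the crossover pattern (568A on one plug, 568B on the other, which swaps pins 1,2 with 3,6), and goes one step further than the visual test by checking that the 10Base-T pins 1,2 and 3,6 each sit on an intact twisted pair. The colour strings and the deliberately mis-wired "split pair" sample are constructed.

```python
"""Classify a UTP patch cable from the colour order seen at its two plugs,
and check that the 10Base-T pins sit on intact twisted pairs.
Added example for this course page, not part of the original notes."""
from typing import Sequence

# Pin 1..8 colour order from the connector tables on this page.
T568A = ("white/green", "green/white", "white/orange", "blue/white",
         "white/blue", "orange/white", "white/brown", "brown/white")
T568B = ("white/orange", "orange/white", "white/green", "blue/white",
         "white/blue", "green/white", "white/brown", "brown/white")

# A crossover cable (568A on one end, 568B on the other) swaps the transmit
# pair (1,2) with the receive pair (3,6); the other pins go straight through.
CROSSOVER = {1: 3, 2: 6, 3: 1, 6: 2, 4: 4, 5: 5, 7: 7, 8: 8}

# 10Base-T uses pins 1,2 (transmit) and 3,6 (receive) only.
TENBASET_PAIRS = ((1, 2), (3, 6))


def pair_colour(wire: str) -> str:
    """'white/green' and 'green/white' both belong to the green pair."""
    return [c for c in wire.split("/") if c != "white"][0]


def classify(end_a: Sequence[str], end_b: Sequence[str]) -> str:
    """Apply the page's side-by-side test, plus the crossover pattern."""
    a, b = list(end_a), list(end_b)
    if len(a) != 8 or len(b) != 8:
        raise ValueError("expected 8 conductors per plug")
    if a == b:
        return "straight-through"
    if a == b[::-1]:
        return "reversed"        # colours in reverse order: voice-style cable
    if all(a[p - 1] == b[CROSSOVER[p] - 1] for p in range(1, 9)):
        return "crossover"
    return "unknown"


def tenbaset_pairs_intact(end: Sequence[str]) -> bool:
    """True if pins 1&2 and 3&6 each carry both conductors of one pair.
    A 'split pair' passes the visual straight-through test (both plugs
    match) yet is unreliable, because each signal is no longer carried
    on a twisted pair and so loses its protection against interference."""
    return all(pair_colour(end[p - 1]) == pair_colour(end[q - 1])
               for p, q in TENBASET_PAIRS)


if __name__ == "__main__":
    print(classify(T568B, T568B))           # straight-through
    print(classify(T568A, T568B))           # crossover
    print(classify(T568B, T568B[::-1]))     # reversed
    # Constructed mistake: crimped by colour order with pins 2 and 3 swapped
    # at both ends, so the cable looks straight-through but splits the pairs.
    split = list(T568B)
    split[1], split[2] = split[2], split[1]
    print(classify(split, split), tenbaset_pairs_intact(split))
```

The pair check is the part a cable tester does that a visual comparison cannot: two plugs can agree with each other and still be wrong.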

Coaxial Cable
Coaxial cable has traditionally been the cable of choice for low cost, small user networks. This has been mainly due to its ease of use and low cost. Persons with minimal network understanding can readily build a LAN using coax components, which can often be purchased in kit-ready format. The general features of coaxial cable are,

- medium capacity Ethernet systems (10 Mbps)
- slightly dearer than UTP
- more difficult to terminate
- not as subject to interference as UTP
- care when bending and installing is needed
- 10Base2 uses RG-58A/U (also called Thin-Net or Cheapernet)
- 10Base5 uses a thicker solid core coaxial cable (also called Thick-Net)

Thin coaxial cable [RG-58A/U, rated at 50 ohms], as used in Ethernet LANs, looks like

The connectors used in thin-net Ethernet LANs are T-connectors (used to join cables together and attach to workstations) and terminators (one at each end of the cable). The T-connectors and terminators look like

Fiber Optic
Fiber optic cable is considered the default choice for connections involving high speed [large bandwidth requirements like video, large database systems], long distances and interconnecting networks. It costs more than either twisted pair or coax, and requires special connectors and jointing methods. The features of fiber-optic cable systems are,

- expensive
- used for backbones [linking LANs together] or FDDI rings (100 Mbps)
- high capacity [100 Mbps]
- immune to electromagnetic interference
- low loss
- difficult to join
- connectors are expensive
- long distance

Fiber optic is often used to overcome distance limitations. It can be used to join two hubs together, which normally could not be connected due to distance limitations. In this instance, a UTP to Fiber transceiver [often referred to as a FOT] is necessary. Fiber optic cable looks like

In addition, fiber optic patch panels are used to interconnect fiber cables. These patch panels look like


OSI Model
In 1983, the International Standards Organization (ISO) developed a model which would allow the sending and receiving of data between two computers. It works on a layered approach, where each layer is responsible for performing certain functions. When we think of how to send data from one computer to another, there are many different things involved. There are network adapters, voltages and signals on the cable, how the data is packaged, error control in case something goes wrong, and many other concerns. By dividing these into separate layers, it makes the task of writing software to perform this much easier. In the Open Systems Interconnection model, which allows dissimilar computers to transfer data between themselves, there are SEVEN distinct layers.

7. Application Layer
Provides applications with access to network services.

6. Presentation Layer
Determines the format used to exchange data among networked computers.

5. Session Layer
Allows two applications to establish, use and disconnect a connection between them called a session. Provides for name recognition and additional functions like security which are needed to allow applications to communicate over the network.

4. Transport Layer
Ensures that data is delivered error free, in sequence and with no loss, duplication or corruption. This layer also repackages data by breaking long messages into lots of smaller messages for sending, and reassembling the smaller messages into the original larger message at the receiving end.

3. Network Layer
This is responsible for addressing messages and data so they are sent to the correct destination, and for translating logical addresses and names (like a machine name FLAME) into physical addresses. This layer is also responsible for finding a path through the network to the destination computer.

2. Data-Link Layer
This layer takes the packets from the Network Layer and provides for their actual transmission. At the receiving computer, this layer receives the incoming data and sends it up to the Network Layer for handling. The Data-Link Layer also detects corrupted data between the two computers, using the Physical Layer underneath it. It does this by packaging the data from the Network Layer into a frame which includes error detection information (a frame check sequence). At the receiving computer, the Data-Link Layer reads the incoming frame and generates its own error detection value from the received frame's data. After receiving all of the frame, it then compares its error detection value with the one carried in the incoming frame; if they match, the frame has been received correctly, otherwise the frame is discarded. A frame looks like,

The Data-Link Layer actually consists of two separate parts, the Medium Access Control (MAC) sublayer and the Logical Link Control (LLC) sublayer. Example MAC layers are Ethernet 802.3 and Token Ring 802.5. Bridges are an example of devices which work at the MAC layer.

1. Physical Layer
Controls the transmission of the actual data onto the network cable. It defines the electrical signals, line states and encoding of the data, and the connector types used. An example is 10BaseT. Repeaters are an example of devices that work at the Physical Layer. For Ethernet 802.3, the Physical Layer can be represented as
- 10Base5
- 10Base2
- 10BaseT
- 10BaseF

Sending Data Via the OSI Model

Each layer acts as though it is communicating with its corresponding layer on the other end. In reality, data is passed from one layer down to the next lower layer at the sending computer, till it's finally transmitted onto the network cable by the Physical Layer. As the data is passed down to a lower layer, it is encapsulated into a larger unit (in effect, each layer adds its own layer information to that which it receives from a higher layer). At the receiving end, the message is passed upwards to the desired layer, and as it passes upwards through each layer, the encapsulation information is stripped off.
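The MAC addressing described in the network adapter section, the Data-Link frame check described under layer 2, and the encapsulation just described all meet in one Ethernet frame. The following Python script is an added example for these notes, not part of the original course material. It assumes the Ethernet II (DIX) frame layout, which the page does not spell out: a 6-byte destination address, a 6-byte source address, a 2-byte type field, a 46 to 1500 byte payload (padded if shorter), and a 4-byte CRC-32 frame check sequence computed over everything before it. The addresses and the payload are constructed; the type value 0x0800 is the one used for IP and appears here only as a sample value.

```python
"""Build and check an Ethernet frame: MAC addressing, encapsulation of the
Network Layer's data, and the frame check sequence (FCS) compared at the
receiver.  Added example for this course page, not part of the notes.
Assumes the Ethernet II (DIX) frame layout: 6-byte destination address,
6-byte source address, 2-byte type, 46..1500-byte payload, 4-byte CRC-32 FCS."""
import struct
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"
MIN_PAYLOAD = 46      # shorter payloads are padded so the frame is >= 64 bytes
MAX_PAYLOAD = 1500


def mac_to_bytes(mac: str) -> bytes:
    """'00:a0:c9:12:34:56' -> 6 raw bytes; the 12 hex digits identify one card."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_broadcast(mac: str) -> bool:
    return mac.lower() == BROADCAST


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Data-Link encapsulation: prefix the upper layer's data with the
    addresses and type, pad, then append the FCS computed over all of it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    body = (mac_to_bytes(dst) + mac_to_bytes(src)
            + struct.pack("!H", ethertype)
            + payload.ljust(MIN_PAYLOAD, b"\x00"))
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)   # FCS goes on the wire LSB first


def parse_frame(frame: bytes) -> dict:
    """Receiver side: recompute the FCS over the received data and compare
    it with the one carried in the frame; a mismatch means corruption."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    body, fcs_field = frame[:-4], frame[-4:]
    computed = zlib.crc32(body) & 0xFFFFFFFF
    received = struct.unpack("<I", fcs_field)[0]
    return {
        "dst": bytes_to_mac(body[0:6]),
        "src": bytes_to_mac(body[6:12]),
        "ethertype": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],        # handed up to the Network Layer as-is
        "fcs_ok": computed == received,
    }


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit, as line noise would, to show the receiver's check."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    # Constructed addresses and a toy Network-Layer packet.
    frame = build_frame("00:a0:c9:12:34:56", "00:60:8c:ab:cd:ef",
                        0x0800, b"hello")
    print(len(frame), parse_frame(frame)["fcs_ok"])        # 64 True
    print(parse_frame(corrupt(frame, 20))["fcs_ok"])        # False
```

Note that the Data-Link Layer never looks inside the payload: whatever the Network Layer handed down is returned to it unchanged (padding included, which is why the upper layer carries its own length), and a frame whose FCS does not match is simply dropped rather than repaired.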

NETWORK SEGMENTS
A network segment

- is a length of cable
- has devices attached to the cable
- has its own unique address
- has a limit on its length and the number of devices which can be attached to it


Large networks are made by combining several individual network segments together, using appropriate devices like routers and/or bridges.

In the above diagram, a bridge is used to allow traffic from one network segment to the other. Each network segment is considered unique and has its own limits of distance and the number of connections possible. When network segments are combined into a single large network, paths exist between the individual network segments. These paths are called routes, and devices like routers and bridges keep tables which define how to get to a particular computer on the network. When a packet arrives, the router/bridge will look at the destination address of the packet, and determine which network segment the packet is to be transmitted on in order to get to its destination.


In the above diagram, a packet arrives whose destination is segment B. The bridge forwards this incoming packet from segment A to the B segment.

SPANNING TREE ALGORITHM

Switches and bridges generally learn about the segments they are connected to. As packets arrive, they build up a table which lists the addresses used on the various network segments. If the cabling between bridges forms a loop, packets can be forwarded onto segments they should not reach. These packets could loop around the network, being forwarded on, eventually arriving back, only to be forwarded on again, etc. This quickly floods the network. The spanning tree algorithm defines how switches and bridges communicate to avoid network loops. Packets are exchanged between bridges/switches, and they establish a single path for reaching any particular network segment. This is a continuous process, so that if a bridge/switch fails, the remaining devices can reconfigure their forwarding tables to allow each segment to be reached. To be effective, ensure that the bridges/switches in use in your network support this protocol.

REPEATERS

Repeaters EXTEND network segments. They amplify the incoming signal received from one segment and send it on to all other attached segments. This allows the distance limitations of network cabling to be extended. There are limits on the number of repeaters which can be used. The repeater counts as a single node in the maximum node count associated with the Ethernet standard [30 for thin coax].

Repeaters also allow isolation of segments in the event of failures or fault conditions. Disconnecting one side of a repeater effectively isolates the associated segments from the network. Using repeaters simply allows you to extend your network distance limitations. It does not give you any more bandwidth or allow you to transmit data faster.

It should be noted that in the above diagram, the network number assigned to the main network segment and the network number assigned to the other side of the repeater are the same. In addition, the traffic generated on one segment is propagated onto the other segment. This causes a rise in the total amount of traffic, so if the network segments are already heavily loaded, it's not a good idea to use a repeater. A repeater works at the Physical Layer by simply repeating all data from one segment to another.


BRIDGES Bridges interconnect Ethernet segments. Most bridges today support filtering and forwarding, as well as Spanning Tree Algorithm. The IEEE 802.1D specification is the standard for bridges. During initialization, the bridge learns about the network and the routes. Packets are passed onto other network segments based on the MAC layer. Each time the bridge is presented with a frame, the source address is stored. The bridge builds up a table which identifies the segment to which the device is located on. This internal table is then used to determine which segment incoming frames should be forwarded to. The size of this table is important, especially if the network has a large number of workstations/servers. The advantages of bridges are

increase the number of attached workstations and network segments since bridges buffer frames, it is possible to interconnect different segments which use different MAC protocols since bridges work at the MAC layer, they are transparent to higher level protocols by subdividing the LAN into smaller segments, overall reliability is increased and the network becomes easier to maintain used for non routable protocols like NETBEUI which must be bridged [see also here] help localize network traffic by only forwarding data onto other segments as required (unlike repeaters)

The disadvantages of bridges are

- the buffering of frames introduces network delays
- bridges may overload during periods of high traffic
- bridges which combine different MAC protocols require the frames to be modified before transmission onto the new segment, which causes delays
- in complex networks, data may be sent over redundant paths, and the shortest path is not always taken
- bridges pass on broadcasts, giving rise to broadcast storms on the network

Transparent bridges (also known as spanning tree bridges, IEEE 802.1D) make all forwarding decisions themselves. The bridge is said to be transparent (invisible) to the workstations. The bridge will automatically initialize itself and configure its own forwarding information after it has been enabled. Bridges are ideally used in environments where there are a number of well defined workgroups, each operating more or less independently of each other, with occasional access to servers outside of their localized workgroup or network segment. Bridges do not offer performance improvements when used in diverse or scattered workgroups, where the majority of access occurs outside of the local segment. The diagram below shows two separate network segments connected via a bridge. Note that, as with a repeater, both segments carry the same network number: a bridge forwards on MAC addresses alone and never looks at network layer addresses, so a unique network number per segment only becomes necessary once a router is introduced.


Ideally, if workstations on network segment A needed access to a server, the best place to locate that server is on the same segment as the workstations, as this minimizes traffic on the other segment, and avoids the delay incurred by the bridge. A bridge works at the MAC Layer by looking at the destination address and forwarding the frame to the appropriate segment upon which the destination computer resides.

Summary of Bridge features


- operate at the MAC layer (layer 2 of the OSI model)
- can reduce traffic on other segments
- broadcasts are forwarded to every segment
- most allow remote access and configuration
- often SNMP (Simple Network Management Protocol) enabled
- loops can be used (redundant paths) if using the spanning tree algorithm
- small delays introduced
- fault tolerant by isolating faulty segments and reconfiguring paths in the event of failure
- not efficient with complex networks
- redundant paths to other networks are not used (would be useful if the major path being used was overloaded)
- shortest path is not always chosen by the spanning tree algorithm

ROUTERS

Packets are only passed to the network segment they are destined for. Routers work similarly to bridges and switches in that they filter out unnecessary network traffic and remove it from network segments, but they generally work at the protocol level. Routers were devised in order to separate networks logically. For instance, a TCP/IP router can segment the network based on groups of TCP/IP addresses. Filtering at this level (on TCP/IP addresses, also known as layer 3 switching) takes longer than that of a bridge or switch, which only looks at the MAC layer. Most routers can also perform bridging functions. A major feature of routers, because they can filter packets at the protocol level, is the ability to act as a firewall. This is essentially a barrier which prevents unwanted packets either entering or leaving designated areas of the network. Typically, an organization which connects to the Internet will install a router as the main gateway link between its network and the outside world. By configuring the router with access lists (which define which protocols and which hosts have access), security is enforced by restricting (or allowing) access to either internal or external hosts. For example, an internal WWW server can be allowed IP access from external networks, while other company servers which contain sensitive data are protected so that hosts outside the company are prevented access (you could even deny internal workstations access if required). Two points matter in practice: access lists are evaluated top to bottom and the first matching entry decides, so the order of the entries is part of the policy; and a list applied to the Internet-facing interface should also discard inbound packets that claim an internal source address, since nothing outside the company can legitimately send them.

Instructor : Arshad Zia Siddiqui

Postal Information Technology Center (Peshawar Campus)

27

A router works at the Network Layer or higher, by looking at information embedded within the data field, like a TCP/IP address, then forwards the frame to the appropriate segment upon which the destination computer resides.
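To make the access list behaviour concrete, here is an added example, not code from these notes or from any router vendor, of a first-match packet filter in Python. The addresses are constructed from the documentation ranges 192.0.2.0/24 (the company network) and 203.0.113.0/24 (the Internet); the web server address 192.0.2.10, the sample packets and the rule layout are assumptions for illustration, and the list is meant to be applied inbound on the router's Internet-facing interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One access list entry. proto 'ip' matches any protocol; dport None matches any port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))


class AccessList:
    """Ordered rules, first match wins; anything unmatched hits the implicit deny (rule 0)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt):
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, number
        return "deny", 0


# Constructed addresses (RFC 5737 documentation ranges), not a real site.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")      # the company network
WWW_SERVER = ipaddress.ip_network("192.0.2.10/32")   # the public web server

# Applied inbound on the Internet-facing interface.
INBOUND_FROM_INTERNET = AccessList([
    # 1. Anti-spoofing: nothing arriving from outside may claim an internal source.
    Rule("deny", "ip", INTERNAL, ANY),
    # 2. The only service the outside world may reach: HTTP on the web server.
    Rule("permit", "tcp", ANY, WWW_SERVER, 80),
    # 3. Everything else aimed at the company network is refused explicitly,
    #    which is also where a real router would log the attempt.
    Rule("deny", "ip", ANY, INTERNAL),
])

# Constructed sample packets as the router would see them.
SAMPLE_PACKETS = {
    "web_from_outside":   {"proto": "tcp",  "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80},
    "telnet_to_web":      {"proto": "tcp",  "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 23},
    "ping_web":           {"proto": "icmp", "src": "203.0.113.5", "dst": "192.0.2.10"},
    "web_on_file_server": {"proto": "tcp",  "src": "203.0.113.5", "dst": "192.0.2.20", "dport": 80},
    "spoofed_internal":   {"proto": "tcp",  "src": "192.0.2.33",  "dst": "192.0.2.10", "dport": 80},
}


def filter_packets(acl=INBOUND_FROM_INTERNET, packets=SAMPLE_PACKETS):
    """Return {name: (action, matching rule number)} for each sample packet."""
    return {name: acl.evaluate(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, number) in filter_packets().items():
        print(f"{name:20s} {action:6s} (rule {number})")
```

Only the HTTP request to the web server is permitted; telnet to the same server, a ping, HTTP to the file server and the packet with a forged internal source are all denied, the last by the anti-spoofing entry before any permit is consulted. Swapping rules 1 and 2 would let the forged packet through, which is why the order of an access list has to be reviewed as carefully as its contents.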

Summary of Router features


- use dynamic routing
- operate at the protocol level
- remote administration and configuration via SNMP
- support complex networks
- the more filtering done, the lower the performance
- provide security
- segment networks logically
- broadcast storms can be isolated
- often provide bridge functions also
- more complex routing protocols used [such as RIP, IGRP, OSPF]

HUBS

There are many types of hubs. Passive hubs are simple splitters or combiners that group workstations into a single segment, whereas active hubs include a repeater function and are thus capable of supporting many more connections. Nowadays, with the advent of 10BaseT, hub concentrators are becoming very popular. These are very sophisticated and offer significant features which make them radically different from the older hubs which were available during the 1980's. Note that a plain 10BaseT repeater hub still forms a single shared segment (one collision domain) in which every port sees every frame; the features described next, where each port gets the full bandwidth and frames are buffered and filtered, are those of the switching hubs treated under Ethernet Switches. These 10BaseT hubs provide each client with exclusive access to the full bandwidth, unlike bus networks where the bandwidth is shared. Each workstation plugs into a separate port, which runs at 10Mbps and is for the exclusive use of that workstation, so there is no contention to worry about as there is on a shared Ethernet bus. These 10BaseT hubs also include buffering of packets and filtering, so that unwanted packets (or packets which contain errors) are discarded. SNMP management is also a common feature.

In standard Ethernet, all stations are connected to the same network segment in a bus configuration. Traffic on the bus is controlled using the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) protocol, and all stations share the available bandwidth. These 10BaseT hubs dedicate the entire bandwidth to each port (workstation). The workstations attach to the hub using UTP. The hub provides a number of ports, which are logically combined using a single backplane, which often runs at a much higher data rate than that of the ports.

Ports can also be buffered, to allow packets to be held in case the hub or port is busy. And, because each workstation has its own port, it does not contend with other workstations for access, having the entire bandwidth available for its exclusive use. The ports on a hub all appear as one Ethernet segment. In addition, hubs can be stacked or cascaded (using master/slave configurations) together, to add more ports per segment. A stack of hubs joined over a common backplane counts as a single repeater, so this is a better option for adding more workstations than cascading through further repeaters, each of which counts against the repeater limit. Hub options also include an SNMP (Simple Network Management Protocol) agent. This allows the use of network management software to remotely administer and configure the hub. Detailed statistics related to port usage and bandwidth are often available, allowing informed decisions to be made concerning the state of the network.
In summary, the advantages of these newer 10BaseT hubs are

- each port has exclusive access to its bandwidth (no CSMA/CD)
- hubs may be cascaded to add additional ports
- SNMP managed hubs offer good management tools and statistics
- utilize existing cabling and other network components
- becoming a low cost solution

ETHERNET SWITCHES

Ethernet switches increase network performance by decreasing the amount of extraneous traffic on individual network segments attached to the switch. They also filter packets a little like a router does. Ethernet switches work and function like bridges at the MAC layer, but instead of reading the entire incoming Ethernet frame before forwarding it to the destination segment, they usually read only the destination address in the frame before retransmitting it to the correct segment. In this way, switches forward frames faster than bridges, offering fewer delays through the network, hence better performance. When a packet arrives, the header is checked to determine which segment the packet is destined for, and then it is forwarded to that segment. If the packet is destined for the same segment that it arrived on, the packet is dropped and not retransmitted. This prevents the packet being "broadcast" onto unnecessary segments, reducing the traffic. Nodes which inter-communicate frequently should be placed on the same segment. Switches work at the MAC layer level.

Switches divide the network into smaller collision domains [a collision domain is a group of workstations that contend for the same bandwidth]. Each segment into the switch has its own collision domain (where the bandwidth is competed for by workstations in that segment). As packets arrive at the switch, it looks at the MAC address in the header, and decides which segment to forward the packet to. Higher protocols like IPX and TCP/IP are buried deep inside the packet, so are invisible to the switch. Once the destination segment has been determined, the packet is forwarded without delay. Each segment attached to the switch is considered to be a separate collision domain. However, the segments are still part of the same broadcast domain [a broadcast domain is a group of workstations which share the same network subnet; in TCP/IP this is defined by the subnet mask]. Broadcast packets which originate on any segment will be forwarded to all other segments (unlike a router). On some switches, it is possible to disable this broadcast traffic. Some vendors implement a broadcast throttle feature, whereby a limit is placed on the number of broadcasts forwarded by the switch over a certain time period. Once a threshold level has been reached, no additional broadcasts are forwarded until the time period has expired and a new time period begins.

Cut-Through Switches

- only the first few bytes of the packet are read to obtain the source and destination addresses
- the packets are then passed through to the destination segment without checking the rest of the packet for errors
- invalid packets can still be passed onto other segments
- there is little delay involved in packet throughput

Cut-through switches use either a cross-bar or a cell-backplane architecture.

Cross-bar switches
  o read the destination address then immediately forward
  o act as a simple repeater once the path is established
  o can introduce delay: if the destination port is busy, the packet may need to be buffered

Cell-backplane switches
  o break the frame into small fixed-length cells
  o each cell is labeled with a special header which contains the address of the destination port
  o the cells are buffered at the destination port
  o the cells are then reassembled and transmitted
  o the data rate on the backplane is significantly greater than the aggregate data rate of the ports
  o in heavily overloaded networks, cell-backplane switching offers better performance than cross-bar switching

Store-and-Forward Switches

- examine the entire packet
- each incoming packet is buffered, then examined
- filter out any bad packets they detect
- good packets are forwarded to the correct segment
- detect more errors than the cut-through variety
- impose a small delay in packet throughput

Back Pressure Switches

Switches often employ buffering of packets. This is done so that when packets arrive for a busy port, the packet is temporarily stored until the port becomes free. When the buffer becomes full, packets are lost. Back pressure switches overcome this problem by signalling a collision (a jam) on the port of the sending workstation, so that its CSMA/CD logic backs off and retransmits. This effectively slows the workstation transmission rate, and hence slows the arrival of new packets at the port.

Ethernet Switching: Advantages

- the existing cabling structure and network adapters are preserved
- switches can be used to segment overloaded networks
- switches can be used to create server farms or implement backbones
- the technology is proven, and Ethernet is a widely used standard
- improved efficiency and faster performance due to low latency switching times
- each port does not contend with other ports, each having its own full bandwidth (there is no contention like there is on a shared Ethernet segment)

Virtual Networking

In virtual networking, workgroups can be created on demand. Users can be located anywhere on the network. Using software management, the network components (switches) are configured to recognize a number of defined workstations (by MAC address) as belonging to their own domain. Any traffic generated by these workstations can be sent to any other workstation in that domain. Workstations outside that domain are unable to see any packets (including broadcasts) that belong to the secure domain. Obviously, this has enormous implications for developing secure networks, with one caveat: a domain defined by MAC address is only as trustworthy as the MAC addresses themselves, which a workstation's driver can normally change, so it separates traffic but does not on its own authenticate who is in the domain. Multiple virtual workgroups can exist, and shared services such as the email and WWW servers can be made members of several of them. Users can belong to more than one virtual domain, so administration stays centralized and security is maintained. The use of switch technology makes this possible.
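The behaviour described for bridges (the learned address table and its limited size), for Ethernet switches (dropping a frame whose destination is on the arrival segment, flooding the rest) and for virtual workgroups can be put in one place. The following Python model is an added example, not code from these notes or from any switch vendor: the port names, the deliberately small table size, the MAC addresses (taken from the 00:00:5e:00:53:xx documentation range) and the sales/eng workgroup assignment are constructed for illustration, and a real switch would usually tie the workgroup to a port rather than to a MAC address.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Model of a transparent bridge / Ethernet switch with virtual workgroups.

    Each port is one segment.  ``table`` maps a source MAC address to the
    port it was last seen on and is bounded, like the table in a real
    bridge; the least recently seen entry is evicted when it fills.
    ``domains`` maps a MAC address to a virtual workgroup name; frames are
    only delivered between members of the same workgroup.
    """

    def __init__(self, ports, table_size=8, domains=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()          # mac -> port, oldest first
        self.domains = dict(domains or {})  # mac -> workgroup name
        self.stats = {"forwarded": 0, "flooded": 0, "dropped": 0}

    def learn(self, src, in_port):
        """Record (or refresh) which port the source address lives behind."""
        if src in self.table:
            self.table.move_to_end(src)
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)   # table full: forget the oldest station
        self.table[src] = in_port

    def same_domain(self, a, b):
        return self.domains.get(a) == self.domains.get(b)

    def flood_ports(self, src, in_port):
        """Ports a broadcast or unknown-destination frame goes out on.

        Every port except the arrival port, but a port whose learned
        stations all belong to other workgroups is skipped, so a broadcast
        never leaks out of the sender's workgroup.  A port on which no
        station has been seen yet is still flooded: the switch cannot
        know who is there.
        """
        out = []
        for port in self.ports:
            if port == in_port:
                continue
            seen = [mac for mac, p in self.table.items() if p == port]
            if not seen or any(self.same_domain(src, mac) for mac in seen):
                out.append(port)
        return out

    def forward(self, src, dst, in_port):
        """Handle one frame; return the list of ports it is transmitted on."""
        self.learn(src, in_port)
        if dst == BROADCAST or dst not in self.table:
            self.stats["flooded"] += 1
            return self.flood_ports(src, in_port)
        if not self.same_domain(src, dst):
            self.stats["dropped"] += 1       # different virtual workgroup
            return []
        out_port = self.table[dst]
        if out_port == in_port:
            self.stats["dropped"] += 1       # destination is on the arrival segment
            return []
        self.stats["forwarded"] += 1
        return [out_port]


# Constructed addresses from the 00:00:5e:00:53:xx documentation range.
A, B, C, D = ("00:00:5e:00:53:%02x" % n for n in (1, 2, 3, 4))
WORKGROUPS = {A: "sales", B: "sales", C: "eng", D: "sales"}


def demo():
    """Walk a three-port switch through the cases in the text; return it and the port lists."""
    sw = LearningSwitch(["p1", "p2", "p3"], table_size=3, domains=WORKGROUPS)
    steps = [
        (A, BROADCAST, "p1"),   # nothing learned yet: flooded to p2 and p3
        (B, A, "p2"),           # A is known on p1: forwarded there only
        (A, B, "p1"),           # reply goes straight to p2
        (C, A, "p3"),           # eng -> sales: dropped by the workgroup filter
        (B, BROADCAST, "p2"),   # sales broadcast: p3 (eng only) is skipped
        (D, A, "p1"),           # table full, A evicted: frame must be flooded again
        (A, D, "p1"),           # A and D share p1: dropped, nothing crosses the switch
    ]
    return sw, [sw.forward(src, dst, port) for src, dst, port in steps]


if __name__ == "__main__":
    switch, results = demo()
    for ports in results:
        print(ports)
    print(switch.stats, dict(switch.table))
```

The sixth step is the one to notice: with the table full, a single new station pushes A out, and the next frame for A is flooded to every port in its workgroup exactly as a repeater would send it. Keeping the table size well above the number of stations, and watching for a table that churns, is how an administrator keeps the "localize traffic" property the section promises.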

NETWORK TOPOLOGY

Topology refers to the way in which the network of computers is connected. Each topology is suited to specific tasks and has its own advantages and disadvantages. The choice of topology is dependent upon

- type and number of equipment being used
- planned applications and rate of data transfers
- required response times
- cost

There are FOUR major competing topologies

- Bus
- Ring
- Star
- FDDI

Most networking software supports all topologies.

Bus Topology

- all workstations connect to the same cable segment
- commonly used for implementing Ethernet at 10mbps
- the cable is terminated at each end
- wiring is normally done point to point
- a faulty cable or workstation will take the entire LAN down
- two wire, generally implemented using coaxial cable during the 1980's

The bus cable carries the transmitted message along the cable. As the message arrives at each workstation, the workstation computer checks the destination address contained in the message to see if it matches its own. If the address does not match, the workstation does nothing more. If the workstation address matches that contained in the message, the workstation processes the message. The message is transmitted along the cable and is visible to all computers connected to that cable, so any station that chooses to skip the address check can read every other station's traffic. There are THREE common wiring implementations for bus networks

- 10Base2 (thin-net, CheaperNet): 50-ohm cable using BNC T connectors, the cards provide the transceiver
- 10Base5 (ThickNet): 50-ohm cable using 15-pin AUI D-type connectors and external transceivers
- 10BaseT (UTP): UTP cable using RJ45 connectors and a wiring centre

Physical Implementation Of A Bus Network

The above diagram shows a number of computers connected to a bus cable, in this case implemented as Thin Ethernet. Each computer has a network card installed, which directly attaches to the network bus cable via a T-connector. It is becoming common to use 10BaseT (UTP) for implementing Ethernet LANs. Each workstation is wired in star fashion back to a concentrator wiring centre (hub). The hub is a multi-port device supporting up to about 32 ports. One of these ports is connected to a server, or the output of the hub can be connected to other hubs.

Ethernet 802.3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

This protocol is commonly used in bus (Ethernet) implementations. Multiple access refers to the fact that in bus systems, each station has access to the common cable. Carrier sense refers to the fact that each station listens to check that no other station is transmitting before sending data. Collision detection refers to the principle of listening to see if other stations are transmitting while we are transmitting. In bus systems, all stations have access to the same cable medium. It is therefore possible that a station may already be transmitting when another station wants to transmit. Rule 1 is that a station must listen to determine if another station is transmitting before initiating a transmission. If the network is busy, then the station must back off and wait a random interval before trying again. Rule 2 is that a station which is transmitting must monitor the network to see if another station has begun transmission. This is a collision, and if this occurs, both stations must back off and retry after a random time interval. As it takes a finite time for signals to travel down the cable, it is possible for more than one station to think that the network is free and both grab it at the same time. The random interval is what stops the same two stations colliding over and over: after each successive collision on the same frame the range of possible waiting times doubles (binary exponential backoff), and after sixteen attempts the frame is discarded. CSMA/CD models what happens in the real world. People involved in group conversation tend to obey much the same behavior.

Physical Bus Cable Limits

10Base2 THIN ETHERNET NETWORK LAYOUT

Limitations

- maximum number of trunk segments = 5
- maximum trunk segment length = 607 feet (185 meters)
- maximum network trunk cable = 3035 feet (925 meters)
- maximum number of stations on a trunk segment = 30
- minimum distance between T connectors = 1.5 feet (0.5 meters)

Rules

- each end of the trunk segment is terminated in 50 ohms
- one of the terminators is grounded
- connector splices are kept to a minimum

Cabling

- BNC T-type connectors
- RG58-AU 50-ohm cable, 0.2"
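The two CSMA/CD rules given in the Ethernet 802.3 passage above, together with the random back-off that follows a collision, can be watched in a slotted simulation. The following Python is an added example, not code from these notes or from the 802.3 standard: time is divided into slots in which every ready station transmits at the slot boundary (a simplification of real carrier sensing), the station names and frame counts are constructed, and the back-off follows truncated binary exponential back-off with the 802.3 limit of sixteen attempts per frame.

```python
import random

MAX_ATTEMPTS = 16   # 802.3 gives up on a frame after 16 attempts
BACKOFF_CAP = 10    # the back-off range stops doubling after 10 collisions


class Station:
    def __init__(self, name, frames):
        self.name = name
        self.frames = frames   # frames still waiting to be sent
        self.attempts = 0      # collisions suffered by the current frame
        self.wait = 0          # slots still to wait before trying again
        self.sent = 0
        self.discarded = 0

    def ready(self):
        return self.frames > 0 and self.wait == 0


def simulate(stations, seed=1, max_slots=10_000):
    """Run CSMA/CD on a shared bus; return a list of (slot, event, station names)."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    log = []
    for slot in range(max_slots):
        if all(s.frames == 0 for s in stations):
            break
        # Rule 1 (carrier sense): a station only starts at a slot boundary,
        # and only if it is not still waiting out a back-off interval.
        senders = [s for s in stations if s.ready()]
        for s in stations:
            if s.wait > 0:
                s.wait -= 1
        if not senders:
            log.append((slot, "idle", []))
        elif len(senders) == 1:
            s = senders[0]
            s.frames -= 1
            s.sent += 1
            s.attempts = 0
            log.append((slot, "sent", [s.name]))
        else:
            # Rule 2 (collision detection): more than one station grabbed the
            # medium in the same slot.  Each backs off for a random number of
            # slots drawn from a range that doubles with every collision.
            for s in senders:
                s.attempts += 1
                if s.attempts > MAX_ATTEMPTS:
                    s.frames -= 1
                    s.discarded += 1
                    s.attempts = 0
                    continue
                s.wait = rng.randrange(2 ** min(s.attempts, BACKOFF_CAP))
            log.append((slot, "collision", [s.name for s in senders]))
    return log


def summarize(log):
    """Count events by type, e.g. {'collision': 2, 'sent': 6, 'idle': 3}."""
    counts = {}
    for _, event, _ in log:
        counts[event] = counts.get(event, 0) + 1
    return counts


if __name__ == "__main__":
    bus = [Station("A", 3), Station("B", 3)]
    for slot, event, who in simulate(bus):
        print(f"slot {slot:3d}: {event:9s} {' '.join(who)}")
    print(summarize(simulate([Station("A", 3), Station("B", 3)])))
```

Two stations that both have data at slot 0 always collide in that slot; what differs from run to run (change the seed) is how many further collisions and idle slots the random back-off costs before all six frames are through. Those idle and collision slots are the bandwidth the section's summary refers to when it says the network slows down as workstations are added.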

10Base5 THICK ETHERNET NETWORK LAYOUT

Limitations

- maximum number of trunk segments = 5
- maximum trunk segment length = 1640 feet (500 meters)
- maximum network trunk cable = 8200 feet (2500 meters)
- maximum number of stations on a trunk segment = 100
- minimum distance between transceivers = 8 feet (2.5 meters)
- maximum transceiver cable length = 165 feet (50 meters)

Rules

- each end of the trunk segment is terminated in 50 ohms
- one of the terminators is grounded
- connector splices are kept to a minimum

Cabling

- 802.3 transceivers
- 50-ohm RG-11 cable
- male DIX connector

Wiring of the DIX Connector

Pin    Ethernet               IEEE 802.3
1      Shield                 Control-in Shield
2      Collision presence+    Control-in A
3      Transmit+              Data-out A
4      Reserved               Data-in Shield
5      Receive+               Data-in A
6      Power return           Voltage common
7      Reserved               Control-out A
8      Reserved               Control-out Shield
9      Collision presence-    Control-in B
10     Transmit-              Data-out B
11     Reserved               Data-out Shield
12     Receive-               Data-in B
13     Power                  Voltage
14     Reserved               Voltage Shield
15     Reserved               Control-out B
Shell  ---                    Protective Ground

10BaseT UTP NETWORK LAYOUT

Limitations

- maximum segment length of 100 meters
- hub to hub or repeater to repeater links limited to 100 meters

Rules

- star topology
- the 4 repeater/5 segment rule of 10Base5 is retained
- only two nodes per segment are allowed

Cabling

- RJ-45 connectors
- Category 3 UTP minimum, preferably Category 5

Bus Network Topology Summary

Advantages
- easy to implement
- low cost

Disadvantages
- limits on cable length and workstation numbers
- difficult to isolate network faults
- a cable fault affects all workstations
- as the number of workstations increases, the speed of the network slows down

Ring Topology

- workstations connect to the ring
- faulty workstations can be bypassed
- more cabling required than bus
- the connectors used tend to cause a lot of problems
- commonly used to implement token ring at 4 and 16mbps
- four wire, generally STP or UTP

Physical Implementation Of A Ring Network

Each workstation is connected back to a Multistation Access Unit (MAU), which supports up to eight workstations. Additional MAUs are cascaded to provide greater workstation numbers.

Wiring is performed in a physical star fashion, with cables wired directly from each workstation back to the MAU.

IEEE 802.5 Token Ring

This protocol is widely used in ring networks for controlling station access to the ring. A short message (called a token) is circulated around the ring, being passed from station to station (it originates from a controller or master station which inserts it onto the ring).

A station which wants to transmit waits for the token to arrive. When the token arrives, the station changes it from a token to a connector message (a data frame), and appends its message. This new message is then placed on the outgoing side of the ring. Each station passes on received tokens if it has nothing to transmit. Stations monitor connector messages to see if the message is addressed to them. If a connector message is addressed to them, they copy the message, modify it to signify its receipt, then send it on around the ring. Connector messages which are not addressed to them are passed directly on to the next station in the ring. When the connector message travels full circle and arrives at the original sending station, that station checks the message to see if it has been received. It then discards the message and replaces it with a token. Note that, exactly as on a bus, every frame passes through every station on the ring, so each station sees (and could copy) traffic that is not addressed to it.

Physical Ring Cable Limits

TOKEN RING NETWORK LAYOUT

Limitations

- maximum number of workstations = 96
- maximum number of 8228 MAUs = 12
- maximum patch cable distance between an 8228 MAU and a station (not including the 8' adapter cable) = 150 feet (45 meters)
- maximum patch cable distance between two 8228s = 150 feet (45 meters)
- maximum patch cable connecting all 8228s = 400 feet (120 meters)

Rules

- stations are connected into the jacks of the 8228 units
- patch cables interconnect RO to RI for 8228 units
- the last RO is connected to the first RI to form a ring

Cable

- patch cables generally type 6 (26 AWG) or type 1 (22 AWG)
- type 1 for lengths > 66 feet (20 meters)
- IBM 8310574 MIC connectors
- alternatively, UTP with RJ45 connectors

Ring Topology: Summary

Advantages
- cable failures affect limited users
- equal access for all users
- each workstation has full access speed to the ring
- as workstation numbers increase, performance diminishes only slightly

Disadvantages
- costly wiring
- difficult connections
- expensive adaptor cards

Star Topology

- all wiring is done from a central point (the server or hub)
- has the greatest cable lengths of any topology (and thus uses the most cable)
- generally STP or UTP, four wire

Star Topology: Summary

Advantages
- easy to add new workstations
- centralized control
- centralized network/hub monitoring

Disadvantages
- hub failure cripples all workstations connected to that hub
- hubs are slightly more expensive than thin-Ethernet

FDDI Topology

- 100mbps, normally implemented over fiber optic (a twisted-pair variant, CDDI, runs over UTP)
- dual redundancy built in by use of primary and secondary rings
- automatic bypassing and isolation of faulty nodes

Fiber Distributed Data Interface

FDDI is based on two counter-rotating 100-Mbit/sec token-passing rings. The rings consist of point to point wiring between nodes which repeat the data as it is received. The primary ring is used for data transmission; the secondary is used for data transmission or to back up the primary ring in the event of a link or station failure. FDDI supports a sustained transfer rate of about 80Mbps, a maximum of 1000 connections (500 nodes) and a total distance of 200 kilometers end to end. There is a maximum distance of 2 kilometers between active nodes.

FDDI Station Types

There are two main types of station: class A (dual attachment), which attach directly to both rings; and class B (single attachment), which attach to a station acting as a concentrator. A concentrator is a specialized station that attaches to the ring and has multiple ports that allow attachment of other devices in a physical star configuration. Concentrators may be cascaded.

Logical Networks versus Physical Networks


A logical network describes how the network operates. A physical network describes how the network has been cabled. It is thus possible to have a physical star, logical bus network. In other words, the network operates as a bus network, but the cabling has been implemented using star topology.

Introduction to Groups
There are many ways in which computers can provide services and manage users into logical groups. This section looks at some of those approaches.

Peer To Peer [Windows Workgroups]


In peer networks, each computer is considered a server, and holds its own accounts database. Each computer can share resources that it owns, like files, CD-ROM drives, printers, modems and fax machines.

The advantages of peer to peer networks are

- workstations make available their resources
- no centralized server required
- security is the responsibility of each workstation
- each station runs the same software
- each computer has its own accounts database
- cheap and easy to set up for small groups

When the number of workstations in the network increases, problems will arise due to the cost of administration [maintenance of security on so many workstations which each have their own accounts] and security [it is easy for loopholes to develop in which unauthorized users could gain access, since a password set on one workstation is unknown to, and unenforced by, every other].

Workgroups
A workgroup is a collection of computers which are logically grouped together for a common purpose. In any organization, logical workgroups exist, like sales, marketing, accounts, salaries and support. By allowing like people to share their files and resources, it assists the way in which people work and leads to increased productivity. A workgroup is a Peer to Peer network.

Resources in a workgroup

Typically, computers in a workgroup make available resources for other members of the workgroup to use. Features of resources are

- a typical resource is a file, directory or printer
- resources are given names (share names)
- resources are protected by share-level permissions, i.e. a password attached to the share rather than to a user
- permissions can be read-only or full
- any user knowing the password can access the resource

Both Windows 95 and Windows NT Workstation support workgroups. Each user in a workgroup can decide which resources on their computer they will share. Ideally, in a workgroup, each person has their own computer which is normally identified on the network by their first name.

Belonging to a workgroup

In Windows 95, a computer is set up to be part of a workgroup via Control Panel>Networks.

The primary network logon is set to Client For Microsoft Networks. Selecting the Identification tab enables the user to specify the workgroup to which the computer belongs. Please note that a computer can only belong to a single workgroup.

Sharing Resources

To share any resource on your computer, File and Printer Sharing must first be enabled. This is under Control Panel->Networks->File and Printer Sharing.

Once this is enabled, passwords may be assigned to each resource that is made available. Users cannot use that resource unless they know the password. To share a resource such as a directory where sales reports are kept, start Windows Explorer and right-click the directory that is to be shared. In the diagram below, this has been done on the sub-directory temp on drive c:.

Clicking on the Sharing property brings up the following dialog box.

This allows the user to specify a password and a name for the resource. In Windows format, the name of the resource is then known on the workgroup as

\\computername\resourcename

For instance, if the computer name was sue, and the resource was specified as temp, then the resource is known as

\\sue\temp

This is known as the Universal Naming Convention [UNC] for the resource.

Accessing Resources

Accessing resources is done by selecting the resource and entering the appropriate share password for that resource. Using Network Neighborhood, the available computers which hold resources appear as a list. Only those computers that have resources to share appear in the list. In the following diagram, a number of computers are shown. Each of these computers has resources which can be accessed.

Double clicking on any computer will bring up a list of resources available on that computer. For instance, selecting the computer Ice reveals the following available resources [iceflow is a shared printer].

In summary, the features of workgroups are

- collection of computers organized for a specific purpose (suits the needs of the group)
- is peer to peer
- no centralized administration
- each computer has its own accounts database and permission lists
- share files, printers and applications
- each computer identified by a unique name (normally the person using that computer)

Novell File and Print Service

Novell networks are based on the concept of dedicated file and print servers. Each server has its own accounts database, and assigns resources on that server to clients who access the network. Client computers login to a server using an account and password. Resources on that server are protected via permission rights, which define what the user is permitted to do. Typical permissions are read, write, execute, delete, and modify. If a user wishes to access a resource on a different server, they must have an account on that server. This leads to users having an account on each server, and in a large corporation with many servers, creates an administration problem of maintaining user accounts and security of resources. However, Novell addressed this issue with the release of version 4, implementing a service known as NetWare Directory Services (NDS), a feature that uses a centralized database for holding account (and other) information that servers can share.

The workstations in the network communicate only with the server and can access resources on the server if

- they have a login account
- supply the correct password
- have the appropriate access permissions for the resources

In summary, the features of a Novell NetWare network are

- workstations communicate with a host computer
- security enforced by the server
- requires a high end machine as a server
- resources on workstations (disks) not available
- server runs special networking software
- each server has its own accounts database
- as the number of servers increases, administration becomes more difficult

Domains
Microsoft introduced the concept of domains with the release of Windows NT Server v3. We have already covered the problems of peer to peer workgroups and Netware networks, where increases in the number of computers offering resources lead to a dramatic increase in the administration associated with those resources. The domain concept attempts to solve the issues of management and security by providing a central point of logon to the network. This central point of logon validates the user as authentic, and only grants those resources to the user that have been preassigned to them. Having a single point of logon validation simplifies administration, as there is now only one place where accounts need to be updated. A domain is a logical grouping of one or more Windows NT Server based computers that allows them to be managed as a single unit. Using domains, the administrator creates one account for each user. Users log on to the domain, not the individual servers in the domain. Users do not need a separate account on each server in the domain. They only need one user account in the domain. This account can then be used to access any resource on any server in the domain. A domain consists of the following

- one primary domain controller
- one or more backup domain controllers
- resource servers
- participating clients like Windows 95 and Windows NT Workstation based computers

A primary domain controller

- validates user logon to the domain
- centralizes user accounts and security policies into a single database
- provides a single administrative unit for the network

A backup domain controller


- also validates user logon to the domain
- provides redundancy in the event of the PDC going off-line
- keeps a copy of the domain accounts database [replicated automatically from the PDC]

A resource server

- provides data storage or application software for users
- does not handle domain logon, so is more efficient
- runs applications like SQL database or Remote Access

In addition, multiple domains can be combined into larger organization units or models. One domain can utilize [trust] the accounts of another domain. This provides scalability as the organization grows. To summarize, domains

- are logical groupings of Windows NT Server based computers
- provide a single network logon to server based resources
- simplify administration by providing a single point of administering user accounts and security policies
- provide backup systems [redundancy] to take over in the event of a PDC going off-line
- replicate the accounts database to backup domain controllers

A Windows NT network consists of one or more domains, and may be spread geographically over many different sites [connected via remote links]. Each domain must have at least one server running Windows NT Server, configured as the Primary Domain Controller for that domain. The domain can also comprise other servers, configured either as Backup Domain Controllers or resource servers, as well as workstations running Windows NT Workstation or Windows 95. The role of the computer [either as a PDC, BDC or resource server] is determined when the computer is installed. The PDC is installed first, in order to create the domain and generate the master accounts database. Resource servers and BDCs are then added to the domain.
Typically, each Windows NT 3.5 domain is capable of supporting as many as 40,000 user accounts. In addition, BDCs, which participate in validating user logon requests, can each handle 2,000 users. Thus, if you are implementing a network for 5,000 users, you would require 1 PDC and 2 BDC servers just to handle user logon requests.

When a Windows NT PDC is installed, it creates a database for the domain which will hold user accounts and security information. This is stamped with a unique identifier, and when a BDC is added to the domain, the unique identifier of the database held on the PDC is used for the BDC. This means that if you want to move the BDC to a different domain, the BDC will need to be re-installed.

Domain User Accounts


A Windows NT domain keeps user account details in a centralized database which is held by the PDC for that domain. Each user who requires access to the resources on the domain requires a user account in that domain. User accounts are created by the domain administrator. This creates a unique security identifier (SID) for the user, which is stored in the security account manager (SAM) database of the Windows NT Registry. The user account provides access to resources in the domain, even if they reside on other servers. To access servers in other domains, trust relationships between the domains must be established. At regular intervals, the user account database is copied to the BDCs in the domain. This allows BDCs to authenticate logon requests, providing quicker access to the network.

Domain Machine Accounts


When a computer is added to the domain, an account is created for the machine. This account, in the case of BDCs, is used to enable replication of the user accounts database. For PDCs, the account is used to establish trusts between the domains. It requires a user with administrative privilege to add a computer to the domain. Each computer, when installed, must be given a unique name which identifies the name of the computer in the domain. It is not possible for two computers to share the same name.


GROUPS
To ease the management of users in a domain, Windows NT server allows the administrator of the domain to group users together into logical groups. Assigning users to groups simplifies administration. Assigning permissions to a group also assigns those permissions to all members of the group. In a domain, users can belong to one or more groups. Windows NT Server provides a number of built-in groups, and these should be used whenever possible. Two types of groups are provided in Windows NT Server,

local groups

define permissions to resources within the current domain [or local computer] only. These groups cannot be exported to other domains. Local groups can contain global groups which have been exported from other domains, which allow users from other domains to have access to resources in the current domain. Use local groups to control access to resources in the current domain.

global groups

define groups of users which can be exported to other domains for inclusion into local groups on the other domain. They contain user accounts on the current domain which you want to export to another domain. They are well suited to large networks which have multiple domains.

Domain Models
Above, we have talked about domains trusting accounts in other domains by using global groups. This implies the use of trust relationships which have been established between the domains. We also mentioned that in large corporations, multiple domains could exist. Let's now look at the domain models (configurations) supported by Windows NT networks. A domain model is a grouping of one or more domains, with administrative and other links between those domains (called trust relationships). These links are used to provide user and resource management across the various domains.

Single Domain Model


This model comprises a single PDC. There may be one or more BDCs. Network administrators have full administrative rights on all servers in the domain. This model is suited to organizations which require centralized management of user accounts and ease of administration, and where the number of users is relatively low.


The Single domain model is appropriate for


- small number of users
- network does not need to be functionally split
- centralized management of user accounts
- no requirement for access to resources in other domains

Note that it is possible for an organization to have multiple single domain models. This could occur where, for security or other reasons, functional groups need to be kept separate.

Trust Relationships
Windows NT Server domain models are like building blocks, which can be combined in various ways to build larger and larger networks. The use of trust relationships allows single domain models to be interconnected, thus sharing user accounts and resources across domains. A trust relationship is an administrative and communication link which has been created between two Windows NT Server domains. Trust relationships are created using the Windows NT User Manager utility. The establishment of a trust relationship between two domains will simplify administration of the domain by allowing one domain to trust user accounts that already exist on the other domain. This means that only one user account needs to exist; there is no need to duplicate the user's account in the other domain. The benefits of using trust relationships are,

- all domains can be centrally administered
- users can log on from a domain where they do not have an account
- users can access resources in another domain even when they do not have a user account in that domain
- allows the organization to grow and expand in a managed way

The above diagram shows a one-way trust which has been established between the domains Sales and Production. Users are placed into a global group in the domain Sales. The administrator of the Production domain can use the global group of the Sales domain and include it in a local group of the Production domain. This allows all users in the global group of Sales to access resources allocated to the local group of the Production domain.

The Production domain is said to be the trusting domain. It permits user accounts and global groups of the other domain to access its resources. The Sales domain is said to be the trusted domain. It contains user accounts and global groups which can be trusted by other domains.

In addition, users of the Sales domain can actually log on to the Sales domain when located at a computer which belongs to the Production domain. They choose this in the log on box by entering the domain they wish to log in to.

If users in the Production domain wanted access to the resources in the Sales domain, then a trust relationship would need to be created the other way round. Where the two domains trust each other, this is called a two way trust.

Trust Relationships do not flow on

When a domain has trust relationships with two or more domains, trust relationships are not transitive. In the previous example, the Production domain trusts the Sales domain. Let's now create another domain called Support, and establish a trust relationship so that Sales trusts Support. This means that if Production trusts Sales, and Sales trusts Support, then Production does NOT trust Support.
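The trust and group rules above, as an added worked model that is not part of the course notes: one-way trusts, global groups included in local groups, and trust that does not flow on. The domain, user, group and resource names (Sales, Production, Support, alice, carol, "Sales Staff", "reports") are constructed for illustration.

```python
"""Windows NT trust model: one-way trusts, global groups included in local
groups, and non-transitive trust. Added example, not part of the course notes;
the domain, user, group and resource names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    users: set = field(default_factory=set)            # accounts held in this domain
    trusted: set = field(default_factory=set)          # domains whose accounts this domain trusts
    global_groups: dict = field(default_factory=dict)  # group name -> set of user names
    local_groups: dict = field(default_factory=dict)   # group name -> set of (domain, global group)
    acl: dict = field(default_factory=dict)            # resource -> local group that may use it


class NTNetwork:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name):
        self.domains[name] = Domain(name)
        return self.domains[name]

    def add_trust(self, trusting, trusted):
        """One-way trust: the trusting domain accepts accounts from the trusted domain."""
        self.domains[trusting].trusted.add(trusted)

    def trusts(self, trusting, trusted):
        """Only a direct trust counts: trust does not flow on through a third domain."""
        return trusted == trusting or trusted in self.domains[trusting].trusted

    def can_log_on(self, user, account_domain, at_domain):
        """A user may pick their own domain in the logon box at a computer that
        belongs to a domain trusting the account domain (or at home)."""
        return user in self.domains[account_domain].users and self.trusts(at_domain, account_domain)

    def can_access(self, user, account_domain, res_domain, resource):
        """Two conditions: the resource domain trusts the account domain, and the
        user reaches the resource's local group through a global group of the
        account domain that was included in that local group."""
        if not self.can_log_on(user, account_domain, res_domain):
            return False
        rd = self.domains[res_domain]
        local_group = rd.acl.get(resource)
        if local_group is None:
            return False
        for member_domain, global_group in rd.local_groups.get(local_group, ()):
            if member_domain == account_domain:
                if user in self.domains[member_domain].global_groups.get(global_group, ()):
                    return True
        return False


def build_example():
    """Production trusts Sales, Sales trusts Support (constructed data)."""
    net = NTNetwork()
    sales, prod, supp = (net.add_domain(n) for n in ("Sales", "Production", "Support"))
    sales.users.add("alice")
    sales.global_groups["Sales Staff"] = {"alice"}
    supp.users.add("carol")
    supp.global_groups["Support Staff"] = {"carol"}
    net.add_trust("Production", "Sales")   # Production is trusting, Sales is trusted
    net.add_trust("Sales", "Support")      # Sales is trusting, Support is trusted
    # The Production admin includes the Sales global group in a Production local group
    prod.local_groups["Report Readers"] = {("Sales", "Sales Staff")}
    prod.acl["reports"] = "Report Readers"
    # The Sales admin lets Support staff read its tickets the same way
    sales.local_groups["Ticket Readers"] = {("Support", "Support Staff")}
    sales.acl["tickets"] = "Ticket Readers"
    return net


if __name__ == "__main__":
    net = build_example()
    print(net.can_access("alice", "Sales", "Production", "reports"))   # True
    print(net.can_access("carol", "Support", "Production", "reports"))  # False: trust does not flow on
```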

Single Master Domain Model


As the organization grows bigger, rather than having several domains with user accounts in each, it makes more sense to create an account domain, which holds user accounts. The other domains are turned into resource domains, which consist of application servers and shared resources. In a single master domain model, one domain is used to hold user accounts. All users and machines have accounts in this master domain. Resources such as applications, shared data files, printers and servers are located in other resource domains. Each resource domain is linked to the master user accounts domain via a one-way trust. This allows users in the master user accounts domain access to the resources in the resource domains. This eases administration, as all user accounts are in a single domain. The resource domains are the trusting domains, and the master user accounts domain is the trusted domain. Often, you will hear the master user accounts domain called a first-tier domain, and the resource domains called second-tier domains. The advantages of a single master domain model are

- ease of administration: only one user account domain is administered, rather than each domain having its own user accounts
- administer all resources centrally or let local resource domain administrators do it
- administration can be centralized or delegated, depending upon the needs of the organization
- users only need one log on name to access any resources in the resource domains
- maintains security whilst still allowing ready access to resources

The single master domain model is particularly suited for:


- centralizing account management
- decentralizing resources and their administration
- resources can be logically grouped according to their role into a single resource domain

The master domain model has the advantage that global groups are defined once in the master user accounts domain. If resource domains are connected via a WAN link to the master user accounts domain, a BDC for the master users account domain should be placed in each of the remotely connected resource domains. This allows local authentication of user logon; vital, if the WAN link fails.


Multiple Master Domain Model


This model combines two or more master domain models. Each master domain handles user accounts, with a user having an account on one of the master domains. Two way trusts are established between each master domain, so that all master domains trust each other. Resource domains provide the resources for the users in the master domains. Global groups are created in the master domains and then imported into the local groups in the resource domains to allow master domain users access. A user will log on to the master domain where their account resides. Because of the trust relationships established between the master domains, this can occur anywhere on the network. Each master domain should contain two or more BDCs to provide redundancy and validate user logon requests [one BDC per 2000 users]. Each master domain can contain as many as 26,000 user accounts. The multiple master domain is suited for

- organizations with 40,000 or more users
- users who need to log on at different parts of the network [mobile users]
- scalable networks
- centralized user accounts via MIS yet decentralized resource administration on a local level


Complete Trust Domain Model


This model consists of two or more domains, with each domain retaining administrative control of its own accounts and resources. It distributes administration across domains, rather than centralizing it. This model is not suited to central MIS control, but is a good choice for organizations without a central MIS department that need only a few domains. Each domain is set up to trust every other domain in the organization. All trusts are two way [in both directions]. With a large number of domains, this would involve creating a large number of trust relationships. Reliance is placed on other domain administrators to control who is placed into global groups.

APPENDIX
The following information has been extracted from a Microsoft document about Windows NT domain planning.

Space requirements in the SAM

- each user account requires approximately 1K
- each machine account requires approximately 0.5K
- each group account requires 4K

The practical limit for the size of the SAM file is 40MB.

Object             Space Used
user account       1.0K
machine account    0.5K
group account      4.0K

For a single domain, here are some examples of how objects might be distributed:

Distribution               User Accounts      Machine Accounts     Group Accounts     Total SAM size
                           (1K per account)   (0.5K per account)   (4K per account)
1 workstation per user     2,000              2,000                30                 3.12 MB
2 workstations per user    5,000              10,000               100                10.4 MB
2 users per workstation    10,000             5,000                150                13.1 MB
1 workstation per user     25,000             25,000               200                38.3 MB
1 workstation per user     26,000             26,000               250                40 MB
1 workstation per user     40,000             0                    0                  40 MB
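The sizing figures in this appendix (per-object SAM space, the 40 MB limit, one BDC per 2,000 users, and the PDC/BDC hardware table further below) as an added planning calculator that reproduces the table rows above; this is added here and is not part of the course notes or of the Microsoft document.

```python
"""Domain planning arithmetic from the appendix: SAM size, the 40 MB limit,
BDC count and the PDC/BDC hardware tier. Added example, not from the course
notes or from Microsoft; the constants below are the figures quoted in the text."""

USER_K, MACHINE_K, GROUP_K = 1.0, 0.5, 4.0   # approximate SAM space per object
SAM_LIMIT_MB = 40                             # practical limit of the SAM file
USERS_PER_BDC = 2000                          # each BDC supports up to 2,000 users

# (SAM size in MB, minimum CPU, required RAM in MB) from the hardware table
HARDWARE_TIERS = [
    (5, "486DX/33", 32),
    (10, "486DX/66", 32),
    (15, "Pentium, MIPS, Alpha AXP", 48),
    (20, "Pentium, MIPS, Alpha AXP", 64),
    (30, "Pentium, MIPS, Alpha AXP", 128),
    (40, "Pentium, MIPS, Alpha AXP", 166),
]


def sam_size_mb(users, machines, groups):
    """Approximate SAM size; 1 MB taken as 1000K, which reproduces the table's totals."""
    return (users * USER_K + machines * MACHINE_K + groups * GROUP_K) / 1000


def fits_single_domain(users, machines, groups):
    """True if the accounts fit within the practical SAM limit of one domain."""
    return sam_size_mb(users, machines, groups) <= SAM_LIMIT_MB


def bdcs_needed(users):
    """One BDC per 2,000 users, never fewer than one; this reproduces the BDC
    table in the appendix (5,000 -> 2, 10,000 -> 5, 30,000 -> 15)."""
    return max(1, users // USERS_PER_BDC)


def controller_hardware(sam_mb):
    """Smallest hardware tier whose SAM size covers the planned database."""
    for limit_mb, cpu, ram_mb in HARDWARE_TIERS:
        if sam_mb <= limit_mb:
            return cpu, ram_mb
    raise ValueError("SAM over %d MB: split accounts across master domains" % SAM_LIMIT_MB)


def plan(users, machines, groups):
    """Planning summary for one account domain."""
    mb = sam_size_mb(users, machines, groups)
    try:
        cpu, ram = controller_hardware(mb)
    except ValueError:
        cpu, ram = None, None   # does not fit one domain; use multiple master domains
    return {
        "sam_mb": round(mb, 2),
        "fits_single_domain": mb <= SAM_LIMIT_MB,
        "bdcs": bdcs_needed(users),
        "cpu": cpu,
        "ram_mb": ram,
    }


if __name__ == "__main__":
    for row in [(2000, 2000, 30), (25000, 25000, 200), (40000, 40000, 300)]:
        print(row, plan(*row))
```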

How to select the appropriate domain model for your organization

Domain Selection Matrix

Columns (domain models): Single Domain; Single Master Domain; Multiple Master Domain; Independent Single Domains with Trust relationships

Rows (domain attributes): Less than 40,000 users/domain; More than 40,000 users/domain; Centralized account management; Centralized resource management; Decentralized account management; Decentralized resource management; Central MIS; No central MIS

[The marks in the matrix cells did not survive extraction; the model descriptions above state which attributes each model suits.]

Location Considerations Checklist

- location where users log on: ensure access to an authenticating BDC
- multiple location logon requirements: the account cannot be tied to one location, so use a single master domain or multiple master domain model
- does a user need to be able to log on if the WAN is down?
- how fast are the WAN links?

Hardware Requirements

PDC/BDC Hardware Requirements

SAM file size   Number of user accounts*   Minimum CPU needed          Required RAM+
5 MB            up to 3,000                486DX/33                    32 MB
10 MB           7,500                      486DX/66                    32 MB
15 MB           10,000                     Pentium, MIPS, Alpha AXP    48 MB
20 MB           15,000                     Pentium, MIPS, Alpha AXP    64 MB
30 MB           20,000 - 30,000            Pentium, MIPS, Alpha AXP    128 MB
40 MB           30,000 - 40,000            Pentium, MIPS, Alpha AXP    166 MB

How Many BDCs Are Needed? Each BDC supports up to 2,000 user accounts.

Number of workstations   Number of BDC servers
10                       1
100                      1
500                      1
1,000                    1
2,000                    1
5,000                    2
10,000                   5
20,000                   10
30,000                   15

Perform the initial setup of all BDCs on-site or over high speed links, because each new BDC will need a full synchronization with the PDC.

NETWORK TROUBLE-SHOOTING:
This section covers the use of the multimeter in checking out data cabling used in Local Area Networks. We shall use a common form of cabling known as Ethernet, which is coaxial cable of 50 ohms. Ethernet LANs are arranged in bus fashion, with the cable being terminated at each end with a 50 ohm resistor (called a terminator). Obtain a few pieces of Ethernet cable, T-connectors and terminator resistors from your tutor. Connect these together to form an Ethernet segment.

Continuity Tests
The first test you will perform is a continuity test. This tests to ensure that there is electrical continuity (an unbroken path) along the entire cable. The test set-up looks like this:

First, remove the terminators at each end of the cable segment. Set the meter to resistance (or continuity test if it has one). Using one person to connect the meter leads to each part of the T-connector, have another person short the other T-connector using a small screwdriver. Under a continuity test, the meter sends a signal along one lead. This travels down one wire of the coaxial cable, reaching the other end. At the far end, because it is shorted to the other lead by the screwdriver, the signal travels back along the other wire of the coaxial cable. When it arrives back at the meter, the meter knows that the cable is okay.

Important: In LANs we deal with voltages (electrical signals) which are generally very small (less than 5 volts peak to peak). The difference between no signal and signal can be less than 1 volt. In fact, noise voltages can even be interpreted as signals. This is one reason why the cabling media must be protected from noise sources and be free from induced noise voltages.

Because a LAN comprises many components, it's often difficult to decide where to start finding the problem. However, there are a few basic rules we can learn which will point us in the right direction, with the aim of minimizing downtime. Information is vital for troubleshooting. You need access to

- cable layouts: cable type, location of terminators, splices, repeaters etc
- workstation location
- network interface card types, settings
- workstation information (screen type, memory, software configurations)
- knowledge of basic network topologies (star, ring, bus)
- knowledge of basic troubleshooting procedures (good/bad measurements)
- past history (recent changes, is the fault repeatable)

Cabling

Cable generates 90% of all LAN faults. Needless to say, cabling at installation time should be certified in writing, along with test results detailing the measurements taken. The major problems associated with cable are,

- shorts and open circuits
- extraneous voltages, noise, ground loops
- excessive cable lengths (let's add just one more workstation)
- poor terminations, connectors
- wrong type of cable
- incorrectly installed to begin with

There are restrictions on cable types, distances and number of workstations attached.

Thin Ethernet (coax)

- 30 T connectors per cable segment
- 300 meters per cable segment
- minimum distance between each T connector is 1 meter
- RG-58AU cable (50 ohm)
- 50 ohm terminator at each end of the cable, ONLY ONE of which is earthed
- no T connector shall be earthed
- each T connector plugs directly into a network card installed in a PC

Ethernet systems use a BUS topology. This describes the manner in which the various hardware equipment of the LAN is interconnected.

- each workstation is attached to a single cable thread
- each end of the cable is terminated in 50 ohms
- connections to PCs are made via T connectors
- signals are received by all workstations

However, bus systems do have drawbacks,


- a cable fault will take down the entire LAN
- a faulty workstation will take down the entire LAN
- there are limits on the number of workstations
- there are limits on the length of cable
- workstations must be a minimum distance apart

Bus Topology DON'TS

- mix different cable types
- mix 75 ohm and 50 ohm T connectors or terminators
- solder connectors
- run cable near power cables, or air conditioning units, or lighting
- earth the cable in more than one place
- mix different Ethernet network card types
- exceed cable distances or workstation limits
- bend or trample the cable
- run spurs or drop cables from a T connector

Bus Topology DO'S


- use a single cable type (RG58AU)
- one type of network card
- 50 ohm T connectors from a single supplier
- ground the cable at one end only
- keep the cable away from noise sources
- observe cable and workstation limits

LAN TEST INSTRUMENTS

The basic instruments for fault finding are

- multimeter (resistance, continuity and voltage), suitable when the network is NOT ALIVE
- time domain reflectometer (TDR)
- visual inspection
- software diagnostics

Where do you start?

- is the entire LAN down, all users affected?
  o scan cable, measure resistance, noise
  o check to see if server running, LOAD MONITOR, TRACK ON
- some users affected?
  o check to see if PC can still run DOS
  o run NIC diagnostics
  o any recent changes?

Any other problems are generally configuration faults, particularly in the way in which the network has been configured or managed. These are problems like

- inability to run certain applications
- can't access certain files or directories

Often problems are sporadic and intermittent in nature. Faults can be linked to external activity (the cable picking up noise voltages from lift motors etc). With intermittent faults, it is important to obtain information about

- which users noticed it first
- what were they doing when it failed
- has this happened before
- is it repeatable
- is there any difference between this and the last time

The trouble-shooter must know the hardware and software configurations of the various workstations and servers on the network. These details should be filled out and kept in folders. Included should be cable layouts, access points, cable distances, workstation locations etc. Remember that INFORMATION is the key. The more you know about the system, the easier your job will be. We always recommend to any new Network Manager that the first thing they do is fully document the entire LAN, both software and hardware.

CATEGORIZING LAN PROBLEMS

- HARDWARE
  o Cabling, connectors, cable, MAUs
  o Workstations: keyboards, base units, monitors, drives, memory, PSU, NIC and peripherals, mice etc
  o Servers
  o Bridges/Routers
  o Printers
  o Power supply
- SOFTWARE
  o LAN NOS and workstation shell
  o Application software
  o Incorrect configurations
  o Access rights, drive mappings
  o Data integrity, backups

HANDLING LAN PROBLEMS

IMPLEMENT A LAYERED APPROACH
  o Help Desk
    - first level of repair
    - interacts with user to determine nature of problem
    - uses a standard battery of questions
    - logs details of problem
    - initiates repair by solving problem or passing on
    - tracks problems passed on to experts
    - does not require high degree of expertise
    - requires access to database of problems and solutions
    - information on user's system required
  o Front Line Experts - Hardware and Software
  o On-Call Experts - Cablers, In-house Consultants
  o Installers/Trouble-shooters/LAN Authorized Agents

HELP DESK, TYPICAL QUESTIONS TO ASK

- Location of user's machine, contact name and number
- Machine configuration, memory, drivers, monitor type etc
- DOS version, network NOS type and revision number
- What happened, time and date, can it be repeated?
- Are other network users affected?
- Can the computer run DOS as standalone?
- What were the error messages displayed?
- Do other users experience the same problem?
- Were there any recent changes to the computer or network?
- What solutions have you tried to solve the problem? (reset, power-off/on, another machine, another user account)
- Is this something new or have you tried this before?

CABLING PROBLEMS ARE GENERALLY


- connectors and terminators
- crimps, splices, bends
- noise, voltages and ground loops
- shorts and open circuits
- exceeding cable and workstation limits

BASIC TROUBLESHOOTING HARDWARE TOOLS TO USE

- ohm-meter
  o tests resistance of cable, presence of terminators, open and short circuits
  o limited use on live network
- time domain reflectometer
  o tests for cable imperfections, shorts and open circuits, impedance mismatches
- volt-meter
  o tests for voltage; -1.7V on Ethernet means a streaming NIC

CABLE TROUBLESHOOTING STRATEGY

divide and conquer: split the cable segment in half, and take a measurement on both halves. This should isolate the fault into one half. Repeat the process till the fault is found.

COMMON HARDWARE PROBLEMS ARE


- workstation and server hardware, screens, disks, memory, keyboards
- cabling, connectors
- network interface cards
- peripheral devices, mice, printers, modems, bridges, routers

The majority of PC-LAN problems occur with cabling. Cabling problems fall into the following categories

- faulty connectors and terminators
- faulty cable, crimps, splices
- excess noise voltages, extraneous voltages and ground loops
- shorts and open circuits
- excessive cable lengths and workstation limits

The tools available to test cable are,


- time domain reflectometer (TDR): tests for cable imperfections, terminations, open and short circuits
- voltmeter: tests for voltage, ground loops, noise voltages, spikes
- ohm-meter: resistance test, presence of terminators, shorts and open circuits

General Principles

- know the cable type and characteristics
- know the cabling layout/scheme, access points and numbering
- know what to expect for good and bad measurements
- visual inspection is important
- start with what you know is good, isolate the rest
- segment/divide where possible, make one big problem into several smaller ones

Voltmeter testing
The use of a voltmeter in cable testing is restricted, but necessary at times to find unusual faults.

Voltage tests

These tests can test for the normal or abnormal presence of signal activity on the cable. Ethernet 802.3 uses the following voltage levels (in volts),

  o high = -0.2 to -0.5
  o low = -1.6 to -1.9
  o carrier sense = -0.9 to -1.2
  o collision = -1.5 to -1.7

A streaming node (a workstation continuously sending) is easily identified by the voltage present on the cable. Cards can be tested by placing a carrier sense voltage on the bus. This should cease all network traffic. Any variation of the measured voltage indicates that one or more cards are ignoring the carrier signal.

Noise tests

Some of the newer hand held fault tools measure noise levels on the cable. This is the mean voltage read when there is no network activity. It is best to measure this on a system which is down and all workstations are turned off. Sources of noise are

  o computer power supplies and motherboards
  o power surges and mains supplies
  o large inductive loads, air conditioning, lift motors

For ethernet, noise measured should be lower than 0.04v per cable segment.


Current, Ground Loop Tests


The measurements relate to the difference in ground potentials between two points on the same cable. Ethernet tries to overcome this problem by specifying that only one end of the cable is to be grounded, but in practice installers tend to ignore this and wire the shield of the conductor cable to mains ground or some nearby metal. This can create differences in voltage between the various ground points. As a result, voltage travels down the cable and flows into the network cards. This either damages the card or causes intermittent faults or errors on the network. By inserting the meter into the earth shield, and measuring the current flowing (or voltage difference), this type of fault is easily identified.

There should be no voltage difference or current measured.

Resistance Tests
These are the more common tests applied to cabling systems. Resistance tests find the following faults

shorts open circuits missing terminators

A good Ethernet system has two 50 ohm terminators, one at each end of the cable. These appear in parallel, thus a good system will measure 25 ohms, a shorted system less than 25 ohms, and a break, open circuit or poor connection as greater than 25 ohms. The tests are performed on a dead network (all workstations/servers turned off).

Shorts: a shorted cable will always read less than half the resistance of a single terminator.

Open circuits, cable breaks: a cable break or open circuit will always read the value of one terminator (or greater).

Changing the point of measurement will identify in which portion of the cable segment the break occurs.
Missing or faulty terminators: if both terminators are missing or faulty, the resistance reading will be very high.

If one of the terminators is missing or faulty, the resistance reading will be the value of one of the terminators.

Splitting the cable segment at the point of measurement, then taking readings into both sections will reveal one segment as open, the other at 50 ohms.
A good Ethernet system will measure 25 ohms.
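The resistance readings described in this section (25 ohms good, below 25 ohms short, about 50 ohms for a break or one missing terminator, very high for both missing) together with the divide-and-conquer strategy, as an added simulation that is not part of the course notes. The bus model, the 10% reading tolerance and the fault positions are constructed for illustration.

```python
"""Expected ohm-meter readings on a dead thin Ethernet segment and the
divide-and-conquer localisation of a fault. Added example, not from the course
notes; the bus model, tolerance and fault positions are constructed."""
from math import inf

TERMINATOR = 50.0        # ohms, one terminator at each end of the bus
GOOD = TERMINATOR / 2    # the two terminators appear in parallel


def parallel(r1, r2):
    """Two resistances seen in parallel from the meter, allowing 0 and open (inf)."""
    if r1 == 0 or r2 == 0:
        return 0.0
    if r1 == inf:
        return r2
    if r2 == inf:
        return r1
    return 1 / (1 / r1 + 1 / r2)


def classify(reading, tol=0.1):
    """Map a dead-network reading at a T connector to the fault classes in the text."""
    if reading > 10 * TERMINATOR:
        return "open: both terminators missing, or no path to either end"
    if reading < GOOD * (1 - tol):
        return "short"
    if abs(reading - GOOD) <= GOOD * tol:
        return "good"
    if abs(reading - TERMINATOR) <= TERMINATOR * tol:
        return "one terminator missing/faulty, or a cable break"
    return "poor connection or mismatched terminator"


class CoaxSegment:
    """n cable sections joined at T connectors 0..n, with one fault state per section."""

    def __init__(self, n_sections, left_term=True, right_term=True):
        self.faults = ["ok"] * n_sections     # each is "ok", "open" or "short"
        self.left_term = left_term
        self.right_term = right_term

    def _looking(self, first, step, term_present):
        """Resistance seen from a T connector walking one way towards an end."""
        i = first
        while 0 <= i < len(self.faults):
            if self.faults[i] == "short":
                return 0.0
            if self.faults[i] == "open":
                return inf
            i += step
        return TERMINATOR if term_present else inf

    def reading_at(self, t):
        """Meter across T connector t with the whole bus still connected."""
        return parallel(self._looking(t - 1, -1, self.left_term),
                        self._looking(t, +1, self.right_term))

    def span(self, lo, hi):
        """Reading into sections lo..hi-1 after splitting the bus at connectors
        lo and hi and fitting a known-good terminator on the far end."""
        for f in self.faults[lo:hi]:
            if f == "short":
                return 0.0
            if f == "open":
                return inf
        return TERMINATOR


def locate_fault(seg):
    """Divide and conquer: halve the suspect span until one section remains.
    Returns the faulty section index, or None when the segment reads good."""
    lo, hi = 0, len(seg.faults)
    if seg.span(lo, hi) == TERMINATOR:
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if seg.span(lo, mid) != TERMINATOR:
            hi = mid        # fault is in the left half
        else:
            lo = mid        # left half is good, so it is in the right half
    return lo


if __name__ == "__main__":
    seg = CoaxSegment(8)
    seg.faults[5] = "open"   # constructed break in the sixth section
    print(seg.reading_at(3), classify(seg.reading_at(3)))   # 50.0, cable break
    print(locate_fault(seg))                                # 5
```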


OPERATING SYSTEMS
This section introduces the primary Windows based operating systems. You should be familiar with the typical uses and requirements of these operating systems.

Windows 95
This operating system is designed for use as a workstation client or desktop system, primarily for the home or mobile user. It is not intended to be used as a server, but can be used in simple workgroups to share resources such as printers and files.

General Features of Windows 95

- easier to use and learn than Windows 3.1
- more reliable than Windows 3.1
- supports all major networking protocols including Novell IPX and TCP/IP
- network clients are faster, more reliable, and use no conventional memory
- simplified user interface
- automated installation for all users and custom installations
- remote administration features built in
- supports multiple users on a single PC with customized settings for each individual
- pre-emptive multitasking and multi-threading
- plug and play support for hardware devices
- dial-up networking (remote access services)
- supports existing MS-DOS and Windows drivers and programs

System Requirements for Windows 95


- 486DX/25MHz or higher
- 8MB memory or higher
- 40-45MB disk space
- 3.5 floppy drive or CD-ROM
- VGA or higher resolution graphics card

Windows 98
This operating system is designed for use as a workstation client or desktop system, primarily for the home or remote user. It is not intended to be used as a server, but can be used in simple workgroups to share resources such as printers and files. It is an upgraded, enhanced version of Windows 95.

General Features of Windows 98

- FAT32 enhanced file system
- Performance enhancements
- Fast startup and shutdown
- Intelligent update wizards
- System file checker
- New hardware support, Universal Serial Bus
- Integrated browser/shell

System Requirements for Windows 98


- 486DX/66MHz or higher
- 16MB memory or higher
- 195MB disk space
- CD-ROM
- VGA or higher resolution graphics card

Windows NT v4 Workstation
This operating system is designed for serious power users and desktop workstations, where users demand high reliability, pre-emptive multitasking of programs and support for OpenGL graphics applications. It can be used as a server in a workgroup, where the number of clients it supports is 10 or less.

General Features of Windows NT v4 Workstation

- complete crash protection for 16- and 32-bit applications
- built-in data protection
- supports common networks and protocols
- remote access service [client and/or server]
- support for applications designed for MS-DOS, Windows, Windows 95, and other operating systems
- preemptive multitasking
- OpenGL 3-D graphics
- supports a wide range of hardware devices
- scalable [support for more than one processor]
- multi-platform [support for more than one processor type, e.g. RISC]

System Requirements for Windows NT v4 Workstation


- 16MB RAM
- 386 processor, 25MHz or higher
- 110 MB available hard-disk space
- VGA, Super VGA, or video graphics adapter (compatible with Windows NT Workstation 3.51)
- CD-ROM drive


Windows NT 4 Server
This operating system is designed for robust scalable networks based on domains. It provides accounts for users and security logon using usernames and passwords. Where servers are required to handle more than 10 clients, NT Server is the best choice of operating system. It has been especially optimized to give good performance as an application server, and has additional tools to ease network administration problems.

General Features of Windows NT Server

- Exceptional file and print services
- Support for thousands of client/server applications
- Built-in security and advanced fault tolerance
- Runs on your choice of scalable hardware including Intel x86, Pentium, Alpha AXP, MIPS Rx400, and PowerPC
- Supports MS-DOS, Windows, OS/2, UNIX and Macintosh
- Integrates with NetWare, LAN Manager, UNIX, PATHWORKS, SNA, and other network systems
- Built-in Migration Tool for NetWare
- File & Print Services for NetWare
- Instantly accessible and up-to-date information
- Hardware auto-detect and CD-ROM-based Express Setup
- Easy-to-use graphical environment
- Directory service that aids in the management and control of network resources
- TCP/IP, Macintosh support, and Remote Access Service at no extra charge

System Requirements for Windows NT Server

For Intel-based and compatible systems:

- 386/25 or higher processor
- 16 MB RAM
- 125MB of available hard-disk space
- VGA, Super VGA, or compatible video graphics adapter
- CD-ROM drive
- Network adapter card
- Microsoft Mouse or compatible pointing device (mouse recommended)

WINDOWS 2000 Professional


This is the replacement for Windows NT 4 Workstation, designed for power users, remote users and high performance workstations. It has all the features of Windows NT 4 combined with the graphical desktop interface of Windows 98.

General Features of Windows 2000 Professional

- File protection: Core files are protected from being overwritten by software applications
- Microsoft Installer: This service helps users install, configure, upgrade and remove software
- System preparation: Entire computers can be cloned (copied), allowing multiple deployment of similar configurations to be done quickly and easily
- Personalized menus: The Start menu is adapted to the preferences of the user
- Troubleshooters: The troubleshooting wizards allow you to configure, optimize and troubleshoot Windows 2000
- Encryption and Security: Files can be encrypted for greater protection. The standard security model for NT applies to all files, folders and system resources. Kerberos is also supported
- Additional device support: Support for USB, smart cards, remote notebooks (such as hot docking), IrDA, IEEE 1394, DVD and plug and play devices
- Networking: Supports peer-to-peer communication with Windows NT and Windows 9x networks. In addition, UNIX services allow interoperability with UNIX networks.

System Requirements for Windows 2000 Professional


- 133MHz Pentium compatible processor
- 64MB RAM
- 2GB hard disk with 650MB available free space
- Single or dual processor systems

WINDOWS 2000 Server


Organizations can use Windows 2000 Server to build reliable scalable networks that support organizational requirements, such as file and application servers, Web and Intranet servers, e-mail and remote access servers and print servers.

General Features of Windows 2000 Server

- Internet Information Services 5.0: This provides the functionality to easily host and manage web sites. Active Server Pages allow the creation of interactive web-based applications, and the media services allow the delivery of multimedia content across the Internet or corporate Intranet.
- Active Directory: The domain database implemented in Windows NT is expanded to include additional information and provides a repository for software applications to store and retrieve information from.
- Terminal Services: This allows users to run Windows based applications on a Terminal Server, taking advantage of the extra processing power, from a remote PC or Windows-based terminal.
- Remote Access
- Virtual Private Networks
- Disk Quotas: This allows administrators to set limits on disk space usage per user.

System Requirements for Windows 2000 Server


- 133 MHz or higher Pentium-compatible processor
- 256MB RAM minimum
- 2GB hard disk with 1.0GB available free space
- Up to four processors

WINDOWS 2000 Advanced Server


Windows 2000 Advanced Server includes all the features of Windows 2000 Server. It is designed for large-scale networks requiring high reliability and for the provision of e-commerce and line-of-business applications.

General Features of Windows 2000 Advanced Server

Includes all the features of Windows 2000 Server plus:

- Support for up to eight processors
- Clustering: Supports both hardware and software failures by mirroring servers
- Load Balancing: The load on servers can be dynamically redistributed in the event of server failure

System Requirements for Windows 2000 Advanced Server


- 133 MHz or higher Pentium-compatible processor
- 256MB RAM minimum
- 2GB hard disk with 1.0 GB available free space
- Up to eight processors

WINDOWS SERVER SERVICES


This section covers some of the basic Windows server services. These services run on a Windows server computer, and must be configured separately. All the following services rely on the TCP/IP protocol being installed on the server. These services provide functionality that is important in a TCP/IP based network.


Dynamic Host Configuration Protocol [DHCP]


The DHCP service dynamically assigns client TCP/IP configuration information (such as hostname, IP address and default gateway). In TCP/IP networks, each computer must have a valid TCP/IP address. This address uses four numbers separated by dots, e.g. 156.59.20.1. Each number has a value between 1 and 254 [0 and 255 are special cases, 0 defining a network, 255 defining a group of computers]. This address can be assigned to the computer either statically or dynamically. Static TCP/IP addresses are generally used for servers that do not change their location on the network. The address of the computer is entered via Control Panel->Networks->TCP/IP Protocol->Properties.

A DHCP server holds a number of free IP addresses available for allocation to workstation clients. A client computer, upon startup for the first time, issues a DHCP Discover to a DHCP server by sending a broadcast on the local subnet. The server responds to the client workstation with one of the unallocated IP addresses it has to offer, called a DHCP Offer. This is accepted by the client, which issues a DHCP Request to the DHCP server. The DHCP server replies to the client with a DHCP Acknowledgment, then marks the IP address given to the client as allocated (in use). This allocated IP address carries a timestamp that specifies how long it is valid for. Periodically, the client will attempt to renew the leased IP address by contacting the DHCP server [this occurs after 50% of the lease time has expired]. Whenever a client workstation is rebooted, it attempts to verify that the IP lease it has is valid for the subnet it is currently on. If the workstation is moved to a new subnet, any DHCP server on that subnet marks the IP address invalid, and the workstation then requests a new IP lease from any available DHCP server.
The length of the lease time can be configured, and after a certain percentage of that lease time, the client workstation will contact the DHCP server to re-negotiate the IP lease. The advantages of the DHCP concept are:

- IP addresses can be re-used; when the lease expires they are returned to the available pool
- eliminates errors in configuration, as subnet masks, DNS server and gateway IP addresses can be included in the lease
- easy to move computers to another part of the network
- requires little or no intervention once configured [no tables to maintain]
- setting up clients is simple [just enable it as a DHCP client]; there is no need to know the correct IP addresses for things like subnet mask, gateway, WINS servers or DNS servers
- IP address conflicts are eliminated
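The Discover/Offer/Request/Acknowledge exchange and the lease timing described above, as an added example that is not part of the handout: a small Python simulation of a DHCP server's address pool. The class and method names (DhcpServer, discover, request, renew, expire), the clock in seconds, the client MAC addresses and the sample addresses on 156.59.20.x are constructed for this example. It goes slightly beyond the text in two places: the server refuses a Request for an address it did not offer to that particular client, and an address whose lease has lapsed is shown returning to the free pool.

```python
"""Added example (not from the handout): a simulated DHCP server showing the
Discover/Offer/Request/Acknowledge exchange, lease timing and renewal at 50%
of the lease. Names, the second-based clock and the sample addresses on
156.59.20.x are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    """One allocated address and the time window it is valid for."""
    ip: str
    client_mac: str
    granted_at: int   # simulated clock, seconds
    duration: int     # lease length, seconds

    def expires_at(self) -> int:
        return self.granted_at + self.duration

    def renewal_time(self) -> int:
        # The client contacts the server again once 50% of the lease has passed.
        return self.granted_at + self.duration // 2


class DhcpServer:
    """Holds the pool of free addresses and the leases handed out from it."""

    def __init__(self, network: str, first_host: int, last_host: int,
                 lease_seconds: int, router: str, dns: str):
        # Host values 0 (the network) and 255 (a group of computers) are never
        # handed out, so the pool is restricted to 1..254.
        if not 1 <= first_host <= last_host <= 254:
            raise ValueError("host range must lie within 1..254")
        self.free: List[str] = [f"{network}.{h}" for h in range(first_host, last_host + 1)]
        self.offered: Dict[str, str] = {}    # client MAC -> address currently offered
        self.leases: Dict[str, Lease] = {}   # address -> lease
        self.lease_seconds = lease_seconds
        # Extra settings carried in the lease; this is what removes manual errors.
        self.options = {"router": router, "dns": dns, "subnet_mask": "255.255.255.0"}

    def discover(self, mac: str, now: int) -> Optional[dict]:
        """DHCP Discover (a broadcast) answered with a DHCP Offer, or None if the pool is empty."""
        self.expire(now)
        for lease in self.leases.values():       # a known client is offered its old address
            if lease.client_mac == mac:
                self.offered[mac] = lease.ip
                return {"type": "OFFER", "ip": lease.ip, **self.options}
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.offered[mac] = ip
        return {"type": "OFFER", "ip": ip, **self.options}

    def request(self, mac: str, ip: str, now: int) -> dict:
        """DHCP Request answered with an Acknowledgment; the address is then marked in use.
        A request for an address that was not offered to this client is refused."""
        if self.offered.get(mac) != ip:
            return {"type": "NAK"}
        del self.offered[mac]
        lease = Lease(ip, mac, now, self.lease_seconds)
        self.leases[ip] = lease
        return {"type": "ACK", "ip": ip, "lease": lease.duration,
                "renew_at": lease.renewal_time(), **self.options}

    def renew(self, mac: str, ip: str, now: int) -> dict:
        """Renewal at 50% of the lease: the same client extends the same address."""
        lease = self.leases.get(ip)
        if lease is None or lease.client_mac != mac or now >= lease.expires_at():
            return {"type": "NAK"}
        lease.granted_at = now
        return {"type": "ACK", "ip": ip, "lease": lease.duration,
                "renew_at": lease.renewal_time()}

    def expire(self, now: int) -> None:
        """Return every address whose lease has run out to the free pool."""
        for ip, lease in list(self.leases.items()):
            if now >= lease.expires_at():
                del self.leases[ip]
                self.free.append(ip)


def walk_through() -> dict:
    """One client through the whole cycle; returns the observed results."""
    server = DhcpServer("156.59.20", 10, 12, lease_seconds=3600,
                        router="156.59.20.1", dns="156.59.20.2")
    client = "00:A0:24:11:22:33"                      # constructed MAC address
    offer = server.discover(client, now=0)
    ack = server.request(client, offer["ip"], now=0)
    # A different client asking for the address offered to the first one is refused.
    other = server.request("00:A0:24:AA:BB:CC", offer["ip"], now=1)
    renewed = server.renew(client, ack["ip"], now=ack["renew_at"])
    server.expire(now=renewed["renew_at"] + 3600)    # lease allowed to lapse
    return {"offered": offer["ip"], "ack": ack["type"], "other": other["type"],
            "renewed": renewed["type"], "renew_at": ack["renew_at"],
            "free_after_expiry": len(server.free)}


if __name__ == "__main__":
    print(walk_through())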

Windows Internet Name Service [WINS]


The WINS service resolves NetBIOS computer names to their corresponding TCP/IP addresses. This service was designed to eliminate the need for broadcasts to resolve NetBIOS computer names to IP addresses. Previously, to find the address of a computer, a network broadcast packet was sent to all computers on the network. This broadcast contained the name of the computer that needed to be contacted. Each computer looked at the broadcast packet, and the computer that recognized the packet was destined for it responded with its IP address. The problem with this approach is that in large networks, the number of broadcasts becomes excessive and consumes the network.

The name resolution has to take place because Windows uses computer names to map drives and resources, e.g. \\ICE\WWW. The underlying protocol, TCP/IP, however, knows only IP addresses, like 156.59.21.12, so the broadcast is necessary to resolve the computer name to an IP address so that TCP/IP can establish the connection between the two computers.

A WINS server maintains a database that maps computer names to IP addresses. Client workstations using WINS can query a WINS server and resolve computer names. A computer configured to use WINS as a client registers its computer name and IP address with the WINS server. This happens at boot time. When a client workstation using WINS needs to resolve a computer name to an IP address, it sends a query to the WINS server, which responds with the desired information. Using WINS servers in a Windows NT domain helps to reduce broadcast traffic. It is also self-maintaining, in that computers automatically add themselves to the database, and are automatically expired after a time interval when they shut down.

Domain Name Service [DNS]


The DNS service resolves computer domain names [like www.cit.ac.nz] to IP addresses [156.59.19.21] and IP addresses back to computer domain names [called a reverse lookup]. We have already covered DHCP, which is a Windows NT service which dynamically allocates IP addresses to client computers, and WINS, which allows users to connect to resources using NETBIOS computer names [like \\cscp5nts], and acts in a similar way to DNS, resolving computer names to IP addresses. The important issue here is that the Windows NT services of DHCP and WINS are dynamic.
DNS is a static service. It relies on a series of static files that specify mappings between computer names and IP addresses. There are two main lookup files, one for names to IP addresses, and the other for reverse name lookups. The Windows implementation of DNS has a graphical interface, and can be remotely administered. In addition, the DNS is integrated with DHCP and WINS, and the IP addresses that are dynamically allocated by DHCP are automatically reflected into the DNS.

File Transfer Protocol Server [FTP]


Prior to version 4.0, Microsoft provided a separate FTP server for Windows NT. The server allows users to access files stored on the server using the FTP service. By combining NTFS security on the directory structure being used by the FTP service, a good level of security is achievable. The current trend is for Microsoft to combine this service with the IIS server provided with Windows NT 4.0. It is recommended that you run this server rather than the separate FTP service. The FTP server portion of IIS is fully integrated with the WWW and other servers that form part of IIS.

Internet Information Server [IIS]


This is a combination of servers [WWW, FTP] that can be used to construct Internet and Intranet servers. Network administrators can use IIS (free with Windows Server) to create web sites and Intranets. Some advantages of IIS are

- fully integrated into Windows NT Server
- graphical installation
- combines separate servers into one package [WWW and FTP]
- SNMP MIB provided for remote viewing of performance and statistics collection
- integrated into Performance Monitor, allowing real-time measuring of all Internet events
- supports virtual servers [host multiple sites]
- extensible API for custom server extensions
- support for easy integration with existing databases
- provides security using anonymous or NT domain accounts, or SSL

Site Server
Site Server adds extra functionality to IIS that enables organizations to publish and deliver content to their employees. Authors of content are provided with a structured way in which the submission, posting and approval of content is managed. Information can be stored in a variety of sources, including databases and Microsoft Exchange folders, located throughout the organization on different servers.

Site Server Commerce Edition


Commerce edition is a server for developing e-commerce solutions and interactive web sites.

WORKGROUPS AND DOMAINS


In this section we will look at Domains and Workgroups. There are many ways in which computers can provide services, and manage users into logical groups. This section looks at some of those approaches.

Workgroups: Peer To Peer Networks


A work-group is a collection of computers that are logically grouped together for a common purpose. In any organization, logical work-groups exist, like sales, marketing, accounts, salaries and support. By allowing like people to share their files and resources, it assists the way in which people work and leads to increased productivity. In peer networks, each computer is considered a server, and holds its own accounts database. Each computer can share resources that it owns, like files, CD-ROM drives, printers, modems and fax machines.

The advantages of peer-to-peer networks are,


- all workstations can make available their resources
- no centralized server is required
- security is the responsibility of each workstation
- each computer has its own accounts database that secures the resources it provides to others
- it is cheap and easy to set up for small groups

When the number of workstations in the network increases, problems will arise due to the cost of administration [maintenance of security on so many workstations which have their own accounts] and security [it is easy for loopholes to develop in which unauthorized users could gain access].

Resources in a Work-group
Typically, computers in a work-group make available resources for other members of the work-group to use. Features of resources are,

- a typical resource is a file, directory or printer
- resources are given names (share names)
- resources are assigned permissions (like a password)
- permissions can be read-only or full
- any user knowing the password can access the resource

Both Windows 9x and Windows NT Workstation support workgroups. Each user in a workgroup can decide which resources on their computer they will share. Ideally, in a work-group, each person has their own computer that is normally identified on the network by their first name.

Belonging to a workgroup
To participate in a workgroup, the computer must be configured to be a member of that workgroup. In Windows 9x, a computer is set up to be part of a work-group via Control Panel->Networks. The primary network log-on is set to Client For Microsoft Networks. Selecting the Identification tab enables the user to specify the work-group to which the computer belongs. Please note that a computer can only belong to a single work-group.

Sharing Resources in a workgroup


To share any resource on your computer, File and Printer Sharing must first be enabled. This is found under Control Panel->Networks->File and Printer Sharing. Once this is enabled, passwords may be assigned to each resource that is made available. Users cannot use that resource unless they know the password.

To share a resource such as a directory where sales reports are kept, load Windows Explorer and right-click the directory that is to be shared. In the diagram this has been done on the sub-directory temp on drive c:

Uniform Resource Locators


Sharing allows the user to specify a password and allocate a name to the resource. In Windows format, the name of the resource is then known on the work-group as \\computername\resourcename. For instance, if the computer name was sue, and the resource was specified as temp, then the resource is known as \\sue\temp. This is known as the Uniform Resource Locator [URL] for the resource.

Accessing Resources in a workgroup


To access a resource, you locate the resource, select it, and enter the appropriate share password for that resource. Using network neighborhood, a list of available computers that hold resources will appear as a list. Only those computers that have resources to share appear in the list.

In this diagram, a number of computers are shown. Each of these computers has resources that can be accessed. Double clicking on any computer will bring up a list of resources available on that computer. For instance, selecting the computer Ice reveals the following available resources [iceflow is a shared printer].

Summary of workgroups
In summary, the features of workgroups are

- it is a collection of computers organized for a specific purpose (suits the needs of the group)
- it is a peer to peer network
- there is no centralized administration
- a dedicated server is not required
- each computer has its own accounts database and permission lists
- users can share files, printers and applications
- each computer is identified by a unique name (normally the person using that computer)

NT 4 Domains
Microsoft introduced the concept of domains with the release of Windows NT Server v3. We have already covered the problems of peer-to-peer work-groups and NetWare networks, where increases in the number of computers offering resources lead to a dramatic increase in administration associated with those resources. The domain concept attempts to solve the issues of management and security by providing a central point of log-on to the network. This central point of log-on validates the user as authentic, and only grants the user those resources that have been preassigned to them. Having a single point of log-on validation simplifies administration, as there is now only one place where accounts need to be updated.

A domain is a logical grouping of one or more Windows NT 4 Server based computers that allows them to be managed as a single unit. Using domains, the administrator creates one account for each user. Users log on to the domain, not the individual servers in the domain. Users do not need a separate account on each server in the domain; they only need one user account in the domain. This account can then be used to access any resource on any server in the domain. A domain consists of the following:

- one primary domain controller
- one or more backup domain controllers
- resource servers
- participating clients like Windows 9x and Windows NT 4 Workstation based computers

A primary domain controller


- validates user log-on to the domain
- centralizes user accounts and security policies into a single database
- provides a single administrative unit for the network

A backup domain controller


- also validates user log-on to the domain
- provides redundancy in the event of the PDC going off-line
- keeps a copy of the domain accounts database [replicated automatically from the PDC]

A resource server

- provides data storage or application software for users
- does not handle domain log-on, so is more efficient
- runs applications like SQL database or Remote Access

In addition, multiple domains can be combined into larger organization units or models. One domain can utilize [trust] the accounts of another domain. This provides scalability as the organization grows.

NT 4 Domains summary

- domains are logical groupings of Windows NT Server based computers
- domains provide a single network log-on to server based resources
- they simplify administration by providing a single point of administering user accounts and security policies
- domains provide backup systems [redundancy] to take over in the event of a PDC going off-line
- the accounts database is replicated to backup domain controllers

Windows NT 4 Server Network


A Windows NT 4 server network consists of one or more domains, and may be spread geographically over many different sites [connected via remote links]. Each domain must have at least one server running Windows NT 4 Server, configured as the Primary Domain Controller for that domain. The domain can also comprise other servers, configured either as Backup Domain Controllers or resource servers, as well as workstations running Windows NT Workstation or Windows 9x. The role of the computer [either as a PDC, BDC or resource server] is determined when the computer is installed. The PDC is installed first, in order to create the domain and generate the master accounts database. Resource servers and backup domain controllers are then added to the domain.

Typically, each Windows NT 3.5 domain is capable of supporting as many as 40,000 user accounts. A BDC can validate user log-on requests and handle 2,000 users each. Thus, if you were implementing a network for 5,000 users, you would require 1 PDC and 2 BDC servers just to handle user log-on requests.

When a Windows PDC is installed, it creates a database for the domain that holds user accounts and security information. This is stamped with a unique identifier, and when a BDC is added to the domain, the unique identifier of the database held on the PDC is used for the BDC. This means that if you want to move the BDC to a different domain, the BDC will need to be re-installed.

The Domain Database


The domain database is a repository that holds information related to users and resources. It is created when a PDC is installed. Changes to the database are replicated to each BDC in the network. The domain database holds user account information such as usernames and passwords. It also stores information about groups and computers, including shared resources such as files, folders and printers.

Domain User Accounts


A Windows NT 4 domain keeps user account details in a centralized database that is held by the PDC for that domain. Each user who requires access to the resources on the domain requires a user account in that domain. The domain administrator creates user accounts. This creates a unique security identifier (SID) for the user, and is stored in the security account manager (SAM) database of the Windows NT Registry. The user account provides access to resources in the domain, even if they reside on other servers. To access servers in other domains, trust relationships between the domains must be established. At regular intervals, the user account database is copied to every BDC in the domain. Each BDC can authenticate log-on requests, providing quicker access to the network.

Domain Machine Accounts


When a computer is added to the domain, an account is created for the machine. This account, in the case of a BDC, is used to enable replication of the user accounts database. For a PDC, the account is used to establish trusts between the domains. It requires a user with administrative privilege to add a computer to the domain. Each computer, when installed, must be given a unique name that identifies the name of the computer in the domain. It is not possible for two computers to share the same name.

Domain Group Accounts


To ease the management of users in a domain, Windows NT 4 Server allows the administrator of the domain to group users together into logical groups. Assigning users to groups simplifies administration. Assigning permissions to a group also assigns those permissions to all members of the group. In a domain, users can belong to one or more groups. Windows NT 4 Server provides a number of built-in groups, and these should be used whenever possible. Two types of groups are provided in Windows NT 4 Server.

Local groups
These define permissions to resources within the current domain [or local computer] only. These groups cannot be exported to other domains. Local groups can contain global groups that have been exported from other domains, which allows users from other domains to have access to resources in the current domain. Use local groups to control access to resources in the current domain.

Global groups
These define groups of users that can be exported to other domains for inclusion into local groups on the other domain. They contain user accounts on the current domain that you want to export to another domain. They are well suited to large networks that have multiple domains.

Domain Models
Above, we have talked about domains trusting accounts in other domains by using global groups. This implies the use of trust relationships that have been established between the domains. We also mentioned that in large corporations, multiple domains could exist. Let's now look at the domain models (configurations) supported by Windows NT 4 networks. A domain model is a grouping of one or more domains, with administrative and other links between those domains (called trust relationships). These links are used to provide user and resource management across the various domains.

Single Domain Model


This model comprises a single PDC. There may be one or more BDCs. Network administrators have full administrative rights on all servers in the domain. This model is suited to organizations that require centralized management of user accounts and ease of administration, and where the number of users is relatively low. Note that it is possible for an organization to have multiple single domain models. This could occur where, for security or other reasons, functional groups need to be separate.

The Single domain model is appropriate for


- small number of users
- network does not need to be functionally split
- centralized management of user accounts
- no requirement for access to resources in other domains

Trust Relationships
Windows NT 4 Server domain models are like building blocks, which can be combined in various ways to build larger and larger networks. The use of trust relationships allows single domain models to be interconnected, thus sharing user accounts and resources across domains. A trust relationship is an administrative and communication link that has been created between two Windows NT 4 Server domains. Trust relationships are created using the Windows NT User Manager utility. By establishing a trust relationship between two domains, this will simplify administration of the domain, by allowing one domain to trust user accounts that already exist on the other domain. This means that only one user account needs to exist; there is no need to duplicate the users account in the other domain.

Benefits of using trusts
The benefits of using trust relationships are:

- all domains can be centrally administered
- users can log on from a domain where they do not have an account
- users can access resources in another domain even when they do not have a user account in that domain
- allows the organization to grow and expand in a managed way

One-Way Trusts
A one-way trust is a means of using accounts and resources in one domain in another domain.

Instructor : Arshad Zia Siddiqui

Postal Information Technology Center (Peshawar Campus) This diagram shows a one-way trust that has been established between the domains Sales and Production. Users are placed into a global group in the domain Sales. The administrator of the Production domain can use the global group of the Sales domain and include it into a local group of the Production domain. This allows all users in the global group of Sales to access resources allocated to the local group of the Production domain. The Production domain is said to be the trusting domain. It permits user accounts and global groups of the other domain to access it resources. The Sales domain is said to be the trusted domain. It contains user accounts and global groups that can be trusted by other domains. In addition, users of the Sales domain can actually log on to the Sales domain, when located at a computer that belongs to the Production domain. They can choose this in the log on box by entering the domain they wish to log in to. If users in the Production domain wanted access to the resources in the Sales domain, then a trust relationship would need to be created the other way round.


THE DOMAIN NAME SYSTEM (DNS)


In a TCP/IP network, each computer is uniquely identified by a TCP/IP address and a logical host name.

Domain Names
Domain names are allocated by a sole agency in each country responsible for the Domain Name System. Upon application, the agency allocates the name and corresponding range of addresses associated with that name to the requesting organization. An example of a domain name is microsoft.com, used by Microsoft. There is an organizational part to the domain name, as well as a top-level identifier (in this instance .com) that specifies the type of organization (commercial). Top-level identifiers are preassigned and not subject to change. Some common top-level identifiers are


.com   commercial
.edu   education
.gov   non-military government organizations
.org   non-profit organization
.mil   military
.net   networks

Countries other than the USA have a country code as their top-level identifier. Any host computer using TCP/IP is assigned a logical host name; for example, www.microsoft.com is the logical host name of the web server at Microsoft. All computers running TCP/IP must have a unique hostname and a unique TCP/IP address. Generally, control of the domain is assigned to the organization that requests the domain name. So, Microsoft will be responsible for holding information related to the microsoft.com domain, such as computer hostnames and their TCP/IP addresses.

DNS Servers
A server running the DNS service accepts requests for domain name resolutions. The server constructs a table of entries for the domain that it is responsible for (this table may be static or dynamic). The table entries consist of computer host names and their TCP/IP addresses.

Computer Host Names


A computer hostname in TCP/IP is a logical name associated with a unique TCP/IP address. Logical names are used because they are easier to remember. Each computer is assigned a unique name. An example of a computer hostname is ICE.CIT.AC.NZ. This defines the computer hostname as ICE, belonging to the organization CIT, which is an educational organization (.ac) that resides in New Zealand (.nz).

Computer Host TCP/IP Addresses


TCP/IP addresses assigned to computers must be unique. They consist of a series of numbers joined by dots. Each number ranges from 0 to 255, though some combinations cannot be used as they are reserved. The IP address for the previous computer ICE.CIT.AC.NZ is 156.59.20.50. The following TCP/IP address ranges are reserved for INTERNAL USE ONLY (they can be used by organizations to implement networks that are NOT connected to the Internet).

10.x.x.x
172.16.x.x to 172.31.x.x
192.168.0.x to 192.168.255.x


Resolving Names (forward lookup)


When a user types a URL into their web browser (for example http://www.microsoft.com), the host name is resolved to a TCP/IP address by sending the computer name to a DNS server for resolution. The DNS server then queries its tables and list of known entries to resolve the name to an address. If it does not know about it, it will forward the request to other DNS servers until such time that it is resolved. The resolved TCP/IP address is then returned to the client computer.

Resolving IP Addresses (reverse lookup)


A reverse lookup is where an IP address is resolved to a computer hostname.

NSLookup
This interactive program, available on Windows NT and 2000 computers, queries a domain name server to resolve names or IP addresses. In this example, NSLookup is used to resolve the name ice.cit.ac.nz to an IP address, followed by the reverse query to resolve that IP address back to the name.


Zones of Authority
The ZOA defines that portion of the domain namespace that a particular DNS server is responsible for. This ZOA contains at least one domain, known as the root domain. Other sub-domains may also be specified. A DNS server is configured to manage one or more zones. For instance, in this diagram the ZOA is CIT.AC.NZ with zone 1 holding the root domain. Zone 2 holds the sub-domain ee.cit.ac.nz

Primary, Secondary and Cache DNS Servers


A primary name server obtains zone information (such as computer host names and IP addresses) from local files. Adding other zones or hosts is done on a primary name server. A secondary name server obtains the data for its zones from another domain name server over the network. The transfer of the zone records from the primary domain name server to the secondary domain name server is called a zone transfer. Secondary domain name servers provide redundancy in a network. If the primary domain name server failed, hostnames and IP addresses could not be resolved; a secondary domain name server acts as a backup in case the primary domain name server fails. Secondary domain name servers can also reduce the load on a primary domain name server. Caching domain name servers hold resolved queries in a local cache. When first started, they contain no information and thus forward requests to a secondary or primary domain name server for resolution. The result is then cached. Using caching domain name servers eliminates the traffic that results from a zone transfer. Remote sites linked using a slow network link may employ caching domain name servers in preference to secondary name servers.


DNS Records


A DNS uses resource records to resolve host names and IP addresses. These records are stored in the DNS zone files. The following table lists some of the more common resource records.

Resource Type | Record Description
A     | Address record, associates a host name to an IP address. Used in forward lookups
CNAME | Canonical name record. Associates an alias with an existing host name
MX    | Mail exchange record, specifies the mail server for the domain
NS    | Name server record, specifies servers that can resolve names
PTR   | Pointer record, associates an IP address with a host name. Used in reverse lookups
SOA   | Start of authority record. Specifies the server that contains the zone files for the domain
SRV   | Service record. Specifies servers that provide special services

When you create a DNS zone, some resource records will be created automatically. If client computers on the network are using DHCP, and you are using the DNS that comes with Windows 2000, these clients will have records created in the DNS automatically. Microsoft refers to this as dynamic update. Third party DNS systems that do not support dynamic updating will require you to create records for the client computers and servers on your network.

Resolving a Client Request for a Computer Host Name

Each time a client needs to establish an IP connection to a host computer, the name of the host is resolved so the connection can be established. A client computer will first attempt to contact a DNS server to resolve the host computer name. If this fails, it may (if this option has been configured) try to resolve the name using a local hosts file. For instance, when a user enters a new URL into the address bar of their web browser, the client computer resolves it in the following manner.

1. The client sends the host name to the DNS server.
2. The DNS server attempts to resolve the host name to an IP address. If it cannot, it may forward it to another higher level DNS server, and so on until the name is resolved.
3. The DNS server returns the IP address of the requested host to the client, and saves the information in its local cache.
4. The client uses the IP address to establish a connection to the host computer.

If the connection to the DNS server is lost, or it goes off-line, the client computer will be unable to determine the IP address of any host, and thus unable to establish any connections. This explains why DNS is crucial in a TCP/IP network and why you should always use a secondary server in case of failure.
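The forward lookup, reverse lookup, forwarding and caching behaviour described in the DNS sections above, modelled in Python as an added example (this is not code from the course). ice.cit.ac.nz and 156.59.20.50 are the page's example host; the upstream server, the www.microsoft.com address (taken from the 203.0.113.0/24 documentation range), the CNAME and MX records and the reverse zone are constructed for the example. Forward lookup follows a CNAME alias to the canonical name, a name outside the server's zones is forwarded to the upstream server, successful answers are cached, and a reverse lookup is a PTR query for the reversed address under in-addr.arpa.

```python
"""Toy DNS resolution: forward lookup (A, following CNAME aliases), reverse
lookup via PTR records under in-addr.arpa, forwarding unknown names to an
upstream server, and caching of answers.  Added example, not the course's own
code; all records except ice.cit.ac.nz / 156.59.20.50 are constructed."""


def fqdn(name):
    """Normalise to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip):
    """156.59.20.50 -> 50.20.59.156.in-addr.arpa. (the PTR owner name)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


class DnsServer:
    def __init__(self, name, zones, forwarder=None):
        self.name = name
        # zones: {zone apex: {(owner name, record type): [rdata, ...]}}
        self.zones = {fqdn(z): {(fqdn(n), t): v for (n, t), v in recs.items()}
                      for z, recs in zones.items()}
        self.forwarder = forwarder   # server asked when this one is not authoritative
        self.cache = {}              # (name, type) -> answer, filled by earlier queries

    def zone_for(self, name):
        """Longest zone apex that the name falls under, or None."""
        matches = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def query(self, name, qtype):
        name = fqdn(name)
        key = (name, qtype)
        if key in self.cache:
            return self.cache[key]
        zone = self.zone_for(name)
        if zone is not None:
            records = self.zones[zone]
            answer = list(records.get(key, []))
            if not answer and qtype != "CNAME":
                # alias: resolve the canonical name for the requested type
                for target in records.get((name, "CNAME"), []):
                    answer.extend(self.query(target, qtype))
        elif self.forwarder is not None:
            answer = self.forwarder.query(name, qtype)   # not ours: forward it
        else:
            answer = []                                  # nobody to ask: resolution fails
        if answer:
            self.cache[key] = answer   # only successful answers are cached here
        return answer


def build_servers():
    """Constructed hierarchy: an upstream server that knows microsoft.com and
    the reverse zone, and the CIT server that is authoritative for cit.ac.nz."""
    upstream = DnsServer("upstream", {
        "microsoft.com": {("www.microsoft.com", "A"): ["203.0.113.10"]},
        "59.156.in-addr.arpa": {("50.20.59.156.in-addr.arpa", "PTR"): ["ice.cit.ac.nz."]},
    })
    cit = DnsServer("ns.cit.ac.nz", {
        "cit.ac.nz": {
            ("ice.cit.ac.nz", "A"): ["156.59.20.50"],
            ("www.cit.ac.nz", "CNAME"): ["ice.cit.ac.nz."],
            ("cit.ac.nz", "MX"): ["10 ice.cit.ac.nz."],
        },
    }, forwarder=upstream)
    return cit


def resolve_host(server, hostname):
    """Forward lookup: host name -> list of IP addresses."""
    return server.query(hostname, "A")


def resolve_ip(server, ip):
    """Reverse lookup: IP address -> list of host names."""
    return server.query(reverse_name(ip), "PTR")
```

A real resolver also honours TTLs and caches negative answers; both are left out so that the flow of a query from the local server to its forwarder and back stays visible.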


ACTIVE DIRECTORY
Windows 2000 introduces the concept of Active Directory, a large database/information store. One of the problems with the Windows NT 4 domain database concept is the inability to store additional information in the database. Another problem is that resources are located using Network Neighborhood, which is a slow way of locating a resource. Other problems relate to the management and administration of users and groups. These, and other issues, are addressed with Active Directory in Windows 2000.

What is Active Directory?


Active Directory is a scalable, extensible directory service designed to meet corporate needs. It is a repository for storing user information, accounts, passwords, printers, computers, network information and other data. Microsoft calls it a namespace, where names can be resolved.

What are the general features of Active Directory?


First off, Active Directory is searchable. This means a user can perform a search on Active Directory in a similar fashion to finding files on their computers, quickly locating user and resource information.

Secondly, applications can store and retrieve information from Active Directory. This means applications can make use of information stored in the Active Directory and modify their options accordingly. For example, an application could query Active Directory and present a modify option to users that belong to the Human Resources group, whilst non-HR users would not see this menu option.

Thirdly, information stored in Active Directory is arranged hierarchically, more closely matching the organizational and management structure of the organization, thus simplifying administration.

Fourthly, Active Directory lets administrators assign security rights to any object or group of objects in the directory.


In Active Directory, objects can be organized into classes (logical groupings of objects). Typical classes are computers and users.

What are Objects, Organizational Units, Trees and Forests?


An object is a distinct named set of attributes that represents a network resource. Typical objects are users, groups, computers and printers. Each object has a number of attributes. For example, the user object has attributes such as password, name, password length and e-mail address. Other attributes can be assigned by applications to any object. Objects are typically grouped into classes, such as groups (a number of user accounts), computers and printers. When objects are grouped together, they are placed into a container that holds the objects (it's like a desk drawer that holds a number of objects). An Organizational Unit (OU) is a container that holds objects. All objects in an OU can be administered as a single unit, so any policies or restrictions apply across the OU. Examples of objects that can be placed into an OU are user accounts, computers, printers, groups, file shares and applications.

Typically, an organization will create organizational units that resemble its organizational structure, having an OU for each department. Applying a set of policies or restrictions to an organizational unit applies it to all objects within that organizational unit. An object placed into a new organizational unit inherits all the policies and rights associated with that organizational unit. For instance, assume that the organizational unit HR has been assigned a particular software application called PEOPLEMANAGE. When a new user is created and assigned to the organizational unit HR, the software PEOPLEMANAGE is made available to them and automatically installed on their computer. If the user leaves HR, the software will be automatically removed from their computer. A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains. A forest is a grouping or hierarchical arrangement of one or more trees. Both are namespaces where names and properties of objects can be resolved. In this diagram, the tree comprises a contiguous namespace. The name of each child object in the tree contains the name of the parent domain. The forest is a disjoint namespace because a child object name and parent object name are not directly related.


In this diagram, the namespace of the tree on the left is CIT.COM and that of the other tree (the single domain on the right) is CITEC.COM. These are two distinct namespaces, but they can be joined together into a forest. A typical scenario where an organization might use a forest is a company merger, where the forest is made of the namespaces or domains of the separate divisions of the merged company. This allows each to retain its own administration and functions. Another feature is that it allows the creation of virtual teams by creating groups that have members from the different domains in each of the trees.

Reasons to use Organizational Units


An organizational unit provides a mechanism for administrative delegation. Policies can be applied across an organizational unit, so that any member inherits the policies of that OU.
Too many organizational units result in increased administration. There are a number of ways to create organizational units for an organization.


As organization units are easy to create, modify and delete, restructuring organizational units is a simple task.

How does Active Directory relate to domains?


With NT Server 4, the Primary Domain Controller held the master accounts database. If the PDC was off-line, no changes could be made to the database. When changes were made, they were replicated to the other BDCs in the network. In Windows 2000, there are no primary or backup controllers, just controllers. Each controller holds the Active Directory and changes are replicated to all other controllers as required.

Domain models in Windows NT 4 Server were used to store user and computer accounts. With Windows 2000, a domain is a partition in the namespace (Active Directory), and all controllers in the same domain contain the entire namespace for that domain (they can resolve any name within that domain). Security policies apply across domains, so domains are considered a bounded area in which policies can be applied and administered. If there are multiple domains, then the Active Directory namespace consists of a hierarchy of domains that have trust relationships with each other. Domain controllers each have identical databases that define the namespace for that domain, and replicate amongst other members of the same domain.

In Windows 2000, a domain can be implemented as a hierarchy of organizational units (containers that hold objects such as computers, users, printers and files). Permissions can be assigned at the OU level so that specific users or groups can create or modify objects within those organizational units. This results in improved granularity of administration compared to NT 4 domains. In summary then, domains in Windows 2000 are boundaries for

- security
- replication
- namespace
- administration


The Schema
The schema in Active Directory defines what objects and properties can be created in the active directory. The schema contains definitions for all the objects and attributes of objects that are installed when Windows 2000 is first installed. In addition, mechanisms are provided for applications to create new objects or extend the properties of existing objects already defined.

The Global Catalog


A new concept in Windows 2000 is the global catalog (GC). The global catalog holds all objects (and a subset of each object's properties) from all domains that are part of the Active Directory namespace. The global catalog functions a bit like a global address book, and is used for organization-wide searches. The first Windows 2000 Server installed in an organization is by default a global catalog server.

The System Volume


This is a folder structure that exists on all Windows 2000 domain controllers. The system volume holds scripts and group policy objects for the domains in the active directory. The scripts and group policy objects are replicated to other controllers using the file replication service. The system volume must be stored on an NTFS partition and the default location is systemroot\Sysvol.

Sites
An active directory site is a combination of one or more IP subnets that are linked using LAN technologies (in other words there is a high speed connection between the subnets of at least 512Kbps). Sites are used for two reasons

Replication
Replication of changes between domain controllers in the same site occurs after a 10-minute period (this is configurable). Active Directory creates a bi-directional ring topology of domain controllers involved in replication (this is also configurable). To ensure that the topology is not broken, the Knowledge Consistency Checker (a process that runs on all domain controllers) periodically checks the topology and automatically repairs it if necessary.

Location of network resources in close proximity

Clients can use sites to locate the resources that are close to them, minimizing network traffic over slow WAN links. When a client logs on to the network, the client receives from the domain controller its site membership, and whether the domain controller is the nearest to the client. If it is not the closest domain controller, the client can query for a domain controller that is closer. When a client computer is physically moved, it will use its old site information to locate a domain controller. It is then informed that the domain controller is not the closest one, so the client can then query the new site information it receives from the domain controller to locate a closer one. Sites are not part of the Active Directory namespace. They are created in order to optimize replication traffic and enable users to connect to local resources via high-speed connections. When the Active Directory is browsed, sites are not displayed.


LDAP (Lightweight Directory Access Protocol)


Active Directory implements a naming convention for all objects based on LDAP. DNS domain names are expanded to DC (domain component name) entries in the Active Directory. For instance, the DNS domain name of the object ICE.CIT.AC.NZ is expanded to

DC=ice,DC=cit,DC=ac,DC=nz,o=Internet

Clients can use LDAP to access and query objects in the Active Directory. Other protocols, such as HTTP (which allows querying of objects using a web browser), are supported by Active Directory.
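The expansion of a DNS name into DC= components, an object's distinguished name under an OU hierarchy, and the tree/forest distinction from the earlier section (a tree is a contiguous namespace in which each child name contains the parent's name; disjoint namespaces such as CIT.COM and CITEC.COM can only be joined as a forest), worked as an added Python example that is not part of the course material. ICE.CIT.AC.NZ and the o=Internet suffix follow the page's example; the OU names and user are constructed.

```python
"""Active Directory naming: DNS name -> LDAP DC= components, distinguished
names of objects inside organizational units, and contiguous (tree) versus
disjoint (forest) namespaces.  Added example, not the course's own code."""


def dns_to_dn(dns_name, suffix="o=Internet"):
    """ICE.CIT.AC.NZ -> DC=ice,DC=cit,DC=ac,DC=nz,o=Internet (suffix as on the page)."""
    labels = [label for label in dns_name.lower().strip(".").split(".") if label]
    dn = ",".join(f"DC={label}" for label in labels)
    return f"{dn},{suffix}" if suffix else dn


def object_dn(cn, ous, dns_domain):
    """Relative distinguished names run from the object outwards: the CN, then
    the innermost OU first, then the domain components."""
    rdns = [f"CN={cn}"] + [f"OU={ou}" for ou in ous]
    return ",".join(rdns) + "," + dns_to_dn(dns_domain, suffix=None)


def parse_dn(dn):
    """Split a DN back into (attribute, value) pairs, object first."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def is_child_domain(parent, child):
    """Tree rule: the child's DNS name contains (ends with) the parent's name."""
    p, c = parent.lower().strip("."), child.lower().strip(".")
    return c.endswith("." + p)


def namespace_relation(a, b):
    """Two domains either share a contiguous namespace (one tree) or are
    disjoint, in which case they can only be combined as a forest."""
    if is_child_domain(a, b) or is_child_domain(b, a):
        return "same tree"
    return "separate trees (join as a forest)"
```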

Domain Modes
Windows 2000 introduces a new way of organizing and managing networks. To interoperate with previous versions, it has to support Windows NT 4 domains, as well as the ability to replace these with the new mode of operation, Active Directory.

Mixed Mode
When a Windows 2000 Server is installed, it defaults to mixed mode. This allows the server to work with and support Windows NT 4 domains and servers.

Native Mode
To support native mode, all servers and domain controllers must be running Windows 2000. This fully implements Active Directory and all domain controllers become peers.

Trust relationships in Windows 2000

Active Directory supports the old style of non-transitive trusts used in Windows NT 4 domains. A trust is a link between two domains. Windows 2000 supports the Kerberos 5 protocol for authentication and authorization. By default, two-way transitive trusts are used in Windows 2000. When a new child domain is created in Windows 2000, it automatically establishes two-way trusts with the parent domain, and so inherits trust relationships with all the other existing child domains.


In this example, cit is the parent domain and has a two-way trust relationship with the child domain ee. Users can access resources in either domain provided they have been granted permissions. A new child domain is added, called its. This new domain now has a two-way trust with the parent domain cit, and because trusts are transitive in Windows 2000, by implication has a two-way trust with the ee domain. Using two-way transitive trusts means users in any domain can access the resources of all other domains in the tree.
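The one-way Sales/Production trust from the NT 4 section and the transitive cit/ee/its trusts above, modelled in Python as an added example (this is not code from the course). Trust edges run from the trusting domain to the trusted domain; an NT 4 graph only honours direct trusts, a Windows 2000 graph follows chains of trust; and reaching a resource additionally requires that one of the user's global groups has been nested in the local group granted on the resource, as in the Sales/Production diagram. The group names and the graph representation are this example's assumptions.

```python
"""Domain trust model: NT 4 one-way non-transitive trusts versus Windows 2000
two-way transitive trusts, plus the global-group-into-local-group pattern used
to grant access across a trust.  Added example, not the course's own code; the
domain names come from the page, everything else is constructed."""
from collections import deque


class TrustGraph:
    """trusts[trusting] is the set of domains whose accounts the trusting
    domain accepts (its trusted domains)."""

    def __init__(self, transitive):
        self.transitive = transitive
        self.trusts = {}

    def add_domain(self, name):
        self.trusts.setdefault(name, set())

    def add_one_way_trust(self, trusting, trusted):
        self.add_domain(trusting)
        self.add_domain(trusted)
        self.trusts[trusting].add(trusted)

    def add_two_way_trust(self, a, b):
        self.add_one_way_trust(a, b)
        self.add_one_way_trust(b, a)

    def trusts_accounts_from(self, resource_domain, account_domain):
        """Does resource_domain accept accounts from account_domain?"""
        if resource_domain == account_domain:
            return True
        direct = self.trusts.get(resource_domain, set())
        if not self.transitive:
            return account_domain in direct          # NT 4: only direct trusts count
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:                                 # Windows 2000: follow the chain
            for trusted in self.trusts.get(queue.popleft(), ()):
                if trusted == account_domain:
                    return True
                if trusted not in seen:
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def access_allowed(graph, user_domain, user_global_groups, resource_domain,
                   local_group_members):
    """A user reaches a resource when the resource's domain trusts the user's
    domain AND one of the user's global groups has been nested in the local
    group that was granted the resource.  Groups are (domain, name) pairs."""
    if not graph.trusts_accounts_from(resource_domain, user_domain):
        return False
    return bool(set(user_global_groups) & set(local_group_members))


def nt4_sales_production():
    """Production trusts Sales (one way), as in the page's diagram."""
    g = TrustGraph(transitive=False)
    g.add_one_way_trust("Production", "Sales")
    return g


def w2k_cit_tree():
    """cit parent with child domains ee and its, two-way transitive trusts."""
    g = TrustGraph(transitive=True)
    g.add_two_way_trust("cit", "ee")
    g.add_two_way_trust("cit", "its")
    return g
```

The second check in access_allowed is what keeps a trust from being an access grant by itself: trusting a domain only makes its accounts usable, and a resource is still reached only through a group that has actually been granted it.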

ADMINISTRATING ACTIVE DIRECTORY/1


In this section we will explore Active Directory and look at the management of user, computer and group accounts.

Group Types

In Windows 2000 Server, two main types of groups exist, security groups and distribution groups. Security groups are used to assign or deny permissions to resources. Distribution groups are mainly used by applications like Microsoft Exchange Server, and cannot be used for assigning or denying permissions to resources. An administrator typically uses security groups to administer the enterprise.


Group Scopes
The scope of a group determines who can be a member and where that group can be used in the enterprise. The following applies to native mode only.

Group Type | Scope
Local      | User accounts, global groups and universal groups from any domain in the forest, as well as local groups from the same domain.
Global     | User accounts and global groups from the same domain.
Universal  | User accounts, global groups and universal groups from any domain in the forest.

Universal groups are maintained in the global catalog and replicated to all other domain controllers. For this reason, the information in universal groups and the number of universal groups should be kept to a minimum to reduce network traffic. Limit membership to other groups rather than user accounts. Administrators should consider making groups that are relatively static and widely used within the organization into universal groups.

Strategy for using groups in Windows 2000 Server

The recommended strategy for using groups in Windows 2000 is to use both global and domain local groups. Place users into global groups and then place the global groups into domain local groups and assign permissions to the domain local groups.
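The native-mode scope rules from the table above and the recommended strategy (users into global groups, global groups into domain local groups, permissions on the domain local group), as an added Python example that is not part of the course material. The validator rejects memberships the scope table does not allow, and flatten() shows which users ultimately receive a permission granted to a domain local group. The domains, users, groups and share name are constructed.

```python
"""Group scope validation (native mode) and the A-G-DL-P strategy.  Added
example, not the course's own code; every name below is constructed."""
from dataclasses import dataclass, field


@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    kind: str                       # "user", "global", "domain_local", "universal"
    members: list = field(default_factory=list)


def may_contain(group, member):
    """Membership rules from the scope table (native mode only)."""
    if group.kind == "global":          # same domain: users and global groups
        return member.domain == group.domain and member.kind in ("user", "global")
    if group.kind == "universal":       # any domain: users, global, universal
        return member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":    # any domain, plus local groups of its own domain
        if member.kind == "domain_local":
            return member.domain == group.domain
        return member.kind in ("user", "global", "universal")
    raise ValueError(f"{group.name} is not a group")


def add_member(group, member):
    if not may_contain(group, member):
        raise ValueError(f"{member.kind} {member.domain}\\{member.name} cannot join "
                         f"{group.kind} group {group.domain}\\{group.name}")
    group.members.append(member)


def flatten(group, seen=None):
    """Every user reachable through nested membership, as DOMAIN\\name."""
    seen = set() if seen is None else seen
    users = set()
    for m in group.members:
        if m.kind == "user":
            users.add(f"{m.domain}\\{m.name}")
        elif id(m) not in seen:
            seen.add(id(m))
            users |= flatten(m, seen)
    return users


def agdlp_example():
    """Accounts -> Global groups -> Domain Local group -> Permission."""
    alice = Principal("alice", "sales", "user")
    bob = Principal("bob", "production", "user")
    sales_staff = Principal("Sales Staff", "sales", "global")
    prod_staff = Principal("Production Staff", "production", "global")
    report_readers = Principal("Report Readers", "production", "domain_local")
    add_member(sales_staff, alice)
    add_member(prod_staff, bob)
    add_member(report_readers, sales_staff)   # global group from another domain: allowed
    add_member(report_readers, prod_staff)
    permissions = {"\\\\prodsrv\\reports": {report_readers.name: "Read"}}
    return report_readers, permissions


def membership_violations():
    """Two placements the scope rules reject: a user from another domain in a
    global group, and a domain local group from another domain in a domain
    local group."""
    sales_staff = Principal("Sales Staff", "sales", "global")
    bob = Principal("bob", "production", "user")
    helpdesk_sales = Principal("Helpdesk", "sales", "domain_local")
    report_readers = Principal("Report Readers", "production", "domain_local")
    return [may_contain(sales_staff, bob), may_contain(report_readers, helpdesk_sales)]
```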

Default Local Security Groups

The Active Directory is built around a number of default containers that hold objects. The default local security group containers are

Container Name | Description | Members
Account Operators | Administer user and group accounts |
Administrators | Full unrestricted access | Administrator, Domain Admins, Enterprise Admins, NetShowServices
Backup Operators | Backup files on servers |
Guests | Same access as Users group | Domain Guests, Guest, TSInternetUser
Pre-Windows 2000 Compatible Access | Allows read access to all users and groups | Everyone
Print Operators | Administer printers |
Replicator | For file replication on domains |
Server Operators | Administer domain servers |
Users | General users | Authenticated Users, Domain Users, INTERACTIVE

The default domain local security groups are

Name | Description
DHCP Administrators | Administrative access to DHCP
DHCP Users | View only access to DHCP servers
DnsAdmins | DNS administrators
NetShow Administrators | Administrative access to Windows Media Services
RAS and IAS Servers | Servers in this group can access remote access properties of users
WINS Users | View only access to WINS servers

The default global security groups are

Name | Description
Cert Publishers | Enterprise certification and renewal agents
DnsUpdateProxy | DNS clients that need to perform dynamic updates on behalf of other clients
Domain Admins | Administrators of the domain
Domain Computers | All workstations and servers that are members of the domain
Domain Controllers | All domain controllers in the domain
Domain Guests | All domain guests
Domain Users | All domain users
Group Policy Creator Owners | Modify group policies for the domain

To support enterprise wide administration, Windows 2000 Server supports universal security groups that cross all domains and sites. The default universal groups are

Name | Description
Enterprise Admins | Administer the enterprise
Schema Admins | Administer the schema


ADMINISTRATING ACTIVE DIRECTORY/2

Active Directory Manager for Users and Computers
The tool an administrator or account manager uses to administer users and computers is Active Directory for Users and Computers. With this management tool, you can create new organizational units, user and group objects and change their properties. Policy templates (which control settings for users and software) can be applied to organizational units.

Properties for user accounts

When a user account is selected, the properties that can be managed for that user can then be accessed. A delegated manager of the user can alter properties for that user. Properties such as logon hours, password settings, scripts and policies can be applied. In Active Directory, the amount of information about a user is significantly enhanced compared to Windows NT 4 domains. Phone numbers, locations and organizational information can also be stored in Active Directory. This information can then be accessed by Active Directory enabled applications, such as HR and Finance/Payroll applications.

Group Policies

A policy is a group of settings that can be applied to a site, domain or organizational unit. Typical settings include logon scripts, rights and desktop settings. Other parameters such as software applications can also be defined. It is possible to allocate a specific application package using a policy. When a new member logs onto the computer, they will be given access to this new software application. If the software does not currently reside on the computer, it can be automatically installed. When the user is removed from the group that the policy is applied to, the software will be removed the next time the user logs onto the computer. Group policy settings are refreshed on client computers every 90 minutes (plus or minus 30 minutes), and on domain controllers every 5 minutes. A user must log on to a client computer for specific group policy settings to be applied (such as software installation).

Group Policy Extensions

There are six group policy extensions that can be applied to group policies. The Microsoft Management Console is used to define group policy settings.

Group Policy Extension | Description
Administrative Templates | Control registry based settings, desktop settings, and system services.
Security Configuration Editor | Configure security levels, IP security and public key policies.
Software Installation | Control software installation, updating and removal.
Scripts | Assign scripts for startup, logon, logoff and shutdown.
Folder redirection | Specify which user folders to redirect to network share folders.
Remote installation | Configure computer naming conventions and operating system services selections.

Group Policy Objects

A group policy object is a holder for the group policy settings. It comprises two elements.

Group Policy Container | This is an Active Directory object that holds sub-containers for group policy information about users and computers.
Group Policy Template | This is a hierarchy of folders stored on domain controllers in the SysVol folder. It holds all group policy information about administrative templates, security, software installations, scripts and folder redirections.

Group Policy Priority

When a group policy object is created, it is associated with a site, domain or organizational unit. Child containers of Active Directory objects inherit the group policy objects of their parent containers. Group policies are inherited and are cumulative. Windows 2000 applies the group policy object associated with the highest-level object in the Active Directory first, proceeding down the tree to the lowest object last. Thus parent group policy objects are applied before the child's. In this way, lowest level group policy objects can override higher level ones. If a setting is applied in a parent group policy object, and that same setting is not specified in the child group policy object, then that setting is inherited by the child group policy object and applied. If a setting is applied in a parent group policy object that conflicts with the same setting in the child group policy object, then that setting is not inherited by the child group policy object and the setting for the child group policy object is applied.
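The inheritance rule just described (highest-level container first, lower containers override, a setting left Not Configured in the child is inherited from the parent) and the processing sequence given in the next section, as an added Python example that is not part of the course material. The site, domain and OU names, the settings and the PEOPLEMANAGE package are constructed or taken from the page's earlier HR example; real group policy also has link ordering, Block Inheritance and No Override, which are not modelled here.

```python
"""Group policy inheritance down site -> domain -> OU, and the order in which a
client processes GPO settings.  Added example, not the course's own code."""

NOT_CONFIGURED = None   # a setting the GPO leaves unspecified, so the parent's value is kept


def effective_policy(chain):
    """chain: (container, {setting: value}) pairs ordered from the highest-level
    object (site) down to the lowest OU.  Parent GPOs are applied first, so a
    value configured lower down overrides one configured higher up; a setting
    that is Not Configured in a child is inherited from its parent."""
    effective, decided_by = {}, {}
    for container, settings in chain:
        for setting, value in settings.items():
            if value is NOT_CONFIGURED:
                continue                      # inherit: do not touch the parent's value
            effective[setting] = value        # child overrides parent on conflict
            decided_by[setting] = container
    return effective, decided_by


def processing_order(computer_settings, startup_scripts, user_settings, logon_scripts):
    """Sequence in which GPO settings take effect on a client: computer settings
    at power-on, then startup scripts one at a time, then user settings at
    logon, then logon scripts."""
    events = [("computer settings", computer_settings)]
    events += [("startup script", s) for s in startup_scripts]
    events.append(("user settings", user_settings))
    events += [("logon script", s) for s in logon_scripts]
    return events


def example_chain():
    """Constructed containers: a site, the cit domain and the HR OU."""
    return [
        ("site HeadOffice", {"Minimum password length": 8,
                             "Wallpaper": "corporate.bmp"}),
        ("domain cit", {"Minimum password length": 10,
                        "Disable Control Panel": False}),
        ("OU HR", {"Wallpaper": "hr.bmp",
                   "Disable Control Panel": NOT_CONFIGURED,
                   "Install PEOPLEMANAGE": True}),
    ]
```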

Processing of Group Policy Object Settings

GPO settings are processed in the following order:

1. When the computer is turned on, the group policy settings for computers are applied.
2. Startup scripts are executed next, and run one at a time until they have all completed.
3. Group policy settings for users are applied when a user logs on.
4. After the user has logged on, logon scripts are executed.

Delegating Control of an object

In Windows 2000 Server, control of objects such as users, groups, folders, and organizational units can be delegated to other users or groups. This means a teacher can manage student objects, giving them access to resources or resetting their passwords in the event of problems. An administrator must decide on the delegation controls required for the organization and construct organizational units and groups accordingly. A lot of day to day administration work can be effectively offloaded by delegating control to other sub-managers.


Active Directory Permissions

All objects in the Active Directory such as domains, computers, users, groups, folders and organizational units have security permissions associated with them. Administrative privileges may be assigned to any user or group for any object in the Active Directory.

Windows 2000 uses a Discretionary Access Control List (DACL) to hold a list of user access permissions for each object. A DACL specifies the users that can manage the object and what actions they can perform on that object.

Effective permissions | A user could belong to multiple groups, each group with different rights to the managed object. The effective permissions are a combination of all the inherited rights. For example, if one group membership specifies read, and another group membership specifies write for the same object, the effective permissions are read and write.
Allow and Deny Permissions | Deny permissions take precedence over allow permissions. For example, if one group membership specifies read, and another group membership specifies deny for the same object, the effective permissions are deny.
Standard and Special Permissions | The standard permissions are composed of Full Control, Read, Write, Create/Delete Child Objects. Special permissions can provide a more precise degree of administrative control.


Review Questions

1. Mr. Saleem has been assigned the task of backing up the files on a domain controller. Which group should Mr. Saleem be assigned to?
2. Mr. Jamal sits nearest the printer in reprographics. It has been decided for Susan to manage the printer. Which group should Mr. Jamal be assigned to?
3. A special user account has been created so that files can be transferred automatically between domain controllers. Which group should this account be assigned to?
4. Mr. Jamal is a teacher that looks after a group of students. They often forget their account passwords, and it has been decided that Mr. Jamal should be able to reset this information for the students under her control. How might this be achieved in Windows 2000?

SECURITY AND PERMISSIONS/1

In this section we look at sharing resources such as files and folders on the network. This involves looking at security and sharing data.

NTFS FILE SECURITY

This section discusses NTFS file and folder security. Windows Explorer can be used to set and modify permissions at the hard drive level on files and folders. In addition, the administrator (or a delegated user with sufficient privilege) can use the administrative tool Computer Management or Windows Explorer to create and share resources. When Windows 2000 Server is installed, the security settings (permissions) on the files are set at the root directory level as Everyone, Full Control. This gives rights to every user to perform any action on any file or folder.

When a sub-folder is created, it inherits the permission settings from the parent folder (usually Everyone, Full Control). An administrator may decide to alter the permissions for a parent folder to be more specific or to exclude certain groups of users. In order to alter permissions on a file or folder, you must have either

  full control access to the resource
  change permission rights
  ownership of the resource

NTFS File Permissions

These permissions define how a file can be used and accessed. The predefined file access permissions are

  Deny Access
  Modify
  Read and Execute
  Full Control
  Read
  Write

Each of the above permissions is a grouping of a number of special permissions. The table below summarizes each of the rights associated with the file permissions defined above. Its columns are Full Control, Modify, Read & Execute, Read and Write, and its rows are the special permissions:

  Traverse Folder/Execute File
  List Folder/Read Data
  Read Attributes
  Read Extended Attributes
  Create Files/Write Data
  Create Folders/Append Data
  Write Attributes
  Write Extended Attributes
  Delete Subfolders and Files
  Delete
  Read Permissions
  Change Permissions
  Take Ownership
  Synchronize

When an NTFS partition is created, Windows 2000 Server assigns Full Control rights to the group Everyone. This means all users (including network users) have unrestricted access to any data stored on that partition. Network Administrators might alter these settings to provide additional security. Please note that users would be required to either have access to the local computer (and if it is a domain controller, they do not have logon rights by default), or a network share that has been created which gives the users access permissions.

NTFS Folder/Directory Permissions

Folders or directories have essentially the same permissions as files, such as Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions is a grouping of a number of special permissions. Setting permissions on a folder alters the existing permissions on that folder, and all the files in that folder. Subfolders are not affected (this is a selectable option). New files or sub-folders inherit the parent folder's permission settings. The following table defines the permissions associated with folders. Its columns are Full Control, Modify, Read & Execute, List Folder Contents, Read and Write, and its rows are the special permissions:

  Traverse Folder/Execute File
  List Folder/Read Data
  Read Attributes
  Read Extended Attributes
  Create Files/Write Data
  Create Folders/Append Data
  Write Attributes
  Write Extended Attributes
  Delete Subfolders and Files
  Delete
  Read Permissions
  Change Permissions
  Take Ownership
  Synchronize

Folder and File Auditing

Windows 2000 Server provides auditing of file and folder access on NTFS partitions. When auditing is enabled, an event detailing the type of access is written to the Security log, which can be viewed using Event Viewer. Both successful and unsuccessful attempts can be audited. It should be noted that the event logs can fill up quickly, and the performance of the server can be affected if excessive auditing is done. Auditing is not enabled by default when Windows 2000 Server is installed. It must be enabled on the local computer (server or domain controller) before audit events can be logged. When an audit event occurs, it is written to the Security log. Audit events in the Security log are viewed using Event Viewer. The following dialog box shows the available audit options for a file (there are similar audit options for folders).

List of Possible Audit Events

  Traverse Folder
  List Folder/Read Data
  Read Attributes
  Create Files/Write Data
  Create Folders/Append Data
  Write Attributes
  Write Extended Attributes
  Delete Subfolders and Files
  Delete
  Read Permissions
  Change Permissions
  Take Ownership

If auditing is already enabled on a directory, any new files or subdirectories created in that directory are also subject to auditing. This can be overridden using group policy settings. Auditing can also be applied to any object in Active Directory, such as users, groups, computers and organizational units. This allows an administrator to determine not only who accesses files and folders, but also to monitor changes to objects within Active Directory.
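As an added example of what an administrator does with the Security log once file auditing is enabled, the Python below parses a handful of constructed audit records and picks out the users with repeated failed access attempts and the successful permission or ownership changes that deserve review. This is illustration code, not part of the course notes or of Windows; the one-line-per-event layout, the user names and the paths are assumptions made for the example and are not the real Event Viewer export format.

```python
"""Added example: reviewing file/folder audit events after auditing is enabled.
The log layout below is a constructed simplification for the example, not the
real Security log export format; the users and paths are made up."""
import re
from collections import Counter

# Constructed sample audit records: timestamp, result, user, object, access type.
SAMPLE_LOG = [
    r"2001-03-12 09:14:02 Success Audit user=Jamal object=D:\Finance\budget.xls access=Read",
    r"2001-03-12 09:14:09 Failure Audit user=Saleem object=D:\Finance\budget.xls access=Delete",
    r"2001-03-12 09:14:11 Failure Audit user=Saleem object=D:\Finance\payroll.xls access=Write",
    r"2001-03-12 09:14:15 Failure Audit user=Saleem object=D:\Finance\payroll.xls access=Take Ownership",
    r"2001-03-12 09:20:40 Success Audit user=Administrator object=D:\Finance access=Change Permissions",
    r"this line is not an audit record and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>Success|Failure) Audit "
    r"user=(?P<user>\S+) object=(?P<object>.+?) access=(?P<access>.+)$"
)

# Access types that change who may use an object; successful ones deserve review.
SECURITY_CHANGING = {"Change Permissions", "Take Ownership"}


def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match the layout are ignored."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def failures_by_user(events):
    """Count unsuccessful access attempts per user."""
    return Counter(e["user"] for e in events if e["result"] == "Failure")


def users_over_threshold(events, threshold=3):
    """Users whose failed attempts reach the threshold (either probing of files
    they are not permitted to use, or a permission that is set up wrongly)."""
    return sorted(u for u, n in failures_by_user(events).items() if n >= threshold)


def successful_security_changes(events):
    """(user, object) pairs where permissions or ownership were actually changed."""
    return [(e["user"], e["object"])
            for e in events
            if e["result"] == "Success" and e["access"] in SECURITY_CHANGING]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("failures per user:", dict(failures_by_user(events)))
    print("users to review:", users_over_threshold(events))
    print("security changes:", successful_security_changes(events))
```

The threshold is deliberately low for the sample; on a real server it is tuned against the volume of normal failures, and the same two questions (who keeps failing, and who changed permissions or took ownership) are what the Security log is enabled to answer.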

File Copying and File Moving

When a file is copied, it inherits the file permissions of the receiving folder. When a file is moved, it keeps its existing permissions and owner settings.

Shared Network Resources

An administrator uses the Computer Management tool to create and publish shared resources. System tools is used to manage shared folders. Windows Explorer can also be used to share folders.

An administrator creates a folder and stores files within that folder for public use. When the folder is shared, users can connect across the network and access the files within the folder, provided they have the correct permissions. Windows Explorer or Computer Management can be used to share folders.

Creating a shared resource


To create a new share, the administrator selects the option New File Share. This starts the Create Shared Folder Wizard, and here the administrator specifies the folder and location of the shared resource.

After entering the location and share name, you are prompted to set the security permissions to either allow or deny access to this resource. Using the Customize option, an administrator can set permissions for specific users or groups.

Removing a Shared Resource

To stop sharing a resource, an administrator can right-click on the share listed and select Stop Sharing from the list. This removes the share (the folder and files remain intact) so that it can no longer be accessed across the network.

Publishing Shared Network Resources in Active Directory

Windows 2000 Server based networks make it easy for users to find resources. An administrator can publish the shared network resource in Active Directory, making it easy for the user to locate the resources they need.

An administrator enters the shared folder name and its location. Once this is entered, the shared folder appears in the domain tree.

Finding a shared resource in Active Directory


Once an administrator has published the resource in Active Directory, a user can locate the resource quickly using the My Network Places tool.

Double-click Add Network Place to open up the Add Network place wizard and click browse.

Expand the directory icon, and keep expanding the tree until you locate the desired resource.

Distributed File System

Microsoft introduced Distributed File System (DFS) during the later part of Windows NT4 Server as a means of presenting network resources in a better way. Prior to DFS, a user used to browse the network for resources. These resources were located on computers, so a user first had to locate the right computer (often from a huge list) and then the right resource. DFS displays the available network resources as a single hierarchical structure or list. The resources in the DFS tree can be located on any computer in the network. The DFS tree is made up of a root node and many child nodes, each of which can point to a shared resource. There are two types of DFS:

  Stand Alone: information is stored on a stand-alone computer
  Fault tolerant: information is stored in Active Directory

Users can locate resources using the DFS tree. This makes the navigation and location of resources easier. From an administration view, if a server fails, the resource can be created on a new server and the DFS child node updated accordingly. There are no changes for the user as they still access the same child node in the DFS tree; it just points them to a new location.

NTFS User and Group Permissions for Folders and Files

Permissions for resources under Windows 2000 Server can be assigned to individual users, groups or organizational units (check this statement). These permissions exist on the disk at the file level and are known as NTFS permissions. They can be managed using Windows Explorer. It is important to understand how conflicting sets of permissions interact in providing an overall set of permission rights. The following criteria are applied to permissions

  user and group permissions at the file level are cumulative
  any permission specifying No Access results in a cumulative permission of No Access
  if the permissions are not explicitly specified, the result is denial of access

Consider the following table, where the user Jamal [who belongs to the group WebAdmins] has Change rights to a resource that the group WebAdmins has No Access to.

  Jamal     WebAdmins    Jamal's Effective Rights
  Change    No Access    No Access

In the next case, Jamal has explicit Read access to the resource. The group WebAdmins, to which Jamal belongs, has Write access to the resource.

  Jamal     WebAdmins    Jamal's Effective Rights
  Read      Write        Read and Write

Local Permissions and Shared Permissions

Where permissions are assigned at the NTFS file or folder level, and that folder is shared across the network as a share point, remote access to the resource is governed first by the permissions on the share and then by the NTFS permissions. The effective permission is the least (most restrictive) of the two; they are not cumulative, as in the previous example. Remember that when an NTFS partition is created, the group Everyone has Full Control rights. Any files or folders then created inherit these permissions unless explicitly changed. When assigning a new share, the default setting in Windows 2000 Server is to allocate Full Control rights to the group Everyone. This matches the default rights that exist on the NTFS file system. The administrator can restrict the permissions at the share level, without having to change those on the NTFS file system. As long as the users do not have logon rights to the computer where the resource is located [access is only across the network], the resource is secured. Consider the following table, where the user Jon has the following rights.

  Share Level    NTFS Level      Effective Rights
  Read           Full Control    Read
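The three permission rules this part of the notes describes (cumulative user and group NTFS rights, a No Access entry winning and an unspecified permission meaning denial, and share-level versus NTFS-level access being the least of the two rather than the sum) can be checked with a small model. The Python below is an added example, not code from the course notes or from Windows; the individual rights behind each named level, the Ace class and the sample principals (Jamal, WebAdmins, Jon, Everyone) are constructed simplifications for illustration.

```python
"""Added example: a model of how Windows 2000 combines permissions.
Rules taken from the course notes:
  * NTFS user and group permissions are cumulative (union of what is allowed),
  * a No Access (deny) entry takes precedence over any allow,
  * if nothing is explicitly specified, the result is denial of access,
  * share-level and NTFS-level permissions are not cumulative: the effective
    remote permission is the least (most restrictive) of the two.
The rights behind each named level and all principals are constructed samples."""
from dataclasses import dataclass

# Constructed simplification: which individual rights each named level grants.
LEVELS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Change": frozenset({"read", "write", "delete"}),
    "Full Control": frozenset({"read", "write", "delete",
                               "change permissions", "take ownership"}),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal (user or group) and a level.
    The level "No Access" models an explicit deny."""
    principal: str
    level: str


def ntfs_effective(user, groups, acl):
    """Cumulative NTFS rights for `user`, who belongs to `groups`."""
    principals = {user, *groups}
    rights = set()
    for ace in acl:
        if ace.principal not in principals:
            continue                      # entry is for someone else
        if ace.level == "No Access":
            return frozenset()            # deny wins over every allow
        rights |= LEVELS[ace.level]       # allows accumulate
    return frozenset(rights)              # empty when nothing matched


def remote_effective(user, groups, share_acl, ntfs_acl):
    """Access through a network share: the least of the share and NTFS rights,
    computed as the intersection of the two rights sets."""
    return ntfs_effective(user, groups, share_acl) & ntfs_effective(user, groups, ntfs_acl)


def describe(rights):
    """Name a rights set: a named level if it matches one exactly,
    otherwise the individual rights joined with 'and'."""
    if not rights:
        return "No Access"
    for name, granted in LEVELS.items():
        if granted == rights:
            return name
    return " and ".join(sorted(rights))


if __name__ == "__main__":
    jamal = ("Jamal", {"WebAdmins"})
    # First table: Jamal has Change, WebAdmins has No Access -> No Access
    print(describe(ntfs_effective(*jamal, [Ace("Jamal", "Change"), Ace("WebAdmins", "No Access")])))
    # Second table: Jamal has Read, WebAdmins has Write -> read and write
    print(describe(ntfs_effective(*jamal, [Ace("Jamal", "Read"), Ace("WebAdmins", "Write")])))
    # Third table: share Read, NTFS Full Control -> Read
    print(describe(remote_effective("Jon", {"Everyone"},
                                    [Ace("Everyone", "Read")], [Ace("Everyone", "Full Control")])))
```

Modelling each level as a set of rights rather than a single rank is what makes both rules fall out naturally: cumulative allows are a set union, and the share/NTFS combination is a set intersection, which is exactly "the least of the two" when one level does not strictly contain the other.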

Taking Ownership of Files

Under Windows 2000 Server, the person who creates a directory or file becomes the owner of that file or folder. The owner can grant others the right to take ownership of the files or folders that they created and own [but cannot directly assign ownership]. An administrator can take ownership of a resource at any time, and if they do so, they become the new owner. The owner of the resource has permission rights to change the permissions on that resource. When an administrator takes ownership of a resource like a file or folder, all the existing permissions for that resource are reset.

Security Rights for Active Directory Objects

Just as security and permissions can be applied to files and folders, security permissions are applicable to any object in active directory. This includes organizational units, users and groups.

In this example, the security rights associated with Administrators for the organizational unit Sales indicate that administrators have the following rights

  Read
  Write
  Create All Child Objects

Additional permissions can be applied by clicking on the Advanced button.

By applying security rights to active directory objects, you can delegate administrative control as well as restrict access to objects or specific properties of objects.

SUPPORTING USERS/1

This section deals with the administration of users. This involves the assigning of network folders for users to store files. In addition, the creation and application of policies that determine user settings, including available software applications, is discussed. Finally, the issue of limiting disk space usage by users is covered by the use of disk quotas.

GROUP POLICIES

A group policy is a configuration that can be applied to users, groups, organizational units and domains. Group policies are a means of enforcing standard settings and configurations across a group of users. In Windows 2000, group policies are much improved over the equivalent system policies of Windows NT 4. Group Policies allow both Computer and User configuration. The following table indicates some of the features that can be controlled.

Computer Configuration
  Software Settings
    Software Installation
  Windows Settings
    Scripts (Startup and Shutdown)
    Security Settings: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, File System, Public Key Policies, IP Security Policies
  Administrative Templates
    Windows Components: NetMeeting, Internet Explorer, Task Scheduler, Windows Installer
    System: Logon, Disk Quotas, DNS Client, Group Policy, Windows File Protection
    Network: Offline Files, Network and Dial-Up Connections
    Printers

User Configuration
  Software Settings
    Software Installation
  Windows Settings
    Internet Explorer Maintenance
    Scripts (Logon and Logoff)
    Security Settings
    Remote Installation Services
    Folder Redirection: Application Data, Desktop, My Documents, Start Menu
  Administrative Templates
    Windows Components: NetMeeting, Internet Explorer, Windows Explorer, Microsoft Management Console, Task Scheduler, Windows Installer
    Start Menu and Taskbar
    Desktop
    Control Panel: Add/Remove Programs, Display, Printers, Regional Options
    Network: Offline Files, Network and Dial-up Connections
    System: Logon/Logoff

Group Policy

The purpose of using group policies is to ensure the correct settings (security, software and configuration) for users in the organization. In addition, setting restrictions for group policies ensures that users cannot modify specific settings or install unauthorized software, often a cause of help desk inquiries and a factor in total cost of ownership. The following screen shot illustrates some of the options that can be configured. In the example, under User Configuration, the Run command has been disabled from the Start menu, a Logoff option has been added and the user's history of recently used documents is cleared when they log off.

Policies can be created using Active Directory for users and computers. When the properties of a domain, organizational unit or group are viewed, a Group Policy tab is available. To create a new group policy, click on the New button. This will then display the group policy editor where the various settings can be specified. In addition, note the Block Policy Inheritance check box. Policies apply from the highest level in the domain down. If you do not want to inherit the policies from the higher levels, enable this option.
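To show how policies apply from the domain down and what the Block Policy Inheritance check box does, here is an added Python model; it is not code from the course notes or from Windows, and the container names (pitc.local, Staff, Lab, Students) and setting names are constructed. It covers only the behaviour the text describes: each lower container overrides any setting it repeats from a higher one, and a container with inheritance blocked starts from a clean slate.

```python
"""Added example: how group policy settings combine from the domain down, with
the Block Policy Inheritance option. Container names and settings are made up;
only the behaviour described in the course notes is modelled."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Container:
    """A domain or organizational unit with the settings of the policy linked to it."""
    name: str
    policy: dict = field(default_factory=dict)
    block_inheritance: bool = False
    parent: Optional["Container"] = None


def applied_chain(container):
    """Containers whose policies apply to `container`, highest level first.
    Walking upward stops at the first container that blocks inheritance."""
    chain = []
    node = container
    while node is not None:
        chain.append(node)
        if node.block_inheritance:
            break                       # nothing above this point is inherited
        node = node.parent
    return list(reversed(chain))


def effective_policy(container):
    """Merge settings top-down so that a lower container overrides any
    setting it repeats from a higher one."""
    settings = {}
    for node in applied_chain(container):
        settings.update(node.policy)
    return settings


# Constructed sample hierarchy: a domain with two organizational units, one of
# which blocks inheritance and has a child unit of its own.
DOMAIN = Container("pitc.local", {"DisableRunMenu": True, "AddLogoffToStartMenu": True})
STAFF = Container("Staff", {"DisableRunMenu": False}, parent=DOMAIN)
LAB = Container("Lab", {"ClearRecentDocsOnExit": True}, block_inheritance=True, parent=DOMAIN)
STUDENTS = Container("Students", {"DisableRunMenu": True}, parent=LAB)


if __name__ == "__main__":
    for ou in (DOMAIN, STAFF, LAB, STUDENTS):
        names = [c.name for c in applied_chain(ou)]
        print(f"{ou.name}: policies from {names} -> {effective_policy(ou)}")
```

Blocking inheritance on Lab means Students still receives Lab's settings (the block only cuts off what is above Lab), while Staff keeps the domain-wide logoff option but reverses the Run menu setting it repeats.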

USER HOME DIRECTORIES

Often, for security or other reasons, decisions are made to provide server-based file storage for users. In Windows 2000 Server, these directories may be on any server in the network, and using Active Directory Users and Computers, it is possible to pre-connect a user to a specific directory at logon time. This is useful where users tend to use more than one computer in a network. An administrator creates a folder for a user on a network server. This folder is then shared with the appropriate security permissions. Using Active Directory Users and Computers, the user's profile is changed so that a drive mapping to their network folder is automatically created when they log on. When a home directory is specified for a user using Active Directory Users and Computers, that directory with the correct permissions is automatically created [provided access is granted to perform the creation]. The home directory can reside on the local computer [choose Local Path], or reside on a server in the domain [choose Connect x: to sharename].

Home directories on servers allow users to store their files securely and safely. This helps reduce the cost of client computers (less drive space is required on the client computer) and is ideal for roaming users who use different computers throughout the organization (for example mobile users or students). In addition, as the files are stored on a server, they can be secured against corruption by using disk strategies such as RAID drive arrays and effective daily archival procedures.

SCRIPTS

The four types of scripts available are

  computer startup
  logon
  logoff
  computer shutdown

These scripts can be applied through a group policy setting. If you want a common script to be shared by a number of users, use a group policy to do this. In addition to the four general scripts above, Windows 2000 also supports the individual log on scripts for users that were available in Windows NT 4.
In this example, the logon script Startmeup.cmd has been applied to the user Joe.Smith. The script will execute when Joe.Smith logs onto the computer. However, the script must reside in the Netlogon share of the domain controller that validates the logon request (no different from Windows NT 4). Administrators must copy the script to the Netlogon share.

The four scripts for group policies are new in Windows 2000, and you need to create a group policy in order to access them. This is done using Active Directory Users and Computers. Creating a group policy was explained earlier. The Logon and Logoff scripts are under User Configuration and the Startup and Shutdown scripts are under Computer Configuration.

Logon Script Variables

Within scripts, a number of variables are supported. These allow script designers to take advantage of parameters rather than specific instances, such as %USERNAME% rather than Jamal.Khan. This makes the script more generic and applicable to any user, rather than having to write a script for each user. Some of the variables are

  %HOMEDRIVE%    The drive letter connected to the user's home directory, if any
  %HOMEPATH%     The full path to the user's home directory, if any
  %OS%           The operating system running on the user's computer
  %PROCESSOR%    The processor type of the user's computer, e.g., INTEL
  %USERDOMAIN%   The domain name
  %USERNAME%     The username of the user logging on

DISK QUOTAS

New in Windows 2000 is the ability to restrict available disk space to groups of users. Disk quotas are enabled using Active Directory Users and Computers. They are applied as part of a group policy.

Disk quotas are located under Computer Configuration, Administrative Templates, System, Disk Quotas. You can also specify the disk limit available and whether users reaching the limit should be logged in the event log.

This is one method administrators can use to restrict disk space for a group of users. This ensures that a server will not run critically low on available disk space.

FOLDER REDIRECTION

Another option available with group policies is the ability to redirect folders to network locations. This ensures that documents and other settings such as Start menus are always available to groups of roaming users. Folder redirection is part of group policies, and is under User Configuration, Windows Settings, Folder Redirection. The folders that can be redirected are Application Data, Desktop, My Documents and Start Menu. If you wanted all users in a particular group to have the same menu, you could create a group policy for those users and redirect their Start menu to a menu stored on a server. When the users log on, the group policy would be applied and their Start menu would be taken from the specified location, rather than the local computer. Folder redirection allows administrators to store roaming users' documents and menu settings on the server so they are always available. In addition, a common Start menu can be given to a group of users.

Summary

The purpose of using group policies is to ensure the correct settings (security, software and configuration) for users in the organization. In addition, setting restrictions for group policies ensures that users cannot modify specific settings or install unauthorized software, often a cause of help desk inquiries and a factor in total cost of ownership. Home directories on servers allow users to store their files securely and safely. This helps reduce the cost of client computers (less drive space is required on the client computer) and is ideal for roaming users who use different computers throughout the organization (for example mobile users or students). In addition, as the files are stored on a server, they can be secured against corruption by using disk strategies such as RAID drive arrays and effective daily archival procedures. Disk quotas are a method administrators can use to restrict disk space for a group of users. This ensures that a server will not run critically low on available disk space. Folder redirection allows administrators to store roaming users' documents and menu settings on the server so they are always available. In addition, a common Start menu can be given to a group of users.


MANAGING SOFTWARE APPLICATIONS/1

New in Windows 2000 is the ability to manage software in the organization. Administrators can configure applications to be automatically installed when required, or removed from access by a user who no longer requires the application. The installation and removal of software applications works by using Group Policies and Active Directory. The new Microsoft Installer program uses a special .MSI file to install and remove applications. Existing packages that do not support MSI can be installed using .ZAP files.

The Difference Between Assigning and Publishing Software

An administrator can either assign or publish software applications.

Assign to Users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.

Assign to Computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to Users: The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

When an administrator assigns or publishes a software application using a group policy, an application assignment script (.ASS file) is generated and stored with that group policy. This script contains the advertisement information.

Requirements for Software Installation

The software package that is being managed requires an appropriate Windows Installer package. The administrator creates a shared folder (called a software distribution point) on the network that contains the program files, packages and Windows installer file (.MSI). Users require read access to the software distribution point, as well as write access to the target location where the software will be installed.


Package Modification Files

Modification files have an .MST extension and allow different custom installations for the same application. For example, an administrator could create a number of custom installations for Microsoft Word, based on the needs of the various departments within the organization. Each of the departments would have their own group policy that specified a different MST file.

Software Installation Default Options

The software package to install is associated with a group policy. This requires accessing the group policy and selecting either the Computer or User Configuration section. If everyone requires the software, it can be assigned to computers. If only selected users in the organization require access to the software, it is better to assign the software to users. To add a new software application, access the Software Installation option under Software Settings and select New (right-click to access the associated menu). The General tab lets you specify where the application is located. This is the .MSI file for the application. It will have already been placed on a network share to which the users will require read access. Other options allow you to assign or publish the application, and uninstall the application.

The File Extensions tab allows an administrator to set up automatic installation of the application based on filename extension.


Publishing non-MSI Programs

If the software application you intend to use does not have a supporting .MSI file, it can still be published. However, it can only be published to users, not computers. The application will be installed using the setup program that comes with the application. To publish a non-MSI program to users, you need to create an associated .ZAP file for the application. This zap file provides the necessary information to install the application. Users require the necessary rights to be able to install the application on the local computer. Published software cannot automatically reinstall itself in the event of a problem.

ZAP File Format

A ZAP file is a simple text file (created using Notepad) and has two main sections.

  Application: This includes information on how to install the program. It must include the FriendlyName and SetupCommand tags. Other tags are DisplayVersion, Publisher and URL.

  File Extension: This section is optional and associates the application with file extensions.

An Example ZAP File

The following is an example ZAP file used in one of the exercises to install WINZIP.

  [Application]
  FriendlyName = Win Zip
  SetupCommand = winzip80.exe
  DisplayVersion = 8.0
  Publisher = WinZip
  URL = http://www.winzip.com
  [Ext]
  ZIP=
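A ZAP file follows the INI-style layout of the example above, so its required tags can be checked before the package is published. The Python below is an added example, not from the course notes or from Microsoft's tooling: it reads the WinZip example with the standard configparser module, reports a missing FriendlyName or SetupCommand tag, and collects the extensions listed under [Ext]. The checks are only those the notes state (the two required tags and an optional [Ext] section); nothing else about how Windows processes a ZAP file is assumed.

```python
"""Added example: validating a ZAP file before publishing a non-MSI program.
Uses the standard configparser module; the sample file is the WinZip example
from the notes, and the checks are the ones the notes describe."""
import configparser

REQUIRED_TAGS = ("FriendlyName", "SetupCommand")
OPTIONAL_TAGS = ("DisplayVersion", "Publisher", "URL")

# The example ZAP file from the notes, embedded so the block runs offline.
SAMPLE_ZAP = """\
[Application]
FriendlyName = Win Zip
SetupCommand = winzip80.exe
DisplayVersion = 8.0
Publisher = WinZip
URL = http://www.winzip.com
[Ext]
ZIP=
"""


def _read(text):
    # Only "=" separates tag and value (a URL value contains ":"), and no
    # %-interpolation so values are taken literally.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str      # keep tag names exactly as written
    parser.read_string(text)
    return parser


def zap_problems(text):
    """List what stops the file from being usable (empty list means it is fine)."""
    try:
        parser = _read(text)
    except configparser.Error as exc:
        return [f"not a valid ZAP/INI file: {exc}"]
    if "Application" not in parser:
        return ["missing [Application] section"]
    app = parser["Application"]
    problems = [f"missing required tag: {tag}" for tag in REQUIRED_TAGS if tag not in app]
    problems += [f"empty value for tag: {tag}"
                 for tag in REQUIRED_TAGS if tag in app and not app[tag].strip()]
    return problems


def parse_zap(text):
    """Return the application details and associated extensions, or raise ValueError."""
    problems = zap_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    parser = _read(text)
    app = parser["Application"]
    info = {tag: app[tag] for tag in REQUIRED_TAGS + OPTIONAL_TAGS if tag in app}
    # [Ext] keys are file extensions without the dot; their values are normally empty.
    info["Extensions"] = [ext.upper() for ext in parser["Ext"]] if "Ext" in parser else []
    return info


if __name__ == "__main__":
    print(parse_zap(SAMPLE_ZAP))
    print(zap_problems("[Application]\nFriendlyName = Broken\n"))
```

Because SetupCommand names the program that will actually run on each user's computer, a validation step like this belongs at the point where the administrator places the ZAP file on the software distribution point, before any group policy refers to it.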

MANAGING PRINTERS/1

Windows 2000 improves printing support compared to previous releases. Printers are integrated into Active Directory, thus are easier to manage and locate. Additional printer parameters can be monitored using Performance monitor. In addition, printers can be managed anywhere in the network using Microsoft Management Console. Added in Windows 2000 is Internet printing, giving users the ability to connect to a Printer using their web browser.


Printers, Printing Pools and Ports

Each physical printer needs to be connected to a printer port, the interface through which a printer communicates with the computer. In Windows 2000, the available ports are

  Local Port: printers that connect to the parallel or serial interface ports, a filename, NUL, or an IR port. Available by default.
  TCP/IP: printers using TCP/IP, like HP JetDirect. Available by default.
  LPR: TCP/IP printers connected to a UNIX host. Available when Print Services for UNIX is installed.
  USB Printer: printers that connect to the USB interface. Available when a USB Plug and Play printer is attached.

Jobs submitted to a printer are normally spooled before being sent to the printer port for printing. Printers can be connected physically [by attaching to a hardware port such as LPT1 or COM1], or logically [by attaching to a remote server like \\servername\printername]. A printer pool refers to multiple printing devices that are associated with a single printer. Each printer in the pool uses the same printer driver, so all the printing devices in the pool should be the same type. Submitted print jobs are sent to the first available printer in the pool. When a user accesses a shared printer on a Windows 2000 Server, from a client computer, the necessary printer drivers for that printer are downloaded and installed to the client computer. A network printer is a printer that is available for use across the network and has been shared for use. A local printer is a printer that resides on the same computer.

Network Interface Printing Devices

These are printers that have network interfaces built in. Examples are the Jet-Direct cards that plug into Hewlett Packard LaserJet printers. The recommended method of supporting these printer types is to create a printer on a Windows 2000 computer and share this printer so that users can access it via the network. In this way, each user is not trying to directly print to the actual printer at once. Instead, their print requests are sent to the Server and spooled. The server then prints each spooled print job to the printer using TCP/IP. It is a good idea to enable the Job Based property setting for the printer. This ensures that the computer releases the printer connection once the print job has completed.

Printer pools allow administrators to add extra printers to the pool without modifying user configurations.

UNIX Based Printers

Windows 2000 supports printing to printers that reside on a UNIX server. The LPR program is used to submit print requests, but requires that the client computer use the TCP/IP protocol. The UNIX computer must be running LPD for the printer you wish to print to. The syntax of the LPR command is

  lpr -S <ip address of unix host> -P <printer name> filename

In addition, the LPQ command is used to view the status of the UNIX printing device.

Creating Printers

Printers are added using the Add Printer wizard found under Control Panel->Printers. This allows you to define the name, properties and location of the new printer. To create a printer requires Administrator rights.

When a user connects to a printer on a Windows 2000 server, the client computer downloads the printer driver from the server. One copy of the printer driver needs to be maintained, and clients get the latest driver when they connect to the printer. Printer drivers do not have to be installed on client computers, easing the task of letting users connect to printers without having to locate the required setup disks.

MANAGING PRINTERS/2

Setting the Properties and Permissions of an Existing Printer

When a printer is created, it can be shared on the network. This makes the printer accessible to other users on the network.

Each printer supports a number of settings, such as available hours of use, priority and job defaults. Administrators, Print Operators, or users assigned print management rights manage these settings.

Separator Pages

Separator pages are used to separate print jobs, and are the same as banner pages. The separator page states the user that sent the document to the printer, and the date and time of printing. Windows 2000 includes three separator pages, which are text files located in the \<systemroot>\System32 folder.

Separator Page   Purpose
Pcl.sep          Switches the printing mode to PCL, and prints a separator page before each document.
Pscript.sep      Switches the printing mode to PostScript. Does not print a separator page before each document.
Sysprint.sep     Switches the printing mode to PostScript, and prints a separator page before each document.

Printer Permissions

Printers are objects just like files and directories and so have permissions associated with them. Setting printer permissions determines what a user is allowed to do. In addition, membership of the Print Operators group permits additional rights. The levels of control associated with printers are Print, Manage Documents and Manage Printers. The functions governed by these permissions are:

Print
Specify own job settings
Pause, restart, delete own jobs
Specify job settings for all
Pause, restart, delete all jobs
Share printer
Change properties
Delete printer
Change permissions

By default, Power Users, Server Operators, Print Managers and Administrators have Print, Manage Documents and Manage Printers rights. The group Everyone has Print access.

Client Access to Printers

Client access to printers in Windows 2000 has been improved. Users can set personal document settings for printers, such as paper size, that apply to all their documents. Printers can also be installed from a web browser. Printers are published in Active Directory, so printers can be searched by location, name or feature. Drivers are provided for Win9x, Windows NT and Windows 2000.

Monitoring Printers

Print jobs are now included in the system monitor. Additional counters have been added for monitoring purposes, such as bytes/sec and the maximum number of jobs spooled. These can be viewed using performance monitor.

Managing Printers

Microsoft Management Console allows printer administration from any Windows 2000 computer.

Internet Printing

New in Windows 2000 is the ability to install, print and manage printers across the Internet. This requires the use of Windows 2000 Server, Internet Information Server, and the Internet Printing Protocol, which encapsulates the data in HTTP. IIS handles all the security requirements.

The Client View

Users connect to an Internet printer by accessing the /printers folder of the web site. Only Windows 2000 clients are supported, and it requires the use of Internet Explorer 4.01 or greater. The printer drivers are encapsulated in a .CAB file and downloaded. After the driver download, the Add Printer wizard is started.

The Server View

Internet Information Server handles all print processing and security, including authentication of users. The server uses Active Server Pages to send data to the client via HTML.

Security

Internet printing relies on Basic Authentication handled by Internet Information Server. This means that user domain accounts (usernames and passwords) are used unless Allow Anonymous is enabled.
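Because Basic Authentication only Base64-encodes the user name and password, the domain credentials that Internet printing relies on are readable by anyone on the network path when the /printers site is reached over plain HTTP. The following is an added example (not code from the course notes, from IIS or from any Microsoft tool) of an audit a server administrator could run over captured requests to the printing site: it reports which clients sent Basic credentials over HTTP, which sent them over HTTPS, and which connected anonymously. The request records, client addresses, accounts and passwords are all constructed samples, and the record layout is this example's own.

```python
"""
Audit of Basic Authentication on the /printers web site that Windows 2000
Internet Printing uses.  Added example for these notes, not code from the
course, from IIS or from any Microsoft tool.  The request records are
constructed samples standing in for what a reverse proxy or packet capture
in front of the server would show (the record layout is this example's own).
The point: Basic Authentication only Base64-encodes "user:password", so
domain credentials sent to /printers over plain HTTP are readable to anyone
on the path; they should be accepted only over HTTPS, or the site should
allow anonymous access instead.
"""
import base64
from typing import Dict, List, Optional, Tuple


def basic_header(user_and_password: bytes) -> str:
    """Build the header value a client sends: 'Basic ' + Base64(user:password)."""
    return "Basic " + base64.b64encode(user_and_password).decode("ascii")


def parse_basic_credentials(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header value, or None when
    it is not a well-formed Basic credential (other scheme, bad Base64, no colon)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, colon, password = decoded.partition(":")
    if not colon:
        return None
    return user, password


# Verdicts reported per request to the printing site.
CLEARTEXT = "credentials-over-http"      # the finding an administrator wants to see
ENCRYPTED = "credentials-over-https"
ANONYMOUS = "anonymous"
UNPARSED = "unparsed-authorization"


def classify_request(req: Dict) -> Optional[Tuple[str, Optional[str], str]]:
    """Classify one request as (client, user, verdict); None when the request is
    not for the /printers site.  Only the user name is reported, never the password."""
    if not req["path"].lower().startswith("/printers"):
        return None
    auth = next((v for k, v in req["headers"].items() if k.lower() == "authorization"), None)
    if auth is None:
        return req["client"], None, ANONYMOUS
    creds = parse_basic_credentials(auth)
    if creds is None:
        return req["client"], None, UNPARSED
    verdict = ENCRYPTED if req["scheme"].lower() == "https" else CLEARTEXT
    return req["client"], creds[0], verdict


def audit(requests: List[Dict]) -> List[Tuple[str, Optional[str], str]]:
    """Run classify_request over a batch and keep only the /printers findings."""
    return [f for f in (classify_request(r) for r in requests) if f is not None]


# Constructed sample traffic (client addresses, accounts and passwords are made up).
SAMPLE_REQUESTS = [
    {"client": "10.0.5.21", "scheme": "http", "path": "/printers/",
     "headers": {"Authorization": basic_header(b"CORP\\alice:Winter2000!")}},
    {"client": "10.0.5.22", "scheme": "https", "path": "/printers/",
     "headers": {"authorization": basic_header(b"CORP\\bob:Spring2000!")}},
    {"client": "10.0.5.23", "scheme": "http", "path": "/printers/", "headers": {}},
    {"client": "10.0.5.24", "scheme": "http", "path": "/index.htm",
     "headers": {"Authorization": basic_header(b"CORP\\carol:x")}},
]

if __name__ == "__main__":
    for client, user, verdict in audit(SAMPLE_REQUESTS):
        print(f"{client:<12} {user or '-':<12} {verdict}")
```

Header names are matched case-insensitively, as HTTP requires, and requests outside /printers are ignored so the report stays focused on the printing site. The audit deliberately reports only the account name of a credential, not the password.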

SYSTEM MANAGEMENT AND RECOVERY/1

This section deals with recovering from errors and system maintenance.

EMERGENCY REPAIR DISK

The backup utility is used to create an emergency repair disk. This is a single floppy disk that contains system files. An emergency repair disk should be created after each major change to the configuration of the server, such as installation of service packs, additional device drivers or additional hardware. If the file system becomes corrupt and cannot start, an emergency repair disk may provide a solution.

Creating an Emergency Repair Disk

To create an emergency repair disk, follow the instructions below.

1. Run the Backup program (Start, Programs, Accessories, System Tools, Backup)
2. On the Welcome tab, click the Emergency Repair Disk button
3. Insert a blank formatted disk in Drive A:
4. Check the box labeled Also Backup The Registry To The Repair Directory
5. Click OK
6. Remove the disk and label it Emergency Repair Disk with the current date

Using an Emergency Repair Disk

There are two ways the emergency repair disk can be used.

If your system supports bootable CD-ROM, insert the Windows 2000 Server CD and boot from the CD. If your system does not support bootable CD-ROM, insert Setup disk 1 and restart the computer. You will be prompted for setup disk 2, then setup disk 3.

1. Press Enter when asked if you want to install Windows 2000 Server
2. Press R to use the emergency repair diskette
3. You will be presented with a Fast or Manual option. Press F to select the Fast option
4. Press Enter to use the Emergency Repair Diskette
5. Insert the Emergency Repair Diskette and press Enter
6. Once the files have been repaired, reboot the operating system.

Following the use of the emergency repair diskette, reinstall any service packs that were loaded since the original installation. During the repair process, files are sometimes copied from the CD-ROM to replace the corrupted files on the hard disk. These replaced files will be the original release, and if you have applied a service pack since the original installation, these service packs will need to be reapplied. Before attempting to restore using a tape backup, apply the necessary service pack that was on the server when the tape backup was made. After applying the service pack, reboot the server, then run the tape backup program and restore the files.

To Create the Setup Disks

To create a set of disks to use instead of a bootable CD-ROM for the purposes of using the emergency repair diskette, follow the instructions below. You will require four blank formatted floppy diskettes.

1. Insert the Windows 2000 Server CD-ROM into the CD drive.
2. Access the bootdisk subdirectory.
3. Run the program makeboot a: and follow the prompts.

LAST KNOWN GOOD CONFIGURATION

During boot time, Windows 2000 Server displays a message at the bottom of the screen to press F8 for advanced options. The Last Known Good Configuration option provides a mechanism to recover from the installation of device drivers that prevent the computer from operating. For example, you may have installed a new graphics card, but selected the wrong driver. Upon restarting the computer, the screen display is garbled. To recover from this scenario, you can choose the Last Known Good Configuration at boot time.

1. Reboot the computer.
2. Press F8 to display the list of advanced boot options.
3. Use the arrow keys to select Last Known Good Configuration and press Enter.
4. Follow the instructions.

This option will only restore registry settings. It will not replace missing or damaged files. In the event of missing or damaged files, choose the Emergency Repair option discussed earlier.

AUTOMATIC SYSTEM RECOVERY

This option refers to configuring Windows 2000 Server to automatically reboot in the unlikely event of a system crash. Follow the steps outlined below to enable automatic recovery.

1. Open Control Panel and double-click the System icon.
2. Click the Startup and Recovery button.
3. Enable the check box Automatically reboot, then click OK.


DEFRAG When Windows saves files to disk, portions of the file may be scattered in different locations. This causes access to these files to be slower. Windows 2000 Server provides a defragmentation program that relocates scattered portions of files so that the file is saved as one continuous block. Disk defragmenter is run by an administrator. It is under Programs, Accessories, System Tools. System administrators should regularly defragment the server drives. Files in use cannot be moved, so this should be when the system is not in use.

CHKDSK Occasionally, system information related to the file structure and free space tables could become invalid. The chkdsk utility allows an administrator to repair these structures. This utility should be regularly run to ensure that the file system is stable. An administrator runs chkdsk by opening a command prompt window and entering the command on the command line. The utility is invoked using the /f option, which instructs chkdsk to fix any invalid entries it finds. If the drive is in use, it will require you to reboot the server in order for chkdsk to run. Upon rebooting the server, chkdsk will verify and correct the file system. Once this is completed, the server will reboot.

BACKING UP AND RESTORING FILES

Windows 2000 Server provides built-in support for backing up and restoring files. This includes support for the registry, Active Directory and all system files. Backup is under Programs, Accessories, System Tools. The basic options are to backup files, restore files and create an emergency repair diskette.


Running the backup wizard allows you to specify all files, a selection of files, or the system state. Backup selections can be saved and scheduled to run at specific times.

DISK MANAGEMENT

The Disk Administrator tool present in Windows NT has been replaced. The utility is run by selecting Programs, Administrative Tools, Computer Management. Select Storage, then Disk Management.

The disk management tool allows an administrator to partition drives, format drives, create and delete logical drives and reassign drive letters.

Windows 2000 Server Test

Operating Systems

1: Your department consists of about 50 users. The department requires a common shared file storage area for users to share and store documents, and a printer that all users can access. Which operating system would you choose?
    Windows 2000 Server
    Windows 98
    Windows CE
    Windows 2000 Professional

2: You own a small business of 20 users, half of which are sales people who spend a lot of time out of the office. As part of your business you have decided that all staff need access to information stored in a central area, and that this information will be stored on a web server. In addition, staff will be able to access this information remotely. Which operating system would you choose?
    Windows 2000 Advanced Server
    Windows 2000 Professional
    Windows 2000 Server
    Windows 98

3: Your company is relatively small with around 15 users. There is no requirement for remote access, but users would like to share documents in a centralised location and share printer resources. It is necessary to provide some level of security between the users, as some information is sensitive and thus restricted to senior personnel only. Which operating system would you choose?
    Windows 2000 Advanced Server
    Windows 2000 Professional
    Windows 2000 Server
    Windows 98

4: You have a small company of around 20 users. They require shared printer access and would like the ability to share their own files. Security is not considered an issue. The level of access is relatively light (periodic) and no remote access is planned for the near future. The computers are all Pentium 333MHz with 2GB disk and 48MB of memory. Which operating system would you choose?
    Windows 2000 Professional
    Windows 98
    Windows 2000 Advanced Server
    Windows 2000 Server

5: You are to develop a small hand-held device that will provide docking abilities to a PC and allow users to edit their email and calendars, and provide simple applets like a calculator and text editor. Which operating system would you choose to develop the device?
    Windows 2000 Server
    Windows CE
    Windows 98
    Windows 2000 Professional

6: A large organization of 1000 users requires secure, reliable access to shared data. Which operating system would you choose?
    Windows 2000 Advanced Server
    Windows 2000 Professional
    Windows 2000 Server
    Windows 98

7: Your company has decided to install Windows 2000 Professional on all newly purchased computers. What should you do before purchasing any new computers?
    Verify that the hardware meets the minimum requirements for Windows 2000 Professional
    Check to see if the computer is listed on the Windows 2000 hardware compatibility list
    Ensure the computer has a CD-ROM drive
    Ensure the computer is equipped with an IDE drive

Windows 2000 Server Test

Workgroups, Domains and Services

1: A Windows NT Server 4 domain
    provides a centralized point of log on
    requires users to have accounts on each server in the domain
    can be implemented using Windows NT W/S
    requires all computers in the domain to be running Windows NT Server

2: You install Windows NT Server 4.0 on a computer, making the computer a backup domain controller in an existing NT 4 domain. After installation, you discover that you used the wrong domain name. How do you change the domain name?
    Change the domain name using Control Panel
    Modify the domain name in the Registry
    Reinstall Windows NT Server
    Change the domain name by using the Emergency Repair disk

3: You install a Windows 2000 Server in a network running Windows 2000. You discover you added the computer to the wrong domain. Can you change the Windows 2000 Server to the new domain without reinstalling?
    Yes
    No

4: A company has a department that consists of 15 engineers. The engineers have data that needs to be accessible only to their own team. The department continually has engineers arriving and departing, and it is difficult to identify a single administrator for the department. Which Windows NT Server 4 model would be best for this situation?
    A master domain model, with each engineer trusting the master domain and the data stored on the server
    A single domain model, with all data kept on the controller for the domain
    A complete trust model, with each engineer's computer trusting the other engineers' computers
    A workgroup model, with each engineer administering his or her own computer

5: Dynamic Host Configuration Protocol (DHCP)
    is the same as bootp
    uses static allocation of IP addresses
    helps prevent conflicts between assigned IP addresses
    assigns IP addresses which, when allocated, cannot be reused

6: Windows Internet Naming Service (WINS)
    dynamically allocates IP addresses to client computers
    runs on Windows NT W/S and Windows 2000 Professional
    resolves NetBIOS computer names to IP addresses
    increases broadcast traffic

7: This question applies to Windows NT Server 4 domains. A one-way trust relationship has been established in which the RESEARCH domain trusts the TESTING domain. The Guest account is disabled in both domains. As a user belonging to a global group called Testers in the TESTING domain, you want to access a shared directory on a Windows NT Advanced Server in the RESEARCH domain. Which action would give you access?
    No action is necessary, as access is already available
    The Testers group must be assigned permissions to the shared directory on the Windows NT Advanced Server in the RESEARCH domain
    The Testers group must be assigned permissions to the shared directory on the Windows NT Advanced Server in the RESEARCH domain, and the user must log on to the RESEARCH domain
    None of the above

8: A medium size company with 11,000 employees is setting up a network. The company is made up of two departments. Each department controls its own resources. The network administrators, realizing the importance of centralized administration, want complete control over the user accounts. Which NT Server 4 model would work best for this situation?
    A single domain model. The departments can be placed into two global groups and all user accounts can be kept in one place
    A complete trust model with two domains
    A multiple master domain model with separate domains for each department
    A master domain model with a separate domain for each department and the master for the user accounts

Domain Name Service

1: Domain Name Service (DNS)
    dynamically allocates IP addresses to client computers
    resolves NetBIOS computer names to IP addresses
    assigns IP addresses which, when allocated, cannot be reused
    resolves host computer names to IP addresses

2: In DNS, a forward lookup
    resolves an IP address to a computer name
    tests connectivity to a specified host
    transfers zone information to a secondary DNS server
    resolves a computer name to an IP address

3: The utility to test for correct functioning of the DNS is
    ping
    nslookup
    tracert
    ftp

4: A Zone of Authority is
    a list of computer names stored in Active Directory
    that portion of the domain namespace that a particular DNS server is responsible for
    an area or zone of administrative control in Active Directory, such as an Organizational Unit or Domain

5: What type of domain name server is best suited for acting as a backup system for the zone files?
    primary
    secondary
    caching

6: If a DNS server fails, and there is no other DNS server available, will a client be able to connect to a web site by typing the URL in the address bar? Assume this is the first time the user is trying to access the site since logging on to the computer.
    Yes, the user will be able to connect as DNS is not required
    Yes, as the information will be held in cache
    No, the user will be unable to connect

System Recovery

1: You decided to edit the registry of a Windows 2000 Server using Regedt32 and now the server is unable to reboot. What should you do first to try and recover the server?
    Power on the server, hit the F8 key and select Last Known Good Configuration
    Use your emergency recovery disk to boot and restore core system files
    Restart the computer, press F8 and start the computer in safe mode
    Use Backup to restore the registry

2: You have replaced the graphics card of the server with a different model. You change the display driver and can no longer view the screen. What should you do to try and recover the server?
    Use your emergency recovery disk to boot and restore core system files
    Restart the computer, press F8 and start the computer in safe mode
    Power on the server, hit the F8 key and select Last Known Good Configuration
    Remove the new graphics card and replace it with the old one. Restart the server

3: The computer you are trying to install Windows 2000 Server on does not have a CD-ROM. How can you install the product on this computer?
    Create a set of boot disks from the CD-ROM and use these to install the product
    Create a network client disk and perform a network install
    You cannot. It requires the computer to have a CD-ROM drive
    Use an emergency recovery disk at boot time

4: The server has started to run more slowly over the last few weeks, and appears to be getting slower all the time. Users store all their files on the server, but you have checked network traffic and it is below normal levels. There is still plenty of disk space available and nothing new has been done to the server recently. What might be a possible cause of the server running slow?
    the files are fragmented
    the page file is too small
    there is insufficient memory in the server
    the server needs replacing with a faster model, preferably with 2 or 4 processors

5: Which utility checks the integrity of the file system?
    disk management
    chkdsk
    defrag
    backup

6: A Windows 2000 Server has recently crashed, but required that the administrator physically restart it. What can an administrator do to make the server restart automatically in the unlikely event of a crash?
    Set the automatic boot option in the Startup/Recovery option
    It is not possible to do this
    Copy the file "autoboot.exe" to the system32 folder
    Place the command "autorestart=true" in the config.sys file