Writing by: Naseer Ahmad Habib
INTRODUCTION TO NETWORK
WHAT IS A NETWORK?
A network consists of two or more computers that are linked in order to share resources (such as printers and CD-ROMs), exchange files, or allow electronic communications. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams.
The three basic types of networks include:
· Local Area Network (LAN)
· Metropolitan Area Network (MAN)
· Wide Area Network (WAN)
LOCAL AREA NETWORK
A Local Area Network (LAN) is a network that is confined to a relatively small area. It is generally limited to a geographic area such as a lab, school, or building. The maximum distance between Computers can be of one mile.
In a typical LAN configuration, one computer is designated as the Server. It manages the whole network. Computers connected to the Server are called workstations. The workstations can be less powerful than the Server. On most LANs, cables are used to connect the network interface cards in each computer although wireless media can also be used.
METROPOLITAN AREA NETWORK
A Metropolitan Area Network (MAN) covers larger geographic areas, such as cities or school, districts. By interconnecting smaller networks within a large geographic area, information can easily shared over the network. Local libraries and government agencies often use a MAN to connect to citizens and private industries.
WIDE AREA NETWORK
Wide Area Networks (WANs) connect larger geographic areas, such as Karachi and Dubai, or the world. Satellite may be used to connect this type of network. Using a WAN, schools in Karachi can communicate with places like Dubai, without paying enormous phone bills.
ADVANTAGES OF NETWORK
· Speed:-. Networks provide a very rapid method for sharing and transferring files. Without a network, files are shared by copying them to floppy disks, then carrying or sending the disks from one computer to another.
· Security:- Files and programs on a network can be designated as "copy inhibit," so that you do not have to worry about illegal copying of programs. Also, passwords can be established for specific directories to restrict access to authorized users.
· Centralized Software Management:- One of the greatest benefits of installing a network at a school is the fact that all of the software can be loaded on one computer (the file server). This eliminates that need to spend time and energy installing updates and tracking files on independent computers throughout the building.
· Resource Sharing:- Sharing resources is another area in which a network exceeds stand-alone computers. Most schools cannot afford enough laser printers, fax machines, modems, scanners, and CD-ROM players for each computer. However, if these or similar peripherals are added to a network, they can be shared by many users.
DISADVANTAGES OF NETWORKING
· Expensive to Install:- Although a network will generally save money over time, the initial costs of installation can be prohibitive. Cables, network cards, and software are expensive, and the installation may require the services of a technician.
· Requires Administrative Time:- Proper maintenance of a network requires considerable time and expertise. Many offices have installed a network, only to find that they did not budget for the necessary administrative support.
· Cables May Break:- The Topology chapter presents information about the various configurations of cables. Some of the configurations are designed to minimize the inconvenience of a broken cable; with other configurations, one broken cable can stop the entire network.
WHAT IS NETWORK CABLING?
Cable is the medium through which information usually moves from one network device to another. There are several types of cable which are commonly used with LANs.
· Unshielded Twisted Pair (UTP) Cable
· Shielded Twisted Pair (STP) Cable
· Coaxial Cable
· Fiber Optic Cable
UNSHIELDED TWISTED PAIR (UTP) CABLE
Unshielded Twisted Pair cable is most certainly by far the most popular cable around the world. UTP cable is used not only for networking but also for the traditional telephone (UTP-Cat 1). There are 6 different types of UTP categories depending on what you want to achieve, you would need the appropriate type of cable
The characteristics of UTP are, it easy to work with, install, expand and troubleshoot and we are going to look at the different wiring schemes available for UTP. So let's have a quick look at each of the UTP categories available today:
Category 1/2/3/4/5/6 – a specification for the type of copper wire (most telephone and network wire is copper) and jacks. The number (1, 3, 5, etc) refers to the revision of the specification and in practical terms refers to the number of twists inside the wire (or the quality of connection in a jack).
Fig. Unshielded twisted pair
UNSHIELDED TWISTED PAIR CONNECTOR
The standard connector for unshielded twisted pair cabling is an RJ-45 connector. This is a plastic connector that looks like a large telephone-style connector. A slot allows the RJ-45 to be inserted only one way. RJ stands for Registered Jack.
Fig RJ-45 connector
SHIELDED TWISTED PAIR (STP) CABLE
Shielded twisted pair (STP) is suitable for environments with electrical interference. However, the extra shielding can make the cables quite bulky. Shielded twisted pair is often used on networks using Token Ring topology.
COAXIAL CABLE
Coaxial cabling has a single copper conductor at its center. A plastic layer provides insulation between the center conductor and a braided metal shield. The metal shield helps to block any outside interference from lights, motors, and other computers.
Fig Coaxial cable
Although coaxial cabling is difficult to install, it is highly resistant to signal interference. In addition, it can support greater cable lengths between network devices than twisted pair cable.
COAXIAL CABLE CONNECTORS
The most common type of connector used with coaxial cables is the Bayone-Neill-Concelman (BNC) connector. Different types of adapters are available for BNC connectors, including a T-connector and terminator.
Fig. BNC connector
FIBER OPTIC
Because of the Low loss, high bandwidth properties of fibre cables they can be used over greater distances than copper cables. In data networks this can be as much as 2km without the use of repeaters. Their light weight and small size also make them ideal for applications where running copper cables would be impractical. This is pretty impressive for a tiny glass filament. Fiber is non-conductive
Fibers also pose no threat in dangerous environments such as chemical plants where a spark could trigger an explosion. Last but not least is the security aspect, it is very, very difficult to tap into a fiber cable to read the data signals.
FIBRE CONSTRUCTION
There are many different types of fiber cable, but for the purposes of this explanation we will deal with one of the most common types, 62.5/125 micron loose tube. The numbers represent the diameters of the fiber core and cladding, these are measured in microns which are millionths of a meter.
Over the years a variety of core sizes have been produced but these days there are three main sizes that are used in data communications, these are 50/125, 62.5/125 and 8.3/125. The most famous now a day are 62.5/125.
WHAT IS A TOPOLOGY?
There are two types of topologies: Physical and Logical. The physical topology of a network refers to the layout of cables, computers and other peripherals. Try to imagine yourself in a room with a small network, you can see network cables coming out of every computer that is part of the network, then those cables plug into a hub or switch. What you're looking at is the physical topology of that network
Logical topology is the method used to pass the information between the computers. In other words, looking at that same room, if you were to try to see how the network works with all the computers talking (think of the computers generating traffic and packets of data going everywhere on the network) you would be looking at the logical part of the network. The way the computers will be talking to each other and the direction of the traffic is controlled by the various protocols (like Ethernet) or, if you like, rules. If we used token ring, then the physical topology would have to change to meet the requirements of the way the token ring protocol works (logically).
The most common types of physical topologies, which we are going to analyze, are: Bus, Hub/Star and Ring
MAIN TYPES OF PHYSICAL TOPOLOGIES
The following sections discuss the physical topologies used in networks and other related topics.
· Linear Bus
· Star
· Ring
LINEAR BUS
A linear bus topology consists of a main run of cable with a terminator at each end (See fig. 1). All nodes (file server, workstations, and peripherals) are connected to the linear cable. Ethernet network use a linear bus topology.
Fig Linear Bus topology
As you can see in the above example, all computers are attached to a continuous cable which connects them in a straight line. The arrows clearly indicate that the packet generated by Node 1 is transmitted to all computers on the network, regardless the destination of this packet.
Also, because of the way the electrical signals are transmitted over this cable, its ends must be terminated by special terminators absorbing the signal so it won't reflect back to where it came from. If the bus (the long yellow cable) is damaged anywhere in its path, then it will most certainly cause the network to stop working
STAR TOPOLOGY
A star topology is designed with each node (file server, workstations, and peripherals) connected directly to a central network Hub or Switch
Data on a star network passes through the hub or Switch before continuing to its destination. The hub manages and controls all functions of the network. It also acts as a repeater for the data flow. This configuration is common with twisted pair cable.
Fig. Star topology
The Star or Hub topology is one of the most common network topologies found in most offices and home networks. It has become very popular in contrast to the bus type, because of the cost and the ease of troubleshooting.
The advantage of the star topology is that if one computer on the star topology fails, then only the failed computer is unable to send or receive data. The remainder of the network functions normally.
The disadvantage of using this topology is that because each computer is connected to a central hub or switch, if this device fails, the entire network fails!
The protocols used with star configurations are usually Ethernet.
RING TOPOLOGY
In the ring topology, computers are connected on a single circle of cable. Unlike the bus topology, there are no terminated ends. The signals travel around the loop in one direction and pass through each computer, which acts as a repeater to boost the signal and send it to the next computer.
The method by which the data is transmitted around the ring is called token passing. IBM's token ring uses this method.
WHAT IS PROTOCOLS?
In the networking and communications area, a protocol is the formal specification that defines the procedures that must be followed when transmitting or receiving data. Protocols define the format, timing, sequence, and error checking used on the network.
In plain English, the above means that if you have 2 or more devices e.g. computers which want to communicate, then they need a common "Protocol" which is a set of rules that guide the computers on how and when to talk to each other. The most common types of protocols are as follows.
TRANSMISSION CONTROL PROTOCOLS (TCP)
The Transmission Control Protocol, is one of the most important and well-known protocols in the world on networks today. Used in every type of network world-wide, it enables millions of data transmissions to reach their destination and works as a bridge, connecting hosts with one another and allowing them to use various programs in order to exchange data.
INTERNET PROTOCOLS (IP)
I.P is one of the most famous protocols. IP gives us the ability to uniquely identify each computer in a network or on the Internet.
When a computer is connected to a network or the Internet, it is assigned a unique IP address. If you're connecting to the Internet, chances are you're given an IP automatically by your ISP, if you're connecting to your LAN then you're either given the IP automatically or you manually configure the workstation with an assigned IP.
WHAT ARE NETWORKING HARDWARES?
Networking hardware includes all computers, peripherals, interface cards and other equipment needed to perform data-processing and communications within the network.
NETWORK INTERFACE CARDS
The network interface card (NIC) provides the physical connection between the server and the workstation. Most NICs are internal; Laptop computers can now be purchased with a network interface card built-in or with network cards that slip into a PCMCIA slot.
Network interface cards are a major factor in determining the speed and performance of a network. It is a good idea to use the fastest network card available for the type of workstation you are using.
NETWORK INTERFACE CARD (NIC)
HUBS & REPEATERS
Hubs and repeaters are basically the same, so we will be using the term "Hub" to keep things simple. Hubs are common today in every network. They are the cheapest way to connect two or more computers together. Hubs are also known as Repeaters and work on the first layer of the OSI model. They are said to work on the first layer because of the function they perform.
The picture below shows a few hubs: 8 port Net gear and a D-link hub.
The computers (nodes) connect to the hub using Unshielded Twisted Pair cable (UTP). Only one node can be connected to each port of the hub. The pictured hub has a total of 8 ports, which means up to 8 computers can be networked.
SWITCHES
Switches are a lot smarter than hubs and operate on the second layer of the OSI model. What this means is that a switch won't simply receive data and transmit it throughout every port, but it will read the data and find out the packet's destination by checking the MAC address. The destination MAC address is located always at the beginning of the packet so once the switch reads it, it is forwarded to the appropriate port so no other node or computer connected to the switch will see the packet.
Below is a picture of two typical switches. Notice how they looks similar to a hubs, It's just that the difference is on the inside.
BRIDGES
Bridges are really just like switches, but there are a few differences which we will mention, but not expand upon. These are the following:
· Bridges are software based, while switches are hardware based because they use a ASICs chip to help them make filtering decisions.
· Bridges can only have up to 16 ports, while a switch can have hundreds!
That's pretty much as far as we will go with the bridges since they are pretty much old technology and you probably won't see many around.
ROUTER
Routers are very common today in every network area; this is mainly because every network these days connect to some other network, whether it's the Internet or some other remote site. Routers get their name from what they do.... which is route data from one network to another.
For example, if you had a company which had an office in Sydney and another one in Melbourne, then to connect the two you would use a leased line to which you would connect a router at each end. Any traffic which needs to travel from one site to another will be routed via the routers, while all the other unnecessary traffic is filtered, thus saving you valuable bandwidth and money. There are two types of routers:
1) Hardware routers
2) Software routers.
When people talk about routers, they usually don't use the terms "hardware" or "software" router.
Hardware routers are small boxes which run special software created by their vendors to give them the routing capability and the only thing they do is simply route data from one network to another. Most companies prefer hardware routers because they are faster and more reliable, even though their cost is considerably more when compared with a software router.
So what does a hardware router look like? Check the picture below, it displays a Cisco 1600 and 2500 series router along with a Net gear RT338 router. They look like a small box and run special software as we said.
Software routers do the same job with the above hardware routers (route data), but they don't come in small flashy boxes. A software router could be an NT server, NetWare server or Linux server. All network servers have built-in routing capabilities.
IP Addressing Schemes
IP Addressing An IP (Internet Protocol) address is a unique identifier for a node or host connection on an IP network. An IP address is a 32 bit binary number usually represented as 4 decimal values, each representing 8 bits, in the range 0 to 255 (known as octets) separated by decimal points. This is known as "dotted decimal" notation.
Example: 140.179.220.200
It is sometimes useful to view the values in their binary form. 140 .179 .220 .200 10001100.10110011.11011100.11001000
Every IP address consists of two parts, one identifying the network and one identifying the node. The Class of the address and the subnet mask determine which part belongs to the network address and which part belongs to the node address.
Address Classes
There are 5 different address classes. You can determine which class any IP address is in by examining the first 4 bits of the IP address.
· Class A addresses begin with 0xxx, or 1 to 126 decimal.
· Class B addresses begin with 10xx, or 128 to 191 decimal.
· Class C addresses begin with 110x, or 192 to 223 decimal.
· Class D addresses begin with 1110, or 224 to 239 decimal.
· Class E addresses begin with 1111, or 240 to 254 decimal.
Addresses beginning with 01111111, or 127 decimal, are reserved for loop back and for internal testing on a local machine. [You can test this: you should always be able to ping 127.0.0.1, which points to yourself] Class D addresses are reserved for multicasting. Class E addresses are reserved for future use. They should not be used for host addresses.
Now we can see how the Class determines, by default, which part of the IP address belongs to the network (N) and which part belongs to the node (n).
· Class A -- NNNNNNNN.nnnnnnnn.nnnnnnn.nnnnnnn
· Class B -- NNNNNNNN.NNNNNNNN.nnnnnnnn.nnnnnnnn
· Class C -- NNNNNNNN.NNNNNNNN.NNNNNNNN.nnnnnnnn
In the example, 140.179.220.200 is a Class B address so by default the Network part of the address (also known as the Network Address) is defined by the first two octets (140.179.x.x) and the node part is defined by the last 2 octets (x.x.220.200).
In order to specify the network address for a given IP address, the node section is set to all "0"s. In our example, 140.179.0.0 specifies the network address for 140.179.220.200. When the node section is set to all "1"s, it specifies a broadcast that is sent to all hosts on the network. 140.179.255.255 specifies the example broadcast address. Note that this is true regardless of the length of the node section.
Private Subnets
There are three IP network addresses reserved for private networks. The addresses are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. They can be used by anyone setting up internal IP networks, such as a lab or home LAN behind a NAT or proxy server or a router. It is always safe to use these because routers on the Internet will never forward packets coming from these addresses. These addresses are defined in RFC 1918.
Sub netting
Sub netting an IP Network can be done for a variety of reasons, including organization, use of different physical media (such as Ethernet, FDDI, WAN, etc.), preservation of address space, and security. The most common reason is to control network traffic. In an Ethernet network, all nodes on a segment see all the packets transmitted by all the other nodes on that segment. Performance can be adversely affected under heavy traffic loads, due to collisions and the resulting retransmissions. A router is used to connect IP networks to minimize the amount of traffic each segment must receive.
Subnet Masking
Applying a subnet mask to an IP address allows you to identify the network and node parts of the address. The network bits are represented by the 1s in the mask, and the node bits are represented by the 0s. Performing a bitwise logical AND operation between the IP address and the subnet mask results in the Network Address or Number. For example, using our test IP address and the default Class B subnet mask, we get: 10001100.10110011.11110000.11001000 140.179.240.200 Class B IP Address11111111.11111111.00000000.00000000 255.255.000.000 Default Class B Subnet Mask--------------------------------------------------------10001100.10110011.00000000.00000000 140.179.000.000 Network Address
Default subnet masks:
Class A - 255.0.0.0 - 11111111.00000000.00000000.00000000
Class B - 255.255.0.0 - 11111111.11111111.00000000.00000000
Class C - 255.255.255.0 - 11111111.11111111.11111111.00000000
More Restrictive Subnet Masks
Additional bits can be added to the default subnet mask for a given Class to further subnet, or break down, a network. When a bitwise logical AND operation is performed between the subnet mask and IP address, the result defines the Subnet Address (also called the Network Address or Network Number). There are some restrictions on the subnet address. Node addresses of all "0"s and all "1"s are reserved for specifying the local network (when a host does not know it's network address) and all hosts on the network (broadcast address), respectively. This also applies to subnets. A subnet address cannot be all "0"s or all "1"s. This also implies that a 1 bit subnet mask is not allowed. This restriction is required because older standards enforced this restriction. Recent standards that allow use of these subnets have superceded these standards, but many "legacy" devices do not support the newer standards. If you are operating in a controlled environment, such as a lab, you can safely use these restricted subnets.
To calculate the number of subnets or nodes, use the formula (2n-2) where n = number of bits in either field, and 2n represents 2 raised to the nth power. Multiplying the number of subnets by the number of nodes available per subnet gives you the total number of nodes available for your class and subnet mask. Also, note that although subnet masks with non-contiguous mask bits are allowed, they are not recommended.
Example: 10001100.10110011.11011100.11001000 140.179.220.200 IP Address11111111.11111111.11100000.00000000 255.255.224.000 Subnet Mask--------------------------------------------------------10001100.10110011.11000000.00000000 140.179.192.000 Subnet Address10001100.10110011.11011111.11111111 140.179.223.255 Broadcast Address
In this example a 3 bit subnet mask was used. There are 6 (23-2) subnets available with this size mask (remember that subnets with all 0's and all 1's are not allowed). Each subnet has 8190 (213-2) nodes. Each subnet can have nodes assigned to any address between the Subnet address and the Broadcast address. This gives a total of 49,140 nodes for the entire class B address submitted this way. Notice that this is less than the 65,534 nodes an unsubnetted class B address would have.
You can calculate the Subnet Address by performing a bitwise logical AND operation between the IP address and the subnet mask, then setting all the host bits to 0s. Similarly, you can calculate the Broadcast Address for a subnet by performing the same logical AND between the IP address and the subnet mask, then setting all the host bits to 1s. That is how these numbers are derived in the example above.
Sub netting always reduces the number of possible nodes for a given network. There are complete subnet tables available here for Class A, Class B and Class C. These tables list all the possible subnet masks for each class, along with calculations of the number of networks, nodes and total hosts for each subnet.
An Example
Here is another, more detailed, example. Say you are assigned a Class C network number of 200.133.175.0 (apologies to anyone who may actually own this domain address). You want to utilize this network across multiple small groups within an organization. You can do this by sub netting that network with a subnet address.
We will break this network into 14 subnets of 14 nodes each. This will limit us to 196 nodes on the network instead of the 254 we would have without sub netting, but gives us the advantages of traffic isolation and security. To accomplish this, we need to use a subnet mask 4 bits long. Recall that the default Class C subnet mask is 255.255.255.0 (11111111.11111111.11111111.00000000 binary)
Extending this by 4 bits yields a mask of
255.255.255.240 (11111111.11111111.11111111.11110000 binary)
This gives us 16 possible network numbers, 2 of which cannot be used:
Subnet bits
Network Number
Node Addresses
Broadcast Address
0000
200.133.175.0
Reserved
None
0001
200.133.175.16
.17 thru .30
200.133.175.31
0010
200.133.175.32
.33 thru .46
200.133.175.47
0011
200.133.175.48
.49 thru .62
200.133.175.63
0100
200.133.175.64
.65 thru .78
200.133.175.79
0101
200.133.175.80
.81 thru .94
200.133.175.95
0110
200.133.175.96
.97 thru .110
200.133.175.111
0111
200.133.175.112
.113 thru .126
200.133.175.127
1000
200.133.175.128
.129 thru .142
200.133.175.143
1001
200.133.175.144
.145 thru .158
200.133.175.159
1010
200.133.175.160
.161 thru .174
200.133.175.175
1011
200.133.175.176
.177 thru .190
200.133.175.191
1100
200.133.175.192
.193 thru .206
200.133.175.207
1101
200.133.175.208
.209 thru .222
200.133.175.223
1110
200.133.175.224
.225 thru .238
200.133.175.239
1111
200.133.175.240
Reserved
None
CIDR -- Classless InterDomain Routing
Now that you understand "classful" IP Sub netting principals, you can forget them ;). The reason is CIDR -- Classless InterDomain Routing. CIDR was invented several years ago to keep the internet from running out of IP addresses. The "classful" system of allocating IP addresses can be very wasteful; anyone who could reasonably show a need for more that 254 host addresses was given a Class B address block of 65533 host addresses. Even more wasteful were companies and organizations that were allocated Class A address blocks, which contain over 16 Million host addresses! Only a tiny percentage of the allocated Class A and Class B address space has ever been actually assigned to a host computer on the Internet.
People realized that addresses could be conserved if the class system was eliminated. By accurately allocating only the amount of address space that was actually needed, the address space crisis could be avoided for many years. This was first proposed in 1992 as a scheme called Super netting. Under super netting, the classful subnet masks are extended so that a network address and subnet mask could, for example, specify multiple Class C subnets with one address. For example, If I needed about 1000 addresses, I could super net 4 Class C networks together: 192.60.128.0 (11000000.00111100.10000000.00000000) Class C subnet address192.60.129.0 (11000000.00111100.10000001.00000000) Class C subnet address192.60.130.0 (11000000.00111100.10000010.00000000) Class C subnet address192.60.131.0 (11000000.00111100.10000011.00000000) Class C subnet address--------------------------------------------------------192.60.128.0 (11000000.00111100.10000000.00000000) Super netted Subnet address255.255.252.0 (11111111.11111111.11111100.00000000) Subnet Mask192.60.131.255 (11000000.00111100.10000011.11111111) Broadcast address
In this example, the subnet 192.60.128.0 includes all the addresses from 192.60.128.0 to 192.60.131.255. As you can see in the binary representation of the subnet mask, the Network portion of the address is 22 bits long, and the host portion is 10 bits long.
Under CIDR, the subnet mask notation is reduced to simplified shorthand. Instead of spelling out the bits of the subnet mask, it is simply listed as the number of 1s bits that start the mask. In the above example, instead of writing the address and subnet mask as 192.60.128.0, Subnet Mask 255.255.252.0
the network address would be written simply as: 192.60.128.0/22
which indicates starting address of the network, and number of 1s bits (22) in the network portion of the address. If you look at the subnet mask in binary (11111111.11111111.11111100.00000000), you can easily see how this notation works.
The use of a CIDR notated address is the same as for a Classful address. Classful addresses can easily be written in CIDR notation (Class A = /8, Class B = /16, and Class C = /24)
It is currently almost impossible for an individual or company to be allocated their own IP address blocks. You will simply be told to get them from your ISP. The reason for this is the ever-growing size of the internet routing table. Just 10 years ago, there were less than 5000 network routes in the entire Internet. Today, there are over 100,000. Using CIDR, the biggest ISPs are allocated large chunks of address space (usually with a subnet mask of /19 or even smaller); the ISP's customers (often other, smaller ISPs) are then allocated networks from the big ISP's pool. That way, all the big ISP's customers (and their customers, and so on) are accessible via 1 network route on the Internet. But I digress.
It is expected that CIDR will keep the Internet happily in IP addresses for the next few years at least. After that, IPv6, with 128 bit addresses, will be needed. Under IPv6, even sloppy address allocation would comfortably allow a billion unique IP addresses for every person on earth! The complete and gory details of CIDR are documented in RFC1519, which was released in September of 1993.
Allowed Class A Subnet and Host IP addresses
# bits
Subnet Mask
CIDR
# Subnets
# Hosts
Nets * Hosts
2
255.192.0.0
/10
2
4194302
8388604
3
255.224.0.0
/11
6
2097150
12582900
4
255.240.0.0
/12
14
1048574
14680036
5
255.248.0.0
/13
30
524286
15728580
6
255.252.0.0
/14
62
262142
16252804
7
255.254.0.0
/15
126
131070
16514820
8
255.255.0.0
/16
254
65534
16645636
9
255.255.128.0
/17
510
32766
16710660
10
255.255.192.0
/18
1022
16382
16742404
11
255.255.224.0
/19
2046
8190
16756740
12
255.255.240.0
/20
4094
4094
16760836
13
255.255.248.0
/21
8190
2046
16756740
14
255.255.252.0
/22
16382
1022
16742404
15
255.255.254.0
/23
32766
510
16710660
16
255.255.255.0
/24
65534
254
16645636
17
255.255.255.128
/25
131070
126
16514820
18
255.255.255.192
/26
262142
62
16252804
19
255.255.255.224
/27
524286
30
15728580
20
255.255.255.240
/28
1048574
14
14680036
21
255.255.255.248
/29
2097150
6
12582900
22
255.255.255.252
/30
4194302
2
8388604
Allowed Class B Subnet and Host IP addresses
# bits
Subnet Mask
CIDR
# Subnets
# Hosts
Nets * Hosts
2
255.255.192.0
/18
2
16382
32764
3
255.255.224.0
/19
6
8190
49140
4
255.255.240.0
/20
14
4094
57316
5
255.255.248.0
/21
30
2046
61380
6
255.255.252.0
/22
62
1022
63364
7
255.255.254.0
/23
126
510
64260
8
255.255.255.0
/24
254
254
64516
9
255.255.255.128
/25
510
126
64260
10
255.255.255.192
/26
1022
62
63364
11
255.255.255.224
/27
2046
30
61380
12
255.255.255.240
/28
4094
14
57316
13
255.255.255.248
/29
8190
6
49140
14
255.255.255.252
/30
16382
2
32764
Allowed Class C Subnet and Host IP addresses
# bits
Subnet Mask
CIDR
# Subnets
# Hosts
Nets * Hosts
2
255.255.255.192
/26
2
62
124
3
255.255.255.224
/27
6
30
180
4
255.255.255.240
/28
14
14
196
5
255.255.255.248
/29
30
6
180
6
255.255.255.252
/30
62
2
124
How to implements NTFS volume file and folder permissions
File and Folder Permissions
On NTFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps:
1.
In Windows Explorer, right-click the file or folder you want to work with.
2.
From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab.
3.
In the Name list box, select the user, contact, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.
Understanding File and Folder Permissions
The basic permissions you can assign to files and folders are summarized in Table 13-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.
Anytime you work with file and folder permissions, you should keep the following in mind:
•
Read is the only permission needed to run scripts. Execute permission doesn't matter.
•
Read access is required to access a shortcut and its target.
•
Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. A user can still delete the contents.
•
If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.
Table 13-3 File and Folder Permissions Used by Windows 2000
Permission
Meaning for Folders
Meaning for Files
Read
Permits viewing and listing of files and subfolders
Permits viewing or accessing of the file's contents
Write
Permits adding of files and subfolders
Permits writing to a file
Read & Execute
Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders
Permits viewing and accessing of the file's contents as well as executing of the file
List Folder Contents
Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only
N/A
Modify
Permits reading and writing of files and subfolders; allows deletion of the folder
Permits reading and writing of the file; allows deletion of the file
Full Control
Permits reading, writing, changing, and deleting of files and subfolders
Permits reading, writing, changing and deleting of the file
The basic permissions are created by combining special permissions in logical groups. Table 13-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:
•
If no access is specifically granted or denied, the user is denied access.
•
Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups the user is a member of. For example, if the user George has Read access and is a member of the group Techies that has Change access, George will have Change access. If Techies is in turn a member of Administrators, which has Full Control, George will have complete control over the file.
Table 13-4 Special Permissions for Files
Control
Full Modify
Execute
Read & Read
Write
Special Permissions
Traverse Folder/Execute File
X
X
X
List Folder/Read Data
X
X
X
X
Read Attributes
X
X
X
X
Read Extended Attributes
X
X
X
X
Create Files/Write Data
X
X
X
Create Folders/Append Data
X
X
X
Write Attributes
X
X
X
Write Extended Attributes
X
X
X
Delete Subfolders and Files
X
Delete
X
X
Read Permissions
X
X
X
X
X
Change Permissions
X
Take Ownership
X
Table 13-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind:
•
When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions.
•
When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions.
Table 13-5 Special Permissions for Folders
Full Modify
Execute
Read & Contents
Folder Read
List Write
Special Permissions
Control
Traverse Folder /
X
X
X
X
Execute File
List Folder /Read Data
X
X
X
X
X
Read Attributes
X
X
X
X
X
Read Extended
X
X
X
X
X
Attributes
Create Files /
X
X
X
Write Data
Create Folders /
X
X
X
Append Data
Write Attributes
X
X
X
Write Extended
X
X
X
Attributes
Delete Subfolders
X
and Files
Delete
X
X
Read Permissions
X
X
X
X
X
X
Change Permissions
X
Take Ownership
X
Setting File and Folder Permissions
To set permissions for files and folders, follow these steps:
1.
In Windows Explorer, right-click the file or folder you want to work with.
2.
From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab, shown in Figure 13-12.
3.
Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following:
•
Select the user or group you want to change.
•
Use the Permissions list box to grant or deny access permissions.
Tip Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission.
4.
To set access permissions for additional users, contacts, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 13-13.
Figure 13-12: Use the Security tab to configure basic permissions for the file or folder.
5.
Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. You can use the fields of this dialog box as follows:
•
Look In This drop-down list box allows you to access account names from other domains. Click Look In to see a list of the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the folder.
•
Name This column shows the available accounts of the currently selected domain or resource.
•
Add This button adds selected names to the selection list.
•
Check Names This button validates the user, contact, and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.
6.
In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.
7.
Click OK when you're finished.
Figure 13-13: Select users, computers, and groups that should be granted or denied access.
Auditing System Resources
Auditing is the best way to track what's happening on your Windows 2000 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Anytime an action occurs that you've configured for auditing, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.
Note: For most auditing changes, you'll need to be logged on using an account that is a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.
Setting Auditing Policies
Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies with Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.
Once you access the Group Policy container you want to work with, you can set auditing policies by completing the following steps:
1.
As shown in Figure 13-14, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.
2.
The auditing options are
•
Audit Account Logon Events Tracks events related to user logon and logoff.
•
Audit Account Management Tracks account management by means of Active Directory Users And Computers. Events are generated anytime user, computer, or group accounts are created, modified, or deleted.
•
Audit Directory Service Access Tracks access to the Active Directory. Events are generated any time users or computers access the directory.
•
Audit Logon Events Tracks events related to user logon, logoff, and remote connections to network systems.
•
Audit Object Access Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.
•
Audit Policy Change Tracks changes to user rights, auditing, and trust relationships.
•
Audit Privilege Use Tracks the use of user rights and privileges, such as the right to back up files and directories.
Note: The Audit Privilege Use policy doesn't track system access–related events, such as the use of the right to log on interactively or the right to access the computer from the network. These events are tracked with Logon and Logoff auditing.
•
Audit Process Tracking Tracks system processes and the resources they use.
•
Audit System Events Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.
3.
To configure an auditing policy, double-click its entry or right-click and select Security. This opens a Properties dialog box for the policy.
4.
Select Define These Policy Settings, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.
5.
Click OK when you're finished.
Figure 13-14: Set auditing policies using the Audit Policy node in Group Policy.
Auditing Files and Folders
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is only available on NTFS volumes.
You can configure file and folder auditing by completing the following steps:
1.
In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu select Properties.
2.
Choose the Security tab, and then click Advanced.
3.
In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15.
4.
If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.
5.
If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries.
Figure 13-15: Once you audit object access, you can use the Auditing tab to set auditing policies on individual files and folders.
6.
Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
7.
To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, you'll see the Auditing Entry For New Folder dialog box, shown in Figure 13-16.
Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.
8.
As necessary, use the Apply Onto drop-down list box to specify where objects are audited.
9.
Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 13-5—except you can't audit synchronizing of offline files and folders.
10.
Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.
Figure 13-16: Use the Auditing Entry For New Folder dialog box to set auditing entries for a user, contact, computer, or group.
Auditing Active Directory Objects
If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.
To configure object auditing, follow these steps:
1.
In Active Directory Users And Computers, access the container for the object.
2.
Right-click the object to be audited, and then from the pop-up menu select Properties.
3.
Choose the Security tab, and then click Advanced.
4.
In the Access Control Settings dialog box, select the Auditing tab. To inherit auditing settings from a parent object, make sure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.
5.
Use the Auditing Entries list box to select the users, contacts, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
6.
To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.
7.
Use the Apply Onto drop-down list box to specify where objects are audited.
8.
Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions.
9.
Choose OK when you're finished. Repeat this process to audit other users, contacts, groups, or computers.
Setting Security on a Folder
To configure folder and file security:
1.
Log on to the server by using your domain user name and password.
2.
Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
3.
Expand My Computer, and then click the drive that contains the folder you want to configure. Right-click the folder you want to secure (for example, Accounting), and then click Properties.
4.
Click the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
5.
In the Security dialog box, click Copy.NOTE: The inherited permissions are copied directly to this folder.
6.
To add a set of permissions, in the Properties dialog box, on the Security tab, click Add. In the Select Users, Computers, or Groups dialog box, double-click the appropriate user accounts or groups. When you have selected all of the users and groups to which you want to assign permissions, click OK. The groups and users you added, along with the Everyone group, are displayed in the top half of the Security tab.
7.
In the Name list, select each user or group one at a time, and then apply the correct permissions in the Permissions list. The default Allow setting for Read, List Folder Contents and Read & Execute Permissions allows the Sales group the appropriate level of permissions. For the Accounting group, for the Modify permission, click Allow, so that members of that group can add new files to the folder or edit the files in the folder. For Fran's user account, for the Full Control permission, click Allow, which allows Fran to read, modify, delete, and change the permissions on the folder and its contents.
8.
After you set the appropriate permissions, click the Everyone group, and then click Remove.
Troubleshooting
Users Cannot Access Files and Folders That They Should Be Able to When Logged On Locally
Access permissions are combined from any permissions that are assigned directly to the user and those that are assigned to any groups of which the user is a member.The exception to this rule is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows 2000 is determining whether or not a particular user can perform a particular task. Therefore, you should avoid using explicit Deny permissions (that is, avoid clicking to select a check box in the Deny column) unless there is no other way to achieve the permissions mix that you need.
Users Can Access Files and Folders with Incorrect Permissions When Logged on Locally
For example, users can write instead of just read when they are logged on locally. Permissions, by default, are inherited from the folder that contains the object. If you are experiencing inappropriate permission levels, check for both inherited permissions that are incorrect for this object and for group memberships that may grant different levels of permissions than you want to have.
Users Cannot Access Files and Folders That They Should Be Able to Access Over the Network
When you access data over the network, both share permissions and file and folder permissions apply. Share access permissions are combined from any permissions that are assigned directly to the user and those assigned to any groups of which the user is a member. The exception to this is if there is an explicit Deny permission on the folder or file. This occurs because Deny permissions are enumerated first when Windows 2000 is determining whether or not a particular user can perform a particular task. Therefore, if Frank, for example, is a member of a group that has the Deny check box selected for Read in the Deny column, he is unable to read the file or folder, even if other permissions should allow him to do so.You should avoid using explicit Deny permissions (that is, avoid clicking to select a check box in the Deny column) unless there is no other way to achieve the permissions mix that you need. Check both the share permissions and the file and folder permissions for the user and any groups of which he or she is a member.
There Is No Security Tab in the Folder Properties Dialog Box
If you do not see the Security tab in the folder properties, it is likely that you are using the FAT or FAT32 file system. Windows 2000 includes a utility that can safely convert your drive to from the FAT or FAT32 file system to the NTFS file system. WARNING: Do not convert your drive if you are running both Windows 2000 and another operating system on the computer (that is, if it is a dual-boot computer) and the other operating system cannot read NTFS drives.To convert a partition to NTFS:
1.
Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2.
Type convert drive: /FS: NTFS, where drive is the drive that you want to convert.For example, to convert drive D to NTFS, type the following line:
convert D: /FS:NTFS
3.
If you attempt to convert a drive while it is being accessed by Windows 2000, Windows 2000 displays a message prompting you to convert the drive when the computer is restarted. Click Yes, quit any running programs, and then restart your computer.
. The File Ownership Script tool is available in Microsoft Windows 2000 Resource Kit Supplement 1. Use this script tool to perform the following tasks:
•
Take ownership of files and folders on NTFS volumes.
•
Query the owners of files and folders on NTFS volumes.
The information that Fileowners.pl displays corresponds to the information that appears on the Owner tab of the Properties dialog box of a folder or file. To view this information, follow these steps:
1.
Start Windows Explorer.
2.
Right-click a folder or file, and then click Properties.
3.
Click the Security tab, click Advanced, and then click the Owner tab.
System Requirements for Fileowners.pl
Fileowners.pl runs on a source computer and acts on a target computer. (The target computer can be the same computer as the source computer, or it can be a different computer than the source computer). Before you can use this script tool to display or change the ownership of folders and files on NTFS volumes of local or remote computers, the requirements shown later in this article must be met.
Source Computer Requirements
•
The computer is running either Windows 2000 Professional or Windows 2000 Server.
•
Active State ActivePerl Build 521 is installed. This program is available in the Windows 2000 Resource Kit. The computer must also be correctly configured to run the Purl scripts that are included in the Windows 2000 Resource Kit Supplement 1. The Resource Kit WMI provider module, Wmi.pm, must be in the Perl Installation Folder\Site\Lib\W2rk folder. The Resource Kit Setup program typically creates the W2rk folder and copies the Wmi.pm file to this folder. If the W2rk folder is not automatically created during Setup, you can manually create it, and then configure the environment in which to run Fileowners.pl. For more information about how to do this, see the Troubleshooting section later in this article.
•
You are logged on by using a user account that is a member of the Administrators group on the target computer.
Target Computer
•
The computer is running either Windows 2000 Professional or Windows 2000 Server.
•
The computer contains volumes formatted with the NTFS file system.
Overview of Fileowners.pl
Fileowners.pl uses the following general syntax:
fileowners.pl -operation
Where -operation is one of the following commands that you can pass to the script. The following list describes each operation that you can use with Fileowners.pl:
-take own: Use this operation to take ownership of folders and files.-query: Use this operation to search for the owners of folders and files.
Each operation uses its own syntax.
Take own
The fileowners.pl -take own statement uses the following syntax:
fileowners.pl -take own Folder File [ Folder File...] [ -s Computer [ -u Domain\User -p Password]][-owner LOGONUSERADMINGROUP][-recourse]
The parameters that you can use with fileowners.pl -take own are:
•
Folder File [Folder File...]: Use this parameter to specify the folder or file that you want to take ownership of using the following format: Drive:\Folder\FileName. You can use the wildcard character (asterisk) to designate target files or folders. If you want to specify two or more folders or files, separate each item with a space. If the folder or file name contains a space, enclose the folder or file name and path with quotation marks (""). When the file or folder is on a volume that is not mapped to the local computer, use the relative path (the path as seen from the remote computer).
•
-s Computer: Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
•
-u Domain\User: Use this parameter to specify the user account with which to run Fileowners.pl. By default, if you omit this parameter, Fileowners.pl uses system permissions. If you use this parameter, you must also use the -p parameter to provide the user's password.
•
-p Password: Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.
NOTE: Both the -p and -u parameters are available only when you use the -s parameter.
•
: Both the -owner LOGONUSER ADMINGROUP: Use this parameter to specify whether you are taking ownership as a user or on behalf of the Administrators group. By default, if you omit this parameter, Fileowners.pl uses LOGONUSER.
•
LOGONUSER: User this parameter to take ownership of the folder or file as a user. By default, the user who is currently logged on to the local computer takes ownership. When the -u parameter is used, the specified user account takes ownership.
•
ADMINGROUP: Use this parameter to take ownership of the folder or file on behalf of the Administrators group. By default, the Administrators group on the local computer takes ownership. When the -s parameter is used, the Administrators group on the remote computer takes ownership of the remote object.
•
: Both the -recourse: Use this parameter to extend the command to all child objects of the specified folder. By default, if you omit this parameter, you take ownership of only the specified folders and files. Subfolders and the files contained in them are not affected.
Query
The fileowners.pl -query statement uses the following syntax:
fileowners.pl Folder File [Folder File...] [ -s Computer [ -u Domain\User -p Password]][-recourse][-format table list CSV][-v[-antitype B KB MB]][-filter "FieldOperatorValue" [-filter "FieldOperatorValue"...]]
The parameters that you can use with fileowners.pl -query is the following:
•
Folder File [Folder File...]: Use this parameter to specify the folder or files whose owners are displayed by using the following format: Drive:\Folder\FileName. You can use the wildcard character (asterisk) to designate target files or folders. If you want to specify the owners of two or more folders or files, separate each item with a space. If the folder or file name contains a space, enclose the folder or file name and path with quotation marks (""). When the file or folder is on a volume that is not mapped to the local computer, use the relative path (the path as seen from the remote computer).
•
-s Computer: Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
•
-u Domain\User: Use this parameter to specify the user account with which to run Fileowners.pl. If you omit this parameter, Fileowners.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
•
-p Password: Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.
Both the -p and -u parameters are available only when you use the -s parameter.
•
Both the -recourse: Use this parameter to add all child objects of the specified folder to the display. If you omit this parameter, only the specified folder and files are included in the display.
•
Both the -format table list CSV: Use this parameter to specify the output format. If you omit this parameter, Fileowners.pl uses the table format, by default.
•
Both the -v: Use this parameter to add the last modified date and file size (for files only) to the display.
•
Both the -antitype BKB MB: Use this parameter to specify the unit of disk space that is used to display the file size. By default, if you omit this parameter, Fileowners.pl uses kilobytes (KB).
•
Both the -filter "FieldOperatorValue" [-filter "FieldOperatorValue"...]: Use this parameter to specify the criteria for folders and files that are included in the display. If you omit this parameter, all items that are specified in the Folder File parameter are included in the display. To establish more than one criteria, use a separate instance of -filter "FieldOperatorValue" for each criteria that you want to specify, and separate each instance with a space. Fileowners.pl displays only those files and folders that meet all of the criteria. The following table lists the operators and values that are available for each field that is used with the -filter parameter, and an example of each "FieldOperatorValue":
Field
Operator
Value
Example
OWNER
= !
User or group name in Domain\User or Computer\User format.
"owner type=domain\administrators"
OWNERTYPE
= !
group user
"owner type=group"
TYPE
= !
file directory
"type! file"
SIZE
All logical operators
Number Unit
"size>1MB"
DATETIME
All logical operators
The last modified date, where Date is in mm/dd/yyyy format or Date: Time is in mm/dd/yyyy:hh:mm:ss [am pm] format
"date time>08/01/2002:8:30:00AM"
PATH\FILE
=!
Valid paths and file names or *.
"path\file!c:winnt"
Examples
•
To run Fileowners.pl by using the User1 account to take ownership of the E:\Reports\Stats.doc file on a remote computer named Server8 in the Corp domain, type the following line at the command prompt, and then press ENTER:fileowners.pl -take own e:\reports\stats.doc -s server8 -u corp\user1 -p password
•
To take ownership of all bitmap files (.bmp) in the E:\Pictures and E:\Graphics and Images folders on behalf of the Administrators group on the local computer, type the following line at the command prompt, and then press ENTER:
fileowners.pl -take own e:\pictures\*.bmp "e:\graphics and images\*.bmp" -owner admingroup
•
To take ownership of all folders and files on volumes X and Y, type the following line at the command prompt, and then press ENTER: NOTE: You can use this method to take ownership of objects on several computers. In this example, the X drive on the local computer is mapped to the C drive of a remote computer named Server4, and the Y drive on the local computer is mapped to the C drive of a remote computer named Server10. If the remote volume is mapped to a drive on the local computer, you can specify the mapped drive letter in the file path. You do not have to use the -s parameter to indicate another computer.
fileowners.pl -take own x: y: -recourse
•
To display the owner of the Expenses.doc file in the D:\Finance folder in list format, type the following line, and then press ENTER:
fileowners.pl -query d:\finance\expenses.doc -format list
•
To display the owners of all files in the C:\Corpdocs folder and its subfolders, include the date that the file was last modified and file size in the display, and redirect the output to a file named Corpdoc.txt in the E:\Docs folder in the default table format, type the following line, and then press ENTER:
fileowners.pl -query c:\corpdocs\*.* -recourse > e:\docs\corpdoc.txt –v
Troubleshooting
When you try to run Fileowners.pl, you may receive the following error message:
ERROR: Wmi.pm is required to run the script.Copy Wmi.pm from the Resource Kit directory to /Perl/site/lib/W2RK.
This behavior may occur if the computer is not correctly configured to run the Perl scripts included in the Windows 2000 Resource Kit Supplement 1. To use Fileowners.pl, the W2rk folder must exist in the Perl Installation Folder\site\lib folder and it must contain the Wmi.pmi file. To resolve this problem, manually configure the environment in which to run Perl scripts. To do this, follow these steps:
1.
Create a folder named W2rk in the Perl Installation Folder\Site\Lib folder. NOTE: The default Perl Installation Folder is drive:\Perl, where drive is the drive on which Windows is installed.
2.
Copy the Wmi.pmi file from the folder in which the Windows 2000 Resource Kit is installed (by default, it is Program Files\Resource Kit) to the W2rk folder that you created in step 1.
Creating the Active Directory
After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:
1.
Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2.
Click Start, click Run, and then type dcpromo.
3.
Click OK to start the Active Directory Installation Wizard, and then click Next.
4.
Click Domain controller for a new domain, and then click Next.
5.
Click Domain in a new forest, and then click Next.
6.
Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7.
Accept the default domain NetBIOS name (this is "my company" if you used the suggestion in step 6). Click Next.
8.
Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9.
Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10.
Click Install and configure the DNS server on this computer, and then click Next.
11.
Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12.
Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.
13.
Review and confirm the options that you selected, and then click Next.
14.
The installation of Active Directory proceeds. Note that this operation may take several minutes.
15.
When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:
a.
Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
b.
Expand the server name, expand Forward Lookup Zones, and then expand the domain.
c.
Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.
Adding Users and Computers to the Active Directory Domain
After the new Active Directory domain is established, create a user account in that domain to use as an administrative account. When that user is added to the appropriate security groups, use that account to add computers to the domain.
1.
To create a new user, follow these steps:
a. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.
b. Click the domain name that you created, and then expand the contents.
c. Right-click Users, point to New, and then click User.
d. Type the first name, last name, and user logon name of the new user, and then click Next.
e. Type a new password, confirm the password, and then click to select one of the following check boxes:
•Users must change password at next logon (recommended for most users)
•User cannot change password
•Password never expires
•Account is disabled
Click Next.
f. Review the information that you provided, and if everything is correct, click Finish.
2.
After you create the new user, give this user account membership in a group that permits that user to perform administrative tasks. Because this is a laboratory environment that you are in control of, you can give this user account full administrative access by making it a member of the Schema, Enterprise, and Domain administrators groups. To add the account to the Schema, Enterprise, and Domain administrators groups, follow these steps:
a. On the Active Directory Users and Computers console, right-click the new account that you created, and then click Properties.
b. Click the Member Of tab, and then click Add.
c. In the Select Groups dialog box, specify a group, and then click OK to add the groups that you want to the list.
d. Repeat the selection process for each group in which the user needs account membership.
e. Click OK to finish.
3.
The final step in this process is to add a member server to the domain. This process also applies to workstations. To add a computer to the domain, follow these steps:
a. Log on to the computer that you want to add to the domain.
b. Right-click My Computer, and then click Properties.
c. Click the Computer Name tab, and then click Change.
d. In the Computer Name Changes dialog box, click Domain under Member Of, and then type the domain name. Click OK.
e. When you are prompted, type the user name and password of the account that you previously created, and then click OK.A message that welcomes you to the domain is generated.
f. Click OK to return to the Computer Name tab, and then click OK to finish.
g. Restart the computer if you are prompted to do so.
Troubleshooting
You Cannot Open the Active Directory Snap-ins
After you have completed the installation of Active Directory, you may not be able to start the Active Directory Users and Computers snap-in, and you may receive an error message that indicates that no authority can be contacted for authentication. This can occur if DNS is not correctly configured. To resolve this issue, verify that the zones on your DNS server are configured correctly and that your DNS server has authority for the zone that contains the Active Directory domain name. If the zones appear to be correct and the server has authority for the domain, try to start the Active Directory Users and Computers snap-in again. If you receive the same error message, use the DCPROMO utility to remove Active Directory, restart the computer, and then reinstall Active Directory.
Windows XP
To change the computer name, to join a domain, or to add a computer description for a Windows XP-based computer, use the Computer Name tab in the System Properties dialog box. To locate this tab, use one of the following methods:
•
Click Start, right-click My Computer, and then click Properties.
•
Click Start, click Run, type sysdm.cpl, and then click OK.
•
Click Start, click Control Panel, double-click Performance and Maintenance, and then click System.
Change the computer name and join a domain or a workgroup
To change a computer name and to join a domain or a workgroup, follow these steps.Warning Before you change a computer's membership from a domain to a workgroup, be sure that you know the user name and the password for an account in the local Administrators group. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
317049 (http://support.microsoft.com/kb/317049/) You cannot log on after you remove the computer from the domain
1.
Click the Computer Name tab, and then click Change.
2.
Type the new computer name in the Computer name dialog box.
3.
Type the new domain or workgroup in either the Domain dialog box or the Workgroup dialog box.
4.
Click More to change the primary Domain Name System (DNS) suffix.Note Windows XP Home Edition is not designed to join domains. Windows XP Home Edition is only designed to join workgroups. Therefore, use Windows XP Professional to join domains.
5.
Click OK three times, and then restart the computer.
Add a computer description
To add a computer description, type a name or a description in the Computer description box on the Computer Name tab, and then click Apply.
Network ID Wizard
If you do not know how to complete these tasks, you can use the Network Identification (ID) Wizard to help you. To start the Network ID Wizard, follow these steps:
1.
In the System Properties dialog box, click Network ID.Note This wizard is new to Windows XP. With this wizard, you can add the computer to a workgroup or to a domain.
2.
Move backward and forward in the wizard by using the Back and Next buttons.
The first set of options in the Network ID Wizard is as follows:
•
Option 1"This computer is part of a business network, and I use it to connect to other computers at work."
•
Option 2"This computer is for home use and is not part of a business network."
If you select option 1, the following options appear:
•
Option 1a"My company uses a network with a domain."
•
Option 1b"My company uses a network without a domain."
If you select option 1a, a dialog box appears that requests the following information:
•
User name
•
Password
•
User account domain
•
Computer name
•
Computer domain
If you select option 1b, you can also configure the computer as a "Workgroup Member," and you can type the name of the workgroup.If you select option 2, you are prompted to click Finish to restart the computer. If you follow this step, the computer is configured as a "Workgroup Member." By default, the name of the workgroup is "Workgroup."Then, the next page requires the domain name to which the computer is to be added. Also, the next page requires the username and the password of an account that has the rights to add a computer to the domain. Additionally, the next page enables the user account from the previous page to be added to this computer. Finally, the next page enables the new user to have various rights on the local computer.The user may be added to the following built-in groups on the local computer:
•
Administrators
•
Backup operators
•
Debugger users
•
Guests
•
HelpServicesGroup
•
Network configuration operators
•
Power users
•
Remote desktop users
•
Replicator
•
Users
Note If the computer is a member of a domain, the computer also maintains a local domain that has security accounts. These security accounts only pertain to that computer. To change domains at the logon screen, press CTRL+ALT+DELETE. If the Domain box does not appear, click the Options button to display the Domain box, and then select the required domain from the menu.
Windows Server 2003
To change the computer name, to join a domain, or to add a computer description for a Windows Server 2003-based computer, use the Computer Name tab in the System Properties dialog box. To locate this tab, use one of the following methods:
•
Right-click My Computer and then click Properties.
•
Click Start, click Run, type sysdm.cpl, and then click OK.
•
Click Start, click Control Panel, and then click System.
Change a computer name and join a domain or a workgroup
To change a computer name and to join a domain or a workgroup, follow these steps:
1.
Click the Computer Name tab, and then click Change.
2.
Type the new computer name in the Computer name dialog box.
3.
Type the new domain or a workgroup in either the Domain dialog box or the Workgroup dialog box.
4.
Click More to change the primary Domain Name System (DNS) suffix.
5.
Click OK three times, and then restart the computer.
Add a computer description
Type a name or a description in the Computer description box on the Computer Name tab, and then click Apply to add a computer description.
How to configure group policy/SOP
How to Assign System Service Permissions
1.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2.
Right-click the domain to which you want to add the organizational unit, point to New, and then click Organizational Unit.
3.
Type a name for the organizational unit in the Name box, and then click OK.The new organizational unit is listed in the console tree.
4.
Right-click the new organizational unit that you created, and then click Properties.
5.
Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use the name of the organizational unit for which it is implemented), and then press ENTER.
6.
Click the new Group Policy object in the Group Policy Objects Links list (if it is not already selected), and then click Edit.
7.
Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
8.
In the right pane, double-click the service to which you want to apply permissions.The security policy setting for that specific service is displayed.
9.
Click to select the Define this policy setting check box.
10.
Click Edit Security.
11.
Grant the appropriate permissions to the user accounts and groups that you want, and then click OK.
12.
Under Select service startup mode, click the startup mode option that you want, and then click OK.
13.
Close the Group Policy Object Editor, click OK, and then close the Active Directory Users and Computers tool.
NOTE: You must move the computer accounts that you want to manage into the organizational unit. After the computer accounts are contained in the organizational unit, the authorized user or groups can manage the service.
How to Use Group Policy to Set Advanced Settings in Internet Explorer
To customize advanced settings in Internet Explorer, make sure that Group Policy is set to Preference mode. To do this, follow these steps:
1.
Open the Group Policy Object Editor snap-in. To do this:
a.
Click Start, click Run, type mmc in the Open box, and then click OK.
b.
On the File menu, click Add/Remove Snap-in.
c.
Click Add.
d.
Click Group Policy Object Editor and then click Add.
e.
Click the target Group Policy object (GPO). The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
f.
Click Close, and then click OK.
2.
In the console tree, expand the GPO, expand User Configuration, and then expand Windows Settings.
3.
Right-click Internet Explorer Maintenance and then click Preference Mode. The Advanced folder appears under Internet Explorer Maintenance in the console tree.
If a policy is already defined, you must click Reset Browser Settings before you can put this policy in Preference mode. When you reset the browser settings, any policy settings that are specified to that Group Policy are reset.NOTE: Preference mode settings are set by an administrator. However, you can change these settings after the policy is applied (for example, your home-page setting or settings on the Advanced tab). After the policy is applied to a client computer, you can change
Hide Control Panel Tools
1.
Click Start, click Run, type mmc in the Open box, and then click OK.
2.
On the File menu, click Add/Remove Snap-in.
3.
Click Add.
4.
Click Group Policy Object Editor, and then click Add.
5.
Click the target Group Policy object (GPO). The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
6.
Click Close, and then click OK.
7.
Expand User Configuration, expand Administrative Templates, and then click Control Panel.
8.
In the right pane, double-click Hide specified Control Panel applets.
9.
Click Enabled. This setting removes Control Panel tools from the Control Panel window and the Start menu. To specify the Control Panel tools that you want to hide, click Show.
10.
In the Show Contents dialog box, click Add, type the file name of the Control Panel tool that you want to hide in the Enter the item to be added box, and then click OK. Control Panel tools use the .cpl extension and are located in the %Systemroot%\System32 folder. To find the file name of a Control Panel tool, search for .cpl files in the %Systemroot%\System32 folder. To do so:
a.
Click Start, and then click Search.
b.
Click All files and folders. In the All or part of the file name box, type *.cpl, in the Look in box, click Local Disk (drive :), where drive is the drive on which Windows is installed, and then click Search.
11.
Repeat step 10 for each Control Panel tool that you want to hide, and then click OK.
12.
Click OK, and then quit the Group Policy Object Editor snap-in.
Show Only Specific Control Panel Tools
1.
Click Start, click Run, type mmc in the Open box, and then click OK.
2.
On the File menu, click Add/Remove Snap-in.
3.
Click Add.
4.
Click Group Policy Object Editor and then click Add.
5.
Click the target GPO. The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
6.
Click Close, and then click OK.
7.
Expand User Configuration, expand Administrative Templates, and then click Control Panel.
8.
In the right pane, double-click Show only specified Control Panel applets.
9.
Click Enabled. This setting removes all Control Panel tools from the Control Panel window and the Start menu, except for the items that you specify. If you do not specify any tools or folders to display, the Control Panel window is empty. To specify the Control Panel tools that you want to display, click Show. Control Panel tools use the .cpl extension and are located in the %Systemroot%\System32 folder. To find the file name of a Control Panel tool, search for .cpl files in the %Systemroot%\System32 folder. To do so:
a.
Click Start, and then click Search.
b.
Click All files and folders. In the All or part of the file name box, type *.cpl, in the Look in box, click Local Disk (drive:), where drive is the drive on which Windows is installed, and then click Search.
10.
In the Show Contents dialog box, click Add, type the file name of the Control Panel tool that you want to display in the Enter the item to be added box, and then click OK.
11.
Repeat step 10 for each Control Panel tool that you want to display, and then click OK.
12.
Click OK, and then quit the Group Policy Object Editor snap-in.
List of .Cpl Files
The following is a list of .cpl files and the corresponding Control Panel tool. .cpl File Control Panel Tools ============== =============================== Access.cpl Accessibility Appwiz.cpl Add or Remove Program Desk.cpl Display Hdwwiz.cpl Add Hardware Inetcpl.cpl Internet Options Intl.cpl Regional and Language Options Joy.cpl Game Controllers Keymgr.cpl Stored User Names and Passwords Liccpa.cpl Licensing Maniacal Mouse Mmsys.cpl Sound and Audio Devices Ncpa.cpl Network Connections Nwc.cpl Netware client connectivity Odbccp32.cpl ODBC Data Source Administrator Powercfg.cpl Power Options Sysdm.cpl System Telephon.cpl Phone and Modem Options Time date. Cpl Date and Time Sapi.cpl Speech
MORE INFORMATION
Overviews
By setting policies, you can define and maintain a particular Office 2003 configuration on users' computers. Unlike other customizations (such as default settings that are distributed in a transform [MST file]), policies are reapplied every time that a user logs on to the network (or at some other interval set by the administrator). Users cannot edit the registry to change the policies.You can set policies that apply to the local computer (and to every user of that computer), or you can set policies that apply only to individual users. You set per-computer policies under Computer Configuration in the Group Policy snap-in. Per-computer policies are applied the first time that any user logs on to the network from that computer. You set per-user policies under User Configuration in the Group Policy snap-in. Per-user policies are applied when the specified user logs on to the network from any computer.To use an Office 2003 policy template, you must load it in the Group Policy Microsoft Management Console snap-in.
Available Office 2003 policy templates
With the policy template files in the Microsoft Office 2003 Resource Kit , you can set policies globally for users of Office on a network. By using policies, you can quickly enforce a user configuration on users' computers when users, groups, or computers log on to the network.The Office policy template files (.adm files) describe all the policy settings that you can set for Office. You use these .adm files with the Group Policy snap-in that is included with Microsoft Windows operating systems to apply policies to users' computers.The Setup program of the Microsoft Office 2003 Resource Kit installs the following policy templates in the Windows\Inf folder on your computer.
File name
Template description
Access11.adm
Microsoft Office Access 2003
Excel11.adm
Microsoft Office Excel 2003
Fp11.adm
Microsoft Office FrontPage 2003
Gal11.adm
Microsoft Clip Organizer
Inf11.adm
Microsoft Office Info Path 2003
Office11.adm
Microsoft Office 2003
Onent11.adm
Microsoft Office One Note 2003
Outlk11.adm
Microsoft Office Outlook 2003
Ppt11.adm
Microsoft Office PowerPoint 2003
Pub11.adm
Microsoft Office Publisher 2003
Visio.adm
Microsoft Office Visio 2003
Word11.adm
Microsoft Office Word 2003
How to install the Office 2003 policy templates
On the Policy Template Files Web page of the Microsoft Office 2003 Resource Kit Web site, you can install the Office 2003 policy templates, or the Visio 2003 policy templates, or both.
•
To install the Office 2003 policy templates, follow these steps:
1.
Scroll down the Policy Template Files Web page, and then click the ork.exe link.
2.
In the File Download dialog box, click Open.
3.
Click to accept the License Agreement, and then click Next.
4.
In the Type of Installation pane, click Typical Install, and then click Next.
5.
Click Install.
6.
Click OK when Setup has completed.
Note The Office 2003 policy template files are installed in the following location:
path\Windows\Inf
Note path is the drive that contains your Windows folder and Windows is the name of your Windows folder.
•
To install the Visio 2003 policy template, follow these steps:
1.
Scroll down the Policy Template Files Web page, and then click the VisioRKTools.exe link.
2.
In the File Download dialog box, click Open.
3.
Click Yes to accept the License Agreement.
4.
In the Please type the location where you want to place the extracted files box, type path:\Program Files\Orktools\Ork11\Tools\Visio, where path is the drive where your other Office 2003 Resource Kit tools are installed (such as C), and then click OK.
5.
Click Yes to create the folder that you specified in step 4.Note There is no message that indicates that the files have been installed on your computer.
6.
Right-click Start, and then click Explore.
7.
Locate the folder that you specified in step 4, and then open the folder that you specified in step 4.
8.
Copy the Visio11.adm file to the following location on your computer:
path\Windows\Inf
, where path is the drive that contains your Windows folder and Windows is the name of your Windows folder.
How to load an Office 2003 policy template in the Local Computer policy
You use the Group Policy snap-in to set Office 2003 policies from the Office policy templates (.adm files). After you set policies for a particular Group Policy object, Windows automatically implements the policies on the users' computers.To load an Office 2003 policy in the Local Computer Policy, follow these steps:
1.
Click Start, click Run, type gpedit.msc in the Open box, and then click OK.
2.
Under User Configuration, right-click Administrative Templates, point to All Tasks, and then click Add/Remove Templates.
3.
In the Add/Remove Templates dialog box, click Add.
4.
In the Policy Templates dialog box, click the Office 2003 policy template that you want to add, and then click Open.Note The Office 2003 policy templates are located in the path\Winnt\Inf folder, where path is the drive location of your Windows folder and Winn is the folder name where Windows is installed.
5.
In the Add/Remove Templates dialog box, click Close.
6.
On the Tree tab of the Group Policy window, expand Administrative Templates under User Configuration.
7.
Expand the Office 2003 policy that you added in step 5.
You are ready to set the Office 2003 user policies that you want in the Local Computer policy.
Installation and configuration of File and print server
Install File and Printer Sharing
By default, a Windows Server 2003-based computer is installed with Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and TCP/IP.NOTE: You can view these services in the properties for the local area connection.You can create a Windows Server 2003 file server and print server manually, or you can use the wizards that are provided in the Configure Your Server Wizard administrative tool.
How to Install a File Server on Windows Server 2003 by Using the Configure Your Server Wizard
1.
Click Start, point to Administrative Tools, and then click Configure Your Server Wizard.
2.
Click Next.
3.
Click Next.
4.
Click File server in the Server role box, and then click Next.
5.
On the "File Server Disk Quotas" page, configure any quotas you need to control disk-space usage on the server, and then click Next.
6.
On the "File Server Indexing Service" page, click the indexing configuration that is appropriate for your server, and then click Next.
7.
Click Next.
8.
Click Finish.
9.
The Share a Folder Wizard starts. Click Next.
10.
Click Browse, locate the folder that you want to share, and then click OK.
11.
Click Next.
12.
Type a share name for the folder, and then click Next.
13.
Click one of the basic permissions for the folder, or click Customize to set custom permissions on the folder. Click Finish.
14.
Click Close.
How to Manually Install a File Server on Windows Server 2003
1.
Click Start, and then click Windows Explorer.
2.
Locate the folder that you want to share.
3.
Right-click the folder, and then click Sharing and Security.
4.
Click Share this folder, and then accept the default name or type a different name for the share.
5.
Optionally, configure the number of users who can connect, configure permissions for this folder, and then configure the caching options.
6.
Click OK.
7.
A little hand is displayed in the Windows Explorer window to indicate that the folder is being shared.
8.
Quit Windows Explorer.
Install a Windows Server 2003 Print Server
How to Install a Print Server on Windows Server 2003 by Using the Configure Your Server Wizard
1.
Click Start, point to Administrative Tools, and then click Configure Your Server Wizard.
2.
Click Next.
3.
Click Next.
4.
Click Print server in the Server role box, and then click Next.
5.
On the "Printers and Printer Drivers" page, click the types of Windows clients that your print server will support, and then click Next.
6.
Click Next.
7.
On the "Add Printer Wizard Welcome" page, click Next.
8.
Click Local printer attached to this computer, click to clear the Automatically detect and install my Plug and Play printer check box, and then click Next.
9.
Click the port for your printer, and then click Next.
10.
Click the printer make and model or provide the drivers from the printer manufacturer media, and then click Next.NOTE: If you are prompted to keep or not keep your existing printer driver, either keep the existing driver or replace the existing driver. If you replace the driver, you must provide the manufacturer driver for this printer. Click Next to continue.
11.
Accept the default name of the printer or provide a different name, and then click Next.
12.
Click the Share as option, type the share name, and then click Next.NOTE: This step is optional because you can share the printer later.
13.
You may provide the location of the printer and a comment to make it easier to locate. Click Next to continue.
14.
Click the Print a test page option, click Next, and then click Finish to quit the Add Printer Wizard. Your printer appears in the Printers and Faxes folder.
How to Share a Printer
1.
Click Start, and then click Printers and Faxes.
2.
Right-click the printer that you just installed, and then click Sharing.
3.
Click Share this printer, and then type a share name for the printer.
4.
Optionally, click Additional Drivers, click the operating systems of the client computers that may attach to this printer, and then click OK. By adding drivers for these operating systems, users on client computers can connect to the print server and automatically download the appropriate drivers for this model of printer without having to configure anything.
5.
When you are prompted to do so, insert the Windows Server 2003 CD-ROM.
6.
Click OK to close the printer properties.
7.
Close the Printers and Faxes folder.
How to Manually Install a Print Server on Windows Server 2003
1.
Click Start, point to Settings, and then click Printers.
2.
Double-click Add Printer to start the Add Printer Wizard.
3.
To complete the Add Printer Wizard, repeat steps 7 through 14 in the "Install a Windows Server 2003 Print Server" section of this article.
NOTE: The only difference between the manual installation of the print server and the use of the Configure Your Server Wizard to create the print server is how you start the Add Printer Wizard
DNS server installation and configuration
1.
Open Windows Components Wizard. To do so, use the following steps:
a.
Click Start, click Control Panel, and then click Add or Remove Programs.
b.
Click Add/Remove Windows Components.
2.
In Components, select the Networking Services check box, and then click Details.
3.
In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4.
If you are prompted, in Copy files from, type the full path of the distribution files, and then click OK.
Configure DNS
1.
Start the Configure Your Server Wizard. To do so, click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
2.
On the Server Role page, click DNS server, and then click Next.
3.
On the Summary of Selections page, view and confirm the options that you have selected. The following items should appear on this page:
•
Install DNS
•
Run the Configure a DNS Wizard to configure DNS
If the Summary of Selections page lists these two items, click Next. If the Summary of Selections page does not list these two items, click Back to return to the Server Role page, click DNS, and then click Next.
4.
When the Configure Your Server Wizard installs the DNS service, it first determines whether the IP address for this server is static or is configured automatically. If your server is currently configured to obtain its IP address automatically, the Configuring Components page of the Windows Components Wizard prompts you to configure this server with a static IP address. To do so:
a.
In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
b.
In the Internet Protocols (TCP/IP) Properties dialog box, click Use the following IP address, and then type the static IP address, subnet mask, and default gateway for this server.
c.
In Preferred DNS, type the IP address of this server.
d.
In Alternate DNS, type the IP address of another internal DNS server, or leave this box blank.
e.
When you finish setting up the static addresses for your DNS, click OK, and then click Close.
5.
After you click Close, the Configure a DNS Server Wizard starts. In the wizard, follow these steps:
a.
On the Select Configuration Action page, select the Create a forward lookup zone check box, and then click Next.
b.
To specify that this DNS hosts a DNS zone that contains DNS resource records for your network resources, on the Primary Server Location page, click This server maintains the zone, and then click Next.
c.
On the Zone Name page, in Zone name, specify the name of the DNS zone for your network, and then click Next. The name of the zone is the same as the name of the DNS domain for your small organization or branch office.
d.
On the Dynamic Update page, click Allow both no secure and secure dynamic updates, and then click Next. This makes sure that the DNS resource records for the resources in your network update automatically.
e.
On the Forwarders page, click Yes, it should forward queries to DNS servers with the following IP addresses, and then click Next. When you select this configuration, you forward all DNS queries for DNS names outside your network to a DNS at either your ISP or central office. Type one or more IP addresses that either your ISP or central office DNS servers use.
f.
On the Completing the Configure a DNS Wizard page of the Configure a DNS Wizard, you can click Back to change any of the settings. To apply your selections, click Finish.
After you finish the Configure a DNS Wizard, the Configure Your Server Wizard displays the This Server is Now a DNS Server page. To review all the changes that you made to your server in the Configure Your Server Wizard or to make sure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at %system root%\Debug\Configure Your Server. log. To close the Configure Your Server Wizard, click Finish.
DHCP server installation and configuration
How to Install the DHCP Service
Before you can configure the DHCP service, you must install it on the server. DHCP is not installed by default during a typical installation of Windows Standard Server 2003 or Windows Enterprise Server 2003. You can install DHCP either during the initial installation of Windows Server 2003 or after the initial installation is completed.
How to Install the DHCP Service on an Existing Server
1.
Click Start, point to Control Panel, and then click Add or Remove Programs.
2.
In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
3.
In the Windows Components Wizard, click Networking Services in the Components list, and then click Details.
4.
In the Networking Services dialog box, click to select the Dynamic Host Configuration Protocol (DHCP) check box, and then click OK.
5.
In the Windows Components Wizard, click Next to start Setup. Insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer.
6.
When Setup is completed, click Finish.
How to Configure the DHCP Service
After you have installed the DHCP service and started it, you must create a scope, which is a range of valid IP addresses that are available for lease to the DHCP client computers on the network. Microsoft recommends that each DHCP server in your environment have at least one scope that does not overlap with any other DHCP server scope in your environment. In Windows Server 2003, DHCP servers in an Active Directory-based domain must be authorized to prevent rogue DHCP servers from coming online. Any Windows Server 2003 DHCP Server that determines itself to be unauthorized will not manage clients.
How to Create a New Scope
1.
Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2.
In the console tree, right-click the DHCP server on which you want to create the new DHCP scope, and then click New Scope.
3.
In the New Scope Wizard, click Next, and then type a name and description for the scope. This can be any name that you want, but it should be descriptive enough so that you can identify the purpose of the scope on your network (for example, you can use a name such as "Administration Building Client Addresses"). Click Next.
4.
Type the range of addresses that can be leased as part of this scope (for example, use a range of IP addresses from a starting IP address of 192.168.100.1 to an ending address of 192.168.100.100). Because these addresses are given to clients, they must all be valid addresses for your network and not currently in use. If you want to use a different subnet mask, type the new subnet mask. Click Next.
5.
Type any IP addresses that you want to exclude from the range that you entered. This includes any addresses in the range described in step 4 that may have already been statically assigned to various computers in your organization. Typically, domain controllers, Web servers, DHCP servers, Domain Name System (DNS) servers, and other servers, have statically assigned IP addresses. Click Next.
6.
Type the number of days, hours, and minutes before an IP address lease from this scope expires. This determines how long a client can hold a leased address without renewing it. Click Next, and then click Yes, I want to configure these options now to extend the wizard to include settings for the most common DHCP options. Click Next.
7.
Type the IP address for the default gateway that should be used by clients that obtain an IP address from this scope. Click Add to add the default gateway address in the list, and then click Next.
8.
If you are using DNS servers on your network, type your organization's domain name in the Parent domain box. Type the name of your DNS server, and then click Resolve to make sure that your DHCP server can contact the DNS server and determine its address. Click Add to include that server in the list of DNS servers that are assigned to the DHCP clients. Click Next, and then follow the same steps if you are using a Windows Internet Naming Service (WINS) server, by adding its name and IP address. Click Next.
9.
Click Yes, I want to activate this scope now to activate the scope and allow clients to obtain leases from it, and then click Next.
10.
Click Finish.
11.
In the console tree, click the server name, and then click Authorize on the Action menu.
Troubleshooting
The following sections explain how to troubleshoot some of the issues that you may experience when you try to install and configure a Windows Server 2003-based DHCP server in a workgroup.
Clients Cannot Obtain an IP Address
If a DHCP client does not have a configured IP address, this typically indicates that the client was not able to contact a DHCP server. This can be caused by a network problem, or because the DHCP server is unavailable. If the DHCP server started and other clients can obtain valid addresses, verify that the client has a valid network connection and that all the related client hardware devices (including cables and network adapters) are working properly.
The DHCP Server Is Unavailable
If a DHCP server does not provide leased addresses to clients, it is frequently because the DHCP service did not start. If this is the case, the server may not be authorized to operate on the network. If you were previously able to start the DHCP service, but it has since stopped, use Event Viewer to check the System log for any entries that may explain why you cannot start the DHCP service.To restart the DHCP service:
1.
Click Start, and then click Run.
2.
Type cmd, and then press ENTER.
3.
Type net start dhcpserver, and then press ENTER.
-or-
1.
Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
2.
Expand Services and Applications, and then click Services.
3.
Locate and then double-click DHCP Server.
4.
Verify that Startup is set to Automatic and that Service Status is set to Started. If not, click Start.
5.
Click OK, and then close the Computer Management window.
INTERNET CONNECTION SHARING
INFORMATION
ICS provides networked computers with the ability to share a single connection to the Internet.If you have multiple computers, you can use ICS to allow you and others on your local area network (LAN) to perform different tasks simultaneously. For example, one person can send and receive e-mail messages, while another person downloads a file, and another person browses the Internet. You can also gain access to your corporate e-mail accounts from a client computer while others on your LAN cannot. You can use Web-enabled programs (such as downloading updates) as well as Microsoft NetMeeting and other video conferencing programs.
Internet Connection Sharing Capabilities
•
Multiple users can gain access to the Internet through a single connection by using Dial-Up Networking and local networking.
•
Connected devices receive transparent network configuration by using Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) to resolve Internet names.
•
Any IP-attached device can connect, including older Windows-based clients, non-Windows-based clients, Microsoft Windows 98-based clients, and Microsoft Windows 2000-based clients, with no additional client software required.
•
Connected devices and software have comprehensive protocol support. For example, you can play Internet games without additional configuration, or you can use Point-to-Point Tunneling Protocol (PPTP) and Virtual Private Networking (VPN) to gain access to your corporate network.
Windows Support for Connection Sharing
To connect multiple computers to the Internet through a single Internet connection, one computer must be running Windows 98 Second Edition, Windows 2000, or Windows Millennium Edition (Me) with Internet Connection Sharing installed. Other computers on your LAN can then gain access to the Internet through the connection on the computer with Internet Connection Sharing.NOTE: ICS is a built-in feature of Windows 98 Second Edition, Windows 2000, and Windows Me, and is not a component available for download.
Internet Connection Sharing Components
•
DHCP Allocator - A simplified DHCP service that assigns the IP address, gateway, and name server on the local network.
•
DNS Proxy - Resolves names on behalf of local network clients and forwards queries.
•
Network Address Translation (NAT) – Maps a set of private addresses to a set of public addresses. NAT tracks private-source IP addresses and public-destination IP addresses for outbound flows. It changes the IP address information and edits the required IP header information dynamically.
•
Auto-dial - Automatically dials connections.
•
Application programming interfaces (APIs) - For configuration, status, and dial control for programs.
Setting up a Network with Internet Connect Sharing
Your ICS network is a type of local area network that relies on a single computer called a gateway, through which all other computers and TCP/IP-capable devices connect to the Internet.The hardware and software needed to set up a home network includes:
•
A primary computer, called a gateway that provides network connectivity to the Internet. This computer must be running Windows 98 Second Edition, Windows 2000, or Windows Me with Internet Connection Sharing enabled.
•
One or more computers running Windows 95, Windows 98, Microsoft Windows NT 4.0, Windows 2000, or other TCP-IP enabled client software.
•
Devices that is capable of connecting to the Internet.
•
A network connection device for each computer.
•
Cabling and hubs, depending on the type of connection devices you use.
•
A single modem (or an ISDN or ADSL line) for the entire network.
•
Internet browser software and TCP/IP drivers installed on each device that shares the connection.
You can enable Internet Connection Sharing by using the Add/Remove Programs tool in Windows 98 Second Edition or Windows Me:
1.
Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs.
2.
On the Windows Setup tab, double-click Internet Tools.
3.
Click to select the Internet Connection Sharing check box, and then click OK.
4.
Click OK, and then follow the instructions on the screen to run the Internet Connection Sharing wizard.
REMOTE DESKTOP SHARING
With Remote Desktop, you can connect to your work computer from home and access all of your programs, files, and network resources as though you were actually sitting in front of your computer at work.You need three things to create a remote location:
1.
Microsoft Windows XP Professional must be installed on the computer containing the files and programs that you want to access from a remote computer. The computer must also be part of a corporate network in which Remote Desktop connections are permitted. This computer is known as the host.
2.
The remote computer must be running Windows 95 or later. This computer must also have the Remote Desktop Connection client software installed. The remote computer is known as the client.
3.
Both computers must be connected to the Internet through a VPN connection.
Note: If you're not connecting to the host computer through a VPN, you'll need to use the actual IP address of the host computer instead of the computer name.
To set up the Remote Desktop, start with the host computer, which in this example is your work computer.
1.
Verify that you are signed in as the administrator.
2.
Click Start, click Control Panel, and then click Performance and Maintenance.
3.
Click System.
4.
Click the Remote tab, select the Allow users to connect remotely to this computer check box, and then click OK.
Next, make sure you have Windows Firewall set up to allow exceptions.
1.
In the Control Panel, click Security Center.
2.
Under Manage security settings for, click Windows Firewall.
3.
Make sure the Don't allow exceptions check box is not selected.
4.
Click the Exceptions tab, and verify that the Remote Desktop check box is selected.
5.
Click OK, and then close the Windows Security Center window.Your host computer is now set up to allow remote access.You will need the name of the host computer.
6.
In Control Panel, click Performance and Maintenance, click System, and then click the Computer Name tab.
7.
Write down the full computer name, and then click OK.
8.
Close Control Panel.
9.
Leave this computer running, locked, and connected to the corporate network with Internet access.
Connect your remote computer to the host computer
To connect your home computer, which is the client (or remote) computer to your work (or host) computer, follow these steps:
1.
On your home computer, click Start, point to All Programs, and then point to Accessories.
2.
In the Accessories menu, point to Communications, and then click Remote Desktop Connection.
3.
In the Computer box, type the computer name of your host computer, which you wrote down earlier.
4.
Click Connect.
5.
When the Log On to Windows dialog box appears, type your user name, password, and domain (if required), and then click OK.The Remote Desktop window opens, and you see the desktop settings, files, and programs that are on your host computer, which in this example is your work computer. Your host computer remains locked, and nobody can access it without a password. In addition, no one will be able to see the work you are doing remotely.
To end your Remote Desktop session:
1.
Click Start, and then click Log Off at the bottom of the Start menu.
2.
When prompted, click Log Off.
Thursday, December 27, 2007
Networking Note
Posted by Eng. Naseer Ahmad Habib 0 comments
Subscribe to:
Posts (Atom)