Networking Basics in a Windows Environment
Last Updated: 21 Feb 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
The following guidelines will assist you in configuring a
Windows-based (or predominantly Windows-based) network,
including Internet connectivity. This document focuses on
connectivity via Hubs or Switches, as opposed to using
cross-over cables between two systems.
Here's what you need to start:
• Two or more computers
• Network Cards for each system (wired or wireless)
• Extra NIC for gateway system (unless using Router)
• One Hub or Switch (or Router w/integrated switch)
• CAT5 for each system
• Extra CAT5 for connecting gateway device to ISP
===================
TABLE OF CONTENTS
===================
NETWORKING INFRASTRUCTURE
---------------------------------------
0. SAMPLE NETWORK DIAGRAMS
1. CHOOSING YOUR GATEWAY
2. ROUTERS, HUBS, SWITCHES
3. IP ADDRESSING CONSIDERATIONS
4. INTERNET CONNECTIVITY
5. BASIC SECURITY
6. FIREWALLS & VPNs
7. DMZ (DEMILITARIZED ZONE)
8. RUNNING NETWORK APPS THROUGH FIREWALLS
9. MAKING CABLES
WINDOWS NETWORKING
---------------------------------------
10. WINDOWS NETWORKING BASICS
11. FILE SHARING WITH NT/2000/XP/2003
12. NAME RESOLUTION
13. ACTIVE DIRECTORY
14. GETTING YOUR OWN DOMAIN
15. DETERMINE YOUR ISP-PROVIDED IP ADDRESS
TROUBLESHOOTING
---------------------------------------
20. TROUBLESHOOTING (OVERVIEW)
21. TROUBLESHOOTING (DETAILED)
=========================
SAMPLE NETWORK DIAGRAMS
=========================
Here are some sample network diagrams, covering a wide
variety of common configurations, all of which will be
addressed in greater detail later in this document:
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-Visio.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-DMZ.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=SafeNetwork.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=MyNetwork.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=SafeNetwork.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-XO.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-NAT.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-FW.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-AD.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=AD-DNS-Split.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=AD-DNS-NAT.JPG
Here are some network diagramming tools:
• LanFlow ................ http://www.pacestar.com/lanflow/
• Network Notepad ........ http://www.networknotepad.com/
• SmartDraw .............. http://www.smartdraw.com/
Here are some sources for Visio stencils:
• http://www.mvps.org/visio/3rdparty.htm
• http://www.netzoomstencils.com/home/
=======================
CHOOSING YOUR GATEWAY
=======================
When deploying an Internet gateway for a Windows-based
network, you have at least the following options:
OPTIONS EXAMPLES
=========================================================
• NAT software ........... ICS, RRAS, WinRoute
• Proxy software ......... MSProxy, WinGate, WinProxy
• Broadband Router ....... LinkSys, SMC, Netgear, D-Link
• OS-based Firewall ...... ISA, CheckPoint, Raptor
• Hardware Appliance ..... Nokia, Netscreen, SonicWall
• Open Source FW ......... Linux/IPChains, OpenBSD/PF
Your choice of firewall or gateway equipment will depend
on a wide variety of criteria, including cost, space and
complexity.
Your basic consumer-level router/firewall appliance will
allow you to share one IP from your ISP among up to 254
internal IPs of your choosing.
However, if your ISP provides you with 2 or more external
IPs, then these low-end appliances typically don't allow
you to use any of the extra IPs.
Higher-end devices from Netscreen, SonicWall, WatchGuard
and others, allow you to share any number of external IPs
among any number of internal hosts. This can also be
accomplished with some of the higher-end software products
such as WinRoute, or any Linux/BSD solution.
The gateway options are explained in more detail here:
• http://www.giac.org/practical/gsec/Andrew_Baker_GSEC.pdf
• http://www.giac.org/practical/gsec/Mike_McCabe_GSEC.pdf
=========================
ROUTERS, HUBS, SWITCHES
=========================
Each of these devices plays a particular role in the
formation of networks.
HUBS and SWITCHES allow systems to speak to each other
and form a local area network. The difference between
a hub and a switch is that all systems connected to a
hub must share the bandwidth of the hub, and can see
traffic destined for all systems on that hub. OTOH, a
switch provides dedicated bandwidth to each system and
allows them to see only the traffic that is destined
for them.
A ROUTER is used to provide connectivity between two
separate networks -- a common example being the
connectivity between a LAN and the Internet.
A BRIDGE is a device that allows you to extend one
network to encompass other systems that would normally
be considered a separate network. As an example, most
broadband (Cable/DSL) modems extend the ISPs network
into your house -- until you stick a router/firewall
between the modem and your LAN. Another example of a
BRIDGE would be Wireless Access Points.
Windows XP has native bridging software, but there are
also 3rd party solutions for creating network bridges:
• http://www-stud.fh-fulda.de/~fd1557/WinBridge/main-uk.htm
Although not necessarily represented in any of the
provided network diagrams, many broadband routers also
have embedded hub or switch ports on them, so that you
don't need to purchase a separate switch or hub.
HUB/SWITCH ... Connects machines together to form a LAN.
ROUTER ....... Connects two different networks together.
BRIDGE ....... Allows two networks to act as a single one.
BROUTER ...... Combines BRIDGE and ROUTER functionality.
• http://www.linksys.com/faqs/?fqid=26
• http://www.webopedia.com/TERM/s/switch.html
• http://www.webopedia.com/TERM/b/bridge.html
• http://www.webopedia.com/TERM/R/router.html
• http://www.webopedia.com/TERM/b/brouter.html
• http://www.asante.com/support/routerguide/faqs/hardwared.html
• http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213079,00.html
• http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212294,00.html
• http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212924,00.html
• http://searchsystemsmanagement.techtarget.com/sDefinition/0,,sid20_gci211707,00.html
• http://www.dalantech.com/ubbthreads/showflat.php?Cat=&Board=networking&Number=33052&page=0&view=collapsed&sb=5&o=&fpart=1
==============================
IP ADDRESSING CONSIDERATIONS
==============================
Be sure to choose your IP addressing scheme with care.
Even though it is easy to accept whatever default your
hardware vendor suggests, you should consider selecting
a different range within the acceptable private address
blocks. The reason for this is that should you ever
desire to setup a VPN, you would have problems connecting
to anyone who was using the same addressing scheme for
their local LAN. Simply put, it becomes a routing issue
when a remote network is using the same addressing scheme
as a local network, and you attempt to connect the two
via VPN.
For example, if both you and your neighbor have chosen
to use 192.168.0.0/24 as your local LAN, when you attempt
to setup a tunnel between each other's networks, how will
your routers and firewalls be able to establish where the
traffic has originated from? Most modern firewalls would
raise alarms of spoofing upon getting such packets.
Consider using addresses in the 172.16.x.x - 172.31.x.x
since these are most frequently overlooked by others.
USING DHCP
When considering DHCP, my rule is static IPs for servers
and network devices, and dynamic addresses for everything
else (with things like IP-based printers using reserved
DHCP addresses).
• Static IP .............. Network Devices, Servers
• Standard DHCP .......... Regular Client systems
• Reserved DHCP .......... Printers, special Client systems
Remember that if you're using a broadband router to
allow access to one of your internal systems from the
outside, that system will need a static address, or
DHCP will need to be controlled by a device other than
the broadband router.
• http://www.computerperformance.co.uk/dns_dhcp_wins.htm
• http://www.dhcp-handbook.com/dhcp_faq.html
• http://www.faqs.org/rfcs/rfc1925.html
• http://KB.UltraTech-llc.com/?File=ADNetwork.TXT
• http://KB.UltraTech-llc.com/Docs/?File=IPAddressing-SOHO.PDF
=======================
INTERNET CONNECTIVITY
=======================
Address translation will allow you to share one or more
IPs for all of your systems to connect to the Internet
(or another network). This can be done with hardware or
software, as appropriate.
According to RFC 1918, the following addresses are
available for private networks:
192.168.x.x
172.16.x.x - 172.31.x.x
10.x.x.x
For all of the scenarios in this document (including the
linked PDF file below), we'll work with the 172.30.50.0
network.
The basic diagram of a network using Network Address
Translation (NAT) is as follows:
************
* Internet *
************
|
| (your ISP provided IP address)
+---+---+
| GATE1 |
+---+---+
| 172.30.50.1
|
+---------------+---------------+
| | |
+---+---+ +---+---+ +---+---+
| SYS-1 | | SYS-2 | | SYS-3 |
+-------+ +-------+ +-------+
Desktop Desktop Laptop
172.30.50.11 172.30.50.12 172.30.50.13
In the above scenario, the addresses can be statically
mapped, or assigned by DHCP (my preference), with the
gateway of the internal systems set to 172.30.50.1.
The Gateway machine (GATE1), which contains two network
interfaces, should NOT have a Default Gateway configured
on the 172.30.50.x interface. There should only be a
single Default Gateway, and it should be configured on
the external network interface (provided by the ISP).
This is true whether the ISP-provided IP address is
statically configured, or assigned through DHCP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: The Gateway machine (or device) listed above, can
be a server or desktop running NAT/Proxy/Firewall
software, or it can be a Broadband Router, or it
can be a Firewall/VPN applicance. In any event,
it will need to have at least two distinct network
interfaces, for proper security and operation.
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-DMZ.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-Visio.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=SafeNetwork.JPG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the event that a Windows-based machine is being used
to provide Internet gateway services, NetBIOS should be
unbound from the public NIC (see the SECURITY section
for more details) and a firewall should be installed on
the gateway system (preferably with robust packet
filtering or stateful packet inspection, if possible).
TCP Ports 135-139 and 445 should be not be permitted to
traverse your router/firewall/gateway, unless you have
some sort of bizarre hacker deathwish.
If you're running DNS on the gateway system, all of the
internal clients should point to it using the INTERNAL
address of the gateway system. The gateway system can
configure its DNS server as a forwarder to the ISP's
DNS servers, or point to any other legitimate DNS servers
that you have access to.
The systems in the diagram above can be connected with
a Hub or a Switch, as you desire, but these days, the
price of a low-end, unmanaged Switch is far too low to
pass up, especially considering the performance advantage
you will gain over a Hub (reduced collisions). Also,
many broadband routers come with switch ports, thus
eliminating the need for a separate switch.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: NAT is only the first level of security. It should
not be the *only* level of security deployed on
your network -- even a home network.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
• http://www.microsoft.com/windowsxp/pro/using/howto/networking/homenet/
• http://www.microsoft.com/windowsxp/home/using/howto/homenet/
• http://www.microsoft.com/TechNet/win2000/connint.asp
• http://www.practicallynetworked.com/sharing/ics/icsconfiguration.htm
• http://www.pcstats.com/articleview.cfm?articleid=1429&page=1
• http://www.homenethelp.com/ics/ics-install-arch.asp
• http://www.homenethelp.com/openbsd/bsd-firewall.asp
• http://www.giac.org/practical/gsec/Andrew_Baker_GSEC.pdf
• http://www.ositis.com/english/support/WinProxy3/sp_Cable_Modem_Connection_en.asp
• http://www.carricksolutions.com/networking.htm
• http://www.a2zcables.com/cgi-bin/wfp49345.storefront/3b34746e017e648a271dd143c8c60709/UserTemplate/83
• http://www.vicomsoft.com/knowledge/reference/nat.html
• http://www.dalantech.com/ubbthreads/postlist.php?Cat=&Board=networking&page=0&view=collapsed&sb=5&o=
• http://www.petri.co.il/adsl_home_network_config.htm
• http://KB.UltraTech-llc.com/?File=NAT.TXT
• http://KB.UltraTech-llc.com/?File=SetIP.TXT
• http://KB.UltraTech-llc.com/?File=NetTweaks.TXT
================
BASIC SECURITY
================
If you have a Windows machine as the gateway or router,
be sure that you unbind NETBIOS from the external facing
NIC (the NIC that is connected to your broadband modem,
not the NIC which has and internal IP address).
NT4 ---- Disable "WINS TCP/IP Client" from the
bindings of the appropriate network card.
Win2K -- On the WINS tab, under "Advanced TCP/IP"
properties, select "Disable NetBIOS over
TCP/IP"
WHY SECURITY?
Many people feel that security on a home network is not
that important, because they don't have *critical* data
on their systems. It is true that most home systems and
networks are not compromised for their data. They are
compromised for practice purposes, or to create remote
zombies for large-scale Distributed Denial of Service
(DDoS) attacks against other networks.
On a number of occasions, the Internet has been bogged
down through the propagation of Viruses and Worms by
unpatched systems. Remember: Security is not simply
about protecting yourself directly -- it's also about
protecting your neighbor (and the Internet) indirectly.
If your machine is ever compromised, just format it
and rebuild, restoring any necessary data from the
last clean backup. You can never be sure that you've
managed to clean out all the backdoors on such a system.
MULTIPLE PROTOCOLS
For the most part, the fewer protocols you install on
your systems, the less you will expose yourself to
certain network configuration issues. There are a few
instances, however, where it can be useful.
Without some sort of NAT or Proxy between you and your
ISP, your network is readily exposed to any of your
neighbors who has a similar configuration (which will
be many of them).
If you connect multiple machines to your ISP via a hub
or a switch, but without a firewall/router, then you
should consider installing a second protocol on your
systems (e.g. IPX or NETBEUI) and then disable all
file-sharing capabilities over TCP/IP.
In addition to disabling "NetBIOS over TCP/IP", all
Internet traffic to or from the following IP ports
should be blocked by with a personal firewall:
TCP/UDP 135, 137-139, 445
All in all, it is still better to deploy a network
router/firewall and go with a TCP/IP-only network.
PERSONAL FIREWALLS
Make use of Personal and/or Network firewalls, and be
sure to configure Auditing and File/Share level
permissions for all your resources.
Most broadband routers have firewalls that will only
protect you from unknown inbound traffic. They won't,
however, alert you to, or protect you from spyware or
other apps that you've downloaded and knowingly or
unwittingly installed. So, it is advisable that if
you're not using a high-end firewall that can regulate
traffic in both directions, that you install a
personal firewall on your system(s).
Antivirus protection is a very important part of network
security, and bears mentioning here, particularly since
worms and trojans can be spread more quickly through a
network than by stand-alone systems.
VPNs & REMOTE ACCESS
If you (or anyone else) need to have connectivity to
your network from a remote location, you should consider
the use of a VPN, rather than opening up your systems
directly to the Internet. The easier you make it for
someone to connect remotely, the easier it is for folks
with a port scanners and too much idle time on their hands.
AUDITING & LOGGING
Auditing is a very important part of security, and should
not be overlooked, even on a stand-alone, home system.
If your router software/hardware supports it, setup a
SysLog server and process the messages from your router
or firewall. It doesn't make any sense for you to have
the info if you're not looking at it and taking any
appropriate action.
Also, use strong passwords and change them frequently.
Once every 45 days is reasonable. Don't use the same
passwords on your network that you use on websites.
Periodically scan your own network with security tools
to ensure that everything you want to have protected is
still being protected adequately. If you decide to use
external parties to probe your network, be sure that you
use reputable organizations. Otherwise, they could use
what they learn to cause you grief later.
• http://www.personalfirewallday.org/why.html
• http://www.sans.org/rr/homeoffice/
• http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp
• http://www.microsoft.com/technet/security/bestprac.asp
• http://www.microsoft.com/technet/security/lockdown.asp
• http://www.microsoft.com/technet/security/tools/tools.asp
• http://www.microsoft.com/TechNet/prodtechnol/windows2000serv/maintain/featusability/crusegrp.asp
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/20893/windowsnt20002003faq_20893.html
• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.PDF
• http://KB.UltraTech-llc.com/?File=AntiVirus.TXT
• http://KB.UltraTech-llc.com/?File=Audit.TXT
• http://KB.UltraTech-llc.com/?File=SecTools.TXT
• http://KB.UltraTech-llc.com/?File=PFirewalls.TXT
• http://KB.UltraTech-llc.com/?File=SFirewalls.TXT
• http://KB.UltraTech-llc.com/?File=StrongPwd.TXT
• http://KB.UltraTech-llc.com/?File=Security.TXT
• http://KB.UltraTech-llc.com/?File=WinPopup.TXT
• http://www.dalantech.com/ubbthreads/postlist.php?Cat=&Board=networking&page=0&view=collapsed&sb=5&o=
==================
FIREWALLS & VPNs
==================
Although broadband routers are fairly popular, not to
mention very inexpensive, the true networking hobbyist
will aim for a more powerful product to protect his/her
network. The following devices can all be obtained for
less than $500, and will allow you to create REAL DMZs,
support PPTP and L2TP/IPSEC traffic, and support multiple
external IP addresses, and site-to-site VPNs among other
things.
Or, you can just build your own Linux/BSD firewall and
get most of these features/functionality as well.
• Netscreen 5XP .......... http://www.netscreen.com/
• SnapGear SME530 ........ http://www.snapgear.com/
• SonicWall SOHO3 ........ http://www.sonicwall.com/
• http://www.giac.org/practical/gsec/Andrew_Baker_GSEC.pdf
• http://www.homenethelp.com/openbsd/bsd-firewall.asp
• http://www.practicallynetworked.com/sharing/uselinux.htm
==============================
THE DMZ (DEMILITARIZED ZONE)
==============================
On a properly designed enterprise network, you will
often find a DMZ in place. The purpose of a DMZ is
to segment the network between heavily accessed,
public boxes, and sensitive internal systems. Web,
FTP, and Mail servers are commonly found in a DMZ,
while Database and Middleware servers remain in the
safety of the internal network.
A DMZ is generally separated from the Internal network
using a firewall. You can use separate, discrete
firewalls for each protected segment, or just use
different interfaces on a single firewall. Both methods
have their PROs and CONs.
Most broadband routers/firewalls have a DMZ feature
which allows you to place a single host completely
outside the protection of the firewall. This is done
for compatibility with games or other apps that might
not be appreciative of the router's NAT functionality.
This is very different from an enterprise-level DMZ,
in that (with the router) there is absolutely no
protection for the host in question.
• http://KB.UltraTech-llc.com/Diagrams/?File=SafeNetwork.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-DMZ.PDF
• http://KB.UltraTech-llc.com/?File=SFirewalls.TXT
========================================
RUNNING NETWORK APPS THROUGH FIREWALLS
========================================
You'll also want to familiarize yourself with the ports
of various applications and services, such that you can
provide those services to machines running on your
network behind NAT or firewalls.
Generally speaking, systems behind a NAT can initiate
services of other systems with public IPs, but they
cannot be the recipient of service requests without
the use of Port Mapping or Port Forwarding. The more
robust broadband routers and firewalls use a technique
called Port Forwarding to allow a TCP or UDP port on
your Public IP to be directed to a specific machine
inside your network. This facilitates running an FTP
or Web server behind a NAT, for example.
Essentially, port forwarding works as follows: You
tell the firewall to accept traffic from specific ports
on the external IP address, and pass it through to the
same port number of a specific internal IP address.
Here's an example for allowing Remote Desktop
(or Terminal Services) traffic into your network:
68.x.x.x:3389 mapped to 172.30.50.11:3389
If you have an application that you want to map to
multiple clients on your LAN, you will need to map
multiple external ports to internal ones.
68.x.x.x:3389 mapped to 172.30.50.11:3389
68.x.x.x:3390 mapped to 172.30.50.12:3389
68.x.x.x:3391 mapped to 172.30.50.13:3389
68.x.x.x:3392 mapped to 172.30.50.14:3389
The app in question must support choosing a port from
the client side, or this won't work. Also, this type
of functionality generally requires that your router
not be handing out DHCP addresses.
IDENTIFYING PORTS
You will need to identify which ports are needed for
each application that you wish to support. For most
common services, a google search (or the vendor of the
application) will produce a fast answer.
Or, if you're feeling especially brave, you can open
up all ports and log the traffic that is generated
by the application.
• http://support.microsoft.com/?KBID=307554
• http://support.microsoft.com/?KBID=240429
• http://support.microsoft.com/?KBID=159031
• http://www.chebucto.ns.ca/~rakerman/port-table.html
• http://www.smallnetbuilder.com/FAQ-9-General-8.php
• http://www.smallnetbuilder.com/FAQ-25-Getting+applications+to+work-5.php
• http://www.microsoft.com/windowsxp/pro/techinfo/deployment/natfw/
• http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/adminra.asp
• http://KB.UltraTech-llc.com/?File=Listen.TXT
• http://KB.UltraTech-llc.com/?File=PPTP.TXT
• http://KB.UltraTech-llc.com/?File=NAT.TXT
===============
MAKING CABLES
===============
You have a choice to buy pre-made cables at your local
computer store, or make your own CAT5 cable for 10/100
connectivity. It's easier than you think, and fairly
cost effective.
RadioShack is a good source for crimping tools, although
you'll want to buy your RJ45 connectors in bulk at a
computer show, or online. Don't forget to buy a good
cable tester.
• http://www.littlewhitedog.com/reviews_other_00009.asp
• http://www.duxcw.com/digest/Howto/network/cable/
• http://KB.UltraTech-llc.com/?File=CAT5.TXT
===========================
WINDOWS NETWORKING BASICS
===========================
Let me begin by saying "DHCP is your friend". Using
DHCP makes your network much easier to manage, and will
allow you to change many settings on the fly, without
having to visit each and every client system. Also,
configuring WINS and DNS will allow you to quickly
communicate with machines on your LAN or out on the
Internet.
You will need to decide if you are setting up your
systems in a DOMAIN or a WORKGROUP. The advantage of
a DOMAIN is that it centralizes administration and
account management, but many people with only 3 or 4
machines may not want to dedicate a system to be the
server in this configuration. If you do go with a
WORKGROUP, be sure that all Windows systems on the
network use the same WORKGROUP name.
Although commonly advocated, there is no need to run
NETBEUI on your Windows network. It is a chatty, non-
routable protocol that is only useful if you don't
want to connect to the Internet. If you don't have a
network firewall in place (you're connected directly
to your ISP's network) then it can provide you with
an extra measure of security.
While NT/2000 handles multiple protocols rather nicely,
and provides a nice mechanism to ensure binding order,
Win9x is less than pleased at the additional resources
which are consumed.
NetBIOS support, which is necessary for legacy Windows
support, can be tunnelled over TCP/IP in Win95 and
later OSes.
• http://www.sans.org/rr/homeoffice/small_net.php
• http://www.wown.com/j_helmig/wxpwin9x.htm
• http://KB.UltraTech-llc.com/?File=TCPIP.TXT
• http://KB.UltraTech-llc.com/?File=Networking.TXT
• http://support.microsoft.com/?KBID=260362
• http://support.microsoft.com/?KBID=250927
• http://www.dalantech.com/ubbthreads/postlist.php?Cat=&Board=networking&page=0&view=collapsed&sb=5&o=
===================================
FILE SHARING WITH NT/2000/XP/2003
===================================
The basic overview of file/printer sharing which
involves Windows NT, 2000 or XP systems is:
• Setup Domain or Workgroup
• Assign IP Addresses
• Configure Name Resolution
• Enable File/Printer Sharing
• Create User Accounts
Win9x/ME systems in a peer-to-peer network have no
trouble connecting to each other and sharing files
because there is no real security in those systems.
However, in order to access the shares and folders
of a Windows NT, 2000 or XP system which resides on
your network, you need to do a bit of more work, in
addition to enabling "File and Printer Sharing for
Microsoft Networks":
OPTION #1 -- Undesirable Option
• Enable the Guest account on NT/2000/XP (bad option)
OPTION #2 -- Highly Preferred Option
• Create a user/pwd combo on NT/2000/XP which matches
what the Win9x/ME (or other Windows) user logs in
with locally
• Use the same workgroup or domain name for the Win9x
and NT/2000/XP systems (this is only necessary for
easy browsing via Network Neighborhood)
As an example of creating multiple accounts, let's
say that you have three machines:
Machine-A - Win2K; logon=Tarzan
Machine-B - WinXP; logon=Jane
Machine-C - Win98; logon=Cheetah
All three account/pwd combinations would need to
be created on Machines A and B, with at least USER
level permissions, in order for users of the other
machines to successfully connect to those systems
across the network.
Machine C wouldn't need any accounts created on it
in order to allow A or B to connect successfully,
because by default, Win9x/ME has no user security.
Enabling the GUEST account is a bad thing from a
security standpoint, and will lead to your machine
being exploited in short order. It is best if you
leave this disabled, despite the obvious convenience.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: Under the covers, XP Home still uses the GUEST
account, although it is not quite as dangerous
as enabling the GUEST account in earlier
editions of Windows. This is all tied to the
"Use Simple File Sharing", and is simply another
good reason to use XP Pro over XP Home.
* http://support.microsoft.com/?KBID=304040
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remember, if File Sharing is not enabled, then that
particular box will not be visible on the network.
By default, XP systems have file sharing enabled,
but you'll want to verify that ICF (or some other
personal firewall) is not impeding the connectivity
between the systems on your LAN.
A clean install of XP Pro will default to enabling
the following setting: "Use Simple File Sharing".
Users of XP Home have no choice, as only simple file
sharing is available. However, users of XP Pro,
particularly those familiar with File Sharing options
under NT and 2000, will want to disable this setting.
These instructions will work with any combination of
Win32 clients. Likewise, if you want to restrict one
or more users from connecting to a networked resource,
ensure that the username/pwd combos for those users
do not have access to the resource in question.
• http://www.microsoft.com/windowsxp/pro/using/howto/networking/homenet/
• http://www.microsoft.com/windowsxp/home/using/howto/
• http://www.microsoft.com/windowsxp/expertzone/columns/honeycutt/august13.asp
• http://www.practicallynetworked.com/sharing/xp/filesharing.htm
• http://www.practicallynetworked.com/sharing/xp_filesharing/
• http://www.udel.edu/timmins/FileSharingXP/
• http://www.wown.com/j_helmig/wxpwin9x.htm
• http://www.jsiinc.com/subi/tip4400/rh4487.htm
• http://support.microsoft.com/?KBID=258717
• http://support.microsoft.com/?KBID=260362
• http://support.microsoft.com/?KBID=299977
• http://support.microsoft.com/?KBID=304040
• http://KB.UltraTech-llc.com/?File=NameRes.TXT
• http://KB.UltraTech-llc.com/?File=Perms.TXT
• http://KB.UltraTech-llc.com/?File=SetPerms.TXT
• http://KB.UltraTech-llc.com/?File=UserAcct.TXT
• http://www.dalantech.com/ubbthreads/postlist.php?Cat=&Board=networking&page=0&view=collapsed&sb=5&o=
=================
NAME RESOLUTION
=================
If you are unable to get Windows9x machines to talk to
each other or to NT/2000/XP systems without installing
NetBEUI, then it is very likely that you have not setup
NetBIOS Name Resolution for your client systems.
For peer-to-peer systems, the requirement of using the
same workgroup name across all machines is important if
you want to see them easily in Network Neighborhood, but
it is not important if you already know the names of the
machines you want to connect to.
In fact, if any of the machines you're trying to network
together belong to different domains, you will definitely
want to AVOID removing them from their domains unless you
have access to the Local Administrator account.
The only other thing you will want to have in place is
some name resolution system (such as DNS, WINS, HOSTS
file or LMHOSTS file). Using NETBEUI will allow you to
find machines names by broadcast, rather than with any
of the other name resolution options.
To ensure successful communication on a TCP/IP network,
you will need a way to call your systems by name and get
back the appropriate IP address. Windows systems use
the following Name Resolution facilities for mapping
Host or NetBIOS names to IP addresses:
- Host Name Resolution
HOSTS ..... Static
DNS ....... Dynamic
- NetBIOS Name Resolution
LMHOSTS ... Static
WINS ...... Dynamic
DNS ....... Dynamic*
HOSTS ..... Static (with NT/2000/XP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: To use DNS for resolving NetBIOS names, you must
go into the TCP/IP properties in the Control Panel
and enable "Use DNS for Windows Resolution"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In place of DNS, you can configure each machine with a
HOSTS file. In place of WINS, use an LMHOSTS file.
These files are located in the following location:
• Win9x/ME ............... %windir% (usually C:\WINDOWS)
• NT/2000/XP ............. %SystemRoot%\System32\Drivers\ETC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: Both the "HOSTS" and "LMHOSTS" files lack any file
extensions. You can start with the HOSTS.SAM and
LMHOSTS.SAM files and save them without extension
(use quotes, if saving in Notepad).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
• http://msdn.microsoft.com/library/periodic/period00/NetBIOS.htm
• http://support.microsoft.com/?KBID=119493
• http://support.microsoft.com/?KBID=172218
• http://support.microsoft.com/?KBID=299977
• http://support.microsoft.com/?KBID=315267
• http://support.microsoft.com/?KBID=204279
• http://KB.UltraTech-llc.com/?File=NameRes.TXT
==================
ACTIVE DIRECTORY
==================
Active Directory provides a rich management environment
for computers and users, that far surpasses what NT4 has
to offer, or what can be obtained with a workgroup. For
many home environments, AD might be considered overkill,
but it can provide a excellent learning environment for
dealing with Enterprise Domain issues.
From my perspective, it is useful to deploy a domain if
centralized control of your systems is important to you,
or you want better management of network resources.
A domain is ultimately much easier to manage than a
workgroup, especially once you get above 5 or 6 client
systems. In most cases, you'll want to make a second
domain controller as a backup for all your domain
settings.
When setting up Active Directory on your home network
(or any other small network that contains a broadband
router), you should avoid the temptation to have the
router handle DNS and DHCP. You'll experience far less
trouble with your client systems if you follow these
simple guidelines:
• Disable DHCP on your Router
• Setup DNS and DCHP on your server
• Setup a reverse domain for your LAN
• Create the DHCP scope and authorize the DHCP server
• Ensure that a valid PTR record exists for the server
• Point the server to its own DNS (primary & secondary)
• Setup the DNS to use forwarders for external resolution
• Add a second domain controller for redundancy
• Point the primary DNS entry on this server to the 1st DC
• Point the secondary DNS entry on this server to itself
• Set DHCP to point all clients to your DNS server(s)
• Enable Dynamic DNS registration on the clients
The domain structure available under Windows 2000 is
much better -- and more complex -- than what was
available under NT4. Here are some resources for
setting up Active Directory:
• http://support.microsoft.com/?KBID=237675
• http://support.microsoft.com/?KBID=260362
• http://labmice.techtarget.com/ActiveDirectory/
• http://www.serverwatch.com/tutorials/article.php/1474461
• http://www.swynk.com/friends/dinicolo/adquick.asp
• http://msdn.microsoft.com/library/en-us/dnduwon/html/d5activedir.asp
• http://www.microsoft.com/windows2000/technologies/directory/ad/
• http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/manadsteps.asp
• http://KB.UltraTech-llc.com/?File=ADnetwork.TXT
• http://KB.UltraTech-llc.com/?File=ADupgrade.TXT
=========================
GETTING YOUR OWN DOMAIN
=========================
In order to set yourself up with a permanent name on
the Internet, and facilitate email and web hosting, you
can obtain your very own domain name.
• http://www.dslwebserver.com/
Verisign is probably the best known registrar (having
purchased NetworkSolutions) but they are hardly the
best. Here are some registrars which make it simple and
easy to get a domain name:
• http://www.000domains.com
• http://www.active-domain.com/
• http://www.buydomains.com/
• http://www.godaddy.com/
• http://www.register.com/
• http://www.internic.net/regist.html
========================================
DETERMINE YOUR ISP-PROVIDED IP ADDRESS
========================================
Use the following website to determine what your external
IP address is at any time:
• http://www.whatismyip.com/
If you have a dynamic ISP-provided address, yet you wish
to have an easy way to reach your systems from a remote
network, you should make use of one of the many dynamic
IP naming services:
• http://www.dhs.org/
• http://www.dyndns.org/
• http://www.dynip.com/
• http://www.dynips.com/
• http://www.no-ip.com/
• http://www.tzo.com/
• http://www.webwatchmen.com/
• http://technocage.com/~caskey/tinydyn/
• http://www.sitelutions.com/
============================
TROUBLESHOOTING (OVERVIEW)
============================
Here are the key things to check when troubleshooting
network connectivity problems:
- Cabling (including Length)
- NIC Settings (10/100, HD/FD, Auto)
- Switch Settings on managed switches
- Access Lists or Filtering on Routers and Firewalls
- Protocols and Binding Order
- IP Address(es), Subnet Mask and Default Gateway
- Routing Table
- DNS and WINS Settings
- HOSTS and LMHOSTS files
- NetBIOS issues, including SCOPE
- Computer Browser Lists
- WORKGROUP or DOMAIN names
- File Sharing Settings
- Permissions and User Rights
- Broken WinSock from uninstallation of 3rd party software
============================
TROUBLESHOOTING (DETAILED)
============================
The most common issues you're likely to face will
involve Name Resolution, Protocol Settings, cabling
issues, NIC AutoSensing, and Personal Firewalls.
If you suddenly can't reach an address by name, you
should try PING and TRACERT to the IP address in
order to rule out DNS issues. If you can ping by
IP, but not by name, then you likely have an issue
with DNS/WINS (hosts/lmhosts). Additionally, TRACERT
is better than PING at establishing *where* you are
having latency issues.
TCP/IP TROUBLESHOOTING EXAMPLES (Using Dilbert.com):
PING www.dilbert.com
PING 65.114.4.69
TRACERT www.dilbert.com
TRACERT 65.114.4.69
NSLOOKUP www.dilbert.com
NSLOOKUP 65.114.4.69
The following commands will only work in Windows XP:
FOR %V IN (ADAPTER LOOPBACK) DO NETSH DIAG PING %V
FOR /F "TOKENS=2" %V IN ('NETSH DIAG PING ^| FIND /I "PING"') DO NETSH DIAG PING %V
NOTE: See scripts available near the end of this document.
It should also be remembered that Personal Firewalls
can prevent connectivity between systems, by blocking
NetBIOS traffic, ICMP or TCP/IP in general.
AUTO-SENSING DEVICES
Some Switch/NIC combinations don't autosense properly.
While 10 or 100 is easy to do correctly, determining
Half or Full duplex is not quite as straightforward.
If in doubt, set both sides to a specific setting
(say, 100/Half) and see if the problems go away. And
don't forget the HUBS cannot support Full Duplex
communication, although SWITCHES can.
MULTIPLE PROTOCOLS
When multiple protocols are in use, try to ensure that
that bindings are configured in a similar fashion for
all systems. If a machine with TCP/IP and IPX tries
to talk to another system which has IPX as the default,
communication may not be smooth in both directions.
BROKEN WINSOCK/WINSOCK2
On occasion, the uninstallation of 3rd party networking
software, or the removal of malware products can result
in a managled WinSock. This will manifest itself in
spotty Internet connectivity whether by name or IP.
Here is a fix:
• http://cexx.org/lspfix.htm
OTHER TOOLS
Other tools like TELNET, NETDOM, NLTEST and NETSH can be
used in Windows NT/2000/XP and .NET Server to diagnose
all sorts of networking issues. Also NBLOOKUP
• http://cexx.org/lspfix.htm
• http://www.billssite.com/2000prompt.htm
• http://www.jsiinc.com/subh/tip3900/rh3928.htm
• http://ctdp.tripod.com/os/windows/wintcp/wtcptools.html
• http://www.zdnet.com.au/itmanager/technology/story/0,2000029587,20265868,00.htm
• http://www.wown.com/j_helmig/guide.htm
• http://search.support.microsoft.com/kb/psssearch.asp?FR=0&DU=C&SPR=&LPR=&D=winxpnetkb&LQ=kbnetwork&VA=&T=B&KT=BOOLEAN&T1=&S=F&A=T&sh=0&SG=&PSL=&LNG=ENG&VR=http%3A%2F%2Fsupport%2Emicrosoft%2Ecom%2Fsupport&CAT=Support&VRL=ENG&CND=1&SA=GN&H=Windows+XP+KB+Articles+About+Networking
• http://support.microsoft.com/?KBID=102908
• http://support.microsoft.com/?KBID=308007
• http://support.microsoft.com/?KBID=258495
• http://support.microsoft.com/?KBID=217769
• http://support.microsoft.com/?KBID=299977
• http://support.microsoft.com/?KBID=830578
• http://www.smartcomputing.com/editcat/SMART/NETWORKING/74/16124/
• http://KB.UltraTech-llc.com/?File=Browser.TXT
• http://KB.UltraTech-llc.com/?File=NameRes.TXT
• http://KB.UltraTech-llc.com/?File=~MoreInfo.TXT
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SLOW NETWORK BROWSING WITH 2000/XP
• http://www.winforums.org/viewthread.php?tid=64
• http://is-it-true.org/nt/nt2000/registry/rtips48.shtml
• http://www.practicallynetworked.com/sharing/troubleshoot/slowbrowse02.htm
DNS & ACTIVE DIRECTORY
• http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dnsbd_dns_overview.asp
• http://support.microsoft.com/default.aspx?scid=/support/win2000/dns.asp&FR=1
• http://www.arstechnica.com/reviews/004/software/windows/exchange-1-1.html
OTHER NETWORKING RESOURCES
• http://www.wown.com/j_helmig/
• http://www.dalantech.com/
• http://www.practicallynetworked.com/
• http://www.smallnetbuilder.com/
• http://cable-dsl.home.att.net/
• http://www.cablemodeminfo.com/-ssi
• http://www.sharkyextreme.com/hardware/guides/home_lan_guide/
• http://arstechnica.com/guide/networking/installation-1.html
• http://www.ntndis.com/utilities/etherbridge.htm
• http://www.ositis.com/english/featurebar/fb_homenetworking101_en.asp
• http://www.ositis.com/english/products/accessnow/pd_accessnowvbn_en.asp
• http://www.chebucto.ns.ca/~rakerman/port-table.html
WHITEPAPERS & TECH DOCUMENTS
• http://www.arstechnica.com/reviews/004/software/windows/exchange-1-1.html
• http://www.tomshardware.com/network/20030630/
• http://www.networkcomputing.com/netdesign/soho1.html
• http://www.giac.org/practical/gsec/Andrew_Baker_GSEC.pdf
• http://www.vicomsoft.com/knowledge/reference/nat.html
• http://www.ccprep.com/resources/Whitepapers.asp
• http://www.microsoft.com/TechNet/win2000/connint.asp
• http://www.microsoft.com/technet/security/bestprac.asp
• http://support.microsoft.com/?KBID=260362
• http://labmice.net/networking/networkbasics.htm
• http://www.microsoft.com/technet/prodtechnol/win98/reskit/part3/wrkc16.asp
• http://www.microsoft.com/windowsxp/pro/using/howto/networking/homenet/
• http://www.microsoft.com/windowsxp/home/using/howto/homenet/
• http://www.faqs.org/rfcs/rfc1925.html
PERSONAL NOTES
• Remember: Security is not simply about protecting
yourself directly -- it's also about protecting your
neighbor (and the Internet) indirectly.
• While you don't need to use the Network Connection
Wizard that comes with XP in order to connect your
other Windows clients over ICS, you will not gain
support for those clients for UPnP NAT traversal
unless you do so. (And you definitely need it if
you're using XP HOME)
• Although Software and Hardware recommendations were
not provided for this document, they can be found in
the other links found in this document.
• While NAT provides a measure of protection, it is
far better to have an actual firewall with excellent
stateful packet inspection (or, at the very least,
good packet filtering).
• If you're going to make a lot of cable (or even buy a
lot of cable), you should get your hands on a good
cable tester. They don't cost too much, unless you
splurge for the super-duper high-end models...
• Going completely Wireless, or adding Wireless to your
existing Wired network is pretty straightforward,
with great products from SMC, LinkSys, D-Link, Netgear
and others.
• If you have a 100% Windows 2000/XP network, with or
without AD, you do not have any need for NetBIOS or
NetBEUI and can remove them. Older clients such as
Win9x/ME and NT4, will require NetBIOS for file
sharing and certain other network connectivity.
• You can connect two machines together via Crossover
CAT5 cable, but you will not be able to add a third
in this fashion. If you do use a crossover cable,
be sure that you configure both NICs to the same
setting, or you will almost certainly have a hard
time communicating between the two systems. If all
else fails, configure them as 100 Half-Duplex.
• Avoid USB cable/dsl modems like the plague! They
make it harder for you to use NAT software/hardware.
• Use robust, brand name hardware. A bargain is a
bargain, but sometimes I $10 NIC just isn't worth
the troubleshooting, poor performance or high CPU
utilization.
• XP Home uses "Simple File Sharing" and makes use of
the GUEST account for remote user authentication by
default.
• A correctly configured DNS infrastructure is essential
to the proper operation of Active Directory.
• I continue to maintain that USB networking adapters of
any type are a bad idea. Perhaps they'll be less of
an issue when everyone is using USB v2.0, but for the
time being, the represent higher CPU utilization, and
more conflicts than PCI adapters.
• You should avoid using the default IP range that is
provided by the maker of your router/gateway/firewall
for at least two reasons:
(1) People should not be able to figure out your IP
addressing scheme, simply by knowing what device
you own.
(2) If you ever want to setup a Site-to-Site VPN
with a friend or colleague, you'll find it a
bit more challenging if you both have the same
IP Address ranges. Be creative and with your
use of the RFC 1918 addressing space.
• Mastering Windows Server 2003 by Mark Minasi is a great
book for anyone who is new to Active Directory and
Windows 2000/2003
• Added NBLOOKUP to the troubleshooting tools
RELATED SCRIPTS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/Scripts/?File=IPDebug.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=Debug.BAT
RELATED TOPICS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/?File=SetIP.TXT
• http://KB.UltraTech-llc.com/?File=Browser.TXT
• http://KB.UltraTech-llc.com/?File=NameRes.TXT
• http://KB.UltraTech-llc.com/?File=OSBasics.TXT
• http://KB.UltraTech-llc.com/?File=Monitoring.TXT
• http://KB.UltraTech-llc.com/?File=NetTweaks.TXT
• http://KB.UltraTech-llc.com/?File=NewUser.TXT
• http://KB.UltraTech-llc.com/?File=NetMon.TXT
• http://KB.UltraTech-llc.com/?File=NTRights.TXT
• http://KB.UltraTech-llc.com/?File=SecTools.TXT
• http://KB.UltraTech-llc.com/?File=VPN.TXT
• http://KB.UltraTech-llc.com/?File=MobileUser.TXT
• http://KB.UltraTech-llc.com/?File=ADNetwork.TXT
• http://KB.UltraTech-llc.com/?File=Networking.TXT
• http://KB.UltraTech-llc.com/?File=Pricing.TXT
• http://KB.UltraTech-llc.com/?File=~MoreInfo.TXT