CHAPTER 1
DESIGNING A WINDOWS 2000 NETWORK
Lesson 1: Network Services Overview
Microsoft Windows 2000 provides many network features and services that can be used by your
organization to meet your business objectives.
TCP/IP (Transmission Control Protocol/Internet Protocol)
TCP/IP is the core protocol used in Windows 2000 and is the default networking protocol installed by Windows 2000 Setup. Services such as IIS and Active Directory require TCP/IP to be installed.
TCP/IP is a routable protocol used by WANs and the Internet. NetBEUI and NetBIOS are designed for LANs and are not routable; in other words, they cannot reach the Internet.
Domain Name System
Although TCP/IP uses Internet Protocol (IP) addresses to locate and connect to hosts (computers and other TCP/IP network devices), users typically prefer to use friendly names, for example, Microsoft.com rather than the IP address 172.16.23.55. DNS enables you to use hierarchical, friendly names to easily locate computers and other resources on an IP network.
DNS is used on the Internet to provide a standard naming convention for locating IP-based computers.
DHCP (Dynamic Host Configuration Protocol)
DHCP simplifies administering and managing IP addresses on a TCP/IP network by automating address configuration for network clients. Windows 2000 provides the DHCP Server service, which enables a computer to function as a DHCP server and configure DHCP-enabled client computers on your network.
=====================================================================
wininf1.html PAGE
2 2002/03/08
The DHCP Server service for Windows 2000 also provides:
· Integration with the Microsoft Active Directory directory service and DNS
· Enhanced monitoring and statistical reporting
· Vendor-specific options and user-class support
· Multicast address allocation
· Rogue DHCP server detection
Every computer on a TCP/IP-based network must have a unique IP address in order to access the
network and its resources. Without DHCP, IP configuration must be done manually for new computers,
computers moving from one subnet to another, and computers removed from the network. By
deploying DHCP in a network, this entire process is automated and centrally managed.
DHCP is so closely linked to WINS and DNS that network administrators will benefit from combining all three when planning deployment. If you use DHCP servers for Microsoft network clients, you must use a name resolution service. Windows 2000 networks use the DNS service to support Active Directory, in addition to general name resolution. Networks supporting Windows NT 4.0 and earlier clients must use WINS servers. Networks supporting a combination of Windows 2000 and Windows NT 4.0 should implement both WINS and DNS.
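The rogue DHCP server detection listed above comes down to checking who answered a lease request. The following Python is an added example, not code from the lesson or from Windows 2000: it decodes the option field of a DHCP message (the RFC 2132 type-length-value layout), reads the server identifier (option 54) out of each DHCPOFFER, and flags offers that did not come from an authorized server. The message bytes and the authorized-server list are constructed for the demonstration, and the function names are my own; Windows 2000 itself checks server authorization against Active Directory rather than a static list.

```python
"""Parse DHCP options and flag DHCPOFFERs from unauthorized servers.
Added example; the packets and the authorized-server list are constructed."""
import ipaddress
from typing import Dict, List, Optional, Set

# Option codes from RFC 2132 used in this example.
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
DHCPOFFER = 2                       # value of option 53 for an offer
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # starts every DHCP option field


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Decode the type-length-value option list that follows the magic cookie.

    A truncated option raises ValueError so a malformed packet is rejected
    instead of being silently misread."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    parsed: Dict[int, bytes] = {}
    i = 4
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end of options marker
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        parsed[code] = value
        i += 2 + length
    return parsed


def offer_server(options: bytes) -> Optional[str]:
    """Return the server identifier of a DHCPOFFER, or None for other message types."""
    opts = parse_dhcp_options(options)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        raise ValueError("DHCPOFFER without a valid server identifier")
    return str(ipaddress.IPv4Address(sid))


def find_rogue_offers(offers: List[bytes], authorized: Set[str]) -> List[str]:
    """Server addresses that issued an offer but are not on the authorized list."""
    rogue: List[str] = []
    for pkt in offers:
        server = offer_server(pkt)
        if server is not None and server not in authorized:
            rogue.append(server)
    return rogue


def build_offer(server_ip: str) -> bytes:
    """Build a minimal DHCPOFFER option field (constructed test data)."""
    sid = ipaddress.IPv4Address(server_ip).packed
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + sid
            + bytes([OPT_END]))


# Constructed sample: two offers observed on one subnet, one from the real server.
AUTHORIZED_SERVERS = {"10.0.0.2"}
SAMPLE_OFFERS = [build_offer("10.0.0.2"), build_offer("10.0.0.250")]

if __name__ == "__main__":
    print("rogue offers from:", find_rogue_offers(SAMPLE_OFFERS, AUTHORIZED_SERVERS))
```

The parser deliberately fails closed on a truncated option: a detector that guesses its way past a malformed packet is easy to blind, so an unparseable offer should be logged as suspicious rather than ignored.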
Windows Internet Name Service (WINS)
WINS is the name resolution system used by Windows NT Server 4.0 and earlier operating systems. WINS provides a distributed database for registering and querying a computer name (which is the same as the NetBIOS name) to IP address mapping in a routed network environment. If you are administering a routed network, WINS is your best choice for NetBIOS name resolution. WINS reduces the use of local broadcasts for name resolution and allows users to easily locate systems on remote networks.
In a dynamic DHCP environment, the IP addresses of hosts can change frequently; WINS provides a way to dynamically register changes to the computer-name-to-IP-address mappings.
NOTE: Don’t forget that NetBIOS is not routable; WINS is used primarily with the TCP/IP protocol.
Name Resolution
Whether you use DNS or WINS, name resolution is an essential part of network administration.
Windows 2000 primarily uses DNS, but it also still supports WINS.
Remote Access Overview
With the Windows 2000 Routing and Remote Access feature, remote clients are transparently
connected to the remote server, known as point-to-point remote access connectivity. Clients
can also be transparently connected to the network to which the routing and remote access server
is attached. This is known as point-to-LAN remote access connectivity. This transparent
connection allows clients to dial in from remote locations and access resources as if they were
physically attached to the network. There are two types of connectivity:
Dial-up remote access. A remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.
Virtual private network remote access. With VPN, a VPN client uses an IP internetwork to create a
virtual point-to-point connection with a remote access server acting as the VPN server.
Elements of a Dial-Up Remote Access Connection
The Windows 2000 Routing and Remote Access Service accepts dial-up connections and forwards
packets between remote access clients and the network to which the remote access server is attached.
A remote connection consists of a remote access client, a WAN infrastructure, and a remote access
server. See page 5.
Remote Access Protocols
Remote access protocols control the connection establishment and transmission of data over WAN
links. The operating system and LAN protocols used on remote access clients and servers dictate
which remote access protocol your clients can use.
There are three types supported by Windows 2000 Routing and Remote Access:
PPP (Point-to-Point Protocol) is an industry-standard set of protocols providing the best security, multiprotocol support, and interoperability.
SLIP (Serial Line Internet Protocol) is used by legacy remote access servers.
Microsoft remote access service protocol, also known as Asynchronous NetBEUI (AsyBEUI), is a remote access protocol used by legacy remote access clients running Microsoft operating systems, such as Windows NT 3.1, Windows for Workgroups, MS-DOS and LAN Manager.
LAN protocols are the protocols used by the remote access client to access resources on the network connected to the remote access server. Windows 2000 remote access supports TCP/IP, IPX, AppleTalk, and NetBEUI.
You must configure and enable Routing and Remote Access; you can use the Routing and Remote Access Wizard to perform this function.
Network Address Translator
There are two types of IP addresses: public and private. Public addresses are assigned to you by your Internet service provider (ISP) for connecting to the Internet. To solve the addressing problem for the Internet, its designers reserved a portion of the IP address space and named it the private address space. An IP address in the private address space is never assigned as a public address.
Because addresses in the private address space are never assigned as public addresses, they do not exist on the Internet and are not reachable from it. Therefore, when using private IP addresses, you need some type of proxy or server to convert the private IP address range(s) on your local network to a public IP address that can be routed. Another option is to have private addresses translated into valid public addresses by a network address translator (NAT) before the traffic is sent on the Internet. Support for network address translation, which translates between private and public addresses to allow small office or home office networks to connect to the Internet, is covered on page 7.
A NAT hides internally managed IP addresses from external networks by translating the private internal addresses to a public external address. This reduces IP address registration costs by letting customers use unregistered IP addresses internally, with translation to a small number of registered IP addresses externally. It also hides the internal network structure, reducing the risk of denial of service attacks against internal systems.
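To make concrete how a NAT lets many private hosts share one public address, and why unsolicited traffic from the Internet cannot reach them, here is an added Python example (not code from the lesson or from Windows 2000). It classifies addresses against the RFC 1918 private ranges and simulates a port-based translation table. All addresses are constructed: RFC 1918 space on the inside, and the RFC 5737 documentation ranges 198.51.100.0/24 and 203.0.113.0/24 standing in for public addresses; the class and function names are my own.

```python
"""Simulate network address translation between a private LAN and the Internet.
Added example with constructed addresses (RFC 1918 inside, RFC 5737 outside)."""
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(address: str) -> bool:
    """True if the address falls in the RFC 1918 private address space."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


class NetworkAddressTranslator:
    """Port-based NAT: many private endpoints share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        if is_private(public_ip):
            raise ValueError("the external address must be a public address")
        self.public_ip = public_ip
        self._next_port = first_port
        self._out: Dict[Endpoint, int] = {}   # private endpoint -> public port
        self._in: Dict[int, Endpoint] = {}    # public port -> private endpoint

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite a packet leaving the LAN, allocating a mapping on first use."""
        if not is_private(src[0]):
            raise ValueError("outbound source is not a private address")
        port = self._out.get(src)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[src] = port
            self._in[port] = src
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite a packet arriving from the Internet, or None if it is dropped.

        Only traffic that matches an existing mapping is forwarded, which is
        why the internal hosts and their addresses are invisible from outside."""
        if dst[0] != self.public_ip:
            return None
        internal = self._in.get(dst[1])
        if internal is None:
            return None
        return src, internal

    def mapping_count(self) -> int:
        return len(self._out)


def demo() -> dict:
    """Two LAN hosts reach a web server; an unsolicited inbound packet is dropped."""
    nat = NetworkAddressTranslator("198.51.100.1")
    web = ("203.0.113.10", 80)
    a_out = nat.outbound(("192.168.1.10", 51000), web)
    b_out = nat.outbound(("192.168.1.11", 51000), web)   # same private port, distinct mapping
    reply_to_a = nat.inbound(web, a_out[0])              # reply follows the mapping back
    unsolicited = nat.inbound(("203.0.113.99", 4444), ("198.51.100.1", 22))
    return {"a_out": a_out, "b_out": b_out, "reply_to_a": reply_to_a,
            "unsolicited": unsolicited, "mappings": nat.mapping_count()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The translation table is the whole security property: a reply is forwarded only because an inside host created the mapping first, so nothing on the Internet can address 192.168.1.10 directly. The example omits mapping expiry, which a real NAT needs so that idle entries do not accumulate.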
Certificate Services
Microsoft Certificate Services is a security service included with Windows 2000. You can deploy Microsoft Certificate Services to create and manage Certificate Authorities (CAs) that issue digital certificates. Digital certificates are electronic credentials that certify the online identities of individuals, organizations, and computers. When an identification card is presented to others, they can verify the identity of its owner because the card provides the following security benefits:
· It contains personal information to help identify and trace the owner.
· It contains the signature of the rightful owner to enable positive identification.
· It contains the information required to identify and contact the issuing authority.
· It is designed to be tamper resistant and difficult to counterfeit.
· It is issued by an authority that can revoke the identification card at any time.
· It can be checked for revocation by contacting the issuing authority.
Digital certificates can be used in the same way to provide a variety of security functions. Some
common security functions of digital certificates include the following:
· Secure e-mail
· Secure communications between Web clients and servers.
· Code signing for executable code for distribution on public networks
· Local network and remote access logon authentication
· IPSec authentication.
Lesson Summary:
· DNS enables you to use hierarchical, friendly names to easily locate computers and other resources on an IP network.
· DHCP simplifies administering and managing IP addresses on a TCP/IP network by automating address configuration for network clients.
· WINS provides a distributed database for registering and querying a computer name (which is the same as the NetBIOS name) to IP address mapping in a routed network environment.
· A remote connection consists of a remote access client, a WAN infrastructure, and a remote access server.
Lesson 2: Developing a Network Implementation Plan
Operating System considerations
Implement and design a system around the needs of the users. You must survey the users and see
what their current needs are and also research where they will be 5 years from now.
Windows 2000 Professional
Windows 2000 Pro is a desktop operating system that provides the advanced features of Windows NT, including security and fault tolerance, with the easy-to-use features of Windows 95, including Plug and Play and device support. Windows 2000 Professional can be upgraded from Windows NT Workstation 3.51 and later, Windows 95, or Windows 98. The minimum requirements are:
· 133 MHz or higher Pentium CPU. 2000 Pro supports single and dual CPU systems.
· 64 MB of RAM.
· 2 GB hard disk, with a minimum of 650 MB of free space to install Windows 2000 Professional.
Windows 2000 Server
Windows 2000 Server builds on the powerful features of the Windows NT Server 4.0 operating
system. It includes these features:
· Internet Information Services 5.0 (IIS)
· Active Server Pages (ASP) programming environment
· XML parser
· Windows 2000 DNS
· Component Object Model + (COM+)
· Multimedia platform
· Directory-enabled applications
· Web folders
· Internet Printing
Windows 2000 minimum hardware requirements are:
· 133 MHz or higher Pentium-compatible CPU. Supports up to 4 Microprocessors.
· 128 MB RAM; 256 MB is recommended. More memory generally improves responsiveness, and Windows 2000 Server supports a maximum of 4 GB of RAM.
· 2GB hard disk. You must have a minimum of 1 GB free disk space to install
Windows 2000 Server.
Windows 2000 Advanced Server
Windows 2000 Advanced Server is a new version of Windows NT Server 4.0, Enterprise Edition. Windows 2000 Advanced Server is ideal for line-of-business and e-commerce applications, where scalability and high availability demands are most critical. It includes the following:
· All Windows 2000 Server features
· Network (TCP/IP) Load Balancing
· Up to 8GB main memory on Intel Page Address Extension (PAE) systems
· Support up to 8 microprocessors
Windows 2000 Datacenter Server
Datacenter Server supports 32 processors and more RAM than the other Windows 2000 Server operating systems. Physical memory support includes:
· 64 GB of RAM on Intel-based computers
Use this operating system if you must support intensive online transaction processing (OLTP), large
data warehouses, and large Internet and application service providers (ISPs and ASPs).
Phases of Deployment
When planning your Windows 2000 network deployment, you should follow a process, or life cycle.
The phases of this project cycle should include the following:
Analysis. During the analysis phase, determine IT goals and objectives. This will help you to design a
network to support bandwidth, meet security needs, measure cost versus benefits, and provide
deliverables appropriate to your organization.
Design. During the design phase, evaluate the Windows 2000 Infrastructure design. This includes
features such as DNS, WINS, DHCP, and network protocols. Your design will be based on your
analysis, interoperability issues, and desired features.
Testing. During the testing phase, conduct a pilot project to test the Windows 2000 network you
designed in a production environment with a low number of users.
Production. The production phase is the final phase of Windows 2000 deployment. The network has been tested using the pilot program based on your designs, and you are ready to deploy Windows 2000 throughout your enterprise. During this phase, create a disaster recovery plan and provide training material for users and help desk personnel.
Hardware Considerations
Before deploying Windows 2000, you should record hardware and software inventories of all servers
and client computers in use on your network, and include basic input/output system (BIOS) settings.
You should also record the peripherals, drivers, service packs and version numbers, and software
installed.
Make sure that network devices, such as hubs and cabling, are fast enough for your needs. If your organization transfers voice and video over your network, the cabling and switches must be capable of handling the bandwidth demand of those services. For example, users running Excel remotely do not use much bandwidth, so Category 3 10-Mbps cable matched with hubs of the same speed might be acceptable in some situations, whereas Category 5 100-Mbps devices and cabling might be required for applications that generate considerably more network traffic. Try to record available bandwidth during periods of low, normal, and high network utilization.
Interaction with Legacy Systems
Many networks are heterogeneous, which means that there is a mix of operating systems and network protocols; for example, you may be running both UNIX and Windows 2000.
Windows 2000 Server offers gateway services to other operating systems, allowing you to access their network resources. Gateway Service for NetWare supports Novell Directory Services (NDS) hierarchies, can use Novell version 4.2 or later logon scripts, and can authenticate with a Novell server.
Network Protocol Considerations
Some networks use a variety of protocols based on their needs. For example, a small Ethernet network could use NetBEUI as its LAN protocol while using TCP/IP for Internet connectivity. NetWare and Windows NT can use TCP/IP and IPX/SPX at the same time.
If you upgrade clients that use IPX/SPX to Windows 2000 Professional, it is possible to eliminate the use of IPX/SPX on your network.
Windows 2000 contains a TCP/IP protocol suite with more functionality than previous versions of Windows. You must use TCP/IP to use Active Directory and the advanced features of Windows 2000; therefore, you should consider simplifying your network by using only TCP/IP.
You can get the protocol information in Windows NT by right-clicking the My Network Places icon and choosing Properties.
Lesson Summary:
You should be aware of the different operating systems within Windows 2000.
Be aware of the different phases of a project: analysis, design, testing and production.
Lesson 3:
Common Protocols Supported by Windows 2000
When planning your network, consider the connectivity requirements of your users. Network
protocols are similar to languages in the sense that languages have different words, word
patterns and punctuation. Consider the following questions:
· …protocol.
· …be routable they must use TCP/IP or NWLink.
· …must use the TCP/IP protocol.
Also, if you need certain components installed, such as Active Directory or IIS, you will need TCP/IP.
Transmission Control Protocol/Internet Protocol (TCP/IP)
TCP/IP is an industry-standard suite of protocols designed for large networks. TCP/IP is routable, which means that data packets can be switched (routed to a different subnet) by use of the packet’s destination address. If a network failure occurs, TCP/IP packets are transported on a different route. Although the original purpose of TCP/IP was to provide connections between disparate networks, TCP/IP now also provides high-speed communication links between networks.
Benefits of Implementing TCP/IP
TCP/IP in Windows 2000 includes many performance improvements for high bandwidth networks.
Large Window Support. The window size in TCP-based communication is the maximum number of packets that can be sent before the first packet must be acknowledged. The window size is usually fixed. With large window support, the window size is dynamically recalculated and increased if a large number of packets is exchanged during a lengthy session. Default packet size for TCP/IP = 567.
Selective Acknowledgments. The receiver can notify and request specific packets that were
missing or corrupted during delivery from the sender. This allows networks to recover quickly
from a state of temporary congestion or interference, because only corrupted packets are re-sent.
Round Trip Time Estimation. RTT is the amount of time it takes for a round-trip communication
between a sender and receiver on a TCP-based connection. RTT estimation is a technique of
estimating packet transit times and adjusting for the optimum retransmission time for packets.
Better timing improves performance over long round-trip network links, such as WANs, that
span large distances (for example, continent-to-continent) or use either wireless or satellite links.
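The selective acknowledgment and round-trip time estimation features described above can be worked through in code. The Python below is an added example, not Windows 2000 code: the estimator applies the standard smoothed-RTT and retransmission-timeout rules (RFC 6298, the Jacobson/Karels algorithm), and the SACK functions compute what a receiver would report after losing segments and which byte ranges the sender would then retransmit, so only the missing data is re-sent. The RTT samples, byte ranges and function names are constructed for the demonstration.

```python
"""RTT estimation and selective acknowledgment, worked in code.
Added example; the RTT samples and byte ranges are constructed."""
from typing import List, Optional, Tuple

ByteRange = Tuple[int, int]  # [start, end) range of sequence numbers


class RttEstimator:
    """Smoothed RTT and retransmission timeout (RTO) as in RFC 6298."""
    ALPHA = 1 / 8      # weight of a new sample in the smoothed RTT
    BETA = 1 / 4       # weight of a new sample in the RTT variance
    K = 4              # variance multiplier in the RTO formula
    MIN_RTO = 1.0      # lower bound on the timeout, in seconds

    def __init__(self) -> None:
        self.srtt: Optional[float] = None
        self.rttvar: Optional[float] = None
        self.rto = 1.0  # initial timeout before any measurement

    def sample(self, rtt: float) -> float:
        """Feed one measured RTT (seconds) and return the updated RTO."""
        if self.srtt is None:            # first measurement seeds the estimator
            self.srtt = rtt
            self.rttvar = rtt / 2
        else:                            # variance first, using the old SRTT
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - rtt)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * rtt
        self.rto = max(self.MIN_RTO, self.srtt + self.K * self.rttvar)
        return self.rto


def merge_ranges(ranges: List[ByteRange]) -> List[ByteRange]:
    """Sort and coalesce adjacent or overlapping byte ranges."""
    merged: List[ByteRange] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def receiver_report(received: List[ByteRange], ack: int) -> Tuple[int, List[ByteRange]]:
    """What the receiver sends back: the cumulative ACK plus SACK blocks.

    The ACK advances over data contiguous with what was already acknowledged;
    islands of data beyond a hole are reported as SACK blocks."""
    blocks: List[ByteRange] = []
    for start, end in merge_ranges(received):
        if end <= ack:
            continue                     # already covered by the cumulative ACK
        if start <= ack:
            ack = end                    # contiguous: advance the ACK point
        else:
            blocks.append((start, end))  # beyond a hole: selectively acknowledged
    return ack, blocks


def sender_gaps(ack: int, sack: List[ByteRange], sent_end: int) -> List[ByteRange]:
    """Ranges the sender must retransmit: sent data neither ACKed nor SACKed."""
    gaps: List[ByteRange] = []
    cursor = ack
    for start, end in sack:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < sent_end:
        gaps.append((cursor, sent_end))
    return gaps


if __name__ == "__main__":
    est = RttEstimator()
    for rtt in (0.5, 0.7, 0.6):          # constructed samples on a slow WAN link
        print(f"rtt={rtt:.2f}s -> rto={est.sample(rtt):.3f}s")
    got = [(0, 100), (100, 200), (300, 400), (500, 600)]  # 3rd and 5th segments lost
    ack, blocks = receiver_report(got, 0)
    print("ack", ack, "sack", blocks, "resend", sender_gaps(ack, blocks, 600))
```

Without SACK, the sender only learns the cumulative ACK (200 here) and would retransmit everything from 200 onward; with the SACK blocks it resends just the two 100-byte holes. The RTO grows with the variance of the samples, which is why a jittery satellite or wireless link gets a longer timeout than a stable one with the same average RTT.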
IP Security (IPSec) Support. IPSec provides the ideal platform for safeguarding intranet and
Internet communications. IPSec can secure paths between two computers, two security gateways,
or a host and a security gateway. IPSec policy can be configured locally on a computer, or can be
assigned through Windows 2000 Group Policy mechanisms using Active Directory. The IPSec
policy specifies the trust relationship among computers. The easiest trust relationship to use is the
Windows 2000 domain trust based on the Kerberos version 5 protocol. Predefined IPSec policies
are configured to trust computers in the same or other trusted Windows 2000 domains. At the IP
(network) layer, each incoming or outgoing packet is referred to as a datagram. Each IP datagram
bears the source IP address of the sender and the destination IP address of the intended recipient.
The IP layer can perform one of the following actions with a datagram:
Because IPSec typically encrypts the entire IP packet, capturing an IPSec datagram sent after
the security association (SA) is established reveals very little of what is actually in the datagram.
NOTE: IPSec usually works at the application layer on most systems.
Generic Quality of Service (GQoS) is a method by which a TCP/IP network can offer Quality of Service guarantees for multimedia applications. Generic Quality of Service allocates different bandwidths to each connection on an as-needed basis. The suite of QoS components included in Windows 2000 works with the different QoS mechanisms that can exist in network elements such as routers and switches. The following QoS components are currently included with the Windows 2000 operating system:
· The Generic Quality of Service (GQoS) application programming interface (API). The GQoS API is a subset of the WinSock 2 API that allows applications to invoke QoS services from the operating system without needing to understand the underlying mechanisms. (Do not install on a server; it causes problems.)
· The QoS service provider. This responds to requests from the GQoS API.
· The Admission Control Service (ACS) and the Subnet Bandwidth Manager (SBM) protocol.
· A traffic control infrastructure. This infrastructure includes a packet scheduler and marker that provide traffic control for drivers and network cards that have no packet scheduling features of their own.
NWLink
NWLink is Microsoft’s IPX/SPX-compatible protocol for Windows 2000. NWLink is useful if there are Novell NetWare client/server programs running that use WinSock or NetBIOS over the IPX/SPX protocols. NWLink can be run on a computer running Windows 2000 Server or Windows 2000 Professional to access a NetWare server.
NWLink alone does not allow a computer running Windows 2000 to access files or printers shared on
a NetWare server, or to act as a file or print server to a NetWare client. NWLink is included with
both Windows 2000 Server and Professional, and installs automatically during Client Service for
NetWare or Gateway Service for NetWare installation.
Gateway Service for NetWare
Gateway Service for NetWare works with NWLink to provide access to NetWare file, print and directory services by acting as a gateway through which multiple clients can access NetWare resources.
Gateway Service for NetWare supports direct access to NetWare services from the computer running
Windows 2000 Server in the same way that Client Service for NetWare supports direct access from
the client computer.
NOTE: Gateway Service for NetWare is included only with Windows 2000 Server and Windows
2000 Advanced Server.
Client Service for NetWare
Similar to Gateway Service for NetWare, Client Service for NetWare works with NWLink to provide
access to NetWare file, print, and directory services. Only included with Windows 2000 Professional.
NetBEUI
NetBIOS Enhanced User Interface (NetBEUI) was originally developed as a protocol for small
departmental LANs of 20 to 200 computers. NetBEUI is not routable because it does not have a
network layer.
AppleTalk
AppleTalk is a protocol Suite developed by Apple Computer, Inc. for communication between
Apple Macintosh computers. Support is natively provided as a service for file sharing and printer
sharing.
Data Link Control (DLC)
DLC was originally developed for IBM mainframe communications. The other use of DLC is to print to Hewlett-Packard printers connected directly to the network. Only the print server communicating directly with the printer needs the DLC protocol installed.
Infrared Data Association
Infrared Data Association (IrDA) has defined a group of short-range, high-speed bi-directional
wireless infrared protocols, generically referred to as IrDA. IrDA allows a variety of devices to
communicate with each other.
Lesson Summary:
TCP/IP is an industry-standard suite of protocols designed for large networks.
TCP/IP is routable which means that data packets can be switched by use of the packet’s destination address.
TCP/IP’s ability to be routed provides fault tolerance. Other protocols supported by Windows 2000 include:
· NWLink
· NetBEUI
· AppleTalk
· DLC DataLink Control
· Infrared Data Association