Managing IP Addressing in Nortel NetID

Transcription

1 Version 4.5 Part No. June Carling Avenue Ottawa, ON CANADA Managing IP Addressing in Nortel NetID Version 4.5 June Carling Avenue Ottawa, ON CANADA

2 2 Copyright June 2005 Nortel Networks All rights reserved. June The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc. The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. The software license agreement is included in this document. Trademarks Nortel, the Nortel logo, the Globemark, Unified Networks, Bay Networks, and Optivity are trademarks of Nortel Networks. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Solaris is a registered trademark of Sun Microsystems, Inc. Sybase is a trademark of Sybase, Inc. Restricted Rights Legend Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR Statement of Conditions In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties). Nortel Networks Inc. network management software license agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying network management software or installing the hardware unit with pre-enabled network management software (each of

3 3 which is referred to as Software in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. 1. License grant. Nortel Networks Inc. ( Nortel Networks ) grants the end user of the Software ( Licensee ) a personal, nonexclusive license: a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel Networks Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software. 2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Nortel Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks and its licensors confidential and proprietary intellectual property. Licensee shall not disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee s facility, provided they have agreed to use the Software only in accordance with the terms of this license. 3. Limited warranty. Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date the Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is returned to Nortel Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee s intended results and for the installation, use, and results obtained from the Software. Nortel Networks does not warrant a) that the functions contained in the software will meet the Licensee s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Software will be corrected. Nortel Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel Networks or in accordance with its instructions; (ii) used in conjunction with another vendor s product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs. Managing IP Addressing in Nortel NetID

4 4 4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE. 5. Government licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software Restricted Rights clause of FAR and the limitations set out in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS , for agencies of the Department of Defense or their successors, whichever is applicable. 6. Use of software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended examination of the Software and may procure support and assistance from Nortel Networks. 7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Nortel Networks copyright in the Software and user manuals will cease being effective at the date of expiration of the Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license. 8. Export and re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons. 9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California. Should you have any questions concerning this Agreement, contact Nortel Networks Inc., 2375 N. Glenville Dr., Richardson, TX LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL

5 5 NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT. Managing IP Addressing in Nortel NetID

6 6

7 7 Contents Preface Before you begin Text conventions Acronyms Related publications How to get help Introduction to the Management Console Setting up NetID using the Management Console Using online Help Running the Management Console Signed Java applets Logging in Changing your password Management Console interface Root objects Status bar Display Completing tasks with the Management Console Canceling a task Special keys Copying and pasting text Bookmarks Global bookmarks Creating a bookmark Creating a bookmark folder Renaming a bookmark folder Deleting a bookmark or bookmark folder Setting preferences Managing IP Addressing in Nortel NetID

8 8 Contents Setting logging preferences Setting confirmation preferences Setting the number of buckets Allowing dynamic updates Errors and warnings Viewing errors and warnings Viewing external update messages Viewing the trace log Refreshing the display Replacing the initial HTML page Session timeout Opening multiple Management Console windows Logging out of NetID Exiting from NetID Managing access privileges Managing users Evaluating users access requirements Creating a user Changing user properties Adding a user to a group Granting a user access to NetID utilities Deleting a user Setting password requirements Managing groups Creating a group Changing group properties Changing the membership of a group Granting a group access to NetID utilities Deleting a group Controlling access privileges on a per-object basis Access permission levels Granting a user or a group access to an object Granting a user or a group access to another user or group Changing a user or a group s access to an object Removing a user or a group s access to an object

9 Contents 9 Viewing which users have access to an object Enabling Secure Socket Layer functionality Creating SSL certificates Creating a certificate for Windows Creating a certificate for HPUX or Solaris Removing previous certificates Starting the Application server in SSL mode Secure management console connection The Command Line Interface Configuring Name Servers Suggested changes to DNS architecture Setting global name server alarm logging Defining a Name Server Changing a Name Server Adding a zone to a Name Server Associating a Name Server with its inverse zone Setting Name Server statements BIND statement validation is disabled by default Setting BIND statements Setting global BIND statements Applying a global BIND statement to a server-zone Setting forwarding information Assigning forwarders Assigning forward zones Supporting Windows DDNS updates Configuring a Name Server to allow DDNS updates Deleting a Name Server Managing root Name Servers Adding a root Name Server Deleting a root Name Server Managing domain names Creating a domain name Creating wildcards for reverse zones Managing IP Addressing in Nortel NetID

10 10 Contents Changing a domain name Entering domain name custom field information Adding a new resource record to a domain name Changing a resource record Creating an alias Moving a domain name Deleting a domain name Managing networks and subnets Subnetworking Network classes and CIDR Subnet mask Managing networks Adding a network Changing a network Deleting a network Managing subnets Adding a subnet Changing a subnet Enabling multinetting Entering subnet custom field information Applying subnet model information Partitioning a subnet Joining a subnet Deleting a subnet Managing host addresses Adding a host address Changing a host address Entering host custom field information Creating an alias Setting address protocol information Deleting a host address Moving hosts to another subnet Defining address ranges Creating a range of static addresses

11 Contents 11 Setting automatic naming for a static address range Creating a range of reserved addresses Creating a range of dynamic addresses Changing an address range Setting up naming for a dynamic range Setting up automatic naming for a dynamic range Accepting a label suggested by a DHCP client Accepting the FQDN suggested by a DHCP client Restricting the hosts that receive dynamic addresses Resizing address ranges Deleting an address range Managing client pools Creating a client pool Placing a host in a client pool Placing active DHCP clients in a client pool Recording the clients that use a client pool Removing a client from a client pool Renaming a client pool Deleting a client pool Configuring DHCP Servers Managing DHCP Servers Setting global DHCP Server alarm logging Defining a DHCP Server Defining a backup DHCP Server Changing a DHCP Server Deleting a DHCP Server Setting DHCP/BootP options Setting standard DHCP/BootP option type definitions Deleting standard DHCP/BootP option type definitions Adding vendor classes Adding vendor class DHCP option type definitions Deleting vendor class DHCP option type definitions Adding user classes Applying DHCP options DHCP/BootP option precedence Managing IP Addressing in Nortel NetID

12 12 Contents Applying global DHCP options Applying DHCP options for a network, subnet, range, or host Managing DNS zones Creating a zone Changing a zone Configuring DNS security on a zone Adding a DNSSEC key pair to a zone Removing a DNSSEC key pair Setting BIND statements on a zone To enable BIND statement validation To set BIND statements on a Name Server zone Creating a subzone Deleting a subzone Deleting a zone Adding a Name Server to a zone Changing a Name Server associated with a zone Setting zone transfer information Deleting a Name Server from a zone Managing custom fields Custom field definitions Defining a custom field Changing a custom field definition Deleting a custom field definition Managing templates Managing host templates Creating a host template Changing a host template Applying automatic naming to a host template Adding custom field information to a host template Deleting a host template Managing DHCP options templates Creating a DHCP options template Changing a DHCP option template

13 Contents 13 Deleting a DHCP option template Managing subnet model templates Creating a subnet model template Changing a subnet model template Deleting a subnet model template Using the CLI Starting the CLI Starting the CLI client utility Starting the CLI client utility remotely Viewing the CLI client version number CLI commands Using the CLI tool Help Add commands Delete commands Update commands Displaying NetID object information Miscellaneous commands Commands files CLI symbols Processing commands files Concealing your user ID and password Exiting from the CLI utility Sample commands file Importing files Using the Management Console or the command-line Troubleshooting import error messages Refreshing the cache Importing a DNS database file Importing a BIND DNS database file using the Management Console Importing a BIND 8.x DNS database file using the Management Console Importing a DNS database file using command-line parameters Importing BootP files Importing a BootP file using the Management Console Importing a BootP file using command-line parameters Managing IP Addressing in Nortel NetID

14 14 Contents Importing a UNIX host file Importing a UNIX host file using the Management Console Importing a UNIX host file using command-line parameters Importing custom files Identifying a key field Assigning network number as the key field Assigning subnet address as the key field Assigning host address as the key field Assigning domain name as the key field Assigning MAC address as the key field Assigning client ID as the key field Importing a custom file using the Management Console Importing a custom file using command-line parameters Reporting network and database transactions Using the Management Console or the command-line Network address utilization report Generating a network address utilization report using the Management Console 262 Generating a network address utilization report using command-line parameters 264 DHCP Server summary report Generating a DHCP Server summary report using the Management Console Generating a DHCP Server summary report using command-line parameters DHCP client history report Generating a DHCP client history report using the Management Console Generating a DHCP client history report using command-line parameters Access privileges report Generating an access privileges report using the Management Console Generating an access privileges report using command-line parameters Generating a group membership report using command-line parameters Audit report Generating an audit report using the Management Console Generating an audit report using command-line parameters Exporting files Using the Management Console or the command-line DNS database export

15 Contents 15 Exporting a DNS database using the Management Console Exporting a DNS database using command-line parameters BootP database export Exporting a BootP database using the Management Console Exporting a BootP database using command-line parameters UNIX host file export Exporting a UNIX host file using the Management Console Exporting a UNIX host file using command-line parameters Custom IP file export Exporting a custom IP file using the Management Console Exporting a custom IP file using command-line parameters Setting configuration options Setting system options Globally unique domain labels Checking for addresses that are unknown to the NetID database Setting options for deleting addresses Setting options for creating addresses Setting options for domain names Setting options for zones Customizing the autonaming index numbering Saving history information on NetID objects Setting user class delimiter characters Managing resource record types Defining a resource record type Deleting a resource record type Auditing IP addresses Using the Management Console or the command-line Running a ping audit from the Management Console Viewing and implementing ping audit results from the Management Console Running a ping audit using command-line parameters Viewing and implementing ping audit results using command-line parameters. 319 Managing alarms and object histories Viewing alarms Managing IP Addressing in Nortel NetID

16 16 Contents Viewing the history of existing objects Viewing the history of existing or deleted objects Managing log entries Viewing the total number of server alarm, DHCP history, or history log entries. 329 Trimming server alarm, DHCP history, or history logs Trimming server alarm, DHCP history, and history logs according to a schedule 331 Backing up the database Searching the database Running a search Working with an object from a search Domain Name System Dynamic Host Configuration Protocol Why DHCP? NetID DHCP Server Lease time DHCP redundancy NetID DHCP redundancy How NetID DHCP redundancy works Backup servers Client pools DHCP options MAC types Glossary Index

17 17 Figures Figure 1 Management Console interface Figure 2 IP Addresses root object Figure 3 Management Console with expanded subnet objecttree Figure 4 Partial domain name tree Figure 5 Resolvers and Name Servers Figure 6 Zones Managing IP Addressing in Nortel NetID

18 18 Figures

19 19 Tables Table 1 Access permission levels for objects Table 2 Forwarders BIND statements Table 3 Buttons in Paste Hosts dialog box Table 4 Dynamic range autonaming Table 5 Client pool client placement procedures Table 6 Name server reference modifications Table 7 Start CLI client parameters Table 8 Start CLI client parameters (remote system) Table 9 CLI tool Add commands Table 10 CLI tool Delete commands Table 11 CLI tool Update commands Table 12 CLI tool Show commands Table 13 CLI tool miscellaneous commands Table 14 CLI symbols Table 15 Set parameters Table 16 DNS database file import utility actions Table 17 DNS import command parameters Table 18 BootP File import utility actions Table 19 BootP file import command-line parameters Table 20 UNIX host file import utility actions Table 21 UNIX host file command-line parameters Table 22 Network number key field utility actions Table 23 Subnet address key field import utility actions Table 24 Host address key field import utility actions Table 25 Domain name key field import utility actions Table 26 Client ID key field import utility actions Table 27 Custom file import utility command-line parameters Table 28 Network address utilization report command-line parameters Table 29 DHCP report command-line parameters Managing IP Addressing in Nortel NetID

20 20 Tables Table 30 DHCP client history report command parameters Table 31 Access privileges report types Table 32 Access privileges report command-line parameters Table 33 Access privileges flags and parameters Table 34 Grouplist report command-line parameters Table 35 Steps for generating audit reports Table 36 Audit report command-line parameters Table 37 Audit report flag parameters Table 38 DNS database export command-line parameters Table 39 BootP export command-line parameters Table 40 UNIX host file command-line parameters Table 41 IP address export fields Table 42 Custom export command-line parameters Table 43 Ping audit command parameters Table 44 synchronization command parameters Table 45 Message types Table 46 BootP/DHCP options Table 47 CMU-Only BootP/DHCP Options Table 48 MAC types

21 21 Preface This guide describes how to use and manage the Nortel NetID product family from the NetID Management Console. This guide provides overview and procedural information for both NetID administrators and users. Administrators can perform all of the procedures described in the guide. However, NetID users typically require specific access privileges to perform the tasks described in the guide. If a procedure requires that NetID users be granted specific access privileges, the required access privileges are clearly indicated at the beginning of the procedure. Before you begin Before using this guide, you should do the following: Read the release notes and known anomalies documentation. Install and license the NetID product family (refer to Installing Nortel NetID). Managing IP Addressing in Nortel NetID

22 22 Preface Text conventions This guide uses the following text conventions: angle brackets (< >) bold text braces ({}) brackets ([ ]) Indicates that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is: ping <ip_address>, you enter: ping Indicates command names and options and text that you need to enter. Example: Enter show ip {alerts routes}. Example: Use the dinfo command. Indicates required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is: show ip {alerts routes}, you must enter either: show ip alerts or show ip routes, but not both. Indicates optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is: show ip interfaces [-alerts], you can enter either: show ip interfaces or show ip interfaces -alerts.

23 Preface 23 italic text screen text separator ( > ) vertical line ( ) Indicates file and directory names, new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is: show at <valid_route> valid_route is one variable and you substitute one value for it. Indicates system output, for example, prompts and system messages. Example: Set Trap Monitor Filters Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu. Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is: show ip {alerts routes}, you enter either: show ip alerts or show ip routes, but not both. The Lookup button appears next to certain text fields in the NetID GUI. It opens a dialog box containing a list of predefined values, from which you can choose a value to insert into the field. The Left Arrow button appears in several dialog boxes in the NetID GUI. It moves objects between lists, usually to create associations between objects. The Right Arrow button appears in several dialog boxes in the NetID GUI. It moves objects between lists, usually to break associations between objects. Managing IP Addressing in Nortel NetID

24 24 Preface Acronyms This guide uses the following acronyms: A ARP BootP CIDR CMU CNAME DHCP DDNS DNS FTP GUI HINFO ICMP IP MAC MTU MX NIS NS NTP PTR RP RR SMDS SNMP SOA Address Address Resolution Protocol Bootstrap Protocol Classless Inter-Domain Routing Carnegie Mellon University Canonical Name Dynamic Host Configuration Protocol Dynamic Domain Name Service Domain Name Service File Transfer Protocol Graphical User Interface Host Information Internet Control Message Protocol Internet Protocol Media Access Control Maximum Transmission Unit Mail Exchanger Network Information Services Name Server Network Time Protocol Pointer (resource records) Responsible Person Resource Record Switched Multimegabit Data Service Simple Network Management Protocol Start of (Zone) Authority

25 Preface 25 SRV TCP/IP TFTP URL VLSM WKS Service Location Transmission Control Protocol/Internet Protocol Trivial File Transfer Protocol Uniform Resource Locator Variable Length Subnet Mask Well-Known Services Related publications For more information about using NetID, refer to the following publications: Installing Nortel NetID (part number Rev 00) Provides information about installing and configuring NetID software. Managing Nortel NetID Server Products (part number Rev 00) Provides overview and procedural information for which a user requires NetID administrator privileges. This user guide provides information about managing the NetID server products including starting, stopping, and managing servers. Release Notes for Nortel NetID (part number Rev 00) Contains last-minute information about NetID. You can print selected technical manuals and release notes free, directly from the Internet. Go to the URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Acrobat Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe* at the URL to download a free copy of the Adobe Acrobat Reader*. Managing IP Addressing in Nortel NetID

26 26 Preface How to get help If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel service program, please contact one of the Nortel Technical Solutions Centers. For technical support contact numbers for your region, go to An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, go to the URL.

27 27 Chapter 1 Introduction to the Management Console The Nortel NetID Management Console is a graphical user interface (GUI) that you can use to manage network, subnet, host, Domain Name System (DNS), and zone information. You can also use the Management Console for administrative tasks such as running NetID utilities, monitoring the status of your NetID servers, and controlling user access privileges. The Management console is a Java based application that runs on a Web browser. This chapter covers the following topics: Setting up NetID using the Management Console on page 28 Using online Help on page 29 Running the Management Console on page 29 Management Console interface on page 31 Completing tasks with the Management Console on page 34 Bookmarks on page 36 Errors and warnings on page 42 Refreshing the display on page 43 Replacing the initial HTML page on page 44 Session timeout on page 45 Opening multiple Management Console windows on page 45 Logging out of NetID on page 45 Exiting from NetID on page 46 Managing IP Addressing in Nortel NetID

28 28 Chapter 1 Introduction to the Management Console Setting up NetID using the Management Console After NetID has been installed (for instructions, refer to Installing Nortel NetID), a NetID administrator can use the NetID Management Console to populate the NetID database with network information. A NetID administrator can also delegate certain setup tasks to users by granting them the appropriate access privileges (refer to Chapter 2, Managing access privileges, on page 47). In NetID much of the network information is organized hierarchically. Therefore, when subidentifiers (such as a subnet on a network or a host on a subnet) are created, they often inherit many of the properties of their parent identifier. Although you do not need to perform setup tasks in any particular order, it is recommended that you follow these steps to make setting up Nortel NetID easier: 1 Activate the license for NetID (refer to the chapter on licensing NetID in Installing NetID). 2 Identify the roles and responsibilities of NetID users and then create your users and groups in the NetID Management Console (refer to Chapter 2, Managing access privileges, on page 47). 3 Create custom field and templates (refer to Chapter 10, Managing custom fields, on page 187 and Chapter 11, Managing templates, on page 193). 4 Import addresses, names, resource records, and custom field values from existing information sources (refer to Chapter 13, Importing files, on page 235). 5 Set configuration options (refer to Chapter 16, Setting configuration options, on page 301). 6 Add names at the top levels of your domain name space (refer to Chapter 5, Managing domain names, on page 91). You may also want to grant subdomain access privileges. 7 Add networks and subnets (refer to Chapter 6, Managing networks and subnets, on page 101). You may also want to create subnet models and grant subnet access privileges. 8 Configure DHCP Servers and Name Servers (refer to Chapter 8, Configuring DHCP Servers, on page 153 and Chapter 4, Configuring Name Servers, on page 73). You may also want to define ranges of addresses for DHCP allocation and grant range access privileges.

29 Chapter 1 Introduction to the Management Console 29 9 Add zones to Name Servers (refer to Chapter 9, Managing DNS zones, on page 171). Using online Help The NetID Management Console contains both general online Help and context-sensitive Help. For general Help, choose Contents or Index from the Help menu to view the table of contents and index. The index is fully text-searchable. For context-sensitive Help, click the Help button that appears in most of the dialog boxes. Running the Management Console The NetID Management Console is an entirely Java based program that can be run with a Java based Web browser installed on a Microsoft Windows, Solaris, or HP-UX system. For information on version numbers of compliant Web browsers, refer to Release Notes for Nortel NetID Version 4.5. Signed Java applets Nortel uses signed Java applets. Signed applets are trusted, and allow you to access many system resources. Some of the benefits of signed applets include the following: They can read and write files to the local file system They can use the operating system s clipboard feature They allow you to print To use NetID you must accept signed Java applets. You can accept Java applets the first time you log in to NetID (refer to Logging in on page 30). Managing IP Addressing in Nortel NetID

30 30 Chapter 1 Introduction to the Management Console Logging in You can log in to NetID using the user ID and password you were assigned by a NetID administrator (or by a user with Admin access to the Users And Groups object). For more information about access privileges, refer to Chapter 2, Managing access privileges, on page 47. After you initially log in, you can change your password (refer to Changing your password on page 31). If you are the primary NetID administrator, use the user ID and password you set for yourself after installing NetID (refer to the Setting a permanent administrator section in Installing Nortel NetID). To run the Management Console, follow these steps: 1 Open your Web browser. 2 In the appropriate field, type the URL for the system on which your NetID Application Server is installed. (If the Application Server is not using the default port 80, you must add a colon and a port number to the URL. For example, the Application Server at uses port 8035). The Login dialog box appears. Note: The first time you log in, a security warning appears before the Login dialog box, asking if you want to accept signed Java applets. Enable the Always Trust Content From Nortel Inc check box, and click Yes. If you choose No, you cannot use NetID. 3 In the User ID field, type your user ID. 4 In the Password field, type the password assigned to you by the NetID administrator (passwords are case-sensitive). 5 Click OK. The NetID Management Console interface appears.

31 Changing your password Chapter 1 Introduction to the Management Console 31 A NetID administrator assigns each user an initial password. For security reasons, you should change your password when you first log in to NetID. It is also recommended that you change your password on a regular basis. To change a password, follow these steps: 1 From the File menu, choose Change Password. The Change Password dialog box appears. 2 In the Old Password field, type your old password. 3 In the New Password field, type the new password. 4 In the Confirm Password field, type the new password again. 5 Click OK. If you type the incorrect password in the Old Password field, an error message appears. You cannot change your password unless you enter the correct old password. Click OK, and go back to step 2. Management Console interface When you run NetID, the Management Console interface appears (Figure 1). Managing IP Addressing in Nortel NetID

32 32 Chapter 1 Introduction to the Management Console Figure 1 Management Console interface Tool bar Root objects List area Tree area Status bar If you are a NetID user, the amount of objects and information that appears in the Management Console is determined by the access privileges granted to you by a NetID administrator (or another NetID user with Admin access to the Users And Groups object). For more information about access privileges, refer to Chapter 1, Introduction to the Management Console, on page 27.

33 Chapter 1 Introduction to the Management Console 33 Root objects A root object is the base level of a tree hierarchy. Double-clicking on an object displays a list of items that are organized under that object in the list area. For example, if you double-click the IP Addresses root object, the Management Console displays all of the IP objects (networks, subnets, ranges, and hosts) as children of the IP Addresses root object. Double-clicking on a network object displays the list of subnets on that network, and so on. A root object cannot be deleted. You can also click the plus sign that appears beside the object to view the next level of the hierarchy. If you no longer want to view the objects in the hierarchy, click the minus sign that appears beside the object. IP addressing information is organized hierarchically in the Management Console under the following root objects (depending on the access privileges you have been granted by a NetID administrator or a NetID user with Admin access, you may not be able to view all of these root objects): Global Bookmarks -- Administrator-defined shortcuts to frequently accessed NetID objects. All users can access globally-bookmarked objects, regardless of the access privileges normally required to view those objects, or of the users access privileges. This root object will appear for all users regardless of their access privileges. Bookmarks -- User-defined shortcuts to frequently accessed NetID objects. This root object will appear for all users regardless of their access privileges. IP Addresses -- IP address space information at the network, subnet, range, and hosts levels. Domain Names -- Domain, subdomain, and resource record information. Zones -- Zone, subzone, and Name Server assignment information. Name Servers -- Name server (DNS server) and zone assignment information. DHCP Client Pools -- Groups of client ID or MAC addresses that are associated with ranges of addresses. DHCP Servers -- DHCP Server information. Setup -- Setup information such as licensing; users and groups; custom fields; resource record, standard DHCP and vendor DHCP templates; DHCP user classes; filters; BIND directive definitions; templates; and system options. Managing IP Addressing in Nortel NetID

34 34 Chapter 1 Introduction to the Management Console Status bar Display A status bar at the bottom left of the Management Console displays messages that describe the item in the Management Console that you have currently selected. You can change the width of the columns that appear in the list area by clicking on the line that separates the column headers and dragging it to the position you want. You can also change the sort order of the column. Information that appears in a column is sorted either in numerical or reverse-numerical order, or in alphabetical or reverse-alphabetical order. To change the order, click in a column header, and the information will appear in the opposite order from which it was originally displayed. For example, if you click the Network Number column header, the items in the list are sorted in numerical or reverse numerical order. If you click in the Network Name column header, the items in the list are sorted in alphabetical or reverse-alphabetical order. You may also want to update the objects that are displayed in the Management Console. To do this, click the object that you want to update and choose View > Refresh. All of the information on the selected object is updated. You may need to expand the object to view items lower in the hierarchy. Completing tasks with the Management Console You can complete a task with the Management Console in any of the following ways: Select an item in the tree or list area, and click the right mouse button to display a menu from which you can choose a command. The procedures in this guide describe how to complete a task by using the right mouse button where applicable.

35 Chapter 1 Introduction to the Management Console 35 Select an item in the tree or list area, and choose a command from one of the menus that appear at the top of the Management Console. You can also choose one of the menus that appear at the top of the Management Console to see the available menu commands for that particular object. Select an item in the tree or list area, and click one of the toolbar buttons. The toolbar buttons change depending on the type of object you have selected. Canceling a task All of the procedures in this guide explain how to complete a particular task. If, at any time, you decide that you do not want to complete a task that you have started, click the Cancel button. Special keys There are a number of keys on your keyboard that allow you to perform particular functions in NetID. Some of these keys include the following: [Tab] to move between fields in a dialog box. [Shift] and click the mouse to choose a block of information from a list. [Ctrl] and click the mouse to choose a number of individual pieces of information from a list. [Enter] instead of the OK button. Copying and pasting text With the NetID signed applet feature, you can use your system s clipboard to copy text between fields in dialog boxes. For example, you can copy an IP address and paste it into the IP Address field in the New DHCP Server dialog box. Managing IP Addressing in Nortel NetID

36 36 Chapter 1 Introduction to the Management Console The copy and paste feature in NetID does not allow you to copy objects and move them to different locations. Rather, the key field information from that object is copied to the copy buffer. For example, if you click a zone object and choose Edit > Copy, only the zone name is copied to the buffer. Therefore, when you click a field in a dialog box and choose Edit > Paste, the copied text is pasted into the field. A dialog box will only allow information that is valid for each field to appear in its field. To copy text, follow these steps: 1 Highlight the text that you want to copy. 2 Press [Ctrl] + C. If you are using Netscape Navigator as your Web browser, the first time you use the copy command, a Java Security message appears to confirm the granting of additional privileges. Enable the Remember This Decision check box, and click Grant. 3 Click in the field in which you want to copy the information, and press [Ctrl] + V. Bookmarks The Bookmarks feature in NetID allows you to create a shortcut to frequently accessed IP objects. Instead of navigating down through the object hierarchy in the tree area, you can create a bookmark for an object. Since the bookmark object represents that actual object, modifying the bookmark object will also modify the actual object. The only exception is that if you delete the bookmark object, only the bookmark object will be deleted. Bookmarks are stored in the Bookmarks root object in the tree area of the Management Console. You can store your bookmarks in the root folder or you can organize your bookmarks into a series of subfolders. You can assign bookmarks to all object types, except for those under the Setup root object.

37 Chapter 1 Introduction to the Management Console 37 All users, regardless of the access privileges they have been granted, can view the Bookmarks root object. However, since bookmarks are user-defined, a user cannot set bookmarks for objects to which he or she does not have access, and a user cannot see another user s bookmarks. In addition, if a user s access privileges are changed, pre-existing bookmarks to objects that the user no longer has access to will no longer appear in that user s bookmarks folder. Global bookmarks The Global Bookmarks feature acts as an extension to the Bookmarks feature, giving all users access to certain objects in the NetID hierarchy, regardless of their access level. Global bookmarks are created in the same manner as regular bookmarks (refer to Creating a bookmark on page 37), but you must have Administrator access to NetID in order to create them. Creating a bookmark To create a bookmark or global bookmark, follow these steps: 1 In the tree area, navigate to the object for which you want to create a bookmark. 2 Right-click the object, and choose Create Bookmark from the menu. The New Bookmark dialog box opens. 3 Navigate to the folder to which you want to add the bookmark. In order to create a global bookmark, you must be logged into NetID with Administrator access rights. For information about creating a new bookmark folder, see the next procedure. 4 Click the folder, and click OK. In the tree area, an icon for the bookmarked object appears in the bookmark folder. You can also create a bookmark for an object by copying the object to the clipboard, and then pasting it to any of the existing bookmark folders. Managing IP Addressing in Nortel NetID

38 38 Chapter 1 Introduction to the Management Console Creating a bookmark folder To create a bookmark folder, follow these steps: 1 Right-click the bookmark folder under which you want to add a folder, and choose Create Bookmark Folder from the menu. The New Bookmark Folder dialog box opens. 2 In the New Folder Name box, type a name for the folder. Caution: You can enter illegal characters through the Management Console in Netscape using the Alt key and the number pad (for example, \ = Alt-0092). This is not recommended because it creates a nameless folder that cannot be removed through the Management Console. 3 Click OK. Renaming a bookmark folder To rename a bookmark folder, follow these steps: 1 Expand the Bookmarks root object, and right-click the bookmark folder you want to rename. 2 Choose Rename Bookmark Folder from the menu. The Rename Bookmark Folder dialog box appears. 3 In the New Folder Name field, type a new name. 4 Click OK. Deleting a bookmark or bookmark folder To delete a bookmark or bookmark folder and all its pointers to objects, follow these steps: 1 Expand the Bookmarks root object, and right-click the bookmark or bookmark folder you want to delete.

39 Chapter 1 Introduction to the Management Console 39 2 Choose Delete from the menu. You are prompted to confirm the deletion. 3 Click OK. Note: Deleting bookmarks or bookmark folders only deletes the shortcuts to IP objects. It does not delete the actual IP objects. Setting preferences You can set a number of personal preferences to customize the types of messages that are displayed and the appearance of the GUI. NetID allows you to set the following user-specific preferences: Logging Confirmation Buckets Dynamic updates Setting logging preferences To set the types of notification and logging messages that NetID displays, follow these steps: 1 From the Edit menu, choose Preferences. The Edit Preferences dialog box appears. 2 Enable the Allow Tracing check box to display all messages that are transferred between the Application Server and the local Management Console. Managing IP Addressing in Nortel NetID

40 40 Chapter 1 Introduction to the Management Console Log messages are displayed in the Trace Log dialog box. Note: If you want to display Java messages (in addition to the trace log messages) in your Web browser s Java Console, enable the Send Trace Data to Java Console check box. (For information on how to display the Java Console, refer to the manufacturer s documentation). 3 Click OK. To view the logging messages, you need to open the Trace Log dialog box (refer to Viewing the trace log on page 43). Setting confirmation preferences You can specify that a confirmation message is displayed whenever a task is successfully completed in NetID. By default, confirmation messages are not displayed. To set confirmation preferences, follow these steps: 1 From the Edit menu, choose Preferences. The Edit Preferences dialog box appears. 2 Enable the Show Status Dialog On Success check box. 3 Click OK. Setting the number of buckets Buckets are containers used in the Management Console to hold domain names, subnets, host addresses residing directly on a subnet (not associated with a range), and host templates in smaller, more manageable groupings. If you have a large number of objects, buckets can also improve the display performance of the Management Console. A bucket can hold a specific number of objects (sub-buckets, domain names, host templates, subnet, or host addresses). This number is determined by the bucket size.

41 Chapter 1 Introduction to the Management Console 41 For example, if you have 101 domain names and you set the bucket size to ten, 11 buckets would be created (ten buckets would hold ten domain names each, and the eleventh would hold the remaining domain name). To set the number of buckets, follow these steps: 1 From the Edit menu, choose Preferences. The Edit Preferences dialog box appears. 2 In the Bucket field, type the number of objects that each bucket can contain. (The number must be between 5 and 50,000.) Note: If you type 0, the default bucket size of 1,024 will be used. 3 Click OK. You must refresh the display to see the changes you made. To refresh the display, choose View > Refresh. Allowing dynamic updates If you are working in an environment where other users are simultaneously making changes to the same data that is displayed your Management Console, you can allow dynamic updates so that data in your Management Console is automatically refreshed. Although dynamic updates are allowed by default, dynamic updates may decrease the performance of your Management Console if you are working in an environment where other users are making changes very frequently. To allow dynamic updates, follow these steps: 1 From the Edit menu, choose Preferences. The Edit Preferences dialog box appears. 2 Enable the Allow Dynamic Updates check box. 3 Click OK. Managing IP Addressing in Nortel NetID

42 42 Chapter 1 Introduction to the Management Console Errors and warnings You can view local error and warning messages, and external notification messages, if you have turned notification on (refer to Setting logging preferences on page 39). Messages help you to monitor the changes that are happening on your network. Viewing errors and warnings To view all of the errors and warnings that NetID has generated as a result of tasks you have performed using the Management Console, follow these steps: 1 From the View menu, choose Errors and Warnings Log. The Errors And Warnings Log dialog box appears. 2 (Optional Step) Click the Clear button to delete all of the information displayed. If you click the Clear button, the next time you open the dialog box, only errors and warnings generated since the last time you opened this dialog box will appear. 3 Click the Close button. Viewing external update messages The external updates log displays all of the notification messages that NetID has generated as a result of tasks you and external users have performed using the Management Console. Before you can view these messages, you need to set the tracing preferences in the Logging dialog box (refer to Setting logging preferences on page 39). To view external notification messages, follow these steps: 1 From the View menu, choose External Updates Log. The Remote Notification Log dialog box appears.

43 Chapter 1 Introduction to the Management Console 43 2 (Optional Step) Click the Clear button to delete all of the information displayed. If you click Clear, the next time you open the dialog box, only notification logs generated since the last time you opened this dialog box will appear. 3 Click the Close button. Viewing the trace log The trace log displays all of the messages that go between the Application server and the local Management Console. Before you can view these messages, you need to set the tracing preferences in the Logging dialog box (refer to Setting logging preferences on page 39). To view trace log messages, follow these steps: 1 From the View menu, choose Trace Log. The Trace Log dialog box appears. 2 (Optional step) Click the Clear button to delete all of the information displayed. If you the Clear button, the next time you open the dialog box, only trace logs generated since the last time you opened this dialog box will appear. 3 Click the Close button. Refreshing the display The NetID Management Console displays a lot of cached database information. NetID verifies cached values when you add or update information. However, temporary inconsistencies in the cached information can occur when multiple users attempt to modify related database information at the same time, or when a user performs an import. These errors are temporary and you can eliminate them by refreshing the cached values. To refresh the cache, choose View > Refresh. All of the information on the selected object is updated. Managing IP Addressing in Nortel NetID

44 44 Chapter 1 Introduction to the Management Console You can also refresh the information displayed in the Management Console by pressing the F5 key; or by pressing your right-click mouse button, and choosing Refresh from the menu. Replacing the initial HTML page You may want to replace the initial NetID login HTML page that appears when you first run the Management Console with suited to your own organization. To replace the initial HTML page, follow these steps: 1 Go to the <NetID_home>/templates directory on the system on which your NetID Application Server is installed. 2 Open the login.html file in a text editor. 3 Copy the existing login.html file. 4 Locate the <APPLET> element (near the bottom of the file). 5 Copy the entire <APPLET> element. The <APPLET> element contains the following lines: <APPLET code="nid/windows/tbaseapplet.class" archive="nidappgui.jar" name="login" width=1 height=1 ></APPLET> 6 Paste the copied <APPLET> element into your HTML file. 7 Rename your new HTML file login.html. 8 Copy your HTML file to the <NetID_home>/templates directory on the machine on which your NetID Application Server is installed.

45 Chapter 1 Introduction to the Management Console 45 Session timeout If too much time passes after you made a change with the Management Console, the Application Server, which passes commands from the Management Console to the database, will log you out and display a dialog box to that effect. Click OK, and log into the Management Console again (refer to Logging in on page 30). The default timeout period is 30 minutes, but a NetID administrator can set a different time period. For information on setting the Management Console timeout period, refer to the Running the Application Server chapter in Managing Nortel NetID Server Products. Opening multiple Management Console windows You can open more than one Management Console window at a time. When you open a second Management Console window, you run another instance of the program. You cannot move items between the windows, but having more than one Management Console window open allows you to view information in different subtrees at the same time. To open a second Management Console window, open a new Web browser window and follow the steps from Running the Management Console on page 29. Logging out of NetID To log out of NetID, follow these steps: 1 From the File menu, choose Log out. You are prompted to confirm the logout. 2 Click Yes. The NetID Management Console window goes blank. To log back in, choose Log in from the File menu. Managing IP Addressing in Nortel NetID

46 46 Chapter 1 Introduction to the Management Console Exiting from NetID To exit from the NetID Management Console, follow these steps: 1 From the File menu, choose Exit. You are prompted to confirm the exit. 2 Click Yes. The Management Console closes and returns to the initial Web browser window. To log back in, make sure that the URL of the system on which your NetID Application Server is installed still appears in the Location or Address field of the Web browser, press Enter, and follow the steps in Logging in on page 30.

47 47 Chapter 2 Managing access privileges Each person in an organization who uses Nortel NetID must be assigned a user ID. User IDs, and the access privileges associated with them, are used to determine who is authorized to log in to NetID, what objects they can see in the Management Console, and what tasks they can perform. Individual users can also be assigned to a group with other users. When groups are created, access privileges granted or modified for the group are uniformly applied to all group members. Groups are, therefore, an effective way to reduce the amount of time spent administering users access privileges. Managing access privileges involves the following tasks: Managing users on page 47 Managing groups on page 54 Controlling access privileges on a per-object basis on page 59 Managing users There are two types of NetID users: NetID administrators, who have unlimited access to all objects in NetID; and NetID users, for whom access privileges must be set on a per-object basis by a NetID administrator or another user granted Admin access to other users and objects. The ability to grant access privileges to specific objects allows the administration of certain portions of the network to be delegated to NetID users, while maintaining an appropriate level of security for the overall network. This section covers the following topics: Evaluating users access requirements on page 48 Managing IP Addressing in Nortel NetID

48 48 Chapter 2 Managing access privileges Creating a user on page 49 Changing user properties on page 50 Adding a user to a group on page 51 Granting a user access to NetID utilities on page 52 Deleting a user on page 53 Evaluating users access requirements NetID administrators (and users with Admin access to the Users And Groups object) can create NetID users and assign access privileges to them so that the authority and responsibility for the various levels of a network can be delegated to multiple people. There are two types of users that can be created in NetID: NetID users and NetID administrators. NetID users can view and/or perform tasks only with objects that an administrator has specifically granted the user access to (the bookmark object is the only exception). This type of user is the default. For most networks, the majority of users that are created are NetID users, and these NetID users are then granted access privileges on a per-object basis. This process allows NetID administrators to carefully delegate authority and responsibility for the various levels of the network. For information on granting a NetID user access to individual objects, refer to Controlling access privileges on a per-object basis on page 59. NetID administrators are users that are granted administrator access. Administrator access gives these users unlimited access to all objects. A NetID administrator can perform all possible tasks in NetID, including granting, revoking, and updating the access privileges that NetID users have to objects. A NetID administrator cannot limit the access privileges other NetID administrators have to specific objects, but a NetID administrator can deactivate or delete other NetID administrators accounts. Administrator access can also be granted to groups. Since administrator access is similar to the super user or root access privileges used by some operating systems, for security reasons, the number of users or groups with administrator access should be kept to a minimum.

49 Chapter 2 Managing access privileges 49 When a group is created in NetID, as with a NetID user, the option of giving that group administrator access is provided. Therefore, a user who is made a member of a group can have two different levels of basic access privileges (for example, no administrator access as a user and administrator access as a group member). NetID uses a cumulative approach for such cases; therefore, users are granted the greatest combination of those privileges. In the example above, the user would have administrator access. Caution: If an existing NetID user or group is given administrator access, any access privileges to specific objects previously granted to that NetID user or group are removed from the access control list. Therefore, if the administrator access granted to the user or group is later revoked, any access privileges for specific objects will have to be manually reset. For more information about groups, refer to Managing groups on page 54. Creating a user NetID users must have Admin access to the Users And Groups object to create other NetID users. For information on granting access to objects, refer to Controlling access privileges on a per-object basis on page 59. To create a new user, follow these steps: 1 Under the Setup root object, expand the Users And Groups object. 2 Right-click the Users object, and select New User from the menu. The New User dialog box appears. 3 Type the user s last name, first name, address, and phone number in the respective fields. 4 In the User ID field, type a user ID. The user ID cannot exceed eight characters. 5 In the Password field, type a password. For security reasons, users should change their passwords after the first time they log in to NetID (refer to Changing your password on page 31). Managing IP Addressing in Nortel NetID

50 50 Chapter 2 Managing access privileges 6 In the Confirmation field, retype the password. If you later change the user s properties, the number of asterisks that appear in the password field will not reflect the number of characters in the password. 7 (Optional step) If you want to assign the user administrator access, enable the Administrator Access check box. (Only NetID administrators can grant Administrator Access). Caution: Administrator access allows a user unlimited access to all objects in the Management Console. For security reasons, it is recommended that you limit the number of NetID administrators and grant access privileges to users on a per-object basis (refer to Controlling access privileges on a per-object basis on page 59). 8 (Optional step) If you do not want the user to be able to log in to NetID, disable the Login Access check box. Although the user still appears under the Users object, the user s account is not activated, and he or she will be unable to log in to NetID. However, since access privileges in NetID are cumulative, if the user is added to a group that is granted login access (refer to Creating a group on page 55), the user will be able to log in to NetID. 9 Click OK. The user you created appears in the list. Changing user properties After you have created a user, you can change that user s properties in various ways. Changing user properties can include any of the following tasks: Changing a user s contact information, user ID, and password (refer to Creating a user on page 49) Adding a user to a group on page 51 Granting a user access to NetID utilities on page 52

51 Chapter 2 Managing access privileges 51 If you changed user properties for a user that is currently logged in, the new privileges will take effect for that user after he or she logs out of NetID. Adding a user to a group NetID users must have Admin access to the group object to which they want to add a user and at least Read access to the user object that they want to add to that group. For information on granting access to objects, refer to Controlling access privileges on a per-object basis on page 59. Before you can add a user to a group, you must create a group (refer to Creating a group on page 55). To add a user to a group, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Users object. The current users appear in the list area. 2 In the list area, right-click the user you want to add to a group, and choose Properties from the menu. The User Properties dialog box appears. 3 Click the Membership tab. 4 In the Available Groups list, select the group to you want the user to belong to, and click the left arrow button. The selected group moves to the Belongs To These Groups list. 5 (Optional step) To remove the user from a group, select the group from the Belongs To These Groups list, and click the right arrow button. The selected group moves to the User Belongs To These Groups list. 6 Click OK. Managing IP Addressing in Nortel NetID

52 52 Chapter 2 Managing access privileges Granting a user access to NetID utilities By default, NetID users do not have access to NetID utilities, but you can grant a user access to any of the utilities. However, a NetID user must also be granted the appropriate access privileges to other objects to use the utilities. For example, a NetID user granted access to the export tool can only export DNS files from those Name Server objects that he or she has at least read access to (refer to Controlling access privileges on a per-object basis on page 59). NetID users must have at least Update access to a user object to grant that user access to any utilities. To grant a NetID user access to NetID utilities, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Users object. 2 In the list area, right-click the user you want to give access to NetID utilities to, and choose Properties from the menu. The User Properties dialog box appears. 3 Click the Tool Access tab. 4 Enable any of the following check boxes to indicate which NetID utilities you want to give the user access to: Import utility -- Imports DNS information to your network Export utility -- Generates naming and addressing configuration files Report utility -- Generates reports on different types of network information including: network address utilization, user access privileges, DHCP Server statistics, and changes made to database objects CLI utility -- Allows users to add, delete, or modify hosts, domain names, and resource records through a command-line-based client Ping Audit utility -- Compares IP addresses in use with those stored in the database Trim Logs -- Trims the number of entries stored in server alarm, DHCP history, and object history tables 5 Click OK.

53 Chapter 2 Managing access privileges 53 Deleting a user When you delete a user, all of the access privileges to objects and any group memberships for that user are deleted. However, if you do not want to delete a user, you can instead deactivate that user in the User Properties dialog box so that he or she will not be able to log in (refer to Changing user properties on page 50). NetID administrators can delete NetID users and administrators from NetID. NetID users can delete those NetID users that they have Admin access to, but they cannot delete NetID administrators. To delete a user, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Users object. The current users appear in the list area. 2 In the list area, right-click the user you want to delete, and choose Delete User from the menu. You are prompted to confirm the deletion. 3 Click OK. You are not permitted to delete a user who is currently logged in. Setting password requirements You can set the minimum length for user passwords and whether they must be alphabetic (containing all alpabetic characters) or alphanumeric (containing both alpabetic characters and integers). Once you set a length and format for passwords, the passwords for any new users you create must meet those requirements, and existing users whose passwords do not meet those requirements will be prompted to change their format when they log in to NetID. NetID users must have at least Local Update access to the System Options object to set password requirements. To set password requirements, follow these steps: Managing IP Addressing in Nortel NetID

54 54 Chapter 2 Managing access privileges 1 Under the Setup root object, right-click the System Options object, and choose Properties from the menu. The System Options Properties dialog box appears. 2 Click the Admin tab. 3 In the Minimum Password Length field, type the minimum number of characters you want passwords to have. 4 If you want passwords to require alphanumeric characters, enable the Password Must Contain At Least One Digit check box. If this check box is not enabled, passwords can consist only of alphabetic characters. 5 Click OK. Managing groups If you are granting multiple users in your organization similar access privileges, you may want to place these users in a single group. You can then grant, revoke, and update access privileges for the group as you would for an individual user, but all administrative changes are applied to each group member simultaneously. For example, if you want to grant five particular NetID users Local Read access to a subnet, instead of individually granting access to that subnet object for each user, you can simply grant the access to the group. Any changes to the access privileges granted to the group will also be applied to all five group members. Access privileges for an object specifically granted to an individual user take precedence over access privileges for an object that a user is granted from his or her group memberships. Further, when a user has multiple group access privileges that overlap, the user is granted the greatest possible level of access. For more information about overlapping access privileges, refer to Access permission levels on page 59. This section covers the following topics: Creating a group on page 55 Changing group properties on page 56

55 Chapter 2 Managing access privileges 55 Changing the membership of a group on page 56 Deleting a group on page 58 Creating a group NetID users must have Admin access to the Users And Groups object to create a group. For information on granting access to objects, refer to Controlling access privileges on a per-object basis on page 59. To create a new group, follow these steps: 1 Under the Setup root object, expand the Users And Groups object. 2 Right-click the Groups object, and choose New Group from the menu. The New Group dialog box appears. 3 In the Name field, type the name of the group. 4 (Optional step) Enable the Administrator Access check box to grant members of the group administrator access privileges. (Only NetID administrators can assign administrator access privileges.) Caution: Administrator access gives a user unlimited access to all objects in the Management Console. For security reasons, it is recommended that you assign access privileges for most users on a per-object basis (refer to Controlling access privileges on a per-object basis on page 59). 5 (Optional step) If you do not want the group members user to be able to log in to NetID, disable the Login Access check box. Although the group still appears under the Groups object, the group s account is not activated, so the access privileges granted to the group will not take effect for users, and its members will not be able to log in to NetID. Note: Since access privileges in NetID are cumulative, if a group members is individually given login access (refer to Changing user properties on page 50), that user will still be able to log in to NetID. Managing IP Addressing in Nortel NetID

56 56 Chapter 2 Managing access privileges 6 Click the Members tab. 7 In the Users list, double-click the user that you want to add to the group. The user you selected appears in the Members list. To remove a user from a group, double-click the user in the Members list. 8 Click OK. Changing group properties After you have created a group, you can change it in various ways. Changing a group can include any of the following tasks: Changing the name of the group and the access assigned to the group (refer to Creating a group on page 55) Changing the membership of a group on page 56 Granting a group access to NetID utilities on page 57 Changing the membership of a group NetID users must have Admin access to the group object and Admin access to each user object that they want to add to or remove from the group. For information on granting access to objects, refer to Controlling access privileges on a per-object basis on page 59. To change which users belong to a group, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Groups object. The current groups appear in the list area. 2 Right-click the group you want to update, and choose Properties from the menu. The Group Properties dialog box appears. 3 Click the Members tab.

57 Chapter 2 Managing access privileges 57 4 In the Users list, select the user that you want to add to the group, and click the left arrow button. The user you selected appears in the Members list. 5 (Optional step) To remove a user from a group, select the user in the Members list, and click the right arrow button. The selected group moves to the Groups list. 6 Click OK. Granting a group access to NetID utilities You can grant groups without administrator access access to all of the NetID utilities. However, group members (either collectively, as a group, or individually, as users) must also be granted the appropriate access privileges to other objects to use the utilities. For example, a user granted access to the export tool can only export DNS files from those Name Server objects that he or she has at least Read access to (refer to Controlling access privileges on a per-object basis on page 59). NetID users must have at least Update access to a group object to grant its members access to any utilities. To grant a group access to NetID utilities, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Groups object. 2 In the list area, right-click the user you want to give access to NetID utilities to, and choose Properties from the menu. The Group Properties dialog box appears. 3 Click the Tool Access tab. 4 Enable any of the following check boxes to indicate which NetID utilities you want to give the user access to: Import utility -- Imports DNS information to your network Export utility -- Generates naming and addressing configuration files Managing IP Addressing in Nortel NetID

58 58 Chapter 2 Managing access privileges Report utility -- Generates reports on different types of network information including: network address utilization, user access privileges, DHCP Server statistics, and users changes to database objects CLI -- Allows users to configure the network using a standard grammar Ping Audit utility -- Compares IP addresses in use with those stored in the database 5 Click OK. Deleting a group NetID administrators can delete groups (including other groups with administrator access) from NetID. However, NetID users can delete a group only if they have Admin access to that group object (you cannot, though, delete groups with administrator access). None of the users that are members of a group are deleted when the group is deleted. However, those users will lose access privileges granted to objects that they received as members of that group, since all of the access privileges for objects granted to that group are removed. To delete a group, follow these steps: 1 Under the Setup root object, expand the Users And Groups object, and select the Groups object. The current groups appear in the list area. 2 Right-click the group you want to delete, and choose Delete Group from the menu. You are prompted to confirm the deletion. 3 Click OK.

59 Chapter 2 Managing access privileges 59 Controlling access privileges on a per-object basis In NetID, administrative tasks associated with specific portions of the network (for example, particular subnets, subdomains, or hosts) can be delegated to NetID users on a per-object basis. An access control list (ACL) is maintained in the NetID database that specifies the permission levels (refer to Table 1 on page 59) that NetID users and groups have for accessing each object displayed in the Management Console. Permission levels cannot be set for NetID administrators. Access privileges are granted for local and child objects. An object selected in the tree area of the Management Console is considered the local object and an object subordinate to the selected object is considered a child object. Child access privileges can be set even if the local object does not have any child objects associated with it at the time. The child access privileges that are granted will automatically be applied to subsequent children. Controlling access privileges on a per-object basis involves the following tasks: Granting a user or a group access to an object on page 61 Granting a user or a group access to another user or group on page 62 Changing a user or a group s access to an object on page 63 Removing a user or a group s access to an object on page 64 Viewing which users have access to an object on page 64 Access permission levels The various access permission levels that can be granted to a user or group are listed in Table 1. Table 1 Access permission levels for objects Local access No Access View Read Description User or group cannot modify the object in any way. The object will not be visible unless it is required for the user or group to navigate to a child object they have access to. User or group cannot modify the object in any way. The object is visible only because it is required for the user or group to navigate to a child object they have access to. View access is automatically assigned by NetID and cannot be granted to users or groups. User or group can read all properties of the object but cannot modify them in any way. Managing IP Addressing in Nortel NetID

60 60 Chapter 2 Managing access privileges Table 1 Access permission levels for objects (continued) Update Admin Child access No Access Read Update Propagate Admin User or group can read and update all properties of the object, but cannot delete the object. User or group can read and update all properties of the object and give other users or groups to access to the object. By default, if Admin access is granted to the local object, the child object will automatically be granted Admin access. Description User or group cannot modify the selected object s children in any way. A child object will not be visible unless it is required for a user or group to navigate to another child object further down the tree that they have access to. User or group can read all properties of the selected object s children, but cannot modify them in any way. User or group can read and update all properties of selected object s children, but cannot delete them. The user or group also cannot add children to the parent object or its children. User or group can read and update all properties of the selected object s children and can subsequently add children to or delete children from that parent object or its children. User or group can read and update all properties of the selected object s children, and can subsequently add children to or delete children from the parent object.the user or group can also give other users or groups access to those children. When you grant access privileges on a per-object basis, two principles should be remembered: Access privileges granted specifically to a user have precedence over access privileges that the user gains from belonging to a group.

61 Chapter 2 Managing access privileges 61 For example, suppose the user Sue is granted an access privilege of Local Read to the mycompany subdomain and Local No Access to the yourcompany subdomain. However, Sue is also a member of Group 1, which has access privileges of Local No Access to mycompany and Local Read to yourcompany. Since access privileges granted to a user have precedence, Sue ultimately has Read access to the mycompany subdomain and No Access access to the yourcompany subdomain. Caution: If an existing NetID user or group is given administrator access, any access privileges to specific objects previously granted to that NetID user or group are removed from the access control list. Therefore, if the administrator access granted to the user or group is later revoked, any access privileges for specific objects will have to be manually reset. (For information about administrator access, refer to Evaluating users access requirements on page 48.) Group access privileges are cumulative -- If a user has multiple group access privileges that overlap, the user is granted the greatest combination of those access privileges. For example, as a member of the Customer Service group, Sue has Local Update and Child No Access on the subnet object, and as a member of the Super Product group, she has Local Read and Child Propagate access on the same object. When both sets of access privileges are evaluated, Sue is granted the greatest possible level of access for the subnet -- Local Update, Child Propagate. Granting a user or a group access to an object NetID users must have at least Admin access to any object that they want to grant a user access to. They must also have at least Read access to those users or groups. To grant a user or a group access privileges to an object or its children, follow these steps: 1 In the tree area, navigate to the object that you want give a user or group access to. 2 Right-click the object, and choose Properties from the menu. The appropriate Properties box appears. Managing IP Addressing in Nortel NetID

62 62 Chapter 2 Managing access privileges 3 Click the Access tab. 4 Click the Add button. The Add Users And Groups dialog box appears. Users are represented by an icon of a single person. Groups are represented by an icon of multiple people. 5 Select the user or group that you want to grant access privileges to, and click OK. 6 From the Local drop-down list, choose the level of access to the selected object that you want to grant to the user or group. 7 From the Child drop-down list, choose the level of access to the children of the selected object that you want to grant to the user or group. 8 Click OK. Granting a user or a group access to another user or group If you are a NetID administrator, you can grant users and groups access to other user and group objects, which allows them to view or modify other user and group objects. However, when users and groups have access to other users and groups, they can also grant those user or groups access to any objects that they have Admin access to themselves. For example, if the user Sue, who has Admin access to the IP address object, is given at least Read access to the user Bob, Sue can then give Bob access to the IP address object. NetID users can grant a user or a group access to other user or group objects if they have Admin access to the user or group object that they want another user or group to access. The NetID users also must have at least Read access to the user or group that they want to have the access. To assign a user or group access privileges to other users or groups, follow these steps: 1 Under the Setup root object, navigate to the user or group that you want to give other users or groups access to. 2 Right-click the user or group, and choose Properties from the menu.

63 The Users Properties or Groups Properties box appears. 3 Click the Access tab. 4 Click the Add button. The Add Users And Groups dialog box appears. Users are represented by an icon of a single person. Groups are represented by an icon of multiple people. Chapter 2 Managing access privileges 63 5 Select the user or group that you want to give other users or groups access to, and click OK. The selected user or group appears in the User Properties or Group Properties dialog box in the Access Granted To list. 6 From the Local drop-down list, choose at least Read access. 7 Click OK. Changing a user or a group s access to an object You can change a user or group s access privileges to an object. NetID users must have Admin access to the object and at least Read access to the user or group object that has access to that object. To change a user or a group s access privileges to an object, follow these steps: 1 In the tree area, navigate to the object for which you want to set an access privilege for a user or a group. 2 Right-click the object, and choose Properties from the menu. The appropriate Properties box appears. 3 Follow the steps from Granting a user or a group access to an object on page 61. Managing IP Addressing in Nortel NetID

64 64 Chapter 2 Managing access privileges Removing a user or a group s access to an object If a user or a group has access to an object, you can take away that user or group s access to that object. NetID users must have Admin access to the object and at least Read access to the user or group object that has access to that object. To remove a user or a group s access privileges to an object, follow these steps: 1 In the tree area, navigate to the object for which you want to delete the access privileges for a user or a group. 2 Right-click the object, and choose Properties from the menu. The appropriate Properties box appears. 3 Click the Access tab. 4 Choose the user or group whose access privileges you want to change. Users are represented by an icon of a single person. Groups are represented by an icon of multiple people. 5 Click the Remove button. 6 Click OK. Viewing which users have access to an object You can view which user or groups have access to a single object in the tree area and the level of local and child access they have to that object. NetID users must have Admin access to an object to view what access privileges other users or groups have to that object. NetID users can only view those NetID users or groups to whom they have at least Read access, and they cannot see any NetID administrators. Therefore, there can potentially be more users and groups with access to the object than those that the NetID users see. To view which user or groups have access to an object and the level of access they have, follow these steps:

65 Chapter 2 Managing access privileges 65 1 In the tree area, right-click an object, and choose View Security from the menu. The View Security dialog appears. 2 Click OK. Managing IP Addressing in Nortel NetID

66 66 Chapter 2 Managing access privileges

67 67 Chapter 3 Enabling Secure Socket Layer functionality Nortel NetID uses Secure Socket Layer (SSL) technology to protect information passing between the management console and the Application server. SSL technology is supported by both Netscape Navigator and Microsoft Internet Explorer as a protocol for transmitting private information over the Internet. Security is maintained through the use of a key that encrypts data transmitted through the SSL connection. In order for NetID to use SSL encryption, SSL certificates must be available in the <NetID_HOME>\etc directory. NetID installs the following files in the directory: cacert.pem - contains the public key information. cakey.pem - contains the private key information. random.pem - contains random information used by SSL. These files are installed in a default state and do not offer unique authentication. You must create your own unique SSL certificates. The Ping Audit, Import, Export, and Report tools will run in SSL mode without special configuration if the NetID management console connects to the Application server in SSL mode. To confirm this, look for the Lock icon at the bottom of your browser. Information about the certificate can be viewed by double-clicking the lock icon. Managing IP Addressing in Nortel NetID

68 68 Chapter 3 Enabling Secure Socket Layer functionality Creating SSL certificates You can create an SSL certificate for Windows, Solaris, or HPUX. When creating a certificate, you must specify information that is specific to your company in the certificate. The SSL certificate certifies to a client connecting to the NetID Application server that it is, indeed connecting to the NetID Application server of your company. This section covers the following subjects: Creating a certificate for Windows on page 69 Creating a certificate for HPUX or Solaris on page 70 After you have created a certificate, the permissions on the SSL files cacert.pem, cakey.pem and random.pem are set to be read-only for the owner of the files on UNIX platforms. For NetID, the owner is the root user. These permissions are set as a security precaution. World readable permissions are not recommended for the key file (cakey.pem) because this file must be kept private. The CLI tool is the only tool you can start in SSL mode, which means that the CLI requires access to the root-readable SSL files. You can run the CLI as root to have access to these files, but this is not very convenient. In order to allow a user with no root privileges to run the CLI, it is necessary to give this user read rights to these files. One way to achieve this is to create a UNIX group, assign group read permissions on the SSL files, and assign CLI tool users to this group. Write or Execute permissions are not required for these files. One or more of the following error messages may be displayed if the rights of the user are not sufficient to access the SSL files when running the Application server or CLI tool. SSL: Certificate file cacert.pem is inaccessible or invalid SSL: Private key file cakey.pem is inaccessible or invalid SSL: Private key does not match the public certificate SSL: SSL_CTX_load_verify_locations error

69 Chapter 3 Enabling Secure Socket Layer functionality 69 If the Application server fails to start in SSL mode, it will shut down. However, if the CLI server fails to run in SSL mode, it will simply not accept any incoming connections. Creating a certificate for Windows In the <NetID_HOME>\ssl directory of your NetID install directory, you will find the files needed to create a self-signed certificate for your company: certificate.bat - a batch file that calls the openssl.exe tool to create or sign certificates. libeay32.dll - a dynamic link library required by openssl.exe. ssleay32.dll - a dynamic link library required by openssl.exe. openssl.exe - a configuration script used by openssl.exe. openssl.exe - the OpenSSL console tool. The openssl.exe tool generates the files cacert.pem and cakey.pem. The contents of these files must not be edited directly. Nor should their names be changed. NetID specifically looks for these files when SSL is enabled. To create a certificate and private key for Windows, follow these steps: 1 Open a DOS window on the computer on which you installed NetID. 2 From the /ssl sub-directory of your NetID install directory, type the following command: certificate.bat 3 Enter the information requested by the tool. 4 You now have a private and a public key. The following files are generated and must be placed in the <NetID_HOME>/etc directory of any system on which the Application server or CLI client is installed: cakey.pem cacert.pem Managing IP Addressing in Nortel NetID

70 70 Chapter 3 Enabling Secure Socket Layer functionality Creating a certificate for HPUX or Solaris In the <NetID_HOME>/ssl directory of your NetID install directory, you will find the files needed to create a self-signed certificate for your company: ReadMe.txt - instructions for creating a certificate and key using the command line. openssl.cnf - a configuration script used by openssl*. openssl* - the OpenSSL console tool..rnd - a random file data file used by openssl to generate certificates The openssl* tool generates the files cacert.pem and cakey.pem. The contents of these files must not be edited directly. Nor should their names be changed. NetID searches for these files when SSL is enabled. To create a certificate and private key for HPUX or Solaris, follow these steps: 1 Open a console, and navigate to the <NetID_HOME>/ssl directory. 2 To create the certificate/key pair, type the following command. openssl req -config openssl.cnf -new -x509 -keyout cakey.pem -out cacert.pem -days 365 -nodes The private key must be named cakey.pem and the certificate must be named cacert.pem. a b At the CA certificate filename prompt (or enter to create prompt), press [ENTER] to create a new certificate. Follow the on-screen instructions. A private and a public key are generated. 3 Place the following lines in your <NetID_HOME>/etc directory. cakey.pem cacert.pem

71 Removing previous certificates Chapter 3 Enabling Secure Socket Layer functionality 71 Before removing existing SSL certificates from your system, ensure that you do not require them for other applications. To remove certificates from your system, do the following: Open the <NetID_HOME>/ect directory and delete the following files: cakey.pem cacert.pem Starting the Application server in SSL mode On Windows, you can start the Application server in SSL mode by typing the following at the command prompt: <NetID_HOME>/bin> nidappsv.exe -p 443 On UNIX, the root user can start the Application server by typing the following at the command prompt: #./nidappsrv -p 443 The Application server must be started with the -p 443 command parameter (which specifies port 443) to activate SSL. This parameter can also be set in the registry (or registry.cfg file on UNIX), either by specifying port 443 during the NetID installation, or by editing the Application server port number value in the existing key: HKEY_LOCAL_MACHINE\SOFTWARE\Nortel Networks\NetID\CurrentVersion\ Application Server NetID can only be configured to use SSL with this port number. If the Application server finds the necessary files for SSL (cacert.pem, cakey.pem, and random.pem) the server is started successfully in SSL mode. Otherwise it will not start. Managing IP Addressing in Nortel NetID

72 72 Chapter 3 Enabling Secure Socket Layer functionality Secure management console connection To open a secure connection between the management console and the Application server, you must point the browser on which the management console is running to the following URL: or Note: If the Application server is running in SSL mode, you MUST use the prefix in the browser when establishing a connection. You will need to edit the URL (to show the prefix) in the properties of the NetID management console shortcut to use it to establish a secure connection. Microsoft Internet Explorer and Netscape Communicator interpret and process certificates differently, although the basic concepts are similar. To accept the certificate, follow the instructions provided by the Security Alert dialog box (in Internet Explorer) or the New Site Certificate dialog box (in Netscape). Both applications provide a simple wizard-type acceptance process. The Command Line Interface The CLI application must be started with the -s parameter to set the CLI in SSL mode. The CLI client displays certificate information when you connect to the Application server running in SSL mode. An Application server running at a debug level of 9 displays the CLI client connecting through an exportable cipher combination. You cannot connect to an Application server running in SSL mode without using the -s parameter. The CLI client must have the same version of the files cakey.pem and cacert.pem as the Application server. The CLI user must have Read access to cacert.pem, cakey.pem and random.pem.

73 73 Chapter 4 Configuring Name Servers The Nortel NetID Name Server is a BIND-compliant domain name server that primarily interacts with the NetID database through the NetID BIND Controller and Server Manager. With the NetID Name Server, you do not need to generate DNS configuration files and restart the BIND Controller every time changes occur. You simply update DNS information using the Management Console, and the Name Server automatically retrieves the changes from the database through the NetID BIND Controller and Server Manager. (The NetID Name Servers for Windows and UNIX are based on BIND 9.x.) Before you can run the NetID BIND Controller, you need to use the NetID Management Console to create a valid Name Server configuration. You must also use the NetID Management Console to set up zones (for more information on setting up zones, refer to Chapter 9, Managing DNS zones, on page 171). This chapter contains the following subjects: Suggested changes to DNS architecture on page 74 Setting global name server alarm logging on page 74 Defining a Name Server on page 75 Changing a Name Server on page 76 Setting Name Server statements on page 79 Supporting Windows DDNS updates on page 86 Deleting a Name Server on page 88 Managing root Name Servers on page 89 Managing IP Addressing in Nortel NetID

74 74 Chapter 4 Configuring Name Servers Suggested changes to DNS architecture In versions of NetID prior to the version 4.4 series, users were encouraged to use a multi-master zone structure (i.e. several master servers with few or no slave servers). This arrangement was suggested because of limitations in the master-slave update mechanism in earlier versions of BIND. With the improvements to Incremental Zone Transfer (IXFR) functionality in BIND 9, it is now feasible to configure additional Name Servers within a zone as slaves instead of as masters, in order to facilitate DNS updates. Each zone should have two master Name Servers for redundancy purposes, but the rest of the servers in the zone can be slaves. Setting global name server alarm logging You can set Name Server alarm logging levels at the top level of the Name Server hierarchy so that, by default, those settings are inherited by all new Name Servers. To use different settings for a specific name, server refer to Defining a Name Server on page 75. (To view alarm results for Name Servers, refer to Viewing alarms on page 324.) NetID users can set global Name Server alarm logging if they have at least Local Read access to the Name Servers root object. To set global Name Server alarm logging, follow these steps: 1 Right-click the Name Servers root object, and choose Properties from the menu. The Name Servers Properties dialog box appears. 2 In the Server Alarms Logged area, enable any of the check boxes to specify the level of server alarms you want the Name Server to log by default. 3 Click OK.

75 Chapter 4 Configuring Name Servers 75 Defining a Name Server With the Domain Name System (DNS), Name Servers are used to store information about the portions of the domain name space (zones) to which they have been associated. When a name lookup is performed by a resolver on behalf of a client, the resolver queries the Name Server. The resolver then interprets the response from the Name Server (for example, resource record or an error), and provides the client with a response. You can find more information about the DNS in Appendix A, Domain Name System, on page 337. NetID users must have at least Child Propagate access to the Name Servers root object to define a Name Server. To define a Name Server, follow these steps: 1 Create a host address with a unique domain name (refer to Adding a host address on page 120). 2 In the tree area, right-click the Name Servers root object, and choose New Name Server from the menu. The Add Name Server dialog box appears. 3 In the Name Server field, type the domain name of the new Name Server. You can also click the domain name lookup button to choose the domain name from the Domain Name Lookup dialog box. NetID users will see only those domains that they have at least Read access to. The selected domain name appears in the Name Server field. 4 If you want this Name Server to log alarms and warnings according to the global Name Server settings, click the Global Options option button in the Server Alarms Logged area (refer to Setting global name server alarm logging on page 74). (To view alarm results for DHCP Servers, refer to Viewing alarms on page 324.) 5 If you want to this Name Server to log alarms and warnings of a specific level, click the Local Options button in the Server Alarms area, and enable any of the alarm level check boxes below the Local Options button. Managing IP Addressing in Nortel NetID

76 76 Chapter 4 Configuring Name Servers 6 Click OK. The Name Server appears in the list area. The icon beside the Name Server indicates whether it has an active connection with the Server Manager. Changing a Name Server After you have created a Name Server, you can change it in various ways. Changing a Name Server can include any of the following tasks: Adding a zone to a Name Server on page 76 Associating a Name Server with its inverse zone on page 78 Setting Name Server statements on page 79 Setting forwarding information on page 83 Supporting Windows DDNS updates on page 86 Managing root Name Servers on page 89 Adding a zone to a Name Server After you have created a Name Server, you must associate that Name Server with portions of the domain name space (zones) for which it will maintain data used to respond to the queries of resolvers. This procedure describes how to add a zone to a Name Server using the Name Servers root object. However, you can also add a Name Server to a zone using the Zones root object; refer to Adding a Name Server to a zone on page 182. In addition, if you associate a Name Server with a zone and make that Name Server the sole master, you must also associate that Name Server with its inverse zone so that it can reply to reverse queries (refer to Associating a Name Server with its inverse zone on page 78). To add a zone to a Name Server, NetID users must have at least Child Update access to the Name Servers root object and at least Read access to any zone objects to which you want to associate the Name Server. To add a zone to a Name Server, follow these steps:

77 Chapter 4 Configuring Name Servers 77 1 Expand the Name Servers root object, and navigate to the Name Server to which you want to add a zone. All of the zones for which a Name Server is responsible are displayed in the list area when that Name Server object is selected. 2 Right-click the Name Server object, and choose Add Zone from the menu. 3 In the Add Zone To Name Server dialog box, click the Zones Lookup button. The Zone Look Up dialog box appears. 4 Expand the root zone objects, choose a zone from the list, and click OK. You will not see any zones that have already been associated with a Name Server under the Zones root object (refer to Adding a Name Server to a zone on page 182). In addition, if you are a NetID user, you will see only those zones that you have at least Read access to. The zone name you select appears in the Zone field. 5 In the Type area, click one of the following option buttons to indicate what type of role you want the Name Server to assume for the selected zone: Master -- Maintains data for the zone, and is the authoritative Name Server for the zone. A master Name Server cannot receive transfers from any other type of Name Server. If you click the Master option button, go to step 10. Slave -- Receives its zone data from another Name Server. Although this Name Server can also be a slave, at some point the data must come from a master Name Server that is authoritative for the zone. You cannot use the Slave option if you have not already created a master server for the zone. Stub -- Receives only the NS records of a master zone. A stub zone can receive transfers from master, slave, or stub Name Servers. You cannot use the Stub option if you have not already created a master server for the zone. Forward -- Directs all queries to other Name Servers known as forwarders. Managing IP Addressing in Nortel NetID

78 78 Chapter 4 Configuring Name Servers To use this option you must provide the IP addresses of the forwarders to which the Name Server for this zone will direct its queries. (Follow the steps from Assigning forward zones on page 85.) 6 Click the Zone Transfers tab. 7 In the Available Name Servers list, select a Name Server from which you want to attempt zone transfers, and click the left arrow button. The selected Name Server appears in the Zone Transfers From list. Note: The number of times a Name Server appears in the Available Name Servers list represents the number of attempts that will be made to transfer zone information from that server. Therefore, you can add a Name Server to the Available Name Servers multiple times. The amount of time between amounts (the retry time) is specified when the zone is defined (refer to Creating a zone on page 171). 8 (Optional step) If you do not want to receive zone transfers from a Name Server, select the Name Server from the Zone Transfers From list, and click the right arrow button. The Name Server you selected is removed from the Zone Transfers From list. 9 (Optional step) When zone transfers are attempted, the Name Servers are queried in the order in which they appear in the zone transfer list. To change the priority of the Name Servers in the list, in the Zone Transfers From list, select the Name Server, and click the up or down arrows. 10 Click OK. Associating a Name Server with its inverse zone Queries to a Name Server are typically forward, or name to address, lookups (for example, What is the IP address for bob.eastcoast.sales.acme.com? ). However, Name Servers can also be issued reverse, or address to name, lookups (for example, What is the domain name for ? ). Therefore, if you add a Name Server and make it the only master Name Server for a zone (forward zones), you must also associate that Name Server with an appropriate in-addr.arpa (inverse) zone, so that it will be able to respond to reverse queries.

79 Chapter 4 Configuring Name Servers 79 To associate a Name Server with its inverse zone, NetID users must have at least Child Update access to the Name Servers root object and at least Read access to the in-addr.arpa zone to which they are associating the Name Server. To associate a Name Server with its inverse zone, follow these steps: 1 Expand the Name Servers root object, and navigate to the Name Server that you want to associate with its inverse zone. 2 Right-click the Name Server object, and choose Add Zone from the menu. 3 In the Add Zone To Name Server dialog box, click the Zones Lookup button. 4 In the Zone Look Up dialog box, expand the root zone objects, choose the appropriate in-addr.arpa zone from the list, and click OK. When a new network is created, an in-addr.arpa zone for that network is automatically created. The appropriate in-addr.arpa zone for a Name Server is one that shares the same network number. (For example, the appropriate in-addr.arpa zone for a Name Server with a host address of would be 47.in-addr.arpa.) The zone name you select appears in the Zone field. 5 In the Type area, click the Master option button. 6 Click OK. Setting Name Server statements You can use BIND 9.x Name Server statements to change the configuration of a Name Server and modify how it operates. This section covers the following subjects: BIND statement validation is disabled by default on page 80 Setting BIND statements on page 80 Setting global BIND statements on page 81 Setting forwarding information on page 83 Managing IP Addressing in Nortel NetID

80 80 Chapter 4 Configuring Name Servers BIND statement validation is disabled by default The procedures in this section assume that BIND statement validation is enabled. By default, BIND statement validation is disabled in NetID to facilitate the migration of data from earlier versions of NetID. To perform these procedures, you must enable BIND statement validation or enter the BIND or Name Server statements manually (see below). BIND statement validation is disabled by default to prevent users of prior versions of NetID from encountering errors when they upgrade to NetID 4.5. In some earlier versions of NetID, zone type forward and zone type stub were manually applied to Name Server objects (those displayed under the Name Servers root object). However, the BIND statement validation feature for NetID 4.5 does not consider a zone statement associated with a Name Server object as valid. In NetID 4.5, the role of master, slave, forward, or stub are predefined options that can be set for Name Servers that are associated with zones (those Name Server objects displayed under the Zones root object). Manually setting BIND statements for these Name Servers is unnecessary. To enable BIND statement validation, do the following: 1 Under the Setup root object, right-click the System Options object and choose Properties from the menu. 2 In the System Options Properties dialog box, click the Admin tab. 3 Enable the Validate BIND Statements check box and click OK. Setting BIND statements The NetID Name Server supports BIND 9.x statements. For more information on BIND statements, go to bind9arm.pdf. NetID users must have at least Update access to the Name Server object for which they want to set BIND statements. To set a BIND statement for a Name Server, follow these steps: 1 Under the Name Servers root object, navigate to a Name Server.

81 Chapter 4 Configuring Name Servers 81 2 Right-click the Name Server object, and choose Properties from the menu. 3 In the Name Server Properties dialog box, click the BIND Statements tab. 4 Click the Add button. In the Defined BIND Statements dialog box, navigate to the BIND statement that you want to set for the Name Server, and click OK. Note: You can also define BIND or Name Server statements manually, by clicking the Text Entry button. The BIND statement is added to the list. 5 Select the BIND statement from the list. Depending on the option selected, in the row beside the selected option, a text field or a drop-down list appears. 6 In the text field or drop-down list, type or choose the appropriate value. The Syntax area of the dialog box displays the required format of the BIND statement information. 7 (Optional step) To change the position of a BIND statement or Comment entry in the list, select the BIND statement or comment entry, and click the Move Up or Move Down buttons. The Move Up and Move Down buttons are useful if you want to reposition a Comment entry to precede the BIND statement to which it refers. 8 (Optional Step) To remove a BIND statement or Comment entry from the list, select the BIND statement or Comment entry, and click the Remove button. 9 Click OK. Setting global BIND statements The Global BIND Statement feature in NetID allows you to manage TSIG keys and ACL directives on a global basis. To set a global BIND statement, do the following: Managing IP Addressing in Nortel NetID

82 82 Chapter 4 Configuring Name Servers 1 Under the Setup root object, right-click the Global BIND Statement object and choose Edit Global BIND Statements from the menu. 2 In the Global BIND Statements dialog box, click the Add button. 3 In the Defined BIND Statements dialog box, expand either the ACL or Key folder and then click on the statement you want to add. Click OK. The global BIND statement is added to the list. 4 Select the global BIND statement from the list. Depending on the option selected, in the row beside the selected option, a text field or a drop-down list appears. 5 In the text field or drop-down list, type or choose the appropriate value. The Syntax area of the dialog box displays the required format of the BIND statement information. Applying a global BIND statement to a server-zone You can specify which server-zones in the NetID hierarchy will be configured with a global BIND statement. To apply a global BIND statement to a server-zone, do the following: 1 Expand the Global BIND Statements object. 2 Right-click on the global BIND statement object that you want to apply to a server-zone, and then choose Add/Remove Allow Update Statement to Server Zones from the menu. 3 In the Add/Remove Global BIND Statements to Server-Zones dialog box, click on a server-zone object and then enable the check box under the Select column. Repeat this step to apply the global BIND statement to additional server-zones. 4 Click OK. The global BIND statement is applied to the server-zone(s). An Access Control List is added to an allow-update BIND directive on the server-zones.

83 Chapter 4 Configuring Name Servers 83 Setting forwarding information Forwarders are Name Servers that handle all off-site queries from other internal Name Servers. By handling numerous queries, they build up a large cache of information. Forwarders are useful when an external network connection is slow or you are being charged for the amount of data that is sent out over that connection. You do not actually do anything to servers that are forwarders. In fact, you tell other servers which servers they should forward their queries to. When you set up forwarding for a Name Server, you have three options. You can configure a Name Server using the forward first BIND statement so that if, after a short period of time, the forwarder does not answer the Name Server, the Name Server contacts a remote server itself. You can choose to configure a Name Server so that it completely relies on its forwarders to answer its queries. You configure it so that it does not try to contact outside servers to answer its queries, using the forward only BIND statement. Finally, you can choose to configure a Name Server by omitting the forwarders statement entirely, so that it does not contact any other servers to answer its queries. You may want to do this when you do not want to have external information on your internal server. No forwarding is the default. Table 2 shows the differences between the three types of forwarding. Table 2 Forwarders BIND statements Type of forwarding Forwarder Restricted forwarder No forwarding Command options {forward first; forwarders {xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx;};}; options {forward only; forwarders {xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx;};}; options {forward first; }; Result If after a short period of time the forwarder does not answer the Name Server, then the Name Server contacts a remote server itself to answer a query. The server will go only to its forwarders to answer its queries. It will not contact a remote server. The server will not contact any other server to answer its queries. Managing IP Addressing in Nortel NetID

84 84 Chapter 4 Configuring Name Servers Assigning forwarders NetID users must have at least Update access to the Name Server object for which they want to set forwarding information. To assign a forwarder for a Name Server, follow these steps: 1 Expand the Name Servers root object, and navigate to the Name Server for which you want to assign a forwarder. 2 Right-click the Name Server object, and choose Properties from the menu. The Name Server Properties dialog box appears. 3 Click the BIND Statements tab. 4 Click the Add button. The Defined BIND Statements dialog box appears. Note: You can also define BIND or Name Server statements manually by clicking the Text Entry button. For information on BIND statements, go to 5 Under the Options folder, hold the [Ctrl] key and select the Forward and Forwarder options. 6 Click OK. The Defined BIND Statements dialog box closes, and the BIND statements are added to the list. 7 Select the Forward option, and from the drop-down list that appears, choose one of the following options from the Text Array drop-down list (Refer to Table 2 for more information about the differences between the three possible types of forwarding.): Only-- The Name Server will go only to its forwarders to answer its queries. It will not contact a remote server.

85 Chapter 4 Configuring Name Servers 85 First -- If there are forwarders specified, the Name Server will first go to them to answer its query. If after a short period of time the forwarder does not answer the Name Server, the Name Server will contact a remote server itself to answer a query. If no forwarders are specified (refer to step 8), the Name Server will not contact any other servers (forwarders or remote servers) to answer its queries. 8 Select the Forwarders option, and in the field that appears, type the IP addresses of the Name Servers that you want the selected Name Server to use as forwarders. (Separate each IP address with a semicolon.) If you do not type an IP address, and you have chosen the Forward First option in step 7, no forwarding will be applied. 9 (Optional step) To delete the Forward or Forwarders BIND statements from a zone, select the statements from the list, and click the Remove button. 10 Click OK. Assigning forward zones The forward zone feature allows you to specify that certain zones are forward only. This causes any queries for hosts in the forwarded zone to be forwarded to the Name Servers specified in the configuration file. NetID users must have at least Update access to the Name Server object for which they want to assign forward zones. To assign a forward zone, follow these steps: 1 Expand the Name Servers root object, and navigate to the Name Server that is serving a zone that you want to be forward only. 2 In the list area, right-click the name-server zone from the Zone Start column to which you want to add the forwarder statement, and choose Properties from the menu. The Name Server-Zone Properties dialog box appears. 3 In the Type area, click the Forward option. 4 Click the BIND statements tab. 5 Click the Add button. Managing IP Addressing in Nortel NetID

86 86 Chapter 4 Configuring Name Servers The Defined BIND Statements dialog box appears. Note: You can also define BIND or Name Server statements manually by clicking the Text Entry button. For information on BIND statements, go to 6 Hold the [Ctrl] key, and select the Forward and Forwarder options. 7 Click OK. The BIND statements are added to the list. 8 Select the Forward option, and, from the Text Array drop-down list that appears, choose Forward Only to specify that the Name Server for this zone will only forward queries to specific Name Servers. 9 Select the Forwarders option, and, in the IP Address Array field that appears, type the IP addresses of the Name Servers to which you want the Name Server for this zone to forward queries. (Separate each IP address with a semicolon.) 10 (Optional step) To delete the Forward or Forwarders BIND statements from a zone, select the statements from the list, and click the Remove button. 11 Click OK. Supporting Windows DDNS updates The Active Directory component of Windows servers has three key requirements for DNS: Support for dynamic registration, as specified in RFC 2136 Support for SRV resource records, as specified in RFC 2782 Support for non-alphanumeric characters in domain names, as specified in RFC 2181 By default, the NetID Name Server is not configured to accept dynamic DNS (DDNS) updates from Windows servers. If you would like to enable DDNS updates from Windows servers, you must do the following:

87 Chapter 4 Configuring Name Servers 87 Ensure that domain labels are not required to be globally unique and that the underscore character is not specified as an illegal domain character (refer to Setting options for domain names on page 305). Ensure that the Name Server to receive the DDNS updates is specified in the Source Domain Name (Master Name Server) field on the Zone tab of the zone for which it serves. This can be confirmed by right-clicking the zone under the Zones root object and choosing Properties from the menu. Ensure that the Name Server to receive the dynamic updates is the master Name Server for the zone. This can be confirmed by right-clicking the server zone, choosing Properties from the menu, and clicking the Name Server-Zone tab. Specify the IP addresses from which you wish to allow dynamic updates (refer to Configuring a Name Server to allow DDNS updates on page 87). Configuring a Name Server to allow DDNS updates You must set the NetID allow-update statement for a NetID Name Server so that it can accept dynamic DNS updates. The NetID allow-updates Name Server statement allows you to specify the IP addresses from which the Name Server can allow dynamic updates. To set the allow-update Name Server statement for a Name Server associated with a zone, NetID users must have at least Child Propagate access to the Name Servers root object and at least Update access to the appropriate zone object. To set the allow-update statement for a Name Server, follow these steps: 1 Expand the Zones root object, and navigate to a server zone. 2 Right-click the server zone object, and choose Properties from the menu. The Name Server-Zone Properties dialog box appears. 3 Click the BIND Statements tab. 4 Click the Add button. Managing IP Addressing in Nortel NetID

88 88 Chapter 4 Configuring Name Servers The Defined BIND Statements dialog box appears. Note: You can also define BIND or Name Server statements manually by clicking the Text Entry button. For information on BIND statements, go to 5 Expand the Options folder, select the Allow-Update object, and click OK. The allow-update statement is added to the list of statements. 6 In the Address Match List field beside the allow-update statement, type the IP address of the interface you want to allow to send DDNS update to the NetID Name Server. You can include more than one IP address. Separate each address with a semicolon. 7 Click OK. Deleting a Name Server When you delete a Name Server, it is removed from the pool of Name Servers and is no longer displayed under the Name Servers root object. Although the host address and domain name are no longer recognized as a Name Server, the host address and domain name are not deleted and remain in the NetID database. Note: Deleting a Name Server object from the Management Console does not stop or uninstall its associated Name Server application. Before you delete a Name Server object from the Management Console, you should stop (and possibly uninstall) its associated Name Server application. If you delete a Name Server object from the Management Console while the server is still associated with one or more zones, a synchronization problem can arise between the Name Server and the Server Manager. The Name Server application would continue to answer name resolution requests in spite of the fact that it is no longer listed in the database as a Name Server.

89 Chapter 4 Configuring Name Servers 89 NetID users must have at least Child Propagate access to the Name Servers root object to delete a Name Server. To delete a Name Server from the Name Server Pool, follow these steps: 1 Under the Name Servers root object, right-click a Name Server object. 2 Choose Delete Name Server from the menu. You are prompted to confirm the deletion. 3 Click OK. Managing root Name Servers When Name Servers cannot resolve a query, they begin a root-down name search. Each Name Server that does not reference a forwarder must be configured with a list of root Name Servers (or a hint zone) to which it sends the query. NetID is installed with a predefined set of root Name Servers, but you can modify this list by adding or deleting root Name Servers. Importing DNS information can also update the root Name Servers (refer to Importing a DNS database file on page 236). Adding a root Name Server NetID users must have at least Child Propagate access to the Dictionary object to add a Name Server to the list of root Name Servers that is referred to by all NetID Name Servers. To add a root Name Server, follow these steps: 1 Under the Setup root object, expand the Dictionary object. 2 Right-click the Root Name Servers object, and choose New Root Name Server from the menu. The Add Root Name Server dialog box appears. 3 In the IP Address field, type the IP address of the root Name Server. 4 In the Root Name Server field, type the name of the root Name Server. Managing IP Addressing in Nortel NetID

90 90 Chapter 4 Configuring Name Servers 5 Click OK. Deleting a root Name Server NetID users must have at least Child Propagate access to the Dictionary object to delete a root Name Server from the list of root Name Servers that is referred to by all NetID Name Servers. To delete a root Name Server, follow these steps: 1 Under the Setup root object, expand the Dictionary object, select the Root Name Servers object. The root Name Servers appear in the list area. 2 In the list area, right-click a root Name Server, and choose Delete Root Name Server from the menu. You are prompted to confirm the deletion. 3 Click OK.

91 91 Chapter 5 Managing domain names The Domain Name System (DNS) is name resolution software that associates meaningful hierarchical names (domain names) with network resources and retrieves resource record information based on those user-friendly domain names. For more information about how DNS operates, refer to Appendix A, Domain Name System, on page 337. Managing domain names involves the following tasks: Creating a domain name on page 91 Changing a domain name on page 93 Moving a domain name on page 98 Deleting a domain name on page 99 Note: Although the procedures in this chapter are primarily for NetID administrators, NetID users can also perform these procedures with the access privileges indicated at the beginning of each procedure. Refer to Chapter 2, Managing access privileges, on page 47, for more information about access privileges. Creating a domain name NetID users must have at least Child Propagate access to the Domain object to which they want to add a domain name. To create a new domain name, follow these steps: 1 Expand the Domain Names root object, and navigate to the domain to which you want to add a domain name. Managing IP Addressing in Nortel NetID

92 92 Chapter 5 Managing domain names 2 Right-click the domain name object, and choose New Domain from the menu. The New Domain Name dialog box appears. 3 In the Label field, type a new domain name (up to 63 characters long). 4 (Optional step) If you want to allow the new domain to have subdomains, enable the Subdomains Allowed check box. 5 Click OK. Creating wildcards for reverse zones If there are no PTR records in the in-addr.arpa zone, you can use wildcards to ensure that a DNS resolver receives an answer when it performs a reverse zone lookup. The asterisk (*) character is used to create a wildcard domain to apply to reverse zones. NetID users must have at least Child Propagate access to the Domain Names root object to create a wildcard domain. To create a wildcard for a domain, follow these steps: 1 In the tree area, right-click on the Domain Names object, and choose New Domain from the menu. The New Domain Name dialog box appears. 2 In the Label field, type the following: arpa 3 Enable the Subdomains Allowed check box. 4 Click OK to save the new domain. In the tree area, the arpa domain appears under the Domain Names root object. 5 Right-click on the arpa domain object, and choose New Domain from the menu. The New Domain Name dialog box appears.

93 Chapter 5 Managing domain names 93 6 In the Label field, type the following: in-addr 7 Enable the Subdomains Allowed check box. 8 Click OK. In the tree area, the in-addr domain object appears under the arpa domain object. 9 Right-click the in-addr object, and choose New Domain from the menu. The New Domain Name dialog box appears. 10 In the Label field, type the network or subnet number to which you want to apply a wildcard. 11 Enable the Subdomains Allowed check box. 12 Click OK. In the tree area, the new domain object appears under in the in-addr domain object. 13 Right-click the domain object you just created, and choose New Domain from the menu. The New Domain Name dialog box appears. 14 Type an asterisk (*) in the Label field. 15 Disable the Subdomains Allowed check box. 16 Click OK. Changing a domain name After you have created a domain name, you can change it in various ways. Changing a domain name can include any of the following tasks: Entering domain name custom field information on page 94 Adding a new resource record to a domain name on page 95 Managing IP Addressing in Nortel NetID

94 94 Chapter 5 Managing domain names Changing a resource record on page 96 Creating an alias on page 97 Entering domain name custom field information Domain name custom fields are used to associate pertinent information with a domain name object. For example, information such as the type of users or what division of the organization uses this domain name can be displayed. To enter information about a domain name in custom fields, the custom fields must already be created (refer to Defining a custom field on page 188). NetID users must have at least Update access to a domain name object to enter data into its custom fields. To enter custom field information for a domain name, follow these steps: 1 Expand the Domain Names root object, and navigate to the domain name for which you want to enter custom field information. 2 Right-click the domain name object, and choose Properties from the menu. The Domain Name Properties dialog box appears. You can also change custom field information for more than one domain name at the same time as long as the domain names have the same parent domain. Hold down the [Shift] key (to choose a block of contiguous domain names) or the [Ctrl] key (to choose a block of domain names that is not contiguous), and right-click the domain names for which you want to change custom field information. The custom field values you specify are applied to all of the selected domain names. 3 Click the Custom tab. 4 Type data in the Value fields, or choose a value from the drop-down list. Note: When custom fields are created, you can specify that only users with Admin access can edit them. Although NetID users without Admin access to the domain object cannot edit the custom fields, these fields will still appear in the New Domain Name or Domain Name Properties dialog boxes.

95 Chapter 5 Managing domain names 95 5 Click OK. Adding a new resource record to a domain name A resource record maintains information associated with a domain name such as the address, CNAME, and Well-Known Service (WKS). NetID supports Internet-class (IN) resource records. When certain procedures are performed in NetID, some resource record types are automatically generated. For example, an A record (Address) is generated when a user creates an IP address with a domain name; a CNAME (Canonical Name) is generated when a user creates a host alias; an NS (Name Server) is generated when a user creates a Name Server; and an SOA (Start of Authority) record is generated when a user creates a zone. However, you can also manually add resource record types to a domain name. Some of the resource record types that are automatically generated are standard and cannot be modified, but others are predefined and can be modified. (For information on managing predefined resource records, refer to Managing resource record types on page 309.) NetID users must have at least Update access to the domain name object to which they want to add a new resource record. To add a new resource record to a domain name, follow these steps: 1 Expand the Domain Names root object, and navigate to the domain name to which you want to add a resource record. 2 Right-click the domain name object, and choose Properties from the menu. The Domain Properties Name dialog box appears. 3 Click the Resource Record tab. 4 Click the Add button. A new field appears in the list. Managing IP Addressing in Nortel NetID

96 96 Chapter 5 Managing domain names 5 (Optional step) In the TTL field, type the time to live (in seconds) associated with the zone that contains the current domain name. Note: Normally you would leave this field blank to use the default time to live. For more information about a zone s time to live, refer to Chapter 9, Managing DNS zones, on page From the Type drop-down list, choose the resource record type. 7 In the Record Data field, type the appropriate information. The Syntax area at the bottom of the dialog box displays the format used by the resource record, as determined by the Type selected. For example, if you select MB (mail box) from the Type drop-down list, the following appears in the Syntax area: IN <ttl> MB <Mail Box Host (Domain Name)> The first three elements are the class, time to live, and type information you have already selected. The last element indicates what you should type in the Record Data field. In this case, you need to type the domain name of the mail box host. 8 To add more resource records, repeat steps 4 through 8. 9 (Optional step) To delete a resource record, select the record from the list that you want to delete, and click the Remove button. 10 Click OK. NetID validates the entry. If any errors are detected, a message appears. Changing a resource record You can change a resource record associated with a domain name by updating its time-to-live value and the information that appears in the Record Data field. You can also delete a resource record associated with a domain name. NetID users can change or delete resource record information for a domain name if they have at least Update access to that domain name object. To change a resource record, follow these steps:

97 Chapter 5 Managing domain names 97 1 Expand the Domain Names root object, and navigate to the domain name with those resource records you want to change. 2 Right-click the domain name object, and choose Properties from the menu. The Domain Name Properties dialog box appears. 3 Click the Resource Record tab. 4 Click the TTL field and type a new value. 5 Click the Record Data field and type a new value. 6 (Optional step) If you want to delete a resource record, select the record from the list, and click the Remove button. 7 Click OK. Note: You cannot change or delete resource records that have been added through dynamic DNS. However, you can view key information pertaining to these records by selecting the record in the list and clicking the Show button beside the DDNS field entry. Creating an alias An alias is another domain name that is associated with an IP address or domain name (CNAME). Aliases allow you to associate multiple domain names with a single IP address. NetID users must have at least Update access to the domain name object for which they want to create an alias. To create an alias, follow these steps: 1 Expand the Domain Names root object, and navigate to the domain name for which you want to create an alias. 2 Right-click the domain name object, and choose Properties from the menu. The Domain Name Properties dialog box appears. 3 Click the Aliases tab. 4 Click the Add button. Managing IP Addressing in Nortel NetID

98 98 Chapter 5 Managing domain names A new row appears in the list. 5 In the Domain Name field, type a new host name. You can also click the Look up Domain Name button to choose a domain name from the Domain Name Lookup dialog box. 6 In the Time To Live field, type a value (in seconds). Normally you would leave a 0 in this field to use the default time to live. The default time to live is the minimum specified for the zone. You can also click the clock button to set the time in days, minutes, hours, and/or seconds in the Time dialog box. The values you enter are converted into seconds. 7 If you are creating an alias with a canonical name type resource record, choose Yes from the CNAME drop-down list. If you are using duplicate address type resource records, choose No. CNAME creates a link between the alias name and the primary domain name with a CNAME-type resource record. A non-cname address (copy address) creates a direct link between the alias name and the address with an Address-type resource record. 8 (Optional step) To remove any aliases associated with the domain name, select the alias from the list, and click the Remove button. 9 Click OK. Moving a domain name You can move domain names to other domains or subdomains. This process also allows you to rename a domain name. NetID users must have at least Propagate access to both the parent domain they are moving the domain name from and the parent domain they are moving the domain name to. To move a domain name, follow these steps:

99 Chapter 5 Managing domain names 99 1 Expand the Domain Names root object, and navigate to the domain name you want to move. 2 Right-click the domain name object, and choose Move Domain from the menu. The Move Domain Name dialog box appears. 3 In the Parent Domain Name field, type a new parent domain name. You can also click the look up button to choose a parent domain name from the Domain Name Lookup dialog box. 4 (Optional step) If you want to rename the domain name, type a new name in the Label field. 5 Click OK. Deleting a domain name To delete a domain name object, NetID users must have at least Child Propagate access to that object s parent domain name object. To delete a domain name, follow these steps: 1 Under the Domain Names root object, navigate to the domain name you want to delete. 2 Right-click the domain name object that you want to delete, and choose Delete Domain from the menu. You are prompted to confirm the deletion. 3 Click OK. Caution: When you delete a domain name, you are also deleting all of its subdomains and associated resource records. Therefore, you could delete a large amount of information that you cannot recover without restoring a backup copy of the database. Managing IP Addressing in Nortel NetID

100 100 Chapter 5 Managing domain names

101 Chapter 6 Managing networks and subnets 101 Nortel NetID allows you to set up and manage networks through the Management Console. The Management Console graphically displays networks in a hierarchical manner to simplify their administration. All of the primary network components -- Networks, Subnets, Host Addresses, and Host Address Ranges -- are found under the IP addresses root object (Figure 2). Figure 2 IP Addresses root object Network object Subnet object IP addresses root object Host address Address range Managing IP Addressing in Nortel NetID

102 102 Chapter 6 Managing networks and subnets Subnetworking Subnetworking is the process of dividing your network address space into smaller, more manageable, areas called subnets. Subnets are functionally independent from one another, but share a common network address. Subnets can correspond to a variety of areas of your organization: offices in other regions, floors in your building, or groups of employees, such as accounting or sales, who share common tasks. A network can use one of the following types of subnetworking: No subnetworking -- Allows you to keep your network address space undivided and to create all IP addresses from a single network You cannot add subnets to your network or divide your network into subnets. When you choose no subnetworking, a single subnetwork is automatically created as a placeholder so that you can define the default domain name. Each time that you add a new host to the network, the default domain name automatically appears in the host name field, so you don t need to type it in. Fixed-length subnetworking -- Allows you to divide your network into subnets that each contain the same number of IP addresses Each time you create a new subnetwork, the next available subnetwork number is used. Fixed-length subnetworking is easy to manage, but it can result in a lot of unused address space. Certain routing protocols such as Routing Information Protocol (RIP) and Internet Gateway Routing Protocol (IGRP) require you to use fixed-length subnetworking. Variable-length subnetworking -- Allows you to divide your network into subnets that may each contain a different number of available IP addresses When you first create a network using variable-length subnetworking, a single subnetwork that spans the entire host address space is created. You can recursively partition any subnetwork into a number of equal-sized pieces. One of the advantages of variable-length subnetworking is that you waste less address space than with fixed-length subnetworking. Traditionally, one of the major disadvantages of variable-length subnetworking is that it is easy to make mistakes partitioning a network that already has assigned addresses. NetID helps to minimize this problem by automatically calculating the valid partitions for the subnet.

103 Chapter 6 Managing networks and subnets 103 Network classes and CIDR There are A, B, and C classes of networks, and each class uses a certain number of bits for the network ID portion of an IP address. Since a 32-bit IP address is composed of a network ID and a host ID, the number of bits used for the network number affects the number of hosts available. For example, class A networks use 8 bits and have a maximum of 16,777,214 hosts, class B networks use 16 bits and have a maximum of 65,534 hosts, and class C networks use 24 bits and have a maximum of 254 hosts. Classless Interdomain Routing (CIDR) allows you to override the distinction of network classes by decreasing or increasing the number of contiguous bits in the network portion of the subnet mask. Decreasing the number of contiguous bits increases the number of hosts available on the network; increasing the number of contiguous bits decreases the number of hosts available on the network. You may want to use the CIDR feature in NetID to divide a class A network into smaller, more manageable portions, or to combine a number of class C networks into one CIDR block. Subnet mask A subnet mask is used to allow separate physical networks to share one network number. It is a 32-bit number that matches up with a network address and uses part of that address host ID field to identify subnets. A bit-wise logical AND between a network address and its subnet mask produces the subnet number. When you create a network with fixed-length subnetworking, you must set the subnet mask length. The subnet mask length indicates the number of contiguous bits in the subnet mask, including the network portion of the mask. NetID does not support discontinuous network masks or supernetworking. Managing networks Managing networks in NetID involves the following tasks: Adding a network on page 104 Changing a network on page 106 Managing IP Addressing in Nortel NetID

104 104 Chapter 6 Managing networks and subnets Deleting a network on page 106 Adding a network NetID users can add a network using the Management Console if they have at least Child Propagate access to the IP Addresses root object. To add a new network, follow these steps: 1 In the tree, right-click the IP Addresses root object, and choose New Network from the menu. The New Network dialog box appears. 2 In the Network Number field, type the network number. You must enter the network number in IP address dotted-decimal format (###.###.###.###), with or without trailing zeros. If the number contains fewer than four components, NetID assumes that the remaining components are trailing zeros. For a Class A network, the first available network number is 1 and the last available network number is 126. For a Class B network, the first available network number is and the last available network number is For a Class C network, the first available network number is and the last available network number is Note: The American Registry of Internet Numbers (ARIN), Reseaux IP Europeens (RIPE), or the Asia Pacific Network Information Center (APNIC) are responsible for all Internet address assignment and allocation. When an organization registers its IP address with one of these bodies, that organization will be assigned a single, specific network number (typically a Class C network number). 3 In the Network Name field, type a name. 4 Click one of the following Subnet Type option buttons: Variable -- Allows variable-length subnets Fixed -- Allows fixed-length subnets or no subnetworking

105 Chapter 6 Managing networks and subnets 105 If you choose fixed-length subnetworking, you must type the mask length in the Mask Length field beside the Fixed option button. The mask length for a fixed-length subnet determines the number of hosts per subnet. Increasing the number in the Mask Length field adds contiguous bits to the non-host portion of the subnet mask, which decreases the number of hosts available by half and increases the number of subnets by half. For example, if you change the mask length from 23 to 24, the number of subnets will increase from 128 to 256, but the number of hosts will decrease from 512 to 128. The resulting subnet mask is displayed in the Mask Length field. If you exceed the minimum bit number required for the subnet mask, the Mask value in the Subnet Type area is declared invalid, and an error message will appear when you try to save the network. Note: If you are using no subnetworking, you should set the mask length to the natural subnet mask. For a Class A network, the natural subnet mask is For a Class B network, the natural subnet mask is For a Class C network, the natural subnet mask is If you want to use Classless Interdomain Routing to increase the number of hosts available on the network (refer to Network classes and CIDR on page 103), enable the Classless Network check box. If you do not want to use CIDR, go to step 8. 6 In the Classless Network area, type a number in the Mask Length field. Decreasing the number in the Mask Length field subtracts contiguous bits from the non-host portion of the network mask, effectively increasing the number of hosts available. Each time you subtract a number, you double the size of the network. Accordingly, increasing the number in the Mask Length field decreases the number of hosts. Managing IP Addressing in Nortel NetID

106 106 Chapter 6 Managing networks and subnets You can decrease the number only within a valid range, to avoid overlapping with another network. If you exceed the minimum bit number required for the CIDR mask, the mask value in the Classless Network area is declared invalid, and an error message will display when you try to save the network. Also, if you are using a fixed-length network with CIDR, the network mask length must be equal to or smaller than the length of the subnet mask length, or it will be declared invalid. 7 (Optional step) If you want to grant access privileges to the subnets on the network before the network is created, click the Access tab, and follow the steps in Granting a user or a group access to an object on page Click OK. The new network appears in the network list. Note: If you are using CIDR, you will notice that numerous inverse address (in-addr.arpa) zones may be created. This is because inverse address mappings are still based on network classes. If your CIDR block includes four Class C networks, you will see four in-addr.arpa zones. If you have divided a Class B network into smaller CIDR blocks, you will have numerous in-addr.arpa zones to correspond to the equivalent number of Class C networks. See Managing DNS zones on page 171 for information about DNS zones. Changing a network After you have created a network, you can change it in various ways. Changing a network can include either of the following tasks: Changing the name of a network (refer to Adding a network on page 104) Changing the DHCP options associated with the network (refer to DHCP/ BootP option precedence on page 165) Deleting a network NetID users can delete a network if they have at least Child Propagate access to the IP Addresses root object.

107 Chapter 6 Managing networks and subnets 107 To delete a network, follow these steps: 1 In the tree area, right-click the network object you want to delete, and choose Delete Network from the menu. You are prompted to confirm the deletion. 2 Click OK. All the IP addresses on the network are deleted, as well as, by default, the domain names and all associated resource records, unless the domain name has subdomains. You can set options for deleting IP addresses and domain names in the System Options dialog box (refer to Setting options for deleting addresses on page 303). Caution: When you delete a network, a lot of information is removed from the database that cannot be recovered without restoring a backup copy of the database. Even if a hold time for deleted addresses is specified (refer to Setting options for deleting addresses on page 303), deleting hosts with a network beneath them removes them from the database. Managing subnets A network address space can be divided into smaller segments known as subnetworks, or subnets. Subnets are functionally independent from one another, but share a common network address, thereby simplifying network administration. For more information on subnet characteristics, refer to Subnetworking on page 102. Managing subnets in NetID involves the following tasks: Adding a subnet on page 108 Changing a subnet on page 109 Partitioning a subnet on page 114 Joining a subnet on page 115 Deleting a subnet on page 116 Managing IP Addressing in Nortel NetID

108 108 Chapter 6 Managing networks and subnets Adding a subnet Although subnets can be created when the original network is created, they can also be created later by adding a subnet to a network that uses fixed-length subnetworking. For a network that uses variable-length subnetworking, you must add subnets by partitioning existing subnets (refer to Partitioning a subnet on page 114). NetID users can add a subnet to a network if they have at least Child Propagate access to that network object. To add a subnet in a fixed-length network, follow these steps: 1 Right-click the network object to which you want to add a subnet, and choose New Subnet from the menu. The New Subnet dialog box appears. 2 Accept the number displayed in the Subnet Number field, or type in a new number. This field is automatically filled with the next available subnet number, based on a reverse-binary counting scheme. You can change the field to any valid unallocated subnetwork on the selected network. The host address portion of the IP address will usually be 0. 3 Type a name in the Subnet Name field. 4 Type a default domain name in the Default Domain Name field. The name you type in the field must be a valid domain name that already exists in the domain name tree. You can also enter a domain name in this field by clicking the Domain Name Lookup button. The Domain Name Lookup dialog box appears. Select a domain name, and click OK. The information in the Default Domain Name field is appended to all hosts created on the subnet. NetID users will see only domains that they have at least Read access to. 5 Click OK.

109 Chapter 6 Managing networks and subnets 109 Changing a subnet After you have created a subnet, you can change it in various ways. Changing a subnet can include any of the following tasks: Enabling multinetting on page 109 Entering subnet custom field information on page 111 Applying subnet model information on page 112 Changing the access privileges to the network (refer to Controlling access privileges on a per-object basis on page 59) Note: To change multiple subnets in a single operation, hold down the [Shift] key (to choose a contiguous group of subnets) or the [Ctrl] key (to choose a group of subnets that is not contiguous), then right-click all of the subnets in the list area that you want to update. When you change a value in any of the fields in the Multi-Update Subnet dialog box, that new value is applied to all of the subnets you selected. Enabling multinetting Multinetting is a process that allows you to have multiple subnets on the same physical interface. You can use multinetting in the following circumstances: You are running out of address space You are readdressing a network and want the same host to have an address on both the old and the new subnets You are using a restricted network overlay (such as a different class of devices on the same physical interface) You use the Multinetting tab to group logical subnets into a multinetting list. NetID users can enabling multinetting if they have at least Update access to the primary subnet object and any subnet objects they want to add to the multinetting list. To enable multinetting, follow these steps: Managing IP Addressing in Nortel NetID

110 110 Chapter 6 Managing networks and subnets 1 Under the IP Addresses root object, navigate to the subnet that you want to multinet. This subnet will be considered the primary subnet. It will facilitate communication between any subnets that are added to the multinetting list. 2 Right-click the subnet object, and choose Properties from the menu. The Subnet Properties dialog box appears. This subnet will be considered the primary subnet and it will facilitate communication between any subnets that are added to the multinetting list. 3 Click the Multinetting tab. 4 Enable the Use Multinetting check box, and click the Add button. A row appears in the list. 5 In the Subnet Number column of the new row, type a subnet number. You can also click the Lookup icon to choose a subnet from the hierarchical list in the IP Addresses dialog box. 6 Repeat steps 4 and 5 to add additional subnets. 7 (Optional step) To remove a subnet from the list, select it, and click the Remove button. 8 Click OK. The multinetting information for the subnet or subnets you have entered in the multinetting tab is automatically updated. For example, if you have added subnets B and C to subnet A (through A s multinetting tab), subnet A and C will automatically be added to subnet B s multinetting tab and subnet A and B will automatically be added to subnet C s multinetting tab. Caution: If a primary subnet is removed from the multinetting list through the Multinetting tab of a dependent subnet, the link between the remaining subnets is also removed, and addressing problems will arise. Subnets should also be added only through the primary subnet to ensure proper connectivity.

111 Chapter 6 Managing networks and subnets 111 Note: If you assign a subnet that is already in a multinetting pool to another multinetting pool, only that subnet is assigned to the new pool, not the other subnets in its pool. When you make a subnet equivalent to another subnet, all of its existing equivalencies are lost. Entering subnet custom field information Subnet custom fields are used to associate pertinent information with a subnet. For example, information such as the types of devices hosted on that subnet or what division of the company that subnet is dedicated to can be displayed. NetID users must have at least Update access to the subnet object to enter data into the custom fields. However, to create the custom field definitions, NetID users must have at least Child Propagate access to the Dictionary object (refer to Defining a custom field on page 188). To enter custom field information for a subnet, follow these steps: 1 Under the IP Addresses root object, navigate to a subnet. 2 Right-click the subnet object, and choose Properties from the menu. The Subnet Properties dialog box appears. 3 Click the Custom tab. 4 Type data in the Value fields, or choose a value from the drop-down list. Note: When custom fields are created, you can specify that only administrators can edit them. Although NetID users cannot edit Administrator-only custom fields, these fields will still appear in the New Subnet or Update Subnet dialog box. 5 Click OK. Managing IP Addressing in Nortel NetID

112 112 Chapter 6 Managing networks and subnets Applying subnet model information A subnet model classifies hosts on a subnet by type and defines default host attributes. Subnet models associate address ranges with host types and set attributes for new hosts through the automatic application of host and DHCP option templates. Subnet models can also provide automatic naming through the automatic application of host templates. Templates allow you to specify a common set of information once and copy it to multiple records. If you want to use templates, you must create them before you apply subnet model information to a subnet. For more information, refer to Chapter 11, Managing templates, on page 193. NetID users can apply subnet model information to hosts on a subnet if they have at least Child Propagate access to that network object (if they are creating the subnet object), or if they have Update access to the subnet object (if they are updating an existing subnet object). To apply subnet model information to hosts on a subnet, follow these steps: 1 Under the IP Addresses root object, navigate to a subnet. 2 Right-click the subnet object, and choose Properties from the menu. The Subnet Properties dialog box appears. 3 Click the Model tab. 4 Click the Add button. A new row appears in the list of subnet model entries. You can also click the Apply Template button to add subnet model information from an existing template to the list. The Subnet Model Templates dialog box appears. Select the template that you want to apply to the subnet, and click OK. The subnet model values appear in the list. You can modify the information using the following steps. 5 In the Host Type field, type a name to indicate the kind of host for which you are creating the subnet model information (for example, router or pc ). 6 In the Start Offset field, type a number to indicate where the portion of address range you are reserving for the host type will begin.

113 Chapter 6 Managing networks and subnets 113 The value specified indicates how far offset the address range will be from the initial IP address in the subnet. For example, if a template with a start offset number of 100 is applied to a subnet of , the reserved range would begin at To use the lowest available address on the subnet (for this example, ), type a zero. 7 In the End Offset field, type a number to indicate where the portion of the address range you are reserving for the host type will end. The value specified indicates how far offset the address range will be from the initial IP address in the subnet. For example, if a template with an end offset number of 200 is applied to a subnet of , the reserved range would end at Therefore, when a start offset number of 100 and an end offset number of 200 are specified, a range from would be reserved. To use the highest available address on the subnet (in this example ), type a zero. 8 Click the button in the Host Template field. The Host Template Lookup dialog box appears. 9 Select a host template object from the Host Templates tree, and click OK. This applies the host template values to all addresses created in this subnet model template. 10 From the Option Template list, select the DHCP option template you want to apply. The Host and Option template fields identify the templates that NetID will apply to the new hosts when it creates them. 11 In the Name column, choose one of the following options: Non Editable -- Requires hosts to accept the domain name that NetID assigns Editable -- Does not require hosts to accept the domain name NetID assigns 12 In the Address column, choose one of the following options: Managing IP Addressing in Nortel NetID

114 114 Chapter 6 Managing networks and subnets Non Editable -- Requires hosts to accept the address that NetID assigns Editable -- Does not require hosts to accept the address that NetID assigns 13 (Optional steps) Enable any of the following check boxes: Allow Overlapping Offset Values For Address Assignment -- Allows ranges of addresses for host types to overlap so multiple host types can occupy the same range By default, NetID does not allow the range of addresses for host types to overlap. Enforce All Names -- Requires hosts to accept the automatically assigned domain name If you selected Editable in the Name column, this value will be overridden. Enforce All Addresses -- Requires hosts to accept the automatically assigned address If you selected Editable in the Address column, this value will be overridden. 14 (Optional step) To delete a host type, click the host type, and click Remove. 15 Click OK. Partitioning a subnet A network using variable-length subnetworking treats the entire host address space as a partitionable pool of addresses. Each partition is considered a subnet, and users can further partition these subnets into a number of smaller subnets. When you partition a subnet, all of the properties of the original subnet are copied to the new subnets. In addition, the same access privileges granted to specific users and groups for the original subnet will be copied to the new subnets. Therefore, you may want to note the access privileges that have been granted to the original subnet object before you partition it. (To find out what access privileges are granted to the subnet object, refer to Access privileges report on page 273.) NetID users can partition a subnet if they have at least Child Propagate access to the network object to which the subnet belongs.

115 Chapter 6 Managing networks and subnets 115 To partition a subnet, follow these steps: 1 Under the IP Addresses root object, navigate to the subnet that you want to multinet. 2 Right-click the subnet object, and choose Partition Subnet from the menu. The Partition Subnet dialog box appears, displaying all of the valid partitions for the subnet that you selected. Note: Occasionally you may not be able to partition a subnet that already has assigned addresses. For example, if more than half of the possible IP addresses available in a subnet are allocated, then even two partitions (the minimum possible number of partititons) are not possible. 3 In the Partition column, select the number of partitions you want to apply to the subnet. When you partition a subnet, the first and last addresses for each partition are reserved. Therefore, if an assigned IP address is the same as one of these reserved addresses, the partition is not valid, and it will not be displayed in the Partition column. So, if you have a subnet that already has many assigned addresses, you occasionally may not be able to partition it. 4 Click OK. Any assigned addresses are moved to the appropriate new partition. Subnet partitions cannot result in a host address with all zeros or all ones in the host component when the address is in binary format. 5 Set the subnet information by following these procedures: Enabling multinetting on page 109 Entering subnet custom field information on page 111 Applying subnet model information on page 112 DHCP/BootP option precedence on page 165 Joining a subnet You can join multiple variable-length subnets to make a single subnet. Managing IP Addressing in Nortel NetID

116 116 Chapter 6 Managing networks and subnets When subnets are joined, all of the subnets become incorporated into a single segment. All hosts on the partitioned subnets are moved to the same joined subnet. The new segment will use the custom field and DHCP option data held by the first segment (the one that had the lowest IP addresses). In addition, the access privileges held by that first segment will be applied to the new, joined segment. For example, if you join the subnet to , the resulting subnet would have the custom field and DHCP option data, and access privileges for those for would be subsumed when the two segments are joined. Therefore, you may want to note the access privileges that have been granted to the original subnet objects before they are combined into a larger object. (To find out the access privileges granted to the subnet object, you can run an access privileges report; refer to Access privileges report on page 273.) To join a subnet, follow these steps: 1 In the tree or list area, hold down the [Shift] key (to choose a contiguous group of subnets) or the [Ctrl] key (to choose a group of subnets that is not contiguous), and then right-click all of the subnets you want to join. 2 From the Options menu, choose Join Subnet. The Join Subnet dialog box appears. 3 From the list, select the subnets that you want to join. 4 Click OK. Deleting a subnet You can delete subnets on networks that use fixed-length subnetworking. To delete a variable-length subnet, you must actually join it to another variable-length subnet. For more information on joining variable-length subnets, refer to Joining a subnet on page 115. NetID users can delete a subnet if they have at least Child Propagate access to the network object to which the subnet belongs. To delete a subnet, follow these steps: 1 Under the IP Addresses root object, navigate to a subnet.

117 Chapter 6 Managing networks and subnets Right-click the subnet object, and choose Delete Subnet from the menu. Caution: Deleting hosts with a subnet removes them from the database even if you specified a hold time option in the System Options dialog box (refer to Setting options for deleting addresses on page 303 for more information). You are prompted to confirm the deletion. 3 Click OK. Managing IP Addressing in Nortel NetID

118 118 Chapter 6 Managing networks and subnets

119 Chapter 7 Managing host addresses 119 A host address, or an IP address, is the smallest object displayed under the IP Addresses root object in the Management Console. A host address can be static (it is manually assigned to a network device) or it can be dynamic (it is automatically assigned to a network device only for a given period). A host address can also reside directly on a subnet or it can be grouped together with other host addresses on a range. There are three types of address ranges in NetID: static, dynamic, and reserved. Figure 3 Management Console with expanded subnet objecttree Static range Dynamic range Reserved range Host Address Managing host addresses involves the following tasks: Adding a host address on page 120 Managing IP Addressing in Nortel NetID