Windows Server 2008 R2 networking

Transcription

1 Chapter3 Widows Server 2008 R2 etworkig Orgaizatios large ad small deped o computer etworks to operate their busiesses. Employees require aywhere access to data, while cliets ad busiess parters demad ehaced collaboratio ad real-time commuicatios. The eed for fast, depedable, ad feature-rich etworks has ever bee greater. As a Widows admiistrator, you eed to have the skills ecessary to maage, moitor, ad troubleshoot etworks. Eve if you work i a orgaizatio with a separate etwork team, it is crucial that you uderstad how etworks operate ad how Widows relies o the etwork to esure availability of critical busiess services ad applicatios ad provides several etwork features itself. This chapter covers the etworkig features available i Widows Server 2008 R2 as well as guidace for plaig ad settig up a Widows Server 2008 R2 etwork. You will also lear how to pla ad set up services such as Remote Access, Domai Namig System (DNS), ad Dyamic Host Cofiguratio Protocol (DHCP). This chapter will coclude with a overview of some commo etwork maagemet ad moitorig tools. OVERVIEW OF WINDOWS SERVER 2008 R2 NETWORKING Microsoft has ehaced may of the core etwork features with the release of Widows Server 2008 ad 2008 R2. Widows Server 2008 R2 also comes with some ewly added features that deliver greater security, reliability, ad a better ed-user experiece. Network ad Sharig Ceter The Network ad Sharig Ceter is the ew cetral cosole to cofigure ad maage etwork settigs i Widows Server 2008 R1, Widows Vista, Widows Server 2008 R2, ad Widows 7. It icludes optios that allow you to maage etwork adapters, eable or disable file sharig, chage etwork locatio settigs, ad troubleshoot coectio problems. We will explore the Network ad Sharig Ceter i more detail later i this chapter. 73

2 74 CHAPTER 3 Widows Server 2008 R2 etworkig Redesiged TCP/IP Network Stack Widows Server 2008 R2 icludes what Microsoft calls The Next Geeratio TCP/IP Stack. Durig the developmet of Widows Server 2008, Microsoft chose to completely redesig the TCP/IP stack to improve performace, add ew features for IP versio 4 (IPv4), ad to iclude support for IP versio 6 (IPv6). The redesig icludes ew features such as: Fail back support for default gateways Widows Server 2003 ad Widows XP provided the ability to add multiple default gateways for redudacy. If oe gateway became ureachable, Widows could fail over to a backup default gateway. Widows Server 2003 ad Widows XP did ot, however, provide a automatic check of the ureachable gateway to determie whe it came back olie. A admiistrator would have to maually fail back the computer to the origial gateway. Widows Server 2008 itroduces the ability to have the computer perform regular checks of a dead or ureachable gateway. Oce the gateway becomes reachable agai, the computer will fail back to the origial gateway automatically. TCP chimey off-load As etworks have advaced over the years, so has the amout of processig required to maage ad maitai etwork coectios. Sigificat icreases i CPU utilizatio have bee see whe performig large data trasfers, such as those see durig backups ad o iscsi Storage Area Network (SAN) coectios. Typically, this icreased utilizatio is see o 1-gigabit ad 10-gigabit coectio speeds. To address this issue, Microsoft developed the ability to off-load all TCP coectio processig to a TCP Off-load Egie (TOE) card. TOE cards are special etwork adapters built specifically to off-load TCP traffic from the computer s mai CPU. This allows the TOE card to carry the additioal processig load, freeig up the computer s primary CPU for other processig requests. Network Diagostics Framework The Network Diagostics Framework helps to locate ad diagose etwork coectivity problems ad i may cases it will take the ed-user through a series of steps to fid the cause of coectivity loss ad fix it. It ca help resolve several commo issues, such as IP address coflicts, dead default gateways, stopped DHCP cliet services, or discoected media. DNS ehacemets Widows Server 2008 ow icludes ew DNS features icludig IPv6 support ad the GlobalNames zoe. The GlobalNames zoe provides sigle-label ame resolutio without the eed for a dedicated Widows

3 Overview of Widows Server 2008 R2 etworkig 75 Iteret Namig System (WINS) deploymet. DNS desig ad deploymet will be discussed i detail later i this chapter. NOTES FROM THE FIELD The Widows Iteret Namig System (WINS) For those who are ufamiliar with WINS; it was origially developed to support ame resolutio over Widows etworks separated by wide area etwork (WAN) liks. WINS provided ame resolutio of NETBIOS ames before DNS became the primary techology used for computer ame resolutio. Though ot as prevalet, WINS ca be see o a lot of Widows etworks today supportig legacy NETBIOS based applicatios. The ew GlobalNames zoe is Microsoft's solutio to help traditioal WINS deploymets to move to DNS techologies for ame resolutio. Policy-based QoS Traditioally, Quality of Service (QoS) has bee set up to throttle or prioritize traffic betwee etwork switches ad routers; however, Policybased QoS i the Widows Server 2008 R2 allows admiistrators to deploy these features to servers ad desktops. This ability opes the door to more ehaced etwork badwidth maagemet. Policy-based QoS will be explored i more detail later i this chapter. SMB 2.0 Server Message Block (SMB) 1.0 was origially developed for sharig files i Widows operatig systems. SMB 2.0 was released as part of the Widows Server 2008 R1 ad Vista operatig systems, ad remais i 2008 R2 ad Widows 7 today. SMB 2.0 has greatly bee ehaced to icrease the performace of SMB file traffic. Copyig files betwee two SMB 2.0 capable systems occurs at much greater speeds as those see usig SMB 1.0. Several ehacemets to SMB, such as the ability to perform multiple operatios at the same time, make it more efficiet. SMB 1.0 would perform oly oe operatio ad wait for a respose before movig to the ext. SMB 2.0 ca issue two to three operatios or more makig it more efficiet ad faster i the eyes of the ed-user. A additioal beefit to SMB 2.0 is that it also has the ability to sustai a file trasfer eve if a brief etwork discoect occurs. Have you ever bee i the middle of a very large file trasfer, ad suddely the etwork coectio briefly drops? Do you remember the frustratio of havig to start the file trasfer all over agai? SMB 2.0 ca automatically maitai the file trasfer durig that brief coectivity drop ad cotiue copyig files after the coectivity is restored. SMB 2.0 is available i Widows

4 76 CHAPTER 3 Widows Server 2008 R2 etworkig Server 2008, Widows Server 2008 R2, Widows Vista, ad Widows 7 operatig systems. You may be woderig, What happes if I trasfer a file betwee a SMB 2.0 capable system ad a SMB 1.0 capable system, such as Widows XP? I this situatio, the file trasfer process will use the 1.0 versio of SMB providig backward compatibility to the older operatig system. Widows Firewall Microsoft first icluded the Widows Firewall i Widows Server 2003 ad Widows XP. The Widows Firewall i Widows Server 2003 provides the ability to lock dow certai ports ad applicatios resultig i a greater level of security ot oly for applicatios but also for the server system as a whole. Though the Widows Firewall was a great additio from a security stadpoit, it did have a few shortcomigs. The firewall was cumbersome to cofigure at times, especially for less experieced Widows admiistrators. It also filtered oly traffic icomig to the server, so all outboud coectios were allowed by default. Widows Server 2008 R1 ad R2 iclude a ew versio of the Widows Firewall with a much improved admiistrative experiece. The Widows Firewall has bee cofigured usig a cosole built ito the Server Maager iterface (see Figure 3.1). The firewall ow has the ability to filter both iboud ad outboud coectios. Additioally, Widows Server 2008 R2 services ad some applicatios will automatically create ecessary firewall rules to esure that they ca commuicate properly with the etwork. Additioally, the firewall has APIs which allow applicatio developers to publish their ow exceptio requiremets to the firewall durig istallatio of their give applicatio. The firewall ca also be chaged o a peretwork iterface, opposed to a particular rule or cofiguratio applyig to all iterfaces. You will lear about the Widows Firewall i detail i Chapter 10. IPv6 support IPv6 is the ext geeratio IP protocol desiged to evetually replace IPv4. Widows Server 2008 R2 atively supports both IPv6 ad IPv4 out-of-box. Both are istalled ad eabled by default i Widows Server 2008 R2. As with most techologies, support for IPv4 will cotiue to be required for several years but i the ear future IPv6 may very well become the IP stadard. To assist orgaizatios i movig to IPv6, Widows Server 2008 R2 icludes several stadards-based IPv4 to IPv6 trasitio techologies such as Teredo, 6to4, ad IP-HTTPS, all of which

5 Overview of Widows Server 2008 R2 etworkig 77 FIGURE 3.1 Widows Server 2008 R2 Firewall Cofiguratio. will be covered i more detail later i this book. We will explore IPv6 i a little more detail later i this chapter. Network awareess Widows Server 2008 R2 has the ability to sese chages i etwork coectivity, whether this is coectig ad discoectig o the same etwork or pluggig ito a differet etwork altogether. The Network Awareess APIs i Widows Server 2008 R2 allow developers to write applicatios that ca rely o this etwork state chage moitorig ad react whe chages occur. For example, a applicatio may require a coectio to the corporate etwork for certai features to fuctio properly. Usig Network Awareess APIs, the developer could istruct the applicatio to display oly those features whe it detects that the computer is coected to the corporate LAN.

6 78 CHAPTER 3 Widows Server 2008 R2 etworkig Network Access Protectio Network Access Protectio (NAP), origially released i Widows Server 2008 R1, is a techology that esures that computers o your etwork comply with IT health policies. NAP makes sure that cliet computers have curret operatig system updates istalled, ativirus software ruig, ad custom cofiguratios related to esurig that the cliet is compliat with corporate IT policies. NAP restricts the computer s etwork access util it verifies whether the cliet is i compliace. If the computer is foud ot to be i compliace with set policies, the ed-user ca be offered a way to remediate the problem ad the grated full etwork access. DirectAccess DirectAccess is a ew feature itroduced i Widows Server 2008 R2 ad Widows 7. DirectAccess provides ed-users with costat, secure coectivity to the corporate etwork aytime a Iteret coectio is available ad without the eed for traditioal Virtual Private Network (VPN) cliet software istalled. This coectio ot oly gives ed-users easy access to the compay etwork, but also provides systems such as cofiguratio maagemet ad software distributio server s access to the PC. This is a Wi-Wi feature for ed-users ad IT departmets alike. DirectAccess is accomplished by creatig a secure tuel betwee the Widows 7 workstatio ad the Widows Server 2008 R2 etwork. We will be lookig at DirectAccess i more detail i Chapter 13 as part of the Widows Server 2008 R2 ad Widows 7 Better Together story. Explorig Network ad Sharig Ceter The Network ad Sharig Ceter is the ew cetral cosole for maagig TCP/IP etwork coectivity ad features, such as Widows File sharig. The ew Network ad Sharig Ceter is the oe-stop shop to view, maage, ad troubleshoot your etwork coectivity i Widows Server 2008 R2. The Network ad Sharig Ceter ca be accessed via a few methods. It ca be accessed via the cotrol pael uder the Network ad Iteret sectio (see Figure 3.2), by right clickig o a etwork coectio i the system tray or by right clickig o the Network optio i the Start meu ad choosig properties. You will otice several optios preseted whe you first ope the Network ad Sharig Ceter. I the top middle sectio of the widow, you will see a basic coectivity map as see i Figure 3.3. The simple map provides a visual represetatio of etwork coectivity from the operatig system s

7 Overview of Widows Server 2008 R2 etworkig 79 FIGURE 3.2 Network ad Sharig Ceter. perspective. This icludes the ability to access a local etwork ad the Iteret. If the server fails to coect to either of these, the map will display the problem area with a red discoected status. The coectivity map may vary slightly depedig o what type of etwork your computer is coected to. FIGURE 3.3 Simple Network Map of Domai Joied Computer.

8 80 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.4 Network Coectivity. Below the coectivity map, you will see a sectio that lists the ame ad type of the etwork you are coected to alog with the media (wired or wireless) providig the coectio (see Figure 3.4). By clickig o ay coected media type, you ca view the status of the coectio as well as make cofiguratio chages, such as disablig the etwork adapter or settig the IP address. Movig dow the widow, you will see a sectio amed Chage your etwork settigs (see Figure 3.5). Here you ca chage various aspects of your etwork coectio, icludig settig up a ew coectio to a remote etwork via VPN or dial-up, coectig to a existig etwork, or diagosig curret etwork problems. The left-had sectio of the Network Sharig Ceter provides liks to the followig etwork ad cofiguratio settigs: Chage adapter settigs This lik opes the etwork coectios widow. Here you ca perform tasks such as disablig/eablig etwork adapters, ad assigig IP addresses ad protocols to those adapters. Chage advaced sharig settigs This lik takes you to the widow that allows you to tur etwork sharig, etwork discovery, ad public FIGURE 3.5 Chage Network Settigs.

9 Overview of Widows Server 2008 R2 etworkig 81 folder sharig o ad off. These settigs ca be tured o or off for each etwork profile idividually. NOTES FROM THE FIELD See Also Liks Throughout the cofiguratio widows i Widows Server 2008 R2, Microsoft has embedded See Also Liks. The liks take you to the cofiguratio ad maagemet cosoles similar to the curret cosole where the liks appear. Network profiles Widows Server 2008 ad Widows Vista itroduced a ew way to maage etwork cofiguratio based upo the etwork that the computer is coected to. For example, you ca cofigure the computer to ope Widows Firewall ports for Remote Desktop coectivity while coected to the corporate etwork ad to disable the ports whe coected to a public etwork. Widows Server 2008 R2 icludes the followig etwork profile types: Domai The domai etwork profile is used whe the computer is coected to the etwork that hosts the domai that it is a member of. For example, if a computer is a member of the Cotoso.com domai, the domai etwork profile will be used whe that computer coects to the etwork that hosts the Cotoso.com domai. Private The private etwork profile is used whe coectig the computer to a trusted etwork that does ot host the domai i which the computer is joied. This profile is less restrictive tha the public profile ad thus should oly be used o trusted etworks, such as a home etwork or i situatios where the computer is coected to the corporate etwork, but ot joied to a Widows domai. Public The public etwork profile should be used whe coectig the computer to a o-trusted etwork, such as a public Wi-Fi hotspot. This profile is much more restrictive toward other etwork computers ad devices. You will more tha likely ot be movig your productio servers betwee various etworks o a regular basis. However, it is importat that you uderstad how Network Profiles impact o the operatig system s cofiguratio to esure that proper settigs are applied for your give etwork sceario. For example, if you ope a Widows Firewall port for the private profile ad the computer is usig the domai profile, the the firewall chage that you made will have o impact o the computer s curret cofiguratio.

10 82 CHAPTER 3 Widows Server 2008 R2 etworkig PLANNING AND DEPLOYING A TCP/IP NETWORK INFRASTRUCTURE Widow etworks deped upo a reliable TCP/IP ifrastructure. A properly desiged ad maaged TCP/IP etwork helps to esure a successful Widows Server 2008 R2 deploymet, while a poorly desiged etwork almost guaratees that problems are goig to occur durig ad after your deploymet. Sped time to make sure that your etwork is healthy before rollig out Widows Server 2008 R2. If you already have a well-maaged ad reliable IP etwork, give yourself a pat o the back. This is ot always a easy objective to accomplish. Itroductio to TCP/IP Most of today s etworks, icludig the Iteret, rely heavily o the TCP/ IP protocol. The TCP/IP protocol stack has bee aroud sice the early days of computer etworks ad remais the de facto stadard of eterprises today. Before settig up or maagig a Widows etwork, you eed to have a good uderstadig of how TCP/IP works. I this sectio, we will cover some of the basics of TCP/IP ad how they apply to Widows. If you are already a experieced etwork admiistrator, ow might be a good time to review ad refresh your IP kowledge. IP addresses IP addresses are uique biary umbers assiged to hosts o a IP etwork. Thik of IP addressig i the same way as you thik of the addresses of houses i your eighborhood. Each house requires a uique street address. Whe someoe eeds to visit your home, they direct their vehicle to your address. The same applies i the world of TCP/IP etworks. Every computer ad device attached to the etwork requires a uique IP address. Data that eeds to reach a certai computer o the etwork is set to its IP address. As metioed, IP addresses are biary umbers; however, most people prefer to read IP addresses i decimal format for ease of use. It is importat that you as a etwork admiistrator uderstad this cocept to properly troubleshoot ad maage IP etworks. IP address classes IP addresses are distributed ito five classes: Class A, Class B, Class C, Class D, ad Class E. All IP addresses belog to a class based upo their decimal value of the first octet. Classes A, B, ad C are the oes you will see used o corporate etworks. Class D IPs are reserved multicast

11 Plaig ad deployig a TCP/IP etwork ifrastructure 83 addresses that caot be assiged to a sigle computer but used to sed ad receive multicast traffic. Class E addresses are reserved for use by the Iteret Egieerig Task Force (IETF). The IP classes ad their correspodig rage of IP addresses are listed i Table 3.1. IP subettig A subet mask is aother group of dotted decimal umbers, represetig a biary umber that distiguishes which part of the IP address represets the etwork. The subet mask is used to allow computers to determie whether the addresses of other computers they wish to commuicate with are o the local etwork or o a remote etwork. If the computer resides o a remote etwork, the commuicatio request is set to the default gateway. Figure 3.6 explais how subet masks work. Table 3.1 IP Address Classes Class Rage A B C D E FIGURE 3.6 How the Subet Mask Works.

12 84 CHAPTER 3 Widows Server 2008 R2 etworkig Table 3.2 Stadard Subet Masks Subet Mask Number of Supported Hosts per Network Class A Over 16 millio Class B Over 16 thousad Class C The three mai IP address classes have default subet masks. The stadard subet masks for each class, icludig umber of supported hosts o each etwork are listed i Table 3.2. The default subet mask is ot practical i most etwork cofiguratios. For example, let us say that you owed a Class B etwork of Usig the default mask, you could have over 16,000 computers o oe oroutable etwork segmet. What if you had a remote office coected via a WAN lik? Would you eed to acquire aother Class B etwork rage for that office? First, this would be a major waste of your IP addresses ad secod, good luck o gettig someoe to give you that may. Luckily, you ca create custom subet masks to split up your IP addresses. By simply chagig the subet mask from to , you have istatly give yourself 254 uique routable etworks that ca support 254 hosts each. Creatig a custom subet mask is as simple as addig some biary oes to replace zeros i the mask. But what if you eed to support 400 computers i a remote etwork? What does the mask look like the? This is where it gets a little tricky. You will eed to covert the dotted decimal to its biary equivalet ad perform a simple calculatio. Let us take a look at this process. 1. Decide how may subets or etworks you eed to support. This is pretty easy to calculate. Figure out how may etworks you have that are separated by a router. 2. Decide how may hosts you eed o each etwork. You eed to pla for the umber of computers ad other IP devices that you will wat to support at each etwork locatio. Remember that you may eed IP addresses for etwork switches, priters, ad other IP-eabled devices o top of the umber of computers that you eed to support each etwork. You should pla for growth here as well. Give yourself at least 10% growth room for a give etwork. 3. Calculate the subet mask. You ow have eough iformatio to calculate the proper custom subet mask. Perform the followig to calculate your subet mask.

13 Plaig ad deployig a TCP/IP etwork ifrastructure 85 a. Covert the stadard subet mask to biary. If we are usig a IP etwork of , the the mask would be The biary coversio is Notice that it takes eight biary umbers to make up the umber betwee each decimal. This is why each umber betwee the decimal is referred to as a octet. b. Add oe to the umber of etworks (subets) you eed. Assume that you eed five etworks. Add oe to it to get six. c. Covert the decimal umber to biary. You ca do this maually or the calculator i Widows works great for this. I our example, we covert the decimal umber six to biary, which is 110. d. Calculate the bits required for the mask. This is equal to the bits required to create the biary umber. Sice 110 is three idividual umbers, 3 bits are required. e. Add the bits to the stadard subet mask resultig i a ew biary subet mask of Now covert this biary back to decimal resultig i You ow have the subet mask to use o each etwork segmet. Now that you have leared how to create a custom subet mask, you should be aware that you ca use a special subet calculator to perform these steps for you. However, it is importat that you uderstad how subettig works if you pla o supportig Widows etworks. Public- versus private-ip addresses IP etworks expaded ad grew much larger tha the origial creators of the protocol ever iteded. IP blocks or classes were origially developed with a limited umber of available addresses. With the emergece of global itercoected etworks ad the Iteret, may orgaizatios foud themselves i a IP address shortage crisis. This is where private-ip addresses come ito play. Private-IPs costitute a set of three IP address rages, oe from each of the three primary classes that are ot routable o the Iteret (see Table 3.3). The result of ot makig them Iteret routable is that ayoe ca use them o their etworks. If the private-ip addresses eed to coect to the Iteret, a Network Address Traslator (NAT) device must be used to traslate the private-ip to a public-ip. This techology allows orgaizatios to purchase a limited umber of public-ip addresses ad use private-ip addresses o computers coected to their iteral etworks. The private-ip addressed computers ca the use the NAT device, which is assiged a public-ip, to commuicate o the Iteret. A simple private-ip addressed etwork is depicted i Figure 3.7. The use of private-ips ad NAT ot oly decreases the usage of public-ip Table 3.3 Private IP Rages IP Rage Class A Class B Class C

14 86 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.7 A Private-IP Network. addresses, but also makes etworks more secure by hidig computers from the global Iteret. Private-IP addressig is a techology that cotiues to be available i IPv6. Itroductio to IPv6 IPv6 is the ext geeratio IP etwork protocol developed to replace the agig IPv4. As metioed earlier, the desigers of IPv4 ever expected that billios of IP addresses would be eeded to support the global etworks we have today. Eve with the icreased use of private-ip rages ad techologies, such as NAT, the umber of available public-ip addresses cotiues to declie. It has become very clear that future IP etworks will require a lot more addresses tha that are available i IPv4. This is where IPv6 comes i. IPv6 moves from 32-bit (4 octets) IP addresses to 128-bit IP addresses. This icreases the umber of available addresses to such a large umber that every perso o earth could have roughly addresses. Yes, that is a lot of IP addresses. The itet of the Iteret Egieerig Task Force (IETF), the goverig body of IP etworkig, was ot just to create some isaely large

15 Plaig ad deployig a TCP/IP etwork ifrastructure 87 umber just to esure that we do ot ru out, but for easier maagemet ad assigmet of IP rages. IPv6 allows large blocks to be assiged, providig more efficiet routig ad easier admiistratio of those IP rages. Though IPv6 is clearly the future of IP etworks, the adoptio rate has bee very low to date. Major chages to eterprise etworks, such as chagig IP addresses, are ever cheap or quickly implemeted. Chaces are that IPv6-based etworks will emerge ad grow over the ext few years, but IPv4 will ot be goig away i the ear future. As a Widows admiistrator, the importat thig to uderstad is that Widows Server 2008 R2 fully supports IPv6, ad ca efficietly commuicate o both IPv4- ad IPv6-based etworks. IPv4 to IPv6 trasitio techologies To help orgaizatios move to IPv6, there are several stadards-based techologies that have bee created to allow IPv6 applicatios fuctio over a IPv4 etwork. Widows Server 2008 R2 icludes support for some of these techologies, icludig Teredo, 6to4, IP-HTTPS, ad ISATAP. A brief explaatio of each is provided below: Teredo Teredo is a stadards-based protocol that provides IPv6 coectios for IPv4-based computers that are behid a IPv4-based NAT. Teredo is a key techology allowig orgaizatios to make IPv6 coectios without chagig IP addresses of computers o their iteral private subets. 6to4 6to4 is a stadards-based protocol that allows computers with public-ipv4 addresses to make IPv6-based coectios over the IPv4- based Iteret. It is a key techology allowig orgaizatios to begi trasitioig to IPv6 while the Iteret at large cotiues to be based o IPv4. IP-HTTPS IP-HTTPS is a Microsoft techology that allows Widows 7 ad Widows Server 2008 R2 computers behid a firewall to establish IPv6 coectivity over a IPv4 etwork by creatig a IPv4-based tuel i which IPv6 packets ca travel. ISATAP ISATAP is a stadards-based techology that provides IPv6 coectivity across a IPv4-based iteral etwork. Desigig IP etworks We discussed the ecessity of plaig for a Widows Server 2008 R2 deploymet i Chapter 1. The same requiremet applies to buildig IPbased etworks. You eed to sped ample time plaig prior to buildig

16 88 CHAPTER 3 Widows Server 2008 R2 etworkig your etwork ifrastructure. Be sure to documet your game pla so that you will ot forget the critical tasks. Remember that your Widows etwork is ot worth much if your workstatios ad servers caot commuicate. As part of your desig, you eed to uderstad ad documet what etwork services ad applicatios you pla to support. You eed to kow how they commuicate, what protocols they use, ad how much badwidth they require. You will also wat to cosider the followig while developig your pla: Number of physical locatios ad logical etworks Number of etworks devices you pla to support Expected growth of your etwork Availability ad redudacy requiremets Badwidth eeds Routig optios Network switch eeds VLANs Network locatios that will host servers VPNs ad Remote Access techologies Iteret access ad firewall locatios These are just a few of the topics that you will eed to sped time desigig ad documetig prior to deploymet of a IP ifrastructure. The ed desig should match up with your Widows Server 2008 R2 deploymet pla. The IP ifrastructure must be desiged to support the various requiremets of etwork applicatios provided by Widows Servers. I the ed-user s eyes, if the etwork is dow, so are the services it supports. Policy-based QoS QoS features allow admiistrators to cofigure certai etwork protocols ad applicatios to have a higher etwork badwidth priority tha others. QoS also allows admiistrators to limit the badwidth used by lower priority applicatios. The use of QoS has icreased rapidly over the past several years as more orgaizatios have begu usig their etworks to sed more tha just ad browse the Web. Today s busiesses are usig their etworks to stream multimedia from ad to the Iteret, use cloudbased services, ad support Voice over IP (VoIP) phoe systems. Usig these services requires prioritizig some protocols over others. QoS has traditioally bee a etwork feature that could be set up o etwork routers ad layer 3 switches. The etwork devices are set up to ispect etwork traffic ad give certai protocols a higher priority tha others.

17 Plaig ad deployig a TCP/IP etwork ifrastructure 89 The most widely used method of implemetig QoS is usig differetial services code poit (DSCP) taggig. DSCP assigs a value betwee 0 ad 63 to data packets. QoS services read this value ad give higher umbers, a higher priority o the etwork. NOTES FROM THE FIELD QoS i Widows Server 2003 ad Widows XP Microsoft itroduced some basic QoS APIs i Widows XP ad Widows Server This allowed applicatio developers to apply QoS settigs to their applicatios but was limited i features ad eeded to have code writte to support QoS. Additioally, the admiistrator would eed to istall the QoS packet scheduler o the Widows Server after Widows istallatio. It should be oted that to support QoS, the full etwork path has to trust the QoS values comig from the cliet. This is typically somethig implemeted o iteral etworks, but due to a orgaizatio's iability to cotrol Iteret-based etwork routers, it is rarely implemeted over a Iteret coectio. Widows Server 2008 R2 icludes the feature Policy-based QoS. Policybased QoS allows Widows admiistrators to apply DSCP values to traffic eterig or leavig a computer based o applicatio, port umber, protocol, or source ad destiatio IP addresses. These QoS polices ca be applied to Widows Vista, Widows 7, Widows Server 2008, ad Widows Server 2008 R2 computers ad users logged oto these operatig systems. These policies are deployed via traditioal group policies. This meas that you ca apply differet QoS policies to differet systems based upo their Active Directory (AD) site, OU membership, or the domai they belog to. This makes QoS maagemet very graular ad less complicated to admiister. Let us set up ad see Policy-based QoS i actio. Policy-based QoS ca be especially helpful i VoIP techology deploymets such as Microsoft Office Commuicatios Server 2007 R2. Creatig a Policy-based QoS GPO I the below exercise, we will create a ew Policy-based QoS GPO for traffic destied for port 80 (http). This will give stadard Web browsig traffic a higher value leavig the computer over other etwork traffic. If the etwork devices support the DSCP value provided by the policy, they will also give the traffic higher priority. 1. I our example, we will use a local computer policy; however, the same policy ca be set up i AD. Ope the group policy editor:

18 90 CHAPTER 3 Widows Server 2008 R2 etworkig Start j Ru type gpedit.msc ad click OK. The Local Group Policy Editor will ope as see i Figure Expad the odes Computer Cofiguratio j Widows Settigs ad User Cofiguratio j Widows Settigs (see Figure 3.9). You will otice that Policy-based QoS ca be applied to the computer or to the user. For our example, we will use a computer-based policy. 3. Right click the Policy-based QoS ode ad choose Create New Policy. 4. The Policy-based QoS Wizard will lauch (see Figure 3.10). Eter a descriptive ame i the Policy Name field. The use the Specify DSCP value optio to set a DSCP value. I our example, we will ot be throttlig the traffic so leave this optio uchecked. Click Next to cotiue. 5. We ca assig the DSCP policy to specific applicatios by choosig the executable, or if this server is set up as a Web applicatio server, FIGURE 3.8 Local Group Policy Editor.

19 Plaig ad deployig a TCP/IP etwork ifrastructure 91 FIGURE 3.9 Computer ad User Policy-Based QoS Optios. we ca specify the URL of the applicatio. For our example, we will leave the default of All Applicatios selected (see Figure 3.11). Click Next to cotiue. 6. We ca specify that this policy applies oly to certai source or destiatio IP addresses (see Figure 3.12). We will leave both of these optios as the default for our example. Click Next. 7. We ow eed to choose the protocol ad port umber or rage that we wat the DSCP value to (see Figure 3.13). For our testig purposes, let us choose port 80 (http) as the destiatio port. This will allow us to easily use a Web browser to test our policy. Click Fiish to create the policy. 8. You should ow see the policy appear uder the Policy-based QoS ode i the Local Group Policy Editor widow as see i Figure Now let us test our ew policy. To perform this test, you will eed to dowload ad istall Network Moitor. Network Moitor ca be dowloaded from Microsoft Dowload Ceter at microsoft.com. After istallig Network Moitor, ope it by goig to Start j All Programs j Network Moitor 3.3.

20 92 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.10 Policy Name ad DSCP Value. FIGURE 3.11 Policy-Based QoS Applicatios.

21 Plaig ad deployig a TCP/IP etwork ifrastructure 93 FIGURE 3.12 Limit Policy-Based QoS to Listed Source or Destiatio IP Addresses. FIGURE 3.13 Policy-Based QoS Protocol ad Port Number Optios.

22 94 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.14 New Policy-Based QoS Policy. 10. The Network Moitor Start Page will be opeed as see i Figure Click the lik New Capture Tab to set up a ew etwork capture sessio. 11. A ew capture tab will be opeed. Click the Start butto at the top of the Network Moitor widow to start capturig traffic (see Figure 3.16). 12. Now let us create some outboud http traffic. Ope Iteret Explorer by goig to Start j All Programs j Iteret Explorer. 13. Browse a stadard http Web site. The close Iteret Explorer. 14. Go back to the Network Moitor widow ad click the Stop butto. You should see that the utility has captured traffic i the frame summary pae (see Figure 3.17). 15. Expad the iexplorer.exe ode i the etwork coversatios pae. 16. Locate oe of the IPv4 sessios (see Figure 3.18) ad select the sessio you wat to view. 17. After selectig a IPv4 sessio, otice the list of frames i the frames summary pae as see i Figure Select a frame that cotais DstPort¼HTTP(80). 18. Expad the IPv4 sectio i the frame details pae (see Figure 3.20). Notice the DifferetiatedServicesField subode. You will otice that the frame has bee give a DSCP value of 10. This shows that the policy is correctly applyig a DSCP value to outboud port 80 traffic. Test various QoS policies i your test lab durig your Widows Server 2008 R2 deploymet. You ca use them to help esure that the critical applicatios receive ecessary etwork badwidth to perform optimally.

23 Routig ad Remote Access 95 FIGURE 3.15 Network Moitor Start Page. ROUTING AND REMOTE ACCESS Widows Server 2008 R2 icludes Routig ad Remote Access features to provide basic IPv4 ad IPv6 routig as well as remote access services, such as VPN ad dial-up. These access features allow remote users to coect to the corporate etwork ad access etwork resources, such as file servers, prit servers, ad itraet Web sites. VPN ad dial-up services ca also be used to provide site site coectivity withi the corporate etwork. Additioally, you ca use the routig features i Routig ad Remote Access to create a router betwee two separate subets. As you leared earlier i this chapter, etworks are rarely composed of a sigle

24 96 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.16 New Capture Sessio. subet ad require a router to sed traffic betwee subets. Most orgaizatios deploy dedicated router appliaces to create this fuctioality, but Widows Server 2008 R2 Routig ad Remote Access ca be used to fulfill the same eeds to route traffic betwee two separate logical subets. Istallig Routig ad Remote Access Routig ad Remote Access is istalled by addig the Network Policy ad Access Services role. To istall Routig ad Remote Access, perform the followig: 1. Ope Server Maager by selectig Start j Admiistrative Tools j Server Mager.

25 Routig ad Remote Access 97 FIGURE 3.17 Network Moitor Captured Traffic. 2. The Server Maager widow will ope. Select the Roles ode, the click the Add Roles lik i the middle pae. 3. The Add Roles Wizard will lauch. Click Next to cotiue. 4. Select the Network Policy ad Access Services role as see i Figure The click Next. 5. This will take you to the role summary scree. Click Next to cotiue. 6. Select the Routig ad Remote Access role service (see Figure 3.22). The click Next. 7. Verify the selectio ad the click Istall. Whe the istallatio is complete, click Close.

26 98 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.18 Selected IPv4 Sessio frames. 8. You ca maage Routig ad Remote Access by opeig Server Maager ad selectig Roles j Network Policy ad Access Services j Routig ad Remote Access as see i Figure Cofigurig Routig ad Remote Access to support Remote Access VPN You ca set up Routig ad Remote Access to provide remote users access to your etwork via VPN services. The followig exercise will take you through cofigurig Routig ad Remote Access to support VPN coectivity. You will eed to esure that your VPN server has two etwork adapters (NICS) istalled prior to cofigurig Routig ad Remote Access to support VPN.

27 Routig ad Remote Access 99 FIGURE 3.19 The Frames Summary Pae. FIGURE 3.20 IPv4 Sessio Frame Details.

28 100 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.21 Add Network Policy ad Access Services Role. 1. Lauch Server Maager by opeig Start j Admiistrative Tools j Server Maager. 2. Select the Routig ad Remote Access ode from Roles j Network Policy ad Access Services j Routig ad Remote Access. 3. Right click the Routig ad Remote Access ode ad select the optio Cofigure ad Eable Routig ad Remote Access (see Figure 3.24). 4. The Routig ad Remote Access Setup Wizard will lauch. Click Next to begi cofiguratio. 5. Select the first optio Remote Access (dial-up or VPN). The click Next. 6. Sice we will be providig oly VPN services, select oly the VPN optio for remote access (see Figure 3.25). The click Next.

29 Routig ad Remote Access 101 FIGURE 3.22 Routig ad Remote Access Role Services. FIGURE 3.23 Routig ad Remote Access Maagemet Cosole.

30 102 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.24 Cofigure ad Eable Routig ad Remote Access. FIGURE 3.25 VPN Access Optio. 7. Select a etwork iterface that coects the VPN server to the Iteret (see Figure 3.26). Routig ad Remote Access will use the Iteret-coected adapter to accept icomig VPN coectios ad use the other adapter to route iboud VPN traffic to the corporate etwork. Leave the optio Eable security o the selected iterface

31 Routig ad Remote Access 103 FIGURE 3.26 Select Iteret Iterface. by settig up static packet filters checked. This will set up packet filters to esure that oly VPN traffic is allowed to commuicate to the Iteret-facig iterface, providig a greater level of security. Click Next to cotiue. 8. Select how you would like to assig IP addresses to cliets coectig to the etwork via VPN (see Figure 3.27). You ca choose to have the computers request a address either from your existig DHCP pools or from a rage of specific addresses. For this example, we will use DHCP (DHCP is covered later i this chapter). The click Next. 9. Select how you wat the VPN server to autheticate. Here you ca choose whether to have the VPN server autheticate users or sed the autheticatio to a Remote Autheticatio Dial-i User Service (RADIUS) server. I larger deploymets, you may wat to use RADIUS. RADIUS ca provide a greater level of security ad maagemet by hadlig autheticatio for VPN coectios istead of allowig them to autheticate directly to your AD domai. I our example, we will allow the VPN server to autheticate users (see Figure 3.28). Select the optio No, ad use Routig ad Remote Access to autheticate coectio requests. The click Next. 10. Verify your settigs o the summary page, ad the click Fiish.

32 104 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.27 Automatic IP Assigmet. FIGURE 3.28 Routig ad Remote Access Autheticatio.

33 Plaig ad deployig DNS The server is ow cofigured to support VPN coectios via Poitto-Poit Tuelig Protocol (PPTP), Layer 2 Tuelig Protocol (L2TP), ad Secure Socket Tuelig Protocol (SSTP). NOTES FROM THE FIELD Cosider DirectAccess Widows Server 2008 R2 cotiues the traditio of supportig remote dial-up ad coectivity services. If you have Widows 7 cliets o your etwork, you may wat to cosider settig up DirectAccess istead or alog with traditioal VPN access. DirectAccess provides a secure remote coectio back to the corporate etwork without the eed for traditioal VPN services. We will discuss DirectAccess i detail i Chapter 13. PLANNING AND DEPLOYING DNS DNS is oe of the most missio-critical compoets used by today s Widows etworks. DNS ame resolutio is a process that traslates computer ames to IP addresses ad vice versa. I this sectio, we will explore what DNS is ad how it works. It is importat to uderstad how to set up, cofigure, ad maage DNS before deployig a Widows Server 2008 R2 etwork. If the DNS services break, so does your etwork. We will the discuss desigig ad the deployig DNS services. We will fiish our DNS discussio by explorig how to admiister ad troubleshoot Widows Server 2008 R2 DNS services. Overview of ame resolutio ad DNS Before settig up ad cofigurig DNS, it is importat to uderstad how ame resolutio works ad why it is eeded by Widows etworks. Like most other etwork services covered i this chapter, you eed to uderstad what is goig o uder the covers to really grasp how the service works ad why it is importat. DNS at a basic level is performig oe mai fuctio, resolvig ames to IP addresses. Earlier i this chapter, you leared that computers use TCP/ IP to commuicate ad that each computer is give a uique IP address. For computer A to talk to computer B, computer A must kow the IP address of computer B. IP-based commuicatio poses a small problem to humas. How do you remember all of those IP addresses? Thik about havig to remember the IP address of your 20 favorite Web sites o the Iteret (remember all computers, eve Web servers hostig Web sites, require IP address-based commuicatio). Luckily, this is where DNS helps. DNS allows us to remember a ame kow as a Fully Qualified

34 106 CHAPTER 3 Widows Server 2008 R2 etworkig Domai Name (FQDN) istead of the IP address of the computer that we are tryig to reach. We ca reach or by simply typig the Web address, also kow as the FQDN. DNS the traslates this FQDN to a IP address. After DNS traslates the ame to IP address, your computer coects to that address. So how exactly does all of this work? The example below will take you through the Widows ame resolutio process. 1. Your computer would like to access the Web site 2. Your computer s DNS cliet service seds a ame resolutio request to the DNS Server whose IP address is listed i the DNS Servers sectio of the computer s IP cofiguratio. We will refer to this server as the local DNS Server. 3. The local DNS Server receives the request ad determies if it should host the domai ame beig requested. If it does host the domai, the it looks up the DNS record ad returs it to the cliet. If it does ot host the domai, the local DNS Server queries a root DNS Server for the IP address of the.com DNS Server. 4. Oce the IP of the.com DNS Server is received, the local DNS Server queries the.com DNS Server for the IP address of the big.com DNS Server. 5. The local DNS Server the queries the big.com DNS Server for the IP address of 6. Your cliet computer the receives the IP address of the server from your local DNS Server. Figure 3.29 illustrates this process. DNS zoes DNS Servers host zoes which i tur host records that resolve a ame to a IP address. The zoe is the authoritative source for iformatio about the domai ame maaged by that zoe. A DNS zoe is typically the same as the domai ame beig hosted o the DNS Server. For example, if the DNS Server will be hostig the domai sygress.com, the the zoe sygress.com must be created o the DNS Server. There are two Primary zoe types that ca be set up o a DNS Server Forward Lookup Zoes ad Reverse Lookup Zoes. Forward Lookup Zoes Forward Lookup Zoes allow the DNS Server to resolve queries where the cliet seds a ame to the DNS Server to request the IP address of the requested host. Reverse Lookup Zoes Reverse DNS zoes perform the opposite task as Forward Lookup Zoes. They retur the fully qualified domai ame (FQDN) of a give IP address. For example, a cliet could sed

35 Plaig ad deployig DNS 107 FIGURE 3.29 DNS Name Resolutio Process. the IP address of to a DNS Server. If the server hosted a reverse zoe that icluded that IP address, it would retur the FQDN for that address, such as I additio to the stadard zoe types, DNS zoes ca be further broke dow ito the followig zoe types: Primary zoe (stored i AD) These zoes are stored i AD ad replicated via ormal AD replicatio. This provides a optimized way to replicate the zoes withi your corporate etwork. Primary zoes stored i AD follow the same multimaster rules as other AD services. This meas that you ca perform updates o ay AD Domai Cotroller ad they will replicate to the other Domai Cotrollers. Primary zoe (stadard) Stadard Primary zoes are stored i a flat file o the DNS Server. The Primary zoe is cosidered the master

36 108 CHAPTER 3 Widows Server 2008 R2 etworkig copy of the zoe database file. All updates to the zoe must be performed o the Primary zoe server. Secodary zoe Secodary zoes are read-oly copies of the Primary zoes. Secodary zoes replicate a copy of the zoe from the Primary zoe server to provide redudacy. Ay updates to the zoe must be performed o the Primary zoe server. Stub zoe Stub zoes are similar to Secodary zoes i that they are read-oly copies of the zoe database file. Stub zoes, however, cotai oly the Name Server (NS), Start of Authority (SOA), ad host (A) records for the Name Servers. BEST PRACTICES Create Reverse Lookup Zoes Some applicatios require the ability to perform Reverse DNS Lookups. As a best practice, you should set up Reverse Lookup Zoes for IP subets o your etwork. Global Namig Zoes Before Widows etworks relied so heavily o DNS, they used the Widows Iteret Namig Service (WINS) to provide ame resolutio. WINS provides the ability to resolve a NETBIOS ame to a IP address. If you support legacy applicatios that rely o NETBIOS ames, it is highly possible that you are still supportig WINS o your etwork. To help orgaizatios move away from WINS, Microsoft developed Global Namig Zoes (GNZs). GNZs, i Widows Server 2008 R2, allow compaies to decommissio WINS while still supportig NETBIOS ames. GNZs require that your domai cotrollers be at Widows Server 2008 or later. Widows Server 2003 DCs do ot support GNZs. DNS records DNS records are the data of DNS zoes. Records map host ames to IP addresses ad IP addresses to host ames. The most commoly used DNS records are listed below: A(Host)Record A records are stadard records that map the FQDN of a host to a IP address. For example, the sygress.com zoe could cotai a host record www that poits to the IP address of the Sygress Web site. CNAME (Alias) Record CNAME records, also kow as aliases, map a host ame to a existig A record. For example, a CNAME record could map to Web server1.sygress.com.

37 Plaig ad deployig DNS 109 MX (Mail Exchager) Record MX records are used to map a domai ame to a A record for mail delivery. MX records also cotai a priority to allow failover to secodary mail servers i the evet that your primary mail server is uavailable. MX records are crucial to esure mail flow. NS (Name Server) Record NS records idetify all the authoritative DNS servers for a give zoe. The primary DNS Server ad the secodary DNS Server should have NS records i the zoe. SRV (Service) Record SRV records provide autodiscovery of TCP/IP resource o the etwork. Usig SRV records, cliets ca query the domai for iformatio about a particular service, such as what server it may reside o. SRV records are beig used by more ad more applicatios to provide autodiscovery for products such as Exchage Server ad Office Commuicatios Server. PTR (Poiter) Record PTR records are Reverse Lookup records that reside i Reverse DNS zoes. PTR records perform the opposite fuctio as A records. Desigig a DNS ifrastructure Whe creatig your DNS desig documetatio, you will wat to esure that the ifrastructure is highly available ad redudat. As previously metioed, DNS is oe of the most missio-critical services o your etwork. As you desig your DNS ifrastructure, you will wat to cosider the followig: Number of physical ad logical etworks that will eed ame resolutio. Available WAN badwidth. Number of domais or zoes you will eed to support. Other o-widows-based DNS hosts. Where DNS zoes will be stored AD or DNS flat files? Itegratio with WINS servers. Ca GNZs replace WINS? What types of records will be required? How may records will be eeded? Will subdomais be required (subdomai.sygress.com)? Will DNS Forwardig be used? Number of cliets usig DNS for ame resolutio. Remember that a good DNS desig allows quick ame resolutio to cliets ad provides adequate redudacy so that DNS services remai available i the evet of a DNS Server failure. As metioed throughout this

38 110 CHAPTER 3 Widows Server 2008 R2 etworkig book, you will wat to test your desig thoroughly before deployig to a productio etwork. DNS is o exceptio. You eed to be able to aswer questios such as Does ame resolutio still work efficietly if a DNS Server fails? ad Is the DNS respose time quick eough to support the umber of cliets o my etwork? Be sure that you adequately documet your DNS desig. As your etwork grows, you will wat to refer the desig ad make modificatios to support ew etwork segmets ad icreased umbers of cliets. Figure 3.30 depicts a desig of a small etwork. FIGURE 3.30 Simple DNS desig.

39 Plaig ad deployig DNS 111 Deployig DNS After desigig (ad testig) your DNS ifrastructure, you are ready to begi deploymet. How you deploy will deped upo how you pla to cofigure ad support DNS. DNS ca be istalled just like ay other server role, or if you are plaig o usig DNS o a AD Domai Cotroller, it is istalled usig the AD dcpromo process. We will explore usig DNS with AD i detail i Chapter 4, so i this chapter we will focus o deployig oad itegrated DNS Servers. Istallig the DNS Server role Istallig DNS ca be doe the same way as you would istall ay other server role. To istall DNS perform the followig steps: 1. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 2. Click to highlight the Roles ode i the left pae. The click the Add Roles lik i the middle pae. This will lauch the Add Roles Wizard. 3. Click Next to begi the istallatio process. 4. Select DNS Server from the list of available roles (see Figure 3.31). The click Next. 5. The Itroductio to DNS Server page will appear. Click Next to cotiue. 6. Cofirm that DNS was selected o the summary page, ad the click Istall. 7. After DNS istallatio is completed, you will be take to a istallatio results page. Verify that the DNS role was istalled successfully, ad the click Close. 8. You should ow see the DNS role listed uder the Roles ode i Server Maager as see i Figure Cofigurig DNS Servers After DNS is istalled, you will eed to cofigure the service to support ame resolutio. The primary DNS cofiguratio tool is the DNS cosole i Server Maager. Let us take a look at DNS Server cofiguratio settigs. You ca access the server s DNS properties by expadig the odes Roles j DNS Server j DNS, ad the right clickig the listed DNS Server ad choosig Properties as see i Figure The properties widow will ope ad you will be preseted with a series of cofiguratio tabs as see i Figure 3.34.

40 112 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.31 Select DNS Server role. FIGURE 3.32 Server Maager DNS Server role.

41 Plaig ad deployig DNS 113 FIGURE 3.33 Opeig DNS Properties. We will ow take a look at each of the cofiguratio tabs ad explore the optios that ca be set up. The followig cofiguratio tabs are displayed i the DNS properties widow: Iterfaces The Iterfaces tab allows you to select the IP addresses (icludig IPv6 addresses) that you wat to liste for DNS requests o. By default, the optio to liste o all iterfaces is selected. Forwarders The Forwarders optio allows you to specify the DNS Servers that the curret DNS Server ca forward the requests to, if it caot resolve the requested query. BEST PRACTICES Usig DNS forwarders As a best practice, you should have a set of DNS Servers that use root hits to perform DNS lookups. You should the cofigure all other DNS Servers o your etwork to forward Iteret-based requests to these servers. Forwarders provide additioal security agaist DNS cache poisoig by limitig which servers pull records from Iteret DNS Servers.

42 114 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.34 DNS Server Properties. Advaced Most DNS istallatios will ot require you to modify the settigs o the Advaced tab; however, there may be occasios where chagig these optios are ecessary. o Disable recursio Disablig recursio will prevet the DNS Server from performig a referral lookup of zoes ot hosted o this DNS Server. If recursio is disabled ad a cliet queries the DNS Server for a zoe that is ot hosted o the DNS Server, the query will fail. o BIND Secodaries Eablig this optio will allow Widows DNS Servers to perform fast zoe trasfers to compatible BIND DNS Servers. Fast zoe trasfers use compressio to perform a faster trasfer of data from a primary DNS Server to secodary DNS Servers. o Fail o load if bad zoe data Eablig this optio will istruct the DNS Server to ot load the zoe if there are errors i the zoe files.

43 Plaig ad deployig DNS 115 o Eable roud robi This feature, eabled by default, allows DNS to use roud robi techiques to sed traffic to multiple IP addresses for a sigle host. o Eable etmask orderig This feature, also eabled by default, esures that a host IP o the cliet s local subet will be retured if multiple IP addresses (host records) are give for a sigle hostame. o Secure cache agaist pollutio This feature attempts to prevet the local DNS cache from beig polluted by discardig records i the cache that could be cosidered isecure due to the fact that they were received from a DNS Server that is ot part of the domai path that the origial request was set to. Root Hits The root hits tab lists the root DNS Servers that the server will use to resolve a query if it does ot host the zoe. Debug Loggig Debug Loggig allows you to create a very detailed log of DNS packets set ad received by the DNS Server. Debug Loggig ca create very large logs depedig o how may packets are captured. It is oly recommeded that you tur o Debug Loggig whe troubleshootig DNS problems. Evet Loggig This settig cofigures what type of DNS evets should be writte to the DNS Evet Log. By default, the All Evets optio is selected. Trust Achors Trust Achors are part of DNS Security Extesios (DNSSEC). Trust Achors are used to validate resposes from remote DNS Servers. Moitorig The Moitorig tab allows you to perform basic or recursive queries agaist the DNS Server maually or o a scheduled basis. Settig up DNS zoes Hostig a domai o a DNS Server requires settig up the zoe for that domai. To set up a ew DNS zoe, perform the followig: 1. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 2. Select the Forward Lookup Zoes ode from Roles j DNS Server j DNS j <your DNS Server ame> (see Figure 3.35). 3. Right click the Forward Lookup Zoes ode ad select New Zoe. The New Zoe wizard will lauch. Click Next to begi creatig a ew DNS zoe. 4. Select the zoe type (see Figure 3.36). If this is the first copy of the zoe, you will wat to select the Primary zoe optio. The click Next.

44 116 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.35 Forward Lookup Zoes. FIGURE 3.36 DNS Zoe Type.

45 Plaig ad deployig DNS 117 FIGURE 3.37 Zoe Name. 5. Eter the Zoe Name. This is the amespace for which this server will be authoritative. For example, if the server is hostig Sygress.com, eter that ito the Zoe Name field as see i Figure The click Next. 6. If this is a ew zoe, eter a ame for the DNS file. If the zoe was previously set up o aother server, such as a lab, you ca use a existig DNS file to prepopulate the zoe o this server. Click Next to cotiue. 7. Select whether you wat to allow dyamic updates or ot. By default dyamic updates are disabled. Click Next to cotiue. 8. Verify your settigs o the summary page, ad the click Fiish to create the zoe. 9. You will see the zoe ow listed i Server Maager as see i Figure You ca select the zoe to see records that belog to the zoe i the middle pae. By default every zoe creates NS ad SOA records. Replicatig DNS zoes After you set up your primary DNS zoe, you will the wat to replicate the zoes to at least oe secodary server. To set up DNS replicatio, perform the followig:

46 118 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.38 Newly Created DNS Zoe. 1. Log o to the server that will serve as a host to the secodary DNS zoe. 2. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 3. If the DNS Server Role is ot istalled, you will eed to istall it. 4. Select the Forward Lookup Zoes ode from Roles j DNS Server j DNS j <your DNS Server ame>. 5. Right click the Forward Lookup Zoes ode ad select New Zoe. The New Zoe wizard will lauch. Click Next to begi creatig a ew DNS zoe. 6. Select the zoe type (see Figure 3.39). Sice this will be a Secodary zoe, select the Secodary zoe optio. The click Next. 7. Eter the ame of the zoe (see Figure 3.40). This should be the same ame as the Primary zoe. I our example, we will use Sygress.com. 8. Eter the IP address of FQDN of the primary DNS Server (see Figure 3.41). The click Next. 9. Click the Fiish butto to complete the set up of the Secodary zoe. You ow eed to allow the Secodary zoe to pull iformatio from the primary. To do this, log o to the primary DNS Server. 10. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 11. Select the Forward Lookup Zoes ode from Roles j DNS Server j DNS j <your DNS Server ame> 12. Right click the zoe you wish to modify. The click Properties. I our case, we will be modifyig Sygress.com. 13. Click to select the Name Servers tab. 14. Eter the IP address ad FQDN of the secodary DNS Server (see Figure 3.42). The click OK.

47 Plaig ad deployig DNS 119 FIGURE 3.39 Creatig Secodary DNS Zoes. FIGURE 3.40 Secodary Zoe Name.

48 120 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.41 Primary DNS Server Used for Replicatio. FIGURE 3.42 Addig secodary DNS Server.

49 Plaig ad deployig DNS You should ow be able to go back to the secodary DNS Server ad see the zoe data iside the zoe. Ay ew records created o the primary server should automatically replicate to the secodary server. Creatig DNS records After DNS zoes are set up, cofigured, ad verified, you are ready to start creatig records. To create a ew DNS record, perform the followig: 1. Log o to the server that hosts the primary DNS zoe. 2. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 3. Expad the DNS role ad servers. The expad the Forward Lookup Zoes ode. Right click the zoe where you wat to create a ew record ad select New Host (A or AAAA) Record Eter the host ame to complete the FQDN, ad the eter the IP address that the record should poit to (see Figure 3.43). 5. You ca ow test the ew host record. Esure that your computer is set to use your DNS Server as the primary DNS Server i the TCP/IP settigs. 6. Ope a commad prompt. 7. Type slookup at the commad prompt, ad the hit Eter. FIGURE 3.43 Creatig a New Host (A) record.

50 122 CHAPTER 3 Widows Server 2008 R2 etworkig 8. Type 9. You should come back with a oauthoritative reply with the IP address you specified whe settig up the record (see Figure 3.44). Dyamic DNS records Dyamic DNS (DDNS) allows dyamic creatio ad updates to DNS records. By allowig DDNS, hosts ca automatically update their ow records withi the DNS zoe. Usig DDNS raises some obvious security questios. For this reaso, it is best practice ot to eable DDNS for ay zoes that are facig the public Iteret. You should also cosider usig Secure Dyamic Updates o your LAN whe the DNS zoes are AD itegrated. We will explore DDNS further i Chapter 4. DNS ad Active Directory I this chapter, we have primarily covered traditioal DNS systems usig primary ad secodary DNS zoes. Whe usig DNS i a AD eviromet, you have the optio to itegrate zoes ito AD istead of usig the primary/secodary model. There are some iherit beefits of usig AD itegrated zoes. We will discuss this optio i legth i Chapter 4. FIGURE 3.44 Testig DNS Record with NSLookup.

51 Plaig ad deployig DNS 123 Securig DNS Due to the critical ature of DNS services, it is importat that you make sure your DNS Servers are as secure as possible. This is especially true for DNS Servers that are coected to the Iteret. Cosider implemetig some of the followig to secure your DNS Servers: Ope oly ecessary firewall ports required to perform ame resolutio (53 TCP/UDP). Restrict log-o to DNS Servers to DNS admis. Tur off recursive lookups if the DNS Servers will be used oly for respodig to queries for zoes they host. If you pla to allow cliets to use the DNS Servers for ame resolutio, you will eed to leave this o. Do ot allow DDNS Updates for o-ad-based zoes. Be sure to use oly Secure Dyamic Updates for AD-itegrated zoes. Esure that zoe trasfers ca occur oly to authorized secodary servers. Takig the precedig steps ad followig other security best practices ca help esure that your DNS Servers remai secure ad reliable. Moitorig ad troubleshootig DNS To esure that you have reliable DNS services, you eed to moitor your DNS Servers ad esure that they perform ame resolutio properly. I this sectio, we will take a look at some of the tools provided i Widows to moitor DNS ad troubleshoot problems. Evet log ad debug loggig You will wat to review the DNS evet log o a regular basis to esure that services are olie ad available. Search the evet log for ay error evets ad correct ay issues that appear i the evet log. You should also keep a eye o warig evets. These ca poit to cofiguratio issues that may ot curretly be causig a outage, but could do so at a future time. Debug loggig ca really help you home i o the root cause of DNS problems (see Figure 3.45) where the solutio may ot be apparet usig other moitorig methods ad evet logs. You will ot wat to leave debug loggig eabled all the time. Tur it o whe you eed details o DNS packets set ad received from ad to the server. After resolvig the problem, be sure to disable debug loggig to prevet the hard drive from fillig up. The debug log settigs ca be foud i the properties of the DNS Server.

52 124 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.45 Debug Loggig. DNS Moitorig tab You ca test basic query fuctioality of the DNS Server by goig to the server properties ad selectig the Moitorig tab. Here you ca maually ru both simple ad recursive queries agaist the DNS Server maually ad o a scheduled basis. NSLookup ad DNScmd NSLookup ad DNScmd are two very importat commad lie tools that ca assist i troubleshootig DNS problems. You should have both of these tools as part of your admi toolkit. Luckily, they are already istalled o the server as a part of the operatig system.

53 Plaig ad deployig DNS 125 NSLookup is a tool used to test queries agaist DNS Servers. You ca ru this commad lie tool from your workstatio ad poit it to a DNS Server that you wish to test. You ca the ru various queries agaist the server to see detailed iformatio o the data retured. DNScmd is a tool ow icluded as a part of the Widows operatig system. DNScmd icludes a array of optios that allow you to perform DNS admiistrative actios from the commad lie. These actios iclude creatig/deletig DNS zoes, addig ad deletig records, ad maagig the DNS widows services. Table 3.4 lists some commoly used DNScmd commads. Viewig cache If your DNS Server does recursive queries agaist other DNS Servers, it will begi buildig a cache of lookups it has performed. The ext time the same lookup is requested, the DNS Server simply pulls the query result from the cache. You ca view the cache by goig to the DNS Server, ad the goig to the View meu ad selectig the Advaced optio. You will see the cache folder appear i the maagemet cosole. You ca ope the zoe to review records or right click ad the optio Clear Cache to delete all cached copies of the records. Table 3.4 Commo DNScmd Commads Commad Descriptio Example DNScmd/zoeadd zoeame/primary DNScmd/zoeadd zoeame/secodary IP Address of Primary DNScmd/zoedelete zoeame DNScmd/eumzoes DNScmd/zoeprit zoeame DNScmd/recordadd zoeame hostame A IP Address DNScmd/recordadd FQDN of mail server Create a ew primary DNS zoe Create a ew secodary DNS zoe Delete a DNS zoe List DNS zoes o a server List all the DNS records i a zoe Create a ew host (A) record Create a ew mail exchager (MX) record DNScmd/zoeadd sygress.com/primary DNScmd/zoeadd sygress.com/secodary DNScmd/zoedelete sygress.com DNScmd/eumzoes DNScmd/zoeprit sygress.com DNScmd/recordadd sygress.com www A DNScmd/recordadd MX 100 mail.sygress.com

54 126 CHAPTER 3 Widows Server 2008 R2 etworkig Agig ad scavegig The agig ad scavegig process allows DNS to perform basic automated admiistratio by deletig old DNS records that are o loger i use. This feature will be more importat for AD-itegrated zoes but ca also be helpful for stadard primary/secodary DNS zoes. The agig ad scavegig process ca be set up o the server level, zoe level, or both. Server level settigs apply to all the zoes o the server. Zoe-level settigs ca be set o idividual zoes to override the serverlevel settigs. Agig ad scavegig are set up either i the server properties or i the zoe properties (see Figure 3.46). After providig your preferred scavegig settigs, you have to eable a DNS Server to actually ru the scavege process. To do this, ope the server properties widow, ad the select the Advaced tab. Click the optio Eable automatic scavegig of stale records (see Figure 3.47). Usig the default settigs, the scavege process will ru every seve days ad will purge records that have ot bee updated i fourtee days. FIGURE 3.46 Server Level Scavegig.

55 Plaig ad deployig DNS 127 FIGURE 3.47 Eablig a DNS Server to ru the scavege process. Overview of WINS The WINS provides ame resolutio services for NETBIOS ames o Widows etworks. WINS was origially developed to provide NETBIOS ame resolutio before Widows etworks relied so heavily o DNS. WINS works much like DNS i the sese that DNS maps FQDNs to IP addresses while WINS maps NETBIOS ames to IP addresses. You should probably try to avoid usig WINS if you are buildig a ew etwork. Microsoft is deemphasizig WINS i curret operatig systems ad may decide to remove support i future Widows versios. With that beig said, it is possible that at some poit you may ed up eedig to admiister a existig etwork that still uses WINS for legacy applicatios or operatig systems. You should uderstad how WINS works prior to takig owership of that etwork.

56 128 CHAPTER 3 Widows Server 2008 R2 etworkig NOTES FROM THE FIELD WINS ad IPv6 WINS is cosidered as a legacy ame resolutio service; thus it does ot support IPv6 addresses. You eed to keep this i mid if you have WINS deployed ad pla o movig to IPv6. You may wat to cosider GNZs i DNS istead of WINS. WINS is deemphasized to the poit that it is ot cosidered a role i Widows Server 2008 R2. To set up a WINS server, you will eed to istall the service from the Features ode i Server Maager (see Figure 3.48). FIGURE 3.48 Istall WINS Feature.

57 Plaig ad deployig DHCP 129 Oce the WINS feature is istalled, it ca be used immediately. You ca cofigure cliets ad servers to register with the WINS server, ad they will begi creatig records withi the WINS database. Whe plaig for WINS, you may wat to cosider placig a WINS server o larger etwork segmets to limit the amout of traffic beig set over WAN liks. Like DNS, you ca place multiple WINS servers o your etwork that replicate with each other. WINS servers ca be set up for push replicatio, pull replicatio, or both. Durig push replicatio, the server pushes chages out to replicatio parter. Durig pull replicatio, a WINS server pulls chages from a replicatio parter. If missio-critical applicatios rely o WINS, you should also cosider deployig multiple WINS servers for redudacy. Cliets ca the be poited to multiple WINS servers for failover i the evet that the primary server fails. PLANNING AND DEPLOYING DHCP We will roud out this chapter coverig the DHCP. As you leared earlier i this chapter, every device that commuicates o a TCP/IP etwork must have a IP address. This icludes computer workstatios, laptops, etwork priters, routers, ad servers. As you ca imagie, the umber of required IP addresses ca add up. Thik about maagig a etwork with 5000 computers or eve 10,000 computers. How do you assig IP addresses to each computer? This is where DHCP comes i. I this sectio, we will discuss what DHCP is ad how it works. We will also cover istallig ad cofigurig DHCP ad fiish out the sectio learig how to troubleshoot DHCP. Overview of DHCP Most admiistrators kow that maagig a large etwork ca be a dautig task at times. Ca you imagie how dautig it would be to maually assig IP addresses to every device o your etwork? DHCP solves this problem by creatig pools of IP addresses that ca be leased by computers. DHCP is a idustry stadard protocol used to assig IP addresses to cliet computers. So exactly how does this process work? The DHCP process is outlied i the followig steps ad depicted i Figure A cliet cofigured to use DHCP for IP assigmet seds a broadcast out to the etwork askig for a IP address. 2. The DHCP server picks up this broadcast ad offers the requestig DHCP cliet a IP address from its pool.

58 130 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.49 DHCP IP Assigmet Process. 3. The DHCP cliet seds a request back to the DHCP server basically statig that it truly wats to use the offered IP address. 4. The DHCP server the seds a ackowledgmet back to the DHCP cliet statig that it has accepted the request. 5. O a scheduled basis, based upo a DHCP server settig, the cliet will reew its lease ad sed a request to the DHCP server for reewal.

59 Plaig ad deployig DHCP If the DHCP server accepts the request, it seds aother ackowledgmet back to the DHCP cliet, iformig it that it ca cotiue to use the same IP address ad resets the lease period. Oce the ew lease period expires, the cliet must perform steps 5 ad 6 agai. DHCP provides ot oly IP addresses to cliets, but also other cofiguratio iformatio, such as DNS Servers, the default gateway, ad subet mask iformatio. Not oly does DHCP prevet you from havig to cofigure all of your devices, but also chages to your etwork ca be made to all DHCP cliets simply by makig a cofiguratio chage o the DHCP server. The ew cofiguratio chages are pulled dow by cliets whe they request a ew IP address. BEST PRACTICES Assigig IP addresses to servers I most cases, it is best practice to use static IP assigmets for servers. Additioally, it is highly recommeded that DHCP be ever used to assig IP addresses to DNS Servers or AD domai cotrollers. Plaig for DHCP Like DNS, DHCP is cosidered oe of the most critical services o Widows etwork. If DHCP fails, the the cliet computers do ot receive IP addresses ad thus they caot commuicate o the IP etwork. If you wat a reliable ad highly available IP etwork, the DHCP failure is ot a optio. There are several factors to cosider whe desigig your DHCP ifrastructure. The umber of physical ad logical etwork locatios requirig automatic IP cofiguratio Router placemet WAN coectios ad speed VLANs Availability requiremets IP cofiguratio optios set to cliets DHCP relay agets A key poit to remember is that DHCP requests are broadcasts that will ot traverse most etwork routers. This meas that you must put a DHCP server or DHCP relay aget o each IP segmet or subet. A DHCP relay aget is a compoet of Routig ad Remote Access that simply forwards DHCP requests to aother etwork segmet (see Figure 3.50).

60 132 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.50 DHCP Relay Aget Cofiguratio. NOTES FROM THE FIELD DHCP forwardig o etwork routers May of today's etwork routers provide DHCP-forwardig services. If your etwork routers support DHCP forwardig, you may wat to cosider usig them to forward DHCP requests istead of DHCP relay agets. Plaig for DHCP high availability Whe deployig DHCP servers, you will wat to esure that you provide highly available DHCP services. There are a couple of ways to achieve this:

61 Plaig ad deployig DHCP 133 Multiple DHCP servers This is the most commo method used to esure DHCP availability. I this sceario, you ca set up multiple DHCP servers ad distribute the active IP addresses across them. For example, DHCP Server 1 might offer IP addresses from to ad DHCP Server 2 might offer the IP addresses from to I the evet that DHCP Server 1 fails, DHCP Server 2 would still be olie ad offer addresses to DHCP cliets. Whe settig up multiple DHCP servers, you should cosider how you wat to split up your IP rages. Several commo practices exist, icludig the 80/20 split ad the 50/50 split. The 80/20 split ivolves addig 80% of your IP addresses to oe DHCP server ad 20% to the other server. Usig the 50/50 split, you place half of your IP addresses o oe DHCP server ad the other half o a secod DHCP server. DHCP cluster Usig Widows Clusterig Services you ca set up a DHCP server o the top of a Widows Cluster. This active/passive availability optio will allow a DHCP server to fail over to a secodary ode i the cluster if the primary ode fails. We will be explorig Widows Clusterig i Chapter 9. You ca use the Multiple DHCP server method, the DHCP Cluster method, or a combiatio of the two to provide high availability to DHCP. Deployig DHCP DHCP is istalled by addig the DHCP role i Server Maager. The iitial set up process will istall the DHCP compoets ad will take you through the iitial cofiguratio of the DHCP server. To add the DHCP server role, perform the followig steps: 1. Ope Server Maager from Start j Admiistrative Tools j Server Maager. 2. Click to highlight the Roles ode i the left pae. The click the Add Roles lik i the middle pae. This will lauch the Add Roles Wizard. 3. Click Next to begi the istallatio process. 4. Select DHCP Server from the list of available roles (see Figure 3.51). The click Next. 5. You will be take to the DHCP summary page. Click Next to cotiue. 6. The first cofiguratio optio will ask you to provide the domai ame ad the DNS Servers to provide to each cliet. These are the DNS Servers that each DHCP cliet will use for ame resolutio. Eter the IP address of two DNS Servers o your etwork, ad the click Next. 7. If you are usig WINS, you will eed to specify the IP addresses of the primary ad secodary WINS servers. If WINS is ot used, leave

62 134 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.51 Select DHCP Server Role. the optio WINS is ot required for applicatios o this etwork selected. The click Next. 8. You are ow ready to set up a DHCP scope. Remember that a scope is the rage of IP addresses you wat to make available to DHCP cliets. Eter the DHCP rage as see i Figure At this stage, you ca also set the subet mask ad default gateway to be used by DHCP cliets. After settig the scope rage ad optios, click OK. The click Next. 9. If you are usig IPv6, you ca ow add the DHCPv6 cofiguratio iformatio. For our example, we will disable stateless DHCP mode for the server. The click Next. 10. You will ow eed to authorize the DHCP server i AD, assumig that you have AD deployed o your etwork. DHCP authorizatio esures that oly authorized DHCP servers ca offer IP addresses to DHCP cliets. Choose or eter credetials that have the ability to authorize DHCP servers (see Figure 3.53), the click Next. 11. You will ow see the DHCP istall summary scree. Verify whether the settigs are correct. The click Istall. This process will ow istall, perform iitial cofiguratio, ad authorize DHCP.

63 Plaig ad deployig DHCP 135 FIGURE 3.52 Creatig DHCP Scopes. FIGURE 3.53 Authorize DHCP Server.

64 136 CHAPTER 3 Widows Server 2008 R2 etworkig 12. Oce the istallatio is completed, you should see a istallatio success message. The server should ow start to lease IP addresses to DHCP cliet computers. 13. The DHCP Maagemet cosole will appear uder the Roles ode i Server Maager. You ca go here to chage cofiguratio optios, icludig chagig lease settigs or addig additioal scopes. NOTES FROM THE FIELD DHCP advaced optios for devices Some devices like Voice over IP Phoes require custom optios to be set for the DHCP scope. These custom optios ca be added to DHCP easily but you will eed to get the full list of optios from your hardware provider. Admiisterig ad troubleshootig DHCP After DHCP is set up ad ruig, there is very little ogoig maiteace required. There are a few admiistrative cocepts that you eed to uderstad thoroughly. These iclude reservatios, exclusios, ad the ew allow ad dey filters. If you eed to add additioal IP rages to your DHCP server, you will simply eed to create a ew scope. This ca be doe by opeig the DHCP ode i Server Maager, ad the right clickig the DHCP server. You should select the optio Create ew scope. This will lauch the wizard to create a ew scope. Eter the ecessary cofiguratio iformatio similar to what you did durig the iitial istallatio of the role. Additioally, you ca add what is kow as a exclusio rage to a existig scope. A exclusio rage is just a rage of IP addresses to exclude from the rage beig offered to cliets. This ca be helpful if you have a rage of IP addresses that you temporarily do ot wat to be used o the server, or if you eed to reserve certai rages for etwork devices, priters, etc. DHCP Filters is a ew feature available i Widows Server 2008 R2. DHCP filters permit you to specifically allow or dey specific etwork adapter hardware addresses. The dey optio ca be very useful if you have a rogue computer that you wat to esure does ot get a IP address o your etwork.

65 Network Moitorig ad troubleshootig utilities 137 NETWORK MONITORING AND TROUBLESHOOTING UTILITIES To properly maage ad moitor your Widows etwork, you eed to become familiar with the tools required to maage, moitor, ad troubleshoot problems. Let us take a look at some of the basic etwork utilities. Pig This is oe of the most basic, yet most useful tool you will use whe troubleshootig server problems. The pig utility does just that it pigs a give server ame or IP address to see if the host is respodig o the etwork. If a server fails to respod to a pig, it may be off-lie. PathPig PathPig provides a more i-depth pig test that ot oly tests to see if the host is alive, but also displays the IP paths that the pig has goe through, such as etwork routers. PathPig also gathers statistics related to the pig test. NSLookup NSLookup is a key DNS ame resolutio testig utility. The NSLookup commad allows you to sed queries to DNS Servers to esure that they respod ad provide the correct result to the query. Network Moitor (etmo) Network Moitor allows you to capture etwork traffic ad packets o your etwork ad aalyze them. Network Moitor is a great utility to uderstad which servers talk to each other ad what protocols ad ports they use to do so. Usig pig, PathPig, ad NSLookup Pig, PathPig, ad NSLookup are great tools to assist with testig ad troubleshootig Widows etworks. Brief examples of usig each are provided below. As metioed, Pig ca be used to see if a IP address is alive o the etwork. The pig utility will also retur the time it took the ICMP pig packet to reach the target IP ad receive a reply. To perform a simple pig, ope a commad prompt ad issue the commad Pig IP Address or Hostame. For example, Pig or Pig server1 PathPig commads are issued i the same format but provide more i-depth aalysis of the path beig take by the pig. The NSLookup utility ca help you test ame resolutio usig DNS. To perform a simple DNS query test usig NSLookup, simply ope a commad prompt ad eter the commad NSLookup FQDN of host, for example, NSLookup You ca additioally move to a NSLookup cosole by simply eterig NSLookup at a commad prompt. From there you ca perform a query by eterig a hostame. You ca also

66 138 CHAPTER 3 Widows Server 2008 R2 etworkig chage DNS Servers for queries by eterig the commad server DNS Server FQDN, for example, server s1.sygress.com. Overview of Network Moitor Microsoft origially icluded a slimmed-dow versio of the Network Moitor as part of the operatig system. As a admiistrator, you could add the compoet ad use the lightweight Network Moitor versio. The fully featured versio of Network Moitor was icluded as part of System Maagemet Server (SMS). Recetly Microsoft released a fully fuctioal Network Moitor that was made available free from the Microsoft Dowload Ceter Web site. Network Moitor 3.3 ca be dowloaded via this lik: 983b941d-06cb-4658-b7f d062f After istallig Network Moitor, it ca be lauched from a desktop shortcut or via the Start meu. Upo lauchig, the mai Network Moitor widow will ope as see i Figure This is where you ca start a ew packet capture process ad select the etwork adapters to iclude i the capture. FIGURE 3.54 Microsoft Network Moitor.

67 Network Moitorig ad troubleshootig utilities 139 To begi a ew etwork capture, click the Capture butto opeig a ew capture tab. The click the Start butto. You will immediately see packet iformatio displayed i real-time as traffic flows to ad from the selected etwork iterfaces. After you have fiished capturig traffic, click the Stop butto. Whe troubleshootig, typically, you will start the capture just prior to a specific error appearig, ad the stoppig the capture after the error occurs. After you have captured etwork data, you ca view frame details of captured packets by selectig a frame i the frame summary pae. The details will be displayed i frame details (see Figure 3.55). Here you ca dissect exactly what iformatio was iside the frame. You ca optioally limit iformatio displayed i the frame summary pae by selectig the specific applicatio you wat to view from the left pae. If you wat to further limit the types of traffic displayed i the frame summary pae, you ca create filters. A filter is a way to view oly specific traffic based upo criteria defied i the filter. For example, if you wat to view oly URL traffic for sygress.com, you could apply the http URL filter as see i Figure The Network Moitor ca be a very valuable tool whe troubleshootig issues that are related to etwork coectivity. Usig Network Moitor, you FIGURE 3.55 Frame Details from Captured Packets.

68 140 CHAPTER 3 Widows Server 2008 R2 etworkig FIGURE 3.56 Usig a Network Moitor Display Filter. ca view i-depth details about where servers are attemptig to commuicate ad what type of traffic is beig set over particular etwork iterfaces. SUMMARY I this chapter, we covered what you eed to uderstad to desig ad implemet Widows Server 2008 R2 etworkig services. We explored IP etworkig basics ad core Widows etworkig services such as DHCP, DNS, ad Remote Access. We discussed how these techologies ca be implemeted o your etwork ad the features they brig to your Widows Server 2008 R2 deploymet. This chapter discussed the processes to desig ad implemet these services, usig Widows Server 2008 R2. This chapter cocluded with a itroductio to a few etwork maagemet ad moitorig utilities such as Pig, PathPig, NSLookup, ad Network Moitor.