TCP/IP on NT 4.0

Subnetting
Decimal   # Subnets   # Class A Hosts   # Class B Hosts   # Class C Hosts
.192      2           4,194,302         16,382            62
.224      6           2,097,150         8,190             30
.240      14          1,048,574         4,094             14
.248      30          524,286           2,046             6
.252      62          262,142           1,022             2
.254      126         131,070           510               NA
.255      254         65,534            254               NA

Binary values
128 10000000
64 01000000
32 00100000
16 00010000
8 00001000
4 00000100
2 00000010
1 00000001

Classes
A 1-126
B 128-191
C 192-223

IP routing
Windows NT Server has the ability to be configured as a router. This is known as a multihomed computer. A multihomed computer must have at least two network interfaces connected to separate subnets.

Each network interface is capable of having up to five IP addresses.

Multihomed computers can be configured as either static or dynamic routers.

  • ROUTE.EXE is used for configuring static gateways. The router must have the next router's destination IP address and hardware address loaded in its ARP cache for a successful hop.
  • Dynamic routers use the RIP protocol.

ARP - Address Resolution Protocol
ARP resolves IP addresses to hardware addresses. Each network adapter has a unique hardware address (commonly referred to as a MAC address) which it uses for identification on the network.

When there is a need to locate a computer/peripheral on the TCP/IP network, ARP first checks its local cache to see if it contains the hardware address for the computer/peripheral it is trying to connect to. If the address is not in the ARP cache, ARP broadcasts a request asking the owner of the known IP address for its hardware address. The computer it is trying to locate will receive the broadcast and send a reply with its IP and hardware addresses. Once the hardware address has been obtained, ARP stores the resolved IP and hardware addresses in its cache, then proceeds with communication.

The ARP cache can be viewed and edited using the ARP.EXE utility.

Name Resolution
Name resolution is the method of resolving a computer name to its IP address. The computer can have two names: a NetBIOS name and a Host name.
  • NetBIOS name - Microsoft's naming system implemented with LAN Manager, Windows and Windows NT.
  • Host name - an older naming system primarily used with UNIX systems.

    Typical orders for resolution methods:
    NetBIOS - Local NetBIOS name cache, WINS, Broadcast, LMHosts, Hosts, DNS.
    Host - Local host name, Hosts, DNS, local NetBIOS name cache, WINS, Broadcast, LMHosts.

    NetBIOS                    Host
    C  Cram                    H  Harry
    W  Well                    D  Didn't
    B  Before                  C  Cram
    L  Leaving                 W  Well
    H  (and) He'll             B  Before
    D  Do (well)               L  Leaving (to take the exam)

  • Local NetBIOS name cache
    The NetBIOS name cache contains every NetBIOS name that was recently associated with an IP address. This local cache helps reduce network traffic by eliminating the need for broadcasts or WINS queries; the computer can simply start communicating with the host.

    The local NetBIOS cache can be viewed with the NBTSTAT.EXE command.

    NetBIOS name resolution nodes
    NetBIOS name resolution nodes define the order of the methods a computer uses for name resolution.

    Note: regardless of which node the computer is using, the computer will always check the local NetBIOS name cache first, and the LMHOSTS file last.

    H-node - Hybrid node. The computer will first query the WINS Server for the mapping, then if not successful, will use (up to) 3 b-node broadcasts. By inserting the IP address of the WINS Server in the computer's network properties, it defaults to H-node.
    M-node - Mixed node. The computer will first use (up to) 3 b-node broadcasts, then if not successful, will query the WINS Server.
    P-node - Point-to-point (aka Peer-to-peer). The computer will only query the WINS Server.
    B-node - Broadcast. The computer will send out a broadcast to all computers on its local network to have the computer with the requested name send back a confirmation with its IP address. B-node is the default node method for non-WINS clients.

    To alter which node your computer uses, you will need to make the proper changes in the DHCP Server. You will be prompted to give a value for the node you wish to use.

    H-node = 08
    M-node = 04
    P-node = 02
    B-node = 01

    WINS - Windows Internet Naming Services
    WINS is a dynamic database located on a Windows NT Server, which stores NetBIOS names to IP address mappings.

    Microsoft recommends 1 primary and 1 secondary backup server per 10,000 clients.

    WINS operates with a push/pull replication method. WINS databases can be configured as one or the other, or both.

  • Push - The server will send its database changes once the number of changes has met a predetermined value in the push settings. This could cause traffic at the wrong time of day, and is not recommended over WAN links.

  • Pull - The server will pull database changes from another server at a predetermined time of day, or at regular intervals, as determined in the pull settings. It is recommended for WAN links, as it can be set up to pull changes after hours or at times of day when traffic is not as heavy.

    A WINS client attempts to renew its mapping with the primary WINS Server at 1/8th of its TTL (Time to Live) and then every two minutes after that, until it reaches 1/2 TTL. At 1/2 TTL it then attempts renewal once with the nominated secondary server (if one is present) and again at 1/8th TTL, then for every 2 minutes until TTL expires.

    Microsoft recommends compacting the database if it is over 30 MB in size. To compact the database, use the JETPACK.EXE utility.

    Corrupt Databases
    There are three ways to recover from a corrupt database:

    1) Stop and restart the WINS Services. If NT detects the database as being corrupt, it will automatically restore the backup copy when the WINS service restarts.
    2) In the WINS Manager, select the Restore Local Database option.
    3) Manually copy over the database from your backup directory.

  • WINS Proxy - A WINS Proxy is an NT computer, which is not already a WINS Server, that listens for b-node broadcasts from non-WINS computers. Once a b-node broadcast is detected, it intercepts the broadcast, and checks its local NetBIOS cache for the requested computer name. If the computer name is not found in the proxy's cache, it forwards the request to a WINS Server. The WINS Server then returns the mapping for the name, and the WINS Proxy forwards its findings to the requesting non-WINS computer.

    Non-WINS computers can have their NetBIOS name mappings stored in the WINS Server's database by being manually added. If your network was using LMHOSTS files before adding the WINS Server, you can import them into the database using the Add Static Mappings option.

  • LMHosts.
    The LMHosts. file, originally used with MS-LAN Manager, contains a list of NetBIOS name to IP address mappings. It is a regular text file named LMHOSTS. and is located in the %Systemroot%\system32\drivers\etc directory.

    To view a sample LMHosts. file, look in the Windows directory of your DOS/Windows95 computer (or the %Systemroot%\system32\drivers\etc directory on your NT machine), and open it with a text editor.

    The tags associated with the LMHosts. file are as follows:

    #PRE will cause the entry to be preloaded into the NetBIOS name cache.
    #DOM:domainname specifies the domain master browser in another domain. Must be preceded by the #PRE tag.
    #INCLUDE:\\servername\share\lmhosts. specifies the LMHosts. file on another computer, and will parse it as if it were local.
    #BEGIN_ALTERNATE precedes multiple #INCLUDE statements.
    #END_ALTERNATE follows multiple #INCLUDE statements.

    The LMHosts file is not case-sensitive.

    Note: All items after the # sign on the same line are noted as comments.
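    Because #PRE entries are loaded straight into the name cache and #INCLUDE pulls mappings from another machine, an LMHosts. file is worth reviewing line by line. The following parser is an added example, not part of the original notes; the function name audit_lmhosts and the sample file are constructed, and it accepts either a colon or a space after #INCLUDE as an assumption.

```python
def audit_lmhosts(text):
    """Parse LMHOSTS text and return (entries, includes, findings)."""
    entries, includes, findings = [], [], []
    in_alternate = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        upper = line.upper()          # the file is not case-sensitive
        if not line:
            continue
        if upper.startswith("#BEGIN_ALTERNATE"):
            in_alternate = True
        elif upper.startswith("#END_ALTERNATE"):
            if not in_alternate:
                findings.append((lineno, "#END_ALTERNATE without #BEGIN_ALTERNATE"))
            in_alternate = False
        elif upper.startswith("#INCLUDE"):
            parts = line[len("#INCLUDE"):].lstrip(": \t").split()
            path = parts[0] if parts else ""
            includes.append(path)
            if path.startswith("\\\\"):   # UNC path: mappings come from another host
                findings.append((lineno, "remote #INCLUDE trusts " + path))
        elif line.startswith("#"):
            continue                      # ordinary comment line
        else:
            fields = line.split()
            if len(fields) < 2:
                findings.append((lineno, "malformed mapping"))
                continue
            pre, dom = False, None
            for tok in fields[2:]:
                if tok.upper() == "#PRE":
                    pre = True
                elif tok.upper().startswith("#DOM:"):
                    dom = tok[5:]
                    if not pre:           # #DOM must be preceded by #PRE
                        findings.append((lineno, "#DOM without preceding #PRE"))
                else:
                    break                 # anything else is a trailing comment
            entries.append({"ip": fields[0], "name": fields[1], "pre": pre, "dom": dom})
    if in_alternate:
        findings.append((0, "#BEGIN_ALTERNATE never closed"))
    return entries, includes, findings

# Constructed sample file, not taken from a real host.
SAMPLE = r"""
# constructed sample
10.0.0.5    PDC01      #PRE #DOM:CORP   # domain controller
10.0.0.6    bdc01      #DOM:CORP
10.0.0.20   filesrv    # plain entry
#BEGIN_ALTERNATE
#INCLUDE:\\PDC01\public\lmhosts.
#include \\bdc01\public\lmhosts.
#END_ALTERNATE
"""
```

    Each finding is a (line number, message) pair; line number 0 marks a problem that only shows at end of file.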

    DNS - Domain Name Services
    Domain Name Services is a hierarchical server database which contains host name to IP address static mappings.

    DNS can be used to resolve NetBIOS names, but only when the box is checked to enable DNS for NetBIOS name resolution in TCP/IP properties in the Network configuration window.

    A CNAME is a method of DNS aliasing. It is normally used to alias a server as www or ftp.

    Windows NT is able to list up to three DNS Servers in its network properties.

    If a DNS Server is queried, but is unable to resolve the host name, it will return a negative acknowledgement to the querying computer. The querying computer will then attempt another method of name resolution, rather than trying the other DNS Servers.

    If a DNS Server is queried, but is unable to be located, the querying computer will then attempt to contact the next DNS Server in the list.

    A DNS Server can be set up to be a zone transfer server. Zone transfer will allow the DNS Server to query other DNS Servers if it is unable to resolve the request.

  • Secondary DNS server - A Secondary DNS server uses Zone Transfers to collect the DNS database from its Primary DNS Server.

  • Caching DNS Server - A Caching DNS Server does not maintain any static DNS records. All of its records are created by resolving DNS queries to a Primary or Secondary DNS server. Caching DNS servers thus add redundancy to the DNS namespace.

  • Hosts.
    The Hosts. file, originally used with UNIX systems, contains a list of host name to IP address mappings. It is a regular text file named HOSTS. and is located in the %Systemroot%\system32\drivers\etc directory.

    The Hosts. file is not case sensitive when working with NT networks. However, UNIX computer names are case-sensitive. When connecting from NT to UNIX, the hosts file must have proper case-sensitivity.

    A hostname containing numerals must be specified in the Hosts. file within single quotation marks (i.e. '1997').

    The Hosts. file is only parsed for NetBIOS name resolution when the box is checked to enable DNS for NetBIOS name resolution.

    DHCP - Dynamic Host Configuration Protocol
    DHCP is a server-based administration utility used to automatically assign IP addresses to clients.

    DHCP clients communicate with DHCP Servers via BOOTP broadcast messages, which can only cross routers if the router is an RFC 1542-compliant router and has BOOTP forwarding enabled.

    DHCP clients automatically attempt to renew their IP address lease after 50% of the lease has expired. The client will broadcast to the DHCP Server for a renewal. If the DHCP Server is not available to renew the IP address, the client will wait until 87.5% (7/8) of the lease has expired, and send a broadcast to all DHCP Servers for a renewal.

    Scope options are available for using custom settings. A scope is a range of IP addresses for a subnet. There are three options for scope settings:

    • Global - Changes made here affect all scopes available in the DHCP Server.
    • Scope - Changes made here affect only the highlighted scope.
    • Client - Changes made here affect only the specified client.

    Client Reservations need to be made for computers that require a static IP address to be reserved, such as domain controllers, member servers, web servers, etc., so that no other DHCP client attempts to take that address.

    In the scope options, options are available to let DHCP automatically update the client with addressing for WINS Servers, default gateways, etc.

    SNMP - Simple Network Management Protocol
    SNMP is a management tool used to monitor and control remote network devices. It can be used to poll specific information from the agent.

    SNMP must be installed on a Windows NT computer to enable Performance Monitor to monitor TCP/IP activity to and from your computer.

    An SNMP community is a functional group of SNMP agents and managers. Agents receive requests and report information to the SNMP managers for the communities the agent belongs to.

    An SNMP trap is an alert that, under predefined conditions or thresholds, the SNMP agent sends to the SNMP manager.

    Security

    • Send Authentication Trap - sends a message to the trap destinations if it receives a request with an incorrect community name.

    • Only Accept SNMP packets from these hosts - allows the agent to accept only packets from defined hosts. Defined hosts are known by either their IP or IPX addresses or by their host name.

    FTP - File Transfer Protocol
    FTP is used to transfer files from a computer to a server, or vice versa. FTP is a fast, error-free method of communication.

    Passwords are always sent to the FTP server unencrypted.

    To prevent disclosure of passwords, check the box Allow Anonymous connections only in the FTP Service properties box within the network properties window. Allow Anonymous Connections must first be enabled, by checking its box, before being able to Allow Anonymous connections only. Default anonymous user names are anonymous and ftp.

    FTP and NTFS can both be used to prevent unauthorized FTP access to places in the server.

    Troubleshooting

    The address 127.0.0.1 is used as a loopback test. Ping this address to test TCP/IP functionality.

    A default gateway must be on the same subnet as the host computer.

    Incorrect subnet masks will cause connectivity problems.

    Incorrect default gateways will keep you from communicating outside of the subnet.
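    The subnet table at the top of these notes and the gateway rule above can both be checked in a few lines. This is an added example, not part of the original notes: the function names and sample addresses are constructed, and the 2**n - 2 rule is the one the table's figures follow.

```python
import ipaddress

NETWORK_BITS = {"A": 8, "B": 16, "C": 24}   # default mask length per class
CLASS_RANGES = {"A": (1, 126), "B": (128, 191), "C": (192, 223)}

def address_class(ip):
    """Class by first octet, using the ranges listed under Classes."""
    first = int(ip.split(".")[0])
    for cls, (low, high) in CLASS_RANGES.items():
        if low <= first <= high:
            return cls
    return None  # 0, 127 (loopback) and 224+ are not host classes

def subnet_row(mask_octet, cls):
    """(usable subnets, usable hosts per subnet) for one row of the table.

    The all-zeros and all-ones values are excluded for both the subnet
    field and the host field, hence 2**n - 2 in each case.
    """
    borrowed = bin(mask_octet).count("1")
    if mask_octet != 256 - 2 ** (8 - borrowed):
        raise ValueError("mask bits must be contiguous")
    host_bits = 32 - NETWORK_BITS[cls] - borrowed
    hosts = 2 ** host_bits - 2 if host_bits >= 2 else None  # None = "NA"
    return 2 ** borrowed - 2, hosts

def gateway_on_local_subnet(host, mask, gateway):
    """True when the default gateway falls inside the host's own subnet."""
    subnet = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    return ipaddress.ip_address(gateway) in subnet

if __name__ == "__main__":
    for octet in (192, 224, 240, 248, 252, 254, 255):
        print(octet, [subnet_row(octet, c) for c in "ABC"])
    # Constructed addresses: same host and gateway, two different masks.
    print(gateway_on_local_subnet("192.168.1.40", "255.255.255.0", "192.168.1.1"))
    print(gateway_on_local_subnet("192.168.1.40", "255.255.255.224", "192.168.1.1"))
```

    With the .224 mask the host sits in the 192.168.1.32 subnet, so a gateway of 192.168.1.1 that worked under 255.255.255.0 is no longer reachable.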

    Commands & Utilities

    Know what all of these commands and utilities are used for.

  • NBTSTAT - Displays protocol statistics and current TCP/IP connections using NetBIOS. Is also used to display NetBIOS name cache.

  • NETSTAT - Displays protocol statistics and current TCP/IP network connections. Netstat shows statistics since the server was booted.

  • ARP - Used to display and edit the ARP cache. Is used to resolve IP addresses to hardware addresses.

  • TRACERT - Is used to determine what route a packet takes to get from the source to the destination.

  • ROUTE - Used to display and edit static routing tables.

  • IPCONFIG - Quickly displays Windows IP configuration settings.

  • IPCONFIG /ALL - Thoroughly displays Windows IP configuration settings.

  • LPQ - Displays status of a remote LPD print queue.

  • LPR - Sends a print job to a remote print queue.

  • Performance Monitor - Monitors network and computer statistics. Is able to log the data and export it for spreadsheet usage.

  • Network Monitor - Monitors network activity and is able to capture and look at packets of data sent over the network.

    Registry hacks

    TCP/IP

  • TCPWindowSize - Should be increased when having trouble with communications across WAN links. This will decrease the number of acknowledgements, the number of packets sent, and retransmission of out-of-order packets.

  • DefaultTTL - Defines default time to live. Should be increased if numerous links in the network path are slow and/or packets are constantly being discarded due to packet expiration.

  • TCPMaxConnectRetransmissions - Defines number of times TCP will retransmit a connect request before aborting the attempt. Increasing the value in small increments may allow a client to connect over a slow WAN link.

    Multihomed IP Router

  • ForwardBufferMemory - Defines amount of memory used by the router to store IP packets in the route queue. Increase the value if packets are constantly being discarded by the router.

  • NumForwardPackets - Defines the number of IP packets which the router stores in the route queue. Must be at least the same size that the ForwardBufferMemory has defined for the buffer's capacity.

  • TCPNumConnections - Limits the maximum number of connections TCP may have open simultaneously.
