11 Networking with Windows 7
TRANSCRIPT
Windows 7 – Windows 7 Networking
Page | 1
Windows 7 Chapter 11: Windows 7 Networking
Introduction
This block of notes discusses the technologies behind making a Windows 7 based
computer work within a Windows Server 2008 domain environment using both IPv4
and IPv6. The topics covered include wireless and wired network connectivity,
Windows HomeGroup, firewalls, remote management and virtualisation.
Understanding Networking
As with almost anything in computing, analysis and design are vital in networking
and will determine where and how the hosts are installed on the network. Factors
that influence the design include the number of users on the network, the
organisational structure, geographical location and the size of the budget. There
are two basic design methodologies: client-server networks and peer-to-peer
networks. In Microsoft speak, client-server networks are Active Directory
domain-based networks and peer-to-peer networks are workgroup networks.
Peer-to-peer networks tend to be small networks in which every computer has the
same status: they are peers and can act as clients or servers. Microsoft
recommends no more than ten hosts in a peer-to-peer network. The big advantage of
a peer-to-peer network is that it doesn't need expensive server software. The
downside is that it is difficult to manage and keep secure. If the network has ten
users and ten computers and every user needs access to every computer, each user
needs a username and password on every computer. That amounts to 10 × 10, or 100,
usernames and passwords for someone to manage.
Another disadvantage of peer-to-peer networks is backups. It is very difficult to
back up ten individual workgroup-based machines centrally, and even more difficult
to get the individual users to back up their own machines.
Client Server (Windows Server 2008 Active Directory) Networks
Active Directory requires a Windows Server platform such as Windows Server 2008 or
Windows Server 2008 R2. Active Directory is a single distributed database that
contains all the objects within a domain-based network. It is a logical
representation of the physical network, and the logical structure maps onto the
physical structure. Objects in Active Directory include user accounts, group
accounts, computer accounts and published objects such as shared folders and
printers.
The big advantage of Active Directory based networks is centralised management.
In the earlier peer-to-peer example, 100 accounts were needed to give the users
access to the resources they required. With a domain, only 10 accounts are
required. An administrator can determine, based on job function, which files or
folders a user can access and which system privileges they need.
An Active Directory structure is made up of one or more domains. A domain is a
logical grouping of objects within an organisation. In Microsoft speak a domain is
represented by a triangle. See Figure 1.
The Active Directory namespace is arranged in a hierarchy starting with a root
domain at the top. If a domain branches off from another domain, it is called a child
domain and the domain it branches off from is called the parent domain. The name
of the child domain will include the full name of the parent.
Figure 1
An Active Directory Forest
Looking at Figure 1 it can be seen that stevenson.ac.uk is the parent domain, that
it has two child domains, leith.stevenson.ac.uk and dalry.stevenson.ac.uk, and
that computing.leith.stevenson.ac.uk is the child of leith.stevenson.ac.uk, and so
on. As shown in Figure 1, child domains can be based on location, but they can
also reflect organisational structure.
A benefit of creating child domains is scalability. A single Active Directory domain
has the ability to store millions of objects, but child domains give an administrator the
flexibility to design a structure layout that meets the needs of their organization.
Between a parent domain and a child domain there exists a two-way transitive trust.
A trust allows a user to be granted access to resources in a domain even if their
account resides in a different domain. Because the trusts are two-way and
transitive, by default all domains within the same forest trust one another; the
forest, not the domain, is therefore the security boundary.
Another important feature of Active Directory is its extensible schema. The schema
defines all the object classes and attributes that the Active Directory database
can hold. For example, when a new user is created using Active Directory Users and
Computers (ADUC), the system asks for the user's first name, last name, username
and password. The definitions for these fields are held in the schema. The schema
is extensible and a member of the Schema Admins group can amend it, although doing
so by hand is not normally recommended practice. However, programs that are Active
Directory aware frequently modify the schema when they are installed. A common
example is Exchange Server, which extends the schema to hold the details of a
user's e-mail account.
Microsoft Networking Terms and Roles
A server is a machine that users connect to so they can access resources located on
that machine. For example, a file server stores files. Application servers can run
applications for the users. Sometimes a server is referred to by the specific
application it runs, for example, an SQL Server or an Exchange server.
A domain controller is a server that holds a replica of the Active Directory
database. All domain controllers are created equal in as much as they all hold the
same copy of Active Directory. However, some domain controllers have specialised
roles, such as hosting the Global Catalog, but these roles, except that of the
Global Catalog, are outside the scope of this course.
The Global Catalog is a database holding a partial representation of every object
in the forest. When a domain-based resource has to be located, the Global Catalog
is queried to find it. At least one Global Catalog server is required in an Active
Directory forest.
A member server is a server that is a member of a domain-based network but does
not contain a copy of Active Directory. It is good practice to put applications such as
Exchange and SQL Server on a member server.
A standalone server is not a member of a domain. Many organisations use this type
of server for server virtualisation: Windows Server 2008 is installed on a powerful
server, the Hyper-V role is added, and multiple virtual machines are created on it.
A copy of Windows Server installed in each virtual machine can then act as a domain
controller, a member server or any other type of server, even though the host
itself stays out of the domain.
A client machine is a computer that is normally used by a company's end users. The
most common operating systems for a client machine are Windows Vista and
Windows 7.
A Domain Name System (DNS) server has the DNS service running on it. DNS is a
name resolution service that turns a host name into an IP address (forward lookup)
or an IP address into a host name (reverse lookup). Hosts have easily remembered,
user-friendly names like www.stevenson.ac.uk; computers, unfortunately, talk to
each other using the rather less convenient IP addresses. DNS takes the
user-friendly host name and returns the IP address, and can also convert an IP
address back into a host name when asked to. DNS resolves both IPv4 and IPv6
addresses, using A records for IPv4 and AAAA records for IPv6.
Windows 7 also supports Link-Local Multicast Name Resolution (LLMNR), a separate
protocol that reuses the DNS packet format. It lets IPv4 and IPv6 hosts on the
same local link resolve each other's names by multicast when no DNS server can
answer. Because the query goes to every host on the link and nothing authenticates
the reply, any machine on that link can answer for any name; on domain-joined
networks where DNS is authoritative, LLMNR is commonly switched off through Group
Policy.
DNS is a requirement for Active Directory. DNS can be installed before or during
the installation of Active Directory.
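The following Python script, added here as an illustration and not part of the original notes, builds an LLMNR query and parses a reply to show that LLMNR really is the DNS wire format on a different port and multicast group. Nothing is sent: the reply is a constructed byte string standing in for what a neighbour on the link would return, and the host name fileserver and the addresses in it are made up.

```python
"""Build and parse LLMNR messages, which reuse the DNS wire format (RFC 4795).

Added example, not code from the original notes. Nothing is sent on the wire:
constructed_response() stands in for what a neighbour on the link would return,
and the host name and addresses used are made up. LLMNR queries go by multicast
to 224.0.0.252 or FF02::1:3 on UDP port 5355; any host on the link may answer,
and the 16-bit transaction ID is the only thing a client can check.
"""
import ipaddress
import struct

LLMNR_PORT = 5355
LLMNR_IPV4_GROUP = "224.0.0.252"
LLMNR_IPV6_GROUP = "ff02::1:3"
QTYPE_A, QTYPE_AAAA = 1, 28
QCLASS_IN = 1
HEADER = "!HHHHHH"          # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """One question, flags all zero (LLMNR has no recursion-desired bit)."""
    header = struct.pack(HEADER, txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # 2-byte compression pointer
            hops += 1
            if hops > 8:                    # refuse pointer loops in hostile replies
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes, expected_txid: int) -> list:
    """Return [(name, rtype, ttl, address), ...] from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(HEADER, msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addr = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addr = str(ipaddress.IPv6Address(rdata))
        else:
            addr = rdata.hex()
        answers.append((name, rtype, ttl, addr))
    return answers


def constructed_response(txid: int, name: str, addresses: list) -> bytes:
    """Constructed reply (not captured traffic) answering with the given addresses."""
    header = struct.pack(HEADER, txid, 0x8000, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    body = b""
    for addr in addresses:
        packed = ipaddress.ip_address(addr).packed
        rtype = QTYPE_A if len(packed) == 4 else QTYPE_AAAA
        # 0xC00C points back to the question name at offset 12.
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 30, len(packed)) + packed
    return header + question + body


if __name__ == "__main__":
    query = build_query(0x1234, "fileserver")
    reply = constructed_response(0x1234, "fileserver", ["192.168.1.20", "fe80::1"])
    print(query.hex())
    print(parse_response(reply, 0x1234))
```

The transaction ID check is all the protocol offers a client; a spoofed reply only has to be first and carry the right 16-bit ID, which is why the Group Policy setting that turns multicast name resolution off is the usual fix on domain networks.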
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP address
configurations to appropriately configured client computers. Every computer needs
at least three things to operate properly on the Internet and intranet: an IP
address, a subnet mask and a default gateway, which is the IP address of the
internal interface of the router that connects the internal LAN to the outside
world. A properly configured DHCP server can provide much more, including the IP
addresses of the preferred and alternate DNS servers and the IP address of a WINS
server if required. If a client that is configured to use DHCP cannot reach a DHCP
server, it assigns itself an address in the range 169.254.x.x. This is called an
Automatic Private IP Address and is provided by the Automatic Private IP
Addressing (APIPA) service. DHCP issues IPv4 addresses; its IPv6 counterpart,
DHCPv6, issues IPv6 addresses.
For redundancy, a network should, budget permitting, have multiple domain
controllers, DHCP servers, DNS servers and Global Catalog servers. For example, if
the network only has one DHCP server and it fails, clients requesting IP addresses
will end up with APIPA addresses and will be unable to communicate with computers
that have valid IP addresses, or with the Internet.
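A quick check a practitioner would run on a client that cannot reach the network is to look for an APIPA address in ipconfig /all. The Python script below, an added example rather than anything from the notes, parses such output and flags DHCP-enabled adapters that fell back to APIPA or have no default gateway. The SAMPLE text is a constructed excerpt in the shape of Windows 7 ipconfig /all output; the adapter names and addresses in it are made up.

```python
"""Check 'ipconfig /all' output for signs of a failed DHCP lease.

Added example, not code from the original notes. SAMPLE is a constructed
excerpt in the shape of Windows 7 'ipconfig /all' output (names and addresses
are made up); on a real machine pass the captured output to dhcp_findings().
"""
import ipaddress
import re

APIPA = ipaddress.IPv4Network("169.254.0.0/16")

SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS7-LAB01
   Primary Dns Suffix  . . . . . . . : stevenson.ac.uk

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : stevenson.ac.uk
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Property lines are indented three spaces, padded with " . " and end in ": value".
PROPERTY = re.compile(r"^ {3}(\S.*?)[ .]*:(?: (.*))?$")


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {property: value}} from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headings are unindented and end with a colon.
        if line and not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            adapters[current] = {}
            continue
        m = PROPERTY.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), (m.group(2) or "").strip()
            adapters[current][key] = re.sub(r"\(.*\)$", "", value)   # drop "(Preferred)"
    return adapters


def dhcp_findings(text: str) -> dict:
    """Flag DHCP-enabled adapters that fell back to APIPA or have no gateway."""
    findings = {}
    for name, props in parse_ipconfig(text).items():
        if props.get("DHCP Enabled") != "Yes":
            continue
        problems = []
        addr = props.get("Autoconfiguration IPv4 Address") or props.get("IPv4 Address")
        if addr and ipaddress.IPv4Address(addr) in APIPA:
            problems.append("APIPA address: no DHCP lease obtained")
        if not props.get("Default Gateway"):
            problems.append("no default gateway")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for adapter, problems in dhcp_findings(SAMPLE).items():
        print(adapter, "->", "; ".join(problems))
```

An adapter that shows up here cannot be blamed on the application layer: either no DHCP server answered on that segment, or the one that answered handed out an incomplete configuration.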
Configuring Windows 7 NIC Devices
A network interface card (NIC) is a hardware component used to connect one host to
other hosts on the network. The most common place to find a network adapter is in
a computer, but they are needed by any host connecting to a network, such as
network printers, routers, switches, firewalls and Intrusion Detection Systems
(IDSs). Network adapters do not need to be separate cards; they can be built in,
as is the case with most medium and budget-priced motherboards. Like any other
hardware device, a NIC needs a driver to communicate with the operating system.
Check that a NIC is on the Windows 7 compatibility list before trying to use it
with Windows 7 and that it has plug and play capability. If it is on the approved
list, there will most likely be a driver in the Windows 7 driver CAB file, which
means that plug and play will install it properly using the driver in the CAB file.
Configuring a Network Adapter
Once installed, the NIC can be configured using its Properties dialog box. There
are several ways to get to the network adapter property pages: one is the Network
and Sharing Center, another is Computer Management, and a third is directly
through Device Manager. Since the Network and Sharing Center is covered in detail
later in the chapter, this is how it is done using Device Manager. To open the
Properties dialog box:
1. Click Start and type Device Manager in the Windows search box to launch Device
Manager.
2. Expand the Network Adapters node.
3. Right-click the NIC and click Properties to open the driver property box, as
shown in Figure 2.
The Properties dialogue box has five tabs: General, About, Driver, Details and
Resources.
The General tab shows the name of the adapter, the device type, the manufacturer
and the location. The Device Status box shows whether or not the device is working
properly. If the NIC isn't working properly, the Device Status box displays an
error code and a brief description of what the operating system deems to be the
problem. The error code can be used to do an Internet search for a resolution to
the problem.
Figure 2
NIC driver Property box
The content of the About tab depends on the NIC itself and its driver. Figure 3
shows the About tab for the NIC currently installed in my PC. Some NICs replace
the About tab with an Advanced tab.
In general the Advanced tab where it exists will contain a property list and a value
list. To configure options in this dialog box, choose the property to be modified in the
Property list box and specify the desired value for the property in the Value box on
the right. See Figure 4
The Driver tab provides information such as the driver provider, the date the
driver was released, the driver version and the provider of the digital signature.
The information will often vary depending on the NIC. The Driver tab for my NIC is
shown in Figure 5.
Figure 3
The About tab in the NIC driver Property box
Figure 4
The Advanced tab in the Marvell Libertas wireless NIC driver Property box
Clicking the Driver Details button launches the Driver File Details dialogue box,
which provides the following information about the driver: the location of the
driver file (useful for troubleshooting), the original provider of the driver, the
file version (also useful for troubleshooting), copyright information and the
digital signer of the driver. The digital signer is worth a glance: 64-bit
Windows 7 will only load kernel-mode drivers that carry a valid signature, and a
driver signed by someone other than the hardware vendor or Microsoft deserves a
closer look before it is trusted.
The Update Driver, Roll Back Driver, Disable and Uninstall buttons do pretty much
what they say. Update Driver launches a wizard that steps through the driver
update process. Roll Back Driver can be used to roll the driver back to the
previous version should an update break the device. Disable is used to disable the
device; once the device is disabled, the Disable button becomes an Enable button.
Uninstall removes the driver from the computer's configuration. The device should
be uninstalled before it is physically removed from the computer.
The Details tab lists the device's properties, such as its hardware IDs, one
property at a time from a drop-down list. This information varies from device to
device. Figure 6 shows the Details tab for my own NIC.
Figure 5
The Driver tab in the NIC driver Property box
The Resources tab of the network adapter's Properties dialog box lists the
resource settings for the NIC, including interrupt request (IRQ), memory and
input/output (I/O) resources. This matters if other devices are trying to use the
same resource settings. Conflicts are not normally an issue with Windows 7, as
plug and play should set up non-conflicting parameters; if there are issues,
however, the Conflicting Device list box at the bottom of the Resources tab shows
the conflicts.
Troubleshooting a NIC
When a NIC just won't work there can be a number of causes. The NIC may not be on
the Windows 7 Hardware Compatibility List (HCL); if so, use the Internet to see
whether the vendor has released a compatible driver, since there is unlikely to be
one in the Windows 7 CAB file.
The driver might be out of date, in which case click the Update Driver button and
have Windows search for a better driver, or check for the latest driver on the
hardware vendor's website.
If Windows 7 does not recognise the NIC, try installing it manually.
Another troubleshooting step is to make sure that the settings for the network
card are correctly configured.
Make sure that all network cables are functioning and are of the correct type.
This includes making sure that the connector is properly seated and that the cable
is a straight-through or crossover cable as appropriate for the device it is
plugged into: a switch needs a straight-through cable and another PC a crossover
cable. Most Gigabit Ethernet NICs and modern switches support automatic MDI/MDI-X
and will work with either, but older Fast Ethernet equipment often does not.
Figure 6
The Details tab in the NIC driver Property box
Finally, verify that the device(s) that the computer is connected to is (are) working.
For example, on a Fast Ethernet network, make sure the switch ports are functioning
properly.
Configuring Wireless NIC Devices
Wireless technology has matured to the point where it is a cost-effective method
of networking that can be made reasonably secure. Very few homes in the UK are
without their own mini wireless network, as several members of the family all want
to use the same router to get out onto the Internet.
Windows 7 supports wireless auto-configuration, which automatically discovers the
available wireless networks and connects the computer to the preferred one.
Convenient as this is, there is still at least one vital consideration to take
into account, namely security.
A Windows 7 compatible wireless NIC will be recognised automatically by the
operating system. Once installed the wireless NIC will be displayed in both the
Device Manager and the Network and Sharing Center. The Network and Sharing
Center is illustrated in Figure 7 showing a wireless connection to stevenson.ac.uk.
Figure 7
The Network and Sharing Center
To access the Network and Sharing Center click Start > Control Panel > Network and
Internet > Network and Sharing Center, or click Start and type Network and Sharing
Center in the Windows integrated search box.
Viewing the Wireless Network Connection Status
The Wireless Network Connection Status window displays, among other things, the
network layer (layer 3) connectivity status for IPv4 and IPv6, the media state,
the Service Set ID (SSID), how long the connection has been active and the signal
quality. See Figure 8.
The Details button of the Wireless Network Connection Status window provides
detailed information including the physical address, logical address, DHCP
settings, name resolution and much more. This is a very useful place to look when
troubleshooting a connection.
Exercise 1 – Viewing the Network Connection Details
1. Click Start, type Network and Sharing Center in the Windows 7 integrated search
window and press Enter.
2. Select the Wireless Network Connection menu item from the View Your Active
Networks section.
3. Click the Details button.
4. Review the Network Connection Details for this connection.
Figure 8
The Wireless Network Connection Status
The Activity section of the Wireless Network Connection Status window shows
real-time traffic (in bytes) sent to and received from the network. The Wireless
Network Connection Status window also provides access to the Wireless Network
Connection Properties, which include access to the wireless adapter configuration.
To open the Properties dialogue, click the Properties button in the Activity
section. The Wireless Network Connection Properties dialogue is shown in Figure 9.
The Networking tab on the Wireless Network Connection Properties page can be
used to show which NIC is being used for the connection. The Sharing tab is for
configuring Internet Connection Sharing, which is a mechanism for allowing the other
users on the network access to the Internet through this machine‟s Internet
connection.
The “This Connection Uses The Following Items” list is used to display and
configure the various clients, services and protocols that are currently available
for the connection. Network clients, network services and network protocols can
be installed or uninstalled by clicking the appropriate buttons. Clicking the
Properties button opens the Properties page for the currently selected item; if
the Properties button is greyed out, no properties page is available for that
item. The Configure button opens the network adapter's hardware configuration
property pages, which are the same pages as those accessed through Device Manager.
Figure 9
The Wireless Network Connection Properties dialogue
Exercise 2 – Viewing the Wireless Network Connection Properties
1. Click Start, type Network and Sharing Center in the Windows 7 integrated search
window and press Enter.
2. Select Wireless Network Connection from the View Your Active Networks section.
3. Click the Properties button in the Activity section.
4. Click the Configure button.
5. View the various tabs regarding the network adapter properties.
6. Choose Cancel to return to the Wireless Network Connection Status window.
Configuring Wireless Network Security
Network security is vital and is intimately related to the wireless access point
or wireless router to which the computer is connected. Whether the network is
large or small, its security needs careful planning. There are several basic steps
that can be taken, including disabling the broadcasting of the SSID, creating a
MAC address filter list and enabling encryption such as WPA2.
When the SSID is not broadcast the network is not shown in the list of available
networks, and the wireless NIC has to be configured manually to connect to that
SSID. This only deters casual discovery: the SSID still travels in the clear in
the probe and association frames of every client that joins, and clients
configured to connect to a hidden network will probe for it by name wherever they
go.
A MAC address filter list specifies the MAC addresses that are allowed to connect
to the device. Remember, however, that MAC addresses, just like IP addresses, can
be spoofed, and a MAC address in use on the network is visible to anyone
listening.
The best way to secure the network is with good, solid encryption and
authentication: WPA2 with AES (CCMP), using a long passphrase for WPA2-Personal
or 802.1X for WPA2-Enterprise. WEP is broken and should not be used, and WPA with
TKIP is deprecated.
There is a variety of wireless network connectivity devices, ranging from
enterprise scale to home-based wireless routers. In either case the Windows 7
client must be set up to match the security settings of the wireless access
device. Most modern wireless access devices have a built-in web server that
allows them to be configured over HTTP from a web browser. Windows 7 can also be
used to configure a wireless access device, as follows.
Exercise 3 – Configuring a Wireless Access Point
1. Click Start, type Network and Sharing Center in the Windows 7 integrated search
window and press Enter.
2. Select the Set Up A New Connection Or Network option.
3. Select Set Up A New Network to configure a new router or access point and then
click Next.
4. Select the appropriate wireless access device from the Set Up A Network window
and then click Next.
5. If requested, enter a PIN or password or any other required identification and
click Next.
6. On the next screen, configure the security settings and then click Next. These
settings will need to be configured on each client connecting to the wireless
network.
7. Click Finish.
Once the access device has been configured, the Windows 7 clients still need to be
configured. If the network connection is unencrypted, Windows 7 will connect
automatically without much user intervention. This is not a good idea even on a
home-based network: other nearby users can use the connection, which amounts to
stealing bandwidth that someone else has paid for, quite apart from the risk of
somebody reading the data, such as bank or credit card details, going across the
connection.
If the connection is secured, the Windows 7 client will have to be configured with
the correct security settings.
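Since the security of the link rests on the authentication and cipher the profile negotiates, it is worth auditing the profiles saved on a Windows 7 client. The Python script below is an added example, not code from the notes: it parses the security settings section of netsh wlan show profile output and rates each authentication/cipher pair. The SAMPLE text is constructed in the shape of that output and the profile names in it are made up; on a real machine run netsh wlan show profile name=<profile> for each saved profile and feed the output to audit_profiles().

```python
"""Audit saved wireless profiles for weak security settings.

Added example, not code from the original notes. SAMPLE is a constructed
excerpt in the shape of 'netsh wlan show profile name=...' output on Windows 7
(profile names are made up). Ratings reflect what is known today: WEP is
cryptographically broken, TKIP is deprecated, and an open network has no
encryption at all.
"""
import re

SAMPLE = """\
Profile CoffeeShop on interface Wireless Network Connection:
=======================================================================

Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent

Profile OldRouter on interface Wireless Network Connection:
=======================================================================

Security settings
-----------------
    Authentication         : Open
    Cipher                 : WEP
    Security key           : Present

Profile HomeNet on interface Wireless Network Connection:
=======================================================================

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present

Profile stevenson.ac.uk on interface Wireless Network Connection:
=======================================================================

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent
"""

PROFILE_HEADER = re.compile(r"^Profile (.+?) on interface .*:$")
SETTING = re.compile(r"^\s+(Authentication|Cipher)\s*:\s*(\S.*)$")

# Verdict per (authentication, cipher). Anything not listed is reported as
# unknown and left for manual review rather than silently accepted.
RATINGS = {
    ("WPA2-Enterprise", "CCMP"): "ok",
    ("WPA2-Personal", "CCMP"): "ok",
    ("WPA2-Personal", "TKIP"): "weak: TKIP is deprecated, use AES (CCMP)",
    ("WPA-Personal", "TKIP"): "weak: WPA/TKIP is deprecated, use WPA2 with CCMP",
    ("Open", "WEP"): "broken: WEP is cryptographically broken",
    ("Open", "None"): "unencrypted: traffic can be read by anyone in range",
}


def parse_profiles(text: str) -> dict:
    """Return {profile name: (authentication, cipher)}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_HEADER.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        m = SETTING.match(line)
        if m and current is not None:
            profiles[current][m.group(1)] = m.group(2).strip()
    return {
        name: (s.get("Authentication", "?"), s.get("Cipher", "?"))
        for name, s in profiles.items()
    }


def audit_profiles(text: str) -> dict:
    """Map each profile to a verdict; only profiles rated 'ok' need no attention."""
    return {
        name: RATINGS.get(pair, f"unknown combination {pair}: review manually")
        for name, pair in parse_profiles(text).items()
    }


if __name__ == "__main__":
    for name, verdict in audit_profiles(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Profiles that are not rated "ok" are the ones the client will happily rejoin automatically, so removing them (netsh wlan delete profile) is usually the right follow-up rather than leaving them saved.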
Exercise 4 – Accessing the Wireless Properties
1. Click Start, type Network and Sharing Center in the Windows 7 integrated search
window and press Enter.
2. Choose the Wireless Network Connection from the View Your Active Networks
section of the Network and Sharing Center.
3. Click the Wireless Properties button within the Connection area of the
Wireless Network Connection Status window. See Figure 10.
4. The Wireless Network Properties tabbed dialog box opens, displaying the current
setup for the wireless network.
Some wireless cards have an extra button next to the Details button, called
Wireless Properties, which when clicked opens the Wireless Network Properties
dialogue box, from which the Windows 7 client configuration can be set. This
particular card, a relatively inexpensive Realtek 8185, lacks this facility.
Where the facility does exist it usually has two tabs: Connection and Security.
The Connection tab displays the following information: the name assigned to the
network, the SSID, the network type, network availability, and the options
Connect Automatically When This Network Is In Range, Connect To A More Preferred
Network If Available and Connect Even If The Network Is Not Broadcasting Its Name.
The SSID is a user-friendly name for the wireless network. Some wireless access
devices are able to broadcast more than one SSID at the same time, allowing one
device to support more than one wireless network. The SSID is usually broadcast by
default.
Network type shows the mode the wireless network is using. If this parameter is set
to Access Point the wireless network is in infrastructure mode. If it is set to
Computer-To-Computer then the network is in ad hoc mode.
Figure 10
The Wireless Network Connection Properties
Network Availability displays to whom the wireless network profile is available,
for example All Users or Me Only.
When selected, the Connect Automatically When This Network Is In Range option
allows automatic connection to the wireless network. Deselecting it requires the
user to select this wireless network for connection. If the Connect To A More
Preferred Network If Available option is selected as well, Windows 7 will attempt
to connect to a preferred network. If there is more than one preferred network,
Windows 7 might switch back and forth when both are available at the same time.
Clearing this check box allows the currently connected network to stay connected
until it is no longer available, which can prevent dropped data or even dropped
connections.
If the network is not broadcasting its SSID, select the Connect Even If The
Network Is Not Broadcasting Its Name (SSID) option to allow Windows 7 to connect
automatically.
The Security tab is for configuring the security parameters as defined in the security
policy and configured on the wireless network access devices.
Troubleshooting Wireless Connectivity
There are a few common issues that can occur with wireless networks; here are
some of them, together with possible solutions.
The first and most obvious thing to do is to make sure that the wireless NIC is
enabled. If a laptop has a hotkey for enabling and disabling the NIC, make sure
it hasn't been accidentally disabled.
Sometimes the signal from an access point is attenuated by walls or other
barriers between the access point and the computer with the wireless NIC. This is
a common problem in Edinburgh, where the walls in some of the city's Georgian
buildings in the New Town are very thick.
The access device and the wireless card must be compatible. For example, an
802.11a wireless NIC can only connect to an 802.11a access device or an
802.11a/b/g device that has been configured to accept connections from an
802.11a NIC. Wireless NICs that are compatible with the 802.11b standard can
connect only to 802.11b or 802.11b/g access devices configured to accept
connections from an 802.11b NIC. An 802.11n card should connect to an 802.11n
access device for best performance, although most will negotiate down to the best
standard both sides support.
Make sure that the security parameters are the same on the NIC and the access
point.
When connecting to an access point that is not broadcasting an SSID, select the
Connect Even If The Network Is Not Broadcasting check box in the Wireless
Network Properties dialog box.
Smaller organisations and home networks use so-called wireless routers, which are
in fact small layer three switches: they combine the functions of a router with a
number of Ethernet switch ports for connecting hard-wired devices on the private
network, as well as an Internet port to connect to the outside world.
When troubleshooting this type of device, start with the hard-wired devices and
see whether they can communicate with each other and with the Internet, just to
eliminate the router as the source of the problem.
Understanding TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of
industry-standard protocols for network, internetwork and Internet connectivity,
including: Internet Protocol (IP), Transmission Control Protocol (TCP), User
Datagram Protocol (UDP), Address Resolution Protocol (ARP), Internet Control
Message Protocol (ICMP) and Internet Group Management Protocol (IGMP).
The Features of TCP/IP
TCP/IP is a dependable and scalable suite of protocols that provides a common
structure for network communications across a wide variety of hardware and
operating system software. It is independent of the operating systems used at the
upper end of the OSI model and of the physical components at the lower end of the
OSI model.
TCP/IP comes with a host of connectivity tools including, among others, HTTP, FTP,
TFTP, Telnet and Finger, support for TCP/IP network printing, and a plethora of
diagnostic and management tools including ipconfig, arp, ping, nbtstat, netsh,
route, nslookup, tracert and pathping, together with a Simple Network Management
Protocol (SNMP) agent used to monitor performance and resource use of a TCP/IP
host, server or other network hardware device. Telnet, FTP, TFTP and SNMP
versions 1 and 2 carry their data and credentials in the clear, so they should be
replaced by their encrypted equivalents or kept off untrusted networks. TCP/IP
also supports multihoming, that is the use of multiple NICs, which is usually
associated with routing for internetwork connectivity.
TCP/IP is without doubt the industry standard networking protocol suite and with the
introduction of IPv6 is likely to remain so for the foreseeable future.
TCP is connection-oriented and, at the transport layer, verifies that each data
segment is received before passing it to the application running at the
Application Layer. Where segments are lost or corrupted it requests
retransmission. TCP/IP also supports Quality of Service (QoS), which allows
time-sensitive data streams to get preferential treatment.
TCP/IP is flexible and scalable enough to allow a network to be divided into multiple
segments or subnets to facilitate network traffic management. In addition it is highly
fault tolerant and can dynamically re-route packets around failed links, assuming that
such paths exist.
TCP/IP provides support for Domain Name System (DNS) and Dynamic Host
Configuration Protocol (DHCP). DNS provides host name-to-IP address resolution
and DHCP provides automatic IP address configuration to appropriately configured
clients. For clients that are unable to contact a DHCP server, APIPA will provide
an IP address in the range 169.254.0.0 to 169.254.255.255. The Alternate
Configuration feature allows a static address to be used on a network adapter
when no DHCP lease can be obtained. This supports mobile users who lease a DHCP
address when working in the office and attach to a statically addressed network
at home or at another office.
The biggest change to TCP/IP is the introduction of IPv6, which has a much larger
address space and, more importantly, builds many features that were optional
add-ons to IPv4 into the standard protocol. Take-up in the UK has been slow, but
it is being rolled out by Internet Service Providers in the USA, and where the
USA leads the UK is bound to follow.
IPv6 Addressing
At first sight IPv6 looks daunting. In truth it is no harder than IPv4, and
although an IPv6 address like
4305:A93E:BADC:8956:3586:8D9C:7032:1423
looks forbidding, it has a good deal of logic to its construction.
IPv6 Shorthand Notation
An IPv6 address consists of 8 groups of 4 hexadecimal digits, 32 hexadecimal
digits (128 bits) in total. The shorthand notation drops zeros in two ways.
Leading zeros within a group may be omitted, so 0002 becomes 2 and 0001 becomes
1. A double colon (::) replaces one run of consecutive all-zero groups and can be
read as “fill with zero groups until the address is complete”; it may appear only
once in an address, otherwise the number of missing groups would be ambiguous.
For example the multicast address
FF02:0000:0000:0000:0000:0000:0001:0002
can be shortened to FF02::1:2. The five groups 0000:0000:0000:0000:0000 collapse
into the double colon, and the leading zeros of 0001 and 0002 are dropped.
To recover the original address, count the groups that are present, which gives
the number of groups the double colon stands for, and pad every group back to
four digits. Here FF02, 1 and 2 are three groups, so the double colon stands for
8 − 3 = 5 groups of zeros. The three parts are therefore:
FF02:
0000:0000:0000:0000:0000:
0001:0002
Putting them together gives FF02:0000:0000:0000:0000:0000:0001:0002, which is
the original IPv6 address.
For those needing a mantra or set of rules:
1. Count how many octets are at the end. In this case, there are two octets. One
octet contains one, and the other octet contains two.
2. Place zeros until reaching the first of the octets at the end.
3. Next start with FF02 and then place zeroes until the seventh octet, which ends in
a 2:
FF02:0000:0000:0000:0000:0000:0001:ZZZZ
4. Check the remaining octets for possible shorthand; then place zeros to fill them
in.
Anatomy of an IPv6 Address
At the most basic level IPv6 addresses are broken into two 64-bit portions, one of
which is called the prefix portion and one of which is called the host portion, or the
interface ID.
The first 48 bits of the prefix portion of the address are given over to three
organizations: the Internet Corporation for Assigned Names and Numbers (ICANN),
the Regional Internet Registry (RIR) and the Internet service provider (ISP). The next
16 bits are allocated to subnet addressing, which is sufficient for 65,536 subnets. The
second portion of the address, the 65th to the 128th bit, is the host portion of the
network. This is enough for 2^24 hosts.
IPv6 Address Types
In IPv6 there are three important address types: Unicast, Multicast and Anycast.
A unicast address is an address that is absolutely unique to a particular host.
A multicast address is effectively a grouping of addresses that is used for sending
and receiving information to (from) that group.
Anycast is a network addressing and routing methodology in which datagrams from
a single sender are routed to the topologically nearest node in a group of potential
receivers all identified by the same destination address.
IPv6 Static and Dynamic Addressing
IPv6 addresses can be dynamic or static. Dynamic addresses are assigned by a
Dynamic Host Configuration Protocol version 6 (DHCPv6) Server, whereas static
addresses are assigned manually by someone with the appropriate rights.
It is important both for the SQA and Microsoft tests to have a clear understanding of
the conventions IPv6 uses to assign addresses to a network. There are four
possible combinations: two of which are used for static addressing and two of which
are used for dynamic addressing.
EUI-64
One of the great benefits of having such a long host field is the ability to build a
great deal of uniqueness into an individual address. A host interface normally
supports two types of address: a unique physical address (MAC address) and a
configurable logical address (IP address). A MAC address is 48 bits in length,
which is normally expressed as 6 pairs of hexadecimal digits. For example:
00-1A-A0-05-2A-B7.
For the purposes of getting to grips with the anatomy of an IPv6 address, split the
MAC address into two sets of 6 digits as follows: 001AA0 052AB7.
When the Internet Engineering Task Force (IETF) formulated the IPv6 standard they
decided that the use of the modified MAC address in the host field would have the
dual benefit of making the host address unique and allowing a static address to be
entered without the need to type every single digit. However, a MAC address is 16
bits short of the full host field of 64 bits, so some padding is required. This entails
inserting the hex field FFFF into the centre of the MAC address so that it becomes
001AA0 FFFF 052AB7. Finally, the seventh bit of the MAC address has to be
inverted¹. This means taking the first two hex digits, which in this case happen to be
00 hex or 00000000 in binary, and inverting the penultimate bit so that it reads
00000010 binary or 02 hex. The new address thus becomes 021AA0 FFFF 052AB7,
or more concisely 021A:A0FF:FF05:2AB7.
¹ The reasons for this are fully specified in the appropriate RFC. Recommended reading for the
merely curious or the insomniac.
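The EUI-64 construction above in code, as an added example that is not part of the course notes. It follows the IETF rule in RFC 4291 Appendix A (the 16 padding bits inserted in the middle are FFFE, and the universal/local bit of the first byte is inverted) and also reverses the process, so the page's MAC 00-1A-A0-05-2A-B7 yields 021A:A0FF:FE05:2AB7; the function names are this example's own.

```python
# Added example (not part of the course notes): derive a modified EUI-64
# interface ID from a MAC address. It follows RFC 4291 Appendix A: split the
# 48-bit MAC in the middle, insert the 16 bits FFFE, and invert the
# universal/local bit, which is bit 7 (value 0x02) of the first byte. The MAC
# 00-1A-A0-05-2A-B7 is the one worked through in the text above.
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00-1A-A0-05-2A-B7, 00:1a:a0:05:2a:b7 or 001AA0052AB7."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_eui64(mac: str) -> str:
    """Return the 64-bit interface ID as four colon-separated hex groups."""
    b = bytearray(parse_mac(mac))
    b[0] ^= 0x02                                        # flip the universal/local bit
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])     # pad 48 -> 64 bits
    text = eui.hex().upper()
    return ":".join(text[i:i + 4] for i in range(0, 16, 4))


def eui64_to_mac(interface_id: str) -> str:
    """Reverse the process: recover the MAC embedded in an interface ID."""
    raw = bytearray(bytes.fromhex(interface_id.replace(":", "")))
    if len(raw) != 8 or raw[3:5] != b"\xff\xfe":
        raise ValueError("interface ID does not carry an embedded MAC address")
    raw[0] ^= 0x02
    return "-".join(f"{x:02X}" for x in raw[:3] + raw[5:])


def link_local_from_mac(mac: str) -> str:
    """Link-local address (FE80::/64) a host derives from its MAC via EUI-64."""
    groups = [g.lstrip("0") or "0" for g in mac_to_eui64(mac).split(":")]
    return "FE80::" + ":".join(groups)


if __name__ == "__main__":
    mac = "00-1A-A0-05-2A-B7"
    iid = mac_to_eui64(mac)
    print(mac, "->", iid, "->", link_local_from_mac(mac))
    print("recovered MAC:", eui64_to_mac(iid))
```

Because the MAC can be recovered this way, an EUI-64 interface ID lets a machine be tracked from network to network; Windows 7 uses randomised interface IDs by default for that reason, and eui64_to_mac is a quick check for whether an address still embeds a MAC.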
Manual Assignment
An IPv6 address can be assigned manually. Each piece of the address is typed in
manually using hexadecimal notation. See Figure 11.
DHCPv6
In DHCPv6 there are two supported modes: stateful and stateless. Stateful DHCP
tracks the state of the interfaces it communicates with, such as how long the lease on
the dynamic address lasts. Since IPv6 doesn't use broadcasts, it requires the use of a
default multicast address: FF02:0000:0000:0000:0000:0000:0001:0002.
In stateless DHCP, the "state information" such as whether an interface is up or
down, how long the lease exists, and so on is ignored. Typically, stateless DHCP is
used in conjunction with stateless autoconfiguration, a method used by IPv6 to
automatically assign addresses to given interfaces based on their EUI-64 address.
The essential difference between stateless and stateful is that stateless doesn't
remember IP addresses, but it can still supply information such as the location of a
DNS server.
There will be much more to say about IPv6 and DHCPv6 in DF9M 34 and DF9N 34,
Network Server Operating Systems and Network Infrastructure.
Figure 11: Configuring IPv6
IPv4
It is customary in textbooks to introduce IPv4 before IPv6. Unfortunately this creates
the impression that IPv6 is “more difficult” than IPv4, which simply isn't true. If
anything the very opposite is true. However, even though IPv4 will eventually be
replaced by IPv6 it will be a relatively slow process, and it is therefore necessary to
understand the principles of IPv4.
IPv4 Address Ranges
IPv4 uses a set of four octets to create an individual, but not necessarily unique,
logical address that can be used for the purposes of routing packets across
networks. A subnet mask partitions the address into different subnets for the
purpose of sending and receiving broadcast traffic.
There are five basic classes of IP address that are defined by the first few bits of the
first octet of the IP address and by the subnet mask. For the benefit of the SQA
exams and the Microsoft exam the most important classes are classes A, B and C,
which are described in Table 1.
Table 1: TCP/IP address classes
Address Class   Number of network bits   Number of host bits   Maximum number of hosts
A               8                        24                    16,777,214
B               16                       16                    65,534
C               24                       8                     254
Each of these classes of networks is assigned a given range that is predefined for a
given network design. Given your address class, you will fall into one of the ranges
listed in Table 2.
Table 2: TCP/IP address class ranges
Address Class   Address range
A               1.0.0.0 to 126.255.255.255
B               128.0.0.0 to 191.255.255.255
C               192.0.0.0 to 223.255.255.255
When designing a network two key pieces of information are the number of subnets
and the number of hosts that are required. Once in possession of this information
the process of sub-netting can begin.
Addressing and Sub-netting IPv4
The following sections assume a working knowledge of the basics of binary, hex,
and decimal conversion.
Working with the Number of Hosts and Sub-networks
Assume that the brief is to build a network to support one server and 5 clients, so
that the subnet mask must support six computers.
The default subnet mask for a Class C network is 255.255.255.0 or in binary notation
11111111.11111111.11111111.00000000. The ones represent the network portion
and the zeros represent the host portion.
One way to calculate the number of host bits required is to take 2, raise it to the
number of host bits and then subtract two to allow for the network and broadcast
addresses. For example:
2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
From the list it can be seen that 2^3 = 8 will support 6 hosts plus the network and
broadcast addresses. This means the subnet mask for the network is
11111111.11111111.11111111.11111000 or 255.255.255.248. In shorthand, this
would be written as /29, because it uses 29 bits.
The number of bits available for the sub-networks is five: 2^5 = 32 subnets.
Addressing a Given Topology
Consider a network with six offices. Office two acts as a hub for the other five
offices. The immediate job in hand is to subnet the network. The network address
assigned to the project is 209.81.3.0. Checking back to Table 2 indicates that this is a
Class C network, which means a default subnet mask of 255.255.255.0, which
means concentrating on the last octet.
To support six subnets requires 3 bits, because 2^2 = 4 is not enough but 2^3 = 8,
which is two more than required; thus the subnet mask is 209.81.3.224. The number
of hosts is given by the formula 2^n – 2, where the minus 2 accounts for the network
address and the subnet broadcast address. Hence the number of hosts that can be
supported on each network is 2^5 – 2 = 30.
When sub-netting an IP address in this way, it is necessary to calculate the range of
the IP addresses in each network, because a sub-netted network cannot
communicate with an IP address that is outside the range of its own subnet without a
router. To calculate the range of the sub-nets, take the last bit position set in the
subnet mask and calculate its value, which in the case under consideration is 32.
Starting at zero in the last octet, keep adding 32 until reaching the total of 224, as
follows:
209.81.3.0
209.81.3.32
209.81.3.64
209.81.3.96
209.81.3.128
209.81.3.160
209.81.3.192
209.81.3.224
The broadcast addresses can be located by subtracting 1 from the last octet of all these
numbers, with the exception of 0, as follows:
209.81.3.0
209.81.3.31
209.81.3.63
209.81.3.95
209.81.3.127
209.81.3.159
209.81.3.191
209.81.3.223
The usable addresses are those in between and are summarized in Table 3.
Table 3: The TCP/IP subnet ranges
Network Address   Broadcast Address   Usable Addresses
209.81.3.0        209.81.3.31         209.81.3.1 to 30
209.81.3.32       209.81.3.63         209.81.3.33 to 62
209.81.3.64       209.81.3.95         209.81.3.65 to 94
209.81.3.96       209.81.3.127        209.81.3.97 to 126
209.81.3.128      209.81.3.159        209.81.3.129 to 158
209.81.3.160      209.81.3.191        209.81.3.161 to 190
209.81.3.192      209.81.3.223        209.81.3.193 to 222
209.81.3.224      209.81.3.254        209.81.3.225 to 253
Exercise 5 – Sub-netting a network
Debbie has just been employed by MegaGames, a leading firm of games developers.
MegaGames is a multi-national corporation with an office in Dundee that has about
100 users.
Currently, the part of the network that Debbie has responsibility for is broken down
into three separate networks connected by WAN links. The Enterprise
Administrator, who is based in the California office, has decided that he wants
Debbie to re-address her network using the address space of 209.113.60.0.
The topology consists of three sites. Site A has one user, Site B has 25 users and
Site C has 30 users. Debbie's brief is to use the fewest possible number of sub-
networks, but each of these must have enough host bits to support the required
number of users.
What subnet mask would Debbie need for the whole network, and what three
broadcast addresses would she need to assign, assuming that the corporate
specifications for network design require the lowest incremental broadcast address
to be applied to Site A, the next highest to Site B, and the next highest to Site
C? MegaGames has no plans to expand its operations in Dundee given the refusal
of the UK Government to provide adequate tax incentives, so growth is not a
consideration in this design.
Since none of the networks has more than 30 users and growth is not an issue, the
number of bits required for the hosts is 5 (2^5 = 32). This leaves 3 bits for the network
portion.
This means that the subnet mask for the network as a whole is a /27 mask, or in long
hand 255.255.255.224, and the network addresses are:
209.113.60.0
209.113.60.32
209.113.60.64
209.113.60.96
The required broadcast addresses are:
209.113.60.31
209.113.60.63
209.113.60.95
Having learned the theory behind sub-netting, now would be a good time to introduce
a useful shorthand method of calculating subnets called “Clark's Magic Number”².
Clark's Magic Number is 256. Having worked out the value of the final octet of
the subnet mask, subtract it from 256. In the example above this
becomes 256 – 224 = 32, which is the number that is repeatedly added in order to
get all of the subnets.
There is a lot more to say about IPv4 that is beyond the scope of this course.
However, it covers enough to demonstrate how much harder IPv4 is than IPv6.
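The subnetting arithmetic of the sections above (the 2^n - 2 host rule, the six-office topology on 209.81.3.0, Exercise 5 on 209.113.60.0, and Clark's Magic Number) carried through as an added Python example that is not part of the course notes; the function names are this example's own, and the hand-rolled ranges are cross-checked against Python's ipaddress module.

```python
# Added example (not part of the course notes): the subnetting arithmetic of
# the sections above, carried through in code. host_bits_for() applies 2^n - 2,
# class_c_subnets() steps through a /24 with "Clark's Magic Number"
# (256 minus the mask's last octet), and plan() cross-checks the result with
# Python's ipaddress module. Function names are this example's own.
import ipaddress


def host_bits_for(hosts: int) -> int:
    """Smallest n with 2**n - 2 >= hosts (network and broadcast excluded)."""
    n = 1
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def subnet_bits_for(subnets: int) -> int:
    """Smallest n with 2**n >= subnets."""
    n = 0
    while 2 ** n < subnets:
        n += 1
    return n


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix, e.g. 29 -> 255.255.255.248."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))


def class_c_subnets(network: str, prefix: int) -> list:
    """(network, broadcast, first usable, last usable) for each /prefix subnet
    of a /24 block, found by repeatedly adding the magic number."""
    if not 25 <= prefix <= 30:
        raise ValueError("prefix must be /25 to /30 to subnet a Class C block")
    base = network.rsplit(".", 1)[0]                 # e.g. "209.81.3"
    last_octet = int(mask_from_prefix(prefix).rsplit(".", 1)[1])
    step = 256 - last_octet                          # Clark's Magic Number
    rows = []
    for start in range(0, 256, step):
        bcast = start + step - 1                     # all host bits set to 1
        rows.append((f"{base}.{start}", f"{base}.{bcast}",
                     f"{base}.{start + 1}", f"{base}.{bcast - 1}"))
    return rows


def matches_stdlib(network: str, prefix: int, rows: list) -> bool:
    """Cross-check the hand-rolled ranges against ipaddress."""
    block = ipaddress.ip_network(f"{network}/24")
    expected = [(str(n.network_address), str(n.broadcast_address))
                for n in block.subnets(new_prefix=prefix)]
    return [(r[0], r[1]) for r in rows] == expected


def plan(network: str, hosts_per_subnet: int, subnets: int):
    """Pick the prefix that satisfies both requirements inside a /24 and
    return (prefix, mask, rows)."""
    hb = host_bits_for(hosts_per_subnet)
    sb = subnet_bits_for(subnets)
    if hb + sb > 8:
        raise ValueError(f"{subnets} subnets of {hosts_per_subnet} hosts do not fit in a /24")
    prefix = 32 - hb
    rows = class_c_subnets(network, prefix)
    if not matches_stdlib(network, prefix, rows):
        raise AssertionError("magic-number ranges disagree with ipaddress")
    return prefix, mask_from_prefix(prefix), rows


if __name__ == "__main__":
    # The six-office topology above: up to 30 hosts per office on 209.81.3.0.
    prefix, mask, rows = plan("209.81.3.0", hosts_per_subnet=30, subnets=6)
    print(f"/{prefix}  mask {mask}")
    for net, bcast, first, last in rows:
        print(f"{net:14} {bcast:14} {first} to {last}")
    # Exercise 5: sites with 1, 25 and 30 users on 209.113.60.0, fewest subnets.
    prefix, mask, rows = plan("209.113.60.0", hosts_per_subnet=30, subnets=3)
    print("site broadcasts:", [r[1] for r in rows[:3]])
```

For the last subnet the calculation gives 209.81.3.255 as the broadcast address (all host bits set) and 209.81.3.254 as the last usable host.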
Configuring a Windows 7 Machine to use DHCP
If a client is configured to receive a dynamic IP configuration, a DHCP Server is
required to provide that IP configuration. On a large network, trying to assign IP
addresses by hand would be both time consuming and error prone.
Exercise 5 – Configuring the NIC in a Windows 7 client to obtain a dynamic address
1. Click Start and type Network and Sharing Center in the Windows 7 integrated
search box.
2. In the Network and Sharing Center window, click the Local Area Connection item
in the View Your Active Networks section.
3. Click the Properties button in the Activity section of the Local Area
Connection Status box.
4. In the Local Area Connection Properties dialog box, make sure the IPv4 check box
is checked and then select Properties. (DHCP also works for IPv6.)
5. Choose the Obtain An IP Address Automatically radio button on the General
tab of the Properties dialog box.
6. Choose the Obtain DNS Server Address Automatically radio button on the
General tab of the Properties dialog box.
7. To use this configuration, click OK to accept the selection and close the dialogue
box.
² Clark's Magic Number is named after my colleague Margaret Clark, who first explained it to me.
If the machine is not connecting to the local LAN and the Internet correctly, open a
command-line window and type ipconfig and then press Enter. If the IP address
begins with 169.254.x.y the machine is unable to locate a DHCP Server and has
leased itself an APIPA address.
Automatic Private IP Addressing (APIPA)
An APIPA address is assigned to a computer that is configured to lease a dynamic
IP configuration from a DHCP Server but cannot locate a DHCP Server. Because it
leases itself the IP configuration it may lease itself the same address as another
node on the network. To prevent this, a client leasing itself an APIPA address will
broadcast its address to the network and if another node has the same address it will
lease itself another APIPA address and try again. It will do this up to ten times.
This means APIPA could be used to provide IP configurations to a small office or
home network to save using DHCP or configuring all of the hosts with static IP
addresses.
However, there is potentially scope for duplicate IP addresses if there are more than
ten hosts on the network.
If on a larger enterprise network the DHCP Server fails, and there is no other DHCP
Server available to service a DHCP request, any client requesting an IP address
configuration will end up with an APIPA address, while some of the hosts will have a
properly configured IP address leased from the DHCP server before it crashed. The
computers with the addresses leased before the DHCP server crashed will be able
to communicate with each other. The computers with APIPA addresses can
communicate with each other. Unfortunately the two groups won't be able to
communicate, as they are effectively on separate subnets. A wise administrator,
if he or she can afford it, will have multiple DHCP Servers to address this particular
scenario.
IPv4 to IPv6 Transitional Techniques
In spite of its obvious advantages it will be impossible to switch over to IPv6
overnight. This means that for the transitional period there needs to be a
mechanism for interoperating IPv4 with IPv6. The three methods discussed in the
next few sections are: dual stacking, tunneling, and translation.
Dual Stacking
Dual stacking involves operating both an IPv4 address and an IPv6 address. In
Windows 7 dual stacking is implemented by default, which means the ipconfig
command displays both the IPv6 hexadecimal address and the dotted decimal IPv4
address. Both the IPv4 and the IPv6 addresses are logical addresses, and there is
no reason why a network adapter cannot be identified by multiple logical addresses.
This can be done in one of two ways: by using a complete dual stack or by using a
dual IP layer.
Dual stacking creates a separate stack through which each protocol travels. An
implication of this is that networking devices like routers must be capable of
supporting both IPv4 and IPv6 and each stack will require its own Transport Layer
(Layer 4) implementation that interfaces with the Application Layer.
In dual layer implementations the network portion contains both the IPv4 and IPv6
implementations, and they both access the same transport layer. This technology is
supported by Windows 7 and Windows Server 2008 R1 and R2.
Dual stacking and dual layer becomes complicated with the introduction of DNS.
Unfortunately, the record types for IPv4 and IPv6 are completely different so it is
necessary to maintain records for both types of implementation.
Tunneling
IP Tunneling is in principle very simple. Tunneling IPv6 through an IPv4
infrastructure can be achieved by attaching an IPv4 header to the IPv6 packet. This
can be done in one of two ways, automatically or manually. Manually configured
tunnels can be configured by using the netsh interface ipv6 add v6v4tunnel
command. Automatic tunnels can be configured using 6to4, Teredo, or ISATAP.
Tunneling Between Devices
Suppose there are two IPv6 networks separated by an IPv4-only infrastructure.
Given that the routers that connect the IPv6 networks to the IPv4 network are
capable of supporting both IPv6 and IPv4, they will communicate with each other by
referencing the network behind each of the routers and then sending the IPv6
packets across the IPv4 infrastructure by encapsulating them in IPv4 packets.
When two hosts running both IPv4 and IPv6 stacks in an IPv4 infrastructure
communicate, IPv6 packets can be sent across the IPv4 infrastructure by
encapsulating the IPv6 packets in an IPv4 packet to create a tunnel through the
IPv4 network.
When operating between hosts that reside behind firewalls or routers, a host
running IPv4 can communicate between infrastructures operating different IP
protocols by encapsulating the IPv6 packets in an IPv4 packet to create a tunnel
containing IPv6 packets. As usual, routers have to be capable of supporting both
IPv4 and IPv6. When an IPv4-capable computer sends a request to the router with
an embedded IPv6 packet, the receiving router examines the internal IPv6 packet
and then forwards that packet on to the IPv6 host computer running in an IPv6
infrastructure.
6to4
6to4 is a direct method of translating from IPv6 to the IPv4 protocol. It does so by
implementing both the IPv4 and IPv6 protocol stacks, converting the IPv4 addresses
into standard IPv6 addresses by inserting them into hexadecimal IPv6 format. The
translated address takes the form 2002:AABB:CCDD:subnet:InterfaceID, where AA is
the hexadecimal representation of the first octet of the IPv4 address, BB is the
second octet, CC is the third octet, and DD is the fourth octet.
As an example consider the IPv4 address 129.118.1.3. Converting each octet to hex
gives:
129 = 81
118 = 76
1 = 1
3 = 3
So the fully translated address would take the form: 2002:8176:13:subnet:InterfaceID
Within 6to4 tunneling, the entire subnet is treated as a single link. Hosts are
automatically given their 2002:AABB:CCDD:Subnet address with a /64 mask. If the
given address is not found the information is passed onto a 6to4 router that exists on
a /16 mask by default.
A Windows Server 2008, Windows Vista and Windows 7 computer can act as a
6to4 router through Internet Connection Sharing (ICS).
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
ISATAP is an automatic dual stacking tunneling technology that is installed by
default in Windows Vista, Windows 7 and Windows Server 2008. ISATAP allows
computers operating IPv6 in IPv4 infrastructures to communicate with IPv4 clients in
the same subnet.
ISATAP can be used for either public or private addressing. With public unicast
addressing, ISATAP uses the global address
::5EFE:A.B.C.D.
where A.B.C.D are the octets of the IPv4 address, together with the private address
of
::200:5EFE:A.B.C.D
where once again, A.B.C.D are the octets of the IPv4 address. Using this
methodology ISATAP creates a link-local address that can be used to communicate
between devices through tunneling.
To communicate with additional subnets running either pure or mixed IP protocols,
an ISATAP router is required. Normally, this router is resolved either through the
mapping of the "ISATAP" hostname or by the use of the netsh interface isatap set
router command, which allows the address of the router to be manually specified in
either Windows Server 2008 or Windows 7.
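The 6to4 and ISATAP address forms above in code, as an added Python example that is not part of the course notes: it builds the 6to4 prefix for an IPv4 address and recovers the IPv4 address embedded in 6to4, ISATAP and Teredo addresses, which is what an analyst needs when checking a dual-stack network for tunnelled traffic that IPv4-only inspection never sees. It assumes the RFC 3056 rule that each octet is zero-padded to two hex digits (so 129.118.1.3 gives 2002:8176:0103::/48) and the RFC 4380 Teredo layout (prefix 2001:0::/32, client IPv4 address stored inverted in the last 32 bits); the function names and the log lines are this example's own.

```python
# Added example (not part of the course notes): build a 6to4 prefix from an
# IPv4 address and recover the IPv4 address embedded in 6to4, ISATAP and
# Teredo addresses. Per RFC 3056 each octet is zero-padded to two hex digits,
# so 129.118.1.3 becomes 2002:8176:0103::/48; ISATAP interface IDs carry
# 0000:5EFE or 0200:5EFE before the IPv4 address; Teredo (RFC 4380) uses the
# 2001:0::/32 prefix and stores the client's public IPv4 address inverted in
# the last 32 bits. Function names are this example's own.
import ipaddress


def six_to_four_prefix(ipv4: str) -> str:
    """2002:AABB:CCDD::/48 for the given IPv4 address."""
    octets = ipaddress.IPv4Address(ipv4).packed          # four raw bytes
    return f"2002:{octets[:2].hex()}:{octets[2:].hex()}::/48"


def embedded_ipv4(ipv6: str):
    """Return (mechanism, ipv4) for a transition address, else None."""
    raw = ipaddress.IPv6Address(ipv6).packed               # 16 raw bytes
    if raw[:2] == b"\x20\x02":                             # 6to4: 2002::/16
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    if raw[8:10] in (b"\x00\x00", b"\x02\x00") and raw[10:12] == b"\x5e\xfe":
        return "ISATAP", str(ipaddress.IPv4Address(raw[12:16]))
    if raw[:4] == b"\x20\x01\x00\x00":                     # Teredo: 2001:0::/32
        client = bytes(x ^ 0xFF for x in raw[12:16])       # undo the inversion
        return "Teredo", str(ipaddress.IPv4Address(client))
    return None


def tunnelled_sources(log_lines: list) -> list:
    """Pick out the transition addresses in 'src=<ipv6> ...' log lines so that
    tunnelled traffic (which IPv4-only inspection never sees) can be reviewed."""
    found = []
    for line in log_lines:
        for token in line.split():
            if token.startswith("src="):
                try:
                    hit = embedded_ipv4(token[4:])
                except ValueError:
                    continue                               # not an IPv6 address
                if hit:
                    found.append((token[4:], *hit))
    return found


if __name__ == "__main__":
    # Constructed log sample (not real traffic).
    sample = [
        "src=2002:8176:0103::1 dst=2001:db8::10 proto=tcp dport=445",
        "src=fe80::200:5efe:192.168.1.10 dst=ff02::1 proto=icmpv6",
        "src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 proto=tcp",
        "src=2001:db8::5 dst=2001:db8::10 proto=tcp dport=80",
    ]
    print(six_to_four_prefix("129.118.1.3"))
    for addr, mech, v4 in tunnelled_sources(sample):
        print(f"{mech:7} {addr:40} carries {v4}")
```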
Teredo
Teredo is also known as Network Address Translator Traversal (NAT-T). What it
does is provide a unicast address for each device located within the NAT pool. It
does so by sending IPv6 data over the User Datagram Protocol (UDP), establishing a
tunnel directly between two individual hosts. The process breaks down into two
portions: initial client configuration and initial client communication.
1. The client sends a router solicitation request (RS) to a Teredo server with the
cone flag set. The cone flag is a high-order bit that indicates a device is behind a
NAT.
2. The Teredo server responds with a router advertisement (RA) from a router that
is on an alternate IPv4 address so it can determine whether the address is
behind a NAT.
3. If the RA is not received, the client repeats the RS with the cone flag not set.
4. The server responds with an RA from the source address to the destination
address. If the client receives the RA, it is behind a restricted NAT.
5. To make sure there isn't a symmetric NAT in place, the client sends another RS
to an alternate server.
6. The alternate server responds. If the RAs differ, the NAT is not mapping the
same internal address and UDP port number consistently (a symmetric NAT), and
Teredo will not be available.
Teredo has several different methods of initial communication based on what type of
NAT the client is assigned under. The most commonly referenced of these is a
situation where a client resides on a restricted NAT, in which case the process of
two computers, A and B, communicating is as follows:
1. Client A sends a bubble packet to Client B.
2. Client A sends a bubble packet to Client B through Client B's Teredo server.
3. Client B's Teredo server forwards the packet to Client B.
4. Client B responds to the packet with its own bubble packet to Client A.
5. Client A determines NAT mappings for both NATs.
Testing an IP Configuration
There are a number of tools and utilities that can be used to test and troubleshoot a
TCP/IP configuration. These include: ipconfig, ping, and nbtstat. A graphical view of
the connection details is available from Local Area Connection Status in the
Network and Sharing Center.
The ipconfig command (see Figure 12) is a command line utility used to examine the
IP address configuration of the network interfaces on a network host.
ipconfig comes with a number of switches, ranging from /? for getting help to
/setclassID, which can be used to modify the DHCP class ID. See Table 4.
Figure 12: ipconfig
Table 4: ipconfig switches
Switch            Description
/?                Provides help for all of the ipconfig switches
/all              Shows verbose information about an IP configuration, including the computer's physical address, the preferred DNS server, and whether the address is static or dynamically assigned
/allcompartments  Shows IP information for all compartments
/release          Releases the current IPv4 address assigned by DHCP
/release6         Releases the current IPv6 address assigned by DHCP
/renew            Renews the current IPv4 address assigned by DHCP
/renew6           Renews the current IPv6 address assigned by DHCP
/flushdns         Flushes the DNS Resolver cache
/registerdns      Registers or re-registers the client's credentials with DNS
/displaydns       Displays the contents of the DNS Resolver cache
/showclassid      Lists the DHCP IPv4 class IDs allowed by the computer
/showclassid6     Lists the DHCP IPv6 class IDs allowed by the computer
/setclassID       Modifies the IPv4 DHCP class ID
/setclassID6      Modifies the IPv6 DHCP class ID
TCP/IP Troubleshooting
The way in which to troubleshoot a TCP/IP configuration rather depends on the
nature of the problem. For example, if a single machine cannot access the Internet
then start troubleshooting from that machine, as the fault is likely to be with that
machine. If all of the users are having the same problem, a good place to start is
with the default gateway.
When troubleshooting a PC, start by checking that the Ethernet drop cable is
properly connected. Next, make sure the NIC and the NIC driver are properly
installed. If the driver for the NIC is not in the Windows 7 driver .cab file it might be
necessary to get the driver from an accompanying CD or from the manufacturer's
Web site.
The next step is to open a command window and run ipconfig and make sure there
is a valid IP address configuration. If the IPv4 address is in the range 169.254.0.0
to 169.254.255.255 the NIC has been configured to obtain its IP configuration from a
DHCP Server but cannot locate a DHCP Server. If the network uses static IP
addressing, give the computer a static IP address. If the computer should be getting
an IP address from a DHCP Server, make sure the server is up and running and
hasn't crashed. Next ping the loopback address on the NIC. Do this by typing ping
127.0.0.1 at a command prompt and then pressing Enter. See Figure 13.
This will test to make sure the TCP/IP stack is correctly installed on the NIC. Next
use ping to try and reach a host on the same subnet. If this works ping the default
gateway. Finally, ping a remote host. Methodically work outwards eliminating one
thing at a time until the problem is isolated.
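The first checks of the troubleshooting sequence above (a 169.254.x.y address means no DHCP server answered; the default gateway must lie inside the adapter's own subnet before pinging outwards makes sense), as an added Python example that is not part of the course notes. The ipconfig text it reads is a constructed sample, and the function names are this example's own.

```python
# Added example (not part of the course notes): the first checks of the
# troubleshooting sequence above, applied to the adapter section of ipconfig
# output. The sample text is constructed. An address in 169.254.0.0/16 is an
# APIPA address (no DHCP server answered); a gateway outside the adapter's own
# subnet can never be reached, so that is checked before any pinging starts.
import ipaddress
import re

# Constructed sample of what ipconfig prints for one adapter.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::21a:a0ff:fe05:2ab7%11
   IPv4 Address. . . . . . . . . . . : 169.254.37.14
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
FIELD = re.compile(r"\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*: ?(\S*)")


def parse_ipconfig(text: str) -> dict:
    """Pull the IPv4 address, mask and gateway out of 'Label . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def diagnose(fields: dict) -> list:
    """Findings in the order the text works outwards from the machine."""
    findings = []
    ip = fields.get("IPv4 Address")
    if not ip:
        return ["no IPv4 address: check the drop cable, the NIC and its driver"]
    if ipaddress.ip_address(ip) in APIPA:
        findings.append("APIPA address: no DHCP server reachable "
                        "(check the server, or assign a static address)")
    mask = fields.get("Subnet Mask")
    gw = fields.get("Default Gateway")
    if not gw:
        findings.append("no default gateway: only the local subnet is reachable")
    elif mask:
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"gateway {gw} is outside {net}: remote hosts unreachable")
    if not findings:
        findings.append("config looks valid: ping 127.0.0.1, a local host, "
                        "the gateway, then a remote host")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("-", finding)
```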
Configuring Windows 7 on a Network
In a large enterprise environment, the client machines will almost certainly be connected
to an Active Directory domain. A computer can be joined to a domain either from the
Windows 7 operating system or from within Active Directory. Active Directory
confers many benefits. One of the most important features of an Active Directory is
the notion of a single login, which gives a user access to any resources the
administrator gives them permissions for, wherever those resources are on the
network. Another big benefit is the ability to deploy software or configure security
from a single Active Directory Group Policy Object (GPO) rather than configuring
Local GPOs on each individual client. If users save their data to a centralized file
server it can be backed up centrally. There are many more benefits which are
outside the scope of this unit but will become apparent when studying DF9N 34
Network Server Operating Systems and DF9R 35 Network Infrastructure 1:
Implementation and Management.
Figure 13: Pinging the loopback address
Exercise 6 – Joining a Windows 7 Computer to an Active Directory domain
From a Windows 7 Computer
1. Click Start and then right-click Computer. Choose Properties.
2. Under the Computer Name, Domain, And Workgroup section, click the Change
Settings link.
3. Click the Change button next to the To Rename This Computer Or Change Its
Domain Or Workgroup section.
4. In the Member Of section, click the Domain radio button and type in the name of
the Windows Server 2008 Active Directory domain to launch the Active Directory
credential dialogue.
5. Enter the username and password of a user with the necessary privileges to join
a client computer to the domain. This is frequently the domain administrator.
6. A dialog box stating that the computer is a part of the domain appears. Click OK
and reboot the machine.
A word of warning: before a computer can be joined to a domain it needs to
access the domain SRV record in the domain's DNS server. Make sure the
Preferred DNS setting in the Properties dialogue for the Windows 7 computer's NIC
is pointing at the correct DNS Server.
Exercise 7 – Joining a Windows 7 Computer to an Active Directory domain
From Active Directory Users and Computers (ADUC)
1. On a Windows Server 2008 Active Directory Domain Controller (DC) click Start |
Administrative Tools | Active Directory Users And Computers.
2. Expand the domain, right-click the container object within which the
computer is to be installed and select New | Computer.
3. In the Computer Name field, type in the name of the Windows 7 computer. Click
OK.
4. Double-click the new Windows 7 computer in the right-hand window to open the
properties, look at the different tabs and then click the Cancel button.
Joining and Sharing HomeGroups in Windows 7
HomeGroup was designed to simplify the sharing of music, pictures, documents
and USB-connected printers within a small office or home office (SOHO) network.
For example, a shared USB printer is automatically installed onto the other
HomeGroup-enabled computers. This extends to Windows 7 computers joined to a
domain, as they can also participate in a HomeGroup but not create one.
HomeGroups can be created only on computers running Home Premium, Enterprise,
Professional, or Ultimate; however, once one is up and running all versions of Windows
7 can participate in a HomeGroup. IPv6 must be running for computers to create
and participate in HomeGroups.
If the Windows 7 network discovery feature is not enabled the system will ask for the
HomeGroup to be created. To do this open the Network and Sharing Center, select
Choose HomeGroup And Sharing Options and then click the Create A HomeGroup
button. See Figure 14.
With Windows 7 network discovery turned on (the default), the HomeGroup is created
automatically. However, it will still be necessary to join the HomeGroup. To join a
HomeGroup, open the Network and Sharing Center and click the Join Now button.
An important part of joining a HomeGroup is to decide what exactly should be
shared. The “Share with other home computers running Windows 7” page has
check-boxes for Pictures, Documents, Music, Printers and Videos. Check the boxes
for the things that will be shared. See Figure 15
Figure 14: Creating a HomeGroup
The next step is to enter the HomeGroup password. See Figure 16
The first machine in the HomeGroup will create a random secure password. To view
and or print the HomeGroup password, open the Network and Sharing Center click
the Choose HomeGroup And Sharing Options link and then choose View Or Print
The HomeGroup Password item, as shown in Figure 17.
Figure 15: Configuring what can be shared
Figure 16: Entering the HomeGroup password
To change the password open the Network and Sharing Center click the Choose
HomeGroup And Sharing Options link and then choose Change the password to
launch the change password dialogue as shown in Figure 18.
Note the warning at the top of the dialogue that states that changing the password
will disconnect everyone. After changing the HomeGroup password, it will be
necessary to go to each of the other Windows 7 machines in the HomeGroup and
change the password.
Once the HomeGroup is set up, the other members' shared resources can be viewed
from the HomeGroup option of Windows Explorer. It can also be added to the Start
menu if required.
Figure 17: Viewing / printing the HomeGroup password
Figure 18: Changing the HomeGroup password
Configuring Windows Firewall
Windows Firewall is designed to prevent unauthorized users or malicious software from accessing a computer. Windows Firewall does not pass unsolicited traffic, that is, traffic that was not sent in response to a request.
Windows Firewall is configured by clicking Start | Control Panel (Large Icons view) | Windows Firewall. See Figure 19.
The Windows Firewall settings dialog box (see Figure 20) is used to turn Windows Firewall on or off for both private and public networks.
Figure 19: Configuring Windows Firewall
Figure 20: Turning on Windows Firewall
The "Off" setting allows external sources to connect. The "On" setting blocks external sources except those specified on the Exceptions tab.
When Block All Incoming Connections is enabled, exceptions are ignored and no notification is given when an application is blocked by Windows Firewall. The exceptions section of the Windows Firewall settings dialog box, shown in Figure 21, is used to define which programs and services are allowed to pass through the firewall.
Think carefully before enabling exceptions: each one lets traffic through the firewall that an attacker could use to get into the system.
Windows Firewall with Advanced Security (WFAS)
WFAS can be used to configure more advanced settings. To launch WFAS, click Start | Control Panel (Large Icons view) | Windows Firewall and then click the Advanced Settings link. See Figure 22.
The items in the scope pane include inbound and outbound rules, connection security rules, and monitoring. The central pane displays an overview of the firewall's status, as well as the current profile settings.
Figure 21: Windows Firewall Allowed Programs dialogue
Inbound and Outbound Rules
Inbound rules apply to inbound traffic (see Figure 23) and outbound rules apply to outbound traffic. Many of the rules are disabled by default. Double-clicking a rule brings up its Properties dialog box, as shown in Figure 24.
Figure 22: Windows Firewall with Advanced Security
Figure 23: Windows Firewall Outbound connections
A filter can be applied to the rules to make them easier to view. Filtering can be performed by the profile the rule affects, by state (that is, whether the rule is enabled or disabled), or by rule group. See Figure 25.
If there isn't a predefined rule that meets a specific need, it is possible to create a new rule by right-clicking Inbound Rules or Outbound Rules in the scope pane and then selecting New Rule to launch the New Inbound (or Outbound) Rule Wizard. The wizard asks whether the rule should be based on a particular program, a protocol or port, a predefined category, or custom settings.
Figure 24: Outbound rule Properties dialogue box
Figure 25: Setting up filtering
Exercise 8 – Creating a New Inbound Rule
1. Choose Start | Control Panel (Large Icons view) | Windows Firewall.
2. Click Advanced Settings on the left side.
3. Right-click Inbound Rules and select New Rule.
4. Choose a Rule Type. For this exercise, choose Custom, then click Next.
5. Choose the programs or services that are affected by this rule. For this exercise, choose All Programs, then click Next.
6. Choose the protocol type, as well as the local and remote port numbers that are affected by this rule. For this exercise, choose TCP and leave All Ports selected for both Local Port and Remote Port, then click Next.
7. Choose the local and remote IP addresses that are affected by this rule, then click Next. For this example, select Any IP Address for both local and remote.
8. Specify whether this rule will allow the connection, allow the connection only if it is secure, or block the connection. For this example, select the option Allow The Connection If It Is Secure, then click Next.
9. Specify whether connections should be allowed only from certain users, then click Next.
10. Specify whether connections should be allowed only from certain computers, then click Next.
11. Choose which profiles will be affected by this rule, then click Next.
12. Give the rule a name and description, then click Finish. The newly created custom rule appears in the list of Inbound Rules, and the rule is enabled.
13. To change any of the options, double-click the rule.
14. To disable the rule, clear its Enabled check box and click OK.
Connection Security Rules
Connection security rules do not by themselves allow connections; instead, they are used to configure how and when authentication occurs. There are four types of connection security rule: Isolation, Authentication Exemption, Server-to-Server and Tunnel.
Isolation is used to restrict a connection based on authentication criteria. Authentication Exemption is used to specify computers that do not need to authenticate. Server-to-Server is used to authenticate connections between specific computers, and Tunnel is used to authenticate connections between computers acting as gateways.
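The command-line equivalent of Exercise 8, paired with the Isolation connection security rule that an "allow the connection if it is secure" rule depends on. This is an added example using netsh advfirewall from an elevated PowerShell prompt on Windows 7, not a procedure from the course notes; the rule names are constructed for the example.

```powershell
# Profile state and default policy, the command-line view of the On/Off and
# "Block all incoming connections" settings in the Windows Firewall dialog.
netsh advfirewall show allprofiles state
netsh advfirewall show allprofiles firewallpolicy

# Exercise 8 as a rule: custom, all programs, TCP on any port, any address, every
# profile, "Allow the connection if it is secure" (security=authenticate means the
# packet must arrive inside an IPsec association or it is dropped).
netsh advfirewall firewall add rule name="Ex8 Secure TCP inbound" dir=in action=allow `
    protocol=TCP localport=any remoteport=any localip=any remoteip=any `
    profile=any security=authenticate enable=yes `
    description="Added example: inbound TCP allowed only from IPsec-authenticated peers"

# Without a connection security rule nothing is ever IPsec-authenticated, so the rule
# above would silently allow nothing. An Isolation rule supplies the authentication:
# require it for inbound traffic, request it for outbound, using the computer's
# domain (Kerberos) credentials, on the domain and private profiles only.
netsh advfirewall consec add rule name="Ex8 Isolation" endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain,private enable=yes

# Review both rules as WFAS stores them (the text form of the Properties dialog).
netsh advfirewall firewall show rule name="Ex8 Secure TCP inbound" verbose
netsh advfirewall consec show rule name="Ex8 Isolation" verbose

# Step 14 of the exercise: disable the rule without deleting it.
netsh advfirewall firewall set rule name="Ex8 Secure TCP inbound" new enable=no

# Clean up when the exercise is finished.
netsh advfirewall firewall delete rule name="Ex8 Secure TCP inbound"
netsh advfirewall consec delete rule name="Ex8 Isolation"
```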
Monitoring
The Monitoring section provides detailed information about how the firewall has been
configured for the Domain, Public and Private profiles.
Configuring Remote Management
Windows PowerShell and Windows Remote Management can be used in addition to
Remote Assistance and Remote Desktop to help Windows 7 users remotely.
Windows PowerShell
A complete study of Windows PowerShell is well beyond the scope of this unit; however, it is a very powerful tool and it is certainly worth knowing that it exists and what it can do.
PowerShell runs at the command line and can be used to execute commands on a remote Windows 7 computer. One of the benefits it confers is the use of cmdlets, which are commands built into PowerShell. There are more than one hundred pre-defined cmdlets, and administrators can also write their own customized cmdlets.
PowerShell can be used to gain access to the file system, the Registry, digital certificate stores, and other data stores on a computer.
Table 5 lists a few of PowerShell's pre-defined cmdlets.

Table 5: Common PowerShell cmdlets

Cmdlet          Description
--------------  ------------------------------------------------
Clear-History   Deletes entries from the command history
Format-Table    Shows results as a table
Get-Date        Gets the date and time
Get-Event       Gets an event from the event queue
Import-Module   Adds modules to the current session
Invoke-Command  Runs commands on local or remote computers
Start-Job       Starts a PowerShell background job
Stop-Job        Stops a PowerShell background job
Exercise 9 – Starting PowerShell
1. Start PowerShell by clicking Start | All Programs | Accessories | Windows PowerShell | Windows PowerShell.
2. Type Help and press Enter to get help with PowerShell. See Figure 26.
Windows Remote Management (WinRM)
WinRM is the Microsoft implementation of the industry-standard WS-Management protocol, designed to allow operating systems and hardware from different vendors to work together.
WinRM can be accessed through the WinRM command-line tool, through WinRM scripting objects, or through the Windows Remote Shell command-line tool.
WinRM can be used to remotely execute commands and obtain management data from local and remote computers. A big advantage of WinRM is that, because it is an implementation of an industry-standard protocol, it can be used on both Windows-based and non-Windows-based operating systems. Table 6 shows some of the WinRM commands and their meanings.
Figure 26: Windows PowerShell
Table 6: WinRM commands

Command                      Description
---------------------------  ------------------------------------------------
WinRM e or WinRM enumerate   Lists all instances of a managed resource
WinRM c or WinRM create      Creates a new instance of a managed resource
WinRM i or WinRM invoke      Executes a method on a managed resource
WinRM d or WinRM delete      Removes an instance from a managed resource
WinRM s or WinRM set         Modifies management information
WinRM g or WinRM get         Retrieves management information
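An added example (not from the course notes) that ties the PowerShell section and the WinRM commands together: enabling remoting on a Windows 7 client, checking the WinRM listener and authentication settings with the winrm tool, and then using Invoke-Command to collect the firewall state and recent audit failures from that client. The hostname WIN7-CLIENT01 is constructed; everything runs on Windows 7's PowerShell 2.0.

```powershell
# On the managed Windows 7 client (elevated prompt): start the WinRM service, create the
# HTTP listener and add the Windows Firewall exception in one step.
Enable-PSRemoting -Force

# Inspect the result with the winrm verbs from Table 6.
winrm enumerate winrm/config/listener    # winrm e: each listener with transport, port, address
winrm get winrm/config/service           # winrm g: AllowUnencrypted should be false
winrm get winrm/config/service/auth      # Basic should be false; Kerberos/Negotiate are the domain defaults

# From the administrator's workstation: constructed target name for this example.
$target = 'WIN7-CLIENT01'

# Confirm the WS-Management service answers before trying to run anything.
Test-WSMan -ComputerName $target

function Get-RemoteSecurityReport {
    param([string]$ComputerName)
    # Runs on the remote machine; only the returned object comes back over WinRM.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $fw   = netsh advfirewall show allprofiles state
        $fail = Get-EventLog -LogName Security -EntryType FailureAudit -Newest 20 `
                    -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            FirewallState = (($fw | Where-Object { $_ -match 'State' }) -join '; ')
            FailedAudits  = @($fail).Count
            LastFailure   = if ($fail) { $fail[0].TimeGenerated } else { $null }
        }
    }
}

Get-RemoteSecurityReport -ComputerName $target |
    Format-Table Computer, FirewallState, FailedAudits, LastFailure -AutoSize

# The Windows Remote Shell tool does the same over WinRM for ordinary commands.
winrs "-r:$target" ipconfig /all
```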
BranchCache
BranchCache is designed for organizations with multiple offices connected by slow links. It caches data at the branch office so that the data does not have to be transferred across the slow link each time a file is accessed. There are two BranchCache modes: distributed cache mode and hosted mode.
Distributed Cache Mode
When running in distributed cache mode, client machines cache the files locally, so a server running Windows Server 2008 R2 is not required at the branch office. However, the content servers at the main office must be running Windows Server 2008 R2. Essentially, the Windows 7 computers download the data files from the content servers at the main office and become the local cache servers. To function as local cache servers, the Windows 7 computers must be running Windows 7 Enterprise Edition or Windows 7 Ultimate Edition.
To implement distributed cache mode, as well as having a content server at the main office running Windows Server 2008 R2, the branch office also needs a server running Windows Server 2008 R2. Once the content server is installed, physical connections (WAN or VPN connections) between the sites and branch offices must be established.
Client computers running Windows 7 have BranchCache installed by default, but it must be enabled and configured, and a firewall exception configured, before it can be used.
Exercise 10 – Configuring the Firewall for BranchCache
1. On a domain controller, click Start | Administrative Tools | Group Policy Management to launch the Group Policy Management console.
2. In the Group Policy Management console, browse to Forest | Domains | Group Policy Objects, making sure that the domain contains the Windows 7 client computer accounts that need to be configured.
3. In the Group Policy Management console, right-click Group Policy Objects and select Create And Link Group Policy Here. Name the policy BranchCache Client and press Enter. Right-click BranchCache Client and click Edit to launch the Group Policy Management Editor console.
4. In the Group Policy Management Editor console, browse to: Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | LDAP | Inbound Rules.
5. Right-click Inbound Rules and then click New Rule to launch the New Inbound Rule Wizard.
6. In Rule Type, click Predefined, expand the list of choices, click BranchCache - Content Retrieval (Uses HTTP) and then click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow The Connection is selected, and then click Finish.
9. Now create the WS-Discovery firewall exception: right-click Inbound Rules and click New Rule to launch the New Inbound Rule Wizard.
10. In Rule Type, click Predefined, expand the list of choices, click BranchCache - Peer Discovery (Uses WSD) and then click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow The Connection is selected, and then click Finish.
13. In the Group Policy Management Editor console, right-click Outbound Rules and then click New Rule to launch the New Outbound Rule Wizard.
14. In Rule Type, click Predefined, expand the list of choices, click BranchCache - Content Retrieval (Uses HTTP) and then click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow The Connection is selected, and then click Finish.
17. Create the WS-Discovery firewall exception by right-clicking Outbound Rules and then clicking New Rule to launch the New Outbound Rule Wizard.
18. In Rule Type, click Predefined, expand the list of choices, click BranchCache - Peer Discovery (Uses WSD) and then click Next.
19. In Predefined Rules, click Next.
20. In Action, ensure that Allow The Connection is selected, and then click Finish.
Hosted Mode
Hosted mode requires a Windows Server 2008 R2-based computer in both offices, and all of the client computers at the branch must be running Windows 7 Enterprise or Ultimate edition.
A Windows 7 machine downloads data from the main content server, and the cache server at the branch office then stores a copy of the downloaded data for other users to use.
Once a caching server at the branch office has been set up, it needs a server certificate so that the client computers in the branch office can verify its identity.
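Configuring the BranchCache client for either mode from the command line and then verifying that only the expected firewall rules were opened. This is an added example using netsh on a Windows 7 Enterprise or Ultimate client (elevated PowerShell prompt); it is not part of the course notes, and the hosted cache server name BRANCH-CACHE01.corp.example is constructed.

```powershell
# Distributed cache mode on this client. netsh also sets the Windows Firewall rules
# for that mode locally, the same rules Exercise 10 deploys centrally through Group Policy.
netsh branchcache set service mode=distributed

# Hosted mode instead: point the client at the branch office cache server, which must
# present a server certificate the client trusts (constructed hostname).
# netsh branchcache set service mode=hostedclient location=BRANCH-CACHE01.corp.example

# Service mode, cache location and size, and firewall rule status in one report.
netsh branchcache show status all

function Get-BranchCacheFirewallRules {
    # Parses the "Rule Name: / Enabled: / Direction: / Grouping:" blocks printed by
    # netsh and keeps only rules belonging to the two BranchCache rule groups.
    $rules = @()
    $rule  = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($rule) { $rules += $rule }
            $rule = New-Object PSObject -Property @{
                Name = $matches[1].Trim(); Enabled = ''; Direction = ''; Group = ''
            }
        }
        elseif ($rule -and $line -match '^Enabled:\s*(\S+)')   { $rule.Enabled   = $matches[1] }
        elseif ($rule -and $line -match '^Direction:\s*(\S+)') { $rule.Direction = $matches[1] }
        elseif ($rule -and $line -match '^Grouping:\s*(.+)$')  { $rule.Group     = $matches[1].Trim() }
    }
    if ($rule) { $rules += $rule }
    $rules | Where-Object { $_.Group -like 'BranchCache - *' }
}

# Expect the Content Retrieval (Uses HTTP) and Peer Discovery (Uses WSD) rules, inbound
# and outbound, with Enabled = Yes, and nothing wider than those groups.
Get-BranchCacheFirewallRules | Format-Table Name, Direction, Enabled, Group -AutoSize
```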
Exercise 11 – Installing BranchCache on a Windows Server 2008 R2 machine
1. Log on as an Administrator.
2. Click Start | Administrative Tools | Server Manager.
3. In Server Manager, right-click Features and then choose the Add Features link.
4. The Add Features Wizard starts. Select the BranchCache check box and then click Next.
5. At the Confirm Installation Selections screen, click Install.
6. After the BranchCache feature installs, click Close.
7. In the Server Manager left window pane, double-click Configuration and then click Services.
8. In the Services detail pane, double-click BranchCache to launch the BranchCache Properties dialog box.
9. Click the General tab and then click Start. Click OK.
10. Close Server Manager.
11. Repeat steps 1 – 10 on all branch office cache servers.
Configuring DirectAccess
DirectAccess is new to the Windows Server 2008 R2 and Windows 7 operating systems. It allows a remote user to connect to their corporate network without using a VPN. As long as the user is connected to the Internet, DirectAccess will automatically connect the remote user to the corporate network. Because the connection is bidirectional, the IT administrator can also remotely manage the Windows 7 machine while it is away from the network.
DirectAccess vs VPNs
VPNs allow a remote user to securely connect to a corporate network by tunneling through the Internet; however, VPNs do have a number of downsides. For example, if a user gets disconnected from their VPN connection, they must re-establish the VPN connection. Also, if an organization's Internet connections are the same as its VPN connections, this causes its Internet connections to be slower. Finally, for security reasons it may not be possible for an organization to open a port on its firewall to allow VPN traffic.
DirectAccess
DirectAccess does not face the same limitations as a VPN. To establish a connection, DirectAccess uses Internet Protocol Security (IPsec) to provide a high level of security between the client and the server. According to Microsoft, DirectAccess works as follows:
1. The Windows 7 DirectAccess client determines whether the machine is connected to the corporate network or to the Internet.
2. The Windows 7 DirectAccess computer tries to connect to the web server specified during the DirectAccess setup configuration.
3. The Windows 7 DirectAccess client computer connects to the Windows Server 2008 R2 DirectAccess server using IPv6 and IPsec. Because most users connect to the Internet using IPv4, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo.
4. If an organization has a firewall that prevents a DirectAccess client using 6to4 or Teredo from connecting to the DirectAccess server, the Windows 7 client automatically attempts to connect using the IP-HTTPS protocol.
5. As part of establishing the IPsec session, the Windows 7 DirectAccess client and server authenticate each other using computer certificates.
6. The DirectAccess server uses Active Directory membership to verify that the computer and user are authorized to connect using DirectAccess.
7. The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access.
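A client-side check that maps the steps above onto what a Windows 7 DirectAccess client actually reports: its network location verdict (step 1), which transition technology is in use (steps 3 and 4), and the IPsec main-mode associations and their authentication method (step 5). This is an added example built on the Windows 7 netsh contexts, not a procedure from the course notes; run it from an elevated PowerShell prompt on the client.

```powershell
function Get-NetshField {
    # Returns the value after the colon on the first "Label : value" line whose label
    # matches $Field, or 'n/a' when netsh printed no such line (e.g. a disabled technology).
    param([string[]]$Lines, [string]$Field)
    $hit = $Lines | Where-Object { $_ -match "^\s*$Field\s*:" } | Select-Object -First 1
    if ($hit) { return ($hit -split ':', 2)[1].Trim() }
    return 'n/a'
}

function Get-DirectAccessClientState {
    # Step 1: the client's own verdict, inside or outside the corporate network, and
    # whether DirectAccess Group Policy settings reached this machine at all.
    $dns = netsh dnsclient show state

    # Steps 3 and 4: the IPv6 transition technologies in the order the client tries them.
    $teredo  = netsh interface teredo show state
    $sixto4  = netsh interface 6to4 show state
    $iphttps = netsh interface httpstunnel show interfaces

    # Step 5: IPsec main-mode security associations; Auth1 records the first
    # authentication method, ComputerCert when computer certificates were used.
    $mmsa = netsh advfirewall monitor show mmsa

    New-Object PSObject -Property @{
        MachineLocation    = Get-NetshField $dns 'Machine Location'
        DirectAccessPolicy = Get-NetshField $dns 'Direct Access Settings'
        TeredoState        = Get-NetshField $teredo 'State'
        SixToFourState     = Get-NetshField $sixto4 'State'
        IpHttpsStatus      = Get-NetshField $iphttps 'Interface Status'
        IPsecMainModeAuth  = Get-NetshField $mmsa 'Auth1'
        IPsecMainModeSAs   = @($mmsa | Where-Object { $_ -match '^\s*Auth1\s*:' }).Count
    }
}

# A working remote client shows "Outside corporate network", one transition technology
# active (Teredo qualified, or the IP-HTTPS interface active behind a restrictive
# firewall) and at least one main-mode SA authenticated with ComputerCert.
Get-DirectAccessClientState | Format-List
```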
Setting up DirectAccess
To set up DirectAccess, the network infrastructure must meet some minimum requirements.
The Windows Server 2008 R2 computer that has been configured to use DirectAccess must be a multihomed device, with one NIC connected to the Internet and the other NIC connected to the intranet. Each network adapter is configured with its own TCP/IP address. The DirectAccess server must be configured to use IPv6 and be capable of supporting ISATAP, Teredo, or 6to4. The client machines must be configured to use DirectAccess.
Exercise 12 – Installing DirectAccess
1. Start Server Manager by clicking Start | Administrative Tools | Server Manager.
2. In the left window pane, click Features.
3. In the right window, click the Add Features link.
4. Select the DirectAccess Management Console check box.
5. A dialog box may appear, asking to install any other features required by DirectAccess. Click the Add Required Features button.
6. Click Next and then click the Install button.
7. Verify that the installation completed and then close Server Manager.
Open the DirectAccess Manager from Administrative Tools. When the DirectAccess Manager starts up, click Setup to launch the DirectAccess Setup Wizard. This steps through setting up the Remote Clients, DirectAccess Server, Infrastructure Servers and Application Servers, and the selection of the Windows 7 computers that can use DirectAccess.
To complete the setup and allow it to function properly, a certificate server, a domain controller and a DNS server are required.
Understanding Virtualization
Server virtualization can be used to run more than one operating system, in virtual machines, on a single physical server platform using Hyper-V. The aim of server virtualization is to reduce hardware costs. At the client level, virtualization can take place using Virtual PC.
Virtual machines are full operating systems that run in a virtualized environment. End users that connect to virtual machines cannot tell the difference between a normal machine and a virtualized machine.
Hyper-V
Microsoft has now incorporated server virtualization into the operating system with the release of Hyper-V.
One of the big advantages of Hyper-V is that it supports multiple operating systems, including non-Windows operating systems, running on the same Windows Server 2008 machine. Each VM can have its own unique resources running on its operating system. Another advantage is the ability to recover rapidly from a crash, because it is only necessary to move the Hyper-V virtual machine to another machine.
One thing to avoid is putting all the servers that have a specialized function in virtual machines on the same physical server. For example, if all the virtual DHCP servers are on the same physical platform and it goes down, there will be no DHCP service until the VMs can be moved to another physical server.
Creating a Hyper-V Windows 7 Virtual Machine
The hypervisor, in Hyper-V, is a 64-bit mechanism that allows Hyper-V to run
multiple virtual machines on the same physical machine. The hypervisor's job is to
create and manage the partitions between virtual machines. The hypervisor is a thin
software layer that sits between the virtual machines and the hardware.
Exercise 12 – Making a Windows 7 .VHD
1. Start the Hyper-V Manager by clicking Start | Administrative Tools | Hyper-V Manager.
2. When the Hyper-V Manager starts, under the Actions section click the New | Virtual Machine link.
3. At the Before You Begin screen, click Next.
4. At the Specify Name And Location screen, type Win7VM in the Name field. Leave the default location. Click Next.
5. At the Assign Memory screen, type 1024 MB and click Next.
6. At the Configure Networking screen, pull down the Connection type, choose the network adapter and then click Next.
7. At the Connect Virtual Hard Disk screen, click Create A New Virtual Hard Disk.
8. Type Win7.vhd and make the hard drive size 20 GB. Click Next.
9. At the Summary screen, select the Start The Virtual Machine After It Is Created check box and click Finish.
10. When the Win7VM starts, you will receive a boot failure. Click the Media menu option, click the DVD Drive option and then Capture Your DVD Drive. Then press Enter.
11. Install the Windows 7 Enterprise Edition as normal.
Windows Virtual PC
Microsoft also has a virtualization environment that operates on its client software, called Windows Virtual PC. Windows Virtual PC can be used to create and manage virtual machines without the need for a server operating system. The advantage here is that a server operating system can run in a client environment such as Windows XP, Windows Vista, or Windows 7.
Virtual PC is good for testing things before implementing them on a physical hardware platform. It is also useful when a user has an application that ran on a legacy system such as Windows 2000 Professional but will not run on Windows 7: Windows 2000 can be installed in Virtual PC and the application run on the virtual machine.