11 networking wih windows 7

Windows 7 – Windows 7 Networking

Page | 1

Windows 7 Chapter

Windows 7 Networking 11

Introduction

This block of notes discusses the technologies behind making a Windows 7 based

computer work within a Windows 2008 domain environment using both IPv4 and

IPv6. The topics covered include: include wireless and wired network connectivity,

Windows HomeGroup, Firewalls, remote management, and virtualisation.

Understanding Networking

Like almost anything in computer networking analysis and design is vital and will

determine where and how the hosts will be installed on the network. Factors that will

influence the design include: the number of users on the network, the organisational

structure, geographical location and the amount of money in the budget. There are

two basic design methodologies: client server networks and peer-to-peer networks.

In Microsoft speak client server networks are Active Directory domain-based and

peer-to-peer networks are workgroup networks.

Peer-to-peer networks tend to be small networks and every computer has the same

status – they are peers and can act as clients or servers. Microsoft recommends no

more than ten hosts in a peer-to-peer network. The big advantage of a peer-to-peer

network is that they don‟t need expensive server software. The downside is they are

difficult to manage and keep secure. If the network has ten users and ten computers

and every user needs access to every computer they need a username and

password on every computer. This amounts 10 x 10 or 100 usernames and

passwords for someone to manage.

Another disadvantage of peer-to-peer networks is backups. It is very difficult to

backup up ten individual workgroup-based machines centrally and even more

difficult to get the individual users to back up their own machines.

Client Server (Windows Server 2008 Active Directory) Networks

Active Directory requires a Windows Server platform such as Windows 2008 R1 or

R2. Active Directory is a single distributed database that contains all the objects


Page | 2

contained within a domain-based network. It is a logical representation of the

physical network and the logical structure maps onto the physical structure. Some of

the objects in Active Directory include user accounts, group accounts, and published

objects, such as folders and printers.

The big advantage of Active Directory based networks is centralised management.

In the earlier peer-to-peer example, it needed to 100 accounts to give the users

access to the resources they needed. Now with a domain, only 10 accounts are

required. An administrator can determine, based on job function, which files or

folders a user can access and which system privileges they need.

An Active Directory structure is made up of one or more domains. In Microsoft

speak a domain is represented by a triangle. See Figure 1

An Active Directory structure is made up of one or more domains. A domain is a

logical grouping of objects within an organization.

The Active Directory namespace is arranged in a hierarchy starting with a root

domain at the top. If a domain branches off from another domain, it is called a child

domain and the domain it branches off from is called the parent domain. The name

of the child domain will include the full name of the parent.

Figure 1

An Active Directory Forest


Page | 3

Looking at Figure 1 it can be seen that stevenson.ac.uk is the parent domain and

that it has two child domains: leith.stevenson.ac.uk and dalry.stevenson.ac.uk and

computing.leith.stevenson.ac.uk is the child of leith.stevenson.ac.uk and so on.

As shown in Figure 1, child domains can be based on location but they can also

reflect organisation structure as well

A benefit of creating child domains is scalability. A single Active Directory domain

has the ability to store millions of objects, but child domains give an administrator the

flexibility to design a structure layout that meets the needs of their organization.

Between a parent domain and a child domain there exists a two-way transitive trust.

A trust allows a user to be granted access to resources in a domain even their

accounts reside in a different domain. A two-way transitive trust means that by

default all domains within the same forest automatically trust one another.

Another important feature of an Active Directory domain is an extensible schema.

The Active Directory schema contains all the objects and attributes of the Active

database. For example when a new user is created using Active Directory Users

and Computers (AUDC) the system asks for the user‟s first name, last name,

username and password. The definitions for these fields are defined within the

schema. The schema is extensible and a Schema Administrator can amend the

schema. This is not normally recommended practice. However, programs that are

Active Directory aware frequently modify the schema when they are installed. A

common example is Exchange Server, which modifies the schema to accommodate

details of a user‟s e-mail account.

Microsoft Networking Terms and Roles

A server is a machine that users connect to so they can access resources located on

that machine. For example, a file server stores files. Application servers can run

applications for the users. Sometimes a server is referred to by the specific

application it runs, for example, an SQL Server or an Exchange server.

A domain controller is a server that contains a replica of the Active Directory

database. All domain controllers in are created equal in as much as they all they all

have the same copy of Active Directory. However some domain controllers have


Page | 4

specialised roles such as hosting the Global Catalogue, but these roles, except that

of the Global Catalog are outside the scope of this course.

The Global Catalog is a database consisting of a partial representation of the Active

Directory objects. When it is necessary to locate a domain-based resource, the

Global catalogue is used to find its location. Global Catalogs are a requirement on

an Active Directory domain.

A member server is a server that is a member of a domain-based network but does

not contain a copy of Active Directory. It is good practice to put applications such as

Exchange and SQL Server on a member server.

A standalone server is not a member of a domain. Many organizations use this type

of server for server virtualization. This is when Windows Server 2008 is installed on

a powerful server and multiple copies of Hyper-V are installed on to the server. A

copy of Windows Server is installed into Hyper-V and these can then act as domain

controllers, member servers or any other type of server.

A client machine is a computer that normally is used by a company‟s end users. The

most common operating systems for a client machine are Windows Vista, and

Windows 7.

A Domain Name Service (DNS) server has the DNS service running on it. DNS is a

name resolution service that turns a host name into a TCP/IP address (forward

lookup) or converts an IP address to a host name (reverse lookup). Hosts have

easily remembered user-friendly host names like www.stervenson.ac.uk.

Unfortunately computers use rather less convenient IP addresses and binary to talk

to each other. DNS takes the user-friendly host name and returns an IP address. It

can also convert IP addresses into hostnames when required to do so. DNS can

help resolve either IPv4 or IPv6 TCP/IP addresses. This is possible because the

Link Local Multicast Name Resolution, or LLMNR, protocol. The Link Local Multicast

Name Resolution protocol is based on DNS packet formats that allow both IPv4 and

IPv6 hosts to perform name resolution for hosts on the same local network.

DNS is a requirement for Active Directory. DNS can be installed before or during the

installation of Active Directory.


Page | 5

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP address

configurations to appropriately configured client computers. Every computer needs

at least three things to operate properly with the Internet and intranet and these are:

a TCP/IP address, a sub-net mask, and a default gateway, which is the IP address of

the internal network interface of a router that connects the internal LAN to the

outside world. A properly configured DHCP server can provide much more including

the IP addresses of a preferred a secondary DNS Server and the IP address of a

WINs server if required. If a client cannot access a DHCP server when configured to

use a DHCP server it will assign itself an address in the range 169.254.x.x. This is

called an Automatic Private IP Address and is provided by the Automatic Private IP

Addressing (APIPA) service. DHCP can issue either IPv4 or IPv6 TCP/IP

addresses.

For redundancy, a network should, budget permitting have multiple domain

controllers, DHCP, DNS and Global Catalogues for redundancy. For example if the

network only has one DHCP Server, should it fail clients requesting IP addresses will

end up with APIPA addresses and will be unable to communicate with computers

with valid IP addresses, or with the Internet.

Configuring Windows 7 NIC Devices

A network interface card (NIC) is a hardware component used to connect one host to

other hosts on the network. The most common place to find a network adapter is in

a computer, but they are needed for any host connecting to a network, such as

network printers, routers, switches, firewalls and Intrusion Detection Systems (IDS)s.

Network adapters do not need to he separate cards; they can he built in, as in the

case of most medium and budget-priced motherboards. Like any other hardware

device a NIC needs a driver to communicate with the operating system. Check to

see that a NIC is on the Windows 7 compatibility list before trying to use it with

Windows 7 and that it has plug „n‟ play capabilities. If it is on the approved list it is

likely as not there will be a driver in the Windows 7 driver CAB file, which means that

when installed it plug „n‟ play will install it properly and use the driver in the CAB file.


Page | 6

Configuring a Network Adapter

Once installed, the NIC can be configured using its Properties dialog box. There are

several ways to get to the network adapter property pages, one being the Network

and Sharing Center, another through Computer Management, and yet a third directly

through Device Manager. Since the Network and Sharing Center will be covered in

detail later in the chapter, this is how it is done using the Device Manager. To

access the Properties dialog box, choose

1. Start and type Device Manager in the Windows search box to launch the Device

Manager.

2. Expand the Network Adapters node

3. Right-click the NIC and click Properties to open the drivers property box as

shown in Figure 2

The Properties dialogue box has five tabs: General, About, Driver, Details and

Resources.

The General tab shows the name of the adapter, the device type, the manufacturer,

and the location. T he Device Status box represents whether the device is working

properly or not. If the NIC isn‟t working properly the Device Status box will display

and error code and a brief description of what the operating system deems to be the

Figure 2

NIC drive r Poperty box


Page | 7

problem. The error code can be used to do an Internet search for a resolution to the

problem.

The content of the About tab rather depends upon the NIC itself and the driver.

Figure 3 shows the About tab for the NIC currently installed in my PC. Some NICs

will replace the About tab with an Advanced tab

In general the Advanced tab where it exists will contain a property list and a value

list. To configure options in this dialog box, choose the property to be modified in the

Property list box and specify the desired value for the property in the Value box on

the right. See Figure 4

The sort of information that Driver tab provides includes the following: the driver

provider, the date the driver was released, the driver version and the provider of the

Figure 3

The About tab in the NIC driver Poperty box

Figure 4

The Advanced tab in the Marvell Libitas Wireless NIC driver Poperty box


Page | 8

digital signature. The information will often vary depending upon the NIC. The driver

tab from my NIC is shown in Figure 5.

Clicking the Driver Details button launches the Driver File Details dialogue box that

provides the following information about the driver: the location of the driver file

(useful for troubleshooting), the original provider of the driver, the file version (useful

for troubleshooting), copyright information about the driver and the digital signer for

the driver.

The Update, Roll back Disable and Uninstall buttons do pretty much what they say.

The Update button launches a Wizard that steps through the driver update process.

The Roll back button can be used to roll the driver back to the previous version

should an update disable the driver. The Disable button is used to disable the

device. Once the device is disabled, the Disable button becomes an Enable button.

The Uninstall button removes the driver from the computer‟s configuration. The

device would be uninstalled prior to physically removing the device from the

computer.

The Details tab box lists the resource settings for the network adapter. This

information will vary from device to device. Figure 6 shows the Details tab for my

own NIC.

Figure 5

The Driver tab in the NIC driver Poperty box


Page | 9

The Resources tab of the network adapter‟s Properties dialog box lists

resource settings for the NIC including: interrupt request (IRQ) memory, and

input/output (I/O) resources. This can be important if other devices are trying to use

the same resource settings. This is this is normally the case with Windows 7 as plug

„n‟ play should set up non-conflicting parameters. However, if there are issues, the

Conflicting Device list box at the bottom the Resources tab shows the conflicts.

Troubleshooting a NIC

When a NIC just won‟t work their can be a number of causes. For example the NIC

may not be on the Windows 7 Hardware Compatibility List (HCL) use the Internet to

see if the vendor has released a compatible drive, since there is unlikely to be one in

the Windows 7 CAB file.

The driver might be out-dated in which case click the Update Driver button and

having Windows search for a better driver, or check for the latest driver on the

hardware vendor‟s website.

If Windows 7 does not recognise the NIC then try to install it manually.

Another troubleshooting ploy is to make sure that the settings for the network card

are correct configured.

Make sure that all network cables are functioning and are the correct type. This

includes making sure that the connector is properly seated, the cable is straight

Figure 6

The Details tab in the NIC driver Poperty box


Page | 10

through or cross over cable depending on what sort of device it is plugged into. If it

plugged into a switch it would need a straight through and if it is plugged into another

PC it would need a cross over cable.

Finally, verify that the device(s) that the computer is connected to is (are) working.

For example, on a Fast Ethernet network, make sure the switch ports are functioning

properly.

Configuring Wireless NIC Devices

Wireless technology is maturing to the point where it is becoming a cost-effective

and secure method of networking. Very few homes in the UK are without their own

mini-wireless networks as several member of the family all want to use the same

router to get out onto the Internet.

Windows 7 supports wireless auto-configuration, which will automatically discover

the available wireless connections and connect the computer to the preferred

network. Although conveniently connected, there is still at least one vital

consideration to take into account, namely security.

A Windows 7 compatible wireless NIC will be recognised automatically by the

operating system. Once installed the wireless NIC will be displayed in both the

Device Manager and the Network and Sharing Center. The Network and Sharing

Center is illustrated in Figure 7 showing a wireless connection to stevenson.ac.uk.

Figure 7

The Network and Sharing Center


Page | 11

To access the Network Sharing Centre click Start Control Panel Network and

Internet Network And Sharing Center or Click Start and type Network and Sharing

Center in the Windows integrated search box.

Viewing the Wireless Network Connection Status

The Wireless Network Connection Status window displays, among other things, the

network layer (layer 3) connectivity status for IPv4 and IPv6, media state, the Service

Set ID (SSID), how long the connection has been active, and the signal quality. See

Figure 8

.

The Details button of the Wireless Network Connection Status window provides,

detailed information including physical address, logical address, DHCP settings,

name resolution, and much more. This a very useful place to look when

troubleshooting a connection.

Exercise 1 – Viewing the Network Connection Details

1. Choose Start and type Network and Sharing Center in the Windows 7 integrated

search window and press Enter.

2. Select the Wireless Network Connection menu item from the View Your Active

Networks section

3. Click the Details button

Figure 8

The Wireless Network Connection Status


Page | 12

4. Review the Network Connection Details for this connection

The Activity section of the Wireless Network Connection Status window shows real-

time traffic (in bytes) sent to and received from the network. The Wireless Network

Connection Status window also provides access to the Wireless Connection

Properties which includes which includes access to the wireless adapter

configuration.

To access the Properties dialogue click the Activity section. The Wireless Network

Connection Properties dialogue is shown in Figure.9.

The Networking tab on the Wireless Network Connection Properties page can be

used to show which NIC is being used for the connection. The Sharing tab is for

configuring Internet Connection Sharing, which is a mechanism for allowing the other

users on the network access to the Internet through this machine‟s Internet

connection.

The “This Connection Uses The Following Items” is used to display and configure

the various clients, services, and protocols that are currently available for the

connection. Network clients, network services, and network protocols can be

installed or uninstalled by clicking the appropriate buttons. Clicking the Properties

button opens the Properties page for the currently selected item. If the Properties

Figure 9

The Wireless Network Connection Properties dialogue


Page | 13

button is greyed-out then a properties page is not available for the item. The

Configure button is used to access the network adapter‟s hardware configuration

Property pages, which are the same pages as those that are accessed through the

Device Manager.

Exercise 2 – Viewing the Wireless Network Connection Properties

1. Click Start and type Network and Sharing Center in the Windows 7 integrated

search window and then press Enter.

2. Select Wireless Network Connection from the View Your Active Networks

section.

3. Click the Properties button from the Activity section.

4. Click the Configure button

5. .View the various tabs regarding the network adapter properties.

6. Choose Cancel to return to the Wireless Network Connection Status window.

Configuring Wireless Network Security

Network security is vital and is intimately related to the wireless access point or

wireless router to which the computer is connected

However, large or the network security is vital and needs careful planning. There are

several basic steps that can be taken to secure the network including disabling the

broadcasting of the SSID, creating a MAC address filter list and enabling encryption

such as WPA or WPA2.

When the SSID is not broadcast the network cannot be automatically detected until

the wireless NIC is manually configured to connect to that SSID.

Creating a MAC address filter list creates a list of specific MAC addresses that are

allowed to connect to the device. Remember however that MAC addresses just like

IP addresses can be spoofed.

The best way to secure the network is with good, solid encryption.

There are a variety of wireless network connectivity devices ranging from enterprise

scale to home-based wireless routers. In either case the Windows 7 client must be

set up to match the security settings of the wireless network access devices. Most


Page | 14

modern wireless network connectivity devices have a built-in web server to allow the

HTTP connection from a web browser. Windows 7 can be used to configure a

wireless access device.

Exercise 3 – Configuring a Wireless Access Point


search window and then press Enter

2. Select the Choose the Set Up A New Connection Or Network option

3. Select Set Up A New Network to configure a new router or access point and then

click Next

4. Select the appropriate wireless access device from the Set Up A Network

window and then click Next.

5. If requested, enter a PIN or password or any other required identification and

click Next

6. On the next screen, configure the security settings. And then click Next

These settings need to be configured for each client connecting to the wireless

network.

7. Click Finish.

However once the network access connection has been configured, the Windows 7

clients still need to be configured. If the network connection is unencrypted,

Windows 7 will connect automatically without much user intervention. This is not a

good idea even on a home-based network as other nearby users can use the

connection, which amounts to stealing by using the bandwidth someone else has

paid for, that is quite apart from the risk of somebody reading the data, like bank or

credit card details, going across the connection.

If the connection is secured, the Windows 7 client will have to be configured with the

correct security settings.

Exercise 4 – Accessing the Wireless Properties.


search window and then press Enter.


Page | 15

2. Choose the Wireless Network Connection from the View Your Active Networks

section of the Network and Sharing Center.

3. Click the Wireless Properties button from within the Connection area of the

Wireless Network. See Figure 10

4. The Wireless Network Properties tabbed dialog box opens, displaying the

current setup for the wireless network.

Some wireless cards have an extra button in addition to the Details button called

Wireless Properties that when clicked opens the Wireless Network Properties

dialogue box, from which the Windows 7 client configuration can be set. This

particular card a relatively inexpensive Realtek 8185 lacks this facility.

Where this facility does exist it usually has two tabs: Connection and Security.

The Connection tab, which displays the following information: the name assigned to

the network, the SSID, the network type, network availability, Connect Automatically

When This Network Is In Range Connect To A More Preferred Network If Available

and Connect Even If The Network Is Not Broadcasting Its Name

The SSID defines a user-friendly name for the wireless network Some wireless

access devices are able to broadcast more than one SSID at the same time,

allowing it to support more than one wireless network. The SSID is usually

broadcast be default.

Network type shows the mode the wireless network is using. If this parameter is set

to Access Point the wireless network is in infrastructure mode. If it is set to

Computer-To-Computer then the network is in ad hoc mode.

Figure 10

The Wireless Network Connection Properties


Page | 16

Network Availability displays to whom the wireless network is available. For

example, this could be All Users or Me Only.

When selected, the Connect Automatically When This Network Is In Range option

allows automatic connection for the wireless network. Deselecting this option

requires the user to select this wireless network for connection. If the Connect To A

More Preferred Network If Available option is selected as well, Windows 7 will

attempt to connect to a preferred network. If there is more than one preferred

network, Windows 7 might switch back and forth if they are both available at the

same time. Clearing this check box will allow the currently connected network to stay

connected until it is no longer available, possibly preventing the dropping of data or

even dropped connections.

If the network is not broadcasting its SSID, the select the Connect Even If The

Network Is Not Broadcasting Its Name (SSID) option to allow Windows 7 to

automatically connect.

The Security tab is for configuring the security parameters as defined in the security

policy and configured on the wireless network access devices.

Troubleshooting Wireless Connectivity

There are a few common issues that can occur with wireless networks and here are

a few of them together with possible solutions.

The first and obvious thing to do is make sure that the wireless NIC is enabled. If a

laptop has a hotkey for enabling and disabling the NIC make sure it hasn‟t been

accidently disabled.

Sometimes the signal from a from an access point is attenuated by walls or other

barriers between the access point and the computer with a wireless NIC. This is a

comon problem in Edinburgh where the walls in some of the city‟s Georgian

buildings in the New Town are very thick.

The access device and the wireless card must be fully compatible. For example an

802.11a wireless NIC can only connect to an 802.11a access device or an

802.11a/b/g device that has been configured to accept connections from an 802.11a

NIC.


Page | 17

Wireless NICs that are compatible with the 802.11b standard can connect to only

802.11b or 802.11b/g access devices configured to accept connections from an

802.11b NIC.

An 802.11n card needs to connect to an 802.11n access device for efficiency

although most will auto-negotiate to the best specification available.

Make sure that the security parameters are the same on the NIC and the access

point.

When connecting to an access point that is not broadcasting an SSID, select the

Connect Even If The Network Is Not Broadcasting check box in the Wireless

Network Properties dialog box.

Smaller organisations and home networks use so-called wireless routers, which are

in fact small layer three switches as the combine the functions of router and have a

number of Ethernet switch ports for connecting hard-wired devices on the private

network as well as an Internet port to connect to the outside world.

When troubleshooting this type of device start with the hard-wired devices, and see

whether they can communicate with each other and the Internet and with each other,

just to eleimate the router as the source of the problem

Understanding TCP/IP

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of industry

standard protocols for network, internetwork, and Internet connectivity

including:Internet Protocol (IP), Transmission Control Protocol (TCP), User

Datagram Protocol (UDP), Address Resolution Protocol (ARP), Internet Control

Message Protocol (ICMP), and Internet Group Management Protocol (IGMP).

The Features of TCP/IP

TCP/IP is a dependable and scalable suite of protocols that provides a common

structure for network communications across a wide variety of hardware and

operating system software. It is independent of the operating systems used at the

upper end of the OSI model and of the physical components at the lower end of the

OSI model.


Page | 18

TCP/IP comes with a host of connectivity tools including among others: HTTP, FTP,

TFTP, Telnet, Finger and support for TCP/IP network printing, together with a

plethora of diagnostic and management tools including: ipconfig, arp, ping, nbtstat,

netsh, route,nslookup,tracert,and pathping and a Simple Network Management

Protocol (SNMP) agent used to monitor performance and resource use of a TCP/IP

host, server, or other network hardware device. TCP/IP also supports multihoming,

that is the inclusion of multiple NICs, which is usually associated with routing for

internetwork connectivity.

TCP/IP is without doubt the industry standard networking protocol suite and with the

introduction of IPv6 is likely to remain so for the foreseeable future.

TCP is designed where necessary to verify at the connection layer to that each data

segment is received and passed to the application running at the Application Layer.

Where packets are lost or corrupted it can request data retransmission. TCP/IP also

supports (Quality of Service), which allows time-sensitive data streams to get

preferential treatment.

TCP/IP is flexible and scalable enough to allow a network to be divided into multiple

segments or subnets to facilitate network traffic management. In addition it is highly

fault tolerant and can dynamically re-route packets around failed links, assuming that

such paths exist.

TCP/IP provides support for Domain Name Service (DNS) and Dynamic Host

Configuration Protocol (DHCP). DNS provides host name-to-IP address resolution

and DHCP provides automatic IP address configurations to appropriately configured

clients. For clients that are unable to contact a DHCP server APIPA will provide an

IP address in the range 169.254.0.0 to169.254.255.255. The inclusion of Alternate

IP Configuration allows users to have a static and a DHCP-assigned IP address

mapped to a single network adapter. This feature supports mobile users who may

lease a DHCP address when working in the office and attach to a static network in

their homes or at another office.

The biggest change to occur to TCP/IP is the introduction of IPv6, which supports a

IPv6 incorporates a much larger address space, and more importantly, incorporates

many of the additional features of TCP/IP into a standardized protocol. Take up in


Page | 19

the UK has been slow but it is being rolled out by Internet Service Providers in the

USA and where the USA leads the UK is bound to follow.

IPv6 Addressing

At first sight IPv6 looks daunting. In truth it is easier than IPv4 and

although an IPv6 address like:

4305:A93E:BADC:8956:3586:8D9C:7032:1423

has a good deal of logic to its construction.

IPv6 Shorthand Notation

An IPv6 address consists of 8 groups of 4 totaling 32 hexadecimal digits. The IPv6

shorthand notation replaces consecutive zeros with the “colon notation”, which can

be interpreted to mean “use zeros until”.

For example the multicast address:

FF02:0000:0000:0000:0000:0000:0001:0002

can be shortened to FF02::1:2.

A single colon is used to replace the zeros in a group of zeros in a single group of

hexadecimal digits such as the final group 0002, which becomes :2 and the double

colon is used to replace multiple groups of four zeros. In this case

0000:0000:0000:0000:0000:0001 which becomes ::1.

To retrieve the original IPv6 address insert zeros until the original is obtained.

Starting with the final group :2 which becomes 0002. As the first group is FF02 and

the final group :0002 adds up to 8 digits. 32-8 = 24 therefore there must be twenty

four missing digits the last of which is a 1 preceded by 23 zeros. The three

segments are therefore:

FF02:

0000:0000:0000:0000:0000:0001:

0002

Putting them together gives FF02:0000:0000:0000:0000:0000:0001:0002, which is

the original IPv6 address.


Page | 20

For those needing a mantra or set of rules:

1 Count how many octets are at the end. In this case, there are two octets. One

octet contains one, and the other octet contains two.

2. Place zeros until reaching the first of the octets at the end.

3. Next start with FF02 and then place zeroes until the seventh octet, which ends in

a 2:

FF02:0000:0000:0000:0000:0000:0001:ZZZZ

3 Check the remaining octets for possible shorthand; then place zeros to fill them

in.

Anatomy IPv6

At the most basic level IPv6 addresses are broken into two 64-bit portions, one of

which is called the prefix portion and one of which is called the host portion, or the

interface ID.

The first 48 bits of the prefix portion of the address is given over to three

organizations: Internet Corporation for Assigned Names and Numbers (ICANN)

Regional Internet Registry (RIR) the Internet service provider (ISP). The next 16 bits

are allocated to subnet addressing, which is sufficient for 65,536 subnets. The

second portion of the address, the 65th to the 128th bit of the address, is the host

portion of the network. This is enough for 224 hosts.

IPv6 Address Types

In IPv6 there are three important address types: Unicast, Multicast and Anycast.

A unicast address is an address that is absolutely unique to a particular host.

A multicast address is effectively a grouping of addresses that is used for sending

and receiving information to (from) that group.

Anycast is a network addressing and routing methodology in which datagrams from

a single sender are routed to the topologically nearest node in a group of potential

receivers all identified by the same destination address.


Page | 21

IPv6 Static and Dynamic Addressing

IPv6 addresses can be dynamic or static. Dynamic addresses are assigned by a

Dynamic Host Control Protocol version 6 (DHCPv6) Server, whereas static

addresses are assigned manually by someone with the appropriate rights.

It is important both for the SQA and Microsoft tests to have a clear understanding of

the conventions IPv6 uses to assign addresses to a network. There are four

possible combinations: two of which are used for static addressing and two of which

are used for dynamic addressing.

EUI-64

One of the great benefits of having such a long host field is the ability to specify a

great deal of uniqueness into an individual address. A host interface normally

supports two types of address a unique physical address (MAC address) and a

configurable logical address (IP address). A MAC addresses is 48 bits in length,

which is normally expressed as 6 pairs of hexadecimal digits. For example: 00-1A-

A0-05-2A-B7.

For the purposes of getting to grips with the anatomy of an IPv6 address split the

MAC address into two sets of 6 digits as follows: 001AA0 052AB7.

When the Internet Engineering Task Force (IETF) formulated the IPv6 standard they

deduced that the use of the modified MAC address in the host field would have the

dual benefit of making the host address unique and allow a static address to be

entered without the need to enter every single digit. However a MAC address is 16-

bits short of the full host field of 64 bits so some padding is required. This entails

taking the hex field FFFF into the centre of the MAC address so that it becomes:

001AA0 FFFF 052AB7. To conclude the seventh bit of the MAC address has to be

inverted1. This means taking the first two hex digits which happen in this case to be

00hex or 00000000 in binary and changing inverting the penultimate bit so that it

reads as 00000010 bin or 02 hex thus the new address becomes 021AA0 FFFF

052AB7 or more concisely 021A:A0FF:FF 05:2AB7.

1 The reasons for this are fully specified in the appropriate RFC. Recommended reading for the

merely curious or the insomniac.


Page | 22

Manual Assignment

An IPv6 address can be assigned manually. Each piece of the address is typed in

manually using hexadecimal notation. See Figure 11

DHCP v 6

In DHCPv6 there are two supported states stateful and stateless. Stateful DHCP

tracks the state of the interfaces it communicates such as how long the lease on the

dynamic address lasts. Since IPv6 doesn‟t use broadcasts it requires the use of a

default multicast address: FF02:0000:0000:0000:0000:0000:0001:0002.

In stateless DHCP, the "state information" such as whether an interface is up or

down, how long the lease exists, and so on is ignored. Typically, stateless DHCP is

used in conjunction with stateless autoconfiguration, a method used by IPv6 to

automatically assign addresses to given interfaces based on their EUI-64 address.

The essential difference between stateless and stateful is that stateless doesn't

remember IP addresses, but it can still supply information such as the location of a

DNS server.

There will be much more to say about IPv6 and DHCPv6 in the DF9M 34 and DF9N

34 Network Server Operating Systems and Network Infrastructure.

IP v 4

It is customary in textbooks to introduce IPv4 before IPv6, unfortunately this creates

the impression that IPv6 is “more difficult” than IPv4, which simply isn‟t true. If

Figure 11

Configuring IPv6


Page | 23

anything the very opposite is true. However, even though IPv4 will eventually be

replaced by IPv6 it will be a relatively slow process and it is necessary therefore to

understand the principles of IPv4

IP v 4 IP Address Ranges

IPv4 uses a set of four octets to create an individual, but not necessarily unique,

logical address that can be used for the purposes of routing packets across

networks. A subnet mask partitions the address into different subnets for the

purpose of sending and receiving broadcast traffic

There are five basic classes of IP address that are defined by the first few bits of the

first octet of the IP address and by the subnet mask. For the benefit of the SQA

exams and the Microsoft exam the most important classes are classes A, B and C,

which are described in Table 1.

Address Class Number of network bits

Number of host bits

Maximum number of hosts

A 8 24 16,777,214

B 16 16 65,534

C 24 8 254

Each of these classes of networks is assigned a given range that is predefined for a

given network design. Given your address class, you will fall into one of the ranges

listed in Table 2.

Address Class Number of network bits

A 1.0.0.0 to 126.255.255.255

B 128.0.0.0 to 191.255.255.255

C 192.0.0.0 to 223.255.255.255

When designing a network two key pieces of information are the number of subnets

and the number of hosts that are required. Once in possession of this information

then the process of sub-netting can begin.

Addressing and Sub-netting IPv4

The following sections assume a working knowledge of the basics of binary, hex,

and decimal conversion.

Table 1:

TCP/IP address classes

Table 2:

TCP/IP address class ranges


Page | 24

Working with the Number of Hosts and Sub-networks

Assume that the brief is to build a network to support one server and 5 clients so that

the subnet mask must support six computers.

The default subnet mask for a Class C network is 255.255.255.0 or in binary notation

11111111.11111111.11111111.00000000. The ones represent the network portion

and the zeros represent the host portion.

One way to calculate the number of host bits required is by taking 2 and raising it to

the number of host bits and then subtracting two to allow for the network and

broadcast addresses. For example:

21 = 2

22 = 4

23 = 8

24 = 16

25 = 32

26 = 64

27 = 128

28 = 256

From the list it can be seen that 23 = 8 will support 6 hosts plus the network and

broadcast addresses. This means the subnet mask for the network is

11111111.11111111.11111111.11111000 or 255.255.255.248. In shorthand, this

would be written as /29, because it uses 29 bits.

The number of bits available for the sub-networks is five. 25 = 32 subnets

Addressing a Given Topology

Consider a network with six offices. Office two acts as a hub for the other five

offices. The immediate job in hand is to subnet the network. The network address

assigned to the project is 209.81.3.0. Checking back to Table 2 indicates that this a

Class C network, which means a default subnet mask of 255.255.255.0, which

means concentrating on the last octet.

To support six subnets requires 3 bits, because 22 = 4 is not enough but 23 = 8,

which is two more than required thus the subnet mask is 209.81.3.224. The number

of hosts is given by the formula 2n – 2, where the minus 2 accounts for the network


Page | 25

address and the subnet broadcast address. Hence the number of hosts that can be

supported on each network is 25 – 2 = 30.

When sub-netting an IP address in this way, it is necessary to calculate the range of

the IP addresses in each network because a sub-netted network cannot

communicate with an IP address that is out of the range of its own subnet without a

router. To calculate the range of the sub-nets take the value the last bit position in

the subnet mask and calculate its value, which in the case under consideration, 32.

By starting at zero in the last octet keep adding 32 until reaching the total of 224 as

follows

209.81.3.0

209.81.3.32

209.81.3.64

209.81.3.96

209.81.3.128

209.81.3.160

209.81.3.192

209.81.3.224

The broadcast address can be located by subtracting 1 from the last octet in all these

numbers, with the exception of 0 as follows:

209.81.3.0

209.81.3.31

209.81.3.63

209.81.3.95

209.81.3.127

209.81.3.159

209.81.3.191

209.81.3.223


Page | 26

The usable addresses are those in between and are summarized in Table 3

Network Address Broadcast Address Usable Addresses

209.81.3.0 209.81.3.31 209.81.3.1 to 30

209.81.3.32 209.81.3.63 209.81.3.33 to 62

209.81.3.64 209.81.3.95 209.81.3.65 to 94

209.81.3.96 209.81.3.127 209.81.3.97 to 126

209.81.3.128 209.81.3.159 209.81.3.129 to 158

209.81.3.160 209.81.3.191 209.81.3.161 to 190

209.81.3.192 209.81.3.223 209.81.3.193 to 222

209.81.3.224 209.81.3.254 209.81.3.225 to 253

Exercise 5 – Sub-netting a network

Debbie has just been employed by MegaGames a leading firm of games developers.

MegaGames is an multi-national corporation with an office in Dundee that has about

100 users.

Currently, the part of the network that Debbie has responsibility for is broken down

into three separate networks connected by WAN links. The Enterprise

Administrator, who is based in the California office, has decided that he wants

Debbie to re-address her network using the address space of 209.113.60.0.

The topology consists of three sites. Site A has one user, Site B has 25 users and

Site C has 30 users. Debbie‟s brief is to use the fewest number of possible sub-

networks but each of these sustains enough host bits to support the required number

of users.

What subnet mask would Debbie need for the whole network and what three

broadcast addresses would she need to assign assuming that the corporate

specifications for network design require the lowest incremental broadcast address

to be applied to Site A, then the next highest to Site B, and the next highest to Site

C. MegaGames have no plans to expand its operations in Dundee given the refusal

of the UK Government to provide adequate tax incentives, so growth is not a

consideration in this design.

Since none of the networks have more than 30 users and growth is not an issue the

number of bits required for the hosts is 25 = 32. This leaves 3 bits for the network

portion.

Table 3:

The TCP/IP subnet ranges


Page | 27

This means that the subnet mask for the network as a whole is a /27 mask or in long

hand 255.255.255.224 and the network addresses are

209.113.60.0

209.113.60.32

209.113.60.64

209.113.60.96

And the required broadcast addresses are:

209.113.60.31

209.113.60.63

209.113.60.95

Having learned the theory behind sub-netting now would be a good time to introduce

a use shorthand method of calculating subnets called “Clark‟s Magic Number2”.

Clark‟s Magic number is 256. Having worked out what the value of the final octet of

the subnet mask, subtract it from 256. For example in the example above it

becomes 256 – 224 = 32, which is the number that is repeatedly added in order to

get all of the subnets.

There is a lot more to say about IPv4 that is beyond the scope of this course.

However, it covers enough to demonstrate how much harder IPv4 is than IPv6.

Configuring a Windows 7 Machine to use DHCP

If a client is configured to receive a dynamic IP configuration a DHCP is required to

provide that IP configuration. On a large network trying to assign IP addresses by

hand would be both time consuming and error prone.

Exercise 5 – Configuring the NIC in a Windows 7 client to obtain a dynamic address


search box.

2 Clark‟s Magic Number is named after my colleague Margaret Clark, who first explained it to me.


Page | 28

2. In the Network and Sharing Center window, click the Local Area Connection item

in the View Your Active Networks section.

3. Click the Properties button from the Activity section of the Local Area

Connection Status box.

4. In the Local Area Connection Properties dialog box, make sure IPv4 check box

is checked and then select Properties. (DHCP also works for IPv6)

5. Choose the Obtain An IP Address Automatically radio button from the General

tab of the Properties dialog box.

6. Choose the Obtain DNS Server Address Automatically radio button from the

General tab Properties dialog box.

7. To use this configuration, click OK to accept the selection and close the dialogue

box.

If the machine is not connecting to the local LAN and the Internet correctly open a

command-line window ant type ipconfig and then press Enter. If the IP address

begins with 169.254.x.y it is unable to locate a DHCP Server and the computer has

leased itself an APIPA address.

Automatic Private IP Addressing (APIPA)

An APIPA address is assigned to a computer that is configured to lease a dynamic

IP configuration from a DHCP Server but cannot locate a DHCP Server. Because it

leases itself the IP configuration it may lease itself the same address as another

node on the network. To prevent this, a client leasing itself an APIPA address will

broadcast its address to the network and if another node has the same address it will

lease itself another APIPA address and try again. It will do this up to ten times.

This means APIPA could be used to provide IP configurations to a small office or

home network to save using DHCP or configuring all of the hosts with static IP

addresses.

However, there is potentially scope for duplicate IP addresses if there are more than

ten hosts on the network.

If on a larger enterprise network the DHCP Server fails, and there is no other DHCP

Server available to service a DHCP request any client requesting an IP address


Page | 29

configuration will end up with an APIPA address, while some of the hosts will have a

properly configured IP address leased from the DHCP server before it crashed. The

computers with the addresses leased before the DHCP server crashed will be able

to communicate with each other. The computers with APIPA addresses can

communicate with each other. Unfortunately the two groups won‟t be able to

communicate as they are effectively are on separate subnets. A wise administrator,

if he or she can afford it will have multiple DHCP Servers to address this particular

scenario.

IPv4 to IPv6 Transitional Techniques

In spite of its obvious advantages it will be impossible to switch over to IPv6

overnight. This means that for the transitional period there needs to be a

mechanism for interoperating IPv4 with IPv6. The three methods discussed in the

next few sections: dual stacking, tunneling, and translation.

Dual Stacking

Dual stacking involves operating both an IPv4 address and an IPv6 address. In

Windows 7 dual stacking is implemented by default, which means the ipconfig

command displays both the IPv6 hexadecimal address and the dotted decimal IPv4

address. Both the IPv4 and the IPv6 addresses are logical addresses and there is

no reason why a network adapter can be identified with multiple logical addresses.

This can be done in one of two ways by using a complete dual stack or by using a

dual IP layer.

Dual stacking creates a separate stack through which each protocol travels. An

implication of this is that networking devices like routers must be capable of

supporting both IPv4 and IPv6 and each stack will require its own Transport Layer

(Layer 4) implementation that interfaces with the Application Layer.

In dual layer implementations the network portion contains both the IPv4 and IPv6

implementations, and they both access the same transport layer. This technology is

supported by Windows 7 and Windows Server 2008 R1 and R2.


Page | 30

Dual stacking and dual layer becomes complicated with the introduction of DNS.

Unfortunately, the record types for IPv4 and IPv6 are completely different so it is

necessary to maintain records for both types of implementation.

Tunneling

IP Tunneling is in principle very simple. Tunneling IPv6 through an IPv4

infrastructure can be achieved by attaching an IPv4 header to the IPv6 packet. This

can be done in one of two ways, automatically or manually. Manually configured

tunnels can be configured by using the netsh interface ipv6 add v6v4tunnel

command. Automatic tunnels can be configured using 6to4, Teredo, or ISATAP.

Tunneling Between Devices

Suppose there are two IPv6 networks separated by an IPv4-only infrastructure.

Given that the routers that connect the IPv6 networks to the IPv4 network are

capable of supporting both IPv6 and IPv4, they will communicate with each other by

referencing the network behind each of the routers and then sending the IPv6

packets across the IPv4 infrastructure by encapsulating them in IPv4 packets.

When two hosts running both IPv4 and IPv6 stacks in an IPv4 infrastructure

communicate, IPv6 packets can be sent across the IPv4 infrastructure by

encapsulating the IPv6 packets in and IPv4 packet to create a tunnel through the

IPv4 network.

When operating between hosts that reside between firewalls or routers, a host

running IPv4 can communicate between infrastructures operating different IP

protocols by encapsulating the IPv6 packets in an IPv4 packet to create a tunnel

containing IPv6 packets. As usual routers have to be capable of supporting both

IPv4 and IPv6. When an IPv4-capable computer sends a request to the router with

an embedded IPv6 packet, the receiving router, examines the internal IPv6 packet,

and then forwards that packet onto the IPv6 host computer running in an IPv6

infrastructure.

6to4

6to4 is a direct method of translating from IPv6 to the IPv4 protocol. It does so by

implementing both the IPv4 and IPv6 protocol stacks converting the IPv4 addresses


Page | 31

into standard IPv6 addresses by inserting them into hexadecimal IPv6 format. The

translated address takes the form 2002:AABB:CCDD:subnet:InterfaceID where AA is

the hexadecimal representation of the first octet of the IPv4 addresst, BB is the

second octet, CC is the third octet, and DD is the fourth octet.

As an example consider the IPv4 address 129.118.1.3. Converting each octet to hex

gives:

129 = 81

118 = 76

1 = 1

3 = 3

So the fully translated address would take the form: 2002:8176:13:subnet:InterfaceID

Within 6to4 tunneling, the entire subnet is treated as a single link. Hosts are

automatically given their 2002:AABB:CCDD:Subnet address with a /64 mask. If the

given address is not found the information is passed onto a 6to4 router that exists on

a /16 mask by default.

A Windows Server 2008, Windows Vista and Windows 7 computer can act as a

6to4 router through Internet Connection Sharing (ICS).

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

ISATAP is an automatic dual stacking tunneling technology that is installed by

default in Windows Vista, Windows 7 and Windows Server 2008. ISATAP allows

computers operating IPv6 in IPv4 infrastructures to communicate with IPv4 clients in

the same subnet.

ISATAP can be used for either public or private addressing. With public unicast

addressing, ISATAP uses the global address

::5EFE:A.B.C.D.

where A.B.C.D are the octets of the IPv4 address, together with the private address

of

::200:5EFE:A.B.C.D


Page | 32

where once again, A.B.C.D are the octets of the IPv4 address. Using this

methodology ISATAP creates a link-local address that can be used to communicate

between devices through tunneling.

To communicate with additional subnets running either pure or mixed IP protocols,

an ISATAP router is required. Normally, this router is resolved either through the

mapping of the "ISATAP" hostname or by the use of the netsh interface isatap set

router command, which allows the address of the router to be manually specified in

either Windows Server 2008 or Windows 7.

Teredo

Teredo is also known as Network Address Translator Traversal (NAT-T). What it

does is provide a unicast address for each device located within the NAT pool. It

does so by sending out IPv6 data over Uniform Data Protocol (UDP) establishing a

tunnel directly between two individual hosts. The process breaks down into two

portions: initial client configuration and initial client communication.

1. The client sends a router solicitation request (RS) to a Teredo server with the

cone flag set. The cone flag is a high-order bit that indicates a device is behind a

NAT.

2. The Teredo server responds with a router advertisement (RA) from a router that

is on an alternate IPv4 address so it can determine whether the address is

behind a NAT.

3. If the RA is not received, the client repeats the RS with the cone flag not set.

4. The server responds with an RA from the source address to the destination

address. If the client receives the RA, it is behind a restricted NAT.

5. To make sure there isn't a symmetric NAT in place, the client sends another RS

to an alternate server.

6. The alternate server responds. If the RAs are different, the map is mapping the

same internal address and UDP port number, and Teredo will not be available.

Teredo has several different methods of initial communication based on what type of

NAT the client is assigned under. The most commonly referenced of these is a


Page | 33

situation where a client resides on a restricted NAT. In which case, the process of

two computers, A and B, communicating is as follows: „

1. Client A sends a bubble packet to Client B.

2. Client A sends a bubble packet to Client B through Client B's Teredo server.

3. Client B's Teredo server forwards the packet to Client B.

4. Client B responds to the packet with its own bubble packet to Client A.

5. Client A determines NAT mappings for both NATs.

Testing an IP Configuration

There are a number of tools and utilities that can be used to test and troubleshoot a

TCP/IP configuration. These include: pconfig, ping, and nbtstat. A graphical view of

the connection details is available using Local Area Connection Status of the

Network and Sharing Center.

The ipconfig command see Figure 12 is a command line utility used to examine the

IP address configuration on the network interfaces on a network host.

Ipconfig comes with a number of switches ranging from /? For getting help

/setclassID that can be used to modify the DHCP class ID. See Table 4

Figure 12: ipconfig


Page | 34

Switch Description

/? Provides help for all of the ipconfig switches

/all Shows verbose information about an IP configuration, including ther computer‟s physical address, the preferred DNS server, and whether the address is static or dynamically assigned

/allcompartments allcompartments Shows IP information for all compartments

/release Releases the current IPv4 address assigned by DHCP

/release6 Releases the current IPv6 address assigned by DHCP

/renew Renews the current IPv4 address assigned by DHCP

/renew6 Renews the current IPv6 address assigned by DHCP

/flushdns Flushes the DNS Resolver cache

/registerdns Registers or re-registers clients credentials with DNS

/displaydns Displays the contents of the DNS Resolver cache

/showclassid Lists the DHCP IPv4 class IDs allowed by the computer

/showclassid6 Lists the DHCP IPv6 class IDs allowed by the computer

/setclassID Modifies the IPv4DHCP class ID

/setclassID6 Modifies the IPv6DHCP class ID

TCP/IP Troubleshooting

The way in which to troubleshoot a TCP/IP configuration rather depends on the

nature of the problem. For example if a single machine cannot access the Internet

then start troubleshooting from that machine as the fault is likely to be with that

machine. If all of the users are having the same problem a good place is to start is

with the default gateway.

When troubleshooting a PC, start by checking that the Ethernet drop cable is

properly connected. Next, make sure the NIC and the NIC driver are properly

installed. If the driver for the NIC is not in the Windows 7 driver .cab file it might be

necessary to get the driver from an accompanying CD or from the manufacturer‟s

Web site.

The next step is to open a command window and run ipconfig and make sure there

is a valid IP address configuration. If the IPv4 address is in the range 169.254.0.0

to169.254.255.255 the NIC has been configured to obtain its IP configuration from a

DHCP Server but cannot locate a DHCP Server. If the network uses static IP

addressing give the computer a static IP address. If the computer should be getting

an IP address from a DHCP Server make sure the server is up and running and

Table 4:

Ipconfig switches


Page | 35

hasn‟t crashed. Next ping the loopback address on the NIC. Do this by typing ping

127.0.0.1 at a command prompt and then pressing Enter. See Figure 13

This will test to make sure the TCP/IP stack is correctly installed on the NIC. Next

use ping to try and reach a host on the same subnet. If this works ping the default

gateway. Finally, ping a remote host. Methodically work outwards eliminating one

thing at a time until the problem is isolated.

Configuring Windows 7 on a Network

In a large enterprise environment, the client machines will almost certainly connected

to an Active Directory domain. A computer can be joined to a domain either from the

Windows 7 operating system or from within Active Directory. Active Directory

confers many benefits. One of the most important features of an Active Directory is

the notion of a single login, which gives a user access to any resources the

administrator gives them permissions for wherever those resources are on the

network. Another big benefit is the ability to deploy software or configure security

from a single Active Directory Group Policy Object (GPO) rather that configuring

Local GPOs on each individual client. If users save their data to a centralized file

server it can be backed up centrally. There are many more benefits which are

outside the scope of this unit but will become apparent when studying DF9N 34

Network Server Operating Systems and DF9R 35 Network Infrastructure 1:

Implementation and Management.

Exercise 6 – Joining a Windows 7 Computer to an Active Directory domain

From a Windows 7 Computer

1. Start and then right-click Computer. Choose Properties

Figure 13:

Pinging the loopback address


Page | 36

2. Under the Computer Name, Domain, And Workgroup section, click the Change

Settings link

3. Click the Change button next to the To Rename This Computer Or Change Its

Domain Or Workgroup section

4. In the Member Of section, click the Domain radio button and type in the name of

the Windows Server 2008 Active Directory domain to launch the Active Directory

credential dialogue

5. Enter the username and password of a user with the necessary privileges to join

a client computer to the domain

This is frequently the domain administrator

6. A dialog box stating that the computer is a part of the domain appears. Click OK

and reboot the machine

A word of warning: Before a computer can be joined to a domain it will want to

access the domain SRV record in the domain‟s DNS server. Make sure the

Preferred DNS setting the Properties dialogue for the NIC in the Windows 7

computer‟s NIC is pointing at the correct DNS Server.

Exercise 7 – Joining a Windows 7 Computer to an Active Directory domain

From Active Directory Users and Computers (AUDC)

1 On a Windows Server 2008 Active Directory Domain Controller (DC) click Start |

Administrative Tools | Active Directory Users And Computers

2 Expand the domain and right-click the container object within which the

computer is to be installed and select New | Computer

3 In the Computer Name field, type in the name of the Windows 7 computer. Click

OK

4. Double-click the new Windows 7 computer in the right-hand window to open the

properties and look at the different tabs and then click the Cancel button.

Joining and Sharing HomeGroups in Windows 7

HomeGroups was designed to simplify the sharing of music, pictures, documents

and USB-connected printers within a small office or home office (SOHO) network.


Page | 37

For example, a shared USB printer is automatically installed onto the other

HomeGroup-enabled computers. This extends to Windows 7 computers joined to a

domain as they can also participate in a HomeGroup but not create one.

HomeGroups can be created only on computers running Home Premium, Enterprise,

Professional, or Ultimate, however once it is up and running all versions of Windows

7 can participate in a HomeGroup. IPv6 must be running in for computers to create

and participate in HomeGroups.

If the Windows 7 network discovery feature is not enabled the system will ask for the

HomeGroup to be created. To do this open the Network and Sharing Center, select

Choose HomeGroup And Sharing Options and then click the Create A HomeGroup

button. See Figure 14.

With Windows 7 network discovery turned on (the default), HomeGroup is created

automatically. However, it will still be necessary to join the HomeGroup. To join a

Home Group open the Network and Sharing and click the Join Now button.

An important part of joining a HomeGroup is to decide what exactly should be

shared. The “Share with other home computers running Windows 7” page has

check-boxes for Pictures, Documents, Music, Printers and Videos. Check the boxes

for the things that will be shared. See Figure 15

Figure 14: Creating a HomeGroup


Page | 38

The next step is to enter the HomeGroup password. See Figure 16

The first machine in the HomeGroup will create a random secure password. To view

and or print the HomeGroup password, open the Network and Sharing Center click

the Choose HomeGroup And Sharing Options link and then choose View Or Print

The HomeGroup Password item, as shown in Figure 17.

Figure 15:

Configuring what can be shared

Figure 16:

Entering the HomeGroup password


Page | 39

To change the password open the Network and Sharing Center click the Choose

HomeGroup And Sharing Options link and then choose Change the password to

launch the change password dialogue as shown in Figure 18.

Note the warning at the top of the dialogue that states that changing the password

will disconnect everyone. After changing the HomeGroup password, it will be

necessary to go to each of the other Windows 7 machines in the HomeGroup and

change the password.

Once the HomeGroup is set up the other members shared resources can be viewed

from the HomeGroup option of Windows Explorer. It can also be added to the Start

menu if required.

Figure 17:

Viewing / printing the HomeGroup password

Figure 18: Changing the HomeGroup password


Page | 40

Configuring Windows Firewall

Windows Firewall is designed to prevent unauthorized users or malicious software

from accessing a computer. Windows Firewall does not pass unsolicited traffic. That

is traffic that was not sent in response to a request

Windows Firewall is configured by clicking Start | Control Panel | Large icons | View

Windows Firewall. See Figure 19.

The Windows Firewall settings dialog box, see Figure 20 is used to turn Windows

Firewall on or off for both private and public networks.

Figure 19 Configuring Windows Firewall

Figure 20 Turning on Windows Firewall


Page | 41

The “Off” setting will allow external sources to connect. The “On” setting will block

external sources except those that are specified on the Exceptions tab.

When Block All Incoming Connections is enabled, exceptions are ignored and no

notification will be given when an application is blocked by Windows Firewall. The

exceptions section of the Windows Firewall settings dialog box, shown in Figure 21,

is used to define which programs and services should be allowed to pass through

the Firewall.

Think carefully when enabling exceptions as there is potential for letting traffic

through the firewall that could be used by a hacker to hack into the system.

Windows Firewall with Advanced Security (WFAS)

WFAS can be used to configure more advanced settings. To launch WFAS click

Start Control Panel | Large Icons View Windows Firewall and then click the

Advanced Settings link. See Figure 22

The items in the scope pane include inbound and outbound rules, connection

security rules, and monitoring rules. The central pane displays an overview of the

firewall‟s status, as well as the current profile settings.

Figure 21

Windows Firewall Allowed Programs dialogue


Page | 42

Inbound and Outbound Rules

Inbound rules monitor inbound traffic, see Figure 23 and outbound rules monitor

outbound traffic. Many of the rules are disabled by default. Double-clicking a rule

will bring up its Properties dialog box, as shown in Figure24

Figure 22

Windows Firewall with Advanced Security

Figure 23

Windows Firewall Outbound connections


Page | 43

A filter can be applied to the rules to make them easier to view. Filtering can be

performed based on the profile the rule affects, by state that is whether the rule is

enabled or disabled, or based on the rule group. See Figure 25.

If there isn‟t a predefined rule that meets a specific need it is possible to create a

new rule by right-clicking Inbound Rules or Outbound Rules in the scope pane, and

then selecting New Rule to launch the New Inbound (or Outbound) Rule Wizard.

The Wizard will ask whether the rule should be based on a particular program,

protocol or port, predefined category, or custom settings.

Figure 24

Outbound rule Properties dialogue box

Figure 25 Setting up filtering


Page | 44

Exercise 8 – Creating a New Inbound Rule

1. Choose Start | Control Panel Large Icon View | Windows Firewall

2. Click Advanced Settings on the left side

3. Right-click Inbound Rules and select New Rule

4. Choose a Rule Type. For this exercise, choose Custom then click Next.

5. Choose the programs or services that are affected by this rule. For this exercise,

let‟s choose All Programs. Then click Next.

6. Choose the protocol type, as well as the local and remote port numbers that are

affected by this rule. Click Next to continue.

For the benefit of this exercise choose TCP and All ports is selected for both

Local Port and Remote Port and click Next.

7. Choose the local and remote IP addresses that are affected by this rule then click

Next

For this example select Any IP Address for both local and remote

8. Specify whether this rule will allow the connection, allow the connection only if it

is secure, or block the connection.

For the current example select the options Allow The Connection If It Is Secure

then click Next.

9. Specify whether connections should be allowed only from certain users, then

click Next

10. Specify whether connections should be allowed only from certain computers

11. Choose which profiles will be affected by this rule and then click Next

12. Give the profile a name and description, and then click Finish.

The newly created customized rule will appear in the list of Inbound Rules, and

the rule will be enabled

13 To change any of the options double click the rule.

14 To disable the rule un-check the check box. And click OK.

Connection Security Rules

Connection security rules do not specifically allow connections, instead they are

used to configure how and when authentication occurs. There are four security

rules: Isolation, Authentication Exemption, Server-to-server and Tunnel


Page | 45

Isolation is used to restrict a connection based on authentication criteria.

Authentication Exemption is used to specify computers that do not need to

authenticate. Server-to-Server is used to authenticate connections between

computers and Tunnel is used to authenticate connections between computers

acting as gateways

Monitoring

The Monitoring section provides detailed information about how the firewall has been

configured for the Domain, Public and Private profiles.

Configuring Remote Management

Windows PowerShell and Windows Remote Management can be used in addition to

Remote Assistance and Remote Desktop to help Windows 7 users remotely.

Windows PowerShell

A complete study of Windows PowerShell is well beyond the scope of this unit,

however it is a very powerful tools and it is certainly worth knowing that it exists and

what it can do.

PowerShell runs at the command line and can be used to execute command on a

remote Windows 7 computer. One of the benefits it confers is the use of cmdlets

which are command that are built into PowerShell. There are more than one

hundred pre-defined cmdlets and administrators can also write their own customized

cmdlets.

PowerShell can be used to gain access to a file system, Registry, digital certificate

stores, and other data stores on a computer.

Table 5 lists a few of PowerShell‟s pre-defined cmdlets.

Cmdlet Description

Clear-History Deletes entries from the command history

Format-table Shows results as a table

Get-Date Gets the date and time

Get-Event Gets and event in the event queue

Import-Module Adds modules to the current session

Invoke-command Runs commands on local or remote computers

Table 5

Common PowerShell cmdlets


Page | 46

Cmdlet Description

Start-job Starts a PowerShell background job

Stop-job Stops a PowerShell background job

Exercise 9 – Starting PowerShell

1. Start PowerShell by clicking Start | All Programs Accessories | Windows

PowerShell | PoweShell.

2. Type Help and press Enter to get Help with PowerShell. See Figure 26

Windows Remote Management (WinRm)

WinRM is the Microsoft implementation of the industry standard WS-Management

Protocol, designed to allow different vendor operating systems and hardware to

work together.

WinRm utility can be accessed either through the WinRM command-line tool, WinRM

scripting objects or through the Windows Remote Shell command-line tool.

WinRm can be used to remotely execute commands and obtain management data

from local and remote computers. A big advantage of WinRm is that because it is an

implementation of an industry standard protocol it can be used on Windows- based

operating systems and non-Windows-based operating systems. Table 6 shows

some of the WinRm commands and their meanings.

Figure 26 Windows PowerShell


Page | 47

Command Description

WInRM eorWinRM enumerate

Lists all instances of a managed resource

WInRM c or WnRM create

Creates a new instance on the managed resources

WInRM I orWinRM invoke

Executes a method on a managed resource

WInRM d or WinRM delete

Removes an instance from a managed resource

WinRM s or WinRM set Modifies management information

WnRM g orWinRM get Retrieves management information

BranchCache

BranchCache is designed for organizations with multiple offices connected with slow

links so that they can cache data so that data does not have to be transferred across

a slow link each time a file is accessed. There are two BranchCache modes

distributed cache mode and hosted mode.

Distributed Cache Mode

When running in distributed cache mode client machines cache the files locally on

the client machines so that a server running Windows Server 2008 R2 is not required

at the branch office. However the content servers at the main office must be running

Windows Server 2008 R2. Essentially, the Windows 7 computers download the data

files from the content servers at the main office and become the local cache servers.

To function as local cache servers the Windows 7 computers must be running

Windows 7 Enterprise Edition or Windows 7 Ultimate Edition.

To implement distributed cache mode as well as having a content server at the main

office running Windows Server 2008, R2 the branch office also needs a server

running R2 of Windows Server 2008. Once the content server is installed physical

connections (WAN or VPN connections) between the sites and branch offices must

be established.

Client computers running Windows 7 have BranchCache installed by default, but it

must be enabled and configured before it can be used and an exception configured

on the firewall.

Table 6

WinRm Commands


Page | 48

Exercise 10 – Configuring the Firewall for BranchCache.

1. On a domain controller, click Start | Administrative Tools | Group Policy

Management to launch the Group Policy Management console.

2. In the Group Policy Management console, browse to Forest | Domains | Group

Policy Objects making sure that the domain contains the Windows 7 client

computer accounts that need to be configured.

3. In the Group Policy Management console, right-click Group Policy Objects and

select Create And Link Group Policy Here.

Name the policy BranchCache Client and press Enter.

Right-click BranchCache Client and click Edit to launch the Group Policy

Management Editor console

4. In the Group Policy Management Editor console, browse to: Computer

Configuration | Policies | Windows Settings | Security Settings | Windows

Firewall with Advanced Security | Windows Firewall with Advanced Security |

LDAP | lnbound Rules.

5. Right-click Inbound Rules and then click New Rule to launch the. The New

Inbound Rule Wizard

6. In Rule Type, click Predefined, expand the list of choices, and then click

BranchCache - Content Retrieval (Uses HTTP) then click Next.

7. In Predefined Rules, click Next.

8. In Action, ensure that Allow The Connection is selected, and then click Finish.

9. Now to create the WS-Discovery firewall exception, right-click Inbound Rules,

and click New Rule to launch the New Inbound Rule Wizard


BranchCache - Peer Discovery (Uses WSD) and then click Next.




Page | 49

13. In the Group Policy Management Editor console, right-click Outbound Rules, and

then click New Rule to launch the New Outbound Rule Wizard


BranchCache - Content Retrieval (Uses HTTP) and click Next.



17. Create the WS-Discovery firewall exception by right-clicking Outbound Rules,

and then clicking New Rule to launch the Outbound Rule Wizard.


BranchCache - Peer Discovery (Uses WSD) and then click Next.



Hosted Mode

Hosted mode requires a Windows Server 2008 R2 based computer in both offices

and all of the client computers at the branch must be running Windows 7

Enterprise or Ultimate editions.

A Windows 7 machine downloads data from the main cache server, and then the

cache servers at the branch offices store a copy of the downloaded data for other

users to use.

Once a caching server at the branch office has been set up it needs to get a server

certificate so the client computers in the branch offices can identify it.

Exercise 11 – Installing BranchCache on a Windows Server 2008 R2 machine

1. Logon as an Administrator

2. Click clicking Start | Administrative Tools | Server Manager

3. In Server Manager, right-click Features and then choose the Add Feature link

4. The Add Features Wizard starts. Select the BranchCache check box and then

click Next

5. . At the Confirm Installation Selections screen, click Install


Page | 50

6. After the BranchCache feature installs, click Close.

7. In the Server Manager left window pane, double-click Configuration and then

click Services

8. In the Services detail pane, double-click BranchCache to launch the

BranchCache Properties dialog box

9. Click the General tab and then click Start. Click OK.

10. Close Server Manager.

11. Repeat steps 1 – 10 on all branch office cache servers

Configuring Direct Access

DirectAccess is new to the Windows Server 2008 R2 and Windows 7 operating

systems. It allows a remote user to connect to their corporate network without using

a VPN. As long as the user is connected to the Internet DirectAccess will

automatically connect the remote user to the corporate network. Because the

connection is bidirectional, the IT administrator can also remotely manage the

Windows 7 machine while the machine is away from the network.

DirectAcess vs VPNs.

VPNs allow a remote user to securely connect to a corporate network by tunneling

through the Internet however VPNs do have a number of downsides. For example, if

a user gets disconnected from their VPN connection, they must reestablish the VPN

connection. Also if an organization‟s Internet connections are the same as their VPN

connections it cause their Internet connections to be slower. Finally for security

reasons it may not be possible for an organization to open a port on their firewall to

allow VPN traffic.

DirectAcess

DirectAccess does not face the same limitations of a VPN. To establish a

connection DirectAcess uses Internet Protocol Security (IPsec) to provide a high

level of security between the client and the server. According to Microsoft the way in

which DirectAcess works is as follows:


Page | 51

1. The Windows 7 DirectAccess client determines whether the machine is

connected to a network or to the Internet.

2. The Windows 7 DirectAccess computer tries to connect to the web server

specified during the DirectAccess setup configuration.

3. The Windows 7 DirectAccess client computer connects to the Windows Server

2008 R2 DirectAccess server using IPv6 and IPsec. Because most users connect

to the Internet by using IPv4, the client establishes an IPv6-over-IPv4 tunnel

using 6to4 or Teredo.

4. If an organization has a firewall that prevents the DirectAccess client computer

using 6to4 or Teredo from connecting to the DirectAccess server, the Windows 7

client automatically attempts to connect by using the IP-HTTPS protocol.

5. As part of establishing the IPsec session, the Windows 7 DirectAccess client and

server authenticate each other by using computer certificates for authentication.

6. The DirectAccess server uses Active Directory membership and the

DirectAccess server verifies that the computer and user are authorized to

connect by using DirectAccess.

7. The DirectAccess server begins forwarding traffic from the DirectAccess client to

the intranet resources to which the user has been granted access.

Setting up DirectAcess

To set up DirectAccess, your network infrastructure must meet some

minimum requirements.

The Windows Server 2008 R2 computer that has been configured to use

DirectAccess must be a multihomed device with one NIC connected to the Internet

and the other NIC connected to the intranet. Each network adapter will be

configured with its own TCP/IP address. The DirectAccess server must be

configured to use IPv6 and be capable of supporting ISATAP, Teredo, or 6to4. The

client machines must be configured to use DirectAccess.

Exercise 12 – Installing DirectAccess

1. Start Server Manager by clicking Start | Administrative Tools | Server Manager.


Page | 52

2. In the left window pane, click Features.

3. In the right window, click the Add Feature link.

4. Click the DirectAccess Management Console check box.

5. A dialog box may appear, asking to install any other features required by

DirectAccess. Click the Add Required Features button.

6. Click Next and then click the Install button.

7. Verify that the installation was complete and then close Server Manager.

Open the Direct Access Manager from Administrative Tools. When the DirectAccess

Manager starts up, click Setup to launch the DirectAccess Setup Wizard. This will

step through setting up the Remote Clients, DirectAccess Server, Infrastructure

Servers, Application Servers and the selection of the Windows 7 computers that can

use DirectAccess.

To complete the setup and allow this to function properly, a certificate server, domain

controller, and DNS server are required.

Understanding Virtualization

Server virtualization can be used to run more than one operating systems in virtual

machines on a single physical server platform using Hyper-V. The notion behind

server virtualization is to reduce their hardware costs. At the client level virtualization

can take place using Virtual PC.

Virtual machines are full operating systems that run in a virtualized environment.

The end users that connect to the virtual machines cannot tell the difference

between a normal machine and virtualized machine.

Hyper-V

Microsoft has now incorporated server virtualization into the operating system with

the release of Hyper-V.

One of the big advantages of Hyper-V is that it will support multiple operating

systems, including non-Windows operating systems, running on the same Windows

Server 2008 machine. Each VM can have its own unique resources running on its

operating system. Another advantage is the ability to rapidly recover from a crash


Page | 53

because it is only necessary to move the Hyper-V virtual machine to another

machine.

One thing to be careful to avoid is not to put all the servers that have specialized

functions in virtual machines on the same physical server. For example if all the

virtual DHCP servers are on the same physical platform and it goes down, there will

be no DHCP service until the VMs can be moved to another physical server.

Creating a Hyper-V Windows 7 Virtual Machine

The hypervisor, in Hyper-V, is a 64-bit mechanism that allows Hyper-V to run

multiple virtual machines on the same physical machine. The hypervisor's job is to

create and manage the partitions between virtual machines. The hypervisor is a thin

software layer that sits between the virtual machines and the hardware.

Exercise 12 – Making a Windows 7 .VHD

1. Start the Hyper-V Manager by clicking Start | Administrative Tools | Hyper-

V Manager.

2. When the Hyper-V Manager starts, under the Actions section click the New,

Virtual Machine link.

3. At the Before You Begin screen click Next.

4. At the Specify Name And Location screen, type Win7VM in the Name field. Leave

the default location. Click Next.

5. At the Assign Memory screen, type 1024MB and click Next.

6. At the Configure Networking screen, pull down the Connection type and choose

the network adapter and then click Next.

7. At the Connect Virtual Hard Disk screen. Click Create A New Virtual Hard Disk.

8. TypeWin7.vhd and make the hard drive size 20 GB. Click Next.

9. At the Summary screen, select the Start The Virtual Machine After It Is Created

check box and click Finish.

10. When the Win7VM starts, you will receive a boot failure. Click the Media

menu option. Click the DVD Drive option and then Capture Your DVD

Drive. Then click Enter.


Page | 54

11. Install the Windows 7 Enterprise Edition as normal.

Windows Virtual PC

Microsoft also has a virtualization environment that can operate on its client software

called Windows Virtual PC. Windows Virtual PC enables can be used to create and

manage virtual machines without the need of a server operating system. The

advantage here is that a server operating systems can run in a client environment

such as Windows XP, Windows Vista, or Windows 7.

Virtual PC is good for testing things before implementing on a physical hardware

platform. It is also useful when a user has an application that ran on a legacy

system such as Windows 2000 Professional but will not run in Windows 7. Windows

2000 can be installed in virtual PC and the application run on the Virtual machine.