
Enterprise Foundations

This chapter is from the book

Windows Core Technologies

Windows provides the same core technologies that any good network operating system provides. These technologies are grouped into three functional categories: Communications, Security, and Network Services.


Communications

One primary purpose of an operating system is to provide communications services for the applications that run on it. Windows 2000 and Windows .NET provide applications with an Application Programming Interface (API) that abstracts the concept of communication from the actual implementation. In other words, applications simply ask the operating system to send and receive data, and the operating system worries about all the different methods (LANs, wireless networks, dial-up connections, and so forth) that the communications may need to travel across.

Windows uses the TCP/IP network protocol suite as its primary, native communications protocol. Windows also provides support for older network protocols, such as Microsoft NWLink, which is compatible with Novell's NetWare IPX/SPX networking protocol. The advantage of TCP/IP is that the entire protocol suite is media-independent, which means it can be transported over just about any type of network. The .NET Enterprise Servers rely heavily on TCP/IP, and in fact that protocol is a requirement for most of the newer .NET Enterprise Servers. Designing a network that uses the .NET Enterprise Servers requires you to have a solid understanding of how TCP/IP works, and how applications interact with it. Although I can't provide a complete TCP/IP tutorial in these pages (there are a number of good books devoted entirely to that topic), the next few sections will provide a brief overview to help refresh your memory on key Windows TCP/IP concepts.

TCP/IP Addressing

All computers on a TCP/IP network must have a unique TCP/IP address (also called an IP address), which functions a bit like the computer's own private phone number. Addresses are entered and displayed in a dotted-decimal format, such as 10.1.4.250 (the sample address used throughout this section). Each group of numbers separated by a dot is referred to as an octet. An IP address actually contains two pieces of information: a network ID number and a host ID number. The network ID number is a bit like an area code, and is shared by all computers on a single physical network. The host ID number is the remaining portion of the phone number, and uniquely identifies a particular host within a network.

In order to ensure that all computers on the Internet have a universally unique IP address, address assignment is handled by the Internet Assigned Numbers Authority (IANA). IANA distributes available IP addresses to Internet service providers (ISPs), who in turn distribute them to companies and individuals. IANA has reserved three blocks of IP addresses for private use (10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255, defined in RFC 1918), and ensures that the reserved addresses are never issued to Internet computers. These private addresses provide companies with a large number of IP addresses that can be used on private corporate networks, even though the number of available public IP addresses is growing smaller and smaller with the growth of the Internet.


A new IP addressing scheme, called IPv6, promises to solve the scarcity of public IP addresses by vastly increasing the number of available addresses. However, all of the hardware and software necessary to support IPv6 hasn't been globally adopted, so we're still stuck with the old addressing scheme. IPv6 has actually been around for a few years now, and the adoption rate is still moving at a crawl, so don't expect to see IPv6 addressing in your environment anytime soon.

Although computers using private IP addresses can't access the Internet directly (because you must have a public IP address in order to access the Internet), Network Address Translation (NAT) devices can translate between public and private IP addresses. NAT enables corporations using private IP addresses to provide Internet access to their users, and also reduces the number of public IP addresses required to provide that access. Windows's built-in Routing and Remote Access Service (RRAS) includes NAT capabilities, as does Microsoft's Internet Security and Acceleration Server.

For more information about Internet Security and Acceleration Server's features, see "Technology Capabilities," p. 324


RRAS provides other key communications capabilities to Windows, including the capability to securely connect networks to one another over the Internet, and the capability to provide dial-up access to remote users. I'll cover RRAS in a bit more detail later in this chapter.

Subnets and Routing

Computer networks, like major highways, don't benefit from having too many computers on one network. Networks are shared communications resources, and too many computers trying to use one network has pretty much the same effect as rush hour does on a metropolitan highway. To prevent network congestion, computer networks are divided into multiple independent segments. Each segment is basically a computer network in its own right, which raises the problem of how to move information from one network to another. If you think of computer networks as a neighborhood of houses, then you can think of information delivery in terms of delivering mail. If you need to send mail to someone in your neighborhood, you might just walk the information over and drop it into the recipient's mailbox yourself. If you need to send mail to someone in another neighborhood, perhaps across the country, you let the Post Office handle it for you, because they know how to route mail from place to place very efficiently. Likewise, when information on one computer network needs to move to another computer network, you rely on routing.

Routing is conducted by hardware devices called, appropriately enough, routers. Routers are connected to multiple networks at the same time, and are responsible for moving data between those networks. Routers rely on the fact that all TCP/IP data transmissions include the IP address of the destination computer, and that IP addresses contain both a network ID and a host ID. Looking at a typical IP address, such as 10.1.4.250, it's hard to tell which portion of the address is the network ID and which portion is the host ID. To make that determination, computers rely on a subnet mask.

For subnet masks to make sense, you have to remember that computers all work in binary. In other words, everything in a computer is represented as a series of ones and zeros. Computers are designed to display that information in a friendlier fashion for us humans, but subnet masks get right to the binary heart of how computers work. Take our sample IP address of 10.1.4.250 and a sample subnet mask of 255.255.0.0. If you convert each octet in the IP address and subnet mask to binary, you have the following:

  • IP address: 00001010.00000001.00000100.11111010

  • Subnet mask: 11111111.11111111.00000000.00000000


If you use the Windows Calculator's scientific view, you can use it to convert numbers between decimal and binary.

The subnet mask determines which parts of the IP address represent the network ID, and which parts represent the host ID. Notice that each octet is composed of eight binary digits, or bits. Every bit in the subnet mask that's set to one represents a portion of the IP address that's the network ID. Every zero in the subnet mask corresponds to a bit in the IP address that's the host ID. So, for this sample IP address and subnet mask, the network ID is 10.1.x.x, and the host ID is 4.250. Note that subnet masks should always be a string of 1s, followed by a string of 0s. It's theoretically possible to have a subnet mask that translates to something like 11110111.00111100.11100011.00000000, but such a mask isn't (and won't be) supported by any current implementation of TCP/IP.

When Windows needs to send data, it looks at the network ID of the destination and its own network ID. If the two have the same network ID, then Windows sends the information out onto the local computer network, knowing that the destination computer will see it and pick it up. If the network IDs don't match, then Windows sends the data to its default gateway, which is a special IP address that you configure in Windows. The default gateway is usually a router, and it becomes the router's responsibility to either place the data onto the appropriate network, or forward the packet to yet another router for delivery.
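The mask arithmetic and the local-versus-gateway decision just described, as an added Python example (this is not code from the book). The IP address and mask are the chapter's own sample; the destination addresses and the default gateway 10.1.0.1 are assumed for the demonstration. It also rejects the non-contiguous masks the text mentions.

```python
# Added example, not from the book: the subnet-mask arithmetic behind the
# routing decision described in the text. Standard library only.
from __future__ import annotations
import ipaddress

SAMPLE_IP = "10.1.4.250"      # the chapter's sample address
SAMPLE_MASK = "255.255.0.0"   # the chapter's sample subnet mask


def to_binary(dotted: str) -> str:
    """Render a dotted-decimal IPv4 value as four 8-bit groups, as the chapter does."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a run of 1 bits followed by a run of 0 bits."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    # The inverted mask must be all trailing ones (2**k - 1); adding one to
    # such a value clears every bit that was set.
    return (inverted & (inverted + 1)) == 0


def split_address(ip: str, mask: str) -> tuple[str, str]:
    """Return (network ID, host ID): 1 bits in the mask select the network part."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous subnet mask {mask} is not supported")
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_int & mask_int)
    host = ipaddress.IPv4Address(ip_int & ~mask_int & 0xFFFFFFFF)
    return str(network), str(host)


def next_hop(src_ip: str, mask: str, dst_ip: str, default_gateway: str) -> str:
    """Mimic the sending host: same network ID means deliver on the local
    segment, otherwise hand the packet to the configured default gateway."""
    src_net, _ = split_address(src_ip, mask)
    dst_net, _ = split_address(dst_ip, mask)
    return "local" if src_net == dst_net else default_gateway


if __name__ == "__main__":
    print("IP address: ", to_binary(SAMPLE_IP))
    print("Subnet mask:", to_binary(SAMPLE_MASK))
    print("network/host:", split_address(SAMPLE_IP, SAMPLE_MASK))
    # Constructed destinations and gateway, not from the chapter.
    for dst in ("10.1.200.7", "10.2.0.5"):
        print(dst, "->", next_hop(SAMPLE_IP, SAMPLE_MASK, dst, "10.1.0.1"))
```

The host ID comes back as a full dotted value (0.0.4.250) rather than the chapter's shorthand 4.250; the bits are the same. Note that a host with the wrong mask will misclassify destinations as local and never consult its gateway, which is why a mask typo shows up as "can reach some machines but not others."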

Application Ports

Once a packet of data reaches the appropriate computer, the computer needs a way to determine what to do with the data. Computers can, of course, perform a number of different functions simultaneously, and keeping track of the associated network traffic can be complex. For example, suppose that you're browsing a Web site in one window, while opening a Microsoft Word document from a file server in another window. You've got two kinds of traffic coming back to your computer: the data that makes up the Web page you're trying to view, and the data that makes up the Word document you're trying to open. How does your computer know that Internet Explorer should get the first pieces of data, while Microsoft Word should get the other pieces?

The answer is port numbers. A port number is almost like an IP address for a specific application on your computer. When your computer sends data, it sends the data to an IP address, which represents the destination network and host, and to a specific port number, which represents the application on the destination computer. Requests for Web pages, for example, are usually sent to port 80. IANA steps in again by keeping track of the port numbers used by different network applications, and ensuring that at least the most common applications all have a unique port number to prevent global confusion. When a Windows computer receives data, it examines the port number to see which application should receive the data.

Ports become especially important in the security realm. Many companies, for example, invite the public to browse their Web servers, and perhaps allow the public to access an FTP server to download files. On the other hand, companies usually don't want the public to have access to the company's file servers, network printers, database servers, and other network resources. Because each of these functions uses a different port number, port numbers can become a means of filtering traffic and securing the network. Network devices called firewalls, or firewall software such as Internet Security and Acceleration Server, can allow traffic to come into the network on specific port numbers, while blocking traffic on other port numbers.



IANA defines port numbers from 0 to 1023 as well-known ports. Windows includes a list of some of these ports in a text file named services, which is located under the Windows installation directory in System32\Drivers\Etc\. IANA also registers port numbers from 1024 to 49151 on request, and designates 49152 to 65535 as dynamic ports; because registration above 1023 is voluntary, there is a greater possibility of multiple applications using the same port number in that range. The services file, for example, lists a number of ports over 1023 that are in common use.
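The services file layout and the port-based filtering described above, as an added Python example (not code from the book or from Windows). The file contents are a constructed sample in the same column layout as the Windows services file, and the allow list (Web and FTP in, everything else out) is the policy the text uses as its illustration.

```python
# Added example, not from the book: parse lines in the layout of the
# Windows services file, classify ports into IANA ranges, and apply a
# firewall-style allow list to inbound packets.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in the layout of %SystemRoot%\System32\drivers\etc\services:
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
SAMPLE_SERVICES = """\
# service          port/proto   aliases              comment
echo                 7/tcp
ftp                 21/tcp
telnet              23/tcp
http                80/tcp      www www-http         #World Wide Web
https              443/tcp      MCom
microsoft-ds       445/tcp
ms-sql-s          1433/tcp                           #Microsoft-SQL-Server
"""


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str
    aliases: tuple[str, ...]


def parse_services(text: str) -> dict[tuple[int, str], Service]:
    """Map (port, protocol) to its entry, ignoring comments and blank lines."""
    table: dict[tuple[int, str], Service] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        name, port_proto, *aliases = line.split()
        port, proto = port_proto.split("/")
        key = (int(port), proto.lower())
        table[key] = Service(name, key[0], key[1], tuple(aliases))
    return table


def port_range(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def filter_inbound(packets, allowed, table):
    """Per (dst_port, proto): pass if on the allow list, otherwise deny.
    The service name is only a label for the log; the decision is on the number."""
    decisions = []
    for dst_port, proto in packets:
        svc = table.get((dst_port, proto))
        label = svc.name if svc else "unassigned"
        verdict = "allow" if (dst_port, proto) in allowed else "deny"
        decisions.append((dst_port, proto, label, verdict))
    return decisions


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    allowed = {(80, "tcp"), (21, "tcp")}   # the public-facing policy from the text
    # Constructed inbound packets as (destination port, protocol).
    packets = [(80, "tcp"), (21, "tcp"), (445, "tcp"), (1433, "tcp"), (50000, "tcp")]
    for port, proto, label, verdict in filter_inbound(packets, allowed, table):
        print(f"{proto}/{port:<5} {label:<13} {port_range(port):<11} {verdict}")
```

Keep in mind what a port filter does and doesn't prove: the number tells you where the packet is addressed, not what is listening. Nothing stops an administrator (or an intruder) from running some other service on port 80, so a port-based rule is a coarse first gate, not an identification of the application.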

Network Services

Windows provides a number of core network services that are required for the smooth operation of any larger network (although very small networks with a handful of computers can get by without them). These services are provided by optional components that are included with every Windows server platform, although none of them are installed by default. These core network services include name resolution services, IP configuration services, and routing and remote access services.

Name Resolution

Name resolution services are important to any network. While it's all well and good for computers to address one another using IP addresses, we humans work better with meaningful names, such as ServerA. Name resolution services enable users to utilize meaningful names for servers and other network resources, while giving computers a way to translate, or resolve, those names into the IP addresses needed for network communications. Windows includes two different name resolution services: the Domain Name System, or DNS, and the Windows Internet Naming Service, or WINS.


DNS services are provided by computers running a DNS server. Windows operating systems are compatible with almost any industry-standard DNS server, including those running on Unix operating systems. Windows does include its own DNS server software, which you can install on any Windows 2000 or Windows .NET server operating system.


What's the difference between WINS and DNS? WINS is used to resolve computers' names to IP addresses, and "names" in this case refers to the specific, Microsoft-style computer names used by Windows operating systems. DNS, on the other hand, is more universal and is used to resolve host names. In a Windows environment there might not seem like much difference, since the two names are the same. Windows 2000 and later, however, are designed to rely primarily on DNS services, as Microsoft is slowly phasing out the use of (and need for) WINS.

The IP configuration of every computer on your network must include the IP address of at least one DNS server. You can't use the name of the DNS server, since there would be no way to resolve that name to an IP address without a DNS server; providing an IP address prevents a catch-22 in the IP configuration. Once configured with the IP address of a DNS server, Windows 2000 and higher computers will use that DNS server to try to translate names to IP addresses. For example, if you use Internet Explorer to visit http://www.braincore.net, your computer will contact the DNS server to resolve that name to an IP address.

The Internet's DNS system is hierarchical. At the top level of the hierarchy are the top-level domains, or TLDs. Various contractors run the Internet's official TLD DNS servers, which provide references to other servers in the hierarchy. For example, let's say you used a computer on your corporate network to contact www.braincore.net. Your corporate DNS server wouldn't have an entry for www.braincore.net, and would instead ask one of the Internet's root servers, which would refer it to a DNS server that was authoritative for the .net TLD. The .net TLD server would know the IP address of a server that was authoritative for the braincore.net domain, and that server would be able to provide an IP address for the host named www. This process of referring name resolution requests down the hierarchy minimizes the burden on any one DNS server in the system, and enables the overall DNS system to be more flexible.

Windows utilizes a special DNS feature called Dynamic DNS, or DDNS. Whenever a Windows 2000 (or higher) computer starts, it contacts its configured DNS server and provides its computer name and current IP address. The DNS server updates its database to reflect the change. DDNS enables computers to dynamically update the DNS server with the latest IP addressing information, and enables the DNS server to provide accurate name resolution services on dynamic, constantly changing networks. Because any host that can reach the server could otherwise register or overwrite a name, configure zones to accept only secure dynamic updates (available for Active Directory-integrated zones), which accept a change only from an authenticated computer that is permitted to modify that record.

To help distribute the workload of name resolution in a large environment, you can configure secondary servers and caching servers. A secondary server doesn't contain its own database, but instead transfers the DNS database from a designated primary DNS server. Secondary servers are good for providing name resolution services, but they cannot always accept dynamic DNS updates (some types of secondary servers can accept updates and send them along to their primary server). Caching DNS servers don't even transfer a copy of the DNS database. Instead, when they receive a name resolution request, the caching server contacts a regular DNS server to complete the resolution. The caching server then saves the IP address, and uses the saved—or cached—information to satisfy future requests for the same name. Cache entries eventually expire, forcing the caching server to re-resolve the name and obtain the most recent IP address.
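The delegation walk from the root through the TLD to the authoritative server, plus the caching behavior described above, as an added Python example (not code from the book or from the Windows DNS server). The server names, the zone data, and the address 192.0.2.10 for www.braincore.net (taken from the documentation address range) are all constructed for the demonstration.

```python
# Added example, not from the book: an iterative resolver that follows
# referrals from the root down to the authoritative server and caches
# answers until the record's TTL expires.
from __future__ import annotations

# Constructed zone data. "delegations" map a zone to the server that is
# authoritative for it; "records" map a fully qualified name to
# (address, TTL in seconds).
SERVERS = {
    "root": {
        "delegations": {"net.": "tld-net"},
        "records": {},
    },
    "tld-net": {
        "delegations": {"braincore.net.": "ns1.braincore.net"},
        "records": {},
    },
    "ns1.braincore.net": {
        "delegations": {},
        "records": {"www.braincore.net.": ("192.0.2.10", 300)},
    },
}


def query(servers, server_name, qname):
    """One question to one server: an answer, a referral to the most
    specific delegated server, or nothing at all."""
    server = servers[server_name]
    if qname in server["records"]:
        return "answer", server["records"][qname]
    best = None
    for zone, ns in server["delegations"].items():
        in_zone = qname == zone or qname.endswith("." + zone)
        if in_zone and (best is None or len(zone) > len(best[0])):
            best = (zone, ns)
    if best is not None:
        return "referral", best[1]
    return "nxdomain", None


class CachingResolver:
    def __init__(self, servers, root="root"):
        self.servers = servers
        self.root = root
        self.cache = {}   # qname -> (address, absolute expiry time)

    def resolve(self, name, now):
        """Return (address, list of servers asked). An empty list is a cache hit."""
        qname = name.rstrip(".") + "."
        cached = self.cache.get(qname)
        if cached is not None and cached[1] > now:
            return cached[0], []
        trace = []
        server = self.root
        for _ in range(8):   # bound the walk so a bad delegation cannot loop forever
            trace.append(server)
            kind, data = query(self.servers, server, qname)
            if kind == "answer":
                address, ttl = data
                self.cache[qname] = (address, now + ttl)
                return address, trace
            if kind == "referral":
                server = data
                continue
            return None, trace
        raise RuntimeError(f"referral chain for {qname} did not terminate")


if __name__ == "__main__":
    resolver = CachingResolver(SERVERS)
    for t in (0, 100, 400):          # second lookup is served from cache, third has expired
        print(t, resolver.resolve("www.braincore.net", now=t))
    print(resolver.resolve("mail.braincore.net", now=0))
```

The toy believes whatever the last server says and caches it for the full TTL, which is exactly the property a real caching server has to be careful about: a cached answer is only as trustworthy as the server that supplied it, and it will be handed to every client that asks until the entry expires.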


Windows's DNS server software enables you to store the DNS data in a regular text file or in Active Directory. By selecting Active Directory, you have the option to install DNS on any domain controller. You also get the advantages of Active Directory's fault tolerance, providing you with a quick recovery solution in case a DNS server fails—simply install DNS on another domain controller, which can use the DNS information that's already in Active Directory.


WINS works a lot like DNS, but for a slightly different reason. Prior to Windows 2000, Windows computers relied on a networking protocol named NetBIOS. NetBIOS requires each computer to have a unique computer name, and WINS provides a name resolution service that translates NetBIOS computer names into IP addresses. DNS requires a unique name, too, but only within a particular domain. For example, DNS allows a computer named "Client1" to exist within the braincore.net domain and another within the Microsoft.com domain; WINS, however, is a flat naming space and requires all computers on the network to have unique names. WINS therefore isn't used on the global Internet like DNS is, but only on local private networks.

Windows 2000 (and higher) still uses NetBIOS names for backward compatibility, although an all-2000 or higher network doesn't require WINS. Windows 2000 and Windows .NET server operating systems still include a WINS server component, providing you with the capability to support older clients that still rely on WINS. Microsoft is gradually phasing out the use of NetBIOS, and relying on DNS to provide name resolution services, rather than the proprietary WINS service.

One unique feature of WINS is the capability to replicate between WINS servers. This feature enables you to deploy multiple WINS servers on your network, and effectively allow them to share a database, because the WINS servers can communicate with each other and exchange information on new or updated IP address mappings.

IP Configuration

On a small network, configuring the IP addresses, subnet masks, default gateway, DNS, and WINS servers for each computer on the network is no big deal. For large networks with hundreds or thousands of computers, though, manual IP configuration is time-consuming and error-prone. The TCP/IP protocol suite includes a protocol named the Dynamic Host Configuration Protocol, or DHCP. DHCP is designed to enable client computers to dynamically request IP configuration information from a DHCP server. The DHCP server, in turn, can be configured with the necessary IP configuration information. The DHCP server tracks the IP addresses it issues, ensuring that no address is issued more than once. The DHCP server can also issue DNS and WINS server addresses, and can also configure each client computer with the correct default gateway for its network segment.

Windows server operating systems include an optional DHCP Server service, which is capable of supporting clients on multiple network segments from a single server. A Windows 2000 (or higher) DHCP server that belongs to a domain must be authorized in Active Directory before it will lease addresses, which helps keep an unauthorized DHCP server on your network from handing clients bogus gateway and DNS settings.

Routing and Remote Access

Windows servers include the Routing and Remote Access Service (RRAS), which enables a Windows server to act as a software-based network router, virtual private network (VPN) server, and dial-up server. The RRAS software is installed on Windows by default, but isn't configured to perform any functions. Most administrators rely on RRAS as a VPN server, either to securely connect two office networks across an Internet connection, or to accept incoming VPN connections from employees who have their own Internet connections. Administrators also rely on RRAS to provide dial-up access for company employees.


Security

Perhaps the most important function served by a network operating system is security. Windows operating systems include technology for very high-end security:

  • The NTFS file system provides the capability to assign specific access rights to individual user accounts or to group accounts.

  • Individual Windows computers can maintain their own database of user and group accounts, or can join a domain and assign access rights to domain user and group accounts.

  • Windows includes support for IPSec, a security protocol that addresses security at the IP (network) layer, beneath the applications. IPSec can be used to automatically encrypt certain kinds of traffic, encrypt traffic between specific computers, and so forth. For example, if your company has a file server that contains confidential information, you can configure IPSec on the server so that it only accepts connections from workstations that can support an encrypted connection, thus preventing any data from being transferred in an unencrypted form that could be subject to electronic eavesdropping.

  • Windows computers can be configured to require long, complex passwords for user accounts. Longer, more complex passwords are more difficult for intruders to guess. Other password policies can require users to change their passwords frequently, use unique passwords each time they select a new password, and lock out a user account if it appears that an intruder is trying to repeatedly guess the correct password.

  • Windows 2000 (and higher) computers natively use the Kerberos authentication protocol, which not only enables servers to ensure that users are correctly identified, but assures users that they are actually connecting to the server they intended to connect to (and not a server that is masquerading as the intended server, with the intent of tricking the user into divulging confidential information).

  • Windows contains a built-in application programming interface for data encryption, called the CryptoAPI. This interface makes it easier for developers to create applications that utilize data encryption techniques to protect data.

  • The NTFS file system provides support for the Encrypted File System (EFS), which enables users to encrypt files and then continue to transparently access the files as if they were not encrypted. Other users are unable to access encrypted files. In order to protect corporate information from being lost, EFS provides data recovery capabilities for authorized administrators who need to decrypt data which has been encrypted by a corporate user.


One of Windows's most public shortcomings is the number of high-profile security flaws that have been found in the product. Microsoft typically moves quickly to release a patch, or hotfix, that corrects the problem. The trick is to keep up with all of the latest fixes. One way is to regularly visit the Microsoft security Web site at http://www.microsoft.com/security. The Web site also allows you to sign up for email notifications of new security alerts and the availability of corrective hotfixes.


Another perceived security flaw with Windows 2000 and earlier versions is that the operating system's default configuration is relatively insecure. Microsoft's goal was to make the operating system easy to configure and administer, which necessarily means activating features that can potentially be exploited by attackers. Microsoft has reversed its philosophy with Windows .NET Server 2003, which provides a much more secure default configuration. The tradeoff is complexity: in order to use many of Windows .NET Server 2003's features, additional configuration or installation is required, since many more optional features (such as IIS) are disabled by default to keep them from being used as a security "hole."

The various .NET Enterprise Servers rely heavily on Windows's built-in security features, including NTFS file access permissions, Active Directory user accounts, Kerberos authentication, data encryption, and much more.

Performance Monitoring

Windows provides the basic infrastructure for an extensible performance monitoring system. Every Windows server includes the System Monitor application, which can display real-time performance statistics, save performance information to a log over a period of time, and even generate alerts when certain performance values (which you define) are exceeded by the server. By default, System Monitor includes a number of performance objects, which each represent a major subsystem of the operating system, such as the memory subsystem or processor subsystem. Each performance object contains several performance counters, which each represent a specific measurement, such as processor utilization or available memory. System Monitor's capabilities can be extended through additional performance objects. All of the .NET Enterprise Servers, in fact, install additional performance objects. SQL Server, for example, installs performance objects that enable you to monitor nearly every aspect of SQL Server's operations. Exchange Server, Application Center, and all of the other .NET Enterprise Servers install at least one performance object, and many install several different performance objects to represent their different subsystems.
