Windows Core Technologies
Windows provides the same core technologies that any good network operating system provides. These technologies are grouped into three functional categories: Communications, Security, and Network Services.
One primary purpose of an operating system is to provide communications services for the applications that run on the operating system. Windows 2000 and Windows .NET provide applications with an Application Programming Interface that abstracts the concept of communication from the actual implementation. In other words, applications simply ask the operating system to send and receive data, and the operating system worries about all the different methods (LANs, wireless networks, dial-up connections, and so forth) that the communications may need to travel across.
Windows uses the TCP/IP network protocol suite as its primary, native communications protocol. Windows also provides support for older network protocols, such as Microsoft NWLink, which is compatible with Novell's NetWare IPX/SPX networking protocol. The advantage of TCP/IP is that the entire protocol suite is media-independent, which means it can be transported over just about any type of network. The .NET Enterprise Servers rely heavily on TCP/IP, and in fact that protocol is a requirement for most of the newer .NET Enterprise Servers. Designing a network that uses the .NET Enterprise Servers requires you to have a solid understanding of how TCP/IP works, and how applications interact with it. Although I can't provide a complete TCP/IP tutorial in these pages (there are a number of good books devoted entirely to that topic), the next few sections will provide a brief overview to help refresh your memory on key Windows TCP/IP concepts.
All computers on a TCP/IP network must have a unique TCP/IP address (also called an IP address), which functions a bit like the computers' own private phone number. Addresses are entered and displayed in a dotted-decimal format, such as 192.168.10.10. Each group of numbers separated by a dot is referred to as an octet. An IP address actually contains two pieces of information: A unique network ID number, and a unique host ID number. The network ID number is a bit like an area code, and is shared by all computers on a single physical network. The host ID number is the remaining portion of the phone number, and uniquely identifies a particular host within a network.
In order to ensure that all computers on the Internet have a universally unique IP address, address assignment is handled by the Internet Assigned Numbers Authority (IANA). IANA distributes available IP addresses to Internet service providers (ISPs), who in turn distribute them to companies and individuals. IANA has reserved three blocks of IP addresses for private use, and ensures that the reserved addresses are never issued to Internet computers. These private addresses provide companies with a large number of IP addresses that can be used on private corporate networks, even though the number of available public IP addresses is growing smaller and smaller with the growth of the Internet.
A new IP addressing scheme, called IPv6, promises to solve the scarcity of public IP addresses by vastly increasing the number of available addresses. However, all of the hardware and software necessary to support IPv6 hasn't been globally adopted, so we're still stuck with the old addressing scheme. IPv6 has actually been around for a few years now, and the adoption rate is still moving at a crawl, so don't expect to see IPv6 addressing in your environment anytime soon.
Although computers using private IP addresses can't access the Internet directly (because you must have a public IP address in order to access the Internet), Network Address Translation (NAT) devices can translate between public and private IP addresses. NAT enables corporations using private IP addresses to provide Internet access to their users, and also reduces the number of public IP addresses required to provide that access. Windows's built-in Routing and Remote Access Service (RRAS) includes NAT capabilities, as does Microsoft's Internet Security and Acceleration Server.
For more information about Internet Security and Acceleration Server's features, see "Technology Capabilities," p. 324
RRAS provides other key communications capabilities to Windows, including the capability to securely connect networks to one another over the Internet, and the capability to provide dial-up access to remote users. I'll cover RRAS in a bit more detail later in this chapter.
Subnets and Routing
Computer networks, like major highways, don't benefit from having too many computers on one network. Networks are shared communications resources, and too many computers trying to use one network has pretty much the same effect as rush hour does on a metropolitan highway. To prevent network congestion, computer networks are divided into multiple independent segments. Each segment is basically a computer network in its own right, which raises the problem of how to move information from one network to another. If you think of computer networks as a neighborhood of houses then you can think of information delivery in terms of delivering mail. If you need to send mail to someone in your neighborhood, you might just walk the information over and drop it into the recipient's mailbox yourself. If you need to send mail to someone in another neighborhood, perhaps across the country, you let the Post Office handle it for you, because they know how to route mail from place to place very efficiently. Likewise, when information on one computer network needs to move to another computer network, you rely on routing.
Routing is conducted by hardware devices called, appropriately enough, routers. Routers are connected to multiple networks at the same time, and are responsible for moving data between those networks. Routers rely on the fact that all TCP/IP data transmissions include the IP address of the destination computer, and that IP addresses contain both a network ID and a host ID. Looking at a typical IP address, such as 10.1.4.250, it's hard to tell which portion of the address is the network ID, and which portion is the host ID. To make that determination, computers rely on a subnet mask.
For subnet masks to make sense, you have to remember that computers all work in binary. In other words, everything in a computer is represented as a series of ones and zeros. Computers are designed to display that information in a friendlier fashion for us humans, but subnet masks get right to the binary heart of how computers work. Take our sample IP address of 10.1.4.250, and a sample subnet mask of 255.255.0.0. If you convert each octet in the IP address and subnet mask to binary, you have the following:
IP address: 00001010.00000001.00000100.11111010
Subnet mask: 11111111.11111111.00000000.00000000
If you use the Windows Calculator's scientific view, you can use it to convert numbers between decimal and binary.
The subnet mask determines which parts of the IP address represent the network ID, and which parts represent the host ID. Notice that each octet is composed of eight binary digits, or bits. Every bit in the subnet mask that's set to one represents a portion of the IP address that's the network ID. Every zero in the subnet mask corresponds to a bit in the IP address that's the host ID. So, for this sample IP address and subnet mask, the network ID is 10.1.x.x, and the host ID is 4.250. Note that subnet masks should always be a string of 1s, followed by a string of 0s. It's theoretically possible to have a subnet mask that translates to something like 11110111.00111100.11100011.00000000, but such a mask isn't (and won't be) supported by any current implementation of TCP/IP.
When Windows needs to send data, it looks at the network ID of the destination and its own network ID. If the two have the same network ID, then Windows sends the information out onto the local computer network, knowing that the destination computer will see it and pick it up. If the network IDs don't match, then Windows sends the data to its default gateway, which is a special IP address that you configure in Windows. The default gateway is usually a router, and it becomes the router's responsibility to either place the data onto the appropriate network, or forward the packet to yet another router for delivery.
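The mask arithmetic and the local-versus-gateway decision described above, as an added example (illustrative code, not part of the original text and not Windows's own implementation). It uses the text's address 10.1.4.250 and mask 255.255.0.0; the gateway address 10.1.0.1 and the destination addresses are constructed for the example, and the mask-validity check implements the "string of 1s followed by a string of 0s" rule from the text.

```python
# Added example: split an IP address into network ID and host ID with a subnet
# mask, reject non-contiguous masks, and decide whether a packet is delivered on
# the local segment or handed to the default gateway. Illustrative code only.

def octets_to_int(dotted):
    """'10.1.4.250' -> 0x0A0104FA, validating the dotted-decimal form."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-decimal address: {dotted!r}")
    value = 0
    for part in parts:
        n = int(part)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value

def int_to_octets(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted):
    """Render the address as the 8-bit groups shown in the text."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))

def is_contiguous_mask(mask):
    """True when the mask is a run of 1s followed by a run of 0s (e.g. 255.255.0.0).
    Inverting such a mask gives 0...01...1, and adding 1 to that clears every bit."""
    inverted = ~octets_to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def split_address(ip, mask):
    """Return (network_id, host_id) as dotted strings. The text writes the host
    part as just the trailing octets (4.250); here it is kept as a full address."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous subnet mask {mask} is not supported")
    i, m = octets_to_int(ip), octets_to_int(mask)
    return int_to_octets(i & m), int_to_octets(i & ~m & 0xFFFFFFFF)

def next_hop(local_ip, mask, gateway, dest_ip):
    """Same network ID as ourselves -> deliver on the local segment ('local');
    otherwise -> send to the configured default gateway address."""
    local_net, _ = split_address(local_ip, mask)
    dest_net, _ = split_address(dest_ip, mask)
    return "local" if local_net == dest_net else gateway

if __name__ == "__main__":
    # Constructed configuration: the text's host plus a gateway on its segment.
    host, mask, gateway = "10.1.4.250", "255.255.0.0", "10.1.0.1"
    print("IP address: ", to_binary(host))
    print("Subnet mask:", to_binary(mask))
    print("network/host:", split_address(host, mask))
    for dest in ("10.1.200.7", "10.2.4.250"):
        print(f"{dest} -> {next_hop(host, mask, gateway, dest)}")
```

A mis-typed mask is a common cause of "it pings but nothing else works" problems: with a mask that is too wide, a host treats remote destinations as local and never sends them to the gateway, so the check in `split_address` is worth keeping in any tool that reads interface configuration.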
Once a packet of data reaches the appropriate computer, the computer needs a way to determine what to do with the data. Computers can, of course, perform a number of different functions simultaneously, and keeping track of the associated network traffic can be complex. For example, suppose that you're surfing a Web site in one window, while opening a Microsoft Word document from a file server in another window. You've got two kinds of traffic coming back to your computer: the data that makes up the Web page you're trying to view, and the data that makes up the Word document you're trying to open. How does your computer know that Internet Explorer should get the first pieces of data, while Microsoft Word should get the other pieces?
The answer is port numbers. A port number is almost like an IP address for a specific application on your computer. When your computer sends data, it sends the data to an IP address, which represents the destination network and host, and to a specific port number, which represents the application on the destination computer. Requests for Web pages, for example, are usually sent to port 80. IANA steps in again by keeping track of the port numbers used by different network applications, and ensuring that at least the most common applications all have a unique port number to prevent global confusion. When a Windows computer receives data, it examines the port number to see which application should receive the data.
Ports become especially important in the security realm. Many companies, for example, invite the public to browse their Web servers, and perhaps allow the public to access an FTP server to download files. On the other hand, companies usually don't want the public to have access to the company's file servers, network printers, database servers, and other network resources. Because each of these functions uses a different port number, port numbers can become a means of filtering traffic and securing the network. Network devices called firewalls, or firewall software such as Internet Security and Acceleration Server, can allow traffic to come into the network on specific port numbers, while blocking traffic on other port numbers.
→ For more information about Internet Security and Acceleration Server's features, see "Technology Capabilities," p. 324
IANA defines port numbers from 0 to 1023 as the well-known ports. Windows includes a list of some of these ports in a text file named services, which is located under the Windows installation directory in System32\Drivers\Etc\. IANA also registers port numbers above 1023, although there is a greater possibility of multiple applications using the same port number in that range. The services file, for example, lists a number of ports over 1023 that are in common use.
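The services file format and the port-based filtering described above, as an added example (illustrative code, not a Windows component and not from the original text). The file excerpt follows the layout of the real file but is constructed for the example, as are the connection attempts and the choice of which ports are public.

```python
# Added example: parse the services-file format (name, port/protocol, aliases,
# comment) and apply a firewall-style allow-list to sample connection attempts,
# reporting denied attempts by service name. All sample data is constructed.
from collections import namedtuple

Service = namedtuple("Service", "name port proto aliases")

# Constructed excerpt in the layout of System32\Drivers\Etc\services:
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
ftp                21/tcp
http               80/tcp    www www-http        #World Wide Web
kerberos           88/tcp    krb5 kerberos-sec   #Kerberos
netbios-ssn       139/tcp                        #NETBIOS session service
microsoft-ds      445/tcp
ms-sql-s         1433/tcp                        #Microsoft-SQL-Server
"""

def parse_services(text):
    """Return {(port, proto): Service} for every well-formed line; comments,
    blank lines and malformed entries are skipped rather than guessed at."""
    table = {}
    for raw in text.splitlines():
        line = raw.partition("#")[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_text, _, proto = fields[1].partition("/")
        try:
            port = int(port_text)
        except ValueError:
            continue
        if not 0 <= port <= 65535:
            continue
        proto = proto.lower()
        table[(port, proto)] = Service(fields[0], port, proto, fields[2:])
    return table

def is_well_known(port):
    """IANA's well-known range is 0-1023; everything above is registered or dynamic."""
    return 0 <= port <= 1023

def filter_connections(services, allowed_ports, attempts):
    """Allow-list filter: each attempt is (src_ip, dst_port, proto). One record
    is returned per attempt so denied traffic can be logged with a readable name."""
    results = []
    for src_ip, port, proto in attempts:
        svc = services.get((port, proto.lower()))
        results.append({
            "src": src_ip,
            "port": port,
            "service": svc.name if svc else "unknown",
            "well_known": is_well_known(port),
            "action": "allow" if port in allowed_ports else "deny",
        })
    return results

# Constructed inbound attempts: a Web visitor, an FTP download, and two probes
# at file-sharing and database ports that should never be reachable publicly.
ATTEMPTS = [
    ("198.51.100.7", 80, "tcp"),
    ("198.51.100.7", 21, "tcp"),
    ("203.0.113.9", 445, "tcp"),
    ("203.0.113.9", 1433, "tcp"),
]
PUBLIC_PORTS = {80, 21}

if __name__ == "__main__":
    for r in filter_connections(parse_services(SAMPLE_SERVICES), PUBLIC_PORTS, ATTEMPTS):
        print(f"{r['action']:5} {r['src']:>14} -> {r['port']:5} ({r['service']})")
```

The lookup table only names a port; it does not prove what is listening there, so a filter should key on the port and protocol, as above, and treat the service name as a label for the log entry rather than as a trust decision.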
Windows provides a number of core network services that are required for the smooth operation of any larger network (although especially small networks with a handful of computers can get by without them). These services are provided by optional components that are included with every Windows server platform, although none of them are installed by default. These core network services include name resolution services, IP configuration services, and routing and remote access services.
Name resolution services are important to any network. While it's all well and good for computers to address one another using IP addresses such as 192.168.50.67, we humans work better with meaningful names, such as ServerA. Name resolution services enable users to utilize meaningful names for servers and other network resources, while giving computers a way to translate (or resolve) those names into the IP addresses needed for network communications. Windows includes two different name resolution services: the Domain Name System, or DNS, and the Windows Internet Naming Service, or WINS.
DNS services are provided by computers running a DNS server. Windows operating systems are compatible with almost any industry-standard DNS server, including those running on Unix operating systems. Windows does include its own DNS server software, which you can install on any Windows 2000 or Windows .NET server operating system.
What's the difference between WINS and DNS? WINS is used to resolve computers' names to IP addresses, and "names" in this case refers to the specific, Microsoft-style (NetBIOS) computer names used by Windows operating systems. DNS, on the other hand, is more universal and is used to resolve host names. In a Windows environment there might not seem to be much difference, since the two names are usually the same. Windows 2000 and later, however, are designed to rely primarily on DNS services, as Microsoft is slowly phasing out the use of (and need for) WINS.
The IP configuration of every computer on your network must include the IP address of at least one DNS server. You can't use the name of the DNS server, since there would be no way to resolve that name to an IP address without a DNS server; providing an IP address prevents a catch-22 in the IP configuration. Once configured with the IP address of a DNS server, Windows 2000 and higher computers will use that DNS server to try to translate names to IP addresses. For example, if you use Internet Explorer to visit http://www.braincore.net, your computer will contact the DNS server to resolve that name to an IP address.
The Internet's DNS system is hierarchical. At the top level of the hierarchy are the top-level domains, or TLDs. Various contractors run the Internet's official TLD DNS servers, which provide references to other servers in the hierarchy. For example, let's say you used a computer on your corporate network to try to contact http://www.braincore.net. Your corporate DNS server wouldn't have an entry for www.braincore.net, and would instead (after learning from a root server which servers handle .net) contact a DNS server that was authoritative for the .net TLD. The .net TLD server would know the IP address of a server that was authoritative for the braincore.net domain, and that server would be able to provide an IP address for the host named www in that domain. This process of referring name resolution requests down the hierarchy minimizes the burden on any one DNS server in the system, and enables the overall DNS system to be more flexible.
Windows utilizes a special DNS feature called Dynamic DNS, or DDNS. Whenever a Windows 2000 (or higher) computer starts, it contacts its configured DNS server and provides its computer name and current IP address. The DNS server updates its database to reflect the change. DDNS enables computers to dynamically update the DNS server with the latest IP addressing information, and enables the DNS server to provide accurate name resolution services on dynamic, constantly changing networks.
To help distribute the workload of name resolution in a large environment, you can configure secondary servers and caching servers. A secondary server doesn't contain its own database, but instead transfers the DNS database from a designated primary DNS server. Secondary servers are good for providing name resolution services, but they cannot always accept dynamic DNS updates (some types of secondary servers can accept updates and send them along to their primary server). Caching DNS servers don't even transfer a copy of the DNS database. Instead, when they receive a name resolution request, the caching server contacts a regular DNS server to complete the resolution. The caching server then saves the IP address, and uses the saved (or cached) information to satisfy future requests for the same name. Cache entries eventually expire, forcing the caching server to re-resolve the name and obtain the most recent IP address.
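The referral chain (root, then .net, then braincore.net) and the cache expiry described in the two preceding paragraphs, as an added example (illustrative code, not part of the original text and not the Windows DNS server). The in-memory hierarchy, the server names, the address 192.0.2.10 (a documentation range) and the 300-second TTL are all constructed for the example; real DNS messages, record types and glue records are simplified away.

```python
# Added example: a toy iterative resolver that follows referrals down a
# constructed hierarchy, plus a caching front end whose entries expire at TTL.
import time

def _fqdn(name):
    """Normalise to a lower-case, dot-terminated name so suffix matching works."""
    return name.lower().rstrip(".") + "."

# Constructed hierarchy: each server serves one zone and either answers for
# names it holds records for or refers the asker to a delegated zone's server.
SERVERS = {
    "root-server":    {"delegations": {"net.": "net-tld-server"}, "records": {}},
    "net-tld-server": {"delegations": {"braincore.net.": "braincore-ns"}, "records": {}},
    "braincore-ns":   {"delegations": {}, "records": {"www.braincore.net.": ("192.0.2.10", 300)}},
}

def query(servers, server, name):
    """One question to one server. Returns ('answer', ip, ttl),
    ('referral', next_server) or ('nxdomain',)."""
    data = servers[server]
    if name in data["records"]:
        ip, ttl = data["records"][name]
        return ("answer", ip, ttl)
    best = None  # longest matching delegation wins, as with real zone cuts
    for zone, next_server in data["delegations"].items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, next_server)
    return ("referral", best[1]) if best else ("nxdomain",)

def resolve_iteratively(servers, name, max_hops=8):
    """Start at the root and follow referrals; return (ip, ttl, servers asked).
    The hop limit stops a mis-delegated loop from running forever."""
    name = _fqdn(name)
    server, trail = "root-server", []
    for _ in range(max_hops):
        trail.append(server)
        reply = query(servers, server, name)
        if reply[0] == "answer":
            return reply[1], reply[2], trail
        if reply[0] == "nxdomain":
            raise LookupError(f"{name} does not exist (asked {trail})")
        server = reply[1]
    raise LookupError(f"gave up after {max_hops} referrals for {name}")

class CachingResolver:
    """Serves repeated requests from cache until the answer's TTL runs out,
    then re-resolves so a changed address is picked up."""
    def __init__(self, servers, clock=time.monotonic):
        self.servers, self.clock, self.cache = servers, clock, {}

    def lookup(self, name):
        """Return (ip, source) where source is 'cache' or 'upstream'."""
        name = _fqdn(name)
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], "cache"
        ip, ttl, _ = resolve_iteratively(self.servers, name)
        self.cache[name] = (ip, self.clock() + ttl)
        return ip, "upstream"

if __name__ == "__main__":
    ip, ttl, trail = resolve_iteratively(SERVERS, "www.braincore.net")
    print(f"{ip} (ttl {ttl}s) via {' -> '.join(trail)}")
    resolver = CachingResolver(SERVERS)
    print(resolver.lookup("www.braincore.net"))   # upstream on first use
    print(resolver.lookup("www.braincore.net"))   # served from cache
```

Injecting the clock makes the expiry behaviour testable without waiting; the same pattern is useful when you need to reason about how long a stale (or poisoned) cache entry would keep being served after a record changes.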
Windows's DNS server software enables you to store the DNS data in a regular text file or in Active Directory. By selecting Active Directory, you have the option to install DNS on any domain controller. You also get the advantages of Active Directory's fault tolerance, providing you with a quick recovery solution in case a DNS server fails: simply install DNS on another domain controller, which can use the DNS information that's already in Active Directory.
WINS works a lot like DNS, but for a slightly different reason. Prior to Windows 2000, Windows computers relied on a networking protocol named NetBIOS. NetBIOS requires each computer to have a unique computer name, and WINS provides a name resolution service that translates NetBIOS computer names into IP addresses. DNS requires a unique name, too, but only within a particular domain. For example, DNS allows a computer named "Client1" to exist within the braincore.net domain and another within the microsoft.com domain; WINS, however, is a flat naming space and requires all computers on the network to have unique names. WINS therefore isn't used on the global Internet like DNS is, but only on local private networks.
Windows 2000 (and higher) still uses NetBIOS names for backward compatibility, although an all-2000 or higher network doesn't require WINS. Windows 2000 and Windows .NET server operating systems still include a WINS server component, providing you with the capability to support older clients that still rely on WINS. Microsoft is gradually phasing out the use of NetBIOS, and relying on DNS to provide name resolution services, rather than the proprietary WINS service.
One unique feature of WINS is the capability to replicate between WINS servers. This feature enables you to deploy multiple WINS servers on your network, and effectively allow them to share a database, because the WINS servers can communicate with each other and exchange information on new or updated IP address mappings.
On a small network, configuring the IP addresses, subnet masks, default gateway, DNS, and WINS servers for each computer on the network is no big deal. For large networks with hundreds or thousands of computers, though, manual IP configuration is time-consuming and error-prone. The TCP/IP protocol suite includes a protocol named the Dynamic Host Configuration Protocol, or DHCP. DHCP is designed to enable client computers to dynamically request IP configuration information from a DHCP server. The DHCP server, in turn, can be configured with the necessary IP configuration information. The DHCP server tracks the IP addresses it issues, ensuring that no address is issued more than once. The DHCP server can also issue DNS and WINS server addresses, and can also configure each client computer with the correct default gateway for its network segment.
Windows server operating systems include an optional DHCP Server service, which is capable of supporting clients on multiple network segments from a single server.
Routing and Remote Access
Windows servers include the Routing and Remote Access Service (RRAS), which enables a Windows server to act as a software-based network router, virtual private network (VPN) server, and dial-up server. The RRAS software is installed on Windows by default, but isn't configured to perform any functions. Most administrators rely on RRAS as a VPN server, either to securely connect two office networks across an Internet connection, or to accept incoming VPN connections from employees who have their own Internet connections. Administrators also rely on RRAS to provide dial-up access for company employees.
Perhaps the most important function served by a network operating system is security. Windows operating systems include technology for very high-end security:
The NTFS file system provides the capability to assign specific access rights to individual user accounts or to group accounts.
Individual Windows computers can maintain their own database of user and group accounts, or can join a domain and assign access rights to domain user and group accounts.
Windows includes support for IPSec, a security protocol that addresses security at the network (IP) layer, beneath the applications and transports that use it. IPSec can be used to automatically encrypt certain kinds of traffic, encrypt traffic between specific computers, and so forth. For example, if your company has a file server that contains confidential information, you can configure IPSec on the server so that it only accepts connections from workstations that can negotiate an encrypted connection, thus preventing any data from being transferred in an unencrypted form that could be subject to electronic eavesdropping.
Windows computers can be configured to require long, complex passwords for user accounts. Longer, more complex passwords are more difficult for intruders to guess. Other password policies can require users to change their passwords frequently, use unique passwords each time they select a new password, and lock out a user account if it appears that an intruder is trying to repeatedly guess the correct password.
Windows 2000 (and higher) computers natively use the Kerberos authentication protocol, which not only enables servers to ensure that users are correctly identified, but assures users that they are actually connecting to the server they intended to connect to (and not a server that is masquerading as the intended server, with the intent of tricking the user into divulging confidential information).
Windows contains a built-in application programming interface for data encryption, called the CryptoAPI. This interface makes it easier for developers to create applications that utilize data encryption techniques to protect data.
The NTFS file system provides support for the Encrypting File System (EFS), which enables users to encrypt files and then continue to transparently access the files as if they were not encrypted. Other users are unable to access encrypted files. In order to protect corporate information from being lost, EFS provides data recovery capabilities for authorized administrators who need to decrypt data which has been encrypted by a corporate user.
One of Windows's most public shortcomings is the number of high-profile security flaws which have been found in the product. Microsoft typically moves quickly to release a patch, or hot fix, that corrects the problem. The trick is to keep up with all of the latest fixes. One way is to regularly visit the Microsoft security Web site at http://www.microsoft.com/security. The Web site also allows you to sign up for email notifications of new security alerts and the availability of corrective hot fixes.
Another perceived security flaw with Windows 2000 and earlier versions is that the operating system's default configuration is relatively insecure. Microsoft's goal was to make the operating system easy to configure and administer, which necessarily means activating features which can potentially be exploited by hackers. Microsoft has reversed its philosophy with Windows .NET Server 2003, which provides a much more secure default configuration. The tradeoff is complexity: In order to use many of Windows .NET Server 2003's features, additional configuration or installation is required, since many more optional features (such as IIS) are disabled by default to prevent them from being used as a security "hole."
The various .NET Enterprise Servers rely heavily on Windows's built-in security features, including NTFS file access permissions, Active Directory user accounts, Kerberos authentication, data encryption, and much more.
Windows provides the basic infrastructure for an extensible performance monitoring system. Every Windows server includes the System Monitor application, which can display real-time performance statistics, save performance information to a log over a period of time, and even generate alerts when certain performance values (which you define) are exceeded by the server. By default, System Monitor includes a number of performance objects, which each represent a major subsystem of the operating system, such as the memory subsystem or processor subsystem. Each performance object contains several performance counters, which each represent a specific performance measurement, such as processor utilization or available memory. System Monitor's capabilities can be extended through additional performance objects. All of the .NET Enterprise Servers, in fact, install additional performance objects. SQL Server, for example, installs performance objects that enable you to monitor nearly every aspect of SQL Server's operations. Exchange Server, Application Center, and all of the other .NET Enterprise Servers install at least one performance object, and many install several different performance objects to represent their different subsystems.