You are not required to have a diskette drive installed to perform an ASR backup, but you are required to have one to perform an ASR restore. You can create the ASR diskette after the Wizard completes by copying the files asr.sif and asrpnp.sif (located in the %systemroot%\Repair directory) to a diskette. If you do not have a floppy disk drive installed in your system, you will see the warning in Figure 7.58. This does not mean that the ASR process will fail; it just means that you will need to create the diskette manually later. Click OK to close the warning dialog box. If you are performing an ASR backup without using a diskette, you will next see the warning shown in Figure 7.59. Click OK to close the dialog box. Keep in mind that the ASR set contains the boot and system volumes and the system state, including the registry and the local account database, so store the backup media and the diskette as securely as you would the server itself.

286 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy

Figure 7.57 Creating the ASR Diskette
Figure 7.58 No Floppy Drive Warning
Figure 7.59 ASR Diskette Warning Message

301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 286

Performing an ASR Restore

An ASR restore is a fairly straightforward process. Boot from your original Windows Server 2003 CD-ROM. If a third-party storage driver needs to be loaded, press F6 when prompted to load the driver. To begin the ASR recovery process, press F2 when prompted, as shown in Figure 7.60. Next, you will be prompted to insert the ASR diskette into the floppy drive, as shown in Figure 7.61.

The ASR process will begin partitioning and formatting your server's boot and system partitions/volumes, as well as any other partitions or volumes that contained operating system files. This process will automatically re-create the operating system as it existed at the time the ASR set was created. Any data on those volumes that was not part of the ASR set is lost, so treat ASR as a recovery mechanism for the operating system, not as a substitute for backing up your data volumes. If the backup media that is part of the ASR set cannot be located, you will be prompted for its location. Once the ASR restore is complete, the system will reboot.

Planning for Fault Tolerance

Fault tolerance is the ability to encounter failures and continue to function.
Fault tolerance is created by using a combination of redundancy (the duplication of components or resources), efficient distribution of workload, proper planning, proper procedures, and training. When all of these are done correctly and in the right proportions, high availability is the result. To properly plan for fault tolerance, examine all of the possible areas in which a failure could occur that would affect continuous operation. The following are the most common areas of failure:

■ Hardware (disk, RAM, CPU, power supply, cooling fans, and network)
■ Infrastructure (power feeds, environmental, and wide-area communications)
■ Operational (documentation, change of media, and procedures)
■ Functional (placing too many critical processes into a failure-susceptible area)

Figure 7.60 Text-Mode ASR Prompt
Figure 7.61 Insert the ASR Diskette Prompt

One fault-tolerance-related phrase you may have heard before is five nines, a reference to the larger scale of nines measure of computer system availability, first developed by Jim Gray. The scale of nines expresses availability as the percentage of uptime per year, named by the number of nines in that percentage; each additional nine cuts the downtime allowed per year by a factor of ten. Five nines refers to an achievable level of reliability in the middle of the scale. Table 7.2 shows the amount of downtime each level of "nines" allows per year.
Table 7.2 The Scale of Nines and What Five Nines Means

Name          Percentage of Uptime per Year   Effective Downtime per Year
One nine      90%                             36 days, 12 hours
Two nines     99%                             3 days, 15 hours, 36 minutes
Three nines   99.9%                           8 hours, 45 minutes, 36 seconds
Four nines    99.99%                          52 minutes, 34 seconds
Five nines    99.999%                         5 minutes, 15 seconds
Six nines     99.9999%                        31.5 seconds
Seven nines   99.99999%                       3.2 seconds
Eight nines   99.999999%                      0.32 second
Nine nines    99.9999999%                     0.03 second

Five nines reliability is commonly discussed because it is possible to achieve with current technology. The primary factor with the scale of nines is cost. Higher levels of availability are becoming possible to achieve, but they usually come at a steep price.

Network Fault-Tolerance Solutions

One area of component failure is the network interface. If a system has one interface to a network, and a component of that interface fails (the switch, the cable, or the NIC), the whole interface fails. As a result, it is a good idea to build redundancy into your network interfaces. Several manufacturers sell NICs that have two or more ports. Note that two ports on the same card still share that card, its bus slot, and its driver; to protect against the card itself failing, use ports on two separate cards, ideally connected to two separate switches. Using the appropriate drivers, these cards usually support either a failover configuration or a load-balanced configuration, which work as follows:

■ Failover Keeps one port idle and waiting, while the other port(s) handle communications. If a component of that interface fails, the idle port comes online and takes over for the failed port. A failover configuration can be used with switches or nonswitched network hubs.
■ Load-balanced configuration Uses multiple ports simultaneously and spreads the communication load among the ports. In the event of an interface failure, the communications
load is reassigned to the remaining active ports. A load-balanced configuration yields higher availability and performance but can be used only in conjunction with higher-end intelligent switches.

Some network topology issues can affect network availability as well. When designing a network, keep in mind all of the potential failure points, including routers, switches, bridges, and wide area network (WAN) components.

In all but the smallest networks, it is a good idea to have redundant functionality for critical services. If you are using AD, make sure that you have more than one domain controller and DNS server. If you are using WINS, create a secondary WINS server and have it replicate with the primary WINS server. If you are using DHCP, create a secondary DHCP server for each subnet and configure each with the appropriate scopes. Because Windows Server 2003 DHCP servers do not share lease information, give each server a non-overlapping portion of the subnet's address range (the common 80/20 split) so that the two servers never hand out the same address. Following these guidelines will help ensure continued operation of these services in the event of failures.

Internet Fault-Tolerance Solutions

Many of the Internet fault-tolerance solutions are the same as general network fault-tolerance solutions, but there are a few extra considerations.

Network Load Balancing (NLB), discussed in the previous chapter, is a set of features included with all editions of Windows Server 2003 that can increase the redundancy, performance, and availability of Web sites.

Most medium and large networks access the Internet through a proxy server. If your environment includes a proxy server, consider building redundancy into it; a secondary proxy server may be in order.

The actual communication circuits and Internet Service Providers (ISPs) are other potential points of failure. It is common for large companies and organizations to have multiple WAN circuits and even circuits to more than one ISP. This increases cost but also reduces the likelihood of a communications failure in an area usually outside your control. When ordering a second circuit, ask for a physically diverse path; two circuits that share the same conduit or the same carrier facility will fail together.

Disk Fault-Tolerance Solutions

The most common hardware component that fails is the hard drive.
Even though modern disk drives commonly operate for months or years without incident, failure is a given. As a result, disk fault-tolerance solutions are some of the most well-developed and reliable technologies, and they employ some of the oldest and simplest techniques. These solutions were discussed earlier in Chapter 5.

Server Fault-Tolerance Solutions

The server is our final point of consideration for fault tolerance. There are two basic methods for introducing fault tolerance on a server: hardware redundancy and clustering (a form of virtualization, in that clients see a single virtual server rather than the individual nodes). Clustering was covered earlier in Chapter 6.

Modern server hardware is designed around increasing performance and reliability. Higher-end (more complicated and expensive) servers often include many built-in redundancy features. It is possible to find servers that support spare RAM and CPUs, redundant power supplies and cooling fans, built-in hardware RAID support, and many other features integrated into the basic system. In addition, many components in modern higher-end servers are hot-swappable, meaning the power does not need to be turned off in order to remove or replace the component.

Another hardware component that is often overlooked but is easily acquired and implemented is a redundant power source. Ideally, you want duplicate power sources all the way back to duplicate utility companies, but that is usually not possible. What is possible is the installation of an Uninterruptible Power Supply (UPS) and the software to communicate with it, so that the server can shut down cleanly before the battery is exhausted. Size a UPS by the amount of power it must provide and the length of time it must run on battery. The more equipment on a UPS or the longer the required runtime, the "larger" the UPS must be. If a server has redundant power supplies, feed each supply from a different UPS or circuit; plugging both into the same UPS leaves the UPS as a single point of failure. In very large environments, consider multiple UPSs operating in parallel (never "daisy-chain" UPSs) and possibly a backup generator.
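The scale of nines in Table 7.2 and the redundancy advice in the network, Internet and power sections above are the same piece of arithmetic. The following Python is an added example written for this chapter, not code from the book: the first part regenerates Table 7.2 from an availability figure, and the second composes component availabilities the way the fault-tolerance sections describe, so you can see how many nines a single interface path, a failover pair on one card, and a failover pair on two independent cards actually buy. The component availabilities (0.999 for a NIC, 0.9995 for a cable, 0.999 for a switch) are assumed values for illustration only, and the model assumes independent failures; components that share a card, a conduit, a UPS or a power feed are not independent and must be modelled as one component.

```python
"""Availability arithmetic for the scale of nines and for redundant components.

Added example for this chapter (not from the book).  Assumes independent
component failures, the usual reliability-block-diagram simplification.
"""
import math
from typing import Iterable

SECONDS_PER_YEAR = 365 * 24 * 3600  # non-leap year, as Table 7.2 assumes


def nines_to_availability(nines: int) -> float:
    """'Five nines' -> 0.99999."""
    return 1.0 - 10.0 ** (-nines)


def nines_achieved(availability: float) -> int:
    """Whole number of nines a given availability reaches (0.9975 -> 2)."""
    # small epsilon so 0.99999 is reported as 5 nines despite float rounding
    return math.floor(-math.log10(1.0 - availability) + 1e-9)


def downtime_seconds_per_year(availability: float) -> float:
    """Seconds per year the system may be down at the given availability."""
    return (1.0 - availability) * SECONDS_PER_YEAR


def format_downtime(seconds: float) -> str:
    """Render seconds as 'd days, h hours, m minutes, s seconds' (Table 7.2 style)."""
    seconds = round(seconds, 2)  # absorb float noise before splitting into units
    parts = []
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        whole, seconds = divmod(seconds, size)
        if whole:
            parts.append(f"{int(whole)} {unit}")
    secs = round(seconds, 2)
    if secs or not parts:
        parts.append(f"{secs:g} seconds")
    return ", ".join(parts)


def series(availabilities: Iterable[float]) -> float:
    """Components that must ALL work (NIC -> cable -> switch): multiply."""
    a = 1.0
    for x in availabilities:
        a *= x
    return a


def parallel(availabilities: Iterable[float]) -> float:
    """Redundant components where ANY one suffices (failover pair, dual ISPs,
    dual UPS feeds): the system is down only when every one of them is down."""
    unavailable = 1.0
    for x in availabilities:
        unavailable *= (1.0 - x)
    return 1.0 - unavailable


def network_path_comparison() -> dict:
    """Single interface vs. two failover designs, using ASSUMED component figures."""
    nic, cable, switch = 0.999, 0.9995, 0.999  # hypothetical values for illustration
    single_path = series([nic, cable, switch])
    # Two ports on ONE card: only the cable and switch are duplicated; the card
    # is still a single point of failure in series with the redundant pair.
    same_card = series([nic, parallel([series([cable, switch])] * 2)])
    # Two SEPARATE cards, cables and switches: two fully independent paths.
    two_cards = parallel([single_path, single_path])
    return {
        "single": single_path,
        "same_card": same_card,
        "two_cards": two_cards,
    }


if __name__ == "__main__":
    for n in range(1, 10):
        a = nines_to_availability(n)
        print(f"{n} nines  {a:.7%}  {format_downtime(downtime_seconds_per_year(a))}")
    for name, a in network_path_comparison().items():
        print(f"{name:10s} availability={a:.6f}  nines={nines_achieved(a)}"
              f"  downtime/year={format_downtime(downtime_seconds_per_year(a))}")
```

Running it reproduces the downtime column of Table 7.2 (with the seconds left unrounded, so four nines prints 33.6 seconds rather than 34) and shows the point of the card caveat: with the assumed figures, the single path and the two-ports-on-one-card design both stay at two nines, because the card itself caps the result at 99.9 percent, whereas two independent paths reach five nines.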
Chapter 8
Monitoring and Troubleshooting Network Activity

In this chapter:
■ Using Network Monitor
■ Monitoring and Troubleshooting Internet Connectivity
■ Monitoring IPSec Connections

Introduction

Managing a network involves a great deal of planning, design, and implementation. Even the most efficient networks require analysis and monitoring to validate the network design. Once your network is implemented, you will need to establish baselines for network activity, be prepared to recognize abnormal behavior, diagnose unexpected changes, and troubleshoot problems with your network. Understanding your network will also provide you with the information necessary to plan for growth, by examining trends and identifying the effects of adding hosts.

As challenging as it is to manage a regular local area network (LAN), we are expanding our scope of responsibility by allowing access to the Internet, and by allowing our employees to access our networks from their homes, other businesses, and even hotels and coffee houses. You spent all that time and effort to create a secure and reliable environment, and now you have clients transmitting company data from networks about which you know nothing. That fact alone makes it imperative that you implement strong security policies to protect against loss of corporate data, and that you understand how to support and monitor the traffic in and out of your LAN from the Internet. It also places a burden on you to provide highly available and fast Internet access to support the telecommuters and any other remote clients that use the Internet to reach the corporate LAN.

Due to the ever-growing complexity of network design, and the large quantity of data flowing across today's networks, we must understand the traffic and the tools that we use to capture and analyze it. One of the most valuable tools we have at our disposal is Network Monitor.

301_BD_W2k3_08.qxd 5/11/04 5:06 PM Page 291

In this chapter, you will become familiar with Network Monitor and learn how to use it to view your network traffic and extract information about it. Network Monitor is a great tool for understanding and troubleshooting connectivity problems. We will discuss the identification and resolution of Internet connectivity problems, focusing on Network Address Translation (NAT), name resolution, and IP addressing issues. In addition to troubleshooting and monitoring regular network traffic, we will also look at monitoring network traffic that is encrypted. IP Security (IPSec) is based on open standards and provides authentication, integrity, and (optionally) encryption of data at the IP layer. We will discuss how to use the IP Security Monitor console to monitor and troubleshoot IPSec connections on your network.

Using Network Monitor

As a network administrator, you are tasked with understanding your network. One of the primary functions of the network is the reliable delivery of data. In addition to reliability, you must provide security and ensure that the data is accessible only by those who are intended to receive it. Network Monitor provides network administrators with a window on the information being delivered over the network. Network Monitor captures the frames of data as they are delivered over the wire, time-stamps them, and provides statistical data about those frames. After you have captured the frames, Network Monitor decodes the headers and provides an easy-to-read summary of the type of packet, the source, the destination, and, if the data is not encrypted, the data in the packet as well. Remember that this is exactly what an attacker with a capture tool sees too: cleartext protocols expose passwords and data to anyone who can capture on the segment, which is why capturing is restricted to local administrators and why encrypting traffic with IPSec matters. In this section we will install Network Monitor. After we install Network Monitor, we explain the general layout of the main console, and then look at some captured frames.
We look at how to filter captured data by setting capture filters and capture triggers, and then view more concise data using display filters.

Installing Network Monitor

There are two versions of Network Monitor. The full-featured version ships with Microsoft Systems Management Server (SMS); it can capture all traffic on a network segment, not just frames to and from the local machine, and can capture from remote computers. The limited version is included with the operating system but is not installed in Windows Server 2003 by default; it captures only frames sent to or from the computer on which it runs. Installing Network Monitor is actually a simple task; it is installed as a Windows Component via Add or Remove Programs. Use the following steps to install Network Monitor. During the installation, the Network Monitor driver is installed automatically.

Install Network Monitor

You will need the Windows Server 2003 product disc during the installation. It will be helpful to have other machines available to you after the example is complete, to generate network traffic and perform the captures.

1. Navigate to Control Panel | Add or Remove Programs. The Add or Remove Programs dialog is displayed.
2. Select Add/Remove Windows Components from the shortcut bar.
3. The Windows Components Wizard is displayed (see Figure 8.1).
4. Select the item Management and Monitoring Tools as shown in Figure 8.1, and click the Details button.
5. The Management and Monitoring Tools dialog is shown as in Figure 8.2. Click the check box next to Network Monitor Tools and click OK.
6. The Windows Components Wizard is displayed again (see Figure 8.3), this time with the check box next to Management and Monitoring Tools checked and gray.
7. Click Next to apply the changes and install the necessary software components. You will see what appear to be several components that you did not choose listed in the status messages above the progress bar in Figure 8.4. This is part of the routine and there is no need for alarm.
Only the necessary components for Network Monitor will be installed.

Figure 8.1 Windows Components Wizard
Figure 8.2 Management and Monitoring Tools

8. During the installation process, if the installation files for Windows Server 2003 are not accessible on the machine or over an existing network connection, you will be prompted for the Windows Server 2003 setup disk as shown in Figure 8.5. If the installation files are located on the hard disk or a network share, you should still click OK; you will then be able to enter the path on the next screen.

Figure 8.3 Windows Components Wizard after Selecting the Network Monitoring Subcomponent
Figure 8.4 Configuring Components
Figure 8.5 Insert Disk

9. When the installation is complete, you will see the Completing the Windows Components Wizard message (see Figure 8.6). Click Finish.

In this example, we installed the operating-system version of Network Monitor. It is now possible to capture and view frames of data from your network, so we can become more familiar with Network Monitor and learn how to use it effectively. Let's take a look at how to capture frames. Click Start | Administrative Tools | Network Monitor. The first time you launch Network Monitor, you will see a message informing you that you must select a network to monitor, or Network Monitor will select one for you, as shown in Figure 8.7. Figures 8.8 and 8.9 show the dialog that you will use to select the network on which you will monitor traffic using this instance of Network Monitor.
If you are capturing data from multiple LANs simultaneously, you must install and configure one adapter for each network and start a separate instance of Network Monitor for each adapter. Select the network for each instance by choosing Capture | Networks and selecting the appropriate network. The network for a newly installed adapter will not be available until you restart Network Monitor.

Figure 8.6 Windows Components Wizard—Completing the Windows Components Wizard
Figure 8.7 Microsoft Network Monitor Console
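The "Using Network Monitor" section above describes what the tool does with a captured frame: decode the Ethernet, IP and transport headers, summarize source, destination and protocol, and show the payload when it is not encrypted. The following Python is an added example written for this chapter, not code from the book or from Network Monitor itself. It decodes a raw Ethernet II / IPv4 / TCP or UDP frame with the standard struct module, verifies the IPv4 header checksum as a decoder would, and produces the kind of one-line summary Network Monitor shows in its Summary pane. The sample frame is constructed inline (hypothetical addresses 192.168.1.10 and 192.168.1.20, hypothetical MAC addresses) and carries a cleartext FTP USER command, which is exactly what anyone capturing on the segment can read.

```python
"""Decode an Ethernet II / IPv4 / TCP|UDP frame into a Network Monitor style summary.

Added example for this chapter (not from the book or from Network Monitor).
The sample frame below is constructed here for illustration, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def mac_str(raw: bytes) -> str:
    """Network Monitor shows MAC addresses as 00-11-22-33-44-55."""
    return "-".join(f"{b:02X}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; caller passes the header with checksum bytes zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    checksum_ok: Optional[bool] = None
    payload: bytes = b""


def decode_frame(raw: bytes) -> Frame:
    """Parse Ethernet II, then IPv4, then TCP or UDP; anything else is left as raw payload."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    frame = Frame(mac_str(src), mac_str(dst), etype, payload=raw[14:])
    if etype != ETHERTYPE_IPV4:
        return frame  # ARP, IPv6, etc.: not decoded by this example
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < 20 or ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    frame.protocol = ip[9]
    frame.src_ip = ".".join(str(b) for b in ip[12:16])
    frame.dst_ip = ".".join(str(b) for b in ip[16:20])
    # Recompute the header checksum with the checksum field zeroed and compare.
    stored = struct.unpack("!H", ip[10:12])[0]
    frame.checksum_ok = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == stored
    l4 = ip[ihl:total_len]
    if frame.protocol == PROTO_TCP and len(l4) >= 20:
        frame.src_port, frame.dst_port = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4  # TCP header length in bytes
        frame.payload = l4[data_offset:]
    elif frame.protocol == PROTO_UDP and len(l4) >= 8:
        frame.src_port, frame.dst_port = struct.unpack("!HH", l4[:4])
        frame.payload = l4[8:]
    else:
        frame.payload = l4
    return frame


def summary(frame: Frame) -> str:
    """One line in the spirit of Network Monitor's Summary pane."""
    if frame.src_ip is None:
        return (f"{frame.src_mac} -> {frame.dst_mac}  ethertype 0x{frame.ethertype:04X}"
                f"  {len(frame.payload)} bytes")
    proto = {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}.get(frame.protocol, f"IP proto {frame.protocol}")
    line = f"{frame.src_ip}:{frame.src_port} -> {frame.dst_ip}:{frame.dst_port}  {proto}"
    if frame.checksum_ok is False:
        line += "  [bad IP header checksum]"
    if frame.payload:  # cleartext application data is visible to any capture on the wire
        line += "  data=" + repr(frame.payload.decode("ascii", errors="replace").rstrip("\r\n"))
    return line


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): FTP 'USER alice' from 192.168.1.10:1045 to port 21."""
    payload = b"USER alice\r\n"
    # src port, dst port, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum (unused here), urgent
    tcp = struct.pack("!HHIIBBHHH", 1045, 21, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_zero = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                          bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    ip = ip_zero[:10] + struct.pack("!H", ipv4_checksum(ip_zero)) + ip_zero[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(summary(decode_frame(build_sample_frame())))
```

The checksum check is the kind of sanity test a decoder applies before trusting a header; a mismatch usually means a corrupted or truncated capture rather than an attack, but it is worth flagging in the summary line. The FTP example is deliberate: a capture on a segment carrying FTP, Telnet or plain HTTP logons hands the credentials to whoever runs the capture, which is the reason the next section of this chapter turns to IPSec.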