zero in on problem routers, or slow connections on a route. An example of the command pathping destination address is shown in Figure 8.37. It is also possible to use pathping to trace the latency from a different source to the same destination. This provides a means for you to troubleshoot a connection on another machine, from a different client on the network. The command for specifying a different source address is pathping -i <IP address of source> destination address. It can also provide a means for you to monitor a specific set of links in the route, which may reduce the overall time to perform the trace. Pathping command line options are case sensitive.

Network Access Quarantine Control

Internet Authentication Service (IAS), combined with the Remote Authentication Dial-In User Service (RADIUS) protocol and RRAS, provides a new function called Network Access Quarantine Control (NAQC). The primary function of NAQC is not to provide additional security, but to help protect your network from improperly configured clients that access your network using Virtual Private Networking (VPN). A perfect example of using NAQC would be ensuring that a client has the correct version of virus scan software, with the latest virus definitions, and also enabling the software if it is currently disabled, all before allowing the client to access any other network resources. The basic components involve all the services previously listed: RRAS, with MS Quarantine IPFilter and remote access policies such as MS Quarantine Session Timeout, and RADIUS with IAS. The client components of NAQC are a Connection Manager (CM) profile, which can be distributed with a CM policy from the RRAS servers, and a script using the client component RQC.exe. The remaining server components consist of the resources necessary to provide name resolution, script and file access, and the service component RQS.exe, which is installed on the RRAS server.
Figure 8.37 Results of pathping (figure not reproduced)

Chapter 8 • Monitoring and Troubleshooting Network Activity

Generally, NAQC functions as follows: a client using a CM profile that carries the quarantine policy connects to an RRAS server with quarantine capabilities, configured with the MS Quarantine IPFilter and MS Quarantine Session Timeout policies. The RRAS server forwards the RADIUS access request to the IAS server, which validates the user credentials and matches the quarantine policy. The IAS server provides a quarantine-restricted access acceptance via RADIUS that allows the client limited access to network resources such as obtaining an IP address, DNS access for name resolution, and the attributes that are part of the quarantine policies. Once the client has an IP address and policies, the client is restricted to accessing resources that match the quarantine filters, and only for the time allotted in the MS Quarantine Session Timeout policy.

The script is executed on the client by the CM profile, and is used to verify that the client configuration meets the requirements of the network policies. Once the verification is complete, the script executes rqc.exe with the necessary command line settings, which sends an unencrypted, unauthenticated notification to the rqs.exe service on the RRAS server. The rqs traffic is allowed to pass through the RRAS filters, since it is defined in the RRAS IPFilter settings with the MS Quarantine IPFilter attributes. Rqs then verifies the information and parameters passed from rqc, one of which is the script version passed on the rqc command line. If the client meets the requirements, RRAS gets a notification from rqs that the client is valid, and subsequently lifts the MS Quarantine IPFilter and MS Quarantine Session Timeout policy restrictions and allows the client normal access to the LAN.
Once this process is complete, the rqc component writes a message to the System event log. Unfortunately, because NAQC requires RRAS and the post-connect script in the CM profile, it cannot be used on the LAN for regular clients. You can, however, implement similar functionality in logon scripts and domain policies, since LAN clients are very likely to be using domain accounts to access the network.

DHCP Issues

DHCP is an easy way to manage IP addressing schemes for larger networks. Some of the items to consider when you implement and use DHCP include:

■ Lease time
■ Number of hosts in a scope
■ Network traffic
■ Scope options
■ Topology

When a machine acquires an IP address from a DHCP server, it acquires a lease. The request for the lease is a message called a DHCPREQUEST, which is broadcast by the DHCP client looking for DHCPOFFERs of a lease from a DHCP server. The lease duration for a DHCP address is specified in the scope set on the server and defaults to eight days. At 50 percent of the lease duration, the DHCP client sends a directed request to the DHCP server that issued the lease and requests a renewal of the lease. If no DHCPACK (acknowledgement) is received from the server, the DHCP client waits until 87.5 percent of the lease time and makes a final request to renew the IP address. If no DHCPACK is received at this point, the client waits until the lease expires and starts the process over. If a DHCP client is unable to receive an IP address lease, it will use an alternate configuration if one is specified. If there is no alternate configuration, the client will use APIPA to start the TCP/IP services and assign itself an address from the APIPA pool (169.254.0.0/16).
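The renewal timeline just described (directed renewal at 50 percent, final attempt at 87.5 percent, restart at expiry, then alternate configuration or APIPA) as a small model you can run against sample leases. This is an added example, not code from the book; the sample lease, the seed-based APIPA host selection, and the helper names are constructed for illustration.

```python
"""DHCP lease timeline and fallback addressing (added example, not from the book)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

APIPA_POOL = IPv4Network("169.254.0.0/16")
DEFAULT_LEASE = timedelta(days=8)   # Windows Server 2003 scope default from the text


@dataclass
class Lease:
    address: IPv4Address
    server: IPv4Address          # DHCP server that issued the lease
    granted_at: datetime
    duration: timedelta = DEFAULT_LEASE

    @property
    def t1(self) -> datetime:    # 50%: directed (unicast) renewal to the issuing server
        return self.granted_at + self.duration * 0.5

    @property
    def t2(self) -> datetime:    # 87.5%: final renewal attempt
        return self.granted_at + self.duration * 0.875

    @property
    def expires(self) -> datetime:
        return self.granted_at + self.duration


def client_action(lease: Lease, now: datetime) -> str:
    """What the DHCP client should be doing at `now`, following the timeline above."""
    if now < lease.t1:
        return "bound"
    if now < lease.t2:
        return f"renewing: unicast DHCPREQUEST to {lease.server}"
    if now < lease.expires:
        return "rebinding: final renewal request"
    return "expired: restart lease acquisition from scratch"


def action_after(lease: Lease, hours: float) -> str:
    """Client state `hours` after the lease was granted (wrapper for client_action)."""
    return client_action(lease, lease.granted_at + timedelta(hours=hours))


def fallback_address(alternate: Optional[str], seed: int) -> IPv4Address:
    """Address used when no lease can be obtained: the alternate configuration if one
    is set, otherwise a self-assigned APIPA address from 169.254.0.0/16.
    The host part is derived from `seed` (constructed; a real client picks it at
    random and ARP-probes for conflicts). 169.254.0.x and 169.254.255.x are avoided.
    """
    if alternate is not None:
        return IPv4Address(alternate)
    host = 256 + (seed % (254 * 256))          # 169.254.1.0 .. 169.254.254.255
    return APIPA_POOL.network_address + host


def is_apipa(addr: IPv4Address) -> bool:
    """True if a host self-configured, i.e. it never reached a DHCP server.
    Useful as an inventory check: APIPA addresses on a LAN usually mean a
    DHCP outage, an exhausted scope, or a relay agent that is not forwarding."""
    return addr in APIPA_POOL


def example_lease() -> Lease:
    """Constructed sample: lease granted 2004-05-11 08:00 with the 8-day default."""
    return Lease(IPv4Address("192.168.1.50"), IPv4Address("192.168.1.1"),
                 datetime(2004, 5, 11, 8, 0))


if __name__ == "__main__":
    lease = example_lease()
    for hours in (0, 95, 96, 167, 168, 192):
        print(f"+{hours:>3}h  {action_after(lease, hours)}")
    print("no lease, no alternate ->", fallback_address(None, 7))
```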
To determine the appropriate lease time for your network, consider the following:

■ Number of hosts If the number of hosts is close to the total number of IP addresses in your DHCP server's scope, the lease should be shorter, about three days. If there are a great deal more IP addresses than hosts, a longer lease can be assigned.
■ Mobile users If you have a small number of mobile users and the client machines do not frequently move from one network to another, a longer lease duration is recommended; conversely, if you have more mobile users, a shorter lease is preferred so that IP addresses are released sooner and return to the available pool of addresses.
■ Unlimited It is possible to set the lease duration to unlimited, but it presents a challenge if you wish to change the DHCP settings, since this setting requires the client to initiate the DHCPREQUEST.

Because they are broadcast, DHCPREQUEST messages do not cross router boundaries unless the router is capable of forwarding DHCP broadcast messages in compliance with RFC 2131. You can also configure a DHCP Relay Agent to forward the requests to a DHCP server. Using DHCP can reduce IP address conflicts by removing the need for static IP addresses. It can also eliminate invalid subnet masks, since they are assigned by the DHCP server as well. Another advantage is scope properties. By assigning scope properties, you can define default gateways, DNS servers, WINS servers, and the type of name resolution that is preferred. By managing name resolution settings, you can help eliminate broadcast traffic.

Monitoring IPSec Connections

The connections established using the IPSec protocol are end-to-end connections, and are sometimes difficult to troubleshoot.
Often the problems are related to connectivity of the networks over which the IPSec connection is established. There are also many different policies that can be applied, with different effects depending on whether they are applied by the domain the machines are members of or by the policies that exist on the local computer. The network traffic is also a challenge, since it is responsible for delivering the data between the destinations. In this section, we discuss the different methods of obtaining useful information about IPSec connections and their settings.

IPSec Monitor Console

Information about IPSec traffic can be obtained using several different methods. One of the simplest is the IPSec Monitor console. IPSec Monitor gives you information about the domain and computer policies that are applied to the machine you are monitoring. In addition, it gives you main mode and quick mode statistics and filters. Most often, you will use IPSec Monitor on the machine you are troubleshooting; however, it is possible to connect to a remote computer and view its IPSec policies and settings using the IPSec Monitor snap-in. IPSec Security Monitor allows you to watch for developing trends of security and authentication failures. This helps you identify policy conflicts for specific IPSec tunnels. You can also determine the volume of traffic, the policies and associations, and how they are distributed. You can also compare the ESP packets with the total packets to identify potential holes in the security of the transmitted data and correct the security policies on the affected machines.
Network Monitor

The Network Monitor software that is part of Windows Server 2003 includes all the necessary protocol parsers for Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), IP Authentication Header (AH), and IP Encapsulating Security Payload (ESP). The ESP parsers only function if null encryption is being used and the entire ESP packet is captured. Network Monitor cannot parse the encrypted portions of ESP traffic encapsulated by IPSec unless encryption is being performed by an IPSec hardware offload network adapter. In that case the packets are decrypted by the hardware, so the ESP packets are already decrypted when Network Monitor captures them, and the Network Monitor parsers can interpret the data for the upper-layer protocols.

Netsh

IPSec packet event logging can be enabled using the netsh command line utility. The command is netsh ipsec dynamic set config ipsecdiagnostics Level, where Level is a whole number between 1 and 7. The option values are listed in Table 8.2. To see dropped packet events, you must set the logging level to 7. The change is written to the registry and does not take effect until the next reboot, when the IPSec driver reads the registry on startup. The registry value that contains the logging level is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\EnableDiagnostics, a DWORD whose value is a whole number between 1 and 7. All the events defined for the specified log level are written to the System event log once every hour, or when the event buffer is full and must be written to the log.
Table 8.2 Log Level Options for IPSec Driver Using Netsh

Log level   Effective logging
1           Total number of incorrect Security Parameters Index (SPI) packets
2           Inbound only per-packet drop events
3           Combined effect of level 1 and 2 logging is enabled, as well as any unexpected plaintext packets (clear-text events) inbound or outbound
4           Outbound only per-packet drop events
5           Combined effect of level 1 and 4 logging is enabled
6           Combined effect of level 2 and 4 logging is enabled
7           All logging levels are enabled

The logging occurs at regular intervals based on the LogInterval setting in the registry, located in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\. You can set this value by using the registry, or by the preferred method of using netsh ipsec dynamic set config ipsecloginterval Interval, where Interval is the number of seconds between event log writes. The recommended value of the Interval parameter for troubleshooting is 60 seconds, which is also the minimum value. You can set the interval as high as 86400 seconds, which is equal to 1440 minutes or 24 hours. You can view information about IPSec policies using either the netsh ipsec static show command or the netsh ipsec dynamic show command.

Ipseccmd

The command line tool Ipseccmd is used to script the creation of IPSec policy and to display active SAs and policy assignments. Ipseccmd is no longer supported on Windows Server 2003 and its functionality is replaced by netsh. All IPSec-specific functionality is present in the netsh utility. You can view information about IPSec policies using either the netsh ipsec static show command or the netsh ipsec dynamic show command.

Netdiag

Although Netdiag.exe can still be used to obtain information about networking, Windows Server 2003 no longer uses the netdiag /test:ipsec option; it has been removed and replaced with the netsh commands for IPSec.
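Returning to the Netsh section: the levels in Table 8.2 combine like a bitmask (1 = bad-SPI totals, 2 = inbound drops, 4 = outbound drops, with clear-text events added at level 3 and everything at level 7), and the interval has a documented range of 60 to 86400 seconds. The following is an added example, not code from the book, that decodes a level, validates an interval, emits the netsh commands quoted above, and compares the resulting registry DWORDs against values read from a host; the `actual` dictionary and all function names are constructed for illustration, and the bitmask reading of the table is this example's generalization.

```python
"""IPSec driver diagnostics: decode Table 8.2 levels and audit the registry
settings the netsh commands write (added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, List

IPSEC_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec"
MIN_INTERVAL, MAX_INTERVAL = 60, 86400      # seconds; 60 is also the troubleshooting value

# Reading Table 8.2 as a bitmask: levels 5, 6 and 7 are exactly 1+4, 2+4 and 1+2+4.
LEVEL_FLAGS = {
    1: "incorrect SPI packet totals",
    2: "inbound per-packet drop events",
    4: "outbound per-packet drop events",
}
CLEAR_TEXT = "unexpected plaintext (clear-text) packets, inbound or outbound"


def is_valid_level(level: int) -> bool:
    return 1 <= level <= 7


def is_valid_interval(seconds: int) -> bool:
    return MIN_INTERVAL <= seconds <= MAX_INTERVAL


def decode_level(level: int) -> List[str]:
    """Event classes the IPSec driver reports at `level`, following Table 8.2."""
    if not is_valid_level(level):
        raise ValueError(f"ipsecdiagnostics level must be 1..7, got {level}")
    enabled = [name for bit, name in LEVEL_FLAGS.items() if level & bit]
    if level in (3, 7):                     # level 3 adds clear-text events; 7 enables all
        enabled.append(CLEAR_TEXT)
    return enabled


@dataclass(frozen=True)
class DiagnosticsPlan:
    level: int
    interval: int

    def netsh_commands(self) -> List[str]:
        """The two commands from the text; the level change needs a reboot to apply."""
        return [
            f"netsh ipsec dynamic set config ipsecdiagnostics {self.level}",
            f"netsh ipsec dynamic set config ipsecloginterval {self.interval}",
        ]

    def registry_values(self) -> Dict[str, int]:
        """DWORD values those commands leave under the IPSec service key."""
        return {
            IPSEC_KEY + r"\EnableDiagnostics": self.level,
            IPSEC_KEY + r"\LogInterval": self.interval,
        }


def plan(level: int, interval: int) -> DiagnosticsPlan:
    """Validate both parameters before anything is written to a host."""
    decode_level(level)
    if not is_valid_interval(interval):
        raise ValueError(f"ipsecloginterval must be {MIN_INTERVAL}..{MAX_INTERVAL}, got {interval}")
    return DiagnosticsPlan(level, interval)


def drift(expected: DiagnosticsPlan, actual: Dict[str, int]) -> List[str]:
    """Registry value names whose DWORD on the host differs from the plan.
    `actual` is constructed here; on a real host it would come from reg query."""
    return [name for name, want in expected.registry_values().items()
            if actual.get(name) != want]


if __name__ == "__main__":
    p = plan(7, 60)                          # full logging, one write per minute
    print("\n".join(p.netsh_commands()))
    for line in decode_level(p.level):
        print(" -", line)
    # Constructed host state: level applied, interval still at one hour.
    host = {IPSEC_KEY + r"\EnableDiagnostics": 7, IPSEC_KEY + r"\LogInterval": 3600}
    print("drift:", drift(p, host))
```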
Event Viewer

To view Internet Key Exchange (IKE) events in the Security log, you must enable success or failure auditing for the Audit logon events policy for your domain or workgroup, although these events are not exclusive to IPSec services. Enabling success or failure auditing causes IPSec to record the success or failure of the negotiation, establishment, and termination of each main mode and quick mode connection as events. You should be very cautious when enabling IKE events, especially if the server is exposed to the Internet or provides IPSec services to many clients. Attacks against the IKE protocol could cause the Security log to fill very quickly. IKE events can also fill the Security log on servers that use IPSec to secure traffic to many clients. To avoid this, you can disable auditing for IKE events in the Security log by modifying the registry. To view IPSec policy change events in the Security log, enable success or failure auditing on the Audit Policy Change policy under the Audit Policy node for your domain or local computer.

Active Directory Infrastructure Overview

In this chapter:

■ Introducing Directory Services
■ Understanding How Active Directory Works
■ Using Active Directory Administrative Tools
■ Implementing Active Directory Security and Access Control
■ What's New in Windows Server 2003 Active Directory?

Introduction

The Active Directory is the foundation of an enterprise-level Windows network, and Windows Server 2003 includes a number of improvements and enhancements to its directory services that will make a network administrator's job easier.
Windows Server 2003 administrators must understand the basics of how directory services work and the role they play in the network, and specifically how the directory services concept is implemented in Microsoft's Active Directory. In this chapter, we start with the basics by defining directory services and providing a brief background of the directory services standards and protocols. You'll learn how the Active Directory works, and be introduced to the terminology and concepts required to understand the Active Directory infrastructure. We discuss how the directory is structured into sites, forests, domains, domain trees, and organizational units (OUs), and you'll learn about the components that make up the Active Directory, including both logical and physical components. These include the schema, the Global Catalog (GC), domain controllers (DCs), and the replication service. You'll learn to use the Active Directory administrative tools, and we discuss directory security and access control. Finally, we provide an overview of what's new for Active Directory in Windows Server 2003.

Chapter 9 • Active Directory Infrastructure Overview

This chapter lays the groundwork for the specific Active Directory-related administrative tasks that you will learn to perform throughout the rest of the book. Even if you're very familiar with AD concepts, this chapter may still serve as a good refresher.

Introducing Directory Services

As anyone familiar with networking knows, a network can be comprised of a vast number of elements, including user accounts, file servers, volumes, fax servers, printers, applications, databases, and other shared resources.
Because the number of objects making up a network increases as an organization grows, finding and managing these accounts and resources becomes harder as the network gets bigger. To make a monolithic enterprise network more manageable, directory services are used to store a collection of information about users and resources, so they are organized and accessible across the network. A directory allows accounts and resources to be organized in a logical, hierarchical fashion so that information can be found easily. By searching the directory, users can find the resources they need, and administrators are able to control and configure accounts and resources easily and effectively. Keeping this information in a centralized location ensures that users and administrators don't have to waste time looking at what's available on each server; they only have to refer to the directory.

Any directory is a structured source of information, consisting of objects and their attributes. Those who have access to the directory can look up an object, and then view its attributes. If they have sufficient rights (as in the case of an administrator), the object can be modified. These attributes can be used to provide information that's accessible to users, or to control security at a granular level. Because a user can access account information from anywhere on the network, directory services allow a user to log on to multiple servers using a single logon.
A single logon is an important feature of directory services, because without it, a user must log on to each server that provides needed resources. This is common on Windows NT networks, where the administrator must create a different account on each server the user needs to access. The user then needs to log on to each server individually. This is significantly different from the way Windows 2000/2003's directory services work, where a user logs on to the network once and can use any of the resources to which he or she has been given access.

Sophisticated directory services give administrators the ability to organize information, control security, and manage users and resources anywhere on the network. Information resides in a central repository that's replicated to different servers on the network. It allows the data to be accessed when needed and saves the administrator from having to visit each server to manage accounts. This lowers the amount of work needed to manage the network, while providing granular control over rights and permissions. The administrator only needs to modify a user account or other object once, and these security changes are replicated throughout the network.

Directory services have been used on different network operating systems for years, and have proven to be a useful and powerful technology. Following suit, Microsoft created its own implementation of directory services on Windows NT called NTDS, and then followed with Active Directory on newer versions of servers. NTDS used a flat namespace, which provided limited functionality in comparison with Active Directory's hierarchical structure and feature set. Active Directory was first introduced in Windows 2000, and continues to provide directory services to the Windows Server 2003 family of servers. It can be installed on the Standard, Enterprise, and Datacenter Editions of Windows Server 2003, and provides a necessary foundation for any network using these servers.
NOTE
Installation of Active Directory on a Windows 2000 or Windows Server 2003 server makes that computer a DC. Windows Server 2003 Web Edition cannot function as a DC, and thus cannot have Active Directory installed.

Terminology and Concepts

Before delving too far into the specifics of Active Directory, it is important to discuss a number of concepts and terms to appreciate the features and functionality of a directory service. As with anything dealing with technology, certain words and phrases associated with Active Directory and Windows Server 2003 are useful in identifying and defining specific components of the network. Whether you're new to Active Directory or experienced from using previous versions, the information provided here will help you to understand other topics that follow in this book. In reading this section, it is important to realize that this is an overview of topics that we discuss later in greater detail. We define some of the terms used throughout this book, and look at concepts that we'll build on in later sections. Some of the terms and concepts we discuss in the following subsections include:

■ Directory data store
■ Directory partitions
■ Policy-based administration
■ DAP and LDAP
■ Naming schemes used in Active Directory

Directory Data Store

Active Directory isn't just a service that provides access to directory services; it's also a method of storing data about network elements. If you didn't have a place where configurations and directory data are saved, you'd lose this information every time you shut down your server. The data store contains a vast amount of information, including data dealing with users, groups, computers, the resources they can access, and other components of the network. Because the Active Directory data store is a database of all directory information, it is also referred to as the directory.
When you install the directory on a Windows Server 2003 server, the Active Directory data source is placed on the server's hard disk. The file used to store directory information is called NTDS.DIT, and is located in the NTDS folder in the systemroot (for example, C:\WINDOWS). Any changes made to the directory are saved to this file.

The presence of Active Directory's data store on a Windows Server 2003 server has a major impact on that server's role in the network. As shown in Figure 9.1, the directory is stored on DCs, which are servers with writable copies of the data store. A DC is used to manage domains, which are groups of computers, users, and other objects that share (or are included in) the same directory. Domains that use different Active Directory data sources can still communicate with one another, but (as we'll see later in this chapter) secure relationships between them must be configured.

Each DC retains its own copy of the directory, containing information on the domain in which it is located. If one DC becomes unavailable, users and computers can still access the Active Directory data store on another DC in that domain. This allows users to continue logging on to the network even though the DC that's normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down. Because a domain can have more than one DC, changes made to the directory on one DC must be updated on others. The process of copying these updates is called replication, and is used to synchronize information in the directory. Without replication, features in Active Directory would fail to function properly.
For example, if you added a user on one DC, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still couldn't log on to other DCs until these changes to the directory were replicated. When a change is made on one DC, the changes need to be replicated quickly so that each DC continues to have an accurate duplicate copy of Active Directory.

Because replication is so important to making the directory consistent across the network, the data source is organized in a way that makes replication more efficient. Not every piece of data is saved in the same location of the data source. As shown in Figure 9.2, information resides in different areas of the directory, called directory partitions. Because Active Directory is a logical, hierarchical structure, it has a treelike structure similar to that of the Windows Registry or folders on a hard disk.

Figure 9.1 Relationship Between Active Directory, Domain Controllers, Member Servers, and Clients (figure not reproduced; its callouts: Active Directory is installed on all domain controllers; member servers are Windows 2000 or 2003 servers that don't have AD installed on them; clients log on to the domain through domain controllers, which use AD to authenticate users and determine access to resources; Active Directory information is replicated between domain controllers, so all have a duplicate copy of AD; if a domain controller isn't available, clients can log on to other DCs in the domain)

Data is stored within subtrees of the directory, much like data on your hard disk is stored within folders that are nested within one another. Each contiguous subtree in the directory is a partition.
Any data that changes within a directory partition is replicated as a single unit to other DCs. In Active Directory, three partitions exist on any DC and must be replicated, as these contain data that the Microsoft network needs to function properly:

■ Domain partition
■ Configuration partition
■ Schema partition

Figure 9.2 Active Directory Is a Hierarchical Structure (figure not reproduced; diagram of the directory root, forest root domain, domain trees, and the domain, configuration, and schema directory partitions)