The ipconfig command, when used with the all switch (ipconfig /all), provides information about existing network interfaces, both real and virtual. Figure 25.16 shows the output from the ipconfig command when used with the all switch.

The netsh command utility was introduced with Windows 2000. It provides scripting, display, and modification capabilities for virtually every aspect of Windows Server 2003 networking. Figure 25.17 displays a list of available options from the netsh command line interface. The netsh command has been expanded with additional helper files and so has more functionality in its Windows Server 2003 version (for example, the IPSec context). Several of the netsh commands are typically used from the server, but netsh provides functions for client-side interaction as well.

886 Chapter 25 • Planning, Implementing, Maintaining Routing and Remote Access
301_BD_W2k3_25.qxd 5/14/04 9:50 AM Page 886

Figure 25.16 Ipconfig Command Display

Figure 25.17 Netsh Command Line Options

The nslookup command is used to troubleshoot and test DNS information for client systems. When used with a computer name or FQDN within an Active Directory environment, nslookup shows the DNS name resolution mappings for that name, as well as which DNS server answered. Figure 25.18 illustrates the output from a typical nslookup command.

The ping command is used to test general network layer connectivity between hosts. Several switches are available for use with the ping command. Ping sends an ICMP echo request to the host named on the command line. The host, if available and permitted to answer, replies with an ICMP echo reply to the initiating system. On the initiating system, a successful ping lists each reply with its round-trip time and the TTL value of the reply packet. A failed ping does not prove the host is down: firewalls and packet filters commonly drop ICMP, so confirm with a second method (for example, a connection to a known open TCP port) before concluding the host is unreachable. Figure 25.19 displays one successful ping command and one failed ping command.
Figure 25.18 Using the Nslookup Command

Figure 25.19 Using the Ping Command

Troubleshooting Remote Access Server Connections

Troubleshooting remote access server connections is not so different from troubleshooting remote access client connections. The best approach is to follow the OSI reference model from the simple lower layers, working your way up through the various upper layers. Again, begin by checking physical layer attributes. Make sure cables are properly connected and secured. Ensure hardware is configured with the right drivers and, if necessary, the right hardware configuration.

Verify the problem is truly a server problem. If some clients are able to connect and others are not, it is possible that the problem is with the client configurations.

It is quite common for clients to have access to a remote access server, but not to systems beyond the server. This could be a problem with IP routing on the remote access server. Verify IP connectivity beyond the remote access server by pinging either the inside network interface on the remote access server or another internal address on the remote LAN. If you are unable to reach internal addresses on the remote LAN, verify that IP Routing is enabled on the remote access server. For AppleTalk clients, verify that network access is allowed for AppleTalk clients on the AppleTalk tab of the server properties sheet. If the AppleTalk tab does not exist on the server, AppleTalk needs to be installed on the server.

Another possible network layer problem involves static routing. If the remote LAN does not have a static route entry back to the client system, client traffic will enter the remote LAN, but the replies will follow the remote LAN's default route instead of returning to the client, and the connection appears dead. Other network layer problems can occur with dynamic routing enabled (RIP or OSPF).
One possible compatibility problem to consider: Windows XP 64-bit and Windows Server 2003 64-bit do not support OSPF routing. RIP v1 is a classful routing protocol. This means that RIP v1 networks must be divided at standard default subnet mask boundaries. If two networks exist within your IP network that do not use standard network masks, this can present routing problems, because RIP v1 carries no subnet mask in its updates and so cannot properly advertise a network that does not use the default mask for its address class.

Also, when using DHCP to allocate addresses, it is possible to run out of addresses or to lose connectivity with the DHCP server. As mentioned in the previous section, this will result in APIPA assignment (unless APIPA has been disabled or there is an alternate configuration set). APIPA addresses fall within the range 169.254.0.1 through 169.254.255.254 (the 169.254.0.0/16 block), and an APIPA-assigned address could be the result of connectivity problems between the RRAS client and server or between the RRAS server and the DHCP server. Check the RRAS server to ensure the server is using the proper network interface to communicate with the DHCP server. Look for an APIPA-assigned address at the RRAS server. Also, try ping connectivity testing between the RRAS server and the DHCP server.

Part of the address distribution troubleshooting process involves understanding where the addresses are coming from. If a DHCP server is supposed to provide clients with addresses, this server should be the next stop for troubleshooting address problems. Likewise, if the RRAS server is distributing addresses from a static address pool, the RRAS server will be the next stop for address troubleshooting.
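The following script is an added example and is not taken from the book. It walks the same bottom-up checks the text describes (ipconfig /all, APIPA detection, ping to the DHCP server and default gateway, the IP Routing setting on an RRAS server, and the nslookup test) as one PowerShell script. It assumes Windows PowerShell 2.0 or later with WMI access, and $DnsName is a hypothetical host name that you would replace with one in your own domain.

```powershell
# Added example, not taken from the book: bottom-up (physical to application
# layer) IP connectivity check for an RRAS client or server. Assumes Windows
# PowerShell 2.0+ with WMI access; $DnsName is a hypothetical name.
param(
    [string]$DnsName = "dc1.corp.example.com"   # hypothetical, replace with your own
)

function Test-ApipaAddress {
    param([string]$Address)
    # APIPA (Automatic Private IP Addressing) uses 169.254.0.0/16
    return ($Address -like "169.254.*")
}

function Test-IcmpEcho {
    param([string]$Address, [int]$TimeoutMs = 2000)
    # The same ICMP echo request / echo reply exchange that ping performs
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        $reply = $ping.Send($Address, $TimeoutMs)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    }
}

function Get-IPRoutingEnabled {
    # RRAS "IP routing" is stored as IPEnableRouter under Tcpip\Parameters
    $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    return ($params.IPEnableRouter -eq 1)
}

function Test-RrasConnectivity {
    param([string]$DnsName)

    # Layer 2/3: every interface with IP bound to it (what ipconfig /all lists)
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
    foreach ($cfg in $configs) {
        Write-Host ("Interface: {0}" -f $cfg.Description)

        foreach ($ip in @($cfg.IPAddress)) {
            if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only
            if (Test-ApipaAddress $ip) {
                Write-Warning ("  {0} is an APIPA address: no DHCP lease was obtained" -f $ip)
            } else {
                Write-Host ("  IPv4 address {0}" -f $ip)
            }
        }

        # A DHCP client interface: the DHCP server is the next thing to test
        if ($cfg.DHCPEnabled -and $cfg.DHCPServer) {
            if (Test-IcmpEcho $cfg.DHCPServer) {
                Write-Host ("  DHCP server {0} answers ICMP echo" -f $cfg.DHCPServer)
            } else {
                Write-Warning ("  DHCP server {0} does not answer ICMP echo" -f $cfg.DHCPServer)
            }
        }

        # First hop beyond the local segment
        foreach ($gw in @($cfg.DefaultIPGateway)) {
            if (-not $gw) { continue }
            if (Test-IcmpEcho $gw) {
                Write-Host ("  Default gateway {0} answers ICMP echo" -f $gw)
            } else {
                Write-Warning ("  Default gateway {0} does not answer ICMP echo" -f $gw)
            }
        }
    }

    # On the RRAS server itself: clients reach the server but nothing beyond it
    if (Get-IPRoutingEnabled) {
        Write-Host "IP routing is enabled on this host"
    } else {
        Write-Warning "IP routing is disabled on this host (IPEnableRouter is not 1)"
    }

    # Application layer: the nslookup test, through the resolver the OS itself uses
    try {
        $entry = [System.Net.Dns]::GetHostEntry($DnsName)
        $addrs = ($entry.AddressList | ForEach-Object { $_.ToString() }) -join ", "
        Write-Host ("{0} resolves to {1}" -f $DnsName, $addrs)
    } catch {
        Write-Warning ("DNS resolution of {0} failed: {1}" -f $DnsName, $_.Exception.Message)
    }
}

Test-RrasConnectivity -DnsName $DnsName
```

Run it once on the client and once on the RRAS server. An APIPA address on the RRAS server's inside interface points at the RRAS-to-DHCP path; an APIPA address only on clients points at the RRAS server's address distribution. Because packet filters often drop ICMP, treat a failed echo as a lead to follow rather than proof that the host is down.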
In order to properly troubleshoot routing problems in a Windows Server 2003 environment, you have a few commands at your disposal. Along with the commands listed in the previous section, the following commands will be useful for troubleshooting network layer connectivity and routing problems:

■ Pathping
■ Tracert
■ Route

The pathping command was introduced with Windows 2000. This command combines characteristics of the ping command, discussed in the previous section, with the tracert command. This command enumerates the routing path that IP traffic will take to a given destination, and lists statistical information about the path to each router along the route to the destination. This command is useful for testing packet loss along a path. If you suspect a router along the path is dropping packets, this is the command to use. From a command prompt, type pathping w.x.y.z, where w.x.y.z is the remote system address whose path you are testing. The results from a pathping are displayed in Figure 25.20.

The tracert command enumerates the routing path that IP traffic will take to a given destination. Again, some basic statistical information is also listed with the trace. This command is a little less detailed than the pathping command. From a command prompt, type tracert w.x.y.z, where w.x.y.z is the remote system address whose path you are testing. The results from a tracert are displayed in Figure 25.21.

Figure 25.20 Pathping Test Results

The route command is used to add, modify, delete, and display routing information for a Windows Server 2003 router. This command is useful in determining the existing routes available for IP traffic passing through the server.
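The following is an added example, not code from the book. It reads the same IPv4 routing table that route print displays and performs the longest-prefix lookup the IP stack performs, so you can check on the remote LAN's router (or the RRAS server) whether a remote access client's address is covered by a specific route or only by the default route, which is the missing static route case described earlier. It assumes Windows PowerShell 2.0 or later with WMI access; the client address at the bottom is hypothetical.

```powershell
# Added example, not taken from the book: longest-prefix lookup over the
# Windows IPv4 routing table (Win32_IP4RouteTable, the data behind route print).
# Assumes Windows PowerShell 2.0+ with WMI access; the address at the end is hypothetical.
function ConvertTo-IPv4Number {
    param([string]$Address)
    # Dotted quad -> 32-bit number, held in Int64 so -band never overflows
    $o = $Address.Split('.') | ForEach-Object { [int64]$_ }
    return ($o[0] * 16777216) + ($o[1] * 65536) + ($o[2] * 256) + $o[3]
}

function Get-PrefixLength {
    param([int64]$Mask)
    # Number of one bits in the subnet mask (255.255.255.0 -> 24, 0.0.0.0 -> 0)
    $bits = [Convert]::ToString($Mask, 2)
    return @($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

function Find-RouteFor {
    param([string]$Destination)
    $dst = ConvertTo-IPv4Number $Destination
    $best = $null
    $bestLen = -1
    foreach ($r in (Get-WmiObject Win32_IP4RouteTable)) {
        $net  = ConvertTo-IPv4Number $r.Destination
        $mask = ConvertTo-IPv4Number $r.Mask
        if (($dst -band $mask) -ne ($net -band $mask)) { continue }
        $len = Get-PrefixLength $mask
        # Longest prefix wins; the lowest metric breaks a tie, as the IP stack does
        if (($len -gt $bestLen) -or (($len -eq $bestLen) -and ($r.Metric1 -lt $best.Metric1))) {
            $best = $r
            $bestLen = $len
        }
    }
    if ($best -eq $null) { return $null }
    return New-Object PSObject -Property @{
        Destination  = $best.Destination
        Mask         = $best.Mask
        PrefixLength = $bestLen
        NextHop      = $best.NextHop
        InterfaceIdx = $best.InterfaceIndex
        Metric       = $best.Metric1
    }
}

function Test-ReturnRoute {
    param([string]$ClientAddress)
    $route = Find-RouteFor $ClientAddress
    if ($route -eq $null) {
        Write-Warning "No route at all for $ClientAddress"
    } elseif ($route.PrefixLength -eq 0) {
        # Only 0.0.0.0/0 matched: replies leave through the default gateway instead of
        # heading back toward the remote access server, so the client never sees them
        Write-Warning ("Only the default route (next hop {0}) matches {1}: add a static route back to the client subnet" -f $route.NextHop, $ClientAddress)
    } else {
        Write-Host ("{0} is reached via {1}/{2}, next hop {3} (interface {4}, metric {5})" -f $ClientAddress, $route.Destination, $route.PrefixLength, $route.NextHop, $route.InterfaceIdx, $route.Metric)
    }
    return $route
}

Test-ReturnRoute -ClientAddress "10.200.5.17"   # hypothetical RRAS client address
```

Run it on the internal router or server that is supposed to send replies back to the remote access clients, passing an address from the RRAS static pool or DHCP scope. When the only match is the default route, the fix is the static route the text describes (route add for the client subnet with the RRAS server's inside address as the gateway), or advertising that subnet through RIP or OSPF.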
Figure 25.22 illustrates the route command with the print switch.

Finally, completing our network layer troubleshooting and working up to the transport layer, make sure the client traffic passes through any packet filters that might be in place. If the client's traffic matches any single deny rule in the packet filter criteria, the client will be denied access. If this is the case, determine how the rule might be rewritten to allow client access. Another option would be to modify the client configuration so the packet filter rule does not prevent client access to the network.

Figure 25.21 Tracert Results

Figure 25.22 Using the Route Command

Configuring Internet Authentication Services

The Windows Server 2003 Internet Authentication Service (IAS) provides open-standard centralized connection authentication, authorization, and accounting for several types of network access. This open standard is more commonly known as Remote Authentication Dial-In User Service (RADIUS). This Microsoft implementation of RADIUS provides authentication for the following network connection types:

■ Authenticating switch
■ Dial-up
■ Router-to-router connections
■ Virtual private network (VPN) remote access
■ Wireless

The major advantage of IAS/RADIUS is that it provides an open standard solution. This means that equipment and software from various vendors can be tied together through the RADIUS authentication service, thereby simplifying account administration for remote access users and systems. Windows Server 2003 IAS supports the IETF RADIUS standards specified in RFC 2865 (authentication) and RFC 2866 (accounting).
One advantage to using the Microsoft implementation of RADIUS in conjunction with Active Directory is the capability for single sign-on. IAS forwards authentication requests to Active Directory, so all users are authenticated from the same source. If a user logs in to the local LAN, his or her username and password will be the same as the one used for remote access through VPN, wireless networking, or any other network connection whose authentication is provided by Microsoft IAS.

IAS must be installed as a separate Windows component. The first step in IAS configuration is installing the IAS component. Next, we must configure the properties for one of the IAS servers. After that, the remote access servers that will act as RADIUS clients of this IAS server must be added. When IAS is implemented, the IAS servers will evaluate the remote access policies, so remote access policies should be configured at this time on the IAS server. Logging methods must be configured for authentication and accounting. Once the configuration of the first server is nearly complete, we can copy the configuration from this IAS server to additional IAS servers on our network. The IAS servers must be registered in the correct Active Directory domains as a final configuration step. After completing the actual configuration, it is considered best practice to verify all configurations and operational settings. There are three ways to register the IAS servers in the appropriate Active Directory domains. You can use any one of these methods:

■ Register the IAS server in the default domain using Active Directory Users and Computers.
■ Register the IAS server in the default domain using Internet Authentication Service.
■ Register the IAS server in the default domain using the netsh command.

Registration adds the server's computer account to the RAS and IAS Servers group, which grants it the right to read users' dial-in properties from Active Directory; an unregistered IAS server rejects authentication requests. With these steps done, the installation and configuration of the IAS server is complete.
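The copy-and-register steps summarized above, written as one script, as an added example that is not from the book. It exports the first IAS server's configuration with netsh aaaa show config, copies it to each additional IAS server, imports it there with netsh exec, registers each server with netsh ras add registeredserver, and then verifies the registration by listing the RAS and IAS Servers group. It assumes it runs on the source IAS server under a domain administrator account, that IAS is already installed on each target, that the targets' C$ share and WMI are reachable, and that the server names and the NetBIOS domain name are hypothetical values you would replace.

```powershell
# Added example, not taken from the book: replicate an IAS configuration to
# additional IAS servers and register them in Active Directory.
# Assumes: run on the source IAS server as a domain administrator; IAS installed
# on each target; C$ admin share and WMI reachable on each target.
# $TargetServers and $Domain are hypothetical values.
param(
    [string[]]$TargetServers = @("ias2", "ias3"),    # hypothetical host names
    [string]$Domain = "CORP",                         # hypothetical NetBIOS domain name
    [string]$ExportPath = "C:\ias-config.txt"
)

# 1. Export the full IAS configuration (the command the text uses).
#    The export carries the RADIUS client definitions including shared secrets,
#    so keep it on an ACL-restricted path and delete it when finished.
cmd /c "netsh aaaa show config > $ExportPath"
if (-not (Test-Path $ExportPath)) { throw "Export failed: $ExportPath was not written" }

foreach ($server in $TargetServers) {
    # 2. Copy the export to the target over the admin share
    #    (C:\ias-config.txt becomes \\ias2\C$\ias-config.txt).
    $remoteUnc = "\\$server\" + $ExportPath.Replace(':', '$')
    Copy-Item $ExportPath $remoteUnc -Force

    # 3. Import it on the target with netsh exec, started through WMI so no
    #    interactive logon on the target is needed.
    $procClass = [wmiclass]"\\$server\root\cimv2:Win32_Process"
    $result = $procClass.Create("cmd.exe /c netsh exec $ExportPath")
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("netsh exec could not be started on {0}: Win32_Process return code {1}" -f $server, $result.ReturnValue)
        continue
    }
    Write-Host ("Import started on {0} as process {1}" -f $server, $result.ProcessId)

    # 4. Register the target so it may read users' dial-in properties from AD.
    & netsh ras add registeredserver "domain=$Domain" "server=$server"
}

# 5. Verify: every registered IAS server is a member of RAS and IAS Servers.
#    Computer accounts are listed by the WinNT provider with a trailing $.
function Get-RasIasServerMembers {
    param([string]$Domain)
    $group = [ADSI]("WinNT://" + $Domain + "/RAS and IAS Servers,group")
    return @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
}

$members = Get-RasIasServerMembers -Domain $Domain
foreach ($server in $TargetServers) {
    if ($members -contains ($server + '$')) {
        Write-Host ("{0} is registered" -f $server)
    } else {
        Write-Warning ("{0} is not in RAS and IAS Servers; register it before putting it into service" -f $server)
    }
}
```

The netsh exec import runs asynchronously on each target, so confirm it finished (for example, by opening the Internet Authentication Service console on the target and checking its RADIUS clients) before deleting the copied export file there and on the source.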
Before placing the server into production, we should verify the configuration of RADIUS accounting and authentication on the access servers. Also, depending on the role of the server, we should verify that the access servers are properly configured for operation. For example, for dial-up and VPN connections we should establish a connection through standard dial-up as well as a VPN connection. The following steps walk you through configuring IAS in Windows Server 2003.

Configure IAS

1. Click Start | Control Panel | Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. From the dialog box in the Windows Components Wizard, select Networking Services | Details.
4. Select Internet Authentication Service followed by OK | Next.

Now that IAS is installed, it is time to configure the properties for the IAS server as follows:

1. Click Start | Programs | Administrative Tools | Internet Authentication Service.
2. Right-click Internet Authentication Service and select Properties.
3. Select the Ports tab, and configure the RADIUS authentication and accounting UDP ports if they differ from the defaults. By default IAS listens on 1812 and 1645 for authentication and on 1813 and 1646 for accounting; 1812 and 1813 are the ports assigned in RFC 2865 and RFC 2866, while 1645 and 1646 are the older ports that some access servers still use.
4. Continuing from Properties, on the General tab, select each required option for IAS event logging, and then click OK.
5. Right-click RADIUS Clients and select New RADIUS Client.
6. From the New RADIUS Client Wizard add basic client information. Click Next.
7. Select RADIUS Standard from the Client-Vendor drop-down list on the New RADIUS Client screen and enter the shared secret; then select Finish. The shared secret is what authenticates the access server to IAS and what protects the password attributes in transit, so use a long random value (RFC 2865 recommends at least 16 octets) and a different secret for each RADIUS client.
8. Configure the remote access policies. In our example, we will grant access to a Windows global group called Radius-Clients. Configure the remote access policy to grant access to members of the Radius-Clients group.
9. From the left pane of the Microsoft Management Console, select Remote Access Logging.
10. From the right pane, right-click Local File or SQL Server, and then select Properties.
11. From the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:
■ For accounting request and response captures, select Accounting requests.
■ For authentication requests, Access-Accept messages, and Access-Reject messages captures, select Authentication requests.
■ For periodic status update captures, select Periodic status.

Now that we have a configuration nearly completed, we can copy the IAS configuration from the first IAS server to additional IAS servers.

1. Begin from a Command Prompt. Click Start | Run and type cmd, then click OK.
2. From the command prompt, type netsh aaaa show config > path\file.txt. This stores all configuration settings in a text file. You can use a relative or absolute path, or a UNC path. The file contains the RADIUS client definitions, including their shared secrets, so store it in a location with restricted permissions and delete it once the copy is complete.
3. Copy this file to the destination computer or computers.
4. From a command prompt on the destination computer, type netsh exec path\file.txt.

As a final configuration step, we have to register the IAS servers in the appropriate Active Directory domains. There are three ways to accomplish this task:

■ Register the IAS server in the default domain using Active Directory Users and Computers:
1. Log on to the IAS server with an account that has administrative credentials for the domain.
2. Open Active Directory Users and Computers. Click Start | Programs | Administrative Tools | Active Directory Users and Computers.
3. In the left pane of the ADUC console, click the Users folder for your domain.
4. In the right pane, right-click RAS and IAS Servers, and then click Properties.
5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the IAS servers.
■ To register the IAS server in the default domain using Internet Authentication Service:
1. Log on to the IAS server with an account that has administrative credentials for the domain.
2. Open Internet Authentication Service. Click Start | Programs | Administrative Tools | Internet Authentication Service.
3. Right-click Internet Authentication Service, and select Register Server in Active Directory.
4. Select OK when the Register Internet Authentication Service in Active Directory dialog box appears.

■ To register the IAS server in the default domain using the netsh command:
1. Log on to the IAS server with an account that has administrative credentials for the domain.
2. Open Command Prompt. Click Start | Run and type cmd, then click OK.
3. Type netsh ras add registeredserver at the command prompt.

Managing Web Servers with IIS 6.0

In this chapter:
Installing and Configuring IIS 6.0
What's New in IIS 6.0?
Managing IIS 6.0
Troubleshooting IIS 6.0
Using New IIS Command-Line Utilities

Introduction

Microsoft's Internet Information Services (IIS) is one of the most popular Web servers in use on the Internet and in intranets throughout the world. Windows Server 2003 includes the latest version, IIS 6.0. There have been changes, additions and improvements to the software in the areas of core functionality and services, administration, security, and performance. IIS 6.0 has been redesigned to provide better reliability and more flexibility in configuring application environments.

A Web server is a common point of vulnerability to attackers.
In the past, it has been common for servers to be running "rogue" Web services without the knowledge of administrators. Thus, for security reasons, IIS 6.0 is not installed by default on Windows Server 2003 servers (with the exception of the Web Server Edition), and when you do install it, it is initially configured in a high security ("locked") mode in which it serves only static content. Because Web servers are common targets of attack due to their exposure to those outside the local network, security is a priority in this new version. Consequently, a number of important Web service features, which worked automatically in previous versions, now have to be explicitly enabled before they will work. This new focus on security means administrators need to familiarize themselves with these changes to provide the Web server services needed on their networks.

Chapter 26 895
301_BD_W2k3_26.qxd 5/14/04 9:52 AM Page 895