
    Configuring a Demand-Dial Router

    Broadband is becoming available in most metropolitan areas, but DSL is highly sensitive to the distance from the central office and digital cable is only just now being offered to businesses. Other full-time connection alternatives, such as fractional T-1s, are pricey even in an area with reasonable tariffs.

    Often, the only affordable solution for branch-office or SOHO connectivity is a circuit-switched connection using modems or ISDN lines. There is no difference, at least conceptually, between routing over a circuit-switched connection or a leased line. The only practical difference is the speed and the delay as the connections are made and broken. For ISDN, this is a matter of a few hundred milliseconds. For modems, it should be no more than 15 to 20 seconds.

    A Windows Server 2003 RRAS server can be configured to make and maintain a circuit-switched connection that can function as a tolerably good point-to-point solution. By using multiple modems, you can often achieve faster throughput than with ISDN and low-cost dedicated circuits.

    Many ISDN routers have demand-dial routing built in, but you can get an attractive price for a simple ISDN terminal adapter that does not do "B" channel (bearer channel) bonding or demand-dial routing, then let RRAS do the chores. This section describes how to initialize routing services in an RRAS server and configure demand-dial connections to the Internet, either by using public IP addresses or NAT and a firewall.

    Initializing Routing Services

    To use any of the demand-dial alternatives, it is necessary to enable both Remote Access and Routing features in RRAS. Enabling routing in an existing remote access server involves restarting the service, so perform these steps after working hours, if necessary. You will not lose any existing remote access settings. Proceed as directed in Procedure 20.10.

    Procedure 20.10 Initial Configuration of Routing Services

    1. Open the Routing and Remote Access console.

    2. Select the Remote Access Clients icon and verify that no users are connected to the server.

    3. Right-click the local server name and select DISABLE ROUTING AND REMOTE ACCESS from the flyout menu. A warning appears informing you that disabling the service requires reconfiguration when it is re-enabled. Click Yes to acknowledge the warning and disable the service.

    4. After the service stops (this might take a while), the icon associated with the server changes to a red down-arrow. After the service has stopped, reinitialize RRAS using the instructions in Procedure 20.9 with the following additional steps.

    5. At the Routing and Remote Access window, select Enable Server as a Router and select the Local and Remote Routing (LAN and WAN) radio button.

    6. At the Dial-in or Demand Dial Interfaces window, select the Enable All Devices For Both Routing and Remote Access radio button.

    7. The remaining steps are the same. When the RRAS service restarts, the Routing and Remote Access console contains an additional icon called Routing Interfaces.

    After you have enabled routing, you can configure the server to be a demand-dial router to another office, a demand-dial Internet router, or a demand-dial Internet NAT gateway. The next two sections describe how to configure a demand-dial Internet router and an Internet NAT gateway. Demand-dial routing between offices is not covered because it is becoming increasingly rare as organizations move their commerce to the Internet.

    Configuring a Demand-Dial Internet Router

    If you want to retain public addresses in your network, then you will need a routed interface to the Internet. If this is a dial-up connection, then you need to configure the RRAS server to automatically make a connection whenever a client attempts to reach an Internet host. Here are the prerequisites for configuring a demand-dial Internet connection:

    • Windows Server 2003 equipped with a modem or ISDN adapter. If you have multiple modems or bearer channels, you can use multilink to bundle them together after the interface has been created.

    • Routing must be enabled on the server. See "Initializing Routing Services."

    • Assign the LAN interface on the demand-dial server a static address and do not assign a gateway. Configure the clients on the network to use the demand-dial server as their default gateway.

    • You must have a valid PPP account at the ISP. The ISP must agree to let you connect to its network using a router. This generally involves an agreement to filter all unacceptable traffic. This includes NETBEUI, IPX, and any other transport protocols other than IP. You must also block broadcasts, although ISPs are good about doing that for you at their boundary routers.

    • The ISP must also agree to add your network to the routing tables on its routers. This usually comes as part of the fee for the IP addresses. If you provide your own addresses, an extra fee is added. ISPs generally charge fees at the top of the market for this service because they know that without their routers, you cannot connect to the Internet. The routing fee often comes bundled with a service package that includes DNS and email. You may or may not want this package.

    • Your network must use an IP subnet with sufficient public addresses to support all IP devices, including those that might never access the Internet. Getting those addresses might cost quite a bit of money.

    Installing a Demand-Dial Interface

    With the prerequisites in place, you're ready to install the demand-dial interface, configure it to route to the Internet, and configure automatic connection pickup. Start with installing the interface by following Procedure 20.11.

    Procedure 20.11 Installing a Demand-Dial Interface

    1. Open the Routing and Remote Access console.

    2. Each communications device must be configured for demand-dial routing. Right-click the Ports icon and select PROPERTIES from the flyout menu. The Port Properties window opens.

    3. Double-click a device that will be used for the demand-dial interface to open its Configure Device window.

    4. Select the Demand-Dial Routing Connections option and click OK.

    5. Repeat for each device that will be used for demand-dial routing then close the Ports Properties window.

    6. At the RRAS console window, right-click the Routing Interfaces icon and select NEW DEMAND-DIAL INTERFACE from the flyout menu. The Demand Dial Interface Wizard starts.

    7. Click Next. The Interface Name window opens. Enter a name that describes the destination of the router. For example, use a name like ISP_rtr.

    8. Click Next. The Connection Type window opens. Select the Connect Using a Modem, ISDN Adapter unless you are using a VPN. If you select the VPN option, the wizard presents an additional window for VPN Type (set to Automatic by default) and the IP address or host name of the VPN server.

    9. Click Next. If you have multiple circuit-switched devices, the Select A Device list appears. Select the device you want to associate with the demand-dial interface. If you want to use more than one device and multilink them together, you can do that after creating the demand-dial interface.

      If the device you want to use does not appear on the list but it does appear on the Port list, make sure you configured it for demand-dial routing.

    10. Click Next. The Phone Number window opens. Enter the phone number of the modem or ISDN line at the remote location. The Alternate option permits adding more numbers to call if the first is busy.

    11. Click Next. The Protocols and Security window opens. Leave the Route IP Packets On This Interface selected. If you normally need to use login scripts when connecting to the ISP, select the Use Scripting option. The wizard presents you with a Router Scripting window to select a script.

    12. Click Next. The Dial Out Credentials window opens. Enter the Name and Password for the account that will make the dial-up connection. Because this is a connection to the Internet, you should not need a domain unless your ISP uses NT or Windows Server 2003 to perform authentications.

    13. Click Next. The final wizard window opens. Click Finish to add the interface and return to the Routing and Remote Access console.

    Configuring the Demand-Dial Router

    Now that the interface is in place, it must be configured to connect to the Internet Service Provider's access server (see Procedure 20.12).

    Procedure 20.12 Configuring a Demand-Dial Router

    1. Highlight the Routing Interfaces icon. The new demand-dial interface is listed in the right pane with a status of Enabled.

    2. Right-click the demand-dial icon and select PROPERTIES from the flyout menu to open a properties window. At the General tab, under Connect Using, you can select additional modems or ISDN adapters if your ISP supports multilink.

    3. Select the Options tab. Use the Connection Type option to set an inactivity time for the interface. You can choose to make this a Persistent Connection, but this generally violates the ISP's fair use agreement unless you have contracted for a full-time connection.

      The default value for Redial Attempts is set to 0. The value you set depends on how often you need to retry the ISP line during the busiest time of the day.

    4. Select the Networking tab then open the Properties window for Internet Protocol.

      You must obtain a fixed IP address for the WAN interface from the ISP. This is the address that the ISP will put in its routing tables to get to your network. Some ISPs assign a fixed address automatically based on your logon ID. In this case, you can leave the Obtain An Address Automatically radio button selected.

    5. Click OK to save the changes and return to the RRAS console.

    Test the connection by right-clicking the demand-dial interface icon and selecting CONNECT from the flyout menu. When the connection is made and the interface status changes to Connected, ping a few Internet addresses and names to make sure you have connectivity and proper DNS operation.

    If the connection does not work, test using a standard dial-up connection. If that works, check the name and password you're using by right-clicking the demand-dial interface icon under Routing Interfaces and selecting CREDENTIALS from the flyout menu.

    Configuring Automatic Connection Pickup

    Now that the ISP connection is made, you must add a routing table entry so that traffic from clients in the local LAN is routed to the Internet interface. It is impossible to define a routing table that contains all the different IP addresses on the Internet, so the alternative is to configure a gateway that routes all non-local traffic to the demand-dial interface.

    The default gateway is defined by a single routing table entry consisting of zeros for network destination and subnet mask. Default gateways are configured automatically for dial-up clients but you must enter the route manually for demand-dial interfaces.

    You have already removed the default gateway from the LAN interface as part of the prerequisites for demand-dial routing. At this point, before configuring a default gateway, verify that one does not already exist. Run route print from the command line. There should be no default-route entry, meaning that there is no default gateway for the router. Here is an example routing table before adding a gateway entry:

    C:\>route print
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0xe000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x11000002 ...00 c0 4f 53 6a f2 ......3Com 3C918
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
          1       1
         1       1       1
         1       1       1
    Persistent Routes:

    Addresses with host octets of 255 represent subnet broadcasts. Addresses of represent general broadcasts. Addresses starting with represent multicast subnets. Procedure 20.13 shows how to configure the interface for automatic pickup.
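    The pre-check described above can be scripted rather than eyeballed. The following Python example is added here and is not from the book: it parses captured route print output (the sample table is constructed, with invented 192.0.2.0/24 addresses), classifies each Active Routes entry the way the chapter describes them, and reports whether a default gateway (destination and netmask all zeros) already exists. The 255.255.255.255 and 224.0.0.0/4 values are the standard limited-broadcast and multicast ranges and are assumed, not taken from this page.

```python
"""Check captured `route print` output for an existing default route.

Added example, not from the book. SAMPLE_ROUTE_PRINT is a constructed
table resembling the pre-gateway state shown above; the addresses are invented.
"""
import re
from ipaddress import IPv4Address

# Constructed sample: LAN interface 192.0.2.10 on 192.0.2.0/24, no default route.
SAMPLE_ROUTE_PRINT = """\
Interface List
0x1 ........................... MS TCP Loopback interface
0xe000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x11000002 ...00 c0 4f 53 6a f2 ......3Com 3C918
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.0.2.0    255.255.255.0       192.0.2.10      192.0.2.10       1
       192.0.2.10  255.255.255.255        127.0.0.1       127.0.0.1       1
      192.0.2.255  255.255.255.255       192.0.2.10      192.0.2.10       1
        224.0.0.0        224.0.0.0       192.0.2.10      192.0.2.10       1
  255.255.255.255  255.255.255.255       192.0.2.10      192.0.2.10       1
Persistent Routes:
  None
"""

# One Active Routes row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_active_routes(text):
    """Return the rows of the Active Routes section as dicts."""
    routes, in_active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        m = ROUTE_RE.match(line) if in_active else None
        if m:
            keys = ("dest", "mask", "gateway", "iface", "metric")
            routes.append(dict(zip(keys, m.groups())))
    return routes


def classify(route):
    """Name the route kind in the terms the chapter uses for the table."""
    dest, mask = route["dest"], route["mask"]
    if dest == "0.0.0.0" and mask == "0.0.0.0":
        return "default gateway"
    if dest == "255.255.255.255":
        return "general broadcast"  # limited broadcast (assumed standard value)
    if int(IPv4Address(dest)) >> 28 == 0xE:  # 224.0.0.0/4 (assumed standard)
        return "multicast"
    if mask == "255.255.255.255" and dest.endswith(".255"):
        return "subnet broadcast"  # host octet of 255
    if mask == "255.255.255.255":
        return "host"
    return "network"


def default_routes(text):
    """All default-gateway entries found in the captured output."""
    return [r for r in parse_active_routes(text) if classify(r) == "default gateway"]


def ready_for_demand_dial_gateway(text):
    """True when no default gateway exists yet, the state Procedure 20.13 expects."""
    return not default_routes(text)
```

After Procedure 20.13 is completed, rerunning the check against fresh route print output should report exactly one default-gateway entry, bound to the demand-dial interface.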

    Procedure 20.13 Configuring Automatic Connection Pickup

    1. From the RRAS console, expand the tree under the Local Server icon to show the IP Routing icon.

    2. Right-click Static Routes and select CREATE A NEW STATIC ROUTE from the flyout menu. The Static Route window opens (see Figure 20.33).

      Figure 20.33. Static Route window showing default gateway route.


    3. Under Interface, select the new ISP demand-dial interface you just created.

    4. Under Destination and Network Mask, enter all zeros (0). This designates the demand-dial interface as the default gateway for the router. The Gateway entry itself is dimmed because demand-dial connections have no gateways.

    5. Leave Metric set for 1.

    6. Verify that Use This Route To Initiate Demand-dial Connections is selected. This tells RRAS to pick up the demand-dial circuit when any traffic arrives that is not bound for an address on the local subnet.

    7. Click OK to save the changes and return to the RRAS console. The new static route appears in the right pane.

    Now test the connection. From a client that is configured to use the demand-dial router as a gateway, ping the WAN interface on the server. When that ping succeeds, start a continuous ping to an Internet address using ping -t followed by the address, and wait for the demand-dial connection to the ISP to pick up.

    At that point, the ping succeeds. If either ping fails, use TRACERT or PATHPING to see where the connection is failing. If you get an Internet Control Message Protocol (ICMP) echo from the demand-dial router but not from the Internet, check that you correctly configured the routing table at the ISP router. Make sure to keep the connection up while you troubleshoot.

    Unless you select the Persistent Connection option, the demand-dial connection will eventually time out and disconnect. If you are using a modem, you need to educate your users to wait for a few seconds after they fire off their browsers while the modem picks up. For ISDN links, you have the opposite problem. You do not want the ISDN line to stay hot continuously. Ask anyone who has gotten a $2000 phone bill the month after installing his spanking new ISDN line. Stay aware of the traffic patterns at the demand-dial router until you're sure that you won't get any surprises.

    One note of caution: In this demand-dial router configuration, your network is bare to the Internet. The NAT option in the next section includes the ability to enable the Internet Connection Firewall (ICF) in Windows Server 2003. This is preferable to the simple demand-dial routing configuration outlined in this section. If you do not want to use NAT, you should install a firewall in front of the demand-dial router.
