Some people have characterized networking as "magic," or "smoke and mirrors." Actually, it is really neither. It is complex, and every network ends up being quite different. This chapter will give you more insights into how things work, and some options for customizing the network to more closely meet your needs.
SOLUTIONS: How can I set the minimum password length for Windows 95? Having a password of more than four characters strengthens your security. In fact, the longer the password is, the more difficult it is to break. Set the minimum password length in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network key. Add a DWORD value called MinPwdLen and set it to the number of characters you would like, in decimal format.
Security is a huge issue to deal with. Using the maximum password length will make your work a little easier. In Windows NT, you can set the password length in User Manager for Domains, in the Policies | Account Policies section.
SOLUTIONS: Normally, I log on to an NT domain from a Windows 95 system. Can I get a confirmation that it actually let me log on? Normally, you would only know if it didn't work. If you need to get a confirmation, a simple change to the Registry will do that for you. Add a REG_DWORD value called DomainLogonMessage to the HKEY_LOCAL_MACHINE\Network\Logon key. Set the value of the DomainLogonMessage to 1, and every time you log on to the domain, you will get a message similar to the one in Figure 21.1.
Figure 21.1. Domain logon confirmation.
Because networking is not as fundamental to Windows 95 as it is to Windows NT, some features are not included in the interface. In an effort to make it as powerful as possible, Microsoft did include many options that make 95 a much better client on the network.
SOLUTIONS: Windows NT allows me to easily set multiple IP addresses to a single network card. Can I do the same thing with Windows 95? Yes, you can; it just isn't part of the interface. Maybe Microsoft didn't think anyone would want to do it. The IP address information is stored in the Registry in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans key. Find the subkey that holds the IP address. Figure 21.2 shows the key with the correct IP addresses set.
Figure 21.2. Location of the IP addresses in the Windows 95 Registry.
If you want to add another IP address to the network card, edit the IPAddress value, and add another IP address to the end of the string, separated by a comma, but no spaces. Figure 21.3 shows the correct format of the text.
Figure 21.3. Adding an additional IP address to a network card.
Whenever you add an IP address, you must also add the corresponding subnet mask for that address in the IPMask value. Figure 21.4 shows the key with the correct values for two IP addresses attached to the same card.
Figure 21.4. Multiple IP addresses assigned to the same network card.
You can add as many addresses as will fit within the limitation of 255 characters of the String entry.
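The format rules above (comma-separated, no spaces, one mask per address, 255-character limit) can be checked before the values are written to the Registry. The following Python is an added example, not code from the original chapter; the function names and sample addresses are constructed for illustration, and the contiguous-mask test is an extra sanity check the chapter does not mention.

```python
import ipaddress

MAX_STRING_LEN = 255  # String-entry limit given in the chapter


def _is_ipv4(text):
    """True if text is a dotted-quad IPv4 address with nothing around it."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _is_contiguous_mask(text):
    """True if the mask is a run of 1 bits followed only by 0 bits."""
    value = int(ipaddress.IPv4Address(text))
    inverted = value ^ 0xFFFFFFFF
    return value != 0 and (inverted & (inverted + 1)) == 0


def check_multi_ip_values(ip_value, mask_value):
    """Return a list of problems in a Windows 95 IPAddress / IPMask pair."""
    problems = []
    for name, value in (("IPAddress", ip_value), ("IPMask", mask_value)):
        if len(value) > MAX_STRING_LEN:
            problems.append(f"{name}: {len(value)} characters exceeds {MAX_STRING_LEN}")
        if any(ch.isspace() for ch in value):
            problems.append(f"{name}: contains whitespace; separate entries with a comma only")

    addresses = ip_value.split(",")
    masks = mask_value.split(",")
    if len(addresses) != len(masks):
        problems.append(
            f"{len(addresses)} address(es) but {len(masks)} mask(s); "
            "each address needs its own mask"
        )
    for address in addresses:
        if not _is_ipv4(address):
            problems.append(f"IPAddress: {address!r} is not a valid IPv4 address")
    for mask in masks:
        if not _is_ipv4(mask):
            problems.append(f"IPMask: {mask!r} is not a valid dotted mask")
        elif not _is_contiguous_mask(mask):
            problems.append(f"IPMask: {mask!r} is not a contiguous subnet mask")
    return problems


def append_address(ip_value, mask_value, new_address, new_mask):
    """Return the new (IPAddress, IPMask) strings, or raise ValueError."""
    new_ip = f"{ip_value},{new_address}"
    new_masks = f"{mask_value},{new_mask}"
    problems = check_multi_ip_values(new_ip, new_masks)
    if problems:
        raise ValueError("; ".join(problems))
    return new_ip, new_masks


if __name__ == "__main__":
    # Constructed sample values, not taken from the chapter's figures.
    print(append_address("10.1.1.5", "255.255.255.0", "192.168.7.5", "255.255.255.0"))
    for problem in check_multi_ip_values("10.1.1.5, 192.168.7.5", "255.255.255.0"):
        print("problem:", problem)
```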
A cache normally holds the last information given it. If the cache fills up, the first item is expelled, and the next is taken in. Sometimes, a function that looks exactly like a cache doesn't perform the same way. The next problem is an indication of that.
SOLUTIONS: I use Windows 95 on my notebook, and I connect to several different networks using TCP/IP. Because each one uses a different set of IP addresses, I have the server assign me an IP address through DHCP. I have used several different PCMCIA network cards, and several docking stations, and even modems to connect, and now, all of a sudden, I am not getting an IP address, and I cannot get onto the network. What went wrong? The Windows 95 Registry stores information about every network card and modem used for Dial-Up Networking. The information, called a MAC address, is unique for every network card in the world. Once Windows 95 gets to eight cards listed, it will not list any more. If you were to go back to one of the cards you had used previously, you would probably get an address. Once past eight, you will never get another. Figure 21.5 shows the location of the storage of the MAC addresses. The Registry will create a new DhcpInfo0x key for every new network card it finds, plus one for any modem used to dial into a network where the server will provide an IP address (such as an Internet service provider).
Figure 21.5. Each address requester has an entry in the Registry.
Because the system will automatically put an entry for each DHCP address requester, you can simply remove all of the subkeys below Dhcp except DhcpInfo00, if it exists. The ones that are needed will be re-created automatically. Then, as you connect to the network, a DHCP request will be sent, and you will get a dynamically assigned IP address.
Remotely editing the Registry is a powerful function. If you can edit another system's Registry from your desktop, it will save you time, effort, and give you freedom from explaining more than you actually want to. You should train your users as much as possible, but explaining IP addresses and DNS servers may not really help them, anyway.
SOLUTIONS: I need to change the IP address, the subnet mask, the DNS host name, and DNS server on several NT systems on my network. Do I have to go to each one and run the Control Panel options, or can I do it remotely with a Registry editor? Making all the TCP/IP settings on a remote machine is quite simple, if you know where the Registry entries are. All TCP/IP functions are separated into two categories: general settings and card-specific settings. The card-specific settings require you to know the network card driver, but the general settings just use the Tcpip key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. The TCP/IP settings that use the general settings are listed in Table 21.1, with the values that are associated with them.
Table 21.1. Generic TCP/IP settings.
TCP/IP Function    Registry Value
Domain name        Domain
Host name          Hostname
IP Routing         IPEnableRouter
DNS Server         NameServer
The TCP/IP settings that use the network card driver information use HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adapter Name\Parameters\Tcpip, and are listed in Table 21.2, with their values.
Table 21.2. Card-specific TCP/IP settings.
TCP/IP Function    Registry Value
DHCP               EnableDHCP
IP Address         IPAddress
Subnet Mask        SubnetMask
Default Gateway    DefaultGateway
With this information, you can easily find the correct location to make any TCP/IP setting you need on a remote system, without having to go there and use the Control Panel. You also won't have to try to explain it to your users, so they can be your fingers for you.
Another way to quickly set the TCP/IP information across the network would be to create a custom template file for System Policy Editor, as outlined in Chapter 34, "Creating Custom Policies."
SOLUTIONS: My NT system can't find the files it needs to run TCP/IP correctly. Where are they? What are they? For TCP/IP to work properly, the system needs access to several files, including HOSTS, LMHOSTS, NETWORKS, and PROTOCOLS. Normally, those files are in %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC. If they are going to be stored in any other location, that location needs to be specified in the Registry. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, edit the value named DatabasePath. It is a REG_EXPAND_SZ entry, which means that you can enter a variable, and it will be replaced with the actual data when read. Enter the location of the files.
Until there is a better way, you will have to continue to use all the settings, files, and options created for the Internet when it was still quite small. Now that it is huge, with nearly 20 million hosts (at the time of this writing), some of the functions are a little dated. The fact that it still works at all is amazing, but the challenges of using the Internet effectively are sometimes daunting.
SOLUTIONS: Our network has a gateway set up to give us access to the Internet, but sometimes it doesn't work. Then I can't get the information I need. What can I do to make it work better? A gateway allows access to the Internet from your network. It is essentially the connecting point to the Internet. Sometimes it gets too busy to allow all the traffic to pass through. Other times, it may not be able to transmit data because its line to the Internet is down. Whatever the case, there is not much you can do, except to have a backup gateway in place. If a system cannot transmit data through a gateway, even after several tries, the Transmission Control Protocol (TCP) asks the IP portion to switch to a backup gateway if one has been specified, and this Registry change has been made. The address for the backup gateway is set in Control Panel | Network | Protocol | TCP/IP Protocol | Properties | Advanced. But that is not enough; you also need to make a change to the Registry. The value name to add is EnableDeadGWDetect, a REG_DWORD value, in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. Set the value to 1, and if the first gateway does not respond, it will switch to the second.
The Internet is a very flexible network, sometimes to its detriment. Because information may be transferred over many lines, go through many routers, and be handled by so many servers, the security of the information may be compromised. The sensitivity of the data will determine what level of security is required, and, fortunately, there are many options that allow you to increase that security.
SOLUTIONS: I am concerned about sending private data over the Internet. Do I have any options that will give me more security than PPP or SLIP? Certainly, PPP and SLIP are good protocols for transferring data over the Internet, but they are not very secure. PPTP (Point to Point Tunneling Protocol) is designed to allow secure, authenticated connections to a server. NT 4.0 is the first Windows NT server to support it, and it ushers in a breakthrough in security across phone lines. It basically creates a secure tunnel through which all the data goes. None can get in, and none can get out, until the data hits the end. Unauthorized users are not welcome. The PPTP functions in NT 4.0 are in the HKEY_LOCAL_MACHINE\SYSTEM\Services\RASPPTPE\Parameters\Configuration key. In order to enable PPTP, there are two values that need to be changed. The value name AuthenticateIncomingCalls turns on the authentication procedure so only listed IP addresses can connect. It is a REG_DWORD entry. Set it to 1, and only PPTP connections can be made, and only from the IP addresses in the next value. PeerClientIPAddresses is a REG_MULTI_SZ value that lists all authenticated addresses for PPTP connection. The format of PeerClientIPAddresses is a valid IP address xxx.xxx.xxx.xxx with each entry on a separate line. The entries are the only IP addresses of PPTP clients from which this server will accept PPTP calls. Both values must be set. If one is not set, PPTP will not work.
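Because both values must be set together, auditing an exported copy of the key catches a half-configured server. The following Python is an added example, not code from the original chapter; it assumes a REGEDIT4-style text export in which REG_MULTI_SZ data appears as hex(7) ANSI bytes, and the helper names and sample addresses are constructed.

```python
import ipaddress

# Matched as a suffix so the check does not depend on the rest of the key path.
PPTP_KEY_SUFFIX = r"\RASPPTPE\Parameters\Configuration"


def decode_value(raw):
    """Decode the data part of one exported value line."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ: NUL-separated strings
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b.strip())
        return [s for s in data.decode("ascii", "replace").split("\x00") if s]
    return raw.strip('"')  # plain string; other types are left as text


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_path: {value_name: data}}."""
    # A trailing backslash continues a long hex value on the next line.
    joined = text.replace("\\\r\n", "").replace("\\\n", "")
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            current[name] = decode_value(raw)
    return keys


def audit_pptp(keys):
    """Return findings for every RASPPTPE configuration key in the export."""
    configs = {k: v for k, v in keys.items()
               if k.lower().endswith(PPTP_KEY_SUFFIX.lower())}
    if not configs:
        return ["no RASPPTPE configuration key in the export"]
    findings = []
    for values in configs.values():
        if values.get("AuthenticateIncomingCalls") != 1:
            findings.append("AuthenticateIncomingCalls is not set to 1")
        peers = values.get("PeerClientIPAddresses")
        if not isinstance(peers, list) or not peers:
            findings.append("PeerClientIPAddresses is missing or empty")
            continue
        for peer in peers:
            try:
                ipaddress.IPv4Address(peer)
            except ValueError:
                findings.append(f"PeerClientIPAddresses entry {peer!r} is not an IPv4 address")
    return findings


def make_sample_export(auth, peers):
    """Build a constructed export for the demo (not captured from a real system)."""
    lines = ["REGEDIT4", "",
             r"[HKEY_LOCAL_MACHINE\SYSTEM\Services\RASPPTPE\Parameters\Configuration]"]
    if auth is not None:
        lines.append(f'"AuthenticateIncomingCalls"=dword:{auth:08x}')
    if peers:
        raw = ("\x00".join(peers) + "\x00\x00").encode("ascii")
        hex_text = ",".join(f"{b:02x}" for b in raw)
        # Wrap once after the first entry to exercise the continuation handling.
        hex_text = hex_text.replace(",00,", ",00,\\\n  ", 1)
        lines.append(f'"PeerClientIPAddresses"=hex(7):{hex_text}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = make_sample_export(1, ["192.0.2.10", "192.0.2.11"])
    half = make_sample_export(1, [])
    print(audit_pptp(parse_reg_export(good)))
    print(audit_pptp(parse_reg_export(half)))
```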
Browsing is another great challenge in a Windows network. Browsing is the function that lets you see what you can connect to, either as a printer client or a server's share client. If you don't have the list, you need to know exactly the name of the server and the name of the shared device. If you want to choose from a list, browsing has to be working on the network. It's interesting to see how some of the things that Microsoft says are so, just aren't. Browsing is one of the tools that you must take control of, or it may not work as expected.
SOLUTIONS: Who should be my master browser? How can I choose? Windows networking uses a master browser and a browse server. The browse server holds a list of all the shares on the network. The master browser answers requests for the list. They can be separate machines or the same machine. Set systems that have the highest performance/lowest demand combination to be your browse servers (2 per segment), and your domain controller to be your master browser. Whatever you do, do not let your Windows 95 systems be your browse servers. There is a bug in the server list maintenance function of Windows 95 that will make it so no one can browse the network. Turn it off in Windows 95 with Control Panel | Network | File and Printer Sharing for Microsoft Networks. On the NT system you would like to be a browse server, edit the MaintainServerList value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters key. Set the MaintainServerList value to YES, and the system will be a browse server. On the NT system that you would like to be the master browser, set the IsDomainMaster in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters to 1.
Internal security comes from limiting choices that users have on the network. If you limit the number of options a user has at his disposal, you can reduce the risk exposure. Forcing the users to know share names and server names can certainly hinder their progress in breaking your security.
SOLUTIONS: I don't want everyone to be able to see my NT system on the network. Is there any way that I can hide it? You can hide it by adding a single Registry change. It will hide the system from Network Neighborhood, My Computer, and Open/Save dialog boxes. To hide it, add a new REG_DWORD value called Hidden to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters key. Set the value to 1 to hide the system from the browse list. Even though the system is hidden from the browse list, you can still connect to it with a UNC name.
Managing the browse lists and determining what users are going to see on the network really comes down to restricting what will be shown, or expanding what will be shown.
SOLUTIONS: I want to be able to browse all the shares on the network, even though they are on a different segment. Can I do that with NT? Configure your network with your NT server so it functions as a multihomed router, with two or more network cards, each connected to a separate segment. Then you can add a new Registry value, and the systems on any segment can browse all of the shares on any other segment. By default, each segment will have its own browse list, and the users will only be able to see the rest of the browse list that they belong to. What you will do is disable one of the browse lists so everyone will be part of the same browse list, and they will get to see all of the shares on both segments. The new value will be entered in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters key. The value name is UnboundBindings, a REG_MULTI_SZ entry. In the value, enter the name of one of the network cards. You can find the name of your network card in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key. There will be two names for each card, one with a number at the end. For example, the driver for a Xircom Creditcard Ethernet Adapter IIps is CE2XPS. In the Registry, you would find CE2XPS and CE2XPS1 keys. If you had more than one of the same network card, the second would end in a 2. Use the name with the number on the end. You should only put one of the network card names in the list if you only have two network cards in the server. If you have three, you would put in two names. The idea is to remove all but one browse list.
How much of a remote system's shares can be seen by the rest of the network is also configurable in the Registry. The setting is actually at the server, not at the workstation.
SOLUTIONS: I can't see the shares of any systems that are connected to my NT Server with RAS. Is that normal? Yes, it is, but you can change it, if you would like. At the server, add a REG_DWORD value called RemoteListen to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\NetBIOSGateway key. If you set this value to 2, remote clients look just like those connected directly to the network.
WARNING: If you have several systems connected to the RAS server at once, the traffic associated with this procedure may be overwhelming. Also, the resources required to manage those connections may be significant. Limiting the number of connections reduces the overhead.
Traffic on a network is always a concern. If there is too much traffic, the normal packets to be transferred will be extremely slow. You can watch your traffic with Network Monitor, SMS, or other tools from third-party vendors.
SOLUTIONS: When I connect to my server from NT Workstation, I don't always get my share connections. When I browse, I can find them, and when I activate the programs that use the connections, they work, but they are slow. Why? Even if you select to reconnect at logon, the network shares are sometimes not available. The system that is sharing them might be busy. The browse server might be busy, and the browse master wouldn't be able to give them to you. You should consider adding another browser server, if it happens too often. As an added help, you can force your system to keep trying. Instead of making a cursory attempt at finding the shares, it will keep trying until it either verifies the shares, or verifies that the shares are not available. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider, there should be a REG_DWORD value called RestoreConnection. If it is not there, add it. Set the RestoreConnection value to 1 to ensure the connections are restored. If it seems that your connections take too long, you could set RestoreConnection to 0, and then it would ghost the connections and only actually connect when they are needed.
Some of the entries that are in the Registry are designed for specific uses. In some cases, there are ways to use a change in the Registry to achieve a particular function that it was not necessarily designed for. The next tip is one of those.
SOLUTIONS: I need to do some maintenance on the servers. Can I disconnect my network users so it forces them to log off the network? There is an option to force users off the network after a preset time of no activity, and you could possibly use that as an alternative. If a user is connected to your network without activity for too long, this can indicate a potential security threat. Other users can use the system without the logon requirement. A good way to ensure that users log off their systems when they leave them is to set up automatic disconnection. The system recognizes the idle time and, after a preset period, disconnects the idle user. Another circumstance in which this Solution becomes handy is in an environment where you have more users than IP addresses in your DHCP server. Users get an IP address from DHCP only when they connect to the network. When a user disconnects, the IP address goes back into the pool to be allocated to another. If someone forgets to disconnect, the IP address is used for an idle system, and thus is essentially wasted. Add a new value to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters on the server. The new value name is AutoDisconnect, a REG_SZ entry. The range of the data is 0-4294967295 (0xffffffff) in minutes. That is over 4 billion minutes, or over 8,171 years! If a user hasn't disconnected by then, he probably won't notice if you do it for him. Setting AutoDisconnect to 0 does not turn it off, but rather it sets the disconnect for 0 minutes. As soon as you log on and take a deep breath, you get disconnected. If you need to make sure everyone is off the system, you could set it to 0. Then, to activate the setting, you need to restart the server. As soon as it restarts, every user would be disconnected.
Some may say that idleness is a curse. Of course, there are reasons to be idle on the network, and that is OK. It is when the connection is taken and not being used that it is frustrating for the technical support staff. On the other hand, getting disconnected because of no traffic is a real hassle if you are doing so many things at once that you miss using a connection because you took a moment too long to return to the dial-up connection.
SOLUTIONS: How can I change the amount of time my RAS server waits before disconnecting idle users? It is important to remove idle users from RAS connections so others can use the connections. The waiting time is set in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters, in the AutoDisconnect value. The range is 0-60000 minutes, with the default of 20 (minutes). Setting it to 0 disables AutoDisconnect.
Netware IPX and Microsoft NWLink use three different types of identification numbers to allow communication across the network. The IPX/NWLink client uses its MAC address (the physical address of the network card) so others can communicate with it. The server uses two different types of addresses, an internal network number (also called a virtual network number), and an external network number. There has been a great amount of confusion regarding this.
The internal, or virtual, network number is a number assigned to a server that uses IPX/SPX or NWLink as a communications protocol. It's basically the identifier or address of that server that makes it unique in a multiple-server environment. That address is how the rest of the systems know which server sent the information.
The external network number is the network or segment number. Each segment on a multisegment network has its own external network number. In a server with multiple network cards attached to different segments, each card is assigned its own external network number.
The next three questions reference these numbers.
SOLUTIONS: I am having trouble seeing my NetWare servers during a browse from Windows NT. What's going on? Windows NT automatically sets the internal network number for NWLink. Set to zero, the system generates a unique, random number to use as its internal network number. The setting in the Control Panel to change the number is available only if more than one network card is installed. Setting the number manually may be required if the system cannot see the server during a browse. It may also be required if you choose to use multiple frame types on a single adapter, if you have bound NWLink to multiple adapters on your system, or if your computer is acting as a Windows NT server for an application that uses the NetWare Service Advertising Protocol (SAP), such as SQL Server or Systems Network Architecture (SNA) Server. Manually set the number in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NwlnkIpx\Parameters. The value name is VirtualNetworkNumber. Use the number that the NetWare network administrator creates. The number must be an 8-digit hexadecimal number, for example, abcd1234. (It can actually be any 8-digit hexadecimal number, as long as it is the same at the workstation as it is at the NetWare server.) When using the DWORD Editor, make sure that Hex is selected as the data type, and type the new number. The only time to manually set the internal network number is if the system cannot automatically do so itself.
WARNING: After you set the number in the Registry, return to the Control Panel. If the NWLink IPX/SPX Protocol Configuration dialog box is opened and if you click on OK to confirm, the number resets to zero. If you cancel, the number is left alone.
Here is another question that is closely related.
SOLUTIONS: I am running Windows NT, connected to a NetWare server. I can send data to everyone on my segment, but I cannot send anything to the other segment. What should I do? When there is more than one segment on a network running NWLink, each segment must have a unique external network number, or number for that segment. When traffic moves from one segment to the other, this number, which identifies where the data came from, is part of the header in the packet. The key where the changes will take place is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWLnkIPX\NetConfig\adapter name. Because each segment could be using a different frame type, you must set two values, NetworkNumber and PktType, for each frame type. The PktType settings are listed in Table 21.3 for your convenience.
Table 21.3. Possible values for PktType.
Value    Frame Type
0        Ethernet II
1        Ethernet 802.2
2        Ethernet 802.3
3        Ethernet SNAP
4        Arcnet
ff       Auto Detect
NetworkNumber is a REG_MULTI_SZ entry, and the numbers correspond with the values in PktType. Enter an 8-digit hexadecimal number as a NetworkNumber value for each corresponding PktType. To obtain the number entered as a NetworkNumber, run the IPXROUTE CONFIG command from the command prompt on a working system, or look in the Autoexec.ncf file at a NetWare server that is on the same segment.
The next question is very similar, except that the two networks are connected to two separate network cards.
SOLUTIONS: I am trying to access two different IPX networks on two different network adapters from my NT Server. I can't seem to get the systems on both segments to communicate with each other. What should I do? If you are running more than one segment, and if each segment is attached to its own network card, you can make them all communicate with each other by changing the Registry. Each card shows under NWLink\NetConfig independently. Using the same values as in the preceding solution (NetworkNumber and PktType), you can set the external network number for each card. By default, both networks would use the same frame type. Change the frame types as required, as shown in Table 21.3, and enter the corresponding network numbers.
Directory Services Manager for NetWare allows you to manage all of the NetWare servers in a network from a Windows NT domain. The users and groups all get centralized into one list, and it is extremely easy to manage. The next question relates to setting it up correctly.
SOLUTIONS: How do I add NetWare 4.x servers to Directory Services Manager for NetWare? Directory Service Manager for NetWare (DSMN) enables NT to pull NetWare servers into the NT domain. All the users and groups become part of the domain, and the server stays running, but no NetWare client is required. A simple logon from the NT PDC allows access. With NT 4.0, the client (CSNW) and gateway (GSNW) support NetWare 4.x servers directly. DSMN talks to them only if they are running in bindery emulation (making them look like a 3.x server). However, when you try to connect to a NetWare 4.x server, even if you are running them in bindery emulation, you will get an error that prevents you from connecting. Make this change to make the connection work: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters, add a value named Allow4X, as a REG_DWORD value. Set the Allow4X value to 1, and the system running DSMN will recognize NetWare 4.x servers running in bindery emulation.
Because Macintosh clients do not have a native client for Windows networking, all the translation must be done at the server. This may put a tremendous load on the server. If you are going to use Macintosh clients, consider dedicating a server on the NT network just for them. Then make the settings necessary to make the Macintosh clients perform as well as they can.
SOLUTIONS: How can I boost the performance for my Macintosh clients? When the server is set up to use services for Macintosh, those Mac clients can use an NTFS volume (or part of one) as a network share. The shared directories are still available to the standard Windows and DOS clients, which allows for easy sharing of data. The biggest challenge is the performance of the client functions for the Macintosh. Extending the amount of RAM and the amount of paging file space allocated for the Macintosh services is a tremendous boon to performance. Be aware, though, that whenever more resources are allocated to a particular service, they are removed from another. Make sure you have enough RAM and paging file space to accommodate all requirements. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MacFile\Parameters, add the value name PagedMemLimit, a REG_DWORD entry, to extend the default size of the paging file allocated to Macintosh services. To extend the amount of RAM allocated, add the REG_DWORD value named NonPagedMemLimit. The default for PagedMemLimit is 20000 kilobytes (about 20MB). It can be set to any amount from 1000-256000 (kilobytes, in decimal). The default for NonPagedMemLimit is 4000 (approximately 4MB of RAM). Allocate any amount from 256-16000 (256KB-16MB). If you extend the amount of the paging file and RAM, your Macintosh performance should go up.
Customization is simply making things work the way you want them to. There are many options in Windows 95 and Windows NT to make them perform the way you would like them to, either as a server or as a client. To go beyond that, you will need to edit the Registry to create the optimum networking environment.
© Copyright, Macmillan Computer Publishing. All rights reserved.