The original designers of TCP/IP defined an IP address as a 32-bit number[1] and this
system, known as Internet Protocol Version 4 or IPv4, is still in use today. However, due
to the enormous growth of the Internet and the resulting depletion of available addresses,
a new addressing system (IPv6), using 128 bits for the address, was developed in 1995[3]
and standardized by RFC 2460 in 1998[4] (since superseded by RFC 8200). Although IP addresses are stored as binary
numbers, they are usually displayed in human-readable notations, such as 208.77.188.166
(for IPv4), and 2001:db8:0:1234:0:567:1:1 (for IPv6).
The Internet Protocol also has the task of routing data packets between networks, and IP
addresses specify the locations of the source and destination nodes in the topology of the
routing system. For this purpose, some of the bits in an IP address are used to designate a
subnetwork. The number of these bits is indicated in CIDR notation, appended to the IP
address, e.g., 208.77.188.166/24.
With the development of private networks and the threat of IPv4 address exhaustion, a
group of private address spaces was set aside by RFC 1918. These private addresses may
be used by anyone on private networks. They are often used with network address
translators to connect to the global public Internet.
The Internet Assigned Numbers Authority (IANA) manages the IP address space
allocations globally. IANA works in cooperation with five Regional Internet Registries
(RIRs) to allocate IP address blocks to Local Internet Registries (Internet service
providers) and other entities.
What is a Subnet Mask?
A subnet mask allows you to identify which part of an IP address is reserved for the
network, and which part is available for host use. If you look at the IP address alone,
especially now with classless inter-domain routing, you can't tell which part of the
address is which. Adding the subnet mask, or netmask, gives you all the information you
need to calculate network and host portions of the address with ease. In summary,
knowing the subnet mask can allow you to easily calculate whether IP addresses are on
the same subnet, or not.
What is ARP?
ARP is the Address Resolution Protocol.
The Data Link layer of TCP/IP networks utilizes MAC addresses; the Network Layer of
TCP/IP networks utilizes IP addresses.
ARP resolves an IP address on the local segment to the MAC address that frames must be
sent to: the sender broadcasts a request ("who has 192.0.2.10?") and caches the reply.
RARP, the Reverse ARP Protocol, does the opposite and is used to map MAC addresses to IP
addresses.
Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison
Routing (APR), is a technique used to attack an Ethernet or wireless network. ARP
spoofing may allow an attacker to sniff data frames on a local area network (LAN),
modify the traffic, or stop the traffic altogether (a denial-of-service attack). The
attack can only be used on networks that actually make use of ARP and not another method
of address resolution. It works because ARP carries no authentication: many hosts update
their cache from any ARP packet they see, even an unsolicited reply, so an attacker who
sends forged replies claiming the default gateway's IP address has the victim's traffic
delivered to the attacker's MAC address instead. The usual countermeasures are static ARP
entries for critical hosts and Dynamic ARP Inspection on managed switches, which drops
ARP packets that do not match the switch's DHCP snooping binding table.
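The following is an added example, not part of the original notes: it parses ARP frames at the byte level and implements the simplest form of poisoning detection, an IP-to-MAC table that reports when an address it has already seen is claimed by a different MAC. The frames, addresses and MACs are constructed for the demo; on a real network they would be read from a raw socket or a pcap file.

```python
"""ARP parsing and a small IP-to-MAC conflict detector (added example).

The frames below are constructed by hand to show what an ARP poisoning
attempt looks like on the wire; in practice they would come from a raw
socket or a pcap file.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=b"\xff" * 6):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP packet."""
    return (ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa))


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpWatch:
    """Remember the first MAC seen for each IP and flag any later change.

    Both requests and replies carry a sender binding, and hosts cache either,
    so both are observed. A legitimate change (NIC replaced, DHCP reassignment)
    also raises an alert; the point is to make the change visible.
    """

    def __init__(self):
        self.bindings = {}   # ip -> mac
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sender_mac, sender_ip, _, _ = parsed
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            self.alerts.append(f"{sender_ip} moved from {known} to {sender_mac} (op={op})")
        return parsed


# Constructed sample traffic: a victim, the gateway, and an attacker claiming the gateway's IP.
GW_MAC, GW_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 50])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, b"\x00" * 6, GW_IP),                    # who has 192.168.1.1?
    build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, eth_dst=VICTIM_MAC),       # genuine answer
    ETH_HDR.pack(GW_MAC, VICTIM_MAC, 0x0800) + b"\x45" + b"\x00" * 40,                   # IPv4 frame, ignored
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, eth_dst=VICTIM_MAC), # poisoned reply
]


def run_demo(frames=SAMPLE_FRAMES):
    """Feed the sample frames through the watcher; returns (bindings, alerts)."""
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.bindings, watch.alerts


if __name__ == "__main__":
    bindings, alerts = run_demo()
    print(bindings)
    for alert in alerts:
        print("ALERT:", alert)
```

The detector is deliberately naive: it trusts the first binding it sees, so it must be started before the attacker, and it cannot tell a poisoning reply from a genuine MAC change. Tools such as arpwatch add persistence and notification on top of the same idea; Dynamic ARP Inspection on the switch is the preventive control.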
What is the ANDing process?
In order to determine whether a destination host is local or remote, a computer will
perform a simple mathematical computation referred to as an AND operation. While the
sending host does this operation internally, understanding what takes place is the key to
understanding how an IP-based system knows whether to send packets directly to a host
or to a router.
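The subnet mask and AND operation described above, as an added example that is not part of the original notes. Addresses and masks are handled as plain 32-bit integers so that the AND is literal; the addresses used are made up. The last function goes a step beyond the text and shows what happens when two hosts on one wire disagree about the mask.

```python
"""Subnet mask and the AND decision (added example, addresses are made up)."""


def ip_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/24 -> 0xFFFFFF00. Prefix 0 (default route) and 32 (host route) are valid."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(dotted_mask):
    """255.255.240.0 -> 20. Rejects masks whose one-bits are not contiguous."""
    mask = ip_to_int(dotted_mask)
    ones = bin(mask).count("1")
    if mask != mask_from_prefix(ones):
        raise ValueError(f"non-contiguous mask: {dotted_mask}")
    return ones


def split_address(addr, prefix):
    """Return (network address, host number) for addr/prefix."""
    mask = mask_from_prefix(prefix)
    n = ip_to_int(addr)
    return int_to_ip(n & mask), n & ~mask & 0xFFFFFFFF


def same_subnet(a, b, prefix):
    """The AND operation: both addresses ANDed with the mask give the same network."""
    mask = mask_from_prefix(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


def next_hop(src, prefix, dst, gateway):
    """The sending host's decision: deliver directly if the AND results match,
    otherwise hand the packet to the default gateway."""
    return dst if same_subnet(src, dst, prefix) else gateway


def mutually_local(a, prefix_a, b, prefix_b):
    """Each side applies its own mask. A mask mismatch between two hosts on one
    wire gives asymmetric results: one side ARPs for the other directly while
    the other sends via the router, a classic hard-to-spot misconfiguration."""
    return same_subnet(a, b, prefix_a), same_subnet(b, a, prefix_b)


if __name__ == "__main__":
    print(split_address("208.77.188.166", 24))                          # ('208.77.188.0', 166)
    print(int_to_ip(mask_from_prefix(24)), prefix_from_mask("255.255.240.0"))
    print(next_hop("192.168.1.10", 24, "192.168.1.77", "192.168.1.1"))  # delivered directly
    print(next_hop("192.168.1.10", 24, "192.168.2.5", "192.168.1.1"))   # sent to the gateway
    print(mutually_local("192.168.1.10", 24, "192.168.1.200", 25))       # (True, False)
```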
What is a Subnet?
A subnet is a logical organization of network address ranges used to separate hosts and
network devices from each other to serve a design purpose. In many cases, subnets are
created to serve as physical or geographical separations similar to those found between
rooms, floors, buildings, or cities.
1. the number of hosts that needs to exist on the subnet now and in the future;
2. the necessary security controls between networks; and
3. the performance required for communications between hosts.
Legacy Subnets
Legacy subnets were not flexible because they had predefined limitations on their size
and numbers. These were called "classful" networks because each network could be
identified and placed into a specific class from its leading bits alone: class A covered
0.0.0.0 to 127.255.255.255 with an implied /8 mask, class B 128.0.0.0 to 191.255.255.255
with /16, class C 192.0.0.0 to 223.255.255.255 with /24, class D (224.0.0.0 to
239.255.255.255) was multicast, and class E (240.0.0.0 and above) was reserved. Shown
below is a table of the special-purpose IPv4 blocks, with the class each falls into under
the original "classful" definitions:

IP Address Range               CIDR Equivalent   Purpose                       RFC    Class   Total # of Addresses
0.0.0.0 - 0.255.255.255        0.0.0.0/8         Zero Addresses                1700   A       16,777,216
10.0.0.0 - 10.255.255.255      10.0.0.0/8        Private IP addresses          1918   A       16,777,216
127.0.0.0 - 127.255.255.255    127.0.0.0/8       Localhost Loopback Address    1700   A       16,777,216
169.254.0.0 - 169.254.255.255  169.254.0.0/16    Zeroconf / APIPA              3330   B       65,536
172.16.0.0 - 172.31.255.255    172.16.0.0/12     Private IP addresses          1918   B       1,048,576
192.0.2.0 - 192.0.2.255        192.0.2.0/24      Documentation and Examples    3330   C       256
192.88.99.0 - 192.88.99.255    192.88.99.0/24    IPv6 to IPv4 relay Anycast    3068   C       256
192.168.0.0 - 192.168.255.255  192.168.0.0/16    Private IP addresses          1918   C       65,536
198.18.0.0 - 198.19.255.255    198.18.0.0/15     Network Device Benchmark      2544   C       131,072
224.0.0.0 - 239.255.255.255    224.0.0.0/4       Multicast                     3171   D       268,435,456
240.0.0.0 - 255.255.255.255    240.0.0.0/4       Reserved                      1700   E       268,435,456
Classless IP Addresses
With the advent of CIDR (Classless Inter-Domain Routing), the "classful" division of the
address space was lifted. Any network can be defined by an address and a prefix length,
exactly as the "classful" networks of the past could be; all that is required is a block
of contiguous, properly aligned address space large enough to cover all the IP addresses
needed. Classless addressing also lets contiguous blocks be advertised as one aggregate
route, which reduces the overall size of the global routing tables on network devices.
WHAT IS APIPA?
DHCP is a service that functions at the application layer of the TCP/IP protocol stack.
One of the primary tasks of the DHCP service is to automatically assign IP addresses to
DHCP clients. A server running the DHCP service is called a DHCP server. The DHCP
service automates the configuration of TCP/IP clients because addressing is handled by
the service rather than entered by hand on each client. The DHCP server assigns IP
addresses from a predetermined IP address range, called a scope. To summarize, the DHCP
server dynamically assigns IP addresses to DHCP clients, and also allocates TCP/IP
configuration information to DHCP clients, such as DNS server IP address and WINS server
IP address.
When a DHCP client gets no answer from any DHCP server, the APIPA feature assigns the
client an address from the link-local range 169.254.0.0/16 (RFC 3927) with the mask
255.255.0.0. APIPA addresses are invalid on the Internet, and computers that are using
APIPA addresses can only communicate with other computers using APIPA addresses on the
same network segment.
The APIPA feature configures the client with only:
• IP address
• Subnet mask
The APIPA feature cannot configure the client with any other TCP/IP configuration:
• Default gateway
• DNS server IP address
• WINS server IP address
You have to use an alternate configuration to provide the above TCP/IP configuration
information to a client when no DHCP server is available for the client. A practical
consequence is that a host that unexpectedly shows a 169.254.x.x address has failed to
reach its DHCP server, which is the first thing to check.
APIPA is available on:
• Windows 98
• Windows Millennium Edition (Me)
• Windows 2000
• Windows XP
• Windows Server 2003
You can disable the APIPA feature for only one adapter, or you can disable APIPA for
all adapters. The APIPA feature is disabled by editing the Windows Registry: a DWORD
value IPAutoconfigurationEnabled set to 0 under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>
disables it for that adapter, and the same value directly under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters disables it for all
adapters.
Private IP addresses also provide a basic form of isolation: in a typical network
configuration of this type it is not possible for the outside world (Internet) to
establish a connection directly to a host using these addresses. This is a side effect
of address translation, not a security control; a port forwarded on the NAT device, a
connection the host initiates outbound, or an attacker already inside the network all
bypass it.

Name          Start IP address   End IP address    Classful description      Largest CIDR block
24-bit block  10.0.0.0           10.255.255.255    single class A            10.0.0.0/8
20-bit block  172.16.0.0         172.31.255.255    16 contiguous class Bs    172.16.0.0/12
16-bit block  192.168.0.0        192.168.255.255   256 contiguous class Cs   192.168.0.0/16

RFC 1597 was the original specification but is now for historical purposes only; RFC 1918
obsoletes it.
WHAT IS CIDR?
Definition: CIDR is an efficient method for specifying IP addresses to Internet routers. CIDR
was developed to cope with the surge in demand for IPv4 Internet addresses in the 1990s.
Before CIDR, Internet routers used an inefficient IP addressing scheme based on classes.
Organizations like ISPs reserved address blocks in large "Class A," "Class B," or "Class C"
chunks that wasted much of the IP address range.
In contrast, CIDR makes the IP addressing space classless. CIDR associates network masks
with IP network numbers independent of their traditional class. Routers that support CIDR
recognize these networks as individual routes, even though they may represent an
aggregation of several traditional subnets.
Also Known As: Classless Inter-Domain Routing, Classless Internet Domain Routing,
supernetting
Examples:
CIDR shorthand notation writes an IP address and its associated network mask in the form
xxx.xxx.xxx.xxx/n, where 'n' is a number between 0 and 32 that is the number of '1' bits
in the mask: /24 is 255.255.255.0, /0 (0.0.0.0/0) is the default route covering every
address, and /32 is a single host.
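The CIDR behaviour described in this section, as an added example that is not part of the original notes: converting a CIDR string to its mask and size, aggregating contiguous class C networks into one supernet, and the longest-prefix-match rule by which a router picks between an aggregate and a more specific prefix inside it. Only the standard-library ipaddress module is used; the prefixes and next-hop names are made up.

```python
"""CIDR aggregation (supernetting) and longest-prefix match (added example).

Prefixes and next hops below are constructed for the demo.
"""
import ipaddress


def describe(cidr):
    """'208.77.188.166/24' -> (network, mask, prefix length, address count)."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False tolerates host bits being set
    return str(net.network_address), str(net.netmask), net.prefixlen, net.num_addresses


def aggregate(cidrs):
    """Collapse adjacent or overlapping prefixes into the fewest CIDR blocks.
    Eight contiguous, aligned /24s become one /21; a gap leaves separate routes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def longest_prefix_match(table, dst):
    """table maps CIDR -> next hop. The most specific matching route wins,
    which is how a CIDR-aware router chooses between an aggregate and a more
    specific prefix carved out of it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Constructed data: a block of eight class Cs handed out as one CIDR allocation.
EIGHT_CLASS_C = [f"192.168.{i}.0/24" for i in range(8)]
ROUTES = {
    "0.0.0.0/0": "isp-uplink",         # /0 is legal CIDR: the default route
    "192.168.0.0/21": "core-router",   # the aggregate
    "192.168.3.0/24": "lab-firewall",  # a more specific prefix inside the aggregate
}


if __name__ == "__main__":
    print(describe("208.77.188.166/24"))
    print(aggregate(EIGHT_CLASS_C))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]))
    for dst in ("192.168.3.9", "192.168.5.1", "8.8.8.8"):
        print(dst, "->", longest_prefix_match(ROUTES, dst))
```

The longest-prefix rule is also why a BGP prefix hijack typically announces a more specific prefix than the legitimate aggregate: every router that hears the /24 prefers it over the /21 it was inside.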
Disadvantage
Your machine name does not change when you get a new IP address, but the DNS (Domain
Name System) record that maps the name to your IP address does have to change. This
only presents a problem if other clients try to access your machine by its DNS name and
the record has not been updated.
DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol, October 1993)
but the most recent update is RFC 2131 (Dynamic Host Configuration Protocol, March 1997).
The IETF Dynamic Host Configuration (dhc) Working Group is chartered to produce a protocol
for automated allocation, configuration, and management of IP addresses and TCP/IP protocol
stack parameters.
A DHCP server will issue a NAK to a client ONLY IF it is sure that the client, on the
local subnet, is asking for an address that does not exist on that subnet. Two cases
follow from this:
1. The requested address is possibly on the same subnet but not in the address pool of
the server. This is the failover scenario in which two DHCP servers serve the same
subnet, so that when one goes down the other does not NAK clients that got their IP
from the first server.
2. If the address is from the same superscope to which the subnet belongs, the DHCP
server will ACK the REQUEST.
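The ACK/NAK rule above, as an added example that is not part of the original notes. It builds a minimal RFC 2131 DHCPREQUEST with the requested-address option (option 50) and message-type option (option 53), parses it back the way a server would, and decides ACK, NAK, or no answer. The Scope objects and the "superscope" list are a simplified model of the Windows concepts (a real server also consults its lease database); the addresses and pools are constructed for the demo.

```python
"""DHCPREQUEST handling with the ACK/NAK rule (added example, simplified model)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 50, 53, 255
DHCPREQUEST = 3
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")   # fixed header up to and including chaddr (44 bytes)


def build_request(xid, client_mac, requested_ip):
    """BOOTREQUEST header + sname/file padding + magic cookie + options."""
    header = HDR.pack(1, 1, 6, 0, xid, 0, 0x8000,                  # op, htype, hlen, hops, xid, secs, flags
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                      client_mac.ljust(16, b"\0"))
    options = (bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
               + bytes([OPT_REQUESTED_IP, 4]) + ipaddress.ip_address(requested_ip).packed
               + bytes([OPT_END]))
    return header + b"\0" * (64 + 128) + MAGIC_COOKIE + options


def parse_message(msg):
    """Return the fields a server needs: xid, hardware address, and the option map."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    fields = HDR.unpack_from(msg, 0)
    hlen, chaddr = fields[2], fields[11]
    options, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": fields[4], "chaddr": chaddr[:hlen], "options": options}


class Scope:
    """A subnet this server serves, plus the part of it this server hands out."""

    def __init__(self, network, pool_start, pool_end):
        self.network = ipaddress.ip_network(network)
        self.pool = (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))

    def in_pool(self, addr):
        return self.pool[0] <= addr <= self.pool[1]


def decide(request_msg, superscope, client_subnet):
    """superscope: the scopes that together serve one physical subnet.
    client_subnet: where the request arrived from (the receiving interface, or
    giaddr when relayed). Returns 'ACK', 'NAK' or 'SILENT'."""
    req = parse_message(request_msg)
    raw = req["options"].get(OPT_REQUESTED_IP)
    if req["options"].get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]) or raw is None:
        return "SILENT"
    requested = ipaddress.ip_address(raw)
    local = ipaddress.ip_network(client_subnet)
    if not any(s.network == local for s in superscope):
        return "SILENT"   # not a subnet this server is sure about: never NAK blindly
    in_scope = [s for s in superscope if requested in s.network]
    if not in_scope:
        return "NAK"      # the address cannot exist on that subnet
    if any(s.in_pool(requested) for s in in_scope):
        return "ACK"
    return "SILENT"       # same subnet, outside our pool: probably the failover partner's lease


SUPERSCOPE = [Scope("10.1.0.0/24", "10.1.0.10", "10.1.0.100"),
              Scope("10.1.1.0/24", "10.1.1.10", "10.1.1.100")]
MAC = bytes.fromhex("0050560000aa")

if __name__ == "__main__":
    for ip in ("10.1.0.50", "10.1.0.200", "10.1.1.20", "10.9.9.9"):
        print(ip, decide(build_request(0x1234, MAC, ip), SUPERSCOPE, "10.1.0.0/24"))
```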
• DHCP
• Lease duration
• Scopes
• Superscopes
• Multicast scopes
• Scope options
• Installing DHCP
• Understanding the DHCP lease process
• Creating scopes, superscopes, and multicast scopes
• Configuring the lease duration
• Configuring optional IP parameters that can be assigned to DHCP clients
• Understanding how DHCP interacts with DNS
• Configuring DHCP for DNS integration
• Authorizing a DHCP server in Active Directory
• Managing a DHCP server
• Monitoring a DHCP server
Introduction
The TCP/IP protocol is an Active Directory operational requirement. This means that all
computers on a Windows 2000 network require a unique IP address to communicate with
the Active Directory. Static IP addresses can add a lot of administrative overhead. Not
only can management of static IP addresses become time consuming, but such
management also increases the chances of misconfigured parameters. Imagine having to
manually type 10,000 IP addresses and not make a single error. The Dynamic Host
Configuration Protocol (DHCP) can be implemented to centralize the administration of
IP addresses. Through DHCP, many of the tasks associated with IP addressing can be
automated. However, implementing DHCP also introduces some security issues: anyone with
physical access to the network can plug in a laptop and obtain IP information about the
internal network, a rogue DHCP server can hand clients a malicious default gateway or DNS
server, and a client flooding requests can exhaust a scope. DHCP snooping on the access
switches, which allows server replies only from trusted ports and can rate-limit client
requests, limits the last two.
In this chapter, you'll learn how to implement a DHCP server, including the installation
process, authorization of the server, and the configuration of DHCP scopes. The chapter
ends by looking at how to manage a DHCP server and monitor its performance.
What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While
PPP remote access clients do not use DHCP to obtain IP addresses for the remote access
connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform
message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS
domain name. The DHCPInform message is sent after the IPCP negotiation is concluded.
The DHCPInform message received by the remote access server is then forwarded to a
DHCP server. The remote access server forwards DHCPInform messages only if it has
been configured with the DHCP Relay Agent.
Integrating DNS and DHCP management provides practical operational efficiencies that
lower total cost of ownership. Creating a DHCP network automatically creates an
associated DNS zone, for example, reducing the number of tasks required of network
administrators. And integration of DNS and DHCP in the same database instance provides
consistency between service and management views of IP address-centric network services
data.
To place a Windows client in a DHCP user class, so that it receives the options (such as
subnet mask and DNS server addresses) configured for that class on the server, run on
the client:
ipconfig /setclassid "<Name of your Network card>" <Name of the class you created on DHCP and you want to join (Name is case sensitive)>
The following list contains pre-defined vendor classes that are available in Windows
2000 DHCP server.
If you have non-Microsoft DHCP clients, you can define other vendor-specific classes on
the DHCP server. When you define such classes, make sure the vendor class identifier
that you define matches the identifier used by the clients.
User Classes
The following list contains pre-defined user classes that are available in Windows 2000
DHCP server.
Class ID        Class Type                               Description
Unspecified     Default user class                       All DHCP clients that have no user class specified.
RRAS.Microsoft  Default Routing and Remote Access class  All Dial-Up Networking (DUN) clients.
Bootp           Default Bootp class                      All Bootp clients.
In addition to these pre-defined classes, you can also add custom user classes for
Windows 2000 DHCP clients. When you configure such classes, you must specify a
custom identifier that corresponds to the user class defined on the DHCP server.
BootP (the Bootstrap Protocol, the predecessor that DHCP extends) provides:
• a unique IP address to the requester, using the same UDP ports as DHCP (server port
67, client port 68); AND
• (where supported) the ability to boot a system without a hard drive (i.e. a diskless
client).
Apple OS X 10.* Server supports BootP, albeit renamed as NetBoot. The facility allows the
Admin to maintain a selected set of configurations as boot images and then assign sets
of client systems to share (or boot from) that image. For example, Accounting,
Management, and Engineering departments have elements in common but can be unique from
other departments. Performing upgrades and maintenance on three images is far more
productive than working on all client systems individually.
Startup is obviously network intensive, and beyond 40-50 clients the Admin needs to
carefully subnet the infrastructure, use gigabit switches, and host the images local to
the clients to avoid saturating the network. This will expand the number of BootP
servers and multiply the number of images, but the productivity of one BootP server per
50 clients is undeniable.
iii) Stub Zone: A stub zone is a read-only copy of a zone that contains only the records
needed to find its authoritative servers: the SOA for the zone, the NS records, and the
host (A) glue records for those name servers. Make a point of finding the Start of
Authority (SOA) tab at the DNS server.
SRV records: A SRV or Service Record is a category of data in the DNS specifying
information on available services. When looking up a service, a client first looks up
the SRV record for the service to see which server actually handles it (and on which
port), then looks up the Address (A) record for that server to connect to its IP
address.
Authoritative Name Server (NS) record: A zone should contain one NS record for each of
its own DNS servers (primary and secondary). These records are also what the primary
uses to know which servers to NOTIFY when the zone changes, for zone transfer purposes.
These NS records have the same name as the zone in which they are located.
SOA: This record is used when synchronising zone data between multiple servers. A given
zone must have precisely one SOA record, which contains:
• Name of the primary DNS server (MNAME).
• Mailbox of the responsible person (RNAME), written with a dot in place of the "@".
• Serial number: used by secondary DNS servers to check if the zone has changed. If the
serial number on the primary is higher than what the secondary has, a zone transfer
will be initiated. "Higher" is serial-number arithmetic (RFC 1982) over a 32-bit value,
so a serial accidentally set far ahead will stop secondaries from accepting later,
lower serials.
• Refresh interval: how often secondary DNS servers should check if changes are made to
the zone.
• Retry interval: how often a secondary DNS server should retry checking if the first
refresh fails.
• Expire interval: how long the zone will be valid after a refresh. Secondary servers
will discard the zone if no refresh could be made within this interval.
• Minimum (default) TTL: historically the default TTL for new records created within
the zone; now (RFC 2308) used by other DNS servers to cache negative responses (such
as "record does not exist").
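The SOA fields as a secondary server uses them, as an added example that is not part of the original notes. It parses an SOA record written in zone-file syntax, converts the RNAME mailbox, compares serials with the RFC 1982 arithmetic that defines "higher" for a 32-bit counter, and applies the refresh/retry/expire timers. The zone and its values are constructed for the demo.

```python
"""SOA parsing, serial comparison and secondary-server timers (added example)."""
from dataclasses import dataclass


@dataclass
class SOA:
    mname: str      # primary name server
    rname: str      # responsible person's mailbox, with '.' where '@' would be
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL (RFC 2308)


def parse_soa(text):
    """Accepts the one-line or parenthesised multi-line zone-file form, with ; comments."""
    cleaned = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = cleaned.replace("(", " ").replace(")", " ").split()
    if "SOA" in tokens:
        tokens = tokens[tokens.index("SOA") + 1:]   # drop owner / TTL / class / type
    if len(tokens) != 7:
        raise ValueError(f"expected MNAME, RNAME and five numbers, got {tokens}")
    mname, rname, *numbers = tokens
    return SOA(mname, rname, *(int(n) for n in numbers))


def rname_to_email(rname):
    """hostmaster.example.com. -> hostmaster@example.com (first dot becomes '@')."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_is_newer(candidate, current):
    """RFC 1982: newer iff 0 < (candidate - current) mod 2^32 < 2^31.
    A plain '>' breaks when the serial wraps, and a serial set far ahead by
    mistake makes every later, lower serial look old: a common way zones get stuck."""
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)


def secondary_state(soa, now, last_success, last_attempt):
    """What a secondary does at time `now` (seconds), given when its last
    refresh succeeded and when it last tried."""
    if now - last_success >= soa.expire:
        return "expired"      # stop answering for the zone; the data is too old to trust
    if now - last_success < soa.refresh:
        return "fresh"
    if last_attempt > last_success and now - last_attempt < soa.retry:
        return "wait"         # a refresh already failed; back off for RETRY seconds
    return "check"            # query the primary's SOA and compare serials


# Constructed sample record in zone-file syntax.
SAMPLE_SOA = """
example.com.  IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum / negative TTL
"""

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa, rname_to_email(soa.rname))
    print(serial_is_newer(2024010102, soa.serial), serial_is_newer(5, 0xFFFFFFFF))
    print(secondary_state(soa, now=4000, last_success=0, last_attempt=3700))
```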
If you host Web sites on this server and have a standalone DNS server acting as a
primary (master) name server for your sites, you may want to set up your control panel's
DNS server to function as a secondary (slave) name server:
To make the control panel's DNS server act as a secondary name server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode.
3. Specify the IP address of the primary (master) DNS server.
4. Click Add.
5. Repeat steps 1 to 4 for each Web site that needs to have a secondary name server on
this machine.
To make the control panel's DNS server act as a primary for a zone:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode. The original resource records for the zone will
be restored.
If you host Web sites on this server and rely entirely on other machines to perform the
Domain Name Service for your sites (there are two external name servers - a primary and
a secondary), switch off the control panel's DNS service for each site served by external
name servers.
To switch off the control panel's DNS service for a site served by an external name
server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch Off the DNS Service in the Tools group. Turning the DNS service
off for the zone will refresh the screen, so that only a list of name servers remains.
Note: The listed name server records have no effect on the system. They are only
presented on the screen as clickable links to give you a chance to validate the
configuration of the zone maintained on the external authoritative name servers.
3. Repeat steps 1 and 2 to switch off the local domain name service for each site
served by external name servers.
To validate the zone configuration on the external name servers:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Add to the list the entries pointing to the appropriate name servers that are
authoritative for the zone: click Add, specify a name server, and click OK. Repeat
this for each name server you would like to test.
3. Click the records that you have just created. Parallels Plesk Panel will retrieve the
zone file from a remote name server and check the resource records to make sure that
the domain's resources are properly resolved.
Recursion refers to the action of a DNS server querying additional DNS servers (e.g.
local ISP DNS or the root DNS servers) to resolve queries that it cannot resolve from its
own database. So what is the difference between these settings?
The DNS server will attempt to resolve the name locally, then will forward requests to
any DNS servers specified as forwarders. If Do not use recursion for this domain is
enabled, the DNS server will pass the query on to forwarders, but will not recursively
query any other DNS servers (e.g. external DNS servers) if the forwarders cannot resolve
the query.
If Disable recursion (also disables forwarders) is set, the server will attempt to resolve
a query from its own database only. It will not query any additional servers. This is
the right setting for an Internet-facing server that is authoritative for its own zones
only: an open recursive resolver can be abused for amplification attacks and is a larger
target for cache poisoning.
If neither of these options is set, the server will attempt to resolve queries normally:
1. the local database is queried;
2. if an entry is not found, the request is passed to any forwarders that are set;
3. if no forwarders are set, the server will query the servers on the Root Hints tab to
resolve queries beginning at the root domains.
When you install Active Directory on a member server, the member server is promoted to
a domain controller. Active Directory uses DNS as the location mechanism for domain
controllers, enabling computers on the network to obtain IP addresses of domain
controllers.
During the installation of Active Directory, the service (SRV) and address (A) resource
records are dynamically registered in DNS, which are necessary for the successful
functionality of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A
DNS resource records of the domain controller, which provide the client with the names
and IP addresses of the domain controllers. In this context, the SRV and A resource
records are referred to as Locator DNS resource records.
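The SRV lookup described here and in the SRV record paragraph above, as an added example that is not part of the original notes: it parses SRV records in zone-file syntax, orders them by priority and weight as RFC 2782 specifies, and resolves each target to its A record. The records and addresses are constructed; a real client queries _ldap._tcp.dc._msdcs.<domain> and gets the A records from DNS, and a missing A record for a stale SRV target is the failure mode the last function handles.

```python
"""SRV record selection for the domain controller Locator (added example)."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def parse_srv(line):
    """'_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.' -> SRV"""
    tokens = line.split()
    i = tokens.index("SRV")
    priority, weight, port = (int(t) for t in tokens[i + 1:i + 4])
    return SRV(priority, weight, port, tokens[i + 4].rstrip(".").lower())


def order_by_rfc2782(records, seed=None):
    """Lowest priority first. Within one priority, pick targets by weighted
    random selection: weight-0 entries are placed first so they are chosen
    only when the random draw is 0, i.e. rarely, which is the RFC's intent."""
    rng = random.Random(seed)
    ordered = []
    for priority in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == priority),
                      key=lambda r: r.weight != 0)          # stable: weight-0 first
        while pool:
            total = sum(r.weight for r in pool)
            threshold = rng.randint(0, total)
            running, chosen = 0, len(pool) - 1
            for idx, rec in enumerate(pool):
                running += rec.weight
                if running >= threshold:
                    chosen = idx
                    break
            ordered.append(pool.pop(chosen))
    return ordered


def locate(srv_lines, a_records, seed=None):
    """Return [(ip, port), ...] in the order a client should try them.
    Targets with no A record are skipped rather than failing the whole lookup."""
    records = [parse_srv(line) for line in srv_lines]
    return [(a_records[r.target], r.port) for r in order_by_rfc2782(records, seed)
            if r.target in a_records]


# Constructed Locator records: two equal DCs, a low-weight backup, a remote site, a stale entry.
SRV_LINES = [
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 0 389 dc3.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-dr.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-retired.example.com.",
]
A_RECORDS = {"dc1.example.com": "10.0.0.11", "dc2.example.com": "10.0.0.12",
             "dc3.example.com": "10.0.0.13", "dc-dr.example.com": "10.9.0.11"}

if __name__ == "__main__":
    for ip, port in locate(SRV_LINES, A_RECORDS, seed=1):
        print(ip, port)
```

Because the client connects to whatever these records say, the integrity of the zone holding them matters: secure dynamic updates on an AD-integrated zone are what stop an unauthenticated host from registering itself as a domain controller's Locator target.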
When adding a domain controller to a forest, you are updating a DNS zone hosted on a
DNS server with the Locator DNS resource records and identifying the domain
controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and
the DNS server hosting that zone must support the SRV resource records (RFC 2782) to
advertise the Active Directory directory service. For more information about RFCs, see
DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running Windows
2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS
server supports the required standards. If the server does not support the required
standards, or the authoritative DNS zone cannot be configured to allow dynamic updates,
then modification is required to your existing DNS infrastructure.
For more information, see Checklist: Verifying DNS before installing Active Directory
and Using the Active Directory Installation Wizard.
Important
The DNS server used to support Active Directory must support SRV resource records for
the Locator mechanism to function. For more information, see Managing resource
records.
It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS
resource records (SRV and A) before installing Active Directory, but your DNS
administrator may add these resource records manually after installation.
After installing Active Directory, these records can be found on the domain controller in
the following location: systemroot\System32\Config\Netlogon.dns
To add a SRV record by hand in the DNS console, right-click the zone you want to add the
record to and choose "Other New Records".
AD-integrated zones have several advantages:
1. Dynamic updates can be restricted to secure updates only, so that only authenticated
domain members can create or change records and each record is protected by an access
control list. This prevents an unauthenticated host from overwriting another
computer's record.
2. A reverse lookup zone lets you map IP addresses back to names, which helps when
investigating suspicious hosts seen in logs.
3. Windows DNS supports incremental zone transfers (IXFR, RFC 1995) to standard
secondary servers, which transfer only the changes and not the entire zone. This
reduces zone transfer traffic.
4. AD-integrated zones are stored as part of Active Directory and support domain-wide
or forest-wide replication through application partitions in AD, so no separate zone
transfer mechanism is needed between domain controllers.