Networking
Uploaded by ali.oussman

PW COMPUTER NETWORKS – TS2 ELECTRONIC / ENGINEER HAYTHAM HARB

CHAPTER 1
INTRODUCTION TO NETWORKS

1.1- What is a Computer Network?


Computer networking refers to interconnected computing devices that can exchange
data and share resources with each other. These networked devices use a system of
rules, called communications protocols, to transmit information over physical or wireless
technologies.

1.2 - Network Architectures:


Network architecture refers to the way network devices and services are structured to
serve the connectivity needs of client devices. Network devices typically include
switches and routers. Types of services include DHCP and DNS.
Two types of network architecture are used:
- Peer-to-peer network.
- Client/server network.

What is a peer-to-peer network?


In a P2P network, computing devices use software to connect with each other over a
private network, such as a home local area network (LAN), or a public network, such as
the Internet. This direct connection allows each device to share files without requiring
the assistance of a remote server.

What is a client-server network?


The client-server architecture refers to a system in which a server hosts, delivers, and
manages most of the resources and services that the client requests. In this model, all
requests and services are delivered over a network; it is also referred to as the network
computing model or client-server network.

1.3 - Types of Networks:


There are several different types of computer networks. Computer networks can be
characterized by their size as well as their purpose.
The size of a network can be expressed by the geographic area it occupies and the
number of computers that are part of the network. Networks can cover anything from a
handful of devices within a single room to millions of devices spread across the entire
globe.
Some of the different networks based on size are:

- Personal area network, or PAN
- Local area network, or LAN
- Wireless local area network, or WLAN
- Metropolitan area network, or MAN
- Wide area network, or WAN

Personal Area Network


A personal area network, or PAN, is a computer network organized around an
individual person within a single building. This could be inside a small office or
residence. A typical PAN would include one or more computers, telephones, peripheral
devices, video game consoles and other personal entertainment devices.
If multiple individuals use the same network within a residence, the network is sometimes
referred to as a home area network, or HAN. In a very typical setup, a residence will have
a single wired Internet connection connected to a modem. This modem then provides
both wired and wireless connections for multiple devices. The network is typically
managed from a single computer but can be accessed from any device.
This type of network provides great flexibility. For example, it allows you to:

- Send a document to the printer in the office upstairs while you are sitting on the
couch with your laptop.
- Upload a photo from your cell phone to your desktop computer.
- Watch movies from an online streaming service on your TV.

If this sounds familiar to you, you likely have a PAN in your house without having called
it by its name.

Local Area Network


A local area network, or LAN, consists of a computer network at a single site,
typically an individual office building. A LAN is very useful for sharing resources, such
as data storage and printers. LANs can be built with relatively inexpensive hardware,
such as hubs, network adapters and Ethernet cables.
The smallest LAN may only use two computers, while larger LANs can accommodate
thousands of computers.

A LAN typically relies mostly on wired connections for increased speed and security, but
wireless connections can also be part of a LAN. High speed and relatively low cost are
the defining characteristics of LANs.
LANs are typically used for single sites where people need to share resources among
themselves but not with the rest of the outside world. Think of an office building where
everybody should be able to access files on a central server or be able to print a document
to one or more central printers. Those tasks should be easy for everybody working in the
same office, but you would not want somebody just walking outside to be able to send a
document to the printer from their cell phone! If a local area network, or LAN, is entirely
wireless, it is referred to as a wireless local area network, or WLAN.

Wireless Local Area Network


A wireless local-area network (WLAN) is a group of collocated computers or other
devices that form a network based on radio transmissions rather than wired connections.
A Wi-Fi network is a type of WLAN; anyone connected to Wi-Fi while reading this
webpage is using a WLAN.

Metropolitan Area Network


A metropolitan area network, or MAN, consists of a computer network across an
entire city, college campus or small region. A MAN is larger than a LAN, which is
typically limited to a single building or site. Depending on the configuration, this type of
network can cover an area from several miles to tens of miles. A MAN is often used to
connect several LANs together to form a bigger network. When this type of network is
specifically designed for a college campus, it is sometimes referred to as a campus area
network, or CAN.

Wide Area Network


A wide area network, or WAN, occupies a very large area, such as an entire country or
the entire world. A WAN can contain multiple smaller networks, such as LANs or MANs.
The Internet is the best-known example of a public WAN.
A WAN can be set up both physically and virtually. A WAN can connect multiple other
LANs virtually, creating what is called a VLAN. In this sense it is like a LAN of LANs!
When it comes to today's increased use of remote work connections, the WAN is a
powerful tool that provides interfaces to the Internet as well as giving access to systems
that may be spread throughout the world.
One means of connecting to a WAN is through a VPN, or virtual private network. This
allows a secure connection to the WAN, thus protecting your data and device from attack.
In addition to virtual connections, fiber optic provides a backbone to many WAN setups.

o Private Networks
One of the benefits of networks like PAN and LAN is that they can be kept entirely
private by restricting some communications to the connections within the network. This
means that those communications never go over the Internet.

1.4 - Networking Cables


Networking cables are networking hardware used to connect one network device to
other network devices or to connect two or more computers to share devices...
Fiber optic cable, twisted pair cable, and coaxial cable are the three main types of
network cables used in communication systems. Each of them is different and suitable
for various applications.

Fiber Optic Cable


Fiber optic cable consists of a bundle of glass threads, each of which is capable of
transmitting messages modulated onto light waves.
Fiber optic cable has a complicated design and structure. This type of cable has an outer
optical casing that surrounds the light and traps it within a central core. The inside of the
cable (the core) can be configured in one of two ways, single-mode or multi-mode;
although the difference may seem small, it makes a tremendous difference to the
performance and the usage of fiber optic cables.

Twisted Pair Cable


Twisted pair cable is a type of ordinary wiring which connects home and many
business computers to the telephone company. It is made by putting two separate
insulated wires together in a twisted pattern and running them parallel to each other,
which helps to reduce crosstalk or electromagnetic induction between pairs of wires.
Twisted pair cable is suitable for transferring balanced differential signals. This method
of transmitting signals dates back to the early days of the telegraph and radio. The
improved signal-to-noise ratio and the reduced crosstalk and ground bounce that balanced
signal transmission brings are particularly valuable in wide bandwidth and high fidelity
systems.
According to whether the cable has a shielding layer, there are two common types of
twisted pair cable: shielded twisted pair (STP) cable and unshielded twisted pair (UTP)
cable. STP cable is available for Token Ring networks, while UTP cable is more
suitable for Ethernet networks. The most common UTP cable types applied in Ethernet
networks are cat5e, cat6a and cat7 cables, etc. The following image shows the different
structures of UTP and STP cables.

Coaxial Cable
Coaxial cable, or coax cable, is another type of copper cable which has an inner
conductor surrounded by foam insulation, symmetrically wrapped by a woven braided
metal shield, then covered by a plastic jacket (as shown in the following image). This
unique design allows coaxial cable runs to be installed next to metal objects such as gutters
without the power losses that occur in other types of transmission lines. The coaxial cable
acts as a high-frequency transmission cable made up of a single solid copper core;
compared to twisted pair cable, it has 80 times or more transmission capability. This kind
of cable is mainly adopted in feedlines connecting radio transmitters and receivers with
their antennas, computer network connections, and distributing cable television signals.

Conclusion
Choosing among coaxial cable, twisted pair cable, and fiber optic cable mainly
depends on your needs and network topology. You can balance the cost and the
bandwidth requirements to make a choice. Whether coaxial, twisted pair, or fiber, the
cable that suits your network requirements is the best one.

1.5 - Network Devices:


Network devices, also known as networking hardware, are physical devices that
allow hardware on a computer network to communicate and interact with one another.
Examples include the NIC, repeater, hub, switch, bridge, router, gateway and brouter.

1.5.1. Network Interface Card (NIC)


A network interface card (NIC) is a hardware component, typically a circuit board
or chip, which is installed on a computer so it can connect to a network. Modern NICs
provide functionality to computers, such as support for I/O interrupt, direct memory
access (DMA) interfaces, data transmission, network traffic engineering and partitioning,
transfer of bits and flow control, signals encoding/decoding, MAC addressing.
A NIC provides a computer with a dedicated, full-time connection to a network. It
implements the physical layer circuitry necessary for communicating with a data link
layer standard, such as Ethernet or Wi-Fi. Each card represents a device and can prepare,
transmit and control the flow of data on the network.
The NIC uses the OSI model to send signals at the physical layer, transmit data packets
at the network layer and operate as an interface at the TCP/IP layer.

What is a MAC Address?


A MAC (Media Access Control) address, sometimes referred to as a hardware or
physical address, is a unique 48-bit identifier represented as a set of 6 octets in hexadecimal.
The first 3 octets identify the manufacturer's ID, while the last 3 octets represent
the device number. When a computer sends a message to another computer, the message
always includes the MAC addresses of the source and the destination computers.
An example of a MAC address is:

How to find a MAC address?

1.5.2. Repeater – A repeater operates at the physical layer. Its job is to regenerate
the signal over the same network before the signal becomes too weak or corrupted, so as
to extend the length over which the signal can be transmitted on the same network. An
important point to be noted about repeaters is that they do not amplify the signal. When
the signal becomes weak, they copy it bit by bit and regenerate it at its original strength.
It is a 2-port device.

1.5.3. Hub – A hub is basically a multi-port repeater. A hub connects multiple wires
coming from different branches, for example the connector in a star topology which
connects different stations. Hubs cannot filter data, so data packets are sent to all
connected devices. In other words, the collision domain of all hosts connected through a
hub remains one. Also, they do not have the intelligence to find out the best path for
data packets, which leads to inefficiencies and wastage.

- Active Hub: these are hubs that have their own power supply and can clean,
boost, and relay the signal along the network. It serves both as a repeater and
as a wiring center. These are used to extend the maximum distance between
nodes.
- Passive Hub: these are hubs that collect wiring from nodes and draw power
from the active hub. These hubs relay signals onto the network without
cleaning and boosting them and can't be used to extend the distance between nodes.
- Intelligent Hub: it works like an active hub and includes remote management
capabilities. They also provide flexible data rates to network devices. It also enables
an administrator to monitor the traffic passing through the hub and to configure each
port in the hub.

1.5.4. Switch – A switch is a multiport bridge with a buffer and a design that can
boost its efficiency (a large number of ports implies less traffic) and performance. A
switch is a data link layer device. The switch can perform error checking before
forwarding data, which makes it very efficient, as it does not forward packets that have
errors and forwards good packets selectively to the correct port only. In other words, the
switch divides the collision domain of hosts, but the broadcast domain remains the
same.

1.5.5. Bridge – A bridge operates at the data link layer. A bridge is a repeater with
the added functionality of filtering content by reading the MAC addresses of the source
and destination. It is also used for interconnecting two LANs working on the same
protocol. It has a single input and single output port, thus making it a 2-port device.
Types of Bridges
- Transparent Bridges: these are bridges of which the stations are completely
unaware, i.e. whether or not a bridge is added to or deleted from the network,
reconfiguration of the stations is unnecessary. These bridges make use of two
processes: bridge forwarding and bridge learning.
- Source Routing Bridges: in these bridges, the routing operation is performed by the
source station and the frame specifies which route to follow. The host can discover
the route by sending a special frame called the discovery frame, which spreads
through the entire network using all possible paths to the destination.
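
The bridge learning and bridge forwarding processes named above, together with the collision-domain and broadcast-domain behaviour of the switch in 1.5.4, as an added Python example that is not part of the course notes. Port numbers and MAC addresses are constructed values, and the hub model is included only for contrast.

```python
# Added example (not from the course notes): a simulated multi-port transparent
# bridge, i.e. a switch, showing bridge learning and bridge forwarding, beside a
# hub that has no MAC table at all. Ports and MAC addresses are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A multi-port repeater: every frame is sent out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, src, dst):
        return {p for p in self.ports if p != in_port}


class LearningSwitch:
    """A transparent bridge: learns source MACs, forwards by destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # bridge table: MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port and return the set of output ports."""
        # Bridge learning: the source MAC is reachable through the arrival port.
        self.table[src] = in_port
        # Bridge forwarding: a known unicast destination goes out of one port only
        # (and is dropped if it sits on the port it came from); an unknown unicast
        # or a broadcast is flooded to every other port, which is why a switch
        # splits collision domains but leaves the broadcast domain unchanged.
        if dst != BROADCAST and dst in self.table:
            out_port = self.table[dst]
            return set() if out_port == in_port else {out_port}
        return {p for p in self.ports if p != in_port}


def demo():
    """Replay a short constructed frame sequence through a hub and a switch."""
    host_a, host_b, host_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    # (in_port, src, dst) triples: A on port 1, B on port 2, C on port 3.
    frames = [
        (1, host_a, host_b),     # A -> B: B unknown, flooded
        (2, host_b, host_a),     # B -> A: A already learned, sent to port 1 only
        (1, host_a, host_b),     # A -> B: B now known, sent to port 2 only
        (3, host_c, BROADCAST),  # C broadcasts (e.g. ARP): always flooded
        (1, host_a, host_a),     # A -> A: destination on the arrival port, dropped
    ]
    hub, switch = Hub([1, 2, 3, 4]), LearningSwitch([1, 2, 3, 4])
    return [(sorted(hub.receive(*f)), sorted(switch.receive(*f))) for f in frames]


if __name__ == "__main__":
    for hub_ports, switch_ports in demo():
        print(f"hub -> {hub_ports}   switch -> {switch_ports}")
```

Each row of `demo()` pairs the hub's output (always every other port) with the switch's output for the same frame; the broadcast row is the one where the two behave alike.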

1.5.6. Routers – A router is a device like a switch that routes data packets based on
their IP addresses. The router is mainly a Network Layer device. Routers normally
connect LANs and WANs and have a dynamically updating routing table based on
which they make decisions on routing the data packets. The router divides the broadcast
domains of hosts connected through it.

1.5.7. Gateway – A gateway, as the name suggests, is a passage to connect two
networks that may work upon different networking models. They work as messenger
agents that take data from one system, interpret it, and transfer it to another system.
Gateways are also called protocol converters and can operate at any network layer.
Gateways are generally more complex than switches or routers.

1.5.8. Brouter – Also known as a bridging router, it is a device that combines the
features of both a bridge and a router. It can work either at the data link layer or at the
network layer. Working as a router, it is capable of routing packets across networks, and
working as a bridge, it is capable of filtering local area network traffic.

1.6 – Logical Topologies:


The IEEE (Institute of Electrical and Electronics Engineers) has defined three different
network architectures (standards):
- Ethernet (IEEE 802.3)
- Token Ring (IEEE 802.5)
- Wireless (IEEE 802.11)

Ethernet Cabling and Connectors (IEEE 802.3)

Physical layers by speed:
- 10 Mb/s physical layers: 10Base2, 10Base5, 10Base-T, 10Base-F
- 100 Mb/s physical layers: 100Base-T, 100Base-X, 100Base-TX, 100Base-FX
- 1000 Mb/s physical layers: 1000Base-X, 1000Base-LX, 1000Base-T

Cabling types:
- Twisted pair cabling: unshielded twisted pair (UTP), shielded twisted pair (STP)
- Coaxial cabling: Thinnet, Thicknet, CATV
- Fiber optic cabling: single-mode fiber (SMF), multi-mode fiber (MMF)

Ethernet connectors: RJ-45, AUI

1.7 – TCP / IP Models:

Definition and Role:


TCP (Transmission Control Protocol): Divides a message or file into packets that are
transmitted over the internet and then reassembled when the destination is reached.
IP (Internet Protocol): Responsible for the address of each packet so it is sent to the
correct destination.
How TCP/IP works:

The TCP/IP model divides the networking process into four layers, each with different
functions, services and protocols.
A message is passed from one layer to the next, starting at the application layer in one
station and proceeding to the bottom layer, over the channel to the next station and
back up the hierarchy.
Header information (PDU) is added to the message (payload data) as it moves down
through each layer (encapsulation), and the result is then transmitted.
Decapsulation is the reverse process of encapsulation. After reaching the destination,
the message travels back upward and the header information that was added to the
message is removed at each layer.
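
The encapsulation and decapsulation just described, as an added Python example that is not part of the course notes: the application payload is wrapped in a UDP header, then an IPv4 header (with its checksum), then an Ethernet frame header, and the receiver strips and checks them in reverse order. Addresses, ports and the payload are constructed values; `encapsulate`, `decapsulate` and `is_valid_frame` are names chosen here, while the header layouts are the real Ethernet II, IPv4 and UDP formats.

```python
# Added example (not from the course notes): building a frame layer by layer
# (encapsulation) and unwrapping it again (decapsulation). Addresses, ports and
# payload are constructed; the header layouts are the real Ethernet II, IPv4 and
# UDP formats, so the bytes produced could be fed to a packet dissector.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Application data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    # Transport layer: 8-byte UDP header (checksum 0 = not computed, allowed over IPv4).
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Internet layer: 20-byte IPv4 header; the checksum covers the header only.
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment),   # version/IHL, TOS, total length
                         0x1234, 0x4000,                # identification, flags (DF) + offset
                         64, PROTO_UDP, 0,              # TTL, protocol, checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Link layer: 14-byte Ethernet II header (dst MAC, src MAC, EtherType).
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Strip the headers in reverse order, checking each layer before trusting the next."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    # A header carrying a correct checksum sums to zero when re-checksummed.
    if packet[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("corrupt IPv4 header")
    _, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if proto != PROTO_UDP or total_len > len(packet):
        raise ValueError("not a complete UDP packet")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length mismatch")
    return {"src_mac": bytes_to_mac(src_mac), "dst_mac": bytes_to_mac(dst_mac),
            "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
            "ttl": ttl, "src_port": src_port, "dst_port": dst_port, "payload": segment[8:]}


def is_valid_frame(frame: bytes) -> bool:
    """True when every layer parses and checks out, False for truncated or corrupted input."""
    try:
        decapsulate(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    frame = encapsulate(b"hello", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                        "192.168.1.10", "192.168.1.20", 40000, 53)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

The receiver verifies the IPv4 checksum and the length fields before looking at the payload, so a frame with a flipped header bit or a truncated frame is rejected rather than partially decoded.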

1.8 – IP Address:

Addressing
- Physical addressing: MAC address
- Logical addressing: IPv4 (public IP, private IP) and IPv6

IP Addressing:
- Address of identity for the device (What).
- Communicate with other devices over a network (Why).
Length of IP in IPv4 = 32 bits = 2^32 IP addresses
Length of IP in IPv6 = 128 bits = 2^128 IP addresses

IPv4:
32-bit logical addresses = 4 octets (0 to 255)
IP address = Network ID + Host ID
Example: 192.168.39.240
  192      168      39       240
  8 bits   8 bits   8 bits   8 bits
Classes (mask shown in binary, e.g. 1111 1111 0000 0000 0000 0000 0000 0000 = 255.0.0.0):

- Class A: 1.0.0.0 to 126.0.0.0 = N.H.H.H
  Default Subnet Mask = 255.0.0.0
- Class B: 128.0.0.0 to 191.255.0.0 = N.N.H.H
  Default Subnet Mask = 255.255.0.0
- Class C: 192.0.0.0 to 223.255.255.0 = N.N.N.H
  Default Subnet Mask = 255.255.255.0
- Class D: 224 to 239 = Reserved for Multicasting (not used for hosts)
- Class E: 240 to 255 = Reserved for Tests (not used for hosts)

Local Server: 127.0.0.0 → Loop Back Address

0 and 127 belong to Class A theoretically


The Private Addresses:

Private IP Addresses (no Internet):
- Can be used only for computers on local networks. Cannot be used for computers on the Internet.
- Class A: 10.x.x.x to 10.x.x.x
- Class B: 172.16.x.x to 172.31.x.x
- Class C: 192.168.x.x to 192.168.x.x
- Free for all people.

Public IP Addresses (for Internet):
- Can be used for computers on local networks and on the Internet.
- All other IP addresses.
- Paid.

Ex.1: There are 3 computers having the IP addresses
173.20.20.10, 201.100.10.0 and 15.200.200.200.
What is the class of each? Justify your answer.
Solution:
173.20.20.10 → Class B
201.100.10.0 → Class C
15.200.200.200 → Class A

Ex.2: There are 3 computers having the IP addresses
115.10.0.15, 196.10.10.10 and 150.10.10.100.
What is the class of each? Determine the Network ID.
Solution:
115.10.0.15 → Class A, therefore Network ID = 115.0.0.0
196.10.10.10 → Class C, therefore Network ID = 196.10.10.0
150.10.10.100 → Class B, therefore Network ID = 150.10.0.0

Ex.3: There are two computers having the IP addresses
115.10.10.20 and 160.10.20.10.
What is the class of each? Determine the default Subnet Mask.
Solution:
115.10.10.20 → Class A, therefore Subnet Mask = 255.0.0.0
= 1111 1111.0000 0000.0000 0000.0000 0000
160.10.20.10 → Class B, therefore Subnet Mask = 255.255.0.0
= 1111 1111.1111 1111.0000 0000.0000 0000

Ex.4: Convert the IP address 192.168.37.200 into binary.
Solution:
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128  64   32   16   8    4    2    1

Therefore 192 = 128 + 64 = 11000000
168 = 128 + 32 + 8 = 10101000
37 = 32 + 4 + 1 = 00100101
200 = 128 + 64 + 8 = 11001000

Ex.5: Given the two IP addresses 150.10.20.30 and 11.200.200.200,
find the Network ID, the Broadcast ID and the number of usable hosts.
Solution:
- IP: 150.10.20.30
  Network ID = 150.10.0.0
  Broadcast ID = 150.10.255.255
  Number of usable hosts = 2^16 – 2 = 65534 IPs
- IP: 11.200.200.200
  Network ID = 11.0.0.0
  Broadcast ID = 11.255.255.255
  Number of usable hosts = 2^24 – 2 = 16777214 IPs
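
The classful rules of this section and the method of Ex.1 to Ex.5, as an added Python example that is not part of the course notes. Function names (`ip_class`, `network_id`, `broadcast_id`, `usable_hosts`, `summarize`) are chosen here; the class boundaries, default masks and private ranges are the ones given above, and an explicit mask can be passed for the subnetted case (as in Exercise 3F of the exercises that follow).

```python
# Added example (not from the course notes): the classful IPv4 rules of this
# section as small functions: class by first octet, default mask, network ID,
# broadcast ID, usable host count, binary form and the private ranges.

DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
# Private ranges from "The Private Addresses": (first-octet range, second-octet range).
PRIVATE_RANGES = [((10, 10), (0, 255)), ((172, 172), (16, 31)), ((192, 192), (168, 168))]


def octets(ip: str) -> list:
    """Split a dotted-decimal address into four validated integers."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return parts


def to_binary(ip: str) -> str:
    """Dotted decimal -> dotted binary, as worked in Ex.4."""
    return ".".join(f"{o:08b}" for o in octets(ip))


def ip_class(ip: str) -> str:
    """Class from the first octet: A 0-127, B 128-191, C 192-223, D 224-239, E 240-255."""
    first = octets(ip)[0]
    for limit, cls in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return cls
    return "E"


def default_mask(ip: str) -> str:
    cls = ip_class(ip)
    if cls not in DEFAULT_MASKS:
        raise ValueError(f"class {cls} is reserved and has no default mask")
    return DEFAULT_MASKS[cls]


def network_id(ip: str, mask: str = None) -> str:
    """Bitwise AND of address and mask (host part set to 0s); default mask if none given."""
    mask = mask or default_mask(ip)
    return ".".join(str(a & m) for a, m in zip(octets(ip), octets(mask)))


def broadcast_id(ip: str, mask: str = None) -> str:
    """Host part set to 1s: OR the address with the inverted mask."""
    mask = mask or default_mask(ip)
    return ".".join(str(a | (255 ^ m)) for a, m in zip(octets(ip), octets(mask)))


def usable_hosts(mask: str) -> int:
    """2^n - 2 with n = number of 0 bits in the mask (network and broadcast excluded)."""
    host_bits = sum(bin(255 ^ m).count("1") for m in octets(mask))
    return 2 ** host_bits - 2


def is_private(ip: str) -> bool:
    """True for the 10.x.x.x, 172.16-31.x.x and 192.168.x.x ranges listed above."""
    first, second = octets(ip)[:2]
    return any(lo1 <= first <= hi1 and lo2 <= second <= hi2
               for (lo1, hi1), (lo2, hi2) in PRIVATE_RANGES)


def summarize(ip: str, mask: str = None) -> dict:
    """Everything the exercises ask about one address, at a glance."""
    mask = mask or default_mask(ip)
    return {"class": ip_class(ip), "mask": mask, "network": network_id(ip, mask),
            "broadcast": broadcast_id(ip, mask), "usable_hosts": usable_hosts(mask),
            "private": is_private(ip), "binary": to_binary(ip)}


if __name__ == "__main__":
    for address in ("150.10.20.30", "11.200.200.200", "192.168.37.200"):
        print(address, summarize(address))
```

`summarize("150.10.20.30")` reproduces the first half of Ex.5 (class B, network 150.10.0.0, broadcast 150.10.255.255, 65534 usable hosts); passing a mask such as `network_id("172.16.20.23", "255.255.248.0")` applies the same AND to a subnetted address.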

IPv6:
An IPv6 address is 128 bits long. A mask of /64 following the IP address means the first
64 bits are the network address, such as:
0010000000010000110111……………… | ……………………………………….001
  64 bits: the network address (like a street name) on the left side
  64 bits: the Host ID (like a house number) on the right side

- The network "Mask" tells us how many of the 128 bits, in order from left to right,
  are used to identify the network (or street name).
- Each IPv6 address is broken down into 8 groups of 16 bits each, with each group
  being separated by a colon:
  00100… : ……… : ……… : ……… : ……… : ……… : …….. : ……..
  (8 groups of 16 bits each)

Such as:
2001 : 0DB8 : 4545 : 0003 : 0200 : F8FF : FE21 : 67CF
- Network ID (first 64 bits): 2001:0DB8:4545 = main routing prefix, 0003 = subnet ID
- Host ID (last 64 bits): 0200:F8FF:FE21:67CF = interface ID

Ex: (figure) An IPv6 topology with hosts A, B, C, D and a printer on the LANs
2001:DB8:21:111::/64 and 2001:DB8:21:333::/64, and routers R1, R2 and R3 connected
by the links 2001:DB8:21:12::/64 (R1 to R2) and 2001:DB8:21:23::/64 (R2 to R3) on
their Fa 0/0 and Fa 0/1 interfaces.

Comparison between IPv4 and IPv6:

                      IPv4                       IPv6
Address size          32 bits                    128 bits
Address format        Dotted decimal notation    Hexadecimal notation
Number of addresses   4.294.967.296              340.282.366.920.938.463.374.707.431…
                      (millions of addresses)    (trillions of addresses)

Classful and Classless Addressing:

Classful Addressing:
Originally, all IP addresses were classful: they belong to Class A, B, C or D. Class D is
for multicast and is rarely used. Class E is reserved and is not currently used.
Network boundaries are fixed at 8 bits, 16 bits and 24 bits as follows:
- Class A: 8-bit network addresses, mask 255.0.0.0 → e.g. 10.0.0.0 / 8
- Class B: 16-bit network addresses, mask 255.255.0.0 → e.g. 172.16.0.0 / 16
- Class C: 24-bit network addresses, mask 255.255.255.0 → e.g. 192.168.1.0 / 24
Classful addressing architecture was considered a wasteful technique. Let's take an
example to show this: most companies use Class B, which allocates space for up to
65.533 host addresses. A company that needed more than 254 host machines but far
fewer than the 65.533 host addresses would essentially be "wasting" most of the block of
addresses allocated.

Classless Addressing
Classless IP addressing is when you start borrowing "bits" from the host portion to create
more networks. You change the default mask when you have divided your network
into subnets.
154.201.179.42 / 18
(IP address; the first 18 bits represent the network ID)

Classless addressing effectively solved the problem of wasting addresses by providing a
new and more flexible way to specify network addresses in routers. Network boundaries
may occur at any bit: /12, /14, /16, /19, /25 …

Exercises
Exercise 1: Determine the Class, Network and Broadcast Addresses.
IP Address       Class  Default Net mask  Network Address  Broadcast Address
202.98.142.88    C      255.255.255.0     202.98.142.0     202.98.142.255
75.120.35.7      A      255.0.0.0         75.0.0.0         75.255.255.255
180.65.87.125    B      255.255.0.0       180.65.0.0       180.65.255.255
225.115.176.225  D      Reserved for multicast
245.1.1.1        E      Reserved for Tests

Exercise 2: What is the Class of the following IP Addresses?

One way to determine the class of an IP Address is to look at the first bits of the first
octet:
- 1000 0000.0000 1010.1101 1000.0010 0111 → Class B
- 1110 1010.- -.- -.- - → Class D
- 0100 1010.- -.- -.- - → Class A
- 1100 1001.- -.- -.- - → Class C
- 1000 0000.- -.- -.- - → Class B
- 1111 0000.- -.- -.- - → Class E
Another way to determine the class of an IP Address is to look at the first decimal
octet:
- 125.37.200.75 → A / 125 [ 0 – 127 ]
- 206.223.98.5 → C / 206 [ 192 – 223 ]
- 241.123.11.12 → E / 241 [ 240 – 255 ]
- 56.123.67.23 → A / 56 [ 0 – 127 ]
- 135.82.75.3 → B / 135 [ 128 – 191 ]

Exercise 3: A computer has the IP address 162.15.11.0:


A. What is its class? Justify your answer.
B. What is the default mask?
C. What is the network address of the computer? Justify.
D. What is the broadcast address of the network?
E. What is the maximum number of valid addresses for the computers on this
network?
F. A machine has an IP address 172.16.20.23 and a subnet mask 255.255.248.0,
what is the network address of the subnet?

Solution:
A. Class B / 162 [ 128 – 191 ], or 162 → 1010 0010 (first 2 bits are 10).
B. Default Mask: 255.255.0.0
C. Network Address: 162.15.0.0 (set the host part to 0's).
       162. 15. 11.  0  (host)
   AND 255.255.  0.  0  (mask)
     = 162. 15.  0.  0  (network address)
D. Broadcast address: 162.15.255.255
   (set the host part to 1's → 0.0 → 1111 1111.1111 1111 → 255.255)
E. Maximum number of valid addresses for computers: 2^n – 2 (where n is the
   number of host bits) → 2^16 – 2 = 65536 – 2 = 65534 addresses for computers.
F. Network Address of machine 172.16.20.23 with a subnet mask 255.255.248.0:
       172. 16.       20. 23  (host address; third octet 20 = 0001 0100)
   AND 255.255.      248.  0  (subnet mask; third octet 248 = 1111 1000)
     = 172. 16. 0001 0000.  0  (subnetwork address)
     = 172. 16.       16.  0

Exercise 4: Given a Class C network 200.10.1.0 with the Subnet Mask
255.255.255.192:
a. Give the /n notation of the given mask: / 26
   255       255       255       192
   1111 1111 1111 1111 1111 1111 1100 0000
b. Is it a default mask? Justify:
   No, the default mask for Class C is: 255.255.255.0 / 24
c. How many subnet bits?
   2 bits (bits borrowed from the host part)
d. How many host bits?
   6 bits (host bits)
e. What is the number of possible subnetworks or subnets?
   2^n = 2^2 = 4 subnets.
f. What is the number of usable/valid hosts in a subnet?
   2^n – 2 = 2^6 – 2 = 64 – 2 = 62 hosts / subnet.
   – 2 → the subnet address and the broadcast address cannot be used for a computer.
g. Give the Subnet Addresses:
   - 200.10.1.0 (subnet 1; that's the original network address)
   - Block size = 256 – value of the changed mask octet = 256 – 192 = 64
   - 0 + 64 = 64 → 200.10.1.64 (subnet 2)
   - 64 + 64 = 128 → 200.10.1.128 (subnet 3)
   - 128 + 64 = 192 → 200.10.1.192 (subnet 4)
   - 192 + 64 = 256 → STOP
h. Give the addresses of hosts and broadcasts of all Subnets:
   Subnet      200.10.1.0    200.10.1.64   200.10.1.128  200.10.1.192
   First Host  200.10.1.1    200.10.1.65   200.10.1.129  200.10.1.193
   Last Host   200.10.1.62   200.10.1.126  200.10.1.190  200.10.1.254
   Broadcast   200.10.1.63   200.10.1.127  200.10.1.191  200.10.1.255
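
The same subnetting arithmetic generalized to any classful network and mask, as an added Python example that is not part of the course notes: it covers the classless section above (the /n notation and the bits borrowed from the host part), enumerates every subnet with its first host, last host and broadcast as in the table of Exercise 4, and rejects non-contiguous masks of the kind Exercise 7 asks about. Function names are chosen here; 200.10.1.0 with 255.255.255.192 are the exercise's own values, other inputs are constructed.

```python
# Added example (not from the course notes): classless subnetting as worked in
# Exercise 4, generalized to any classful network and any contiguous mask.


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return int.from_bytes(bytes(parts), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def is_valid_mask(mask: str) -> bool:
    """A usable mask is a run of 1 bits followed only by 0 bits (e.g. 255.255.255.224)."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    return 0 < ones < 32 and m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def prefix_length(mask: str) -> int:
    """255.255.255.192 -> 26 (the /n notation)."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(ip_to_int(mask)).count("1")


def classful_prefix(network: str) -> int:
    """Default prefix by class: A /8, B /16, C /24."""
    first = ip_to_int(network) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")


def subnet_plan(network: str, mask: str) -> dict:
    """Subnet/host bit counts and the full subnet table for a classful network under mask."""
    prefix = prefix_length(mask)
    subnet_bits = prefix - classful_prefix(network)   # bits borrowed from the host part
    if subnet_bits < 0:
        raise ValueError("mask is shorter than the class default")
    host_bits = 32 - prefix
    block = 2 ** host_bits                             # addresses per subnet (256 - 192 = 64 in Ex. 4)
    base = ip_to_int(network) & ip_to_int(mask)
    subnets = []
    for i in range(2 ** subnet_bits):
        start = base + i * block
        subnets.append({"subnet": int_to_ip(start),
                        "first_host": int_to_ip(start + 1),
                        "last_host": int_to_ip(start + block - 2),
                        "broadcast": int_to_ip(start + block - 1)})
    return {"prefix": prefix, "subnet_bits": subnet_bits, "host_bits": host_bits,
            "subnet_count": 2 ** subnet_bits, "hosts_per_subnet": block - 2,
            "subnets": subnets}


def subnet_of(ip: str, mask: str) -> str:
    """The subnet address an address belongs to: ip AND mask."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


if __name__ == "__main__":
    plan = subnet_plan("200.10.1.0", "255.255.255.192")
    print(f"/{plan['prefix']}: {plan['subnet_count']} subnets, {plan['hosts_per_subnet']} hosts each")
    for row in plan["subnets"]:
        print(row)
```

`subnet_plan("200.10.1.0", "255.255.255.192")` reproduces questions a to h of Exercise 4 in one call; `subnet_of` answers the "which subnet does this host belong to" question for any address and mask.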

Exercise 5: An enterprise received a Class C address of 202.17.69.0; the network
is composed of 5 subnetworks; each subnet has 10 hosts. The number of subnets
will double next year. The number of hosts in two of the subnets may reach 14
hosts.
a. What subnet mask should you use for this network? Justify.
b. What is the possible number of subnets?
c. What is the number of valid/usable hosts per subnet?
d. Give the address of the third subnet and its host range.

Exercise 6: A machine has the IP Address 10.32.33.34 with the S/M 255.255.0.0
a. Is it private or public? Justify.
b. What is the purpose of this address?
c. What is the IP Class?
d. What is the maximum number of subnets?
e. Give the subnet address of the machine 10.32.33.34
f. Give the broadcast address of the machine 10.32.33.34
g. What are the usable addresses of the subnet of our machine?
h. What is the maximum number of hosts per subnet?
i. Can we assign the IP 10.255.0.0 to a host in one of the subnets above?
j. Can we assign the IP 10.0.255.255 to a host in one of the subnets above?
k. How can a router determine the IP class of a host?
l. How many distinct IPv4 addresses are there?

Exercise 7: Can the following subnet masks (S/M) be used for the purpose of subnetting? Justify.
a. 255.0.0.0
b. 255.255.0.0
c. 255.255.255.0
d. 255.255.255.224
e. 255.255.64.0
f. 255.255.255.32

Exercise 8: Given the IP address 192.168.0.90 with the subnet mask
255.255.255.240:
A. To which class does this IP address belong? Justify your answer.
B. What is the default subnet mask of this class?
C. Is this address a public or a private address? Justify your answer.
D. Give the /n notation of the given subnet mask.
E. How many bits have been reserved for the subnets?
F. How many subnets are available?
G. How many bits have been reserved for the hosts?
H. How many hosts can each subnet contain?
I. Determine the subnet address to which this IP address belongs.
J. Determine the broadcast address to which this IP address belongs.
K. Give the addresses of the first five subnetworks.

Exercise 9: For a MAC address, answer the following questions:
a. How many bits does it consist of?
b. In which base is it usually represented?
c. Give an example of a MAC address and show its structure.
d. How many distinct addresses are there?
e. How is a broadcast address represented?
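
A small MAC address helper, as an added Python example that is not part of the course notes, covering the facts of "What is a MAC Address?" above and the questions of Exercise 9: 48 bits, written as 6 hexadecimal octets, first 3 octets the manufacturer's ID, last 3 the device number, 2^48 possible values, broadcast written as all ones. The group (I/G) and locally administered (U/L) bit checks and the `uuid.getnode()` lookup are standard facts that go beyond the notes; the sample addresses are constructed.

```python
# Added example (not from the course notes): parse, normalize and describe MAC
# addresses. Sample addresses are constructed; the I/G and U/L bit checks are
# standard IEEE 802 facts rather than material from the notes.
import re
import uuid

MAC_BITS = 48
BROADCAST = "FF:FF:FF:FF:FF:FF"
_HEX_ONLY = re.compile(r"^[0-9A-F]{12}$")


def parse_mac(text: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return a 48-bit int."""
    digits = re.sub(r"[:\-.]", "", text.strip()).upper()
    if not _HEX_ONLY.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Canonical colon-separated form: 6 octets of 2 hexadecimal digits."""
    if not 0 <= value < 2 ** MAC_BITS:
        raise ValueError("MAC addresses are 48 bits")
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def describe(text: str) -> dict:
    """Structure of one address: manufacturer ID, device number and special-address bits."""
    value = parse_mac(text)
    canonical = format_mac(value)
    first_octet = value >> 40
    return {
        "canonical": canonical,
        "manufacturer_id": canonical[:8],           # first 3 octets
        "device_number": canonical[9:],             # last 3 octets
        "broadcast": value == 2 ** MAC_BITS - 1,     # all 48 bits set
        # Standard IEEE 802 bits (not from the notes): bit 0 of the first octet marks
        # a group/multicast address, bit 1 a locally administered address.
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def address_space() -> int:
    """How many distinct MAC addresses exist: 2^48."""
    return 2 ** MAC_BITS


def local_mac() -> str:
    """This machine's MAC as reported by uuid.getnode() (a random value if none is found)."""
    return format_mac(uuid.getnode())


if __name__ == "__main__":
    print("distinct addresses:", address_space())
    print("this host:", local_mac())
    for sample in ("00-1a-2b-3c-4d-5e", BROADCAST, "0100.5e00.0001"):
        print(describe(sample))
```

`describe` accepts the three common spellings and always reports the canonical form, so the same device is recognized however a log or a capture wrote its address; `local_mac()` answers the "how to find a MAC address" question for the machine the script runs on.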

Exercise 10: Convert the IPv4 address 192.168.99.1 to Hex (IPv6), then
convert back from IPv6 to IPv4:
From IPv4 to IPv6:
Step 1: Divide the first octet (192) by 16 (since Hex is Base-16)
192/16 = 12 times exactly with 0 left over
→ 12 in Hex is represented as C
→ 0 (zero) in Hex is 0
→ Then, 192 in Hex is: C 0
Step 2: Second octet (168)
168/16 = 10 times with 8 left over because 10*16 = 160
→ 10 in Hex is A
→ 8 in Hex is 8
→ Then, 168 in Hex is: A 8

Step 3: Third octet (99)
99/16 = 6 times with 3 left over
→ 6 in Hex is 6
→ 3 in Hex is 3
→ Then, 99 in Hex is: 6 3

Step 4: Last octet (1)
1/16 = 0 times with 1 left over
→ 0 in Hex is 0
→ 1 in Hex is 1
→ Then, 1 in Hex is: 0 1

So the IPv4 address 192.168.99.1 would be represented in IPv6 as:
C0A8:6301.
The complete IPv6 address would be: 2002:C0A8:6301::1/64

Simple Method:

192       .168      .99       .1         Decimal
1100 0000 1010 1000 0110 0011 0000 0001  Binary
C    0    A    8    6    3    0    1     Hex

→ C0A8 : 6301
→ 2002:C0A8:6301::1/64 (complete address)

From IPv6 to IPv4:
Step 1: According to Base 16 (Hex is Base 16), take C0 and multiply the first
character "C" by 16 and the second character "0" by 1. Add the two decimal
values together to get the IPv4 decimal value, such as:
((C=12)*16) + (0*1) = 192
Steps 2, 3 and 4: repeat the same process as Step 1 with A8, 63
and 01 respectively to get the IPv4 address 192.168.99.1
Remark: Converting table between (Decimal, Binary and Hexadecimal)
Decimal Binary Hexadecimal
0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8
9 1001 9
10 1010 A
11 1011 B
12 1100 C
13 1101 D
14 1110 E
15 1111 F
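As an added example (not part of the handout), the two conversions of Exercise 10 as functions, so the round trip can be checked mechanically: the forward function produces the C0A8:6301 grouping and the 2002:...::1/64 form from the text (plus the IPv4-mapped ::ffff: form, which is my addition), and the reverse function applies the "first digit times 16 plus second digit" rule from the text to each pair. The object field names are mine.

```powershell
# Added example, not part of the course handout: the Exercise 10 conversion in both
# directions. 192.168.99.1 is the address from the exercise; the field names are mine.
function ConvertTo-IPv4Hex {
    param([Parameter(Mandatory)][string]$IPv4)
    $octets = $IPv4.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted-decimal IPv4 address: $IPv4" }
    # Steps 1-4: each octet becomes exactly two hex digits (192 -> C0, 1 -> 01),
    # so the 32 bits fit in two 16-bit IPv6 groups.
    $hex = ($octets | ForEach-Object {
        $n = [int]$_
        if ($n -lt 0 -or $n -gt 255) { throw "Octet out of range: $_" }
        '{0:X2}' -f $n
    }) -join ''
    $groups = $hex.Substring(0, 4) + ':' + $hex.Substring(4, 4)
    [pscustomobject]@{
        IPv4      = $IPv4
        Hex       = $hex                         # C0A86301
        Groups    = $groups                      # C0A8:6301
        SixToFour = "2002:${groups}::1/64"       # 6to4 form used on this page (RFC 3056; intended for public IPv4 addresses)
        Mapped    = "::ffff:$groups"             # IPv4-mapped form (RFC 4291), also written ::ffff:192.168.99.1
    }
}

function ConvertFrom-IPv4Hex {
    param([Parameter(Mandatory)][string]$Hex)
    # Accept "C0A8:6301", "C0A86301" or the full 6to4 address "2002:C0A8:6301::1/64".
    $h = $Hex.ToUpper()
    if ($h -match '^2002:([0-9A-F]{4}):([0-9A-F]{4})') { $h = $Matches[1] + $Matches[2] }
    $h = $h -replace ':', ''
    if ($h -notmatch '^[0-9A-F]{8}$') { throw "Expected 8 hex digits, got: $Hex" }
    # Step 1 of the reverse method: (first digit * 16) + (second digit * 1) for each pair.
    $octets = 0..3 | ForEach-Object {
        $pair = $h.Substring($_ * 2, 2)
        $hi = [Convert]::ToInt32($pair[0].ToString(), 16)
        $lo = [Convert]::ToInt32($pair[1].ToString(), 16)
        $hi * 16 + $lo
    }
    return $octets -join '.'
}

# Round trip on the address from the exercise.
$encoded = ConvertTo-IPv4Hex '192.168.99.1'
$encoded                                       # Hex C0A86301, Groups C0A8:6301, SixToFour 2002:C0A8:6301::1/64
ConvertFrom-IPv4Hex $encoded.SixToFour         # 192.168.99.1
```

Note that 6to4 (the 2002::/16 prefix) embeds a public IPv4 address; with a private 192.168.x.x address the result is only an exercise in notation and would not be routable on the Internet.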


CHAPTER 2
MS WINDOWS SERVER

2.1- Introduction to MS windows server


Microsoft Windows Server OS (operating system) is a series of enterprise-class server
operating systems designed to share services with multiple users and provide extensive
administrative control of data storage, applications and corporate networks.
 Ms Windows Server Installation
 Partitioning.
 Format: the file system (FAT vs NTFS).
 Setup process.
Windows Server 2022 Installation: Step by Step
Step 1:

Part 1: Windows Server 2022 Hardware Requirements


Before we dive into the installation, let’s look at the minimum hardware/system
requirements for installing the Windows Server 2022 operating system.
 Processor: 1.4 GHz 64-bit processor compatible with the x64 instruction set. Supports
NX and DEP, CMPXCHG16b, LAHF/SAHF, and prefetch.
 Memory/RAM: 512 MB (2 GB for the Server with Desktop Experience installation
option). ECC (Error Correcting Code) type or similar technology, for physical host
deployments.
 Disk Space: Minimum 32 GB (Windows Server 2022 using the Server Core
installation option).
 Network Requirements: An Ethernet adapter capable of at least 1 gigabit per second
throughput, compliant with the PCI Express architecture specification.
 Additional requirements: UEFI 2.3.1c-based system and firmware that supports
Secure Boot; Trusted Platform Module; graphics device and monitor capable of Super
VGA (1024 x 768) or higher resolution.
Part 2: Windows Server 2022 Installation Options
When you install Windows Server 2022, you have two installation options.


Choose the install option that serves your needs, based on the information provided below.
 Server Core – In many cases, this is the recommended installation option. Server Core
is a smaller installation that includes the core components of Windows Server and
supports all server roles. However, it doesn’t include a local graphical user interface
(GUI). It is mostly used for remotely managed deployments, usually through
PowerShell, Windows Admin Center, or other server management tools.
 Server with Desktop Experience – If you want a complete installation, including a
full GUI, this is your option. This option has a larger footprint than Server Core. It is
the option most organizations prefer.

Step 2: Make the bootable ISO image for Windows Server 2022
After downloading the Windows Server 2022 ISO file (or obtaining it on DVD or CD),
it's time to prepare your boot environment. You can install Windows Server 2022
on either a physical host or a virtual machine using an ISO image.
Follow one of the relevant Microsoft guides to create your bootable media:
 Create a Bootable USB Flash Drive
 Create Windows Server bootable USB (Rufus)
If you have access to MSDN (via Visual Studio Subscriptions and Benefits), you can
download the Windows Server 2022 ISO from there. All you have to do is generate a
new key by clicking Get Key and use it to activate your installation of Windows
Server 2022.
Step 3: Install Windows Server 2022
With the boot media ready, you can now proceed to install Windows Server 2022. Because
it is an extensive operating system with several editions available for purchase or download,
your company should decide which edition to install before beginning the process.
You can pick from the following editions of Windows Server 2022:
 Windows Server 2022 Standard
 Windows Server 2022 Essentials
 Windows Server 2022 Datacenter
Each edition has different strengths, features, and prices. When thinking about licensing,
keep in mind that every edition of Windows Server 2022 requires a valid license. Now,
let’s get on with the installation process. Continue with the approach you prefer,
Server Core or Desktop Experience.
Step 3.1: Installing Windows Server 2022 (Server Core)
If you want to install Windows Server 2022 using Server Core, follow the instructions in
this section. Server Core is a minimal installation that is administered from a Command
Prompt on the server. It’s suitable for smaller businesses that need to save
space and resources.
1. Power on your physical or virtual machine using the boot media you created.
When prompted, press any key to boot from the media; this starts the installer for
Microsoft’s newest server operating system.

2. Next, select your language, keyboard layout, and time/currency format. Click
"Next" in the window that pops up.

3. Click the Install now button to start the installation of Windows Server 2022.

4. In the next window, choose the Windows Server 2022 edition you want to install
with Server Core, which gives you access to Microsoft's powerful command-line
tools. Click Next to proceed.


5. Next, read the license terms and accept them by checking the “I accept all license
agreements” box; the installation cannot continue otherwise.

6. Select “Custom: Install Windows Server Operating System only” if you're installing
the OS on a fresh server. Otherwise, if upgrading from a previous version of Windows
Server, choose the “Upgrade: Install Microsoft Server Operating System and keep files,
settings, and applications” option.

7. Select the partition to install Windows Server onto. You can optionally create a new
partition or use the entire drive. When you have selected the OS partition, click “Next.”


8. The installer copies the necessary system files. When it has finished, the system
reboots automatically.

9. After the reboot, you are prompted for an administrator password. Enter it, re-enter
it to confirm, and then continue.

10. You are then taken directly to Microsoft’s PowerShell interface, where you can
begin managing your newly installed Windows Server 2022 operating system via the
Server Core interface.


Step 3.2: Installing Windows Server 2022 (Desktop Experience)


If you want to install Windows Server 2022 using Desktop Experience, follow the
instructions in this section. The Desktop Experience installation has a dedicated GUI
(Graphical User Interface) similar to a regular Windows operating system, making server
management easier.
1. Follow the same instructions as the Server Core installation until your system
restarts after installing the operating system. Also, make sure to select Desktop
Experience when choosing your Windows Server 2022 version.
2. After your system restarts, you’ll be greeted with a graphical interface. You’ll be
prompted to create an administrator password before you can proceed.
Click Finish when you’re done.

3. The login screen appears when you press Ctrl + Alt + Del. Enter the password
set in the previous step to log on to your server.
You should see Server Manager launch by default. You can begin configuring
your server here, or explore more options in the Control Panel, which is reached the
same way as on regular Windows operating systems.

2.2- Workgroup and Domain configuration:


2.2.1. Workgroup: A logical grouping of networked computers that share resources,
such as files and printers. A workgroup is sometimes referred to as a peer-to-peer network
because all computers in the workgroup share resources as equals, without a
dedicated server. Each Windows Server computer (for example Windows Server 2003) in a
workgroup maintains its own local security database, which contains the user
accounts and resource security information specific to that computer.

2.2.2. Domain Configuration:


Step 4: Configure your network on Windows Server 2022
The previous sections covered how to install Windows Server 2022, but now it’s time for
configuration. The first things that need configuring on your network are IPs and gateway
addresses so that system admins can manage the server remotely and reach other parts of
their environments, including internet-based services.
Step 4.1: Network configuration on Windows Server 2022 Server Core
The instructions below will help you configure the network if you installed Windows
Server 2022 with a Server Core installation.
To configure the network for Windows Server 2022, run the following command at the
Command Prompt: SConfig
1. A menu opens on the screen. Choose option 8 for Network Settings. You'll be
taken to the network configuration page, where all of these adjustments are made for
both wired and wireless networks.


2. To begin configuration, select which network connection (IP) to configure first. In this
example we choose 1, since our server has only one network connection. Normally
you might see multiple options here; select the one you want to work with first.

3. Once you have selected the connection, you can set its IP and gateway settings.
The computer's network settings are updated automatically; the process should take
no more than five minutes to complete.

Step 4.2: Network configuration on Windows Server 2022 Desktop Experience


The instructions below will help you configure the network if you installed Windows Server
2022 with Desktop Experience.
1. Open the Search interface in your taskbar by clicking the magnifying glass
icon. You can also bring it up with the Windows + S keyboard shortcut.
2. Type Control Panel and click the first matching search result. When
it opens, navigate to Network and Internet > Network Connections.
3. Right-click the network connection you want to configure. We only have one network
connection on the server in our example; however, you may see many
possible options. Pick whichever you want to configure and
choose Properties from the context menu.
4. You can now configure the network connection using the GUI, which
resembles Windows 10’s.
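The same settings that SConfig option 8 (Step 4.1) and the Network Connections dialog (Step 4.2) apply can be scripted, which is how a Server Core box is usually configured in practice. The function below is an added example, not part of the handout; it uses the NetTCPIP and DnsClient cmdlets that ship with Windows Server 2012 and later, and every address in it is a constructed lab value.

```powershell
# Added example, not part of the course handout: the SConfig option 8 / Network Connections
# settings applied from PowerShell (NetTCPIP and DnsClient modules, Windows Server 2012 and
# later, Server Core or Desktop Experience). The addresses are constructed lab values.
function Set-LabStaticIP {
    param(
        [string]  $IPAddress    = '192.168.10.20',
        [int]     $PrefixLength = 24,                                  # 255.255.255.0
        [string]  $Gateway      = '192.168.10.1',
        [string[]]$DnsServers   = @('192.168.10.10', '192.168.10.11')
    )
    # Pick the single connected adapter, as in step 2 of the walkthrough (option 1 in SConfig).
    $adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    if (-not $adapter) { throw 'No connected network adapter found' }

    # Leave DHCP and drop any leased address and default route first, otherwise New-NetIPAddress fails.
    Set-NetIPInterface  -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
    Remove-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue

    # A server that clients, DNS and remote administrators must find needs a fixed address.
    New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers

    # Verify what was applied and that the gateway answers.
    Get-NetIPConfiguration -InterfaceIndex $adapter.ifIndex
    Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet
}

Set-LabStaticIP
```

Run it from an elevated console on the server itself; if the address is wrong you lose the remote session, which is why the last two lines print the resulting configuration and a gateway reachability check before you disconnect.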


2.3- Domain Network:


2.3.1. Role of domain controller:
A domain controller is the server responsible for managing network and identity
security requests. It acts as a gatekeeper and authenticates whether the user is authorized
to access the IT resources in the domain.
In a Windows Server 2003 domain, the domain controller is the Windows Server 2003
server that authenticates domain logons and maintains the security policy and the
security accounts master database for the domain. Domain controllers manage user access
to the network, which includes logging on, authentication, and access to the directory and
shared resources. Two or more domain controllers within a domain also replicate their
databases to each other so that their contents stay consistent.
In summary, a domain controller has three roles:
 User authentication and validation to access your network.
 Regulating access and permissions: overseeing a user's access rights within the
domain.
 Implementing network-wide rules and group security policies, for passwords or
for granting access.

2.3.2. The Active directory:


Active Directory (AD) is a database and set of services that connect users with the
network resources they need to get their work done. The database (or directory)
contains critical information about your environment, including what users and
computers there are and who's allowed to do what.

2.3.3. DNS names:


The domain name system (DNS) is a naming database in which internet domain
names are located and translated into Internet Protocol (IP) addresses. The domain
name system maps the name people use to locate a website to the IP address that a
computer uses to locate that website.

2.3.4. Installing / Uninstalling Active directory:


Create the Active Directory
After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory
Wizard to create the new Active Directory forest or domain, and then convert the Windows
Server 2003 computer into the first domain controller in the forest. To convert a Windows
Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-
ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain.


Note that because this procedure is for a laboratory environment and you are not
integrating this environment into your existing DNS infrastructure, you can use
something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the
suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder,
and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and
then click Next.
10. Click Install and configure the DNS server on this computer, and then
click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server
2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory
Services Restore Mode Administrator blank. Note that in a production
environment this password must be set to a strong password. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take
several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm
that the Domain Name System (DNS) service location records for the new domain
controller have been created. To confirm that the DNS service location records have
been created, follow these steps:
a. Click Start, point to Administrative Tools, and then click DNS to start the
DNS Administrator Console.
b. Expand the server name, expand Forward Lookup Zones, and then expand
the domain.
c. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These
folders and the service location records they contain are critical to Active Directory
and Windows Server 2003 operations.
Removing Active Directory
Active Directory is removed from a domain controller using the same command that is
used to install it, Dcpromo.exe. When you run this command on a computer that is
already a domain controller, the Active Directory Installation Wizard notifies you that it
will uninstall Active Directory if you choose to proceed. Which wizard pages follow
depends on whether the domain controller from which you are removing Active Directory
is the last domain controller for the domain. This section discusses the
implications of removing Active Directory from both the last domain controller and an
additional domain controller in a Windows Server 2003 domain.
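As an added example (not part of the handout, which describes the Windows Server 2003 dcpromo wizard), the same forest creation and removal on Windows Server 2012 or later use the ADDSDeployment cmdlets. The domain name mycompany.local is the page's own lab name; the paths are the current defaults, and the DSRM password is prompted for rather than left blank, since that password is what logs on to the domain controller when the directory is offline.

```powershell
# Added example, not part of the course handout: steps 4-15 of the dcpromo walkthrough as
# the Windows Server 2012+ equivalent (ADDSDeployment module; Windows Server 2003 has no
# PowerShell interface for dcpromo). mycompany.local is the lab name used on this page and
# the paths are the current defaults; everything else is assumed.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# The walkthrough leaves the Directory Services Restore Mode password blank for the lab.
# Do not: it is an offline administrator password for the DC, so always set a strong one.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$forest = @{
    DomainName                    = 'mycompany.local'      # step 6: full DNS name of the new domain
    DomainNetbiosName             = 'MYCOMPANY'            # step 7: NetBIOS name (default suggestion, upper-cased)
    DatabasePath                  = 'C:\Windows\NTDS'      # step 8: NTDS database and logs
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'    # step 9
    InstallDns                    = $true                  # step 10: DNS server on this computer
    SafeModeAdministratorPassword = $dsrm                  # step 12
    Force                         = $true                  # step 13: no interactive confirmation
}
Install-ADDSForest @forest     # step 14; the server reboots when promotion completes (step 15)

# After the reboot: confirm the service location (SRV) records from step 15 without the DNS console.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.mycompany.local' -Type SRV
Resolve-DnsName -Name '_kerberos._tcp.mycompany.local' -Type SRV
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# Removal ("dcpromo again"): demote this DC; add -LastDomainControllerInDomain when it is the last one.
# Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host 'New local Administrator password' -AsSecureString) -Force:$true
```

The two Resolve-DnsName queries are the scripted form of checking the _msdcs and _tcp folders in step 15c: if either returns nothing, domain members will not be able to locate the domain controller and logons will fail.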

2.3.5. Active directory concepts: Forest and trees


An AD tree is a collection of domains, and a forest is a collection of trees.
An AD tree is a collection of one or more domains that share a contiguous namespace and
are linked in a transitive trust hierarchy. A forest is a collection of trees that share the same
characteristics, such as the global catalog, directory schema, directory configuration and
logical structure.
Within a tree, domains communicate through either one-way or two-way trusts.
However, an object in one forest can only communicate with an object in another forest
if the two forests have a forest-level trust.

2.4- The Organizational Unit:


The OU is a particularly useful type of directory object contained within domains. Each
OU is an AD container within a domain into which users, groups, computers, and other
OUs of the domain can be placed. An OU cannot contain objects from other domains.
An OU is the smallest scope or unit to which Group Policy settings can be assigned or to
which administrative authority can be delegated. A hierarchy of OUs can be extended as
necessary to model the hierarchy of an organization within a domain. The administrative
model of the OU can be scaled to any size.
Administrative authority can be delegated for individual OUs or for multiple OUs.
Organizational units can be nested to create a hierarchy within a domain and form logical
administrative units for users, groups, and resource objects, such as printers, computers,
applications, and file shares. The OU hierarchy within a domain is independent of the
structure of other domains: Each domain can implement its own hierarchy. Likewise,
domains that are managed by the central authority can implement similar OU hierarchies.
The structure is flexible, which allows organizations to create an environment that mirrors
the administrative model, whether it is centralized or decentralized.


2.4.1. How to create an Organizational Unit in Windows Server 2003:

An Organizational Unit is a container in an Active Directory domain environment that can
contain domain users, domain groups, domain controllers, published folders, client
computers, etc. When Active Directory services are installed on a Windows Server 2003
computer to promote it to a domain controller, one Organizational Unit, Domain
Controllers, is created by default. This Organizational Unit contains all the domain
controllers of the forest and/or domain. Whenever a new domain controller is promoted,
its account is automatically created in the Domain Controllers Organizational Unit. The main
difference between a simple container (for example the Users container in the domain) and
an Organizational Unit is that you can link Group Policy objects to an Organizational Unit,
which makes tasks easier for the users and limits their permissions at the same time. You
can create a new Organizational Unit by following the steps given below:

1. Log on to the domain controller with administrator privileges.
2. Click the Start button.
3. From the Start menu go to Administrative Tools and from the submenu click
Active Directory Users and Computers.
4. In the Active Directory Users and Computers snap-in, right-click the domain
name, which in this case is TESTDOMAIN.COM.
5. From the context menu go to New and from the submenu click Organizational
Unit.

2.4.2. Delegate control:

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016,
Windows Server 2012 R2, Windows Server 2012. Every Active Directory domain
contains a standard set of containers and organizational units (OUs) that are created
during the installation of Active Directory Domain Services (AD DS). These include the
following:
 Domain container, which serves as the root container to the hierarchy
 Built-in container, which holds the default service administrator accounts
 Users container, which is the default location for new user accounts and groups
created in the domain


 Computers container, which is the default location for new computer accounts
created in the domain
 Domain Controllers OU, which is the default location for domain controller
computer accounts.

2.5- Managing domain user account:


 Account names
 Built in users
 Create, rename, delete, change password, change properties of a user
account
Windows Server 2003 provides specific tools for managing user, group, and computer
accounts, depending on whether the accounts are local to a computer or defined at the
domain level.
Active Directory Users and Computers
The Active Directory Users and Computers interface is used to create and manage users,
groups, computers, and other Active Directory objects for a domain and is only available
on Domain Controllers.

Computer Management
The Computer Management interface is available on all Windows Server 2003 operating
systems. It supports management of audit logs, share assignments and permissions,
system services, as well as user and group accounts. On Domain Controllers, the user
and group accounts are managed from the Active Directory Users and Computers
interface instead of the Computer Management interface.


Even if you will not be using Terminal Services or have any other users on your server,
it is ALWAYS recommended to create two (2) additional users apart from
Administrator: another member of the "Administrators" group (so that you avoid
logging on with the Administrator account itself while keeping the same
privileges) AND a regular user who is part of the "Users" group. It is recommended to
log on only with the regular user and use the "run as" command when you need to run a
program as an Administrator, and to log on with the secondary Administrator user
only when it is absolutely needed. The following shows how to create a secondary
Administrator.

Method:

Click the Start button, then Run...


Then type "lusrmgr.msc" without the quotes

In the window that opens, right click in the right panel and click "New User"

In the New User dialog, type in your preferences for a new user name and password (this
will be our secondary Administrator account). Uncheck User must change password, and
check Password never expires


Now, right click the new user and click Properties in the pop up menu

Go to the "Member of" tab and press the Add button


Type "Administrators" without the quotes, then press the Check Names button (to
complete the name, it will add the name of your computer) and press OK when it is done,
then press OK on the Local Users and Groups dialog.

We now have a secondary Administrator account! To create a regular user (highly
recommended), repeat the same steps up to the user Properties step, leaving the new
account in the "Users" group.

My reasoning

Q: If I already made a new Administrator account why do I have to make a user account?

A: You don't have to, you never have to, but it is recommended in case you stay logged
on, and someone gains control of the desktop (locally or remotely).

Q: Should I stay logged in with the Administrator account or the plain user account?

A: You should log out when you are not doing work on the server directly, however, if
you have a program that requires you to be logged in for it to work (a good example is
the bandwidth monitoring program, DU Meter) then you should stay logged in with the
ordinary user account.

In a Windows server environment, it is very important that only authenticated users are
allowed to log in for security reasons. To fulfill this requirement the creation of User
accounts and Groups is essential.

USER ACCOUNTS
In Windows Server 2003 computers there are two types of user accounts. These types
are local and domain user accounts. The local user accounts are the single user
accounts that are locally created on a Windows Server 2003 computer to allow a user to
log on to a local computer. The local user accounts are stored in Security Accounts
Manager (SAM) database locally on the hard disk. The local user accounts allow you to
access local resources on a computer.


On the other hand, domain user accounts are created on domain controllers and are
saved in Active Directory. These accounts allow you to access resources anywhere on
the network. On a Windows Server 2003 computer that is a member of a domain, you
need a local user account to log on locally to the computer and a domain user account
to log on to the domain. Although you can use the same login and password for both
accounts, they are still entirely different account types.
You are automatically a local administrator on your computer because the local
Administrator account is created when the server is installed. A domain administrator is
also a local administrator on all the member computers of the domain, because by default
the domain administrators group is added to the local Administrators group of every
computer that belongs to the domain.
This article discusses creating local as well as domain user accounts, creating
groups, and then adding members to groups.

CREATING A LOCAL USER ACCOUNT


To create a local user account, you need to:
1. Log on as Administrator, or as a member of the local Administrators group or of the
Account Operators group in the domain.
2. Open Administrative Tools in the Control Panel and then click Computer
Management, as shown in Figure 1.

Figure 1


3. Click Users folder under Local Users and Groups node, as shown in Figure 2.

Figure 2

4. Right-click Users and then click New User in the menu that appears, as shown in
Figure 3:

Figure 3


The New User dialog box appears, as shown in Figure 4.

5. Provide the User name and the Password for the user in their respective fields.
6. Select the desired password settings:
Select User must change password at next logon if you want the user to change
the password the first time they log on. Select User cannot change
password if you do not want the user to be able to change the password. Select Password
never expires if you do not want the password to expire after a number
of days. Select Account is disabled to disable this user account.
7. Click Create, and then click Close:

Figure 4

The user account appears in the right panel of the window when you click the Users node
under Local Users and Groups.
You can now associate the user to a group. To associate the user to a group, you need to:
8. Click Users folder under Local Users and Groups node.
9. Right-click the user and then select Properties from the menu that appears, as shown
in Figure 5:


Figure 5

The Properties dialog box of the user account appears, as shown in Figure 6:
10. Click Member of tab.
The group(s) with which the user is currently associated appears.

11. Click Add.

Figure 6


The Select Groups dialog box appears, as shown in Figure 7.


12. In the Enter the object names to select field, type the name of the group/object
with which you want to associate the user.
If you do not know the group/object names, click the Advanced button to find them.
To choose a different location on the network, click Locations; to validate the names
you typed, click Check Names.
13. Click OK.

Figure 7

The selected group will be associated with the user and will appear in the Properties
window of the user, as shown in Figure 8:

Figure 8
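The secondary-Administrator procedure of section 2.5 and the Computer Management walkthrough above are the same two operations: create a local user, then add it to a group. The function below is an added example, not part of the handout; it scripts both with the LocalAccounts cmdlets (Windows PowerShell 5.1, Windows Server 2016 and later). The account names ops-admin and ops-user are constructed, and the passwords are prompted for rather than written into the script.

```powershell
# Added example, not part of the course handout: the lusrmgr.msc / Computer Management
# procedure scripted with the LocalAccounts cmdlets (Windows PowerShell 5.1, Windows Server
# 2016 and later). The account names are constructed; the passwords are prompted for.
function New-LabLocalAccounts {
    param(
        [string]$AdminName = 'ops-admin',   # secondary Administrator, used only through "run as"
        [string]$UserName  = 'ops-user'     # everyday account, member of Users only
    )

    # Secondary administrator with the two checkboxes from the walkthrough (no forced change,
    # password never expires). A non-expiring admin password must be rotated by hand, so track it.
    $adminParams = @{
        Name                     = $AdminName
        Password                 = Read-Host -Prompt "Password for $AdminName" -AsSecureString
        FullName                 = 'Secondary administrator'
        Description              = 'Elevated tasks only; do not use for interactive logon'
        PasswordNeverExpires     = $true
        UserMayNotChangePassword = $false
    }
    $admin = New-LocalUser @adminParams
    Add-LocalGroupMember -Group 'Administrators' -Member $admin       # "Member of" tab > Add > Administrators

    # Regular user: same dialog, but left in the Users group only, with a normal password expiry.
    $userParams = @{
        Name        = $UserName
        Password    = Read-Host -Prompt "Password for $UserName" -AsSecureString
        FullName    = 'Daily user'
        Description = 'Interactive logon account'
    }
    $user = New-LocalUser @userParams
    Add-LocalGroupMember -Group 'Users' -Member $user -ErrorAction SilentlyContinue   # usually already a member by default

    # Show who ended up where, so the least-privilege split can be checked at a glance.
    [pscustomobject]@{
        Administrators = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
        Users          = (Get-LocalGroupMember -Group 'Users').Name -join ', '
    }
}

New-LabLocalAccounts
```

Afterwards, log on as ops-user and start administrative tools with runas /user:COMPUTERNAME\ops-admin "mmc lusrmgr.msc" (the "run as" the text refers to), logging on as ops-admin only when a task cannot be done that way.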


CREATING A DOMAIN USER ACCOUNT


The process of creating a domain user account is more or less similar to the process of
creating a local user account. The only differences are a few different options on the same
type of screens and a few extra steps in between.
For example, you need the Active Directory Users and Computers MMC (Microsoft
Management Console) snap-in to create domain user accounts, instead of Local Users and
Groups. Also, when you create a user in a domain, the domain is associated
with the user by default. However, you can change the domain if you want.
Besides all this, although a domain user account can be created in the Users container,
it is always better to create it in the desired Organizational Unit (OU).
To create a domain user account, follow the steps given below:
1. Log on as Administrator and open Active Directory Users and Computers MMC
from the Administrative Tools in Control Panel, as shown in Figure 9.
2. Expand the OU in which you want to create the user, right-click the OU and select
New->User from the menu that appears.

Figure 9


3. Alternatively, you can click the Action menu and select New->User from the menu
that appears.
The New Object – User dialog box appears, as shown in Figure 10.
4. Provide the First name, Last name, and Full name in their respective fields.
5. Provide a unique logon name in the User logon name field, and then select a domain from
the dropdown next to the User logon name field if you want to change the domain.
The domain and user name you provided also appear in the User logon
name (pre-Windows 2000) fields, so that the user can log on to domain
computers running earlier versions of Windows such as Windows NT.

Figure 10

6. Click Next.

The second screen of the New Object – User dialog box appears, similar to Figure 4.
7. Provide the User name and the Password in their respective fields.
8. Select the desired password settings:
Select User must change password at next logon if you want the user to change
the password the first time they log on. Select User cannot change
password if you do not want the user to be able to change the password. Select Password
never expires if you do not want the password to expire after a number
of days. Select Account is disabled to disable this user account.

9. Click Next.
10. Verify the user details that you had provided and click Finish on the third screen
of New Object –User dialog box.
11. Follow the steps 9-13 mentioned in Creating a Local User Account section to
associate a user to a group.

2.6- CREATING GROUPS

Just like user accounts, the groups on a Windows Server 2003 computer are of two
types: built-in local groups and built-in domain groups. Examples of built-in domain
groups are Account Operators, Administrators, Backup Operators, Network
Configuration Operators, Performance Monitor Users, and Users. Examples of built-in
local groups are Administrators, Users, Guests, and Backup Operators.
The built-in groups are created automatically when the operating system is installed and
become a part of a domain. However, sometimes you need to create your own groups to
meet your business requirements. Custom groups allow you to limit the access of
users to resources on a network as your business requires. To create custom
groups in a domain, you need to:
1. Log on as Administrator and open Active Directory Users and Computers MMC
from the Administrative Tools in Control Panel, as shown in Figure 9.
2. Right-click the OU and select New->Group from the menu that appears.
The New Object –Group dialog box appears, as shown in Figure 10.
3. Provide the name of the group in the Group name field.
The group name that you have provided will appear in the Group name (pre-Windows
2000) field to ensure that the group is usable on domain computers that are running earlier
versions of Windows such as Windows NT.
4. Select the desired group scope of the group from the Group scope options.
If the Domain Local Scope is selected the members can come from any domain but the
members can access resources only from the local domain.
If Global scope is selected then members can come only from local domain but can
access resources in any domain.
If Universal scope is selected then members can come from any domain and members
can access resources from any domain.
5. Select the group type from the Group Type options.
The group type can be Security or Distribution. Security groups are the only type that can be
used to assign permissions to resources; Distribution groups are used for non-security-related
tasks such as sending e-mail to all the group members.
51
PW COMPUTER NETWORKS – TS2 ELECTRONIC / ENGINEER HAYTHAM HARB

Figure 11

6. Click OK.
You can add members to a group in the same way that you add a user to groups. Right-click the
group under the Active Directory Users and Computers node in the Active Directory Users
and Computers snap-in, select Properties, click the Members tab in the Properties
window of the group and then follow steps 11-13 of the Creating Local User
Accounts section.
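The same group creation, done from the command line as an added example rather than code from the course text. It uses the ActiveDirectory PowerShell module (available from Windows Server 2008 R2 / RSAT onward, so newer than the Server 2003 MMC shown above); the OU path, group names and user names are placeholders. The scope and category parameters correspond directly to the Group scope and Group type options of the New Object – Group dialog, and the block also shows the usual nesting pattern of putting users in a Global group and the Global group in a Domain Local group that carries the permission.

```powershell
# Added example, not part of the original chapter. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT or later). All names below are placeholders.
Import-Module ActiveDirectory

$ouPath = 'OU=Engineering,DC=example,DC=local'   # placeholder OU

# Domain Local scope: members may come from any domain, but the group can only be
# granted access to resources in this domain. Security category: usable for permissions.
$dlGroup = @{
    Name           = 'Eng-FileServer-Modify'
    SamAccountName = 'Eng-FileServer-Modify'   # the "pre-Windows 2000" group name
    GroupScope     = 'DomainLocal'
    GroupCategory  = 'Security'
    Path           = $ouPath
    Description    = 'Modify access to the EngData share (placeholder)'
}
New-ADGroup @dlGroup

# Global scope: members only from this domain, usable for resources in any domain.
$globalGroup = @{
    Name           = 'Eng-Staff'
    SamAccountName = 'Eng-Staff'
    GroupScope     = 'Global'
    GroupCategory  = 'Security'
    Path           = $ouPath
}
New-ADGroup @globalGroup

# Users -> Global group -> Domain Local group -> permission on the resource.
Add-ADGroupMember -Identity 'Eng-Staff' -Members 'jdoe', 'asmith'   # placeholder users
Add-ADGroupMember -Identity 'Eng-FileServer-Modify' -Members 'Eng-Staff'

# Verify scope, type and membership, as the group's Properties window would show them.
Get-ADGroup -Identity 'Eng-FileServer-Modify' -Properties Members |
    Select-Object Name, GroupScope, GroupCategory, Members
```

Creating a Distribution group instead is the same call with GroupCategory set to 'Distribution'; such a group cannot appear in an access control list, which is why the dialog distinguishes the two types.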

SUMMARY
Dealing with User & Group accounts in a Windows Server environment is a very
important everyday task for any Administrator. This article covered basic administration
of user and group accounts at both local and domain environments.
Windows 2003 Group Policies allow the administrators to efficiently manage a group
of people accessing a resource. Group policies can be used to control both the users and
the computers.
They give better productivity to administrators and save their time by allowing them to
manage all the users and computers centrally in just one go.


Group policies are of two types, Local Group Policy and Domain-based Group
Policy. As the name suggests, Local Group Policies allow the local administrator to
manage all the users of a computer to access the resources and features available on the
computer. For example, an administrator can remove the Run command from
the Start menu. This ensures that users will not find the Run command on that
computer.
Domain-based Group Policies allow the domain / enterprise administrators to
manage all the users and the computers of a domain / forest centrally. They can define
the settings and the allowed actions for users and computers across sites, domains and
OUs through group policies.
There are more than 2000 pre-created group policy settings available in Windows Server
2003 / Windows XP. A default group policy already exists. You only need to modify the
values of different policy settings according to your specific requirements. You can create
new group policies to meet your specific business requirements. Group policies allow
you to implement:
Registry based settings: Allows you to create a policy to administer operating system
components and applications.
Security settings: Allows you to set security options for users and computers to restrict
them to run files based on path, hash, publisher criteria or URL zone.
Software restrictions: Allows you to create a policy that would restrict users running
unwanted applications and protect computers against virus and hacking attacks.
Software distribution and installation: Allows you to either assign or publish software
application to domain users centrally with the help of a group policy.
Roaming user profiles: Allows mobile users to see a familiar and consistent desktop
environment on all the computers of the domain by storing their profile centrally on a
server.
Internet Explorer maintenance: Allows administrators to manage the IE settings of the
users' computers in a domain by setting the security zones, privacy settings and other
parameters centrally with the help of group policy.

USING LOCAL GROUP POLICY


Local Group Policies affect only the users who log in to the local machine but domain-
based policies affect all the users of the domain. If you are creating domain-based policies
then you can create policy at three levels: sites, domains and OUs. Besides, you have to
make sure that each computer must belong to only one domain and only one site.
A Group Policy Object (GPO) is stored on a per-domain basis. However, it can be
linked to multiple domains, sites and OUs, and a single domain, site or OU can
have multiple GPOs linked to it. Any domain, site or OU can also be linked to a
GPO stored in another domain.


When a GPO is defined it is inherited by all the objects under it and is applied in a
cumulative fashion successively starting from local computer to site, domain and each
nested OU. For example if a GPO is created at domain level then it will affect all the
domain members and all the OUs beneath it.
After applying all the policies in hierarchy, the end result of the policy that takes effect
on a user or a computer is called the Resultant Set of Policy (RSoP).
To use GPOs with greater precision, you can apply Windows Management
Instrumentation (WMI) filters and Discretionary Access Control List (DACL)
permissions. The WMI filters allow you to apply GPOs only to specific computers that
meet a specific condition. For example, you can apply a GPO to all the computers that
have more than 500 MB of free disk space. The DACL permissions allow you to apply
GPOs based on the user's membership in security groups.
Windows Server 2003 provides a GPMC (Group Policy Management Console) that
allows you to manage group policy implementations centrally. It provides a unified view
of local computer, sites, domains and OUs (organizational units). You can have the
following tools in a single console:
 Active Directory Users and Computers
 Active Directory Sites and Services
 Resultant Set of Policy MMC snap-in
 ACL Editor
 Delegation Wizard

The screenshot below shows four tools in a single console.

A group policy can be configured for computers or users or both, as shown here:


The Group Policy editor can be run using the gpedit.msc command.
Both kinds of policy are applied at the periodic refresh of Group Policy and can be used to
specify desktop settings, operating system behavior, user logon and logoff scripts,
application settings, security settings, assigned and published application options and
folder redirection options.
Computer-related policies are applied when the computer starts up and user-related
policies are applied when a user logs on to the computer.

2.7- CONFIGURING A LOCAL GROUP POLICY:

To configure a local group policy, you need to access the group policy editor. You can
use Group Policy Editor by logging in as a local administrator from any member server
of a domain or a workgroup server but not from a domain controller.
Sometimes this tool, or other Active Directory tools that you need to manage group policy,
does not appear in Administrative Tools. In that case you need to follow the steps
given below to add the Group Policy Object Editor snap-in to a console.
1. Click Start-Run and type mmc. The Console window appears, as shown below:
2. Select Add/remove Snap-in from the File menu.


The Add/Remove Snap-in window appears, as shown below:


3. Click Add.
4. The Add Standalone Snap-in window appears.
5. Select Group Policy Object Editor snap-in from the list.
6. Click Add and then click OK in Add/remove Snap-in window.

The Select Group Policy Object window appears, as shown below:


7. Keep the default value “Local Computer”.
8. Click Finish.


The Local Computer Policy MMC appears, as shown below.


You can now set the Computer Configuration or User Configuration policies as
desired. This example takes User Configuration setting.
9. Expand User Configuration node:

10. Expand Administrative Templates and then select the Start Menu and
Taskbar node, as shown in Figure 7.
11. Double-click the settings for the policy that you want to modify from the right panel.
In this example double-click Remove Run Menu from Start Menu.


The properties window of the setting appears as shown in the below screenshot:
12. Click Enabled to enable this setting.

Once you click on 'OK', the local policy that you have applied will take effect and all the
users who would log on to this computer will not be able to see the Run menu item of
the Start menu.
This completes our Local Group Policy configuration section. Next section
covers Domain Group Policies that will help you configure and control user access
throughout the Active Directory Domain.
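A way to verify that the policy configured above actually reached the user, added here as an example and not taken from the course text. The Remove Run menu setting is a registry-based administrative template setting: when it is enabled it writes the NoRun value under the Explorer policies key of the current user's hive, and gpresult shows the Resultant Set of Policy that produced it. The block assumes Windows XP / Server 2003 or later with gpresult.exe and gpupdate.exe present; the function name is my own.

```powershell
# Added example, not part of the original chapter. Checks the registry value that the
# "Remove Run menu from Start Menu" administrative template setting writes when enabled.

function Test-RunMenuRemoved {
    # Policy values for Explorer live under the per-user Policies key; NoRun = 1 means
    # the Run item is hidden for this user.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoRun -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

# Resultant Set of Policy for the user scope: which GPOs (local, site, domain, OU)
# were applied and in which order, after the cumulative processing described above.
gpresult /scope user /v

if (Test-RunMenuRemoved) {
    'The Run menu is removed by policy (NoRun = 1).'
} else {
    'NoRun is not set; run "gpupdate /force" to refresh policy, or check the setting.'
}
```

Because the setting is written to HKEY_CURRENT_USER, it is in place only after the user logs on and the user configuration part of the policy has been applied; a computer configuration setting would instead appear under HKEY_LOCAL_MACHINE after a restart.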

SUMMARY
Group Policies are an Administrator's best friend. Group Policies can control every
aspect of a user's desktop, providing enhanced security measures and restricting access
to specified resources. Group policies can be applied to a local server, as shown on this
article, or to a whole domain.

Audit Policies
Security Administration

Auditing is both a proactive and reactive security measure. It informs administrators of
events that might be potentially dangerous and leaves a trail of accountability that can be
referenced in the future.

By default, all auditing is turned off; if you want to use this feature, you'll need to turn it
on. The easiest way to do this is through a security template that is applied to all your
servers.

Before you can configure a template for auditing, you must first plan your audit policy.
The following categories are available for auditing:

■ Account logon events

■ Account management

■ Directory service access

■ Logon events

■ Object access

■ Policy change

■ Privilege use

■ Process tracking

■ System events

On non-domain controller computers, you'll use either Computer Management or a GPO
to enable auditing on the local machine. On a domain controller, you'll use a Group Policy
to edit the audit policy.

When developing your audit policy, you'll need to account for three elements:

■ Who will be audited

■ Whether to audit failed events, successful events, or both

■ What type of object access will be audited

When you want to audit an individual resource such as a folder or printer, you'll need to
enable object access auditing on the computer hosting the resource. Then you'll need to
go to the resource's Properties dialog box and enable auditing there as well. Hence, when
auditing for object access, there is always a two-step process that doesn't exist with other
event categories.

The results of your auditing policy are displayed in the Security Event Log. This log
displays detailed information about the chosen events.


The "Event Logs" section of this chapter discusses how to use security templates to
configure the behavior of all logs on your Windows Server 2003 servers, Windows 2000-
based servers, and Windows 2000 and Windows XP Professional workstations.

The auditing options are as follows:

Audit account logon events Tracks events related to user logon and logoff activity
system-wide. Events are recorded on the domain controllers in your domain even if they
occur on member servers or workstations.

Audit account management Tracks account management actions in Active Directory
Users And Computers. Any time that a user, a computer, or a group account is created,
modified, or deleted, an event can be generated and placed in the log file.

Audit directory service access Tracks access to Active Directory by users or computers.
You will need to configure the object's properties to audit either success or failed events.

Audit logon events This is the same as Windows NT's Logon and Logoff audit category.
User logon and logoff activities are recorded in the local server's logs. This policy records
only activity for the local server to which the policy is applied.

Audit object access Tracks access to objects on non-domain controllers. You will need
to configure the object's properties to audit either success or failed events.

Audit policy change Tracks changes to user rights, auditing, and trust relationships.

Audit privilege use Tracks the use of user rights and privileges, such as when a user shuts
down a server.

The audit privilege use policy does not track the following user rights: bypass
traverse checking, debug programs, create a token object, replace a process-level
token, generate security audits, back up files and folders, and restore files and folders. If
you want to track backup and restore activities, you'll need to override this default
behavior by enabling Audit Use Of Backup And Restore Privilege under the Security Options node
nested inside the Local Policies node.

Audit process tracking Tracks each process running on the server and the resources that
it uses.

Audit system events Tracks system events such as startup, shutdown, and restart. It also
tracks actions that affect system security or changes to the security log.

To turn on auditing, navigate to the desired template, drill down to the Audit Policy node
as shown in Figure 8, and make your selections.


FIGURE 8 Audit log selections for a security template

To enable auditing for object access, you'll need to access the folder or file properties
directly and enable it. To do so, follow these steps:

1. Open the object's Properties dialog box.

2. Click the Security tab.

3. Click the Advanced button to open the object's Access Control Settings dialog box.

4. Click the Auditing tab, click Add, select the accounts that you want to audit, and then
click OK.
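The two-step object access audit described above, scripted as an added example (this is not code from the chapter). Step 1 turns on the Audit object access category by applying a security template with secedit.exe; the [Event Audit] section and its value encoding (0 = no auditing, 1 = success, 2 = failure, 3 = both) are the template format that the Security Templates snap-in itself saves. Step 2 adds the audit entry to the folder's system access control list (SACL), which is what the Auditing tab edits. The folder path, the audited identity and the function name are placeholders; the block has to run from an elevated prompt.

```powershell
# Added example, not part of the original chapter. Run as an administrator.

# --- Step 1: enable the audit categories through a security template -------------
# Value meaning in [Event Audit]: 0 = none, 1 = success, 2 = failure, 3 = both.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
'@
$inf = Join-Path $env:TEMP 'audit-policy.inf'
$template | Set-Content -Path $inf -Encoding Unicode
# secedit applies the template; /areas SECURITYPOLICY limits it to the policy sections.
secedit /configure /db "$env:TEMP\audit-policy.sdb" /cfg $inf /areas SECURITYPOLICY /quiet

# --- Step 2: add an audit entry (SACL) to the resource itself --------------------
function Add-FolderAudit {
    param(
        [string]$Path,                     # folder to audit, e.g. 'E:\Finance'
        [string]$Identity = 'Everyone',    # whose access is audited
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Delete, Write',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    # -Audit reads the SACL, which needs the Manage auditing and security log right.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the audit entries now on the folder so the change can be confirmed.
    return (Get-Acl -Path $Path -Audit).Audit
}

Add-FolderAudit -Path 'E:\Finance'   # placeholder path
```

Without step 1, the SACL entry is stored but no event is ever written; without step 2, the category is on but nothing is selected for auditing, so the Security Event Log stays empty. On Windows Server 2003 a successful open of an audited file appears in the Security log as event ID 560 (Object Open), which is where the "Event Logs" section picks up.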


CHAPTER 3
PERMISSIONS

3.1- Disk volume properties:

On a dynamic disk, you manage volume properties. On a basic disk, you manage local
disk properties. Volumes and local disks perform the same function, and the options
discussed in the following sections apply to both. The examples are based on a dynamic
disk using a simple volume. If you are using basic storage, you will view the local disk
properties rather than the volume properties.

To view the properties of a volume, right-click the volume in the upper half of the Disk
Management main window and choose Properties. This brings up the volume Properties
dialog box, as shown in Figure 1.

FIGURE 1 The volume Properties dialog box

In the dialog box, the volume properties are organized on seven tabs (five for FAT
volumes): General, Tools, Hardware, Sharing, Security, Quota, and Web Sharing. The
Security and Quota tabs appear only for NTFS volumes. These tabs are covered in detail
in the following sections.

Configuring General Properties

The information on the General tab of the volume Properties dialog box (see Figure 6.8)
gives you a general idea of how the volume is configured. This dialog box shows the
label, type, file system, used and free space, and capacity of the volume. The label is
shown in an editable text box, and you can change it if desired. The space allocated to
the volume is shown in a graphical representation as well as in text form.

The volume or local disk label is for informational purposes only. For example,
depending on its use, you might give a volume a label like APPS or ACCTDB.

The Disk Cleanup button starts the Disk Cleanup utility, which allows you to delete
unnecessary files and free disk space. This utility is covered in more detail later in this
chapter in the "Using the Disk Cleanup Utility" section.

Accessing Tools

The Tools tab of the volume Properties dialog box, shown in Figure 6.9, provides access
to three tools:

■ Click the Check Now button to run the Check Disk utility. You would check the volume
for errors if you were experiencing problems accessing the volume or if the volume had
been open during a system restart that had not gone through a proper shutdown sequence.
The Check Disk utility is covered later in this chapter in the "Troubleshooting Disk
Devices and Volumes" section.

■ Click the Backup Now button to run the Backup Wizard. This Wizard steps you
through backing up the files on the volume. Backup procedures are covered in Chapter
15, "Performing System Recovery Functions."

■ Click the Defragment Now button to run the Disk Defragmenter utility. This utility
defragments files on the volume by storing files in a contiguous manner on the hard drive.
Defragmentation is covered in detail later in this chapter in the "Defragmenting Disks"
section.

Viewing Hardware Information

The Hardware tab of the volume Properties dialog box, shown in Figure 6.10, lists the
hardware associated with the disk drives that are recognized by the Windows 2000
operating system. The bottom half of the dialog box shows the properties of the device
highlighted in the top half of the dialog box.

[Screenshot: Local Disk (D:) Properties, Hardware tab. The upper list shows the recognized
devices by Name and Type (two hard disk drives, a floppy disk drive and a DVD/CD-ROM drive);
the lower Device Properties area shows Manufacturer, Hardware Revision, Location and Device
Status: "This device is working properly."]

For more details about a hardware item, highlight it and click the Properties button in the
lower-right corner of the dialog box. This brings up a Properties dialog box for the item.
Figure 2 shows an example of the disk drive Properties dialog box. With luck, your device
status will report that "This device is working properly." If the device is not working
properly, you can click the Troubleshooter button to bring up a troubleshooting Wizard
to help you discover what the problem is.

FIGURE 2 A disk drive Properties dialog box accessed through the Hardware tab of the
volume Properties dialog box


Sharing Volumes

The Sharing tab of the volume Properties dialog box, shown in Figure 3, allows you to
specify whether or not the volume is shared. By default, all volumes are shared. The share
name is the drive letter followed by a $ (dollar sign). The $ indicates that the share is
hidden. From this dialog box, you can set the user limit, permissions, and caching for the
share.

Configuring Security Options

The Security tab of the volume Properties dialog box, shown in Figure 4, appears only if
the volume is NTFS. The Security tab is used to set the NTFS permissions for the volume.
Notice that the default permissions allow the Everyone group Full Control permissions at
the root of the volume. This could cause major security problems if any user decides to
manipulate or delete the data within the volume.


Setting Quotas

Like the Security tab, the Quota tab of the volume Properties dialog box appears only if
the volume is NTFS. Through this tab, you can limit the amount of space users can use
within the volume. Quotas are covered in detail later in this chapter in the "Setting Disk
Quotas" section.

3.2- NTFS File and Folder Permissions:


[Figure: the standard NTFS permissions. File permissions: Full Control, Modify, Read &
Execute, Write, Read. Folder permissions: Full Control, Modify, Read & Execute, Write, Read,
List Folder Contents.]

Introduction

NTFS file permissions

NTFS permissions are used to specify which users, groups, and computers can access
files and folders. NTFS permissions also dictate what users, groups, and computers can
do with the contents of the file or folder.

The following table lists the standard NTFS file permissions that you can grant and the
type of access that each permission provides.

NTFS file permission   Allows the user to:
--------------------   -------------------------------------------------------------
Full Control           Change permissions, take ownership, and perform the actions
                       permitted by all other NTFS file permissions
Modify                 Modify and delete the file and perform the actions permitted by
                       the Write permission and the Read & Execute permission
Read & Execute         Run applications and perform the actions permitted by the Read
                       permission
Write                  Overwrite the file, change file attributes, and view file
                       ownership and permissions
Read                   Read the file and view file attributes, ownership, and
                       permissions

NTFS folder permissions control access to folders and the files and subfolders that are
contained in those folders. The following table lists the standard NTFS folder
permissions that you can grant and the type of access that each permission provides.

NTFS folder permission   Allows the user to:
----------------------   -------------------------------------------------------------
Full Control             Change permissions, take ownership, delete subfolders and files,
                         and perform actions permitted by all other NTFS folder permissions
Modify                   Delete the folder and perform actions permitted by the Write
                         permission and the Read & Execute permission
Read & Execute           Traverse folders and perform actions permitted by the Read
                         permission and the List Folder Contents permission
Write                    Create new files and subfolders in the folder, change folder
                         attributes, and view folder ownership and permissions
Read                     View files and subfolders in the folder, folder attributes,
                         ownership, and permissions
List Folder Contents     View the names of files and subfolders in the folder

Permission Inheritance for Files and Folders

By default, when you add a folder or file to an existing folder, the folder or file inherits
the permissions of the existing folder. For example, if the Domain Users group has access
to a folder and you add a file to this folder, members of the Domain Users group will be
able to access the file. Inherited permissions are automatically assigned when files and
folders are created.


When you assign new permissions to a folder, the permissions propagate down and are
inherited by all subfolders and files in the folder, and supplement or replace existing
permissions. If you add permissions on a folder to allow a new group to access the folder,
these permissions are applied to all subfolders and files in the folder, meaning the
additional group is granted access. On the other hand, if you were to change the
permissions on the folder so that, for instance, only members of the Engineering group
could access the folder, these permissions would be applied to all subfolders and files
in the folder, meaning only members of the Engineering group would have access to the
folder, its subfolders, and its files.

Inheritance is automatic. If you do not want the permissions of subfolders and files within
folders to supplement or replace existing permissions, you must override inheritance
starting with the top-level folder from which the permissions are inherited. A top-level
folder is referred to as a parent folder. Files and folders below the parent folder are
referred to as child files and folders. This is identical to the parent/child structure of
objects in Active Directory.

Changing Shaded Permissions and Stopping Inheritance

If a permission you want to change is shaded, the file or folder is inheriting the permission
from a parent folder. To change the permission, you must do one of the following:

• Access the parent folder and make the desired changes. These changes will then be
inherited by child folders and files.

• Select the opposite permission to override the inherited permission if possible. In most
cases, Deny overrides Allow, so if you explicitly deny permission to a user or group for
a child folder or file, this permission should be denied to that user or group of users.

• Stop inheriting permissions from the parent folder and then copy or remove existing
permissions as appropriate.

To stop inheriting permissions from a parent folder, right-click the file or folder in
Windows Explorer, and then select Properties. In the Security tab of the Properties dialog
box, click Advanced to display the Advanced Security Settings dialog box.

[Screenshot: Advanced Security Settings for EngData, Permissions tab. The Permission
entries list shows columns Name, Permission, Inherited From and Apply To; for example
Domain Users - Full Control - <not inherited> - This folder, subfolders and files, and
inherited entries for Administrators, SYSTEM, CREATOR OWNER (Subfolders and files only)
and Users (Read & Execute, and Special). Below the list are the check boxes "Allow
inheritable permissions from the parent to propagate to this object and all child
objects. Include these with entries explicitly defined here." and "Replace permission
entries on all child objects with entries shown here that apply to child objects",
followed by an Apply button.]

Change inheritance as necessary.

Clear Allow Inheritable Permissions From The Parent To Propagate To This Object. You
now have the opportunity to copy over the permissions that were previously applied or
remove the inherited permission and only apply the permissions that you explicitly set on
the folder or file. Click Copy or Remove as appropriate.

Selecting this option means that the parent permission entries that apply to child objects
will no longer be applied to this object.

-To copy the permission entries that were previously applied from the parent to this
object, click Copy.

-To remove the permission entries that were previously applied from the parent and keep
only those permissions explicitly defined here, click Remove.

-To cancel this action, click Cancel.



Copy over or remove the inherited permissions.

Resetting and Replacing Permissions

Another way to manage permissions is to reset the permissions of subfolders and files
within a folder, replacing their permissions with the current permissions assigned to the
folder you are working with. In this way, subfolders and files get all inheritable
permissions from the parent folder and all other explicitly defined permissions on the
individual subfolders and files are removed.

To reset permissions for subfolders and files of a folder, right-click the file or folder in
Windows Explorer, and then select Properties. In the Security tab of the Properties dialog
box, click Advanced to display the Advanced Security Settings dialog box.

Select Replace Permission Entries on All Child Objects with Entries Shown Here, and
click OK. As shown in Figure 21-19, you will see a prompt explaining that this action
will remove all explicitly defined permissions and enable propagation of inheritable
permissions. Click Yes.

Figure 21-19. Confirm that you want to replace the existing permissions on
subfolders and files.

File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of
ownership as it applies to files and folders. In Windows Server 2003, the file or folder
owner isn't necessarily the file or folder's creator. Instead, the file or folder owner is the
person who has direct control over the file or folder. File or folder owners can grant access
permissions and give other users permission to take ownership of a file or folder.

The way ownership is assigned initially depends on where the file or folder is being
created. By default, the user who created the file or folder is listed as the current owner.
Ownership can be taken or transferred in several ways. Any administrator can take
ownership. Any user or group with the Take Ownership permission can take ownership.
Any user who has the right to Restore Files And Directories, such as a member of
the Backup Operators group, can take ownership as well. Any current owner can transfer
ownership to another user as well.


Taking Ownership of a File or Folder

You can take ownership using a file or folder's Properties dialog box. Right-click the file
or folder, and then select Properties. In the Security tab of the Properties dialog box,
display the Advanced Security Settings dialog box by clicking Advanced. Next, select the
Owner tab. In the Change Owner To list box, select the new owner. If you're taking
ownership of a folder, you can take ownership of all subfolders and files within the folder
by selecting the Replace Owner On Subcontainers And Objects option. Click OK twice
when you are finished.
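The three Advanced Security Settings operations covered in this section (stopping inheritance with Copy or Remove, replacing permission entries on all child objects, and taking ownership) as one added PowerShell example; this is not code from the chapter. It uses Get-Acl and Set-Acl with the .NET DirectorySecurity methods, so the GUI buttons map one to one: SetAccessRuleProtection($true, $true) is Copy, SetAccessRuleProtection($true, $false) is Remove. The folder path, the owner account and the function names are placeholders. As the text notes, assigning ownership to an account other than yourself needs the Restore Files And Directories right, so run this as an administrator.

```powershell
# Added example, not part of the original chapter. Paths and accounts are placeholders.

# Which entries are inherited (shown shaded in the GUI) and which are explicit.
function Get-PermissionEntries {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Clear "Allow inheritable permissions from the parent to propagate to this object".
# $CopyInherited = $true is the Copy button (inherited entries become explicit ones);
# $false is the Remove button (only entries explicitly defined here remain).
function Disable-Inheritance {
    param([string]$Path, [bool]$CopyInherited = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $CopyInherited)
    Set-Acl -Path $Path -AclObject $acl
}

# "Replace permission entries on all child objects": every subfolder and file goes back
# to inheriting, and its own explicit entries are removed, so the parent's entries win.
function Reset-ChildPermissions {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $acl.SetAccessRuleProtection($false, $false)   # inherit from the parent again
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($rule)
        }
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

# Owner tab: change the owner, optionally on all subcontainers and objects as well.
function Set-FolderOwner {
    param([string]$Path, [string]$Owner, [switch]$Recurse)
    $account = New-Object System.Security.Principal.NTAccount($Owner)
    $targets = @(Get-Item -Path $Path)
    if ($Recurse) { $targets += Get-ChildItem -Path $Path -Recurse -Force }
    foreach ($item in $targets) {
        $acl = Get-Acl -Path $item.FullName
        $acl.SetOwner($account)
        Set-Acl -Path $item.FullName -AclObject $acl
    }
}

$folder = 'E:\EngData'                                  # placeholder folder
Get-PermissionEntries -Path $folder                     # review before changing anything
Disable-Inheritance -Path $folder -CopyInherited $true  # keep a copy of what was inherited
Set-FolderOwner -Path $folder -Owner 'EXAMPLE\Administrator' -Recurse
Get-PermissionEntries -Path $folder                     # all entries now show IsInherited = False
```

Reviewing the entries before and after is worth the two extra lines: the Remove variant in particular can leave a folder that nobody but the owner can reach, and the owner's implicit right to change permissions is then the only way back in.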


CHAPTER 4
SHARING

4.1- Share a folder, drive, or printer:


Once File and Printer Sharing is installed, to share a folder or drive:

1. Right-click the folder or drive you want to share.

2. Click Properties. From the Sharing tab, click Advanced Sharing.

3. Click Share this folder.

4. In the appropriate fields, type the name of the share (as it appears to other computers),
the maximum number of simultaneous users, and any comments that should appear
beside it.
5. If you would like to grant access to particular groups or individuals, click Permissions to
add the appropriate groups or usernames.

6. If you are using NTFS, check the permissions in the Security tab to ensure that they are
properly set to allow access to the share. Because Security settings override Share
permissions, it is possible for people on the Permissions list to be denied access to the
share because they either are not specified or are denied specifically in the Security list.

Note:

FAT32 does not provide the same level of security as NTFS; if you're using FAT32, you
will not see the Security tab.

7. Click OK.
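The share created in the steps above, with both the share permissions and the NTFS permissions set from PowerShell, as an added example that is not part of the course text. New-SmbShare and Get-SmbShareAccess belong to the SmbShare module, which exists on Windows Server 2012 and later, so this is newer than the dialog shown; on older servers the net share command does the same job. The folder path, share name and group names are placeholders. The NTFS part replaces the inherited Everyone: Full Control entry from the volume root, which the Security tab section earlier flagged as a risk, with explicit entries for administrators, the system and the one domain local group that should have access.

```powershell
# Added example, not part of the original chapter. Run as an administrator on the
# file server. All names below are placeholders.
$path  = 'E:\EngData'                      # folder to share
$share = 'EngData'                         # name other computers see
$group = 'EXAMPLE\Eng-FileServer-Modify'   # domain local group carrying the permission

# Share layer: only the intended group (Change) and administrators (Full); no Everyone.
New-SmbShare -Name $share -Path $path `
             -ChangeAccess $group `
             -FullAccess 'BUILTIN\Administrators' `
             -Description 'Engineering data (placeholder)'

# NTFS layer: stop inheriting the volume root's entries and define our own.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # remove inherited entries, keep none
$entries = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($group,                   'Modify')
)
foreach ($e in $entries) {
    # Applies to this folder, subfolders and files (ContainerInherit + ObjectInherit).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $e[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Review both lists: a user must be allowed on the share list to connect at all, and the
# NTFS list then decides what that user may do with the files.
Get-SmbShareAccess -Name $share
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Granting Change rather than Full at the share layer is deliberate: Full on the share would let a member change NTFS permissions on files they own through the share, which is rarely what a data folder needs.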

To share a printer:

1. From the Control Panel, open Devices and Printers.

2. Right-click the printer you want to share. Click Printer Properties, and then select
the Sharing tab.

3. Check Share this Printer. Under Share name, select a shared name to identify the printer.
Click OK.

Access a shared folder or printer


To find and access a shared folder or printer:

1. Search for Network, and click to open it.

2. Select Search Active Directory at the top of the window; you may need to first select
the Network tab on the upper left.

3. From the drop-down menu next to "Find:", select either Printers or Shared Folders.

4. You can now enter search terms in the appropriate fields to modify the search; to start the
search, click Find Now. To search for shared printers and folders that match any criteria,
click Find Now without entering any search terms.

5. You will see a list of shared printers and folders that are available on the network.
Double-click the item to which you want to connect.

If you know the exact name of the computer and the share, or the exact name of the
printer, you can enter it directly:

1. Navigate to a search field. Enter two backslashes, the name of the computer, another
backslash, and then the name of the share or printer. For example, if the name of the
computer is bl-iub-threepio.ads.iu.edu and the name of the share is r2d2, type:

\\bl-iub-threepio.ads.iu.edu\r2d2

2. Click OK.

If you need to repeatedly access a shared folder or network drive, you can map to it.
Mapping creates a persistent link to the share, allowing you to double-click its icon in My
Computer whenever you want access.

Share and NTFS Permissions

Introduction

The file server permissions must be carefully implemented to provide appropriate access
to content. This involves locking down permissions on the share and physical folders.

Permissions

The following table lists permissions that were used for the file server share and folders
in the Shared Hosting Setup mentioned in the Planning the Web Hosting
Architecture section of the Hosting Guidance. Based on the shared hosting environment
used, server administrators should develop their own custom permissions that meet their
needs.

Path: \\server\share$ (share)
Permissions: Domain Administrators - Full Control; Domain Users - Change; MachineAccounts$ - Full Control
Reason: The share permissions need to allow the administrators and site accounts to access the content. The physical path will be restricted to the permissions actually needed.

Path: E:\Content (physical path of share)
Permissions: Administrators - Full Control; System - Full Control
Reason: This is the folder that is shared. It does not need permissions for any accounts aside from the built-in Administrators group and System account.

Path: E:\Content\<sitename> (the container for a specific site or user)
Permissions: Administrators - Full Control; System - Full Control; Site Owner - List Folder Contents
Reason: This folder is used as a container for folders like the site's home directory and its log files. The Site Owner should be able to read this folder but does not need write access.

Path: E:\Content\<sitename>\wwwroot (the IIS home directory for the site)
Permissions: Administrators - Full Control; System - Full Control; Site Owner - Modify; App Pool Username - Read
Reason: This is the root of a Web site belonging to the user account. App Pool Username is used as both the application pool identity and the anonymous username for the Web site.

Path: E:\Content\<sitename>\Logs (the container for logs)
Permissions: Administrators - Full Control; System - Full Control; Site Owner - Read
Reason: Note that this folder for logs is stored ABOVE the root of the site, so that it is not accessible by a visitor browsing the site. It is not recommended that you put this folder in any location accessible from a Web browser, for security purposes.

Path: E:\Content\<sitename>\Logs\FailedReqLogs (the container for failed request tracing logs)
Permissions: Administrators - Full Control; System - Full Control; App Pool Username - Full Control
Reason: This is the folder used to store Failed Request log files, which allow a site owner to diagnose problems with their Web site. These logs are written by the worker process identity, App Pool Username.

Path: E:\Content\<sitename>\Logs\W3SVCLogFiles (the container for W3SVC traffic logs)
Permissions: Administrators - Full Control; System - Full Control; MachineAccount$ - Full Control
Reason: This is the folder used to store the log files for the Web site, which allow a site owner to see their traffic patterns. If the server administrator does not wish to share these files or wants to provide an alternate method for determining traffic, these files can be stored elsewhere. MachineAccount$ is the Web server's machine account, as these logs are written by HTTP.SYS.

4.2- Configuring Permissions:

To configure permissions for the share

1. In Windows Explorer, right-click the folder you want to share, and then
click Properties.
2. On the Sharing tab, click Advanced Sharing.
3. In User Account Control, click Continue to accept the prompt that Windows needs
your permission to perform the action.
4. In the Advanced Sharing dialog box, check Share this folder.
5. Set the Share name and Comments as appropriate. To make the share hidden, add
a $ to the end of the share name.

Note

Hiding a share means that when you connect to \\server you will not see the share
unless you specifically enter the path \\server\share$.


6. Click Permissions.
7. In the Permissions dialog box, remove the Everyone group, if it exists.

8. Add the appropriate user or group that should have access to the share.
9. Specify the permissions (Full Control, Change, Read) for the user or group.
10. Click OK twice and then click Close to close the dialog boxes.

To configure permissions for the folder structure

1. In Windows Explorer, right-click the folder you want to share, and then
click Properties.
2. On the Security tab, click Edit.
3. In the Permissions dialog box, add the appropriate users or groups that should have
access at each level of the folder structure.
4. Specify the permissions (Full control, Modify, Read & execute, List folder contents,
Read, Write, Special permissions) for the users or groups.
5. Click OK twice to close the dialog boxes.
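The PowerShell script below is an added example, not part of the course text or of Microsoft's own guidance: it performs the two procedures above from the command line, creating the folder tree from the permissions table in section 4.1 with the listed NTFS entries and then publishing it as a hidden share carrying the table's share permissions. The domain CONTOSO, the site name site1, the owner, application-pool and machine account names, and the share name Content$ are placeholders; New-GuiRule and Set-FolderRules are helper names chosen here; it needs the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
$domain   = 'CONTOSO'                   # placeholder domain name
$site     = 'site1'                     # placeholder <sitename>
$root     = 'E:\Content'
$siteRoot = Join-Path $root $site
$owner    = "$domain\$site-owner"       # the table's "Site Owner" account (placeholder)
$appPool  = "$domain\$site-apppool"     # the table's "App Pool Username" (placeholder)
$machine  = "$domain\WEBSERVER$"        # the Web server's machine account, MachineAccount$ (placeholder)
$admins   = 'BUILTIN\Administrators'
$system   = 'NT AUTHORITY\SYSTEM'

# Map the names shown on the Security tab to .NET rights. "List folder contents" is
# Read & execute applied to subfolders only, which is how Windows stores it.
function New-GuiRule([string]$Identity, [string]$GuiName) {
    $inherit = 'ContainerInherit,ObjectInherit'
    switch ($GuiName) {
        'Full Control'         { $rights = 'FullControl' }
        'Modify'               { $rights = 'Modify' }
        'List folder contents' { $rights = 'ReadAndExecute'; $inherit = 'ContainerInherit' }
        'Read'                 { $rights = 'Read' }
        default                { throw "Unknown permission name: $GuiName" }
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, $inherit, 'None', 'Allow')
}

# Create the folder and give it exactly the listed entries: inheritance from the parent is
# cut so that, as the table requires, only the named accounts have access at each level.
function Set-FolderRules([string]$Path, [hashtable]$Rules) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    foreach ($id in $Rules.Keys) { $acl.AddAccessRule((New-GuiRule $id $Rules[$id])) }
    Set-Acl -Path $Path -AclObject $acl
}

# One call per row of the table, from the physical share path down to the log folders.
$full = @{ $admins = 'Full Control'; $system = 'Full Control' }
Set-FolderRules $root     $full
Set-FolderRules $siteRoot ($full + @{ $owner = 'List folder contents' })
Set-FolderRules (Join-Path $siteRoot 'wwwroot')            ($full + @{ $owner = 'Modify'; $appPool = 'Read' })
Set-FolderRules (Join-Path $siteRoot 'Logs')               ($full + @{ $owner = 'Read' })
Set-FolderRules (Join-Path $siteRoot 'Logs\FailedReqLogs') ($full + @{ $appPool = 'Full Control' })
Set-FolderRules (Join-Path $siteRoot 'Logs\W3SVCLogFiles') ($full + @{ $machine = 'Full Control' })

# Share permissions from the first row of the table ("Domain Administrators" is the
# Domain Admins group); the trailing $ hides the share as described in section 4.2.
New-SmbShare -Name 'Content$' -Path $root -FullAccess "$domain\Domain Admins", $machine `
    -ChangeAccess "$domain\Domain Users" | Out-Null
```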

Create a Shared Folder in Windows Server 2003

To create a shared folder, follow these steps:

1. Right-click the folder that you want to share and click Properties.

2. Click the Sharing tab.

3. Click Share this folder and type the share name. By default, the share name is the
same as the folder name.

4. Click Apply and then click OK. A hand icon appears beneath the folder, indicating that
the folder is now shared.
