4.4. Troubleshooting Client Access to Remote Services in a Network

The greatest benefit of creating a network is the ability to share resources between the computers within the network. This benefit can only be realized if all of the components of the network are configured properly to allow the client to access the resources. Basically, there is no "in between" or "almost able to connect"; either all of the factors that affect network communication are configured properly or the network will not function properly for the user. Because of this, it is important that you understand all of the factors that can be involved in network communication and how to troubleshoot any problems that crop up related to these factors. In this section, we discuss each of these factors in detail.

4.4.1. Critical Information

You should understand and be able to troubleshoot all of the factors involved in a client connecting to remote resources on a network. These include:

  • File services

  • Print services

  • Authentication

  • Protocol configuration

  • Physical connectivity

  • Small office/home office (SOHO) router

4.4.1.1. File Services

File services are protocols or services that enable computers to communicate with one another on a network for the purpose of sharing information. In other words, they enable the process of sharing files and folders on a network. Depending on the type of computers on your network, you might use many different types of file services. In this section, we discuss the most common file services used in today's networks: SMB, NetWare, and NFS.

4.4.1.1.1. Server Message Block (SMB)

Server message block (SMB) is a protocol used for sharing files, folders, and printers. It was first developed by IBM in the early 1980s, but it has since been enhanced and refined by Microsoft and other companies. SMB works as a client-server, request-response mechanism in many clients and servers, including all Microsoft clients and servers. Clients typically connect to the servers using the NetBIOS over TCP/IP protocol, but other protocols can also be used, such as IPX/SPX. Responding to the need for higher security, the latest Microsoft operating systems use SMB signing, which forces servers to identify themselves with a digital certificate instead of just a NetBIOS name. The newest versions of SMB that support signing are also being referred to as Common Internet File System (CIFS).

Typically, SMB works with few errors, but if you decide to use SMB signing with the newer operating systems, you should ensure that all clients and servers are capable of providing the service. Windows 2000 and later clients and servers provide this capability through Group Policy. Windows NT Service Pack 3 and higher can also be modified to provide SMB signing capability. There are two main levels of security with SMB:


Share level

Protection is applied at the share on the server. Each share can have its own password. This would most likely be used in a workgroup environment, rather than in a domain environment.


User level

Access to files and folders is based on user rights. A user must either log into the server itself or log into the domain of which the server is a member. This is the most common type of SMB file service.
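The SMB signing compatibility check described above can be run across a whole inventory before the policy is tightened. This is an added example, not from the book: the host names and settings are constructed, and the negotiation model (each side either can sign when asked or requires signing, matching the "if agrees" and "always" signing policies) is an assumption about the SMB1-era behavior the text covers.

```python
from itertools import product

# Constructed inventory. "enabled" = will sign if the peer agrees,
# "required" = refuses any session that is not signed.
CLIENTS = {
    "WS-XP-01":  {"enabled": True,  "required": False},
    "WS-NT4-02": {"enabled": False, "required": False},  # signing never configured
    "WS-2K-03":  {"enabled": True,  "required": True},
}
SERVERS = {
    "DC-01":  {"enabled": True,  "required": True},
    "FS-01":  {"enabled": True,  "required": False},
    "FS-NT4": {"enabled": False, "required": False},
}

def signing_outcome(client, server):
    """Return 'signed', 'unsigned' or 'fails' for one client/server pair."""
    c_can = client["enabled"] or client["required"]
    s_can = server["enabled"] or server["required"]
    # A side that requires signing drops a peer that cannot sign at all.
    if (client["required"] and not s_can) or (server["required"] and not c_can):
        return "fails"
    # Signing is used only when both sides are able to do it.
    return "signed" if (c_can and s_can) else "unsigned"

def audit(clients, servers):
    """Map every (client, server) pair to its negotiated outcome."""
    return {
        (c, s): signing_outcome(clients[c], servers[s])
        for c, s in product(clients, servers)
    }

def pairs_with(results, outcome):
    """Sorted list of (client, server) pairs that ended in the given outcome."""
    return sorted(pair for pair, got in results.items() if got == outcome)

if __name__ == "__main__":
    results = audit(CLIENTS, SERVERS)
    for label in ("fails", "unsigned"):
        for client, server in pairs_with(results, label):
            print(f"{label:8} {client} -> {server}")
```

The "fails" pairs are the connection problems a user will report after signing is made mandatory; the "unsigned" pairs still connect but get none of the protection signing was enabled for.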

4.4.1.1.2. NetWare File Services

NetWare file services work in roughly the same way as SMB: they provide access to files and folders through a network. NetWare file services, however, are proprietary to NetWare servers and clients. The most common troubleshooting that you might encounter would involve permissions for network shares. NetWare has a complex and sophisticated system of permissions for users and groups. This can be an advantage if you are familiar with the system—or a disadvantage if you are not.

4.4.1.1.3. NFS/Samba

NFS is the original file-sharing system used by Linux clients and servers. NFS allows a type of "drive mapping" that enables a disk on the server to be shared for the client so that the user can utilize the remote disk in the same way as the local disks on his computer. Samba is an extension of NFS which makes a type of SMB functionality available so the client can access specific files and folders on a disk. In addition, Samba makes shares available to Windows clients as well as Linux clients.

4.4.1.2. Print Services

Just as file services allow access to shared files and folders in a network, print services allow users to utilize shared printers. It's easier to understand printing terminology if you remember that printers are actually software and not hardware. Now, before you think I'm joking or just plain crazy, let me explain that a little further.

Printers are the software installed in an operating system that allows client computers to access and print to the print devices on a network. This may, at first, seem like just a distinction in terminology, but it's actually a very important fact. It's important because once you understand that printers are software, then print permissions, printer priorities, and printer pools become much easier to understand as well. Depending on the operating system you are using, the file systems that we discussed earlier can all provide print services, including permissions, printer priorities, and printer pools. In the paragraphs that follow, we will discuss each of these concepts in detail.

4.4.1.2.1. Printer Permissions

The exact terminology of printer permissions varies with the file and print service that you use, but all printer permissions offer approximately the same levels of permissions. We will use Microsoft printer permissions as an example, since they are the most common. Microsoft printer permissions are as follows:


Print

Allows a user to print to a printer and therefore receive output from the print device. A user can also manage his own document in the printer's queue, but cannot manage documents of other users.


Manage Documents

Allows a user to manage the print queue in regard to all of the documents. The user can also pause printing and stop and restart the spooler. A user with only Manage Documents permissions cannot print to the printer.


Manage Printer

Allows a user to print, to manage the queue and all of the print device operations, and to manage the printer and change its properties and the permissions of all users assigned to the printer.

4.4.1.2.2. Printer Priorities

When more than one user or group of users is utilizing the same print device, you can use printer priorities to determine whose documents will be given priority in the print queue. With printer priorities, multiple printers are used for the same print device, with different priorities assigned to each of the printers. Permissions are then used to ensure that only the groups that should have the higher-priority printer are able to access it. The result of sending a print job with a higher-priority printer is that the print job with higher priority will "jump" over all of the lower-priority print jobs in the queue and be printed as soon as the current document finishes printing. Figure 4.13 shows the Priority setting on the Advanced tab of a printer's properties dialog box.

Figure 4.13. The Priority setting for a printer

4.4.1.2.3. Printer Pools

Printer pools are logically the opposite of printer priorities. Whereas printer priorities involve multiple printers with only one print device, printer pools involve multiple print devices that all use the same printer. When a user sends a print job to a printer that controls a printer pool, the printer sends the print job to the first available print device. Printer pools are useful when a large clerical staff sends a great number of documents to the printer and that one device cannot possibly keep up with the demand on an ongoing basis. Some third-party services, such as HP Jetdirect, inform a user about the print device to which the document was sent; most operating system file and print services do not. For this reason, all of the print devices should be located in the same physical area to make finding the printed document easier for the user. Also, all of the print devices in a printer pool should ideally be identical, since they will all use exactly the same printer. Figure 4.14 shows the port settings on a printer with a printer pool.

Figure 4.14. Printer pool settings on a printer

4.4.1.3. Authentication

As we discussed earlier, authentication is the process of proving the identity of a user or a computer. Many types of authentication protocols are in use today, and they continue to evolve with the need for increased security in today's networks. In Chapter 2, we discussed the various authentication protocols that can be used between clients and servers in a remote connection. We also discussed the local authentication protocols that can be used within a network, such as Kerberos.

The main factor of which you should be aware in regard to authentication is the fact that two computers that are attempting to communicate must share an authentication protocol in order for communication to be successful. In fact, the best way to understand authentication is to think about it in regard to only two computers at a time. In other words, the client may be able to authenticate to many servers using several different methods, but the main factor that we are concerned with is "Can it authenticate with a specific server with a method that the server understands?" If it can, then the other methods that it might also be able to use are of little or no consequence for this specific connection. If it cannot, then we should make sure that the client and the server have at least one configured authentication mechanism in common.

4.4.2. Protocol Configuration

In Chapter 2 we discussed the major protocols (or rules of behavior) that computers use to communicate with one another in a network. We also stated that TCP/IP was by far the most common protocol used in today's networks. In this section, we briefly discuss the most common TCP/IP configuration errors that affect remote connections.

It should be understood that we are defining "remote connections" as any connection to a resource or service outside of the computer. This means that remote connections could be connections to a resource on your own LAN or they could be a connection through the Internet. With this in mind, the major factors that might affect TCP/IP protocol configuration and therefore require troubleshooting are as follows:


IP address

The IP address configured for a computer must be correct for the subnet in which the computer exists and it must be unique. If the address is not correct for the subnet, then the computer will not be able to communicate at all. If the address is not unique for the subnet, an error will result and the computer that originally had the address will be notified with an error as well.


Subnet mask

If a subnet mask is not correct for an IP address, then the IP address really isn't correct either. This is because the IP address that the computer looks at is the computer's IP address "anded" with its subnet mask. Anding is a binary calculation that the computer uses with all IP addresses and subnet masks to determine the network ID and host ID of the address. If the subnet mask is not correct, you should change the subnet mask to match that of the other computers in the same subnet that are able to communicate.


Default gateway

A default gateway is the address that the computer uses to communicate outside of its own network. The default gateway for a computer is typically the router interface that is within its own subnet. If a computer has a correctly configured IP address and subnet mask but does not have a correctly configured default gateway, then the computer will be able to communicate within its own subnet but will not be able to communicate outside of its own subnet, or to the Internet. If a computer has these symptoms, you should configure its default gateway the same as the other computers within its subnet that can communicate with computers outside of their own subnet.


DNS address

The DNS address is the main name resolution address that computers use in today's networks. Computers use the DNS servers in their network and outside of their network to resolve hostnames to IP addresses. If the DNS address is not correct, the computer will usually have a very slow and unreliable connection to resources in your network. This is because the computer is actually using other backup methods of name resolution, as we discussed in Chapter 2.


WINS address

The WINS address is a name resolution address used primarily by Microsoft client and server computers earlier than Windows 2000. Legacy computers and applications use NetBIOS names, rather than hostnames, to refer to computers on the network. WINS, as discussed in Chapter 2, is a dynamic database that resolves NetBIOS names to IP addresses.
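The address, mask and gateway checks above can be worked through in code. This is an added example, not from the book: `network_id` performs the octet-by-octet ANDing the text describes, and `diagnose` compares a failing host with a peer on the same subnet that is known to communicate. All addresses and the dictionary layout are constructed for illustration.

```python
import ipaddress

def network_id(ip, mask):
    """AND each octet of the address with the matching octet of the mask."""
    pairs = zip(ip.split("."), mask.split("."))
    return ".".join(str(int(a) & int(m)) for a, m in pairs)

def diagnose(host, good_peer):
    """Return a list of findings for a host, using a working peer as baseline."""
    findings = []
    iface = ipaddress.ip_interface(f"{host['ip']}/{host['mask']}")
    peer = ipaddress.ip_interface(f"{good_peer['ip']}/{good_peer['mask']}")
    net = iface.network

    if host["mask"] != good_peer["mask"]:
        findings.append("subnet mask differs from working peer")
    if net != peer.network:
        findings.append("network ID differs from working peer")
    if iface.ip in (net.network_address, net.broadcast_address):
        findings.append("address is the network or broadcast address")
    if iface.ip == peer.ip:
        findings.append("duplicate IP address")

    gateway = ipaddress.ip_address(host["gateway"])
    if gateway not in net:
        # The host cannot reach a gateway that is not on its own subnet,
        # so traffic stays local, which is the symptom described in the text.
        findings.append("default gateway is outside the host's subnet")
    elif host["gateway"] != good_peer["gateway"]:
        findings.append("default gateway differs from working peer")
    return findings

# Constructed sample configurations.
GOOD = {"ip": "192.168.10.20", "mask": "255.255.255.0", "gateway": "192.168.10.1"}
BAD_GATEWAY = {"ip": "192.168.10.37", "mask": "255.255.255.0", "gateway": "192.168.1.1"}
BAD_MASK = {"ip": "192.168.10.41", "mask": "255.255.0.0", "gateway": "192.168.10.1"}
BAD_ADDRESS = {"ip": "192.168.11.37", "mask": "255.255.255.0", "gateway": "192.168.10.1"}

if __name__ == "__main__":
    for name, cfg in [("gateway", BAD_GATEWAY), ("mask", BAD_MASK), ("address", BAD_ADDRESS)]:
        print(name, network_id(cfg["ip"], cfg["mask"]), diagnose(cfg, GOOD))
```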

4.4.2.1. Physical Connectivity

Verifying physical connectivity on a network involves your sense of sight as well as your understanding of network tools. You have to pay attention to all of the elements that tell you whether you have physical connectivity. We have discussed some of these elements in previous sections, but the following is a summary that you can use as a checklist:


Cable connections

Cable connectors must be securely plugged into the computer or network device to ensure physical connectivity.


Link lights

Link lights (or link LEDs) are included with most NICs and network devices. You should make sure the link light is lit as part of verifying network connectivity. (As mentioned earlier, this is still no guarantee because the cable could be improperly configured.)


Indicators on the desktop, notification area, or other software tools

Most operating systems have a method of indicating whether a connection on a computer is properly connected to another computer. On Windows XP, for example, this is revealed in the notification area of the Taskbar.


Ping

Use the ping tool on a command prompt to verify physical connectivity. If you get a reply from the computer that you pinged, the physical connectivity (as well as proper IP configuration) is assured.

4.4.2.2. Small Office/Home Office (SOHO) Routers

Not long ago, a router was a network device that was configured only by a trained network professional. Today many individuals are setting up home networks or small office networks that do not require a network administrator. This development has opened the door for a new type of router called a Small Office/Home Office (SOHO) router. These routers are typically inexpensive compared with the larger routers used in most networks. They are available from Cisco, Linksys, Belkin, and other vendors who usually provide not only the device but also the software that walks you through installing the router. Many of these SOHO routers also offer such services as automatic address assignment and firewalls. You should refer to the vendor's website for details on configuring and troubleshooting these products.

4.4.3. Exam Essentials

Know how to troubleshoot file services. File services enable communication between computers in a network. Each network operating system vendor provides its own file services for network communication and to share files and folders. Microsoft uses Server Message Block (SMB) and it has very few problems, except with the newest operating systems that use SMB digital signing to enhance security. SMB signing for the newest clients and servers (Windows 2000, Windows XP, and Windows Server 2003) can be controlled through group policy; Windows NT with SP3 can also be modified for SMB signing.

Be able to troubleshoot print services. Print services are included with file services in the offerings of network operating system vendors. Print services might include printer permissions, printer priorities, and printer pooling. Be familiar with the permissions assigned to printers on a Microsoft network. You should know the difference between printer priorities and printer pooling and therefore how to get started troubleshooting each of these services.

Know how to troubleshoot authentication. Be familiar with the specific authentication protocols used for LANs as well as remote access networks, as discussed in Chapter 2. Troubleshooting authentication on a network should be accomplished by focusing on two computers at a time and determining the authentication protocols that each of them has in common. Servers and clients can be assigned multiple authentication protocols so that clients can use different protocols to communicate with various servers on a network.

Be able to troubleshoot protocol configuration. TCP/IP is by far the most prevalent protocol in use today. There are many elements involved in TCP/IP configuration, including (but not limited to) IP address, subnet mask, default gateway, DNS address, and WINS address. You should be able to recognize the likely symptoms of an improper configuration of each of these elements.

Know how to troubleshoot physical connectivity. Troubleshooting physical connectivity is accomplished by being observant of all aspects of your network. There are many indicators that assist you in troubleshooting physical connectivity, such as link lights and desktop notifications. A successful ping indicates proper physical connectivity and a proper (or at least functional) IP address.

Be able to troubleshoot SOHO routers. The SOHO router is a relatively new network component that has come into existence because of the large number of small office networks and home office networks. SOHO routers and the software that accompanies them are designed to be installed by an individual who is not a networking professional. SOHO routers often have features such as automatic address assignment and firewalls; the best reference is the vendor's instructional information or the vendor website.
