System Admin - Lab3/hw3     30 points - due March 9th

NAME ____________________________________     SYSTEM Name _____________________________

This lab has 3 parts: A, B and C. We will be doing most of these together as a class, so come to the labs on time... don't be late and don't miss class!!!! I will take roll.

The main point of this lesson is dealing with networks. Any system admin has to know a bit about networking and network services. As the system admin of a server, you will often be working on allowing clients on the network to access the server. Thus the basics of networking, file sharing, configuration, monitoring, etc. have to be part of a system admin's knowledge base. Plus, a system admin often has to administer different types of servers, including file servers, print, email, web servers, and various network servers (dhcp, dns and others).

Part A - Networking

1. Hook up your system's Network Card (ethernet card) with the Twisted Pair Cable (ethernet cable) to the Network Hub or Switch.

   [Every system connected to a network needs a network card, a cable and, when using a star topology, some type of device to pass the network packets (like a hub or a switch).]

   Each table area will be its own lan, with all systems being able to communicate with each other.

2. Open up a dos command window and try the following commands:

   [note - ping is a simple network command that sends a single packet of data from one system to another, to test if the other system is alive and responding. "Request Timed Out" means that the other system is not responding. "Reply from...." means that the other system is alive and replying. Ping is a good simple test for network connectivity.]

   a. ping 128.6.100.200
      Does it say "request time out" 4 times? Why?

   b. ping 128.6.100.xx where xx is your own ip number.
      Does this work?

   c. ping 128.6.100.yy where yy is your neighbor's ip number.
      Does this work?

   d. ping 128.6.100.zz where zz is a system on another table (not hooked up to your switch).
      Does this work?

   So you should be able to ping yourself and any system on your lan (connected to the same switch as your system). But other systems should not be reachable.

3. note - the above had to use ip numbers, and not names, to identify machines, but all of our machines have names.

   Try ping labXX (where XX is the name of your neighbor's machine). Does it work?

   Try "ping labXX.rutgers.edu" (where XX is the name of your neighbor's machine). Does this work?

   Click on "My Network Places" (icon on left of your screen), and click on "Computers Near Me".
   What systems do you see listed?
   Right click on one of these systems and pull up Properties.
   What is that system's workgroup name?
   What is that system's type?

   You can ping a machine by ip address... that's very reliable. You can also ping machines using simple local names (like lab21), since all the machines in your lan are in the same simple workgroup and are visible to each other. But if you try to ping a machine by using its fully qualified domain name (like lab21.rutgers.edu) it fails, since you don't have DNS (Domain Name System) set up.

   Without running a dns server on a lan, there is another way to set up fully qualified domain names for your network. Open a command window and go to:

      cd c:\winnt\system32\drivers\etc

   a. "dir" (do you see the HOSTS file?)
      "more hosts"
      What's in the file (besides comments, which begin with a "#")?

   This file can be used to hold hostnames and ip numbers, and your system will use them to translate names to ip numbers and vice versa if DNS is not available.

   Bring up Notepad (one of your accessories) and open and edit this file. After the last line of the file, add the following entries, each on a line by itself.
   (add the following entries)

      128.6.100.xx   yoursystem.rutgers.edu       yoursystem
      128.6.100.yy   neighborsystem.rutgers.edu   neighborsystem

   (use your name and ip number and your neighbor's system name and ip number... the above is just an example)

   You should have something that looks like

      128.6.100.21   lab21.rutgers.edu   lab21
      128.6.100.22   lab22.rutgers.edu   lab22

   (again, don't use lab21 or lab22, use your own name/ip number and that of your neighbor!)

   Save this file. Next take a look at the file to double check: "more hosts"

   Thus this "hosts" file holds each system's local name (short name), fully qualified domain name and ip address.

   Now try pinging based on names:

      ping yoursystem.rutgers.edu
      ping neighborsystem.rutgers.edu

   Does this work? (this should work, because of the additions you made to the "hosts" file)

   Thus you can ping/talk to other systems using their ip numbers or names (but if you are going to use full host names, then you need to be using DNS or have a host table on the local system).

4. File sharing

   Last time, you set up your system to share the "stan" folder in your C: drive. Your system was acting as a server. Check to make sure that this is still shared. Either use the "net share" command, or click on My Computer --> C: and check under Properties (for the stan folder), or look for the icon with the hand holding the "stan" folder. Any of the 3 methods will show you if the folder is being shared or not. It should be. If not, please share it.

   Thus on the server side, you use the "net share" command to see the current shares or to set up a share. One can also look under Properties of the folder to see or turn on sharing.

   Make sure the folder C:\stan exists. If not, create it. There is probably nothing in the stan folder. So go into it and create a file or two (text files) with some message in it. (once inside the stan folder, from the File pull down menu, select New --> Text Document. Then double click on the files created and add some text to them.)
   This is the folder and these are the files you will share from your server to the clients on the network.

   Next, since our systems are now set up to be servers and are sharing the "stan" folder, let's make believe our systems are also clients, and we are going to access our neighbor's server's folder (that they shared) over the network. This is done by mapping a drive letter (a virtual drive, one that is not in use).

   First, in the dos command window, type in

      net use

   a. What does it say? Why?

   Type in "dir K:"

   b. What does it say? Why?

   Next, you can set up the mapping by:

      net use k: \\128.6.100.yy\stan     (where yy is your neighbor's server)
      (or use: net use k: \\lab21\stan   for example)

   If that works ok, then:

      net use

   c. What does it say now? Why?

      dir k:

   d. What does it say now? Why?

   Take a look at your neighbor's files... (more filename). Get a good laugh...

   You have now successfully mapped the K: drive on your system (client) over to your neighbor's system (server) and can see and access files/folders on their system. That is what a server/client lan is all about! (the K: drive is what you call a virtual drive, and this process is called drive mapping)

   You can now delete a mapping, by typing in

      net use /delete k:
      net use

   e. What does it say now? Try "dir k:". What happens?

   Thus the "net use" command can be used on the Client Side to view any current network mappings. It can also be used to map a drive letter to the server and also to delete a mapping. The "net use" command is the client side command for networking. (like the "net share" command is the server side)

   There is also a graphical (gui) method to map a network drive. Single click with the RIGHT mouse button on My Computer. This pops open a window where you can either "Map Network Drive" or "Disconnect Network Drive". Try them both out. (just enter the drive letter and the correct path to do a mapping. To see if the mapping worked, double click on C: and see if you see a new icon that shows the network drive!)
   Do they work the same (same outcome) as using the net use command?

   Thus the server uses the "net share" command and makes a folder available (shared), and the client uses the "net use" command to do drive mapping and attach (map) a drive letter that is not currently used to the shared resource on the server. And as always, there is a gui and a non-gui approach to both.

   In summary, the command line and gui commands for a server to share a folder, and for a client to map to a folder (or delete a mapping), are listed below:

             Command Line       Gui Approach
   server    net share          right click on folder --> properties and under the Sharing Tab select "share this folder"
   client    net use            Right click on My Computer and pick "Map Network Drive"
   client    net use /delete    Right click on "My Computer" and pick "Disconnect Network Drive"

--------------------------------------------------------------

Part B. More Networking.

1. Enter "ipconfig /all" at the command window.

   a. What is your hostname?
   b. DNS server?
   c. Description of your network card?
   d. IP address?
   e. Ethernet (physical) address?
   f. Default Gateway?

   [ipconfig gives you configuration information about your network and tcp/ip. Note - you now see more info using ipconfig than in an earlier lab, since you are now connected to the network]

2. Go into start --> control panel --> network

   [this control panel icon/applet is one of the most useful ones and allows you to set up your tcp/ip networking]

   Double click on Local Area Connection. In the General Tab:
   What is the status of your network connection?
   What is your speed?
   You can even see a count of your current activity.
   How many packets sent?
   How many packets have been received?

   Click on Properties... then highlight "Internet Protocol (TCP/IP)". Click on its properties.

   a. Is your system using DHCP or hard coding an ip address?
      (check the "obtain ip address automatically" field... which means DHCP)
   b. Is your system using any DNS servers?
   c. What is your ip address? Subnet mask?
   d. What is the default gateway?

   Now go back a window...

   e. What type of network card is listed? Who is the manufacturer?

   Click on Configure (under the network card listed). Under the Driver tab (which refers to the software driver that talks to your network card), what things can you do? Cancel out of making any changes.

3. File Sharing - More of a good thing..

   TAKE YOUR TIME WITH THIS SECTION...LEARN!!!!!!

   Partner with your neighbor. One of you will be the server and the other the client (in a server/client network model). Pick who will be which (client or server). Watch each other: as one person does the work on their system, the other person watches and helps them (and learns!). Work together!

   a. Server: (first person)

      Make sure the megan account still exists and the password is abc123 (check via Computer Management --> Local Users and Groups).

      Create a folder/directory called C:\stan if it's not already there. How?

         gui method - Open up the C: drive under My Computer, and from the File pull down menu --> New --> Folder
         non-gui    - (at the top level C: partition) mkdir stan

      Next, copy c:\winnt\notepad.exe to c:\stan\stanpad.exe. How?

         gui method - open up both of the above folders (winnt and stan) on the screen (you may need to click on "show folders" in the winnt folder, since these are system files and not normally visible). Then hold down the control key and drag notepad.exe from one to the other and then change the name. (don't make a shortcut, copy the file... thus you need to hold down the control key!) You can change the name of a file/folder by right clicking and picking "rename"; just name it "stanpad" (the extension gets added automatically).
         non-gui    - copy c:\winnt\notepad.exe c:\stan\stanpad.exe

      Now right click on stanpad.exe --> properties --> security tab.
      Permissions should be: Everyone Full Control (that means everyone who has access to your system, those that have an account/password, has all permissions available to that file/folder). These are NTFS local permissions (not share permissions). Note - you can't share a file, only a folder. Thus files only have NTFS permissions. Folders have both share and NTFS permissions. Don't make any changes (cancel out of this).

      Go back up a level. (hit the back button on the window and go back to the stan folder)

      Now right click on stan folder --> properties --> Sharing Tab.
      Share this folder if it's not already shared. ("net share" command or just click on the Sharing tab)
      Check the share permissions under the Sharing Tab. They should be Everyone Full Control. (full control includes read, write, delete, etc.)

      Thus the file's (stanpad.exe) local NTFS permissions are Full Control and the share permission of "stan" is Full Control (everything) to Everyone. Thus everyone should be able to do whatever they want to this folder (stan) and file (stanpad).

   b. Client: (second person)

      Open My Computer - any virtual drives listed? (you will probably not see any virtual (networked) drives listed yet. Just local drives/partitions, like A:, C:, D:, E: and control panel). Keep this window open.

      Single right click on the My Computer icon and pick Map Network Drive (gui method... we could have used "net use").
      Pick F: (whatever default they give you).
      For the share name pick: \\labxx\stan (where xx is your neighbor's machine)
      Pick "Connect using a different user name": pick megan and the correct password (abc123).
      Click OK. Click Finish.

      You will see 2 things happen. In the "My Computer" window, you will see the network share pop up (F:). Also, a new small window will pop open on the screen showing you your new share ("stan on lab XX (F:)").

      Launch stanpad. See it start up. Then exit it.
      You have just accessed an application from your server... on your client. This is client-server networking at its best !!!!! (remember, you are running stanpad on the client... but it's coming from the server... via the mapping of the F: drive. stanpad does not really exist locally on your client!)

   c. Server: (first person)

      Open up C: and then open the stan folder. Keep an eye on the file "stanpad.exe". Watch it out of the corner of your eye!! (watch the magic of networking... now you see it and now you don't!!!)

   d. Client: (second person)

      On the client, right click on stanpad.exe and pick delete. Delete this file. You should see it disappear on both the client and the server!! Gone!! Cool! Magic !! Check the server window... does it disappear? (Houdini/Blackstone/David Copperfield/Penn and Teller would be proud!)

      Why did this happen? Bad permissions were set on the server! (you gave both share and local NTFS permissions set to Full Control for Everyone... including delete permission). Never give users on clients Delete permissions!!! (except for their own home directories)

      Let's fix this.

   e. Server:

      Go back on the server, and copy notepad.exe over to the stan folder again, as above. Rename it stanpad again.

      Now right click on stanpad.exe and pick Properties. Then pick the Security Tab. (you are looking at the local NTFS file permissions... remember, share permissions don't exist for files)
      Look at Everyone's permissions (inherited from parent).
      Uncheck "Allow inheritable permissions from parent to propagate to this object ...". Click Copy.
      Next, click off Full Control, Modify, Write. Click OK.

      Thus stanpad only has NTFS permission of Read and Execute... users should NOT be able to write over or delete the file. (you can check out the Advanced Tab to see all of the particulars)

      You also need to tighten up permissions on the stan folder (that stanpad is within). Go back up a level by clicking on the BACK button on the window (go back to the stan folder).
      Right click on the stan folder and pick Properties.

      Sharing Tab - these are the share permissions. They should be set to Everyone and Full Control. Don't change anything. Leave as is.

      Security Tab - Uncheck "Allow inheritable permissions from parent to propagate to this object .." and then pick "COPY". Next, uncheck Full Control, Modify and Write. Click on OK.

      Thus, you are NOT changing the share permissions of the stan folder. It's still Everyone and Full Control. What you changed were the NTFS permissions on the stan folder and the stanpad.exe application... you took away the write/delete options.

   f. Client:

      Try again to launch stanpad.exe. It should still launch ok and run (you have RX permissions). Try to delete it (single click to highlight it, then File --> Delete). You should no longer be able to delete it! Or try dragging it to the trashcan. What message do you get?

   Thus local NTFS permissions on files/directories and share permissions are very important to set correctly on the server. You can set permissions for Everyone, for a single user, or for a group. And there are many types of permissions available (read, write, execute, delete, etc.). If you look under the Advanced Tab, you will see how fine-grained the permissions are. And again, for files, there are only NTFS permissions, while folders have both NTFS permissions and possibly Share permissions (if the folder is shared). And a person's overall permissions are a combination of both the Share permissions and the local NTFS permissions. Also, you should only share the folders/directories on the server that really need to be shared (don't share everything). That's better security.

   By default, normally the Share permissions are Everyone and Full Control. Most people leave it like that and just use the local NTFS permissions on the files/folders to control access.
   But you could alter the Share permissions (alter Everyone's share permissions) or even remove Everyone and give Share permissions to only specific Groups or Users. Ditto with local NTFS permissions: you don't have to use Everyone, but can instead give specific permissions only to certain groups/users. So there are a lot of possibilities. We only just scratched the surface above!

4. There is a tool that allows you to monitor what is currently shared and who is accessing files on your server. This tool can be found under administrative tools --> computer management --> "shared folders". Shared Folders opens up 3 options.

   a. Shares - this lists the current shares that are available on your server (available to other clients to access). This is similar to the information you get from the "net share" command. The list of shares includes both things you have explicitly shared and default shares that the server sets up.
      What is listed as shared? (if /stan is not listed, go back and share it and try again)

   b. Sessions - this shows which client is currently accessing a share from your server.
      Is anyone listed?
      Have your neighbor connect to one of your shares (using net use or map network drive).
      Do you see someone listed now? What is listed?

   c. Open files - shows files that are accessed (open) on your server... being accessed from a client.
      Is anything listed?

=========================================================================

Part C - And even More Networking..

As mentioned earlier, a system admin often has to administer different types of servers: File servers, Print servers, Web, Email, DNS, DHCP, and many other types of servers. The most common type of server is a file server. And in the above sections, you saw how to set up your system as a file server and share folders/files to your clients.
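Added example (not part of the original lab handout): a simplified Python model of the Part B step 3 exercise, showing how the share permission and the NTFS permissions on the stan folder and on stanpad.exe combine when megan runs or deletes the file over the network. It assumes Allow entries only (no Deny entries, no ownership), and every name in it is made up for this illustration rather than taken from a Windows API.

```python
# Simplified model: Allow entries only; Deny entries and ownership are ignored.
# NTFS, SHARE, rights() and network_access() are illustrative names.

FULL = {"read", "execute", "write", "delete", "delete_child", "change_permissions"}
NTFS = {
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": FULL,
}
SHARE = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full Control": FULL,
}


def rights(acl, groups, table):
    """Union of the rights in every ACL entry that names one of the user's groups."""
    out = set()
    for principal, levels in acl.items():
        if principal in groups:
            for level in levels:
                out |= table[level]
    return out


def network_access(share_acl, folder_acl, file_acl, groups):
    """What a client mapped to the share can do to one file in the shared folder."""
    share = rights(share_acl, groups, SHARE)
    # Over the network a right must be allowed by BOTH the share and NTFS.
    folder = rights(folder_acl, groups, NTFS) & share
    file_ = rights(file_acl, groups, NTFS) & share
    return {
        "run": {"read", "execute"} <= file_,
        # NTFS allows a delete with Delete on the file itself OR with
        # "Delete Subfolders and Files" on the parent folder.
        "delete": "delete" in file_ or "delete_child" in folder,
    }


MEGAN = {"megan", "Everyone"}          # megan's logon is a member of Everyone
EVERYONE_FULL = {"Everyone": ["Full Control"]}
EVERYONE_RX = {"Everyone": ["Read & Execute"]}
EVERYONE_SHARE_READ = {"Everyone": ["Read"]}


def lab_states():
    """The permission states of the stan folder and stanpad.exe in Part B step 3."""
    return {
        "d. as first shared": network_access(
            EVERYONE_FULL, EVERYONE_FULL, EVERYONE_FULL, MEGAN),
        "e. file tightened only": network_access(
            EVERYONE_FULL, EVERYONE_FULL, EVERYONE_RX, MEGAN),
        "e. file and folder tightened": network_access(
            EVERYONE_FULL, EVERYONE_RX, EVERYONE_RX, MEGAN),
        "share set to Read instead": network_access(
            EVERYONE_SHARE_READ, EVERYONE_FULL, EVERYONE_FULL, MEGAN),
    }


if __name__ == "__main__":
    for state, result in lab_states().items():
        print(f"{state:30} run={result['run']!s:5} delete={result['delete']}")
```

The second state is the reason step e tightens the stan folder as well as the file: while the folder still grants Full Control, the file can be deleted through the folder's permissions.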
In this section, you are going to investigate setting up a DHCP server. As mentioned in class, a dhcp server is used to help clients boot up. In our labs, we have hard coded the ip addresses and other info (subnet mask, default gateway, etc.) onto our systems. But in the TCP/IP Properties window, we could have checked "obtain IP address automatically". When that is selected, the client on bootup will request its ip number and other info from a DHCP server on the network. The client knows its Ethernet address, so it sends that out on the network with a request for some DHCP server to help it boot up. The DHCP server gets that request, checks its internal table of ethernet addresses of clients it knows of, and when it finds a match, it responds back to the client with the corresponding info in its table (ip address, subnet mask, default gateway, etc.).

1. Ok. Let's start with setting up the DHCP server. Pick one of your machines on the lan to be the DHCP server (only one... you can normally just have one on the lan). All the others on your lan will just be clients. Everyone watch and help.

   There is a wizard called "Configure Your Server" that can be used to set up your server to be any type of server (file, print, web, email, dns, dhcp, etc.). That's what we will be using. It's the same wizard that pops up after you log in for the first time.

   DHCP Server:

   To start this wizard up, go to Start --> Programs --> Admin Tools --> Configure Your Server. When it starts up, on the left, look under Networking and pick DHCP. Follow the wizard to set up your system as a DHCP server. If it asks for the name of the server, tell it the ip number of your system. When it asks for a scope of ip addresses (a range of ip addresses that the dhcp server can lease out to clients), tell it 128.6.100.120 to 128.6.100.130 (11 ip numbers in the lease pool). Also, make sure the subnet mask is 255.255.255.0, the default router/gateway is 128.6.100.1 and there is no DNS server nor WINS.
   Also check to make sure the DHCP Server service is running. Go into Admin Tools --> Services. This is where you can view various services on your system, see if they are running, start/stop/pause/resume them... and also set up how they start on bootup (automatic, manual or disabled). Make sure the DHCP Server service is running (if not, start it and make sure it's set to start automatically on boot up).

   Once DHCP is running, you should have a DHCP window on your server. You can do things like "Add Server", "Display Stats" and "New Scope" under the Action item. You will need to add your system as a dhcp server. Once done, answer these questions:

   a. What do the stats show?
   b. What server options are available?
   c. What is the address pool?
   d. What are the addresses leased?
   e. What is a reservation used for?

   DHCP Client:

   First open up a dos command window and do an "ipconfig /all" and record:

      hostname -
      physical address -
      dhcp enabled -
      ip address -
      subnet mask -
      default gateway -

   Now go into control panel --> network icon. Select TCP/IP and Properties. Check the box that says "Obtain IP address automatically". This means your client will use dhcp when booting up to get its ip number and other info, instead of having this information hard coded. (note the hard coded info from before disappears).

   Now reboot your client. Once it comes back up, log in. Try a ping command in a dos command window. Does ping to another machine on your network work? That means your network is functioning properly (it should work).

   Do an "ipconfig /all" again. What info do you get now?

      hostname -
      physical address -
      dhcp enabled -
      ip address -
      subnet mask -
      default gateway -
      lease information -
      any other dhcp based info?

   note - your system's ip address is one of those that came from the dhcp server's pool of ip addresses (not the one from before). Also note that your client got all the other info (subnet mask, default gateway) correctly from the dhcp server.
   And thus your client was able to boot up, obtain networking info from the DHCP server and talk on the network. So DHCP works!

   DHCP Server:

   Go back to the server. Check the Stats again. Also check the Leases in Use. (you might have to refresh the view). What do you see?

   This is a perfect example of dhcp in action. You have learned to set up and configure a dhcp server. You have learned how easy it is to tell a client to use dhcp (obtain ip address automatically). And you put this into practice and actually have seen dhcp work.

--------------
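Added example (not part of the original lab handout): a small Python model of the scope configured in Part C, showing how a pool of 11 addresses is leased out per client Ethernet address, what a renewing client gets, and what happens to a twelfth client while all leases are active. The class and function names, the client MAC addresses and the 8-day lease length are assumptions made for this illustration; the lab does not state a lease length.

```python
import ipaddress


class DhcpScope:
    """Toy model of one DHCP scope: a pool of addresses leased out per client MAC."""

    def __init__(self, first, last, mask, gateway, lease_seconds):
        self.first = ipaddress.IPv4Address(first)
        self.last = ipaddress.IPv4Address(last)
        self.mask = mask
        self.gateway = ipaddress.IPv4Address(gateway)
        self.lease_seconds = lease_seconds
        self.leases = {}  # MAC -> (address, expiry time in seconds)
        # Sanity check: the pool and the gateway must sit in the same subnet,
        # otherwise clients receive settings they cannot route with.
        subnet = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        if (self.last < self.first or self.last not in subnet
                or self.gateway not in subnet):
            raise ValueError("pool and gateway must lie inside one subnet")

    def pool(self):
        return [ipaddress.IPv4Address(n)
                for n in range(int(self.first), int(self.last) + 1)]

    def request(self, mac, now):
        """Return the settings for `mac`, or None when every address is leased."""
        mac = mac.lower()
        # Expired leases of other clients go back into the pool.
        self.leases = {m: (ip, exp) for m, (ip, exp) in self.leases.items()
                       if exp > now or m == mac}
        if mac in self.leases:
            ip = self.leases[mac][0]          # renewal keeps the same address
        else:
            in_use = {ip for ip, _ in self.leases.values()}
            ip = next((a for a in self.pool() if a not in in_use), None)
            if ip is None:
                return None                   # pool exhausted
        expires = now + self.lease_seconds
        self.leases[mac] = (ip, expires)
        return {"ip": str(ip), "mask": self.mask,
                "gateway": str(self.gateway), "lease_expires": expires}


def lab_scope():
    """The scope entered in the wizard; the 8-day lease length is an assumption."""
    return DhcpScope("128.6.100.120", "128.6.100.130", "255.255.255.0",
                     "128.6.100.1", lease_seconds=8 * 24 * 3600)


def boot_clients(scope, count, now=0):
    """Boot `count` clients with constructed MAC addresses; return their addresses."""
    macs = [f"02-00-00-00-00-{i:02x}" for i in range(1, count + 1)]
    results = [scope.request(mac, now) for mac in macs]
    return [r["ip"] if r else None for r in results]


if __name__ == "__main__":
    scope = lab_scope()
    print(boot_clients(scope, 12))    # twelfth entry is None: only 11 addresses
    print(scope.request("02-00-00-00-00-01", now=60))   # renewal, same address
```

The `leases` dictionary corresponds to what the server's "Leases in Use" view lists after the clients reboot.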