Professional Documents
Culture Documents
Volume 3
Appendices
Overview
Module Objectives
A-1
A-1
A-1
A-3
A-3
A-3
A-4
A-14
A-23
A-40
A-48
A-54
A-61
A-66
B-1
B-1
C-1
C-1
Appendices
Appendices
Overview
The appendices in this section provide additional information on the following topics:
Module Objectives
Upon completing this module, you will be able to these appendices provide information on
additional topics and concepts. This includes being able to meet these objectives:
Describe the configuration of the Wide Area Application Services lab on which the course
labs are based
Describe the topologies used for the design case study workshops
A-2
Appendix A
Objectives
Upon completing this lesson, you will be able to describe Microsoft Windows Networking
concepts. This includes being able to meet these objectives:
Describe Microsoft Windows name resolution and resource location functions, including
DNS, WINS, and the Computer Browser Service
Provide a list of reference documents on Microsoft TechNet for additional reference and
reading
1990s:
Microsoft Windows NT
Windows NT domains
Onset of TCP/IP and internetworking
2000s:
Microsoft Windows 2000
Microsoft Active Directory
2007 Cisco Systems, Inc. All rights reserved.
WAAS v4.0.75-4
A-4
Windows NT Domains
Created to address the manageability and scalability issues of
disparate departmental workgroup networks.
A group of computers have access to a common security and
user account database.
Single sign-on created for all permitted resources in the domain.
Flat hierarchy with one PDC and multiple BDCs.
Resource and account administration only on PDC.
PDC replicates domain database to BDCs regularly; BDC has
read-only replica of account database; can process logins.
Domains interconnected by manually configured trust
relationships.
WAAS v4.0.75-5
Windows NT domains still exist in organizations that have not fully migrated to AD.
Windows NT domains are a single, flat database structure made of computers, users, and
groups of users.
All administration is completed on the primary domain controller (PDC). All backup
domain controllers (BDCs) have a read-only copy of the flat database that is passed from
the PDC. The PDC manages the database and handles user logins while the BDCs handle
only logins.
If two domains are to have a trust relationship, two one-way trusts must be created. Each
domain must have a one-way trust to the other domain. The trust relationship in Windows
NT allows access to resources in the domain. In AD, trust relationships are automatically
created. In Windows NT the trusts are not automatically created and must be created
manually by the administrator.
Appendix A
A-5
WAAS v4.0.75-6
The table in the figure shows the number of trusts required for each model.
The following are important to know about Windows NT domains:
A-6
A single Windows NT domain supports less than 300 nodes. When you exceed this number
you have to move to a single-master or multiple-master domain model.
In the master domain model, users are created in the master domain and the resources are
created in the resource domains.
Large deployments in a multiple master or a complete trust design require many trusts to be
administered and makes scaling very challenging. This is why AD is a much better solution
in large environments or in environments that need to scale.
Active Directory
Was built to solve scalability and manageability challenges of
flat hierarchy NT domain structures
Stores information about objects on a network and makes this
information available to users and network administrators
Gives network users access to permitted resources with a single
logon process
Provides network administrators with an intuitive, hierarchical
view of the network and a single point of administration for all
network objects
Provides a distributed approach to network resource and policy
management
WAAS v4.0.75-7
Appendix A
A-7
Domain controller:
In an AD forest, a server that contains a writable copy of the
AD database participates in AD replication and controls access
to network resources.
Administrators can manage user accounts, network access,
shared resources, site topology, and other directory objects
from any domain controller in the forest.
WAAS v4.0.75-8
In AD, a domain is a collection of computer, user, and group objects that have been created by
the administrator. This domain is hosted by one or several domain controllers (DCs), which
have a writeable copy of the AD database. DCs also participate in AD replication and control
access to the network objects. Administrators use DCs to create and modify users, network
access, resources, and topology.
A-8
Domain forest:
One or more AD domains that share the same class
and attribute definitions (schema), site and
replication information (configuration), and forestwide
search capabilities (global catalog).
Domains in the same forest are linked with two-way,
transitive trust relationships.
2007 Cisco Systems, Inc. All rights reserved.
WAAS v4.0.75-9
A domain tree can contain one or more domains connected by trusts. You can have many child
domains under the parent domain similar to a domain name system (DNS) infrastructure.
A domain forest is one or more AD domains that share the same:
All domains are linked with two-way transitive trusts, that is, if A trusts B and B trusts C then
A trusts C, as well.
Appendix A
A-9
WAAS v4.0.75-10
Domains are administrative boundaries that do not extend privileges. The parent-child
relationship can be seen in the figure in the reskit.com and na.reskit.com domains.
Na.reskit.com is a child of reskit.com, and Atlanta.na.reskit.com is a child of na.reskit.com.
Transitive trusts are automatically applied after a trust between two domains is created.
A-10
WAAS v4.0.75-11
An AD forest is having more than one top-level domain along with a noncontiguous name
space, such as reskit.com and acquired.com.
These AD trees in the same forest share a common schema, configuration, and global catalog,
but they do not share the same name space.
Appendix A
A-11
client1
reskit.com
client1.reskit.com
WAAS v4.0.75-12
Two naming conventions are supported under AD, domain naming and NetBIOS domain
naming:
A-12
Domain naming: Each child domain can have only one parent domain. In
child.parent.com, child is the child, or subdomain, and parent is the parent domain. There
can not be two subdomains under the same parent containing the same name.
child.parent.com and child.parent.com are the same name, not two different names.
NetBIOS naming: There is a flat name space (no hierarchy) and a limit to a 15-byte length
for the name. NetBIOS naming supports legacy applications and operating systems, such as
Windows NT, Windows Me, and Windows 9x, and allows them to interoperate with AD.
WAAS v4.0.75-13
The AD structure can be viewed as a DNS name space, which is what is seen on the right in the
figure; however, when it is viewed from within the AD name space in Windows, it appears as
shown on the left of the figure. The focus for this example is the client1 computer. In the AD
name space, it is represented under the Computers subfolder of the Reskit folder, while in the
DNS name space, it is represented under the reskit.com domain. In AD, there is also a network
subnet that defines the actual network design behind AD.
The AD name space is translated, based on the network subnet configuration, to the DNS name
space and written to zone files or zone databases, which are hosted in AD.
Appendix A
A-13
Windows Authentication
Only two network authentication options are available for
Windows 2000 domains:
Kerberos v5 protocol:
The Kerberos v5 authentication protocol is the default for authentication of
users who are logging in to domain accounts from computers that are running
Windows 2000, or higher.
NTLM protocol:
The Windows NTLM protocol is the default for authentication in Windows NT
4.0.
It is retained in Windows 2000 for compatibility with clients and servers that
are running Windows NT version 4.0, and earlier.
It is also used to authenticate logins to standalone computers that are running
Windows 2000.
WAAS v4.0.75-15
In Windows 2000 domains there are two protocol options for authentication, Kerberos v5 (the
default method) and NTLM. NTLM support is still available in Windows 2000 to support
earlier operating systems, such as Windows NT 4.0 and Windows 9x products. NTLM is also
used if a standalone computer that is running Windows 2000 attempts to log in to a domain
where it is not a member.
A-14
Kerberos v5
Relies on shared secret authentication, using
secret key cryptography rather than sharing a
password.
The trusted intermediary in the protocol is the
KDC.
The KDC is a service running on the domain
controller.
WAAS v4.0.75-16
Kerberos does not share a password. It uses a shared secret mechanism hosted by the Key
Distribution Center (KDC), a service running on the DC. Windows 2000 supports many DCs in
AD, allowing logins to be supported from any one of these DCs, reducing the load on any one
DC.
Appendix A
A-15
Kerberos v5 (Cont.)
When a client wants to talk to a server:
The client sends a request to the KDC
The KDC distributes a unique session key for the two parties to
use when they authenticate each other.
The server's copy of the session key is encrypted in the server's
long-term key. The client's copy of the session key is encrypted in
the client's long-term key.
WAAS v4.0.75-17
The login process with Kerberos v5 is managed with keys rather than actual passwords. This
protects users logins and passwords by using a key to access each resource rather than using
the user name and password (like NTLM).
Clock synchronization is very critical to this process. Network Time Protocol (NTP) is a good
solution for clock synchronization.
A-16
WAAS v4.0.75-18
NTLM provides interactive authentication only. A user accesses a client machine and provides
a domain name, user name, and password. The client computes a cryptographic hash of the
password and discards the actual password.
Nowhere in the process is the password sent across the wire. Only a hash of the actual
password is sent for resource access.
Appendix A
A-17
WAAS v4.0.75-19
A-18
WAAS v4.0.75-20
Appendix A
A-19
WAAS v4.0.75-21
The security identifier can be assigned to users and user groups. A security identifier has
security principals assigned to it for access or permissions.
A-20
WAAS v4.0.75-22
Authorization to resources is granted based on user and group identity that is defined by SIDs.
With many environments, the preferred method of granting access to resources is by group, not
by individual, because this is much easier to manage. For example, if a new employee starts in
the accounting department, rather than assigning the user to each object or resource that the
new user needs access to, the administrator assigns the new user to the accounting group and
the user immediately takes on all resource assignments of the accounting group.
Appendix A
A-21
WAAS v4.0.75-23
A-22
An administrator can change users level of authorization for many resources by adding or
removing them as a member from a group.
A group created in one domain can be included in the membership of a group created in
another domain or in the membership of a universal group used throughout a tree of trusted
domains.
A users level of authorization is determined by a list of SIDs; one SID for the user and one
SID for each security group to which the user belongs.
WAAS v4.0.75-25
In Windows deployments, name resolution is key to users searching and browsing network
resources.
Appendix A
A-23
WAAS v4.0.75-26
A-24
WAAS v4.0.75-27
Appendix A
A-25
NetBIOS (Cont.)
NetBIOS uses a flat, nonhierarchical namespace:
16-byte address:
15 bytes for resource name identification
1 byte (reserved) for service type identification
NetBIOS is a session-level interface:
Establishes logical names on the network
Sessions established between two logical names
Transport agnostic: NetBEUI, TCP, and SPX can be used
WAAS v4.0.75-28
NetBIOS is a session-level interface that allows two devices to create a connection based on
logical names. Because the session level of the Open Systems International (OSI) model is
Layer 5 and the IP address itself is Layer 3, name resolution still must take place before the
session can be created.
A-26
NetBIOS (Cont.)
NetBIOS node types:
Defines default name resolution behavior
b-node: broadcast messages to register and resolve NetBIOS
p-node: point-to-point query against WINS server
m-node: broadcast first (b-node), then query WINS (p-node)
h-node: query WINS first (p-node), then broadcast (b-node)
WAAS v4.0.75-29
m-node: Uses a b-node first, and then, if necessary, it uses a server query.
h-node: Uses a hybrid of b-node and p-node. An h-node computer always tries a server
query first. It uses broadcast only if direct queries fail.
Appendix A
A-27
NetBIOS (Cont.)
A NetBIOS name is either a unique name (exclusive) or a group
name (nonexclusive).
Names registered can be divided into three groups:
Computer name
Domain name
Other name (service and so forth)
WAAS v4.0.75-30
NetBIOS uses either a unique name or a group name depending on the number of processes:
A-28
WAAS v4.0.75-31
WINS uses unicast based registration and resolution to reduce the broadcasting burden on the
network. WINS server must contain an entry for each NetBIOS machine on your network, or
name resolution might fail. If the clients are registering with different WINS servers for load
balancing, you have to configure the WINS servers to replicate their databases to one another.
Appendix A
A-29
WAAS v4.0.75-32
A-30
Register in the WINS database NetBIOS names of processes running on the client
Release from the WINS database the NetBIOS names of processes that are no longer
running
Resolve names by obtaining mappings for user names, NetBIOS names, DNS names, and
IP addresses from the database
WAAS v4.0.75-33
AD DNS integration allows the DNS records to be stored in AD rather than in a flat file
(traditional DNS), providing greater fault-tolerance and security.
Appendix A
A-31
WAAS v4.0.75-34
Due to the AD integration of DNS, dynamic updates to the DNS Zone files are automatic,
instead of the traditional static management of DNS names.
A-32
WAAS v4.0.75-35
Shared resources are located by publishing objects in AD domains and Browsing in Server
Message Block (SMB) based networks.
Appendix A
A-33
Printer publishing:
Allow users to locate
the most convenient
printer
Query by attributes,
printer type, features
Global catalog:
Stores copies of all
AD objects
2007 Cisco Systems, Inc. All rights reserved.
WAAS v4.0.75-36
Administrators can publish any shared network folder, including a distributed file system (DFS)
folder, in AD. Creating a shared folder object in AD does not automatically share the folder. It
is a two-step process: You must first share the folder and then publish it in AD. Users can
easily and quickly query AD for a shared folder.
A global catalog is a domain controller that stores a copy of all AD objects in a forest. The
global catalog stores a full copy of all objects in the directory for its host domain and a partial
copy of all objects for all other domains in the forest. The global catalog allows clients to
quickly and easily perform searches across all domains without having to search each domain
individually. The partial copies of all domain objects included in the global catalog are those
most commonly used in user search operations. These attributes are marked for inclusion in the
global catalog as part of their schema definition. Storing the most commonly searched upon
attributes of all domain objects in the global catalog provides users with efficient searches
without affecting network performance with unnecessary referrals to domain controllers. A
global catalog is created automatically on the initial domain controller in the forest. You can
add global catalog functionality to other domain controllers or change the default location of
the global catalog to another domain controller.
A-34
WAAS v4.0.75-37
The Computer Browser service runs on both workstations and servers. It allows users to access
the resources on that system.
Appendix A
A-35
WAAS v4.0.75-38
Browsing is required by network applications that use Common Internet File System (CIFS)
messaging, such as My Network Places, the net view command, and Windows NT Explorer.
A-36
WAAS v4.0.75-39
Different systems have different browsing roles, such as domain master browser, master
browser, backup browser, potential browser and nonbrowser.
The master browser does the following:
Collects and maintains the list of available network servers in its subnet.
Fully replicates its listed information with the domain master browser to obtain a complete
browse list for the network.
Distributes its completed list to back up browsers located on the same subnet.
Receives a copy of the browse list from the master browser for its subnet.
Can operate as a browse client, requesting browse lists from other computers operating as
browsers on the same subnet.
Appendix A
A-37
Browsing Roles
Domain master browser:
The domain controller (PDC in NT) operates in this role.
Collects and maintains master browse list of available servers for its domain, as
well as any names for other domains network (12-minute cycle); synchronizes the
browse list with WINS.
Distributes and synchronizes the master browse list for master browsers on other
subnets that have computers belonging to the same domain.
Only server versions of Windows can become domain master browsers.
WAAS v4.0.75-40
The domain master browser is responsible for keeping track of all resources in its domain.
A-38
Browser Elections
Browser elections occur under the following
circumstances:
When a computer can not locate a master browser
When a preferred master browser comes online
When a Windows NT domain controller starts
WAAS v4.0.75-41
Windows checks the number of computers in the subnet and the number of browse servers
present.
If the ratio of browse servers to computers in the subnet exceeds the defined ratio (usually
1:32), the master browser can select a potential browser computer to act as a backup
browser.
Appendix A
A-39
Introduction to CIFS
This section describes Microsoft CIFS file-sharing protocol and capabilities.
WAAS v4.0.75-43
Clients use the CIFS protocol to request file and print services from servers over a network.
A-40
SMB was invented in the late 80s and represents a core protocol that provides network file
sharing between Intel and Microsoft.
Many features have been added over time. Most Windows clients now support several
different variations, such as PC NETWORK PROGRAM 1.0, LANMAN 1.0, LM1.2X002,
and NTLM 0.12.
Over 120 different CIFS and SMB operations are available to date and the number is
growing.
CIFS Features
CIFS features include the following:
File access
File and record locking
Safe caching, read-ahead, and write-behind
File change notification
Protocol version negotiation
WAAS v4.0.75-44
File access: File operations include open, close, read, write, and seek.
File and record locking: After a file or record is locked, nonlocking applications are
denied access to the file.
Safe caching, read-ahead, and write-behind: Allow read/write access to a file from
multiple clients simultaneously.
File change notification: Applications can register for notifications when a file or
directory contents are modified.
Protocol version negotiation: Client and server negotiate the version (dialect) to be used.
The negotiation also dictates the command set that can be used between the client and the
server.
Appendix A
A-41
WAAS v4.0.75-45
Extended attributes:
CIFS protocol uses referrals to transparently direct a client to the appropriate server.
Clients can resolve server names with any name resolution mechanism.
Batched requests:
A-42
Supports Unicode strings (file names, resource names, and user names).
WAAS v4.0.75-46
Shared resources can be directory trees, printers, named pipes, and other objects.
Appendix A
A-43
WAAS v4.0.75-47
NTLM v1:
NTLM v2:
Enables using a secure channel (for signing and encryption) prior to the challenge/response.
Share-level security:
A-44
WAAS v4.0.75-48
The called name is constructed from the first component (or host portion) of the server's
DNS name in the following sequence:
Appendix A
A-45
WAAS v4.0.75-49
A single file can not span more than one server. A client can not be redirected to another
physical location (CIFS server) to access portions of a file that is already open. The entire file
must be accessed from only the server that the client is communicating with.
A file can span multiple volumes in multiple locations, but this is outside the scope of the CIFS
protocol definitions. The physical location of the file on the physical disks attached to the file
server is not relevant to CIFS.
Name resolution is performed by the client and is not controlled by the CIFS protocol. CIFS
traffic only uses the name in the data process, it does not use the IP address. The clients and
servers perform name resolution prior to establishing a session.
A-46
WAAS v4.0.75-50
DNS
The name resolution mechanism can constrain the form of the server name:
Appendix A
A-47
WAAS v4.0.75-52
ANDX-type client commands allow for aggregation of I/O commands into one request instead
of having multiple requests going back and forth. Many CIFS commands are dependant on one
another and sometimes are very small, so sending them together saves time in the
communication process.
Understanding the CIFS session flow and different packets is important for troubleshooting. If
you could capture packets from the network, you would see the negotiation, the session setup,
and then the transaction process, which is the actual send of the data.
A-48
NAS
Server \\NAS1
\docs shared as \share1
\priv shared as \share2
NAS
Server \\NAS2
\user shared as \user
sion
1 Ses
1 Se
ssion
X: \\NAS1\share1
Y: \\NAS1\share2
Z: \\NAS2\user
Network Attached
Storage
WAAS v4.0.75-53
Clients access shared resources by way of the session that is established between the client and
the server. The figure shows that, regardless of the number of resources accessed, typically only
one session is open between the client and the server at any given time.
Appendix A
A-49
CIFS Packets
Each packet consists of a fixed header and a variable
data portion.
The fixed header includes:
A command code
Status flags
Client process and server file identifiers
WAAS v4.0.75-54
The header shows which user is accessing the file as well as which file is being accessed.
A-50
WAAS v4.0.75-55
If a server receives a transport establishment request from a client with which it is already
conversing, the server can terminate all other transport connections to that client.
A server can drop the transport connection to a client at any time if the client is generating
malformed or illogical requests.
If a server gets a hard error on the transport, such as a send failure, the transport connection
to that client can be terminated.
A server can terminate the transport connection when the client has no open resources on
the server. The Windows idle timeout default is 15 minutes. This idle timeout is not
determined by CIFS; it is determined by the server application.
Appendix A
A-51
File ID:
Used for subsequent operations on a file
Process ID:
Identifies which client process is issuing CIFS request
User ID:
Identifies user issuing CIFS requests on client
Multiplex ID:
Allows multiple outstanding client requests to exist
WAAS v4.0.75-56
Session tracking is important because some of the session information for the client can be
reused for subsequent requests.
Tree ID (TID) identifies the resource a CIFS packet is referring to. This resource can be a share
on a server:
In the response packet, the server sets the TID to any number that it pleases.
The client uses the TID to make requests specific to that resource for following requests.
File ID (FID):
After a client successfully opens a file, the server response includes an FID that the client
should use for subsequent operations on the file.
Process ID (PID) identifies the process that is issuing the CIFS request on the client:
The server uses the PID to check for concurrency issues to prevent corruption by
competing client processes.
User ID (UID) identifies the user who is issuing CIFS requests on the client side:
The client uses the assigned UID in all future CIFS requests.
Multiplex ID (MID) allows multiple outstanding client requests to exist without confusion:
A-52
The server ensures that the response it sends matches the request MID that it received.
The client can always know exactly which outstanding request an incoming reply is
correlated to.
SMB_COM_SESSION_SETUP_ANDX
SMB_COM_TREE_CONNECT_ANDX
SMB_COM_OPEN_ANDX
SMB_COM_READ
SMB_COM_CLOSE
SMB_COM_TREE_DISCONNECT
WAAS v4.0.75-57
Appendix A
A-53
CIFS Locking
CIFS locking allows a client process to prevent read
and write access to regions of a file by other
processes.
A client request defines a region by specifying its
length and offset values within a file.
The locked regions are associated with the file handle
(FID) and can be anywhere in the logical file.
Only processes using the FID specified in the locking
request have access to the locked bytes.
Locking a region fails entirely if any subregions or
overlapping regions are already locked.
2007 Cisco Systems, Inc. All rights reserved.
WAAS v4.0.75-59
CIFS locking allows the entire file, or part of the file, to be locked by a client or clients.
Whether the entire file or part of the file can be locked is a function of the client/server
application.
A-54
WAAS v4.0.75-60
Many options are available for CIFS locking. Full details can be found by searching
www.microsoft.com for CIFS file locking.
Appendix A
A-55
WAAS v4.0.75-61
Upon an Opportunistic Lock (oplock) break notification, any dirty buffers are flushed. This is
problematic over a slow WAN because the client might be holding too much data before the
flush process. The CIFS lock timeout from the other client can time out while waiting for the
flush or the request itself can time out because the connection to the server can time out.
The timeout for any CIFS operation is 90 seconds.
If the application such as Microsoft Word has an oplock and there are two separate threads to
the file, the second thread can cause the first lock to timeout and create errors within the
application.
A-56
Type II Oplock
A type II oplock is characterized by the following:
There are multiple concurrent clients of a file, and none have yet
modified it.
Allows the client to perform read operations and file attribute
fetches with cached or read-ahead local information.
All other requests have to be sent to the server.
WAAS v4.0.75-62
There are multiple concurrent clients of a file, and none have yet modified it.
Allows the client to perform read operations and file attribute fetches with cached or readahead local information.
Appendix A
A-57
Exclusive Oplock
An exclusive oplock is characterized by the following:
The client is the only entity to have a file open.
Allows the client to perform all file operations with cached or readahead local information until it closes the file
Upon file close, server must be updated with any changes made to
the state of the file (contents and attributes).
WAAS v4.0.75-63
A-58
Exclusive oplock allows the client to perform file operations using cached or read-ahead
local information until it closes the file.
Upon file close, the server must be updated with any changes made to the state of the file
(contents and attributes).
Batch Oplock
A batch oplock is characterized by the following:
The client is the only entity to have a file open.
Allows the client to perform all file operations on cached or readahead local information (including open and close operations).
Break reasons of lower-level oplock types also apply.
WAAS v4.0.75-64
Batch oplock allows the client to perform all file operations on cached or read-ahead local
information, including open and close operations.
Word and Excel are examples of client applications that use batch oplocks.
Appendix A
A-59
WAAS v4.0.75-65
An application can choose not to use locks; instead, it can choose to open the file in a share
mode:
A-60
WAAS v4.0.75-67
The storage of the DFS topology for a single DFS server design is in the Windows registry. The
storage of the DFS topology for multiple DFS servers is in the AD database. Please see the
Microsoft Windows Networking module for more detailed information on DFS.
Appendix A
A-61
WAAS v4.0.75-68
With name transparency, users can navigate the logical name space without having to know the
physical locations of the data.
Site awareness and site proximity support include the following:
A-62
Windows 2000 provides Site Awareness and Windows 2003 added Site Proximity Support.
This allows the user to get to the closest server that contains the data they are looking for.
This is very important when deploying Wide Area File Services (WAFS) Edge Wide Area
Application Engines (WAEs).
DFS terminology:
DFS root: Clients map to the
DFS root as a starting point to
locate shared directories.
DFS link: Object in the DFS
tree that provides redirection to
another location on the
network (that is, to a nearby file
server or Edge WAE published
name).
DFS target (replica): The
physical location of the share
being accessed on the nearby
file server or Edge WAE
published name.
2007 Cisco Systems, Inc. All rights reserved.
3
\\server1\share1
1
\\company.com\DFS\share1
2
\\server1
\share1
\share2
\share3
REFERRAL LIST
(prioritized)
\\sever1\share1
\\server2\share1
DFS root
\\company.com\DFS
\share1
\share2
\share3
\\server2
\share1
\share2
\share3
Replicas:
\\server1\share1
\\server1\share2
\\server1\share3
\\server2\share1
\\server2\share2
\\server2\share3
WAAS v4.0.75-69
DFS root:
The share at the top of the DFS topology that is the starting point for the links and shared
files that make up the DFS name space.
A DFS root can be defined at the domain level for domain-based operation or at the server
level for standalone operation.
Domain-based DFS can have multiple roots in the domain but only one root on each server.
If the DFS root goes away, then the users pointing to it are not able to see the DFS data.
DFS link:
A link is another share somewhere on the network that goes under the root. When a user
opens this link, they are redirected to a shared folder.
Both DFS Roots and DFS links can have replicas for high availability and load sharing.
Note
Alias names as published by a WAFS Edge WAE can be added to DFS as replicas.
The server and the client use CIFS protocol to communicate. The DFS client intercepts Shared
Folder access requests and checks the local cache for a valid referral containing the Universal
Naming Convention (UNC) for the requested shared folder. If one is found, the user is referred
to the specified shared folder transparently. If the target shared folder has never been requested
before or if the data in the cache for it has expired, the DFS client asks the DFS server for a
referral. The DFS server looks in the partition knowledge table (PKT) and returns a referral to
the client. If the referral contains a replica set, the server uses the IP address of the client to
determine the site in which the client resides. It then randomizes the list of replicas, giving
preference to those located in the same site as the client. The client receives the referral and
connects to the first available server in the randomly ordered list. The referral is stored in the
2007 Cisco Systems, Inc.
Appendix A
A-63
local PKT cache and locked. If the time to live (TTL) has not expired, the client always selects
the first replica on the list. If a failover occurs, the client walks down the list for an available
replica. If no replicas are available, the client gets a new replica list from the DFS server.
A-64
WAAS v4.0.75-70
Appendix A
A-65
References
Links to the following references can be found on
http://www.microsoft.com/technet.
Active Directory
Active Directory Concepts
Win2K Distributed Systems Guide Ch. 1 - Active Directory Logical
Understanding Domain Trusts
W2K Authentication
Win2K Distributed Systems Guide Ch. 11 - Authentication
Access Control
Win2K Distributed Systems Guide Ch. 12 Access Control
WAAS v4.0.75-72
Access control:
A-66
References (Cont.)
WINS:
WINS Overview
Win2K TCP/IP Networking Guide: Ch. 7, Windows Internet Name Service
DNS:
Win2K TCP/IP Networking Guide: Ch. 5 Introduction to DNS
Win2K TCP/IP Networking Guide: Ch. 6 Windows 2000 DNS
WAAS v4.0.75-73
WINS:
WINS Overview
DNS:
DFS:
Appendix A
A-67
A-68
Appendix B
Pod Topology
Branch Office
WAN
Data Center
Edge Router
WAN: VLAN 200
10.10.200.X
LAN: 802.1q
VLAN X0: 10.10.X0.1
VLAN X1: 10.10.X1.1
DC Router
WAN: VLAN
201
10.10.200.1X
Internal (NME-WAE)
VLAN X2: 10.10.X2.1
Windows XP PC
WANBridge
10.10.90.254
Edge WAE
10.10.X1.250
VLAN X1
Edge NME-WAE
VLAN X2:
10.10.X2.250
Server
(Domain, FTP,
DC Router
CIFS, Web,
LAN: 802.1q
TFTP)
VLAN 100: 10.10.100.X
10.10.100.100
VLAN X3: 10.10.X3.1
Core WAE VLAN 100
10.10.X3.250
VLAN X3
Domain NetBIOS name: WAAS
FQDN: waas.local
X = your pod number
WAAS v4.0.75-2
B-2
VLANs
Branch Office
WAN
Data Center
VLAN 100
VLAN 200
VLAN 201
VLAN X0
VLAN X1
VLAN X2
VLAN X3
WAAS v4.0.75-3
Appendix B
B-3
Switch VLANs
A LAN switch is a shared resource and configured with VLANs:
VLAN X0 (branch workstation VLAN, per pod)
VLAN X1 (branch WAE appliance VLAN, per pod)
VLAN X2 (branch NME-WAE VLAN, per pod)
VLAN X3 (data center WAE appliance VLAN, per pod)
VLAN 100 (data center access VLAN, shared)
VLAN 200 (WAN subnet, shared, branch facing)
VLAN 201 (WAN subnet, shared, data center facing)
The LAN switch should have an IP address in each VLAN of
10.10.(vlan).253.
WAAS v4.0.75-4
B-4
Router VLANs
Each branch router should be configured to trunk two VLANs to the
branch LAN via the branch LAN interface:
VLAN x0: Branch office client workstation
VLAN x: Branch office WAE appliance
Note: The branch office WAE VLAN is also physically inline for both of these VLANs
between the router and the switch
VLANs 200 and 201 are the WAN VLANs. WANBridge installs as a
bridge between these VLANs to provide WAN emulation between
branch routers and data center routers.
WAAS v4.0.75-5
Each branch router should be configured to trunk two VLANs to the branch LAN with the
branch LAN interface:
Each data center router should be configured to trunk two VLANs to the data center LAN with
the data center LAN interface:
Appendix B
B-5
IP Addressing Schema
The shared LAN switch should be configured with the following
VLANs and use the following IP address schema:
10.10.(vlan#).(node#)
Class C subnet universally
Where:
.1 is always the router interface
.10 is the Windows PC
.100 is the server
.24X is the CM WAE (Central Manager WAEs only)
.250 is the WAE (optimization WAEs only)
.253 is the switch
.254 is the WANBridge
WAAS v4.0.75-6
The shared LAN switch should be configured with the following VLANs and use the following
IP address schema:
10.10.(vlan#).(node#)
Where:
B-6
Servers
The data center server is a shared component with a single (required)
network interface in the shared data center VLAN.
Configured to provide the following services:
Domain controller (single domain)
CIFS file services, shares, and files, with appropriate permissions
configured per student pod (user)
Intranet web services with sample content to download
FTP server service for content upload and download
TFTP server service for device image transfer and configuration transfer
Network printer controlled by server
WAAS v4.0.75-7
The data center server is a shared component with a single (required) network interface in the
shared data center VLAN. It is configured to provide the following services:
CIFS file services, shares, and files with appropriate permissions configured per student
pod (user)
TFTP server service for device image transfer and configuration transfer
The domain name is waas.local. The server must be configured with static routes for user
workstations to go through that users router path.
Appendix B
B-7
WAN Emulation
WANBridge is installed as a bridging device between VLANs 90
and 91. No routing configuration is required, because it does not
insert itself beyond Layer 2.
Assumes that correct Layer 3 configuration and routing are
configured:
Must ensure that client workstation traffic going to server traverses routers
associated only with client pod
Must ensure that server traffic returning to client workstation traverses routers
associated only with client pod
WAAS v4.0.75-8
You must ensure that client workstation traffic going to server traverses routers is
associated only with client pods.
You must ensure that server traffic returning to client workstation traverses routers is
associated only with client pods.
Dedicated WANBridge PC per pod; common EIGRP AS on each of the pod routers
(branch and data center) (recommended)
Shared WANBridge PC per pod; unique EIGRP AS on each of the pod routers (branch and
data center)
B-8
Browse to www.labgear.net.
2.
WAAS v4.0.75-9
Browse to www.labgear.net.
Step 2
Step 3
Step 4
Appendix B
B-9
Passwords
Device
User Name
Password
WAEs
admin
default
Routers
admin
cisco
Windows PCs
administrator
cisco
WAAS v4.0.75-10
The figure shows the default user names and passwords for both labs.
B-10
Appendix C
FogHorn International
Bellevue, WA
Branch Office
1Mbps WAN
50 Users
2 Servers
Provo, UT
Branch Office
1Mbps WAN
15 Users
0 Servers
Denver, CO
Branch Office
1Mbps WAN
30 Users
2 Servers
St Paul, MN
Branch Office
45Mbps WAN
200 Users
4 Servers
Chicago, IL
Branch Office
45Mbps WAN
300 Users
4 Servers
St Louis, MO
Branch Office
1Mbps WAN
20 Users
2 Servers
Anaheim, CA
Branch Office
45Mbps WAN
300 Users
8 Servers
Houston, TX
Data Center
155Mbps WAN
2007 Cisco Systems, Inc. All rights reserved.
New York, NY
Branch Office
10Mbps WAN
150 Users
2 Servers
Cary, NC
Branch Office
8Mbps WAN
100 Users
2 Servers
Orlando, FL
Branch Office
1.5Mbps WAN
50 Users
2 Servers
WAAS v4.0.75-2
C-2
XYZ Limited
Seattle, WA
Regional Office
155Mbps WAN
300 Users
4 Servers
San Jose, CA
Data Center
1Gbps WAN
10,000 Users
50 Servers
Denver, CO
Regional
Office
45Mbps WAN
100 Users
2 Servers
Chicago, IL
Regional Office
155Mbps WAN
400 Users
5 Servers
Boxborough, MA
Regional Office
310Mbps WAN
800 Users
10 Servers
Raleigh, NC
Data Center
1Gbps WAN
5000 Users
20 Servers
Richardson, TX
Regional Office
155Mbps WAN
500 Users
30 Servers
WAAS v4.0.75-3
Appendix C
C-3
C-4