Windows Networking

Windows Networking is the suite of programs that provides file and printer sharing between computers running Microsoft Windows (and compatible network operating systems, such as Linux). In terms of the OSI network model, Windows Networking runs at the Application layer. It uses Server Message Blocks (SMBs) over the lower network layers, such as Ethernet or WiFi, for connectivity.

By default, Windows Networking uses SMBs over NetBIOS Over TCP/IP (NetBT), and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI, if you're prepared to deal with the support issues. On a large LAN with a dedicated DNS server for local name resolution, it can use SMBs directly bound to ("hosted on") Internet Protocol.

Whatever transport you choose, though, all computers need to use the same one.

There are five concepts that you need to understand in order to deal with Windows Networking problems.


Domains / Workgroups
Computers are grouped in domains or workgroups, with membership in either grouping providing benefits.

We can browse My Network Places (known sometimes as "Network Neighborhood"), and see all nearby computers. The workgroup that we are in is the part of My Network Places that is nearest to us - those are the computers that we need access to the most. A workgroup provides a way of identifying the computers that relate closely to our computer.

A domain, on the other hand, is a collection of computers that trust each other. When your computer is joined to a domain, it sets up a two way trust, where the computer and the domain are configured to trust each other.
  1. You authenticate (login as a local administrator) to your computer.
  2. You allow a domain administrator to authenticate to the domain from your computer.
  3. Your computer learns to trust the domain. A "certificate" from the domain is added to your computer.
  4. The domain learns to trust your computer. A "certificate" from your computer is added to the domain.


The domain membership also gives workgroup visibility. You see the other members of "your" domain, as you would see the other members of "your" workgroup. But the two way trust in the domain is special.
  • You gain access to your computer through domain authentication - you trust the domain, based upon the certificate from the domain that's now on your computer, and upon the credentials (domain account / password) that you supply.
  • You gain access to domain resources in a similar way, from the certificate from your computer that's now in the domain, and from the credentials that you supply.
  • Other people in your work area, and presumably in your domain, can potentially access your computer, as you access theirs.
  • For an allegorical description of two factor (certificate / credential) authentication, see Designing an Authentication System....


Most small LANs will use workgroups, although small domains are worthwhile. Domain membership provides two components - Authentication / Authorisation, and Browsing. Workgroup membership provides one component - Browsing. Workgroup membership provides no authentication / authorisation; that must be provided by duplicate accounts set up on both the client and the server.

Outside of becoming invisible in Network Neighborhood, by changing your domain / workgroup membership, you are not adding to your security at all. Becoming invisible is simply a form of Security By Obscurity. If you're on a network with untrustworthy computers or people, making yourself invisible won't protect you; you need Layered Protection, including a perimeter and / or personal firewall.


Name To Address Resolution
You might call the computer in your kitchen "Kitchen Computer", but it's a safe bet that your equipment will call it something more definitive, like "192.168.0.101" (an IP address), or "06-04-7A-D7-EF-BA" (a MAC address). The IP address, and the MAC address, are used by the various operating systems and network devices to send messages from computer to computer.

The process of translating a name like "Kitchen Computer" to an IP address like "192.168.0.101" is called name resolution. Name resolution is provided independently of domain / workgroup membership. A domain may contain a DNS or WINS server, but that's not a given. Less likely, but still possible, a workgroup may contain either. Without a name resolution server, all computers use peer-peer name resolution. Please don't confuse peer-peer resolution with Node Type "Peer-Peer", which is just the opposite.

If your network (domain or workgroup) is set up properly, but does not contain a DNS or WINS server, all computers will use peer-peer broadcasts to resolve names. Using IP addresses to refer to computers should not be necessary, except in extreme situations. And, if you're using an alternate protocol, an IP address won't work at all.
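To make the peer-peer versus WINS distinction concrete, here is an added example (not from the original post) that builds the NetBIOS name query a Windows client sends on UDP port 137, with the broadcast (B) flag set for peer-peer resolution or cleared for a directed WINS query, and parses the positive response that carries the IP address. The response bytes are constructed locally from the same functions, so it runs offline; the name "KITCHEN" and address 192.168.0.101 are sample values.

```python
import socket
import struct

# NetBIOS Name Service (NBNS) values from RFC 1001/1002; the service runs on UDP port 137.
QTYPE_NB = 0x0020               # NetBIOS general name service record
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110  # opcode QUERY, RD=1, B=1: peer-peer broadcast on the subnet
FLAGS_UNICAST_QUERY = 0x0100    # opcode QUERY, RD=1, B=0: directed at a WINS server

def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the service suffix
    (0x20 = File Server), then split each byte into two nibbles and add 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (ord("A") + (c >> 4), ord("A") + (c & 0x0F)))

def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name: str, txid: int, broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST: 12-byte header plus one question (50 bytes total)."""
    flags = FLAGS_BROADCAST_QUERY if broadcast else FLAGS_UNICAST_QUERY
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NB, QCLASS_IN)

def build_positive_response(name: str, ips: list[str], txid: int, ttl: int = 300000) -> bytes:
    """POSITIVE NAME QUERY RESPONSE as the owning node (or a WINS server) returns it.
    Used here to construct sample input; NB_FLAGS 0x0000 = unique name, B-node owner."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # R=1, AA=1, RD=1, RCODE=0
    rr_name = b"\x20" + encode_netbios_name(name) + b"\x00"
    rdata = b"".join(b"\x00\x00" + socket.inet_aton(ip) for ip in ips)
    return header + rr_name + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata

def parse_name_response(packet: bytes) -> tuple[str, list[str]]:
    """Parse a positive response; returns (name, [IPv4 address, ...])."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or flags & 0x000F or ancount == 0:
        raise ValueError("not a positive name query response")
    # Answer RR layout: 0x20, 32 encoded chars, 0x00, TYPE, CLASS, TTL, RDLENGTH, RDATA
    name, _suffix = decode_netbios_name(packet[13:45])
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[46:56])
    # Each RDATA entry is 6 bytes: NB_FLAGS (2) followed by an IPv4 address (4).
    addrs = [socket.inet_ntoa(packet[o + 2:o + 6]) for o in range(56, 56 + rdlen, 6)]
    return name, addrs
```

When diagnosing name resolution with a packet capture, the B flag in the query header tells you immediately whether a client is broadcasting to its subnet or asking a WINS server, and the RDATA of the reply is the address the client will use for the SMB connection.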


Browsing
Each domain / workgroup uses a browser server to tell it what resources are out there. For every domain / workgroup on a network, there should be at least one browser server in that domain / workgroup.

You can have computers in a workgroup, sharing a network with a domain. If a workgroup has its own browser server, the computers in the workgroup can see each other, and can see the computers in the adjoining domain.

If a workgroup has no browser server, its members will still be able to see each other, and the computers in the domain, if you make the workgroup name identical to the domain name. If you have a computer that's not a domain member, AND you give that computer a workgroup name identical to the domain name, the browser servers in the domain will provide visibility between that computer and the computers in the domain.

In order for browsing to work properly, several essential relationships have to exist between the various computers on the LAN in question.

Does your domain / workgroup occupy multiple subnets? If so, you need to know about Browsing Across Subnets. Do you maybe have two (or more) routers, but would prefer to have one subnet? If so, then read about File Sharing On A LAN With Two Routers.


The Total Picture
Browsing is, arguably, not essential in a small LAN. Without the use of a browser server, a common workaround is to make an ad hoc mapping to a share.

  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerName" (substituting the other computer's name, and omitting the quotes), and hit Enter.


Or, you may make a persistent mapping from Windows Explorer.
  • Select Tools, then Map Network Drive, from the Windows Explorer menu.
  • Substitute the Server, and Share, into "\\Server\Share" as entered into the Folder: box.
  • Select "Reconnect at logon", if desired.
  • Select the Finish button.


Name resolution is not essential either. Without the use of name resolution, you can map a resource by substituting the IP address of the server for the name (again, only if you're using NetBIOS Over TCP/IP as the transport).
  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerIPAddress" (substituting the other computer's IP address, and again omitting the quotes), and hit Enter.


But, when you use Network Neighborhood (My Network Places) to provide a neat list of all the shared folders and printers on your network, you select and double click on a share, and you get a connection, you are using, in turn,

If you're having a problem with Network Neighborhood:
  • Network Neighborhood is empty, or lacks an entry for one or more computers that you know are there.
  • Computer A shows in Network Neighborhood for Computer B, but Computer B doesn't show in Network Neighborhood for Computer A.
  • You get an error "(Workgroup) is not accessible..." when opening Network Neighborhood.
  • You get a variant (and there are many variants here) of "not accessible / name not found ... access denied" when clicking on an entry in Network Neighborhood.

then you likely have a problem with either browsing, or name resolution. Diagnose Windows Networking first. If, and only if, you can't find any problems with Windows Networking, look at File Sharing. Whenever working on problems with Windows Networking, work from the bottom up.

You may also benefit from reading about Server Message Blocks, and Windows Networking.

Authentication and Authorisation
Whether or not you use the browser to list resources, and / or name resolution to locate the resources, you will still have to set up authentication and authorisation properly if you wish to actually connect to, access, and change those resources. You can avoid use of the browser, and of name resolution; you cannot avoid authentication and authorisation.


1 comments:

Unknown said...

Hello,

I'm in the process of setting up a samba server and, on the way, I'm trying to fully understand windows networking layers and why it evolved from NetBIOS to SMB, to workgroup, to domain and finally to Active Directory.

Samba doc states that Windows 9x series uses 3 types of passwords: "local" Windows password (only used to gain access to the pwl file containing other passwords), Windows network password and share specific passwords.

I enjoyed your blog post but still can't figure out what the "Windows networking password" is used for... In the Windows 9x series AD does not exist, only workgroups do. And workgroup networking being a peer to peer type of network, there is no central authentication. That's why I don't get where the network password fits.
Do you have the answer?

Cheers,
Gildas