WINDOWS 2000 TROUBLESHOOTING TCP/IP, Part 2

48 Chapter 1 • TCP/IP Overview
new operating system is done in a well-organized fashion. Testing and
prototyping, pilot programs, and a thoughtfully-planned rollout strategy
will go a long way toward reducing the incidence of troubleshooting that
will be required later on.
FAQs
Q: Why do some books specify that certain software components, such as
redirectors, operate at the Application layer, while others say that
redirectors work at the Presentation layer?
A: There are a few reasons for the discrepancy. First, there are many
different types of network redirectors, some of which are part of the
operating system, and others (such as the Novell Client 32 software
for connecting a Windows machine to a NetWare network) made by
third parties. Additionally, some books reference the OSI networking
model, which consists of seven layers, while others are basing their
statements on the DoD model, which only has four. A component that
operates at the Presentation layer of the OSI model would be operating
at the Application (or Application/Process) layer of the DoD model.
Q: It’s called TCP/IP. What are all those other protocols, and what are
they for?
A: TCP and IP are the “core” protocols (sometimes called the “protocol
stack”), but an entire suite of useful protocols has grown up around
them. Some of these provide for basic functionality in performing such
common network tasks as transferring files between two computers
(FTP) or running applications on a remote computer (Telnet). Others
are used for information gathering (SNMP, NETSTAT, IPCONFIG), and
many are troubleshooting tools that also allow you to perform basic
configuration tasks (ARP, ROUTE).
Q: What is the difference between TCP and UDP if they both operate at
the Transport layer?
A: Although both TCP and UDP are Transport layer protocols and provide
the same basic function, TCP is a connection-oriented protocol, which
means a session is established before data is transmitted, and
acknowledgments are sent back to the sending computer to verify that
the data did arrive and was accurate and complete. UDP is
connectionless; no session or one-to-one connection is established
prior to data transmission. This makes UDP the faster of the two, and
TCP the more reliable.
91_tcpip_01.qx 2/25/00 12:26 PM Page 48
Q: What is the purpose of a networking model? How will knowing this
theoretical stuff help me in administering my TCP/IP network?
A: The models give us a way to understand the process that takes place
when computers communicate with each other across the network,
the order in which tasks are processed, and which protocols are
responsible for handling which duties. Understanding the models will
help you to narrow down the source of your TCP/IP connectivity
problems. For example, if you know that the data is being sent but is
not arriving at the correct destination, you will know to start
troubleshooting by examining what is happening at the Network layer,
since that’s where addressing and routing take place.
Q: Why do we need three different networking models? Why can’t
everyone use the same one?
A: Actually, that was the plan when the ISO developed the Open Systems
Interconnection model. It was to be the common standard used by all
vendors and software developers in describing the network
communication process. The DoD model actually predates the OSI,
and the seven-layer OSI model builds on (and further breaks down)
the components of the DoD model. However, individual vendors such
as Microsoft still use their own models, which map more closely to
their software (such as the Windows NT/2000 model), although they
also use the OSI model as a guideline.
Q: What is a gateway, and why would I need one?
A: The word gateway has many different meanings in the IT world. A
protocol translating gateway translates between different protocols.
Think of it as the United Nations interpreter of the networking world.
If the president of the United States needs to exchange information
with the president of France, but neither speaks the other’s language,
they can call in someone who is fluent in both to help them get their
messages across. Similarly, if a mainframe system and a Windows
2000 computer need to communicate with one another—perhaps the
mainframe has important files that need to be accessed by the PC—
but they don’t know how to “talk” to each other, you can install a
gateway to clear up the confusion. The gateway is even more skilled
than the interpreter is; it actually fools the mainframe into believing
it’s communicating with another mainframe, and makes the PC think
it is having a “conversation” with a fellow PC. Gateway is also the term
used to refer to the address of a router that connects your network to
another, acting as the gateway to the “outside world.”
Chapter 2
Setting Up a Windows 2000 TCP/IP Network
Solutions in this chapter:
• Designing the Network
• Migrating from Windows NT 4.0
• Migrating from Novell NetWare
• Setting Up a Windows 2000 TCP/IP Network from Scratch
Introduction
The process of setting up a new TCP/IP-based Windows 2000 network
can be relatively simple or hopelessly complex. Whether you’re building a
brand new network from scratch or migrating to Windows 2000 from
another operating system(s), planning is the key.
No set formula works in every situation. You may encounter issues in
upgrading your NT 4.0 network that will be completely different from
those involved in migrating from NetWare or UNIX. If you’re starting at
ground zero, constructing a new network where there was none before,
you’ll have more options, but that can make your job more challenging
instead of less.
Fortunately, even though every case is different, there are some general
guidelines that are common to all, and design checklists to get you
started. Migrating or creating a network is a massive undertaking. A
TCP/IP network will usually require more planning than one that runs on
IPX or NetBEUI, due to the potential complexity of IP addressing issues.
Likewise, planning a Windows 2000 network may require more (or a different
type of) planning than one based on NT servers due to the greater
complexity of the directory services structure. If a functioning network is
already in place and is running a different protocol stack or network
operating system, you will face special challenges. Each migration scenario
presents its own unique problems and opportunities.
In this chapter, we will examine some of the more common situations
you may encounter in setting up a new Windows 2000 TCP/IP network,
either “from the ground up” or making the switch from another popular
network operating system.
Designing a New Windows 2000 TCP/IP Network
Good network design is key in preventing later problems. As a network
administrator, you may have come to the job too late to have much (or
any) input into the design process. If the network infrastructure was
already in place when you took on the position, you inherited the problems
of your predecessor.
Your network may have been carefully and thoughtfully planned, with
future upgrades in mind. If so, count yourself lucky. All too often, a network
just “grows that way.” As the computing and connectivity needs of
the organization expand, a server is added here, a router is installed
there, and systems are upgraded in some departments but not in others.
The result is a diversity of hardware and software configurations in place
throughout the network. This can make for many administrative
headaches.
In building a new network, you face a lot of hard work, but you have
the chance to learn from past mistakes (both yours and those of others
who came before you) and do it right. Patience is a virtue, and this is
never truer than when planning the design of a new Windows 2000
TCP/IP network.
The Planning Team
Two or more heads are often better than one when it comes to putting
together an upgrade plan. In all but the smallest organizations, you
should first gather a planning team to share the multiplicity of tasks
involved and to lend different perspectives in the important early design
stages. Your team members should be well versed in the company’s
unique needs, the Windows 2000 operating system, and how TCP/IP
communication works.
In some cases, it may be beneficial to hire outside consultants who
are experienced in network design. However, those who will ultimately be
responsible for administering the network should be heavily involved in
the planning process from the beginning. Some companies make the mistake
of asking for a “turn key operation,” thinking this means that no one
on staff has to bother with design and setup issues. You pay someone
else (usually quite handsomely) to do it all, and a few months later they
hand you a complete, ready-to-go-online enterprise-level network. The
idea sounds attractive, but it can turn into a nightmare later on. Those
who will be working with the hardware and software on a daily basis can
give valuable input during the planning stages, which may prevent many
common post-deployment problems.
Whether you recruit and lead a planning team from within the organization
or work closely with an outside group, it’s important that you, the
network administrator, be aware of some of the issues involved in establishing
a new Windows 2000 network.
Planning the Hardware Configurations
One of the strengths of the TCP/IP protocol stack is that it will run on
almost any hardware platform. However, the Windows 2000 operating
system has minimum hardware requirements that must be considered in
planning any new installation, upgrade, or migration. Hardware-related
problems can be mistaken for TCP/IP connectivity problems, so in order
to reduce the time spent troubleshooting communication problems, start
with the proper hardware.
You can avoid many problems by ensuring that your systems and
their components meet the minimum requirements. Check the Hardware
Compatibility List (HCL) on Microsoft’s Web site before implementing
Windows 2000 on your network. Plan to upgrade hardware that does not
meet the requirements, or alternately, to run so-called “down-level” operating
systems on those computers (Windows NT or Windows 9x) until they
can be upgraded or replaced.
NOTE: Hardware Compatibility Lists for all current Windows operating systems can
be found at www.microsoft.com/hwtest/hcl/.
In general, Microsoft’s published minimum system requirements to
run Windows 2000 include:

• Pentium 133 or equivalent processor
• 64MB RAM for Windows 2000 Professional; 128MB RAM for Windows 2000 Server/Advanced Server
• Approximately 1GB hard disk space
• VGA or better display; keyboard (mouse optional)
These should be taken as absolute minimums, not as recommendations.
Optimum performance will require more memory and faster processor(s),
especially for heavily-used servers. A Windows 2000 server acting
as a domain controller (DC), due to the high overhead required for the
Active Directory, realistically requires a minimum of 128 to 256MB of
RAM for minimally acceptable performance.
Disk space requirements vary widely depending on whether you are
installing to a clean drive or upgrading a previous operating system, what
file system is being used, and other factors. It is important that you
assess your needs carefully, in accordance with budgetary and other considerations.

Planning the Physical Layout
The physical layout, or topology, of the network will directly or indirectly
influence such things as the type of cabling to be used, the media access
control method, the limitations on cable distance, number of nodes per
segment, and other “rules and regulations” with which you must comply
to meet standard specifications for Ethernet, Token Ring, or other network
types.
Numerous excellent resources offer guidance in the implementation of
the popular network topologies and architectures. In some cases, the network
administrator will be directly involved in selecting cable types and
choosing individual pieces of network hardware. In a large network environment,
an outside firm may be hired and given an overall “mission,”
and granted the authority to make most such decisions. Either way, it is
important to ensure that the final implementation complies with ISO,
IEEE, and other industry standards, and building codes and other local
regulations.
Diagramming the Network Layout
One of your most important tasks in planning the physical layout is to
diagram the network. There are many excellent software tools, such as
Visio, that you can use to visually represent the layout and show the connections
of servers, hubs, routers, workstations, and other network
devices. See Figure 2.1 for an example of a Visio drawing using the network
diagramming templates included with the software.
Figure 2.1 A simplified sample network diagram.
[Diagram labels: Internet, Proxy Server, Router, two Hubs, the domains tacteam.net, dev.tacteam.net and federation.tacteam.net, and workstations Wkst1, Wkst2, Wkst3, WkstA, WkstB and WkstC.]
Whether you use diagramming software to construct a professional-looking
diagram or simply sketch the network layout manually, how you
do it is less important than getting it done. You may be tempted to skip
this step if you’re on a tight schedule, thinking you can always come back
and create this documentation after the fact.
However, the network diagram, properly used, is more than just a
record of the network’s design. It is also a planning tool. It is much easier
to move devices around and reroute cabling on paper (or on the screen)
than it is to lug those heavy pieces of equipment from place to place or
manipulate lengths of twisted pair through crawlspaces to “try out” different
configurations in the corporeal world. You can save much time, effort,
and aggravation by considering different options during the diagramming
stage.
Remember that later changes to the infrastructure will be expensive
and time-consuming, and may result in high indirect costs due to downtime.
The physical aspects of the network are its foundation, so get that
right from the beginning and you will automatically reduce the chances of
problems in the future.
TIP: Visio 2000 Enterprise edition will even discover and draw out the network
for you! For more information, see www.visio.com/visio2000/enterprise/.
Planning for Sites
If you built or worked with wide area networks (WANs) based on NT 4.0
servers, you probably thought of each separate geographic location, such
as a branch office, as a “site.” In Windows 2000 TCP/IP networking, the
term “site” has a new and specific meaning, and site planning has taken
on a new importance.
What Is an Active Directory Site?
According to Microsoft, in Windows 2000 a site is defined as “one or more
well-connected (highly reliable and fast) TCP/IP subnets that allows
administrators to configure Active Directory access and replication topology
quickly and easily to take advantage of the physical network.” Sites are
published to the Active Directory, which uses the site information in performing
replication and responding to service requests. The goal is to
improve the efficiency and performance of the WAN.
Note that creating a site is a way of grouping together computers that
have a fast connection. A site does not necessarily represent a group of
computers that are at the same physical location. The site concept is
independent of domain configuration. A site can span multiple domains,
or one domain may include computers at different sites.
In general, computers in the same TCP/IP subnet will share a fast
connection (Microsoft documentation refers to them as “well connected”).
Thus when you set up a new Windows 2000 network, subnetting decisions
and site planning will go together.
Sites are created and configured using the Sites and Services MMC.
To access the MMC:
Start | Programs | Administrative Tools | Active Directory Sites and Services.
Figure 2.2 shows how a new site is created with this tool.
Figure 2.2 Using the AD Sites and Services MMC to create a new site.
With this tool, you can establish links between two or more sites, set
up replication frequency, configure site link cost, create subnets and
associate them with sites, force replication over a connection, and perform
many other tasks involved in using Active Directory sites.
NOTE: Site link costs are defined by the administrator, using relative numbers. The
cost of the replication over the link is based on the speed of the
connection, in relation to other links. For example, if two sites A and B are
connected with a high-speed T1 connection, and sites A and C are
connected by a 56K modem connection, the “cost” value assigned to the A-C
link would be higher than that assigned to A-B.
How Sites Are Used in Windows 2000 Networks
Once sites are set up, Windows 2000 and the Active Directory use them
for three primary purposes:

• To optimize logon authentication
• To optimize Active Directory replication
• To optimize Active Directory enabled services
Optimizing Logon Authentication
Sites are used during domain logon, to optimize the logon authentication
process. When a computer initiates logon to the domain, the global catalog
(GC) will be searched for a domain controller that belongs to the same
site as the computer that is logging on. This minimizes the possibility of
computers using a slow WAN link to log on.

Optimizing Active Directory Replication
The Active Directory uses Windows 2000 site information in determining
how and when to replicate directory information between domain controllers.
In Windows NT 4.0 networks, only the primary domain controller
(PDC) has a writable copy of the security accounts database, and read-only
copies are replicated to backup domain controllers (BDCs) on a regular
basis. In Windows 2000 networks, all domain controllers have a
complete read/write copy of the Active Directory partition, which contains
the security database and other directory information.
Since changes can be made to any of these domain controllers, it is
important that those changes be replicated to other domain controllers
throughout the network to keep each up to date. Replication traffic can
become a problem on a heavily-used network, so Microsoft uses the site
concept to attempt to achieve a balance and reduce “traffic jams” caused
by frequent replication across low-bandwidth links.
Windows 2000 allows the administrator to customize the replication
schedule between sites by creating site links. Replication between domain
controllers within a site (intrasite replication) can take place at shorter
intervals, while replication to domain controllers at remote sites can be
scheduled less frequently, and/or configured to occur at low-usage times
of the day.
Optimizing Active Directory Enabled Services
Services that use the Active Directory for distribution of information will
also show increased performance when AD sites are properly planned and
implemented.
In a Windows 2000 network, the Active Directory can be used to publish
what Microsoft calls “service-centric” configurations to make a service
more accessible and easier to manage. When the service is published to
the Active Directory, applications can access the directory for information
that they can use to access the servers’ services. The advantage is that
the client doesn’t have to know which server a resource resides on in
order to access it. The request for services is made to the Active Directory
itself, which is always located on a domain controller.
TIP: The Services node is not displayed by default in Active Directory Sites and
Services. To show it, you must open the Sites and Services administrative
tool and choose “Show services node” on the View menu.
What type of service information would you want to publish to the Active
Directory? Most commonly, this would include configuration information. This
information is then accessed by the client applications so that less manual
configuration of applications is required of users and administrators.
Planning the Namespace
An integral part of a Windows 2000 TCP/IP network is the Active
Directory namespace. Unlike a Windows NT network, the Windows 2000
namespace is hierarchical. That is, domains are structured in trees,
which start with a root domain under which subdomains (called “child
domains”) exist, with each child domain incorporating the parent
domain’s name as part of its own. Separate trees can be combined into
forests in which each tree has a unique namespace, but within which the
root domains of all the trees share a transitive trust relationship. Figure
2.3 demonstrates the domain relationships in a Windows 2000 network.
You will notice that the hierarchical namespace used by Active
Directory is patterned after the Domain Name System (DNS) namespace
used on the Internet. In fact, DNS (or Windows 2000’s dynamic implementation,
called Dynamic DNS, or DDNS) is a required service on a
Windows 2000 network using Microsoft’s new directory services.
You will want to plan the namespace carefully, considering such factors as:
• Geographic divisions of the company
• Divisions of administrative responsibility
• Special needs requiring different domain policies (language and currency differences, for instance)
• Potential replication traffic
Creation of the namespace should be done in conjunction with the
creation of IP subnets and Active Directory sites.
Planning the Addressing Scheme
Another important aspect of planning the new network is giving some
thought to your IP addressing scheme. For TCP/IP communication to take
place, each network interface (which includes each network card in each
computer, and each router interface) must be assigned an IP address that
is correct for the network segment to which it is attached. In configuring
the TCP/IP protocol, it is mandatory that you either enter an address
manually or set up the computer to get an address automatically from a
DHCP server.
Figure 2.3 Two domain trees in a Windows 2000 forest.
[Diagram: root domains tacteam.net and shinder.net; the tacteam.net tree contains dev.tacteam.net and fed.tacteam.net; the shinder.net tree contains training.shinder.net and efc.training.shinder.net.]
You also must configure each TCP/IP computer with a subnet mask,
which is used to determine what portion of its IP address represents the
network identification and what part represents the particular host computer
on that network. If your class A, B, or C network is divided into
subnets, the subnet mask must be calculated based on the desired number
of network IDs and the desired number of hosts per subnet. For more
detailed information on IP subnetting, see Chapter 8, “Troubleshooting
Windows 2000 NetBIOS Name Resolution Problems.”
NOTE: If your network is not subnetted, you can use the default subnet mask for
that network class. In decimal form, the default subnet masks are as
follows:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0
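The calculation described above (a subnet mask derived from the desired number of network IDs and hosts per subnet) can be worked through in code. The following Python sketch is an added example, not part of the original book; the function names and the sample networks are hypothetical, and it assumes all subnets are usable unless legacy=True is passed, which applies the older convention of excluding the all-zeros and all-ones subnets.

```python
import ipaddress
from itertools import islice

# Default prefix lengths for the classful masks listed above
# (255.0.0.0, 255.255.0.0, 255.255.255.0).
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(network_id):
    """Return 'A', 'B' or 'C' based on the first octet of a network ID."""
    first = int(ipaddress.IPv4Address(network_id)) >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    raise ValueError(f"{network_id} is not a class A, B or C network")


def plan_subnets(network_id, subnets_needed, hosts_per_subnet, legacy=False):
    """Work out the subnet mask for a classful network.

    Borrows the fewest host bits that yield enough subnets, then checks
    that the remaining host bits still hold the required hosts.
    legacy=True (an assumption, not from the book) excludes the all-zeros
    and all-ones subnets, as older routers required.
    """
    base = DEFAULT_PREFIX[address_class(network_id)]

    # Usable hosts = 2**host_bits - 2 (network and broadcast are reserved).
    host_bits = (hosts_per_subnet + 1).bit_length()

    if subnets_needed <= 1:
        borrowed = 0                      # not subnetted: default mask applies
    elif legacy:
        borrowed = (subnets_needed + 1).bit_length()   # 2**n - 2 >= needed
    else:
        borrowed = (subnets_needed - 1).bit_length()   # 2**n >= needed

    if base + borrowed + host_bits > 32:
        raise ValueError(
            f"{subnets_needed} subnets of {hosts_per_subnet} hosts do not fit "
            f"in {network_id}/{base}"
        )

    prefix = base + borrowed
    network = ipaddress.ip_network(f"{network_id}/{base}", strict=False)
    lost = 2 if (legacy and borrowed) else 0
    return {
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask),
        "prefix": prefix,
        "subnets_available": 2 ** borrowed - lost,
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
        # Only the first few subnets; a class A plan can have thousands.
        "first_subnets": [str(s) for s in islice(network.subnets(new_prefix=prefix), 4)],
    }


if __name__ == "__main__":
    # Constructed sample requirements, not taken from the book.
    for args in [("192.168.1.0", 6, 30), ("172.16.0.0", 100, 500), ("10.0.0.0", 1, 1000)]:
        print(args, plan_subnets(*args))
```

A request that cannot fit, such as 10 subnets of 30 hosts in a single class C network, raises ValueError instead of returning a mask that silently leaves too few host addresses.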
In planning your IP addressing scheme, you need to consider whether
you will reserve a block of public addresses so that each computer can
access the Internet via a registered address, or whether you will use a proxy
server or Network Address Translation (NAT) to provide Internet access to
multiple computers through one registered address. Will you assign IP
addresses manually, via a DHCP server, or a combination of the two?
You must decide whether to divide the network into subnets. Unless it
is a very small organization, it’s likely that you will need to do so in order
to optimize performance. It will also be necessary to consider the best
placement of routers, domain controllers, DNS, WINS, and DHCP servers.
Installing and Configuring Windows 2000 TCP/IP
The first step in preventing problems with TCP/IP connectivity is to ensure
that the protocols are installed and configured properly. Windows 2000 makes
it easy; in fact, TCP/IP is the default networking protocol and is normally
installed when you install the operating system. If it was not, or if it has been
removed, installing the TCP/IP suite is a straightforward process.
Installing TCP/IP on a Windows 2000 Computer
Before beginning the installation process, be sure you have the information
that will be needed as you go through the steps. First, you must
know whether your network uses a DHCP server or manual IP address
assignment. If you are going to assign an address manually, you will need
to have the following information:

• A valid address for the network segment on which the computer will reside, not currently in use by another computer
• A valid subnet mask
• The IP addresses of the DNS and WINS servers that the computer will use for name resolution
• The IP address of the default gateway (router) for your network segment, if applicable
You should write this information down and keep it with other documentation
for the computer, so that if the settings are lost and must be
reconfigured at a later time, you will have it at hand.
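Before typing the values listed above into the TCP/IP Properties sheet, they can be checked against each other. The following Python sketch is an added example, not part of the original book; the function names, messages, and sample addresses are hypothetical, and the list of addresses already in use is assumed to come from your own documentation.

```python
import ipaddress


def mask_to_prefix(mask):
    """Return the prefix length of a dotted-decimal subnet mask.

    Raises ValueError when the 1-bits are not contiguous from the left,
    which is what makes a mask invalid.
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = ~value & 0xFFFFFFFF
    if value == 0 or inverted & (inverted + 1):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return bin(value).count("1")


def check_static_config(ip, mask, gateway=None, name_servers=(), in_use=()):
    """Return a list of problems found in a manual TCP/IP configuration.

    gateway=None models a non-routed network (gateway field left blank).
    in_use holds addresses already assigned on the segment.
    """
    try:
        prefix = mask_to_prefix(mask)
        host = ipaddress.IPv4Address(ip)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    segment = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    reserved = (segment.network_address, segment.broadcast_address)

    # The address must be a usable host address that nobody else holds.
    if host in reserved:
        problems.append(f"{host} is the network or broadcast address of {segment}")
    if host in {ipaddress.IPv4Address(a) for a in in_use}:
        problems.append(f"{host} is already in use on this segment")

    # A default gateway is only reachable if it sits on the local segment.
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in segment:
            problems.append(f"default gateway {gw} is not on segment {segment}")
        elif gw == host or gw in reserved:
            problems.append(f"default gateway {gw} is not a usable router address")

    # DNS/WINS servers on another segment need a gateway to be reachable.
    for server in name_servers:
        addr = ipaddress.IPv4Address(server)
        if addr not in segment and gateway is None:
            problems.append(
                f"name server {addr} is off-segment and no default gateway is set"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the book.
    print(check_static_config("192.168.1.10", "255.255.255.0",
                              gateway="192.168.2.1",
                              name_servers=["192.168.1.2"],
                              in_use=["192.168.1.20"]))
```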
Network Design Checklist
❏ Put together a planning team of persons who are
  • Knowledgeable about how a TCP/IP network works
  • Knowledgeable about the Windows 2000 operating system
  • Knowledgeable about the company’s unique needs
❏ Assess hardware
  • Check the Hardware Compatibility List
  • Upgrade if necessary
❏ Plan the physical layout of the network
  • Select the topology
  • Check requirements for compliance with standards and regulations
  • Diagram the network
❏ Plan Active Directory sites
❏ Plan the Active Directory namespace
❏ Plan the IP addressing scheme
NOTE: If your network is not routed, the default gateway parameter is left blank.
When you have all of the required information, you can proceed with
installing the protocols. You will need to configure TCP/IP for each network
adapter card that will use the protocol.
TIP: The easiest way to find the subnet mask, gateway, and name resolution
server information is to look at the TCP/IP configuration screen on another
computer that is successfully connected on the same network segment.
The Protocol Installation Process
Those who are familiar with installing networking components in Windows NT
will find that the interface has changed in Windows 2000. To install TCP/IP (or
other protocols), open the Network and Dialup Connections applet:
Start | Settings | Network and Dialup Connections
You can then select the icon for the network connection over which you
wish to use TCP/IP (or click the Make New Connection icon to create one). In
our example, this is our local area network connection (see Figure 2.4).
Double-click the connection’s icon and click PROPERTIES. This will open
a screen similar to the one shown in Figure 2.5.
The Properties sheet will list those protocols and components already
installed, and allow you to install, uninstall, and configure the properties
of networking components.
WARNING: If you uninstall a protocol, it will be uninstalled for all network connections
on your computer that use this adapter, not just the connection associated
with the Properties sheet from which you uninstall it. For example, if you
uninstall TCP/IP in the VPN connection Properties sheet, it will no longer be
available for your local area connection. There is no warning message
informing you of this, so be careful when uninstalling protocols.
To install the TCP/IP protocol, click INSTALL. You will see the screen
shown in Figure 2.6.
Select Protocol from the list of component types, and click ADD. You
will be shown a list of the protocols available for installation, as in Figure
2.7.
Click Internet Protocol (TCP/IP), and click OK. The protocol stack will
be installed on your computer, and will now show up in the list of protocols
on the Properties sheet for the connection.
TIP: Unlike Windows NT, Windows 2000 will not display TCP/IP (or other
components) in the list of available protocols to be installed if it is already
installed, so you cannot install multiple instances of the protocol.
Figure 2.4 Select a network connection for which you wish to install TCP/IP.
Figure 2.5 The Properties sheet for the local area connection shows which
components and protocols are installed for this network adapter.
Figure 2.6 The Select Network Component Type dialog box allows you to add client
software, a network service, or a networking protocol.
Configuring TCP/IP
The next step is to configure TCP/IP’s properties. To do so, select it on
the Network Components Properties sheet (the same one shown previously
in Figure 2.5) and click PROPERTIES. You will see the TCP/IP Properties
sheet shown in Figure 2.8.
If there is a DHCP server on your network that this computer will use
to obtain an IP address, select the radio button to obtain an IP address
automatically. Otherwise, you will need to manually configure the IP
address, subnet mask, default gateway, and DNS server address(es).
NOTE: Even if your network uses a DHCP server, some computers—because of their
roles and functions—may need to be assigned static addresses manually. In
general, domain controllers, DNS and WINS servers, and the DHCP server
itself should not use dynamic addresses.
By clicking ADVANCED, you can add multiple IP addresses and gateways,
fine-tune DNS and WINS settings, and enable and configure IP
Security (IPSec) and TCP/IP filtering. These issues will be discussed in
later chapters in conjunction with troubleshooting addressing, name resolution,
and security problems.
Figure 2.7 Select TCP/IP from the list of available networking protocols.
TIP: After installing and configuring TCP/IP, you may need to reboot the
computer in order to log on to your Windows 2000 domain.
Figure 2.8 Use the TCP/IP Properties sheet to assign addressing information.
TCP/IP Installation and Configuration Checklist
❏ Gather needed information
  • DHCP server address or
  • IP address to be manually entered, DNS and WINS server addresses, subnet mask, and default gateway (if applicable)
❏ Install the TCP/IP protocol
❏ Configure the TCP/IP protocol
Upgrading to Windows 2000 from Windows NT 4.0
Microsoft designed Windows 2000 as the successor to Windows NT 4.0,
so some thought and planning were given to providing a viable upgrade
path. You may find, however, that restructuring your NT 4.0 network
prior to the upgrade will make the transition to Windows 2000 go more
smoothly. There are several NT domain models, and some will be easier to
upgrade than others. In particular, you may find it expedient to combine
several NT domains into one before the upgrade.
A Windows 2000 network generally requires fewer domains than NT
networks. This is because in Windows NT networks, the domain was the
smallest security entity. If you wished to decentralize administrative
authority, you needed to create separate domains. Windows 2000 allows
for more granular assignment of administrative privileges. Organizational
units (OUs) can be created and control over different OUs given to
different persons without making them administrators over the entire domain.
Another reason for creating new domains in an NT network was the
limitation on the number of security principals (user and group accounts)
that could exist in a domain. Since Microsoft recommended that the
Security Accounts Database not exceed 40MB in size, for practical
purposes an NT domain could only contain about 40,000 accounts, which
represented the total of user, computer, global group, and local group
accounts. With Windows 2000, security information is kept in the Active
Directory, which can hold literally millions of security objects.
NOTE
Compaq Corporation has been able to run successful simulations of
Windows 2000 Advanced Server with up to 16 million security principals!
The Windows NT Domain Models
In Microsoft networking, a domain is a basic security unit, with a unique
name, which provides access to the centralized user accounts and group
accounts maintained by the administrator of the domain. Each domain
has its own security policies and security relationships (called trust
relationships) with other domains. Domains can span multiple physical
locations.
Four basic domain models are recognized in NT server-based networking:
    • Single domain
    • Single master domain
    • Multiple master domains
    • Complete trust
Let’s look at each of these in the context of preparing for an upgrade
to Windows 2000.
Single Domain
The single domain model is simple. As the name implies, the network
consists of one domain to which all user accounts and resources belong.
See Figure 2.9 for an illustration of a simple single domain network.
Figure 2.9 In the single domain model, all users log on to one domain, and all
resources are located in the same domain.
[Diagram labels: Single Domain; User Accounts; Resources; three Users; Logon]
Obviously, no combining of domains is necessary in this situation.
Single Master Domain
In the single master domain model, the network is structured into two or
more domains, with all user accounts placed in one domain, called the
master domain. All users log on to the master domain. Other domains,
which can hold computer accounts, shared files, printers, and other
network resources, are called resource domains. Figure 2.10 shows the
relationships of domains in the single master model.
Figure 2.10 In the single master domain model, all user accounts are in the
master domain, and resource domains trust the master domain.
[Diagram labels: Master Domain; Resource Domain 1; Resource Domain 2; User1, User2, User3, User4; Logon]
Solid black arrows indicate trust relationships. In this illustration, the
resource domains are shown trusting the master domain, which means
users in the master domain can access shared files, printers, and so on
in the resource domains.
NOTE
In NT, the trust relationship is one-way. In a master domain model, resource
domains do not have access to shares in the master domain.
The advantage of this model is that user accounts can be managed
centrally, while departments or divisions can still manage their own
resources.
Multiple Master Domains
The multiple master domain model is an extension of the single master
model. In this case, there are two or more master domains into which the
user accounts are placed. This is a way of scaling the master domain
concept to a large enterprise network, in which there are too many user
accounts to fit into a single master domain. An example of the multiple
master domain model is shown in Figure 2.11.
Figure 2.11 In the multiple master domain model, user accounts reside in master
domains, which trust each other, and each resource domain trusts all master
domains.
[Diagram labels: Master Domain 1; Master Domain 2; Resource Domain 1; Resource Domain 2; Resource Domain 3; four Users; Logon]
Another reason for creating multiple master domains is to delegate
administrative authority over the user accounts to different
administrators. For example, a company has two distinct divisions, and each wants
to maintain exclusive control over its user accounts. The company also
wants all users from both divisions to be able to access resources
throughout the parent company. The multiple master domain model
would be appropriate in this situation.
Complete Trust
The complete trust domain model certainly sounds good. After all, trust is
the foundation of every good relationship, right? In this case, it turns out
to be another one of those things that seems better in theory than in
practice. The complete trust domain model usually ends up being an
administrative nightmare.
This is because, unlike the master and multiple master models, there
is no hierarchical organization to the complete trust. Every domain has
two one-way trust relationships with every other domain in the network.
User accounts can be located in any domain, as can resources. As the
number of domains increases, this model becomes more and more
unwieldy and difficult to manage. There is no centralized control. Instead,
each domain contains its own security groups and administrators. See
Figure 2.12 for an illustration of how a complete trust works.
Figure 2.12 In the complete trust domain model, all domains can contain both
users and resources, and there are two one-way trust relationships between
every domain and every other domain.
[Diagram labels: Domain 1; Domain 2; Domain 3; each with Users and Resources]
The complete trust is used less often than the other domain models.
As you can see from the illustration, the number of trusts will expand
exponentially as additional domains are added to the network. Even with
only three domains, six trusts must be created and managed. Adding just
one more domain, for a total of four, will increase the required number of
trusts to 12.
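
The trust counts and trust directions described for the domain models above can be checked with a small model of one-way trusts. The Python below is an added example, not code from the book; the domain names (MASTER, RES1, M1, D1 and so on) are constructed, and it assumes that access requires a direct trust, since NT 4.0 trusts are one-way and not transitive.

```python
from itertools import permutations

# A trust is a one-way pair (trusting, trusted): accounts in the trusted
# domain can be granted access to resources in the trusting domain.

def single_master(master, resources):
    """Each resource domain trusts the one master domain."""
    return {(r, master) for r in resources}

def multiple_master(masters, resources):
    """Masters trust each other; each resource domain trusts every master."""
    return set(permutations(masters, 2)) | {(r, m) for r in resources for m in masters}

def complete_trust(domains):
    """Two one-way trusts between every pair of domains."""
    return set(permutations(domains, 2))

def can_access(account_domain, resource_domain, trusts):
    """Own domain, or a domain that directly trusts the account's domain.
    Assumption: only a direct trust counts (NT 4.0 trusts are not transitive)."""
    return (account_domain == resource_domain
            or (resource_domain, account_domain) in trusts)

def exposed_to(domain, trusts):
    """Domains whose accounts can be granted access to resources in `domain`."""
    return {trusted for trusting, trusted in trusts if trusting == domain}

def trust_report():
    """Trust counts for the layouts in Figures 2.10 to 2.12, plus a fourth domain."""
    return {
        "single master, 2 resource domains":
            len(single_master("MASTER", ["RES1", "RES2"])),
        "multiple master, 2 masters, 3 resource domains":
            len(multiple_master(["M1", "M2"], ["RES1", "RES2", "RES3"])),
        "complete trust, 3 domains": len(complete_trust(["D1", "D2", "D3"])),
        "complete trust, 4 domains": len(complete_trust(["D1", "D2", "D3", "D4"])),
    }

if __name__ == "__main__":
    for layout, count in trust_report().items():
        print(f"{layout}: {count} one-way trusts")
    sm = single_master("MASTER", ["RES1", "RES2"])  # constructed domain names
    print("MASTER account -> RES1 resource:", can_access("MASTER", "RES1", sm))
    print("RES1 account -> MASTER resource:", can_access("RES1", "MASTER", sm))
    print("Domains with access into D1 (complete trust):",
          sorted(exposed_to("D1", complete_trust(["D1", "D2", "D3"]))))
```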