Windows 7 Resource Kit- P26
Core Networking Improvements CHAPTER 25
1203
As with other versions of Windows, server-side support for SMB (sharing files and printers)
is provided by the Server service, and client-side support (connecting to shared resources) is
provided by the Workstation service. Both services are configured to start automatically, and
you can safely disable either service if you don’t require it. The security risks presented by
having the Server service running are minimized because Windows Firewall will block incom-
ing requests to the Server service on public networks by default.
Strong Host Model
When a unicast packet arrives at a host, IP must determine whether the packet is locally
destined (its destination matches an address that is assigned to an interface of the host). IP
implementations that follow a weak host model accept any locally destined packet, regardless
of the interface on which the packet was received. IP implementations that follow the strong
host model accept locally destined packets only if the destination address in the packet
matches an address assigned to the interface on which the packet was received.
The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak
host model. Windows Vista and Windows 7 support the strong host model for both IPv4 and
IPv6 and are configured to use it by default. However, you can revert to the weak host model
using Netsh. The weak host model provides better network connectivity, but it also makes
hosts susceptible to multihome-based network attacks.
To change the host model being used, use the following Netsh commands (and specify the
name of the network adapter).
Netsh interface IPv4 set interface "Local Area Connection" WeakHostSend=enabled
Ok.
Netsh interface IPv4 set interface "Local Area Connection" WeakHostReceive=enabled
Ok.
To return to the default settings, use the same command format but disable the
WeakHostSend and WeakHostReceive parameters.
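The following PowerShell script is an added example and is not part of the Resource Kit. It wraps the Netsh commands above to audit every connected adapter for the weak host settings, for both IPv4 and IPv6, and, when run with -Enforce from an elevated prompt, puts the adapter back on the strong host default and re-reads the setting to confirm. It assumes that "netsh interface <family> show interface" prints lines labelled "Weak Host Sends" and "Weak Host Receives", and that the connection names in Win32_NetworkAdapter.NetConnectionID are the names Netsh expects; check both against your own output before relying on the report.

```powershell
# Added example (not from the Resource Kit): audit connected adapters for the weak
# host model and, with -Enforce, restore the strong host default for IPv4 and IPv6.
# Assumptions not stated in the text: the "show interface" output carries the labels
# "Weak Host Sends" / "Weak Host Receives", and Win32_NetworkAdapter.NetConnectionID
# is the connection name Netsh accepts. Run from an elevated prompt.
param([switch]$Enforce)

function Get-NetshValue {
    # Return the value printed after "<Label> :" in a block of netsh output, or 'unknown'.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(\S+)'
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-HostModel {
    # Report WeakHostSend / WeakHostReceive for one adapter and one address family.
    param([string]$Adapter, [string]$Family)
    $out  = @(netsh interface $Family show interface "$Adapter" 2>&1)
    $send = Get-NetshValue -Lines $out -Label 'Weak Host Sends'
    $recv = Get-NetshValue -Lines $out -Label 'Weak Host Receives'
    New-Object PSObject -Property @{
        Adapter         = $Adapter
        Family          = $Family
        WeakHostSend    = $send
        WeakHostReceive = $recv
        StrongHost      = ($send -eq 'disabled' -and $recv -eq 'disabled')
    }
}

function Set-StrongHostModel {
    # Same Netsh commands as in the text, with both parameters set to disabled.
    param([string]$Adapter, [string]$Family)
    netsh interface $Family set interface "$Adapter" weakhostsend=disabled    | Out-Null
    netsh interface $Family set interface "$Adapter" weakhostreceive=disabled | Out-Null
}

# NetConnectionStatus 2 = Connected; NetConnectionID is the "Local Area Connection" style name.
$adapters = Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
            Select-Object -ExpandProperty NetConnectionID

foreach ($adapter in $adapters) {
    foreach ($family in 'ipv4', 'ipv6') {
        $state = Get-HostModel -Adapter $adapter -Family $family
        $state
        if ($Enforce -and -not $state.StrongHost) {
            Set-StrongHostModel -Adapter $adapter -Family $family
            Get-HostModel -Adapter $adapter -Family $family   # re-read to confirm the change
        }
    }
}
```

Run it without -Enforce first: a multihomed computer that someone has deliberately switched to the weak host model for routing or load-balancing reasons will show up here, and that configuration should be understood before the script reverts it.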
Wireless Networking
In Windows Server 2003 and Windows XP, the software infrastructure that supports
wireless connections was built to emulate an Ethernet connection and can be extended
only by supporting additional Extensible Authentication Protocol (EAP) types for 802.1X
authentication. In Windows Vista and Windows 7, the software infrastructure for 802.11
wireless connections, called the Native Wi-Fi Architecture (also referred to as Revised Native
Wi-Fi MSM, or RMSM), has been redesigned for the following:
• IEEE 802.11 is now represented inside of Windows as a media type separate from IEEE
802.3. This allows hardware vendors more flexibility in supporting advanced features of
IEEE 802.11 networks, such as a larger frame size than Ethernet.
• New features in the Native Wi-Fi Architecture perform authentication, authorization,
and management of 802.11 connections, reducing the burden on hardware vendors to
incorporate these functions into their wireless network adapter drivers. This makes the
development of wireless network adapter drivers much easier.
• The Native Wi-Fi Architecture supports APIs to allow hardware vendors the ability to
extend the built-in wireless client for additional wireless services and custom capabilities.
Extensible components written by hardware vendors can also provide customized
configuration dialog boxes and wizards.
In addition, Windows Vista and Windows 7 include several important changes to the
behavior of wireless auto configuration. Wireless auto configuration is now implemented in
the WLAN AutoConfig service, which dynamically selects the wireless network to which the
computer will connect automatically, based either on your preferences or on default settings.
This includes automatically selecting and connecting to a more preferred wireless network
when it becomes available. The changes include:
• Single sign-on  To enable users to connect to protected wireless networks before
logon (and thus, allow wireless users to authenticate to a domain), administrators can
use Group Policy settings or the new Netsh wireless commands to configure single
sign-on profiles on wireless client computers. After a single sign-on profile is configured,
802.1X authentication will precede the computer logon to the domain and users
are prompted for credential information only if needed. This feature ensures that the
wireless connection is placed prior to the computer domain logon, which enables
scenarios that require network connectivity prior to user logon, such as Group Policy
updates, execution of login scripts, and wireless client domain joins.
• Behavior when no preferred wireless networks are available  In earlier versions of
Windows, Windows created a random wireless network name and placed the network
adapter in infrastructure mode if no preferred network was available and automatically
connecting to nonpreferred networks was disabled. Windows would then scan for preferred
wireless networks every 60 seconds. Windows Vista and Windows 7 no longer
create a randomly named network; instead, Windows “parks” the wireless network
adapter while periodically scanning for networks, preventing the randomly generated
wireless network name from matching an existing network name.
• Support for hidden wireless networks  Earlier versions of Windows would always
connect to preferred wireless networks that broadcast a Service Set Identifier (SSID)
before connecting to preferred wireless networks that did not broadcast that identifier,
even if the hidden network had a higher priority. Windows Vista and Windows 7 connect
to preferred wireless networks based on their priority, regardless of whether they
broadcast an SSID.
• WPA2 support  Windows Vista and Windows 7 support Wi-Fi Protected Access 2
(WPA2) authentication options, configurable by either the user (to configure the standard
profile) or by AD DS domain administrators using Group Policy settings. Windows
Vista and Windows 7 support both Enterprise (IEEE 802.1X authentication) and Personal
(preshared key authentication) modes of operation for WPA2 and can connect to ad
hoc wireless networks protected by WPA2.
• Integration with NAP  WPA2-Enterprise, WPA-Enterprise, and dynamic WEP
connections that use 802.1X authentication can use the NAP platform to prevent
wireless clients that do not comply with system health requirements from gaining
unlimited access to a private network.
In addition, troubleshooting wireless connection problems is now easier because wireless
connections do the following:
• Support the Network Diagnostics Framework, which attempts to diagnose and fix
common problems
• Record detailed information in the event log if a wireless connection attempt fails
• Prompt the user to send diagnostic information to Microsoft for analysis and
improvement
For more information about troubleshooting wireless networks, see Chapter 31. For more
information about configuring wireless networks, see the section titled “How to Configure
Wireless Settings” later in this chapter.
Improved APIs
Windows Vista and Windows 7 also include improved APIs that will enable more powerful
networked applications. Systems administrators will not realize immediate benefits from these
improved APIs; however, developers can use these APIs to create applications that are more
robust when running on Windows Vista and Windows 7. This enables developers to create
applications faster and to add more powerful features to those applications.
Network Awareness
More applications are connecting to the Internet to look for updates, download real-time
information, and facilitate collaboration between users. However, creating applications
that can adapt to changing network conditions has been difficult for developers. Network
Awareness enables applications to sense changes to the network to which the computer is
connected, such as closing a mobile PC at work and then opening it at a coffee shop wireless
hotspot. This enables Windows Vista and Windows 7 to alert applications of network changes.
The application can then behave differently, providing a seamless experience.
For example, Windows Firewall with Advanced Security can take advantage of Network
Awareness to automatically allow incoming traffic from network management tools when the
computer is on the corporate network but block the same traffic when the computer is on a
home network or wireless hotspot. Network Awareness can therefore provide flexibility on
your internal network without sacrificing security when mobile users travel.
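As an added example, not part of the Resource Kit, the following PowerShell script shows the kind of rule the preceding paragraph describes: an inbound allow rule that applies only while Network Awareness has placed the computer on the Domain profile, so the same port stays closed on a home network or hotspot. The rule name, the port (TCP 5985, WinRM over HTTP) and the management subnet 10.10.0.0/16 are assumed values, and the check of the "Profiles:" line assumes the layout printed by "netsh advfirewall firewall show rule".

```powershell
# Added example (not from the Resource Kit): admit a management port only on the
# Domain firewall profile and verify the scoping. Assumed values: the rule name,
# TCP 5985 and the subnet 10.10.0.0/16; the "Profiles:" label is assumed from the
# output of "netsh advfirewall firewall show rule". Run from an elevated prompt.
param(
    [string]$RuleName = 'Allow WinRM from mgmt subnet - domain profile only',
    [int]   $Port     = 5985,
    [string]$RemoteIP = '10.10.0.0/16'
)

function Set-DomainOnlyInboundRule {
    # Create (or re-create) the rule; the delete fails harmlessly on first run.
    param([string]$Name, [int]$LocalPort, [string]$Remote)
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=TCP localport=$LocalPort remoteip=$Remote profile=domain | Out-Null
}

function Test-RuleProfile {
    # True only if the rule exists and its profile list is exactly "Domain".
    param([string]$Name)
    $out  = @(netsh advfirewall firewall show rule name="$Name")
    $line = $out | Select-String -Pattern '^\s*Profiles:\s*(.+)$' | Select-Object -First 1
    if (-not $line) { return $false }
    return ($line.Matches[0].Groups[1].Value.Trim() -eq 'Domain')
}

Set-DomainOnlyInboundRule -Name $RuleName -LocalPort $Port -Remote $RemoteIP
if (Test-RuleProfile -Name $RuleName) {
    Write-Host "Rule '$RuleName' is scoped to the Domain profile."
} else {
    Write-Warning "Rule '$RuleName' is missing or is not Domain-only."
}

# Network Awareness decides which profile is active; on a hotspot this prints the
# Public profile and the rule above stays dormant until the computer is back on the domain.
netsh advfirewall show currentprofile
```

The remoteip restriction matters even with profile scoping: the Domain profile is selected when a domain controller is reachable, and limiting the rule to the management subnet keeps other hosts on the corporate network from reaching the port.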
Applications can also take advantage of Network Awareness. For example, if a user discon-
nects from a corporate internal network and then connects to his or her home network, an
application could adjust security settings and request that the user establish a VPN connec-
tion to maintain connectivity to an intranet server. New applications can go offline or online
automatically as mobile users move between environments. In addition, software vendors can
integrate their software into the network logon process more easily because Windows Vista
and Windows 7 enable access providers to add custom connections for use during logon.
Network Awareness benefits only applications that take advantage of the new API and
does not require any management or configuration. For Network Awareness to function, the
Network Location Awareness and Network List Service services must be running.
Improved Peer Networking
Windows Peer-to-Peer Networking, originally introduced with the Advanced Networking
Pack for Windows XP and later included in Windows XP SP2, is an operating system platform
and API in Windows Vista and Windows 7 that allow the development of peer-to-peer (P2P)
applications that do not require a server. Windows Vista and Windows 7 include the following
enhancements to Windows Peer-to-Peer Networking:
• New, easy-to-use API  APIs to access Windows Peer-to-Peer Networking capabilities
such as name resolution, group creation, and security have been highly simplified
in Windows Vista and Windows 7, making it easier for developers to create P2P
applications.
• New version of PNRP  Peer Name Resolution Protocol (PNRP) is a name resolution
protocol, like DNS, that functions without a server. PNRP uniquely identifies computers
within a peer cloud. Windows Vista and Windows 7 include a new version of PNRP
(PNRP v2) that is more scalable and uses less network bandwidth. For PNRP v2 in
Windows Vista and Windows 7, Windows Peer-to-Peer Networking applications can
access PNRP name publication and resolution functions through a simplified PNRP API
that supports the standard name resolution methods used by applications. For IPv6
addresses, applications can use the getaddrinfo() function to resolve the fully qualified
domain name (FQDN) name.pnrp.net, in which name is the peer name being resolved.
The pnrp.net domain is a reserved domain for PNRP name resolution. The PNRP v2
protocol is incompatible with the PNRP protocol used by computers running Windows
XP. Microsoft is investigating the development and release of an update to the
Windows Peer-to-Peer Networking features in Windows XP to support PNRP v2.
• People Near Me  People Near Me is a new capability of Windows Peer-to-Peer
Networking that allows users to dynamically discover other users on the local subnet
and their registered People Near Me–capable applications, as well as to invite users
into a collaboration activity easily. The invitation and its acceptance start an application
on the invited user’s computer, and the two applications can begin participating
in a collaboration activity such as chatting, photo sharing, or game playing.
PNRP v2 is not backward compatible with earlier versions of the protocol. Although PNRP
v2 can coexist on a network with earlier versions, it cannot communicate with PNRP v1 clients.

Services Used by Peer-to-Peer Networking
Windows Peer-to-Peer Networking uses the following services, which by default start
manually (Windows will start services automatically as required):
• Peer Name Resolution Protocol (PNRP)
• Peer Networking Grouping
• Peer Networking Identity Manager
• PNRP Machine Name Publication Service
If these services are disabled, some P2P and collaborative applications might not function.
Managing Peer-to-Peer Networking
Windows Peer-to-Peer Networking is a set of tools for applications to use, so they don’t
provide capabilities without an application. You can manage Windows Peer-to-Peer
Networking using the Netsh tool or by using Group Policy settings:
• Netsh tool  Commands in the Netsh p2p context will be used primarily by developers
creating P2P applications. Systems administrators should not need to troubleshoot or
manage Windows Peer-to-Peer Networking directly, so that aspect of the Netsh tool is
not discussed further here.
• Group Policy settings  You can configure or completely disable Windows Peer-to-Peer
Networking by using the Group Policy settings in Computer Configuration\Policies
\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services. You
should need to modify the configuration only if an application has specific, nondefault
requirements.
HOW IT WORKS
Peer-to-Peer Name Resolution
In P2P networking, peers use PNRP names to identify computers, users, groups,
services, and anything else that should be resolved to an IP address. Peer names
can be registered as unsecured or secured. Unsecured names are just automatically
generated text strings that are subject to spoofing by a malicious computer that
registers the same name. Unsecured names are therefore best used in private or
otherwise secure networks. Secured names are signed digitally with a certificate and
thus can be registered only by the owner.
PNRP IDs are 256 bits long and are composed of the following:
• The high-order 128 bits, known as the peer-to-peer ID, are a hash of a peer
name assigned to the endpoint.
• The low-order 128 bits are used for the service location, which is a generated
number that uniquely identifies different instances of the same ID in a cloud.
The 256-bit combination of peer-to-peer ID and service location allows multiple
PNRP IDs to be registered from a single computer. For each cloud, each peer node
manages a cache of PNRP IDs that includes both its own registered PNRP IDs and
the entries cached over time.
When a peer needs to resolve a PNRP ID to the address, protocol, and port number,
it first examines its own cache for entries with a matching peer ID (in case the client
has resolved a PNRP ID for a different service location on the same peer). If that
peer is found, the resolving client sends a request directly to the peer.
If the resolving client does not have an entry for the peer ID, it sends requests to
other peers in the same cloud, one at a time. If one of those peers has an entry
cached, that peer first verifies that the requested peer is connected to the network
before resolving the name for the requesting client. While the PNRP request message
is being forwarded, its contents are used to populate caches of nodes that are
forwarding it. When the response is sent back through the return path, its contents
are also used to populate node caches. This name resolution mechanism allows
clients to identify each other without a server infrastructure.
EAPHost Architecture
For easier development of EAP authentication methods for IEEE 802.1X-authenticated wireless
connections, Windows Vista and Windows 7 support a new EAP architecture called EAPHost.
EAPHost provides the following features that are not supported by the EAP implementation
in earlier versions of Windows:
• Network Discovery  EAPHost supports Network Discovery as defined in the “Identity
selection hints for Extensible Authentication Protocol (EAP)” Internet draft.
• RFC 3748 compliance  EAPHost will conform to the EAP State Machine and address
a number of security vulnerabilities that are specified in RFC 3748. In addition, EAPHost
will support additional capabilities such as Expanded EAP Types (including
vendor-specific EAP methods).
• EAP method coexistence  EAPHost allows multiple implementations of the same
EAP method to coexist simultaneously. For example, the Microsoft version of Protected
EAP (PEAP) and the Cisco Systems, Inc. version of PEAP can be installed and selected.
• Modular supplicant architecture  In addition to supporting modular EAP methods,
EAPHost also supports a modular supplicant architecture in which new supplicants can
be added easily without having to replace the entire EAP implementation.
For EAP method vendors, EAPHost provides support for EAP methods already developed
for Windows Server 2003 and Windows XP, as well as an easier method of developing new
EAP methods. Certified EAP methods can be distributed with Windows Update. EAPHost also
allows better classification of EAP types so that the built-in 802.1X- and PPP-based Windows
supplicants can use them.
For supplicant method vendors, EAPHost provides support for modular and pluggable
supplicants for new link layers. Because EAPHost is integrated with NAP, new supplicants do
not have to be NAP aware. To participate in NAP, new supplicants only need to register a con-
nection identifier and a callback function that informs the supplicant to re-authenticate.
For more information, read “EAPHost in Windows” at
/magazine/cc162364.aspx.
Layered Service Provider (LSP)
The Windows Sockets (Winsock) Layered Service Provider (LSP) architecture resides between
the Winsock dynamic-link library (DLL), which applications use to communicate on the
network, and the Winsock kernel-mode driver (Afd.sys), which communicates with network
adapter drivers. LSPs are used in several categories of applications, including:
• Proxy and firewalls
• Content filtering
• Virus scanning
• Adware and other network data manipulators
• Spyware and other data-monitoring applications
• Security, authentication, and encryption
Windows Vista and Windows 7 include several improvements to LSPs to enable more
powerful network applications and better security:
• Adding and removing LSPs is logged to the System Event Log. Administrators can use
these events to determine which application installed an LSP and to troubleshoot failed
LSP installations.
• A new installation API (WSCInstallProviderAndChains) provides simpler, more reliable
LSP installations.
• New facilities categorize LSPs and allow critical system services to bypass LSPs. This can
improve reliability when working with flawed LSPs.
• A diagnostics module for the Network Diagnostics Framework allows users to selectively
remove LSPs that are causing problems.
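Because the categories above include adware and spyware, the Winsock catalog is worth auditing on any computer under investigation. The following PowerShell script is an added example, not part of the Resource Kit: it parses "netsh winsock show catalog" into one object per entry and flags Layered Service Providers whose DLL is loaded from outside %SystemRoot%\System32, where the in-box providers live. The field labels "Entry Type", "Description" and "Provider Path", and the "Winsock Catalog Provider Entry" block header, are assumed from the layout of that command's output; compare them with your own before trusting an empty result.

```powershell
# Added example (not from the Resource Kit): list the Winsock catalog and flag LSPs
# loaded from outside System32. The labels "Winsock Catalog Provider Entry",
# "Entry Type", "Description" and "Provider Path" are assumed from the output of
# "netsh winsock show catalog"; verify them against your own output first.

function Get-WinsockCatalog {
    # Parse the catalog listing into one object per provider entry.
    $lines   = @(netsh winsock show catalog)
    $entries = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ EntryType = ''; Description = ''; ProviderPath = '' }
        } elseif ($current -and $line -match '^\s*Entry Type\s*:\s*(.+)$') {
            $current.EntryType = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Description\s*:\s*(.+)$') {
            $current.Description = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Provider Path\s*:\s*(.+)$') {
            $current.ProviderPath = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-SuspectLsp {
    # Layered entries sit between applications and the base providers; one whose
    # DLL is not under System32 (or whose path is blank) deserves a closer look.
    param($Catalog)
    $system32 = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32')
    $Catalog | Where-Object {
        $_.EntryType -like 'Layered*' -and
        -not ([Environment]::ExpandEnvironmentVariables($_.ProviderPath)).StartsWith($system32, 'OrdinalIgnoreCase')
    }
}

$catalog = Get-WinsockCatalog
$catalog | Format-Table EntryType, Description, ProviderPath -AutoSize

$suspect = Get-SuspectLsp -Catalog $catalog
if ($suspect) {
    Write-Warning 'Third-party LSP(s) found:'
    $suspect | Format-Table Description, ProviderPath -AutoSize
    # "netsh winsock reset" rebuilds the catalog to its defaults (restart required);
    # consult the System event log entries mentioned above first to see what installed them.
}
```

A legitimate product such as a host firewall or virus scanner will also appear here, so the list is a starting point for triage rather than a verdict; the path, the signing of the DLL and the System log events that recorded the installation decide whether an entry belongs.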
Windows Sockets Direct Path for System Area Networks
Windows Sockets Direct (WSD) enables Winsock applications that use TCP/IP to obtain the
performance benefits of system area networks (SANs) without application modifications.
SANs are a type of high-performance network often used for computer clusters.
WSD allows communications across a SAN to bypass the TCP/IP protocol stack, taking
advantage of the reliable, direct communications provided by a SAN. In Windows Vista and
Windows 7, this is implemented by adding a virtual switch between Winsock and the TCP/IP
stack. This switch has the ability to examine traffic and pass communications to a SAN
Winsock provider, bypassing TCP/IP entirely. Figure 25-13 illustrates this architecture.
[Figure 25-13 shows the layering: Application, Winsock and the Switch in user mode; below
the user/kernel boundary, the SAN Winsock Provider and SAN Winsock Driver over the SAN
NDIS Miniport and SAN Network Adapter, alongside the Base Winsock Provider over TCP/IP.]
FIGURE 25-13  WSD enables improved performance across SANs by selectively bypassing TCP/IP using a
virtual switch.
How to Configure Wireless Settings
Users want to stay constantly connected to their networks, and wireless LANs and
wireless WANs are beginning to make that possible. However, managing multiple network
connections can be challenging, and users often have difficulty resolving connectivity
problems. As a result, users place more calls to support centers, increasing support cost and
user frustration. You can reduce this by configuring client computers to connect to preferred
wireless networks.
Windows will connect automatically to most wired networks. Wireless networks, however,
require configuration before Windows will connect to them. You can connect Windows com-
puters to wireless networks in three different ways:
• Manually  Windows 7 includes a new user interface that makes it simple to connect
to wireless networks. You can use this interface to manually configure intranet-based
computers running Windows 7; users can use this method to connect to public networks
when they travel.
• Using Group Policy  Group Policy settings are the most efficient way to configure
any number of computers running Windows in your organization to connect to your
internal wireless networks.
• From the command line or by using scripts  Using the Netsh tool and commands
in the netsh wlan context, you can export existing wireless network profiles, import
them into other computers, connect to available wireless networks, or disconnect a
wireless network.
After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X
authentication at the appropriate time based on the network security configuration, while
simply and seamlessly integrating with the user’s Windows logon experience. The following
sections describe each of these configuration techniques.
Configuring Wireless Settings Manually
Windows 7 makes it very easy to connect to a wireless network using the enhanced View
Available Networks (VAN) feature included in the platform. For example, to configure a
wireless network that is currently available, follow these steps:
1. Click the networking icon in the notification area.
NOTE  The WLAN AutoConfig service must be started for wireless networks to be
available. This service by default is set to start automatically.
2. Click the network to which you want to connect and then click Connect, as shown in
Figure 25-14.
FIGURE 25-14  The Network Connection Details dialog box provides graphical access to IP
configuration settings.
NOTE  A network that is configured not to broadcast an SSID will appear as an
Unnamed Network, allowing you to connect to the network.
3. If the network is encrypted, provide the encryption key.
Why Disabling SSID Broadcasting Doesn’t Improve Security
Wireless networks broadcast an SSID that specifies the network name to help
users who have not connected to the network previously find it. However,
disabling the SSID broadcast does not increase security, because the tools that a
malicious attacker might use to find and connect to your wireless network do not
rely on SSID broadcasts. The SSID broadcast does make it easier for legitimate users
to find and connect to your wireless networks. So by disabling the broadcast of the
SSID, you can negatively affect the people whom you do want to be able to connect.
Using Group Policy to Configure Wireless Settings
In AD DS environments, you can use Group Policy settings to configure wireless network
policies. For best results, you should have Windows Server 2003 SP1 or later installed on your
domain controllers because Microsoft extended support for wireless Group Policy settings
when they released SP1.
Before you can use Group Policy to configure wireless networks, you need to extend the
AD DS schema using the 802.11Schema.ldf file included on this book’s companion media.
If you do not have access to the companion media, you can copy the schema file from
To extend the schema, follow
these steps:
1. Copy the 802.11Schema.ldf file to a folder on a domain controller.
2. Log on to the domain controller with Domain Admin privileges and open a command
prompt.
3. Change to the folder containing the 802.11Schema.ldf file and run the following
command (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS
domain whose schema is being modified; an example of a distinguished name is
DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain).
ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain
4. Restart the domain controller.
After you extend the schema, you can configure a wireless network policy by
following these steps:
1. Open the Active Directory GPO in the Group Policy Object Editor.
2. Expand Computer Configuration, Windows Settings, Security Settings, and then click
Wireless Network (IEEE 802.11) Policies.
3. Right-click Wireless Network (IEEE 802.11) Policies and then click Create A New
Windows Vista Policy. The Wireless Network Properties dialog box appears.
4. To add an infrastructure network, click Add and then click Infrastructure to open the
Connection tab of the New Profile Properties dialog box. In the Network Names list,
click NEWSSID and then click Remove. Then, type a valid internal SSID in the Network
Names box and click Add. Repeat this to configure multiple SSIDs for a single profile.
If the network is hidden, select the Connect Even If The Network Is Not Broadcasting
check box.
5. On the New Profile Properties dialog box, click the Security tab. Use this tab to configure
the wireless network authentication and encryption settings. Click OK.
NOTE  This resource kit does not cover how to design wireless networks. However, you
should avoid using Wired Equivalent Privacy (WEP) whenever possible. WEP is vulnerable to
several different types of attack, and WEP keys can be difficult to change. Whenever possible,
use WPA or WPA2, which both use strong authentication and dynamic encryption keys.
The settings described in the previous process will configure client computers to connect
automatically to your internal wireless networks and to not connect to other wireless networks.
Configuring Wireless Settings from the Command Line or a
Script
You can also configure wireless settings using commands in the netsh wlan context of the
Netsh command-line tool, which enables you to create scripts that connect to different
wireless networks (whether encrypted or not). To list available wireless networks, run the
following command.
Netsh wlan show networks
Interface Name : Wireless Network Connection
There are 2 networks currently visible

SSID 1 : Litware
Network Type : Infrastructure
Authentication : Open
Encryption : None

SSID 2 : Contoso
Network Type : Infrastructure
Authentication : Open
Encryption : WEP
Before you can connect to a wireless network using Netsh, you must have a profile saved
for that network. Profiles contain the SSID and security information required to connect to
a network. If you have previously connected to a network, the computer will have a profile
for that network saved. If a computer has never connected to a wireless network, you need
to save a profile before you can use Netsh to connect to it. You can save a profile from one
computer to an Extensible Markup Language (XML) file and then distribute the XML file to
other computers in your network. To save a profile, run the following command after manu-
ally connecting to a network.
Netsh wlan export profile name="SSID"
Interface profile "SSID" is saved in file ".\Wireless Network Connection-SSID.xml" successfully.
Before you can connect to a new wireless network, you can load a profile from a file. The
following example demonstrates how to create a wireless profile (which is saved as an XML
file) from a script or the command line.
Netsh wlan add profile filename="C:\profiles\contoso1.xml"
Profile contoso1 is added on interface Wireless Network Connection
To connect to a wireless network quickly, use the netsh wlan connect command and
specify a wireless profile name (which must be configured or added previously). The following
examples demonstrate different but equivalent syntaxes for connecting to a wireless network
with the Contoso1 SSID.
Netsh wlan connect Contoso1
Connection request is received successfully
Netsh wlan connect Contoso1 interface="Wireless Network Connection"
Connection request is received successfully
Note that you need to specify the interface name only if you have multiple wireless net-
work adapters—an uncommon situation. You can use the following command to disconnect
from all wireless networks.
Netsh wlan disconnect
Disconnection request is received successfully
You can use scripts and profiles to simplify the process of connecting to private wireless
networks for your users. Ideally, you should use scripts and profiles to save users from ever
needing to type wireless security keys.
You can also use Netsh to allow or block access to wireless networks based on their SSIDs.
For example, the following command allows access to a wireless network with the Contoso
SSID.
Netsh wlan add filter permission=allow ssid=Contoso networktype=infrastructure
Similarly, the following command blocks access to the Fabrikam wireless network.
Netsh wlan add filter permission=block ssid=Fabrikam networktype=adhoc
To block all ad hoc networks, use the Denyall permission, as the following example
demonstrates.
Netsh wlan add filter permission=denyall networktype=adhoc
To prevent Windows from automatically connecting to wireless networks, run the follow-
ing command.
Netsh wlan set autoconfig enabled=no interface="Wireless Network Connection"
You can also use Netsh to define the priority of user profiles (but not Group Policy pro-
files). Group Policy profiles always have precedence over user profiles. The following example
demonstrates how to configure Windows to connect automatically to the wireless network
defined by the Contoso profile before connecting to the wireless network defined by the
Fabrikam profile.
Netsh wlan set profileorder name=Contoso interface="Wireless Network Connection" priority=1
Netsh wlan set profileorder name=Fabrikam interface="Wireless Network Connection" priority=2
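As an added example, not part of the Resource Kit, the following PowerShell script strings the Netsh commands from this section into one deployment step: it inspects how the exported XML stores the pre-shared key, imports the profile for all users, turns the SSID filters into an allow-list, and puts the deployed profile first in the connection order. The path C:\profiles\contoso1.xml, the adapter name "Wireless Network Connection" and the SSID Contoso are assumed inputs; the element names it reads (WLANProfile, MSM/security/sharedKey, protected, keyMaterial) are those written by netsh wlan export profile.

```powershell
# Added example (not from the Resource Kit): deploy an exported wireless profile with
# Netsh after checking how its pre-shared key is stored, then restrict which SSIDs the
# client may join. Assumed inputs: the profile path, the adapter name and the SSID
# Contoso. Element names follow the XML written by "netsh wlan export profile".
param(
    [string]$ProfilePath = 'C:\profiles\contoso1.xml',
    [string]$Interface   = 'Wireless Network Connection'
)

function Test-WlanProfileKey {
    # Return the profile name and warn about how keyMaterial is stored in the file.
    param([string]$Path)
    $xml  = [xml](Get-Content -Path $Path)
    $name = $xml.WLANProfile.name
    $key  = $xml.WLANProfile.MSM.security.sharedKey
    if ($key -eq $null) {
        Write-Host "$name : no pre-shared key in the profile (open or 802.1X network)."
    } elseif ($key.protected -eq 'true') {
        Write-Warning "$name : keyMaterial is encrypted for the exporting computer; other computers cannot use it. Re-export with key=clear for distribution."
    } else {
        Write-Warning "$name : keyMaterial is in clear text. Restrict the file's ACL and delete it after import."
    }
    return $name
}

$profileName = Test-WlanProfileKey -Path $ProfilePath

# user=all stores the profile for every user, so it is available before anyone logs on.
netsh wlan add profile filename="$ProfilePath" user=all

# Allow-list: denyall blocks every infrastructure SSID except those with an allow
# entry, and ad hoc networks are blocked outright.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=allow ssid=Contoso networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# Prefer the deployed profile over any user-created profiles on this adapter.
netsh wlan set profileorder name="$profileName" interface="$Interface" priority=1

# Verify what the client will now see and do.
netsh wlan show filters
netsh wlan show profiles interface="$Interface"
```

A profile exported without key=clear carries its keyMaterial encrypted for the exporting computer: it imports cleanly elsewhere but cannot connect. Exporting with key=clear makes the file distributable and puts the key in plain text, which is why the script warns in both cases and why the file should be removed once imported.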
Netsh has many other commands for configuring wireless networking. For more informa-
tion, run the following at a command prompt.
Netsh wlan help
note
When troubleshooting problems connecting to wireless networks, open
Event Viewer and browse the Applications And Services Logs\Microsoft\Windows
\WLAN-AutoConfig event log. You can also use this log to determine the wireless
networks to which a client is connected, which might be useful when identifying the
source of a security compromise. For more information, see Chapter 31.
How to Configure TCP/IP
You can use several different techniques to configure TCP/IP. Most environments use DHCP
to provide basic settings. Alternatively, you can configure TCP/IP settings manually using
graphical tools. Finally, some settings are configured most easily using scripts that call
command-line tools such as Netsh. You can use logon scripts to automate command-line
configuration. The following sections describe each of these configuration techniques.
note
For wireless networks, you will need to first connect the wireless adapter to the
wireless network and then configure the TCP/IP settings. However, wireless networks
almost always have a DHCP server available.
DHCP
Almost all client computers should be configured using DHCP. With DHCP, you configure
a DHCP server (such as a computer running Windows Server 2003) to provide IP addresses
and network configuration settings to client computers when they start up. Windows 7 and
all recent Windows operating systems are configured to use DHCP by default, so you can
configure network settings by simply setting up a DHCP server and connecting a computer to
the network.
As the number of mobile computers, traveling users, and wireless networks has increased,
so has the importance of DHCP. Because computers may have to connect to several differ-
ent networks, manually configuring network settings would require users to make changes
each time they connected to a network. With DHCP, the DHCP server on the local network
provides the correct settings when the client connects.
Some of the configuration settings you can configure with DHCP include the following:
• IP address Identifies a computer on the network
• Default gateway Identifies the router that the client computer will use to send traffic to other networks
• DNS servers Internet name servers used to resolve the host names of other computers
• WINS servers Microsoft name servers used to identify specific computers on the network
• Boot server Used for loading an operating system across the network when configuring new computers or starting diskless workstations
Clients use the following process to retrieve DHCP settings:
1. The client computers transmit a DHCPDiscover broadcast packet on the local network.
2. DHCP servers receive this broadcast packet and send a DHCPOffer broadcast packet back to the client computer. This packet includes the IP address configuration information. If more than one DHCP server is on the local network, the client computer might receive multiple DHCPOffer packets.
3. The client computer sends a DHCPRequest packet to a single DHCP server requesting the use of those configuration settings. Other DHCP servers that might have sent a DHCPOffer broadcast will see this response and know that they no longer need to reserve an IP address for the client.
4. Finally, the DHCP server sends a DHCPACK packet to acknowledge that the IP address has been leased to the client for a specific amount of time. The client can now begin using the IP address settings.
In addition, client computers will attempt to renew their IP addresses after half the DHCP
lease time has expired. By default, computers running Windows Server 2003 have a lease time
of eight days. Therefore, client computers running Windows attempt to renew their DHCP
settings after four days and will retrieve updated settings if you have made any changes to
the DHCP server.
Because client computers retrieve new DHCP settings each time they start up, connect to
a new network, or a DHCP lease expires, you have the opportunity to change configuration
settings with only a few days’ notice. Therefore, if you need to replace a DNS server and you
want to use a new IP address, you can add the new address to your DHCP server settings, wait
eight days for client computers to renew their DHCP leases and acquire the new settings,
and then have a high level of confidence that client computers will have the new server’s IP
address before shutting down the old DNS server.
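The four-step exchange and the half-lease renewal point described above, shown on the wire as an added example that is not from the book: the script builds a DHCPDISCOVER, parses a constructed DHCPOFFER, and checks the offer's server identifier (option 54) against the DHCP servers you know you run before the client would send its DHCPREQUEST, which is the point at which a rogue DHCP server on the segment would otherwise win. The authorized-server set, client MAC address, and sample addresses are constructed for the example.

```python
import struct
import ipaddress

# Constructed for this example: the DHCP server the network team actually operates.
AUTHORIZED_DHCP_SERVERS = {"192.168.1.210"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options area

def dhcp_header(op, xid, yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=0):
    # RFC 2131 fixed fields: op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, then chaddr (16), sname (64), file (128).
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, flags, b"\0" * 4,
                        ipaddress.IPv4Address(yiaddr).packed,
                        ipaddress.IPv4Address(siaddr).packed, b"\0" * 4)
    mac = bytes.fromhex("0015c50882f3")  # constructed client MAC address
    return fixed + mac.ljust(16, b"\0") + b"\0" * (64 + 128)

def build_discover(xid):
    # Step 1: DHCPDISCOVER (option 53 = 1). Flags 0x8000 requests a broadcast reply;
    # option 55 lists the parameters wanted: subnet mask (1), router (3), DNS (6).
    return dhcp_header(1, xid, flags=0x8000) + MAGIC_COOKIE + bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])

def build_offer(xid, yiaddr, server, lease_seconds):
    # Step 2: a DHCPOFFER (option 53 = 2) as a server would send it (constructed sample).
    sid = ipaddress.IPv4Address(server).packed
    opts = (bytes([53, 1, 2, 54, 4]) + sid                      # 54 = server identifier
            + bytes([51, 4]) + struct.pack("!I", lease_seconds)  # 51 = lease time
            + bytes([3, 4]) + ipaddress.IPv4Address("192.168.1.1").packed + b"\xff")
    return dhcp_header(2, xid, yiaddr, server) + MAGIC_COOKIE + opts

def parse_options(packet):
    # Walk the TLV option area after the cookie; PAD (0) is a single byte, END (255) stops.
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def evaluate_offer(packet, xid):
    # Client-side check before step 3 (DHCPREQUEST): BOOTREPLY (op=2), our xid, type OFFER.
    # An unknown server identifier (option 54) is a rogue-DHCP-server indicator to alert on.
    opts = parse_options(packet)
    if packet[0] != 2 or struct.unpack("!I", packet[4:8])[0] != xid or opts[53][0] != 2:
        raise ValueError("not a DHCPOFFER for our transaction")
    server = str(ipaddress.IPv4Address(opts[54]))
    lease = struct.unpack("!I", opts[51])[0]
    return {"yiaddr": str(ipaddress.IPv4Address(packet[16:20])), "server": server,
            "authorized": server in AUTHORIZED_DHCP_SERVERS,
            "lease_seconds": lease, "renew_after_seconds": lease // 2,  # T1 = half the lease
            "router": str(ipaddress.IPv4Address(opts[3])) if 3 in opts else None}
```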
If a client computer does not receive a DHCP address and an alternate IP address configu-
ration has not been manually configured, Windows client computers automatically configure
themselves with a randomly selected Automatic Private IP Addressing (APIPA) address in the
range of 169.254.0.1 to 169.254.255.255. If more than one computer running Windows on a
network has an APIPA address, the computers will be able to communicate. However, APIPA
has no default gateway, so client computers will not be able to connect to the Internet, to
other networks, or to computers with non-APIPA addresses. For information about IPv6, refer
to Chapter 28.
You can use the following techniques to determine whether a client has been assigned an
IP address and to troubleshoot DHCP-related problems:
• IPConfig From a command line, run IPConfig /all to view the current IP configuration. If the client has a DHCP-assigned IP address, the DHCP Enabled property will be set to Yes, and the DHCP Server property will have an IP address assigned, as the following example demonstrates.
Ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win7
Primary Dns Suffix . . . . . . . : hq.contoso.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : contoso.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-15-C5-08-82-F3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a1f2:3425:87f6:49c2%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.242(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, August 20, 2006 11:12:44 PM
Lease Expires . . . . . . . . . . : Monday, August 28, 2006 11:12:44 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.210
DNS Servers . . . . . . . . . . . : 192.168.1.210
NetBIOS over Tcpip . . . . . . . . . . : Enabled
note
If you are troubleshooting a client connectivity problem and notice that the IP address begins with 169.254, the DHCP server was not available when the client computer started. Verify that the DHCP server is available and the client computer is properly connected to the network. Then, issue the ipconfig /release and ipconfig /renew commands to acquire a new IP address. For more information about troubleshooting network connections, see Chapter 31.
• Network And Sharing Center In Network And Sharing Center, click the name of the connection (such as Local Area Connection) to open the connection status. Then, click Details to open the Network Connection Details dialog box, as shown in Figure 25-15. This dialog box provides similar information to that displayed by the IPConfig /all command.
FIGURE 25-15 The Network Connection Details dialog box provides graphical access to IP configuration settings.
• Event Viewer Open Event Viewer and browse the Windows Logs\System Event Log. Look for events with a source of Dhcp-Client for IPv4 addresses or DHCPv6-Client for IPv6 addresses. Although this technique is not useful for determining the active configuration, it can reveal problems that occurred in the past.
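The IPConfig check above, automated as an added example that is not from the book: a Python script that parses ipconfig /all output into one record per adapter and classifies each adapter as DHCP-leased, statically configured, or fallen back to an APIPA address in 169.254.0.0/16, which is the case the troubleshooting note tells you to resolve with ipconfig /release and ipconfig /renew. The sample output is constructed, not a real capture, and the field names follow the ipconfig /all listing shown above.

```python
import ipaddress

# Constructed sample of "ipconfig /all" output (not a real capture): one adapter leased by
# DHCP and one that fell back to APIPA because no DHCP server answered.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Win7

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.242(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.210

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""
APIPA = ipaddress.ip_network("169.254.0.0/16")   # Automatic Private IP Addressing range

def parse_ipconfig(text):
    """Split ipconfig /all output into {adapter_name: {field: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headings are unindented and end with a colon, e.g. "Ethernet adapter X:"
        if line and not line.startswith(" ") and line.endswith(":"):
            current = line.split(" adapter ", 1)[-1].rstrip(":")
            adapters[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")       # first colon ends the dotted label
            adapters[current][key.replace(".", "").strip()] = value.strip()
    return adapters

def diagnose(fields):
    """Classify one adapter's address state the way the troubleshooting note does."""
    addr = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address") or ""
    addr = addr.split("(")[0]                          # drop the "(Preferred)" suffix
    if fields.get("DHCP Enabled") == "No":
        return "static"
    if addr and ipaddress.ip_address(addr) in APIPA:
        return ("apipa: no DHCP server answered when the adapter started; verify the server "
                "and the connection, then run ipconfig /release and ipconfig /renew")
    if fields.get("DHCP Server"):
        return "dhcp: leased from " + fields["DHCP Server"]
    return "no address"
```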
Configuring IP Addresses Manually
The alternative to using DHCP is to configure IP address settings manually. However, because
of the time required to configure settings, the likelihood of making a configuration error, and
the challenge of connecting new computers to a network, manually configuring IP addresses
is rarely the best choice for client computers.
To configure an IPv4 address manually, follow these steps:
1. Click the network icon in the notification area and then click Open Network And Sharing Center.
2. Click Change Adapter Settings.
3. Right-click the network adapter and then click Properties.
4. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
5. If you always want to use manually configured network settings, click the General tab and then click Use The Following IP Address. If you want to use manually configured network settings only when a DHCP server is not available, click the Alternate Configuration tab and then click User Configured. Then, configure the computer’s IP address, default gateway, and DNS servers.
6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.
You should rarely need to configure an IPv6 address manually because IPv6 is designed
to configure itself automatically. For more information about IPv6 autoconfiguration, refer to
Chapter 28. To configure an IPv6 address manually, follow these steps:
1. Click the network icon in the notification area and then click Open Network And Sharing Center.
2. Click Change Adapter Settings.
3. Right-click the network adapter and then click Properties.
4. In the Properties dialog box, click Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
5. Click Use The Following IPv6 Address and configure the computer’s IP address, subnet prefix length, default gateway, and DNS servers. TCP/IPv6 does not support an alternate configuration, as TCP/IPv4 does.
6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.
You can prevent users from accessing these graphical tools. Most important settings
require administrative credentials, so simply not giving users local administrator access to
their computers will prevent them from making most important changes. You can also use
the Group Policy settings located in User Configuration\Policies\Administrative Templates
\Network\Network Connections to restrict the user interface further (but this will not neces-
sarily prevent a user from using other tools to make changes).
Command Line and Scripts
You can also configure network settings from the command line or from a script using the
Netsh tool and commands in the Netsh interface ipv4 or Netsh interface ipv6 contexts. For
example, to configure the standard network interface to use DHCP and to use the DNS
servers provided by DHCP, you could issue the following commands.
Netsh interface ipv4 set address "Local Area Connection" dhcp
Netsh interface ipv4 set dnsserver "Local Area Connection" dhcp
note
Windows XP also included the Netsh tool. However, the Windows XP version of Netsh uses different commands. For example, you would use Netsh interface ip set dns to configure DNS settings for a computer running Windows XP instead of Netsh interface ipv4 set dnsserver, which you use to configure DNS settings for a computer running Windows Vista or Windows 7. However, Netsh in Windows Vista and Windows 7 is backward compatible and will accept the older, Windows XP–compatible syntax.
Because DHCP is the default setting for network adapters, it is more likely that you will
need to use Netsh commands to configure a static IP address. The following command
demonstrates how to do this for IPv4.
Netsh interface ipv4 set address "Local Area Connection" source=static address=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1
Netsh interface ipv4 set dnsserver "Local Area Connection" source=static address=192.168.1.2 register=primary
The following commands demonstrate configuring a static IP address and DNS server
configuration for IPv6.
Netsh interface ipv6 set address "Local Area Connection" address=2001:db8:3fa8:102a::2 anycast
Netsh interface ipv6 set dnsserver "Local Area Connection" source=static address=2001:db8:3fa8:1719::1 register=primary
You should avoid using scripts to configure production client computers because they
are not tolerant of varying hardware configurations and because DHCP provides most of the
configuration capabilities required for production networks. However, scripts can be useful
for quickly changing the network configuration of computers in lab environments. Instead of
manually writing Netsh commands, you can configure a computer using graphical tools and
use the Netsh tool to generate a configuration script.
note
You can generate a configuration script that can be run from within Netsh by running the command Netsh interface dump > script_filename. You can then apply that script using the command Netsh -f script_filename.
Netsh provides the ability to configure almost any aspect of Windows 7 networking. For detailed instructions, refer to Windows Help And Support or run the following command from a command prompt.
Netsh ?
DIRECT FROM THE SOURCE
Automate Network Interface Card Configuration Using Netsh
Don Baker, Premier Field Engineer
Windows Platform
During the years I worked as a consultant, it was not uncommon to connect my laptop to several different networks in the same day. In some cases, they were DHCP-enabled, so connection was easy. For others, I would have to configure the network adapter manually. Ugh!
Enter the Netsh commands. You can use the Netsh command to modify the network
configuration on computers running Windows 2000 and later versions. It’s not the
friendliest syntax to use, but it is a real time-saver once you learn to use it. The fol-
lowing sample scripts use Netsh to set STATIC IP entries on an adapter and to set
the adapter back to DHCP mode so the settings can be obtained automatically. To
use the code, type it into a batch file, modify "name=" to the name of the adapter in
quotation marks, and change the IP addresses.
Static IP
netsh interface ipv4 set address name="Wireless Network Connection" source=static addr=192.168.0.100 mask=255.255.255.0 gateway=192.168.0.250 gwmetric=0
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=static addr=192.168.0.2 register=NONE
REM netsh interface ipv4 set wins name="Wireless Network Connection" source=static addr=10.217.27.9
REM OR if no WINS server
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /all
DHCP
netsh interface ipv4 set address name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /renew "Wireless Network Connection"
ipconfig /all