April, 2008

Posts
  • Microsoft Enterprise Networking Team

    New Networking-related KB articles for the week of April 12-18

    • 0 Comments

    Here are the latest Networking-related KB articles:

    948505  The gethostbyname function unexpectedly returns the IP addresses in numeric order on a Windows Vista-based computer or on a Windows Server 2008-based computer

    951422  The WTSQuerySessionInformation function on a Windows Server 2008-based terminal server returns ambiguous IPv6 address data

    948572  A handle leak occurs in a Server Message Block (SMB) session between two Windows Vista-based computers or between two Windows Server 2008-based computers

    951037  Information about the TCP Chimney Offload feature in Windows Server 2008

    942567  Description of the Windows Vista Feature Pack for Wireless

    948180  Error message when you try to automatically connect to a wireless access point that uses shared-mode network authentication in Windows Vista: "Windows cannot connect to <access_point>"

    - Mike Platts

  • Microsoft Enterprise Networking Team

    Some batch files to take the pain out of capturing traces along with other relevant information

    • 1 Comments

    NetMon is a common tool that comes in handy for revealing the behaviour behind various problems. When network engineers receive traces for review, some basic information is required before they can start work on them:

    1. On what machine was the trace taken?
    2. Were simultaneous traces collected? – A lot of the time, network issues are revealed only if we have traces from both ends. Consider a simple scenario where client machines are not able to open intranet websites. It’s possible that requests from the client machine get dropped by an intermediate device and never reach the server. Such issues are revealed only if we have traces running simultaneously on the client machine and the server.
    3. What are the IP addresses of the machines involved?

    Well, these are exactly the pain areas that I am trying to address using DOS scripting and the “nmcap” command-line utility of NetMon 3.

    Let’s start with “simultaneous traces”.

    @echo off
    if "%1"=="" goto Usage
    REM Following line is wrapped
    REM Both captures stop at the first frame sent to 4.3.2.1 (the stop trigger used below).
    start /min cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
    start /min cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
    echo Press any key to stop the tracing
    pause
    REM One ping to the stop address from each machine ends its capture.
    psexec \\%1 "ping" -n 1 4.3.2.1
    ping -n 1 4.3.2.1
    REM Collect ipconfig output and the remote capture into c:\trace on this machine.
    ipconfig /all > c:\trace\%computername%.txt
    psexec \\%1 "ipconfig" /all > \\%computername%\C$\trace\%1.txt
    copy \\%1\C$\%1.cap c:\trace\%1.cap
    del \\%1\C$\%1.cap
    goto :EOF
    :Usage
    echo Usage:
    echo %0 "remote machine host name"
    echo In this case, it is assumed that the directory c:\trace exists on the executing machine and files are stored only in this location.

    The above script uses a Sysinternals tool called psexec to run commands on a remote machine. See http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx for more information. You can actually use psexec to run the command on several machines at the same time.

    The above script starts tracing on the computer it is executed on and on the one specified in the argument simultaneously (ok, nearly simultaneously!) and waits for any keystroke to stop it. Thus, one can simply run the script, reproduce the problem, go back to the original command prompt and hit a key! Traces from both machines, along with their ipconfig information, are dumped as computername.cap and computername.txt in the folder c:\trace on the executing machine.

    Note

    1. nmcap cannot create the folder specified, so one has to ensure that c:\trace exists or replace it with an existing folder name.

    2. This script relies on file copy to get all files into one location – so please do not expect to capture a file copy issue with this one! Change the script to save the capture files on the local machines instead.

    3. psexec and nmcap require administrative rights on the machines – thus the logged-on user should have admin rights on both machines.

    To make things simple, it is best to create a folder c:\trace (or whatever else you like, ensuring that you modify the script accordingly), dump the required utilities (like psexec.exe) together with the script in that folder, and then execute the script from that folder.

    Is ipconfig information not enough? Want to gather MPS Reports right then, so that the error you just reproduced is captured?

    Use MPSRPT_NETWORK /Q in place of ipconfig /all > c:\trace\%computername%.txt. My experience with MPS tells me to let it dump the cab file %COMPUTERNAME%_MPSReports.CAB in its default location %systemroot%\MPSReports\Network\Bin\Reports\Cab. Of course the MPS Reports file name and storage path will differ with the speciality used.

    Thus:

    @echo off
    if "%1"=="" goto Usage
    REM Following line is wrapped
    start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
    start cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
    echo Press any key to stop the tracing
    pause
    psexec \\%1 "ping" -n 1 4.3.2.1
    ping -n 1 4.3.2.1
    REM MPS Reports (network speciality) on both machines, written to the default cab location.
    MPSRPT_NETWORK /Q
    psexec \\%1 "MPSRPT_NETWORK" /Q
    copy \\%1\C$\%1.cap c:\trace\%1.cap
    REM %systemroot:~3% drops the "C:\" prefix so the path can be used under the remote C$ share
    REM (assumes the remote system root is on the same drive letter as the local one).
    copy \\%1\C$\%systemroot:~3%\MPSReports\Network\Bin\Reports\Cab\*.CAB c:\trace\*.cab
    copy %systemroot%\MPSReports\Network\Bin\Reports\Cab\*.CAB c:\trace\*.cab
    del \\%1\C$\%1.cap
    goto :EOF
    :Usage
    echo Usage:
    echo %0 "remote machine host name"
    echo In this case, it is assumed that the directory c:\trace exists on the executing machine and files are stored only in this location.

    Want to gather traces and capture a particular event in the Event Logs? A great place to get information on this is Paul Long’s blog http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx. Again here, I tried to extend it to take traces simultaneously:

    @echo off
    if "%1"=="" goto Usage
    if "%2"=="" goto Usage
    REM Following line is wrapped
    start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
    start cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
    REM EvtMon.vbs, from the blog post linked above, watches the event log for event %2
    REM (in log %3, if given); once it returns, the pings below stop both captures.
    cscript //NoLogo EvtMon.vbs %2 %3
    psexec \\%1 "ping" -n 1 4.3.2.1
    ping -n 1 4.3.2.1
    ipconfig /all > c:\trace\%computername%.txt
    psexec \\%1 "ipconfig" /all > \\%computername%\C$\trace\%1.txt
    copy \\%1\C$\%1.cap c:\trace\%1.cap
    del \\%1\C$\%1.cap
    goto :EOF
    :Usage
    echo Usage:
    echo %0 remotecomputer EventNumber [LogFile]
    echo LogFile is optional. If used, it is the name of the event log,
    echo i.e. application, system, security, etc.
    echo In this case, it is assumed that the directory c:\trace exists on the executing machine and files are stored only in this location.

    Getting to see the pattern? Modify the above to gather whatever information you like.
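    As an added example of that pattern (not one of the post's own scripts), the same simultaneous-trace procedure extended to any number of remote machines, which psexec permits. It assumes, like the scripts above, that c:\trace exists on the executing machine, that psexec.exe and nmcap are on the path of every machine, and that the logged-on user has admin rights on all of them.

```batch
@echo off
REM Added example, not one of the post's scripts: the simultaneous-trace pattern
REM for any number of remote machines passed as arguments.
REM Assumptions: c:\trace exists on this machine, psexec.exe and nmcap are on the
REM PATH of every machine, and the logged-on user is an admin on all of them.
set STOPIP=4.3.2.1
set TRACEDIR=c:\trace
if "%~1"=="" goto Usage

REM Local capture; it stops at the first frame sent to %STOPIP%.
start /min cmd.exe /c nmcap /network * /capture /file %TRACEDIR%\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==%STOPIP%"

REM One remote capture per argument, each writing to that machine's C:\ root.
for %%M in (%*) do (
    start /min cmd.exe /c psexec \\%%M "nmcap" /network * /capture /file c:\%%M.cap /stopwhen /frame "ipv4.DestinationAddress==%STOPIP%"
)

echo Reproduce the problem, then press any key to stop tracing on every machine
pause

REM Stop trigger: one ping to the stop address from each capturing host.
ping -n 1 %STOPIP% > nul
for %%M in (%*) do psexec \\%%M "ping" -n 1 %STOPIP% > nul

REM Collect ipconfig output and the remote .cap files into %TRACEDIR%.
ipconfig /all > %TRACEDIR%\%computername%.txt
for %%M in (%*) do (
    psexec \\%%M "ipconfig" /all > %TRACEDIR%\%%M.txt
    copy \\%%M\C$\%%M.cap %TRACEDIR%\%%M.cap
    del \\%%M\C$\%%M.cap
)
goto :EOF

:Usage
echo Usage: %0 remotehost1 [remotehost2 ...]
echo Assumes that %TRACEDIR% exists on this machine; all output is collected there.
```

    Each machine pings the stop address for itself, so every capture is stopped by a frame it sent rather than by a frame it may never see.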

    Modify the nmcap command line to capture on a particular network connection, use a capture filter or start & stop using time as a trigger. For example:

    @echo off
    if "%1"=="" goto Usage
    if "%2"=="" goto Usage
    REM Following line is wrapped
    REM %3 is the capture path including its trailing backslash (see Usage), so no separator is added here.
    start cmd.exe /c nmcap /network %2 /capture /file %3%computername%.cap /stopwhen /timeafter %1 /DisableConversations
    ipconfig /all > %3%computername%.txt
    goto :EOF
    :Usage
    echo Usage:
    echo %0 time networknumber Capturepath
    echo.
    echo time is the time in seconds for which you want the trace to run
    echo.
    echo use * for networknumber to capture on all available networks or use one from the list below
    nmcap /displaynetworks
    echo.
    echo ensure that you complete the capture path with a "\" eg: "c:\trace\". In case the path is omitted, the files are saved in the current directory (that of the command prompt)

    Don’t bother with arguments if you are modifying a script for a specific case.

    One situation I can’t help sharing is when I discovered a certain pattern in a chain of traces (taken using .chn). Each file, after the display filter, was pretty small and it was simply crazy to refer to several files to explain the pattern. Use the following to merge:

    nmcap /InputCapture 10.cap 11.cap 12.cap 13.cap 14.cap 15.cap 16.cap 17.cap 18.cap 19.cap /Capture /File trace10-19.cap

    10.cap, 11.cap, etc. are the discrete filtered files, while trace10-19.cap is the resultant file.

    Contributed by: Rajeev Narshana

  • Microsoft Enterprise Networking Team

    Windows Server 2008 Technical Library

    • 0 Comments

    The Windows Server 2008 Technical Library is a great resource for finding information about performing common tasks and operations for Windows technologies. The content in the networking section of this library offers some great information on many areas, like DHCP, Network Access Protection (NAP), Network Policy Server (NPS), Netsh, RRAS, SNMP, Windows Firewall with Advanced Security (WFAS), and more.

    Looking for information about Windows Firewall with Advanced Security and IPsec?  The guide provides documentation regarding product evaluations, getting started, planning architecture, deployment, operations and troubleshooting.

    How about NAP Step-by-Step Guides for IPsec, 802.1X, VPN or DHCP NAP Enforcement?

    Some sections currently have placeholders that indicate "This document is not yet available." Keep checking back, as these sections will be updated when the content is available.

    Similar content for Windows 2003 is also available in the Windows Server 2003: Operations guide.


    -Michael Vargo

  • Microsoft Enterprise Networking Team

    New Networking-related KB articles for the week of April 5-11

    • 1 Comments

    Here are the most recent networking-related KB articles:

    951008  No firewall is enabled after you upgrade a Windows Server 2003-based NAT/Basic Firewall router to Windows Server 2008

    951005  The Network Policy Server may not log successful authentication events or failed authentication events in Event Viewer in Windows Server 2008

    951006  Hyper-V virtual machines cannot reach the network when the vLan tagging is enabled on a Windows Server 2008-based computer

    950094  A program may stop responding when it calls RPC functions on a Windows Server 2003-based computer that has remote access connections or VPN connections established

    945553  MS08-020: Vulnerability in DNS client could allow spoofing

    950676  PING commands to a Windows Server 2003-based computer may fail if you have enabled the Routing and Remote Access service by configuring the "NAT and basic firewall" and "LAN routing" services

    946565  On a Windows Server 2003-based computer that has the update from security bulletin MS07-062 installed, you may experience a memory leak in DNS

    951013  Error message when you establish an outgoing remote access connection in Windows Server 2003: "Error 734 - The PPP link control protocol terminated" or "TCP/IP CP reported error 31: A device attached to the system is not functioning"

    947334  Error message when you try to connect a Windows Vista-based computer to a network projector in Windows Meeting Space: "The Network Projector could not be added to the meeting"

    950134  On a Windows Vista-based computer, an application that uses the EnableStatic method of the Win32_NetworkAdapterConfiguration class may not always set a static IP address for a network adapter

    949984  Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3

    - Mike Platts

  • Microsoft Enterprise Networking Team

    How to benefit from Link-Local Multicast Name Resolution.

    • 1 Comments

    In a nutshell, Link-Local Multicast Name Resolution (LLMNR) resolves single-label names (such as COMPUTER1) on the local subnet when DNS devolution is unable to resolve the name. This is helpful if you are in an ad-hoc network scenario, or in a scenario where DNS entries do not include hosts on the local subnet.

    In order to benefit from LLMNR, you need to enable Network Discovery on all nodes on the local subnet. In Microsoft operating systems, this option and the LLMNR functionality are only included in Windows Vista and Windows Server 2008.

    My testing of LLMNR has uncovered a couple of points of interest:

    • If Network Discovery is not enabled on a client, it will still send out an LLMNR request unless LLMNR has been disabled via group policy. To disable LLMNR via group policy, set the following group policy value:

      Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. (Enabled = Don't use LLMNR, Disabled = Use LLMNR)

    • However, a host will not respond to an LLMNR request if Network Discovery is not enabled.

    This limitation is important because, by default, the network where LLMNR is likely to be most useful is an ad-hoc network, such as a few friends at a coffee shop on a Wi-Fi network. In these scenarios, Network and Sharing Center is most likely going to classify the network as a Public network. This classification, in addition to enforcing the public firewall profile, will turn off Network Discovery, File Sharing, Public Folder Sharing and Printer Sharing. Therefore, none of the hosts will respond to LLMNR requests, since Network Discovery is turned off.

    Network Discovery can be turned on in these scenarios by going to the Control Panel and double-clicking Network and Sharing Center. Then, under Sharing and Discovery, select Network Discovery. Click the option Turn on Network Discovery and click Apply. You will be prompted to accept the associated security risk of being discoverable on a public network. After Network Discovery is enabled on each host, the hosts will respond to LLMNR requests and you will be able to resolve the IP address of a computer by its single-label name.

    For a very good description of what Link-Local Multicast Name Resolution is, and how it works, see this article from The Cable Guy: http://technet.microsoft.com/en-us/library/bb878128.aspx
