It seems like the user profile got messed up.
How many user accounts do you have?
If you only have one, try creating a new user and setting it as Administrator.
Then log in with that new user account and check the My Documents properties.
As the next step:
- log in with the new user you just created.
- right click on "My Computer"
- left click on "Properties"
- click on the "Advanced" tab
- in the middle section you will see User Profiles; click on "Settings"
- left click on the line with the new username
- click on "Copy To"
- click on "Browse"
- then go to C:\Documents and Settings\{your old username} and click "OK"
- then click "OK" one more time to close the dialog
- close everything out
- log out the new user
- log back in with the old user
See if it is fixed. You might lose the shortcuts on the desktop, so you may want to back them up before you start.
Back up all the documents under "My Documents" before you start, just in case something goes wrong. You can find your documents here:
C:\Documents and Settings\{your old username}\My Documents
Thursday, 30 June 2011
Programs disappear from All Programs in XP
The Problem:
When you click the Start button and navigate to "All Programs", you find the menu is missing.
Resolution 1: The only way I found around it was to do a system restore to a previous date and that fixed the problem.
Resolution 2:
Start > Run > Regedit > OK
Now navigate to the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Set the Start Menu value to "%USERPROFILE%\Start Menu"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Set the Common Start Menu value to "%ALLUSERSPROFILE%\Start Menu"
Close the registry editor and restart the machine.
****************************************************************************
Recovering a Lost User Profile in Windows XP
A user profile is a personal set of audio, visual and desktop settings based purely on the user’s choice. A user profile may vary from user to user and is indicative of the interests and personality of the user.
Windows XP allows each user to set up his/her profile once (i.e. choose his/her preferred settings) and then save it. This saves time and energy, as the chosen profile is kept in permanent storage (the hard disk) and is retrieved every time the user restarts the system or logs in.
Windows XP users may encounter a situation where they have a lost user profile, which means that when the user logs in to the system, his/her personal profile does not load.
One of the following three scenarios may have occurred in such cases:
1. A user profile exists in storage but it has disappeared.
2. The user name at the Welcome screen doesn’t match the one in the Task Manager.
3. A user profile has been deleted accidentally.
Recovering XP Deleted Or Lost Profile
Now let's move on to the solutions to these problems, that is, how to recover the lost profile in each of the three situations stated above. Given below is the procedure that should be followed to overcome the lost profile problem:
1. A user profile exists in the storage but it has disappeared.
In some cases, the profile exists on the hard disk but does not appear at the Welcome screen or in the User Accounts folder in the Control Panel. In such cases, the user may receive the following error message when he/she attempts to create a new account with the same name: “the account already exists”. This happens when the user account has been disabled or is not active. Such accounts do not appear in User Accounts or at the Welcome screen. These disabled accounts can only be accessed in the Local Users and Groups window. To determine whether an account is active or not, follow these steps:
a. Go to RUN, type in “compmgmt.msc”, hit Enter.
b. Double-click on the Local Users and Groups folder.
c. Double-click on Users.
If a user name is displayed with a red cross in the check box before it, this means that the account is disabled or not active. In order to activate the disabled user account:
a. Double-click the user name.
b. Clear the ticked check box.
This way, the disappeared profile will show up again at the Welcome Screen as well as in the User Accounts folder in Control Panel.
2. The user name at the Welcome screen doesn’t match with the one in the Task Manager.
It can also happen that the user name appearing at the Welcome screen is not consistent with the one that appears in the Documents and Settings folder or on the Users tab in the Task Manager. This happens because the user has modified the user name in the User Accounts folder in the Control Panel. This affects the name appearing at the Welcome screen: it is changed, but the name of the actual account on the hard disk does not change. The user names displayed in the Documents and Settings folder and in the Task Manager remain the same as before; the modification in the Control Panel folder does not affect them. To overcome this mismatch in the names of the same account holder, the user needs to find out which account corresponds to which display name. Here’s the procedure:
a. Log on as the particular user whose name is mismatched.
b. Go to the Task Manager.
c. Click the Users tab.
d. The user account which is marked as active is the one currently logged in.
e. Now you can easily change the user name to resolve the profile error problem.
3. A user profile has been deleted accidentally.
In case the user profile has been deleted accidentally, only the administrator’s login will be shown at the Welcome screen; the user’s personal login icon will not be shown. To recover the lost user profile, we will need to use Windows Registry editor.
Note: The Registry is one of the most crucial components of Windows operating systems, so it is important to back up the current Registry before making any changes to it. To create a backup, follow these simple steps:
a. Go to RUN and type “regedit”, hit Enter.
b. Open the File menu and click on Export; a new screen will open.
c. At the bottom of the screen, select All under Export range (it is a good idea to back up everything in the registry in case a registry entry accidentally gets changed).
d. Give a name to your Registry backup file and then press the Save button.
Note: To restore the registry, open File menu in the Registry editor and select Import. Browse and select the backup file you created and then press Open. Your Registry will be restored.
Now that you've successfully created a backup of the Windows registry, follow these steps to recover the lost user profile:
a. Go to RUN and type in ‘Regedit’, then press OK.
b. This will open the Registry Editor, a Windows tool that stores important operating system and user information.
c. Navigate to the following registry entry: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’
d. On the right-hand side of the window, right-click on the empty space and inside New, select DWORD Value. A new value item will be created and will be shown on the screen.
e. Give it the same name as the user name that had its profile lost.
f. Double-click on this value item and set Value data to 1. This will re-create a new user profile with the given username.
Now, when you restart your computer and log back into your Windows account, you will no longer face the same profile issue.
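A check for step f, added here and not part of the original article: it reads a registry export made with File > Export and reports how each name under SpecialAccounts\UserList is set (1 shows the account on the Welcome screen, 0 keeps it off). The sample export, its account names and the second key are constructed for illustration.

```python
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList")

# Constructed sample of a regedit export; account names and the second key are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"alice"=dword:00000001
"svc_backup"=dword:00000000
"old_admin"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"alice"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=dword:(?P<data>[0-9a-fA-F]{8})$')


def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def userlist_entries(text: str) -> dict:
    """Return {value name: DWORD data} for the UserList key only."""
    entries = {}
    in_userlist = False
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            # Key names are case-insensitive; values under other keys are ignored.
            in_userlist = section.group(1).lower() == USERLIST_KEY.lower()
            continue
        if in_userlist:
            value = DWORD_RE.match(line)
            if value:
                # .reg files escape backslashes and quotes inside value names.
                name = re.sub(r"\\(.)", r"\1", value.group("name"))
                entries[name] = int(value.group("data"), 16)
    return entries


def account_status(entries: dict, username: str) -> str:
    """Report how one account is listed (user names compare case-insensitively)."""
    for name, data in entries.items():
        if name.lower() == username.lower():
            return {0: "hidden", 1: "shown"}.get(data, "unexpected data")
    return "not listed"


def hidden_accounts(entries: dict) -> list:
    """Names whose value is 0, i.e. accounts kept off the Welcome screen."""
    return sorted(name for name, data in entries.items() if data == 0)


if __name__ == "__main__":
    found = userlist_entries(SAMPLE_EXPORT)
    print("alice:", account_status(found, "alice"))
    print("hidden:", hidden_accounts(found))
```

Names reported as hidden that nobody on the machine recognises are worth checking against the Users list in compmgmt.msc.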
Tuesday, 28 June 2011
Solution to Reason 442: Failed to Enable Virtual Adapter with Cisco VPN Client on Vista x86
UPDATED July 2008: Please see below for the updated solution to this problem.
Again and again I see people complain about this error message (e.g. CISCO VPN Client Software on Windows Vista)
This is actually a quite easy (but annoying) thing to fix. Here's the 100% reliable method I use to fix this.
- In Network Connections, right-click your Cisco Systems VPN Adapter which should be disabled and enable it
- Right-click your Cisco Systems VPN Adapter again, this time selecting "Diagnose", and you should get the following prompt (your adapter may be numbered differently from Local Area Connection 3)
- Select "Reset the network adapter ........ ", this will take a while (around 60 seconds on my laptop)
- Windows will again prompt you saying the IP configuration is still invalid, ignore this and just press Cancel.
- Go back to the Network Connections, right-click your VPN Virtual Adapter and Disable.
- Now open Cisco VPN, and you should be able to connect without any issues.
The problem will reoccur every time the connection is not cleanly closed - i.e. suspend / hibernate / loss of signal. However all you need to do is follow the above steps and it'll reset itself.
Update: This problem has been fixed in Cisco VPN Client 5.0.03.0530. Please speak to your Cisco supplier to obtain this new version. When disconnecting from a VPN connection it appears the new client performs these actions for you automatically (it takes around 60 - 90 seconds now to disconnect from the VPN session). I am unable to redistribute the client from this site - please speak to your Cisco supplier / IT Team.
Wednesday, 25 May 2011
http://www.hindu.com/2005/02/20/stories/2005022006830500.htm
Bullock-cart wheel set to `light up' rural lives?
By Our Staff Reporter
A student demonstrates the model at the technical festival at Osmania University College of Engineering in Hyderabad.
HYDERABAD, FEB. 19. The symbol of rural transport can now produce power that can light up villages sans power bills. A group of engineering students from Adilabad district have designed a model that produces power using the bullock-cart wheel!
The model is based on the function that when the wheels of the cart rotate, the mechanical energy of the wheel is converted into electric energy using power transmission system and an alternator coupled to it.
The exhibit, which is being displayed at Techsonance-2005, the annual technical festival of the Department of Electrical & Electronics Department of the Osmania University College of Engineering, has attracted lot of attention given its earthy solution to generate electricity using the bullock-cart, widely used by farmers in villages.
Cheap energy
"The energy produced is cheap and can be conveniently used by villagers for domestic purpose," explains V. Paritosh Kumar, a student of Jatipita College of Engineering, Adilabad and a member of the group that created the model. Explaining the concept, Paritosh says in order to increase the Rotations Per Minute (RPM) from a mere 15 RPM of the normal cart-wheel to 540 RPM a rubber wheel of 4 inch diameter is fixed to the external surface of the rim of the cart-wheel. To further increase the speed to 1,500 RPM and get the desired 100W to 240W an hour, a power transmission system is fixed. This rotational energy is then converted into electrical energy in the form of DC by using a dynamo and charged in the battery.
So, if a bullock-cart moves for about six hours, nearly one KW of electricity is produced that can be used for bulbs, fans and small electronic gadgets. Farmers widely use bullock-carts for agricultural work and this electricity can be produced even as they are engaged in their regular work.
Though the students have spent nearly a lakh of rupees for developing the model, they say bulk production would reduce the cost to just Rs. 10,000.
They have already patented their product, but want to further improve it with the help of sponsors from the industry. Other students of the group are Prasanna Chandri, B. Sateesh Kumar and D. Naveen
Tuesday, 3 May 2011
Command here install in Windows Server
1. Navigate in your Registry to
HKEY_LOCAL_MACHINE\Software\Classes\Folder\Shell
and create a key called "Command Prompt" without the quotes.
2. Set the default string to whatever text you want to appear in the right-click menu.
3. Create a new key named "command" within your newly created "Command Prompt" key, and set its default string to
cmd.exe /k pushd %1
You may need to add %SystemRoot%\system32\ before the cmd.exe if the executable can't be found.
4. The changes should take place immediately. Right click a folder and your new menu item should appear.
Tuesday, 26 April 2011
Network Address Translation (NAT) Overview
The Microsoft implementation of an address translation feature is called Network Address Translation (NAT). NAT can be used to enable computers on a network such as in small offices or home offices (SOHOs) to have a common Internet connection using a single public IP address. NAT translates IP addresses and associated TCP/UDP port numbers on the private network to public IP addresses which can be routed on the Internet. Often, the size of the network and the security requirements of the network would dictate whether NAT is used. Networks that do not require an implementation of a firewall solution or a proxy server solution can use NAT to provide basic Internet connectivity. Through NAT, host computers are able to share a single publicly registered IP address to access the Internet.
With NAT, all outgoing packets are forwarded to the NAT server. At the NAT server, the source address of each outgoing packet is modified, and the packet is then forwarded to the Internet. All incoming packets are transmitted to the NAT server. At the NAT server, the addresses of the packets are changed to internal IP addresses, and the packets are then returned to the source which sent the original packet.
The computer that has NAT installed can be configured as either of the following:
- Network address translator server.
- A basic Dynamic Host Configuration Protocol (DHCP) server
- A Domain Name System (DNS) proxy.
- A Windows Internet Name Service (WINS) proxy.
In Routing and Remote Access Service (RRAS), NAT can be used to provide basic Internet connectivity for small offices or home offices. NAT also offers a number of security features which can be used to secure the network resources on your private network. In addition, DNS queries can be sent to a DNS server defined in NAT. NAT also supports a DHCP-compatible IP configuration.
With Windows Server 2003, the NAT server can support the following services or components:
- NAT – the address translation service/component: Here, the computer on which NAT is installed is the network address translator server. NAT translates outgoing and incoming packets' IP addresses and TCP and UDP port numbers that are transmitted to the Internet.
- DNS – name resolution component: Here, the computer that has NAT installed acts as a DNS server to other computers residing on the home network. NAT forwards name resolution requests to its defined Internet DNS servers, and then forwards any responses to the particular home network computer.
- DHCP – IP addressing component: Here, the computer that has NAT installed acts as a simplified DHCP server that assigns the IP address information listed below to other computers residing on the home network. The computers residing on the home network have to be defined as DHCP clients though:
  - IP address
  - Subnet mask
  - Default gateway
  - DNS server IP address
The existing network would determine which services you need to enable when you install NAT and configure the NAT server. For instance, if you have existing DNS and DHCP servers, you can still proceed with using these servers when NAT is enabled.
The NAT service is actually integrated with the router that changes the information of the originator in packets prior to them being forwarded to the Internet. NAT can be configured through either of the following components:
- Demand-dial interface: The connection is only established when the client specifically requests the connection.
- Persistent connection: These connections are permanent connections, and remain open all the time. Examples of persistent connections are a DSL dedicated line, or a dial-up interface that redials when the connection is lost.
A Windows Server 2003 server configured with either of the following services can act as the NAT server:
- Routing and Remote Access; a NAT implementation through Routing and Remote Access is the recommended approach.
- Internet Connection Sharing; should be used for exceptionally small networks only.
As mentioned previously, NAT translates IP addresses and associated TCP/UDP port numbers on the private network to public IP addresses which can be routed on the Internet. When this translation occurs, NAT assigns a unique port number to the session as well. A client computer is mapped to a single public IP address assigned by the ISP of the organization or assigned by the Internet Network Information Center (InterNIC). Through this mapping, NAT is then able to return responses to the correct client computer. Information on these mappings is stored in the NAT Session Mapping table.
The default configuration is that NAT translates IP addresses and TCP/UDP ports in the IP datagrams, which in turn results in the changing of these fields within the IP, TCP, and UDP headers:
- Source IP address
- TCP, UDP and IP checksum
- Source port.
Windows Server 2003 includes support for L2TP/IPSec VPN connections to function with NAT. You can also use a NAT editor for a few applications that do not contain IP address/port information within their headers.
Windows Server 2003 includes the NAT editors listed below:
- File Transfer Protocol (FTP)
- Internet Control Message Protocol (ICMP)
- Point-to-Point to the Internet
- Direct Play out to the Internet
- Lightweight Directory Access Protocol (LDAP) based Internet Locator Service (ILS) registration out to the Internet.
Understanding the Limitations of NAT
There are a few protocols that NAT is unable to perform network address translation for. For NAT to work and perform network address translation, it needs the IP information or port number information in the IP header and TCP header of packets. NAT uses IP addresses and the TCP port and UDP port within the TCP header, UDP header, and IP header to translate NAT traffic. While you can use a NAT editor to translate FTP traffic through a NAT system, this is not true for all protocols. A NAT editor only works for a few protocols such as FTP and PPTP. The inability of some protocols to pass through NAT is probably one of the most significant limitations of NAT.
A few limitations of NAT are listed here:
- When NAT is implemented through Routing and Remote Access, only the IP protocol is supported. NAT cannot perform address translation on the following protocols:
  - Simple Network Management Protocol (SNMP)
  - Lightweight Directory Access Protocol (LDAP)
  - Kerberos version 5
  - Component Object Model (COM)
  - Distributed Component Object Model (DCOM)
  - Microsoft Remote Procedure Call (RPC)
- The latest Microsoft IP Security protocol (IPSec) that provides IP header encryption through Authentication Header (AH) cannot pass over NAT.
- Domain controllers are unable to replicate over the NAT server.
Understanding How NAT Works
NAT works transparently to clients. This means that clients are not aware that NAT is functioning. A client is basically configured with the address of the NAT server as its default gateway. Hence, when the client sends an outgoing packet, the packet is forwarded to the NAT server.
When the NAT server receives the packet, it performs the following functions:
- A connection attempt is made to connect to a public address.
- NAT examines the source address and destination address, as well as the TCP/UDP port numbers within the packet header.
- The source address, destination address, and port information are stored in the NAT Session Mapping table.
- NAT replaces the source address of the packet with the public address of the NAT server. A port number is also assigned.
- The packet is sent over the Internet.
- Responses from the remote server are sent to the NAT server's public address and assigned port number.
- NAT at this stage consults its NAT mapping table to determine whether it should forward the response to the private network.
- When the NAT table contains a match, NAT checks which client the response should be forwarded to.
- The packet is then modified to reflect the internal private address of the client as its destination address. The port number is changed if required.
- The response packet is then sent over the private network to the client that initially sent the packet over the Internet.
The NAT Session Mapping Table
The information contained in the NAT Session Mapping table enables NAT to return responses to the correct client computer.
The information stored in the NAT Session Mapping table is listed here:
- Protocol; specified as either TCP or UDP, it is the protocol utilized to forward packets.
- Direction; specified as either inbound traffic, or as outbound traffic
- Private Address; the internal client computer's private IP address.
- Private Port; the private port number for the session.
- Public Address; the public IP address as assigned by the ISP of the organization or by the Internet Network Information Center (InterNIC)
- Public Port; port number assigned to the session.
- Remote Address; IP address which the client wants to access.
- Remote Port; port number assigned to session.
- Idle Time; for tracking of the entries within the NAT Session Mapping table. Entries are removed when no traffic is sent over the specific connection for a predefined time period.
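The translation steps and the Session Mapping table fields described above, as a small simulation added here (it is not Microsoft's RRAS code). The addresses are documentation ranges, and the 60-second idle timeout, the sequential port allocation and the matching of replies on remote address and port are assumptions; checksum rewriting is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    """One row of the session mapping table, using the fields listed above."""
    proto: str
    private_addr: str
    private_port: int
    public_addr: str
    public_port: int
    remote_addr: str
    remote_port: int
    last_seen: float   # basis for the idle time


class NatTable:
    def __init__(self, public_addr, idle_timeout=60.0, first_port=1025):
        self.public_addr = public_addr
        self.idle_timeout = idle_timeout   # assumed value, in seconds
        self.next_port = first_port        # assumed allocation: sequential
        self.by_private = {}   # lookup for outbound packets
        self.by_public = {}    # lookup for inbound replies

    def expire(self, now):
        """Drop entries that carried no traffic for idle_timeout; return how many."""
        stale = [s for s in self.by_public.values()
                 if now - s.last_seen > self.idle_timeout]
        for s in stale:
            del self.by_public[(s.proto, s.public_port, s.remote_addr, s.remote_port)]
            del self.by_private[(s.proto, s.private_addr, s.private_port,
                                 s.remote_addr, s.remote_port)]
        return len(stale)

    def outbound(self, pkt, now):
        """Rewrite source address and port, creating a table entry if needed."""
        self.expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s = self.by_private.get(key)
        if s is None:
            s = Session(pkt.proto, pkt.src, pkt.sport, self.public_addr,
                        self.next_port, pkt.dst, pkt.dport, now)
            self.next_port += 1
            self.by_private[key] = s
            self.by_public[(s.proto, s.public_port, s.remote_addr, s.remote_port)] = s
        s.last_seen = now
        return Packet(pkt.proto, s.public_addr, s.public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Forward a reply to the private client, or return None (dropped)."""
        self.expire(now)
        s = self.by_public.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if s is None or pkt.dst != self.public_addr:
            return None   # no matching session: not response traffic
        s.last_seen = now
        return Packet(pkt.proto, pkt.src, pkt.sport, s.private_addr, s.private_port)


def demo():
    nat = NatTable("203.0.113.5", idle_timeout=60.0)
    out = nat.outbound(Packet("TCP", "192.168.0.10", 49152, "198.51.100.10", 80), now=0.0)
    reply = nat.inbound(Packet("TCP", "198.51.100.10", 80, "203.0.113.5", out.sport), now=1.0)
    # Same public port, but from a host the client never contacted.
    stray = nat.inbound(Packet("TCP", "198.51.100.99", 80, "203.0.113.5", out.sport), now=2.0)
    # The genuine server again, after the entry has idled out.
    late = nat.inbound(Packet("TCP", "198.51.100.10", 80, "203.0.113.5", out.sport), now=120.0)
    return out, reply, stray, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```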
Understanding the Differences between NAT and Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) is another feature integrated with Windows that provides Internet connectivity to hosts using an interface. ICS provides a single public IP address to connect to the Internet, fixed address range for hosts, DNS proxy for name resolution, and automatic IP addressing. ICS is also easy to configure.
While a NAT implementation through Routing and Remote Access is the recommended approach, you can use Internet Connection Sharing for exceptionally small networks. You can use ICS to connect the whole network to the Internet. This is due to the ICS feature providing a translated connection – all computers can access resources on the Internet. Much like NAT, when ICS is used, private IP addresses are hidden from the public network. Public external addresses are used over the public network. While NAT includes the Basic Firewall feature that only allows response traffic to be forwarded to the private network, ICS includes the Internet Connection Firewall service for the same functionality.
One of the main features of using ICS is that it is preconfigured. ICS automatically configures the internal address of the computer hosting the shared connection as 192.168.0.1. Internal clients are assigned addresses in the 192.168.0.0/24 address range. Internal clients exist on the identical physical subnet. All internal clients point to the ICS computer for DNS resolution. The shared external interface has a single public address.
With a NAT implementation, the NAT server can be configured with any private IP address as its internal address. You can also disable the DNS proxy and DHCP server features if you have a DNS server and DHCP server configured within your environment. With NAT, you can use multiple interfaces. The shared external interface can be configured with a single public address or with multiple public addresses.
You can install ICS using Network And Dial-Up Connections. NAT is installed through the Routing And Remote Access console.
NAT Design Requirements
A few NAT-specific design requirements are listed here:
- Define the characteristics of the data passing through the NAT server. Requirements should include data confidentiality and the quantity of data the NAT server should handle.
- The resources residing in the private network which should be accessible to Internet users.
- The time duration for which users need access using the Internet connection.
- The response time for those applications accessing resources using the Internet connection.
- Router characteristics, including current WAN connections, protocols being used in the private network, and placement of existing routers.
- Future network expansion.
Designing a NAT Strategy
The factors that should be included when you define and design a NAT strategy are listed below:
- Determine whether NAT is indeed the proper address translation mechanism for your network. Factors to include in this decision should be:
  - Requirements of the users
  - Type of client computers that NAT must support
  - Size of the organization
  - Existing infrastructure
- Determine which protocols and applications will not be able to pass through NAT. For instance, NAT cannot perform address translation on Simple Network Management Protocol (SNMP) and Lightweight Directory Access Protocol (LDAP).
- Determine the type of connection which will be used. With a demand-dial interface, the connection is only established when the client specifically requests the connection. With a persistent connection, the connections are permanent connections, and remain open all the time.
- Determine the private network IP addressing scheme and the number of public IP addresses to acquire.
- Determine which interfaces are going to be configured with private IP addresses, and which interfaces will be configured with public IP addresses.
- Determine the optimal number of connections required to ensure availability and improved performance of your NAT solution.
- Determine whether your implementation of NAT will encompass multiple Internet connections for redundancy purposes.
- Determine the servers that will be configured as NAT servers.
- Determine whether NAT will allow Internet users to be able to access resources on the private network.
- Determine how access to resources on the private network will be assigned and maintained.
- Determine whether filters will be configured to restrict users located within the private network from accessing the Internet.
- Determine whether NAT will be performing the following functions in addition to network address translation:
  - Issue IP addresses.
  - Handle DNS resolution requests.
When client computers access resources on the Internet, they use fully qualified domain names (FQDNs) which need to be resolved to IP addresses by DNS servers. You therefore need to determine which method will be used for DNS name resolution for client computers that need to access the Internet.
The methods which you can use to define the DNS server which clients can use to resolve fully qualified domain names (FQDNs) are listed here:
- You can manually configure each client computer. This method should be utilized if you want to use different DNS name resolution methods for different client computers.
- You can define the DNS server in NAT so that the FQDNs are automatically resolved for client computers.
The advantages and disadvantages of using certain IP configuration methods are discussed now. The information provided can be useful when you need to decide on the IP configuration method to use with your NAT design.
The advantages of using the NAT IP address assignment feature as the IP configuration method are listed here.
- Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.
- No additional expenses are needed.
- Multiple network segments are supported.
The disadvantage of using the NAT IP address assignment feature is that it is only available for DHCP clients.
The advantages of using a DHCP server as the IP configuration method are listed next:
- Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.
- Multiple network segments are supported.
The disadvantages of using a DHCP server as the IP configuration method are listed below:
- The DHCP server can only be accessed and used for IP address assignment by DHCP client computers.
- Additional expenditure is required for setting up of the DHCP server(s).
The advantages of using Automatic Private IP Assignment (APIPA) as the IP configuration method are listed here:
- Misconfigurations are reduced, and hardly any time is required to assign IP configuration information.
- No additional expenditure is necessary.
The disadvantages of using Automatic Private IP Assignment (APIPA) as the IP configuration method are listed below:
- Not all Windows client computers can use APIPA.
- APIPA also supports only single-segment SOHO or branch office networks.
The advantage of using manual configuration as the IP configuration method is listed here:
- All Windows client computers can be manually configured.
The disadvantages of using manual configuration as the IP configuration method are listed below:
- Susceptible to misconfigurations.
- Extremely time consuming and intricate to manage as the network expands.
NAT Server Placement and NAT Server Requirements
The NAT server should reside on the private network, and should have the following components:
- One network adapter card configured with the internal private IP addresses connecting the internal private client computers. You can define one or multiple NAT server interfaces to the private branch office network or small office or home office (SOHO).
- One network adapter configured with the public IP address which connects to the Internet.
A few recommendations for placing NAT servers within your environment are listed here:
- IP forwarding should not be enabled on the interface of the NAT server which is connected to the Internet.
- IP routing should be enabled on the interfaces of the NAT server which are connected to private network segments/small office or home office (SOHO).
- Private network segments/SOHO should be isolated from the Internet.
To improve NAT server performance and optimize your NAT server hardware, consider the following recommendations:
- Use a dedicated computer to run NAT. When using a dedicated NAT server, you provide the following key features for your NAT implementation:
  - Preventing other services and applications from running on the same computer as NAT means that these services/applications do not use system resources. System resources are dedicated to NAT which in turn provides optimal NAT server performance.
  - You would also be preventing other services and applications from being the cause of the NAT server needing to be restarted, or shutting down.
- Using a persistent Internet connection would ensure that the NAT server can at all times connect to the Internet.
- Using a higher data rate Internet connection leads to improved performance of traffic passing through the Internet connection.
NAT Security
NAT does provide some security features that you can use to secure your private internal network and its resources from unauthorized access. Remember that NAT should not be used as an alternative to implementing a firewall solution where one is necessary.
While NAT security is on the whole sound, you can use the security features provided by NAT to enhance security of your NAT implementation further. The security requirements of the organization should be used as the basis for implementing a few NAT security features.
One of the primary objectives of implementing NAT security should be to restrict inbound traffic on the NAT server.
Routing and Remote Access Service (RRAS) IP packet filters can be used to restrict incoming or outgoing IP address ranges based on information in the IP header. You can configure and combine multiple filters to control network traffic.
A few important characteristics of IP packet filters are listed below:
- IP packet filters restrict all traffic sent through routers.
- IP packet filter restrictions are cumulative over multiple routers/interfaces.
Unwanted traffic that should be filtered usually includes:
- Unauthorized Internet users attempting to access resources on the private network.
- Applications/games which are not supported by your organization.
When to use IP packet filters:
- To restrict traffic being sent to, or from a specific computer, you can filter on source/destination IP address range.
- To restrict traffic coming from, or being sent to a specific IP address range of a network segment, you can filter on source/destination IP address range.
- To restrict traffic being transmitted to/from a particular application, you can filter on protocol number.
With NAT, you can configure two types of IP packet filters. When defining criteria for the packet filters, you can use any combination of IP header information.
The types of IP packet filters configurable for NAT are:
- Inbound IP packet filters: Here, traffic is filtered based on the IP address of the workstation attempting to access the private network. NAT by default drops all inbound requests to access private network resources. Therefore, you need to specifically allow access to private network resources using some additional configuration.
- Outbound IP packet filters: These filters are used to filter or restrict traffic attempting to access the Internet.
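The filter behaviour described above, modelled as an added Python example (not RRAS code and not part of the original post): each filter matches on source range, destination range and IP protocol number, and a packet is forwarded only if every filter list on its path permits it. The class names, the drop-by-default switch and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP = 6, 17  # IANA IP protocol numbers

@dataclass(frozen=True)
class Filter:
    src: str = "0.0.0.0/0"           # source address range
    dst: str = "0.0.0.0/0"           # destination address range
    protocol: Optional[int] = None   # IP protocol number; None matches any

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.protocol in (None, proto))

@dataclass
class FilterList:
    drop_by_default: bool   # True: only matches pass; False: matches are dropped
    filters: List[Filter]

    def permits(self, *pkt) -> bool:
        hit = any(f.matches(*pkt) for f in self.filters)
        return hit if self.drop_by_default else not hit

def forwarded(pkt: tuple, path: List[FilterList]) -> bool:
    """Restrictions are cumulative: every filter list on the path must permit."""
    return all(fl.permits(*pkt) for fl in path)

# Constructed policy using documentation address ranges (assumptions, not from the page).
INBOUND = FilterList(True, [Filter("203.0.113.0/24", "198.51.100.10/32", TCP)])
OUTBOUND = FilterList(False, [Filter("192.168.0.0/24", "192.0.2.0/24")])   # unsupported game hosts
BRANCH_OUT = FilterList(True, [Filter(src="192.168.0.0/25")])              # second router in the path

def verdicts() -> dict:
    """Evaluate constructed (src, dst, protocol) packets against the policy."""
    return {
        "partner tcp in": forwarded(("203.0.113.7", "198.51.100.10", TCP), [INBOUND]),
        "partner udp in": forwarded(("203.0.113.7", "198.51.100.10", UDP), [INBOUND]),
        "stranger tcp in": forwarded(("192.0.2.99", "198.51.100.10", TCP), [INBOUND]),
        "client to web": forwarded(("192.168.0.5", "198.51.100.80", TCP), [BRANCH_OUT, OUTBOUND]),
        "client to game": forwarded(("192.168.0.5", "192.0.2.40", UDP), [BRANCH_OUT, OUTBOUND]),
        "upper half out": forwarded(("192.168.0.200", "198.51.100.80", TCP), [BRANCH_OUT, OUTBOUND]),
    }

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:16} {'forward' if ok else 'drop'}")
```

The last two packets each pass one filter list and fail the other, which is what cumulative restriction means when you review filters across several routers.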
There may be occasions when you want specific Internet users or VPN users to access resources on the private network, or access a Web server residing on the private network. The methods which you can utilize to map external public IP addresses and ports to private IP addresses and private ports so that internal private resources can be accessed are discussed here:
- NAT address mappings: You can use a special port to map specific Internet users to resources within the private network, and in doing so, provide Internet users with access to resources residing within the private network. A special port can be defined as a static mapping of a public IP address and port number combination to a private IP address and port number. Administrators can configure a NAT address mapping for each specific private network resource that Internet users are allowed to access. The actual number of private network resources that you can make available to Internet users to access is determined by the number of TCP/UDP port numbers.
- NAT address pools: The NAT address pool feature can be used to allow VPN users and Internet users to access private network resources. The NAT server forwards requests for one of the public IP addresses with a specific TCP/UDP port number to resources in the private network. A few basic rules for using NAT address pools are listed here:
  - Administrators must provide the private network IP addresses of the servers which the NAT server can connect users to.
  - Administrators have to implement a port restricting strategy to limit the traffic that is allowed to access the private network.
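An added Python sketch (not from the original post and not RRAS code) of special-port mappings as a lookup table, with an audit that applies the two address-pool rules above: every mapped target must be a server the administrators listed, and every exposed port must fall inside the port-restriction policy. The pool, server list, port policy and mappings are constructed values and assumed names.

```python
import ipaddress

# Constructed configuration (documentation/private ranges; all values are assumptions).
ADDRESS_POOL = ipaddress.ip_network("198.51.100.8/29")   # public addresses held by the NAT server
PUBLISHED_SERVERS = {"192.168.0.10", "192.168.0.20"}     # private servers administrators listed
PERMITTED_PORTS = {("tcp", 80), ("tcp", 443)}            # port-restriction policy

# Special ports: (public_ip, protocol, public_port) -> (private_ip, private_port)
SPECIAL_PORTS = {
    ("198.51.100.10", "tcp", 80): ("192.168.0.10", 80),
    ("198.51.100.10", "tcp", 443): ("192.168.0.10", 443),
    ("198.51.100.11", "tcp", 3389): ("192.168.0.20", 3389),
    ("203.0.113.5", "tcp", 80): ("192.168.0.30", 8080),
}

def translate_inbound(dst_ip, proto, dst_port, mappings=SPECIAL_PORTS):
    """Return the private (ip, port) an inbound packet maps to, or None when
    no static mapping exists and the packet is dropped."""
    return mappings.get((dst_ip, proto, dst_port))

def audit_mappings(mappings=SPECIAL_PORTS):
    """Flag mappings that break the pool, server-list or port-policy rules."""
    findings = []
    for (pub_ip, proto, pub_port), (priv_ip, _priv_port) in sorted(mappings.items()):
        entry = f"{pub_ip}:{pub_port}/{proto}"
        if ipaddress.ip_address(pub_ip) not in ADDRESS_POOL:
            findings.append((entry, "public address is not in the address pool"))
        if priv_ip not in PUBLISHED_SERVERS:
            findings.append((entry, f"{priv_ip} is not a listed private server"))
        if (proto, pub_port) not in PERMITTED_PORTS:
            findings.append((entry, "port is outside the port-restriction policy"))
    return findings

if __name__ == "__main__":
    print(translate_inbound("198.51.100.10", "tcp", 443))   # mapped
    print(translate_inbound("198.51.100.10", "tcp", 22))    # no mapping, dropped
    for entry, reason in audit_mappings():
        print(f"{entry}: {reason}")
```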