INFOLINK UNIVERSITY COLLEGE
DILLA CAMPUS
Information Technology Department
System and Network Administration Module
Atnafu Gizaw
Computer Science & Engineering (BSc)
Computer Science and Networking (MSc)
Dilla, Ethiopia
April, 2022
System and Network Administration [Compiled By: Atnafu G(MSc)] 1
System and Network Administration
Chapter 1: Introduction & Background
1.1. Computer Systems & Network Overview
Computer System
A computer system is a collection of entities (hardware and software) designed to receive, process,
manage and present information in a meaningful format. Hardware refers to the physical, tangible computer
equipment and devices, which provide support for major functions such as input, processing (internal
storage, computation and control), output, secondary storage (for data and programs), and communication.
There are five main hardware components in a computer system: Input, Processing, Storage, Output and
Communication devices.
Computer software, also known as programs or applications, is the intangible component of the computer
system. It can be classified into two main classes, namely system software and application software.
Network Overview
A network can be defined as two or more computers connected together in such a way that they can share
resources. The primary purpose of a network is to share resources, and a resource could be:
a file, a folder, a printer, a disk drive, or just about anything else that exists on a computer.
Therefore, a computer network is simply a collection of computers or other hardware devices that are
connected together, either physically or logically, using special hardware and software, to allow them to
exchange information and cooperate. Networking is the term that describes the processes involved in
designing, implementing, upgrading, managing and otherwise working with networks and network
technologies.
There are different types of computer networks based on their respective attributes. These include:
geographical span, inter-connectivity (physical topology), administration and architecture.
Geographical Span: based on geographical area it covers there are different types of network:
Personal Area Network (PAN): is a network that may span a single table, with distances between the
devices of not more than a few meters. The technology used to interconnect the devices could be Bluetooth.
These networks are called Personal Area Networks because the devices interconnected in them belong to a
single person.
Local Area Network (LAN): is a network that may span across a building, or across several buildings
within a single organization, by using intermediate devices, like switches and/or hubs, to interconnect
devices in all floors.
Metropolitan Area Network (MAN): is a network that may span across a whole city interconnecting
several buildings and organizations.
Wide Area Network (WAN): is a network that may span multiple cities, an entire country, an entire
continent, or even the whole world. The Internet is one example of a WAN.
Inter-connectivity: the components of a network, including end devices and interconnecting devices, can be
connected to each other in different ways. By connectedness we mean a logical connection, a physical
connection, or both. Network topology refers to the shape of a network, or the network’s layout. It is the
geometric representation of the relationship of all the links and linking devices to one another. There are
four basic types of topologies, namely bus, star, ring and mesh topologies.
Bus Topology: in this topology all devices are connected to a central cable, called the bus or backbone,
which is terminated at its ends (see figure 1.1 a). The purpose of the terminators is to stop the signal from
bouncing, thereby clearing the cable so that other computers can send data. A message transmitted along the
bus is visible to all computers connected to the backbone cable. As the message arrives at each workstation,
the workstation checks the destination address contained in the message, processing the packet if the address
matches and dropping it otherwise. Its advantages are ease of installation and a smaller amount of cable
required. Its main drawback is that the entire network will be shut down if there is a break in the main cable.
Star Topology: in this topology, each node is connected directly to a central device called a hub or a switch
(see figure 1.1 b). Data on a star network passes through the central device (switch) before continuing to its
destination. The central device manages and controls all functions of the network. This configuration is
common with twisted pair cable. RJ-45 Connectors are used to connect the cable to the Network Interface
Card (NIC) of each computer. Its advantages include ease of installation and reconfiguration, robustness (ease
of fault identification and isolation), link failure affecting only the device(s) connected to that link, and
lower cost than mesh. Its drawbacks include more cable requirements (than bus and ring) and a single point of
failure (if the central device fails, the whole system will be down).
Ring Topology: in this topology, all devices are connected to one another in the shape of a closed loop, so
that each device is connected directly to two other devices, one on either side of it (see figure 1.1 c). Some of
its advantages include ease of installation and reconfiguration, lower cost (than mesh), and even performance
regardless of the number of users. Its cons include that a break in the ring (such as a disabled station) can
disable the entire network, and limitations on media and traffic (limits on ring length and number of devices).
Mesh Topology: in this topology devices are connected with many redundant interconnections between
network nodes. In a full mesh topology (see figure 1.1 d), every node has a connection to every other node in
the network, which makes it the most expensive of all the topologies. The number of cables grows fast as the
number of nodes increases, and it can be calculated with the general formula n(n - 1)/2, where n is the
number of nodes in the network. It has several benefits, such as: dedicated links between devices, robustness
(a single link failure does not affect the entire network), privacy/security (direct communication between
communicating devices), and ease of fault identification and isolation. Its drawbacks include difficult
installation and reconnection (large number of cables), a huge amount of cable that consumes a lot of space,
and the highest cost of all.
Hybrid Topology: a network structure whose design contains more than one topology is said to be a hybrid
topology. A hybrid topology inherits the merits and demerits of all the incorporated topologies. As its name
indicates, this topology can be created by merging the above basic topologies. Figure 1.1 e shows a hybrid
topology made up of ring and star.
Figure 1.1. Types of computer networks based on their physical topology
Administration: from an administrator’s point of view, a network can be a private network, which belongs to
a single autonomous system and cannot be accessed outside its physical or logical domain, or a public
network, which can be accessed by anyone inside or outside of an organization.
Network Architecture: based on the architecture (where do the clients get the shared resources?), networks
can be categorized into three:
Client-Server Architecture: there can be one or more systems acting as servers; the others, being clients,
ask the server to serve their requests. Servers take and process requests on the clients’ behalf.
Peer-to-Peer (Point-to-point): two systems can be connected point-to-point, or in other words back-to-back.
They both reside on the same level and are called peers.
There can also be a hybrid network which involves the network architecture of both the above types.
Figure 1.2. Client-Server (left) and Peer-to-Peer (right) network
1. Network Protocols
Protocol is a set of rules or standards that control data transmission and other interactions between networks,
computers, peripheral devices, and operating systems.
For two devices to communicate with each other, the same protocol must be used on the sending and receiving
devices. It is possible for two devices that use different protocols to communicate with each other, but
a gateway is needed in between.
1.1.2. Overview of the TCP/IP Protocol suites
The TCP/IP protocol suite was developed prior to the OSI model. Therefore, the layers in the TCP/IP
protocol suite do not exactly match those in the OSI model. The original TCP/IP protocol suite was defined
as having four layers: host-to-network, Internet, transport, and application layers. However, when TCP/IP is
compared to OSI, we can say that the host-to-network layer is equivalent to the combination of the physical
and data link layers. The Internet layer is equivalent to the network layer, and the application layer is
roughly doing the job of the session, presentation, and application layers with the transport layer in TCP/IP
taking care of part of the duties of the session layer.
TCP/IP is a hierarchical protocol made up of interactive modules, each of which provides a specific
functionality; however, the modules are not necessarily interdependent. Whereas the OSI model specifies
which functions belong to each of its layers, the layers of TCP/IP suite contain relatively independent
protocols that can be mixed and matched depending on the needs of the system. The term hierarchical means
that each upper-level protocol is supported by one or more lower-level protocols.
At the transport layer, TCP/IP defines three protocols: Transmission Control Protocol (TCP), User Datagram
Protocol (UDP), and Stream Control Transmission Protocol (SCTP). At the network layer, the main protocol
defined by TCP/IP is the Internetworking Protocol (IP); there are also some other protocols that support
data movement in this layer.
Figure 1.3. TCP/IP Protocol Stack
Network Access (Physical and Data Link Layers)
The Network Access layer of the TCP/IP model corresponds with the Data Link and Physical layers of the
OSI reference model. It defines the protocols and hardware required to connect a host to a physical network
and to deliver data across it. Packets from the Internet layer are sent down to the Network Access layer for
delivery within the physical network. The destination can be another host in the network, itself, or a router
for further forwarding. So the Internet layer has a view of the entire Internetwork whereas the Network
Access layer is limited to the physical layer boundary that is often defined by a layer 3 device such as a
router.
The Network Interface layer (also called the Network Access layer) is responsible for placing TCP/IP
packets on the network medium and receiving TCP/IP packets off the network medium. TCP/IP was
designed to be independent of the network access method, frame format, and medium. In this way, TCP/IP
can be used to connect differing network types. These include LAN technologies such as Ethernet and Token
Ring and WAN technologies such as X.25 and Frame Relay. Independence from any specific network
technology gives TCP/IP the ability to be adapted to new technologies such as Asynchronous Transfer Mode
(ATM). Network Access layer uses a physical address to identify hosts and to deliver data.
The Network Access layer PDU is called a frame. It contains the IP packet as well as a protocol header and
trailer from this layer. The Network Access layer header and trailer are only relevant in the physical network.
When a router receives a frame, it strips off the header and trailer and adds a new header and trailer before
sending it out on the next physical network towards the destination.
The Network Access layer manages all the services and functions necessary to prepare the data for the
physical network. These responsibilities include:
o Interfacing with the computer’s network adapter.
o Coordinating the data transmission with the conventions of the appropriate access method.
o Formatting the data into a unit called a frame and converting that frame into the stream of electric or
analog pulses that passes across the transmission medium.
o Checking for errors in incoming frames.
o Adding error-checking information to outgoing frames so that the receiving computer can check the frame
for errors.
o Acknowledging receipt of frames and resending frames if acknowledgment is not received.
Network Access Layer Protocols
The Network Access layer defines the procedures for interfacing with the network hardware and accessing
the transmission medium. Below the surface of TCP/IP’s Network Access layer, you’ll find an intricate
interplay of hardware, software, and transmission-medium specifications. Unfortunately, at least for the
purposes of a concise description, there are many different types of physical networks that all have their own
conventions, and any one of these physical networks can form the basis for the Network Access layer. A few
examples include:
o Ethernet
o Token ring
o FDDI (Fiber Distributed Data Interface)
o PPP (Point-to-Point Protocol, through a modem)
o Wireless networks
o Frame Relay
The good news is that the Network Access layer is almost totally invisible to the end user. The network
adapter driver, coupled with key low-level components of the operating system and protocol software,
manages most of the tasks relegated to the Network Access layer, and a few short configuration steps are
usually all that is required of a user. These steps are becoming simpler with the improved plug-and-play
features of desktop operating systems.
Network (Internet) Layer
At the network layer (or, more accurately, the Internetwork layer), TCP/IP supports the Internetworking
Protocol. IP, in turn, uses four supporting protocols: ARP, RARP, ICMP, and IGMP.
The Internet (Network) Layer Protocols
Internet Protocol (IP): IP essentially is the Internet layer. The other protocols found here merely exist to
support it. It is an unreliable and connectionless protocol (i.e. a best-effort delivery service). The term best
effort means that IP provides no error checking or tracking. It assumes the unreliability of the underlying
layers and does its best to get a transmission through to its destination, but with no guarantees.
IP transports data in packets called datagrams, each of which is transported separately. Datagrams can
travel along different routes and can arrive out of sequence or be duplicated. IP does not keep track of the
routes and has no facility for reordering datagrams once they arrive at their destination.
Internet Control Message Protocol (ICMP): works at the Network layer and is used by IP for many
different services. ICMP is a management protocol and messaging service provider for IP. The following are
some common events and messages that ICMP relates to:
Destination Unreachable: if a router can’t send an IP datagram any further, it uses ICMP to send a message
back to the sender, advising it of the situation.
Buffer Full: if a router’s memory buffer for receiving incoming datagrams is full, it will use ICMP to send
out this message until the congestion abates.
Hops: each IP datagram is allotted a certain number of routers, called hops, to pass through. If it reaches its
limit of hops before arriving at its destination, the last router to receive that datagram deletes it. The
executioner router then uses ICMP to send an obituary message, informing the sending machine of the
demise of its datagram.
Ping (Packet Internet Groper): uses ICMP echo messages to check the physical and logical connectivity of
machines on a network.
Traceroute: using ICMP timeouts, Traceroute is used to discover the path a packet takes as it traverses an
Internetwork.
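The hop limit and the ICMP replies described above, modelled as an added example (not code from the module text): the router addresses, the path and the destination host are constructed, and a traceroute-style loop shows how the "obituary" messages reveal the path one router at a time.

```python
"""Model of the IP hop limit (TTL) and the ICMP messages the module describes.

Constructed example: the path of routers and the addresses are made up.
Each router consumes one hop; the router that sees the count reach zero
discards the datagram and returns an ICMP time-exceeded message, and a
traceroute-style probe loop turns those messages into a list of hops.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int          # hops the datagram is still allowed to pass through


@dataclass
class IcmpMessage:
    kind: str         # "time_exceeded", "echo_reply" or "dest_unreachable"
    sender: str       # router or host that generated the message


# Constructed network: a host's packets pass through these routers in order
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DEST = "10.0.3.9"    # constructed destination host behind the last router


def forward(dg: Datagram, path: List[str], dest: str) -> IcmpMessage:
    """Carry one datagram along the path and return the ICMP reply it causes."""
    for router in path:
        dg.ttl -= 1                              # every router consumes one hop
        if dg.ttl == 0:
            # the "executioner" router deletes the datagram and reports back
            return IcmpMessage("time_exceeded", router)
    if dg.dst == dest:
        # reached the host: an echo request is answered by an echo reply (ping)
        return IcmpMessage("echo_reply", dest)
    # the last router has no route to dst and says so
    return IcmpMessage("dest_unreachable", path[-1])


def traceroute(src: str, dst: str, path: List[str], dest: str,
               max_hops: int = 30) -> Tuple[List[str], str]:
    """Probe with ttl = 1, 2, ... ; each time-exceeded reply names one router.

    Returns the list of replying addresses and the kind of the final reply.
    """
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        reply = forward(Datagram(src, dst, ttl), path, dest)
        hops.append(reply.sender)
        if reply.kind != "time_exceeded":
            return hops, reply.kind              # destination reached or unreachable
    return hops, "max_hops_exceeded"             # gave up before finding the end


if __name__ == "__main__":
    for hop_no, addr in enumerate(traceroute("10.0.0.5", DEST, PATH, DEST)[0], 1):
        print(f"{hop_no:2d}  {addr}")
```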
Address Resolution Protocol (ARP): finds the hardware address (physical or MAC address) of a host
from a known IP address. ARP interrogates the local network by sending out a broadcast asking the machine
with the specified IP address to reply with its hardware address.
Reverse Address Resolution Protocol (RARP): discovers the identity of the IP address for diskless
machines by sending out a packet that includes its MAC address and a request for the IP address assigned to
that MAC address. A designated machine, called a RARP server, responds with the answer, and the identity
crisis is over.
Transport Layer
Traditionally the transport layer was represented in TCP/IP by two protocols: TCP and UDP. IP is a host-to-
host protocol, meaning that it can deliver a packet from one physical device to another. UDP and TCP are
transport level protocols responsible for delivery of a message from a process (running program) to another
process. A new transport layer protocol, SCTP, has been devised to meet the needs of some newer
applications.
The Transport Layer Protocol
Transmission Control Protocol (TCP): TCP provides full transport-layer services to applications. TCP
is a reliable stream transport protocol. The term stream, in this context, means connection-oriented (i.e. a
connection must be established between both ends of a transmission before either of the communicating
devices can transmit data – three way handshaking). At the sending end of each transmission, TCP divides
a stream of data (that it received from the application layer) into smaller units called segments. Each
segment includes a sequence number for reordering after receipt, together with an acknowledgment number
for the segments received. Segments are carried across the Internet inside of IP datagrams. At the receiving
end, TCP collects each datagram as it comes in and the destination’s TCP protocol reorders the
transmission based on sequence numbers.
User Datagram Protocol (UDP): UDP is the simplest of all transport layer protocols. It is a process-to-process
protocol that does not sequence the segments and does not care in which order the segments arrive at the
destination. UDP sends the segments off and forgets about them. It doesn’t follow through, check up on them,
or even allow for an acknowledgment of safe arrival: complete abandonment (i.e. it does not guarantee
successful delivery of the transmitted message).
Stream Control Transmission Protocol: SCTP provides support for newer applications such as voice
over the Internet (VoIP). It is a transport layer protocol that combines the best features of both UDP and
TCP.
NOTE: TCP for reliability and UDP for faster transfers.
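Reassembly at the receiving end, as an added example that is not part of the module text: IP may deliver datagrams out of sequence or duplicated (see the Internet layer above), a TCP receiver uses the sequence numbers to restore the stream and to compute the acknowledgment number, and a UDP receiver hands up whatever arrives in the order it arrived. The payload, the segment size and the arrival order are constructed.

```python
"""Receiver-side behaviour of TCP versus UDP over an unreliable IP layer.

Constructed example: segments are assumed to be aligned (no partial overlaps),
which is enough to show reordering, duplicate suppression and ACK numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first byte of data
    data: bytes


class TcpReceiver:
    """Minimal model of the receive buffer: in-order delivery, duplicates dropped."""

    def __init__(self, initial_seq: int) -> None:
        self.expected = initial_seq                 # next byte needed (= ACK number)
        self.out_of_order: Dict[int, Segment] = {}  # arrived early, not yet deliverable
        self.stream = bytearray()                   # bytes handed to the application

    def receive(self, seg: Segment) -> int:
        """Accept one segment and return the ACK number to send back."""
        if seg.seq < self.expected:
            return self.expected                    # old duplicate: already delivered
        self.out_of_order[seg.seq] = seg            # a buffered duplicate just overwrites
        # deliver while the segment we are waiting for is in the buffer
        while self.expected in self.out_of_order:
            nxt = self.out_of_order.pop(self.expected)
            self.stream += nxt.data
            self.expected += len(nxt.data)
        return self.expected


def udp_receive(datagrams: List[Segment]) -> List[bytes]:
    """UDP: no sequencing, no duplicate detection, data is passed up as it arrives."""
    return [d.data for d in datagrams]


def make_segments(payload: bytes, mss: int, isn: int) -> List[Segment]:
    """Split the application's byte stream into segments of at most mss bytes."""
    return [Segment(isn + i, payload[i:i + mss]) for i in range(0, len(payload), mss)]


def demo() -> Tuple[bytes, List[int], bytes]:
    """Return (TCP stream, ACKs sent, what a UDP receiver would hand up)."""
    payload = b"System and Network Administration"          # 33 bytes, constructed
    sent = make_segments(payload, 8, 1000)                  # 5 segments, seq 1000..1032
    # constructed "network": segments arrive out of sequence and one is duplicated
    arrived = [sent[1], sent[0], sent[3], sent[1], sent[2], sent[4]]
    rx = TcpReceiver(1000)
    acks = [rx.receive(s) for s in arrived]
    return bytes(rx.stream), acks, b"".join(udp_receive(arrived))


if __name__ == "__main__":
    stream, acks, udp = demo()
    print("TCP delivered:", stream)
    print("ACKs sent    :", acks)
    print("UDP delivered:", udp)
```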
The Port Numbers
TCP and UDP must use port numbers to communicate with the upper layers, because they’re what keeps
track of different conversations crossing the network simultaneously. These port numbers identify the source
and destination application or process in the TCP segment. There are 2^16 = 65,536 ports available.
Well-known ports: The port numbers range from 0 to 1,023.
Registered ports: The port numbers range from 1,024 to 49,151. Registered ports are used by applications
or services that need to have consistent port assignments.
Dynamic or private ports: The port numbers range from 49,152 to 65,535. These ports are not assigned to
any protocol or service in particular and can be used for any service or application.
If a port is closed/blocked, you cannot communicate with the computer by the protocol using that port. For
example, if port 25 is blocked you cannot send mail. Firewalls by default block all ports. You should know
the port numbers of different protocols!!
TCP Ports
Protocol   TCP Port Number
Telnet     23
SMTP       25
HTTP       80
FTP        21
DNS        53
HTTPS      443
SSH        22

UDP Ports
Protocol   UDP Port Number
SNMP       161
TFTP       69
DNS        53
POP3       110
DHCP       68
NTP        123
RPC        530

Table 1.1. Sample TCP and UDP port numbers from the well-known category
Application Layer
The application layer in TCP/IP is equivalent to the combined session, presentation, and application layers
in the OSI model, and many protocols are defined at this layer.
The Process/Application Layer Protocols
Telnet: allows a user on a remote client machine, called the Telnet client, to access the resources of
another machine, the Telnet server. Telnet makes the client machine appear as though it were a terminal directly
attached to the server.
File Transfer Protocol (FTP): is the protocol that actually lets us transfer files, and it can accomplish this
between any two machines using it. Usually users are subjected to authentication before accessing an FTP
server.
Network File System (NFS): a protocol specializing in file sharing allowing two different types of file
systems to interoperate.
Simple Mail Transfer Protocol (SMTP): uses a spooled, or queued, method of mail delivery.
POP3 is used to receive mail.
Simple Network Management Protocol (SNMP): collects and manipulates valuable network
information. This protocol stands as a watchdog over the network, quickly notifying managers of any sudden
turn of events.
Domain Name Service (DNS): resolves hostnames (specifically, Internet names, such as www.iud.edu.et) to
IP addresses (such as 196.194.212.22).
Dynamic Host Configuration Protocol (DHCP): gives IP addresses to hosts. It allows easier
administration and works well in small-to-even-very large network environments.
1.2. Philosophy of System Administration
1. What is Network Administration?
Network Administrators Focus on Computers Working Together. A Network Administrator’s main
responsibilities include installing, configuring, and supporting an organization’s local area network (LAN),
wide area network (WAN), Internet systems, and/or a segment of a network system. Daily job duties may
depend on the size of a company’s network. For example, at a smaller company, a network administrator
may be directly responsible for performing updates and maintenance on network and IT systems, as well as
overseeing network switches and setting up and monitoring a virtual private network (VPN). However, at a
larger company, responsibilities may be broader and more managerial, such as overseeing a team of IT
specialists and working with network architects to make decisions about equipment and hardware purchases
and upgrades.
Network administration involves a wide array of operational tasks that help a network to run smoothly and
efficiently. Without network administration, it would be difficult for all but the smallest networks to
maintain network operations.
The main tasks associated with network administration include:
Design, installation and evaluation of the network
Execution and administration of regular backups
Creation of precise technical documentation, such as network diagrams, network cabling
documents, etc.
Provision for precise authentication to access network resources
Provision for troubleshooting assistance
Administration of network security, including intrusion detection
As you can easily guess, the exact definition of “network administration” is hard to pin down. In a larger
enterprise, it would more often be strictly related to the actual network. Specifically, this would include the
management and maintenance of switches, routers, firewalls, VPN gateways, etc. In smaller companies, the
network administrator is often a jack-of-all trades and involved in the configuration of databases,
installation, maintenance and upgrading of software, management of user accounts and security groups,
desktop support, and sometimes even basic software development.
A network administrator is a person who is responsible for installing, updating and configuring network
devices, and for troubleshooting and maintaining them: routers, cabling, phone systems (VoIP), switches and
firewalls.
1.1.2. What is System Administration?
System Administrators work directly with computer hardware and software. At the most basic level, the
difference between these two roles (between system and network administrators) is that a Network
Administrator oversees the network (a group of computers connected together), while a System
Administrator is in charge of the computer systems – all the parts that make a computer function. A
Computer Systems Administrator’s responsibilities may include software and hardware installation and
upkeep, data recovery and backup, setup, and training on user accounts and maintenance of basic security
best practices.
As with Network Administrator positions, specific daily job duties may depend on the size and scope of a
company’s computer systems. At smaller businesses, the System Administrator may handle all IT duties, and
thus maintain and update all computers as well as ensure data security and backup. Larger corporations may
divide system administrators’ responsibilities into more specific sub-roles, therefore resulting in specialized
positions like database administrators or security administrators.
System administration refers to the management of one or more hardware and software systems. The task is
performed by a system administrator who monitors system health, monitors and allocates system resources
like disk space, performs backups, provides user access, manages user accounts, monitors system security
and performs many other functions.
System administration is a job done by IT experts for an organization. The job is to ensure that computer
systems and all related services are working well. The duties in system administration are wide ranging and
often vary depending on the type of computer systems being maintained, although most of them share some
common tasks that may be executed in different ways.
Common tasks include installation of new hardware or software, creating and managing user accounts,
maintaining computer systems such as servers and databases, and planning and properly responding to
system outages and various other problems. Other responsibilities may include light programing or scripting
to make system workflows easier, as well as training computer users and assistants. A system administrator
is a person who is responsible for the configuration and reliability of computer systems, especially multi-user
computers such as servers. The system administrator ensures the uptime, performance, resources and security
of the computers; installs and upgrades hardware and software components; maintains security policies and
troubleshoots; and installs server operating systems and works on and with servers and vendors.
Although the specifics of being a system administrator may change from platform to platform, there are
underlying themes that do not. These themes make up the philosophy of system administration.
The themes are:
Automate everything
Document everything
Communicate as much as possible
Know your resources
Know your users
Know your business
Security cannot be an afterthought
Plan ahead
Expect the unexpected
Backup and disaster recovery planning
Patching
Automate Everything
Most system administrators are outnumbered — either by their users, their systems, or both. In many cases,
automation is the only way to keep up. In general, anything done more than once should be examined as a
possible candidate for automation. Here are some commonly automated tasks:
Free disk space checking and reporting
Backups
System performance data collection
User account maintenance (creation, deletion, etc.)
Business specific functions (pushing new data to a Web server, running monthly/quarterly/yearly
reports, etc.)
This list is by no means complete; the functions automated by system administrators are only limited by an
administrator’s willingness to write the necessary scripts.
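Free disk space checking and reporting, the first item in the list above, as an added example that is not from the module text. It parses output in the POSIX `df -P` format (the sample below is constructed) and reports every filesystem at or above a usage threshold, which is the kind of script a cron job would run and mail to the administrator instead of someone running df by hand.

```python
"""Automated free-disk-space check over `df -P` output.

Constructed example: SAMPLE_DF is made-up df output; live_report() runs the
real df on the machine it is executed on. Pseudo filesystems (tmpfs, devtmpfs)
are skipped so that they do not produce false alarms.
"""
import subprocess
from typing import List, Tuple

# Constructed sample in POSIX `df -P` format; the sizes and usage are made up.
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1         51474912  44268000   4567000      91% /
/dev/sdb1        412264480 101100000 290164480      26% /data
tmpfs               819200         0    819200       0% /run/user/1000
"""

Row = Tuple[str, str, int]   # (mount point, filesystem, percent used)


def parse_df(text: str) -> List[Row]:
    """Return one (mount point, filesystem, percent used) row per data line."""
    rows: List[Row] = []
    for line in text.splitlines()[1:]:           # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue                             # malformed or wrapped line: ignore
        fs, capacity = fields[0], fields[4]
        mount = " ".join(fields[5:])             # mount points may contain spaces
        rows.append((mount, fs, int(capacity.rstrip("%"))))
    return rows


def over_threshold(text: str, threshold: int = 90,
                   ignore: Tuple[str, ...] = ("tmpfs", "devtmpfs")) -> List[Row]:
    """Filesystems at or above `threshold` percent used, pseudo filesystems skipped."""
    return [(mount, fs, pct) for mount, fs, pct in parse_df(text)
            if pct >= threshold and fs not in ignore]


def report(text: str, threshold: int = 90) -> str:
    """Human-readable report; an empty string means there is nothing to report."""
    return "\n".join(f"{mount} ({fs}) is {pct}% full, threshold {threshold}%"
                     for mount, fs, pct in over_threshold(text, threshold))


def live_report(threshold: int = 90) -> str:
    """Run the real df (POSIX output format) on this machine and report on it."""
    out = subprocess.run(["df", "-P"], capture_output=True, text=True, check=True).stdout
    return report(out, threshold)


if __name__ == "__main__":
    print(live_report() or "all filesystems below threshold")
```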
Document Everything
If given the choice between installing a brand-new server and writing a procedural document on performing
system backups, the average system administrator would install the new server every time. While this is not
at all unusual, you must document what you do. Many system administrators put off doing the necessary
documentation for a variety of reasons.
What should you document? Here is a partial list:
Hardware inventory: Maintain lists of all your physical and virtual servers with the following details:
o OS: Linux or Windows, hypervisor with versions
o RAM: DIMM slots in physical servers
o CPU: Logical and virtual CPUs
o HDD: Type and size of hard disks
o External storage (SAN/NAS): Make and model of storage with management IP address and interface IP
address
o Open ports: Ports opened at the server end for incoming traffic
o IP address: Management and interface IP address with VLANs
o Engineering appliances: e.g., Exalogic, PureApp, etc.
Software inventory:
o Configured applications: e.g., Oracle WebLogic, IBM WebSphere Application Server, Apache Tomcat,
Red Hat JBoss, etc.
o Third-party software: Any software not shipped with the installed OS
License details:
o Maintain license counts and details for physical servers and virtual servers (VMs), including licenses for
Windows, subscriptions for Linux OS, and the license limit of the hypervisor host.
Policies: Policies are written to formalize and clarify the relationship you have with your user community.
They make it clear to your users how their requests for resources and/or assistance are handled. The nature,
style, and method of disseminating policies to your community varies from organization to organization.
Procedures: Procedures are any step-by-step sequence of actions that must be taken to accomplish a certain
task. Procedures to be documented can include backup procedures, user account management procedures,
problem reporting procedures, and so on. Like automation, if a procedure is followed more than once, it is a
good idea to document it.
Changes: A large part of a system administrator’s career revolves around making changes: configuring
systems for maximum performance, tweaking scripts, modifying configuration files, and so on. All of these
changes should be documented in some fashion. Otherwise, you could find yourself being completely
confused about a change you made several months earlier. Some organizations use more complex methods
for keeping track of changes, but in many cases a simple revision history at the start of the file being
changed is all that is necessary. At a minimum, each entry in the revision history should contain:
The name or initials of the person making the change
The date the change was made
The reason the change was made
Backup and disaster recovery planning
Communicate with the backup team and provide them the data and client priorities for backup. The
recommended backup criteria for production servers is:
Incremental backups: Daily, Monday to Friday
Full backup: Saturday and Sunday
Disaster recovery drills: Perform restoration mock drills once a month (preferably, or quarterly if
necessary) with the backup team to ensure the data can be restored in case of an issue.
Patching
Operating system patches for known vulnerabilities must be implemented promptly. There are many types
and levels of patches, including:
Security
Critical
Moderate
When a patch is released, check the bug or vulnerability details to see how it applies to your system (e.g.,
does the vulnerability affect the hardware in your system?), and take any necessary actions to apply the
patches when required. Make sure to cross-verify applications’ compatibility with patches or upgrades.
Server hardening
Linux:
Set a BIOS password: This prevents users from altering BIOS settings.
Set a GRUB password: This stops users from altering the GRUB bootloader.
Deny root access: Rejecting root access minimizes the probability of intrusions.
Sudo users: Make sudo users and assign limited privileges to invoke commands.
TCP wrappers: These restrict which hosts may connect to a wrapped network service. Apply a rule for the SSH daemon to
allow only trusted hosts to access the server, and deny all others. Apply similar rules for other services like
FTP, SFTP (SSH File Transfer Protocol), etc.
Firewalld/iptables: Configure firewalld and iptables rules for traffic coming into the server. Each rule should
specify the port, source IP and destination IP concerned, and whether to allow, reject or deny that traffic (ICMP
requests included), separately for the public zone and the private zone.
Antivirus: Install antivirus software and update virus definitions regularly.
Secure and audit logs: Check the logs regularly and when required.
Rotate the logs: Keep logs for a limited period of time (for example, 7 days) so that sufficient disk space
remains for normal operation.
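The TCP wrappers rule described above, as an added example that is not part of the original module: a small Python evaluator of hosts.allow/hosts.deny rules (a subset of the hosts_access(5) client syntax only: ALL, an exact IPv4 address, a trailing-dot prefix, and net/mask or net/prefixlen), run against constructed rule files that allow SSH only from trusted hosts and deny everything else.

```python
"""Evaluate TCP-wrappers style rules (hosts.allow / hosts.deny) for a client.

Added example, not part of the original module.  The two rule files below are
constructed, and only a subset of the hosts_access(5) client syntax is handled:
ALL, an exact IPv4 address, a trailing-dot prefix such as "192.168.10.",
and net/mask or net/prefixlen.  Hostname patterns and EXCEPT are not supported.
"""
import ipaddress

# Constructed hosts.allow: SSH only from the management subnet and one jump
# host; FTP only from the management subnet (trailing-dot prefix form).
HOSTS_ALLOW = """
# Trusted management hosts for the SSH daemon
sshd   : 192.168.10.0/255.255.255.0
sshd   : 10.0.0.5
vsftpd : 192.168.10.
"""

# Constructed hosts.deny: everything not explicitly allowed above is refused.
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a rule file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.startswith(".") or pattern.upper() in ("LOCAL", "KNOWN", "UNKNOWN", "PARANOID"):
        raise ValueError(f"hostname-based pattern not supported here: {pattern!r}")
    if pattern.endswith("."):                     # "192.168.10." matches 192.168.10.x
        return str(ip).startswith(pattern)
    if "/" in pattern:                            # net/mask or net/prefixlen
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)    # exact address


def rule_matches(rule, daemon, addr):
    """True when the rule's daemon list and client list both match."""
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access order: hosts.allow first, then hosts.deny, else allow."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True   # no rule matched: TCP wrappers fall through to allow


if __name__ == "__main__":
    for daemon, host in [("sshd", "192.168.10.7"), ("sshd", "10.0.0.5"),
                         ("sshd", "203.0.113.9"), ("vsftpd", "192.168.10.9"),
                         ("vsftpd", "10.0.0.5")]:
        verdict = "ALLOW" if access_allowed(daemon, host) else "DENY"
        print(f"{daemon:6} from {host:14} -> {verdict}")
```

Without the final "ALL : ALL" in hosts.deny, the same rules would let any unlisted host through, which is the point of the deny-all line.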
Windows:
Set a BIOS password: This prevents users from altering BIOS settings.
Antivirus: Install antivirus software and update virus definitions regularly.
Configure firewall rules: Prevent unauthorized parties from accessing your systems.
Deny administrator login: Limit users’ ability to make changes that could increase your systems’
vulnerabilities.
Use a syslog server
Configure a syslog server in the environment to keep records of system and application logs. In the
event of an intrusion or issue, the sysadmin can then check previous and real-time logs to diagnose and resolve
the problem.
Communicate as Much as Possible
When it comes to your users, you can never communicate too much. Be aware that small system changes
you might think are practically unnoticeable could very well completely confuse the administrative assistant
in Human Resources.
Know Your Resources
System administration is mostly a matter of balancing available resources against the people and programs
that use those resources. Therefore, your career as a system administrator will be a short and stress-filled one
unless you fully understand the resources you have at your disposal. Some of the resources are ones that
seem pretty obvious:
System resources, such as available processing power, memory, and disk space
Network bandwidth
Available money in the IT budget
Security cannot be an Afterthought
No matter what you might think about the environment in which your systems are running, you cannot take
security for granted. Even standalone systems not connected to the Internet may be at risk (although
obviously the risks will be different from a system that has connections to the outside world). Therefore, it is
extremely important to consider the security implications of everything you do. The following list illustrates
the different kinds of issues you should consider:
The nature of possible threats to each of the systems under your care
The location, type, and value of the data on those systems
The type and frequency of authorized access to the systems
While you are thinking about security, do not make the mistake of assuming that possible intruders will only
attack your systems from outside of your company. Many times, the perpetrator is someone within the
company. So the next time you walk around the office, look at the people.
Chapter 2: Windows Network Concepts
2.1 Workgroups
In computer networking a workgroup is a collection of computers on a LAN that share common resources
and responsibilities. Workgroup is Microsoft’s term for a peer-to-peer LAN. Windows WORKGROUPs can be
found in homes, schools and small businesses. Computers running Windows OSs in the same workgroup
may share files, printers, or an Internet connection. A workgroup contrasts with a domain, in which computers
rely on centralized authentication.
A Windows workgroup is a group of standalone computers in a peer-to-peer network. Each computer in the
workgroup uses its own local accounts database to authenticate resource access. The computers in a
workgroup also do not have a common authentication process. The default networking environment for a
clean Windows installation is a workgroup.
In general, a given Windows workgroup environment can contain many computers but works best with 15 or
fewer computers. As the number of computers increases, a workgroup eventually becomes very difficult to
administer and should be re-organized into multiple networks or set up as a client-server network.
The computers in a workgroup are considered peers because they are all equal and share resources among
each other without requiring a server. Since the workgroup doesn’t share a common security and resource
database, users and resources must be defined on each computer. Joining a workgroup requires all
participants to use a matching name; all Windows computers (Windows 7, 8 and 10) are automatically
assigned to a default group named WORKGROUP (MSHOME in Windows XP).
To access shared resources on other PCs within its group, a user must know the name of the workgroup that
computer belongs to plus the username and password of an account on the remote computer.
The main disadvantages of workgroups are:
If a user account will be used for accessing resources on multiple machines, the user account will need to be
created on each of those machines; this requires that the same username and password be used on all of them.
The low-security protocol used for authentication between nodes.
Desktop computers have a fixed limit of 15 or fewer connections. Note that this is in reference to connections
to an individual desktop.
One of the most common mistakes when setting up a peer-to-peer network is misspelling the workgroup
name on one of the computers. For example, suppose you decide that all the computers should belong to a
workgroup named MYGROUP. If you accidentally spell the workgroup name MYGRUOP for one of the
computers, that computer will be isolated in its own workgroup. If you can’t locate a computer on your
network, the workgroup name is one of the first things to check.
2.1.1. Windows Workgroups vs Homegroups and Domains
Server Domain
Windows domains support client-server local networks. A specially configured computer called Domain
Controller running a Windows Server operating system serves as a central server for all clients. Windows
domains can handle more computers than workgroups due to the ability to maintain centralized resource
sharing and access control. A client PC can belong either to a workgroup or to a Windows domain, but not
both. Assigning a computer to the domain automatically removes it from the workgroup.
Microsoft HomeGroup
Microsoft introduced the HomeGroup concept in Windows 7. HomeGroups are designed to simplify the
management of workgroups for administrators, particularly homeowners. Instead of requiring an
administrator to manually set up shared user accounts on every PC, HomeGroup security settings can be
managed through one shared login.
Joining a HomeGroup does not remove a PC from its Windows WORKGROUP; the two sharing methods co-exist.
Computers running versions of Windows older than Windows 7 (like XP and Vista), however, cannot be
members of HomeGroups.
Other Computer Workgroup technologies
The open source software package Samba (which uses SMB technologies) allows Apple macOS, Linux and
other Unix-based systems to join existing Windows workgroups. Apple originally developed AppleTalk to
support workgroups on Macintosh computers but phased out this technology in the late 2000s in favor of
newer standards like SMB.
Samba is free software that provides file and print services for various Microsoft Windows clients and can
integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain
member. As of version 4, it supports Active Directory and Microsoft Windows NT domains. Samba runs on
most Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple’s macOS
Server, and macOS client (Mac OS X 10.2 and greater). It is standard on nearly all distributions of Linux
and is commonly included as a basic system service on other Unix-based operating systems as well. Samba
is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server
Message Block), the name of the proprietary protocol used by the Microsoft Windows network file system.
2.2 Domain Controllers
A domain controller (DC) is a server computer that responds to security authentication requests within a
computer network domain. It is a network server that is responsible for allowing end devices to access
shared domain resources. It authenticates users, stores user account information and enforces security policy
for a domain. It is most commonly implemented in Microsoft Windows environments (see below about
Windows Domain), where it is the centerpiece of the Windows Active Directory service. However, non-
Windows domain controllers can be established via identity management software such as Samba.
Domain controllers are typically deployed as a cluster to ensure high availability and maximize reliability.
In a Windows environment, one domain controller serves as the Primary Domain Controller (PDC) and
all other servers promoted to domain controller status in the domain serve as Backup Domain
Controllers (BDCs). In Unix-based environments, one machine serves as the master domain controller and
others serve as replica domain controllers, periodically replicating database information from the main
domain controller and storing it in a read-only format.
On Microsoft Servers, a domain controller (DC) is a server computer that responds to security
authentication requests (logging in, etc.) within a Windows domain. A Windows domain is a form of
computer network in which all user accounts, computers, printers and other security principals, are registered
with a central database located on one or more clusters of central computers known as domain controllers.
A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of
computer resources with the use of a single username and password combination. You must set up at least
one Domain Controller in every Windows domain. Figure 2.2 shows the Domain Controller in a Windows
domain.
Figure 2.2. Domain Controller
Windows Server can be one of three kinds: Active Directory “domain controllers” (ones that provide identity
and authentication), Active Directory “member servers” (ones that provide complementary services such as
file repositories and schema) and Windows Workgroup “stand-alone servers”. The term “Active Directory
Server” is sometimes used by Microsoft as synonymous with “Domain Controller”, but the term is discouraged.
2.2.1. System requirements for a Domain Controller
This section outlines the minimum hardware requirements to run the latest Windows Server available at the time
this resource was prepared (i.e. Windows Server 2022). If your computer has less than the minimum requirements,
you will not be able to install the server correctly. Actual requirements will vary based on your system
configuration and the applications and features you install.
Processor
Processor performance depends not only on the clock frequency of the processor, but also on the number of
processor cores and the size of the processor cache.
The following are the minimum processor requirements for the product:
1.4 GHz 64-bit processor
Compatible with x64 instruction set
RAM
The following are the estimated minimum RAM requirements for the product:
512 MB (2 GB for Server with Desktop Experience installation option)
Storage controller and disk space requirements
Computers that run Windows Server must include a storage adapter that is compliant with the PCI Express
architecture specification. Persistent storage devices on servers classified as hard disk drives must not be
PATA. Windows Server does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives. The
estimated minimum disk space requirement for the system partition is 32 GB.
Network adapter requirements
Network adapters used with this latest release should include an Ethernet adapter capable of at least 1
gigabit per second throughput.
The following is a list of minimum system requirements for older versions of Windows Servers:
Component       Windows Server 2003 32-bit      Windows Server 2008 32-bit       Windows Server 2008 R2 64-bit
Computer and    Server computer with a          Server computer with a           x64, 1.4 GHz if single core,
processor       133-MHz processor               minimum 1 GHz processor          1.3 GHz if multi core
Memory          25 TFTP                         512 MB RAM
Hard disk       1.5 GB available hard-disk      20 GB available hard-disk        32 GB available hard-disk space
                space                           space
Table 2.1. System requirements for a domain controller
2.3. LDAP & Windows Active Directory
2.3.1. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard
application protocol for accessing and maintaining distributed directory information services over an Internet
Protocol (IP) network. Directory services play an important role in developing intranet and Internet
applications by allowing the sharing of information about users, systems, networks, services, and
applications throughout the network. As examples, directory services may provide any organized set of
records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone
directory is a list of subscribers with an address and a phone number.
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many
different applications and services to connect to the LDAP server to validate users.
In the early engineering stages of LDAP, it was known as Lightweight Directory Browsing Protocol,
or LDBP. It was renamed with the expansion of the scope of the protocol beyond directory browsing and
searching, to include directory update functions. It was given its Lightweight name because it was not as
network intensive as its predecessors and thus was more easily implemented over the Internet due to its
relatively modest bandwidth usage.
LDAP has influenced subsequent Internet protocols, including later versions of X.500, XML Enabled
Directory (XED), Directory Service Markup Language (DSML), Service Provisioning Markup Language
(SPML), and the Service Location Protocol (SLP). It is also used as the basis for Microsoft’s Active
Directory.
Protocol overview
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA),
by default on TCP and UDP port 389, or on port 636 for LDAPS (LDAP over TLS/SSL, see below). The
client then sends an operation request to the server, and the server sends responses in return. With some
exceptions, the client does not need to wait for a response before sending the next request, and the server
may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER).
The client may request the following operations:
StartTLS – use LDAPv3 Transport Layer Security (TLS) extension for a secure connection
Bind – authenticate and specify LDAP protocol version
Search – search for and/or retrieve directory entries
Compare – test if a named entry contains a given attribute value
Add a new entry
Delete an entry
Modify an entry
Modify Distinguished Name (DN) – move or rename an entry
Abandon – abort a previous request
Extended Operation – generic operation used to define other operations
Unbind – close the connection (not the inverse of Bind)
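The Bind operation and the BER encoding mentioned above, as an added example that is not part of the original module: Python code that builds an LDAPv3 simple BindRequest byte by byte and decodes a constructed BindResponse (the DN, password and response bytes are all constructed). It also shows why a simple bind needs StartTLS or LDAPS: the password travels as plain octets in the message.

```python
"""Encode an LDAPv3 simple BindRequest and decode a BindResponse with BER.

Added example, not from the original module; the DN, password and the
response bytes below are constructed.  Tags follow RFC 4511:
BindRequest is [APPLICATION 0], BindResponse is [APPLICATION 1],
simple authentication is [0] inside the BindRequest.
"""


def ber_length(n):
    """BER length octets: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Tag, length and content octets for one BER element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Two's-complement INTEGER for non-negative values (leading 0x00 if needed)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(0x02, body)


def ber_octet_string(data):
    return ber_tlv(0x04, data)


def bind_request(message_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple [0] } }."""
    bind = ber_tlv(
        0x60,                                    # APPLICATION 0, constructed
        ber_integer(version)
        + ber_octet_string(dn.encode())
        + ber_tlv(0x80, password.encode()),      # CONTEXT 0: simple authentication
    )
    return ber_tlv(0x30, ber_integer(message_id) + bind)   # outer SEQUENCE


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Extract (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, seq, _ = read_tlv(msg)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, mid, pos = read_tlv(seq)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, body, _ = read_tlv(seq, pos)
    assert tag == 0x61, "expected BindResponse (APPLICATION 1)"
    _, code, pos = read_tlv(body)               # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(body, pos)   # matchedDN (unused here)
    _, diag, _ = read_tlv(body, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


# Constructed BindResponse: messageID 1, resultCode 49 (invalidCredentials),
# empty matchedDN and diagnosticMessage.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    req = bind_request(1, "cn=svc-backup,ou=Services,dc=example,dc=com", "s3cret")
    print(req.hex())
    # The password is visible as plain bytes: this is why a simple bind
    # belongs inside StartTLS or LDAPS, never in the clear on port 389.
    print("password visible in request:", b"s3cret" in req)
    print(parse_bind_response(SAMPLE_BIND_RESPONSE))
```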
A common alternative method of securing LDAP communication is using an SSL tunnel. The default port
for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it
was never standardized in any formal specification. This usage has been deprecated along with LDAPv2,
which was officially retired in 2003.
The protocol provides an interface with directories as follows:
An entry consists of a set of attributes.
An attribute has a name (an attribute type or attribute description) and one or more values.
Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished
Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry’s DN. Think of
the DN as the full file path and the RDN as its relative filename in its parent folder (e.g.
if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).
A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree. To
reliably and unambiguously identify entries, a UUID might be provided in the set of the entry’s operational
attributes.
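The DN/RDN structure described above, as an added example that is not part of the original module: a Python parser that splits a DN into its RDNs (honouring backslash escapes and multi-valued "+" RDNs), returns the leftmost RDN and the parent DN in line with the file-path analogy, and tests whether one entry lies beneath another. The DNs used are constructed.

```python
"""Split an LDAP Distinguished Name into RDNs and derive the parent DN.

Added example, not from the original module; the DNs below are constructed.
Following the file-path analogy in the text: DN = full path, leftmost RDN =
filename, remainder = folder.  Backslash escapes ("\\,") and multi-valued
RDNs ("cn=x+uid=y") are handled; attribute types are compared case-insensitively.
"""


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parse_dn(dn):
    """Return a list of RDNs, each a list of (attributeType, value) pairs."""
    if not dn.strip():
        return []                   # the root DSE has an empty DN
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            attr, value = ava.split("=", 1)
            pairs.append((attr.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns


def _format(rdn):
    return "+".join(f"{a}={v}" for a, v in rdn)


def rdn_of(dn):
    """The leftmost RDN, i.e. the 'filename' part of the DN."""
    rdns = parse_dn(dn)
    return _format(rdns[0]) if rdns else ""


def parent_dn(dn):
    """Everything after the first RDN, i.e. the 'folder' the entry lives in."""
    return ",".join(_format(r) for r in parse_dn(dn)[1:])


def is_child_of(dn, ancestor):
    """True when dn sits somewhere beneath ancestor in the directory tree."""
    child, anc = parse_dn(dn), parse_dn(ancestor)
    return len(child) > len(anc) and child[len(child) - len(anc):] == anc


if __name__ == "__main__":
    dn = "cn=Smith\\, John+uid=jsmith,ou=Staff,dc=example,dc=com"
    print(rdn_of(dn))      # cn=Smith\, John+uid=jsmith
    print(parent_dn(dn))   # ou=Staff,dc=example,dc=com
    print(is_child_of(dn, "dc=example,dc=com"))   # True
```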
2.3.2. Windows Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is
included in most Windows Server operating systems as a set of processes and services. Initially, it was used
only for centralized domain management. However, it eventually became an umbrella title for a broad range
of directory-based identity-related services.
A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It
authenticates and authorizes all users and computers in a Windows domain-type network, assigning and
enforcing security policies for all computers, and installing or updating software. For example, when a user
logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and
determines whether the user is a system administrator or normal user. Also, it allows management and
storage of information, provides authentication and authorization mechanisms, and establishes a framework
to deploy other related services: Certificate Services, AD Federation Services, Lightweight Directory
Services, and Rights Management Services. Active Directory uses LDAP versions 2 and 3, Microsoft’s
version of Kerberos, and DNS.
Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and
revised it to extend functionality and improve administration in Windows Server 2003. Additional
improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional
services were added to Active Directory, such as Active Directory Federation Services. The part of the
directory in charge of management of domains, which was previously a core part of the operating system,
was renamed Active Directory Domain Services (ADDS) and became a server role like others. Active
Directory became the umbrella title of a broader range of directory-based services; everything related to
identity was brought under Active Directory’s banner.
2.3.2.1. Active Directory Services
Active Directory Services consist of multiple directory services. The best known is Active Directory Domain
Services, commonly abbreviated as AD DS or simply AD.
Domain Services (DS)
AD DS is the foundation stone of every Windows domain network. It stores information about
members of the domain, including devices and users, verifies their credentials and defines their
access rights. The server running this service is called a domain controller. A domain controller is
contacted when a user logs into a device, accesses another device across the network, or runs a line-
of-business Metro-style app sideloaded into a device.
Other Active Directory services (excluding LDS, which is discussed below) as well as most of
Microsoft server technologies rely on or use Domain Services; examples include Group Policy,
Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange
Server and SharePoint Server.
Lightweight Directory Services (LDS)
Active Directory Lightweight Directory Services, formerly known as AD Application
Mode (ADAM), is an implementation of the LDAP protocol for AD DS. AD LDS runs as a service on
Windows Server. AD LDS shares the code base with AD DS and provides the same functionality,
including an identical API, but does not require the creation of domains or domain controllers.
It provides a Data Store for storage of directory data and a Directory Service with an
LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on
the same server.
Certificate Services (CS)
AD Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create,
validate and revoke public key certificates for internal uses of an organization. These certificates can
be used to encrypt files, emails, and network traffic (when used by virtual private networks or IPSec
protocol). AD CS requires an AD DS infrastructure.
Federation Services (FS)
AD Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place,
users may use several web-based services (e.g. Internet forum, blog, online shopping, webmail) or
network resources using only one set of credentials stored at a central location, as opposed to having
to be granted a dedicated set of credentials for each service. AD FS’s purpose is an extension of that
of AD DS: The latter (AD DS) enables users to authenticate with and use the devices that are part of
the same network, using one set of credentials. The former (AD FS) enables them to use the same set
of credentials in a different network.
As the name suggests, AD FS works based on the concept of federated identity. AD FS requires an
AD DS infrastructure, although its federation partner may not.
Rights Management Services (RMS)
AD Rights Management Services (AD RMS) is server software for information rights management
shipped with Windows Server. It uses encryption and a form of selective functionality denial for
limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages,
and the operations authorized users can perform on them.
2.3.2.2. Logical Structure
As a directory service, an Active Directory instance consists of a database and corresponding executable
code responsible for servicing requests and maintaining the database. The executable part, known as
Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and
later. Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model
interface), messaging API and Security Accounts Manager services.
Figure 2.1. Sample Network Diagram to indicate a Domain
Objects
Active Directory structures are arrangements of information about objects. The objects fall into two broad
categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security
principals are assigned unique security identifiers (SIDs).
Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes.
Certain objects can contain other objects. An object is uniquely identified by its name and has a set of
attributes—the characteristics and information that the object represents— defined by a schema, which also
determines the kinds of objects that can be stored in Active Directory.
The schema object lets administrators extend or modify the schema when necessary. However, because each
schema object is integral to the definition of Active Directory objects, deactivating or changing these objects
can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the
system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires
planning.
Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree,
and domain are the logical divisions in an Active Directory network.
Within a deployment, objects are grouped into domains. The objects for a single domain are stored in
a single database (which can be replicated). Domains are identified by their DNS name structure, the
namespace.
A domain is defined as a logical group of network objects (computers, users, devices) that share the
same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, and is linked in
a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration. The forest represents the security boundary
within which users, computers, groups, and other objects are accessible.
Organizational Units
The objects held within a domain can be grouped into organizational units (OUs). OUs can provide
hierarchy to a domain, ease its administration, and can resemble the organization’s structure in managerial or
geographical terms. Microsoft recommends using OUs rather than domains for structure and to simplify the
implementation of policies and administration. The OU is the recommended level at which to apply group
policies, which are Active Directory objects formally named group policy objects (GPOs), although
policies can also be applied to domains or sites (see below). The OU is the level at which administrative
powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.
Organizational units (OUs) do not each have a separate namespace. As a consequence, for compatibility with
legacy NetBIOS implementations, user accounts with an identical account name are not allowed within
the same domain even if the account objects are in separate OUs. This is because the account name, a user
object attribute, must be unique within the domain. However, two users in different OUs can have the same
common name (CN), the name under which they are stored in the directory itself, such as “fred.staff-
ou.domain” and “fred.student-ou.domain”, where “staff-ou” and “student-ou” are the OUs.
Note:
The reason for lack of duplicate names through hierarchical directory placement is that Microsoft
primarily relies on the principles of NetBIOS (i.e. a flat-namespace method of network object
management). Allowing for duplication of object names in the directory, or
completely removing the use of NetBIOS names, would prevent backward compatibility with legacy
software and equipment. However, disallowing duplicate object names in this way is a violation of
the LDAP RFCs on which Active Directory is supposedly based.
As the number of users in a domain increases, the duplicate naming issue becomes even more complicated.
Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID
system of unique user ID numbers to use as account names in place of actual users’ names, and allowing
users to nominate their preferred word sequence within an acceptable use policy.
Because duplicate usernames cannot exist within a domain, account name generation poses a significant
challenge for large organizations that cannot be easily subdivided into separate domains, such as students in
a public school system or university who must be able to use any computer across the network.
2.3.2.3. Physical Structure
Sites are physical (rather than logical) groupings defined by one or more IP subnets. AD also holds the
definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links.
Site definitions are independent of the domain and OU structure and are common across the forest. Sites are
used to control network traffic generated by replication and also to refer clients to the nearest domain
controllers (DCs).
Physically, the Active Directory information is held on one or more peer domain controllers (DCs). Each DC
has a copy of the AD. Servers joined to AD that are not domain controllers are called Member Servers. A
subset of objects in the domain partition replicates to domain controllers that are configured as global
catalogs. Global Catalog (GC) servers replicate to themselves all objects from all domains and hence provide a
global listing of all objects in the forest. However, to minimize replication traffic and keep the GC’s database
small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS).
Replication
Active Directory synchronizes changes using multi-master replication. Replication by default is ‘pull’
rather than ‘push’, meaning that replicas pull changes from the server where the change was effected.
The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the
defined sites to manage traffic. Intra-site replication is frequent and automatic as a result of change
notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are
typically less frequent and do not use change notification by default, although this is configurable and can be
made identical to intra-site replication. Replication of Active Directory uses Remote Procedure Calls (RPC)
over IP (RPC/IP).
2.3.2.4. Implementation
In general, a network utilizing Active Directory has more than one licensed Windows server computer.
Backup and restore of Active Directory is possible for a network with a single domain controller, but
Microsoft recommends more than one domain controller to provide automatic failover protection of the
directory. Domain controllers are also ideally single-purpose for directory operations only, and should not
run any other software or role.
Certain Microsoft products such as SQL Server and Exchange can interfere with the operation of a domain
controller, necessitating isolation of these products on additional Windows servers. Combining them can
make configuration or troubleshooting of either the domain controller or the other installed software more
difficult. A business intending to implement Active Directory is therefore recommended to purchase a
number of Windows server licenses, to provide for at least two separate domain controllers, and optionally,
additional domain controllers for performance or redundancy, a separate file server, a separate Exchange
server, a separate SQL Server, and so forth to support the various server roles.
Physical hardware costs for the many separate servers can be reduced through the use of virtualization,
although for proper failover protection, Microsoft recommends not running multiple virtualized domain
controllers on the same physical hardware.
2.3.2.5. Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a
forest are automatically created when domains are created. The forest sets the default boundaries of trust,
and implicit, transitive trust is automatic for all domains within a forest.
Terminology
One-way trust: One domain allows access to users on another domain, but the other domain does not allow
access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust: An explicit trust between domains in different trees or in the same tree when a
descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut: Joins two domains in different trees, transitive, one- or two-way.
System and Network Administration [Compiled By: Atnafu G(MSc)] 27
Forest trust: Applies to the entire forest. Transitive, one- or two-way.
Realm: Can be transitive or nontransitive (intransitive), one- or two-way.
External: Connect to other forests or non-AD domains. Nontransitive, one- or two-way.
PAM trust: A one-way trust used by Microsoft Identity Manager from a (possibly low-level)
production forest to a (Windows Server 2016 functionality level) ‘bastion’ forest, which issues time-
limited group memberships.
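As an added example (not part of this module's text), the trust kinds listed above can be checked against a live domain with the ActiveDirectory PowerShell module; it assumes RSAT is installed and that the caller is allowed to read the domain's trust objects.

```powershell
# Added example (not the module's own code): list the trusts of a domain and map the cmdlet's
# attributes onto the terminology above. Assumes RSAT / the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param(
        # Domain (or domain controller) to query; defaults to the caller's own domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t = $_
        $type = "$($t.TrustType)"        # Uplevel (AD), Downlevel (NT4), MIT (Kerberos realm), ...
        $kind = if ($t.IntraForest)           { 'Intra-forest (parent/child, tree-root or shortcut)' }
                elseif ($type -eq 'MIT')      { 'Realm (Kerberos) trust' }
                elseif ($t.ForestTransitive)  { 'Forest trust' }
                elseif ($type -eq 'Downlevel'){ 'External trust to an NT4-style domain' }
                else                          { 'External trust' }
        # Outbound = this domain trusts the target (outgoing in the GUI): the target's users can
        # access resources here. Inbound = the target trusts this domain (incoming).
        $direction = switch ("$($t.Direction)") {
            'BiDirectional' { 'Two-way' }
            'Outbound'      { 'One-way: this domain trusts the target' }
            'Inbound'       { 'One-way: the target trusts this domain' }
            default         { "$($t.Direction)" }
        }
        # Defensive check for external trusts: SID filtering ("quarantine") should stay enabled so
        # that SIDs carried in the other domain's tokens cannot claim membership in local groups.
        $sidFilteringOff = (-not $t.IntraForest) -and (-not $t.ForestTransitive) -and
                           (-not $t.SIDFilteringQuarantined)
        [pscustomobject]@{
            Source          = $t.Source
            Target          = $t.Target
            Kind            = $kind
            Direction       = $direction
            Transitive      = -not $t.DisallowTransivity   # attribute is spelled this way by the module
            SelectiveAuth   = $t.SelectiveAuthentication   # True: target users need explicit "Allowed to Authenticate"
            SidFilteringOff = $sidFilteringOff
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize
```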
2.3.2.6. Management solutions
Microsoft Active Directory management tools include:
o Active Directory Administrative Center (introduced with Windows Server 2012 and above),
o Active Directory Users and Computers,
o Active Directory Domains and Trusts,
o Active Directory Sites and Services,
o ADSI Edit,
o Local Users and Groups,
o Active Directory Schema snap-ins for Microsoft Management Console (MMC),
o SysInternals ADExplorer.
These management tools may not provide enough functionality for an efficient workflow in large environments.
Some third-party solutions extend the administration and management capabilities. They provide essential
features for more convenient administration processes, such as automation, reports, integration with other
services, etc.
2.3.2.7. Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating
systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant
LDAP clients, but these systems usually do not interpret many attributes associated with Windows
components, such as Group Policy and support for one-way trusts.
Third parties offer Active Directory integration for Unix-like platforms, including:
o PowerBroker Identity Services – allows a non-Windows client to join Active Directory
o ADmitMac (Thursby Software Systems)
o Samba – can act as a domain controller
Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many
scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby. Free and
non-free AD administration tools can help to simplify and possibly automate AD management tasks. Since
October 2017 Amazon AWS offers integration with Microsoft Active Directory.
Chapter 3: User Administration Concepts & Mechanisms
3.1. Users and Capabilities
A user account is a collection of settings and information that tells Windows which files and folders you can
access, what you can do on your computer, what are your preferences, and what network resources you can
access when connected to a network.
The user account allows you to authenticate to Windows or any other operating system so that you are
granted authorization to use them. Multi-user operating systems such as Windows don’t allow a user to use
them without having a user account.
A user account in Windows is characterized by the following attributes:
User name: the name you are giving to that account.
Password: the password associated with the user account (in Windows 7 or older versions you can also use
blank passwords).
User group: a collection of user accounts that share the same security rights and permissions. A user account
must be a member of at least one user group.
Type: all user accounts have a type which defines their permissions and what they can do in Windows.
Administrator: The “Administrator” user account has complete control over the PC. He or she can install anything
and make changes that affect all users of that PC.
Standard: The “Standard” user account can only use the software that’s already installed by the administrator and
change system settings that don’t affect other users.
Guest: The “Guest” account is a special type of user account that has the name Guest and no password. This is only
for users that need temporary access to the PC. This user can only use the software that’s already installed by the
administrator and cannot make any changes to system settings.
All user accounts have specific capabilities, privileges, and rights. When you create a user account, you can
grant the user specific capabilities by making the user a member of one or more groups. This gives the user
the capabilities of these groups. You then assign additional capabilities by making a user a member of the
appropriate groups or withdraw capabilities by removing a user from a group.
An important part of an administrator’s job is being able to determine and set permissions, privileges, and
logon rights as necessary. Although you can’t change a group’s built-in capabilities, you can change a
group’s default privileges and logon rights. For example, you could revoke network access to a computer by
removing a group’s right to access the computer from the network.
3.1.1. What are File & Folder Permissions?
Permissions are a method for assigning access rights to specific user accounts and user groups. Through the
use of permissions, Windows defines which user accounts and user groups can access which files and
folders, and what they can do with them. To put it simply, permissions are the operating system’s way of
telling you what you can or cannot do with a file or folder.
On the Windows operating system, to learn the permissions of any folder, right-click on it and select
“Properties.” In the Properties window, go to the Security tab. In the “Group or user names” section you
will see all the user accounts and user groups that have permissions to that folder. If you select a group or a
user account, you can then see its assigned permissions in the “Permissions for Users” section.
In Windows, a user account or a user group can receive one of the following permissions to any file or
folder:
Read: allows the viewing and listing of a file or folder. When viewing a folder, you can view all its files and
subfolders.
Write: allows writing to a file or adding files and subfolders to a folder.
List folder contents: this permission can be assigned only to folders. It permits the viewing and listing of files and
subfolders, as well as executing files that are found in that folder.
Read & execute: permits the reading and accessing of a file’s contents as well as its execution. When dealing with
folders, it allows the viewing and listing of files and subfolders, as well as the execution of files.
Modify: when dealing with files, it allows their reading, writing and deletion. When dealing with folders, it allows the
reading and writing of files and subfolders, plus the deletion of the folder.
Full control: it allows reading, writing, changing and deleting of any file and subfolder.
Generally, files inherit the permissions of the folder where they are placed, but users can also define specific
permissions that are assigned only to a specific file. To make your computing life simpler, it is best to edit
permissions only at a folder level.
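An added example, not from the module, showing how the same permissions are read and set from PowerShell instead of the Security tab; the share folder path and the group name are assumed values.

```powershell
# Added example (not the module's own code): report a folder's ACL and grant a right at folder
# level with inheritance, so files and subfolders inherit it. Path and group name are assumed.
function Get-FolderPermissionReport {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value   # what the Security tab lists under "Group or user names"
            Access    = $_.AccessControlType         # Allow or Deny
            Rights    = $_.FileSystemRights          # Read, ReadAndExecute, Modify, FullControl, ...
            Inherited = $_.IsInherited               # $true when the entry came from the parent folder
            AppliesTo = "$($_.InheritanceFlags) / $($_.PropagationFlags)"
        }
    }
}

function Grant-FolderRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'DOMAIN\Project-Team' (assumed name)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit: subfolders and files below inherit this entry, which is
    # why the text advises editing permissions at folder level rather than file by file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-BroadFullControl {
    # Flags Allow/FullControl entries held by very broad principals, a common misconfiguration.
    param([Parameter(Mandatory)][string]$Path)
    Get-FolderPermissionReport -Path $Path | Where-Object {
        $_.Access -eq 'Allow' -and "$($_.Rights)" -match 'FullControl' -and
        $_.Principal -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
    }
}

$folder = 'D:\Shares\Project'   # assumed share folder
Grant-FolderRight -Path $folder -Principal 'DOMAIN\Project-Team' -Rights Modify
Get-FolderPermissionReport -Path $folder | Format-Table -AutoSize
Find-BroadFullControl -Path $folder |
    ForEach-Object { Write-Warning "Full Control for broad principal $($_.Principal) on $folder" }
```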
Assigning User Rights
The most efficient way to assign user rights is to make the user a member of a group that already has the
right. In some cases, however, you might want a user to have a particular right but not have all the other
rights of the group. One way to resolve this problem is to give the user the rights directly. Another way to
resolve this is to create a special group for users that need the right. This is the approach used with the
Remote Desktop Users group, which was created by Microsoft to grant Allow Logon Through Terminal
Services to groups of users.
You assign user rights through the Local Policies node of Group Policy. Local policies can be set on a per-
computer basis using a computer’s local security policy or on a domain or OU basis through an existing
group policy for the related domain or OU. When you do this, the local policies apply to all accounts in the
domain or OU.
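As an added example (not from the module), the rights that are actually in force on a computer can be audited by exporting its local security policy with secedit and reading the [Privilege Rights] section; the export path is an assumed temporary file, and the command must be run from an elevated prompt.

```powershell
# Added example (not the module's own code): export the effective local security policy and
# report which principals hold the given logon rights. $ExportPath is an assumed temp file.
function Get-LocalUserRight {
    param(
        [Parameter(Mandatory)][string[]]$Right,             # e.g. SeNetworkLogonRight
        [string]$ExportPath = "$env:TEMP\user-rights.inf"   # assumed location, deleted afterwards
    )
    # secedit writes an INI-style file; /areas USER_RIGHTS limits it to the [Privilege Rights] section.
    $null = secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed (is the prompt elevated?)' }
    try {
        $inSection = $false
        foreach ($line in Get-Content $ExportPath) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
            $name, $holders = $Matches[1], $Matches[2]
            if ($Right -notcontains $name) { continue }
            foreach ($h in ($holders -split ',' | Where-Object { $_ })) {
                $principal = $h.Trim()
                if ($principal.StartsWith('*')) {
                    # Entries are written as *SID; resolve to a readable name where possible.
                    $sid = [System.Security.Principal.SecurityIdentifier]$principal.Substring(1)
                    try   { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $principal = $sid.Value }   # orphaned SID: keep it raw so it is not missed
                }
                [pscustomobject]@{ Right = $name; Principal = $principal }
            }
        }
    } finally { Remove-Item $ExportPath -ErrorAction SilentlyContinue }
}

# "Access this computer from the network" and its Deny counterpart, as in the text's example;
# SeRemoteInteractiveLogonRight is the "Allow log on through Terminal Services" right.
Get-LocalUserRight -Right SeNetworkLogonRight, SeDenyNetworkLogonRight, SeRemoteInteractiveLogonRight |
    Sort-Object Right, Principal | Format-Table -AutoSize
```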
3.2. Policy Tools & Roaming Profiles
What is a Roaming profile?
A Windows profile is a set of files that contains all settings of a user including per-user configuration files
and registry settings. In an Active Directory or NT4 domain you can set that the profile of a user is stored on
a server. This enables the user to log on to different Windows domain members and use the same settings.
When using roaming user profiles, a copy of the profile is downloaded from the server to the Windows
domain member when a user logs in. Until the user logs out, all settings are stored and updated in the local
copy. During the log out, the profile is uploaded to the server.
Assigning a Roaming Profile to a User
Depending on the Windows version, Windows uses different folders to store the roaming profile of a user.
However, when you set the profile path for a user, you always set the path to the folder without any version
suffix.
For example: \\server\profiles\user_name
A roaming user profile is a file synchronization concept in the Windows NT family of operating systems
that allows users with a computer joined to a Windows domain to log on to any computer on the same
domain and access their documents and have a consistent desktop experience, such as applications
remembering toolbar positions and preferences, or the desktop appearance staying the
same, while keeping all related files stored locally, to not continuously depend on a fast and reliable network
connection to a file server.
All Windows operating systems since Windows NT 3.1 are designed to support roaming profiles. Normally,
a standalone computer stores the user’s documents, desktop items, application preferences, and desktop
appearance on the local computer in two divided sections, consisting of the portion that could roam plus an
additional temporary portion containing items such as the web browser cache. The Windows Registry is
similarly divided to support roaming; there are System and Local Machine hives that stay on the local
computer, plus a separate User hive (HKEY_CURRENT_USER) designed to be able to roam with the user
profile.
When a roaming user is created, the user’s profile information is instead stored on a centralized file server
accessible from any network-joined desktop computer. The login prompt on the local computer checks to see
if the user exists in the domain rather than on the local computer; no preexisting account is required on the
local computer. If the domain login is successful, the roaming profile is copied from the central file server to
the desktop computer, and a local account is created for the user.
When the user logs off from the desktop computer, the user’s roaming profile is merged from the local
computer back to the central file server, not including the temporary local profile items. Because this is a
merge and not a move/delete, the user’s profile information remains on the local computer in addition to
being merged to the network.
When the user logs in on a second desktop computer, this process repeats, merging the roaming profile from
the server to the second desktop computer, and then merging back from the desktop to the server when the
user logs off.
When the user returns to the first desktop computer and logs in, the roaming profile is merged with the
previous profile information, replacing it. If profile caching is enabled, the server is capable of merging only
the newest files to the local computer, reusing the existing local files that have not changed since the last
login, and thereby speeding up the login process.
Windows stores information about a particular user in a so-called profile. Some examples of the sort of data
that gets stored in a profile are (N.B. this list is not exhaustive):
Application data and settings
The “Documents”/“My Documents” folder
The “Downloads” folder, which is where your internet browser may save to by default
Files stored on your Desktop
Directories you create under c:\users\[your-username]
Members of some groups in the department have a roaming profile. This means that the master copy of the
profile is stored on a fileserver. When you log in to a Windows computer, the contents of your profile will be
synchronized from the fileserver to the local computer. When you log out of the computer, any changes to
the profile are then synchronized back to the server. Instructions for checking whether or not you have a
roaming profile are available.
There are two main reasons why a roaming profile might be useful in the department. Firstly, because the
contents of the profile are stored centrally, whenever you log on to any computer in the department you will
have the same application data and settings (e.g., internet browser bookmarks, preferences in Microsoft
Office etc.).
Secondly, because the master copy of your roaming profile is stored on a Departmentally-managed
fileserver, all data stored within it is automatically backed up.
What are the main differences between roaming and local profiles?
Windows roaming and local profiles are similar in that they both store Windows user settings and data. A
local profile is one that is stored directly on the computer. The main advantage to using a local profile is that
the profile is accessible even when the computer is disconnected from the network. A major drawback of a
local profile is that the user profile data is not being automatically backed up by the server. Since most users
rarely back up their computers, if a hard drive fails, any data that is stored within local profiles on that
machine would be lost.
Roaming profiles are stored on a server and can be accessed by logging into any computer on the network.
In a roaming profile, when a user logs onto the network, his/her profile is copied from the server to the
user’s desktop. When the user logs off of their computer, the profile (including any changes that the user
might have made) is copied back to the server. A major drawback of roaming profiles is that they can slow
down the network. Windows user profiles often become very large as the user profile data continues to grow.
If you have a large roaming profile, the login and logoff times may take a significant amount of time.
The solution to this problem is to use folder redirection with roaming profiles. Folder redirection allows
specific folders (such as the Desktop and Documents folder) to be permanently stored on the server. Doing
so eliminates the need for the redirected folder to be copied as a part of the logon and logoff processes.
In summary, for a hassle-free network experience one should choose the default local profile. However, if
you need roaming profiles enabled, Concise can assist you with the configuration and deployment of
roaming profiles utilizing folder redirection so you can have the best of both worlds!
3.3. Advanced Concepts I
The Registry
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows
operating system and for applications that opt to use the registry. The kernel, device drivers, services,
Security Accounts Manager, and user interface can all use the registry. The registry also allows access to
counters for profiling system performance.
In other words, the registry or Windows Registry contains information, settings, options, and other values for
programs and hardware installed on all versions of Microsoft Windows operating systems. For example,
when a program is installed, a new subkey containing settings such as a program’s location, its version, and
how to start the program, are all added to the Windows Registry.
When introduced with Windows 3.1, the Windows Registry primarily stored configuration information for
COM-based components. Windows 95 and Windows NT extended its use to rationalize and centralize the
information in the profusion of INI files, which held the configurations for individual programs, and were
stored at various locations. It is not a requirement for Windows applications to use the Windows Registry.
For example, .NET Framework applications use XML files for configuration, while portable applications
usually keep their configuration files with their executables.
Prior to the Windows Registry, .INI files stored each program’s settings as a text file or binary file, often
located in a shared location that did not provide user-specific settings in a multi-user scenario. By contrast,
the Windows Registry stores all application settings in one logical repository (but a number of discrete files)
and in a standardized form. According to Microsoft, this offers several advantages over .INI files. Since file
parsing is done much more efficiently with a binary format, it may be read from or written to more quickly
than a text INI file. Furthermore, strongly typed data can be stored in the registry, as opposed to the text
information stored in .INI files. This is a benefit when editing keys manually using regedit.exe, the built-in
Windows Registry Editor. Because user-based registry settings are loaded from a user-specific path rather
than from a read-only system location, the registry allows multiple users to share the same machine, and also
allows programs to work for less privileged users. Backup and restoration is also simplified as the registry
can be accessed over a network connection for remote management/support, including from scripts, using
the standard set of APIs, as long as the Remote Registry service is running and firewall rules permit this.
Because the registry is a database, it offers improved system integrity with features such as atomic updates.
If two processes attempt to update the same registry value at the same time, one process’s change will
precede the other’s and the overall consistency of the data will be maintained. Where changes are made to
.INI files, such race conditions can result in inconsistent data that does not match either attempted update.
Windows Vista and later operating systems provide transactional updates to the registry by means of the
Kernel Transaction Manager, extending the atomicity guarantees across multiple key and/or value changes,
with traditional commit–abort semantics. (Note however that NTFS provides such support for the file system
as well, so the same guarantees could, in theory, be obtained with traditional configuration files.)
3.3.1.1. Structure
Keys and values
The registry contains two basic elements: keys and values. Registry keys are container objects similar
to folders. Registry values are non-container objects similar to files. Keys may contain values and subkeys.
Keys are referenced with a syntax similar to Windows’ path names, using backslashes to indicate levels of
hierarchy. Keys must have a case-insensitive name without backslashes.
The hierarchy of registry keys can only be accessed from a known root key handle (which is anonymous but
whose effective value is a constant numeric handle) that is mapped to the content of a registry key preloaded
by the kernel from a stored “hive”, or to the content of a subkey within another root key, or mapped to a
registered service or DLL that provides access to its contained subkeys and values.
There are seven predefined root keys, traditionally named according to their constant handles defined in the
Win32 API, or by synonymous abbreviations (depending on applications):
o HKEY_LOCAL_MACHINE or HKLM
o HKEY_CURRENT_CONFIG or HKCC
o HKEY_CLASSES_ROOT or HKCR
o HKEY_CURRENT_USER or HKCU
o HKEY_USERS or HKU
o HKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry Editor)
o HKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor)
Like other files and services in Windows, all registry keys may be restricted by access control lists (ACLs),
depending on user privileges, or on security tokens acquired by applications, or on system security policies
enforced by the system (these restrictions may be predefined by the system itself, and configured by local
system administrators or by domain administrators). Different users, programs, services or remote systems
may only see some parts of the hierarchy or distinct hierarchies from the same root keys.
Registry values are name/data pairs stored within keys. Registry values are referenced separately from
registry keys. Each registry value stored in a registry key has a unique name whose letter case is not
significant. The Windows API functions that query and manipulate registry values take value names
separately from the key path and/or handle that identifies the parent key. Registry values may contain
backslashes in their names, but doing so makes them difficult to distinguish from their key paths when using
some legacy Windows Registry API functions (whose usage is deprecated in Win32).
The terminology is somewhat misleading, as each registry key is similar to an associative array, where
standard terminology would refer to the name part of each registry value as a “key”. The terms are a holdout
from the 16-bit registry in Windows 3, in which registry keys could not contain arbitrary name/data pairs,
but rather contained only one unnamed value (which had to be a string). In this sense, the Windows 3
registry was like a single associative array, in which the keys (in the sense of both ‘registry key’ and
‘associative array key’) formed a hierarchy, and the registry values were all strings. When the 32-bit registry
was created, so was the additional capability of creating multiple named values per key, and the meanings of
the names were somewhat distorted. For compatibility with the previous behavior, each registry key may
have a “default” value, whose name is the empty string.
Each value can store arbitrary data with variable length and encoding, but which is associated with a
symbolic type (defined as a numeric constant) defining how to parse this data. The standard types are:
Type ID | Symbolic Type Name                   | Meaning and encoding of the data stored in the registry value
0       | REG_NONE                             | No type (the stored value, if any)
1       | REG_SZ                               | A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character
2       | REG_EXPAND_SZ                        | An “expandable” string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
3       | REG_BINARY                           | Binary data (any arbitrary data)
4       | REG_DWORD / REG_DWORD_LITTLE_ENDIAN  | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1]) (little-endian)
5       | REG_DWORD_BIG_ENDIAN                 | A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [2^32 – 1])
6       | REG_LINK                             | A symbolic link (UNICODE) to another registry key, specifying a root key and the path to the target key
7       | REG_MULTI_SZ                         | A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in Unicode, each one terminated by a null character, the list being normally terminated by a second null character
8       | REG_RESOURCE_LIST                    | A resource list (used by the Plug-n-Play hardware enumeration and configuration)
9       | REG_FULL_RESOURCE_DESCRIPTOR         | A resource descriptor (used by the Plug-n-Play hardware enumeration and configuration)
10      | REG_RESOURCE_REQUIREMENTS_LIST       | A resource requirements list (used by the Plug-n-Play hardware enumeration and configuration)
11      | REG_QWORD / REG_QWORD_LITTLE_ENDIAN  | A QWORD value, a 64-bit integer (either big- or little-endian, or unspecified) (introduced in Windows 2000)
Table 3.1. List of Standard Registry value types
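Added example (not from the module) that writes one value of each common type from Table 3.1 into a scratch key under HKCU and reads the stored type back, showing that the type is recorded with the value rather than inferred from it; the key path is an assumed test location.

```powershell
# Added example (not the module's own code): store values of the standard types from Table 3.1
# and read back their RegistryValueKind. The scratch key is an assumed path under HKCU,
# which needs no elevation, and is removed at the end.
$key = 'HKCU:\Software\SysAdminModule\TypeDemo'
New-Item -Path $key -Force | Out-Null

# New-ItemProperty's -PropertyType names correspond to the REG_* types in the table.
New-ItemProperty -Path $key -Name 'Sz'       -PropertyType String       -Value 'plain text'            | Out-Null
New-ItemProperty -Path $key -Name 'ExpandSz' -PropertyType ExpandString -Value '%SystemRoot%\System32' | Out-Null
New-ItemProperty -Path $key -Name 'Binary'   -PropertyType Binary       -Value ([byte[]](1,2,3,255))   | Out-Null
New-ItemProperty -Path $key -Name 'Dword'    -PropertyType DWord        -Value 1024                    | Out-Null
New-ItemProperty -Path $key -Name 'MultiSz'  -PropertyType MultiString  -Value @('first','second')     | Out-Null
New-ItemProperty -Path $key -Name 'Qword'    -PropertyType QWord        -Value 1099511627776           | Out-Null

# .NET kind name -> symbolic REG_* name used in Table 3.1
$regTypeName = @{ None = 'REG_NONE'; String = 'REG_SZ'; ExpandString = 'REG_EXPAND_SZ'; Binary = 'REG_BINARY'
                  DWord = 'REG_DWORD'; MultiString = 'REG_MULTI_SZ'; QWord = 'REG_QWORD' }

function Get-RegistryValueReport {
    param([Parameter(Mandatory)][string]$KeyPath)
    $k = Get-Item -Path $KeyPath
    foreach ($name in $k.GetValueNames()) {
        # GetValueKind returns the symbolic type stored with the value (column 1/2 of the table).
        $kind = $k.GetValueKind($name)
        # DoNotExpandEnvironmentNames returns REG_EXPAND_SZ data as stored, not as expanded.
        $raw  = $k.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $stored = if ($raw -is [byte[]]) { ($raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
                  elseif ($raw -is [string[]]) { $raw -join ' | ' }
                  else { "$raw" }
        $expanded = if ($kind -eq 'ExpandString') { $k.GetValue($name) } else { $null }
        [pscustomobject]@{
            Name     = $name
            Kind     = $kind
            RegType  = $regTypeName["$kind"]
            Stored   = $stored
            Expanded = $expanded   # only REG_EXPAND_SZ has a different expanded form
        }
    }
}

Get-RegistryValueReport -KeyPath $key | Format-Table -AutoSize
Remove-Item -Path 'HKCU:\Software\SysAdminModule' -Recurse   # clean up the scratch key
```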
When an administrator runs the command regedit, pre-defined keys called root keys, high-level
keys or HKEYS display in the left pane of the Registry Editor window. A pre-defined key and its nested
subkeys are collectively called a hive.
An application must open a key before it can add data to the registry, so having pre-defined keys that are
always open helps an application navigate the registry. Although pre-defined keys cannot be changed,
subkeys can be modified or deleted as long as the user has permission to do so and the subkey is not located
directly under a high-level key.
Before making any changes to registry keys, however, Microsoft strongly recommends the registry be
backed up and that the end user only change values in the registry that they understand or have been told to
change by a trusted advisor. Keys and subkeys are referred to with a syntax that’s similar to Windows’ path
names, using backslashes to indicate levels in the hierarchy. Edits to the registry that cause syntax errors can
make the computer inoperable.
Root keys
The keys at the root level of the hierarchical database are generally named by their Windows API
definitions, which all begin “HKEY”. They are frequently abbreviated to a three- or four-letter short name
starting with “HK” (e.g. HKCU and HKLM). Technically, they are predefined handles (with known constant
values) to specific keys that are either maintained in memory, or stored in hive files stored in the local
filesystem and loaded by the system kernel at boot time and then shared (with various access rights) between
all processes running on the local system, or loaded and mapped in all processes started in a user session
when the user logs on the system.
The registry is a hierarchical database where information is presented on a number of levels. Hive keys are
on the first level. There are seven hive keys as we discussed previously. Registry keys are on the second
level, subkeys are on the third and then come values. If we consider the registry in terms of a hierarchical
file system.
The HKEY_LOCAL_MACHINE (local machine-specific configuration data) and
HKEY_CURRENT_USER (user-specific configuration data) nodes have a similar structure to each other;
user applications typically look up their settings by first checking for them in
“HKEY_CURRENT_USER\Software\Vendor’s name\Application’s name\Version\Setting name”, and if the
setting is not found, look instead in the same location under the HKEY_LOCAL_MACHINE key.
However, the converse may apply for administrator-enforced policy settings where HKLM may
take precedence over HKCU. The Windows Logo Program has specific requirements for where different
types of user data may be stored, and that the concept of least privilege be followed so that administrator-
level access is not required to use an application.
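The lookup order described here, written out as a function in an added example (not the module's code); the vendor and application names are assumed, and the HKLM\Software\Policies branch stands in for the administrator-enforced settings that take precedence over the user's own values.

```powershell
# Added example (not the module's own code): resolve an application setting in the order
# machine policy (HKLM\Software\Policies) > user preference (HKCU) > machine default (HKLM).
# Vendor, application and value names are assumed; the scratch key lives under HKCU.
function Get-AppSetting {
    param(
        [Parameter(Mandatory)][string]$Vendor,
        [Parameter(Mandatory)][string]$App,
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][string]$Name
    )
    $rel = "Software\$Vendor\$App\$Version"
    # Order matters: an enforced policy wins over the user's own preference, which in turn
    # wins over the machine-wide default written by the installer.
    $candidates = @(
        @{ Scope = 'Policy (HKLM)';  Path = "HKLM:\Software\Policies\$Vendor\$App\$Version" },
        @{ Scope = 'User (HKCU)';    Path = "HKCU:\$rel" },
        @{ Scope = 'Machine (HKLM)'; Path = "HKLM:\$rel" }
    )
    foreach ($c in $candidates) {
        # A missing key or value is the normal "not set here" case, so errors are suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $c.Scope; Path = $c.Path }
        }
    }
    return $null   # not configured anywhere: the application should fall back to a built-in default
}

# Demonstration with a scratch value in the current user's hive (no elevation needed for HKCU).
$userKey = 'HKCU:\Software\ExampleVendor\ExampleApp\1.0'   # assumed vendor/app/version
New-Item -Path $userKey -Force | Out-Null
New-ItemProperty -Path $userKey -Name 'UpdateInterval' -PropertyType DWord -Value 3600 -Force | Out-Null

Get-AppSetting -Vendor ExampleVendor -App ExampleApp -Version 1.0 -Name UpdateInterval   # Source: User (HKCU)
Get-AppSetting -Vendor ExampleVendor -App ExampleApp -Version 1.0 -Name Missing          # $null
Remove-Item -Path 'HKCU:\Software\ExampleVendor' -Recurse   # clean up the scratch key
```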
HKEY_CLASSES_ROOT (HKCR)
This key contains several subkeys with information about extensions of all registered file types and COM
servers. This information is necessary for opening files with a double-click, or for drag-and-drop operations.
Besides, the HKEY_CLASSES_ROOT key provides combined data to applications that were created for
earlier versions of Windows.
HKEY_CURRENT_USER (HKCU)
This key stores settings which are specific to the currently logged-in user (Windows Start menu, desktop,
etc.). Its subkeys store information about environment variables, program groups, desktop settings, screen
colors, network connections, printers and additional application settings. This information is gathered from
the Security ID subkey (SID) of HKEY_USERS for the current user. In fact, this key stores all information
related to the profile of the user who is currently working with Windows.
HKEY_LOCAL_MACHINE (HKLM)
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.
The key located by HKLM is actually not stored on disk, but maintained in memory by the system kernel in
order to map all the other subkeys. Applications cannot create any additional subkeys. On Windows NT, this
key contains four subkeys, “SAM”, “SECURITY”, “SYSTEM”, and “SOFTWARE”, that are loaded at boot time
from their respective files located in the %SystemRoot%\System32\config folder. A fifth subkey,
“HARDWARE”, is volatile and is created dynamically, and as
such is not stored in a file (it exposes a view of all the currently detected Plug-and-Play devices). On
Windows Vista and above, a sixth and seventh subkey, “COMPONENTS” and “BCD”, are mapped in
memory by the kernel on-demand and loaded from %SystemRoot%\system32\config\COMPONENTS or
from boot configuration data, \boot\BCD on the system partition.
The “HKLM\SAM” key usually appears as empty for most users (unless they are granted access by administrators of
the local system or administrators of domains managing the local system). It is used to reference all “Security
Accounts Manager” (SAM) databases for all domains into which the local system has been administratively authorized
or configured (including the local domain of the running system, whose SAM database is stored in a subkey also
named “SAM”; other subkeys will be created as needed, one for each supplementary domain). Each SAM database
contains all built-in accounts (mostly group aliases) and configured accounts (users, groups and their aliases, including
guest accounts and administrator accounts) created and configured on the respective domain. For each account in that
domain, it notably contains the user name which can be used to log on to that domain, the internal unique user identifier
in the domain, a cryptographic hash of each user’s password for each enabled authentication protocol, the location of
storage of their user registry hive, various status flags (for example whether the account can be enumerated and be
visible in the logon prompt screen), and the list of domains (including the local domain) into which the account was configured.
The “HKLM\SECURITY” key usually appears empty for most users (unless they are granted access by users with
administrative privileges) and is linked to the Security database of the
domain into which the current user is logged on (if the user is logged on the local system domain, this key
will be linked to the registry hive stored by the local machine and managed by local system administrators or
by the built-in “System” account and Windows installers). The kernel will access it to read and enforce the
security policy applicable to the current user and all applications or operations executed by this user. It also
contains a “SAM” subkey which is dynamically linked to the SAM database of the domain onto which the
current user logged on.
The “HKLM\SYSTEM” key is normally only writable by users with administrative privileges on the local system. It
contains information about the Windows system setup, data for the secure random number generator (RNG), the list of
currently mounted devices containing a filesystem, several numbered “HKLM\SYSTEM\Control Sets” containing
alternative configurations for system hardware drivers and services running on the local system (including the
currently used one and a backup), a “HKLM\SYSTEM\Select” subkey containing the status of these Control Sets, and
a “HKLM\SYSTEM\CurrentControlSet” which is dynamically linked at boot time to the Control Set which is
currently used on the local system. Each configured Control Set contains:
o an “Enum” subkey enumerating all known Plug-and-Play devices and associating them with installed system drivers
(and storing the device-specific configurations of these drivers),
o a “Services” subkey listing all installed system drivers (with non device-specific configuration, and the enumeration of
devices for which they are instantiated) and all programs running as services (how and when they can be automatically
started),
o a “Control” subkey organizing the various hardware drivers and programs running as services and all other system-wide configuration,
o a “Hardware Profiles” subkey enumerating the various profiles that have been tuned (each one with “System” or
“Software” settings used to modify the default profile, either in system drivers and services or in the applications) as
well as the “Hardware Profiles\Current” subkey which is dynamically linked to one of these profiles.
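The dynamic link described above, as an added PowerShell example that is not part of the module: it reads the Control Set number that “HKLM\SYSTEM\Select” marks as current, builds the matching “ControlSetNNN” path, and lists the drivers and services in that Control Set that start automatically. The value names Select\Current, Services\<name>\Start and ImagePath are standard registry values not named in the text.

```powershell
# Added example (not from the module): resolve the Control Set behind CurrentControlSet and
# list the services/drivers configured to start without operator action.
# Assumes the standard values HKLM\SYSTEM\Select\Current and Services\<name>\Start / ImagePath.

function Get-CurrentControlSetPath {
    # HKLM\SYSTEM\Select\Current holds the number N of the Control Set that is linked
    # as CurrentControlSet at boot; the key itself is named ControlSetNNN (zero-padded).
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    return 'HKLM:\SYSTEM\ControlSet{0:D3}' -f [int]$select.Current
}

function Get-AutoStartServices {
    param([string] $ControlSetPath = (Get-CurrentControlSetPath))
    # Start value meaning: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    Get-ChildItem -Path (Join-Path $ControlSetPath 'Services') -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Keep only entries that start on their own (boot, system or automatic).
            if ($null -ne $p.Start -and [int]$p.Start -le 2) {
                [pscustomobject]@{
                    Name      = $_.PSChildName
                    Start     = $startNames[[int]$p.Start]
                    ImagePath = $p.ImagePath   # binary the service or driver is loaded from
                }
            }
        }
}

# Usage: show which Control Set is live, then the auto-start inventory for a periodic review.
"CurrentControlSet -> $(Get-CurrentControlSetPath)"
Get-AutoStartServices | Sort-Object Start, Name | Format-Table -AutoSize
```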
The “HKLM\SOFTWARE” subkey contains software and Windows settings (in the default hardware profile). It is
mostly modified by application and system installers. It is organized by software vendor (with a subkey for each), but
also contains a “Windows” subkey for some settings of the Windows user interface, a “Classes” subkey containing all
registered associations from file extensions, MIME types, Object Classes IDs and interfaces IDs (for OLE,
COM/DCOM and ActiveX), to the installed applications or DLLs that may be handling these types on the local
machine (however these associations are configurable for each user, see below), and a “Policies” subkey (also
organized by vendor) for enforcing general usage policies on applications and system services (including the central
certificates store used for authenticating, authorizing or disallowing remote systems or services running outside the
local network domain).
The “HKLM\SOFTWARE\Wow6432Node” key is used by 32-bit applications on a 64-bit Windows OS, and is
equivalent to but separate from “HKLM\SOFTWARE”. The key path is transparently presented to 32-bit applications
by WoW64 as HKLM\SOFTWARE (in a similar way that 32-bit applications see %SystemRoot%\Syswow64 as
%SystemRoot%\System32).
HKEY_USERS (HKU)
While the HKEY_CURRENT_USER key stores the settings of the current user, this key stores Windows
settings for all users. Its subkeys contain information about all user profiles, and one of the subkeys always
corresponds to the HKEY_CURRENT_USER key (via the Security ID (SID) parameter of the user).
Another subkey, HKEY_USERS\DEFAULT, stores information about system settings at the moment before
the start of the current user session.
HKEY_CURRENT_CONFIG (HKCC)
This key stores information about the hardware profile that is used by the local computer at system startup.
Hardware profiles allow selecting drivers of supported devices for the specified session.
HKEY_PERFORMANCE_DATA
This key provides runtime access to performance data supplied either by the NT kernel itself or by
running system drivers, programs and services that publish performance data. This key is not stored in any
hive and is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows
API, in a simplified view via the Performance tab of the Task Manager (only for a few performance data
items on the local system), or via more advanced tools (such as the Performance Monitor or the
Performance Analyzer, which allow collecting and logging these data, including from remote systems).
HKEY_DYN_DATA
This key is used only on Windows 95, Windows 98 and Windows ME. It contains information about
hardware devices, including Plug and Play and network performance statistics. The information in this hive
is also not stored on the hard drive. The Plug and Play information is gathered and configured at startup and
is stored in memory.
3.1.2. Automating Administrative Tasks – Windows Host Scripting
The Microsoft Windows Script Host (WSH) (formerly named Windows Scripting Host) is an automation
technology for Microsoft Windows operating systems that provides scripting abilities comparable
to batch files, but with a wider range of supported features. This tool was first provided on Windows 95
after Build 950a on the installation discs as an optional installation configurable and installable by means of
the Control Panel. Windows Script Host is distributed and installed by default on Windows 98 and later
versions of Windows. It is also installed if Internet Explorer 5 (or a later version) is installed. Beginning with
Windows 2000, the Windows Script Host became available for use with user login scripts.
It is language-independent in that it can make use of different Active Scripting language engines. By
default, it interprets and runs plain-text JScript (.JS & .JSE files) and VBScript (.VBS & .VBE files).
Users can install different scripting engines to enable them to script in other languages, for instance
PerlScript. The language independent filename extension WSF can also be used. The advantage of the
Windows Script File (.WSF) is that it allows multiple scripts (“jobs”) as well as a combination of scripting
languages within a single file.
WSH engines include various implementations for the Rexx, BASIC, Perl, Ruby, Tcl, PHP, JavaScript,
Delphi, Python, XSLT, and other languages.
Usage
Windows Script Host may be used for a variety of purposes, including logon scripts, administration and
general automation. Microsoft describes it as an administration tool. WSH provides an environment for
scripts to run – it invokes the appropriate script engine and provides a set of services and objects for the
script to work with. These scripts may be run in GUI mode (WScript.exe) or command line mode
(CScript.exe), or from a COM object (wshom.ocx), offering flexibility to the user for interactive or non-interactive scripts. Windows Management Instrumentation is also scriptable by this means.
The WSH, the engines, and related functionality are also listed as objects which can be accessed and scripted
and queried by means of the VBA and Visual Studio object explorers and those for similar tools like the
various script debuggers, e.g. Microsoft Script Debugger, and editors.
WSH implements an object model which exposes a set of Component Object Model (COM) interfaces. So in
addition to ASP, IIS, Internet Explorer, CScript and WScript, the WSH can be used to automate and
communicate with any Windows application with COM and other exposed objects, such as using PerlScript
to query Microsoft Access by various means including various ODBC engines and SQL, ooRexxScript to
create what are in effect Rexx macros in Microsoft Excel, Quattro Pro, Microsoft Word, Lotus Notes and
any of the like, the XLNT script to get environment variables and print them in a new TextPad document,
and so on.
The VBA functionality of Microsoft Office, Open Office (as well as Python and other installable macro
languages) and Corel WordPerfect Office is separate from WSH engines although Outlook 97 uses VBScript
rather than VBA as its macro language.
VBScript, JScript, and some third-party engines have the ability to create and execute scripts in an encoded
format which prevents editing with a text editor; the file extensions for these encoded scripts is .vbe and .jse
and others of that type.
Unless otherwise specified, any WSH scripting engine can be used with the various Windows server
software packages to provide CGI scripting. The current versions of the default WSH engines and all or
most of the third party engines have socket abilities as well; as a CGI script or otherwise, PerlScript is the
choice of many programmers for this purpose and the VBScript and various Rexx-based engines are also
rated as sufficiently powerful in connectivity and text-processing abilities to also be useful. This also goes
for file access and processing: the earliest WSH engines for VBScript and JScript did not provide it, since the
base languages did not, whilst PerlScript, ooRexxScript, and the others have had it from the beginning.
Any scripting language installed under Windows can be driven through WSH: PerlScript,
PythonScript, VBScript and the other available engines can be used to access databases (Lotus Notes,
Microsoft Access, Oracle Database, Paradox), spreadsheets (Microsoft Excel, Lotus 1-2-3, Quattro Pro)
and other tools such as word processors, terminal emulators, command shells and so on. Because this is
accomplished by means of the WSH, any language can be used as long as an engine for it is installed.
Examples
The first example is very simple; it shows some VBScript which uses the root WSH COM object “WScript”
to display a message with an ‘OK’ button. Upon launching this script the CScript or WScript engine would
be called and the runtime environment provided. Content of a file hello0.vbs:
' Save the file as 'hello0.vbs'
WScript.Echo "Hello world"
WScript.Quit
WSH programming can also use the JScript language. Content of a file hello1.js:
// Save the file as 'hello1.js'
WSH.Echo("Hello world");
WSH.Quit();
Or, code can be mixed in one WSF file, such as VBScript and JScript, or any other: Content of a file
hello2.wsf:
<!-- Save the file as 'hello2.wsf' -->
<job>
  <script language="VBScript">
    MsgBox "hello world (from vb)"
  </script>
  <script language="JScript">
    WSH.echo("hello world (from js)");
  </script>
</job>
Security Concerns
Windows applications and processes may be automated using a script in Windows Script Host. Viruses and
malware could be written to exploit this ability. Thus, some suggest disabling it for security reasons.
Alternatively, antivirus programs may offer features to control .vbs and other scripts which run in the WSH
environment.
Since version 5.6 of WSH, scripts can be digitally signed programmatically using
the Scripting.Signer object in a script itself, provided a valid certificate is present on the system.
Alternatively, the signcode tool from the Platform SDK, which has been extended to support WSH filetypes,
may be used at the command line.
By using Software Restriction Policies introduced with Windows XP, a system may be configured to
execute only those scripts which are stored in trusted locations, have a known MD5 hash, or have been
digitally signed by a trusted publisher, thus preventing the execution of untrusted scripts.
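The controls in this section, as an added PowerShell example that is not part of the module: it reports whether WSH has been switched off through the well-known “Windows Script Host\Settings” “Enabled” registry value (a setting the text does not name), then lists every WSH script under a directory with its Authenticode signature status and a file hash checked against an administrator-kept allow-list. SHA-256 is used here in place of the MD5 hash mentioned above, and C:\Scripts is a constructed placeholder path.

```powershell
# Added example (not from the module): audit Windows Script Host hardening on the local host.
# Assumes the well-known value HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
# (0 = WSH disabled) and the built-in Get-AuthenticodeSignature / Get-FileHash cmdlets.

function Get-WshEnabledState {
    # $true if WSH will run scripts (the default), $false if it was disabled machine- or user-wide.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
            'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # The value may be stored as REG_DWORD 0 or REG_SZ "0"; [int] normalises both forms.
        if ($null -ne $props -and $null -ne $props.Enabled -and [int]$props.Enabled -eq 0) {
            return $false
        }
    }
    return $true
}

function Get-ScriptTrustReport {
    param(
        [Parameter(Mandatory)] [string] $Path,                    # directory to scan
        [string[]] $Extensions  = @('.vbs', '.vbe', '.js', '.jse', '.wsf'),
        [string[]] $KnownHashes = @()                             # SHA-256 allow-list kept by the admin
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Script    = $_.FullName
                SHA256    = $hash
                Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = $signer
                KnownHash = ($KnownHashes -contains $hash)
                # "Trusted" in the sense of the policy rules above: a valid signature or a listed hash.
                Trusted   = ($sig.Status -eq 'Valid') -or ($KnownHashes -contains $hash)
            }
        }
}

# Usage: C:\Scripts stands in for wherever logon and administration scripts are kept.
"WSH enabled: $(Get-WshEnabledState)"
Get-ScriptTrustReport -Path 'C:\Scripts' -KnownHashes @() |
    Sort-Object Trusted, Script |
    Format-Table Script, Signature, Signer, KnownHash, Trusted -AutoSize
```

Rows with Trusted = False are the scripts a Software Restriction Policy of the kind described above would refuse to run.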
3.4. Advanced Concepts II
Routing and NAT
Routing refers to establishing the routes that data packets take on their way to a particular destination. This
term can be applied to data traveling on the Internet, over 3G or 4G networks, or over similar networks used
for telecom and other digital communications setups. Routing can also take place within proprietary
networks.
In general, routing involves the network topology, or the setup of hardware, that can effectively relay data.
Standard protocols help to identify the best routes for data and to ensure quality transmission. Individual
pieces of hardware such as routers are referred to as “nodes” in the network. Different algorithms and
protocols can be used to figure out how to best route data packets, and which nodes should be used. For
example, some data packets travel according to a distance vector model that primarily uses distance as a
factor, whereas others use Link-State Protocol, which involves other aspects of a “best path” for data.
Data packets also carry information for the network itself: headers on packets provide details about origin
and destination. Standards for data packets allow for conventional design, which can help with future routing
methodologies. As the world of digital technology evolves, routing will also evolve according to the needs
and utility of a particular network.
In internetworking, routing is the process of moving a packet of data from source to destination. Routing is usually
performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables
messages to pass from one computer to another and eventually reach the target machine. Each intermediary
computer performs routing by passing along the message to the next computer. Part of this process involves
analyzing a routing table to determine the best path.
Routing is often confused with bridging, which performs a similar function. The principal difference
between the two is that bridging occurs at a lower level and is therefore more of a hardware function
whereas routing occurs at a higher level where the software component is more important. And because
routing occurs at a higher level, it can perform more complex analysis to determine the optimal path for the
packet.
Network Address Translation (NAT)
NAT translates the IP addresses of computers in a local network to a single IP address. This address is often
used by the router that connects the computers to the Internet. The router can be connected to a DSL modem,
cable modem, T1 line, or even a dial-up modem. When other computers on the Internet attempt to access
computers within the local network, they only see the IP address of the router. This adds an extra level of
security, since the router can be configured as a firewall, only allowing authorized systems to access the
computers within the network.
Once a system from outside the network has been allowed to access a computer within the network, the IP
address is then translated from the router’s address to the computer’s unique address. The address is found in
a “NAT table” that defines the internal IP addresses of computers on the network. The NAT table also
defines the global address seen by computers outside the network. Even though each computer within the
local network has a specific IP address, external systems can only see one IP address when connecting to any
of the computers within the network.
To simplify, network address translation makes computers outside the local area network (LAN) see only
one IP address, while computers within the network can see each system’s unique address. While this aids in
network security, it also limits the number of IP addresses needed by companies and organizations. Using
NAT, even large companies with thousands of computers can use a single IP address for connecting to the
Internet. Now that’s efficient.
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a
public address to a computer (or group of computers) inside a private network. The main use of NAT is to
limit the number of public IP addresses an organization or company must use, for both economy and security
purposes.
The most common form of network translation involves a large private network using addresses in a
private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to
192.168.255.255). The private addressing scheme works well for computers that only have to access
resources inside the network, like workstations needing access to file servers and printers. Routers inside the
private network can route traffic between private addresses with no trouble. However, to access resources
outside the network, like the Internet, these computers have to have a public address in order for responses to
their requests to return to them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly
that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer
on the Internet. Routers within the network recognize that the request is not for a resource inside the
network, so they send the request to the firewall. The firewall sees the request from the computer with the
internal IP. It then makes the same request to the Internet using its own public address, and returns the
response from the Internet resource to the computer inside the private network. From the perspective of the
resource on the Internet, it is sending information to the address of the firewall. From the perspective of the
workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this
way, all users inside the private network who access the Internet share the same public IP address.
That means only one public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful – that is, they are able to set up the connection between the internal
workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet
order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way,
they are able to keep track of the session composed of communication between the workstation and the
firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the
information about the connection.
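The walk-through above, as an added PowerShell example that is not part of the module: a toy stateful NAT table in which an outbound packet from a private address is given the firewall's public address and a fresh port, a reply is forwarded only when it matches the stored session, unsolicited traffic is dropped, and closing the session discards its state. All addresses (203.0.113.10 for the firewall, 10.1.2.3 inside, 198.51.100.7 and 192.0.2.99 outside) are constructed.

```powershell
# Added example (not from the module): a toy stateful NAT with constructed addresses.

function Test-PrivateAddress {
    # True for the private ranges listed in the text: 10/8, 172.16/12, 192.168/16.
    param([Parameter(Mandatory)] [string] $Ip)
    $o = [int[]]($Ip.Split('.'))
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

class NatFirewall {
    [string]    $PublicIp
    [int]       $NextPort = 40000
    [hashtable] $ByPublic = @{}   # "proto|publicPort"                   -> session entry
    [hashtable] $ByInside = @{}   # "proto|insideIp:port>remoteIp:port"  -> publicPort

    NatFirewall([string] $publicIp) { $this.PublicIp = $publicIp }

    # Outbound packet from an inside host: reuse or allocate a public port and record the session.
    [hashtable] Outbound([string] $proto, [string] $srcIp, [int] $srcPort, [string] $dstIp, [int] $dstPort) {
        if (-not (Test-PrivateAddress -Ip $srcIp)) { throw "refusing to translate non-private source $srcIp" }
        $insideKey = "$proto|${srcIp}:${srcPort}>${dstIp}:${dstPort}"
        if ($this.ByInside.ContainsKey($insideKey)) {
            $pubPort = $this.ByInside[$insideKey]
        } else {
            $pubPort = $this.NextPort
            $this.NextPort = $this.NextPort + 1
            $this.ByInside[$insideKey] = $pubPort
            $this.ByPublic["$proto|$pubPort"] = @{
                Proto = $proto; InsideIp = $srcIp; InsidePort = $srcPort
                RemoteIp = $dstIp; RemotePort = $dstPort; InsideKey = $insideKey
            }
        }
        # The Internet resource only ever sees the firewall's own address and port.
        return @{ SrcIp = $this.PublicIp; SrcPort = $pubPort; DstIp = $dstIp; DstPort = $dstPort }
    }

    # Inbound packet to the public address: forwarded only if it matches stored session state.
    [hashtable] Inbound([string] $proto, [string] $srcIp, [int] $srcPort, [int] $dstPort) {
        $e = $this.ByPublic["$proto|$dstPort"]
        if ($null -eq $e -or $e.RemoteIp -ne $srcIp -or $e.RemotePort -ne $srcPort) {
            return $null   # no matching state: unsolicited traffic is dropped
        }
        return @{ SrcIp = $srcIp; SrcPort = $srcPort; DstIp = $e.InsideIp; DstPort = $e.InsidePort }
    }

    # Session ended: the firewall discards everything it knew about the connection.
    [void] Close([string] $proto, [int] $publicPort) {
        $e = $this.ByPublic["$proto|$publicPort"]
        if ($null -ne $e) {
            $this.ByInside.Remove($e.InsideKey)
            $this.ByPublic.Remove("$proto|$publicPort")
        }
    }
}

# Usage: one workstation opens an HTTPS session, the server replies, an unrelated host probes the same port.
$fw    = [NatFirewall]::new('203.0.113.10')
$out   = $fw.Outbound('tcp', '10.1.2.3', 51000, '198.51.100.7', 443)
"Internet sees        : $($out.SrcIp):$($out.SrcPort) -> $($out.DstIp):$($out.DstPort)"
$reply = $fw.Inbound('tcp', '198.51.100.7', 443, $out.SrcPort)
"Reply delivered to   : $($reply.DstIp):$($reply.DstPort)"
$bogus = $fw.Inbound('tcp', '192.0.2.99', 443, $out.SrcPort)
"Unsolicited forwarded: $($null -ne $bogus)"
$fw.Close('tcp', $out.SrcPort)
"Forwarded after close: $($null -ne $fw.Inbound('tcp', '198.51.100.7', 443, $out.SrcPort))"
```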
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with
internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and
require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the
public to access the servers only through that IP address. However, as an additional layer of security, the
firewall acts as the intermediary between the outside world and the protected internal network. Additional
rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows
network engineers to more efficiently route internal network traffic to the same resources, and allow access
to more ports, while restricting access at the firewall. It also allows detailed logging of communications
between the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or
other computers requiring special access outside the network can be assigned specific external IPs using
NAT, allowing them to communicate with computers and applications that require a unique public IP
address. Again, the firewall acts as the intermediary, and can control the session in both directions,
restricting port access and protocols.
NAT is a very important aspect of firewall security. It conserves the number of public addresses used within
an organization, and it allows for stricter control of access to resources on both sides of the firewall.
3.1.2. Proxies and Gateways
What is proxy server?
A proxy server acts as a gateway between you and the Internet. It’s an intermediary server separating end
users from the websites they browse. Proxy servers provide varying levels of functionality, security, and
privacy depending on your use case, needs, or company policy.
Modern proxy servers do much more than forwarding web requests, all in the name of data security and
network performance. Proxy servers act as a firewall and web filter, provide shared network connections,
and cache data to speed up common requests. A good proxy server keeps users and the internal network
protected from the bad stuff that lives out in the wild Internet. Lastly, proxy servers can provide a high level
of privacy.
A proxy server is a bridge between you and the rest of the Internet. Normally, when you use your browser to
surf the Internet, you’ll connect directly to the website you’re visiting. Proxies communicate with websites
on your behalf.
When you use a proxy, your browser first connects to the proxy, and the proxy forwards your traffic to the
website. That’s why proxy servers are also known as “forward proxies.” A proxy will also receive the
website’s response and send it back to you.
In everyday use, the word “proxy” refers to someone who is authorized to take an action on your behalf
such as voting in an important meeting that you can’t attend. A proxy server fills the same role, but online.
Instead of you communicating directly with the websites you visit, a proxy steps in to handle that
relationship for you.
What does a proxy server do, exactly?
As your intermediary on the web, proxy servers have many useful roles. Here are a few of the primary uses for
a proxy server:
Firewalls: A firewall is a type of network security system that acts as a barrier between a network and the
wider Internet. Security professionals configure firewalls to block unwanted access to the networks they are
trying to protect, often as an anti-malware or anti-hacking countermeasure. A proxy server between a trusted
network and the Internet is the perfect place to host a firewall designed to intercept and either approve or
block incoming traffic before it reaches the network.
Content filters: Just as proxy servers can regulate incoming connection requests with a firewall, they
can also act as content filters by blocking undesired outgoing traffic. Companies may configure
proxy servers as content filters to prevent employees from accessing the blocked websites while at
work.
Bypassing content filters: That’s right — you can outsmart a proxy with another proxy. If your
company’s proxy has blocked your favorite website, but it hasn’t blocked access to your personal
proxy server or favorite web-based proxy, you can access your proxy and use it to reach the websites
you want.
Caching: Caching refers to the temporary storage of frequently accessed data, which makes it easier
and faster to access it again in the future. Proxies can cache websites so that they’ll load faster than if
you were to send your traffic all the way through the Internet to the website’s server. This reduces
latency — the time it takes for data to travel through the Internet.
Security: In addition to hosting firewalls, proxy servers can also enhance security by serving as the
singular public face of the network. From an outside point of view, all the network’s users are
anonymous, hidden behind the proxy’s IP address. If a hacker wants to access a specific device on a
network, it’ll be a lot harder for them to find it.
Sharing Internet connections: Businesses or even homes with a single Internet connection can use
a proxy server to funnel all their devices through that one connection. Using a Wi-Fi router and
wireless-capable devices is another solution to this issue.
What is a Gateway?
A gateway is a node (router) in a computer network, a key stopping point for data on its way to or from other
networks. Thanks to gateways, we are able to communicate and send data back and forth. The Internet
wouldn’t be any use to us without gateways (as well as a lot of other hardware and software).
In a workplace, the gateway is the computer that routes traffic from a workstation to the outside network that
is serving up the Web pages. For basic Internet connections at home, the gateway is the Internet Service
Provider that gives you access to the entire Internet.
A node is simply a physical place where the data stops for either transporting or reading/using. (A computer
or modem is a node; a computer cable isn’t.) Here are a few node notes:
On the Internet, the node that’s a stopping point can be a gateway or a host node.
A computer that controls the traffic your Internet Service Provider (ISP) receives is a node.
If you have a wireless network at home that gives your entire family access to the Internet, your
gateway is the modem (or modem-router combo) your ISP provides so you can connect to their
network. On the other end, the computer that controls all of the data traffic your Internet Service
Provider (ISP) takes and sends out is itself a node.
When a computer-server acts as a gateway, it also operates as a firewall and a proxy server. A
firewall keeps out unwanted traffic and outsiders off a private network. A proxy server is software
that “sits” between programs on your computer that you use (such as a Web browser) and a computer
server—the computer that serves your network. The proxy server’s task is to make sure the real
server can handle your online data requests.
A gateway is a hardware device that acts as a “gate” between two networks. It may be a router, firewall,
server, or other device that enables traffic to flow in and out of the network. While a gateway protects the
nodes within the network, it is also a node itself. The gateway node is considered to be on the “edge” of the
network as all data must flow through it before coming in or going out of the network. It may also translate
data received from outside networks into a format or protocol recognized by devices within the internal
network. A router is a common type of gateway used in home networks. It allows computers within the local
network to send and receive data over the Internet. A firewall is a more
advanced type of gateway, which filters inbound and outbound traffic, disallowing incoming data from
suspicious or unauthorized sources. A proxy server is another type of gateway that uses a combination of
hardware and software to filter traffic between two networks.
A gateway is a network node used in telecommunications that connects two networks with different
transmission protocols together. Gateways serve as an entry and exit point for a network as all data must
pass through or communicate with the gateway prior to being routed. In most IP-based networks, the only
traffic that does not go through at least one gateway is traffic flowing among nodes on the same local area
network (LAN) segment. The term default gateway or network gateway may also be used to describe the
same concept.
The primary advantage of using a gateway in personal or enterprise scenarios is simplifying Internet
connectivity into one device. In the enterprise, a gateway node can also act as a proxy server and a firewall.
Gateways can be purchased through popular technology retailers, such as Best Buy, or rented through an
Internet service provider.
How gateways work
All networks have a boundary that limits communication to devices that are directly connected to it. Due to
this, if a network wants to communicate with devices, nodes or networks outside of that boundary, it
requires the functionality of a gateway. A gateway is often characterized as being the combination of a router
and a modem.
A gateway is implemented at the edge of a network and manages all data that is directed internally or
externally from that network. When one network wants to communicate with another, the data packet is
passed to the gateway and then routed to the destination through the most efficient path. In addition to
routing data, a gateway will also store information about the host network’s internal paths and the paths of
any additional networks that are encountered.
Gateways are basically protocol converters, facilitating compatibility between two protocols and operating
on any layer of the open systems interconnection (OSI) model.
Types of gateways
Gateways can take several forms and perform a variety of tasks. Examples of this include:
o Web application firewalls – This type filters traffic to and from a web server and looks at application-layer
data.
o Cloud storage gateways – This type translates storage requests with various cloud storage service
API calls. It allows organizations to integrate storage from a private cloud into applications without
migrating into a public cloud.
o API, SOA or XML gateways – This type manages traffic flowing into and out of a service,
microservices-oriented architecture or XML-based web service.
o IoT gateways – This type aggregates sensor data from devices in an IoT environment, translates
between sensor protocols and processes sensor data before sending it onward.
o Media gateways – This type converts data from the format required for one type of network to the
format required for another.
o Email security gateways – This type prevents the transmission of emails that break company policy
or will transfer information with malicious intent.
o VoIP trunk gateways – This type facilitates the use of plain old telephone service equipment, such as
landline phones and fax machines, with a voice over IP (VoIP) network.
Additionally, a service provider may develop their own personal gateways that can be used by customers.
For instance, Amazon Web Services (AWS) offers a gateway service (Amazon API Gateway) that allows a developer to
connect non-AWS applications to AWS back-end resources.
Chapter 4: Resource Monitoring & Management
4.1. Resource Monitoring & Management
As stated earlier, a great deal of system administration revolves around resources and their efficient use. By
balancing various resources against the people and programs that use those resources, you waste less money
and make your users as happy as possible. However, this leaves two questions:
What are resources?
How is it possible to know what resources are being used (and to what extent)?
The purpose of this chapter is to enable you to answer these questions by helping you to learn more about
resources and how they can be monitored.
Before you can monitor resources, you first have to know what resources there are to monitor. All systems
have the following resources available:
CPU power
Bandwidth
Memory
Storage
These resources have a direct impact on system performance, and therefore, on your users’ productivity and
happiness. At its simplest, resource monitoring is nothing more than obtaining information concerning
the utilization of one or more system resources.
However, it is rarely this simple. First, one must take into account the resources to be monitored. Then it is
necessary to examine each system to be monitored, paying particular attention to each system’s situation.
The systems you monitor fall into one of two categories:
The system is currently experiencing performance problems at least part of the time and you would like to
improve its performance.
The system is currently running well and you would like it to stay that way.
The first category means you should monitor resources from a system performance perspective, while the
second category means you should monitor system resources from a capacity planning perspective.
Because each perspective has its own unique requirements, the following sections explore each category in
more depth.
System Performance Monitoring
System performance monitoring is normally done in response to a performance problem. Either the system is
running too slowly, or programs (and sometimes even the entire system) fail to run at all. In either case,
performance monitoring is normally done as the first and last steps of a three-step process:
i. Monitoring to identify the nature and scope of the resource shortages that are causing the performance
problems
ii. The data produced from monitoring is analyzed and a course of action (normally performance tuning and/or
the procurement of additional hardware) is taken to resolve the problem
iii. Monitoring to ensure that the performance problem has been resolved
Because of this, performance monitoring tends to be relatively short-lived in duration and more detailed in
scope.
Note: System performance monitoring is an iterative process, with these steps being repeated several times to arrive at the
best possible system performance. The primary reason for this is that system resources and their utilization tend to be
highly interrelated, meaning that often the elimination of one resource bottleneck uncovers another one.
Monitoring System Capacity
Monitoring system capacity is done as part of an ongoing capacity planning program. Capacity planning
uses long-term resource monitoring to determine rates of change in the utilization of system resources. Once
these rates of change are known, it becomes possible to conduct more accurate long-term planning
regarding the procurement of additional resources.
Monitoring done for capacity planning purposes is different from performance monitoring in two ways:
The monitoring is done on a more-or-less continuous basis
The monitoring is usually not as detailed
The reason for these differences stems from the goals of a capacity planning program. Capacity planning
requires a “big picture” viewpoint; short-term or anomalous resource usage is of little concern. Instead, data
is collected over a period of time, making it possible to categorize resource utilization in terms of changes in
workload. In more narrowly-defined environments (where only one application is run, for example), it is
possible to model the application’s impact on system resources. This can be done with sufficient accuracy to
make it possible to determine, for example, the impact of 5 more customer service representatives running
the customer service application during the busiest time of the day.
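The rate-of-change calculation that capacity planning relies on can be carried out with a simple least-squares fit over the long-term samples. The following is an added example, not code from this module: it assumes weekly disk-usage samples (constructed below) for a single 600 GB volume and projects when usage will cross a chosen fraction of the capacity.

```python
"""Capacity-planning forecast from long-term utilization samples.

Added example (not from the module text): fits a straight line through
periodic disk-usage samples and projects when the resource will reach a
threshold. All sample data below is constructed for illustration.
"""
from typing import Optional, Sequence, Tuple

# Constructed weekly samples: (day index, gigabytes used) for a volume
# that is slowly filling up. A real tool would read these from its
# monitoring database rather than from a literal.
SAMPLES = [(0, 410.0), (7, 418.5), (14, 426.0), (21, 435.5), (28, 443.0), (35, 451.5)]
CAPACITY_GB = 600.0  # assumed size of the sample volume


def rate_of_change(samples: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares fit y = intercept + slope * x.

    Returns (slope, intercept); slope is the growth rate per unit of x
    (here: GB per day). Needs at least two samples with distinct x.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("all samples share the same timestamp")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def days_until_threshold(samples: Sequence[Tuple[float, float]],
                         capacity: float, threshold: float = 0.9) -> Optional[float]:
    """Days from the last sample until usage reaches threshold * capacity.

    Returns None when usage is flat or falling, i.e. no exhaustion is
    projected from this data.
    """
    slope, intercept = rate_of_change(samples)
    if slope <= 0:
        return None
    limit = capacity * threshold
    last_x = max(x for x, _ in samples)
    # Solve intercept + slope * x = limit for x, then measure from the last sample.
    x_at_limit = (limit - intercept) / slope
    return max(0.0, x_at_limit - last_x)


if __name__ == "__main__":
    growth, _ = rate_of_change(SAMPLES)
    print(f"growth: {growth:.2f} GB/day")
    print(f"days until 90% full: {days_until_threshold(SAMPLES, CAPACITY_GB):.1f}")
```

The fit deliberately ignores short-term spikes, which matches the "big picture" view described above; anomalous samples should be filtered out before they are fed in, since a single outlier can tilt the slope.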
4.1.1. What to Monitor?
As stated earlier, the resources present in every system are CPU power, bandwidth, memory, and storage. At
first glance, it would seem that monitoring would need only consist of examining these four different things.
Unfortunately, it is not that simple. For example, consider a disk drive. What things might you want to know
about its performance?
How much free space is available?
How many I/O operations on average does it perform each second?
How long on average does it take each I/O operation to be completed?
How many of those I/O operations are reads? How many are writes?
What is the average amount of data read/written with each I/O?
There are more ways of studying disk drive performance; these points have only scratched the surface.
The main concept to keep in mind is that there are many different types of data for each resource.
The following subsections explore the types of utilization information that would be helpful for each of the
major resource types.
4.1.1.1. Monitoring CPU Power
In its most basic form, monitoring CPU power can be no more difficult than determining if CPU utilization
ever reaches 100%. If CPU utilization stays below 100%, no matter what the system is doing, there is
additional processing power available for more work.
However, it is a rare system that does not reach 100% CPU utilization at least some of the time. At that point
it is important to examine more detailed CPU utilization data. By doing so, it becomes possible to start
determining where the majority of your processing power is being consumed. Here are some of the more
popular CPU utilization statistics:
User Versus System
Context Switches
Interrupts
Runnable Processes
A process may be in different states. For example, it may be:
Waiting for an I/O operation to complete
Waiting for the memory management subsystem to handle a page fault
In these cases, the process has no need for the CPU.
However, eventually the process state changes, and the process becomes runnable. As the name implies, a
runnable process is one that is capable of getting work done as soon as it is scheduled to receive CPU time.
However, if more than one process is runnable at any given time, all but one (assuming a single-processor
computer system) of the runnable processes must wait for their turn at the CPU. By monitoring the number
of runnable processes, it is possible to determine how CPU-bound your system is.
Other performance metrics that reflect an impact on CPU utilization tend to include different services the
operating system provides to processes. They may include statistics on memory management, I/O
processing, and so on. These statistics also reveal that, when system performance is monitored, there are no
boundaries between the different statistics. In other words, CPU utilization statistics may end up pointing to
a problem in the I/O subsystem, or memory utilization statistics may reveal an application design flaw.
Therefore, when monitoring system performance, it is not possible to examine any one statistic in complete
isolation; only by examining the overall picture is it possible to extract meaningful information from any
performance statistics you gather.
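The CPU statistics named above (user versus system time, context switches, interrupts and runnable processes) are all counters that must be sampled twice and differenced. The block below is an added example, not code from the module; it assumes the Linux /proc/stat layout and uses two constructed snapshots taken one second apart.

```python
"""Derive the CPU statistics listed above from two /proc/stat snapshots.

Added example, not code from the module. It assumes the Linux /proc/stat
layout: a "cpu" line with user nice system idle iowait irq softirq steal
guest guest_nice jiffies, one "cpuN" line per core, and the ctxt, intr,
procs_running and procs_blocked counters. Both snapshots are constructed
and taken one second apart.
"""
from typing import Dict, List

SNAPSHOT_T0 = """\
cpu  1000 20 300 8000 100 10 20 0 0 0
cpu0 500 10 150 4000 50 5 10 0 0 0
cpu1 500 10 150 4000 50 5 10 0 0 0
intr 50000 0 0 0
ctxt 120000
btime 1700000000
processes 4200
procs_running 2
procs_blocked 0
"""

SNAPSHOT_T1 = """\
cpu  1600 20 500 8100 120 12 24 0 0 0
cpu0 800 10 250 4050 60 6 12 0 0 0
cpu1 800 10 250 4050 60 6 12 0 0 0
intr 53000 0 0 0
ctxt 135000
btime 1700000000
processes 4260
procs_running 5
procs_blocked 1
"""


def parse_proc_stat(text: str) -> Dict[str, List[int]]:
    """Map each /proc/stat line to its list of integer counters."""
    counters: Dict[str, List[int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            counters[parts[0]] = [int(p) for p in parts[1:]]
    return counters


def cpu_report(t0: str, t1: str, interval_s: float) -> dict:
    """User-vs-system split, context switches, interrupts and runnable count."""
    a, b = parse_proc_stat(t0), parse_proc_stat(t1)
    delta = [y - x for x, y in zip(a["cpu"], b["cpu"])]
    user, nice, system, idle, iowait, irq, softirq, steal = delta[:8]
    # guest/guest_nice are already counted inside user/nice, so leave them out.
    total = user + nice + system + idle + iowait + irq + softirq + steal
    if total == 0:
        raise ValueError("no CPU time elapsed between the snapshots")
    ncpu = sum(1 for k in b if k.startswith("cpu") and k != "cpu")
    runnable = b["procs_running"][0]
    return {
        "user_pct": round(100.0 * (user + nice) / total, 1),
        # kernel time proper plus hard and soft interrupt handling
        "system_pct": round(100.0 * (system + irq + softirq) / total, 1),
        "iowait_pct": round(100.0 * iowait / total, 1),
        "idle_pct": round(100.0 * idle / total, 1),
        "ctxt_per_s": (b["ctxt"][0] - a["ctxt"][0]) / interval_s,
        "intr_per_s": (b["intr"][0] - a["intr"][0]) / interval_s,
        "runnable": runnable,
        "blocked_on_io": b["procs_blocked"][0],
        # more runnable processes than cores means some are waiting for a CPU
        "cpu_bound": runnable > ncpu,
    }


if __name__ == "__main__":
    for key, value in cpu_report(SNAPSHOT_T0, SNAPSHOT_T1, 1.0).items():
        print(f"{key:>14}: {value}")
```

Note how the sample deliberately shows the interplay described in the text: a rising iowait share together with a non-zero procs_blocked count points at the I/O subsystem rather than at a shortage of CPU power, even though CPU utilization is what was being measured.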
4.1.1.2. Monitoring Bandwidth
Monitoring bandwidth is more difficult than the other resources described here. The reason for this is due to
the fact that performance statistics tend to be device-based, while most of the places where bandwidth is
important tend to be the buses that connect devices. In those instances where more than one device shares a
common bus, you might see reasonable statistics for each device, but the aggregate load those devices place
on the bus would be much greater.
Another challenge to monitoring bandwidth is that there can be circumstances where statistics for the
devices themselves may not be available. This is particularly true for system expansion buses and datapaths.
However, even though 100% accurate bandwidth-related statistics may not always be available, there is
often enough information to make some level of analysis possible, particularly when related statistics are
taken into account.
Some of the more common bandwidth-related statistics are:
Bytes received/sent: Network interface statistics provide an indication of the bandwidth utilization of one of
the more visible buses — the network.
Interface counts and rates: These network-related statistics can give indications of excessive
collisions, transmit and receive errors, and more. Through the use of these statistics (particularly if
the statistics are available for more than one system on your network), it is possible to perform a
modicum of network troubleshooting even before the more common network diagnostic tools are
used.
Transfers per Second: Normally collected for block I/O devices, such as disk and high-
performance tape drives, this statistic is a good way of determining whether a particular device’s
bandwidth limit is being reached. Due to their electromechanical nature, disk and tape drives can
only perform so many I/O operations every second; their performance degrades rapidly as this limit
is reached.
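Bytes sent/received and the interface error and collision counts above are exactly what a network interface exposes as raw counters; turning them into rates and a utilization figure is the administrator's job. The block below is an added example, not code from the module: it assumes the Linux /proc/net/dev layout, two constructed snapshots ten seconds apart, and an assumed gigabit link speed for the sample host.

```python
"""Bandwidth utilization and error rates from network interface counters.

Added example, not code from the module. It assumes the Linux /proc/net/dev
layout (eight receive and eight transmit counters per interface) and two
constructed snapshots taken ten seconds apart; the link speed table is an
assumption about the sample host, not something this file reports.
"""
from typing import Dict

RX_FIELDS = ["bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast"]
TX_FIELDS = ["bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed"]

NET_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 500000000 400000    0    0    0     0          0       100 200000000  150000    0    0    0     0       0          0
"""
NET_DEV_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 1600000000 1200000   40    0    0     0          0       100 300000000  230000    0    0    0   150       0          0
"""
INTERVAL_S = 10
LINK_MBPS = {"eth0": 1000}  # assumed: gigabit, full duplex


def parse_net_dev(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {"rx_bytes": ..., "tx_colls": ..., ...}}."""
    ifaces: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, _, rest = line.partition(":")
        values = [int(v) for v in rest.split()]
        if len(values) != 16:
            continue
        counters = {"rx_" + k: v for k, v in zip(RX_FIELDS, values[:8])}
        counters.update({"tx_" + k: v for k, v in zip(TX_FIELDS, values[8:])})
        ifaces[name.strip()] = counters
    return ifaces


def bandwidth_report(t0: str, t1: str, interval_s: float,
                     link_mbps: Dict[str, int]) -> Dict[str, dict]:
    """Per-interface throughput, utilization and error/collision rates."""
    a, b = parse_net_dev(t0), parse_net_dev(t1)
    report: Dict[str, dict] = {}
    for name, now in b.items():
        if name == "lo" or name not in a:
            continue
        d = {k: now[k] - a[name][k] for k in now}
        rx_bps = d["rx_bytes"] * 8 / interval_s
        tx_bps = d["tx_bytes"] * 8 / interval_s
        entry = {
            "rx_mbps": rx_bps / 1e6,
            "tx_mbps": tx_bps / 1e6,
            # errors and collisions per thousand packets: rising values hint at
            # a bad cable, a duplex mismatch or an overloaded shared segment
            "rx_errs_per_kpkt": 1000 * d["rx_errs"] / d["rx_packets"] if d["rx_packets"] else 0.0,
            "tx_colls_per_kpkt": 1000 * d["tx_colls"] / d["tx_packets"] if d["tx_packets"] else 0.0,
        }
        if name in link_mbps:
            # full duplex: each direction may use the whole link rate
            busiest = max(rx_bps, tx_bps)
            entry["util_pct"] = round(100 * busiest / (link_mbps[name] * 1e6), 1)
        report[name] = entry
    return report


if __name__ == "__main__":
    for iface, stats in bandwidth_report(NET_DEV_T0, NET_DEV_T1, INTERVAL_S, LINK_MBPS).items():
        print(iface, stats)
```

Utilization is computed against the busier direction because a full-duplex link can carry the full rate each way; on a half-duplex or shared segment the two directions would have to be summed, which is one of the cases where per-device statistics understate the load on the shared bus.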
4.1.1.3. Monitoring Memory
If there is one area where a wealth of performance statistics can be found, it is in the area of monitoring
memory utilization. Due to the inherent complexity of today’s demand-paged virtual memory operating
systems, memory utilization statistics are many and varied. It is here that the majority of a system
administrator’s work with resource management takes place.
The following statistics represent a cursory overview of commonly-found memory management statistics:
Page Ins/Page Outs: These statistics make it possible to gauge the flow of pages from system memory to
attached mass storage devices (usually disk drives). High rates for both of these statistics can mean that the
system is short of physical memory and is thrashing, or spending more system resources on moving pages
into and out of memory than on actually running applications.
Active/Inactive Pages: These statistics show how heavily memory-resident pages are used.
A lack of inactive pages can point toward a shortage of physical memory.
Free, Shared, Buffered, and Cached Pages: These statistics provide additional detail over the more
simplistic active/inactive page statistics. By using these statistics, it is possible to determine the overall mix
of memory utilization.
Swap Ins/Swap Outs: These statistics show the system’s overall swapping behavior. Excessive rates
here can point to physical memory shortages.
Successfully monitoring memory utilization requires a good understanding of how demand-paged virtual
memory operating systems work, which alone could take up an entire book.
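The four groups of statistics above (page ins/outs, active/inactive pages, free pages, swap ins/outs) can be read together to decide whether a system is merely busy or actually thrashing. The block below is an added example, not code from the module: it assumes the Linux /proc/vmstat counters, two constructed snapshots five seconds apart, and illustrative thresholds.

```python
"""Memory-management rates from two /proc/vmstat snapshots.

Added example, not code from the module. It assumes the Linux /proc/vmstat
counters: pgpgin/pgpgout (KiB paged in from / out to block devices),
pswpin/pswpout (pages swapped in/out), nr_free_pages and the
nr_active_*/nr_inactive_* page counts. Both snapshots are constructed,
five seconds apart; the thresholds and the 4 KiB page size are assumptions.
"""
from typing import Dict

VMSTAT_T0 = """\
nr_free_pages 20000
nr_inactive_anon 50000
nr_active_anon 400000
nr_inactive_file 30000
nr_active_file 250000
pgpgin 8000000
pgpgout 6000000
pswpin 1000
pswpout 1500
"""
VMSTAT_T1 = """\
nr_free_pages 4000
nr_inactive_anon 12000
nr_active_anon 440000
nr_inactive_file 5000
nr_active_file 290000
pgpgin 8400000
pgpgout 6300000
pswpin 21000
pswpout 31500
"""
INTERVAL_S = 5
PAGE_KIB = 4  # assumed page size


def parse_vmstat(text: str) -> Dict[str, int]:
    """Turn 'name value' lines into a dict of integer counters."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if value.strip().isdigit():
            counters[key] = int(value)
    return counters


def memory_report(t0: str, t1: str, interval_s: float,
                  swap_pages_per_s_limit: float = 1000.0,
                  min_inactive_ratio: float = 0.10) -> dict:
    """Page and swap rates plus a thrashing verdict (assumed thresholds)."""
    a, b = parse_vmstat(t0), parse_vmstat(t1)

    def rate(key: str) -> float:
        return (b[key] - a[key]) / interval_s

    swap_in, swap_out = rate("pswpin"), rate("pswpout")
    active = b["nr_active_anon"] + b["nr_active_file"]
    inactive = b["nr_inactive_anon"] + b["nr_inactive_file"]
    inactive_ratio = inactive / (active + inactive)
    return {
        "page_in_kib_s": rate("pgpgin"),
        "page_out_kib_s": rate("pgpgout"),
        "swap_in_pages_s": swap_in,
        "swap_out_pages_s": swap_out,
        "free_mib": b["nr_free_pages"] * PAGE_KIB / 1024,
        "inactive_ratio": round(inactive_ratio, 3),
        # Heavy swapping while almost no pages are inactive: the system is
        # short of physical memory and is spending its time moving pages.
        "thrashing": (swap_in + swap_out) > swap_pages_per_s_limit
                     and inactive_ratio < min_inactive_ratio,
    }


if __name__ == "__main__":
    for key, value in memory_report(VMSTAT_T0, VMSTAT_T1, INTERVAL_S).items():
        print(f"{key:>16}: {value}")
```

The verdict requires both conditions, because a high page-in rate on its own is normal for a file server warming its cache, and a small inactive list on its own is normal on a freshly booted machine; only the combination matches the thrashing described above.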
4.1.1.4. Monitoring Storage
Monitoring storage normally takes place at two different levels:
Monitoring for sufficient disk space
Monitoring for storage-related performance problems
The reason for this is that it is possible to have dire problems in one area and no problems whatsoever in the
other. For example, it is possible to cause a disk drive to run out of disk space without once causing any kind
of performance-related problems. Likewise, it is possible to have a disk drive that has 99% free space, yet is
being pushed past its limits in terms of performance.
However, it is more likely that the average system experiences varying degrees of resource shortages in both
areas. Because of this, it is also likely that — to some extent — problems in one area impact the other. Most
often this type of interaction takes the form of poorer and poorer I/O performance as a disk drive nears 0%
free space although, in cases of extreme I/O loads, it might be possible to slow I/O throughput to such a level
that applications no longer run properly.
In any case, the following statistics are useful for monitoring storage:
Free Space: Free space is probably the one resource all system administrators watch closely; it would be a
rare administrator that never checks on free space (or has some automated way of doing so).
File System-Related Statistics: These statistics (such as number of files/directories, average file size, etc.)
provide additional detail over a single free space percentage. As such, these
statistics make it possible for system administrators to configure the system to give the best performance, as
the I/O load imposed by a file system full of many small files is not the same as that imposed by a file
system filled with a single massive file.
Transfers per Second: This statistic is a good way of determining whether a particular device’s bandwidth
limitations are being reached.
Reads/Writes per Second: A slightly more detailed breakdown of transfers per second, these
statistics allow the system administrator to more fully understand the nature of the I/O loads a storage
device is experiencing. This can be critical, as some storage technologies have widely different
performance characteristics for read versus write operations.
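The two levels of storage monitoring described above (free space, and transfers/reads/writes per second) are easy to combine into one check. The block below is an added example, not code from the module: the file-system records are constructed (a real tool would call os.statvfs or df), the I/O counters assume the Linux /proc/diskstats layout with 512-byte sectors, and the alert thresholds are assumptions.

```python
"""Storage checks: free-space thresholds and per-device I/O rates.

Added example, not code from the module. The file-system records are
constructed (a real tool would call os.statvfs or df); the I/O counters
assume the Linux /proc/diskstats layout (512-byte sectors) and are
constructed snapshots ten seconds apart. Thresholds are assumptions.
"""
from typing import Dict, List, Tuple

FILESYSTEMS: List[Tuple[str, int, int]] = [  # (mount point, total bytes, free bytes)
    ("/", 100 * 2**30, 38 * 2**30),
    ("/var/log", 20 * 2**30, 1 * 2**30),
    ("/data", 4 * 2**40, 3 * 2**40),
]
# major minor name reads reads_merged sectors_read ms_reading writes
# writes_merged sectors_written ms_writing in_progress ms_io weighted_ms
DISKSTATS_T0 = """\
   8       0 sda 100000 500 4000000 80000 50000 200 2000000 60000 0 90000 140000
   8      16 sdb 300000 1000 64000000 500000 900000 3000 96000000 900000 0 800000 1400000
"""
DISKSTATS_T1 = """\
   8       0 sda 101000 510 4040000 80400 50500 202 2020000 60500 0 90900 140900
   8      16 sdb 306000 1010 65200000 506000 912000 3030 97200000 910000 12 809500 1416000
"""
INTERVAL_S = 10
SECTOR_BYTES = 512


def free_space_alerts(filesystems, warn_pct: float = 20.0,
                      crit_pct: float = 10.0) -> Dict[str, Tuple[float, str]]:
    """Percent free and an alert level per mount point."""
    alerts: Dict[str, Tuple[float, str]] = {}
    for mount, total, free in filesystems:
        pct = 100.0 * free / total
        level = "critical" if pct < crit_pct else "warning" if pct < warn_pct else "ok"
        alerts[mount] = (round(pct, 1), level)
    return alerts


def parse_diskstats(text: str) -> Dict[str, Dict[str, int]]:
    """Pick the read/write counters out of each /proc/diskstats line."""
    devs: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        devs[f[2]] = {"reads": int(f[3]), "rsect": int(f[5]), "rms": int(f[6]),
                      "writes": int(f[7]), "wsect": int(f[9]), "wms": int(f[10])}
    return devs


def io_report(t0: str, t1: str, interval_s: float) -> Dict[str, dict]:
    """Transfers, reads and writes per second, throughput and mean I/O time."""
    a, b = parse_diskstats(t0), parse_diskstats(t1)
    report: Dict[str, dict] = {}
    for dev, now in b.items():
        if dev not in a:
            continue
        d = {k: now[k] - a[dev][k] for k in now}
        ios = d["reads"] + d["writes"]
        report[dev] = {
            "reads_per_s": d["reads"] / interval_s,
            "writes_per_s": d["writes"] / interval_s,
            "tps": ios / interval_s,
            "read_kib_s": d["rsect"] * SECTOR_BYTES / 1024 / interval_s,
            "write_kib_s": d["wsect"] * SECTOR_BYTES / 1024 / interval_s,
            # mean time per completed I/O: climbs sharply as a drive saturates
            "avg_io_ms": (d["rms"] + d["wms"]) / ios if ios else 0.0,
        }
    return report


if __name__ == "__main__":
    print(free_space_alerts(FILESYSTEMS))
    print(io_report(DISKSTATS_T0, DISKSTATS_T1, INTERVAL_S))
```

In the constructed data, /var/log is the file system to worry about for space, while sdb is the device to worry about for performance: its free space is irrelevant to the fact that it is completing 1,800 transfers per second with a write-heavy mix, which is the independence of the two levels that the text describes.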
4.1.2. Monitoring Tools
As your organization grows, so does the number of servers, devices, and services you depend on. The
term system covers all of the computing resources of your organization. Each element in the system
infrastructure relies on underlying services or provides services to components that are closer to the user.
In networking, it is typical to think of a system as a layered stack. User software sits at the top of the stack
and system applications and services on the next layer down. Beneath the services and applications, you will
encounter operating systems and firmware. The performance of software elements needs to be monitored as
an application stack.
Users will notice performance problems with the software that they use, but those problems rarely arise
within that software. All layers of the application stack need to be examined to find the root cause of
performance issues. You need to head off problems with real-time status monitoring before they
occur. Monitoring tools help you spot errors and service failures before they start to impact users.
The system stack continues on below the software. Hardware issues can be prevented through hardware
monitoring. You will need to monitor servers, network devices, interface performance, and network link
capacity. You need to monitor many different types of interacting system elements to keep your IT services
running smoothly.
Why do System Performance Monitoring?
Knowing whether a computer has issues is fairly straightforward when the computer is right in front of
you. Knowing what’s causing the problem? That’s harder. But a computer sitting by itself is not as
useful as it could be. Even the smallest small-office/home-office network has multiple nodes: laptops,
desktops, tablets, WiFi access points, Internet gateway, smartphones, file servers and/or media servers,
printers, and so on. That means you are in charge of “infrastructure” rather than just “equipment.” Any
component might start misbehaving and could cause issues for the others.
You most likely rely on off-premises servers and services, too. Even a personal website raises the nagging
question, “Is my site still up?” And when your ISP has problems, your local network’s usefulness suffers.
You need an activity monitor. Organizations rely more and more on servers and services hosted in the
cloud: SaaS applications (email, office apps, business packages, etc.); file storage; cloud hosting for your
own databases and apps; and so on. This requires sophisticated monitoring capabilities that can handle
hybrid environments.
Bandwidth monitoring tools and NetFlow and sFlow based traffic analyzers help you stay aware of the
activity, capacity, and health of your network. They allow you to watch traffic as it flows through routers
and switches, or arrives at and leaves hosts.
But what of the hosts on your network, their hardware, and the services and applications running there?
Monitoring activity, capacity, and health of hosts and applications is the focus of system monitoring.
System Monitoring Software Essentials
In order to keep your system fit for purpose, your monitoring activities need to cover the following
priorities:
Acceptable delivery speeds
Constant availability
Preventative maintenance
Software version monitoring and patching
Intrusion detection
Data integrity
Security monitoring
Attack mitigation
Virus prevention and detection
Lack of funding may cause you to compromise on monitoring completeness. The expense of monitoring can
be justified because it:
reduces user/customer support costs
prevents loss of income caused by system outages or attack vulnerability
prevents data leakage leading to litigation
prevents hardware damage and loss of business-critical data
Minimum system monitoring software capabilities
A more sophisticated system monitoring package provides a much broader range of capabilities, such
as:
Monitoring multiple servers. Handling servers from various vendors running various operating systems.
Monitoring servers at multiple sites and in cloud environments.
Monitoring a range of server metrics: availability, CPU usage, memory usage, disk space, response time,
and upload/download rates. Monitoring CPU temperature and power supply voltages.
Monitoring applications. Using deep knowledge of common applications and services to monitor key
server processes, including web servers, database servers, and application stacks.
Automatically alerting you of problems, such as servers or network devices that are overloaded or down,
or worrisome trends. Customized alerts that can use multiple methods to contact you – email, SMS text
messages, pager, etc.
Triggering actions in response to alerts, to handle certain classes of problems automatically.
Collecting historical data about server and device health and behavior.
Displaying data. Crunching the data and analyzing trends to display illuminating visualizations of the data.
Reports. Besides displays, generating useful predefined reports that help with tasks like forecasting
capacity, optimizing resource usage, and predicting needs for maintenance and upgrades.
Customizable reporting. A facility to help you create custom reports.
Easy configurability, using methods like auto-discovery and knowledge of server and application types.
Non-intrusive: imposing a low overhead on your production machines and services. Making smart use of
agents to offload monitoring where appropriate.
Scalability: Able to grow with your business, from a small or medium business (SMB) to a large enterprise.
4.1.2.1. Windows Task Manager
Task Manager (old name Windows Task Manager) is a task manager, system monitor, and startup manager
included with all versions of Microsoft Windows since Windows NT 4.0 and Windows 2000.
Windows Task Manager provides information about computer performance and shows detailed information
about the programs and processes running on the computer, including name of running processes, CPU load,
commit charge, I/O details, logged-in users, and Windows services; if connected to the network, you can
also view the network status and quickly understand how the network works.
Microsoft improves the task manager between each version of Windows, sometimes quite dramatically.
Specifically, the task managers in Windows 10 and Windows 8 are very different from those in Windows
7 and Windows Vista, and the task managers in Windows 7 and Vista are very different from those in
Windows XP. A similar program called Tasks exists in Windows 98 and Windows 95.
How to Open the Task Manager
Many users are unsure how to start Task Manager, so here are some easy and quick ways to open it. Some
of them may come in handy if you do not know how to open Task Manager, or if you cannot open it the
way you are used to.
You are probably familiar with pressing Ctrl+Alt+Delete on your keyboard. Before Windows Vista was
released, this took you directly to Task Manager. Starting with Windows Vista, pressing Ctrl+Alt+Delete
leads to the Windows Security screen, which provides options for locking your PC, switching users,
signing out, changing a password, and running Task Manager. The quickest way to start Task Manager is
to press Ctrl+Shift+Esc, which takes you directly to it.
If you prefer using a mouse over a keyboard, one of the quickest ways to launch Task Manager is to
right-click on any blank area of the taskbar and select Task Manager. It takes just two clicks.
You can also run Task Manager by pressing Windows+R to open the Run box, typing taskmgr and then
pressing Enter or clicking OK.
You can also open Task Manager from the Start menu, from Windows Explorer, or by creating a shortcut,
but the four convenient ways listed above are usually enough.
Figure 4.1. How to Start Task Manager
Explanation of the Tabs in Task Manager
Now we are going to discuss all the useful tabs you can find in the Task Manager nowadays, mostly in
Windows 8 and Windows 10.
Figure 4.2. Sample Screen Shot of a Task Manager Window
Processes
The Processes tab contains a list of all running programs and applications on your computer (listed under
Apps), as well as any background processes and Windows processes that are running.
In this tab, you can close running programs, see how each program uses your computer resources, and more.
The Processes tab is available in all versions of Windows. Starting with Windows 8, Microsoft has
combined the Applications and Processes tab into the Processes tab, so Windows 8/10 displays all running
programs in addition to processes and services.
Performance
The Performance tab, available in all versions of Windows, is a summary of what’s going on, overall,
with your major hardware components, including CPU, memory, disk drive, Wi-Fi, and network usage. It
displays how much of the computer’s available system resources is being used, so you can check this
valuable information at a glance.
For example, this tab makes it easy to see your CPU model and maximum speed, RAM slots in use, disk
transfer rate, your IP address…Newer versions of Windows also display usage charts. What’s more? There
is a quick link to the Resource Monitor at the bottom of this tab.
App History
The App History tab displays the CPU usage and network utilization that each Windows app has used from
the date listed on the screen until the time you enter Task Manager. App History is only available in Task
Manager in Windows 10 and Windows 8.
Startup
The Startup tab shows every program that is launched automatically each time you start your computer,
along with several important details about each program, including the Publisher, Status, and Startup impact.
Startup impact is the most valuable of these: it shows an impact rating of high, medium or low.
This tab is great for identifying and then disabling programs that you don’t need to run automatically.
Disabling Windows auto-start programs is a very simple way to speed up your computer. The Startup tab is
only available in Task Manager in Windows 10 and Windows 8.
Users
The Users tab shows the users currently signed in to the computer and the processes running within each session.
The Users tab is available in all Windows versions of Task Manager but only shows processes that each user
is running in Windows 10 and Windows 8.
Details
The Details tab contains full details of each process running on your computer. The information provided in
this tab is useful during advanced troubleshooting. The Details tab is available in Task Manager in Windows 10
and Windows 8; in earlier versions of Windows, the Processes tab offers similar features.
Services
The Services tab, available in Task Manager in Windows 10, 8, 7, and Vista, shows all of the Windows
Services currently running on the computer with their Description and Status. The status is Running or
Stopped, and you can change it.
What to Do in the Task Manager?
Task Manager also gives you some limited control over running tasks, such as setting process priorities and
processor affinity, starting and stopping services, and forcibly terminating processes.
Well, one of the most common things done in Task Manager is to use End Task to prevent programs from
running. If a program no longer responds, you can select End Task from the Task Manager to close the
program without restarting the computer.
4.1.2.2. Windows Resource Monitoring (Resmon)
Resource Monitor (Resmon) is a system application included in Windows Vista and later versions of
Windows that allows users to look at the presence and allocation of resources on a computer. This
application allows administrators and other users to determine how system resources are being used by a
particular hardware setup.
How to start Resource Monitor
Users and administrators have several options to start Resource Monitor. It is included in several versions of
Windows, and some options to start the tool are only available in select versions of the operating system.
The first two methods should work on all versions of Windows that are supported by Microsoft.
1. Windows-R to open the run box. Type resmon.exe, and hit the Enter-key.
2. Windows-R to open the run box. Type perfmon.exe /res, and hit the Enter-key.
3. On Windows 10: Start → All Apps → Windows Administrative Tools → Resource Monitor
4. Old Windows: Start → All Programs → Accessories → System Tools → Resource Monitor
5. Open Task Manager with Ctrl+Shift+Esc → Performance tab → click Open Resource Monitor.
Figure 4.3. Opening Resource Monitor from Task Manager
The Resource Monitor interface looks the same on Windows 7, 8.1 and 10. The program uses tabs to
separate data: Overview, CPU, Memory, Disk, and Network are its five tabs. It loads the Overview tab when
you start it, which lists all the processes that use the resources.
The sidebar displays graphs that highlight the CPU, Disk, Network, and Memory use over a period of 60
seconds.
You can hide and show elements with a click on the arrow icon in title bars. Another option that you have to
customize the interface is to move the mouse cursor over dividers in the interface to drag the visible area.
Use it to increase or decrease the visible area of the element.
You may want to hide the graphs, for instance, to make more room for more important data and run the
Resource Monitor window in as large of a resolution as possible.
The overview tab is a good starting point, as it gives you an overview of the resource usage. It highlights
CPU and memory usage, disk utilization, and network use in real-time.
Each particular listing offers a wealth of information. The CPU box lists process names and IDs, the network
box IP addresses and data transfers, the memory box hard faults, and the disk box read and write operations.
One interesting option available here is to select one or more processes under CPU to apply filters to the
Disk, Network and Memory tabs.
If you select a particular process under CPU, Resource Monitor lists the disk, network and memory usage of
that process only. This is one of the differences from Task Manager, which cannot do this.
Figure 4.4. Sample Screen Shot of Resource Monitor
Monitor CPU Usage with Resource Monitor
You need to switch to the CPU tab if you want to monitor CPU utilization in detail. You find the processes
listing of the overview page there, and also the three new listings Services, Associated Handles and
Associated Modules.
You can filter by processes to display data only for those processes. This is quite handy, as it is a quick way
to see links between processes, services and other files on the system. Note that the graphs are different
from the ones displayed before: the graphs on the CPU tab show the usage of each core, service CPU usage,
and total CPU usage.
Associated Modules lists files such as dynamic link libraries that are used by a process. Associated Handles
point to system resources such as files or Registry values. These offer specific information but are useful at
times. You can run a search for handles, for instance, to find out why you can’t delete a file at that point in
time.
Resource Monitor gives you some control over processes and services on the CPU tab. Right-click on any
process to display a context menu with options to end the selected process or entire process tree, to suspend
or resume processes, and to run a search online.
The Services context menu is limited to starting, stopping and restarting services, and to search online for
information.
Processes may be displayed using colors. A red process indicates that it is not responding, and a blue one
that it is suspended.
Memory in Resource Monitor
The Memory tab lists processes just like the CPU tab does, but with a focus on memory usage. On top of
that, it features a physical memory view that visualizes the distribution of memory on the Windows machine.
If this is your first time accessing the information, you may be surprised that quite a bit of memory may be
hardware reserved. The graphs highlight the used physical memory, the commit charge, and the hard faults
per second. Each process is listed with its name and process ID, the hard faults, and various memory related
information.
Commit: Amount of virtual memory reserved by the operating system for the process.
Working Set: Amount of physical memory currently in use by the process.
Shareable: Amount of physical memory in use by the process that can be shared with other processes.
Private: Amount of physical memory in use by the process that cannot be used by other processes.
Disk Activity information
The Disk tab of the Windows Resource Monitor lists the disk activity of processes and storage information.
It visualizes the disk usage in total and for each running process. You get a reading of each process’s disk
read and write activity, and can use the filtering options to filter by one or several processes.
The Storage listing at the bottom lists all available drives, the available and total space on each drive, as well
as the active time. The graphs visualize the disk queue length, which indicates how many requests are waiting
for that particular disk; it is a good indicator of whether disk performance cannot keep up with the I/O load.
Network Activity in Resource Monitor
The Network tab lists network activity, TCP connections and listening ports. It lists network activity of any
running process in detail. It is useful, as it tells you right away if processes connect to the Internet.
You do get TCP connection listings that highlight remote servers that processes connect to, the bandwidth
use, and the local listening ports.
Bandwidth
Bandwidth describes the maximum data transfer rate of a network. It measures how much data can be sent
over a specific connection in a given amount of time. For example, a gigabit Ethernet connection has a
bandwidth of 1,000 Mbps (125 megabytes per second). An Internet connection via cable modem may
provide 25 Mbps of bandwidth.
While bandwidth is used to describe network speeds, it does not measure how fast bits of data move from
one location to another. Since data packets travel over electronic or fiber optic cables, the speed of each bit
transferred is negligible. Instead, bandwidth measures how much data can flow through a specific
connection at one time.
When visualizing bandwidth, it may help to think of a network connection as a tube and each bit of data as a
grain of sand. If you pour a large amount of sand into a skinny tube, it will take a long time for the sand to
flow through it. If you pour the same amount of sand through a wide tube, the sand will finish flowing
through the tube much faster. Similarly, a download will finish much faster when you have a high-
bandwidth connection rather than a low-bandwidth connection.
Data often flows over multiple network connections, which means the connection with the smallest
bandwidth acts as a bottleneck. Generally, the Internet backbone and connections between servers have the
most bandwidth, so they rarely serve as bottlenecks. Instead, the most common Internet bottleneck is your
connection to your ISP.
Bandwidth vs. Speed
Internet speed is a major concern for any Internet user. Even though Internet speed and data transfer mostly
revolve around bandwidth, your actual Internet speed can differ from what the bandwidth would lead you to
expect. What makes this complicated is that the terms bandwidth, speed, and bandwidth speed are
used interchangeably, but they are actually different things. Most people refer to speed as how long it takes
to upload and download files, videos, livestreams, and other content.
Bandwidth is the size of the pipe or the overall capacity for data. Keep in mind that you could have great
bandwidth and not so great speed if your end system, your network, can’t handle all of the flow of
information.
The key is making sure everything matches up. If you want to know more about your Internet performance,
you can use an Internet speed test. This could help you see if your Internet service provider is providing the
actual Internet connection that you are expecting, or if there are problems at the network level with being
able to handle the data.
Network bandwidth
Use of bandwidth can also be monitored by a network bandwidth monitor. Network bandwidth is a fixed
commodity. There are several ways to make better use of it. First, you can control the data flow in your
Internet connection; that is, you can streamline data from one point to another. Next, you can also
optimize data so that it consumes less of the bandwidth allocated to it.
In summary, bandwidth is the amount of information an Internet connection can handle in a given period.
An Internet connection operates much faster or slower depending on whether the bandwidth is large or
small. With a larger bandwidth, data transmission is much faster than over an Internet connection with a
lower bandwidth.
4.1.1. Network Printers
Network printing allows us to efficiently use printing resources. With network printing we first connect all
of our workstations to a network and then we implement a network printer. In general there are two ways
this can be done. In the first method we take a regular printer and plug it into the back of one of the PCs. In the
figure below that PC is named Workstation 1. Then we share that printer on the network by going to the
printer properties in Windows.
Figure 4.5. Sample Shared Printer through a workstation
In this configuration other hosts on the network can send the print job through the network to
Workstation 1, which then sends the print job to the print device. This is the cheaper method, but we depend
on Workstation 1, which has to be turned on all the time. If someone is using that computer, then we
depend on that person too. This method is used in home or small office scenarios. To connect to the shared
printer we can use the UNC path in the format: \\computername\sharename.
UNC (Universal Naming Convention) path is a standard for identifying servers, printers and other
resources in a network. It uses double forward slashes (for Unix and Linux) or double backslashes (for
Windows) to precede the name of the computer:
//servername/path (Unix)
\\servername\path (DOS/Windows)
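As an added example (it is not part of this module), the following Python code parses both forms of UNC path described above, splits them into server, share and sub-path, rejects malformed paths, and flags the hidden Windows administrative shares (C$, ADMIN$, IPC$), which are not mentioned in the text but are worth noticing when you review who connects to what. The server and share names used are constructed.

```python
import re

# One DNS-style host label: letters, digits and hyphens, not starting or
# ending with a hyphen (constructed validity check for this example).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Hidden Windows administrative shares (known names, not from the module).
ADMIN_SHARES = {"ADMIN$", "IPC$"}


def parse_unc(path):
    """Split '\\\\server\\share\\sub\\dir' (Windows) or '//server/share/sub/dir'
    (Unix) into (server, share, subpath). Raise ValueError when malformed."""
    if not (path.startswith("\\\\") or path.startswith("//")):
        raise ValueError("UNC path must begin with \\\\ or //")
    # Windows clients accept either separator, so normalise before splitting.
    parts = path[2:].replace("\\", "/").split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs both a server and a share name")
    server, share, rest = parts[0], parts[1], parts[2:]
    if not all(_LABEL.match(label) for label in server.split(".")):
        raise ValueError(f"invalid server name: {server!r}")
    if any(seg == ".." for seg in rest):
        raise ValueError("parent-directory segments are not allowed in a share path")
    subpath = "/".join(seg for seg in rest if seg)  # drop empty/trailing segments
    return server, share, subpath


def is_admin_share(share):
    """True for C$, D$, ... ADMIN$ and IPC$ (case-insensitive)."""
    s = share.upper()
    return s in ADMIN_SHARES or (len(s) == 2 and s[0].isalpha() and s[1] == "$")


def to_windows(server, share, subpath=""):
    """Build the backslash form used by DOS/Windows clients."""
    tail = "\\" + subpath.replace("/", "\\") if subpath else ""
    return "\\\\" + server + "\\" + share + tail


def to_unix(server, share, subpath=""):
    """Build the forward-slash form used on Unix and Linux."""
    return "//" + server + "/" + share + ("/" + subpath if subpath else "")


if __name__ == "__main__":
    # Constructed examples: the printer shared from Workstation 1 (first method
    # above), a documents share on a file server, and an administrative share.
    for p in (r"\\Workstation1\HPLaserJet",
              "//fileserver.example.org/docs/reports/2022",
              r"\\Workstation1\C$\Windows"):
        server, share, sub = parse_unc(p)
        flag = " (administrative share)" if is_admin_share(share) else ""
        print(f"{p:45} -> server={server} share={share} subpath={sub!r}{flag}")
```

The parser normalises both separators before splitting, so a mixed path such as `\\srv\share/dir` still resolves, and it refuses `..` segments so that a share path cannot be used to name something outside the share.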
In the second method we implement the type of printer that has its own network interface installed (either wired
or wireless). This way we can connect our printer directly to the network so the print jobs can be sent from
workstations directly to that network printer.
Figure 4.6. Shared printer with its own dedicated NIC (Network Interface Card)
The print job doesn’t have to go through the workstation as in the first case. To connect to a network
attached printer we can create a printer object using a TCP/IP port. We use the IP address and port name
information to connect to the printer.
Print Port
When a client needs to send a print job to the network printer, the client application formats the print job and
sends it to the print driver. As with a traditional print job, it’s saved on the local workstation in the
spool. Then the job is sent from the spool to the printer. In a traditional setup the computer will send the job
through the parallel or USB cable to the printer. In the network printing setup, the job is redirected. The
print job goes out through the network board, then the network, and then arrives at the destination network
printer.
Drivers
Each network host that wants to use the network printer must have the corresponding printer driver installed.
When we share a printer in Windows, the current printer driver is automatically delivered to clients that
connect to the shared printer. If the client computers run a different version of Windows, we can add the
necessary printer drivers to the printer object. To add drivers for network users we can use the ‘Advanced’
and ‘Sharing’ tab in printer properties.
Print Server
An important component of any network printer that we have is the print server. The print server manages
the flow of documents sent to the printer. Using a print server lets us customize when and how documents
print. There are different types of print servers. In the first scenario, where we have attached an ordinary printer
to our workstation, the printer has no print server hardware built in. In this case the operating system running
on Workstation 1 functions as a print server. It receives the jobs from the other clients, saves them locally
in a directory on the hard drive and spools them off to the printer one at a time as the printer becomes ready.
The computer can fill other roles on the network in addition to being the print server. Most operating
systems include print server software.
Some printers, like our printer from the second scenario, have a built-in print server that’s integrated into the
hardware of the printer itself. It receives the print jobs from the various clients, queues them up, gives them
priority and sends them on through the printing mechanism as it becomes available. We often refer to this
type of print server as an internal print server. We use special management software to connect to this kind of
print server and manage print jobs.
Print servers can also be implemented in another way. We can purchase an external print server. The
external print server has one interface that connects to the printer (parallel or USB interface), and it also has
a network jack that plugs into our hub or switch. It provides all the print server functions, but they are
all built into the hardware of the print server itself. So, when clients send a job to the printer, the jobs are
sent through the network to the hardware print server, which then formats, prioritizes, saves them in the
queue, and then spools them off to the printer one at a time as the printer becomes available. Different
operating systems implement print servers in different ways, and different external or internal print servers also
function in different ways. Because of that we need to check our documentation to see how to set it up with
our specific hardware or software.
Remember: We can share our existing printers on the network or we can set up a printer which has its
own NIC and which is then directly connected to the network. A print server formats, prioritizes, queues
and then spools print jobs.
4.2. Remote Administration
Remote administration is the practice of controlling a computer system, a network, an application, or all
three from a remote location. Simply put, remote administration refers to any method of
controlling a computer from a remote location. A remote location may refer to a computer in the next room
or one on the other side of the world. It may also refer to both legal and illegal remote administration.
Generally, remote administration is adopted when it is difficult or impractical for a person to be
physically present and do administration at a system’s terminal.
4.1.1. Requirements to Perform Remote Administration
Internet connection
One of the fundamental requirements to perform remote administration is network connectivity. Any
computer with an Internet connection, TCP/IP or on a Local Area Network can be remotely administered.
For non-malicious administration, the user must install or enable server software on the host system in order
to be viewed. Then the user/client can access the host system from another computer using the installed
software.
Usually, both systems should be connected to the Internet, and the IP address of the host/server system must
be known. Remote administration is therefore less practical if the host uses a dial-up modem, which is not
constantly online and often has a dynamic IP address.
Connecting
When the client connects to the host computer, a window showing the Desktop of the host usually appears.
The client may then control the host as if he/she were sitting right in front of it.
Windows has a built-in remote administration package called Remote Desktop Connection. A free
cross-platform alternative is VNC, which offers similar functionality.
4.1.2. Common Tasks/Services for which Remote Administration is Used
Generally, remote administration is needed for user management, file system management, software
installation and configuration, network management, network security and firewalls, VPNs, infrastructure
design, network file servers, auto-mounting, kernel optimization and recompilation, etc. The following are
some of the tasks and services for which remote administration is used:
General
o Controlling one’s own computer from a remote location (e.g. to access the software or data on a personal
computer from an Internet café).
ICT Infrastructure Management
o Remote administration is essentially needed to administer the ICT infrastructure, such as the servers, the
routing and switching components, the security devices and other related equipment.
Shutdown
o Shutting down or rebooting a computer over a network.
Accessing Peripherals
o Using a network device, like a printer.
o Retrieving streaming data, much like a CCTV system.
Modifying
o Editing another computer’s Registry settings.
o Remotely connecting to another machine to troubleshoot issues.
o Modifying system services.
o Installing software on another machine.
o Modifying logical groups.
Viewing
o Remotely running a program or copying a file.
o Remotely assisting others.
o Supervising computer or Internet usage (monitoring the remote computer’s activities).
o Accessing a remote system’s “Computer Management” snap-in.
Hacking
Computers infected with malware, such as Trojans, sometimes open back doors into computer
systems which allow malicious users to hack into and control the computer. Such users
may then add, delete, modify or execute files on the computer to their own ends.
4.1.3. Remote Desktop Solutions
Most people who are used to a Unix-style environment know that a machine can be reached over the
network at the shell level using utilities like telnet or ssh. And some people realize that X Windows output
can be redirected back to the client workstation. But many people don’t realize that it is easy to use an entire
desktop over the network. The following are some of the proprietary and open source applications that can be
used to achieve this.
SSH (Secure Shell)
Secure Shell (SSH) is a proprietary cryptographic network tool for secure data communication between two
networked computers. It connects, via a secure channel over an insecure network, a server and a client
(running SSH server and SSH client programs, respectively). The protocol specification distinguishes
between two major versions, referred to as SSH-1 and SSH-2.
The best-known application of the tool is access to shell accounts on Unix-like operating systems
(GNU/Linux, OpenBSD, FreeBSD), but it can also be used in a similar fashion for accounts on Windows.
SSH is generally used to log into a remote machine and execute commands. It also supports tunneling and
forwarding of TCP ports and X11 connections, and it can transfer files using the associated SSH File Transfer
Protocol (SFTP) or Secure Copy (SCP) protocols. SSH uses the client-server model.
SSH is important in cloud computing to solve connectivity problems, avoiding the security issues of
exposing a cloud-based virtual machine directly on the Internet. An SSH tunnel can provide a secure path
over the Internet, through a firewall to a virtual machine.
OpenSSH (OpenBSD Secure Shell)
OpenSSH is a tool providing encrypted communication sessions over a computer network using the SSH
protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered
by SSH Communications Security.
Telnet
Telnet is used to connect to a remote computer over a network. It provides a bidirectional interactive
text-oriented communication facility using a virtual terminal connection on the Internet or on local area networks.
Telnet provides a command-line interface on a remote host. Most network equipment and operating systems
with a TCP/IP stack support a Telnet service for remote configuration (including systems based on Windows
NT). Telnet establishes a Transmission Control Protocol (TCP) connection to port number 23,
where a Telnet server application (telnetd) is listening.
Experts in computer security recommend that the use of Telnet for remote logins be
discontinued under all normal circumstances, for the following reasons:
o Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often
practical to eavesdrop on the communications and use the password later for malicious purposes; anybody who has
access to a router, switch, hub or gateway located on the network between the two hosts where Telnet is being used
can intercept the packets passing by and obtain the login, password and whatever else is typed with a packet analyzer.
o Most implementations of Telnet have no authentication that would ensure communication is carried out between the
two desired hosts and not intercepted in the middle.
o Several vulnerabilities have been discovered over the years in commonly used Telnet daemons.
rlogin
rlogin is a utility for Unix-like computer operating systems that allows users to log in on another host
remotely over the network, communicating through TCP port 513.
rlogin has several serious security problems: all information, including passwords, is transmitted
unencrypted, so rlogin is vulnerable to interception. Due to these serious security problems, rlogin was rarely
used across untrusted networks (like the public Internet) and even in closed networks.
rsh
The remote shell (rsh) can connect to a remote host across a computer network. The remote system to which
rsh connects runs the rsh daemon (rshd). The daemon typically uses the well-known Transmission Control
Protocol (TCP) port number 514. From a security point of view, its use is not recommended.
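The practical follow-up to the advice above is to check which remote-administration services a host is actually listening on. The Python script below is an added example, not part of this module: it reads socket listings in the style of the Linux `ss -tlnp` command (the sample lines are constructed, not captured from a real host), picks out the ports named in this section (SSH 22, Telnet 23, rlogin 513, rsh 514) and, going beyond the text, the well-known defaults for the two desktop protocols discussed in this chapter (RDP 3389, VNC 5900), and rates each finding: a cleartext service bound to every interface is rated high, a cleartext service on loopback only or an encrypted service exposed to the network is rated medium.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tlnp` on Linux; not captured from a
# real host. Ports and process names are illustrative only.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=640,fd=5))
LISTEN 0      5      *:513              *:*               users:(("inetd",pid=640,fd=6))
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*         users:(("Xvnc",pid=901,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=700,fd=8))
"""

# port -> (service, credentials travel in cleartext). 22/23/513/514 come from
# the text above; 3389 (RDP) and 5900 (VNC display :0) are the well-known
# defaults and are an assumption of this example, not taken from the module.
REMOTE_ADMIN_PORTS = {
    22: ("ssh", False),
    23: ("telnet", True),
    513: ("rlogin", True),
    514: ("rsh", True),
    3389: ("rdp", False),
    5900: ("vnc", True),   # VNC itself is unencrypted; the text says to tunnel it over SSH
}

# Local addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def rate(cleartext, exposed):
    """Cleartext on a network-facing interface is the worst case; either
    property on its own still deserves attention (block the port or tunnel)."""
    if cleartext and exposed:
        return "high"
    if cleartext or exposed:
        return "medium"
    return "low"


@dataclass
class Finding:
    port: int
    service: str
    address: str
    cleartext: bool
    exposed: bool
    process: str

    @property
    def severity(self):
        return rate(self.cleartext, self.exposed)


def parse_local(field):
    """'[::]:22' -> ('[::]', 22); '0.0.0.0:23' -> ('0.0.0.0', 23)."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def audit_listeners(ss_output):
    """Return one Finding per LISTEN socket on a remote-administration port."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = parse_local(cols[3])
        if port not in REMOTE_ADMIN_PORTS:
            continue
        service, cleartext = REMOTE_ADMIN_PORTS[port]
        proc = ""
        if len(cols) > 5:  # users:(("sshd",pid=812,fd=3)) -> sshd
            m = re.search(r'\(\("([^"]+)"', cols[5])
            proc = m.group(1) if m else ""
        findings.append(Finding(port, service, addr, cleartext,
                                addr in WILDCARD_ADDRS, proc))
    return findings


def worst_severity(findings):
    """Overall rating of a host: the highest severity among its findings."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="low")


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.severity:6} {f.service:7} {f.address}:{f.port}  ({f.process})")
    print("host rating:", worst_severity(audit_listeners(SAMPLE_SS_OUTPUT)))
```

On a real host the input would come from running `ss -tlnp` as root and pasting or piping its output into `audit_listeners`; the function only looks at the state and local-address columns, so extra columns or a different header do not break it.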
VNC (Virtual Network Computing)
VNC is a remote display system which allows the user to view the desktop of a remote machine anywhere
on the Internet. It can also be directed through SSH for security.
Install a VNC server on the remote computer (the server) and a VNC client on the local PC. Setup is extremely
easy and the server is very stable. On the client side, set the resolution and connect to the IP address of the
VNC server.
FreeNX
FreeNX allows a user to access a desktop from another computer over the Internet. One can use this to log in
graphically to a desktop from a remote location. One example of its use would be to have a FreeNX server
set up on a home computer and to log in graphically to that home computer from a work computer, using a
FreeNX client.
Wireless Remote Administration
Remote administration software has recently started to appear on wireless devices such as the BlackBerry,
Pocket PC, and Palm devices, as well as some mobile phones.
Generally these solutions do not provide the full remote access seen on software such as VNC or Terminal
Services, but do allow administrators to perform a variety of tasks, such as rebooting computers, resetting
passwords, and viewing system event logs, thus reducing or even eliminating the need for system
administrators to carry a laptop or be within reach of the office.
AetherPal and Netop are some of the tools used for full wireless remote access and administration on
Smartphone devices.
Wireless remote administration is usually the only method to maintain man-made objects in space.
Remote Desktop Connection (RDC)
Remote Desktop Connection (RDC) is a Microsoft technology that allows a local computer to connect to and
control a remote PC over a network or the Internet. It is done through a Remote Desktop Service (RDS) or a
terminal service that uses the company’s proprietary Remote Desktop Protocol (RDP). Remote Desktop
Connection is also known simply as Remote Desktop.
Typically, RDC requires the remote computer to enable the RDS and to be powered on. The connection is
established when a local computer requests connection to a remote computer using an RDC-enabled
software. On authentication, the local computer has full or restricted access to the remote computer. Besides
desktop computers, servers and laptops, RDC also supports connecting to virtual machines. This technology
was introduced in Windows XP.
Alternatively referred to as remote administration, remote admin is a way to control another computer without
physically being in front of it. Below are examples of how remote administration could be used.
o Remotely run a program or copy a file.
o Remotely connect to another machine to troubleshoot issues.
o Remotely shut down a computer.
o Install software on another computer.
o Monitor the remote computer’s activity.
Remote Admin allows system administrators or support personnel to remotely access Officelinx Admin from
their own workstation, eliminating the need to be in front of the server in order to perform administrative
functions.
4.1.4. Disadvantages of Remote Administration
Remote administration has many disadvantages too, apart from its advantages. The first and foremost
disadvantage is security. Generally, certain ports have to be open at the server level to allow remote
administration, and attackers take advantage of these open ports to compromise the system. It is advised that
remote administration be used only in emergency or essential situations. In normal situations, it is ideal to
block the ports to prevent remote administration.
4.3. Performance
Redundant Array of Inexpensive (or Independent) Disks (RAID)
RAID is a data storage virtualization technology that combines multiple physical disk drive components
into one or more logical units for the purposes of data redundancy, performance improvement, or both.
This was in contrast to the previous concept of highly reliable mainframe disk drives referred to as Single
Large Expensive Disk (SLED).
Data is distributed across the drives in one of several ways, referred to as RAID levels, depending on the
required level of redundancy and performance. The different schemes, or data distribution layouts, are
named by the word “RAID” followed by a number, for example RAID 0 or RAID 1. Each scheme, or
RAID level, provides a different balance among the key goals: reliability, availability, performance,
and capacity. RAID levels greater than RAID 0 provide protection against unrecoverable sector read errors,
as well as against failures of whole physical drives.
4.3.1.1. Standard levels
Originally, there were five standard levels of RAID, but many variations have evolved, including several
nested levels and many non-standard levels (mostly proprietary). RAID levels and their associated data
formats are standardized by the Storage Networking Industry Association (SNIA) in the Common RAID
Disk Drive Format (DDF) standard:
RAID 0 consists of striping, but no mirroring or parity. Compared to a spanned volume, the capacity of a
RAID 0 volume is the same; it is the sum of the capacities of the drives in the set. But because striping
distributes the contents of each file among all drives in the set, the failure of any drive causes the entire
RAID 0 volume and all files to be lost. In comparison, a spanned volume preserves the files on the
unfailing drives. The benefit of RAID 0 is that the throughput of read and write operations to any file is
multiplied by the number of drives because, unlike spanned volumes, reads and writes are done
concurrently.
The cost is increased vulnerability to drive failures: since the failure of any drive in a RAID 0 setup causes the
entire volume to be lost, the average failure rate of the volume rises with the number of attached drives.
Figure 4.1. RAID 0 setup
NOTES: In data storage, data striping is the technique of segmenting logically sequential data, like a file,
so that consecutive segments are stored on different physical storage devices. It is useful when a processor
requests data more quickly than a single storage device can provide it. By spreading segments across multiple
devices which can be accessed concurrently, total data throughput is increased.
In data storage, disk mirroring is the replication of logical disk volumes onto separate physical hard disks in
real time to ensure continuous availability. It is most commonly used in RAID 1. A mirrored volume is a
complete logical representation of separate volume copies.
A parity stripe or parity disk in a RAID array provides error correction. Parity bits are written at the rate of
one parity bit per n bits, where n is the number of disks in the array. When a read error occurs, each bit in the
error region is recalculated from its set of n bits. In this way, using one parity bit creates “redundancy” for a
region from the size of one bit to the size of one disk.
RAID 1 consists of data mirroring, without parity or striping. Data is written identically to two or more
drives, thereby producing a “mirrored set” of drives. Thus, any read request can be serviced by any drive in
the set. If a request is broadcast to every drive in the set, it can be serviced by the drive that accesses the data
first (depending on its seek time and rotational latency), improving performance. Sustained read throughput,
if the controller or software is optimized for it, approaches the sum of throughputs of every drive in the set,
just as for RAID 0.
Actual read throughput of most RAID 1 implementations is slower than the fastest drive. Write throughput is
always slower because every drive must be updated, and the slowest drive limits the write performance. The
array continues to operate as long as at least one drive is functioning.
Figure 4.2. RAID 1 setup
Figure 4.3. RAID 2 setup
RAID 2 consists of bit-level striping with dedicated Hamming-code parity. All disk spindle rotation is
synchronized and data is striped such that each sequential bit is on a different drive. Hamming-code parity is
calculated across corresponding bits and stored on at least one parity drive. This level is of historical
significance only; as of 2014 it is not used by any commercially available system.
RAID 3 consists of byte-level striping with dedicated parity. All disk spindle rotation is synchronized and
data is striped such that each sequential byte is on a different drive. Parity is calculated across corresponding
bytes and stored on a dedicated parity drive. Although implementations exist, RAID 3 is not commonly used
in practice. The following figure shows a RAID 3 setup with 6-byte blocks and two parity bytes; the blocks
of data are shown in different colors.
Figure 4.4. RAID 3 setup
RAID 4 consists of block-level striping with dedicated parity. The main advantage of RAID 4 over RAID
2 and 3 is I/O parallelism: in RAID 2 and 3, a single read I/O operation requires reading the whole group of
data drives, while in RAID 4 one I/O read operation does not have to spread across all data drives. As a
result, more I/O operations can be executed in parallel, improving the performance of small transfers. The
figure below shows a setup of RAID 4 with dedicated parity disk with each color representing the group of
blocks in the respective parity block (a strip).
Figure 4.5. RAID 4 setup
RAID 5 consists of block-level striping with distributed parity. Unlike RAID 4, parity information is
distributed among the drives, requiring all drives but one to be present to operate. Upon failure of a single
drive, subsequent reads can be calculated from the distributed parity such that no data is lost.
RAID 5 requires at least three disks. Like all single-parity concepts, large RAID 5 implementations are
susceptible to system failures because of trends regarding array rebuild time and the chance of drive failure
during rebuild. Rebuilding an array requires reading all data from all disks, opening a chance for a second
drive failure and the loss of the entire array. The figure below shows a RAID 5 layout in which each
color represents a group of data blocks and the associated parity block (a stripe).
Figure 4.6. RAID 5 layout
RAID 6 consists of block-level striping with double distributed parity. Double parity provides
fault tolerance up to two failed drives. This makes larger RAID groups more practical, especially for high-
availability systems, as large-capacity drives take longer to restore. RAID 6 requires a minimum of four
disks. As with RAID 5, a single drive failure results in reduced performance of the entire array until the
failed drive has been replaced. With a RAID 6 array, using drives from multiple sources and
manufacturers, it is possible to mitigate most of the problems associated with RAID 5. The larger the drive
capacities and the larger the array size, the more important it becomes to choose RAID 6 instead of RAID 5.
RAID 10 also minimizes these problems. The figure below shows a RAID 6 setup, which is identical to
RAID 5 other than the addition of a second parity block.
Figure 4.7. RAID 6 setup
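To make the striping, mirroring and parity rules from the notes above concrete, and to show why a RAID 5 array survives the single-drive failure described in the RAID 5 paragraph, here is an added in-memory simulation in Python (it is not part of this module). It lays out data blocks for RAID 0, RAID 1 and RAID 5, reads the data back while skipping parity, and rebuilds a failed drive from the survivors by XOR. The 4-byte block size and the sample data are constructed; the left-symmetric rotation of the parity block (stripe 0 on the last disk, stripe 1 on the one before it, and so on) is one common layout and is an assumption of this example, not a detail from the text. RAID 6 is not simulated, because its second parity needs more than plain XOR.

```python
BLOCK = 4  # bytes per block; constructed small so the layout is readable


def split_blocks(data, size=BLOCK):
    """Cut data into fixed-size blocks, zero-padding the last one."""
    padded = data + b"\0" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_blocks(blocks):
    """Parity of equal-sized blocks: XOR byte by byte."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid0_layout(data, n_disks):
    """Striping only: block i goes to disk i mod n; no redundancy at all."""
    disks = [[] for _ in range(n_disks)]
    for i, blk in enumerate(split_blocks(data)):
        disks[i % n_disks].append(blk)
    return disks


def raid1_layout(data, n_disks):
    """Mirroring only: every disk holds a complete copy."""
    blocks = split_blocks(data)
    return [list(blocks) for _ in range(n_disks)]


def parity_disk_for(stripe_index, n_disks):
    """Rotate the parity block across the disks (left-symmetric layout; an
    assumption of this example, not a detail taken from the text)."""
    return (n_disks - 1) - stripe_index % n_disks


def raid5_layout(data, n_disks):
    """Block-level striping with distributed parity: n-1 data blocks plus one
    parity block per stripe, parity position rotating stripe by stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires at least three disks")
    per_stripe = n_disks - 1
    disks = [[] for _ in range(n_disks)]
    blocks = split_blocks(data)
    for s, start in enumerate(range(0, len(blocks), per_stripe)):
        stripe = blocks[start:start + per_stripe]
        stripe += [b"\0" * BLOCK] * (per_stripe - len(stripe))  # pad last stripe
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk_for(s, n_disks) else next(data_iter))
    return disks


def raid5_read(disks, length):
    """Read the logical data back in order, skipping each stripe's parity block."""
    n = len(disks)
    out = []
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n)
        out.extend(disks[d][s] for d in range(n) if d != p)
    return b"".join(out)[:length]


def raid5_rebuild(disks, failed):
    """Reconstruct every block of the failed disk (given as None in `disks`) as
    the XOR of the same stripe's blocks on the surviving disks. This works for
    data and parity blocks alike because all n blocks of a stripe XOR to zero."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def usable_capacity(level, n_disks, disk_size):
    """Capacity trade-off of the levels discussed, for n equal disks."""
    factor = {"RAID 0": n_disks, "RAID 1": 1, "RAID 5": n_disks - 1, "RAID 6": n_disks - 2}
    return factor[level] * disk_size


if __name__ == "__main__":
    payload = b"Network printers and RAID"  # constructed sample data, 25 bytes
    array = raid5_layout(payload, 3)
    for i, disk in enumerate(array):
        print(f"disk {i}: {[blk.hex() for blk in disk]}")
    broken = [array[0], None, array[2]]          # disk 1 fails
    broken[1] = raid5_rebuild(broken, 1)         # rebuild it from the other two
    print("rebuilt disk matches original:", broken[1] == array[1])
    print("data readable after rebuild:", raid5_read(broken, len(payload)) == payload)
```

Running the block prints each disk's blocks in hex, so you can see the parity block moving one disk to the left on every stripe; the rebuild step reads every surviving block, which is exactly the whole-array read that the RAID 5 paragraph warns leaves a window for a second failure.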
Chapter 5: Security
5.1. Introduction
What is Unix/Linux?
The Unix OS is a set of programs that act as a link between the computer and the user. The computer
programs that allocate the system resources and coordinate all the details of the computer’s internals are
called the operating system or the kernel. Users communicate with the kernel through a program known as
the shell. The shell is a command line interpreter; it translates commands entered by the user and converts
them into a language that is understood by the kernel.
Linux is a family of open-source Unix-like operating systems that are based on the Linux kernel. It was
initially released by Linus Torvalds on September 17, 1991. It is a free and open-source operating system,
and the source code can be modified and distributed to anyone, commercially or non-commercially, under the
GNU General Public License (GNU/GPL).
Initially, Linux was created for personal computers and gradually it was used in other machines like servers,
mainframe computers, supercomputers, etc. Nowadays, Linux is also used in embedded systems like routers,
automation controls, televisions, digital video recorders, video game consoles, smartwatches, etc. The
biggest success of Linux is Android, an operating system based on the Linux kernel that runs on
smartphones and tablets. Due to Android, Linux has the largest installed base of all general-purpose
operating systems. Linux is generally packaged in a Linux distribution.
5.1.2. Linux Distribution
A Linux distribution is an operating system made up of a collection of software based on the Linux kernel; in
other words, a distribution contains the Linux kernel plus supporting libraries and software. You get a
Linux-based operating system by downloading one of the Linux distributions, and these distributions are
available for different types of devices like embedded devices, personal computers, etc. Around 600+ Linux
distributions are available; some of the popular ones are MX Linux, Ubuntu, OpenSUSE, Manjaro, Debian,
Arch Linux, Linux Mint, Solus, Kubuntu, Elementary and Fedora.
5.1.3. Unix/Linux Architecture
Here is a basic block diagram of a Unix system.
Figure 5.1. Block diagram of Unix system
The main concept that unites all the versions of Unix is the following four basics:
Kernel: The kernel is the heart of the operating system. It interacts with the hardware and performs most of the tasks like
memory management, task scheduling and file management.
Shell: The shell is the utility that processes your requests. When you type in a command at your terminal, the shell
interprets the command and calls the program that you want. The shell uses standard syntax for all commands. C Shell,
Bourne Shell and Korn Shell are the most famous shells which are available with most of the Unix variants.
Commands and Utilities: There are various commands and utilities which you can make use of in your day-to-day
activities. cp, mv, cat and grep, etc. are a few examples of commands and utilities. There are over 250 standard
commands plus numerous others provided through 3rd party software. All the commands come along with various
options.
Files and Directories: All the data of Unix is organized into files. All files are then organized into directories. These
directories are further organized into a tree-like structure called the filesystem.
5.1.4 Open Source
The idea behind Open Source software is rather simple: when programmers can read, distribute and change
code, the code will mature. People can adapt it, fix it, debug it, and they can do it at a speed that dwarfs the
performance of software developers at conventional companies. This software will be more flexible and of a
better quality than software that has been developed using the conventional channels, because more people
have tested it in more different conditions than the closed software developer ever can.
While Linux is probably the most well-known Open Source initiative, there is another project that
contributed enormously to the popularity of the Linux operating system. This project is called SAMBA, and
its achievement is the reverse engineering of the Server Message Block (SMB)/Common Internet File
System (CIFS) protocol used for file- and print-serving on PC-related machines, natively supported by MS
Windows NT and OS/2, and Linux. Packages are now available for almost every system and provide
interconnection solutions in mixed environments using MS Windows protocols: Windows-compatible (up to
and including WinXP) file- and print-servers.
Maybe even more successful than the SAMBA project is the Apache HTTP server project. The server runs
on UNIX, Windows NT and many other operating systems. Apache has been shown to be substantially
faster, more stable and more feature-full than many other web servers. Apache is run on sites that get
millions of visitors per day, and while no official support is provided by the developers, the Apache user
community provides answers to all your questions. Commercial support is now being provided by a number
of third parties.
The Open Source community, consisting largely of people who have been contributing for over half a
decade, assures Linux’ position as an important player on the desktop market as well as in general IT
application. Paid employees and volunteers alike are working diligently so that Linux can maintain a
position in the market. The more users, the more questions. The Open Source community makes sure
answers keep coming, and watches the quality of the answers with a suspicious eye, resulting in ever more
stability and accessibility.
Listing all the available Linux software is beyond the scope of this course (let alone the chapter), as there are
tens of thousands of packages.
5.1.5 Properties of Linux
Linux Pros
A lot of the advantages of Linux are a consequence of Linux’ origins, deeply rooted in UNIX, except
for the first advantage, of course:
Linux is free: If you want to spend absolutely nothing, Linux can be downloaded in its entirety from the Internet
completely for free. No registration fees, no costs per user, free updates, and freely available source code in case you
want to change the behavior of your system. The license commonly used is the GNU Public License (GPL), and it
says anybody who may want to do so, has the right to change Linux and eventually to redistribute a changed version,
on the one condition that the code is still available after redistribution. In practice, you are free to grab a kernel
image, for instance to add support for Amharic voice recognition and sell your new code, as long as your customers
can still have a copy of that code.
Linux is portable to any hardware platform: A vendor who wants to sell a new type of computer and who doesn’t
know what kind of OS his new machine will run (say the CPU in your car or washing machine), can take a Linux
kernel and make it work on his hardware, because documentation related to this activity is freely available.
Linux was made to keep on running: a Linux system expects to run without rebooting all the time. That is why a lot
of tasks are being executed at night or scheduled automatically for other calm moments, resulting in higher availability
during busier periods and a more balanced use of the hardware. This property allows for Linux to be applicable also in
environments where people don’t have the time or the possibility to control their systems night and day.
Linux is secure and versatile: The security model used in Linux is based on the UNIX model of users, groups and
file permissions, which has been in use and under public scrutiny for decades and is known to be robust. Linux is
not only fit for use as a fort against attacks from the Internet: it adapts equally well to other roles, using the
same mechanisms. Bear in mind, though, that the model only provides the tools; a development machine or control
station is as secure as its configuration (least privilege, timely updates, no unnecessary services), not
automatically as secure as your firewall.
Linux is scalable: From a Palmtop with 2 MB of memory to a petabyte storage cluster with hundreds of nodes: add or
remove the appropriate packages and Linux fits all. You don’t need a supercomputer anymore, because you can use
Linux to do big things using the building blocks provided with the system. If you want to do little things, such as
making an operating system for an embedded processor or just recycling your old 486, Linux will do that as well.
The Linux OS and most Linux applications have very short debug-times: Because Linux has been developed and
tested by thousands of people, both errors and people to fix them are usually found rather quickly. It sometimes
happens that there are only a couple of hours between discovery and fixing of a bug.
Linux Cons
There are far too many different distributions: At first glance, the amount of Linux distributions can be frightening,
or ridiculous, depending on your point of view. But it also means that everyone will find what he or she needs. You
don’t need to be an expert to find a suitable release.
When asked, generally every Linux user will say that the best distribution is the specific version he is using.
So which one should you choose? Don’t worry too much about that: all releases contain more or less the
same set of basic packages. On top of the basics, special third party software is added making, for example,
TurboLinux more suitable for the small and medium enterprise, RedHat for servers and SuSE for
workstations. However, the differences are likely to be very superficial. The best strategy is to test a couple
of distributions; unfortunately not everybody has the time for this. Luckily, there is plenty of advice on the
subject of choosing your Linux. A quick search on Google, using the keywords “choosing your distribution”
brings up tens of links to good advice. The Installation HOWTO also discusses choosing your distribution.
Linux is not very user friendly and confusing for beginners: It must be said that Linux, at least the core system, is
less user friendly to use than MS Windows and certainly more difficult than MacOS, but… In light of its popularity,
considerable effort has been made to make Linux even easier to use, especially for new users. More information is
being released daily to help fill the gap for documentation available to users at all levels.
Is an Open Source product trustworthy? How can something that is free also be reliable? Linux users have the
choice whether to use Linux or not, which gives them an enormous advantage compared to users of proprietary
software, who don’t have that kind of freedom. After long periods of testing, most Linux users come to the conclusion
that Linux is not only as good, but in many cases better and faster than the traditional solutions. If Linux were not
trustworthy, it would have been long gone, never knowing the popularity it has now. Now users can influence their
systems and share their remarks with the community, so the system gets better and better every day. It is a project that
is never finished, that is true, but in an ever changing environment, Linux is also a project that continues to strive for
perfection.
5.1.6. Linux and GNU
Although there are a large number of Linux implementations, you will find a lot of similarities in the
different distributions. Linux may appear different depending on the distribution, your hardware and
personal taste, but the fundamentals on which all graphical and other interfaces are built, remain the same.
The Linux system is based on GNU tools (GNU's Not UNIX), which provide a set of standard ways to
handle and use the system.
All GNU tools are open source, so they can be installed on any system. Most distributions offer pre-compiled
packages of the most common tools, such as RPM packages on RedHat and .deb packages on Debian (installed with
the dpkg tool, or with apt on top of it), so you needn't be a programmer to install a package on your system.
However, if you are and like doing things yourself, you will enjoy Linux all the better, since most
distributions come with a complete set of development tools, allowing installation of new software purely
from source code. This setup also allows you to install software even if it does not exist in a pre-packaged
form suitable for your system.
The Linux kernel (the bones of your system) is not part of the GNU project but is released under the same
license as GNU software, the GNU GPL (version 2). A great majority of utilities and development tools (the meat
of your system), which are not Linux-specific, are taken from the GNU project. Because any usable system must
contain both the kernel and at least a minimal set of utilities, some people argue that such a system should be
called a GNU/Linux system.
5.1.7. About Linux Files and the File System
A simple description of the UNIX system, also applicable to Linux, is this: "On a UNIX system, everything
is a file; if something is not a file, it is a process." The statement is a slight simplification, because there
are special files that are more than just files (named pipes and sockets, for instance), but to keep things
simple, saying that everything is a file is an acceptable generalization. A Linux system, just like UNIX, makes
no distinction between a file and a directory, since a directory is just a file containing the names of other
files. Programs, services, texts, images, and so forth, are all files. Input and output devices, and generally
all devices, are presented as files by the system.
Sorts of Files
Most files are just files, called regular files; they contain normal data, for example text files, executable files
or programs, input for or output from a program and so on. The -l option to ls displays the file type, using the
first character of each output line:
hello@it4th:~$ ls -l
-rw-r--r-- 1 root  root   405 May 12  2020
drwxrwxr-x 6 hello hello 4096 Jul 19 18:25 Android
-rw-rw-r-- 1 hello hello  260 Nov 12 11:39 hello.vbs
The following table gives an overview of the characters determining the file type:
Symbol   Meaning
-        Regular file
d        Directory
l        Symbolic link
c        Character device (special file)
s        Socket
p        Named pipe (FIFO)
b        Block device
Linux File System
For convenience, the Linux file system is usually thought of in a tree structure as shown below:
Figure 5.2. Linux file system layout
This is a layout from a sample Linux system. Depending on the system administrator, the operating system
and the mission of the UNIX machine, the structure may vary, and directories may be left out or added at
will. The names are not even required by the kernel; they are a convention, written down for Linux in the
Filesystem Hierarchy Standard (FHS).
The tree of the file system starts at the trunk or slash, indicated by a forward slash (/). This directory,
containing all underlying directories and files, is also called root directory or “the root” of the file system.
Directory    Content
/bin         Common programs, shared by the system, the system administrator and the users.
/boot        The startup files and the kernel, vmlinuz; on most current distributions also the GRUB boot loader
             data. GRUB (the GRand Unified Bootloader) replaces the many different boot loaders that used to exist.
/dev         Device nodes for the system's peripheral hardware, represented as special files (character and block
             devices).
/etc         Most important system configuration files are in /etc; this directory plays a role comparable to the
             Control Panel in Windows.
/home        Home directories of the common users.
/lib         Library files, including the shared libraries needed by programs used by the system and the users, and
             the kernel modules.
/lost+found  Every ext file system has a lost+found directory, where fsck places files recovered after a failure.
/misc        For miscellaneous purposes.
/mnt         Standard mount point for external file systems, e.g. a CD-ROM or a digital camera.
/opt         Typically contains extra and third-party software.
/proc        Virtual file system containing information about system resources and running processes. Type
             man proc on the terminal for more information about the meaning of the files in /proc.
/root        The administrative user's home directory. Mind the difference between /, the root directory, and
             /root, the home directory of the root user.
/sbin        Programs for use by the system and the system administrator.
/tmp         Temporary space to be used by the system and all users; it is world-writable (with the sticky bit set,
             so users can only delete their own files) and its contents are usually cleaned at reboot, so don't use
             this for saving any work!
/usr         Programs, libraries, documentation etc. for all user-related programs.
/var         Storage for all variable files: log files, mail and print spools, temporary files downloaded from the
             Internet, or an image of a CD before burning it.
Table 5.1. Subdirectories of the root directory
Absolute/Relative Pathnames
Directories are arranged in a hierarchy with root (/) at the top. The position of any file within the hierarchy is
described by its pathname. Elements of a pathname are separated by a single / (forward slash). A pathname
is absolute, if it is described in relation to root, thus absolute pathnames always begin with a / (forward
slash). Following are some examples of absolute filenames:
/etc/passwd
/home/hello/programming/notes
A pathname can also be relative to your current working directory. Relative pathnames never begin with
/. Relative to user hello's home directory, some pathnames might look like this:
programming/notes
personal/reserved
To determine where you are within the filesystem hierarchy at any time, enter the command pwd to print the
current working directory:
$ pwd
/home/hello/Desktop
NOTE: There are two kinds of major partitions on a Linux system:
Data partition: normal Linux system data, including the root partition containing all the
data to start up and run the system; and
Swap partition: expansion of the computer’s physical memory, extra memory on hard disk.
The file system in reality
For most users and for most common system administration tasks, it is enough to accept that files and
directories are ordered in a tree-like structure. The computer, however, doesn’t understand a thing about
trees or tree-structures. Every partition has its own file system. By imagining all those file systems together,
we can form an idea of the tree-structure of the entire system, but it is not as simple as that. In a file system,
a file is represented by an inode, a kind of serial number containing information about the actual data that
makes up the file: to whom this file belongs, and where is it located on the hard disk. Every partition has its
own set of inodes; throughout a system with multiple partitions, files with the same inode number can exist.
Each inode describes a data structure on the hard disk, storing the properties of a file, including the physical
location of the file data. When a hard disk is initialized to accept data storage, usually during the initial
system installation process or when adding extra disks to an existing system, a fixed number of inodes per
partition is created. This number will be the maximum amount of files, of all types (including directories,
special files, links etc.) that can exist at the same time on the partition. We typically count on having 1 inode
per 2 to 8 kilobytes of storage.
At the time a new file is created, it gets a free inode. The inode holds the following information:
Owner and group owner of the file
File type (regular, directory, …)
Permissions on the file
Date and time of last access (atime) and of the last change to the contents (mtime)
Date and time this information in the inode was last changed (ctime; newer file systems such as ext4 also
record a creation time)
Number of (hard) links to this file
File size
An address defining the actual location of the file data.
The only information not included in an inode, is the file name and directory. These are stored in the special
directory files. By comparing file names and inode numbers, the system can make up a tree- structure that
the user understands. Users can display inode numbers using the -i option to ls (ls -i). The inodes have their
own separate space on the disk.
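The following script is an added example, not part of the original module; it uses Python's os and stat modules to show what the two preceding subsections describe: the type character that ls -l derives from the inode's mode bits, and the fact that a hard link is a second name for the same inode (link count 2) while a symbolic link gets an inode of its own. It creates its test files in a temporary directory; the file names (notes, queue and so on) are made up for the demonstration.

```python
import os
import stat
import tempfile

# First column of "ls -l": the file type encoded in the S_IFMT bits of st_mode.
_TYPE_CHARS = {
    stat.S_IFREG: "-",   # regular file
    stat.S_IFDIR: "d",   # directory
    stat.S_IFLNK: "l",   # symbolic link
    stat.S_IFCHR: "c",   # character device
    stat.S_IFBLK: "b",   # block device
    stat.S_IFIFO: "p",   # named pipe (FIFO)
    stat.S_IFSOCK: "s",  # socket
}


def file_type_char(path):
    """Return the ls -l type character; lstat() so a symlink is reported as 'l', not as its target."""
    st = os.lstat(path)
    return _TYPE_CHARS.get(stat.S_IFMT(st.st_mode), "?")


def inode_info(path):
    """Return (device, inode number, hard-link count) as 'ls -i' and 'stat' report them."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino, st.st_nlink)


def demo():
    """Create the file kinds an unprivileged user can make and compare their inodes.

    Everything happens in a temporary directory (constructed sample) that is removed afterwards.
    """
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "notes")
        with open(regular, "w") as fh:
            fh.write("hello\n")
        hard = os.path.join(d, "notes.hard")
        os.link(regular, hard)      # a second name for the SAME inode
        sym = os.path.join(d, "notes.sym")
        os.symlink("notes", sym)    # a new inode whose data is the target path
        fifo = os.path.join(d, "queue")
        os.mkfifo(fifo)             # a named pipe: a file that is really an IPC channel

        paths = {"dir": d, "regular": regular, "hard": hard, "symlink": sym, "fifo": fifo}
        types = {name: file_type_char(p) for name, p in paths.items()}
        dev_r, ino_r, nlink_r = inode_info(regular)
        _, ino_h, _ = inode_info(hard)
        _, ino_s, _ = inode_info(sym)
        return {
            "types": types,
            "hardlink_shares_inode": ino_r == ino_h,
            "symlink_shares_inode": ino_r == ino_s,
            "nlink_after_link": nlink_r,   # 2: both names point at one inode
            "device": dev_r,               # inode numbers are only unique within one file system
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("/dev/null is of type", file_type_char("/dev/null"))
```

Deleting one of the two hard-linked names only decrements the link count; the data disappears when the count reaches zero and no process holds the file open, which is why a removed log file can still fill a disk until the daemon writing it is restarted.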
5.2. Linux Systems and Network Concepts
What is Networking?
A network consists of multiple machines (computers) that are connected together and share all kinds of
information with each other. The connection can be made through waves and signals (wireless) or through
wires, depending on which is most convenient for the work and the type of information that needs to be shared.
In a network, multiple machines (hosts) are connected to a communication subnet that allows them to talk to
each other. They can communicate in two basic ways:
Through point-to-point channels
Through broadcast channels
Machines that cannot reach each other directly communicate through routers (intermediate machines).
Protocols are the sets of rules known by the entities exchanging data over the network. The protocols used by
the machines are organized in layers or levels, in such a way that each layer offers services to the layer above
it and is supported by the services of the layer below it. Each layer in a machine "talks with" its peer layer in
another machine; the rules governing this conversation form the protocol of that layer.
When we talk about network architecture, we are talking about the set of layers and protocols of a
computer network.
5.2.1. Network Configuration and Information
5.2.1.1. Configuration of network interfaces
All the big, user-friendly Linux distributions come with various graphical tools, allowing for easy setup of
the computer in a local network, for connecting it to an Internet Service Provider or for wireless access.
These tools can be started up from the command line or from a menu:
o Ubuntu: configuration is done by selecting System→Administration→Networking.
o RedHat Linux comes with redhat-config-network, which has both a graphical and a text mode interface.
o SuSE's YaST or YaST2 is an all-in-one configuration tool.
o Mandrake/Mandriva comes with a Network and Internet Configuration Wizard, which is preferably started
up from Mandrake's Control Center.
o On Gnome systems: gnome-network-preferences.
Your system documentation provides plenty of advice and information about availability and use of tools.
Information that you will need to provide:
o For connecting to the local network, i.e. with your home computers, or at work: hostname, domain name and
IP address. If you want to set up your own network, best do some more reading first. At work, this
information is likely to be given to your computer automatically (by DHCP) when you boot up. When in doubt,
it is better not to specify any information than to make it up.
o For connecting to the Internet: username and password for your ISP, and the telephone number when using a
modem. Your ISP usually assigns you an IP address automatically, together with all the other settings
necessary for your Internet applications to work.
5.2.1.2. Network configuration files
The graphical helper tools edit a specific set of network configuration files, using a couple of basic
commands. The exact names of the configuration files and their location in the file system is largely
dependent on your Linux distribution and version. However, a couple of network configuration files are
common on all UNIX systems:
/etc/hosts
The /etc/hosts file always contains the localhost IP address, 127.0.0.1, which is used for interprocess
communication. Never remove this line! It sometimes also contains addresses of additional hosts, which can
then be contacted without using an external naming service such as DNS (the Domain Name System). Because this
file is normally consulted before DNS (see nsswitch.conf below), an entry added here silently overrides the
DNS answer; the file must therefore stay writable by root only.
A sample hosts file for a small home network:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1      localhost.localdomain localhost
192.168.1.130  iud.edu.et IUD
Read more in man hosts.
/etc/resolv.conf
The /etc/resolv.conf file configures access to a DNS server. This file contains your domain name and the
name server(s) to contact:
search mylan.com
nameserver 193.134.20.4
Read more in the resolv.conf man page.
/etc/nsswitch.conf
The /etc/nsswitch.conf file defines the order in which to contact different name services. For Internet use, it
is important that dns shows up in the “hosts” line:
$ grep hosts /etc/nsswitch.conf
hosts: files dns
This instructs your computer to look up hostnames and IP addresses first in the /etc/hosts file, and to
contact the DNS server if a given host does not occur in the local hosts file. Other possible name services to
contact are LDAP, NIS and NIS+.
More in man nsswitch.conf.
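As an added example (not part of the original module), the following Python code models how the C library walks the sources on the hosts: line of nsswitch.conf, including the [STATUS=action] syntax: by default a SUCCESS result ends the lookup and NOTFOUND, UNAVAIL and TRYAGAIN move on to the next source. The nsswitch.conf, hosts and DNS contents are constructed samples; only the files and dns sources are implemented, and any other source (mdns4_minimal here) is treated as unavailable.

```python
import re

# Constructed sample configuration, not copied from any real host.
NSSWITCH_SAMPLE = """\
passwd:  files
group:   files
# Ubuntu-style hosts line: /etc/hosts first, multicast DNS for .local names, then DNS
hosts:   files mdns4_minimal [NOTFOUND=return] dns
"""

HOSTS_SAMPLE = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1     localhost.localdomain localhost
192.168.1.130 iud.edu.et IUD
"""

# Stand-in for the answers of the name server listed in /etc/resolv.conf (constructed).
DNS_SAMPLE = {
    "www.example.com": "198.51.100.10",
    "iud.edu.et": "203.0.113.7",   # deliberately different from the /etc/hosts entry
}


def parse_nsswitch_hosts(text):
    """Return [(source, {status: action}), ...] for the 'hosts:' line of nsswitch.conf."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            rest = line[len("hosts:"):]
            break
    else:
        raise ValueError("nsswitch.conf has no hosts: line")
    entries = []
    # A token is either a source name or a bracketed action list such as [NOTFOUND=return].
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action list before any source")
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok.lower(), {}))
    return entries


def parse_hosts(text):
    """Map every name (and alias) in /etc/hosts to its address; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def lookup(name, entries, hosts, dns):
    """Resolve name by walking the sources in order; returns (address, source) or (None, None).

    Default actions: SUCCESS=return, NOTFOUND/UNAVAIL/TRYAGAIN=continue. A bracketed action
    list overrides the default for the source it follows.
    """
    name = name.lower()
    for source, actions in entries:
        if source == "files":
            answer = hosts.get(name)
            status = "success" if answer else "notfound"
        elif source == "dns":
            answer = dns.get(name)
            status = "success" if answer else "notfound"
        else:
            answer, status = None, "unavail"   # backend not modelled here
        default = "return" if status == "success" else "continue"
        if actions.get(status, default) == "return":
            return answer, source
    return None, None


if __name__ == "__main__":
    entries = parse_nsswitch_hosts(NSSWITCH_SAMPLE)
    hosts = parse_hosts(HOSTS_SAMPLE)
    for host in ("IUD", "iud.edu.et", "www.example.com", "nothing.invalid"):
        print(host, "->", lookup(host, entries, hosts, DNS_SAMPLE))
```

Because files is consulted before dns, an entry in /etc/hosts wins over the name server's answer (iud.edu.et above), which is the reason the file must be writable by root only; a line such as hosts: files [NOTFOUND=return] dns stops the lookup as soon as /etc/hosts has no match, so names not listed there become unresolvable.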
5.2.1.3. Network configuration commands
The ip Command
The distribution-specific scripts and graphical tools are front-ends to ip (or ifconfig and route on older
systems) to display and configure the kernel’s networking configuration. The ip command is used for
assigning IP addresses to interfaces, for setting up routes to the Internet and to other networks, for displaying
TCP/IP configurations, etcetera. The commands ip addr show and ip route show display the IP address and
routing information. Things to note in the output:
o Two network interfaces appear, even on a system that has only one network interface card:
o "lo" is the loopback interface (the "local loop"), used for internal network communication;
✗ Don't ever change the loopback configuration, or your machine will start malfunctioning!
o "eth0" is a common name for a real interface. Wireless interfaces are usually named "wlan0" and modem
interfaces "ppp0", but there might be other names as well; recent distributions also use "predictable" names
such as enp0s3.
o IP addresses are marked with "inet": the loopback interface always has 127.0.0.1, the physical interface can
have any other combination.
o The hardware address of your interface, which might be required as part of the authentication procedure to
connect to a network, is marked with "link/ether". The loopback interface has 6 pairs of all zeros; a physical
interface has 6 pairs of hexadecimal digits, of which the first 3 pairs (the OUI) are vendor-specific.
The ifconfig Command
While ip is the current way to configure a Linux system, ifconfig (from the older net-tools package, no longer
installed by default on many distributions) is still popular. Use it without options to display network
interface information.
Here, too, we note the most important aspects of the interface configuration:
o The IP address is marked with "inet addr".
o The hardware address follows the "HWaddr" tag.
Both ifconfig and ip display more detailed configuration information and a number of statistics about each
interface and, maybe most important, whether it is "UP" and "RUNNING".
Network Interface Names
On a Linux machine, the device name lo, the loopback interface, is linked with the internal 127.0.0.1 address.
The computer will have a hard time making your applications work if this device is not present; it is always
there, even on computers which are not networked.
The first Ethernet device, eth0 in the case of a standard network interface card (or a name such as enp0s3 on
distributions using predictable interface names), carries your local LAN IP address. Normal client machines
only have one network interface card. Routers, connecting networks together, have one network device for each
network they serve. If you use a modem to connect to the Internet, your network device will probably be named
ppp0.
There are many more names, for instance for Virtual Private Network interfaces (VPNs), and multiple
interfaces can be active simultaneously, so that the output of the ifconfig or ip commands might become
quite extensive when no options are used. Even multiple interfaces of the same type can be active. In that
case, they are numbered sequentially: the first gets the number 0, the second the suffix 1, the third 2, and so
on. This is the case on many application servers, on machines which have a failover configuration, on routers,
firewalls and many more.
Checking the Host Configuration with netstat
Apart from the ip command for displaying the network configuration, there is the common netstat command,
which has a lot of options and is generally useful on any UNIX system. Routing information can be displayed
with the -nr option to the netstat command (ip route show gives the same information in a different layout).
When this machine tries to contact a host that is on another network than its own, indicated by the line
starting with 0.0.0.0 (the default route), it will send the packets to the machine (router) with IP address
192.168.42.1, and it will use its primary interface, eth0, to do this.
Hosts that are on the same network, the line starting with 192.168.42.0, will also be contacted through the
primary network interface, but no router is necessary; the data are just put on the network.
Machines can have much more complicated routing tables than this one, with lots of different “Destination-
Gateway” pairs to connect to different networks. If you have the occasion to connect to an application
server, for instance at work, it is most educating to check the routing information.
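As an added example (not part of the original module), the Python code below parses a netstat -nr table and picks the route the kernel would use for a destination address: every matching line is a candidate and the one with the longest netmask wins, the 0.0.0.0 line being the catch-all default. The table is a constructed sample consistent with the description above (192.168.42.0/24 on eth0 with 192.168.42.1 as default gateway); the tun0 lines are added to show a more specific route beating a less specific one.

```python
import ipaddress

# Constructed "netstat -nr" output, consistent with the routing discussion above.
NETSTAT_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.8.0.0        10.8.0.1        255.255.0.0     UG        0 0          0 tun0
10.8.5.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
0.0.0.0         192.168.42.1    0.0.0.0         UG        0 0          0 eth0
"""


def parse_netstat_routes(text):
    """Turn the table into [(network, gateway or None, iface), ...]."""
    routes = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Destination":      # header line: the entries follow
            in_table = True
            continue
        if not in_table:
            continue
        dest, gateway, genmask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        # "G" in Flags means the next hop is a router; otherwise the destination is on-link.
        next_hop = ipaddress.ip_address(gateway) if "G" in flags else None
        routes.append((network, next_hop, iface))
    return routes


def select_route(destination, routes):
    """Longest-prefix match, as the kernel does; returns (iface, gateway) or None if unroutable.

    gateway is None when the destination is reachable directly on that interface.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        return None
    return best[2], (str(best[1]) if best[1] is not None else None)


if __name__ == "__main__":
    table = parse_netstat_routes(NETSTAT_SAMPLE)
    for dest in ("192.168.42.17", "8.8.8.8", "10.8.5.7", "10.8.9.1"):
        print(dest, "->", select_route(dest, table))
```

When a host's traffic unexpectedly leaves through the wrong interface or gateway, running the real table through this selection for the affected address shows which line is winning; the default route's gateway is the address every off-link packet is handed to, so it is the first entry to verify.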
The host Command
To display information on hosts or domains, use the host command:
The ping Command
To check if a host is alive, use ping. On Linux, ping keeps sending packets until you interrupt it with the
Ctrl+C key combination (or limit the number of packets with -c):
The traceroute Command
To check the route that packets follow to a network host, use the traceroute command:
5.3. Linux User Administration
The Privileged root Account
For many tasks, the system administrator needs special privileges. Accordingly, he can make use of a special
user account called root. As root, a user is the so-called super user. In brief: he may do anything.
The normal file permissions and security precautions do not apply to root. He has nearly unbounded access
(unlimited privileges) to all data, devices and system components. He can make system changes that all other
users are prevented from making by the Linux kernel's security mechanisms. This means that, as root, you can
change every file on the system no matter who it belongs to.
Obtaining Administrator Privileges
There are two ways of obtaining administrator privileges:
1. You can log in as user root directly. After entering the correct root password you will obtain a shell with
administrator privileges. However, you should avoid logging in to the GUI as root, since then all graphical
applications would run with root privileges, which is not necessary and can lead to security problems. Nor
should direct root logins be allowed across the network.
2. You can, from a normal shell, use the su command to obtain a new shell with administrator privileges. su ,
like login , asks for a password and opens the root shell only after the correct root password has been input.
In GUIs like KDE there are similar methods.
Even if a Linux system is used by a single person only, it makes sense to create a normal account for this
user. During everyday work on the system as root, most of the kernel's normal security precautions are
circumvented, so a simple mistake can damage the whole system. You can avoid this danger by logging into your
normal account and starting a root shell via "su -" if and when required.
The second method is preferable to the first for another reason, too: If you use the su command to
become root after logging in to your own account, su creates a message like
Dec 1 08:18:21 HOST su: (to root) hello on /dev/tty2
in the system log (such as /var/log/messages or /var/log/auth.log, or the systemd journal). This entry means
that user hello successfully executed su to become root on terminal 2. If you log in as root directly, no such
message is logged; there is no way of figuring out which user has been using the root account. On a system with
several administrators it is often important to retrace who entered the su command and when.
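The following Python script is an added example, not part of the original module. It parses su messages of the form shown above from a syslog excerpt and reports who became root from which terminal, together with users who accumulated repeated FAILED SU entries, the line util-linux su writes when a wrong password is given (assumption: the optional [pid] after su and the "FAILED SU " prefix, as current util-linux versions log them). The log lines are constructed.

```python
import re
from collections import Counter

# Constructed syslog excerpt: the su line format from the text, with and without a [pid].
LOG_SAMPLE = """\
Dec  1 08:18:21 HOST su: (to root) hello on /dev/tty2
Dec  1 08:20:02 HOST su[2213]: FAILED SU (to root) abebe on /dev/pts/1
Dec  1 08:20:09 HOST su[2215]: FAILED SU (to root) abebe on /dev/pts/1
Dec  1 08:20:17 HOST su[2218]: FAILED SU (to root) abebe on /dev/pts/1
Dec  1 08:20:31 HOST su[2220]: (to root) abebe on /dev/pts/1
Dec  1 09:02:44 HOST su[2301]: (to postfix) hello on /dev/pts/3
Dec  1 09:03:00 HOST sshd[2400]: Accepted password for hello from 192.168.1.20 port 51822 ssh2
"""

# timestamp, host, "su" or "su[pid]", optional failure prefix, target, user, tty
SU_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(text):
    """Return one dict per su line: who tried to become whom, where, and whether it worked."""
    events = []
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if not m:
            continue   # not an su message (sshd, cron, ...)
        events.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"],
            "target": m["target"], "tty": m["tty"], "ok": m["failed"] is None,
        })
    return events


def report(events, fail_threshold=3):
    """Summarize: successful escalations to root, failures per user, and users at or over the threshold."""
    root_ok = [(e["user"], e["tty"]) for e in events if e["ok"] and e["target"] == "root"]
    failures = Counter(e["user"] for e in events if not e["ok"])
    suspects = sorted(u for u, n in failures.items() if n >= fail_threshold)
    return {"root_escalations": root_ok, "failures": dict(failures), "suspects": suspects}


if __name__ == "__main__":
    summary = report(parse_su_events(LOG_SAMPLE))
    for user, tty in summary["root_escalations"]:
        print(f"{user} became root on {tty}")
    print("repeated failures:", summary["suspects"])
```

Three failed attempts followed by a success from the same terminal, as in the sample, is the pattern of someone guessing the root password; on a real host feed the script /var/log/auth.log or the output of journalctl _COMM=su, and compare the successful escalations against the list of people who are supposed to know the root password.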
On many systems, the shell prompt differs between root and the other users. The classic root prompt
contains a hash mark (#), while other users see a prompt containing a dollar sign ($) or greater-than sign
(>). The # prompt is supposed to remind you that you are root with all ensuing privileges.
5.3.1. Why Users?
Computers used to be large and expensive, but today an office workplace without its own PC (“personal
computer”) is nearly inconceivable, and a computer is likely to be encountered in most domestic “dens” as
well. And while it may be sufficient for a family to agree that Dad, Mom and the
kids will put their files into different directories, this will no longer do in companies or universities — once
shared disk space or other facilities are provided by central servers accessible to many users, the computer
system must be able to distinguish between different users and to assign different access rights to them.
After all, Ms Abebech from the ICT department has as little business looking at the company’s payroll data
as Mr Abebe from Human Resources has accessing the detailed plans for next year’s products. And a
measure of privacy may be desired even at home— some adult contents should not be open to prying eyes as
a matter of course.
The second reason for distinguishing between different users follows from the fact that various aspects of the
system should not be visible, much less changeable, without special privileges. Therefore Linux manages a
separate user identity (root) for the system administrator, which makes it possible to keep information such
as users' passwords hidden from "common" users. The bane of older Windows systems, programs obtained by
e-mail or indiscriminate web surfing that then wreak havoc on the entire system, is much less of a threat on
Linux: anything you execute as a common user is confined to that user's rights, so it can damage your own files
but not the system as a whole (unless it finds a way to escalate its privileges, which is one more reason to
keep the system updated).
Therefore, generally when a computer is used by many people it is usually necessary to differentiate between
the users, for example, so that their private files can be kept private. This is important even if the computer
can only be used by a single person at a time, as with most microcomputers. Thus, each user is given a
unique username, and that name is used to log in.
Linux distinguishes between different users by means of different user accounts. The common distributions
typically create two user accounts during installation, namely root for administrative tasks and another
account for a “normal” user. You (as the administrator) may add more accounts later, or, on a client PC in a
larger network, they may show up automatically from a user account database stored elsewhere.
Under Linux, every user account is assigned a unique number, the so-called user ID (or UID, for short).
Every user account also features a textual user name (such as root or abebe) which is easier to remember
for humans. In most places where it counts—e. g., when logging in, or in a list of files and their owners—
Linux will use the textual name whenever possible.
NOTE: The Linux kernel doesn't know anything about textual user names; process data and the ownership data
in the file system use the UID exclusively. This may lead to difficulties if a user is deleted while he still
owns files on the system, and the UID is later reassigned to a different user: that user "inherits" the previous
UID owner's files. Before reusing a UID, find such files and reassign or remove them.
NOTE: There is no technical problem with assigning the same (numerical) UID to different user names.
These users have equal access to all files owned by that UID, but every user can have his own password.
You should not actually do this (or if you do, do it only with great circumspection); in particular, a second
user name with UID 0 is simply a second root account.
Users and Groups
To work with a Linux computer you need to log in first. This allows the system to recognise you and to
assign you the correct access rights (of which more later). Everything you do during your session (from
logging in to logging out) happens under your user account. In addition, every user has a home directory,
where only they can store and manage their own files, and where other users often have no read permission
and very emphatically no write permission. (Only the system administrator – root – may read and write all
files.)
Several users who want to share access to certain system resources or files can form a group. Linux
identifies group members either permanently, by listing the user name in the group's entry, or transiently,
through the newgrp command and a group password (a login procedure similar to that for users). Groups have
no "home directories" like users do, but as the administrator you can of course create arbitrary directories
meant for certain groups and having appropriate access rights.
Groups, too, are identified internally using numerical identifiers (“group IDs” or GIDs).
NOTE: Group names relate to GIDs as user names to UIDs: the Linux kernel only knows about the latter
and stores only the latter in process data or the file system.
Every user belongs to a primary group and possibly several secondary or additional groups. In a corporate
setting it would, for example, be possible to introduce project-specific groups and to assign the people
collaborating on those projects to the appropriate group in order to allow them to manage common data in a
directory only accessible to group members.
For the purposes of access control, all groups carry equivalent weight: every user always enjoys all rights
deriving from all the groups that he is a member of. The only difference between the primary and secondary
groups is that files newly created by a user are usually assigned to his primary group.
NOTE: Up to (and including) version 2.4 of the Linux kernel, a user could be a member of at most 32
additional groups; since Linux 2.6 the limit is 65536, which is unlimited for practical purposes.
You can find out a user account’s UID, the primary and secondary groups and the corresponding GIDs by
means of the id program:
You can use the last command to find who logged into your computer and when (and, in the case of logins
via the network, from where):
You might be bothered (and rightfully so!) by the fact that this somewhat sensitive information is apparently
made available on a casual basis to arbitrary system users. If you (as administrator) want to protect your
users' privacy better than your Linux distribution does by default, you can use the
# chmod o-r /var/log/wtmp
command (as root) to remove general read permissions from the file that last consults for the telltale data.
Users without administrator privileges then get to see something like
$ last
last: /var/log/wtmp: Permission denied
People and Pseudo-Users
Besides “natural” persons—the system’s human users—the user and group concept is also used to allocate
access rights to certain parts of the system. This means that, in addition to the personal accounts of the “real”
users like you, there are further accounts that do not correspond to actual human users but are assigned to
administrative functions internally. They define functional “roles” with their own accounts and groups.
After installing Linux, you will find several such pseudo-users and groups in the /etc/passwd and
/etc/group files. The most important role is that of the root user (which you know) and its eponymous group.
The UID and GID of root are 0 (zero).
root ’s privileges are tied to UID 0; GID 0 does not confer any additional access privileges.
Further pseudo-users belong to certain software systems (e. g., news for Usenet news using INN, or postfix
for the Postfix mail server) or certain components or devices (such as printers, tape or floppy drives). If
necessary, you can act as one of these accounts via the su command, like with any other account; since
pseudo-users normally have a locked password and a non-interactive shell such as /usr/sbin/nologin, this
works only from a root shell and usually needs an explicit shell, e. g. "su -s /bin/sh postfix". These
pseudo-users are helpful as file or directory owners, in order to fit the access rights tied to file
ownership to special requirements without having to use the root account. The same applies to groups; the
members of the disk group, for example, have block-level access to the system's disks. (Note that this is
equivalent to root access: whoever can read and write the raw disk devices can read or modify any file on
them, so membership in such groups must be granted as carefully as the root password.)
5.3.2. User and Group Information
The /etc/passwd File
The /etc/passwd file is the system user database. There is an entry in this file for every user on the system—
a line consisting of attributes like the Linux user name, “real” name, etc. After the system is first installed,
the file contains entries for most pseudo-users.
⟨user name⟩ : ⟨password⟩ : ⟨UID⟩ : ⟨GID⟩ : ⟨GECOS⟩ : ⟨home directory⟩ : ⟨shell⟩
User name: This name should consist of lowercase letters and digits; the first character should be a letter.
Unix systems often consider only the first eight characters—Linux does not have this limitation but in
heterogeneous networks you should take it into account.
NB: Resist the temptation to use special characters in user names, even if the system lets you do so—not all
tools that create new user accounts are picky, and you could of course edit /etc/passwd by hand. What seems
to work splendidly at first glance may lead to problems elsewhere later. You should also stay away from user
names consisting of only uppercase letters or only digits.
Password: Traditionally, this field contains the user’s encrypted password. Today, most Linux distributions
use “shadow passwords”; instead of storing the password in the publicly readable /etc/passwd file, it is
stored in /etc/shadow which can only be accessed by the administrator and some privileged programs. In
/etc/passwd , a “ x ” calls attention to this circumstance. Every user can avail himself of the passwd program
to change his password.
UID: The numerical user identifier, a number between 0 and 2^32 − 1. By convention, UIDs from 0 to 99 are
reserved for the system, UIDs from 100 to 499 are for use by software packages if they need pseudo-user
accounts. With most popular distributions, real users' UIDs start from 500 (or 1000).
Precisely because the system differentiates between users not by name but by UID, the kernel treats two
accounts as completely identical if they contain different user names but the same UID, at least as far as the
access privileges are concerned. A second entry with UID 0 under another name is therefore a second root
account, and checking /etc/passwd for such entries is a standard step when auditing a system.
GID: The GID of the user’s primary group after logging in. By virtue of the assignment in
/etc/passwd, every user must be a member of at least one group. The user’s secondary groups (if applicable)
are determined from entries in the /etc/group file.
Many distributions, such as Red Hat or Debian GNU/Linux, create a new group whenever a new account is
created, with the GID equalling the account's UID ("user private groups"). The idea behind this is to allow more
sophisticated assignments of rights than with the approach that puts all users into the same group users. Consider
the following situation: Abu is the personal assistant of CEO Kebede (user names abu and kebe respectively). Abu
sometimes needs to access files stored inside kebe's home directory that other users should not be able to
get at. The method used by Red Hat, Debian & co., "one group per user", makes it straightforward to put
user abu into group kebe and to arrange for kebe's files to be readable for all group members (the default
case) but not others. With the "one group for everyone" approach it would have been necessary to
introduce a new group completely from scratch, and to reconfigure the abu and kebe accounts
accordingly.
GECOS: This is the comment field, also known as the "GECOS field". GECOS stands
for "General Electric Comprehensive Operating System" and has nothing whatever to do with Linux, except
that in the early days of Unix this field was added to /etc/passwd in order to keep compatibility data for a
GECOS remote job entry service.
This field contains various bits of information about the user, in particular his "real" name and optional data
such as the office number or telephone number, separated by commas. This information is used by programs such
as mail and finger. Users can change it themselves with chfn; since /etc/passwd is world-readable, nothing
confidential belongs here.
home directory: This directory is that user’s personal area for storing his own files. A newly created home
directory is by no means empty, since a new user normally receives a number of “profile” files as his basic
equipment. When a user logs in, his shell uses his home directory as its current directory, i.e., immediately
after logging in the user is deposited there.
shell: The name of the program to be started by login after successful authentication; this is usually a
shell. The seventh field extends through the end of the line. For accounts that must not log in interactively
(most pseudo-users), /usr/sbin/nologin or /bin/false is entered here.
Some of the fields shown here may be empty. Absolutely necessary are only the user name, UID, GID and
home directory. For most user accounts, all the fields will be filled in, but pseudo-users might use only part
of the fields.
NB: as an administrator you should not edit /etc/passwd by hand with an ordinary editor. There are a number of
programs that will help you create and maintain user accounts (useradd, usermod, userdel, and vipw for locked
manual editing).
The /etc/shadow File
For security, nearly all current Linux distributions store hashed user passwords in the /etc/shadow file
("shadow passwords"). This file is unreadable for normal users; only root may write to it, while on Debian-derived
systems the members of the shadow group may read it in addition to root (other distributions allow no access
except for root). If you try to display the file as a normal user an error occurs. Use of /etc/shadow is not
mandatory but highly recommended.
This file contains one line for each user, with the following format:
⟨user name⟩:⟨password⟩:⟨change⟩:⟨min⟩:⟨max⟩:⟨warn⟩:⟨grace⟩:⟨lock⟩:⟨reserved⟩
Here is the meaning of the individual fields:
user name: This must correspond to an entry in the /etc/passwd file. This field joins the two files.
password: The user's hashed password. An empty field generally means that the user can log in without
a password (whether a login program actually permits that depends on its PAM configuration). An asterisk or an
exclamation point prevents the user in question from logging in with a password. It is common to lock users'
accounts without deleting them entirely by placing an exclamation point at the beginning of the existing
password hash (this is what "passwd -l" does); the hash is kept, so the account can later be unlocked again.
Note that this only disables password authentication: whether logins by other means (e. g. an SSH key) are
also refused depends on the service in question, so to disable an account completely you should additionally
set an expiry date in the past with chage -E and/or a non-interactive login shell.
You might think that if passwords are encrypted they can also be decrypted again. This would open all of
the system's accounts to a clever cracker who manages to obtain a copy of /etc/shadow. However, in
reality this is not the case, since password "encryption" is a one-way street: the field holds a salted hash
(crypt(3) format, e. g. "$6$..." for SHA-512 or "$y$..." for yescrypt), and it is impossible to recover the
clear-text password from the hash because the method used prevents this. The only way to "crack" a hash is
by hashing likely passwords with the same salt and checking whether the result matches what is in /etc/shadow.
This is why a leaked /etc/shadow is still serious for weak passwords, and why the file must stay unreadable.
change: The date of the last password change, in days since 1 January 1970.
min: The minimal number of days that must have passed since the last password change before the password
may be changed again.
max: The maximal number of days that a password remains valid without having to be changed. After this
time has elapsed the user must change his password.
warn: The number of days before the expiry of the ⟨max⟩ period that the user will be warned about having
to change his password. Generally, the warning appears when logging in.
grace: The number of days, counting from the expiry of the ⟨max⟩ period, after which the account will be
locked if the user doesn’t change his password. (During the time from expiry of ⟨max⟩ period and the expiry
of this grace period the user may log in but must immediately change his password.)
lock: The date on which the account will be definitively locked (the account expiry date), again in days since
1 January 1970. An empty field means that the account never expires.
reserved: Unused; kept for future extensions.
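The one-way property of the password field, shown as an added example that is not part of the course text. Real /etc/shadow entries use crypt(3) formats such as SHA-512-crypt ("$6$..."); the block below substitutes a simplified salted, iterated SHA-256 scheme in a made-up "$sim$" format so that it runs with the Python standard library alone, and the password field values it works on are constructed:

```python
"""Why a shadow password hash cannot be 'decrypted', only guessed.
Simplified stand-in for crypt(3): salted, iterated SHA-256 in a made-up
$sim$<salt>$<hex> format (assumption; real /etc/shadow uses e.g. $6$ SHA-512-crypt)."""
import hashlib
import hmac
import secrets

ROUNDS = 5000  # every verification, and therefore every cracking guess, pays for these rounds


def hash_password(password, salt=None, rounds=ROUNDS):
    """Return "$sim$<salt>$<hex>". The random salt makes equal passwords hash
    differently, so a table precomputed for one salt is useless for another."""
    if salt is None:
        salt = secrets.token_hex(8)
    digest = (salt + password).encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest + salt.encode()).digest()
    return "$sim$%s$%s" % (salt, digest.hex())


def verify_password(password, stored):
    """Re-hash the candidate with the salt from the stored string and compare.
    Nothing is decrypted; compare_digest avoids leaking where the strings differ."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "sim":
        return False  # "*", "!", "" or a locked "!$sim$..." entry never matches
    return hmac.compare_digest(hash_password(password, parts[2]), stored)


def password_state(field):
    """Interpret the password field of an /etc/shadow line."""
    if field == "":
        return "no password"
    if field in ("*", "!", "!!"):
        return "disabled"  # no hash at all: no password login is possible
    if field.startswith("!"):
        return "locked (hash kept)"  # passwd -l: can be unlocked, and is still crackable
    return "hashed"


def crack(field, wordlist):
    """The only attack on a one-way hash: try likely passwords. A locked entry
    still carries the hash behind the '!' prefix, so an attacker simply strips it."""
    target = field.lstrip("!")
    for guess in wordlist:
        if verify_password(guess, target):
            return guess
    return None


def demo():
    """Constructed shadow fields: a weak and a strong password, plus a locked copy."""
    weak = hash_password("s3cret", salt="0123456789abcdef")
    strong = hash_password("correct horse battery staple", salt="0123456789abcdef")
    wordlist = ["123456", "password", "qwerty", "s3cret", "letmein"]
    return {
        "weak_state": password_state(weak),
        "locked_state": password_state("!" + weak),
        "weak_cracked": crack(weak, wordlist),
        "locked_cracked": crack("!" + weak, wordlist),
        "strong_cracked": crack(strong, wordlist),
        "same_password_different_salt": hash_password("s3cret") != weak,
    }
```

The login check (verify_password) fails for a locked entry, but crack() finds the weak password behind the "!" just as quickly as in the unlocked one: locking protects the account, not the hash.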
The /etc/group File
By default, Linux keeps group information in the /etc/group file. This file contains one-line entry for each
group in the system, which consists of fields separated by colons (:). More precisely, /etc/group contains
four fields per line.
⟨group name⟩ : ⟨password⟩ : ⟨GID⟩ : ⟨members⟩
Their meaning is as follows:
group name: The name of the group, for use in directory listings, etc.
password: An optional password for this group. This lets users who are not listed as members of the group
in /etc/group assume membership of the group using newgrp, provided they know the password. A "!" or "*"
(no valid hash) prevents non-members from changing to the group in question. An "x" refers to the separate
password file /etc/gshadow. Group passwords are shared secrets and rarely useful; leave this field locked
unless you really need them.
GID: The group’s numerical group identifier.
members: A comma-separated list of user names. This list contains all users who have this group as a
secondary group, i.e., who are members of this group but have a different value in the GID field of
their /etc/passwd entry. (Users with this group as their primary group may also be listed here but that is
unnecessary.)
5.3.3. Managing User Accounts and Group Information
After a new Linux distribution has been installed, there is often just the root account for the system
administrator and the pseudo-users’ accounts. Any other user accounts must be created first (and most
distributions today will gently but firmly nudge the installing person to create at least one “normal” user
account).
As the administrator, it is your job to create and manage the accounts for all required users (real and pseudo).
To facilitate this, Linux comes with several tools for user management. With them, this is mostly a
straightforward task, but it is important that you understand the background.
Creating User Accounts
The procedure for creating a new user account is always the same (in principle) and consists of the following
steps:
1. You must create entries in the /etc/passwd (and possibly /etc/shadow) files.
2. If necessary, one or more entries must be added to the /etc/group file.
3. You must create the home directory, copy a basic set of files into it, and transfer ownership of the lot to the
new user.
4. If necessary, you must enter the user in further databases, e. g., for disk quotas, database access privilege
tables and special applications.
All files involved in adding a new account are plain text files. You can perform each step manually using a
text editor. However, as this is a job that is as tedious as it is elaborate, it behooves you to let the system help
you, by means of the useradd program.
Refer to the lab manual and the man page of useradd on how to create new users.
After a new user has been created using useradd, the new account is not yet accessible: its password field
in /etc/shadow is locked ("!" or "!!", depending on the distribution) until the system administrator sets a
password.
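The four steps above, carried out against a throwaway copy of the user database, as an added example that is not part of the course text and not the useradd program itself. It builds a fake root directory with constructed /etc/passwd, /etc/shadow, /etc/group and /etc/skel contents, adds a user with a private group, a locked password and a home directory populated from skel, and skips the chown step unless it runs as root. The starting entries (root, kebe, and a staff group already occupying GID 1001) are assumptions made for the demonstration:

```python
"""The steps behind useradd, done by hand against a fake root directory.
Constructed starting contents; nothing on the real system is touched."""
import os
import re
import shutil
import tempfile
from datetime import date

PASSWD0 = ("root:x:0:0:root:/root:/bin/bash\n"
           "kebe:x:1000:1000:Kebede,CEO,,:/home/kebe:/bin/bash\n")
SHADOW0 = ("root:$6$constructed$hash:18972:0:99999:7:::\n"
           "kebe:$6$constructed$hash:18972:0:99999:7:::\n")
GROUP0 = "root:x:0:\nkebe:x:1000:\nstaff:x:1001:\n"  # GID 1001 is already taken
SKEL = {".profile": "# constructed .profile\n", ".bashrc": "# constructed .bashrc\n"}


def make_fake_root():
    """Temporary directory laid out like / with etc/{passwd,shadow,group,skel} and home/."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "skel"))
    os.makedirs(os.path.join(root, "home"))
    for fname, text in (("passwd", PASSWD0), ("shadow", SHADOW0), ("group", GROUP0)):
        with open(os.path.join(etc, fname), "w") as f:
            f.write(text)
    os.chmod(os.path.join(etc, "shadow"), 0o600)  # hashes are never world-readable
    for fname, text in SKEL.items():
        with open(os.path.join(etc, "skel", fname), "w") as f:
            f.write(text)
    return root


def entries(path):
    with open(path) as f:
        return [line.rstrip("\n") for line in f if line.strip()]


def next_free_id(lines, start=1000):
    """Smallest ID >= start not present in field 3 (UID in passwd, GID in group)."""
    used = {int(line.split(":")[2]) for line in lines}
    n = start
    while n in used:
        n += 1
    return n


def add_user(root, name, gecos="", shell="/bin/bash", today=None):
    """Steps 1-3: database entries, home directory from skel, ownership.
    Returns (uid, gid); the password is left locked ("!") for passwd to set."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", name):
        raise ValueError("refusing unsafe user name %r" % name)
    if ":" in gecos or "\n" in gecos:  # would inject extra fields or lines into passwd
        raise ValueError("illegal character in GECOS field")
    etc = os.path.join(root, "etc")
    passwd, shadow, group = (os.path.join(etc, n) for n in ("passwd", "shadow", "group"))
    if any(line.split(":")[0] == name for line in entries(passwd) + entries(group)):
        raise ValueError("user or group %s already exists" % name)
    uid = next_free_id(entries(passwd))
    gid = next_free_id(entries(group), start=uid)  # private group, GID == UID if free
    days = today if today is not None else (date.today() - date(1970, 1, 1)).days
    home = "/home/" + name
    with open(passwd, "a") as f:
        f.write("%s:x:%d:%d:%s:%s:%s\n" % (name, uid, gid, gecos, home, shell))
    with open(shadow, "a") as f:
        f.write("%s:!:%d:0:99999:7:::\n" % (name, days))
    with open(group, "a") as f:
        f.write("%s:x:%d:\n" % (name, gid))
    home_path = os.path.join(root, home.lstrip("/"))
    os.mkdir(home_path, 0o700)  # private by default; relax deliberately if wanted
    for fname in os.listdir(os.path.join(etc, "skel")):
        shutil.copy(os.path.join(etc, "skel", fname), home_path)
    if os.geteuid() == 0:  # chown needs CAP_CHOWN; skipped when demonstrating unprivileged
        for dirpath, _dirs, files in os.walk(home_path):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                try:
                    os.chown(p, uid, gid)
                except PermissionError:  # root without CAP_CHOWN (restricted container)
                    break
    return uid, gid


def demo(today=18972):
    """Add abu to a fresh fake root, report what was written, then retry the name."""
    root = make_fake_root()
    try:
        uid, gid = add_user(root, "abu", gecos="Abu,,,", today=today)
        home = os.path.join(root, "home", "abu")
        result = {"ids": (uid, gid),
                  "passwd": entries(os.path.join(root, "etc", "passwd"))[-1],
                  "shadow": entries(os.path.join(root, "etc", "shadow"))[-1],
                  "group": entries(os.path.join(root, "etc", "group"))[-1],
                  "home_files": sorted(os.listdir(home)),
                  "home_mode": os.stat(home).st_mode & 0o777}
        try:
            add_user(root, "abu")  # names are the key: a duplicate must be refused
            result["duplicate_refused"] = False
        except ValueError:
            result["duplicate_refused"] = True
        return result
    finally:
        shutil.rmtree(root)
```

Because staff already holds GID 1001, the new user gets UID 1001 but private group 1002, the same fallback useradd makes when GID equal to UID is unavailable; step 4 (quotas, application databases) has no generic form and is left out.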
The passwd Command
The passwd command is used to set up passwords for users. If you are logged in as root, then
$ passwd new_user
asks for a new password for new_user (you must enter it twice, as it will not be echoed to the screen).
The passwd command is also available to normal users, to let them change their own passwords (changing
other users' passwords is root's prerogative):
$ passwd
Changing password for hello.
(current) UNIX password: # just type, it will not be echoed to the screen
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
On the side, passwd serves to manage various settings in /etc/shadow. For example, you can look at a user's
"password state" by calling the passwd command with the -S option:
$ passwd -S hello
hello P 12/11/2021 0 99999 7 -1
In the above output, the first field is the user name, followed by the password state ("PS" or "P" if a
password is set, "LK" or "L" for a locked account, and "NP" for an account with no password at all). The
other fields are the date of the last password change (third), the minimum and maximum interval for
changing the password (fourth and fifth), the expiry warning interval (sixth), and the "grace period" before
the account is locked completely after the password has expired (last; -1 means that no such period is set).
You can change some of these settings by means of passwd options. Here are a few examples:
$ passwd -l hello # lock the account (prefixes the hash with "!")
$ passwd -u hello # unlock the account
$ passwd -n 7 hello # password may be changed at most every 7 days
$ passwd -x 30 hello # password must be changed at least every 30 days
$ passwd -w 3 hello # warn the user 3 days before the password expires
Changing the remaining settings in /etc/shadow requires the chage command:
$ chage -E 2021-12-21 hello # expire (lock) the account on 21 December 2021
$ chage -E -1 hello # cancel the expiry date
$ chage -I 7 hello # grace period of 1 week after password expiry
$ chage -m 7 hello # like passwd -n
$ chage -M 7 hello # like passwd -x
$ chage -W 3 hello # like passwd -w
$ chage -l hello # list all aging settings of the account
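The aging fields of /etc/shadow and the way passwd -S and chage present them, evaluated for a given day, as an added example that is not part of the course text. The shadow lines are constructed (the hello entry reproduces the passwd -S output shown above, the kebe entry uses min 7, max 30, warn 3 and a 7-day grace period), the hash strings are placeholders, and the "today" values are chosen to reach every state:

```python
"""Evaluate the aging fields of /etc/shadow the way login checks them, and
produce the `passwd -S` summary. Sample lines are constructed; hashes are placeholders."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# name:hash:lastchg:min:max:warn:inact:expire:reserved (dates in days since 1970-01-01)
SHADOW = """\
hello:$6$constructed$hash:18972:0:99999:7:::
kebe:$6$constructed$hash:18972:7:30:3:7::
abu:!$6$constructed$hash:18972:0:99999:7:::
guest::18972:0:99999:7:::
former:$6$constructed$hash:18972:0:99999:7::18980:
"""

# Which option sets which field: chage -d lastchg, -m min (passwd -n),
# -M max (passwd -x), -W warn (passwd -w), -I inact, -E expire.


def days(d):
    """Calendar date -> days since the epoch, the unit used in the file."""
    return (d - EPOCH).days


def _num(field):
    """Numeric shadow field; an empty field means 'not set'."""
    return int(field) if field != "" else None


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError("malformed shadow line: %r" % line)
        f += [""] * (9 - len(f))
        entries[f[0]] = {"pw": f[1], "lastchg": _num(f[2]), "min": _num(f[3]),
                         "max": _num(f[4]), "warn": _num(f[5]), "inact": _num(f[6]),
                         "expire": _num(f[7])}
    return entries


def status_line(name, e):
    """Mimic `passwd -S`: name, P/L/NP, last change as mm/dd/yyyy, then
    min max warn inact (unset fields print as -1, like the real tool)."""
    pw = e["pw"]
    state = "L" if pw[:1] in ("!", "*") else ("NP" if pw == "" else "P")
    changed = (EPOCH + timedelta(days=e["lastchg"] or 0)).strftime("%m/%d/%Y")
    nums = " ".join(str(-1 if e[k] is None else e[k])
                    for k in ("min", "max", "warn", "inact"))
    return "%s %s %s %s" % (name, state, changed, nums)


def can_change_password(e, today):
    """min: the password may not be changed again before lastchg + min."""
    if e["lastchg"] is None or not e["min"]:
        return True
    return today >= e["lastchg"] + e["min"]


def aging_state(e, today):
    """What a login on day `today` runs into, given the aging fields."""
    if e["expire"] is not None and today >= e["expire"]:
        return "account expired"  # chage -E: definitive lock, independent of the password
    if e["lastchg"] is None:
        return "aging disabled"
    if e["lastchg"] == 0:
        return "must change password at next login"  # chage -d 0
    if e["max"] is None:
        return "ok"
    expires = e["lastchg"] + e["max"]
    if today < expires:
        if e["warn"] and today >= expires - e["warn"]:
            return "warning: password expires in %d day(s)" % (expires - today)
        return "ok"
    if e["inact"] is None or today < expires + e["inact"]:
        return "password expired: change required at login"  # the grace period
    return "locked: inactivity period exceeded"


def demo():
    """Walk the kebe entry through its timeline, offsets in days after the last change."""
    shadow = parse_shadow(SHADOW)
    last = shadow["kebe"]["lastchg"]
    timeline = {}
    for offset in (3, 7, 28, 29, 30, 36, 37):
        today = last + offset
        timeline[offset] = (can_change_password(shadow["kebe"], today),
                            aging_state(shadow["kebe"], today))
    return timeline
```

Note the order of the checks: an expiry date set with chage -E overrides everything else, which is what makes it the reliable way to disable an account, whereas a locked password (the abu entry) still reports "ok" to the aging logic.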
You cannot retrieve a clear-text password even if you are the administrator. Even
checking /etc/shadow doesn't help, since this file stores only password hashes. If a user forgets
their password, it is usually sufficient to set a new one using the passwd command.
Should you have forgotten the root password and not be logged in as root by any chance, your last option is to
boot Linux to a shell (e. g. with init=/bin/bash on the kernel command line, followed by "mount -o remount,rw /"),
or to boot from a rescue disk or CD and mount the root filesystem. After that you can run "passwd root" from that
shell, or use an editor to clear the ⟨password⟩ field of the root entry in /etc/shadow (with shadow passwords,
the field in /etc/passwd contains only the "x" reference). Be aware that this procedure is available to anyone
with physical access to the machine, which is why a boot loader password and full-disk encryption are part of
protecting a system.
Deleting User Accounts
To delete a user account, you need to remove the user’s entries from /etc/passwd and /etc/shadow, delete all
references to that user in /etc/group, and remove the user’s home directory as well as all other files created
or owned by that user. If the user has, e.g., a mail box for incoming messages in
/var/mail, that should also be removed.
There is a suitable command to automate these steps. The userdel command removes a user account
completely. Its syntax:
userdel [-r] ⟨user name⟩
The -r option ensures that the user's home directory (including its content) and his mail box in
/var/mail will be removed; other files belonging to the user, e. g., crontab files (remove them beforehand with
"crontab -r -u ⟨user name⟩"), must be deleted manually.
A quick way to locate files belonging to a certain user is the command
find / -xdev -uid ⟨UID⟩
Check the list before appending -delete to remove them: the command walks the whole filesystem, -delete removes
directories as well as files, and the numerical UID (not the name) must be used because the name no longer
exists after userdel.
Without the -r option, only the user information is removed from the user database; the home directory
remains in place. Files left behind keep their numerical owner, and a later account that is assigned the same
UID inherits access to them; this is a good reason to clean up thoroughly.
Changing User Accounts and Group Assignment
User accounts and group assignments are traditionally changed by editing the /etc/passwd and
/etc/group files. However, all current systems provide the commands usermod and groupmod for the same
purpose, and you should prefer these since they are safer and mostly more convenient to use.
The usermod program accepts mostly the same options as useradd, but changes existing user accounts
instead of creating new ones. For example, with
usermod -g ⟨group⟩ ⟨user name⟩
you could change a user's primary group, and with "usermod -aG ⟨group⟩ ⟨user name⟩" add the user to a
secondary group (without -a, the -G option replaces the complete list of secondary groups).
Caution! If you want to change an existing user account's UID, you could edit the ⟨UID⟩ field in
/etc/passwd directly, or better use "usermod -u ⟨new UID⟩ ⟨user name⟩", which also changes the owner of the
files in the user's home directory. Files elsewhere still carry the old UID, and if you edited /etc/passwd by
hand you must transfer all of the user's files yourself using chown: "chown -R hello /home/hello" re-confers
ownership of all files below user hello's home directory to user hello after you have changed the UID for that
account, and "find / -xdev -uid ⟨old UID⟩ -exec chown hello {} +" catches the rest. If "ls -l" displays a
numerical UID instead of a textual name, this means that there is no user name for the UID of these files.
You can fix this using chown.
Changing User Information Directly— vipw
The vipw command invokes an editor (vi, or the one named in the VISUAL or EDITOR environment variable) to
edit /etc/passwd directly. At the same time, the file in question is locked in order to keep other users from
simultaneously changing the file using, e. g., passwd (which changes would otherwise be lost). "vipw -s" does
the same for /etc/shadow, and vigr (or "vigr -s") for /etc/group (or /etc/gshadow).
Creating, Changing and Deleting Groups
Like user accounts, you can create groups using any of several methods. The “manual” method is much less
tedious here than when creating new user accounts: Since groups do not have home directories, it is usually
sufficient to edit the /etc/group file using any text editor, and to add a suitable new line. When group
passwords are used, another entry must be added to /etc/gshadow.
Incidentally, there is nothing wrong with creating directories for groups. Group members can place the fruits
of their collective labour there. The approach is similar to creating user home directories, although no basic
set of configuration files needs to be copied.
For group management, there are, by analogy to useradd, usermod, and userdel,
the groupadd, groupmod, and groupdel programs that you should use in favour of editing /etc/group and
/etc/gshadow directly. With groupadd you can create new groups simply by giving the correct command
parameters:
groupadd [-g ⟨GID⟩] ⟨group name⟩
The -g option allows you to specify a given group number, which is a positive integer. The values up to 99
are usually reserved for system groups. If -g is not specified, the next free GID is used.
You can edit existing groups with groupmod without having to write to /etc/group directly:
groupmod [-g ⟨GID⟩] [-n ⟨name⟩] ⟨group name⟩
The "-g ⟨GID⟩" option changes the group's GID. Files that belonged to the old GID keep that numerical group
and must be adjusted manually (e. g. with "find / -xdev -gid ⟨old GID⟩ -exec chgrp ⟨group name⟩ {} +").
The "-n ⟨name⟩" option sets a new name for the group without changing the GID; manual
adjustments are not necessary.
There is also a tool to remove group entries. This is unsurprisingly called groupdel:
groupdel ⟨group name⟩
groupdel refuses to remove a group that is still the primary group of an existing user; change those users'
primary group first.
5.4. Linux Service/Server Administration
5.4.1 Supporting a Windows Network – through SAMBA
5.4.1.1. What Samba is All About [From samba.org]
The commercialization of the Internet over the past few years has created something of a modern melting
pot. It has brought business-folk and technologists closer together than was previously thought possible. As a
side effect, Windows and Unix systems have been invading each others’ turf, and people expect that they
will not only play together nicely, but that they will share.
A lot of emphasis has been placed on peaceful coexistence between Unix and Windows. The Usenix
Association (http://www.usenix.org/) has even created an annual conference around this theme.
Unfortunately, the two systems come from very different cultures and they have difficulty getting along
without mediation, and that, of course, is Samba's job. Samba runs on Unix platforms, but speaks to
Windows clients like a native. It allows a Unix system to move into a Windows "Network Neighborhood"
without causing a stir. Windows users can happily access file and print services without knowing or caring
that those services are being offered by a Unix host.
All of this is managed through a protocol suite which for a time was known as the "Common Internet File
System", or CIFS. This name was introduced by Microsoft, and provides some insight into their hopes for
the future. At the heart of CIFS is the Server Message Block (SMB) protocol, which has a long and tedious
history; the dialects in use today are called SMB2 and SMB3, and "CIFS" strictly refers to the old SMB1
dialect. Samba is an open source implementation of all of these, and is available for free from
the http://samba.org/ mirror sites.
Samba and Windows are not the only ones to provide CIFS networking. OS/2 supports SMB file and print
sharing, and there are commercial CIFS products for Macintosh and other platforms (including several
others for Unix). Samba has been ported to a variety of non-Unix operating systems, including VMS,
AmigaOS, & NetWare. CIFS is also supported on dedicated file server platforms from a variety of vendors.
In other words, this stuff is all over the place.
5.4.1.2. History
It started a long time ago, in the early days of the PC, when IBM and Sytec co-developed a simple
networking system designed for building small LANs. The system included something called NetBIOS,
or Network Basic Input Output System. NetBIOS was a chunk of software that was loaded into memory to
provide an interface between programs and the network hardware. It included an addressing scheme that
used 16-byte names to identify workstations and network-enabled applications. Next, Microsoft added
features to DOS that allowed disk I/O to be redirected to the NetBIOS interface, which made disk space
sharable over the LAN. The file-sharing protocol that they used eventually became known as SMB, and
now CIFS.
Lots of other software was also written to use the NetBIOS API (Application Programmer’s Interface),
which meant that it would never, ever, ever go away. Instead, the workings beneath the API were cleverly
gutted and replaced. NetBEUI (NetBIOS Enhanced User Interface), introduced by IBM, provided a
mechanism for passing NetBIOS packets over Token Ring and Ethernet. Others developed NetBIOS LAN
emulation over higher-level protocols including DECnet, IPX/SPX and, of course, TCP/IP.
NetBIOS and TCP/IP made an interesting team. The latter could be routed between interconnected networks
(internetworks), but NetBIOS was designed for isolated LANs. The trick was to map the 16- byte NetBIOS
names to IP addresses so that messages could actually find their way through a routed IP network. A
mechanism for doing just that was described in the Internet RFC1001 and RFC1002 documents. As
Windows evolved, Microsoft added two additional pieces to the SMB package. These were service
announcement, which is called “browsing”, and a central authentication and authorization service known as
Windows NT Domain Control.
Meanwhile, on the Other Side of the Planet…
Andrew Tridgell, who is both tall and Australian, had a bit of a problem. He needed to mount disk space
from a Unix server on his DOS PC. Actually, this wasn’t the problem at all because he had an NFS
(Network File System) client for DOS and it worked just fine. Unfortunately, he also had an application that
required the NetBIOS interface. Anyone who has ever tried to run multiple protocols under DOS knows that
it can be…er…quirky.
So Andrew chose the obvious solution. He wrote a packet sniffer, reverse engineered the SMB protocol, and
implemented it on the Unix box. Thus, he made the Unix system appear to be a PC file server, which
allowed him to mount shared filesystems from the Unix server while concurrently running NetBIOS
applications. Andrew published his code in early 1992. There was a quick, but short succession of bug-fix
releases, and then he put the project aside. Occasionally he would get e-mail about it, but he otherwise
ignored it. Then one day, almost two years later, he decided to link his wife’s Windows PC with his own
Linux system. Lacking any better options, he used his own server code. He was actually surprised when it
worked.
Through his e-mail contacts, Andrew discovered that NetBIOS and SMB were actually (though nominally)
documented. With this new information at his fingertips he set to work again, but soon ran into another
problem. He was contacted by a company claiming trademark on the name that he had chosen for his server
software. Rather than cause a fuss, Andrew did a quick scan against a spell-checker dictionary, looking for
words containing the letters “smb”. “Samba” was in the list. Curiously, that same word is not in the
dictionary file that he uses today. (Perhaps they know it’s been taken.)
The Samba project has grown mightily since then. Andrew now has a whole team of programmers, scattered
around the world, to help with Samba development. When a new release is announced, thousands of copies
are downloaded within days. Commercial systems vendors, including Silicon Graphics, bundle Samba with
their products. There are even Samba T-shirts available. Perhaps one of the best measures of the success of
Samba is that it was listed in the “Halloween Documents”, a pair of internal Microsoft memos that were
leaked to the Open Source community. These memos list Open Source products which Microsoft considers
to be competitive threats. The absolutely best measure of success, though, is that Andrew can still share the
printer with his wife.
5.4.1.3. General Overview
SMB (Server Message Block) is the protocol used by Windows systems to share files and printers across a
network, just like the NFS and LPR protocols are used by Unix systems. Any time you use the Network
Neighborhood, My Network Places, or map network drive features of Windows, the SMB protocol is being
used. Because it is the standard method of file sharing on Windows systems, it has become the most
commonly used method of sharing files on local networks.
Even though SMB is thought of as a Windows protocol, it was originally developed at IBM and has been
implemented by many different companies and in many products. The original dialect is often referred to as CIFS
(the Common Internet File System), a name that did not change the protocol itself; the newer SMB2 and SMB3
dialects did, and SMB1/CIFS is now deprecated and disabled by default in current Windows and Samba releases.
Ancient clients can therefore access a modern server only if SMB1 is deliberately re-enabled, which exposes the
server to the well-known weaknesses of that dialect.
An SMB server is a system that has files or printers that it wants to allow other hosts access to. An SMB
client is a system that wants to read or write files on a server, or print to a server’s printer. A single system
can be both a client and a server, and all releases of Windows from 95 onwards include software for these
purposes. However, on a typical organization’s network there is a single large server system and many
smaller clients that access files on it.
Every host that uses the SMB protocol has a hostname, which is typically the same as its DNS name. A
server host can have multiple shares, each of which has a unique name and corresponds to a directory or
local printer on the server system. Shares are referred to using the \\hostname\sharename notation, such
as \\WCU\documents. On Windows clients, file shares are normally mapped to drive letters such as S: so
that they can be more easily referred to. All Windows applications can read and write files on a server in
exactly the same way that they would for local files.
Shared printers accessed by a client are not assigned a drive letter, but may be connected to a fake printer
port such as lpt2:. Clients can send jobs to the printer, view those that are currently waiting to be printed and
cancel jobs submitted by the same user. Unlike the Unix LPR protocol, clients using a remote printer must
have the appropriate driver installed, and must send data to the server in the format that the printer actually
accepts.
Fortunately, it is possible for Linux and Unix systems to participate in SMB file and printer sharing as well.
The software that makes this all possible is called Samba, a completely free re-implementation of the SMB
protocol for Unix systems. Samba has been available and under development for many years, ever since the
SMB protocol first started to be used on DOS systems. It allows a Unix system to do as good a job of
serving Windows clients as a real Windows server would – in fact, some would say that it is even better.
Samba uses two daemon processes, named smbd and nmbd. The first handles actual file or printer share
requests from clients, while the second responds to NetBIOS name lookup requests and handles browsing. Both
daemons use the smb.conf configuration file, which on Linux distributions is usually found in /etc/samba (or
in /etc, depending on the build). smbd checks this file for changes about once a minute and re-reads it; a
SIGHUP (or "smbcontrol all reload-config") forces a reload immediately. New settings apply to new client
connections, so in practice the daemons need not be restarted after editing the file; run "testparm" first to
catch syntax errors before they reach a running server.
Unfortunately, there are some complexities that arise when sharing files between Unix and Windows
systems. The SMB protocol has no support for concepts such as file ownership or permissions, at least not in
the form that they exist on Unix systems. NTFS filesystem access control lists (used on Windows NT, 2000,
XP and Vista) are supported instead, which are incompatible with normal Unix permissions. Samba does
have some support for them, but setting it up is complex and not covered in this module.
The SMB protocol supports authentication, so that clients can be forced to provide a valid username and
password to the server before they can access a share. The Samba server uses the standard Unix user
database to validate clients, although actual Unix passwords cannot be used: SMB authenticates with a
challenge-response exchange based on the NT hash of the password, which cannot be derived from the one-way
crypt(3) hash in /etc/shadow, so Samba keeps its own password database (maintained with smbpasswd or pdbedit).
When a client logs in to a Samba server, it accesses files with the permissions of the Unix user that it
authenticated as, just as an FTP client would. This means that all the normal file permission and ownership
rules apply.
Samba can be compiled on every version of Unix supported by Webmin, and has the same features on all of
them. This means that the Webmin Samba module's user interface is the same as well, although differences in
the default configuration may cause some features to be initially inaccessible.
5.4.1.4. What Samba Does
Samba consists of two key programs (see above), plus a bunch of other stuff that we'll get to later.
The two key programs are smbd and nmbd. Their job is to implement the four basic modern-day CIFS
services, which are:
1. File & print services
2. Authentication and Authorization
3. Name resolution
4. Service announcement (browsing)
File and print services are, of course, the cornerstone of the CIFS suite. These are provided by smbd,
the SMB Daemon. Smbd also handles "share mode" and "user mode" authentication and
authorization. That is, you can protect shared file and print services by requiring passwords. In share mode,
the simplest and least recommended scheme, a password can be assigned to a shared directory or printer
(simply called a "share"). This single password is then given to everyone who is allowed to use the share.
With user mode authentication, each user has their own username and password and the System
Administrator can grant or deny access on an individual basis. (Share mode was removed from Samba with
version 4.0; current releases support only user-level authentication, so treat the share-mode description as
history.)
The Windows NT Domain system provides a further level of authentication refinement for CIFS. The basic
idea is that a user should only have to log in once to have access to all of the authorized services on the
network. The NT Domain system handles this with an authentication server, called a Domain Controller.
An NT Domain (which should not be confused with a Domain Name System (DNS) Domain) is basically a
group of machines which share the same Domain Controller.
The NT Domain system deserves special mention because, until the release of Samba version 2, only
Microsoft owned code to implement the NT Domain authentication protocols. With version 2, Samba
introduced the first non-Microsoft-derived NT Domain authentication code. The eventual goal, of course, was
to completely mimic a Windows NT Domain Controller; Samba 4 went further and can act as an Active
Directory domain controller.
The other two CIFS pieces, name resolution and browsing, are handled by nmbd. These two services
basically involve the management and distribution of lists of NetBIOS names.
Name resolution takes two forms: broadcast and point-to-point. A machine may use either or both of these
methods, depending upon its configuration. Broadcast resolution is the closest to the original NetBIOS
mechanism. Basically, a client looking for a service named Trillian will call out “Yo! Trillian! Where are
you?”, and wait for the machine with that name to answer with an IP address. This can generate a bit of
broadcast traffic (a lot of shouting in the streets), but it is restricted to the local LAN so it doesn’t cause too
much trouble.
The other type of name resolution involves the use of an NBNS (NetBIOS Name Service) server. (Microsoft
called their NBNS implementation WINS, for Windows Internet Name Service, and that acronym is more
commonly used today.) The NBNS works something like the wall of an old fashioned telephone booth.
Machines can leave their name and number (IP address) for others to see.
Hi, I’m node Gaga. Call me for a good time! 192.168.100.101
It works like this: The clients send their NetBIOS names & IP addresses to the NBNS server, which keeps
the information in a simple database. When a client wants to talk to another client, it sends the other client’s
name to the NBNS server. If the name is on the list, the NBNS hands back an IP address. You’ve got the
name, look up the number.
Clients on different subnets can all share the same NBNS server so, unlike broadcast, the point-to-point
mechanism is not limited to the local LAN. In many ways the NBNS is similar to the DNS, but the NBNS
name list is almost completely dynamic and there are few controls to ensure that only authorized clients can
register names. Conflicts can, and do, occur fairly easily.
Finally, there’s browsing. This is a whole ‘nother kettle of worms (a difficult situation), but Samba’s nmbd
handles it anyway. This is not the web browsing we know and love, but a browsable list of services (file and
print shares) offered by the computers on a network.
On a LAN, the participating computers hold an election to decide which of them will become the Local
Master Browser (LMB). The “winner” then identifies itself by claiming a special NetBIOS name (in addition
to any other names it may have). The LMB’s job is to keep a list of available services, and it is this list that
appears when you click on the Windows “Network Neighborhood” icon.
In addition to LMBs, there are Domain Master Browsers (DMBs). DMBs coordinate browse lists across NT
Domains, even on routed networks. Using the NBNS, an LMB will locate its DMB to exchange and
combine browse lists. Thus, the browse list is propagated to all hosts in the NT Domain. Unfortunately, the
synchronization times are spread apart a bit. It can take more than an hour for a change on a remote subnet to
appear in the Network Neighborhood.
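To make the NBNS mechanics and the browser’s “special NetBIOS name” concrete, here is an added Python example (not from the course notes) that implements the RFC 1002 first-level encoding of NetBIOS names, including the suffix byte that tells a workstation name from a file-server or browser name, and a toy NBNS table showing why conflicts are easy: any client may claim an unused name and the first claim wins. The suffix values and the first-claim-wins rule are assumptions taken from RFC 1001/1002 and common Microsoft usage, not from the notes.

```python
from typing import Dict, Optional, Tuple

# NetBIOS name suffix bytes (assumed well-known values, not from the course notes).
SUFFIX = {0x00: "workstation", 0x20: "file server",
          0x1B: "domain master browser", 0x1D: "local master browser"}


def encode_netbios_name(name: str, suffix: int) -> str:
    """RFC 1002 first-level encoding: the name is space-padded to 15 bytes, a suffix
    byte is appended, and each byte is split into two nibbles, each added to 'A'.
    The result is always 32 letters in the range A..P."""
    if len(name) > 15 or not name.isascii():
        raise ValueError("NetBIOS names are at most 15 ASCII characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a 32-letter first-level encoded name")
    nibbles = [ord(c) - 0x41 for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


class NbnsRegistry:
    """Toy NBNS/WINS table. Any client may claim an unused (name, suffix); the
    first claim wins and a later claim from another IP is refused (a conflict).
    Nothing checks that the claimant is authorized to hold the name."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], str] = {}

    def register(self, name: str, suffix: int, ip: str) -> bool:
        key = (name.upper(), suffix)
        owner = self.table.get(key)
        if owner is None or owner == ip:
            self.table[key] = ip      # new claim, or refresh by the current owner
            return True
        return False                  # name already held by a different IP

    def query(self, name: str, suffix: int) -> Optional[str]:
        """Point-to-point lookup: 'you have the name, look up the number'."""
        return self.table.get((name.upper(), suffix))
```

Logging refused registrations from the table is a cheap way to notice a second host trying to claim a server or browser name that is already in use.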
Other Stuff
Samba comes with a variety of utilities. The most commonly used are:
smbclient: A simple SMB client, with an interface similar to that of the FTP utility. It can be used from a
Unix system to connect to a remote SMB share, transfer files, and send files to remote print shares (printers).
nmblookup: A NetBIOS name service client. Nmblookup can be used to find NetBIOS names on a
network, look up their IP addresses, and query a remote machine for the list of names the machine believes it
owns.
swat: The Samba Web Administration Tool. Swat allows you to configure Samba remotely, using a web
browser.
There are more, of course, but describing them would require explaining even more bits and pieces of CIFS,
SMB, and Samba. That’s where things really get tedious, so we’ll leave it alone for now.
5.1.1.5. SMB Filesystems for Linux
One of the cool things that you can do with a Windows box is use an SMB file share as if it were a hard disk
on your own machine. The N: drive can look, smell, feel, and act like your own disk space, but it’s really
disk space on some other computer somewhere else on the network.
Linux systems can do this too, using the smbfs filesystem. Built from Samba code, smbfs (which stands
for SMB Filesystem) allows Linux to map a remote SMB share into its directory structure. So, for example,
the /mnt/zarquon directory might actually be an SMB share, yet you can read, write, edit, delete, and copy
the files in that directory just as you would local files.
The smbfs is nifty, but it only works with Linux. In fact, it’s not even part of the Samba suite. It is
distributed with Samba as a courtesy and convenience. A more general solution is the new smbsh (SMB
shell). This is a cool gadget. It is run like a Unix shell, but it does some funky fiddling with calls to Unix
libraries. By intercepting these calls, smbsh can make it look as though SMB shares are mounted. All of the
read, write, etc. operations are available to the smbsh user. Another feature of smbsh is that it works on a
per-user, per-shell basis, while mounting a filesystem is a system-wide operation. This allows for much
finer-grained access controls.
5.1.1.6. Setup and Management [Configurations will be covered in Lab]
Samba is configured using the smb.conf file. This is a simple text file designed to look a lot like those
*.ini files used in Windows. The goal, of course, is to give network administrators familiar with Windows
something comfortable to play with. Over time, though, the number of things that can be
configured in Samba has grown, and the percentage of Network Admins willing to edit a Windows *.ini file
has shrunk. For some people, that makes managing the smb.conf file a bit daunting.
Still, learning the ins and outs of smb.conf is a worthwhile penance. Each of the smb.conf variables has a
purpose, and a lot of fine tuning can be accomplished. The file structure and contents are fully documented, so as
to give administrators a running head start, and smb.conf can be manipulated using swat, which at least
makes it nicer to look at.
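Because smb.conf is ini-like, it can be read with a standard ini parser, which makes it easy to check the share-mode versus user-mode point from earlier in this section. The following added Python example (not from the course notes) lints a constructed smb.conf and reports shares that can be reached without a per-user login; the sample file and the finding texts are assumptions.

```python
import configparser
from typing import List

# Constructed smb.conf (sample data, not from the course notes): user-mode
# authentication globally, one share limited to a group, one open to guests.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
security = user
map to guest = Bad User

[staff]
path = /srv/staff
valid users = @staff
read only = no

[public]
path = /srv/public
guest ok = yes
read only = no
"""

YES = ("yes", "true", "1")


def lint_smb_conf(text: str) -> List[str]:
    """Flag settings that bypass per-user authentication. configparser reads the
    ini-like syntax; interpolation is off because Samba values use %-macros
    (such as %U) and strict=False tolerates repeated keys."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    security = cp.get("global", "security", fallback="user").strip().lower()
    if security == "share":
        findings.append("global: security = share uses one password per share, not per user")
    for share in cp.sections():
        if share.lower() == "global":
            continue
        if cp.get(share, "guest ok", fallback="no").strip().lower() in YES:
            findings.append(f"{share}: guest ok = yes, reachable with no user account")
        if not cp.has_option(share, "valid users"):
            findings.append(f"{share}: no 'valid users' list, any account on the server may connect")
    return findings
```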
5.1.2. Mail Server
Electronic mail (email or e-mail) is a method of exchanging messages (“mail”) between people using
electronic devices. Email was thus conceived as the electronic (digital) version of, or counterpart to, mail, at
a time when “mail” meant only physical mail (hence e- + mail). Email later became a ubiquitous (very
widely used) communication medium, to the point that in current use, an e-mail address is often treated as a
basic and necessary part of many processes in business, commerce, government, education, entertainment,
and other spheres of daily life in most countries. Email is the medium, and each message sent therewith is
called an email (mass/count distinction).
Email’s earliest development began in the 1960s, but at first users could send e-mail only to other users of
the same computer. Some systems also supported a form of instant messaging,
where sender and receiver needed to be online simultaneously. The history of modern Internet email
services reaches back to the early ARPANET, with standards for encoding email messages published as
early as 1973 (RFC 561). An email message sent in the early 1970s is similar to a basic email sent today.
Ray Tomlinson is credited as the inventor of networked email; in 1971, he developed the first system able to
send mail between users on different hosts across the ARPANET, using the @ sign to link the user name
with a destination server. By the mid-1970s, this was the form recognized as email. At the time, though,
email, like most computing, was mostly just for “computer geeks” in certain environments, such as
engineering and the sciences. During the 1980s and 1990s, use of email became common in the worlds of
business management, government, universities, and defense/military industries, but much of the public did
not use it yet. Starting with the advent of web browsers in the mid-1990s, use of email began to extend to the
rest of the public, no longer something only for geeks in certain professions or industries. By the 2010s,
webmail (the web-era form of email) had gained its ubiquitous status.
Email operates across computer networks, primarily the Internet. Today’s email systems are based on
a store-and-forward model. Email servers accept, forward, deliver, and store messages. Neither the users
nor their computers are required to be online simultaneously; they need to connect, typically to a mail
server or a webmail interface, only to send or receive messages or to download them.
Originally an ASCII text-only communications medium, Internet email was extended by Multipurpose
Internet Mail Extensions (MIME) to carry text in other character sets and multimedia content attachments.
International email, with internationalized email addresses using UTF-8, is standardized but not widely
adopted.
5.1.2.1. Origin
Computer-based mail and messaging became possible with the advent of time-sharing computers in the early
1960s, and informal methods of using shared files to pass messages were soon expanded into the first mail
systems. Most developers of early mainframes and minicomputers developed similar, but generally
incompatible, mail applications. Over time, a complex web of gateways and routing systems linked many of
them. Many US universities were part of the ARPANET (created in the late 1960s), which aimed at software
portability between its systems. In 1971 the first ARPANET network email was sent, introducing the now-
familiar address syntax with the ‘@’ symbol designating the user’s system address. The Simple Mail
Transfer Protocol (SMTP) protocol was introduced in 1981.
For a time in the late 1980s and early 1990s, it seemed likely that either a proprietary commercial system or
the X.400 email system, part of the Government Open Systems Interconnection Profile (GOSIP), would
predominate. However, once the final restrictions on carrying commercial traffic over the Internet ended in
1995, a combination of factors made the current Internet suite of SMTP, POP3 and IMAP email protocols
the standard.
5.1.2.2. Operation
The following is a typical sequence of events that takes place when sender Alice transmits a message using a
mail user agent (MUA) addressed to the email address of the recipient, Bob.
1. The MUA formats the message in email format and uses the submission protocol, a profile of the Simple
Mail Transfer Protocol (SMTP), to send the message content to the local mail submission agent (MSA), in
this case smtp.a.org.
2. The MSA determines the destination address provided in the SMTP protocol (not from the message
header), in this case bob@b.org, which is a fully qualified domain address (FQDA). The part before the @
sign is the local part of the address, often the username of the recipient, and the part after the @ sign is
a domain name. The mail submission agent (MSA) resolves the domain name to determine the fully qualified
domain name of the mail server in the Domain Name System (DNS).
3. The DNS server for the domain b.org (ns.b.org) responds with any MX records listing the mail exchange
servers for that domain, in this case mx.b.org, a message transfer agent (MTA) server run by the recipient’s
ISP.
4. smtp.a.org sends the message to mx.b.org using SMTP. This server may need to forward the message to
other MTAs before the message reaches the final message delivery agent (MDA).
5. The MDA delivers it to the mailbox of user bob.
6. Bob’s MUA picks up the message using either the Post Office Protocol (POP3) or the Internet Message
Access Protocol (IMAP).
Message format
The basic Internet message format used for email is defined by RFC 5322, with encoding of non-ASCII data
and multimedia content attachments defined in RFC 2045 through RFC 2049, collectively
called Multipurpose Internet Mail Extensions or MIME. The extensions in International email apply only
to email. RFC 5322 replaced the earlier RFC 2822 in 2008; RFC 2822 had in turn replaced RFC 822 in 2001,
the standard for Internet email for decades. Published in 1982, RFC 822 was based on the earlier RFC 733 for
the ARPANET.
Internet email messages consist of two sections, “header” and “body”. These are known as “content”.
The header is structured into fields such as From, To, CC, Subject, Date, and other information about the
email. In the process of transporting email messages between systems, SMTP communicates delivery
parameters and information using message header fields. The body contains the message, as unstructured
text, sometimes containing a signature block at the end. The header is separated from the body by a blank
line.
Message header
RFC 5322 specifies the syntax of the email header. Each email message has a header, comprising a number
of fields. Each field has a name (“field name”), followed by the separator character “:”, and a value (“field
body” or “header field body”).
The message header must include at least the following fields:
From: The email address, and, optionally, the name of the author(s). In some email clients this can be
changed through account settings.
Date: The local time and date the message was written.
To: The email address(es), and optionally name(s) of the message’s recipient(s). Indicates primary recipients
(multiple allowed), for secondary recipients see Cc: and Bcc: below.
Subject: A brief summary of the topic of the message. Certain abbreviations are commonly used in the
subject, including “RE:” and “FW:”.
Cc (Carbon copy): Many email clients mark email in one’s inbox differently depending on whether they are
in the To: or Cc: list.
Bcc (Blind carbon copy): addresses are usually only specified during SMTP delivery, and not usually listed
in the message header.
Content-Type: Information about how the message is to be displayed, usually a MIME type.
Precedence: commonly with values “bulk”, “junk”, or “list”; used to indicate that automated “vacation” or
“out of office” responses should not be returned for this mail, e.g. to prevent vacation notices from being
sent to all other subscribers of a mailing list. Sendmail uses this field to affect prioritization of queued email,
with “Precedence: special-delivery” messages delivered sooner. With modern high-bandwidth networks,
delivery priority is less of an issue than it was.
Message-ID: Also an automatically generated field, used to prevent multiple deliveries and for reference in
In-Reply-To: (see below).
In-Reply-To: Message-ID of the message this is a reply to. Used to link related messages together. This
field only applies to reply messages.
References: Message-ID of the message this is a reply to, and the message-id of the message the previous
reply was a reply to, etc.
Reply-To: Address that should be used to reply to the message.
Sender: Address of the sender acting on behalf of the author listed in the From: field.
Archived-At: A direct link to the archived form of an individual email message.
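The Alice-to-Bob sequence in the Operation section and the header fields listed above can be traced together in one added Python example (standard library only, not from the course notes). It parses a constructed RFC 5322 message, derives the envelope recipients an MSA would send in RCPT TO, and picks the next-hop MTA from a constructed MX table; the message, the DNS data and the hostnames are assumptions, and the no-MX fallback follows RFC 5321.

```python
import email
from email import policy
from typing import Dict, List, Tuple

# Constructed RFC 5322 message from Alice to Bob (sample data, not from the notes).
RAW_MESSAGE = """\
From: Alice <alice@a.org>
To: Bob <bob@b.org>
Cc: carol@c.org
Date: Mon, 04 Apr 2022 09:30:00 +0300
Subject: RE: lab schedule
Message-ID: <20220404093000.1234@a.org>
In-Reply-To: <20220403180000.9876@b.org>

The lab is moved to Thursday.
"""

# Constructed DNS data: domain -> list of (preference, mail exchanger); lower wins.
MX_TABLE: Dict[str, List[Tuple[int, str]]] = {
    "b.org": [(20, "mx2.b.org"), (10, "mx.b.org")],
    "c.org": [],  # no MX record: RFC 5321 says deliver to the domain's own host
}


def split_address(addr: str) -> Tuple[str, str]:
    """Split an addr-spec into local part and domain; only the domain goes to DNS."""
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain.lower()


def next_hop(domain: str) -> str:
    """Server the sending MTA connects to: lowest-preference MX, else the domain."""
    mxs = sorted(MX_TABLE.get(domain, []))
    return mxs[0][1] if mxs else domain


def envelope_recipients(raw: str) -> List[str]:
    """Recipients an MSA puts in RCPT TO. Bcc is used only if the MUA left it in the
    submitted message; the MSA strips it so it never reaches the delivered header."""
    msg = email.message_from_string(raw, policy=policy.default)
    rcpts: List[str] = []
    for field in ("To", "Cc", "Bcc"):
        if msg[field] is not None:
            rcpts.extend(a.addr_spec for a in msg[field].addresses)
    return rcpts


def route(raw: str) -> Dict[str, str]:
    """Map each envelope recipient to the MTA the message is handed to next."""
    return {r: next_hop(split_address(r)[1]) for r in envelope_recipients(raw)}
```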