
IT Made EZ – Episode 2: The Basics of a Network

Welcome to IT Made EZ where we take you from zero to proficient in information technology focused on a helpdesk position.

Check out the video and take the quiz below to see what you’ve learned!

If you prefer to read instead of watch videos, you can read the entire script below the video.

Starting from the outside in, we have:

The modem – it’s short for modulator demodulator. This brings internet into the building from your Internet Service Provider also called the ISP. Some examples of internet service providers are Comcast and Verizon.

Different types of connections include cable modems, where data is sent over coax like old television service, and then there’s DSL which has its data sent over a phone line, and finally the fastest connection available is fiber optics which converts data to light and then back to data once it reaches your building.

Next up, the firewall or router – it protects computers from outside threats and allows multiple computers on a network to share an internet connection.

Moving on to the switch – everything on the network ultimately gets plugged into a switch. If a computer or device, also called a node, needs to talk to another computer or device, it needs to be plugged into a switch or connected wirelessly — more on that in just a moment.

The most common size for a small business is 48 ports, but switches can be daisy-chained together if more are needed. Or, if you only need to add a few extra ports, you could connect a small 5-port switch in the equipment room or at someone’s desk.

Next, we have the patch panel. Most companies have a network jack on the wall for devices to plug into. The other end of that wire goes through the walls, sometimes through the ceiling, and ultimately into a patch panel. Wires from the patch panel then plug into the switch.

Now let’s talk about the server – this is where company data and sometimes software is hosted. It’s usually a large, central computer with redundant power supplies, hard drives, and processors to maximize the reliability and uptime of the system.

What network would be complete without some desktop computers and laptops – these access information on a server, on the local hard drive, and/or on the internet. IT professionals try to avoid having anything stored exclusively on the computer’s hard drive so a backup doesn’t need to be set up on every single device.

Yes, we live in the digital age, but some people still prefer, or still need information on paper which of course requires printers. A printer can be connected directly to a computer or connected to the network for easy access from all devices and the ability to centrally manage them.

The two main types of printers are inkjet and laser.

Inkjet printers are cheaper, but they have lower quality results which can often smear on the page, especially if you use a highlighter. Inkjet cartridges use liquid ink that can easily dry out even when not being used because the cartridges are not airtight. Fortunately, some manufacturers are now storing a printer’s ink inside a sealed reservoir, so it doesn’t dry up when not in use.

Laser printers provide a more professional result and the ink doesn’t smear because there is a heating element inside that fuses the ink to the page. Laser printers use powdered ink called toner which has a much longer shelf life because it’s already dry.

Moving on to Wireless Access Points, often abbreviated as W-A-P. They allow connectivity for devices that have or require wireless access.

Multiple wireless access points can be spread out across a large building for full coverage and will allow connection to the same network no matter what access point your device connects to.

In a home environment, most people have one wireless router, depending on the size of their house. In most businesses, however, several access points are needed to ensure the signal reaches everywhere it needs to.

There are also plenty of other devices that require a network connection, such as a postage scale, credit card reader, door controllers—you name it. If it needs to be accessible from more than one place or a certain function would benefit from central management, it can and should be found on a network.

Now that we’ve mentioned all of the equipment, I’ll explain some common ways that it all gets used.

We’ll skip over the modem because its only job is to bring internet into the building. That brings us to the router or firewall.

A router can be configured to hand out a unique private IP address to every device on the network. For example, look no further than the wireless router in your home. This is known as Dynamic Host Configuration Protocol or DHCP for short. For small businesses, there is usually one device responsible for providing DHCP, and in many cases, it’s the server that’s doing it instead of the router. Large companies have multiple DHCP servers that work together, and the first one to receive the request will give out the address.

Most routers have a single public IP address that is shared with the whole network, along with a private IP address that is used to communicate with all of the equipment in the building. An example of a private IP address is 192.168.100.1 and an example of a public IP address is 142.251.33.206. If that just sounds like a bunch of random numbers to you, just remember that a private IP address will almost always begin with 192.168, 172.16, or 10.0. These IP address ranges are reserved for private use, while every other combination can be found out on the internet.

A router can also be configured to hand out DNS, which stands for Domain Name System, but much like DHCP, this is usually handled by the server in a business environment. More on that later.

Some routers can also be used to restrict internet access to certain websites or website categories. This is often referred to as content filtering. There is also third-party software available that can be installed on devices to accomplish the same thing, but if a user has administrative rights on their computer, he or she would have the ability to remove it, so there’s an advantage to using the firewall or another external device for this reason.

Another router function is allowing specific services through specific ports to access specific destinations on the network, such as the ability to watch the office security cameras from the CEO’s house. This is done through what’s called port forwarding. The more specific the settings are, the more secure the connection is. If accessing cameras remotely sounds like a security concern, that’s because it is. The best-case scenario for this situation is to use a VPN, and routers can actually be used for that.

VPN stands for virtual private network. It can be configured to allow access to all of the same network resources as if the computer was at the office. However, it only works well if both internet connections are very fast. Even then, the access is not nearly as quick or reliable as when the computer is in the office.

One last thing to note about firewalls is that most companies will disable the Windows Firewall which is built into the OS, so they don’t have to manage exceptions in multiple places.

Next up, the switch. There are two different kinds: basic switches known as unmanaged switches, as well as smart switches which are also called managed switches.

Basic switches are very simple. Anything can be plugged into any port and communicate with anything else on the network.

A managed switch has a bunch of advanced features. For example:

  • VLAN, which stands for virtual local area network, is a way to use the same physical switch, but have multiple networks that are completely separated from each other.
  • Another feature is Power over Ethernet, also called PoE. This has the ability to deliver power to some devices using just a network cable. It’s convenient for devices without an easily accessible outlet nearby.
  • The last feature we’ll mention is all the additional information you’ll get from each device, such as IP address, hostname, and MAC Address. More on the latter two items in just a moment. A smart switch will help you determine what’s plugged into which port, as well as the ability to disable specific ports for added security.

As for the patch panel, this is not even an electronic device, so there’s nothing more to say about it other than that I strongly recommend labeling each network wall jack with a number that matches up with a number on the patch panel. This will make it way easier if you ever need to locate which port a device is plugged into. It’s especially critical if the company is using unmanaged switches, as the location cannot be found without an additional tool called a wire tracer.

Moving on to the server. As we mentioned before, servers are usually responsible for handing out DHCP and DNS.

DHCP servers will almost never hand out the same IP address to multiple devices, so a duplicate address would only happen if someone manually enters network information into a device, and the DHCP server doesn’t know about it. Or, IP conflicts can happen if someone accidentally plugs in an additional device that has a DHCP server in it, and it’s not configured to work with the existing one. If two devices on the network do end up with the same IP address, one or both devices will experience communication problems.

If an IP address changes from time to time, this is known as a dynamic IP address. Communication with a device using a dynamic address is often done using its hostname. All hostnames have an IP address, but not all IP addresses have a hostname. To check for a hostname, you can open a command prompt window, type P-I-N-G, put a space, a hyphen followed by the letter a, another space, and then the IP address in question (for example: ping -a 192.168.100.1). Your reply will often include the hostname if the device has one. Most equipment does have a hostname and sometimes you can even change what it is, but in rare cases, communication can only be done using an IP address or a DNS record. More on that in a moment.

If you need an IP address to stay the same, you can create a reservation or manually enter the network information into the device. This is called a static IP address. If you do manually enter an IP address into a piece of equipment, make sure you create a DHCP reservation as a placeholder to avoid a conflict.

Every device also has a MAC Address which is also known as the physical address. This is a series of 12 numbers and letters which is unique to just about every device in the world. Because there are a limited number, it is possible you will find a repeat on your network, but the chances are like winning the lottery.

A MAC Address is what you need to properly reserve an IP address in DHCP. If you don’t know the MAC Address, you can enter all zeroes as a placeholder. To acquire the proper MAC Address, first ping the address using command prompt. Enter the word ping followed by a space and then the IP address. After you receive the responses, type the letters A-R-P followed by a space and then a hyphen in front of the letter a (arp -a). This will show you a list of IP addresses your computer has recently communicated with alongside their physical addresses.

Equipment made by the same manufacturer will have the same starting characters in their MAC Address. Third-party IP scanning software will often be able to tell you what MAC Address belongs to what manufacturer which is super helpful when trying to find a printer that someone randomly plugged into the network without getting IT involved.
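As an added example (not part of the IT Made EZ script), here is a small Python parser for the arp -a output described above: it normalizes the MAC for the DHCP reservation, matches the first three bytes against a vendor-prefix table, and classifies each address as private or public. The sample output and the vendor table are constructed for illustration, and the private-range check uses the full RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) rather than only the leading digits the script lists.

```python
"""Recover MAC addresses and vendor prefixes from Windows 'arp -a' output.

Added example for the ping / arp -a / DHCP reservation workflow; the sample
output and the vendor-prefix table are constructed, not captured from a network.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample of what 'arp -a' prints after pinging a few devices.
SAMPLE_ARP = """
Interface: 192.168.100.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.1         00-50-56-aa-bb-01     dynamic
  192.168.100.10        00-50-56-aa-bb-02     dynamic
  192.168.100.77        a4-b1-c2-12-34-56     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed OUI table (first three bytes of a MAC -> manufacturer).
# Real assignments come from the IEEE OUI registry; these are placeholders.
OUI_TABLE: Dict[str, str] = {
    "00:50:56": "Example Virtualization Inc.",
    "A4:B1:C2": "Example Printer Co.",
}

# Full RFC 1918 private blocks: 10.0.0.0/8 covers every address starting
# with 10., and 172.16.0.0/12 covers 172.16 through 172.31.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# One 'arp -a' row: IPv4 address, MAC (dash or colon separated), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str              # normalized to AA:BB:CC:DD:EE:FF
    vendor: Optional[str]
    private: bool


def normalize_mac(raw: str) -> str:
    """Windows prints dashes; DHCP reservation dialogs usually accept colons."""
    return raw.upper().replace("-", ":")


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in block for block in RFC1918)


def is_host_entry(ip: str, mac: str) -> bool:
    """Drop broadcast and multicast rows; they are not devices you can reserve."""
    return not ip_address(ip).is_multicast and mac != "FF:FF:FF:FF:FF:FF"


def parse_arp(text: str, oui_table: Dict[str, str]) -> List[ArpEntry]:
    entries = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue                      # header or interface line
        ip, raw_mac, _kind = match.groups()
        mac = normalize_mac(raw_mac)
        if not is_host_entry(ip, mac):
            continue
        entries.append(ArpEntry(ip, mac, oui_table.get(mac[:8]), is_private(ip)))
    return entries


def find_by_vendor(entries: List[ArpEntry], keyword: str) -> List[ArpEntry]:
    """Locate e.g. a printer someone plugged in without telling IT."""
    return [e for e in entries if e.vendor and keyword.lower() in e.vendor.lower()]


def reservation_pair(entry: ArpEntry) -> str:
    """The IP/MAC pair to enter when creating the DHCP reservation."""
    return f"{entry.ip} -> {entry.mac}"


if __name__ == "__main__":
    for entry in parse_arp(SAMPLE_ARP, OUI_TABLE):
        scope = "private" if entry.private else "public"
        print(reservation_pair(entry), scope, entry.vendor or "unknown vendor")
```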

Next up, DNS. It allows you to communicate with an easy-to-remember name instead of a string of numbers. For example, mail.contoso.com could resolve to 192.168.100.10 inside your network, but resolve to a public IP address when you’re outside of the office. A request made from home, for example, would be handled by public DNS through the internet. This is the difference between internal and external DNS. Servers maintain a list of records for destinations on the network, and anything not listed will be sent to the external DNS provider. Common external or public DNS hosts include GoDaddy and Network Solutions.

The most common DNS entry is an A record, which resolves google.com to 172.217.164.174. One thing to note is that an A record is always an IP address. If you need to create a DNS record that resolves a hostname to a different hostname, a CNAME record would be used.

Another super important DNS record type is an MX record, which is used to deliver messages to an email server. If a company uses Microsoft 365 to host email for contoso.com, their MX record would be contosocom.mail.protection.outlook.com, but an MX record could also just be a public IP address. If an MX record gets removed or is entered incorrectly, any mail sent to your company during that time would be permanently lost. Users could request that their recent contacts resend any mail from that time period, but in most cases, the senders would have received a rejection message.
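To make the internal/external split concrete, here is an added Python model (not from the script or any DNS product) of how a name is answered from the company server first and falls through to the public provider, with CNAME records chased to an A record. The two zones are constructed stand-ins using the script’s own example names; the 203.0.113.x addresses are documentation placeholders.

```python
"""Model of internal vs. external DNS resolution for the records described above.

Added example; the zones are constructed stand-ins for a company DNS server
and a public DNS provider, not real records.
"""
from ipaddress import ip_address
from typing import Dict, List

Zone = Dict[str, Dict[str, str]]   # name -> record type -> value

# Constructed internal zone kept on the company server.
INTERNAL: Zone = {
    "mail.contoso.com": {"A": "192.168.100.10"},
    "intranet.contoso.com": {"CNAME": "srv01.contoso.com"},
    "srv01.contoso.com": {"A": "192.168.100.5"},
}

# Constructed stand-in for the external (public) DNS provider.
EXTERNAL: Zone = {
    "mail.contoso.com": {"A": "203.0.113.25"},
    "contoso.com": {"MX": "contosocom.mail.protection.outlook.com"},
    "google.com": {"A": "172.217.164.174"},
}


class ResolutionError(Exception):
    """Name does not exist or has no record of the requested type."""


def add_a_record(zone: Zone, name: str, value: str) -> None:
    """An A record must always be an IP address; reject anything else."""
    ip_address(value)              # raises ValueError for a hostname or typo
    zone.setdefault(name.lower(), {})["A"] = value


def resolve(name: str, rtype: str, zones: List[Zone], max_hops: int = 8) -> str:
    """Resolve name for rtype, consulting zones in order.

    Names absent from the first zone fall through to the next, which mirrors
    an internal server forwarding unknown names to the external provider.
    CNAME records are followed until a record of the requested type is found.
    """
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        records = next((z[name] for z in zones if name in z), None)
        if records is None:
            raise ResolutionError(f"NXDOMAIN: {name}")
        if rtype in records:
            return records[rtype]
        if "CNAME" in records:
            name = records["CNAME"].lower()   # chase the alias
            continue
        raise ResolutionError(f"no {rtype} record for {name}")
    raise ResolutionError(f"CNAME chain too long for {name}")


def resolve_from_office(name: str, rtype: str = "A") -> str:
    """A computer on the LAN asks the internal server, which forwards unknowns."""
    return resolve(name, rtype, [INTERNAL, EXTERNAL])


def resolve_from_home(name: str, rtype: str = "A") -> str:
    """A computer at home only sees what the public provider publishes."""
    return resolve(name, rtype, [EXTERNAL])


def can_resolve(name: str, rtype: str, zones: List[Zone]) -> bool:
    try:
        resolve(name, rtype, zones)
        return True
    except ResolutionError:
        return False


if __name__ == "__main__":
    print("office:", resolve_from_office("mail.contoso.com"))
    print("home:  ", resolve_from_home("mail.contoso.com"))
    print("MX:    ", resolve_from_office("contoso.com", "MX"))
```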

Another primary server function is user authentication.

Active Directory is a database of user accounts that are allowed to log into computers on the network and access its resources. If someone’s password expires or they forget what it is, this is the software you would use to reset it. This is also where you go to update someone’s last name, whether or not their password expires, and what groups they belong to.

You can grant individual users access to folders, or grant access to everyone in specific groups called Security Groups.

  • Granting a user access to a file or folder takes effect right away, but adding someone to a Security Group will only take effect once the user has logged off and then logged back in.
  • The immediacy of granting individual users access to data may sound tempting, but using Security Groups is a way more organized method, especially when it comes to employee changes. If a Security Group has access to a hundred different folders, adding a user to that group takes care of all those permissions in just that one step.
  • You can also organize users and groups into what’s called an Organizational Unit, often abbreviated as OU. Its primary function is organization, but you can also assign specific policies to every user inside an OU, so that’s something to be mindful of when moving user accounts.

It is worth noting that the server maintaining Active Directory is not necessarily the same server that’s hosting data. You can have any number of servers on the same domain. We mentioned domains previously, but that was in the public context. Now we’re going to discuss local domains.

In a small business, Active Directory is responsible for all of the users in one particular domain.

Your website and email addresses might end with contoso.com, but your local domain could end with contoso.local. It is actually advantageous for your public and private domain names to be different, because if they match, the server would need to maintain additional DNS records for the company website. For example, contoso.com is more than likely hosted on the internet and will resolve to a public IP address. However, all of the computers on the network would need contoso.com to resolve to an internal IP address in order for communication with Active Directory and other network resources to work. This would require a www record to be manually added to DNS and have it match the www record hosted on your public registrar like GoDaddy or Network Solutions.

The next server function we’ll talk about is data hosting.

Every folder shared on a server has two sets of permissions: Share Permissions and Folder Permissions.

To share a new folder on a server, right-click the folder in question and choose Properties. Then, go to the Sharing tab and click “Advanced Sharing”. Put a checkmark next to “Share this folder” and click the Permissions button. By default, Everyone is listed under Share permissions with only the ability to read. I recommend giving Everyone Full Control of the share, because restrictions will be enforced under the Folder Permissions. You wouldn’t have any issues if Share Permissions matched Folder Permissions exactly, but it’s a lot of extra unnecessary work to make both of them the same when it comes time to make changes. If Everyone has Full Control of the Share, you never have to revisit the share permissions again for that particular share. You will only have to focus on Folder Permissions.

To view or change Folder Permissions, right-click the folder in question and choose Properties again. This time, click on the Security tab. This will bring up the list of all users and Security Groups that have access to that folder. By default, Folder Permissions are inherited from the folder above it, known as the parent folder, and the permissions listed cannot be changed directly from the first screen. For new server shares, you will most likely want to disable inheritance to specify which users and groups should have access to that folder. On the Security tab, click on Advanced at the bottom right. Then click “Disable inheritance” on the bottom left. You will be prompted to convert all inherited permissions to explicit permissions, or completely remove all inherited permissions. If you only want to remove one or two items from the list, it makes the most sense to convert the inherited permissions.
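The following added Python model (not from the script or from Windows) shows why the recommendation above works: over the network, the effective access is the more restrictive of the Share Permissions and the Folder Permissions, so with Everyone given Full Control on the share only the folder permissions decide. The group memberships and ACLs are constructed, and the rules are simplified (any matching deny entry wins; inheritance is not modelled).

```python
"""Effective access to a server share: Share Permissions combined with Folder Permissions.

Added example modelling the two permission sets described above; the group
memberships and ACLs are constructed, and the rules are simplified (a deny
entry anywhere wins, and inheritance is not modelled).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set


class Level(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2    # "Change" on the share, "Modify" on the folder
    FULL = 3      # Full Control


@dataclass(frozen=True)
class Ace:
    """One access control entry: a user or Security Group and its level."""
    principal: str
    level: Level
    allow: bool = True


# Constructed Security Group memberships (what Active Directory would hold).
GROUPS: Dict[str, Set[str]] = {
    "Accounting": {"alice", "bob"},
    "Managers": {"carol"},
}


def principals_for(user: str) -> Set[str]:
    """Everything an ACE could name that applies to this user."""
    names = {user, "Everyone"}
    names |= {group for group, members in GROUPS.items() if user in members}
    return names


def evaluate(acl: List[Ace], user: str) -> Level:
    """Highest allowed level, unless any matching entry denies the user."""
    names = principals_for(user)
    matching = [ace for ace in acl if ace.principal in names]
    if any(not ace.allow for ace in matching):
        return Level.NONE
    return max((ace.level for ace in matching), default=Level.NONE)


def effective_access(share_acl: List[Ace], folder_acl: List[Ace], user: str) -> Level:
    """Over the network, the more restrictive of the two permission sets applies."""
    return min(evaluate(share_acl, user), evaluate(folder_acl, user))


# Default share permission after "Share this folder": Everyone, Read only.
SHARE_DEFAULT = [Ace("Everyone", Level.READ)]
# The script's recommendation: Everyone Full Control, restrict via the folder.
SHARE_FULL = [Ace("Everyone", Level.FULL)]
# Constructed Folder (NTFS) Permissions after disabling inheritance.
FOLDER = [
    Ace("Accounting", Level.CHANGE),
    Ace("Managers", Level.READ),
    Ace("bob", Level.FULL, allow=False),   # explicit deny for one member
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_access(SHARE_DEFAULT, FOLDER, user).name,
              effective_access(SHARE_FULL, FOLDER, user).name)
```

With the default Read-only share, alice ends up with Read even though the folder grants her group Modify, which is the classic "I can open it but not save" ticket.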

There are a few ways desktops and laptops access these shares and other information on a server: mapped drives, shortcuts, folder redirection, and database access.

A mapped drive, also called a network drive, presents itself as a drive letter underneath Network locations in Windows Explorer under what’s called This PC. Mapped drives are a convenient way for multiple users at a company to share the same set of folders.

A shortcut is another method. This would be a direct network link, using an IP address or hostname, called a UNC path. UNC stands for Universal Naming Convention. If you want to see all of the folders or printers that are shared from a PC or server, type two backslashes followed by the IP address or hostname in any Windows Explorer address bar and hit Enter on the keyboard. Most computers also have a hidden share of the C drive that you can only access manually by typing two backslashes, the hostname or IP address, another backslash, and then the letter C followed by a dollar sign. You can also add a dollar sign to any share name if you have a reason to hide it from the list of shares. Remember to still set the proper folder permissions on a hidden share in case someone who shouldn’t have access learns about it.

Another common data access method is folder redirection. This is often integrated into a computer without the end-users even knowing about it. They might think they are working on their desktop, but the desktop could be pointing to a folder on a server. Folder redirection is primarily used on desktop computers rather than laptops, because if the laptop leaves the network such as when the user takes it home, lots of stuff will stop working. If the desktop folder is redirected and the server connection is lost, the computer will become unusable for the average person. One solution to this is a feature called Offline Files. It takes the contents of a mapped drive or redirected folder and stores it on a laptop’s local hard drive. If the connection is severed, the local cache is used, and functionality remains. When connection to the server is restored, such as bringing the laptop back into the office, it synchronizes all changes you made when you were offline. It sounds great in concept, but it does not work well. There are a bunch of unsupported file types, frequent sync errors, and conflicts that refuse to resolve. More on other solutions later.

The last data hosting method we’ll talk about is database access. Microsoft SQL is a common database language that can integrate with your Active Directory account and grant access to certain applications. Some programs that use SQL can even find the database on the network automatically during the software setup.

Another thing to note with network access is that it’s possible for a laptop to not be joined to the domain, and still be able to access network resources. However, the person would still need an Active Directory account, and the credentials on the laptop need to match the username and password exactly. Otherwise, they will be prompted for credentials when trying to open something on the network. Windows 10 makes matched credentials a little more difficult by insisting that home users log into a computer with a Microsoft account instead of a local account. If the computer detects an internet connection, sometimes there is no option to create a local account when you first turn on a new computer. In my experience, it’s best to pretend that you don’t have Wi-Fi, and then connect to the internet once your account has logged in for the first time. If the computer is already logged in with a Microsoft account and you want to create a local account instead, use control userpasswords2 for Windows 10 Home edition and compmgmt.msc for Windows 10 Professional.

Moving on to printers. They are commonly installed on a server and then shared from there, because this makes the installation process a lot easier when multiple computers need access to a certain printer. Users can simply browse to the server hosting the printers using its UNC path, right-click the printer name, and choose Connect. All printing defaults can be pre-configured as well, such as printing in black and white, double-sided pages, and which tray is default. The process of deploying printers can also be automated using Group Policy.

Group Policy has the ability to automate the setup or restriction of just about any computer setting as long as the person is logged in with a domain account.

To join a computer to a domain, right-click on This PC and go to Properties. If you make the window large enough, you will see “Rename this PC (Advanced)” on the right side. Enter the full domain name in the field and click OK. You will then be prompted for Domain Administrator credentials. After authenticating, you will be prompted to reboot. Before doing so, it’s a good idea to decide whether or not you want the user to have administrative rights on their computer, such as the ability to install software or change system-wide settings. This won’t give them special rights on the network, but anything on their own computer would be fair game. If their supervisor is okay with that, open compmgmt.msc again and expand the Users and Groups area. Click on Groups, and then double-click on Administrators. Click Add at the bottom left and it will already be able to query any user or group on the domain. If you want everyone to have local admin rights, type in Domain Users and click OK. If you only want one or two users to have admin permissions, you can manually specify which users or groups can go in the list. When you click OK, you will be prompted for Domain Admin credentials again. Reboot the PC and any Domain User will then be able to log in with their username and password.

Group Policy can also automatically map network drives, redirect profile folders to network locations, and deploy printers, among countless other settings using its built-in templates or custom registry settings. I like to describe the registry as the backstage of Windows. You might set a preference using Control Panel, but Windows will often change a value in the registry from a zero to a one or vice versa. The registry can be a dangerous place if you don’t know exactly what values to change, but it can also be a powerful tool as you can automate any number of settings with a simple double-click of a preconfigured reg file, or by entering the registry values using Group Policy. Sometimes it’s best to manually configure software or settings on one computer, and then find and export the registry settings for future automation.

Mapped drive deployment can be found in Group Policy under User Configuration > Preferences > Windows Settings > Drive Maps. Right-click a blank area and select New > Mapped Drive. Enter the UNC path as the Location, the name you want it to have in the “Label as” field, and then choose a drive letter next to “Use”. It’s always best to select “Create” as the Action at the top, because “Replace” will disconnect the mapped drive multiple times throughout the day, closing all Windows Explorer windows and creating errors in any software that relies on that mapped drive.

Redirected folders are configured in Group Policy under User Configuration > Windows Settings > Folder Redirection. Right-click the profile folder you want to redirect and choose Properties. Next to “Setting”, most companies will use the Basic option. For the Target folder location, select “Create a folder for each user under the root path” to automate the setup of all future users.

Printer deployment in Group Policy is in User Configuration > Preferences > Control Panel Settings > Printers. Right-click a blank space and select “New > Shared Printer”. Select “Create” for the Action again and then click the three dots next to “Share path”. This will show you a list of printers that are shared from all of your servers as long as “List in the directory” is checked in the Sharing tab of the printer itself.

To finalize your Group Policy settings, it’s best to run gpupdate forward slash force (gpupdate /force) from a command prompt on the server as well as the destination computers. Or, you can simply reboot the PCs, as Group Policy updates are processed during a restart.

It’s worth noting that Group Policy Objects, or GPOs, get created and are then linked under specific OUs. If you want to apply a GPO to the entire company, you would link it under the domain name. The higher up in the list it’s linked, the more users it will apply to. If you want to give a specific mapped drive to only one department, you would link the GPO to that department’s OU.

The last server function we’ll talk about is Remote Access.

I already mentioned that a router can be configured for VPN access, but a Windows Server can accomplish the same thing using a feature called Routing and Remote Access.

We also noted the requirements for a reliable VPN connection, so if your home internet speed isn’t very fast, the best alternative is Remote Desktop as long as the job doesn’t involve a lot of graphics-intensive work. The Remote Desktop Protocol, often abbreviated as RDP, is the remote controlling of a PC or Server. RDP works while you’re on the same network, using a VPN connection, or with what’s called RD Gateway.

RD Gateway requires an SSL Certificate and an A record in your external DNS provider pointing to an internal website on the server. SSL stands for Secure Sockets Layer, and a secure certificate is a way for a trusted third-party to vouch for the authenticity of a destination. The destination in this case would be a website running on a Windows server hosted in IIS, which stands for Internet Information Services.

Right-click the Default Web Site and choose “Edit Bindings”. Click on https and then Edit. This will show you what SSL Certificate is currently in-use as well as the ability to select a new one.

A new SSL Certificate can be purchased from a registrar like GoDaddy. IIS is also where you will create the certificate request as well as where you’ll finalize the process.

Another IT setup worth mentioning is a Terminal Server environment. Instead of everyone having a desktop or laptop, users have what’s called a thin client. A thin client runs a stripped-down version of Windows, or its own proprietary OS, and its sole purpose is to connect to a Terminal Server using RDP. A Terminal Server is preconfigured to mimic a PC as far as the applications that get installed. It usually contains all software and settings that anyone in the company would need to do their job. The cost of a thin client is way cheaper than a full-blown computer, because it only has the resources to run RDP and not much else. Performance is then handled by the resources that the Terminal Server has available, which usually includes plenty of processing power, memory, and hard drive space. If RD Gateway is configured, users can have virtually the same great experience at home as they do at the office. Plus, setting up a new device is often a breeze, as any Windows computer just needs a single icon placed on the desktop.

The last remote access method we’ll discuss is technically an alternative. In lieu of folder redirection and Offline Files, you could avoid the server altogether by putting all of a user’s important data in Microsoft OneDrive. This is especially useful if their primary computer is a laptop. There is also a backup function built into OneDrive that automatically redirects the Desktop, Documents, and Pictures folders. If the hard drive crashes, all of the data would be recoverable from the cloud. If most of a company’s users work remotely, or if the business is not large enough to have an in-house server, Microsoft 365 can be configured to use Azure Active Directory with SharePoint as its data host. The advantage here is that computers don’t need to be in the office to receive policies, custom configurations, or access to company files, as OneDrive can be set up to open SharePoint data as long as they’re connected to the internet.
