Date: Fri, 22 Sep 1995 10:59:20 -0600
From: Joe Doupnik
Subject: Win95 IPX SAP issue

As astute readers are aware, Windows 95 has the ability to advertise itself with IPX SAP (service advertising protocol) packets on the wire when file/printer services are shared peer to peer. Such SAPs say the machine is offering NetWare file services, and it shows up in SLIST etc. Much has been said privately on the situation, and the matter has been taken up in the trade publications a number of times.

To clarify what Windows 95 does I asked a member of the development team at MS to comment upon the subject, and he has kindly done so in the attached document. I suggest you read it and think about the matter as it pertains to your site. I am posting this message as informational, not to argue a position. Aaron has given permission to reproduce the document intact.

Joe D.

------------------TEAR HERE----

I am one of the developers that worked on developing Microsoft File and Print Services for Netware Networks for Windows 95, not to be confused with FPNW for Windows NT. In order to clear up some confusion over how File and Print Services for Netware Networks works and some problems administrators should look out for when running this service, I have written the following technical note. I hope this information helps clear up some confusion and addresses some administrators' concerns.

This is NOT an official Microsoft document. Microsoft makes no claim to the completeness or accuracy of the information contained herein.

Aaron Ogus (aarono@microsoft.com)

Windows 95 File and Print Services for Netware Networks
=======================================================

1. Terminology

NWSERVER - Component that provides Microsoft File and Print Sharing for Netware Networks.
NWREDIR - The Microsoft requester for accessing Netware Servers and NWSERVER peer services using the NCP protocol.
VSERVER - Component that provides Microsoft File and Print Sharing for Microsoft Networks using the SMB protocol.
VREDIR - The Microsoft Redirector used to access NT, WFW, LAN MANAGER and Windows 95 network servers using the NCP protocol.
SMB - Server Message Block. An application level protocol for communicating between a client and server computer. Can be thought of as a hard wired RPC mechanism with fixed fields and command codes. SMB runs over many different transport protocols including: NetBIOS, IPX, IP.
NCP - Netware Core Protocol. Like SMB, only the definition of fields is different. NCP has classically only been run over IPX but recently has been hosted on IP in Netware implementations.
SAP - Service Advertising Protocol. A protocol that defines a packet format for advertising services available in a service provider. SAPs are repeated every minute on the network.
Bindery - A database on a Netware server that can be used to access the list of available services on the network. Also may store User, Group or Application specific information.
NSCL - Netware Services Client. A component used to discover NWSERVERS and real Netware servers regardless of the advertising mechanism they use. This component also controls advertising for NWSERVER whether using SAP or the browse model.
pass through server - NWSERVER validates users against the user database on a true Netware server. The server must support the Bindery NCPs. If it is a Netware 4.x server it must have bindery emulation turned ON. The pass through server must also have an account called WINDOWS_PASSTHRU set up on it. This account only needs BINDERY access.

Overview
--------

Windows 95 supports 2 types of file and print services. One using SMB, for Microsoft and IBM type networks and one using NCP, for Netware networks. Although the SMB server (VSERVER) could be run on a Netware network to provide peer services, it requires that the clients load an additional redirector.
This can be a significant memory and performance hit on smaller 4 Mbyte machines. In an effort to provide peer services for Netware networks on par with those for SMB networks we decided we should provide a service that uses the NCP protocol to provide peer services in order to avoid the extra memory overhead.

There are many problems associated with running many (>1000) NCP servers on a network. Some of these problems are related to problems with the SAP advertising scheme used by Netware 2.x, Netware 3.x and Netware 4.x. Future versions of Netware will replace this mechanism with NLSP, a new protocol that does not suffer from many of the problems associated with SAP.

In order to avoid the SAP advertising problems, NWSERVER uses its own name resolution and service advertising mechanism. By default this is the mode that NWSERVER is configured in. NWSERVER also allows the user to reconfigure it to use SAP advertising. This allows VLM and NETX clients to access the peer server, as well as Windows 95 clients running the Microsoft Client for Netware (NWREDIR).

This note will discuss the problems with SAP advertising and also describe the "other" advertising mechanism used in Windows 95. It will also discuss problems you may encounter if you turn SAP advertising ON on an NWSERVER.

SAP advertising
===============

Every Netware server (not running NLSP) advertises itself and its services on the network every minute. It does so by sending a SAP packet to the broadcast address. All other servers and routers listen for these packets and accumulate them in their internal tables. The SAP broadcasts are restricted to the segment (subnet) they are broadcast on. In order to allow the entire network to "see" all the services available, the routers repeat SAPs seen on one subnet to the other subnets they route between.

The upshot of this scheme is that every SAPing SERVER causes SAP packets to be broadcast across the ENTIRE IPX network.
Also each entry must be remembered by every router and every server on the network. Although this system works quite well for a small number of servers (less than 1000), as the number grows larger the bandwidth requirements and resource requirements in servers and routers get very large.

NWSERVER Browse Model
=====================

On a large network (such as the Microsoft Network) that contains in excess of 15,000 peer servers it would not be practical to use SAP advertising as the method of advertising server services. Instead Microsoft has created a component called NSCL that is used to implement browsing for large Netware networks.

Each Windows 95 computer is assigned to a workgroup. A workgroup is a collection of related computers. The relationship of computers in a workgroup is casual. That is, they could be arranged geographically, or functionally. The only important thing is that the computers are grouped.

When an NWSERVER starts up, it registers its name and workgroup with NSCL. NSCL looks at the workgroup name and attempts to find the "master" for the workgroup. It does this by searching the default Netware server's bindery. If it finds no workgroup master in the Bindery it elects itself master and advertises itself using SAP. Any client coming up subsequently in the workgroup will find this server registered as the browse master by scanning its default server's bindery. (There is a recovery mechanism if the master goes down but this is beyond the scope of this document).

Say NSCL found the browse master. It will then send the browse master a packet describing itself. In this way the browse master will accumulate the list of servers in the workgroup.

This scheme reduces the SAP overhead from 1 SAP entry per server to 1 SAP entry per workgroup. (2 for large workgroups because a backup master will be elected). Clearly then it is critical that workgroup names be meaningful and co-ordinated.
If every server has its own workgroup the SAP overhead will be just as bad as if every server were advertising.

When a Windows 95 client is asked to attach to a server on a Netware network, say the server RED_311, the NSCL component first scans the bindery of the default Netware server to find out if it is searching for a server that SAPs as SAP type 0004 (the server SAP type). We commonly refer to these as flat servers since they appear at the top level of the browse list when browsing the entire network. If the server to attach to is NOT found in the flat list then a request is sent to the browse master for the workgroup to see if it can resolve the name to an IPX address. If this fails, a broadcast is sent to all workgroup masters (using the type 20 IPX packet) to resolve the name. If this query fails it is assumed that the requested server does not exist.

It should be noted that browse masters and backups DO NOT USE TYPE 0004 SAP. The masters SAP using SAP type 0x067B, backups use 0x067C.

It should be stressed that this is the default and RECOMMENDED configuration for running NWSERVER. In this mode there should be no VLM/NETX interaction issues with running the peer services on a large network.

***If type 20 packets are not propagated through routers you will be unable to attach to NWSERVER machines not in your workgroup that are across a router.

VLM and NETX startup
====================

At this point a discussion of the startup process for VLM and NETX is in order:

When a VLM or NETX client (Netware client) starts up, one of the first things it does is send out a "Get Nearest Server" request. Routers and servers will respond to this request by sending DIRECTED SAP packets to the starting node. The first response is accepted by the client, the client connects to this server and it becomes the default server.
If a preferred server is specified, the client will then read the address of the preferred server out of the bindery of the default server and attempt to attach to that server and use it as the starting point for running LOGIN.EXE.

Any server advertising as SAP type 0004 may become the default server.

***You should NEVER SPECIFY AN NWSERVER AS A PREFERRED SERVER.
***It is highly recommended that you specify a preferred server for a VLM or NETX client.
***It is highly recommended that you specify a preferred server for NWREDIR clients.

NWSERVER SAP ADVERTISING
========================

NWSERVER will allow you to turn on SAP advertising. When this capability is turned on, the NWSERVER will advertise itself using SAP type 0004. This makes the server appear in the Netware SLIST and allows VLM and NETX clients to MAP drives and print to the NWSERVER. It also means that clients may attach to NWSERVER as the default server during the initialization process.

***You cannot LOGIN to an NWSERVER.

When you turn on SAP advertising, NWSERVER will automatically share out a SYS volume which will correspond to the directory: WINDOWSDIR\NWSYSVOL, e.g. C:\WINDOWS\NWSYSVOL

This directory will have the subdirectory LOGIN containing the file LOGIN.EXE. This directory will be given WORLD read access (anyone can access it for read regardless of being logged in).

If a client is started on the network with no preferred server set it may wind up attached to the NWSERVER and find itself in this directory. Running the login program from this directory will log you into any real Netware server if specified. If not specified you will be logged into the NWSERVER's passthru server. If the NWSERVER's passthru server is down you must specify a server name to log into, e.g.

Q:\LOGIN>LOGIN RED_311

This LOGIN program in the SYS volume of an NWSERVER will only run if the default server is an NWSERVER.
If you are already logged into a Netware server you cannot run the LOGIN program off of an NWSERVER (it will fail).

If you turn on SAP advertising on NWSERVER you should make sure of the following:

1. You must make sure that the pass through server that the NWSERVER uses for security validation is a reliable server. If it is not you may encounter the following problem when the pass through server is down.

IFF a client starts up and has no preferred server set, and the pass through server is down for a SAPing NWSERVER, the client MAY connect to the NWSERVER and the LOGIN command WILL fail if the LOGIN command does not specify a server.

Remedy. If the client specifies the server to be logged into she should be able to log into the server. A non-specific login will continue to fail until the pass through server is back up. In this case the user will wind up logged into the passthru server.

M:\SYS>LOGIN            this may continue to fail
M:\SYS>LOGIN RED_311    this will ALWAYS work if you wound up with a default NWSERVER.

Remedy. If the client has a preferred server set it will never wind up with an NWSERVER as its default server.

2. You must make sure that SAPs are being propagated onto the network segments that NWSERVERs are running on. Some network configurations separate clients and servers on different subnets and configure the routers NOT to pass SAP information onto the client only subnet. If you do this any Netware server advertising type 0004 (including true Netware) will become a black hole on the network. It will be closer than any server on the server sub-net and thus the router will respond on the server's behalf to GetNearestServer requests from clients that are coming up on the client only subnet. Once the client is connected to the server on the client only subnet it will be unable to connect to any server on the server subnet since the server it is attached to will not have the names and addresses of the server on the server net.
THIS SHOULD BE AN EXTREMELY RARE CONFIGURATION. Unless you have some hot-shot network manager that is trying to play weird games with the routers, this should not be a problem.

3. Make sure the name of the NWSERVER and the other Netware and SAPing NWSERVER on your network do not overlap.

OTHER REMEDIES
==============

On any large campus network we strongly recommend you use user profiles. With this you can disable SAP advertising for all NWSERVERs on the network or you can disable the NWSERVER service completely.

Do not run SAP advertising. It is disabled by default.

Modifications for future versions of NWSERVER
=============================================

The following recommendations have already been made to avoid the above problems. We MAY implement some of these in future versions.

1. Don't allow the server to start if there is already a server with the same name.
2. If the passthru server is down, do not allow the NWSERVER's SAP Advertising to start.
3. Remove the SAP advertising control from the server control panel and banish it to an obscure registry setting so naive users do not turn it on accidentally.
4. Have the NWSERVER get its SAP information from the passthru server rather than accumulating it itself. This eliminates the "no SAPs on this segment problem".

---TEAR HERE---
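An added example, not part of the original message and not Microsoft code: a Python audit that parses a SAP payload and lists type 0004 advertisers missing from a site's approved server list, which is how an administrator could spot NWSERVERs that have SAP advertising turned on. The 64-byte entry layout and operation codes are the standard IPX SAP format rather than something the note states; the names JOES_PC and ENGINEERING, the approved list, and all addresses are constructed.

```python
import struct

# SAP service types named in the note; any other value is reported as "other".
SAP_TYPES = {0x0004: "file server", 0x067B: "browse master", 0x067C: "backup master"}
# One 64-byte SAP entry: service type, name, network, node, socket, hops.
ENTRY = struct.Struct(">H48s4s6sHH")


def parse_sap(payload: bytes):
    """Split a SAP payload (the data after the IPX header) into (operation, entries)."""
    if len(payload) < 2:
        raise ValueError("SAP payload shorter than the operation field")
    (operation,) = struct.unpack_from(">H", payload)
    body = payload[2:]
    if len(body) % ENTRY.size:
        raise ValueError("truncated SAP entry")
    entries = []
    for svc, name, net, node, _sock, hops in ENTRY.iter_unpack(body):
        entries.append({
            "type": svc,
            "kind": SAP_TYPES.get(svc, "other"),
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "address": f"{net.hex().upper()}:{node.hex().upper()}",
            "hops": hops,
        })
    return operation, entries


def unapproved_file_servers(payload: bytes, approved: set):
    """Names advertised as type 0004 that are not on the approved server list."""
    operation, entries = parse_sap(payload)
    if operation not in (2, 4):  # 2 = general response, 4 = nearest-server response
        return []
    # Hop count 16 marks a service as down, so such entries are skipped.
    return [e["name"] for e in entries
            if e["type"] == 0x0004 and e["hops"] < 16 and e["name"] not in approved]


def _entry(svc, name, node_hex):
    # Constructed sample entry: network 0000BEEF, socket 0x0451, one hop away.
    return ENTRY.pack(svc, name.encode(), bytes.fromhex("0000BEEF"),
                      bytes.fromhex(node_hex), 0x0451, 1)


# Constructed broadcast: a real server, a desktop with SAP advertising turned
# on, and a workgroup browse master (type 0x067B, so it is not flagged).
SAMPLE = (struct.pack(">H", 2) + _entry(0x0004, "RED_311", "000000000001")
          + _entry(0x0004, "JOES_PC", "00AA00123456")
          + _entry(0x067B, "ENGINEERING", "00AA00654321"))
```

Calling `unapproved_file_servers(SAMPLE, {"RED_311"})` flags only JOES_PC; the browse master entry is parsed but ignored because it does not use type 0004.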