Creating, Configuring, and Monitoring Connections
Each connection in the Network and Dial-up Connections folder contains a set of features that you can use to create a link between your computer and another computer or network. Outgoing connections contact a remote access or VPN server by using a configured access method (LAN, dial-up modem, ISDN line, and so on) to establish a connection with the network. Conversely, an incoming connection enables a computer running Windows 2000 Professional to be contacted by other computers, effectively turning your computer into a dial-in server. Whether you are connected locally (by a LAN), remotely (by dial-up, ISDN, and so on), or both, you can configure a connection so that it performs any network function that you want. For example, you can print to network printers, access network drives and files, browse other networks, and access the Internet. If you have upgraded to Windows 2000 Professional, Network and Dial-up Connections, shown in Figure 21.2, detects Windows 98 and Windows NT 4.0 Dial-up Networking phonebooks and creates a connection for each phonebook entry.

Figure 21.2 Network and Dial-up Connections
The Make New Connection wizard always appears in the Network and Dial-up Connections folder. It launches the Network Connection Wizard, which guides you through the process of creating all connection types, except for local area connections. Figure 21.3 shows the Network Connection Wizard.

Figure 21.3 Network Connection Wizard
The steps in the wizard guide you through the selection of the configuration options that are required for each type of connection. The wizard enables you to select among five common tasks to create a connection type. Each connection type is then automatically configured with the most appropriate defaults for most cases. The following types of connections are available:
Dial-up to private network
This type of connection enables you to connect to a corporate network, rather than the Internet. File and Printer Sharing is enabled.
Dial-up to the Internet
This type of connection enables you to connect to the Internet. It launches the Internet Connection Wizard. File and Printer Sharing for Microsoft Networks is disabled. This protects your computer's file and print shares from computers on the Internet.
The Internet Connection Wizard automatically connects you to the Microsoft Referral Service to help you select an ISP if you choose Dial-up to the Internet and either:
I want to sign up for a new Internet account. (My telephone line is connected to my modem.)
I want to transfer my existing Internet account to this computer. (My telephone line is connected to my modem.)
The Microsoft Referral Service automates the process and provides the phone numbers to you.
Connect to a private network through the Internet
This type of connection enables you to create a VPN. By default, it is set to automatically detect whether to create a VPN using L2TP or PPTP.
Accept incoming connections
This type of connection enables other users to dial into your computer.
Connect directly to another computer
This type of connection enables you to connect through a serial port, parallel port, or infrared.
NOTE
Before you create an Internet connection, check with your Internet service provider (ISP) to verify the required connection settings. A connection to your ISP might require one or more of the following settings:
A specific IP address.
IP header compression (for PPP).
DNS addresses and domain names.
Other optional settings, such as Internet Protocol security (IPSec).
NOTE
Local area connections cannot be created, because they are automatically created when the Plug and Play service detects network adapters. However, local area connections can be configured at any time.
Accessing Network Resources
Network and Dial-up Connections provides data communications-level access to your network, based on the user name and password credentials that you supply. This access does not imply privilege to use resources on the network. The network authorization process confirms your access rights to any network resource each time that you attempt to access it. For more information about authentication and authorization methods, see "Authentication" later in this chapter.
After you have connected to your network, access to resources is further controlled by various administrative controls on both your own computer and on the servers you are trying to access. These include File and Printer Sharing, Local Group Policy, and Group Policy through the Active Directory™ directory service.
The way network authentication credentials are processed depends on whether you use the Log on using dial-up connection option when you log on. The authentication process can be streamlined and made more complete by using this option.
NOTE
If your computer is connecting to a domain-protected network, you must have a user account on that network before you can be granted access to network resources.
Log On Using Dial-Up Connection
You can connect to your network using a dial-up or VPN connection, and log on to the network simultaneously by using the Log on using dial-up connection option. If your remote access server user name and password are the same as your domain user name and password, which they usually are, then you can provide a single set of credentials, and simultaneously log on to your network and provide information needed to access network resources. This provides maximum network access. Your computer and user accounts are authenticated, applicable computer and user account policies are invoked, and logon scripts are run.
If you do not choose the Log on using dial-up connection option, but log on to the computer and then invoke a connection after logon, you can be connected to the remote network if your credentials are acceptable to the remote access (dial-in) server, but your access to network resources may be limited. Consider the following cases:
In one case, if you logged on to your computer using domain credentials, then these credentials enable access to most network resources. However, your functionality might not be complete because your domain policy settings (such as IPSec policies) were not applied, and domain logon scripts were not run.
In another case, if you logged on to your computer using the account of a local user on the computer, then your logon credentials will not be appropriate for network access, so you will be challenged to provide domain credentials each time you attempt to access a network resource. As before, your access may be further limited by the fact that domain policy settings were not applied and that domain logon scripts were not run.
NOTE
If you are in a local area network environment, you can also simultaneously log on to your local computer and your network domain by logging on with domain credentials. For more information, see "Interactive Logon Process" later in this chapter.
Administrative Controls That Affect Network Access
After you have connected to your network, access to network resources such as files and printers might be affected by one or more administrative controls.
File and Printer Sharing is established by each resource, and permissions depend on user name or group membership.
Group Policy enforces specified requirements for your users' environments. For example, by using Group Policy, you can enforce local and domain security options, specify logon and logoff scripts, and redirect user folder storage to a network location. Local Group Policy can be applied at the local computer or workgroup level. In the domain environment, Local Group Policy and Group Policy can be applied by means of Active Directory.
For more information about Group Policy in Windows 2000, see "Security" in this book.
What Can I Configure?
Your ability to configure connections depends on several factors, including your administrative rights, whether a connection was created by using Only for myself or For all users, and which Group Policy settings are applied to you. If you have rights to configure your connections, you can modify settings on the General, Options, Security, Networking, and Sharing properties pages.
Configuration Privileges
If you are logged on with administrator-level rights, the Network Connection Wizard prompts you to choose whether a connection that you are creating is to be made available For all users, or Only for myself. If a connection is For all users, then this connection is available to any user who logs on to that computer, and only an administrator-level user who is logged on to that computer can modify the connection. If a user creates a connection Only for myself, then only the creator of that connection can modify or use it.
NOTE
Group Policy settings, which are designed to help manage large numbers of users in enterprise environments, can be used to control access to the Network and Dial-up Connections folder, and the connections in it. Settings can be used that enable or disable the ability to create connections, delete connections, or modify connection properties. For more information about these Group Policy settings, see "Local Group Policy Settings" later in this chapter.
If you choose Log on using dial-up connection when you start your Windows 2000 session, you only see the connections that are made available For all users. This is because before you log on, you are not authenticated to the network and your identity has not been verified. After you have logged on and proven your identity, you see the connections available as Only for myself.
Property Pages
When a connection is created, its default properties are appropriate for most uses; however, property pages are available for any connection-specific settings you need to make. All of the following property pages apply to dial-up, VPN, and direct connections. A local area connection has General and Sharing property pages only.
To configure dialing devices, phone numbers, host address, country/region codes, or dialing rules, click the General tab, shown in Figure 21.4.
Figure 21.4 General Tab of the Dial-up Connection Properties Page
To configure dialing and redialing options, multilink configuration, or X.25 parameters, click the Options tab, shown in Figure 21.5. If you are connecting to a network that is protected by a domain controller, check the Include Windows logon domain box so you are prompted for the domain name.
Figure 21.5 Options Tab of the Dial-up Connection Properties Page
To configure identity authentication, data encryption, or terminal window and scripting options, click the Security tab, shown in Figure 21.6. The Typical option is appropriate for most connections. Using that option, you can determine how your credentials are passed by selecting Validate my identity as follows. You can also use your logon credentials as credentials for this connection by selecting Automatically use my Windows logon name and password.
You only need to use the Advanced settings if you need more precise encryption and authentication settings. The Advanced settings are used for Extensible Authentication Protocol (EAP), discussed in "Remote Security" later in this chapter.
Figure 21.6 Security Tab of the Dial-up Connection Properties Page
To configure the dial-up server and protocols used for this connection, click the Networking tab, shown in Figure 21.7. This tab provides access to more advanced configuration, allowing you to install, uninstall, and configure protocols. For a VPN connection, you would use this tab to manually select PPTP or L2TP rather than allowing these VPN protocols to be selected automatically.
Figure 21.7 Networking Tab of the Dial-up Connection Properties Page
To enable or disable Internet Connection Sharing and on-demand dialing, click the Sharing tab, shown in Figure 21.8. By selecting Enable Internet Connection Sharing, you enable sharing and enable this computer to become your default gateway and name server for your network.
Figure 21.8 Sharing Tab of the Dial-up Connection Properties Page
Local Area Connections
A local area connection is automatically created for each network adapter in your computer that is detected by the Plug and Play service. After a card is physically installed, it is detected by the Plug and Play service. Network and Dial-up Connections enumerates the adapter and populates the Network and Dial-up Connections folder with a local area connection. Because local area connections are dependent upon a network card being recognized in the computer, they cannot be created by using Make New Connection.
For the adapter to be detected and the connection created, the Plug and Play service, Network and Dial-up Connections service, and Remote Procedure Call (RPC) services must be started. All of these services start automatically; no user interaction is required.
If a local area connection does not appear in the Network and Dial-up Connections folder, there might be several reasons:
The network adapter was removed. (A local area connection only appears if an adapter is detected.)
The installed network adapter is malfunctioning.
If your network adapter is a legacy adapter that is not detected by the Add New Hardware wizard or the Plug and Play service, then you might need to set up the adapter manually in Device Manager before you see a local area connection in the Network and Dial-up Connections folder.
If the driver is not recognized, the adapter appears in Device Manager but you cannot see a local area connection.
If your network adapter driver needs to be updated, use the Update Driver feature in the adapter's properties.
If your computer has one network adapter, but you need to connect to multiple LANs (for example, when traveling to a regional office), your local area connection network components need to be reconfigured each time you connect to a different LAN. However, you do not need to restart when you change TCP/IP or other connection settings.
TIP
Use the network adapters that are listed in the Hardware Compatibility List link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Also, use network adapter drivers that are supported by Windows 2000 Professional.
Clients, Services, and Protocols
The following clients, services, and protocols are installed by default with a local area connection:
Clients: Client for Microsoft Networks (allows you to access file and print shares of other Windows computers).
Services: File and Print Sharing for Microsoft Networks (allows you to share your own computer resources).
Protocols: TCP/IP, with automatic addressing enabled.
Any other clients, services, and protocols, including Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), must be installed separately.
To configure TCP/IP for a local area connection
In Network and Dial-up Connections, shown in Figure 21.9, right-click the local area connection, and then click Properties.

Figure 21.9 Network and Dial-up Connections
In Local Area Connection Properties, shown in Figure 21.10, select Internet Protocol (TCP/IP), and then click Properties.
Figure 21.10 Local Area Connection Properties
Do one of the following:
If you want IP settings to be assigned automatically, click Obtain an IP address automatically, and then click OK.
If you want to specify an IP address or a DNS server address, do the following in the Internet Protocol (TCP/IP) Properties dialog box, shown in Figure 21.11:
Click Use the following IP address, and in the IP address field, type the IP address.
Click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the IP addresses of the preferred and alternate DNS servers.
Figure 21.11 Internet Protocol (TCP/IP) Properties
To configure advanced TCP/IP options, such as multiple DNS server addresses, WINS addresses, and other options, click Advanced.
Whenever possible, use automated TCP/IP settings, such as automatic addressing, for the following reasons:
Automatic addressing is enabled by default.
If your location changes, you do not have to modify your IP settings.
Automated IP settings are used for all connections, and they eliminate the need to configure settings such as DNS, WINS, and so on.
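A command-line equivalent of the TCP/IP procedure above, as an added example that is not part of the original chapter: a batch file that switches one adapter between automatic and static settings with netsh, for the case where a single adapter moves between LANs. The connection name "Local Area Connection" and every address in it are assumed sample values.

```bat
@echo off
rem Added example: switch the TCP/IP settings of one local area connection.
rem Assumptions: the connection is named "Local Area Connection" and the
rem addresses below are constructed sample values (documentation range).
setlocal
set CONN=Local Area Connection

if /i "%~1"=="auto"   goto auto
if /i "%~1"=="static" goto static
echo Usage: %~n0 auto ^| static
goto end

:auto
rem Equivalent of "Obtain an IP address automatically", with DNS servers
rem also taken from DHCP. netsh reports a message if DHCP is already on.
netsh interface ip set address name="%CONN%" source=dhcp
netsh interface ip set dns name="%CONN%" source=dhcp
goto show

:static
rem Equivalent of "Use the following IP address".
netsh interface ip set address name="%CONN%" source=static addr=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1 gwmetric=1
rem Equivalent of "Use the following DNS server addresses":
rem preferred server first, alternate server added at position 2.
netsh interface ip set dns name="%CONN%" source=static addr=192.0.2.53
netsh interface ip add dns name="%CONN%" addr=192.0.2.54 index=2
goto show

:show
rem Print the resulting configuration so the change can be verified.
netsh interface ip show config name="%CONN%"

:end
endlocal
```

Run it with administrator-level rights; as the chapter notes, no restart is needed after the settings change.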
Limiting Protocols to Enhance Network Performance
Limiting the number of protocols on your computer enhances network performance and reduces network traffic. Windows 2000 attempts to establish connectivity by using every network protocol that is installed. By only installing and enabling the protocols that your system can use, Windows 2000 does not attempt to connect with additional protocols and creates connections more efficiently.
Local Area Connection Status
Like other connections, the appearance of the local area connection icon changes according to the status of the connection. The icon appears in the Network and Dial-up Connections folder, or if the network cable is disconnected, an additional icon appears in the taskbar. By design, if a network adapter is not detected by your computer, a local area connection icon does not appear in the Network and Dial-up Connections folder. Table 21.4 describes the different local area connection icons.
Table 21.4 Local Area Connection icons
Icon | Description | Location |
---|---|---|
(icon not shown) | The local area connection is active. | Network and Dial-up Connections folder |
(icon not shown) | The cable is unplugged from your computer, or from the wall or hub. | Network and Dial-up Connections folder |
(icon not shown) | The cable is unplugged from your computer, or from the wall or hub. | Taskbar |
(icon not shown) | The driver is disabled. | Network and Dial-up Connections folder |
None | The network adapter was not detected. | No icon appears in the Network and Dial-up Connections folder |
Right-click the local area connection, and then click Status.
To automatically enable the Status monitor each time the connection is active, right-click the local area connection, click Properties, and then select the Show icon in taskbar when connected check box. By default, the Status monitor is disabled for local area connections, but enabled for all other types of connections.
WAN Adapters
Permanent connection WAN adapters such as T1, Frame Relay, and ATM, also appear in the Network and Dial-up Connections folder as local area connections. For these adapters, some settings are autodetected, and some need to be configured. For example, for a Frame Relay adapter, the appropriate management protocol, Committed Information Rates (CIR), Data Link Connection Identifiers (DLCIs), and line signaling, must be configured. For these settings, refer to the product documentation included with the adapter or contact the manufacturer. Defaults might vary according to the adapter.
Configuring Remote Connections
Because all services and communication methods are configured within the connection, you do not need to use external management tools to configure dial-up, VPN, or direct connections. For example, the settings for a dial-up connection include the features to be used before, during, and after connecting. These include the modem you use to dial, the type of password authentication and data encryption you use upon connecting, and the remote network protocols you use after you connect.
Because settings are established per connection, you can create different connections that apply to different connection scenarios and their specific needs. For example, if you use a reserved TCP/IP address when you dial into your corporate office, you can configure a connection with a static TCP/IP address. You might also have a connection configured for an ISP. If your ISP allocates TCP/IP addresses using PPP, that connection's TCP/IP settings are set to Obtain an IP address automatically.
Connection status, which includes the duration and speed of a connection, is viewed from the connection itself; you do not need to use an external status tool. For more information about configuring connections, see Windows 2000 Help.
All connections are configured by right-clicking the connection, and then clicking Properties.
Configuring Advanced Settings
The settings in Advanced apply to all Network and Dial-up Connections. You can specify manual dialing preferences, network identification options such as your computer name or the domain to which your computer belongs, and you can install optional networking components such as the Simple Network Management Protocol (SNMP) service or the TCP/IP Print Server. You can also modify the order in which connections are accessed by network services, or the order in which your computer accesses network information.
Operator-Assisted Dialing
If you choose this setting, automatic dial-up settings are overridden where intervention is required. For example, use this setting if you are using a dial-up connection where you have to call through a manually operated switchboard.
Dial-Up Preferences
The settings in Dial-up Preferences affect connection creation privileges, Autodial options, and callback options.
You can enable or disable the Dial-up Preferences menu on your users' desktops by using the Enable the Dial-up Preferences item on the Advanced menu Group Policy setting. For more information, see "Local Group Policy Settings" later in this chapter.
Autodial
This preference lists the available locations where you can enable Autodial. Autodial maps and maintains network addresses to connection destinations, which allows the destinations to be automatically dialed when referenced, whether from an application or from a command prompt. To enable Autodial for a location, select the check box next to the location. To disable Autodial for a connection, clear the check box next to the location.
The following is an example of how Autodial works:
You are not connected to your ISP, and you click on an Internet address which is embedded in a word processing document.
You are asked to choose which connection is used to reach your ISP, that connection is dialed, and then you access the Internet address.
The next time you are not connected to your ISP and you click on the Internet address in the word processing document, the connection that you selected the first time is automatically dialed.
The Autodial feature works only when the Remote Access Auto Connection Manager service is started.
To start the Remote Access Auto Connection Manager service
Right-click My Computer, and then click Manage.
In the console tree, double-click Services and Applications, and then click Services.
In the details pane, right-click Remote Access Auto Connection Manager, and then click Start. Started displays in the Status column.
Callback
The settings in Callback indicate the conditions under which you want to use the feature. For example, you can configure callback to prompt you for a phone number during the dialing process, or you can specify that callback always call you back at a specific number.
Callback options are also configured by your remote access server system administrator on a per-user basis. The Always Callback to server setting overrides Network and Dial-up Connections settings. Therefore, if you have specified Ask me during dialing when the server offers in Network and Dial-up Connections, but your account on the remote access server designates Always Callback to (with a corresponding phone number), callback does not prompt you for a number when you dial in; it always calls you back at the number specified on the server.
How Callback Works
Callback behavior is determined by a combination of the settings that you specify in Network and Dial-up Connections, and by the remote access server settings designated by your system administrator.
After your call reaches the remote access server, the server determines whether your user name and password are correct. If they are, what happens next depends upon the settings that you have specified in Network and Dial-up Connections, and your remote access server callback settings. Table 21.5 illustrates callback behavior based on these settings.
NOTE
If you have specified No callback, but the remote access server is set to Always Callback to, you cannot connect. With this combination of settings, the remote access server requests callback, your computer refuses, and then the remote access server disconnects your connection.
Table 21.5 Callback Behavior
Your Computer's Callback Setting | Remote Access Server Callback Setting | Behavior |
---|---|---|
No callback | No callback | The connection stays up. |
No callback | Set by caller | The remote access server offers callback, the client declines, the connection stays up. |
No callback | Always callback to | The remote access server offers callback, the client declines, the remote access server disconnects the connection. |
Ask me during dialing when the server offers | No callback | The connection stays up. |
Ask me during dialing when the server offers | Set by caller | The Callback dialog box appears on your computer. You then type the current callback number in the dialog box and wait for the server to disconnect and return the call. Optionally, you can press Esc at this point to cancel the callback process and remain connected. |
Ask me during dialing when the server offers | Always callback to | The remote access server disconnects and then returns the call, using the number specified on the remote access server. |
Always call me back at the number(s) below | No callback | The connection stays up. |
Always call me back at the number(s) below | Set by caller | The remote access server disconnects and then returns the call, using the number specified in Network and Dial-up Connections. |
Always call me back at the number(s) below | Always callback to | The remote access server disconnects and then returns the call, using the number specified on the remote access server. |
NOTE
If your computer is configured to accept incoming connections, you can enforce callback options on that computer.
Network Identification
Network Identification displays your computer name, and the workgroup or domain to which the computer belongs. You can change the name of your computer, or join a domain by clicking Properties.
Advanced Settings
Windows 2000 uses network providers and bindings in the order specified in Advanced Settings. By changing your provider order, and by changing the order of protocols bound to those providers, you can improve performance. For example, if your LAN connection is enabled to access NetWare and Microsoft Windows networks, which use IPX and TCP/IP, but your primary connection is to a Microsoft Windows network that uses TCP/IP, you can move Microsoft Windows Network to the top of the Network providers list on the Provider Order tab, and move Internet Protocol (TCP/IP) to the top of the File and Printer Sharing for Microsoft Networks binding on the Adapters and Bindings tab.
You can enable or disable the Advanced Settings option on the Advanced menu by using the Enable the Advanced Settings item on the Advanced menu setting in Group Policy. For more information, see "Local Group Policy Settings" later in this chapter.
Optional Networking Components
Optional networking components support network operations performed by Windows 2000 that are not automatically installed with Windows 2000. Some of these components include the Route Listening Service, Simple TCP/IP Services, SNMP Services, and Print Services for UNIX.