Configuring and Troubleshooting a Windows Server ... - CREDIS

O F F I C I A L

M I C R O S O F T

L E A R N I N G

P R O D U C T

6421B Configuring and Troubleshooting a Windows Server® 2008 Network Infrastructure

Configuring and Troubleshooting a Windows Server® 2008 Network Infrastructure

ix


Contents Module 1: Planning and Configuring IPv4 Lesson 1: Planning an IPv4 Network Infrastructure Lesson 2: Overview of Name Resolution Services in an IPv4 Network Infrastructure Lesson 3: Configuring and Troubleshooting IPv4 Lab: Planning and Configuring IPv4

1-3 1-8 1-14 1-26

Module 2: Configuring and Troubleshooting DHCP Lesson 1: Overview of the DHCP Server Role Lesson 2: Configuring DHCP Scopes Lesson 3: Configuring DHCP Options Lesson 4: Managing a DHCP Database Lesson 5: Monitoring and Troubleshooting DHCP Lesson 6: Configuring DHCP Security Lab: Configuring and Troubleshooting the DHCP Server Role

2-3 2-11 2-18 2-24 2-35 2-43 2-47

Module 3: Configuring and Troubleshooting DNS Lesson 1: Installing the DNS Server Role Lesson 2: Configuring the DNS Server Role Lesson 3: Configuring DNS Zones Lesson 4: Configuring DNS Zone Transfers Lesson 5: Managing and Troubleshooting DNS Lab: Configuring and Troubleshooting DNS

3-3 3-14 3-25 3-34 3-39 3-50

Module 4: Configuring and Troubleshooting IPv6 TCP/IP Lesson 1: Overview of IPv6 Lesson 2: IPv6 Addressing Lesson 3: Coexistence with IPv6 Lesson 4: IPv6 Transition Technologies Lab A: Configuring an ISATAP Router Lesson 5: Transitioning from IPv4 to IPv6 Lab B: Converting the Network to Native IPv6

4-3 4-12 4-22 4-28 4-35 4-41 4-46

xi

xii


Module 5: Configuring and Troubleshooting Routing and Remote Access Lesson 1: Configuring Network Access Lesson 2: Configuring VPN Access Lesson 3: Overview of Network Policies Lesson 4: Overview of the Connection Manager Administration Kit Lesson 5: Troubleshooting Routing and Remote Access Lab A: Configuring and Managing Network Access Lesson 6: Configuring DirectAccess Lab B: Configuring and Managing DirectAccess

5-3 5-12 5-22 5-28 5-33 5-43 5-50 5-65

Module 6: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Lesson 1: Installing and Configuring a Network Policy Server Lesson 2: Configuring RADIUS Clients and Servers Lesson 3: NPS Authentication Methods Lesson 4: Monitoring and Troubleshooting a Network Policy Server Lab: Configuring and Managing Network Policy Server

6-3 6-10 6-20 6-29 6-37

Module 7: Implementing Network Access Protection Lesson 1: Overview of Network Access Protection Lesson 2: How NAP Works Lesson 3: Configuring NAP Lesson 4: Monitoring and Troubleshooting NAP Lab: Implementing NAP into a VPN Remote Access Solution

7-3 7-12 7-19 7-26 7-33

Module 8: Increasing Security for Windows Servers Lesson 1: Windows Security Overview Lesson 2: Configuring Windows Firewall with Advanced Security Lesson 3: Deploying Updates with Windows Server Update Services Lab: Increasing Security for Windows Servers

8-3 8-9 8-15 8-23

Module 9: Increasing Security for Network Communication Lesson 1: Overview of IPsec Lesson 2: Configuring Connection Security Rules Lesson 3: Configuring IPsec NAP Enforcement Lesson 4: Monitoring and Troubleshooting IPsec Lab: Increasing Security for Network Communication

9-3 9-11 9-20 9-26 9-33


Module 10: Configuring and Troubleshooting Network File and Print Services Lesson 1: Configuring and Troubleshooting File Shares Lesson 2: Encrypting Network Files with EFS Lesson 3: Encrypting Partitions with BitLocker Lesson 4: Configuring and Troubleshooting Network Printing Lab: Configuring and Troubleshooting Network File and Print Services

10-3 10-12 10-17 10-22 10-29

Module 11: Optimizing Data Access for Branch Offices Lesson 1: Branch Office Data Access Lesson 2: DFS Overview Lesson 3: Overview of DFS Namespaces Lesson 4: Configuring and Troubleshooting DFS Replication Lab A: Implementing DFS Lesson 5: Configuring BranchCache Lab B: Implementing BranchCache

11-3 11-6 11-18 11-25 11-33 11-39 11-49

Module 12: Controlling and Monitoring Network Storage Lesson 1: Monitoring Network Storage Lesson 2: Controlling Network Storage Utilization Lesson 3: Managing File Types on Network Storage Lab: Controlling and Monitoring Network Storage

12-3 12-10 12-16 12-28

Module 13: Recovering Network Data and Servers Lesson 1: Recovering Network Data with Shadow Copies Lesson 2: Recovering Network Data and Servers with Windows Server Backup Lab: Recovering Network Data and Servers

13-3 13-9 13-17

Module 14: Monitoring Windows Server 2008 Network Infrastructure Servers Lesson 1: Monitoring Tools Lesson 2: Using Performance Monitor Lesson 3: Monitoring Event Logs Lab: Monitoring Windows Server 2008 Network Infrastructure Servers

14-3 14-12 14-21 14-26

xiii

xiv


Lab Answer Keys Module 1 Lab: Planning and Configuring IPv4 L1-1 Module 2 Lab: Configuring and Troubleshooting the DHCP Server Role L2-7 Module 3 Lab: Configuring and Troubleshooting DNS L3-13 Module 4 Lab A: Configuring an ISATAP Router L4-19 Module 4 Lab B: Converting the Network to Native IPv6 L4-25 Module 5 Lab A: Configuring and Managing Network Access L5-29 Module 6 Lab B: Implementing DirectAccess L5-36 Module 6 Lab: Configuring and Managing Network Policy Server L6-53 Module 7 Lab: Implementing NAP into a VPN Remote Access Solution L7-59 Module 8 Lab: Increasing Security for Windows Servers L8-69 Module 9 Lab: Increasing Security for Network Communication L9-73 Module 10 Lab: Configuring and Troubleshooting Network File and Print Services L10-79 Module 11 Lab A: Implementing DFS L11-87 Module 11 Lab B: Implementing BranchCache L11-92 Module 12 Lab: Controlling and Monitoring Network Storage L12-101 Module 13 Lab: Recovering Network Data and Servers L13-107 Module 14 Lab: Monitoring Windows Server 2008 Network Infrastructure Servers L14-113

About This Course

xv

About This Course This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description The purpose of this five-day course is to the skills and knowledge required to configure and troubleshoot a Windows Server® 2008 and Windows Server 2008 R2 Sp1 Network Infrastructure. It will cover networking technologies most commonly used with Windows Server 2008 and Windows Server 2008 R2 Sp1 such as DNS, DHCP, IPv4 and IPv6 network addressing, Network Policy server and Network Access Protection, configuring secure network access. It also covers fault tolerant storage technologies, Network Storage and routing and remote access as well as many other relevant technologies. After completing this course, students will be able to configure and troubleshoot Windows Server 2008 and Windows Sever 2008 R2 Sp1 network infrastructures.

Audience This course will be of interest and benefit to attendees with different back grounds and career aspirations. It will be of interest to Network Administrators who currently are, or will be, working with Windows Server 2008 servers. It will also be of interest and benefit to Active Directory technology specialists who aspire to be Enterprise Administrators (Tier 4 day-to-day network operations) or experienced Server Administrators who aspire to be Enterprise Administrators. Storage Area Network Administrators who need to understand this information to deploy or extend their current storage infrastructure and Operations Managers who need this information to support troubleshooting efforts and business decisions would also benefit from this course.

Student Prerequisites This course requires that you meet the following prerequisites: •

Intermediate understanding of Windows operating systems. You should have an intermediate understanding of Windows Server operating systems such as Windows Server® 2003, Windows Server 2008 or Windows Server 2008 R2 and Windows client operating systems such as Windows Vista or Windows 7. Client operating system knowledge equivalent to the below certifications would be of benefit. Exam 70-680: TS: Windows 7, Configuration or Exam 70-620: TS: Windows Vista, Configuring

•

Basic understanding of networking. You should understand how TCP/IP functions and also have a basic understanding of addressing, name resolution (Domain Name System [DNS]/Windows® Internet Name Service [WINS]), connection methods (wired, wireless, virtual private network [VPN]), and NET+ or equivalent knowledge.

xvi

About This Course

•

An awareness of security best practices. You should understand file system permissions, authentication methods, workstation, and server hardening methods, and so forth. The minimum level of knowledge required in the above three bullet points, excluding the client experience, can be covered by having knowledge equivalent to the moc course 6420B: Fundamentals of Windows Server 2008 or by obtaining the Microsoft Technology Associate (MTA) certifications listed below.

•

•

98-365: Windows Server Fundamentals

•

98-366: Networking Fundamentals

•

98-367: Security Fundamentals

Basic knowledge of Active Directory® would also be of benefit.

Course Objectives After completing this course, students will be able to: •

Plan and configure an IPv4 network infrastructure.

•

Implement DHCP within their organization.

•

Configure and troubleshoot DNS.

•

Configure, transition to, and troubleshoot IPv6.

•

Configure and troubleshoot routing and remote network access.

•

Install, configure, and troubleshoot the Network Policy Server Role service.

•

Implement Network Access Protection.

•

Implement security features to help improve the security of Windows Server 2008 and Windows Server 2008 R2 Sp1.

•

Implement security features within Windows Server that help to secure network communications.

•

Configure and troubleshot file and print services.

•

Enable and configure services to optimize branch office data access.

•

Control and monitor network storage.

•

Recover data on Windows Server 2008 and Windows Server 2008 R2 Sp1 servers.

•

Monitor Windows Server 2008 and Windows Server 2008 R2 Sp1 network infrastructure services.

About This Course

xvii

Course Outline This section provides an outline of the course: Module 1: Planning and Configuring IPv4. To deploy and configure networking services in your organization, it is important that you understand the fundamentals that underpin many of these services. This module explains how to implement an IPv4 addressing scheme, determine which name services to deploy, and troubleshoot network-related problems. Module 2: Configuring and Troubleshooting DHCP. Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server 2008 R2 infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (WDS) and Network Access Protection (NAP). To support and troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to deploy, configure, and troubleshoot the DHCP Server Role. Module 3: Configuring and Troubleshooting DNS. The Domain Name System (DNS) is the foundation name service in Windows Server 2008 R2. It is vital that you understand how to deploy, configure, manage, and troubleshoot this critical service. Module 4: Configuring and Troubleshooting IPv6 TCP/IP. IPv6 is a technology that will help ensure that the Internet can support a growing user base and the increasingly large number of IP-enabled devices. The current Internet Protocol Version 4 (IPv4) has served as the underlying Internet protocol for almost thirty years. Its robustness, scalability, and limited feature set is now challenged by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware devices. Module 5: Configuring and Troubleshooting Routing and Remote Access. To support your organization’s distributed workforce, you must become familiar with technologies that enable remote users to connect to your organization’s network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess. It is important that you understand how to configure and secure your remote access clients by using network policies. This module explores these remote access technologies. Module 6: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service. NPS provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured as a RADIUS server or proxy. Additionally, NPS provides functionality that is essential for the implementation of Network Access Protection (NAP). To support remote clients and to implement NAP, it is important that you know how to install, configure, and troubleshoot NPS. Module 7: Implementing Network Access Protection. Network Access Protection (NAP) enables you to create customized health-requirement policies to validate computer health before allowing access or communication. NAP also automatically updates compliant computers to ensure ongoing compliance and can limit the access of noncompliant computers to a restricted network until they become compliant. Module 8: Increasing Security for Windows Servers. Security is an essential consideration for networking with Windows Server 2008. No system is ever completely secure, but you can implement various methods to increase security. Windows Firewall with Advanced Security is one of the features in Windows Server 2008 that is used to increase security. You can also use Windows Server Update Services to ensure that approved security updates are applied to servers in a timely way.

xviii

About This Course

Module 9: Increasing Security for Network Communication. Internet Protocol security (IPsec) is a framework of open standards for protecting communications over IP networks through cryptographic security services. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft IPsec implementation is based on standards that the Internet Engineering Task Force (IETF) IPsec working group developed. To help increase security for network communications within your organization, it is important that you understand how to implement, configure, and troubleshoot IPsec. Module 10: Configuring and Troubleshooting Network File and Print Services. File and print services are some of the most commonly implemented network services for end users. Unlike infrastructure services like DNS, file and print services are highly visible to the end users. You need to understand how to configure and troubleshoot file and print services to provide high quality service to end users. In addition to basic file and print services, both EFS and BitLocker can be used to increase the security of files that are located in file shares. Module 11: Optimizing Data Access for Branch Offices. Many organizations maintain a large number of file resources that need to be organized and made highly available to users. These file resources are often stored on servers and provided to users who are distributed geographically in widespread locations. In this situation, you need to find an efficient solution to help users locate the most recent files quickly. Managing multiple data sites often introduces additional challenges, such as limiting network traffic over slow wide area network (WAN) connections, ensuring the availability of files during WAN or server failures, and backing up file servers that are located at smaller branch offices. Module 12: Controlling and Monitoring Network Storage. Network storage for users is a finite resource that must be managed appropriately to ensure that it remains available for all users. If network storage is not monitored and managed, it can become filled with irrelevant data, such as personal music or movies. Irrelevant data increases network storage costs and in some cases can prevent useful data from placement on the network storage. File Server Resource Manager (FSRM) can be used to monitor and manage network storage. Module 13: Recovering Network Data and Servers. There are a variety of scenarios where a network data or a server that provides networks services can be lost. Volume shadow copies can be used to restore previous versions of files when a file is accidentally deleted or modified on a computer that is running Windows Server 2008. Windows Server Backup can be used to back up and restore data files or an entire server. Module 14: Monitoring Windows Server 2008 Network Infrastructure Servers. When a system failure or an event that affects system performance occurs, you need to be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern network environment, the ability to determine the root cause quickly often depends on having an effective performance monitoring methodology and toolset. Performance-monitoring tools are used to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

xxii

About This Course

Course Materials The following materials are included with your kit: •

Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience. •

Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.

•

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.

•

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.

•

Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook. •

Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.

•

Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN® and Microsoft Press®.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations. •

Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. •

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].

1-1

Module 1 Planning and Configuring IPv4 Contents: Lesson 1: Planning an IPv4 Network Infrastructure

1-3

Lesson 2: Overview of Name Resolution Services in an IPv4 Network Infrastructure

1-8

Lesson 3: Configuring and Troubleshooting IPv4

1-14

Lab: Planning and Configuring IPv4

1-25

1-2


Module Overview

To deploy and configure networking services in your organization, it is important that you understand the fundamentals that underpin many of these services. In this module, you will see how to implement an IPv4 addressing scheme, determine which name services to deploy, and troubleshoot network-related problems.

Objectives After completing this module, you will be able to: •

Plan an IPv4 addressing scheme.

•

Determine which name services you must deploy.

•

Configure and troubleshoot an IPv4 network.

Planning and Configuring IPv4

1-3

Lesson 1

Planning an IPv4 Network Infrastructure

To properly implement network services you should have a thorough understanding of IPv4 addressing. A good understanding of IPv4 addressing enables you to make appropriate decisions about the configuration and placement of network servers within your IPv4 infrastructure.

Objectives After completing this lesson, you will be able to: •

Describe an IPv4 subnet.

•

Plan an IPv4 addressing scheme.

•

Select an appropriate IPv4 addressing scheme.

1-4


What Is an IPv4 Subnet?

A subnet is a network’s physical segment that a router or routers separate from the rest of the network. When your Internet service provider (ISP) assigns your network an address range, you often must subdivide the range to match your network’s physical layout; in other words, you subdivide a large network into logical subnets. Note Most organizations use private IP addresses within their networks, using public addresses only for Internet-facing computers. When you subdivide a network into subnets, you create a unique ID for each subnet, which you derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID, which enables you to create more networks. By using subnets, you can perform the following tasks: •

Use a single Class A, B, or C network across multiple physical locations. Class

•

First octet

Default subnet mask

Number of networks

Number of hosts per network

A

1-127

255.0.0.0

126

16,777,214

B

128-191

255.255.0.0

16,384

65,534

C

192-223

255.255.255.0

2,097,152

254

Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.

A subnet mask specifies which part of an IPv4 address is the network ID and which is the host ID. A subnet mask has four octets, similar to an IPv4 address. In simple IPv4 networks, the subnet mask defines full octets as part of the network ID and host ID. A 255 represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.


1-5

In complex networks, you might subdivide one octet with some bits that are for the network ID and some for the host ID. Classless addressing, or Classless Inter-Domain Routing (CIDR), is when you use more or less than a whole octet for subnetting. This type of subnetting uses a different notation, as shown in the following example. 172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing. 172.16.16.1/20

The /20 represents how many subnet bits are in the mask, and this notation is Variable Length Subnet Masking (VLSM); this is also known as network prefix length notation. Private IP addresses are commonly used for local area networks (LANs). These private IP address ranges are non-routed on the global Internet. An organization needing a private address space can use these addresses without approval from an ISP. Private address ranges are shown in the following table. Class

Mask

Range

A

10.0.0.0/8

10.0.0.0-10.255.255.255

B

172.16.0.0/12

172.16.0.0-172.31.255.255

C

192.168.0.0/16

192.168.0.0-192.168.255.255

Additional Reading •

For more information, see Address Allocation for Private Internets: http://go.microsoft.com/fwlink/?LinkID=163880&clcid=0x409

1-6


Plan an IPv4 Addressing Scheme

Selecting an appropriate addressing scheme for your organization includes the following tasks: •

Choosing whether to use public or private IPv4 addresses.

•

Calculating the number of subnets required. You can calculate the number of subnet bits by determining how many you need in your network. Use the formula 2^n, where n is the number of bits. The result must be at least the number of subnets that your network requires.

•

Calculating the number of hosts in each subnet. You can calculate the number of host bits that are required by using the formula 2^n-2, where n is the number of bits.

•

Selecting an appropriate subnet mask(s).

When you have determined these factors, you must then perform the following: •

Calculate the subnet network IDs. To determine network IDs quickly, you can use the lowest value bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 with the subnet mask 255.255.0.0 by using 3 bits, this would mean using 255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary, and the lowest bit set to 1 has a value of 32, so that will be the increment between each subnet address.

•

Determine the range of host addresses within each subnet. You can calculate each subnet’s range of host addresses by using the following process: the first host is one binary digit higher than the current subnet ID, and the last host is two binary digits lower than the next subnet ID.

•

Implement the planned addressing scheme. Question: What is the subnet address for the following host: 192.168.16.17/28?


Discussion: Selecting an Appropriate Addressing Scheme

Question: Contoso.com has implemented IPv4 throughout the organization. It is currently implementing a new head office building. The office will host 5,000 computers that are distributed fairly evenly across 10 floors of these offices. What address class would suit this scenario? Question: Analysis of the network traffic at the existing head office shows that the maximum number of hosts for each subnet should be around 100. How many subnets are required, and assuming a network address for the whole site of 172.16.0.0/16, what mask should you use to ensure sufficient support for the required subnets? Question: Assuming the network address for the head office is 172.16.0.0/19, what mask would you assign to each subnet? Question: How many hosts can you have in each subnet based on your selected mask? Question: Assuming you implement the mask that you determined for each subnet, what would the first subnet address be? Question: What are the first and last host addresses for the first subnet?

1-7

1-8


Lesson 2

Overview of Name Resolution Services in an IPv4 Network Infrastructure

Name resolution provides the foundation for many network services. Microsoft® networking services have relied upon two name resolution services in the past. The Windows Internet Name Service (WINS) provides NetBIOS names to IP address mappings and is used to support legacy NetBIOS applications. The Domain Name System (DNS) has been widely adopted as the standard for name resolution in IP networks. In this lesson, you will consider which name services you are likely to need to deploy in your organization’s network to support the network services that you have implemented.


Describe name resolution.

•

Describe DNS.

•

Determine the need for WINS.


1-9

What Is Name Resolution?

Name resolution is the process of determining the IP addresses that is associated with computer names. Name resolution is an essential part of computer networking because it is easier for users to remember names than abstract numbers such as an IPv4 address. Windows hosts support two types of names: a host name and a NetBIOS name. In Windows operating systems, applications can request network services through Windows Sockets, Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name. Note NetBIOS is a session management protocol used in earlier versions of Microsoft network operating systems. Windows® 7 and Windows Server 2008 R2 provide support for NetBIOS. Many current applications, including Internet applications, use Windows Sockets to access network services. Newer applications designed for Windows 7 and Windows Server 2008 R2 use Winsock Kernel. Earlier applications use NetBIOS.

Name Resolution Process The Domain Name System (DNS) is the Microsoft standard for resolving host names to IP Addresses. Applications also use DNS to do the following: •

Locate domain controllers and global catalog servers. This is used when you are logging on to the Active Directory Domain Services (AD DS).

•

Resolve IP addresses to host names. This is useful when a log file contains only a host’s IP address.

•

Locate a mail server for email delivery. This is used for the delivery of all Internet email.

WINS provides a centralized database for registering dynamic mappings of a network’s NetBIOS names. Support is retained for WINS to provide backward compatibility.

1-10


In addition to using WINS, you can resolve NetBIOS names by using the following: •

Broadcast messages. Broadcast messages do not work well on large networks because routers do not propagate broadcasts.

•

Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high maintenance solution because you must maintain the file manually on all computers.

Host Name Resolution Process When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast Name Resolution (LLMNR) when attempting to resolve the host name. The hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving single-label, unqualified host names. Windows resolves host names by performing the following actions: 1.

Checking whether the host name is the same as the local host name.

2.

Searching the DNS resolver cache.

3.

Searching the Hosts file.

4.

Sending a DNS request to its configured DNS servers.

Windows resolves hosts names that are single-label, unqualified names, by performing the following actions: 1.

Using LLMNR on the local subnet. Note LLMNR enables hosts in a network to resolve one another's computer names without using a name server and without relying on broadcasting.

2.

Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.

3.

Sending a DNS request to its configured WINS servers.

4.

Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly attached.

5.

Searching the Lmhosts file. Note You can exert control over the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name resolution methods are attempted. Alternatively, you can modify the NetBIOS node type which results in a change to the precise order in which the NetBIOS name resolution methods are attempted.


1-11

Name Resolution with DNS

DNS is the Microsoft standard for resolving host names to IP Addresses. DNS is a service that manages the resolution of FQDN-based host names to IP addresses. TCP/IP identifies source and destination computers by their IPv4 or IPv6 addresses. However, since it is easier for users to remember names than numbers, common or user-friendly names are assigned to the computer’s IP address. The most common type of name used is a host name. When DNS names are resolved on the Internet, an entire system of computers is used rather than just a single server. There are 13 root servers on the Internet that are responsible for managing the overall structure of DNS resolution. When registering a domain name on the Internet, you are paying for the privilege of being part of this system. The name resolution process for the name www.microsoft.com is as follows: 1.

A workstation on the Internet queries its configured DNS server for the IP address of www.microsoft.com.

2.

If the configured DNS server does not have the information, then it queries a root DNS server for the location of the .com DNS servers.

3.

The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.

4.

The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.

5.

The IP address of www.microsoft.com is returned to the workstation.

You can modify the name resolution process by configuring the following: •

Caching: After a local DNS server resolves a DNS name, it will cache the results for approximately 24 hours. Subsequent resolution requests for the DNS name are given the cached information.

•

Forwarding: A DNS server can be configured to forward DNS requests to another DNS server instead of querying root servers. For example, requests for all Internet names can be forwarded to a DNS server at an ISP.

1-12


Name Resolution with WINS

WINS provides a centralized database for registering dynamic mappings of a network’s NetBIOS names. Support is retained for WINS to provide backward compatibility. WINS might remain necessary on your organization’s network for several reasons. The main reason is because some applications still use NetBIOS to provide functionality to users. WINS is required for the following reasons: •

Older versions of Microsoft operating systems rely on WINS for name resolution.

•

Some applications, typically older ones, rely on NetBIOS names.

•

You might need dynamic registration of single-label names.

•

Users might rely on the Network Neighborhood or My Network Places network browser features.

•

You might not be using Windows Server 2008 to provide your DNS infrastructure.

You must configure a WINS server with a static IP address because client computers contact the WINS server by using an IP address. Note

WINS is an IPv4-only service, and it will not work in an IPv6-only environment.

In addition to WINS, NetBIOS names can be resolved by broadcast messages or by implementing LMHOSTS files on all computers. Broadcast messages do not work well on large networks because routers do not pass broadcasts. Using an LMHOSTS file for NetBIOS name resolution is a high-maintenance solution because the file must be constantly updated on the computers.


1-13

GlobalNames Zone The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks might require the ability to resolve static, global records with single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually created and is not available for dynamic registration of records. GNZ is intended to help customers migrate to DNS for all name resolution; the DNS Server role in Windows Server 2008 supports the GNZ feature. GNZ is intended to assist in the migration from WINS; however, it is not a replacement for WINS. GNZ is not intended to support the single-label name resolution of records that are registered in WINS dynamically and those that are not managed by IT administrators typically. Support for these dynamically registered records is not scalable, especially for larger customers with multiple domains and/or forests. The recommended GNZ deployment is by using an AD DS–integrated zone, named GlobalNames, that is distributed globally. Instead of using the GNZ, you can choose to configure DNS and WINS integration. Do this by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to only use a single name service, DNS, and still be able to resolve NetBIOS-compliant names.

Best Practice If your organization relies heavily on NetBIOS applications, continue to use WINS. If you plan to migrate from WINS to DNS, implement WINS integration on your DNS zones. When you have decommissioned most of your NetBIOS applications, or only have a few NetBIOS applications, use the GNZ to manage static, single-label names.

1-14


Lesson 3

Configuring and Troubleshooting IPv4

Often, problems with network services originate with the underlying network configuration. Consequently, you must be able to configure IPv4 and troubleshoot fundamental IPv4 network-related problems.


Configure IPv4 manually to provide a static configuration for a server.

•

Configure a server so that it obtains an IPv4 configuration automatically.

•

Use IPv4 troubleshooting tools.

•

Develop troubleshooting methodology to help to resolve fundamental IPv4 problems.

•

Describe the function of Network Monitor.

•

Use Network Monitor to capture and analyze network traffic.


1-15

Configuring IPv4 Manually

You can configure static IPv4 configuration manually for each of your network’s computers. IPv4 configuration includes the following: •

IPv4 address

•

Subnet mask

•

Default gateway

•

DNS server

Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 20 users. Additionally, making a large number of manual configurations heightens the risk of mistakes. There are times when assigning a static IPv4 configuration is recommended; for example, a name server— DNS or WINS—should have a static IPv4 configuration to enable client resolvers to locate it. In addition, Internet-facing servers might have statically assigned IPv4 addresses, provided to your organization from an ISP or telecom provider. For example, to implement DirectAccess, your Internetfacing DirectAccess server must have two consecutive public IPv4 addresses. Use the following procedure to configure Windows with a manually assigned IPv4 configuration: 1.

Open the Network and Sharing Center, and then select Change adapter settings.

2.

Right-click the appropriate network connection and then click Properties.

3.

Double-click Internet Protocol Version 4 (TCP/IPv4) and then enter the appropriate configuration.

Alternatively, you can use the netsh.exe command line tool. For example, the following command configures the interface named Local Area Connection with the static IP address 172.16.16.3, the subnet mask of 255.255.255.0, and a default gateway of 172.16.16.1. Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1

1-16


Configuring IPv4 Automatically

DHCP for IPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns additional IPv4 settings from scopes that you define for each of your network’s subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope. DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following: •

Include resilience into your DHCP service design so that the failure of a single server does not prevent the service from functioning.

•

Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network and prevent communication.

If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. Windows supports the use of APIPA and an alternate static IP address for this situation. When you configure Windows computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range, but with no default gateway or DNS server; this enables limited functionality. APIPA is useful for troubleshooting DHCP; if the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.


1-17

IPv4 Troubleshooting Tools

Windows Server 2008 includes a number of utilities that help you to diagnose network problems.

IPConfig IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh DHCP and DNS settings. The following table describes the command-line options for IPConfig.exe. Command

Purpose

IPConfig /all

View detailed configuration information

IPConfig /release

Release the leased configuration back to the DHCP server

IPConfig /renew

Renew the leased configuration

IPConfig /flushdns

Purge the DNS resolver cache

IPConfig /displaydns

View the DNS resolver cache entries

Ping Ping might verify IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message Protocol (ICMP) Echo Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary TCP/IP command used to troubleshoot connectivity; however, firewalls might block the ICMP messages.

Tracert Tracert determines the path taken to a destination computer by sending a series of ICMP Echo Requests. The path displayed is the list of router interfaces between a source and a destination. This tool also determines which router has failed and what the latency, or speed, is. These results might not be accurate if the router is busy since the ICMP packets are assigned a low priority by the router.

1-18


Pathping Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail because it sends 100 packets for each router, which enables it to establish trends.

NSlookup NSlookup displays information that you can use to diagnose the DNS infrastructure. You can use NSlookup to confirm connection to the DNS server and that the required records exist.

NBTSTAT NBSTAT is a command-line NetBIOS name resolution and troubleshooting tool. This tool enables you to determine NetBIOS names in the NetBIOS name cache, and to clear the NetBIOS name cache.

Telnet You can install the Telnet Client feature and use it to verify whether a server port is listening. For example, Telnet.exe 10.10.0.10:25 attempts to open a dialog with the destination server, 10.10.0.10, on port 25, SMTP. If the port is active and listening, it should return a message to the Telnet client.

Netstat Netstat is a command-line tool that enables you to view network connections and statistics.

Windows Network Diagnostics Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a Windows Server networking problem, the Diagnose Connection Problems option helps diagnose and repair the problem. A possible description of the problem and a potential remedy are presented. The solution might need manual intervention from the user.

Event Viewer Event logs are files that record significant events on a computer, such as when a process encounters an error. IP conflicts will be reflected in the system log and might prevent services from starting. When these events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read the log. When you troubleshoot errors on Windows Server, view the events in the Event Logs to determine the cause of the problem.


1-19

Troubleshooting Process

If you experience network connectivity problems while using Windows Server, use Window Network Diagnostics to start the troubleshooting process. If Windows Network Diagnostics cannot resolve the problem, follow a troubleshooting process that uses the available Windows Server tools and consists of the following steps: 1.

Consult Windows Network Diagnostics.

2.

Use IPConfig to check local IP configuration.

3.

Use Ping to diagnose two-way communication with a remote system.

4.

Use Tracert to identify each hop, or router, between two systems.

5.

Use NSlookup to verify DNS configuration and operation.

6.

Check the events logs.

General Network Diagnostics When Windows Server encounters a network-connection problem, use Windows Network Diagnostics to perform diagnostic procedures. Windows Network Diagnostics analyzes the problem and, if possible, presents a solution or a list of possible causes. Windows Network Diagnostics either completes the solution automatically or requires that the user perform steps to resolve the problem. These steps might require the user to complete several configuration changes to the computer. In many cases, this capability might resolve network problems without the user requiring additional support. If Windows Network Diagnostics cannot fix the problem, you might need to use additional diagnostic tools.

1-20


Checking Local IP Configuration You can use IPConfig with the /all switch to display the computer’s IP configuration. Study the configuration carefully and remember the following: •

If the IP address is invalid, transmission can fail.

•

If the subnet mask is incorrect, the computer has an incorrect Network ID; therefore, transmission fails, especially to remote subnets.

•

If the default gateway is incorrect or missing, the computer cannot transmit data with remote subnets.

•

If the DNS server is incorrect or missing, the computer might not be able to resolve names and communication can fail.

Diagnosing Two-Way Communication with Remote Systems The Ping (or Pathping) utility confirms two-way communication between two computers. This means that if the Ping utility fails, the local computer’s configuration might not be the cause of the problem. Use Ping to ensure transmission using a logical process, such as the following: 1.

Ping the remote computer.

2.

Ping the local gateway.

3.

Ping the local IP address.

4.

Ping the loopback address 127.0.0.1.

When using the Ping utility, remember the following: •

You can Ping both the name and the computer’s IP address.

•

If you successfully Ping the IP address, but not the name, name resolution is failing.

•

If you successfully Ping the computer name, but the response does not resolve the FQDN name, resolution has not used DNS. This means a process such as broadcasts or WINS has been used to resolve the name and applications that require DNS might fail.

•

“Request Timed Out” indicates that the ICMP messages were successfully sent, but one or more computers or routers along the path, including the source and destination, are not configured to forward the messages correctly.

•

“Destination Host Unreachable” indicates that the system cannot find a route in its local routing table to the destination system, and therefore, does not know where to transmit the packet to on the next hop.

•

ICMP traffic used by Ping can be blocked by a firewall on the network or at a windows computer.

Identifying Each Hop between Two Systems You can use Tracert to identify each hop between the source and destination systems. If communication fails, use Tracert to identify how many hops are successful and at which hop system communication fails.


1-21

Verifying DNS Configuration The primary tools for troubleshooting host name resolution are IPConfig.exe and NSlookup.exe. When you troubleshoot name resolution, you must understand what name resolution methods the computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between resolution attempts. If you cannot connect to a remote host and suspect a name resolution problem, troubleshoot name resolution as follows: 1.

Open an elevated command prompt, and then clear the DNS resolver cache by typing the following command: IPConfig /flushdns

2.

Attempt to ping the remote host by its IP address. This helps identify whether the issue is related to name resolution. If the ping succeeds with the IP address but fails by its host name, then the problem is related to name resolution.

3.

Attempt to ping the remote host by its hostname. For accuracy, use the FQDN with a trailing period. For example, enter the following command at the command prompt: Ping nyc-dc1.contoso.com.

4.

If the ping is successful, then the problem is probably not related to name resolution. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file using an elevated instance of Notepad.exe, and add the appropriate entry to the end of the file. For example, add this line and save the file: 10.10.0.10nyc-dc1.contoso.com

5.

Now perform the Ping-by-host-name test once more. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache; use the following command at a command prompt: IPConfig /displaydns

6.

Remove the entry that you added to the hosts file, and then clear the DNS resolver cache once more.

7.

At the command prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution: Nslookup.exe –d2 nyc-dc1.contoso.com. > filename.txt

You should understand how to interpret the output so that you can identify whether the name resolution problem lies with the client computer’s configuration, the name server, or the configuration of records within the name server zone database.

1-22


What Is Network Monitor?

Network Monitor is a packet analyzer that enables you to capture and examine network packets on the network to which your computer is connected. Capturing packets is an advanced troubleshooting technique, and helps you to identify more unusual network problems and work towards a resolution. You can download Network Monitor from the Microsoft download website and install it on either a Windows workstation that is running Windows 7, or else Windows Server. Once installed, Network Monitor binds to the local network adapters. When you launch Network Monitor, you can either view existing captures or else begin a new capture.

Using Network Monitor Once you have captured network packets, you must be able to interpret what is going on, and whether the behavior is as expected or not. To help you, Network Monitor displays the packets in a summarized list in the Frame Summary pane. The Frame Summary displays all captured packets, providing the following information: •

Time and date: this enables you to determine in which order the packets were transmitted.

•

Source and destination: this provides the source and destination IP addresses so that you can determine which computers are involved in the dialog.

•

Protocol name: the highest-level protocol that Network Monitor can identify is listed. For example, Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), Server Message Block (SMB), and others. Knowing the high-level protocol enables you to pinpoint which services might be experiencing or causing the problem that you are troubleshooting.


1-23

When you select a frame in the summary pane, the Frame Details pane updates with the contents of that particular frame. You can step through the frame’s details, examining the content of each element as you proceed. Note Remember that each layer in the network architecture, from the application on down, encapsulates its data in the container of the layer below. In other words, the ICMP: Echo Request Message is encapsulated in an IPv4 packet, which in turn, is encapsulated in an Ethernet frame. When you have gathered a large amount of data, it can be difficult to determine which frames are relevant to your specific problem. You can use filtering to show only those frames of interest. Use the Display Filter pane to load standard or to create custom filters. For example, if you want to view frames that originate from a specific IP address, use the following procedure: 1.

In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.

2.

Point to Standard Filters, click Addresses, and then click IPv4 Addresses. The standard filter loads into the text box.

3.

Scroll through the text and locate the IPv4.Address = = 192.168.0.100 line. Edit the IPv4 address to match the address that you are interested in.

4.

On the menu in the Display Filter pane, click Apply.

5.

In the Frame Summary pane, the filtered results are displayed.

You can use standard filters to filter on a variety of properties, including the following: •

Addresses

•

DNS

•

NetBIOS

•

SMB

•

TCP

•

Authentication traffic

•

Name resolution Note When you apply one filter after you have applied another, the two are cumulative. To apply a new filter in place of an existing filter, click Clear text before you load and apply the new filter.

1-24


Demonstration: How to Capture and Analyze Network Traffic Using Network Monitor

This demonstration shows how to: •

Capture traffic with Network Monitor.

•

Analyze the captured traffic.

•

Filter the traffic.

•

Save the captured data.


1-25


Lab Setup For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps: 1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

In Hyper-V™ Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.

3.

In the Actions pane, click Connect. Wait until the virtual machine starts.

4.

Log on using the following credentials:

5.

•

User name: Administrator

•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.

Lab Scenario You are a network engineer for Contoso Ltd. You must select a suitable IPv4 addressing scheme for a branch office deployment and then implement elements of the scheme. The branch will initially use manually assigned IPv4 addresses, although it is planned that they will implement DHCP in the future. Once you have determined the appropriate configuration, you are required to configure the client workstations according to your plan. For this project, you must complete the following tasks: •

Plan a suitable IPv4 subnet scheme for branch offices.

•

Implement and verify the IPv4 subnet scheme.

1-26


Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices Scenario Contoso has created a new regional sales force. As a result, branch offices are being rented and fitted-out with office equipment and computers. You have been tasked with designing an IPv4 addressing scheme to support the western region branch offices. There are 10 new offices, three in this region, and each with around 100 computers. The main tasks for this exercise are as follows: 1.

Read the supporting documentation.

2.

Update the proposal document with your planned course of action.

3.

Examine the suggested proposals in the Lab Answer Key.

Supporting Documentation Charlotte Weiss From: Ed Meadows [[email protected]] Sent: 04 Feb 2011 09:05 To: [email protected] Subject: Re: Contoso branch office deployments Attachments: Contoso Branch Network Plan.vsd Charlotte, Each branch will be connected via a router to the head office; I've attached a basic schematic of the regional offices. We've allocated the network address 172.16.16.0/20 for all branches in this region. In terms of traffic, the database synchronization takes place overnight so should not impact traffic overly. I think the traffic in the head office sales subnets right now should be fairly indicative. Rather than sending you the output, I'll just say that we figure on around 50 computers per subnet. Regards, Ed ----- Original Message ----From: Charlotte Weiss [[email protected]] Sent: 03 Feb 2011 08:45 To: [email protected] Subject: Contoso branch office deployments Ed, Do you have any information about network traffic at the new branches? I understand there is to be a database with regional replicas. Do you have any information on that? I'm trying to figure out the number of subnets I'm going to need per branch. Any other information gratefully received! Charlotte


1-27

Contoso Branch Network Plan.vsd

X Task 1: Read the supporting documentation •

Read the supporting documentation.

X Task 2: Update the proposal document with your planned course of action •

Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document, shown as follows. Branch Office Network Infrastructure Plan: IPv4 Addressing Document Reference Number: GW00602/1 Document Author Date

Charlotte Weiss 6th February

Requirements Overview Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

1-28


(continued) Branch Office Network Infrastructure Plan: IPv4 Addressing Additional Information You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch. Proposals 1. How many subnets do you envisage requiring for this region? 2. How many hosts will you deploy in each subnet? 3. What subnet mask will you use for each branch? 4. What are the subnet addresses for each branch? 5. What range of host addresses are in each branch?

X Task 3: Examine the suggested proposals in the Lab Answer Key •

Examine the completed Branch Office Network Infrastructure plan in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you should have a completed IP addressing plan for the Contoso branch offices.


1-29

Exercise 2: Implementing and Verifying IPv4 in the Branch Office Scenario In this exercise, you will implement the IPv4 addressing scheme that you selected in the previous exercise. The main tasks for this exercise are as follows: 1.

Determine the current IPv4 configuration of the router.

2.

Determine the IPv4 configuration of NYC-SVR2.

3.

Determine the configuration of the NYC-CL2 computer.

4.

Reconfigure the NYC-CL2 computer.

5.

Verify the configuration.

6.

Capture and analyze network traffic using Network Monitor.

X Task 1: Determine the current IPv4 configuration of the router 1.

Switch to the NYC-RTR computer.

2.

Using Ipconfig.exe, determine what the IPv4 address and subnet mask of NYC-RTR is that starts with 172.16 and write it down. What subnet is this? What would the last host address in this subnet be?

X Task 2: Determine the IPv4 configuration of NYC-SVR2 1.

On the NYC-SVR2 computer, determine what the IPv4 address and subnet mask of NYC-SVR2 is that starts with 172.16 and write it down.

2.

Locate and identify the following: What is the IPv4 address and subnet mask? What subnet is this? What is the default gateway? What is the DNS Servers entry?

3.

Leave the command prompt open.

X Task 3: Determine the configuration of the NYC-CL2 computer 1.

On the NYC-CL2 computer, run the Reconfigure.cmd batch file that is located in E:\Labfiles\Mod01.

2.

Determine the IPv4 configuration of NYC-CL2 and write it down.

3.

Locate and identify the following: What is the IPv4 address and subnet mask? What does the previous answer tell you?

1-30


X Task 4: Reconfigure the NYC-CL2 computer 1.

Reconfigure the IPv4 settings to be appropriate for the subnet that the client resides within. A suggested answer appears in the Lab Answer Key.

2.

Write down the configuration that you have used: •

IP address:

•

Subnet mask:

•

Default gateway:

•

Preferred DNS server:

X Task 5: Verify the configuration 1.

Using Ipconfig.exe, verify the address configuration. What is the IPv4 address and subnet mask?

2.

Ping NYC-DC1, and then using Ipconfig.exe, examine the DNS resolver cache.

X Task 6: Capture and analyze network traffic using Network Monitor 1.

Open Microsoft Network Monitor 3.4.

2.

Start a new capture and then switch to the command prompt.

3.

From the command prompt, using Ipconfig.exe, purge the DNS resolver cache and then ping nyc-dc1.

4.

View the DNS resolver cache and verify the presence of the NYC-DC1 record.

5.

In Network Monitor, stop the capture. What type of frames can you see?

6.

Create a filter to show frames with an IPv4 address of 10.10.0.10.

7.

Examine the filtered frames and then clear the filter.

8.

Create a new filter for DNSQueryName, where the server=Contoso. Apply the filter and then examine the filtered frames. What do the records show?

9.

Close Network Monitor.

Results: At the end of this exercise, you will have configured the branch office subnet.

X Preparing for the next module When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.

On the host computer, start Hyper-V Manager.

2.

Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

Repeat these steps for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.


1-31

Module Review and Takeaways

Review Questions 1.

Your organization intends to use IPv4 for its branch offices. There are a large number of hosts and subnets required. Which private network address would you recommend?

2.

Your organization has a line of business application that uses NetBIOS names. Relatively few people use this application and you are reluctant to implement WINS. What alternative does Windows Server 2008 provide?

3.

Your Windows 7 client is unable to properly connect to a Windows Server. You suspect a name resolution problem. What two utilities enable you to troubleshoot name resolution from a client computer?

Tools Tool

Use for

Where to find it

Ping.exe

Verifying basic IP connectivity

Command-line

IPConfig.exe

Viewing and troubleshooting the IP configuration

Command-line

Tracert.exe

Verifying network routing

Command-line

PathPIng

Combines Functionality of Tracer and Ping

Command-Line

NSLookup.exe

Troubleshooting DNS resolver functionality

Command-line

NBTSTAT.exe

Troubleshooting NetBIOS

Command-line

Netsh.exe

View and configure network settings

Command-line

NetStat

View network connections and statistics

Command-Line

2-1

Module 2 Configuring and Troubleshooting DHCP Contents: Lesson 1: Overview of the DHCP Server Role

2-3

Lesson 2: Configuring DHCP Scopes

2-11

Lesson 3: Configuring DHCP Options

2-18

Lesson 4: Managing a DHCP Database

2-24

Lesson 5: Monitoring and Troubleshooting DHCP

2-35

Lesson 6: Configuring DHCP Security

2-43

Lab: Configuring and Troubleshooting the DHCP Server Role

2-47

2-2


Module Overview

Dynamic Host Configuration Protocol (DHCP) plays an important role in the Windows Server® 2008 R2 infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (WDS) and Network Access Protection (NAP). To support and troubleshoot a Windows Server-based network infrastructure, it is important that you understand how to deploy, configure, and troubleshoot the DHCP Server Role.


Describe the function of the DHCP Server Role.

•

Configure DHCP scopes.

•

Configure DHCP options.

•

Manage a DHCP database.

•

Monitor and troubleshoot the DHCP Server Role.

•

Configure security the DHCP Server Role.

Configuring and Troubleshooting DHCP

Lesson 1

Overview of the DHCP Server Role

Using DHCP can help to simplify client computer configuration. This lesson describes the benefits of DHCP, explains how the DHCP protocol works, and discusses how to control DHCP in a Windows Server 2008 R2 Active Directory® domain services (AD DS) network.


Describe the purpose and benefits of DHCP.

•

Explain how DHCP allocates addresses to network clients.

•

Describe how DHCP lease generation allocates addresses to clients.

•

Illustrate how the DHCP lease renewal process works.

•

Explain how a DHCP server role is authorized.

•

Add and authorize the DHCP Server Role.

2-3

2-4


Benefits of Using DHCP

The DHCP protocol simplifies configuration of Internet Protocol (IP) clients in a network environment. Before DHCP was used widely, each time you added a client to a network, you had to configure it with information about the network on which you installed it, including the IP address, the network’s subnet mask, and the default gateway for access to other networks. When you need to manage many computers in a network, it becomes time-consuming to manage them manually. Many corporations manage thousands of computer devices, including handhelds, desktop computers, and laptops. It is not feasible to manually manage the IP configuration of networks of this size. With the DHCP Server role, you can help to ensure that all clients have appropriate configuration information; this helps to eliminate human error during configuration. When key configuration information changes in the network, you can update it using the DHCP Server role without having to change the information directly on each computer. DHCP is also a key service for mobile users who change networks often. DHCP enables network administrators to offer complex network-configuration information to nontechnical users, without users having to deal with their network-configuration details. The DHCP role on Microsoft Windows Server 2008 supports several new features: •

DHCPv6 stateful and stateless configuration is supported for configuring clients in an IPv6 environment. Stateful configuration occurs when the DHCPv6 server assigns the IPv6 address to the client, along with additional DHCP data. Stateless configuration occurs when the IPv6 is assigned automatically by the subnet router, and the DHCPv6 server only assigns other IPv6 configuration settings.


2-5

•

NAP with DHCP helps isolate potentially malware-infected computers from the corporate network. NAP is part of a new toolset that can prevent full access to the intranet for computers that do not comply with system health requirements. DHCP NAP enables administrators to ensure that DHCP clients are compliant with internal security policies. For example, all network clients must be up-to-date and have a valid, up-to-date antivirus program installed before they are assigned an IP configuration that allows full access to the intranet.

•

You can install DHCP as a role on a Windows Server 2008 Server Core installation. A Server Core installation allows you to create a server with a reduced attack surface. To manage DHCP from the Core server, you must install and configure the role from the command-line interface. You also can manage the Core DHCP role from a graphical user interface (GUI)-based console where the DHCP role is already installed.

2-6


How DHCP Allocates IP Addresses

DHCP allocates IP addresses on a dynamic basis; this is known as a lease. Although you can set the lease duration to unlimited, typically, the value is not more than a few hours or days. The default lease time for wired clients is eight days and three days for wireless clients. DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet. If there are a large number of subnets, it might be expensive to deploy servers for every subnet. A single DHCP server might service collections of smaller subnets. For the DHCP server to respond to a DHCP client request, it must be able to receive DHCP requests. You can enable this by configuring a DHCP relay agent on each subnet. The DHCP relay agent allows DHCP broadcast packets to be relayed into another IP subnet across a router. Then, you can configure the agent in the subnet that requires IP addresses. Additionally, you can configure the agent with the IP address of the DHCP server. This allows the agent to capture the client broadcasts and forward them to the DHCP server in another subnet. You can also relay DHCP packets into other subnets using a router that is compatible with RFC 1542.


2-7

How DHCP Lease Generation Works

The DHCP protocol lease-generation process includes four steps that enable a client to obtain an IP address. Understanding how each step works will help you to troubleshoot problems when clients cannot obtain an IP address: 1.

The DHCP client broadcasts a DHCPDISCOVER packet. This is a message that is broadcast to every computer in the subnet. The only computer that will respond is the computer that has the DHCP server role or a computer or router is running a DHCP relay agent. In the latter case, the DHCP relay agent will forward the message to the DHCP server with which it is configured.

2.

A DHCP Server responds with a DHCPOFFER packet. This packet will provide the client with a potential address.

3.

The client receives the DHCPOFFER packet. It might receive packets from multiple servers. If the client receives offers from more than one server, it usually will choose the server that made the fastest response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. Then, the client will broadcast a DHCPREQUEST. The DHCPREQUEST contains a server identifier. This informs the DHCP servers that receive the broadcast which server the client has chosen to accept the DHCPOFFER.

4.

The DHCP servers receive the DHCPREQUEST. Those servers that the DHCPREQUEST message does not accept use the message as notification that the client has declined that server’s offer. The chosen server stores the IP address client information in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server will send a DHCPNAK message.

2-8


How DHCP Lease Renewal Works

When the DHCP lease has reached 50 percent of the lease time, the client will attempt to renew the lease. This is an automatic process that occurs in the background. Computers might have the same IP address for a long period of time if they operate continually on a network without being shut down. To renew the IP address lease, the client broadcasts a DHCPREQUEST message. The server that leased the IP address originally sends a DHCPACK message back to the client that contains any new parameters that have changed since the original lease was created. Client computers also attempt renewal during the startup process. This is because client computers might have been moved while they were offline; for example, a laptop computer might be plugged into a new subnet. If renewal is successful, the lease period is reset. If the renewal is unsuccessful, the client computer attempts to contact the configured Default Gateway. If the gateway does not respond, the client assumes that it is on a new subnet and enters the Discovery phase, attempting to obtain an IP configuration from any DHCP server.


2-9

DHCP Server Authorization

DHCP allows a client computer to acquire configuration information about the network in which it is started. DHCP communication occurs before any authentication of the user or computer; and because the DHCP protocol is based on IP broadcasts, an incorrectly configured DHCP server in a network can provide invalid information to clients. To avoid this, the server must be authorized.

Active Directory Requirements You must authorize the Windows Server 2008 R2 DHCP Server role in AD DS before it can begin leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that contain multiple AD DS domains. Therefore, an Enterprise Administrator account must authorize the DHCP server. Note An Enterprise Administrator is required in all domains with the exception of the forest root domain; in this instance, members of the Domain Admins group have adequate privilege to authorize a DHCP server.

Stand-Alone DHCP Server Considerations A stand-alone DHCP server is a computer running Windows Server 2008 R2 that is not part of an AD DS domain, and that has the DHCP Server role installed and configured. If the stand-alone DHCP server detects an authorized DHCP server in the domain, it will not lease IP addresses and will shut down automatically.

Rogue DHCP Servers Many network devices have built-in DHCP server software. Many routers can act as a DHCP server, but it is often the case that these servers do not recognize DHCP-authorized servers and might lease IP addresses to clients.

2-10


Demonstration: How to Add the DHCP Server Role


Install and authorize the DHCP server role.


2-11

Lesson 2

Configuring DHCP Scopes

You must configure the DHCP scopes after the DHCP role is installed on a server. A DHCP scope is the primary method by which you can configure options for a group of IP addresses. A DHCP scope is based on an IP subnet and can have settings specific to hardware or custom groups of clients. This lesson explains the scopes, superscopes, multicast scopes, and how to manage scopes.


Describe the purpose of a DHCP scope.

•

Describe superscopes and multicast scopes.

•

Configure DHCP scopes to allocate IP addresses to network clients.

•

Explain what a DHCP reservation is.

•

Explain DHCP sizing and availability.

2-12


What Are DHCP Scopes?

A DHCP scope is a range of IP addresses that are available for lease. A scope typically is confined to the IP addresses in a given subnet. For example, a scope for the network 192.168.1.0/24 (subnet mask of 255.255.255.0), supports a range of 192.168.1.1 through 192.168.1.254. When a computer or device in the 192.168.1.0/24 subnet requests an IP address, the scope that defined the range in this example would allocate an address between 192.168.1.1 and 192.168.1.254. Note Remember that the DHCP server, if deployed to the same subnet, consumes an IPv4 address. This should be excluded from the address range. To configure a scope, you must define the following properties: •

Name and description: this identifies the scope.

•

IP address range: the range of addresses that can be offered for lease and usually the entire range of addresses for a given subnet.

•

Subnet mask: this is used by the client computers to determine their location in the organization’s network infrastructure.

•

Exclusions: single addresses or blocks of addresses that fall within the IP address range but that will not be offered for lease.

•

Delay: the amount of time to delay before making DHCPOFFER.

•

Lease duration: use shorter durations for scopes with limited IP addresses, and longer durations for more static networks.

•

Options: you can configure many options on a scope, but typically you will configure option 003 – Router (the default gateway for the subnet), 006 – DNS Servers, and option 015 – DNS suffix.


2-13

IPv6 scopes You can configure the IPv6 scope options, as a separate scope, in the DHCP console’s IPv6 node. There are several different options and an enhanced lease mechanism. When configuring a DHCPv6 scope, you must define the following properties: •

Name and description: this identifies the scope.

•

Prefix: the IPv6 address prefix is analogous to the IPv4 address range; in essence, it defines the network address.

•

Exclusions: single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease.

•

Preferred life times: define how long leased addresses are valid.

•

Options: as with IPv4, you can configure many options.

2-14


What Are Superscopes and Multicast Scopes?

A superscope is a collection of scopes that are grouped together into an administrative whole. This allows clients to receive an IP address from multiple logical subnets, even when they are on the same physical subnet.

Benefits of Superscopes A superscope is useful in several situations. For example, if a scope has been depleted of addresses, and you cannot add more addresses from the subnet, you can add a new subnet to the DHCP server. This scope will lease addresses to clients in the same physical network, but clients will be in a separate network logically. This is known as multineting. It is important to configure routers to recognize the new subnet to ensure local communications in the physical network. A superscope also is useful when there is a need to move clients gradually into a new IP-numbering scheme. By having both numbering schemes coexist for the original lease’s duration, you can move clients into the new subnet transparently. When you have renewed all client leases in the new subnet, you can retire the old one.

Multicast Scopes A multicast scope is a collection of multicast addresses from the class D IP address range of 224.0.0.0 to 239.255.255.255 (224.0.0.0/3). These addresses are used when applications need to efficiently communicate with numerous clients simultaneously. This is accomplished with multiples hosts that listen to traffic for the same IP address. A multicast scope is referred to commonly as a Multicast Address Client Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to support the MADCAP application programming interface (API). Multicast scopes allow applications to reserve a multicast IP address to deliver data or content.


2-15

Demonstration: How to Configure DHCP Scopes

You can create scopes either using the Microsoft Management Consoles (MMC) for the DHCP Server role or by using the Netsh network-configuration command. This allows you to manage scopes remotely if the DHCP server is running on a Server Core installation of Windows Server 2008 R2. The Netsh command also is useful for scripting and automating server provisioning. This demonstration shows how to: •

Create an IPv4 scope.

2-16


What Is a DHCP Reservation?

A DHCP reservation occurs when an IP address within a scope is set aside for use with a specific DHCP client. It often is desirable to provide servers and printers with a predetermined IP address. Using a reservation ensures that the IP addresses you want to assign to these devices from a configured scope are not assigned to another device. This also ensures that devices with reservations are guaranteed to have an IP address if a scope is depleted of addresses. Configuring reservations enables you to centralize management of fixed IP addresses.

Configuring DHCP Reservations To configure a reservation, you must know the device’s Media Access Control (MAC) or physical address. This address indicates to the DHCP server that the device should have a reservation. You can acquire a network interface’s MAC address by using the ipconfig/all command. Typically, MAC addresses for network printers and other network devices are printed on the device. Most laptop computers also note this information on the bottom of their chassis.


2-17

DHCP Sizing and Availability

When configuring DHCP scopes and related settings, you must consider how many IP addresses to assign and how you will implement fault tolerance. It is a best practice to have more than one DHCP server in the network. In the event that one server fails, a backup server is in place to lease IP addresses.

Sizing a Scope The scope should include as many IP addresses as there are network clients. Typically, the scope will have 20 percent more addresses than there are clients that require IP addresses.

80/20 Rule When a network has two DHCP servers, it is a best practice to spread the IP addresses in the subnet across both servers. This is commonly referred to as the “80/20” rule. In this rule, a scope on the first server defines 80 percent of the IP addresses for lease, while the second server defines 20 percent of the addresses. This improves the availability of the DHCP service if one of the servers fails. To implement the 80/20 rule, you must create duplicate scopes on each of two DHCP servers, each excluding a separate range of addresses. For example, for subnet 192.168.0.0/24: •

•

•

On DHCP server 1, placed in 192.168.0.0/24: •

Create a scope with a range of addresses from 192.168.0.2 through 192.168.0.254.

•

Create an exclusion range comprising of the upper 20 percent of the address range; that is, 192.168.0.200 to 192.168.0.254.

On DHCP server 2, placed in 192.168.1.0/24: •

Create a scope with a range of addresses from 192.168.0.2 through 192.168.0.254.

•

Create an exclusion range comprising of the lower 80 percent of the address range; that is, 192.168.0.2 to 192.168.0.199.

Ensure that you implement a router that supports DHCP relaying for the 192.168.1.0/24 subnet.

2-18


Lesson 3

Configuring DHCP Options

DHCP options enable you to configure settings aside from the IP address and subnet mask. For example, you can use DHCP to allocate a DNS suffix, DNS server addresses, and NetBIOS settings. It is important that you are familiar with the process of configuring options.


Explain what DHCP options are.

•

Describe the use of DHCP Class-Level options.

•

Explain how options are applied to client computers.

•

Configure DHCP scope, server, and class options.


2-19

What Are DHCP Options?

DHCP servers can configure more than just an IP address; they also provide information about network resources, such as DNS servers and the default gateway. You can apply DHCP options at the server, scope, user, and vendor levels. An option code identifies the DHCP options, and most option codes come from the Request for Comments (RFC) documentation found on the Internet Engineering Task Force (IETF) website.

Common DHCP Options The following table lists the common option codes that Windows-based DHCP clients request. Option code

Name

1

Subnet mask

3

Router

6

DNS servers

15

DNS domain name

44

WINS/NBNS servers

46

WINS/NetBT node type

47

NetBIOS scope ID

51

Lease time

58

Renewal (T1) time value

2-20


(continued) Option code

Name

59

Rebinding (T2) time value

31

Perform router discovery

33

Static route

43

Vendor-specific information

249

Classless static routes


2-21

What Are DHCP Class-Level Options?

DHCP options can be applied at a several different levels, such as at the DHCP server and scope levels. You might need to apply scope options to custom types of computers or specific groups of users. You can specify class-level options when you need to configure a device belonging to a particular class in a specific way. A class is a logically defined group based on attributes of the IP-based device. This can be based on vendor-specific data or it can be user-defined. Class-level options include: •

Vendor class: Microsoft’s DHCP server role offers special options based on the vendor class. An example of using DHCP with a vendor class is disabling NetBIOS over TCP/IP for clients with a vendor class matching Windows 2000 or Windows XP. Another example is configuring specific options for a certain computer brand.

•

User class: You can specify user-class options when you want to set options for a certain class of users, such as users from a particular physical location. User classes are set on the client’s workstation using the IPconfig /setclassid command.

2-22


How DHCP Options Are Applied

If you have configured DHCP options at multiple levels (server, scope, class, and reservation levels), DHCP applies options to client computers in the following order: 1.

Server level

2.

Scope level

3.

Class level

4.

Reserved-client level

It is important to understand these options when you are troubleshooting DHCP. If you configure custom DHCP options for reservations, these settings will override all other DHCP options that you configure at higher levels.


Demonstration: How to Configure DHCP Options


Configure scope options.

•

Configure server options.

•

Create a user class for options.

•

Enable scope and configure client computer user class.

2-23

2-24


Lesson 4

Managing a DHCP Database

The DHCP database stores information about the IP address leases. It is important to understand how to back up the database and resolve database issues if there is a problem. This lesson explains how to manage the database and its data.


Describe management tasks related to DHCP.

•

Explain DHCP server configuration options.

•

Describe the DHCP database.

•

Describe how the DHCP database is backed up and restored.

•

Explain how a DHCP database is reconciled.

•

Explain how to move the DHCP Server role to another server.

•

Describe how to manage a DHCP database.


2-25

Overview of DHCP Management Scenarios

The DHCP server database contains configuration data about the DHCP server and information about client IP leases. If this information becomes corrupt or inconsistent, it can lead to network configuration errors on clients’ computers. It also can lead to the same IP address being offered to multiple clients. Management scenarios might include: •

Managing DHCP database growth: The DHCP database is based on a Microsoft Jet database. Jet databases need to be compacted on a regular basis.

•

Protecting the DHCP database: Information in the DHCP database is important to maintain. If the DHCP server database becomes corrupt or gets lost, it could lead to significant IP configuration issues.

•

Ensuring DHCP database consistency: The database needs to be accurate. If lease data in the DHCP database does not match the client’s lease information, issues such as duplicate IP addresses can occur on the network.

•

Adding clients: You might need to reconfigure scopes to support additional network clients.

•

Adding new network service servers: You might need to create reservations or exclusions to support statically configured servers.

•

Adding new subnets: Adding subnets can lead to changes in how the DHCP database is used. These changes require database monitoring and might require new maintenance actions.

2-26


DHCP Server Configuration Options

The DHCP server-configuration options define server-wide behaviors. Certain configurations also affect the scopes that the server hosts.

General Options General options enable the administrator to set DHCP debugging and troubleshooting statistics.

DNS Options Configuring the DNS options is important if there are devices or operating systems that do not update their DNS information automatically. You can configure the DHCP server to update the DNS server if the client is unable to do so. Typically, it is only legacy client operating systems and earlier Windows versions that cannot dynamically update DNS. For example, Windows 95 client computers cannot update DNS. It is therefore possible to configure DHCP to register legacy clients’ names with DNS.

Network Access Protection Options Network Access Protection options enable you to configure NAP to be enforced for one or more scopes. NAP enables you to verify that machines requesting an IP address meet your organization’s computer health requirements. For example, client computers requesting (and being granted) an IP configuration must have the latest security updates, run a firewall, and have an updated antivirus program installed and running.

Filters Options You can use the filters to define to which MAC addresses leases are offered, or to which MAC addresses leases are not offered. In addition, the Advanced options enable you to define which physical devices are exempted from filtering.


2-27

Advanced Options Advanced options enable the administrator to force the DHCP server to check for IP conflicts when a DHCP client requests a particular IP address. This benefits older clients that do not perform their own checks. However, this process also causes overhead. Therefore, the recommended configuration is to turn off this setting. The IP binding allows the administrator to specify the IP address on which the DHCP server should listen for incoming DHCP messages.

2-28


What Is a DHCP Database?

The DHCP database contains data that relates to scopes, address leases, and reservations. The database holds the data file that stores the DHCP configuration information and the lease data for clients that have leased an IP address from the DHCP Server. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

DHCP Service Database Files The following table describes the DHCP service database files. File

Description

Dhcp.mdb

The DHCP server database file.

Dhcp.tmp

A temporary file that the DHCP database uses as a swap file during databaseindex maintenance operations. This file sometimes remains in the Systemroot\System32\Dhcp directory after a system failure.

J50.log and J50#####.log

A log of all database transactions. The DHCP database uses this file to recover data when necessary.

J50.chk

A checkpoint file.

Important You should not remove or alter the following files: J50.log, J50#####.log, Dhcp.mdb, and Dhcp.tmp. The DHCP server database is dynamic and updates as DHCP clients are assigned or as they release their TCP/IP configuration parameters. Because the DHCP database is not a distributed database like the Windows Internet Naming Service (WINS) server database, maintaining the DHCP server database is less complex.


The DHCP database and related registry entries are backed up automatically at specific intervals (60 minutes by installation default). You can change this installation default by changing the value of BackupInterval in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

2-29

2-30


How a DHCP Database Is Backed Up and Restored

You can back up a DHCP database manually or configure it to backup automatically. An automatic backup is called a synchronous backup. A manual backup is called an asynchronous backup.

Automatic (Synchronous) Backup The default backup path for the DHCP back is: systemroot\System32\Dhcp\Backup. As a best practice, you can modify this path in the server properties to point to another volume.

Manual (Asynchronous) Backup If you have an immediate need to create a backup, you can run the manual backup option in the DHCP console. This action requires administrative-level permissions. The user account also can be a member of the DHCP administrators group.

What Is Backed Up? When a synchronous or asynchronous backup occurs, the entire DHCP database is saved, including the following: •

All scopes, including superscopes and multicast scopes

•

Reservations

•

Leases

•

All options, including server options, scope options, reservation options, and class options

•

All registry keys and other configuration settings (for example, audit log settings and folder location settings) set in DHCP server properties. These settings are stored in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters To back up this key, open Registry Editor and save the specified key to a text file. Note The DNS dynamic update credentials (user name, domain, and password) that the DHCP server uses when registering DHCP client computers in DNS are not backed up with any backup method.


2-31

Restore Process If you need to restore the database, use the Restore function in the DHCP server console. You will be prompted for the backup’s location. Once you have selected the location, the DHCP service will stop and the database will be restored. To restore the database, the user account must have administrative-level permissions or must be a member of the DHCP administrators group.

Backup Security When the DHCP database file is backed up, it should be in a protected location that only the DHCP administrators can access. This ensures that any network information in the backup files remains protected.

Using Netsh You also can use commands in the Netsh dhcp context to back up the database; this is useful for backing up the database to a remote location using a script file. An example of a script that you can use to export the file is shown below. This command will back up the DHCP data for all scopes. From the Netsh DHCP prompt, type the following: export "c:\My Folder\Dhcp Configuration" all

To restore the DHCP database, use the following command: import "c:\My Folder\Dhcp Configuration" all

Note This Netsh context does not exist on server computers without the DHCP Server role installed.

2-32


How a DHCP Database Is Reconciled

Reconciling scopes can fix inconsistencies that can affect client computers. The DHCP Server service stores scope IP address-lease information in two forms: •

Detailed IP address lease information, which the DHCP database stores

•

Summary IP address lease information, which the server’s Registry stores

When you are reconciling scopes, the detail and summary entries are compared to find inconsistencies. To correct and repair these inconsistencies, you must reconcile any scope inconsistencies. After you select and reconcile scope inconsistencies, the DHCP service either restores those IP addresses to the original owner or creates a temporary reservation for those addresses. These reservations are valid for the lease time that is assigned to the scope. When the lease time expires, the addresses are recovered for future use.


2-33

Moving a DHCP Database

In the event that you must move the DHCP Server role to another server, it is also advisable to move the database to the new server; this ensures that client leases are retained and reduces the likelihood of client-configuration issues. You move the database initially by backing it up on the old DHCP server. Then, shut down the DHCP service on the old DHCP server. You must then copy the DHCP database to the new server, where you can restore it using the normal database restore procedure.

2-34


Demonstration: How to Manage a DHCP Database


Examine the backup interval.

•

Back up the DHCP database.

•

Reconcile the scope data.


2-35

Lesson 5

Monitoring and Troubleshooting DHCP

DHCP is a core service in many organization’s network environments. If the DHCP service is not working properly, or if there is a situation that is causing problems with the DHCP server, it is important that you can identify the problem and determine potential causes to resolve the problem.


Describe methods for monitoring DHCP.

•

Discuss common troubleshooting issues that are possible with DHCP.

•

Explain how to monitor DHCP statistics.

•

Describe how to monitor audit logging.

•

Explain how to monitor DHCP server performance.

•

Monitor DHCP statistics and performance.

2-36


Overview of Monitoring DHCP

DHCP is a dynamic protocol. Changes in the network environment usually require that you make DHCP server changes to accommodate the new network environment. These changes might arise because there are more clients on the network, which can cause a greater traffic load on the DHCP server, or because the DHCP server has exhausted its address pool. Monitoring these operations enables you to address new needs proactively as they arise; this keeps service outages to a minimum and reduces downtime. DHCP has three sources of information that you can use for monitoring: •

DHCP statistics

•

DHCP events in Event Viewer

•

DHCP performance data


2-37

Discussion: Common DHCP Issues

The following table describes, and provides examples of, common DHCP issues. Issue

Description

Example

Address conflicts

The same IP address is offered to two different clients.

An administrator deletes a lease. However, the client who had the lease still believes the lease is valid. If the DHCP server does not verify the IP, it might lease the IP to another machine, causing an address conflict. This also can occur if two DHCP servers have overlapping scopes.

Failure to obtain a DHCP address

The client does not receive a DHCP address and instead receives an Automatic Private IP Addressing (APIPA) self-assigned address.

If a client’s network card driver is configured incorrectly, it might cause a failure to obtain a DHCP address. Additionally, the DHCP server or relay agent on the client’s subnet.

Address obtained from incorrect scope

The client is obtaining an IP address from the wrong scope, causing it to experience communications problems.

This often occurs because the client is connected to the wrong network or the DHCP relay agent is incorrectly configured.

DHCP database suffers data corruption or loss

The DHCP database become unreadable or is lost due to a hardware failure.

A hardware failure can cause the database to become corrupted.

DHCP server exhausts its IP address pool

The DHCP server’s IP scopes have been depleted. Any new client requesting an IP address will be refused.

All the IPs assigned to a scope are leased.

2-38


What Are DHCP Statistics?

DHCP statistics provide information about DHCP activity and use. You can use this console to determine quickly whether there is a problem with the DHCP service or with the network’s DHCP clients. An example in which statistics might be useful is if the administrator notices an excessive amount of negative acknowledgement (NACK) packets, which might indicate that the server is not providing the correct data to clients. You can configure the refresh rate for the statistics in the server properties General tab.

DHCP Server Statistics Server statistics provide an overview of DHCP server usage. You can use this data to quickly understand the state of the DHCP server. Information such as number of offers, number of requests, total in use addresses, and total available can help to provide a picture of the server’s health.

DHCP Scope Statistics Scope statistics provide much fewer details, such as total addresses in the scope, how many addresses are in use, and how many are available. If you notice a low number of addresses available in the server statistics, it might only be one scope that is near its depletion point. By using scope statistics, an administrator can quickly determine the status of the particular scope with respect to the addresses available.


2-39

What Is a DHCP Audit Log File?

The audit log provides a traceable log of DHCP server activity. You can use this log to track lease requests, grants, and denials, and this information allows you to troubleshoot DHCP server performance. The log files are stored in the %systemroot%\system32\dhcp folder by default. You can configure the log file in the server’s Properties dialog box. The files are named based on the weekday that the file was created. For example, if audit logging is enabled on a Monday, the file name is DhcpSrvLog-Mon.log.

Fields That Make Up a DHCP Audit Log The following table describes the fields in a DHCP audit log. File

Description

ID

A DHCP server event ID code.

Date

The date on which this entry was logged on the DHCP server.

Time

The time at which this entry was logged on the DHCP server.

Description

A description of this DHCP server event.

IP Address

The IP address of the DHCP client.

Host Name

The host name of the DHCP client.

MAC Address

The MAC address used by the network adapter hardware of the client.

2-40


Common Event ID Codes Common event ID codes include: •

ID,Date,Time,Description,IP Address,Host Name,MAC Address

•

00,06/22/99,22:35:10,Started,,,,

•

56, 06/22/99,22:35:10,Authorization failure, stopped servicing,,domain1.local,,

•

55, 06/22/99,22:45:38,Authorized(servicing),,domain1.local


2-41

Monitoring DHCP Server Performance

DHCP performance counters become available after you install the DHCP Server role. You can then use Performance Monitor to load the performance counters. Typically, a DHCP server should not come under a heavy network load. However, if you notice the queue lengths are logging consistently high values, check the server for bottlenecks that could be slowing DHCP performance. The following table lists common performance counters and provides recommendations about what to look for after you establish a baseline. Performance counters

Recommendation

Packets received/second

Monitor for sudden increases or decreases, which could reflect network problems.

Packets expired/second

Monitor for sudden increases. A large number indicates that the server is either taking too long to process some packets while other packets are queued and becoming stale, or traffic on the network is too high for the server to manage.

Requests/second

Monitor for sudden increases or decreases, which could reflect network problems.

Milliseconds per packet

Monitor for sudden increases. A sudden or unusual increase might indicate a problem, either with the input/output (I/O) subsystem becoming slower or because of an intrinsic processing overhead on the server computer.

Active queue length

Monitor for sudden and gradual increases, which could reflect increased load or decreased server capacity.

Duplicates dropped/second

Monitor for any activity that could indicate that more than one request is being transmitted on behalf of clients.

2-42


Demonstration: How to Monitor DHCP


View server statistics.

•

View the log files.

•

Use Network Monitor to monitor DHCP.


2-43

Lesson 6

Configuring DHCP Security

DHCP protocol has no built-in method for authenticating users. This means that if you do not take precautions, IP leases could be granted to devices and users who have malicious intent. This lesson explains how to prevent unauthorized users from obtaining a lease, how to manage rogue DHCP servers, and how to configure DHCP servers so that a specific group can manage them.


Restrict an unauthorized user from obtaining a lease.

•

Restrict unauthorized DHCP servers from leasing IP addresses to DHCP clients.

•

Restrict who can administer the DHCP server role.

2-44


Preventing an Unauthorized Computer from Obtaining a Lease

DHCP by itself can be difficult to secure. This is because the protocol is designed to work before the necessary information is in place for a client computer to authenticate with a domain controller. Basic precautions that you should take to limit unauthorized access include: •

Make sure that you reduce physical access: If users can access an active network connection in the network, their computers are likely to be able to obtain an IP address. If a network port is not being used, you should disconnect it physically from the switching infrastructure.

•

Enable audit logging on all DHCP servers: This can provide an historical view of activity, in addition to allowing you to trace when a potentially malicious user obtained an IP address in the network. Make sure to schedule time at regular intervals to review the audit logs.

•

Require authenticated Layer 2 connections to the network: Most enterprise hardware switches now support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. This allows for port-level user authentication. Secure wireless standards, such as WPA Enterprise and WPA2 Enterprise, also use 802.1X authentication.

•

Implement NAP: NAP allows administrators to validate that a client computer is compliant with system health requirements, such as running all the latest Windows updates or running an up-to-date antivirus client. If a user who does not meet security requirements tries to access the network, he or she will receive an IP address configuration to access a remediation network where he or she can receive the necessary updates. The administrator can restrict access to the network by allowing only healthy computers access to the internal local area network (LAN).


2-45

Restricting Unauthorized, Non-Microsoft DHCP Servers from Leasing IP Addresses

Many devices and network operating systems have DHCP server implementations. Networks are almost never homogeneous in nature; therefore; it is possible that at some point, a DHCP server that does not check for Active Directory-authenticated servers will be enabled on the network. In this case, clients might obtain incorrect configuration data. To eliminate an unauthorized DHCP server, you must locate and disable it from communicating on the network either physically or by disabling the DHCP service. If users complain that they do not have connectivity to the network, check the IP address of their DHCP server. Use the ipconfig /all command to check the IP address of the DHCP Server field. If the IP address is not the IP address of an authorized DHCP server, there is probably a rogue server in the network. You can use the DHCP Server Locator utility (Dhcploc.exe) to locate the DHCP servers that are active on a subnet.

2-46


Restricting DHCP Administration

It is important to ensure that only authorized persons can administer the DHCP server role. You can do this by performing either of the following tasks: •

Limiting the membership of the DHCP Administrators group

•

Assigning users that require read-only access to DHCP membership of the DHCP Users group

The DHCP Administrators group is in the built-in groups on domain controllers or on local servers because the DHCP Administrators local group is used to restrict and grant access to administer DHCP servers.

Permissions Required to Authorize and Administer DHCP Authorization of a DHCP service is only available to Enterprise administrators. If the need exists for a down-level administrator to authorize the domain, it can be done using Active Directory delegation.

DHCP Administrators Any user in the DHCP Administrators group can manage the server’s DHCP service.

DHCP Users Any user in the DHCP Users group can have read-only access to the console.


2-47




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.

2-48


Lab Scenario Contoso is deploying DHCP to their branch offices. Fault tolerance is important, and you are tasked with configuring the DHCP services in the head office and branch offices to support the requirements. For this project, you must complete the following tasks: •

Plan suitable DHCP configuration

•

Install the DHCP server role on NYC-SVR2

•

Configure scopes at head office and branch office DHCP servers

•

Test client functionality with primary DHCP server online, and then simulate a connection failure with the head office

•

Troubleshoot common DHCP issues

Contoso Branch Network Plan.vsd


2-49

Exercise 1: Selecting a Suitable DHCP Configuration Scenario In this exercise, you will select a suitable DHCP configuration to support the branch office environment. The main tasks for this exercise are as follows: 1.

Read the following Branch Office Network Infrastructure Plan: DHCP document.

2.


3.


Branch Office Network Infrastructure Plan: DHCP Document Reference Number: CW0703/1 Document Author Date

Charlotte Weiss 7th March

Requirements Specify how you plan to implement DHCP to support your branch office requirements. Additional Information It is important that any router, server, or communications link failure does not adversely affect users. Proposals 1. How many DHCP servers do you propose to deploy in the region? 2. Where do you propose to deploy these servers? 3. How do you propose to provide for fault tolerance of IP address allocation? 4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?

X Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements •

Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section.


Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.


Examine the completed Branch Office Network Infrastructure Plan: DHCP document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.

2-50


Exercise 2: Implementing DHCP Scenario In this exercise, you will implement the branch office DHCP configuration that you selected. The main tasks for this exercise are as follows: 1.

Install the DHCP role on NYC-SVR2.

2.

Enable DHCP Relay.

3.

Authorize the DHCP Server role on NYC-SVR2.

4.

Create the required scope for branch.

X Task 1: Install the DHCP role on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

Open Server Manager and install the DHCP Server role. Accept all defaults during the Add Role wizard, except:

3.

•

Disable DHCPv6 stateless mode for this server

•

Skip authorization of this DHCP server in AD DS

Close Server Manager.

X Task 2: Enable DHCP Relay 1.

Switch to NYC-RTR.

2.

Open Routing and Remote Access.

3.

Use the following steps to add the DHCP Relay agent to the router:

4.

•

In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.

•

In the Routing protocols list, click DHCP Relay Agent and then click OK.

•

In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

•

In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.

•

In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

•

Repeat these steps for Local Area Connection 3.

•

Right-click DHCP Relay Agent and then click Properties.

•

In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.

Close Routing and Remote Access.

X Task 3: Authorize the DHCP Server role on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

Open DHCP.

3.

Authorize the nyc-svr2.contoso.com server in AD DS.


2-51

X Task 4: Create the required scope for branch 1.

In DHCP, in the navigation pane, expand nyc-svr2.consoto.com, expand IPv4, right-click IPv4, and then click New Scope.

2.

Create a new scope with the following properties: •

Name: Branch Office

•

IP Address range: 172.16.16.4 > 172.16.16.254

•

Subnet mask: 255.255.255.0

•

Exclusions: 172.16.16.200 > 172.16.16.254

•

Other settings use default values

•

Configure options:

•

•

Router: 172.16.16.1

•


Activate scope

Results: At the end of this exercise, you will have configured the branch office DHCP server.

2-52


Exercise 3: Reconfiguring DHCP in the Head Office Scenario In this exercise, you will reconfigure the DHCP server in the head office to provide a scope for clients in the branch office. The main tasks for this exercise are as follows: 1.

Add the branch office scope on NYC-DC1.

X Task 1: Add the branch office scope on NYC-DC1 1.

Switch to NYC-DC1.

2.

Open DHCP.

3.

In DHCP, in the navigation pane, expand nyc-dc1.consoto.com, expand IPv4, right-click IPv4, and then click New Scope.

4.

Create a new scope with the following properties: •

Name: Branch Office Backup Scope

•

IP Address range: 172.16.16.4 > 172.16.16.254

•

Subnet mask: 255.255.255.0

•

Exclusions: 172.16.16.4 > 172.16.16.199

•


•

Configure options:

•

•

Router: 172.16.16.1

•


Activate scope

Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.


2-53

Exercise 4: Testing the Configuration Scenario In this exercise, you will verify that client computers can obtain an IP configuration from the local branch DHCP server. The main tasks for this exercise are as follows: 1.

Configure NYC-CL2 for DHCP.

2.

Examine DHCP packets.

X Task 1: Configure NYC-CL2 for DHCP 1.

Switch to NYC-CL2.

2.

Open Network Monitor 3.4.

3.

Start a new capture.

4.

Reconfigure the Local Area Connection 3: •

Configure Internet Protocol Version 4 (TCP/IPv4): •

Obtain an IP address automatically

•

Obtain DNS server address automatically

X Task 2: Examine DHCP packets 1.

Switch to Network Monitor.

2.

Stop the capture.

3.

Apply a filter as follows: •

Click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter – DNS.

•

In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply.

4.

Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.

5.

In the Frame Details pane, expand Dhcp. What is the ServerIP? Which server is this?

Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.

2-54


Exercise 5: Troubleshooting DHCP Issues Scenario In this exercise, you will simulate a branch office server failure and verify that clients are able to obtain an IP configuration through the router from the head office DHCP server. The main tasks for this exercise are as follows: 1.

Shut down the DHCP server on NYC-SVR2.

2.

Renew the IP address on NYC-CL2.

X Task 1: Shut down the DHCP server on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

In DHCP, right-click nyc-svr2.contoso.com, click All Tasks, and then click Stop.

X Task 2: Renew the IP address on NYC-CL2 1.

Switch to NYC-CL2.

2.

Open a command prompt, and at the command prompt, type Ipconfig.exe /release and press ENTER.

3.

Switch to Network Monitor and start a new capture.

4.

At the command prompt, type ipconfig /renew and then press ENTER.

5.

Stop the capture.

6.

Apply a filter as follows: •


•


7.


8.

In the Frame Details pane, expand Dhcp. What is the ServerIP? Which server is this?

Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.




2.


3.


4.

Repeat these steps for 6421B-NYC-SVR2, 6421B-NYC-RTR, and 6421B-NYC-CL2.

2-55

2-56



Review Questions 1.

You have two subnets in your organization and want to use DHCP to allocate addresses to client computers in both subnets. You do not want to deploy two DHCP Servers. What factors must you consider?

2.

Your organization has grown and your IPv4 scope has almost run out of addresses. What could you do?

3.

What information do you require to configure a DHCP reservation?

4.

Is it advisable to configure options 003 – Router as a Server-level DHCP scope option?

Tools Tool

Use for

Where to find it

IPConfig.exe

Managing and troubleshooting client IP settings

Command-line

Netsh.exe

Configuring both client and server-side IP settings, including those for DHCP Server role

Command-line

Regedit.exe

Editing and fine-tuning settings, including those for the DHCP Server role

Windows interface

DHCPLoc.exe

Locate DHCP servers on the local subnet

Command-line

Network Monitor

Capture and analyze DHCP traffic on a subnet

Windows interface

3-1

Module 3 Configuring and Troubleshooting DNS Contents: Lesson 1: Installing the DNS Server Role

3-3

Lesson 2: Configuring the DNS Server Role

3-14

Lesson 3: Configuring DNS Zones

3-25

Lesson 4: Configuring DNS Zone Transfers

3-34

Lesson 5: Managing and Troubleshooting DNS

3-39

Lab: Configuring and Troubleshooting DNS

3-50

3-2


Module Overview

The Domain Name System (DNS) is the foundation name service in Windows Server 2008 R2. It is vital that you understand how to deploy, configure, manage, and troubleshoot this critical service.


Install the DNS server role.

•

Configure the DNS server role.

•

Create and configure DNS zones.

•

Configure zone transfers.

•

Manage and troubleshoot DNS.

Configuring and Troubleshooting DNS

Lesson 1

Installing the DNS Server Role

To support the network services within your organization, you must be able to install and configure the Windows Server 2008 R2 DNS Server role.


Explain the role and benefits of DNS in the network infrastructure.

•

Explain what a DNS namespace is.

•

Describe new abilities provided in the Windows Server 2008 version of DNS.

•

Describe new abilities provided in the Windows Server 2008 R2 version of DNS.

•

Install the DNS Server Role.

•

Describe points to consider when deploying a DNS Server.

3-3

3-4


Overview of the Domain Name System Role

DNS is a name-resolution service that resolves names to IP addresses. The DNS service is a hierarchical, distributed database. The database is separated logically, allowing many different servers to host the worldwide database of DNS names.

How DNS Supports the Internet Naming Scheme Foundation DNS is a worldwide service that allows you to type in a domain name (for example, Microsoft.com), which the computer resolves to an IP address. The benefit is that IPv4 addresses may be long and difficult to remember (for example, 131.107.0.32), while a domain name typically is easier to remember. In addition, you can use host names that do not change while the underlying IP addresses can be changed to suit your organizational needs. Originally, there was one file on the Internet that contained a list of all the domain names and their corresponding IP addresses. This list quickly became too long to manage and distribute. DNS was developed to solve the problems associated with using a single file. With the adoption of IPv6, DNS will become even more critical because IPv6 addresses (for example, 2001:db8:4136:e38c:384f:3764:b59c:3d97) are more complex than IPv4 addresses.

How DNS Supports an Organization’s Active Directory Domain-Naming Scheme Foundation DNS is responsible for resolving resources in an Active Directory® Domain Services (AD DS) domain. You must install the DNS role to install AD DS. DNS provides information to workstation clients to enable them to log on to the network. DNS resolves resources in the domain such as servers, workstations, printers, and shared folders. A DNS server that is configured incorrectly can be the source of many AD DS problems.


3-5

Overview of the DNS Namespace

The DNS Namespace facilitates how a DNS resolver locates a computer. The namespace is organized hierarchically to distribute information across many servers.

Root Domain The root domain is represented by a period (.) that you do not type into a web browser typically because the period (.) is assumed. The next time you type an address into a computer, try adding the period at the end (for example, www.microsoft.com.). There are 13 root domain servers worldwide. Note When troubleshooting DNS, it is usual to specify the trailing period.

Top-Level Domain The top-level domain is the first level of the DNS name space. Examples of top-level domains on the Internet include .com, .net, .org, .biz, and .ca. The most recognized domains are .com, .net, .org, and for the U.S. government, .gov. Many more domain names are at this level, and new ones are added occasionally. There also is a top-level domain (TLD) for each country. For example, Canada is .ca and the United Kingdom is .co.uk. The body that regulates these domains is called the Internet Corporation for Assigned Names and Numbers (ICANN).

Second-Level Domain The second-level domain name is the portion of the domain name that appears before the TLD. An example of a second-level domain name is “microsoft” in the www.microsoft.com domain. The organizations that register second-level domain names control them. Anyone may register a second-level domain name through an Internet registry service. Many second-level domains have special rules about whom or what may register a domain name. For example, only nonprofit organizations may use .org.

Subdomain The subdomain is listed before the second-level and top-level domains. An example of a subdomain is www in the www.microsoft.com domain name. Subdomains are defined in the DNS server of the organization that holds the second-level DNS server.

3-6


Fully Qualified Domain Name A fully qualified domain name (FQDN) is the explicit DNS name that includes the computer name and the subdomains to the root domain. For example, if the computer is designated as Server1 in the sales.south.contoso.com domain, the FQDN for that computer is server1.sales.south.contoso.com.

DNS Naming Standards The following characters are valid for DNS names: •

A through Z

•

a through z

•

0 through 9

•

Hyphen (-) Note The underscore (_) is a reserved character.


3-7

DNS Improvements for Windows Server 2008

You will realize some of the advantages of using Windows Server 2008 with the new features that it includes for the DNS server role. These features include background zone loading, support for IPv6 and for read-only domain controllers, and global single names.

Background Zone Loading DNS servers that host large DNS zones that Active Directory Domain Services (AD DS) stores are able to respond to client queries more quickly upon restart because zone data now loads in the background.

IPv6 Support The DNS Server service now supports querying and dynamic registration of IP version 6 (IPv6) host and pointer records over IPv6. An IPv6 host record is known as an “AAAA” record.

Support for RODCs The DNS Server role in Windows Server 2008 provides primary read-only zones on read-only domain controllers (RODCs). Students should understand that this is a new role that allows for domain controllers and DNS servers to be deployed to remote sites that lack physical security. An RODC cannot write information back to the full Active Directory servers and DNS servers. Note When a domain controller is deployed as an RODC, a read-only copy of the Domain DNS zone and the Enterprise DNS zone is replicated to the RODC. A DNS zone on an RODC cannot be modified.

Global Single Names The DNS Server service in Windows Server 2008 provides a new zone type, the GlobalNames zone, which you can use to hold single-label names that are unique across an entire forest. This eliminates the need to use the NetBIOS-based Windows Internet Name Service (WINS) to provide support for single-label names.

3-8


Global Query Block List The dynamic update feature of Windows Server DNS makes it possible for DNS resolver computers to register and dynamically update their resource records with their configured DNS server whenever necessary. However, this convenient behavior can allow a malicious user to take over a special name and divert certain types of network traffic to that malicious user's computer. To help prevent such a takeover, the DNS server role in Windows Server 2008 includes a global query block list that can help prevent a malicious user from taking over DNS names that have special significance.


3-9

DNS Improvements for Windows Server 2008 R2

Windows Server 2008 R2 introduces some additional functionality over the features that are added in Windows Server 2008.

DNS Security Extensions Windows Server 2008 R2 zones now support DNS Security Extensions (DNSSEC); this means that you can sign and host DNSSEC-signed zones to provide additional security for your name resolution infrastructure. DNSSEC are extensions to the DNS protocol, defined in RFC 4033, 4034, and 4035; these extensions add origin authority, data integrity, and authenticated denial of existence to DNS. These changes enable your DNS zones and the records contained within them to be digitally signed.

DNS Devolution With DNS devolution, a DNS resolver, such as Internet Explorer, appends the parent suffix to an incomplete DNS fully qualified domain name (FQDN). For example, if the user entered http://server1 in the address bar in Internet Explorer, assuming the primary suffix of the client that is running Internet Explorer is sales.contoso.com, this is appended. If resolution is unsuccessful, then the parent of Contoso.com is appended and so on. Devolution is the behavior in AD DS that enables client computers that are members of a child domain to access resources in the parent domain without the need to explicitly provide the FQDN of the resource. The DNS resolver client in Windows Server 2008 R2 and Windows 7 introduces devolution levels; these provide control of the label where devolution stops. Previously, the effective devolution level was two. You can now specify the devolution level, allowing for precise control of the organizational boundary in your AD DS domain when clients attempt to resolve resources within the domain.

DNS Cache Locking When you enable cache locking, the DNS server does not allow cached records to be overwritten for the duration of the time to live (TTL) value. Cache locking provides improved security against cache poisoning attacks.

3-10


DNS Socket Pool Instead of using a predetermined source port (TCP or UDP 53) when issuing queries, the DNS server uses a random port number selected from a pool, known as the socket pool. The socket pool makes cache poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS query in addition to a random transaction ID to successfully execute an attack.

Name Resolution Policy Table To separate Internet traffic from intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined for each DNS namespace, rather than for each interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client’s behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule.


Demonstration: How to Install the DNS Server Role

This demonstration shows how to install the DNS Server role.

3-11

3-12


Considerations for Deploying the DNS Server Role

When you are planning to deploy DNS, there are several considerations that you must review: •

How many DNS zones will you configure on the server and how many DNS records will each zone contain? Typically, zones map on a one-to-one basis with domains in your name space. When you have a large number of records, it might make more sense to break the records down into multiple zones.

•

How many DNS clients will be communicating with the server on which you configure the DNS role? The more client resolvers there are, the more load is placed on the server. When you anticipate additional load, consider deploying additional DNS servers.

•

Where will you place DNS servers? For example, will you place the servers centrally or does it make more sense to locate DNS servers in branch offices? If there are few clients at a branch office, most DNS requests could be satisfied by using a central DNS server or by implementing a caching only server. A large number of users at a branch might benefit from a local DNS server with appropriate zone data.

How you answer the preceding questions will determine how many DNS servers you must deploy, and where you should place them.

Active Directory Integration The Windows Server 2008 DNS role can store the DNS database two different ways, as shown in the following table: Storage Method

Description

Text File

The DNS server role stores the DNS entries in a text file, which you can edit with a text editor.

Active Directory

The DNS server role stores the DNS entries in the Active Directory database; this database can be replicated to other domain controllers, even if they do not run the Windows Server 2008 DNS role. You cannot use a text editor to edit DNS data that Active Directory stores.


3-13

Active Directory integrated zones are easier to manage than traditional text-based zones, and are more secure. The replication of zone data occurs as part of Active Directory replication.

DNS Server Placement Typically, you will deploy the DNS role on all domain controllers. If you decide to implement some other strategy, keep the following points in mind: •

How will client computers resolve names in the event of their usual DNS server becoming unavailable?

•

What will the impact on network traffic be if client computers start to use an alternate DNS server, perhaps located remotely?

•

How will you implement zone transfers? Active Directory integrated zones use Active Directory replication to transfer the zone to all other domain controllers. If you implement non–Active Directory integrated zones, you must plan the zone transfer mechanism yourself.

3-14


Lesson 2

Configuring the DNS Server Role

The DNS infrastructure is the basis for name resolution on the Internet and in Windows Server 2008 Active Directory domains. This lesson provides guidance and information about what is required to configure the DNS server role, and explains the basic functions of a DNS server.


List the components of a DNS solution.

•

Describe DNS resource records.

•

Explain how root hints work.

•

Describe how various types of DNS query work.

•

Explain how forwarding and conditional forwarding works.

•

Explain how DNS server caching works.

•

Configure the DNS Server role properties.


3-15

What Are the Components of a DNS Solution?

The components of a DNS solution include DNS servers, DNS servers on the Internet, and DNS resolvers, or clients.

DNS Servers A DNS server answers recursive and iterative DNS queries. DNS servers also can host one or more zones of a particular domain. Zones contain different resource records. DNS servers also can cache lookups to save time for common queries.

DNS Servers on the Internet DNS servers on the Internet are accessible publicly. They host public zone information and the root server, and other common TLDs such as .COM, .NET, .EDU.

DNS Resolvers The DNS resolver generates and sends iterative or recursive queries to the DNS Server. A DNS resolver can be any computer performing a DNS lookup that requires interaction with the DNS server. DNS servers also can issue DNS requests to other DNS servers.

3-16


DNS Resource Records

The DNS zone file stores resource records. Resource records specify a resource type and the IP address to locate the resource. The most common resource record is an A resource record. This is a simple record that resolves a hostname to an IP address. The host can be a workstation, server, or another network device, such as a router. Resource records also help find resources for a particular domain. For instance, when an Exchange server needs to find the server that is responsible for delivering mail for another domain, it will request the Mail Exchanger (MX) record for that domain. This record points to the “A” record of the host that is running the Simple Mail Transfer Protocol (SMTP) mail service. Resource records also can contain custom attributes. MX records, for instance, have a preference attribute, which is useful if an organization has multiple mail servers. This will tell the sending server which mail server the receiving organization prefers. SRV records also contain information regarding on which port the service is listening and the protocol that you should use to communicate with the service. The following table describes the most common resource records. DNS Resource Records

Description

SOA

Start of authority (SOA) resource record. Identifies the primary name server for a DNS zone.

A

Host address (A) resource record. The main record that resolves a host name to an IPv4 address.

CNAME

Canonical name (CNAME) resource record. An alias record type that maps one name to another (for example, www.microsoft.com is a CNAME of the A record microsoft.com).

MX

Mail exchanger (MX) resource record. Used to specify an email server for a particular domain.


3-17

(continued) DNS Resource Records

Description

SRV

Service locator (SRV) resource record. Identifies a service that is available in the domain. Active Directory uses these records extensively.

NS

Name Server (NS) resource record. Identifies all of the name servers in a domain.

AAAA

The main record that resolves a host name to an IPv6 address.

PTR

Pointer (PTR) resource record. Used to look up and map an IP address to a domain name. The reverse lookup zone stores the names.

3-18


What Are Root Hints?

Root hints are the list of the 13 servers on the Internet that your DNS server uses if it cannot resolve a DNS query by using a DNS forwarder or its own cache. The root hints are the highest servers in the DNS hierarchy and can provide the necessary information for a DNS server to perform an iterative query to the next lowest layer of the DNS namespace. Root Servers are automatically installed when you install the DNS role. They are copied from the cache.dns file that the DNS role setup files include. You also can add root hints to a DNS server to support lookups for non-contiguous domains within a forest. When a DNS server communicates with a root hints server, it uses only an iterative query. If you select the Do Not Use Recursion For This Domain option, the server will not be able to perform queries on the root hints. If you configure the server using a forwarder, it will attempt to send a recursive query to its forwarding server. If the forwarding server does not answer this query, the server will respond that the host could not be found. It is important to understand that recursion on a DNS server and a recursive queries are not the same thing. Recursion on a server means that the server will use its root hints and try to resolve a DNS query. The next topics will discuss Iterative and Recursive queries in more detail.


3-19

What Are DNS Queries?

A DNS query is the method that you use to request name resolution in which a query is sent to a DNS Server. There are two types of responses to DNS queries: authoritative and nonauthoritative. It is important to note that DNS servers also can act as DNS resolvers and send DNS queries to other DNS servers. A DNS server can be either authoritative or nonauthoritative for the query’s namespace. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone. The two types of queries are: •

An authoritative query is one for which the server can return an answer that it knows is correct because the request is directed to the authoritative server that manages the domain.

•

A DNS server that contains in its cache the domain being requested answers a non-authoritative query by using forwarders or root hints. However, the answer provided might not be accurate because only the authoritative DNS server for the given domain can issue that information.

If the DNS server is authoritative for the query’s namespace, the DNS server will check the zone and then do one of the following: •

Return the requested address.

•

Return an authoritative “No, that name does not exist.” Note An authoritative answer can be given only by the server with direct authority for the queried name.

If the local DNS server is non-authoritative for the query’s namespace, the DNS server will do one of the following: •

Check its cache and return a cached response.

•

Forward the unresolvable query to a specific server called a forwarder.

•

Use well-known addresses of multiple root servers to find an authoritative DNS server to resolve the query. This process uses root hints.

3-20


Recursive Queries A recursive query can have two possible results: •

It returns the IP address of the host requested.

•

The DNS server cannot resolve an IP address.

For security reasons, it sometimes is necessary to disable recursive queries on a DNS server. In doing so, the DNS server in question will not attempt to forward its DNS requests to another server. This can be useful when you do not want a particular DNS server communicating outside its local network.

Iterative Queries Iterative queries provide a mechanism for accessing domain name information that resides across the DNS system, and enable servers to quickly and efficiently resolve names across many servers. When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer with either the IP address for the domain name (if known), or with a referral to the DNS servers that are responsible for the domain being queried.


3-21

What Is Forwarding?

A forwarder is a network DNS server that forwards DNS queries for external DNS names to DNS servers outside that network. You also can use conditional forwarders to forward queries according to specific domain names. A network DNS server is designated a forwarder when other DNS servers in the network forward to it the queries that they cannot resolve locally. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for your network’s computers. The server that is forwarding requests in the network must be able to communicate with the DNS server that is located on the Internet. This means either you configure it to forward requests to another DNS server or it uses root hints to communicate.

Best Practice Use a central forwarding DNS server for Internet name resolution. This can improve performance, simplify troubleshooting, and is a security best practice. You can isolate the forwarding DNS server in a perimeter network, which ensures that no server within the network is communicating directly to the Internet.

Conditional Forwarding A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query’s DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS name spaces in a forest.

3-22


Conditional Forwarding in Windows Server 2008 R2 In Windows Server 2008 R2, the conditional forwarders configuration has been moved to a node in the DNS configuration console. You also can replicate this information to other DNS servers through Active Directory integration.

Best Practice Use conditional forwarders if you have multiple internal namespaces. This provides faster name resolution.


3-23

How DNS Server Caching Works

DNS caching increases the performance of the organization’s DNS system by decreasing the time it takes to provide DNS lookups. When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for the most common domains that the organization uses or accesses. Note The default time to cache DNS data is one hour. You can configure this by changing the SOA record for the appropriate DNS zone. A caching-only server will not host any DNS zone data; it only answers lookups for DNS clients. This is the ideal type of DNS server to use as a forwarder. The DNS client cache is a DNS cache that the DNS Client service stores on the local computer. To illustrate client-side caching, run the ipconfig /displaydns command at the command prompt. This shows the local DNS client cache. If you need to clear the local cache, you can use ipconfig /flushdns.

3-24


Demonstration: How to Configure the DNS Server Role


Configure DNS server properties.

•

Configure conditional forwarding.

•

Clear the DNS cache.


3-25

Lesson 3

Configuring DNS Zones

DNS zones are an important concept in DNS infrastructure because they enable DNS domains to be logically separated and managed. This lesson provides the foundation for understanding about how zones relate to DNS domains and information about the different types of DNS zones that are available in the Windows Server 2008 R2 DNS role.


Explain what a DNS Zone is.

•

Explain the various DNS Zone Types available in Windows Server 2008.

•

Explain the purpose of forward and reverse lookup zones.

•

Explain the purpose of stub zones.

•

Create and configure DNS Zones.

•

Explain how DNS Zone delegation is used.

3-26


What Is a DNS Zone?

A DNS zone hosts all or a portion of a domain and its subdomains. The slide illustrates how subdomains can belong to the same zone as their parents or be delegated to another zone. The Microsoft.com domain is separated into two zones. The first zone hosts www.microsoft.com and ftp.microsoft.com. Example.microsoft.com is delegated to a new zone, which hosts the example.microsoft.com and its subdomains ftp.example.microsoft.com and www.example.microsoft.com. Important The zone that hosts a root of the domain (Microsoft.com) must delegate the subdomain (example.microsoft.com) to the second zone. If this does not occur, example.microsoft.com will be treated as if it were part of the first zone. Zone data can be replicated to more than one server. This adds redundancy to a zone because the information needed to find resources in the zone now exists on two servers. The level of redundancy that is needed is one reason to create zones. If you have a zone that hosts critical server resource records, it is likely that this zone will have a higher level of redundancy than a zone in which noncritical devices are defined. Many companies create a separate DNS zone for workstations and another for servers. Administrators then can choose different strategies when defining how the zones will replicate.

Characteristics of a DNS Zone Zone data is maintained on a DNS server and is stored in one of two ways: •

In a flat zone file that contains mapping lists

•

Integrated into Active Directory

A DNS server is authoritative for a zone if it hosts the resource records for the names and addresses that the clients request in the zone file.


3-27

What Are the DNS Zone Types?

The four DNS zone types are: •

Primary

•

Secondary

•

Stub

•

Active Directory integrated

Primary Zone When a zone that a DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone and stores the master copy of zone data in a local file or in AD DS. When the DNS server stores the zone in a file, the primary zone file is named zone_name.dns by default and is located in the %windir%\System32\Dns folder on the server. When the zone is not stored in Active Directory, this is the only DNS server that has a writable copy of the database.

Secondary Zone When a zone that a DNS server hosts is a secondary zone, the DNS server is a secondary source for the zone information. The zone at this server must be obtained from another remote DNS server that also hosts the zone. This DNS server must have network access to the remote DNS server to receive updated zone information. Because a secondary zone is a copy of a primary zone that another server hosts, it cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from non-Windows DNS zones.

Stub Zone Windows Server 2003 introduced stub zones, which solve several problems with large DNS name spaces and multiple tree forests. A multiple tree forest is an Active Directory forest that contains two different domain names.

3-28


Active Directory-Integrated Zone If Active Directory stores the zone, DNS can take advantage of the multimaster replication model to replicate the primary zone. This enables you to edit zone data on more than one DNS server. Windows Server 2008 introduced a new concept called a read-only domain controller. Active Directory-integrated zone data can be replicated to domain controllers, even if the DNS role is not installed on the domain controller. If the server is a read-only domain controller, a local process cannot write to the data.


3-29

What Are Forward and Reverse Lookup Zones?

Zones can be either forward or reverse, sometimes known as inverse zones.

Forward Lookup Zone The forward lookup zone resolves host names to IP addresses and hosts the common resource records: A, CNAMES, SRV, MX, SOA, and NS.

Reverse Lookup Zone The reverse lookup zone resolves an IP address to a domain name and hosts SOA, NS, and PTR records. A reverse zone functions in the same manner as a forward zone, but the IP address is the part of the query while the host name is the returned information. Reverse zones are not always configured, but you should configure them to reduce warning and error messages. Many standard Internet protocols rely on reverse zone lookup data to validate forward zone information. For example, if the forward lookup indicates that training.contoso.com is resolved to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com. Having a reverse zone is important if you have applications that rely on looking up hosts by their IP addresses. Many applications will log this information in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the host using the reverse zone information. Many email security gateways use reverse lookups to validate that the IP address that is sending messages is associated with a domain.

3-30


What Are Stub Zones?

A stub zone is a replicated copy of a zone that contains only those resource records necessary to identify that zone’s authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces. A stub zone consists of the following: •

The delegated zone’s SOA resource record, NS resource records, and A resource records.

•

The IP address of one or more master servers that you can use to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone, usually the DNS server that is hosting the primary zone for the delegated domain name.

Stub Zone Resolution When a DNS resolver performs a recursive query operation on a DNS server that is hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers that the stub zone’s NS resource records specify as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server that is hosting the stub zone attempts standard recursion using root hints. The DNS server will store the resource records it receives from the authoritative DNS servers that a stub zone in its cache lists, but it will not store these resource records in the stub zone itself. Only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records that the cache stores are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval that the stub zone’s SOA record specifies. During the stub zone’s creation, the SOA record is created. SOA record updates occur during transfers to the stub zone from the original, primary zone. If the query was an iterative query, the DNS server returns a referral containing the servers that the stub zone specifies.


3-31

Communication between DNS Servers Hosting Parent and Child Zones A DNS server that delegates a domain to a child zone on a different DNS server is made aware of new authoritative DNS servers for the child zone only when resource records for them are added to the parent zone that the DNS server hosts. This is a manual process and requires that administrators for the different DNS servers communicate often. With stub zones, a DNS server that is hosting a stub zone for one of its delegated domains can obtain updates of the authoritative DNS servers for the child zone when the stub zone is updated. The update is performed from the DNS server that is hosting the stub zone, and the administrator for the DNS server that is hosting the child zone does not need to be contacted.

Contrasting Stub Zones and Conditional Forwarders There might be some confusion about when to use conditional forwarders rather than stub zones because both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding to, a different DNS server. However, these settings have different purposes: •

A conditional forwarder setting configures the DNS server to forward a query it receives to a DNS server depending on the DNS name that the query contains.

•

A stub zone keeps the DNS server that is hosting a parent zone aware of all the DNS servers that are authoritative for a child zone.

3-32


Demonstration: How to Create Zones


Create a reverse lookup zone.

•

Create a forward lookup zone.


3-33

DNS Zone Delegation

DNS is a hierarchical system, and zone delegation connects the DNS layers together. A zone delegation points to the next hierarchical level down and identifies the name servers that are responsible for lowerlevel domain. When deciding whether to divide the DNS namespace to make additional zones, consider the following reasons to use additional zones: •

You need to delegate management of part of the DNS namespace to another organizational location or department.

•

You need to divide one large zone into smaller zones so you can distribute traffic loads among multiple servers, which improves DNS name-resolution performance and creates a more fault-tolerant DNS environment.

•

You need to extend the namespace by adding numerous subdomains at once to accommodate the opening of a new branch or site.

3-34


Lesson 4

Configuring DNS Zone Transfers

DNS zone transfers are how the DNS infrastructure moves DNS zone information from one server to another. This lesson covers the different methods that the DNS Server role uses when transferring zones.


Describe how DNS zone transfers work.

•

Configure zone transfer security.

•

Create and configure DNS Zones.


3-35

What Is a DNS Zone Transfer?

A zone transfer occurs when you transfer the DNS zone that is on one server to another DNS server. Zone transfers synchronize primary and secondary DNS server zones. This is how DNS builds its resilience on the Internet. It is important that DNS zones remain updated on primary and secondary servers. Discrepancies in primary and secondary zones can cause service outages and host names that are resolved incorrectly. A full zone transfer occurs when you copy the entire zone from one DNS server to another. A full zone transfer is known as an All Zone Transfer (AXFR). An incremental zone transfer occurs when there is an update to the DNS server and only the resource records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR). Windows DNS servers also perform “Fast transfers,” which is a type of zone transfer that uses compression and sends multiple resource records in each transmission. Not all DNS server implementations support incremental and fast zone transfers. When integrating a Windows 2008 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure that the features you need are supported by the BIND version that is installed. The following table lists the features that various DNS servers support. DNS Server

Full Zone (AXFR)

Incremental Zone (IXFR) Fast Transfer

BIND Older than 4.9.4

Supported

Not supported

Not Supported

BIND 4.9.4 – 8.1

Supported

Not supported

Supported

BIND 8.2

Supported

Supported

Supported

Windows 2000 SP3

Supported

Supported

Supported

Windows 2003 (R2)

Supported

Supported

Supported

Windows 2008 and R2

Supported

Supported

Supported

3-36


Active Directory Integrated zones replicate using multimaster replication. This means that any standard domain controller that also holds the DNS role can update the DNS zone information, which then replicates to all DNS servers that host the DNS zone.

DNS Notify DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur; this is useful in a time-sensitive environment, where data accuracy is important.


3-37

Configuring Zone Transfer Security

Zone information provides organizational data, so you should take precautions to ensure it is secure from malicious access and that it cannot be overwritten with bad data (known as DNS poisoning). One way in which you can protect the DNS infrastructure is to secure the zone transfers and use secure dynamic updates. On the Zone Transfers tab in the Zone Properties dialog box, you can specify the list of allowed DNS servers. You also can use these options to disallow zone transfer. By default, zone transfers are turned off. While the option that specifies the servers that might request zone data provides security by limiting the data recipients, it does not secure that data while it is being transmitted. If the zone information is highly confidential, we recommend that you use an Internet Protocol Security (IPsec) policy to secure the transmission or replicate the zone data over a virtual private network (VPN) tunnel. This prevents packet sniffing to determine information in the data transmission. Using Active Directory-integrated zones replicates the zone data as part of normal AD DS replications. Therefore, if DNS zone traffic in Active Directory-integrated zones needs to be secure, it also is necessary to secure the AD DS replication data.

3-38


Demonstration: How to Configure DNS Zone Transfers


Enable DNS zone transfers.

•

Update the secondary zone from the master server.

•

Update the primary zone and verify the change on the secondary zone.


3-39

Lesson 5

Managing and Troubleshooting DNS

DNS is a crucial service in the Active Directory infrastructure. When the DNS service experiences problems, it is important to know how to troubleshoot them and identify the common issues that can occur in a DNS infrastructure. This lesson covers the common problems that occur in DNS, the common areas for gathering DNS information, and the tools that you can use to troubleshoot problems.


Explain how TTL, aging, and scavenging help to manage DNS records.

•

Manage TTL, aging, and scavenging for DNS records.

•

Identify problems with DNS using DNS tools.

•

Troubleshoot DNS using DNS tools.

•

Monitor DNS using the DNS Event Log and Debug Logging.

3-40


What Is Time to Live, Aging, and Scavenging?

Time to Live (TTL), aging, and scavenging help manage DNS resource records in the zone files. Zone files can change over time, so there needs to be a way to manage DNS records that are updated or that are not valid because the hosts they represent are no longer on the network. The following table describes the DNS tools that help to maintain a DNS database. Tool

Description

Time to Live (TTL)

Indicates how long a DNS record remains valid. The TTL can vary depending on the kind of DNS resource record. For example, an MX record has a much longer TTL than a host record for a laptop.

Aging

Occurs when records inserted into the DNS server reach their expiration and are removed. This keeps the zone database accurate. During normal operations, aging should take care of stale DNS resource records.

Scavenging

Performs DNS server resource record grooming for old records in DNS. If resource records have not been aged, an administrator can scavenge the zone database for stale records to force a database cleanup.

If left unmanaged, the presence of stale resource records in zone data might cause problems. For example: •

If a large number of stale resource records remain in server zones, they eventually can use up server disk space and cause unnecessarily long zone transfers.

•

A DNS server that is loading zones with stale resource records might use outdated information to answer client queries, which could cause the client computers to experience name resolution or connectivity problems on the network.

•

The accumulation of stale resource records on the DNS server might degrade its performance and responsiveness.

•

In some cases, the presence of a stale resource record in a zone could prevent another computer or host device from using a DNS domain name.


3-41

To solve these problems, the DNS Server service has the following features: •

Time stamping, based on the current date and time that is set at the server computer, for any resource records that are added dynamically to primary-type zones. Additionally, time stamps are recorded in standard primary zones where you enable aging and scavenging.

•

For resource records that you add manually, you use a time-stamp value of zero to indicate that the aging process does not affect these records and that they can remain without limitation in zone data unless you otherwise change their time stamp or delete them.

•

Aging of resource records in local data, based on a specified refresh time period, for any eligible zones.

•

Only primary type zones that the DNS Server service loads are eligible to participate in this process.

•

Scavenging for any resource records that persist beyond the specified refresh period.

When a DNS server performs a scavenging operation, it can determine that resource records have aged to the point of becoming stale and remove them from zone data. You can configure servers to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server. Caution By default, the aging and scavenging mechanism for the DNS Server service is disabled. You should enable it only when all parameters are understood fully. Otherwise, you could configure the server to delete records accidentally that should not be deleted. If a record is deleted accidentally, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones that you configure for secure dynamic update. The server uses the contents of each resource record-specific time stamp, along with other aging and scavenging properties that you can adjust or configure, to determine when it scavenges records.

Prerequisites for Aging and Scavenging Before you can use the aging and scavenging features of DNS, several conditions must be met: •

You must enable scavenging and aging at the DNS server and on the zone. By default, aging and scavenging of resource records is disabled.

•

You must add resource records to zones dynamically or manually modify them for use in aging and scavenging operations.

Typically, only those resource records that you add dynamically using the DNS dynamic update protocol are subject to aging and scavenging. For records that you add to zones by loading a text-based zone file from another DNS server or by manually adding them to a zone, a time stamp of zero is set. This makes these records ineligible for use in aging and scavenging operations. To change this default, you can administer these records individually to reset and permit them to use a current (nonzero) time-stamp value. This enables these records to become aged and scavenged.

3-42


Demonstration: How to Manage DNS Records


Configure TTL.

•

Enable and configure scavenging and aging.


3-43

Tools That Identify Problems with DNS

Issues can occur when you do not configure the DNS server, and its zones and resource records, properly. When resource records are causing issues, it can sometimes be more difficult to identify the issue because configuration problems are not always obvious. The following table lists possible configuration issues that can cause DNS problems. Issue

Result

Missing records

Records for a host are not in the DNS server. They might have been scavenged prematurely. This can result in workstations not being able to connect with each other.

Incomplete records

Records that are missing information required to locate the resource they represent can cause clients requesting the resource to use invalid information. For example, a service record that does not contain a needed port address is an example of an incomplete record.

Incorrectly configured records

Records that are pointing to an invalid IP address or have invalid information in their configuration also will cause problems when DNS clients try to find resources.

The tools used to troubleshoot these and other configuration issues are: •

Nslookup: Use this to query DNS information. The tool is flexible and can provide a lot of valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution. Note If you are using Nslookup on a DirectAccess client that has active Name Resolution Policy Table (NRPT) entries, you might need to specify the address of the DNS server. For more information, refer to http://go.microsoft.com/fwlink/?LinkID=214829&clcid=0x409.

3-44


•

Dnscmd: Manage the DNS Server service with this command-line interface. This utility is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network. Note You can find out about the command-line syntax for Dnscmd.exe at the Microsoft website: http://go.microsoft.com/fwlink/?LinkID=214830&clcid=0x409.

•

Dnslint: Use this to diagnose common DNS issues. This command-line utility diagnoses configuration issues in DNS quickly and also can generate a report in HTML format regarding the status of the domain that you are testing. Note You can find out about the command-line syntax for Dnslint.exe at the Microsoft website: http://go.microsoft.com/fwlink/?LinkID=214831&clcid=0x409.

•

IPconfig: Use this command to view and modify IP configuration details that the computer uses. This utility includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client local DNS cache using the command ipconfig/displaydns, and you can clear the local cache using ipconfig/flushdns.

•

Monitoring on DNS server: In the DNS server Monitoring tab, you can configure a test that allows the DNS server to determine whether it can resolve simple local queries and perform a recursive query to ensure that the server can communicate with upstream servers. You also can schedule these tests for regular intervals. These are basic tests, but they provide a good place to start troubleshooting the DNS service. Possible causes for a test to fail include: •

The DNS Server Service has failed.

•

The upstream server is not available on the network.


Demonstration: How to Test the DNS Server Configuration


Capture DNS network traffic.

•

Filter and analyze captured traffic.

•

Use NSLookup.exe to test DNS.

3-45

3-46


Monitoring DNS Using the DNS Event Log

The DNS server has its own category in the event log. As with any event log in Windows Event Viewer, you should review the event log periodically.

Common DNS Events The following table describes common DNS events. Event ID

Description

2

The DNS server has started. This message generally appears at startup when either the server computer or the DNS Server service are started.

3

The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS Server service is stopped manually.

408

The DNS server could not open socket for address [IPaddress]. Verify that this is a valid IP address for the server computer. To correct the problem, you can do the following: 1. If the specified IP address is not valid, remove it from the list of restricted interfaces for the server and restart the server. 2. If the specified IP address is no longer valid and was the only address enabled for the DNS server to use, the server might not have started as a result of this configuration error. To correct this problem, delete the following value from the registry and restart the DNS server: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters\ListenAddress 3. If the IP address for the server computer is valid, verify that no other application that would attempt to use the same DNS server port (such as another DNS server application) is running. By default, DNS uses TCP port 53.


3-47

(continued) Event ID

Description

413

The DNS server sends requests to other DNS servers on a port other than its default port (TCP port 53). This DNS server is multihomed and has been configured to restrict DNS Server service to only some of its configured IP addresses. For this reason, there is no assurance that DNS queries that this server makes to other remote DNS servers will be sent using one of the IP addresses that was enabled for the DNS server. This might prevent query answer responses that these servers return from being received on the DNS port that the server is configured to use. To avoid this problem, the DNS server sends queries to other DNS servers using an arbitrary non-DNS port, and the response is received regardless of the IP address used. If you want to limit the DNS server to using only its configured DNS port for sending queries to other DNS servers, use the DNS console to perform one of the following changes in server properties configuration on the Interfaces tab: • Select All IP addresses to enable the DNS server to listen on all configured server IP addresses. • Select Only the following IP addresses to limit the IP address list to a single server IP address.

414

The server computer currently has no primary DNS suffix configured. Its DNS name currently is a single label host name. For example, its configured name is “host” rather than “host.example.microsoft.com” or another fully qualified name. While the DNS server has only a single label name, default resource records created for its configured zones use only this single label name when mapping the host name for this DNS server. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name. In general, you should reconfigure the DNS server with a full DNS computer name that is appropriate for its domain or workgroup use on your network.

708

The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server but will not be authoritative for any zones.

3150

The DNS server wrote a new version of zone [zonename] to file [filename]. You can view the new version number by clicking the Record Data tab. This event should appear only if you configure the DNS server to operate as a root server.

6527

Zone [zonename] expired before it could obtain a successful zone transfer or update from a master server that is acting as its source for the zone. The zone has been shut down. This event ID might appear when you configure the DNS server to host a secondary copy of the zone from another DNS server that is acting as its source or master server. Verify that this server has network connectivity to its configured master server. If the problem continues, consider one or more of the following options: 1. Delete the zone and recreate it, specifying either a different master server or an updated and corrected IP address for the same master server. 2. If zone expiration continues, consider adjusting the expiration interval.

3-48


Monitoring DNS Using Debug Logging

Sometimes it might be necessary to get more details about a DNS problem than the Event viewer provides. In this instance, you can use debug logging to provide additional information. The following DNS debug logging options are available: •

•

•

•

Direction of packets •

Send: The DNS server log file logs packets that the DNS server sends.

•

Receive: The log file logs packets that the DNS server receives.

Content of packets •

Standard query: Specifies that packets containing standard queries (according to Request for Comments (RFC) 1034) are logged in the DNS server log file.

•

Updates: Specifies that packets containing dynamic updates (according to RFC 2136) are logged in the DNS server log file.

•

Notifies: Specifies that packets containing notifications (according to RFC 1996) are logged in the DNS server log file.

Transport protocol •

UDP: Specifies that packets sent and received over User Datagram Protocol (UDP) are logged in the DNS server log file.

•

TCP: Specifies that packets sent and received over TCP are logged in the DNS server log file.

Type of packet •

Request: Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a Query/Response (QR) bit set to 0 in the DNS message header).

Note A QR bit is a one-bit field that specifies whether this message is a query (0) or a response.


•

3-49

Response: Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header).

•

Enable filtering based on IP address: Provides additional filtering of packets that are logged in the DNS server log file. Allows logging of packets that are sent from specific IP addresses to a DNS server or from a DNS server to specific IP addresses.

•

Log file maximum size limit: Allows you to set the maximum file size for the DNS server log file. When the DNS server log file reaches its specified maximum size, the DNS server overwrites the oldest packet information with new information. Note If you do not specify a maximum log-file size, the DNS server log file can consume a large amount of hard-disk space.

By default, all debug logging options are disabled. When you enable them selectively, the DNS Server service can perform additional trace-level logging of selected types of events or messages for general troubleshooting and server debugging. Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, you should use it only on a temporary basis, when you need more detailed server-performance information. Note Dns.log contains debug logging activity. By default, it is located in the %systemroot%\System32\Dns folder.

3-50





2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Scenario Contoso is planning to improve their DNS infrastructure due to complaints from users about poor performance. In addition, Contoso is partnering with A Datum and name resolution must be optimized between these two organizations. Your task is to plan and implement the required changes. For this project, you must complete the following tasks: •

Plan an appropriate DNS configuration.

•

Configure a suitable DNS configuration.

•

Verify and troubleshoot DNS.


3-51

Exercise 1: Selecting a DNS Configuration Scenario In this exercise, you will read the documentation from your manager and then answer the questions in the proposals section. The main tasks for this exercise are as follows: 1.

Read the following Contoso Name Resolution Plan document.

2.


3.


X Task 1: Read the Contoso Name Resolution Plan document •

Read the following Contoso Name Resolution Plan document.


Answer the questions in the Contoso Name Resolution Plan document. Contoso Name Resolution Plan Document Reference Number: GW1203/1 Document Author Date


Requirements Overview 1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns. 2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers. Additional Information 1. No additional domain controllers are planned for the Contoso domain. 2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso. Proposals 1. How will you modify the DNS configuration for Contoso to address the first requirement? 2. How will you modify the DNS configuration for Contoso to address the second requirement? 3. Does either of the points in the additional information section raise any issues? 4. What is your proposed action plan for this project? 5. How will you distribute load among DNS servers?


Compare your solution to the proposed solution in the Contoso Name Resolution Plan document in the Lab Answer Key and be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.

3-52


Exercise 2: Deploying and Configuring DNS Scenario In this exercise, you will deploy and configure the DNS role on NYC-SVR1. The main tasks for this exercise are as follows: 1.

Install the DNS role on NYC-SVR1.

2.

Create and configure a stub zone on NYC-DC1.

3.

Create and configure secondary zones on NYC-SVR1.

4.

Enable and configure zone transfers for Contoso.com.

5.

Update secondary zone data from master server.

6.

Configure clients to use the new name server.

X Task 1: Install the DNS role on NYC-SVR1 1.

Switch to the NYC-SVR1 computer.

2.

Open Server Manager.

3.

Add the DNS Server role.

X Task 2: Create and configure a stub zone on NYC-DC1 1.

Switch to the NYC-DC1 computer.

2.

Open DNS.

3.

Create a new forward lookup zone with the following properties: •

Zone type: Stub

•

Zone name: Adatum.com

•

Master server: 131.107.1.2 Note

Validation will fail. The server is not online.

X Task 3: Create and configure secondary zones on NYC-SVR1 1.

Switch to NYC-SVR1.

2.

Open a command prompt.

3.

At the command prompt, type Dnscmd.exe /zoneadd Contoso.com /secondary 10.10.0.10 and press ENTER.

4.

At the command prompt, type Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10 and press ENTER.

5.

Open DNS and verify that the two zones are created.


3-53

X Task 4: Enable and configure zone transfers for Contoso.com 1.

Switch to NYC-DC1.

2.


3.

At the command prompt, type Dnscmd.exe /zoneresetsecondaries Contoso.com /notify /notifylist 10.10.0.24 and press ENTER.

4.

Open DNS.

5.

Verify that NYC-SVR1’s IPv4 address is listed on the Notify list on the Zone transfers tab in the Contoso.com zone property sheet. Note It might take a few minutes to appear.

X Task 5: Update secondary zone data from master server 1.

Switch to NYC-SVR1.

2.

In DNS, refresh the display and verify that the zone data has transferred from the master for the Contoso.com secondary zone.

3.

Close all open windows. Note

You will not receive data for Adatum.com.

X Task 6: Configure clients to use the new name server 1.

Switch to NYC-DC1.

2.

Open DHCP.

3.

Modify the DHCP Server options as follows: •

4.

006 DNS Servers: 10.10.0.24

Close all open windows.

Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.

3-54


Exercise 3: Troubleshooting DNS Scenario In this exercise, you will use monitoring and troubleshooting tools to test and verify the DNS configuration. The main tasks for this exercise are as follows: 1.

Test simple and recursive queries.

2.

Verify SOA records with Nslookup.

3.

Use Dnslint to verify name server records.

4.

View performance statistics with Performance Monitor.

X Task 1: Test simple and recursive queries 1.

On NYC-DC1, in DNS, open the NYC-DC1 properties.

2.

On the Monitoring tab, perform a simple query against the DNS server. This is successful.

3.

Perform simple and recursive queries against this and other servers. The recursive test fails because there are no forwarders configured.

4.

Stop the DNS service and repeat the previous tests. They fail because no DNS server is available.

5.

Restart the DNS service and repeat the tests. The simple test is successful.

6.

Close the NYC-DC1 Properties dialog box.

X Task 2: Verify SOA records with Nslookup 1.


2.

Type nslookup.exe and then enter the following two commands:

3.

•

Set querytype=SOA

•

Contoso.com

View the results and close the command prompt.

X Task 3: Use Dnslint to verify name server records 1.

Switch to NYC-CL1.

2.

From a command prompt, change to the D:\Labfiles\Mod03 folder.

3.

At the command prompt, type Dnslint /s 10.10.0.10 /d Contoso.com and press ENTER.

4.

View the output and then close the command prompt.

X Task 4: View performance statistics with Performance Monitor 1.

Switch to NYC-DC1.

2.

Open Performance Monitor from Server Manager. In the list pane of the Server Manager window, expand Diagnostics, expand Performance, expand Monitoring Tools, and then click Performance Monitor.

3.

In the center pane, click the green plus icon.

4.

In the Available counters list, double-click DNS.


5.

Select Total Query Received and then click Add.

6.

Select Total Query Received/sec, click Add, and then click OK.

7.

Click Start, click Administrative tools, and then click DNS.

8.

In the left pane, right-click NYC-DC1 and then click Properties.

9.

Click the Monitoring tab.

3-55

10. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers and then click Test Now several times. 11. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool. 12. Return to the Server Manager console. The graph reflects the queries on the server. 13. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received. 14. Close Server Manager. Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

3-56



Review Questions 1.

You are presenting to a potential client about the advantages of using Windows Server 2008 R2. What are the new features that you would point out when discussing the Windows Server 2008 R2 DNS server role?

2.

You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider while planning the DNS configuration?

3.

What is the difference between recursive and iterative queries?

4.

What must you configure before a DNS zone can be transferred to a secondary DNS server?

5.

You are the administrator of a Windows Server 2008 R2 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone. The acquired company is using Bind 4.9.4 to host their primary DNS zones. You notice a significant amount of traffic between the Windows Server 2008 R2 DNS server and the Bind server. What is one possible reason for this?

6.

You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2008 R2. What DNS tool can you use to do this?


3-57

Tools Tool

Use for

Where to find it

Dnscmd.exe

Configure DNS server role

Command-line

Dnslint.exe

Test DNS server

Download from the Microsoft website and the use from the command-line

Nslookup.exe

Test DNS name resolution

Command-line

Ping.exe

Simple test of DNS name resolution

Command-line

Ipconfig.exe

Verify and test IP functionality and view or clear the DNS client resolver cache

Command-line

4-1

Module 4 Configuring and Troubleshooting IPv6 TCP/IP Contents: Lesson 1: Overview of IPv6

4-3

Lesson 2: IPv6 Addressing

4-12

Lesson 3: Coexistence with IPv6

4-22

Lesson 4: IPv6 Transition Technologies

4-28

Lab A: Configuring an ISATAP Router

4-35

Lesson 5: Transitioning from IPv4 to IPv6

4-41

Lab B: Converting the Network to Native IPv6

4-46

4-2


Module Overview

Support for Internet Protocol version 6 (IPv6), a new suite of standard protocols for the Internet’s Network layer, is built into Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. IPv6 is a technology that will help ensure that the Internet can support a growing user base and the increasingly large number of IP-enabled devices. The current Internet Protocol Version 4 (IPv4) has served as the underlying Internet protocol for almost thirty years. Its robustness, scalability, and limited feature set is now challenged by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware devices.


Describe the features and benefits of IPv6.

•

Implement IPv6 addressing.

•

Implement an IPv6 coexistence strategy.

•

Describe and select a suitable IPv6 transition solution.

•

Transition from IPv4 to IPv6.

•

Troubleshoot an IPv6-based network.

Configuring and Troubleshooting IPv6 TCP/IP

4-3

Lesson 1

Overview of IPv6

IPv6 is becoming more common, but while adoption is slow, it is important to understand how this technology affects current networks and how to integrate IPv6 into those networks. The following lesson will cover the benefits of IPv6 and how it compares with IPv4.


Describe the benefits of IPv6.

•

Describe the differences between IPv4 and IPv6.

•

Describe the IPv6 address space.

•

Convert between binary and hexadecimal.

4-4


Benefits of IPv6

The IPv6 protocol provides the following benefits: •

Large address space: A 32-bit address space allows for 2^32 or 4,294,967,296 possible addresses; a 128-bit address space allows for 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4x10^38 or 340 undecillion) possible addresses.

•

Hierarchical addressing and routing infrastructure: The IPv6 address space is designed to be more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.

•

Stateless and Stateful address configuration: IPv6 has auto-configure capability without a Dynamic Host Configuration Protocol (DHCP), and it can discover router information so that hosts can access the Internet; this is a Stateless address configuration. A Stateful address configuration is when you use the DHCPv6 protocol. Stateful configuration has two additional configuration levels: one in which DHCP provides all the information, including the IP address and configuration settings, and another that provides just configuration settings.

•

Required support for IPsec: The IPv6 standards require support for the AH and ESP headers that are defined by IPsec. Although support for specific IPsec authentication methods and cryptographic algorithms are not specified, IPsec is defined from the start as the way to protect IPv6 packets.

•

Restores end-to-end communication: The global addressing model for IPv6 traffic means that translation between different types of addresses is not needed, such as the translation done by NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices. For example, video conferencing and other peer to peer applications.

•

Prioritized delivery: IPv6 contains a field in the packet that allows network devices to determine that the packet should be processed at a specified rate; this allows traffic prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.


4-5

•

Support for single-subnet environments: IPv6 has much better support of automatic configuration and operation on networks consisting of a single subnet. You can use this to create temporary ad-hoc networks through which you can connect and share information.

•

Extensibility: IPv6 has been designed so that you can extend it with much fewer constraints than IPv4.

4-6


Differences Between IPv4 and IPv6

When the IPv4 address space was designed, it was unimaginable that it could be exhausted. However, due to changes in technology and an allocation practice that did not anticipate the explosion of Internet hosts, the IPv4 address space became so consumed that by 1992, it was clear that a replacement would be necessary. With IPv6, it is hard to conceive that the IPv6 address space will be consumed. The decision to make the IPv6 address 128 bits in length was designed so it can be subdivided into hierarchical routing domains that reflect the modern-day Internet’s topology. The use of 128 bits allows for multiple levels of hierarchy and flexibility in designing hierarchical addressing and routing that is currently lacking on the IPv4-based Internet. Note

The IPv6 addressing architecture is described in Request for Comments (RFC) 4291.

IPv4 and IPv6 Comparison The following table highlights the differences between IPv4 and IPv6: IPv4

IPv6

Source and destination addresses are 32 bits (4 bytes) in length.

Source and destination addresses are 128 bits (16 bytes) in length.

IPsec support is optional.

Support for IPsec headers and trailers is required.

No identification of packet flow for Quality of Service (QoS) handling by routers is present within the IPv4 header.

Packet-flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field.

Fragmentation is done by both routers and the sending host.

Fragmentation is not done by routers, only by the sending host.


4-7

(continued) IPv4

IPv6

Header includes a checksum.

Header does not include a checksum.

Header includes options.

All optional data is moved to IPv6 extension headers.

Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.

ARP Request frames are replaced with multicast Neighbor Solicitation messages.

Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.

IGMP is replaced with Multicast Listener Discovery (MLD) messages.

Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway.

ICMP Router Discovery is replaced with required ICMPv6 Router Solicitation and Router Advertisement messages.

Broadcast addresses are used to send traffic to all nodes on a subnet.

There are no IPv6 broadcast addresses. Instead, a linklocal scope all-nodes multicast address is used.

Must be configured either manually or through DHCP.

Does not require manual configuration or DHCP.

Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses.

Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses.

Uses pointer (PTR) resource records in the INADDR.ARPA DNS domain to map IPv4 addresses to host names.

Uses PTR resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.

Must support a 576-byte packet size (possibly fragmented).

Must support a 1280-byte packet size (without fragmentation).

IPv6 Equivalents to IPv4 The following table highlights the IPv6 equivalents to IPv4: IPv4 Address

IPv6 Address

Internet address classes

Not applicable in IPv6

Multicast addresses (224.0.0.0/4)

IPv6 multicast addresses (FF00::/8)

Broadcast addresses

Not applicable in IPv6

Unspecified address is 0.0.0.0

Unspecified address is ::

Loopback address is 127.0.0.1

Loopback address is ::1

Public IP addresses

Global unicast addresses

Private IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16)

Unique-local addresses (FD00::/8)

4-8


(continued) IPv4 Address

IPv6 Address

Autoconfigured addresses (169.254.0.0/16)

Link-local addresses (FE80::/64)

Text representation: Dotted decimal notation

Text representation: Colon hexadecimal format with suppression of leading zeros and zero compression

Network bits representation: Subnet mask in dotted decimal notation or prefix length

Network bits representation: Prefix length notation only

DNS name resolution: IPv4 host address (A) resource record

DNS name resolution: IPv6 host address (AAAA) resource record

DNS reverse resolution: IN-ADDR.ARPA domain

DNS reverse resolution: IP6.ARPA domain


4-9

IPv6 Address Space

The most obvious distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents a binary octet. In binary, the preceding number is as follows: 11000000.10101000.00000001.00000001 (4 octets = 32 Bits)

The size of an address in IPv6 is four times larger than an IPv4 address. IPv6 addresses are expressed in hexadecimal (hex). 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts and rarely will type IPv6 addresses manually. The IPv6 address in hex is also easier to convert to binary and vice versa. This simplifies working with subnets, and calculating hosts and networks.

Hexadecimal Numbering System (Base 16) When dealing with hex numbers, hex 10 is equal to decimal 16. In the Hexadecimal Numbering System, some letters represent numbers because in the hex system (base16), there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, there must be six new symbols for the hex system; hence, A through F are used. Note Use the Windows calculator in Windows 7 and Windows Server 2008 to work with hex and binary. Open the calculator, click the View menu, and then click Programmer. Type 16, and then click Hex. The calculator will display 10. This aspect of hexadecimal can be complex. After reaching hex 9, the next number is hex “A” (decimal 10), and then “B” (decimal 11) up to “F” or (decimal 15). Notice in the calculator that in hex mode, the buttons A through F appear along the left of the number pad. In Hex mode, click F, and then click Dec. The result is decimal 15.

4-10


To convert an IPv6 binary address that is 128 bits in length, break it into eight groups of 16 bits. Convert each of these eight groupings of 16 bits into four hex characters. For each of the 16 bits, evaluate four bits at a time to derive each hex number. You should number each set of four binary numbers 1, 2, 4, and 8, starting from the right and moving left. The first bit [0010] is assigned the value of 1, the second bit [0010] is assigned the value of 2, the third bit [0010] is assigned the valued of 4, and finally, the fourth [0010] bit is assigned the value of 8. To derive the hexadecimal value for this section of four bits, add up the values that are assigned to each bit where the bits are set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the 2 value. The rest are set to zero. The hex value of these bits is 2.

Converting From Binary to Hexadecimal The following table describes the 16-bit binary number portion of a 128-bit IP address: [0010][1111][0011][1011]

Binary

0010

1111

Values of each binary position

8421

8421

Adding values where the bit = 1

0+0+2+0 = 2

8 + 4 + 2 + 1 = 15 or hex F

The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary numbers is one IP address: 0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010

The 128-bit address is divided along 16-bit boundaries (eight blocks of 16 bits). 0010000000000001 0000001010101010

0000110110111000 0000000011111111

0000000000000000 1111111000101000

0010111100111011 1001110001011010

Each boundary is further broken into sets of four bits. Applying the methodology as previously described, convert the IPv6 address. The following table shows the binary and corresponding hexadecimal values for each set of four bits: Binary

Hexadecimal

[0010][0000][0000][0001]

[2][0][0][1]

[0000][1101][1011][1000]

[0][D][B][8]

[0000][0000][0000][0000]

[0][0][0][0]

[0010][1111][0011][1011]

[2][F][3][B]

[0000][0010][1010][1010]

[0][2][A][A]

[0000][0000][1111][1111]

[0][0][F][F]

[1111][1110][0010][1000]

[F][E][2][8]

[1001][1100][0101][1010]

[9][C][5][A]


4-11

Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as follows: 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following: 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Compressing Zeros When multiple contiguous zero blocks occur, you can compress these and represent them in the address as a double-colon (::); this simplifies the IPV6 notation. The computer recognizes “::” and substitutes it with the number of blocks necessary to make the appropriate IPv6 address. In the following example, the address is expressed using zero compression: 2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 0 bits are represented by the “::”, you can count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located. You can use zero compression only once in a given address. Otherwise, you cannot determine the number of 0 bits represented by each instance of a double-colon (::). To convert an address into binary, use the reverse of the method described previously: 1.

Add in zeros using zero compression.

2.

Add leading zeros.

3.

Convert each hex number into its binary equivalent.

4-12


Lesson 2

IPv6 Addressing

To enable devices with IPv6, you must know how to configure and assign IPv6 addresses to devices within your organization’s network.


Describe IPv6 prefixes.

•

Describe Unicast IPv6.

•

Describe zone IDs.

•

Describe address autoconfiguration for IPv6.

•

Configure IPv6 Settings on a network client.


4-13

IPv6 Prefixes

Like the IPv4 address space, the IPv6 address space is divided by allocating portions of the available address space for various IP functions. The high-order bits (bits that are at the beginning of the 128-bit IPv6 address) define areas statically in the IP space. The high-order bits and their fixed values are known as a format prefix. Internet Assigned Numbers Authority (IANA) manages IPv6. Additionally, it has defined how the IPv6 address space will be divided initially, and specified the format prefixes.

IPv6 Format Prefixes The following table shows the IPv6 address-space allocation by format prefixes: Prefix Binary Value

Begins With

Fraction of the address space

Reserved

0000 0000

-

1/256

Global unicast addresses

001

2 or 3

1/8

Link-local unicast addresses

1111 1110 1000

FE8

1/1024

Unique local unicast addresses

1111 1100

FD

1/256

Multicast addresses

1111 1111

FF

1/256

Allocation

The remaining IPv6 address space is unassigned. The current set of unicast addresses that you can use with IPv6 nodes consists of global unicast addresses, unique-local addresses, and link-local unicast addresses.

4-14


IPv6 Prefixes The prefix is the part of the address that indicates the bits that have fixed values or that are the subnet prefix’s bits. Prefixes for IPv6 subnets, routes, and address ranges are expressed in the same way as Classless Inter-Domain Routing (CIDR) notation for IPv4. An IPv6 prefix is written in address/prefix-length notation. For example, 2001:DB8::/48 and 2001:DB8:0:2F3B::/64 are IPv6 address prefixes. Note IPv4 implementations commonly use a dotted decimal representation of the network prefix known as the subnet mask. IPv6 does not use a subnet mask; it supports only the prefix-length notation.


4-15

Unicast IPv6 Address Types

A unicast address identifies a single interface within the scope of the unicast address type. With the appropriate unicast routing topology, packets addressed to a unicast address are delivered to a single interface.

Global Unicast Addresses Global unicast addresses are equivalent to public IPv4 addresses. They are routable and reachable globally on the IPv6 portion of the Internet. The fields in the global unicast address are: •

Fixed portion set to 001: The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with either 2 or 3.

•

Global Routing Prefix: Indicates the global routing prefix for a specific organization’s site. The combination of the three fixed bits and the 45-bit Global Routing Prefix is used to create a 48-bit site prefix, which is assigned to an organization’s individual site. Once the assignment occurs, routers on the IPv6 Internet forward IPv6 traffic that matches the 48-bit prefix to the routers of the organization’s site.

•

Subnet ID: The Subnet ID is used within an organization’s site to identify subnets. This field’s size is 16 bits. The organization’s site can use these 16 bits within its site to create 65,536 subnets or multiple levels of addressing hierarchy and an efficient routing infrastructure.

•

Interface ID: Indicates the interface on a specific subnet within the site. This field’s size is 64 bits. This is either randomly generated or assigned by DHCPv6. In the past was based on the Media Access Control (MAC) address of the network interface card to which the address was bound.

4-16


Link-Local Unicast Addresses Link-local addresses are local-use unicast addresses with the following properties: •

Link-local addresses are used between on-link neighbors and for Neighbor Discovery processes. This allows a computer to request further IPv6 configuration information from IPv6 routers and IPv6 DHCP servers.

•

Link-local is the equivalent to Automatic Private IP Addressing (APIPA) addresses in IPv4.

•

Link-local addresses always begin with FE8. With the 64-bit interface identifier, the prefix for link-local addresses is always FE80::/64. An IPv6 router never forwards link-local traffic beyond the link. Note The loopback concept is followed through for IPv6: an unspecified address is 0:0:0:0:0:0:0:0, or ::, while the loopback address is 0:0:0:0:0:0:0:1 or ::1.

Unique Local IPv6 Unicast Addresses Unique local addresses provide an equivalent to the private IPv4 address space for organizations without the overlap in address space when organizations combine. The first seven bits have the fixed binary value of 1111110. All unique local addresses have the address prefix FC00::/7. The Local (L) flag is set 1 to indicate a local address. The L flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have the address prefix of FD::/8. The next 40 bits must be randomly assigned to give the resulting 48-bit unique local prefix relative uniqueness between organizations. Note These address types are not mutually exclusive as with IPv4. All hosts get a link-local address on each interface and could also have global unicast addresses, and unique local IPv6 unicast addresses.


4-17

Zone IDs

Unlike global addresses, you can reuse local-use addresses. Link-local addresses are reused on each link. Link-local addresses are ambiguous because of this address-reuse capability.

Zone IDs for Local-Use Addresses You need an additional identifier to specify on which link an address is assigned or located. This additional identifier is a zone identifier (ID), also known as a scope ID, and identifies a connected portion of a network that has a specified scope. The syntax specified in RFC 4007 for identifying the zone that is associated with a local-use address is as follows: Address%zone_ID

Address is a local-use address and zone_ID is an integer value representing the zone. The values of the zone ID are defined relative to the sending host. Therefore, different hosts might determine different zone ID values for the same physical zone. For example, Host A might use 3 to represent the zone ID of an attached link and Host B might use 4 to represent the same link. For Windows-based IPv6 hosts, the zone IDs for link-local addresses are defined as follows. For link-local addresses, the zone ID typically is the interface index of the interface that is either assigned the address or is to be used as the sending interface for a link-local destination. The interface index is an integer starting at 1 that is assigned to IPv6 interfaces, which include a loopback and one or multiple tunnel or local area network (LAN) interfaces. You can view the list of interface indexes by using the netsh interface ipv6 show interface command. The following is an example of using Windows tools and the zone ID: ping fe80::2b0:d0ff:fee9:4143%3

In this case, 3 is the interface index of the interface that is attached to the link that contains the destination address. In Windows, the Ipconfig.exe tool displays the zone ID of local-use IPv6 addresses. The following is an excerpt from the display of the ipconfig command.

4-18


Ethernet adapter Local Area Connection: Connection-specific IP Address. . . . . Subnet Mask . . . . IP Address. . . . . IP Address. . . . . IP Address. . . . . Default Gateway . .

DNS . . . . . . . . . . . .

Suffix . . . . . . . . . . . . . . . . . . . . . . . .

: : : : : : :

wcoast.example.com 157.60.14.219 255.255.255.0 2001:db8:2a1c:2:1cc8:ef1d:1dd9:8066 2001:db8:2a1c:204:5aff:fe56:f5b fe80::204:5aff:fe56:f5b%4 157.60.14.1 fe80::20a:42ff:feb0:5400%4

For the link-local addresses that are in the display of the ipconfig command, the zone ID indicates the interface index of the interface that is assigned either the address (for IP Address) or is the interface through which an address is reachable (for Default Gateway).


4-19

Address Autoconfiguration for IPv6

The host can proceed through several states as it goes through the autoconfiguration process, and there are several ways to assign an IPv6 address and other configuration settings. Based on how the router is set up, a client might use stateless configuration (no DHCPv6 service), or stateful with a DHCPv6 server involved, to either assign an IP address and other configuration settings, or just assign other configuration settings. The other configuration settings can include DNS servers and domain names.

Autoconfigured Address States Autoconfigured addresses are in one or more of the following states: •

Tentative: Verification is occurring to determine if the address is unique. Duplicate address detection performs verification. A node cannot receive unicast traffic to a tentative address.

•

Valid: The address has been verified as unique, and can send and receive unicast traffic.

•

Preferred: The address enables a node to send and receive unicast traffic to and from it.

•

Deprecated: The address is valid but its use is discouraged for new communication.

•

Invalid: The address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration Types of autoconfiguration include: •

Stateless: Address configuration is only based on the receipt of Router Advertisement messages.

•

Stateful: Configuration is based on the use of a stateful address configuration protocol such as DHCPv6 to obtain addresses and other configuration options:

•

•

A host uses stateful address configuration when it receives instructions to do so in Router Advertisement messages.

•

A host also will use a stateful address configuration protocol when there are no routers present on the local link.

Both: Configuration is based on receipt of Router Advertisement messages and DHCPv6.

4-20


Why Use Stateful Configuration? Using stateful configuration allows the organizations to control how IPv6 addresses are assigned using DHCPv6. If there are any specific scope options that you need to configure, such as the IPv6 addresses of DNS servers, then a DHCPv6 server is necessary.

Communication with DHCP Server When IPv6 attempts to communicate with a DHCP server, it will use multicast IPv6 addresses to communicate with the DHCP server. This is different than with IPv4, which uses broadcast IPv4 addresses.


Demonstration: How to Configure IPv6 Client Settings


Configure a DHCP Scope for IPv6 Clients.

•

Configure the client computer.

4-21

4-22


Lesson 3

Coexistence with IPv6

From its inception, IPv6 was designed to have the ability to coexist, long term, with IPv4. This lesson provides an overview of the technologies that support the two IP protocols’ coexistence. In addition the lesson describes different node types and IP stack implementations of IPv6, and then explains how DNS resolves names to IPv6 addresses, and the various types of IPv6 transition technologies.


Describe IP node types.

•

Describe methods to provide coexistence of IPv4 and IPv6.

•

Configure DNS to support IPv6.

•

Explain IPv6 transition technologies.


4-23

What Are Node Types?

When planning an IPv6 network, you should know what kind of nodes or hosts are on the network. Describing the nodes in the following ways helps to define their abilities on the network. This is important for tunneling because certain kinds of tunnels require specific node types, including the following: •

IPv4-only node: A node that implements only IPv4 (and has only IPv4 addresses) and does not support IPv6. Most hosts and routers installed today are IPv4-only nodes.

•

IPv6-only node: A node that implements only IPv6 (and has only IPv6 addresses) and does not support IPv4. This node is able to communicate only with IPv6 nodes and applications, and is not common today. However, it might become more prevalent as smaller devices, such as cellular phones and handheld computers, use the IPv6 protocol exclusively.

•

IPv6/IPv4 node: A node that implements both IPv4 and IPv6.

•

IPv4 node: A node that implements IPv4. It can be an IPv4-only node or an IPv6/IPv4 node.

•

IPv6 node: A node that implements IPv6. It can be an IPv6-only node or an IPv6/IPv4 node.

For coexistence to occur, the largest number of nodes (IPv4 or IPv6 nodes) can communicate using an IPv4 infrastructure, an IPv6 infrastructure, or an infrastructure that is a combination of IPv4 and IPv6. You will achieve true migration when all IPv4 nodes are converted to IPv6-only nodes. However, for the foreseeable future, you can achieve practical migration when as many IPv4-only nodes as possible are converted to IPv6/IPv4 nodes. IPv4-only nodes can communicate with IPv6-only nodes only when you are using an IPv4-to-IPv6 proxy or translation gateway.

4-24


IPv4 and IPv6 Coexistence

To coexist with an IPv4 infrastructure and provide an eventual transition to an IPv6-only infrastructure, you can use the following mechanisms.

Dual IP Layer Architecture A dual IP layer architecture, implemented in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, contains both IPv4 and IPv6 Internet layers with a single implementation of transport layer protocols, such as TCP and UDP. A dual IP layer architecture contains both IPv4 and IPv6 Internet layers with a single implementation of transport layer protocols, such as TCP and UDP. Dual stack allows for easier migration to IPv6. There are fewer files to maintain to provide IPv6 connectivity. IPv6 is also available without adding any new protocols in the network-card configuration. Types of packets include: •

IPv4 packets

•

IPv6 packets

•

IPv6 over IPv4 packets (IPv6 packets encapsulated with an IPv4 header)

Dual Stack Architecture Dual stack architecture contains both IPv4 and IPv6 Internet layers with separate protocol stacks that contain separate implementations of transport layer protocols, such as TCP and UDP. The IPv6 protocol driver in Windows Server 2003 and Windows XP, Tcpip6.sys, contains a separate implementation of TCP and UDP.


4-25

Types of packets include: •

IPv4 packets

•

IPv6 packets

•

IPv6 over IPv4 packets

DNS Infrastructure Requirements You need a DNS infrastructure for successful coexistence because of the prevalent use of names rather than addresses to refer to network resources. Upgrading the DNS infrastructure consists of populating the DNS servers with records to support IPv6 name-to-address and address-to-name resolutions. After you obtain the addresses using a DNS name query, the sending node must select which addresses to use for communication. Upgrading the DNS infrastructure consists of populating the DNS servers with records to support IPv6 name-to-address and address-to-name resolutions: •

A records for IPv4 nodes

•

AAAA records for IPv6 nodes

•

PTR records for IPv4 and IPv6 addresses

When using IPv6, DNS can return several addresses of different types for the same host. The set of source and destination addresses that the host decides to use for communications is based on default address selection rules, which you can configure on the host. To view the prefix policies that determine addressselection behavior, open a command prompt and type: netsh interface ipv6 show prefixpolicies. The following represents typical output from this command: Precedence ---------50 40 30 20 10 5

Label ----0 1 2 3 4 5

Prefix -------------------------------::1/128 ::/0 2002::/16 ::/96 ::ffff:0:0/96 2001::/32

IPv6 Over IPv4 Tunneling IPv6 over IPv4 tunneling is the encapsulation of IPv6 packets with an IPv4 header so that IPv6 packets can be sent over an IPv4 infrastructure; this is discussed in a subsequent topic and in the next lesson.

4-26


Demonstration: How to Configure DNS to Support IPv6


Configure the bindings for the DNS service.

•

Verify the presence of AAAA records in Contoso.com.


4-27

What Is IPv6 Over IPv4 Tunneling?

IPv6 over IPv4 tunneling is the encapsulation of IPv6 packets with an IPv4 header so that IPv6 packets can be sent over an IPv4-only infrastructure. Within the IPv4 header: •

The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

•

The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can configure tunnel endpoints manually as part of the tunnel interface or they are derived automatically. Note Unlike tunneling for the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP), there is no exchange of messages for tunnel setup, maintenance, or termination. Additionally, IPv6 over IPv4 tunneling does not provide security for tunneled IPv6 packets. This means that when you use IPv6 tunneling, it does not need to establish a protected connection first.

4-28


Lesson 4

IPv6 Transition Technologies

An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today’s predominantly IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4-only routing infrastructures, enabling IPv6 clients to communicate with each other by using Teredo, 6to4, or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) addresses and tunneling IPv6 packets across IPv4 networks. This lesson provides information about the different transition technologies that are available in Windows. The IPv6 transition technologies include: •

ISATAP: Local intranets use ISATAP tunneling, which takes advantage of autoconfiguration and is the primary way in which IPv6 nodes communicate over an IPv4-only intranet.

•

6to4: Allows IPv6 hosts with public IPv4 addresses to communicate over the IPv4-only Internet.

•

Teredo: Teredo allows IPv6 hosts with private IPv4 addresses and located behind NATs to communicate over the IPv4-only Internet.


Explain ISATAP.

•

Explain 6to4.

•

Explain Teredo.

•

Describe PortProxy.


4-29

What Is ISATAP?

ISATAP is an address-assignment technology that you can use to provide unicast IPv6 connectivity between IPv6/IPv4 hosts across an IPv4 intranet. ISATAP hosts do not require any manual configuration and can create ISATAP addresses using standard address autoconfiguration mechanisms. You mainly use ISATAP within an organizations’ site, and although the ISATAP component is enabled by default, it only assigns ISATAP-based addresses if it can resolve the name ISATAP on your network. Note An ISATAP address based on a private IPv4 address is formatted like this: [64-bit unicast prefix]:0:5EFE:w.x.y.z, while an ISATAP address based on a public IPv4 address is formatted like this: [64-bit unicast prefix]:200:5EFE:w.x.y.z. For example, FE80::5EFE:192.168.137.133 (private) and FE80::200:5EFE:131.107.137.133 (public).

What Is an ISATAP Router? ISATAP allows IPv6 clients on an IPv4-only intranet to communicate without additional manual configuration. An ISATAP router advertises an IPv6 prefix and can allow the clients to communicate with other IPv6 clients on other IPv6 subnets.

How ISATAP Tunneling Works ISATAP tunneling can be initiated in several ways. The ISATAP router can be located by resolving the name “ISATAP” to an IPv4 address by using the Netsh Interface IPv6 ISATAP set Router command, or, for Windows 7 and Windows Server 2008 R2, configure the ISATAP Router Name Group Policy setting. To resolve ISATAP in the naming infrastructure, you must define the name ISATAP in DNS, Windows Internet Name Service (WINS), or in the hosts/lmhosts files of the hosts. After locating the router, the host communicates with it using IPv4. The router provides the host with information about the IPv6 ISATAP prefix and whether it (the router) is a default router.

4-30


Note It is important to plan ISATAP implementation carefully; all nodes will be connected to the same IPv6 subnet and AD DS site awareness configured with the Active Directory Sites and Services snap-in will be lost unless also configured for ISATAP-equivalent subnets. For this reason and others, Microsoft recommends that you use ISATAP only for limited testing, rather than for Intranet wide deployment, and instead deploy native IPv6 support for your intranet.


4-31

What Is 6to4?

6to4 is a technology that you can use to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 treats the entire IPv4 Internet as a single link. In a 6to4 address (2002:WWXX:YYZZ:Subnet_ID:Interface_ID), WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z, a public IPv4 address.

6to4 Router Functionality in Windows When you enable Internet Connection Sharing (ICS) on a computer running Windows, the following occurs: •

Enables IPv6 forwarding on the 6to4 tunneling and private interfaces.

•

The private interface connects to a single-subnet intranet and uses private IPv4 addresses from the 192.168.0.0/24 prefix.

•

Determines a 64-bit IPv6 subnet prefix to advertise on the private intranet.

•

The 6to4 component derives the intranet subnet prefix from 2002:WWXX:YYZZ:InterfaceIndex::/64, in which InterfaceIndex is the private interface’s index.

•

Sends router advertisement messages on the private interface.

The router advertisement messages advertise the Internet Connection Sharing (ICS) computer as a default router and contain the derived 6to4 subnet prefix.

4-32


How 6to4 Tunneling Works Within a site, local IPv6 routers advertise 2002:WWXX:YYZZ:Subnet_ID::/64 subnet prefixes so that hosts autoconfigure 6to4 addresses. IPv6 routers within the site deliver traffic between 6to4 hosts. Hosts on individual subnets are configured automatically with a 64-bit subnet route for direct delivery to neighbors and a default route with the next-hop address of the advertising router. IPv6 traffic that does not match any of the subnet prefixes that the site uses is forwarded to a 6to4 router on the site border. The 6to4 router on the site border has a 2002::/16 route that forwards traffic to other 6to4 sites and a default route (::/0) that forwards traffic to a 6to4 relay on the IPv4 Internet.

Example In the example network shown in the slide, Host A and Host B can communicate with each other because of a default route using the next-hop address of the 6to4 router in Site 1. When Host A communicates with Host C in another site, Host A sends the traffic to the 6to4 router in Site 1 as IPv6 packets. The 6to4 router in Site 1, using the 2002::/16 route in its routing table and the 6to4 tunnel interface, encapsulates the traffic with an IPv4 header and tunnels it to the 6to4 router in Site 2. The 6to4 router in Site 2 receives the tunneled traffic, removes the IPv4 header and, using the subnet prefix route in its routing table, forwards the IPv6 packet to Host C. For example, Host A resides on subnet 1 within Site 1 that uses the public IPv4 address of 157.60.91.123. Host C resides on subnet 2 within Site 2 that uses the public IPv4 address of 131.107.210.49. The table that appears in the slide, lists the addresses in the IPv4 and IPv6 headers when the 6to4 router in Site 1 sends the IPv4-encapsulated IPv6 packet to the 6to4 router in Site 2.


4-33

What Is Teredo?

Teredo tunneling enables you to tunnel across the IPv4-only Internet when the clients are behind an IPv4 NAT. Teredo was created because many Internet connections use private IPv4 addresses behind a NAT. Teredo is a last-resort transition technology for IPv6 connectivity. If native IPv6, ISATAP, or 6to4 connectivity is present between communicating nodes, Teredo is not used. As more IPv4 NATs are upgraded to support 6to4, and IPv6 connectivity becomes ubiquitous, Teredo will be used less frequently, until eventually it is not used at all.

Teredo Components The Teredo components are as follows: •

Teredo client: Supports a Teredo tunneling interface through which packets are tunneled to other Teredo clients or nodes on the IPv6 Internet through a Teredo relay.

•

Teredo server: Connects to both the IPv4 and IPv6 Internet. The role of the Teredo server is to assist in the initial Teredo client configuration and facilitate the initial communication between Teredo clients in different sites or between Teredo clients and IPv6-only hosts on the IPv6 Internet.

•

Teredo relay: Forwards packets between Teredo clients on the IPv4 Internet and IPv6-only hosts on the IPv6 Internet.

•

Teredo host-specific relay: Has interfaces on, and connects to, the IPv4 and IPv6 Internet. Additionally, it can communicate directly with Teredo clients over the IPv4 Internet without needing an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet or through an IPv6 transition technology, such as 6to4.

4-34


What Is PortProxy?

You can use the PortProxy service as an application-layer gateway for nodes or applications that do not support IPv6. PortProxy facilitates the communication between nodes or applications that cannot connect using a common address type, Internet layer protocol (IPv4 or IPv6), and TCP port. This service’s primary purpose is to allow IPv6 nodes to communicate with IPv4-only TCP applications. PortProxy can proxy only TCP data, and it supports only application-layer protocols that do not embed address or port information inside the application-layer data. PortProxy cannot change address information at the application level and is not flexible. Additionally, you will fare better using other tunneling technologies to address many of the issues you typically would address by using PortProxy. Some areas where PortProxy can be helpful and provide solutions during a transition phase include: •

An IPv4-only node can access an IPv6-only node.

•

An IPv6-only node can access an IPv4-only node.

•

An IPv6 node can access an IPv4-only service that is running on a PortProxy computer.


4-35




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-RTR and 6421B-NYC-CL2.

Lab Scenario Contoso has decided to begin the process of migrating their network to IPv6. Your initial task is to prove the principle of the migration by configuring a single client computer for IPv6. For this project, you must complete the following tasks: •

Configure a new IPv6 network and client.

•

Configure an ISATAP Router to enable communication between an IPv4 network and an IPv6 network.

4-36


Exercise 1: Configuring a New IPv6 Network and Client Scenario In this exercise, you will configure NYC-CL2 as an IPv6-only client. The main tasks for this exercise are as follows: 1.

Configure IPv4 Routing.

2.

Enable IP routing on NYC-RTR and confirm IPv4 connectivity.

3.

Disable IPv6 on NYC-DC1.

4.

Disable IPv4 on NYC-CL2.

5.

Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR.

6.

Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network.

X Task 1: Configure IPv4 Routing 1.

Switch to NYC-CL2.

2.

Verify the Local Area Connection 3 properties: •

IP address: 172.16.16.3

•

Subnet mask: 255.255.255.0

•

Default gateway: 172.16.16.1

•

Preferred DNS server: 10.10.0.10

3.


4.

Switch to NYC-DC1.

5.


6.



X Task 2: Enable IP Routing on NYC-RTR and Confirm IPv4 Connectivity 1.

Switch to NYC-RTR.

2.

Open the Registry editor.

3.

Configure the HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters > IPEnableRouter value as 1.

4.

Close the Registry editor.

5.

Restart NYC-RTR.

6.

After NYC-RTR restarts, log on with the following credentials: •


•

Password: Pa$$w0rd


4-37

Note At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.

X Task 3: Disable IPv6 on NYC-DC1 1.

Switch to NYC-DC1.

2.

Disable IPv6 on the Local Area Connection 2 by clearing the Internet Protocol Version 6 (TCP/IPv6) check box in the Local Area Connection 2 Properties.

X Task 4: Disable IPv4 on NYC-CL2 1.

Switch to NYC-CL2.

2.


3.

Open a command prompt, type ipconfig, and then press ENTER. Note The output should be a link-local IPv6 address that starts with fe80.

X Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR 1.

Switch to NYC-RTR.

2.

Open a command prompt, and then type the following commands. netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes

X Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network 1.

Switch to NYC-CL2.

2.

At the command prompt, type ipconfig and then press ENTER. Note The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.

3.

Close the command prompt.

Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.

4-38


Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network Scenario In this exercise, you will configure ISATAP to enable connectivity between the new IPv6 client and the remaining IPv4 clients, including NYC-DC1. The main tasks for this exercise are as follows: 1.

Add the ISATAP entry in the DNS zone on NYC-DC1.

2.

Configure the ISATAP router on NYC-RTR.

3.

Enable the ISATAP interface on NYC-DC1.

4.

Test connectivity.

X Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1 1.

Switch to NYC-DC1.

2.

Add a new host record in DNS: •

Zone: Contoso.com

•

Name: ISATAP

•

IP address: 10.10.0.1

X Task 2: Configure the ISATAP router on NYC-RTR Note When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side. 1.

Switch to NYC-RTR.

2.

Switch to the command prompt. Type each of the following commands and then press ENTER after each command: Netsh interface ipv6 isatap set router 10.10.0.1 ipconfig

3.

Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment. Interface index:

4.

Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER: netsh interface ipv6 set interface “isatap.Interface_Index” forwarding=enabled advertise=enabled


5.

At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER: netsh interface ipv6 add route 2001:db8:0:10::/64 “isatap.Interface_Index” publish=yes

6.

7.

4-39

Restart NYC-RTR and then log on using the following credentials: •


•

Password: Pa$$w0rd

Open a command prompt and type ipconfig and press ENTER. Note The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.

X Task 3: Enable the ISATAP interface on NYC-DC1 1.

Switch to NYC-DC1.

2.

Open a command prompt and then type the following commands: Netsh interface isatap set router 10.10.0.1 ipconfig

Note The Tunnel adapter isatap {Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.

X Task 4: Test connectivity 1.

On NYC-DC1, open Windows Firewall with Advanced Security.

2.

Create a new inbound rule with the following properties: •

Rule Type: Custom

•

Program: Default

•

Protocols and Ports: Protocol > ICMPv4

•

Scope: Default

•

Action: Default

•

Profile: Default

•

Name: Allow PING

3.

Switch to NYC-CL2.

4.

Open a command prompt and then type the following commands: Ping 2001:db8:0:10:0:5efe:10.10.0.10 ipconfig

What is the IPv6 address? Record it here.

4-40


5.

Open Windows Firewall with Advanced Security.

6.

Create a new inbound rule with the following properties: •

Rule Type: Custom

•

Program: Default

•


•

Scope: Default

•

Action: Default

•

Profile: Default

•

Name: Allow PING

7.

Switch to NYC-DC1.

8.

Open a command prompt, type Ping IPv6_address, and then press ENTER. Where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier.

Results: At the end of this exercise, you will have configured ISATAP.

X Preparing for the next lab •

Do not turn off the virtual machines at this time because you will need them to complete the next lab.


4-41

Lesson 5

Transitioning from IPv4 to IPv6

The transition from IPv4 to IPv6 is expected to take years. IPv4 remains the IP standard for the majority of applications and Internet services in use today. However, more and more networks and applications might function well in an IPv6-capable environment, as Windows 7 and Windows Server 2008 R2 are adopted more widely. In this lesson, you will learn about the issues that you must consider when transitioning to IPv6 and review the necessary steps for transitioning to an IPv6-capable infrastructure.


Describe considerations for migrating from IPv4 to IPv6.

•

Describe a process for effectively transitioning to native IPv6.

•

Troubleshoot an IPv6-based network.

4-42


Discussion: Considerations for Migrating from IPv4 to IPv6

When migrating from IPv4 to IPv6, you must consider the applications that you will use, your network devices, and potential device upgrades that might occur.


4-43

Process for Transitioning to IPv6-only

The migration from IPv4 to IPv6 is expected to take considerable time. This was taken into consideration when designing IPv6 and as a result, the transition plan for IPv6 is a multistep process that allows for extended coexistence. To achieve the goal of a pure IPv6 environment, use the following general guidelines: •

Upgrade your applications to be independent of IPv6 or IPv4. For example, applications can be changed to use new Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.

•

Update the DNS infrastructure to support IPv6 address and PTR records. You might have to upgrade the DNS infrastructure to support the new AAAA records (required) and PTR records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers support DNS traffic over IPv6 and DNS dynamic update for AAAA records so that IPv6 hosts can register their names and IPv6 addresses automatically.

•

Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use both IPv4 and IPv6. You also must add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. You can deploy ISATAP in a limited capacity to test IPv6 and DNS functionality.

•

Upgrade routing infrastructure for native IPv6 routing. You must upgrade routers to support native IPv6 routing and IPv6 routing protocols.

4-44


Troubleshooting IPv6

To troubleshoot IPv6, depending on the problem, you can: •

Start at the bottom of the stack and move up.

•

Start at the top of the stack and move down.

When starting at the top of the stack, the methods you can use to troubleshoot IPv6 include: •

Verify IPv6 connectivity.

•

Verify DNS name resolution for IPv6 addresses.

•

Verify IPv6-based TCP sessions.

Verifying IPv6 Connectivity You can use the following tasks to troubleshoot problems with IPv6 connectivity: •

Verify configuration

•

Verify reachability •

Check packet filtering

•

View and manage the IPv6 routing table

•

Verify router reliability

Verify Configuration Ipconfig shows both IPv4 and IPv6. Commands in the Netsh interface IPv6 context only show IPv6 data. You also can use the Netsh.exe to view another computer’s IPv6 configuration data. You can obtain significant information using NETSH.exe, and use it to configure most IPv6 settings. To access the NETSH IPv6 configuration prompt, type: netsh –c “interface ipv6”.

Verify Reachability If a device’s network card has changed, it is possible that the hardware address was not updated in the cache of the computer that is trying to connect.


4-45

Ping also has been updated for IPv6. If you need to ping an IPv6 router using its link-local address, you should also supply a zone ID for that router (this is listed when you perform an Ipconfig). In addition to verifying reachability, you can: •

Check packet filtering: •

Check for IPsec policies

•

Check the configuration of firewalls

•

Check routers and intermediate firewalls for port filters

•

View the IPv6 routing table. This is a fairly advanced step that allows you to discern where your computer is trying to send specific network data.

•

Verify the routing path taken using the Tracert tool.

•

Verify router reliability using the Pathping tool. This is a method to detect bottlenecks or badly configured network hardware.

Verifying DNS Name Resolution for IPv6 Addresses When verifying network services connectivity, you use many of the same tools and software as with IPv4. When checking for DNS configuration and name resolution, you can verify the DNS configuration using the following tools: •

Ipconfig/all: The display of the ipconfig/all command includes IPv6 addresses, default routers, and DNS settings for all interfaces. The Ipconfig tool only works on the local computer.

•

Ipconfig/displaydns and Ipconfig/flushdns: Use these commands to display and flush the DNS client-resolver cache. Note This is the same for IPv4.

•

Ping: Use the Ping tool to test DNS name resolution. Make sure to ping the IPv6 name.

•

Nslookup: Use the Nslookup tool to view DNS server responses. Set the query to look for AAAA records with the type=AAAA option.

Verifying IPv6-Based TCP Connections To verify IPv6-based TCP connections: •

Check for packet filtering: This is the same process as it is for verifying IPv6 connectivity, but sometimes packet filtering will block one type of incoming connection, such as File Transfer Protocol (FTP), but allow port 80 (HTTP). It could also block ping requests.

•

Verify TCP connection establishment (Telnet): To verify a TCP connection in certain circumstances, such as those previously mentioned, use the Microsoft Telnet Client to directly connect to the address and port of the service being investigated. For example: telnet 2001:db8::1 80.

4-46



Lab Setup For this lab, you will use the available virtual machine environment. The virtual machines must be running following the completion of Lab A.

Lab Scenario The pilot went well. Your manager has asked you to convert the network to IPv6. Your task is to disable ISATAP and enable native IPv6 routing. For this project, you must transition to a native IPv6 Network.


4-47

Exercise 1: Transitioning to a Native IPv6 Network Scenario In this exercise, you will disable ISATAP and IPv4, and then enable IPv6. The main tasks for this exercise are as follows: 1.

Disable the ISATAP router on NYC-RTR.

2.

Configure the native IPv6 router on NYC-RTR.

3.

Disable IPv4 connectivity.

4.

Test connectivity between each IPv6 subnet.

X Task 1: Disable the ISATAP router on NYC-RTR Note When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side. 1.

Switch to NYC-RTR.

2.

Open a command prompt and then type the following commands. ipconfig

3.

Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment. Interface index:

4.

Type the following commands, replacing Interface_Index with the number (and brackets {}) that you recorded earlier. netsh interface ipv6 set interface “isatap.Interface_Index” forwarding=disabled advertise=disabled netsh interface ipv6 delete route 2001:db8:0:10::/64 “isatap.Interface_Index”

X Task 2: Configure the native IPv6 router on NYC-RTR •

Open a command prompt and then type the following commands. netsh interface ipv6 set interface “Local Area Connection 2” forwarding=enabled advertise=enabled netsh interface ipv6 add route 2001:db8:0:0::/64 “Local Area Connection 2” publish=yes

X Task 3: Disable IPv4 connectivity 1.


2.

Switch to NYC-DC1.

4-48


3.


4.

Enable IPv6 on the Local Area Connection 2 by selecting the Internet Protocol Version 6 (TCP/IPv6) check box in the Local Area Connection 2 Properties.

X Task 4: Test connectivity between each IPv6 subnet 1.


2.

Create a new inbound rule with the following properties:

3.

•

Rule Type: Custom

•

Program: Default

•


•

Scope: Default

•

Action: Default

•

Profile: Default

•

Name: Allow PING for IPv6

At the command prompt, type ipconfig and then press ENTER. Note the new IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below. NYC-DC1 IPv6 address: _____________________________________________

4.

Switch to NYC-CL2.

5.

Open a command prompt, type Ping global_IP_address, and then press ENTER. Where global_IP_address is the NYC-DC1 address that you noted previously.

6.

At the command prompt, type ipconfig /all and then press ENTER: Note the IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below. NYC-CL2 IPv6 address: _____________________________________________

7.

Switch to NYC-DC1 and switch to the Command Prompt.

8.

Open a command prompt, type Ping global_IP_address, and then press ENTER Where global_IP_address is the NYC-CL2 address that you noted previously.

Results: At the end of this exercise, you will have configured an IPv6 only network.



2.


3.


4.

Repeat these steps for 6421B-NYC-RTR and 6421B-NYC-CL2.


4-49


Review Questions 1.

What are the different types of unicast IPv6 addresses?

2.

What are the main reasons why IPv6 is necessary?

3.

What is the process called when a client configures itself with an IPv6 address?

4.

What kind of IP address does every IPv6 client automatically assign itself?

5.

How does the scope of an address affect its ability to communicate on a locally attached subnet?

6.

What is the main purpose of Teredo?

Tools Tool

Use for

IPconfig

Provides overview data for IPv4 and IPv6.

Route

Provides basic information about IPv4 and IPv6 routing tables.

Netsh

Provides detailed information about the IPv6 configuration, and it is the primary tool used to configure IPv6 in Windows Server 2008 and Windows Vista. You also can use this command-line tool to configure an IPv6 router.

5-1

Module 5 Configuring and Troubleshooting Routing and Remote Access Contents: Lesson 1: Configuring Network Access

5-3

Lesson 2: Configuring VPN Access

5-12

Lesson 3: Overview of Network Policies

5-22

Lesson 4: Overview of the Connection Manager Administration Kit

5-28

Lesson 5: Troubleshooting Routing and Remote Access

5-33

Lab A: Configuring and Managing Network Access

5-43

Lesson 6: Configuring DirectAccess

5-50

Lab B: Configuring and Managing DirectAccess

5-65

5-2


Module Overview

To support your organization’s distributed workforce, you must become familiar with technologies that enable remote users to connect to your organization’s network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess. It is important that you understand how to configure and secure your remote access clients by using network policies. This module explores these remote access technologies.


Configure network access.

•

Create and configure a VPN solution.

•

Describe the role of network policies.

•

Use the Connection Manager Administration Kit to create and configure client connection profiles.

•

Troubleshoot routing and remote access.

•

Implement DirectAccess.

Configuring and Troubleshooting Routing and Remote Access

Lesson 1

Configuring Network Access

It is important that you are able to install and configure the required components that support network access in a Windows Server 2008 R2 network.


Describe the components of a Network Access Services Infrastructure.

•

Describe the Network Policy and Access Services Role.

•

Describe Routing and Remote Access.

•

Explain network access authentication and authorization.

•

Explain the types of authentication methods that are used for network access.

•

Explain how DHCP servers are used with Routing and Remote Access Service.

5-3

5-4


Components of a Network Access Services Infrastructure

The underlying infrastructure in a complete Network Access Services infrastructure in Windows Server 2008 R2 typically includes the following components: •

VPN Server: Provides remote access connectivity based on various VPN tunneling protocols over a public network, such as the Internet.

•

Active Directory® Domain Services (AD DS): Services authentication requests from remote access client connection attempts.

•

Dynamic Host Configuration Protocol (DHCP) Server: Supplies accepted inbound remote access connections with an IP configuration for network connectivity to the corporate local area network (LAN).

•

Network Policy Server: Provides authentication services for other network access components.

•

Network Access Protection (NAP) components: •

NAP Health Policy Server: Evaluates system health against configured health policies that describe health requirements and enforcement behaviors, such as requiring that connecting clients must be compliant before they gain access to the network.

•

Health Registration Authority: Obtains health certificates for clients that pass the health policy verification.

•

Remediation Servers: Provide remediation services to those clients that do not meet the health requirements for the corporate network. Remediation Servers are special servers on a limited network.


5-5

What Is the Network Policy and Access Services Role?

The Network Policy and Access Services role in Windows Server 2008 R2 provides the following network connectivity solutions: •

Enforce health policies: Establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

•

Help to secure wireless and wired access: When you deploy 802.1X wireless access points, secure wireless access provides wireless users with a secure certificate or password-based authentication method that is simple to deploy. When you deploy 802.1X authenticating switches, wired access allows you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address using DHCP.

•

Provide remote access solutions: With remote access solutions, you can provide users with VPN and traditional dial-up access to your organization’s network. You also can connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.

•

Centralize network policy management with RADIUS server and proxy: Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.

5-6


What Is Routing and Remote Access?

With Routing and Remote Access, you can deploy: •

VPN and dial-up remote access services

•

Multiprotocol LAN-to-LAN, LAN-to-wide area network (WAN), VPN, and network address translation (NAT) routing services

You can deploy the following technologies during the installation of the Routing and Remote Access Service role: •

Remote Access Service: Using Routing and Remote Access, you can deploy VPN connections to provide end users with remote access to your organization’s network. You also can create a site-tosite VPN connection between two servers at different locations. Configure each server with Routing and Remote Access to send private data securely. The connection between the two servers can be persistent (always on) or on demand (demand-dial). Remote Access also provides traditional dial-up remote access to support mobile users or home users who are dialing in to an organization’s intranets, although this is less commonly used today.

•

Routing: This provides a full-featured software router and an open platform for routing and internetworking. It offers routing services to businesses in LAN and WAN environments. When you choose routing, you can also choose to use Network Address Translation (NAT). When you deploy NAT, the server that is running Routing and Remote Access is configured to share an Internet connection with computers on the private network and to translate traffic between its public address and the private network. By using NAT, the computers on the private network gain some measure of protection because the router on which you configure NAT does not forward traffic from the Internet into the private network, unless a private network client requests it or traffic is allowed explicitly. When you deploy VPN and NAT, you configure the server that is running Routing and Remote Access to provide NAT for the private network and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same network.


5-7

Network Authentication and Authorization

The distinction between authentication and authorization is important in understanding why connection attempts are accepted or denied: •

Authentication is the verification of the connection attempt’s credentials. This process consists of sending the credentials from the remote access client to the remote access server in either plaintext or encrypted form by using an authentication protocol.

•

Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

For a connection attempt to be accepted, the connection attempt must be authenticated and authorized. It is possible for the connection attempt to be authenticated by using valid credentials, but not authorized; in this case, the connection attempt is denied. If you configure a remote access server for Windows Authentication, the security features of Windows Server 2008 R2 verify the authentication credentials, while the user account’s dial-in properties and locally stored remote-access policies authorize the connection. If the connection attempt is both authenticated and authorized, the connection attempt is accepted. If you configure the remote access server for RADIUS authentication, the connection attempt’s credentials are passed to the RADIUS server for authentication and authorization. If the connection attempt is both authenticated and authorized, the RADIUS server sends an accept message back to the remote access server and the connection attempt is accepted. If the connection attempt is either not authenticated or not authorized, the RADIUS server sends a reject message back to the remote access server and the connection attempt is rejected.

5-8


Types of Authentication Methods

The authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process.

PAP Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is included in Microsoft Windows Server® 2008 R2 for the following reasons: •

Remote access clients that are running Microsoft Windows® 32-bit operating systems can connect to older remote access servers that do not support a secure authentication protocol.

•

Remote access clients that are running Microsoft® operating systems that do not support a secure remote access protocol can connect to remote access servers that are running Windows 32-bit operating systems.

CHAP The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. Various vendors of network access servers and clients use CHAP. A server that is running Routing and Remote Access supports CHAP so that remote access clients that require CHAP are authenticated. Because CHAP requires the use of a reversibly encrypted password, you should consider using another authentication protocol, such as MS-CHAP version 2.


5-9

MS-CHAP V2 Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) is a one-way, encrypted password, mutual-authentication process that works as follows: 1.

The authenticator (the remote access server or the computer that is running Network Policy Server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.

2.

The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.

3.

The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.

4.

The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

Extensible Authentication Protocol With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a remote access connection. The remote access client and the authenticator (either the remote access server or the Remote Authentication Dial-In User Service (RADIUS) server) negotiate the exact authentication scheme to be used. Routing and Remote Access includes support for EAP-Transport Level Security (EAPTLS) by default. You can plug in other EAP modules to the server that is running Routing and Remote Access to provide other EAP methods.

Using Smart Cards for Remote Access Using smart cards for user authentication is the strongest form of authentication in the Windows Server 2008 family. For remote access connections, you must use EAP with the smart card or other certificate (TLS) EAP type, also known as EAP-TLS. To use smart cards for remote access authentication, you must: •

Configure remote access on the remote access server.

•

Install a computer certificate on the remote access server computer.

•

Configure the smart card or other certificate (TLS) EAP type in network policies.

•

Enable smart card authentication on the dial-up or VPN connection on the remote access client.

5-10


Integrating DHCP Servers with Routing and Remote Access Service

You can deploy the DHCP Server service with the Routing and Remote Access service to provide remote access clients with a dynamically assigned IP address during connection. When you use these services together on the same server, the information provided during dynamic configuration is provided in a way that is different from typical DHCP configuration for LAN-based clients. In LAN environments, DHCP clients negotiate and receive the following configuration information, based entirely on settings that you configure in the DHCP console for the DHCP server: •

A leased IP address provided from an available address pool of an active scope on the DHCP server. The DHCP server directly manages and distributes the address to the LAN-based DHCP client.

•

Additional parameters and other configuration information that assigned DHCP options in the address lease provided. The values and list of options correspond to option types that you configure and assign on the DHCP server.

When a Routing and Remote Access server provides dynamic configuration for dial-up clients, it first performs the following steps: •

When the server that is running Routing and Remote Access starts with the Use DHCP to assign remote TCP/IP addresses option, it instructs the DHCP client to obtain 10 IP addresses from a DHCP server.

•

The remote access server uses the first of these 10 IP addresses that are obtained from the DHCP server for the remote access server interface.

•

The remaining nine addresses are allocated to TCP/IP-based clients as they dial in to establish a session with the remote access server.

IP addresses that are freed when remote access clients disconnect are reused. When all 10 IP addresses are used, the remote access server obtains 10 more from a DHCP server. When the Routing and Remote Access service stops, all IP addresses that were obtained through DHCP are released.


5-11

When the Routing and Remote Access server uses this type of proactive caching of DHCP address leases for dial-up clients, it records the following information for each lease response that it obtains from the DHCP server: •

The IP address of the DHCP server

•

The client-leased IP address (for later distribution to the Routing and Remote Access client)

•

The time at which the lease was obtained

•

The time at which the lease expires

•

The lease duration

All other DHCP option information that the DHCP server returns—such as server, scope, or reservation options—is discarded. When the client dials in to the server and requests an IP address (that is, when Server Assigned IP Address is selected), it uses a cached DHCP lease to provide the dial-up client with dynamic IP address configuration. When the IP address is provided to the dial-up client, the client is unaware that the IP address has been obtained through this intermediate process between the DHCP server and the Routing and Remote Access server. The Routing and Remote Access server maintains the lease on the client’s behalf. Therefore, the only information that the client receives from the DHCP server is the IP address. In dial-up environments, DHCP clients negotiate and receive dynamic configuration using the following modified behavior: •

A leased IP address from the Routing and Remote Access server cache of DHCP scope addresses. The Routing and Remote Access server obtains and renews its cached address pool with the DHCP server.

•

If the DHCP server typically provides the additional parameters and other configuration information that currently is provided through assigned DHCP options in the address lease, this information is returned to the Routing and Remote Access client based on TCP/IP properties that are configured on the Routing and Remote Access server. Note DHCP servers that are running Windows Server 2008 R2 provide a predefined user class, the Default Routing and Remote Access Class, for assigning options that are provided only to Routing and Remote Access clients.

5-12


Lesson 2

Configuring VPN Access

A VPN provides a point-to-point connection between components of a private network through a public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to a VPN server’s listening virtual port. To properly implement and support a VPN environment within your organization, it is important that you understand how to select a suitable tunneling protocol, configure VPN authentication, and configure the Network Policy and Access Services server role to support your chosen configuration.


Describe how a VPN connection is used to connect remote network clients.

•

Describe the tunneling protocols used for a VPN connection.

•

Describe VPN Reconnect.

•

Describe configuration requirements for a VPN connection.

•

Create a new Connection Request Policy.

•

Describe additional tasks that can be completed after configuring a VPN server.


5-13

What Is a VPN Connection?

To emulate a point-to-point link, the data is encapsulated, or wrapped, and prefixed with a header; this header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on the shared or public network are indecipherable without encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection. There are two types of VPN connections: •

Remote access

•

Site-to-site

Remote Access VPN Remote access VPN connections enable your users working at home, customer site, or from a public wireless access point to access a server on your organization’s private network using the infrastructure that a public network provides, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer, the VPN client, and your organization’s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

5-14


A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering router authenticates itself to the calling router. In a site-to site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

Properties of VPN Connections VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following properties. Note These tunneling protocols are discussed in the next few topics. •

Encapsulation: With VPN technology, private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network.

•

Authentication: Authentication for VPN connections takes the following three different forms: •

User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.

•

Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a pre-shared key. In either case, the VPN client and server authenticate each other at the computer level. We recommend computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.

•

Data origin authentication and data integrity. To verify that the data sent on the VPN connection originated at the connection’s other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.

•

Data encryption: To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key’s length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.


5-15

Tunneling Protocols for a VPN Connection

PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was defined originally as the protocol to use between a dial-up client and a network access server.

PPTP PPTP enables you to encrypt and encapsulate in an IP header multi-protocol traffic that then is sent across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet. •

Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.

•

Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys that are generated from the MS-CHAPv2 or EAP-TLS authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames are encrypted. PPTP is taking advantage of the underlying PPP encryption and encapsulating a previously encrypted PPP frame.

L2TP Layer 2 Tunneling Protocol (L2TP) enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.

5-16


Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec. Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the Windows XP, Windows Vista, and Windows 7 remote access clients, and VPN server support for L2TP is built in to members of the Windows Server 2008 and Windows Server 2003 family. •

Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers: •

First layer: L2TP encapsulation A PPP frame (an IP datagram) is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.

•

Second layer: IPsec encapsulation The resulting L2TP message is wrapped with an IPsec Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP address that corresponds to the VPN client and server.

•

Encryption: The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple DES (3DES) by using encryption keys that the IKE negotiation process generates.

SSTP Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the Secure Hypertext Transfer Protocol (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking. When a client tries to establish a SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload: •

Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connection (over port 443) for tunnel management and as PPP data frames.

•

Encryption: The SSTP message is encrypted with the SSL channel of the HTTPS protocol.

IKEv2 Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity, making it a good choice for mobile users who move between access points and even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection; this ability is a requirement of VPN Reconnect.


5-17

The use of IKEv2 and IPsec enables support for strong authentication and encryption methods. •

Encapsulation: IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over the network.

•

Encryption: The message is encrypted with one of the following protocols by using encryption keys that are generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms. IKEv2 is supported only on computers that are running Windows 7 and Windows Server 2008 R2. Note IKEv2 is the default VPN tunneling protocol in Windows 7.

5-18


What Is VPN Reconnect?

In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and access it continuously, without interruption. For example, users might want to securely access data on the company’s server in the head office, from a branch office, or while on the road. To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2008 R2 and Windows 7. With this feature, users can access the company’s data by using a VPN connection, which will automatically reconnect if connectivity is interrupted. It also enables roaming between different networks. VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and consistent VPN connectivity. VPN Reconnect automatically re-establishes a VPN connection when Internet connectivity is available again. Users who connect with a wireless mobile broadband benefit most from this capability. Consider a user with a laptop that is running Windows 7. When the user travels to work in a train, he or she connects to the Internet with a wireless mobile broadband card and then establishes a VPN connection to the company’s network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card automatically reconnects to the Internet. With earlier versions of Windows client and server operating systems, VPN did not reconnect automatically. Therefore, the user needed to manually repeat the multistep process of connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity. With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-establish active VPN connections when the Internet connectivity is re-established. Even though the reconnection might take several seconds, users stay connected and have uninterrupted access to internal network resources. The system requirements for using the VPN Reconnect feature are as follows: •

Windows Server 2008 R2 as a VPN server

•

Windows 7 or Windows Server 2008 R2 client

•

Public Key Infrastructure (PKI), because a computer certificate is required for a remote connection with VPN Reconnect. Certificates issued by either an internal or public CA can be used.


5-19

Configuration Requirements

Before deploying your organization’s VPN solution, consider the following factors: •

Your VPN server requires two network interfaces; determine which network interface connects to the Internet and which network interface connects to your private network. During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.

•

Determine whether remote clients receive IP addresses from a Dynamic Host Configuration Protocol (DHCP) server on your private network or from the remote access VPN server that you are configuring. If you have a DHCP server on your private network, the remote access VPN server can lease ten addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can generate and assign IP addresses automatically to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.

•

Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients to your private network.

•

Determine whether VPN clients can send DHCPINFORM messages to the DHCP server on your private network. If a DHCP server is on the same subnet as your remote access VPN server, DHCPINFORM messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay DHCP messages between clients and the server. If your router is running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent service on the router to forward DHCPINFORM messages between subnets.

•

Ensure that the individual responsible for the deployment of your VPN solution has the necessary administrative group memberships to install the server roles and configure the necessary services; membership of the local Administrators group is required to perform these tasks.

5-20


Demonstration: How to Configure VPN Access


Configure user dial-in settings.

•

Configure Routing and Remote Access as a VPN server.

•

Configure a VPN client.


5-21

Completing Additional Tasks

After you complete the steps in the Add Roles Wizard and complete the configuration in Routing and Remote Access, your server is ready for use as a remote access VPN server. The following are the additional tasks that you can perform on your remote access/VPN server: •

Configure static packet filters. Add static packet filters to better protect your network.

•

Configure services and ports. Choose which services on the private network you want to make available for remote access users.

•

Adjust logging levels. Configure the level of event details that you want to log. You can decide which information you want to track in log files.

•

Configure the number of VPN ports. Add or remove VPN ports.

•

Create a Connection Manager profile for users. Manage the client connection experience for users, and simplify configuration and troubleshooting of client connections.

•

Add Active Directory Certificate Services (AD CS). Configure and manage a certification authority (CA) on a server for use in a PKI.

•

Increase remote access security. Protect remote users and the private network by enforcing use of secure authentication methods, requiring higher levels of data encryption, and more.

•

Increase VPN security. Protect remote users and the private network by requiring use of secure tunneling protocols, configuring account lockout, and more.

•

Consider implementing VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connection, automatically re-establishing a VPN when users temporarily lose their Internet connections.

5-22


Lesson 3

Overview of Network Policies

Network policies determine whether a connection attempt is successful, and if such an attempt is successful, the network policy defines connection characteristics, such as day and time restrictions, session idle-disconnect times, and other settings. Understanding how to configure network policies is essential if you are to successfully implement VPNs based on the Network Policy and Access Services Server role within your organization.


Explain what a Network Policy is.

•

Describe the process for creating a new network policy.

•

Create a network policy for VPN connections.

•

Explain how Network Policies are processed.


5-23

What Is a Network Policy?

Network policies are sets of conditions, constraints, and settings that enable you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. Additionally, when you deploy NAP, health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process. You can view network policies as rules; each rule has a set of conditions and settings. NPS compares the rule’s conditions to the properties of connection requests. If a match occurs between the rule and the connection request, the settings that you define in the rule are applied to the connection. When you configure multiple network policies in NPS, they are an ordered set of rules. NPS checks each connection request against the list’s first rule, then the second, and so on, until a match is found. Note Once a matching rule is determined, further rules are disregarded. It is important to order your network policies appropriately. Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties Each network policy has four categories of properties: •

Overview: These properties allow you to specify whether the policy is enabled, whether the policy grants or denies access, and whether a specific network connection method or type of network access server is required for connection requests. Overview properties also enable you to specify whether to ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses only the network policy’s settings to determine whether to authorize the connection.

5-24


•

Conditions: These properties allow you to specify the conditions that the connection request must have to match the network policy. If the conditions configured in the policy match the connection request, NPS applies the network-policy settings to the connection. For example, if you specify the network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy, and NPS receives a connection request from a NAS that has the specified IP address, the condition in the policy matches the connection request.

•

Constraints: Constraints are additional parameters of the network policy that are required to match the connection request. If the connection request does not match a constraint, NPS automatically rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a constraint is not matched, NPS does not evaluate additional network policies. The connection request is denied.

•

Settings: These properties allow you to specify the settings that NPS applies to the connection request if all of the policy’s network policy conditions are matched and the request is accepted.

When you add a new network policy using the NPS MMC snap-in, you must use the New Network Policy Wizard. After you have created a network policy using the wizard, you can customize the policy by double-clicking it in NPS to obtain the policy properties. Note The default policies on the NPS block network access. After creating your own policies, you should change the priority, disable, or remove these default policies.


5-25

Process for Creating and Configuring a Network Policy

NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a connection request to your network. You can configure a new network policy in either the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy When you use the New Network Policy Wizard to create a network policy: •

The value that you specify as the network connection method is used to configure the Policy Type condition automatically. If you keep the default value of Unspecified, NPS evaluates the network policy that you create for all network connection types through any type of network access server. If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify. For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from Remote Desktop Gateway servers.

•

On the Specify Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied. If you want user account dial-in properties in AD DS to determine access permission, you can select the Access is determined by User Dial-in properties (which override NPS policy) check box.

Configuring Your Policy Once you have created your policy, you can use the properties dialog box for the policy to view or reconfigure its settings.

5-26


Demonstration: How to Create a Network Policy

This demonstration shows how to create a VPN policy and test it.

Demonstration Steps •

Create a VPN policy based on Windows Groups condition.

•

Test the VPN.


5-27

How Are Network Policies Processed?

When NPS performs authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy and moving down the list. If NPS finds a policy in which the conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If you configure the dial-in properties of the user account to grant or control access through network policy, and the connection request is authorized, NPS applies the settings that you configure in the network policy to the connection: •

If NPS does not find a network policy that matches the connection request, NPS rejects the connection unless the dial-in properties on the user account are set to grant access.

•

If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.

5-28


Lesson 4

Overview of the Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK) allows you to customize users’ remote-connection options by creating predefined connections to remote servers and networks. The CMAK wizard creates an executable file, which you can distribute in many ways or include during deployment activities as part of the operating-system image.


Describe the features and benefits of the CMAK.

•

Describe the process for configuring a connection profile.

•

Create a connection profile using CMAK.

•

Describe methods to distribute a connection profile to users.


What Is the Connection Manager Administration Kit?

Connection Manager is a client network-connection tool that allows a user to connect to a remote network, such as an Internet Service Provider (ISP) or a corporate network protected by a VPN server. The CMAK is a tool that you can use to customize the remote connection experience for users on your network by creating predefined connections to remote servers and networks. Use the CMAK wizard to create and customize a connection for your users. CMAK is an optional component that is not installed by default. You must install CMAK to create connection profiles that your users can install to access remote networks.

5-29

5-30


Process for Configuring a Connection Profile

You can configure a new or existing connection profile using the CMAK wizard. Each page of the wizard allows you to complete another step of the process. The options presented in the CMAK wizard are: •

Select the Target Operating System

•

Create or Modify a Connection Profile

•

Specify the Service Name and the File Name

•

Specify a Realm Name

•

Merge Information from Other Connection Profiles

•

Add Support for VPN Connections

•

Add a Custom Phone Book

•

Configure Dial-up Networking Entries

•

Specify Routing Table Updates

•

Configure Proxy Settings for Internet Explorer

•

Add Custom Actions

•

Display Custom Bitmaps and Icons

•

Customize the Notification Area Shortcut Menu

•

Include a Custom Help File

•

Display Custom Support Information

•

Include Connection Manager Software with the Connection Profile

•

Display a Custom License Agreement

•

Install Additional Files with the Connection Profile

•

Build the Connection Profile and its Installation Program

•

Make Advanced Customizations

•

Your Connection Profile is Complete and Ready to Distribute


Demonstration: How to Create a Connection Profile


Install the CMAK feature.

•

Create a connection profile.

•

Examine the profile.

5-31

5-32


Distributing the Connection Profile to Users

The CMAK wizard compiles the connection profile into a single executable file with an .exe file name extension. You can deliver this file to users through any method that is available to you. Some methods to consider are: •

Include the connection profile as part of the image that is included with new computers. You can install your connection profile as part of the client computer images that are installed on your organization’s new computers.

•

Deliver the connection profile on removable media for the user to install manually. You can deliver the connection profile installation program on a floppy disk, CD-ROM, USB flash drive, or any other removable media that you permit your users to access. Some removable media support “autorun” capabilities, which allow you to start the installation when the user inserts the media into the client computer.

•

Deliver the connection profile with automated software distribution tools. Many organizations use a desktop-management and software-deployment tool like Microsoft System Center Configuration Manager (previously called Systems Management Server). Configuration Manager provides the ability to package and deploy software intended for your client computers. The installation can be invisible to your users, and you can configure it to report back to the management console whether the installation was successful.


5-33

Lesson 5

Troubleshooting Routing and Remote Access

Troubleshooting the Routing and Remote Access Service can be a time-consuming task. The issues might be varied and not easily identified. Given that you might be using dial-up, dedicated, leased, or publicbased networks to satisfy your remote-connectivity solution, you must perform troubleshooting in a methodical, step-by-step process. In some cases, you can identify and resolve the problem quickly, while in other cases, it might test your understanding of all the available tools to help you determine the issue’s source so that you can resolve it in a timely fashion.


Describe how Authentication and Accounting Logging can be used to troubleshoot connection issues.

•

Describe how to configure remote access logging.

•

Describe how to configure remote access tracing.

•

Resolve general VPN connectivity problems.

•

Describe common troubleshooting solutions regarding remote access.

5-34


Authentication and Accounting Logging

You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files in which you want to store the accounting data.

Configuring Accounting To prevent the log files from using up hard-drive space, we strongly recommend that you keep them on a separate partition from the system partition. The following list provides more information about configuring NPS accounting: •

You can send the log-file data for collection by another process by configuring IAS to write to a named pipe. To use named pipes, set the log-file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local file Properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.

•

You can create the log-file directory by using system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, if you enter the path using the environment variable %windir%, it locates the log file at the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs\).

•

You can switch log-file formats without causing the creation of a new log. If you change log-file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log will have the previous format, while records at the log’s end will have the new format).

•

You cannot browse the directory structure if you are administering an NPS server remotely. If you need to log accounting information to a remote server, specify the log-file name by typing a Universal Naming Convention (UNC) name, such as \\MyLogServer\LogShare.


5-35

•

NPS in Windows Server 2008 stops processing connection requests if RADIUS accounting fails due to a full hard-disk drive or other causes. This prevents users from accessing network resources. NPS in Windows Server 2008 R2 can be configured to continue processing connections request when logging fails.

•

NPS can log to a SQL Server database in addition to, or instead of, logging to a local file. Note If you do not supply a full-path statement in Log File Directory, the default path is used. For example, if you type NPSLogFile in Log File Directory, the file is located at systemroot\System32\NPSLogFile.

Configuring Logs with the Windows Interface To configure log-file properties using the Windows interface: 1.

Open the Network Policy Server MMC snap-in.

2.

In the console tree, click Accounting.

3.

In the details pane, right-click Local File Logging, and then click Configure Local File Logging. The Local File Logging dialog box opens.

4.

On the Log File tab, in Directory, type the location where you want to store NPS log files. The default location is the systemroot\System32\LogFiles folder.

5.

In Format, click Database-compatible. Alternatively, if you want to keep your log files in IAS format, click IAS.

6.

To configure NPS to start new log files at specified intervals, click the interval that you want to use:

7.

•

For heavy transaction volume and logging activity, click Daily.

•

For lesser transaction volumes and logging activity, click Weekly or Monthly.

•

To store all transactions in one log file, click Never (unlimited file size).

•

To limit the size of each log file, click When log file reaches this size, and then type a file size, after which a new log is created. The default size is 10 MB.

To configure NPS to delete log files automatically when the disk is full, click When disk is full delete older log files. If the oldest log file is the current log file, it is not deleted. Note To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.

5-36


Configuring Remote Access Logging

To configure remote-access logging, open the Routing and Remote Access Service console, right-click servername, and then click Properties. Click the Logging tab to view the available options for, and the location of, the tracing log. Initially, it might be best to specify more logging options than you might necessarily need, rather than specifying too few options. Once you determine the logging level that is most useful for troubleshooting your infrastructure, you can change the options and/or level of logging at your discretion. Four logging levels are available on the Logging tab in the VPN server properties in the Routing and Remote Access snap-in. Select Log all events, and then try the connection again. After the connection fails, check the system event log for events that were logged during the connection process. After you are done viewing remote access events, select the Log errors and warnings option on the Logging tab to conserve system resources. The following table describes the four levels of event logging that Windows Server 2008 R2 Routing and Remote Access Service makes available. Dialogue Box Element

Description

Log Errors Only

Specifies that only errors are logged in the system log in Event Viewer.

Log Errors and Warnings

Specifies that errors and warnings are logged in the system log in Event Viewer.

Log all events

Specifies that the maximum amount of information is logged in the system log in Event Viewer.

Do not log any events

Specifies that no events are logged in the system log in Event Viewer.

The Log additional Routing and Remote Access Information check box enables you to specify whether the events in the PPP connection-establishment process for remote access and demand-dial routing connections are written to the PPP.LOG file that is stored in the systemroot\Tracing folder (the default location).


5-37

Configuring Remote Access Tracing

The Routing and Remote Access service in Windows Server 2008 R2 has an extensive tracing capability that you can use to troubleshoot complex network problems. You can enable the components in Windows Server 2008 R2 to log tracing information to files using the Netsh command or through the Registry.

Enabling Tracing with the Netsh Command You can use the Netsh command to enable and disable tracing for specified components or for all components. To enable and disable tracing for a specific component, use the following syntax: netsh ras set tracing component enabled|disabled

Where component is a component in the list of Routing and Remote Access service components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the RASAUTH component, the command is as follows: netsh ras set tracing rasauth enabled

To enable tracing for all components, use the following command: netsh ras set tracing * enabled

Enabling Tracing through the Registry You also can configure the tracing function by changing settings in the Registry under the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

You can enable tracing for each Routing and Remote Access service component by setting the appropriate Registry values. You can enable and disable tracing for components while the Routing and Remote Access service is running. Each component is capable of tracing and appears as a subkey under the preceding Registry key.

5-38


To enable tracing for each component, you can configure the following Registry entries for each protocol key: EnableFileTracing REG_DWORD Flag

You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0. You can change the default location of the tracing files by setting FileDirectory to the path that you want. The log file’s file name is the component name for which tracing is enabled. By default, log files are placed in the SystemRoot\Tracing folder. FileDirectory REG_EXPAND_SZ Path

FileTracingMask determines how much tracing information is logged to the file. The default value is 0xFFFF0000. FileTracingMask REG_DWORD LevelOfTracingInformationLogged

You can change the log-file size by setting different values for MaxFileSize. The default value is 0x10000 (64K). MaxFileSize REG_DWORD SizeOfLogFile

Note Tracing consumes system resources, and you should use it sparingly to help identify network problems. After you capture the trace or identify the problem, you should disable tracing immediately. Do not leave tracing enabled on multiprocessor computers. Tracing information can be complex and detailed; typically, only Microsoft support professionals or network administrators who are experienced with the Routing and Remote Access service find this information useful. You can save tracing information as files and send it to Microsoft support for analysis.


5-39

Resolving General VPN Problems

To resolve general problems with establishing a remote access VPN connection, perform the following tasks: •

Using the ping command, verify that the host name is being resolved to its correct IP address. The ping itself might not be successful due to packet filtering that is preventing the delivery of ICMP messages to and from the VPN server.

•

Verify that the credentials of the VPN client—which consist of user name, password, and domain name—are correct and that the VPN server can validate them.

•

Verify that the user account of the VPN client is not locked out, expired, disabled, or that the time that the connection is being made does not correspond to the configured logon hours. If the password on the account has expired, verify that the remote access VPN client is using MS-CHAP v2. MS-CHAP v2 is the only authentication protocol that Windows Server 2008 R2 provides that allows you to change an expired password during the connection process.

•

For an administrator-level account with an expired password, reset the password using another administrator-level account.

•

Verify that the user account has not been locked out due to remote access account lockout.

•

Verify that the Routing and Remote Access service is running on the VPN server.

•

Verify that the VPN server is enabled for remote access from the General tab in the properties of a VPN server in the Routing and Remote Access snap-in.

•

Verify that the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices are enabled for inbound remote access from the properties of the Ports object in the Routing and Remote Access snap-in.

•

Verify that the VPN client, the VPN server, and the network policy that correspond to VPN connections are configured to use at least one common authentication method.

•

Verify that the VPN client and the network policy that correspond to VPN connections are configured to use at least one common encryption strength.

•

Verify that the connection’s parameters have permission through network policies.

5-40


Troubleshooting Other Issues

This topic lists common issues that you might encounter when using Windows Server 2008 R2 Remote Access.

Error 800: VPN Server is Unreachable •

Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.

•

Solution: Ensure that the appropriate ports are open on the firewall. •

PPTP: For PPTP traffic, configure the network firewall to open TCP port 1723 and to forward IP protocol 47 for GRE traffic to the VPN server.

•

L2TP: For L2TP traffic, configure the network firewall to open UDP port 1701 and to allow IPsec ESP formatted packets (IP protocol 50).

•

SSTP: For SSTP, enable TCP 443.

Error 721: Remote Computer is Not Responding •

Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47). PPTP uses GRE for tunneled data.

•

Solution: Configure the network firewall between the VPN client and the server to permit GRE. Additionally, make sure that the network firewall permits TCP traffic on port 1723. Both of these conditions must be met to establish VPN connectivity by using PPTP. Note

The firewall might be on, or in front of, the VPN client, or in front of the VPN server.


5-41

Error 741/742: Encryption Mismatch Error •

Cause: These errors occur if the VPN client requests an invalid encryption level or if the VPN server does not support an encryption type that the client requests.

•

Solution: Check the properties on the Security tab of the VPN connection on the VPN client. If Require data encryption (disconnect if none) is selected, clear the selection and retry the connection. If you are using NPS, check the encryption level in the network policy in the NPS console or policies on other RADIUS servers. Ensure that the encryption level that the VPN client requested is selected on the VPN server.

L2TP/IPsec Authentication Issues The following list describes the most common reasons that L2TP/IPsec connections fail: •

No certificate: By default, L2TP/IPsec connections require that, for IPsec peer authentication, an exchange of computer certificates occur between the remote access server and remote access client. Check the Local Computer certificate stores of the remote access client and remote access server that are using the Certificates snap-in to ensure that a suitable certificate exists.

•

Incorrect certificate: The VPN client must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA that the VPN server trusts. Additionally, the VPN server must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA that the VPN client trusts.

•

A NAT device exists between the remote access client and remote access server: If there is a NAT between a Windows 2000, Windows Server 2003, or Windows XP-based L2TP/IPsec client, and a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless the client and server support IPsec NAT-T.

•

A firewall exists between the remote access client and remote access server: If there is a firewall between a Windows L2TP/IPsec client and a Windows Server 2008 R2 L2TP/IPsec server, and you cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec traffic.

EAP-TLS Authentication Issues When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating server to validate the VPN client’s certificate, the following must be true for each certificate in the certificate chain that the VPN client sends: •

The current date must be within the certificate’s validity dates. When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.

•

The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CA maintains a list of certificates that are not considered valid by publishing an up-to-date certificate revocation list (CRL). By default, the authenticating server checks all certificates in the VPN clients’ certificate chain (the series of certificates from the VPN client certificate to the root CA) for revocation. If any of the chain’s certificates have been revoked, certificate validation fails.

5-42


•

The certificate has a valid digital signature. CAs digitally sign certificates that they issue. The authenticating server verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificates’ issuing CA and mathematically validating the digital signature. For the VPN client to validate the authenticating server’s certificate for either EAP-TLS authentication, the following must be true for each certificate in the certificate chain that the authenticating server sends: •

The current date must be within the certificate’s validity dates. When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.

•

The certificate must have a valid digital signature. CAs digitally sign certificates that they issue. The VPN client verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificates’ issuing CA and mathematically validating the digital signature.


5-43




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Scenario Contoso, Ltd. wants to implement a remote access solution for its employees so they can connect to the corporate network while away from the office. Contoso requires a network policy mandating that VPN connections are encrypted for security reasons. You are required to enable and configure the necessary server services to facilitate this remote access. For this project, you must complete the following tasks: •

Configure Routing and Remote Access as a VPN remote access solution.

•

Configure a custom Network Policy.

•

Create and distribute a CMAK profile.

5-44


Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution Scenario In this exercise, you will install and configure the Network Policy and Access Services role to support the requirements of the Contoso, Ltd. workforce. The main tasks for this exercise are as follows: 1.

Install the Network Policy and Access Services role on 6421B-NYC-EDGE1.

2.

Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.

3.

Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP connections.

X Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1 1.

Switch to the NYC-EDGE1 virtual server.

2.

Open Server Manager.

3.

Add the Network Policy and Access Services role with the following role services: a.

Network Policy Server

b.

Routing and Remote Access Services

X Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients 1.

On NYC-EDGE1, open Routing and Remote Access.

2.

In the list pane, select and right-click NYC-EDGE1 (Local) and then click Configure and Enable Routing and Remote Access.

3.

Use the following settings to configure the service: a.

On the Configuration page, accept the defaults.

b.

On the Remote Access page, select the VPN check box.

c.

On the VPN Connection page, select the Public interface.

d.

On the IP Address Assignment page, select the From a specified range of addresses option.

e.

On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60.

f.

On the Managing Multiple Remote Access Servers page, accept the defaults.

g.

Accept any messages by clicking OK.


5-45

X Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections 1.

In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then right-click Ports, and then click Properties.

2.

Use the following information to complete the configuration process: a.

Number of WAN Miniport (SSTP) ports: 25

b.

Number of WAN Miniport (PPTP) ports: 25

c.

Number of WAN Miniport (L2TP) ports: 25

3.

Click OK to confirm any prompts.

4.

Close the Routing and Remote Access tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.

5-46


Exercise 2: Configuring a Custom Network Policy Scenario In this exercise, you will create and verify a custom network policy in accordance with the requirements of Contoso, Ltd. The main tasks for this exercise are as follows: 1.

Open the Network Policy Server management tool on 6421B-NYC-EDGE1.

2.

Create a new network policy for RRAS clients.

3.

Create and Test a VPN Connection.

X Task 1: Open the Network Policy Server management tool on 6421B-NYC-EDGE1 1.

Switch to the NYC-EDGE1 virtual computer.

2.

Open the Network Policy Server tool.

X Task 2: Create a new network policy for RRAS clients 1.

In the Network Policy Server console, create a new policy with the following settings: a.

Name: Secure VPN

b.

Type of network access server: Remote Access Server (VPN-Dial up)

c.

Conditions: Tunnel Type = L2TP ,PPTP, SSTP

d.

Access permission: Access granted

e.

Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)

f.

Constraints: Day and time restrictions = Weekends Denied

g.

Settings: Encryption = Strongest encryption (MPPE 128-bit)

2.

Ensure that the Secure VPN policy is the first in the list of any policies.

3.

Close the Network Policy Server tool.

X Task 3: Create and test a VPN connection 1.

Switch to the NYC-CL1 computer.

2.

Open Network and Sharing Center.

3.

Change the network adapter settings as follows:

4.

a.

IP Address: 131.107.0.20

b.

Subnet mask: 255.255.255.0

c.


Create a VPN with the following settings: a.

Internet address to connect to: 131.107.0.2

b.

Name: Contoso VPN


5.

Connect with the new VPN properties as follows: a.


b.

Password: Pa$$w0rd

c.

Domain: Contoso

Note The VPN connects successfully. 6.

Disconnect the VPN and close all open windows.

Results: At the end of this exercise, you will have created and tested a VPN connection.

5-47

5-48


Exercise 3: Create and Distribute a CMAK Profile Scenario In this exercise, you will create a 32-bit Windows 7 CMAK profile. The main tasks for this exercise are as follows: 1.

Install the CMAK feature on NYC-CL1.

2.

Create the connection profile.

3.

Distribute the profile.

X Task 1: Install the CMAK feature on NYC-CL1 1.

On NYC-CL1, open Control Panel.

2.

From Turn Windows features on or off in Control Panel, install the RAS Connection Manager Administration Kit (CMAK) feature.

3.

Close the Programs and Control Panel.

X Task 2: Create the connection profile •

Open Connection Manager Administration Kit to launch the Connection Manager Administration Kit wizard. Create a connection profile with the following properties: •

Target operating system: Windows 7

•

Based on New profile

•

Service name: Contoso HQ

•

File name: Contoso

•

Do not add a realm name to the user name

•

Add Support for VPN Connections: Phone book from this profile

•

VPN server name or IP address: 131.107.0.2

•

Add a Custom Phone Book: clear Automatically download phone book updates

•

Other settings: default values

X Task 3: Distribute the profile 1.

Switch to NYC-DC1.

2.

Create a folder called D:\Contoso Profile.

3.

Share the folder using Advanced Sharing: •

Use the default name

•

Grant Administrators the Full Control permission and Everyone the Read permission

4.

Switch to NYC-CL1 and connect the Contoso VPN.

5.

Copy the contents of C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso to \\nyc-dc1\Contoso Profile.


6.

Run \\nyc-dc1\Contoso Profile\Contoso.exe and complete the wizard as follows: •

Make this connection available for =All users

•

Add a shortcut on the desktop =true

7.

Disconnect the Contoso VPN.

8.

On the Desktop, double-click Contoso HQ – Shortcut.

9.

Connect with the following credentials: •


•

Password: Pa$$w0rd

•

Domain: Contoso

The VPN connects successfully. 10. Disconnect and close all open windows. Results: At the end of this exercise, you will have created and distributed a CMAK profile.

X Preparing for the next lab When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.


2.


3.


4.

Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

5-49

5-50


Lesson 6

Configuring DirectAccess

Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure and are supported by different clients. However, VPN connections must be first initiated by the user and could require additional configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire corporate network. Moreover, organizations cannot effectively manage remote computers unless they are connected. To overcome such limitations in VPN connections, organizations can implement DirectAccess, available in Windows Server 2008 R2 and Windows 7, to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers because they are always connected.


Discuss challenges of typical VPN connections.

•

Describe the features and benefits of DirectAccess.

•

Describe the components required to implement DirectAccess.

•

Describe the use of the Name Resolution Policy Table.

•

Describe how DirectAccess Works.

•

Describe the use of the Name Resolution Policy Table.

•

Configure DirectAccess.

•

Install and configure DirectAccess.


Discussion: Complexities of Managing VPNs

What are some of the challenges you face when implementing VPNs?

5-51

5-52


What Is DirectAccess?

Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless remote access to intranet resources without establishing the VPN connection first. The DirectAccess feature also ensures seamless connectivity to application infrastructure for internal users and remote users. Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any IPv6-capable application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access. Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers—using the same management and update servers—to ensure they are always up-to-date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access when compared with defining access control policies in VPN solutions. DirectAccess has the following features: •

Connects automatically to corporate intranet when connected to the Internet.

•

Uses various protocols, including HTTPS, to establish IPv6 connectivity. HTTPS is typically allowed through firewalls and proxy servers.

•

Supports selected server access and end-to-end IPsec authentication with intranet network servers.

•

Supports end-to-end authentication and encryption with intranet network servers.

•

Supports management of remote client computers.

•

Allows remote users to connect directly to intranet servers.


5-53

DirectAccess is designed with the following benefits: •

Always-on connectivity: Whenever the user connects the client computer to the Internet, the client computer is connected to the intranet also. This connectivity enables remote client computers to access and update applications more easily. It also makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere and anytime, thereby improving their productivity and performance.

•

Seamless connectivity: DirectAccess provides a consistent connectivity experience whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and process. This consistency can reduce training costs for users, with fewer support incidents.

•

Bidirectional access: DirectAccess can be configured so that DirectAccess clients not only have access to intranet resources, but you can also have access from the intranet to those DirectAccess clients. DirectAccess thus can be bidirectional so that DirectAccess users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers are always updated with recent security patches, the domain Group Policy is enforced, and there is no difference whether users are on the corporate intranet or on the public network. This bidirectional access also results in: •

Decreased update time

•

Increased security

•

Decreased update miss rate

•

Improved compliance monitoring

•

Improved security: Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe. You can use a granular policy to define who can use DirectAccess, and from where.

•

Integrated solution: DirectAccess fully integrates with Server and Domain Isolation and NAP solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.

5-54


Components of DirectAccess

To deploy and configure DirectAccess, your organization must support the following infrastructure components.

DirectAccess Server On the DirectAccess server, you can install the DirectAccess Management Console feature by using Server Manager. You can use the DirectAccess Management Console to configure DirectAccess settings for the DirectAccess server and clients, and monitor the status of the DirectAccess server. You might need more than one DirectAccess server, depending on the deployment and scalability requirements. To deploy DirectAccess components on the server, the server must: •

Be joined to an Active Directory domain.

•

Have Windows Server 2008 R2 running.

•

Have at least two physical network adapters installed—one connected to the Internet and the other to the intranet.

•

The server must have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet.

•

The server should not be placed behind a NAT.

Generally installed in the perimeter network, the DirectAccess servers provide intranet connectivity for DirectAccess clients on the Internet.


5-55

DirectAccess Clients To deploy DirectAccess, you also need to ensure that the client meets certain requirements: •

The client must be joined to an Active Directory domain.

•

The client must be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2.

•

Internal network resources must be available through IPv6. For clients that are connected to the Internet, IPv6 transition technologies such as 6to4 and Teredo can be used. Note Clients that are running Windows Vista, Windows Server 2008, or other earlier versions of Windows operating systems do not support DirectAccess.

Network Location Server DirectAccess clients use the Network Location Server (NLS) to determine their location. If the client can connect with HTTPS, then the client assumes it is on the intranet and disables DirectAccess components. If the NLS is not contactable, the client assumes it is on the Internet. The NLS server is installed with the web server role. Note The URL for the NLS is distributed by using GPO.

Active Directory Domain You must deploy at least one Active Directory domain with at least one Windows Server 2008 R2 or Windows Server 2008-based domain controller, although it is not necessary to raise the domain or forest functional levels to Windows Server 2008 R2.

Group Policy Group Policy is required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup Wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and selected servers.

PKI You must implement a PKI to issue computer certificates for authentication, and where desirable, health certificates when using NAP. You need not implement public certificates.

DNS Server When using ISATAP, you must use Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a thirdparty DNS server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

5-56


What Is the Name Resolution Policy Table?

To separate Internet traffic from Intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers and settings to be defined for each DNS namespace, rather than for each interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client’s behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules that are stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. If a name query request does not match a namespace that is listed in the NRPT, the request is sent to the DNS servers that are configured in the TCP/IP settings. For a remote client, the DNS servers will typically be the Internet DNS servers that are configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers that are configured through Dynamic Host Configuration Protocol (DHCP). Single-label names—for example, http://internal—will typically have configured DNS search suffixes that are appended to the name before they are checked against the NRPT. If no DNS search suffixes are configured and the single-label name does not match any other single-label name entry in the NRPT, the request will be sent to the DNS servers that are specified in the client’s TCP/IP settings. Namespaces—for example, internal.contoso.com—are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client queries the DNS servers that are specified in its TCP/IP settings.


5-57

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS servers for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess helps to prevent the exposure of your intranet namespace to the Internet. Some names need to be treated differently with regard to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers that are specified in the client’s TCP/IP settings, you must add them as NRPT exemptions. NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the name resolution mechanism first tries to use the local name cache, which includes the entries in the hosts file, then NRPT, and finally sends the query to the DNS servers that are specified in the TCP/IP settings.

5-58


How DirectAccess Works for Internal Clients

The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources: 1.

The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name.

2.

The DirectAccess client accesses the HTTPS-based URL of the network location server, during which process it obtains the certificate of the network location server.

3.

Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server’s certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to determine if the network location server’s certificate has been revoked.

4.

Based on an HTTP 200 Success of the network location server URL (successful access and certificate authentication and revocation check), the DirectAccess client removes the DirectAccess rules in the NRPT.

5.

The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account. Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent through interface-configured DNS servers (intranet DNS servers).

6.

Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network. Because the DirectAccess connection security tunnel rules are scoped for the Public and Private profiles, they are removed from the list of active Connection Security rules. The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server (not shown).


5-59

How DirectAccess Works for External Clients

When a DirectAccess client starts, it assumes that it is not connected to the intranet. The NRPT has DirectAccess-based rules, and Connection Security rules for DirectAccess tunnels are active. Internetconnected DirectAccess clients use the following process to connect to intranet resources:

DirectAccess Client Attempts To Access the Network Location Server 1.

The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.

2.

The DirectAccess client keeps the DirectAccess rules in the NRPT.

3.

Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.

4.

The Connection Security tunnel rules for DirectAccess, scoped for the Public and Private profiles, remain.

The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts To Locate a Domain Controller After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the infrastructure tunnel to the DirectAccess server. 1.

The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server and hands it off to the TCP/IP stack for sending.

2.

Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

5-60


3.

Because the destination IPv6 address in the DNS name query matches a Connection Security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its NTLM credentials.

4.

The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.

5.

The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds. The DNS name query response is sent back to the DirectAccess server and back through the infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.

DirectAccess Client Attempts To Access Intranet Resources The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of destinations for the infrastructure tunnel (such as an email server), the following occurs: 1.

The application or process that attempts to communicate constructs a message or payload and hands it off to the TCP/IP stack for sending.

2.


3.

Because the destination IPv6 address matches the Connection Security rule that corresponds with the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account’s Kerberos credentials.

4.

The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5.

The DirectAccess server forwards the packet to the intranet resources, which responds. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.

DirectAccess Client Attempts To Access Internet Resources When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet web server), the following occurs: 1.

The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query that is addressed to the IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.

2.


3.

Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally.


5-61

4.

The Internet DNS server responds with the IP address of the Internet resource.

5.

The user application or process constructs the first packet to send to the Internet resource. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

6.

Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Subsequent Internet resource traffic, which does not match a destination in either the infrastructure intranet tunnel Connection Security rules, is sent and received normally.

5-62


Configuring DirectAccess

To configure DirectAccess, you need to complete the following tasks.

X Task 1: Configure the AD DS domain controller and DNS To prepare the AD DS and DNS environment, complete the following tasks: •

Create a security group to hold computers that will be DirectAccess clients.

•

Create a DNS host record for the Network Location Server for intranet DirectAccess clients.

•

Create a DNS host record for the server that hosts the certificate revocation list in the intranet.

•

On your public DNS server, create a DNS host record for the host that will provide access to the certificate revocation list for Internet-based DirectAccess clients.

X Task 2: Configure the PKI environment To prepare the PKI environment, complete the following tasks: •

Add and configure the Certificate Authority server role.

•

Configure the certificate revocation list distribution settings.

•

Publish the CRL to the designated intranet location.

•

Create the certificate template and configure security settings on the template so that Authenticated Users can enroll the certificate.

•

Distribute the computer certificates. You can use Group Policy to do this by enabling autoenrollment.

X Task 3: Configure the DirectAccess clients and test Intranet access To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks: •

Verify that DirectAccess clients have the computer certificate that is required for DirectAccess authentication; this should have been distributed with Group Policy.

•

Verify that the client can connect to intranet resources.


5-63

X Task 4: Configure the DirectAccess server To configure the DirectAccess server, complete the following tasks: •

Install two network interface cards in the DirectAccess server.

•

Install the web server role on the DirectAccess server.

•

Create a virtual directory to host the CRL.

•

Publish the CRL to the virtual directory.

•

Install the DirectAccess Management Console feature.

•

Run the DirectAccess Management wizard to configure DirectAccess.

X Task 5: Verify DirectAccess functionality To verify the DirectAccess functionality, move DirectAccess clients to the Internet and verify connectivity to intranet resources.

5-64


Demonstration: How to Install and Configure DirectAccess


Configure the AD DS domain controller and DNS

•

Configure the PKI environment

•

Configure the DirectAccess clients and test Intranet and Internet access

•

Configure the DirectAccess server

•

Verify DirectAccess Functionality Note To observe how to perform these tasks, download and extract the supplemental content file 6421B-ENU-Companion.zip from the http://www.microsoft.com/learning /en/us/training/companionmoc.aspx site and view the following media files: 6421B_DirectAccessDemo_Task1.WMV 6421B_DirectAccessDemo_Task2.WMV 6421B_DirectAccessDemo_Task3.WMV 6421B_DirectAccessDemo_Task4.WMV 6421B_DirectAccessDemo_Task5.WMV To view the transcript for the demonstration, see 6421B_DirectAccessDemo_Transcript_and_Steps.PDF.


5-65

Lab B: Configuring and Managing DirectAccess



2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-INET1, and 6421B-NYC-CL1.

Lab Scenario You are server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce that carries laptops to stay connected. Your organization wants to provide a secure solution to protect data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central administration, and management of remote computers. For this project, you must complete the following tasks: •

Configure AD DS and DNS to support DirectAccess.

•

Configure the PKI environment.

•

Configure the DirectAccess clients and test Intranet and Internet Access.

•

Configure the DirectAccess server.

•

Verify DirectAccess functionality.

5-66


Lab Instructions Due to the complexity of the steps involved in enabling and configuring DirectAccess, refer to the steps provided in the Lab Answer Key.

Exercise 1: Configure the AD DS Domain Controller and DNS Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.

Exercise 2: Configure the PKI Environment Results: At the end of this exercise, you will have configured the public key infrastructure in Contoso to support the deployment of DirectAccess.

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access Results: At the end of this exercise, you tested Intranet access.

Exercise 4: Configure the DirectAccess Server Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.

Exercise 5: Verify DirectAccess Functionality Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B- INET1, and 6421B-NYC-CL1.


5-67


Review Questions 1.

Your organization wants to implement a cost effective solution that interconnects two branch offices with your head offices. In what way could VPNs play a role in this scenario?

2.

The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager’s concerns?

3.

You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and time restrictions for office hours only. The second policy had a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours and what can you do about it?

Windows Server 2008 R2 Features Introduced in this Module Windows Server 2008 R2 feature

Description

DirectAccess

DirectAccess is a feature in the Windows 7 and Windows Server 2008 R2 operating systems that provides users with a seamless connection to their organization’s private network from a computer with an Internet connection.

VPN Reconnect

Although DirectAccess can replace VPN connections as a preferred remote access solution for many organizations, smaller organizations might not meet the infrastructure requirements for DirectAccess. Consequently, Microsoft is improving VPN usability in Windows 7 with VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity, automatically re-establishing a VPN when users temporarily lose their Internet connections. This is particularly beneficial for users that implement wireless broadband solutions.

5-68


Tools Tool

Use for

Where to find it

Services.msc

Managing Windows services

Administrative Tools, or else launch from Run

Gpedit.msc

Editing the Local Group Policy

Launch from Run

Mmc.exe

Management Console creation and management

Launch from Run

Gpupdate.exe

Managing group policy application

Run from command-line

Napclcfg.msc

Manage client computer NAP enforcement settings

Launch from Run

6-1

Module 6 Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Contents: Lesson 1: Installing and Configuring a Network Policy Server

6-3

Lesson 2: Configuring RADIUS Clients and Servers

6-10

Lesson 3: NPS Authentication Methods

6-20

Lesson 4: Monitoring and Troubleshooting a Network Policy Server

6-29

Lab: Configuring and Managing Network Policy Server

6-37

6-2


Module Overview

The Network Policy Server (NPS) role in Windows Server 2008 replaces the Internet Authentication Service (IAS) from earlier Windows Server versions. NPS provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol, and can be configured as a RADIUS server or proxy. Additionally, NPS provides functionality that is essential for the implementation of Network Access Protection (NAP). To support remote clients and to implement NAP, it is important that you know how to install, configure, and troubleshoot NPS.


Install and configure NPS.

•

Configure RADIUS clients and servers.

•

Describe NPS authentication methods.

•

Monitor and troubleshoot NPS.

Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Lesson 1

Installing and Configuring a Network Policy Server

NPS is implemented as a server role in Windows Server 2008 and Windows Server 2008 R2. You must understand how to install and configure the NPS role to support your RADIUS infrastructure.


Describe the Network Policy Server role service.

•

Install the Network Policy Server.

•

Describe the tools used to manage a Network Policy server.

•

Configure general NPS settings.

6-3

6-4


What Is a Network Policy Server?

NPS allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. You also can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to NPS or other RADIUS servers that you configure in remote RADIUS server groups. NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with any combination of the following three functions: •

RADIUS server: NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, and dial-up and virtual private network (VPN) connections. When using NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server® database. NPS is the Microsoft implementation of a RADIUS server. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up and VPN remote access, and router-to-router connections. NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS with the Routing and Remote Access service, which is available in Microsoft Windows 2000 and more recent versions of Windows Server. When an NPS server is a member of an Active Directory® Domain Services (AD DS) domain, NPS uses AD DS as its user-account database and provides single sign-on; users use the same set of credentials for network access control (authenticating and authorizing access to a network) as they do to access resources within the AD DS domain.


6-5

Internet service providers (ISPs) and organizations that maintain network access have the increased challenge of managing all types of network access from a single administration point, regardless of the type of network-access equipment they use. The RADIUS standard supports this functionality in homogeneous and heterogeneous environments. RADIUS is a client-server protocol that enables network-access equipment, used as RADIUS clients, to submit authentication and accounting requests to a RADIUS server. A RADIUS server has access to user account information and can check network access authentication credentials. If the user’s credentials are authentic, and RADIUS authorizes the connection attempt, the RADIUS server then authorizes the user’s access based on specified conditions and logs the networkaccess connection in an accounting log. Using RADIUS allows the network-access user authentication, authorization, and accounting data to be collected and maintained in a central location, rather than on each access server. •

RADIUS proxy: When using NPS as a RADIUS proxy, you configure connection request policies that indicate which connection requests that the NPS server will forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You also can configure NPS to forward accounting data for logging by one or more computers in a remote RADIUS server group. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS supports the Internet Engineering Task Force (IETF) standards for RADIUS that are described in Request for Comments (RFC) 2865 and 2866. With NPS, your organization can also outsource remote access infrastructure to a service provider while retaining control over user authentication, authorization, and accounting. You can create different NPS configurations for the following solutions:

•

•

Wireless access

•

Organization dial-up or VPN remote access

•

Outsourced dial-up or wireless access

•

Internet access

•

Authenticated access to extranet resources for business partners

NAP policy server: When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoHs) sent by NAP-capable client computers that attempt to connect to the network. NPS also acts as a RADIUS server when it is configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and Remediation Server Groups that allow client computers to update their configuration to become compliant with your organization’s network policy. Windows 7 and Windows Server 2008 include NAP, which helps protect access to private networks by ensuring that client computers are configured in accordance with organization network health policies before they can connect to network resources. Additionally, NAP monitors client computer compliance with administrator-defined health policy while the computer is connected to the network. Noncompliant computers can be updated automatically using NAP auto-remediation, which brings them into compliance with health policy so that they can connect successfully to the network.

6-6


System administrators define network health policies and create these policies using NAP components that either NPS provides, depending on your NAP deployment, or that third-party companies provide. Health policies can include software requirements, security-update requirements, and requiredconfiguration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access.


Demonstration: How to Install the Network Policy Server


Install the NPS role.

•

Register NPS in AD DS.

6-7

6-8


Tools Used for Managing a Network Policy Server

After you install the Network Policy Server role, you can open the NPS Administrative tool from the Administrative Tools menu, or you can add the snap-in to create a custom Microsoft Management Console (MMC) tool. You also can use netsh commands to manage and configure the NPS role. The following tools enable you to manage the Network Policy and Access Services server role: •

NPS MMC snap-in: Use the NPS MMC to configure a RADIUS server, RADIUS proxy, or NAP technology.

•

Netsh commands for NPS: The netsh commands for NPS provide a command set that is fully equivalent to all configuration settings that are available through the NPS MMC snap-in. You can run netsh commands manually at the netsh prompt or in administrator scripts.

One example of using netsh is that after you install and configure NPS, you can save the configuration by using the netsh nps show config > path\file.txt command; save the NPS configuration with this command each time you make a change.


Demonstration: How to Configure General NPS Settings


Configure a RADIUS server for VPN connections.

•

Save the configuration.

6-9

6-10


Lesson 2

Configuring RADIUS Clients and Servers

RADIUS is an industry-standard authentication protocol used by many vendors to support the exchange of authentication information between elements of a remote access solution. It is important that you understand how to configure NPS as either a RADIUS server or proxy to support the remote authentication needs of your organization.


Describe what a RADIUS client is.

•

Describe what a RADIUS Proxy is.

•

Configure a RADIUS client.

•

Describe the use of a Connection Request Policy.

•

Describe and configure connection request processing for a RADIUS proxy environment.

•

Create a new Connection Request Policy.


6-11

What Is a RADIUS Client?

A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure also is a RADIUS client, originating connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Important Client computers, such as wireless laptop computers and other computers that are running client-operating systems, are not RADIUS clients. RADIUS clients are network access servers—including wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as NPS servers. To deploy NPS as a RADIUS server, a RADIUS proxy, or a NAP policy server, you must configure RADIUS clients in NPS.

RADIUS Client Examples Examples of network access servers include the following: •

Network access servers that provide remote access connectivity to an organization network or the Internet, such as a computer that is running the Windows Server 2008 R2 operating system and the Routing and Remote Access service that provides either traditional dial-up or VPN remote access services to an organization’s intranet.

•

Wireless access points that provide physical-layer access to an organization’s network using wirelessbased transmission and reception technologies.

•

Switches that provide physical-layer access to an organization’s network, using traditional local area network (LAN) technologies, such as Ethernet.

•

NPS-based RADIUS proxies that forward connection requests to RADIUS servers that are members of a remote RADIUS server group that you configure on the RADIUS proxy, or other RADIUS proxies.

6-12


What Is a RADIUS Proxy?

You can use NPS as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When you use NPS as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about forwarded messages. You can use NPS as a RADIUS proxy when: •

You are a service provider who offers outsourced dial, VPN, or wireless network access services to multiple customers. Your network access servers send connection requests to the NPS RADIUS proxy. Based on the user name’s realm portion in the connection request, the NPS RADIUS proxy forwards the connection request to a RADIUS server that the customer maintains, and can authenticate and authorize the connection attempt.

•

You want to provide authentication and authorization for user accounts that are not members of the domain in which the NPS server is a member, or of a domain that has a two-way trust with the NPS server’s member domain. This includes accounts in untrusted domains, one-way trusted domains, and other forests. Instead of configuring your access servers to send their connection requests to an NPS RADIUS server, you can configure them to send their connection requests to an NPS RADIUS proxy. The NPS RADIUS proxy uses the realm-name portion of the user name and forwards the request to an NPS server in the correct domain or forest. Connection attempts for user accounts in one domain or forest can be authenticated for network access servers in another domain or forest.


•

6-13

NPS supports authentication across forests, without a RADIUS proxy, when the two forests contain only domains that consist of domain controllers that are running Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition. The forest functional level must be Windows Server 2003, and there must be a two-way trust relationship between forests. However, if you use Extensible Authentication Protocol (EAP)-Transport Level Security (TLS) with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests that consist of Windows Server 2003 domains.

•

You want to perform authentication and authorization by using a database that is not a Windows account database. In this case, NPS forwards connection requests that match a specified realm name to a RADIUS server, which has access to a different database of user accounts and authorization data. Examples of other user databases include Novell Directory Services (NDS) and Structured Query Language (SQL) databases.

•

You want to process a large number of connection requests. In this case, instead of configuring your RADIUS clients to attempt to balance their connection and accounting requests across multiple RADIUS servers, you can configure them to send their connection and accounting requests to an NPS RADIUS proxy. The NPS RADIUS proxy dynamically balances the load of connection and accounting requests across multiple RADIUS servers, and it increases processing of large numbers of RADIUS clients and authentications each second.

•

You want to provide RADIUS authentication and authorization for outsourced service providers and minimize intranet firewall configuration. An intranet firewall is between your perimeter network (the network between your intranet and the Internet) and intranet. By placing an NPS server on your perimeter network, the firewall between your perimeter network and intranet must allow traffic to flow between the NPS server and multiple domain controllers. When replacing the NPS server with an NPS proxy, the firewall must allow only RADIUS traffic to flow between the NPS proxy and one or multiple NPS servers within your intranet.

6-14


Demonstration: How to Configure a RADIUS Client


Configure a RADIUS client.


6-15

What Is a Connection Request Policy?

Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform authentication and authorization of connection requests that the NPS server receives from RADIUS clients. You can configure connection request policies to designate which RADIUS servers to use for RADIUS accounting. Important When you deploy NAP using the VPN or 802.1X enforcement methods with Protected Extensible Authentication Protocol (PEAP) authentication, you must configure PEAP authentication in connection request policy even when connection requests are processed locally. You can create a series of connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is a RADIUS proxy). With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on a variety of factors, including: •

The time of day and day of the week

•

The realm name in the connection request

•

The connection type you are requesting

•

The RADIUS client’s IP address

Conditions Connection request policy conditions are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message. If multiple conditions exist, then all of the conditions in the connection request message and in the connection request policy must match for NPS to enforce the policy.

6-16


Settings Connection request policy settings are a set of properties that are applied to an incoming RADIUS message. Settings consist of the following groups of properties: •

Authentication

•

Accounting

•

Attribute manipulation

•

Advanced

Default Connection Request Policy When you install NPS, a default connection request policy is created with the following conditions: •

Authentication is not configured.

•

Accounting is not configured to forward accounting information to a remote RADIUS server group.

•

Attribute manipulation is not configured with rules that change attributes in forwarded connection requests.

•

Forwarding Request is configured so that the local NPS server authenticates and authorizes connection requests.

•

Advanced attributes are not configured.

The default connection request policy uses NPS as a RADIUS server. To configure an NPS server to act as a RADIUS proxy, you also must configure a remote RADIUS server group. You can create a new remote RADIUS server group while you are creating a new connection request policy with the New Connection Request Policy Wizard. You can either delete the default connection request policy or verify that the default connection request policy is the last policy processed. Note If NPS and the Routing and Remote Access service are installed on the same computer, and the Routing and Remote Access service is configured for Windows authentication and accounting, it is possible for Routing and Remote Access service authentication and accounting requests to be forwarded to a RADIUS server. This can occur when Routing and Remote Access service authentication and accounting requests match a connection request policy that is configured to forward them to a remote RADIUS server group.


6-17

Configuring Connection Request Processing

The default connection-request policy uses NPS as a RADIUS server and processes all authentication requests locally.

Considerations for Configuring Connection Request Processing When configuring connection request processing, consider the following: •

To configure an NPS server to act as a RADIUS proxy and forward connection requests to other NPS or RADIUS servers, you must configure a remote RADIUS server group and add a new connection request policy that specifies conditions and settings that the connection requests must match.

•

You can create a new remote RADIUS server group during the process of creating a new connection request policy with the New Connection Request Policy Wizard.

•

If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.

•

If you want the NPS server to act as both a RADIUS server (processes connection requests locally) and as a RADIUS proxy (forwards some connection requests to a remote RADIUS server group), then you should add a new policy and then verify that the default connection-request policy is the last policy processed.

Ports for RADIUS and Logging By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters. Note If you disable either IPv4 or IPv6 on a network adapter, NPS does not monitor RADIUS traffic for the uninstalled protocol. The values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined in RFCs 2865 and 2866. However, by default, many access servers use ports 1645 for authentication requests and 1646 for accounting requests. When you are deciding on what port numbers to use, make sure that NPS and the access server are configured to use the same port numbers.

6-18


Important If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to enable RADIUS traffic on the new ports.

Configuring NPS User Datagram Protocol Port Information You can use the following procedure to configure the ports that NPS uses for RADIUS authentication and accounting traffic. Note To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer. To configure NPS User Datagram Protocol (UDP) port information using the Windows interface: 1.

Open the NPS console.

2.

Right-click Network Policy Server and then click Properties.

3.

Click the Ports tab, and then examine the settings for ports. If your RADIUS authentication and RADIUS accounting UDP ports vary from the provided default values (1812 and 1645 for authentication, and 1813 and 1646 for accounting), type your port settings in Authentication and Accounting. Note To use multiple port settings for authentication or accounting requests, separate the port numbers with commas.


Demonstration: How to Create a New Connection Request Policy


Create a VPN connection request policy.

6-19

6-20


Lesson 3

NPS Authentication Methods

When users attempt to connect to your network through network access servers—also called RADIUS clients—such as wireless access points, 802.1X authenticating switches, dial-up servers, and VPN servers, NPS authenticates and authorizes the connection request before allowing or denying access. Because authentication is the process of verifying the identity of the user or computer that is attempting to connect to the network, NPS must receive proof of identity from the user or computer in the form of credentials. Some authentication methods implement the use of password-based credentials. For example, Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) requires users to type in a user name and password. The network access server then passes these credentials to the NPS server, which verifies the credentials against the user accounts database. Other authentication methods implement the use of certificate-based credentials for the user, the client computer, the NPS server, or some combination. Certificate-based authentication methods provide strong security and are recommended over password-based authentication methods. When you deploy NPS, you can specify the required type of authentication method for access to your network.


Describe password-based authentication methods for an NPS Server.

•

Describe how certificates are used to provide authentication for network clients.

•

Describe the types of certificates that are needed for various authentication methods.

•

Describe how to deploy certificates for PEAP and EAP.


6-21

Password-Based Authentication Methods

Each authentication method has advantages and disadvantages in terms of security, usability, and breadth of support. However, password-based authentication methods do not provide strong security and are not recommended. We recommend that you use a certificate-based authentication method for all network access methods that support certificate use. This is especially true for wireless connections, for which we recommend the use of PEAP-MS-CHAP v2 or PEAP-TLS. The authentication method you require is determined by the configuration of the network access server, the client computer, and network policy on the NPS server. Consult your access server documentation to determine which authentication methods are supported. You can configure NPS to accept multiple authentication methods. You also can configure your network access servers, also called RADIUS clients, to attempt to negotiate a connection with client computers by requesting the use of the most secure protocol first, then the next most secure, and so on, down to the least secure. For example, the Routing and Remote Access service tries to negotiate a connection using EAP first, then MS-CHAP v2, then MS-CHAP, then Challenge Handshake Authentication Protocol (CHAP), then Shiva Password Authentication Protocol (SPAP), and then Password Authentication Protocol (PAP). When EAP is chosen as the authentication method, the negotiation of the EAP type occurs between the access client and the NPS server.

MS-CHAP Version 2 MS-CHAP v2 provides stronger security for network access connections than MS-CHAP, its predecessor.

MS-CHAP MS-CHAP, also known as MS-CHAP version 1, is a nonreversible, encrypted password-authentication protocol. MS-CHAP v2 provides stronger security for network access connections than MS-CHAP. You should consider using MS-CHAP v2 instead of MS-CHAP.

CHAP The CHAP is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response.

6-22


PAP PAP uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated if the access client and network access server cannot negotiate a more secure authentication method.

Unauthenticated Access With unauthenticated access, user credentials (a user name and password) are not required. Although there are some situations in which unauthenticated access is useful, in most cases, we do not recommend that you deploy unauthenticated access to your organization’s network.


6-23

Using Certificates for Authentication

Certificates are digital documents that certification authorities (CAs) issue, such as Active Directory Certificate Services (AD CS) or the VeriSign public CA. You can use certificates for many purposes, such as code signing and securing email communication. However, with NPS, you use certificates for network access authentication because they provide strong security for authenticating users and computers, and eliminate the need for less secure, password-based authentication methods. NPS servers use EAP-TLS and PEAP to perform certificate-based authentication for many types of network access, including VPN and wireless connections.

Authentication Methods Two authentication methods, when you configure them with certificate-based authentication types, use certificates: EAP and PEAP. With EAP, you can configure the authentication type TLS (EAP-TLS), and with PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAP v2). These authentication methods always use certificates for server authentication. Depending on the authentication type that you configure with the authentication method, you also might use certificates for user authentication and client computer authentication. Note Using certificates for VPN connection authentication is the strongest form of authentication available in Windows Server 2008 R2. You must use certificates for IPsec authentication on VPN connections that are based on Layer Two Tunneling protocol over Internet protocol security (L2TP/IPsec). PPTP connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients (computing devices with wireless network adapters, such as your portable computer or personal digital assistant), use PEAP with EAP-TLS and smart cards or certificates for authentication.

Deploying Certificates for Use with NPS You can deploy certificates for use with NPS by installing and configuring the AD CS server role.

6-24


Mutual Authentication When you use EAP with a strong EAP type (such as TLS with smart cards or certificates), the client and the server use certificates to verify their identities to each other. This process is called mutual authentication. Certificates must meet specific requirements to allow the server and the client to use them for mutual authentication. One such requirement is that the certificate is configured with one or more purposes in Extend Key Usage (EKU) extensions that correlate to the certificate use. For example, you must configure a certificate that you use for a client’s authentication with the Client Authentication purpose. Similarly, you must configure a certificate that you use for a server’s authentication with the Server Authentication purpose. When you use certificates for authentication, the authenticator examines the client certificate, seeking the correct purpose object identifier in EKU extensions. For example, the object identifier for the Client Authentication purpose is 1.3.6.1.5.5.7.3.2. When you use a certificate for client computer authentication, this object identifier must be present in the EKU extensions of the certificate or authentication will fail.

Certificate Templates Certificate Templates is an MMC snap-in that enables customization of certificates that AD CS issues. Customization possibilities include how certificates are issued and what the certificates contain, including their purposes. In Certificate Templates, you can use a default template, such as the Computer template, to define the template that the CA uses to assign certificates to computers. You also can create a certificate template and assign purposes to it in EKU extensions. By default, the Computer template includes the Client Authentication purpose and the Server Authentication purpose in EKU extensions. The certificate template that you create can include any purpose for which you will use the certificate. For example, if you use smart cards for authentication, you can include the Smart Card Logon purpose in addition to the Client Authentication purpose. When using NPS, you can configure NPS to check certificate purposes before granting network authorization. NPS can check additional EKUs and Issuance Policy purposes (also known as Certificate Policies). Note Some non-Microsoft CA software might contain a purpose named All, which represents all possible purposes. This is indicated by a blank (or null) EKU extension. Although All is intended to mean "all possible purposes," you cannot substitute the Allpurpose for the Client Authentication purpose, the Server Authentication purpose, or any other purpose that is related to network access authentication.


6-25

Required Certificates for NPS Authentication Methods

The following table details the certificates that are required to deploy each of the listed certificate-based authentication methods successfully: Certificate

Required for EAP-TLS and PEAP-TLS?

Required for PEAP-MSCHAP v2?

Details

CA certificate in the Trusted Root Certification Authorities certificate store for the Local Computer and Current User

Yes. The CA certificate is enrolled automatically for domain member computers. For non-domain member computers, you must import the certificate manually into the certificate store.

Yes. This certificate is enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually into the certificate store.

For PEAP-MS-CHAP v2, this certificate is required for mutual authentication between client and server.

Client computer certificate in the certificate store of the client

Yes. Client computer certificates are required unless user certificates are distributed on smart cards. Client certificates are enrolled automatically for domain member computers. For nondomain member computers, you must import the certificate manually or obtain it with the Web-enrollment tool.

No. User authentication is performed with password-based credentials, not certificates.

If you deploy user certificates on smart cards, client computers do not need client certificates.

6-26


(continued) Certificate

Required for EAP-TLS and PEAP-TLS?

Required for PEAP-MSCHAP v2?

Details

Server certificate in the certificate store of the NPS server

Yes. You can configure AD CS to auto-enroll server certificates to members of the RAS and IAS servers group in Active Directory.

Yes. In addition to using AD CS for server certificates, you can purchase server certificates from other CAs that client computers already trust.

The NPS server sends the server certificate to the client computer. The client computer uses the certificate to authenticate the NPS server.

User certificate on a smart card

No. This certificate is required only if you choose to deploy smart cards rather than autoenrolling client computer certificates.

No. User authentication is performed with password-based credentials, not certificates.

For EAP-TLS and PEAP-TLS, if you do not auto-enroll client computer certificates, user certificates on smart cards are required.

Important Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication provides authenticated access to 802.11 wireless networks and wired Ethernet networks. 802.1X provides support for secure EAP types, such as TLS with smart cards or certificates. You can configure 802.1X with EAP-TLS in a variety of ways. If you configure the Validate server certificate option on the client, the client authenticates the server by using its certificate. Client computer and user authentication is accomplished using certificates from the client certificate store or a smart card, providing mutual authentication. With wireless clients, you can use PEAP-MS-CHAP v2 as the authentication method. PEAP-MS-CHAP v2 is a password-based user authentication method that uses TLS with server certificates. During PEAP-MS-CHAP v2 authentication, the NPS server supplies a certificate to validate its identity to the client (if the Validate server certificate option is configured on the Windows 7 client). Client computer and user authentication is accomplished with passwords, which eliminates some of the difficulty of deploying certificates to wireless client computers.


6-27

Deploying Certificates for PEAP and EAP

All certificates that you use for network access authentication with EAP-TLS and PEAP must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer-Transport Layer Security (SSL/TLS). After this minimum requirement is met, both client and server certificates have additional requirements.

Minimum Server Certificate Requirements You can configure clients to validate server certificates by using the Validate server certificate option. With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the client accepts the server authentication attempt when the certificate meets the following requirements: •

The Subject name contains a value. If you issue a certificate to your NPS server that has a blank Subject, the certificate is not available to authenticate your NPS server.

•

The computer certificate on the server chains to a trusted root CA and does not fail any of the checks that CryptoAPI performs and that the remote access or network policies specify.

•

The NPS or VPN server computer certificate is configured with the Server Authentication purpose in EKU extensions (the object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1).

•

The server certificate is configured with a required algorithm value of RSA.

•

The Subject Alternative Name (SubjectAltName) extension, if you use it, must contain the server’s FQDN.

With PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, except the following: •

Certificates that do not contain the Server Authentication purpose in EKU extensions

•

Certificates that do not contain a subject name

•

Registry-based and smart card-logon certificates

6-28


Minimum Client Certificate Requirements With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements: •

An enterprise CA issued the client certificate or it is mapped to an Active Directory user or computer account.

•

The user or computer certificate on the client chains to a trusted-root CA; includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2); and fails neither the checks that CryptoAPI performs, which the remote access or network policies specify, nor the Certificate object identifier checks that the NPS network policies specify.

•

The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.

•

For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).

•

For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client’s FQDN, also known as the DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions: •

Wireless clients do not display registry-based and smart card-logon certificates.

•

Wireless clients and VPN clients do not display password-protected certificates.

•

Certificates that do not contain the Client Authentication purpose in EKU extensions.


6-29

Lesson 4

Monitoring and Troubleshooting a Network Policy Server

You can monitor NPS by configuring and using logging for events and user authentication and accounting requests. Event logging enables you to record NPS events in the system and security event logs. You can use request logging for connection analysis and billing purposes. The information that the log files collect is useful for troubleshooting connection attempts and for security investigation.


Describe methods for monitoring NPS.

•

Describe how to configure log file properties.

•

Describe how to configure SQL Server Logging in NPS.

•

Describe how to configure NPS events to be recorded in the Event Viewer.

6-30


Methods Used to Monitor NPS

The two types of accounting, or logging, that you can use to monitor NPS are: •

Event logging for NPS: You can use event logging to record NPS events in the system and security event logs. You use this primarily for auditing and troubleshooting connection attempts.

•

Logging user authentication and accounting requests: You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server database. Use request logging primarily for connection analysis and billing purposes, and as a security investigation tool, because it enables you to identify an attacker’s activity.

To make the most effective use of NPS logging: •

Turn on logging (initially) for authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.

•

Ensure that you configure event logging with sufficient capacity to maintain your logs.

•

Back up all log files on a regular basis, because they cannot be recreated when damaged or deleted.

•

Use the RADIUS Class attribute to track usage and simplify identification of which department or user to charge for usage. Although the Class attribute, which is generated automatically, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is re-sent. You might need to delete duplicate requests from your logs to track usage accurately.

•

To provide failover and redundancy with SQL Server logging, place two computers that are running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, refer to SQL Server documentation. Note To interpret logged data, view the information on the Microsoft TechNet website: http://go.microsoft.com/fwlink/?LinkID=214832&clcid=0x409.


6-31

Logging NPS Accounting

You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure the log files where you want to store the accounting data.

Considerations for Configuring Accounting for NPS The following list provides more information about configuring NPS accounting: •

To send the log file data for collection by another process, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local File Properties dialog box, in Create a new log file, select Never (unlimited file size) when you use named pipes.

•

To create the log file directory, use system environment variables (instead of user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, the following path, using the environment variable %windir%, locates the log file at the system directory in the subfolder \System32\Logs (that is, %windir%\System32\Logs\).

•

Switching log file formats does not cause a new log to be created. If you change log file formats, the file that is active when the change occurs will contain a mixture of the two formats (records at the log’s start will have the previous format, and records at the log’s end will have the new format).

•

If you are administering an NPS server remotely, you cannot browse the directory structure. If you need to log accounting information to a remote server, specify the log file name by typing a Universal Naming Convention (UNC) name, such as \\MyLogServer\LogShare.

•

If RADIUS accounting fails due to a full hard-disk drive or other causes, NPS in Windows Server 2008, and by default in Windows Server 2008 R2, stops processing connection requests, which prevents users from accessing network resources.

6-32


•

NPS enables you to log to a SQL Server database in addition to, or instead of, logging to a local file. Note If you do not supply a full path statement in Log File Directory, the default path is used. For example, if you type NPSLogFile in Log File Directory, the file is located at %systemroot%\System32\NPSLogFile.

Configuring Log File Properties To configure log file properties using the Windows interface, perform the following tasks: 1.


2.


3.

In the details pane, in Log File Properties, click Change Log File Properties. The Local File Properties dialog box opens.

4.

On the Log File tab, in Directory, type the location where you want to store NPS log files. The default location is the systemroot\System32\LogFiles folder.

5.

In Format, select from DTS Compliant, ODBC (Legacy), and IAS (Legacy).

6.

To configure NPS to start new log files at specified intervals, click the interval that you want to use:

7.

•

For heavy transaction volume and logging activity, click Daily.

•

For lesser transaction volumes and logging activity, click Weekly or Monthly.

•

To store all transactions in one log file, click Never (unlimited file size).

•

To limit the size of each log file, click When log file reaches this size, and then type a file size, after which a new log is created. The default size is 10 megabytes (MB).

To configure NPS to delete log files automatically when the disk is full, click When disk is full delete older log files. If the oldest log file is the current log file, it is not deleted. Note To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.


6-33

Configuring SQL Server Logging

You can configure NPS to perform RADIUS accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. You can use this procedure to configure logging properties and the connection to the server—running SQL Server—that stores your accounting data. The SQL Server database can be on the local computer or on a remote server. Note NPS formats accounting data as an XML document that it sends to the report_event stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to function properly, you must have a stored procedure named report_event in the SQL Server database that can receive and parse the XML documents from NPS.

Configuring SQL Server Logging in NPS To configure SQL Server logging in NPS using the Windows interface, perform the following tasks: 1.


2.


3.

In the details pane, in SQL Server Logging Properties, click Change SQL Server Logging Properties. The SQL Server Logging dialog box opens.

4.

In Log the following information, select the information that you want to log:

5.

•

To log all accounting requests, select Accounting requests.

•

To log authentication requests, select Authentication requests.

•

To log periodic status, such as interim accounting requests, select Periodic accounting status.

•

To log periodic status, such as interim authentication requests, select Periodic authentication status.

To configure the number of concurrent sessions that you want to allow between the NPS server and the SQL Server database, type a number in Maximum number of concurrent sessions.

6-34


6.

7.

To configure the SQL Server data source, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following: •

To specify the server’s name on which the database is stored, type or select a name in Select or enter a server name.

•

To specify the authentication method with which to log on to the server, click Use Windows NT integrated security. Or, click Use a specific user name and password and then type credentials in User name and Password.

•

To allow a blank password, select Blank password.

•

To store the password, select Allow saving password.

•

To specify to which database to connect on the computer running SQL Server, click Select the database on the server and then select a database name from the list.

To test the connection between the NPS server and the computer that is running SQL Server, click Test Connection. Note To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.


6-35

Configuring NPS Events to Record in the Event Viewer

You can configure NPS event logging to record connection-request failure and success events in the Event Viewer system log.

Configuring NPS Event Logging To configure NPS event logging using the Windows interface, perform the following tasks: 1.

Open the Network Policy Server (NPS) snap-in.

2.

Right-click NPS (Local) and then click Properties.

3.

On the General tab, select each of the following options, as required, and then click OK. •

Rejected authentication requests

•

Successful authentication requests

Note To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group. Using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure NPS to record. NPS records connection-request failure events in the System and Security event logs by default. Connection-request failure events consist of requests that NPS rejects or discards. Other NPS authentication events are recorded in the Event Viewer system log on the basis of settings that you specify in the NPS snap-in. Therefore, the Event Viewer security log might record some events containing sensitive data.

6-36


Connection-Request Failure Events Although NPS records connection-request failure events by default, you can change the configuration according to your logging needs. NPS rejects or ignores connection requests for a variety of reasons, including the following: •

The RADIUS message is not formatted according to RFCs 2865 or 2866.

•

The RADIUS client is unknown.

•

The RADIUS client has multiple IP addresses and sent the request on an address other than the one defined in NPS.

•

The message authenticator (also known as a digital signature) that the client sent is invalid because the shared secret is invalid.

•

NPS was unable to locate the user name’s domain.

•

NPS was unable to connect to the user name’s domain.

•

NPS was unable to access the user account in the domain.

When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the matching network policy, the reason for the rejection, and other information.

Connection Request Success Events Although NPS records connection request success events by default, you can change the configuration according to your logging needs. When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy.

Logging Schannel Events Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as SSL and TLS. These protocols provide identity authentication and secure, private communication through encryption. Logging of client-certificate validation failures is a secure channel event and is not enabled on the NPS server by default. You can enable additional secure channel events by changing the following registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003). HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogg ing


6-37




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Contoso Ltd. is expanding its remote-access solution to all branch office employees. This will require multiple Routing and Remote Access servers that are located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remoteaccess solution. You have been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy. For this project, you must complete the following tasks: •

Install and configure the Network Policy Server role service

•

Configure a RADIUS Client

•

Configure Certificate auto-enrollment

•

Configure and test a VPN

6-38


Exercise 1: Installing and Configuring the Network Policy Server Role Service Scenario In this exercise, you will install the Network Policy Server role to enable RADIUS on the NYC-DC1 computer. The main tasks for this exercise are as follows: 1.

Install the Network Policy and Access Services role.

2.

Register NPS in AD DS.

3.

Configure NYC-DC1as a RADIUS server for VPN connections.

X Task 1: Install the Network Policy and Access Services role 1.

Switch to NYC-DC1 and open Server Manager.

2.

Add the Network Policy and Access Services role: •

3.

Select only the Network Policy Server role service.


X Task 2: Register NPS in AD DS 1.

Open the Network Policy Server console.

2.

Register the local server in AD DS.

3.

Do not close the console.

X Task 3: Configure NYC-DC1 as a RADIUS server for VPN connections 1.

2.

Configure NYC-DC1 as a RADIUS server by using the Network Policy Server management tool. In the Network Policy Server management tool, in the Getting Started details pane, open the drop-down list under Standard Configuration, and then click RADIUS server for Dial-Up or VPN Connections. Use the following details to complete the process: •

Radius server for Dial-Up or VPN Connections = Configure VPN or Dial-Up

•

Type: Virtual Private Network (VPN) Connections

•

Name: default

•

Add a RADIUS client: •

Friendly name: NYC-EDGE1

•

Shared secret: Pa$$w0rd

•

Authentication methods: MS-CHAPv2 and EAP

•

Encryption settings: Strongest only

Close the console.

Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.


6-39

Exercise 2: Configuring a RADIUS Client Scenario In this exercise, you will configure NYC-EDGE1 as a RADIUS client and VPN server. The main tasks for this exercise are as follows: 1.

Install Routing and Remote Access Services on NYC-EDGE1.

2.

Configure NYC-EDGE1as a VPN Server.

X Task 1: Install Routing and Remote Access Services on NYC-EDGE1 1.

Switch to the NYC-EDGE1 server.

2.

Open Server Manager and install the Network Policy and Access Services role: •

3.

Role services: Routing and Remote Access Services


X Task 2: Configure NYC-EDGE1 as a VPN Server 1.


2.

In the list pane, select and right-click NYC-EDGE1 (Local) and then click Configure and Enable Routing and Remote Access.

3.

Use the following settings to configure the service: a. b. c. d. e. f.

g.

On the Configuration page, accept the defaults. On the Remote Access page, select the VPN check box. On the VPN Connection page, select the network interface with the IP address of 131.107.0.2, 131.107.0.3. On the IP Address Assignment page, select the From a specified range of addresses option. On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60. On the Managing Multiple Remote Access Servers page, choose Yes, set up this server to work with a RADIUS server. •

Primary RADIUS server: NYC-DC1

•

Shared secret: Pa$$w0rd

Accept any messages by clicking OK.

Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.

6-40


Exercise 3: Configuring Certificate Auto-Enrollment Scenario In this exercise, you will enable certificate auto-enrollment and verify that the certificate has been deployed to NYC-CL1. The main tasks for this exercise are as follows: 1.

Configure automatic enrollment with group policy.

X Task 1: Configure automatic enrollment with group policy 1.

Switch to NYC-DC1.

2.

Open Group Policy Management, and open the Default Domain Policy for editing. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.

3.

Create a new Automatic Certificate Request for the Computer certificate template.

4.


5.

Switch to NYC-CL1 and restart the computer.

6.


7.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Verify the presence of a suitable certificate in the Computer\Personal store on NYC-CL1.

Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.


6-41

Exercise 4: Configuring and Testing the VPN Scenario In this exercise, you will move NYC-CL1 to the public network and then create and test a VPN connection. The main tasks for this exercise are as follows: 1.

Reconfigure the NYC-CL1 computer onto the public network.

2.

Create and test a VPN connection.

X Task 1: Reconfigure the NYC-CL1 computer onto the public network •

On NYC-CL1, configure the following IP address settings and then click OK: •

IP Address: 131.107.0.20

•

Subnet mask: 255.255.255.0

•



2.

3.

Create a VPN with the following settings: •


•

Name: Contoso VPN

Modify the default settings of the new VPN connection: •

Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)

•

Data encryption: Maximum strength encryption (disconnect if server declines)

Connect with the new VPN properties as follows: •


•

Password: Pa$$w0rd

•

Domain: Contoso Note The VPN connects successfully.

4.

Disconnect the VPN and close all open windows.

Results: At the end of this exercise, you will have verified the VPN solution.



2.


3.


4.


6-42



Review Questions 1.

Why must you register the NPS server in Active Directory?

2.

How can you make the most effective use of the NPS logging features?

3.

What considerations are there if you choose to use a nonstandard port assignment for RADIUS traffic?

Tools Tool

Use for

Where to find it

Network Policy Server

Managing and creating Network Policy

Network Policy Server on the Administrative Tools menu

Netsh commandline tool

Creating administrative scripts for configuring and managing the Network Policy Server role

From a command window, type netsh –c nps to administer from a command prompt

Event Viewer

Viewing logged information from application, system, and security events

Event Viewer on the Administrative Tools menu

7-1

Module 7 Implementing Network Access Protection Contents: Lesson 1: Overview of Network Access Protection

7-3

Lesson 2: How NAP Works

7-12

Lesson 3: Configuring NAP

7-19

Lesson 4: Monitoring and Troubleshooting NAP

7-26

Lab: Implementing NAP into a VPN Remote Access Solution

7-33

7-2


Module Overview

Your network is only as secure as the least-secure computer attached to it. Many programs and tools exist to help you to secure your network-attached computers, such as antivirus or malware detection software; however, if the software on some of your computers is not up-to-date, or worse, not enabled or configured correctly, then these computers still pose a security risk. Computers that remain within the office environment and are always connected to the same network are relatively easy to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are less easy to control—for example, laptop computers that are connected to customer networks, or to public Wi-Fi hotspots. In addition, unmanaged computers seeking to connect remotely to your network —such as users’ home computers—pose a challenge. Network Access Protection (NAP) enables you to create customized health-requirement policies to validate computer health before allowing access or communication. NAP also automatically updates compliant computers to ensure ongoing compliance and can limit the access of noncompliant computers to a restricted network until they become compliant.


Describe how NAP can help protect your network.

•

Describe the various NAP enforcement processes.

•

Configure NAP.

•

Monitor and troubleshoot NAP.

Implementing Network Access Protection

7-3

Lesson 1

Overview of Network Access Protection

NAP is a policy-enforcement platform that is built into the Windows 7, Windows Vista, Windows XP operating system with Service Pack 3 (SP3), Windows Server® 2008, and Windows Server 2008 R2 operating systems. NAP allows you to more strongly protect network assets by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers connected or connecting to your network remain manageable so they do not become a security risk to the network and other attached computers. Understanding the functionality and limitations of NAP will help you protect your network from the security risks posed by non-compliant computers.


Explain how Network Access Protection can be used to enforce computer health requirements.

•

Describe where you would use Network Access Protection.

•

Describe NAP enforcement methods.

•

Describe the architecture of a NAP-enabled network infrastructure.

7-4


What Is Network Access Protection?

Network Access Protection (NAP) for Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista provides components and an application programming interface (API) that help you to enforce compliance with your organization’s health-requirement policies for network access or communication. NAP enables you to create solutions for validating computers that connect to your networks, in addition to providing needed updates or access to needed health update resources, and limiting the access or communication of noncompliant computers. You can integrate NAP’s enforcement features with software from other vendors or with custom programs. You can customize the health-maintenance solution that developers within your organization might develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access to a restricted network of computers that do not meet health policy requirements. It is important to remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the health of your organization’s networked computers automatically, which in turn helps maintain your network’s overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and will have unlimited network access. However, NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

Aspects of NAP NAP has three important and distinct aspects: •

Health state validation: When a computer attempts to connect to the network, the computer’s health state is validated against the health-requirement policies that the administrator defines. You also can define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies could find their access limited to a restricted network.


7-5

•

Health policy compliance: You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft® System Center Configuration Manager. In a monitoring-only environment, computers will have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are complete. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.

•

Limited access: You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific amount of time, or on what resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access will last until the noncompliant computer comes into compliance. You also can configure exceptions so that computers that are not compatible with NAP do not have limited network access.

7-6


NAP Scenarios

NAP provides a solution for the common scenarios described in this section. Depending on your needs, you can configure a solution to address any or all of these scenarios for your network.

Roaming Laptops Portability and flexibility are two primary laptop advantages, but these features also present a system health threat. Users frequently connect their laptops to other networks. While users are away from your organization, their laptops might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the laptops. NAP allows you to check any laptop’s health state when it reconnects to the organization’s network, whether through a virtual private network (VPN), DirectAccess connection, or the workplace network connection.

Desktop Computers Although desktop computers are usually not taken out of the company building, they still can present a threat to your network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly accessible resources. NAP allows you to automate health state checks to verify each desktop computer’s compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, using management software allows you to generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, computers can be provisioned automatically with the most recent updates.

Visiting Laptops Organizations frequently need to allow consultants, business partners, and guests to connect to their private networks. The laptops that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting laptops are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting laptops. You can configure Internet access for visiting laptops, but not for other organizational computers that have limited access.


7-7

Unmanaged Home Computers Unmanaged home computers that are not a member of the company’s Active Directory® domain can connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements—such as the use of antivirus software—more difficult. However, NAP enables you to verify the health state of a home computer every time it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.

7-8


NAP Enforcement Methods

Components of the NAP infrastructure—known as enforcement clients and enforcement servers—require health-state validation, and enforce limited network access for noncompliant computers. Windows 7, Windows Vista, Windows XP with SP3, Windows Server 2008, and Windows Server 2008 R2 include NAP support for the following network access or communication methods: •

IPsec-protected traffic: IPsec enforcement confines communication to compliant computers after they have connected successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.

•

Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated network connections: With IEEE 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an IEEE 802.1X-authenticated network connection, such as to an authenticating Ethernet switch, or an IEEE 802.11 wireless access point (AP).

•

Remote access VPN connections: With VPN enforcement, a computer must be compliant to obtain unlimited network access through a remote access VPN connection. For noncompliant computers, network access is limited through a set of IP packet filters that the VPN server applies to the VPN connection.

•

DirectAccess connections: For DirectAccess connections, a computer must be compliant to obtain unlimited network access through a DirectAccess server. For noncompliant computers, network access is limited to the set of computers that are defined as infrastructure servers using the infrastructure tunnel. Compliant computers can create the separate intranet tunnel that provides unlimited access to intranet resources. DirectAccess connections use IPsec enforcement.

•

Dynamic Host Configuration Protocol (DHCP) address configurations: With DHCP enforcement, a computer must be compliant to obtain an unlimited access Internet Protocol version 4 (IPv4) address configuration from a DHCP server. For noncompliant computers, network access is restricted with an IPv4 address configuration that limits access to the restricted network.


7-9

These network access or communication methods are known as NAP enforcement methods. You can use them separately or together to limit noncompliant computer access or communication. A server that is running Network Policy Server (NPS) in Windows Server 2008—the replacement for Internet Authentication Server (IAS) in Windows Server 2003—acts as a health policy server for all of these NAP enforcement methods.

7-10


NAP Platform Architecture

The components of a NAP-enabled network infrastructure are described in the following table. Components

Description

NAP clients

Computers that support the NAP platform for system health-validated network access or communication.

NAP enforcement points

Computers or network-access devices that use NAP or that you can use with NAP to require evaluation of a NAP client’s health state, and then provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate: the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following: • HRA: a computer that runs Windows Server 2008 and Internet Information Services (IIS), and that obtains health certificates from a certification authority (CA) for compliant computers. • VPN server: a computer that runs Windows Server 2008 and Routing and Remote Access, and that enables remote access VPN intranet connections through remote access. • DHCP server: a computer that runs Windows Server 2008 and the DHCP Server service, and that provides automatic Internet Protocol version 4 (IPv4) address configuration to intranet DHCP clients. • Network access devices: Ethernet switches or wireless access points that support IEEE 802.1X authentication.


7-11

(continued) Components

Description

NAP health policy servers

These are computers that run Windows Server 2008 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), and the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers

These are computers that provide the current system health state for NAP health policy servers. An example of these would be a health-requirement server for an antivirus program that tracks the latest version of the antivirus signature file.

AD DS

This Windows directory service stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network

This is a separate logical or physical network that contains: • Remediation servers: computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers. • NAP clients with limited access: computers that are placed on the restricted network when they do not comply with health-requirement policies.

7-12


Lesson 2

How NAP Works

When a client attempts to access or communicate on the network, it must present its system health state or proof-of-health compliance. If a client cannot prove that it is compliant with system-health requirements—for example, that it has the latest operating system and antivirus updates installed—its access to, or communication on, the network can be limited to a restricted network that contains server resources until the health-compliance issues are remedied. After the updates are installed, the client requests access to the network or attempts the communication again. If compliant, the client is granted unlimited access to the network or the communication is allowed.


Describe the general NAP enforcement process.

•

Discuss IPsec enforcement.

•

Describe 802.1x enforcement.

•

Explain VPN enforcement.

•

Discuss DHCP enforcement.


7-13

NAP Enforcement Processes

Whatever form of NAP enforcement you select, many of the client-server communications are common. The following points summarize these communications. •

Between a NAP client and a Health Registration Authority (HRA)

•

Depending upon the type of enforcement selected, the following communication occurs: •

Between a NAP client and an 802.1X network access device

•

Between a NAP client and a VPN server

•

Between a NAP client and a DHCP server

•

Between a NAP client and a remediation server

•

Between an HRA and a NAP health policy server

•

Between an 802.1X network access device and a NAP health policy server

•

Between a VPN server and a NAP health policy server

•

Between a DHCP server and a NAP health policy server

•

Between a NAP health policy server and a health-requirement server

7-14


IPsec Enforcement

With IPsec enforcement, a computer must be compliant to initiate communications with other compliant computers. Because IPsec enforcement is leveraging IPsec, you can define requirements for protected communications with compliant computers using one of the following parameters: •

Per-IP address

•

Per Transmission Control Protocol (TCP)

•

User Datagram Protocol (UDP) port number

IPsec enforcement confines communication to compliant computers after they have connected successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP. The components of IPsec enforcement consist of an HRA that is running Windows Server 2008 R2 and an IPsec enforcement client (EC) in one of the following operating systems: •

Windows 7

•

Windows Vista

•

Windows XP Service Pack 3

•

Windows Server 2008

•

Windows Server 2008 R2

The HRA obtains X.509 certificates for NAP clients when the clients have proven that they are compliant. These health certificates then are used to authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet.


7-15

IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts sent from computers that cannot negotiate IPsec protection using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement. Because you can take advantage of IPsec policy settings, the enforcement of health certificates can be done for all computers in a domain, specific computers on a subnet, a specific computer, a specific set of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, or for a set of TCP or UDP ports on a specific computer. IPsec enforcement divides a physical network into three logical networks. A computer can be a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation, and provide compliant computers with a level of protection from noncompliant computers. IPsec enforcement defines the following logical networks: •

Secure network: The set of computers that have health certificates and that require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the Active Directory domain would be in the secure network.

•

Boundary network: The set of computers that have health certificates, but which do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to the entire network of computers.

•

Restricted network: The set of computers that do not have health certificates that include noncompliant NAP client computers, guests on the network, or computers that are not NAP-capable, such as computers running Windows versions that do not support NAP, or Apple Macintosh or UNIXbased computers.

7-16


802.1x Enforcement

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection, such as to an authenticating Ethernet switch or an IEEE 802.11 wireless access point (AP). For noncompliant computers, network access is limited through a restricted access profile that the Ethernet switch or wireless AP places on the connection. The restricted access profile can specify either IP packet filters, or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network. 802.1X enforcement imposes health policy requirements every time a computer attempts an 802.1Xauthenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant. The components of 802.1X enforcement consist of NPS in Windows Server 2008 R2 and an EAPHost EC in Windows 7, Windows Vista, Windows XP Service Pack 3, Windows Server 2008, and Windows Server 2008 R2. 802.1X enforcement provides strong limited network access for all computers that access the network through an 802.1X-authenticated connection.


7-17

VPN Enforcement

VPN enforcement imposes health policy requirements every time a computer attempts to obtain a remote access VPN connection to the network. VPN enforcement also actively monitors the health status of the NAP client and applies the restricted network’s IP packet filters to the VPN connection if the client becomes noncompliant. The components of VPN enforcement consist of NPS in Windows Server 2008 and a VPN EC that is part of the remote access client in: •

Windows 7

•

Windows Vista

•


•

Windows Server 2008

•


VPN enforcement provides strong limited network access for all computers that access the network through a remote access VPN connection.

7-18


DHCP Enforcement

DHCP enforces health policy requirements every time a DHCP client attempts to lease or renew an IP address configuration. DHCP enforcement also actively monitors the NAP client’s health status and, if the client becomes noncompliant, renews the IPv4 address configuration for access only to the restricted network. The components of DHCP enforcement consist of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 R2 and a DHCP EC that is part of the DHCP Client service in: •

Windows 7

•

Windows Vista

•


•

Windows Server 2008

•


Because DHCP enforcement relies on a limited IPv4 address configuration that a user who has administrator-level access can override, it is the weakest form of limited network access in NAP. DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255 so that there is no route to the attached subnet. To allow the noncompliant computer to access the restricted network’s remediation servers, the DHCP server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted network’s computers, such as the DNS and remediation servers. The end result of DHCP limited network access is a configuration and routing table that allows connectivity only to specific destination addresses that correspond to the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied by the Classless Static Routes option, the TCP/IP protocol returns a routing error.


7-19

Lesson 3

Configuring NAP

To get the best from NAP, you must understand how to configure the various elements of a NAP solution.


Describe what System Health Validators are.

•

Explain what a health policy is.

•

Discuss the use of Remediation Server Groups.

•

Describe NAP client configuration requirements.

•

Enable and configure NAP.

7-20


What Are System Health Validators?

System Health Agents (SHAs) and System Health Validators (SHVs), which are NAP infrastructure components, provide health-state status and validation. Windows 7 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings. Windows Server 2008 R2 includes a corresponding Windows Security Health Validator SHV. NAP is designed to be flexible and extensible, and interoperates with any vendor’s software that provides SHAs and SHVs that use the NAP API. An SHV receives an SoH and compares the system health status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client’s SoH. The SHV returns an SoHR to the NAP Administration Server. The SoHR can contain remediation information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client’s antivirus SHA to request the latest version, by name or IP address, of the antivirus signature file from a specific antivirus signature server.


7-21

What Is a Health Policy?

Health policies consist of one or more SHVs and other settings that allow you to define client-computer configuration requirements for the NAP-capable computers that attempt to connect to your network. When NAP-capable clients attempt to connect to the network, the client computer sends an SoH to the NPS. The SoH is a report of the client configuration state, and NPS compares the SoH to the requirements that the health policy defines. If the client configuration state does not match the requirements that the health policy defines, NPS takes one of the following actions, depending on the NAP configuration: •

Rejecting the connection request.

•

Placing the NAP client on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance and resubmits its new health state, NPS enables it to connect.

•

Allowing the NAP client to connect to the network despite its noncompliance with health policy.

You can define NPS client-health policies by adding one or more SHVs to the health policy. After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers attempt connection to your network.

7-22


What Are Remediation Server Groups?

A remediation server group is a list of restricted network servers that provide resources that bring noncompliant NAP-capable clients into compliance with your defined client health policy. A remediation server hosts the updates that a NAP agent can use to bring noncompliant client computers into compliance with health policy, as NPS defines. For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions, then the following work together to update noncompliant computers: an antivirus SHA, an antivirus SHV, an antivirus policy server, and the remediation server.


7-23

NAP Client Configuration

Remember these basic guidelines when you configure NAP clients: •

Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. Security Center is not included with Windows Server 2008 or Windows Server 2008 R2.

•

You must enable the Network Access Protection Client service when you deploy NAP to NAP-capable client computers.

•

You must configure the appropriate NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy You can use the Enable Security Center in Group Policy procedure to enable Security Center on NAPcapable clients using Group Policy. Some NAP deployments that use Windows Security Health Validator require Security Center. Note To complete this procedure, you must be a member of the Domain Admins, the Enterprise Admins group, or the Administrators group on the local computer. To enable Security Center in Group Policy: 1.

Open the Group Policy Management console and then click Add.

2.

In the Select Group Policy Object dialog box, click Finish and then click OK.

3.

In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.

4.

Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

7-24


Enable the Network Access Protection Service on Clients You can use the Enable the Network Access Protection Service on Clients procedure to enable and configure NAP service on NAP-capable client computers. When you deploy NAP, enabling this service is required. Note To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer. To enable the Network Access Protection service on client computers: 1.

Click Start, click Control Panel, click System and Security, click Administrative Tools, and then double-click Services.

2.

In the services list, scroll down to and then double-click Network Access Protection Agent.

3.

In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic and then click OK.

Enable and Disable NAP Enforcement Clients You can use the Enable and Disable NAP Enforcement Clients procedure to enable or disable one or more NAP enforcement clients on NAP-capable computers. These clients can include: •

DHCP Enforcement Client

•

Remote Access Enforcement Client

•

EAP Enforcement Client

•

IPsec Enforcement Client (also used for DirectAccess connections)

•

TS Gateway Enforcement Client

To enable and disable NAP Enforcement Clients: 1.

Open the NAP client configuration console, click Start, click All Programs, click Accessories, click Run, type NAPCLCFG.MSC, and then click OK.

2.

Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable and then click Enable or Disable. Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider performing this procedure using the Run as command.


Demonstration: How to Configure Network Access Protection


Install the NPS server role.

•

Configure NPS as a NAP health policy server.

•

Configure health policies.

•

Configure network policies for compliant computers.

•

Configure network policies for noncompliant computers.

•

Configure the DHCP server role for NAP.

•

Configure client NAP settings.

•

Test NAP.

7-25

7-26


Lesson 4

Monitoring and Troubleshooting NAP

Troubleshooting and monitoring NAP is an important administrative task because of different technology levels, including varied expertise and prerequisites, for each NAP enforcement method. Trace logs are available for NAP, but are disabled by default. These logs serve two purposes: troubleshooting and evaluating a network’s health and security.


Describe how NAP Tracing can help monitor and troubleshoot NAP.

•

Configure NAP Tracing.

•

Troubleshoot NAP with Netsh.

•

Use the NAP event log to troubleshoot NAP.


7-27

What Is NAP Tracing?

Aside from the preceding general guidelines, you can use the NAP Client Configuration snap-in to configure NAP tracing. Tracing records NAP events in a log file, and is useful for troubleshooting and maintenance. Additionally, you can use tracing logs to evaluate your network’s health and security. You can configure three levels of tracing: Basic, Advanced, and Debug. Enable NAP tracing when: •

Troubleshooting NAP problems.

•

Evaluating the overall health and security of your organization’s computers.

In addition to trace logging, you can view NPS accounting logs. These logs could contain useful NAP information. By default, NPS accounting logs are located in %systemroot%\system32\logfiles. The following logs might contain NAP-related information: •

IASNAP.LOG: this contains detailed data about NAP processes, NPS authentication, and NPS authorization.

•

IASSAM.LOG: this contains detailed data about user authentication and authorization. Note For information about the format of NPS accounting log files, refer to the Microsoft TechNet website: http://go.microsoft.com/fwlink/?LinkId=136631).

7-28


Demonstration: How to Configure NAP Tracing

Two tools are available for configuring NAP tracing. The NAP Client Configuration console is part of the Windows user interface, and netsh is a command-line tool.

Using the Windows User Interface You can use the Windows user interface to enable or disable NAP tracing and to specify the level of recorded detail by performing the following steps: 1.

Open the NAP Client Configuration console by running napclcfg.msc.

2.

In the console tree, right-click NAP Client Configuration (Local Computer) and then click Properties.

3.

In the NAP Client Configuration (Local Computer) Properties dialog box, choose Enabled or Disabled. Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, consider performing this operation using the Run as command.

4.

If Enabled is chosen, under Specify the level of detail at which the tracing logs are written, select Basic, Advanced, or Debug.

Using a Command-Line Tool To use a command-line tool to enable or disable NAP tracing and specify the level of recorded detail, perform the following steps: 1.

Open an elevated command prompt.

2.

To enable or disable NAP tracing, do one of the following: •

To enable NAP tracing and configure for basic or advanced logging, type: netsh nap client set tracing state=enable level =[advanced or basic]


7-29

•

To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable level =verbose

•

To disable NAP tracing, type: netsh nap client set tracing state=disable

Note To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, consider performing this operation using the Run As command.

Viewing Log Files To view the log files, navigate to the %systemroot%\tracing\nap directory and open the particular trace log that you want to view.

Demonstration This demonstration shows how to: •

Configure tracing from the GUI.

•

Configure tracing from the command-line.

7-30


Troubleshooting NAP with Netsh

You can use the following tools to help troubleshoot NAP.

Netsh Commands Use the netsh NAP command to help troubleshoot NAP issues. The following commands are particularly useful. netsh NAP client show state

This command displays the status of a NAP client, including the following: •

Restriction state

•

Status of enforcement clients

•

Status of installed SHAs

•

Trusted server groups that have been configured netsh NAP client show config

This command displays the local configuration settings on a NAP client, including: •

Cryptographic settings

•

Enforcement client settings

•

Trusted server groups settings

•

Client tracing settings that have been configured


netsh NAP client show group

This command displays the Group Policy configuration settings on a NAP client, including: •

Cryptographic settings

•

Enforcement client settings

•

Trusted server groups settings

•

Client tracing settings that have been configured Note You can find out more about the relevant Netsh commands from the Microsoft TechNet website: http://go.microsoft.com/fwlink/?LinkID=128797.

7-31

7-32


Troubleshooting NAP with Event Logs

NAP services record NAP-related events into the Windows event logs. The following events provide information about NAP services that are running on an NPS server. To view these events, open Event Viewer and select Custom Views, select Server Roles, and then select Network Policy and Access Services. •

Event ID 6272: Network Policy Server granted access to a user. Occurs when a NAP client is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.

•

Event ID 6273: Network Policy Server denied access to a user. Occurs when a problem occurs with authentication or authorization and is associated with a reason code.

•

Event ID 6274: Network Policy Server discarded the request for a user. Occurs if there is a configuration problem. It can occur if RADIUS client settings are incorrect or if NPS cannot create accounting logs.

•

Event ID 6276: Network Policy Server quarantined a user. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access.

•

Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time when the date specified in the policy has passed.

•

Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy. Occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.


7-33




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection (NAP). As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers. For this project, you must complete the following tasks: •

Configure NAP Server Components

•

Configure NAP for VPN clients

7-34


Exercise 1: Configuring NAP Components Scenario In this exercise, you will configure the required server-side components to support the Contoso, Ltd. requirement. The main tasks for this exercise are as follows: 1.

Configure a computer certificate.

2.

Configure NYC-EDGE1 with NPS functioning as a health policy server.

3.

Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server.

4.

Allow ping on NYC-EDGE1.

X Task 1: Configure a computer certificate 1.

Switch to the NYC-DC1 virtual server.

2.

Open the Certification Authority tool.

3.

From the Certificate Templates Console, open the properties of the Computer certificate template.

4.

On the Security tab, grant the Authenticated Users group the Allow Enroll permission.

5.

Close the Certification Authority tool.

X Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server 1.

Switch to the NYC-EDGE1 computer.

2.

Create a management console by running mmc.exe.

3.

Add the Certificates snap-in with the focus on the local computer account.

4.

Navigate to the Personal certificate store and Request New Certificate.

5.

On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.

6.

Enroll the Computer certificate that is listed.

7.

Close the console and do not save the console settings.

8.

Using Server Manager, install the NPS Server with the following role services: Network Policy Server and Remote Access Service.

9.

Open the Network Policy Server tool.

10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator. 11. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections. 12. Create a health policy with the following settings: •

Name: Compliant

•

Client SHV checks: Client passes all SHV checks

•

SHVs used in this health policy: Windows Security Health Validator


7-35

13. Create a health policy with the following settings: •

Name: Noncompliant

•

Client SHV checks: Client fails one or more SHV checks

•

SHVs used in this health policy: Windows Security Health Validator

14. Disable all existing network policies. 15. Configure a new network policy with the following settings: •

Name: Compliant-Full-Access

•

Conditions: Health Policies = Compliant

•

Access permissions: Access granted

•

Settings: NAP Enforcement = Allow full network access

16. Configure a new network policy with the following settings: •

Name: Noncompliant-Restricted

•

Conditions: Health Policies = Noncompliant

•

Access permissions: Access granted

Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions. •

Settings: i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected. ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.

17. Disable existing connection request policies. 18. Create a new Connection Request Policy with the following settings: •

Policy name: VPN connections

•

Type of network access server: Remote Access Server (VPN-Dial up)

•

Conditions: Tunnel type = L2TP, SSTP, and PPTP

•

Authenticate requests on this server = true

•

Authentication methods: i. Select Override network policy authentication settings ii. Add Microsoft: Protected EAP (PEAP) iii. Add Microsoft: Secured password (EAP-MSCHAP v2)

•

Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.

19. Close the Network Policy Server console.

7-36


X Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server 1.


2.

Select Configure and Enable Routing and Remote Access.

3.

Use the following settings to complete configuration: a.

Select Remote access (dial-up or VPN).

a.

Select the VPN check box.

b.

Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.

c.

IP Address Assignment: From a specified range of addresses: •

d.

10.10.0.100 > 10.10.0.110

Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.

4.

In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.

5.

Close Network Policy Server management console and the Routing and Remote Access console.

X Task 4: Allow ping on NYC-EDGE1 1.


2.

Create an Inbound Rule with the following properties: •

Type: Custom

•

All programs

•

Protocol type: Choose ICMPv4 and then click Customize •

3.

Specific ICMP types: Echo Request

•

Default scope

•

Action: Allow the connection

•

Default profile

•

Name: ICMPv4 echo request

Close the Windows Firewall with Advanced Security console.

Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.


7-37

Exercise 2: Configuring Client Settings to Support NAP Scenario In this exercise, you will implement a VPN on NYC-CL1 and test the computer’s health against the NAP configuration you previously created. The main tasks for this exercise are as follows: 1.

Configure Security Center.

2.

Enable client NAP enforcement.

3.

Move the client to the Internet.

4.

Create a VPN on NYC-CL1.

X Task 1: Configure Security Center 1.


2.

Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.

3.

Close the Local Group Policy Editor.

X Task 2: Enable client NAP enforcement 1.

Run the NAP Client Configuration tool (napclcfg.msc).

2.

Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.

3.

Close the NAP Client Configuration tool.

4.

Run services.msc and configure the Network Access Protection Agent service for automatic startup.

5.

Start the service.

6.

Close the services console.

X Task 3: Move the client to the Internet 1.

2.

Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings: •

IP address: 131.107.0.20

•

Subnet mask: 255.255.255.0

•

Default gateway: blank

•

Preferred DNS server: blank

Verify that you can successfully ping 131.107.0.2.

X Task 4: Create a VPN on NYC-CL1 1.

Create a new VPN connection with the following properties: •


•

Destination name: Contoso VPN

•

Allow other people to use this connection: true

7-38


2.

•

User name: administrator

•

Password: Pa$$w0rd

•

Domain: CONTOSO

Once you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN: •

Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).

•

Properties of this authentication type: i. Validate server certificate: true ii. Connect to these servers: false iii. Authentication method: Secured password (EAP-MSCHAP v2) iv. Enable Fast Reconnect: false v. Enforce Network Access Protection: true

3.

4.

Test the VPN connection: a.

In the Network Connections window, right-click the Contoso VPN connection and then click Connect.

b.

In the Connect Contoso VPN window, click Connect.

c.

View the details of the Windows Security Alert. Verify that the correct certificate information is displayed and then click Connect.

Verify that your computer meets the health requirements of the NAP policy: a.

Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.

b.

Ping 10.10.0.10.

5.


6.

Configure Windows Security Health Validator to require an antivirus application: a.

Switch to NYC-EDGE1 and open Network Policy Server.

b.

Modify the Default Configuration of the Windows Security Health Validator so that An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.

7.

Switch back to NYC-CL1 and reconnect the VPN.

8.

Verify that your computer does not meet the health requirements of the NAP policy:

9.

a.

Verify that a message is displayed in the Action Center stating that the computer does not meet security standards.

b.

Use IPCONFIG /all to verify that the System Quarantine State is Restricted.

Disconnect the VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.




2.


3.


4.


7-39

7-40



Review Questions 1.

What are the three main client configurations that you need to configure for most NAP deployments?

2.

You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events?

3.

On a client computer, what steps must you perform to ensure that it can be assessed for health?

Tools Tool

Use For

Where to find it

Services

Enable and configure the NAP service on client computers.

Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then click double-click Services.

Netsh nap

Using netsh, you can create scripts to automatically configure a set of NAP and display the configuration and status of the NAP client service.

Open a command window with administrative rights and type netsh –c nap. You can type help to get a full list of available commands.

Group policy

Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.

Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration, Administrative Templates, Windows Components, and Security Center sections of Group Policy.

Configure NAP with a wizard

Used to create the health policies, connection request policies, and Network Access Protection (NAP) with Network Policy Server.

Open the NPS (Local) console. In Getting Started and Standard Configuration, select Network Access Protection (NAP) policy server. The text and links below the text change to reflect your selection. Click Configure NAP with a wizard.

8-1

Module 8 Increasing Security for Windows Servers Contents: Lesson 1: Windows Security Overview

8-3

Lesson 2: Configuring Windows Firewall with Advanced Security

8-9

Lesson 3: Deploying Updates with Windows Server Update Services

8-15

Lab: Increasing Security for Windows Servers

8-23

8-2


Module Overview

Security is an essential consideration for networking with Windows Server 2008. No system is ever completely secure, but you can implement various methods to increase security. Windows Firewall with Advanced Security is one of the features in Windows Server 2008 that is used to increase security. You can also use Windows Server Update Services to ensure that approved security updates are applied to servers in a timely way.


Describe a process for increasing the security of Windows Server 2008.

•

Configure Windows Firewall with Advanced Security.

•

Describe Windows Server Update Services and how to use it.

Increasing Security for Windows Servers

8-3

Lesson 1

Windows Security Overview

Securing computer systems is an ongoing process. You need to assess security risks and the costs associated with those risks to make informed decisions about implementing measures to mitigate those risks. One thing to consider during the planning process is defense-in-depth, which dictates that multiple layers of security should be used to defend your systems.

Objectives After this lesson, you will be able to: •

Describe security risks for Windows Server 2008 and the costs associated with them.

•

Describe how the defense-in-depth model addresses security.

•

Describe best practices for increasing the security of Windows Server 2008.

8-4


Discussion: Identifying Security Risks and Costs

The first step in defending your systems is identifying the potential risks and their costs. Then you can make intelligent decisions about how to allocate resources to mitigate those risks. Question: What are some of the risks and associated costs to Windows-based networks?


8-5

Applying Defense-in-Depth to Increase Security

After you discover and document the risks that your organization faces, the next step is to examine and organize the defenses that you will use to provide a security solution. The defense-in-depth security model is an excellent starting point. This model identifies seven levels of security defenses that should be addressed. The layers of defense provide a view of your environment, area by area, that you should consider when designing your network’s security defenses. The layers of the defense-in-depth security model are: •

Data: This layer is concerned with access to organizational data such as documents, database content, or customer information. Potential defenses include NTFS permissions, database permissions, and permissions within applications.

•

Application: This layer is concerned with risks to a running application. Typically, this would be some type of malware that takes advantage of a vulnerability in an application. Potential defenses include ensuring that the latest updates are applied to applications and reducing the number of applications if possible.

•

Host: This layer is concerned with risks to the operating system and operating system services. Typically, this would be some type of malware that takes advantage of a vulnerability in the operating system. The best defenses are limiting services to only those that are required and applying security updates quickly. Windows Firewall can also be used to prevent network access to running services that are not authorized.

•

Internal network: This layer is concerned with risks to data on the internal network. The primary concern is unauthorized access to data while it is on the network. Various methods can be used to ensure that clients are properly authenticated before being granted access to the network. Network data can also be encrypted by using IPsec.

•

Perimeter network: This layer is concerned with risks that arise from accessing resources in the perimeter network from the Internet. Firewall configuration is the primary method of defense at this layer, but other methods such as intrusion detection systems can also be used.

8-6


•

Physical security: This layer is concerned with physical access to devices and the risks associated with that. Some physical risks include USB devices with malware and booting systems in an alternate operating system to access data.

•

Policies, procedures, and awareness: This layer surrounds all other layers because it impacts them all. The policies and procedures that your organization implements are critical to prevent security risks at every layer. In addition, awareness of those policies and procedures is required to ensure that they are followed.


Best Practices for Increasing Security

Consider the following best practices for increasing security: •

Apply all available security updates quickly after they are released. You should strive to implement security updates as quickly as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of known vulnerabilities after an update has been released which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.

•

Follow the principle of least privilege. Provide users and service accounts with the lower permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also limits the ability to accidentally delete data or modify critical operating system settings.

•

Restrict console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop for server administration, ensure that enhanced security features like user account control are enabled.

•

Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. A wide number of tools can be used to quickly reset the password on local administrator accounts and allow local access. In addition, an unauthorized person could use a USB drive to introduce malware.

8-7

8-8


Security Configuration Wizard

The Security Configuration Wizard (SCW) is a tool included in Windows Server 2008 to help increase security. SCW analyzes the configuration of your server and provides recommendations. You have the opportunity to review and modify the recommendations before saving them as a security policy that can be applied to the current server or other servers. If you encounter problems after applying a security policy, you can use SCW to roll back the most recently applied security policy. The first step that SCW performs is identifying the server roles and features that are installed. You have the option to review and verify that the installed roles and features are correct. You can also add or remove server roles and features. The recommendations provided by SCW include: •

Service to enable or disable

•

Windows Firewall rules to enable or disable

•

Registry settings such as compatibility with Windows NT 4.0

•

Audit policy


Lesson 2

Configuring Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is an important tool for enhancing the security of Windows Server 2008. It helps to prevent several different security issues, such as port scanning or malware. Windows Firewall with Advanced Security has multiple firewall profiles, each of which applies unique settings to different types of network. Firewall rules can be configured manually on each server or centrally by using Group Policy.


Describe the features of Windows Firewall with Advanced Security.

•

Describe why a host-based firewall is important.

•

Describe Firewall Profiles.

•

Configure Firewall Profiles.

•

Describe how to deploy Windows Firewall rules.

8-9

8-10


What Is Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security is a host-based firewall that is included as a feature in Windows Server 2008. It is a firewall that runs on the local computer and restricts network access to and from that computer. Unlike a perimeter firewall, which provides protection only from threats on the Internet, a hostbased firewall provides protection from threats on the internal network.

Inbound and Outbound Rules Inbound rules control communication with the computer that is initiated by another device or computer on the network. By default, all inbound communication is blocked except the traffic that is explicitly allowed by an inbound rule. Outbound rules control communication that is initiated by the computer and destined for a device or computer on the network. By default, all outbound communication is allowed except the traffic that is explicitly blocked by an outbound rule. If you choose to block all outbound communication except the traffic that is explicitly allowed, you must have carefully cataloged the software that is allowed to run on that computer and the network communication that it requires. Inbound and outbound rules can be created based on UDP and TCP ports. They can also be created to allow a specific executable network access regardless of the port number being used.

Connection Security Rules Connection Security Rules are used to configure IPsec for Windows Server 2008. When these rules are configured, you can authenticate communication between computers and use that information to create firewall rules based on specific user and computer accounts.


Discussion: Why Is a Host-Based Firewall Important?

Windows Firewall with Advanced Security is enabled by default on all recent versions of Windows Server 2008. Question: Why is it important to use a host-based firewall like Windows Firewall with Advanced Security?

8-11

8-12


Firewall Profiles

Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type. Windows Server 2008 allows a network to be defined as a domain network, public network, or private network. Windows Firewall with Advanced Security allows you to define a configuration set for each type of network; each configuration set is a firewall profile. Firewall rules are activated only for specific firewall profiles. A network is automatically configured as a domain network if it provides connectivity to domain controllers. In most cases, Windows Server 2008 uses the domain firewall profile. If a server is in a location where it does not have access to a domain, such as a perimeter network, then a server will use the public firewall profile or private firewall profile. This is determined by an administrator that has defined the network as either public or private. Windows Server 2008 R2 allows multiple firewall profiles to be active on a server at the same time. This means that a multi-homed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network and the public or private firewall profile to the perimeter network.


Demonstration: How to Configure Firewall Profiles


Configure firewall profiles.

8-13

8-14


Deploying Windows Firewall Rules

How you deploy Windows Firewall rules is an important consideration. Choosing the appropriate method ensures that rules are deployed accurately and with minimum effort. You can deploy Windows Firewall rules in the following ways: •

Manually: You can individually configure firewall rules on each server. However, in an environment with more than a few servers, this is labor intensive and prone to error. This method is typically used only during testing and troubleshooting.

•

Using Group Policy: The preferred way to distribute firewall rules is by using Group Policy. After creating and testing a Group Policy object with the required firewall rules, you can quickly and accurately deploy the firewall rules to a large number of computers.

•

Exporting and importing firewall rules: Windows Firewall with Advanced Security also gives you the option to import and export firewall rules. Exporting firewall rules is useful to create a backup before manually configuring firewall rules during troubleshooting. When you import firewall rules, they are treated as a complete set and replace all currently configured firewall rules.


8-15

Lesson 3

Deploying Updates with Windows Server Update Services

Windows Server Update Services (WSUS) improves security by applying security updates to servers in a timely way. It provides the infrastructure to download, test, and approve security updates. Applying security updates quickly helps prevent security incidents that are a result of known vulnerabilities.


Describe Windows Server Update Services.

•

Explain the WSUS process.

•

Identify the server requirements for WSUS.

•

Describe how to configure automatic updates to use WSUS.

•

Explain how WSUS is administered.

•

Identify computer groups in WSUS.

•

Describe the options for approving WSUS updates.

8-16


What Is Windows Server Update Services?

WSUS is a server role included in Windows Server 2008 that downloads and distributes updates to Windows clients and servers. It can obtain updates that are applicable to the operating system and common Microsoft applications such as Microsoft Office and SQL Server. In the simplest configuration, a small organization can have a single WSUS server that downloads updates from Microsoft Update. The WSUS server then distributes the updates to computers that are configured to obtain automatic updates from the WSUS server. Updates must be approved before clients can download them. Larger organizations can create a hierarchy of WSUS servers where a single centralized WSUS server obtains updates from Microsoft Update and other WSUS servers obtain updates from the centralized WSUS server. Computers can be organized into groups to simplify the approval of updates. For example, a pilot group can be configured as the first set of computers that are used for testing updates. WSUS can generate reports to help with monitoring of update installation. These reports can identify which computers have not applied recently approved updates. Then, you can investigate why the updates are not being applied.


8-17

Windows Server Update Services Process

The update management process is used to manage and maintain WSUS and the updates retrieved by WSUS. It is a continuous cycle that allows you to reassess and adjust the WSUS deployment to meet changing needs.

Assess Phase The goal for the assess phase is to set up a production environment that supports update management for routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the most efficient topology for scaling the WSUS components. As your organization changes, you might identify a need to add more WSUS servers in different locations.

Identify Phase The identify phase is concerned with identifying new updates that are available and determining whether they are relevant to the organization. You have the option to configure WSUS to automatically retrieve all updates or only specific types of updates. WSUS also identifies which updates are relevant to registered computers.

Evaluate and Plan Phase After relevant updates have been identified, you need to evaluate whether they work properly in your environment. It is always possible that the specific combination of software in your environment might have problems with an update. To evaluate updates, you should have a test environment that you can apply updates in to verify proper functionality. At this time, you might identify dependencies that allow an update to function properly and you can plan what changes need to be made.

Deploy Phase After you have thoroughly tested an update and determined any dependencies, you can approve it for deployment in the production network. Ideally, you should approve the update for a pilot group of computers before approving the update for the entire organization.

8-18


Server Requirements for WSUS

To install and configure WSUS for Windows Server 2008, use Server Manager to install the Windows Server Update Services role. Your server must meet some minimum hardware and software requirements for you to be able to implement SWUS. The software required for WSUS 3.0 SP2 includes: •

Windows Server 2008 R2, Windows Server 2008 SP1 or later, Windows Server 2003 SP1 or later, Windows Small Business Server 2008, or Windows Small Business Server 2003

•

Internet Information Services (IIS) 6.0 or later

•

Microsoft .NET Framework 2.0 or later.

•

Microsoft Management Console 3.0

•

Microsoft Report Viewer Redistributable 2008

•

SQL Server 2008, SQL Server 2005 SP2, or Windows Internal Database

The minimum hardware requirements for WSUS are approximately the same as the minimum hardware requirements for Windows. However, you must consider disk space as part of your deployment. A WSUS server requires enough disk space to hold all of the updates that are being downloaded. At least 30 GB of disk space should be allocated for the downloaded updates. A single WSUS server can support thousands of clients. For example, a single WSUS server with 4GB of RAM and dual quad-core CPUs can support up to 100,000 clients. However, in most cases, an organization with that many clients will likely have multiple WSUS servers to reduce the load on WAN links.


8-19

Configuring Automatic Updates

When Automatic Updates is enabled on a server, the default configuration automatically downloads updates from Microsoft Update and installs them. After you have implemented WSUS, your servers should obtain updates from the WSUS server instead. The location that Automatic Updates obtains updates from is controlled by a registry key. While it is possible to manually configure the registry key by using RegEdit, this is not recommended except when the computer is not in a domain. If a computer is in a domain, it is much more efficient to create a Group Policy object that configures the registry key. In addition to configuring the source for updates, you can also use a GPO to configure the following settings: •

How often updates are detected

•

When updates are installed

•

When updates are rescheduled if the updates could not be installed at the scheduled time

•

Whether the computer will automatically restart if required by an update

•

A computer group that the computer will be registered in during initial registration with WSUS

8-20


WSUS Administration

The Update Services administrative tool is an MMC 3.0 plug-in that is used to administer WSUS. You can use this tool to: •

Identify and download updates

•

Approve updates for deployment

•

Organize computers into groups

•

Review the update status of computers

•

Generate reports

Monitoring is an essential part of maintaining a service. WSUS logs detailed health information to the event log. In addition, you can download a management pack to facilitate monitoring in System Center Operations Manager. Note To conserve disk space on a WSUS server, you should use the Server Cleanup Wizard that is available in Options. This wizard removes updates that are expired or superseded.


8-21

What Are Computer Groups?

Computer groups are way to organize the computers that a WSUS server deploys updates to. The two computer groups that exist by default are All Computers and Unassigned Computers. New computers that contact the WSUS server are automatically assigned to both of these groups. You can create custom computer groups for controlling how updates are applied. Typically, custom computer groups contain computers with similar characteristics. For example, you might create a custom computer group for each department in your organization. You can also create a custom computer group for a test lab where you first deploy updates for testing. You would also typically separate servers from client computers. When you manually assign new computers to a custom computer group, it is called server-side targeting. You can also use client-side targeting to assign computers to a custom computer group. To use client-side targeting, you need to configure a registry key or Group Policy object for the computer that specified the custom computer group to be joined during initial registration with the WSUS server.

8-22


Approving Updates

The default configuration for WSUS does not automatically approve updates for application to computers. Although it is possible to automatically approve updates, it is not recommended. The recommended process for approving updates is to first test updates in a lab environment, then a pilot group, and only then finally to the production environment. This process reduces the risk of an update causing an unexpected problem in your production environment. You would perform this process by approving updates for specific groups of computers before approving the update for the All Computers group. Some updates are not considered critical and do not have any security implications. You might decide not to implement some of these updates. For any updates that you decide not to implement, you can decline the update. After an update is declined, it is removed from the list of updates on the WSUS server in the default view. If you apply an update and find that it is causing problems, you can use WSUS to remove that update. However, the update can be removed only if that specific update supports removal. Most updates support removal. When you look at the details of an update, it will indicate if the update is superseded by another update. Superseded updates are typically no longer required because a newer update includes the changes in this update and more. Superseded updates are not declined by default because in some cases they are still required. For example, the older update might be required if some servers are not running the latest service pack.


8-23




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-SVR1.

Lab Scenario You are a server administrator for Contoso and have been assigned two security related tasks. First, you must deploy a Windows Firewall rule to support new monitoring software that is used for your servers. Second, you must configure servers to start using updates that are distributed by a WSUS server.

8-24


Exercise 1: Deploying a Windows Firewall Rule Scenario Your organization has implemented new software for monitoring client computers and servers. This software is already installed on the computers, but your central monitoring console is unable to initiate communication with the software. The installation routine for the software did not open the necessary port in Windows Firewall. You need to deploy a Windows Firewall rule that allows all computers in the organization to respond to communication attempts from the centralized monitoring console that runs on port 10005. Documentation from the product vendor indicates that you can test this port by using a web browser to view an XML file. The main tasks for this exercise are as follows: 1.

Create a Group Policy object with a firewall rule.

2.

Apply Group Policy settings to NYC-SVR1.

3.

Test access to the monitoring client.

X Task 1: Create a Group Policy object with a firewall rule 1.

On NYC-DC1, open Group Policy Management from the Administrative Tools menu.

2.

Create a new GPO named Firewall that is linked to Contoso.com.

3.

Edit the Firewall GPO and browse to Computer Configuration\Policies\Windows Settings \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.

4.

Create an inbound new rule with the following characteristics:

5.

•

Rule type: Port

•

Protocol: TCP

•

Specific local port: 10005

•

Action: Allow the connection

•

Profile: Domain

•

Name: Monitoring

Close the Group Policy Management Editor and then close the Group Policy Management tool.

X Task 2: Apply Group Policy settings to NYC-SVR1 1.

On NYC-SVR1, open a command prompt.

2.

At the command prompt, type gpupdate /force and then press ENTER.

3.

Close the command window on NYC-SVR1.


8-25

X Task 3: Test access to the monitoring client 1.

On NYC-DC1, open Internet Explorer.

2.

Connect to http://nyc-svr1.contoso.com:10005/status.xml.

Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.

8-26


Exercise 2: Implementing WSUS Scenario In the past, management of updates for clients and servers in your organization has been ad hoc. Some servers have not had updates applied, while others are applying updates immediately. This has resulted in an insecure environment. You are implementing WSUS to begin implementing a controlled process for applying updates to clients and servers. The main tasks for this exercise are as follows: 1.

Create a GPO for configuring WSUS clients.

2.

Review the configuration settings for a WSUS server.

3.

Create a computer group for servers.

4.

View the update report for NYC-DC1.

5.

Approve an update for the HO Servers computer group.

X Task 1: Create a GPO for configuring WSUS clients 1.

On NYC-DC1, open Group Policy Management from the Administrative Tools menu.

2.

Create a new GPO named WSUS that is linked to Contoso.com.

3.

In the Group Policy Management Editor window, browse to Computer Configuration\Policies \Administrative Templates\Windows Components\Windows Update.

4.

Configure the Configure Automatic Updates setting as follows:

5.

6.

•

Enabled

•

Configure automatic updating: 4 – Auto download and schedule the install

Configure the Specify intranet Microsoft update service location setting as follows: •

Enabled

•

Set the intranet update service for detecting updates: http://NYC-SVR1

•

Set the intranet statistics server: http://NYC-SVR1

Configure the Automatic Updates detection frequency setting as follows: •

Enabled

•

Check for updates at the following interval (hours): 22

7.

Close the Group Policy Management Editor and then close the Group Policy Management tool.

8.

On NYC-DC1, open a command prompt.

9.


10. At the command prompt, type wuauclt /detectnow and then press ENTER. 11. Close the command window on NYC-DC1.


8-27

X Task 2: Review the configuration settings for a WSUS server 1.

On NYC-SVR1, open Windows Server Update Services from the Administrative Tools menu.

2.

In the Update Services window, in the list pane under NYC-SVR1, click Options.

3.

Using the details pane, view the configuration settings available in WSUS and click Cancel for each item when complete.

X Task 3: Create a computer group for servers 1.

Browse to Computers\All Computers.

2.

Create a new computer group named HO Servers.

3.

Change membership of the nyc-dc1.contoso.com computer object so that it is a part of the HO Servers group.

X Task 4: View the update report for NYC-DC1 1.

View the membership of the HO Servers computer group. Use the status of Any when viewing the members.

2.

Right-click nyc-dc1.contoso.com and view a status report.

3.

Read the number of updates that have not been installed.

4.

Change the report to include only updates with a status of Needed and then run the report again.

5.

View the second page of the report to determine the updates that are needed.

6.

Leave this report open for the next task.

X Task 5: Approve an update for the HO Servers computer group 1.

In the Computers Report for NYC-SVR1, for the first update listed, click the Not approved status.

2.

Approve the update to install for the HO Servers computer group.

3.

Read the information in the Approval Progress window before closing all windows. Note Notice that a message appears stating that the update is approved, but must be downloaded to complete. This is due to the configuration of the lab environment.

Results: After this exercise, you should have approved an update for NYC-DC1.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1.

8-28



Review Questions 1.

Does the defense-in-depth model prescribe specific technologies that should be used to protect Windows servers?

2.

Your company is concerned about security and has implemented Windows Firewall to block outbound communication by default on client computers. You are implementing a new program that randomly selects a port number for communication on the network. How can you allow this program to function without opening up ports that are unnecessary?

3.

You are creating a GPO with standardized firewall rules for the servers in your organization. You tested the rules on a standalone server in your test lab. The rules appear on the servers after the GPO is applied, but they are not taking effect. What is the most likely cause of this problem?

4.

A colleague has argued that all Windows updates should be applied automatically when they are released. Do you have an alternative process that you recommend?

Tools Tool

Use for

Where to find it

Windows Firewall with Advanced Security

Configuring Windows Firewall profiles, rules, and connection security rules

Administrative Tools

Update Services

Administrative tool for managing WSUS


Wuauclt.exe

Manually triggering the Windows Update client

Command prompt

9-1

Module 9 Increasing Security for Network Communication Contents: Lesson 1: Overview of IPsec

9-3

Lesson 2: Configuring Connection Security Rules

9-11

Lesson 3: Configuring IPsec NAP Enforcement

9-20

Lesson 4: Monitoring and Troubleshooting IPsec

9-26

Lab: Increasing Security for Network Communication

9-33

9-2


Module Overview

Internet Protocol security (IPsec) is a framework of open standards for protecting communications over IP networks through cryptographic security services. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft IPsec implementation is based on standards that the Internet Engineering Task Force (IETF) IPsec working group developed. The following operating systems support IPsec: Windows® 2000, Microsoft Windows XP, Windows Vista™, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Additionally, IPsec integrates with the Active Directory® Domain Service (AD DS). You can assign IPsec policies through Group Policy, which allows you to configure IPsec settings at the domain, site, organizational unit (OU), or security group level. To help to increase security for network communications within your organization, it is important that you understand how to implement, configure, and troubleshoot IPsec.


Describe when and how to use IPsec.

•

Configure Connection Security rules.

•

Configure IPsec with NAP Enforcement.

•

Describe how to monitor and troubleshoot IPsec.

Increasing Security for Network Communication

9-3

Lesson 1

Overview IPsec

IPsec is a suite of protocols that can help protect data in transit through a network by using security services and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide much better security than previous protection methods. Network administrators who use it do not have to configure security for individual programs.


Describe the benefits of IPsec.

•

Discuss ways that IPsec can be used.

•

Describe the tools used to configure IPsec.

•

Configure IPsec settings.

9-4


Benefits of IPsec

You can use IPsec to attain confidentiality, integrity, and authentication in the data transport across insecure channels. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation. If you implement it properly, IPsec provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, File Transfer Protocol (FTP) traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data. IPsec has the following benefits: •

Offering mutual authentication before and during communications

•

Forcing both parties to identify themselves during the communication process

•

Enabling confidentiality through IP traffic encryption and digital packet authentication

IPsec Modes IPsec has two modes: •

Encapsulating Security Payload (ESP): Encrypts data through one of several available algorithms.

•

Authentication Header (AH): Signs traffic, but does not encrypt it.

Providing IP Traffic Integrity by Rejecting Modified Packets ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match, and the packet will be discarded. ESP in tunnel mode encrypts the source and destination addresses as part of the payload. In tunnel mode, a new IP header is added to the packet, specifying the tunnel endpoints’ source and destination addresses. ESP can make use of Data Encryption Standard (DES), triple Data Encryption Standard DES (3DES), Advanced Encryption Standard (AES), and DES encryption algorithms in Windows Server 2008 R2. You should not use DES unless the clients cannot support the stronger encryption that AES or 3DES offer.


9-5

Providing Protection from Replay Attacks ESP and AH use sequence numbers, so any packets that are captured for later replay are using numbers out of sequence. Using sequenced numbers ensures that an attacker cannot reuse or replay captured data to establish a session or gain information illegally. Using sequenced numbers also protects against attempts to intercept a message and use it to access resources illegally, possibly months later.

9-6


Ways to Use IPsec

Some network environments are well suited to IPsec as a security solution, while others are not. We recommend IPsec for the following uses: •

Packet filtering: IPsec provides limited firewall capabilities for end systems. You can permit or block inbound or outbound traffic using IPsec with the Network Address Translation (NAT)/Basic Firewall component of the Routing and Remote Access Service.

•

Securing host-to-host traffic on specific paths: You can use IPsec to provide protection for traffic between servers or other static IP addresses or subnets. For example, IPsec can secure traffic between domain controllers in different sites, or between web servers and database servers.

•

Securing traffic to servers: You can require IPsec protection for all client computers that access a server. Additionally, you can set restrictions on which computers can connect to a server that is running Windows Server 2008 R2.

•

Layer 2 Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of the L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require that you configure and deploy IPsec policies.

•

Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site (gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.

•

Enforcing logical networks (server/domain isolation): In a Microsoft Windows-based network, you can isolate server and domain resources logically to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network where computers share common requirements for secure communications. To establish connectivity, each computer in this logically isolated network must provide authentication credentials to other computers. This isolation prevents unauthorized computers and programs from gaining inappropriate access to resources. Requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data, and protect managed computers from unmanaged or rogue computers and users.


9-7

You can protect a network with two types of isolation: •

Server isolation: To isolate a server, you configure specific servers to require IPsec policy to accept authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.

•

Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that computers that are domain members accept only authenticated and secured communications from other domain-member computers. The isolated network consists only of that domain’s member computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain members, including all client and server computers.

Note Because IPsec depends on IP addresses for establishing secure connections, you cannot specify dynamic IP addresses. It often is necessary for a server to have a static IP address in IPsec policy filters. In large network deployments, and in some mobile user cases, using dynamic IP addresses at both ends of the connection can increase the complexity of IPsec policy design.

IPsec Uses That Are Not Recommended IPsec can reduce processing performance and increase network bandwidth consumption. Additionally, IPsec policies can be complex to configure and manage. Finally, the use of IPsec can introduce application compatibility issues. For these reasons, we do not recommend IPsec for the following uses: •

Securing communication between domain members and their domain controllers. This reduces network performance. Additionally, we do not recommend using IPsec for this scenario because the required IPsec policy configuration and management is complex.

•

Securing all network traffic. This reduces network performance, and we do not recommend using IPsec for this scenario because of the following reasons: •

IPsec cannot negotiate security for multicast and broadcast traffic.

•

Traffic from real-time communications, applications that require Internet Control Message Protocol (ICMP), and peer-to-peer applications might be incompatible with IPsec.

•

Network management functions that must inspect the TCP, UDP, and protocol headers are less effective or cannot function at all due to IPsec encapsulation or IP payload encryption.

Additionally, the IPsec protocol and implementation have characteristics that require special consideration when you perform the following tasks: •

Protect traffic over wireless 802.11 networks: You can use IPsec transport mode to protect traffic that is sent over 802.11 networks. However, we do not recommend IPsec for providing security for corporate 802.11 wireless local area networks (LANs). Instead, we recommend that you use 802.11 WPA2 or WPA encryption and Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. Support for IPsec, configuration management, and trust are required on client computers and servers. Because many computers on a network do not support IPsec or they are not managed, it is not appropriate to use IPsec alone to protect all 802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not optimized for mobile clients with dynamic IP addresses, nor does IPsec tunnel mode support dynamic address assignment or user authentication, which is needed for remote-access virtual private network (VPN) scenarios.

9-8


Use L2TP/IPsec VPN connections to secure remote access traffic to organizational networks when that traffic is sent over public wireless networks that are connected to the Internet. •

Use IPsec in tunnel mode for remote access VPN connections: We do not recommend that you use IPsec in tunnel mode for remote access VPN scenarios for Windows-based VPN clients and servers. Instead, use L2TP/IPsec or PPTP.


9-9

Tools Used to Configure IPsec

There are several ways to configure Windows Firewall and IPsec settings and options, including the following: •

Using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with Advanced Security snap-in enables you to configure firewall settings and security (IPsec) settings in one interface. You also can view the currently applied policy, rules, and other information in the Monitor node.

•

Using the IP Security Policy MMC snap-in. This MMC snap-in enables you to configure IPsec policies that apply to computers that are running earlier Windows versions and to computers that are running the current version of Windows. This MMC snap-in is useful for environments where computers that are running these Windows versions coexist. You cannot use this snap-in to configure Windows Firewall with Advanced Security settings. Using Netsh commands: •

Netsh is a command-line tool that you can use to configure network-component settings. Windows Firewall with Advanced Security provides the netsh advfirewall context, which you can use to configure Windows Firewall with Advanced Security settings.

•

You also can use the netsh ipsec commands to configure connection security rules.

9-10


Demonstration: How to Configure IPsec Settings (optional)


View existing IPsec policies in Group Policy.

•

Create a custom IPsec policy.

•

Create a security rule.

•

Create a new IP filter.

•

Complete the Security Rule Wizard.

•

Complete the IP Security Rule Wizard.


9-11

Lesson 2

Configuring Connection Security Rules

You can use Connection Security rules to configure IPsec settings for specific connections between this computer and others. Windows Firewall with Advanced Security uses the rule to evaluate network traffic and then blocks or allows messages based on the criteria that you establish in the rule. In some circumstances, Windows Firewall with Advanced Security will block the communication. If you configure settings that require security for a connection (in either direction), and the two computers cannot authenticate each other, the connection is blocked.


Describe Connection Security Rules.

•

Describe tunnel and transport modes for IPsec.

•

Describe how to select authentication requirements.

•

Describe and select an authentication method that can be used for IPsec.

•

Configure a Connection Security Rule.

•

Explain the communication process used by domain isolation.

9-12


What Are Connection Security Rules?

A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable rules are: •

Isolation: An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

•

Authentication Exemption: You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.

•

Server to Server: A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication you want to use.

•

Tunnel: A tunnel rule allows you to protect connections between gateway computers, and typically, you use it when connecting across the Internet between two security gateways.

•

Custom: Use a custom rule to authenticate connections between two endpoints when you cannot set up authentication rules that you need by using the other rules available in the new Connection Security Rule wizard.

How Firewall Rules and Connection Security Rules Are Related Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, when you create a connection security rule, this does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the firewall’s default behavior. Connection security rules are not applied to programs and services. They are applied between the computers that make up the two endpoints.


9-13

What Are Tunnel and Transport Modes?

Computer endpoints are the computers or the group of computers that form peers for the connection. You can specify a single computer, a group of computers (such as a subnet or computers in an IP address range), or one of the predefined computers: Default Gateway, Windows Internet Name Service (WINS) servers, DHCP servers, Domain Name System (DNS) servers, or the local subnet. The local subnet is the collection of all computers that are available to this computer, except for any public IP addresses (interfaces). This includes both LAN and wireless addresses. IPsec tunnel mode protects an entire IP packet by treating it as an Authentication Header (AH) or Encapsulating Security Protocol (ESP) payload. With tunnel mode, an entire IP packet is encapsulated with an AH or ESP header and an additional IP header. The IP addresses of the outer IP header are the tunnel endpoints, and the IP addresses of the encapsulated IP header are the ultimate source and destination addresses. ESP encrypts packets and applies a new unencrypted header to facilitate routing. Beyond providing encryption, ESP does not guarantee the header data’s authenticity. ESP functions in two modes, as determined by the required functionality and the capability of the IPsecaware hosts or routers: •

Transport mode, in which data payload is encrypted, but header data is unchanged. Transport mode encrypts data between two hosts that are IPsec-aware and capable of decrypting the payload data directly.

•

Tunnel mode, in which the entire original packet is encrypted and becomes the payload of a new packet, which then is transmitted between IPsec-aware routers. Tunnel mode enables IPsec-aware routers to encapsulate and encrypt network traffic from non-IPsec-aware hosts, transmit it over an unsecure network, and then decrypt it for use on the destination network by other hosts that are not IPsec-aware.

9-14


Choosing Authentication Requirements

While using the Connection Security Rule wizard to create a new rule, you can use the Authentication Requirements wizard page to specify how authentication is applied to inbound and outbound connections. If you request authentication, this enables communications when authentication fails. If you require authentication, this causes the connection to drop if authentication fails.

Request Authentication for Inbound and Outbound Connections Use the Request authentication for inbound and outbound connections option to specify that all inbound and outbound traffic is authenticated, but to allow the connection if authentication fails. If authentication succeeds, that traffic is protected. You typically use this option in either low-security environments or in an environment where computers must be able to connect but cannot perform the types of authentication that is available with Windows Firewall with Advanced Security.

Require Authentication for Inbound Connections and Request Authentication for Outbound Connections Use the Require authentication for inbound connections, and request authentication for outbound connections option if you want to require that all inbound traffic either is authenticated or else blocked. Outbound traffic can be authenticated, but it is allowed if authentication fails. If authentication succeeds for outbound traffic, that traffic is authenticated. You typically use this option in most IT environments in which the computers that need to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.

Require Authentication for Inbound and Outbound Connections Use the Require authentication for inbound and outbound connections option if you want to require that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option in higher-security IT environments where you must protect and control traffic flow, and in which the computers that must be able to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.


9-15

Choosing an Authentication Method

The Connection Security Rule wizard has a page where you can set up the Authentication Method to configure the authentication credentials used. If the rule exists already, you can use the Authentication tab of the Connection Security Properties dialog box of the rule that you wish to edit.

Default Select the Default option to use the authentication method as configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.

Computer and User (Kerberos V5) The Computer and User (Kerberos V5) method uses both computer and user authentication, which means that you can request or require both the user and the computer to authenticate before communications continue. You can use the Kerberos version 5 authentication protocol only if both computers and users are a domain’s members.

Computer (Kerberos V5) The Computer (Kerberos V5) method requests or requires the computer to authenticate using the Kerberos version 5 authentication protocol. You can use the Kerberos version 5 authentication protocol only if both computers are a domain’s members.

User (Kerberos V5) The User (Kerberos V5) method requests or requires the user to authenticate using the Kerberos version 5 authentication protocol. You can use the Kerberos version 5 authentication protocol only if the user is a domain’s member.

Computer Certificate The Computer Certificate method requests or requires a valid computer certificate to authenticate, and you must have at least one CA to do this. Use this method if the computers are not part of the same AD DS domain.

9-16


Only Accept Health Certificates The Only accept health certificates method requests or requires a valid health certificate to authenticate. Health certificates declare that a computer has met system health requirements, as determined by a NAP health policy server, such as all software and other updates that network access requires. These certificates are distributed during the NAP health evaluation process. Use this method only for supporting NAP.

Advanced You can configure any available method, and you can specify methods for First Authentication and Second Authentication. First Authentication methods include Computer Kerberos, computer certificate, and a preshared key (not recommended). Second Authentication methods include User Kerberos, User NTLM (Windows NT Challenge/Response protocol), user certificates, and computer health certificates. Second authentication methods are only supported by computers that are running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2.


Demonstration: How to Configure a Connection Security Rule


Enable ICMP traffic on NYC-SVR1.

•

Create a server to server rule on NYC-SVR1.

•

Create a server to server rule on NYC-CL1.

•

Test the rule.

9-17

9-18


How Domain Isolation Works

By configuring appropriate Connection Security rules, you can use IPsec to configure Domain Isolation. Domain isolation enforces a situation where domain member computers are isolated from non-domain member computers. Domain isolation uses an AD DS domain, domain membership, and Group Policy settings to create and enforce a network policy that requires domain member computers to accept incoming communication requests only from computers that can authenticate themselves with domain credentials. By using domain isolation, you provide an additional layer of protection for your network traffic. Domain isolation: •

Restricts incoming connections to domain member computers

•

Supplements other security mechanisms that are designed to prevent unwanted communications

•

Encourages domain membership

•

Protects traffic between domain member computers

To deploy domain isolation, you configure Group Policy settings to require that all incoming connection requests and subsequent data be authenticated and protected by using Internet Protocol security (IPsec); this is easiest to achieve by using Connection Security rules. To isolate a domain, configure the following components: •

An AD DS domain

•

Member computers

•

Group Policy settings

•

Connection Security rules


9-19

In a simplified domain isolation deployment, you configure and activate a Connection Security rule that uses an Isolation policy. Then, activate the policy for the appropriate AD DS containers, such as sites, domains, and OUs. The member computers in the Active Directory containers to which the Group Policy settings apply automatically download the Group Policy settings. You can also use IPsec policies for this purpose; while this provides more granular control over specific traffic types to be isolated, it is more complex to configure.

9-20


Lesson 3

Configuring IPsec NAP Enforcement

NAP enforcement for IPsec policies for Windows Firewall is deployed with a NAP CA, a Health Registration Authority (HRA) server, a computer running Network Policy Server (NPS), and an IPsec enforcement client. The NAP CA issues X.509 certificates with the System Health OID to NAP clients when they are determined to be compliant. These certificates then are used to authenticate NAP clients when they initiate IPsec communications with other IPsec clients on an intranet. IPsec enforcement confines your network’s communication to compliant clients and provides the strongest NAP implementation available. Because this enforcement method uses IPsec, you can define requirements for secure communications on a per-IP address or per-TCP/UDP port number basis.


Describe how NAP with IPsec enforcement for logical networks functions.

•

Explain how IPsec NAP enforcement works.

•

Describe the requirements for deploying NAP with IPsec enforcement.


9-21

IPsec Enforcement for Logical Networks

IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined by which computers have health certificates and which computers require IPsec authentication with health certificates for incoming communication attempts. The logical networks allow for limited network access and remediation, and provide compliant computers with protection from noncompliant computers. IPsec enforcement defines the following logical networks: •

Secure network: The set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the Active Directory domain would be in the secure network.

•

Boundary network: The set of computers that have health certificates, but which do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.

•

Restricted network: The set of computers that do not have health certificates. This includes noncompliant NAP client computers, guests on the network, or computers that are not NAP-capable such as computers that are running versions of Windows that do not support NAP, Apple Macintosh, or UNIX-based computers.

Based on the three logical networks, the following types of initiated communications are possible.

Secure Network Computers in the secure network can initiate communications with computers in all three logical networks. Communications initiated to computers in the secure network or boundary network are authenticated with IPsec and health certificates. Communications initiated to computers in the restricted network are not authenticated with IPsec. Computers in the secure network will accept communications initiated from computers in the secure and boundary networks that IPsec authenticates, but will not accept communications initiated from computers in the restricted network.

9-22


For example, a client computer in the secure network can request a webpage from a web server in the secure network. However, a client computer in the restricted network cannot. You can configure the requirements for initiated communication on a TCP or UDP port basis to limit specific traffic. For example, it is possible to require IPsec authentication with health certificates for Remote Procedure Call (RPC) traffic, but not web traffic. In this case, a client computer in the restricted network could request a webpage from a web server in the secure network, but not be able to use RPC to connect to that same server.

Boundary Network Computers in the boundary network can initiate communications with computers in the secure or boundary networks that are authenticated with IPsec and health certificates or with computers in the restricted network that IPsec does not authenticate. Computers in the boundary network will accept communications initiated from computers in the secure and boundary networks that are authenticated with IPsec and health certificates, and from computers in the restricted network that IPsec does not authenticate. Boundary network members typically consist only of the HRA and NAP remediation servers. Servers in the boundary network must be accessible from noncompliant NAP clients in the restricted network to perform initial remediation functions and obtain health certificates. Additionally, they must be accessible from compliant computers in the secure network to perform ongoing remediation functions, renew health certificates, and manage computers in the boundary network). A computer is a member of the secure or boundary network for the time specified in the health certificate’s validity period. Before the health certificate expires, the IPsec-protected NAP client contacts the HRA to obtain a new health certificate. You can configure the validity time for health certificates on the HRA. It typically spans hours rather than years, in the case of computer or user certificates.

Restricted Network Computers in the restricted network can initiate communications with computers in the restricted and boundary networks. Computers in the restricted network cannot initiate communications to computers in the secure network, unless they are allowed specifically through the IPsec policy settings of the secure network’s computers. Computers in the restricted network can accept communications initiated from computers in all three logical networks.


9-23

How IPsec NAP Enforcement Works

To obtain a health certificate and become a secure network member, a NAP client using IPsec enforcement starts on the network and uses the following process: 1.

When the computer starts, the host-based firewall is enabled but does not allow any exceptions, so that no other computer can initiate communications with it. At this point, the computer is in the restricted network because it does not have a health certificate. The computer can communicate with other computers in the restricted and boundary networks, and can access the Internet. However, it cannot initiate communications with the secure network’s computers.

2.

The NAP client obtains network access and an IP address configuration.

3.

The IPsec NAP enforcement client (EC) sends its credentials and System Statement Of Health (SSoH) to the HRA using Hypertext Transfer Protocol (HTTP) or a protected HTTP over Secure Sockets Layer (SSL) session.

4.

The HRA passes the SSoH to the NAP health policy server in a Remote Authentication Dial-In User Service (RADIUS) Access-Request message.

5.

The NPS service on the NAP health policy server receives the RADIUS Access-Request message, extracts the SSoH, and passes it to the NAP Administration Server component.

6.

The NAP Administration Server receives the SSoH and forwards the Statements of Health (SoHs) to the appropriate System Health Validators (SHVs).

7.

The SHVs analyze their SoHs and return Statement of Health Responses (SoHRs) to the NAP Administration server.

8.

The NAP Administration server passes the SoHRs to the NPS service.

9.

The NPS service compares the SoHRs to the configured health policies and creates the System Statement of Health Response (SSoHR).

9-24


10. The NPS service constructs and sends a RADIUS Access-Accept message with the SSoHR as a RADIUS vendor specific attribute (VSA) to the HRA. 11. The HRA sends the SSoHR back to the IPsec NAP EC. If the NAP client is compliant, the HRA also issues a health certificate. The NAP client removes any existing health certificates, if necessary, and adds the newly-issued health certificate to its computer certificate store. The IPsec NAP EC configures IPsec settings to authenticate using the health certificate for IPsec-protected communications and configures the host-based firewall to allow incoming communications from any peer that uses a health certificate for IPsec authentication. The NAP client now belongs to the secure network. The IPsec NAP EC performs steps 3 through 11 whenever new SoH information arrives at the NAP Agent or when the health certificate is about to expire.

Noncompliant NAP Client If the NAP client is noncompliant, the NAP client does not have a health certificate and cannot initiate communication with computers in the secure network. The NAP client performs the following remediation process to become a secure network member: 1.

The IPsec NAP EC passes the SSoHR to the NAP Agent.

2.

The NAP Agent passes the SoHRs in the SSoHR to the appropriate SHAs.

3.

Each SHA analyzes its SoHR and, based on the contents, performs the remediation as needed to correct the NAP client’s system health state.

4.

Each SHA that required remediation passes an updated SoH to the NAP Agent.

5.

The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new SSoH, and passes it to the IPsec NAP EC.

6.

The IPsec NAP EC uses HTTP or a protected HTTP over SSL session to send its new SSoH to the HRA.

7.

The HRA receives the SSoH and sends it to the NAP health policy server in a RADIUS Access-Request message.

8.

The NPS service on the NAP health policy server receives the RADIUS Access-Request message, extracts the SSoH, and passes it to the NAP Administration Server.

9.

The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.

10. The SHVs analyze the contents of their SoHs and return SoHRs to the NAP Administration Server. 11. The NAP Administration Server passes the SoHRs to the NPS service. 12. The NPS service compares the SoHRs to the configured set of health policies and creates the SSoHR. 13. The NPS service constructs and sends a RADIUS Access-Accept message containing the SSoHR to the HRA. 14. The HRA receives the RADIUS Access-Accept message, extracts the SSoHR, and sends it to the NAP client using HTTP or the HTTP over SSL session. Because the NAP client now is compliant, the HRA issues the NAP client a health certificate.


9-25

Deploying NAP with IPsec Enforcement

To deploy NAP with IPsec and HRA, you must configure the following: 1.

Install and configure Active Directory Certificate Services (AD CS) and certificate templates.

2.

In NPS, configure the connection request policy, network policy, and NAP health policy. You can configure these policies individually using the NPS console, or you can use the new Network Access Protection wizard.

3.

Enable the NAP IPsec enforcement client and the NAP service on NAP-capable client computers.

4.

Install and configure the HRA on the local computer or on a remote computer server.

5.

Configure Group Policy and any other settings that your deployment requires.

6.

Configure the Windows Security Health Validator (WSHV), or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.

For the HRA server, you need to configure the following: •

Install NPS on the computer that is running HRA.

•

Configure NPS on the HRA server as a RADIUS proxy to forward connection requests to the NPS server.

9-26


Lesson 4

Monitoring and Troubleshooting IPsec

Once you have enabled and configured IPsec, it is important that you know how to monitor, and if necessary, troubleshoot IPsec.


Describe how to monitor IPsec by using Windows Firewall with Advanced Security.

•

Explain how to monitor IPsec by using IP Security Monitor.

•

Discuss how to troubleshoot IPsec connections.


9-27

Monitoring IPsec by Using Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. While a typical end-user Windows Firewall configuration still takes place through the Windows Firewall Control Panel tool, advanced configuration now takes place in an MMC snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and through Group Policy. Firewall functions now integrate with IPsec protection settings, reducing the possibility of conflict between the two protection mechanisms.

Windows Firewall with Advanced Security Monitoring Options You can use the Windows Firewall with Advanced Security console to monitor security policies that you create in the Connection Security Rules node. However, you cannot view the policies you create using the IP Security Policy snap-in. These security options are for use with Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. For older operating systems (such as Windows XP and Windows 2000), you must use IP Security Monitor to view SAs and connections.

Monitoring Connection Security Rules The Connection Security folder lists all of the enabled connection security rules with detailed information about their settings. Connection security rules define which authentication, key exchange, data integrity, or encryption you can use to form an SA. The SA defines the security that is used to protect the communication from the sender to the recipient.

Monitoring Security Associations The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information about their settings and endpoints.

9-28


Main Mode Main mode statistics provide data about the total number of SAs created, in addition to invalid packet information.

Quick Mode Quick mode provides more detailed information about connections. If you are having issues with an IPsec connection, quick mode statistics can provide insight into the problem.


9-29

Monitoring IPsec by Using IP Security Monitor

You can implement IP Security Monitor as is an MMC snap-in, and it includes enhancements that allow you to view details about an active IPsec policy that is applied by the domain or locally. Additionally, you can view quick mode and main mode statistics, and active IPsec SAs. IP Security Monitor also allows you to search for specific main mode or quick mode filters. To troubleshoot complex IPsec policy designs, you can use IP Security Monitor to search for all matches for filters of a specific traffic type.

Changing Default Settings You can change the IP Security Monitor default settings, such as automatic refresh and Domain Name System (DNS) name resolution. For example, you can specify the time that elapses between IPsec data refreshes. Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that there are some issues to consider when enabling DNS. For example, it works only in a specific filter view for quick mode and in SAs view for quick mode and main mode monitoring. There also is the possibility that you can affect the server’s performance if several items in the view require name resolution. Finally, the DNS record name resolution requires a proper Pointer Record (PTR) in DNS.

Adding a Computer to Monitor You can monitor computers remotely from a single console, but you must modify a Registry value so that the remote system accepts a console connection. Setting the HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt Registry value to 1 prevents the “IPsec service is not running” error when you manage a computer remotely.

Obtaining Information About the Active Policy You can get basic information about the current IP security policy in the Active Policy node of the IP Security Monitoring MMC. This is useful during troubleshooting to identify which policy is being applied to the server. Information such as the policy location and when it was modified last provide key details when you are determining the current policy in place. Additionally, use the following command to identify installed policies: netsh ipsec static show gpoassignedpolicy.

9-30


Main Mode SA and Quick Mode SA The Main Mode SA is the initial SA that is established between two computers. This negotiates a set of cryptographic protection suites between both hosts. This initial SA allows quick mode key exchange to occur in a protected environment. The Main Mode SA also is known as the Internet Security Association and Key Management Protocol (ISAKMP) or Phase 1 SA. Main Mode establishes the secure environment to other exchange keys as required by the IPsec policy. A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data as specified in the policy.


9-31

Troubleshooting IPsec

Use the following process to troubleshoot IPsec: 1.

Stop the IPsec Policy Agent and use the ping command to verify communications.

2.

Verify firewall settings.

3.

Start the IPsec Policy Agent and use IP Security Monitor to determine if a security association exists.

4.

Verify that the policies are assigned.

5.

Review the policies and ensure that they are compatible.

6.

Use IP Security Monitor to ensure that any changes are applied.

Additional considerations for troubleshooting IPsec include checking the firewall configuration and enabling IKE logging.

Verifying IP Network Configuration Issues often arise with IPsec because one of its dependent services is affected. Some core required services include network connectivity with domain controllers, DNS servers, and client-server path connectivity for IPsec-related protocols. Stop the IPsec Policy Agent, and then test connectivity and service availability. You can use Ping, Net View, and telnet to test connectivity to these servers.

Verifying Appropriate Local and External Firewall Configurations Checking the firewall rules in the Windows Firewall with Advanced Security MMC reveals rules that are in use, and identifies blocking protocols and possible configuration errors in the connection security rules. Recall that the rules specified in the IP Security policy console will not appear in Windows Firewall with Advanced Security snap-in.

Verifying Group Policy and IPsec Policy To verify the correct application of Group Policy and IPsec policy on the client and the server, you can use Resultant Set of Policy (RSOP) snap-in to view the applied policy. Make sure the computer is within the scope of the Group Policy that has been applied to the Group Policy object (GPO), and ensure that the computer is in the correct GPO to receive the IPsec policy.

9-32


Ensuring Policy Compatibility Review the policies and ensure they are compatible. The client and the server must have complementing security policies in place, and it is important to ensure that the policies work together correctly.

Additional Considerations Additional considerations for troubleshooting IPsec include: •

•

•

Check firewall configuration: •

Ensure that User Datagram Protocol (UDP) port 500 and 4500 is not blocked.

•

Ensure that IPsec-protected traffic (IP protocol 50 and 51) is not blocked, and ensure that the network devices support IPsec.

When more detailed information is required, enable (set the HKEY_LOCAL_MACHINE\System \CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1) and analyze the Oakley.log: •

Stored in the %systemroot%\Debug\ folder

•

Maximum 50,000 lines

When you troubleshoot IKE events, ensure that both computers have the same time settings.


9-33




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. The application is secured by authenticating users by using a username and password. To enhance security, the director of Research wants the application to be accessible only from computers in the Research department. To meet the requirements specified by the director of Research, you will create a connection security rule that authenticates the computers in the Research department. Then, you will create a firewall rule that ensures only authenticated computers from the Research department can access the application. For this project, you must complete the following tasks: •

Configure IPsec to authenticate network communication for an application.

•

Test implementation of IPsec to authenticate network communication for an application.

9-34


Exercise 1: Selecting a Network Security Configuration Scenario In this exercise, you will read the supporting documentation and then answer the questions in the proposals section. The main tasks for this exercise are as follows: 1.

Read the Research application security document.

2.


3.


Task 1: Read the Research application security document •

Read the Research application security document.

Task 2: Update the proposal document with your planned course of action •

Answer the questions in the Research application security document. Research application security Document Reference Number: GW1605/1 Document Author Date

Charlotte Weiss 16th May

Requirements Overview Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must: 1. Create a connection security rule that authenticates the computers in the Research department. 2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application. Additional Information 1. The application exists on NYC-SVR1. 2. The application is not configured to use SSL. 3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container. Proposals 1. How will you accomplish requirement 1? 2. How will you accomplish requirement 2? 3. Are there any additional tasks that you must perform?

Task 3: Examine the suggested proposals in the Lab Answer Key •

Compare your solution to the proposed solution in the Research application security document in the Lab Answer Key. Be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.


9-35

Exercise 2: Configuring IPsec to Authenticate Computers Scenario In this exercise, you will deploy and configure a firewall and connection security rule to meet the requirements of the Research department. The main tasks for this exercise are as follows: 1.

Move the NYC-SVR1 and NYC-CL1 computers into the Research OU.

2.

Create a GPO and link to the Research OU.

3.

Create the required connection security rule.

4.

Create the firewall rule.

5.

Refresh the Group Policy on client computers.

Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU 1.

Switch to NYC-DC1.

2.

Open Active Directory Users and Computers.

3.

Move NYC-CL1 and NYC-SVR1 from the Computers built-in container to the Research OU.

Task 2: Create a GPO and link to the Research OU 1.

Open Group Policy Management.

2.

Create and link a new GPO called Research Department Application Security Policy to the Research OU.

Task 3: Create the required connection security rule 1.

Open Research Department Application Security Policy for editing.

2.

In Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security – LDAP://CN={GUID} > Connection Security Rules.

3.

Create a new Connection Security Rule with the following properties: •

Rule type: Custom

•

Endpoints: Default

•

Requirements: Require authentication for inbound connections and request authentication for outbound connections

•

Authentication method: Computer and user (Kerberos V5)

•

Protocol and Ports: Endpoint 1: TCP port 80, Endpoint 2: default

•

Profile: Domain

•

Name: Research Department Application Security rule

9-36


Task 4: Create the firewall rule •

Create a new Inbound firewall rule with the following properties: •

Rule type: Custom

•

Program: Default

•

Protocol and Ports: Local port: TCP 80

•

Scope: Default

•

Action: Allow the connection if it is secure: Allow the connection if it is authenticated and integrity-protected

•

Users: Default

•

Computers: Only allow connections from these computers: NYC-CL1; NYC-SVR1

•

Profile: Domain

•

Name: Research Department Application Firewall rule

Task 5: Refresh the Group Policy on client computers 1.

Switch to NYC-CL1.

2.

Open a command prompt, type gpupdate /force, and press ENTER.

3.

Restart the computer.

4.

Switch to NYC-SVR1.

5.

Open a command prompt, type gpupdate /force, and press ENTER.

6.

Restart the computer.

Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.


9-37

Exercise 3: Testing IPsec Authentication Scenario In this exercise, you will verify that only authorized users are allowed to connect to the Research application and monitor IPsec connections using Windows Firewall with Advanced Security and IP Security Monitor. The main tasks for this exercise are as follows: 1.

Attempt to connect to the web server on NYC-SVR1.

2.

Verify settings with Windows Firewall with Advanced Security.

3.

Verify settings with IP Security Monitor.

Task 1: Attempt to connect to the web server on NYC-SVR1 1.

Switch to NYC-CL1.

2.

Log on using the following information:

3.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Open Internet Explorer and attempt to open the webpage at http://nyc-svr1. This is successful.

Task 2: Verify settings with Windows Firewall with Advanced Security 1.


2.

Open Monitoring > Security Associations > Main Mode.

3.

Double-click any associations listed. What is the First authentication method?

4.

Expand Quick Mode.

5.

In the right pane, double-click the item listed. What is the Remote port?

Task 3: Verify settings with IP Security Monitor 1.

Open a new management console and add the IP Security Monitor snap-in.

2.

Open IP Security Monitor > NYC-CL1 > Main Mode > Security Associations.

3.

In the right pane, double-click the item listed. What is the encryption method?

Results: At the end of this exercise, you will have verified IPsec settings.

9-38


Preparing for the next module When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.


2.


3.


4.



9-39


Review Questions 1.

You need to ensure that traffic passing between a computer in the perimeter network and one deployed in the internal network is encrypted and authenticated. The computer in the perimeter is not a member of your AD DS forest. What authentication methods could you use if you attempted to establish a Connection Security rule between these two computers?

2.

To enable NAP with IPsec enforcement, what policies must you configure on your NPS server?

3.

You are responsible for monitoring computers that are participating in an IPsec-secured network. You want to do this remotely, but are having difficulty in connecting to remote computers from the IP Security Monitor console. What do you need to do?

Tools Tool

Use for

Where to find it

IP Security Monitor

Viewing and verifying IPsec policies

Management console

Gpupdate.exe

Use for refreshing GPO

Command-line

Netsh.exe

Configuring network settings

Command-line

10-1

Module 10 Configuring and Troubleshooting Network File and Print Services Contents: Lesson 1: Configuring and Troubleshooting File Shares

10-3

Lesson 2: Encrypting Network Files with EFS

10-12

Lesson 3: Encrypting Partitions with BitLocker

10-17

Lesson 4: Configuring and Troubleshooting Network Printing

10-22

Lab: Configuring and Troubleshooting Network File and Print Services

10-29

10-2


Module Overview

File and print services are some of the most commonly implemented network services for end users. Unlike infrastructure services like DNS, file and print services are highly visible to the end users. You need to understand how to configure and troubleshoot file and print services to provide high quality service to end users. In addition to basic file and print services, both EFS and BitLocker can be used to increase the security of files that are located in file shares.


Describe how to manage file share security.

•

Explain how to encrypt network files with EFS.

•

Describe how to encrypt partitions with BitLocker.

•

Discuss how to configure and troubleshoot network printing.

Configuring and Troubleshooting Network File and Print Services

10-3

Lesson 1

Configuring and Troubleshooting File Shares

Configuring file shares consists primarily of configuring share and NTFS permissions to ensure that only authorized users have access to files. You can optimize access to network files by implementing AccessBased Enumeration to ensure that users are able to view only folders that they have access to within a file share. Finally, Windows Server 2008 introduces SMB 2.0 as the protocol that is used for file sharing. This protocol is much more efficient than previous versions of SMB.


Describe file shares.

•

Create a file share.

•

Describe NTFS permissions.

•

Configure NTFS permissions.

•

Explain how to troubleshoot network file access permissions.

•

Discuss Access-Based Enumeration.

•

Describe file access enhancements in Windows Server 2008.

10-4


What Is a File Share?

One of the basic services that users expect on a network file a centralized location for storing files that all authorized users can access. You can create a centralized store for files on a network by creating a file share. A file share is a folder on a server that has been configured for access over the network. To configure a file share on a computer that is running Windows Server 2008, install the File Service server role. When you install the File Service server role, Windows Firewall is configured to allow file sharing. Share and Storage Management is a new tool in Windows Server 2008 that is used to create and configure file shares. You can also use the same Computer Management tool that was available in previous versions of Windows Server. Finally, you can create files shares at a command prompt with the net use command.

File Share Permissions Control access to files in a file share by configuring file share permissions. The permissions that are available to be assigned vary depending on how you assign them. The advanced file sharing properties lets you configure share permissions without affecting NTFS permissions. You can allow or deny the following share permission for users or groups of users: •

Full Control

•

Change

•

Read

The simplified file sharing dialog box introduced in Windows Server 2008 controls file share and NTFS permissions through a single interface. In Windows Server 2008 R2, the Full control share permission is applied and only NTFS permissions are modified by this wizard. In Windows Server 2008, the wizard attempted to synchronize permissions for share permissions and NTFS permissions.


10-5

Accessing File Shares After permissions for a file share have been configured, users can begin storing and accessing files. Users can access the files from the following locations: •

A UNC path

•

A mapped drive letter

10-6


Demonstration: How to Create a File Share

When you create a file share, additional options are available beyond configuring security. You can also specify multiple share names and configure caching options. This demonstration shows how to: •

Create a file share by using simplified interface.

•

Create a file share by using advanced sharing.

•

Configure advanced sharing for a file share.


10-7

What Are NTFS Permissions?

NTFS permissions are used to control which users or groups can access or modify files and folders on NTFS formatted partitions. These permissions are much more flexible than share permissions because they can be assigned individually for each file or folder as required. To modify NTFS permissions, you must be given the full control NTFS permission for a folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions even if they do not have any current NTFS permissions. Administrators are able to take ownership of files and folders to make modifications to NTFS permissions. The two types of NTFS permissions are basic and advanced. Basic permissions are most commonly used. Advanced NTFS permissions allow you to have detailed control over access to files and folders, but are complex to manage. The basic NTFS permissions are: •

Full control: allows all permissions including the ability to modify NTFS permissions and take ownership.

•

Modify: allows all file and folder modification activities except modification of NTFS permissions and taking ownership.

•

Read & Execute: allows execution of a file. When applied to folders, it also allows the listing of folder contents.

•

List folder contents: allows the contents of a folder to be listed. This applies only to folders.

•

Read: allows the reading of file contents and attributes.

•

Write: allows the modification of file contents and attributes, but not NTFS permissions or ownership. Deletion of the file is also not allowed. For a folder, this allows the creation of new files in the folder.

10-8


Demonstration: How to Configure NTFS Permissions


Configure NTFS permissions.

•

View advanced NTFS permissions.

•

View inherited permissions.


10-9

Troubleshooting Network File Access Permissions

If a client computer is properly connected to the network, then most network file access problems are related to incorrectly configured permissions. This is most likely to occur for new users or during the creation of new file shares. The first troubleshooting step you should perform is checking the effective NTFS permissions for the user. If the effective permissions are not as expected, you need to identify how that user should be assigned those permissions. In most cases, a group is assigned the appropriate NTFS permissions. Verify that the user is a member of the correct groups. When you are evaluating NTFS permissions, be aware that the deny permission overrides the allow permission. For example, if your group is given Modify permission and a user in that group is denied the Modify permission, the user will be denied access. If the effective NTFS permissions are correct, then you should verify that share permissions are configured correctly. Share permissions can limit users’ ability to access and modify files, even if the appropriate NTFS permissions are assigned. For example, if a group is assigned the Read share permission and the Modify NTFS permission, members of the group will be limited to Read permission. To simplify the interaction of share and NTFS permissions, many organizations assign the Everyone group Full Control share permission. Access to files is then controlled only by NTFS permissions. Some administrators prefer to use the Authenticated Users group rather than the Everyone group to assign permissions. These are functionally the same unless the Guest account is enabled. The Guest account is included in the Everyone group, but not the Authenticated Users group. Question: If a user is assigned Full Control share permission and Read NTFS permission, what permission will the user have to access data in the share?

10-10


What Is Access-Based Enumeration?

Access-based Enumeration (ABE) is a feature for file shares in Windows Server 2008 that prevents users from seeing files and folders that they do not have permission to access. When ABE is not used, users will see a list of all files and folders in the current directory, regardless of their permissions to those files and folders. ABE simplifies file browsing for users. It also prevents frustration caused when users receive errors when trying to access files and folders that they do not have access to. When you create a file share by using the simplified interface, ABE is automatically enabled for a file share. If you use Advanced Sharing, then ABE is not enabled. You can enable and disable ABE for a share by using the Share and Storage Management administrative tool.


10-11

File Access Enhancements in Windows Server 2008

Windows Server 2008 introduced the Server Message Block (SMB) 2.0 protocol for file sharing. This protocol is also used by Windows Vista clients. SMB 2.0 performs significantly better over slow networks due to a reduced number of packets that are required to accomplish the same task when compared with SMB 1. Packets are reduced by the following: •

Combining multiple commands into a single request

•

Allowing larger reads and writes

Also useful in SMB 2.0 is support for durable handles. This allows a client that is using SMB 2.0 to silently reconnect to a file server after a minor network interruption. This is particularly useful for wireless connections and remote access users.

SMB 2.1 Windows Server 2008 R2 and Windows 7 introduced the SMB 2.1 protocol. Previous versions of Windows do not support SMB 2.1. This version of SMB improves performance with the following: •

Client oplock leasing: This feature allows client computers to perform more opportunistic locking when accessing shared files. This allows the client to cache more file related information and reduce network traffic. It also increases the scalability of file servers.

•

Large MTU support: The Maximum Transmission Unit (MTU) size for SMB 2.1 has been increased from 64 KB to 1 MB. This allows up to 1 MB to be transmitted in a single packet. This significantly improves the transfer of large files over high speed low latency networks such as 10Gbps Ethernet.

•

Better support for sleep modes: Windows 7 computers are now able to sleep in a wider range of scenarios when the integrity of data is not affected. For example, when a file is open but there are no unsaved changes.

10-12


Lesson 2

Encrypting Network Files with EFS

Encrypting File System (EFS) can be used to encrypt files, including files stored on a network share. It is important that you understand how EFS works and the recovery process for EFS if the users on your network begin encrypting files. If you do not understand how to recover EFS encrypted files, your organization could lose access to encrypted data.


Describe Encrypting File System.

•

Explain how EFS works.

•

Describe how to recover EFS encrypted files.

•

Encrypt a file by using EFS.


10-13

What Is Encrypting File System?

Encrypting File System (EFS) is a feature that can encrypt files that are stored on an NTFS formatted partition. By default, this option is available to all users. Files on a file share can also be encrypted by using EFS. After a file is encrypted by using EFS, it can only be accessed by authorized users. If a user is authorized, then access to the file is transparent and it can be opened like an unencrypted file. If a user is not authorized, attempts to open the file will result in an access denied message. EFS encryption acts as an additional layer of security in addition to NTFS permissions. If users are given NTFS permission to read a file, they must still be authorized by EFS to decrypt the file. The default configuration of EFS requires no administrative effort. Users can begin encrypting files immediately and EFS automatically generates a user certificate with a key pair for a user if one does not exist. Using a certification authority (CA) to issue user certificate enhances manageability of the certificates. You can disable EFS on client computers by using Group Policy. In the Properties of the policy Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Polices \Encrypting Files System, select Don’t allow. Note If you are not using certificates from a certification authority and you want to allow EFS to be used on a file share, then you must configure the file server computer account to be trusted for delegation. Domain controllers are trusted for delegation by default.

10-14


How EFS Works

EFS uses a combination of public-key and symmetric-key encryption to ensure that files are protected from all but the most computationally impracticable methods of attack. A symmetric key is used to encrypt the file. Public-key encryption is used to protect the symmetric key. Symmetric encryption uses the same key to encrypt a file and decrypt a file. This type of encryption is faster and stronger than public key encryption. However, the difficulty of securing the key during a crossnetwork transfer requires additional security for the symmetric key. Symmetric encryption is the typical method of encrypting large amounts of data. EFS uses public key encryption to protect the symmetric key that is required to decrypt the file contents. Each user certificate contains a public key that is used to encrypt the symmetric key and a private key. Only the user with the certificate and its private key can decrypt the symmetric key. The file encryption process is described as follows: 1.

When a user encrypts a file, EFS generates a file-encryption key (FEK) to encrypt the data. The FEK is encrypted with the user’s public key, and the encrypted FEK is then stored with the file. This ensures that only the user who holds the matching EFS Encryption private key can decrypt the file. After a user encrypts a file, the file remains encrypted for as long as it is stored on the disk.

2.

To decrypt files, the user can open the file, remove the encryption attribute, or decrypt the file by using the cipher command. When this occurs, EFS decrypts the FEK with the user’s private key, and then decrypts the data by using the FEK. Note In addition to the user that encrypted the file, additional copies of the symmetric key are encrypted with the public key of the recovery agent and any other authorized users.


10-15

Recovering EFS Encrypted Files

If the private key of a user that encrypted a file by using EFS is lost for any reason, then you need a method for recovering the EFS encrypted file. The private key is part of a user certificate that is used for encryption. Backing up a user certificate provides one method for recovering EFS encrypted files. The user certificate can be imported into another profile and be used to decrypt the file. However, this method is difficult to implement when there are many users. A better method is to implement a recovery agent. A recovery agent is an individual who is authorized to decrypt all EFS encrypted files. The default recovery agent is the domain administrator. However, this can be delegated to any user. When a new recovery agent is added through Group Policy, it is automatically added to all newly encrypted files. However, it is not automatically added to existing encrypted files. The recovery agent for a file is set at the time that the file is encrypted. Therefore, an encrypted file must be accessed and saved to update the recovery agent. You can also use the cipher command to force the recovery agent to be updated. The certificate for a recovery agent should always be exported with the private key and kept in a secure location to back it up. The two reasons to back up the recovery key are: •

To secure against system failure. The domain administrator key that is used by default for EFS recovery is stored only on the first domain controller in the domain. If anything were to happen to this domain controller, then EFS recovery would be impossible.

•

To make the recovery key portable. The recovery key is not automatically available to the recovery agent on all computers. The recovery key must be installed in the recovery agent’s profile. If roaming profiles are not used, then exporting and importing the recovery key is a method to update the recovery agent’s profile on a particular computer.

10-16


Demonstration: How to Encrypt a File by Using EFS


Verify that a computer account supports EFS on a network share.

•

Use EFS to encrypt a file on a network share.

•

View the certificate that is used for encryption.

•

Test access to an encrypted file.


10-17

Lesson 3

Encrypting Partitions with BitLocker

BitLocker is a new feature introduced in Windows Server 2008 to encrypt data stored on a particular partition. BitLocker is transparent to users accessing a file share. If you use BitLocker to protect data on network servers, it is important that you understand how to recover data from a BitLocker encrypted drive. Proper planning ensures that you are able to recover the data without restoring from backup.


Describe BitLocker.

•

Explain how BitLocker works.

•

Describe how to recover a BitLocker encrypted drive.

•

Encrypt a partition by using BitLocker.

10-18


What Is BitLocker?

BitLocker is a feature in Windows Server 2008 that allows you to encrypt entire partitions. The primary purpose of BitLocker is to protect the data on a hard drive that has been removed from a server, but it also protects the integrity of boot files. BitLocker can be useful for any server, but particularly for remote offices with limited physical security for servers. Some benefits of BitLocker are as follows: •

Data protection for stolen drives: Even file servers are sometimes stolen from a physical location. When BitLocker is used, the local Administrator account password cannot be reset by using boot utilities.

•

Safe shipping of preconfigured servers: BitLocker protects the data stored on servers being shipped in the same way that it protects data in stolen servers.

•

Easier decommissioning of drives: The data on a BitLocker encrypted drive cannot be accessed by mounting it another computer. This significantly reduces the risk associated with disposing of a failed hard drive, or repurposing drives.

•

Maintaining system integrity: When BitLocker is enabled, the startup files for Windows Server 2008 are monitored. If the startup files are modified, then the system will not start. This prevents a rootkit from being installed on the unencrypted partition that is used during startup.

Windows Server 2008 R2 also includes BitLocker to Go, which is capable of encrypting external USB drives. The encrypted drive is secured by a password or smart card. This can be useful for shipping data to a remote office.


10-19

How BitLocker Works

To enable BitLocker, a server must have at least two partitions. The system volume contains the boot files for Windows Server 2008 and the boot volume contains the operating system files. Windows Server 2008 R2 automatically creates this type of partition structure during installation unless an unattended installation file provides alternate instructions. BitLocker uses several encryption keys to protect the partitions that BitLocker has been enabled on. The key that is used to encrypt the partition is the Full Volume Encryption Key (FVEK). After the FVEK for a partition is created, it does not change because it would take too long to re-encrypt the partition. Each FVEK is encrypted and stored in the metadata of the encrypted volume. The FVEKs are encrypted with the Volume Master Key (VMK). The VMK is required during startup to decrypt the volumes and allow Windows to start. An encrypted copy of the VMK is stored on the system partition. The VMK is encrypted by a key that is typically stored in a Trusted Platform Module (TPM). A TPM is a chip on a computer system board for storing encryption keys and certificates. During startup, the key is retrieved from the TPM and used to decrypt the VMK which is then used to access the encrypted volumes. If your server does not have a TPM, the key for encrypting the VMK can also be stored on removable media.

10-20


Recovering BitLocker Encrypted Drives

BitLocker encrypted drives become inaccessible if the FVEK for a computer system can no longer be accessed. This can occur if the TPM in a computer fails, the drives are moved to a different computer, or removable media that contains the FVEK is lost. When you turn on BitLocker, a 256-bit recovery key and 48 digit recovery password are generated. You are provided the option to print the recovery password key, save the recovery password to a file, or save both to a USB flash drive. Either the recovery key or the recovery password can be used to decrypt the drive when the FVEK key is no longer available. The recovery password can also be stored in Active Directory. To do this, you need to enable the option by using Group Policy. This is a scalable solution, and much better than requiring administrators to store the recovery password during the encryption process. Recovery passwords for BitLocker are stored in the properties of the computer account. To retrieve the recovery password from Active Directory, you need to use the BitLocker Recovery Password Viewer. This tool can be downloaded from the Microsoft website and integrates into Active Directory Users and Computers. To recover an encrypted operating system drive, you must use the recovery console. In the recovery console, you can provide the USB flash drive with the recovery key or type the recovery password. If you are typing the recovery password, you typically need to use the function keys. For example, F1 is equivalent to 1. Non-operating system drives will prompt you for the recovery information when you attempt to use them from within the operating system. A final option for recovering BitLocker encrypted drives is by using a data recovery agent. Similar to a recovery agent in EFS, a data recovery agent for BitLocker has a certificate that is used to access encrypted drives. You can configure a data recovery agent by importing the certificate of the data recovery agent into a Group Policy object.


Demonstration: How to Encrypt a Partition by Using BitLocker


Install the BitLocker feature.

•

Configure BitLocker to not require a TPM.

•

Enable BitLocker when a TPM is unavailable.

•

Access the recovery password.

10-21

10-22


Lesson 4

Configuring and Troubleshooting Network Printing

Along with file shares, network printing is one of the most commonly used network services. You need to understand how to configure and secure network printing, in addition to deploying printers to client computers.


Describe the benefits of network printing.

•

Discuss security options for network printing.

•

Create multiple configurations for a single print device.

•

Describe printer pooling.

•

Explain the options that are available for deploying printers to client computers.

•

Discuss common problems with network printing and their resolution.


10-23

Benefits of Network Printing

Windows Server 2008 can be configured as a print server for users. In this configuration, client computers submit print jobs to the printer server for delivery to a printer that is connected to the network. The biggest benefit of using Windows Server 2008 as a print server is centralized management of printing. Instead of managing client connections to many individual devices, you are managing their connection to the server. Printer drivers are installed centrally on the server and distributed to workstations. By centralizing printing on a printer, you also simplify troubleshooting. It is relatively easy to determine whether printing problems are the printer, server, or client computer based on where print jobs are queued. A network printer is more expensive than those typically used for local printing but has significantly lower consumables costs and better quality printing. The cost of printing is still minimized because the initial cost of the printer is spread over all the computers that connect to that printer. For example, a single network printer could service 100 users or more. Network printers can also be listed in Active Directory. This allows users to search for printers.

10-24


Security Options for Network Printing

When a printer is shared over the network, in many cases, no security is required. The printer is considered to be open access and everyone is allowed to print. This is the default configuration for a printer that is shared on a Windows server. The permissions that are available for shared printing include: •

Print: This permission allows users to print documents on the printer. By default, the Everyone group is assigned this permission.

•

Manage this printer: This permission allows users to modify printer settings, including updating drivers. By default, this permission is given to Administrators, Server Operators, and Print Operators.

•

Manage documents: This permission allows users to modify and delete print jobs in the queue. This permission is assigned to CREATOR OWNER. This allows anyone that creates a print job to manage that job. Administrators, Server Operators, and Print Operators have this permission for all print jobs.


10-25

Demonstration: How to Create Multiple Configurations for a Print Device

When there is only a single physical printer, you can set up multiple configurations by creating multiple printers on the print servers. This allows you to configure different priorities and printing options for different groups of users. Using multiple configurations, you can have one printer that defaults to black and white printing and another that defaults to color printing. You can also have configurations that include default paper trays, duplexing, and varying schedules for batch printing of large jobs. This demonstration shows how to: •

Create a shared printer.

•

Create a second printer using the same port.

•

Increase the priority of the second printer.

10-26


What Is Printer Pooling?

Printer pooling is a way to combine multiple physical printers into a single logical unit. To client computers, the printer pool appears to be a single printer. When jobs are submitted to the printer pool, they can be processed by any available printer in the printer pool. The scalability and availability of network printing is increased by using a printer pool. If one printer in the pool is unavailable, all jobs are sent to the remaining printers. And if a printer pool does not have sufficient capacity, you can add another printer to the printer pool without performing any client configuration. A printer pool is configured on a server by specifying multiple ports for a printer. Each port is the location of one physical printer. In most cases, the ports are an IP address on the network instead of Line Printer Terminal (LPT) port. The requirements for a printer pool are as follows: •

Printers must use the same driver: The clients use a single printer driver for generating print jobs. All printers must accept print jobs in the same format. In many cases, this means that a single printer model is used.

•

Printers should be in the same location: The printers in a printer pool should be located physically close together. When users retrieve their print jobs, they must check all printers in the printer pool to find their document. There is no way for users to know which printer has printed their document.


10-27

Deploying Printers to Clients

Deploying printers is a critical part of managing printing services on the network. A well designed system for deploying printers is scalable and can be used to manage hundreds or thousands of computers. The options for deploying printers are: •

Group Policy preferences: You can use Group Policy preferences to deploy shared printers to Windows XP, Windows Vista, and Windows 7 clients. The printer can be associated with the user account or computer account and can also be targeted by group. For Windows XP computers, you must install the Group Policy Preference Client Extension.

•

Group Policy object created by Print Management: The Print Management administrative tool can add printers to a Group Policy for distribution to client computers based on user account or computer account. Windows XP computers must be configured to run pushprinterconnections.exe.

•

Manual installation: Each user can manually add printers by either browsing the network or using the add printer wizard; however, this is not efficient. Network printers that are manually installed are available only to the user that installed them. If multiple users share a computer, they must each install the printer manually.

10-28


Discussion: Troubleshooting Network Printing

Network printing is a basic network service that all users expect to be available. It is important that you understand common network printing problems and their resolutions. Question: What are some common network printing problems and their resolutions?


10-29




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso

Repeat steps 2 to 4 for 6421B-NYC-CL1.

Lab Scenario As a server administrator for Contoso, you are responsible for configuring the file and print services that are available to users. You have been assigned several tasks to perform: 1.

Create and configure a new file share for multiple departments.

2.

Configure a recovery agent for EFS encrypted files.

3.

Configure a printer pool to enhance printing capacity.

10-30


Exercise 1: Creating and Configuring a File Share Scenario You are configuring a new file server that will hold files that are shared by multiple departments. The first two departments scheduled to move their files to this location are the Marketing and Production departments. You need to configure the file share so that each department has access to view and modify only their own files. In addition, users should not see files and folders that they do not have access to. The main tasks for this exercise are as follows: 1.

Create the folder structure for the share.

2.

Configure NTFS permissions on the folder structure.

3.

Create the share.

4.

Enable access-based enumeration.

5.

Verify that permissions are properly configured.

X Task 1: Create the folder structure for the share 1.

On NYC-DC1, create the folder C:\Share.

2.

Create the folder C:\Share\Marketing.

3.

Create the folder C:\Share\Production.

X Task 2: Configure NTFS permissions on the folder structure 1.

On NYC-DC1, use Windows Explorer to open the properties of the C:\Share folder and verify that Users have Read permission on the Security tab.

2.

In the properties of the Marketing folder, open the Advanced NTFS permissions.

3.

Change the permissions to remove inheritable permissions from this object’s parent and add the existing permissions.

4.

Remove permissions for the Users group.

5.

Add the Marketing group with Modify permission.

6.

In the properties of the Production folder, open the Advanced NTFS permissions.

7.

Change the permissions to remove inheritable permissions from this object’s parent and add the existing permissions.

8.

Remove permissions for the Users group.

9.

Add the Production group with Modify permission.

X Task 3: Create the share 1.

On NYC-DC1, in Windows Explorer, open the properties of C:\Share.

2.

Use Advanced sharing to share the folder.

3.

Give the Everyone group Full Control permission for the share.


X Task 4: Enable access-based enumeration 1.

On NYC-DC1, open the Share and Storage Management administrative tool.

2.

Open the properties of Share and enable access-based enumeration.

X Task 5: Verify that permissions are properly configured 1.

On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2.

Open \\NYC-DC1\Share.

3.

Read the folders that are listed.

4.

Create a new text file named AdamFile in the Marketing folder.

Results: After this exercise, you should have created and configured a file share.

10-31

10-32


Exercise 2: Encrypting and Recovering Files Scenario Your organization wants to allow users to start encrypting files with EFS. However, there are concerns about recoverability. To enhance the management of the certificates used for EFS, you are going to configure an internal certification authority to issue certificates to users. You will also configure a recovery agent for EFS and verify that the recovery agent can recover files. The main tasks for this exercise are as follows: 1.

Update the recovery agent certificate for EFS.

2.

Update Group Policy on the computers.

3.

Obtain a certificate for EFS.

4.

Encrypt a file.

5.

Use the recovery agent to open the file.

X Task 1: Update the recovery agent certificate for EFS 1.

On NYC-DC1, open the Group Policy Management administrative tool.

2.

Edit the Default Domain Policy that is linked to Contoso.com.

3.

In the Group Policy Management Editor, browse to Computer Configuration\Policies \Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

4.

Delete the existing Administrator certificate.

5.

Create a new Data Recovery Agent.

6.

Read the information about the new certificate and verify that it was issued by ContosoCA.

X Task 2: Update Group Policy on the computers 1.

On NYC-DC1, run gpupdate /force at a command prompt.

2.

On NYC-CL1, run gpupdate /force at a command prompt.

X Task 3: Obtain a certificate for EFS 1.


2.

Run mmc.exe to open an empty MMC console.

3.

Add the Certificates snap-in to the MMC console.

4.

In the console, right-click Personal and request a new certificate.

5.

Select a Basic EFS certificate.

6.

Verify that the new certificate was issued by ContosoCA.

7.

Close the console and do not save the changes.


X Task 4: Encrypt a file 1.

On NYC-CL1, browse to \\NYC-DC1\Share\Marketing.

2.

Open the properties of AdamFile.

3.

Enable encryption in the advanced attributes of AdamFile.

4.

Close Windows Explorer.

X Task 5: Use the recovery agent to open the file 1.

On NYC-DC1, browse to C:\Share\Marketing.

2.

Open AdamFile.txt, modify the contents and save the file.

Results: After this exercise, you should have encrypted and recovered a file.

10-33

10-34


Exercise 3: Creating and Configuring a Printer Pool Scenario The Marketing department has a single central copy room that stores the printer for the entire floor. Over the last year, the capacity of your printer has become a concern. In particular, when a user prints a large job, it prevents other users from obtaining their print jobs for 10 or 15 minutes. To resolve this problem, you have purchased two new identical printers to configure as a printer pool for the Marketing department. The main tasks for this exercise are as follows: 1.

Install the Print Management role.

2.

Create two IP printer ports.

3.

Create a printer.

4.

Make the new printer into a printer pool.

5.

Distribute the printer pool to users.

6.

Verify printer distribution to a marketing user.

X Task 1: Install the Print Management role 1.

On NYC-DC1, open the Server Manager administrative tool.

2.

Add the Print and Document Services role with the Print Server role service.

X Task 2: Create two IP printer ports 1.

Open the Print Management administrative tool.

2.

In the NYC-DC1 print server, view the ports.

3.

Create a new port with the following properties:

4.

•

Standard TCP/IP Port

•

IP Address: 10.10.0.98

•

Generic Network Card

Create a second port with the following properties: •

Standard TCP/IP Port

•

IP Address: 10.10.0.99

•

Generic Network Card

X Task 3: Create a printer •

In Print Management, under NYC-DC1 (local), create a new printer with the following properties: •

Use an existing port: 10.10.0.98

•

Printer driver: default

•

Printer name: PrinterPool

•

Share name: PrinterPool


10-35

X Task 4: Make the new printer into a printer pool 1.

In Print Management, open the properties of PrinterPool.

2.

On the Ports tab, enable printer pooling.

3.

Select the port 10.10.0.99 as second port.

X Task 5: Distribute the printer pool to users 1.

Open the Group Policy Management administrative tool.

2.

Browse to the Marketing OU, right-click, and create a new GPO in the domain that is linked here. •

Name: MarketingGPO

3.

Right-click MarketingGPO and edit.

4.

Browse to \User Configuration\Preferences\Control Panel Settings\Printers.

5.

Create a new shared printer with the following properties: •

Share path: \\NYC-DC1\PrinterPool

•

Set this printer as the default printer

X Task 6: Verify printer distribution to a marketing user 1.


2.

Open a command prompt and run gpupdate /force.

3.

On the Start menu, open Devices and Printers to verify that PrinterPool on NYC-DC1 appears and is configured as the default printer.

Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.



2.


3.


4.

Repeat these steps for 6421B-NYC-CL1.

10-36



Review Questions 1.

You are planning the configuration of NTFS and share permissions on a new file server. One of your colleagues suggests that share permissions should be limited to the minimum possible rather than assigning the EVERYONE group Full Control. Why is this not a concern when NTFS permissions are used?

2.

Your organization has a mix of roaming users with Windows XP and Windows 7 laptops. Roaming users access files remotely over a VPN. A user that was recently upgraded to Windows 7 remarked that file access over the VPN is much faster now. Why is this occurring?

3.

You are planning to enable BitLocker on the servers that are located in remote offices to increase security. One of your colleagues is concerned that this will increase complexity for users that are accessing file shares on those servers. Why is this not a valid concern?

4.

Some users have been starting to encrypt files that are stored on network shares to protect them from other departmental users with NTFS permissions to those files. Is this an effective way to prevent users from viewing and modifying those files?

5.

One department in your organization has been manually adding printers on computers that perform direct IP printing to the physical printer. They are doing this so that all users automatically get access to the printer after it is installed. Can you configure a printer server and still make printers available to all users?


10-37

Tools Tool

Use for

Where to find it

Server Manager

Adding server roles


Share and Storage Management

Configure shares


Group Policy Management

Create and configure group policy objects


Certificates snap-in

Request and view certificates

Microsoft Management Console

Cipher

Manage EFS encrypted files

Command-line

Print Management

Manage print servers and printers


11-1

Module 11 Optimizing Data Access for Branch Offices Contents: Lesson 1: Branch Office Data Access

11-3

Lesson 2: DFS Overview

11-6

Lesson 3: Configuring DFS Namespaces

11-18

Lesson 4: Configuring and Troubleshooting DFS Replication

11-25

Lab A: Implementing DFS

11-33

Lesson 5: Configuring BranchCache

11-39

Lab B: Implementing BranchCache

11-49

11-2


Module Overview

Many organizations maintain a large number of file resources that need to be organized and made highly available to users. These file resources are often stored on servers and provided to users who are distributed geographically in widespread locations. In this situation, you need to find an efficient solution to help users locate the most recent files quickly. Managing multiple data sites often introduces additional challenges, such as limiting network traffic over slow wide area network (WAN) connections, ensuring the availability of files during WAN or server failures, and backing up file servers that are located at smaller branch offices.


Describe the challenges experienced when providing data access to branch offices.

•

Identify the basic components of DFS.

•

Describe DFS namespaces.

•

Explain how to configure DFS replication.

•

Discuss how to configure BranchCache.

Optimizing Data Access for Branch Offices

11-3

Lesson 1

Branch Office Data Access

Branch offices have unique management challenges. A branch office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Therefore, the challenge is being able to provide efficient access to network resources for users in branch offices.


Discuss challenges of branch office data access.

•

Describe how branch offices are connected to an enterprise network.

11-4


Discussion: Challenges of Branch Office Data Access

Usually, a head office is a central communication hub for branch offices. Each branch office has fewer users than the head office. Additionally, each branch office has slow connectivity to the head office. For example, a chain of retail stores has a head office with many employees and fast internal network connectivity. The branch offices are remotely located with few employees in each location and slow connectivity to the data in the head office. Question: Why are network connections between branch offices and the head office slow and unreliable? Question: How does slow and unreliable network connectivity affect the users in branch offices? Question: How does management of computer systems in branch offices compare with the management of computer systems in the head office? Question: How does system security in branch offices compare with system security in the head office?


11-5

Branch Office Connectivity

The following features of Windows Server® 2008 R2 can help branch offices improve their slow and less reliable connectivity: •

Distributed File System (DFS)

•

BranchCache

DFS Distributed File System (DFS) is a Windows Server 2008 R2 role service that is included with the File Server role. The DFS role service can be used to logically combine shared folders that are located on different servers into a virtual namespace. Users only need to know the name of the virtual namespace to access the shared folder structure. DFS also implements a replication technology to ensure high-availability of configured elements in the namespace.

BranchCache Accessing files stored at the head office can be slow for users in branch offices. BranchCache helps speed up access to files by caching them on a local computer or on a local server in the branch office. If a file has not been modified in the head office and is accessed from the branch office, the file’s cached copy in the branch office is opened rather than the copy from the head office. In addition to providing faster file access, BranchCache decreases the overall WAN use because only new and modified files are copied over the WAN. This keeps the WAN free for other activities.

11-6


Lesson 2

DFS Overview

This lesson introduces the Distributed File System (DFS) solution that you can use to meet the challenges of managing data for branch offices by providing fault-tolerant access and WAN-friendly replication of files that are located throughout an enterprise.


Describe DFS.

•

Describe a DFS namespace.

•

Discuss DFS Replication.

•

Explain how DFS Namespaces and DFS replication work.

•

Describe scenarios where DFS can be used.

•

Identify enhancements to DFS in Windows Server 2008 R2.

•

Install the DFS role.


11-7

What Is DFS?

To access a typical file share, users typically require the Universal Naming Convention (UNC) name to access the shared folder content. Many large organizations might have hundreds of file servers that are dispersed geographically throughout an organization. This introduces a number of challenges for users to find and access files efficiently. Through the use of a namespace, DFS can simplify the UNC folder structure. In addition, another benefit of DFS is the ability to replicate the virtual namespace and the shared folders to multiple servers within the organization. This can ensure that the shares are located as close as possible to users, thereby providing an additional benefit of fault tolerance for the network shares. DFS includes two technologies that are implemented as role services. These technologies are: DFS Namespaces (DFS-N): Allows administrators to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. The subfolders typically point to shared folders that are located on various servers in multiple geographical sites throughout the organization. DFS Replication (DFS-R): Is a multi-master replication engine that is used to synchronize files between servers for local and WAN network connections. DFS-R supports replication scheduling, bandwidth throttling, and uses Remote Differential Compression (RDC) to update only the portions of files that have changed since the last replication. DFS-R can be used in conjunction with DFS Namespaces or as a standalone file replication mechanism.

11-8


What Is a DFS Namespace?

You can create either a domain-based or stand-alone namespace. Each type has different characteristics.

Domain-Based Namespace A domain-based namespace can be used when: •

Namespace high availability is required, which is accomplished by replicating the namespace to multiple namespace servers.

•

You need to hide the name of the namespace servers from users. This also makes it easier to replace a namespace server or migrate the namespace to a different server. Users will then access the \\domainname\namespace format as opposed to the \\servername\namespace format.

If choosing to deploy a domain-based namespace, you will also need to choose whether to use the Microsoft Windows® 2000 Server mode or the Windows Server 2008 mode. Windows Server 2008 mode provides additional benefits such as support for access-based enumeration, and it increases the number of folder targets from 5,000 to 50,000. With access-based Enumeration, you can hide folders that users do not have permission to view. To use Windows Server 2008 mode, the following requirements must be met: •

The Active Directory forest must be at Microsoft Windows Server® 2003 or higher forest functional level.

•

The Active Directory domain must be at the Microsoft Windows Server 2008 domain functional level.

•

All namespace servers must be Windows Server 2008. Note You can migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode by using the DFSutil command-line tool. You can also enable or disable Access-based Enumeration by using the Share and Storage Management MMC.


11-9

Stand-Alone Namespace A stand-alone namespace is used when: •

An organization has not implemented AD DS.

•

An organization does not meet the requirements for a Windows Server 2008 mode, domain-based namespace, and there are requirements for more than 5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders with targets.

11-10


What Is DFS Replication?

DFS Replication (DFS-R) provides a way to keep folders synchronized between servers across wellconnected and limited bandwidth connections. Take note of the following key points related to DFS-R: •

DFS-R uses Remote Differential Compression (RDC). RDC is a client-server protocol that can be used to efficiently update files over a limited bandwidth network. RDC detects data insertions, removals, and re-arrangements in files, enabling DFS-R to replicate only the changed file blocks when files are updated. RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS-R also supports cross-file RDC, which allows DFS replication to use RDC, even when a file with the same name does not exist at the client. Cross-file RDC can determine files that are similar to the file that needs to be replicated, and it uses blocks of similar files that are identical to the replicating file to minimize the amount of data that needs to be replicated.

•

DFS-R uses a hidden staging folder to stage a file before sending or receiving it. Staging folders act as caches for new and changed files to be replicated from sending members to receiving members. The sending member begins staging a file when it receives a request from the receiving member. The process involves reading the file from the replicated folder and building a compressed representation of the file in the staging folder. After it has been constructed, the staged file is sent to the receiving member; if remote differential compression is used, only a fraction of the staging file might be replicated. The receiving member downloads the data and builds the file in its staging folder. After the file download is completed on the receiving member, DFS-R decompresses the file and installs it into the replicated folder. Each replicated folder has its own staging folder, which by default is located under the local path of the replicated folder in the DfsrPrivate\Staging folder.

•

DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal and replicates changes only after the file is closed.


11-11

•

DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The protocol sends less than 1 KB per file across the network to synchronize the metadata associated with changed files on the sending and receiving members.

•

DFS-R uses a conflict resolution heuristic of “last writer wins” for files that are in conflict (that is, a file that is updated at multiple servers simultaneously) and “earliest creator wins” for name conflicts. Files and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and Deleted folder, which is located under the local path of the replicated folder in the DfsrPrivate\ConflictandDeleted folder.

•

DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS Replication database loss.

•

DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to obtain configuration and monitoring information from the DFS Replication service.

11-12


How DFS Namespaces and DFS Replication Work

Even though DFS Namespaces and DFS Replication are separate role services, they can be used together to provide high availability and data redundancy. The following process describes how DFS Namespaces and DFS Replication work together: 1.

User accesses folder in the virtual namespace. When a user attempts to access a folder in a namespace, the client computer contacts the server that is hosting the namespace root. The host server can be a stand-alone server that is hosting a stand-alone namespace, or a domain-based configuration that is stored in Microsoft® Active Directory® Domain Services (AD DS) and then replicated to various locations to provide high availability. The namespace server sends back to the client computer a referral containing a list of servers that host the shared folders (called folder targets) that are associated with the folder being accessed.

2.

Client computer accesses the first server in the referral. The client computer caches the referral information and then contacts the first server in the referral. This referral typically is a server in the client’s own site, unless there is no server located within the client’s site. In this case, the administrator can configure the target priority.

For example, in the slide, the Marketing folder that is published within the namespace actually contains two folder targets. One share is located on a file server in New York, and the other share is located on a file server in London. The shared folders are kept synchronized by DFS-R. Even though multiple servers host the source folders, this fact is transparent to users, who only access a single folder in the namespace. If one of the target folders becomes unavailable, users can be redirected to the remaining targets within the namespace.


11-13

DFS Scenarios

Several key scenarios can benefit from DFS Namespaces and DFS Replication. These scenarios include: •

Sharing files across branch offices

•

Data collection

•

Data distribution

Sharing Files Across Branch Offices Large organizations that have many branch offices often have to share files or collaborate between these locations. DFS-R can help replicate files between branch offices or from a branch office to a hub site. Having files in multiple branch offices also benefits users who travel from one branch office to another. The changes that users make to their files in one branch office are replicated back to their branch office. Note This scenario is recommended only if users can tolerate some file inconsistencies as changes are replicated throughout the branch servers. Also, note that DFS-R only replicates a file after it is closed. Therefore, DFS-R is not recommended for replicating database files or any files that are held open for long periods of time.

Data Collection DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing the files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using DFS-R and then backed up at the hub site by using standard backup procedures. This increases the branch office data recoverability if a server fails, because files will be available in two separate locations and backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware and onsite information technology (IT) personnel expertise. Replicated data can also be used to make branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can access the replicated data at the hub site.

11-14


Data Distribution You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business data throughout your organization. DFS-N and folder targets can increase data availability and distribute client load across various file servers.


11-15

DFS Enhancements in Windows Server 2008 R2

Microsoft Windows Server 2008 R2 provides a number of enhancements and new features to both DFS-N and DFS-R. The following sections discuss these new capabilities.

Updates to DFS Namespaces The following improvements have been made to the way DFS namespaces work: •

Performance improvements: The DFS Namespaces service takes less time to start, which increases performance especially with large domain-based namespaces with 5,000 or more folder targets. Windows Server 2008 R2 also includes three new performance counters that can be used to monitor DFS Namespaces: •

DFS Namespace Service API Queue: Displays the number of requests in the queue that are waiting to be processed by the DFS Namespace service.

•

DFS Namespace Service API Requests: Provides a number of objects showing the information of DFS requests as average response time, requests processed, requests failed, and requests processed per second.

•

DFS Namespace Service Referrals: Provides a number of objects showing the information of referral requests that are processed by the DFS Namespace service. Information includes average response time, requests processed, requests failed, and requests processed per second.

11-16


•

New DFS Management tool support: A number of enhancements to the DFS Management tool include the following: •

Access–based enumeration management improvements: When access-based enumeration is enabled on a shared folder or DFS folder, users will only see folders and files for which they have Read (or equivalent) permissions. Previously, access-based enumeration could only be enabled on a shared folder using Share and Storage Management or by using the Dfsutil command for DFS folders. Windows Server 2008 R2 provides an additional enhancement by allowing you to enable and configure access-based enumeration for a namespace by using the DFS Management tool.

•

Support for selectively enabling or disabling namespace root referrals: The DFS Management tool provides the ability to enable or disable namespace servers. This allows you to control whether a server is available for referrals.

•

Improvements to the Dfsdiag.exe command-line tool: Windows Server 2008 R2 includes changes to the Dfsdiag.exe command-line tool’s help text. When you type Dfsdiag /?, the help and error message text has been rewritten to provide more clear and descriptive information.

Updates to DFS Replication The following improvements have been made to DFS Replication: •

Failover cluster support: The DFS Replication service in Windows Server 2008 R2 is now designed to coordinate with a Windows Server 2008 R2-based failover cluster. You can add a failover cluster as a member of a replication group.

•

Read-only replicated folders: Prior to Windows Server 2008 R2, the only way to configure a readonly replicated folder was to manually set share permissions and access control lists on the folders, which required additional administrative effort. Windows Server 2008 R2 provides the ability to configure a replicated folder as a read-only or a read-write member. You can use either the DFS Management tool or the Dfsradmin command-line tool to configure read-only replicated folders. Note Read-only domain controllers based upon Windows Server 2008 R2 use read-only replicated folders to secure the SYSVOL folder.

•

Improvements to the Dfsrdiag.exe command-line tool: Windows Server 2008 R2 includes changes to the Dfsrdiag.exe command-line tool. The following switches provided enhanced diagnostic capabilities: •

Replstate: Displays a summary of the replication status across all connections on the specified replication group member.

•

IdRecord: Displays the DFS Replication ID record and version of a specified file or folder. You can use this information to determine if a file has replicated properly to another member.

•

FileHash: Computes and displays a hash value for a particular file. This can be used to compare two files to ensure that they are identical.


Demonstration: How to Install the DFS Role

This demonstration shows how to install the DFS role.

11-17

11-18


Lesson 3

Configuring DFS Namespaces

Configuring a DFS Namespace consists of several tasks, including creating the namespace structure, creating folders within the namespace, and adding folder targets. You can also choose to perform additional management tasks, such as configuring the referral order, enabling client fail back, and implementing DFS replication. This lesson provides information on how to complete these configuration and management tasks to deploy an effective DFS solution.


Describe the process for deploying namespaces to publish content.

•

Describe permissions that are required to create and manage a namespace.

•

Create and configure DFS namespaces and folder targets.

•

Describe the options for optimizing a namespace.


11-19

Deploying Namespaces for Publishing Content

Most DFS implementations primarily consist of content that is published within the DFS namespace. To configure a namespace for publishing content to users, perform the following procedures: 1.

Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS Management console. When a new namespace is created, you must provide the name of the server that you want to use as the namespace server, and namespace name and type (either domain-based or stand-alone). You can also specify whether the namespace is enabled for Windows Server 2008 mode.

2.

Create a folder in the namespace. After the namespace is created, add a folder in the namespace that will be used to contain the content that you want to publish. During the folder creation, you have the option to add folder targets, or you can perform a separate task to add, edit, or remove folder targets later.

3.

Add folder targets. After a folder is created within the namespace, the next task is to create folder targets. The folder target is a shared folder’s UNC path on a specific server. You can browse for shared folders on remote servers and create shared folders as needed. Additionally, you can add multiple folder targets to increase the folder’s availability in the namespace. If you add multiple folder targets, consider using DFS-R to ensure that the content is the same between the targets.

4.

Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client computer receives from the namespace server when a user accesses a namespace root or folder. When a client receives the referral, the client attempts to access the first target in the list. If the target is not available, the next target is attempted. By default, targets in the client’s site are always listed first in the referral. You can configure the method for ordering targets outside the client’s site on the Referrals tab of the Namespace Properties dialog box. You have the choice of configuring the lowest cost, random order, or configuring the ordering method to exclude targets outside the client’s site.

11-20


Note Folders inherit referral settings from the namespace root. You can override the namespace settings on the Referrals tab of the Folder Properties dialog box by excluding targets outside the client’s site.

Optional Management Tasks A number of optional management tasks that you can consider include: •

Set target priority to override referral ordering: You can have a specific folder target that you want everyone to use from all site locations, or a specific folder target that should be used last among all targets. You can configure these scenarios by overriding the referral ordering on the Advanced tab of the Folder Target Properties dialog box.

•

Enable client failback: If a client cannot access a referred target, the next target is selected. Client failback will ensure that clients “fail back” to the original target after it is restored. You can configure client failback on the Referrals tab of the Namespace Properties dialog box by selecting the check box next to Clients fail back to preferred targets. All folders and folder targets inherit this option. However, you can also override a specific folder to enable or disable client failback features if required.

•

Replicate folder targets using DFS-R: You can use DFS-R to keep the contents of folder targets in sync. The “Permissions Required to Create and Manage a Namespace” lesson discusses DFS-R in detail.


11-21

Permissions Required to Create and Manage a Namespace

To perform DFS namespace management tasks, a user either has to be a member of an administrative group or has to be delegated specific permission to perform the task. You can right-click the namespace and then click Delegate Management Permissions to delegate the required permissions. The following table describes the groups that can perform DFS administration by default and the method for delegating the ability to perform DFS management tasks: Task

Groups that can perform the task by default

Delegation method

Create a domain-based namespace.

Domain admins

Delegate Management Permissions. Add users to local administrators group on the namespace server.

Add a namespace server to a domain-based namespace.

Domain admins

Delegate Management Permissions. Add users to local administrators group on the namespace server.

Manage a domainbased namespace.

Local administrators on each namespace server

Delegate Management Permissions.

Create a stand-alone namespace.


Add users to local administrators group on the namespace server.

Manage a stand-alone namespace.



Create a replication group or enable DFS replication on a folder.

Domain admins


11-22


Demonstration: How to Create Namespaces


Create a namespace.

•

Create a new folder and folder target.


11-23

Optimizing a Namespace

Namespaces have a number of configuration options with which you can optimize its usability and performance.

Rename or Move a Folder You can rename or move a folder in a namespace. This allows you to reorganize the hierarchy of folders to best suit your organization’s users. For example, when your company reorganizes, you can reorganize the namespace to match the new structure.

Disable Referrals to a Folder A referral is a list of targets that a client computer receives from a domain controller or namespace server when the user accesses a root or folder with namespace targets. By disabling a folder target’s referral, you prevent client computers from accessing that folder target in the namespace. This is useful when you are moving data between servers.

Specify Referral Cache Duration Clients do not contact a namespace server for a referral each time they access a folder in a namespace; namespace root referrals are cached. Clients that use a cached referral will renew the cache duration value of the referral each time a file or folder is accessed using the referral. This means that the clients will use the referral indefinitely until the client’s referral cache is cleared or the client is restarted. You can customize the referral cache duration. The default is 300 seconds.

11-24


Configure Namespace Polling To maintain a consistent domain-based namespace across namespace servers, namespace servers must poll Active Directory periodically to obtain the most current namespace data. The two modes for namespace polling are: •

Optimize for consistency: Namespace servers poll the PDC emulator each time a namespace change occurs. This is the default.

•

Optimize for scalability: Each namespace server polls its closest domain controller at periodic intervals.


11-25

Lesson 4

Configuring and Troubleshooting DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and requirements that are associated with the feature. This lesson provides information on the specific elements, requirements, and scalability considerations as they relate to DFS-R and provides a process for configuring an effective replication topology.


Describe replication groups and replicated folders.

•

Describe the initial replication process.

•

Configure DFS namespaces and replication.

•

Troubleshoot DFS.

11-26


Replication Groups and Replicated Folders

A replication group comprises a set of member servers that participate in replicating one or more replicated folders. Two main types of replication groups are: •

Multipurpose replication group: Helps to configure replication between two or more servers for publication, content sharing, or other scenarios.

•

Replication group for data collection: Configures a two-way replication between two servers, such as a branch office server and a hub server. This group type is used to collect data from the branch office server to the hub server. You can then use standard backup software to back up the hub server data.

A replicated folder is synchronized between each member server. Creating multiple replicated folders within a single replication group helps to simplify the following for the entire group: •

Replication Group type

•

Topology

•

Hub and spoke configuration

•

Replication schedule

•

Bandwidth throttling

The replicated folders stored on each member can be located on different volumes in the member. Replicated folders do not need to be shared folders or part of a namespace, though the DFS Management snap-in makes it easy to share replicated folders, and optionally, publish them in an existing namespace.


11-27

Replication Topologies When configuring a replication group, you must define its topology. You can select between the following: •

Hub and spoke: To select this option, you require at least three member servers in the replication group. This topology works well in publication scenarios where data originates at the hub and is replicated to members at the spokes.

•

Full mesh: If ten or fewer members are in the replication group, this topology works well, with each member replicating to all others, as required.

•

No topology: Choose this option if you want to manually configure a custom topology after creating the replication group.

11-28


Initial Replication Process

When you first configure replication, choose a primary member that has the most updated files to be replicated; this server is considered authoritative for any conflict resolution that occurs when the receiving members have files that are older or newer when compared to the same files on the primary member. Consider the following concepts about the initial replication process: 1.

Initial replication does not begin immediately. The topology and DFS Replication settings must be replicated to all domain controllers, and each member in the replication group must poll its closest domain controller to obtain these settings. Active Directory replication latency and the long polling interval (60 minutes) on each member determine the amount of time this takes.

2.

Initial replication always occurs between the primary member and its receiving replication partners. After a member has received all files from the primary member, that member will replicate files to its receiving partners. In this way, replication for a new replicated folder starts from the primary member and then progresses out to the other replication group members.

3.

When receiving files from the primary member during initial replication, the receiving members that contain files that are not present on the primary member will move those files to their respective DfsrPrivate\PreExisting folder. If a file is physically identical to a file on the primary member, the file is not replicated. If the version of a file on the receiving member is different from the primary member’s version, the receiving member’s version is moved to the Conflict and Deleted folder, and remote differential compression (RDC) can be used to download only the changed blocks.

4.

To determine whether files are identical on the primary member and receiving member, DFS replication compares the files using a hash algorithm. If the files are identical, only minimal metadata is transferred.


5.

11-29

After the initialization of the replicated folder, the “primary member” designation is removed. (Initialization takes place after all files that exist before DFS replication picks up the configuration are added to the DFS replication database.) That member then is treated like any other member and its files are no longer considered authoritative over other members that have completed initial replication. Any member that has completed initial replication is considered authoritative over members that have not completed initial replication.

11-30


Demonstration: How to Configure DFS Replication

To use DFS-R, you must be aware of the following specific replication requirements. •

Ensure that the Active Directory schema has been updated to include the new DFS replication objects. If you plan to use DFS Replication, the Active Directory schema must be updated to at least the version equivalent to Microsoft Windows Server® 2003 R2 so that it includes the Active Directory classes and attributes that DFS Replication uses. To use read-only replicated folders, the schema must include the Windows Server 2008 or newer schema additions. To upgrade the schema, on the schema operations master, run adprep.exe /forestprep. This tool is available in the Windows\sources\adprep folder of the Windows Server 2008 installation media.

•

All Servers in a replication group must be in the same forest. You cannot enable replication across servers in different forests.

•

The servers that will participate in DFS Replication must run a Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 operating system. You must install the DFS Replication service role on each server that will take part in replication, and you must install the DFS Management snap-in on one server to manage replication. DFS replication is supported on all editions of Windows Server 2008 R2 and only x64 editions of Windows Server 2008.

•

To support failover clustering, the failover cluster server must be running Windows Server 2008 R2.

•

Antivirus software must be compatible with DFS Replication in that antivirus software can cause excessive replication if their scanning activities alter the timestamp on files in a replicated folder. Contact your antivirus software vendor to check for compatibility.


Create a new folder target for replication.

•

Create a new replication group.


11-31

Troubleshooting DFS

Windows Server 2008 provides a number of tools that can be used to monitor and troubleshoot DFS-R. The tools include: •

Diagnostic Reports: Use to run a diagnostic report for the following: •

Health Report: Shows extensive replication statistics and reports on replication health and efficiency.

•

Propagation Test: Generates a test file in a replicated folder to be used to verify replication and provide statistics for the propagation report.

•

Propagation Report: Provides information about the progress for a test file that is generated during a propagation test. This report will ensure that replication is functional.

•

Verify Topology: Use to verify and report on the status of the replication group topology. This will report any members that are disconnected.

•

Dfsrdiag.exe: This command-line utility can be used to monitor the replication state of the DFS replication service.

Troubleshooting DFS DFS problems generally fall into one of the following categories: •

Unable to access the DFS namespace: Ensure that both the Netlogon and DFS services are running on all servers that are hosting the namespace.

•

Inability to find shared folders: If clients cannot connect to a shared folder, use standard troubleshooting techniques to ensure that the folder is accessible and that clients have permissions. Remember that clients connect to the shared folder directly.

11-32


•

Unable to access DFS links and shared folders: Verify that the underlying folder is available and that the client has permissions on it. If a replica exists, verify whether the problem is related to replication latency (refer to the following “replication latency” description).

•

Security-related issue: Remember that the client accesses the shared folder directly; therefore, you must verify the shared folder and ACL permissions on the folder.

•

Replication latency: Remember that the DFS replication topology is stored in the domain's AD DS; consequently, there is some latency before any modification to the DFS namespace is replicated to all domain controllers.

Additional Information For additional information, go to the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc962144.aspx.


11-33




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure DFS. To avoid the need to perform backups remotely, a departmental file share in the branch office will be replicated back to the head office for centralized backup. Data replicated to the head office should be read only. For this project, you must complete the following tasks: •

Install the DFS role service

•

Configure the required namespace

•

Configure DFS replication

11-34


Exercise 1: Installing the DFS Role Service Scenario In this exercise, you will install the DFS role service on NYC-SVR1 and NYC-DC1. The main tasks for this exercise are as follows: 1.

Install the DFS Role Service on NYC-SVR1.

2.

Install the DFS Role Service on NYC-DC1.

X Task 1: Install the DFS Role Service on NYC-SVR1 1.

Switch to NYC-SVR1.

2.

Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication.

3.


X Task 2: Install the DFS Role Service on NYC-DC1 1.

Switch to NYC-DC1.

2.

Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication.

3.


Results: At the end of this exercise, you will have installed the required role services on both servers.


11-35

Exercise 2: Configuring the Required Namespace Scenario In this exercise, you will configure a namespace to support the branch office distributed data requirement. The branch offices require two folders: one for research templates and another for data files. The main tasks for this exercise are as follows: 1.

Use the New Namespace Wizard to create the BranchDocs namespace.

2.

Enable access-based enumeration for the BranchDocs namespace.

3.

Add the ResearchTemplates folder to the BranchDocs namespace.

4.

Add the DataFiles folder to the BranchDocs namespace.

5.

Verify the BranchDocs namespace.

X Task 1: Use the New Namespace Wizard to create the BranchDocs namespace 1.

Switch to NYC-SVR1.

2.

Open DFS Management.

3.

Create a new namespace with the following properties:

4.

•

Server: NYC-SVR1

•

Name: BranchDocs

•

Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode

Verify that the namespace has been created.

X Task 2: Enable access-based enumeration for the BranchDocs namespace •

In DFS Management, in the \\Contoso.com\BranchDocs Properties dialog box, on the Advanced tab, select the Enable access-based enumeration for this namespace check box.

X Task 3: Add the ResearchTemplates folder to the BranchDocs namespace •

Add a new folder to the BranchDocs namespace: •

Folder name: ResearchTemplates

•

Add a folder target: •

Path: \\NYC-DC1\ResearchTemplates

•

Create share

•

Local path: C:\BranchDocs\ResearchTemplates

•

Permissions: All users have read and write permissions

•

Create folder

11-36


X Task 4: Add the DataFiles folder to the BranchDocs namespace •

Add a new folder to the BranchDocs namespace: •

Folder name: DataFiles

•

Add a folder target: •

Path: \\NYC-SVR1\DataFiles

•

Create share

•

Local path: C:\BranchDocs\DataFiles

•


•

Create folder

X Task 5: Verify the BranchDocs namespace 1.

On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\BranchDocs and then press ENTER.

2.

Verify that both ResearchTemplates and DataFiles are visible and then close the window.

Results: At the end of this exercise, you will have created and verified the DFS namespace.


11-37

Exercise 3: Configuring DFS Replication Scenario In this exercise, you will configure DFS replication between NYC-SVR1 and NYC-DC1. You will also make the copy of the data files on NYC-DC1 read-only. The main tasks for this exercise are as follows: 1.

Create another Folder Target for DataFiles.

2.

Configure Replication for the namespace.

X Task 1: Create another Folder Target for DataFiles 1.

In DFS Management, expand Contoso.com\BranchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target.

2.

Add a new folder target:

3.

•

Path to target: \\NYC-DC1\DataFiles

•

Create share

•

Local path: C:\BranchDocs\DataFiles

•


•

Create folder

In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

X Task 2: Configure Replication for the namespace 1.

2.

3.

Complete the Replicate Folder Wizard: •

Primary member: NYC-SVR1

•

No topology

•

Use defaults elsewhere and accept any messages

Create a new replication topology for the namespace: •

Type: Full mesh

•

Schedule and bandwidth: defaults

In the details pane, on the Memberships tab, verify that the replicated folder is shown on NYC-DC1 and NYC-SVR1. Right-click NYC-DC1 and then click Make read-only.

Results: At the end of this exercise, you will have successfully configured DFS replication.

11-38




2.


3.


4.



11-39

Lesson 5

Configuring BranchCache

BranchCache is a new feature in Windows Server 2008 R2 that reduces WAN link utilization for branch offices. In some cases, it can also improve application performance for branch office users that access data in the head office. Branch office client computers use a data cache in the branch office to reduce traffic over a WAN link. If you configure client computers to use the Distributed Cache mode, the cached content is distributed across client computers. If you configure client computers to use the Hosted Cache mode, the cached content is maintained on a server computer on the branch office network. You can customize BranchCache settings and perform additional configuration tasks after configuring BranchCache. You can also monitor BranchCache events, work, and performance and query BranchCache infrastructure to verify the configuration of servers and cache use.


Describe how BranchCache works.

•

Describe BranchCache requirements.

•

Configure server-side BranchCache settings.

•

Configure client-side BranchCache settings.

•

Configure BranchCache Mode.

•

Monitor BranchCache.

11-40


How Does Branch Cache Work?

One of the challenges that branch offices face is improving the performance of intranet resources that are accessed from head offices or regional data centers. Typically, branch offices are connected by WANs, which usually have slower data rates than the intranet. Reducing the network utilization on the WAN connection provides more bandwidth for other applications and services. The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the network utilization on WAN connections between branch offices and headquarters by locally caching frequently used files on computers in the branch office. BranchCache improves the performance of applications that use one of the following protocols: •

HTTP or HTTPS: Protocols used by web browsers and other applications.

•

SMB, including signed SMB traffic: Protocol used for accessing shared folders.

•

Background Intelligent Transfer Service (BITS): A Windows component that distributes content from a server to clients by using only idle network bandwidth.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase the WAN use. BranchCache only caches the read requests and will not interfere when a user saves a file. BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 to client computers and Windows Server 2008 R2 to server computers, and by enabling the BranchCache feature. BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), SMB Signing, and end-to-end IP Security (IPsec). You can use BranchCache to reduce the network bandwidth utilization and improve application performance, even if the content is encrypted.


11-41

You can configure BranchCache to use the Hosted Cache mode or the Distributed Cache mode. •

Hosted Cache: This mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the branch office. Client computers are configured with the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that the subsequent client requests can get it from there.

•

Distributed Cache: You can configure BranchCache in the Distributed Cache mode for small remote offices without requiring a Windows Server 2008 R2-based server. In this mode, local Windows 7 clients keep a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted Cache mode, this configuration works across a single subnet only. In addition, clients who hibernate or disconnect from the network will not be able to provide content to other requesting clients.

When BranchCache is enabled on the client computer and the server computer, the client computer performs the following process to retrieve data when using the HTTP, HTTPS, or SMB protocol: 1.

The client computer that is running Windows 7 connects to a content server computer that is running Windows Server 2008 R2 in the head office and requests content similar to the way it would retrieve content without using BranchCache.

2.

The content server computer in the head office authenticates the user and verifies that the user is authorized to access the data.

3.

The content server computer in the head office returns identifiers or hashes of the requested content to the client computer instead of sending the content itself. The content server computer sends that data over the same connection that the content would have normally been sent.

4.

Using retrieved identifiers, the client computer does the following: •

If configured to use Distributed Cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content.

•

If configured to use Hosted Cache, the client computer searches for the content on the configured Hosted Cache.

5.

If the content is available in the branch office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from within the branch office and ensures that the data is updated and has not been tampered with or corrupted.

6.

If the content is not available in the remote office, the client computer retrieves the content directly from the server computer across the WAN link. The client computer then either makes it available on the local network to other requesting client computers (Distributed Cache mode) or sends it to the Hosted Cache, where it is made available to other client computers.

11-42


BranchCache Requirements

BranchCache optimizes traffic flow between head office and branch offices, and only Windows Server 2008 R2 servers and Windows 7 clients can benefit from it. The earlier versions of Windows operating systems will not benefit from this feature. You can cache only the content that is stored on Windows Server 2008 R2 file servers or web servers by using BranchCache.

Requirements for Using BranchCache To use BranchCache, you must perform the following tasks: •

Install the BranchCache feature or the BranchCache for Network Files role service on the Windows Server 2008 R2 server that is hosting the data.

•

Configure clients either by using Group Policy or the netsh branchcache set service command.

If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. Additional configurations are not needed. If you want to use BranchCache to cache content from the file server, you must install the BranchCache for the Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCacheenabled file shares. BranchCache is supported on Full Installation of Windows Server 2008 R2 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery. In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2, and the clients in the branch must run Windows 7 or Windows Server 2008 R2. You should configure the client firewall to allow incoming traffic, HTTP, and WS-Discovery.


11-43

In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers across the WAN link must run Windows Server 2008 R2. Hosted Cache in the branch must run Windows Server 2008 R2 and the client in the branch must run Windows 7. You must configure a firewall to allow incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.

11-44


Configuring BranchCache Server Settings

You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS, and to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2008 R2. The following table lists the servers that you can configure for BranchCache: Server

Description

Web server or BITS server

To configure a Windows Server 2008 R2 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure clients who will use the BranchCache feature; no additional configuration of the web server is needed.

File server

The BranchCache for the Network Files role service of the File Services server role needs to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for the Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you need to configure each individual file share to enable BranchCache. You also need to configure clients who will use the BranchCache feature.

Hosted Cache server

For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2008 R2 server that you are configuring as a Hosted Cache server. To secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh tool.


11-45

Configuring BranchCache Client Settings

You do not need to install the BranchCache feature in Windows 7 because BranchCache is already included in Windows 7. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you need to perform the following steps: 1.

Enable BranchCache.

2.

Enable the Distributed Cache mode or Hosted Cache mode.

3.

Configure the client firewall to allow BranchCache protocols.

Enabling BranchCache If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.

Enabling the Distributed Cache Mode or Hosted Cache Mode You can enable the BranchCache feature on client computers by using group policy or the netsh branchcache set service command. To configure BranchCache settings by using group policy, perform the following steps for a domain-based Group Policy object: 1.

Open the Group Policy Management console.

2.

Browse to Computer Configuration->Policies->Administrative Templates->Network, and then click BranchCache.

3.

Turn on BranchCache and set either the Distributed Cache or Hosted Cache mode.

11-46


To configure BranchCache settings by using the netsh branchcache set service command, perform the following steps: 1.

Use the following netsh syntax for the distributed mode: netsh branchcache set service mode=distributed

2.

Use the following netsh syntax for the hosted mode: netsh branchcache set service mode=hostedclient location=

Configuring the Client Firewall To Allow BranchCache Protocols In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers and the WS-Discovery protocol for cached content discovery. You should configure the client firewall to allow the following incoming rules: •

BranchCache–Content Retrieval (Uses HTTP)

•

BranchCache–Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but it does not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to allow the incoming rule, BranchCache–Content Retrieval (Uses HTTP).

Additional Configuration Tasks for BranchCache After you configure BranchCache, clients can access the cached data in BranchCache-enabled content servers, available locally in the branch office, and not across a slow WAN link. You can modify BranchCache settings and perform additional configuration tasks, such as: •

Setting the cache size

•

Setting the location of the Hosted Cache server

•

Clearing the cache

•

Creating and replicating a shared key for using in a server cluster


Demonstration: How to Configure BranchCache Mode


Enable BranchCache on a file server.

11-47

11-48


Monitoring BranchCache

After the initial configuration, you might want to verify that BranchCache is configured correctly and functioning properly. You can use the netsh branchcache show status all command to display the BranchCache service status. On client and Hosted Cache servers, additional information such as the location of the local cache, the size of the local cache, and the status of the firewall rules for HTTP and WS-Discovery protocols that BranchCache uses is shown. You can also use the following tools to monitor BranchCache: •

Event Viewer: Monitor BranchCache events in Event Viewer.

•

Performance counters: Monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use BranchCache performance monitor for determining the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 implemented in the environment, you can use BranchCache Management Pack for System Center Operations Manager 2007.


11-49


Lab Setup Important You must reconfigure the 6421B-NYC-CL2 computer onto the Private Network. Instructions are provided for this. For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps: 1.


2.


3.


4.

Log on using the following credentials: •


•

Password: Pa$$w0rd

•

Domain: Contoso

5.

In Hyper-V™ Manager, click 6421B-NYC-CL2, and in the Actions pane, click Settings.

6.

In the Settings for 6421B-NYC-CL2 dialog box, in the navigation pane, click Network Adapter.

7.

In the Results pane, in the Network drop down list, click Private Network and then click OK.

11-50


Lab Scenario Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN utilization out to the branch office, BranchCache will be configured for these data. For this project, you must complete the following tasks: •

Perform initial configuration tasks for BranchCache

•

Configure BranchCache clients

•

Configure BranchCache on the branch server

•

Monitor and verify BranchCache


11-51

Exercise 1: Performing Initial Configuration Tasks for BranchCache Scenario In this exercise, you will prepare the network environment for BranchCache. The main tasks for this exercise are as follows: 1.

Configure NYC-DC1 to use BranchCache.

2.

Simulate slow link to the branch office.

3.

Enable a file share for BranchCache.

4.

Configure client firewall rules for BranchCache.

X Task 1: Configure NYC-DC1 to use BranchCache 1.

Switch to NYC-DC1.

2.

Open Server Manager and install the BranchCache for network files role service.

3.

Open the local group policy editor (gpedit.msc).

4.

Navigate to and open Computer Configuration > Administrative Templates > Network > Lanman Server > Hash Publication for BranchCache. Enable this setting and then select Allow hash publication only for shared folders on which BranchCache is enabled.

X Task 2: Simulate slow link to the branch office 1.

Navigate to Computer Configuration > Windows Settings > Policy-based QoS.

2.

Create a new policy:

3.

•

Name: Limit to 100Kbps

•

Specify Outbound Throttle Rate: 100


X Task 3: Enable a file share for BranchCache 1.

Create a new folder called C:\Share.

2.

Share this folder with the following properties: •

Sharename: Share

•

Permissions: default

•

Caching: Enable BranchCache

3.

Copy C:\Windows\System32\mspaint.exe to this new folder.

4.


X Task 4: Configure client firewall rules for BranchCache 1.

Open Group Policy Management.

2.

Navigate to Forest: Contoso.com > Domains > Contoso.com > Default Domain Policy. Open the policy for editing.

3.

Navigate to Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.

11-52


4.

5.

Create a new inbound firewall rule with the following properties: •

Rule type: predefined

•

Use BranchCache – Content Retrieval (Uses HTTP)

•

Action: Allow

Create a new inbound firewall rule with the following properties: •

Rule type: predefined

•

Use BranchCache – Peer Discovery (Uses WSD)

•

Action: Allow

Results: At the end of this exercise, you will have prepared the network environment for BranchCache.


11-53

Exercise 2: Configuring BranchCache Clients Scenario In this exercise, you will configure NYC-CL1 and NYC-CL2 with the required settings to enable BranchCache. The main task for this exercise is: 1.

Configure clients to use BranchCache in hosted cache mode.

X Task 1: Configure clients to use BranchCache in hosted cache mode 1.

In Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > BranchCache.

2.

Enable the Turn on BranchCache value.

3.

Enable the Set BranchCache Hosted Cache mode value and then configure the Enter the location of hosted Cache value: NYC-SVR1.contoso.com.

4.

Enable the Configure BranchCache for network files value and then configure the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office value: 0.

5.

Close Group Policy Management Editor and Group Policy Management console.

6.

Start the 6421B-NYC-CL1 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd. Open a command prompt and refresh the group policy settings (gpupdate /force).

7.

At the command prompt window, type netsh branchcache show status all and then press ENTER.

8.

Start the 6421B-NYC-CL2 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd.

9.

Reconfigure the computer to obtain an IPv4 address automatically.

10. Restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd. 11. Open a command prompt and refresh the group policy settings (gpupdate /force). 12. At the command prompt window, type netsh branchcache show status all and then press ENTER. Results: At the end of this exercise, you will have configured the client computers for BranchCache.

11-54


Exercise 3: Configuring BranchCache on the Branch Server Scenario In this exercise, you will configure BranchCache on NYC-SVR1. The main tasks for this exercise are as follows: 1.

Install the BranchCache feature on NYC-SVR1.

2.

Request a certificate and link it to BranchCache.

3.

Start the BranchCache Host Server.

X Task 1: Install the BranchCache feature on NYC-SVR1 1.

Start 6421B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

2.

Open Server Manager and add the BranchCache feature.

3.


X Task 2: Request a certificate and link it to BranchCache 1.

Using the Certificates snap-in, request a new Computer certificate.

2.

Open the newly issued certificate (in the Personal store).

3.

On the Details tab, view the Thumbprint field. Copy the text from the details section to the paste buffer.

4.


5.

Run the following command, replacing certifcatehashvalue with the contents from the paste buffer— leaving out spaces. netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

6.

At the command prompt window, type netsh branchcache show status all and then press ENTER.

X Task 3: Start the BranchCache Host Server 1.

Switch to NYC-DC1.

2.

Open Active Directory Users and Computers. Create a new OU called BranchCacheHost and move NYC-SVR1 into this OU.

3.

Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU.

4.


5.

Switch to NYC-SVR1 and restart the computer.

6.

Log on as Contoso\Administrator with the password of Pa$$w0rd.

7.

At the command prompt window, type netsh branchcache set service hostedserver and then press ENTER.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.


11-55

Exercise 4: Monitoring BranchCache Scenario In this exercise, you will monitor and verify the BranchCache service. The main tasks for this exercise are as follows: 1.

Configure Performance Monitor on NYC-SVR1.

2.

View Performance statistics on NYC-CL1.

3.

View performance statistics on NYC-CL2.

4.

Test BranchCache in hosted caching mode.

X Task 1: Configure Performance Monitor on NYC-SVR1 1.

Open Performance Monitor.

2.

In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. Remove existing counters, change to a report view, and then add the BranchCache object to the report.

X Task 2: View Performance statistics on NYC-CL1 1.

Switch to NYC-CL1.

2.


3.


X Task 3: View performance statistics on NYC-CL2 1.

Switch to NYC-CL2.

2.


3.


X Task 4: Test BranchCache in hosted caching mode 1.

Switch to NYC-CL1.

2.

Open \\NYC-DC1.contoso.com\share and copy the executable file to the local desktop. This could take a few minutes due to the simulated slow link.

3.

Read the performance statistics on NYC-CL1. This file was retrieved from the NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served).

4.

Switch to NYC-CL2.

5.

Open \\NYC-DC1.contoso.com\share and copy the executable file to the local desktop. This should not take long because the file is cached.

11-56


6.

Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).

7.

Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified the function of BranchCache.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-CL1 and 6421B-NYC-CL2.


11-57


Review Questions 1.

How can you use DFS in your File Services deployment?

2.

What does the Primary Member configuration do when setting up replication?

3.

What kind of compression technology is used by Windows Server 2008 DFS?

4.

How does BranchCache differ from DFS?

5.

Why would you want to implement BranchCache in hosted cache mode rather than distributed cache mode?

Windows Server 2008 R2 Features Introduced in This Module Windows Server 2008 R2 feature

Description

Read-only replicated folders

Ability to configure read-only replicated folders from the DFS Management console

Failover cluster support

Failover cluster support for DFS

BranchCache

Helps speed up access to files by caching them on a local computer or on a server in the branch office

11-58


Tools Tool

Use for

Where to find it

Dfsutil

Performing advanced operations on DFS namespaces

On a namespace server, type Dfsutil at the command prompt.

Dfsdiag

Configure and monitor DFS

On a namespace server, type Dfsdiag at the command prompt.

Dfsrdiag

Monitoring replication

On a namespace server, type Dfsrdiag at the command prompt.

Dfscmd.exe

Scripting basic DFS tasks such as configuring DFS roots and targets

On a namespace server, type Dfscmd at the command prompt.

DFS Management

Performing tasks related to DFS namespaces and replication

Click Start, point to Administrative Tools, and then click DFS Management.

Netsh

Configuring network settings, including those relevant for BranchCache, and displaying BranchCache status

Command-line

12-1

Module 12 Controlling and Monitoring Network Storage Contents: Lesson 1: Monitoring Network Storage

12-3

Lesson 2: Controlling Network Storage Utilization

12-10

Lesson 3: Managing File Types on Network Storage

12-16

Lab: Controlling and Monitoring Network Storage

12-28

12-2


Module Overview

Network storage for users is a finite resource that must be managed appropriately to ensure that it remains available for all users. If network storage is not monitored and managed, it can become filled with irrelevant data, such as personal music or movies. Irrelevant data increases network storage costs and in some cases can prevent useful data from placement on the network storage. File Server Resource Manager (FSRM) can be used to monitor and manage network storage.


Describe how to monitor network storage by using FSRM.

•

Explain how to manage quotas by using FSRM.

•

Describe how to implement file screening, classification management, and file management tasks by using FSRM.

Controlling and Monitoring Network Storage

12-3

Lesson 1

Monitoring Network Storage

FSRM is a server role for Windows Server 2008 that helps you monitor and control network storage. To monitor network storage, FSRM includes a number of reports that you can use to identify storage growth and other issues that are related to network storage. The reports can be scheduled or created on-demand.


Explain storage management challenges.

•

Describe File Server Resource Manager.

•

Discuss storage reports.

•

Describe the ways to generate storage reports.

•

Install and configure File Server Resource Manager.

12-4


Discussion: Storage Management Challenges

Storage management is the process of planning, implementing, analyzing, and optimizing the methods, tools, and components that are used in the organization’s storage environment. As the size and complexity of the data increases, the need for capacity management also increases. To effectively meet the storage needs of your organization, you need to track how much storage capacity is available, how much storage space you need for future expansion, and how you are using the environment’s storage. Question: What are some of the storage management challenges in your organization?


12-5

What Is File Server Resource Manager?

File Server Resource Manager (FSRM) is a role service of the File Services role in Windows Server 2008 that acts as a storage management solution for file servers. It provides a robust set of tools and capabilities that allow you to effectively manage and monitor your server’s storage capacity. FSRM contains five components that work together to provide a capacity management solution: •

Quotas: The quota functionality in FSRM allows you set storage limits on volumes or folders. You can use this to control the storage that is used by individuals or departments.

•

File screening: The file screening capability in FSRM allows you control what types of files can be stored on a file share. Files types are identified by file extension.

•

Storage Report: The storage reports in FSRM can be used to identify quota usage, file screening activity, and more. These reports can help you identify areas of concern that need to be addressed.

•

Classification: The classification capabilities in FSRM allow files to be identified as a particular type or classification. The file can then be managed based on the classification. This functionality is available only in Windows Server 2008 R2.

•

File Management: The file management functionality in FSRM allows you to automatically expire files or perform custom file management tasks that are defined by a script. This functionality is available only in Windows Server 2008 R2.

12-6


What Are Storage Reports?

FSRM can generate reports that help you understand file storage usage on a file server. You can use the storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant files, track quota usage, and audit file screening. Most storage reports have configurable parameters that determine the content in the report. For example, some reports allow you to select specific volumes or folders on which to report. The following table describes each available storage report: Report

Description

Duplicate Files

Lists files that appear to be duplicates (files with the same size and lastmodified time). Use this report to identify and reclaim disk space that is wasted due to duplicate files.

File Screening Audit

Lists file screening events that have occurred on the server for a specific number of days. Use this report to identify users or applications that violate screening policies.

Files by File Group

Lists files that belong to specific file groups. Use this report to identify file group usage patterns and file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.

Files by Owner

Lists files that are grouped by file owners. Use this report to analyze usage patterns on the server and users who consume large amounts of disk space.

Files by Property

Lists files by the values of a particular classification property. Use this report to observe file classification usage patterns.


12-7

(continued) Report

Description

Large Files

Lists files that are of a specific size or larger. Use this report to identify files that are consuming the most disk space on the server. This can help you quickly reclaim large quantities of disk space.

Least Recently Accessed Files

Lists files that have not been accessed for a specific number of days. This can help you identify seldom-used data that might be archived and removed from the server.

Most Recently Accessed Files

Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that must be highly available.

Quota Usage

Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that you can take appropriate action.

12-8


Ways to Generate Reports

You can create scheduled or on-demand reports. Reports can also be generated automatically to notify you when a user exceeds a quota threshold or saves an unauthorized file. Scheduled reports are generated by a report task. A report task is a set of storage management reports that run based on a schedule. The report task specifies which reports to generate and what parameters to use, which volumes and folders to report on, how often to generate the reports, and which file formats to save them in. On-demand reports are generated by an administrator who is selecting the option to Generate Reports Now. Typically, this type of report is used for troubleshooting or for quickly checking on storage information that is not included in a scheduled report. Automatically generated reports are configured as part of file screening or quota management. As part of the file screening and quota management configuration, you can choose to have reports automatically generated when users save inappropriate files or exceed their quota. Regardless of how you generate a report, or whether you choose to view the report immediately, the report is saved on the disk. Incident reports are saved in the Dynamic HTML (DHTML) format. You can save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats. Scheduled reports, on-demand reports, and incident reports are saved in separate subdirectories of the %Systemdrive%\StorageReports\ folder.


Demonstration: How to Install and Configure FSRM


Install FSRM.

•

View FSRM configuration options.

12-9

12-10


Lesson 2

Controlling Network Storage Utilization

One of the ways that you can ensure that adequate storage is available for users is by setting and monitoring quotas. The quota management provided by FSRM allows you monitor and limit the size of individual folders. This is unlike NTFS quotas that are based only on which user owns files. To simplify the implementation of quotas, you can use quota templates.


Describe quota management.

•

Explain how FSRM quotas are different from NTFS quotas.

•

Describe quota templates.

•

Create and configure a quota.

•

Explain how to monitor quota usage.


12-11

What Is Quota Management?

You can use quota management to limit the disk space that is allocated to volumes or folders on file servers. Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quota to ensure that individual users do not consume excessive amounts of storage with their home drives, or limit the amount of space consumed the shared folder that is used by a particular department. Two different types of quotas can be created: •

A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the volume of data reaches each configured threshold.

•

A soft quota does not enforce the quota limit, but it generates all the configured notifications.

To determine what happens when the quota limit approaches, you can configure notification thresholds. For each threshold that you define, you can send email notifications, log an event, run a command or script, or generate storage reports. For example, you might want to notify the administrator and the user who saved the file when a folder reaches 85 percent of its quota limit and then send another notification when the quota limit is reached. In some cases, you might want to run a script that raises the quota limit automatically when a threshold is reached.

12-12


FSRM Quotas vs. NTFS Disk Quotas

NTFS quotas allow an administrator to declare a general storage limit on an individual user basis for an NTFS formatted volume on a file server. This method governs a user’s storage consumption across the volume, regardless of which folder it is in. NTFS quotas do not account for NTFS compression, which means that even though a compressed file might take up less physical room than if it were uncompressed, the quota will be applied based on the file’s uncompressed size. NTFS disk quotas are based on file ownership, so operating system accounts are not immune to disk quotas. System accounts, such as the Local System, are also susceptible to running out of disk space due to disk quotas having been set. FSRM quota management introduces some key advantages over NTFS quotas. The following table outlines the key difference between FSRM-based quota management and using NTFS disk quotas: Quota Feature

NTFS Quotas

FSRM Quotas

Quota Tracking

Per user on a volume

By folder or by volume

Disk usage calculation

Logical file size reported by NTFS

Actual disk space

Notification mechanisms

Event logs only

Email, custom reports, running commands or scripts, event logs


12-13

What Are Quota Templates?

A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be generated when the quota limit is approached or exceeded. Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply a standard storage limit and a standard set of notification thresholds to many volumes and folders on servers throughout your organization. If basing your quotas on a template, you can update all quotas that are based on the template by editing that template. This feature simplifies updating the properties of quotas by providing a central point where IT administrators can make all changes. For example, you can create a User Quota template that you use to place a 200 MB limit on the personal folder of each user. For each user, you would then create a quota based on the User Quota template and assign it to the user’s folder. If you later decide to allow each user additional space on the server, you only change the space limit in the User Quota template and choose to update each quota that is based on that quota template. FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota template to a parent volume or folder. Then, a quota that is based on the template is created for each of the existing subfolders, and a quota is automatically generated for each new subfolder that is created.

12-14


Demonstration: How to Create and Configure a Quota


Create a new quota template.

•

Create a new quota based on a quota template.

•

Generate a quota notification.


12-15

Monitoring Quota Usage

In addition to the information in the notifications that is sent by quotas, you can find quota usage by viewing the quotas in the FSRM console, by generating a Quota Usage report, or by creating soft quotas for monitoring the overall disk usage. Use the Quota Usage report to identify quotas that might soon be exceeded so that you can take the appropriate action. To monitor the overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the following default templates that you can use (or adapt) for this purpose: •

Monitor 200 GB Volume Usage

•

Monitor 500 MB Share

12-16


Lesson 3

Managing File Types on Network Storage

In addition to controlling the volume of storage used on a file server that is using quotas, you might want to control the types of files that are stored on the server. FSRM includes file screening, classification, and file management to help control what content is allowed on a server and manage that content.


Describe file screening.

•

Describe file screening components.

•

Configure file screening.

•

Describe classification management.

•

Describe how classification rules are used to automatically assign classification properties.

•

Configure classification management.

•

Describe file management.


12-17

What Is File Screening?

File screening allows you to create file screens to block files from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the types of files that file screens manage. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server. Like all components of FSRM, you can choose to generate email or other notifications when a file screening event occurs.

File Screen Types A file screen can be active or passive: •

Active screening prevents users from saving unauthorized file types on the server and generates configured notifications when they attempt to do so.

•

Passive screening sends configured notifications to users who are saving specific file types, but it does not prevent users from saving those files. Note A file screen does not prevent users and applications from accessing files that were saved to the path before the file screen was created, regardless of whether the files are members of blocked file groups.

12-18


File Screening Components

To configure file screening, you need to understand the different components that can be configured. File screening relies on the configuration file groups, file screening templates, and file screening exceptions.

File Groups A file group consists of a set of file name patterns, which are grouped as files to include and files to exclude. Typically, the file name patterns are based on file extensions, such as *.mp3 or *.doc. A file screen includes a list of file groups that it applies to. FSRM provides several default file groups, which you can view in File Screening Management by clicking the File Groups node. You can define additional file groups or change the files to include and exclude. Any change that you make to a file group affects all existing file screens, templates, and reports to which the file group has been added.

File Screen Templates To simplify file screen management, you can create your file screens based on file screen templates. By creating file screens exclusively from templates, you can manage your file screens centrally by updating the templates instead of individual file screens. A file screen template defines the following: •

File groups to block

•

Screening types to perform

•

Notifications to be generated


12-19

File Screen Exceptions Occasionally, you need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your training group to save video files for their computerbased training. To allow files that other file screens are blocking, create a file screen exception. A file screen exception is a special type of file screen that you can create to override any file screening that would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it creates an exception to any rules that are derived from a parent folder. To determine which file types that the exception will allow, file groups are assigned.

12-20


Demonstration: How to Implement File Screening


Create a file group.

•

Create a file screen template.

•

Create a file screen by using a file screen template.

•

Test the file screen.


12-21

What Is File Classification?

File classification defines properties and values for files. You can then manage files based on those properties and values. You can use this functionality on file servers to classify the document into categories and then manage the documents based on those categories. Most applications manage files based on their location or the folder in which they are contained. This leads to complicated folder structure that often negatively affects the usability of the files and folders and increases administrative requirements. To reduce the cost and risk associated with this type of data management, the File Classification infrastructure uses a platform that allows administrators to classify files and apply policies based on that classification. The storage layout is unaffected by data management requirements, and the organization can adapt more easily to a changing business and regulatory environment. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The file classification in Windows Server 2008 R2 allows organizations to convert these manual processes into automated policies. For example, files of a specific type can be expired after a specified period of time. Administrators can specify file management policies based on a file’s classification and apply corporate requirements for managing data based on business value. Additionally, administrators can modify the policies and use tools that support classification to manage their files. Classification properties are used to assign values to files. You define the name of the classification property and the valid values for that property. There are many property types that you can choose from, including: number, string, and multiple choice list. Classification properties are assigned by using classification rules.

12-22


Some considerations for file classification are: •

File classification properties are stored in NTFS alternate data streams. As a consequence, if you move a classified file to a non-NTFS formatted drive, the file will lose the classification properties.

•

File classification properties for Microsoft Office documents are stored in the document as custom document properties. The classification properties stored in a Microsoft Office document are retained, regardless of where the file is moved.

•

Content inside of container files, such as .zip or .vhd files, cannot be classified.

•

Content inside of encrypted files cannot be classified. Note File classification is only available on file servers that are running Windows Server 2008 R2.


12-23

What Are Classification Rules?

Classification rules assign classification properties to files. Each classification rule includes information that defines which files the rule applies to and the classification property to be assigned. You include the specific classification property and value of the property in the rule. You use the scope in a classification rule to specify one or more folders that the classification rule will apply to. On a file server, you can have different classification rules for each department and apply departmental rules only to folders containing data for that department. Each rule contains a classification mechanism that determines how matching files for the rule are selected. The folder classifier selects files based on the path that the file is stored in. The content classifier searches for strings or regular expressions in the file content. The content classifier uses classification parameters to define the pattern searched for in file content. You can define one of these classification parameters: •

RegularExpression: Match a regular expression by using the .NET syntax. For example, “\d\d\d” will match any three-digit number.

•

StringCaseSensitive: Match a case-sensitive string. For example, Confidential will only match Confidential and not confidential or CONFIDENTIAL.

•

String: Match a string, regardless of case. For example, confidential will match both Confidential and CONFIDENTIAL.

Classification Scheduling You can run classification rules in two ways: on-demand or based on a schedule. Either way you choose, each time you run classification, it uses all rules that you have left in the Enabled state. Configuring a schedule for classification allows you to specify a regular interval at which file classification rules will run, ensuring that your server’s files are regularly classified and up to date with the latest classification properties.

12-24


Classification Rule Conflicts When multiple classification rules apply to a single file, in most cases the properties are combined. However, in cases of conflict for a single classification property, the following behaviors will apply: •

For Yes or No properties, a Yes value takes priority over a No value.

•

For ordered list properties, the highest property value takes priority.

•

For multiple choice properties, the property sets are combined into one set.

•

For multiple string properties, a multistring value is set that contains all the unique strings of the individual property values.

•

For other property types, an error occurs.


Demonstration: How to Configure File Classification


Create a classification property.

•

Create a classification rule.

•

Create a file containing the word payroll.

•

Modify the classification schedule.

12-25

12-26


What Are File Management Tasks?

File management tasks are automated processes that are scheduled to apply to specific group of files. For example, a file management task can delete files that have not been accessed for three years. You can define files that will be processed by a file management task through the following properties: •

Location

•

Classification properties

•

Creation time

•

Modification time

•

Last accessed time

•

File name

You can also configure file management tasks to notify file owners of any impending policy that will be applied to their files.

File Expiration Tasks File expiration tasks are used to automatically move all files that match certain criteria to a specified expiration directory, where an administrator can back up those files and delete them. When a file expiration task is run, a new directory is created within the expiration directory. The new directory is grouped by the server name on which the task was run, and it is named according to the name of the file management task and the time it was run. When an expired file is found, it is moved into the new directory, while preserving its original directory structure.


12-27

Custom File Management Tasks Expiration is not always a desired action to be performed on files. File management tasks also allow you to run custom commands. A custom command runs an executable file or script to perform an operation on the files within the scope of the file management task. For example, you could create a custom file management task that runs cipher.exe with options to update the recovery agent on all encrypted files.

12-28





2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Contoso has recently decided to implement private home folders for each user. These folders will be an alternative storage location to centralized departmental file shares. Users can save documents in their home folders when there is no need for other users to access the files. For example, some users prefer not to show anyone reports until they are completed. For this project, you must complete the following tasks: •

Configure FSRM quotas to limit the size of home folders.

•

Configure file screening to prevent storage of media files.

•

Configure file classification and file management to remove official documents.


12-29

Exercise 1: Configuring FSRM Quotas Scenario To control the size of home folders, you are implementing FSRM quotas. Each home folder is limited to 500MB. To ensure that users are not surprised about their home folders running out of space, a message is sent by email, notifying them when their quota exceeds 75 percent. An event is also written to the event log so that it can be tracked by administrators. 1.

Create the home share.

2.

Install FSRM.

3.

Create a quota template for home folders.

4.

Configure an SMTP server for FSRM notifications.

5.

Configure quotas on Home share folders.

6.

Create a home folder for a user.

7.

Verify that the quota is applied.

X Task 1: Create the home share 1.

On NYC-SVR1, create the folder C:\Home.

2.

Share C:\Home as Home with the share permissions Full Control for the Everyone group.

X Task 2: Install FSRM •

On NYC-SVR1, use Server Manager to add the File Server Resource Manager role service.

X Task 3: Create a quota template for home folders 1.

On NYC-SVR1, open File Server Resource Manager.

2.

Under Quota Management, create a quota template with the following settings: •

Template name: Home Folders

•

Description: Template for user home folders

•

Limit: 500 MB

•

Hard quota: Do not allow users to exceed limit

•

Notification threshold: •

Generate notification when usage reaches (%): 75

•

Send e-mail notification to the user who exceeded the threshold

•

Send warning to event log message

X Task 4: Configure an SMTP server for FSRM notifications •

On NYC-SVR1, in File Server Resource Manager, configure the following options for email notifications: •

SMTP server name or IP address: mail.contoso.com

•

Default administrator recipients: [email protected]

12-30


X Task 5: Configure quotas on Home share folders •

On NYC-SVR1, in File Server Resource Manager, in the Quotas node, create a new quota with the following settings: •

Quota path: C:\Home

•

Auto apply template and create quotas on existing and new subfolders

•

Derive properties from this quota template: Home Folders

X Task 6: Create a home folder for a user 1.

On NYC-DC1, open Active Directory Users and Computers.

2.

Open the properties of Adam Carter.

3.

Use the Profile tab of Adam Carter to configure a home folder: •

Drive letter: H:

•

Path: \\NYC-SVR1\Home\Adam

X Task 7: Verify that the quota is applied 1.

On NYC-CL1, log on as Adam with a password of Pa$$w0rd.

2.

Use Windows Explorer to view the properties of H: and verify that the size is limited to 500 MB.

Results: After this exercise, you will have created and applied quotas to home folders.


12-31

Exercise 2: Configuring File Screening Scenario Managers in Contoso are concerned that users will begin storing large media files in the newly created home folders. Even though the size of each home folder is limited to 500 MB by quotas, the managers want to prevent space from being wasted by video, audio, and graphics files, including a new audio format with the file extension audx. You are implementing file screening to prevent media files from being stored in home folders. The main tasks for this exercise are as follows: 1.

Add AUDX to a file group.

2.

Create a file screen template.

3.

Configure a file screen for C:\Home.

4.

Verify that the file screen is applied.

X Task 1: Add AUDX files to a file group 1.


2.

In the File Screening Management node, edit the Audio and Video Files file group and add *.audx.

X Task 2: Create a file screen template •

On NYC-SVR1, use File Server Resource Manager to create a file screen template with the following settings: •

Template name: Home Folder Media

•

Active Screening: Do not allow users to save unauthorized files

•

File groups: Audio and Video Files and Image Files

•

Send warning to event log

X Task 3: Configure a file screen for C:\Home •

On NYC-SVR1, use File Server Resource Manager to create a file screen with the following settings: •

File screen path: C:\Home

•

Derive properties from the file screen template: Home Folder Media

X Task 4: Verify that the file screen is applied 1.


2.

Use Windows Explorer to copy the Wildlife video from Libraries\Videos\Sample Videos to H:\.

3.

Verify that you cannot place the file on H:.

Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.

12-32


Exercise 3: Configuring File Classification and File Management Scenario After implementing home folders for all users, you have found that a large amount of disk space is being used by Official Documents that are stored on the Contoso Intranet. There is no need for users to copy these files into their home folders and it is wasting storage space on the file server. All official documents contain a heading with an official document number. You are configuring file classification to identify official documents on the Home share and then using file management to remove them. To ensure that legitimate documents are not accidentally deleted, files are being expired and placed in C:\Expired Documents where they can be retrieved if necessary. The main tasks for this exercise are as follows: 1.

Create a classification property for official documents.

2.

Create a classification rule for official documents.

3.

Create a file management task to expire official documents.

4.

Verify that official documents are expired.

X Task 1: Create a classification property for official documents 1.


2.

In the Classification Management node, create a new classification property with the following settings: •

Property name: Official Document

•

Property type: Yes/No

X Task 2: Create a classification rule for official documents •

On NYC-SVR1, use File Server Resource Manager to create a classification rule with the following settings: •

Rule name: Official Documents

•

Scope C:\Home

•

Classification mechanism: Content Classifier

•

Property name: Official Document

•

Property value: Yes

•

Advanced: Additional Classification Parameters •

Name: RegularExpression

•

Value: Document#\d\d\d\d-\d\d\d


12-33

X Task 3: Create a file management task to expire official documents •

On NYC-SVR1, use File Server Resource Manager to create a file management task with the following settings: •

Task name: Remove Official Documents

•

Scope: C:\Home

•

Expiration Directory: C:\Expired Documents

•

Property Condition: Official Document equals Yes

•

Schedule: Weekly, Sun 9:00 PM

X Task 4: Verify that official documents are expired 1.


2.

Use Windows Explorer to create a Microsoft Word document named Test Document on H:\.

3.

Edit Test Document and add the following content: •

Document#2011-001

4.

Close Microsoft Word.

5.

On NYC-SVR1, in File Server Resource Manager, at the Classification Rules node, run the classification rules now.

6.

Review the Automatic Classification Report that is generated to verify that one official document is found.

7.

Run the Remove Official Documents file management task.

8.

Review the File Management Task Report and verify that one file was expired.

9.

Use Windows Explorer to browse the contents of C:\Expired Documents and verify that Test Document is there.

Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.



2.


3.


4.


12-34



Review Questions 1.

You want to use file classification and file management to expire certain documents on all the file servers in your organization. Are there any limitations on where you can file classifications and file management?

2.

You want to use file management to expire old documents on departmental file shares. A colleague is concerned that deleting files without authorization will generate complaints from the departments. Is your colleague correct to be concerned?

3.

You have implemented file screening to prevent users from storing video files in the shared data volume that contains departmental folders. However, the Marketing department needs to store video files in their departmental folder. How can you allow this?

4.

You have proposed that FSRM quotas be used to control the size of departmental file shares. A colleague has experience with NTFS quotas and does not think that quotas are practical to use because they are based on file ownership. What can you tell your colleague about FSRM quotas to overcome this objection?

5.

The data in a departmental file share has grown by 10 GB in a single day. Typically, growth is less than 1 GB. You are concerned that a user has placed several large files in the departmental file share. How can you confirm this?


Windows Server 2008 R2 Features Introduced in this Module Windows Server 2008 R2 feature

Description

File classification

FSRM in Windows Server 2008 has added file classification to automatically classify files based on location or contents.

File management

FSRM in Windows Server 2008 has added file management to automate file management tasks such as expiration.

Tools Tool File Server Resource Manager

Use for Configure file screening, quotas, file classification, and file management

Where to find it Administrative Tools

12-35

13-1

Module 13 Recovering Network Data and Servers Contents: Lesson 1: Recovering Network Data with Shadow Copies

13-3

Lesson 2: Recovering Network Data and Servers with Windows Server Backup

13-9

Lab: Recovering Network Data and Servers

13-17

13-2


Module Overview

There are a variety of scenarios where a network data or a server that provides networks services can be lost. Volume shadow copies can be used to restore previous versions of files when a file is accidentally deleted or modified on a computer that is running Windows Server 2008. Windows Server Backup can be used to back up and restore data files or an entire server.


Describe how to configure and use volume shadow copies.

•

Describe how to configure and use Windows Server Backup.

Recovering Network Data and Servers

13-3

Lesson 1

Recovering Network Data with Shadow Copies

Shadow copies are used to restore previous versions of files and folders. It is much faster to restore a previous version of a file from a shadow copy than from a traditional backup. A traditional backup might be stored offsite. Snapshots of volumes are taken on a schedule that you can configure. Files and folders can be recovered by administrators or directly by end users.


Describe shadow copies.

•

Describe the considerations for scheduling shadow copies.

•

Configure shadow copies.

•

Describe ways to restore data from a shadow copy.

•

Restore data from a shadow copy.

13-4


What Are Shadow Copies?

Shadow copies is a feature in Windows Server 2008 that take snapshots of a volume. After a snapshot is taken, you and the users can access previous versions of files and folders that existed at the time that the snapshot was taken. A shadow copy does not take a complete copy of all files for each snapshot. Instead, after a snapshot is taken, Windows Server 2008 tracks disk changes to the volume. A specific amount of disk space is allocated for tracking the changed disk blocks. When you access a previous version of a file, some of the content might be in the current version of the file and some might be in the snapshot. By default, the changed disk blocks are stored on the same volume as the original file, but this can be modified. You can define how much disk space is allocated for shadow copies. Multiple snapshots are retained until the allocated disk space is full, after which, older snapshots are removed to make room for new snapshots. The amount of disk space used by a snapshot is based on the size of disk changes between snapshots. Because a snapshot is not a complete copy of files, it cannot be used as a complete replacement for traditional backups. If the disk containing a volume is lost, then the snapshots of that volume are also lost. Shadow copies are suitable for recovering data files, but not more complex data like databases that need to be logically consistent before a backup is performed. A database that is restored from previous versions is likely to be corrupt and require database repairs. Note The System Restore feature in Windows Server 2008 is dependent on shadow copies being enabled.


13-5

Considerations for Scheduling Shadow Copies

Shadow copies are enabled by default for all drives. The default schedule for creating shadow copies is Monday through Friday at 07:00 A.M. and noon. You can modify the default schedule as desired for your organization. When scheduling shadow copies: •

Consider that increasing the frequency of shadow copies increases the load on the server. You should not schedule volume shadow copies more than once each hour.

•

Increase the frequency of shadow copies for frequently changing data. This increases the likelihood that recent file changes are captured.

•

Increase the frequency of shadow copies for important data. This increases the likelihood that recent file changes are captured.

•

Consider that if you increase the frequency of shadow copies, you might need to increase the disk space allocated for volume shadow copies. By default, 10 percent of disk space is allocated for volume shadow copies.

13-6


Demonstration: How to Configure Shadow Copies


Enable shadow copies on C:.

•

View settings for shadow copies.


13-7

Ways to Restore Data from a Shadow Copy

Previous versions of files can be restored by users or administrators. In most cases, users are not aware that this capability exists and they will need to be provided with instructions on how to restore a previous version of a file. Administrators can access previous versions of files directly on the server that stores the files. Users can access previous versions of files over the network from a file share. In both cases, previous versions are accessed in the properties of the file or folder. When viewing previous versions of a folder, you can browse the available files and select only the file that you need. Also, if multiple versions of files are available, you can review each version before deciding which one to restore. Finally, you can copy a previous version to an alternate location instead of restoring to prevent overwriting the current file version. Windows Vista and Windows 7 clients are capable of accessing previous versions of files without installing any additional software. For Windows XP clients, you must install the Previous Versions client.

13-8


Demonstration: How to Restore Data from a Shadow Copy


Create a new file.

•

Create a shadow copy.

•

Modify the file.

•

Restore a previous version.


13-9

Lesson 2

Recovering Network Data and Servers with Windows Server Backup

Windows Server 2008 includes Windows Server Backup to perform backups to local disks or network shares. You can use Windows Server Backup to protect server data and restore it when a file is lost or a server fails.


Describe Windows Server Backup.

•

Describe the available backup types.

•

Identify the differences between Windows Server Backup in Windows Server 2008 and Windows Server 2008 R2.

•

Identify who can back up data.

•

Describe system state data.

•

Explain the available recovery options.

13-10


What Is Windows Server Backup?

Windows Server Backup is a feature that is included with Windows Server 2008 to back up and recover files and folders or an entire server. The feature includes a graphical user interface and a command-line interface (wbadmin.exe). Most large organizations have purchased additional software for backup and recovery such as System Center Data Protection Manager. These software packages typically have more advanced features than Windows Server Backup for centrally managing backups on multiple servers. Windows Server Backup is typically used by smaller organizations or for scenarios when a backup is needed quickly and other software is not available. You can use Windows Server Backup to back up to either a disk or network share. Tape backups are not supported by Windows Server Backup. Backup jobs can be scheduled in Windows Server backup. It is important to schedule backup jobs on a regular basis to ensure that you have backups of recent file changes.


13-11

Types of Backup

Traditionally, backups have been full, incremental, or differential: •

A full backup copies all specified files.

•

A differential backup copies all files that have changed since the last full backup.

•

An incremental backup copies all files that have changed since the last full or incremental backup.

The backups in Windows Server Backup are different because they use shadow copies as part of the backup process and for storing backups. Windows Server Backup uses the terms full backup and incremental backup in a different way: •

The first full backup copies all specified files from the source and stores them in the destination.

•

The second full backup, and any further full backups, copies all specified files from the source, but only stores disk blocks that have changed in the destination.

•

An incremental backup uses a volume shadow copy on the source to back up only changed disk blocks and copy them to the destination.

Incremental backups are faster because less data is moved during the backup process. However, server performance is reduced because of the processing that is required to create the shadow copy on the source. Note The option for full or incremental backup is only applicable if full volumes are being backed up.

13-12


Regardless of the whether full or incremental backups are selected, only changes from the previous backup are stored on the destination. However, when you review the contents of a backup, all backups appear as full backups with the data that appeared on the source at that point in time. Note Backups that are stored on network storage are always a full backup and only a single copy of the files is maintained. Windows Server Backup also allows you to select between VSS full Backup and VSS copy Backup. The VSS full backup clears application log files for which there is a VSS provider installed and clears the archive attribute on files. A cleared archive attribute indicates that the file has been backed up and is used to indicate that a file does not need to be backed up again the next time a backup is performed. The VSS copy backup does not clear application log files or clear the archive attribute on files.


13-13

Differences between Versions of Windows Server Backup

Windows Server Backup is included in Windows Server 2008 and Windows Server 2008 R2. However, there are significant differences between the two versions. The following table lists differences between Windows Server Backup versions: Windows Server 2008


Back up only full volumes.

Back up full volumes or specific files and folders.

Dedicated backup volumes are required.

Backups can be stored on volumes shared with other data.

Does not support scripting with PowerShell.

Supports scripting with PowerShell.

Critical volumes containing system state data are backed up.

System state backup can be specified.

Scheduled backups must be created on local storage.

Scheduled backups can be stored on a network share.

13-14


Who Can Back Up Data?

You can control the ability to back up files and folders on a server by using the Back up files and directories user rights assignment in the local security policy of a server. This can also be set by using Group Policy. The default groups with permission to perform backups on workstations and member servers are Administrators and Server Operators. On domain controllers, Backup Operators are also given permission to perform backups. To delegate the ability to perform backups, you can assign the Back up files and directories user right to additional users or groups. Assigning this right is approximately equivalent to assigning the following file system permissions to the entire file system: •

Traverse Folder/Execute File

•

List Folder/Read Data

•

Read Attributes

•

Read Extended Attributes

•

Read Permissions

You can control the ability to restore files and folders on a server by using the Restore files and directories user rights assignment. Note

Only trusted administrators should be given the ability to back up or restore files.


13-15

What Is System State Data?

Windows Server Backup can back up and restore the system state data for Windows Server 2008. This is essential when you are performing a full restore of a computer system. It can also be useful to recover from configuration errors and corruption of system state data. The system components that make up system state data for Windows Server 2008 depend on the server roles that are installed on the computer. System state data includes at least the following data, plus additional data depending on the server roles that are installed: •

Registry

•

COM+ Class Registration database

•

Boot files, which consists of the Bootmgr file and the Boot Configuration Data (BCD) store

•

Active Directory Certificate Services (AD CS) database

•

Active Directory Domain Services (AD DS) database

•

SYSVOL directory

•

Cluster service information

•

Microsoft Internet Information Services (IIS) metadirectory

•

System files that are under Windows Resource Protection

For Windows Server 2008, all volumes containing system state data are called critical volumes and must be backed up to perform a system state restore. For Windows Server 2008 R2, you can select to back up only the system state data rather than critical volumes. The system state data is 7-10 GB depending on the configuration of the server.

13-16


Recovery Options

When you use Windows Server Backup to take a back up of your server, you can restore the entire server or just some data on the server. The following restore options are available: •

Files and folders: This option allows you to select specific files and folders to recover. The files can be restored to their original location or an alternate location.

•

Volumes: This option allows you to restore entire volumes to their state when the backup was taken.

•

Applications: This option allows you to recover application data files from the backup if a VSS writer for the application was installed at the time of the backup. For example, you could restore an Exchange Server database.

•

System state: This option allows you to restore just the system state for a computer. This can be useful if you believe that the system files have become corrupted and do not want to restore data files. If you select the Perform an authoritative restore of Active Directory files option on a domain controller, then the restored SYSVOL files will be authoritative and replicate to other domain controllers. Objects in Active Directory are not selected as authoritative.

If you have a full backup of your server, you can perform a bare-metal recovery by starting up from the Windows Server 2008 R2 installation DVD. Select the option System Image Recovery. A similar process is available for Windows Server 2008.


13-17




2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Recently, a new file server was implemented for the marketing department. Somehow in the planning process, no one considered how data on the server would be protected. You need to configure volume shadow copies on the server to simplify recovery of files. You also need to configure a scheduled backup for disaster recovery.

13-18


Exercise 1: Configuring Shadow Copies Scenario The new file server for the marketing department has been implemented without shadow copies. The technician that configured the server was under the incorrect idea that shadow copies create a large processing load on the server. You need to configure shadow copies on the server and verify that they are functioning properly. The data for the marketing department changes frequently. In the last two months, several high profile incidents occurred, where documents were changed incorrectly and a recent copy could only be obtained from backup. The marketing department wants to be able to recover a file’s version for each hour. 1.

Configure shadow copies on NYC-SVR1.

2.

Create a file share.

3.

Create multiple shadow copies of a file.

4.

Recover a deleted file from a shadow copy.

X Task 1: Configure shadow copies on NYC-SVR1 1.

On NYC-SVR1, open Windows Explorer and Configure Shadow Copies for Local Disk (C:).

2.

Enable shadow copies for C:\.

3.

Configure a schedule for the shadow copies.

4.

Remove the two default scheduled tasks.

5.

Use the advanced schedule options to create a new Daily schedule with the following configuration: •

Repeat every 1 hour

•

Duration of 24 hours

X Task 2: Create a file share 1.

On NYC-SVR1, use Windows Explorer to create the folder C:\Marketing.

2.

Share the C:\Marketing folder with the Marketing group and give them Read/Write permission.

X Task 3: Create multiple shadow copies of a file 1.


2.

Browse to \\NYC-SVR1\Marketing and create a new Microsoft Office Word document named Budget Planning.

3.

Open Budget Planning and add the following items in a bulleted list: •

2011 - $1,000

•

2012 - $1,100

•

2013 - $1,200

4.

Save the Budget Planning document.

5.

On NYC-SVR1, create a new shadow copy of C:\.


6.

13-19

On NYC-CL1, add the following bullets to the Budget Planning document: •

2014 - $1,500

•

2015 - $2,000

7.

Save the Budget Planning document.

8.

On NYC-SVR1, create a new shadow copy of C:\.

9.

On NYC-CL1, delete the Budget Planning Document.

X Task 4: Recover a deleted file from a shadow copy 1.

On NYC-CL1, navigate to the Previous Versions tab in the Properties of the Marketing share.

2.

Open the second most recent version of the folder and then open Budget Planning.

3.

Verify that this is not the most recent version of the file (because there are only three bullets) and then close it.

4.

Open the most recent version of the folder and then open Budget Planning.

5.

Verify that this is the most recent version of the file (because there are five bullets) and then close it.

6.

Restore the Marketing share from the most recent shadow copy.

7.

Verify that the restored file is located in \\NYC-SVR1\Marketing.

Results: After this exercise, you will have enabled shadow copies for the Marketing file server.

13-20


Exercise 2: Configuring a Scheduled Backup Scenario The new file server for the marketing department has been implemented without a backup solution. A backup solution is important in case of a hardware failure or volume corruption. In the long run, a new license will be purchased for Data Protection Manager to allow this server to be centrally backed up like other servers in Contoso. However, until that license is purchased, you are using Windows Server Backup and an external USB hard drive (D:) to perform the backup, which will be scheduled daily at 23:00. You also need to verify that the drive can hold at least two full backups and perform a test restore. 1.

Install the Windows Server Backup feature.

2.

Create a scheduled backup.

3.

Verify that two backups fit on the destination disk.

4.

Perform a test restore of a file.

X

Task 1: Install the Windows Server Backup feature

•

On NYC-SVR1, use Server Manager to install the Windows Server Backup feature, including the Command-line Tools.

X Task 2: Create a scheduled backup 1.

On NYC-SVR1, open the Windows Server Backup administrative tool.

2.

Create a backup schedule with the following settings: •

Full server

•

Once a day at 11:00 PM

•

Back up to a hard disk that is dedicated for backups (use D:) •

Remove D: from the backup when requested

•

Confirm that data on D: will be removed

X Task 3: Verify that two backups fit on the destination disk 1.

On NYC-SVR1, in Windows Server Backup, verify that the Destination usage area indicates that approximately 32 GB are available for backups and that 0 GB are used.

2.

Perform a one-time backup using the scheduled backup options.

3.

Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.

4.

Perform a second one-time backup using the scheduled backup options.

5.

Read the information in the Destination usage area. There is approximately 32 GB of total disk space and still approximately 7.4 GB used.


13-21

X Task 4: Perform a test restore of a file 1.

2.

On NYC-SVR1, in Windows Server Backup, use the Recover option to restore C:\Marketing\Budget Planning.docx. •

Source: This server (NYC-SVR1)

•

Backup date: The most recent backup

•

Recovery type: Files and folders

•

Items to recover: C:\Marketing\Budget Planning.docx

•

Recovery options: default

Open Windows Explorer and browse to C:\Marketing to verify that the file is restored.

Results: After this exercise, you will have configured a scheduled backup and tested backup functionality.



2.


3.


4.


13-22



Review Questions 1.

All of the file servers in your organization are using the default configuration for shadow copies. A user accidentally deleted content from a file and then saved it at 11:00. Can you restore the correct version from a shadow copy?

2.

All of the file servers in your organization are using the default configuration for shadow copies. A user accidentally deleted a file several weeks ago, but did not realize it until today. Is it possible to recover this file from a shadow copy?

3.

Your organization has determined that four hours each week are used restoring user files from backup or shadow copy. A colleague has suggested training users to perform their own restores from shadow copies to reduce the workload of the help desk. Is this a good idea?

4.

Your organization has opened a new branch office with a single server. The server has a SQL database that is used by a local application. Can Windows Server Backup be used to back up and restore the database?

5.

You have configured a new server to perform a daily backup to a network share on another server. This is a temporary solution until your standard backup software is in place. After several days, you need to restore a file, but there is only the most recent backup to select from, not multiple days as you expected. Why did this occur?


13-23

Windows Server 2008 R2 Features Introduced in this Module Windows Server 2008 R2 feature Windows Server Backup

Description Windows Server Backup has been updated in Windows Server 2008 R2 to allow backups of specific files and folders. It also allows scheduled backups to a network folder.

Tools Tool

Use for

Where to find it

Previous Versions

Recovering files and folders from a shadow copy

Properties of the file or folder

Windows Server Backup

Managing Windows Server Backup


WBadmin.exe

Managing Windows Server Backup

Command-line

14-1

Module 14 Monitoring Windows Server 2008 Network Infrastructure Servers Contents: Lesson 1: Monitoring Tools

14-3

Lesson 2: Using Performance Monitor

14-12

Lesson 3: Monitoring Event Logs

14-21

Lab: Monitoring Windows Server 2008 Network Infrastructure Servers

14-26

14-2


Module Overview

When a system failure or an event that affects system performance occurs, you need to be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern network environment, the ability to determine the root cause quickly often depends on having an effective performance monitoring methodology and toolset. Performance-monitoring tools are used to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

Objectives •

After completing this module, you will be able to:

•

Describe monitoring tools for Windows Server 2008 R2.

•

Describe how to use performance monitor.

•

Describe how to monitor event logs.

Monitoring Windows Server 2008 Network Infrastructure Servers

14-3

Lesson 1

Monitoring Tools

Windows Server 2008 R2 provides a range of tools to monitor the operating system and applications. You can use these tools to tune your system for efficiency and troubleshoot problems. You should use these tools and complement them where necessary with your own tools.


Describe Performance Monitor.

•

Describe Resource Monitor.

•

Describe Reliability Monitor.

•

Describe Event Viewer.

14-4


What Is Performance Monitor?

Performance Monitor enables you to view current performance statistics, or to view historical data that is gathered through the use of Data Collector Sets. With Windows Server 2008 R2, you can monitor operating system performance through performance objects and counters in the objects. Windows Server 2008 R2 collects data from counters in various ways, including: •

A real-time snapshot value

•

The total since the last computer startup

•

An average over a specific time interval

•

An average of last values

•

Number per second

•

Maximum value

•

Minimum value

Performance Monitor works by providing you with a collection of objects and counters that record data about computer resource usage. There are many counters that you can research and consider monitoring to meet your specific requirements.


14-5

Primary Processor Counters CPU counters are a feature of the computer’s CPU that stores the count of hardware-related events. •

Processor>% Processor Time displays the percentage of elapsed time that a given thread used the processor to run instructions. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Included in this count is code that handles some hardware interrupts and trap conditions.

•

Processor>Interrupts/sec displays the rate, in incidents per second, at which the processor received and serviced hardware interrupts.

•

System>Processor Queue Length displays an approximate number of threads that each processor is servicing. The processor queue length—sometimes called processor queue depth—reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so you must observe this counter over a long period of time to notice trends in data. Also, the System\Processor Queue Length counter is reporting a total queue length for all processors, not a length for each processor.

Primary Memory Counters The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory. •

Memory>Pages/sec. displays the number of hard page faults per second. A hard page fault occurs when the requested memory page cannot be located in RAM because it currently exists in the paging file. An increase in this counter indicates that more paging is occurring, which in turn suggests a lack of physical memory.

Primary Disk Counters The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks are used to store file, program, and paging data; they are read to retrieve these items, and are written to record changes to them. The total values of physical disk counters are the total of all the values of the logical disks (or partitions) into which they are divided. •

The Physical Disk>%Disk time counter indicates how busy a particular disk is. A counter approaching 100 percent indicates that the disk is busy nearly all of the time, and a performance bottleneck is possibly imminent.

•

The Physical Disk>Average Disk Queue Length counter indicates how many disk requests are waiting to be serviced by the I/O manager in Windows 7 at a given moment. The longer the queue is, the less satisfactory the disk throughput. Note Throughput is the total amount of traffic that passes a given point on a network connection for each unit of time. Workload is the amount of processing that the computer does at a given time.

14-6


Primary Network Counters Most workloads require access to production networks to ensure communication with other applications and services, and to communicate with users. Network requirements include elements such as throughput and the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for: •

Public network access

•

Networks for performing backups and other maintenance tasks

•

Dedicated remote-management connections.

•

Network adapter teaming for performance and failover

•

Connections to the physical host computer

•

Connections to network-based storage arrays

By monitoring the network performance counters, you can evaluate your network’s performance. •

The Network Interface>Current Bandwidth counter indicates the current bandwidth being consumed on the network interface in bits per second (bps). Most network topologies have maximum potential bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths of 10 Mbps, 100 Mbps, 1 Gigabit per second (Gbps), and higher. To interpret this counter, divide the value given by 1,048,576 for Mbps. If the value approaches the maximum potential bandwidth of the network, consider implementing a switched network or upgrading to a network that supports higher bandwidths.

•

The Network Interface >Output Queue Length counter indicates the current length of the output packet queue on the selected network interface. A growing value, or one that is consistently higher than two, could indicate a network bottleneck and should be investigated.


14-7

What Is Resource Monitor?

The Resource Monitor interface Windows Server 2008 R2 provides an in-depth look at the real time performance of your server. You can use Resource Monitor to monitor the use and performance of CPU, disk, network, and memory resources in real time. This allows for resource conflicts and bottlenecks to be identified and resolved. By expanding the monitored elements, system administrators can identify which processes are using which resources. In addition, Resource Monitor allows you to select a process or processes to track by selecting their check boxes. When a process is selected, it remains selected in every pane of Resource Monitor, providing the information you require regarding that process at the top of the screen, no matter where you are in the interface.

14-8


What Is Reliability Monitor?

The Reliability Monitor reviews the computer’s reliability and problem history. The Reliability Monitor can be used to obtain several kinds of reports and charts that can help you identify the source of reliability issues. Access the Reliability Monitor by clicking View System History on the Maintenance tab in the Action Center. The following topics explain the main features of the Reliability Monitor.

System Stability Chart The System Stability Chart summarizes system stability, for the past year, in daily increments. This chart indicates any information, error, or warning messages, and simplifies the task of identifying issues and the date on which they occurred.

Installation and Failure Reports The System Stability Report also provides information about each event in the chart. These reports include the following events: •

Software Installs

•

Software Uninstalls

•

Application Failures

•

Hardware Failures

•

Windows Failures

•

Miscellaneous Failures


14-9

Records Key Events in a Timeline The Reliability Monitor tracks key events about the system configuration, such as the installation of new applications, operating-system patches, and drivers. It also tracks the following events to help you identify the reasons for reliability issues. •

Memory problems

•

Hard disk problems

•

Driver problems

•

Application failures

•

Operating system failures

The Reliability Monitor is a useful tool that provides a timeline of system changes and reports the system’s reliability. You can use this timeline to determine whether a particular system change correlates with the start of system instability.

Problem Reports and Solutions Tool The Problem Reports and Solutions tool in Reliability Monitor helps users track problem reports and any solution information that they have received. The Problem Reports and Solutions tool only helps the user to store information. All Internet communication related to problem reports and solutions is handled by Windows Error Reporting. The Problem Report and Solution tool provides a list of the attempts made to diagnose your computers’ problems. If an error occurs while an application is running, Windows Error Reporting Services prompts the user to select whether to send error information to Microsoft over the Internet. If information is available that can help the user resolve this problem, Windows displays a message to the user with a link to the resolving information. You can use the Problem Reports and Solutions tool to track resolving information and recheck to find new solutions. You can start the Problem Reports and Solutions tools from the Reliability Monitor. The following tools are available: •

Save Reliability history

•

View Problems and Responses

•

Check for Solutions to all problems

•

Clear the solution and problem history

14-10


What Is Event Viewer?

Windows Server 2008 R2 Event Viewer is an application that enables you to view and manage event logs. Windows logs record significant events on your computer. Event Viewer is often the starting point for any troubleshooting activities. Event Viewer contains many features that are not available in earlier operating systems, such as: •

The inclusion of several new logs. Access logs for many individual components and subsystems.

•

The ability to view multiple logs. Filter for specific events across multiple logs, simplifying your ability to investigate issues and troubleshoot problems that might appear in several logs.

•

The inclusion of customized views. Use filtering to narrow searches to only events in which you are interested. These filtered views can be saved.

•

The ability to configure tasks scheduled to run in response to events. You can automate responses to events. Event Viewer is integrated with Task Scheduler.

•

The ability to create and manage event subscriptions. Collect events from remote computers and then store them locally. Note To collect events from remote computers, you must create an inbound rule in Windows Firewall to permit Windows Event Log Management.

Event Viewer tracks information in several different logs. These logs provide detailed information that includes: •

A description of the event

•

An event ID number

•

The component or subsystem that generated the event

•

Information, Warning, or Error status

•

The time of the occurrence


•

The user’s name on whose behalf the event occurred

•

The computer on which the event occurred

•

A link to Microsoft TechNet for more information about the event

14-11

Windows Server Logs The Event Viewer has many built-in logs, including those in the following table. Built-In Log

Description and Use

Application log

This log contains errors, warnings, and informational events that are related to the operation of applications such as Microsoft Exchange Server, the SMTP service, and other applications.

Security log

This log reports the results of auditing, if auditing is enabled. Audit events are described as successful or failed, depending on the event, for instance, whether a user trying to access a file was successful or not.

Setup log

This log contains events related to application setup.

System log

General events are logged by Windows components and services, and are classified as error, warning, or information. Events logged by system components are predetermined by Windows.

Forwarded events

This log stores events that are collected from remote computers. To collect events from remote computers, you must create an event subscription.

Applications and Services logs is a new category of event logs. These logs store events from a single application or component rather than events that might have system-wide impact. This category of logs includes four subtypes: •

Admin

•

Operational

•

Analytic

•

Debug

Admin logs are of interest to IT professionals who use the Event Viewer to troubleshoot problems. These logs provide guidance about how to respond to issues, and are primarily targeted at end users, administrators, and support personnel. The events found in the Admin channels indicate a problem and a well-defined solution that an administrator can act on. Events in the Operational log are also useful for IT professionals, but they are likely to require more interpretation. Operational events are used for analyzing and diagnosing a problem or occurrence. You can use them to trigger tools or tasks based on the problem or occurrence. Analytic and Debug logs are not as user friendly. Analytic logs store events that trace an issue, and they often log a high volume of events. Debug logs are used by developers when they are debugging applications. Note By default, both Analytic and Debug logs are hidden and disabled.

14-12


Lesson 2

Using Performance Monitor

Being able to collect, analyze, and interpret performance-related data about your organization’s servers enables you to make informed capacity planning decisions.


Describe a baseline.

•

Describe Data collector sets.

•

Capture counter data with a data collector set.

•

Configure an Alert.

•

Describe Performance Monitor Reports.

•

Identify the key parameters to track for monitoring network infrastructure services.


14-13

Why Use a Baseline?

Calculating performance baselines for your server environment allows you to more accurately interpret real-time monitoring information. A baseline for your server’s performance tells you what the performance monitoring statistics look like under normal use. A baseline is established by monitoring performance statistics over a period of time. When an issue or symptom occurs in real time, you can use your baseline statistics to compare to your real time statistics and identify any anomalies.

Trends You should give careful consideration to the value of performance data to ensure that it reflects the real server environment. Additionally, you should consider performance analysis alongside business or technology growth and upgrade plans. It is possible to reduce the number of servers in operation after you have measured performance and assessed the required environment. By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. Review historical analysis with consideration to your business and use this to determine when additional capacity is required. Some peaks are associated with one-time activities such as extremely large orders. Other peaks occur on a regular basis, such as a monthly payroll, and these peaks could require increased capacity to meet an increasing number of employees. Planning for future server capacity is a requirement for all organizations. Business planning often requires additional server capacity to meet targets. By aligning your IT strategy with the strategy of the business, you can support the business objectives. You should plan the server capacity to maximize the use of available space, power, and cooling. Furthermore, you should consider virtualizing your environment to reduce the number of physical servers that are required. You can consolidate servers by implementing 64-bit computing and utilizing Hyper-V™ in the Windows Server 2008 R2 environment.

14-14


Capacity Planning Capacity planning focuses on assessing server workload, the number of users that a server can support, and how to scale systems to support additional workload and users in the future. New server applications and services affect the performance of your IT infrastructure. These services could receive dedicated hardware although they often use the same local area network (LAN) and wireless area network (WAN) infrastructure. Planning for future capacity should include all hardware components and how new servers, services, and applications affect the existing infrastructure. Factors such as power, cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You should consider how your servers can scale up and out to support an increased workload. Tasks such as upgrading to Windows Server 2008 R2 and updating operating systems might affect your servers and network. It is not unknown for an update to cause a problem with an application. Careful performance monitoring before and after updates are applied can identify problems. An expanding business requires you to provide support for more users. You should consider business requirements when purchasing hardware. This consideration will ensure that you can meet future business requirements through increasing the number of servers or by adding capacity to existing hardware. Capacity requirements include: •

More servers

•

Additional hardware

•

Reducing application loads

•

Reducing users

Understanding Bottlenecks A performance bottleneck occurs when a computer is unable to service the current requests for a specific resource. The resource might be a key component, such as a disk, memory, processor, or network. Alternatively, the bottleneck might be caused by the shortage of a component within an application package. By using performance monitoring tools on a regular basis, and comparing the results to your baseline and to historical data, you can identify performance bottlenecks before they impact users. Once you identify a bottleneck, you must decide how to remove it. Your options for removing a bottleneck include: •

Running fewer applications

•

Adding additional resources to the computer

A computer suffering from a severe resource shortage might stop processing user requests, which requires immediate attention. However, if your computer experiences a bottleneck but still operates within acceptable limits, you might decide to defer any changes until the situation is resolved, or until you have an opportunity to take corrective action.


14-15

What Are Data Collector Sets?

A Data Collector Set is the foundation of Windows Server performance monitoring and reporting in Performance Monitor. Data Collector Sets enable you to gather performance-related and other system statistics for analysis together with other tools within Performance Monitor, or with third-party tools. While it is useful to analyze current performance activity on a server computer, you might find it more useful to collect performance data over a period of time and then analyze and compare it with previouslygathered data. This data comparison enables you to make determinations about resource usage to plan for growth and to identify potential performance problems. Data Collector Sets can contain the following types of data collectors: •

Performance counters: provides server performance data.

•

Event trace data: provides information about system activities and events—often useful for troubleshooting.

•

System configuration information: allows you to record the current state of registry keys and to record changes to those keys.

You can create a Data Collector Set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting individual data collectors and setting each individual option in the Data Collector Set properties.

14-16


Demonstration: How to Capture Counter Data with a Data Collector Set


Create a data collector set.

•

Create a disk load on the server.

•

Analyze the resulting data in a report.


Demonstration: How to Configure an Alert


Create a data collector set with an alert counter.

•

Generate a load on the server to exceed configured threshold.

•

Examine event log for resulting event.

14-17

14-18


Demonstration: How to View Performance Monitor Reports


View a performance report.


14-19

Monitoring Network Infrastructure Services

Because network infrastructure services are an essential foundation of many other server-based services, it is important that not only are they configured correctly, but that they are running optimally. Gathering performance-related data on your network infrastructure services will benefit your organization in the following ways: •

Helping to optimize network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize network infrastructure server performance.

•

Troubleshooting servers. Where server performance has degraded, either over time or during periods of peak activity, you can help to identify possible causes and take corrective action to ensure that you can bring the service back within the limits of your Service Level Agreement (SLA).

•

You can use Performance Monitor to gather and analyze the relevant data.

Monitoring DNS DNS provides name resolution services on your network. You can monitor the Windows Server 2008 R2 DNS Server role to determine the following aspects of your DNS infrastructure: •

General DNS server statistics, including the number of overall queries and responses that are processed by the DNS server.

•

User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters, for measuring DNS queries and responses that are processed respectively using either of these transport protocols.

•

Dynamic update and secure dynamic update counters, for measuring registration and update activity that is generated by dynamic clients.

•

Memory usage counters, for measuring system memory usage and memory allocation patterns that are created by operating the server computer as a DNS server.

14-20


•

Recursive lookup counters, for measuring queries and responses when the DNS Server service uses recursion to look up and fully resolve DNS names on behalf of requesting clients.

•

Zone transfer counters, including specific counters for measuring the following: all zone transfer (AXFR), incremental zone transfer (IXFR), and DNS zone update notification activity.

Monitoring DHCP The DHCP service provides dynamic IP configuration services on your network. You can monitor the Windows Server 2008 R2 DHCP Server role to determine the following aspects of your DHCP server: •

The Average Queue Length indicates the current length of the internal message queue of the DHCP server; this number represents the number of unprocessed messages that are received by the server. A large number might indicate heavy server traffic.

•

The Milliseconds per packet (Avg.) counter is the average time in milliseconds that is used by the DHCP server to process each packet it receives; this number varies depending on the server hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming slower or because of an intrinsic processing overhead on the server.


14-21

Lesson 3

Monitoring Event Logs

Event Viewer provides a convenient and accessible location for you to view events that occur and are recorded by Windows Server. Events are recorded into one of several log files based on the type of event that has occurred. To support your users, you should know how to access event information quickly and conveniently, and know how to interpret the data in the event log.


Describe a custom view.

•

Create a custom view.

•

Describe event subscriptions.

•

Describe how to configure an event subscription.

14-22


What Is a Custom View?

Event logs contain vast amounts of data, and it could challenge you to narrow the set of events to just those that interest you. In previous Windows versions, you could apply filters to logs, but you could not save those filters. Custom views allow you to query and sort just the events that you want to analyze. You can also save, export, import, and share these custom views. Event Viewer allows you to filter for specific events across multiple logs, and display all events that are potentially related to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create a custom view. Create custom views from the Action pane in Event Viewer. You can filter custom views based on multiple criteria, including: •

The time that the event was logged

•

Event level to display, such as errors or warnings

•

Logs from which to include events

•

Specific Event IDs to include or exclude

•

User context of the event

•

Computer on which the event occurred


Demonstration: How to Create a Custom View


View Server Roles custom views.

•

Create a custom view.

14-23

14-24


What Are Event Subscriptions?

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events that are stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and then store them locally. To specify which events to collect, create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event-collecting feature requires that you configure the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) and the Windows Event Collector services (Wecsvc). Both of these services must be running on computers that are participating in the forwarding and collecting process.

Enabling Subscriptions To enable subscriptions, perform the following tasks: •

On each source computer, run the following command at an elevated command prompt to enable WinRM: winrm quickconfig

•

On the collector computer, type the following command at an elevated command prompt to enable the Wecsvc: wecutil qc

•

Add the computer account of the collector computer to the local Administrators group on each of the source computers.


Demonstration: How to Configure an Event Subscription


Configure the source computer.

•

Configure the collector computer.

•

Create and view the subscribed log.

14-25

14-26





2.


3.


4.


5.

•


•

Password: Pa$$w0rd

•

Domain: Contoso


Lab Scenario Having recently deployed some new servers, it is important to establish a performance baseline with a typical load for these new servers. You are tasked with undertaking this project. In addition, to make the process of performance monitoring easier, you decide to implement a subscribed log for the new servers so that you can effortlessly determine server health. For this project, you must complete the following tasks: •

Establish a performance baseline for NYC-SVR1 under typical load conditions.

•

Use Performance Monitor to identify resources that are affected by a new application that is running on NYC-SVR1.

•

Centralize events logs within Contoso.


14-27

Exercise 1: Establishing a Performance Baseline Scenario In this exercise, you will use Performance Monitor on the server and create a baseline using typical performance counters. The main tasks for this exercise are as follows: 1.

Create a Data Collector Set.

2.

Start the Data Collector Set.

3.

Create workload on the server.

4.

Analyze collected data.

X Task 1: Create a Data Collector Set 1.


2.


3.

Create a new user defined data collector set using the following information to complete the process:

4.

•

Name: NYC-SVR1 Performance

•

Create: Create manually (Advanced)

•

Type of data: Performance counter

•

Select the following counters: •

Memory, Pages/sec

•

Network Interface, Bytes Total/sec

•

PhysicalDisk, %Disk Time

•

PhysicalDisk, Avg. Disk Queue Length

•

Processor, %Processor Time

•

System, Processor Queue Length

•

Sample interval: 1 second

•

Where to store data: default value

Save and close the data collector set.

X Task 2: Start the Data Collector Set •

In Performance Monitor, in the Results pane, right-click NYC-SVR1 Performance and then click Start.

14-28


X Task 3: Create workload on the server 1.

Open a command prompt and run the following commands, pressing ENTER after each command: Fsutil file createnew bigfile 104857600 Copy bigfile \\nyc-dc1\c$ Copy \\nyc-dc1\c$\bigfile bigfile2 Del bigfile*.* Del \\nyc-dc1\c$\bigfile*.*

2.

Do not close the command prompt.

X Task 4: Analyze collected data 1.

Switch to Performance Monitor.

2.

Stop the NYC-SVR1 Performance data collector set.

3.

In Performance Monitor, in the navigation pane, click Performance Monitor.

4.

On the toolbar, click View Log Data.

5.

In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Add.

6.

In the Select Log File dialog box, double-click Admin.

7.

Double-click NYC-SVR1 Performance, double-click the NYC-SVR1_date-000001 folder and then double-click DataCollector01.blg.

8.

Click the Data tab and then click Add.

9.


Memory, Pages/sec

•


•


•


•


•


10. On the toolbar, click the down arrow and then click Report. 11. Record the values that are listed in the report for analysis later. Recorded values: •

Memory, Pages/sec

•


•


•


•


•


Results: After this exercise, you should have established a baseline.


14-29

Exercise 2: Identifying the Source of a Performance Problem Scenario In this exercise, you will now simulate a load to represent the system in live usage, gather performance data using your data collector set, and determine the potential cause of the performance problem. The main tasks for this exercise are as follows: 1.

Load a new program on the server.

2.

Configure the load on the server.

3.

Start the data collector set again.

4.

Stop the running program.

5.

View performance data.

6.

Analyze results and draw a conclusion.

X Task 1: Load a new program on the server 1.

On NYC-SVR1, switch to the command prompt.

2.

Change to the C:\Labfiles folder.

X Task 2: Configure the load on the server •

On NYC-SVR1, run StressTool.exe 95.

X Task 3: Start the data collector set again 1.


2.

In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR1 Performance, and then click Start.

3.

Wait one minute for data to be captured.

X Task 4: Stop the running program •

At the command prompt, press CTRL+ C and then close the command prompt.

X Task 5: View performance data 1.


2.

Stop the data collector set.

3.


4.

On the toolbar, click View log data.

5.

In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Remove.

6.

Click Add.

7.

In the Select Log File dialog box, click Up One Level.

14-30


8.

Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.

9.

Click the Data tab and then click OK. Note If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.

Recorded values: •

Memory, Pages/sec

•


•


•


•


•


X Task 6: Analyze results and draw a conclusion 1.

Compared with your previous report, which values have changed?

2.

What would you recommend?

Results: After this exercise, you should have identified a potential bottleneck.


14-31

Exercise 3: Centralizing Events Logs Scenario In this exercise, you will use NYC-DC1 to collect event logs from NYC-SVR1; specifically, you will use this process to gather performance-related alerts from your network servers. The main tasks for this exercise are as follows: 1.

Configure the source computer.

2.

Configure the collector computer.

3.

Create a subscribed log.

4.

Create a data collector set with an alert counter.

5.

Check the subscribed log for performance-related alerts.

X Task 1: Configure the source computer 1.

Switch to NYC-SVR1.

2.

At a command prompt, run winrm quickconfig to enable the administrative changes that are necessary on a source computer.

3.

Add the NYC-DC1 computer to the local Administrators group.

X Task 2: Configure the collector computer 1.

Switch to NYC-DC1.

2.

At a command prompt, run wecutil qc to enable the administrative changes that are necessary on a collector computer.

X Task 3: Create a subscribed log 1.

Open Event Viewer.

2.

Create a new subscription with the following properties: •

Computers: NYC-SVR1

•

Name: NYC-SVR1 Events

•

Collector Initiated

•

Events: Critical, Warning, Information, Verbose, and Error

•

Logged: last 7 days

•

Logs: Windows Logs

X Task 4: Create a data collector set with an alert counter 1.

Switch to NYC-SVR1.

2.


3.

Create a new user defined data collector set using the following information to complete the process: •

Name: NYC-SVR1 Alert

•

Create: Create manually (Advanced)

14-32


•

Type of data: Performance counter Alert

•


Processor, %Processor Time above 10%

•

Sample interval: 1 second

•

Where to store data: default value

•

Alert Action: Log an entry in the application event log

4.

Start the NYC-SVR1 Alert data collector set.

5.

Switch to the command prompt.

6.

Change to the C:\Labfiles and run StressTool.exe 95.

7.

Wait one minute for data to be captured, and then at the command prompt, press CTRL+ C and then close the command prompt.

8.


X Task 5: Check the subscribed log for performance-related alerts 1.

Switch to NYC-DC1.

2.

In performance monitor, are there any performance-related alerts in the subscribed application log?

Results: At the end of this exercise, you will have centralized event logs.



2.


3.


4.




Review Questions 1.

What significant counters should you monitor in Windows Server Performance Monitor?

2.

Why is it important to monitor server performance periodically?

3.

Why use Performance alerts?

Tools Tool

Use for

Where to find it

Fsutil.exe

Configure and manage the file system

Command line

Performance Monitor

Monitoring and analyzing real-time and logged performance data

Start Menu

Logman.exe

Managing and scheduling performance counter and event trace log collections

Command line

14-33

14-34


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

L1-1

Module 1: Planning and Configuring IPv4

Lab: Planning and Configuring IPv4 Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices X Task 1: Read the supporting documentation •

Read the supporting documentation located beneath the Exercise scenario in the main module document.


Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document. Branch Office Network Infrastructure Plan: IPv4 Addressing Document Reference Number: GW00602/1 Document Author Date

Charlotte Weiss 6th February

Requirements Overview Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet. Additional Information You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch. Proposals 1. How many subnets do you envisage requiring for this region? Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. You also need to plan for growth of around 25 percent. Six subnets are required in the region to host computers, but an additional subnet for each location should be planned for to host the growth in computers. This is a total of nine subnets. 2. How many hosts will you deploy in each subnet? Answer: The specification states that you must deploy a maximum of 50 host computers for each subnet. 3. What subnet mask will you use for each branch? Answer: The current network address for the region is 172.16.16.0/20. This leaves 12 bits to allocate to subnets and hosts. To express 9 subnets, you would require 4 bits, since 3 bits only provides for 8 subnets. Four bits actually provides for 16 subnets, which is plenty. This is a decimal mask of 255.255.255.0.

L1-2


(continued) Branch Office Network Infrastructure Plan: IPv4 Addressing 4. What are the subnet addresses for each branch? Answer: Branch 1: 172.16.16.0/24 172.16.17.0/24 172.16.18.0/24 Branch 2: 172.16.19.0/24 172.16.20.0/24 172.16.21.0/24 Branch 3: 172.16.22.0/24 172.16.23.0/24 172.16.24.0/24 5. What range of host addresses are in each branch? Answer: Branch 1: 172.16.16.1 > 172.16.16.254 172.16.17.1 > 172.16.17.254 172.16.18.1 > 172.16.18.254 Branch 2: 172.16.19.1 > 172.16.19.254 172.16.20.1 > 172.16.20.254 172.16.21.1 > 172.16.21.254 Branch 3: 172.16.22.1 > 172.16.22.254 172.16.23.1 > 172.16.23.254 172.16.24.1 > 172.16.24.254


Examine the completed Branch Office Network Infrastructure plan in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you should have a completed an IP addressing plan for the Contoso branch offices.


Exercise 2: Implementing and Verifying IPv4 in the Branch Office X Task 1: Determine the current IPv4 configuration of the router 1.

Switch to the NYC-RTR computer.

2.

Click Start, and in the Search box, type cmd.exe and press ENTER.

3.

At the command prompt, type the following command and then press ENTER: Ipconfig /all

4.

What is the IPv4 address and subnet mask listed that starts 172.16? Answer: 172.16.16.1/255.255.255.0

5.

What subnet is this? Answer: 172.16.16.0/24

6.

What would the last host address in this subnet be? Answer: 172.16.16.254

7.


X Task 2: Determine the IPv4 configuration of NYC-SVR2 1.


2.


3.


4.

What is the IPv4 address and subnet mask? Answer: 172.16.16.2/255.255.255.0

5.

What subnet is this? Answer: 172.16.16.0/24

6.

What is the default gateway? Answer: 172.16.16.1

7.

What is the DNS Servers entry? Answer: 10.10.0.10

8.

Leave the command prompt open.

X Task 3: Determine the configuration of the NYC-CL2 computer 1.


2.

Click Start, click Computer, and then double-click Allfiles (E:).

3.

In Windows Explorer, double-click Labfiles and then double-click Mod01.

L1-3

L1-4


4.

Double-click Reconfigure.cmd.

5.

Close Explorer.

6.


7.


8.

What is the IPv4 address and subnet mask? Answer: 169.254.x.y – the answer will vary.

9.

What does this tell you? Answer: The client is attempting to obtain an IP address dynamically and has failed to connect to a DHCP server.

X Task 4: Reconfigure the NYC-CL2 computer 1.

Click Start, click Control Panel, and then click Network and Internet.

2.

In Network and Internet, click Network and Sharing Center.

3.

In Network and Sharing Center, click Change adapter settings.

4.

In Network Connections, right-click Local Area Connection 3 and then click Properties.

5.

Double-click Internet Protocol Version 4 (TCP/IPv4).

6.

In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.

7.

Use the following information to complete the configuration, and then click OK. •

IP address: 172.16.16.3

•

Subnet mask: 255.255.255.0

•


•


8.

In the Local Area Connection 3 Properties dialog box, click Close.

9.

If prompted with the Set Network Location dialog box, click Work network, and then click Close.

X Task 5: Verify the configuration 1.


2.


3.

What is the IPv4 address and subnet mask? Answer: 172.16.16.x/255.255.255.0 – answers might vary.

4.

At the command prompt, type the following command and then press ENTER: Ping nyc-dc1


5.

L1-5

At the command prompt, type the following command and then press ENTER: Ipconfig /displaydns

6.


X Task 6: Capture and analyze network traffic using Network Monitor 1.

On the desktop, double-click Microsoft Network Monitor 3.4.

2.

In the Microsoft Update Opt-In dialog box, click No.

3.

In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.

4.

On the Capture 1 tab, on the menu bar, click Start.

5.


6.

At the command prompt, type the following command and then press ENTER: Ipconfig /flushdns

7.

At the command prompt, type the following command and then press ENTER: Ping nyc-dc1

8.

At the command prompt, type the following command and then press ENTER: Ipconfig /displaydns

9.

In Network Monitor, on the menu, click Stop.

10. What type of frames can you see? Answer: Might vary, but may include BROWSER, ARP, TCP, and ICMP frames. 11. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter. 12. Point to Standard Filters, click Addresses, and then click IPv4 Addresses. 13. Scroll through the text and locate the IPv4.Address = = 192.168.0.100 line. Edit the IPv4 address to read 10.10.0.10. 14. On the menu in the Display Filter pane, click Apply. 15. Examine the filtered records. 16. Click Clear Text and click Remove. 17. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter. 18. Point to Standard Filters, click DNS, and then click DnsQueryName. 19. Scroll through the text and locate the DNS.Qrecord.QuestionName.contains = = (“server”) line. Edit the server name to read (“contoso”) 20. On the menu in the Display Filter pane, click Apply. 21. Examine the filtered records.

L1-6


22. What do the records show? Answer: A query for a site name. (Answers might vary) 23. Close Network Monitor. Results: At the end of this exercise, you will have configured the branch office subnet.



2.


3.


4.

Repeat these steps for 6421B-NYC-RTR, 6421B-NYC-SVR2 and 6421B-NYC-CL2.

L2-7

Module 2: Configuring and Troubleshooting DHCP

Lab: Configuring and Troubleshooting the DHCP Server Role Exercise 1: Selecting a Suitable DHCP Configuration X Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements •

Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section in the module document beneath the Exercise 1 scenario.


Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document. Branch Office Network Infrastructure Plan: DHCP Document Reference Number: CW0703/1 Document Author Date


Requirements Specify how you plan to implement DHCP to support your branch office requirements. Additional Information It is important that any router, server, or communications link failure does not adversely affect users. Proposals 1. How many DHCP servers do you propose to deploy in the region? Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. However, for fault tolerance, each branch should have a DHCP server with duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule; this would provide for addressing fault tolerance. 2. Where do you propose to deploy these servers? Answer: One DHCP server in each branch office and one in the head office. 3. How do you propose to provide for fault tolerance of IP address allocation? Answer: Configure the scopes to support the 80/20 rule. 4. How will clients in a branch obtain an IP configuration if their DHCP server is offline? Answer: They will obtain an IP configuration from the head office server. This requires a DHCP relay on the router that connects the head office to the branch.


Examine the completed Branch Office Network Infrastructure Plan: DHCP document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.

L2-8


Exercise 2: Implementing DHCP X Task 1: Install the DHCP role on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

On the taskbar, click Server Manager.

3.

In Server Manager, in the navigation pane, click Roles, and then in the right-pane, click Add Roles.

4.

In the Add Roles Wizard, click Next.

5.

On the Select Server Roles page, select the DHCP Server check box and then click Next.

6.

On the Introduction to DHCP Server page, click Next.

7.

On the Select Network Connection Bindings page, click Next.

8.

On the Specify IPv4 DNS Server Settings page, click Next.

9.

On the Specify IPv4 WINS Server Settings page, click Next.

10. On the Add or Edit DHCP Scopes page, click Next. 11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next. 12. On the Authorize DHCP Server page, click Skip authorization of this DHCP server in AD DS and then click Next. 13. On the Confirm Installation Selections page, click Install. 14. On the Installation Results page, click Close and then close Server Manager.

X Task 2: Enable DHCP Relay 1.

Switch to NYC-RTR.

2.

Click Start, point to Administrative Tools, and then click Routing and Remote Access.

3.

In the navigation pane, expand NYC-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.

4.

In the Routing protocols list, click DHCP Relay Agent, and then click OK.

5.


6.


7.

In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

8.


9.


10. In the DHCP Relay Properties – Local Area Connection 3 Properties dialog box, click OK. 11. Right-click DHCP Relay Agent and then click Properties. 12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK. 13. Close Routing and Remote Access.


L2-9

X Task 3: Authorize the DHCP Server role on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

Click Start, point to Administrative Tools, and then click DHCP.

3.

In DHCP, expand nyc-svr2.contoso.com.

4.

Right-click nyc-svr2.contoso.com and then click Authorize.

X Task 4: Create the required scope for branch 1.

In DHCP, in the navigation pane, click nyc-svr2.consoto.com, expand IPv4, right-click IPv4, and then click New Scope.

2.

In the New Scope Wizard, click Next.

3.

On the Scope Name page, in the Name box, type Branch Office, and then click Next.

4.

On the IP Address Range page, complete the page using the following information and then click Next:

5.

•

Start IP address: 172.16.16.4

•

End IP address: 172.16.16.254

•

Length: 24

•

Subnet mask: 255.255.255.0

On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next: •


•


6.

On the Lease Duration page, click Next.

7.

On the Configure DHCP Options page, click Next.

8.

On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.

9.

On the Domain Name and DNS Servers page, click Next.

10. On the WINS Servers page, click Next. 11. On the Activate Scope page, click Next. 12. On the Completing the New Scope Wizard page, click Finish. Results: At the end of this exercise, you will have configured the branch office DHCP server.

L2-10


Exercise 3: Reconfiguring DHCP in the Head Office X Task 1: Add the branch office scope on NYC-DC1 1.

Switch to NYC-DC1.

2.


3.

In DHCP, expand nyc-dc1.contoso.com.

4.

In DHCP, in the navigation pane, expand IPv4, right-click IPv4, and then click New Scope.

5.

In the New Scope Wizard, click Next.

6.

On the Scope Name page, in the Name box, type Branch Office Backup Scope and then click Next.

7.

On the IP Address Range page, complete the page using the following information and then click Next:

8.

9.

•


•


•

Length: 24

•

Subnet mask: 255.255.255.0

On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next: •


•


On the Lease Duration page, click Next.

10. On the Configure DHCP Options page, click Next. 11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next. 12. On the Domain Name and DNS Servers page, click Next. 13. On the WINS Servers page, click Next. 14. On the Activate Scope page, click Next. 15. On the Completing the New Scope Wizard page, click Finish. Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.


L2-11

Exercise 4: Testing the Configuration X Task 1: Configure NYC-CL2 for DHCP 1.


2.

On the desktop, click Microsoft Network Monitor 3.4.

3.

In the Microsoft Update Opt-in dialog box, click No.

4.

In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.

5.


6.

Click Start, and in the Search box, type Network and Sharing and then press ENTER.

7.


8.


9.

In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically. 11. Click Obtain DNS server address automatically and then click OK. 12. In the Local Area Connection 3 Properties dialog box, click OK.

X Task 2: Examine DHCP packets 1.

Switch to Network Monitor.

2.

In Microsoft Network Monitor 3.4, on the menu, click Stop.

3.


4.


5.


6.

In the Frame Details pane, expand Dhcp.

7.

What is the ServerIP? Answer: 172.16.16.2

8.

Which server is this? Answer: NYC-SVR2

Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.

L2-12


Exercise 5: Troubleshooting DHCP Issues X Task 1: Shut down the DHCP server on NYC-SVR2 1.

Switch to NYC-SVR2.

2.

In DHCP, right-click nyc-svr2.contoso.com, click All Tasks, and then click Stop.

X Task 2: Renew the IP address on NYC-CL2 1.

Switch to NYC-CL2.

2.


3.

At the command prompt, type the following command and then press ENTER: Ipconfig /release

4.

In Microsoft Network Monitor 3.4, click New Capture.

5.


6.

At the command prompt, type the following command and then press ENTER: Ipconfig /renew

7.

In Microsoft Network Monitor 3.4, on the menu, click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter – DNS.

8.


9.


10. In the Frame Details pane, expand Dhcp. 11. What is the ServerIP? Answer: 10.10.0.10 12. Which server is this? Answer: NYC-DC1 Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR2, 6421B-NYC-RTR, and 6421B-NYC-CL2.

L3-13

Module 3: Configuring and Troubleshooting DNS

Lab: Configuring and Troubleshooting DNS Exercise 1: Selecting a DNS Configuration X Task 1: Read the Contoso Name Resolution Plan document •

Read the Contoso Name Resolution Plan document in Task 2 of the main module document.


Answer the questions in the Contoso Name Resolution Plan document. Contoso Name Resolution Plan Document Reference Number: GW1203/1 Document Author Date


Requirements Overview 1.

Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.

2.

Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.

Additional Information 1.

No additional domain controllers are planned for the Contoso domain.

2.

Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.

Proposals 1.

How will you modify the DNS configuration for Contoso to address the first requirement?

2.

How will you modify the DNS configuration for Contoso to address the second requirement?

Answer: Add a DNS server. Answer: Create either a stub zone for Adatum.com or configure conditional forwarding for Adatum.com. 3.

Does either of the points in the additional information section raise any issues? Answer: •

AD-integrated zones are inappropriate for this scenario; if no additional domain controllers are planned, secondary zones should be configured.

•

Stub zones require less administrative effort in the event of changes in the DNS configuration of the target DNS domain.

L3-14


(continued) Contoso Name Resolution Plan 4.

What is your proposed action plan for this project? Answer:

5.

•

Deploy the DNS role to NYC-SVR1.

•

Create a secondary zone on NYC-SVR1 for Contoso.com.

•

Enable and configure zone transfers to NYC-SVR1.

•

Ensure that the zone data transfers successfully.

How will you distribute load among DNS servers? Answer: Configure DHCP to allocate both DNS server addresses to clients


Examine the completed Contoso Name Resolution Plan document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.


L3-15

Exercise 2: Deploying and Configuring DNS X Task 1: Install the DNS role on NYC-SVR1 1.

Switch to NYC-SVR1, and on the Taskbar, click Server Manager.

2.

In Server Manager, in the navigation pane, click Roles, and in the right pane, click Add Roles.

3.

In the Add Roles Wizard, on the Before You Begin page, click Next.

4.

On the Select Server Roles page, in the Roles list, select the DNS Server check box and then click Next.

5.

On the DNS Server page, click Next.

6.

On the Confirm Installation Selections page, click Install.

7.

On the Installation Results page, click Close.

X Task 2: Create and configure a stub zone on NYC-DC1 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and then click DNS.

3.

In DNS Manager, expand NYC-DC1, expand and then right-click Forward Lookup Zones, and then click New Zone.

4.

In the New Zone Wizard, click Next.

5.

On the Zone Type page, click Stub zone and then click Next.

6.

On the Active Directory Zone Replication Scope page, click Next.

7.

On the Zone Name page, in the Zone name box, type Adatum.com and then click Next.

8.

On the Master DNS Servers page, in the Master Servers list, type 131.107.1.2 and press ENTER. Note

9.

Validation will fail. The server is not online.

Click Next, and on the Completing the New Zone Wizard page, click Finish.

X Task 3: Create and configure secondary zones on NYC-SVR1 1.

Switch to NYC-SVR1.

2.


3.

At the command prompt, type the following command and then press ENTER: Dnscmd.exe /zoneadd Contoso.com /secondary 10.10.0.10

4.

At the command prompt, type the following command and then press ENTER: Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10

5.


6.

In DNS Manager, in the navigation pane, expand NYC-SVR1 and then click Forward Lookup Zones. Notice the two zones.

L3-16


X Task 4: Enable and configure zone transfers for Contoso.com 1.

Switch to NYC-DC1.

2.


3.

At the command prompt, type the following command and then press ENTER: Dnscmd.exe /zoneresetsecondaries Contoso.com /notify /notifylist 10.10.0.24

4.

In DNS Manager, in the navigation pane, expand Forward Lookup Zones, expand Contoso.com.

5.

Right-click Contoso.com and then click Properties.

6.

In the Contoso.com Properties dialog box, click the Zone Transfers tab.

7.

Click Notify, and verify that the server 10.10.0.24 is listed.

8.

Click Cancel. Note It might take a few minutes to appear.

X Task 5: Update secondary zone data from master server 1.

Switch to NYC-SVR1.

2.

In DNS Manager, press F5. The zone data should appear. If not, then expand Forward Lookup Zones, and then expand Contoso.com.

3.

Right-click Contoso.com and then click Transfer from Master.

4.

Close all open windows. Note You will not receive data for Adatum.com, but Contoso.com should be populated with DNS records.

X Task 6: Configure clients to use the new name server 1.

Switch to NYC-DC1.

1.


2.

In DHCP, expand nyc-dc1.contoso.com.

3.

Expand IPv4 and then click Server Options.

4.

In the right-pane, double-click 006 DNS Servers.

5.

In the Server Options dialog box, click Remove.

6.

In the IP address box, type 10.10.0.24, click Add, and then click OK.

7.


Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.


L3-17

Exercise 3: Troubleshooting DNS X Task 1: Test simple and recursive queries 1.

On NYC-DC1, click Start, click Administrative tools, and then click DNS.

2.

In the navigation pane, right-click NYC-DC1 and then click Properties.

3.

Click the Monitoring tab.

4.

On the Monitoring tab, select A simple query against this DNS server and then click Test Now.

5.

On the Monitoring tab, ensure that A recursive query to other DNS servers is selected and then click Test Now. Notice that the Recursive test fails for NYC-DC1, which is normal given that there are no forwarders configured for this DNS server to use.

6.

Click Start, and in the Search box, type sc stop dns and then press ENTER.

7.

In DNS Manager, in the NYC-DC1 Properties dialog box, on the Monitoring tab, click Test Now. Now, both Simple and Recursive tests fail because no DNS server is available.

8.

Click Start, and in the Search box, type sc start dns and then press ENTER.

9.

On the Monitoring tab, click Test Now. The Simple test completes successfully.

10. Close the NYC-DC1 Properties dialog box.

X Task 2: Verify SOA records with Nslookup 1.

On NYC-DC1, click Start, and in the Search box, type cmd.exe and then press ENTER

2.

At the command prompt, type the following command and then press ENTER: nslookup.exe

3.

At the command prompt, type the following command and then press ENTER: set querytype=SOA

4.

At the command prompt, type the following command and then press ENTER: Contoso.com

5.


X Task 3: Use Dnslint to verify name server records 1.

Switch to NYC-CL1.

2.

Click Start, and in the Search box, type cmd.exe and then press ENTER.

3.

In the command prompt, type the following command and then press ENTER: D:

4.

In the command prompt, type the following command and then press ENTER: Cd\Labfiles\Mod03

L3-18


5.

In the command prompt, type the following command and then press ENTER: dnslint /s 10.10.0.10 /d Contoso.com

6.

Read through the report results and then close the report window.

7.


X Task 4: View performance statistics with Performance Monitor 1.

Switch to NYC-DC1.

2.

Click Start, right-click Computer, and then click Manage.

3.

In the list pane of the Server Manager window, expand Diagnostics, expand Performance, expand Monitoring Tools, and then click Performance Monitor.

4.

In the center pane, click the green Plus icon.

5.

In the Available counters list, double-click DNS.

6.

Select Total Query Received and then click Add.

7.

Select Total Query Received/sec, click Add, and then click OK.

8.

Click Start, click Administrative tools, and then click DNS.

9.

In the left pane, right-click NYC-DC1, and then click Properties.

10. Click the Monitoring tab. 11. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers, and then click Test Now several times. 12. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool. 13. Return to the Server Manager console. The graph reflects the queries on the server. 14. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received. 15. Close the Server Manager console. Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.



2.


3.


4.


L4-19

Module 4: Configuring and Troubleshooting IPv6 TCP/IP

Lab A: Configuring an ISATAP Router Exercise 1: Configuring a New IPv6 Network and Client X Task 1: Configure IPv4 routing 1.

Switch to NYC-CL2.

2.

Click Start, and in the Search box, type Network and sharing and then press ENTER.

3.


4.


5.


6.


IP address: 172.16.16.3

•

Subnet mask: 255.255.255.0

•


•


7.

In the Local Area Connection 3 Properties box, click OK.

8.

Close all open windows on NYC-CL2.

9.

Switch to NYC-DC1.

10. Click Start, and in the Search box, type Network and sharing and then press ENTER. 11. In Network and Sharing Center, click Change adapter settings. 12. In Network Connections, right-click Local Area Connection 2 and then click Properties. 13. Double-click Internet Protocol Version 4 (TCP/IPv4). 14. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, verify that the Default gateway is 10.10.0.1. Click OK. 15. In the Local Area Connection 2 Properties box, click OK and then close all open windows on NYC-DC1.

X Task 2: Enable IP routing on NYC-RTR and confirm IPv4 connectivity 1.

Switch to NYC-RTR.

2.

Click Start, and in the Search box, type Regedit and then press ENTER.

3.

Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ Parameters.

4.

Double-click IPEnableRouter, and then in the Value data box, type 1. Click OK.

5.

Close the Registry Editor and then restart NYC-RTR.

L4-20


6.

After NYC-RTR restarts, log on with the following credentials: •


•

Password: Pa$$w0rd

Note At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.

X Task 3: Disable IPv6 on NYC-DC1 1.

Switch to NYC-DC1.

2.


3.


4.


5.

In the Local Area Connections 2 Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK.

X Task 4: Disable IPv4 on NYC-CL2 1.

Switch to NYC-CL2.

2.


3.


4.


5.

In the Local Area Connection 3 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box and then click OK.

6.


7.

At the command prompt, type the following command and then press ENTER: ipconfig

Note The output should be a link-local IPv6 address that starts with fe80.


L4-21

X Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR 1.

Switch to NYC-RTR.

2.


3.

At the command prompt, type the following command and then press ENTER: netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled

4.

At the command prompt, type the following command and then press ENTER: netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes

X Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network 1.

Switch to NYC-CL2.

2.


Note The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output. 3.


Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.

L4-22


Exercise 2: Configuring an ISATAP Router to Enable Communication between an IPv4 Network and an IPv6 Network X Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1 1.

Switch to NYC-DC1.

2.

Click Start, click Administrative Tools, and then click DNS.

3.

In the left pane, expand NYC-DC1.

4.

Expand Forward Lookup Zones, select and then right-click Contoso.com, and then click New host (A or AAAA).

5.

In the New Host dialog box, type ISATAP in the Name text box, and then type the IP address 10.10.0.1 (for NYC-RTR).

6.

Click Add Host and then click OK.

7.

Click Done and then close the DNS Manager.

X Task 2: Configure the ISATAP router on NYC-RTR Note When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side. 1.

Switch to NYC-RTR.

2.


3.

At the command prompt, type the following command and then press ENTER: Netsh interface ipv6 isatap set router 10.10.0.1

4.


5.

Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment. Interface_Index: ___________________________

6.

Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER: netsh interface ipv6 set interface “isatap.Interface_Index” forwarding=enabled advertise=enabled

7.

At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER: netsh interface ipv6 add route 2001:db8:0:10::/64 “isatap.Interface_Index” publish=yes

8.

Restart NYC-RTR.


9.

L4-23

Log on using the following credentials: •


•

Password: Pa$$w0rd

10. Click Start, and in the Search box, type cmd.exe and then press ENTER. 11. At the command prompt, type the following command and then press ENTER: ipconfig

Note The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.

X Task 3: Enable the ISATAP interface on NYC-DC1 1.

Switch to NYC-DC1.

2.


3.

At the command prompt, type the following command and then press ENTER: Netsh interface isatap set router 10.10.0.1

4.


Note The Tunnel adapter isatap {Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.

X Task 4: Test connectivity 1.

Click Start, and in the Search box, type Windows Firewall and then press ENTER.

2.

In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.

3.

In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

4.

On the Program page, click Next.

5.

On the Protocols and Ports page, in the Protocol type list, click ICMPv4 and then click Next.

6.

On the Scope page, click Next.

7.

On the Action page, click Next.

8.

On the Profile page, click Next.

9.

On the Name page, in the Name box, type Allow PING and then click Finish.

10. Switch to NYC-CL2. 11. Click Start, and in the Search box, type cmd.exe and then press ENTER.

L4-24


12. At the command prompt, type the following command and then press ENTER: Ping 2001:db8:0:10:0:5efe:10.10.0.10

13. At the command prompt, type the following command and then press ENTER: ipconfig

14. What is the IPv6 address? Answer: Answers vary, but will start 2001:db8:0:1:. 15. Click Start, and in the Search box, type Windows Firewall and then press ENTER. 16. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule. 17. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next. 18. On the Program page, click Next. 19. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next. 20. On the Scope page, click Next. 21. On the Action page, click Next. 22. On the Profile page, click Next. 23. On the Name page, in the Name box, type Allow PING and then click Finish. 24. Switch to NYC-DC1. 25. At the command prompt, type the following command, and then press ENTER: Ping IPv6_address

Where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier. Results: At the end of this exercise, you will have configured ISATAP.

Preparing for the Next Lab Do not turn off the virtual machines at this time because you will need them to complete the next lab.

L4-25

Lab B: Converting the Network to Native IPv6 Exercise 1: Transitioning to a native IPv6 Network X Task 1: Disable the ISATAP router on NYC-RTR Note When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side. 1.

Switch to NYC-RTR.

2.


3.


4.

Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment. Interface_Index: ______________________________

5.

Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier: netsh interface ipv6 set interface “isatap.Interface_Index” forwarding=disabled advertise=disabled

6.

Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier: netsh interface ipv6 delete route 2001:db8:0:10::/64 “isatap.Interface_Index”

X Task 2: Configure the native IPv6 router on NYC-RTR 1.

At the command prompt, type the following command and then press ENTER: netsh interface ipv6 set interface “Local Area Connection 2” forwarding=enabled advertise=enabled

2.

At the command prompt, type the following command and then press ENTER: netsh interface ipv6 add route 2001:db8:0:0::/64 “Local Area Connection 2” publish=yes

X Task 3: Disable IPv4 connectivity 1.

Click Start, and in the Search box, type network and sharing and then press ENTER.

2.

In the Network and Sharing Center, click Change adapter settings.

3.

In the Network Connections box, right-click Local Area Connection 2 and then click Properties.

L4-26


4.

In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK. Close all open windows.

5.

Switch to NYC-DC1.

6.

Click Start, and in the Search box, type network and sharing and then press ENTER.

7.

In the Network and Sharing Center, click Change adapter settings.

8.

In the Network Connections box, right-click Local Area Connection 2 and then click Properties.

9.

In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box.

10. Select the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK. Close all open windows.

X Task 4: Test connectivity between each IPv6 subnet 1.

Click Start, and in the Search box, type Windows Firewall and then press ENTER.

2.

In the Windows Firewall with Advanced Security window, click Inbound Rules, right-click Inbound Rules and then click New Rule.

3.

In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

4.


5.

On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.

6.

On the Scope page, click Next.

7.

On the Action page, click Next.

8.

On the Profile page, click Next.

9.

On the Name page, in the Name box, type Allow PING for IPv6 and then click Finish.

10. Click Start, and in the Search box, type cmd.exe and then press ENTER. 11. At the command prompt, type the following command and then press ENTER: ipconfig

Note the new IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below. NYC-DC1 IPv6 address: _____________________________________________ 12. Switch to NYC-CL2. 13. Click Start, and in the Search box, type cmd.exe and then press ENTER. 14. At the command prompt, type the following command and then press ENTER: Ping global_IP_address

Where global_IP_address is the NYC-DC1 address that you noted previously.


L4-27

15. At the command prompt, type the following command and then press ENTER: Ipconfig /all

Note the IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below. NYC-CL2 IPv6 address: _____________________________________________ 16. Switch to NYC-DC1 and switch to the Command Prompt. 17. At the command prompt, type the following command and then press ENTER: Ping global_IP_address

Where global_IP_address is the NYC-CL2 address that you noted previously. Results: At the end of this exercise, you will have configured an IPv6 only network.



2.

Right-click 6421B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3.


4.

Repeat these steps for 6421B-NYC-RTR and 6421B-NYC-CL2.

L5-29

Module 5: Configuring and Troubleshooting Routing and Remote Access

Lab A: Configuring and Managing Network Access Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution X Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1 1.

On NYC-EDGE1, if Server Manager does not open automatically, from the Administrative Tools menu, click Server Manager. The Server Manager opens.

2.

In the Server Manager (NYC-EDGE1) list pane, right-click Roles and click Add Roles from the context menu. The Add Roles Wizard appears. Click Next.

3.

On the Select Server Roles page, select Network Policy and Access Services and then click Next.

4.

On the Network Policy and Access Services introduction page, click Next.

5.

On the Select Role Services page, select the Network Policy Server and Routing and Remote Access Services check boxes, and then click Next.

6.


7.

On the Installation Results page, verify that Installation succeeded appears in the details pane and then click Close.

8.

Close the Server Manager. The Network Policy and Routing and Remote Access Services roles are installed on 6421B-NYC-EDGE1.

X Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients 1.

On NYC-EDGE1, click Start and then click Administrative Tools.

2.

From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote Access administrative tool appears.

3.

In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access.

4.

Click Next on the wizard Welcome page.

5.

On the Configuration page, leave the default Remote Access (dial-up or VPN) selected and click Next.

6.

On the Remote Access page, select the VPN check box and click Next.

7.

On the VPN Connection page, select the Public interface and then click Next.

8.

On the IP Address Assignment page, select From a specified range of addresses and then click Next.

9.

On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.

L5-30


10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use Routing and Remote Access to authenticate connection requests and click Next. Click Finish. 11. In the Routing and Remote Access dialog box, click OK. 12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The Routing and Remote Access service starts.

X Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections 1.

In the Routing and Remote Access management tool interface, expand NYC-EDGE1 (local), select and then right-click Ports, and then click Properties.

2.

In the Ports Properties dialog box, double-click WAN Miniport (SSTP).

3.

In the Configure Device – WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.

4.

In the Routing and Remote Access dialog box, click Yes to continue.

5.

In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure Device – WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.

6.

In the Routing and Remote Access dialog box, click Yes to continue.

7.

Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).

8.

Click OK in the Ports Properties dialog box.

9.

Close the Routing and Remote Access administrative tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.


L5-31

Exercise 2: Configuring a Custom Network Policy X

Task 1: Open the Network Policy Server management tool on 6421B-NYC-EDGE1

1.

On NYC-EDGE1, click Start and then click Administrative Tools.

2.

On the Administrative Tools menu, click Network Policy Server. The Network Policy Server administrative tool appears.

X

Task 2: Create a new network policy for RRAS clients

1.

In the list pane, expand Policies, right-click Network Policies, and then click New.

2.

On the New Network Policy – Specify Network Policy Name and Connection Type page, type Secure VPN in the Policy name text box, and in the Type of network access server drop-down list, click Remote Access Server (VPN-Dial up) and then click Next.

3.

On the Specify Conditions page, click Add. On the Select Condition dialog box, scroll down and double-click Tunnel Type.

4.

In the Tunnel Type dialog box, select L2TP, PPTP, and SSTP, click OK, and then click Next.

5.

On the Specify Access Permission page, leave the default of Access granted and click Next.

6.

On the Configure Authentication Methods page, clear Microsoft Encrypted Authentication (MSCHAP) and then click Next.

7.

On the Configure Constraints page, under Constraints, click Day and time restrictions, and in the details pane, select Allow access only on these days and at these times, and click Edit.

8.

In the Day and time restrictions dialog box, click on the first blue rectangle in the left hand corner that represents Sunday midnight to 1AM. Hold the mouse button and drag your mouse to highlight all of Sunday. Click Denied. Repeat this procedure for all of Saturday. Click OK, and then click Next.

9.

On the Configure Settings page, under Settings, click Encryption, and in the details pane, clear all settings except Strongest encryption (MPPE 128-bit). Click Next and then click Finish.

10. In the list pane of the Network Policy Server tool, click the Network Policies node. 11. If necessary, right-click the Secure VPN policy and then click Move Up. Repeat this step to make the policy the first in the list. 12. Close the Network Policy Server tool.

X

Task 3: Create and Test a VPN connection

1.


2.

Click Start and then click Control Panel.

3.

In the Control Panel window, under Network and Internet, click View network status and tasks.

4.

In the Network and Sharing Center window, click Change adapter settings.

5.

Right-click Local Area Connection 3 and then click Properties.

6.

Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

7.

In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.

L5-32


8.

9.

Configure the following IP address settings and then click OK: •

IP Address: 131.107.0.20

•

Subnet mask: 255.255.255.0

•


Click Close and then click the Back button to return to the Network and Sharing Center.

10. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next. 11. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I’ll set up an Internet connection later. 12. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next. 13. On the Type your user name and password page, leave the user name and password blank and then click Create. 14. Click Close in the Connect to a Workplace dialog box. 15. In the Network and Sharing Center window, click Change adapter settings. 16. On the Network Connections page, right-click Contoso VPN and then click Connect. 17. Use the following information in the Connect Contoso VPN text boxes and then click Connect: •


•

Password: Pa$$w0rd

•

Domain: Contoso The VPN connects successfully.

18. Right-click Contoso VPN and click Disconnect. The VPN disconnects. 19. Close all open windows on NYC-CL1. Results: At the end of this exercise, you will have created and tested a VPN connection.


L5-33

Exercise 3: Create and Distribute a CMAK Profile X Task 1: Install the CMAK feature on NYC-CL1 1.


2.

In Control Panel, click Programs.

3.

In Programs, click Turn Windows features on or off.

4.

In the Windows Features list, select the RAS Connection Manager Administration Kit (CMAK) check box and then click OK.

5.

Close Programs and close Control Panel.

X Task 2: Create the connection profile 1.

Click Start, and in the Search box, type Connection Manager Administration Kit, and then click in the Programs (1) list, click Connection Manager Administration Kit.

2.

In the Connection Manager Administration Kit Wizard, click Next.

3.

On the Select the Target Operating System page, click Windows 7 or Windows Vista and then click Next.

4.

On the Create or Modify a Connection Manager profile page, click New Profile and then click Next.

5.

On the Specify the Service Name and the File Name page, in the Service name box, type Contoso HQ, in the File name box type Contoso and then click Next.

6.

On the Specify a Realm Name page, click Do not add a realm name to the user name and then click Next.

7.

On the Merge Information from Other Profiles page, click Next.

8.

On the Add Support for VPN Connections page, select the Phone book from this profile check box.

9.

In the VPN server name or IP address box, type 131.107.0.2 and then click Next.

10. On the Create or Modify a VPN Entry page, click Next. 11. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box and then click Next. 12. On the Configure Dial-up Networking Entries page, click Next. 13. On the Specify Routing Table Updates page, click Next. 14. On the Configure Proxy Settings for Internet Explorer page, click Next. 15. On the Add Custom Actions page, click Next. 16. On the Display a Custom Logon Bitmap page, click Next. 17. On the Display a Custom Phone Book Bitmap page, click Next. 18. On the Display Custom Icons page, click Next. 19. On the Include a Custom Help File page, click Next. 20. On the Display Custom Support Information page, click Next.

L5-34


21. On the Display a Custom License Agreement page, click Next. 22. On the Install Additional Files with the Connection Manager profile page, click Next. 23. On the Build the Connection Manager Profile and Its Installation Program page, click Next. 24. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.

X Task 3: Distribute the profile 1.

Switch to NYC-DC1.

2.

Click Start, click Computer, and then double-click Allfiles (D:).

3.

In Windows Explorer, on the menu, click New folder, type Contoso Profile, and then press ENTER.

4.

Right-click Contoso Profile and then Properties.

5.

On the Sharing tab, click Advanced Sharing.

6.

In the Advanced Sharing dialog box, select the Share this folder check box and then click Permissions.

7.

In the Permissions for Contoso Profile dialog box, click Add.

8.

In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type administrators and then click OK.

9.

In the Permissions for Contoso Profile dialog box, in the Permissions for Administrators list, select the Full Control Allow check box and then click OK.

10. In the Advanced Sharing dialog box, click OK. 11. In the Contoso Profile Properties dialog box, click Close. 12. Switch to NYC-CL1. 13. Click Start, and in the Search box, type Network and Sharing and then press ENTER. 14. In the Network and Sharing Center window, click Change adapter settings. 15. On the Network Connections page, right-click Contoso VPN and then click Connect. 16. Use the following information in the Connect Contoso VPN text boxes and then click Connect: •


•

Password: Pa$$w0rd

•

Domain: Contoso

The VPN connects successfully. 17. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER. 18. Click Start, and in the Search box, type C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso. 19. Highlight all files in the open Explorer window and then press CTRL + C. 20. Switch to the \\NYC-DC1\Contoso Profile folder and press CTRL + V. 21. Close all open windows. 22. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.


L5-35

23. Double-click the Contoso application. 24. In the Contoso HQ dialog box, click Yes. 25. On the Make this connection available for page, click All users, select the Add a shortcut on the desktop, and then click OK. 26. In the Contoso HQ dialog box, click Cancel. 27. In Network Connections, right-click Contoso VPN and click Disconnect. 28. On the desktop, double-click Contoso HQ – Shortcut. 29. Use the following information in the Connect Contoso HQ text boxes and then click Connect: •


•

Password: Pa$$w0rd

•

Domain: Contoso The VPN connects successfully.

30. Right-click Contoso HQ - Shortcut and click Disconnect. The VPN disconnects. 31. Close all open windows on NYC-CL1. Results: At the end of this exercise, you will have created and distributed a CMAK profile.

X

Preparing for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.


2.


3.


4.


L5-36

Lab B: Implementing DirectAccess Exercise 1: Configure the AD DS Domain Controller and DNS X Task 1: Create a security group for DirectAccess computers 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3.

In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users, point to New, and then click Group.

4.

In the New Object - Group dialog box, under Group name, type DA_Clients.

5.

Under Group scope, select Global, under Group type, choose Security, and then click OK.

6.

In the details pane, double-click DA_Clients.

7.

In the DA_Clients Properties dialog box, click the Members tab and then click Add.

8.

In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, click the Computers check box, and then click OK.

9.

Under Enter the object names to select (examples), type NYC-CL1 and then click OK.

10. Verify that NYC-CL1 is displayed below Members and then click OK. 11. Close the Active Directory Users and Computers console. Question: Why did you create the DA_Clients group? Answer: To enable the application of DirectAccess security settings to DirectAccess computers that are a member of this security group.

X Task 2: Configure firewall rules for ICMPv6 traffic Note This task is performed to enable subsequent testing of DirectAccess in the lab environment. 1.

Click Start, click Administrative Tools, and then click Group Policy Management.

2.

In the console tree, open Forest: Contoso.com\Domains\contoso.com.

3.

In the console tree, right-click Default Domain Policy and then click Edit.

4.

In the console tree of the Group Policy Management Editor, open Computer Configuration \Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security \Windows Firewall with Advanced Security.

5.

In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

6.

On the Rule Type page, click Custom and then click Next.

7.


8.

On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

9.

In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

Lab B: Implementing DirectAccess

L5-37

10. Click Next. 11. On the Scope page, click Next. 12. On the Action page, click Next. 13. On the Profile page, click Next. 14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests and then click Finish. 15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule. 16. On the Rule Type page, click Custom and then click Next. 17. On the Program page, click Next. 18. On the Protocols and Ports page, for Protocol type, click ICMPv6 and then click Customize. 19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK. 20. Click Next. 21. On the Scope page, click Next. 22. On the Action page, click Allow the connection and then click Next. 23. On the Profile page, click Next. 24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests and then click Finish. 25. Close the Group Policy Management Editor and Group Policy Management consoles.

X Task 3: Create required DNS records on NYC-DC1 1.


2.

In the console tree of DNS Manager, expand NYC-DC1\Forward Lookup Zones\contoso.com.

3.

Right-click contoso.com and then click New Host (A or AAAA).

4.

In the Name box, type nls. In the IP address box, type 10.10.0.24. Click Add Host and then click OK.

5.

In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP address box, type 10.10.0.15 and then click Add Host.

6.

In the DNS dialog box informing you that the record was created, click OK.

7.

Click Done in the New Host dialog box.

8.

Close the DNS Manager console. Question: What is the purpose of the nls.contoso.com DNS host record that you associated with an internal IP address? Answer: To enable intranet-based DirectAccess clients to locate the Network Location Server while in the intranet.

L5-38


X Task 4: Remove ISATAP from DNS global query block list 1.

Click Start, click All Programs, click Accessories, and then click Command Prompt.

2.

In the command prompt window, type the following command and then press ENTER: dnscmd /config /globalqueryblocklist wpad

3.

Close the command prompt window.

Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.


L5-39

Exercise 2: Configure the PKI Environment X Task 1: Configure the CRL distribution settings 1.

On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2.

In the details pane, right-click ContosoCA and then click Properties.

3.

In the ContosoCA Properties dialog box, click the Extensions tab.

4.

On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.

5.

In Variable, click and then click Insert.

6.


7.


8.

In Location, type .crl at the end of the Location string and then click OK.

9.

Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.

10. Click Add. 11. In Location, type \\nyc-Edge1\crldist$\. 12. In Variable, click and then click Insert. 13. In Variable, click and then click Insert. 14. In Variable, click and then click Insert. 15. In Location, type .crl at the end of the string and then click OK. 16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK. 17. Click Yes to restart Active Directory Certificate Services. 18. Close the Certification Authority console. Question: What is the purpose of the certificate revocation list? Answer: To enable DirectAccess clients and servers to determine whether issued certificates (used for authentication) have been revoked.

X Task 2: Configure the DNS suffix on Edge1 1.

Switch to NYC-Edge1.

2.

Click Start, and in the Search box, type Network and Sharing Center and then press ENTER.

3.

Click Change adapter settings.

4.


5.


6.

In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.

7.

On the DNS tab, in the DNS suffix for this connection box, type Contoso.com and then click OK.

8.

In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.

L5-40


9.


10. Close Network Connections.

X Task 3: Install the web server role on Edge1 1.

On NYC-Edge1, switch to Server Manager.

2.

In the console tree of Server Manager, click Roles. In the details pane, click Add Roles and then click Next.

3.

On the Select Server Roles page, click Web Server (IIS) and then click Next three times.

4.

Click Install.

5.

Verify that all installations were successful and then click Close.

6.

Leave the Server Manager window open.

X Task 4: Create CRL distribution point on NYC-EDGE1 1.

Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2.

In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.

3.

In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis “…” button.

4.

In the Browse for Folder dialog box, click Local Disk (C:) and then click Make New Folder.

5.

Type CRLDist and then press ENTER. Click OK in the Browse for Folder dialog box.

6.

Click OK in the Add Virtual Directory dialog box.

7.

In the middle pane of the console, double-click Directory Browsing and in the details pane, click Enable.

8.

In the console tree, click the CRLD folder.

9.

In the middle pane of the console, double-click the Configuration Editor icon.

10. Click the down-arrow for the Section drop-down list, and then browse to system.webServer\security\requestFiltering. 11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. 12. In the details pane, click Apply. 13. Close Internet Information Services (IIS) Manager. Question: Why do you make the CRL available on the DirectAccess server in the perimeter network? Answer: So that Internet DirectAccess clients can access the CRL.


L5-41

X Task 5: Share and secure the CRL distribution point Note

You perform this step to assign permissions to the CRL distribution point.

1.

Click Start and then click Computer.

2.

Double-click Local Disk (C:).

3.

In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.

4.

In the CRLDist Properties dialog box, click the Sharing tab and then click Advanced Sharing.

5.

In the Advanced Sharing dialog box, select Share this folder.

6.

In Share name, add a dollar sign ($) to the end so that the share name is CRLDist$.

7.

In the Advanced Sharing dialog box, click Permissions.

8.

In the Permissions for CRLDist$ dialog box, click Add.

9.

In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

10. In the Object Types dialog box, select Computers and then click OK. 11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1 and then click Check Names. Click OK. 12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control. Click OK. 13. In the Advanced Sharing dialog box, click OK. 14. In the CRLDist Properties dialog box, click the Security tab. 15. On the Security tab, click Edit. 16. In the Permissions for CRLDist dialog box, click Add. 17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types. 18. In the Object Types dialog box, select Computers. Click OK. 19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, click Check Names, and then click OK. 20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control and then click OK. 21. In the CRLDist Properties dialog box, click Close. 22. Close the Windows Explorer window.

X Task 6: Publish the CRL to NYC-EDGE1 Note This step makes the CRL available on the edge server for Internet-based DirectAccess clients. 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and then click Certification Authority.

L5-42


3.

In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

4.

In the Publish CRL dialog box, click New CRL, and then click OK.

5.

Click Start, type \\NYC-EDGE1\CRLDist$, and press ENTER.

6.

In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.

7.

Close the Windows Explorer window.

8.

Close the Certification Authority console.

X Task 7: Configure permissions on the web server certificate template Note Users require the Enroll permission on the certificate. 1.

Click Start, type certtmpl.msc, and then press ENTER.

2.

In the contents pane, right-click the Web Server template and then click Properties.

3.

Click the Security tab and then click Authenticated Users.

4.

In the Permissions for Authenticated Users window, click Enroll under Allow and then click OK.

5.

Close the Certificate Templates console

X Task 8: Configure computer certificate auto-enrollment 1.

Click Start, click Administrative Tools, and then click Group Policy Management.

2.

In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.

3.

In the details pane, right-click Default Domain Policy and then click Edit.

4.

In the console tree of the Group Policy Management Editor, open Computer Configuration \Policies\Windows Settings\Security Settings\Public Key Policies.

5.

In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

6.

In the Automatic Certificate Request Setup Wizard, click Next.

7.

On the Certificate Template page, click Computer, click Next, and then click Finish.

8.

Close the Group Policy Management Editor and close the Group Policy Management console. Question: Why would you use GPO to configure certificate deployment? Answer: To more quickly and effortlessly deploy the required certificates to DirectAccess client computers.

Results: At the end of this exercise, you will have configured the public key infrastructure in Contoso to support the deployment of DirectAccess.


L5-43

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access X Task 1: Create a shared folder Note This step is required to provide some data that both intranet and Internet clients can access. 1.

Switch to NYC-SVR1.

2.


3.

Double-click Local Disk (C:).

4.

Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.

5.

Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

6.

In the Untitled – Notepad window, type This is a shared file.

7.

Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.

8.

In File name, type example.txt, and then click Save. Close the Notepad window.

9.

In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

10. Click Share and then click Done. 11. Close the Local Disk window.

X Task 2: Request a certificate for NYC-SVR1 1.

Click Start, type cmd, and then press ENTER.

2.


3.


4.

Click Start, type mmc, and then press ENTER.

5.

Click File and then click Add/Remove Snap-in.

6.

Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

7.

In the console tree of the Certificates snap-in, open Certificates (Local Computer) \Personal\Certificates.

8.

Right-click Certificates, point to All Tasks, and then click Request New Certificate.

9.

Click Next twice.

10. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate. 11. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name. 12. In Value, type nls.contoso.com and then click Add.

L5-44


13. Click OK, click Enroll, and then click Finish. 14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.contoso.com was enrolled with Intended Purposes of Server Authentication. 15. Close the console window. When you are prompted to save settings, click No.

X Task 3: Change the HTTPS bindings 1.

Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2.

In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites and then click Default Web site.

3.

In the Actions pane, click Bindings. Click Add.

4.

In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the name nls.contoso.com, click OK, and then click Close.

5.

Close the Internet Information Services (IIS) Manager console.

X Task 4: Install a certificate on the client computer 1.

Switch to NYC-CL1.

2.

Click Start, type cmd, and then press ENTER.

3.


4.


5.


6.

Click File and then click Add/Remove Snap-in.

7.

Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

8.

In the console tree, expand Certificates (Local Computer)\Personal\Certificates.

9.


10. Click Next twice. 11. Select Computer, and then click Enroll. Click Finish. 12. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication. 13. Close the console window. When you are prompted to save settings, click No. Question: Why did you install a certificate on the client computer? Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess server.


L5-45

X Task 5: Test intranet access 1.

From the taskbar, click the Internet Explorer icon.

2.

In the Address bar, type http://nyc-svr1.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

3.

In the Address bar, type https://nls.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

4.

Leave the Internet Explorer window open.

5.

Click Start, type \\NYC-SVR1\Files, and then press ENTER.

6.

You should see a folder window with the contents of the Files shared folder.

7.

In the Files shared folder window, double-click the example.txt file. You should see the contents of the example.txt file.

8.


Results: At the end of this exercise, you tested Intranet access.

L5-46


Exercise 4: Configure the DirectAccess Server X Task 1: Obtain required certificates for NYC-EDGE1 1.

Switch to NYC-Edge1.

2.


3.

Click File and then click Add/Remove Snap-ins.

4.

Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

5.

In the console tree of the Certificates snap-in, open Certificates (Local Computer) \Personal\Certificates.

6.


7.

Click Next twice.

8.

On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.

9.

On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.

10. In the Value box, type nyc-edge1.contoso.com and then click Add. 11. Click OK, click Enroll, and then click Finish. 12. In the details pane of the Certificates snap-in, verify that a new certificate with the name nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication. 13. Right-click the certificate and then click Properties. 14. In Friendly Name, type IP-HTTPS Certificate, and then click OK. 15. Close the console window. If you are prompted to save settings, click No.

X Task 2: Install DirectAccess feature on NYC-EDGE1 1.

Switch to Server Manager.

2.

In the main window, under Features Summary, click Add features.

3.

On the Select Features page, select DirectAccess Management Console.

4.

In the Add Features Wizard window, click Add Required Features.

5.

On the Select Features page, click Next.

6.


7.



L5-47

X Task 3: Run DirectAccess setup wizard on NYC-EDGE1 Note This step configures NYC—EDGE1 as a DirectAccess server. 1.

Open a command prompt and type the following command, and then press ENTER: GPUpdate /force

2.


3.

Click Start, point to Administrative Tools, and then click DirectAccess Management.

4.

In the console tree, click Setup. In the details pane, click Configure for step 1.

5.

On the DirectAccess Client Setup page, click Add.

6.

In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.

7.

Click Configure for step 2.

8.

On the Connectivity page, for Interface connected to the Internet, select the interface named Public. For Interface connected to the internal network, select the Local Area Connection 2, and then click Next. Note If you receive a warning that the local area connection network adapter must be connected to a Domain network, close the Direct Access Management console. Open Server Manager and click Configure Network Connections. Disable the Local Area Connection and re-enable it. Restart the Direct Access Management console.

9.

On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate and then click OK.

10. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and then click Finish. 11. Click Configure for step 3. 12. On the Location page, click Network Location server is run on a highly available server, type https://nls.contoso.com, click Validate, and then click Next. 13. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6 address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier (::0:5efe:10.10.0.10). Click Next. 14. On the Management page, click Finish. 15. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish. 16. Click Save and then click Finish. 17. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK. Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.

L5-48


Exercise 5: Verify DirectAccess Functionality X Task 1: Create DNS records on INET1 Note Typically, you would configure this record on your public facing DNS servers. 1.

Switch to INET1.

2.


3.

In the console tree, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).

4.

In the Name box, type crl. In IP address, type 131.107.0.2.

5.

Click Add Host, click OK, and then click Done.

6.

Close the DNS console.

X Task 2: Update IPv6 configuration on NYC-SVR1 and NYC-DC1 Note These steps enable the required IPv6 settings to support DirectAccess. 1.

Switch to NYC-SVR1.

2.


3.

At the command prompt, type the following command and then press ENTER: net stop iphlpsvc

4.

At the command prompt, type the following command and then press ENTER: net start iphlpsvc

5.

At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.24. ipconfig

6.

Close the command prompt window.

7.

Switch to NYC-DC1.

8.


9.


10. At the command prompt, type the following command and then press ENTER: net start iphlpsvc


L5-49

11. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.10. ipconfig

12. Close the command prompt window.

X Task 3: Update GPO and IPv6 settings on NYC-CL1 1.

Switch to NYC-CL1.

2.

Restart NYC-CL1 and then log back on as Contoso\Administrator with the password of Pa$$w0rd. This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients security group.

3.


4.

At the command prompt, type the following command and then press ENTER: gpupdate /force

5.


6.

At the command prompt, type the following command and then press ENTER: net start iphlpsvc

7.

At the command prompt, type the following command and then press ENTER. Verify that the client has been issued an ISATAP address that ends with 10.10.10.1. ipconfig

8.

At the command prompt, type the following command and then press ENTER: Gpresult -R

9.

Verify that one Direct Access Group Policy object is being applied to the client computer. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart NYC-CL1. After the computer restarts, log on as Administrator and run the Gpresult –R command again.

X Task 4: Verify ISATAP connectivity 1.

At the command prompt, type the following command and then press ENTER: Ipconfig /flushdns

2.

At the command prompt, type the following command and then press ENTER: ping 2002:836b:2:1::5efe:10.10.0.10

3.

At the command prompt, type the following command and then press ENTER: ping 2002:836b:2:1::5efe:10.10.0.24

L5-50


4.

At the command prompt, type the following command and then press ENTER: ping NYC-DC1.contoso.com

5.

At the command prompt, type the following command and then press ENTER: ping NYC-SVR1.contoso.com

6.

All these commands should result in a successful response.

X Task 5: Move NYC-CL1 to the Internet Note To verify functionality, you must move the client computer to the Internet. 1.

On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.

2.

Click Network and Sharing Center.

3.

Click Change Adapter Settings.

4.


5.

In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

6.

In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK. •

IP address: 131.107.0.10

•

Subnet mask: 255.255.0.0

•


•


7.


8.

In Network Connections, right-click Local Area Connection 3 and then click Disable.

9.

In Network Connections, right-click Local Area Connection 3 and then click Enable.

10. In the Set Network Location dialog box, click Public network and then click Close.

X Task 6: Verify connectivity to Internet resources 1.

At the command prompt, type the following command and then press ENTER: ping inet1.isp.example.com

2.

From the taskbar, click the Internet Explorer icon.

3.

In the Address bar, type http://inet1.isp.example.com/ and then press ENTER. You should see the default IIS 7 Web page for INET1.


L5-51

X Task 7: Verify access to web-based and shared folder resources 1.

At the command prompt, type the following command and then press ENTER: ping NYC-SVR1

2.

In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 web page for NYC-SVR1.

3.

Close Internet Explorer.

4.

Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.

5.

In the Files shared folder window, double-click the example.txt file.

6.

Close the example.txt - Notepad window and the Files shared folder window.

X Task 8: Examine NYC-CL1 IPv6 configuration 1.


2.

From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4 Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4 address that begins with 131.107. Notice that this tunnel interface has a default gateway of 2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in colonhexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6 traffic to EDGE1.

Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.



2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-NYC-INET1, and 6421BNYC-CL1.

L6-53

Module 6: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Lab: Configuring and Managing Network Policy Server Exercise 1: Installing and Configuring the Network Policy Server Role Service X Task 1: Install the Network Policy and Access Services role 1.

Switch to NYC-DC1.

2.

On the Taskbar, click Server Manager.

3.

In the Server Manager navigation pane, click Roles.

4.

In the right pane, click Add Roles.

5.


6.

On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.

7.

On the Network Policy and Access Services Introduction page, click Next.

8.

On the Select Role Services page, select the Network Policy Server check box and then click Next.

9.


10. On the Installation Results page, click Close. 11. Close Server Manager.

X Task 2: Register NPS in AD DS 1.

Click Start, point to Administrative Tools, and then click Network Policy Server.

2.

In the navigation pane, right-click NPS (Local) and then click Register server in Active Directory.

3.

In the Network Policy Server message box, click OK.

4.

Click OK again in the subsequent Network Policy Server message box.

X Task 3: Configure NYC-DC1 as a RADIUS server for VPN connections 1.

In the Network Policy Server management tool, in the Getting Started details pane, open the drop-down list under Standard Configuration and then click RADIUS server for Dial-Up or VPN Connections.

2.

Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up.

3.

In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept the default name, and then click Next.

4.

On the RADIUS clients page, click Add.

5.

In the New RADIUS Client dialog box, in the Friendly Name box, type NYC-EDGE1 and then click Verify.

L6-54


6.

In the Verify Address dialog box, in the address box, type NYC-EDGE1, click Resolve, and then click OK.

7.

In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd and then click OK.

8.

On the Specify Dial-Up or VPN Server page, click Next.

9.

On the Configure Authentication Methods page, select the Extensible Authentication Protocol and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check boxes and then click Next.

10. On the Specify User Groups page, click Next. 11. On the Specify IP Filters page, click Next. 12. On the Specify Encryption Settings page, clear the Basic encryption and Strong encryption check boxes and then click Next. 13. On the Specify a Realm Name page, click Next. 14. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish. 15. Close the Network Policy Server administrative tool. Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.


L6-55

Exercise 2: Configuring a RADIUS Client X Task 1: Install Routing and Remote Access Services on NYC-EDGE1 1.

Switch to NYC-EDGE1.

2.

On the Taskbar, click Server Manager.

3.

In the Server Manager navigation pane, click Roles, and then in the right pane, click Add Roles.

4.

On the Before You Begin page, click Next.

5.

On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.

6.

On the Network Policy and Access Services page, click Next.

7.

On the Select Role Services page, select the Routing and Remote Access Services check box and then click Next.

8.


9.


10. Close the Server Manager window.

X Task 2: Configure NYC-EDGE1 as a VPN Server 1.

Click Start, point to Administrative Tools, and then click Routing and Remote Access.

2.

In the navigation pane, select NYC-EDGE1 (local).

3.

Right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access.

4.

In the Routing and Remote Access Server Setup Wizard, on the Welcome page, click Next.

5.

On the Configuration page, click Remote Access (dial-up or VPN) and click Next.

6.

On the Remote Access page, select the VPN check box and click Next.

7.

On the VPN Connection page, select the network interface with the IP address of 131.107.0.2, 131.107.0.3 and then click Next.

8.


9.

On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.

10. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server and then click Next. 11. On the RADIUS Server Selection page, in the Primary RADIUS server box, type NYC-DC1 12. In the Shared secret box, type Pa$$w0rd and then click Next. 13. Click Finish. 14. In the Routing and Remote Access dialog box, click OK. The Routing and Remote Access service starts. Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.

L6-56


Exercise 3: Configuring Certificate Auto-Enrollment X Task 1: Configure automatic enrolment with group policy 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and then click Group Policy Management.

3.

In the Group Policy Management list pane, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.

4.

In the list pane, under Contoso.com, right-click Default Domain Policy and then click Edit.

5.

In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

6.

In the navigation pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

7.

In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.

8.

On the Certificate Template page, accept the default setting of Computer and then click Next.

9.

On the Completing the Automatic Certificate Request Setup Wizard page, click Finish.

10. Close the Group Policy Management Editor. 11. Close the Group Policy Management tool. 12. Switch to NYC-CL1. 13. Restart the computer and then log on using the following credentials: •


•

Password: Pa$$w0rd

•

Domain: Contoso

14. Click Start, type MMC in the Search box, and then press ENTER. 15. In the Console1 window, click File and then click Add/Remove Snap-in. 16. In the Add or Remove Snap-ins box, select Certificates and then click Add. 17. In the Certificates snap-in box, select Computer account and then click Next. 18. In the Select Computer box, select Local computer and then click Finish. 19. Click OK to close the Add or Remove Snap-ins box. 20. In the Console1 window, expand Certificates (Local Computer). 21. Expand Personal, and then click Certificates. Notice that NYC-CL1.Contoso.com is displayed. You now can use this certificate as an authentication mechanism. Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.


L6-57

Exercise 4: Configuring and Testing the VPN X Task 1: Reconfigure the NYC-CL1 computer onto the public network 1.


2.

In Control Panel, under Network and Internet, click View network status and tasks.

3.


4.


5.

Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

6.

Configure the following IP address settings and then click OK:

7.

•

IP Address: 131.107.0.20

•

Subnet mask: 255.255.255.0

•


Click Close and then click the Back button to return to the Network and Sharing Center.


In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.

2.

In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I’ll set up an Internet connection later.

3.

In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.

4.

On the Type your user name and password page, leave the user name and password blank and then click Create.

5.

Click Close in the Connect to a Workplace dialog box.

6.


7.

On the Network Connections page, right-click Contoso VPN and then click Properties.

8.

In the Contoso VPN Properties dialog box, click the Security tab.

9.

In the Type of VPN list, click Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).

10. In the Data encryption list, click Maximum strength encryption (disconnect if server declines) and then click OK. 11. On the Network Connections page, right-click Contoso VPN and then click Connect. 12. Use the following information in the Connect Contoso VPN text boxes and then click Connect: •


•

Password: Pa$$w0rd

•

Domain: Contoso

The VPN connects successfully.

L6-58


13. Right-click Contoso VPN and click Disconnect. The VPN disconnects. 14. Close all open windows on NYC-CL1. Do not save Console 1. Results: At the end of this exercise, you will have verified the VPN solution.



2.


3.


4.


L7-59

Module 7: Configuring Network Access Protection

Lab: Implementing NAP into a VPN Remote Access Solution Exercise 1: Configuring NAP Components X Task 1: Configure a Computer Certificate 1.

On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2.

In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then select Manage from the context menu.

3.

In the Certificate Templates Console details pane, right-click Computer and then choose Properties from the context menu.

4.

Click on the Security tab in the Computer Properties dialog box and then select Authenticated Users.

5.

In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission and then click OK.

6.

Close the Certificate Templates Console and then close the certsrv management console.

X Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server 1.

Switch to the NYC-EDGE1 computer.

2.

Obtain the computer certificate and install on NYC-EDGE1 for server-side PEAP authentication: a.

Click Start, click Run, type mmc, and then press ENTER.

b.

On the File menu, click Add/Remove Snap-in.

c.

In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

d.

Click OK to close the Add or Remove Snap-ins dialog box.

e.

In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

f.

The Certificate Enrollment dialog box opens. Click Next.

g.

On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.

h.

Select the Computer check box and then click Enroll.

i.

Verify the status of certificate installation as Succeeded and then click Finish.

j.

Close the Console1 window.

k.

Click No when prompted to save console settings.

L7-60


3.

4.

5.

6.

Install the NPS Server role: a.

On NYC-EDGE1, switch to Server Manager.

b.

Click Roles, and then under Roles Summary, click Add Roles and then click Next.

c.

Select the Network Policy and Access Services check box and then click Next twice.

d.

Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.

e.

Verify that the installation was successful and then click Close.

f.

Close the Server Manager window.

Configure NPS as a NAP health policy server: a.

Click Start, point to Administrative Tools, and then click Network Policy Server.

b.

Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

c.

In the right pane under Name, double-click Default Configuration.

d.

On the Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box.

e.

Click OK to close the Windows Security Health Validator dialog box.

Configure health policies: a.

Expand Policies.

b.

Right-click Health Policies and then click New.

c.

In the Create New Health Policy dialog box, under Policy name, type Compliant.

d.

Under Client SHV checks, verify that Client passes all SHV checks is selected.

e.

Under SHVs used in this health policy, select the Windows Security Health Validator check box.

f.

Click OK.

g.

Right-click Health Policies and then click New.

h.

In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.

i.

Under Client SHV checks, select Client fails one or more SHV checks.

j.

Under SHVs used in this health policy, select the Windows Security Health Validator check box.

k.

Click OK.

Configure network policies for compliant computers: a.

Ensure that Policies is expanded.

b.

Click Network Policies.

c.

Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.

d.

Right-click Network Policies and then click New.


L7-61

e.

In the Specify Network Policy Name And Connection Type window, under Policy name, type Compliant-Full-Access and then click Next.

f.

In the Specify Conditions window, click Add.

g.

In the Select condition dialog box, double-click Health Policies.

h.

In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

i.

In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.

j.

In the Specify Access Permission window, verify that Access granted is selected.

k.

Click Next three times.

l.

In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.

m. In the Completing New Network Policy window, click Finish. 7.

Configure network policies for noncompliant computers: a.

Right-click Network Policies and then click New.

b.

In the Specify Network Policy Name And Connection Type window, under Policy name, type Noncompliant-Restricted and then click Next.

c.


d.

In the Select condition dialog box, double-click Health Policies.

e.

In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.

f.

In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant and then click Next.

g.

In the Specify Access Permission window, verify that Access granted is selected.

Note A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions. h.

Click Next three times.

i.

In the Configure Settings window, click NAP Enforcement. Select Allow limited access and remove the check box next to Enable auto-remediation of client computers.

j.

In the Configure Settings window, click IP Filters.

k.

Under IPv4, click Input Filters and then click New.

l.

In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.

m. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Inbound Filters dialog box. n.

Click OK to close the Inbound Filters dialog box.

L7-62


8.

o.

Under IPv4, click Output Filters and then click New.

p.

In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.

q.

Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.

r.

Click OK to close the Outbound Filters dialog box.

s.

In the Configure Settings window, click Next.

t.

In the Completing New Network Policy window, click Finish.

Configure connection request policies: a.

Click Connection Request Policies.

b.

Disable the default Connection Request policy that is found under Policy Name by right-clicking the policy and then clicking Disable.

c.

Right-click Connection Request Policies and then click New.

d.

In the Specify Connection Request Policy Name And Connection Type window, under Policy name, type VPN connections.

e.

Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.

f.


g.

In the Select Condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP. Click OK and then click Next.

h.

In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.

i.

In the Specify Authentication Methods window, select Override network policy authentication settings.

j.

Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.

k.

Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.

l.

Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.

m. Verify that Enforce Network Access Protection is selected and then click OK. n. 9.

Click Next twice and then click Finish.

Close the Network Policy Server console.


L7-63

X Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server 1.

On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.

2.

In the Routing and Remote Access console, right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.

3.

Click Next, select Remote access (dial-up or VPN), and then click Next.

4.

Select the VPN check box and then click Next.

5.

Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when it is attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.

6.


7.

On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients and then click Next.

8.

On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next.

9.

Click Finish.

10. Click OK twice and wait for the Routing and Remote Access Service to start. 11. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled. 12. Click Connection Request Policies, and in the results pane, right-click the Microsoft Routing and Remote Access Service Policy and then click Disable. 13. Close the Network Policy Server management console. 14. Close Routing and Remote Access.

X Task 4: Allow ping on NYC-EDGE1 1.

Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2.

Click on Inbound Rules, right-click Inbound Rules, and then click New Rule.

3.

Select Custom and then click Next.

4.

Select All programs and then click Next.

5.

Next to Protocol type, select ICMPv4 and then click Customize.

6.

Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

7.

Click Next to accept the default scope.

L7-64


8.

In the Action window, verify that Allow the connection is selected and then click Next.

9.

Click Next to accept the default profile.

10. In the Name window, under Name, type ICMPv4 echo request and then click Finish. 11. Close the Windows Firewall with Advanced Security console. Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.


L7-65

Exercise 2: Configuring Client Settings to Support NAP X Task 1: Configure Security Center 1.


2.

Configure NYC-CL1 so that Security Center is always enabled: a.

Click Start, point to All Programs, click Accessories, and then click Run.

b.

Type gpedit.msc and then press ENTER.

c.

In the console tree, click Local Computer Policy/Computer Configuration /Administrative Templates/Windows Components/Security Center.

d.

Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

e.


X Task 2: Enable client NAP enforcement 1.

2.

Enable the remote-access, quarantine-enforcement client: a.

Click Start, click All Programs, click Accessories, and then click Run.

b.

Type napclcfg.msc and then press ENTER.

c.

In the console tree, click Enforcement Clients.

d.

In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.

e.

Close the NAP Client Configuration window.

Enable and start the NAP agent service: a.

Click Start, click Control Panel, click System and Security, and then click Administrative Tools.

b.

Double-click Services.

c.

In the Services list, double-click Network Access Protection Agent.

d.

In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.

e.

Wait for the NAP Agent service to start and then click OK.

f.

Close the Services console and then close the Administrative Tools and System and Security windows.

X Task 3: Move the client to the Internet 1.

Configure NYC-CL1 for the Internet network segment: a.


b.


c.

Click Change adapter settings.

d.


e.

Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

L7-66


2.

f.

Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Do not configure the Default gateway.

g.

Click Use the following DNS server addresses.

h.

Click OK and then click Close to close the Local Area Connection 3 Properties dialog box.

i.

Close the Network Connections window.

Verify network connectivity for NYC-CL1: a.

Click Start, click All Programs, click Accessories, and then click Run.

b.

Type cmd and then press ENTER.

c.

At the command prompt, type ping 131.107.0.2 and press ENTER.

d.

Verify that the response reads “Reply from 131.107.0.2”.

e.

Close the command window.

X Task 4: Create a VPN on NYC-CL1 1.

Configure a VPN connection: a.


b.


c.

Click Set up a new connection or network.

d.

On the Choose a connection option page, click Connect to a workplace and then click Next.

e.

On the How do you want to connect page, click Use my Internet connection (VPN).

f.

Click I’ll set up an Internet connection later.

g.

On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN. Select the Allow other people to use this connection check box and then click Next.

h.

On the Type your user name and password page, type administrator next to User name and type Pa$$w0rd next to Password. Select the Remember this password check box, type Contoso next to Domain (optional), and then click Create.

i.

On The connection is ready to use page, click Close.

j.

In the Network And Sharing Center window, click Change adapter settings.

k.

Right-click the Contoso VPN connection, click Properties, and then click the Security tab.

l.

Under Authentication, click Use Extensible Authentication Protocol (EAP).

m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties. n.

Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box.

o.

Click OK twice to accept these settings.


2.

L7-67

Test the VPN connection: a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.

3.

4.

b.

In the Connect Contoso VPN window, click Connect.

c.

You are presented with a Windows Security Alert window the first time that this VPN connection is used. Click Details and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.

d.

Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.

e.


f.

Type ipconfig /all and view the IP configuration. System Quarantine State should be Not Restricted.

g.

In the Command window, type ping 10.10.0.10 and then press ENTER. This should be successful. The client now meets the requirement for VPN full connectivity.

h.

Disconnect from the Contoso VPN.

Configure Windows Security Health Validator to require an antivirus application: a.

On NYC-EDGE1, open Network Policy Server.

b.

Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

c.

In the right pane under Name, double-click Default Configuration.

d.

On the Windows 7/Windows Vista selection, select the An antivirus application is on check box and then click OK.

Verify that the client is placed on the restricted network: a.

On NYC-CL1, in the Network Connections window, right-click the Contoso VPN and then click Connect.

b.

Click Connect.

c.

Wait for the VPN connection to be made. Verify that a message appears in the Action Center stating that the computer does not meet security standards.

d.


e.

Type ipconfig /all and view the IP configuration. System Quarantine State should be Restricted. The client does not meet the requirements for the network, and therefore is placed on the restricted network.

f.


Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.

L7-68




2.


3.


4.


L8-69

Module 8: Increasing Security for Windows Servers

Lab: Increasing Security for Windows Servers Exercise 1: Deploying a Windows Firewall Rule X Task 1: Create a Group Policy object with a firewall rule 1.

On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2.

In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, and click Contoso.com.

3.

Right-click Contoso.com and click Create a GPO in this domain, and Link it here.

4.

In the New GPO window, in the Name box, type Firewall and click OK.

5.

On the Linked Group Policy Objects tab, right-click Firewall and click Edit.

6.

In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and click Inbound Rules.

7.

Right-click Inbound Rules and click New Rule.

8.

In the New Inbound Rule Wizard window, click Port and click Next.

9.

On the Protocol and Ports page, click TCP and click Specific local ports.

10. In the Specific local ports box, type 10005 and then click Next. 11. On the Action page, confirm that Allow the connection is selected and click Next. 12. On the Profile page, clear the Private and Public check boxes and then click Next. 13. On the Name page, in the Name box, type Monitoring and then click Finish.

X Task 2: Apply Group Policy settings to NYC-SVR1 1.


2.


3.

Close the command window on NYC-SVR1.

X Task 3: Test access to the monitoring client 1.

On NYC-DC1, click Start, point to All Programs, and click Internet Explorer.

2.

In the Internet Explorer address bar, type http://nyc-svr1.contoso.com/status.xml and press ENTER.

Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.

L8-70

Module 8: Increasing Security for Windows Servers

Exercise 2: Implementing WSUS X Task 1: Create a GPO for configuring WSUS clients 1.


2.

In the Group Policy Management window, right-click Contoso.com and click Create a GPO in this domain, and Link it here.

3.

In the New GPO window, in the Name box, type WSUS and click OK.

4.

On the Linked Group Policy Objects tab, right-click WSUS and click Edit.

5.

In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

6.

In the details pane, double-click Configure Automatic Updates.

7.

In the Configure Automatic Updates dialog box, click Enabled.

8.

In the Configure automatic updating drop-down list, click 4 - Auto download and schedule the install and then click Next Setting.

9.

On the Specify intranet Microsoft update service location page, select Enabled.

10. Under Set the intranet update service for detecting updates and under Set the intranet statistics server, type http://NYC-SVR1 in the text boxes and then click Next Setting. 11. On the Automatic Updates detection frequency page, click Enabled and then click OK. 12. Close the Group Policy Management Editor and the Group Policy Management Console. 13. Click Start, type cmd, and press ENTER. 14. At the command prompt, type gpupdate /force and press ENTER. 15. At the command prompt, type wuauclt /detectnow and press ENTER. 16. Close the command prompt.

X Task 2: Review the configuration settings for a WSUS server 1.

On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Update Services.

2.

In the Update Services window, in the left pane, click Options.

3.

Read the list of options available for configuration.

X Task 3: Create a computer group for servers 1.

On NYC-SVR1, in the Update Services window, in the left pane, expand Computers, expand All Computers, and click All Computers.

2.

In the Actions pane, click Add Computer Group.

3.

In the Add Computer Group window, in the Name box, type HO Servers and click Add.

4.

Click the Unassigned Computers computer group.

5.

In the center pane, in the Status box, select Any and then click Refresh.


6.

Right-click NYC-DC1.contoso.com, and click Change Membership.

7.

In the Set Computer Group Membership box, select the HO Servers check box and click OK.

L8-71

X Task 4: View the update report for NYC-DC1 1.

On NYC-SVR1, in the Update Services window, click the HO Servers computer group.

2.

In the center pane, in the Status box, select Any and then click Refresh.

3.

Right-click nyc-dc1.contoso.com and click Status Report.

4.

Read the Status Summary for nyc-dc1.contoso.com. Notice that four updates have not been installed.

5.

At the top of the report, beside Include updates that have a status of, click Any.

6.

In the Choose Update Status window, clear all check boxes except Needed and then click OK.

7.

In the top menu, click Run Report.

8.

Click the right arrow to view the second page of the report.

9.

Read the list of updates that are needed. Notice that they are not approved.

10. Leave this report open for the next task.

X Task 5: Approve an update for the HO Servers computer group 1.

On NYC-SVR1, in the Computers Report for NYC-SVR1, for the first update listed, click Not approved.

2.

In the Approve Updates window, click the down arrow to the left of HO Servers and click Approved for Install.

3.

Read the warning message at the bottom of the Window. This file is not downloaded due to the configuration of the lab environment.

4.

Click OK.

5.

In the Approval Progress window, read the actions that were performed and then click Close.

6.

Close all open windows. Note Notice that a message appears stating that the update is approved, but must be downloaded to complete. This is due to the configuration of the lab environment.

Results: After this exercise, you should have approved an update for NYC-DC1.



2.


3.


4.


L9-73

Module 9: Increasing Security for Network Communication

Lab: Increasing Security for Network Communication Exercise 1: Selecting a Network Security Configuration f Task 1: Read the Research application security document •

Read the Research application security document located in task 2 in the main module document.

f Task 2: Update the proposal document with your planned course of action •

Answer the questions in the Research application security document. Research application security Document Reference Number: GW1605/1 Document Author Date

Charlotte Weiss 16th May

Requirements Overview Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must: 1.

Create a connection security rule that authenticates the computers in the Research department.

2.

Create a firewall rule that ensures only authenticated computers from the Research department can access the application.

Additional Information 1.

The application exists on NYC-SVR1.

2.

The application is not configured to use SSL.

3.

NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.

Proposals 1.

How will you accomplish requirement 1? Answer:

2.

•

Configure a Connection Security Rule that requires Kerberos authentication for connections to TCP port 80 (web server).

•

Restrict authentication to specific users and computers.

How will you accomplish requirement 2? Answer: Create a firewall rule that enables communication over port 80 if authenticated.

L9-74


Research application security 3.

Are there any additional tasks that you must perform? Answer: •

Create a GPO that is linked to the Research OU.

•

Configure the Connection Security rule and Firewall Rule as part of this policy.

•

Move both NYC-SVR1 and NYC-CL1 to the Research OU.

•

Refresh the GPO on the client computers from NYC-DC1.

f Task 3: Examine the suggested proposals in the Lab Answer Key •

Compare your solution to the proposed solution in the Research application security document in the Lab Answer Key. Be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.


L9-75

Exercise 2: Configuring IPsec to Authenticate Computers f Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU 1. Switch to NYC-DC1. 2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. 3. In Active Directory Users and Computers, expand Contoso.com and then click Computers. 4. Right-click NYC-CL1 and then click Move. 5. In the Move dialog box, click Research and then click OK. 6. Right-click NYC-SVR1 and then click Move. 7. In the Move dialog box, click Research and then click OK. 8. In the navigation pane, click Research.

f Task 2: Create a GPO and link to the Research OU 1. Click Start, point to Administrative Tools, and then click Group Policy Management. 2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Research. 3. Right-click Research and then click Create a GPO in this domain, and link it here. 4. In the New GPO dialog box, in the Name box, type Research Department Application Security Policy and then click OK.

f Task 3: Create the required connection security rule 1. In Group Policy Management, expand Research. 2. Right-click Research Department Application Security Policy and then click Edit. 3. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security – LDAP://CN={GUID}, and then click Connection Security Rules. 4. Right-click Connection Security Rules and then click New Rule. 5. In the New Connection Security Rule Wizard, on the Rule Type page, click Custom and then click Next. 6. On the Endpoints page, click Next. 7. On the Requirements page, click Require authentication for inbound connections and request authentication for outbound connections and then click Next. 8. On the Authentication Method page, click Computer and user (Kerberos V5) and then click Next. 9. On the Protocol and Ports page, in the Protocol type list, click TCP. 10. In the Endpoint 1 port list, click Specific Ports and in the text box, type 80 and then click Next. 11. On the Profile page, clear the Private and Public check boxes and then click Next. 12. On the Name page, in the Name box, type Research Department Application Security rule and then click Finish.

L9-76


f Task 4: Create the firewall rule 1. In Group Policy Management Editor, click Inbound Rules. 2. Right-click Inbound Rules and then click New Rule. 3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next. 4. On the Program page, click Next. 5. On the Protocol and Ports page, in the Protocol type list, click TCP. 6. In the Local port list, click Specific Ports and in the text box, type 80 and then click Next. 7. On the Scope page, click Next. 8. On the Action page, click Allow the connection if it is secure and then click Customize. Ensure that Allow the connection if it is authenticated and integrity-protected is selected and click OK. 9. Click Next. 10. On the Users page, click Next. 11. On the Computers page, select Only allow connections from these computers and then click Add. 12. In the Select Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type NYC-CL1; NYC-SVR1, click Check Names, click OK, and then click Next. 13. On the Profile page, clear the Private and Public check boxes and then click Next. 14. On the Name page, in the Name box, type Research Department Application Firewall rule and then click Finish.

f Task 5: Refresh the Group Policy on client computers 1. Switch to NYC-CL1. 2. Click Start, and in the Search box, type cmd.exe and press ENTER. 3. In the command prompt, type the following command and then press ENTER: Gpupdate /force

4.

In the command prompt, type the following command and then press ENTER: Shutdown /r

5. Switch to NYC-SVR1. 6. Click Start, and in the Search box, type cmd.exe and press ENTER. 7. In the command prompt, type the following command and then press ENTER: Gpupdate /force

8. In the command prompt, type the following command and then press ENTER: Shutdown /r

Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.


L9-77

Exercise 3: Testing IPsec Authentication f Task 1: Attempt to connect to the web server on NYC-SVR1 1. Switch to NYC-CL1. 2. Log on using the following information: •


•

Password: Pa$$w0rd

•

Domain : Contoso

3. On the Taskbar, click Internet Explorer. 4. In the Address bar, type http://nyc-svr1 and press ENTER. The default IIS 7 webpage displays.

f Task 2: Verify settings with Windows Firewall with Advanced Security 1. Click Start, and in the Search box, type Windows Firewall with Advanced Security and press ENTER. 2. In Windows Firewall with Advanced Security, in the navigation pane, expand Monitoring, expand Security Associations, and then click Main Mode. 3. In the right pane, double-click the item listed. 4. What is the First authentication method? Answer: Computer (Kerberos V5) 5. Click OK. 6. Expand Quick Mode. 7. In the right pane, double-click the item listed. 8. What is the Remote port? Answer: TCP 80 9. Click OK.

f Task 3: Verify settings with IP Security Monitor 1. Click Start, and in the Search box, type mmc.exe and then press ENTER. 2. In Console1 – [Console Root] window, click File and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, in the Snap-in list, click IP Security Monitor, click Add, and then click OK. 4. Expand IP Security Monitor, expand NYC-CL1, expand Main Mode, and then click Security Associations. 5. In the right pane, double-click the item listed. 6. What is the encryption method? Answer: None. No encryption was required, merely authentication.

L9-78


7. Close all open windows. Do not save changes to Console 1. Results: At the end of this exercise, you will have verified IPsec settings.

f Preparing for the next module When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1. On the host computer, start Hyper-V Manager. 2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert. 3. In the Revert Virtual Machine dialog box, click Revert. 4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

L10-79

Module 10: Configuring and Troubleshooting Network File and Print Services

Lab: Configuring and Troubleshooting Network File and Print Services Exercise 1: Creating and Configuring a File Share X Task 1: Create the folder structure for the share 1.

On NYC-DC1, click Start and click Computer.

2.

In Windows Explorer, double-click Local Disk (C:) and click New folder on the top menu bar.

3.

Type Share and press ENTER to rename the folder.

4.

Double-click Share and click New folder.

5.

Type Marketing and press ENTER to rename the folder.

6.

Click New folder.

7.

Type Production and press ENTER to rename the folder.

X Task 2: Configure NTFS permissions on the folder structure 1.

On NYC-DC1, in Windows Explorer, browse to C:\.

2.

Right-click Share and click Properties.

3.

In the Share Properties window, click the Security tab. Notice that Users have read access to the Share folder.

4.

Click Cancel.

5.

In Windows Explorer, double-click Share.

6.

Right-click Marketing and click Properties.

7.

In the Marketing Properties window, on the Security tab, click Advanced.

8.

In the Advanced Security Settings For Marketing window, click Change Permissions.

9.

Clear the Include inheritable permissions from this object’s parent check box.

10. In the Windows security window, click Add. 11. Use Ctrl+click to select both entries for Users and then click Remove. 12. Click OK twice to close both Advanced Security Settings For Marketing windows. 13. In the Marketing Properties window, click Edit. 14. In the Permissions For Marketing window, click Add, type Marketing, and click OK. 15. With Marketing selected, click the Allow Modify permission and click OK. 16. In the Marketing Properties windows, click OK.

L10-80


17. Right-click Production and click Properties. 18. In the Production Properties window, on the Security tab, click Advanced. 19. In the Advanced Security Settings For Production window, click Change Permissions. 20. Clear the Include inheritable permissions from this object’s parent check box. 21. In the Windows security window, click Add. 22. Use Ctrl+click to select both entries for Users and then click Remove. 23. Click OK twice to close both Advanced Security Settings For Production windows. 24. In the Production Properties window, click Edit. 25. In the Permissions For Production window, click Add, type Production and then click OK. 26. With Production selected, click the Allow Modify permission and click OK. 27. In the Production Properties window, click OK.

X Task 3: Create the share 1.

On NYC-DC1, in Windows Explorer, browse to C:\.

2.

Right-click Share and click Properties.

3.

In the Share Properties window, on the Sharing tab, click Advanced Sharing.

4.

In the Advanced Sharing window, select the Share this folder check box and click Permissions.

5.

In the Permissions For Share window, with Everyone selected, select the Full Control Allow permission and click OK.

6.

In the Advanced Sharing window, click OK.

7.

In the Share Properties window, click Close.

8.


X Task 4: Enable Access-Based Enumeration 1.

On NYC-DC1, click Start, point to Administrative Tools, and click Share and Storage Management.

2.

In Share and Storage Management, right-click Share, and click Properties.

3.

In the Share Properties window, click Advanced.

4.

In the Advanced window, on the User Limits tab, select the Enable Access-based enumeration check box and click OK.

5.

In the Share Properties window, click OK.

6.

Close Share and Storage Management.


X Task 5: Verify that permissions are properly configured 1.

On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd. Adam is a member of Marketing.

2.

Click Start, type \\nyc-dc1\share, and press ENTER.

3.

Read the folders that are available and double-click Marketing.

4.

Right-click an open area, point to New, and click Text Document.

5.

Type AdamFile and press ENTER to rename the file.

6.


Results: After this exercise, you should have created and configured a file share.

L10-81

L10-82


Exercise 2: Encrypting and Recovering Files X Task 1: Update the recovery agent certificate for EFS 1.


2.

In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and click Default Domain Policy.

3.

In the Group Policy Management Console dialog box, click OK to clear the message.

4.

Right-click Default Domain Policy and click Edit.

5.

In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and click Encrypting File System.

6.

Right-click the Administrator certificate and click Delete.

7.

In the Certificates window, click Yes.

8.

Right-click Encrypting File System and click Create Data Recovery Agent.

9.

Read the information for the new certificate that was created. Notice that this certificate was obtained from ContosoCA.

10. Close Group Policy Management Editor. 11. Close Group Policy Management.

X Task 2: Update Group Policy on the computers 1.

On NYC-DC1, click Start, type cmd, and press ENTER.

2.

At the command prompt, type gpupdate /force and press ENTER.

3.


4.

On NYC-CL1, click Start, type cmd, and press ENTER.

5.


6.


X Task 3: Obtain a certificate for EFS 1.


2.

Click Start, type mmc, and press ENTER.

3.

In Console1, click File and click Add/Remove Snap-in.

4.

In the list of available snap-ins, click Certificates and click Add.

5.

In the Add Or Remove Snap-ins window, click OK.

6.

In the left pane, click Certificates – Current User, then right-click Personal, point to All Tasks, and click Request New Certificate.

7.

In the Certificate Enrollment window, click Next.


L10-83

8.

On the Select Certificate Enrollment Policy page, click Next to use the Active Directory Enrollment Policy.

9.

On the Request Certificates page, select the Basic EFS check box and click Enroll.

10. On the Certificate Installation Results page, click Finish. 11. In the Console1 window, in the left pane, expand Certificates – Current User, expand Personal, and click Certificates. 12. Read the list of certificates and note the one that was issued by ContosoCA. 13. Close Console1 and do not save the settings.

X Task 4: Encrypt a file 1.

On NYC-CL1, click Start, type \\NYC-DC1\Share\Marketing, and press ENTER.

2.

Right-click AdamFile and click Properties.

3.

On the General tab, click Advanced.

4.

In the Advanced Attributes window, select the Encrypt contents to secure data check box and click OK.

5.

In the AdamFile Properties window, click OK.

6.

In the Encryption Warning window, click Encrypt the file only and then click OK. Wait a few seconds for the file to be encrypted.

7.

Look at the color of the file name.

8.


X Task 5: Use the recovery agent to open the file 1.

On NYC-DC1, click Start and click Computer.

2.

Browse to C:\Share\Marketing.

3.

Double-click AdamFile.txt.

4.

Add some text to the file, click File, and then click Save.

5.

Close Notepad and Windows Explorer.

Results: After this exercise, you should have encrypted and recovered a file.

L10-84


Exercise 3: Creating and Configuring a Printer Pool X Task 1: Install the Print Management role 1.

On NYC-DC1, click Start, point to Administrative Tools, and click Server Manager.

2.

In the left pane, click Roles and then click Add Roles.

3.

Click Next to start the Add Roles Wizard.

4.

On the Select Server Roles page, select the Print and Document Services check box and click Next.

5.

On the Print and Document Services page, click Next.

6.

On the Select Role Services page, verify that Print Server is selected and click Next.

7.


8.


9.


X Task 2: Create two IP printer ports 1.

Click Start, point to Administrative Tools, and click Print Management.

2.

In Print Management, expand Print Servers, expand NYC-DC1 (local), and click Ports.

3.

Right-click Ports and click Add Port.

4.

In the Printer Ports window, click Standard TCP/IP Port and click New Port.

5.

Click Next to start the Add Standard TCP/IP Printer Port Wizard.

6.

In the Printer Name or IP Address box, type 10.10.0.98 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.

7.

On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.

8.

Click Finish to complete the wizard.

9.

In the Printer Ports window, click Standard TCP/IP Port and click New Port.

10. Click Next to start the Add Standard TCP/IP Printer Port Wizard. 11. In the Printer Name or IP Address box, type 10.10.0.99 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address. 12. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card. 13. Click Finish to complete the wizard. 14. In the Printer Ports window, click Close.

X Task 3: Create a printer 1.

In Print Management, under NYC-DC1 (local), click Printers.

2.

Right-click Printers and click Add Printer.


L10-85

3.

On the Printer Installation page, click Add a new printer using an existing port, click 10.10.0.98, and click Next.

4.

On the Printer Driver page, click Install a new driver and click Next.

5.

On the Printer Installation page, click Next to accept the default driver.

6.

On the Printer Name and Sharing Settings page, in the Printer Name and Share Name boxes, type PrinterPool and click Next.

7.

On the Printer Found page, click Next.

8.

Click Finish to complete the wizard.

X Task 4: Make the new printer into a printer pool 1.

In Print Management, right-click PrinterPool and click Properties.

2.

In the PrinterPool Properties window, on the Ports tab, select the Enable printer pooling check box.

3.

In the list of ports, select the 10.10.0.99 check box and click OK. Notice that two ports are selected.

4.

Close Print Management

X Task 5: Distribute the printer pool to users 1.

Click Start, point to Administrative Tools, and click Group Policy Management.

2.

Right-click the Marketing OU and click Create a GPO in this domain, and Link it here.

3.

In the New GPO window, in the Name box, type MarketingGPO and click OK.

4.

Right-click MarketingGPO and click Edit.

5.

Under User Configuration, expand Preferences, expand Control Panel Settings, and click Printers.

6.

Right-click Printers, point to New, and click Shared Printer.

7.

In the New Shared Printer Properties windows, in the Share path box, type \\NYC-DC1\PrinterPool.

8.

Select the Set this printer as the default printer check box, and click OK.

9.

Close Group Policy Management Editor.

10. Close Group Policy Management.

X Task 6: Verify printer distribution to a marketing user 1.


2.

Click Start, type cmd, and press ENTER.

3.


4.


5.

Click Start and click Devices and Printers.

6.

Confirm that PrinterPool on NYC-DC1 appears and is configured as the default printer.

Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.

L10-86




2.


3.


4.

Repeat these steps for 6421B-NYC-CL1.

L11-87

Module 11: Optimizing Data Access for Branch Offices

Lab A: Implementing DFS Exercise 1: Installing the DFS Role Service f Task 1: Install the DFS Role Service on NYC-SVR1 1.

Switch to NYC-SVR1.

2.


3.

In the navigation pane, click Roles.

4.

In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens.

5.

On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces and DFS Replication options are also selected. Click Next.

6.

On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.

7.


8.


9.


f Task 2: Install the DFS Role Service on NYC-DC1 1.

Switch to NYC-DC1.

2.


3.


4.

In the details pane, click Add Roles.

5.


6.

On the Select Server Roles page, select the File Services check box and then click Next.

7.

On the File Services page, click Next.

8.

On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next.

9.

On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.

10. On the Confirm Installation Selections page, click Install. 11. On the Installation Results page, click Close. 12. Close Server Manager. Results: At the end of this exercise, you will have installed the required role services on both servers.

L11-88


Exercise 2: Configuring the Required Namespace f Task 1: Use the New Namespace Wizard to create the BranchDocs namespace 1.

Switch to NYC-SVR1.

2.

Click Start, point to Administrative Tools, and then click DFS Management.

3.

In the navigation pane, click Namespaces.

4.

Right-click Namespaces and then click New Namespace. The New Namespace Wizard starts.

5.

On the Namespace Server page, under Server, type NYC-SVR1 and then click Next.

6.

On the Namespace Name and Settings page, under Name, type BranchDocs and then click Next.

7.

On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Contoso.com\BranchDocs.

8.

Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click Next.

9.

On the Review Settings and Create Namespace page, click Create.

10. On the Confirmation page, ensure that the Create namespace task is successful and then click Close. 11. In the navigation pane, under Namespaces, click \\Contoso.com\BranchDocs. 12. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\BranchDocs.

f Task 2: Enable access-based enumeration for the BranchDocs namespace 1.

In the navigation pane, under Namespaces, right-click \\Contoso.com\BranchDocs and then click Properties.

2.

In the \\Contoso.com\BranchDocs Properties dialog box, click the Advanced tab.

3.

On the Advanced tab, select the check box next to Enable access-based enumeration for this namespace and then click OK.

f Task 3: Add the ResearchTemplates folder to the BranchDocs namespace 1.

In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.

2.

In the New Folder dialog box, under Name, type ResearchTemplates.

3.

In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.

4.

In the Add Folder Target dialog box, type \\NYC-DC1\ResearchTemplates and then click OK.

5.

In the Warning dialog box, click Yes.

6.

In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\ResearchTemplates.

7.

Click All users have read and write permissions and then click OK.

8.


9.

Click OK again to close the New Folder dialog box.


L11-89

f Task 4: Add the DataFiles folder to the BranchDocs namespace 1.

In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.

2.

In the New Folder dialog box, under Name, type DataFiles.

3.

In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.

4.

In the Add Folder Target dialog box, type \\NYC-SVR1\DataFiles and then click OK.

5.


6.

In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\DataFiles.

7.

Click All users have read and write permissions and then click OK. The permissions will be configured later.

8.


9.

Click OK again to close the New Folder dialog box.

f Task 5: Verify the BranchDocs namespace 1.

On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\BranchDocs. Press ENTER.

2.

In the BranchDocs window, verify that both ResearchTemplates and DataFiles are visible.

3.

Close the BranchDocs window.

Results: At the end of this exercise, you will have created and verified the DFS namespace.

L11-90


Exercise 3: Configuring DFS Replication f Task 1: Create another Folder Target for DataFiles 1.

In DFS Management, expand Contoso.com\BranchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target.

2.

Right-click DataFiles and then click Add Folder Target.

3.

In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\DataFiles and then click OK.

4.

In the Warning dialog box, click Yes to create the shared folder on NYC-DC1.

5.

In the Create Share dialog box, under Local path of shared folder, type C:\BranchDocs\DataFiles.

6.

In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions and then click OK.

7.

In the Warning dialog box, click Yes to create the folder on NYC-DC1.

8.

In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

f Task 2: Configure Replication for the namespace 1.

In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated Folder Name page, accept the default settings and then click Next.

2.

On the Replication Eligibility page, click Next.

3.

On the Primary Member page, select NYC-SVR1 and then click Next.

4.

On the Topology Selection page, select No topology and then click Next.

5.

In the Warning dialog box, click OK.

6.

On the Review Settings and Create Replication Group page, click Create.

7.

On the Confirmation page, click Close.

8.

In the Replication Delay dialog box, click OK.

9.

In the DFS Management console, expand Replication and then click contoso.com\BranchDocs\DataFiles.

10. In the action pane, click New Topology. 11. In the New Topology Wizard, on the Topology Selection page, click Full mesh and then click Next. 12. On the Replication Group Schedule and Bandwidth page, click Next. 13. On the Review Settings and Create Topology page, click Create. 14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK. 15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1. 16. On the Memberships tab, right-click NYC-DC1 and then click Make read-only. This setting will automatically configure the replicated copy to be read-only. Results: At the end of this exercise, you will have successfully configured DFS replication.


f Preparing for the next lab When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.


2.


3.


4.


L11-91

L11-92

Lab B: Implementing BranchCache Exercise 1: Performing Initial Configuration Tasks for BranchCache f Task 1: Configure NYC-DC1 to use BranchCache 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and then click Server Manager.

3.


4.

In the details pane, click Add Roles and then click Next.

5.

In the Add Roles Wizard, on the Select Server Roles page, select the File Services check box and then click Next.

6.

On the File Services page, click Next.

7.

On the Select Role Services page, in the Role services list, select the BranchCache for network files check box and then click Next.

8.


9.


10. Close Server Manager. 11. Click Start, and in the Search box, type gpedit.msc and then press ENTER. 12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server. 13. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache and then click Edit. 14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.

f Task 2: Simulate slow link to the branch office 1.

In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.

2.

On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100, and then click Next.

3.

On the This QoS policy applies to page, click Next.

4.

On the Specify the source and destination IP addresses page, click Next.

5.

On the Specify the protocol and port numbers page, click Finish.

6.


f Task 3: Enable a file share for BranchCache 1.


2.

In the Computer window, browse to Local Disk (C:).


L11-93

3.

On the menu, click New Folder.

4.

Type Share and then press ENTER

5.

Right-click Share and then click Properties.

6.

On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.

7.

Select the Share this folder check box and then click Caching.

8.

In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.

9.

In the Advanced Sharing dialog box, click OK.

10. In the Share Properties dialog box, click Close. 11. Click Start, point to All Programs, click Accessories, and then click Command Prompt. 12. At the command prompt window, type the following command and then press ENTER: Copy C:\windows\system32\mspaint.exe c:\share

13. Close the command prompt. 14. Close Windows Explorer.

f Task 4: Configure client firewall rules for BranchCache 1.

Click Start, point to Administrative Tools, and then click Group Policy Management.

2.

In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then click Edit.

3.

In the navigation pane of the Group Policy Management Editor console, under Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.

4.

In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security and then click Inbound Rules.

5.

On the Action menu of the Group Policy Management Editor console, click New Rule.

6.

On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache – Content Retrieval (Uses HTTP), and then click Next.

7.

On the Predefined Rules page, click Next.

8.

On the Action page, click Finish to create the firewall inbound rule.

9.

Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.

10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache – Peer Discovery (Uses WSD), and then click Next. 11. On the Predefined Rules page, click Next. 12. On the Action page, click Finish. Results: At the end of this exercise, you will have prepared the network environment for BranchCache.

L11-94


Exercise 2: Configuring BranchCache Clients f Task 1: Configure clients to use BranchCache in hosted cache mode 1.

In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.

2.

In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click Edit.

3.

In the Turn on BranchCache dialog box, click Enabled and then click OK.

4.

In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode and then click Edit.

5.

In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted Cache box, type NYC-SVR1.contoso.com, and then click OK.

6.

In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files and then click Edit.

7.

In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required.

8.

Close the Group Policy Management Editor console.

9.

Close the Group Policy Management console.

10. Start 6421B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 11. Click Start, point to All Programs, click Accessories, and then click Command Prompt. 12. At the command prompt window, type the following command and then press ENTER: gpupdate /force

13. At the command prompt window, type the following command and then press ENTER: netsh branchcache show status all

14. Start 6421B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 15. Click Start, and in the Search box, type Network and Sharing and then press ENTER. 16. In Network Connections, click Change adapter settings. 17. Right-click Local Area Connection 3 and then click Properties. 18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). 19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.


20. Click Obtain DNS server address automatically and then click OK. 21. In the Local Area Connection 3 Properties dialog box, click OK. 22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd. 23. Click Start, point to All Programs, click Accessories, and then click Command prompt. 24. At the command prompt window, type the following command and then press ENTER: gpupdate /force

25. At the command prompt window, type the following command and then press ENTER: netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

L11-95

L11-96


Exercise 3 Configuring BranchCache on the Branch Server f Task 1: Install the BranchCache feature on NYC-SVR1 1.

Start 6421B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

2.

Click Start, point to Administrative Tools, and then click Server Manager.

3.

In the navigation pane of the Server Manager console, right-click Features and then click Add Features.

4.

On the Select Features page of the Add Features Wizard, select the BranchCache check box and then click Next.

5.


6.


7.


f Task 2: Request a certificate and link it to BranchCache 1.

On the Start menu of NYC-SVR1, click Run.

2.

In the Open box of the Run dialog box, type mmc and then click OK.

3.

On the File menu of the Console1 – [Console Root] console, click Add/Remove Snap-ins.

4.

In the Available snap-ins area of the Add or Remove Snap-ins dialog box, click Certificates and then click Add.

5.

In the This snap-in will always manage certificates for page of the Certificates Snap-in Wizard, click Computer account and then click Next.

6.

On the Select the computer you want this snap-in to manage page, click Finish.

7.

In the Add or Remove Snap-ins dialog box, click OK.

8.

In the navigation pane of the Console1 – [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.

9.

On the Before You Begin page of the Certificate Enrollment Wizard, click Next.

10. On the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, select the Computer check box and then click Enroll. 12. On the Certificate Installation Results page, click Finish. 13. In the navigation pane of the Console1 – [Console Root] console, under Personal, click Certificates. 14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com and then click Open. 15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK. 16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.


L11-97

17. At the command prompt window, type the following command and then press Enter. You can paste the certificatehashvalue from the certificate, but you must remove the spaces. netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

18. At the command prompt, type the following command and then press ENTER: netsh branchcache show status all

f Task 3: Start the BranchCache Host Server 1.

Switch to NYC-DC1.

2.

Click Start, point to Administrative Tools, and click Active Directory Users and Computers.

3.

Right-click Contoso.com, point to New, and click Organizational Unit.

4.

In the New Object - Organization Unit window, type BranchCacheHost and then click OK.

5.

Click the Computers container.

6.

Click NYC-SVR1 and drag it to BranchCacheHost.

7.

Click Yes to clear the warning about moving objects.

8.

Close Active Directory Users and Computers.

9.

Click Start, point to Administrative Tools, and click Group Policy Management.

10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance. 11. On NYC-DC1, close all open windows. 12. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd. 13. On NYC-SVR1, open a command prompt, type the following command, and then press ENTER: netsh branchcache set service hostedserver

14. Close the command prompt. Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

L11-98


Exercise 4: Monitoring BranchCache f Task 1: Configure Performance Monitor on NYC-SVR1 1.

Click Start, and in the Search box, type Performance and then press ENTER.

2.

In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

3.

In the Performance Monitor result pane, click the Delete (Delete Key) icon.

4.

In the Performance Monitor result pane, click the Add (Ctrl+N) icon.

5.

In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.

6.

Change graph type to Report.

f Task 2: View Performance statistics on NYC-CL1 1.

Switch to NYC-CL1.

2.

On the Start menu, in the Search programs and files box, type Performance and then press ENTER.

3.


4.


5.


6.


7.

Change graph type to Report. Notice that the value of all performance statistics is zero.

f Task 3: View performance statistics on NYC-CL2 1.

Switch to NYC-CL2.

2.

On the Start menu, in the Search programs and files box, type Performance and then press ENTER.

3.


4.


5.


6.


7.

Change graph type to Report. Notice that the value for all performance statistics is zero.

f Task 4: Test BranchCache in hosted caching mode 1.

Switch to NYC-CL1.

2.

Click Start, and in the Search box, type \\NYC-DC1.contoso.com\Share and then press ENTER.

3.

In the Name list of the Share window, right-click mspaint.exe and then click Copy.

4.

In the Share window, click Minimize.


L11-99

5.

In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.

6.

On the desktop, right-click anywhere and then click Paste.

7.

Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served)

8.

On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYC-DC1.contoso.com\Share and then press ENTER.

9.

In the Name list of the Share window, right-click mspaint.exe and then click Copy.

10. In the Share window, click Minimize. 11. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize. 12. On the desktop, right-click anywhere and then click Paste. 13. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache). 14. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made). Results: At the end of this exercise, you will have verified the function of BranchCache.

f Prepare for the next module When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps: 1.


2.


3.


4.

Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-CL1 and 6421B-NYC-CL2.

L12-101

Module 12: Controlling and Monitoring Network Storage

Lab: Controlling and Monitoring Network Storage Exercise 1: Configuring FSRM Quotas X Task 1: Create the Home share 1.

On NYC-SVR1, click Start, type cmd, and press ENTER.

2.

At the command prompt, type md C:\Home and press ENTER.

3.

At the command prompt, type net share Home=C:\Home /grant:everyone,full and press ENTER.

4.


X Task 2: Install FSRM 1.

On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.

2.

In Server Manager, in the left pane, expand Roles, click File Services, and then click Add Role Services.

3.

In the Add Role Services window, select the File Server Resource Manager check box and click Next.

4.

On the Configure Storage Usage Monitoring page, click Next.

5.


6.


X Task 3: Create a quota template for home folders 1.

On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.

2.

In File Server Resource Manager, expand Quota Management and click Quota Templates.

3.

In the Actions pane, click Create Quota Template.

4.

In the Create Quota Template window, in the Template name box, type Home Folders.

5.

In the Description box, type Template for user home folders.

6.

In the Space limit area, in the Limit box, type 500.

7.

Verify that Hard quota: Do not allow users to exceed limit is selected.

8.

In the Notification thresholds area, click Add.

9.

In the Add Threshold window, in the Generate notifications when usage reaches (%) box, type 75.

10. On the E-mail Message tab, select the Send e-mail to the user who exceeded the threshold check box. 11. Click the Event log tab and click Yes in the warning window. 12. On the Event Log tab, select the Send warning to event log check box. 13. Click OK and click Yes to close the warning window.

L12-102


14. Click OK to close the Create Quota Template window.

X Task 4: Configure an SMTP server for FSRM notifications 1.

In File Server Resource Manager, right-click File Server Resource Manager (Local) and click Configure Options.

2.

In the File Server Resource Manager Options window, on the Email Notifications tab, in the SMTP server name or IP address box, type mail.contoso.com.

3.

In the Default administrator recipients box, type [email protected] and click OK.

X Task 5: Configure quotas on Home share folders 1.

In File Server Resource Manager, click Quotas.

2.

In the Actions pane, click Create Quota.

3.

In the Create Quota window, in the Quota path box, type C:\Home.

4.

Click Auto apply template and create quotas on existing and new subfolders.

5.

In the Quota properties area, click Derive properties form this quota template (recommended) and select Home Folders.

6.

Click Create.

7.

Close File Server Resource Manager.

X Task 6: Create a home folder for a user 1.

On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.

2.

In Active Directory Users and Computers, expand Contoso.com and click Marketing.

3.

Right-click Adam Carter and click Properties.

4.

In the Adam Carter Properties window, on the Profile tab, in the Home folder area, click Connect, select H:, and type \\NYC-SVR1\Home\Adam.

5.

Click OK to save the changes.

6.

Close Active Directory Users and Computers.

X Task 7: Verify that the quota is applied 1.


2.

Click Start and click Computer.

3.

Verify that H: is mapped to \\NYC-SVR1\Home\Adam.

4.

Right-click Adam (\\NYC-SVR1\Home) (H:) and click Properties.

5.

In the Adam (\\NYC-SVR1\Home) (H:) Properties window, read the size of H: and notice that it corresponds to the size of the quota that has been assigned.

6.


Results: After this exercise, you will have created and applied quotas to home folders.


L12-103

Exercise 2: Configuring File Screening X Task 1: Add AUDX files to a file group 1.


2.

In File Server Resource Manager, expand File Screening Management and click File Groups.

3.

Right-click Audio and Video Files and click Edit File Group Properties.

4.

In the File Group Properties For Audio And Video Files window, in the Files to include box, type *.audx and click Add.

5.

Click OK to close the File Group Properties For Audio And Video Files window.

X Task 2: Create a file screen template 1.

On NYC-SVR1, in File Server Resource Manager, click File Screen Templates.

2.

In the Actions pane, click Create File Screen Template.

3.

In the Create File Screen Template window, on the Settings tab, in the Template name box, type Home Folder Media.

4.

If necessary, click Active Screening: Do not allow users to save unauthorized files.

5.

In the File groups area, select the Audio and Video Files check box and the Image Files check box.

6.

On the Event log tab, select the Send warning to event log check box and then click OK.

X Task 3: Configure a file screen for C:\Home 1.

On NYC-SVR1, in File Server Resource Manager, click File Screens.

2.

In the Actions pane, click Create File Screen.

3.

In the Create File Screen window, in the File screen path box, type C:\Home.

4.

If necessary, click Derive properties from this file screen template (recommended) and select Home Folder Media.

5.

Click Create.

6.

Close File Server Resource Manager.

X Task 4: Verify that the file screen is applied 1.


2.

Click Start and click Computer.

3.

In the left pane, under Libraries, click Videos and then double-click Sample Videos.

4.

Right-click Wildlife and click Copy.

5.

Browse to H:\, right-click an open area, and click Paste.

6.

In the Destination Folder Access Denied window, click Cancel.

7.


Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.

L12-104


Exercise 3: Configuring File Classification and File Management X Task 1: Create a classification property for official documents 1.


2.

In File Server Resource Manager, expand Classification Management and click Classification Properties.

3.

In the Actions pane, click Create Property.

4.

In the Create Classification Property Definition window, in the Property name box, type Official Document.

5.

In the Description box, type Official document that is available in the web archive.

6.

In the Property type box, select Yes/No and then click OK.

X Task 2: Create a classification rule for official documents 1.

In File Server Resource Manager, click Classification Rules.

2.

In the Actions pane, click Create a New Rule.

3.

In the Classification Rule Definitions window, on the Rule Settings tab, in the Rule name box, type Official Documents.

4.

In the Scope area, click Add.

5.

In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.

6.

In the Classification Rule Definitions window, on the Classification tab, in the Classification mechanism area, select Content Classifier.

7.

In the Property name area, select Official Document.

8.

In the Property value area, select Yes and then click Advanced.

9.

In the Additional Rule Parameters window, on the Additional Classification Parameters tab, in the Name box, type RegularExpression.

10. In the Value box, type Document#\d\d\d\d-\d\d\d and then click OK. 11. Click OK to close the Classification Rule Definitions window.

X Task 3: Create a file management task to expire official documents 1.

In File Server Resource Manager, click File Management Tasks.

2.

In the Actions page, click Create File Management Task.

3.

In the Create File Management Task window, on the General tab, in the Task name box, type Remove Official Documents.

4.

In the Scope area, click Add.

5.

In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.

6.

In the Create File Management Task window, on the Action tab, in the Type box, select File expiration.

7.

To the right of the Expiration Directory box, click the Browse button.


L12-105

8.

In the Browse For Folder window, click Local Disk (C:), click Make New Folder, type Expired Documents, press ENTER, and click OK.

9.

In the Create File Management Task window, on the Condition tab, in the Property conditions area, click Add.

10. In the Property Condition window, in the Property box, select Official Document. 11. In the Operator box, select Equal. 12. In the Value box, select Yes and click OK. 13. In the Create File Management Task window, on the Schedule tab, click Create. 14. In the Schedule window, click New. 15. In the Schedule Task box, select Weekly. 16. In the Start time box, type 9:00 PM. 17. In the Schedule Task Weekly area, select only the Sun check box and then click OK. 18. Click OK to close the Create File Management Task window.

X Task 4: Verify that official documents are expired 1.


2.

Click Start, click Computer, and browse to H:\.

3.

In Windows Explorer, right-click an empty area, point to New, and click Microsoft Office Word Document.

4.

Type Test Document and press ENTER.

5.

Double-click Test Document, click OK to close the Microsoft Office Word window, and then click OK to set the user name.

6.

In Microsoft Word, type Document#2011-001 and press ENTER.

7.

Click the Save button and close Microsoft Word. If the document is open in Word, then FSRM is not able to expire the document.

8.

On NYC-SVR1, in File Server Resource Manager, click Classification Rules.

9.

In the Actions pane, click Run Classification With All Rules Now.

10. In the Run Classification window, click Wait for classification to complete execution and click OK. 11. Review the Automatic Classification Report in Internet Explorer and verify that one Official Document was found. 12. Close Internet Explorer. 13. In File Server Resource Manager, click File Management Tasks, right-click Remove Official Documents, and click Run File Management Task Now. 14. In the Run File Management Task window, click Wait for the task to complete execution and click OK. 15. Review the File Management Task Report and verify that one file was expired. 16. Click Start, click Computer, and browse to C:\Expired Documents\NYC-SVR1.Contoso.com \Remove Official Documents_datetime\c$\Home\Adam.

L12-106


17. Review the list of expired files and verify that Test Document.docx is there. 18. Close all open windows. Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.



2.


3.


4.


L13-107

Module 13: Recovering Network Data and Servers

Lab: Recovering Network Data and Servers Exercise 1: Configuring Shadow Copies X Task 1: Configure shadow copies on NYC-SVR1 1.

On NYC-SVR1, click Start and click Computer.

2.

Right-click Local Disk (C:) and click Configure Shadow Copies.

3.

In the Shadow Copies window, click C:\ and then click Enable.

4.

In the Enable Shadow Copies window, click Yes.

5.

In the Shadow Copies window, click Settings.

6.

In the Settings window, click Schedule.

7.

In the C:\ window, click Delete twice to remove the default schedule.

8.

Click New and then click Advanced.

9.

In the Advanced Schedule Options window, select the Repeat task check box.

10. In the Every box, type 1 and select hours. 11. In the Duration box, type 24 hours. 12. Click OK to close the Advanced Schedule Options window. 13. Click OK to close the C:\ window. 14. Click OK to close the Settings window. 15. Click OK to close the Shadow Copies window.

X Task 2: Create a file share 1.

On NYC-SVR1, in Windows Explorer, browse to C:\ and click New folder.

2.

Type Marketing and press ENTER to rename the folder.

3.

Right-click Marketing, point to Share with, and click Specific people.

4.

In the File Sharing window, type Marketing and click Add.

5.

With Marketing selected, in the Permission Level column, select Read/Write.

6.

Click Share.

7.

Take note of the share path and click Done.

L13-108


X Task 3: Create multiple shadow copies of a file 1.


2.

Click Start, type \\NYC-SVR1\Marketing, and press ENTER.

3.

In Windows Explorer, in an open area, right-click, point to New, and click Microsoft Office Word Document.

4.

Type Budget Planning and press ENTER to rename the document.

5.

Double-click Budget Planning and click OK to close the error message.

6.

In the User Name box, click OK.

7.

In Microsoft Word, type the following items in a bulleted list: •

2011 - $1,000

•

2012 - $1,100

•

2013 - $1,200

8.

Click the Save button.

9.

On NYC-SVR1, in Windows Explorer, right-click Local Disk (C:) and click Configure Shadow Copies.

10. In the Shadow Copies window, with C:\ selected, click Create Now. 11. On NYC-CL1, add the following bullets to the document: •

2014 - $1,500

•

2015 - $2,000

12. Click the Save button and close Microsoft Word. 13. On NYC-SVR1, in the Shadow Copies window, click Create Now. 14. Click OK to close the Shadow Copies window and close Windows Explorer. 15. On NYC-CL1, right-click Budget Planning and click Delete. 16. In the Delete File window, click Yes.

X Task 4: Recover a deleted file from a shadow copy 1.

On NYC-CL1, in Windows Explorer, right-click an open area and click Properties.

2.

In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the second most recent folder version of Marketing.

3.

In the newly opened window, double-click Budget Planning.

4.

Verify that this is not the correct version of Budget Planning, close Word, and close the window containing Budget Planning.

5.

In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the most recent folder version of Marketing.

6.

In the newly opened window, double-click Budget Planning.


L13-109

7.

Verify that this is the correct version of Budget Planning, close Word, and close the window containing Budget Planning.

8.

In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, with the most recent folder version of Marketing selected, click Restore.

9.

In the warning window, click Restore.

10. Click OK to clear the success message. 11. Click OK to close the Marketing (\\NYC-SVR1) Properties window. 12. In Windows Explorer, double-click Budget Planning to view the restored file. 13. Close all open windows. Results: At the end of this exercise, you will have enabled shadow copies for the Marketing file server.

L13-110


Exercise 2: Configuring a Scheduled Backup X Task 1: Install the Windows Server Backup feature 1.

On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.

2.

In Server Manager, click Features and click Add Features.

3.

In the Add Features Wizard, expand Windows Server Backup Features.

4.

Under Windows Server Backup Features, select the Windows Server Backup and Command-line Tools check boxes.

5.

Click Next and then click Install.

6.

On the Results page, click Close.

7.


X Task 2: Create a scheduled backup 1.

On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Backup.

2.

In Windows Server Backup, in the Actions pane, click Backup Schedule.

3.

In the Backup Schedule Wizard, click Next.

4.

On the Select Backup Configuration page, click Full server and then click Next.

5.

On the Specify Backup Time page, click Once a day, select 11:00 PM, and click Next.

6.

On the Specify Destination Type page, click Back up to a hard disk that is dedicated for backups (recommended) and click Next.

7.

On the Select Destination Disk page, click Show All Available Disks, select the Disk 1 check box, and click OK.

8.

Select the Disk 1 check box and click Next.

9.

Click OK to remove D: from the backup.

10. Click Yes to confirm that data on D: will be removed. 11. On the Confirmation page, click Finish. 12. On the Summary page, click Close.

X Task 3: Verify that two backups fit on the destination disk 1.

On NYC-SVR1, in Windows Server Backup, read the information in the Destination usage area. There is approximately 32 GB of total disk space and 0 GB used.

2.

In the Actions pane, click Backup Once.

3.

On the Backup Options page, click Scheduled Backup options and click Next.

4.

On the Confirmation page, click Backup.

5.

Wait while the backup completes. This will take about five minutes.

6.

When the backup is complete, click Close.

7.

Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.


8.

In the Actions pane, click Backup Once.

9.

On the Backup Options page, click Scheduled Backup options and click Next.

L13-111

10. On the Confirmation page, click Backup. 11. Wait while the backup completes. This will take about one minute. 12. When the backup is complete, click Close. 13. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.

X Task 4: Perform a test restore of a file 1.

On NYC-SVR1, in Windows Server Backup, in the Actions pane, click Recover.

2.

On the Getting Started page, click This server (NYC-SVR1) and click Next.

3.

On the Select Backup Date page, select today’s date and the most recent time, and then click Next.

4.

On the Select Recovery Type page, click Files and folders and click Next.

5.

On the Select Items to Recover page, browse to C:\Marketing, click Budget Planning.docx, and click Next.

6.

On the Specify Recovery Options page, review the default options and click Next.

7.

On the Confirmation page, click Recover.

8.

After the recovery is complete, click Close.

9.

Close Windows Server Backup.

10. Click Start and click Computer. 11. In Windows Explorer, browse to C:\Marketing and verify that the file is restored. 12. Close Windows Explorer. Results: At the end of this exercise, you will have configured a scheduled backup and tested backup functionality.



2.


3.


4.


L14-113

Module 14: Monitoring Windows Server 2008 Network Infrastructure Servers

Lab: Monitoring Windows Server 2008 Network Infrastructure Servers Exercise 1: Establishing a Performance Baseline X Task 1: Create a Data Collector Set 1.


2.

Click Start, point to Administrative Tools, and then click Performance Monitor.

3.

In Performance Monitor, in the navigation pane, expand Data Collector Sets and then click User Defined.

4.

Right-click User Defined, point to New, and then click Data Collector Set.

5.

In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Performance.

6.

Click Create manually (Advanced) and then click Next.

7.

On the What type of data do you want to include? page, select the Performance counter check box and then click Next.

8.

On the Which performance counters would you like to log? page, click Add.

9.

In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.

10. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>. 11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>. 12. Click Avg. Disk Queue Length and then click Add >>. 13. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>. 14. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK. 15. On the Which performance counters would you like to log? page, in the Sample interval box, type 1 and then click Next. 16. On the Where would you like the data to be saved? page, click Next. 17. On the Create the data collector set? page, click Save and close and then click Finish.

X Task 2: Start the Data Collector Set •

In Performance Monitor, in the Results pane, right-click NYC-SVR1 Performance and then click Start.

L14-114


X Task 3: Create workload on the server 1.


2.

At the command prompt, type the following command and press ENTER: Fsutil file createnew bigfile 104857600

3.

At the command prompt, type the following command and press ENTER: Copy bigfile \\nyc-dc1\c$

4.

At the command prompt, type the following command and press ENTER: Copy \\nyc-dc1\c$\bigfile bigfile2

5.

At the command prompt, type the following command and press ENTER: Del bigfile*.*

6.

At the command prompt, type the following command and press ENTER: Del \\nyc-dc1\c$\bigfile*.*

7.

Do not close the command prompt.

X Task 4: Analyze collected data 1.


2.

In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.

3.


4.

On the toolbar, click View Log Data.

5.

In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Add.

6.

In the Select Log File dialog box, double-click Admin.

7.

Double-click NYC-SVR1 Performance, double-click the NYC-SVR1_date-000001 folder, and then double-click DataCollector01.blg.

8.

Click the Data tab and then click Add.

9.

In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

10. Expand Network Interface, click Bytes Total/sec, and then click Add >>. 11. Expand PhysicalDisk, click %Disk Time, and then click Add >>. 12. Click Avg. Disk Queue Length and then click Add >>. 13. Expand Processor, click %Processor Time, and then click Add >>.


14. Expand System, click Processor Queue Length, click Add >>, and then click OK. 15. In the Performance Monitor Properties dialog box, click OK. 16. On the toolbar, click the down arrow and then click Report. 17. Record the values listed in the report for analysis later. Results: After this exercise, you should have established a baseline.

L14-115

L14-116


Exercise 2: Identifying the Source of a Performance Problem X Task 1: Load a new program on the server 1.

On NYC-SVR1, switch to the command prompt.

2.

At the command prompt, type the following command and press ENTER: C:

3.

At the command prompt, type the following command and press ENTER: Cd\Labfiles

X Task 2: Configure the load on the server •

At the command prompt, type the following command and press ENTER: StressTool 95

X Task 3: Start the data collector set again 1.


2.

In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR1 Performance, and then click Start.

3.

Wait for one minute to allow data to be captured.

X Task 4: Stop the running program 1.

After one minute, switch to the command prompt.

2.

Press Ctrl+C.

3.


X Task 5: View performance data 1.


2.

In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.

3.


4.

On the toolbar, click View log data.

5.

In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Remove.

6.

Click Add.

7.

In the Select Log File dialog box, click Up One Level.

8.

Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.

9.

Click the Data tab and then click OK. Note If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.


X Task 6: Analyze results and draw a conclusion Question: Compared with your previous report, which values have changed? Answer: Memory and disk activity are reduced; however, processor activity has increased significantly. Question: What would you recommend? Answer: Continue to monitor the server to ensure that the processor workload does not reach capacity. Results: After this exercise, you should have identified a potential bottleneck.

L14-117

L14-118


Exercise 3: Centralizing Events Logs X Task 1: Configure the source computer 1.


2.

At the command prompt, type the following command and then press ENTER: winrm quickconfig

3.

When prompted, type Y and press ENTER.

4.

Click Start, right-click Computer, and then click Manage.

5.

In Server Manager, in the navigation pane, expand Configuration, expand Local Users and Groups, and then click Groups.

6.

In the results pane, double-click Administrators.

7.

Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.

8.

In the Object Types dialog box, select the Computers check box, and then click OK.

9.

In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type nyc-dc1 and then click OK.

10. In the Administrators Properties dialog box, click OK.

X Task 2: Configure the collector computer 1.

Switch to NYC-DC1.

2.


3.

At the command prompt, type the following command and then press ENTER: Wecutil qc

4.

When prompted, type Y and press ENTER.

X Task 3: Create a subscribed log 1.

Click Start, point to Administrative Tools, and then click Event Viewer.

2.

In the Event Viewer, in the navigation pane, click Subscriptions.

3.

Right-click Subscriptions and then click Create Subscription.

4.

In the Subscription Properties dialog box, in the Subscription name box, type NYC-SVR1 Events.

5.

Click Collector Initiated and then click Select Computers.

6.

In the Computers dialog box, click Add Domain Computers.

7.

In the Select Computer dialog box, in the Enter the object name to select box, type NYC-SVR1 and then click OK.

8.

In the Computers dialog box, click OK.

9.

In the Subscription Properties – NYC-SVR1 Events dialog box, click Select Events.


L14-119

10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes. 11. In the Logged list, click Last 7 days. 12. In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box and then click OK. 13. In the Subscription Properties – NYC-SVR1 Events dialog box, click OK.

X Task 4: Create a data collector set with an alert counter 1.


2.

In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.

3.

Right-click User Defined, point to New, and then click Data Collector Set.

4.

In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Alert.

5.

Click Create manually (Advanced) and then click Next.

6.

On the What type of data do you want to include? page, click Performance Counter Alert and then click Next.

7.

On the Which performance counters would you like to monitor? page, click Add.

8.

In the Available counters list, expand Processor, click %Processor Time, click Add >>, and then click OK.

9.

On the Which performance counters would you like to monitor? page, in the Alert when list, click Above.

10. In the Limit box, type 10 and then click Next. 11. On the Create the data collector set? page, click Finish. 12. In the navigation pane, expand the User Defined node, and then click NYC-SVR1 Alert. 13. In the Results pane, right-click DataCollector01 and then click Properties. 14. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1 and then click the Alert Action tab. 15. Select the Log an entry in the application event log check box and then click OK. 16. In the navigation pane, right-click NYC-SVR1 Alert and then click Start. 17. Click Start, and then in the Search box, type cmd.exe and press ENTER. 18. At the command prompt, type the following command and press ENTER: C:

19. At the command prompt, type the following command and press ENTER: Cd\Labfiles

20. At the command prompt, type the following command and press ENTER: StressTool 95

L14-120


21. Wait for one minute to allow for alerts to be generated. 22. Press Ctrl+C. 23. Close the command prompt.

X Task 5: Check the subscribed log for performance-related alerts 1.

Switch to NYC-DC1.

2.

In Event Viewer, in the navigation pane, expand Windows Logs.

3.

Click Forwarded Events. Question: Are there any performance-related alerts? Answer: Answers may vary, but there should be some events that relate to the imposed workload on NYC-SVR1.

Results: At the end of this exercise, you will have centralized event logs.



2.


3.


4.


End of File

Configuring and Troubleshooting a Windows Server ... - CREDIS

Configuring and Troubleshooting a Windows Server ... - CREDIS

Suggest Documents

Configuring and Troubleshooting DHCP

Configuring Advanced Windows Server 2012 Services - Pearsoncmg

Configuring Windows Server 2016.pdf - Google Drive

Configuring and Troubleshooting VoIP Monitoring

70-410: Installing and configuring Windows Server 2012

Epub Free 70-410 Installing and Configuring Windows Server 2012 ...

PDF 70-410 Installing and Configuring Windows Server ... - Google Sites

70 410 Installing and Configuring Windows Server ... - Google Sites

Ebook Exam Ref 70-410: Installing and Configuring Windows Server ...

[PDF] Download 70-410 Installing and Configuring Windows Server ...

70 410 Installing and Configuring Windows Server ... - Google Sites

Epub Free Exam 70-410 Installing and Configuring Windows Server ...

PdF 70-410 Installing and Configuring Windows Server ... - Google Sites

70-410 Installing and Configuring Windows Server ... - Google Sites

Download 70-410 Installing and Configuring Windows Server 2012 ...

70-410 installing and configuring windows server 2012 r2 (microsoft ...

70-410 installing and configuring windows server 2012 ... - Google Sites

70 410 Installing and Configuring Windows Server ... - Google Sites

[PDF] Download 70-410 Installing and Configuring Windows Server ...

MS 20410 Installing and Configuring Windows Server 2012

Installing and Configuring Microsoft Windows Server 2012 (70-410)

PDF 70-410 Installing and Configuring Windows Server ... - Google Sites

70-410 installing and configuring windows server 2012 ... - Google Sites

[PDF Download] 70-410 Installing and Configuring Windows Server ...