
OFFICIAL MICROSOFT LEARNING PRODUCT

6421A
Lab Instructions and Answer Key:
Configuring and Troubleshooting a
Windows Server® 2008 Network
Infrastructure
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, BitLocker, ESP, Hyper-V, Internet Explorer, MS-DOS,
Outlook, PowerPoint, SharePoint, SQL Server, Windows, Windows Server and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Stan Reimer

Product Number: 6421A


Part Number: X14-69052

Released: 05/2008
Lab Instructions: Installing and Configuring Servers 1

Module 1
Lab Instructions: Installing and Configuring Servers
Contents:
Exercise 1: Identifying Server Types
Exercise 2: Installing and Configuring Server Roles and Features
Exercise 3: Configuring Server Core and Performing Basic Management Tasks

Lab: Installing and Configuring Servers and Server Roles

Objectives
After completing this lab, you will be able to:
• Describe the appropriate server type needed for a usage scenario
• Install and configure server roles and features
• Configure Server Core and perform basic management tasks

Scenario
You must install two new servers for your corporate infrastructure in the
WoodgroveBank.com domain. The new servers are needed to increase DNS
name-resolution services for a newly acquired company, Contoso.com, and to provide
Terminal Services for some line-of-business applications that will be available to
employees from their desktop computers and from their homes after hours. You
also need to install backup capacity for the Terminal Services server in case it is
necessary for disaster recovery purposes.
For security purposes, the DNS service should be available on only one of the new
servers and will be administered completely through remote management tools
after initial configuration. You need to ensure that the firewall configuration on the
DNS server is correct for the ports required to respond to DNS name-resolution
requests and for remote administration.

Exercise 1: Identifying Server Types


Exercise Overview
In this exercise, you will analyze the scenario and answer the following questions
related to a possible server type and role deployment.

Question: After reading the scenario, which installation type, Core or Standard,
would be suitable for Terminal Services? Why?

Question: Would the Core installation be suitable for the DNS server? If so, are
there any shortcomings to configuring the server to host this role?

Question: What benefits would you realize by using the Core installation option
for the DNS server role?

Question: What roles and features are needed on the servers to meet the given
scenario’s requirements?

Exercise 2: Installing and Configuring Server Roles and Features
In this exercise, you will install the Terminal Services role and Server Backup
feature by using the Server Manager administrative tool.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Ensure that you have completed the steps in the Lab Setup.
3. Start the Server Manager console.
4. From Server Manager, install the Terminal Services role.
5. View the installation results.
6. Install the Server Backup feature from the Server Manager console.
7. Verify the Terminal Services and Windows Server Backup tools are installed.

Task 1: Start the virtual machines, and log on


1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Start the Server Manager console


• On NYC-SVR1, start the Server Manager console.

Task 3: From Server Manager, install the Terminal Services role


1. Install the Terminal Services role using the following options:
• Server Roles: Terminal Services
• Role Services: Terminal Server
• Authentication method: Do not require Network Level Authentication
• Licensing Mode: Configure later
• User Groups: Administrators
2. Restart as required.

Task 4: View the Installation Results


1. Log on to NYC-SVR1 with the user name Woodgrovebank\administrator
and the password Pa$$w0rd.
Upon successful logon, Server Manager opens, and the Terminal Services
configuration resumes.
2. Once complete, Installation succeeded appears in the details pane. Click
Close to exit the Installation Results page. Do not close Server Manager.

Task 5: Install the Server Backup feature from the Server Manager console
1. In the Server Manager list pane, right-click Features, and then click Add
Features. The Add Features Wizard appears.
2. Install the Windows Server Backup Features option.
3. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. Do not close Server Manager.
The Windows Server Backup feature is installed.

Task 6: Verify the Terminal Services and Windows Server Backup tools are installed
1. In the list pane of Server Manager, verify that Server Manager (NYC-SVR1) is
selected.
2. Using the scroll bar in the details pane, scroll down until the Roles Summary
is visible, and verify that Terminal Services is listed.
3. Scroll down to Features Summary, and verify that Windows Server Backup
appears.
4. Close Server Manager.

Exercise 3: Configuring Server Core and Performing Basic Management Tasks
In this exercise, you will configure a Core installation of Windows Server 2008 and
install the DNS server role using command-line tools. You then will connect to the
Core server from a remote Windows Server 2008 computer using a custom MMC
to configure the DNS server role.
The 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines must be running to
complete the exercise. Be sure to start the virtual machines prior to beginning this
exercise.
The main tasks are as follows:
1. Start the 6421A-NYC-SVR2 virtual machine.
2. Log on to the Server Core installation.
3. Use command-line tools to set parameters in the Server Core virtual machine.
4. Connect the server to the WoodgroveBank.com domain.
5. Log on to the Server Core installation.
6. Verify the firewall configuration.
7. Use the netsh command to open ports.
8. View the current status of roles, and install the DNS server role.
9. Manage the server by using DNS Manager from a remote computer.
10. Close all virtual machines, and delete the changes.

Task 1: Start the 6421A-NYC-SVR2 virtual machine


1. Restore the Lab Launcher window.
2. In the Lab Launcher, next to 6421A-NYC-SVR2, click Launch.
3. Minimize the Lab Launcher window.

Task 2: Log on to the Server Core installation


• Log on to NYC-SVR2 as Administrator with a password of Pa$$w0rd.

Task 3: Use command line tools to set parameters in the Server Core virtual machine
• Computername=NYC-DNSSVR2
• IP address=10.10.0.12
• Mask=255.255.0.0
• Gateway=10.10.0.1
• DNS=10.10.0.10
1. To determine the current default assigned computer name, type set in the
command window.
2. Locate the computer name attribute, and write it down.
3. To change the computer name, type the following command, and then press
ENTER:
Netdom renamecomputer NYC-SVR2 /NewName:NYC-DNSSVR2
4. When prompted, type y for yes, and then press ENTER.
5. In the command window, type the following command to set the static IP
address, and then press ENTER:
Netsh interface ipv4 set address name="local area connection" source=static address=10.10.0.12 mask=255.255.0.0 gateway=10.10.0.1
6. In the command window, type the following command to set the primary DNS
server, and then press ENTER:
Netsh interface ip set dns "local area connection" static 10.10.0.10 primary
7. At the command prompt, type ipconfig /all and then press ENTER to verify
the IP address assignment.
8. On the keyboard, press RIGHT-ALT+DELETE.
9. Choose to restart the computer by clicking Shutdown options in the lower
right-hand pane of the window, and then click Restart.
10. In the Shutdown Event Tracker window, click Operating System:
Reconfiguration (Planned), and then click OK. The server restarts.
11. Log on to the server with the user name Administrator and a password of
Pa$$w0rd.

Task 4: Connect the server to the WoodgroveBank.com domain


1. In the command window, type the following command, and then press
ENTER:
netdom join NYC-DNSSVR2 /domain:WoodgroveBank.com /Userd:Administrator /passwordD:*
2. At the command prompt, type the following command, and then press
ENTER:
Pa$$w0rd

Note: Your keystrokes will not be reflected on the screen. You will receive a message
that the command completed successfully and that the computer needs to be
restarted.

3. At the command prompt, press RIGHT-ALT+DELETE, click the Shut down
options icon, and then click Restart. The Shut Down Windows dialog box
appears.
4. In the Option box of the Shut Down Windows dialog box, click Operating
System: Reconfiguration (Planned), and then click OK.

Task 5: Log on to the Server Core installation


• Log on to the server with the user name Administrator and a password of
Pa$$w0rd.

Task 6: Verify the firewall configuration


• Use the netsh command to view the current firewall configuration. Type the
following command in the command window, and then press ENTER:
Netsh firewall show state

Note: Notice that the Firewall status shows that the Operational mode is set to
Enable. This means that the Windows Firewall is enabled but no specific ports have
been opened.

Task 7: Use the Netsh command to open ports


1. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening ALL 53 DNS-server
2. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 135 remote-admin
3. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening UDP 137 netbios-ns
4. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening UDP 138 netbios-dgm
5. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 139 netbios-ssn
6. At the command prompt, type the following command, and then press
ENTER:
netsh firewall add portopening TCP 445 netbios-ns
7. At the command prompt, type the following command, and then press
ENTER:
netsh firewall show config

Note: Notice that in the Service configuration for Domain profile, File and Printer
Sharing and Remote Desktop services are set to enable, and both TCP and UDP port
53 are open for the DNS server.
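
The scenario asks that the firewall on the DNS server expose only the ports needed for name resolution and remote administration. As an added example that is not part of the original lab, the script below parses saved output of netsh firewall show config and reports required ports that are not open, open ports the lab never asked for, and opening names reused for different ports. The sample output is constructed, its column layout is an assumption about the netsh text format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Port openings the lab adds in Task 7; "ALL 53" covers TCP and UDP.
REQUIRED = {
    (53, "TCP"), (53, "UDP"),     # DNS-server
    (135, "TCP"),                 # remote-admin
    (137, "UDP"), (138, "UDP"),   # netbios-ns, netbios-dgm
    (139, "TCP"), (445, "TCP"),   # netbios-ssn; TCP 445 (named netbios-ns in the lab)
}

# Constructed sample, not captured from a real server. The column layout is an
# assumption; the parser accepts rows with or without a direction column.
SAMPLE = """\
Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Remote Desktop

Port configuration for Domain profile:
Port   Protocol  Mode     Traffic direction    Name
-------------------------------------------------------------------
53     UDP       Enable   Inbound              DNS-server
53     TCP       Enable   Inbound              DNS-server
135    TCP       Enable   Inbound              remote-admin
137    UDP       Enable   Inbound              netbios-ns
138    UDP       Disable  Inbound              netbios-dgm
139    TCP       Enable   Inbound              netbios-ssn
445    TCP       Enable   Inbound              netbios-ns
8080   TCP       Enable   Inbound              test-web

Port configuration for Standard profile:
Port   Protocol  Mode     Traffic direction    Name
-------------------------------------------------------------------
53     UDP       Enable   Inbound              DNS-server
53     TCP       Enable   Inbound              DNS-server
"""

PORT_SECTION = re.compile(r"^Port configuration for (\w+) profile:$", re.I)
PORT_ROW = re.compile(
    r"^(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+"
    r"(?:(?:Inbound|Outbound)\s+)?(\S.*)$", re.I)


def parse_port_openings(text):
    """Return {profile: [(port, protocol, enabled, name), ...]}."""
    profiles = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = PORT_SECTION.match(line)
        if section:
            current = section.group(1).capitalize()
        elif line.endswith(":"):
            current = None  # another table (services, programs) starts here
        elif current:
            row = PORT_ROW.match(line)
            if row:
                port, proto, mode, name = row.groups()
                profiles[current].append(
                    (int(port), proto.upper(), mode.lower() == "enable", name))
    return dict(profiles)


def audit(text, profile="Domain", required=REQUIRED):
    """Compare the enabled openings of one profile with the required set."""
    rows = parse_port_openings(text).get(profile, [])
    open_ports = {(port, proto) for port, proto, enabled, _ in rows if enabled}
    ports_by_name = defaultdict(set)
    for port, _, enabled, name in rows:
        if enabled:
            ports_by_name[name.lower()].add(port)
    return {
        # Required by the lab but absent or disabled in this profile.
        "missing": sorted(required - open_ports),
        # Open in this profile although the lab never asked for them.
        "unexpected": sorted(open_ports - required),
        # One label on several port numbers makes later reviews error-prone.
        "reused_names": {n: sorted(p) for n, p in ports_by_name.items()
                         if len(p) > 1},
    }


if __name__ == "__main__":
    for profile_name in ("Domain", "Standard"):
        print(profile_name, audit(SAMPLE, profile_name))
```
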

Task 8: View the current status of roles, and install the DNS server role
1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER:
oclist

Note: Verify that no server roles are installed.

2. Use the Ocsetup.exe and oclist commands to install the DNS server. To do
this, type the following at the command prompt, and then press ENTER:
start /w ocsetup DNS-Server-Core-Role

Note: The server role name is case sensitive.

3. At the command prompt, type the following command, and then press
ENTER:
oclist

Note: Verify that the DNS-Server-Core-Role is installed.



Task 9: Manage the server by using DNS Manager from a remote computer
1. On NYC-DC1, open the DNS Manager console.
2. From the DNS console, connect to NYC-DNSSVR2.
3. Use the DNS console to create a forward lookup zone for Contoso.com:
a. In the Console Root tree pane of the DNS Manager, expand
NYC-DNSSVR2, and then click Forward Lookup Zones.
b. Right-click Forward Lookup Zones, and then click New Zone.
c. Click Next in the Welcome to the New Zone wizard.
d. Click Next in the Zone Type dialog box, using the defaults to create a
Primary zone.
e. In the Zone Name window, type Contoso.com, and then click Next.
f. Click Next to accept the default name for the DNS zone file.
g. In the Dynamic Update window, click Next to accept the defaults.
h. In the Completing the New Zone Wizard dialog box, click Finish to
create the new zone.
i. Close the DNS Manager console.

Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring and Troubleshooting DNS 1

Module 2
Lab Instructions: Configuring and Troubleshooting DNS
Contents:
Exercise 1: Configuring a DNS Infrastructure
Exercise 2: Monitoring and Troubleshooting DNS

Lab: Configuring and Verifying a DNS Solution

Objectives
• Configure a DNS Infrastructure to include a secondary zone, stub zone, and
secure zone transfers
• Monitor DNS

Exercise 1: Configuring a DNS Infrastructure


Scenario
You are the primary DNS administrator for Woodgrove Bank. You have received a
request to create two new DNS zones. The Nwtraders.msft zone is for a division in
the bank that requires its own DNS domain. This division will also have a group of
administrators that administer the zone’s resource records. Contoso is a company
that Woodgrove Bank recently acquired. To begin integration testing, you must
define a DNS domain called contoso.msft and test different zone configurations.
You also need to test the zone to ensure it is resilient to failure.

Exercise Overview:
In this exercise, you will configure the DNS server role on a member server, and
configure the contoso.msft and nwtraders.msft zones. You then will create
secondary zones for each domain and create a stub zone for Nwtraders.msft.
The main tasks are as follows:
1. Start the virtual machines and log on.
2. Configure the DNS Server role on NYC-SVR1.
3. Configure the Contoso.msft zone on NYC-SVR1.
4. Configure the Nwtraders.msft zone on NYC-DC1.
5. Configure zone transfer security.
6. Configure secondary zones for each domain on NYC-SVR1 and NYC-DC1.
7. Configure a stub zone for Nwtraders.msft on NYC-SVR2.
8. Configure administrative options for the Nwtraders.msft domain.

Task 1: Start the virtual machines, and log on


1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the DNS Server role on NYC-SVR1


• On NYC-SVR1, in the Server Manager console, add the DNS Server role.

Task 3: Configure the Contoso.msft zone on NYC-SVR1


1. On NYC-SVR1, open the DNS console (found in Administrative Tools).
2. Create a primary forward lookup zone named Contoso.msft.
3. Use the default options in the New Zone Wizard.

Task 4: Configure the nwtraders.msft zone on NYC-DC1


1. On NYC-DC1, open the DNS console (found in Administrative Tools).
2. Create an Active Directory-integrated primary forward lookup zone named
nwtraders.msft.
3. Use the default options in the New Zone Wizard.

Task 5: Configure zone transfers


1. On NYC-DC1 configure nwtraders.msft to allow zone transfers to NYC-SVR1:
• NYC-SVR1 IP address is 10.10.0.24.
2. On NYC-SVR1 configure contoso.msft to allow zone transfers to NYC-DC1.
• NYC-DC1 IP address is 10.10.0.10.
3. Answer the following question:

Question: Why do you need to configure zone transfers?



Task 6: Configure secondary zones for each domain


1. On NYC-DC1, use the DNS console to configure a secondary forward zone for
Contoso.msft:
• The address of the primary zone server for Contoso.msft is 10.10.0.24.
2. On NYC-SVR1, use the DNS console to configure a secondary forward zone
for nwtraders.msft:
• The address of the primary zone server for nwtraders.com is 10.10.0.10.

Task 7: Configure a stub zone for WoodgroveBank.com


1. On NYC-SVR1, use the DNS console to configure a stub zone for
WoodgroveBank.com:
• The address of the primary zone server for WoodgroveBank.com is
10.10.0.10.
2. Click WoodgroveBank.com and take note of the records listed.
3. On NYC-DC1, in the DNS console, click WoodgroveBank.com, and verify that
there are additional records that are not included in a stub zone.
4. Answer the following question:

Question: Why use a stub zone instead of conditional forwarders?

Task 8: Configure administrative options for the nwtraders.msft domain
1. On NYC-DC1, use the DNS console to add the DL Nwtraders DNS Admins
group to the nwtraders.msft access control list.
2. Grant the Read, Write, Create all Child objects, and Delete all child objects
permissions to the DL Nwtraders DNS Admins group.

Exercise 2: Monitoring and Troubleshooting DNS


Scenario
Some users have complained that they are having trouble resolving domain names.
You have to analyze the DNS infrastructure to ensure that there are no problems.

Exercise Overview
In this exercise, you will perform several tests to ensure the DNS infrastructure is
working properly. You will use several DNS troubleshooting tools to validate DNS
configuration and responses.
The main tasks are as follows:
1. Test simple and recursive queries.
2. Verify SOA records by using Nslookup.
3. Use the Dnslint command to verify name server records.
4. View performance statistics by using the Performance console.
5. Verify DNS replication.
6. Close all virtual machines and discard undo disks.

Task 1: Test simple and recursive queries


• On NYC-DC1, in the DNS console, use the DNS Server Monitoring function to
perform A simple query against this DNS Server.

Task 2: Verify SOA records by using Nslookup


1. On NYC-DC1, open a command prompt, and type nslookup.exe.
2. Configure a query type of SOA (Start of Authority).
3. Look up the SOA resource records for nwtraders.msft and contoso.msft.

Task 3: Use the Dnslint command to verify name server records


1. On NYC-DC1, open a command prompt, and run the dnslint.exe command
for the nwtraders.msft domain on the 10.10.0.10 IP address:
• The dnslint.exe file is located in d:\Labfiles\dnslint.
2. Generate a Dnslint report html file:
• The /s switch specifies that Dnslint will not refer to the Internet for the
specified domain.
• The /d switch specifies the domain to be searched.

Note: Consult the Help documentation if you need guidance.

Task 4: View performance statistics by using the Performance console


1. On NYC-DC1, use the Computer Management console to open Performance
Monitor.
2. Add the A simple query against this DNS Server and A recursive query
against this DNS Server DNS counters.
3. Use the Monitoring feature in the DNS Server properties to generate requests
to the DNS server.
4. Review the data that the requests generate in Performance Monitor. Alternate
between the graph and report views.

Task 5: Verify DNS replication


1. On NYC-DC1, use the DNS console to add an A resource record called Test to
the nwtraders.msft zone. Use the IP address of 10.10.0.15.
2. Verify that the A resource record created on NYC-DC1 has replicated on
NYC-SVR1.
3. If the A resource record does not appear, manually force replication to occur.
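
The SOA lookup from Task 2 can also confirm the replication checked in Task 5: a secondary has caught up when its SOA serial equals the primary's. The following added example (not part of the original lab) parses saved nslookup SOA output taken against 10.10.0.10 and 10.10.0.24 and compares the serials using RFC 1982 serial arithmetic. The captures, host names and serial values are constructed, and the function names are hypothetical.

```python
import re

# Constructed nslookup output ("set type=soa", then the zone name), not a
# real capture. Host names and serial numbers are sample values.
TEMPLATE = """\
Server:  {server}
Address:  {address}

nwtraders.msft
        primary name server = nyc-dc1.woodgrovebank.com
        responsible mail addr = hostmaster.woodgrovebank.com
        serial  = {serial}
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""
PRIMARY = TEMPLATE.format(
    server="nyc-dc1.woodgrovebank.com", address="10.10.0.10", serial=7)
SECONDARY_BEFORE = TEMPLATE.format(
    server="nyc-svr1.woodgrovebank.com", address="10.10.0.24", serial=6)
SECONDARY_AFTER = TEMPLATE.format(
    server="nyc-svr1.woodgrovebank.com", address="10.10.0.24", serial=7)

FIELD = re.compile(
    r"^\s+(primary name server|responsible mail addr|serial|refresh|retry|"
    r"expire|default TTL)\s*=\s*(\S+)")


def parse_soa(text):
    """Return {zone: {field: value}} for every SOA answer in the output."""
    zones, zone = {}, None
    for line in text.splitlines():
        field = FIELD.match(line)
        if field and zone:
            key, value = field.groups()
            zones[zone][key] = int(value) if value.isdigit() else value.lower()
        elif (line and not line[0].isspace() and not line.startswith(">")
              and ":" not in line and "=" not in line):
            # An unindented bare name introduces the answer for that zone.
            zone = line.strip().lower().rstrip(".")
            zones[zone] = {}
    # Drop names that were not followed by a serial (prompts, errors).
    return {z: f for z, f in zones.items() if "serial" in f}


def serial_older(a, b):
    """True if 32-bit serial a is older than b under RFC 1982 arithmetic."""
    return a != b and (b - a) % 2**32 < 2**31


def replication_status(primary_text, secondary_text):
    """Classify each zone on the primary by the state of the secondary."""
    primary, secondary = parse_soa(primary_text), parse_soa(secondary_text)
    report = {}
    for zone, soa in primary.items():
        if zone not in secondary:
            report[zone] = "no SOA on secondary"
        elif secondary[zone]["serial"] == soa["serial"]:
            report[zone] = "in sync"
        elif serial_older(secondary[zone]["serial"], soa["serial"]):
            report[zone] = "secondary behind"   # transfer has not happened yet
        else:
            report[zone] = "secondary ahead of primary"
    return report


if __name__ == "__main__":
    print(replication_status(PRIMARY, SECONDARY_BEFORE))
    print(replication_status(PRIMARY, SECONDARY_AFTER))
```
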

Task 6: Close all virtual machines and discard undo disks

Note: Do not turn off the virtual machines until you have completed the Lab Review
questions.

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring and Managing WINS 1

Module 3
Lab Instructions: Configuring and Managing WINS
Contents:
Exercise 1: Installing WINS
Exercise 2: Configuring WINS Burst Handling
Exercise 3: Configuring WINS Replication
Exercise 4: Migrating from WINS to DNS

Lab: Configuring a WINS Infrastructure

Objectives
• Install WINS
• Configure WINS burst handling
• Configure WINS replication
• Migrate from WINS to DNS

Scenario
You are tasked with installing a second WINS server for the Woodgrovebank
domain for fault tolerance and use as a secondary WINS server resolver for domain
clients. The database consistency and convergence speed are of the utmost
importance. Replication must be set up to make sure records replicate on change
vector or time vector, whichever happens to occur first.

After successfully implementing the secondary WINS server, management
wants you to test the new GlobalNames zone use in Windows Server 2008 DNS
to help retire WINS servers that the Woodgrovebank domain uses. IT staff are
finding the task of maintaining the domain name suffix-search list difficult, and
Woodgrovebank domains still use single-label names for internal web server
names. Install and verify that this new option in DNS will help in decommissioning
the existing WINS servers.

Exercise 1: Installing WINS


Exercise Overview:
In this exercise, you will install the WINS feature on 6421A-NYC-SVR1.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Open the Server Manager console.
3. Install the WINS feature.

Task 1: Start the virtual machines, and log on


1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: On 6421A-NYC-SVR1, launch the Server Manager console


1. Open Administrative Tools.
2. Launch Server Manager.

Result: The Server Manager console opens.



Task 3: From the Server Manager console, install the WINS feature
1. In Server Manager, use the Add Features Wizard to install the WINS feature
on 6421A-NYC-SVR1.
2. On the Installation Results page, verify that the installation succeeded before
closing the wizard.

Result: The WINS feature is installed on 6421A-NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.

Exercise 2: Configuring WINS Burst Handling


Exercise Overview:
In this exercise, you will configure burst handling, create a static record, configure
scavenging intervals, and configure clients to use the WINS servers for NetBIOS
resolution.
The main tasks are as follows:
1. Configure the WINS server for burst handling.
2. Create a static entry in the WINS database.
3. Configure scavenging on the WINS server.
4. Configure NYC-DC1 to use the WINS server for NetBIOS resolution.
5. Test NetBIOS name resolution.

Task 1: Configure the WINS server for burst handling


1. On NYC-SVR1, start the WINS console.
2. Configure Burst Handling with the option of Low.

Task 2: Create a static entry in the WINS database


1. In the WINS console, create a New Static Mapping with the following
properties:
• Computer name of HRWEB
• IP address of 10.10.0.10
2. Use Active Registrations to verify the new static entry exists.

Note: Do not close the WINS console.



Task 3: Configure scavenging on the WINS server to take place once every seven days
• In the WINS Properties dialog box for NYC-SVR1, use the Intervals tab to set
the Extinction timeout value to 7 Days.

Task 4: Configure 6421A-NYC-DC1 to use the WINS server for NetBIOS resolution
1. On NYC-DC1, open Network Connections and open the properties of the
Local Area Connection.
2. In the Local Area Connection Properties dialog box, under This Connection
Uses the Following Items, open the properties of TCP/IPv4.
3. Click Advanced and configure the computer to use the WINS server (IP
address of 10.10.0.24).

Task 5: Test the NetBIOS name resolution capabilities


• On NYC-DC1, in a command window, type ping hrweb.
The name resolution should be successful and resolve to 10.10.0.10.

Exercise 3: Configuring WINS Replication


Exercise Overview:
In this exercise, you will configure the WINS feature on 6421A-NYC-SVR1 and
6421A-NYC-DC1 to be push/pull replication partners to maintain consistency of
WINS records.
The main tasks are as follows:
1. Configure push and pull replication on NYC-DC1.
2. Configure push and pull replication on NYC-SVR1.
3. Verify replication.

Task 1: Configure push and pull replication on NYC-DC1


1. Open WINS from the Administrative Tools menu.
2. In the WINS Administrative Tool window, use Replication Partners to select
a new replication partner with the IP address of 10.10.0.24.
The Replication Partners details pane lists NYC-SVR1 as a Push/Pull partner.

Task 2: Configure push and pull replication on NYC-SVR1


1. Open WINS from the Administrative Tools menu.
2. In the WINS Administrative Tool window, use Replication Partners to select
a new replication partner with the IP address of 10.10.0.10.
The Replication Partners details pane lists NYC-DC1 as a Push/Pull partner.

Task 3: Verify replication


1. On NYC-SVR1, force replication, and then verify that records appear from both
10.10.0.10 and 10.10.0.24 as owners.
2. On NYC-DC1, force replication, and then verify that records appear from both
10.10.0.10 and 10.10.0.24 as owners.

Exercise 4: Migrating from WINS to DNS


Exercise Overview:
In this exercise, you will migrate single-label name resolution from WINS to the
GlobalNames zone in DNS.
The main tasks are as follows:
1. Create a GlobalNames zone, and enable GNZ functionality.
2. Create an Alias record for a single-label name resource.
3. Decommission WINS.
4. Verify GlobalNames single-label name resolution.
5. Close all virtual machines, and discard undo disks.

Task 1: Create a GlobalNames zone, and enable GNZ functionality


1. On NYC-DC1, open the DNS console from the Administrative Tools menu.
2. Create a new forward lookup zone with a name of GlobalNames and a forest-wide
replication scope, and do not allow dynamic updates.
3. Open an administrative command prompt.
4. Type Dnscmd NYC-DC1 /config /Enableglobalnamessupport 1 and then
press ENTER.

Task 2: Create the Alias record for the single-label name resource
1. In the DNS Manager console, create a New Alias (CNAME) record in the
GlobalNames forward lookup zone with an alias name of HRWEB and a
FQDN of NYC-DC1.Woodgrovebank.com.
2. Close the DNS Manager console.

Task 3: Decommission WINS on NYC-DC1 and NYC-SVR1


1. On both NYC-DC1 and NYC-SVR1, launch the Server Manager console from
the Administrative Tools menu.
2. Remove the WINS feature from both NYC-DC1 and NYC-SVR1. Restart as
necessary.

Task 4: Verify GlobalNames single-label name resolution


1. Log on to NYC-DC1 as administrator with the password Pa$$w0rd.
2. Log on to NYC-SVR1 as administrator with the password Pa$$w0rd.
3. Complete the WINS removal as required on both servers.
4. On NYC-DC1, open a command prompt, and then type ping hrweb.
The ping command is successful and resolves to nyc-dc1.woodgrovebank.com.

Task 5: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring and Troubleshooting DHCP 1

Module 4
Lab Instructions: Configuring and Troubleshooting DHCP
Contents:
Exercise 1: Installing and Authorizing the DHCP Server Role
Exercise 2: Configuring a DHCP Scope
Exercise 3: Troubleshooting Common DHCP Issues

Lab: Configuring and Troubleshooting the DHCP Server Role

Exercise 1: Installing and Authorizing the DHCP Server Role


Scenario
You are the Network Administrator at Woodgrove Bank, which recently opened a
new division that needs a DHCP service configured for approximately 200 clients.
You must configure a DHCP server for the new division.

Exercise Overview
In this exercise, you will install the DHCP role and then authorize the server in the
woodgrovebank.com domain.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 Virtual Machines, and log on
as Administrator.
2. Configure the DHCP Server role on NYC-DC1.
3. Authorize the DHCP Server role on NYC-DC1.

Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 Virtual Machines, and log on as Administrator
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the DHCP Server Role on NYC-DC1

• On NYC-DC1, use Server Manager to add the DHCP Server role:
• Bind the DHCP service to the IP: 10.10.0.10.
• Use default values for all steps except Disable DHCPv6 for Applications
on this network.
• Make sure to Skip Authorization of this DHCP server in AD DS.

Task 3: Authorize the DHCP Server Role on NYC-DC1

• On NYC-DC1, use the DHCP console to authorize the
NYC-DC1.woodgrovebank.com DHCP server.

Exercise 2: Configuring a DHCP Scope


Scenario
You need to configure a DHCP scope for approximately 200 clients. The scope
must provide information concerning the DNS server and the default gateway as
part of the information that clients receive when they request a DHCP address.

Exercise Overview
In this exercise, you will configure a new DHCP scope, activate the scope, and
configure scope options so that clients receive the correct information when they
lease an IP address.
The main tasks are as follows:
1. Configure a DHCP scope.
2. Configure DHCP scope options.
3. Test the scope using a client workstation.

Task 1: Configure a DHCP scope

1. On NYC-DC1, use the Server Manager console to create a new DHCP IPv4
scope:
• Name of the scope: Head Office Network Scope
• The IP address range for the scope: 10.10.0.1 - 10.10.0.254 using a
subnet mask of 255.255.0.0
• An exclusions range of 10.10.0.1 - 10.10.0.30 should be added for servers
and other devices that use a static IP address
• Lease duration of one hour
• Do not configure any additional scope options
2. On NYC-CL1, set the Local Area Connection properties for DHCP
configuration on IPv4 properties for both IP address and DNS resolver
configuration. Restart NYC-CL1 and then log on as Administrator with the
password of Pa$$w0rd.
3. Make sure the client computer can obtain an IP address. Verify that the client
is configured with a default gateway.

Question: Why does the DHCP-configured Local Area Connection not have a
default gateway?

Task 2: Configure DHCP scope options

• On NYC-DC1, use the DHCP console to configure the 003 Router DHCP
scope option to point to 10.10.0.1.

Note: Make sure to configure the scope options and not the server options.

Task 3: Test the scope using a client workstation

• On NYC-CL1, use the command prompt and the ipconfig utility to test
whether the client is able to obtain an IP address and a default gateway, as the
previous task specifies.

Exercise 3: Troubleshooting Common DHCP Issues


Scenario
The DHCP server now is configured. To ensure minimal downtime, your
department has requested that the DHCP administration team troubleshoot several
potential configuration problem scenarios.

Exercise Overview
You will run a script that will configure the DHCP server so that it will not work
properly. Using the available information, you then will fix the configuration
problems that the script caused.
The main tasks are as follows:
1. Verify DHCP lease information.
2. Modify DHCP Server configuration using scripts to simulate configuration
issues.
3. Check the client’s ability to lease an IP address.
4. Determine why the DHCP server is not allocating IP addresses.
5. Identify information that has been changed.
6. Configure the DHCP server with the correct router information.
7. Configure the DHCP server with the correct DNS server information.
8. Configure the DHCP with the proper lease period.
9. Verify the information being leased to the client.
10. Close all virtual machines and discard undo disks.

Task 1: Verify DHCP lease information

• On NYC-CL1, verify lease information, and note the following settings:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration

Task 2: Modify DHCP Server configuration using scripts to simulate configuration issues
• At a command prompt, run the D:\Labfiles\Module4\DHCP.vbs script.

Task 3: Check the client’s ability to lease an IP address

• On NYC-CL1, use ipconfig to determine the most critical issue affecting the
DHCP server.

Task 4: Determine why the DHCP server is not allocating IP addresses

• On NYC-DC1, determine if the DHCP scope is activated.

Task 5: Identify information that has changed

• On NYC-CL1, identify the information that has changed. Compare settings to
those noted before running the DHCP.VBS script.

Task 6: Configure the DHCP server with the correct router information
• On NYC-DC1, verify the router information configured in the scope options.

Task 7: Configure the DHCP server with the correct DNS server information
• On NYC-DC1, verify the DNS server information configured in the scope
options.

Task 8: Configure the DHCP with the proper lease period

• On NYC-DC1, check that the lease period configured in the scope properties is
correct.

Task 9: Verify the information being leased to the client

• On NYC-CL1, use ipconfig to ensure that the client is configured as it was
before running the DHCP.VBS script.
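
A command-line equivalent of the server-side checks in Tasks 4 and 6 to 8, added here as an example; it is not part of the Microsoft lab or its answer key. It assumes an elevated command prompt on NYC-DC1 and a scope ID of 10.10.0.0 (derived from the Exercise 2 range and mask); the `fix` argument is a convention of this example only.

```batch
@echo off
rem Added example (not from the lab): audit the Exercise 2 scope with netsh,
rem and optionally restore the values that the lab text specifies.
rem Assumed: scope ID 10.10.0.0, derived from 10.10.0.1-10.10.0.254 with
rem mask 255.255.0.0. Run in an elevated command prompt on NYC-DC1.
setlocal
set "SERVER=\\NYC-DC1"
set "SCOPE=10.10.0.0"

echo === DHCP servers authorized in AD DS - Exercise 1, Task 3 ===
netsh dhcp show server

echo === Scope state - Exercise 3, Task 4 ===
netsh dhcp server %SERVER% scope %SCOPE% show state

echo === Scope options 003 Router, 006 DNS Servers, 051 Lease - Tasks 6 to 8 ===
netsh dhcp server %SERVER% scope %SCOPE% show optionvalue

echo === Address range and exclusions - Exercise 2, Task 1 ===
netsh dhcp server %SERVER% scope %SCOPE% show iprange
netsh dhcp server %SERVER% scope %SCOPE% show excluderange

rem Without the "fix" argument the script only reads configuration.
if /i not "%~1"=="fix" goto :done

rem Restore only the values stated in the lab text.
rem Activate the scope.
netsh dhcp server %SERVER% scope %SCOPE% set state 1
rem 003 Router points to 10.10.0.1 (Exercise 2, Task 2).
netsh dhcp server %SERVER% scope %SCOPE% set optionvalue 003 IPADDRESS 10.10.0.1
rem Lease duration of one hour is 3600 seconds (option 051).
netsh dhcp server %SERVER% scope %SCOPE% set optionvalue 051 DWORD 3600
rem Option 006 (DNS Servers): the address is not stated in this section.
rem Set it in the DHCP console, or replace DNS_SERVER_IP and remove the rem:
rem netsh dhcp server %SERVER% scope %SCOPE% set optionvalue 006 IPADDRESS DNS_SERVER_IP

:done
endlocal
```

On NYC-CL1, `ipconfig /renew` followed by `ipconfig /all` shows whether the restored values reach the client.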

Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP 1

Module 5
Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client
Exercise 2: Configuring an ISATAP Router to Enable Communications Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network
Exercise 1: Transitioning to an IPv6-Only Network

Lab A: Configuring an ISATAP Router

Objectives
• Configure a new IPv6 network and client
• Configure an ISATAP router to enable communications between the IPv4
network and the IPv6 network

Before you begin:


To be able to simulate multiple networks, you must configure the following before
starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Networks, click Add. In the details pane, next to
Existing configuration (.vnc) file, type the following:
C:\Program Files\Microsoft Learning\6421\Drives\6421A-NYC-VN2_IPv6, and then click
Add again.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select
6421A-NYC-VN2_IPv6, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select
6421A-NYC-VN2_IPv6, and then click OK.

Logon Information
For this lab, you will log on to the 6421A-NYC-DC1, 6421A-NYC-SVR1, and
6421A-NYC-CL1 virtual machines using the following information:
• User Name: Administrator
• Password: Pa$$w0rd

Exercise 1: Configuring a New IPv6 Network and Client


Scenario
You must design and implement an IPv6 network. For your initial proof of
concept, you must deploy only one client.

Exercise Overview
In this exercise, you will prepare the current environment to work with IPv6, and
deploy an IPv6 client and IPv6 subnet.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Configure IPv4 routing.
3. Enable IP Routing on NYC-SVR1 and confirm IPv4 Connectivity.
4. Disable IPv6 on NYC-DC1.
5. Disable IPv4 on NYC-CL1.
6. Check the IP configuration on NYC-CL1, and ensure that it is not configured
with an IPv4 IP address.
7. Configure an IPv6 router advertisement for the global address
2001:db8:0:1::/64 network on NYC-SVR1.
8. Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6
global address in the 2001:db8:0:1::/64 network.

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Configure IPv4 routing

1. On NYC-CL1, in the Network Connections window, configure the following:
• IP Address: 192.168.1.20
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.10
2. On NYC-DC1, in the Network Connections window, configure the following:
• Default Gateway: 10.10.0.24

Task 3: Enable IP Routing on NYC-SVR1, and confirm IPv4 connectivity

1. On NYC-SVR1, use the Registry Editor (Regedit.exe) to configure the
following:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• IPEnableRouter=1
2. Restart NYC-SVR1, and log on as Administrator with the password
Pa$$w0rd.
3. On NYC-CL1, use the ping command for NYC-DC1 to verify connectivity.
4. On NYC-DC1, use the ping command for 192.168.1.20 to verify connectivity.

Note: At this point, only IPv4 traffic is routed through the IPv4 routing
infrastructure.

Task 4: Disable IPv6 on NYC-DC1

• On NYC-DC1, in the Network Connections window, disable IPv6
connectivity.

Task 5: Disable IPv4 on NYC-CL1

• On NYC-CL1, in the Network Connections window, disable IPv4
connectivity.

Task 6: Check the IP configuration on NYC-CL1, and ensure that it is not configured with an IPv4 IP address
• Validate that the IP address on NYC-CL1 is a valid link-local IP address that
starts with fe80.

Task 7: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-SVR1
1. On NYC-SVR1, using the command line and the netsh command, configure
Local Area Connection 2 to forward packets and to advertise subnet prefixes.
2. Add an IPv6 route for 2001:db8:0:1::/64 on Local Area Connection 2. Make
sure to publish this route.

Task 8: Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
• Validate that NYC-CL1 has configured itself using the global prefix assigned to
the network.

Exercise 2: Configuring an ISATAP Router to Enable Communications Between an IPv4 Network and an IPv6 Network

Scenario
Now that you have configured your IPv6 client, you must enable IPv4 client
connectivity to the IPv6 network. Your evaluation of current IPv6 tunneling
technologies has led you to choose to implement an ISATAP router.

Exercise Overview
In this exercise, you will enable and configure an ISATAP router interface that will
allow two-way communications between the IPv4 and IPv6 networks.
The main tasks are as follows:
1. Add the ISATAP entry in the DNS zone.
2. Configure the ISATAP router on NYC-SVR1.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity with the IPv6 client.

Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1

• On NYC-SVR1, in the Woodgrovebank.com zone, create a new host record
called ISATAP, and configure it with the IPv4 address of NYC-SVR1
(10.10.0.24).

Task 2: Configure the ISATAP router on NYC-SVR1

1. On NYC-SVR1, using the netsh command, enable the ISATAP router, set as
10.10.0.24.
2. Using the netsh command, enable forwarding and prefix advertising for the
ISATAP interface. (Hint: Local Area Connection* 8)
3. Using the netsh command, publish a new route for the ISATAP subnet using
2001:db8:0:10::/64.
4. Restart NYC-SVR1 and log on as Administrator with the password Pa$$w0rd.


5. Open a command prompt, and use the ipconfig command to verify that the
tunnel adapter Local Area Connection* 8 displays an IPv6 address in the
2001:db8:0:10 range.

Task 3: Enable the ISATAP interface on NYC-DC1

1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type the following commands:
• Netsh interface isatap set router 10.10.0.24
• Ipconfig

Note: Notice that the tunnel adapter Local Area Connection 8 (which is the ISATAP
adapter) has received an IPv6 address automatically from the ISATAP router.

Task 4: Test connectivity with the IPv6 client

• Verify that you can ping NYC-DC1 from NYC-CL1 and that you can ping
NYC-SVR1. Finally, verify that you can ping NYC-CL1 from NYC-DC1.

Note: If the IP addresses do not resolve, reboot the servers, starting with NYC-DC1,
NYC-SVR1, and then NYC-CL1.

Important: Do not turn off the virtual machines at this time because you need them
to complete the next lab.
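
The netsh commands behind Exercise 1, Task 7 and Exercise 2, Task 2, collected as an added example; this is not the lab's own answer key. The interface names are the ones the lab text gives and can differ on another machine, and the script assumes an elevated command prompt on NYC-SVR1.

```batch
@echo off
rem Added example (not from the lab): configure NYC-SVR1 as the IPv6 router
rem for the 2001:db8:0:1::/64 segment and as the ISATAP router, then show
rem the resulting state.
rem Interface names are taken from the lab text; confirm them first with
rem   netsh interface ipv6 show interface
setlocal
set "LAN_V6=Local Area Connection 2"
set "ISATAP_IF=Local Area Connection* 8"

rem Exercise 1, Task 3 set IPEnableRouter=1 in the registry; confirm that the
rem value is present before relying on IPv4 forwarding.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter

rem Exercise 1, Task 7: forward packets and send router advertisements on the
rem IPv6 segment, then publish its /64 so that clients autoconfigure from it.
netsh interface ipv6 set interface "%LAN_V6%" forwarding=enabled advertise=enabled || goto :fail
netsh interface ipv6 add route 2001:db8:0:1::/64 "%LAN_V6%" publish=yes || goto :fail

rem Exercise 2, Task 2: set the ISATAP router to this server's IPv4 address
rem (same command form as Exercise 2, Task 3 uses on NYC-DC1), then make the
rem tunnel interface forward and advertise the ISATAP /64.
netsh interface isatap set router 10.10.0.24 || goto :fail
netsh interface ipv6 set interface "%ISATAP_IF%" forwarding=enabled advertise=enabled || goto :fail
netsh interface ipv6 add route 2001:db8:0:10::/64 "%ISATAP_IF%" publish=yes || goto :fail

rem Verification: both prefixes should be listed as published routes, and
rem ipconfig should show an address from each prefix on this server.
netsh interface ipv6 show route
ipconfig | findstr /i /c:"2001:db8:0:1:" /c:"2001:db8:0:10:"
goto :eof

:fail
echo A netsh command failed. Check the interface names set at the top.
exit /b 1
```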

Lab B: Converting the Network

Objective
• Transition the network into an IPv6-only network.

Scenario
You are responsible for testing the IPv6 transition plan. To accomplish this, you
will transition the computers from the previous network that uses both IPv4 and
IPv6, and transition them to an IPv6-only network.

Exercise 1: Transitioning to an IPv6-Only Network


Exercise Overview
In this exercise, you will migrate the IPv4 network to be a fully capable IPv6
network.
The main tasks are as follows:
1. Disable the ISATAP router on NYC-SVR1.
2. Configure the native IPv6 router on NYC-SVR1.
3. Disable IPv4 connectivity.
4. Test connectivity between each IPv6 subnet.

Task 1: Disable the ISATAP router on NYC-SVR1

• On NYC-SVR1, disable the ISATAP router, and delete the static route subnet
prefix that was defined previously for the ISATAP subnet.

Task 2: Configure the native IPv6 router on NYC-SVR1

• Configure an IPv6 router in the Local Area Connection interface on
NYC-SVR1. Make sure that forwarding and prefix advertising are enabled. Also add
and publish the subnet prefix: 2001:db8:0:0::/64.

Task 3: Disable IPv4 connectivity

1. On NYC-SVR1, disable all remaining IPv4 interfaces.
2. On NYC-DC1, enable the IPv6 interface, and then disable the IPv4 interface.

Task 4: Test connectivity between each IPv6 subnet

• Make sure you can ping between NYC-DC1 and NYC-CL1. Also make sure that
NYC-SVR1 is able to ping both servers.

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-DC1,
NYC-SVR1, and then NYC-CL1.

Task 5: Reconfigure the Network Adapters

To have the appropriate setup for future labs, you must configure the following
before starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
3. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
4. Under Virtual network adapter 2, click the drop-down arrow, select Internal
Network, and then click OK.
5. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
6. Under “6421A-NYC-CL1” Configuration, click Network adapters.
7. Under Virtual network adapter 1, click the drop-down arrow, select Internal
Network, and then click OK.

Task 6: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring and Troubleshooting Routing and Remote Access 1

Module 6
Lab Instructions: Configuring and Troubleshooting Routing and Remote Access
Contents:
Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Exercise 2: Configuring a Custom Network Policy
Exercise 3: Configuring Logging
Exercise 4: Configuring a Connection Profile

Lab: Configuring and Managing Network Access

Objectives
After completing this lab, you will be able to:
• Configure the Routing and Remote Access service as a VPN remote access
solution.
• Configure a custom Network Policy.
• Configure logging.
• Configure a connection profile.

Scenario
Woodgrove Bank would like to implement a remote access solution for its
employees so they can connect to the corporate network while away from the
office. Woodgrove Bank requires a network policy that mandates that VPN
connections are encrypted for security reasons.
The IT department of Woodgrove Bank does not want the Remote Access solution
to cause a dramatic increase in support calls to the Help Desk for configuration
issues regarding VPN connection objects that need to be created on the client
computer.

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution

Exercise Overview
In this exercise, you will configure the Routing and Remote Access Service role as a
VPN Remote Access solution. The VPN server should use IP address allocation for
clients from a static pool of IP addresses that is configured on the Remote Access
server. The Remote Access server should only accept PPTP and L2TP connections,
with 25 connections allowed for each.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Install the Network Policy and Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for
Remote Access clients.
4. Configure available VPN ports on the Routing and Remote Access Service
server to allow 25 PPTP and 25 L2TP connections.

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Install the Network Policy and Access Services role on 6421A-NYC-SVR1
1. Open Server Manager on NYC-SVR1, and click Add Roles.
2. In Server Manager, on the Server Roles page, scroll down, select Network
Policy and Access Services, and then click Next.
3. On the Select Role Services page, select Network Policy Server and Routing
and Remote Access Services, and then click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Network Policy and Routing and Remote Access Services roles are
installed on NYC-SVR1.

Note: Do not log off or shut down the virtual machines at this point.

Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients
1. From Administrative Tools, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-SVR1 (Local), and then click
Configure and Enable Routing and Remote Access.
3. Ensure that the default setting, Remote Access (dial-up or VPN), is selected,
and then on the Remote Access page, select the VPN option.
4. On the VPN Connection page, select the Local Area Connection 2 interface.
5. On the IP Address Assignment page, select From a specified range of
addresses.
6. Use the range of 192.168.1.100 with 75 available addresses for the static pool.
7. Accept the default settings for the remainder of the configuration process.

Task 4: Configure available VPN ports on the Routing and Remote Access Service server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access administrative tool interface, right-click
Ports, and then click Properties.
2. In the Ports Properties dialog box, configure L2TP and PPTP to have 25
available connectors. Specify 0 for SSTP.
3. In the Ports Properties dialog box, click OK.
4. Close the Routing and Remote Access administrative tool.

Exercise 2: Configuring a Custom Network Policy


Exercise Overview
In this exercise, you will create a network policy to allow secure connections to the
Routing and Remote Access Service server.
The main tasks are as follows:
1. Open the Network Policy Server administrative tool on 6421A-NYC-SVR1.
2. Create a new network policy for Routing and Remote Access Service clients.

Task 1: Open the Network Policy Server management tool on 6421A-NYC-SVR1
• From the Administrative Tools menu, click Network Policy Server.
The Network Policy Server administrative tool appears.

Task 2: Create a new network policy for Routing and Remote Access Service clients
1. In the list pane of the Network Policy Server administrative tool, expand
Policies, right-click Network Policies, and then click New.
2. In the New Network Policy wizard, specify the following settings, and accept
the default values for all other settings:
• Network Policy Name: Secure VPN
• Type of network access server: Remote Access Server (VPN-Dial up)
• Specify Conditions: Tunnel Type: PPTP and L2TP
• Configure Authentication Methods: Deselect MS-CHAP
• Configure Constraints: Day and Time: deny access Mon thru Fri 11PM to
6AM
• Configure Settings: Under Encryption, clear all settings except Strongest
encryption
3. Close the Network Policy Server administrative tool.

Exercise 3: Configuring Logging


Exercise Overview
In this exercise, you will enable logging in Routing and Remote Access.
The main tasks are as follows:
1. Configure Routing and Remote Access Service logging on 6421A-NYC-SVR1 to
log all events to the system log.
2. Test logging levels.

Task 1: Configure Routing and Remote Access Service Logging on 6421A-NYC-SVR1 to log all events to the System log
1. Click Start, point to Administrative Tools, and then click Routing and
Remote Access.
2. Right-click NYC-SVR1, and then click Properties.
3. In the NYC-SVR1 (local) Properties dialog box, click the Logging tab, click
Log all events, and then click OK.

Task 2: Test logging levels

1. Log on to NYC-CL1 with a user name of administrator and the password
Pa$$w0rd.
2. Click Start, click Network, and then in the Network window, click Network
and Sharing Center.
3. Under Tasks, click Set up a connection or network to create a new VPN
connection object.
4. In the Type the Internet address to connect to dialog box, specify an Internet
address of 10.10.0.24 and a Destination Name of Woodgrovebank VPN.
5. Accept the defaults for the remainder of the wizard settings.
6. After the VPN connection object is created, connect to WoodgroveBank VPN
from the Network Connections page.
7. Use the following information in the Connect Woodgrovebank VPN text
boxes:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Woodgrovebank
The VPN connects successfully.
8. Right-click Woodgrovebank VPN, and then click Disconnect. The VPN
disconnects.
9. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Event Viewer.
10. Use Event Viewer on NYC-SVR1, and review the entries from the
RemoteAccess source in the System log to see the logged data.
11. Close Event Viewer.

Exercise 4: Configuring a Connection Profile


Exercise Overview
In this exercise, you will configure a Connection Profile by using the CMAK tool to
create connection objects for mobile computer users.
The main tasks are as follows:
1. Install the Connection Manager Administration Kit.
2. Use the CMAK to create a distributable executable that automates creation of
connection objects for users.
3. Install and test the CMAK profile.
4. Close all virtual machines, and delete the changes.

Task 1: Install the Connection Manager Administration Kit

1. On NYC-SVR1, click Start, and then click Server Manager.
2. Select the Connection Manager Administration Kit feature, and then click
Install.
3. Close Server Manager on 6421A-NYC-SVR1.

Task 2: Use the CMAK to create a distributable executable that automates creation of connection objects for users
1. Click Start, point to Administrative Tools, and then click Connection
Manager Administration Kit.
2. On the Welcome page of the Connection Manager Administration Kit wizard,
click Next. Specify the following settings in the wizard interface, and accept
the default values for the other settings:
• On the Specify the Service Name and the File Name page, use
WOODGROVEBANK VPN for the Service name and CORP_VPN for the
File name.
• In Add Support for VPN Connections, select Phone book from this
profile, and specify to always use the same VPN server with an IP
address of 10.10.0.24.
• In Add a custom Phone Book, deselect Automatically download phone
book updates.
3. On the Your Connection Manager Profile is Complete and Ready to
Distribute page, click Finish.
4. From NYC-SVR1, copy the CORP_VPN folder from the C:\Program
Files\CMAK\Profiles\Vista\ location to the \\NYC-DC1\Module6 location.

Task 3: Install and test the CMAK profile

1. On 6421A-NYC-CL1, in the \\NYC-DC1\module6\ share, run
CORP_VPN.exe to create the VPN connection object.
The WOODGROVEBANK VPN connection object opens.
2. In the WOODGROVEBANK VPN connection object, type the following
credentials and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Logon Domain: Woodgrovebank
3. Set the Network Location to Work.
4. Verify the VPN connects successfully in Network Connections. Right-click the
connection icon, and then click Disconnect.

Task 4: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 1

Module 7
Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment

Lab: Configuring and Managing Network Policy Server

Objectives
After completing this lab, you will be able to:
• Install the Network Policy Server role service and configure Network Policy
Server settings
• Configure a RADIUS client
• Configure certificate autoenrollment

Scenario
Woodgrove Bank is expanding its remote-access solution to all its branch office
employees. This will require multiple Routing and Remote Access servers located
at different points to provide connectivity for its employees. You will use RADIUS
to centralize authentication and accounting for the remote-access solution.
The Windows Infrastructure Services Technology Specialist has been tasked with
installing and configuring Network Policy Server into an existing infrastructure to
be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy.

Exercise 1: Installing and Configuring the Network Policy Server Role Service

Exercise Overview
In this exercise, you will install and configure the Network Policy Server role.
The main tasks are as follows:
1. Start the virtual machines, and log on.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Network Policy and Access Services role.
4. Register NPS in Active Directory.
5. Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN
connections.

Task 1: Start the virtual machines, and log on

1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the Network Policy and Access Services role

1. On NYC-DC1, in the Server Manager list pane, right-click Roles, and then
click Add Roles.
2. Install the Network Policy Server role service from the Network Policy and
Access Services role.
3. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Network Policy Server role is installed on 6421A-NYC-DC1.
4. Do not log off or shut down the virtual PCs at this point.

Task 3: Register NPS in Active Directory

1. Open Network Policy Server from the Administrative Tools menu.
2. Using the NPS tool, register NPS in Active Directory.
The Network Policy server is registered in Active Directory.

Task 4: Configure 6421A-NYC-DC1 to be a RADIUS server for dial-up or VPN connections
1. In the Network Policy Server management tool list pane, click NPS (Local).
2. In the details pane under Standard Configuration, click RADIUS server for
Dial-Up or VPN Connections.
3. Under RADIUS server for Dial-Up or VPN Connections, click Configure VPN
or Dial-Up, specify Virtual Private Network (VPN) Connections, and accept
the default name.
4. In the RADIUS clients dialog box, add NYC-SVR1 as a RADIUS client with an
address of 10.10.0.24.
5. In the New RADIUS Client dialog box, specify and confirm the shared secret
of Pa$$w0rd, and then click OK.
6. In the Specify Dial-Up or VPN Server dialog box, accept the default setting.
7. In the Configure Authentication Methods dialog box, select Extensible
Authentication Protocol and MS-CHAPv2.
8. On the Specify User Groups page, accept the default settings.
9. On the Specify IP Filters page, accept the default settings.
10. On the Specify Encryption Settings page, deselect Basic encryption and
Strong encryption.
11. On the Specify a Realm Name page, accept the default settings and finish the
wizard.
12. Close the Network Policy Server administrative tool.

Exercise 2: Configuring a RADIUS Client


Exercise Overview
In this exercise, you will configure 6421A-NYC-SVR1 to host Routing and Remote
Access Services and configure 6421A-NYC-SVR1 as a RADIUS client.
The main tasks are as follows:
1. Open the Server Manager tool on 6421A-NYC-SVR1.
2. Install the Routing and Remote Access Services role.
3. Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for
Remote Access clients, and specify RADIUS authentication and accounting.

Task 1: Open the Server Manager tool on 6421A-NYC-SVR1


• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.

Task 2: Install the Routing and Remote Access Services role on 6421A-NYC-SVR1
1. Using Server Manager, install the Network Policy and Access Services role
with the role service of Routing and Remote Access.
2. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
The Routing and Remote Access Services role is installed on 6421A-NYC-
SVR1.
3. Do not log off or shut down the virtual PCs at this point.

Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients, and specify RADIUS authentication and accounting
1. Open the Routing and Remote Access Services administrative tool, and click
Configure and Enable Routing and Remote Access.
2. Configure the default Remote Access (dial-up or VPN), and on the Remote
Access page, select the VPN option.
3. On the VPN Connection page, select the Local Area Connection 2 interface.
4. On the IP Address Assignment page, select From a specified range of
addresses.
5. Use the range of 192.168.1.100 with 75 available addresses for the static pool.
6. On the Managing Multiple Remote Access Servers page, select Yes, set up
this server to work with a RADIUS server, and then click Next.
7. Configure the following settings:
• Primary RADIUS server: NYC-DC1
• Shared secret for the RADIUS server: Pa$$w0rd
• Accept the default settings for the remainder of the configuration process
8. Close the Routing and Remote Access Services administrative tool.

Exercise 3: Configuring Certificate Auto-Enrollment


Exercise Overview
In this exercise, you will configure Certificate Auto-Enrollment for computers to
use advanced authentication.
The main tasks are as follows:
1. Install and configure Certificate Services on NYC-DC1.
2. Open the Group Policy Management tool on 6421A-NYC-DC1 and configure
automatic certificate enrollment.
3. Close all virtual machines, and delete changes.

Task 1: Install and configure Certificate Services on NYC-DC1


1. On NYC-DC1, start Server Manager from the Administrative Tools menu.
2. Install the Active Directory Certificate Services role using the defaults except
for the following:
• CA Name = WoodGroveBank-CA
3. On the Installation Results page, click Close.
4. From the Administrative Tools menu, open the Certification Authority
management tool.
5. Right-click Certificate Templates, and then select Manage from the context
menu.
6. Change the security on the Computer template to allow Authenticated Users
the Enroll permission.
7. Close the Certificate Template and certsrv management consoles.

Task 2: Open the Group Policy Management tool on 6421A-NYC-DC1, and configure automatic certificate enrollment
1. On 6421A-NYC-DC1, open Group Policy Management from the
Administrative Tools menu.
2. In the Group Policy Management tool, expand Forest: WoodgroveBank.com,
expand Domains, and expand WoodgroveBank.com.
3. Right-click Default Domain Policy, and then click Edit.
4. Expand Computer Configuration, expand Policies, expand Windows
Settings, expand Security Settings, and then expand Public Key Policies.
5. Right-click Automatic Certificate Request Settings, click New, and then click
Automatic Certificate Request.
6. Accept the default settings throughout the wizard.
7. Close the Group Policy Management Editor.
8. Close the Group Policy Management tool.
Automatic certificate enrollment now is configured for the WoodgroveBank
domain’s computers.
9. Start 6421A-NYC-CL1 and log on as Administrator with the password
Pa$$w0rd.
10. Create a new MMC console with the Certificates snap-in. Focus the snap-in to
the Computer Account.
11. In the MMC console, verify that the computer account has enrolled the
certificate from WoodGroveBank-CA.

Task 3: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.
Lab Instructions: Configuring Network Access Protection 1

Module 8
Lab Instructions: Configuring Network Access
Protection
Contents:
Exercise 1: Configuring NAP for DHCP Clients
Exercise 2: Configuring NAP for VPN Clients

Lab: Configuring NAP for DHCP and VPN

Objectives
• Configure NAP for DHCP clients
• Configure NAP for VPN clients

Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring
client computers automatically into compliance. You will do this by using Network
Policy Server, creating client compliance policies, and configuring a NAP server to
check the current health of computers.

Exercise 1: Configuring NAP for DHCP Clients


In this exercise, you will configure and test NAP for DHCP clients.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Open the Server Manager tool on 6421A-NYC-SVR1.
3. Install the DHCP and NPS server roles.
4. Configure NYC-SVR1 as a NAP health policy server.
5. Configure DHCP service for NAP enforcement.
6. Configure NYC-CL1 as a DHCP and NAP client.
7. Test NAP enforcement.
8. Shut down the virtual machines, and do not save changes.

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-SVR1


• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.

Task 3: Install the NPS and DHCP server roles


1. On NYC-SVR1, open Server Manager.
2. Right-click Roles, and then click Add Roles.
3. On the Select Server Roles page, select the DHCP Server and Network Policy
and Access Services check boxes.
4. On the Select Role Services page, select the Network Policy Server.
5. On the Select Network Connection Bindings page, verify that 10.10.0.24 is
selected. Remove the check mark next to 192.168.1.10.
6. On the Specify DNS Server Settings page, verify that woodgrovebank.com is
listed under Parent domain.
7. Type 10.10.0.10 under Preferred DNS server IP address, and click Validate.
Verify that the result returned is Valid.
8. On the Specify WINS Server Settings page, accept the default setting.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to
Starting IP Address, type 10.10.0.50; next to Ending IP Address, type
10.10.0.199; and next to Subnet Mask, type 255.255.0.0.
11. Select the Activate this scope check box, and then click OK.
12. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6
stateless mode for this server.
13. On the Authorize DHCP Server page, select Use current credentials. Verify
that Woodgrovebank\administrator is displayed next to Username, and
then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.

Task 4: Configure NYC-SVR1 as a NAP health policy server


1. Open the Network Policy Server administrative tool from the Start Menu,
Administrative Tools location.
2. Configure SHVs:
a. Expand Network Access Protection, and then click System Health
Validators.
b. Configure the System Health Validator. On the Windows Vista tab, clear
all check boxes except A firewall is enabled for all network connections.
3. Configure remediation server groups:
a. In the console tree, under Network Access Protection, right-click
Remediation Server Groups, and then click New.
b. Create a new remediation group with a group name of Rem1, and add the
IP address of 10.10.0.10.
4. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. Create a new health policy called Compliant that specifies the Client
passes all SHV checks and uses the Windows Security Health Validator.
d. Right-click Health Policies, and then click New.
e. Create a new health policy called NonCompliant that specifies the Client
fails one or more SHV checks and uses the Windows Security Health
Validator.
5. Configure a network policy for compliant computers:
a. In the console tree, under Policies, click Network Policies.
b. Disable the two default policies under Policy Name.
c. Create a new Network Policy called Compliant-Full-Access.
d. In the Specify Conditions window, click Add.
e. In the Select condition dialog box, double-click Health Policies, select
Compliant, and then click OK.
f. In the Specify Access Permission window, verify that Access granted is selected.
g. In the Configure Authentication Methods window, select the Perform
machine health check only check box. Clear all other check boxes.
h. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected.
i. In the Completing New Network Policy window, click Finish to
complete configuration of your network policy for compliant client
computers.
6. Configure a network policy for Noncompliant computers:
a. Right-click Network Policies, and then click New.
b. Create a new Network Policy called NonCompliant-Restricted.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies, select
Noncompliant, and then click OK.
e. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.

Important: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that clients matching these conditions
will be granted an access level that the policy determines.

f. In the Configure Authentication Methods window, select the Perform machine health check only check box. Clear all other check boxes.
g. In the Configure Constraints window, click Next.
h. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access and verify that Enable auto-remediation of client
computers is selected.
i. Click Next, and then click Finish. This completes configuration of your
NAP network policies. Close the Network Policy Server console.

Task 5: Configure DHCP service for NAP enforcement


1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
DHCP.
2. In the DHCP Management console, expand NYC-SVR1.woodgrovebank.com,
and then expand IPv4.
3. Open the Properties for the Scope. On the Network Access Protection tab,
verify Use default Network Access Protection profile is selected, and then
click OK.
4. In the DHCP Management console, configure Scope Options.
5. On the Advanced tab, verify that Default User Class is chosen next to User
class.
6. Under Available Options, select the 003 Router check box, type 10.10.0.1 in
IP Address, select the 015 DNS Domain Name check box, type
Woodgrovebank.com in String value, and then click OK. The
Woodgrovebank.com domain is a full-access network assigned to compliant
NAP clients.
7. In the DHCP Management console, configure Scope Options.
8. On the Advanced tab, next to User class, choose Default Network Access
Protection Class.
9. Select the 006 DNS Servers check box, type 10.10.0.10 in IP Address, select
the 015 DNS Domain Name check box, type
restricted.Woodgrovebank.com in String value, and then click OK. The
restricted.woodgrovebank.com domain is a restricted-access network assigned
to noncompliant NAP clients.

Task 6: Configure NYC-CL1 as a DHCP and NAP client


1. On NYC-CL1, enable Security Center:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type gpedit.msc, and then press ENTER.
c. In the console tree, open Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
d. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
e. Close the console window. When prompted to save settings, click No.
2. Enable the DHCP enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. Enable the DHCP Quarantine Enforcement Client.
e. Close the NAP Client Configuration console.
3. Enable and start the NAP agent service:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type services.msc, and then press ENTER.
c. In the services list, set Network Access Protection Agent Startup type to
Automatic, and start the service.
d. Wait for the NAP agent service to start, and then click OK.
e. Close the Services console.
4. Configure NYC-CL1 for DHCP address assignment:
a. Click Start, and then click Control Panel.
b. Click Network and Internet, click Network and Sharing Center, and
then click Manage network connections.
c. Configure Local Area Connection properties with the following:
• Clear the Internet Protocol Version 6 (TCP/IPv6) check box.
• Set properties of Internet Protocol Version 4 (TCP/IPv4) to Obtain
an IP address automatically and Obtain DNS server address
automatically.
d. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
5. Close the Network Connections and Network and Sharing Center windows.
6. Restart NYC-CL1. After the computer restarts, log on as Administrator with
the password Pa$$w0rd.

Task 7: Test NAP Enforcement


1. Verify the DHCP assigned address and current Quarantine State:
a. On NYC-CL1, open an administrative command prompt using the Run As
Administrator command.
b. At the command prompt, type ipconfig /all.
c. Verify that the connection-specific DNS suffix is Woodgrovebank.com
and the Quarantine State is Not Restricted.
2. Configure the System Health Validator policy to require antivirus software:
a. On NYC-SVR1, in the Network Policy Server console, open NPS (Local),
open Network Access Protection, and then open System Health
Validators.
b. Configure Windows Security Health Validator so that Virus Protection is
set to An antivirus application is on.
c. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
3. Verify the restricted network on NYC-CL1:
a. On NYC-CL1, open an administrative command prompt using the Run As
Administrator command.
b. At the command prompt, type ipconfig /release.
c. At the command prompt, type ipconfig /renew.
d. Verify the connection-specific DNS suffix is now
restricted.woodgrovebank.com.
e. Close the command window, and double-click the Network Access
Protection icon in the system tray. Notice it tells you the computer is not
compliant with the network’s requirements.
f. Click Close.
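The following added example (not part of the original lab material) models, in simplified form, why NYC-CL1 moves from Not Restricted to the restricted scope options once the SHV also requires antivirus. The class and function names are hypothetical, and the client state (firewall on, no antivirus) is assumed from the results the lab expects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientHealth:
    """Health state reported by the client, reduced to the two checks the lab uses."""
    firewall_on: bool
    antivirus_on: bool


@dataclass(frozen=True)
class ShvSettings:
    """Check boxes selected in the Windows Security Health Validator."""
    require_firewall: bool = True      # Task 4, step 2: the only box left selected
    require_antivirus: bool = False    # Task 7, step 2 turns this on

    def passes(self, health: ClientHealth) -> bool:
        if self.require_firewall and not health.firewall_on:
            return False
        if self.require_antivirus and not health.antivirus_on:
            return False
        return True


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    health_policy: str         # "Compliant" or "NonCompliant"
    access_granted: bool       # Specify Access Permission page
    full_access: bool          # NAP Enforcement: full (True) or limited (False)
    auto_remediation: bool = False


# The two network policies created in Task 4, steps 5 and 6.
LAB_POLICIES = (
    NetworkPolicy("Compliant-Full-Access", "Compliant", True, True),
    NetworkPolicy("NonCompliant-Restricted", "NonCompliant", True, False, True),
)

# DNS suffix (option 015) configured per DHCP user class in Task 5.
SCOPE_DNS_SUFFIX = {
    "Default User Class": "Woodgrovebank.com",
    "Default Network Access Protection Class": "restricted.Woodgrovebank.com",
}


def health_policy_matches(name: str, shv_passed: bool) -> bool:
    """Compliant = passes all SHV checks; NonCompliant = fails one or more."""
    if name == "Compliant":
        return shv_passed
    if name == "NonCompliant":
        return not shv_passed
    raise ValueError(f"unknown health policy: {name}")


def denied(policy_name):
    return {"policy": policy_name, "access": "denied", "quarantine_state": None,
            "dns_suffix": None, "auto_remediation": False}


def evaluate(health: ClientHealth, shv: ShvSettings, policies=LAB_POLICIES) -> dict:
    """Walk the network policies in order; the first matching policy decides."""
    shv_passed = shv.passes(health)
    for policy in policies:
        if not health_policy_matches(policy.health_policy, shv_passed):
            continue
        if not policy.access_granted:
            return denied(policy.name)
        # "Access granted" only lets the request proceed; the NAP Enforcement
        # setting is what selects full or limited access.
        user_class = ("Default User Class" if policy.full_access
                      else "Default Network Access Protection Class")
        return {
            "policy": policy.name,
            "access": "granted",
            "quarantine_state": "Not Restricted" if policy.full_access else "Restricted",
            "dns_suffix": SCOPE_DNS_SUFFIX[user_class],
            "auto_remediation": policy.auto_remediation,
        }
    return denied(None)  # no enabled policy matched the request


if __name__ == "__main__":
    lab_client = ClientHealth(firewall_on=True, antivirus_on=False)  # assumed state
    for shv in (ShvSettings(), ShvSettings(require_antivirus=True)):
        print(shv, "->", evaluate(lab_client, shv))
```
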

Task 8: Shut down virtual machines and do not save any changes


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. For Exercise 2, start 6421A-NYC-DC1 and 6421A-NYC-CL1.
4. Log on to each as WoodgroveBank\administrator with the password
Pa$$w0rd.

Exercise 2: Configuring NAP for VPN Clients


In this exercise, you will configure NAP for VPN Clients. This exercise uses the
Windows Security Health Agent and Windows Security Health Validator to require
that client computers have Windows Firewall enabled and have an antivirus
application installed.
You will create two network policies in this exercise. A compliant policy grants full
network access to an intranet network segment. A noncompliant policy
demonstrates network restriction by applying IP filters to the VPN tunnel interface
that only allow client access to a single remediation server.
The main tasks are as follows:
1. Configure NYC-DC1 as an Enterprise Root CA.
2. Configure NYC-SVR1 with NPS functioning as a health policy server.
3. Configure NYC-SVR1 with the Routing and Remote Access service configured
as a VPN server.
4. Allow ping on NYC-SVR1.
5. Configure NYC-CL1 as a VPN client and a NAP client.
6. Close all virtual machines, and discard undo disks.

Task 1: Configure NYC-DC1 as an Enterprise Root CA


1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. Under Roles Summary, click Add Roles.
3. On the Before you Begin page, click Next.
4. Select the Active Directory Certificate Services check box, and configure the
wizard with the following:
a. On the Specify Setup Type page, select Enterprise.
b. On the Configure CA Name page, specify a name of Root CA.
c. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify the installation succeeded, and then
click Close.
6. Close the Server Manager window.
7. From the Administrative Tools menu, open the Certification Authority management tool.
8. Right-click Certificate Templates, and then choose Manage from the context
menu.
9. Change the security on the Computer template to allow Authenticated Users
the Enroll permission.
10. Close the Certificate Template and certsrv management consoles.

Task 2: Configure NYC-SVR1 with NPS functioning as a health policy server
1. Start 6421A-NYC-SVR1, and then log on as Woodgrovebank\administrator
with the password Pa$$w0rd.
2. Obtain a computer certificate on NYC-SVR1 for server-side PEAP
authentication:
a. Create a custom MMC console that includes the Certificates snap-in for
Computer Account.
b. In the console tree, double-click Certificates, right-click Personal, point to
All Tasks, and then click Request New Certificate.
c. The Certificate Enrollment dialog box opens. Click Next.
d. Select the Computer check box, and then click Enroll.
e. Verify the status of certificate installation as Succeeded, and then click
Finish.
f. Close the Console1 window.
g. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-SVR1, click Start, click Administrative Tools, and then click
Server Manager.
b. Use Add Roles to install Network Policy and Access Services.
c. Verify the installation was successful, and then click Close.
d. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
a. Click Start, click Run, type nps.msc, and then press ENTER.
b. Expand Network Access Protection, and then click System Health
Validators.
c. In the middle pane under Name, double-click Windows Security Health
Validator.
d. Configure the Windows Security Health Validator properties so all check
boxes except A firewall is enabled for all network connections are
cleared.
e. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
5. Configure health policies:
a. Expand Policies.
b. Create a new health policy called Compliant.
c. Under Client SHV checks, verify that the Client passes all SHV checks
check box is selected.
d. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
e. Click OK.
f. Create a new health policy called Noncompliant.
g. Under Client SHV checks, select Client fails one or more SHV checks.
h. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
i. Click OK.
6. Configure network policies for compliant computers:
a. Expand Policies.
b. Click Network Policies.
c. Disable the two default policies under Policy Name.
d. Create a new network policy called Compliant-Full-Access.
e. In the Specify Conditions window, click Add.
f. In the Select condition dialog box, double-click Health Policies.
g. In the Health Policies dialog box, under Health policies, select
Compliant.
h. In the Specify Access Permission window, verify that Access granted is
selected.
i. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected.
j. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Create a new network policy called Noncompliant-Restricted.
b. In the Specify Conditions window, click Add.
c. In the Select condition dialog box, double-click Health Policies.
d. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
e. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Noncompliant, and then click Next.
f. In the Specify Access Permission window, verify that Access granted is
selected.

Important: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that the policy should continue to
evaluate clients matching these conditions.

g. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and select Enable auto-remediation of client computers.
h. In the Configure Settings window, click IP Filters.
i. Under IPv4, create a new input filter for Destination network with the
following values:
• IP address: 10.10.0.10
• Subnet mask: 255.255.255.255
This step ensures that traffic from noncompliant clients can reach only
DC1.

j. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Inbound Filters dialog box.
k. Under IPv4, create a new outbound filter with the following source
network values:
• IP address: 10.10.0.10
• Subnet mask: 255.255.255.255
l. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Outbound Filters dialog box. This
ensures that only traffic from DC1 can be sent to noncompliant clients.
m. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name.
c. Create a new Connection Request policy called VPN connections.
d. Under Type of network access server, select Remote Access Server
(VPN-Dial up).
e. In the Specify Conditions window, click Add.
f. In the Select Condition window, double-click Tunnel Type, select PPTP
and L2TP, and then click OK.
g. In the Specify Connection Request Forwarding window, verify that
Authenticate requests on this server is selected.
h. In the Specify Authentication Methods window, select Override network
policy authentication settings.
i. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Protected EAP (PEAP).
j. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Secured password (EAP-
MSCHAP v2).
k. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click
Edit.
l. Verify that Enable Quarantine checks is selected, and then click OK.
m. Click Next twice, and then click Finish.

Task 3: Configure NYC-SVR1 with the Routing and Remote Access service configured as a VPN server
1. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
2. In the Routing and Remote Access management console, configure and
enable Routing and Remote Access with the role Remote access (dial-up or
VPN).
3. Select the VPN check box, and then click Next.
4. Click the network interface with an IP address of 192.168.1.10. Clear the
Enable security on the selected interface by setting up static packet filters
check box, and then click Next. This ensures that NYC-SVR1 will be able to
ping NYC-DC1 when attached to the Internet subnet without having to
configure additional packet filters for ICMP traffic.
5. On the IP Address Assignment page, select From a specified range of
addresses, and on the Address Range Assignment page, specify a range of
10.10.0.100 to 10.10.0.110.
6. On the Managing Multiple Remote Access Servers page, select No, use
Routing and Remote Access to authenticate connection requests.
7. Click Next, and then click Finish.
8. Click OK, and wait for the Routing and Remote Access service to start.
9. Open the Network Policy Server console from the Administrative Tools
menu, expand Policies, select Connection Request Policies, and then disable
the Microsoft Routing and Remote Access Service Policy by right-clicking the
policy and choosing Disable.
10. Close the Network Policy Server management console.

Task 4: Allow ping on NYC-SVR1


1. Click Start, click Administrative Tools, and then click Windows Firewall
with Advanced Security.
2. Create a custom inbound rule for All Programs with the protocol type of
ICMPv4 and ICMP type of Echo Request for the default scope options.
3. In the Action window, verify that Allow the connection is selected, and then
click Next.
4. Click Next to accept the default profile.
5. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.

Task 5: Configure NYC-CL1 as a VPN client and a NAP client


1. Configure NYC-CL1 so that Security Center is always enabled:
a. Open the Local Group Policy Object Editor using the Run command with
gpedit.msc.
b. In the console tree, open Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
c. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
d. Close the Local Group Policy Object Editor console.
2. Enable the remote access quarantine enforcement client:
a. Launch the NAP Client Configuration tool using the Run command with
napclcfg.msc.
b. Enable the Remote Access Quarantine Enforcement Client.
c. Close the NAP Client Configuration window.
3. Enable and start the NAP agent service:
a. Open the Services console using services.msc in the Run command.
b. In the Services list, double-click Network Access Protection Agent.
c. Change the startup type to Automatic, and then click Start.
d. Wait for the NAP agent service to start, and then click OK.
e. Close the Services console.
4. Configure NYC-CL1 for the Internet network segment:
a. Configure Local Area Connection Properties with Internet Protocol
Version 4 (TCP/IPv4) set for the following:
• IP address: 192.168.1.20
• Subnet mask: 255.255.255.0
• Remove Preferred DNS server setting of 10.10.0.10
b. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
c. Close the Network Connections window.
5. Verify network connectivity for NYC-CL1:
a. Open a command prompt and type ping 192.168.1.10.
b. Verify that the response reads “Reply from 192.168.1.10”.
c. Close the command window.
6. Configure a VPN connection:
a. Using the Network and Sharing Center, create a new Connect to a
workplace with the Use my Internet Connection (VPN) option.
b. Click I’ll set up an Internet connection later.
c. On the Type the Internet address to connect to page, next to Internet
address, type 192.168.1.10. Next to Destination name, type
Woodgrovebank. Select the Allow other people to use this connection
check box, and then click Next.
d. On the Type your user name and password page, type administrator
next to User name, and type the password for the administrator account
next to Password. Select the Remember this password check box, type
Woodgrovebank next to Domain (optional), and then click Create.
e. In the Network and Sharing Center window, click Manage Network
Connections.
f. Under Virtual Private Network, right-click the Contoso connection, click
Properties, and then click the Security tab.
g. Select Advanced (custom settings), and then click Settings.
h. Under Logon security, select Use Extensible Authentication Protocol
(EAP), and then choose Protected EAP (PEAP) (encryption enabled).

i. Click Properties.
j. Select the Validate server certificate check box. Clear the Connect to
these servers check box, and then select Secured Password (EAP-
MSCHAP v2) under Select Authentication Method. Clear the Enable
Fast Reconnect check box, and then select the Enable Quarantine
checks check box.
k. Click OK three times to accept these settings.
7. Test the VPN connection:
a. In the Network Connections window, use the Woodgrovebank
connection object to initiate the VPN connection.
b. Verify that administrator account credentials are entered and that the Save
this user name and password for future use check box is selected, and
then click OK.
c. You are presented with a Validate Server Certificate window the first
time this VPN connection is used. Click View Server Certificate, and
verify Certificate Information states that the certificate was issued to
NYC-SVR1.Woodgrovebank.com by Root CA. Click OK to close the
Certificate window, and then click OK again.
d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant,
it should have unlimited access to the intranet subnet.
e. Open a command prompt and type ipconfig /all to view the
configuration.
f. View the IP configuration. System Quarantine State should be Not
Restricted.
The client now meets the requirement for VPN full connectivity.
g. Disconnect from the Woodgrovebank VPN.
8. Configure Windows Security Health Validator to require an antivirus
application:
a. On NYC-SVR1, open Network Policy Server.
b. Expand Network Access Protection, and then click System Health
Validators.
c. Configure the Windows Security Health Validator to require virus
protection by selecting the check box next to An antivirus application is
on.
d. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
9. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the
Woodgrovebank connection, and then click Connect.
b. Wait for the VPN connection to be made. You might see a message in the
notification area that indicates the computer does not meet health
requirements. This message is displayed because antivirus software has
not been installed.
c. Open a command prompt and type ipconfig /all to view the IP
Configuration. System Quarantine State should be Restricted.
The client does not meet the requirements for the network and therefore
is placed on the restricted network.
Try to ping 10.10.0.24. This should be unsuccessful.
Try to ping 10.10.0.10. This is the only server to which the policy allows
access.
d. Disconnect from Woodgrovebank VPN.

Task 6: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 9
Lab Instructions: Configuring IPsec
Contents:
Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
Exercise 2: Configuring and Testing IPsec NAP Enforcement

Lab: Configuring IPsec NAP Enforcement

Objectives:
• Prepare the network environment for IPsec NAP enforcement
• Configure and test IPsec enforcement

Scenario
Due to recent security-related incidents on the internal network, Woodgrove Bank
wants to implement IPsec policies to mitigate security risks through encryption,
and use Network Access Protection to verify the health of communicating parties
prior to data transmission. The Woodgrove Bank Information Services (IS)
Manager wants you to configure an IPsec Network Access Protection enforcement
environment to mitigate any related future network security issues.

Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
Exercise Overview
In this exercise, you will prepare the environment for IPsec NAP enforcement.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-CL2 virtual
machines.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the NPS, HRA, and CA server roles.
4. Configure HRA with permissions.
5. Configure CA properties on HRA.
6. Configure NPS as a NAP health policy server.
7. Configure system health validators.
8. Configure Certificate AutoEnrollment in Default Domain Group Policy.
9. Configure NYC-CL1 and NYC-CL2 so that Security Center always is enabled.
10. Enable the IPsec enforcement client and configure client health registration
settings.
11. Configure and start the NAP Agent service.
12. Allow ICMP through Windows Firewall.

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-CL2 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-DC1
• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu.

Task 3: Install the NPS, HRA, and CA server roles
1. In Server Manager, add the Network Policy and Access Services role.
2. On the Select Role Services page, select the Health Registration Authority
check box, and then click Add Required Role Services.
3. Select Install a local CA to issue health certificates for this HRA server with
the No, allow anonymous requests for health certificates option.
4. Select Don’t use SSL or Choose a certificate for SSL encryption later.
5. On the Select Role Services page, verify that only the Certification Authority
check box is selected.
6. Install Certificate Services as a Standalone Root CA.
7. Accept the default private key and cryptographic settings.
8. Name the CA Woodgrovebank-RootCA.
9. Accept the default settings for the remainder of the settings and then click
Install.
10. On the Installation Results page, notice that the Network Policy and Access
Services installation succeeded with errors. This is because the CA was
installed after the role was installed, so it could not be reached. Verify that all
other installations were successful, and then click Close.

Task 4: Configure HRA with permissions
1. Open the Certification Authority administrative tool.
2. Open the properties of the WoodgroveBank-RootCA from the list pane.
3. Click the Security tab, click to add the Network Service account, and select
the Allow check boxes for Issue and Manage Certificates, Manage CA, and
Request Certificates.
4. On the Policy Module tab, click Properties, and select Follow the settings in
the certificate template, if applicable. Otherwise, automatically issue the
certificate.
5. Restart the Certification Authority.
6. Close the Certification Authority console.

Task 5: Configure CA properties on HRA
1. On NYC-DC1, create a custom MMC and add the Health Registration
Authority snap-in.
2. In the Health Registration console, right-click Certificate Authority, and add
WoodGroveBank-RootCA by clicking Add Certificate authority.
3. Click Certificate Authority, and verify that
\\NYC-DC1.Woodgrovebank.com\Woodgrovebank-RootCA is displayed in the
details pane.
4. Right-click Certification Authority in the list pane and open the Properties to
verify that Use standalone certification authority is selected.
5. Close the Health Registration Authority console.

Task 6: Configure NPS as a NAP health policy server
1. On NYC-DC1, open the Network Policy Server console.
2. Under Standard Configuration, click Configure NAP.
3. On the Select Network Connection Method for Use with NAP page, select
IPsec with Health Registration Authority (HRA).
4. On the Specify NAP Enforcement Servers Running HRA page and Configure
User Groups and Machine Groups pages, accept the defaults.
5. On the Define NAP Health Policy page, verify that the Windows Security
Health Validator and Enable auto-remediation of client computers check
boxes are selected, and then click Finish on the Completing New Network
Access Protection Policies and RADIUS clients page.
6. Leave the NPS console open for the following task.

Task 7: Configure system health validators
1. In the NPS console tree, click Network Access Protection, and then click
Configure System Health Validators in the details pane.
2. In the details pane, under Name, double-click Windows Security Health
Validator.
3. Click Configure.
4. Clear all check boxes except A firewall is enabled for all network
connections.
5. Click OK twice to close the Windows Security Health Validator and the
Windows Security Health Validator Properties dialog boxes.
6. Close the NPS console.

Task 8: Configure Certificate AutoEnrollment in Default Domain Group Policy
1. On NYC-DC1, open the Group Policy Management console.
2. Edit the Default Domain Policy.
3. Under Computer Configuration, Windows Settings, Security Settings, select
Public Key Policies.
4. Double-click Certificate Services Client – Auto-Enrollment.
5. In the Define Policy Settings dialog box, set the following:
• Configuration Model: Enabled
• Select Renew expired certificates, update pending certificates, and
remove revoked certificates
• Select Update certificates that use certificate templates
6. Click OK, and close the Group Policy Management Editor.
7. Close the Group Policy Management console.

Task 9: Configure NYC-CL1 and NYC-CL2 so that Security Center is always enabled
1. Log on to NYC-CL1 as Woodgrovebank\administrator with the password
Pa$$w0rd.
2. Open the Local Group Policy Editor by typing gpedit.msc in the Start Search
text box.
3. Using the Group Policy Object Editor, open Local Computer
Policy/Computer Configuration/Administrative Templates/Windows
Components/Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled,
and then click OK.
5. Close the Local Group Policy Object Editor console.
6. Repeat steps 1 through 5 on NYC-CL2.

Task 10: Enable the IPsec enforcement client and configure client
health registration settings
1. On NYC-CL1, open the NAP Client Configuration console by typing
napclcfg.msc in the Start Search text box.
2. Enable IPsec Relying Party in the Enforcement Clients details pane.
3. In the NAP Client Configuration console tree, double-click Health
Registration Settings.
4. Add two new Trusted Server Groups, select do not require server
verification, and then click New.
5. Under Add URLs of the health registration authority that you want the
client to trust, type
http://nyc-dc1.woodgrovebank.com/domainhra/hcsrvext.dll, and then click
Add. Type http://nyc-dc1.woodgrovebank.com/nondomainhra/hcsrvext.dll,
click Add, and then click Finish.
6. In the console tree, click Trusted Server Groups, and verify that the URLs are
entered correctly.
7. Close the NAP Client Configuration window.
8. Repeat steps 1 through 7 on NYC-CL2.

Task 11: Configure and start the NAP Agent service
1. On NYC-CL1, open the Services console, set the Startup type in
Network Access Protection Agent Properties to Automatic, and then start
the service.
2. Wait for the NAP agent service to start, and then click OK.
3. Close the Services console.
4. Repeat steps 1 through 3 for NYC-CL2.

Task 12: Allow ICMP through the Windows Firewall
1. On NYC-CL1, click Start and in the Start Search text box, type wf.msc and
then press ENTER.
2. Create a new Custom Inbound Rule for All programs that specifies ICMPv4
Echo Request that uses the default scope with the Action of Allow the
connection. Accept the default profile and name the rule ICMPv4 Echo
Request.
3. Close the Windows Firewall with Advanced Security console.
4. Repeat steps 1 through 3 on NYC-CL2.

Exercise 2: Configuring and Testing IPsec NAP Enforcement
Exercise Overview
In this exercise, you will configure and test IPsec NAP Enforcement.
The main tasks are as follows:
1. Create an IPsec Secure Organizational Unit in Active Directory.
2. Create IPsec policies for secure health enforcement.
3. Move NYC-CL1 and NYC-CL2 to the IPsec Secure OU.
4. Apply group policies.
5. Verify health certificate status.
6. Verify clients can communicate securely.
7. Demonstrate Network Restriction.
8. Close all virtual machines, and discard undo disks.

Task 1: Create an IPsec Secure Organizational Unit in Active Directory
1. On NYC-DC1, open Active Directory Users and Computers and create a new
root-level OU named IPsec Secure.
2. Leave the Active Directory Users and Computers console open.

Task 2: Create IPsec policies for the IPsec Secure OU
1. On NYC-DC1, open the Group Policy Management console.
2. Create and link a new Group Policy Object for the IPsec Secure OU and name
the policy Secure Policy.
3. Edit the Secure Policy to create IPsec policies for all profile states.
a. Open Secure Policy [nyc-dc1.woodgrovebank.com] Policy\Computer
Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security, and open the properties of Windows
Firewall with Advanced Security – LDAP.
b. On the Domain Profile tab, next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default).
Next to Outbound connections, select Allow (default). The same settings
will be used for the private and public profiles.
4. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, right-click Connection Security
Rules, and create a new rule that has Isolation and Require authentication
for inbound connections and request authentication for outbound
connections selected.
5. On the Authentication Method page, select Computer certificate, select the
Only accept health certificates check box, and specify WoodgroveBank-
RootCA.
6. On the Profile page, verify that the Private, Public, and Domain check boxes
are selected. On the Name page type Secure Rule, and then click Finish.
7. Right-click Inbound Rules, and then create a new rule using the predefined
File and Printer Sharing rule with only the Allow the connection if it is
secure option.
8. Close the Group Policy Management Editor console.

Task 3: Move NYC-CL1 and NYC-CL2 into the IPsec Secure OU
1. On NYC-DC1, open Active Directory Users and Computers.
2. Open the Computers container, select NYC-CL1 and NYC-CL2, and drag them
into the IPsec Secure OU.
3. Close the Active Directory Users and Computers console.

Task 4: Apply group policies
1. On NYC-CL1 and NYC-CL2, use gpupdate /force to reapply the changed
Group Policy settings.
2. Verify that the response reads User Policy update has completed
successfully and Computer Policy update has completed successfully.
3. Leave the command windows open for the following procedures.

Task 5: Verify Health certificate status
1. On NYC-CL1, create a custom MMC tool that includes the Certificates snap-in
with Computer account certificates specified for the Local Computer.
2. In the MMC console tree, double-click Certificates (Local Computer),
double-click Personal, and then click Certificates. In the details pane, under
Issued By, verify that WoodGroveBank-RootCA is displayed. Verify that
Intended Purposes shows System Health Authentication.
3. Close the MMC console, and do not save changes.
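
The check in Task 5, scripted as an added example rather than code from the lab manual: it filters the Local Computer Personal store for certificates carrying the System Health Authentication purpose and reports issuer and validity for each. It assumes Windows PowerShell is installed on the client; the function name Get-HealthCertificate and its parameters are hypothetical.

```powershell
# Added example (not part of the lab manual). Lists certificates in the Local
# Computer Personal store that carry the System Health Authentication purpose
# and reports whether each one was issued by the expected CA and is in date.
# Get-HealthCertificate and its parameter names are hypothetical.

# Object identifier of the System Health Authentication enhanced key usage.
$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'

function Get-HealthCertificate {
    param(
        # Certificates to inspect; defaults to the Local Computer Personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = @(Get-ChildItem Cert:\LocalMachine\My),

        # Common name of the CA that the lab's HRA uses.
        [string]
        $IssuerName = 'Woodgrovebank-RootCA'
    )

    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now      = Get-Date

    foreach ($cert in $Certificate) {
        # Gather every purpose OID listed in the Enhanced Key Usage extension.
        $purposes = @()
        foreach ($extension in $cert.Extensions) {
            if ($extension -is $ekuType) {
                foreach ($oid in $extension.EnhancedKeyUsages) { $purposes += $oid.Value }
            }
        }

        # Skip certificates that are not health certificates.
        if ($purposes -notcontains $SystemHealthAuthOid) { continue }

        $issuer = $cert.GetNameInfo($nameType, $true)   # $true = issuer name
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            IssuedBy      = $issuer
            IssuerMatches = ($issuer -eq $IssuerName)    # -eq ignores case
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# No output means the store holds no certificate with the health purpose.
Get-HealthCertificate | Format-List IssuedBy, IssuerMatches, InValidity, NotAfter, Subject
```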

Task 6: Verify clients can communicate securely
1. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and then press ENTER.
2. Confirm that the command completed successfully.
3. Verify that you can view the contents of the share.
4. Open Windows Firewall with Advanced Security on NYC-CL1.
5. In the Windows Firewall with Advanced Security console list pane, expand
Monitoring, expand Security Associations and select Main Mode.
6. In the details pane, you should see an entry for secure communications
between NYC-CL1 and NYC-CL2. Double-click the entry and review the
contents of the General tab. You should see Computer certificate for First
Authentication, Encryption using AES-128 and Integrity accomplished
using SHA1.
7. Close the dialog box, and close Windows Firewall with Advanced Security.

Task 7: Demonstrate Network Restriction

Note: Automatic updates will be required for NAP compliance by enabling this
system health check in the Windows Security Health Validator.

1. On NYC-DC1, open Network Access Protection, and then click System
Health Validators.
2. Configure the Windows Security Health Validator: under Automatic
Updating, select the Automatic updating is enabled check box, and then
click OK twice.

Note: To demonstrate network restriction of noncompliant clients, auto-remediation
of client computers must be disabled in the noncompliant network policy.

3. In the Network Policy Server console tree, click Network Policies.
4. In the details pane, double-click NAP IPsec with HRA Noncompliant.
5. Click the Settings tab, click NAP Enforcement, clear the Enable auto-
remediation of client computers check box, and then click OK.
6. Close the Network Policy Server console.
7. On NYC-CL1, in the command window, type ping -t NYC-CL2, and then press
ENTER. A continuous ping will run from NYC-CL1 to NYC-CL2. This should
be successful.
8. On NYC-CL2, on the Security control panel, select Turn automatic updating
on or off, select Never check for updates (not recommended), and then click
OK. This setting causes NYC-CL2 to be noncompliant with network health
policy. Because auto-remediation has been disabled, NYC-CL2 will remain in a
noncompliant state and will be placed on the restricted network.

Note: Do not close the Security control panel on NYC-CL2. You will use it to
reenable Windows Update in a future step.

9. On NYC-CL1, verify that the response in the command window has changed
to Request timed out.
10. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and verify the share is inaccessible.
11. On NYC-CL2, in the Security control panel under Windows Update, click
Turn automatic updating on or off, select Install updates automatically
(recommended), and then click OK. This setting will cause NYC-CL2 to send
a new SoH that indicates it is compliant with network health requirements,
and NYC-CL2 will be granted full network access.
12. On NYC-CL1, verify that the response in the command window changes to
Reply from 10.10.0.60. It might take a minute before you see the change in
status.
13. Verify that you can browse the share of NYC-CL2 (\\NYC-CL2\).
14. Close all open windows.

Task 8: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 10
Lab Instructions: Monitoring and
Troubleshooting IPSec
Contents:
Exercise 1: Monitoring IPSec Connectivity
Exercise 2: Configuring Connection Security
Exercise 3: Troubleshooting IPSec

Lab: Monitoring and Troubleshooting IPSec

Objectives
• Monitor IPsec connectivity
• Configure connection security
• Troubleshoot IPsec

Scenario:
The Windows Infrastructure Services Technology Specialist has been tasked with
extending an existing network infrastructure to include the IPsec functionality.
Using the IP Security Monitor and Windows Firewall with Advanced Security snap-
ins, you can view IP security statistics and policies, determine if IPsec is failing
negotiations, and monitor IPsec statistics. Troubleshooting escalations are being
sent to you.

Exercise 1: Monitoring IPSec Connectivity
Exercise Overview
In this exercise, you will enable an IPsec policy and then view the connection using
IP Security Monitor.
The main tasks are as follows:
1. Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines.
2. Create an IPsec negotiation policy on NYC-DC1.
3. Export the policy from NYC-DC1.
4. Import the security policy to NYC-SVR1.
5. Use IP Security Monitor to validate that the negotiation policy is working.

Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create an IPSec negotiation policy on NYC-DC1
1. Configure a couple of IPsec policies that secure TCP and UDP traffic by using
the Local Security Policy MMC found in Administrative Tools.
• Source Port: 445
• Destination Port: Any
2. Filter for IP traffic coming from any IP address going to any IP address.

Task 3: Export the policy from NYC-DC1
• In the Local Security Policy MMC console, export the IPSec policies to a file on
NYC-SVR1 (save to D:\LabFiles\Module10\IPSecurityPolicy.ipsec).

Task 4: Import the security policy to NYC-SVR1
• On NYC-SVR1, import the IPSec policies using the Local Security Policy MMC.

Task 5: Use IP Security Monitor to validate that the negotiation policy is working
1. Enable the IP Security Policies on both computers.
2. Using the Run command, load a blank console and add the IP Security
Monitor snap-in.
3. Establish a file share connection between NYC-SVR1 and NYC-DC1.
4. Monitor the secure connection information in the IP Security Monitor console.

Exercise 2: Configuring Connection Security
Exercise Overview
In this exercise, you will configure a connection security rule in Windows Firewall
with Advanced Security, and then use the Security Associations mode to monitor
the connection.
The main tasks are as follows:
1. Disable the IP Security Policy that you created in the previous exercise.
2. Configure a Security Association rule in the Windows Firewall with Advanced
Security MMC.
3. Monitor the connection using the Security Association node.
4. Close all virtual machines, and discard undo disks.

Task 1: Disable the IP Security Policy that you created in the previous
exercise
1. Disable the IP Security Policy on NYC-DC1.
2. Disable the IP Security Policy on NYC-SVR1.

Task 2: Configure a Security Association rule in the Windows Firewall with Advanced Security MMC
1. On NYC-DC1, open Windows Firewall with Advanced Security.
2. Create a new rule in Connection Security Rules.
3. Select a Server-to-Server rule with Any IP Address for Endpoints.
4. Select Require authentication for inbound and outbound connections.
5. Select PreShared Key with a password of Pa$$w0rd.
6. Apply the rule to the Domain, Private, and Public profiles.
7. Create the same rule on NYC-SVR1 and use the same Preshared Key.

Task 3: Monitor the connection using the Security Association node
1. Establish communication between NYC-SVR1 and NYC-DC1.
2. Review the Main Mode and Quick Mode nodes to view the status of the
Connection Security rule.

Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Exercise 3: Troubleshooting IPSec
Exercise Overview
In this exercise, you will review scenarios outlining common issues that can occur
when troubleshooting IPsec, and then you will discuss possible solutions.

Scenario 1
An administrator is attempting to connect to a remote computer and monitor its
IPsec connectivity. The administrator reports that he is unable to monitor the
remote server. You ask him to use the Event Viewer to identify the problem, and in
doing so, the administrator notes the following error: “The IPsec server is
unavailable or incompatible with the IPsec monitor.”

Question: What can you do to resolve this issue?

Scenario 2
An administrator has configured and enabled an IPsec Security policy on a file
server that stores sensitive data files. The administrator also has created an Active
Directory-based policy and applied it to the organizational unit (OU) of clients that
are permitted access to the secure server. The next day, the Backup Administrator,
who must back up the secure server, reports that he was unable to access the
secure server from the backup server. The backup server’s computer account is
stored in an administrative OU separate from the clients’ OU.

Question: Based on the information provided, why is the backup server unable to
access the secure server?

Module 11
Lab Instructions: Configuring and Managing
Distributed File System
Contents:
Exercise 1: Installing the Distributed File System Role Service
Exercise 2: Creating a DFS Namespace
Exercise 3: Configuring Folder Targets and Folder Replication
Exercise 4: Viewing Diagnostic Reports for Replicated Folders

Lab: Configuring DFS

Objectives
• Install the Distributed File System Role Service
• Create a DFS Namespace
• Configure Folder Targets and Folder Replication
• View Diagnostic Reports

Logon Information
• Virtual Machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd

Scenario
You are a Windows Infrastructure Services Technology Specialist for Woodgrove
Bank. To simplify file access for users and provide high availability and
redundancy, you will implement a DFS solution for a number of disparate file
shares. For this project, you must complete the following tasks:
• Install the Distributed File System role service to include DFS namespaces
and DFS replication.
• Create a domain-based DFS namespace called CorpDocs with NYC-DC1 and
NYC-SVR1 as host namespace servers.
• Add the following Folders to the CorpDocs namespace:
• HRTemplates - folder target located on NYC-DC1
• PolicyFiles - folder target located on NYC-SVR1
• Configure availability and redundancy by adding additional folder targets and
replicating the folder targets in the CorpDocs namespace.
• Provide reports on the health of the CorpDocs folder replication.

Exercise 1: Installing the Distributed File System Role Service
In this exercise, you will install the Distributed File System Role Service on both
NYC-DC1 and NYC-SVR1. This will provide redundancy for the CorpDocs
namespace and allow clients to contact the namespace server within their own site.
The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Disable Local Area Connection 2 on NYC-SVR1.
3. Install the Distributed File System Role Service on NYC-DC1.
4. Install the Distributed File System Role Service on NYC-SVR1.

Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Disable Local Area Connection 2 on NYC-SVR1
• On NYC-SVR1, disable the network adapter named Local Area Connection 2.

Task 3: Install the Distributed File System Role Service on NYC-DC1
1. On NYC-DC1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication options.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are installed.

Task 4: Install the Distributed File System Role Service on NYC-SVR1
1. On NYC-SVR1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service
including the DFS Namespaces and DFS Replication options.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File
System, DFS Namespaces, and DFS Replication are all installed.

Exercise 2: Creating a DFS Namespace
In this exercise, you will create the CorpDocs DFS namespace. You also will
configure both NYC-DC1 and NYC-SVR1 to host the CorpDocs namespace to
provide redundancy.
The main tasks for this exercise are as follows:
1. Raise the domain functional level.
2. Use the New Namespace Wizard to create a new namespace.
3. Add an additional namespace server to host the namespace.

Task 1: Raise the domain functional level
• On NYC-DC1, open Active Directory Users and Computers, and raise the
domain functional level to Windows Server 2008.

Task 2: Use the New Namespace Wizard to create a new namespace
1. On NYC-DC1, start the DFS Management console.
2. Use the New Namespaces Wizard to create a namespace with the following
options:
• Namespace Server: NYC-DC1
• Namespace Name and Settings: CorpDocs
• Namespace Type: Domain-based namespace
3. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
4. Verify that the CorpDocs namespace has been created on NYC-DC1.

Task 3: Add an additional namespace server to host the namespace
1. On NYC-DC1, in the DFS Management console, use the Add Namespace
Server Wizard to add a new namespace server with the following options:
• Namespace server: NYC-SVR1
• Click Yes to start the Distributed File System service
2. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.

Exercise 3: Configuring Folder Targets and Folder Replication
In this exercise, you initially will create folder targets on two separate servers and
then verify that the CorpDocs namespace functions correctly. You then will add
availability and redundancy by creating additional folder targets and configuring
replication.
The main tasks for this exercise are as follows:
1. Create the HRTemplates folder, and configure a folder target on NYC-DC1.
2. Create the PolicyFiles folder, and configure a folder target on NYC-SVR1.
3. Verify the CorpDocs namespace functionality.
4. Create additional folder targets for the HRTemplates folder, and then
configure folder replication.
5. Create additional folder targets for the PolicyFiles folder, and then configure
folder replication.

Task 1: Create the HRTemplates folder, and configure a folder target on NYC-DC1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called HRTemplates.
3. Add a new folder target called HRTemplateFiles using the following options:
• Click the New Shared Folder button.
• Share Name: HRTemplateFiles
• Local path of shared folder: C:\HRTemplateFiles
• Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, click \\WoodgroveBank.com\CorpDocs.
5. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
6. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then
click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
7. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1
1. On NYC-DC1, in the DFS Management console, right-click
\\WoodgroveBank.com\CorpDocs.
2. Create a new folder called PolicyFiles.
3. Add a new Folder target called PolicyFiles using the following options:
• Click the New Shared Folder button.
• Share Name: PolicyFiles
• Local path of shared folder: C:\Policyfiles
• Shared Folder Permissions: Administrators have full access; other users
have read-only permissions
4. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then
click PolicyFiles. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.

Task 3: Verify the CorpDocs namespace functionality
1. On NYC-DC1, click Start and then click Run.
2. Access the \\WoodgroveBank\CorpDocs namespace, and verify that both
HRTemplates and PolicyFiles are visible. (If they are not visible, wait for
approximately five minutes to complete.)
3. In the HRTemplates folder, create a new Rich Text Document file called
VacationRequest.
4. In the PolicyFiles folder, create a new Rich Text Document file called
OrderPolicies.

Task 4: Create additional folder targets for the HRTemplates folder,
and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
• Path to folder target: \\NYC-SVR1\HRTemplates
• Create share: Yes
• Local Path of shared folder: C:\HRTemplates
• Shared folder permissions: Administrators have full access; other users
have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\hrtemplates
• Replicated folder name: HRTemplates
• Primary member: NYC-DC1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\hrtemplates.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Task 5: Create additional folder targets for the PolicyFiles folder, and
then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
• Path to folder target: \\NYC-DC1\PolicyFiles
• Create share: Yes
• Local Path of shared folder: C:\PolicyFiles
• Shared folder permissions: Administrators have full access; other users
have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\policyfiles
• Replicated folder name: PolicyFiles
• Primary member: NYC-SVR1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Exercise 4: Viewing Diagnostic Reports for Replicated
Folders
In this exercise, you will generate a diagnostic report to view the folder replication
status.
The main tasks for this exercise are as follows:
1. Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates.
2. Close all virtual machines, and discard undo disks.

Task 1: Create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, create a diagnostic report for
woodgrovebank.com\corpdocs\hrtemplates based upon the following
options:
• Type of Diagnostic Report or Test: health report
• Path and Name: default
• Members to include: NYC-DC1 and NYC-SVR1
• Options: Backlogged files enabled; Count replicated files enabled
2. Read through the report and take note of any errors or warnings. When you
are finished, close the Microsoft Internet Explorer® window.
3. Create a diagnostic report for the policyfiles replication group. Read through
the report and take note of any errors or warnings. When you are finished,
close the Internet Explorer window. Note that there may be errors reported if
replication has not yet begun or finished.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 12
Lab Instructions: Configuring and Managing
Storage Technologies
Contents:
Exercise 1: Installing the FSRM Role Service
Exercise 2: Configuring Storage Quotas
Exercise 3: Configuring File Screening
Exercise 4: Generating Storage Reports

Lab: Configuring and Managing Storage
Technologies

Objectives
• Install the FSRM role service
• Configure storage quotas
• Configure file screening
• Generate storage reports using FSRM

Logon Information
• Virtual Machines: 6421A-NYC-DC1 and 6421A-NYC-SVR1
• User Name: Administrator
• Password: Pa$$w0rd

Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have
been tasked with configuring storage on a server to comply with corporate
standards. You must create the storage with minimal long-term management by
utilizing file screening and quota management.

Exercise 1: Installing the FSRM Role Service


In this exercise, you will install the FSRM role service.
The main tasks for this exercise are as follows:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Install the FSRM server role on NYC-SVR1.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the FSRM server role on NYC-SVR1
• Using Server Manager, install the File Server Resource Manager role service.
The role service is located under the File Services role.

Exercise 2: Configuring Storage Quotas


In this exercise, you must configure a quota template that allows users a maximum
of 100 MB of data in their user folders. When users exceed 85 percent of the quota,
or when they attempt to add files larger than 100 MB, an event should be logged to
the Event Viewer on the server.
The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is working by generating several large files.

Task 1: Create a quota template
• In the File Server Resource Manager console, use the Quota Templates node
to configure a template that sets a hard limit of 100 MB on the maximum
folder size. Make sure this template also notifies the Event Viewer when the
folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template
1. Use the File Server Resource Manager console and the Quotas node to create
a quota in the D:\Labfiles\Module12\Users folder by using the quota
template that you created in Task 1.
2. Create an additional folder named User4 in the D:\Labfiles\Module12\Users
folder, and ensure that the new folder is listed in the quotas list.

Task 3: Test that the quota is working by generating several large files
1. Open a command prompt and use the fsutil file createnew file1.txt
89400000 command to create a file in the
D:\Labfiles\Module12\Users\User1 folder.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000
bytes, and then press ENTER.
4. Enable NTFS folder compression for the D:\Labfiles\Module12\Users folder.
Check to see what effect this has in the Quota console. Try again to create a
file that is 16,400,000 bytes.

Exercise 3: Configuring File Screening


In this exercise, you will configure file screening to monitor executable files.
The main tasks for this exercise are as follows:
1. Create a file screen.
2. Test the file screen.

Task 1: Create a file screen
1. On NYC-SVR1, in the File Server Resource Manager console, use the File
Screens node to create a file screen that monitors executable files in the
D:\Labfiles\Module12\Users folder. When an executable is dropped into the
folder, the file screen will log an 8215 event in the Event Viewer.
2. Test the file screen by copying example.bat from D:\Labfiles\Module12 to
the D:\Labfiles\Module12\Users\User1 folder. Verify that the file screen is
working in the Event Viewer.

Task 2: Test the file screen
1. Copy and paste D:\Labfiles\Module12\example.bat to
D:\Labfiles\Module12\Users\user1.
2. Open the Event Viewer and check the application log for Event ID 8215.
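
The event checks in Exercise 2, Task 3 and in Task 2 above can also be made from PowerShell. The script below is an added example, not part of the courseware: it shows why the lab's file sizes cross the 85 percent and 100 percent marks, then looks for Event IDs 12325 and 8215. It assumes PowerShell 2.0 or later on NYC-SVR1, that FSRM counts 1 MB as 1,048,576 bytes, and that both events are written to the Application log; Get-LabFsrmEvent is a hypothetical helper name.

```powershell
# Added example, not part of the courseware. Run on NYC-SVR1 in an elevated
# PowerShell 2.0 (or later) session after the quota and file screen tests.

# Why the lab's file sizes trip the quota template.
# Assumptions: FSRM counts 1 MB as 1,048,576 bytes and User1 starts out empty.
$limit      = 100MB                  # hard limit from the quota template
$warnAt     = [long]($limit * 0.85)  # 85 percent notification threshold
$firstFile  = 89400000               # fsutil file createnew file1.txt 89400000
$secondFile = 16400000               # size of the second file the lab attempts

New-Object PSObject -Property @{
    LimitBytes                = $limit
    WarnThresholdBytes        = $warnAt
    FirstFileCrossesThreshold = ($firstFile -ge $warnAt)
    SecondFileExceedsLimit    = (($firstFile + $secondFile) -gt $limit)
} | Format-List

# Event IDs named in the lab steps.
$expected = @{
    12325 = 'Quota threshold reached (Exercise 2, Task 3)'
    8215  = 'Executable matched the file screen (Exercise 3, Task 2)'
}

function Get-LabFsrmEvent {
    param(
        [int[]]$Id = @(12325, 8215),
        [datetime]$Since = (Get-Date).AddHours(-2)   # assumed length of the lab session
    )

    # Assumption: both events are in the Application log (the lab states this
    # only for 8215). Get-WinEvent raises an error when nothing matches, so the
    # error is suppressed and an empty result is reported as Found = False.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = $Id
        StartTime = $Since
    } -ErrorAction SilentlyContinue)

    foreach ($eventId in $Id) {
        # Get-WinEvent returns the newest event first.
        $hits   = @($events | Where-Object { $_.Id -eq $eventId })
        $latest = $null
        $source = $null
        if ($hits.Count -gt 0) {
            $latest = $hits[0].TimeCreated
            $source = $hits[0].ProviderName
        }

        New-Object PSObject -Property @{
            EventId = $eventId
            Found   = ($hits.Count -gt 0)
            Count   = $hits.Count
            Latest  = $latest
            Source  = $source
            Meaning = $expected[$eventId]
        } | Select-Object EventId, Found, Count, Latest, Source, Meaning
    }
}

Get-LabFsrmEvent | Format-Table -AutoSize
```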

Exercise 4: Generating Storage Reports


In this exercise, you will generate an on-demand storage report.
The main tasks for this exercise are as follows:
1. Generate an on-demand storage report.
2. Close all virtual machines, and discard undo disks.

Task 1: Generate an on-demand storage report
• In the File Server Resource Manager console, use the Generate reports now
option in the Reports node to generate a File Screening Audit and Quota
Usage report on the D:\Labfiles\Module12\Users folder.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 13
Lab Instructions: Configuring Availability of
Network Resources and Content
Contents:
Exercise 1: Configuring Windows Server Backup and
Restore
Exercise 2: Configuring Shadow Copying
Exercise 3: Configuring Network Load Balancing

Lab: Configuring Availability of Network
Resources

Objectives
• Configure Windows Server Backup and Restore
• Configure shadow copies
• Configure and test Network Load Balancing

Scenario
The Windows Infrastructure Services (WIS) Technology Specialist has been tasked
with configuring disaster recovery restore and availability for all critical services.

Exercise 1: Configuring Windows Server Backup and
Restore
In this exercise, you will configure Windows Server Backup.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Open the Server Manager tool on 6421A-NYC-DC1.
3. Install the Windows Server Backup feature.
4. Create a share on 6421A-NYC-SVR1.
5. Manually back up files to a network location.
6. Restore files from a network location.

Task 1: Start the virtual machines, and then log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-DC1
• If necessary, on 6421A-NYC-DC1, open Server Manager from the
Administrative Tools menu.

Task 3: Install the Windows Server Backup feature
1. On NYC-DC1, open Server Manager.
2. Using Server Manager, install the Windows Server Backup feature.
3. On the Installation Results page, verify that the Windows Server Backup
installation succeeded, and then click Close.
4. Close Server Manager.

Task 4: Create a share on 6421A-NYC-SVR1
1. On NYC-SVR1, open the Computer Management administrative tool.
2. In the Computer Management list pane, expand Shared Folders, and then
right-click Shares.
3. In the context menu that appears, click New Share.
4. Using the New Share Wizard, create a new share on the C:\ drive called
NetBackup.
5. On the Shared Folder Permissions page, select Administrators have full
access; other users have no access, and then click Finish.

Task 5: Manually back up files to a network location
1. On NYC-DC1, open the Windows Server Backup administrative tool from the
Start menu, Administrative Tools location.
2. On the Actions pane of the Windows Server Backup (Local) window, select
Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Next.
4. On the Specify backup type page, select Custom, and then click Next.
5. On the Select backup items page, clear the Enable system recovery and
Local Disk (C:) check boxes, select Allfiles (D:), and then click Next.
6. On the Specify destination type page, select Remote Shared Folder, and then
click Next.
7. On the Specify Remote Folder page, type the path \\NYC-SVR1\NetBackup,
and then click Next.
8. On the Specify VSS backup type page, select VSS full backup, and then click
Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, verify the status is Backup Completed, and
then click Close.

Task 6: Restore files from a network location
1. Click Start, click Computer, and then double-click Allfiles (D:).
2. In the details pane of the Allfiles (D:) window, delete the AllFiles directory,
and then close the Allfiles (D:) window.
3. On the Windows Server Backup page, under Actions, select Recover.
4. On the Recovery Wizard, Getting started page, select Another server, and
then click Next.
5. On the Specify Location Type page, select Remote shared folder, and then
click Next.
6. On the Specify remote folder page, type \\NYC-SVR1\NetBackup, and then
click Next.
7. On the Select backup date page, click today’s date (in bold), and then click
Next.
8. On the Select recovery type page, accept the default of Files and folders, and
then click Next.
9. On the Select Items to Recover page, expand NYC-DC1, expand Allfiles (D:),
select Labfiles, and then click Next.
10. On the Specify recovery options page, accept the default settings, and then
click Next.
11. On the Confirmation page, click Recover.
12. In the Recovery Progress window, verify the status is Restore of Files
completed, and then click Close.
13. Close the Windows Server Backup tool.

Exercise 2: Configuring Shadow Copying


In this exercise, you will configure and test shadow copies.
The main tasks are as follows:
1. Enable shadow copies on a volume.
2. Change a file in a share location.
3. Manually create a shadow copy.
4. View the previous file versions, and restore to a previous version.

Task 1: Enable shadow copies on a volume
1. On NYC-DC1, open the Computer Management console.
2. In the Computer Management window console tree, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
3. In the Shadow Copies dialog box, select volume D:\, and then click Enable.
4. In the Enable Shadow Copies dialog box that appears, click Yes, and then
click OK.
5. Do not close the Computer Management console.

Task 2: Change a file in a share location
1. On NYC-CL1, click Start, and in the search text box type
\\NYC-DC1\shadow.
A window will open with the Shadow share contents visible.
2. Open the shadowtest.txt file.
3. Add the following text to the end of the text file:
This is my text that I am adding to the file.
4. Save and close the shadowtest.txt file.

Task 3: Manually create a shadow copy
1. On NYC-DC1, in the Computer Management console, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, select volume D:\, and then click Create
Now.
The shadow copies of the selected volume should have two entries listed.
3. Close the Computer Management console.

Task 4: View the previous file versions, and restore to a previous
version
1. On NYC-CL1, click Start, type \\NYC-DC1\shadow in the Search text box,
and then press ENTER.
2. Right-click shadowtest.txt and select Properties from the context menu.
3. In the shadowtest Properties dialog box, click the Previous Versions tab.
4. Under File Versions, you will see the last shadow copy that you created. Click
Open to view the file contents. The file you are viewing should be the previous
file version that you modified with text.
5. Close the file and select Restore from the Previous Versions window to
restore the file to its previous state before any changes were made.
6. In the Previous Versions dialog box, click OK.
7. Click OK to close the shadowtest Properties dialog box.

Exercise 3: Configuring Network Load Balancing


In this exercise, you will configure Network Load Balancing.
The main tasks are as follows:
1. Install the Network Load Balancing feature on NYC-DC1 and NYC-SVR1.
2. Configure Network Load Balancing on NYC-DC1 and NYC-SVR1.
3. Install and share an IP-based printer on both NYC-DC1 and NYC-SVR1.
4. Use NYC-CL1 to connect to the NLB virtual IP address.
5. Close all virtual machines, and discard undo disks.

Task 1: Install the Network Load Balancing feature on NYC-DC1 and
NYC-SVR1
1. On NYC-DC1, open Server Manager.
2. In the Server Manager list pane, right-click Features, and install Network
Load Balancing.
3. On the Results page, verify the installation succeeded, and then close the Add
Features Wizard.
4. Repeat steps 1 through 3 for NYC-SVR1.
5. Close Server Manager on both NYC-DC1 and NYC-SVR1.

Task 2: Configure Network Load Balancing on NYC-DC1 and
NYC-SVR1
1. On NYC-DC1, open Network Load Balancing Manager.
2. In the Network Load Balancing Manager console, right-click Network Load
Balancing Clusters in the list pane, and then click New Cluster.
3. In the New Cluster: Connect dialog box, type the hostname NYC-DC1, and
then click Connect. You should see the Interface Name section populate with
that interface’s Local Area Connection and IP address. Click Next.
4. In the New Cluster: Host Parameters dialog box, verify the default state is
Started, and then click Next.
5. In the New Cluster: Cluster IP Addresses dialog box, click Add, and specify
an IPv4 cluster IP of 10.10.0.100 with a Subnet Mask of 255.255.0.0, and
then click OK.
6. In the New Cluster: Cluster Parameters dialog box, type a Full Internet
Name of printSVR.woodgrovebank.com. Specify a cluster operation mode of
Multicast, and then click Next.
7. In the New Cluster: Port Rules dialog box, click Finish.
8. In the Network Load Balancing Manager console list pane, right-click
printSVR.woodgrovebank.com, and then click Add Host to Cluster from
the context menu.
9. In the Add Host to Cluster: Connect dialog box, specify the host as
NYC-SVR1, and then click Connect.
10. In the Interfaces available for configuring the cluster, click Local Area
Connection, and then click Next.
11. In the Add Host to Cluster: Host Parameters dialog box, accept the default
settings, and then click Next.
12. In the Add Host to Cluster: Port Rules, accept the default settings, and then
click Finish.
13. Close the Network Load Balancing Manager console window.

Task 3: Install and share an IP-based printer on both NYC-DC1 and
NYC-SVR1
1. On NYC-DC1, click Start, click Control Panel, and then double-click the
Printers applet.
2. In the Printers console details pane, double-click Add Printer.
3. Add a local printer with a Standard TCP/IP Port with an address of
10.10.0.80. Clear the Query the printer and automatically select the driver
to use check box, and then click Next.
4. Wait for the detection of the TCP/IP port to complete, and then in the
Additional Port information Required dialog box, click Next.
5. In the Install the printer driver dialog box, specify the manufacturer of HP
and the printer model of LaserJet 6MP, and then click Next.
6. In the Type a printer name dialog box, accept the default settings, and then
click Next.
7. In the Printer Sharing dialog box, accept the default name, and then click
Next.
8. In the You’ve successfully added HP LaserJet 6MP dialog box, click Finish.
9. Close the Printers control panel applet.
10. Repeat steps 1 through 9 on NYC-SVR1.

Task 4: Use NYC-CL1 to connect to the NLB virtual IP address
1. On NYC-CL1, click Start, type \\10.10.0.100 in the Start Search text box,
and then press ENTER.
2. Take note of the available NLB cluster resources.

Task 5: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 14
Lab Instructions: Configuring Server Security
Compliance
Contents:
Exercise 1: Configuring and Analyzing Security
Exercise 2: Analyzing Security Templates
Exercise 3: Configuring Windows Software Update
Services

Lab: Configuring Server Security Compliance

Objectives
• Configure and analyze security using the Security Configuration Wizard
(SCW).
• Use the Security Configuration and Analysis Wizard to analyze security
templates.
• Configure Windows Software Update Services (WSUS).

Scenario
As the Windows Infrastructure Services Technology Specialist, you have been
tasked with configuring and managing server and client security patch compliance.
You must ensure systems maintain compliance with corporate standards.

Exercise 1: Configuring and Analyzing Security


In this exercise, you will configure and analyze security using the Security
Configuration Wizard.
The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Open the Security Configuration Wizard on 6421A-NYC-SVR1, and use the
wizard to configure security for a particular server role.

Task 1: Start the virtual machines, and then log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Security Configuration Wizard on NYC-SVR1
1. On NYC-SVR1, open the Security Configuration Wizard from the
Administrative Tools menu.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, under Select the action you want to
perform, ensure that Create a new security policy is selected, and then click
Next.
4. On the Select Server page, verify the server specified in the Server text box is
NYC-SVR1, and then click Next.
5. On the Processing Security Configuration Database page, wait for the
process to complete, and then select View Configuration Database.
6. When the Security Configuration Wizard (SCW) Viewer opens, a Microsoft
Internet Explorer® message box may appear asking for permission to allow an
ActiveX control. Click Yes in this message box.
7. Scroll through and read the list of Server Roles, Client Features,
Administration and Other Options, Services and Windows Firewall.
8. Close SCW Viewer, and then click Next.
9. On the Role-Based Service Configuration, Select Server Roles, Select Client
Features, Select Administration and Other Options, and Select Additional
Services pages, accept the default settings, and then click Next.
10. On the Handling Unspecified Services page, verify that Do not change the
startup mode of the service is selected, and then click Next.
11. On the Confirm Service Changes page, scroll through the list and note which
ones are being disabled, and then click Next.
12. On the Network Security page, click Next to start configuring network
security.
13. On the Network Security Rules page, scroll through the list of ports that will
be opened, and then click Next.
14. On the Registry Settings and Audit Policy pages, select Skip this section, and
then click Next.
15. On the Save Security Policy page, click Next.
16. On the Security Policy File Name page, specify a name of
NewMemberSVR.xml at the end of the
C:\Windows\Security\msscw\Policies path that is listed, and then click
Next.
17. On the Apply Security Policy page, select Apply Now, and then click Next.
The Applying Security Policy page appears, and the wizard prepares and
applies the policy.
19. When Application Complete appears above the status bar, click Next.
20. On the Completing the Security Configuration Wizard page, click Finish.

Exercise 2: Analyzing Security Templates


In this exercise, you will analyze security templates.
The main tasks are as follows:
1. Create a customized Microsoft Management Console (MMC).
2. Analyze current computer settings against secure template settings.
3. Configure the computer with the secure template settings.

Task 1: Create a customized Microsoft Management Console (MMC)
1. On NYC-SVR1, create a custom MMC with the Security Templates and
Security Configuration and Analysis snap-ins.
2. Using the Console1 MMC created above, create a new template with a name of
Secure.
3. Expand the Secure policy, expand Local Policies, and then select Security
Options.
4. Double-click Interactive Logon: Do not display last user name.
5. Select the Define this policy setting in the template check box, click
Enabled, and then click OK.
6. Save the Secure template.
7. Leave the Console1 MMC open for the next task.

Task 2: Analyze current settings against secure template settings
1. In the Console1 MMC list pane, right-click Security Configuration and
Analysis, and then click Open Database.
2. In the Open Database dialog box, type a file name of Secure, and then click
Open.
3. In the Import Template dialog box, select the Secure template, and then click
Open.
4. In the Console1 MMC list pane, right-click Security Configuration and
Analysis, and then click Analyze Computer Now.
5. In the Perform Analysis dialog box, click OK to accept the default log name.
6. When the analysis is complete, in the list pane, expand Security
Configuration and Analysis, expand Local Policies, and then select Security
Options.
7. Scroll down to Interactive Logon: Do not display last user name and
compare the database setting to the computer setting. You should see a red “x”
on the item, which indicates that the settings are different between the
computer and database settings.
8. Leave the Console1 MMC open for the next task.

Task 3: Configure the computer with the secure template settings
1. In the Console1 MMC window list pane, right-click Security Configuration
and Analysis, and then select Configure Computer Now from the available
options.
The template is applied to the computer.
2. From the list pane of the Console1 MMC, right-click Security Configuration
and Analysis, and then select Analyze Computer Now.
3. In the Perform Analysis dialog box, click OK to accept the default log.
4. When the analysis is complete, expand Local Policies, and then select
Security Options.
5. Scroll down to Interactive Logon: Do not display last user name, and verify
that a check mark appears indicating that the database and computer settings
are the same.
6. Close the Console1 MMC window.
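
The comparison that Analyze Computer Now performs for a Security Options entry can be reproduced by reading the template's [Registry Values] section and checking each entry against the live registry. The script below is an added example, not part of the courseware; it is read-only, the template text is a constructed sample holding only the setting defined in Task 1, and Compare-TemplateRegistryValue is a hypothetical helper name.

```powershell
# Added example, not part of the courseware. Read-only: it changes no settings.

# Constructed sample of the lab's Secure template, holding the one setting
# defined in Task 1 (Interactive logon: Do not display last user name).
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@

function Compare-TemplateRegistryValue {
    param([string[]]$TemplateLine)

    $inSection = $false
    foreach ($raw in $TemplateLine) {
        $line = $raw.Trim()

        if ($line -match '^\[(.+)\]$') {
            # Only the [Registry Values] section is compared here.
            $inSection = ($Matches[1] -eq 'Registry Values')
            continue
        }
        if (-not $inSection) { continue }

        # Entry format: MACHINE\<key path>\<value name>=<type>,<data>
        if ($line -match '^MACHINE\\(.+)\\([^\\=]+)=(\d+),(.*)$') {
            $keyPath = $Matches[1]
            $name    = $Matches[2]
            $type    = [int]$Matches[3]
            $wanted  = $Matches[4].Trim('"')

            $item   = Get-ItemProperty -Path "HKLM:\$keyPath" -Name $name -ErrorAction SilentlyContinue
            $actual = $null
            if ($item) { $actual = $item.$name }

            # Type 1 is a string and type 4 a DWORD. Other types (binary,
            # multi-string) are listed in the output as NotCompared.
            if ($type -ne 1 -and $type -ne 4) {
                $status = 'NotCompared'
            } elseif ($null -eq $actual) {
                $status = 'NotDefined'      # value absent on this computer
            } elseif ([string]$actual -eq $wanted) {
                $status = 'Match'           # the check mark in the console
            } else {
                $status = 'Mismatch'        # the red x in the console
            }

            New-Object PSObject -Property @{
                Setting  = $name
                Template = $wanted
                Computer = $actual
                Status   = $status
            } | Select-Object Setting, Template, Computer, Status
        }
    }
}

# Compare the constructed sample. To check the template saved in the lab,
# pass (Get-Content '<path to Secure.inf>') instead; the path is a placeholder.
Compare-TemplateRegistryValue -TemplateLine ($sampleTemplate -split '\r?\n') |
    Format-Table -AutoSize
```

Run before Task 3, the entry is expected to report Mismatch or NotDefined; after Configure Computer Now it should report Match.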

Exercise 3: Configuring Windows Software Update Services


In this exercise, you will configure WSUS.
The main tasks are as follows:
1. Use the Group Policy Management Console to create and link a GPO to the
domain to configure client updates.
2. Use the WSUS administration tool to configure WSUS properties.
3. Create a computer group, and add NYC-CL2 to the new group.
4. Approve an update for Windows Vista clients.
5. Close all virtual machines, and discard undo disks.

Task 1: Use the Group Policy Management Console to create and link
a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management from the Administrative
Tools menu.
2. In the list pane, right-click WoodGroveBank.com, click Create a GPO in this
domain, and Link it here, and name the GPO WSUS.
3. Right-click the WSUS GPO link under WoodGroveBank.com, and then click
Edit.
4. In the Group Policy Management Editor window, expand Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
5. In the details pane, double-click Configure Automatic Updates.
6. In the Configure Automatic Updates Properties dialog box, on the Settings
tab, select Enabled. In the Configure automatic updating drop-down list,
click 4 - Auto download and schedule the install, and then click Next
Setting.
7. On the Specify intranet Microsoft update service location Properties page,
on the Settings tab, select Enabled. Under Set the intranet update service for
detecting updates and under Set the intranet statistics server, type
http://NYC-SVR1 in the text boxes, and then click Next Setting.
8. On the Automatic Updates detection frequency Properties page, select
Enabled, and then click OK.
9. Close the Group Policy Management Editor, and then close the Group Policy
Management tool.
10. On NYC-CL2, open a command prompt.
11. At the command prompt, type gpupdate /force, and then press ENTER.
12. At the command prompt, type wuauclt /detectnow, and then press ENTER.
13. Close the command window on NYC-CL2.
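
After gpupdate /force, the client's registry shows whether the WSUS GPO actually applied. The script below is an added example, not part of the courseware; the registry value names are the standard Windows Update policy values, the expected data comes from steps 6 through 8, and Test-WsusClientPolicy is a hypothetical helper name.

```powershell
# Added example, not part of the courseware. Run on NYC-CL2 after gpupdate /force.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# What the three policy settings enabled in Task 1 should have written.
$expected = @(
    @{ Key = $wuKey; Name = 'WUServer';                  Want = 'http://NYC-SVR1' },
    @{ Key = $wuKey; Name = 'WUStatusServer';            Want = 'http://NYC-SVR1' },
    @{ Key = $auKey; Name = 'UseWUServer';               Want = 1 },
    @{ Key = $auKey; Name = 'NoAutoUpdate';              Want = 0 },
    @{ Key = $auKey; Name = 'AUOptions';                 Want = 4 },  # 4 - Auto download and schedule the install
    @{ Key = $auKey; Name = 'DetectionFrequencyEnabled'; Want = 1 }
)

function Test-WsusClientPolicy {
    param([object[]]$Setting = $expected)

    foreach ($s in $Setting) {
        $item   = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) { $actual = $item.($s.Name) }

        if ($null -eq $actual) {
            $status = 'Missing'      # GPO not applied, or setting not configured
        } elseif ($actual -eq $s.Want) {
            $status = 'OK'
        } else {
            $status = 'Different'    # another GPO or a local change took precedence
        }

        New-Object PSObject -Property @{
            Setting  = $s.Name
            Expected = $s.Want
            Actual   = $actual
            Status   = $status
        } | Select-Object Setting, Expected, Actual, Status
    }

    # The lab URL is plain HTTP. Microsoft recommends SSL for WSUS in
    # production, so the scheme in use is reported as its own row.
    $server = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).WUServer
    $scheme = $null
    if ($server) { $scheme = ([uri]$server).Scheme }

    New-Object PSObject -Property @{
        Setting  = 'Transport'
        Expected = 'http (lab value)'
        Actual   = $scheme
        Status   = 'Info'
    } | Select-Object Setting, Expected, Actual, Status
}

Test-WsusClientPolicy | Format-Table -AutoSize
```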

Task 2: Use the WSUS administration tool to configure WSUS
properties
1. On NYC-SVR1, open Microsoft Windows Server Update Services 3.0 SP1 from
the Administrative Tools menu.
2. In the Update Services administrative tool window, in the list pane under
NYC-SVR1, click Options.
3. Using the details pane, view the configuration settings available in WSUS, and
click Cancel for each item when complete.

Task 3: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group HO
Computers.
3. Change membership of the nyc-cl2.woodgrovebank.com computer object so
that it is a part of the HO Computers group.

Task 4: Approve an update for Vista clients
1. In the Update Services administrative tool, in the list pane, expand Updates,
and then click Critical Updates.
2. In the details pane, change both the Approval and Status filters to Any, and
then click Refresh. Notice all of the updates available.
3. In the Critical Updates details pane, right-click Update for Windows Vista
(KB936357), and then select Approve from the context menu.
4. In the Approve Updates window that appears, click the arrow next to All
Computers, select Approved for Install, and then click OK.
5. On the Approval Progress page, when the process is complete, click Close.

Note: Notice that a message appears stating that the update is approved, but must
be downloaded to complete.

6. In the Update Services console, click Reports.
7. View the various WSUS reports available, and determine how many updates
NYC-CL2 requires.

Task 5: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Module 1
Lab Answer Key: Installing and Configuring
Servers
Contents:
Exercise 1: Identifying Server Types
Exercise 2: Installing and Configuring Server Roles and Features
Exercise 3: Configuring Server Core and Performing Basic Management Tasks

Lab: Installing and Configuring Servers and Server Roles

Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Identifying Server Types


Question: After reading the scenario, which installation type best suits Terminal
Services--Core or Standard? Why?
Answer: The Standard install is the only suitable choice since there is no graphical
user interface (GUI) available when you install Terminal Services on a Core
installation.
Question: Would the Core installation be suitable for the Domain Name System
(DNS) server? If so, are there any shortcomings to configuring the server to host
this role?
Answer: Yes, given the scenario where remote administration will be used and
security is a concern, the Core installation offers both requirements. The
shortcomings would be that the administrators need to be command-line savvy to
install, configure, and maintain the installed Roles and Features on a Core
installation.
Question: What benefits would you realize by using the Core installation option
for the DNS server role?
Answer: Benefits could include reduced administrative effort, reduced
maintenance because only a portion of the operating system is installed, and lastly,
a very small attack footprint would exist for the Core installation.
Question: What roles and features are needed on the servers to meet the given
scenario’s requirements?
Answer: For the Standard install, you need to install the Terminal Services Role
and the Windows Server Backup feature. For the Core install, the DNS Server Core
role needs to be installed.

Note: You also must configure the server for remote administration and open the
ports necessary for the installed Roles and Features.

Exercise 2: Installing and Configuring Server Roles and Features
Task 1: Start the virtual machines, and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Start the Server Manager console


• On NYC-SVR1, click Start, point to Administrative Tools, and then click
Server Manager.

Task 3: From Server Manager, install the Terminal Services role.


1. In the Server Manager list pane, right-click Roles, and click Add Roles from
the context menu. The Add Roles Wizard starts.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, select the Terminal Server check box, and
then click Next.
6. On the Uninstall and Reinstall Applications for Compatibility page, click
Next.
7. On the Specify Authentication Method for Terminal Server page, click Do
not require Network Level Authentication, and then click Next.
8. On the Specify Licensing Mode page, click Next to accept the default setting
to configure later.
9. On the Select User Groups Allowed Access To This Terminal Server page, click
Next.
10. On the Confirm Installation Selections page, click Install.
The Terminal Services Role installation begins.
11. On the Installation Results page, click Close, and then click Yes in the Do
you want to restart now? dialog box.

Task 4: View the Installation Results


1. Log on to NYC-SVR1 with the user name Woodgrovebank\administrator
and the password Pa$$w0rd.
Upon successful logon, Server Manager opens, and the Terminal Services
configuration resumes.
2. Once complete, Installation succeeded appears in the details pane. Click
Close to exit the Installation Results page. Do not close Server Manager.

Task 5: Install the Server Backup feature from the Server Manager
console
1. In the Server Manager list pane, right-click Features, and then click Add
Features. The Add Features Wizard appears.
2. On the Select Features page, select the Windows Server Backup Features
check box, and then click Next.
3. On the Confirm Installation Selections page of the wizard, click Install.
Installation of the chosen feature begins.
4. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. Do not close Server Manager.
The Windows Server Backup feature is installed.

Task 6: Verify the Terminal Services and Windows Server Backup tools
are installed by using the Roles Summary and Features Summary in
Server Manager
1. In the list pane of Server Manager, verify that Server Manager (NYC-SVR1) is
selected.
2. Using the scroll bar in the details pane, scroll down until the Roles Summary
is visible, and verify that Terminal Services is listed.
3. Scroll down to Features Summary, and verify that Windows Server Backup
appears.
4. Close Server Manager.

Exercise 3: Configuring Server Core and Performing Basic Management Tasks
Task 1: Start the 6421A-NYC-SVR2 virtual machine
1. Restore the Lab Launcher window.
2. In the Lab Launcher, next to 6421A-NYC-SVR2, click Launch.
3. Minimize the Lab Launcher window.

Task 2: Log on to the Server Core installation


1. On the keyboard, press RIGHT-ALT+DELETE.
2. In the Password text box, type Pa$$w0rd, and then click the arrow.

Task 3: Use command-line tools to set parameters in the Server Core virtual machine
• Computername=NYC-DNSSVR2
• IP address=10.10.0.12
• Mask=255.255.0.0
• Gateway=10.10.0.1
• DNS=10.10.0.10

1. To determine the current default assigned computer name, type set in the
command window.
2. Locate the computer name attribute, and write it down.
3. To change the computer name, type the following command, and then press
ENTER: Netdom renamecomputer NYC-SVR2 /NewName:NYC-DNSSVR2
4. When prompted, type y for yes, and then press ENTER.
5. In the command window, type the following command to set the static IP
address, and then press ENTER: Netsh interface ipv4 set address
name="local area connection" source=static address=10.10.0.12
mask=255.255.0.0 gateway=10.10.0.1
6. In the command window, type the following command to set the primary DNS
server, and then press ENTER: Netsh interface ip set dns "local area
connection" static 10.10.0.10 primary
7. At the command prompt, type ipconfig /all, and then press ENTER to verify
the IP address assignment.
8. On the keyboard, press RIGHT-ALT+DELETE.
9. Choose to restart the computer by clicking Shutdown options in the lower
right-hand pane of the window, and click Restart.
10. In the Shutdown Event Tracker window, click Operating System:
Reconfiguration (Planned), and then click OK. The server restarts.
11. Log on to the server with the user name Administrator and a password of
Pa$$w0rd.

Task 4: Connect the server to the WoodgroveBank.com domain


1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER: netdom join NYC-DNSSVR2
/domain:WoodgroveBank.com /Userd:Administrator /passwordD:*
2. At the command prompt, type the following command, and then press
ENTER: Pa$$w0rd

Note: Your keystrokes will not be reflected on the screen. You will receive a
message that the command completed successfully and that you need to restart
the computer.

3. At the command prompt, press RIGHT-ALT+DELETE, click the Shut down
options icon, and then click Restart. The Shut Down Windows dialog box
appears.
4. In the Option box of the Shut Down Windows dialog box, click Operating
System: Reconfiguration (Planned), and then click OK.

Task 5: Log in to the Server Core installation


1. Press RIGHT-ALT+DELETE.
2. Specify the password Pa$$w0rd for the administrator, and then click
Forward.
3. You are now logged on.

Task 6: Verify the firewall configuration


• Use the netsh command to view the current firewall configuration. Type the
following command in the command window, and then press ENTER: Netsh
firewall show state

Note: Notice that the Firewall status shows that the Operational mode is set to
Enable. This means that the Windows Firewall is enabled, but no specific ports are
open.

Task 7: Use the Netsh command to open ports


1. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening ALL 53 DNS-server
2. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 135 remote-admin
3. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening UDP 137 netbios-ns
4. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening UDP 138 netbios-dgm
5. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 139 netbios-ssn
6. At the command prompt, type the following command, and then press
ENTER: netsh firewall add portopening TCP 445 netbios-ns
7. At the command prompt, type the following command, and then press
ENTER: netsh firewall show config

Note: Notice that in the Service configuration for Domain profile, File and Printer
Sharing and Remote Desktop services are set to enable, and both TCP and UDP
port 53 are open for the DNS server.
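
Task 7 opens each port without a scope, so netsh applies its default and accepts connections from any source address. The batch file below is an added example, not part of the original lab: it makes the same openings but limits the remote-administration, NetBIOS and SMB ports to the lab network with scope=CUSTOM. The ADMIN_NET value (10.10.0.0 with the lab mask 255.255.0.0) and the choice of ports to restrict are assumptions.

```batch
@echo off
rem Added example: the Task 7 port openings with a source-address scope.
rem ADMIN_NET is an assumption: the lab network 10.10.0.0, mask 255.255.0.0.
setlocal
set ADMIN_NET=10.10.0.0/255.255.0.0
set FAILED=0

rem DNS has to answer every client, so port 53 keeps the default scope.
call :open ALL 53 DNS-server ALL

rem Same protocol, port and name as in Task 7, but these ports accept
rem connections only from ADMIN_NET.
call :open TCP 135 remote-admin CUSTOM
call :open UDP 137 netbios-ns CUSTOM
call :open UDP 138 netbios-dgm CUSTOM
call :open TCP 139 netbios-ssn CUSTOM
call :open TCP 445 netbios-ns CUSTOM

echo.
echo Resulting port openings:
netsh firewall show portopening

if %FAILED%==1 (
    echo One or more port openings could not be added.
    exit /b 1
)
exit /b 0

:open
rem %1 = protocol, %2 = port, %3 = name, %4 = scope: ALL or CUSTOM
if /i "%4"=="CUSTOM" (
    netsh firewall add portopening protocol=%1 port=%2 name=%3 mode=ENABLE scope=CUSTOM addresses=%ADMIN_NET%
) else (
    netsh firewall add portopening protocol=%1 port=%2 name=%3 mode=ENABLE scope=ALL
)
if errorlevel 1 (
    echo FAILED: %1 %2 %3
    set FAILED=1
)
goto :eof
```

Running it on the Server Core computer in place of steps 1 through 6 leaves the same ports listed by netsh firewall show config, with the scope shown for each restricted entry.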

Task 8: View the current status of roles, and install the DNS server role
1. In the command prompt window, at the command prompt, type the following
command, and then press ENTER: oclist

Note: Verify that no server roles are installed.

2. Use the Ocsetup.exe and oclist commands to install the DNS server by typing
the following at the command prompt, and then pressing ENTER: start /w
ocsetup DNS-Server-Core-Role

Note: The server role name is case sensitive.

3. At the command prompt, type the following command, and then press
ENTER: oclist

Note: Verify that the DNS-Server-Core-Role is installed.



Task 9: Manage the server by using DNS Manager from a remote computer
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS.
2. Right-click DNS, and then click Connect to DNS Server.
3. On the Connect to DNS Server box, select the option next to The following
computer, and then type NYC-DNSSVR2. Click OK.
4. Use the DNS console to create a forward lookup zone for Contoso.com:

Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 2
Lab Answer Key: Configuring and
Troubleshooting DNS
Contents:
Exercise 1: Configuring a DNS Infrastructure
Exercise 2: Monitoring and Troubleshooting DNS

Lab: Configuring and Verifying a DNS Solution

Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Configuring a DNS Infrastructure


Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the DNS Server role on NYC-SVR1


1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console, click Roles.
3. In the details pane, click Add Roles.
4. In the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the DNS Server check box, and then
click Next.
6. Click Next, and then click Install.
7. After the installation procedure is complete, click Close.
8. Close the Server Manager console.

Task 3: Configure the Contoso.msft zone on NYC-SVR1


1. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
2. In the list pane, expand NYC-SVR1, and then click Forward Lookup Zones.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. In the New Zone Wizard, click Next.
5. Ensure that Primary zone is selected, and then click Next.
6. Type Contoso.msft in the Zone name text box, and then click Next.
7. Leave the default options in the Zone File dialog box, and then click Next.
8. Leave the default options in the Dynamic Update dialog box, and then click
Next.
9. Review the settings, and then click Finish.

Task 4: Configure the Nwtraders.msft zone on NYC-DC1


1. On NYC-DC1, if the Server Manager console is already open, close the Server
Manager console.
2. Click Start, point to Administrative tools, and then click DNS.
3. In the list pane, ensure NYC-DC1 is expanded, and ensure that Forward
Lookup Zones is selected.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. In the New Zone Wizard, click Next.
6. Ensure Primary Zone is selected, ensure that Store the zone in Active
directory is selected, and then click Next.
7. Leave the default options in the Active Directory Zone Replication Scope
dialog box, and then click Next.
8. Type nwtraders.msft in the Zone name text box, and then click Next.
9. Leave the default options in the Dynamic Update dialog box, and then click
Next.
10. Review the settings, and then click Finish.

Task 5: Configure zone transfer security


1. On NYC-DC1, in the DNS console, expand NYC-DC1, and then expand
Forward Lookup Zones.
2. Click nwtraders.msft.
3. Right-click nwtraders.msft, and then click Properties.
4. In the nwtraders.msft properties dialog box, click Zone Transfers.
5. Select Allow zone transfers, and then select Only to the following servers.
6. Click the Edit button, and in the Allow Zone Transfers dialog box, click Click
here to add, type: 10.10.0.24, and then press ENTER. Click OK.
7. Click OK to close the nwtraders.msft Properties dialog box.
8. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
9. In the left-hand pane, expand NYC-SVR1, and then expand Forward Lookup
Zones. Click Contoso.msft.
10. Right-click Contoso.msft, and then click Properties.
11. In the Contoso.msft Properties dialog box, click Zone Transfers.
12. Ensure Allow zone transfers is selected, and then select Only to the
following servers.
13. Click Edit, and in the Allow Zone Transfers dialog box, click Click Here to
add, type: 10.10.0.10, and then press ENTER. Click OK.
14. Click OK to close the Contoso.msft Properties dialog box.
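
The zone transfer lists from Task 5 can also be set with dnscmd and then tested from the network. The batch file below is an added example, not part of the original lab: its apply mode sets both lists, and its check mode, run on a computer that is on neither list, asks each primary server for a full zone listing and expects a refusal. The script name and the apply and check arguments are assumptions.

```batch
@echo off
rem Added example: Task 5 with dnscmd, plus a refusal check.
rem   zonexfer.cmd apply   run on NYC-DC1 from an elevated command prompt
rem   zonexfer.cmd check   run on a computer that is on neither transfer list
rem The script name and the apply/check arguments are assumptions.
setlocal
if /i "%~1"=="apply" goto apply
if /i "%~1"=="check" goto check
echo Usage: %~nx0 apply ^| check
exit /b 2

:apply
rem nwtraders.msft on NYC-DC1: transfers only to 10.10.0.24 (NYC-SVR1).
dnscmd NYC-DC1 /ZoneResetSecondaries nwtraders.msft /SecureList 10.10.0.24
if errorlevel 1 goto failed
rem Contoso.msft on NYC-SVR1: transfers only to 10.10.0.10 (NYC-DC1).
dnscmd NYC-SVR1 /ZoneResetSecondaries Contoso.msft /SecureList 10.10.0.10
if errorlevel 1 goto failed
rem Print the zone settings so the secondary list can be reviewed.
dnscmd NYC-DC1 /ZoneInfo nwtraders.msft
dnscmd NYC-SVR1 /ZoneInfo Contoso.msft
exit /b 0

:check
set RESULT=0
call :refused nwtraders.msft 10.10.0.10
call :refused Contoso.msft 10.10.0.24
exit /b %RESULT%

:refused
rem %1 = zone, %2 = primary server for that zone.
rem nslookup reads "ls -d" from standard input and requests the whole zone,
rem which the server handles as a zone transfer.
echo ls -d %1| nslookup - %2 2>&1 | findstr /i "refused" >nul
if errorlevel 1 (
    echo FAIL: no refusal from %2 for a transfer of %1 to this computer
    set RESULT=1
) else (
    echo OK:   %2 refused a transfer of %1
)
goto :eof

:failed
echo dnscmd reported an error; the transfer lists were not all applied.
exit /b 1
```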

Task 6: Configure secondary zones for each domain


1. On NYC-DC1, in the DNS console, click Forward Lookup Zones.
2. Right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. Select Secondary zone, and then click Next.
5. Type Contoso.msft in the text box, and then click Next.
6. Type 10.10.0.24, the address of the primary zone server for contoso.msft,
press ENTER, and then click Next.
7. On the last page of the New Zone Wizard, click Finish.
8. Click Contoso.msft, and verify that records appear in the details pane. Notice
that NYC-SVR1 is shown as the Start of Authority.
9. On NYC-SVR1, in the DNS console, click Forward Lookup Zones.
10. Right-click Forward Lookup Zones, and then click New Zone.
11. In the New Zone Wizard, click Next.
12. Select Secondary zone, and click Next.
13. Type nwtraders.msft in the text box, and then click Next.
14. Type 10.10.0.10, the address of the primary zone server for nwtraders.msft,
press ENTER, and then click Next.
15. On the last page of the New Zone Wizard, click Finish.
16. Click nwtraders.msft, and verify that records appear in the details pane.
Notice that NYC-DC1 is shown as the Start of Authority.

Task 7: Configure a stub zone for WoodgroveBank.com


1. On NYC-SVR1, in the DNS console, click Forward Lookup Zones.
2. Right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. Select Stub zone, and then click Next.
5. Type WoodgroveBank.com in the text box, and then click Next.
6. Leave the default options in the Zone File dialog box, and then click Next.
7. Type 10.10.0.10, the address of the DNS server for WoodgroveBank.com,
press ENTER, and then click Next.
8. On the last page of the New Zone Wizard, click Finish.

Task 8: Configure administrative options for the Nwtraders.msft domain
1. On NYC-DC1, in the DNS console, click Forward Lookup Zones.
2. In the list pane, ensure Forward Lookup Zones is already expanded.
3. Right-click nwtraders.msft, and then click Properties.
4. In the nwtraders.msft Properties dialog box, click Security, and then click
Add.
5. In the Select Users, Computers, or Groups dialog box, type DL Nwtraders
DNS Admins, and then click OK.
6. Select DL Nwtraders DNS Admins in the top pane. In the lower pane, select
Read, Write, Create all Child objects, and Delete all child objects, and then
click OK.
7. Close the DNS Manager console on NYC-DC1.

Exercise 2: Monitoring and Troubleshooting DNS


Task 1: Test simple and recursive queries
1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.
2. In the list pane, right-click NYC-DC1, and then click Properties.
3. Click the Monitoring tab.
4. On the Monitoring tab, select A simple query against this DNS Server, and
then click Test Now.
5. On the Monitoring tab, ensure A recursive query to other DNS servers is
selected, and then click Test Now. Notice the Recursive test fails for NYC-DC1,
which is normal given that there are no forwarders configured for this DNS
server to use.
6. Click Start, click Run, type: sc stop dns, and then click OK.
7. On the Monitoring tab, click Test Now. Now, both Simple and Recursive tests
fail.
8. Click Start, click Run, type: sc start dns, and then click OK.
9. On the Monitoring tab, click Test Now. The Simple test completes
successfully.
10. Close the NYC-DC1 Properties dialog box.

Task 2: Verify SOA records by using Nslookup


1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type nslookup.exe, and then press ENTER.
3. In the command window, at the nslookup prompt, type set querytype=SOA,
and then press ENTER.
4. In the command window, at the nslookup prompt, type nwtraders.msft, and
then press ENTER.
5. In the command window, at the nslookup prompt, type contoso.msft, and
then press ENTER.
6. Close the command prompt.

Task 3: Use Dnslint to verify name server records


1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type D:, and then press ENTER.
3. At the command prompt, type CD Labfiles, and then press ENTER.
4. At the command prompt, type dnslint, and then press ENTER. Notice the
command-line help associated with dnslint.
5. At the command prompt, type dnslint /s 10.10.0.10 /d nwtraders.msft, and
then press ENTER.
6. Read through the report results, and then close the report window.
7. Close the command prompt.

Task 4: View performance statistics by using the Performance console


1. On NYC-DC1, click Start, right-click Computer, and then click Manage.
2. In the list pane of the Server Manager window, expand Diagnostics, expand
Reliability and Performance, expand Monitoring Tools, and then click
Performance Monitor.
3. In the center pane, click the green plus icon.
4. In the Available counters list, double-click DNS.
5. Select Total Query Received, and then click Add.
6. Select Total Query Received/sec, click Add, and then click OK.
7. Click Start, click Administrative tools, and then click DNS.
8. In the left pane, right-click NYC-DC1, and then click Properties.
9. Click the Monitoring tab.
10. On the Monitoring tab, select A simple query against this DNS Server and A
recursive query to other DNS servers, and click Test Now several times.
11. Clear the Simple and Recursive test check boxes, and then click OK. Close the
DNS management tool.
12. Return to the Server Manager console. The graph reflects the queries on the
server.
13. In the Server Manager console, type CTRL-G and then type CTRL-G again.
This report lists the total number of queries the server has received.
14. Close the Server Manager console.

Task 5: Verify DNS replication


1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.
2. In the left pane, ensure NYC-DC1 is expanded, and then expand Forward
Lookup Zones.
3. Select and right-click nwtraders.msft, and then click New host (A or AAAA).
4. In the New Host dialog box, type test in the Name text box. Type 10.10.0.15
in the IP Address text box, and then click Add Host. Click OK, and then click
Done.
5. In the left pane, click nwtraders.msft, right-click nwtraders.msft, click
Properties, and then click Zone Transfers in the nwtraders.msft Properties
dialog box.
6. In Zone Transfers, click Notify. In Click here to add an IP Address or DNS
Name, type NYC-SVR1, press ENTER, and then click OK.
7. On NYC-SVR1, click Start, point to Administrative tools, and then click DNS.
8. In the left pane, ensure NYC-SVR1 is expanded, and then expand Forward
Lookup Zones.
9. Click the nwtraders.msft secondary zone. Verify that the new A record has
been replicated.
10. If the record does not appear, right-click nwtraders.msft, and then click
Refresh.
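
Replication can also be confirmed without the console by comparing the SOA serial number that the primary and the secondary server return for the zone, which extends the nslookup SOA query from Task 2 to the check in Task 5. The batch file below is an added example, not part of the original lab; the variable names and the temporary file are assumptions, and the addresses are those of NYC-DC1 and NYC-SVR1.

```batch
@echo off
rem Added example: compare the SOA serial of a zone on its primary and
rem secondary server. Variable names and the temporary file are assumptions.
setlocal
set ZONE=nwtraders.msft
set PRIMARY=10.10.0.10
set SECONDARY=10.10.0.24
set TMPFILE=%TEMP%\soa_%RANDOM%.txt
set P_SERIAL=
set S_SERIAL=

call :serial %PRIMARY% P_SERIAL
call :serial %SECONDARY% S_SERIAL
if exist "%TMPFILE%" del "%TMPFILE%"

if not defined P_SERIAL (
    echo No SOA serial returned by %PRIMARY% for %ZONE%
    exit /b 2
)
if not defined S_SERIAL (
    echo No SOA serial returned by %SECONDARY% for %ZONE%
    exit /b 2
)

echo %ZONE% serial on primary %PRIMARY% = %P_SERIAL%
echo %ZONE% serial on secondary %SECONDARY% = %S_SERIAL%
if "%P_SERIAL%"=="%S_SERIAL%" (
    echo In sync: the secondary holds the same zone version as the primary.
    exit /b 0
)
echo Not in sync: the secondary has not yet transferred the latest version.
exit /b 1

:serial
rem %1 = server address, %2 = name of the variable that receives the serial.
nslookup -type=SOA %ZONE% %1 > "%TMPFILE%" 2>nul
rem The SOA answer contains a line of the form "serial  = 3". With "=" and
rem space as delimiters, the second token on that line is the number.
for /f "tokens=2 delims== " %%S in ('findstr /i /c:"serial" "%TMPFILE%"') do set %2=%%S
goto :eof
```

Run it after step 4 adds the test record: the serial on the primary increases at once, and the two values match again when the secondary has pulled the change.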

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 3
Lab Answer Key: Configuring and Managing
WINS
Contents:
Exercise 1: Installing WINS
Exercise 2: Configuring WINS Burst Handling
Exercise 3: Configuring WINS Replication
Exercise 4: Migrating from WINS to DNS

Lab: Configuring a WINS Infrastructure

Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Installing WINS


Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: On 6421A-NYC-SVR1, launch the Server Manager console


1. Click Start, and then point to Administrative Tools.
2. On the Administrative Tools menu, click Server Manager.
3. The Server Manager console opens.

Task 3: From the Server Manager console, install the WINS feature
1. In the Server Manager list pane, right-click Features, and then click Add
Features on the context menu. The Add Features Wizard opens.
2. On the Select Features page, scroll down and click the check box next to
WINS Server, and then click Next.
3. On the Confirm Installation Selections page, click Install.
4. On the Installation Results page, verify that Installation succeeded appears
in the details pane, and then click Close.
5. Close the Server Manager console.
The Windows Internet Name Service (WINS) feature is installed on
6421A-NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.

Exercise 2: Configuring WINS Burst Handling


Task 1: Configure the WINS server on 6421A-NYC-SVR1 for burst
handling
1. On NYC-SVR1, click Start, and then point to Administrative Tools.
2. On the Administrative Tools menu, click WINS.
The WINS console opens.
3. In the list pane, select and then right-click NYC-SVR1 [10.10.0.24]. Click
Properties.
4. On the NYC-SVR1 [10.10.0.24] Properties dialog box, click the Advanced
tab.
5. In the Enable burst handling section, select the Low option, and then click
OK.

Task 2: Create a static entry in the WINS database


1. In the WINS console list pane, right-click Active Registrations, and then click
New Static Mapping.
2. In the New Static Mapping dialog box, configure the following, and then click
OK:
a. Computer name: HRWEB
b. Type: Unique
c. IP address: 10.10.0.10
3. Right-click Active Registrations, and then click Display Records.
4. In the Display Records dialog box, click Find Now. If necessary, click the
Active Registrations node to view the results.
5. Verify that the static record for HRWEB exists. Do not close the WINS console.

Task 3: Configure scavenging on the WINS server to take place once every seven days
1. In the WINS console list pane, right-click NYC-SVR1 [10.10.0.24], and then
click Properties.
2. In the Properties dialog box, click the Intervals tab.
3. Set the Extinction timeout value to 7 in the Days text box, and then click OK.

Task 4: Configure NYC-DC1 to use the WINS server for NetBIOS resolution
1. On NYC-DC1, click Start, right-click Network, and then click Properties.
2. In the Network and Sharing Center window, click Manage network
connections from the Tasks list.
3. Right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, under This connection
uses the following items, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
5. In the Internet Protocol Version 4 Properties dialog box, click Advanced.
6. In the Advanced TCP/IP Settings dialog box, click the WINS tab, and under
WINS addresses, in order of use section, click Add.
7. Specify the WINS server address (IP address of 10.10.0.24), and then click
Add.
8. In the Advanced TCP/IP Settings dialog box, click OK.
9. In the Internet Protocol Version 4 Properties dialog box, click OK, and then
close the Local Area Connection Properties dialog box.
10. Close the Network Connections window.
11. Close the Network and Sharing Center window.

Task 5: Test the NetBIOS name resolution capabilities


1. On NYC-DC1, click Start, and then click Command Prompt.
2. In a command window, type ping hrweb, and then press ENTER.
3. The name resolution should be successful and resolve to 10.10.0.10.
4. Close the command window.

Exercise 3: Configuring WINS Replication


Task 1: Configure Push and Pull replication on NYC-DC1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
WINS.
2. In the WINS console list pane, expand NYC-DC1 [10.10.0.10].
3. Right-click Replication Partners, and then click New Replication Partner.
4. In the New Replication Partner dialog box, specify the IP address of
NYC-SVR1 (10.10.0.24), and then click OK.
The Replication Partners details pane lists NYC-SVR1 as a Push/Pull partner.

Task 2: Configure Push and Pull replication on NYC-SVR1


1. On NYC-SVR1, in the WINS console list pane, right-click Replication
Partners, and then click New Replication Partner.
2. In the New Replication Partner dialog box, specify the IP address of
NYC-DC1 (10.10.0.10), and then click OK.
The Replication Partners details pane lists NYC-DC1 as a Push/Pull partner.

Task 3: Verify Replication


1. On NYC-SVR1, in the WINS console right-click Replication Partners, and
then click Replicate Now. Click Yes to start replication now, and then click
OK.
2. In the WINS console, right-click Active Registrations, and then click Refresh.
3. Click the Active Registrations node. Notice that records from both 10.10.0.10
and 10.10.0.24 are listed as owners.
4. On NYC-DC1, in the WINS console, right-click Replication Partners, and then
click Replicate Now. Click Yes to start replication now, and then click OK.
5. Right-click Active Registrations, and then click Display Records.
6. In the Display Records dialog box, click Find Now.
7. Click the Active Registrations node. Notice that records from both 10.10.0.10
and 10.10.0.24 are listed as owners.
8. Close the WINS console on both NYC-DC1 and NYC-SVR1.

Exercise 4: Migrating from WINS to DNS


Task 1: Create the GlobalNames zone in Domain Name System (DNS)
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DNS.
2. In the list pane, right-click NYC-DC1, and then click New Zone on the context
menu.
3. On the Welcome to the New Zone Wizard page, click Next.
4. On the Zone Type page, accept the defaults, and then click Next.
5. On the Active Directory Zone Replication Scope page, select To all DNS
servers in this forest: WoodgroveBank.com, and then click Next.
6. On the Forward or Reverse Lookup Zone page, accept the defaults, and then
click Next.
7. In the Zone name text box, type GlobalNames, and then click Next.
8. On the Dynamic Update page, select Do not allow dynamic updates, and
then click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Click Start, right-click Command Prompt, and then click Run As
administrator.
11. Type Dnscmd NYC-DC1 /config /Enableglobalnamessupport 1, and then
press ENTER.
12. Close the command prompt.

Task 2: Create the Alias record for the single-label name resource
1. In the DNS Manager console, ensure NYC-DC1 is expanded, expand Forward
Lookup Zones, and then select GlobalNames from the list.
2. Right-click GlobalNames, and select New Alias (CNAME) from the context
menu.
3. In the New Resource Record dialog box, specify an Alias name of HRWEB
and fully qualified domain name (FQDN) for target host of
NYC-DC1.Woodgrovebank.com, and then click OK.
4. Close the DNS Manager console.

Task 3: Decommission WINS on NYC-DC1 and NYC-SVR1


1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the list pane, right-click Features, and then click Remove Features from the
context menu.
3. On the Select Features page, scroll down and remove the check mark next to
WINS Server, and then click Next.
4. On the Confirm Removal Selections page, click Remove.
5. On the Removal Results page, click Close, and then click Yes when prompted
to restart the computer.
6. Repeat steps 1-5, and remove the WINS feature from NYC-DC1.

Task 4: Verify GlobalNames single-label name resolution


1. Log on to NYC-DC1 as administrator with the password Pa$$w0rd. The
WINS removal continues. Click Close.
2. Log on to NYC-SVR1 as administrator with the password Pa$$w0rd. The
WINS removal continues. Click Close.
3. On NYC-DC1, close the Server Manager.
4. On NYC-DC1, click Start, and then click Command Prompt.
5. At the command prompt, type ping hrweb, and then press ENTER.
The ping command is successful, and resolves to
nyc-dc1.woodgrovebank.com.

Task 5: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 4
Lab Answer Key: Configuring and
Troubleshooting DHCP
Contents:
Exercise 1: Installing and Authorizing the DHCP Server Role
Exercise 2: Configuring a DHCP Scope
Exercise 3: Troubleshooting Common DHCP Issues

Lab: Configuring and Troubleshooting the DHCP Server Role

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Installing and Authorizing the Dynamic Host Configuration Protocol (DHCP) Server Role

Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-CL1 virtual machines, and log on as Administrator
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the DHCP Server Role on NYC-DC1


1. On NYC-DC1, if the Server Manager console is not showing, click Start.
2. Click Server Manager.
3. In the Server Manager console, click Roles.
4. Click Add Roles.
5. In the Add Roles Wizard, click Next.
6. Select the DHCP Server check box, and then click Next.
7. Read the information concerning the installation of the DHCP Server role, and
then click Next.
8. In the Select Network Connection Bindings dialog box, make sure that the
static IP address 10.10.0.10 is selected, and then click Next.
9. In the Specify IPv4 DNS Server Settings dialog box, accept the default values,
and click Next.
10. In the Specify IPv4 WINS Server Settings, ensure WINS is not required for
applications on this network is selected and then click Next.
11. In Add or Edit DHCP Scopes, click Next.
12. In Configure DHCPv6 Stateless Mode, select Disable DHCPv6 stateless
mode for this server, and then click Next.
13. In Authorize DHCP Server, select Skip authorization of this DHCP server in
AD DS.
14. Click Next, and then click Install.
15. After the installation procedure is complete, click Close.
16. Close Server Manager on NYC-DC1.

Task 3: Authorize the DHCP Server Role on NYC-DC1


1. On NYC-DC1, click Start, point to Administrative tools, and then click
DHCP.
2. In the list pane, expand and then right-click NYC-DC1.woodgrovebank.com.
3. Click Authorize.
4. In the list pane, expand IPv4. The IPv4 server icon should have a green “up”
arrow.

Exercise 2: Configuring a DHCP Scope


Task 1: Configure a DHCP scope
1. On NYC-DC1, the DHCP management console should still be open. If not,
click Start, point to Administrative Tools, and then click DHCP.
2. In the left pane, ensure NYC-DC1.woodgrovebank.com is expanded.
3. Right-click the IPv4 server icon, and click New Scope.
4. In the New Scope Wizard, on the Welcome page, click Next.
5. In the Scope Name dialog box, type a name and description for the scope. For
example, Name: Head Office Network Scope and Description: WoodGrove
Bank employee scope. Click Next.
6. In the IP Address Range dialog box, type 10.10.0.1 for the Start IP address
and type 10.10.0.254 for the End IP address. Type 16 in the Length text box.
This will cause the Subnet mask text box to display 255.255.0.0.
7. Click Next.
8. In the Add Exclusions dialog box, type 10.10.0.1 for the Start IP address and
type 10.10.0.30 for the End IP address, click Add, and then click Next.
9. In the Lease Duration dialog box, change the value to 1 hour, and then click
Next.
10. In the Configure DHCP Scope Options dialog box, select No, I will configure
these options later, and then click Next.
11. Click Finish.
12. A new scope will appear under IPv4. The scope appears with a red “down”
arrow. Select and then right-click [10.10.0.0] Head Office Network Scope,
and then click Activate.
13. Close the DHCP console.
14. On NYC-CL1, click Start, right-click Network, and then click Properties. The
Network and Sharing Center window appears.
15. Under Tasks, click Manage network connections. The Network Connections
window appears.
16. Right-click Local Area Connection, and choose Properties from the context
menu.
17. In the Local Area Connection Properties dialog box, click Internet Protocol
Version 4 (TCP/IPv4), and click Properties.
18. In the Internet Protocol Version 4(TCP/IPv4) Properties box, select Obtain
an IP address automatically and Obtain DNS server address automatically,
and then click OK.
19. In the Local Area Connection Properties dialog box, click Close.
20. Close the Network Connections window, and then close the Network and
Sharing Center window.
21. Restart NYC-CL1. After the computer is restarted, log on as Administrator
with the password of Pa$$w0rd.
22. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
23. At the command prompt, type ipconfig, and then press ENTER.
24. At the command prompt, type ipconfig /release, and then press ENTER.
25. At the command prompt, type ipconfig /renew, and then press ENTER.
26. At the command prompt, type ipconfig /all, and then press ENTER. Notice
that along with other information, the IP address of the DHCP Server is
displayed.
27. Under Ethernet adapter Local Area Connection, notice that the connection
does not have a default gateway.
Question: Why does the DHCP configured Local Area Connection not have a
default gateway?
Answer: Because the ROUTER DHCP option has not been configured on the
DHCP server. There is no default gateway option in DHCP.
28. Close the command prompt.

Task 2: Configure DHCP scope options


1. On NYC-DC1, click Start, point to Administrative tools, and then click
DHCP.
2. In the list pane, expand NYC-DC1.woodgrovebank.com, and then expand
IPv4.
3. Expand Scope [10.10.0.0].
4. Select and then right-click Scope Options, and then click Configure Options.
5. In the Scope Options dialog box, select 003 Router.
6. In the Scope Options dialog box, type 10.10.0.1 in the IP Address text box,
click Add, and then click OK.

Task 3: Test the scope using a client workstation


1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER. Notice
the default gateway is now listed.

Exercise 3: Troubleshooting Common DHCP Issues


Task 1: Verify DHCP lease information
1. If necessary, on NYC-CL1, click Start, point to All Programs, point to
Accessories, right-click Command Prompt, and then click Run as
Administrator.
2. At the command prompt, type ipconfig /all, and then press ENTER.
3. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration

Task 2: Modify DHCP Server configuration using scripts to simulate configuration issues
1. On NYC-DC1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At a command prompt, type D:\Labfiles\Module4\DHCP.vbs, and then
press ENTER.
3. Close the command prompt window.

Task 3: Check the client’s ability to lease an IP address


1. On NYC-CL1, at the command prompt, type ipconfig /release, and then press
ENTER.
2. At the command prompt, type ipconfig /renew, and then press ENTER.
3. At the command prompt, type ipconfig /all, and then press ENTER. Notice
the client is not receiving an IP address, and you have been allocated a
169.254 address.

Task 4: Determine why the DHCP server is not allocating IP addresses


1. On NYC-DC1, determine whether the DHCP scope is activated.
2. To activate the DHCP scope, expand the nyc-dc1.woodgrovebank.com node,
expand the IPv4 node, select and then right-click the 10.10.0.0 scope, and
then click Activate.

Task 5: Identify information that has been changed


1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER.
5. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration

Task 6: Configure the DHCP server with the correct router information
1. On NYC-DC1, verify the router information that is configured in the scope
options.
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node,
expand the 10.10.0.0 scope node, click Scope Options, and then in the right
pane, double-click 003 Router.
3. In the Scope Options dialog box, click the invalid router address
192.168.10.3, and then click Remove.
4. In the Scope Options dialog box, click in the IP address text box. Replace
192.168.10.3 with 10.10.0.1, click Add, and then click OK.

Task 7: Configure the DHCP server with the correct DNS server information
1. On NYC-DC1, verify the DNS information that is configured in the scope
options.
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node,
expand the 10.10.0.0 scope node, right-click Scope Options, and then click
Configure Options.
3. In the Available Options window, select 006 DNS Servers.
4. In the Scope Options dialog box, click in the IP address text box, type
10.10.0.10, and then click Add. Again, in the IP address text box, type
10.10.0.21, click Add, and then click OK.

Task 8: Configure the DHCP with the proper lease period


1. On NYC-DC1, verify the router information that is configured in the scope
options is correct. (It should be 1 hour.)
2. Expand the nyc-dc1.woodgrovebank.com node, expand the IPv4 node, right-
click the 10.10.0.0 scope, and then click Properties.
3. In the Scope Properties dialog box, in the Lease duration for DHCP clients
section, change the lease to 1 hour instead of 8 days, and then click OK.

Task 9: Verify the information being leased to the client


1. On NYC-CL1, click Start, point to All Programs, point to Accessories, right-
click Command Prompt, and then click Run as Administrator.
2. At the command prompt, type ipconfig /release, and then press ENTER.
3. At the command prompt, type ipconfig /renew, and then press ENTER.
4. At the command prompt, type ipconfig /all, and then press ENTER.
5. Take note of the following items:
• IPv4 Address
• Subnet Mask
• Default Gateway
• Lease Duration
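
The comparison made by hand in Exercise 3 (noting the address, gateway, DNS servers and lease from ipconfig /all and checking them against the scope) can be scripted. The following Python is an added example, not part of the courseware; the sample outputs, the client address 10.10.0.31, the finding names and the en-US date format are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Baseline: the values the lab configures on the 10.10.0.0 scope.
EXPECTED = {
    "network": ipaddress.ip_network("10.10.0.0/16"),
    "gateway": ipaddress.ip_address("10.10.0.1"),
    "dhcp_servers": {ipaddress.ip_address("10.10.0.10")},
    "dns_servers": [ipaddress.ip_address(a) for a in ("10.10.0.10", "10.10.0.21")],
    "lease": timedelta(hours=1),
}
APIPA = ipaddress.ip_network("169.254.0.0/16")
# Matches "   Label . . . . : value"; the label never contains a colon.
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)(?:\s*\.)+\s*:\s?(.*)$")
# Assumption: en-US long date format, as an English-language client prints it.
TIME_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"


def parse_adapter(text):
    """Return {label: [values]} for one adapter block of `ipconfig /all`."""
    fields, last = {}, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            last, value = match.group(1).strip(), match.group(2).strip()
            fields[last] = [value] if value else []
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())  # continuation: next DNS server
    return fields


def to_ips(values):
    """Convert ipconfig values to addresses, dropping '(Preferred)' suffixes."""
    return [ipaddress.ip_address(v.split("(")[0]) for v in values]


def audit_lease(text, expected=EXPECTED):
    """Return finding codes; an empty list means the lease matches the baseline."""
    f = parse_adapter(text)
    if any(ip in APIPA for ip in to_ips(f.get("Autoconfiguration IPv4 Address", []))):
        return ["apipa-address"]            # no server answered (scope inactive?)
    addr, mask = to_ips(f.get("IPv4 Address", [])), f.get("Subnet Mask", [])
    if not addr or not mask:
        return ["no-ipv4-lease"]
    findings = []
    net = ipaddress.ip_network(f"{addr[0]}/{mask[0]}", strict=False)
    gateway = to_ips(f.get("Default Gateway", []))
    if not gateway:
        findings.append("no-default-gateway")      # option 003 not configured
    elif gateway[0] not in net:
        findings.append("gateway-off-link")        # client cannot reach it
    elif gateway[0] != expected["gateway"]:
        findings.append("unexpected-gateway")
    servers = to_ips(f.get("DHCP Server", []))
    if not servers or servers[0] not in expected["dhcp_servers"]:
        findings.append("unexpected-dhcp-server")  # not the authorized server
    if to_ips(f.get("DNS Servers", [])) != expected["dns_servers"]:
        findings.append("dns-servers-differ")
    try:
        start = datetime.strptime(f["Lease Obtained"][0], TIME_FORMAT)
        end = datetime.strptime(f["Lease Expires"][0], TIME_FORMAT)
        if end - start != expected["lease"]:
            findings.append("lease-duration-differs")
    except (KeyError, IndexError, ValueError):
        findings.append("lease-times-unreadable")
    return findings


# Constructed samples in the `ipconfig /all` layout; not captured output.
AFTER_FIX = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.10.0.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, March 03, 2008 10:00:00 AM
   Lease Expires . . . . . . . . . . : Monday, March 03, 2008 11:00:00 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.10
   DNS Servers . . . . . . . . . . . : 10.10.0.10
                                       10.10.0.21
"""
# Mirrors what Tasks 6-8 correct: router 192.168.10.3, no DNS (assumed), 8 days.
BROKEN = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.10.0.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, March 03, 2008 10:00:00 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 11, 2008 10:00:00 AM
   Default Gateway . . . . . . . . . : 192.168.10.3
   DHCP Server . . . . . . . . . . . : 10.10.0.10
"""
NO_LEASE = """\
Ethernet adapter Local Area Connection:
   Autoconfiguration IPv4 Address. . : 169.254.17.42(Preferred)
"""

if __name__ == "__main__":
    print(audit_lease(AFTER_FIX), audit_lease(BROKEN), audit_lease(NO_LEASE))
```

The unexpected-dhcp-server finding covers a case the lab does not simulate: a lease handed out by a server other than the one authorized in Exercise 1.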

Task 10: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 5
Lab Answer Key: Configuring and
Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client
Exercise 2: Configuring an ISATAP Router to Enable Communications Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network
Exercise 1: Transitioning to an IPv6-Only Network

Lab A: Configuring an ISATAP Router

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Before you begin:


To be able to simulate multiple networks, you must configure the following before
starting the virtual machines:
1. On the host machine, open the Virtual Server Administration Web site.
2. In the left pane, under Virtual Networks, click Add. In the details pane, next
to Existing configuration (.vnc) file type the following: C:\Program
Files\Microsoft Learning\6421\Drives\6421A-NYC-VN2_IPv6, and then
click Add again.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select 6421A-
NYC-VN2_IPv6, and then click OK.

Logon Information:
• Virtual Machines: 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes


Exercise 1: Configuring a New IPv6 Network and Client


Scenario
You must design and implement an IPv6 network. For your initial proof of
concept, you must deploy only one client.

Exercise Overview
In this exercise, you will prepare the current environment to work with IPv6, and
deploy an IPv6 client and an IPv6 subnet.

The main tasks are as follows:


1. Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual
machines.
2. Configure IPv4 Routing.
3. Enable IP Routing on NYC-SVR1 and Confirm IPv4 Connectivity.
4. Disable IPv6 on NYC-DC1.
5. Disable IPv4 on NYC-CL1.
6. Check the IP configuration on NYC-CL1 and ensure that it is not configured
with an IPv4 IP address.
7. Configure an IPv6 router advertisement for the global address
2001:db8:0:1::/64 network on NYC-SVR1.
8. Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6
global address in the 2001:db8:0:1::/64 network.

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Configure IPv4 Routing


1. On NYC-CL1, click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet, and then click View network
status and tasks.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. Change the IP settings to the following and then click OK:
• IP Address: 192.168.1.20
• Subnet Mask: 255.255.255.0
• Default Gateway: 192.168.1.10
7. In the Local Area Connection Properties box, click Close.
8. When the Set Network Location box opens, click Work, and then click Close.
9. Close all open windows on NYC-CL1.
10. On NYC-DC1, in the Server Manager, click View Network Connections.
11. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
12. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
13. Change the IP settings to the following, and then click OK:
• Default Gateway: 10.10.0.24
14. In the Local Area Connection Properties box, click Close, and then close all
open windows on NYC-DC1.

Task 3: Enable IP Routing on NYC-SVR1 and Confirm IPv4 Connectivity


1. On NYC-SVR1, click Start, and then in the Start Search box, type Regedit,
and then press ENTER.
2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Double-click IPEnableRouter and then in the Value data box type 1. Click
OK.
4. Close the Registry Editor and then restart NYC-SVR1.
5. After NYC-SVR1 restarts, log on as Administrator with the password of
Pa$$w0rd.
6. On NYC-CL1, click Start, type cmd, and then press ENTER.
7. At the command prompt, type ping NYC-DC1, and then press ENTER. You
should have four successful replies from 10.10.0.10, which is NYC-DC1.
8. On NYC-DC1, click Start, click Command Prompt and then type ping
192.168.1.20. Press ENTER. You should have four successful replies from
192.168.1.20 which is NYC-CL1.

Note: At this point, only IPv4 traffic is routed through the IPv4 routing
infrastructure.

Task 4: Disable IPv6 on NYC-DC1


1. On NYC-DC1, click Start, and then click Control Panel.
2. In Control Panel, double-click Network and Sharing Center.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Clear the Internet Protocol Version 6 (TCP/IPv6) check box and then click
OK.
6. Close all open windows on NYC-DC1.

Task 5: Disable IPv4 on NYC-CL1


1. On NYC-CL1, click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet, and then click View network
status and tasks.
3. In the left pane, click Manage network connections.
4. In the Network Connections window, right-click Local Area Connection, and
then click Properties.
5. Clear the Internet Protocol Version 4 (TCP/IPv4) check box and then click
OK.
6. Close all open windows on NYC-CL1.

Task 6: Check the IP configuration on NYC-CL1 and ensure that it is not configured with an IPv4 IP address
1. Click Start, click All Programs, click Accessories, and then click Command
prompt.
2. At the command prompt, type ipconfig and then press ENTER. The output
should be a link-local IPv6 address that starts with fe80.
3. Close the Command Prompt window.

Task 7: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-SVR1
1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands, and then press
ENTER:
• netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 2" publish=yes

Task 8: Check the IP configuration on NYC-CL1 to ensure it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
1. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
2. At the command prompt, type: ipconfig and then press ENTER. The output
should be a link-local IPv6 address that starts with fe80. Two global IP
addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the Command Prompt window.

Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Scenario
Now that you have configured your IPv6 client, you must enable IPv4 client
connectivity to the IPv6 network. You have evaluated current IPv6 tunneling
technologies and have decided to implement an ISATAP router.

Exercise Overview
In this exercise, you will enable and configure an ISATAP router interface that will
allow two-way communication between the IPv4 and IPv6 networks.

The main tasks are as follows:


1. Add the ISATAP entry in the Domain Name System (DNS) zone.
2. Configure the ISATAP router on NYC-SVR1.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity.

Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1


1. On NYC-DC1, click Start, click Administrative Tools, and then click DNS.
2. In the left pane, expand NYC-DC1.
3. Expand Forward Lookup Zones, select and then right-click
Woodgrovebank.com, and then click New host (A or AAAA).
4. In the New Host dialog box, type ISATAP in the Name text box, and then type
the IP address 10.10.0.24 (for NYC-SVR1).
5. Click Add Host and then click OK.
6. Click Done and then close the DNS Manager.

Task 2: Configure the ISATAP router on NYC-SVR1


1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands, and then press
ENTER:
• Netsh interface ipv6 isatap set router 10.10.0.24
• netsh interface ipv6 set interface "Local Area Connection* 8" forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:10::/64 "Local Area Connection* 8" publish=yes
(This represents the route for the logical ISATAP network.)
3. Restart NYC-SVR1 and then log on as Administrator with the password of
Pa$$w0rd.
4. Click Start and then click Command Prompt.
5. At the command prompt, type ipconfig and then press ENTER. The Tunnel
adapter Local Area Connection* 8 will display an IPv6 address in the
2001:db8:0:10 range.

Task 3: Enable the ISATAP interface on NYC-DC1


1. On NYC-DC1, click Start, and then click Command prompt.
2. At the command prompt, type the following commands:
• Netsh interface isatap set router 10.10.0.24
• Ipconfig
Notice that the Tunnel adapter Local Area Connection 8 (which is the ISATAP
adapter) has automatically received an IPv6 address from the ISATAP router.

Task 4: Test connectivity


1. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
2. At the command prompt, type the following commands:
• Ping 2001:db8:0:10:0:5efe:10.10.0.10
• IPconfig
Note the IPv6 address (global address begins with 2001:)

3. On NYC-SVR1, click Start, click Control Panel, and then double-click
Network and Sharing Center. In the left pane, click Manage network
connections. In the Network Connections window, right-click Local Area
Connection, and then click Properties. In the Properties window, enable
Internet Protocol Version 6 (TCP/IPv6), and then click OK.
4. In the Network Connections window, right-click Local Area Connection 2,
and then click Properties. In the Local Area Connection Properties window,
enable Internet Protocol Version 4 (TCP/IPv4), and then click OK.
5. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
6. At the command prompt, type the following command:
• Ping IPv6 address
(Where IPv6 address is the IPv6 address that was noted in Step 2.)

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-
DC1, NYC-SVR1, and then NYC-CL1.
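
The address pinged in Task 4, 2001:db8:0:10:0:5efe:10.10.0.10, is the ISATAP prefix followed by the interface identifier 0:5efe and the host's IPv4 address. The following Python is an added example, not part of the courseware, that builds such addresses and recognizes them in a list of observed addresses; the function names and the sample list are constructed, and the 0x0200 flag for globally unique IPv4 addresses comes from RFC 5214 rather than from this page.

```python
import ipaddress

ISATAP_MARK = 0x5EFE   # second 16 bits of every ISATAP interface identifier
U_BIT = 0x0200         # first 16 bits: set when the IPv4 address is globally unique
LOW64 = (1 << 64) - 1


def isatap_address(prefix, ipv4, globally_unique=False):
    """Combine a /64 prefix and an IPv4 address into an ISATAP address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    high = U_BIT if globally_unique else 0
    iid = (high << 48) | (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(address):
    """Return the IPv4 tunnel endpoint inside an ISATAP address, else None."""
    value = int(ipaddress.IPv6Address(address.split("%")[0]))  # drop zone index
    iid = value & LOW64
    if (iid >> 32) & 0xFFFF != ISATAP_MARK or (iid >> 48) not in (0, U_BIT):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def review_addresses(addresses, tunnel_network="10.10.0.0/16"):
    """Label each IPv6 address as native or ISATAP and check the endpoint.

    Returns {address: (kind, endpoint)} where kind is "native", "isatap", or
    "isatap-unexpected-endpoint" (IPv4 endpoint outside tunnel_network).
    """
    allowed = ipaddress.IPv4Network(tunnel_network)
    report = {}
    for text in addresses:
        endpoint = embedded_ipv4(text)
        if endpoint is None:
            report[text] = ("native", None)
        elif endpoint in allowed:
            report[text] = ("isatap", str(endpoint))
        else:
            report[text] = ("isatap-unexpected-endpoint", str(endpoint))
    return report


# Constructed list of addresses, as might be collected from ipconfig output.
OBSERVED = [
    "2001:db8:0:10:0:5efe:10.10.0.10",    # NYC-DC1 behind the ISATAP router
    "fe80::5efe:10.10.0.24%12",           # link-local on the router's tunnel adapter
    "2001:db8:0:1:a1b2:c3d4:e5f6:789",    # native address on the IPv6 subnet
    "2001:db8:0:10:0:5efe:192.168.1.20",  # endpoint outside the IPv4 network
]

if __name__ == "__main__":
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.10"))
    for address, result in review_addresses(OBSERVED).items():
        print(address, result)
```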

Important: Do not turn off the virtual machines at this time because you will
need them to complete the next lab.

Lab B: Converting the Network


Exercise 1: Transitioning to an IPv6-Only Network
Scenario
You are responsible for performing a test of the IPv6 transition plan. To
accomplish this, you will transition computers from the previous network, which
uses both IPv4 and IPv6, to an IPv6-only network.

Exercise Overview
In this exercise, you will migrate the IPv4 network to be fully IPv6 capable.

The main tasks are as follows:


1. Disable the ISATAP router on NYC-SVR1.
2. Configure the native IPv6 router on NYC-SVR1.
3. Disable IPv4 connectivity.
4. Test connectivity between each IPv6 subnet.
5. Reconfigure the network adapters.
6. Close all virtual machines and discard undo disks.

Task 1: Disable the ISATAP router on NYC-SVR1


1. On NYC-SVR1, click Start and then click Command Prompt.
2. At the command prompt, type the following commands:
• netsh interface ipv6 set interface "Local Area Connection* 8" forwarding=disabled advertise=disabled
• netsh interface ipv6 delete route 2001:db8:0:10::/64 "Local Area Connection* 8"

Task 2: Configure the native IPv6 router on NYC-SVR1


• On NYC-SVR1, at the command prompt, type the following commands:
• netsh interface ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled
• netsh interface ipv6 add route 2001:db8:0:0::/64 "Local Area Connection" publish=yes

Task 3: Disable IPv4 connectivity


1. On NYC-SVR1, click Start and then click Control Panel.
2. In Control Panel, double-click Network and Sharing Center.
3. In the left pane, click Manage network connections.
4. In the Network Connections box, right-click Local Area Connection and
then click Properties.
5. Clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click
OK. Close all open windows.
6. On NYC-DC1, click Start, and then click Control Panel.
7. In Control Panel, double-click Network and Sharing Center.
8. In the left pane, click Manage network connections.
9. In the Network Connections box, right-click Local Area Connection, and
then click Properties.
10. Enable the check box next to Internet Protocol Version 6 (TCP/IPv6).
11. Clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click
OK. Close all open windows.

Task 4: Test connectivity between each IPv6 subnet


1. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
2. At the command prompt, type the following command:
• IPconfig/all
Note the new IPv6 address (global address begins with 2001:) assigned to the
local area connection. Write down the IPv6 address in the space below:
NYC-DC1 IPv6 address: _____________________________________________
3. On NYC-CL1, click Start, click All Programs, click Accessories, and then click
Command prompt.
4. At the command prompt, type the following commands:
• Ping global IP address
(Where global IP address is the global IP address that was noted in Step
2.)
• IPconfig/all
Note the IPv6 address (global address begins with 2001:) assigned to the local
area connection. Write down the IPv6 address in the space below:
NYC-CL1 IPv6 address: _____________________________________________
5. On NYC-DC1, click Start, click All Programs, click Accessories, and then
click Command prompt.
6. At the command prompt, type the following command:
• Ping global IP address
(Where global IP address is the global IPv6 address that was noted in
Step 4.)

Note: If the IP addresses do not resolve, reboot the servers starting with NYC-
DC1, NYC-SVR1, and then NYC-CL1.

Task 5: Reconfigure the Network Adapters


1. To have the appropriate setup for future labs, you must configure the
following before starting the virtual machines:
2. On the host machine, open the Virtual Server Administration Web site.
3. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-SVR1.
4. Under “6421A-NYC-SVR1” Configuration, click Network adapters.
5. Under Virtual network adapter 2, click the drop-down arrow, select Internal
Network, and then click OK.
6. In the left pane, under Virtual Machines, point to Configure, and then click
6421A-NYC-CL1.
7. Under “6421A-NYC-CL1” Configuration, click Network adapters.
8. Under Virtual network adapter 1, click the drop-down arrow, select Internal
Network, and then click OK.

Task 6: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 6
Lab Answer Key: Configuring and
Troubleshooting Routing and Remote Access
Contents:
Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Exercise 2: Configuring a Custom Network Policy
Exercise 3: Configuring Logging
Exercise 4: Configuring a Connection Profile

Lab: Configuring and Managing Network Access

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Install the Network Policy and Access Services role on 6421A-NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. From the Administrative Tools menu, click Server Manager. The Server
Manager opens.
3. In the Server Manager (NYC-SVR1) list pane, right-click Roles and click Add
Roles from the context menu. The Add Roles Wizard appears. Click Next.
4. On the Select Server Roles page, select Network Policy and Access Services
and then click Next.
5. On the Network Policy and Access Service introduction page, click Next.
6. On the Select Role Services page, select Network Policy Server and Routing
and Remote Access Services, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close.
9. Close the Server Manager. The Network Policy and Routing and Remote
Access Services roles are installed on 6421A-NYC-SVR1.

Important: Do not log off or shut down the virtual machines at this point.

Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. From the Administrative Tools menu, click Routing and Remote Access. The
Routing and Remote Access administrative tool appears.
3. In the list pane, select and right-click NYC-SVR1 (Local), and then click
Configure and Enable Routing and Remote Access.
4. Click Next on the wizard Welcome page.
5. On the Configuration page, leave the default Remote Access (dial-up or
VPN) selected, and click Next.
6. On the Remote Access page, select the VPN option, and click Next.
7. On the VPN Connection page, select the Local Area Connection 2 interface,
and then click Next.
8. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP
address box, type the following value 192.168.1.100. In the Number of
addresses box, type the value of 75, and click OK. Click Next.
10. On the Managing Multiple Remote Access Servers page, leave the default
selection No, use Routing and Remote Access to authenticate connection
requests, and click Next. Click Finish.
11. In the Routing and Remote Access dialog box, click OK.
12. In the Routing and Remote Access dialog box regarding the DHCP Relay
agent, click OK. The Routing and Remote Access service starts.

Task 4: Configure available VPN ports on the RRAS server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-
SVR1, select and then right-click Ports, and then click Properties.
2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).
3. In the Configure Device – WAN Miniport (SSTP) dialog box, assign a value
of 0 in the Maximum ports box, and then click OK.
4. In the Routing and Remote Access dialog box, click Yes to continue.
5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and
in the Configure Device – WAN Miniport (PPTP) dialog box, assign a value
of 25 in the Maximum ports box, and then click OK.
6. In the Routing and Remote Access dialog box, click Yes to continue.
7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).
8. Click OK in the Ports Properties dialog box.
9. Refresh the details pane to view the results.
10. Close the Routing and Remote Access administrative tool.

Exercise 2: Configuring a Custom Network Policy

Task 1: Open the Network Policy Server management tool on 6421A-NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Network Policy Server. The
Network Policy Server administrative tool appears.

Task 2: Create a new network policy for RRAS clients
1. In the list pane, expand Policies, right-click Network Policies, and then click
New.
2. On the New Network Policy – Specify Network Policy Name and
Connection Type page, type Secure VPN in the Policy Name text box, and in
the Type of network access server drop-down list, click Remote Access
Server (VPN-Dial up), and then click Next.
3. On the Specify Conditions page, click Add. On the Select Condition dialog
box, scroll down and double-click Tunnel Type. In the Tunnel Type dialog
box, select L2TP and PPTP, click OK, and then click Next.
4. On the Specify Access Permission page, leave the default of Access Granted,
and click Next.
5. On the Configure Authentication Methods page, deselect Microsoft
Encrypted Authentication (MS-CHAP), and then click Next.
6. On the Configure Constraints page, under Constraints, select Day and time
restrictions, and in the details pane, select Allow access only on these days
and at these times, and click Edit. Change the Time of day constraints to
deny access from 11PM to 6AM Monday through Friday, click OK, and then
click Next.
7. In the Configure Settings dialog box, under Settings, click Encryption, and in
the details pane, deselect all settings except Strongest encryption (MPPE 128-
bit). Click Next, and then click Finish.
8. In the list pane of the Network Policy Server tool, click the Network Policies
node.
9. Right-click the Secure VPN policy, and then click Move Up. Repeat this step to
make the policy the first in the list.
10. Close the Network Policy Server tool.
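
How the Secure VPN policy from Task 2 decides a connection request, and why step 9 moves it to the top of the list: an added Python model, not part of the original lab and not NPS code. It assumes that policies are processed top to bottom, that the first policy whose conditions match decides the request, and that a failed constraint rejects the request without trying later policies; the reading of the day-and-time grid, MS-CHAP v2 remaining selected, the catch-all policy, and the sample requests are all assumptions constructed for the example.

```python
"""Added model (not lab or NPS code) of network-policy processing for the
Secure VPN policy created in Exercise 2, Task 2."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """Constructed connection-request attributes."""
    tunnel_type: str     # "PPTP", "L2TP" or "SSTP"
    auth_method: str     # "MS-CHAP" or "MS-CHAP-v2"
    when: datetime       # local time at the policy server


def secure_vpn_hours(when: datetime) -> bool:
    """Assumed reading of step 6: Monday-Friday, 23:00-23:59 and 00:00-05:59
    are denied; every other hour of the week is allowed."""
    is_weekday = when.weekday() < 5              # Monday=0 ... Friday=4
    in_denied_hours = when.hour >= 23 or when.hour < 6
    return not (is_weekday and in_denied_hours)


def any_time(when: datetime) -> bool:
    return True


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    tunnel_types: FrozenSet[str]                 # condition; empty matches any
    grant: bool                                  # access permission (step 4)
    auth_methods: FrozenSet[str] = frozenset()   # constraint (step 5)
    hours_ok: Callable[[datetime], bool] = any_time  # constraint (step 6)


def evaluate(policies: List[NetworkPolicy],
             req: Request) -> Tuple[str, Optional[str], str]:
    """Return (decision, deciding policy, reason)."""
    for policy in policies:                      # list order = processing order
        if policy.tunnel_types and req.tunnel_type not in policy.tunnel_types:
            continue                             # conditions not met: next policy
        if not policy.grant:
            return ("reject", policy.name, "access permission is deny")
        # A failed constraint rejects the request; later policies are not tried.
        if req.auth_method not in policy.auth_methods:
            return ("reject", policy.name, "authentication method not allowed")
        if not policy.hours_ok(req.when):
            return ("reject", policy.name, "outside permitted day and time")
        return ("accept", policy.name, "conditions and constraints satisfied")
    return ("reject", None, "no policy matched")


SECURE_VPN = NetworkPolicy(
    name="Secure VPN",
    tunnel_types=frozenset({"L2TP", "PPTP"}),
    grant=True,
    # Assumption: MS-CHAP v2 stays selected once MS-CHAP is deselected.
    auth_methods=frozenset({"MS-CHAP-v2"}),
    hours_ok=secure_vpn_hours,
)
# Hypothetical catch-all standing in for whatever other policies are listed.
CATCH_ALL_DENY = NetworkPolicy("Catch-all deny (constructed)", frozenset(), False)

MONDAY_10AM = datetime(2024, 1, 8, 10, 0)        # constructed timestamps
MONDAY_1130PM = datetime(2024, 1, 8, 23, 30)
SATURDAY_1130PM = datetime(2024, 1, 13, 23, 30)


def demo() -> dict:
    ordered = [SECURE_VPN, CATCH_ALL_DENY]       # after "Move Up" in step 9
    misordered = [CATCH_ALL_DENY, SECURE_VPN]    # Secure VPN left below a deny
    ok = Request("PPTP", "MS-CHAP-v2", MONDAY_10AM)
    return {
        "weekday_daytime": evaluate(ordered, ok),
        "weekday_night": evaluate(ordered, Request("L2TP", "MS-CHAP-v2", MONDAY_1130PM)),
        "weekend_night": evaluate(ordered, Request("L2TP", "MS-CHAP-v2", SATURDAY_1130PM)),
        "legacy_auth": evaluate(ordered, Request("PPTP", "MS-CHAP", MONDAY_10AM)),
        "sstp_tunnel": evaluate(ordered, Request("SSTP", "MS-CHAP-v2", MONDAY_10AM)),
        "misordered": evaluate(misordered, ok),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```
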

Exercise 3: Configuring Logging

Task 1: Configure RRAS Logging on 6421A-NYC-SVR1 to log all events to the System log
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Routing and Remote Access.
2. In the Routing and Remote Access window list pane, right-click NYC-SVR1,
and then click Properties.
3. In the NYC-SVR1 (local) Properties dialog box, click the Logging tab.
4. On the Logging tab, click Log all events, and then click OK.
5. Close the Routing and Remote Access console.

Task 2: Test logging levels
1. Log on to NYC-CL1 with a user name of Woodgrovebank\administrator and
the password Pa$$w0rd.
2. Click Start, and then click Network.
3. In the Network window, click Network and Sharing Center.
4. In the Network and Sharing Center window, under Tasks, click Set up a
connection or network. In the Choose a connection option dialog box, click
Connect to a workplace, and then click Next.
5. In the Connect to a workplace dialog box, select the Use my Internet
connection (VPN) option. When prompted, select I’ll set up an Internet
connection later.
6. In the Type the Internet address to connect to dialog box, specify an Internet
address of 10.10.0.24 and a Destination Name of Woodgrovebank VPN, and
then click Next.
7. On the Type your user name and password page, leave the user name and
password blank, and then click Create.
8. Click Close in the Connect to a Workplace dialog box.
9. Under Tasks in the Network and Sharing Center window, click Manage
network connections.
10. On the Network Connections page, under Virtual Private Network, right-
click WoodgroveBank VPN, and then click Connect.
11. Use the following information in the Connect Woodgrovebank VPN text
boxes, and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Woodgrovebank
The VPN connects successfully.
12. Right-click Woodgrovebank VPN, and click Disconnect. The VPN
disconnects.
13. Close all open windows on NYC-CL1.
14. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Event Viewer.
15. In Event Viewer, expand Windows Logs, and select System from the list pane.
Review the entries from the source RemoteAccess to see the logged data.
16. Close Event Viewer on NYC-SVR1.

Exercise 4: Configuring a Connection Profile

Task 1: Install the Connection Manager Administration Kit
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In the list pane of Server Manager, right-click Features, and click Add
Features.
3. On the Select Features page, select Connection Manager Administration Kit,
and click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, click Close.
6. Close Server Manager on NYC-SVR1.

Task 2: Use the CMAK to create a distributable executable to automate creation of connection objects for users
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Connection Manager Administration Kit.
2. On the Welcome page of the Connection Manager Administration Kit wizard,
click Next.
3. On the Select the Target Operating System page, leave the default setting of
Windows Vista, and then click Next.
4. On the Create or Modify a Connection Manager profile page, click Next.
5. On the Specify the Service Name and the File Name page, use
WOODGROVEBANK VPN for the Service name and CORP_VPN for the File
name. Click Next.
6. On the Specify a Realm Name page, click Next.
7. On the Merge Information from Other Profiles page, click Next.
8. On the Add Support for VPN Connections page, select Phone book from
this profile, and specify to Always use the same VPN server with an IP
address of 10.10.0.24, and then click Next.
9. On the Create or Modify a VPN Entry page, click Next.
10. On the Add a custom Phone Book page, deselect Automatically download
phone book updates, and then click Next.
11. On the Configure Dial-up Networking Entries page, click Next.
12. On the Specify Routing Table Updates page, click Next.
13. On the Configure Proxy Settings for Internet Explorer page, click Next.
14. On the Add Custom Actions page, click Next.
15. On the Display a Custom Logon Bitmap page, click Next.
16. On the Display a Custom Phone Book Bitmap page, click Next.
17. On the Display Custom Icons page, click Next.
18. On the Include a Custom Help File page, click Next.
19. On the Display Custom Support Information page, click Next.
20. On the Display a Custom License Agreement page, click Next.
21. On the Install Additional Files with the Connection Manager profile page,
click Next.
22. On the Build the Connection Manager Profile and its Installation Program
page, click Next.
23. On the Your Connection Manager Profile is Complete and Ready to
Distribute page, click Finish.
24. On NYC-SVR1, copy the CORP_VPN folder from the
C:\Program Files\CMAK\Profiles\Vista\ location to the \\NYC-DC1\Module6
location. To do this, on NYC-SVR1, go to Start/Computer/Local Disk (C:)/Program
Files/CMAK/Profiles/Vista/CORP_VPN, select the CORP_VPN folder, right-click it,
and then click Copy. Click Start, type \\NYC-DC1\Module6 in the Start Search
box, and then press ENTER. In the Module6 (\\NYC-DC1) page, right-click, and
then click Paste.

Task 3: Install and test the CMAK profile
1. On NYC-CL1, click Start, point to All Programs, point to Accessories, and
then click Run. In the Run dialog box, type \\NYC-DC1\Module6\, and then
click OK.
2. In the CORP_VPN folder, double-click CORP_VPN.exe.
3. In the Do you wish to install WOODGROVEBANK VPN? dialog box, click
Yes.
4. In the WOODGROVEBANK VPN dialog box, select All users and Add a
shortcut on the desktop, and then click OK. The WOODGROVEBANK VPN
connection object opens.
5. In the WOODGROVEBANK VPN connection object, use the following
criteria, and then click Connect:
• User name: Administrator
• Password: Pa$$w0rd
• Logon Domain: Woodgrovebank
6. On the Set Network Location page, click Work, and then click Close.
7. Verify that the VPN connects successfully in Network Connections. After the
connection is successful, right-click the network icon, and then click
Disconnect.

Task 4: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 7
Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment

Lab: Configuring and Managing Network Policy Server

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Installing and Configuring the Network Policy Server Role Service

Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the Network Policy and Access Services role
1. On NYC-DC1, in the Server Manager list pane, right-click Roles, and select
Add Roles from the context menu. The Add Roles Wizard appears. Click Next.
2. On the Select Server Roles page, select Network Policy and Access Services,
and then click Next.
3. On the Network Policy and Access Services welcome page, click Next.
4. On the Select Role Services page, select Network Policy Server, and then
click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. The Network Policy Server role is installed
on NYC-DC1.
7. Close the Server Manager.
8. Do not log off or shut down the virtual PCs at this point.

Task 3: Register NPS in Active Directory®
1. On NYC-DC1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Network Policy Server. The
Network Policy Server administrative tool appears.
3. In the list pane, select and right-click NPS (Local), and then click Register
server in Active Directory.
4. Click OK in the Network Policy Server message box.
5. Click OK again in the Network Policy Server message box. The Network
Policy server is registered in Active Directory.

Task 4: Configure 6421A-NYC-DC1 to be a Remote Authentication Dial-In User Service (RADIUS) server for dial-up or VPN connections
1. In the Network Policy Server management tool list pane, click NPS (Local).
2. In the Getting Started details pane, open the drop-down list under Standard
Configuration, and then click RADIUS server for Dial-Up or VPN
Connections.
3. Under RADIUS server for Dial-Up or VPN Connections, click Configure VPN
or Dial-Up.
4. In the Configure VPN or Dial-Up dialog box, select Virtual Private Network
(VPN) Connections, accept the default name, and then click Next.
5. In the RADIUS clients dialog box, click Add.
6. In the New RADIUS Client dialog box, type NYC-SVR1 in the Friendly Name
text box, and then click Verify.
7. In the Verify Client dialog box, type the address NYC-SVR1, click Resolve,
and then click OK.
8. In the New RADIUS Client dialog box, specify and confirm the shared secret
of Pa$$w0rd, and then click OK.
9. In the Specify Dial-Up or VPN Server dialog box, click Next.
10. In the Configure Authentication Methods dialog box, select Extensible
Authentication Protocol and MS-CHAPv2, and then click Next.
11. On the Specify User Groups page, click Next.
12. On the Specify IP Filters page, click Next.
13. On the Specify Encryption Settings page, deselect Basic encryption and
Strong encryption, and then click Next.
14. On the Specify a Realm Name page, click Next.
15. On the Completing New Dial-Up or Virtual Private Connections and
RADIUS clients page, click Finish.
16. Close the Network Policy Server administrative tool.

Exercise 2: Configuring a RADIUS Client

Task 1: Open the Server Manager tool on 6421A-NYC-SVR1
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Server Manager. The Server
Manager tool appears.

Task 2: Install the Routing and Remote Access Services (RRAS) role
1. In the Server Manager list pane, click Roles, and then click Add Roles. The
Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select Network Policy and Access Services,
and then click Next.
4. On the Network Policy and Access Services page, click Next.
5. On the Select Role Services page, select Routing and Remote Access
Services, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, verify Installation succeeded appears in the
details pane, and then click Close. The Routing and Remote Access Services
role is installed on NYC-SVR1.
8. Close the Server Manager window.
9. Do not log off or shut down the virtual PCs at this point.

Task 3: Configure 6421A-NYC-SVR1 as a VPN server with a static address pool for Remote Access clients, and specify RADIUS authentication and accounting
1. On NYC-SVR1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Routing and Remote Access. The
Routing and Remote Access tool appears.
3. In the list pane, select and right-click NYC-SVR1, and then click Configure
and Enable Routing and Remote Access.
4. On the Welcome page of the wizard, click Next.
5. On the Configuration page, leave the default Remote access (dial-up or
VPN) selected, and click Next.
6. On the Remote Access page, select the VPN option, and then click Next.
7. On the VPN Connection page, select the Local Area Connection 2 interface,
and then click Next.
8. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP
address box, type 192.168.1.100. In the Number of addresses box, type 75.
Click OK, and then click Next.
10. On the Managing Multiple Remote Access Servers page, select Yes, set up
this server to work with a RADIUS server, and then click Next.
11. On the RADIUS Server Selection page, specify NYC-DC1 for the Primary
RADIUS server, specify Pa$$w0rd as the shared secret for the RADIUS server,
and then click Next.
12. On the Completing the Routing and Remote Access Server Setup Wizard
page, click Finish.
13. In the Routing and Remote Access message box, click OK. The Routing and
Remote Access service starts. NYC-SVR1 is configured as a VPN server with
RADIUS configured.
14. Close the Routing and Remote Access administrative tool.

Exercise 3: Configuring Certificate Auto-Enrollment

Task 1: Install and Configure Certificate Services on NYC-DC1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In Server Manager, right-click Roles, and then click Add Roles from the
context menu.
3. In the Add Roles Wizard window, click Next.
4. On the Select Server Roles page, select Active Directory Certificate Services,
and then click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, click Next.
7. On the Specify Setup Type page, click Next.
8. On the Specify CA Type page, click Next.
9. On the Set Up Private Key page, click Next.
10. On the Configure Cryptography for CA page, click Next.
11. On the Configure CA Name page, specify a name of WoodGroveBank-CA,
and then click Next.
12. On the Set Validity Period page, click Next.
13. On the Configure Certificate Database page, click Next.
14. On the Confirm Installation Selections page, click Install.
15. On the Installation Results page, click Close.
16. Close Server Manager.
17. On NYC-DC1, click Start, point to Administrative Tools, and then click
Certification Authority.
18. In the certsrv management console, expand WoodGroveBank-CA.
19. Right-click Certificate Templates, and then select Manage from the context
menu.
20. In the Certificate Templates Console details pane, right-click Computer, and
then choose Properties from the context menu.
21. In the Computer Properties dialog box, click the Security tab, and then select
Authenticated Users.
22. In the Permissions for Authenticated Users, select the Allow check box for
the Enroll permission, and then click OK.
23. Close the Certificate Template console, and then close the certsrv
management console.

Task 2: Open the Group Policy Management tool on 6421A-NYC-DC1 and configure automatic certificate enrollment
1. On NYC-DC1, click Start, and then click Administrative Tools.
2. On the Administrative Tools menu, click Group Policy Management. The
Group Policy Management tool appears.
3. In the Group Policy Management list pane, expand Forest:
WoodgroveBank.com, expand Domains, and then expand
WoodgroveBank.com.
4. In the list pane, under WoodgroveBank.com, right-click Default Domain
Policy and then click Edit.
5. On the Group Policy Management Editor page, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then expand Public Key Policies.
6. Right-click Automatic Certificate Request Settings, point to New, and then
click Automatic Certificate Request.
7. In the Welcome to the Automatic Certificate Request Setup Wizard dialog
box, click Next.
8. On the Certificate Template page, accept the default setting of Computer,
and then click Next.
9. On the Completing the Automatic Certificate Request Setup Wizard page,
click Finish.
10. Close the Group Policy Management Editor.
11. Close the Group Policy Management tool. Automatic certificate enrollment
now is configured for domain computers in the WoodgroveBank domain.
12. To verify automatic certificate enrollment, restart the 6421A-NYC-CL1 virtual
computer.
13. Log on as Administrator with the password Pa$$w0rd.
14. Click Start, type MMC in the Search box, and then press ENTER.
15. In the Console1 window, click File, and then click Add/Remove Snap-in.
16. In the Add or Remove Snap-ins box, select Certificates, and then click Add.
17. In the Certificates snap-in box, select Computer account, and then click
Next.
18. In the Select Computer box, select Local computer, and then click Finish.
19. Click OK to close the Add or Remove Snap-ins box.
20. In the Console1 window, expand Certificates (Local Computer).
21. Expand Personal, and then click Certificates. Notice that NYC-
CL1.WoodgroveBank.com is displayed. Also notice that WoodGroveBank-
CA issued the certificate. You now can use this certificate as an authentication
mechanism.

Task 3: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 8
Lab Answer Key: Configuring Network Access Protection

Contents:
Exercise 1: Configuring NAP for DHCP Clients
Exercise 2: Configuring NAP for VPN Clients

Lab: Configuring NAP for DHCP and VPN

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring Network Access Protection (NAP) for Dynamic Host Configuration Protocol (DHCP) Clients

Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-SVR1
• On 6421A-NYC-SVR1, open Server Manager from the Administrative Tools
menu.

Task 3: Install the Network Policy Server (NPS) and Dynamic Host Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, in Server Manager, right-click Roles, and then select Add Roles
from the context menu.
2. On the Before you Begin page, click Next.
3. On the Select Server Roles page, select the DHCP Server and Network Policy
and Access Services check boxes, and then click Next twice.
4. On the Select Role Services page, select the Network Policy Server check
box, and then click Next twice.
5. On the Select Network Connection Bindings page, verify that 10.10.0.24 is
selected, remove the check mark next to 192.168.1.10, and then click Next.
6. On the Specify DNS Server Settings page, verify that WoodGroveBank.com is
listed under Parent domain.
7. Type 10.10.0.10 under Preferred DNS server IP address, and then click
Validate. Verify that the result returned is Valid, and then click Next.
8. On the Specify IPv4 WINS Server Settings page, accept the default setting of
WINS is not required for applications on this network, and then click Next.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to
Starting IP Address, type 10.10.0.50; next to Ending IP Address, type
10.10.0.199; and next to Subnet Mask, type 255.255.0.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6
stateless mode for this server, and then click Next.
13. On the Authorize DHCP Server page, select Use current credentials. Verify
that WOODGROVEBANK\Administrator is displayed next to Username,
and then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Close the Server Manager window.

Task 4: Configure NYC-SVR1 as a NAP health policy server
1. On NYC-SVR1, open the Network Policy Server Management console from
the Start Menu, Administrative Tools location.
2. Configure SHVs:
a. Expand Network Access Protection, and then click System Health
Validators.
b. In the middle pane under Name, double-click Windows Security Health
Validator.
c. In the Windows Security Health Validator Properties dialog box, click
Configure.
d. On the Windows Vista™ tab, clear all check boxes except A firewall is
enabled for all network connections.
e. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
3. Configure remediation server groups:
a. In the console tree, under Network Access Protection, right-click
Remediation Server Groups, and then click New.
b. Under Group Name, type Rem1.
c. Next to Remediation Servers, click Add.
d. In the Add New Server dialog box, under IP address or DNS name, type
10.10.0.10, and then click OK twice.
4. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy Name, type
Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is
selected.
e. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
f. Right-click Health Policies, and then click New.
g. In the Create New Health Policy dialog box, under Policy Name, type
Noncompliant.
h. Under Client SHV checks, select Client fails one or more SHV checks.
i. Under SHVs used in this health policy, select the Windows Security
Health Validator check box, and then click OK.
5. Configure a network policy for compliant computers:
a. In the console tree, under Policies, click Network Policies.
b. Disable the two default policies under Policy Name by right-clicking the
policies, and then clicking Disable for each.
c. Right-click Network Policies, and then click New.
d. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Compliant-Full-Access, and then click Next.
e. In the Specify Conditions window, click Add.
f. In the Select condition dialog box, double-click Health Policies.
g. In the Health Policies dialog box, under Health Policies, select
Compliant, and then click OK.
h. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Compliant, and then click Next.
i. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.
j. In the Configure Authentication Methods window, select Perform
machine health check only. Clear all other check boxes, and then click
Next.
k. In the Configure Constraints window, click Next.
l. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish to
complete configuration of your network policy for compliant client
computers.
6. Configure a network policy for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
f. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is
selected, and then click Next.

Note: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that clients matching these
conditions will be granted an access level that the policy determines.

h. In the Configure Authentication Methods window, select Perform
machine health check only. Clear all other check boxes, and then click
Next.
i. In the Configure Constraints window, click Next.
j. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access, and verify that Enable auto-remediation of client
computers is selected.
k. Click Next, and then click Finish. This completes configuration of your
NAP network policies. Close the Network Policy Server console.

Task 5: Configure DHCP service for NAP enforcement
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
DHCP.
2. In the DHCP console, expand nyc-svr1.woodgrovebank.com, and then
expand IPv4.
3. Select and then right-click Scope[10.10.0.0]NAP Scope, and then click
Properties.
4. On the Network Access Protection tab, select Enable for this scope, and
verify that Use default Network Access Protection profile is selected, and
then click OK.
5. In the DHCP console, expand Scope[10.10.0.0]NAP Scope, select and right-
click Scope Options, and then click Configure Options.
6. On the Advanced tab, next to User class, verify that Default User Class is
selected.
7. Under Available Options, select the 003 Router check box, type 10.10.0.1 in
IP Address, and then click Add.
8. Select the 015 DNS Domain Name check box, type Woodgrovebank.com in
String value, and then click OK. The Woodgrovebank.com domain is a full-
access network assigned to compliant NAP clients.
9. In the DHCP console, right-click Scope Options, and then click Configure
Options.
10. On the Advanced tab, next to User class, select Default Network Access
Protection Class.
11. Select the 006 DNS Servers check box, type 10.10.0.10 in IP Address, and
then click Add.
12. Select the 015 DNS Domain Name check box, type
restricted.Woodgrovebank.com in String value, and then click OK. The
restricted.woodgrovebank.com domain is a restricted-access network assigned
to noncompliant NAP clients.
13. Close the DHCP console.

Task 6: Configure NYC-CL1 as DHCP and NAP client


1. On NYC-CL1, enable Security Center:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type mmc, and then press ENTER.
c. On the File menu, click Add/Remove Snap-in.
d. In the Add or Remove Snap-ins dialog box, under Available snap-ins,
click Group Policy Object Editor, and then click Add.
e. In the Select Group Policy Object dialog box, click Finish, and then click
OK.
f. In the console tree, expand Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
g. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
h. Close the console window. When prompted to save settings, click No.
2. Enable the DHCP enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click DHCP Quarantine Enforcement Client,
and then click Enable.
e. Close the NAP Client Configuration console.
3. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Maintenance, and then
click Administrative Tools.
b. Double-click Services.
c. In the services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties (Local Computer)
dialog box, change the Startup type to Automatic, and then click Start.
e. Wait for the NAP agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools and
System and Maintenance windows.
4. Configure NYC-CL1 for DHCP address assignment:
a. Click Start, and then click Control Panel.
b. Click Network and Internet, click Network and Sharing Center, and
then click Manage network connections.
c. Right-click Local Area Connection, and then click Properties.
d. In the Local Area Connection Properties dialog box, clear the Internet
Protocol Version 6 (TCP/IPv6) check box. This reduces the lab’s
complexity, particularly for those who are not familiar with IPv6.
e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
f. Verify that Obtain an IP address automatically and Obtain DNS server
address automatically are selected.
g. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
h. Close the Network Connections and Network and Sharing Center
windows.
i. Restart NYC-CL1. After the computer restarts, log on as Administrator
with the password of Pa$$w0rd.

Task 7: Test NAP Enforcement


1. Verify DHCP assigned address and current Quarantine State:
a. On NYC-CL1, click Start, click All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
b. At the command prompt, type ipconfig /all, and then press ENTER.
c. Verify the connection-specific DNS suffix of Woodgrovebank.com and a
Quarantine State of Not Restricted.
2. Configure the System Health Validator policy to require antivirus software:
a. On NYC-SVR1, open the Network Policy Server console.
b. Expand Network Access Protection, and then click System Health
Validators.
c. Under Name, in the details pane, double-click Windows Security Health
Validator.
d. In the Windows Security Health Validator Properties dialog box, click
Configure.
e. In the Windows Security Health Validator dialog box, under Virus
Protection, select the An antivirus application is on check box.
f. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
3. Verify the restricted network on NYC-CL1:
a. On NYC-CL1, click Start, click All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
b. At the command prompt, type ipconfig /release.
c. At the command prompt, type ipconfig /renew.
d. Verify the Connection-specific DNS suffix is now
restricted.woodgrovebank.com.
e. Close the command window, and double-click the Network Access
Protection icon in the system tray. Notice it tells you the computer is not
compliant with requirements of the network.
f. Click Close.
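
The two indicators checked in Task 7 (the connection-specific DNS suffix and the Quarantine State shown by ipconfig /all) can be checked together by script. The following Python is an added example, not part of the courseware; the sample output is constructed, and its exact field layout is an assumption.

```python
import re

# Constructed samples, not captured from the lab. The field layout is an
# assumption; the field names and values are the ones Task 7 tells you to check.
SAMPLE_COMPLIANT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL1
   System Quarantine State . . . . . : Not Restricted

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Woodgrovebank.com
   DHCP Enabled. . . . . . . . . . . : Yes
   Quarantine State. . . . . . . . . : Not Restricted
"""

SAMPLE_NONCOMPLIANT = SAMPLE_COMPLIANT.replace(
    "Not Restricted", "Restricted"
).replace("Woodgrovebank.com", "restricted.woodgrovebank.com")

# Health state says Restricted, but the suffix is still the full-access one.
SAMPLE_MISMATCH = SAMPLE_COMPLIANT.replace("Not Restricted", "Restricted")

# "   Key . . . . : value" lines; the dot leaders are padding, not part of the key.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Split ipconfig /all output into {section: {lower-cased key: value}}."""
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented lines start a section (global block or an adapter).
            current = line.strip().rstrip(":")
            sections[current] = {}
            continue
        match = FIELD.match(line)
        if match and current is not None:
            key = match.group("key").strip().lower()
            sections[current][key] = match.group("value").strip()
    return sections


def nap_verdict(text, full="woodgrovebank.com",
                restricted="restricted.woodgrovebank.com"):
    """Return 'full', 'restricted' or 'inconsistent'.

    'inconsistent' means the quarantine state and the DHCP-assigned DNS
    suffix disagree, or one of them is missing from the output.
    """
    suffix = None
    states = set()
    for fields in parse_ipconfig(text).values():
        for key, value in fields.items():
            if key == "connection-specific dns suffix" and value and suffix is None:
                suffix = value.lower()  # first adapter that has a suffix
            elif key.endswith("quarantine state"):
                states.add(value.lower())
    if states == {"not restricted"} and suffix == full:
        return "full"
    if states == {"restricted"} and suffix == restricted:
        return "restricted"
    return "inconsistent"


if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT),
                         ("noncompliant", SAMPLE_NONCOMPLIANT),
                         ("mismatch", SAMPLE_MISMATCH)):
        print(name, "->", nap_verdict(sample))
```

On a real client, pass the captured text of ipconfig /all to nap_verdict instead of the constructed samples.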

Note: Click the Reset button before starting Exercise 2, and log on to each
virtual machine as Woodgrovebank\Administrator with the password
Pa$$w0rd.

Exercise 2: Configuring NAP for VPN Clients


Task 1: Configure NYC-DC1 as an Enterprise Root CA
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. Under Roles Summary, click Add Roles.
3. On the Before you Begin page, click Next.
4. Select the Active Directory Certificate Services check box, and then click
Next twice.
5. On the Select Role Services page, click Next.
6. On the Specify Setup Type page, select Enterprise, and then click Next.
7. On the Specify CA Type page, select Root CA, and then click Next.
8. On the Set Up Private Key page, click Next.
9. On the Configure Cryptography for CA page, click Next.
10. On the Configure CA Name page, specify a name of Root CA, and then click
Next.
11. On the Set Validity Period page, click Next.
12. On the Configure Certificate Database page, click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, verify the installation succeeded, and then
click Close.
15. Close the Server Manager window.
16. On NYC-DC1, click Start, point to Administrative Tools, and then click
Certification Authority.
17. In the certsrv management console, expand Root CA, right-click Certificate
Templates, and then select Manage from the context menu.
18. In the Certificate Templates console details pane, right-click Computer, and
then choose Properties from the context menu.
19. Click on the Security tab in the Computer Properties dialog box, and then
select Authenticated Users.
20. In the permissions for Authenticated Users, select the Allow check box for
the Enroll permission, and then click OK.
21. Close the Certificate Template Console, and then close the certsrv
management console.

Task 2: Configure NYC-SVR1 with NPS functioning as a health policy server
1. Restart NYC-SVR1 and log on as Woodgrovebank\administrator with the
password Pa$$w0rd.
2. Obtain computer certificate on NYC-SVR1 for server-side PEAP authentication:
a. Click Start, click Run, type mmc, and then press ENTER.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add,
select Computer account, click Next, and then click Finish.
d. Click OK to close the Add or Remove Snap-ins dialog box.
e. In the console tree, expand Certificates, right-click Personal, point to All
Tasks, and then click Request New Certificate.
f. The Certificate Enrollment dialog box opens. Click Next.
g. Select the Computer check box, and then click Enroll.
h. Verify the status of certificate installation as Succeeded, and then click
Finish.
i. Close the Console1 window.
j. Click No when prompted to save console settings.
3. Install the NPS Server role:
a. On NYC-SVR1, click Start, click Administrative Tools, and then click
Server Manager.
b. Under Roles Summary, click Add Roles, and then click Next.
c. Select the Network Policy and Access Services check box, and then click
Next twice.
d. Select the Network Policy Server and Remote Access Service check
boxes, click Next, and then click Install.
e. Verify the installation was successful, and then click Close.
f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
a. Click Start, click Run, type nps.msc, and then press ENTER.
b. Expand Network Access Protection, and then click System Health
Validators.
c. In the middle pane under Name, double-click Windows Security Health
Validator.
d. In the Windows Security Health Validator Properties dialog box, click
Configure.
e. On the Windows Vista tab, clear all check boxes except A firewall is
enabled for all network connections.
f. Click OK to close the Windows Security Health Validator dialog box,
and then click OK to close the Windows Security Health Validator
Properties dialog box.
5. Configure health policies:
a. Expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, under Policy Name, type
Compliant.
d. Under Client SHV checks, verify that Client passes all SHV checks is
selected.
e. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
f. Click OK.
g. Right-click Health Policies, and then click New.
h. In the Create New Health Policy dialog box, under Policy Name, type
Noncompliant.
i. Under Client SHV checks, select Client fails one or more SHV checks.
j. Under SHVs used in this health policy, select the Windows Security
Health Validator check box.
k. Click OK.
6. Configure network policies for compliant computers:
a. Ensure Policies is expanded.
b. Click Network Policies.
c. Disable the two default policies found under Policy Name by right-
clicking the policies, and then clicking Disable.
d. Right-click Network Policies, and then click New.
e. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Compliant-Full-Access, and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition dialog box, double-click Health Policies.
h. In the Health Policies dialog box, under Health policies, select
Compliant, and then click OK.
i. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Compliant, and then click Next.
j. In the Specify Access Permission window, verify that Access granted is
selected.
k. Click Next three times.
l. In the Configure Settings window, click NAP Enforcement. Verify that
Allow full network access is selected, and then click Next.
m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
a. Right-click Network Policies, and then click New.
b. In the Specify Network Policy Name and Connection Type window,
under Policy name, type Noncompliant-Restricted, and then click Next.
c. In the Specify Conditions window, click Add.
d. In the Select condition dialog box, double-click Health Policies.
e. In the Health Policies dialog box, under Health policies, select
Noncompliant, and then click OK.
f. In the Specify Conditions window, verify that Health Policy is specified
under Conditions with a value of Noncompliant, and then click Next.
g. In the Specify Access Permission window, verify that Access granted is
selected.

Note: A setting of Access granted does not mean that noncompliant clients
are granted full network access. It specifies that the policy should continue to
evaluate the clients matching these conditions.

h. Click Next three times.
i. In the Configure Settings window, click NAP Enforcement. Select Allow
limited access, and ensure Enable auto-remediation of client computers
is already selected.
j. In the Configure Settings window, click IP Filters.
k. Under IPv4, click Input Filters, and then click New.
l. In the Add IP Filter dialog box, select Destination network. Type
10.10.0.10 next to IP address, and then type 255.255.255.255 next to
Subnet mask. This step ensures that traffic from noncompliant clients can
reach only NYC-DC1.
m. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Inbound Filters dialog box.
n. Click OK to close the Inbound Filters dialog box.
o. Under IPv4, click Output Filters, and then click New.
p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10
next to IP address, and then type 255.255.255.255 next to Subnet mask.
q. Click OK to close the Add IP Filter dialog box, and then select Permit
only the packets listed below in the Outbound Filters dialog box. This
step ensures that only traffic from NYC-DC1 can be sent to noncompliant
clients.
r. Click OK to close the Outbound Filters dialog box.
s. In the Configure Settings window, click Next.
t. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
a. Click Connection Request Policies.
b. Disable the default Connection Request policy found under Policy Name
by right-clicking the policy, and then clicking Disable.
c. Right-click Connection Request Policies, and then click New.
d. In the Specify Connection Request Policy Name and Connection Type
window, under Policy name, type VPN connections.
e. Under Type of network access server, select Remote Access Server
(VPN-Dial up), and then click Next.
f. In the Specify Conditions window, click Add.
g. In the Select condition window, double-click Tunnel Type, select PPTP
and L2TP, click OK, and then click Next.
h. In the Specify Connection Request Forwarding window, verify that
Authenticate requests on this server is selected, and then click Next.
i. In the Specify Authentication Methods window, select Override network
policy authentication settings.
j. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Protected EAP (PEAP), and
then click OK.
k. Under EAP Types, click Add. In the Add EAP dialog box, under
Authentication methods, click Microsoft: Secured password (EAP-
MSCHAP v2), and then click OK.
l. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click
Edit.
m. Verify that Enable Quarantine checks is selected, and then click OK.
n. Click Next twice, and then click Finish.
9. Close the Network Policy Server console.
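
The input and output filters in step 7 are "permit only" lists, so the subnet mask typed into each filter decides how much of the intranet a noncompliant client can reach. The following Python is an added example, not part of the courseware: it is a simplified model of the filter behavior the steps describe, and the client address 10.10.0.100 is an assumed pick from the lab's VPN address range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IPFilter:
    """One row of the Add IP Filter dialog: optional source/destination network."""
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None

    def matches(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.source is not None and s not in self.source:
            return False
        if self.destination is not None and d not in self.destination:
            return False
        return True


def net(address, mask):
    """Build a network from the IP address and Subnet mask fields of the dialog."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def build_policy(mask="255.255.255.255"):
    """Filters from step 7: only NYC-DC1 (10.10.0.10) in either direction."""
    return {
        "input": [IPFilter(destination=net("10.10.0.10", mask))],   # client -> intranet
        "output": [IPFilter(source=net("10.10.0.10", mask))],       # intranet -> client
    }


def permitted(filters, src, dst):
    """'Permit only the packets listed below': default deny, allow on any match."""
    return any(f.matches(src, dst) for f in filters)


def reachable(policy, client, server):
    """A ping works only if the request passes the input filters
    and the reply passes the output filters."""
    return (permitted(policy["input"], client, server)
            and permitted(policy["output"], server, client))


def overly_broad(policy):
    """List filter networks that cover more than a single host."""
    wide = []
    for direction, filters in policy.items():
        for f in filters:
            for network in (f.source, f.destination):
                if network is not None and network.num_addresses > 1:
                    wide.append((direction, str(network)))
    return wide


if __name__ == "__main__":
    client = "10.10.0.100"  # assumed address from the VPN range
    for label, policy in (("mask 255.255.255.255", build_policy()),
                          ("mask 255.255.255.0", build_policy("255.255.255.0"))):
        print(label)
        for target in ("10.10.0.10", "10.10.0.24"):
            print("  ping", target, "->", reachable(policy, client, target))
        print("  filters wider than one host:", overly_broad(policy))
```

With the mask from the lab, only 10.10.0.10 answers. A mask of 255.255.255.0 in the same dialog would open the whole 10.10.0.0/24 subnet to restricted clients.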

Task 3: Configure NYC-SVR1 with the Routing and Remote Access
Service (RRAS) configured as a VPN server
1. On NYC-SVR1, click Start, click Run, type rrasmgmt.msc, and then press
ENTER.
2. In the Routing and Remote Access console, right-click NYC-SVR1, and then
click Configure and Enable Routing and Remote Access. This starts the
Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box, and then click Next.
5. Click the network interface with an IP address of 192.168.1.10. Clear the
Enable security on the selected interface by setting up static packet filters
check box, and then click Next. This ensures that NYC-SVR1 will be able to
ping NYC-DC1 when attached to the Internet subnet without requiring that
you configure additional packet filters for Internet Control Message Protocol
(ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of
addresses, and then click Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next
to Start IP address and 10.10.0.110 next to End IP address, and then click
OK. Verify that 11 IP addresses were assigned for remote clients, and then
click Next.
8. On the Managing Multiple Remote Access Servers page, ensure No, use
Routing and Remote Access to authenticate connection requests is already
selected, and then click Next.
9. Click Finish.
10. Click OK twice, and wait for the Routing and Remote Access Service to start.
11. Open the Network Policy Server console from the Administrative Tools
menu, ensure Policies is expanded, select Connection Request Policies, and
then disable the Microsoft Routing and Remote Access Service Policy by
right-clicking the policy and choosing Disable.
12. Close the Network Policy Server management console.
13. Close Routing and Remote Access.

Task 4: Allow ping on NYC-SVR1


1. Click Start, click Administrative Tools, and then click Windows Firewall
with Advanced Security.
2. Click Inbound Rules, right-click Inbound Rules, and then click
New Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and
then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected, and then
click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.
11. Close the Windows Firewall with Advanced Security console.

Task 5: Configure NYC-CL1 as a VPN and NAP client


1. Configure NYC-CL1 so that Security Center is always enabled:
a. Click Start, point to All Programs, click Accessories, and then click Run.
b. Type gpedit.msc, and then press ENTER.
c. In the console tree, click Local Computer Policy/Computer
Configuration/Administrative Templates/Windows
Components/Security Center.
d. Double-click Turn on Security Center (Domain PCs only), click
Enabled, and then click OK.
e. Close the Local Group Policy Object Editor console.
2. Enable the remote-access, quarantine-enforcement client:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type napclcfg.msc, and then press ENTER.
c. In the console tree, click Enforcement Clients.
d. In the details pane, right-click Remote Access Quarantine Enforcement
Client, and then click Enable.
e. Close the NAP Client Configuration window.
3. Enable and start the NAP agent service:
a. Click Start, click Control Panel, click System and Maintenance, and then
click Administrative Tools.
b. Double-click Services.
c. In the Services list, double-click Network Access Protection Agent.
d. In the Network Access Protection Agent Properties dialog box, change
the Startup type to Automatic, and then click Start.
e. Wait for the NAP Agent service to start, and then click OK.
f. Close the Services console, and then close the Administrative Tools, and
System and Maintenance windows.
4. Configure NYC-CL1 for the Internet network segment:
a. Click Start, right-click Network, and then click Properties.
b. Click Manage Network Connections.
c. Right-click Local Area Connection, and then click Properties.
d. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
e. Ensure Use the following IP address is already clicked. Next to IP
address, type 192.168.1.20. Next to Subnet mask, type 255.255.255.0.
Remove the Default gateway.
f. Next to Preferred DNS server, remove 10.10.0.10.
g. Click OK, and then click Close to close the Local Area Connection
Properties dialog box.
h. Close the Network Connections window.
5. Verify network connectivity for NYC-CL1:
a. Click Start, click All Programs, click Accessories, and then click Run.
b. Type cmd, and then press ENTER.
c. At the command prompt, type ping 192.168.1.10
d. Verify that the response reads “Reply from 192.168.1.10”
e. Close the command window.
6. Configure a VPN connection:
a. Click Start, click Control Panel, click Network and Internet, and then
click Network and Sharing Center.
b. Click Set up a connection or network.
c. On the Choose a connection option page, click Connect to a workplace,
and then click Next.
d. On the How do you want to connect page, click Use my Internet
connection (VPN).
e. Click I’ll set up an Internet connection later.
f. On the Type the Internet address to connect to page, next to Internet
address, type 192.168.1.10. Next to Destination name, type
Woodgrovebank. Select the Allow other people to use this connection
check box, and then click Next.
g. On the Type your user name and password page, type administrator
next to User name, and type Pa$$w0rd next to Password. Select the
Remember this password check box, type Woodgrovebank next to
Domain (optional), and then click Create.
h. On The connection is ready to use page, click Close.
i. In the Network and Sharing Center window, click Manage Network
Connections.
j. Under Virtual Private Network, right-click the WoodGroveBank
connection, click Properties, and then click the Security tab.
k. Select Advanced (custom settings), and then click Settings.
l. Under Logon security, select Use Extensible Authentication Protocol
(EAP), and then select Protected EAP (PEAP) (encryption enabled).
m. Click Properties.
n. Ensure that the Validate server certificate check box is already selected.
Clear the Connect to these servers check box, and then ensure that
Secured Password (EAP-MSCHAP v2) is already selected under Select
Authentication Method. Clear the Enable Fast Reconnect check box, and
then select the Enable Quarantine checks check box.
o. Click OK three times to accept these settings.
7. Test the VPN connection:
a. In the Network Connections window, right-click the Woodgrovebank
connection, and then click Connect.
b. In the Connect Woodgrovebank window, click Connect.
c. Verify that the administrator account credentials are entered and that the
Save this user name and password for future use check box is selected,
and then click OK.
d. You are presented with a Validate Server Certificate window the first
time this VPN connection is used. Click View Server Certificate, and
verify that Certificate Information states that the certificate was issued to
NYC-SVR1.Woodgrovebank.com by Root CA. Click OK to close the
Certificate window, and then click OK.
e. Wait for the VPN connection to be made. Because NYC-CL1 is compliant,
it should have unlimited access to the intranet subnet.
f. Click Start, click All Programs, click Accessories, and then click
Command Prompt.
g. Type ipconfig /all, and view the IP configuration. System Quarantine
State should be Not Restricted.
h. In the Command window, type ping 10.10.0.10. This should be
successful. Type ping 10.10.0.24. This also should be successful. The
client now meets the requirement for VPN full connectivity.
i. Disconnect from the Woodgrovebank VPN.
8. Configure Windows Security Health Validator to require an antivirus
application:
a. On NYC-SVR1, open Network Policy Server.
b. Expand Network Access Protection, and then click System Health
Validators.
c. Double-click Windows Security Health Validator, and then click
Configure.
d. In the Windows Security Health Validator dialog box, under Virus
Protection, select the An antivirus application is on check box.
e. Click OK, and then click OK again to close the Windows Security Health
Validator Properties window.
9. Verify the client is placed on the restricted network:
a. On NYC-CL1, in the Network Connections window, right-click the
WoodGroveBank connection, and then click Connect.
b. Click Connect, and then click OK.
c. Wait for the VPN connection to be made. You might see a message in the
notification area that indicates the computer does not meet health
requirements. This message is displayed because antivirus software has
not been installed.
d. Click Start, click All Programs, click Accessories, and then click
Command Prompt.
e. Type ipconfig /all, and view the IP configuration. System Quarantine
State should be Restricted.
The client does not meet the requirements for the network, and therefore
is placed on the restricted network.
Try to ping 10.10.0.24. This should be unsuccessful.
Try to ping 10.10.0.10. This is the only server to which the policy allows
access.
f. Disconnect from Woodgrovebank VPN.

Task 6: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
Lab Answer Key: Configuring IPsec 1

Module 9
Lab Answer Key: Configuring IPsec
Contents:
Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
Exercise 2: Configuring and Testing IPsec NAP Enforcement

Lab: Configuring IPsec NAP Enforcement

Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Preparing the Network Environment for Internet Protocol
security (IPsec) Network Access Protection (NAP) Enforcement
Task 1: Start the 6421A-NYC-DC1, 6421A-NYC-CL1, and 6421A-NYC-CL2
virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-DC1


• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu.

Task 3: Install the Network Policy Services (NPS), Health Registration
Authority (HRA), and Certificate Authority (CA) server roles
1. In Server Manager, right-click Roles, and then click Add Roles on the context
menu.
2. Click Next on the Before you Begin page, and on the Select Server Roles
page, select the Network Policy and Access Services check box. Then click
Next twice.
3. On the Select Role Services page, select the Health Registration Authority
check box, click Add Required Role Services in the Add Roles Wizard
window that appears, and then click Next.
4. Select Install a local CA to issue health certificates for this HRA server, and
then click Next.
5. Select No, allow anonymous requests for health certificates, and then click
Next. This choice allows computers to be enrolled with health certificates in a
workgroup environment.
6. Select Don’t use SSL or Choose a certificate for SSL encryption later, and
then click Next twice. We recommend Secure Sockets Layer (SSL), but it is not
required for HRA to function.
7. On the Select Role Services page, verify that only the Certification Authority
check box is selected, and then click Next.
8. On the Specify Setup Type page, select Standalone, and then click Next.
9. On the Specify CA Type page, select Root CA, and then click Next.
10. Click Next twice to accept the default private key and cryptographic settings.
11. On the Configure CA Name page, under Common name for this CA, type
Woodgrovebank-RootCA, and then click Next.
12. On the Set Validity Period page, click Next.
13. In the Configure Certificate Database window, click Next twice.
14. On the Select Role Services page for the Web Server, click Next.
15. On the Confirm Installation Selections page, click Install.
16. On the Installation Results page, notice that the Network Policy and Access
Services installation succeeded with errors. This is because you installed the
CA after the HRA role, so it could not be reached. Verify that all other
installations were successful, and then click Close.
17. Close Server Manager.

Task 4: Configure HRA with permissions


1. Open the Certification Authority administrative tool from the Start Menu,
Administrative Tools location.
2. In the Certification Authority console tree, right-click WoodgroveBank-
RootCA, and then click Properties.
3. Click the Security tab, and then click Add.
4. Under Enter the object names to select (examples), type Network Service,
and then click OK.
5. Click Network Service, and select the Allow check boxes for Issue and
Manage Certificates, Manage CA, and Request Certificates.
6. Click the Policy Module tab, and then click Properties. Select Follow the
settings in the certificate template, if applicable. Otherwise, automatically
issue the certificate, and then click OK.
7. At the message prompt, click OK to restart Active Directory® Certificate
Services.
8. Click OK to close the Properties dialog box.
9. In the list pane of the Certification Authority tool, right-click WoodgroveBank-
RootCA, point to All Tasks, and then click Stop Service. After it stops, restart
the service by clicking Start Service.
10. Close the Certification Authority console.

Task 5: Configure CA properties on HRA


1. On NYC-DC1, click Start, click Run, type MMC, and then click OK.
2. In the Console1 Microsoft Management Console (MMC) window, click File,
and then click Add/Remove Snap-in. From the available snap-ins, select
Health Registration Authority, and then click Add. In the Health
Registration Authority dialog box, click OK to accept the default Local
Computer.
3. Click OK to close the Add or Remove Snap-ins window.
4. In the Health Registration Authority console tree, select and then right-click
Certification Authority, and then click Add certification authority.
5. Click Browse, click WoodGroveBank-RootCA, and then click OK.
6. Click OK, and then verify that
\\NYC-DC1.Woodgrovebank.com\Woodgrovebank-RootCA is displayed in the
details pane.
7. In the list pane, right-click Certification Authority, and select Properties from
the context menu.
8. Verify that Use standalone certification authority is selected, and then click
OK.
9. Close the Health Registration Authority console. Do not save changes to the
console.

Task 6: Configure NPS as a NAP health-policy server


1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the details pane, under Standard Configuration, click Configure NAP.
3. On the Select Network Connection Method for Use with NAP page, under
Network connection method, select IPsec with Health Registration
Authority (HRA), and then click Next.
4. On the Specify NAP Enforcement Servers Running HRA page, click Next.
Because this NAP health policy server has HRA installed locally, you do not
need to add Remote Authentication Dial-In User Service (RADIUS) clients.
5. On the Configure User Groups and Machine Groups page, click Next.
6. On the Define NAP Health Policy page, verify that the Windows Security
Health Validator and Enable auto-remediation of client computers check
boxes are selected, and then click Next.
7. On the Completing NAP Enforcement Policy and RADIUS Client
Configuration page, click Finish.
8. Leave the Network Policy Server console open for the following task.

Task 7: Configure system health validators


1. In the NPS console tree, click Network Access Protection, and then in the
details pane, click Configure System Health Validators.
2. In the details pane, under Name, double-click Windows Security Health
Validator.
3. In the Windows Security Health Validator Properties dialog box, click
Configure.
4. On the Windows Vista tab, clear all check boxes, except A firewall is enabled
for all network connections.
5. Click OK to close the Windows Security Health Validator dialog box, and
then click OK to close the Windows Security Health Validator Properties
dialog box.
6. Close the Network Policy Server console.

Task 8: Configure Computer Certificate AutoEnrollment in Group Policy
1. On NYC-DC1, click Start and in the Start Search text box, type GPMC.msc,
and then press ENTER.
2. In the Group Policy Management console, expand Forest, expand Domains,
and then expand Woodgrovebank.com.
3. Right-click the Default Domain Policy, and then click Edit.
4. Under Computer Configuration, expand Policies, expand Windows
Settings, expand Security Settings, and select Public Key Policies.
5. In the details pane, double-click Certificate Services Client – Auto-Enrollment.
6. In the Define Policy Settings dialog box, set the following:
a. Configuration Model: Enabled
b. Select Renew expired certificates, update pending certificates, and
remove revoked certificates
c. Select Update certificates that use certificate templates
7. Click OK, and close the Group Policy Management Editor.
8. Close the Group Policy Management console.

Task 9: Configure NYC-CL1 and NYC-CL2 so that Security Center always is enabled
1. Log on to NYC-CL1 as Woodgrovebank\administrator with the password
Pa$$w0rd.
2. Click Start and in the Search text box, type gpedit.msc, and then press
ENTER.
3. In the Local Group Policy Object Editor console tree, expand Local
Computer Policy/Computer Configuration/Administrative
Templates/Windows Components/Security Center.
4. In the details pane, double-click Turn on Security Center (Domain PCs
only), click Enabled, and then click OK.
5. Close the Local Group Policy Object Editor console.
6. Repeat steps 1 through 5 on NYC-CL2.

Task 10: Enable the IPsec enforcement client, and configure client
health-registration settings
1. On NYC-CL1, click Start and in the Start Search text box, type napclcfg.msc,
and then press ENTER.
2. In the NAP Client Configuration console tree, click Enforcement Clients.
3. In the details pane, right-click IPsec Relying Party, and then click Enable.
4. In the NAP Client Configuration console tree, double-click Health
Registration Settings.
5. Right-click Trusted Server Groups, and then click New.
6. Under Group Name, type Trusted HRA Servers, and then click Next.
7. Clear the Require server verification (https) for all servers in this group
check box.
8. Under Add URLs of the health registration authority that you want the
client to trust, type http://nyc-dc1.woodgrovebank.com/domainhra/hcsrvext.dll,
and then click Add.
9. Under Add URLs of the health registration authority that you want the
client to trust, type http://nyc-dc1.woodgrovebank.com/nondomainhra/hcsrvext.dll,
and then click Add.
10. Click Finish to complete the process of adding HRA trusted server groups.
11. In the console tree, click Trusted Server Groups, and then in the details pane,
click Trusted HRA Servers.
12. Verify that the URLs you typed are entered correctly in the details pane under
Properties. You must enter the URLs correctly or the client computer will be
unable to obtain a health certificate, and it will be denied access to the IPsec-
protected network.
13. Close the NAP Client Configuration window.
14. Repeat steps 1 through 13 on NYC-CL2.

Task 11: Configure and start the NAP Agent service
1. On NYC-CL1, click Start, and in the Start Search text box, type services.msc,
and then press ENTER.
2. In the list of services, double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change the
value of Startup type from Manual to Automatic.
4. Under Service status, click Start.
5. Wait for the NAP agent service to start, and then click OK.
6. Close the Services console.
7. Repeat steps 1 through 6 for NYC-CL2.

Task 12: Allow ICMP through the Windows Firewall
1. On NYC-CL1, click Start and in the Start Search text box, type wf.msc, and
then press ENTER.
2. In the console tree, select and right-click Inbound Rules, and then click New
Rule.
3. Select Custom, and then click Next.
4. Select All programs, and then click Next.
5. Next to Protocol type, select ICMPv4, and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and
then click Next.
7. Click Next to accept the default scope.
8. On the Action page, verify that Allow the connection is chosen, and then click
Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request, and then click
Finish.
11. Close the Windows Firewall with Advanced Security console.
12. Repeat steps 1 through 11 on NYC-CL2.

Exercise 2: Configuring and Testing IPsec NAP Enforcement

Task 1: Create an IPsec Secure Organizational Unit in Active Directory
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the console tree, right-click WoodgroveBank.com, point to New, and then
click Organizational Unit.
3. Under Name, type IPsec Secure, and then click OK.
4. Leave the Active Directory Users and Computers console open.

Task 2: Create IPsec policies for the IPsec Secure OU
1. On NYC-DC1, click Start, and then click Run.
2. Type gpmc.msc, and then press ENTER.
3. Expand Forest, expand Domains, expand Woodgrovebank.com, and right-
click the IPsec Secure organizational unit.
4. From the context menu, select Create a GPO in this domain, and Link it
here.
5. In the New GPO dialog box, in the Name text box, type Secure Policy, and
then click OK.
6. Expand IPsec Secure in the list pane, right-click Secure Policy, and then click
Edit.
7. The Group Policy Management Editor console opens. In the console tree,
open Secure Policy [nyc-dc1.woodgrovebank.com] Policy\Computer
Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security – LDAP.
8. Right-click Windows Firewall with Advanced Security - LDAP, and then click
Properties.
9. On the Domain Profile tab, next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default). The private and public
profiles will use the same settings.
10. Click the Private Profile tab. Next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default).
11. Click the Public Profile tab. Next to Firewall state, select On
(recommended). Next to Inbound connections, select Block (default). Next
to Outbound connections, select Allow (default), and then click OK.
12. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, select and then right-click
Connection Security Rules, and then click New Rule.
13. In the New Connection Security Rule Wizard, on the Rule Type page, verify
that Isolation is selected, and then click Next.
14. On the Requirements page, select Require authentication for inbound
connections and request authentication for outbound connections, and
then click Next.
15. On the Authentication Method page, select Computer certificate, select the
Only accept health certificates check box, and then click Browse.
16. Click WoodGroveBank-RootCA, click OK, and then click Next.
17. On the Profile page, verify that the Private, Public, and Domain check boxes
are selected, and then click Next.
18. On the Name page, under Name, type Secure Rule, and then click Finish.
19. In the Group Policy Management Editor console tree, under Windows
Firewall with Advanced Security - LDAP, select and then right-click Inbound
Rules, and then click New Rule.
20. Choose Predefined, select File and Printer Sharing from the list of rules, and
then click Next twice.
21. On the Action page, select Allow the connection if it is secure, click Next,
and then click Finish.
22. Close the Group Policy Management Editor console.

Task 3: Move NYC-CL1 and NYC-CL2 into the IPsec Secure OU
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, open
Woodgrovebank.com, and then click Computers.
3. Right-click NYC-CL1, and then click Move.
4. In the Move dialog box, click IPsec Secure, and then click OK.
5. Right-click NYC-CL2, and then click Move.
6. In the Move dialog box, click IPsec Secure, and then click OK.
7. Close the Active Directory Users and Computers console.

Task 4: Apply Group Policies
1. On NYC-CL1 and NYC-CL2, click Start, point to All Programs, point to
Accessories, and then click Command Prompt.
2. In the command window, type gpupdate /force, and then press ENTER.
3. Verify that the response reads User Policy update has completed
successfully and Computer Policy update has completed successfully.
4. Leave the command windows open for the following tasks.

Task 5: Verify health certificate status
1. On NYC-CL1, click Start, in the Start Search text box, type MMC, and then
press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, and then click Next.
4. Verify that Local computer: (the computer this console is running on) is
selected, click Finish, and then click OK.
5. In the console tree, double-click Certificates (Local Computer), double-click
Personal, and then click Certificates.
6. In the details pane, under Issued By, verify Woodgrovebank-RootCA is
displayed. Verify that Intended Purposes shows System Health
Authentication.
7. Close the MMC console, and do not save changes.
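
The client-side checks from Exercise 1 (Tasks 10 and 11) and from Task 5 above can also be scripted. The following PowerShell is an added example, not part of the Microsoft lab; it assumes an elevated session on NYC-CL1 or NYC-CL2, and the function names are hypothetical. It reports the NAP Agent service state, lists computer certificates that carry the System Health Authentication EKU, and flags trusted HRA URLs that use plain HTTP, as the ones configured in this lab do.

```powershell
# Added example (not part of the lab): run elevated on NYC-CL1 or NYC-CL2.

# OID of the System Health Authentication enhanced key usage.
$HealthEkuOid     = '1.3.6.1.4.1.311.47.1.1'
# Issuing CA name used in this lab; -like compares case-insensitively.
$ExpectedIssuerCn = 'WoodGroveBank-RootCA'

function Test-HasEku($Certificate, [string]$Oid) {
    # True when the certificate's EKU extension lists the given OID.
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

function Get-HealthCertificateReport([string]$Oid, [string]$IssuerCn) {
    # Health certificates land in the computer's Personal store (LocalMachine\My).
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { Test-HasEku $_ $Oid } |
        Select-Object Thumbprint, NotAfter,
            @{ Name = 'IssuerOk'; Expression = { $_.Issuer -like "*CN=$IssuerCn*" } },
            @{ Name = 'ValidNow'; Expression = { ($_.NotBefore -le $now) -and ($now -le $_.NotAfter) } }
}

# 1. NAP Agent service: Task 11 sets it to Automatic and starts it.
$svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
if (-not $svc) {
    Write-Warning 'NAP Agent service (napagent) not found.'
} else {
    'NAP Agent: StartMode={0} State={1} (expected Auto / Running)' -f $svc.StartMode, $svc.State
}

# 2. Health certificate: Task 5 checks issuer and intended purpose in the MMC.
$certs = @(Get-HealthCertificateReport $HealthEkuOid $ExpectedIssuerCn)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificate with the System Health Authentication EKU in LocalMachine\My.'
} else {
    $certs | Format-Table -AutoSize
}

# 3. NAP client state, including the enforcement clients enabled in Task 10.
netsh nap client show state

# 4. Trusted HRA URLs that are not protected by HTTPS (Task 10 clears
#    "Require server verification (https)", so the lab URLs appear here).
$plainHttp = @(netsh nap client show configuration | Select-String -SimpleMatch 'http://')
if ($plainHttp.Count -gt 0) {
    Write-Warning 'HRA URLs configured without HTTPS:'
    $plainHttp | ForEach-Object { $_.Line.Trim() }
}
```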

Task 6: Verify clients can communicate securely
1. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\,
and then press ENTER.
2. Verify that the share’s contents appear in the window.
3. Click Start, in the Start Search text box, type wf.msc, and then press ENTER.
4. In the Windows Firewall with Advanced Security console list pane, expand
Monitoring, expand Security Associations, and select Main Mode.
5. In the details pane, you should see an entry for secure communications
between NYC-CL1 and NYC-CL2. Double-click the entry, and review the
contents of the General tab. You should see Computer certificate for First
Authentication, Encryption using AES-128 and Integrity accomplished
using SHA1.
6. Close the dialog box, and then close Windows Firewall with Advanced
Security.
7. Close the nyc-cl2 window.

Task 7: Demonstrate Network Restriction

Note: NAP compliance will require automatic updates by enabling this system
health check in the Windows Security Health Validator.

1. On NYC-DC1, click Start, click Run, type nps.msc, and then press ENTER.
2. In the console tree, open Network Access Protection, and then click System
Health Validators.
3. In the details pane, double-click Windows Security Health Validator, and
then click Configure.
4. In the Windows Security Health Validator dialog box, under Automatic
Updating, select the Automatic updating is enabled check box, and then
click OK twice.

Note: To demonstrate network restriction of noncompliant clients, you must
disable auto remediation of client computers in the noncompliant network policy.

5. In the Network Policy Server console tree, expand Policies, and then click
Network Policies.
6. In the details pane, double-click NAP IPsec with HRA Noncompliant.
7. Click the Settings tab, click NAP Enforcement, clear the Enable auto-
remediation of client computers check box, and then click OK.
8. Close the Network Policy Server console.
9. On NYC-CL1, in the command window, type ping -t NYC-CL2, and then press
ENTER. A continuous ping will run from NYC-CL1 to NYC-CL2. This should
be successful.
10. On NYC-CL2, click Start, click Control Panel, and then click Security.
11. Under Windows Update, click Turn automatic updating on or off.
12. Select Never check for updates (not recommended), and then click OK.

Note: If it is already selected, select Check for updates, click OK, and then select
Never check for updates.

This setting causes NYC-CL2 to be noncompliant with network health policy.
Because auto remediation has been disabled, NYC-CL2 will remain in a
noncompliant state and will be placed on the restricted network.
13. Do not close the Security control panel on NYC-CL2. It will be used to re-
enable Windows Update.
14. On NYC-CL1, verify that the response in the command window has changed
to Request timed out.
15. On NYC-CL1, click Start, and in the Start Search text box, type \\NYC-CL2\
and verify that the share is inaccessible.
16. On NYC-CL2, in the Security control panel under Windows Update, click
Turn automatic updating on or off.
17. Select Install updates automatically (recommended), and then click OK.
This setting will cause NYC-CL2 to send a new Statement of Health (SoH) that
indicates it is compliant with network health requirements, and NYC-CL2 will
be granted full network access.
18. On NYC-CL1, verify that the response in the command window changes to
Reply from 10.10.0.60. It might take a minute before you see the change in
status.
19. Verify that you can browse the share of NYC-CL2 (\\NYC-CL2\).
20. Close all open windows.

Task 8: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 10
Lab Answer Key: Monitoring and
Troubleshooting IPSec
Contents:
Exercise 1: Monitoring IPSec Connectivity
Exercise 2: Configuring Connection Security
Exercise 3: Troubleshooting IPSec

Lab: Monitoring and Troubleshooting IPsec
Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Monitoring Internet Protocol security (IPsec) Connectivity

Task 1: Start the 6421A-NYC-DC1 and 6421A-NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create an IPsec Negotiation policy on NYC-DC1
1. On NYC-DC1, click Start, click All Programs, click Administrative Tools, and
then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click
Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type SecureFileSharing. In the Description field, type
Policy to encrypt SMB, and then click Next.
5. Ensure that Activate the default response rule is not selected, and then click
Next.
6. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit
properties is selected, and then click Finish.
7. In the SecureFileSharing Properties dialog box, click Add.
8. In the Welcome to the Create IP Security Rule Wizard, click Next.
9. In the Tunnel Endpoint dialog box, ensure that This rule does not specify a
tunnel is clicked. Click Next.
10. In the Network Type dialog box, click All network connections, and then
click Next.
11. In the IP Filter List dialog box, click Add.
12. A new dialog box that also is called IP Filter List appears. Type
SecureSMBTCP, and then click Add.
13. On the Welcome screen of the IP Filter Wizard, click Next.
14. In the Description text box, type SMB IPsec Filter. Click Next.
15. In the IP Traffic Source dialog box, ensure that Any IP Address is clicked, and
then click Next.
16. In the IP Traffic Destination dialog box, ensure that Any IP Address is
clicked, and then click Next.
17. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then
click Next.
18. In the IP Protocol Port dialog box, select From this port, type 445 in the text
box, ensure that To Any port is selected, and then click Next.
19. On the Completing the IP Filter Wizard screen, click Finish, and then click
OK.
20. In the IP Filter List dialog box, click Add.
21. A new dialog box that also is called IP Filter List appears. Type
SecureSMBUDP, and then click Add.
22. On the Welcome screen of the IP Filter Wizard, click Next.
23. In the Description text box, type SMB IPsec Filter, and then click Next.
24. In the IP Traffic Source dialog box, ensure that Any IP Address is clicked, and
then click Next.
25. In the IP Traffic Destination dialog box, ensure that Any IP Address is
clicked, and then click Next.
26. In the IP Protocol Type dialog box, click UDP in the drop-down list, and then
click Next.
27. In the IP Protocol Port dialog box, select From this port, type 445 in the text
box, ensure that To Any port is selected, and then click Next.
28. On the Completing the IP Filter Wizard screen, click Finish, and then click
OK.
29. In the IP Filter list, select SecureSMBTCP, and then click Next.
30. In the Filter Action dialog box, click Add.
31. In the Filter Action Wizard dialog box, click Next.
32. In the Filter Action Name dialog box, type SecureTransmissionFilter, and
then click Next.
33. In the Filter Action General Options dialog box, ensure Negotiate Security is
selected, and then click Next.
34. In the Communicating with computers that do not support IPsec dialog
box, ensure Do not allow unsecured communication is selected, and then
click Next.
35. In the IP Traffic Security dialog box, ensure that Integrity and encryption is
selected, and then click Next.
36. On the Completing the IP Security Filter Action Wizard screen, click Finish.
37. In the Filter Action dialog box, select SecureTransmissionFilter, and then
click Next.
38. In the Authentication Method dialog box, ensure Active Directory default
(Kerberos V5 protocol) is selected, and then click Next.
39. On the Completing the Security Rule Wizard screen, click Finish.
40. In the SecureFileSharing Properties dialog box, click OK.
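
The same policy can be built from the command line with netsh ipsec static, which makes its structure easier to review than 40 wizard steps. The following PowerShell is an added example, not part of the Microsoft lab; the Invoke-Netsh helper and the rule name SecureSMBTCPRule are hypothetical, and the mirrored=yes setting and the ESP[3DES,SHA1] offer are assumptions standing in for the wizard's defaults and its Integrity and encryption choice. As in steps 29 through 39, only the SecureSMBTCP filter list is attached to a rule; the SecureSMBUDP list is created but not used by any rule.

```powershell
# Added example (not part of the lab): run elevated on NYC-DC1.

function Invoke-Netsh {
    # Hypothetical helper: runs netsh with the given arguments and stops on failure.
    & netsh.exe $args
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $args failed with exit code $LASTEXITCODE"
    }
}

# Steps 2-6: the policy itself, without the default response rule.
Invoke-Netsh ipsec static add policy 'name=SecureFileSharing' `
    'description=Policy to encrypt SMB' 'activatedefaultrule=no'

# Steps 11-28: one filter list per protocol, from port 445 to any port
# (dstport=0 means any port). mirrored=yes is an assumption about the
# wizard's default; it also matches the reverse direction of each flow.
foreach ($proto in 'TCP', 'UDP') {
    $list = "SecureSMB$proto"
    Invoke-Netsh ipsec static add filterlist "name=$list"
    Invoke-Netsh ipsec static add filter "filterlist=$list" `
        'srcaddr=any' 'dstaddr=any' 'description=SMB IPsec Filter' `
        "protocol=$proto" 'srcport=445' 'dstport=0' 'mirrored=yes'
}

# Steps 30-36: negotiate security, no fallback to unsecured traffic
# (inpass=no, soft=no). The ESP offer below is an assumed equivalent of
# "Integrity and encryption".
Invoke-Netsh ipsec static add filteraction 'name=SecureTransmissionFilter' `
    'action=negotiate' 'inpass=no' 'soft=no' 'qmsecmethods=ESP[3DES,SHA1]'

# Steps 7-10 and 29-39: the rule ties the TCP filter list to the filter
# action, applies to all network connections, and authenticates with Kerberos V5.
Invoke-Netsh ipsec static add rule 'name=SecureSMBTCPRule' `
    'policy=SecureFileSharing' 'filterlist=SecureSMBTCP' `
    'filteraction=SecureTransmissionFilter' 'conntype=all' 'kerberos=yes'

# Review the result. The policy is created unassigned, as in the lab.
Invoke-Netsh ipsec static show policy 'name=SecureFileSharing' 'level=verbose'
```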

Task 3: Export the policy from NYC-DC1
1. In the Local Security Policy Microsoft Management Console (MMC) console,
right-click IP Security Policies on Local Computer, click All Tasks, and then
click Export Policies.
2. In the Save As dialog box, type
D:\LabFiles\Module10\IPsecurityPolicy.ipsec, and then click Save.

Task 4: Import the security policy to NYC-SVR1
1. On NYC-SVR1, open the local security policy. To do this, click Start, click
Administrative Tools, and then click Local Security Policy.
2. Right-click IP Security Policies on Local Computer, click All Tasks, and then
click Import Policies.
3. Read the IP Security Import warning, and then click Yes.
4. In the Open dialog box, navigate to \\NYC-DC1\Module10, and then double-
click IPsecurityPolicy.ipsec.

Task 5: Use the IP Security Monitor to validate that the negotiation policy is working
1. On NYC-SVR1, click IP Security Policies on Local Computer.
2. In the details pane, right-click SecureFileSharing, and then click Assign.
3. Repeat steps 1 and 2 on NYC-DC1.
4. On NYC-DC1, click Start, and then click Run.
5. In the Run dialog box, type MMC, and then press ENTER.
6. In the blank MMC window, click File, and then click Add/Remove Snap-in.
7. In the Available snap-ins list, scroll down the list, and select IP Security
Monitor.
8. Click Add, and then click OK.
9. The blank MMC window now will include an IP Security Monitor node.
10. Expand the IP Security Monitor node, and then expand the NYC-DC1 node.
Notice the Main Mode and Quick Mode nodes. Browse through both nodes,
and note the different statistics and information.
11. On NYC-SVR1, establish a network file-share session by accessing a share on
NYC-DC1. To do this, click Start, click Run, type \\NYC-DC1\Module10, and
then press ENTER.
12. After the connection is established, review the updated statistics in the IP
Security Monitoring node, which is open on NYC-DC1.

Exercise 2: Configuring Connection Security


Task 1: Disable the IP Security Policy that you created in the previous
exercise
1. On NYC-DC1, open the local security policy. To do this, click Start, click
Administrative Tools, and then click Local Security Policy.
2. Click IP Security Policies on Local Computer.
3. In the details pane, right-click SecureFileSharing, and then click Un-assign.
4. Repeat steps 1 through 3 on NYC-SVR1.
5. Close all windows on both NYC-DC1 and NYC-SVR1 and do not save changes
to the console.

Task 2: Configure a Security Association rule in the Windows Firewall with Advanced Security MMC
1. On NYC-DC1, click Start, click Administrative Tools, and then click
Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New
Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and
then click Next.
4. In the Endpoints dialog box, ensure that Any IP Address is selected for both
options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound
and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select Preshared key, type
Pa$$w0rd in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are
selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click
Finish.
9. Perform steps 1 through 8 on NYC-SVR1.

Task 3: Monitor the connection using the Security Association node
1. On NYC-SVR1, establish a file-connection share session to NYC-DC1. To do
this, click Start, click Run, and then ensure that \\NYC-DC1\Module10 is
typed. Click OK.
2. In the Windows Firewall with Advanced Security console, expand the
Monitoring node, and then expand the Security Associations node.
3. Review the Main Mode and Quick Mode nodes to view the status of the
Connection Security Rule.
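
Tasks 2 and 3 have a command-line equivalent in netsh advfirewall. The following PowerShell is an added example, not part of the Microsoft lab; the New-ServerToServerRule function is hypothetical. It creates the lab's preshared-key rule and shows the same rule with Kerberos V5 computer authentication (the method Exercise 1 used) as the alternative for domain-joined servers, because a preshared key has to be typed and kept identical on every server that uses the rule.

```powershell
# Added example (not part of the lab): run elevated on both NYC-DC1 and NYC-SVR1.

function New-ServerToServerRule {
    # Hypothetical helper: creates a connection security rule that requires
    # authentication inbound and outbound between any two endpoints.
    param(
        [string]$Name,
        [string]$Auth = 'computerpsk',   # or 'computerkerb'
        [string]$PresharedKey
    )
    $ruleArgs = @('advfirewall', 'consec', 'add', 'rule', "name=$Name",
                  'endpoint1=any', 'endpoint2=any',
                  'action=requireinrequireout',
                  'profile=domain,private,public',
                  "auth1=$Auth")
    if ($Auth -eq 'computerpsk') {
        if (-not $PresharedKey) { throw 'computerpsk requires a preshared key.' }
        $ruleArgs += "auth1psk=$PresharedKey"
    }
    & netsh.exe $ruleArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule '$Name'." }
}

# The lab's configuration (Task 2): preshared key, prompted for so that it
# is not stored in the script. Both servers must be given the same key.
$psk = Read-Host 'Preshared key (identical on both servers)'
New-ServerToServerRule -Name 'SecureServerAuthenticationRule' -PresharedKey $psk

# Alternative for domain members: same rule, Kerberos V5 computer
# authentication, no shared secret to distribute.
# New-ServerToServerRule -Name 'SecureServerAuthenticationRule' -Auth 'computerkerb'

# Confirm what was stored.
& netsh.exe advfirewall consec show rule 'name=SecureServerAuthenticationRule'

# Task 3: after opening \\NYC-DC1\Module10 from NYC-SVR1, list the main mode
# and quick mode security associations that the Monitoring node displays.
& netsh.exe advfirewall monitor show mmsa
& netsh.exe advfirewall monitor show qmsa
```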

Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Exercise 3: Troubleshooting IPsec


Exercise Overview
In this exercise, you will review scenarios outlining common issues that can occur
when you troubleshoot IPsec, and then you will discuss possible solutions.

Scenario 1
An administrator is attempting to connect to a remote computer and monitor its
IPsec connectivity. The administrator reports that he is unable to monitor the
remote server. You ask him to use the Event Viewer to identify the problem. In doing
so, the administrator notes the following error: “The IPsec server is unavailable or
incompatible with the IPsec monitor.”
Question: What can you do to resolve this issue?
Answer: The Administrator has not enabled remote IPsec monitoring on the
computer he wants to monitor. You can enable remote monitoring by configuring
the enableremotemgmt Registry key.

Scenario 2
An administrator has configured and enabled an IPsec Security policy on a file
server that stores sensitive data files. The administrator also created an Active
Directory-based policy and applied it to the organizational unit (OU) of clients that
are permitted access to the secure server. The next day, the Backup Administrator,
who is responsible for backing up the secure server, reports he was unable to
access the server from the backup server. The backup server’s computer account is
stored in an administrative OU separate from the clients’ OU.
Question: Based on the information provided, why is the backup server unable to
access the secure server?
Answer: The backup server does not have an IPsec policy defined that allows it to
communicate with the secure server. The clients received an IPsec policy via a
Group Policy object (GPO). However, because the backup server was in a separate
OU, it did not receive the secure policy.

Module 11
Lab Answer Key: Configuring and Managing
Distributed File System
Contents:
Exercise 1: Installing the Distributed File System Role Service
Exercise 2: Creating a DFS Namespace
Exercise 3: Configuring Folder Targets and Folder Replication
Exercise 4: Viewing Diagnostic Reports for Replicated Folders

Lab: Configuring DFS
Note: If you have already logged on to a virtual machine, skip the
logon task for that particular virtual machine.

Exercise 1: Installing the Distributed File System (DFS) Role Service

Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Disable Local Area Connection 2 on NYC-SVR1
1. On NYC-SVR1, click Start, right-click Network, and then click Properties.
2. In the Tasks list, click Manage network connections.
3. Right-click Local Area Connection 2, and then click Disable.
4. Close all open windows on NYC-SVR1.

Task 3: Install the Distributed File System Role Service on NYC-DC1
1. On NYC-DC1, if necessary, click Start, and then click Server Manager. The
Server Manager opens.
2. In the left pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services. The Add Role Services wizard starts.
5. On the Select Role Services page, select the Distributed File System check
box. Ensure that the File Server, Distributed File System, DFS Namespaces,
and DFS Replication check boxes all are selected, and then click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. After the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication all are installed.
10. Close Server Manager.

Task 4: Install the Distributed File System Role Service on NYC-SVR1
1. On NYC-SVR1, click Start, and then click Server Manager. The Server
Manager opens.
2. In the left pane, click Roles.
3. In the details pane, under Roles Summary, notice that the File Services role
has been installed. You now must add specific role services for this role.
4. Scroll down to the File Services section, and then under Role Services, click
Add Role Services. The Add Role Services wizard starts.
5. On the Select Role Services page, select the Distributed File System check
box. Ensure that the File Server, Distributed File System, DFS Namespaces,
and DFS Replication check boxes all are selected, and then click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. After the installation is complete, click Close.
9. In Server Manager, verify that File Server, Distributed File System, DFS
Namespaces, and DFS Replication are all installed.
10. Close Server Manager.

Exercise 2: Creating a DFS Namespace


Task 1: Raise the domain functional level
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Click WoodgroveBank.com.
3. Right-click WoodgroveBank.com, and then click Raise domain functional
level. The Raise domain functional level page opens.
4. On the Raise domain functional level page, under Select an available
domain functional level, ensure that Windows Server 2008 is selected, and
then click Raise.
5. In the Raise domain functional level message box, click OK.
6. In the second message box, click OK.
7. Close Active Directory Users and Computers.

Task 2: Use the New Namespace Wizard to create a new namespace
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DFS
Management.
2. In the left pane, click Namespaces.
3. Right-click Namespaces, and then click New Namespace. The New
Namespace Wizard opens.
4. On the Namespace Server page, under Server, type NYC-DC1, and then click
Next.
5. On the Namespace Name and Settings page, under Name, type CorpDocs,
and then click Next.
6. On the Namespace Type page, ensure that Domain-based namespace is
selected, and then click Next.
7. On the Review Settings and Create Namespace page, review the settings, and
then click Create.
8. On the Confirmation page, ensure that the Status column shows Success,
and then click Close. The CorpDocs namespace has now been created.
9. In the left pane, click the plus sign next to Namespaces, and then click
\\WoodgroveBank.com\CorpDocs.
10. In the details pane, click the Namespace Servers tab. Notice that the
CorpDocs namespace is hosted on a single namespace server (NYC-DC1).

Task 3: Add an additional namespace server to host the namespace
1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click Add Namespace Server.
2. In the Add Namespace Server box, under Namespace server, type NYC-SVR1,
and then click OK. A progress message is displayed.
3. In the warning box, click Yes to start the Distributed File System service and
to set the service start state to Automatic.
4. In the left pane, click the plus sign next to Namespaces, and then ensure that
\\WoodgroveBank.com\CorpDocs is already clicked.
5. In the details pane, ensure that the Namespace Servers tab is selected. Notice that the
CorpDocs namespace is now hosted on both NYC-DC1 and NYC-SVR1.

Exercise 3: Configuring Folder Targets and Folder Replication

Task 1: Create the HRTemplates folder, and configure a folder target
on NYC-DC1
1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type HRTemplates.
3. To add a new folder target, click Add.
4. In the Add Folder Target box, click Browse.
5. In the Browse for Shared Folders box, click New Shared Folder.
6. In the Create Share box, under Share name, type HRTemplateFiles.
7. Under Local path of shared folder, type C:\HRTemplateFiles.
8. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
9. In the Warning box, click Yes to create the C:\HRTemplateFiles folder.
10. In the Browse for Shared Folders box, click OK.
11. In the Add Folder Target box, ensure that the path shows
\\NYC-DC1\HRTemplateFiles, and then click OK.
12. In the New Folder box, ensure that HRTemplates is listed for the Name and
\\NYC-DC1\HRTemplateFiles is listed for the Folder targets, and then click
OK.
13. In the console tree, click \\WoodgroveBank.com\CorpDocs.
14. In the details pane, click the Namespace tab. Notice that HRTemplates is
listed as an entry in the namespace.
15. In the console tree, expand \\WoodgroveBank.com\CorpDocs, and then
click HRTemplates. In the details pane, notice that on the Folder Targets tab,
one folder target is configured.
16. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1
1. On NYC-DC1, in the DFS Management console tree, right-click
\\WoodgroveBank.com\CorpDocs, and then click New Folder.
2. In the New Folder dialog box, under Name, type PolicyFiles.
3. To add a new folder target, click Add.
4. In the Add Folder Target box, click Browse.
5. In the Browse for Shared Folders box, under Server, type NYC-SVR1, and
then click Show Shared Folders.
6. Click New Shared Folder.
7. In the Create Share box, under Share name, type PolicyFiles.
8. Under Local path of shared folder, type C:\PolicyFiles.
9. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
10. In the Warning box, click Yes to create the C:\PolicyFiles folder.
11. In the Browse for Shared Folders box, click OK.
12. In the Add Folder Target box, ensure that the path shows
\\NYC-SVR1\PolicyFiles, and then click OK.
13. In the New Folder box, ensure that PolicyFiles is listed for the Name and
\\NYC-SVR1\PolicyFiles is listed for the Folder targets, and then click OK.
14. In the tree pane, ensure that \\WoodgroveBank.com\CorpDocs is expanded,
and then click PolicyFiles. In the details pane, notice that on the Folder
Targets tab, one folder target is configured.

Task 3: Verify the functionality of the CorpDocs namespace
1. On NYC-DC1, click Start, and then click Run.
2. In the Run box, type \\WoodgroveBank.com\CorpDocs, and then click OK.
Notice that the HRTemplates and PolicyFiles folders both are visible. (If they
are not visible, wait approximately five minutes for them to appear.)
3. Double-click the HRTemplates folder.
4. Right-click within the HRTemplates folder, point to New, and then click Rich
Text Document.
5. Name the document VacationRequest.
6. In the Navigation bar, click the Back button.
7. Double-click the PolicyFiles folder.
8. Right-click within the PolicyFiles folder, point to New, and then click Rich
Text Document.
9. Name the document OrderPolicies.
10. Close the PolicyFiles window.
11. On NYC-SVR1, click Start, and then click Run.
12. In the Run box, type \\WoodgroveBank.com\CorpDocs, and then click OK.
Notice that the HRTemplates and PolicyFiles folders both are visible.
13. Browse both folders and verify that you can access the files. Close the window
when complete.

Task 4: Create additional folder targets for the HRTemplates folder, and configure folder replication
1. On NYC-DC1, in the DFS Management console tree, right-click HRTemplates,
and then click Add Folder Target.
2. In the New Folder Target box, under Path to folder target, type
\\NYC-SVR1\HRTemplates, and then click OK.
3. In the Warning box, click Yes to create the \\NYC-SVR1\HRTemplates
shared folder.
4. In the Create Share box, under Local path of shared folder, type
C:\HRTemplates.
5. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\HRTemplates folder.
7. In the Replication message box, click Yes to create a replication group. A
progress bar appears followed by the Replicate Folder Wizard.
8. In the Replicate Folder Wizard, on the Replication Group and Replicated
Folder Name page, ensure that woodgrovebank.com\corpdocs\hrtemplates
is listed as the Replication group name and that HRTemplates is listed as the
Replicated folder name, and then click Next.
9. On the Replication Eligibility page, ensure that both NYC-DC1 and
NYC-SVR1 are listed, and then click Next.
10. On the Primary Member page, select NYC-DC1, and then click Next.
11. On the Topology Selection page, ensure Full mesh is selected, and then click
Next.
12. On the Replication Group Schedule and Bandwidth page, ensure that
Replicate continuously is selected with Full Bandwidth, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
14. On the Confirmation page, ensure that all tasks are successful, and then click
Close.
15. Read the Replication Delay message, and then click OK.
16. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\hrtemplates.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Task 5: Create additional folder targets for the PolicyFiles folder, and configure folder replication
1. On NYC-DC1, in the DFS Management console tree, right-click PolicyFiles,
and then click Add Folder Target.
2. In the New Folder Target box, under Path to folder target, type
\\NYC-DC1\PolicyFiles, and then click OK.
3. In the Warning box, click Yes to create the \\NYC-DC1\PolicyFiles shared
folder.
4. In the Create Share box, under Local path of shared folder, type
C:\PolicyFiles.
5. Under Shared folder permissions, select Administrators have full access;
other users have read-only permissions, and then click OK.
6. In the Warning box, click Yes to create the C:\PolicyFiles folder.
7. In the Replication message box, click Yes to create a replication group. A
progress bar appears, followed by the Replicate Folder Wizard.
8. In the Replicate Folder Wizard, on the Replication Group and Replicated
Folder Name page, ensure that woodgrovebank.com\corpdocs\policyfiles is
listed as the Replication group name and that PolicyFiles is listed as the
Replicated folder name, and then click Next.
9. On the Replication Eligibility page, ensure that both NYC-DC1 and
NYC-SVR1 are listed, and then click Next.
10. On the Primary Member page, select NYC-SVR1, and then click Next.
11. On the Topology Selection page, select Full mesh, and then click Next.
12. On the Replication Group Schedule and Bandwidth page, ensure that
Replicate continuously using the specified bandwidth is selected, with Full
Bandwidth, and then click Next.
13. On the Review Settings and Create Replication Group page, review the
settings, and then click Create.
14. On the Confirmation page, ensure that all tasks are successful, and then click
Close.
15. Read the Replication Delay message, and then click OK.
16. In the tree pane, ensure that the Replication node is expanded, and then click
woodgrovebank.com\corpdocs\policyfiles.
17. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.

Exercise 4: Viewing Diagnostic Reports for Replicated Folders
Task 1: Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, in the DFS Management console tree, under the Replication
node, right-click woodgrovebank.com\corpdocs\hrtemplates, and then click
Create Diagnostic Report. The Diagnostic Report Wizard starts.
2. On the Type of Diagnostic Report or Test page, ensure that health report is
selected, and then click Next.
3. On the Path and Name page, accept the default entries, and then click Next.
4. On the Members to include page, ensure that both NYC-DC1 and NYC-SVR1
are listed in the Included members column, and then click Next.
5. On the Options page, ensure that Yes, count backlogged files in this report
is selected, select the Count the replicated files and their sizes on each
member check box, and then click Next.
6. On the Review Settings and Create Report page, review the settings, and then
click Create.
7. In the Internet Explorer message, click Add. In the Trusted site box, click
Add again, and then click Close.
The DFS Replication Health Report Web page opens.
8. Read through the report and take note of any errors or warnings. Errors will
appear if replication is still in process or has not taken place yet. When you are
finished, close the Microsoft® Internet Explorer® window.
9. Create a diagnostic report for the policyfiles replication group. Read through
the report, and take note of any errors or warnings. When you are finished,
close the Internet Explorer window. Note that there may be errors reported if
replication has not begun or finished yet.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 12
Lab Answer Key: Configuring and Managing Storage Technologies
Contents:
Exercise 1: Installing the FSRM Role Service
Exercise 2: Configuring Storage Quotas
Exercise 3: Configuring File Screening
Exercise 4: Generating Storage Reports

Lab: Configuring and Managing Storage Technologies

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Installing the File Server Resource Manager (FSRM) Role Service
Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the
password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the FSRM role service on NYC-SVR1
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console, click Roles. The File Services role already has
been installed.
3. Under the File Services section, next to Role Services, click Add Role
Services.
4. In the Select Role Services dialog box, select File Server Resource Manager,
and then click Next.
5. In the Configure Storage Usage Monitoring dialog box, select the
AllFiles(D:) drive, and then click Next.
6. In the Set Report Options dialog box, accept the default options, and then
click Next.
7. In the Confirm Installation Selections dialog box, click Install.
8. After the installation is complete, click Close.
9. Close the Server Manager.

Exercise 2: Configuring Storage Quotas
Task 1: Create a quota template
1. On NYC-SVR1, open the File Server Resource Manager. To do this, click Start,
click Administrative tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager console, expand Quota Management,
and then click the Quota Templates node.
3. Right-click the Quota Templates node, and then click Create Quota
Template.
4. In the Template Name box, type 100 MB Limit Log to Event Viewer.
5. Under Notifications Thresholds, click Add.
6. In the Add Threshold dialog box, click Event log. Select the Send warning to
event log option, and then click OK.
7. Click Add again. Type 100 in the Generate notifications when usage
reaches (%) text box, and then repeat Step 6 to enable the warning to be sent
to the event log.
8. In the Add Threshold dialog box, click OK. Click OK again to save the
template.

Task 2: Configure a quota based on the quota template
1. In the File Server Resource Manager console, click the Quotas node.
2. Right-click the Quotas node, and then click Create Quota.
3. In the Create Quota dialog box, in the Quota path box, type
D:\Labfiles\Module12\Users, and then click Auto apply template and create
quotas on existing and new subfolders. Under How do you want to configure
quota properties?, in the Derive properties from this quota template
(recommended) box, click 100 MB Limit Log to Event Viewer, and then
click Create.
4. Verify that each subfolder under D:\Labfiles\Module12\Users has been
configured with its own quota entry. You may have to refresh the Quotas
folder to view the changes.
5. In Windows Explorer, create a new subfolder under
D:\Labfiles\Module12\Users named User4.
6. In the File Server Resource Manager console, refresh the view in the Quotas
tab. The newly created folder will appear in the list.

Task 3: Test that the quota is working by generating several large files
1. Open a command prompt. To do this, click Start, and then click Command
Prompt.
2. Change to the Users folder by typing D:, and then pressing ENTER. Type
cd \labfiles\module12\users\user1, and then press ENTER.
3. At the D:\labfiles\module12\users\user1 prompt, type: fsutil file createnew
file1.txt 89400000, and then press ENTER. This creates a file that is over 85
megabytes (MB), which generates a warning in Event Viewer.
4. Check the Event Viewer. To do this, click Start, click Administrative tools,
and then click Event Viewer. Expand Windows Logs, and then click on
Application. Note the event with Event ID of 12325.
5. Switch to the command prompt. Type fsutil file createnew file2.txt
16400000, and then press ENTER. The file cannot be created because it
would surpass the quota limit.
6. In Windows Explorer, navigate to the D:\Labfiles\Module12\Users folder.
Right-click the folder, and then click Properties.
7. In the Users Properties dialog box, click Advanced. Select Compress
contents to save disk space, click OK, and then click OK again. At the
Confirm Attribute Changes box, ensure that Apply changes to this folder,
subfolders and files is selected and then click OK.
8. In the File Server Resource Manager console, in the Quotas node, click
Refresh. Notice that the amount of used space is reduced significantly.
9. Switch to the command prompt. Type fsutil file createnew file2.txt
16400000, and then press ENTER. The file now is created.
10. Close the command prompt window.

Important: When creating files, you are specifying the number of bytes they will be.
This is why they are not exactly 85000000, because a byte is only eight bits.

Important: In Step 7, when the Users folder is compressed, you reduced the file’s
actual space. If you were to specify this using NTFS file system quotas, the actual file
size would be calculated and not the compressed size.

Exercise 3: Configuring File Screening
Task 1: Create a file screen
1. On NYC-SVR1, in the File Server Resource Manager console, expand the File
Screening Management node.
2. Select and then right-click the File Screens node, and then click Create File
Screen.
3. In the Create File Screen dialog box, click Browse and navigate to the
D:\Labfiles\Module12\Users folder, and then click OK.
4. Select Define custom file screen properties, and then click Custom
Properties.
5. In the File Screen Properties D:\Labfiles\Module12\Users dialog box, select
Passive screening, and then select Executable files from the list.
6. Click the Event Log tab, select the Send warning to event log check box, and
then click OK.
7. In the Create File Screen dialog box, click Create.
8. The Save Custom Properties as a Template dialog box appears. Type
Monitor Executables, and then click OK.

Task 2: Test the file screen
1. Open Windows Explorer, and navigate to the D:\Labfiles\Module12 folder.
2. Right-click the example.bat file, and then click Copy.
3. Browse to the D:\Labfiles\Module12\Users\user1 folder. Right-click in the
right pane of the Windows Explorer window, and then click Paste.
4. Check the Event Viewer. To do this, click Start, click Administrative tools,
and then click Event Viewer. Expand Windows Logs, and then click
Application. Note the event with Event ID of 8215.
5. Close the Event Viewer, and then close Windows Explorer.
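
The file screen above uses Passive screening, so the copy of example.bat succeeds and the Application log entry is the only record of it. The following added example (not part of the lab) pulls the two event IDs the lab asks you to note, 12325 and 8215, and summarizes them; the function names are hypothetical, the event source name SRMSVC is an assumption about the server, and the sample records are constructed so the script also runs away from the lab machines.

```powershell
# Added example, not part of the original lab. Function names are hypothetical.
# Event IDs 12325 and 8215 come from the lab steps; 'SRMSVC' as the FSRM event
# source name is an assumption about the target server.
$FsrmEventMeaning = @{
    12325 = 'Quota notification threshold reached'
    8215  = 'File screen matched a screened file group'
}

function Get-FsrmEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SRMSVC'
        Id           = 12325, 8215
        StartTime    = $Since
    }
    # Get-WinEvent reports an error when nothing matches; return nothing instead.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function ConvertTo-FsrmSummary {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    process {
        $id = [int]$Record.Id
        if (-not $FsrmEventMeaning.ContainsKey($id)) { return }   # skip unrelated events
        New-Object PSObject -Property @{
            Time    = $Record.TimeCreated
            Id      = $id
            Meaning = $FsrmEventMeaning[$id]
            Detail  = ($Record.Message -split "`r?`n")[0]          # first line of the message only
        }
    }
}

# Constructed sample records (not real log output) standing in for live events.
$sample = @(
    (New-Object PSObject -Property @{
        TimeCreated = [datetime]'2008-06-01 10:02:11'; Id = 12325
        Message     = 'constructed sample: quota threshold on D:\Labfiles\Module12\Users\user1' }),
    (New-Object PSObject -Property @{
        TimeCreated = [datetime]'2008-06-01 10:15:40'; Id = 8215
        Message     = 'constructed sample: example.bat saved under D:\Labfiles\Module12\Users\user1' }),
    (New-Object PSObject -Property @{
        TimeCreated = [datetime]'2008-06-01 10:16:02'; Id = 1000
        Message     = 'constructed sample: unrelated application event' })
)

# On NYC-SVR1, replace $sample with: Get-FsrmEvent -Since (Get-Date).AddHours(-1)
$summary = $sample | ConvertTo-FsrmSummary | Sort-Object Time

$summary | Format-Table Time, Id, Meaning, Detail -AutoSize
$summary | Group-Object Meaning | Select-Object Count, Name
```

With the sample records, the summary contains one quota event and one file screen event, and the unrelated event is dropped.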

Exercise 4: Generating Storage Reports
Task 1: Generate an on-demand storage report
1. In the File Server Resource Manager console, click Storage Reports
Management.
2. Right-click and then click Generate Reports Now.
3. In the Storage Reports Task Properties dialog box, in the Scope section, click
Add.
4. Navigate to the D:\Labfiles\Module12\Users folder, and then click OK.
5. In the Report data section, select File Screening Audit, select Quota Usage,
and then click OK.
6. In the dialog box that appears and asks how you want to proceed, keep Wait
for reports to be generated and then display them selected, and then click
OK.
7. Review the generated reports.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 13
Lab Answer Key: Configuring Availability of Network Resources and Content
Contents:
Exercise 1: Configuring Windows Server Backup and Restore
Exercise 2: Configuring Shadow Copying
Exercise 3: Configuring Network Load Balancing

Lab: Configuring Availability of Network Resources

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring Windows Server Backup and Restore
Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL1, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Server Manager tool on 6421A-NYC-DC1
• If necessary, on NYC-DC1, open Server Manager from the Administrative
Tools menu. To do this, on NYC-DC1, click Start, and then click Server Manager.

Task 3: Install the Windows Server Backup feature
1. In Server Manager, right-click Features, and then in the context menu, click
Add Features.
2. On the Select Features page, select the Windows Server Backup Features
check box.
3. Click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Results page, verify that the Windows Server Backup
installation succeeded, and then click Close.
6. Close Server Manager.

Task 4: Create a share on 6421A-NYC-SVR1
1. On NYC-SVR1, click Start, point to Administrative Tools, and click
Computer Management.
2. In the Computer Management list pane, expand Shared Folders, and then
right-click Shares.
3. From the context menu that appears, click New Share.
4. On the Welcome to the Create a Shared Folder Wizard, click Next.
5. On the Folder path page, click the Browse button.
6. On the Browse for Folder page, select Local Disk (C:), click Make New
Folder, name the folder NetBackup, click OK, and then click Next.
7. On the Name, Description, and Settings page, click Next.
8. On the Shared Folder Permissions page, select Administrators have full
access; other users have no access, and then click Finish.
9. In the Create a Shared folder Wizard box, click Finish.
10. Close the Computer Management console.

Task 5: Manually back up files to a network location
1. On NYC-DC1, click Start, point to Administrative Tools, and click Windows
Server Backup.
2. On the Actions pane of the Windows Server Backup (Local) window, select
Backup Once.
3. On the Backup Options page of the Backup Once Wizard, click Next.
4. On the Select backup configuration page, select Custom, and then click
Next.
5. On the Select backup items page, clear the Enable system recovery
checkbox, select Allfiles (D:), and then click Next.
6. On the Specify destination type page, select Remote Shared Folder, and then
click Next.
7. On the Specify remote folder page, type the path
\\NYC-SVR1\NetBackup in the text box, and then click Next.
8. On the Specify advanced option page, select VSS full backup, and then click
Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, verify the status is Backup Completed, and
then click Close.

Task 6: Restore files from a network location
1. On NYC-DC1, click Start, click Computer, and then double-click Allfiles (D:).
2. In the details pane of the Allfiles (D:) window, delete the Labfiles directory,
and then close the Allfiles (D:) window.
3. On the Windows Server Backup page, under Actions, select Recover.
4. On the Recovery Wizard, Getting started page, select Another server, and
then click Next.
5. On the Specify location type page, select Remote shared folder, and then
click Next.
6. On the Specify remote folder page, type \\NYC-SVR1\NetBackup, and then
click Next.
7. On the Select backup date page, click today’s date (in bold), and then click
Next.
8. On the Select recovery type page, accept the default of Files and folders, and
then click Next.
9. On the Select items to recover page, expand NYC-DC1, expand Allfiles (D:),
select Labfiles, and then click Next.
10. On the Specify recovery options page, accept the default settings, and then
click Next.
11. On the Confirmation page, click Recover.
12. In the Recovery progress window, verify the status is Restore of Files
completed, and then click Close.
13. Close the Windows Server Backup tool.

Exercise 2: Configuring Shadow Copying
Task 1: Enable shadow copies on a volume
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the Computer Management window console tree, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
3. In the Shadow Copies dialog box, select Volume D:\, and then click Enable.
In the Enable Shadow Copies dialog box that appears, click Yes, and then
click OK.
4. Leave the Computer Management console open.

Task 2: Change a file in a share location
1. On NYC-CL1, click Start, and in the search text box, type
\\NYC-DC1\shadow, and then press ENTER.
A window will open with the Shadow share contents visible.
2. Double-click the shadowTest.txt file.
3. Add the following line of text to the end of the text file:
• This is my text that I am adding to the file.
4. Save and close the shadowTest.txt file.
5. Close the shadow window.

Task 3: Manually create a shadow copy
1. On NYC-DC1, in the Computer Management console, right-click Shared
Folders, point to All Tasks, and then click Configure Shadow Copies.
2. In the Shadow Copies dialog box, select volume D:\, and then click Create
Now.
The shadow copies of selected volume should have two entries listed. Click
OK.
3. Close the Computer Management console.

Task 4: View the previous file versions, and restore to a previous version
1. On NYC-CL1, click Start, type \\NYC-DC1\shadow in the Search text box,
and then press ENTER.
2. Right-click shadowTest.txt, and select Properties from the context menu.
3. In the shadowTest Properties dialog box, click the Previous Versions tab.
4. Under File versions, you should see the last shadow copy that was created.
Click Open to view the file contents. The file you are viewing should be the
version previous to the file you modified with text.
5. Close the file, and select Restore from the Previous Versions window to
restore the file to its previous state, before any changes were made.
6. In the Previous Versions dialog box, click Restore, and then click OK.
7. Click OK to close the ShadowTest Properties dialog box.
8. Close the shadow window.

Exercise 3: Configuring Network Load Balancing
Task 1: Install the Network Load Balancing (NLB) feature on NYC-DC1 and NYC-SVR1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Server Manager.
2. In the Server Manager list pane, right-click Features, and then click Add
Features.
3. On the Select Features page, select Network Load Balancing, and then click
Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Results page, verify that the installation succeeded, and then close the
Add Features Wizard.
6. Repeat steps 1 through 5 for NYC-SVR1.
7. Close Server Manager on both NYC-DC1 and NYC-SVR1.

Task 2: Configure Network Load Balancing on NYC-DC1 and NYC-SVR1
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Network Load Balancing Manager.
2. In the Network Load Balancing Manager console, right-click Network Load
Balancing Clusters in the list pane, and then click New Cluster.
3. In the New Cluster: Connect dialog box, type the hostname NYC-DC1, and
then click Connect. Verify that the Interface name section is populated with
that interface’s Local Area Connection and IP address, and click Next.
4. In the New Cluster: Host Parameters dialog box, verify the default state is
Started, and then click Next.
5. In the New Cluster: Cluster IP Addresses dialog box, click Add and specify
an IPv4 cluster IP of 10.10.0.100 with a Subnet Mask of 255.255.0.0, click
OK, and then click Next.
6. In the New Cluster: Cluster Parameters dialog box, type a Full Internet
name of printsrv.woodgrovebank.com. Specify a Cluster operation mode of
Multicast, and then click Next.
7. In the New Cluster: Port Rules dialog box, click Finish.
8. In the Network Load Balancing Manager console list pane, right-click
printsrv.woodgrovebank.com, and then from the context menu, click Add
Host to Cluster.
9. In the Add Host to Cluster: Connect dialog box, specify the host as
NYC-SVR1, and then click Connect.
10. In the Interfaces available for configuring the cluster, click Local Area
Connection, and then click Next.
11. In the Add Host to Cluster: Host Parameters dialog box, accept the default
settings, and then click Next.
12. In the Add Host to Cluster: Port Rules, accept the default settings, and then
click Finish. After a few moments NYC-SVR1 will come online.
13. Close the Network Load Balancing Manager console window.

Task 3: Install and share an IP-based printer on both NYC-DC1 and NYC-SVR1
1. On NYC-DC1, click Start, click Control Panel, and then double-click the
Printers applet.
2. In the Printers console details pane, double-click Add Printer.
3. In the Add Printer dialog box, select Add a local printer.
4. In the Choose a printer port dialog box, select Create a new port, select
Standard TCP/IP Port from the drop-down list, and then click Next.
5. In the Type a printer hostname or IP Address dialog box, for Device type,
select TCP/IP device from the drop-down list, and specify the Hostname or IP
Address of 10.10.0.80.
6. Clear the Query the printer and automatically select the driver to use check
box, and then click Next.
7. Wait for the detection of the TCP/IP port to complete, and then click Next in
the Additional Port information Required dialog box.
8. In the Install the printer driver dialog box, specify the manufacturer of HP
and the printer model of HP LaserJet 6MP, and then click Next.
9. In the Type a printer name dialog box, accept the default settings, and then
click Next.
10. In the Printer Sharing dialog box, accept the default name, and then click
Next.
11. In the You’ve successfully added HP LaserJet 6MP dialog box, click Finish.
12. Close the Printers control panel applet.
13. Repeat steps 1 through 11 on NYC-SVR1.

Task 4: Use NYC-CL1 to connect to the NLB virtual IP address
1. On NYC-CL1, click Start, type \\10.10.0.100 in the Start Search text box,
and then press ENTER.
2. Take note of the available NLB cluster resources.

Task 5: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.

Module 14
Lab Answer Key: Configuring Server Security Compliance
Contents:
Exercise 1: Configuring and Analyzing Security
Exercise 2: Analyzing Security Templates
Exercise 3: Configuring Windows Software Update Services

Lab: Configuring Server Security Compliance

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring and Analyzing Security
Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6421A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6421A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6421A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6421A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the
password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Open the Security Configuration Wizard (SCW) on NYC-SVR1
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Security Configuration Wizard.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, under Select the action you want to
perform, ensure that Create a new security policy is selected, and then click
Next.
4. On the Select Server page, verify the server specified in the Server text box is
NYC-SVR1, and then click Next.
5. On the Processing Security Configuration Database page, wait for the
process to complete, and then click View Configuration Database.
6. When the SCW Viewer opens, a Microsoft® Internet Explorer® message box
may appear asking for permission to allow an ActiveX® control. Click Yes in
this message box.
7. Scroll through and read the list of Server Roles, Client Features,
Administration and Other Options, Services, and Windows Firewall.
8. Close SCW Viewer, and then click Next.
9. On the Role-Based Service Configuration page, click Next.
10. On the Select Server Roles page, click Next.
11. On the Select Client Features page, click Next.
12. On the Select Administration and Other Options page, click Next.
13. On the Select Additional Services page, click Next.
14. On the Handling Unspecified Services page, verify that Do not change the
startup mode of the service is selected, and then click Next.
15. On the Confirm Service Changes page, scroll through the list and note which
ones are being disabled, and then click Next.
16. On the Network Security page, click Next to start configuring network
security.
17. On the Network Security Rules page, scroll through the list of ports that will
be opened, and then click Next.
18. On the Registry Settings page, select Skip this section, and then click Next.
19. On the Audit Policy page, select Skip this section, and then click Next.
20. On the Save Security Policy page, click Next.
21. On the Security Policy File Name page, specify a name of
NewMemberSrv.xml at the end of the
C:\Windows\Security\msscw\Policies path that is listed, and then click
Next.
22. On the Apply Security Policy page, select Apply now, and then click Next.
23. The Applying Security Policy page appears, and the wizard prepares and
applies the policy.
24. When Application Complete appears above the status bar, click Next.
25. On the Completing the Security Configuration Wizard page, click Finish.

Exercise 2: Analyzing Security Templates


Task 1: Create a customized Microsoft Management Console (MMC)
1. On NYC-SVR1, click Start, click Run, type MMC in the Open text box, and
then press ENTER.
2. In the Console1 MMC window, click File on the menu bar, and then click
Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, under Available snap-ins, scroll
down and select Security Templates, and then click Add.
4. In the Add or Remove Snap-ins window, under Available snap-ins, scroll
down and select Security Configuration and Analysis, click Add, and then
click OK.
5. In the Console1 MMC list pane, expand Security Templates, right-click the
template path displayed in the list pane, and then click New Template.
6. In the template dialog box that appears, specify a template name of Secure,
and then click OK.
7. In the list pane, expand the Secure policy, expand Local Policies, and then
click Security Options.
8. In the details pane, scroll down and double-click Interactive Logon: Do not
display last user name.
9. Select the Define this policy setting in the template check box, click
Enabled, and then click OK.
10. Right-click the Secure template, and then click Save.
11. Leave the Console1 MMC open for the next task.

Task 2: Analyze current settings against secure template settings


1. In the list pane, right-click Security Configuration and Analysis, and then
click Open Database.
2. In the Open Database dialog box, type a file name of Secure, and then click
Open.
3. In the Import Template dialog box, select the Secure.inf template, and then
click Open.
4. In the list pane, right-click Security Configuration and Analysis, and then
click Analyze Computer Now.
5. In the Perform Analysis dialog box, click OK to accept the default log name.
6. When the analysis is complete, in the list pane, expand Security
Configuration and Analysis, expand Local Policies, and then select Security
Options.
7. Scroll down to Interactive Logon: Do not display last user name, and
compare the database setting to the computer setting. You should see a red “x”
on the item, which indicates that the settings are different between the
computer and database settings.
8. Leave the Console1 MMC open for the next task.

Task 3: Configure the computer with the secure template settings


1. In the list pane, right-click Security Configuration and Analysis, and then
select Configure Computer Now from the available options. Click OK in the
Configure System box.
The template is applied to the computer.
2. From the list pane, right-click Security Configuration and Analysis, and then
select Analyze Computer Now.
3. In the Perform Analysis dialog box, click OK to accept the default log.
4. When the analysis is complete, expand Local Policies, and then select
Security Options.
5. Scroll down to Interactive Logon: Do not display last user name, and verify
that a check mark appears indicating that the database setting and computer
setting are the same.
6. Close the Console1 MMC window. Do not save changes.
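
The comparison that Analyze Computer Now shows in Tasks 2 and 3 can also be scripted. The PowerShell below is an added example, not part of the lab answer key: it parses the [Registry Values] section of a security template and of a policy export and reports whether each templated setting matches. The function names, sample lines and file placeholders are assumptions of this example; DontDisplayLastUserName is the registry value behind Interactive Logon: Do not display last user name.

```powershell
# Added example: the template-versus-computer comparison from Tasks 2 and 3.
function Get-InfSection {
    param([string[]]$Lines, [string]$Section)
    $values = @{}          # @{} keys are case-insensitive, like registry paths
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # A new [section] header starts; track whether it is the one we want.
            $inSection = ($Matches[1] -eq $Section)
        } elseif ($inSection -and $text -match '^([^=;]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $values
}

function Compare-TemplateToComputer {
    param([string[]]$TemplateLines, [string[]]$ComputerLines)
    $template = Get-InfSection -Lines $TemplateLines -Section 'Registry Values'
    $computer = Get-InfSection -Lines $ComputerLines -Section 'Registry Values'
    foreach ($key in $template.Keys) {
        # A setting absent from the export is reported, not silently skipped.
        $actual = if ($computer.ContainsKey($key)) { $computer[$key] } else { '(not defined)' }
        New-Object PSObject -Property @{
            Setting  = $key.Split('\')[-1]
            Template = $template[$key]
            Computer = $actual
            Match    = ($template[$key] -eq $actual)
        }
    }
}

# Constructed sample input. "4,1" is REG_DWORD (type 4) with value 1 (Enabled).
$name = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'
$secureInf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
               '[Registry Values]', "$name=4,1")
$beforeTask3 = @('[Registry Values]', "$name=4,0")   # computer still at Disabled
$afterTask3  = @('[Registry Values]', "$name=4,1")   # template has been applied

Compare-TemplateToComputer $secureInf $beforeTask3
Compare-TemplateToComputer $secureInf $afterTask3

# On NYC-SVR1, replace the samples with real files (paths are placeholders):
#   secedit /export /cfg <export>.inf /areas SECURITYPOLICY
#   Compare-TemplateToComputer (Get-Content <template>.inf) (Get-Content <export>.inf)
```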

Exercise 3: Configuring Windows Software Update Services (WSUS)

Task 1: Use the Group Policy Management Console to create and link
a Group Policy Object (GPO) to the domain to configure client
updates
1. On NYC-DC1, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the Group Policy Management MMC list pane, expand Forest:
woodgrovebank.com, expand Domains, and then expand
WoodGroveBank.com.
3. Right-click WoodGroveBank.com in the list pane, and then click Create a
GPO in this domain, and Link it here.
4. In the New GPO dialog box, specify a name of WSUS, and then click OK.
5. Right-click the WSUS GPO link under WoodGroveBank.com, and then click
Edit.
6. In the Group Policy Management Editor window, ensure Computer
Configuration is expanded, expand Policies, expand Administrative
Templates, expand Windows Components, and then click Windows Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates Properties dialog box, on the Setting
tab, select Enabled. In the Configure automatic updating drop-down list,
click 4 - Auto download and schedule the install, and then click Next
Setting.
9. On the Specify intranet Microsoft update service location Properties page,
on the Settings tab, select Enabled. Under Set the intranet update service for
detecting updates and under Set the intranet statistics server, type
http://NYC-SVR1 in the text boxes, and then click Next Setting.
10. On the Automatic Updates detection frequency Properties page, select
Enabled, and then click OK.
11. Close the Group Policy Management Editor, and then close the Group Policy
Management tool.
12. On NYC-CL2, click Start, click All Programs, click Accessories, and then
click Run.
13. In the Run dialog box, type cmd, and then press ENTER.
14. At the command prompt, type gpupdate /force, and then press ENTER.
15. At the command prompt, type wuauclt /detectnow, and then press ENTER.
16. Close the command window on NYC-CL2.
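
After gpupdate /force, the client's registry shows whether the WSUS GPO from this task was applied. The PowerShell below is an added example, not part of the lab answer key: it reads the Windows Update policy keys and compares them with the values configured in steps 8 to 10. The function names and the sample hashtable are assumptions of this example; the registry value names are the ones the Windows Update policy settings write on the client.

```powershell
# Added example: confirm the WSUS GPO from Task 1 reached the client.
# Expected values follow steps 8 to 10 of the task.
$expected = @{
    WUServer                  = 'http://NYC-SVR1'   # intranet update service
    WUStatusServer            = 'http://NYC-SVR1'   # intranet statistics server
    UseWUServer               = 1
    NoAutoUpdate              = 0                   # Configure Automatic Updates: Enabled
    AUOptions                 = 4                   # auto download and schedule the install
    DetectionFrequencyEnabled = 1
}

function Get-WsusClientPolicy {
    # Merge both policy keys into one hashtable; an absent key contributes nothing.
    $policy = @{}
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    foreach ($path in $base, "$base\AU") {
        if (Test-Path $path) {
            $item = Get-Item $path
            foreach ($name in $item.GetValueNames()) {
                $policy[$name] = $item.GetValue($name)
            }
        }
    }
    return $policy
}

function Test-WsusClientPolicy {
    param([hashtable]$Policy, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        # A missing value means the GPO has not been applied for that setting.
        $actual = if ($Policy.ContainsKey($name)) { $Policy[$name] } else { '(not set)' }
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ("$actual" -eq "$($Expected[$name])")
        }
    }
}

# Constructed sample: a client with a different AUOptions value and no
# detection frequency setting. Only the mismatches are listed.
$sample = @{ WUServer = 'http://NYC-SVR1'; WUStatusServer = 'http://NYC-SVR1'
             UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 3 }
Test-WsusClientPolicy -Policy $sample -Expected $expected | Where-Object { -not $_.Match }

# On NYC-CL2 itself:
#   Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -Expected $expected
```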

Task 2: Use the WSUS administration tool to configure WSUS properties
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click
Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services administrative tool window, in the list pane under
NYC-SVR1, click Options.
3. In the details pane, click Update Source and Proxy Server.
4. View the options on both tabs, and then click Cancel.
5. In the details pane, click Products and Classifications.
6. View the options for product support and update classifications, and then
click Cancel.
7. In the details pane, click Update Files and Languages.
8. View the options for downloading updates and support for languages, and
then click Cancel.
9. In the details pane, click Synchronization Schedule, view the options for
synchronizing content, and then click Cancel.

Task 3: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group.
3. In the Add Computer Group dialog box, specify a computer group name of
HO Computers, and then click Add.
4. In the Update Services list pane, under Computers and All Computers, click
Unassigned Computers.
5. In the Unassigned Computers details pane, specify Any in the Status
drop-down list, and then click Refresh.
6. Right-click nyc-cl2.woodgrovebank.com, and then click Change
Membership.
7. In the Set Computer Group Membership dialog box, select the HO
Computers check box, and then click OK.

Task 4: Approve an update for Microsoft Vista™ clients


1. In the Update Services administrative tool, in the list pane, expand Updates,
and then click Critical Updates.
2. In the details pane, change the Approval filter to Any Except Declined and
Status filters to Any, and then click Refresh. Notice all of the updates
available.
3. In the Critical Updates details pane, right-click Update for Windows Vista
(KB936357), and then select Approve from the context menu.
4. In the Approve Updates window that appears, click the arrow next to All
Computers, select Approved for Install, and then click OK.
5. On the Approval Progress page, when the process is complete, click Close.

Important: Notice that a message appears stating that the update is approved,
but must be downloaded to complete.

6. In the Update Services console, click Reports.
7. View the various reports available in WSUS. Determine how many updates
NYC-CL2 requires.

Task 5: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote
Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then
click OK.
3. Close the 6421A Lab Launcher.

Note: After you have completed the lab exercises, closing the VMs and selecting
undo disk is not required for hosted labs. Click the Quit button to exit.
