Abstract
This Microsoft Test Lab Guide (TLG) provides you with step-by-step instructions to create the Base Configuration test lab, upon which you can build test labs based on other TLGs from Microsoft and published in the TechNet Wiki, perform TLG extensions in the TechNet Wiki, or create a test lab of your own design that can include Microsoft or non-Microsoft products. For a test lab based on physical computers, you can image the drives for future test labs. For a test lab based on virtualized computers, you can create snapshots of the base configuration virtual machines. This enables you to easily return to the base configuration test lab, where most of the routine infrastructure and networking services have already been configured, so that you can focus on building a test lab for the product, technology, or solution of interest.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. The Test Lab Guide: Base Configuration is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2010 Microsoft Corporation. All rights reserved.

Date of last update: March 9, 2011

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Test Lab Guide: Base Configuration
  Abstract
  Contents
  Introduction
    In this guide
    Test lab overview
    Hardware and software requirements
  Steps for Configuring the Corpnet Subnet
    Step 1: Configure DC1
      Install the operating system on DC1
      Configure TCP/IP properties
      Configure DC1 as a domain controller and DNS server
      Install and configure the DHCP server role on DC1
      Install an enterprise root CA on DC1
      Configure the CRL distribution settings
      Create a DNS record for crl.corp.contoso.com
      Create a user account in Active Directory
      Configure computer certificate auto-enrollment
      Configure computer account maximum password age
    Step 2: Configure APP1
      Install the operating system on APP1
      Configure TCP/IP properties
      Join APP1 to the CORP domain
      Install the Web Server (IIS) role on APP1
      Create a web-based CRL distribution point
      Configure the HTTPS security binding
      Configure permissions on the CRL distribution point file share
      Publish the CRL to APP1 from DC1
      Create a shared folder on APP1
    Step 3: Configure CLIENT1
      Install the operating system on CLIENT1
      User account control
      Join CLIENT1 to the CORP domain
      Verify the computer certificate
      Test access to intranet resources from the Corpnet subnet
  Steps for Configuring the Internet Subnet
    Step 1: Configure EDGE1
      Install the operating system on EDGE1
      Configure TCP/IP properties
      Join EDGE1 to the CORP domain
    Step 2: Configure INET1
      Install the operating system on INET1
      Configure TCP/IP properties
      Rename the computer
      Install the Web Server (IIS) and DNS server roles
      Create DNS records
      Install and configure the DHCP server role on INET1
      Configure the NCSI web site
      Test access to Internet resources from the Internet subnet
  Snapshot the Configuration
  Additional Resources
  Appendices
    Appendix A: Set UAC Behavior of the Elevation Prompt for Administrators
    Appendix B: Resulting Configuration
      Computers
        DC1
        APP1
        EDGE1
        CLIENT1
        INET1
      Active Directory and DNS infrastructure
      Web infrastructure
      PKI
Introduction
Test Lab Guides (TLGs) allow you to get valuable hands-on experience with new products and technologies using a pre-defined and tested methodology that results in a working configuration. When you use a TLG to create a test lab, instructions define what servers to create, how to configure the operating systems and system services, and how to install and configure any additional products or technologies. A TLG experience enables you to see all of the components and the configuration steps on both the front-end and back-end that are required for a product or technology or for a multi-product or technology solution.

A challenge in creating useful TLGs is to enable their reusability and extensibility. Because creating a test lab can represent a significant investment of time and resources, your ability to reuse and extend the work required to create test labs is important. An ideal test lab environment would enable you to create a basic lab configuration, save that configuration, and then build out multiple test labs in the future by starting with the base configuration.

The purpose of this TLG is to enable you to create the Base Configuration test lab, upon which you can build a test lab based on other TLGs from Microsoft or published in the TechNet Wiki, perform TLG extensions in the TechNet Wiki, or create a test lab of your own design that can include Microsoft or non-Microsoft products. Depending on how you deploy your test lab environment, you can image the drives for the Base Configuration test lab if you are using physical computers or you can create snapshots of the Base Configuration test lab virtual machines. This enables you to easily return to the baseline configuration where most of the routine client, server, and networking services have already been configured so that you can focus on building out a test lab for the products or technologies of interest.
For this reason, make sure that you create disk images or virtual machine snapshots after completing all the steps in this TLG. The Base Configuration TLG is just the beginning of the test lab experience. Other TLGs or TLG extensions in the TechNet Wiki focus on Microsoft products or platform technologies, but all of them use this Base Configuration TLG as a starting point.
In this guide
This document contains instructions for setting up the Base Configuration test lab by deploying four server computers running Windows Server 2008 R2 Enterprise Edition and one client computer running Windows 7 Enterprise or Ultimate. The resulting configuration simulates a private intranet and the Internet.

Important: The following instructions are for configuring the Base Configuration test lab. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
This document describes how to build out the Base Configuration test lab in two sections:
- Steps for configuring the Corpnet subnet (DC1, APP1, and CLIENT1)
- Steps for configuring the Internet subnet (EDGE1 and INET1)
Some TLGs require only the Corpnet subnet. However, it is strongly recommended that you build out both subnets if you ever plan to test technologies, products, or solutions that include access to intranet servers and services from the Internet. The Base Configuration test lab environment consisting of both subnets can be saved and reused for other TLGs. By building out both the Corpnet and Internet subnets, you will have a reusable snapshot of the entire Base Configuration test lab that can be used for intranet and Internet-based TLGs, which has the starting Base Configuration test lab in a unified and consistent state.
- For an evaluation copy of Windows Server 2008 R2 Enterprise Edition in download and virtual hard disk (VHD) form, see Windows Server 2008 R2 Evaluation Free 180-Day Trial (http://go.microsoft.com/fwlink/?LinkID=102582).
- The product disc or files for Windows 7 Enterprise or Ultimate. For an evaluation copy of Windows 7 Enterprise in download form, see Windows 7 Enterprise 90-day Trial (http://go.microsoft.com/fwlink/?LinkID=180603).
- Four computers that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise Edition. One of these computers (EDGE1) has two network adapters installed.
- One computer that meets the minimum hardware requirements for Windows 7 Enterprise or Ultimate.

If you wish to deploy the Base Configuration test lab in a virtualized environment, your virtualization solution must support Windows Server 2008 R2 Enterprise Edition and Windows 7 Enterprise or Ultimate 64-bit virtual machines. The server hardware must support the amount of RAM required to run the virtual operating systems included in the Base Configuration test lab and any other virtual machines required by additional TLGs.

Important: Run Windows Update on all computers or virtual machines either during the installation or immediately after installing the operating systems. After running Windows Update, you can isolate your physical or virtual test lab from your production network.
Services provided by DC1:
- A domain controller for the corp.contoso.com Active Directory Domain Services (AD DS) domain.
- A DNS server for the corp.contoso.com DNS domain.
- A DHCP server for the Corpnet subnet.
- An enterprise root CA for the corp.contoso.com domain.

Configuration of DC1 consists of the following steps:
- Install the operating system.
- Configure TCP/IP.
- Install Active Directory and DNS.
- Install DHCP.
- Install an enterprise root CA.
- Configure the CRL settings for the enterprise root CA.
- Create a DNS entry for crl.corp.contoso.com.
- Create a user account in Active Directory.
- Configure computer certificate auto-enrollment.
- Configure computer account maximum password age.
mask, type 255.255.255.0. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.
5. Click Advanced, and then click the DNS tab.
6. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.
7. Close the Network Connections window.
8. In Initial Configuration Tasks, click Provide computer name and domain.
9. In System Properties, click Change. In Computer name, type DC1, click OK twice, and then click Close. When you are prompted to restart the computer, click Restart Now.
10. After restarting, log on using the local administrator account.
11. In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.
8. On the Cryptography page, click Next.
9. On the CA Name page, click Next.
10. On the Validity Period page, click Next.
11. On the Certificate Database page, click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Results page, click Close.
To create a DNS record for crl.corp.contoso.com on DC1
1. On DC1, click Start, point to Administrative Tools, and then click DNS.
2. In the DNS Manager console, expand DC1 and then expand Forward Lookup Zones. Right-click corp.contoso.com and click New Host (A or AAAA).
3. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In IP address, type 10.0.0.3. Click Add Host.
4. In the DNS dialog box informing you that the record was created, click OK.
5. Click Done in the New Host dialog box.
6. Close the DNS Manager console.
To configure computer certificate auto-enrollment in Group Policy
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
6. In the Automatic Certificate Request Wizard, click Next.
7. On the Certificate Template page, click Computer, click Next, and then click Finish.
8. Leave the Group Policy Management Editor and Group Policy Management consoles open for the next procedure.
- Publish the CRL to APP1 from DC1.
- Create a shared folder on APP1.
To join APP1 to the CORP domain
1. In Initial Configuration Tasks, click Provide Computer Name and Domain.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer Name, type APP1. In Member of, click Domain, and then type corp.contoso.com.
4. Click OK.
5. When you are prompted for a user name and password, type User1 and its password, and then click OK.
6. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.
7. When you are prompted that you must restart the computer, click OK.
8. On the System Properties dialog box, click Close.
9. When you are prompted to restart the computer, click Restart Now.
10. After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the User1 account.
11. In Initial Configuration Tasks, click Do not show this window at logon, and then click Close.
path, click the ellipsis button.
4. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
5. Type CRLDist, and then press ENTER. Click OK in the Browse for Folder dialog box.
6. Click OK in the Add Virtual Directory dialog box.
7. In the middle pane of the console, double-click Directory Browsing.
8. In the details pane, click Enable.
9. In the console tree, click the CRLD folder.
10. In the middle pane of the console, double-click the Configuration Editor icon.
11. Click the down-arrow for the Section drop-down list, and then navigate to system.webServer\security\requestFiltering.
12. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. Double escaping must be allowed because delta CRL file names contain a plus sign (+), which IIS request filtering otherwise rejects when it appears encoded in the requested URL.
13. In the details pane, click Apply.
5. In the Advanced Sharing dialog box, select Share this folder.
6. In Share name, add a $ to the end so that the share name is CRLDist$.
7. In the Advanced Sharing dialog box, click Permissions.
8. In the Permissions for CRLDist$ dialog box, click Add.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
10. In the Object Types dialog box, select Computers, and then click OK.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.
12. In the Permissions for CRLDist$ dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the CRLDist Properties dialog box, click the Security tab.
15. On the Security tab, click Edit.
16. In the Permissions for CRLDist dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select Computers. Click OK.
19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.
20. In the Permissions for CRLDist dialog box, select DC1 (CORP\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control. Click OK.
21. Click Close in the CRLDist Properties dialog box.
22. Close the Windows Explorer window.
6. Close the Windows Explorer window.
7. Close the Certification Authority console.
5. When you are prompted for your computer's current location, click Work.
6. Connect CLIENT1 to a network that has Internet access and run Windows Update to install the latest updates for Windows 7.
7. Connect CLIENT1 to the Corpnet subnet.
4. In the console tree, open Certificates (Local Computer)\Personal\Certificates.
5. In the details pane, verify that a certificate with the name CLIENT1.corp.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.
6. Close the console window. When you are prompted to save settings, click No.
15. Click Advanced. On the IP Settings tab, click Add for IP Addresses. In the TCP/IP Address section, type 131.107.0.3 in IP address, type 255.255.255.0 in Subnet mask, and then click Add.
16. Click the DNS tab.
17. In DNS suffix for this connection, type isp.example.com, and then click OK three times.
18. Close the Network Connections window.
19. To check network communication between EDGE1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.
20. In the Command Prompt window, type ping dc1.corp.contoso.com.
21. Verify that there are four responses from 10.0.0.1.
22. Close the Command Prompt window.

Tip: You need to configure two consecutive public IPv4 addresses on the Internet interface of EDGE1 to support test lab guides that use EDGE1 as a DirectAccess server, so that Teredo-based DirectAccess clients can detect the type of NAT behind which they are located. For more information, see Teredo Overview (http://go.microsoft.com/fwlink/?LinkId=169500).
Programs, click Accessories, and then click Command Prompt.
10. In the Command Prompt window, type ping 131.107.0.2.
11. Verify that there are four failures from 131.107.0.2 indicating that the request timed out. The reason is that Windows Firewall with Advanced Security on EDGE1 blocks the incoming ping messages. At the command prompt, run the arp -g command and confirm that a Physical Address is associated with the Internet Address of 131.107.0.2. This confirms reachability to 131.107.0.2.
12. Close the Command Prompt window.
13. Click Start, right-click Network, and then click Properties.
14. In the Network and Sharing Center window, click Change advanced sharing settings.
15. In the Advanced sharing settings window, click Turn on file and printer sharing, and then click Save changes.
16. Close the Network and Sharing Center window.
4. Verify that all installations were successful, and then click Close.
To install and configure the DHCP server role
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. Under Roles Summary, click Add roles, and then click Next.
3. On the Select Server Roles page, select DHCP Server, and then click Next twice.
4. On the Select Network Connection Bindings page, verify that 131.107.0.1 is selected, and then click Next.
5. On the Specify IPv4 DNS Server Settings page, type isp.example.com in Parent domain.
6. Type 131.107.0.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
7. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
8. On the Add or Edit DHCP Scopes page, click Add.
9. In the Add Scope dialog box, in Scope Name, type Internet. In Starting IP Address, type 131.107.0.100. In Ending IP Address, type 131.107.0.150. In Subnet Mask, type 255.255.255.0. In Default gateway (optional), type 131.107.0.1.
10. Select Activate this scope, click OK, and then click Next.
11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
12. On the Confirm Installation Selections page, click Install.
13. Verify that the installation was successful, and then click Close.
To test access to Internet resources from the Internet subnet
1. Move CLIENT1 from the Corpnet subnet to the Internet subnet. Note that after network detection is complete, the warning symbol on the network icon in the system notification area no longer appears. Hover over the network icon in the system notification area and notice that it indicates Internet access.
2. From the taskbar, click the Internet Explorer icon.
3. In the Address bar, type http://inet1.isp.example.com/, and then press ENTER. You should see the default IIS 7 web page.
4. Close the Internet Explorer window.
5. Open a command prompt window. Type ping inet1 and press ENTER. You should see four responses from 131.107.0.1. Type ping edge1.contoso.com and press ENTER. You should see four failures from 131.107.0.2 indicating that the request timed out. Recall that Windows Firewall with Advanced Security on EDGE1 blocks the ping messages. At the command prompt, run the arp -g command and confirm that a Physical Address is associated with the Internet Address of 131.107.0.2.
6. Move CLIENT1 from the Internet subnet to the Corpnet subnet.
7. From the command prompt window, type ping inet1, and then press ENTER. You should see a "could not find host inet1" message and no responses. Type ping 131.107.0.1, and then press ENTER. You should see "transmit failed" messages and no responses. This indicates that there is no connectivity between the Corpnet subnet and the Internet subnet. Although EDGE1 is connected to both the Internet and Corpnet subnets, it is not providing any routing, address translation, or proxying services to allow computers on the Corpnet subnet to access resources on the Internet subnet. An additional test lab guide will configure Internet subnet access from the Corpnet subnet as needed.
Additional Resources
- For a list of additional Microsoft TLGs, see Test Lab Guides (http://go.microsoft.com/fwlink/?LinkId=202817) in the TechNet Wiki.
- For an evaluation copy of Windows Server 2008 R2 Enterprise Edition in download and virtual hard disk (VHD) form, see Windows Server 2008 R2 Evaluation Free 180-Day Trial (http://go.microsoft.com/fwlink/?LinkID=102582).
- For an evaluation copy of Windows 7 Enterprise in download form, see Windows 7 Enterprise 90-day Trial (http://go.microsoft.com/fwlink/?LinkID=180603).
- To get your questions about this test lab answered, see the Network Infrastructure Servers TechNet Forum (http://go.microsoft.com/fwlink/?LinkId=192175).
- To provide the authors of this guide with feedback or suggestions for improvement, send an email message to tlgfb@microsoft.com.
Appendices
Appendix A: Set UAC Behavior of the Elevation Prompt for Administrators
This appendix describes how to change the default User Account Control (UAC) behavior in Windows Server 2008 R2 and Windows 7. By default, UAC is enabled in Windows Server 2008 R2 and Windows 7. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.

To set UAC behavior of the elevation prompt for administrators
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type secpol.msc, and press ENTER.
3. In the console tree, open Local Policies, and then click Security Options.
4. In the contents pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
5. Click Elevate without prompting in the list, and then click OK.
6. Close the Local Security Policy window.
Computers
The Base Configuration test lab contains the following computers:
- DC1
- APP1
- EDGE1
- INET1
- CLIENT1
DC1
Operating system: Windows Server 2008 R2 Enterprise
Domain membership: Member of the corp.contoso.com domain
TCP/IP configuration on the Corpnet subnet network adapter:
  IP address: 10.0.0.1
  Subnet mask: 255.255.255.0
  No default gateway
  Connection specific DNS suffix: corp.contoso.com
Roles:
  Enterprise root certification authority (CA) for corp.contoso.com, configured through Group Policy for autoenrollment of computer certificates
Installed certificates:
  Computer certificate: dc1.corp.contoso.com
APP1
Operating system: Windows Server 2008 R2 Enterprise
Domain membership: Member of the corp.contoso.com domain
TCP/IP configuration on the Corpnet subnet network adapter:
  IP address: 10.0.0.3
  Subnet mask: 255.255.255.0
  DNS server: 10.0.0.1
  No default gateway
  Connection specific DNS suffix: corp.contoso.com
Roles:
  Web server:
    HTTPS (SSL bound to app1.corp.contoso.com certificate)
    CRLD virtual web site mapped to the CRLDist folder to store CRL files
  File server:
    CRLDist$ share, DC1 has full control NTFS and Share permissions
    Files share that contains the Example.txt file
Installed certificates:
  Computer certificate: app1.corp.contoso.com
EDGE1
Operating system: Windows Server 2008 R2 Enterprise
Domain membership: Member of the corp.contoso.com domain
TCP/IP configuration on the Corpnet subnet network adapter:
  IP address: 10.0.0.2
  Subnet mask: 255.255.255.0
  DNS server: 10.0.0.1
  No default gateway
  Connection specific DNS suffix: corp.contoso.com
TCP/IP configuration on the Internet subnet network adapter:
  IP address: 131.107.0.2 and 131.107.0.3
  Subnet mask: 255.255.255.0
  No default gateway
  Connection specific DNS suffix: isp.example.com
Note that EDGE1 is not configured to provide Internet connectivity for hosts on the Corpnet subnet or intranet connectivity for CLIENT1 when it is connected to the Internet subnet. Subsequent modular TLGs can provide this functionality.
CLIENT1
Operating system: Windows 7 Enterprise or Ultimate
Domain membership: Member of the corp.contoso.com domain
TCP/IP configuration on the network adapter: Automatic (DHCP client)
Installed certificates:
  Computer certificate: client1.corp.contoso.com
INET1
Operating system: Windows Server 2008 R2 Enterprise
Domain membership: None (standalone)
TCP/IP configuration on the Internet subnet network adapter:
  IP address: 131.107.0.1
  Subnet mask: 255.255.255.0
  No default gateway
  Connection specific DNS suffix: isp.example.com
Roles:
DNS server
  Does not accept dynamic updates. Manual Host (A) records:
    inet1.isp.example.com at the IPv4 address 131.107.0.1
    edge1.contoso.com at the IPv4 address 131.107.0.2
    www.msftncsi.com at the IPv4 address 131.107.0.1
    dns.msftncsi.com at the IPv4 address 131.107.255.255
DHCP server
  Scope: 131.107.0.100-131.107.0.150/24
  Router scope option: 131.107.0.1
  DNS domain name option: isp.example.com
  DNS server option: 131.107.0.1
Installed certificates: None
Active Directory and DNS infrastructure

The example Contoso Corporation uses a split-DNS configuration: contoso.com on the Internet and corp.contoso.com on the intranet.

DC1 has the following manually created Host (A) records:
- crl.corp.contoso.com with the IP address 10.0.0.3: resolves the URL of the CRL distribution point to APP1.

INET1 has the following manually created Host (A) records:
- inet1.isp.example.com with the IP address 131.107.0.1: resolves the inet1.isp.example.com name to INET1's address.
- edge1.contoso.com with the IP address 131.107.0.2: resolves the Internet name of EDGE1 to its Internet address.
- www.msftncsi.com with the IP address 131.107.0.1: resolves the www.msftncsi.com name to INET1's address for Internet detection.
- dns.msftncsi.com with the IP address 131.107.255.255: resolves the dns.msftncsi.com name to the expected address for Internet detection.
Web infrastructure
On the Corpnet subnet, APP1 is a Web server with the IIS server role and supports unprotected (http://app1.corp.contoso.com) and protected Web pages (https://app1.corp.contoso.com). The SSL binding is configured for the auto-enrolled computer certificate with the subject name app1.corp.contoso.com. On the Internet subnet, INET1 is a Web server with the IIS server role and supports unprotected Web pages (http://inet1.isp.example.com). To provide support for Network Connectivity Status Indicator (NCSI) Internet detection, INET1 is also known as www.msftncsi.com and hosts the Ncsi.txt file in the WWWRoot folder.
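The following PowerShell script is an added example, not part of the TLG; it automates the checks the guide has you perform by hand in "Test access to Internet resources from the Internet subnet" and the NCSI detection this section describes. Run it on CLIENT1 while it is attached to the Internet subnet; the function names and the PASS/FAIL output format are this example's own.

```powershell
# Added verification script; it is not part of the TLG. Run it in a PowerShell
# window on CLIENT1 while CLIENT1 is attached to the Internet subnet. It checks
# the outcomes the guide expects from the DNS, IIS, and NCSI configuration on
# INET1 and from the firewall behaviour of EDGE1. Function names are this
# example's own. Written for PowerShell 2.0 (Windows 7) without extra modules.

function Report([bool]$ok, [string]$what) {
    Write-Host ("{0} {1}" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $what)
    return $ok
}

function Resolve-Expected([string]$Name, [string]$ExpectedIP) {
    # $true when the resolver handed out by INET1's DHCP scope answers with the
    # address that the guide's manual Host (A) record holds.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    } catch { $addrs = @() }
    Report ($addrs -contains $ExpectedIP) ("DNS {0} -> {1} (expected {2})" -f $Name, ($addrs -join ','), $ExpectedIP)
}

function Test-InternetSubnet {
    $r  = @()
    $wc = New-Object System.Net.WebClient

    # Manual records on INET1 (Appendix B, "DNS server").
    $r += Resolve-Expected 'inet1.isp.example.com' '131.107.0.1'
    $r += Resolve-Expected 'edge1.contoso.com'     '131.107.0.2'

    # NCSI: Windows 7 reports "Internet access" only when ncsi.txt is served
    # with exactly this body and dns.msftncsi.com resolves to 131.107.255.255.
    $r += Resolve-Expected 'dns.msftncsi.com' '131.107.255.255'
    try { $body = $wc.DownloadString('http://www.msftncsi.com/ncsi.txt').Trim() }
    catch { $body = "ERROR: $($_.Exception.Message)" }
    $r += Report ($body -eq 'Microsoft NCSI') "HTTP http://www.msftncsi.com/ncsi.txt -> '$body'"

    # Default IIS page on INET1, reached by its DNS name.
    try { $null = $wc.DownloadString('http://inet1.isp.example.com/'); $ok = $true } catch { $ok = $false }
    $r += Report $ok 'HTTP http://inet1.isp.example.com/ returned a page'

    # EDGE1 answers ARP but Windows Firewall drops ICMP echo, so ping must fail
    # while the ARP cache still holds a physical address for 131.107.0.2
    # (reachable at layer 2, filtered at layer 3).
    $pingOk = Test-Connection -ComputerName 131.107.0.2 -Count 2 -Quiet -ErrorAction SilentlyContinue
    $r += Report (-not $pingOk) 'ping 131.107.0.2 times out (ICMP filtered on EDGE1)'
    $arp = @(arp -a | Select-String -Pattern '^\s*131\.107\.0\.2\s+([0-9a-f]{2}(-[0-9a-f]{2}){5})')
    $mac = if ($arp.Count -gt 0) { $arp[0].Matches[0].Groups[1].Value } else { 'none' }
    $r += Report ($arp.Count -gt 0) "arp -a shows a physical address for 131.107.0.2: $mac"

    return ($r -notcontains $false)
}

Test-InternetSubnet
```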
PKI
The PKI in the base configuration test lab consists of the following:
- DC1 acting as an Enterprise Root CA for the corp.contoso.com domain
- The default Group Policy object configured for computer certificate autoenrollment
- All of the domain member computers have a computer certificate installed (DC1, APP1, EDGE1, CLIENT1), with the Subject field set to the FQDN of the computer name and with the Server Authentication and Client Authentication OIDs
- AD CS on DC1 is configured to store the CRL files on the \\app1\crldist$ share, which corresponds to the CRLD virtual web site on APP1
- Certificates issued by DC1 are configured with the additional CRL distribution point of http://crl.corp.contoso.com/crld/corp-DC1-CA.crl. When performing certificate revocation checking on the Corpnet subnet, a computer attempts to access the path http://crl.corp.contoso.com/crld/corp-DC1-CA.crl. The manually configured Host (A) record on DC1 resolves crl.corp.contoso.com to 10.0.0.3, the IP address of APP1.
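The following PowerShell script is an added example, not part of the TLG; it verifies the PKI outcome described above from a domain member on the Corpnet subnet: the auto-enrolled computer certificate and its EKUs, the CDP extension, the crl.corp.contoso.com record, the CRL published on APP1, a full revocation check, and the HTTPS binding on APP1. Function names and the PASS/FAIL format are this example's own.

```powershell
# Added verification script; it is not part of the TLG. Run it in a PowerShell
# window on CLIENT1, APP1, or EDGE1 while attached to the Corpnet subnet.
# Written for PowerShell 2.0 (Windows 7 / Windows Server 2008 R2), using only
# built-in .NET types and certutil.exe. Function names are this example's own.

$CrlHost    = 'crl.corp.contoso.com'
$CrlUrl     = 'http://crl.corp.contoso.com/crld/corp-DC1-CA.crl'
$Fqdn       = ("{0}.corp.contoso.com" -f $env:COMPUTERNAME).ToLower()
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Report([bool]$ok, [string]$what) {
    Write-Host ("{0} {1}" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $what)
    return $ok
}

function Get-LabComputerCert {
    # Auto-enrollment places the Computer certificate in the machine Personal
    # store with the subject set to the host's FQDN; take the newest one.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-LabPki {
    $r = @()
    $cert = Get-LabComputerCert
    $r += Report ($cert -ne $null) "computer certificate CN=$Fqdn present in LocalMachine\My"
    if ($cert -eq $null) { return $false }

    # Both EKUs must be present (the guide's "Verify the computer certificate" step).
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @(); if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r += Report (($ekus -contains $ServerAuth) -and ($ekus -contains $ClientAuth)) "EKUs: $($ekus -join ', ')"

    # The CDP extension (OID 2.5.29.31) must carry the HTTP URL served by APP1.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }
    $r += Report ($cdpText -match [regex]::Escape($CrlUrl)) "CDP extension contains $CrlUrl"

    # crl.corp.contoso.com is a manual Host (A) record on DC1 pointing at APP1.
    try { $addrs = @([System.Net.Dns]::GetHostAddresses($CrlHost) | ForEach-Object { $_.IPAddressToString }) }
    catch { $addrs = @() }
    $r += Report ($addrs -contains '10.0.0.3') "$CrlHost resolves to $($addrs -join ',')"

    # Fetch the CRL over HTTP and let certutil parse it; a 404 here means the
    # CRL was never published to \\app1\crldist$ or the CRLD site is wrong.
    $wc = New-Object System.Net.WebClient
    $crlPath = Join-Path $env:TEMP 'corp-DC1-CA.crl'
    try { $wc.DownloadFile($CrlUrl, $crlPath); $fetched = $true } catch { $fetched = $false }
    $r += Report $fetched "downloaded $CrlUrl"
    if ($fetched) {
        $dump = certutil -dump $crlPath
        $next = @($dump | Select-String 'NextUpdate' | ForEach-Object { $_.Line.Trim() })
        $r += Report ($LASTEXITCODE -eq 0) "certutil parsed the CRL ($($next -join '; '))"
    }

    # Full chain build plus revocation check, the way a relying party does it.
    $cerPath = Join-Path $env:TEMP "$Fqdn.cer"
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
    $null = certutil -verify -urlfetch $cerPath
    $r += Report ($LASTEXITCODE -eq 0) "certutil -verify -urlfetch $cerPath"

    # APP1's HTTPS binding uses its own auto-enrolled certificate; a TLS error
    # here points at the binding, the name, or trust in the enterprise root CA.
    try { $null = $wc.DownloadString('https://app1.corp.contoso.com/'); $https = $true }
    catch { $https = $false; Write-Host "  $($_.Exception.Message)" }
    $r += Report $https 'https://app1.corp.contoso.com/ served with a trusted certificate'

    return ($r -notcontains $false)
}

Test-LabPki
```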