
OFFICIAL MICROSOFT LEARNING PRODUCT

6421B And Lab Answer Key: Lab Instructions


Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6421B Part Number: X17-66521 Released: 05/2011

Lab Instructions: Planning and Configuring IPv4

Module 1
Lab Instructions: Planning and Configuring IPv4
Contents:
Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices
Exercise 2: Implementing and Verifying IPv4 in the Branch Office


Lab: Planning and Configuring IPv4

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.

Lab Scenario
You are a network engineer for Contoso Ltd. You must select a suitable IPv4 addressing scheme for a branch office deployment and then implement elements of the scheme. The branch will initially use manually assigned IPv4 addresses, although it is planned that they will implement DHCP in the future. Once you have determined the appropriate configuration, you are required to configure the client workstations according to your plan. For this project, you must complete the following tasks:
   Plan a suitable IPv4 subnet scheme for branch offices.
   Implement and verify the IPv4 subnet scheme.


Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices


Scenario
Contoso has created a new regional sales force. As a result, branch offices are being rented and fitted-out with office equipment and computers. You have been tasked with designing an IPv4 addressing scheme to support the western region branch offices. There are 10 new offices, three in this region, and each with around 100 computers. The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the proposal document with your planned course of action.
3. Examine the suggested proposals in the Lab Answer Key.

Supporting Documentation Charlotte Weiss


From: Ed Meadows [Ed@contoso.com]
Sent: 04 Feb 2011 09:05
To: Charlotte@contoso.com
Subject: Re: Contoso branch office deployments
Attachments: Contoso Branch Network Plan.vsd

Charlotte,

Each branch will be connected via a router to the head office; I've attached a basic schematic of the regional offices. We've allocated the network address 172.16.16.0/20 for all branches in this region. In terms of traffic, the database synchronization takes place overnight so should not impact traffic overly. I think the traffic in the head office sales subnets right now should be fairly indicative. Rather than sending you the output, I'll just say that we figure on around 50 computers per subnet.

Regards,
Ed

----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 03 Feb 2011 08:45
To: Ed@contoso.com
Subject: Contoso branch office deployments

Ed,

Do you have any information about network traffic at the new branches? I understand there is to be a database with regional replicas. Do you have any information on that? I'm trying to figure out the number of subnets I'm going to need per branch. Any other information gratefully received!

Charlotte


Contoso Branch Network Plan.vsd

Task 1: Read the supporting documentation


Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document, shown as follows.

Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW00602/1
Document Author: Charlotte Weiss
Date: 6th February

Requirements Overview
Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information
You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Proposals
1. How many subnets do you envisage requiring for this region?
2. How many hosts will you deploy in each subnet?
3. What subnet mask will you use for each branch?
4. What are the subnet addresses for each branch?
5. What range of host addresses are in each branch?

Task 3: Examine the suggested proposals in the Lab Answer Key


Examine the completed Branch Office Network Infrastructure plan in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you should have a completed IP addressing plan for the Contoso branch offices.
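The sizing arithmetic behind the proposal questions, as an added example in Python (not part of the courseware or its Lab Answer Key): it lists every prefix length inside 172.16.16.0/20 that leaves enough subnets and enough hosts per subnet after 25 percent growth. The figure of six subnets (three branches, two subnets of about 50 computers each) is an assumption drawn from the scenario and the e-mail, and the function names are illustrative.

```python
import ipaddress
import itertools
import math


def subnet_options(block, hosts_per_subnet, growth, subnets_needed):
    """Return every prefix length inside `block` that meets both requirements.

    Each entry is (prefix_length, subnets_available, usable_hosts_per_subnet).
    """
    network = ipaddress.ip_network(block)
    # Round up: 50 hosts plus 25 percent growth is 62.5, so 63 addresses are needed.
    hosts_required = math.ceil(hosts_per_subnet * (1 + growth))
    options = []
    for prefix in range(network.prefixlen, 31):
        usable = 2 ** (32 - prefix) - 2          # minus network and broadcast
        available = 2 ** (prefix - network.prefixlen)
        if usable >= hosts_required and available >= subnets_needed:
            options.append((prefix, available, usable))
    return options


def address_plan(block, prefix, count):
    """List the first `count` subnets of `block` at `prefix` with their host ranges."""
    network = ipaddress.ip_network(block)
    plan = []
    for subnet in itertools.islice(network.subnets(new_prefix=prefix), count):
        plan.append({
            "subnet": str(subnet),
            "mask": str(subnet.netmask),
            "first_host": str(subnet.network_address + 1),
            "last_host": str(subnet.broadcast_address - 1),
        })
    return plan


if __name__ == "__main__":
    BLOCK = "172.16.16.0/20"      # from the e-mail in the supporting documentation
    SUBNETS_NEEDED = 6            # assumption: 3 branches x 2 subnets of ~50 hosts

    print("prefix  subnets  usable hosts")
    for prefix, available, usable in subnet_options(BLOCK, 50, 0.25, SUBNETS_NEEDED):
        print("/%-6d %-8d %d" % (prefix, available, usable))

    # A /26 holds only 62 hosts, one short of the 63 required, so it is not listed.
    print()
    for row in address_plan(BLOCK, 24, SUBNETS_NEEDED):
        print("%(subnet)-18s %(mask)-16s %(first_host)s - %(last_host)s" % row)
```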


Exercise 2: Implementing and Verifying IPv4 in the Branch Office


Scenario
In this exercise, you will implement the IPv4 addressing scheme that you selected in the previous exercise. The main tasks for this exercise are as follows:
1. Determine the current IPv4 configuration of the router.
2. Determine the IPv4 configuration of NYC-SVR2.
3. Determine the configuration of the NYC-CL2 computer.
4. Reconfigure the NYC-CL2 computer.
5. Verify the configuration.
6. Capture and analyze network traffic using Network Monitor.

Task 1: Determine the current IPv4 configuration of the router


1. Switch to the NYC-RTR computer.
2. Using Ipconfig.exe, determine what the IPv4 address and subnet mask of NYC-RTR is that starts with 172.16 and write it down.
   What subnet is this?
   What would the last host address in this subnet be?

Task 2: Determine the IPv4 configuration of NYC-SVR2


1. On the NYC-SVR2 computer, determine what the IPv4 address and subnet mask of NYC-SVR2 is that starts with 172.16 and write it down.
2. Locate and identify the following:
   What is the IPv4 address and subnet mask?
   What subnet is this?
   What is the default gateway?
   What is the DNS Servers entry?
3. Leave the command prompt open.

Task 3: Determine the configuration of the NYC-CL2 computer


1. On the NYC-CL2 computer, run the Reconfigure.cmd batch file that is located in E:\Labfiles\Mod01.
2. Determine the IPv4 configuration of NYC-CL2 and write it down.
3. Locate and identify the following:
   What is the IPv4 address and subnet mask?
   What does the previous answer tell you?


Task 4: Reconfigure the NYC-CL2 computer


1. Reconfigure the IPv4 settings to be appropriate for the subnet that the client resides within. A suggested answer appears in the Lab Answer Key.
2. Write down the configuration that you have used:
   IP address:
   Subnet mask:
   Default gateway:
   Preferred DNS server:

Task 5: Verify the configuration


1. Using Ipconfig.exe, verify the address configuration.
   What is the IPv4 address and subnet mask?
2. Ping NYC-DC1, and then using Ipconfig.exe, examine the DNS resolver cache.

Task 6: Capture and analyze network traffic using Network Monitor


1. Open Microsoft Network Monitor 3.4.
2. Start a new capture and then switch to the command prompt.
3. From the command prompt, using Ipconfig.exe, purge the DNS resolver cache and then ping nyc-dc1.
4. View the DNS resolver cache and verify the presence of the NYC-DC1 record.
5. In Network Monitor, stop the capture.
   What type of frames can you see?
6. Create a filter to show frames with an IPv4 address of 10.10.0.10.
7. Examine the filtered frames and then clear the filter.
8. Create a new filter for DNSQueryName, where the server=Contoso. Apply the filter and then examine the filtered frames.
   What do the records show?
9. Close Network Monitor.

Results: At the end of this exercise, you will have configured the branch office subnet.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.

Lab Instructions: Configuring and Troubleshooting DHCP

Module 2
Lab Instructions: Configuring and Troubleshooting DHCP
Contents:
Exercise 1: Selecting a Suitable DHCP Configuration
Exercise 2: Implementing DHCP
Exercise 3: Reconfiguring DHCP in the Head Office
Exercise 4: Testing the Configuration
Exercise 5: Troubleshooting DHCP Issues


Lab: Configuring and Troubleshooting the DHCP Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-RTR, 6421B-NYC-SVR2, and 6421B-NYC-CL2.


Lab Scenario
Contoso is deploying DHCP to their branch offices. Fault tolerance is important, and you are tasked with configuring the DHCP services in the head office and branch offices to support the requirements. For this project, you must complete the following tasks:
   Plan suitable DHCP configuration
   Install the DHCP server role on NYC-SVR2
   Configure scopes at head office and branch office DHCP servers
   Test client functionality with primary DHCP server online, and then simulate a connection failure with the head office
   Troubleshoot common DHCP issues

Contoso Branch Network Plan.vsd


Exercise 1: Selecting a Suitable DHCP Configuration


Scenario
In this exercise, you will select a suitable DHCP configuration to support the branch office environment. The main tasks for this exercise are as follows:
1. Read the following Branch Office Network Infrastructure Plan: DHCP document.
2. Update the proposal document with your planned course of action.
3. Examine the suggested proposals in the Lab Answer Key.

Branch Office Network Infrastructure Plan: DHCP
Document Reference Number: CW0703/1
Document Author: Charlotte Weiss
Date: 7th March

Requirements
Specify how you plan to implement DHCP to support your branch office requirements.

Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.

Proposals
1. How many DHCP servers do you propose to deploy in the region?
2. Where do you propose to deploy these servers?
3. How do you propose to provide for fault tolerance of IP address allocation?
4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?

Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements
Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.

Task 3: Examine the suggested proposals in the Lab Answer Key


Examine the completed Branch Office Network Infrastructure Plan: DHCP document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.


Exercise 2: Implementing DHCP


Scenario
In this exercise, you will implement the branch office DHCP configuration that you selected. The main tasks for this exercise are as follows:
1. Install the DHCP role on NYC-SVR2.
2. Enable DHCP Relay.
3. Authorize the DHCP Server role on NYC-SVR2.
4. Create the required scope for branch.

Task 1: Install the DHCP role on NYC-SVR2


1. Switch to NYC-SVR2.
2. Open Server Manager and install the DHCP Server role. Accept all defaults during the Add Role wizard, except:
   Disable DHCPv6 stateless mode for this server
   Skip authorization of this DHCP server in AD DS
3. Close Server Manager.

Task 2: Enable DHCP Relay


1. Switch to NYC-RTR.
2. Open Routing and Remote Access.
3. Use the following steps to add the DHCP Relay agent to the router:
   In the navigation pane, expand IPv4, right-click General and then click New Routing Protocol.
   In the Routing protocols list, click DHCP Relay Agent and then click OK.
   In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
   In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.
   In the DHCP Relay Properties - Local Area Connection 2 Properties dialog box, click OK.
   Repeat these steps for Local Area Connection 3.
   Right-click DHCP Relay Agent and then click Properties.
   In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.
4. Close Routing and Remote Access.

Task 3: Authorize the DHCP Server role on NYC-SVR2


1. Switch to NYC-SVR2.
2. Open DHCP.
3. Authorize the nyc-svr2.contoso.com server in AD DS.


Task 4: Create the required scope for branch


1. In DHCP, in the navigation pane, expand nyc-svr2.contoso.com, expand IPv4, right-click IPv4, and then click New Scope.
2. Create a new scope with the following properties:
   Name: Branch Office
   IP Address range: 172.16.16.4 > 172.16.16.254
   Subnet mask: 255.255.255.0
   Exclusions: 172.16.16.200 > 172.16.16.254
   Other settings use default values
   Configure options: Router: 172.16.16.1
   Other settings use default values
   Activate scope

Results: At the end of this exercise, you will have configured the branch office DHCP server.


Exercise 3: Reconfiguring DHCP in the Head Office


Scenario
In this exercise, you will reconfigure the DHCP server in the head office to provide a scope for clients in the branch office. The main tasks for this exercise are as follows: 1. Add the branch office scope on NYC-DC1.

Task 1: Add the branch office scope on NYC-DC1


1. Switch to NYC-DC1.
2. Open DHCP.
3. In DHCP, in the navigation pane, expand nyc-dc1.contoso.com, expand IPv4, right-click IPv4, and then click New Scope.
4. Create a new scope with the following properties:
   Name: Branch Office Backup Scope
   IP Address range: 172.16.16.4 > 172.16.16.254
   Subnet mask: 255.255.255.0
   Exclusions: 172.16.16.4 > 172.16.16.199
   Other settings use default values
   Configure options: Router: 172.16.16.1
   Other settings use default values
   Activate scope

Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.
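A consistency check for the two scopes created in Exercises 2 and 3, as an added Python example (not part of the courseware): both servers define the same range, so the exclusions alone decide which server leases which address, and any address left un-excluded on both servers can be handed out twice. The scope values are the ones in the lab; the function names and the mistyped variant are constructed for illustration.

```python
import ipaddress


def to_int(address):
    return int(ipaddress.IPv4Address(address))


def as_text(values):
    return [str(ipaddress.IPv4Address(v)) for v in sorted(values)]


def leasable(scope):
    """Addresses a scope can actually hand out: its range minus its exclusions."""
    pool = set(range(to_int(scope["start"]), to_int(scope["end"]) + 1))
    for low, high in scope["exclusions"]:
        pool -= set(range(to_int(low), to_int(high) + 1))
    return pool


def audit_split_scope(primary, backup, reserved=()):
    """Compare two scopes that share one range and report what each server leases."""
    if (primary["start"], primary["end"]) != (backup["start"], backup["end"]):
        raise ValueError("split scopes must define the same address range")
    full = set(range(to_int(primary["start"]), to_int(primary["end"]) + 1))
    first, second = leasable(primary), leasable(backup)
    static = {to_int(a) for a in reserved}
    return {
        "primary_count": len(first),
        "backup_count": len(second),
        # Leasable on both servers: two clients can be given the same address.
        "overlap": as_text(first & second),
        # Leasable on neither server: wasted addresses, but no conflict.
        "unserved": as_text(full - first - second),
        # Statically assigned addresses that a server could still lease.
        "reserved_at_risk": as_text(static & (first | second)),
    }


# Scope on NYC-SVR2 (Exercise 2, Task 4).
BRANCH_SCOPE = {
    "start": "172.16.16.4", "end": "172.16.16.254",
    "exclusions": [("172.16.16.200", "172.16.16.254")],
}
# Scope on NYC-DC1 (Exercise 3, Task 1).
HEAD_OFFICE_SCOPE = {
    "start": "172.16.16.4", "end": "172.16.16.254",
    "exclusions": [("172.16.16.4", "172.16.16.199")],
}
# Constructed mistake: the exclusion ends at .189 instead of .199.
MISTYPED_SCOPE = {
    "start": "172.16.16.4", "end": "172.16.16.254",
    "exclusions": [("172.16.16.4", "172.16.16.189")],
}

if __name__ == "__main__":
    router = ["172.16.16.1"]     # Router option configured in both scopes
    for label, backup in (("as written", HEAD_OFFICE_SCOPE), ("mistyped", MISTYPED_SCOPE)):
        report = audit_split_scope(BRANCH_SCOPE, backup, reserved=router)
        print(label, report["primary_count"], report["backup_count"],
              "overlap:", report["overlap"] or "none")
```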


Exercise 4: Testing the Configuration


Scenario
In this exercise, you will verify that client computers can obtain an IP configuration from the local branch DHCP server. The main tasks for this exercise are as follows:
1. Configure NYC-CL2 for DHCP.
2. Examine DHCP packets.

Task 1: Configure NYC-CL2 for DHCP


1. Switch to NYC-CL2.
2. Open Network Monitor 3.4.
3. Start a new capture.
4. Reconfigure the Local Area Connection 3:
   Configure Internet Protocol Version 4 (TCP/IPv4):
      Obtain an IP address automatically
      Obtain DNS server address automatically

Task 2: Examine DHCP packets


1. Switch to Network Monitor.
2. Stop the capture.
3. Apply a filter as follows:
   Click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter DNS.
   In the Display Filter text box, locate the text that reads DNS and change it to DHCP.
   Click Apply.
4. Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.
5. In the Frame Details pane, expand Dhcp.
   What is the ServerIP?
   Which server is this?

Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.


Exercise 5: Troubleshooting DHCP Issues


Scenario
In this exercise, you will simulate a branch office server failure and verify that clients are able to obtain an IP configuration through the router from the head office DHCP server. The main tasks for this exercise are as follows:
1. Shut down the DHCP server on NYC-SVR2.
2. Renew the IP address on NYC-CL2.

Task 1: Shut down the DHCP server on NYC-SVR2


1. Switch to NYC-SVR2.
2. In DHCP, right-click nyc-svr2.contoso.com, click All Tasks, and then click Stop.

Task 2: Renew the IP address on NYC-CL2


1. Switch to NYC-CL2.
2. Open a command prompt, and at the command prompt, type Ipconfig.exe /release and press ENTER.
3. Switch to Network Monitor and start a new capture.
4. At the command prompt, type ipconfig /renew and then press ENTER.
5. Stop the capture.
6. Apply a filter as follows:
   Click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter DNS.
   In the Display Filter text box, locate the text that reads DNS and change it to DHCP.
   Click Apply.
7. Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.
8. In the Frame Details pane, expand Dhcp.
   What is the ServerIP?
   Which server is this?

Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.
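What the OFFER inspection in Exercises 4 and 5 looks like when done programmatically, as an added Python example (not part of the courseware): it parses a DHCP message, reads the server address field and the Server Identifier option (54), and flags offers from servers that are not on an expected list. The packets are built in the script rather than captured, 172.16.16.2 is a placeholder for NYC-SVR2 (its address is not given here), and 172.16.16.77 is a constructed unexpected server.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2

# 10.10.0.10 is the head office server address the lab gives the relay agent.
# 172.16.16.2 is a placeholder: NYC-SVR2's address is not stated on this page.
EXPECTED_SERVERS = {"10.10.0.10", "172.16.16.2"}


def dotted(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(payload):
    """Parse the BOOTP header fields and the options of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or wrong magic cookie")
    fields = struct.unpack("!BBBBIHH4s4s4s4s", payload[:28])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the message" % code)
        options[code] = value
        i += 2 + length
    return {
        "xid": fields[4],
        "your_ip": dotted(fields[8]),    # yiaddr: address offered to the client
        "server_ip": dotted(fields[9]),  # siaddr
        "relay_ip": dotted(fields[10]),  # giaddr: non-zero when a relay forwarded it
        "options": options,
    }


def check_offer(payload, expected=EXPECTED_SERVERS):
    """Return a verdict for a DHCPOFFER, or None for any other message type."""
    message = parse_dhcp(payload)
    options = message["options"]
    if options.get(53) != bytes([DHCPOFFER]):
        return None
    raw_id = options.get(54, b"")
    server_id = dotted(raw_id) if len(raw_id) == 4 else None
    relay = message["relay_ip"]
    return {
        "offered": message["your_ip"],
        "server_ip": message["server_ip"],
        "server_id": server_id,
        "relayed_by": None if relay == "0.0.0.0" else relay,
        "expected_server": server_id in expected,
    }


def build_offer(server, offered, relay="0.0.0.0", message_type=DHCPOFFER):
    """Construct a minimal DHCP reply for the demo (not a captured frame)."""
    def pack(address):
        return ipaddress.IPv4Address(address).packed
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x6421B001, 0, 0x8000,
                         pack("0.0.0.0"), pack(offered), pack(server), pack(relay))
    chaddr = bytes.fromhex("00155d000102") + bytes(10)   # constructed MAC, padded
    options = (bytes([53, 1, message_type]) + bytes([54, 4]) + pack(server)
               + bytes([1, 4]) + pack("255.255.255.0")
               + bytes([3, 4]) + pack("172.16.16.1") + b"\xff")
    return header + chaddr + bytes(64) + bytes(128) + MAGIC_COOKIE + options


if __name__ == "__main__":
    samples = [
        build_offer("172.16.16.2", "172.16.16.4"),                         # branch
        build_offer("10.10.0.10", "172.16.16.200", relay="172.16.16.1"),   # relayed
        build_offer("172.16.16.77", "172.16.16.50"),                       # unexpected
    ]
    for frame in samples:
        print(check_offer(frame))
```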


Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR2, 6421B-NYC-RTR, and 6421B-NYC-CL2.

Lab Instructions: Configuring and Troubleshooting DNS

Module 3
Lab Instructions: Configuring and Troubleshooting DNS
Contents:
Exercise 1: Selecting a DNS Configuration
Exercise 2: Deploying and Configuring DNS
Exercise 3: Troubleshooting DNS


Lab: Configuring and Troubleshooting DNS

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Scenario
Contoso is planning to improve their DNS infrastructure due to complaints from users about poor performance. In addition, Contoso is partnering with A Datum and name resolution must be optimized between these two organizations. Your task is to plan and implement the required changes. For this project, you must complete the following tasks:
   Plan an appropriate DNS configuration.
   Configure a suitable DNS configuration.
   Verify and troubleshoot DNS.


Exercise 1: Selecting a DNS Configuration


Scenario
In this exercise, you will read the documentation from your manager and then answer the questions in the proposals section. The main tasks for this exercise are as follows:
1. Read the following Contoso Name Resolution Plan document.
2. Update the proposal document with your planned course of action.
3. Examine the suggested proposals in the Lab Answer Key.

Task 1: Read the Contoso Name Resolution Plan document


Read the following Contoso Name Resolution Plan document.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Contoso Name Resolution Plan document.

Contoso Name Resolution Plan
Document Reference Number: GW1203/1
Document Author: Charlotte Weiss
Date: 12th March

Requirements Overview
1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.
2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.

Additional Information
1. No additional domain controllers are planned for the Contoso domain.
2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.

Proposals
1. How will you modify the DNS configuration for Contoso to address the first requirement?
2. How will you modify the DNS configuration for Contoso to address the second requirement?
3. Does either of the points in the additional information section raise any issues?
4. What is your proposed action plan for this project?
5. How will you distribute load among DNS servers?

Task 3: Examine the suggested proposals in the Lab Answer Key


Compare your solution to the proposed solution in the Contoso Name Resolution Plan document in the Lab Answer Key and be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.


Exercise 2: Deploying and Configuring DNS


Scenario
In this exercise, you will deploy and configure the DNS role on NYC-SVR1. The main tasks for this exercise are as follows:
1. Install the DNS role on NYC-SVR1.
2. Create and configure a stub zone on NYC-DC1.
3. Create and configure secondary zones on NYC-SVR1.
4. Enable and configure zone transfers for Contoso.com.
5. Update secondary zone data from master server.
6. Configure clients to use the new name server.

Task 1: Install the DNS role on NYC-SVR1


1. Switch to the NYC-SVR1 computer.
2. Open Server Manager.
3. Add the DNS Server role.

Task 2: Create and configure a stub zone on NYC-DC1


1. Switch to the NYC-DC1 computer.
2. Open DNS.
3. Create a new forward lookup zone with the following properties:
   Zone type: Stub
   Zone name: Adatum.com
   Master server: 131.107.1.2
Note: Validation will fail. The server is not online.

Task 3: Create and configure secondary zones on NYC-SVR1


1. Switch to NYC-SVR1.
2. Open a command prompt.
3. At the command prompt, type Dnscmd.exe /zoneadd Contoso.com /secondary 10.10.0.10 and press ENTER.
4. At the command prompt, type Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10 and press ENTER.
5. Open DNS and verify that the two zones are created.


Task 4: Enable and configure zone transfers for Contoso.com


1. Switch to NYC-DC1.
2. Open a command prompt.
3. At the command prompt, type Dnscmd.exe /zoneresetsecondaries Contoso.com /notify /notifylist 10.10.0.24 and press ENTER.
4. Open DNS.
5. Verify that NYC-SVR1's IPv4 address is listed on the Notify list on the Zone transfers tab in the Contoso.com zone property sheet.
Note: It might take a few minutes to appear.

Task 5: Update secondary zone data from master server


1. Switch to NYC-SVR1.
2. In DNS, refresh the display and verify that the zone data has transferred from the master for the Contoso.com secondary zone.
3. Close all open windows.
Note: You will not receive data for Adatum.com.

Task 6: Configure clients to use the new name server


1. Switch to NYC-DC1.
2. Open DHCP.
3. Modify the DHCP Server options as follows:
   006 DNS Servers: 10.10.0.24
4. Close all open windows.

Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.


Exercise 3: Troubleshooting DNS


Scenario
In this exercise, you will use monitoring and troubleshooting tools to test and verify the DNS configuration. The main tasks for this exercise are as follows:
1. Test simple and recursive queries.
2. Verify SOA records with Nslookup.
3. Use Dnslint to verify name server records.
4. View performance statistics with Performance Monitor.

Task 1: Test simple and recursive queries


1. On NYC-DC1, in DNS, open the NYC-DC1 properties.
2. On the Monitoring tab, perform a simple query against the DNS server. This is successful.
3. Perform simple and recursive queries against this and other servers. The recursive test fails because there are no forwarders configured.
4. Stop the DNS service and repeat the previous tests. They fail because no DNS server is available.
5. Restart the DNS service and repeat the tests. The simple test is successful.
6. Close the NYC-DC1 Properties dialog box.

Task 2: Verify SOA records with Nslookup


1. Open a command prompt.
2. Type nslookup.exe and then enter the following two commands:
   Set querytype=SOA
   Contoso.com
3. View the results and close the command prompt.

Task 3: Use Dnslint to verify name server records


1. Switch to NYC-CL1.
2. From a command prompt, change to the D:\Labfiles\Mod03 folder.
3. At the command prompt, type Dnslint /s 10.10.0.10 /d Contoso.com and press ENTER.
4. View the output and then close the command prompt.

Task 4: View performance statistics with Performance Monitor


1. Switch to NYC-DC1.
2. Open Performance Monitor from Server Manager. In the list pane of the Server Manager window, expand Diagnostics, expand Performance, expand Monitoring Tools, and then click Performance Monitor.
3. In the center pane, click the green plus icon.
4. In the Available counters list, double-click DNS.
5. Select Total Query Received and then click Add.
6. Select Total Query Received/sec, click Add, and then click OK.
7. Click Start, click Administrative tools, and then click DNS.
8. In the left pane, right-click NYC-DC1 and then click Properties.
9. Click the Monitoring tab.
10. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers and then click Test Now several times.
11. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool.
12. Return to the Server Manager console. The graph reflects the queries on the server.
13. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received.
14. Close Server Manager.

Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP

Module 4
Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client
Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network to Native IPv6
Exercise 1: Transitioning to a Native IPv6 Network


Lab A: Configuring an ISATAP Router

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-RTR and 6421B-NYC-CL2.

Lab Scenario
Contoso has decided to begin the process of migrating their network to IPv6. Your initial task is to prove the principle of the migration by configuring a single client computer for IPv6. For this project, you must complete the following tasks:
   Configure a new IPv6 network and client.
   Configure an ISATAP Router to enable communication between an IPv4 network and an IPv6 network.

Exercise 1: Configuring a New IPv6 Network and Client


Scenario
In this exercise, you will configure NYC-CL2 as an IPv6-only client. The main tasks for this exercise are as follows:
1. Configure IPv4 Routing.
2. Enable IP routing on NYC-RTR and confirm IPv4 connectivity.
3. Disable IPv6 on NYC-DC1.
4. Disable IPv4 on NYC-CL2.
5. Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR.
6. Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network.

Task 1: Configure IPv4 Routing


1. Switch to NYC-CL2.
2. Verify the Local Area Connection 3 properties:
   IP address: 172.16.16.3
   Subnet mask: 255.255.255.0
   Default gateway: 172.16.16.1
   Preferred DNS server: 10.10.0.10
3. Close all open windows.
4. Switch to NYC-DC1.
5. Verify the Local Area Connection 2 properties:
   Default gateway: 10.10.0.1
6. Close all open windows.

Task 2: Enable IP Routing on NYC-RTR and Confirm IPv4 Connectivity


1. Switch to NYC-RTR.
2. Open the Registry editor.
3. Configure the HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Tcpip > Parameters > IPEnableRouter value as 1.
4. Close the Registry editor.
5. Restart NYC-RTR.
6. After NYC-RTR restarts, log on with the following credentials:
   User name: Administrator
   Password: Pa$$w0rd

Note: At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.

Task 3: Disable IPv6 on NYC-DC1


1. Switch to NYC-DC1.
2. Disable IPv6 on the Local Area Connection 2 by clearing the Internet Protocol Version 6 (TCP/IPv6) check box in the Local Area Connection 2 Properties.

Task 4: Disable IPv4 on NYC-CL2


1. Switch to NYC-CL2.
2. Disable IPv4 on the Local Area Connection 3 by clearing the Internet Protocol Version 4 (TCP/IPv4) check box in the Local Area Connection 3 Properties.
3. Open a command prompt, type ipconfig, and then press ENTER.
   Note: The output should be a link-local IPv6 address that starts with fe80.

Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR
1. Switch to NYC-RTR.
2. Open a command prompt, and then type the following commands.
   netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled
   netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes

Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
1. Switch to NYC-CL2.
2. At the command prompt, type ipconfig and then press ENTER.
   Note: The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the command prompt.

Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.

Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Scenario
In this exercise, you will configure ISATAP to enable connectivity between the new IPv6 client and the remaining IPv4 clients, including NYC-DC1. The main tasks for this exercise are as follows:
1. Add the ISATAP entry in the DNS zone on NYC-DC1.
2. Configure the ISATAP router on NYC-RTR.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity.

Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1


1. Switch to NYC-DC1.
2. Add a new host record in DNS:
   Zone: Contoso.com
   Name: ISATAP
   IP address: 10.10.0.1

Task 2: Configure the ISATAP router on NYC-RTR


Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.
2. Switch to the command prompt. Type each of the following commands and then press ENTER after each command:
   Netsh interface ipv6 isatap set router 10.10.0.1
   ipconfig
3. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface index:
4. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=enabled advertise=enabled
5. At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 add route 2001:db8:0:10::/64 isatap.Interface_Index publish=yes
6. Restart NYC-RTR and then log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
7. Open a command prompt and type ipconfig and press ENTER.
   Note: The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.

Task 3: Enable the ISATAP interface on NYC-DC1


1. Switch to NYC-DC1.
2. Open a command prompt and then type the following commands:
   Netsh interface isatap set router 10.10.0.1
   ipconfig

Note: The Tunnel adapter isatap {Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.

Task 4: Test connectivity


1. On NYC-DC1, open Windows Firewall with Advanced Security.
2. Create a new inbound rule with the following properties:
   Rule Type: Custom
   Program: Default
   Protocols and Ports: Protocol > ICMPv4
   Scope: Default
   Action: Default
   Profile: Default
   Name: Allow PING
3. Switch to NYC-CL2.
4. Open a command prompt and then type the following commands:
   Ping 2001:db8:0:10:0:5efe:10.10.0.10
   ipconfig
   What is the IPv6 address? Record it here.
5. Open Windows Firewall with Advanced Security.
6. Create a new inbound rule with the following properties:
   Rule Type: Custom
   Program: Default
   Protocols and Ports: Protocol > ICMPv6
   Scope: Default
   Action: Default
   Profile: Default
   Name: Allow PING
7. Switch to NYC-DC1.
8. Open a command prompt, type Ping IPv6_address, and then press ENTER, where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier.

Results: At the end of this exercise, you will have configured ISATAP.
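
The ISATAP addresses used in this exercise (the ping target 2001:db8:0:10:0:5efe:10.10.0.10 and the link-local address "that contains 10.10.0.1") follow a fixed layout: the /64 prefix, the 32-bit marker 0:5efe (200:5efe when the IPv4 address is globally unique, per RFC 5214), and then the IPv4 address. The following Python sketch is an added example, not part of the Microsoft lab; the function names and the ipconfig excerpt, including its adapter GUIDs and zone indexes, are constructed for illustration. It builds an ISATAP address, recovers the IPv4 address embedded in one, and picks out the tunnel adapter that step 3 of Task 2 asks you to locate.

```python
import ipaddress
import re

# High 32 bits of the ISATAP interface identifier (RFC 5214):
# 0000:5efe for a private IPv4 address, 0200:5efe (u bit set) for a global one.
MARKER_PRIVATE = 0x00005EFE
MARKER_GLOBAL = 0x02005EFE

# Matches "IPv6 Address. . . : x" and "Link-local IPv6 Address . . . : x".
ADDR_LINE = re.compile(r"IPv6 Address[ .]*: (\S+)")

# Constructed ipconfig excerpt (not captured from the lab machines).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection 2:

   IPv4 Address. . . . . . . . . . . : 10.10.0.1

Tunnel adapter isatap.{00000000-0000-0000-0000-000000000001}:

   IPv6 Address. . . . . . . . . . . : 2001:db8:0:10:0:5efe:10.10.0.1
   Link-local IPv6 Address . . . . . : fe80::5efe:10.10.0.1%13

Tunnel adapter isatap.{00000000-0000-0000-0000-000000000002}:

   Link-local IPv6 Address . . . . . : fe80::5efe:172.16.16.1%14
"""


def isatap_address(prefix, ipv4):
    """Combine a /64 prefix and an IPv4 address into an ISATAP address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    marker = MARKER_GLOBAL if v4.is_global else MARKER_PRIVATE
    return ipaddress.IPv6Address(
        int(net.network_address) | (marker << 32) | int(v4))


def embedded_ipv4(text):
    """Return the IPv4 address inside an ISATAP address, or None."""
    # Drop a zone index ("%13") or an ipconfig /all suffix ("(Preferred)").
    bare = re.split(r"[%(]", text.strip())[0]
    try:
        addr = ipaddress.IPv6Address(bare)
    except ValueError:
        return None
    if (int(addr) >> 32) & 0xFFFFFFFF not in (MARKER_PRIVATE, MARKER_GLOBAL):
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def adapters_embedding(ipconfig_text, ipv4):
    """List adapters whose IPv6 addresses embed the given IPv4 address."""
    want = ipaddress.IPv4Address(ipv4)
    hits, adapter = [], None
    for line in ipconfig_text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]
            continue
        match = ADDR_LINE.search(line)
        if match and adapter and embedded_ipv4(match.group(1)) == want:
            if adapter not in hits:
                hits.append(adapter)
    return hits


if __name__ == "__main__":
    # The address NYC-CL2 pings in Task 4: ISATAP prefix plus NYC-DC1's IPv4.
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.10"))
    print(embedded_ipv4("fe80::5efe:10.10.0.1%13"))
    print(adapters_embedding(SAMPLE_IPCONFIG, "10.10.0.1"))
```

Because the IPv4 address is recoverable from the low 32 bits, an ISATAP source address seen in IPv6 logs can be mapped back to the IPv4 host that originated the tunnelled traffic.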

Preparing for the next lab


Do not turn off the virtual machines at this time because you will need them to complete the next lab.

Lab B: Converting the Network to Native IPv6

Lab Setup
For this lab, you will use the available virtual machine environment. The virtual machines must be running following the completion of Lab A.

Lab Scenario
The pilot went well. Your manager has asked you to convert the network to IPv6. Your task is to disable ISATAP and enable native IPv6 routing. For this project, you must transition to a native IPv6 Network.

Exercise 1: Transitioning to a Native IPv6 Network


Scenario
In this exercise, you will disable ISATAP and IPv4, and then enable IPv6. The main tasks for this exercise are as follows:
1. Disable the ISATAP router on NYC-RTR.
2. Configure the native IPv6 router on NYC-RTR.
3. Disable IPv4 connectivity.
4. Test connectivity between each IPv6 subnet.

Task 1: Disable the ISATAP router on NYC-RTR


Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.
2. Open a command prompt and then type the following commands.
   ipconfig
3. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface index:
4. Type the following commands, replacing Interface_Index with the number (and brackets {}) that you recorded earlier.
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=disabled advertise=disabled
   netsh interface ipv6 delete route 2001:db8:0:10::/64 isatap.Interface_Index

Task 2: Configure the native IPv6 router on NYC-RTR


Open a command prompt and then type the following commands.
   netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled
   netsh interface ipv6 add route 2001:db8:0:0::/64 "Local Area Connection 2" publish=yes

Task 3: Disable IPv4 connectivity


1. Disable IPv4 on the Local Area Connection 2 by clearing the Internet Protocol Version 4 (TCP/IPv4) check box in the Local Area Connection 2 Properties.
2. Switch to NYC-DC1.
3. Disable IPv4 on the Local Area Connection 2 by clearing the Internet Protocol Version 4 (TCP/IPv4) check box in the Local Area Connection 2 Properties.
4. Enable IPv6 on the Local Area Connection 2 by selecting the Internet Protocol Version 6 (TCP/IPv6) check box in the Local Area Connection 2 Properties.

Task 4: Test connectivity between each IPv6 subnet


1. Open Windows Firewall with Advanced Security.
2. Create a new inbound rule with the following properties:
   Rule Type: Custom
   Program: Default
   Protocols and Ports: Protocol > ICMPv6
   Scope: Default
   Action: Default
   Profile: Default
   Name: Allow PING for IPv6
3. At the command prompt, type ipconfig and then press ENTER. Note the new IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below.
   NYC-DC1 IPv6 address: _____________________________________________
4. Switch to NYC-CL2.
5. Open a command prompt, type Ping global_IP_address, and then press ENTER, where global_IP_address is the NYC-DC1 address that you noted previously.
6. At the command prompt, type ipconfig /all and then press ENTER. Note the IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below.
   NYC-CL2 IPv6 address: _____________________________________________
7. Switch to NYC-DC1 and switch to the Command Prompt.
8. Open a command prompt, type Ping global_IP_address, and then press ENTER, where global_IP_address is the NYC-CL2 address that you noted previously.

Results: At the end of this exercise, you will have configured an IPv6 only network.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-RTR and 6421B-NYC-CL2.

Lab Instructions: Configuring and Troubleshooting Routing and Remote Access

Module 5
Lab Instructions: Configuring and Troubleshooting Routing and Remote Access
Contents:
Lab A: Configuring and Managing Network Access
   Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
   Exercise 2: Configuring a Custom Network Policy
   Exercise 3: Create and Distribute a CMAK Profile
Lab B: Configuring and Managing DirectAccess
   Exercise 1: Configure the AD DS Domain Controller and DNS
   Exercise 2: Configure the PKI Environment
   Exercise 3: Configure the DirectAccess Clients and Test Intranet Access
   Exercise 4: Configure the DirectAccess Server
   Exercise 5: Verify DirectAccess Functionality

Lab A: Configuring and Managing Network Access

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Scenario
Contoso, Ltd. wants to implement a remote access solution for its employees so they can connect to the corporate network while away from the office. Contoso requires a network policy mandating that VPN connections are encrypted for security reasons. You are required to enable and configure the necessary server services to facilitate this remote access. For this project, you must complete the following tasks:
• Configure Routing and Remote Access as a VPN remote access solution.
• Configure a custom Network Policy.
• Create and distribute a CMAK profile.

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Scenario
In this exercise, you will install and configure the Network Policy and Access Services role to support the requirements of the Contoso, Ltd. workforce. The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role on 6421B-NYC-EDGE1.
2. Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP connections.

Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1
1. Switch to the NYC-EDGE1 virtual server.
2. Open Server Manager.
3. Add the Network Policy and Access Services role with the following role services:
   a. Network Policy Server
   b. Routing and Remote Access Services

Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients
1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local) and then click Configure and Enable Routing and Remote Access.
3. Use the following settings to configure the service:
   a. On the Configuration page, accept the defaults.
   b. On the Remote Access page, select the VPN check box.
   c. On the VPN Connection page, select the Public interface.
   d. On the IP Address Assignment page, select the From a specified range of addresses option.
   e. On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60.
   f. On the Managing Multiple Remote Access Servers page, accept the defaults.
   g. Accept any messages by clicking OK.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then right-click Ports, and then click Properties.
2. Use the following information to complete the configuration process:
   a. Number of WAN Miniport (SSTP) ports: 25
   b. Number of WAN Miniport (PPTP) ports: 25
   c. Number of WAN Miniport (L2TP) ports: 25
3. Click OK to confirm any prompts.
4. Close the Routing and Remote Access tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.

Exercise 2: Configuring a Custom Network Policy


Scenario
In this exercise, you will create and verify a custom network policy in accordance with the requirements of Contoso, Ltd. The main tasks for this exercise are as follows:
1. Open the Network Policy Server management tool on 6421B-NYC-EDGE1.
2. Create a new network policy for RRAS clients.
3. Create and Test a VPN Connection.

Task 1: Open the Network Policy Server management tool on 6421B-NYC-EDGE1


1. Switch to the NYC-EDGE1 virtual computer.
2. Open the Network Policy Server tool.

Task 2: Create a new network policy for RRAS clients


1. In the Network Policy Server console, create a new policy with the following settings:
   a. Name: Secure VPN
   b. Type of network access server: Remote Access Server (VPN-Dial up)
   c. Conditions: Tunnel Type = L2TP, PPTP, SSTP
   d. Access permission: Access granted
   e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
   f. Constraints: Day and time restrictions = Weekends Denied
   g. Settings: Encryption = Strongest encryption (MPPE 128-bit)
2. Ensure that the Secure VPN policy is the first in the list of any policies.
3. Close the Network Policy Server tool.

Task 3: Create and test a VPN connection


1. Switch to the NYC-CL1 computer.
2. Open Network and Sharing Center.
3. Change the network adapter settings as follows:
   a. IP Address: 131.107.0.20
   b. Subnet mask: 255.255.255.0
   c. Default gateway: 131.107.0.1
4. Create a VPN with the following settings:
   a. Internet address to connect to: 131.107.0.2
   b. Name: Contoso VPN
5. Connect with the new VPN properties as follows:
   a. User name: Administrator
   b. Password: Pa$$w0rd
   c. Domain: Contoso
   Note: The VPN connects successfully.
6. Disconnect the VPN and close all open windows.

Results: At the end of this exercise, you will have created and tested a VPN connection.

Exercise 3: Create and Distribute a CMAK Profile


Scenario
In this exercise, you will create a 32-bit Windows 7 CMAK profile. The main tasks for this exercise are as follows:
1. Install the CMAK feature on NYC-CL1.
2. Create the connection profile.
3. Distribute the profile.

Task 1: Install the CMAK feature on NYC-CL1


1. On NYC-CL1, open Control Panel.
2. From Turn Windows features on or off in Control Panel, install the RAS Connection Manager Administration Kit (CMAK) feature.
3. Close the Programs and Control Panel.

Task 2: Create the connection profile


Open Connection Manager Administration Kit to launch the Connection Manager Administration Kit wizard. Create a connection profile with the following properties:
• Target operating system: Windows 7
• Based on New profile
• Service name: Contoso HQ
• File name: Contoso
• Do not add a realm name to the user name
• Add Support for VPN Connections: Phone book from this profile
• VPN server name or IP address: 131.107.0.2
• Add a Custom Phone Book: clear Automatically download phone book updates
• Other settings: default values

Task 3: Distribute the profile


1. Switch to NYC-DC1.
2. Create a folder called D:\Contoso Profile.
3. Share the folder using Advanced Sharing:
   • Use the default name
   • Grant Administrators the Full Control permission and Everyone the Read permission
4. Switch to NYC-CL1 and connect the Contoso VPN.
5. Copy the contents of C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso to \\nyc-dc1\Contoso Profile.
6. Run \\nyc-dc1\Contoso Profile\Contoso.exe and complete the wizard as follows:
   • Make this connection available for = All users
   • Add a shortcut on the desktop = true
7. Disconnect the Contoso VPN.
8. On the Desktop, double-click Contoso HQ Shortcut.
9. Connect with the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   The VPN connects successfully.
10. Disconnect and close all open windows.

Results: At the end of this exercise, you will have created and distributed a CMAK profile.

Preparing for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab B: Configuring and Managing DirectAccess

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-INET1, and 6421B-NYC-CL1.

Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce that carries laptops to stay connected. Your organization wants to provide a secure solution to protect data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central administration, and management of remote computers. For this project, you must complete the following tasks:
• Configure AD DS and DNS to support DirectAccess.
• Configure the PKI environment.
• Configure the DirectAccess clients and test Intranet and Internet Access.
• Configure the DirectAccess server.
• Verify DirectAccess functionality.

Lab Instructions
Due to the complexity of the steps involved in enabling and configuring DirectAccess, refer to the steps provided in the Lab Answer Key.

Exercise 1: Configure the AD DS Domain Controller and DNS


Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.

Exercise 2: Configure the PKI Environment


Results: At the end of this exercise, you will have configured the public key infrastructure in Contoso to support the deployment of DirectAccess.

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access


Results: At the end of this exercise, you tested Intranet access.

Exercise 4: Configure the DirectAccess Server


Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.

Exercise 5: Verify DirectAccess Functionality


Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-INET1, and 6421B-NYC-CL1.

Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Module 6
Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment
Exercise 4: Configuring and Testing the VPN

Lab: Configuring and Managing Network Policy Server

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Scenario
Contoso Ltd. is expanding its remote-access solution to all branch office employees. This will require multiple Routing and Remote Access servers that are located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remote-access solution. You have been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy. For this project, you must complete the following tasks:
• Install and configure the Network Policy Server role service
• Configure a RADIUS Client
• Configure Certificate auto-enrollment
• Configure and test a VPN

Exercise 1: Installing and Configuring the Network Policy Server Role Service
Scenario
In this exercise, you will install the Network Policy Server role to enable RADIUS on the NYC-DC1 computer. The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role.
2. Register NPS in AD DS.
3. Configure NYC-DC1 as a RADIUS server for VPN connections.

Task 1: Install the Network Policy and Access Services role


1. Switch to NYC-DC1 and open Server Manager.
2. Add the Network Policy and Access Services role:
   • Select only the Network Policy Server role service.
3. Close Server Manager.

Task 2: Register NPS in AD DS


1. Open the Network Policy Server console.
2. Register the local server in AD DS.
3. Do not close the console.

Task 3: Configure NYC-DC1 as a RADIUS server for VPN connections


1. Configure NYC-DC1 as a RADIUS server by using the Network Policy Server management tool. In the Network Policy Server management tool, in the Getting Started details pane, open the drop-down list under Standard Configuration, and then click RADIUS server for Dial-Up or VPN Connections. Use the following details to complete the process:
   • Radius server for Dial-Up or VPN Connections = Configure VPN or Dial-Up
   • Type: Virtual Private Network (VPN) Connections
   • Name: default
   • Add a RADIUS client:
      Friendly name: NYC-EDGE1
      Shared secret: Pa$$w0rd
   • Authentication methods: MS-CHAPv2 and EAP
   • Encryption settings: Strongest only
2. Close the console.

Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.

Exercise 2: Configuring a RADIUS Client


Scenario
In this exercise, you will configure NYC-EDGE1 as a RADIUS client and VPN server. The main tasks for this exercise are as follows:
1. Install Routing and Remote Access Services on NYC-EDGE1.
2. Configure NYC-EDGE1 as a VPN Server.

Task 1: Install Routing and Remote Access Services on NYC-EDGE1


1. Switch to the NYC-EDGE1 server.
2. Open Server Manager and install the Network Policy and Access Services role:
   • Role services: Routing and Remote Access Services
3. Close Server Manager.

Task 2: Configure NYC-EDGE1 as a VPN Server


1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local) and then click Configure and Enable Routing and Remote Access.
3. Use the following settings to configure the service:
   a. On the Configuration page, accept the defaults.
   b. On the Remote Access page, select the VPN check box.
   c. On the VPN Connection page, select the network interface with the IP address of 131.107.0.2, 131.107.0.3.
   d. On the IP Address Assignment page, select the From a specified range of addresses option.
   e. On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60.
   f. On the Managing Multiple Remote Access Servers page, choose Yes, set up this server to work with a RADIUS server.
      Primary RADIUS server: NYC-DC1
      Shared secret: Pa$$w0rd
   g. Accept any messages by clicking OK.

Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.

Exercise 3: Configuring Certificate Auto-Enrollment


Scenario
In this exercise, you will enable certificate auto-enrollment and verify that the certificate has been deployed to NYC-CL1. The main tasks for this exercise are as follows:
1. Configure automatic enrollment with group policy.

Task 1: Configure automatic enrollment with group policy


1. Switch to NYC-DC1.
2. Open Group Policy Management, and open the Default Domain Policy for editing.
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
4. Create a new Automatic Certificate Request for the Computer certificate template.
5. Close all open windows.
6. Switch to NYC-CL1 and restart the computer. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
7. Verify the presence of a suitable certificate in the Computer\Personal store on NYC-CL1.

Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.

Exercise 4: Configuring and Testing the VPN


Scenario
In this exercise, you will move NYC-CL1 to the public network and then create and test a VPN connection. The main tasks for this exercise are as follows:
1. Reconfigure the NYC-CL1 computer onto the public network.
2. Create and test a VPN connection.

Task 1: Reconfigure the NYC-CL1 computer onto the public network


On NYC-CL1, configure the following IP address settings and then click OK:
   IP Address: 131.107.0.20
   Subnet mask: 255.255.255.0
   Default gateway: 131.107.0.1

Task 2: Create and test a VPN connection


1. Create a VPN with the following settings:
   Internet address to connect to: 131.107.0.2
   Name: Contoso VPN
2. Modify the default settings of the new VPN connection:
   Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
   Data encryption: Maximum strength encryption (disconnect if server declines)
3. Connect with the new VPN properties as follows:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   Note: The VPN connects successfully.
4. Disconnect the VPN and close all open windows.

Results: At the end of this exercise, you will have verified the VPN solution.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Instructions: Implementing Network Access Protection

Module 7
Lab Instructions: Implementing Network Access Protection
Contents:
Exercise 1: Configuring NAP Components
Exercise 2: Configuring Client Settings to Support NAP

Lab: Implementing NAP into a VPN Remote Access Solution

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Scenario
Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection (NAP). As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

For this project, you must complete the following tasks:
   • Configure NAP Server Components
   • Configure NAP for VPN clients

Exercise 1: Configuring NAP Components


Scenario
In this exercise, you will configure the required server-side components to support the Contoso, Ltd. requirement.

The main tasks for this exercise are as follows:
1. Configure a computer certificate.
2. Configure NYC-EDGE1 with NPS functioning as a health policy server.
3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server.
4. Allow ping on NYC-EDGE1.

Task 1: Configure a computer certificate


1. Switch to the NYC-DC1 virtual server.
2. Open the Certification Authority tool.
3. From the Certificate Templates Console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Close the Certification Authority tool.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server


1. Switch to the NYC-EDGE1 computer.
2. Create a management console by running mmc.exe.
3. Add the Certificates snap-in with the focus on the local computer account.
4. Navigate to the Personal certificate store and Request New Certificate.
5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
6. Enroll the Computer certificate that is listed.
7. Close the console and do not save the console settings.
8. Using Server Manager, install the NPS Server with the following role services: Network Policy Server and Remote Access Service.
9. Open the Network Policy Server tool.
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator.
11. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
12. Create a health policy with the following settings:
   • Name: Compliant
   • Client SHV checks: Client passes all SHV checks
   • SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
   • Name: Noncompliant
   • Client SHV checks: Client fails one or more SHV checks
   • SHVs used in this health policy: Windows Security Health Validator
14. Disable all existing network policies.
15. Configure a new network policy with the following settings:
   • Name: Compliant-Full-Access
   • Conditions: Health Policies = Compliant
   • Access permissions: Access granted
   • Settings: NAP Enforcement = Allow full network access
16. Configure a new network policy with the following settings:
   • Name: Noncompliant-Restricted
   • Conditions: Health Policies = Noncompliant
   • Access permissions: Access granted
     Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.
   • Settings:
     i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.
     ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
17. Disable existing connection request policies.
18. Create a new Connection Request Policy with the following settings:
   • Policy name: VPN connections
   • Type of network access server: Remote Access Server (VPN-Dial up)
   • Conditions: Tunnel type = L2TP, SSTP, and PPTP
   • Authenticate requests on this server = true
   • Authentication methods:
     i. Select Override network policy authentication settings
     ii. Add Microsoft: Protected EAP (PEAP)
     iii. Add Microsoft: Secured password (EAP-MSCHAP v2)
     iv. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
19. Close the Network Policy Server console.

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server
1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.
3. Use the following settings to complete configuration:
   a. Select Remote access (dial-up or VPN).
   b. Select the VPN check box.
   c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.
   d. IP Address Assignment: From a specified range of addresses: 10.10.0.100 > 10.10.0.110
   e. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
4. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.
5. Close Network Policy Server management console and the Routing and Remote Access console.

Task 4: Allow ping on NYC-EDGE1


1. Open Windows Firewall with Advanced Security.
2. Create an Inbound Rule with the following properties:
   • Type: Custom
   • All programs
   • Protocol type: Choose ICMPv4 and then click Customize
   • Specific ICMP types: Echo Request
   • Default scope
   • Action: Allow the connection
   • Default profile
   • Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.

Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.


Exercise 2: Configuring Client Settings to Support NAP


Scenario
In this exercise, you will implement a VPN on NYC-CL1 and test the computer's health against the NAP configuration you previously created.

The main tasks for this exercise are as follows:
1. Configure Security Center.
2. Enable client NAP enforcement.
3. Move the client to the Internet.
4. Create a VPN on NYC-CL1.

Task 1: Configure Security Center


1. Switch to the NYC-CL1 computer.
2. Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
3. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement


1. Run the NAP Client Configuration tool (napclcfg.msc).
2. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
3. Close the NAP Client Configuration tool.
4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
5. Start the service.
6. Close the services console.

Task 3: Move the client to the Internet


1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings:
   • IP address: 131.107.0.20
   • Subnet mask: 255.255.255.0
   • Default gateway: blank
   • Preferred DNS server: blank
2. Verify that you can successfully ping 131.107.0.2.

Task 4: Create a VPN on NYC-CL1


1. Create a new VPN connection with the following properties:
   • Internet address to connect to: 131.107.0.2
   • Destination name: Contoso VPN
   • Allow other people to use this connection: true
   • User name: administrator
   • Password: Pa$$w0rd
   • Domain: CONTOSO
2. Once you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   • Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
   • Properties of this authentication type:
     i. Validate server certificate: true
     ii. Connect to these servers: false
     iii. Authentication method: Secured password (EAP-MSCHAP v2)
     iv. Enable Fast Reconnect: false
     v. Enforce Network Access Protection: true
3. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   c. View the details of the Windows Security Alert. Verify that the correct certificate information is displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
   a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
   b. Ping 10.10.0.10.
5. Disconnect the Contoso VPN.
6. Configure Windows Security Health Validator to require an antivirus application:
   a. Switch to NYC-EDGE1 and open Network Policy Server.
   b. Modify the Default Configuration of the Windows Security Health Validator so that the An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify that your computer does not meet the health requirements of the NAP policy:
   a. Verify that a message is displayed in the Action Center stating that the computer does not meet security standards.
   b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
9. Disconnect the VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.


Preparing for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Instructions: Increasing Security for Windows Servers

Module 8
Lab Instructions: Increasing Security for Windows Servers
Contents:
Exercise 1: Deploying a Windows Firewall Rule
Exercise 2: Implementing WSUS


Lab: Increasing Security for Windows Servers

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1.

Lab Scenario
You are a server administrator for Contoso and have been assigned two security related tasks. First, you must deploy a Windows Firewall rule to support new monitoring software that is used for your servers. Second, you must configure servers to start using updates that are distributed by a WSUS server.


Exercise 1: Deploying a Windows Firewall Rule


Scenario
Your organization has implemented new software for monitoring client computers and servers. This software is already installed on the computers, but your central monitoring console is unable to initiate communication with the software. The installation routine for the software did not open the necessary port in Windows Firewall. You need to deploy a Windows Firewall rule that allows all computers in the organization to respond to communication attempts from the centralized monitoring console that runs on port 10005. Documentation from the product vendor indicates that you can test this port by using a web browser to view an XML file.

The main tasks for this exercise are as follows:
1. Create a Group Policy object with a firewall rule.
2. Apply Group Policy settings to NYC-SVR1.
3. Test access to the monitoring client.

Task 1: Create a Group Policy object with a firewall rule


1. On NYC-DC1, open Group Policy Management from the Administrative Tools menu.
2. Create a new GPO named Firewall that is linked to Contoso.com.
3. Edit the Firewall GPO and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
4. Create a new inbound rule with the following characteristics:
   • Rule type: Port
   • Protocol: TCP
   • Specific local port: 10005
   • Action: Allow the connection
   • Profile: Domain
   • Name: Monitoring
5. Close the Group Policy Management Editor and then close the Group Policy Management tool.

Task 2: Apply Group Policy settings to NYC-SVR1


1. On NYC-SVR1, open a command prompt.
2. At the command prompt, type gpupdate /force and then press ENTER.
3. Close the command window on NYC-SVR1.


Task 3: Test access to the monitoring client


1. On NYC-DC1, open Internet Explorer.
2. Connect to http://nyc-svr1.contoso.com:10005/status.xml.

Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.


Exercise 2: Implementing WSUS


Scenario
In the past, management of updates for clients and servers in your organization has been ad hoc. Some servers have not had updates applied, while others are applying updates immediately. This has resulted in an insecure environment. You are implementing WSUS to begin implementing a controlled process for applying updates to clients and servers.

The main tasks for this exercise are as follows:
1. Create a GPO for configuring WSUS clients.
2. Review the configuration settings for a WSUS server.
3. Create a computer group for servers.
4. View the update report for NYC-DC1.
5. Approve an update for the HO Servers computer group.

Task 1: Create a GPO for configuring WSUS clients


1. On NYC-DC1, open Group Policy Management from the Administrative Tools menu.
2. Create a new GPO named WSUS that is linked to Contoso.com.
3. In the Group Policy Management Editor window, browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
4. Configure the Configure Automatic Updates setting as follows:
   • Enabled
   • Configure automatic updating: 4 - Auto download and schedule the install
5. Configure the Specify intranet Microsoft update service location setting as follows:
   • Enabled
   • Set the intranet update service for detecting updates: http://NYC-SVR1
   • Set the intranet statistics server: http://NYC-SVR1
6. Configure the Automatic Updates detection frequency setting as follows:
   • Enabled
   • Check for updates at the following interval (hours): 22
7. Close the Group Policy Management Editor and then close the Group Policy Management tool.
8. On NYC-DC1, open a command prompt.
9. At the command prompt, type gpupdate /force and then press ENTER.
10. At the command prompt, type wuauclt /detectnow and then press ENTER.
11. Close the command window on NYC-DC1.
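After gpupdate /force, the three settings from this task land as registry values under the Windows Update policy key. The following PowerShell check is an added example, not part of the lab manual: it compares those values with the ones this task specifies. The function names and the sample hashtable are constructed for illustration.

```powershell
# Added example: audit the Windows Update policy values written by the WSUS GPO.
# Expected values mirror Task 1 of this lab (steps 4 to 6).
$Expected = @{
    'WUServer'                     = 'http://NYC-SVR1'   # intranet update service
    'WUStatusServer'               = 'http://NYC-SVR1'   # intranet statistics server
    'AU\UseWUServer'               = 1                   # use the intranet server
    'AU\NoAutoUpdate'              = 0                   # Configure Automatic Updates: Enabled
    'AU\AUOptions'                 = 4                   # 4 - Auto download and schedule the install
    'AU\DetectionFrequencyEnabled' = 1
    'AU\DetectionFrequency'        = 22                  # hours
}

function Get-WsusPolicy {
    # Reads the live policy values; returns a hashtable keyed like $Expected.
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $found = @{}
    foreach ($key in $Expected.Keys) {
        if ($key -like 'AU\*') {
            $path = "$base\AU"
            $name = $key.Substring(3)
        } else {
            $path = $base
            $name = $key
        }
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $found[$key] = $item.$name }
    }
    return $found
}

function Compare-WsusPolicy {
    # Returns one finding per missing or mismatched value, or a single OK line.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Actual,
        [hashtable]$Wanted = $Expected
    )
    $findings = @()
    foreach ($key in ($Wanted.Keys | Sort-Object)) {
        if (-not $Actual.ContainsKey($key)) {
            $findings += "MISSING  $key (expected $($Wanted[$key]))"
        } elseif ("$($Actual[$key])" -ne "$($Wanted[$key])") {
            $findings += "MISMATCH $key = $($Actual[$key]) (expected $($Wanted[$key]))"
        }
    }
    if ($Actual.ContainsKey('WUServer') -and "$($Actual['WUServer'])" -like 'http://*') {
        # Informational: the lab value is plain HTTP, so the update channel has no TLS.
        $findings += "INFO     WUServer uses http:// ($($Actual['WUServer']))"
    }
    if ($findings.Count -eq 0) { $findings += 'OK       all WSUS policy values match' }
    return $findings
}

# Constructed sample (not captured from a real host): the detection frequency
# setting has not applied and AUOptions is still "3 - Auto download and notify".
$sample = @{
    'WUServer'        = 'http://NYC-SVR1'
    'WUStatusServer'  = 'http://NYC-SVR1'
    'AU\UseWUServer'  = 1
    'AU\NoAutoUpdate' = 0
    'AU\AUOptions'    = 3
}
Compare-WsusPolicy -Actual $sample

# On a lab machine, audit the live registry instead:
# Compare-WsusPolicy -Actual (Get-WsusPolicy)
```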


Task 2: Review the configuration settings for a WSUS server


1. On NYC-SVR1, open Windows Server Update Services from the Administrative Tools menu.
2. In the Update Services window, in the list pane under NYC-SVR1, click Options.
3. Using the details pane, view the configuration settings available in WSUS and click Cancel for each item when complete.

Task 3: Create a computer group for servers


1. Browse to Computers\All Computers.
2. Create a new computer group named HO Servers.
3. Change membership of the nyc-dc1.contoso.com computer object so that it is a part of the HO Servers group.

Task 4: View the update report for NYC-DC1


1. View the membership of the HO Servers computer group.
2. Use the status of Any when viewing the members.
3. Right-click nyc-dc1.contoso.com and view a status report.
4. Read the number of updates that have not been installed.
5. Change the report to include only updates with a status of Needed and then run the report again.
6. View the second page of the report to determine the updates that are needed. Leave this report open for the next task.

Task 5: Approve an update for the HO Servers computer group


1. In the Computers Report for NYC-SVR1, for the first update listed, click the Not approved status.
2. Approve the update to install for the HO Servers computer group.
3. Read the information in the Approval Progress window before closing all windows.
   Note: Notice that a message appears stating that the update is approved, but must be downloaded to complete. This is due to the configuration of the lab environment.

Results: After this exercise, you should have approved an update for NYC-DC1.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.

Lab Instructions: Increasing Security for Network Communication

Module 9
Lab Instructions: Increasing Security for Network Communication
Contents:
Exercise 1: Selecting a Network Security Configuration
Exercise 2: Configuring IPsec to Authenticate Computers
Exercise 3: Testing IPsec Authentication


Lab: Increasing Security for Network Communication

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Scenario
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. The application is secured by authenticating users by using a username and password. To enhance security, the director of Research wants the application to be accessible only from computers in the Research department. To meet the requirements specified by the director of Research, you will create a connection security rule that authenticates the computers in the Research department. Then, you will create a firewall rule that ensures only authenticated computers from the Research department can access the application.

For this project, you must complete the following tasks:
   • Configure IPsec to authenticate network communication for an application.
   • Test implementation of IPsec to authenticate network communication for an application.

Exercise 1: Selecting a Network Security Configuration


Scenario
In this exercise, you will read the supporting documentation and then answer the questions in the proposals section.

The main tasks for this exercise are as follows:
1. Read the Research application security document.
2. Update the proposal document with your planned course of action.
3. Examine the suggested proposals in the Lab Answer Key.

Task 1: Read the Research application security document


Read the Research application security document.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Research application security document.

Research application security

Document Reference Number: GW1605/1
Document Author: Charlotte Weiss
Date: 16th May

Requirements Overview
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must:
1. Create a connection security rule that authenticates the computers in the Research department.
2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application.

Additional Information
1. The application exists on NYC-SVR1.
2. The application is not configured to use SSL.
3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.

Proposals
1. How will you accomplish requirement 1?
2. How will you accomplish requirement 2?
3. Are there any additional tasks that you must perform?

Task 3: Examine the suggested proposals in the Lab Answer Key


Compare your solution to the proposed solution in the Research application security document in the Lab Answer Key. Be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.


Exercise 2: Configuring IPsec to Authenticate Computers


Scenario
In this exercise, you will deploy and configure a firewall and connection security rule to meet the requirements of the Research department.

The main tasks for this exercise are as follows:
1. Move the NYC-SVR1 and NYC-CL1 computers into the Research OU.
2. Create a GPO and link to the Research OU.
3. Create the required connection security rule.
4. Create the firewall rule.
5. Refresh the Group Policy on client computers.

Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU
1. Switch to NYC-DC1.
2. Open Active Directory Users and Computers.
3. Move NYC-CL1 and NYC-SVR1 from the Computers built-in container to the Research OU.

Task 2: Create a GPO and link to the Research OU


1. Open Group Policy Management.
2. Create and link a new GPO called Research Department Application Security Policy to the Research OU.

Task 3: Create the required connection security rule


1. Open Research Department Application Security Policy for editing.
2. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security LDAP://CN={GUID} > Connection Security Rules.
3. Create a new Connection Security Rule with the following properties:
   • Rule type: Custom
   • Endpoints: Default
   • Requirements: Require authentication for inbound connections and request authentication for outbound connections
   • Authentication method: Computer and user (Kerberos V5)
   • Protocol and Ports: Endpoint 1: TCP port 80, Endpoint 2: default
   • Profile: Domain
   • Name: Research Department Application Security rule


Task 4: Create the firewall rule


Create a new Inbound firewall rule with the following properties:
   • Rule type: Custom
   • Program: Default
   • Protocol and Ports: Local port: TCP 80
   • Scope: Default
   • Action: Allow the connection if it is secure: Allow the connection if it is authenticated and integrity-protected
   • Users: Default
   • Computers: Only allow connections from these computers: NYC-CL1; NYC-SVR1
   • Profile: Domain
   • Name: Research Department Application Firewall rule
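The rules from Tasks 3 and 4 can also be expressed as netsh advfirewall commands, which makes the mapping from each dialog setting to a rule parameter explicit. The following PowerShell is an added example, not part of the lab manual: it only prints the commands, it targets the local policy store instead of the GPO (so the connection security rule would be needed on both computers), and the function names and sample SIDs are constructed for illustration.

```powershell
# Added example: build the netsh equivalents of the connection security rule
# (Task 3) and the inbound firewall rule (Task 4). Nothing is executed here;
# review the printed commands before running them in an elevated prompt.

function Get-ComputerSid {
    # Resolves DOMAIN\COMPUTER$ to its SID string (needs domain connectivity).
    param([string]$Domain, [string]$Computer)
    $account = New-Object System.Security.Principal.NTAccount($Domain, ($Computer + '$'))
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-ResearchIpsecCommand {
    param([Parameter(Mandatory = $true)][string[]]$ComputerSid)

    foreach ($sid in $ComputerSid) {
        if ($sid -notmatch '^S-1-5-21(-\d+){4}$') {
            throw "Not a domain account SID: $sid"
        }
    }

    # "Only allow connections from these computers" is passed to netsh as an
    # SDDL string with one allow ACE per computer account.
    $sddl = 'D:' + (($ComputerSid | ForEach-Object { "(A;;CC;;;$_)" }) -join '')

    # Task 3: require inbound / request outbound authentication on TCP 80,
    # first authentication computer Kerberos, second authentication user Kerberos.
    $consec = 'netsh advfirewall consec add rule' +
        ' name="Research Department Application Security rule"' +
        ' endpoint1=any endpoint2=any protocol=tcp port1=80 port2=any' +
        ' action=requireinrequestout auth1=computerkerb auth2=userkerb' +
        ' profile=domain'

    # Task 4: allow TCP 80 only when the connection is authenticated and
    # integrity-protected, and only from the listed computers.
    $firewall = 'netsh advfirewall firewall add rule' +
        ' name="Research Department Application Firewall rule"' +
        ' dir=in action=allow protocol=TCP localport=80' +
        ' security=authenticate rmtcomputergrp="' + $sddl + '"' +
        ' profile=domain'

    return @($consec, $firewall)
}

# Constructed SIDs for illustration only. On the lab domain, resolve the real
# ones with: Get-ComputerSid -Domain 'CONTOSO' -Computer 'NYC-CL1'
$sampleSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1111111111-2222222222-3333333333-1106'
)
New-ResearchIpsecCommand -ComputerSid $sampleSids

# Once a client has connected, the main mode and quick mode security
# associations can be listed from the command line with:
#   netsh advfirewall monitor show mmsa
#   netsh advfirewall monitor show qmsa
```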

Task 5: Refresh the Group Policy on client computers


1. Switch to NYC-CL1.
2. Open a command prompt, type gpupdate /force, and press ENTER.
3. Restart the computer.
4. Switch to NYC-SVR1.
5. Open a command prompt, type gpupdate /force, and press ENTER.
6. Restart the computer.

Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.


Exercise 3: Testing IPsec Authentication


Scenario
In this exercise, you will verify that only authorized users are allowed to connect to the Research application and monitor IPsec connections using Windows Firewall with Advanced Security and IP Security Monitor.

The main tasks for this exercise are as follows:
1. Attempt to connect to the web server on NYC-SVR1.
2. Verify settings with Windows Firewall with Advanced Security.
3. Verify settings with IP Security Monitor.

Task 1: Attempt to connect to the web server on NYC-SVR1


1. Switch to NYC-CL1.
2. Log on using the following information:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
3. Open Internet Explorer and attempt to open the webpage at http://nyc-svr1. This is successful.

Task 2: Verify settings with Windows Firewall with Advanced Security


1. Open Windows Firewall with Advanced Security.
2. Open Monitoring > Security Associations > Main Mode.
3. Double-click any associations listed. What is the First authentication method?
4. Expand Quick Mode.
5. In the right pane, double-click the item listed. What is the Remote port?

Task 3: Verify settings with IP Security Monitor


1. Open a new management console and add the IP Security Monitor snap-in.
2. Open IP Security Monitor > NYC-CL1 > Main Mode > Security Associations.
3. In the right pane, double-click the item listed. What is the encryption method?

Results: At the end of this exercise, you will have verified IPsec settings.


Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Instructions: Configuring and Troubleshooting Network File and Print Services

Module 10
Lab Instructions: Configuring and Troubleshooting Network File and Print Services
Contents:
Exercise 1: Creating and Configuring a File Share
Exercise 2: Encrypting and Recovering Files
Exercise 3: Creating and Configuring a Printer Pool


Lab: Configuring and Troubleshooting Network File and Print Services

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-CL1.

Lab Scenario
As a server administrator for Contoso, you are responsible for configuring the file and print services that are available to users. You have been assigned several tasks to perform:
1. Create and configure a new file share for multiple departments.
2. Configure a recovery agent for EFS encrypted files.
3. Configure a printer pool to enhance printing capacity.


Exercise 1: Creating and Configuring a File Share


Scenario
You are configuring a new file server that will hold files that are shared by multiple departments. The first two departments scheduled to move their files to this location are the Marketing and Production departments. You need to configure the file share so that each department has access to view and modify only their own files. In addition, users should not see files and folders that they do not have access to.

The main tasks for this exercise are as follows:
1. Create the folder structure for the share.
2. Configure NTFS permissions on the folder structure.
3. Create the share.
4. Enable access-based enumeration.
5. Verify that permissions are properly configured.

Task 1: Create the folder structure for the share


1. On NYC-DC1, create the folder C:\Share.
2. Create the folder C:\Share\Marketing.
3. Create the folder C:\Share\Production.

Task 2: Configure NTFS permissions on the folder structure


1. On NYC-DC1, use Windows Explorer to open the properties of the C:\Share folder and verify that Users have Read permission on the Security tab.
2. In the properties of the Marketing folder, open the Advanced NTFS permissions.
3. Change the permissions to remove inheritable permissions from this object's parent and add the existing permissions.
4. Remove permissions for the Users group.
5. Add the Marketing group with Modify permission.
6. In the properties of the Production folder, open the Advanced NTFS permissions.
7. Change the permissions to remove inheritable permissions from this object's parent and add the existing permissions.
8. Remove permissions for the Users group.
9. Add the Production group with Modify permission.

Task 3: Create the share


1. On NYC-DC1, in Windows Explorer, open the properties of C:\Share.
2. Use Advanced sharing to share the folder.
3. Give the Everyone group Full Control permission for the share.


Task 4: Enable access-based enumeration


1. On NYC-DC1, open the Share and Storage Management administrative tool.
2. Open the properties of Share and enable access-based enumeration.

Task 5: Verify that permissions are properly configured


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Open \\NYC-DC1\Share.
3. Read the folders that are listed.
4. Create a new text file named AdamFile in the Marketing folder.
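Because the share grants Everyone Full Control, the NTFS ACLs from Task 2 are the only thing separating the two departments, so they are worth checking directly and not only by logging on as one user. The following read-only PowerShell audit is an added example, not part of the lab manual: it assumes it is run on NYC-DC1 after Task 2 and that the groups resolve as CONTOSO\Marketing and CONTOSO\Production. The function name is constructed for illustration.

```powershell
# Added example: read-only audit of the department folder ACLs from Task 2.
# Reports when inheritance is still on, when BUILTIN\Users still has an
# allow entry, or when the department group lacks Modify.

function Test-DepartmentFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Group
    )
    $acl      = Get-Acl -Path $Path
    $modify   = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $findings = @()

    # Task 2 removes inheritance and keeps a copy of the existing entries.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$Path : inheritance from the parent folder is still enabled"
    }

    $groupHasModify = $false
    foreach ($ace in $acl.Access) {
        $who   = $ace.IdentityReference.Value
        $allow = ($ace.AccessControlType -eq 'Allow')

        # Any remaining allow entry for Users lets other departments in.
        if ($allow -and $who -eq 'BUILTIN\Users') {
            $findings += "$Path : BUILTIN\Users still has $($ace.FileSystemRights)"
        }
        # The department group needs every bit of Modify, not a subset.
        if ($allow -and $who -eq $Group -and
            (([int]$ace.FileSystemRights -band $modify) -eq $modify)) {
            $groupHasModify = $true
        }
    }
    if (-not $groupHasModify) {
        $findings += "$Path : $Group does not have Modify"
    }
    if ($findings.Count -eq 0) {
        $findings += "$Path : OK ($Group has Modify, Users removed, inheritance off)"
    }
    return $findings
}

# Lab paths from Task 1; the group names are assumptions about the lab domain.
$checks = @(
    @{ Path = 'C:\Share\Marketing';  Group = 'CONTOSO\Marketing'  },
    @{ Path = 'C:\Share\Production'; Group = 'CONTOSO\Production' }
)
foreach ($check in $checks) {
    if (Test-Path -Path $check.Path) {
        Test-DepartmentFolderAcl -Path $check.Path -Group $check.Group
    } else {
        "$($check.Path) : folder not found (run on NYC-DC1 after Task 1)"
    }
}
```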

Results: After this exercise, you should have created and configured a file share.


Exercise 2: Encrypting and Recovering Files


Scenario
Your organization wants to allow users to start encrypting files with EFS. However, there are concerns about recoverability. To enhance the management of the certificates used for EFS, you are going to configure an internal certification authority to issue certificates to users. You will also configure a recovery agent for EFS and verify that the recovery agent can recover files.

The main tasks for this exercise are as follows:
1. Update the recovery agent certificate for EFS.
2. Update Group Policy on the computers.
3. Obtain a certificate for EFS.
4. Encrypt a file.
5. Use the recovery agent to open the file.

Task 1: Update the recovery agent certificate for EFS


1. On NYC-DC1, open the Group Policy Management administrative tool.
2. Edit the Default Domain Policy that is linked to Contoso.com.
3. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.
4. Delete the existing Administrator certificate.
5. Create a new Data Recovery Agent.
6. Read the information about the new certificate and verify that it was issued by ContosoCA.

Task 2: Update Group Policy on the computers


1. On NYC-DC1, run gpupdate /force at a command prompt.
2. On NYC-CL1, run gpupdate /force at a command prompt.

Task 3: Obtain a certificate for EFS


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Run mmc.exe to open an empty MMC console.
3. Add the Certificates snap-in to the MMC console.
4. In the console, right-click Personal and request a new certificate.
5. Select a Basic EFS certificate.
6. Verify that the new certificate was issued by ContosoCA.
7. Close the console and do not save the changes.


Task 4: Encrypt a file


1. On NYC-CL1, browse to \\NYC-DC1\Share\Marketing.
2. Open the properties of AdamFile.
3. Enable encryption in the advanced attributes of AdamFile.
4. Close Windows Explorer.

Task 5: Use the recovery agent to open the file


1. On NYC-DC1, browse to C:\Share\Marketing.
2. Open AdamFile.txt, modify the contents and save the file.

Results: After this exercise, you should have encrypted and recovered a file.


Exercise 3: Creating and Configuring a Printer Pool


Scenario
The Marketing department has a single central copy room that stores the printer for the entire floor. Over the last year, the capacity of your printer has become a concern. In particular, when a user prints a large job, it prevents other users from obtaining their print jobs for 10 or 15 minutes. To resolve this problem, you have purchased two new identical printers to configure as a printer pool for the Marketing department.

The main tasks for this exercise are as follows:
1. Install the Print Management role.
2. Create two IP printer ports.
3. Create a printer.
4. Make the new printer into a printer pool.
5. Distribute the printer pool to users.
6. Verify printer distribution to a marketing user.

Task 1: Install the Print Management role


1. On NYC-DC1, open the Server Manager administrative tool.
2. Add the Print and Document Services role with the Print Server role service.

Task 2: Create two IP printer ports


1. Open the Print Management administrative tool.
2. In the NYC-DC1 print server, view the ports.
3. Create a new port with the following properties:
   • Standard TCP/IP Port
   • IP Address: 10.10.0.98
   • Generic Network Card
4. Create a second port with the following properties:
   • Standard TCP/IP Port
   • IP Address: 10.10.0.99
   • Generic Network Card

Task 3: Create a printer


In Print Management, under NYC-DC1 (local), create a new printer with the following properties:
   • Use an existing port: 10.10.0.98
   • Printer driver: default
   • Printer name: PrinterPool
   • Share name: PrinterPool


Task 4: Make the new printer into a printer pool


1. In Print Management, open the properties of PrinterPool.
2. On the Ports tab, enable printer pooling.
3. Select the port 10.10.0.99 as the second port.

Task 5: Distribute the printer pool to users


1. Open the Group Policy Management administrative tool.
2. Browse to the Marketing OU, right-click, and create a new GPO in the domain that is linked here.
   • Name: MarketingGPO
3. Right-click MarketingGPO and edit.
4. Browse to \User Configuration\Preferences\Control Panel Settings\Printers.
5. Create a new shared printer with the following properties:
   • Share path: \\NYC-DC1\PrinterPool
   • Set this printer as the default printer

Task 6: Verify printer distribution to a marketing user


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Open a command prompt and run gpupdate /force.
3. On the Start menu, open Devices and Printers to verify that PrinterPool on NYC-DC1 appears and is configured as the default printer.

Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-CL1.

Lab Instructions: Optimizing Data Access for Branch Offices

Module 11
Lab Instructions: Optimizing Data Access for Branch Offices
Contents:
Lab A: Implementing DFS
   Exercise 1: Installing the DFS Role Service
   Exercise 2: Configuring the Required Namespace
   Exercise 3: Configuring DFS Replication
Lab B: Implementing BranchCache
   Exercise 1: Performing Initial Configuration Tasks for BranchCache
   Exercise 2: Configuring BranchCache Clients
   Exercise 3: Configuring BranchCache on the Branch Server
   Exercise 4: Monitoring BranchCache


Lab A: Implementing DFS

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1.

Lab Scenario
Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure DFS. To avoid the need to perform backups remotely, a departmental file share in the branch office will be replicated back to the head office for centralized backup. Data replicated to the head office should be read only.

For this project, you must complete the following tasks:
   • Install the DFS role service
   • Configure the required namespace
   • Configure DFS replication


Exercise 1: Installing the DFS Role Service


Scenario
In this exercise, you will install the DFS role service on NYC-SVR1 and NYC-DC1.

The main tasks for this exercise are as follows:
1. Install the DFS Role Service on NYC-SVR1.
2. Install the DFS Role Service on NYC-DC1.

Task 1: Install the DFS Role Service on NYC-SVR1


1. Switch to NYC-SVR1.
2. Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication.
3. Close Server Manager.

Task 2: Install the DFS Role Service on NYC-DC1


1. Switch to NYC-DC1.
2. Open Server Manager and add the Distributed File System role service. Ensure that you select DFS Namespaces and DFS Replication.
3. Close Server Manager.

Results: At the end of this exercise, you will have installed the required role services on both servers.


Exercise 2: Configuring the Required Namespace


Scenario
In this exercise, you will configure a namespace to support the branch office distributed data requirement. The branch offices require two folders: one for research templates and another for data files.

The main tasks for this exercise are as follows:
1. Use the New Namespace Wizard to create the BranchDocs namespace.
2. Enable access-based enumeration for the BranchDocs namespace.
3. Add the ResearchTemplates folder to the BranchDocs namespace.
4. Add the DataFiles folder to the BranchDocs namespace.
5. Verify the BranchDocs namespace.

Task 1: Use the New Namespace Wizard to create the BranchDocs namespace

1. Switch to NYC-SVR1.
2. Open DFS Management.
3. Create a new namespace with the following properties:
   • Server: NYC-SVR1
   • Name: BranchDocs
   • Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode
4. Verify that the namespace has been created.

Task 2: Enable access-based enumeration for the BranchDocs namespace


In DFS Management, in the \\Contoso.com\BranchDocs Properties dialog box, on the Advanced tab, select the Enable access-based enumeration for this namespace check box.

Task 3: Add the ResearchTemplates folder to the BranchDocs namespace


Add a new folder to the BranchDocs namespace:
   • Folder name: ResearchTemplates
   • Add a folder target:
      • Path: \\NYC-DC1\ResearchTemplates
      • Create share
      • Local path: C:\BranchDocs\ResearchTemplates
      • Permissions: All users have read and write permissions
      • Create folder


Task 4: Add the DataFiles folder to the BranchDocs namespace


Add a new folder to the BranchDocs namespace:
   • Folder name: DataFiles
   • Add a folder target:
      • Path: \\NYC-SVR1\DataFiles
      • Create share
      • Local path: C:\BranchDocs\DataFiles
      • Permissions: All users have read and write permissions
      • Create folder

Task 5: Verify the BranchDocs namespace


1. On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\BranchDocs and then press ENTER.
2. Verify that both ResearchTemplates and DataFiles are visible and then close the window.

Results: At the end of this exercise, you will have created and verified the DFS namespace.


Exercise 3: Configuring DFS Replication


Scenario
In this exercise, you will configure DFS replication between NYC-SVR1 and NYC-DC1. You will also make the copy of the data files on NYC-DC1 read-only.

The main tasks for this exercise are as follows:
1. Create another Folder Target for DataFiles.
2. Configure Replication for the namespace.

Task 1: Create another Folder Target for DataFiles


1. In DFS Management, expand Contoso.com\BranchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target.
2. Add a new folder target:
   • Path to target: \\NYC-DC1\DataFiles
   • Create share
   • Local path: C:\BranchDocs\DataFiles
   • Permissions: All users have read and write permissions
   • Create folder
3. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

Task 2: Configure Replication for the namespace


1. Complete the Replicate Folder Wizard:
   • Primary member: NYC-SVR1
   • No topology
   • Use defaults elsewhere and accept any messages
2. Create a new replication topology for the namespace:
   • Type: Full mesh
   • Schedule and bandwidth: defaults
3. In the details pane, on the Memberships tab, verify that the replicated folder is shown on NYC-DC1 and NYC-SVR1. Right-click NYC-DC1 and then click Make read-only.

Results: At the end of this exercise, you will have successfully configured DFS replication.


Preparing for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.


Lab B: Implementing BranchCache

Lab Setup
Important: You must reconfigure the 6421B-NYC-CL2 computer onto the Private Network. Instructions are provided for this.

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. In Hyper-V Manager, click 6421B-NYC-CL2, and in the Actions pane, click Settings.
6. In the Settings for 6421B-NYC-CL2 dialog box, in the navigation pane, click Network Adapter.
7. In the Results pane, in the Network drop-down list, click Private Network and then click OK.


Lab Scenario
Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN utilization out to the branch office, BranchCache will be configured for these data.

For this project, you must complete the following tasks:
   • Perform initial configuration tasks for BranchCache
   • Configure BranchCache clients
   • Configure BranchCache on the branch server
   • Monitor and verify BranchCache


Exercise 1: Performing Initial Configuration Tasks for BranchCache


Scenario
In this exercise, you will prepare the network environment for BranchCache.

The main tasks for this exercise are as follows:
1. Configure NYC-DC1 to use BranchCache.
2. Simulate slow link to the branch office.
3. Enable a file share for BranchCache.
4. Configure client firewall rules for BranchCache.

Task 1: Configure NYC-DC1 to use BranchCache


1. Switch to NYC-DC1.
2. Open Server Manager and install the BranchCache for network files role service.
3. Open the local group policy editor (gpedit.msc).
4. Navigate to and open Computer Configuration > Administrative Templates > Network > Lanman Server > Hash Publication for BranchCache. Enable this setting and then select Allow hash publication only for shared folders on which BranchCache is enabled.

Task 2: Simulate slow link to the branch office


1. Navigate to Computer Configuration > Windows Settings > Policy-based QoS.
2. Create a new policy:
   • Name: Limit to 100Kbps
   • Specify Outbound Throttle Rate: 100
3. Close the Local Group Policy Editor.

Task 3: Enable a file share for BranchCache


1. Create a new folder called C:\Share.
2. Share this folder with the following properties:
   • Sharename: Share
   • Permissions: default
   • Caching: Enable BranchCache
3. Copy C:\Windows\System32\mspaint.exe to this new folder.
4. Close all open windows.

Task 4: Configure client firewall rules for BranchCache


1. Open Group Policy Management.
2. Navigate to Forest: Contoso.com > Domains > Contoso.com > Default Domain Policy. Open the policy for editing.
3. Navigate to Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
4. Create a new inbound firewall rule with the following properties:
   • Rule type: predefined
   • Use BranchCache Content Retrieval (Uses HTTP)
   • Action: Allow
5. Create a new inbound firewall rule with the following properties:
   • Rule type: predefined
   • Use BranchCache Peer Discovery (Uses WSD)
   • Action: Allow

Results: At the end of this exercise, you will have prepared the network environment for BranchCache.


Exercise 2: Configuring BranchCache Clients


Scenario
In this exercise, you will configure NYC-CL1 and NYC-CL2 with the required settings to enable BranchCache.

The main task for this exercise is:
1. Configure clients to use BranchCache in hosted cache mode.

Task 1: Configure clients to use BranchCache in hosted cache mode


1. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > BranchCache.
2. Enable the Turn on BranchCache value.
3. Enable the Set BranchCache Hosted Cache mode value and then configure the Enter the location of hosted Cache value: NYC-SVR1.contoso.com.
4. Enable the Configure BranchCache for network files value and then configure the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office value: 0.
5. Close Group Policy Management Editor and Group Policy Management console.
6. Start the 6421B-NYC-CL1 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd.
7. Open a command prompt and refresh the group policy settings (gpupdate /force).
8. At the command prompt window, type netsh branchcache show status all and then press ENTER.
9. Start the 6421B-NYC-CL2 virtual machine and log on as Contoso\Administrator with the password of Pa$$w0rd. Reconfigure the computer to obtain an IPv4 address automatically.
10. Restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd.
11. Open a command prompt and refresh the group policy settings (gpupdate /force).
12. At the command prompt window, type netsh branchcache show status all and then press ENTER.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.


Exercise 3: Configuring BranchCache on the Branch Server


Scenario
In this exercise, you will configure BranchCache on NYC-SVR1.

The main tasks for this exercise are as follows:
1. Install the BranchCache feature on NYC-SVR1.
2. Request a certificate and link it to BranchCache.
3. Start the BranchCache Host Server.

Task 1: Install the BranchCache feature on NYC-SVR1


1. Start 6421B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
2. Open Server Manager and add the BranchCache feature.
3. Close Server Manager.

Task 2: Request a certificate and link it to BranchCache


1. Using the Certificates snap-in, request a new Computer certificate.
2. Open the newly issued certificate (in the Personal store).
3. On the Details tab, view the Thumbprint field. Copy the text from the details section to the paste buffer.
4. Open a command prompt.
5. Run the following command, replacing certificatehashvalue with the contents from the paste buffer, leaving out spaces.

   netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

6. At the command prompt window, type netsh branchcache show status all and then press ENTER.
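
The thumbprint clean-up in step 5, as an added PowerShell example that is not part of the original lab: it strips the spaces and any invisible formatting character copied from the Details tab, checks that 40 hex digits remain, confirms the certificate is in the computer's Personal store with a private key, and fills in the netsh command from the step. The function names and the sample thumbprint are constructed for illustration.

```powershell
# Added example (not from the lab). Function names and the sample value are
# made up for illustration; only the netsh command line comes from the lab.

function ConvertTo-CertHash {
    param([Parameter(Mandatory = $true)][string]$Pasted)

    # Remove whitespace plus Unicode "format" characters (category Cf). Text
    # copied from the certificate dialog can start with an invisible U+200E
    # mark, which makes the certhash value invalid even though it looks right.
    $hash = $Pasted -replace '[\s\p{Cf}]', ''

    # A SHA-1 thumbprint is 20 bytes, so exactly 40 hexadecimal digits.
    if ($hash -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a 40-digit hex thumbprint after clean-up: '$hash'"
    }
    return $hash.ToUpperInvariant()
}

function Test-MachineCertificate {
    param([Parameter(Mandatory = $true)][string]$CertHash)

    # The binding needs a certificate in the computer's Personal store that
    # has a private key. Returns $true only when both conditions hold.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertHash }
    return [bool]($cert -and $cert.HasPrivateKey)
}

function Get-SslCertCommand {
    param([Parameter(Mandatory = $true)][string]$CertHash)

    # Same command line as in the lab step, with the cleaned hash filled in.
    # It is returned as text to paste into the command prompt used in the lab.
    $appId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
    return "netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertHash appid=$appId"
}

# Constructed sample: what a paste from the Thumbprint field can look like,
# including the leading invisible character and the spaces between bytes.
$pasted = [string][char]0x200E +
    '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67'

$hash = ConvertTo-CertHash -Pasted $pasted
if (-not (Test-MachineCertificate -CertHash $hash)) {
    Write-Warning "No certificate with a private key and thumbprint $hash in LocalMachine\My."
}
Get-SslCertCommand -CertHash $hash
```

After the printed command has been run, netsh http show sslcert ipport=0.0.0.0:443 lists the binding so its hash can be compared with the certificate's thumbprint.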

Task 3: Start the BranchCache Host Server


1. Switch to NYC-DC1.
2. Open Active Directory Users and Computers.
3. Create a new OU called BranchCacheHost and move NYC-SVR1 into this OU.
4. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU.
5. Close all open windows.
6. Switch to NYC-SVR1 and restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd.
7. At the command prompt window, type netsh branchcache set service hostedserver and then press ENTER.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.


Exercise 4: Monitoring BranchCache


Scenario
In this exercise, you will monitor and verify the BranchCache service.

The main tasks for this exercise are as follows:
1. Configure Performance Monitor on NYC-SVR1.
2. View performance statistics on NYC-CL1.
3. View performance statistics on NYC-CL2.
4. Test BranchCache in hosted caching mode.

Task 1: Configure Performance Monitor on NYC-SVR1


1. Open Performance Monitor.
2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. Remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 2: View Performance statistics on NYC-CL1


1. Switch to NYC-CL1.
2. Open Performance Monitor.
3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. Remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 3: View performance statistics on NYC-CL2


1. Switch to NYC-CL2.
2. Open Performance Monitor.
3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor. Remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 4: Test BranchCache in hosted caching mode


1. Switch to NYC-CL1.
2. Open \\NYC-DC1.contoso.com\share and copy the executable file to the local desktop. This could take a few minutes due to the simulated slow link.
3. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).
4. Switch to NYC-CL2.
5. Open \\NYC-DC1.contoso.com\share and copy the executable file to the local desktop. This should not take long because the file is cached.
6. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
7. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified the function of BranchCache.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-CL1 and 6421B-NYC-CL2.

Lab Instructions: Controlling and Monitoring Network Storage

Module 12
Lab Instructions: Controlling and Monitoring Network Storage
Contents:
Exercise 1: Configuring FSRM Quotas
Exercise 2: Configuring File Screening
Exercise 3: Configuring File Classification and File Management


Lab: Controlling and Monitoring Network Storage

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Scenario
Contoso has recently decided to implement private home folders for each user. These folders will be an alternative storage location to centralized departmental file shares. Users can save documents in their home folders when there is no need for other users to access the files. For example, some users prefer not to show anyone reports until they are completed.

For this project, you must complete the following tasks:
   • Configure FSRM quotas to limit the size of home folders.
   • Configure file screening to prevent storage of media files.
   • Configure file classification and file management to remove official documents.


Exercise 1: Configuring FSRM Quotas


Scenario
To control the size of home folders, you are implementing FSRM quotas. Each home folder is limited to 500 MB. To ensure that users are not surprised about their home folders running out of space, a message is sent by email, notifying them when their quota exceeds 75 percent. An event is also written to the event log so that it can be tracked by administrators.

1. Create the home share.
2. Install FSRM.
3. Create a quota template for home folders.
4. Configure an SMTP server for FSRM notifications.
5. Configure quotas on Home share folders.
6. Create a home folder for a user.
7. Verify that the quota is applied.

Task 1: Create the home share


1. On NYC-SVR1, create the folder C:\Home.
2. Share C:\Home as Home with the share permissions Full Control for the Everyone group.

Task 2: Install FSRM


On NYC-SVR1, use Server Manager to add the File Server Resource Manager role service.

Task 3: Create a quota template for home folders


1. On NYC-SVR1, open File Server Resource Manager.
2. Under Quota Management, create a quota template with the following settings:
   • Template name: Home Folders
   • Description: Template for user home folders
   • Limit: 500 MB
   • Hard quota: Do not allow users to exceed limit
   • Notification threshold:
      • Generate notification when usage reaches (%): 75
      • Send e-mail notification to the user who exceeded the threshold
      • Send warning to event log message

Task 4: Configure an SMTP server for FSRM notifications


On NYC-SVR1, in File Server Resource Manager, configure the following options for email notifications:
   • SMTP server name or IP address: mail.contoso.com
   • Default administrator recipients: Administrator@contoso.com


Task 5: Configure quotas on Home share folders


On NYC-SVR1, in File Server Resource Manager, in the Quotas node, create a new quota with the following settings:
   • Quota path: C:\Home
   • Auto apply template and create quotas on existing and new subfolders
   • Derive properties from this quota template: Home Folders

Task 6: Create a home folder for a user


1. On NYC-DC1, open Active Directory Users and Computers.
2. Open the properties of Adam Carter.
3. Use the Profile tab of Adam Carter to configure a home folder:
   • Drive letter: H:
   • Path: \\NYC-SVR1\Home\Adam

Task 7: Verify that the quota is applied


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Use Windows Explorer to view the properties of H: and verify that the size is limited to 500 MB.

Results: After this exercise, you will have created and applied quotas to home folders.


Exercise 2: Configuring File Screening


Scenario
Managers in Contoso are concerned that users will begin storing large media files in the newly created home folders. Even though the size of each home folder is limited to 500 MB by quotas, the managers want to prevent space from being wasted by video, audio, and graphics files, including a new audio format with the file extension audx. You are implementing file screening to prevent media files from being stored in home folders.

The main tasks for this exercise are as follows:
1. Add AUDX to a file group.
2. Create a file screen template.
3. Configure a file screen for C:\Home.
4. Verify that the file screen is applied.

Task 1: Add AUDX files to a file group


1. On NYC-SVR1, open File Server Resource Manager.
2. In the File Screening Management node, edit the Audio and Video Files file group and add *.audx.

Task 2: Create a file screen template


On NYC-SVR1, use File Server Resource Manager to create a file screen template with the following settings:
   • Template name: Home Folder Media
   • Active Screening: Do not allow users to save unauthorized files
   • File groups: Audio and Video Files and Image Files
   • Send warning to event log

Task 3: Configure a file screen for C:\Home


On NYC-SVR1, use File Server Resource Manager to create a file screen with the following settings:
   • File screen path: C:\Home
   • Derive properties from the file screen template: Home Folder Media

Task 4: Verify that the file screen is applied


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Use Windows Explorer to copy the Wildlife video from Libraries\Videos\Sample Videos to H:\.
3. Verify that you cannot place the file on H:.

Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.


Exercise 3: Configuring File Classification and File Management


Scenario
After implementing home folders for all users, you have found that a large amount of disk space is being used by Official Documents that are stored on the Contoso Intranet. There is no need for users to copy these files into their home folders and it is wasting storage space on the file server. All official documents contain a heading with an official document number. You are configuring file classification to identify official documents on the Home share and then using file management to remove them. To ensure that legitimate documents are not accidentally deleted, files are being expired and placed in C:\Expired Documents where they can be retrieved if necessary.

The main tasks for this exercise are as follows:
1. Create a classification property for official documents.
2. Create a classification rule for official documents.
3. Create a file management task to expire official documents.
4. Verify that official documents are expired.

Task 1: Create a classification property for official documents


1. On NYC-SVR1, open File Server Resource Manager.
2. In the Classification Management node, create a new classification property with the following settings:
   • Property name: Official Document
   • Property type: Yes/No

Task 2: Create a classification rule for official documents


On NYC-SVR1, use File Server Resource Manager to create a classification rule with the following settings:
   • Rule name: Official Documents
   • Scope: C:\Home
   • Classification mechanism: Content Classifier
   • Property name: Official Document
   • Property value: Yes
   • Advanced: Additional Classification Parameters
      • Name: RegularExpression
      • Value: Document#\d\d\d\d-\d\d\d


Task 3: Create a file management task to expire official documents


On NYC-SVR1, use File Server Resource Manager to create a file management task with the following settings:
   • Task name: Remove Official Documents
   • Scope: C:\Home
   • Expiration Directory: C:\Expired Documents
   • Property Condition: Official Document equals Yes
   • Schedule: Weekly, Sun 9:00 PM

Task 4: Verify that official documents are expired


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Use Windows Explorer to create a Microsoft Word document named Test Document on H:\.
3. Edit Test Document and add the following content:
   • Document#2011-001
4. Close Microsoft Word.
5. On NYC-SVR1, in File Server Resource Manager, at the Classification Rules node, run the classification rules now.
6. Review the Automatic Classification Report that is generated to verify that one official document is found.
7. Run the Remove Official Documents file management task.
8. Review the File Management Task Report and verify that one file was expired.
9. Use Windows Explorer to browse the contents of C:\Expired Documents and verify that Test Document is there.

Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.
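
A dry run of the classification rule's regular expression from Task 2, as an added PowerShell example that is not part of the original lab: it applies the lab's expression to constructed sample text so you can see what would be marked as an official document before the file management task moves anything. It assumes the expression is evaluated with .NET regular expression defaults; the stricter pattern, the function names and all sample strings are hypothetical.

```powershell
# Added example (not from the lab). Assumption: the Content Classifier
# evaluates the RegularExpression parameter with .NET regex default options.

$labPattern    = 'Document#\d\d\d\d-\d\d\d'    # value entered in Task 2
$strictPattern = '\bDocument#\d{4}-\d{3}\b'    # hypothetical tighter variant

function Test-OfficialDocument {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Text,
        [Parameter(Mandatory = $true)][string]$Pattern
    )
    # [regex]::IsMatch is case-sensitive by default and matches anywhere in
    # the text (unlike PowerShell's -match operator, which ignores case).
    return [regex]::IsMatch($Text, $Pattern)
}

# Constructed samples: text as it might appear inside files under C:\Home.
$samples = @(
    'Document#2011-001',                         # the lab's test content
    'Heading: Document#2011-001 Travel Policy',  # number inside a heading
    'See Document#2011-0015 for details',        # longer number than the format
    'MyDocument#2011-001 draft notes',           # other word ending in "Document"
    'document#2011-001',                         # lower-case d
    'Document #2011-001',                        # space before the #
    'Document#11-001'                            # two-digit year
)

function Get-ClassificationPreview {
    param([string[]]$Text, [string]$Lab, [string]$Strict)

    # One result object per sample, showing the verdict of each pattern.
    foreach ($t in $Text) {
        New-Object PSObject -Property @{
            Text         = $t
            LabRule      = Test-OfficialDocument -Text $t -Pattern $Lab
            StricterRule = Test-OfficialDocument -Text $t -Pattern $Strict
        }
    }
}

Get-ClassificationPreview -Text $samples -Lab $labPattern -Strict $strictPattern |
    Select-Object Text, LabRule, StricterRule |
    Format-Table -AutoSize
```

The third and fourth samples match the lab's expression but not the stricter one; files like these are the ones that would be moved to C:\Expired Documents without being official documents.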

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Instructions: Recovering Network Data and Servers

Module 13
Lab Instructions: Recovering Network Data and Servers
Contents:
Exercise 1: Configuring Shadow Copies
Exercise 2: Configuring a Scheduled Backup


Lab: Recovering Network Data and Servers

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Scenario
Recently, a new file server was implemented for the marketing department. Somehow in the planning process, no one considered how data on the server would be protected. You need to configure volume shadow copies on the server to simplify recovery of files. You also need to configure a scheduled backup for disaster recovery.


Exercise 1: Configuring Shadow Copies


Scenario
The new file server for the marketing department has been implemented without shadow copies. The technician who configured the server was under the mistaken impression that shadow copies create a large processing load on the server. You need to configure shadow copies on the server and verify that they are functioning properly. The data for the marketing department changes frequently. In the last two months, several high-profile incidents occurred, where documents were changed incorrectly and a recent copy could only be obtained from backup. The marketing department wants to be able to recover a version of a file for each hour.

1. Configure shadow copies on NYC-SVR1.
2. Create a file share.
3. Create multiple shadow copies of a file.
4. Recover a deleted file from a shadow copy.

Task 1: Configure shadow copies on NYC-SVR1


1. On NYC-SVR1, open Windows Explorer and Configure Shadow Copies for Local Disk (C:).
2. Enable shadow copies for C:\.
3. Configure a schedule for the shadow copies.
4. Remove the two default scheduled tasks.
5. Use the advanced schedule options to create a new Daily schedule with the following configuration:
   Repeat every 1 hour
   Duration of 24 hours

Task 2: Create a file share


1. On NYC-SVR1, use Windows Explorer to create the folder C:\Marketing.
2. Share the C:\Marketing folder with the Marketing group and give them Read/Write permission.

Task 3: Create multiple shadow copies of a file


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Browse to \\NYC-SVR1\Marketing and create a new Microsoft Office Word document named Budget Planning.
3. Open Budget Planning and add the following items in a bulleted list:
   2011 - $1,000
   2012 - $1,100
   2013 - $1,200
4. Save the Budget Planning document.
5. On NYC-SVR1, create a new shadow copy of C:\.
6. On NYC-CL1, add the following bullets to the Budget Planning document:
   2014 - $1,500
   2015 - $2,000
7. Save the Budget Planning document.
8. On NYC-SVR1, create a new shadow copy of C:\.
9. On NYC-CL1, delete the Budget Planning Document.

Task 4: Recover a deleted file from a shadow copy


1. On NYC-CL1, navigate to the Previous Versions tab in the Properties of the Marketing share.
2. Open the second most recent version of the folder and then open Budget Planning.
3. Verify that this is not the most recent version of the file (because there are only three bullets) and then close it.
4. Open the most recent version of the folder and then open Budget Planning.
5. Verify that this is the most recent version of the file (because there are five bullets) and then close it.
6. Restore the Marketing share from the most recent shadow copy.
7. Verify that the restored file is located in \\NYC-SVR1\Marketing.

Results: After this exercise, you will have enabled shadow copies for the Marketing file server.

Exercise 2: Configuring a Scheduled Backup


Scenario
The new file server for the marketing department has been implemented without a backup solution. A backup solution is important in case of a hardware failure or volume corruption. In the long run, a new license will be purchased for Data Protection Manager to allow this server to be centrally backed up like other servers in Contoso. However, until that license is purchased, you are using Windows Server Backup and an external USB hard drive (D:) to perform the backup, which will be scheduled daily at 23:00. You also need to verify that the drive can hold at least two full backups and perform a test restore.
1. Install the Windows Server Backup feature.
2. Create a scheduled backup.
3. Verify that two backups fit on the destination disk.
4. Perform a test restore of a file.

Task 1: Install the Windows Server Backup feature


On NYC-SVR1, use Server Manager to install the Windows Server Backup feature, including the Command-line Tools.

Task 2: Create a scheduled backup


1. On NYC-SVR1, open the Windows Server Backup administrative tool.
2. Create a backup schedule with the following settings:
   Full server
   Once a day at 11:00 PM
   Back up to a hard disk that is dedicated for backups (use D:)
   Remove D: from the backup when requested
   Confirm that data on D: will be removed

Task 3: Verify that two backups fit on the destination disk


1. On NYC-SVR1, in Windows Server Backup, verify that the Destination usage area indicates that approximately 32 GB are available for backups and that 0 GB are used.
2. Perform a one-time backup using the scheduled backup options.
3. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.
4. Perform a second one-time backup using the scheduled backup options.
5. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and still approximately 7.4 GB used.

Task 4: Perform a test restore of a file


1. On NYC-SVR1, in Windows Server Backup, use the Recover option to restore C:\Marketing\Budget Planning.docx.
   Source: This server (NYC-SVR1)
   Backup date: The most recent backup
   Recovery type: Files and folders
   Items to recover: C:\Marketing\Budget Planning.docx
   Recovery options: default
2. Open Windows Explorer and browse to C:\Marketing to verify that the file is restored.

Results: After this exercise, you will have configured a scheduled backup and tested backup functionality.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Instructions: Monitoring Windows Server 2008 Network Infrastructure Servers

Module 14
Lab Instructions: Monitoring Windows Server 2008 Network Infrastructure Servers
Contents:
Exercise 1: Establishing a Performance Baseline
Exercise 2: Identifying the Source of a Performance Problem
Exercise 3: Centralizing Events Logs

Lab: Monitoring Windows Server 2008 Network Infrastructure Servers

Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6421B-NYC-SVR1.

Lab Scenario
Having recently deployed some new servers, it is important to establish a performance baseline with a typical load for these new servers. You are tasked with undertaking this project. In addition, to make the process of performance monitoring easier, you decide to implement a subscribed log for the new servers so that you can effortlessly determine server health. For this project, you must complete the following tasks:
   Establish a performance baseline for NYC-SVR1 under typical load conditions.
   Use Performance Monitor to identify resources that are affected by a new application that is running on NYC-SVR1.
   Centralize events logs within Contoso.

Exercise 1: Establishing a Performance Baseline


Scenario
In this exercise, you will use Performance Monitor on the server and create a baseline using typical performance counters. The main tasks for this exercise are as follows:
1. Create a Data Collector Set.
2. Start the Data Collector Set.
3. Create workload on the server.
4. Analyze collected data.

Task 1: Create a Data Collector Set


1. Switch to the NYC-SVR1 computer.
2. Open Performance Monitor.
3. Create a new user defined data collector set using the following information to complete the process:
   Name: NYC-SVR1 Performance
   Create: Create manually (Advanced)
   Type of data: Performance counter
   Select the following counters:
      Memory, Pages/sec
      Network Interface, Bytes Total/sec
      PhysicalDisk, %Disk Time
      PhysicalDisk, Avg. Disk Queue Length
      Processor, %Processor Time
      System, Processor Queue Length
   Sample interval: 1 second
   Where to store data: default value
4. Save and close the data collector set.

Task 2: Start the Data Collector Set


In Performance Monitor, in the Results pane, right-click NYC-SVR1 Performance and then click Start.

Task 3: Create workload on the server


1. Open a command prompt and run the following commands, pressing ENTER after each command:
   Fsutil file createnew bigfile 104857600
   Copy bigfile \\nyc-dc1\c$
   Copy \\nyc-dc1\c$\bigfile bigfile2
   Del bigfile*.*
   Del \\nyc-dc1\c$\bigfile*.*
2. Do not close the command prompt.

Task 4: Analyze collected data


1. Switch to Performance Monitor.
2. Stop the NYC-SVR1 Performance data collector set.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click NYC-SVR1 Performance, double-click the NYC-SVR1_date-000001 folder and then double-click DataCollector01.blg.
8. Click the Data tab and then click Add.
9. Select the following counters:
   Memory, Pages/sec
   Network Interface, Bytes Total/sec
   PhysicalDisk, %Disk Time
   PhysicalDisk, Avg. Disk Queue Length
   Processor, %Processor Time
   System, Processor Queue Length
10. On the toolbar, click the down arrow and then click Report.
11. Record the values that are listed in the report for analysis later. Recorded values:
   Memory, Pages/sec
   Network Interface, Bytes Total/sec
   PhysicalDisk, %Disk Time
   PhysicalDisk, Avg. Disk Queue Length
   Processor, %Processor Time
   System, Processor Queue Length

Results: After this exercise, you should have established a baseline.

Exercise 2: Identifying the Source of a Performance Problem


Scenario
In this exercise, you will now simulate a load to represent the system in live usage, gather performance data using your data collector set, and determine the potential cause of the performance problem. The main tasks for this exercise are as follows:
1. Load a new program on the server.
2. Configure the load on the server.
3. Start the data collector set again.
4. Stop the running program.
5. View performance data.
6. Analyze results and draw a conclusion.

Task 1: Load a new program on the server


1. On NYC-SVR1, switch to the command prompt.
2. Change to the C:\Labfiles folder.

Task 2: Configure the load on the server


On NYC-SVR1, run StressTool.exe 95.

Task 3: Start the data collector set again


1. Switch to Performance Monitor.
2. In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR1 Performance, and then click Start.
3. Wait one minute for data to be captured.

Task 4: Stop the running program


At the command prompt, press CTRL+C and then close the command prompt.

Task 5: View performance data


1. Switch to Performance Monitor.
2. Stop the data collector set.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.
9. Click the Data tab and then click OK.
   Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.

Recorded values:
   Memory, Pages/sec
   Network Interface, Bytes Total/sec
   PhysicalDisk, %Disk Time
   PhysicalDisk, Avg. Disk Queue Length
   Processor, %Processor Time
   System, Processor Queue Length

Task 6: Analyze results and draw a conclusion


1. Compared with your previous report, which values have changed?
2. What would you recommend?

Results: After this exercise, you should have identified a potential bottleneck.

Exercise 3: Centralizing Events Logs


Scenario
In this exercise, you will use NYC-DC1 to collect event logs from NYC-SVR1; specifically, you will use this process to gather performance-related alerts from your network servers. The main tasks for this exercise are as follows:
1. Configure the source computer.
2. Configure the collector computer.
3. Create a subscribed log.
4. Create a data collector set with an alert counter.
5. Check the subscribed log for performance-related alerts.

Task 1: Configure the source computer


1. Switch to NYC-SVR1.
2. At a command prompt, run winrm quickconfig to enable the administrative changes that are necessary on a source computer.
3. Add the NYC-DC1 computer to the local Administrators group.

Task 2: Configure the collector computer


1. Switch to NYC-DC1.
2. At a command prompt, run wecutil qc to enable the administrative changes that are necessary on a collector computer.

Task 3: Create a subscribed log


1. Open Event Viewer.
2. Create a new subscription with the following properties:
   Computers: NYC-SVR1
   Name: NYC-SVR1 Events
   Collector Initiated
   Events: Critical, Warning, Information, Verbose, and Error
   Logged: last 7 days
   Logs: Windows Logs

Task 4: Create a data collector set with an alert counter


1. Switch to NYC-SVR1.
2. Open Performance Monitor.
3. Create a new user defined data collector set using the following information to complete the process:
   Name: NYC-SVR1 Alert
   Create: Create manually (Advanced)
   Type of data: Performance counter Alert
   Select the following counters: Processor, %Processor Time above 10%
   Sample interval: 1 second
   Where to store data: default value
   Alert Action: Log an entry in the application event log
4. Start the NYC-SVR1 Alert data collector set.
5. Switch to the command prompt.
6. Change to the C:\Labfiles folder and run StressTool.exe 95.
7. Wait one minute for data to be captured, and then at the command prompt, press CTRL+C and then close the command prompt.
8. Close the command prompt.

Task 5: Check the subscribed log for performance-related alerts


1. Switch to NYC-DC1.
2. In performance monitor, are there any performance-related alerts in the subscribed application log?

Results: At the end of this exercise, you will have centralized event logs.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.

Lab Answer Key: Planning and Configuring IPv4

Module 1
Lab Answer Key: Planning and Configuring IPv4
Contents:
Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices
Exercise 2: Implementing and Verifying IPv4 in the Branch Office

Lab: Planning and Configuring IPv4


Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices
Task 1: Read the supporting documentation
Read the supporting documentation located beneath the Exercise scenario in the main module document.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW00602/1
Document Author: Charlotte Weiss
Date: 6th February

Requirements Overview
Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information
You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Proposals
1. How many subnets do you envisage requiring for this region?
   Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. You also need to plan for growth of around 25 percent. Six subnets are required in the region to host computers, but an additional subnet for each location should be planned for to host the growth in computers. This is a total of nine subnets.
2. How many hosts will you deploy in each subnet?
   Answer: The specification states that you must deploy a maximum of 50 host computers for each subnet.
3. What subnet mask will you use for each branch?
   Answer: The current network address for the region is 172.16.16.0/20. This leaves 12 bits to allocate to subnets and hosts. To express 9 subnets, you would require 4 bits, since 3 bits only provides for 8 subnets. Four bits actually provides for 16 subnets, which is plenty. This is a decimal mask of 255.255.255.0.
4. What are the subnet addresses for each branch?
   Answer:
   Branch 1: 172.16.16.0/24, 172.16.17.0/24, 172.16.18.0/24
   Branch 2: 172.16.19.0/24, 172.16.20.0/24, 172.16.21.0/24
   Branch 3: 172.16.22.0/24, 172.16.23.0/24, 172.16.24.0/24
5. What range of host addresses are in each branch?
   Answer:
   Branch 1:
      172.16.16.1 > 172.16.16.254
      172.16.17.1 > 172.16.17.254
      172.16.18.1 > 172.16.18.254
   Branch 2:
      172.16.19.1 > 172.16.19.254
      172.16.20.1 > 172.16.20.254
      172.16.21.1 > 172.16.21.254
   Branch 3:
      172.16.22.1 > 172.16.22.254
      172.16.23.1 > 172.16.23.254
      172.16.24.1 > 172.16.24.254
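
The addressing plan above can be checked mechanically before it is deployed. The following Python sketch is an added example, not part of the courseware; it uses the standard ipaddress module, and the function names (required_hosts, smallest_prefix, check_plan, spare_subnets) and the PLAN layout are assumptions made for this illustration.

```python
import ipaddress
import math

REGION = ipaddress.ip_network("172.16.16.0/20")  # block reserved for the region
MAX_HOSTS = 50        # hosts per subnet, from the specification
GROWTH = 0.25         # 25 percent growth requirement

# Subnets proposed in the answer key, three per branch.
PLAN = {
    "Branch 1": ["172.16.16.0/24", "172.16.17.0/24", "172.16.18.0/24"],
    "Branch 2": ["172.16.19.0/24", "172.16.20.0/24", "172.16.21.0/24"],
    "Branch 3": ["172.16.22.0/24", "172.16.23.0/24", "172.16.24.0/24"],
}


def required_hosts(max_hosts=MAX_HOSTS, growth=GROWTH):
    """Hosts one subnet must hold once growth is included (rounded up)."""
    return math.ceil(max_hosts * (1 + growth))


def smallest_prefix(hosts):
    """Longest prefix length that still leaves `hosts` usable addresses."""
    host_bits = (hosts + 1).bit_length()   # smallest h with 2**h - 2 >= hosts
    return 32 - host_bits


def check_plan(region, plan, hosts_needed):
    """Return (report, problems) for a {branch: [cidr, ...]} plan."""
    report, problems, seen = {}, [], []
    for branch, cidrs in plan.items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr)   # strict: rejects host bits
            except ValueError as exc:
                problems.append(f"{branch}: {cidr} is not a valid subnet ({exc})")
                continue
            if not net.subnet_of(region):
                problems.append(f"{branch}: {net} lies outside {region}")
            for other in seen:
                if net.overlaps(other):
                    problems.append(f"{branch}: {net} overlaps {other}")
            seen.append(net)
            usable = net.num_addresses - 2     # minus network and broadcast
            if usable < hosts_needed:
                problems.append(f"{branch}: {net} holds only {usable} hosts")
            report[cidr] = (str(net.network_address + 1),
                            str(net.broadcast_address - 1), usable)
    return report, problems


def spare_subnets(region, plan, prefix=24):
    """Subnets of the region at `prefix` length that the plan leaves unused."""
    used = {ipaddress.ip_network(c) for cidrs in plan.values() for c in cidrs}
    return [str(n) for n in region.subnets(new_prefix=prefix) if n not in used]


if __name__ == "__main__":
    report, problems = check_plan(REGION, PLAN, required_hosts())
    for cidr, (first, last, usable) in report.items():
        print(f"{cidr:18} {first} > {last}  ({usable} usable)")
    print("problems:", problems or "none")
    print("unused /24s:", spare_subnets(REGION, PLAN))
```

The check confirms that all nine /24 subnets sit inside 172.16.16.0/20 without overlap, and lists the /24 subnets in the block that remain unallocated.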

Task 3: Examine the suggested proposals in the Lab Answer Key


Examine the completed Branch Office Network Infrastructure plan in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you should have completed an IP addressing plan for the Contoso branch offices.

Exercise 2: Implementing and Verifying IPv4 in the Branch Office


Task 1: Determine the current IPv4 configuration of the router
1. Switch to the NYC-RTR computer.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Ipconfig /all
4. What is the IPv4 address and subnet mask listed that starts 172.16?
   Answer: 172.16.16.1/255.255.255.0
5. What subnet is this?
   Answer: 172.16.16.0/24
6. What would the last host address in this subnet be?
   Answer: 172.16.16.254
7. Close the command prompt.

Task 2: Determine the IPv4 configuration of NYC-SVR2


1. Switch to the NYC-SVR2 computer.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Ipconfig /all
4. What is the IPv4 address and subnet mask?
   Answer: 172.16.16.2/255.255.255.0
5. What subnet is this?
   Answer: 172.16.16.0/24
6. What is the default gateway?
   Answer: 172.16.16.1
7. What is the DNS Servers entry?
   Answer: 10.10.0.10
8. Leave the command prompt open.

Task 3: Determine the configuration of the NYC-CL2 computer


1. Switch to the NYC-CL2 computer.
2. Click Start, click Computer, and then double-click Allfiles (E:).
3. In Windows Explorer, double-click Labfiles and then double-click Mod01.
4. Double-click Reconfigure.cmd.
5. Close Explorer.
6. Click Start, and in the Search box, type cmd.exe and press ENTER.
7. At the command prompt, type the following command and then press ENTER:
   Ipconfig /all
8. What is the IPv4 address and subnet mask?
   Answer: 169.254.x.y (the answer will vary).
9. What does this tell you?
   Answer: The client is attempting to obtain an IP address dynamically and has failed to connect to a DHCP server.

Task 4: Reconfigure the NYC-CL2 computer


1. Click Start, click Control Panel, and then click Network and Internet.
2. In Network and Internet, click Network and Sharing Center.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection 3 and then click Properties.
5. Double-click Internet Protocol Version 4 (TCP/IPv4).
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
7. Use the following information to complete the configuration, and then click OK.
   IP address: 172.16.16.3
   Subnet mask: 255.255.255.0
   Default gateway: 172.16.16.1
   Preferred DNS server: 10.10.0.10
8. In the Local Area Connection 3 Properties dialog box, click Close.
9. If prompted with the Set Network Location dialog box, click Work network, and then click Close.

Task 5: Verify the configuration


1. Switch to the command prompt.
2. At the command prompt, type the following command and then press ENTER:
   Ipconfig /all
3. What is the IPv4 address and subnet mask?
   Answer: 172.16.16.x/255.255.255.0 (answers might vary).
4. At the command prompt, type the following command and then press ENTER:
   Ping nyc-dc1
5. At the command prompt, type the following command and then press ENTER:
   Ipconfig /displaydns
6. Close all open windows.

Task 6: Capture and analyze network traffic using Network Monitor


1. On the desktop, double-click Microsoft Network Monitor 3.4.
2. In the Microsoft Update Opt-In dialog box, click No.
3. In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.
4. On the Capture 1 tab, on the menu bar, click Start.
5. Switch to the command prompt.
6. At the command prompt, type the following command and then press ENTER:
   Ipconfig /flushdns
7. At the command prompt, type the following command and then press ENTER:
   Ping nyc-dc1
8. At the command prompt, type the following command and then press ENTER:
   Ipconfig /displaydns
9. In Network Monitor, on the menu, click Stop.
10. What type of frames can you see?
   Answer: Might vary, but may include BROWSER, ARP, TCP, and ICMP frames.
11. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.
12. Point to Standard Filters, click Addresses, and then click IPv4 Addresses.
13. Scroll through the text and locate the IPv4.Address == 192.168.0.100 line. Edit the IPv4 address to read 10.10.0.10.
14. On the menu in the Display Filter pane, click Apply.
15. Examine the filtered records.
16. Click Clear Text and click Remove.
17. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.
18. Point to Standard Filters, click DNS, and then click DnsQueryName.
19. Scroll through the text and locate the DNS.Qrecord.QuestionName.contains == (server) line. Edit the server name to read (contoso).
20. On the menu in the Display Filter pane, click Apply.
21. Examine the filtered records.
22. What do the records show?
   Answer: A query for a site name. (Answers might vary)
23. Close Network Monitor.

Results: At the end of this exercise, you will have configured the branch office subnet.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-RTR, 6421B-NYC-SVR2 and 6421B-NYC-CL2.

Lab Answer Key: Configuring and Troubleshooting DHCP

Module 2
Lab Answer Key: Configuring and Troubleshooting DHCP
Contents:
Exercise 1: Selecting a Suitable DHCP Configuration
Exercise 2: Implementing DHCP
Exercise 3: Reconfiguring DHCP in the Head Office
Exercise 4: Testing the Configuration
Exercise 5: Troubleshooting DHCP Issues

Lab: Configuring and Troubleshooting the DHCP Server Role


Exercise 1: Selecting a Suitable DHCP Configuration
Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements
Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section in the module document beneath the Exercise 1 scenario.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.

Branch Office Network Infrastructure Plan: DHCP
Document Reference Number: CW0703/1
Document Author: Charlotte Weiss
Date: 7th March

Requirements
Specify how you plan to implement DHCP to support your branch office requirements.

Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.

Proposals
1. How many DHCP servers do you propose to deploy in the region?
   Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. However, for fault tolerance, each branch should have a DHCP server with duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule; this would provide for addressing fault tolerance.
2. Where do you propose to deploy these servers?
   Answer: One DHCP server in each branch office and one in the head office.
3. How do you propose to provide for fault tolerance of IP address allocation?
   Answer: Configure the scopes to support the 80/20 rule.
4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?
   Answer: They will obtain an IP configuration from the head office server. This requires a DHCP relay on the router that connects the head office to the branch.

Task 3: Examine the suggested proposals in the Lab Answer Key


Examine the completed Branch Office Network Infrastructure Plan: DHCP document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.

Exercise 2: Implementing DHCP


Task 1: Install the DHCP role on NYC-SVR2
1. Switch to NYC-SVR2.
2. On the taskbar, click Server Manager.
3. In Server Manager, in the navigation pane, click Roles, and then in the right-pane, click Add Roles.
4. In the Add Roles Wizard, click Next.
5. On the Select Server Roles page, select the DHCP Server check box and then click Next.
6. On the Introduction to DHCP Server page, click Next.
7. On the Select Network Connection Bindings page, click Next.
8. On the Specify IPv4 DNS Server Settings page, click Next.
9. On the Specify IPv4 WINS Server Settings page, click Next.
10. On the Add or Edit DHCP Scopes page, click Next.
11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next.
12. On the Authorize DHCP Server page, click Skip authorization of this DHCP server in AD DS and then click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close and then close Server Manager.

Task 2: Enable DHCP Relay


1. Switch to NYC-RTR.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the navigation pane, expand NYC-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.
4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.
5. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
6. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.
7. In the DHCP Relay Properties - Local Area Connection 2 Properties dialog box, click OK.
8. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.
9. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 3 and then click OK.
10. In the DHCP Relay Properties - Local Area Connection 3 Properties dialog box, click OK.
11. Right-click DHCP Relay Agent and then click Properties.
12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.
13. Close Routing and Remote Access.

Task 3: Authorize the DHCP Server role on NYC-SVR2


1. Switch to NYC-SVR2.
2. Click Start, point to Administrative Tools, and then click DHCP.
3. In DHCP, expand nyc-svr2.contoso.com.
4. Right-click nyc-svr2.contoso.com and then click Authorize.

Task 4: Create the required scope for branch


1. In DHCP, in the navigation pane, click nyc-svr2.contoso.com, expand IPv4, right-click IPv4, and then click New Scope.
2. In the New Scope Wizard, click Next.
3. On the Scope Name page, in the Name box, type Branch Office, and then click Next.
4. On the IP Address Range page, complete the page using the following information and then click Next:
   Start IP address: 172.16.16.4
   End IP address: 172.16.16.254
   Length: 24
   Subnet mask: 255.255.255.0
5. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   Start IP address: 172.16.16.200
   End IP address: 172.16.16.254
6. On the Lease Duration page, click Next.
7. On the Configure DHCP Options page, click Next.
8. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.
9. On the Domain Name and DNS Servers page, click Next.
10. On the WINS Servers page, click Next.
11. On the Activate Scope page, click Next.
12. On the Completing the New Scope Wizard page, click Finish.

Results: At the end of this exercise, you will have configured the branch office DHCP server.

Exercise 3: Reconfiguring DHCP in the Head Office


Task 1: Add the branch office scope on NYC-DC1
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click DHCP.
3. In DHCP, expand nyc-dc1.contoso.com.
4. In DHCP, in the navigation pane, expand IPv4, right-click IPv4, and then click New Scope.
5. In the New Scope Wizard, click Next.
6. On the Scope Name page, in the Name box, type Branch Office Backup Scope and then click Next.
7. On the IP Address Range page, complete the page using the following information and then click Next:
   Start IP address: 172.16.16.4
   End IP address: 172.16.16.254
   Length: 24
   Subnet mask: 255.255.255.0
8. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   Start IP address: 172.16.16.4
   End IP address: 172.16.16.199
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.

Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.
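
Two servers answering for the same range only stay conflict-free if their exclusions are exact complements. The Python sketch below is an added example, not part of the courseware; it audits the two scopes configured in Exercises 2 and 3, and the function names (ip_range, leasable, audit_split) and the dictionary layout are assumptions made for this illustration.

```python
import ipaddress

# Values taken from the two New Scope Wizard runs in this lab.
BRANCH_SCOPE = {        # NYC-SVR2, scope "Branch Office"
    "range": ("172.16.16.4", "172.16.16.254"),
    "exclusions": [("172.16.16.200", "172.16.16.254")],
}
HEAD_OFFICE_SCOPE = {   # NYC-DC1, scope "Branch Office Backup Scope"
    "range": ("172.16.16.4", "172.16.16.254"),
    "exclusions": [("172.16.16.4", "172.16.16.199")],
}
# Statically addressed hosts from the IPv4 lab: the router and NYC-SVR2.
STATIC_HOSTS = ["172.16.16.1", "172.16.16.2"]


def ip_range(start, end):
    """Inclusive range of IPv4 addresses as a set of integers."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError(f"range {start}-{end} is reversed")
    return set(range(first, last + 1))


def leasable(scope):
    """Addresses a server can actually hand out: range minus exclusions."""
    pool = ip_range(*scope["range"])
    for start, end in scope["exclusions"]:
        pool -= ip_range(start, end)
    return pool


def _fmt(addresses):
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addresses)]


def audit_split(primary, secondary, static_hosts=()):
    """Compare two split scopes and report overlaps, gaps and the ratio."""
    p, s = leasable(primary), leasable(secondary)
    full = ip_range(*primary["range"]) | ip_range(*secondary["range"])
    statics = {int(ipaddress.IPv4Address(h)) for h in static_hosts}
    served = p | s
    return {
        "primary_count": len(p),
        "secondary_count": len(s),
        # An address in both pools can be leased twice: duplicate IP conflict.
        "overlap": _fmt(p & s),
        # An address in neither pool is wasted, not dangerous.
        "unserved": _fmt(full - served),
        # A static host inside a pool will eventually collide with a lease.
        "static_conflicts": _fmt(statics & served),
        "primary_share": round(100 * len(p) / len(served)) if served else 0,
    }


if __name__ == "__main__":
    for key, value in audit_split(BRANCH_SCOPE, HEAD_OFFICE_SCOPE,
                                  STATIC_HOSTS).items():
        print(f"{key:17} {value}")
```

With the lab values the branch server leases 196 addresses and the head office 55, roughly the 80/20 split the plan calls for, with no address offered by both servers.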

Exercise 4: Testing the Configuration


Task 1: Configure NYC-CL2 for DHCP
1. Switch to the NYC-CL2 computer.
2. On the desktop, click Microsoft Network Monitor 3.4.
3. In the Microsoft Update Opt-in dialog box, click No.
4. In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.
5. On the Capture 1 tab, on the menu bar, click Start.
6. Click Start, and in the Search box, type Network and Sharing and then press ENTER.
7. In Network and Sharing Center, click Change adapter settings.
8. In Network Connections, right-click Local Area Connection 3 and then click Properties.
9. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
11. Click Obtain DNS server address automatically and then click OK.
12. In the Local Area Connection 3 Properties dialog box, click OK.

Task 2: Examine DHCP packets


1. Switch to Network Monitor.
2. In Microsoft Network Monitor 3.4, on the menu, click Stop.
3. Click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter DNS.
4. In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply. Now examine the captured frames.
5. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.
6. In the Frame Details pane, expand Dhcp.
7. What is the ServerIP?
   Answer: 172.16.16.2
8. Which server is this?
   Answer: NYC-SVR2

Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.

Exercise 5: Troubleshooting DHCP Issues


Task 1: Shut down the DHCP server on NYC-SVR2
1. Switch to NYC-SVR2.
2. In DHCP, right-click nyc-svr2.contoso.com, click All Tasks, and then click Stop.

Task 2: Renew the IP address on NYC-CL2


1. Switch to NYC-CL2.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Ipconfig /release
4. In Microsoft Network Monitor 3.4, click New Capture.
5. On the Capture 2 tab, on the menu bar, click Start.
6. At the command prompt, type the following command and then press ENTER:
   Ipconfig /renew
7. In Microsoft Network Monitor 3.4, on the menu, click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter DNS.
8. In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply. Now examine the captured frames.
9. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.
10. In the Frame Details pane, expand Dhcp.
11. What is the ServerIP?
    Answer: 10.10.0.10
12. Which server is this?
    Answer: NYC-DC1

Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.
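The manual check in Exercises 4 and 5 (reading the server address out of the OFFER frame) can be automated to flag offers from DHCP servers that are not expected on the segment. The Python sketch below is an added example, not part of the lab materials: it reads the Server Identifier option (54) and falls back to the siaddr header field, the allowlist is an assumption built from the two lab servers, and the packets are constructed sample data.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2

# Assumption: the only DHCP servers expected on the branch segment are the
# two lab servers named in Exercises 4 and 5.
AUTHORIZED_SERVERS = {"172.16.16.2": "NYC-SVR2", "10.10.0.10": "NYC-DC1"}


def parse_dhcp(payload):
    """Parse a DHCP message (the UDP payload) laid out as in RFC 2131."""
    payload = bytes(payload)
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(payload[off:off + 4])) for off in (16, 20, 24)
    )
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:              # the pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr, "options": options}


def check_offer(payload):
    """Return (verdict, server_ip, server_name) for an OFFER, else None."""
    msg = parse_dhcp(payload)
    if msg["options"].get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return None
    server_id = msg["options"].get(OPT_SERVER_ID)
    # Prefer the Server Identifier option; fall back to siaddr if it is absent.
    if server_id is not None and len(server_id) == 4:
        server_ip = str(ipaddress.IPv4Address(server_id))
    else:
        server_ip = msg["siaddr"]
    name = AUTHORIZED_SERVERS.get(server_ip)
    return ("authorized" if name else "unauthorized", server_ip, name)


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(yiaddr, server_ip, giaddr="0.0.0.0"):
    """Build a minimal DHCPOFFER for the demonstration (constructed data)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x6421B001, 0, 0x8000)
    header += _packed("0.0.0.0") + _packed(yiaddr)
    header += _packed(server_ip) + _packed(giaddr)
    header += bytes.fromhex("00155d000001").ljust(16, b"\x00")   # chaddr
    header += bytes(64) + bytes(128)                              # sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + _packed(server_ip)
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    samples = [
        build_offer("172.16.16.200", "172.16.16.2"),                     # local server
        build_offer("172.16.16.201", "10.10.0.10", giaddr="172.16.16.1"),  # relayed
        build_offer("172.16.16.50", "172.16.16.77"),                     # not on the list
    ]
    for pkt in samples:
        print(check_offer(pkt))
```
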

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR2, 6421B-NYC-RTR, and 6421B-NYC-CL2.

Module 3
Lab Answer Key: Configuring and Troubleshooting DNS
Contents:
Exercise 1: Selecting a DNS Configuration
Exercise 2: Deploying and Configuring DNS
Exercise 3: Troubleshooting DNS

Lab: Configuring and Troubleshooting DNS


Exercise 1: Selecting a DNS Configuration
Task 1: Read the Contoso Name Resolution Plan document
Read the Contoso Name Resolution Plan document in Task 2 of the main module document.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Contoso Name Resolution Plan document.

Contoso Name Resolution Plan
Document Reference Number: GW1203/1
Document Author: Charlotte Weiss
Date: 12th March

Requirements Overview
1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.
2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.

Additional Information
1. No additional domain controllers are planned for the Contoso domain.
2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.

Proposals
1. How will you modify the DNS configuration for Contoso to address the first requirement?
   Answer: Add a DNS server.
2. How will you modify the DNS configuration for Contoso to address the second requirement?
   Answer: Create either a stub zone for Adatum.com or configure conditional forwarding for Adatum.com.
3. Does either of the points in the additional information section raise any issues?
   Answer: AD-integrated zones are inappropriate for this scenario; if no additional domain controllers are planned, secondary zones should be configured. Stub zones require less administrative effort in the event of changes in the DNS configuration of the target DNS domain.
4. What is your proposed action plan for this project?
   Answer:
   Deploy the DNS role to NYC-SVR1.
   Create a secondary zone on NYC-SVR1 for Contoso.com.
   Enable and configure zone transfers to NYC-SVR1.
   Ensure that the zone data transfers successfully.
5. How will you distribute load among DNS servers?
   Answer: Configure DHCP to allocate both DNS server addresses to clients.

Task 3: Examine the suggested proposals in the Lab Answer Key


Examine the completed Contoso Name Resolution Plan document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.

Exercise 2: Deploying and Configuring DNS


Task 1: Install the DNS role on NYC-SVR1
1. Switch to NYC-SVR1, and on the Taskbar, click Server Manager.
2. In Server Manager, in the navigation pane, click Roles, and in the right pane, click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, in the Roles list, select the DNS Server check box and then click Next.
5. On the DNS Server page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 2: Create and configure a stub zone on NYC-DC1


1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click DNS.
3. In DNS Manager, expand NYC-DC1, expand and then right-click Forward Lookup Zones, and then click New Zone.
4. In the New Zone Wizard, click Next.
5. On the Zone Type page, click Stub zone and then click Next.
6. On the Active Directory Zone Replication Scope page, click Next.
7. On the Zone Name page, in the Zone name box, type Adatum.com and then click Next.
8. On the Master DNS Servers page, in the Master Servers list, type 131.107.1.2 and press ENTER.
   Note: Validation will fail. The server is not online.
9. Click Next, and on the Completing the New Zone Wizard page, click Finish.

Task 3: Create and configure secondary zones on NYC-SVR1


1. Switch to NYC-SVR1.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Dnscmd.exe /zoneadd Contoso.com /secondary 10.10.0.10
4. At the command prompt, type the following command and then press ENTER:
   Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10
5. Click Start, point to Administrative Tools, and then click DNS.
6. In DNS Manager, in the navigation pane, expand NYC-SVR1 and then click Forward Lookup Zones. Notice the two zones.

Task 4: Enable and configure zone transfers for Contoso.com


1. Switch to NYC-DC1.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Dnscmd.exe /zoneresetsecondaries Contoso.com /notify /notifylist 10.10.0.24
4. In DNS Manager, in the navigation pane, expand Forward Lookup Zones, expand Contoso.com.
5. Right-click Contoso.com and then click Properties.
6. In the Contoso.com Properties dialog box, click the Zone Transfers tab.
7. Click Notify, and verify that the server 10.10.0.24 is listed.
8. Click Cancel.

Note: It might take a few minutes to appear.

Task 5: Update secondary zone data from master server


1. Switch to NYC-SVR1.
2. In DNS Manager, press F5. The zone data should appear. If not, then expand Forward Lookup Zones, and then expand Contoso.com.
3. Right-click Contoso.com and then click Transfer from Master.
4. Close all open windows.

Note: You will not receive data for Adatum.com, but Contoso.com should be populated with DNS records.

Task 6: Configure clients to use the new name server


1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click DHCP.
3. In DHCP, expand nyc-dc1.contoso.com.
4. Expand IPv4 and then click Server Options.
5. In the right-pane, double-click 006 DNS Servers.
6. In the Server Options dialog box, click Remove.
7. In the IP address box, type 10.10.0.24, click Add, and then click OK.
8. Close all open windows.

Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.

Exercise 3: Troubleshooting DNS


Task 1: Test simple and recursive queries
1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.
2. In the navigation pane, right-click NYC-DC1 and then click Properties.
3. Click the Monitoring tab.
4. On the Monitoring tab, select A simple query against this DNS server and then click Test Now.
5. On the Monitoring tab, ensure that A recursive query to other DNS servers is selected and then click Test Now. Notice that the Recursive test fails for NYC-DC1, which is normal given that there are no forwarders configured for this DNS server to use.
6. Click Start, and in the Search box, type sc stop dns and then press ENTER.
7. In DNS Manager, in the NYC-DC1 Properties dialog box, on the Monitoring tab, click Test Now. Now, both Simple and Recursive tests fail because no DNS server is available.
8. Click Start, and in the Search box, type sc start dns and then press ENTER.
9. On the Monitoring tab, click Test Now. The Simple test completes successfully.
10. Close the NYC-DC1 Properties dialog box.

Task 2: Verify SOA records with Nslookup


1. On NYC-DC1, click Start, and in the Search box, type cmd.exe and then press ENTER.
2. At the command prompt, type the following command and then press ENTER:
   nslookup.exe
3. At the command prompt, type the following command and then press ENTER:
   set querytype=SOA
4. At the command prompt, type the following command and then press ENTER:
   Contoso.com
5. Close the command prompt.

Task 3: Use Dnslint to verify name server records


1. Switch to NYC-CL1.
2. Click Start, and in the Search box, type cmd.exe and then press ENTER.
3. In the command prompt, type the following command and then press ENTER:
   D:
4. In the command prompt, type the following command and then press ENTER:
   Cd\Labfiles\Mod03
5. In the command prompt, type the following command and then press ENTER:
   dnslint /s 10.10.0.10 /d Contoso.com
6. Read through the report results and then close the report window.
7. Close the command prompt.

Task 4: View performance statistics with Performance Monitor


1. Switch to NYC-DC1.
2. Click Start, right-click Computer, and then click Manage.
3. In the list pane of the Server Manager window, expand Diagnostics, expand Performance, expand Monitoring Tools, and then click Performance Monitor.
4. In the center pane, click the green Plus icon.
5. In the Available counters list, double-click DNS.
6. Select Total Query Received and then click Add.
7. Select Total Query Received/sec, click Add, and then click OK.
8. Click Start, click Administrative tools, and then click DNS.
9. In the left pane, right-click NYC-DC1, and then click Properties.
10. Click the Monitoring tab.
11. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers, and then click Test Now several times.
12. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool.
13. Return to the Server Manager console. The graph reflects the queries on the server.
14. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received.
15. Close the Server Manager console.

Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Module 4
Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
   Exercise 1: Configuring a New IPv6 Network and Client
   Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network to Native IPv6
   Exercise 1: Transitioning to a Native IPv6 Network

Lab A: Configuring an ISATAP Router


Exercise 1: Configuring a New IPv6 Network and Client
Task 1: Configure IPv4 routing
1. Switch to NYC-CL2.
2. Click Start, and in the Search box, type Network and sharing and then press ENTER.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection 3 and then click Properties.
5. Double-click Internet Protocol Version 4 (TCP/IPv4).
6. Verify the Local Area Connection 3 properties:
   IP address: 172.16.16.3
   Subnet mask: 255.255.255.0
   Default gateway: 172.16.16.1
   Preferred DNS server: 10.10.0.10
7. In the Local Area Connection 3 Properties box, click OK.
8. Close all open windows on NYC-CL2.
9. Switch to NYC-DC1.
10. Click Start, and in the Search box, type Network and sharing and then press ENTER.
11. In Network and Sharing Center, click Change adapter settings.
12. In Network Connections, right-click Local Area Connection 2 and then click Properties.
13. Double-click Internet Protocol Version 4 (TCP/IPv4).
14. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, verify that the Default gateway is 10.10.0.1. Click OK.
15. In the Local Area Connection 2 Properties box, click OK and then close all open windows on NYC-DC1.

Task 2: Enable IP routing on NYC-RTR and confirm IPv4 connectivity


1. Switch to NYC-RTR.
2. Click Start, and in the Search box, type Regedit and then press ENTER.
3. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
4. Double-click IPEnableRouter, and then in the Value data box, type 1. Click OK.
5. Close the Registry Editor and then restart NYC-RTR.
6. After NYC-RTR restarts, log on with the following credentials:
   User name: Administrator
   Password: Pa$$w0rd

Note: At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.

Task 3: Disable IPv6 on NYC-DC1


1. Switch to NYC-DC1.
2. Click Start, and in the Search box, type Network and sharing and then press ENTER.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection 2 and then click Properties.
5. In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK.

Task 4: Disable IPv4 on NYC-CL2


1. Switch to NYC-CL2.
2. Click Start, and in the Search box, type Network and sharing and then press ENTER.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection 3 and then click Properties.
5. In the Local Area Connection 3 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box and then click OK.
6. Click Start, and in the Search box, type cmd.exe and then press ENTER.
7. At the command prompt, type the following command and then press ENTER:
   ipconfig

Note: The output should be a link-local IPv6 address that starts with fe80.

Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR
1. Switch to NYC-RTR.
2. Click Start, and in the Search box, type cmd.exe and then press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled
4. At the command prompt, type the following command and then press ENTER:
   netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes

Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
1. Switch to NYC-CL2.
2. At the command prompt, type the following command and then press ENTER:
   ipconfig
   Note: The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the command prompt.

Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.

Exercise 2: Configuring an ISATAP Router to Enable Communication between an IPv4 Network and an IPv6 Network
Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1
1. Switch to NYC-DC1.
2. Click Start, click Administrative Tools, and then click DNS.
3. In the left pane, expand NYC-DC1.
4. Expand Forward Lookup Zones, select and then right-click Contoso.com, and then click New host (A or AAAA).
5. In the New Host dialog box, type ISATAP in the Name text box, and then type the IP address 10.10.0.1 (for NYC-RTR).
6. Click Add Host and then click OK.
7. Click Done and then close the DNS Manager.

Task 2: Configure the ISATAP router on NYC-RTR


Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.
2. Switch to the command prompt.
3. At the command prompt, type the following command and then press ENTER:
   Netsh interface ipv6 isatap set router 10.10.0.1
4. At the command prompt, type the following command and then press ENTER:
   ipconfig
5. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface_Index: ___________________________
6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=enabled advertise=enabled
7. At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 add route 2001:db8:0:10::/64 isatap.Interface_Index publish=yes
8. Restart NYC-RTR.
9. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
10. Click Start, and in the Search box, type cmd.exe and then press ENTER.
11. At the command prompt, type the following command and then press ENTER:
    ipconfig

Note: The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.

Task 3: Enable the ISATAP interface on NYC-DC1


1. Switch to NYC-DC1.
2. Click Start, and in the Search box, type cmd.exe and then press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Netsh interface isatap set router 10.10.0.1
4. At the command prompt, type the following command and then press ENTER:
   ipconfig

Note: The Tunnel adapter isatap.{Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.

Task 4: Test connectivity


1. Click Start, and in the Search box, type Windows Firewall and then press ENTER.
2. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.
3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
4. On the Program page, click Next.
5. On the Protocols and Ports page, in the Protocol type list, click ICMPv4 and then click Next.
6. On the Scope page, click Next.
7. On the Action page, click Next.
8. On the Profile page, click Next.
9. On the Name page, in the Name box, type Allow PING and then click Finish.
10. Switch to NYC-CL2.
11. Click Start, and in the Search box, type cmd.exe and then press ENTER.
12. At the command prompt, type the following command and then press ENTER:
    Ping 2001:db8:0:10:0:5efe:10.10.0.10
13. At the command prompt, type the following command and then press ENTER:
    ipconfig
14. What is the IPv6 address?
    Answer: Answers vary, but will start 2001:db8:0:1:.
15. Click Start, and in the Search box, type Windows Firewall and then press ENTER.
16. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.
17. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
18. On the Program page, click Next.
19. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.
20. On the Scope page, click Next.
21. On the Action page, click Next.
22. On the Profile page, click Next.
23. On the Name page, in the Name box, type Allow PING and then click Finish.
24. Switch to NYC-DC1.
25. At the command prompt, type the following command, and then press ENTER:
    Ping IPv6_address
    Where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier.

Results: At the end of this exercise, you will have configured ISATAP.
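The address pinged in step 12, 2001:db8:0:10:0:5efe:10.10.0.10, is the /64 prefix published by the ISATAP router followed by an interface identifier that embeds the host's IPv4 address. The Python sketch below is an added example, not part of the lab materials: it builds such addresses using the RFC 5214 identifier format and recovers the IPv4 endpoint from any ISATAP address found in text, which helps attribute tunneled IPv6 traffic to an IPv4 host. The ipconfig excerpt is constructed sample data.

```python
import ipaddress
import re

# Upper 32 bits of the ISATAP interface identifier (RFC 5214, section 6.1):
# 0000:5efe for private IPv4 addresses, 0200:5efe when the IPv4 address is
# globally unique (universal/local bit set).
ISATAP_ID_PRIVATE = 0x00005EFE
ISATAP_ID_GLOBAL = 0x02005EFE

# Constructed excerpt in the style of ipconfig output (not captured from the lab).
SAMPLE_IPCONFIG = """\
Tunnel adapter isatap.{CONSTRUCTED-INDEX}:
   IPv6 Address. . . . . . . . . . . : 2001:db8:0:10:0:5efe:10.10.0.10
   Link-local IPv6 Address . . . . . : fe80::5efe:10.10.0.10%14
Ethernet adapter Local Area Connection 3:
   IPv6 Address. . . . . . . . . . . : 2001:db8:0:1:c1d2:e3f4:a5b6:1234
"""


def isatap_address(prefix, ipv4):
    """Combine a /64 prefix and an IPv4 address into an ISATAP address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    upper = ISATAP_ID_GLOBAL if v4.is_global else ISATAP_ID_PRIVATE
    return ipaddress.IPv6Address(
        int(net.network_address) | (upper << 32) | int(v4)
    )


def embedded_ipv4(ipv6):
    """Return the IPv4 address inside an ISATAP address, or None."""
    value = int(ipaddress.IPv6Address(ipv6))
    if (value >> 32) & 0xFFFFFFFF not in (ISATAP_ID_PRIVATE, ISATAP_ID_GLOBAL):
        return None
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def tunnel_endpoints(text):
    """Map every ISATAP address found in free text to its IPv4 endpoint."""
    found = {}
    for token in re.findall(r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]+", text):
        token = token.rstrip(".")
        try:
            v4 = embedded_ipv4(token)
        except ValueError:
            continue  # token is not an IPv6 address
        if v4 is not None:
            found[str(ipaddress.IPv6Address(token))] = str(v4)
    return found


if __name__ == "__main__":
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.10"))
    for v6, v4 in tunnel_endpoints(SAMPLE_IPCONFIG).items():
        print(v6, "->", v4)
```
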

Preparing for the Next Lab


Do not turn off the virtual machines at this time because you will need them to complete the next lab.

Lab B: Converting the Network to Native IPv6


Exercise 1: Transitioning to a native IPv6 Network
Task 1: Disable the ISATAP router on NYC-RTR
Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.
2. Click Start, and in the Search box, type cmd.exe and then press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   ipconfig
4. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface_Index: ______________________________
5. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=disabled advertise=disabled
6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:
   netsh interface ipv6 delete route 2001:db8:0:10::/64 isatap.Interface_Index

Task 2: Configure the native IPv6 router on NYC-RTR


1. At the command prompt, type the following command and then press ENTER:
   netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled
2. At the command prompt, type the following command and then press ENTER:
   netsh interface ipv6 add route 2001:db8:0:0::/64 "Local Area Connection 2" publish=yes

Task 3: Disable IPv4 connectivity


1. Click Start, and in the Search box, type network and sharing and then press ENTER.
2. In the Network and Sharing Center, click Change adapter settings.
3. In the Network Connections box, right-click Local Area Connection 2 and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK. Close all open windows.
5. Switch to NYC-DC1.
6. Click Start, and in the Search box, type network and sharing and then press ENTER.
7. In the Network and Sharing Center, click Change adapter settings.
8. In the Network Connections box, right-click Local Area Connection 2 and then click Properties.
9. In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box.
10. Select the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK. Close all open windows.

Task 4: Test connectivity between each IPv6 subnet


1. Click Start, and in the Search box, type Windows Firewall and then press ENTER.
2. In the Windows Firewall with Advanced Security window, click Inbound Rules, right-click Inbound Rules and then click New Rule.
3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
4. On the Program page, click Next.
5. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.
6. On the Scope page, click Next.
7. On the Action page, click Next.
8. On the Profile page, click Next.
9. On the Name page, in the Name box, type Allow PING for IPv6 and then click Finish.
10. Click Start, and in the Search box, type cmd.exe and then press ENTER.
11. At the command prompt, type the following command and then press ENTER:
    ipconfig
    Note the new IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.
    NYC-DC1 IPv6 address: _____________________________________________
12. Switch to NYC-CL2.
13. Click Start, and in the Search box, type cmd.exe and then press ENTER.
14. At the command prompt, type the following command and then press ENTER:
    Ping global_IP_address
    Where global_IP_address is the NYC-DC1 address that you noted previously.
15. At the command prompt, type the following command and then press ENTER:
    Ipconfig /all
    Note the IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.
    NYC-CL2 IPv6 address: _____________________________________________
16. Switch to NYC-DC1 and switch to the Command Prompt.
17. At the command prompt, type the following command and then press ENTER:
    Ping global_IP_address
    Where global_IP_address is the NYC-CL2 address that you noted previously.

Results: At the end of this exercise, you will have configured an IPv6 only network.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-RTR and 6421B-NYC-CL2.

Module 5
Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access
Contents:
Lab A: Configuring and Managing Network Access
   Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
   Exercise 2: Configuring a Custom Network Policy
   Exercise 3: Create and Distribute a CMAK Profile
Lab B: Implementing DirectAccess
   Exercise 1: Configure the AD DS Domain Controller and DNS
   Exercise 2: Configure the PKI Environment
   Exercise 3: Configure the DirectAccess Clients and Test Intranet Access
   Exercise 4: Configure the DirectAccess Server
   Exercise 5: Verify DirectAccess Functionality

Lab A: Configuring and Managing Network Access


Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1
1. On NYC-EDGE1, if Server Manager does not open automatically, from the Administrative Tools menu, click Server Manager. The Server Manager opens.
2. In the Server Manager (NYC-EDGE1) list pane, right-click Roles and click Add Roles from the context menu. The Add Roles Wizard appears. Click Next.
3. On the Select Server Roles page, select Network Policy and Access Services and then click Next.
4. On the Network Policy and Access Services introduction page, click Next.
5. On the Select Role Services page, select the Network Policy Server and Routing and Remote Access Services check boxes, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, verify that Installation succeeded appears in the details pane and then click Close.
8. Close the Server Manager. The Network Policy and Routing and Remote Access Services roles are installed on 6421B-NYC-EDGE1.

Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients
1. On NYC-EDGE1, click Start and then click Administrative Tools.
2. From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote Access administrative tool appears.
3. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access.
4. Click Next on the wizard Welcome page.
5. On the Configuration page, leave the default Remote Access (dial-up or VPN) selected and click Next.
6. On the Remote Access page, select the VPN check box and click Next.
7. On the VPN Connection page, select the Public interface and then click Next.
8. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.
10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use Routing and Remote Access to authenticate connection requests and click Next. Click Finish.
11. In the Routing and Remote Access dialog box, click OK.
12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The Routing and Remote Access service starts.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1 (local), select and then right-click Ports, and then click Properties.
2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).
3. In the Configure Device WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.
4. In the Routing and Remote Access dialog box, click Yes to continue.
5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure Device WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.
6. In the Routing and Remote Access dialog box, click Yes to continue.
7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).
8. Click OK in the Ports Properties dialog box.
9. Close the Routing and Remote Access administrative tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.

Exercise 2: Configuring a Custom Network Policy

Task 1: Open the Network Policy Server management tool on 6421B-NYC-EDGE1
1. On NYC-EDGE1, click Start and then click Administrative Tools.
2. On the Administrative Tools menu, click Network Policy Server. The Network Policy Server administrative tool appears.

Task 2: Create a new network policy for RRAS clients
1. In the list pane, expand Policies, right-click Network Policies, and then click New.
2. On the New Network Policy Specify Network Policy Name and Connection Type page, type Secure VPN in the Policy name text box, and in the Type of network access server drop-down list, click Remote Access Server (VPN-Dial up) and then click Next.
3. On the Specify Conditions page, click Add.
4. On the Select Condition dialog box, scroll down and double-click Tunnel Type.
5. In the Tunnel Type dialog box, select L2TP, PPTP, and SSTP, click OK, and then click Next.
6. On the Specify Access Permission page, leave the default of Access granted and click Next.
7. On the Configure Authentication Methods page, clear Microsoft Encrypted Authentication (MSCHAP) and then click Next.
8. On the Configure Constraints page, under Constraints, click Day and time restrictions, and in the details pane, select Allow access only on these days and at these times, and click Edit. In the Day and time restrictions dialog box, click on the first blue rectangle in the left hand corner that represents Sunday midnight to 1AM. Hold the mouse button and drag your mouse to highlight all of Sunday. Click Denied. Repeat this procedure for all of Saturday. Click OK, and then click Next.
9. On the Configure Settings page, under Settings, click Encryption, and in the details pane, clear all settings except Strongest encryption (MPPE 128-bit). Click Next and then click Finish.
10. In the list pane of the Network Policy Server tool, click the Network Policies node.
11. If necessary, right-click the Secure VPN policy and then click Move Up. Repeat this step to make the policy the first in the list.
12. Close the Network Policy Server tool.

Task 3: Create and Test a VPN connection
1. Switch to the NYC-CL1 computer.
2. Click Start and then click Control Panel.
3. In the Control Panel window, under Network and Internet, click View network status and tasks.
4. In the Network and Sharing Center window, click Change adapter settings.
5. Right-click Local Area Connection 3 and then click Properties.
6. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
8. Configure the following IP address settings and then click OK:
   IP Address: 131.107.0.20
   Subnet mask: 255.255.255.0
   Default gateway: 131.107.0.1
9. Click Close and then click the Back button to return to the Network and Sharing Center.
10. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.
11. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I'll set up an Internet connection later.
12. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.
13. On the Type your user name and password page, leave the user name and password blank and then click Create.
14. Click Close in the Connect to a Workplace dialog box.
15. In the Network and Sharing Center window, click Change adapter settings.
16. On the Network Connections page, right-click Contoso VPN and then click Connect.
17. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   The VPN connects successfully.
18. Right-click Contoso VPN and click Disconnect. The VPN disconnects.
19. Close all open windows on NYC-CL1.

Results: At the end of this exercise, you will have created and tested a VPN connection.

Exercise 3: Create and Distribute a CMAK Profile


Task 1: Install the CMAK feature on NYC-CL1
1. Click Start and then click Control Panel.
2. In Control Panel, click Programs.
3. In Programs, click Turn Windows features on or off.
4. In the Windows Features list, select the RAS Connection Manager Administration Kit (CMAK) check box and then click OK.
5. Close Programs and close Control Panel.

Task 2: Create the connection profile


1. Click Start, and in the Search box, type Connection Manager Administration Kit, and then, in the Programs (1) list, click Connection Manager Administration Kit.
2. In the Connection Manager Administration Kit Wizard, click Next.
3. On the Select the Target Operating System page, click Windows 7 or Windows Vista and then click Next.
4. On the Create or Modify a Connection Manager profile page, click New Profile and then click Next.
5. On the Specify the Service Name and the File Name page, in the Service name box, type Contoso HQ, in the File name box type Contoso and then click Next.
6. On the Specify a Realm Name page, click Do not add a realm name to the user name and then click Next.
7. On the Merge Information from Other Profiles page, click Next.
8. On the Add Support for VPN Connections page, select the Phone book from this profile check box.
9. In the VPN server name or IP address box, type 131.107.0.2 and then click Next.
10. On the Create or Modify a VPN Entry page, click Next.
11. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box and then click Next.
12. On the Configure Dial-up Networking Entries page, click Next.
13. On the Specify Routing Table Updates page, click Next.
14. On the Configure Proxy Settings for Internet Explorer page, click Next.
15. On the Add Custom Actions page, click Next.
16. On the Display a Custom Logon Bitmap page, click Next.
17. On the Display a Custom Phone Book Bitmap page, click Next.
18. On the Display Custom Icons page, click Next.
19. On the Include a Custom Help File page, click Next.
20. On the Display Custom Support Information page, click Next.
21. On the Display a Custom License Agreement page, click Next.
22. On the Install Additional Files with the Connection Manager profile page, click Next.
23. On the Build the Connection Manager Profile and Its Installation Program page, click Next.
24. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.

Task 3: Distribute the profile


1. Switch to NYC-DC1.
2. Click Start, click Computer, and then double-click Allfiles (D:).
3. In Windows Explorer, on the menu, click New folder, type Contoso Profile, and then press ENTER.
4. Right-click Contoso Profile and then click Properties.
5. On the Sharing tab, click Advanced Sharing.
6. In the Advanced Sharing dialog box, select the Share this folder check box and then click Permissions.
7. In the Permissions for Contoso Profile dialog box, click Add.
8. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type administrators and then click OK.
9. In the Permissions for Contoso Profile dialog box, in the Permissions for Administrators list, select the Full Control Allow check box and then click OK.
10. In the Advanced Sharing dialog box, click OK.
11. In the Contoso Profile Properties dialog box, click Close.
12. Switch to NYC-CL1.
13. Click Start, and in the Search box, type Network and Sharing and then press ENTER.
14. In the Network and Sharing Center window, click Change adapter settings.
15. On the Network Connections page, right-click Contoso VPN and then click Connect.
16. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   The VPN connects successfully.
17. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.
18. Click Start, and in the Search box, type C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso.
19. Highlight all files in the open Explorer window and then press CTRL + C.
20. Switch to the \\NYC-DC1\Contoso Profile folder and press CTRL + V.
21. Close all open windows.
22. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.
23. Double-click the Contoso application.
24. In the Contoso HQ dialog box, click Yes.
25. On the Make this connection available for page, click All users, select the Add a shortcut on the desktop, and then click OK.
26. In the Contoso HQ dialog box, click Cancel.
27. In Network Connections, right-click Contoso VPN and click Disconnect.
28. On the desktop, double-click Contoso HQ Shortcut.
29. Use the following information in the Connect Contoso HQ text boxes and then click Connect:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   The VPN connects successfully.
30. Right-click Contoso HQ - Shortcut and click Disconnect. The VPN disconnects.
31. Close all open windows on NYC-CL1.

Results: At the end of this exercise, you will have created and distributed a CMAK profile.

Preparing for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab B: Implementing DirectAccess


Exercise 1: Configure the AD DS Domain Controller and DNS
Task 1: Create a security group for DirectAccess computers
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users, point to New, and then click Group.
4. In the New Object - Group dialog box, under Group name, type DA_Clients.
5. Under Group scope, select Global, under Group type, choose Security, and then click OK.
6. In the details pane, double-click DA_Clients.
7. In the DA_Clients Properties dialog box, click the Members tab and then click Add.
8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, click the Computers check box, and then click OK.
9. Under Enter the object names to select (examples), type NYC-CL1 and then click OK.
10. Verify that NYC-CL1 is displayed below Members and then click OK.
11. Close the Active Directory Users and Computers console.

Question: Why did you create the DA_Clients group?
Answer: To enable the application of DirectAccess security settings to DirectAccess computers that are a member of this security group.

Task 2: Configure firewall rules for ICMPv6 traffic


Note: This task is performed to enable subsequent testing of DirectAccess in the lab environment.
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, open Forest: Contoso.com\Domains\contoso.com.
3. In the console tree, right-click Default Domain Policy and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.
5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom and then click Next.
7. On the Program page, click Next.
8. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
10. Click Next.
11. On the Scope page, click Next.
12. On the Action page, click Next.
13. On the Profile page, click Next.
14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests and then click Finish.
15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.
16. On the Rule Type page, click Custom and then click Next.
17. On the Program page, click Next.
18. On the Protocols and Ports page, for Protocol type, click ICMPv6 and then click Customize.
19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Allow the connection and then click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests and then click Finish.
25. Close the Group Policy Management Editor and Group Policy Management consoles.

Task 3: Create required DNS records on NYC-DC1


1. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree of DNS Manager, expand NYC-DC1\Forward Lookup Zones\contoso.com.
3. Right-click contoso.com and then click New Host (A or AAAA).
4. In the Name box, type nls. In the IP address box, type 10.10.0.24. Click Add Host and then click OK.
5. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP address box, type 10.10.0.15 and then click Add Host.
6. In the DNS dialog box informing you that the record was created, click OK.
7. Click Done in the New Host dialog box.
8. Close the DNS Manager console.

Question: What is the purpose of the nls.contoso.com DNS host record that you associated with an internal IP address?
Answer: To enable intranet-based DirectAccess clients to locate the Network Location Server while in the intranet.

Task 4: Remove ISATAP from DNS global query block list


1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the command prompt window, type the following command and then press ENTER:
   dnscmd /config /globalqueryblocklist wpad
3. Close the command prompt window.

Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.

Exercise 2: Configure the PKI Environment


Task 1: Configure the CRL distribution settings
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the details pane, right-click ContosoCA and then click Properties.
3. In the ContosoCA Properties dialog box, click the Extensions tab.
4. On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.
5. In Variable, click <CAName> and then click Insert.
6. In Variable, click <CRLNameSuffix> and then click Insert.
7. In Variable, click <DeltaCRLAllowed> and then click Insert.
8. In Location, type .crl at the end of the Location string and then click OK.
9. Select the "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates" check boxes, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.
10. Click Add.
11. In Location, type \\nyc-Edge1\crldist$\.
12. In Variable, click <CaName> and then click Insert.
13. In Variable, click <CRLNameSuffix> and then click Insert.
14. In Variable, click <DeltaCRLAllowed> and then click Insert.
15. In Location, type .crl at the end of the string and then click OK.
16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
17. Click Yes to restart Active Directory Certificate Services.
18. Close the Certification Authority console.

Question: What is the purpose of the certificate revocation list?
Answer: To enable DirectAccess clients and servers to determine whether issued certificates (used for authentication) have been revoked.

Task 2: Configure the DNS suffix on Edge1


1. Switch to NYC-Edge1.
2. Click Start, and in the Search box, type Network and Sharing Center and then press ENTER.
3. Click Change adapter settings.
4. Right-click Local Area Connection 2 and then click Properties.
5. Double-click Internet Protocol Version 4 (TCP/IPv4).
6. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.
7. On the DNS tab, in the DNS suffix for this connection box, type Contoso.com and then click OK.
8. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.
9. In the Local Area Connection 2 Properties dialog box, click Close.
10. Close Network Connections.

Task 3: Install the web server role on Edge1


1. On NYC-Edge1, switch to Server Manager.
2. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles and then click Next.
3. On the Select Server Roles page, click Web Server (IIS) and then click Next three times.
4. Click Install.
5. Verify that all installations were successful and then click Close.
6. Leave the Server Manager window open.

Task 4: Create CRL distribution point on NYC-EDGE1


1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
3. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis button.
4. In the Browse for Folder dialog box, click Local Disk (C:) and then click Make New Folder.
5. Type CRLDist and then press ENTER. Click OK in the Browse for Folder dialog box.
6. Click OK in the Add Virtual Directory dialog box.
7. In the middle pane of the console, double-click Directory Browsing and in the details pane, click Enable.
8. In the console tree, click the CRLD folder.
9. In the middle pane of the console, double-click the Configuration Editor icon.
10. Click the down-arrow for the Section drop-down list, and then browse to system.webServer\security\requestFiltering.
11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
12. In the details pane, click Apply.
13. Close Internet Information Services (IIS) Manager.

Question: Why do you make the CRL available on the DirectAccess server in the perimeter network?
Answer: So that Internet DirectAccess clients can access the CRL.

Task 5: Share and secure the CRL distribution point


Note: You perform this step to assign permissions to the CRL distribution point.
1. Click Start and then click Computer.
2. Double-click Local Disk (C:).
3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.
4. In the CRLDist Properties dialog box, click the Sharing tab and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, select Share this folder.
6. In Share name, add a dollar sign ($) to the end so that the share name is CRLDist$.
7. In the Advanced Sharing dialog box, click Permissions.
8. In the Permissions for CRLDist$ dialog box, click Add.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
10. In the Object Types dialog box, select Computers and then click OK.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1 and then click Check Names. Click OK.
12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control. Click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the CRLDist Properties dialog box, click the Security tab.
15. On the Security tab, click Edit.
16. In the Permissions for CRLDist dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select Computers. Click OK.
19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, click Check Names, and then click OK.
20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control and then click OK.
21. In the CRLDist Properties dialog box, click Close.
22. Close the Windows Explorer window.

Task 6: Publish the CRL to NYC-EDGE1


Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Certification Authority.
3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
4. In the Publish CRL dialog box, click New CRL, and then click OK.
5. Click Start, type \\NYC-EDGE1\CRLDist$, and press ENTER.
6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.
7. Close the Windows Explorer window.
8. Close the Certification Authority console.

Task 7: Configure permissions on the web server certificate template


Note: Users require the Enroll permission on the certificate.
1. Click Start, type certtmpl.msc, and then press ENTER.
2. In the contents pane, right-click the Web Server template and then click Properties.
3. Click the Security tab and then click Authenticated Users.
4. In the Permissions for Authenticated Users window, click Enroll under Allow and then click OK.
5. Close the Certificate Templates console.

Task 8: Configure computer certificate auto-enrollment


1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
3. In the details pane, right-click Default Domain Policy and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
6. In the Automatic Certificate Request Setup Wizard, click Next.
7. On the Certificate Template page, click Computer, click Next, and then click Finish.
8. Close the Group Policy Management Editor and close the Group Policy Management console.

Question: Why would you use GPO to configure certificate deployment?
Answer: To more quickly and effortlessly deploy the required certificates to DirectAccess client computers.

Results: At the end of this exercise, you will have configured the public key infrastructure in Contoso to support the deployment of DirectAccess.

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access


Task 1: Create a shared folder
Note: This step is required to provide some data that both intranet and Internet clients can access.
1. Switch to NYC-SVR1.
2. Click Start and then click Computer.
3. Double-click Local Disk (C:).
4. Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.
5. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.
6. In the Untitled Notepad window, type This is a shared file.
7. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.
8. In File name, type example.txt, and then click Save. Close the Notepad window.
9. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.
10. Click Share and then click Done.
11. Close the Local Disk window.

Task 2: Request a certificate for NYC-SVR1


1. Click Start, type cmd, and then press ENTER.
2. At the command prompt, type gpupdate /force and then press ENTER.
3. Close the command prompt.
4. Click Start, type mmc, and then press ENTER.
5. Click File and then click Add/Remove Snap-in.
6. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
7. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
8. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
9. Click Next twice.
10. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.
11. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.
12. In Value, type nls.contoso.com and then click Add.
13. Click OK, click Enroll, and then click Finish.
14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.contoso.com was enrolled with Intended Purposes of Server Authentication.
15. Close the console window. When you are prompted to save settings, click No.

Task 3: Change the HTTPS bindings


1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites and then click Default Web site.
3. In the Actions pane, click Bindings. Click Add.
4. In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the name nls.contoso.com, click OK, and then click Close.
5. Close the Internet Information Services (IIS) Manager console.

Task 4: Install a certificate on the client computer


1. Switch to NYC-CL1.
2. Click Start, type cmd, and then press ENTER.
3. At the command prompt, type gpupdate /force and then press ENTER.
4. Close the command prompt.
5. Click Start, type mmc, and then press ENTER.
6. Click File and then click Add/Remove Snap-in.
7. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
8. In the console tree, expand Certificates (Local Computer)\Personal\Certificates.
9. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
10. Click Next twice.
11. Select Computer, and then click Enroll. Click Finish.
12. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.
13. Close the console window. When you are prompted to save settings, click No.

Question: Why did you install a certificate on the client computer?
Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess server.

Task 5: Test intranet access


1. From the taskbar, click the Internet Explorer icon.
2. In the Address bar, type http://nyc-svr1.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.
3. In the Address bar, type https://nls.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.
4. Leave the Internet Explorer window open.
5. Click Start, type \\NYC-SVR1\Files, and then press ENTER.
6. You should see a folder window with the contents of the Files shared folder.
7. In the Files shared folder window, double-click the example.txt file. You should see the contents of the example.txt file.
8. Close all open windows.

Results: At the end of this exercise, you tested Intranet access.

Exercise 4: Configure the DirectAccess Server


Task 1: Obtain required certificates for NYC-EDGE1
1. Switch to NYC-Edge1.
2. Click Start, type mmc, and then press ENTER.
3. Click File and then click Add/Remove Snap-ins.
4. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
5. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
7. Click Next twice.
8. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.
9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.
10. In the Value box, type nyc-edge1.contoso.com and then click Add.
11. Click OK, click Enroll, and then click Finish.
12. In the details pane of the Certificates snap-in, verify that a new certificate with the name nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.
13. Right-click the certificate and then click Properties.
14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.
15. Close the console window. If you are prompted to save settings, click No.

Task 2: Install DirectAccess feature on NYC-EDGE1


1. Switch to Server Manager.
2. In the main window, under Features Summary, click Add features.
3. On the Select Features page, select DirectAccess Management Console.
4. In the Add Features Wizard window, click Add Required Features.
5. On the Select Features page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 3: Run DirectAccess setup wizard on NYC-EDGE1


Note: This step configures NYC-EDGE1 as a DirectAccess server.
1. Open a command prompt and type the following command, and then press ENTER:
   GPUpdate /force
2. Close the command prompt.
3. Click Start, point to Administrative Tools, and then click DirectAccess Management.
4. In the console tree, click Setup. In the details pane, click Configure for step 1.
5. On the DirectAccess Client Setup page, click Add.
6. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.
7. Click Configure for step 2.
8. On the Connectivity page, for Interface connected to the Internet, select the interface named Public. For Interface connected to the internal network, select the Local Area Connection 2, and then click Next.
   Note: If you receive a warning that the local area connection network adapter must be connected to a Domain network, close the Direct Access Management console. Open Server Manager and click Configure Network Connections. Disable the Local Area Connection and re-enable it. Restart the Direct Access Management console.
9. On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate and then click OK.
10. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and then click Finish.
11. Click Configure for step 3.
12. On the Location page, click Network Location server is run on a highly available server, type https://nls.contoso.com, click Validate, and then click Next.
13. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6 address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier (::0:5efe:10.10.0.10). Click Next.
14. On the Management page, click Finish.
15. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish.
16. Click Save and then click Finish.
17. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.

Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.


Exercise 5: Verify DirectAccess Functionality


Task 1: Create DNS records on INET1
Note: Typically, you would configure this record on your public facing DNS servers.

1. Switch to INET1.
2. Click Start, point to Administrative Tools, and then click DNS.
3. In the console tree, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).
4. In the Name box, type crl. In IP address, type 131.107.0.2.
5. Click Add Host, click OK, and then click Done.
6. Close the DNS console.

Task 2: Update IPv6 configuration on NYC-SVR1 and NYC-DC1


Note: These steps enable the required IPv6 settings to support DirectAccess.

1. Switch to NYC-SVR1.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type the following command and then press ENTER:
    net stop iphlpsvc
4. At the command prompt, type the following command and then press ENTER:
    net start iphlpsvc
5. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.24.
    ipconfig
6. Close the command prompt window.
7. Switch to NYC-DC1.
8. Click Start, click All Programs, click Accessories, and then click Command Prompt.
9. At the command prompt, type the following command and then press ENTER:
    net stop iphlpsvc
10. At the command prompt, type the following command and then press ENTER:
    net start iphlpsvc
11. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.10.
    ipconfig
12. Close the command prompt window.

Task 3: Update GPO and IPv6 settings on NYC-CL1


1. Switch to NYC-CL1.
2. Restart NYC-CL1 and then log back on as Contoso\Administrator with the password of Pa$$w0rd. This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients security group.
3. Click Start, click All Programs, click Accessories, and then click Command Prompt.
4. At the command prompt, type the following command and then press ENTER:
    gpupdate /force
5. At the command prompt, type the following command and then press ENTER:
    net stop iphlpsvc
6. At the command prompt, type the following command and then press ENTER:
    net start iphlpsvc
7. At the command prompt, type the following command and then press ENTER. Verify that the client has been issued an ISATAP address that ends with 10.10.10.1.
    ipconfig
8. At the command prompt, type the following command and then press ENTER:
    Gpresult -R
9. Verify that one Direct Access Group Policy object is being applied to the client computer. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart NYC-CL1. After the computer restarts, log on as Administrator and run the Gpresult -R command again.

Task 4: Verify ISATAP connectivity


1. At the command prompt, type the following command and then press ENTER:
    Ipconfig /flushdns
2. At the command prompt, type the following command and then press ENTER:
    ping 2002:836b:2:1::5efe:10.10.0.10
3. At the command prompt, type the following command and then press ENTER:
    ping 2002:836b:2:1::5efe:10.10.0.24
4. At the command prompt, type the following command and then press ENTER:
    ping NYC-DC1.contoso.com
5. At the command prompt, type the following command and then press ENTER:
    ping NYC-SVR1.contoso.com
6. All these commands should result in a successful response.

Task 5: Move NYC-CL1 to the Internet


Note: To verify functionality, you must move the client computer to the Internet.

1. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.
2. Click Network and Sharing Center.
3. Click Change Adapter Settings.
4. Right-click Local Area Connection 3 and then click Properties.
5. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK.
    IP address: 131.107.0.10
    Subnet mask: 255.255.0.0
    Default gateway: 131.107.0.2
    Preferred DNS server: 131.107.0.1
7. In the Local Area Connection 3 Properties dialog box, click Close.
8. In Network Connections, right-click Local Area Connection 3 and then click Disable.
9. In Network Connections, right-click Local Area Connection 3 and then click Enable.
10. In the Set Network Location dialog box, click Public network and then click Close.

Task 6: Verify connectivity to Internet resources


1. At the command prompt, type the following command and then press ENTER:
    ping inet1.isp.example.com
2. From the taskbar, click the Internet Explorer icon.
3. In the Address bar, type http://inet1.isp.example.com/ and then press ENTER. You should see the default IIS 7 Web page for INET1.


Task 7: Verify access to web-based and shared folder resources


1. At the command prompt, type the following command and then press ENTER:
    ping NYC-SVR1
2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 web page for NYC-SVR1.
3. Close Internet Explorer.
4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.
5. In the Files shared folder window, double-click the example.txt file.
6. Close the example.txt - Notepad window and the Files shared folder window.

Task 8: Examine NYC-CL1 IPv6 configuration


1. At the command prompt, type the following command and then press ENTER:
    ipconfig
2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4 Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4 address that begins with 131.107. Notice that this tunnel interface has a default gateway of 2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6 traffic to EDGE1.
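The address arithmetic described in step 13 of the DirectAccess server setup and in Task 8 above, worked through as an added Python example. It is not part of the original lab, and the function names are assumptions introduced here. It derives the 6to4 prefix from a public IPv4 address, builds an ISATAP address under a /64 prefix, and recovers both embedded IPv4 addresses from an address reported by ipconfig.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214). The 0x02000000
# bit is the "u" flag: set when the embedded IPv4 address is globally unique,
# clear for private addresses such as the lab's 10.10.0.x hosts.
ISATAP_ID = 0x00005EFE
ISATAP_U_FLAG = 0x02000000


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64: str, host_ipv4: str) -> ipaddress.IPv6Address:
    """Append the ISATAP interface identifier ::[0|200]:5efe:a.b.c.d to a /64."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    host = ipaddress.IPv4Address(host_ipv4)
    upper = ISATAP_ID | (0 if host.is_private else ISATAP_U_FLAG)
    return ipaddress.IPv6Address(int(net.network_address) | (upper << 32) | int(host))


def decode(address: str) -> dict:
    """Report the IPv4 addresses embedded in a 6to4 and/or ISATAP address."""
    value = int(ipaddress.IPv6Address(address))
    found = {"6to4_router": None, "isatap_host": None}
    # 6to4: the 32 bits after the 2002::/16 prefix are the relay's public IPv4.
    if value >> 112 == 0x2002:
        found["6to4_router"] = str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))
    # ISATAP: interface identifier is 0000:5efe or 0200:5efe followed by the IPv4.
    upper_id = (value >> 32) & 0xFFFFFFFF
    if (upper_id & ~ISATAP_U_FLAG) == ISATAP_ID:
        found["isatap_host"] = str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    return found


def isatap_matches(address: str, expected_ipv4: str) -> bool:
    """The lab's check: does the ISATAP address end with the expected IPv4?"""
    return decode(address)["isatap_host"] == expected_ipv4


if __name__ == "__main__":
    # Values taken from the lab text: EDGE1's public address and the hosts
    # that Tasks 2 and 4 verify.
    print(sixto4_prefix("131.107.0.2"))                       # EDGE1's 6to4 prefix
    print(isatap_address("2002:836b:2:1::/64", "10.10.0.10"))  # NYC-DC1
    for addr in ("2002:836b:2:1:0:5efe:10.10.0.10",
                 "2002:836b:2:1::5efe:10.10.0.24",
                 "2002:836b:2::836b:2"):
        print(addr, decode(addr))
```
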

Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-NYC-INET1, and 6421B-NYC-CL1.

Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Module 6
Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment
Exercise 4: Configuring and Testing the VPN


Lab: Configuring and Managing Network Policy Server


Exercise 1: Installing and Configuring the Network Policy Server Role Service
Task 1: Install the Network Policy and Access Services role
1. Switch to NYC-DC1.
2. On the Taskbar, click Server Manager.
3. In the Server Manager navigation pane, click Roles.
4. In the right pane, click Add Roles.
5. In the Add Roles Wizard, click Next.
6. On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.
7. On the Network Policy and Access Services Introduction page, click Next.
8. On the Select Role Services page, select the Network Policy Server check box and then click Next.
9. On the Confirm Installation Selections page, click Install.
10. On the Installation Results page, click Close.
11. Close Server Manager.

Task 2: Register NPS in AD DS


1. Click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the navigation pane, right-click NPS (Local) and then click Register server in Active Directory.
3. In the Network Policy Server message box, click OK.
4. Click OK again in the subsequent Network Policy Server message box.

Task 3: Configure NYC-DC1 as a RADIUS server for VPN connections


1. In the Network Policy Server management tool, in the Getting Started details pane, open the drop-down list under Standard Configuration and then click RADIUS server for Dial-Up or VPN Connections.
2. Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up.
3. In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept the default name, and then click Next.
4. On the RADIUS clients page, click Add.
5. In the New RADIUS Client dialog box, in the Friendly Name box, type NYC-EDGE1 and then click Verify.
6. In the Verify Address dialog box, in the address box, type NYC-EDGE1, click Resolve, and then click OK.
7. In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd and then click OK.
8. On the Specify Dial-Up or VPN Server page, click Next.
9. On the Configure Authentication Methods page, select the Extensible Authentication Protocol and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check boxes and then click Next.
10. On the Specify User Groups page, click Next.
11. On the Specify IP Filters page, click Next.
12. On the Specify Encryption Settings page, clear the Basic encryption and Strong encryption check boxes and then click Next.
13. On the Specify a Realm Name page, click Next.
14. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish.
15. Close the Network Policy Server administrative tool.

Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.


Exercise 2: Configuring a RADIUS Client


Task 1: Install Routing and Remote Access Services on NYC-EDGE1
1. Switch to NYC-EDGE1.
2. On the Taskbar, click Server Manager.
3. In the Server Manager navigation pane, click Roles, and then in the right pane, click Add Roles.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.
6. On the Network Policy and Access Services page, click Next.
7. On the Select Role Services page, select the Routing and Remote Access Services check box and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close the Server Manager window.

Task 2: Configure NYC-EDGE1 as a VPN Server


1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the navigation pane, select NYC-EDGE1 (local).
3. Right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access.
4. In the Routing and Remote Access Server Setup Wizard, on the Welcome page, click Next.
5. On the Configuration page, click Remote Access (dial-up or VPN) and click Next.
6. On the Remote Access page, select the VPN check box and click Next.
7. On the VPN Connection page, select the network interface with the IP address of 131.107.0.2, 131.107.0.3 and then click Next.
8. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.
10. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server and then click Next.
11. On the RADIUS Server Selection page, in the Primary RADIUS server box, type NYC-DC1.
12. In the Shared secret box, type Pa$$w0rd and then click Next.
13. Click Finish.
14. In the Routing and Remote Access dialog box, click OK. The Routing and Remote Access service starts.

Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.


Exercise 3: Configuring Certificate Auto-Enrollment


Task 1: Configure automatic enrolment with group policy
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In the Group Policy Management list pane, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
4. In the list pane, under Contoso.com, right-click Default Domain Policy and then click Edit.
5. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
6. In the navigation pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
7. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.
8. On the Certificate Template page, accept the default setting of Computer and then click Next.
9. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish.
10. Close the Group Policy Management Editor.
11. Close the Group Policy Management tool.
12. Switch to NYC-CL1.
13. Restart the computer and then log on using the following credentials:
    User name: Administrator
    Password: Pa$$w0rd
    Domain: Contoso
14. Click Start, type MMC in the Search box, and then press ENTER.
15. In the Console1 window, click File and then click Add/Remove Snap-in.
16. In the Add or Remove Snap-ins box, select Certificates and then click Add.
17. In the Certificates snap-in box, select Computer account and then click Next.
18. In the Select Computer box, select Local computer and then click Finish.
19. Click OK to close the Add or Remove Snap-ins box.
20. In the Console1 window, expand Certificates (Local Computer).
21. Expand Personal, and then click Certificates. Notice that NYC-CL1.Contoso.com is displayed. You now can use this certificate as an authentication mechanism.

Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.


Exercise 4: Configuring and Testing the VPN


Task 1: Reconfigure the NYC-CL1 computer onto the public network
1. Click Start and then click Control Panel.
2. In Control Panel, under Network and Internet, click View network status and tasks.
3. In the Network and Sharing Center window, click Change adapter settings.
4. Right-click Local Area Connection 3 and then click Properties.
5. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
6. Configure the following IP address settings and then click OK:
    IP Address: 131.107.0.20
    Subnet mask: 255.255.255.0
    Default gateway: 131.107.0.1
7. Click Close and then click the Back button to return to the Network and Sharing Center.

Task 2: Create and test a VPN connection


1. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network.
2. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.
3. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I'll set up an Internet connection later.
4. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.
5. On the Type your user name and password page, leave the user name and password blank and then click Create.
6. Click Close in the Connect to a Workplace dialog box.
7. In the Network and Sharing Center window, click Change adapter settings.
8. On the Network Connections page, right-click Contoso VPN and then click Properties.
9. In the Contoso VPN Properties dialog box, click the Security tab. In the Type of VPN list, click Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
10. In the Data encryption list, click Maximum strength encryption (disconnect if server declines) and then click OK.
11. On the Network Connections page, right-click Contoso VPN and then click Connect.
12. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
    User name: Administrator
    Password: Pa$$w0rd
    Domain: Contoso
    The VPN connects successfully.
13. Right-click Contoso VPN and click Disconnect. The VPN disconnects.
14. Close all open windows on NYC-CL1. Do not save Console 1.

Results: At the end of this exercise, you will have verified the VPN solution.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab Answer Key: Implementing Network Access Protection

Module 7
Lab Answer Key: Implementing Network Access Protection
Contents:
Exercise 1: Configuring NAP Components
Exercise 2: Configuring Client Settings to Support NAP


Lab: Implementing NAP into a VPN Remote Access Solution


Exercise 1: Configuring NAP Components
Task 1: Configure a Computer Certificate
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then select Manage from the context menu.
3. In the Certificate Templates Console details pane, right-click Computer and then choose Properties from the context menu.
4. Click on the Security tab in the Computer Properties dialog box and then select Authenticated Users.
5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission and then click OK.
6. Close the Certificate Templates Console and then close the certsrv management console.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server


1. Switch to the NYC-EDGE1 computer.
2. Obtain the computer certificate and install on NYC-EDGE1 for server-side PEAP authentication:
    a. Click Start, click Run, type mmc, and then press ENTER.
    b. On the File menu, click Add/Remove Snap-in.
    c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
    d. Click OK to close the Add or Remove Snap-ins dialog box.
    e. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
    f. The Certificate Enrollment dialog box opens. Click Next.
    g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
    h. Select the Computer check box and then click Enroll.
    i. Verify the status of certificate installation as Succeeded and then click Finish.
    j. Close the Console1 window.
    k. Click No when prompted to save console settings.


3. Install the NPS Server role:
    a. On NYC-EDGE1, switch to Server Manager.
    b. Click Roles, and then under Roles Summary, click Add Roles and then click Next.
    c. Select the Network Policy and Access Services check box and then click Next twice.
    d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.
    e. Verify that the installation was successful and then click Close.
    f. Close the Server Manager window.

4. Configure NPS as a NAP health policy server:
    a. Click Start, point to Administrative Tools, and then click Network Policy Server.
    b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
    c. In the right pane under Name, double-click Default Configuration.
    d. On the Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box.
    e. Click OK to close the Windows Security Health Validator dialog box.

5. Configure health policies:
    a. Expand Policies.
    b. Right-click Health Policies and then click New.
    c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
    d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
    e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
    f. Click OK.
    g. Right-click Health Policies and then click New.
    h. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
    i. Under Client SHV checks, select Client fails one or more SHV checks.
    j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
    k. Click OK.

6. Configure network policies for compliant computers:
    a. Ensure that Policies is expanded.
    b. Click Network Policies.
    c. Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.
    d. Right-click Network Policies and then click New.
    e. In the Specify Network Policy Name And Connection Type window, under Policy name, type Compliant-Full-Access and then click Next.
    f. In the Specify Conditions window, click Add.
    g. In the Select condition dialog box, double-click Health Policies.
    h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
    i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.
    j. In the Specify Access Permission window, verify that Access granted is selected.
    k. Click Next three times.
    l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.
    m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
    a. Right-click Network Policies and then click New.
    b. In the Specify Network Policy Name And Connection Type window, under Policy name, type Noncompliant-Restricted and then click Next.
    c. In the Specify Conditions window, click Add.
    d. In the Select condition dialog box, double-click Health Policies.
    e. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.
    f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant and then click Next.
    g. In the Specify Access Permission window, verify that Access granted is selected.

    Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.

    h. Click Next three times.
    i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and remove the check box next to Enable auto-remediation of client computers.
    j. In the Configure Settings window, click IP Filters.
    k. Under IPv4, click Input Filters and then click New.
    l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.
    m. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Inbound Filters dialog box.
    n. Click OK to close the Inbound Filters dialog box.
    o. Under IPv4, click Output Filters and then click New.
    p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.
    q. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.
    r. Click OK to close the Outbound Filters dialog box.
    s. In the Configure Settings window, click Next.
    t. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
    a. Click Connection Request Policies.
    b. Disable the default Connection Request policy that is found under Policy Name by right-clicking the policy and then clicking Disable.
    c. Right-click Connection Request Policies and then click New.
    d. In the Specify Connection Request Policy Name And Connection Type window, under Policy name, type VPN connections.
    e. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.
    f. In the Specify Conditions window, click Add.
    g. In the Select Condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP. Click OK and then click Next.
    h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.
    i. In the Specify Authentication Methods window, select Override network policy authentication settings.
    j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.
    k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.
    l. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.
    m. Verify that Enforce Network Access Protection is selected and then click OK.
    n. Click Next twice and then click Finish.
9. Close the Network Policy Server console.


Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server
1. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access console, right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box and then click Next.
5. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when it is attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients and then click Next.
8. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next.
9. Click Finish.
10. Click OK twice and wait for the Routing and Remote Access Service to start.
11. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.
12. Click Connection Request Policies, and in the results pane, right-click the Microsoft Routing and Remote Access Service Policy and then click Disable.
13. Close the Network Policy Server management console.
14. Close Routing and Remote Access.

Task 4: Allow ping on NYC-EDGE1


1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Click on Inbound Rules, right-click Inbound Rules, and then click New Rule.
3. Select Custom and then click Next.
4. Select All programs and then click Next.
5. Next to Protocol type, select ICMPv4 and then click Customize.
6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
7. Click Next to accept the default scope.
8. In the Action window, verify that Allow the connection is selected and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request and then click Finish.
11. Close the Windows Firewall with Advanced Security console.

Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.


Exercise 2: Configuring Client Settings to Support NAP


Task 1: Configure Security Center
1. Switch to the NYC-CL1 computer.
2. Configure NYC-CL1 so that Security Center is always enabled:
    a. Click Start, point to All Programs, click Accessories, and then click Run.
    b. Type gpedit.msc and then press ENTER.
    c. In the console tree, click Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.
    d. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
    e. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement


1. Enable the remote-access, quarantine-enforcement client:
    a. Click Start, click All Programs, click Accessories, and then click Run.
    b. Type napclcfg.msc and then press ENTER.
    c. In the console tree, click Enforcement Clients.
    d. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.
    e. Close the NAP Client Configuration window.
2. Enable and start the NAP agent service:
    a. Click Start, click Control Panel, click System and Security, and then click Administrative Tools.
    b. Double-click Services.
    c. In the Services list, double-click Network Access Protection Agent.
    d. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.
    e. Wait for the NAP Agent service to start and then click OK.
    f. Close the Services console and then close the Administrative Tools and System and Security windows.

Task 3: Move the client to the Internet


1. Configure NYC-CL1 for the Internet network segment:
    a. Click Start, click Control Panel, and then click Network and Internet.
    b. Click Network and Sharing Center.
    c. Click Change adapter settings.
    d. Right-click Local Area Connection 3 and then click Properties.
    e. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
    f. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Do not configure the Default gateway.
    g. Click Use the following DNS server addresses.
    h. Click OK and then click Close to close the Local Area Connection 3 Properties dialog box.
    i. Close the Network Connections window.
2. Verify network connectivity for NYC-CL1:
    a. Click Start, click All Programs, click Accessories, and then click Run.
    b. Type cmd and then press ENTER.
    c. At the command prompt, type ping 131.107.0.2 and press ENTER.
    d. Verify that the response reads Reply from 131.107.0.2.
    e. Close the command window.

Task 4: Create a VPN on NYC-CL1


1. Configure a VPN connection:
   a. Click Start, click Control Panel, and then click Network and Internet.
   b. Click Network and Sharing Center.
   c. Click Set up a new connection or network.
   d. On the Choose a connection option page, click Connect to a workplace and then click Next.
   e. On the How do you want to connect page, click Use my Internet connection (VPN).
   f. Click I'll set up an Internet connection later.
   g. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN. Select the Allow other people to use this connection check box and then click Next.
   h. On the Type your user name and password page, type administrator next to User name and type Pa$$w0rd next to Password. Select the Remember this password check box, type Contoso next to Domain (optional), and then click Create.
   i. On The connection is ready to use page, click Close.
   j. In the Network And Sharing Center window, click Change adapter settings.
   k. Right-click the Contoso VPN connection, click Properties, and then click the Security tab.
   l. Under Authentication, click Use Extensible Authentication Protocol (EAP).
   m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.
   n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box.
   o. Click OK twice to accept these settings.

2. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   c. You are presented with a Windows Security Alert window the first time that this VPN connection is used. Click Details and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.
   d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.
   e. Click Start, click All Programs, click Accessories, and then click Command Prompt.
   f. Type ipconfig /all and view the IP configuration. System Quarantine State should be Not Restricted.
   g. In the Command window, type ping 10.10.0.10 and then press ENTER. This should be successful. The client now meets the requirement for VPN full connectivity.
   h. Disconnect from the Contoso VPN.
3. Configure Windows Security Health Validator to require an antivirus application:
   a. On NYC-EDGE1, open Network Policy Server.
   b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
   c. In the right pane under Name, double-click Default Configuration.
   d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box and then click OK.
4. Verify that the client is placed on the restricted network:
   a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN and then click Connect.
   b. Click Connect.
   c. Wait for the VPN connection to be made. Verify that a message appears in the Action Center stating that the computer does not meet security standards.
   d. Click Start, click All Programs, click Accessories, and then click Command Prompt.
   e. Type ipconfig /all and view the IP configuration. System Quarantine State should be Restricted. The client does not meet the requirements for the network, and therefore is placed on the restricted network.
   f. Disconnect the Contoso VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.


Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.


Module 8
Lab Answer Key: Increasing Security for Windows Servers
Contents:
Exercise 1: Deploying a Windows Firewall Rule
Exercise 2: Implementing WSUS

Lab: Increasing Security for Windows Servers


Exercise 1: Deploying a Windows Firewall Rule
Task 1: Create a Group Policy object with a firewall rule
1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, and click Contoso.com.
3. Right-click Contoso.com and click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Firewall and click OK.
5. On the Linked Group Policy Objects tab, right-click Firewall and click Edit.
6. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and click Inbound Rules.
7. Right-click Inbound Rules and click New Rule.
8. In the New Inbound Rule Wizard window, click Port and click Next.
9. On the Protocol and Ports page, click TCP and click Specific local ports.
10. In the Specific local ports box, type 10005 and then click Next.
11. On the Action page, confirm that Allow the connection is selected and click Next.
12. On the Profile page, clear the Private and Public check boxes and then click Next.
13. On the Name page, in the Name box, type Monitoring and then click Finish.

Task 2: Apply Group Policy settings to NYC-SVR1


1. On NYC-SVR1, open a command prompt.
2. At the command prompt, type gpupdate /force and then press ENTER.
3. Close the command window on NYC-SVR1.

Task 3: Test access to the monitoring client


1. On NYC-DC1, click Start, point to All Programs, and click Internet Explorer.
2. In the Internet Explorer address bar, type http://nyc-svr1.contoso.com/status.xml and press ENTER.

Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.


Exercise 2: Implementing WSUS


Task 1: Create a GPO for configuring WSUS clients
1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In the Group Policy Management window, right-click Contoso.com and click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type WSUS and click OK.
4. On the Linked Group Policy Objects tab, right-click WSUS and click Edit.
5. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
6. In the details pane, double-click Configure Automatic Updates.
7. In the Configure Automatic Updates dialog box, click Enabled.
8. In the Configure automatic updating drop-down list, click 4 - Auto download and schedule the install and then click Next Setting.
9. On the Specify intranet Microsoft update service location page, select Enabled.
10. Under Set the intranet update service for detecting updates and under Set the intranet statistics server, type http://NYC-SVR1 in the text boxes and then click Next Setting.
11. On the Automatic Updates detection frequency page, click Enabled and then click OK.
12. Close the Group Policy Management Editor and the Group Policy Management Console.
13. Click Start, type cmd, and press ENTER.
14. At the command prompt, type gpupdate /force and press ENTER.
15. At the command prompt, type wuauclt /detectnow and press ENTER.
16. Close the command prompt.
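After gpupdate /force, the settings from steps 7 to 11 can be confirmed on a client before running wuauclt /detectnow. The following PowerShell check is an added example, not part of the courseware; it reads the standard Windows Update policy registry values and compares them with what this task configures (the function name is hypothetical).

```powershell
# Added example: verify that the WSUS GPO from Task 1 reached this computer.
# Works with PowerShell 2.0 (Windows 7 / Windows Server 2008 R2).

function Test-WsusClientPolicy {
    param(
        # Value typed in step 10 for both the update and the statistics server.
        [string]$ExpectedServer = 'http://NYC-SVR1'
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey       -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU"  -ErrorAction SilentlyContinue

    # One entry per policy value; expected values mirror steps 7 to 11.
    $checks = @(
        @{ Setting = 'WUServer';                  Actual = $wu.WUServer;                  Expected = $ExpectedServer },
        @{ Setting = 'WUStatusServer';            Actual = $wu.WUStatusServer;            Expected = $ExpectedServer },
        @{ Setting = 'UseWUServer';               Actual = $au.UseWUServer;               Expected = 1 },
        @{ Setting = 'NoAutoUpdate';              Actual = $au.NoAutoUpdate;              Expected = 0 },
        @{ Setting = 'AUOptions';                 Actual = $au.AUOptions;                 Expected = 4 },
        @{ Setting = 'DetectionFrequencyEnabled'; Actual = $au.DetectionFrequencyEnabled; Expected = 1 }
    )

    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Expected = $c.Expected
            Actual   = $c.Actual          # empty when the policy value is missing
            Ok       = ($c.Actual -eq $c.Expected)
        }
    }
}

# List only the settings that differ from the lab configuration.
Test-WsusClientPolicy | Where-Object { -not $_.Ok } |
    Format-Table Setting, Expected, Actual -AutoSize
```

An empty table means the policy values match Task 1; a missing value usually means the GPO has not been applied to the computer yet.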

Task 2: Review the configuration settings for a WSUS server


1. On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Update Services.
2. In the Update Services window, in the left pane, click Options.
3. Read the list of options available for configuration.

Task 3: Create a computer group for servers


1. On NYC-SVR1, in the Update Services window, in the left pane, expand Computers, expand All Computers, and click All Computers.
2. In the Actions pane, click Add Computer Group.
3. In the Add Computer Group window, in the Name box, type HO Servers and click Add.
4. Click the Unassigned Computers computer group.
5. In the center pane, in the Status box, select Any and then click Refresh.
6. Right-click NYC-DC1.contoso.com, and click Change Membership.
7. In the Set Computer Group Membership box, select the HO Servers check box and click OK.

Task 4: View the update report for NYC-DC1


1. On NYC-SVR1, in the Update Services window, click the HO Servers computer group.
2. In the center pane, in the Status box, select Any and then click Refresh.
3. Right-click nyc-dc1.contoso.com and click Status Report.
4. Read the Status Summary for nyc-dc1.contoso.com. Notice that four updates have not been installed.
5. At the top of the report, beside Include updates that have a status of, click Any.
6. In the Choose Update Status window, clear all check boxes except Needed and then click OK.
7. In the top menu, click Run Report.
8. Click the right arrow to view the second page of the report.
9. Read the list of updates that are needed. Notice that they are not approved.
10. Leave this report open for the next task.

Task 5: Approve an update for the HO Servers computer group


1. On NYC-SVR1, in the Computers Report for NYC-SVR1, for the first update listed, click Not approved.
2. In the Approve Updates window, click the down arrow to the left of HO Servers and click Approved for Install.
3. Read the warning message at the bottom of the window. This file is not downloaded due to the configuration of the lab environment.
4. Click OK.
5. In the Approval Progress window, read the actions that were performed and then click Close.
6. Close all open windows.

Note: Notice that a message appears stating that the update is approved, but must be downloaded to complete. This is due to the configuration of the lab environment.

Results: After this exercise, you should have approved an update for NYC-DC1.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.


Module 9
Lab Answer Key: Increasing Security for Network Communication
Contents:
Exercise 1: Selecting a Network Security Configuration
Exercise 2: Configuring IPsec to Authenticate Computers
Exercise 3: Testing IPsec Authentication

Lab: Increasing Security for Network Communication


Exercise 1: Selecting a Network Security Configuration
Task 1: Read the Research application security document
Read the Research application security document located in task 2 in the main module document.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Research application security document.

Research application security

Document Reference Number: GW1605/1
Document Author: Charlotte Weiss
Date: 16th May

Requirements Overview
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must:
1. Create a connection security rule that authenticates the computers in the Research department.
2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application.

Additional Information
1. The application exists on NYC-SVR1.
2. The application is not configured to use SSL.
3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.

Proposals
1. How will you accomplish requirement 1?
   Answer: Configure a Connection Security Rule that requires Kerberos authentication for connections to TCP port 80 (web server). Restrict authentication to specific users and computers.
2. How will you accomplish requirement 2?
   Answer: Create a firewall rule that enables communication over port 80 if authenticated.
3. Are there any additional tasks that you must perform?
   Answer: Create a GPO that is linked to the Research OU. Configure the Connection Security rule and Firewall Rule as part of this policy. Move both NYC-SVR1 and NYC-CL1 to the Research OU. Refresh the GPO on the client computers from NYC-DC1.

Task 3: Examine the suggested proposals in the Lab Answer Key


Compare your solution to the proposed solution in the Research application security document in the Lab Answer Key. Be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.


Exercise 2: Configuring IPsec to Authenticate Computers


Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, expand Contoso.com and then click Computers.
4. Right-click NYC-CL1 and then click Move.
5. In the Move dialog box, click Research and then click OK.
6. Right-click NYC-SVR1 and then click Move.
7. In the Move dialog box, click Research and then click OK.
8. In the navigation pane, click Research.

Task 2: Create a GPO and link to the Research OU


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Research.
3. Right-click Research and then click Create a GPO in this domain, and link it here.
4. In the New GPO dialog box, in the Name box, type Research Department Application Security Policy and then click OK.

Task 3: Create the required connection security rule


1. In Group Policy Management, expand Research.
2. Right-click Research Department Application Security Policy and then click Edit.
3. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security LDAP://CN={GUID}, and then click Connection Security Rules.
4. Right-click Connection Security Rules and then click New Rule.
5. In the New Connection Security Rule Wizard, on the Rule Type page, click Custom and then click Next.
6. On the Endpoints page, click Next.
7. On the Requirements page, click Require authentication for inbound connections and request authentication for outbound connections and then click Next.
8. On the Authentication Method page, click Computer and user (Kerberos V5) and then click Next.
9. On the Protocol and Ports page, in the Protocol type list, click TCP.
10. In the Endpoint 1 port list, click Specific Ports and in the text box, type 80 and then click Next.
11. On the Profile page, clear the Private and Public check boxes and then click Next.
12. On the Name page, in the Name box, type Research Department Application Security rule and then click Finish.

Task 4: Create the firewall rule


1. In Group Policy Management Editor, click Inbound Rules.
2. Right-click Inbound Rules and then click New Rule.
3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
4. On the Program page, click Next.
5. On the Protocol and Ports page, in the Protocol type list, click TCP.
6. In the Local port list, click Specific Ports and in the text box, type 80 and then click Next.
7. On the Scope page, click Next.
8. On the Action page, click Allow the connection if it is secure and then click Customize. Ensure that Allow the connection if it is authenticated and integrity-protected is selected and click OK.
9. Click Next.
10. On the Users page, click Next.
11. On the Computers page, select Only allow connections from these computers and then click Add.
12. In the Select Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type NYC-CL1; NYC-SVR1, click Check Names, click OK, and then click Next.
13. On the Profile page, clear the Private and Public check boxes and then click Next.
14. On the Name page, in the Name box, type Research Department Application Firewall rule and then click Finish.

Task 5: Refresh the Group Policy on client computers


1. Switch to NYC-CL1.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. In the command prompt, type the following command and then press ENTER:
   Gpupdate /force
4. In the command prompt, type the following command and then press ENTER:
   Shutdown /r
5. Switch to NYC-SVR1.
6. Click Start, and in the Search box, type cmd.exe and press ENTER.
7. In the command prompt, type the following command and then press ENTER:
   Gpupdate /force
8. In the command prompt, type the following command and then press ENTER:
   Shutdown /r

Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.


Exercise 3: Testing IPsec Authentication


Task 1: Attempt to connect to the web server on NYC-SVR1
1. Switch to NYC-CL1.
2. Log on using the following information:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
3. On the Taskbar, click Internet Explorer.
4. In the Address bar, type http://nyc-svr1 and press ENTER. The default IIS 7 webpage displays.

Task 2: Verify settings with Windows Firewall with Advanced Security


1. Click Start, and in the Search box, type Windows Firewall with Advanced Security and press ENTER.
2. In Windows Firewall with Advanced Security, in the navigation pane, expand Monitoring, expand Security Associations, and then click Main Mode.
3. In the right pane, double-click the item listed.
4. What is the First authentication method? Answer: Computer (Kerberos V5)
5. Click OK.
6. Expand Quick Mode.
7. In the right pane, double-click the item listed.
8. What is the Remote port? Answer: TCP 80
9. Click OK.

Task 3: Verify settings with IP Security Monitor


1. Click Start, and in the Search box, type mmc.exe and then press ENTER.
2. In Console1 [Console Root] window, click File and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, in the Snap-in list, click IP Security Monitor, click Add, and then click OK.
4. Expand IP Security Monitor, expand NYC-CL1, expand Main Mode, and then click Security Associations.
5. In the right pane, double-click the item listed.
6. What is the encryption method? Answer: None. No encryption was required, merely authentication.
7. Close all open windows. Do not save changes to Console 1.

Results: At the end of this exercise, you will have verified IPsec settings.
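The connection security rule and firewall rule from Exercise 2 (Tasks 3 and 4) and the security association checks from Exercise 3 can also be done with netsh advfirewall. The following PowerShell script is an added example, not part of the courseware; it assumes an elevated prompt on a domain-joined test computer, writes the rules to the local firewall policy rather than to the GPO, and uses hypothetical helper names (Get-RemoteComputerSddl, Invoke-Netsh).

```powershell
# Added example: netsh equivalent of the wizard settings in Exercise 2.
# Assumption: rules go into the LOCAL policy store of a test computer;
# the lab itself stores them in the Research Department GPO.

$csRule = 'Research Department Application Security rule'
$fwRule = 'Research Department Application Firewall rule'
# Computer accounts selected in Task 4, step 12 (assumes NetBIOS domain CONTOSO).
$researchComputers = 'CONTOSO\NYC-CL1$', 'CONTOSO\NYC-SVR1$'

function Get-RemoteComputerSddl {
    # netsh expects the permitted computers as an SDDL string:
    # one allow ACE per computer account SID.
    param([string[]]$Accounts)
    $aces = foreach ($name in $Accounts) {
        $nt  = New-Object System.Security.Principal.NTAccount($name)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    'D:' + ($aces -join '')
}

function Invoke-Netsh {
    # Runs netsh and stops on the first failure so a half-built policy is noticed.
    param([string[]]$Arguments)
    & netsh.exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($Arguments -join ' ')" }
}

# Task 3: require authentication inbound, request it outbound; Kerberos V5 for
# the computer (first authentication) and the user (second authentication);
# TCP port 80 on endpoint 1; domain profile only.
Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule', "name=$csRule",
    'endpoint1=any', 'endpoint2=any', 'action=requireinrequestout',
    'auth1=computerkerb', 'auth2=userkerb',
    'protocol=tcp', 'port1=80', 'profile=domain')

# Task 4: allow inbound TCP 80 only if the connection is authenticated and
# integrity-protected, and only from the listed computers; domain profile only.
$sddl = Get-RemoteComputerSddl $researchComputers
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$fwRule",
    'dir=in', 'action=allow', 'protocol=TCP', 'localport=80', 'profile=domain',
    'security=authenticate', "rmtcomputergrp=$sddl")

# Review what was stored.
Invoke-Netsh @('advfirewall', 'consec', 'show', 'rule', "name=$csRule")
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', "name=$fwRule", 'verbose')

# Exercise 3, Task 2: after browsing to http://nyc-svr1, list the main mode
# and quick mode security associations (no throw here: an empty list is a
# finding, not a script error).
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If the main mode list is empty after the page loads, the traffic was not negotiated through IPsec and the rules or their profile scope need to be rechecked.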

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.


Module 10
Lab Answer Key: Configuring and Troubleshooting Network File and Print Services
Contents:
Exercise 1: Creating and Configuring a File Share
Exercise 2: Encrypting and Recovering Files
Exercise 3: Creating and Configuring a Printer Pool

Lab: Configuring and Troubleshooting Network File and Print Services


Exercise 1: Creating and Configuring a File Share
Task 1: Create the folder structure for the share
1. On NYC-DC1, click Start and click Computer.
2. In Windows Explorer, double-click Local Disk (C:) and click New folder on the top menu bar.
3. Type Share and press ENTER to rename the folder.
4. Double-click Share and click New folder.
5. Type Marketing and press ENTER to rename the folder.
6. Click New folder.
7. Type Production and press ENTER to rename the folder.

Task 2: Configure NTFS permissions on the folder structure


1. On NYC-DC1, in Windows Explorer, browse to C:\.
2. Right-click Share and click Properties.
3. In the Share Properties window, click the Security tab. Notice that Users have read access to the Share folder.
4. Click Cancel.
5. In Windows Explorer, double-click Share.
6. Right-click Marketing and click Properties.
7. In the Marketing Properties window, on the Security tab, click Advanced.
8. In the Advanced Security Settings For Marketing window, click Change Permissions.
9. Clear the Include inheritable permissions from this object's parent check box.
10. In the Windows security window, click Add.
11. Use Ctrl+click to select both entries for Users and then click Remove.
12. Click OK twice to close both Advanced Security Settings For Marketing windows.
13. In the Marketing Properties window, click Edit.
14. In the Permissions For Marketing window, click Add, type Marketing, and click OK.
15. With Marketing selected, click the Allow Modify permission and click OK.
16. In the Marketing Properties window, click OK.
17. Right-click Production and click Properties.
18. In the Production Properties window, on the Security tab, click Advanced.
19. In the Advanced Security Settings For Production window, click Change Permissions.
20. Clear the Include inheritable permissions from this object's parent check box.
21. In the Windows security window, click Add.
22. Use Ctrl+click to select both entries for Users and then click Remove.
23. Click OK twice to close both Advanced Security Settings For Production windows.
24. In the Production Properties window, click Edit.
25. In the Permissions For Production window, click Add, type Production and then click OK.
26. With Production selected, click the Allow Modify permission and click OK.
27. In the Production Properties window, click OK.

Task 3: Create the share


1. On NYC-DC1, in Windows Explorer, browse to C:\.
2. Right-click Share and click Properties.
3. In the Share Properties window, on the Sharing tab, click Advanced Sharing.
4. In the Advanced Sharing window, select the Share this folder check box and click Permissions.
5. In the Permissions For Share window, with Everyone selected, select the Full Control Allow permission and click OK.
6. In the Advanced Sharing window, click OK.
7. In the Share Properties window, click Close.
8. Close Windows Explorer.

Task 4: Enable Access-Based Enumeration


1. On NYC-DC1, click Start, point to Administrative Tools, and click Share and Storage Management.
2. In Share and Storage Management, right-click Share, and click Properties.
3. In the Share Properties window, click Advanced.
4. In the Advanced window, on the User Limits tab, select the Enable Access-based enumeration check box and click OK.
5. In the Share Properties window, click OK.
6. Close Share and Storage Management.

Task 5: Verify that permissions are properly configured


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd. Adam is a member of Marketing.
2. Click Start, type \\nyc-dc1\share, and press ENTER.
3. Read the folders that are available and double-click Marketing.
4. Right-click an open area, point to New, and click Text Document.
5. Type AdamFile and press ENTER to rename the file.
6. Close Windows Explorer.

Results: After this exercise, you should have created and configured a file share.
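Task 3 grants Everyone Full Control at the share level, so the NTFS permissions set in Task 2 are what restrict each department folder. The following PowerShell audit is an added example, not part of the courseware; it assumes the groups resolve as CONTOSO\Marketing and CONTOSO\Production, and the function name is hypothetical.

```powershell
# Added example: audit the NTFS ACLs produced by Task 2 on NYC-DC1.
# Works with PowerShell 2.0 (Windows Server 2008 R2).

function Test-DepartmentFolderAcl {
    param(
        [string]$Path,     # for example C:\Share\Marketing
        [string]$Group     # for example CONTOSO\Marketing (assumed group name)
    )

    $acl      = Get-Acl -Path $Path
    $modify   = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $problems = @()

    # Steps 9 and 20 clear "Include inheritable permissions", so the DACL
    # must be protected from inheritance.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is still enabled'
    }

    $groupHasModify = $false
    foreach ($ace in $acl.Access) {
        $who     = $ace.IdentityReference.Value
        $isAllow = ($ace.AccessControlType -eq 'Allow')

        # Steps 11 and 22 remove both Users entries.
        if ($isAllow -and $who -eq 'BUILTIN\Users') {
            $problems += "BUILTIN\Users still has $($ace.FileSystemRights)"
        }

        # Steps 15 and 26 grant the department group Allow Modify.
        if ($isAllow -and $who -eq $Group -and
            (([int]$ace.FileSystemRights -band $modify) -eq $modify)) {
            $groupHasModify = $true
        }
    }
    if (-not $groupHasModify) {
        $problems += "$Group does not have Allow Modify"
    }

    New-Object PSObject -Property @{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Check both department folders created in Task 1.
'Marketing', 'Production' | ForEach-Object {
    Test-DepartmentFolderAcl -Path "C:\Share\$_" -Group "CONTOSO\$_"
} | Format-Table Path, Compliant, Problems -AutoSize
```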


Exercise 2: Encrypting and Recovering Files


Task 1: Update the recovery agent certificate for EFS
1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.
2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and click Default Domain Policy.
3. In the Group Policy Management Console dialog box, click OK to clear the message.
4. Right-click Default Domain Policy and click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and click Encrypting File System.
6. Right-click the Administrator certificate and click Delete.
7. In the Certificates window, click Yes.
8. Right-click Encrypting File System and click Create Data Recovery Agent.
9. Read the information for the new certificate that was created. Notice that this certificate was obtained from ContosoCA.
10. Close Group Policy Management Editor.
11. Close Group Policy Management.

Task 2: Update Group Policy on the computers


1. On NYC-DC1, click Start, type cmd, and press ENTER.
2. At the command prompt, type gpupdate /force and press ENTER.
3. Close the command prompt.
4. On NYC-CL1, click Start, type cmd, and press ENTER.
5. At the command prompt, type gpupdate /force and press ENTER.
6. Close the command prompt.

Task 3: Obtain a certificate for EFS


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start, type mmc, and press ENTER.
3. In Console1, click File and click Add/Remove Snap-in.
4. In the list of available snap-ins, click Certificates and click Add.
5. In the Add Or Remove Snap-ins window, click OK.
6. In the left pane, click Certificates - Current User, then right-click Personal, point to All Tasks, and click Request New Certificate.
7. In the Certificate Enrollment window, click Next.
8. On the Select Certificate Enrollment Policy page, click Next to use the Active Directory Enrollment Policy.
9. On the Request Certificates page, select the Basic EFS check box and click Enroll.
10. On the Certificate Installation Results page, click Finish.
11. In the Console1 window, in the left pane, expand Certificates - Current User, expand Personal, and click Certificates.
12. Read the list of certificates and note the one that was issued by ContosoCA.
13. Close Console1 and do not save the settings.

Task 4: Encrypt a file


1. On NYC-CL1, click Start, type \\NYC-DC1\Share\Marketing, and press ENTER.
2. Right-click AdamFile and click Properties.
3. On the General tab, click Advanced.
4. In the Advanced Attributes window, select the Encrypt contents to secure data check box and click OK.
5. In the AdamFile Properties window, click OK.
6. In the Encryption Warning window, click Encrypt the file only and then click OK.
7. Wait a few seconds for the file to be encrypted. Look at the color of the file name.
8. Close Windows Explorer.

Task 5: Use the recovery agent to open the file


1. On NYC-DC1, click Start and click Computer.
2. Browse to C:\Share\Marketing.
3. Double-click AdamFile.txt.
4. Add some text to the file, click File, and then click Save.
5. Close Notepad and Windows Explorer.

Results: After this exercise, you should have encrypted and recovered a file.


Exercise 3: Creating and Configuring a Printer Pool


Task 1: Install the Print Management role
1. On NYC-DC1, click Start, point to Administrative Tools, and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to start the Add Roles Wizard.
4. On the Select Server Roles page, select the Print and Document Services check box and click Next.
5. On the Print and Document Services page, click Next.
6. On the Select Role Services page, verify that Print Server is selected and click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 2: Create two IP printer ports


1. Click Start, point to Administrative Tools, and click Print Management.
2. In Print Management, expand Print Servers, expand NYC-DC1 (local), and click Ports.
3. Right-click Ports and click Add Port.
4. In the Printer Ports window, click Standard TCP/IP Port and click New Port.
5. Click Next to start the Add Standard TCP/IP Printer Port Wizard.
6. In the Printer Name or IP Address box, type 10.10.0.98 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.
7. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.
8. Click Finish to complete the wizard.
9. In the Printer Ports window, click Standard TCP/IP Port and click New Port.
10. Click Next to start the Add Standard TCP/IP Printer Port Wizard.
11. In the Printer Name or IP Address box, type 10.10.0.99 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.
12. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.
13. Click Finish to complete the wizard.
14. In the Printer Ports window, click Close.

Task 3: Create a printer


1. In Print Management, under NYC-DC1 (local), click Printers.
2. Right-click Printers and click Add Printer.
3. On the Printer Installation page, click Add a new printer using an existing port, click 10.10.0.98, and click Next.
4. On the Printer Driver page, click Install a new driver and click Next.
5. On the Printer Installation page, click Next to accept the default driver.
6. On the Printer Name and Sharing Settings page, in the Printer Name and Share Name boxes, type PrinterPool and click Next.
7. On the Printer Found page, click Next.
8. Click Finish to complete the wizard.

Task 4: Make the new printer into a printer pool


1. In Print Management, right-click PrinterPool and click Properties.
2. In the PrinterPool Properties window, on the Ports tab, select the Enable printer pooling check box.
3. In the list of ports, select the 10.10.0.99 check box and click OK. Notice that two ports are selected.
4. Close Print Management.

Task 5: Distribute the printer pool to users


1. Click Start, point to Administrative Tools, and click Group Policy Management.
2. Right-click the Marketing OU and click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type MarketingGPO and click OK.
4. Right-click MarketingGPO and click Edit.
5. Under User Configuration, expand Preferences, expand Control Panel Settings, and click Printers.
6. Right-click Printers, point to New, and click Shared Printer.
7. In the New Shared Printer Properties window, in the Share path box, type \\NYC-DC1\PrinterPool.
8. Select the Set this printer as the default printer check box, and click OK.
9. Close Group Policy Management Editor.
10. Close Group Policy Management.

Task 6: Verify printer distribution to a marketing user


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start, type cmd, and press ENTER.
3. At the command prompt, type gpupdate /force and press ENTER.
4. Close the command prompt.
5. Click Start and click Devices and Printers.
6. Confirm that PrinterPool on NYC-DC1 appears and is configured as the default printer.

Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.


Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-CL1.


Module 11
Lab Answer Key: Optimizing Data Access for Branch Offices
Contents:
Lab A: Implementing DFS
Exercise 1: Installing the DFS Role Service
Exercise 2: Configuring the Required Namespace
Exercise 3: Configuring DFS Replication
Lab B: Implementing BranchCache
Exercise 1: Performing Initial Configuration Tasks for BranchCache
Exercise 2: Configuring BranchCache Clients
Exercise 3: Configuring BranchCache on the Branch Server
Exercise 4: Monitoring BranchCache


Lab A: Implementing DFS


Exercise 1: Installing the DFS Role Service
Task 1: Install the DFS Role Service on NYC-SVR1
1. Switch to NYC-SVR1.
2. On the taskbar, click Server Manager.
3. In the navigation pane, click Roles.
4. In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens.
5. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces and DFS Replication options are also selected. Click Next.
6. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

Task 2: Install the DFS Role Service on NYC-DC1


1. Switch to NYC-DC1.
2. On the taskbar, click Server Manager.
3. In the navigation pane, click Roles.
4. In the details pane, click Add Roles.
5. In the Add Roles Wizard, click Next.
6. On the Select Server Roles page, select the File Services check box and then click Next.
7. On the File Services page, click Next.
8. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next.
9. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.
10. On the Confirm Installation Selections page, click Install.
11. On the Installation Results page, click Close.
12. Close Server Manager.

Results: At the end of this exercise, you will have installed the required role services on both servers.


Exercise 2: Configuring the Required Namespace


Task 1: Use the New Namespace Wizard to create the BranchDocs namespace
1. Switch to NYC-SVR1.
2. Click Start, point to Administrative Tools, and then click DFS Management.
3. In the navigation pane, click Namespaces.
4. Right-click Namespaces and then click New Namespace. The New Namespace Wizard starts.
5. On the Namespace Server page, under Server, type NYC-SVR1 and then click Next.
6. On the Namespace Name and Settings page, under Name, type BranchDocs and then click Next.
7. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Contoso.com\BranchDocs.
8. Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click Next.
9. On the Review Settings and Create Namespace page, click Create.
10. On the Confirmation page, ensure that the Create namespace task is successful and then click Close.
11. In the navigation pane, under Namespaces, click \\Contoso.com\BranchDocs.
12. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\BranchDocs.

Task 2: Enable access-based enumeration for the BranchDocs namespace


1. In the navigation pane, under Namespaces, right-click \\Contoso.com\BranchDocs and then click Properties.
2. In the \\Contoso.com\BranchDocs Properties dialog box, click the Advanced tab.
3. On the Advanced tab, select the check box next to Enable access-based enumeration for this namespace and then click OK.

Task 3: Add the ResearchTemplates folder to the BranchDocs namespace


1. In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.
2. In the New Folder dialog box, under Name, type ResearchTemplates.
3. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.
4. In the Add Folder Target dialog box, type \\NYC-DC1\ResearchTemplates and then click OK.
5. In the Warning dialog box, click Yes.
6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\ResearchTemplates.
7. Click All users have read and write permissions and then click OK.
8. In the Warning dialog box, click Yes.
9. Click OK again to close the New Folder dialog box.


Task 4: Add the DataFiles folder to the BranchDocs namespace


1. In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.
2. In the New Folder dialog box, under Name, type DataFiles.
3. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.
4. In the Add Folder Target dialog box, type \\NYC-SVR1\DataFiles and then click OK.
5. In the Warning dialog box, click Yes.
6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\DataFiles.
7. Click All users have read and write permissions and then click OK. The permissions will be configured later.
8. In the Warning dialog box, click Yes.
9. Click OK again to close the New Folder dialog box.

Task 5: Verify the BranchDocs namespace


1. On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\BranchDocs. Press ENTER.
2. In the BranchDocs window, verify that both ResearchTemplates and DataFiles are visible.
3. Close the BranchDocs window.

Results: At the end of this exercise, you will have created and verified the DFS namespace.


Exercise 3: Configuring DFS Replication


Task 1: Create another Folder Target for DataFiles
1. In DFS Management, expand Contoso.com\BranchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target.
2. Right-click DataFiles and then click Add Folder Target.
3. In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\DataFiles and then click OK.
4. In the Warning dialog box, click Yes to create the shared folder on NYC-DC1.
5. In the Create Share dialog box, under Local path of shared folder, type C:\BranchDocs\DataFiles.
6. In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions and then click OK.
7. In the Warning dialog box, click Yes to create the folder on NYC-DC1.
8. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

Task 2: Configure Replication for the namespace


1. In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated Folder Name page, accept the default settings and then click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, select NYC-SVR1 and then click Next.
4. On the Topology Selection page, select No topology and then click Next.
5. In the Warning dialog box, click OK.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. In the DFS Management console, expand Replication and then click contoso.com\BranchDocs\DataFiles.
10. In the action pane, click New Topology.
11. In the New Topology Wizard, on the Topology Selection page, click Full mesh and then click Next.
12. On the Replication Group Schedule and Bandwidth page, click Next.
13. On the Review Settings and Create Topology page, click Create.
14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK.
15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.
16. On the Memberships tab, right-click NYC-DC1 and then click Make read-only. This setting will automatically configure the replicated copy to be read-only.

Results: At the end of this exercise, you will have successfully configured DFS replication.


Preparing for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.


Lab B: Implementing BranchCache


Exercise 1: Performing Initial Configuration Tasks for BranchCache
Task 1: Configure NYC-DC1 to use BranchCache
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the navigation pane, click Roles.
4. In the details pane, click Add Roles and then click Next.
5. In the Add Roles Wizard, on the Select Server Roles page, select the File Services check box and then click Next.
6. On the File Services page, click Next.
7. On the Select Role Services page, in the Role services list, select the BranchCache for network files check box and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close Server Manager.
11. Click Start, and in the Search box, type gpedit.msc and then press ENTER.
12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.
13. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache and then click Edit.
14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.

Task 2: Simulate slow link to the branch office


1. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100, and then click Next.
3. On the This QoS policy applies to page, click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. Close the Local Group Policy Editor.

Task 3: Enable a file share for BranchCache


1. Click Start and then click Computer.
2. In the Computer window, browse to Local Disk (C:).
3. On the menu, click New Folder.
4. Type Share and then press ENTER.
5. Right-click Share and then click Properties.
6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. At the command prompt window, type the following command and then press ENTER:
Copy C:\windows\system32\mspaint.exe c:\share
13. Close the command prompt.
14. Close Windows Explorer.

Task 4: Configure client firewall rules for BranchCache


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then click Edit.
3. In the navigation pane of the Group Policy Management Editor console, under Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.
4. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security and then click Inbound Rules.
5. On the Action menu of the Group Policy Management Editor console, click New Rule.
6. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next.
7. On the Predefined Rules page, click Next.
8. On the Action page, click Finish to create the firewall inbound rule.
9. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.
10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next.
11. On the Predefined Rules page, click Next.
12. On the Action page, click Finish.

Results: At the end of this exercise, you will have prepared the network environment for BranchCache.


Exercise 2: Configuring BranchCache Clients


Task 1: Configure clients to use BranchCache in hosted cache mode
1. In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click Edit.
3. In the Turn on BranchCache dialog box, click Enabled and then click OK.
4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode and then click Edit.
5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted Cache box, type NYC-SVR1.contoso.com, and then click OK.
6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files and then click Edit.
7. In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required.
8. Close the Group Policy Management Editor console.
9. Close the Group Policy Management console.
10. Start 6421B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. At the command prompt window, type the following command and then press ENTER:
gpupdate /force
13. At the command prompt window, type the following command and then press ENTER:
netsh branchcache show status all
14. Start 6421B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
15. Click Start, and in the Search box, type Network and Sharing and then press ENTER.
16. In Network Connections, click Change adapter settings.
17. Right-click Local Area Connection 3 and then click Properties.
18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
20. Click Obtain DNS server address automatically and then click OK.
21. In the Local Area Connection 3 Properties dialog box, click OK.
22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
23. Click Start, point to All Programs, click Accessories, and then click Command prompt.
24. At the command prompt window, type the following command and then press ENTER:
gpupdate /force
25. At the command prompt window, type the following command and then press ENTER:
netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.


Exercise 3: Configuring BranchCache on the Branch Server


Task 1: Install the BranchCache feature on NYC-SVR1
1. Start 6421B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the navigation pane of the Server Manager console, right-click Features and then click Add Features.
4. On the Select Features page of the Add Features Wizard, select the BranchCache check box and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Close Server Manager.

Task 2: Request a certificate and link it to BranchCache


1. On the Start menu of NYC-SVR1, click Run.
2. In the Open box of the Run dialog box, type mmc and then click OK.
3. On the File menu of the Console1 [Console Root] console, click Add/Remove Snap-ins.
4. In the Available snap-ins area of the Add or Remove Snap-ins dialog box, click Certificates and then click Add.
5. In the This snap-in will always manage certificates for page of the Certificates Snap-in Wizard, click Computer account and then click Next.
6. On the Select the computer you want this snap-in to manage page, click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the navigation pane of the Console1 [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.
9. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
10. On the Select Certificate Enrollment Policy page, click Next.
11. On the Request Certificates page, select the Computer check box and then click Enroll.
12. On the Certificate Installation Results page, click Finish.
13. In the navigation pane of the Console1 [Console Root] console, under Personal, click Certificates.
14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com and then click Open.
15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK.
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.
17. At the command prompt window, type the following command and then press Enter. You can paste the certificatehashvalue from the certificate, but you must remove the spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
18. At the command prompt, type the following command and then press ENTER:
netsh branchcache show status all
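
Steps 13 through 18 can also be scripted, which avoids hand-editing the copied thumbprint. The following PowerShell is an added example, not part of the courseware; the helper names ConvertTo-CertHash and Get-HostedCacheCertificate are hypothetical, and it assumes the enrolled Computer certificate carries NYC-SVR1.Contoso.com in its subject.

```powershell
# Added example (not from the courseware). Run elevated on NYC-SVR1.
# AppId is the value given in step 17.
$AppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'

function ConvertTo-CertHash {
    # Hypothetical helper: normalise a thumbprint to the 40 hex digits netsh expects.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Removes the spaces the Details tab shows between bytes, plus any other
    # non-hex character, such as an invisible left-to-right mark (U+200E)
    # that can be copied along with the value.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA-1 thumbprint, got $($hash.Length)."
    }
    $hash
}

function Get-HostedCacheCertificate {
    # Hypothetical helper: newest unexpired certificate with a private key in the
    # computer's Personal store whose subject names this server.
    # Assumption: the Computer template puts the DNS name in the subject CN.
    param([string]$DnsName = 'NYC-SVR1.Contoso.com')

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Subject -like "*CN=$DnsName*"
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# Constructed sample of a pasted value (not a real certificate).
$pasted = [string][char]0x200E + '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
Write-Host "Pasted sample normalises to: $(ConvertTo-CertHash $pasted)"

$cert = Get-HostedCacheCertificate
if (-not $cert) {
    throw 'No unexpired computer certificate with a private key was found.'
}
$certHash = ConvertTo-CertHash $cert.Thumbprint

# Braces have special meaning to PowerShell, so the appid argument is passed
# as a quoted string.
& netsh http add sslcert 'ipport=0.0.0.0:443' "certhash=$certHash" "appid=$AppId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}

# Show the binding that is now in place, then the BranchCache status as in step 18.
& netsh http show sslcert 'ipport=0.0.0.0:443'
& netsh branchcache show status all
```

If a binding already exists on 0.0.0.0:443, the add command fails and the script stops before the status checks.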

Task 3: Start the BranchCache Host Server


1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.
3. Right-click Contoso.com, point to New, and click Organizational Unit.
4. In the New Object - Organizational Unit window, type BranchCacheHost and then click OK.
5. Click the Computers container.
6. Click NYC-SVR1 and drag it to BranchCacheHost.
7. Click Yes to clear the warning about moving objects.
8. Close Active Directory Users and Computers.
9. Click Start, point to Administrative Tools, and click Group Policy Management.
10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance.
11. On NYC-DC1, close all open windows.
12. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.
13. On NYC-SVR1, open a command prompt, type the following command, and then press ENTER:
netsh branchcache set service hostedserver
14. Close the command prompt.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.


Exercise 4: Monitoring BranchCache


Task 1: Configure Performance Monitor on NYC-SVR1
1. Click Start, and in the Search box, type Performance and then press ENTER.
2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.
3. In the Performance Monitor result pane, click the Delete (Delete Key) icon.
4. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
5. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
6. Change graph type to Report.

Task 2: View Performance statistics on NYC-CL1


1. Switch to NYC-CL1.
2. On the Start menu, in the Search programs and files box, type Performance and then press ENTER.
3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.
4. In the Performance Monitor result pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
7. Change graph type to Report. Notice that the value of all performance statistics is zero.

Task 3: View performance statistics on NYC-CL2


1. Switch to NYC-CL2.
2. On the Start menu, in the Search programs and files box, type Performance and then press ENTER.
3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.
4. In the Performance Monitor result pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
7. Change graph type to Report. Notice that the value for all performance statistics is zero.

Task 4: Test BranchCache in hosted caching mode


1. Switch to NYC-CL1.
2. Click Start, and in the Search box, type \\NYC-DC1.contoso.com\Share and then press ENTER.
3. In the Name list of the Share window, right-click mspaint.exe and then click Copy.
4. In the Share window, click Minimize.
5. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
6. On the desktop, right-click anywhere and then click Paste.
7. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).
8. On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYC-DC1.contoso.com\Share and then press ENTER.
9. In the Name list of the Share window, right-click mspaint.exe and then click Copy.
10. In the Share window, click Minimize.
11. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
12. On the desktop, right-click anywhere and then click Paste.
13. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
14. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified the function of BranchCache.

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-CL1 and 6421B-NYC-CL2.


Module 12
Lab Answer Key: Controlling and Monitoring Network Storage
Contents:
Exercise 1: Configuring FSRM Quotas
Exercise 2: Configuring File Screening
Exercise 3: Configuring File Classification and File Management


Lab: Controlling and Monitoring Network Storage


Exercise 1: Configuring FSRM Quotas
Task 1: Create the Home share
1. On NYC-SVR1, click Start, type cmd, and press ENTER.
2. At the command prompt, type md C:\Home and press ENTER.
3. At the command prompt, type net share Home=C:\Home /grant:everyone,full and press ENTER.
4. Close the command prompt.

Task 2: Install FSRM


1. On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.
2. In Server Manager, in the left pane, expand Roles, click File Services, and then click Add Role Services.
3. In the Add Role Services window, select the File Server Resource Manager check box and click Next.
4. On the Configure Storage Usage Monitoring page, click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.

Task 3: Create a quota template for home folders


1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.
2. In File Server Resource Manager, expand Quota Management and click Quota Templates.
3. In the Actions pane, click Create Quota Template.
4. In the Create Quota Template window, in the Template name box, type Home Folders.
5. In the Description box, type Template for user home folders.
6. In the Space limit area, in the Limit box, type 500.
7. Verify that Hard quota: Do not allow users to exceed limit is selected.
8. In the Notification thresholds area, click Add.
9. In the Add Threshold window, in the Generate notifications when usage reaches (%) box, type 75.
10. On the E-mail Message tab, select the Send e-mail to the user who exceeded the threshold check box.
11. Click the Event log tab and click Yes in the warning window.
12. On the Event Log tab, select the Send warning to event log check box.
13. Click OK and click Yes to close the warning window.
14. Click OK to close the Create Quota Template window.


Task 4: Configure an SMTP server for FSRM notifications


1. In File Server Resource Manager, right-click File Server Resource Manager (Local) and click Configure Options.
2. In the File Server Resource Manager Options window, on the Email Notifications tab, in the SMTP server name or IP address box, type mail.contoso.com.
3. In the Default administrator recipients box, type Administrator@contoso.com and click OK.

Task 5: Configure quotas on Home share folders


1. In File Server Resource Manager, click Quotas.
2. In the Actions pane, click Create Quota.
3. In the Create Quota window, in the Quota path box, type C:\Home.
4. Click Auto apply template and create quotas on existing and new subfolders.
5. In the Quota properties area, click Derive properties from this quota template (recommended) and select Home Folders.
6. Click Create.
7. Close File Server Resource Manager.

Task 6: Create a home folder for a user


1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. In Active Directory Users and Computers, expand Contoso.com and click Marketing.
3. Right-click Adam Carter and click Properties.
4. In the Adam Carter Properties window, on the Profile tab, in the Home folder area, click Connect, select H:, and type \\NYC-SVR1\Home\Adam.
5. Click OK to save the changes.
6. Close Active Directory Users and Computers.

Task 7: Verify that the quota is applied


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start and click Computer.
3. Verify that H: is mapped to \\NYC-SVR1\Home\Adam.
4. Right-click Adam (\\NYC-SVR1\Home) (H:) and click Properties.
5. In the Adam (\\NYC-SVR1\Home) (H:) Properties window, read the size of H: and notice that it corresponds to the size of the quota that has been assigned.
6. Close all open windows.

Results: After this exercise, you will have created and applied quotas to home folders.


Exercise 2: Configuring File Screening


Task 1: Add AUDX files to a file group
1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.
2. In File Server Resource Manager, expand File Screening Management and click File Groups.
3. Right-click Audio and Video Files and click Edit File Group Properties.
4. In the File Group Properties For Audio And Video Files window, in the Files to include box, type *.audx and click Add.
5. Click OK to close the File Group Properties For Audio And Video Files window.

Task 2: Create a file screen template


1. On NYC-SVR1, in File Server Resource Manager, click File Screen Templates.
2. In the Actions pane, click Create File Screen Template.
3. In the Create File Screen Template window, on the Settings tab, in the Template name box, type Home Folder Media.
4. If necessary, click Active Screening: Do not allow users to save unauthorized files.
5. In the File groups area, select the Audio and Video Files check box and the Image Files check box.
6. On the Event log tab, select the Send warning to event log check box and then click OK.

Task 3: Configure a file screen for C:\Home


1. On NYC-SVR1, in File Server Resource Manager, click File Screens.
2. In the Actions pane, click Create File Screen.
3. In the Create File Screen window, in the File screen path box, type C:\Home.
4. If necessary, click Derive properties from this file screen template (recommended) and select Home Folder Media.
5. Click Create.
6. Close File Server Resource Manager.

Task 4: Verify that the file screen is applied


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start and click Computer.
3. In the left pane, under Libraries, click Videos and then double-click Sample Videos.
4. Right-click Wildlife and click Copy.
5. Browse to H:\, right-click an open area, and click Paste.
6. In the Destination Folder Access Denied window, click Cancel.
7. Close all open windows.

Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.


Exercise 3: Configuring File Classification and File Management


Task 1: Create a classification property for official documents
1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.
2. In File Server Resource Manager, expand Classification Management and click Classification Properties.
3. In the Actions pane, click Create Property.
4. In the Create Classification Property Definition window, in the Property name box, type Official Document.
5. In the Description box, type Official document that is available in the web archive.
6. In the Property type box, select Yes/No and then click OK.

Task 2: Create a classification rule for official documents


1. In File Server Resource Manager, click Classification Rules.
2. In the Actions pane, click Create a New Rule.
3. In the Classification Rule Definitions window, on the Rule Settings tab, in the Rule name box, type Official Documents.
4. In the Scope area, click Add.
5. In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.
6. In the Classification Rule Definitions window, on the Classification tab, in the Classification mechanism area, select Content Classifier.
7. In the Property name area, select Official Document.
8. In the Property value area, select Yes and then click Advanced.
9. In the Additional Rule Parameters window, on the Additional Classification Parameters tab, in the Name box, type RegularExpression.
10. In the Value box, type Document#\d\d\d\d-\d\d\d and then click OK.
11. Click OK to close the Classification Rule Definitions window.
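The file management task in Task 3 moves every file that this rule classifies out of C:\Home, so it is worth checking what the RegularExpression value matches before the task runs. The PowerShell below is an added example, not part of the lab or of FSRM: it runs the lab's pattern (the parameter takes .NET regular expression syntax) against constructed sample text and compares it with a word-bounded variant. The variable names, the function Get-ClassificationPreview, the bounded pattern and all sample strings are assumptions introduced for illustration.

```powershell
# Added example, not part of the lab files. All sample text below is constructed.

# Value typed into the RegularExpression parameter in step 10 of Task 2.
$LabPattern = 'Document#\d\d\d\d-\d\d\d'

# Assumption, for comparison only: the same pattern bounded on both sides,
# so that it cannot match inside a longer token.
$BoundedPattern = '\bDocument#\d{4}-\d{3}\b'

# Constructed strings standing in for text extracted from files under C:\Home.
$Samples = @(
    @{ File = 'Test Document.docx';  Text = 'Document#2011-001' },
    @{ File = 'Meeting notes.docx';  Text = 'Adam asked whether Document#2010-114 is archived yet.' },
    @{ File = 'Long serial.docx';    Text = 'Tracking code Document#2011-0015' },
    @{ File = 'Embedded token.docx'; Text = 'source=MyDocument#2011-001' },
    @{ File = 'Short serial.docx';   Text = 'Document#2011-01' },
    @{ File = 'Budget.docx';         Text = '2011 - $1,000' }
)

function Get-ClassificationPreview {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Samples,
        [Parameter(Mandatory = $true)] [string]   $Pattern
    )
    foreach ($sample in $Samples) {
        # [regex]::Match searches anywhere in the text (the pattern is not
        # anchored), which is why a longer token can still produce a hit.
        $m = [regex]::Match($sample.Text, $Pattern)
        New-Object PSObject -Property @{
            File        = $sample.File
            Classified  = $m.Success
            MatchedText = $m.Value
        }
    }
}

$lab     = @(Get-ClassificationPreview -Samples $Samples -Pattern $LabPattern)
$bounded = @(Get-ClassificationPreview -Samples $Samples -Pattern $BoundedPattern)

# One row per sample: would the lab rule set Official Document = Yes,
# would the bounded variant, and which substring triggered the lab rule.
$rows = for ($i = 0; $i -lt $Samples.Count; $i++) {
    New-Object PSObject -Property @{
        File        = $lab[$i].File
        LabRule     = $lab[$i].Classified
        BoundedRule = $bounded[$i].Classified
        LabMatch    = $lab[$i].MatchedText
    }
}
$rows | Select-Object File, LabRule, BoundedRule, LabMatch | Format-Table -AutoSize

# Files the expiration task would act on under the lab rule but not under the
# bounded variant: these are matches inside a longer token.
$rows | Where-Object { $_.LabRule -and -not $_.BoundedRule } |
    Select-Object File, LabMatch | Format-Table -AutoSize
```

Neither pattern distinguishes a document that carries its own number from one that only cites another document's number, so a file such as the constructed meeting notes is classified as well.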

Task 3: Create a file management task to expire official documents


1. In File Server Resource Manager, click File Management Tasks.
2. In the Actions pane, click Create File Management Task.
3. In the Create File Management Task window, on the General tab, in the Task name box, type Remove Official Documents.
4. In the Scope area, click Add.
5. In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.
6. In the Create File Management Task window, on the Action tab, in the Type box, select File expiration.
7. To the right of the Expiration Directory box, click the Browse button.
8. In the Browse For Folder window, click Local Disk (C:), click Make New Folder, type Expired Documents, press ENTER, and click OK.
9. In the Create File Management Task window, on the Condition tab, in the Property conditions area, click Add.
10. In the Property Condition window, in the Property box, select Official Document.
11. In the Operator box, select Equal.
12. In the Value box, select Yes and click OK.
13. In the Create File Management Task window, on the Schedule tab, click Create.
14. In the Schedule window, click New.
15. In the Schedule Task box, select Weekly.
16. In the Start time box, type 9:00 PM.
17. In the Schedule Task Weekly area, select only the Sun check box and then click OK.
18. Click OK to close the Create File Management Task window.

Task 4: Verify that official documents are expired


1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start, click Computer, and browse to H:\.
3. In Windows Explorer, right-click an empty area, point to New, and click Microsoft Office Word Document.
4. Type Test Document and press ENTER.
5. Double-click Test Document, click OK to close the Microsoft Office Word window, and then click OK to set the user name.
6. In Microsoft Word, type Document#2011-001 and press ENTER.
7. Click the Save button and close Microsoft Word. If the document is open in Word, then FSRM is not able to expire the document.
8. On NYC-SVR1, in File Server Resource Manager, click Classification Rules.
9. In the Actions pane, click Run Classification With All Rules Now.
10. In the Run Classification window, click Wait for classification to complete execution and click OK.
11. Review the Automatic Classification Report in Internet Explorer and verify that one Official Document was found.
12. Close Internet Explorer.
13. In File Server Resource Manager, click File Management Tasks, right-click Remove Official Documents, and click Run File Management Task Now.
14. In the Run File Management Task window, click Wait for the task to complete execution and click OK.
15. Review the File Management Task Report and verify that one file was expired.
16. Click Start, click Computer, and browse to C:\Expired Documents\NYC-SVR1.Contoso.com\Remove Official Documents_datetime\c$\Home\Adam.
17. Review the list of expired files and verify that Test Document.docx is there.
18. Close all open windows.

Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Answer Key: Recovering Network Data and Servers

Module 13
Lab Answer Key: Recovering Network Data and Servers
Contents:
Exercise 1: Configuring Shadow Copies
Exercise 2: Configuring a Scheduled Backup


Lab: Recovering Network Data and Servers


Exercise 1: Configuring Shadow Copies
Task 1: Configure shadow copies on NYC-SVR1
1. On NYC-SVR1, click Start and click Computer.
2. Right-click Local Disk (C:) and click Configure Shadow Copies.
3. In the Shadow Copies window, click C:\ and then click Enable.
4. In the Enable Shadow Copies window, click Yes.
5. In the Shadow Copies window, click Settings.
6. In the Settings window, click Schedule.
7. In the C:\ window, click Delete twice to remove the default schedule.
8. Click New and then click Advanced.
9. In the Advanced Schedule Options window, select the Repeat task check box.
10. In the Every box, type 1 and select hours.
11. In the Duration box, type 24 hours.
12. Click OK to close the Advanced Schedule Options window.
13. Click OK to close the C:\ window.
14. Click OK to close the Settings window.
15. Click OK to close the Shadow Copies window.

Task 2: Create a file share


1. On NYC-SVR1, in Windows Explorer, browse to C:\ and click New folder.
2. Type Marketing and press ENTER to rename the folder.
3. Right-click Marketing, point to Share with, and click Specific people.
4. In the File Sharing window, type Marketing and click Add.
5. With Marketing selected, in the Permission Level column, select Read/Write.
6. Click Share.
7. Take note of the share path and click Done.


Task 3: Create multiple shadow copies of a file


1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Click Start, type \\NYC-SVR1\Marketing, and press ENTER.
3. In Windows Explorer, in an open area, right-click, point to New, and click Microsoft Office Word Document.
4. Type Budget Planning and press ENTER to rename the document.
5. Double-click Budget Planning and click OK to close the error message.
6. In the User Name box, click OK.
7. In Microsoft Word, type the following items in a bulleted list:
   • 2011 - $1,000
   • 2012 - $1,100
   • 2013 - $1,200
8. Click the Save button.
9. On NYC-SVR1, in Windows Explorer, right-click Local Disk (C:) and click Configure Shadow Copies.
10. In the Shadow Copies window, with C:\ selected, click Create Now.
11. On NYC-CL1, add the following bullets to the document:
   • 2014 - $1,500
   • 2015 - $2,000
12. Click the Save button and close Microsoft Word.
13. On NYC-SVR1, in the Shadow Copies window, click Create Now.
14. Click OK to close the Shadow Copies window and close Windows Explorer.
15. On NYC-CL1, right-click Budget Planning and click Delete.
16. In the Delete File window, click Yes.

Task 4: Recover a deleted file from a shadow copy


1. On NYC-CL1, in Windows Explorer, right-click an open area and click Properties.
2. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the second most recent folder version of Marketing.
3. In the newly opened window, double-click Budget Planning.
4. Verify that this is not the correct version of Budget Planning, close Word, and close the window containing Budget Planning.
5. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the most recent folder version of Marketing.
6. In the newly opened window, double-click Budget Planning.
7. Verify that this is the correct version of Budget Planning, close Word, and close the window containing Budget Planning.
8. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, with the most recent folder version of Marketing selected, click Restore.
9. In the warning window, click Restore.
10. Click OK to clear the success message.
11. Click OK to close the Marketing (\\NYC-SVR1) Properties window.
12. In Windows Explorer, double-click Budget Planning to view the restored file.
13. Close all open windows.

Results: At the end of this exercise, you will have enabled shadow copies for the Marketing file server.


Exercise 2: Configuring a Scheduled Backup


Task 1: Install the Windows Server Backup feature
1. On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.
2. In Server Manager, click Features and click Add Features.
3. In the Add Features Wizard, expand Windows Server Backup Features.
4. Under Windows Server Backup Features, select the Windows Server Backup and Command-line Tools check boxes.
5. Click Next and then click Install.
6. On the Results page, click Close.
7. Close Server Manager.

Task 2: Create a scheduled backup


1. On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Backup.
2. In Windows Server Backup, in the Actions pane, click Backup Schedule.
3. In the Backup Schedule Wizard, click Next.
4. On the Select Backup Configuration page, click Full server and then click Next.
5. On the Specify Backup Time page, click Once a day, select 11:00 PM, and click Next.
6. On the Specify Destination Type page, click Back up to a hard disk that is dedicated for backups (recommended) and click Next.
7. On the Select Destination Disk page, click Show All Available Disks, select the Disk 1 check box, and click OK.
8. Select the Disk 1 check box and click Next.
9. Click OK to remove D: from the backup.
10. Click Yes to confirm that data on D: will be removed.
11. On the Confirmation page, click Finish.
12. On the Summary page, click Close.

Task 3: Verify that two backups fit on the destination disk


1. On NYC-SVR1, in Windows Server Backup, read the information in the Destination usage area. There is approximately 32 GB of total disk space and 0 GB used.
2. In the Actions pane, click Backup Once.
3. On the Backup Options page, click Scheduled Backup options and click Next.
4. On the Confirmation page, click Backup.
5. Wait while the backup completes. This will take about five minutes.
6. When the backup is complete, click Close.
7. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.
8. In the Actions pane, click Backup Once.
9. On the Backup Options page, click Scheduled Backup options and click Next.
10. On the Confirmation page, click Backup.
11. Wait while the backup completes. This will take about one minute.
12. When the backup is complete, click Close.
13. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.

Task 4: Perform a test restore of a file


1. On NYC-SVR1, in Windows Server Backup, in the Actions pane, click Recover.
2. On the Getting Started page, click This server (NYC-SVR1) and click Next.
3. On the Select Backup Date page, select today's date and the most recent time, and then click Next.
4. On the Select Recovery Type page, click Files and folders and click Next.
5. On the Select Items to Recover page, browse to C:\Marketing, click Budget Planning.docx, and click Next.
6. On the Specify Recovery Options page, review the default options and click Next.
7. On the Confirmation page, click Recover.
8. After the recovery is complete, click Close.
9. Close Windows Server Backup.
10. Click Start and click Computer.
11. In Windows Explorer, browse to C:\Marketing and verify that the file is restored.
12. Close Windows Explorer.

Results: At the end of this exercise, you will have configured a scheduled backup and tested backup functionality.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers

Module 14
Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers
Contents:
Exercise 1: Establishing a Performance Baseline
Exercise 2: Identifying the Source of a Performance Problem
Exercise 3: Centralizing Events Logs


Lab: Monitoring Windows Server 2008 Network Infrastructure Servers


Exercise 1: Establishing a Performance Baseline
Task 1: Create a Data Collector Set
1. Switch to the NYC-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click Performance Monitor.
3. In Performance Monitor, in the navigation pane, expand Data Collector Sets and then click User Defined.
4. Right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Performance.
6. Click Create manually (Advanced) and then click Next.
7. On the What type of data do you want to include? page, select the Performance counter check box and then click Next.
8. On the Which performance counters would you like to log? page, click Add.
9. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
10. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length and then click Add >>.
13. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.
14. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.
15. On the Which performance counters would you like to log? page, in the Sample interval box, type 1 and then click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set? page, click Save and close and then click Finish.

Task 2: Start the Data Collector Set


In Performance Monitor, in the Results pane, right-click NYC-SVR1 Performance and then click Start.


Task 3: Create workload on the server


1. Click Start, and in the Search box, type cmd.exe and press ENTER.
2. At the command prompt, type the following command and press ENTER:
   Fsutil file createnew bigfile 104857600
3. At the command prompt, type the following command and press ENTER:
   Copy bigfile \\nyc-dc1\c$
4. At the command prompt, type the following command and press ENTER:
   Copy \\nyc-dc1\c$\bigfile bigfile2
5. At the command prompt, type the following command and press ENTER:
   Del bigfile*.*
6. At the command prompt, type the following command and press ENTER:
   Del \\nyc-dc1\c$\bigfile*.*
7. Do not close the command prompt.

Task 4: Analyze collected data


1. Switch to Performance Monitor.
2. In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click NYC-SVR1 Performance, double-click the NYC-SVR1_date-000001 folder, and then double-click DataCollector01.blg.
8. Click the Data tab and then click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow and then click Report.
17. Record the values listed in the report for analysis later.

Results: After this exercise, you should have established a baseline.


Exercise 2: Identifying the Source of a Performance Problem


Task 1: Load a new program on the server
1. On NYC-SVR1, switch to the command prompt.
2. At the command prompt, type the following command and press ENTER:
   C:
3. At the command prompt, type the following command and press ENTER:
   Cd\Labfiles

Task 2: Configure the load on the server


At the command prompt, type the following command and press ENTER:
StressTool 95

Task 3: Start the data collector set again


1. Switch to Performance Monitor.
2. In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR1 Performance, and then click Start.
3. Wait for one minute to allow data to be captured.

Task 4: Stop the running program


1. After one minute, switch to the command prompt.
2. Press Ctrl+C.
3. Close the command prompt.

Task 5: View performance data


1. Switch to Performance Monitor.
2. In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.
9. Click the Data tab and then click OK.

Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.


Task 6: Analyze results and draw a conclusion


Question: Compared with your previous report, which values have changed?
Answer: Memory and disk activity are reduced; however, processor activity has increased significantly.

Question: What would you recommend?
Answer: Continue to monitor the server to ensure that the processor workload does not reach capacity.

Results: After this exercise, you should have identified a potential bottleneck.


Exercise 3: Centralizing Events Logs


Task 1: Configure the source computer
1. On NYC-SVR1, open a command prompt.
2. At the command prompt, type the following command and then press ENTER:
   winrm quickconfig
3. When prompted, type Y and press ENTER.
4. Click Start, right-click Computer, and then click Manage.
5. In Server Manager, in the navigation pane, expand Configuration, expand Local Users and Groups, and then click Groups.
6. In the results pane, double-click Administrators.
7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.
8. In the Object Types dialog box, select the Computers check box, and then click OK.
9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type nyc-dc1 and then click OK.
10. In the Administrators Properties dialog box, click OK.

Task 2: Configure the collector computer


1. Switch to NYC-DC1.
2. Click Start, and in the Search box, type cmd.exe and press ENTER.
3. At the command prompt, type the following command and then press ENTER:
   Wecutil qc
4. When prompted, type Y and press ENTER.

Task 3: Create a subscribed log


1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. In the Event Viewer, in the navigation pane, click Subscriptions.
3. Right-click Subscriptions and then click Create Subscription.
4. In the Subscription Properties dialog box, in the Subscription name box, type NYC-SVR1 Events.
5. Click Collector Initiated and then click Select Computers.
6. In the Computers dialog box, click Add Domain Computers.
7. In the Select Computer dialog box, in the Enter the object name to select box, type NYC-SVR1 and then click OK.
8. In the Computers dialog box, click OK.
9. In the Subscription Properties NYC-SVR1 Events dialog box, click Select Events.
10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.
11. In the Logged list, click Last 7 days.
12. In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box and then click OK.
13. In the Subscription Properties NYC-SVR1 Events dialog box, click OK.

Task 4: Create a data collector set with an alert counter


1. Switch to the NYC-SVR1 computer.
2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.
3. Right-click User Defined, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Alert.
5. Click Create manually (Advanced) and then click Next.
6. On the What type of data do you want to include? page, click Performance Counter Alert and then click Next.
7. On the Which performance counters would you like to monitor? page, click Add.
8. In the Available counters list, expand Processor, click %Processor Time, click Add >>, and then click OK.
9. On the Which performance counters would you like to monitor? page, in the Alert when list, click Above.
10. In the Limit box, type 10 and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In the navigation pane, expand the User Defined node, and then click NYC-SVR1 Alert.
13. In the Results pane, right-click DataCollector01 and then click Properties.
14. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1 and then click the Alert Action tab.
15. Select the Log an entry in the application event log check box and then click OK.
16. In the navigation pane, right-click NYC-SVR1 Alert and then click Start.
17. Click Start, and then in the Search box, type cmd.exe and press ENTER.
18. At the command prompt, type the following command and press ENTER:
   C:
19. At the command prompt, type the following command and press ENTER:
   Cd\Labfiles
20. At the command prompt, type the following command and press ENTER:
   StressTool 95
21. Wait for one minute to allow for alerts to be generated.
22. Press Ctrl+C.
23. Close the command prompt.

Task 5: Check the subscribed log for performance-related alerts


1. Switch to NYC-DC1.
2. In Event Viewer, in the navigation pane, expand Windows Logs.
3. Click Forwarded Events.

Question: Are there any performance-related alerts?
Answer: Answers may vary, but there should be some events that relate to the imposed workload on NYC-SVR1.

Results: At the end of this exercise, you will have centralized event logs.

Preparing for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-SVR1.
