6421BD ENU LabManual
MICROSOFT LEARNING PRODUCT
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Module 1
Lab Instructions: Planning and Configuring IPv4
Contents:
Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices
Exercise 2: Implementing and Verifying IPv4 in the Branch Office
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
You are a network engineer for Contoso Ltd. You must select a suitable IPv4 addressing scheme for a branch office deployment and then implement elements of the scheme. The branch will initially use manually assigned IPv4 addresses, although it is planned that they will implement DHCP in the future. Once you have determined the appropriate configuration, you are required to configure the client workstations according to your plan.
For this project, you must complete the following tasks:
   Plan a suitable IPv4 subnet scheme for branch offices.
   Implement and verify the IPv4 subnet scheme.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: IPv4 Addressing document, shown as follows.
Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW00602/1
Document Author: Charlotte Weiss
Date: 6th February
Requirements Overview
Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?
2. How many hosts will you deploy in each subnet?
3. What subnet mask will you use for each branch?
4. What are the subnet addresses for each branch?
5. What range of host addresses are in each branch?
Results: At the end of this exercise, you should have a completed IP addressing plan for the Contoso branch offices.
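The planning arithmetic behind the proposal questions can be checked with a short script. This is an added example, not part of the lab manual: the exhibit with the branch sizes is not reproduced on this page, so the three branches of 100 hosts each and their names are assumptions. Only the 172.16.16.0/20 block and the 25 percent growth figure come from the requirements.

```python
import ipaddress


def plan_branch_subnets(block, branch_hosts, growth_percent=25):
    """Carve one equal-size subnet per branch out of `block`.

    branch_hosts maps a branch name to the hosts deployed today. Every subnet
    is sized for the largest branch after growth, so one mask fits all branches.
    """
    network = ipaddress.ip_network(block)

    def with_growth(hosts):
        # Round up using integer maths to avoid float rounding surprises.
        return -(-hosts * (100 + growth_percent) // 100)

    needed = max(with_growth(h) for h in branch_hosts.values())
    # Smallest host-bit count n where 2**n - 2 usable addresses >= needed.
    host_bits = max(2, (needed + 1).bit_length())
    prefix = network.max_prefixlen - host_bits
    if prefix < network.prefixlen:
        raise ValueError(f"{needed} hosts per subnet do not fit in {network}")
    if len(branch_hosts) > 2 ** (prefix - network.prefixlen):
        raise ValueError(f"{network} cannot hold {len(branch_hosts)} /{prefix} subnets")

    plan = []
    subnets = network.subnets(new_prefix=prefix)
    for (branch, hosts), subnet in zip(branch_hosts.items(), subnets):
        plan.append({
            "branch": branch,
            "planned_hosts": with_growth(hosts),
            "subnet": str(subnet),
            "mask": str(subnet.netmask),
            "first_host": str(subnet.network_address + 1),
            "last_host": str(subnet.broadcast_address - 1),
            "usable": subnet.num_addresses - 2,
        })
    return plan


if __name__ == "__main__":
    # Assumed branch sizes; replace with the figures from the exhibit.
    branches = {"Branch 1": 100, "Branch 2": 100, "Branch 3": 100}
    for row in plan_branch_subnets("172.16.16.0/20", branches):
        print("{branch}: {subnet} mask {mask} hosts {first_host}-{last_host} "
              "({planned_hosts} planned, {usable} usable)".format(**row))
```
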
Results: At the end of this exercise, you will have configured the branch office subnet.
Module 2
Lab Instructions: Configuring and Troubleshooting DHCP
Contents:
Exercise 1: Selecting a Suitable DHCP Configuration
Exercise 2: Implementing DHCP
Exercise 3: Reconfiguring DHCP in the Head Office
Exercise 4: Testing the Configuration
Exercise 5: Troubleshooting DHCP Issues
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso is deploying DHCP to their branch offices. Fault tolerance is important, and you are tasked with configuring the DHCP services in the head office and branch offices to support the requirements.
For this project, you must complete the following tasks:
   Plan suitable DHCP configuration
   Install the DHCP server role on NYC-SVR2
   Configure scopes at head office and branch office DHCP servers
   Test client functionality with primary DHCP server online, and then simulate a connection failure with the head office
   Troubleshoot common DHCP issues
Branch Office Network Infrastructure Plan: DHCP
Document Reference Number: CW0703/1
Document Author: Charlotte Weiss
Date: 7th March
Requirements
Specify how you plan to implement DHCP to support your branch office requirements.
Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
2. Where do you propose to deploy these servers?
3. How do you propose to provide for fault tolerance of IP address allocation?
4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?
Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements
Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.
Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.
Activate scope
Results: At the end of this exercise, you will have configured the branch office DHCP server.
Activate scope
Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.
Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER. In the Frame Details pane, expand Dhcp. What is the ServerIP? Which server is this?
Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.
Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER. In the Frame Details pane, expand Dhcp. What is the ServerIP? Which server is this?
Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.
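The two OFFER inspections above can also be done on the raw DHCP payload. This is an added example, not part of the lab manual: it parses a DHCP message, reads `siaddr` and the Server Identifier option (54), and maps the answer to a list of expected servers. The packet, the 192.0.2.x addresses and the server labels are constructed for illustration.

```python
import socket
import struct

# Fixed BOOTP header (RFC 2131): 236 bytes, followed by the magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Walk the TLV option list; reject truncated or unterminated input."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                      # END
            return options
        if code == 0:                        # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    raise ValueError("option list is not terminated by END (255)")


def parse_dhcp(payload):
    """Parse a DHCP message (the UDP payload) into the fields the lab inspects."""
    if len(payload) < BOOTP.size + len(MAGIC_COOKIE):
        raise ValueError("payload too short for a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, bootfile) = BOOTP.unpack_from(payload)
    if payload[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = parse_options(payload[BOOTP.size + 4:])
    msg_type = options.get(53, b"")
    server_id = options.get(54, b"")
    return {
        "type": MESSAGE_TYPES.get(msg_type[0], "UNKNOWN") if len(msg_type) == 1 else None,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "offered_ip": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr),
        "server_id": socket.inet_ntoa(server_id) if len(server_id) == 4 else None,
        "client_mac": chaddr[:hlen].hex(":"),
    }


def identify_server(message, known_servers):
    """Name the server behind an OFFER; an unlisted server deserves a closer look."""
    if message["type"] != "OFFER":
        return None
    address = message["server_id"] or message["siaddr"]
    return known_servers.get(address, "UNKNOWN SERVER " + address)


def build_offer(server_ip, offered_ip, mac, xid=0x3903F326):
    """Build a constructed OFFER so the parser can be exercised offline."""
    header = BOOTP.pack(2, 1, 6, 0, xid, 0, 0x8000, bytes(4),
                        socket.inet_aton(offered_ip), socket.inet_aton(server_ip),
                        bytes(4), mac, bytes(64), bytes(128))
    options = (bytes([53, 1, 2]) +                              # message type: OFFER
               bytes([54, 4]) + socket.inet_aton(server_ip) +   # server identifier
               bytes([51, 4]) + struct.pack("!I", 691200) +     # lease time (seconds)
               b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    # Constructed addresses and labels, not the lab's real values.
    known = {"192.0.2.10": "head office DHCP server", "192.0.2.130": "branch DHCP server"}
    offer = parse_dhcp(build_offer("192.0.2.130", "192.0.2.150", bytes.fromhex("00155d000a01")))
    print(offer)
    print("Offer came from:", identify_server(offer, known))
```
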
Module 3
Lab Instructions: Configuring and Troubleshooting DNS
Contents:
Exercise 1: Selecting a DNS Configuration
Exercise 2: Deploying and Configuring DNS
Exercise 3: Troubleshooting DNS
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso is planning to improve their DNS infrastructure due to complaints from users about poor performance. In addition, Contoso is partnering with A Datum and name resolution must be optimized between these two organizations. Your task is to plan and implement the required changes.
For this project, you must complete the following tasks:
   Plan an appropriate DNS configuration.
   Configure a suitable DNS configuration.
   Verify and troubleshoot DNS.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Contoso Name Resolution Plan document.
Contoso Name Resolution Plan
Document Reference Number: GW1203/1
Document Author: Charlotte Weiss
Date: 12th March
Requirements Overview
1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.
2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.
Additional Information
1. No additional domain controllers are planned for the Contoso domain.
2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.
Proposals
1. How will you modify the DNS configuration for Contoso to address the first requirement?
2. How will you modify the DNS configuration for Contoso to address the second requirement?
3. Does either of the points in the additional information section raise any issues?
4. What is your proposed action plan for this project?
5. How will you distribute load among DNS servers?
Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.
Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.
3. 4.
5. Select Total Query Received and then click Add.
6. Select Total Query Received/sec, click Add, and then click OK.
7. Click Start, click Administrative tools, and then click DNS.
8. In the left pane, right-click NYC-DC1 and then click Properties.
9. Click the Monitoring tab.
10. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers and then click Test Now several times.
11. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool.
12. Return to the Server Manager console. The graph reflects the queries on the server.
13. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received.
14. Close Server Manager.
Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.
Module 4
Lab Instructions: Configuring and Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
   Exercise 1: Configuring a New IPv6 Network and Client
   Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network to Native IPv6
   Exercise 1: Transitioning to a Native IPv6 Network
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has decided to begin the process of migrating their network to IPv6. Your initial task is to prove the principle of the migration by configuring a single client computer for IPv6.
For this project, you must complete the following tasks:
   Configure a new IPv6 network and client.
   Configure an ISATAP Router to enable communication between an IPv4 network and an IPv6 network.
Close all open windows. Switch to NYC-DC1. Verify the Local Area Connection 2 properties: Default gateway: 10.10.0.1
6.
Note At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.
Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR
1. Switch to NYC-RTR.
2. Open a command prompt, and then type the following commands.
   netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled
   netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes
Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
1. Switch to NYC-CL2.
2. At the command prompt, type ipconfig and then press ENTER.
   Note: The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the command prompt.
Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.
Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Scenario
In this exercise, you will configure ISATAP to enable connectivity between the new IPv6 client and the remaining IPv4 clients, including NYC-DC1. The main tasks for this exercise are as follows:
1. Add the ISATAP entry in the DNS zone on NYC-DC1.
2. Configure the ISATAP router on NYC-RTR.
3. Enable the ISATAP interface on NYC-DC1.
4. Test connectivity.
3. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface index:
4. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=enabled advertise=enabled
5. At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
   netsh interface ipv6 add route 2001:db8:0:10::/64 isatap.Interface_Index publish=yes
6. Restart NYC-RTR and then log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
7. Open a command prompt, type ipconfig, and then press ENTER.
   Note: The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.
Note: The Tunnel adapter isatap {Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.
Switch to NYC-CL2. Open a command prompt and then type the following commands:
   Ping 2001:db8:0:10:0:5efe:10.10.0.10
   ipconfig
5. Open Windows Firewall with Advanced Security.
6. Create a new inbound rule with the following properties:
   Rule Type: Custom
   Program: Default
   Protocols and Ports: Protocol > ICMPv6
   Scope: Default
   Action: Default
   Profile: Default
   Name: Allow PING
7. Switch to NYC-DC1.
8. Open a command prompt, type Ping IPv6_address, and then press ENTER, where IPv6_address is the IPv6 address on NYC-CL2 that you noted earlier.
Results: At the end of this exercise, you will have configured ISATAP.
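The address pinged in this exercise, 2001:db8:0:10:0:5efe:10.10.0.10, follows the ISATAP layout: a /64 prefix, the 5efe marker, then the host's IPv4 address in the low 32 bits. This is an added example, not part of the lab manual: it builds such addresses and recovers the embedded IPv4 address, which is also a quick way to confirm that no ISATAP addresses remain after the conversion in Lab B. The address list in the demo is constructed.

```python
import ipaddress

ISATAP_MARKER = 0x00005EFE   # 00-00-5E-FE in the upper half of the interface ID
U_BIT = 0x02000000           # set when the embedded IPv4 address is globally unique


def isatap_address(prefix, ipv4):
    """Combine a /64 prefix and an IPv4 address into an ISATAP IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    upper = ISATAP_MARKER | (U_BIT if v4.is_global else 0)
    return ipaddress.IPv6Address(int(net.network_address) | (upper << 32) | int(v4))


def embedded_ipv4(address):
    """Return the IPv4 address inside an ISATAP address, or None if it is not ISATAP."""
    # Drop a zone index such as %12, which ipconfig appends to link-local addresses.
    addr = ipaddress.IPv6Address(str(address).split("%")[0])
    interface_id = int(addr) & 0xFFFFFFFFFFFFFFFF
    if ((interface_id >> 32) & ~U_BIT) != ISATAP_MARKER:
        return None
    return ipaddress.IPv4Address(interface_id & 0xFFFFFFFF)


def find_isatap(addresses):
    """Map every ISATAP-derived address in the list to its embedded IPv4 address."""
    found = {}
    for text in addresses:
        v4 = embedded_ipv4(text)
        if v4 is not None:
            found[text] = str(v4)
    return found


if __name__ == "__main__":
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.10"))
    # Constructed sample of addresses as they might be copied from ipconfig output.
    sample = [
        "fe80::5efe:10.10.0.1%12",           # ISATAP link-local on the router
        "2001:db8:0:10:0:5efe:10.10.0.10",   # ISATAP global address from this exercise
        "2001:db8:0:1::1",                   # native address, no embedded IPv4
        "fe80::215:5dff:fe00:a01%11",        # EUI-64 link-local, not ISATAP
    ]
    for address, v4 in find_isatap(sample).items():
        print(address, "->", v4)
```
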
Lab Setup
For this lab, you will use the available virtual machine environment. The virtual machines must be running following the completion of Lab A.
Lab Scenario
The pilot went well. Your manager has asked you to convert the network to IPv6. Your task is to disable ISATAP and enable native IPv6 routing. For this project, you must transition to a native IPv6 Network.
3. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
   Interface index:
4. Type the following commands, replacing Interface_Index with the number (and brackets {}) that you recorded earlier.
   netsh interface ipv6 set interface isatap.Interface_Index forwarding=disabled advertise=disabled
   netsh interface ipv6 delete route 2001:db8:0:10::/64 isatap.Interface_Index
3. Disable IPv4 on the Local Area Connection 2 by clearing the Internet Protocol Version 4 (TCP/IPv4) check box in the Local Area Connection 2 Properties.
4. Enable IPv6 on the Local Area Connection 2 by selecting the Internet Protocol Version 6 (TCP/IPv6) check box in the Local Area Connection 2 Properties.
At the command prompt, type ipconfig and then press ENTER. Note the new IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below.
   NYC-DC1 IPv6 address: _____________________________________________
4. Switch to NYC-CL2.
5. Open a command prompt, type Ping global_IP_address, and then press ENTER, where global_IP_address is the NYC-DC1 address that you noted previously.
6. At the command prompt, type ipconfig /all and then press ENTER. Note the IPv6 address (global address begins with 2001:) assigned to the Local Area Connection 2. Write down the IPv6 address in the space below.
   NYC-CL2 IPv6 address: _____________________________________________
7. Switch to NYC-DC1 and switch to the Command Prompt.
8. Open a command prompt, type Ping global_IP_address, and then press ENTER, where global_IP_address is the NYC-CL2 address that you noted previously.
Results: At the end of this exercise, you will have configured an IPv6 only network.
Module 5
Lab Instructions: Configuring and Troubleshooting Routing and Remote Access
Contents:
Lab A: Configuring and Managing Network Access
   Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
   Exercise 2: Configuring a Custom Network Policy
   Exercise 3: Create and Distribute a CMAK Profile
Lab B: Configuring and Managing DirectAccess
   Exercise 1: Configure the AD DS Domain Controller and DNS
   Exercise 2: Configure the PKI Environment
   Exercise 3: Configure the DirectAccess Clients and Test Intranet Access
   Exercise 4: Configure the DirectAccess Server
   Exercise 5: Verify DirectAccess Functionality
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. wants to implement a remote access solution for its employees so they can connect to the corporate network while away from the office. Contoso requires a network policy mandating that VPN connections are encrypted for security reasons. You are required to enable and configure the necessary server services to facilitate this remote access.
For this project, you must complete the following tasks:
   Configure Routing and Remote Access as a VPN remote access solution.
   Configure a custom Network Policy.
   Create and distribute a CMAK profile.
Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Scenario
In this exercise, you will install and configure the Network Policy and Access Services role to support the requirements of the Contoso, Ltd. workforce. The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role on 6421B-NYC-EDGE1.
2. Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP connections.
Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1
1. Switch to the NYC-EDGE1 virtual server.
2. Open Server Manager.
3. Add the Network Policy and Access Services role with the following role services:
   a. Network Policy Server
   b. Routing and Remote Access Services
Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients
1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local) and then click Configure and Enable Routing and Remote Access.
3. Use the following settings to configure the service:
   a. On the Configuration page, accept the defaults.
   b. On the Remote Access page, select the VPN check box.
   c. On the VPN Connection page, select the Public interface.
   d. On the IP Address Assignment page, select the From a specified range of addresses option.
   e. On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60.
   f. On the Managing Multiple Remote Access Servers page, accept the defaults.
   g. Accept any messages by clicking OK.
Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then right-click Ports, and then click Properties.
2. Use the following information to complete the configuration process:
   a. Number of WAN Miniport (SSTP) ports: 25
   b. Number of WAN Miniport (PPTP) ports: 25
   c. Number of WAN Miniport (L2TP) ports: 25
3. Click OK to confirm any prompts.
4. Close the Routing and Remote Access tool.
Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.
Ensure that the Secure VPN policy is the first in the list of any policies. Close the Network Policy Server tool.
Create a VPN with the following settings:
   a. Internet address to connect to: 131.107.0.2
   b. Name: Contoso VPN
5. Connect with the new VPN properties as follows:
   a. User name: Administrator
   b. Password: Pa$$w0rd
   c. Domain: Contoso
   Note: The VPN connects successfully.
Results: At the end of this exercise, you will have created and tested a VPN connection.
Switch to NYC-CL1 and connect the Contoso VPN. Copy the contents of C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso to \\nyc-dc1\Contoso Profile.
6. Run \\nyc-dc1\Contoso Profile\Contoso.exe and complete the wizard as follows:
   Make this connection available for = All users
   Add a shortcut on the desktop = true
7. Disconnect the Contoso VPN.
8. On the Desktop, double-click Contoso HQ Shortcut.
9. Connect with the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   The VPN connects successfully.
10. Disconnect and close all open windows.
Results: At the end of this exercise, you will have created and distributed a CMAK profile.
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
You are a server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce that carries laptops to stay connected. Your organization wants to provide a secure solution to protect data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central administration, and management of remote computers.
For this project, you must complete the following tasks:
   Configure AD DS and DNS to support DirectAccess.
   Configure the PKI environment.
   Configure the DirectAccess clients and test Intranet and Internet Access.
Lab Instructions
Due to the complexity of the steps involved in enabling and configuring DirectAccess, refer to the steps provided in the Lab Answer Key.
Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Module 6
Lab Instructions: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment
Exercise 4: Configuring and Testing the VPN
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso Ltd. is expanding its remote-access solution to all branch office employees. This will require multiple Routing and Remote Access servers that are located at different points to provide connectivity for its employees. You must use RADIUS to centralize authentication and accounting for the remote-access solution. You have been tasked with installing and configuring Network Policy Server into an existing infrastructure to be used for NAP, Wireless and Wired access, RADIUS, and RADIUS Proxy.
For this project, you must complete the following tasks:
   Install and configure the Network Policy Server role service
   Configure a RADIUS Client
   Configure Certificate auto-enrollment
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Scenario
In this exercise, you will install the Network Policy Server role to enable RADIUS on the NYC-DC1 computer. The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role.
2. Register NPS in AD DS.
3. Configure NYC-DC1 as a RADIUS server for VPN connections.
Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.
Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.
3. 4. 5. 6.
Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.
Modify the default settings of the new VPN connection:
   Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
   Data encryption: Maximum strength encryption (disconnect if server declines)
3. Connect with the new VPN properties as follows:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   Note: The VPN connects successfully.
4.
Results: At the end of this exercise, you will have verified the VPN solution.
Module 7
Lab Instructions: Implementing Network Access Protection
Contents:
Exercise 1: Configuring NAP Components
Exercise 2: Configuring Client Settings to Support NAP
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection (NAP). As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers. For this project, you must complete the following tasks: Configure NAP Server Components
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator.
11. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
12. Create a health policy with the following settings:
   Name: Compliant
   Client SHV checks: Client passes all SHV checks
   SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
   Name: Noncompliant
   Client SHV checks: Client fails one or more SHV checks
   SHVs used in this health policy: Windows Security Health Validator
14. Disable all existing network policies.
15. Configure a new network policy with the following settings:
   Name: Compliant-Full-Access
   Conditions: Health Policies = Compliant
   Access permissions: Access granted
   Settings: NAP Enforcement = Allow full network access
16. Configure a new network policy with the following settings:
   Name: Noncompliant-Restricted
   Conditions: Health Policies = Noncompliant
   Access permissions: Access granted
   Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.
   Settings:
      i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.
      ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
17. Disable existing connection request policies.
18. Create a new Connection Request Policy with the following settings:
   Policy name: VPN connections
   Type of network access server: Remote Access Server (VPN-Dial up)
   Conditions: Tunnel type = L2TP, SSTP, and PPTP
   Authenticate requests on this server = true
   Authentication methods:
      i. Select Override network policy authentication settings
      ii. Add Microsoft: Protected EAP (PEAP)
      iii. Add Microsoft: Secured password (EAP-MSCHAP v2)
      Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server
1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.
3. Use the following settings to complete configuration:
   a. Select Remote access (dial-up or VPN).
   b. Select the VPN check box.
   c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.
   d. IP Address Assignment: From a specified range of addresses: 10.10.0.100 > 10.10.0.110
4. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
5. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled. Close Network Policy Server management console and the Routing and Remote Access console.
   Default scope
   Action: Allow the connection
   Default profile
   Name: ICMPv4 echo request
Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.
2. Once you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
   Properties of this authentication type:
   i. Validate server certificate: true
   ii. Connect to these servers: false
   iii. Authentication method: Secured password (EAP-MSCHAP v2)
   iv. Enable Fast Reconnect: false
   v. Enforce Network Access Protection: true
3. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   c. View the details of the Windows Security Alert. Verify that the correct certificate information is displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
   a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
   b. Ping 10.10.0.10.
5. Disconnect the Contoso VPN.
6. Configure Windows Security Health Validator to require an antivirus application:
   a. Switch to NYC-EDGE1 and open Network Policy Server.
   b. Modify the Default Configuration of the Windows Security Health Validator so that An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify that your computer does not meet the health requirements of the NAP policy:
   a. Verify that a message is displayed in the Action Center stating that the computer does not meet security standards.
   b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.
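The policy logic configured in this lab, as a simplified model added here (it is not NPS code and not part of the lab manual). It shows why Access granted on Noncompliant-Restricted still leaves the client limited to 10.10.0.10. The check names firewall and antivirus, the NYC_CL1 state dictionary and the function names are assumptions made for the illustration.

```python
import ipaddress

# Health policies from the lab: each maps the SHV check results to a verdict.
HEALTH_POLICIES = {
    "Compliant": lambda results: all(results.values()),         # passes all SHV checks
    "Noncompliant": lambda results: not all(results.values()),  # fails one or more
}

# Network policies in processing order; the first policy whose condition
# matches is applied. Both grant access; only the enforcement setting differs.
NETWORK_POLICIES = [
    {"name": "Compliant-Full-Access", "health_policy": "Compliant",
     "enforcement": "full", "ip_filter": None},
    {"name": "Noncompliant-Restricted", "health_policy": "Noncompliant",
     "enforcement": "limited",
     "ip_filter": [ipaddress.ip_network("10.10.0.10/255.255.255.255")]},
]

# Constructed client state (assumption): firewall on, no antivirus installed.
NYC_CL1 = {"firewall": True, "antivirus": False}


def run_shv(required_checks, client_state):
    """Evaluate only the checks enabled in the SHV configuration."""
    return {check: bool(client_state.get(check, False)) for check in required_checks}


def evaluate(required_checks, client_state):
    """Return the matching network policy and the resulting quarantine state."""
    results = run_shv(required_checks, client_state)
    failed = sorted(check for check, ok in results.items() if not ok)
    for policy in NETWORK_POLICIES:
        if HEALTH_POLICIES[policy["health_policy"]](results):
            limited = policy["enforcement"] == "limited"
            return {
                "policy": policy["name"],
                "quarantine_state": "Restricted" if limited else "Not Restricted",
                "ip_filter": policy["ip_filter"],
                "failed_checks": failed,
            }
    # No policy matched: the connection is rejected.
    return {"policy": None, "quarantine_state": None,
            "ip_filter": [], "failed_checks": failed}


def can_reach(decision, destination):
    """Apply the policy's IP filter to a destination address."""
    if decision["policy"] is None:
        return False
    if decision["ip_filter"] is None:  # full network access
        return True
    address = ipaddress.ip_address(destination)
    return any(address in network for network in decision["ip_filter"])


if __name__ == "__main__":
    for checks in (["firewall"], ["firewall", "antivirus"]):
        decision = evaluate(checks, NYC_CL1)
        print(checks, decision["policy"], decision["quarantine_state"],
              "10.10.0.10 reachable:", can_reach(decision, "10.10.0.10"),
              "10.10.0.11 reachable:", can_reach(decision, "10.10.0.11"))
```
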
Module 8
Lab Instructions: Increasing Security for Windows Servers
Contents:
Exercise 1: Deploying a Windows Firewall Rule
Exercise 2: Implementing WSUS
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
You are a server administrator for Contoso and have been assigned two security related tasks. First, you must deploy a Windows Firewall rule to support new monitoring software that is used for your servers. Second, you must configure servers to start using updates that are distributed by a WSUS server.
4. Close the Group Policy Management Editor and then close the Group Policy Management tool.
Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.
Configure the Specify intranet Microsoft update service location setting as follows:
   Enabled
   Set the intranet update service for detecting updates: http://NYC-SVR1
   Set the intranet statistics server: http://NYC-SVR1
6. Configure the Automatic Updates detection frequency setting as follows:
   Enabled
   Check for updates at the following interval (hours): 22
7. Close the Group Policy Management Editor and then close the Group Policy Management tool.
8. On NYC-DC1, open a command prompt.
9. At the command prompt, type gpupdate /force and then press ENTER.
10. At the command prompt, type wuauclt /detectnow and then press ENTER.
11. Close the command window on NYC-DC1.
Results: After this exercise, you should have approved an update for NYC-DC1.
Module 9
Lab Instructions: Increasing Security for Network Communication
Contents:
Exercise 1: Selecting a Network Security Configuration
Exercise 2: Configuring IPsec to Authenticate Computers
Exercise 3: Testing IPsec Authentication
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. The application is secured by authenticating users by using a username and password. To enhance security, the director of Research wants the application to be accessible only from computers in the Research department. To meet the requirements specified by the director of Research, you will create a connection security rule that authenticates the computers in the Research department. Then, you will create a firewall rule that ensures only authenticated computers from the Research department can access the application. For this project, you must complete the following tasks: Configure IPsec to authenticate network communication for an application.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Research application security document.
Research application security
Document Reference Number: GW1605/1
Document Author: Charlotte Weiss
Date: 16th May
Requirements Overview
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must:
1. Create a connection security rule that authenticates the computers in the Research department.
2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application.
Additional Information
1. The application exists on NYC-SVR1.
2. The application is not configured to use SSL.
3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.
Proposals
1. How will you accomplish requirement 1?
2. How will you accomplish requirement 2?
3. Are there any additional tasks that you must perform?
Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.
Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU
1. Switch to NYC-DC1.
2. Open Active Directory Users and Computers.
3. Move NYC-CL1 and NYC-SVR1 from the Computers built-in container to the Research OU.
Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.
Open Internet Explorer and attempt to open the webpage at http://nyc-svr1. This is successful.
Module 10
Lab Instructions: Configuring and Troubleshooting Network File and Print Services
Contents:
Exercise 1: Creating and Configuring a File Share
Exercise 2: Encrypting and Recovering Files
Exercise 3: Creating and Configuring a Printer Pool
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
As a server administrator for Contoso, you are responsible for configuring the file and print services that are available to users. You have been assigned several tasks to perform:
1. Create and configure a new file share for multiple departments.
2. Configure a recovery agent for EFS encrypted files.
3. Configure a printer pool to enhance printing capacity.
Results: After this exercise, you should have created and configured a file share.
Results: After this exercise, you should have encrypted and recovered a file.
Create a second port with the following properties:
   Standard TCP/IP Port
   IP Address: 10.10.0.99
   Generic Network Card
Right-click MarketingGPO and edit.
Browse to \User Configuration\Preferences\Control Panel Settings\Printers.
Create a new shared printer with the following properties:
   Share path: \\NYC-DC1\PrinterPool
   Set this printer as the default printer
Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.
Module 11
Lab Instructions: Optimizing Data Access for Branch Offices
Contents:
Lab A: Implementing DFS
Exercise 1: Installing the DFS Role Service
Exercise 2: Configuring the Required Namespace
Exercise 3: Configuring DFS Replication
Lab B: Implementing BranchCache
Exercise 1: Performing Initial Configuration Tasks for BranchCache
Exercise 2: Configuring BranchCache Clients
Exercise 3: Configuring BranchCache on the Branch Server
Exercise 4: Monitoring BranchCache
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure DFS. To avoid the need to perform backups remotely, a departmental file share in the branch office will be replicated back to the head office for centralized backup. Data replicated to the head office should be read only. For this project, you must complete the following tasks:
   Install the DFS role service
   Configure the required namespace
   Configure DFS replication
Results: At the end of this exercise, you will have installed the required role services on both servers.
Task 1: Use the New Namespace Wizard to create the BranchDocs namespace
1. Switch to NYC-SVR1.
2. Open DFS Management.
3. Create a new namespace with the following properties:
   Server: NYC-SVR1
   Name: BranchDocs
   Namespace type: Domain-based namespace, and select Enable Windows Server 2008 mode
Results: At the end of this exercise, you will have created and verified the DFS namespace.
In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.
Create a new replication topology for the namespace:
   Type: Full mesh
   Schedule and bandwidth: defaults
3. In the details pane, on the Memberships tab, verify that the replicated folder is shown on NYC-DC1 and NYC-SVR1. Right-click NYC-DC1 and then click Make read-only.
Results: At the end of this exercise, you will have successfully configured DFS replication.
Lab Setup
Important: You must reconfigure the 6421B-NYC-CL2 computer onto the Private Network. Instructions are provided for this.
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. In Hyper-V Manager, click 6421B-NYC-CL2, and in the Actions pane, click Settings.
6. In the Settings for 6421B-NYC-CL2 dialog box, in the navigation pane, click Network Adapter.
7. In the Results pane, in the Network drop down list, click Private Network and then click OK.
Lab Scenario
Contoso has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN utilization out to the branch office, BranchCache will be configured for these data. For this project, you must complete the following tasks:
   Perform initial configuration tasks for BranchCache
   Configure BranchCache clients
   Configure BranchCache on the branch server
   Monitor and verify BranchCache
4. Create a new inbound firewall rule with the following properties:
   Rule type: predefined
   Use BranchCache Content Retrieval (Uses HTTP)
   Action: Allow
5. Create a new inbound firewall rule with the following properties:
   Rule type: predefined
   Use BranchCache Peer Discovery (Uses WSD)
   Action: Allow
Results: At the end of this exercise, you will have prepared the network environment for BranchCache.
10. Restart the computer. Log on as Contoso\Administrator with the password of Pa$$w0rd.
11. Open a command prompt and refresh the group policy settings (gpupdate /force).
12. At the command prompt window, type netsh branchcache show status all and then press ENTER.
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
6. At the command prompt window, type netsh branchcache show status all and then press ENTER.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
6. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
7. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified the function of BranchCache.
Module 12
Lab Instructions: Controlling and Monitoring Network Storage
Contents:
Exercise 1: Configuring FSRM Quotas
Exercise 2: Configuring File Screening
Exercise 3: Configuring File Classification and File Management
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso has recently decided to implement private home folders for each user. These folders will be an alternative storage location to centralized departmental file shares. Users can save documents in their home folders when there is no need for other users to access the files. For example, some users prefer not to show anyone reports until they are completed. For this project, you must complete the following tasks:
   Configure FSRM quotas to limit the size of home folders.
   Configure file screening to prevent storage of media files.
   Configure file classification and file management to remove official documents.
Results: After this exercise, you will have created and applied quotas to home folders.
Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.
Close Microsoft Word. On NYC-SVR1, in File Server Resource Manager, at the Classification Rules node, run the classification rules now. Review the Automatic Classification Report that is generated to verify that one official document is found. Run the Remove Official Documents file management task. Review the File Management Task Report and verify that one file was expired. Use Windows Explorer to browse the contents of C:\Expired Documents and verify that Test Document is there.
Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.
Module 13
Lab Instructions: Recovering Network Data and Servers
Contents:
Exercise 1: Configuring Shadow Copies
Exercise 2: Configuring a Scheduled Backup
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Recently, a new file server was implemented for the marketing department. Somehow in the planning process, no one considered how data on the server would be protected. You need to configure volume shadow copies on the server to simplify recovery of files. You also need to configure a scheduled backup for disaster recovery.
Save the Budget Planning document. On NYC-SVR1, create a new shadow copy of C:\.
6. On NYC-CL1, add the following bullets to the Budget Planning document:
   2014 - $1,500
   2015 - $2,000
7. Save the Budget Planning document.
8. On NYC-SVR1, create a new shadow copy of C:\.
9. On NYC-CL1, delete the Budget Planning Document.
Results: After this exercise, you will have enabled shadow copies for the Marketing file server.
Install the Windows Server Backup feature. Create a scheduled backup. Verify that two backups fit on the destination disk. Perform a test restore of a file.
Open Windows Explorer and browse to C:\Marketing to verify that the file is restored.
Results: After this exercise, you will have configured a scheduled backup and tested backup functionality.
Module 14
Lab Instructions: Monitoring Windows Server 2008 Network Infrastructure Servers
Contents:
Exercise 1: Establishing a Performance Baseline
Exercise 2: Identifying the Source of a Performance Problem
Exercise 3: Centralizing Events Logs
Lab Setup
For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6421B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Having recently deployed some new servers, it is important to establish a performance baseline with a typical load for these new servers. You are tasked with undertaking this project. In addition, to make the process of performance monitoring easier, you decide to implement a subscribed log for the new servers so that you can effortlessly determine server health. For this project, you must complete the following tasks:
   Establish a performance baseline for NYC-SVR1 under typical load conditions.
   Use Performance Monitor to identify resources that are affected by a new application that is running on NYC-SVR1.
   Centralize events logs within Contoso.
10. On the toolbar, click the down arrow and then click Report.
11. Record the values that are listed in the report for analysis later.
Recorded values:
   Memory, Pages/sec
   Network Interface, Bytes Total/sec
   PhysicalDisk, %Disk Time
   PhysicalDisk, Avg. Disk Queue Length
   Processor, %Processor Time
   System, Processor Queue Length
8. Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.
9. Click the Data tab and then click OK.
Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.
Recorded values:
   Memory, Pages/sec
   Network Interface, Bytes Total/sec
   PhysicalDisk, %Disk Time
   PhysicalDisk, Avg. Disk Queue Length
   Processor, %Processor Time
   System, Processor Queue Length
Results: After this exercise, you should have identified a potential bottleneck.
   Type of data: Performance counter Alert
   Select the following counters: Processor, %Processor Time above 10%
   Sample interval: 1 second
   Where to store data: default value
   Alert Action: Log an entry in the application event log
4. Start the NYC-SVR1 Alert data collector set.
5. Switch to the command prompt.
6. Change to the C:\Labfiles and run StressTool.exe 95.
7. Wait one minute for data to be captured, and then at the command prompt, press CTRL+C and then close the command prompt.
8. Close the command prompt.
Results: At the end of this exercise, you will have centralized event logs.
Module 1
Lab Answer Key: Planning and Configuring IPv4
Contents:
Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices
Exercise 2: Implementing and Verifying IPv4 in the Branch Office
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.
Branch Office Network Infrastructure Plan: IPv4 Addressing
Document Reference Number: GW00602/1
Document Author: Charlotte Weiss
Date: 6th February
Requirements Overview
Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit. The block address 172.16.16.0/20 has been reserved for this region. You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch. For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?
   Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. You also need to plan for growth of around 25 percent. Six subnets are required in the region to host computers, but an additional subnet for each location should be planned for to host the growth in computers. This is a total of nine subnets.
2. How many hosts will you deploy in each subnet?
   Answer: The specification states that you must deploy a maximum of 50 host computers for each subnet.
3. What subnet mask will you use for each branch?
   Answer: The current network address for the region is 172.16.16.0/20. This leaves 12 bits to allocate to subnets and hosts. To express 9 subnets, you would require 4 bits, since 3 bits only provides for 8 subnets. Four bits actually provides for 16 subnets, which is plenty. This is a decimal mask of 255.255.255.0.
4. What are the subnet addresses for each branch?
   Answer:
   Branch 1: 172.16.16.0/24 172.16.17.0/24 172.16.18.0/24
   Branch 2: 172.16.19.0/24 172.16.20.0/24 172.16.21.0/24
   Branch 3: 172.16.22.0/24 172.16.23.0/24 172.16.24.0/24
5. What range of host addresses are in each branch?
   Answer:
   Branch 1:
   172.16.16.1 > 172.16.16.254
   172.16.17.1 > 172.16.17.254
   172.16.18.1 > 172.16.18.254
   Branch 2:
   172.16.19.1 > 172.16.19.254
   172.16.20.1 > 172.16.20.254
   172.16.21.1 > 172.16.21.254
   Branch 3:
   172.16.22.1 > 172.16.22.254
   172.16.23.1 > 172.16.23.254
   172.16.24.1 > 172.16.24.254
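The arithmetic behind answers 1 to 5, carried through with Python's ipaddress module. This is an added example, not part of the lab answer key; the function names are assumptions, and the inputs (172.16.16.0/20, three branches, three subnets per branch, 50 hosts per subnet, 300 computers, 25 percent growth) are taken from the answers above.

```python
import ipaddress


def describe(net):
    """Subnet address plus the first and last usable host address."""
    return {
        "subnet": str(net),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
    }


def plan_region(block, branches, subnets_per_branch, max_hosts_per_subnet,
                current_hosts, growth_pct):
    """Split a regional block into equal subnets and hand them out per branch."""
    region = ipaddress.ip_network(block)
    needed = branches * subnets_per_branch

    # Smallest number of subnet bits that can express `needed` subnets:
    # 8 subnets fit in 3 bits, 9 subnets need 4.
    subnet_bits = (needed - 1).bit_length()
    new_prefix = region.prefixlen + subnet_bits
    if new_prefix > 30:
        raise ValueError("block is too small for %d subnets" % needed)

    subnets = list(region.subnets(new_prefix=new_prefix))
    if subnets[0].num_addresses - 2 < max_hosts_per_subnet:
        raise ValueError("subnets are too small for %d hosts" % max_hosts_per_subnet)

    plan = {}
    for index in range(branches):
        chunk = subnets[index * subnets_per_branch:(index + 1) * subnets_per_branch]
        plan["Branch %d" % (index + 1)] = [describe(net) for net in chunk]

    # Hosts to accommodate after growth, rounded up, against the capacity
    # of the planned subnets at the per-subnet host limit.
    hosts_required = (current_hosts * (100 + growth_pct) + 99) // 100
    return {
        "subnet_bits": subnet_bits,
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "available_subnets": len(subnets),
        "spare_subnets": len(subnets) - needed,
        "hosts_required": hosts_required,
        "hosts_capacity": needed * max_hosts_per_subnet,
        "plan": plan,
    }


def lab_plan():
    """The plan for the values given in the proposal document."""
    return plan_region("172.16.16.0/20", branches=3, subnets_per_branch=3,
                       max_hosts_per_subnet=50, current_hosts=300, growth_pct=25)


if __name__ == "__main__":
    result = lab_plan()
    print("mask", result["mask"], "spare subnets", result["spare_subnets"])
    for branch, nets in result["plan"].items():
        for net in nets:
            print(branch, net["subnet"], net["first_host"], ">", net["last_host"])
```
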
Results: At the end of this exercise, you should have completed an IP addressing plan for the Contoso branch offices.
4. What is the IPv4 address and subnet mask listed that starts 172.16? Answer: 172.16.16.1/255.255.255.0
6. What would the last host address in this subnet be? Answer: 172.16.16.254
4. Double-click Reconfigure.cmd.
5. Close Explorer.
6. Click Start, and in the Search box, type cmd.exe and press ENTER.
7. At the command prompt, type the following command and then press ENTER:
   Ipconfig /all
8. What is the IPv4 address and subnet mask? Answer: 169.254.x.y (the answer will vary).
9. What does this tell you? Answer: The client is attempting to obtain an IP address dynamically and has failed to connect to a DHCP server.
In the Local Area Connection 3 Properties dialog box, click Close. If prompted with the Set Network Location dialog box, click Work network, and then click Close.
3. What is the IPv4 address and subnet mask? Answer: 172.16.16.x/255.255.255.0 (answers might vary).
4. At the command prompt, type the following command and then press ENTER:
   Ping nyc-dc1
5. At the command prompt, type the following command and then press ENTER:
   Ipconfig /displaydns
7. At the command prompt, type the following command and then press ENTER:
   Ping nyc-dc1
8. At the command prompt, type the following command and then press ENTER:
   Ipconfig /displaydns
10. What type of frames can you see? Answer: Might vary, but may include BROWSER, ARP, TCP, and ICMP frames.
11. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.
12. Point to Standard Filters, click Addresses, and then click IPv4 Addresses.
13. Scroll through the text and locate the IPv4.Address == 192.168.0.100 line. Edit the IPv4 address to read 10.10.0.10.
14. On the menu in the Display Filter pane, click Apply.
15. Examine the filtered records.
16. Click Clear Text and click Remove.
17. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.
18. Point to Standard Filters, click DNS, and then click DnsQueryName.
19. Scroll through the text and locate the DNS.Qrecord.QuestionName.contains = = (server) line. Edit the server name to read (contoso)
20. On the menu in the Display Filter pane, click Apply.
21. Examine the filtered records.
22. What do the records show? Answer: A query for a site name. (Answers might vary)
23. Close Network Monitor.
Results: At the end of this exercise, you will have configured the branch office subnet.
Module 2
Lab Answer Key: Configuring and Troubleshooting DHCP
Contents:
Exercise 1: Selecting a Suitable DHCP Configuration
Exercise 2: Implementing DHCP
Exercise 3: Reconfiguring DHCP in the Head Office
Exercise 4: Testing the Configuration
Exercise 5: Troubleshooting DHCP Issues
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.
Branch Office Network Infrastructure Plan: DHCP
Document Reference Number: CW0703/1
Document Author: Charlotte Weiss
Date: 7th March
Requirements
Specify how you plan to implement DHCP to support your branch office requirements.
Additional Information
It is important that any router, server, or communications link failure does not adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
   Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. However, for fault tolerance, each branch should have a DHCP server with duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule; this would provide for addressing fault tolerance.
2. Where do you propose to deploy these servers?
   Answer: One DHCP server in each branch office and one in the head office.
3. How do you propose to provide for fault tolerance of IP address allocation?
   Answer: Configure the scopes to support the 80/20 rule.
4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?
   Answer: They will obtain an IP configuration from the head office server. This requires a DHCP relay on the router that connects the head office to the branch.
Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.
10. On the Add or Edit DHCP Scopes page, click Next.
11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next.
12. On the Authorize DHCP Server page, click Skip authorization of this DHCP server in AD DS and then click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close and then close Server Manager.
10. In the DHCP Relay Properties Local Area Connection 3 Properties dialog box, click OK.
11. Right-click DHCP Relay Agent and then click Properties.
12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.
13. Close Routing and Remote Access.
On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   Start IP address: 172.16.16.200
   End IP address: 172.16.16.254
6. On the Lease Duration page, click Next.
7. On the Configure DHCP Options page, click Next.
8. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.
9. On the Domain Name and DNS Servers page, click Next.
10. On the WINS Servers page, click Next.
11. On the Activate Scope page, click Next.
12. On the Completing the New Scope Wizard page, click Finish.
Results: At the end of this exercise, you will have configured the branch office DHCP server.
On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:
   Start IP address: 172.16.16.4
   End IP address: 172.16.16.199
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.
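A check of the two exclusion ranges above against the 80/20 rule: the pools must not overlap (two servers leasing the same address), must not leave addresses unserved, and must not contain the router address. This is an added example, not part of the lab manual. The scope range 172.16.16.4 to 172.16.16.254 is an assumption, since the page shows only the exclusions, and the server labels follow the Results lines of the two exercises.

```python
import ipaddress


def _to_int(address):
    return int(ipaddress.IPv4Address(address))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def leasable(scope, exclusions):
    """Addresses a server can lease: the scope minus its exclusion ranges."""
    pool = set(range(_to_int(scope[0]), _to_int(scope[1]) + 1))
    for start, end in exclusions:
        pool -= set(range(_to_int(start), _to_int(end) + 1))
    return pool


def audit_split_scope(scope, servers, static_addresses=()):
    """Compare the pools of several servers that share one scope."""
    pools = {name: leasable(scope, excl) for name, excl in servers.items()}
    names = sorted(pools)

    # Addresses that more than one server would hand out.
    overlap = set()
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            overlap |= pools[first] & pools[second]

    covered = set().union(*pools.values())
    whole = set(range(_to_int(scope[0]), _to_int(scope[1]) + 1))
    total = len(covered)
    return {
        "sizes": {n: len(pools[n]) for n in names},
        "share_pct": {n: round(100 * len(pools[n]) / total, 1) if total else 0.0
                      for n in names},
        "overlap": [_to_str(v) for v in sorted(overlap)],
        "unserved": [_to_str(v) for v in sorted(whole - covered)],
        "static_in_pool": [a for a in static_addresses if _to_int(a) in covered],
    }


# Assumed scope range; the exclusions are the ones entered in the wizard.
SCOPE = ("172.16.16.4", "172.16.16.254")
LAB_SERVERS = {
    "branch": [("172.16.16.200", "172.16.16.254")],
    "head office": [("172.16.16.4", "172.16.16.199")],
}
ROUTER = ("172.16.16.1",)  # default gateway set on both scopes


def lab_audit():
    return audit_split_scope(SCOPE, LAB_SERVERS, ROUTER)


if __name__ == "__main__":
    for key, value in lab_audit().items():
        print(key, value)
```
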
10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
11. Click Obtain DNS server address automatically and then click OK.
12. In the Local Area Connection 3 Properties dialog box, click OK.
4. In Microsoft Network Monitor 3.4, click New Capture.
5. On the Capture 2 tab, on the menu bar, click Start.
6. At the command prompt, type the following command and then press ENTER:
Ipconfig /renew
7. In Microsoft Network Monitor 3.4, on the menu, click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter DNS.
8. In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply.
9. Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.
10. In the Frame Details pane, expand Dhcp.
11. What is the ServerIP? Answer: 10.10.0.10
12. Which server is this? Answer: NYC-DC1
Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.
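The check in steps 9 to 12, reading the OFFER frame to see which server answered, can also be done in code. The following is an added example, not part of the lab manual: it parses a DHCP payload and maps the responding server to a known name. The sample OFFER bytes, the offered address, the relay address and the KNOWN_SERVERS table are constructed for the demo; only 10.10.0.10 / NYC-DC1 comes from the lab.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Assumption: allow-list of DHCP servers expected on this network.
# 10.10.0.10 / NYC-DC1 is the value from the lab; add other servers as needed.
KNOWN_SERVERS = {"10.10.0.10": "NYC-DC1"}


def build_sample_offer(server_ip, offered_ip, relay_ip):
    """Build a constructed DHCP OFFER payload (BOOTP header plus options)."""
    def pack_ip(text):
        return ipaddress.IPv4Address(text).packed

    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 1,                      # op=BOOTREPLY, Ethernet, hlen=6, hops=1
        0x1234ABCD, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        pack_ip("0.0.0.0"),              # ciaddr
        pack_ip(offered_ip),             # yiaddr: address offered to the client
        pack_ip(server_ip),              # siaddr
        pack_ip(relay_ip),               # giaddr: relay agent that forwarded it
        bytes.fromhex("00155d000001"),   # chaddr (constructed MAC, zero padded)
        b"", b"")                        # sname and file, unused
    options = (bytes([53, 1, 2])                             # message type: OFFER
               + bytes([54, 4]) + pack_ip(server_ip)         # server identifier
               + bytes([51, 4]) + struct.pack("!I", 691200)  # lease time (s)
               + bytes([255]))                               # end option
    return header + MAGIC_COOKIE + options


def parse_options(data):
    """Walk the type-length-value option list; reject truncated options."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad option
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(payload):
    """Return the fields needed to tell which server sent a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s", payload[16:28])
    options = parse_options(payload[240:])

    def ip_or_none(raw):
        return str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None

    msg_type = options.get(53)
    return {
        "message_type": MESSAGE_TYPES.get(msg_type[0]) if msg_type else None,
        "your_ip": ip_or_none(yiaddr),
        "server_ip": ip_or_none(siaddr),             # BOOTP header field
        "server_id": ip_or_none(options.get(54)),    # Server Identifier option
        "relay_ip": ip_or_none(giaddr),
    }


def identify_server(info):
    """Name the responding server, or 'UNKNOWN' if it is not on the allow-list."""
    address = info["server_id"] or info["server_ip"]
    return KNOWN_SERVERS.get(address, "UNKNOWN")


if __name__ == "__main__":
    offer = build_sample_offer("10.10.0.10", "172.16.16.200", "172.16.16.1")
    info = parse_dhcp(offer)
    print(info, "->", identify_server(info))
```

An OFFER whose server address is not in the allow-list comes back as UNKNOWN, which is the case worth investigating on a segment where only known DHCP servers should answer.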
Module 3
Lab Answer Key: Configuring and Troubleshooting DNS
Contents:
Exercise 1: Selecting a DNS Configuration
Exercise 2: Deploying and Configuring DNS
Exercise 3: Troubleshooting DNS
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Contoso Name Resolution Plan document.

Contoso Name Resolution Plan
Document Reference Number: GW1203/1
Document Author: Charlotte Weiss
Date: 12th March

Requirements Overview
1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.
2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.

Additional Information
1. No additional domain controllers are planned for the Contoso domain.
2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.

Proposals
1. How will you modify the DNS configuration for Contoso to address the first requirement?
Answer: Add a DNS server.
2. How will you modify the DNS configuration for Contoso to address the second requirement?
Answer: Create either a stub zone for Adatum.com or configure conditional forwarding for Adatum.com.
3. Does either of the points in the additional information section raise any issues?
Answer: AD-integrated zones are inappropriate for this scenario; if no additional domain controllers are planned, secondary zones should be configured. Stub zones require less administrative effort in the event of changes in the DNS configuration of the target DNS domain.
4. What is your proposed action plan for this project?
Answer: Deploy the DNS role to NYC-SVR1. Create a secondary zone on NYC-SVR1 for Contoso.com. Enable and configure zone transfers to NYC-SVR1. Ensure that the zone data transfers successfully.
5. How will you distribute load among DNS servers?
Answer: Configure DHCP to allocate both DNS server addresses to clients
Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.
Click Next, and on the Completing the New Zone Wizard page, click Finish.
4. At the command prompt, type the following command and then press ENTER:
Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10
5. Click Start, point to Administrative Tools, and then click DNS.
6. In DNS Manager, in the navigation pane, expand NYC-SVR1 and then click Forward Lookup Zones. Notice the two zones.
4. In DNS Manager, in the navigation pane, expand Forward Lookup Zones, expand Contoso.com.
5. Right-click Contoso.com and then click Properties.
6. In the Contoso.com Properties dialog box, click the Zone Transfers tab.
7. Click Notify, and verify that the server 10.10.0.24 is listed.
8. Click Cancel.
Note: It might take a few minutes to appear.
Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.
3. At the command prompt, type the following command and then press ENTER:
set querytype=SOA
4. At the command prompt, type the following command and then press ENTER:
Contoso.com
4. In the command prompt, type the following command and then press ENTER:
Cd\Labfiles\Mod03
5. In the command prompt, type the following command and then press ENTER:
dnslint /s 10.10.0.10 /d Contoso.com
6. Read through the report results and then close the report window.
7. Close the command prompt.
10. Click the Monitoring tab.
11. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers, and then click Test Now several times.
12. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool.
13. Return to the Server Manager console. The graph reflects the queries on the server.
14. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received.
15. Close the Server Manager console.
Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.
Module 4
Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP
Contents:
Lab A: Configuring an ISATAP Router
Exercise 1: Configuring a New IPv6 Network and Client
Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network
Lab B: Converting the Network to Native IPv6
Exercise 1: Transitioning to a Native IPv6 Network
In the Local Area Connection 3 Properties box, click OK. Close all open windows on NYC-CL2. Switch to NYC-DC1.
10. Click Start, and in the Search box, type Network and sharing and then press ENTER.
11. In Network and Sharing Center, click Change adapter settings.
12. In Network Connections, right-click Local Area Connection 2 and then click Properties.
13. Double-click Internet Protocol Version 4 (TCP/IPv4).
14. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, verify that the Default gateway is 10.10.0.1. Click OK.
15. In the Local Area Connection 2 Properties box, click OK and then close all open windows on NYC-DC1.
6. After NYC-RTR restarts, log on with the following credentials:
User name: Administrator
Password: Pa$$w0rd
Note: At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.
Note: The output should be a link-local IPv6 address that starts with fe80.
Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR
1. Switch to NYC-RTR.
2. Click Start, and in the Search box, type cmd.exe and then press ENTER.
3. At the command prompt, type the following command and then press ENTER:
netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled
4. At the command prompt, type the following command and then press ENTER:
netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes
Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network
1. Switch to NYC-CL2.
2. At the command prompt, type the following command and then press ENTER:
ipconfig
Note: The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.
3. Close the command prompt.
Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.
Exercise 2: Configuring an ISATAP Router to Enable Communication between an IPv4 Network and an IPv6 Network
Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1
1. Switch to NYC-DC1.
2. Click Start, click Administrative Tools, and then click DNS.
3. In the left pane, expand NYC-DC1.
4. Expand Forward Lookup Zones, select and then right-click Contoso.com, and then click New host (A or AAAA).
5. In the New Host dialog box, type ISATAP in the Name text box, and then type the IP address 10.10.0.1 (for NYC-RTR).
6. Click Add Host and then click OK.
7. Click Done and then close the DNS Manager.
4. At the command prompt, type the following command and then press ENTER:
ipconfig
5. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
Interface_Index: ___________________________
6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
netsh interface ipv6 set interface isatap.Interface_Index forwarding=enabled advertise=enabled
7. At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:
netsh interface ipv6 add route 2001:db8:0:10::/64 isatap.Interface_Index publish=yes
8. Restart NYC-RTR.
9. Log on using the following credentials:
User name: Administrator
Password: Pa$$w0rd
10. Click Start, and in the Search box, type cmd.exe and then press ENTER.
11. At the command prompt, type the following command and then press ENTER:
ipconfig
Note: The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.
4. At the command prompt, type the following command and then press ENTER:
ipconfig
Note: The Tunnel adapter isatap.{Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.
10. Switch to NYC-CL2.
11. Click Start, and in the Search box, type cmd.exe and then press ENTER.
12. At the command prompt, type the following command and then press ENTER:
Ping 2001:db8:0:10:0:5efe:10.10.0.10
13. At the command prompt, type the following command and then press ENTER:
ipconfig
14. What is the IPv6 address? Answer: Answers vary, but will start 2001:db8:0:1:.
15. Click Start, and in the Search box, type Windows Firewall and then press ENTER.
16. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.
17. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.
18. On the Program page, click Next.
19. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.
20. On the Scope page, click Next.
21. On the Action page, click Next.
22. On the Profile page, click Next.
23. On the Name page, in the Name box, type Allow PING and then click Finish.
24. Switch to NYC-DC1.
25. At the command prompt, type the following command, and then press ENTER:
Ping IPv6_address
Where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier.
Results: At the end of this exercise, you will have configured ISATAP.
4. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets); you will need it in a moment.
Interface_Index: ______________________________
5. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:
netsh interface ipv6 set interface isatap.Interface_Index forwarding=disabled advertise=disabled
6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:
netsh interface ipv6 delete route 2001:db8:0:10::/64 isatap.Interface_Index
2. At the command prompt, type the following command and then press ENTER:
netsh interface ipv6 add route 2001:db8:0:0::/64 "Local Area Connection 2" publish=yes
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK. Close all open windows.
5. Switch to NYC-DC1.
6. Click Start, and in the Search box, type network and sharing and then press ENTER.
7. In the Network and Sharing Center, click Change adapter settings.
8. In the Network Connections box, right-click Local Area Connection 2 and then click Properties.
9. In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box.
10. Select the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK. Close all open windows.
10. Click Start, and in the Search box, type cmd.exe and then press ENTER.
11. At the command prompt, type the following command and then press ENTER:
ipconfig
Note the new IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.
NYC-DC1 IPv6 address: _____________________________________________
12. Switch to NYC-CL2.
13. Click Start, and in the Search box, type cmd.exe and then press ENTER.
14. At the command prompt, type the following command and then press ENTER:
Ping global_IP_address
15. At the command prompt, type the following command and then press ENTER:
Ipconfig /all
Note the IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.
NYC-CL2 IPv6 address: _____________________________________________
16. Switch to NYC-DC1 and switch to the Command Prompt.
17. At the command prompt, type the following command and then press ENTER:
Ping global_IP_address
Where global_IP_address is the NYC-CL2 address that you noted previously.
Results: At the end of this exercise, you will have configured an IPv6 only network.
Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access
Module 5
Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access
Contents:
Lab A: Configuring and Managing Network Access
Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Exercise 2: Configuring a Custom Network Policy
Exercise 3: Create and Distribute a CMAK Profile
Lab B: Implementing DirectAccess
Exercise 1: Configure the AD DS Domain Controller and DNS
Exercise 2: Configure the PKI Environment
Exercise 3: Configure the DirectAccess Clients and Test Intranet Access
Exercise 4: Configure the DirectAccess Server
Exercise 5: Verify DirectAccess Functionality
Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients
1. On NYC-EDGE1, click Start and then click Administrative Tools.
2. From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote Access administrative tool appears.
3. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access.
4. Click Next on the wizard Welcome page.
5. On the Configuration page, leave the default Remote Access (dial-up or VPN) selected and click Next.
6. On the Remote Access page, select the VPN check box and click Next.
7. On the VPN Connection page, select the Public interface and then click Next.
8. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
9. On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.
10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use Routing and Remote Access to authenticate connection requests and click Next. Click Finish.
11. In the Routing and Remote Access dialog box, click OK.
12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The Routing and Remote Access service starts.
Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1 (local), select and then right-click Ports, and then click Properties.
2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).
3. In the Configure Device WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.
4. In the Routing and Remote Access dialog box, click Yes to continue.
5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure Device WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.
6. In the Routing and Remote Access dialog box, click Yes to continue.
7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).
8. Click OK in the Ports Properties dialog box.
9. Close the Routing and Remote Access administrative tool.
Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.
10. In the list pane of the Network Policy Server tool, click the Network Policies node.
11. If necessary, right-click the Secure VPN policy and then click Move Up. Repeat this step to make the policy the first in the list.
12. Close the Network Policy Server tool.
8. Configure the following IP address settings and then click OK:
IP Address: 131.107.0.20
Subnet mask: 255.255.255.0
Default gateway: 131.107.0.1
9. Click Close and then click the Back button to return to the Network and Sharing Center.
10. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.
11. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I'll set up an Internet connection later.
12. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.
13. On the Type your user name and password page, leave the user name and password blank and then click Create.
14. Click Close in the Connect to a Workplace dialog box.
15. In the Network and Sharing Center window, click Change adapter settings.
16. On the Network Connections page, right-click Contoso VPN and then click Connect.
17. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
The VPN connects successfully.
18. Right-click Contoso VPN and click Disconnect. The VPN disconnects.
19. Close all open windows on NYC-CL1.
Results: At the end of this exercise, you will have created and tested a VPN connection.
10. On the Create or Modify a VPN Entry page, click Next.
11. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box and then click Next.
12. On the Configure Dial-up Networking Entries page, click Next.
13. On the Specify Routing Table Updates page, click Next.
14. On the Configure Proxy Settings for Internet Explorer page, click Next.
15. On the Add Custom Actions page, click Next.
16. On the Display a Custom Logon Bitmap page, click Next.
17. On the Display a Custom Phone Book Bitmap page, click Next.
18. On the Display Custom Icons page, click Next.
19. On the Include a Custom Help File page, click Next.
20. On the Display Custom Support Information page, click Next.
21. On the Display a Custom License Agreement page, click Next.
22. On the Install Additional Files with the Connection Manager profile page, click Next.
23. On the Build the Connection Manager Profile and Its Installation Program page, click Next.
24. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.
10. In the Advanced Sharing dialog box, click OK.
11. In the Contoso Profile Properties dialog box, click Close.
12. Switch to NYC-CL1.
13. Click Start, and in the Search box, type Network and Sharing and then press ENTER.
14. In the Network and Sharing Center window, click Change adapter settings.
15. On the Network Connections page, right-click Contoso VPN and then click Connect.
16. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
The VPN connects successfully.
17. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.
18. Click Start, and in the Search box, type C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso.
19. Highlight all files in the open Explorer window and then press CTRL + C.
20. Switch to the \\NYC-DC1\Contoso Profile folder and press CTRL + V.
21. Close all open windows.
22. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.
23. Double-click the Contoso application.
24. In the Contoso HQ dialog box, click Yes.
25. On the Make this connection available for page, click All users, select the Add a shortcut on the desktop, and then click OK.
26. In the Contoso HQ dialog box, click Cancel.
27. In Network Connections, right-click Contoso VPN and click Disconnect.
28. On the desktop, double-click Contoso HQ Shortcut.
29. Use the following information in the Connect Contoso HQ text boxes and then click Connect:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
The VPN connects successfully.
30. Right-click Contoso HQ - Shortcut and click Disconnect. The VPN disconnects.
31. Close all open windows on NYC-CL1.
Results: At the end of this exercise, you will have created and distributed a CMAK profile.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.
10. Verify that NYC-CL1 is displayed below Members and then click OK.
11. Close the Active Directory Users and Computers console.
Question: Why did you create the DA_Clients group?
Answer: To enable the application of DirectAccess security settings to DirectAccess computers that are a member of this security group.
10. Click Next.
11. On the Scope page, click Next.
12. On the Action page, click Next.
13. On the Profile page, click Next.
14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests and then click Finish.
15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.
16. On the Rule Type page, click Custom and then click Next.
17. On the Program page, click Next.
18. On the Protocols and Ports page, for Protocol type, click ICMPv6 and then click Customize.
19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Allow the connection and then click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests and then click Finish.
25. Close the Group Policy Management Editor and Group Policy Management consoles.
Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.
10. Click Add.
11. In Location, type \\nyc-Edge1\crldist$\.
12. In Variable, click <CaName> and then click Insert.
13. In Variable, click <CRLNameSuffix> and then click Insert.
14. In Variable, click <DeltaCRLAllowed> and then click Insert.
15. In Location, type .crl at the end of the string and then click OK.
16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
17. Click Yes to restart Active Directory Certificate Services.
18. Close the Certification Authority console.
Question: What is the purpose of the certificate revocation list?
Answer: To enable DirectAccess clients and servers to determine whether issued certificates (used for authentication) have been revoked.
10. Click the down-arrow for the Section drop-down list, and then browse to system.webServer\security\requestFiltering.
11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
12. In the details pane, click Apply.
13. Close Internet Information Services (IIS) Manager.
Question: Why do you make the CRL available on the DirectAccess server in the perimeter network?
Answer: So that Internet DirectAccess clients can access the CRL.
1. Click Start and then click Computer.
2. Double-click Local Disk (C:).
3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.
4. In the CRLDist Properties dialog box, click the Sharing tab and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, select Share this folder.
6. In Share name, add a dollar sign ($) to the end so that the share name is CRLDist$.
7. In the Advanced Sharing dialog box, click Permissions.
8. In the Permissions for CRLDist$ dialog box, click Add.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
10. In the Object Types dialog box, select Computers and then click OK.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1 and then click Check Names. Click OK.
12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control. Click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the CRLDist Properties dialog box, click the Security tab.
15. On the Security tab, click Edit.
16. In the Permissions for CRLDist dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select Computers. Click OK.
19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, click Check Names, and then click OK.
20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control and then click OK.
21. In the CRLDist Properties dialog box, click Close.
22. Close the Windows Explorer window.
3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
4. In the Publish CRL dialog box, click New CRL, and then click OK.
5. Click Start, type \\NYC-EDGE1\CRLDist$, and press ENTER.
6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.
7. Close the Windows Explorer window.
8. Close the Certification Authority console.
Click Start, type certtmpl.msc, and then press ENTER.
In the contents pane, right-click the Web Server template and then click Properties.
Click the Security tab and then click Authenticated Users.
In the Permissions for Authenticated Users window, click Enroll under Allow and then click OK.
Close the Certificate Templates console.
10. Click Share and then click Done.
11. Close the Local Disk window.
10. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.
11. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.
12. In Value, type nls.contoso.com and then click Add.
13. Click OK, click Enroll, and then click Finish.
14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.contoso.com was enrolled with Intended Purposes of Server Authentication.
15. Close the console window. When you are prompted to save settings, click No.
10. Click Next twice.
11. Select Computer, and then click Enroll. Click Finish.
12. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.
13. Close the console window. When you are prompted to save settings, click No.
Question: Why did you install a certificate on the client computer?
Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess server.
10. In the Value box, type nyc-edge1.contoso.com and then click Add.
11. Click OK, click Enroll, and then click Finish.
12. In the details pane of the Certificates snap-in, verify that a new certificate with the name nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.
13. Right-click the certificate and then click Properties.
14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.
15. Close the console window. If you are prompted to save settings, click No.
1. Open a command prompt and type the following command, and then press ENTER:
GPUpdate /force
2. Close the command prompt.
3. Click Start, point to Administrative Tools, and then click DirectAccess Management.
4. In the console tree, click Setup. In the details pane, click Configure for step 1.
5. On the DirectAccess Client Setup page, click Add.
6. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.
7. Click Configure for step 2.
8. On the Connectivity page, for Interface connected to the Internet, select the interface named Public. For Interface connected to the internal network, select the Local Area Connection 2, and then click Next.
Note: If you receive a warning that the local area connection network adapter must be connected to a Domain network, close the Direct Access Management console. Open Server Manager and click Configure Network Connections. Disable the Local Area Connection and re-enable it. Restart the Direct Access Management console.
9. On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate and then click OK.
10. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and then click Finish.
11. Click Configure for step 3.
12. On the Location page, click Network Location server is run on a highly available server, type https://nls.contoso.com, click Validate, and then click Next.
13. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6 address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier (::0:5efe:10.10.0.10). Click Next.
14. On the Management page, click Finish.
15. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish.
16. Click Save and then click Finish.
17. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.
Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.
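Step 13 describes the NYC-DC1 address as a 6to4 prefix plus an ISATAP-based interface identifier, and the lab's ipconfig checks ("an ISATAP address that ends with 10.10.0.x") rely on the same layout. The following is an added example, not part of the lab manual, that decodes and builds such addresses with Python's ipaddress module. The function names are this example's own, and the 0200:5efe marker for non-private IPv4 addresses is taken from RFC 5214, not from the lab.

```python
import ipaddress

# Bytes 8..11 of an ISATAP address: 0000:5efe when the embedded IPv4 address
# is private, 0200:5efe when it is globally unique (RFC 5214).
ISATAP_MARKERS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def decode_transition_address(text):
    """Split an IPv6 address into its /64 prefix and any embedded IPv4 parts."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    prefix_int = int.from_bytes(raw[:8] + bytes(8), "big")
    isatap = None
    if raw[8:12] in ISATAP_MARKERS:
        # The last 32 bits of an ISATAP address are the host's IPv4 address.
        isatap = str(ipaddress.IPv4Address(raw[12:16]))
    sixtofour = addr.sixtofour        # None unless the prefix is in 2002::/16
    return {
        "prefix": str(ipaddress.IPv6Network((prefix_int, 64))),
        "sixtofour_ipv4": str(sixtofour) if sixtofour is not None else None,
        "isatap_ipv4": isatap,
        "link_local": addr.is_link_local,
    }


def isatap_address(prefix, ipv4):
    """Build the address an ISATAP host forms from a /64 prefix and its IPv4."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    marker = ISATAP_MARKERS[0] if v4.is_private else ISATAP_MARKERS[1]
    return ipaddress.IPv6Address(
        network.network_address.packed[:8] + marker + v4.packed)


def tunnel_endpoint_matches(ipv6_text, expected_ipv4):
    """The 'ISATAP address ends with <IPv4>' check from the ipconfig steps."""
    return decode_transition_address(ipv6_text)["isatap_ipv4"] == expected_ipv4


if __name__ == "__main__":
    # Addresses below are the ones quoted in the lab steps.
    for sample in ("2002:836b:2:1:0:5efe:10.10.0.10",
                   "2001:db8:0:10:0:5efe:10.10.0.10",
                   "fe80::5efe:10.10.0.1"):
        print(sample, decode_transition_address(sample))
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.24"))
```

Decoding 2002:836b:2:1:0:5efe:10.10.0.10 yields 131.107.0.2 from the 6to4 prefix and 10.10.0.10 from the interface identifier.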
Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access
Switch to INET1. Click Start, point to Administrative Tools, and then click DNS. In the console tree, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA). In the Name box, type crl. In IP address, type 131.107.0.2. Click Add Host, click OK, and then click Done. Close the DNS console.
Switch to NYC-SVR1. Click Start, click All Programs, click Accessories, and then click Command Prompt. At the command prompt, type the following command and then press ENTER:
net stop iphlpsvc
4. At the command prompt, type the following command and then press ENTER:
net start iphlpsvc
5. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.24.
ipconfig
6. Close the command prompt window.
7. Switch to NYC-DC1.
8. Click Start, click All Programs, click Accessories, and then click Command Prompt.
9. At the command prompt, type the following command and then press ENTER:
net stop iphlpsvc
10. At the command prompt, type the following command and then press ENTER:
net start iphlpsvc
11. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.10.
ipconfig
3. 4.
5. At the command prompt, type the following command and then press ENTER:
net stop iphlpsvc
6. At the command prompt, type the following command and then press ENTER:
net start iphlpsvc
7. At the command prompt, type the following command and then press ENTER. Verify that the client has been issued an ISATAP address that ends with 10.10.10.1.
ipconfig
8. At the command prompt, type the following command and then press ENTER:
Gpresult -R
9. Verify that one Direct Access Group Policy object is being applied to the client computer. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart NYC-CL1. After the computer restarts, log on as Administrator and run the Gpresult -R command again.
2. At the command prompt, type the following command and then press ENTER:
ping 2002:836b:2:1::5efe:10.10.0.10
3. At the command prompt, type the following command and then press ENTER:
ping 2002:836b:2:1::5efe:10.10.0.24
4. At the command prompt, type the following command and then press ENTER:
ping NYC-DC1.contoso.com
5. At the command prompt, type the following command and then press ENTER:
ping NYC-SVR1.contoso.com
6. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet. Click Network and Sharing Center. Click Change Adapter Settings. Right-click Local Area Connection 3 and then click Properties. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4). In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK.
   IP address: 131.107.0.10
   Subnet mask: 255.255.0.0
   Default gateway: 131.107.0.2
   Preferred DNS server: 131.107.0.1
7. In the Local Area Connection 3 Properties dialog box, click Close.
8. In Network Connections, right-click Local Area Connection 3 and then click Disable.
9. In Network Connections, right-click Local Area Connection 3 and then click Enable.
10. In the Set Network Location dialog box, click Public network and then click Close.
2. From the taskbar, click the Internet Explorer icon.
3. In the Address bar, type http://inet1.isp.example.com/ and then press ENTER. You should see the default IIS 7 Web page for INET1.
2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 web page for NYC-SVR1.
3. Close Internet Explorer.
4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.
5. In the Files shared folder window, double-click the example.txt file.
6. Close the example.txt - Notepad window and the Files shared folder window.
2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4 Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4 address that begins with 131.107. Notice that this tunnel interface has a default gateway of 2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6 traffic to EDGE1.
Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.
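The address arithmetic behind the 6to4 and ISATAP addresses checked in this lab (the contoso.com DNS entry, the "ends with 10.10.0.x" ipconfig checks, and the 6to4 default gateway), as an added Python example that is not part of the lab manual. The function names and the sample ipconfig text are constructed for illustration; the ::200:5efe form for globally unique IPv4 addresses comes from RFC 5214, not from this page.

```python
"""6to4 and ISATAP address arithmetic for the lab's addressing plan.

Added illustration: function names and SAMPLE_IPCONFIG are constructed here.
"""
import ipaddress
import re

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)      # upper 32 bits of an ISATAP interface ID (RFC 5214)


def sixtofour_prefix(public_v4):
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixtofour_host(public_v4):
    """Return 2002:WWXX:YYZZ::WWXX:YYZZ, the form the lab shows as the 6to4 gateway."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    base = int(sixtofour_prefix(public_v4).network_address)
    return ipaddress.IPv6Address(base | v4)


def isatap_address(prefix64, internal_v4, globally_unique=False):
    """Append the ISATAP interface identifier (0:5efe:w.x.y.z) to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    high = ISATAP_IID_HIGH[1] if globally_unique else ISATAP_IID_HIGH[0]
    iid = (high << 32) | int(ipaddress.IPv4Address(internal_v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode_tunnel_address(addr):
    """Recover the IPv4 addresses embedded in a 6to4 and/or ISATAP address."""
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    result = {"sixtofour_v4": None, "isatap_v4": None}
    if ip in SIXTOFOUR:
        # Bits 80..111 carry the public IPv4 address of the 6to4 site.
        result["sixtofour_v4"] = str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_IID_HIGH:
        # The low 32 bits carry the IPv4 address of the ISATAP host.
        result["isatap_v4"] = str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    return result


def isatap_hosts(ipconfig_text):
    """List the IPv4 addresses embedded in ISATAP addresses found in ipconfig output."""
    hosts = set()
    for token in re.findall(r"[0-9A-Fa-f:.]{3,}", ipconfig_text):
        if ":" not in token:
            continue  # plain IPv4 addresses and stray hex-looking words
        try:
            decoded = decode_tunnel_address(token)
        except ValueError:
            continue  # not a valid IPv6 address
        if decoded["isatap_v4"]:
            hosts.add(decoded["isatap_v4"])
    return sorted(hosts)


# Constructed sample of ipconfig output for NYC-SVR1 (not captured from the lab).
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.10.0.24
Tunnel adapter isatap.contoso.com:
   IPv6 Address. . . . . . . . . . . : 2002:836b:2:1:0:5efe:10.10.0.24
   Link-local IPv6 Address . . . . . : fe80::5efe:10.10.0.24%12
"""

if __name__ == "__main__":
    print("6to4 prefix of 131.107.0.2:", sixtofour_prefix("131.107.0.2"))
    print("6to4 gateway address:      ", sixtofour_host("131.107.0.2"))
    print("NYC-DC1 ISATAP address:    ", isatap_address("2002:836b:2:1::/64", "10.10.0.10"))
    print("Decoded ping target:       ", decode_tunnel_address("2002:836b:2:1::5efe:10.10.0.10"))
    print("ISATAP hosts in sample:    ", isatap_hosts(SAMPLE_IPCONFIG))
```

Python prints the ISATAP address in pure hexadecimal (the last 32 bits as a0a:a), which is the same address that ipconfig and the lab text show with a dotted-decimal tail.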
Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Module 6
Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service
Contents:
Exercise 1: Installing and Configuring the Network Policy Server Role Service
Exercise 2: Configuring a RADIUS Client
Exercise 3: Configuring Certificate Auto-Enrollment
Exercise 4: Configuring and Testing the VPN
10. On the Installation Results page, click Close.
11. Close Server Manager.
2. 3. 4. 5. 6.
7. In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd and then click OK.
8. On the Specify Dial-Up or VPN Server page, click Next.
9. On the Configure Authentication Methods page, select the Extensible Authentication Protocol and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check boxes and then click Next.
10. On the Specify User Groups page, click Next.
11. On the Specify IP Filters page, click Next.
12. On the Specify Encryption Settings page, clear the Basic encryption and Strong encryption check boxes and then click Next.
13. On the Specify a Realm Name page, click Next.
14. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish.
15. Close the Network Policy Server administrative tool.
Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.
10. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server and then click Next.
11. On the RADIUS Server Selection page, in the Primary RADIUS server box, type NYC-DC1.
12. In the Shared secret box, type Pa$$w0rd and then click Next.
13. Click Finish.
14. In the Routing and Remote Access dialog box, click OK. The Routing and Remote Access service starts.
Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.
10. Close the Group Policy Management Editor.
11. Close the Group Policy Management tool.
12. Switch to NYC-CL1.
13. Restart the computer and then log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
14. Click Start, type MMC in the Search box, and then press ENTER.
15. In the Console1 window, click File and then click Add/Remove Snap-in.
16. In the Add or Remove Snap-ins box, select Certificates and then click Add.
17. In the Certificates snap-in box, select Computer account and then click Next.
18. In the Select Computer box, select Local computer and then click Finish.
19. Click OK to close the Add or Remove Snap-ins box.
20. In the Console1 window, expand Certificates (Local Computer).
21. Expand Personal, and then click Certificates. Notice that NYC-CL1.Contoso.com is displayed. You now can use this certificate as an authentication mechanism.
Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.
Click Close and then click the Back button to return to the Network and Sharing Center.
2. 3. 4. 5. 6. 7. 8. 9.
10. In the Data encryption list, click Maximum strength encryption (disconnect if server declines) and then click OK.
11. On the Network Connections page, right-click Contoso VPN and then click Connect.
12. Use the following information in the Connect Contoso VPN text boxes and then click Connect:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
13. Right-click Contoso VPN and click Disconnect. The VPN disconnects.
14. Close all open windows on NYC-CL1. Do not save Console 1.
Results: At the end of this exercise, you will have verified the VPN solution.
Module 7
Lab Answer Key: Implementing Network Access Protection
Contents:
Exercise 1: Configuring NAP Components
Exercise 2: Configuring Client Settings to Support NAP
3. Install the NPS Server role:
   a. On NYC-EDGE1, switch to Server Manager.
   b. Click Roles, and then under Roles Summary, click Add Roles and then click Next.
   c. Select the Network Policy and Access Services check box and then click Next twice.
   d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.
   e. Verify that the installation was successful and then click Close.
   f. Close the Server Manager window.
4. Configure NPS as a NAP health policy server:
   a. Click Start, point to Administrative Tools, and then click Network Policy Server.
   b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
   c. In the right pane under Name, double-click Default Configuration.
   d. On the Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box.
   e. Click OK to close the Windows Security Health Validator dialog box.
5. Configure health policies:
   a. Expand Policies.
   b. Right-click Health Policies and then click New.
   c. In the Create New Health Policy dialog box, under Policy name, type Compliant.
   d. Under Client SHV checks, verify that Client passes all SHV checks is selected.
   e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   f. Click OK.
   g. Right-click Health Policies and then click New.
   h. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
   i. Under Client SHV checks, select Client fails one or more SHV checks.
   j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
   k. Click OK.
6. Configure network policies for compliant computers:
   a. Ensure that Policies is expanded.
   b. Click Network Policies.
   c. Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.
   d. Right-click Network Policies and then click New.
   e. In the Specify Network Policy Name And Connection Type window, under Policy name, type Compliant-Full-Access and then click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select condition dialog box, double-click Health Policies.
   h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
   i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.
   j. In the Specify Access Permission window, verify that Access granted is selected.
   k. Click Next three times.
   l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.
   m. In the Completing New Network Policy window, click Finish.
7. Configure network policies for noncompliant computers:
   a. Right-click Network Policies and then click New.
   b. In the Specify Network Policy Name And Connection Type window, under Policy name, type Noncompliant-Restricted and then click Next.
   c. In the Specify Conditions window, click Add.
   d. In the Select condition dialog box, double-click Health Policies.
   e. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.
   f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant and then click Next.
   g. In the Specify Access Permission window, verify that Access granted is selected.
   Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.
   h. Click Next three times.
   i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and clear the check box next to Enable auto-remediation of client computers.
   j. In the Configure Settings window, click IP Filters.
   k. Under IPv4, click Input Filters and then click New.
   l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.
   m. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Inbound Filters dialog box.
   n. Click OK to close the Inbound Filters dialog box.
   o. Under IPv4, click Output Filters and then click New.
   p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.
   q. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.
   r. Click OK to close the Outbound Filters dialog box.
   s. In the Configure Settings window, click Next.
   t. In the Completing New Network Policy window, click Finish.
8. Configure connection request policies:
   a. Click Connection Request Policies.
   b. Disable the default Connection Request policy that is found under Policy Name by right-clicking the policy and then clicking Disable.
   c. Right-click Connection Request Policies and then click New.
   d. In the Specify Connection Request Policy Name And Connection Type window, under Policy name, type VPN connections.
   e. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.
   f. In the Specify Conditions window, click Add.
   g. In the Select Condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP. Click OK and then click Next.
   h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.
   i. In the Specify Authentication Methods window, select Override network policy authentication settings.
   j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.
   k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.
   l. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.
   m. Verify that Enforce Network Access Protection is selected and then click OK.
   n. Click Next twice and then click Finish.
9.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server
1. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access console, right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.
3. Click Next, select Remote access (dial-up or VPN), and then click Next.
4. Select the VPN check box and then click Next.
5. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when it is attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.
6. On the IP Address Assignment page, select From a specified range of addresses and then click Next.
7. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients and then click Next.
8. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next.
9. Click Finish.
10. Click OK twice and wait for the Routing and Remote Access Service to start.
11. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.
12. Click Connection Request Policies, and in the results pane, right-click the Microsoft Routing and Remote Access Service Policy and then click Disable.
13. Close the Network Policy Server management console.
14. Close Routing and Remote Access.
8. In the Action window, verify that Allow the connection is selected and then click Next.
9. Click Next to accept the default profile.
10. In the Name window, under Name, type ICMPv4 echo request and then click Finish.
11. Close the Windows Firewall with Advanced Security console.
Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.
Enable and start the NAP agent service:
   a. Click Start, click Control Panel, click System and Security, and then click Administrative Tools.
   b. Double-click Services.
   c. In the Services list, double-click Network Access Protection Agent.
   d. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.
   e. Wait for the NAP Agent service to start and then click OK.
   f. Close the Services console and then close the Administrative Tools and System and Security windows.
   f. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Do not configure the Default gateway.
   g. Click Use the following DNS server addresses.
   h. Click OK and then click Close to close the Local Area Connection 3 Properties dialog box.
   i. Close the Network Connections window.
2. Verify network connectivity for NYC-CL1:
   a. Click Start, click All Programs, click Accessories, and then click Run.
   b. Type cmd and then press ENTER.
   c. At the command prompt, type ping 131.107.0.2 and press ENTER.
   d. Verify that the response reads Reply from 131.107.0.2.
   e. Close the command window.
h.
i. j. k. l.
m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.
n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box. Click OK twice to accept these settings.
o.
2. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   c. You are presented with a Windows Security Alert window the first time that this VPN connection is used. Click Details and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.
   d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.
   e. Click Start, click All Programs, click Accessories, and then click Command Prompt.
   f. Type ipconfig /all and view the IP configuration. System Quarantine State should be Not Restricted.
   g. In the Command window, type ping 10.10.0.10 and then press ENTER. This should be successful. The client now meets the requirement for VPN full connectivity.
   h. Disconnect from the Contoso VPN.
3. Configure Windows Security Health Validator to require an antivirus application:
   a. On NYC-EDGE1, open Network Policy Server.
   b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
   c. In the right pane under Name, double-click Default Configuration.
   d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box and then click OK.
4. Verify that the client is placed on the restricted network:
   a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN and then click Connect.
   b. Click Connect. Wait for the VPN connection to be made.
   c. Verify that a message appears in the Action Center stating that the computer does not meet security standards.
   d. Click Start, click All Programs, click Accessories, and then click Command Prompt.
   e. Type ipconfig /all and view the IP configuration. System Quarantine State should be Restricted. The client does not meet the requirements for the network, and therefore is placed on the restricted network.
   f. Disconnect the Contoso VPN.
Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.
Module 8
Lab Answer Key: Increasing Security for Windows Servers
Contents:
Exercise 1: Deploying a Windows Firewall Rule
Exercise 2: Implementing WSUS
7. 8. 9.
10. In the Specific local ports box, type 10005 and then click Next.
11. On the Action page, confirm that Allow the connection is selected and click Next.
12. On the Profile page, clear the Private and Public check boxes and then click Next.
13. On the Name page, in the Name box, type Monitoring and then click Finish.
Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.
6. 7. 8. 9.
10. Under Set the intranet update service for detecting updates and under Set the intranet statistics server, type http://NYC-SVR1 in the text boxes and then click Next Setting.
11. On the Automatic Updates detection frequency page, click Enabled and then click OK.
12. Close the Group Policy Management Editor and the Group Policy Management Console.
13. Click Start, type cmd, and press ENTER.
14. At the command prompt, type gpupdate /force and press ENTER.
15. At the command prompt, type wuauclt /detectnow and press ENTER.
16. Close the command prompt.
6. Right-click NYC-DC1.contoso.com, and click Change Membership.
7. In the Set Computer Group Membership box, select the HO Servers check box and click OK.
Results: After this exercise, you should have approved an update for NYC-DC1.
Module 9
Lab Answer Key: Increasing Security for Network Communication
Contents:
Exercise 1: Selecting a Network Security Configuration
Exercise 2: Configuring IPsec to Authenticate Computers
Exercise 3: Testing IPsec Authentication
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Research application security document.
Research application security
Document Reference Number: GW1605/1
Document Author: Charlotte Weiss
Date: 16th May
Requirements Overview
Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must:
1. Create a connection security rule that authenticates the computers in the Research department.
2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application.
Additional Information
1. The application exists on NYC-SVR1.
2. The application is not configured to use SSL.
3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.
Proposals
1. How will you accomplish requirement 1?
Answer: Configure a Connection Security Rule that requires Kerberos authentication for connections to TCP port 80 (web server). Restrict authentication to specific users and computers.
2. How will you accomplish requirement 2?
Answer: Create a firewall rule that enables communication over port 80 if authenticated.
3. Are there any additional tasks that you must perform?
Answer: Create a GPO that is linked to the Research OU. Configure the Connection Security rule and Firewall Rule as part of this policy. Move both NYC-SVR1 and NYC-CL1 to the Research OU. Refresh the GPO on the client computers from NYC-DC1.
Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.
4. In the command prompt, type the following command and then press ENTER:
Shutdown /r
5. Switch to NYC-SVR1.
6. Click Start, and in the Search box, type cmd.exe and press ENTER.
7. In the command prompt, type the following command and then press ENTER:
Gpupdate /force
8. In the command prompt, type the following command and then press ENTER:
Shutdown /r
Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.
3. On the Taskbar, click Internet Explorer.
4. In the Address bar, type http://nyc-svr1 and press ENTER. The default IIS 7 webpage displays.
7. Close all open windows. Do not save changes to Console 1.
Results: At the end of this exercise, you will have verified IPsec settings.
Lab Answer Key: Configuring and Troubleshooting Network File and Print Services
Module 10
Lab Answer Key: Configuring and Troubleshooting Network File and Print Services
Contents:
Exercise 1: Creating and Configuring a File Share
Exercise 2: Encrypting and Recovering Files
Exercise 3: Creating and Configuring a Printer Pool
10. In the Windows security window, click Add.
11. Use Ctrl+click to select both entries for Users and then click Remove.
12. Click OK twice to close both Advanced Security Settings For Marketing windows.
13. In the Marketing Properties window, click Edit.
14. In the Permissions For Marketing window, click Add, type Marketing, and click OK.
15. With Marketing selected, click the Allow Modify permission and click OK.
16. In the Marketing Properties window, click OK.
17. Right-click Production and click Properties.
18. In the Production Properties window, on the Security tab, click Advanced.
19. In the Advanced Security Settings For Production window, click Change Permissions.
20. Clear the Include inheritable permissions from this object's parent check box.
21. In the Windows security window, click Add.
22. Use Ctrl+click to select both entries for Users and then click Remove.
23. Click OK twice to close both Advanced Security Settings For Production windows.
24. In the Production Properties window, click Edit.
25. In the Permissions For Production window, click Add, type Production and then click OK.
26. With Production selected, click the Allow Modify permission and click OK.
27. In the Production Properties window, click OK.
Results: After this exercise, you should have created and configured a file share.
6. 7. 8. 9.
10. Close Group Policy Management Editor.
11. Close Group Policy Management.
8. On the Select Certificate Enrollment Policy page, click Next to use the Active Directory Enrollment Policy.
9. On the Request Certificates page, select the Basic EFS check box and click Enroll.
10. On the Certificate Installation Results page, click Finish.
11. In the Console1 window, in the left pane, expand Certificates - Current User, expand Personal, and click Certificates.
12. Read the list of certificates and note the one that was issued by ContosoCA.
13. Close Console1 and do not save the settings.
Results: After this exercise, you should have encrypted and recovered a file.
10. Click Next to start the Add Standard TCP/IP Printer Port Wizard.
11. In the Printer Name or IP Address box, type 10.10.0.99 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.
12. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.
13. Click Finish to complete the wizard.
14. In the Printer Ports window, click Close.
3. On the Printer Installation page, click Add a new printer using an existing port, click 10.10.0.98, and click Next.
4. On the Printer Driver page, click Install a new driver and click Next.
5. On the Printer Installation page, click Next to accept the default driver.
6. On the Printer Name and Sharing Settings page, in the Printer Name and Share Name boxes, type PrinterPool and click Next.
7. On the Printer Found page, click Next.
8. Click Finish to complete the wizard.
Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.
Module 11
Lab Answer Key: Optimizing Data Access for Branch Offices
Contents:
Lab A: Implementing DFS
Exercise 1: Installing the DFS Role Service
Exercise 2: Configuring the Required Namespace
Exercise 3: Configuring DFS Replication
Lab B: Implementing BranchCache
Exercise 1: Performing Initial Configuration Tasks for BranchCache
Exercise 2: Configuring BranchCache Clients
Exercise 3: Configuring BranchCache on the Branch Server
Exercise 4: Monitoring BranchCache
10. On the Confirm Installation Selections page, click Install.
11. On the Installation Results page, click Close.
12. Close Server Manager.
Results: At the end of this exercise, you will have installed the required role services on both servers.
10. On the Confirmation page, ensure that the Create namespace task is successful and then click Close.
11. In the navigation pane, under Namespaces, click \\Contoso.com\BranchDocs.
12. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\BranchDocs.
Results: At the end of this exercise, you will have created and verified the DFS namespace.
10. In the action pane, click New Topology. 11. In the New Topology Wizard, on the Topology Selection page, click Full mesh and then click Next. 12. On the Replication Group Schedule and Bandwidth page, click Next. 13. On the Review Settings and Create Topology page, click Create. 14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK. 15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1. 16. On the Memberships tab, right-click NYC-DC1 and then click Make read-only. This setting will automatically configure the replicated copy to be read-only. Results: At the end of this exercise, you will have successfully configured DFS replication.
10. Close Server Manager.
11. Click Start, and in the Search box, type gpedit.msc and then press ENTER.
12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.
13. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache and then click Edit.
14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.
3. On the menu, click New Folder.
4. Type Share and then press ENTER.
5. Right-click Share and then click Properties.
6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.
7. Select the Share this folder check box and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. At the command prompt window, type the following command and then press ENTER:
Copy C:\windows\system32\mspaint.exe c:\share
10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next.
11. On the Predefined Rules page, click Next.
12. On the Action page, click Finish.
Results: At the end of this exercise, you will have prepared the network environment for BranchCache.
10. Start 6421B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
12. At the command prompt window, type the following command and then press ENTER:
gpupdate /force
13. At the command prompt window, type the following command and then press ENTER:
netsh branchcache show status all
14. Start 6421B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
15. Click Start, and in the Search box, type Network and Sharing and then press ENTER.
16. In Network Connections, click Change adapter settings.
17. Right-click Local Area Connection 3 and then click Properties.
18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
20. Click Obtain DNS server address automatically and then click OK.
21. In the Local Area Connection 3 Properties dialog box, click OK.
22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
23. Click Start, point to All Programs, click Accessories, and then click Command prompt.
24. At the command prompt window, type the following command and then press ENTER:
gpupdate /force
25. At the command prompt window, type the following command and then press ENTER:
netsh branchcache show status all
Results: At the end of this exercise, you will have configured the client computers for BranchCache.
10. On the Select Certificate Enrollment Policy page, click Next.
11. On the Request Certificates page, select the Computer check box and then click Enroll.
12. On the Certificate Installation Results page, click Finish.
13. In the navigation pane of the Console1 [Console Root] console, under Personal, click Certificates.
14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com and then click Open.
15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK.
16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.
17. At the command prompt window, type the following command and then press Enter. You can paste the certificatehashvalue from the certificate, but you must remove the spaces.
netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
18. At the command prompt, type the following command and then press ENTER:
netsh branchcache show status all
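Steps 15 to 17 as a PowerShell script, added here as an example and not part of the lab manual: it strips the spaces (and any invisible character copied with them) from a thumbprint, then creates the binding from the certificate store rather than the clipboard. The helper name ConvertTo-CertHash and the sample thumbprint are constructed for illustration, and the subject match on CN=NYC-SVR1.Contoso.com is an assumption based on the Issued To value in step 14.

```powershell
# Added example, not from the lab manual. Run elevated on NYC-SVR1.

function ConvertTo-CertHash {
    # Hypothetical helper: turns a thumbprint as copied from the Certificate
    # dialog into the value netsh expects for certhash=.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep hex digits only. This removes the spaces and also the invisible
    # left-to-right mark (U+200E) that can precede text copied from the dialog.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hash.Length)."
    }
    return $hash
}

# Constructed sample, not a real certificate: 20 byte pairs behind a U+200E.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67"
Write-Output "Normalized sample: $(ConvertTo-CertHash $pasted)"

# For the real binding, read the thumbprint from the computer store instead of
# the clipboard, and confirm that the private key is present.
$subject = 'NYC-SVR1.Contoso.com'                    # certificate from step 14
$appId   = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'  # appid from step 17
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$subject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($cert) {
    $hash = ConvertTo-CertHash $cert.Thumbprint
    # Quote the arguments: PowerShell parses unquoted braces as a script block.
    & netsh http add sslcert ipport=0.0.0.0:443 "certhash=$hash" "appid=$appId"
    # Show the binding so the hash can be compared with the certificate.
    & netsh http show sslcert ipport=0.0.0.0:443
} else {
    Write-Warning "No certificate with a private key for $subject in LocalMachine\My."
}
```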
10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance.
11. On NYC-DC1, close all open windows.
12. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.
13. On NYC-SVR1, open a command prompt, type the following command, and then press ENTER:
netsh branchcache set service hostedserver
14. Close the command prompt.
Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
5. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
6. On the desktop, right-click anywhere and then click Paste.
7. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache. (Retrieval: Bytes Served)
8. On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYC-DC1.contoso.com\Share and then press ENTER.
9. In the Name list of the Share window, right-click mspaint.exe and then click Copy.
10. In the Share window, click Minimize.
11. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.
12. On the desktop, right-click anywhere and then click Paste.
13. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
14. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).
Results: At the end of this exercise, you will have verified the function of BranchCache.
Module 12
Lab Answer Key: Controlling and Monitoring Network Storage
Contents:
Exercise 1: Configuring FSRM Quotas
Exercise 2: Configuring File Screening
Exercise 3: Configuring File Classification and File Management
10. On the E-mail Message tab, select the Send e-mail to the user who exceeded the threshold check box.
11. Click the Event log tab and click Yes in the warning window.
12. On the Event Log tab, select the Send warning to event log check box.
13. Click OK and click Yes to close the warning window.
14. Click OK to close the Create Quota Template window.
Results: After this exercise, you will have created and applied quotas to home folders.
Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.
10. In the Value box, type Document#\d\d\d\d-\d\d\d and then click OK.
11. Click OK to close the Classification Rule Definitions window.
8. In the Browse For Folder window, click Local Disk (C:), click Make New Folder, type Expired Documents, press ENTER, and click OK.
9. In the Create File Management Task window, on the Condition tab, in the Property conditions area, click Add.
10. In the Property Condition window, in the Property box, select Official Document.
11. In the Operator box, select Equal.
12. In the Value box, select Yes and click OK.
13. In the Create File Management Task window, on the Schedule tab, click Create.
14. In the Schedule window, click New.
15. In the Schedule Task box, select Weekly.
16. In the Start time box, type 9:00 PM.
17. In the Schedule Task Weekly area, select only the Sun check box and then click OK.
18. Click OK to close the Create File Management Task window.
10. In the Run Classification window, click Wait for classification to complete execution and click OK.
11. Review the Automatic Classification Report in Internet Explorer and verify that one Official Document was found.
12. Close Internet Explorer.
13. In File Server Resource Manager, click File Management Tasks, right-click Remove Official Documents, and click Run File Management Task Now.
14. In the Run File Management Task window, click Wait for the task to complete execution and click OK.
15. Review the File Management Task Report and verify that one file was expired.
16. Click Start, click Computer, and browse to C:\Expired Documents\NYC-SVR1.Contoso.com\Remove Official Documents_datetime\c$\Home\Adam.
17. Review the list of expired files and verify that Test Document.docx is there.
18. Close all open windows.
Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.
Module 13
Lab Answer Key: Recovering Network Data and Servers
Contents:
Exercise 1: Configuring Shadow Copies
Exercise 2: Configuring a Scheduled Backup
10. In the Every box, type 1 and select hours.
11. In the Duration box, type 24 hours.
12. Click OK to close the Advanced Schedule Options window.
13. Click OK to close the C:\ window.
14. Click OK to close the Settings window.
15. Click OK to close the Shadow Copies window.
Click the Save button. On NYC-SVR1, in Windows Explorer, right-click Local Disk (C:) and click Configure Shadow Copies.
10. In the Shadow Copies window, with C:\ selected, click Create Now.
11. On NYC-CL1, add the following bullets to the document:
    • 2014 - $1,500
    • 2015 - $2,000
12. Click the Save button and close Microsoft Word.
13. On NYC-SVR1, in the Shadow Copies window, click Create Now.
14. Click OK to close the Shadow Copies window and close Windows Explorer.
15. On NYC-CL1, right-click Budget Planning and click Delete.
16. In the Delete File window, click Yes.
7. Verify that this is the correct version of Budget Planning, close Word, and close the window containing Budget Planning.
8. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, with the most recent folder version of Marketing selected, click Restore.
9. In the warning window, click Restore.
10. Click OK to clear the success message.
11. Click OK to close the Marketing (\\NYC-SVR1) Properties window.
12. In Windows Explorer, double-click Budget Planning to view the restored file.
13. Close all open windows.
Results: At the end of this exercise, you will have enabled shadow copies for the Marketing file server.
10. Click Yes to confirm that data on D: will be removed.
11. On the Confirmation page, click Finish.
12. On the Summary page, click Close.
8. In the Actions pane, click Backup Once.
9. On the Backup Options page, click Scheduled Backup options and click Next.
10. On the Confirmation page, click Backup.
11. Wait while the backup completes. This will take about one minute.
12. When the backup is complete, click Close.
13. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.
10. Click Start and click Computer.
11. In Windows Explorer, browse to C:\Marketing and verify that the file is restored.
12. Close Windows Explorer.
Results: At the end of this exercise, you will have configured a scheduled backup and tested backup functionality.
Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers
Module 14
Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers
Contents:
Exercise 1: Establishing a Performance Baseline
Exercise 2: Identifying the Source of a Performance Problem
Exercise 3: Centralizing Events Logs
10. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length and then click Add >>.
13. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.
14. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.
15. On the Which performance counters would you like to log? page, in the Sample interval box, type 1 and then click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set? page, click Save and close and then click Finish.
3. At the command prompt, type the following command and press ENTER:
Copy bigfile \\nyc-dc1\c$
4. At the command prompt, type the following command and press ENTER:
Copy \\nyc-dc1\c$\bigfile bigfile2
5. At the command prompt, type the following command and press ENTER:
Del bigfile*.*
6. At the command prompt, type the following command and press ENTER:
Del \\nyc-dc1\c$\bigfile*.*
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow and then click Report.
17. Record the values listed in the report for analysis later.
Results: After this exercise, you should have established a baseline.
3. At the command prompt, type the following command and press ENTER:
Cd\Labfiles
3. When prompted, type Y and press ENTER.
4. Click Start, right-click Computer, and then click Manage.
5. In Server Manager, in the navigation pane, expand Configuration, expand Local Users and Groups, and then click Groups.
6. In the results pane, double-click Administrators.
7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.
8. In the Object Types dialog box, select the Computers check box, and then click OK.
9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type nyc-dc1 and then click OK.
10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.
11. In the Logged list, click Last 7 days.
12. In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box and then click OK.
13. In the Subscription Properties NYC-SVR1 Events dialog box, click OK.
10. In the Limit box, type 10 and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In the navigation pane, expand the User Defined node, and then click NYC-SVR1 Alert.
13. In the Results pane, right-click DataCollector01 and then click Properties.
14. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1 and then click the Alert Action tab.
15. Select the Log an entry in the application event log check box and then click OK.
16. In the navigation pane, right-click NYC-SVR1 Alert and then click Start.
17. Click Start, and then in the Search box, type cmd.exe and press ENTER.
18. At the command prompt, type the following command and press ENTER:
C:
19. At the command prompt, type the following command and press ENTER:
Cd\Labfiles
20. At the command prompt, type the following command and press ENTER:
StressTool 95
21. Wait for one minute to allow for alerts to be generated.
22. Press Ctrl+C.
23. Close the command prompt.