31-dec-07 windows 2008 rc1 hol instructions

Upload: benjamin-gajadar

Post on 07-Apr-2018

8/3/2019 31-Dec-07 Windows 2008 RC1 HOL Instructions

1/29

Windows Server 2008 (Pre-Release) Hands On Lab Instructions

Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com Page 1

Windows Server 2008 (RC0) Hands on Lab Instructions

Setup Information

This lab has been designed to be used either in the Microsoft Innovation Labs in Singapore or in a participant's own environment. This section provides the information a participant needs to reproduce the lab setup so that the instructions work.

You are encouraged to use virtualization; however, it is entirely up to you. Five virtual machines are used in this lab. You may use either five virtual machines or five physical computers networked together.

Operating Systems and Notes:

Name     IP            OS                       Install Order  Remarks
DC1      192.168.1.1   Windows 2008 RC1         1              Install as Domain Controller with DNS. Use Insiders.Com as the forest.
Server1  192.168.1.2   Windows 2008 RC1         2              Join Insiders.Com as member server
Server2  192.168.1.3   Windows 2008 RC1         2              Join Insiders.Com as member server
RODC     192.168.1.4   Windows 2008 RC1         2              Join Insiders.Com as member server
Vista    192.168.1.5   Vista Ultimate SP1 (RC)  2              Join Insiders.Com as member machine

Pre-Requisites for use of this Instruction:

This lab does not teach you how to set up the infrastructure it requires; you need to already possess the knowledge needed to set up the lab. Lab instructions are provided as-is; Microsoft is not responsible for providing any support.

For help and suggestions, send email to [email protected]

Useful Information:

All passwords in this lab are P@ssw0rd. This is a throwaway password for an isolated lab network; do not reuse it on any machine reachable from a production network.

Network Configuration of all VMs used in this HOL:

Name     IP            Subnet         DNS          Roles
DC1      192.168.1.1   255.255.255.0  127.0.0.1    DC / TS / TSRA / TS Lic / IIS7
Server1  192.168.1.2   255.255.255.0  192.168.1.1  NPS / IIS7 / TS / TSWA
Server2  192.168.1.3   255.255.255.0  192.168.1.1
RODC     192.168.1.4   255.255.255.0  192.168.1.1  RODC
Vista    192.168.1.5   255.255.255.0  192.168.1.1  NAP / TS client

Role abbreviations: TS = Terminal Services, TSRA = TS RemoteApp, TS Lic = TS Licensing, TSWA = TS Web Access, NPS = Network Policy Server, NAP = Network Access Protection.

Who is this for?

This document is intended to provide a quick hands-on introduction to Windows Server 2008, which is at RC1 at the time of this release, for IT Pros.

It is intended for any IT Pro. Its initial intention is for members of the Windows Insiders Group and the Singapore Windows Group in Singapore.

This set of instructions has been used and updated by members of the Windows Insiders and Singapore Windows Group in 3 separate lab sessions.

Lab 1: Install Virtualization

Installing Hyper-V (Perform on LHS)

Pre-requisites of Hyper-V:

- Windows Server 2008 RC0/1 x64
- CPU with virtualization support (Intel VT or AMD-V), with virtualization and hardware Data Execution Prevention (Intel XD / AMD NX) enabled in the BIOS
- Sufficient memory (these lab instructions were designed for a machine with 2GB of RAM)

1. Log on with the Administrator account.
2. Execute the 2 files found in c:\windows\wsv (these 2 files are the update files that add the Hyper-V role to Server Manager).
3. Launch Server Manager and add the role called Hyper-V. (If you do not see the Hyper-V role, reboot.)
4. When prompted for Virtual Networks, select Local Area Connection and click Next.

Note: Selecting a physical adapter here creates an external virtual network bound to that adapter, so the lab VMs (all using the password P@ssw0rd) become reachable from whatever network the host is plugged into. If the host sits on a shared network, create an internal or private virtual network for the 192.168.1.x lab instead.

5. After installation you will reboot.

You have just installed the hypervisor on your 64-bit machine. You are ready for virtualization.

Lab 2: Active Directory Backup and Restore

Machines Needed for this Lab

Name     Machine State
DC1      Running
Server1  Running
Server2  Saved
RODC     Saved

Installing Windows Server Backup (Done on DC1)

1. Click Start, and then click Server Manager.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. In Features Summary, click Add Features.
4. In the list of features, double-click Windows Server Backup Features, click Windows Server Backup and Command-line tools, and then click Next.
5. If necessary, click Add Required Features.
6. On the Confirm Installation Selections page, click Install.
7. Click Close.

Perform an unscheduled backup of critical volumes by GUI

1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the Action menu, click Backup Once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next.
5. If you are creating the first backup of the domain controller, click Yes to confirm that this is the first backup.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, select the Enable system recovery check box.
8. On the Specify destination type page, click Remote shared folder, and then click Next.
9. On the Select backup destination page, type the path to the share, and then click Next.


   a. Path to share: \\Server1\Backup (create this share on Server1 first, and restrict it: a critical-volume backup of a domain controller contains ntds.dit, that is, every password hash in the domain, so only the account running the backup and domain administrators should be able to read the share).
10. On the Specify advanced option page, select VSS copy backup and then click Next.
11. On the Summary page, review your selections, and then click Backup.
12. When the Backup Once Wizard is complete, click Close.
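The same backup driven from the command line with wbadmin (the command-line tool installed together with Windows Server Backup in the previous task), with the destination share locked down before the first backup lands on it. This is an added example, not part of the original lab. It assumes an elevated PowerShell session (the optional Windows PowerShell feature installed on both servers), that C:\Backup on Server1 is our own choice of folder, and that the backup is run interactively as Insiders\Administrator, whose credentials wbadmin uses to reach the remote share.

```powershell
# Added example (not from the lab): Lab 2's "Backup Once" of DC1's critical
# volumes to \\Server1\Backup, with the share locked down first.
# Assumptions: elevated PowerShell; Part 1 runs on Server1, Part 2 on DC1;
# C:\Backup is our own choice of folder; the backup runs as Insiders\Administrator.

# ---------- Part 1: on Server1, create and restrict the share ----------
$shareDir = 'C:\Backup'
if (-not (Test-Path $shareDir)) { New-Item -ItemType Directory -Path $shareDir | Out-Null }

# NTFS: drop inherited permissions (the inherited Users:Read would expose the
# backup), then allow only the backup account, local Administrators and SYSTEM.
icacls $shareDir /inheritance:r
icacls $shareDir /grant 'INSIDERS\Administrator:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# Share permissions: the backup account only; no Everyone entry.
# (The /GRANT value is quoted so PowerShell does not split it at the comma.)
net share "Backup=$shareDir" '/GRANT:INSIDERS\Administrator,FULL'

# ---------- Part 2: on DC1, run the backup and check the result ----------
# -allCritical = the volumes needed for system recovery (the wizard's
# "Enable system recovery"); -vssCopy = VSS copy backup, as chosen in the wizard.
wbadmin start backup -backupTarget:\\Server1\Backup -allCritical -vssCopy -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Check: the target now holds a backup version for this machine.
wbadmin get versions -backupTarget:\\Server1\Backup -machine:DC1
```

The share ACL is the security-relevant part: the critical-volume backup carries the directory database, so whoever can read \\Server1\Backup can extract every domain password hash offline. Treat the backup location with the same care as the domain controller itself.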

Lab 3: Using Restartable Active Directory

Machines Needed for this Lab

Name     Machine State
DC1      Running
Server1  Saved
Server2  Saved
RODC     Saved

Performing an Offline Defragmentation of the Directory Database

Like other services in Server Manager, Active Directory Domain Services can be stopped and restarted without shutting down the server. In this task, you will stop the domain controller service and perform a routine maintenance task on the domain controller.

1. Log on to DC1 as [email protected]
2. In the Server Manager window, select the Active Directory Domain Services service and click Stop.
3. In the Stop Other Services dialog box, click Yes.

Note: Before this service is stopped, all dependent services (such as Kerberos Key Distribution Center, DNS Server, DFS Replication and Netlogon) are stopped as well.

4. On the Start menu, click Command Prompt.
5. In the Command Prompt window, type the following commands, pressing ENTER after each one. This performs an offline defragmentation of the Active Directory database.

    ntdsutil
    activate instance ntds
    files
    compact to C:\

Note: This creates a compacted copy of NTDS.dit at C:\ntds.dit. The process takes approximately two minutes. The copy is a complete directory database, password hashes included; keep it on the DC and delete it once the new database is in place.

    quit
    quit
    del C:\Windows\NTDS\*.log
    copy /y C:\ntds.dit C:\Windows\NTDS\ntds.dit
    ntdsutil
    activate instance ntds
    files
    integrity
    quit
    semantic database analysis
    go fixup

Note: The go fixup command runs the database checker and fixes any errors it encounters. Run these checks before starting the service again: if integrity reports an error, restore the original ntds.dit from the Lab 2 backup rather than starting AD DS on the compacted copy.

    quit
    quit
    exit

6. In the Server Manager window, click Start to start the Active Directory Domain Services service.
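Lab 3 as a script, an added example that is not part of the original lab. ntdsutil accepts its menu commands as command-line arguments, so the sequence above can run unattended with the database stopped and restarted in place and each step checked before the next one runs. Assumptions: an elevated PowerShell session on DC1, the Lab 2 backup exists, the database lives in C:\Windows\NTDS, C:\ntds_compact is our own choice of work folder, and ntdsutil reports a passed check with the words "Integrity check successful".

```powershell
# Added example (not from the lab): Lab 3's offline defragmentation as a script.
# Assumptions: elevated PowerShell on DC1; the Lab 2 backup exists; the database
# is in C:\Windows\NTDS; C:\ntds_compact is our own choice of work folder.

$ntdsDir = 'C:\Windows\NTDS'
$workDir = 'C:\ntds_compact'

function Invoke-Ntdsutil([string[]]$Commands) {
    # ntdsutil takes its menu commands as arguments, one per string.
    $out = & ntdsutil.exe @Commands 2>&1 | Out-String
    Write-Host $out
    $out
}

# 1. Remember which dependent services are up, then stop AD DS in place
#    (this also stops KDC, DNS, DFS Replication and Netlogon, as the GUI warns).
$deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force
if ((Get-Service NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

# 2. Compact into the work folder. The output file is a complete copy of the
#    directory, password hashes included: keep it on this DC, delete it after.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $workDir", 'quit', 'quit'
if (-not (Test-Path "$workDir\ntds.dit")) { throw 'compact did not produce a database' }

# 3. Swap the files, keeping the old database until the new one passes its checks.
Move-Item "$ntdsDir\ntds.dit" "$ntdsDir\ntds.dit.old" -Force
Remove-Item "$ntdsDir\*.log"
Copy-Item "$workDir\ntds.dit" "$ntdsDir\ntds.dit"

# 4. Integrity and semantic checks on the new file (assumes ntdsutil's
#    "Integrity check successful" wording); on failure put the old file back.
$check = Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
if ($check -notmatch 'Integrity check successful') {
    Move-Item "$ntdsDir\ntds.dit.old" "$ntdsDir\ntds.dit" -Force
    throw 'integrity check failed; original database put back, verify against the Lab 2 backup'
}
Invoke-Ntdsutil 'activate instance ntds', 'semantic database analysis', 'go fixup', 'quit', 'quit'

# 5. Start AD DS and the services that were stopped with it, then remove both
#    spare copies of the database (each is a full set of domain password hashes).
Start-Service NTDS
$deps | Start-Service
Remove-Item "$ntdsDir\ntds.dit.old", "$workDir\ntds.dit"
```

The two extra copies of ntds.dit are the reason to script this rather than leave C:\ntds.dit lying around after the GUI walkthrough: anyone who can read them can crack or pass every hash in the domain.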

Lab 4: Implementing RODC

Machines Needed for this Lab

Name     Machine State
DC1      Running
Server1  Saved
Server2  Saved
RODC     Running

Installing RODC

1. Log on to RODC as [email protected] using the password P@ssw0rd.
2. On RODC, on the Start menu, click Run.
3. Type DCPROMO and then click OK.

NOTE: This starts the Active Directory Domain Services Installation Wizard. It may take a few minutes for the Active Directory Domain Services binaries to install.

4. On the Welcome page, click Use advanced mode installation and then click Next.
5. On the Choose a Deployment Configuration page, select Existing forest and then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, check Read-only domain controller (RODC) and then click Next.

Note: As a best practice, your RODC should also be a DNS server, so that branch office clients still have name resolution in the event of a WAN problem.

10. On the Specify the Password Replication Policy page, accept the defaults and then click Next.

NOTE: We will specify a Password Replication Policy later in the lab.

11. On the Delegation of RODC Installation and Administration page, click Set.
12. In the Select User or Group dialog box, in Enter the object name to select, type Branch Office Admins (create this group in DC1 first) and then click OK.
13. On the Install from Media page, accept the default and click Next.

NOTE: An administrator at the main office could back up Active Directory and send the backup media to you at the branch office. You could then restore the system state to an alternate location and point to that location on this page. This saves bandwidth over a slow WAN link. For an RODC, create that media with ntdsutil's ifm "create rodc" option rather than shipping a plain system state backup: the RODC-specific media has the password secrets stripped out, whereas a full backup carries every hash in the domain to a site that, by definition, is not trusted to hold them.

14. On the Source Domain Controller page, accept the default and click Next.
15. On the Location for Database, Log Files, and SYSVOL page, accept all defaults and click Next.
16. On the Directory Services Restore Mode Administrator Password page, set the password to P@ssw0rd and then click Next.
17. On the Summary page, click Next.

NOTE: If you wanted to save these settings to an unattended answer file instead of installing AD, you would click Export Settings.

18. On the Active Directory Domain Services Installation Wizard page, select the Reboot on completion check box.

NOTE: The installation of Active Directory takes approximately five minutes and the computer reboots when complete.

19. When the machine reboots, log on as Insiders\administrator with a password of P@ssw0rd.

Review Allowed and Denied Groups

The RODC Allowed and Denied groups specify which groups, if any, have their passwords cached on the RODC. Caching passwords makes authentication possible even when the WAN link has failed. In this task, you will review the default Password Replication Policy settings.

1. Log on to DC1 as Administrator with a password of P@ssw0rd.
2. On the Start menu, navigate to Administrative Tools, and then click Active Directory Users and Computers.
3. In Active Directory Users and Computers, click Domain Controllers.
4. Click RODC and then, on the Action menu, click Properties.
5. In the RODC Properties dialog box, click Password Replication Policy and review the policy settings.

NOTE: The Password Replication Policy defines which groups have their passwords cached on the RODC. By default the Denied RODC Password Replication Group (which holds Domain Admins, Enterprise Admins, Schema Admins, krbtgt and other sensitive accounts) plus Administrators, Account Operators, Backup Operators and Server Operators are denied, so if a member of those groups logs on in the branch office their password is not cached on the RODC. A denied entry always wins over an allowed one. An RODC in an unguarded branch office is the easiest domain controller to steal, and this policy is what limits what the thief obtains.

6. In the RODC Properties dialog box, click Cancel.

Create a New Active Directory Group and add it to the Allowed list

Now that you have reviewed the default Password Replication Policy settings, you will create a new Active Directory group, add members to the group, and add it to the Allowed list in the Password Replication Policy.

1. In the Navigation pane, click Users; on the Action menu, point to New and then click Group.
2. In the New Object - Group dialog box, in the Group Name field, type Sales Users and then click OK.
3. In Active Directory Users and Computers, ensure Sales Users is selected, and then on the Action menu, click Properties.
4. In the Sales Users Properties dialog box, click Members and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, type BenSmith; DonHall (create these 2 users in DC1 first), click Check Names and then click OK.
6. In the Sales Users Properties dialog box, click OK.
7. In the Navigation pane, click Domain Controllers, then in the contents pane click RODC, and then on the Action menu click Properties.
8. In the RODC Properties dialog box, click Password Replication Policy and then click Add.
9. In the Add Groups, Users and Computers dialog box, click Allow and then click OK.
10. In the Select Users, Computers, or Groups dialog box, type Sales Users, click Check Names, and then click OK.
11. In the RODC Properties dialog box, click Apply.

View and Add cached credentials to a RODC

Not only can the RODC cache the passwords of users who have logged on, but an administrator can pre-populate the RODC password cache so that authentication works from the first logon. In this task you will pre-populate the RODC password cache.

1. In the RODC Properties dialog box, click Advanced and then click Prepopulate Passwords.

NOTE: The Advanced page lists all accounts whose passwords are currently cached on this RODC.

2. Type BenSmith, click Check Names, and then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK and then click Close.
5. In the RODC Properties dialog box, click OK.

Configure Administrator Role Separation for a RODC

Administrator Role Separation lets any user be delegated as the local administrator of an RODC without granting that user rights in the domain or on other domain controllers. A local branch user can therefore log on to the RODC to perform general maintenance on the server, but cannot log on to any other domain controller to do the same. In this task you will configure Administrator Role Separation on the RODC.

1. On RODC, on the Start menu, click Command Prompt.
2. In the Command Prompt window, type the following commands, pressing ENTER at the end of each line.

    dsmgmt
    local roles
    list roles

Note: By default, no local administrator role is defined on the RODC after AD DS has been installed. To add the local Administrator role, use the add parameter.

    add [email protected] administrators
    quit
    quit

Close the Command Prompt window.

Note: The delegated account is an administrator of the RODC's operating system only. It cannot change the directory (an RODC holds no writable copy) and is not a member of any domain group, but as a local administrator it can read whatever the RODC has cached on disk, which is why the Password Replication Policy above matters more than the delegation itself.

Reset all cached credentials on the RODC

If an RODC has been stolen, you must reset the passwords of every user whose password was cached on it, so that those accounts do not become compromised. In this task you will reset the passwords of all of the users who had their passwords cached on the RODC.

1. On DC1, in Active Directory Users and Computers, in the Domain Controllers container, click RODC and then, on the Action menu, click Delete.
2. In the Active Directory Domain Services box, click Yes.
3. In the Deleting Domain Controller dialog box, ensure Reset all passwords for user accounts that were cached on this Read-only Domain Controller is selected, and clear the Export the list of accounts that were cached on this Read-only Domain Controller to this file check box.

Note: In a production environment, do not clear this box. Always export the list and archive it for future reference, as the list of accounts is not available after the domain controller object has been deleted. The same dialog can also reset the cached computer account passwords; those machines then have to be re-joined to the domain, which is another reason to keep the exported list.

4. In the Delete Domain Controller dialog box, read the warnings and then click Cancel.
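The Password Replication Policy work of this lab (review the Allowed and Denied lists, add Sales Users to Allowed, pre-populate BenSmith, list what the RODC actually holds) together with the export that the stolen-RODC note asks for, done with repadmin from DC1 instead of the dialog boxes. This is an added example, not part of the original lab. It assumes an elevated PowerShell session on DC1, an RODC named RODC, and that Sales Users, BenSmith and DonHall were created in the Users container of insiders.com; the export file path is our own choice.

```powershell
# Added example (not from the lab): Lab 4's Password Replication Policy work
# with repadmin, run on DC1. Assumptions: elevated PowerShell; the RODC is named
# RODC; Sales Users and BenSmith live in CN=Users of insiders.com; the export
# path is our own choice.

$rodc   = 'RODC'
$domain = 'DC=insiders,DC=com'

function Invoke-Repadmin {
    $out = & repadmin.exe $args 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "repadmin $args failed:`n$out" }
    Write-Host $out
    $out
}

# Review the policy: explicit Allow and Deny entries. Deny wins on conflict,
# and the default Deny list covers the privileged groups.
Invoke-Repadmin /prp view $rodc allow
Invoke-Repadmin /prp view $rodc deny

# Add Sales Users to the Allowed list (the dialog's Add -> Allow step).
Invoke-Repadmin /prp add $rodc allow "CN=Sales Users,CN=Users,$domain"

# Pre-populate BenSmith's password on the RODC, replicated from DC1 (the
# Prepopulate Passwords step); this fails if the account is not allowed.
Invoke-Repadmin /rodcpwdrepl $rodc DC1 "CN=BenSmith,CN=Users,$domain"

# Checks: auth2 = accounts that have authenticated through this RODC,
# reveal = accounts whose password is actually stored on it.
Invoke-Repadmin /prp view $rodc auth2
$cached = Invoke-Repadmin /prp view $rodc reveal
if ($cached -notmatch 'BenSmith') { throw 'BenSmith is not cached on the RODC' }

# Keep the reveal list: it is the set of passwords to reset if the RODC is
# stolen, and it is gone once the RODC computer object is deleted.
$export = "C:\rodc-cached-$rodc-$(Get-Date -Format yyyyMMdd).txt"
$cached | Out-File $export
```

Running the reveal view on a schedule and keeping the output off the RODC is the cheap version of the export the deletion dialog offers: when a branch server goes missing, the list of accounts to reset is already in hand.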

Lab 5: Managing IIS 7

Machines Needed for this Lab

Name     Machine State
DC1      Running
Server1  Running
Server2  Running
RODC     Saved

Installing IIS 7 (Perform on Server1 & Server2)

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. Use the Add Roles Wizard to add the Web Server (IIS) role.
4. Select all role services (modules) to install.

Note: Installing every module is convenient for a lab; on a production server install only the modules the sites need, since each one is additional code reachable from the network.

Stopping a Website using Appcmd

In this exercise, you will use appcmd to stop a website in preparation for making changes to the site.

1. Log on to Server1 as [email protected]
2. On the Start menu, click Command Prompt.
3. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

4. At the command prompt, type the following command and then press ENTER.

    appcmd stop site /site.name:"Default Web Site"

5. At the command prompt, type the following command and then press ENTER.

    appcmd list site

Note: To verify that the site has been stopped or started, examine the state value at the right of the output. If the site has stopped, the state value is shown as Stopped.

Explore the Configuration of an existing site

In this task you will review the configuration of the Default Web Site using IIS Manager.

Perform this task on Server1 as [email protected]

1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.
2. In the Connections pane, expand Server1, and then click Sites.
3. Under Sites, click Default Web Site.
4. In the Actions pane, click Bindings.
5. In the Web Site Bindings dialog box, click http and then click Edit.
6. In the Edit Web Site Binding window, verify the settings and make any changes required, as shown in the table below:

    Setting      Value
    IP Address   192.168.1.2
    Port         80

7. Click OK to close the Edit Site Binding dialog box, and then click Close to close the Site Bindings dialog box.
8. In the Actions pane, under Edit Site, click Basic Settings. Review the settings and make any changes required.

    Setting           Value
    Application Pool  DefaultAppPool
    Physical Path     %systemdrive%\inetpub\wwwroot

9. Click Cancel to close the Edit Web Site dialog box.
10. In the Actions pane, click Advanced Settings.
11. In the Advanced Settings dialog box, review the following settings.

    (General) Setting                     Value
    ID                                    1
    Physical Path                         %systemdrive%\inetpub\wwwroot
    Physical Path Credentials             Ensure it is blank
    Physical Path Credentials Logon Type  ClearText
    Start Automatically                   True

Note: Blank Physical Path Credentials means pass-through authentication: content is read with the worker process identity (or the authenticated user). Credentials are only needed for content on a UNC share, and if set they are stored in applicationHost.config.

12. Click Cancel to close the Advanced Settings dialog box.
13. Leave Internet Information Services (IIS) Manager open.

Creating a Virtual Directory

In this task you will create a virtual directory in the Default Web Site that will hold employee information which can be accessed by other personnel in the organization. This virtual directory will be used later. You will use the APPCMD command-line tool to create this virtual directory. The commands used in this exercise could be placed in a batch file or script to automate the creation of virtual directories.

Perform this task on Server1 as [email protected]

1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.

    cd \inetpub\wwwroot

3. At the command prompt, type the following command and then press ENTER.

    md employeedata

4. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

5. At the command prompt, type the following command (on one line) and then press ENTER.

    appcmd add vdir /app.name:"Default Web Site/" /path:/EmployeeData /physicalPath:c:\inetpub\wwwroot\employeedata

6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Default Web Site.
7. Verify that the EmployeeData virtual directory is present.

Note: The virtual directory inherits the site's authentication settings, so at this point it is anonymously readable like the rest of the Default Web Site. Employee information needs its own authentication settings before any content is placed there.

Starting a Web Site using Appcmd

In this exercise, you will use appcmd to start the Default Web Site after having made changes to the site.

1. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

2. At the command prompt, type the following command and then press ENTER.

    appcmd start site /site.name:"Default Web Site"

3. At the command prompt, type the following command and then press ENTER.

    appcmd list site

Note: To verify that the site has been started, examine the state value at the right of the output. If the site has started, the state value is shown as Started.

4. Close the Command Prompt window.

Displaying Website Information with Content View

In this task, you will use the Content View tab to view the contents of the Default Web Site. The Content View page displays the contents of the website or virtual directory selected in the Connections pane. For example, if you click on a web site and select Content View, IIS Manager displays a list of the applications, virtual directories,


physical directories and files of that web site. You can right-click an object in the content list and click Switch to Features View to go to the object's home page. From the home page, you can configure features for the object, such as authentication settings for a virtual directory.

Perform this task on Server1 as [email protected]

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1, click Sites, and then click Default Web Site.
2. Right-click Default Web Site and then click Switch to Content View.
3. In the Default Web Site Content pane, notice the new virtual directory you created earlier and the default.htm file.
4. In the Connections pane, right-click Default Web Site and select Switch to Features View.

Create a new Application Pool using the Command Line

In this task you will create a new application pool. An application pool is a group of one or more applications that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that applications running outside a given application pool cannot affect the applications within it. Application pools are used to isolate web sites and web applications to address reliability, availability, and security issues. You should consider creating application pools for any of the following reasons:

- To group sites and applications that run with the same configuration settings
- To isolate sites and applications that run with unique configuration settings
- To increase security by running an application under a custom identity
- To improve performance by separating unstable applications from well-behaved applications
- To prevent resources in one application from accessing resources in another application. For example, ISPs might create individual application pools for each customer's sites and web applications. Separating customer content this way can prevent one customer's resources from accessing resources on another customer's web site, even though both customers' sites are on the same web server.

Note: The isolation is only as good as the identities involved. Two pools that both run as the same account (for example Network Service, the IIS 7.0 default) are separate processes, but the file system and the rest of the operating system see the same user, so code in one can read the other's content. Give each pool that needs isolation its own low-privilege account.

Perform this task on Server1 as [email protected]

The IIS 7.0 command-line tools reside in the %windir%\system32\inetsrv directory, which is available only to members of the Administrators group on the computer. In addition, members of the Administrators group must start the IIS 7.0 command-line tools with elevated permissions. Users who view or change Web.config files in sites or application directories must have read and write access to the files in those directories.

1. On the Start menu, click Command Prompt.
2. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

3. At the command prompt, type the following command and then press ENTER.

    appcmd add apppool /name:NewIntranet


4. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 and then click Application Pools. Verify that NewIntranet is listed.

Change the Application Pool assigned to a Web Site

In this exercise, you are going to assign the Default Web Site to the new application pool you created.

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites and then click Default Web Site.
2. In the Actions pane, click Advanced Settings.
3. In the Advanced Settings window, click DefaultAppPool, and then click the ellipsis button (...).
4. In the Select Application Pool dialog box, in Application pool, select NewIntranet and then click OK.
5. Click OK to close the Advanced Settings dialog box.
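The appcmd steps of this lab in one script, with the settings a security reviewer would ask for on an employee-data directory: a configuration backup before the changes (the practice the shared-configuration section of this lab describes), a dedicated pool running as its own low-privilege domain account instead of the shared default identity, and anonymous access replaced by Windows authentication on the EmployeeData virtual directory alone. This is an added example, not part of the original lab. Assumptions: an elevated PowerShell session on Server1; all IIS 7.0 modules were installed, so the Windows authentication module is present; a plain domain user INSIDERS\svc_intranet (a hypothetical name) has been created for the pool, with the lab password.

```powershell
# Added example (not from the lab): Lab 5's appcmd steps, hardened.
# Assumptions: elevated PowerShell on Server1; all IIS 7.0 modules installed;
# INSIDERS\svc_intranet (hypothetical name) exists as a plain domain user.

$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$site    = 'Default Web Site'
$vdir    = "$site/EmployeeData"
$poolId  = 'INSIDERS\svc_intranet'
$poolPwd = 'P@ssw0rd'   # lab password; use a real secret outside the lab

function Invoke-Appcmd {
    & $appcmd $args
    if ($LASTEXITCODE -ne 0) { throw "appcmd $args failed ($LASTEXITCODE)" }
}

# 0. Snapshot applicationHost.config so everything below can be rolled back
#    with: appcmd restore backup beforeEmployeeData
Invoke-Appcmd add backup beforeEmployeeData

# 1. Stop the site and create the virtual directory.
Invoke-Appcmd stop site /site.name:$site
New-Item -ItemType Directory -Path 'C:\inetpub\wwwroot\employeedata' -Force | Out-Null
Invoke-Appcmd add vdir /app.name:"$site/" /path:/EmployeeData /physicalPath:C:\inetpub\wwwroot\employeedata

# 2. A dedicated pool running as its own domain account, and the site moved to it.
#    IIS 7.0 adds the pool identity to IIS_IUSRS at run time, so no extra group
#    membership is needed; the account still needs NTFS read on the content.
Invoke-Appcmd add apppool /name:NewIntranet
Invoke-Appcmd set apppool /apppool.name:NewIntranet /processModel.identityType:SpecificUser "/processModel.userName:$poolId" "/processModel.password:$poolPwd"
Invoke-Appcmd set app /app.name:"$site/" /applicationPool:NewIntranet

# 3. Employee data is for authenticated staff only: anonymous off, Windows
#    authentication on, scoped to the virtual directory. The authentication
#    sections are locked at server level, so commit to applicationHost.config
#    (a <location> element) rather than a web.config in the content folder.
Invoke-Appcmd set config $vdir /section:anonymousAuthentication /enabled:false /commit:apphost
Invoke-Appcmd set config $vdir /section:windowsAuthentication /enabled:true /commit:apphost

# 4. Start the site and verify its state, the effective authentication for
#    the virtual directory, and the identity the new pool runs under.
Invoke-Appcmd start site /site.name:$site
Invoke-Appcmd list site $site
Invoke-Appcmd list config $vdir /section:anonymousAuthentication
Invoke-Appcmd list config $vdir /section:windowsAuthentication
Invoke-Appcmd list apppool NewIntranet /text:processModel.identityType
```

The pool password ends up encrypted in applicationHost.config, which is one more reason the backup folder created by appcmd add backup deserves the same access restrictions as the live configuration. appcmd restore backup beforeEmployeeData reverts every configuration change above; the directory on disk stays.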

Starting and Stopping Application Pools

In this task, you are going to manage application pools. When you stop an application pool, the WWW service shuts down all running worker processes serving that application pool. The WWW service does not restart these worker processes; an administrator must restart stopped application pools. All requests routed to a stopped application pool receive 503 Service Unavailable errors.

Perform this task on Server1 as [email protected]

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and then click NewIntranet.
2. In the Actions pane, click Stop.
3. In the Actions pane, click Start to restart the application pool.

Recycling Application Pools

In this task, you are going to force the recycle of an application pool. Occasionally, you may need to recycle an unhealthy worker process immediately instead of waiting for the next configured recycle. Rather than abruptly stopping the worker process, which can cause service interruptions, you can use on-demand recycling. Overlapping recycling, the default, allows an unhealthy worker process to be marked for recycling but to continue handling the requests it has already received. It does not accept new requests from HTTP.sys. When all existing requests have been handled, the unhealthy worker process shuts down.

Perform this task on Server1 as [email protected]

1. In the Connections pane, click Application Pools and then click NewIntranet.
2. In the Actions pane, click Recycle.

Viewing Applications in an Application Pool

In this task you are going to view the applications that are assigned to the DefaultAppPool. You may want to see all of the applications assigned to a given application pool to verify that applications are correctly assigned, or to assess whether you should move some applications to another application pool.

Perform this task on Server1 as [email protected]


1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools and then click DefaultAppPool.
2. In the Actions pane, click View Applications.

View Information about Worker Processes and Application Pool Settings

In this exercise, you are going to examine the worker processes that are running on the web server. You can view performance information about worker processes running on your web server. This information can help you narrow down applications that cause problems on your web server, and help you make decisions about how to fix these issues. IIS 7.0 lists worker processes with their associated application pool names and provides information for each worker process.

Perform this task on Server1 as [email protected]

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites and then click Default Web Site.
2. In the Actions pane, under Manage Web Site, click Start.
3. In the Actions pane, click Browse *:80 (http).

Note: You may need to add this site to the Trusted Sites list.

4. Minimize the home page for the Default Web Site once it has opened.
5. In Internet Information Services (IIS) Manager, in the Connections pane, under Sites, click Default Web Site.
6. In the Actions pane, click Browse 192.168.1.2:80 (http).

If you receive the Microsoft Phishing Filter warning, select the Ask me later radio button and click OK to close the warning.

7. Once the Default Web Site home page has opened, minimize it.
8. In the Connections pane, click Server1 (Insiders\Administrator).
9. In the Server1 Home pane, under IIS, double-click Worker Processes.

Note: The Worker Processes pane lists the active application pool names, process IDs, state, CPU %, private bytes (KB) and virtual bytes (KB). A worker process only appears once its pool has received a request, which is why the site was browsed first.

10. Close the Internet Information Services (IIS) Manager console.

Shared Web Server Configuration

Introduction

In this exercise, you are the web administrator at your company. You want to implement the shared web farm configuration in IIS 7.0. To do this you will designate a single shared master IIS configuration file on a central server that can be accessed through a Universal Naming Convention (UNC) share from either a local or a remote server. This shared configuration file can be used across multiple front-end web servers, avoiding costly and error-prone replication and manual synchronization. Web site and application settings are no longer explicitly tied to a centralized configuration store on each local machine. Configuration files can simply be copied from the developer's workstation to a test server and from the test server to the production

  • 8/3/2019 31-Dec-07 Windows 2008 RC1 HOL Instructions

    13/29

    Windows Server 2008 (Pre-Release) Hands On Lab Instructions

    Dennis Chung | IT Pro Evangelist | Microsoft Singapore | http://windowsmvp.spaces.live.com Page 13

    Web server that will serve as the central configuration store. In this exercise, you are going to use this new

    feature to create a single configuration file that will affect several web servers.

    Backing up the Current applicationHost.config

    It is always good practice to back up the current applicationHost.config file before changing multiple settings. In this task, you are going to back up the applicationHost.config file before making any changes to the server or its configuration. You will do this by creating a backup object with the APPCMD command-line tool. The configuration files are stored in the %windir%\System32\inetsrv\config directory. The command creates a backup object that includes the applicationHost.config file and the legacy metabase file (for SMTP and other non-web-server settings) in a folder under %windir%\System32\inetsrv\backup. You can then list the backup objects to make sure the new one is present.

    1. Log on to Server1 as [email protected] with a password of P@ssw0rd.

    2. On the Start menu, click Command Prompt.

    3. At the command prompt, type the following command and then press ENTER.

    cd %windir%\system32\inetsrv

    4. At the command prompt, type the following command and then press ENTER.

    appcmd add backup centralConfigBackup

    Verifying Backup of applicationHost.config

    In this task, you are going to verify that the backup of applicationHost.config took place and that the backup object is present.

    Perform this task on Server1 as [email protected]

    1. At the command prompt, type the following command and then press ENTER.

    appcmd list backup

    The output lists each backup object by name. To confirm that the files themselves were copied, also check that %windir%\system32\inetsrv\backup\centralConfigBackup contains applicationHost.config.

    Restore applicationHost.config

    In this task, you are going to replace the current applicationHost.config file with the backup copy. Since you haven't made any changes since the backup was taken, this is simply a test of the restore procedure.

    Perform this task on Server1 as [email protected]

    1. At the command prompt, type the following command and then press ENTER.

    appcmd restore backup centralConfigBackup
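    The three tasks above as one script is an added example, not part of the lab: it runs the same appcmd commands, but also proves that the backup object actually holds a byte-for-byte copy of the live applicationHost.config before you rely on it, and re-checks after the restore. It assumes PowerShell 2.0 or later run elevated on Server1, that appcmd.exe is in %windir%\System32\inetsrv, and that appcmd writes backups to %windir%\System32\inetsrv\backup\<name>; the backup name is a parameter.

```powershell
# Added example, not part of the lab: backup, verify and restore applicationHost.config
# with appcmd, checking the copy with a hash instead of trusting the backup name.
# Assumptions: PowerShell 2.0+, elevated, on Server1; appcmd.exe in %windir%\System32\inetsrv,
# backups written to %windir%\System32\inetsrv\backup\<name>.
param([string]$BackupName = "centralConfigBackup")

$inetsrv   = Join-Path $env:windir "System32\inetsrv"
$appcmd    = Join-Path $inetsrv "appcmd.exe"
$liveCfg   = Join-Path $inetsrv "config\applicationHost.config"
$backupDir = Join-Path $inetsrv "backup\$BackupName"
$backupCfg = Join-Path $backupDir "applicationHost.config"

function Get-Sha256Hex([string]$Path) {
    # Hash the whole file so two copies can be compared without diffing the XML.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace "-", "" }
    finally { $fs.Close() }
}

# 1. Create the backup object (the lab's "appcmd add backup"). appcmd will not overwrite
#    a backup of the same name, so remove a stale one first.
if (Test-Path $backupDir) { & $appcmd delete backup $BackupName | Out-Null }
& $appcmd add backup $BackupName
if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed (exit code $LASTEXITCODE)" }

# 2. Verify. "appcmd list backup" only shows that the name is registered; also check that
#    the file was copied and that it is identical to the live configuration.
& $appcmd list backup
if (-not (Test-Path $backupCfg)) { throw "Backup is missing applicationHost.config: $backupCfg" }
$liveHash = Get-Sha256Hex $liveCfg
if ($liveHash -ne (Get-Sha256Hex $backupCfg)) { throw "Backup does not match the live configuration" }
Write-Host "Backup '$BackupName' verified, SHA-256 $liveHash"

# 3. Restore (the lab's "appcmd restore backup"), then re-hash so a partial or failed
#    restore is detected rather than assumed.
& $appcmd restore backup $BackupName
if ($LASTEXITCODE -ne 0) { throw "appcmd restore backup failed (exit code $LASTEXITCODE)" }
if ((Get-Sha256Hex $liveCfg) -ne $liveHash) { throw "Restored configuration differs from the backup" }
Write-Host "Restore of '$BackupName' verified"
```

    Keep the hash printed at step 2 with your change record: after the shared configuration is enabled later in this exercise, re-hashing the file on the central share tells you whether anyone other than you has changed it.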

    Creating a user account for accessing the UNC Share

    In this task, you are going to create a domain user account that IIS will use to reach the shared configuration folder required for the shared web farm. You will create a domain user called ConfigUser with a password of P@ssw0rd. The account is referenced on the front-end web server (Server1, where IIS 7 is installed), which presents it when reading the configuration, and it is granted permissions on the file server (Server2, where the central configuration will reside), which hosts the share.

    Perform this task on DC1

    1. Log on to DC1 as [email protected] with the password P@ssw0rd.

    2. On the Start menu, navigate to All Programs/Administrative Tools and then click Active Directory Users and Computers.

    3. In Active Directory Users and Computers, click LabUsers (create this OU if it doesn't exist). On the Action menu, point to New and then click User.

    4. In the New Object - User dialog box, in Full name and User logon name, type ConfigUser, and click Next.

    5. In the New Object - User dialog box, type P@ssw0rd in both the Password and Confirm password boxes, clear the User must change password at next logon check box, select the Password never expires check box, and then click Next. (A non-expiring password is a lab convenience; in production this should be a dedicated service account whose password is managed and rotated like any other service credential.)

    6. In the New Object - User dialog box, click Finish.

    Create the UNC Shares for central configuration and content

    In this task you are going to create a shared directory that will hold the configuration file. As part of this procedure, you need to ensure that the accounts that will access this directory have read permission (and, for the export step later in this exercise, write permission). The UNC share for configuration will host the applicationHost.config file so that the web servers pick up the shared configuration from the centralized location.

    1. Ensure you are logged on to Server2 as Administrator using the password P@ssw0rd.

    2. On the Start menu, click Command Prompt.

    3. At the command prompt, type the following command and then press ENTER.

    md c:\centralconfig

    4. At the command prompt, type the following command and then press ENTER.

    net share centralconfig$=%SystemDrive%\centralconfig /grant:Users,Read

    Note: /grant:Users,Read gives every authenticated domain user read access to the share, and therefore to the complete IIS configuration of the farm once it is exported there. That is acceptable in this lab; in production, grant the share only to the ConfigUser account and to the administrators who maintain the configuration. The trailing $ only hides the share from browsing; it does not restrict access.

    Give Permissions to the ConfigUser account for the UNC Shares that will host the central configuration file and content

    In this task you are going to configure the permissions required by the user to access the central configuration store. This account is used by IIS to access the UNC share in the same way it accesses content when a virtual directory is mapped to a UNC share: the account's read permission is used only to open the configuration share. From that point on, whenever IIS reads the configuration file it does so under the identity of the caller, whether that is an API, the administration tool in use, or the user logged on at the time.

    Perform this task on Server2 as [email protected]

    1. On the Start menu, click Computer.

    2. In the Computer window, navigate to Local Disk (C:)\centralconfig.

    3. Right-click centralconfig and click Share.

    4. In the File Sharing window, click Change sharing permissions.

    5. In the File Sharing window, click the drop-down arrow and select Find.

    6. In the Select User or Group dialog box, type configuser, then click Check Names.

    7. Click OK.

    8. Click Share.

    9. In the File Sharing window, click Share, and when it is finished sharing, click Done. The wizard adds the account with the Reader permission level, which is all that reading the shared configuration requires.

    Granting the Log on as a batch job right to the user account

    In this task you are going to grant the Log on as a batch job user right. When shared configuration is used, in either a domain or a non-domain scenario, the account whose credentials IIS uses to reach the share must hold this right. It is not granted by default in Windows Server 2008, so it has to be added manually on the computer holding the shared configuration.

    Perform this task on Server2 as [email protected]

    1. Click the Start menu, navigate to All Programs/Administrative Tools and then click Local Security Policy.

    2. In Local Security Policy, expand Local Policies and then click User Rights Assignment.

    3. In the contents pane, click Log on as a batch job and then, on the Action menu, click Properties.

    4. In the Log on as a batch job Properties dialog box, click Add User or Group.

    5. In the Select Users, Computers or Groups window, type [email protected] in the Enter the object names to select box and click OK.

    6. Click OK to close the Log on as a batch job Properties dialog box.

    7. Close Local Security Policy.

    Note: In a domain, a Group Policy Object that sets User Rights Assignment overwrites this local setting at the next policy refresh. If shared configuration later stops working, confirm the right is still present (for example with gpresult, or by re-opening Local Security Policy) before looking elsewhere.

    Enable Shared Configuration

    The new IIS 7 administration user interface includes support for setting up configuration redirection. The user interface provides support for exporting the configuration files and any necessary encryption keys to a specified path, and also provides for easy modification of the redirection.config file.

    Perform this task on Server1 as Administrator (the steps in this section may vary a little between builds)

    1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.

    2. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator), and then in the Server1 Home pane, click Shared Configuration.

    3. In the Actions pane, click Open Feature.

    4. In the Actions pane, click Export Configuration.

    5. In the Export Configuration dialog box, type the values in the following table, and then click OK.

    Setting                     Value
    Physical Path               \\Server2\CentralConfig$
    Encryption keys password    P@ssw0rd
    Confirm Password            P@ssw0rd

    Note: The encryption keys password protects the exported keys that decrypt the credentials stored in applicationHost.config. Anyone holding the exported files and this password can recover those credentials, so in production choose a strong password and do not keep it on the share.

    6. In the Export Configuration dialog box, click OK.

    7. In the Shared Configuration pane, select Enable shared configuration and then, in Physical Path, type \\Server2\CentralConfig$.

    8. In the Shared Configuration pane, click Connect As.

    9. In the Set Credentials dialog box, type the values in the following table and then click OK.

    Setting             Value
    User name           [email protected]
    Password            P@ssw0rd
    Confirm password    P@ssw0rd

    10. In the Actions pane, click Apply.

    11. In the Shared Configuration dialog box, click OK.

    12. In the Shared Configuration dialog box, type P@ssw0rd (the encryption keys password from step 5), and then click OK.

    13. In the Shared Configuration dialog box, click OK.

    14. Close Internet Information Services (IIS) Manager, and then re-open Internet Information Services (IIS) Manager.

    15. Repeat steps 1 to 14 on Server2, but do not repeat steps 4 to 6, which export the configuration: Server2 must point at the configuration Server1 already exported, not overwrite it with its own.

    Testing the Shared Configuration File

    In this task you will test the use of the shared configuration file by making a change to the applicationHost.config file on one server and observing the change on the other web server.

    Perform this task on Server2 as Administrator

    1. In Internet Information Services (IIS) Manager, expand Server2 (Insiders\Administrator) and then click Application Pools.

    2. In the Actions pane, click Add Application Pool.

    3. In the Add Application Pool dialog box, type Test Applications Pool and then click OK.

    4. Switch to the Server1 computer, ensuring you are logged on as Insiders\Administrator using the password P@ssw0rd.

    5. Open Internet Information Services (IIS) Manager.

    6. In Internet Information Services (IIS) Manager, expand Server1 (Insiders\Administrator) and then click Application Pools.

    7. Verify that Test Applications Pool is listed. (If IIS Manager on Server1 was already open, click Refresh; the change lives in the shared file, not in any local copy.)
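    The lab's share grants Read to the Users group and relies on the File Sharing wizard for ConfigUser. The following added example (not part of the lab) does the Server2 side of the exercise with only the accounts that need access, and adds a check to run on Server1 after step 14 of Enable Shared Configuration that reads what IIS Manager wrote to redirection.config. It assumes PowerShell 2.0 or later run elevated, the lab's names (C:\centralconfig, share centralconfig$, account INSIDERS\ConfigUser, path \\Server2\CentralConfig$), and that redirection.config carries a configurationRedirection element with enabled, path, userName and password attributes, the password being stored in IIS's encrypted [enc:...:enc] form.

```powershell
# Added example, not part of the lab. Set-CentralConfigShare runs on Server2 (the file
# server); Test-SharedConfigRedirection runs on Server1 (the web server) after shared
# configuration has been enabled. Names, paths and the redirection.config layout are
# assumptions stated in the text above.

function Set-CentralConfigShare {
    param([string]$Path = 'C:\centralconfig',
          [string]$ShareName = 'centralconfig$',
          [string]$ConfigAccount = 'INSIDERS\ConfigUser')
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS: stop inheriting the drive root's permissions, then grant only Administrators,
    # SYSTEM and the configuration account. Modify (M) rather than Read lets IIS Manager
    # on the web servers save changes to the shared applicationHost.config; use R if the
    # file will only ever be edited on Server2. No entry for Users at all.
    & icacls.exe $Path /inheritance:r | Out-Null
    & icacls.exe $Path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${ConfigAccount}:(OI)(CI)M" | Out-Null

    # Share: recreate it granting only the configuration account and Administrators,
    # replacing the lab's /grant:Users,Read. The trailing $ hides the share from browsing
    # but is not a permission; the grants are what limit access.
    & net.exe share $ShareName /delete 2>$null | Out-Null
    & net.exe share "$ShareName=$Path" "/grant:$ConfigAccount,CHANGE" '/grant:Administrators,FULL' | Out-Null
    & net.exe share $ShareName
}

function Test-SharedConfigRedirection {
    # Read the redirection IIS Manager wrote and report whether it points where expected
    # and whether the stored share password is in IIS's encrypted form.
    param([string]$ExpectedPath = '\\Server2\CentralConfig$',
          [string]$RedirectionConfig = (Join-Path $env:windir 'System32\inetsrv\config\redirection.config'))
    [xml]$cfg = Get-Content $RedirectionConfig
    $r  = $cfg.configuration.configurationRedirection
    $pw = [string]$r.password
    New-Object PSObject -Property @{
        Enabled           = ([string]$r.enabled -eq 'true')
        Path              = [string]$r.path
        PathAsExpected    = ([string]$r.path -eq $ExpectedPath)
        UserName          = [string]$r.userName
        PasswordProtected = ($pw -eq '' -or $pw.StartsWith('[enc:'))
    }
}

# On Server2, as a local administrator:   Set-CentralConfigShare
# On Server1, after step 14 of the lab:    Test-SharedConfigRedirection | Format-List
```

    Run the check on Server2 as well after step 15: both web servers should report the same Path and UserName, and PasswordProtected should be true on both. A false there means the share credentials are sitting in clear text in a file every local administrator can read.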

    Managing an IIS 7 Server

    Introduction

    In this exercise you will configure an IIS 7 server to allow a remote administrator to manage a subset of the features on one web site. You will first enable remote administration so that the administrator can manage the web server using IIS Manager over HTTPS. You will then configure feature delegation to restrict modification of some site settings to the administrator of the web server only. Finally, you will create an IIS Manager user account and grant that account permission to administer a web site.

    Configure Management Service Page

    In this task, you are going to configure the Management Service to accept remote connections. The Management Service (WMSVC) enables computer and domain administrators to remotely manage a web server by using IIS Manager. The service also enables delegated administrators to locally and remotely manage delegated features of web sites and web applications on the web server. The service listens on TCP port 8172 over HTTPS; it is installed with a self-signed certificate, which remote IIS Manager clients will flag until it is replaced with a certificate issued by a CA they trust.

    Perform this task on Server1 as Administrator

    1. On the Start menu, navigate to All Programs/Administrative Tools and then click Internet Information Services (IIS) Manager.

    2. In the Connections pane, click Server1 (Insiders\Administrator).

    3. In the Server1 Home pane, under Management, click Management Service, and then in the Actions pane, click Open Feature.

    4. In the Management Service pane, select Enable remote connections.

    5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.
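    The following is an added example (not from the lab) to run from the Vista machine or another management workstation after step 5: it opens a TLS connection to the Web Management Service on Server1 and reports the certificate it presents, which is what a remote IIS Manager client is asked to trust. It assumes PowerShell 2.0 or later (for the scriptblock-to-delegate conversion), that the service is on its default port 8172, and that the workstation can reach Server1.

```powershell
# Added example, not part of the lab: inspect the certificate WMSVC presents on TCP 8172.
# Assumes PowerShell 2.0+ and network reachability to the server named.

function Get-WmsvcCertificate {
    param([string]$ComputerName = 'Server1', [int]$Port = 8172)

    # Accept any certificate so the handshake completes and we can look at it. This
    # callback exists only for inspection; never use it to actually manage the server.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Server     = $ComputerName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NamesHost  = ($cert.Subject -like "*CN=$ComputerName*")
        }
    } finally { $tcp.Close() }
}

$c = Get-WmsvcCertificate -ComputerName 'Server1'
$c | Format-List Server, Subject, Issuer, Thumbprint, NotAfter, SelfSigned, NamesHost
if ($c.SelfSigned) {
    Write-Warning "WMSVC on $($c.Server) presents a self-signed certificate ($($c.Thumbprint)). Replace it in Management Service > SSL certificate with one issued by a CA your administrators' machines trust, or record this thumbprint out of band before anyone accepts the IIS Manager prompt."
}
if (-not $c.NamesHost) {
    Write-Warning "Certificate subject '$($c.Subject)' does not name $($c.Server); clients will see a name mismatch."
}
```

    Until the certificate is replaced, expect at least the self-signed warning. The thumbprint this prints is the only thing an administrator can compare against the prompt IIS Manager shows on first connection, and it is only meaningful if it was obtained on the server or over a path you already trust, not from the same network an attacker could be spoofing.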

    Configure Feature Delegation

    In this task, you will configure feature delegation to ensure that some settings are configurable only at the server level, and not at the individual web site level.

    Perform this task on Server1 as Administrator

    1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).

    2. In the Server1 Home pane, click Feature Delegation and then in the Actions pane, click Open Feature.

    3. In the Feature Delegation pane, click Logging and then in the Actions pane, click Read Only.

    Note: Read Only lets a site administrator see the logging settings but not change them. It is enforced by locking the section in applicationHost.config (overrideMode="Deny"), so the lock holds for anyone editing the site's web.config directly, not only for IIS Manager users.

    Enable IIS Users and Create a User

    In this task you will configure the Management Service to allow connections from IIS Manager users. You will then create a new IIS Manager user account for an administrator who does not have a Windows user account with administrative permission on the IIS 7 server. IIS Manager users exist only in the IIS configuration (administration.config), not in Windows or Active Directory, and can do nothing except what has been delegated to them through IIS Manager Permissions on a site or application.

    Perform this task on Server1 as Administrator

    1. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).

    2. In the Server1 Home pane, under Management, click Management Service, and then in the Actions pane, click Open Feature.

    3. In the Actions pane, click Stop.

    4. In the Management Service pane, select Windows credentials or IIS Manager credentials.

    5. In the Actions pane, click Start, and then in the Management Service dialog box, click Yes.

    6. In Internet Information Services (IIS) Manager, in the Connections pane, click Server1 (Insiders\Administrator).

    7. In the Server1 Home pane, under Management, click IIS Manager Users, and then in the Actions pane, click Open Feature.

    8. In the IIS Manager Users pane, in the Actions pane, click Add User.

    9. In the Add User dialog box, enter the values in the following table and then click OK.

    Setting             Value
    User name           IntranetAdmin
    Password            P@ssw0rd
    Confirm password    P@ssw0rd

    Delegate Control of Default Web Site

    In this task you will grant the IntranetAdmin IIS Manager user control over the Default Web Site.

    1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Server1 (Insiders\Administrator), expand Sites, and then click Default Web Site.

    2. In the Default Web Site Home pane, under Management, click IIS Manager Permissions and then in the Actions pane click Open Feature.

    3. In the Actions pane, click Allow User.

    4. In the Allow User dialog box, click IIS Manager and then click Select.

    5. In the Users dialog box, click IntranetAdmin and then click OK.

    6. Click OK to close the Allow User dialog box.

    IntranetAdmin can now connect with IIS Manager to Server1 on port 8172, choosing Default Web Site as the connection target, and sees only the features delegated to the site. Logging, set to Read Only above, is visible but cannot be changed.

    Important: Prior to starting Lab 6, remove IIS 7 from Server1 and Server2.

    Reboot when done before commencing Lab 6.

    Lab 6: Implementing Terminal Services RemoteApps

    Machines Needed for this Lab

    Name        Machine State
    DC1         Running
    Server1     Running
    Server2     Running
    RODC        Saved

    RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they are running on a user's local computer. Users can run RemoteApp applications side by side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the programs share the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available through a web site.

    In this exercise, you will configure DC1 to publish remote applications. In addition you will create packages for deploying remote applications to the client machines and then distribute these packages. You will also test the connection to the remote application from a client machine. In order to test the RemoteApp, you will also modify the Allow List so that an application can be accessed remotely.

    Note: The lab installs the Terminal Server role service on a domain controller purely to save machines. Do not do this in production: every RemoteApp user then holds an interactive session on the domain controller itself, and the wizard's "not recommended" warning in the next task is about exactly that.

    Install Terminal Server Role Service

    In this task you will add the Terminal Server role service to DC1.


    Note: This task uses the following computer: DC1

    1. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.

    2. In Server Manager, add the Terminal Services role.

    3. In the Add Role Services dialog box, click Install Terminal Services anyway (not recommended).

    4. In the Add Role Services dialog box, on the Uninstall and Reinstall Applications for Compatibility page, click Next.

    5. In the Add Role Services dialog box, on the Specify Authentication Method for Terminal Services page, select Require Network Level Authentication and then click Next.

    Note: Network Level Authentication (NLA) makes the client authenticate, through CredSSP, before a session is created on the server, so unauthenticated clients never reach the logon screen. It requires Remote Desktop Connection 6.0 or later and CredSSP support on the client (Windows Vista and later have both out of the box).

    6. In the Add Role Services dialog box, on the Specify Licensing Mode page, select Configure later and then click Next.

    7. In the Add Role Services dialog box, on the Select User Groups Allowed Access to This Terminal Server page, click Next.

    8. In the Add Role Services dialog box, on the Confirm Installation Selections page, click Install.

    Note: On the Confirm Installation Selections page there is one warning, advising that you may need to reinstall applications. In the lab it is safe to ignore; in a production environment, remember that applications may need to be reinstalled. Applications on a terminal server are installed in install mode so that their per-user settings are written to a different section of the registry, which allows the applications to be used safely by multiple users simultaneously.

    The installation process will take approximately 3 minutes. After this you will need to restart DC1.

    9. In the Add Role Services dialog box, on the Installation Results page, click Close.

    10. In the Add Role Services dialog box, click Yes to begin the restart.

    11. After the restart, log on to DC1 as Administrator using the password P@ssw0rd.

    Note: After you log on, the Post-Reboot Configuration Wizard will appear to confirm that the Terminal Services role has been installed successfully.

    12. In the Post-Reboot Configuration Wizard dialog box, click Close.

    Add a program to the Allow List

    In this task you will add an existing program to the Allow List for Terminal Services RemoteApp. In order for a user to be able to access a program with RemoteApp, the application must be on the Allow List. The Allow List settings also include the ability to change settings for the remote applications, such as additional command-line arguments and changes to the default icons. You will add WordPad to the Allow List.

    Note: Together with the terminal server setting "Do not allow users to start unlisted programs on initial connection" in TS RemoteApp Manager, the Allow List is what stops a client from launching an arbitrary program through a RemoteApp connection. Leave the per-program option to allow any command-line arguments off unless the program needs it, since arguments are chosen by the client.

    1. Log on to DC1 as Administrator with the password of P@ssw0rd.

    2. On the Start menu, navigate to All Programs/Administrative Tools/Terminal Services/TS RemoteApp Manager.

    3. In TS RemoteApp Manager, on the Action menu, click Add RemoteApps.

    4. In the RemoteApp Wizard, click Next.

    5. On the Choose programs to add to the RemoteApps list page, check the box next to WordPad and then click Next.

    6. In the RemoteApp Wizard, on the Review Settings page, click Finish.

    Create an RDP file that publishes a connection to an application

    In this task you will create an RDP file that can then be distributed to clients, either via e-mail or on a USB flash disk (UFD). This will then enable users to connect remotely to the remote program that was added to the Allow List. Any settings that have been added to the application in the Allow List will also be added to the RDP file.

    1. In TS RemoteApp Manager, select WordPad in the contents pane.

    2. In TS RemoteApp Manager, in the Actions pane, click Create .rdp File.

    3. In the RemoteApp Wizard, click Next.

    4. In the RemoteApp Wizard, on the Specify Package Settings page, modify the location for saving the package to C:\Public\ (create this folder).

    5. In the RemoteApp Wizard, on the Specify Package Settings page, under TS Gateway Settings, click Change.

    6. In the Configure TS Gateway Settings dialog box, select Auto.

    7. In the RemoteApp Wizard, on the Specify Package Settings page, click Next.

    8. In the RemoteApp Wizard, on the Review Settings page, click Finish.

    Note: Windows Explorer will now appear displaying the created RDP file. The created file is named Wordpad.rdp.

    Note: An .rdp file is a plain-text list of settings. A copy that has been forwarded by e-mail or carried on a USB disk can be altered to point at a different server or gateway, and the recipient will then be prompted for domain credentials by whatever host it names. Distribute the file from a location users can trust and tell them which server name the connection prompt should show.
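    Because the file is plain text, the check a recipient (or a help desk) can do before double-clicking it is mechanical. The following added example (not part of the lab) parses a RemoteApp .rdp file and compares the settings that decide where credentials go against expected values. It assumes PowerShell 2.0 or later. The sample file inside it is constructed for the example to show a tampered copy; the field names (full address, gatewayhostname, remoteapplicationprogram and so on) are the ones Remote Desktop Connection understands, but the exact set TS RemoteApp Manager writes can differ between releases, so build your expected values from a file you generated yourself.

```powershell
# Added example, not part of the lab: parse an .rdp file and flag settings that would
# send a user, and their domain credentials, somewhere other than the published server.
# Assumes PowerShell 2.0+. The sample below is constructed, not a file produced by the lab.

function Read-RdpFile {
    # Each line is name:type:value, where type is s (string) or i (integer). Names may
    # contain spaces, so only the first two colons separate fields.
    param([string[]]$Lines)
    $h = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([si]):(.*)$') {
            $h[$Matches[1].Trim()] = $(if ($Matches[2] -eq 'i') { [int]$Matches[3] } else { $Matches[3] })
        }
    }
    $h
}

function Test-RdpFile {
    # Compare the fields that matter against what the administrator published and return
    # one line per discrepancy; an empty result means the file is as expected.
    param([hashtable]$Rdp, [hashtable]$Expected)
    $findings = @()
    foreach ($name in $Expected.Keys) {
        $actual = $Rdp[$name]
        if ("$actual" -ne "$($Expected[$name])") {
            $findings += "$name is '$actual', expected '$($Expected[$name])'"
        }
    }
    # A RemoteApp file that names no program, or that also redirects local drives to the
    # server, deserves a second look regardless of which host it points at.
    if ($Rdp['remoteapplicationmode'] -eq 1 -and -not $Rdp.ContainsKey('remoteapplicationprogram')) {
        $findings += 'remoteapplicationmode is set but no remoteapplicationprogram is named'
    }
    if ($Rdp['drivestoredirect']) { $findings += "drive redirection is enabled: $($Rdp['drivestoredirect'])" }
    $findings
}

# Constructed sample: what a tampered copy of Wordpad.rdp might look like. The host name
# and the drive redirection line are the alterations.
$sample = @(
    'full address:s:dc1.insiders-support.example',
    'remoteapplicationmode:i:1',
    'remoteapplicationprogram:s:||WordPad',
    'remoteapplicationname:s:WordPad',
    'alternate shell:s:rdpinit.exe',
    'gatewayhostname:s:',
    'gatewayusagemethod:i:2',
    'drivestoredirect:s:*',
    'prompt for credentials:i:1'
)
$expected = @{ 'full address' = 'dc1.insiders.com'; 'gatewayhostname' = ''; 'remoteapplicationprogram' = '||WordPad' }

$rdp = Read-RdpFile -Lines $sample            # for a real file: Read-RdpFile -Lines (Get-Content .\Wordpad.rdp)
$problems = Test-RdpFile -Rdp $rdp -Expected $expected
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Wordpad.rdp matches the published settings' }
```

    The two settings to compare first are always full address and gatewayhostname, because between them they name every host that will see the user's credentials. The check is a stopgap; signing .rdp files, where the client supports it, is the durable fix.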

    Create an MSI file that installs an application

    In this task you will create an MSI file that can be distributed as an installation package. This package could be distributed for users to install manually, or installed as part of a Group Policy Object. As part of the configuration of an MSI package it is possible to define where the remote program will appear in the user's environment, and also to associate the remote program with client file associations. An example of using this would be to publish Microsoft Word so that it is integrated into the user's Start menu and is opened when they click on a Word document. This gives the user seamless integration with the remote program. Any settings that have been added to the application in the Allow List will also be added to the MSI file.

    1. In TS RemoteApp Manager, in the contents pane, select WordPad.

    2. In the Actions pane, click Create Windows Installer Package.

    3. In the RemoteApp Wizard, click Next.

    4. In the RemoteApp Wizard, on the Specify Package Settings page, modify the location for saving the package to C:\Users\Public\.

    5. In the RemoteApp Wizard, on the Specify Package Settings page, under TS Gateway Settings, click Change.

    6. In the Configure TS Gateway Settings dialog box, select Auto.

    7. In the RemoteApp Wizard, on the Configure Distribution Package page, accept the default settings by clicking Next.

    8. In the RemoteApp Wizard, on the Review Settings page, click Finish.

    Note: Windows Explorer will now appear displaying the created installation file. The created file is named WordPad.msi.

    Using RemoteApp Access

    In this task, you will use the RDP file and the MSI file that you created in the previous tasks by accessing them through the Public share on DC1. (The Public share is the folder C:\Users\Public; make sure both Wordpad.rdp and WordPad.msi are in it.)

    Note: This task uses the following computer: VISTA

    1. Log on to VISTA as Administrator with the password of P@ssw0rd.

    2. On the Start menu, in Start Search, type \\DC1\Public and then press ENTER.

    3. In Windows Explorer, double-click Wordpad.rdp.

    4. In the Windows Security dialog box, enter the following values:

    Setting         Value
    User name:      [email protected]
    Password:       P@ssw0rd

    5. Check Remember my credentials and then click OK.

    6. In the RemoteApp dialog box, check Don't prompt me again for connections to this computer, and then click Yes.

    Note: Steps 5 and 6 suppress the credential and publisher prompts for this server. They are convenient in the lab; on a production client they mean that a later, altered .rdp file naming the same server launches without any warning, so leave them unchecked where that matters.

    Note: The application now launches. When the application launches successfully it will display on the screen as On The Server. This is the remote application running on the server.

    7. Close the On The Server remote program.

    8. In Windows Explorer, double-click WordPad.msi.

    Note: The remote WordPad application now installs. Observe that the name of the application matches the name that was entered during the creation of the MSI file.

    9. After the application has completed installation, on the Start menu, navigate to All Programs/RemoteApp/WordPad.

    Note: The application now launches. When the application launches successfully it will display on the screen as WordPad.

    10. In the remote WordPad application, on the File menu, click Exit to close it.

    Implementing Terminal Services Web Access

    TS Web Access is a feature that makes RemoteApp programs available to users from a web browser. With TS Web Access, a user can visit a web site, either from the Internet or from an intranet, to access a list of available RemoteApp applications. When a user starts a RemoteApp application, a Terminal Services session is started on the terminal server that hosts the remote program.

    TS Web Access includes a default web page that you can use to deploy RemoteApp applications over the web. The web page consists of a frame and a customizable Web Part, where the list of RemoteApp applications is displayed.

    In this exercise, you will configure the terminal server to support Terminal Services Web Access and then confirm that a published application is available through the web interface.

    Install Terminal Server Web Access Role Service

    In this task you will modify DC1 to include the TS Web Access role service. This extends the terminal server so that it can provide remote applications through a web interface.

    Note: This task uses the following computer: DC1

    1. Log on to DC1 using the user name Administrator and the password P@ssw0rd.

    2. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager.

    3. In the Explorer pane, navigate to Roles/Terminal Services.

    4. In the contents pane, under Role Services, click Add Role Services.

    5. In the Select Role Services dialog box, check TS Web Access.

    6. In the Add Role Services dialog box, click Add Required Role Services.

    7. In the Add Role Services dialog box, on the Select Role Services page, click Next.

    8. In the Add Role Services dialog box, on the Web Server (IIS) page, click Next.

    9. In the Add Role Services dialog box, on the Select Role Services page, click Next.

    10. In the Add Role Services dialog box, on the Confirm Installation Selections page, click Install.

    Connect to Terminal Server Web Access and launch application

    In this task, you will use Terminal Services Web Access to reach the applications that you published earlier.

    Note: This task uses the following computer: VISTA

    1. On the Start menu, click Internet Explorer.

    2. In the address bar, enter the address http://DC1/ts and then press ENTER.

    3. In the Connect to dc1 dialog box, enter the user name insiders\Administrator and the password P@ssw0rd.

    Note: The TS Web Access page is now displayed. Two programs are listed: Demo Application and the WordPad program that you published in an earlier task. The lab uses plain HTTP; in production, publish the TS Web Access site over HTTPS, since the page is authenticated with domain credentials and the connection settings it hands to the client name the server users will send those credentials to.

    4. Click Demo Application in the TS Web Access web page.

    5. In the Trust Warning pop-up, click Yes.

    6. In the RemoteApp dialog box, click Yes.

    7. In the Windows Security dialog box, enter the user name Insiders\Administrator and the password P@ssw0rd, and then press ENTER.

    Note: The application now launches. When the application launches successfully it will display on the screen as On The Server.

    Lab 7: Network Access Protection

    Machines Needed for this Lab

    Name        Machine State
    DC1         Running
    Server1     Running
    Server2     Saved
    RODC        Saved

    Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server 2008. NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers so that they can regain unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network, and it also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.

    In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.

    NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.

    NAP enforces health requirements for the following:

    - Internet Protocol security (IPsec)-protected communications
    - Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
    - Virtual private network (VPN) connections
    - Dynamic Host Configuration Protocol (DHCP) configuration

    The step-by-step instructions in this lab will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

    Note: DHCP enforcement is the simplest of the four methods to set up and also the weakest. It only constrains the address, subnet mask and routes a client is handed by DHCP; a client with a manually configured IP address, or one whose user has local administrator rights and changes it, bypasses it entirely. Use it to understand and report on client health, and choose IPsec or 802.1X enforcement where bypass must be prevented.

    NAP enforcement and network restriction

    NAP enforcement settings allow you to limit the network access of noncompliant clients to a restricted network, to defer restriction to a later date, or merely to observe and log the health status of NAP-capable client computers. The following settings are available:

    Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.

    Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements and are placed on the restricted network.


    Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

    Remediation

    Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

    You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.

    This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

    Ongoing monitoring to ensure compliance

    NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.

    Install the NPS and DHCP server roles on Server1

    To install the NPS and DHCP server roles (log in as Insiders\Administrator)

    1. Click Start, and then click Server Manager.
    2. Under Roles Summary, click Add roles, and then click Next.
    3. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
    4. On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
    5. On the Select Network Connection Bindings page, verify that 192.168.1.2 is selected, and then click Next.
    6. On the Specify DNS Server Settings page, verify that insiders.com is listed under Parent domain.
    7. Type 192.168.1.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
    8. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
    9. On the Add or Edit DHCP Scopes page, click Add.
    10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to Starting IP Address, type 192.168.1.150, next to Ending IP Address type 192.168.1.200, and next to Subnet Mask type 255.255.255.0.
    11. Select the Activate this scope check box, click OK, and then click Next.
    12. On the Select IPv6 DHCP Server Operation Mode page, select Disable DHCPv6, and then click Next.
    13. On the Authorize DHCP Server page, select Use current credentials. Verify that Insiders\Administrator is displayed next to Username, and then click Next.
    14. On the Confirm Installation Selections page, click Install.
    15. Verify the installation was successful, and then click Close.
    16. Close the Server Manager window.
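    The same result from the command line, as an added example that is not part of the lab text. It assumes the Windows Server 2008 build you are using ships ServerManagerCmd.exe and the netsh dhcp context; the role identifiers DHCP and NPAS-Policy-Server are taken from the Server Manager command-line documentation, not from this lab, so check them with ServerManagerCmd.exe -query first. Run it in an elevated window on Server1 as Insiders\Administrator.

```powershell
# Added example: command-line equivalent of the Add Roles wizard steps above.
# Assumptions: ServerManagerCmd.exe is present (Windows Server 2008), the
# role IDs below are correct for this build, and Server1 is 192.168.1.2.

# Steps 3-4: DHCP Server role, then the Network Policy Server role service.
ServerManagerCmd.exe -install DHCP
ServerManagerCmd.exe -install NPAS-Policy-Server

# Step 13: authorize Server1 in Active Directory under the current credentials.
# An unauthorized DHCP server in an AD domain refuses to lease addresses.
netsh dhcp add server server1.insiders.com 192.168.1.2

# Steps 9-11: create the scope, give it the 150-200 range and activate it.
# The scope is addressed by its network ID (192.168.1.0), not by its name.
netsh dhcp server 192.168.1.2 add scope 192.168.1.0 255.255.255.0 "NAP Scope"
netsh dhcp server 192.168.1.2 scope 192.168.1.0 add iprange 192.168.1.150 192.168.1.200
netsh dhcp server 192.168.1.2 scope 192.168.1.0 set state 1

# Step 15 equivalent: list the scopes and confirm NAP Scope shows as Active.
netsh dhcp server 192.168.1.2 show scope
```

    Step 12 (disabling DHCPv6) has no netsh equivalent shown here; it is a wizard-only choice in this lab, and steps 5-8 (bindings, DNS and WINS settings) are server defaults that the commands above leave untouched.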

    Configure Server1 as a NAP health policy server

    To configure SHVs

    1. Double-click Network Access Protection, and then click System Health Validators.
    2. In the middle pane under Name, double-click Windows Security Health Validator.
    3. In the Windows Security Health Validator Properties dialog box, click Configure.
    4. Clear all check boxes except A firewall is enabled for all network connections. You do not have to clear the Windows Update check box.
    5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

    Configure remediation server groups

    Remediation server groups are lists of computers that noncompliant NAP clients can access to help them update their configuration. For the test lab, DC1 will be added to a remediation server group so that VISTA will have access to DNS when it is noncompliant.

    To configure a remediation server group

    1. In the console tree, under Network Access Protection, right-click Remediation Server Groups, and then click New.
    2. Under Group Name, type Rem1.
    3. Next to Remediation Servers, click Add.
    4. In the Add New Server dialog box, under IP address or DNS name, type 192.168.1.1, and then click OK twice.

    Configure health policies

    Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies: one that corresponds to a compliant health state and one that corresponds to a noncompliant health state.

    To configure health policies

    1. Double-click Policies.
    2. Right-click Health Policies, and then click New.
    3. In the Create New Health Policy dialog box, under Policy Name, type Compliant.
    4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
    5. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
    6. Click OK.
    7. Right-click Health Policies, and then click New.
    8. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
    9. Under Client SHV checks, select Client fails one or more SHV checks.
    10. Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example.

    Configure network policies

    Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

    Configure a network policy for compliant client computers

    First, create a network policy to match network access requests made by compliant client computers.

    To configure a network policy for compliant client computers

    1. In the console tree, under Policies, click Network Policies.
    2. Disable the two default policies under Policy Name by right-clicking the policies, and then clicking Disable for each.
    3. Right-click Network Policies, and then click New.
    4. In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next.
    5. In the Specify Conditions window, click Add.
    6. In the Select condition dialog box, double-click Health Policies.
    7. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
    8. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next.
    9. In the Specify Access Permission window, verify that Access granted is selected, and then click Next.
    10. In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next.
    11. Click No in the pop-up window warning you about authentication methods.
    12. In the Configure Constraints window, click Next.
    13. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next. See the following example.
    14. In the Completing New Network Policy window, click Finish to complete configuration of your network policy for compliant client computers.
    15. Click OK.

    Configure a network policy for noncompliant client computers

    Next, create a network policy to match network access requests made by noncompliant client computers.

    To configure a network policy for noncompliant client computers

    1. Right-click Network Policies, and then click New.
    2. In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next.
    3. In the Specify Conditions window, click Add.
    4. In the Select condition dialog box, double-click Health Policies.
    5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
    6. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next.
    7. In the Specify Access Permission window, verify that Access granted is selected, and then click Next.

    Important

    A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level determined by the policy.

    8. In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next.
    9. Click No in the pop-up window warning you about authentication methods.
    10. In the Configure Constraints window, click Next.
    11. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and verify that Enable auto-remediation of client computers is selected.
    12. Click Next, and then click Finish. This completes configuration of your NAP network policies.
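    Before moving on to DHCP it is worth confirming that NPS really holds the objects the two procedures above created, and keeping a copy of the configuration so a later mistake can be rolled back. The script below is an added example, not part of the lab; it relies only on the netsh nps context that ships with Windows Server 2008, and the output path C:\nps-nap-lab.xml is an arbitrary choice.

```powershell
# Added example: verify the NPS objects from the health policy and network
# policy procedures, then export the configuration as a rollback point.
# Assumption: run on Server1 in an elevated window after the GUI steps.

# Names the lab told you to type; each must appear in the NPS configuration.
$expected = @(
    'Compliant', 'Noncompliant',                        # health policies
    'Rem1',                                             # remediation server group
    'Compliant-Full-Access', 'Noncompliant-Restricted'  # network policies
)

# Dump the whole configuration as text once and search it for each name.
$config = netsh nps show config
$missing = @()
foreach ($name in $expected) {
    if (-not ($config | Select-String -SimpleMatch -Quiet $name)) {
        $missing += $name
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ("NPS objects not found: " + ($missing -join ', '))
} else {
    Write-Host "All expected NPS objects are present."
}

# Keep a rollback copy. exportPSK=YES also writes RADIUS shared secrets, so
# treat the file as sensitive even though this lab defines no RADIUS clients.
netsh nps export filename="C:\nps-nap-lab.xml" exportPSK=YES
```

    The matching is by substring, so a policy whose name merely contains one of the expected names would also satisfy the check; in this lab there are no such extra policies, which keeps the check honest. Restoring the saved file later is netsh nps import filename="C:\nps-nap-lab.xml".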

    Configure DHCP on Server1

    Open the DHCP console

    To open the DHCP console

    1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
    2. Leave this window open for all DHCP configuration tasks.

    Verify the default NAP profile

    First, verify that the default NAP profile is being used on the DHCP server.

    To verify the default NAP profile is being used

    1. In the DHCP console, double-click server1.insiders.com, and then double-click IPv4.
    2. Right-click Scope, and then click Properties.
    3. On the Network Access Protection tab, verify that Use default Network Access Protection profile is selected, and then click OK.

    Configure the default user class

    Next, configure scope options for the default user class. These scope options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.

    To configure default user class scope options

    1. In the DHCP console, double-click Scope, right-click Scope Options, and then click Configure Options.
    2. On the Advanced tab, verify that Default User Class is chosen next to User class.
    3. Under Available Options, select the 003 Router check box, type 192.168.1.1 in IP Address, and click Add.
    4. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
    5. Select the 015 DNS Domain Name check box, type insiders.com in String value, and then click OK. The insiders.com domain is a full-access network assigned to compliant NAP clients.

    Configure the default NAP class

    Next, configure scope options for the default Network Access Protection class. These scope options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

    To configure default NAP class scope options

    1. In the DHCP console, right-click Scope Options, and then click Configure Options.
    2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
    3. Select the 006 DNS Servers check box, type 192.168.1.1 in IP Address, and click Add.
    4. Select the 015 DNS Domain Name check box, type restricted.insiders.com in String value, and then click OK. The restricted.insiders.com domain is a restricted-access network assigned to noncompliant NAP clients.
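    The two option sets above, expressed with netsh so the difference between the classes is visible side by side. This is an added example, not lab text: it assumes the netsh dhcp scope set optionvalue syntax from the netsh reference (option code, option type, an optional user= class, then the value) and the class name "Default Network Access Protection Class" exactly as the DHCP console shows it.

```powershell
# Added example: scope options for both user classes, as netsh commands.
# Assumptions: Server1 is 192.168.1.2, the scope network ID is 192.168.1.0,
# and the NAP user class is named "Default Network Access Protection Class".
$server = '192.168.1.2'
$scope  = '192.168.1.0'
$napClass = 'user=Default Network Access Protection Class'

# Default User Class: what a compliant client receives. Router + DNS + suffix.
netsh dhcp server $server scope $scope set optionvalue 003 IPADDRESS 192.168.1.1
netsh dhcp server $server scope $scope set optionvalue 006 IPADDRESS 192.168.1.1
netsh dhcp server $server scope $scope set optionvalue 015 STRING insiders.com

# Default Network Access Protection Class: what a noncompliant client receives.
# Note there is deliberately no 003 Router here. Together with the NAP
# profile (a 255.255.255.255 mask and host routes only to remediation
# servers) that missing default gateway is what keeps a restricted client
# confined to DC1, the only member of remediation group Rem1.
netsh dhcp server $server scope $scope set optionvalue 006 IPADDRESS $napClass 192.168.1.1
netsh dhcp server $server scope $scope set optionvalue 015 STRING $napClass restricted.insiders.com

# Review both option sets; the NAP class values are listed under their class.
netsh dhcp server $server scope $scope show optionvalue
```

    The restricted DNS suffix is mainly a diagnostic convenience: a client that reports restricted.insiders.com as its connection-specific suffix in ipconfig has been placed in the restricted class, which is the quickest way to see enforcement working from the client side.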

    Configuring VISTA

    Enable the DHCP enforcement client

    The NAP DHCP enforcement method requires that the DHCP enforcement client is enabled on NAP client computers.

    To enable the DHCP enforcement client

    1. Click Start, click All Programs, click Accessories, and then click Run.
    2. Type napclcfg.msc, and then press ENTER.
    3. In the console tree, click Enforcement Clients.
    4. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
    5. Close the NAP Client Configuration console.

    Enable and start the NAP agent service

    By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a startup type of Manual. VISTA must be configured so that the Network Access Protection Agent service starts automatically, and the service must be started.

    To enable and start the NAP agent service

    1. Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools.
    2. Double-click Services.
    3. In the services list, double-click Network Access Protection Agent.
    4. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start.
    5. Wait for the NAP agent service to start, and then click OK.
    6. Close the Services console, Administrative Tools, and System and Maintenance windows.
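    Both client-side procedures can be scripted, which matters once you have more than one Vista machine to prepare. The script below is an added example and not part of the lab; it assumes the netsh nap client context on Windows Vista, where 79617 is the enforcement client ID of the DHCP Quarantine Enforcement Client, and napagent is the service name behind the Network Access Protection Agent display name.

```powershell
# Added example: enable the DHCP enforcement client and the NAP agent on VISTA.
# Assumptions: run elevated on VISTA; enforcement client ID 79617 is the
# DHCP Quarantine Enforcement Client; the service short name is napagent.

# Equivalent of napclcfg.msc > Enforcement Clients > DHCP ... > Enable.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# Equivalent of the Services console: startup type Automatic, then start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Confirm the service really came up before trusting any NAP result.
$svc = Get-Service -Name napagent
if ($svc.Status -ne 'Running') {
    Write-Warning "napagent is $($svc.Status); NAP evaluation will not happen."
}

# Show the client's view: enforcement clients with their admin state, and the
# current restriction state (expected: DHCP client enabled, not restricted).
netsh nap client show state
```

    If the enforcement client is enabled but the service is stopped, the DHCP server sees an ordinary, NAP-incapable client and applies whatever the server's policy for such clients is; in this lab's default NAP profile that is full access, so a forgotten service silently bypasses the whole check. The status test above exists to catch exactly that.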


    Verify network connectivity for VISTA

    Run the ping command from VISTA to confirm network communication between VISTA and DC1. Because the Network Access Protection Agent service and DHCP enforcement client are running, VISTA is considered NAP-capable by the DHCP server and is issued an IP address on the 192.168.1.0/24 subnet. This is required to join VISTA to the Insiders.com domain.

    To use the ping command to check network connectivity

    1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
    2. In the command window, type ping DC1.
    3. Verify that the response reads Reply from 192.168.1.1.
    4. Close the command window.

    Verification of NAP auto-remediation

    The Noncompliant-Restricted network policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that VISTA is automatically remediated to a compliant state when Windows Firewall is turned off.

    To verify that VISTA is auto-remediated when Windows Firewall is turned off

    1. On VISTA, click Start, and then click Control Panel.
    2. Click Security Center, and then click Windows Firewall.
    3. In the Windows Firewall dialog box, click Change settings.
    4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
    5. Watch Windows Security Center and you will see that Windows Firewall is displayed as off and is then displayed as on.
    6. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of VISTA. See the following example.
    7. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network.

    Because auto-remediation occurs rapidly, you might not see one or both of these messages.
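    Because the balloon messages disappear quickly, a scripted view of the same cycle is easier to trust. The script below is an added example, not part of the lab: it reads the System Quarantine State and connection-specific DNS suffix that ipconfig /all reports on a NAP-capable Vista client, uses netsh advfirewall to reproduce step 4, and then polls until the agent has remediated. The NAP client event log name Microsoft-Windows-NetworkAccessProtection/Operational is assumed from the Vista log layout rather than taken from the lab.

```powershell
# Added example: observe NAP restriction and auto-remediation from VISTA.
# Assumptions: run elevated on VISTA with napagent running and the DHCP
# enforcement client enabled; DHCP-issued address comes from Server1.

function Get-NapView {
    # One line summarising what the client currently believes about itself.
    $ip = ipconfig /all
    $quarantine = ($ip | Select-String 'System Quarantine State') -replace '.*:\s*', ''
    $suffix = ($ip | Select-String 'Connection-specific DNS Suffix' |
               Select-Object -First 1) -replace '.*:\s*', ''
    $fw = (netsh advfirewall show currentprofile state |
           Select-String '^State') -replace 'State\s*', ''
    "quarantine=$quarantine suffix=$suffix firewall=$fw"
}

"Before: " + (Get-NapView)           # expected: Not Restricted, insiders.com, ON

# Step 4 of the lab, without the GUI: make the client noncompliant.
netsh advfirewall set currentprofile state off
# A renew sends a fresh SoH, so the server re-evaluates health immediately
# (this is the "ongoing monitoring" case described earlier).
ipconfig /renew | Out-Null

# Poll for up to 30 s; auto-remediation normally lands within a few seconds.
$remediated = $false
for ($i = 0; $i -lt 30 -and -not $remediated; $i++) {
    Start-Sleep -Seconds 1
    $view = Get-NapView
    "t+${i}s: $view"
    if ($view -match 'firewall=ON' -and $view -match 'Not Restricted') { $remediated = $true }
}
if (-not $remediated) { Write-Warning "Firewall was not re-enabled by NAP within 30 s." }

# The authoritative record: the NAP client's own operational log.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:10 /rd:true /f:text
```

    If the client only ever reports Not Restricted with the firewall off, check the server side first: the Noncompliant health policy must reference the Windows Security Health Validator, and Noncompliant-Restricted must be enabled and ordered above any remaining default policy. On the server, the NPS accounting and system event logs record each health evaluation, which is the place to build detection for clients that repeatedly fall out of compliance.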

    That's it for today's HOL.