are practice 6421 - v2


Upload: valeriu-ghihanis

Post on 21-Apr-2015


Module 1 Lab Answer Key: Planning and Configuring IPv4

Contents:

Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices

Exercise 2: Implementing and Verifying IPv4 in the Branch Office


Lab: Planning and Configuring IPv4

Exercise 1: Selecting an IPv4 Addressing Scheme for Branch Offices

Task 1: Read the supporting documentation

• Read the supporting documentation located beneath the Exercise scenario in the main module document.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Update the Branch Office Network Infrastructure Plan: IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW00602/1

Document Author: Charlotte Weiss

Date: 6th February

Requirements Overview

Design an IPv4 addressing scheme for the Contoso branch sales offices, shown in the exhibit.

The block address 172.16.16.0/20 has been reserved for this region.

You must devise a scheme that supports the required number of subnets, the required number of hosts, and provide for 25 percent growth of hosts in each branch.

For each branch, provide the subnet addresses you plan to use, together with the start and end IP addresses for each subnet.

Additional Information

You do not need to concern yourself with the IP addressing for the corporate side of the router at each branch.

Proposals

1. How many subnets do you envisage requiring for this region?

Answer: There are 300 computers in the region. The specification states that around 50 computers should be deployed in each subnet. You also need to plan for growth of around 25 percent. Six subnets are required in the region to host computers, but an additional subnet for each location should be planned for to host the growth in computers. This is a total of nine subnets.

2. How many hosts will you deploy in each subnet?

Answer: The specification states that you must deploy a maximum of 50 host computers for each subnet.

3. What subnet mask will you use for each branch?

Answer: The current network address for the region is 172.16.16.0/20. This leaves 12 bits to allocate to subnets and hosts. To express 9 subnets, you would require 4 bits, since 3 bits only provides for 8 subnets. Four bits actually provides for 16 subnets, which is plenty. This is a decimal mask of 255.255.255.0.


4. What are the subnet addresses for each branch?

Answer: Branch 1:

172.16.16.0/24

172.16.17.0/24

172.16.18.0/24

Branch 2:

172.16.19.0/24

172.16.20.0/24

172.16.21.0/24

Branch 3:

172.16.22.0/24

172.16.23.0/24

172.16.24.0/24

5. What range of host addresses are in each branch?

Answer: Branch 1:

172.16.16.1 > 172.16.16.254

172.16.17.1 > 172.16.17.254

172.16.18.1 > 172.16.18.254

Branch 2:

172.16.19.1 > 172.16.19.254

172.16.20.1 > 172.16.20.254

172.16.21.1 > 172.16.21.254

Branch 3:

172.16.22.1 > 172.16.22.254

172.16.23.1 > 172.16.23.254

172.16.24.1 > 172.16.24.254
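The plan above can be re-derived and checked mechanically. The following Python sketch is an added example, not part of the lab answer key; it follows the key's reasoning (borrow enough bits to number nine subnets, then confirm that each subnet holds 50 hosts plus 25 percent growth), and the function and parameter names are assumptions made for illustration.

```python
import ipaddress
import math


def plan_subnets(block, branches, subnets_per_branch, hosts_per_subnet, growth):
    """Split `block` into equal subnets the way the answer key does.

    Hypothetical helper (not from the courseware): borrow just enough bits
    to number every subnet, then verify each subnet still fits the required
    hosts plus growth.
    """
    network = ipaddress.ip_network(block)
    needed = len(branches) * subnets_per_branch       # 3 branches x 3 = 9
    subnet_bits = (needed - 1).bit_length()           # 9 subnets -> 4 bits
    new_prefix = network.prefixlen + subnet_bits      # /20 + 4 bits -> /24
    if new_prefix > 30:
        raise ValueError("block is too small for %d subnets" % needed)

    subnets = list(network.subnets(new_prefix=new_prefix))
    required_hosts = math.ceil(hosts_per_subnet * (1 + growth))
    usable_hosts = subnets[0].num_addresses - 2       # minus network/broadcast
    if usable_hosts < required_hosts:
        raise ValueError(
            "/%d holds %d hosts, %d required"
            % (new_prefix, usable_hosts, required_hosts)
        )

    plan = {}
    for i, branch in enumerate(branches):
        chunk = subnets[i * subnets_per_branch:(i + 1) * subnets_per_branch]
        # (subnet, first host, last host) for each subnet of the branch
        plan[branch] = [(str(s), str(s[1]), str(s[-2])) for s in chunk]

    return {
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "available": len(subnets),
        "required_hosts": required_hosts,
        "usable_hosts": usable_hosts,
        "plan": plan,
    }


if __name__ == "__main__":
    result = plan_subnets(
        "172.16.16.0/20", ["Branch 1", "Branch 2", "Branch 3"], 3, 50, 0.25
    )
    print("mask", result["mask"], "- subnets available:", result["available"])
    for branch, rows in result["plan"].items():
        print(branch + ":")
        for subnet, first, last in rows:
            print("  %-16s %s > %s" % (subnet, first, last))
```
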

Task 3: Examine the suggested proposals in the Lab Answer Key

• Examine the completed Branch Office Network Infrastructure plan in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you should have completed an IP addressing plan for the Contoso branch offices.


Exercise 2: Implementing and Verifying IPv4 in the Branch Office

Task 1: Determine the current IPv4 configuration of the router

1. Switch to the NYC-RTR computer.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Ipconfig /all

4. What is the IPv4 address and subnet mask listed that starts 172.16?

Answer: 172.16.16.1/255.255.255.0

5. What subnet is this?

Answer: 172.16.16.0/24

6. What would the last host address in this subnet be?

Answer: 172.16.16.254

7. Close the command prompt.

Task 2: Determine the IPv4 configuration of NYC-SVR2

1. Switch to the NYC-SVR2 computer.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Ipconfig /all

4. What is the IPv4 address and subnet mask?

Answer: 172.16.16.2/255.255.255.0

5. What subnet is this?

Answer: 172.16.16.0/24

6. What is the default gateway?

Answer: 172.16.16.1

7. What is the DNS Servers entry?

Answer: 10.10.0.10

8. Leave the command prompt open.

Task 3: Determine the configuration of the NYC-CL2 computer

1. Switch to the NYC-CL2 computer.

2. Click Start, click Computer, and then double-click Allfiles (E:).

3. In Windows Explorer, double-click Labfiles and then double-click Mod01.


4. Double-click Reconfigure.cmd.

5. Close Explorer.

6. Click Start, and in the Search box, type cmd.exe and press ENTER.

7. At the command prompt, type the following command and then press ENTER:

Ipconfig /all

8. What is the IPv4 address and subnet mask?

Answer: 169.254.x.y – the answer will vary.

9. What does this tell you?

Answer: The client is attempting to obtain an IP address dynamically and has failed to connect to a DHCP server.

Task 4: Reconfigure the NYC-CL2 computer

1. Click Start, click Control Panel, and then click Network and Internet.

2. In Network and Internet, click Network and Sharing Center.

3. In Network and Sharing Center, click Change adapter settings.

4. In Network Connections, right-click Local Area Connection 3 and then click Properties.

5. Double-click Internet Protocol Version 4 (TCP/IPv4).

6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.

7. Use the following information to complete the configuration, and then click OK.

• IP address: 172.16.16.3

• Subnet mask: 255.255.255.0

• Default gateway: 172.16.16.1

• Preferred DNS server: 10.10.0.10

8. In the Local Area Connection 3 Properties dialog box, click Close.

9. If prompted with the Set Network Location dialog box, click Work network, and then click Close.

Task 5: Verify the configuration

1. Switch to the command prompt.

2. At the command prompt, type the following command and then press ENTER:

Ipconfig /all

3. What is the IPv4 address and subnet mask?

Answer: 172.16.16.x/255.255.255.0 – answers might vary.

4. At the command prompt, type the following command and then press ENTER:

Ping nyc-dc1


5. At the command prompt, type the following command and then press ENTER:

Ipconfig /displaydns

6. Close all open windows.

Task 6: Capture and analyze network traffic using Network Monitor

1. On the desktop, double-click Microsoft Network Monitor 3.4.

2. In the Microsoft Update Opt-In dialog box, click No.

3. In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.

4. On the Capture 1 tab, on the menu bar, click Start.

5. Switch to the command prompt.

6. At the command prompt, type the following command and then press ENTER:

Ipconfig /flushdns

7. At the command prompt, type the following command and then press ENTER:

Ping nyc-dc1

8. At the command prompt, type the following command and then press ENTER:

Ipconfig /displaydns

9. In Network Monitor, on the menu, click Stop.

10. What type of frames can you see?

Answer: Might vary, but may include BROWSER, ARP, TCP, and ICMP frames.

11. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.

12. Point to Standard Filters, click Addresses, and then click IPv4 Addresses.

13. Scroll through the text and locate the IPv4.Address == 192.168.0.100 line. Edit the IPv4 address to read 10.10.0.10.

14. On the menu in the Display Filter pane, click Apply.

15. Examine the filtered records.

16. Click Clear Text and click Remove.

17. In Microsoft Network Monitor, in the Display Filter pane, click Load Filter.

18. Point to Standard Filters, click DNS, and then click DnsQueryName.

19. Scroll through the text and locate the DNS.Qrecord.QuestionName.contains = = (“server”) line. Edit the server name to read (“contoso”)

20. On the menu in the Display Filter pane, click Apply.

21. Examine the filtered records.


22. What do the records show?

Answer: A query for a site name. (Answers might vary)

23. Close Network Monitor.

Results: At the end of this exercise, you will have configured the branch office subnet.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-RTR, 6421B-NYC-SVR2 and 6421B-NYC-CL2.


Module 2 Lab Answer Key: Configuring and Troubleshooting DHCP

Contents:

Exercise 1: Selecting a Suitable DHCP Configuration

Exercise 2: Implementing DHCP

Exercise 3: Reconfiguring DHCP in the Head Office

Exercise 4: Testing the Configuration

Exercise 5: Troubleshooting DHCP Issues


Lab: Configuring and Troubleshooting the DHCP Server Role

Exercise 1: Selecting a Suitable DHCP Configuration

Task 1: Read the Branch Office Network Infrastructure Plan: DHCP requirements

• Study the network diagram and then read the Branch Office Network Infrastructure Plan: DHCP document requirements section in the module document beneath the Exercise 1 scenario.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Branch Office Network Infrastructure Plan: DHCP document.

Branch Office Network Infrastructure Plan: DHCP

Document Reference Number: CW0703/1

Document Author: Charlotte Weiss

Date: 7th March

Requirements

Specify how you plan to implement DHCP to support your branch office requirements.

Additional Information

It is important that any router, server, or communications link failure does not adversely affect users.

Proposals

1. How many DHCP servers do you propose to deploy in the region?

Answer: Assuming that the routers are all RFC-compliant, there is no need to deploy DHCP servers in each subnet. However, for fault tolerance, each branch should have a DHCP server with duplicate scopes configured at the head office DHCP server, with appropriate exclusions to support the 80/20 rule; this would provide for addressing fault tolerance.

2. Where do you propose to deploy these servers?

Answer: One DHCP server in each branch office and one in the head office.

3. How do you propose to provide for fault tolerance of IP address allocation?

Answer: Configure the scopes to support the 80/20 rule.

4. How will clients in a branch obtain an IP configuration if their DHCP server is offline?

Answer: They will obtain an IP configuration from the head office server. This requires a DHCP relay on the router that connects the head office to the branch.

Task 3: Examine the suggested proposals in the Lab Answer Key

• Examine the completed Branch Office Network Infrastructure Plan: DHCP document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have determined the appropriate DHCP configuration for Contoso.


Exercise 2: Implementing DHCP

Task 1: Install the DHCP role on NYC-SVR2

1. Switch to NYC-SVR2.

2. On the taskbar, click Server Manager.

3. In Server Manager, in the navigation pane, click Roles, and then in the right-pane, click Add Roles.

4. In the Add Roles Wizard, click Next.

5. On the Select Server Roles page, select the DHCP Server check box and then click Next.

6. On the Introduction to DHCP Server page, click Next.

7. On the Select Network Connection Bindings page, click Next.

8. On the Specify IPv4 DNS Server Settings page, click Next.

9. On the Specify IPv4 WINS Server Settings page, click Next.

10. On the Add or Edit DHCP Scopes page, click Next.

11. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server and then click Next.

12. On the Authorize DHCP Server page, click Skip authorization of this DHCP server in AD DS and then click Next.

13. On the Confirm Installation Selections page, click Install.

14. On the Installation Results page, click Close and then close Server Manager.

Task 2: Enable DHCP Relay

1. Switch to NYC-RTR.

2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.

3. In the navigation pane, expand NYC-RTR (local), expand IPv4, right-click General, and then click New Routing Protocol.

4. In the Routing protocols list, click DHCP Relay Agent, and then click OK.

5. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

6. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 2 and then click OK.

7. In the DHCP Relay Properties – Local Area Connection 2 Properties dialog box, click OK.

8. In the navigation pane, right-click DHCP Relay Agent and then click New Interface.

9. In the New Interface for DHCP Relay Agent dialog box, click Local Area Connection 3 and then click OK.

10. In the DHCP Relay Properties – Local Area Connection 3 Properties dialog box, click OK.

11. Right-click DHCP Relay Agent and then click Properties.

12. In the DHCP Relay Agent Properties dialog box, in the Server address box, type 10.10.0.10, click Add, and then click OK.

13. Close Routing and Remote Access.


Task 3: Authorize the DHCP Server role on NYC-SVR2

1. Switch to NYC-SVR2.

2. Click Start, point to Administrative Tools, and then click DHCP.

3. In DHCP, expand nyc-svr2.contoso.com.

4. Right-click nyc-svr2.contoso.com and then click Authorize.

Task 4: Create the required scope for branch

1. In DHCP, in the navigation pane, click nyc-svr2.contoso.com, expand IPv4, right-click IPv4, and then click New Scope.

2. In the New Scope Wizard, click Next.

3. On the Scope Name page, in the Name box, type Branch Office, and then click Next.

4. On the IP Address Range page, complete the page using the following information and then click Next:

• Start IP address: 172.16.16.4

• End IP address: 172.16.16.254

• Length: 24

• Subnet mask: 255.255.255.0

5. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:

• Start IP address: 172.16.16.200

• End IP address: 172.16.16.254

6. On the Lease Duration page, click Next.

7. On the Configure DHCP Options page, click Next.

8. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.

9. On the Domain Name and DNS Servers page, click Next.

10. On the WINS Servers page, click Next.

11. On the Activate Scope page, click Next.

12. On the Completing the New Scope Wizard page, click Finish.

Results: At the end of this exercise, you will have configured the branch office DHCP server.


Exercise 3: Reconfiguring DHCP in the Head Office

Task 1: Add the branch office scope on NYC-DC1

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click DHCP.

3. In DHCP, expand nyc-dc1.contoso.com.

4. In DHCP, in the navigation pane, expand IPv4, right-click IPv4, and then click New Scope.

5. In the New Scope Wizard, click Next.

6. On the Scope Name page, in the Name box, type Branch Office Backup Scope and then click Next.

7. On the IP Address Range page, complete the page using the following information and then click Next:

• Start IP address: 172.16.16.4

• End IP address: 172.16.16.254

• Length: 24

• Subnet mask: 255.255.255.0

8. On the Add Exclusions and Delay page, complete the page using the following information, click Add, and then click Next:

• Start IP address: 172.16.16.4

• End IP address: 172.16.16.199

9. On the Lease Duration page, click Next.

10. On the Configure DHCP Options page, click Next.

11. On the Router (Default Gateway) page, in the IP address box, type 172.16.16.1, click Add, and then click Next.

12. On the Domain Name and DNS Servers page, click Next.

13. On the WINS Servers page, click Next.

14. On the Activate Scope page, click Next.

15. On the Completing the New Scope Wizard page, click Finish.

Results: At the end of this exercise, you will have created the required scopes on both DHCP servers.
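Both servers now hold the same scope range, so the exclusions are the only thing that keeps them from leasing the same address twice. The Python check below is an added example, not part of the lab answer key; it computes each server's leasable pool from the values entered in Exercises 2 and 3 and reports overlap, unserved addresses, and the resulting split. The function names are assumptions made for illustration.

```python
import ipaddress

# Values entered in the New Scope Wizard in Exercises 2 and 3.
SCOPE = ("172.16.16.4", "172.16.16.254")
SVR2_EXCLUSIONS = [("172.16.16.200", "172.16.16.254")]   # NYC-SVR2 (branch)
DC1_EXCLUSIONS = [("172.16.16.4", "172.16.16.199")]      # NYC-DC1 (head office)


def _as_int(address):
    return int(ipaddress.IPv4Address(address))


def effective_pool(scope, exclusions):
    """Addresses a server can lease: scope range minus exclusions (inclusive)."""
    first, last = _as_int(scope[0]), _as_int(scope[1])
    if first > last:
        raise ValueError("scope start is after scope end")
    pool = set(range(first, last + 1))
    for start, end in exclusions:
        lo, hi = _as_int(start), _as_int(end)
        if lo > hi or lo < first or hi > last:
            raise ValueError("exclusion %s-%s is outside the scope" % (start, end))
        pool -= set(range(lo, hi + 1))
    return pool


def _as_text(addresses):
    # Sort numerically before converting back to dotted notation.
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addresses)]


def check_split(scope, primary_exclusions, backup_exclusions):
    """Compare the two servers' pools for one shared scope range."""
    whole = effective_pool(scope, [])
    primary = effective_pool(scope, primary_exclusions)
    backup = effective_pool(scope, backup_exclusions)
    return {
        "primary_size": len(primary),
        "backup_size": len(backup),
        # Addresses both servers could hand out: duplicate-lease risk.
        "overlap": _as_text(primary & backup),
        # Addresses neither server can hand out: wasted space.
        "unserved": _as_text(whole - primary - backup),
        "primary_share": round(100 * len(primary) / len(whole)),
    }


if __name__ == "__main__":
    report = check_split(SCOPE, SVR2_EXCLUSIONS, DC1_EXCLUSIONS)
    print("NYC-SVR2 leases", report["primary_size"], "addresses")
    print("NYC-DC1 leases", report["backup_size"], "addresses")
    print("split: %d/%d" % (report["primary_share"], 100 - report["primary_share"]))
    print("overlap:", report["overlap"] or "none")
    print("unserved:", report["unserved"] or "none")
```
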


Exercise 4: Testing the Configuration

Task 1: Configure NYC-CL2 for DHCP

1. Switch to the NYC-CL2 computer.

2. On the desktop, click Microsoft Network Monitor 3.4.

3. In the Microsoft Update Opt-in dialog box, click No.

4. In Microsoft Network Monitor 3.4, in the Recent Captures pane, click New capture tab.

5. On the Capture 1 tab, on the menu bar, click Start.

6. Click Start, and in the Search box, type Network and Sharing and then press ENTER.

7. In Network and Sharing Center, click Change adapter settings.

8. In Network Connections, right-click Local Area Connection 3 and then click Properties.

9. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.

11. Click Obtain DNS server address automatically and then click OK.

12. In the Local Area Connection 3 Properties dialog box, click OK.

Task 2: Examine DHCP packets

1. Switch to Network Monitor.

2. In Microsoft Network Monitor 3.4, on the menu, click Stop.

3. Click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter – DNS.

4. In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply.

5. Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.

6. In the Frame Details pane, expand Dhcp.

7. What is the ServerIP?

Answer: 172.16.16.2

8. Which server is this?

Answer: NYC-SVR2

Results: At the end of this exercise, you will have configured the client to obtain an IP address dynamically from the local branch server.


Exercise 5: Troubleshooting DHCP Issues

Task 1: Shut down the DHCP server on NYC-SVR2

1. Switch to NYC-SVR2.

2. In DHCP, right-click nyc-svr2.contoso.com, click All Tasks, and then click Stop.

Task 2: Renew the IP address on NYC-CL2

1. Switch to NYC-CL2.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Ipconfig /release

4. In Microsoft Network Monitor 3.4, click New Capture.

5. On the Capture 2 tab, on the menu bar, click Start.

6. At the command prompt, type the following command and then press ENTER:

Ipconfig /renew

7. In Microsoft Network Monitor 3.4, on the menu, click Load Filter, point to Standard Filters, point to Basic Examples, and then click Protocol Filter – DNS.

8. In the Display Filter text box, locate the text that reads DNS and change it to DHCP. Click Apply.

9. Now examine the captured frames. In the Frame Summary, click the frame with Destination of 255.255.255.255 and the Description that contains OFFER.

10. In the Frame Details pane, expand Dhcp.

11. What is the ServerIP?

Answer: 10.10.0.10

12. Which server is this?

Answer: NYC-DC1

Results: At the end of this exercise, you will have verified that the client can obtain an IP address from the head office when the local server is unavailable.
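Exercises 4 and 5 identify the offering server by reading the OFFER frame in Network Monitor. The Python sketch below is an added example, not part of the lab answer key: it parses a raw DHCP payload, extracts the offering server, and names it against the two servers this lab deploys, marking any other source as unexpected. It assumes the ServerIP shown by Network Monitor corresponds to the server identifier (option 54, falling back to the siaddr header field); the sample packets and the address 172.16.16.77 are constructed.

```python
import ipaddress
import struct

# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the header
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
DHCPOFFER = 2

# The two DHCP servers deployed in this lab (values from the answer key).
AUTHORIZED = {"172.16.16.2": "NYC-SVR2", "10.10.0.10": "NYC-DC1"}


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into a small dict."""
    body = BOOTP.size + len(MAGIC)
    if len(payload) < body or payload[BOOTP.size:body] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = BOOTP.unpack_from(payload)
    options, i = {}, body
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[payload[i]] = value
        i += 2 + length
    return {
        "type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "your_ip": _ip(fields[8]),
        # Prefer option 54; fall back to the siaddr header field.
        "server": _ip(options.get(OPT_SERVER_ID, fields[9])),
        "relay": _ip(fields[10]),
    }


def identify_server(payload, authorized=AUTHORIZED):
    """Return (server_ip, name) for an OFFER, or None for other messages."""
    message = parse_dhcp(payload)
    if message["type"] != DHCPOFFER:
        return None
    return message["server"], authorized.get(message["server"], "UNAUTHORIZED")


def build_offer(server, your_ip, relay="0.0.0.0"):
    """Build a constructed OFFER for testing; not a captured frame."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    header = BOOTP.pack(2, 1, 6, 0, 0x1234ABCD, 0, 0x8000, pack("0.0.0.0"),
                        pack(your_ip), pack(server), pack(relay),
                        bytes.fromhex("00155d000001"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + pack(server)
    return header + MAGIC + options + bytes([OPT_END])


if __name__ == "__main__":
    samples = [
        build_offer("172.16.16.2", "172.16.16.4"),                   # Exercise 4
        build_offer("10.10.0.10", "172.16.16.200", "172.16.16.1"),   # Exercise 5
        build_offer("172.16.16.77", "172.16.16.50"),                 # unexpected
    ]
    for sample in samples:
        print(identify_server(sample))
```
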

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR2, 6421B-NYC-RTR, and 6421B-NYC-CL2.


Module 3 Lab Answer Key: Configuring and Troubleshooting DNS

Contents:

Exercise 1: Selecting a DNS Configuration

Exercise 2: Deploying and Configuring DNS

Exercise 3: Troubleshooting DNS


Lab: Configuring and Troubleshooting DNS

Exercise 1: Selecting a DNS Configuration

Task 1: Read the Contoso Name Resolution Plan document

• Read the Contoso Name Resolution Plan document in Task 2 of the main module document.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Contoso Name Resolution Plan document.

Contoso Name Resolution Plan

Document Reference Number: GW1203/1

Document Author: Charlotte Weiss

Date: 12th March

Requirements Overview

1. Your manager is concerned that the single name server that supports the Contoso.com domain is under strain while servicing name resolution requests. You are tasked with determining a course of action to allay his concerns.

2. Contoso is working with a partner organization, A Datum. It is important that name resolution for servers in the Adatum.com domain is performed without recourse to root name servers.

Additional Information

1. No additional domain controllers are planned for the Contoso domain.

2. Changes to the Adatum.com DNS configuration should not impact the DNS configuration in Contoso; in other words, changes in Adatum.com should not result in administrative effort in Contoso.

Proposals

1. How will you modify the DNS configuration for Contoso to address the first requirement?

Answer: Add a DNS server.

2. How will you modify the DNS configuration for Contoso to address the second requirement?

Answer: Create either a stub zone for Adatum.com or configure conditional forwarding for Adatum.com.

3. Does either of the points in the additional information section raise any issues?

Answer:

• AD-integrated zones are inappropriate for this scenario; if no additional domain controllers are planned, secondary zones should be configured.

• Stub zones require less administrative effort in the event of changes in the DNS configuration of the target DNS domain.


4. What is your proposed action plan for this project?

Answer:

• Deploy the DNS role to NYC-SVR1.

• Create a secondary zone on NYC-SVR1 for Contoso.com.

• Enable and configure zone transfers to NYC-SVR1.

• Ensure that the zone data transfers successfully.

5. How will you distribute load among DNS servers?

Answer: Configure DHCP to allocate both DNS server addresses to clients.

Task 3: Examine the suggested proposals in the Lab Answer Key

• Examine the completed Contoso Name Resolution Plan document in the Lab Answer Key and be prepared to discuss your solutions with the class.

Results: At the end of this exercise, you will have selected a suitable DNS configuration for Contoso.


Exercise 2: Deploying and Configuring DNS

Task 1: Install the DNS role on NYC-SVR1

1. Switch to NYC-SVR1, and on the Taskbar, click Server Manager.

2. In Server Manager, in the navigation pane, click Roles, and in the right pane, click Add Roles.

3. In the Add Roles Wizard, on the Before You Begin page, click Next.

4. On the Select Server Roles page, in the Roles list, select the DNS Server check box and then click Next.

5. On the DNS Server page, click Next.

6. On the Confirm Installation Selections page, click Install.

7. On the Installation Results page, click Close.

Task 2: Create and configure a stub zone on NYC-DC1

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click DNS.

3. In DNS Manager, expand NYC-DC1, expand and then right-click Forward Lookup Zones, and then click New Zone.

4. In the New Zone Wizard, click Next.

5. On the Zone Type page, click Stub zone and then click Next.

6. On the Active Directory Zone Replication Scope page, click Next.

7. On the Zone Name page, in the Zone name box, type Adatum.com and then click Next.

8. On the Master DNS Servers page, in the Master Servers list, type 131.107.1.2 and press ENTER.

Note: Validation will fail. The server is not online.

9. Click Next, and on the Completing the New Zone Wizard page, click Finish.

Task 3: Create and configure secondary zones on NYC-SVR1

1. Switch to NYC-SVR1.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Dnscmd.exe /zoneadd Contoso.com /secondary 10.10.0.10

4. At the command prompt, type the following command and then press ENTER:

Dnscmd.exe /zoneadd Adatum.com /secondary 10.10.0.10

5. Click Start, point to Administrative Tools, and then click DNS.

6. In DNS Manager, in the navigation pane, expand NYC-SVR1 and then click Forward Lookup Zones.

Notice the two zones.


Task 4: Enable and configure zone transfers for Contoso.com

1. Switch to NYC-DC1.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Dnscmd.exe /zoneresetsecondaries Contoso.com /notify /notifylist 10.10.0.24

4. In DNS Manager, in the navigation pane, expand Forward Lookup Zones, expand Contoso.com.

5. Right-click Contoso.com and then click Properties.

6. In the Contoso.com Properties dialog box, click the Zone Transfers tab.

7. Click Notify, and verify that the server 10.10.0.24 is listed.

8. Click Cancel.

Note: It might take a few minutes to appear.

Task 5: Update secondary zone data from master server

1. Switch to NYC-SVR1.

2. In DNS Manager, press F5. The zone data should appear. If not, then expand Forward Lookup Zones, and then expand Contoso.com.

3. Right-click Contoso.com and then click Transfer from Master.

4. Close all open windows.

Note: You will not receive data for Adatum.com, but Contoso.com should be populated with DNS records.

Task 6: Configure clients to use the new name server

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click DHCP.

3. In DHCP, expand nyc-dc1.contoso.com.

4. Expand IPv4 and then click Server Options.

5. In the right-pane, double-click 006 DNS Servers.

6. In the Server Options dialog box, click Remove.

7. In the IP address box, type 10.10.0.24, click Add, and then click OK.

8. Close all open windows.

Results: At the end of this exercise, you will have implemented the requirements outlined in the Contoso Name Resolution Plan document.


Exercise 3: Troubleshooting DNS

Task 1: Test simple and recursive queries

1. On NYC-DC1, click Start, click Administrative tools, and then click DNS.

2. In the navigation pane, right-click NYC-DC1 and then click Properties.

3. Click the Monitoring tab.

4. On the Monitoring tab, select A simple query against this DNS server and then click Test Now.

5. On the Monitoring tab, ensure that A recursive query to other DNS servers is selected and then click Test Now. Notice that the Recursive test fails for NYC-DC1, which is normal given that there are no forwarders configured for this DNS server to use.

6. Click Start, and in the Search box, type sc stop dns and then press ENTER.

7. In DNS Manager, in the NYC-DC1 Properties dialog box, on the Monitoring tab, click Test Now. Now, both Simple and Recursive tests fail because no DNS server is available.

8. Click Start, and in the Search box, type sc start dns and then press ENTER.

9. On the Monitoring tab, click Test Now. The Simple test completes successfully.

10. Close the NYC-DC1 Properties dialog box.

Task 2: Verify SOA records with Nslookup

1. On NYC-DC1, click Start, and in the Search box, type cmd.exe and then press ENTER.

2. At the command prompt, type the following command and then press ENTER:

nslookup.exe

3. At the command prompt, type the following command and then press ENTER:

set querytype=SOA

4. At the command prompt, type the following command and then press ENTER:

Contoso.com

5. Close the command prompt.

Task 3: Use Dnslint to verify name server records

1. Switch to NYC-CL1.

2. Click Start, and in the Search box, type cmd.exe and then press ENTER.

3. In the command prompt, type the following command and then press ENTER:

D:

4. In the command prompt, type the following command and then press ENTER:

Cd\Labfiles\Mod03


5. In the command prompt, type the following command and then press ENTER:

dnslint /s 10.10.0.10 /d Contoso.com

6. Read through the report results and then close the report window.

7. Close the command prompt.

Task 4: View performance statistics with Performance Monitor

1. Switch to NYC-DC1.

2. Click Start, right-click Computer, and then click Manage.

3. In the list pane of the Server Manager window, expand Diagnostics, expand Performance, expand Monitoring Tools, and then click Performance Monitor.

4. In the center pane, click the green Plus icon.

5. In the Available counters list, double-click DNS.

6. Select Total Query Received and then click Add.

7. Select Total Query Received/sec, click Add, and then click OK.

8. Click Start, click Administrative tools, and then click DNS.

9. In the left pane, right-click NYC-DC1, and then click Properties.

10. Click the Monitoring tab.

11. On the Monitoring tab, select A simple query against this DNS Server and A recursive query to other DNS servers, and then click Test Now several times.

12. Clear the Simple and Recursive test check boxes and then click OK. Close the DNS management tool.

13. Return to the Server Manager console. The graph reflects the queries on the server.

14. In the Server Manager console, press CTRL+G and then press CTRL+G again. This report lists the total number of queries that the server has received.

15. Close the Server Manager console.

Results: At the end of this exercise, you will have verified the functionality of DNS with troubleshooting tools.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Module 4 Lab Answer Key: Configuring and Troubleshooting IPv6 TCP/IP

Contents:

Lab A: Configuring an ISATAP Router

Exercise 1: Configuring a New IPv6 Network and Client

Exercise 2: Configuring an ISATAP Router to Enable Communication Between an IPv4 Network and an IPv6 Network

Lab B: Converting the Network to Native IPv6

Exercise 1: Transitioning to a Native IPv6 Network

Lab A: Configuring an ISATAP Router

Exercise 1: Configuring a New IPv6 Network and Client

Task 1: Configure IPv4 routing

1. Switch to NYC-CL2.

2. Click Start, and in the Search box, type Network and sharing and then press ENTER.

3. In Network and Sharing Center, click Change adapter settings.

4. In Network Connections, right-click Local Area Connection 3 and then click Properties.

5. Double-click Internet Protocol Version 4 (TCP/IPv4).

6. Verify the Local Area Connection 3 properties:

• IP address: 172.16.16.3

• Subnet mask: 255.255.255.0

• Default gateway: 172.16.16.1

• Preferred DNS server: 10.10.0.10

7. In the Local Area Connection 3 Properties box, click OK.

8. Close all open windows on NYC-CL2.

9. Switch to NYC-DC1.

10. Click Start, and in the Search box, type Network and sharing and then press ENTER.

11. In Network and Sharing Center, click Change adapter settings.

12. In Network Connections, right-click Local Area Connection 2 and then click Properties.

13. Double-click Internet Protocol Version 4 (TCP/IPv4).

14. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, verify that the Default gateway is 10.10.0.1. Click OK.

15. In the Local Area Connection 2 Properties box, click OK and then close all open windows on NYC-DC1.

Task 2: Enable IP routing on NYC-RTR and confirm IPv4 connectivity

1. Switch to NYC-RTR.

2. Click Start, and in the Search box, type Regedit and then press ENTER.

3. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

4. Double-click IPEnableRouter, and then in the Value data box, type 1. Click OK.

5. Close the Registry Editor and then restart NYC-RTR.

6. After NYC-RTR restarts, log on with the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

Note: At this point, only IPv4 traffic is routed through the IPv4 routing infrastructure. Because ICMPv4 traffic is blocked by the Windows Firewall by default, you cannot test connectivity with ping.

Task 3: Disable IPv6 on NYC-DC1

1. Switch to NYC-DC1.

2. Click Start, and in the Search box, type Network and sharing and then press ENTER.

3. In Network and Sharing Center, click Change adapter settings.

4. In Network Connections, right-click Local Area Connection 2 and then click Properties.

5. In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK.

Task 4: Disable IPv4 on NYC-CL2

1. Switch to NYC-CL2.

2. Click Start, and in the Search box, type Network and sharing and then press ENTER.

3. In Network and Sharing Center, click Change adapter settings.

4. In Network Connections, right-click Local Area Connection 3 and then click Properties.

5. In the Local Area Connection 3 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box and then click OK.

6. Click Start, and in the Search box, type cmd.exe and then press ENTER.

7. At the command prompt, type the following command and then press ENTER:

ipconfig

Note: The output should be a link-local IPv6 address that starts with fe80.

Task 5: Configure an IPv6 router advertisement for the global address 2001:db8:0:1::/64 network on NYC-RTR

1. Switch to NYC-RTR.

2. Click Start, and in the Search box, type cmd.exe and then press ENTER.

3. At the command prompt, type the following command and then press ENTER:

netsh interface ipv6 set interface "Local Area Connection 3" forwarding=enabled advertise=enabled

4. At the command prompt, type the following command and then press ENTER:

netsh interface ipv6 add route 2001:db8:0:1::/64 "Local Area Connection 3" publish=yes

Task 6: Check the IP configuration on NYC-CL2 to ensure that it is configured with an IPv6 global address in the 2001:db8:0:1::/64 network

1. Switch to NYC-CL2.

2. At the command prompt, type the following command and then press ENTER:

ipconfig

Note: The output should be a link-local IPv6 address that starts with fe80. Two global IP addresses starting with 2001:db8:0:1: should also be included in the output.

3. Close the command prompt.

Results: At the end of this exercise, you will have configured NYC-CL2 for IPv6 only.

Exercise 2: Configuring an ISATAP Router to Enable Communication between an IPv4 Network and an IPv6 Network

Task 1: Add the ISATAP entry in the DNS zone on NYC-DC1

1. Switch to NYC-DC1.

2. Click Start, click Administrative Tools, and then click DNS.

3. In the left pane, expand NYC-DC1.

4. Expand Forward Lookup Zones, select and then right-click Contoso.com, and then click New host (A or AAAA).

5. In the New Host dialog box, type ISATAP in the Name text box, and then type the IP address 10.10.0.1 (for NYC-RTR).

6. Click Add Host and then click OK.

7. Click Done and then close the DNS Manager.

Task 2: Configure the ISATAP router on NYC-RTR

Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.

2. Switch to the command prompt.

3. At the command prompt, type the following command and then press ENTER:

Netsh interface ipv6 isatap set router 10.10.0.1

4. At the command prompt, type the following command and then press ENTER:

ipconfig

5. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment.

Interface_Index: ___________________________

6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:

netsh interface ipv6 set interface "isatap.Interface_Index" forwarding=enabled advertise=enabled

7. At the command prompt, type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier, and then press ENTER:

netsh interface ipv6 add route 2001:db8:0:10::/64 "isatap.Interface_Index" publish=yes

8. Restart NYC-RTR.

9. Log on using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

10. Click Start, and in the Search box, type cmd.exe and then press ENTER.

11. At the command prompt, type the following command and then press ENTER:

ipconfig

Note: The Tunnel adapter associated with the 10.10.0.0/16 network will display an IPv6 address in the 2001:db8:0:10 range.

Task 3: Enable the ISATAP interface on NYC-DC1

1. Switch to NYC-DC1.

2. Click Start, and in the Search box, type cmd.exe and then press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Netsh interface isatap set router 10.10.0.1

4. At the command prompt, type the following command and then press ENTER:

ipconfig

Note: The Tunnel adapter isatap.{Interface_Index} (which is the ISATAP adapter) has automatically received an IPv6 address from the ISATAP router.

Task 4: Test connectivity

1. Click Start, and in the Search box, type Windows Firewall and then press ENTER.

2. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.

3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

4. On the Program page, click Next.

5. On the Protocols and Ports page, in the Protocol type list, click ICMPv4 and then click Next.

6. On the Scope page, click Next.

7. On the Action page, click Next.

8. On the Profile page, click Next.

9. On the Name page, in the Name box, type Allow PING and then click Finish.

10. Switch to NYC-CL2.

11. Click Start, and in the Search box, type cmd.exe and then press ENTER.

12. At the command prompt, type the following command and then press ENTER:

Ping 2001:db8:0:10:0:5efe:10.10.0.10

13. At the command prompt, type the following command and then press ENTER:

ipconfig

14. What is the IPv6 address?

Answer: Answers vary, but will start 2001:db8:0:1:.

15. Click Start, and in the Search box, type Windows Firewall and then press ENTER.

16. In Windows Firewall with Advanced Security, click Inbound Rules, right-click Inbound Rules and then click New Rule.

17. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

18. On the Program page, click Next.

19. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.

20. On the Scope page, click Next.

21. On the Action page, click Next.

22. On the Profile page, click Next.

23. On the Name page, in the Name box, type Allow PING and then click Finish.

24. Switch to NYC-DC1.

25. At the command prompt, type the following command, and then press ENTER:

Ping IPv6_address

Where IPv6_address is the IPv6 address on NYC-CL2 you noted earlier.

Results: At the end of this exercise, you will have configured ISATAP.
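
The address pinged in step 12, 2001:db8:0:10:0:5efe:10.10.0.10, is an ISATAP address: the /64 prefix published on the router's tunnel interface, followed by the interface ID 0:5efe and the host's IPv4 address. The Python sketch below is an added example, not part of the original answer key; it builds such addresses and picks tunnel addresses out of ipconfig output, which helps when auditing which hosts still expose ISATAP interfaces. The function names, adapter GUID and sample output are constructed for illustration, and the 0200:5efe form for globally unique IPv4 addresses follows RFC 5214.

```python
"""Build and recognise ISATAP addresses like the one pinged in the lab."""
import ipaddress
import re

# Upper 32 bits of the 64-bit interface ID (RFC 5214):
# 0000:5efe for a private IPv4 address, 0200:5efe when it is globally unique.
ISATAP_PRIVATE = 0x00005EFE
ISATAP_GLOBAL = 0x02005EFE


def isatap_address(prefix, ipv4):
    """Return the ISATAP address for `ipv4` under the /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit prefix, got /%d" % net.prefixlen)
    v4 = ipaddress.IPv4Address(ipv4)
    marker = ISATAP_GLOBAL if v4.is_global else ISATAP_PRIVATE
    iid = (marker << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def _parse(addr):
    """Parse an address as ipconfig prints it, dropping any %zone suffix."""
    return ipaddress.IPv6Address(addr.split("%", 1)[0])


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP address, else None."""
    iid = int(_parse(addr)) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in (ISATAP_PRIVATE, ISATAP_GLOBAL):
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def classify(addr):
    """Return (kind, embedded IPv4 or None) for one IPv6 address string.

    Anything outside fe80::/10 is labelled "global", matching the lab's
    use of the term for the 2001:db8:... prefixes.
    """
    scope = "link-local" if _parse(addr).is_link_local else "global"
    v4 = embedded_ipv4(addr)
    if v4 is not None:
        return ("isatap-" + scope, str(v4))
    return (scope, None)


# Matches "IPv6 Address", "Temporary IPv6 Address" and "Link-local IPv6 Address".
_ADDR_LINE = re.compile(r"IPv6 Address[ .]*: (\S+)")


def scan_ipconfig(text):
    """Return [(address, kind, embedded IPv4 or None)] for ipconfig output."""
    findings = []
    for match in _ADDR_LINE.finditer(text):
        addr = match.group(1).split("(", 1)[0]  # drop "(Preferred)" if present
        kind, v4 = classify(addr)
        findings.append((addr, kind, v4))
    return findings


# Constructed sample: a tunnel adapter and a LAN adapter shown together.
SAMPLE = """\
Tunnel adapter isatap.{CONSTRUCTED-GUID}:
   IPv6 Address. . . . . . . . . . . : 2001:db8:0:10:0:5efe:10.10.0.10
   Link-local IPv6 Address . . . . . : fe80::5efe:10.10.0.10%13
Ethernet adapter Local Area Connection 3:
   IPv6 Address. . . . . . . . . . . : 2001:db8:0:1:3c5a:91ff:fe2b:7d10
   Temporary IPv6 Address. . . . . . : 2001:db8:0:1:a4d1:22c7:5be0:9f03
   Link-local IPv6 Address . . . . . : fe80::3c5a:91ff:fe2b:7d10%11
"""

if __name__ == "__main__":
    print(isatap_address("2001:db8:0:10::/64", "10.10.0.10"))
    for addr, kind, v4 in scan_ipconfig(SAMPLE):
        print("%-40s %-18s %s" % (addr, kind, v4 or "-"))
```
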

Preparing for the Next Lab

Do not turn off the virtual machines at this time because you will need them to complete the next lab.

Lab B: Converting the Network to Native IPv6

Exercise 1: Transitioning to a Native IPv6 Network

Task 1: Disable the ISATAP router on NYC-RTR

Note: When substituting the following Interface_Index, ensure that you type your Interface_Index with the brackets {} on either side.

1. Switch to NYC-RTR.

2. Click Start, and in the Search box, type cmd.exe and then press ENTER.

3. At the command prompt, type the following command and then press ENTER:

ipconfig

4. Locate the Tunnel adapter isatap.{Interface_Index}: that has a Link-local IPv6 address that contains 10.10.0.1. Note the Interface_Index (including brackets) – you will need it in a moment.

Interface_Index: ______________________________

5. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:

netsh interface ipv6 set interface "isatap.Interface_Index" forwarding=disabled advertise=disabled

6. Type the following command, replacing Interface_Index with the number (and brackets {}) that you recorded earlier:

netsh interface ipv6 delete route 2001:db8:0:10::/64 "isatap.Interface_Index"

Task 2: Configure the native IPv6 router on NYC-RTR

1. At the command prompt, type the following command and then press ENTER:

netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled

2. At the command prompt, type the following command and then press ENTER:

netsh interface ipv6 add route 2001:db8:0:0::/64 "Local Area Connection 2" publish=yes

Task 3: Disable IPv4 connectivity

1. Click Start, and in the Search box, type network and sharing and then press ENTER.

2. In the Network and Sharing Center, click Change adapter settings.

3. In the Network Connections box, right-click Local Area Connection 2 and then click Properties.

4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box, and then click OK. Close all open windows.

5. Switch to NYC-DC1.

6. Click Start, and in the Search box, type network and sharing and then press ENTER.

7. In the Network and Sharing Center, click Change adapter settings.

8. In the Network Connections box, right-click Local Area Connection 2 and then click Properties.

9. In the Local Area Connection 2 Properties dialog box, clear the Internet Protocol Version 4 (TCP/IPv4) check box.

10. Select the Internet Protocol Version 6 (TCP/IPv6) check box and then click OK. Close all open windows.

Task 4: Test connectivity between each IPv6 subnet

1. Click Start, and in the Search box, type Windows Firewall and then press ENTER.

2. In the Windows Firewall with Advanced Security window, click Inbound Rules, right-click Inbound Rules and then click New Rule.

3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

4. On the Program page, click Next.

5. On the Protocols and Ports page, in the Protocol type list, click ICMPv6 and then click Next.

6. On the Scope page, click Next.

7. On the Action page, click Next.

8. On the Profile page, click Next.

9. On the Name page, in the Name box, type Allow PING for IPv6 and then click Finish.

10. Click Start, and in the Search box, type cmd.exe and then press ENTER.

11. At the command prompt, type the following command and then press ENTER:

ipconfig

Note the new IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.

NYC-DC1 IPv6 address: _____________________________________________

12. Switch to NYC-CL2.

13. Click Start, and in the Search box, type cmd.exe and then press ENTER.

14. At the command prompt, type the following command and then press ENTER:

Ping global_IP_address

Where global_IP_address is the NYC-DC1 address that you noted previously.

15. At the command prompt, type the following command and then press ENTER:

Ipconfig /all

Note the IPv6 address (global address begins with 2001:) assigned to the local area connection. Write down the IPv6 address in the space below.

NYC-CL2 IPv6 address: _____________________________________________

16. Switch to NYC-DC1 and switch to the Command Prompt.

17. At the command prompt, type the following command and then press ENTER:

Ping global_IP_address

Where global_IP_address is the NYC-CL2 address that you noted previously.

Results: At the end of this exercise, you will have configured an IPv6 only network.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-RTR and 6421B-NYC-CL2.

Module 5 Lab Answer Key: Configuring and Troubleshooting Routing and Remote Access

Contents:

Lab A: Configuring and Managing Network Access

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution

Exercise 2: Configuring a Custom Network Policy

Exercise 3: Create and Distribute a CMAK Profile

Lab B: Implementing DirectAccess

Exercise 1: Configure the AD DS Domain Controller and DNS

Exercise 2: Configure the PKI Environment

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access

Exercise 4: Configure the DirectAccess Server

Exercise 5: Verify DirectAccess Functionality

Lab A: Configuring and Managing Network Access

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution

Task 1: Install the Network Policy and Access Services role on 6421B-NYC-EDGE1

1. On NYC-EDGE1, if Server Manager does not open automatically, from the Administrative Tools menu, click Server Manager. The Server Manager opens.

2. In the Server Manager (NYC-EDGE1) list pane, right-click Roles and click Add Roles from the context menu. The Add Roles Wizard appears. Click Next.

3. On the Select Server Roles page, select Network Policy and Access Services and then click Next.

4. On the Network Policy and Access Services introduction page, click Next.

5. On the Select Role Services page, select the Network Policy Server and Routing and Remote Access Services check boxes, and then click Next.

6. On the Confirm Installation Selections page, click Install.

7. On the Installation Results page, verify that Installation succeeded appears in the details pane and then click Close.

8. Close the Server Manager. The Network Policy and Routing and Remote Access Services roles are installed on 6421B-NYC-EDGE1.

Task 2: Configure 6421B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients

1. On NYC-EDGE1, click Start and then click Administrative Tools.

2. From the Administrative Tools menu, click Routing and Remote Access. The Routing and Remote Access administrative tool appears.

3. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access.

4. Click Next on the wizard Welcome page.

5. On the Configuration page, leave the default Remote Access (dial-up or VPN) selected and click Next.

6. On the Remote Access page, select the VPN check box and click Next.

7. On the VPN Connection page, select the Public interface and then click Next.

8. On the IP Address Assignment page, select From a specified range of addresses and then click Next.

9. On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.

10. On the Managing Multiple Remote Access Servers page, leave the default selection No, use Routing and Remote Access to authenticate connection requests and click Next. Click Finish.

11. In the Routing and Remote Access dialog box, click OK.

12. In the Routing and Remote Access dialog box regarding the DHCP Relay agent, click OK. The Routing and Remote Access service starts.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections

1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1 (local), select and then right-click Ports, and then click Properties.

2. In the Ports Properties dialog box, double-click WAN Miniport (SSTP).

3. In the Configure Device – WAN Miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.

4. In the Routing and Remote Access dialog box, click Yes to continue.

5. In the Ports Properties dialog box, double-click WAN Miniport (PPTP), and in the Configure Device – WAN Miniport (PPTP) dialog box, assign a value of 25 in the Maximum ports box and then click OK.

6. In the Routing and Remote Access dialog box, click Yes to continue.

7. Repeat this procedure, with the same value (25), for WAN Miniport (L2TP).

8. Click OK in the Ports Properties dialog box.

9. Close the Routing and Remote Access administrative tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.

Exercise 2: Configuring a Custom Network Policy

Task 1: Open the Network Policy Server management tool on 6421B-NYC-EDGE1

1. On NYC-EDGE1, click Start and then click Administrative Tools.

2. On the Administrative Tools menu, click Network Policy Server. The Network Policy Server administrative tool appears.

Task 2: Create a new network policy for RRAS clients

1. In the list pane, expand Policies, right-click Network Policies, and then click New.

2. On the New Network Policy – Specify Network Policy Name and Connection Type page, type Secure VPN in the Policy name text box, and in the Type of network access server drop-down list, click Remote Access Server (VPN-Dial up) and then click Next.

3. On the Specify Conditions page, click Add. On the Select Condition dialog box, scroll down and double-click Tunnel Type.

4. In the Tunnel Type dialog box, select L2TP, PPTP, and SSTP, click OK, and then click Next.

5. On the Specify Access Permission page, leave the default of Access granted and click Next.

6. On the Configure Authentication Methods page, clear Microsoft Encrypted Authentication (MS-CHAP) and then click Next.

7. On the Configure Constraints page, under Constraints, click Day and time restrictions, and in the details pane, select Allow access only on these days and at these times, and click Edit.

8. In the Day and time restrictions dialog box, click on the first blue rectangle in the left hand corner that represents Sunday midnight to 1AM. Hold the mouse button and drag your mouse to highlight all of Sunday. Click Denied. Repeat this procedure for all of Saturday. Click OK, and then click Next.

9. On the Configure Settings page, under Settings, click Encryption, and in the details pane, clear all settings except Strongest encryption (MPPE 128-bit). Click Next and then click Finish.

10. In the list pane of the Network Policy Server tool, click the Network Policies node.

11. If necessary, right-click the Secure VPN policy and then click Move Up. Repeat this step to make the policy the first in the list.

12. Close the Network Policy Server tool.

Task 3: Create and Test a VPN connection

1. Switch to the NYC-CL1 computer.

2. Click Start and then click Control Panel.

3. In the Control Panel window, under Network and Internet, click View network status and tasks.

4. In the Network and Sharing Center window, click Change adapter settings.

5. Right-click Local Area Connection 3 and then click Properties.

6. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.

8. Configure the following IP address settings and then click OK:

• IP Address: 131.107.0.20

• Subnet mask: 255.255.255.0

• Default gateway: 131.107.0.1

9. Click Close and then click the Back button to return to the Network and Sharing Center.

10. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.

11. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I’ll set up an Internet connection later.

12. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.

13. On the Type your user name and password page, leave the user name and password blank and then click Create.

14. Click Close in the Connect to a Workplace dialog box.

15. In the Network and Sharing Center window, click Change adapter settings.

16. On the Network Connections page, right-click Contoso VPN and then click Connect.

17. Use the following information in the Connect Contoso VPN text boxes and then click Connect:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

The VPN connects successfully.

18. Right-click Contoso VPN and click Disconnect. The VPN disconnects.

19. Close all open windows on NYC-CL1.

Results: At the end of this exercise, you will have created and tested a VPN connection.

Exercise 3: Create and Distribute a CMAK Profile

Task 1: Install the CMAK feature on NYC-CL1

1. Click Start and then click Control Panel.

2. In Control Panel, click Programs.

3. In Programs, click Turn Windows features on or off.

4. In the Windows Features list, select the RAS Connection Manager Administration Kit (CMAK) check box and then click OK.

5. Close Programs and close Control Panel.

Task 2: Create the connection profile

1. Click Start, and in the Search box, type Connection Manager Administration Kit, and then, in the Programs (1) list, click Connection Manager Administration Kit.

2. In the Connection Manager Administration Kit Wizard, click Next.

3. On the Select the Target Operating System page, click Windows 7 or Windows Vista and then click Next.

4. On the Create or Modify a Connection Manager profile page, click New Profile and then click Next.

5. On the Specify the Service Name and the File Name page, in the Service name box, type Contoso HQ, in the File name box type Contoso and then click Next.

6. On the Specify a Realm Name page, click Do not add a realm name to the user name and then click Next.

7. On the Merge Information from Other Profiles page, click Next.

8. On the Add Support for VPN Connections page, select the Phone book from this profile check box.

9. In the VPN server name or IP address box, type 131.107.0.2 and then click Next.

10. On the Create or Modify a VPN Entry page, click Next.

11. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box and then click Next.

12. On the Configure Dial-up Networking Entries page, click Next.

13. On the Specify Routing Table Updates page, click Next.

14. On the Configure Proxy Settings for Internet Explorer page, click Next.

15. On the Add Custom Actions page, click Next.

16. On the Display a Custom Logon Bitmap page, click Next.

17. On the Display a Custom Phone Book Bitmap page, click Next.

18. On the Display Custom Icons page, click Next.

19. On the Include a Custom Help File page, click Next.

20. On the Display Custom Support Information page, click Next.

21. On the Display a Custom License Agreement page, click Next.

22. On the Install Additional Files with the Connection Manager profile page, click Next.

23. On the Build the Connection Manager Profile and Its Installation Program page, click Next.

24. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.

Task 3: Distribute the profile

1. Switch to NYC-DC1.

2. Click Start, click Computer, and then double-click Allfiles (D:).

3. In Windows Explorer, on the menu, click New folder, type Contoso Profile, and then press ENTER.

4. Right-click Contoso Profile and then click Properties.

5. On the Sharing tab, click Advanced Sharing.

6. In the Advanced Sharing dialog box, select the Share this folder check box and then click Permissions.

7. In the Permissions for Contoso Profile dialog box, click Add.

8. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type administrators and then click OK.

9. In the Permissions for Contoso Profile dialog box, in the Permissions for Administrators list, select the Full Control Allow check box and then click OK.

10. In the Advanced Sharing dialog box, click OK.

11. In the Contoso Profile Properties dialog box, click Close.

12. Switch to NYC-CL1.

13. Click Start, and in the Search box, type Network and Sharing and then press ENTER.

14. In the Network and Sharing Center window, click Change adapter settings.

15. On the Network Connections page, right-click Contoso VPN and then click Connect.

16. Use the following information in the Connect Contoso VPN text boxes and then click Connect:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

The VPN connects successfully.

17. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.

18. Click Start, and in the Search box, type C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\Contoso.

19. Highlight all files in the open Explorer window and then press CTRL + C.

20. Switch to the \\NYC-DC1\Contoso Profile folder and press CTRL + V.

21. Close all open windows.

22. Click Start, and in the Search box, type \\nyc-dc1\Contoso Profile and press ENTER.

23. Double-click the Contoso application.

24. In the Contoso HQ dialog box, click Yes.

25. On the Make this connection available for page, click All users, select Add a shortcut on the desktop, and then click OK.

26. In the Contoso HQ dialog box, click Cancel.

27. In Network Connections, right-click Contoso VPN and click Disconnect.

28. On the desktop, double-click Contoso HQ – Shortcut.

29. Use the following information in the Connect Contoso HQ text boxes and then click Connect:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

The VPN connects successfully.

30. Right-click Contoso HQ - Shortcut and click Disconnect. The VPN disconnects.

31. Close all open windows on NYC-CL1.

Results: At the end of this exercise, you will have created and distributed a CMAK profile.

Preparing for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Lab B: Implementing DirectAccess

Exercise 1: Configure the AD DS Domain Controller and DNS

Task 1: Create a security group for DirectAccess computers

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users, point to New, and then click Group.

4. In the New Object - Group dialog box, under Group name, type DA_Clients.

5. Under Group scope, select Global, under Group type, choose Security, and then click OK.

6. In the details pane, double-click DA_Clients.

7. In the DA_Clients Properties dialog box, click the Members tab and then click Add.

8. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types, click the Computers check box, and then click OK.

9. Under Enter the object names to select (examples), type NYC-CL1 and then click OK.

10. Verify that NYC-CL1 is displayed below Members and then click OK.

11. Close the Active Directory Users and Computers console.

Question: Why did you create the DA_Clients group?

Answer: To enable the application of DirectAccess security settings to DirectAccess computers that are a member of this security group.

Task 2: Configure firewall rules for ICMPv6 traffic

Note: This task is performed to enable subsequent testing of DirectAccess in the lab environment.

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console tree, open Forest: Contoso.com\Domains\contoso.com.

3. In the console tree, right-click Default Domain Policy and then click Edit.

4. In the console tree of the Group Policy Management Editor, open Computer Configuration \Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security \Windows Firewall with Advanced Security.

5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

6. On the Rule Type page, click Custom and then click Next.

7. On the Program page, click Next.

8. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

10. Click Next.

11. On the Scope page, click Next.

12. On the Action page, click Next.

13. On the Profile page, click Next.

14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests and then click Finish.

15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.

16. On the Rule Type page, click Custom and then click Next.

17. On the Program page, click Next.

18. On the Protocols and Ports page, for Protocol type, click ICMPv6 and then click Customize.

19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

20. Click Next.

21. On the Scope page, click Next.

22. On the Action page, click Allow the connection and then click Next.

23. On the Profile page, click Next.

24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests and then click Finish.

25. Close the Group Policy Management Editor and Group Policy Management consoles.

Task 3: Create required DNS records on NYC-DC1

1. Click Start, point to Administrative Tools, and then click DNS.

2. In the console tree of DNS Manager, expand NYC-DC1\Forward Lookup Zones\contoso.com.

3. Right-click contoso.com and then click New Host (A or AAAA).

4. In the Name box, type nls. In the IP address box, type 10.10.0.24. Click Add Host and then click OK.

5. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP address box, type 10.10.0.15 and then click Add Host.

6. In the DNS dialog box informing you that the record was created, click OK.

7. Click Done in the New Host dialog box.

8. Close the DNS Manager console.

Question: What is the purpose of the nls.contoso.com DNS host record that you associated with an internal IP address?

Answer: To enable intranet-based DirectAccess clients to locate the Network Location Server while in the intranet.

Task 4: Remove ISATAP from DNS global query block list

1. Click Start, click All Programs, click Accessories, and then click Command Prompt.

2. In the command prompt window, type the following command and then press ENTER:

dnscmd /config /globalqueryblocklist wpad

3. Close the command prompt window.

Results: At the end of this exercise, you prepared AD DS and DNS to support the deployment of DirectAccess.

Exercise 2: Configure the PKI Environment

Task 1: Configure the CRL distribution settings

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2. In the details pane, right-click ContosoCA and then click Properties.

3. In the ContosoCA Properties dialog box, click the Extensions tab.

4. On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.

5. In Variable, click <CAName> and then click Insert.

6. In Variable, click <CRLNameSuffix> and then click Insert.

7. In Variable, click <DeltaCRLAllowed> and then click Insert.

8. In Location, type .crl at the end of the Location string and then click OK.

9. Select the "Include in CRLs. Clients use this to find Delta CRL locations" check box and the "Include in the CDP extension of issued certificates" check box, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.

10. Click Add.

11. In Location, type \\nyc-Edge1\crldist$\.

12. In Variable, click <CaName> and then click Insert.

13. In Variable, click <CRLNameSuffix> and then click Insert.

14. In Variable, click <DeltaCRLAllowed> and then click Insert.

15. In Location, type .crl at the end of the string and then click OK.

16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.

17. Click Yes to restart Active Directory Certificate Services.

18. Close the Certification Authority console.

Question: What is the purpose of the certificate revocation list?

Answer: To enable DirectAccess clients and servers to determine whether issued certificates (used for authentication) have been revoked.

Task 2: Configure the DNS suffix on Edge1

1. Switch to NYC-Edge1.

2. Click Start, and in the Search box, type Network and Sharing Center and then press ENTER.

3. Click Change adapter settings.

4. Right-click Local Area Connection 2 and then click Properties.

5. Double-click Internet Protocol Version 4 (TCP/IPv4).

6. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click Advanced.

7. On the DNS tab, in the DNS suffix for this connection box, type Contoso.com and then click OK.

8. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, click OK.

9. In the Local Area Connection 2 Properties dialog box, click Close.

10. Close Network Connections.

Task 3: Install the web server role on Edge1

1. On NYC-Edge1, switch to Server Manager.

2. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles and then click Next.

3. On the Select Server Roles page, click Web Server (IIS) and then click Next three times.

4. Click Install.

5. Verify that all installations were successful and then click Close.

6. Leave the Server Manager window open.

Task 4: Create CRL distribution point on NYC-EDGE1

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.

3. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis “…” button.

4. In the Browse for Folder dialog box, click Local Disk (C:) and then click Make New Folder.

5. Type CRLDist and then press ENTER. Click OK in the Browse for Folder dialog box.

6. Click OK in the Add Virtual Directory dialog box.

7. In the middle pane of the console, double-click Directory Browsing and in the details pane, click Enable.

8. In the console tree, click the CRLD folder.

9. In the middle pane of the console, double-click the Configuration Editor icon.

10. Click the down-arrow for the Section drop-down list, and then browse to system.webServer\security\requestFiltering.

11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.

12. In the details pane, click Apply.

13. Close Internet Information Services (IIS) Manager.

Question: Why do you make the CRL available on the DirectAccess server in the perimeter network?

Answer: So that Internet DirectAccess clients can access the CRL.

Task 5: Share and secure the CRL distribution point

Note You perform this step to assign permissions to the CRL distribution point.

1. Click Start and then click Computer.

2. Double-click Local Disk (C:).

3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.

4. In the CRLDist Properties dialog box, click the Sharing tab and then click Advanced Sharing.

5. In the Advanced Sharing dialog box, select Share this folder.

6. In Share name, add a dollar sign ($) to the end so that the share name is CRLDist$.

7. In the Advanced Sharing dialog box, click Permissions.

8. In the Permissions for CRLDist$ dialog box, click Add.

9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

10. In the Object Types dialog box, select Computers and then click OK.

11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1 and then click Check Names. Click OK.

12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control. Click OK.

13. In the Advanced Sharing dialog box, click OK.

14. In the CRLDist Properties dialog box, click the Security tab.

15. On the Security tab, click Edit.

16. In the Permissions for CRLDist dialog box, click Add.

17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

18. In the Object Types dialog box, select Computers. Click OK.

19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, click Check Names, and then click OK.

20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control and then click OK.

21. In the CRLDist Properties dialog box, click Close.

22. Close the Windows Explorer window.

Task 6: Publish the CRL to NYC-EDGE1

Note This step makes the CRL available on the edge server for Internet-based DirectAccess clients.

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Certification Authority.

3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

4. In the Publish CRL dialog box, click New CRL, and then click OK.

5. Click Start, type \\NYC-EDGE1\CRLDist$, and press ENTER.

6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.

7. Close the Windows Explorer window.

8. Close the Certification Authority console.

Task 7: Configure permissions on the web server certificate template

Note Users require the Enroll permission on the certificate.

1. Click Start, type certtmpl.msc, and then press ENTER.

2. In the contents pane, right-click the Web Server template and then click Properties.

3. Click the Security tab and then click Authenticated Users.

4. In the Permissions for Authenticated Users window, click Enroll under Allow and then click OK.

5. Close the Certificate Templates console.

Task 8: Configure computer certificate auto-enrollment

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.

3. In the details pane, right-click Default Domain Policy and then click Edit.

4. In the console tree of the Group Policy Management Editor, open Computer Configuration \Policies\Windows Settings\Security Settings\Public Key Policies.

5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

6. In the Automatic Certificate Request Setup Wizard, click Next.

7. On the Certificate Template page, click Computer, click Next, and then click Finish.

8. Close the Group Policy Management Editor and close the Group Policy Management console.

Question: Why would you use GPO to configure certificate deployment?

Answer: To more quickly and effortlessly deploy the required certificates to DirectAccess client computers.

Results: At the end of this exercise, you will have configured the public key infrastructure in Contoso to support the deployment of DirectAccess.

Exercise 3: Configure the DirectAccess Clients and Test Intranet Access

Task 1: Create a shared folder

Note This step is required to provide some data that both intranet and Internet clients can access.

1. Switch to NYC-SVR1.

2. Click Start and then click Computer.

3. Double-click Local Disk (C:).

4. Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.

5. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

6. In the Untitled – Notepad window, type This is a shared file.

7. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.

8. In File name, type example.txt, and then click Save. Close the Notepad window.

9. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

10. Click Share and then click Done.

11. Close the Local Disk window.

Task 2: Request a certificate for NYC-SVR1

1. Click Start, type cmd, and then press ENTER.

2. At the command prompt, type gpupdate /force and then press ENTER.

3. Close the command prompt.

4. Click Start, type mmc, and then press ENTER.

5. Click File and then click Add/Remove Snap-in.

6. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

7. In the console tree of the Certificates snap-in, open Certificates (Local Computer) \Personal\Certificates.

8. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

9. Click Next twice.

10. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.

11. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.

12. In Value, type nls.contoso.com and then click Add.

13. Click OK, click Enroll, and then click Finish.

14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.contoso.com was enrolled with Intended Purposes of Server Authentication.

15. Close the console window. When you are prompted to save settings, click No.

Task 3: Change the HTTPS bindings

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites and then click Default Web site.

3. In the Actions pane, click Bindings. Click Add.

4. In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the name nls.contoso.com, click OK, and then click Close.

5. Close the Internet Information Services (IIS) Manager console.

Task 4: Install a certificate on the client computer

1. Switch to NYC-CL1.

2. Click Start, type cmd, and then press ENTER.

3. At the command prompt, type gpupdate /force and then press ENTER.

4. Close the command prompt.

5. Click Start, type mmc, and then press ENTER.

6. Click File and then click Add/Remove Snap-in.

7. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

8. In the console tree, expand Certificates (Local Computer)\Personal\Certificates.

9. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

10. Click Next twice.

11. Select Computer, and then click Enroll. Click Finish.

12. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.

13. Close the console window. When you are prompted to save settings, click No.

Question: Why did you install a certificate on the client computer?

Answer: Without a certificate, the client cannot identify and authenticate itself to the DirectAccess server.

Task 5: Test intranet access

1. From the taskbar, click the Internet Explorer icon.

2. In the Address bar, type http://nyc-svr1.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

3. In the Address bar, type https://nls.contoso.com/ and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

4. Leave the Internet Explorer window open.

5. Click Start, type \\NYC-SVR1\Files, and then press ENTER.

6. You should see a folder window with the contents of the Files shared folder.

7. In the Files shared folder window, double-click the example.txt file. You should see the contents of the example.txt file.

8. Close all open windows.

Results: At the end of this exercise, you tested Intranet access.

Exercise 4: Configure the DirectAccess Server

Task 1: Obtain required certificates for NYC-EDGE1

1. Switch to NYC-Edge1.

2. Click Start, type mmc, and then press ENTER.

3. Click File and then click Add/Remove Snap-ins.

4. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

5. In the console tree of the Certificates snap-in, open Certificates (Local Computer) \Personal\Certificates.

6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

7. Click Next twice.

8. On the Request Certificates page, click Web Server and then click More information is required to enroll for this certificate.

9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common name.

10. In the Value box, type nyc-edge1.contoso.com and then click Add.

11. Click OK, click Enroll, and then click Finish.

12. In the details pane of the Certificates snap-in, verify that a new certificate with the name nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.

13. Right-click the certificate and then click Properties.

14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.

15. Close the console window. If you are prompted to save settings, click No.

Task 2: Install DirectAccess feature on NYC-EDGE1

1. Switch to Server Manager.

2. In the main window, under Features Summary, click Add features.

3. On the Select Features page, select DirectAccess Management Console.

4. In the Add Features Wizard window, click Add Required Features.

5. On the Select Features page, click Next.

6. On the Confirm Installation Selections page, click Install.

7. On the Installation Results page, click Close.

Task 3: Run DirectAccess setup wizard on NYC-EDGE1

Note This step configures NYC-EDGE1 as a DirectAccess server.

1. Open a command prompt and type the following command, and then press ENTER:

GPUpdate /force

2. Close the command prompt.

3. Click Start, point to Administrative Tools, and then click DirectAccess Management.

4. In the console tree, click Setup. In the details pane, click Configure for step 1.

5. On the DirectAccess Client Setup page, click Add.

6. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.

7. Click Configure for step 2.

8. On the Connectivity page, for Interface connected to the Internet, select the interface named Public. For Interface connected to the internal network, select the Local Area Connection 2, and then click Next.

Note If you receive a warning that the local area connection network adapter must be connected to a Domain network, close the Direct Access Management console. Open Server Manager and click Configure Network Connections. Disable the Local Area Connection and re-enable it. Restart the Direct Access Management console.

9. On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate and then click OK.

10. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and then click Finish.

11. Click Configure for step 3.

12. On the Location page, click Network Location server is run on a highly available server, type https://nls.contoso.com, click Validate, and then click Next.

13. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6 address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier (::0:5efe:10.10.0.10). Click Next.

14. On the Management page, click Finish.

15. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish.

16. Click Save and then click Finish.

17. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.

Results: At the end of this exercise, you will have successfully configured NYC-EDGE1 as a DirectAccess server.

Exercise 5: Verify DirectAccess Functionality

Task 1: Create DNS records on INET1

Note Typically, you would configure this record on your public facing DNS servers.

1. Switch to INET1.

2. Click Start, point to Administrative Tools, and then click DNS.

3. In the console tree, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).

4. In the Name box, type crl. In IP address, type 131.107.0.2.

5. Click Add Host, click OK, and then click Done.

6. Close the DNS console.

Task 2: Update IPv6 configuration on NYC-SVR1 and NYC-DC1

Note These steps enable the required IPv6 settings to support DirectAccess.

1. Switch to NYC-SVR1.

2. Click Start, click All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type the following command and then press ENTER:

net stop iphlpsvc

4. At the command prompt, type the following command and then press ENTER:

net start iphlpsvc

5. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.24.

ipconfig

6. Close the command prompt window.

7. Switch to NYC-DC1.

8. Click Start, click All Programs, click Accessories, and then click Command Prompt.

9. At the command prompt, type the following command and then press ENTER:

net stop iphlpsvc

10. At the command prompt, type the following command and then press ENTER:

net start iphlpsvc

11. At the command prompt, type the following command and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.10.

ipconfig

12. Close the command prompt window.

Task 3: Update GPO and IPv6 settings on NYC-CL1

1. Switch to NYC-CL1.

2. Restart NYC-CL1 and then log back on as Contoso\Administrator with the password of Pa$$w0rd. This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients security group.

3. Click Start, click All Programs, click Accessories, and then click Command Prompt.

4. At the command prompt, type the following command and then press ENTER:

gpupdate /force

5. At the command prompt, type the following command and then press ENTER:

net stop iphlpsvc

6. At the command prompt, type the following command and then press ENTER:

net start iphlpsvc

7. At the command prompt, type the following command and then press ENTER. Verify that the client has been issued an ISATAP address that ends with 10.10.10.1.

ipconfig

8. At the command prompt, type the following command and then press ENTER:

Gpresult -R

9. Verify that one Direct Access Group Policy object is being applied to the client computer. If the policy is not being applied, run the gpupdate /force command again. If the policy is still not being applied, restart NYC-CL1. After the computer restarts, log on as Administrator and run the Gpresult -R command again.

Task 4: Verify ISATAP connectivity

1. At the command prompt, type the following command and then press ENTER:

Ipconfig /flushdns

2. At the command prompt, type the following command and then press ENTER:

ping 2002:836b:2:1::5efe:10.10.0.10

3. At the command prompt, type the following command and then press ENTER:

ping 2002:836b:2:1::5efe:10.10.0.24

4. At the command prompt, type the following command and then press ENTER:

ping NYC-DC1.contoso.com

5. At the command prompt, type the following command and then press ENTER:

ping NYC-SVR1.contoso.com

6. All these commands should result in a successful response.

Task 5: Move NYC-CL1 to the Internet

Note To verify functionality, you must move the client computer to the Internet.

1. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.

2. Click Network and Sharing Center.

3. Click Change Adapter Settings.

4. Right-click Local Area Connection 3 and then click Properties.

5. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. Fill in the following information, and then click OK.

• IP address: 131.107.0.10

• Subnet mask: 255.255.0.0

• Default gateway: 131.107.0.2

• Preferred DNS server: 131.107.0.1

7. In the Local Area Connection 3 Properties dialog box, click Close.

8. In Network Connections, right-click Local Area Connection 3 and then click Disable.

9. In Network Connections, right-click Local Area Connection 3 and then click Enable.

10. In the Set Network Location dialog box, click Public network and then click Close.

Task 6: Verify connectivity to Internet resources

1. At the command prompt, type the following command and then press ENTER:

ping inet1.isp.example.com

2. From the taskbar, click the Internet Explorer icon.

3. In the Address bar, type http://inet1.isp.example.com/ and then press ENTER. You should see the default IIS 7 Web page for INET1.

Task 7: Verify access to web-based and shared folder resources

1. At the command prompt, type the following command and then press ENTER:

ping NYC-SVR1

2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 web page for NYC-SVR1.

3. Close Internet Explorer.

4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.

5. In the Files shared folder window, double-click the example.txt file.

6. Close the example.txt - Notepad window and the Files shared folder window.

Task 8: Examine NYC-CL1 IPv6 configuration

1. At the command prompt, type the following command and then press ENTER:

ipconfig

2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4 Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4 address that begins with 131.107. Notice that this tunnel interface has a default gateway of 2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6 traffic to EDGE1.
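The address arithmetic described in step 13 of the DirectAccess setup wizard and in the ipconfig output above can be reproduced and reversed in a few lines. This is an added Python example, not part of the lab answer key; the function names are hypothetical, and the addresses are the ones the lab uses.

```python
"""Added example: derive and decode the 6to4 and ISATAP addresses seen in this lab."""
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
# Upper 32 bits of an ISATAP interface identifier: 0000:5efe for a private
# IPv4 address, 0200:5efe when the IPv4 address is globally unique.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def sixtofour_prefix(public_v4):
    """Return the 2002:WWXX:YYZZ::/48 prefix that belongs to a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixtofour_address(public_v4):
    """Return 2002:WWXX:YYZZ::WWXX:YYZZ, the form shown as the tunnel default gateway."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Address(int(sixtofour_prefix(public_v4).network_address) | v4)


def isatap_address(prefix64, private_v4):
    """Combine a /64 prefix with the ISATAP interface identifier 0:5efe:w.x.y.z.

    The lab's intranet hosts use private IPv4 addresses, so the 0000:5efe form applies.
    """
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix, got /%d" % net.prefixlen)
    v4 = int(ipaddress.IPv4Address(private_v4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)


def classify(addr):
    """Report which IPv4 addresses are embedded in an IPv6 address, if any.

    sixtofour_router: public IPv4 address of the 6to4 router that owns the prefix.
    isatap_host:      IPv4 address of the host behind an ISATAP interface identifier.
    """
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    result = {"address": ip.compressed, "sixtofour_router": None, "isatap_host": None}
    if ip in SIXTOFOUR_NET:
        result["sixtofour_router"] = str(ip.sixtofour)
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_IID_PREFIXES:
        result["isatap_host"] = str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    return result


if __name__ == "__main__":
    # Addresses taken from the lab steps.
    edge_public = "131.107.0.2"
    print("6to4 prefix of EDGE1:   ", sixtofour_prefix(edge_public))
    print("6to4 address of EDGE1:  ", sixtofour_address(edge_public))
    print("ISATAP address of DC1:  ", isatap_address("2002:836b:2:1::/64", "10.10.0.10"))
    for sample in ("2002:836b:2:1:0:5efe:10.10.0.10",
                   "2002:836b:2:1::5efe:10.10.0.24",
                   "2002:836b:2::836b:2"):
        print(classify(sample))
```

Running `classify` over addresses collected from ipconfig output or firewall logs shows which public router and which internal host an IPv6 tunnel address maps back to.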

Results: At the end of this exercise, you will have successfully implemented, verified, and tested DirectAccess.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-EDGE1, 6421B-NYC-INET1, and 6421B-NYC-CL1.

Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service 1

Module 6 Lab Answer Key: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service

Contents:

Exercise 1: Installing and Configuring the Network Policy Server Role Service

Exercise 2: Configuring a RADIUS Client

Exercise 3: Configuring Certificate Auto-Enrollment

Exercise 4: Configuring and Testing the VPN

Lab: Configuring and Managing Network Policy Server

Exercise 1: Installing and Configuring the Network Policy Server Role Service

Task 1: Install the Network Policy and Access Services role

1. Switch to NYC-DC1.

2. On the Taskbar, click Server Manager.

3. In the Server Manager navigation pane, click Roles.

4. In the right pane, click Add Roles.

5. In the Add Roles Wizard, click Next.

6. On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.

7. On the Network Policy and Access Services Introduction page, click Next.

8. On the Select Role Services page, select the Network Policy Server check box and then click Next.

9. On the Confirm Installation Selections page, click Install.

10. On the Installation Results page, click Close.

11. Close Server Manager.

Task 2: Register NPS in AD DS

1. Click Start, point to Administrative Tools, and then click Network Policy Server.

2. In the navigation pane, right-click NPS (Local) and then click Register server in Active Directory.

3. In the Network Policy Server message box, click OK.

4. Click OK again in the subsequent Network Policy Server message box.

Task 3: Configure NYC-DC1 as a RADIUS server for VPN connections

1. In the Network Policy Server management tool, in the Getting Started details pane, open the drop-down list under Standard Configuration and then click RADIUS server for Dial-Up or VPN Connections.

2. Under Radius server for Dial-Up or VPN Connections, click Configure VPN or Dial-Up.

3. In the Configure VPN or Dial-Up Wizard, click Virtual Private Network (VPN) Connections, accept the default name, and then click Next.

4. On the RADIUS clients page, click Add.

5. In the New RADIUS Client dialog box, in the Friendly Name box, type NYC-EDGE1 and then click Verify.

6. In the Verify Address dialog box, in the address box, type NYC-EDGE1, click Resolve, and then click OK.

7. In the New RADIUS Client dialog box, in the Shared secret and Confirm shared secret boxes, type Pa$$w0rd and then click OK.

8. On the Specify Dial-Up or VPN Server page, click Next.

9. On the Configure Authentication Methods page, select the Extensible Authentication Protocol and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check boxes and then click Next.

10. On the Specify User Groups page, click Next.

11. On the Specify IP Filters page, click Next.

12. On the Specify Encryption Settings page, clear the Basic encryption and Strong encryption check boxes and then click Next.

13. On the Specify a Realm Name page, click Next.

14. On the Completing New Dial-Up or Virtual Private Network Connections and RADIUS clients page, click Finish.

15. Close the Network Policy Server administrative tool.

Results: At the end of this exercise, you will have configured NYC-DC1 as a RADIUS server by installing and configuring the NPS Server role.

Exercise 2: Configuring a RADIUS Client

Task 1: Install Routing and Remote Access Services on NYC-EDGE1

1. Switch to NYC-EDGE1.

2. On the Taskbar, click Server Manager.

3. In the Server Manager navigation pane, click Roles, and then in the right pane, click Add Roles.

4. On the Before You Begin page, click Next.

5. On the Select Server Roles page, select the Network Policy and Access Services check box and then click Next.

6. On the Network Policy and Access Services page, click Next.

7. On the Select Role Services page, select the Routing and Remote Access Services check box and then click Next.

8. On the Confirm Installation Selections page, click Install.

9. On the Installation Results page, click Close.

10. Close the Server Manager window.

Task 2: Configure NYC-EDGE1 as a VPN Server

1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.

2. In the navigation pane, select NYC-EDGE1 (local).

3. Right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access.

4. In the Routing and Remote Access Server Setup Wizard, on the Welcome page, click Next.

5. On the Configuration page, click Remote Access (dial-up or VPN) and click Next.

6. On the Remote Access page, select the VPN check box and click Next.

7. On the VPN Connection page, select the network interface with the IP address of 131.107.0.2, 131.107.0.3 and then click Next.

8. On the IP Address Assignment page, select From a specified range of addresses and then click Next.

9. On the Address Range Assignment page, click New, and in the Start IP address box, type the value of 10.10.0.60. In the Number of addresses box, type the value of 75 and click OK. Click Next.

10. On the Managing Multiple Remote Access Servers page, select Yes, set up this server to work with a RADIUS server and then click Next.

11. On the RADIUS Server Selection page, in the Primary RADIUS server box, type NYC-DC1

12. In the Shared secret box, type Pa$$w0rd and then click Next.

13. Click Finish.

14. In the Routing and Remote Access dialog box, click OK. The Routing and Remote Access service starts.

Results: At the end of this exercise, you will have configured NYC-EDGE1 as a VPN server.
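
The shared secret typed on NYC-DC1 (Exercise 1, Task 3, step 7) and on NYC-EDGE1 (Exercise 2, Task 2, step 12) is the key both sides use to authenticate RADIUS packets. The following Python example is added here and is not part of the lab materials: it builds an Access-Request carrying the RFC 2869 Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret) and verifies it as the RADIUS server would. The function names, the user and NAS identifier values, and the mistyped secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20                  # Code, Identifier, Length, 16-byte Authenticator


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret: bytes, identifier: int, user: str, nas: str) -> bytes:
    """RADIUS client side (NYC-EDGE1 in the lab): build and sign an Access-Request."""
    attrs = (
        attribute(ATTR_USER_NAME, user.encode())
        + attribute(ATTR_NAS_IDENTIFIER, nas.encode())
        + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while signing
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    unsigned = header + os.urandom(16) + attrs  # random Request Authenticator
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # the Message-Authenticator value is the last 16 bytes


def find_message_authenticator(packet: bytes):
    """Return the offset of the Message-Authenticator value, or None if absent or malformed."""
    if len(packet) < HEADER_LEN:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    offset, found = HEADER_LEN, None
    while offset < length:
        if offset + 2 > length:
            return None
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return None
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or found is not None:
                return None
            found = offset + 2
        offset += attr_len
    return found


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """RADIUS server side (NYC-DC1 in the lab): accept only if the HMAC-MD5 matches."""
    mac_at = find_message_authenticator(packet)
    if mac_at is None:
        return False
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[mac_at:mac_at + 16], expected)


def demo() -> dict:
    lab_secret = b"Pa$$w0rd"   # the value the lab types on both servers
    mistyped = b"Pa$$word"     # constructed: one character differs
    request = build_access_request(lab_secret, 7, "Administrator", "NYC-EDGE1")
    # Constructed tampering: change the first byte of the User-Name value in transit.
    tampered = request[:22] + b"a" + request[23:]
    return {
        "matching_secret": verify_access_request(lab_secret, request),
        "mistyped_secret": verify_access_request(mistyped, request),
        "tampered_packet": verify_access_request(lab_secret, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

RFC 2869 requires a server to silently discard a request whose Message-Authenticator does not verify, so a secret that differs between the two dialog boxes appears on the VPN server as a RADIUS timeout rather than as an explicit rejection.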

Exercise 3: Configuring Certificate Auto-Enrollment

Task 1: Configure automatic enrollment with Group Policy

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Group Policy Management.

3. In the Group Policy Management list pane, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.

4. In the list pane, under Contoso.com, right-click Default Domain Policy and then click Edit.

5. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

6. In the navigation pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

7. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.

8. On the Certificate Template page, accept the default setting of Computer and then click Next.

9. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish.

10. Close the Group Policy Management Editor.

11. Close the Group Policy Management tool.

12. Switch to NYC-CL1.

13. Restart the computer and then log on using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

14. Click Start, type MMC in the Search box, and then press ENTER.

15. In the Console1 window, click File and then click Add/Remove Snap-in.

16. In the Add or Remove Snap-ins box, select Certificates and then click Add.

17. In the Certificates snap-in box, select Computer account and then click Next.

18. In the Select Computer box, select Local computer and then click Finish.

19. Click OK to close the Add or Remove Snap-ins box.

20. In the Console1 window, expand Certificates (Local Computer).

21. Expand Personal, and then click Certificates. Notice that NYC-CL1.Contoso.com is displayed. You now can use this certificate as an authentication mechanism.

Results: At the end of this exercise, you will have configured the appropriate certificate settings for your VPN solution.

Exercise 4: Configuring and Testing the VPN

Task 1: Reconfigure the NYC-CL1 computer onto the public network

1. Click Start and then click Control Panel.

2. In Control Panel, under Network and Internet, click View network status and tasks.

3. In the Network and Sharing Center window, click Change adapter settings.

4. Right-click Local Area Connection 3 and then click Properties.

5. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

6. Configure the following IP address settings and then click OK:

• IP Address: 131.107.0.20

• Subnet mask: 255.255.255.0

• Default gateway: 131.107.0.1

7. Click Close and then click the Back button to return to the Network and Sharing Center.

Task 2: Create and test a VPN connection

1. In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network. In the Choose a connection option dialog box, click Connect to a workplace and then click Next.

2. In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option. When prompted, select I’ll set up an Internet connection later.

3. In the Type the Internet address to connect to dialog box, specify an Internet address of 131.107.0.2 and a Destination Name of Contoso VPN, and then click Next.

4. On the Type your user name and password page, leave the user name and password blank and then click Create.

5. Click Close in the Connect to a Workplace dialog box.

6. In the Network and Sharing Center window, click Change adapter settings.

7. On the Network Connections page, right-click Contoso VPN and then click Properties.

8. In the Contoso VPN Properties dialog box, click the Security tab.

9. In the Type of VPN list, click Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).

10. In the Data encryption list, click Maximum strength encryption (disconnect if server declines) and then click OK.

11. On the Network Connections page, right-click Contoso VPN and then click Connect.

12. Use the following information in the Connect Contoso VPN text boxes and then click Connect:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

The VPN connects successfully.

13. Right-click Contoso VPN and click Disconnect. The VPN disconnects.

14. Close all open windows on NYC-CL1. Do not save Console 1.

Results: At the end of this exercise, you will have verified the VPN solution.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Module 7 Lab Answer Key: Implementing Network Access Protection

Contents:

Exercise 1: Configuring NAP Components

Exercise 2: Configuring Client Settings to Support NAP

Lab: Implementing NAP into a VPN Remote Access Solution

Exercise 1: Configuring NAP Components

Task 1: Configure a Computer Certificate

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2. In the certsrv management console, expand ContosoCA, right-click Certificate Templates, and then select Manage from the context menu.

3. In the Certificate Templates Console details pane, right-click Computer and then choose Properties from the context menu.

4. Click on the Security tab in the Computer Properties dialog box and then select Authenticated Users.

5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission and then click OK.

6. Close the Certificate Templates Console and then close the certsrv management console.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server

1. Switch to the NYC-EDGE1 computer.

2. Obtain the computer certificate and install on NYC-EDGE1 for server-side PEAP authentication:

a. Click Start, click Run, type mmc, and then press ENTER.

b. On the File menu, click Add/Remove Snap-in.

c. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.

d. Click OK to close the Add or Remove Snap-ins dialog box.

e. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.

f. The Certificate Enrollment dialog box opens. Click Next.

g. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.

h. Select the Computer check box and then click Enroll.

i. Verify the status of certificate installation as Succeeded and then click Finish.

j. Close the Console1 window.

k. Click No when prompted to save console settings.

3. Install the NPS Server role:

a. On NYC-EDGE1, switch to Server Manager.

b. Click Roles, and then under Roles Summary, click Add Roles and then click Next.

c. Select the Network Policy and Access Services check box and then click Next twice.

d. Select the Network Policy Server and Remote Access Service check boxes, click Next, and then click Install.

e. Verify that the installation was successful and then click Close.

f. Close the Server Manager window.

4. Configure NPS as a NAP health policy server:

a. Click Start, point to Administrative Tools, and then click Network Policy Server.

b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

c. In the right pane under Name, double-click Default Configuration.

d. On the Windows 7/Windows Vista selection, clear all check boxes except the A firewall is enabled for all network connections check box.

e. Click OK to close the Windows Security Health Validator dialog box.

5. Configure health policies:

a. Expand Policies.

b. Right-click Health Policies and then click New.

c. In the Create New Health Policy dialog box, under Policy name, type Compliant.

d. Under Client SHV checks, verify that Client passes all SHV checks is selected.

e. Under SHVs used in this health policy, select the Windows Security Health Validator check box.

f. Click OK.

g. Right-click Health Policies and then click New.

h. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.

i. Under Client SHV checks, select Client fails one or more SHV checks.

j. Under SHVs used in this health policy, select the Windows Security Health Validator check box.

k. Click OK.

6. Configure network policies for compliant computers:

a. Ensure that Policies is expanded.

b. Click Network Policies.

c. Disable the two default policies found under Policy Name by right-clicking the policies and then clicking Disable.

d. Right-click Network Policies and then click New.

e. In the Specify Network Policy Name And Connection Type window, under Policy name, type Compliant-Full-Access and then click Next.

f. In the Specify Conditions window, click Add.

g. In the Select condition dialog box, double-click Health Policies.

h. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.

i. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant and then click Next.

j. In the Specify Access Permission window, verify that Access granted is selected.

k. Click Next three times.

l. In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected and then click Next.

m. In the Completing New Network Policy window, click Finish.

7. Configure network policies for noncompliant computers:

a. Right-click Network Policies and then click New.

b. In the Specify Network Policy Name And Connection Type window, under Policy name, type Noncompliant-Restricted and then click Next.

c. In the Specify Conditions window, click Add.

d. In the Select condition dialog box, double-click Health Policies.

e. In the Health Policies dialog box, under Health policies, select Noncompliant and then click OK.

f. In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant and then click Next.

g. In the Specify Access Permission window, verify that Access granted is selected.

Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients that match these conditions.

h. Click Next three times.

i. In the Configure Settings window, click NAP Enforcement. Select Allow limited access and remove the check box next to Enable auto-remediation of client computers.

j. In the Configure Settings window, click IP Filters.

k. Under IPv4, click Input Filters and then click New.

l. In the Add IP Filter dialog box, select Destination network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask. This step ensures that traffic from noncompliant clients can reach only NYC-DC1.

m. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Inbound Filters dialog box.

n. Click OK to close the Inbound Filters dialog box.

o. Under IPv4, click Output Filters and then click New.

p. In the Add IP Filter dialog box, select Source network. Type 10.10.0.10 next to IP address and then type 255.255.255.255 next to Subnet mask.

q. Click OK to close the Add IP Filter dialog box and then select Permit only the packets listed below in the Outbound Filters dialog box. This step ensures that only traffic from NYC-DC1 can be sent to noncompliant clients.

r. Click OK to close the Outbound Filters dialog box.

s. In the Configure Settings window, click Next.

t. In the Completing New Network Policy window, click Finish.

8. Configure connection request policies:

a. Click Connection Request Policies.

b. Disable the default Connection Request policy that is found under Policy Name by right-clicking the policy and then clicking Disable.

c. Right-click Connection Request Policies and then click New.

d. In the Specify Connection Request Policy Name And Connection Type window, under Policy name, type VPN connections.

e. Under Type of network access server, select Remote Access Server (VPN-Dial up) and then click Next.

f. In the Specify Conditions window, click Add.

g. In the Select Condition window, double-click Tunnel Type, select PPTP, SSTP, and L2TP. Click OK and then click Next.

h. In the Specify Connection Request Forwarding window, verify that Authenticate requests on this server is selected and then click Next.

i. In the Specify Authentication Methods window, select Override network policy authentication settings.

j. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP) and then click OK.

k. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2) and then click OK.

l. Under EAP Types, click Microsoft: Protected EAP (PEAP) and then click Edit.

m. Verify that Enforce Network Access Protection is selected and then click OK.

n. Click Next twice and then click Finish.

9. Close the Network Policy Server console.

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) that is configured as a VPN server

1. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.

2. In the Routing and Remote Access console, right-click NYC-EDGE1 (local) and then click Configure and Enable Routing and Remote Access. This starts the Routing and Remote Access Server Setup Wizard.

3. Click Next, select Remote access (dial-up or VPN), and then click Next.

4. Select the VPN check box and then click Next.

5. Click the network interface called Public. Clear the Enable security on the selected interface by setting up static packet filters check box and then click Next. This ensures that NYC-EDGE1 will be able to ping NYC-DC1 when it is attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.

6. On the IP Address Assignment page, select From a specified range of addresses and then click Next.

7. On the Address Range Assignment page, click New. Type 10.10.0.100 next to Start IP address and 10.10.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients and then click Next.

8. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is already selected and then click Next.

9. Click Finish.

10. Click OK twice and wait for the Routing and Remote Access Service to start.

11. In the Network Policy Server, click the Connection Request Policies node and disable the Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.

12. Click Connection Request Policies, and in the results pane, right-click the Microsoft Routing and Remote Access Service Policy and then click Disable.

13. Close the Network Policy Server management console.

14. Close Routing and Remote Access.

Task 4: Allow ping on NYC-EDGE1

1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2. Click on Inbound Rules, right-click Inbound Rules, and then click New Rule.

3. Select Custom and then click Next.

4. Select All programs and then click Next.

5. Next to Protocol type, select ICMPv4 and then click Customize.

6. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.

7. Click Next to accept the default scope.

8. In the Action window, verify that Allow the connection is selected and then click Next.

9. Click Next to accept the default profile.

10. In the Name window, under Name, type ICMPv4 echo request and then click Finish.

11. Close the Windows Firewall with Advanced Security console.

Results: At the end of this exercise, you will have configured and enabled a VPN-enforced NAP scheme.

Exercise 2: Configuring Client Settings to Support NAP

Task 1: Configure Security Center

1. Switch to the NYC-CL1 computer.

2. Configure NYC-CL1 so that Security Center is always enabled:

a. Click Start, point to All Programs, click Accessories, and then click Run.

b. Type gpedit.msc and then press ENTER.

c. In the console tree, click Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center.

d. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

e. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement

1. Enable the remote-access, quarantine-enforcement client:

a. Click Start, click All Programs, click Accessories, and then click Run.

b. Type napclcfg.msc and then press ENTER.

c. In the console tree, click Enforcement Clients.

d. In the details pane, right-click EAP Quarantine Enforcement Client and then click Enable.

e. Close the NAP Client Configuration window.

2. Enable and start the NAP agent service:

a. Click Start, click Control Panel, click System and Security, and then click Administrative Tools.

b. Double-click Services.

c. In the Services list, double-click Network Access Protection Agent.

d. In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic and then click Start.

e. Wait for the NAP Agent service to start and then click OK.

f. Close the Services console and then close the Administrative Tools and System and Security windows.

Task 3: Move the client to the Internet

1. Configure NYC-CL1 for the Internet network segment:

a. Click Start, click Control Panel, and then click Network and Internet.

b. Click Network and Sharing Center.

c. Click Change adapter settings.

d. Right-click Local Area Connection 3 and then click Properties.

e. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

f. Click Use the following IP address. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.0.0. Do not configure the Default gateway.

g. Click Use the following DNS server addresses.

h. Click OK and then click Close to close the Local Area Connection 3 Properties dialog box.

i. Close the Network Connections window.

2. Verify network connectivity for NYC-CL1:

a. Click Start, click All Programs, click Accessories, and then click Run.

b. Type cmd and then press ENTER.

c. At the command prompt, type ping 131.107.0.2 and press ENTER.

d. Verify that the response reads “Reply from 131.107.0.2”.

e. Close the command window.

Task 4: Create a VPN on NYC-CL1

1. Configure a VPN connection:

a. Click Start, click Control Panel, and then click Network and Internet.

b. Click Network and Sharing Center.

c. Click Set up a new connection or network.

d. On the Choose a connection option page, click Connect to a workplace and then click Next.

e. On the How do you want to connect page, click Use my Internet connection (VPN).

f. Click I’ll set up an Internet connection later.

g. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN. Select the Allow other people to use this connection check box and then click Next.

h. On the Type your user name and password page, type administrator next to User name and type Pa$$w0rd next to Password. Select the Remember this password check box, type Contoso next to Domain (optional), and then click Create.

i. On The connection is ready to use page, click Close.

j. In the Network And Sharing Center window, click Change adapter settings.

k. Right-click the Contoso VPN connection, click Properties, and then click the Security tab.

l. Under Authentication, click Use Extensible Authentication Protocol (EAP).

m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.

n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box.

o. Click OK twice to accept these settings.

2. Test the VPN connection:

a. In the Network Connections window, right-click the Contoso VPN connection and then click Connect.

b. In the Connect Contoso VPN window, click Connect.

c. You are presented with a Windows Security Alert window the first time that this VPN connection is used. Click Details and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.

d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.

e. Click Start, click All Programs, click Accessories, and then click Command Prompt.

f. Type ipconfig /all and view the IP configuration. System Quarantine State should be Not Restricted.

g. In the Command window, type ping 10.10.0.10 and then press ENTER. This should be successful. The client now meets the requirement for VPN full connectivity.

h. Disconnect from the Contoso VPN.

3. Configure Windows Security Health Validator to require an antivirus application:

a. On NYC-EDGE1, open Network Policy Server.

b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

c. In the right pane under Name, double-click Default Configuration.

d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box and then click OK.

4. Verify that the client is placed on the restricted network:

a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN and then click Connect.

b. Click Connect.

c. Wait for the VPN connection to be made. Verify that a message appears in the Action Center stating that the computer does not meet security standards.

d. Click Start, click All Programs, click Accessories, and then click Command Prompt.

e. Type ipconfig /all and view the IP configuration. System Quarantine State should be Restricted.

The client does not meet the requirements for the network, and therefore is placed on the restricted network.

f. Disconnect the Contoso VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.
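
The two VPN tests above give different results for the same client because only the Windows Security Health Validator settings changed between them. The following Python model is added here and is not NPS code or part of the lab materials: it reproduces the lab's health policies, network policies and IP filters to show why the client moves from Not Restricted to Restricted. The class and function names, the client address 10.10.0.100 (taken from the lab's VPN pool) and the second intranet host 10.10.0.11 are assumptions of the example, as is the handling of a client that sends no statement of health.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HealthPolicy:
    name: str
    passes_all: bool  # True: "Client passes all SHV checks"; False: "fails one or more"

    def matches(self, required: List[str], soh: Optional[Dict[str, bool]]) -> bool:
        if soh is None:  # model assumption: no statement of health, no health-policy match
            return False
        healthy = all(soh.get(check, False) for check in required)
        return healthy if self.passes_all else not healthy


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    health_policy: HealthPolicy
    full_access: bool                       # NAP Enforcement: full or limited access
    permitted_host: Optional[str] = None    # the only host the IP filters allow
    permitted_mask: str = "255.255.255.255"


COMPLIANT = HealthPolicy("Compliant", passes_all=True)
NONCOMPLIANT = HealthPolicy("Noncompliant", passes_all=False)

# Both policies use "Access granted"; the restriction comes from NAP Enforcement
# and the IP filters, not from the access permission.
LAB_POLICIES = [
    NetworkPolicy("Compliant-Full-Access", COMPLIANT, full_access=True),
    NetworkPolicy("Noncompliant-Restricted", NONCOMPLIANT, full_access=False,
                  permitted_host="10.10.0.10"),
]


def select_policy(required, soh, policies=LAB_POLICIES):
    """Return the first network policy whose health-policy condition matches."""
    for policy in policies:
        if policy.health_policy.matches(required, soh):
            return policy
    return None  # no policy matched: the connection request is rejected


def access_outcome(policy) -> str:
    """'Not Restricted' / 'Restricted' are the states the lab reads from ipconfig /all;
    'Rejected' is this model's label for a request that matched no policy."""
    if policy is None:
        return "Rejected"
    return "Not Restricted" if policy.full_access else "Restricted"


def packet_allowed(policy, client_ip: str, src: str, dst: str) -> bool:
    """Apply the policy's filters to one packet on the client's VPN connection."""
    if policy is None:
        return False
    if policy.full_access:
        return True
    allowed = ipaddress.ip_network(f"{policy.permitted_host}/{policy.permitted_mask}")
    if src == client_ip:   # input filter: destination must be the permitted host
        return ipaddress.ip_address(dst) in allowed
    if dst == client_ip:   # output filter: source must be the permitted host
        return ipaddress.ip_address(src) in allowed
    return False


if __name__ == "__main__":
    client = "10.10.0.100"
    soh = {"firewall": True, "antivirus": False}   # NYC-CL1 as tested in the lab
    for required in (["firewall"], ["firewall", "antivirus"]):
        policy = select_policy(required, soh)
        print(required, policy.name, access_outcome(policy),
              packet_allowed(policy, client, client, "10.10.0.11"))
```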

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-EDGE1 and 6421B-NYC-CL1.

Module 8 Lab Answer Key: Increasing Security for Windows Servers

Contents:

Exercise 1: Deploying a Windows Firewall Rule

Exercise 2: Implementing WSUS

Lab: Increasing Security for Windows Servers

Exercise 1: Deploying a Windows Firewall Rule

Task 1: Create a Group Policy object with a firewall rule

1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, and click Contoso.com.

3. Right-click Contoso.com and click Create a GPO in this domain, and Link it here.

4. In the New GPO window, in the Name box, type Firewall and click OK.

5. On the Linked Group Policy Objects tab, right-click Firewall and click Edit.

6. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and click Inbound Rules.

7. Right-click Inbound Rules and click New Rule.

8. In the New Inbound Rule Wizard window, click Port and click Next.

9. On the Protocol and Ports page, click TCP and click Specific local ports.

10. In the Specific local ports box, type 10005 and then click Next.

11. On the Action page, confirm that Allow the connection is selected and click Next.

12. On the Profile page, clear the Private and Public check boxes and then click Next.

13. On the Name page, in the Name box, type Monitoring and then click Finish.

Task 2: Apply Group Policy settings to NYC-SVR1

1. On NYC-SVR1, open a command prompt.

2. At the command prompt, type gpupdate /force and then press ENTER.

3. Close the command window on NYC-SVR1.

Task 3: Test access to the monitoring client

1. On NYC-DC1, click Start, point to All Programs, and click Internet Explorer.

2. In the Internet Explorer address bar, type http://nyc-svr1.contoso.com/status.xml and press ENTER.

Results: After this exercise, you should have created a Windows Firewall rule that allows communication to port 10005.

Exercise 2: Implementing WSUS

Task 1: Create a GPO for configuring WSUS clients

1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2. In the Group Policy Management window, right-click Contoso.com and click Create a GPO in this domain, and Link it here.

3. In the New GPO window, in the Name box, type WSUS and click OK.

4. On the Linked Group Policy Objects tab, right-click WSUS and click Edit.

5. In the Group Policy Management Editor window, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

6. In the details pane, double-click Configure Automatic Updates.

7. In the Configure Automatic Updates dialog box, click Enabled.

8. In the Configure automatic updating drop-down list, click 4 - Auto download and schedule the install and then click Next Setting.

9. On the Specify intranet Microsoft update service location page, select Enabled.

10. Under Set the intranet update service for detecting updates and under Set the intranet statistics server, type http://NYC-SVR1 in the text boxes and then click Next Setting.

11. On the Automatic Updates detection frequency page, click Enabled and then click OK.

12. Close the Group Policy Management Editor and the Group Policy Management Console.

13. Click Start, type cmd, and press ENTER.

14. At the command prompt, type gpupdate /force and press ENTER.

15. At the command prompt, type wuauclt /detectnow and press ENTER.

16. Close the command prompt.
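
After gpupdate, the WSUS GPO settings from this task are stored as registry policy values on the client, which gives a way to confirm that the policy applied as intended. The following Python example is added here and is not part of the lab materials: it parses the text output of reg query for the Windows Update policy key and checks it against the values chosen in steps 7 to 11. The reg query output is a constructed sample, and the function names are hypothetical; the registry value names are the ones the Windows Update policy settings write.

```python
import re
from urllib.parse import urlparse

# Constructed sample of: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://NYC-SVR1
    WUStatusServer    REG_SZ    http://NYC-SVR1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    UseWUServer    REG_DWORD    0x1
    DetectionFrequencyEnabled    REG_DWORD    0x1
    DetectionFrequency    REG_DWORD    0x16
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text: str) -> dict:
    """Collect value names and data from reg query output; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # key path lines and blank lines
        name, kind, data = match.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values


def _norm(url: str) -> str:
    return url.lower().rstrip("/")


def check_wsus_policy(values: dict, expected_server: str = "http://NYC-SVR1",
                      expected_option: int = 4) -> dict:
    """Compare applied policy with the lab's settings. Errors mean the GPO did not
    apply as configured; notes are observations about the configuration itself."""
    errors, notes = [], []
    if values.get("UseWUServer") != 1:
        errors.append("UseWUServer is not 1, so the WUServer value is not honoured")
    if values.get("NoAutoUpdate", 0) != 0:
        errors.append("NoAutoUpdate is set, so Automatic Updates is disabled")
    if values.get("AUOptions") != expected_option:
        errors.append(f"AUOptions is {values.get('AUOptions')}, expected {expected_option}")
    server = values.get("WUServer", "")
    if _norm(server) != _norm(expected_server):
        errors.append(f"WUServer is {server!r}, expected {expected_server!r}")
    if _norm(values.get("WUStatusServer", "")) != _norm(server):
        errors.append("WUStatusServer differs from WUServer")
    if values.get("DetectionFrequencyEnabled") != 1:
        errors.append("Automatic Updates detection frequency policy is not enabled")
    if urlparse(server).scheme.lower() == "http":
        notes.append("WUServer uses plain HTTP; Microsoft's WSUS guidance "
                     "recommends SSL outside a lab")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    print(check_wsus_policy(parse_reg_query(SAMPLE_REG_QUERY)))
```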

Task 2: Review the configuration settings for a WSUS server

1. On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Update Services.

2. In the Update Services window, in the left pane, click Options.

3. Read the list of options available for configuration.

Task 3: Create a computer group for servers

1. On NYC-SVR1, in the Update Services window, in the left pane, expand Computers, expand All Computers, and click All Computers.

2. In the Actions pane, click Add Computer Group.

3. In the Add Computer Group window, in the Name box, type HO Servers and click Add.

4. Click the Unassigned Computers computer group.

5. In the center pane, in the Status box, select Any and then click Refresh.

6. Right-click NYC-DC1.contoso.com, and click Change Membership.

7. In the Set Computer Group Membership box, select the HO Servers check box and click OK.

Task 4: View the update report for NYC-DC1

1. On NYC-SVR1, in the Update Services window, click the HO Servers computer group.

2. In the center pane, in the Status box, select Any and then click Refresh.

3. Right-click nyc-dc1.contoso.com and click Status Report.

4. Read the Status Summary for nyc-dc1.contoso.com. Notice that four updates have not been installed.

5. At the top of the report, beside Include updates that have a status of, click Any.

6. In the Choose Update Status window, clear all check boxes except Needed and then click OK.

7. In the top menu, click Run Report.

8. Click the right arrow to view the second page of the report.

9. Read the list of updates that are needed. Notice that they are not approved.

10. Leave this report open for the next task.

Task 5: Approve an update for the HO Servers computer group

1. On NYC-SVR1, in the Computers Report for NYC-SVR1, for the first update listed, click Not approved.

2. In the Approve Updates window, click the down arrow to the left of HO Servers and click Approved for Install.

3. Read the warning message at the bottom of the window. This file is not downloaded due to the configuration of the lab environment.

4. Click OK.

5. In the Approval Progress window, read the actions that were performed and then click Close.

6. Close all open windows.

Note: Notice that a message appears stating that the update is approved, but must be downloaded to complete. This is due to the configuration of the lab environment.

Results: After this exercise, you should have approved an update for NYC-DC1.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1.

Module 9 Lab Answer Key: Increasing Security for Network Communication

Contents:

Exercise 1: Selecting a Network Security Configuration

Exercise 2: Configuring IPsec to Authenticate Computers

Exercise 3: Testing IPsec Authentication

Lab: Increasing Security for Network Communication

Exercise 1: Selecting a Network Security Configuration

Task 1: Read the Research application security document

• Read the Research application security document located in task 2 in the main module document.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the Research application security document.

Research application security

Document Reference Number: GW1605/1

Document Author: Charlotte Weiss

Date: 16th May

Requirements Overview

Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. To improve security, you must:

1. Create a connection security rule that authenticates the computers in the Research department.

2. Create a firewall rule that ensures only authenticated computers from the Research department can access the application.

Additional Information

1. The application exists on NYC-SVR1.

2. The application is not configured to use SSL.

3. NYC-SVR1 and NYC-CL1, both computers in the Research department, are stored in the AD DS Computers container.

Proposals

1. How will you accomplish requirement 1?

Answer:

• Configure a Connection Security Rule that requires Kerberos authentication for connections to TCP port 80 (web server).

• Restrict authentication to specific users and computers.

2. How will you accomplish requirement 2?

Answer: Create a firewall rule that enables communication over port 80 if authenticated.

3. Are there any additional tasks that you must perform?

Answer:

• Create a GPO that is linked to the Research OU.

• Configure the Connection Security rule and Firewall Rule as part of this policy.

• Move both NYC-SVR1 and NYC-CL1 to the Research OU.

• Refresh the GPO on the client computers from NYC-DC1.

Task 3: Examine the suggested proposals in the Lab Answer Key

• Compare your solution to the proposed solution in the Research application security document in the Lab Answer Key. Be prepared to discuss your solution with the class.

Results: At the end of this exercise, you will have selected a suitable IPsec configuration to support the needs of the Research department.

Exercise 2: Configuring IPsec to Authenticate Computers

Task 1: Move the NYC-SVR1 and NYC-CL1 computers into the Research OU

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In Active Directory Users and Computers, expand Contoso.com and then click Computers.

4. Right-click NYC-CL1 and then click Move.

5. In the Move dialog box, click Research and then click OK.

6. Right-click NYC-SVR1 and then click Move.

7. In the Move dialog box, click Research and then click OK.

8. In the navigation pane, click Research.

Task 2: Create a GPO and link to the Research OU

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Research.

3. Right-click Research and then click Create a GPO in this domain, and link it here.

4. In the New GPO dialog box, in the Name box, type Research Department Application Security Policy and then click OK.

Task 3: Create the required connection security rule

1. In Group Policy Management, expand Research.

2. Right-click Research Department Application Security Policy and then click Edit.

3. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security – LDAP://CN={GUID}, and then click Connection Security Rules.

4. Right-click Connection Security Rules and then click New Rule.

5. In the New Connection Security Rule Wizard, on the Rule Type page, click Custom and then click Next.

6. On the Endpoints page, click Next.

7. On the Requirements page, click Require authentication for inbound connections and request authentication for outbound connections and then click Next.

8. On the Authentication Method page, click Computer and user (Kerberos V5) and then click Next.

9. On the Protocol and Ports page, in the Protocol type list, click TCP.

10. In the Endpoint 1 port list, click Specific Ports and in the text box, type 80 and then click Next.

11. On the Profile page, clear the Private and Public check boxes and then click Next.

12. On the Name page, in the Name box, type Research Department Application Security rule and then click Finish.

Task 4: Create the firewall rule

1. In Group Policy Management Editor, click Inbound Rules.

2. Right-click Inbound Rules and then click New Rule.

3. In the New Inbound Rule Wizard, on the Rule Type page, click Custom and then click Next.

4. On the Program page, click Next.

5. On the Protocol and Ports page, in the Protocol type list, click TCP.

6. In the Local port list, click Specific Ports and in the text box, type 80 and then click Next.

7. On the Scope page, click Next.

8. On the Action page, click Allow the connection if it is secure and then click Customize. Ensure that Allow the connection if it is authenticated and integrity-protected is selected and click OK.

9. Click Next.

10. On the Users page, click Next.

11. On the Computers page, select Only allow connections from these computers and then click Add.

12. In the Select Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type NYC-CL1; NYC-SVR1, click Check Names, click OK, and then click Next.

13. On the Profile page, clear the Private and Public check boxes and then click Next.

14. On the Name page, in the Name box, type Research Department Application Firewall rule and then click Finish.

Task 5: Refresh the Group Policy on client computers

1. Switch to NYC-CL1.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. In the command prompt, type the following command and then press ENTER:

Gpupdate /force

4. In the command prompt, type the following command and then press ENTER:

Shutdown /r

5. Switch to NYC-SVR1.

6. Click Start, and in the Search box, type cmd.exe and press ENTER.

7. In the command prompt, type the following command and then press ENTER:

Gpupdate /force

8. In the command prompt, type the following command and then press ENTER:

Shutdown /r

Results: At the end of this exercise, you will have successfully configured the connection security rule and firewall rule that are required to secure the Research department application.
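
The connection security rule from Task 3 and the inbound rule from Task 4 can also be written as netsh advfirewall commands. The script below is an added example, not part of the lab answer key; its function names are hypothetical, and it assumes the rules are written to the local policy store of the computer it runs on rather than to the Research Department Application Security Policy GPO, and that the NetBIOS domain name is CONTOSO.

```powershell
# Added example (not from the lab answer key). Without -Apply the commands are
# only printed for review; with -Apply (elevated session) they are executed.

function Resolve-ComputerSid {
    # Translates a domain computer account (name plus trailing $) to its SID.
    param([string]$Domain, [string]$Computer)
    $account = New-Object System.Security.Principal.NTAccount($Domain, "$Computer`$")
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-RemoteComputerSddl {
    # rmtcomputergrp takes an SDDL string with one allow ACE per computer SID.
    param([string[]]$Sid)
    'D:' + (($Sid | ForEach-Object { "(A;;CC;;;$_)" }) -join '')
}

function Get-ResearchRuleCommands {
    # Returns two netsh argument lists that mirror the wizard choices.
    param([string]$RemoteComputerSddl)
    $consec = @('advfirewall', 'consec', 'add', 'rule',
        'name=Research Department Application Security rule',
        'endpoint1=any', 'endpoint2=any',          # Endpoints page left at defaults
        'action=requireinrequestout',              # require inbound, request outbound
        'auth1=computerkerb', 'auth2=userkerb',    # Computer and user (Kerberos V5)
        'protocol=tcp', 'port1=80', 'port2=any',   # Endpoint 1 port 80
        'profile=domain')                          # Private and Public cleared
    $inbound = @('advfirewall', 'firewall', 'add', 'rule',
        'name=Research Department Application Firewall rule',
        'dir=in', 'protocol=tcp', 'localport=80',
        'action=allow', 'security=authenticate',   # authenticated and integrity-protected
        "rmtcomputergrp=$RemoteComputerSddl",      # only NYC-CL1 and NYC-SVR1
        'profile=domain')
    return ,@($consec, $inbound)
}

function Invoke-ResearchRules {
    param([switch]$Apply)
    try {
        $sids = 'NYC-CL1', 'NYC-SVR1' |
            ForEach-Object { Resolve-ComputerSid 'CONTOSO' $_ }
    } catch {
        if ($Apply) { throw }   # never create a rule from placeholder SIDs
        # Constructed placeholder SIDs so the preview still prints off-domain.
        $sids = 'S-1-5-21-1111111111-2222222222-3333333333-1104',
                'S-1-5-21-1111111111-2222222222-3333333333-1105'
    }
    $sddl = ConvertTo-RemoteComputerSddl -Sid $sids
    foreach ($cmd in (Get-ResearchRuleCommands -RemoteComputerSddl $sddl)) {
        # Quote arguments that contain spaces so the printed line can be pasted.
        $shown = $cmd | ForEach-Object {
            if ($_ -match '\s') { '"' + $_ + '"' } else { $_ }
        }
        Write-Output ('netsh ' + ($shown -join ' '))
        if ($Apply) { & netsh $cmd }
    }
    if ($Apply) {
        & netsh advfirewall consec show rule 'name=Research Department Application Security rule'
    }
}

Invoke-ResearchRules    # add -Apply in an elevated session to create the rules
```

Once traffic to port 80 has flowed, the resulting security associations can be listed from the same prompt with netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa.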

Exercise 3: Testing IPsec Authentication

Task 1: Attempt to connect to the web server on NYC-SVR1

1. Switch to NYC-CL1.

2. Log on using the following information:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

3. On the Taskbar, click Internet Explorer.

4. In the Address bar, type http://nyc-svr1 and press ENTER.

The default IIS 7 webpage displays.

Task 2: Verify settings with Windows Firewall with Advanced Security

1. Click Start, and in the Search box, type Windows Firewall with Advanced Security and press ENTER.

2. In Windows Firewall with Advanced Security, in the navigation pane, expand Monitoring, expand Security Associations, and then click Main Mode.

3. In the right pane, double-click the item listed.

4. What is the First authentication method?

Answer: Computer (Kerberos V5)

5. Click OK.

6. Expand Quick Mode.

7. In the right pane, double-click the item listed.

8. What is the Remote port?

Answer: TCP 80

9. Click OK.

Task 3: Verify settings with IP Security Monitor

1. Click Start, and in the Search box, type mmc.exe and then press ENTER.

2. In the Console1 – [Console Root] window, click File and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, in the Snap-in list, click IP Security Monitor, click Add, and then click OK.

4. Expand IP Security Monitor, expand NYC-CL1, expand Main Mode, and then click Security Associations.

5. In the right pane, double-click the item listed.

6. What is the encryption method?

Answer: None. No encryption was required, merely authentication.

7. Close all open windows. Do not save changes to Console1.

Results: At the end of this exercise, you will have verified IPsec settings.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Module 10 Lab Answer Key: Configuring and Troubleshooting Network File and Print Services

Contents:

Exercise 1: Creating and Configuring a File Share

Exercise 2: Encrypting and Recovering Files

Exercise 3: Creating and Configuring a Printer Pool

Lab: Configuring and Troubleshooting Network File and Print Services

Exercise 1: Creating and Configuring a File Share

Task 1: Create the folder structure for the share

1. On NYC-DC1, click Start and click Computer.

2. In Windows Explorer, double-click Local Disk (C:) and click New folder on the top menu bar.

3. Type Share and press ENTER to rename the folder.

4. Double-click Share and click New folder.

5. Type Marketing and press ENTER to rename the folder.

6. Click New folder.

7. Type Production and press ENTER to rename the folder.

Task 2: Configure NTFS permissions on the folder structure

1. On NYC-DC1, in Windows Explorer, browse to C:\.

2. Right-click Share and click Properties.

3. In the Share Properties window, click the Security tab. Notice that Users have read access to the Share folder.

4. Click Cancel.

5. In Windows Explorer, double-click Share.

6. Right-click Marketing and click Properties.

7. In the Marketing Properties window, on the Security tab, click Advanced.

8. In the Advanced Security Settings For Marketing window, click Change Permissions.

9. Clear the Include inheritable permissions from this object’s parent check box.

10. In the Windows security window, click Add.

11. Use Ctrl+click to select both entries for Users and then click Remove.

12. Click OK twice to close both Advanced Security Settings For Marketing windows.

13. In the Marketing Properties window, click Edit.

14. In the Permissions For Marketing window, click Add, type Marketing, and click OK.

15. With Marketing selected, click the Allow Modify permission and click OK.

16. In the Marketing Properties window, click OK.

17. Right-click Production and click Properties.

18. In the Production Properties window, on the Security tab, click Advanced.

19. In the Advanced Security Settings For Production window, click Change Permissions.

20. Clear the Include inheritable permissions from this object’s parent check box.

21. In the Windows security window, click Add.

22. Use Ctrl+click to select both entries for Users and then click Remove.

23. Click OK twice to close both Advanced Security Settings For Production windows.

24. In the Production Properties window, click Edit.

25. In the Permissions For Production window, click Add, type Production and then click OK.

26. With Production selected, click the Allow Modify permission and click OK.

27. In the Production Properties window, click OK.

Task 3: Create the share

1. On NYC-DC1, in Windows Explorer, browse to C:\.

2. Right-click Share and click Properties.

3. In the Share Properties window, on the Sharing tab, click Advanced Sharing.

4. In the Advanced Sharing window, select the Share this folder check box and click Permissions.

5. In the Permissions For Share window, with Everyone selected, select the Full Control Allow permission and click OK.

6. In the Advanced Sharing window, click OK.

7. In the Share Properties window, click Close.

8. Close Windows Explorer.

Task 4: Enable Access-Based Enumeration

1. On NYC-DC1, click Start, point to Administrative Tools, and click Share and Storage Management.

2. In Share and Storage Management, right-click Share, and click Properties.

3. In the Share Properties window, click Advanced.

4. In the Advanced window, on the User Limits tab, select the Enable Access-based enumeration check box and click OK.

5. In the Share Properties window, click OK.

6. Close Share and Storage Management.

Task 5: Verify that permissions are properly configured

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd. Adam is a member of Marketing.

2. Click Start, type \\nyc-dc1\share, and press ENTER.

3. Read the folders that are available and double-click Marketing.

4. Right-click an open area, point to New, and click Text Document.

5. Type AdamFile and press ENTER to rename the file.

6. Close Windows Explorer.

Results: After this exercise, you should have created and configured a file share.
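
Because the share itself grants Everyone Full Control in Task 3, the NTFS permissions set in Task 2 are what actually restrict access. The script below is an added example, not part of the lab answer key; it checks on NYC-DC1 that inheritance is blocked, that no Users entry remains, and that the department group has Modify. The function name is hypothetical, the group names are assumed to resolve as CONTOSO\Marketing and CONTOSO\Production, and the check for Everyone and Authenticated Users goes beyond what the lab configures.

```powershell
# Added example (not from the lab answer key): verify the NTFS result of Task 2.

function Test-DepartmentFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Group   # for example CONTOSO\Marketing
    )
    $acl    = Get-Acl -Path $Path
    $rules  = @($acl.Access)
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify

    # Steps 9-11 and 20-22: inheritance cleared and both Users entries removed.
    $usersAces = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users'
    })

    # Steps 14-15 and 25-26: the department group is allowed Modify.
    $groupModify = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    })

    # Extension beyond the lab: other broad principals that would defeat the
    # restriction if they held an allow entry.
    $broad = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ('Everyone', 'NT AUTHORITY\Authenticated Users') -contains $_.IdentityReference.Value
    })

    $result = New-Object PSObject -Property @{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected
        UsersAceCount      = $usersAces.Count
        GroupHasModify     = ($groupModify.Count -gt 0)
        BroadAllowAces     = $broad.Count
    }
    $pass = $result.InheritanceBlocked -and
            ($result.UsersAceCount -eq 0) -and
            $result.GroupHasModify -and
            ($result.BroadAllowAces -eq 0)
    $result | Add-Member -MemberType NoteProperty -Name Pass -Value $pass -PassThru
}

# Folder-to-group mapping from Task 1 and Task 2.
$checks = @(
    @{ Path = 'C:\Share\Marketing';  Group = 'CONTOSO\Marketing'  },
    @{ Path = 'C:\Share\Production'; Group = 'CONTOSO\Production' }
)

foreach ($check in $checks) {
    if (-not (Test-Path $check.Path)) {
        Write-Warning "$($check.Path) not found; run this on NYC-DC1 after Task 2."
        continue
    }
    Test-DepartmentFolderAcl -Path $check.Path -Group $check.Group |
        Select-Object Path, InheritanceBlocked, UsersAceCount, GroupHasModify, BroadAllowAces, Pass
}
```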

Exercise 2: Encrypting and Recovering Files

Task 1: Update the recovery agent certificate for EFS

1. On NYC-DC1, click Start, point to Administrative Tools, and click Group Policy Management.

2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and click Default Domain Policy.

3. In the Group Policy Management Console dialog box, click OK to clear the message.

4. Right-click Default Domain Policy and click Edit.

5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, and click Encrypting File System.

6. Right-click the Administrator certificate and click Delete.

7. In the Certificates window, click Yes.

8. Right-click Encrypting File System and click Create Data Recovery Agent.

9. Read the information for the new certificate that was created. Notice that this certificate was obtained from ContosoCA.

10. Close Group Policy Management Editor.

11. Close Group Policy Management.

Task 2: Update Group Policy on the computers

1. On NYC-DC1, click Start, type cmd, and press ENTER.

2. At the command prompt, type gpupdate /force and press ENTER.

3. Close the command prompt.

4. On NYC-CL1, click Start, type cmd, and press ENTER.

5. At the command prompt, type gpupdate /force and press ENTER.

6. Close the command prompt.

Task 3: Obtain a certificate for EFS

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start, type mmc, and press ENTER.

3. In Console1, click File and click Add/Remove Snap-in.

4. In the list of available snap-ins, click Certificates and click Add.

5. In the Add Or Remove Snap-ins window, click OK.

6. In the left pane, click Certificates – Current User, then right-click Personal, point to All Tasks, and click Request New Certificate.

7. In the Certificate Enrollment window, click Next.

8. On the Select Certificate Enrollment Policy page, click Next to use the Active Directory Enrollment Policy.

9. On the Request Certificates page, select the Basic EFS check box and click Enroll.

10. On the Certificate Installation Results page, click Finish.

11. In the Console1 window, in the left pane, expand Certificates – Current User, expand Personal, and click Certificates.

12. Read the list of certificates and note the one that was issued by ContosoCA.

13. Close Console1 and do not save the settings.

Task 4: Encrypt a file

1. On NYC-CL1, click Start, type \\NYC-DC1\Share\Marketing, and press ENTER.

2. Right-click AdamFile and click Properties.

3. On the General tab, click Advanced.

4. In the Advanced Attributes window, select the Encrypt contents to secure data check box and click OK.

5. In the AdamFile Properties window, click OK.

6. In the Encryption Warning window, click Encrypt the file only and then click OK. Wait a few seconds for the file to be encrypted.

7. Look at the color of the file name.

8. Close Windows Explorer.

Task 5: Use the recovery agent to open the file

1. On NYC-DC1, click Start and click Computer.

2. Browse to C:\Share\Marketing.

3. Double-click AdamFile.txt.

4. Add some text to the file, click File, and then click Save.

5. Close Notepad and Windows Explorer.

Results: After this exercise, you should have encrypted and recovered a file.

Exercise 3: Creating and Configuring a Printer Pool

Task 1: Install the Print Management role

1. On NYC-DC1, click Start, point to Administrative Tools, and click Server Manager.

2. In the left pane, click Roles and then click Add Roles.

3. Click Next to start the Add Roles Wizard.

4. On the Select Server Roles page, select the Print and Document Services check box and click Next.

5. On the Print and Document Services page, click Next.

6. On the Select Role Services page, verify that Print Server is selected and click Next.

7. On the Confirm Installation Selections page, click Install.

8. On the Installation Results page, click Close.

9. Close Server Manager.

Task 2: Create two IP printer ports

1. Click Start, point to Administrative Tools, and click Print Management.

2. In Print Management, expand Print Servers, expand NYC-DC1 (local), and click Ports.

3. Right-click Ports and click Add Port.

4. In the Printer Ports window, click Standard TCP/IP Port and click New Port.

5. Click Next to start the Add Standard TCP/IP Printer Port Wizard.

6. In the Printer Name or IP Address box, type 10.10.0.98 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.

7. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.

8. Click Finish to complete the wizard.

9. In the Printer Ports window, click Standard TCP/IP Port and click New Port.

10. Click Next to start the Add Standard TCP/IP Printer Port Wizard.

11. In the Printer Name or IP Address box, type 10.10.0.99 and click Next. It will take a minute or two while Windows Server 2008 R2 attempts to detect the type of device at that IP address.

12. On the Additional port information required page, click Next to accept the default settings of a Generic Network Card.

13. Click Finish to complete the wizard.

14. In the Printer Ports window, click Close.

Task 3: Create a printer

1. In Print Management, under NYC-DC1 (local), click Printers.

2. Right-click Printers and click Add Printer.

3. On the Printer Installation page, click Add a new printer using an existing port, click 10.10.0.98, and click Next.

4. On the Printer Driver page, click Install a new driver and click Next.

5. On the Printer Installation page, click Next to accept the default driver.

6. On the Printer Name and Sharing Settings page, in the Printer Name and Share Name boxes, type PrinterPool and click Next.

7. On the Printer Found page, click Next.

8. Click Finish to complete the wizard.

Task 4: Make the new printer into a printer pool

1. In Print Management, right-click PrinterPool and click Properties.

2. In the PrinterPool Properties window, on the Ports tab, select the Enable printer pooling check box.

3. In the list of ports, select the 10.10.0.99 check box and click OK. Notice that two ports are selected.

4. Close Print Management.

Task 5: Distribute the printer pool to users

1. Click Start, point to Administrative Tools, and click Group Policy Management.

2. Right-click the Marketing OU and click Create a GPO in this domain, and Link it here.

3. In the New GPO window, in the Name box, type MarketingGPO and click OK.

4. Right-click MarketingGPO and click Edit.

5. Under User Configuration, expand Preferences, expand Control Panel Settings, and click Printers.

6. Right-click Printers, point to New, and click Shared Printer.

7. In the New Shared Printer Properties window, in the Share path box, type \\NYC-DC1\PrinterPool.

8. Select the Set this printer as the default printer check box, and click OK.

9. Close Group Policy Management Editor.

10. Close Group Policy Management.

Task 6: Verify printer distribution to a marketing user

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start, type cmd, and press ENTER.

3. At the command prompt, type gpupdate /force and press ENTER.

4. Close the command prompt.

5. Click Start and click Devices and Printers.

6. Confirm that PrinterPool on NYC-DC1 appears and is configured as the default printer.

Results: After this exercise, you should have created a printer pool and distributed it to Marketing users.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-CL1.

Module 11 Lab Answer Key: Optimizing Data Access for Branch Offices

Contents:

Lab A: Implementing DFS

Exercise 1: Installing the DFS Role Service

Exercise 2: Configuring the Required Namespace

Exercise 3: Configuring DFS Replication

Lab B: Implementing BranchCache

Exercise 1: Performing Initial Configuration Tasks for BranchCache

Exercise 2: Configuring BranchCache Clients

Exercise 3: Configuring BranchCache on the Branch Server

Exercise 4: Monitoring BranchCache

Lab A: Implementing DFS

Exercise 1: Installing the DFS Role Service

Task 1: Install the DFS Role Service on NYC-SVR1

1. Switch to NYC-SVR1.

2. On the taskbar, click Server Manager.

3. In the navigation pane, click Roles.

4. In the details pane, under the File Services section, click Add Role Services. The Add Role Services wizard opens.

5. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces and DFS Replication options are also selected. Click Next.

6. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.

7. On the Confirm Installation Selections page, click Install.

8. On the Installation Results page, click Close.

9. Close Server Manager.

Task 2: Install the DFS Role Service on NYC-DC1

1. Switch to NYC-DC1.

2. On the taskbar, click Server Manager.

3. In the navigation pane, click Roles.

4. In the details pane, click Add Roles.

5. In the Add Roles Wizard, click Next.

6. On the Select Server Roles page, select the File Services check box and then click Next.

7. On the File Services page, click Next.

8. On the Select Role Services page, select the check box next to Distributed File System. Ensure that the File Server, DFS Namespaces, and DFS Replication options are also selected. Click Next.

9. On the Create a DFS Namespace page, click Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.

10. On the Confirm Installation Selections page, click Install.

11. On the Installation Results page, click Close.

12. Close Server Manager.

Results: At the end of this exercise, you will have installed the required role services on both servers.

Exercise 2: Configuring the Required Namespace

Task 1: Use the New Namespace Wizard to create the BranchDocs namespace

1. Switch to NYC-SVR1.

2. Click Start, point to Administrative Tools, and then click DFS Management.

3. In the navigation pane, click Namespaces.

4. Right-click Namespaces and then click New Namespace. The New Namespace Wizard starts.

5. On the Namespace Server page, under Server, type NYC-SVR1 and then click Next.

6. On the Namespace Name and Settings page, under Name, type BranchDocs and then click Next.

7. On the Namespace Type page, ensure that Domain-based namespace is selected. Take note that the namespace will be accessed by \\Contoso.com\BranchDocs.

8. Ensure that the check box next to Enable Windows Server 2008 mode is selected and then click Next.

9. On the Review Settings and Create Namespace page, click Create.

10. On the Confirmation page, ensure that the Create namespace task is successful and then click Close.

11. In the navigation pane, under Namespaces, click \\Contoso.com\BranchDocs.

12. In the details pane, click the Namespace Servers tab and ensure that there is one entry that is enabled for \\NYC-SVR1\BranchDocs.

Task 2: Enable access-based enumeration for the BranchDocs namespace

1. In the navigation pane, under Namespaces, right-click \\Contoso.com\BranchDocs and then click Properties.

2. In the \\Contoso.com\BranchDocs Properties dialog box, click the Advanced tab.

3. On the Advanced tab, select the check box next to Enable access-based enumeration for this namespace and then click OK.

Task 3: Add the ResearchTemplates folder to the BranchDocs namespace

1. In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.

2. In the New Folder dialog box, under Name, type ResearchTemplates.

3. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.

4. In the Add Folder Target dialog box, type \\NYC-DC1\ResearchTemplates and then click OK.

5. In the Warning dialog box, click Yes.

6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\ResearchTemplates.

7. Click All users have read and write permissions and then click OK.

8. In the Warning dialog box, click Yes.

9. Click OK again to close the New Folder dialog box.

Task 4: Add the DataFiles folder to the BranchDocs namespace

1. In DFS Management, right-click Contoso.com\BranchDocs and then click New Folder. The New Folder dialog box opens.

2. In the New Folder dialog box, under Name, type DataFiles.

3. In the New Folder dialog box, click Add. The Add Folder Target dialog box opens.

4. In the Add Folder Target dialog box, type \\NYC-SVR1\DataFiles and then click OK.

5. In the Warning dialog box, click Yes.

6. In the Create Share dialog box, in the Local path of shared folder box, type C:\BranchDocs\DataFiles.

7. Click All users have read and write permissions and then click OK. The permissions will be configured later.

8. In the Warning dialog box, click Yes.

9. Click OK again to close the New Folder dialog box.

Task 5: Verify the BranchDocs namespace

1. On NYC-SVR1, click Start, and then in the Search programs and files box, type \\Contoso.com\BranchDocs. Press ENTER.

2. In the BranchDocs window, verify that both ResearchTemplates and DataFiles are visible.

3. Close the BranchDocs window.

Results: At the end of this exercise, you will have created and verified the DFS namespace.

Exercise 3: Configuring DFS Replication

Task 1: Create another Folder Target for DataFiles

1. In DFS Management, expand Contoso.com\BranchDocs and then click DataFiles. In the details pane, notice that there is currently only one folder target.

2. Right-click DataFiles and then click Add Folder Target.

3. In the New Folder Target dialog box, under Path to folder target, type \\NYC-DC1\DataFiles and then click OK.

4. In the Warning dialog box, click Yes to create the shared folder on NYC-DC1.

5. In the Create Share dialog box, under Local path of shared folder, type C:\BranchDocs\DataFiles.

6. In the Create Share dialog box, under Shared folder permissions, select All users have read and write permissions and then click OK.

7. In the Warning dialog box, click Yes to create the folder on NYC-DC1.

8. In the Replication dialog box, click Yes. The Replicate Folder Wizard starts.

Task 2: Configure Replication for the namespace

1. In DFS Management, in the Replicate Folder Wizard, on the Replication Group and Replicated Folder Name page, accept the default settings and then click Next.

2. On the Replication Eligibility page, click Next.

3. On the Primary Member page, select NYC-SVR1 and then click Next.

4. On the Topology Selection page, select No topology and then click Next.

5. In the Warning dialog box, click OK.

6. On the Review Settings and Create Replication Group page, click Create.

7. On the Confirmation page, click Close.

8. In the Replication Delay dialog box, click OK.

9. In the DFS Management console, expand Replication and then click contoso.com\BranchDocs\DataFiles.

10. In the action pane, click New Topology.

11. In the New Topology Wizard, on the Topology Selection page, click Full mesh and then click Next.

12. On the Replication Group Schedule and Bandwidth page, click Next.

13. On the Review Settings and Create Topology page, click Create.

14. On the Confirmation page, click Close, and in the Replication Delay dialog box, click OK.

15. In the details pane, on the Memberships tab, verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.

16. On the Memberships tab, right-click NYC-DC1 and then click Make read-only. This setting will automatically configure the replicated copy to be read-only.

Results: At the end of this exercise, you will have successfully configured DFS replication.

Preparing for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1.

Lab B: Implementing BranchCache

Exercise 1: Performing Initial Configuration Tasks for BranchCache

Task 1: Configure NYC-DC1 to use BranchCache

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. In the navigation pane, click Roles.

4. In the details pane, click Add Roles and then click Next.

5. In the Add Roles Wizard, on the Select Server Roles page, select the File Services check box and then click Next.

6. On the File Services page, click Next.

7. On the Select Role Services page, in the Role services list, select the BranchCache for network files check box and then click Next.

8. On the Confirm Installation Selections page, click Install.

9. On the Installation Results page, click Close.

10. Close Server Manager.

11. Click Start, and in the Search box, type gpedit.msc and then press ENTER.

12. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.

13. In the Setting list of the Lanman Server result pane, right-click Hash Publication for BranchCache and then click Edit.

14. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select Allow hash publication only for shared folders on which BranchCache is enabled, and then click OK.

Task 2: Simulate slow link to the branch office

1. In the navigation pane of the Local Group Policy Editor console, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.

2. On the Create a QoS policy page of the Policy-based QoS Wizard, in the Policy name box, type Limit to 100 KBps, select the Specify Outbound Throttle Rate: check box, type 100, and then click Next.

3. On the This QoS policy applies to page, click Next.

4. On the Specify the source and destination IP addresses page, click Next.

5. On the Specify the protocol and port numbers page, click Finish.

6. Close the Local Group Policy Editor.

Task 3: Enable a file share for BranchCache

1. Click Start and then click Computer.

2. In the Computer window, browse to Local Disk (C:).

3. On the menu, click New Folder.

4. Type Share and then press ENTER.

5. Right-click Share and then click Properties.

6. On the Sharing tab of the Share Properties dialog box, click Advanced Sharing.

7. Select the Share this folder check box and then click Caching.

8. In the Offline Settings dialog box, select the Enable BranchCache check box and then click OK.

9. In the Advanced Sharing dialog box, click OK.

10. In the Share Properties dialog box, click Close.

11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

12. At the command prompt window, type the following command and then press ENTER:

Copy C:\windows\system32\mspaint.exe c:\share

13. Close the command prompt.

14. Close Windows Explorer.

Task 4: Configure client firewall rules for BranchCache

1. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then click Edit.

3. In the navigation pane of the Group Policy Management Editor console, under Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.

4. In the navigation pane, under Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security and then click Inbound Rules.

5. On the Action menu of the Group Policy Management Editor console, click New Rule.

6. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache – Content Retrieval (Uses HTTP), and then click Next.

7. On the Predefined Rules page, click Next.

8. On the Action page, click Finish to create the firewall inbound rule.

9. Click Inbound Rules, and then on the Action menu of the Group Policy Management Editor console, select New Rule.

10. On the Rule Type page of the New Inbound Rule Wizard, click Predefined, click BranchCache – Peer Discovery (Uses WSD), and then click Next.

11. On the Predefined Rules page, click Next.

12. On the Action page, click Finish.

Results: At the end of this exercise, you will have prepared the network environment for BranchCache.

Exercise 2: Configuring BranchCache Clients

Task 1: Configure clients to use BranchCache in hosted cache mode

1. In the navigation pane of the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.

2. In the Setting list of the BranchCache result pane, right-click Turn on BranchCache and then click Edit.

3. In the Turn on BranchCache dialog box, click Enabled and then click OK.

4. In the Setting list of the BranchCache result pane, right-click Set BranchCache Hosted Cache mode and then click Edit.

5. In the Set BranchCache Hosted Cache mode dialog box, click Enabled, in the Enter the location of hosted Cache box, type NYC-SVR1.contoso.com, and then click OK.

6. In the Setting list of the BranchCache result pane, right-click Configure BranchCache for network files and then click Edit.

7. In the Configure BranchCache for network files dialog box, click Enabled, in the Enter the round trip network latency value in milliseconds above which network files must be cached in the branch office box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required.

8. Close the Group Policy Management Editor console.

9. Close the Group Policy Management console.

10. Start 6421B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

11. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

12. At the command prompt window, type the following command and then press ENTER:

gpupdate /force

13. At the command prompt window, type the following command and then press ENTER:

netsh branchcache show status all

14. Start 6421B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

15. Click Start, and in the Search box, type Network and Sharing and then press ENTER.

16. In Network Connections, click Change adapter settings.

17. Right-click Local Area Connection 3 and then click Properties.

18. In the Local Area Connection 3 Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.

20. Click Obtain DNS server address automatically and then click OK.

21. In the Local Area Connection 3 Properties dialog box, click OK.

22. Restart the computer. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

23. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

24. At the command prompt window, type the following command and then press ENTER:

gpupdate /force

25. At the command prompt window, type the following command and then press ENTER:

netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 3: Configuring BranchCache on the Branch Server

Task 1: Install the BranchCache feature on NYC-SVR1

1. Start 6421B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. In the navigation pane of the Server Manager console, right-click Features and then click Add Features.

4. On the Select Features page of the Add Features Wizard, select the BranchCache check box and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Results page, click Close.

7. Close Server Manager.

Task 2: Request a certificate and link it to BranchCache

1. On the Start menu of NYC-SVR1, click Run.

2. In the Open box of the Run dialog box, type mmc and then click OK.

3. On the File menu of the Console1 – [Console Root] console, click Add/Remove Snap-ins.

4. In the Available snap-ins area of the Add or Remove Snap-ins dialog box, click Certificates and then click Add.

5. In the This snap-in will always manage certificates for page of the Certificates Snap-in Wizard, click Computer account and then click Next.

6. On the Select the computer you want this snap-in to manage page, click Finish.

7. In the Add or Remove Snap-ins dialog box, click OK.

8. In the navigation pane of the Console1 – [Console Root] console, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.

9. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.

10. On the Select Certificate Enrollment Policy page, click Next.

11. On the Request Certificates page, select the Computer check box and then click Enroll.

12. On the Certificate Installation Results page, click Finish.

13. In the navigation pane of the Console1 – [Console Root] console, under Personal, click Certificates.

14. In the Issued To result pane, right-click NYC-SVR1.Contoso.com and then click Open.

15. On the Details tab of the Certificate dialog box, in the Field list, click Thumbprint, select thumbprint values in the details section, press Ctrl+C to copy the values to the Clipboard, and then click OK.

16. On the Start menu, click All Programs, click Accessories, and then click Command Prompt.

17. At the command prompt window, type the following command and then press ENTER. You can paste the certificatehashvalue from the certificate, but you must remove the spaces.

netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

18. At the command prompt, type the following command and then press ENTER:

netsh branchcache show status all
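The thumbprint clean-up that step 17 asks for, as an added PowerShell example that is not part of the lab answer key. The function names and the sample thumbprint are constructed for illustration; the appid is the one given in step 17.

```powershell
# Added example: clean up a thumbprint copied from the Certificate dialog box
# and build the netsh command from step 17. Function names are hypothetical.

function ConvertTo-CertHash {
    param([Parameter(Mandatory = $true)][string]$Pasted)

    # Remove whitespace and invisible Unicode format characters (category Cf),
    # such as a left-to-right mark that can be copied ahead of the first byte.
    $hash = ($Pasted -replace '[\s\p{Cf}]', '').ToUpperInvariant()

    # A SHA-1 thumbprint is 20 bytes: exactly 40 hexadecimal digits.
    if ($hash -notmatch '^[0-9A-F]{40}$') {
        throw "Not a 40-digit hexadecimal thumbprint: '$hash'"
    }
    $hash
}

function Test-BindingCertificate {
    param([Parameter(Mandatory = $true)][string]$CertHash)

    # The binding needs a certificate in the computer's Personal store
    # that has a private key and is inside its validity period.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertHash }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $CertHash in LocalMachine\My."
        return $false
    }
    $now = Get-Date
    return ($cert.HasPrivateKey -and $cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
}

# Constructed sample value; replace it with the text copied in step 15.
$pasted = [string][char]0x200E + '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67'
$hash = ConvertTo-CertHash $pasted

if (-not (Test-BindingCertificate $hash)) {
    Write-Warning 'Resolve the certificate problem before adding the binding.'
}

# Command line for Command Prompt, using the appid from step 17.
"netsh http add sslcert ipport=0.0.0.0:443 certhash=$hash appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}"
```

If you run the resulting command from PowerShell instead of Command Prompt, quote the appid argument, because PowerShell parses bare braces as a script block.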

Task 3: Start the BranchCache Host Server

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.

3. Right-click Contoso.com, point to New, and click Organizational Unit.

4. In the New Object - Organizational Unit window, type BranchCacheHost and then click OK.

5. Click the Computers container.

6. Click NYC-SVR1 and drag it to BranchCacheHost.

7. Click Yes to clear the warning about moving objects.

8. Close Active Directory Users and Computers.

9. Click Start, point to Administrative Tools, and click Group Policy Management.

10. Under Domains, expand Contoso.com, right-click BranchCacheHost, and click Block Inheritance.

11. On NYC-DC1, close all open windows.

12. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.

13. On NYC-SVR1, open a command prompt, type the following command, and then press ENTER:

netsh branchcache set service hostedserver

14. Close the command prompt.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

Exercise 4: Monitoring BranchCache

Task 1: Configure Performance Monitor on NYC-SVR1

1. Click Start, and in the Search box, type Performance and then press ENTER.

2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

3. In the Performance Monitor result pane, click the Delete (Delete Key) icon.

4. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.

5. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.

6. Change graph type to Report.

Task 2: View Performance statistics on NYC-CL1

1. Switch to NYC-CL1.

2. On the Start menu, in the Search programs and files box, type Performance and then press ENTER.

3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

4. In the Performance Monitor result pane, click the Delete (Delete Key) icon.

5. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.

6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.

7. Change graph type to Report. Notice that the value of all performance statistics is zero.

Task 3: View performance statistics on NYC-CL2

1. Switch to NYC-CL2.

2. On the Start menu, in the Search programs and files box, type Performance and then press ENTER.

3. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.

4. In the Performance Monitor result pane, click the Delete (Delete Key) icon.

5. In the Performance Monitor result pane, click the Add (Ctrl+N) icon.

6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.

7. Change graph type to Report. Notice that the value for all performance statistics is zero.

Task 4: Test BranchCache in hosted caching mode

1. Switch to NYC-CL1.

2. Click Start, and in the Search box, type \\NYC-DC1.contoso.com\Share and then press ENTER.

3. In the Name list of the Share window, right-click mspaint.exe and then click Copy.

4. In the Share window, click Minimize.

5. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.

6. On the desktop, right-click anywhere and then click Paste.

7. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).

8. On the Start menu of NYC-CL2, in the Search programs and files box, type \\NYC-DC1.contoso.com\Share and then press ENTER.

9. In the Name list of the Share window, right-click mspaint.exe and then click Copy.

10. In the Share window, click Minimize.

11. In the Administrator: C:\Windows\system32\cmd.exe window, click Minimize.

12. On the desktop, right-click anywhere and then click Paste.

13. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).

14. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified the function of BranchCache.

Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1, 6421B-NYC-CL1 and 6421B-NYC-CL2.

Module 12 Lab Answer Key: Controlling and Monitoring Network Storage

Contents:

Exercise 1: Configuring FSRM Quotas

Exercise 2: Configuring File Screening

Exercise 3: Configuring File Classification and File Management

Lab: Controlling and Monitoring Network Storage

Exercise 1: Configuring FSRM Quotas

Task 1: Create the Home share

1. On NYC-SVR1, click Start, type cmd, and press ENTER.

2. At the command prompt, type md C:\Home and press ENTER.

3. At the command prompt, type net share Home=C:\Home /grant:everyone,full and press ENTER.

4. Close the command prompt.

Task 2: Install FSRM

1. On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.

2. In Server Manager, in the left pane, expand Roles, click File Services, and then click Add Role Services.

3. In the Add Role Services window, select the File Server Resource Manager check box and click Next.

4. On the Configure Storage Usage Monitoring page, click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Results page, click Close.

Task 3: Create a quota template for home folders

1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.

2. In File Server Resource Manager, expand Quota Management and click Quota Templates.

3. In the Actions pane, click Create Quota Template.

4. In the Create Quota Template window, in the Template name box, type Home Folders.

5. In the Description box, type Template for user home folders.

6. In the Space limit area, in the Limit box, type 500.

7. Verify that Hard quota: Do not allow users to exceed limit is selected.

8. In the Notification thresholds area, click Add.

9. In the Add Threshold window, in the Generate notifications when usage reaches (%) box, type 75.

10. On the E-mail Message tab, select the Send e-mail to the user who exceeded the threshold check box.

11. Click the Event log tab and click Yes in the warning window.

12. On the Event Log tab, select the Send warning to event log check box.

13. Click OK and click Yes to close the warning window.

14. Click OK to close the Create Quota Template window.

Task 4: Configure an SMTP server for FSRM notifications

1. In File Server Resource Manager, right-click File Server Resource Manager (Local) and click Configure Options.

2. In the File Server Resource Manager Options window, on the Email Notifications tab, in the SMTP server name or IP address box, type mail.contoso.com.

3. In the Default administrator recipients box, type [email protected] and click OK.

Task 5: Configure quotas on Home share folders

1. In File Server Resource Manager, click Quotas.

2. In the Actions pane, click Create Quota.

3. In the Create Quota window, in the Quota path box, type C:\Home.

4. Click Auto apply template and create quotas on existing and new subfolders.

5. In the Quota properties area, click Derive properties from this quota template (recommended) and select Home Folders.

6. Click Create.

7. Close File Server Resource Manager.

Task 6: Create a home folder for a user

1. On NYC-DC1, click Start, point to Administrative Tools, and click Active Directory Users and Computers.

2. In Active Directory Users and Computers, expand Contoso.com and click Marketing.

3. Right-click Adam Carter and click Properties.

4. In the Adam Carter Properties window, on the Profile tab, in the Home folder area, click Connect, select H:, and type \\NYC-SVR1\Home\Adam.

5. Click OK to save the changes.

6. Close Active Directory Users and Computers.

Task 7: Verify that the quota is applied

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start and click Computer.

3. Verify that H: is mapped to \\NYC-SVR1\Home\Adam.

4. Right-click Adam (\\NYC-SVR1\Home) (H:) and click Properties.

5. In the Adam (\\NYC-SVR1\Home) (H:) Properties window, read the size of H: and notice that it corresponds to the size of the quota that has been assigned.

6. Close all open windows.

Results: After this exercise, you will have created and applied quotas to home folders.

Exercise 2: Configuring File Screening

Task 1: Add AUDX files to a file group

1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.

2. In File Server Resource Manager, expand File Screening Management and click File Groups.

3. Right-click Audio and Video Files and click Edit File Group Properties.

4. In the File Group Properties For Audio And Video Files window, in the Files to include box, type *.audx and click Add.

5. Click OK to close the File Group Properties For Audio And Video Files window.

Task 2: Create a file screen template

1. On NYC-SVR1, in File Server Resource Manager, click File Screen Templates.

2. In the Actions pane, click Create File Screen Template.

3. In the Create File Screen Template window, on the Settings tab, in the Template name box, type Home Folder Media.

4. If necessary, click Active Screening: Do not allow users to save unauthorized files.

5. In the File groups area, select the Audio and Video Files check box and the Image Files check box.

6. On the Event log tab, select the Send warning to event log check box and then click OK.

Task 3: Configure a file screen for C:\Home

1. On NYC-SVR1, in File Server Resource Manager, click File Screens.

2. In the Actions pane, click Create File Screen.

3. In the Create File Screen window, in the File screen path box, type C:\Home.

4. If necessary, click Derive properties from this file screen template (recommended) and select Home Folder Media.

5. Click Create.

6. Close File Server Resource Manager.

Task 4: Verify that the file screen is applied

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start and click Computer.

3. In the left pane, under Libraries, click Videos and then double-click Sample Videos.

4. Right-click Wildlife and click Copy.

5. Browse to H:\, right-click an open area, and click Paste.

6. In the Destination Folder Access Denied window, click Cancel.

7. Close all open windows.

Results: After this exercise, you will have configured file screening to prevent media files from being placed in home folders.

Exercise 3: Configuring File Classification and File Management

Task 1: Create a classification property for official documents

1. On NYC-SVR1, click Start, point to Administrative Tools, and click File Server Resource Manager.

2. In File Server Resource Manager, expand Classification Management and click Classification Properties.

3. In the Actions pane, click Create Property.

4. In the Create Classification Property Definition window, in the Property name box, type Official Document.

5. In the Description box, type Official document that is available in the web archive.

6. In the Property type box, select Yes/No and then click OK.

Task 2: Create a classification rule for official documents

1. In File Server Resource Manager, click Classification Rules.

2. In the Actions pane, click Create a New Rule.

3. In the Classification Rule Definitions window, on the Rule Settings tab, in the Rule name box, type Official Documents.

4. In the Scope area, click Add.

5. In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.

6. In the Classification Rule Definitions window, on the Classification tab, in the Classification mechanism area, select Content Classifier.

7. In the Property name area, select Official Document.

8. In the Property value area, select Yes and then click Advanced.

9. In the Additional Rule Parameters window, on the Additional Classification Parameters tab, in the Name box, type RegularExpression.

10. In the Value box, type Document#\d\d\d\d-\d\d\d and then click OK.

11. Click OK to close the Classification Rule Definitions window.
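An added example (not part of the lab answer key) for checking what the expression from step 10 matches before the classification rule and the expiration task act on it. It assumes the Content Classifier evaluates the RegularExpression parameter with .NET syntax and default options; the function name, the sample strings and the stricter comparison pattern are constructed.

```powershell
# Added example: exercise the step 10 expression against sample text with the
# .NET regex engine. [regex]::Match is used instead of -match because -match
# ignores case, while the .NET default is case-sensitive.

function Test-ClassifierPattern {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [Parameter(Mandatory = $true)][string[]]$Text
    )
    foreach ($t in $Text) {
        $m = [regex]::Match($t, $Pattern)
        New-Object PSObject -Property @{
            Pattern = $Pattern
            Text    = $t
            IsMatch = $m.Success
            Matched = $m.Value
        }
    }
}

# The expression typed in step 10.
$labPattern = 'Document#\d\d\d\d-\d\d\d'

# Hypothetical stricter variant for comparison: the marker must start at a
# word boundary and must not be followed by another digit.
$strictPattern = '\bDocument#\d{4}-\d{3}(?!\d)'

# Constructed sample lines of document text.
$samples = @(
    'Document#2011-001',                # the text typed in the verification task
    'Ref: Document#2011-001 (final)',   # marker embedded in a sentence
    'document#2011-001',                # lower-case marker
    'Document#2011-0012',               # one extra trailing digit
    'MyDocument#2011-001',              # marker preceded by other letters
    'Document #2011-001',               # space before the number sign
    'Document#2011-01'                  # too few digits
)

# One row per pattern and sample, so the two patterns can be compared.
$results = foreach ($p in @($labPattern, $strictPattern)) {
    Test-ClassifierPattern -Pattern $p -Text $samples
}
$results | Select-Object Pattern, Text, IsMatch, Matched | Format-Table -AutoSize
```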

Task 3: Create a file management task to expire official documents

1. In File Server Resource Manager, click File Management Tasks.

2. In the Actions pane, click Create File Management Task.

3. In the Create File Management Task window, on the General tab, in the Task name box, type Remove Official Documents.

4. In the Scope area, click Add.

5. In the Browse For Folder window, expand Local Disk (C:), click Home, and click OK.

6. In the Create File Management Task window, on the Action tab, in the Type box, select File expiration.

7. To the right of the Expiration Directory box, click the Browse button.

8. In the Browse For Folder window, click Local Disk (C:), click Make New Folder, type Expired Documents, press ENTER, and click OK.

9. In the Create File Management Task window, on the Condition tab, in the Property conditions area, click Add.

10. In the Property Condition window, in the Property box, select Official Document.

11. In the Operator box, select Equal.

12. In the Value box, select Yes and click OK.

13. In the Create File Management Task window, on the Schedule tab, click Create.

14. In the Schedule window, click New.

15. In the Schedule Task box, select Weekly.

16. In the Start time box, type 9:00 PM.

17. In the Schedule Task Weekly area, select only the Sun check box and then click OK.

18. Click OK to close the Create File Management Task window.

Task 4: Verify that official documents are expired

1. On NYC-CL1, log on as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start, click Computer, and browse to H:\.

3. In Windows Explorer, right-click an empty area, point to New, and click Microsoft Office Word Document.

4. Type Test Document and press ENTER.

5. Double-click Test Document, click OK to close the Microsoft Office Word window, and then click OK to set the user name.

6. In Microsoft Word, type Document#2011-001 and press ENTER.

7. Click the Save button and close Microsoft Word. If the document is open in Word, then FSRM is not able to expire the document.

8. On NYC-SVR1, in File Server Resource Manager, click Classification Rules.

9. In the Actions pane, click Run Classification With All Rules Now.

10. In the Run Classification window, click Wait for classification to complete execution and click OK.

11. Review the Automatic Classification Report in Internet Explorer and verify that one Official Document was found.

12. Close Internet Explorer.

13. In File Server Resource Manager, click File Management Tasks, right-click Remove Official Documents, and click Run File Management Task Now.

14. In the Run File Management Task window, click Wait for the task to complete execution and click OK.

15. Review the File Management Task Report and verify that one file was expired.

16. Click Start, click Computer, and browse to C:\Expired Documents\NYC-SVR1.Contoso.com\Remove Official Documents_datetime\c$\Home\Adam.

17. Review the list of expired files and verify that Test Document.docx is there.

18. Close all open windows.

Results: After this exercise, you will have configured a classification rule for official documents and a file management task that expires official documents.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Module 13 Lab Answer Key: Recovering Network Data and Servers

Contents:

Exercise 1: Configuring Shadow Copies

Exercise 2: Configuring a Scheduled Backup

Lab: Recovering Network Data and Servers

Exercise 1: Configuring Shadow Copies

Task 1: Configure shadow copies on NYC-SVR1

1. On NYC-SVR1, click Start and click Computer.

2. Right-click Local Disk (C:) and click Configure Shadow Copies.

3. In the Shadow Copies window, click C:\ and then click Enable.

4. In the Enable Shadow Copies window, click Yes.

5. In the Shadow Copies window, click Settings.

6. In the Settings window, click Schedule.

7. In the C:\ window, click Delete twice to remove the default schedule.

8. Click New and then click Advanced.

9. In the Advanced Schedule Options window, select the Repeat task check box.

10. In the Every box, type 1 and select hours.

11. In the Duration box, type 24 hours.

12. Click OK to close the Advanced Schedule Options window.

13. Click OK to close the C:\ window.

14. Click OK to close the Settings window.

15. Click OK to close the Shadow Copies window.

Task 2: Create a file share

1. On NYC-SVR1, in Windows Explorer, browse to C:\ and click New folder.

2. Type Marketing and press ENTER to rename the folder.

3. Right-click Marketing, point to Share with, and click Specific people.

4. In the File Sharing window, type Marketing and click Add.

5. With Marketing selected, in the Permission Level column, select Read/Write.

6. Click Share.

7. Take note of the share path and click Done.

Task 3: Create multiple shadow copies of a file

1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.

2. Click Start, type \\NYC-SVR1\Marketing, and press ENTER.

3. In Windows Explorer, in an open area, right-click, point to New, and click Microsoft Office Word Document.

4. Type Budget Planning and press ENTER to rename the document.

5. Double-click Budget Planning and click OK to close the error message.

6. In the User Name box, click OK.

7. In Microsoft Word, type the following items in a bulleted list:

• 2011 - $1,000

• 2012 - $1,100

• 2013 - $1,200

8. Click the Save button.

9. On NYC-SVR1, in Windows Explorer, right-click Local Disk (C:) and click Configure Shadow Copies.

10. In the Shadow Copies window, with C:\ selected, click Create Now.

11. On NYC-CL1, add the following bullets to the document:

• 2014 - $1,500

• 2015 - $2,000

12. Click the Save button and close Microsoft Word.

13. On NYC-SVR1, in the Shadow Copies window, click Create Now.

14. Click OK to close the Shadow Copies window and close Windows Explorer.

15. On NYC-CL1, right-click Budget Planning and click Delete.

16. In the Delete File window, click Yes.

Task 4: Recover a deleted file from a shadow copy

1. On NYC-CL1, in Windows Explorer, right-click an open area and click Properties.

2. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the second most recent folder version of Marketing.

3. In the newly opened window, double-click Budget Planning.

4. Verify that this is not the correct version of Budget Planning, close Word, and close the window containing Budget Planning.

5. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, double-click the most recent folder version of Marketing.

6. In the newly opened window, double-click Budget Planning.

7. Verify that this is the correct version of Budget Planning, close Word, and close the window containing Budget Planning.

8. In the Marketing (\\NYC-SVR1) Properties window, on the Previous Versions tab, with the most recent folder version of Marketing selected, click Restore.

9. In the warning window, click Restore.

10. Click OK to clear the success message.

11. Click OK to close the Marketing (\\NYC-SVR1) Properties window.

12. In Windows Explorer, double-click Budget Planning to view the restored file.

13. Close all open windows.

Results: At the end of this exercise, you will have enabled shadow copies for the Marketing file server.

Exercise 2: Configuring a Scheduled Backup

Task 1: Install the Windows Server Backup feature

1. On NYC-SVR1, click Start, point to Administrative Tools, and click Server Manager.

2. In Server Manager, click Features and click Add Features.

3. In the Add Features Wizard, expand Windows Server Backup Features.

4. Under Windows Server Backup Features, select the Windows Server Backup and Command-line Tools check boxes.

5. Click Next and then click Install.

6. On the Results page, click Close.

7. Close Server Manager.

Task 2: Create a scheduled backup

1. On NYC-SVR1, click Start, point to Administrative Tools, and click Windows Server Backup.

2. In Windows Server Backup, in the Actions pane, click Backup Schedule.

3. In the Backup Schedule Wizard, click Next.

4. On the Select Backup Configuration page, click Full server and then click Next.

5. On the Specify Backup Time page, click Once a day, select 11:00 PM, and click Next.

6. On the Specify Destination Type page, click Back up to a hard disk that is dedicated for backups (recommended) and click Next.

7. On the Select Destination Disk page, click Show All Available Disks, select the Disk 1 check box, and click OK.

8. Select the Disk 1 check box and click Next.

9. Click OK to remove D: from the backup.

10. Click Yes to confirm that data on D: will be removed.

11. On the Confirmation page, click Finish.

12. On the Summary page, click Close.

Task 3: Verify that two backups fit on the destination disk

1. On NYC-SVR1, in Windows Server Backup, read the information in the Destination usage area. There is approximately 32 GB of total disk space and 0 GB used.

2. In the Actions pane, click Backup Once.

3. On the Backup Options page, click Scheduled Backup options and click Next.

4. On the Confirmation page, click Backup.

5. Wait while the backup completes. This will take about five minutes.

6. When the backup is complete, click Close.

7. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.

8. In the Actions pane, click Backup Once.

9. On the Backup Options page, click Scheduled Backup options and click Next.

10. On the Confirmation page, click Backup.

11. Wait while the backup completes. This will take about one minute.

12. When the backup is complete, click Close.

13. Read the information in the Destination usage area. There is approximately 32 GB of total disk space and approximately 7.4 GB used.

Task 4: Perform a test restore of a file

1. On NYC-SVR1, in Windows Server Backup, in the Actions pane, click Recover.

2. On the Getting Started page, click This server (NYC-SVR1) and click Next.

3. On the Select Backup Date page, select today’s date and the most recent time, and then click Next.

4. On the Select Recovery Type page, click Files and folders and click Next.

5. On the Select Items to Recover page, browse to C:\Marketing, click Budget Planning.docx, and click Next.

6. On the Specify Recovery Options page, review the default options and click Next.

7. On the Confirmation page, click Recover.

8. After the recovery is complete, click Close.

9. Close Windows Server Backup.

10. Click Start and click Computer.

11. In Windows Explorer, browse to C:\Marketing and verify that the file is restored.

12. Close Windows Explorer.

Results: At the end of this exercise, you will have configured a scheduled backup and tested backup functionality.

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1 and 6421B-NYC-CL1.

Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers 1

Module 14 Lab Answer Key: Monitoring Windows Server 2008 Network Infrastructure Servers

Contents:

Exercise 1: Establishing a Performance Baseline

Exercise 2: Identifying the Source of a Performance Problem

Exercise 3: Centralizing Events Logs

Lab: Monitoring Windows Server 2008 Network Infrastructure Servers

Exercise 1: Establishing a Performance Baseline

Task 1: Create a Data Collector Set

1. Switch to the NYC-SVR1 computer.

2. Click Start, point to Administrative Tools, and then click Performance Monitor.

3. In Performance Monitor, in the navigation pane, expand Data Collector Sets and then click User Defined.

4. Right-click User Defined, point to New, and then click Data Collector Set.

5. In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Performance.

6. Click Create manually (Advanced) and then click Next.

7. On the What type of data do you want to include? page, select the Performance counter check box and then click Next.

8. On the Which performance counters would you like to log? page, click Add.

9. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.

10. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.

12. Click Avg. Disk Queue Length and then click Add >>.

13. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>.

14. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.

15. On the Which performance counters would you like to log? page, in the Sample interval box, type 1 and then click Next.

16. On the Where would you like the data to be saved? page, click Next.

17. On the Create the data collector set? page, click Save and close and then click Finish.

Task 2: Start the Data Collector Set

• In Performance Monitor, in the Results pane, right-click NYC-SVR1 Performance and then click Start.

Task 3: Create workload on the server

1. Click Start, and in the Search box, type cmd.exe and press ENTER.

2. At the command prompt, type the following command and press ENTER:

Fsutil file createnew bigfile 104857600

3. At the command prompt, type the following command and press ENTER:

Copy bigfile \\nyc-dc1\c$

4. At the command prompt, type the following command and press ENTER:

Copy \\nyc-dc1\c$\bigfile bigfile2

5. At the command prompt, type the following command and press ENTER:

Del bigfile*.*

6. At the command prompt, type the following command and press ENTER:

Del \\nyc-dc1\c$\bigfile*.*

7. Do not close the command prompt.

Task 4: Analyze collected data

1. Switch to Performance Monitor.

2. In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.

3. In Performance Monitor, in the navigation pane, click Performance Monitor.

4. On the toolbar, click View Log Data.

5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Add.

6. In the Select Log File dialog box, double-click Admin.

7. Double-click NYC-SVR1 Performance, double-click the NYC-SVR1_date-000001 folder, and then double-click DataCollector01.blg.

8. Click the Data tab and then click Add.

9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.

10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.

11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.

12. Click Avg. Disk Queue Length and then click Add >>.

13. Expand Processor, click %Processor Time, and then click Add >>.

14. Expand System, click Processor Queue Length, click Add >>, and then click OK.

15. In the Performance Monitor Properties dialog box, click OK.

16. On the toolbar, click the down arrow and then click Report.

17. Record the values listed in the report for analysis later.

Results: After this exercise, you should have established a baseline.

Exercise 2: Identifying the Source of a Performance Problem

Task 1: Load a new program on the server

1. On NYC-SVR1, switch to the command prompt.

2. At the command prompt, type the following command and press ENTER:

C:

3. At the command prompt, type the following command and press ENTER:

Cd\Labfiles

Task 2: Configure the load on the server

• At the command prompt, type the following command and press ENTER:

StressTool 95

Task 3: Start the data collector set again

1. Switch to Performance Monitor.

2. In Performance Monitor, click User Defined, in the results pane, right-click NYC-SVR1 Performance, and then click Start.

3. Wait for one minute to allow data to be captured.

Task 4: Stop the running program

1. After one minute, switch to the command prompt.

2. Press Ctrl+C.

3. Close the command prompt.

Task 5: View performance data

1. Switch to Performance Monitor.

2. In the navigation pane, right-click NYC-SVR1 Performance and then click Stop.

3. In Performance Monitor, in the navigation pane, click Performance Monitor.

4. On the toolbar, click View log data.

5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files and then click Remove.

6. Click Add.

7. In the Select Log File dialog box, click Up One Level.

8. Double-click the NYC-SVR1_date-000002 folder and then double-click DataCollector01.blg.

9. Click the Data tab and then click OK.

Note: If you receive an error at this point, or the values in your report are zero, repeat steps 4-9.

Task 6: Analyze results and draw a conclusion

Question: Compared with your previous report, which values have changed?

Answer: Memory and disk activity are reduced; however, processor activity has increased significantly.

Question: What would you recommend?

Answer: Continue to monitor the server to ensure that the processor workload does not reach capacity.

Results: After this exercise, you should have identified a potential bottleneck.
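
The comparison asked for in Task 6 can also be made from the two log files directly. The script below is an added example, not part of the course material: it averages every counter in the Exercise 1 and Exercise 2 logs and lists them side by side. It assumes Windows PowerShell 2.0 or later (for Import-Counter) and the default Data Collector Set output folder C:\PerfLogs\Admin; the function names are hypothetical.

```powershell
# Added example, not from the course. Run on NYC-SVR1 after both captures are stopped.

function Get-CounterAverage {
    param([Parameter(Mandatory = $true)][string]$BlgPath)

    if (-not (Test-Path -LiteralPath $BlgPath)) { throw "Log not found: $BlgPath" }

    # Import-Counter reports samples it cannot calculate (for example the first
    # sample of a rate counter) as errors; those samples are skipped here.
    Import-Counter -Path $BlgPath -ErrorAction SilentlyContinue |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            $avg  = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            # Drop the leading \\computername so both logs use the same key.
            $name = $_.Name -replace '^\\\\[^\\]+', ''
            New-Object PSObject -Property @{ Counter = $name; Average = $avg }
        }
}

function Compare-CounterLog {
    param(
        [Parameter(Mandatory = $true)][string]$BaselineBlg,
        [Parameter(Mandatory = $true)][string]$LoadBlg
    )

    $baseline = @{}
    Get-CounterAverage -BlgPath $BaselineBlg |
        ForEach-Object { $baseline[$_.Counter] = $_.Average }

    Get-CounterAverage -BlgPath $LoadBlg | ForEach-Object {
        $before = $baseline[$_.Counter]   # $null when the counter is absent from the baseline
        $change = $null
        if ($null -ne $before) { $change = [math]::Round($_.Average - $before, 2) }
        New-Object PSObject -Property @{
            Counter   = $_.Counter
            Baseline  = $before
            UnderLoad = [math]::Round($_.Average, 2)
            Change    = $change
        }
    } | Select-Object Counter, Baseline, UnderLoad, Change | Sort-Object Counter
}

# Assumed default output root; the dated folder names are matched with a wildcard.
$root     = 'C:\PerfLogs\Admin\NYC-SVR1 Performance'
$first    = Get-ChildItem (Join-Path $root '*-000001\DataCollector01.blg') | Select-Object -First 1
$second   = Get-ChildItem (Join-Path $root '*-000002\DataCollector01.blg') | Select-Object -First 1

if ($first -and $second) {
    Compare-CounterLog -BaselineBlg $first.FullName -LoadBlg $second.FullName |
        Format-Table -AutoSize
} else {
    Write-Warning "Both captures must exist under $root before they can be compared."
}
```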

Exercise 3: Centralizing Events Logs

Task 1: Configure the source computer

1. On NYC-SVR1, open a command prompt.

2. At the command prompt, type the following command and then press ENTER:

winrm quickconfig

3. When prompted, type Y and press ENTER.

4. Click Start, right-click Computer, and then click Manage.

5. In Server Manager, in the navigation pane, expand Configuration, expand Local Users and Groups, and then click Groups.

6. In the results pane, double-click Administrators.

7. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click Object Types.

8. In the Object Types dialog box, select the Computers check box, and then click OK.

9. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object names to select box, type nyc-dc1 and then click OK.

10. In the Administrators Properties dialog box, click OK.

Task 2: Configure the collector computer

1. Switch to NYC-DC1.

2. Click Start, and in the Search box, type cmd.exe and press ENTER.

3. At the command prompt, type the following command and then press ENTER:

Wecutil qc

4. When prompted, type Y and press ENTER.

Task 3: Create a subscribed log

1. Click Start, point to Administrative Tools, and then click Event Viewer.

2. In the Event Viewer, in the navigation pane, click Subscriptions.

3. Right-click Subscriptions and then click Create Subscription.

4. In the Subscription Properties dialog box, in the Subscription name box, type NYC-SVR1 Events.

5. Click Collector Initiated and then click Select Computers.

6. In the Computers dialog box, click Add Domain Computers.

7. In the Select Computer dialog box, in the Enter the object name to select box, type NYC-SVR1 and then click OK.

8. In the Computers dialog box, click OK.

9. In the Subscription Properties – NYC-SVR1 Events dialog box, click Select Events.

10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check boxes.

11. In the Logged list, click Last 7 days.

12. In the Event logs list, select Windows Logs. Click the mouse back in the Query Filter dialog box and then click OK.

13. In the Subscription Properties – NYC-SVR1 Events dialog box, click OK.

Task 4: Create a data collector set with an alert counter

1. Switch to the NYC-SVR1 computer.

2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.

3. Right-click User Defined, point to New, and then click Data Collector Set.

4. In the Create new Data Collector Set Wizard, in the Name box, type NYC-SVR1 Alert.

5. Click Create manually (Advanced) and then click Next.

6. On the What type of data do you want to include? page, click Performance Counter Alert and then click Next.

7. On the Which performance counters would you like to monitor? page, click Add.

8. In the Available counters list, expand Processor, click %Processor Time, click Add >>, and then click OK.

9. On the Which performance counters would you like to monitor? page, in the Alert when list, click Above.

10. In the Limit box, type 10 and then click Next.

11. On the Create the data collector set? page, click Finish.

12. In the navigation pane, expand the User Defined node, and then click NYC-SVR1 Alert.

13. In the Results pane, right-click DataCollector01 and then click Properties.

14. In the DataCollector01 Properties dialog box, in the Sample interval box, type 1 and then click the Alert Action tab.

15. Select the Log an entry in the application event log check box and then click OK.

16. In the navigation pane, right-click NYC-SVR1 Alert and then click Start.

17. Click Start, and then in the Search box, type cmd.exe and press ENTER.

18. At the command prompt, type the following command and press ENTER:

C:

19. At the command prompt, type the following command and press ENTER:

Cd\Labfiles

20. At the command prompt, type the following command and press ENTER:

StressTool 95

21. Wait for one minute to allow for alerts to be generated.

22. Press Ctrl+C.

23. Close the command prompt.

Task 5: Check the subscribed log for performance-related alerts

1. Switch to NYC-DC1.

2. In Event Viewer, in the navigation pane, expand Windows Logs.

3. Click Forwarded Events.

Question: Are there any performance-related alerts?

Answer: Answers may vary, but there should be some events that relate to the imposed workload on NYC-SVR1.

Results: At the end of this exercise, you will have centralized event logs.
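
The collector-side steps of this exercise (Tasks 2, 3 and 5) can also be scripted, which gives a subscription definition that can be reviewed and kept under version control. The script below is an added example, not part of the course material: it builds a collector-initiated subscription with the same name, source and filter as Task 3, registers it with wecutil, and then summarizes what has arrived in Forwarded Events. The scratch file path, the description text and the choice to leave ReadExistingEvents off are assumptions.

```powershell
# Added example, not from the course. Run in an elevated session on the collector (NYC-DC1).
$subscriptionId = 'NYC-SVR1 Events'   # subscription name from Task 3
$sourceComputer = 'NYC-SVR1'          # source computer from Task 3
$configFile     = Join-Path $env:TEMP 'nyc-svr1-events.xml'   # assumed scratch location

# Levels 1-5 are Critical, Error, Warning, Information and Verbose; 0 is "log always".
# 604800000 ms is the "Last 7 days" window. "&lt;" is needed because the query is XML.
$filter = '*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5) ' +
          'and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]'

# The Windows Logs group, with Forwarded Events omitted here.
$selects = ('Application', 'Security', 'Setup', 'System' | ForEach-Object {
    '<Select Path="{0}">{1}</Select>' -f $_, $filter
}) -join ''

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Constructed example matching the lab subscription</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0">$selects</Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$sourceComputer</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# Task 2: configure the Windows Event Collector service without the Y prompt.
wecutil qc /q

# Task 3: create the subscription unless one with this name is already registered.
if ((wecutil es) -contains $subscriptionId) {
    Write-Warning "Subscription '$subscriptionId' already exists; leaving it unchanged."
} else {
    [System.IO.File]::WriteAllText($configFile, $xml)   # UTF-8 without a byte order mark
    wecutil cs $configFile
    if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
}

# Per-source connection state; an error here usually means WinRM or permissions on the source.
wecutil gr $subscriptionId

# Task 5: summarize recent forwarded events from the source by provider and level.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.MachineName -like "$sourceComputer*" } |
    Group-Object -Property ProviderName, LevelDisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

Set ReadExistingEvents to true if events already present in the source logs should be pulled as well as new ones.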

Preparing for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6421B-NYC-DC1 in the Virtual Machines list and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6421B-NYC-SVR1.